sebranchett / ec2-instance-python

AWS CDK Python example of an EC2 that can be accessed by AWS System Manager and has access to S3 bucket. Configuration shell script can be provided to run on creation
Apache License 2.0

Store the Cloud Formation template somewhere #5

Open sebranchett opened 2 years ago

sebranchett commented 2 years ago

Perhaps using a GitHub action on creating a release. (Idea Nathan.) This would mean that researchers could use the template without going through the CDK. (Request Mark.)

sebranchett commented 2 years ago

Having some doubts about this one.

Made a .github/workflows/save_CF_template.yml at commit 4d3e8ec. Got:

```
Searching for AMI in 123456789012:us-east-1
[Error at /ec2-instance] Need to perform AWS calls for account 123456789012, but no credentials have been configured
[Error at /ec2-instance/Instance] Need to perform AWS calls for account 123456789012, but no credentials have been configured
```

Specified:

```yaml
CDK_DEFAULT_ACCOUNT: "123456789012" # this is a fake
CDK_DEFAULT_REGION: "eu-central-1" # but searches us-east-1
```

I don't understand this.

Looks like I need to provide AWS Credentials. This is the way to go: https://github.com/aws-actions/configure-aws-credentials#examples and set up a role to assume in AWS and OpenID Connect to AWS: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services

Looking at my cdk.out/ec2-instance.template.json, it contains my Account ID, when referencing the input/output bucket. I don't think I want to publish my Account ID on GitHub.

I should maybe revisit this issue after solving parameter issue #3.

sebranchett commented 2 years ago

cdk.out/ec2-instance.template.json no longer contains an account ID. BUT, 'cdk synth' does require valid credentials: https://docs.aws.amazon.com/cdk/v2/guide/cli.html section "Specifying credentials and region" specifies "The CDK Toolkit needs to know your AWS account credentials and the AWS region into which you are deploying, not only for deployment operations but also to retrieve context values during synthesis.". I tried everything I could think of too, just in case.

sebranchett commented 2 years ago

I can store encrypted access keys to my AWS account in this repository's secrets, BUT "Anyone with collaborator access to this repository can use these secrets for Actions.". That's not a problem at the moment, but when I'm happy with everything, I want to transfer this repository to the TU-Delft-ICT-Innovation organisation. It doesn't feel right that the organisation is then dependent on my AWS account.

@mmaschenk, help, I'm talking to myself here. 😃 What do you think? Create a dedicated AWS account for all collaborators on CDK templates for research? Use those credentials to automatically 'cdk synth' when we create a release and store the CDK template with the release?
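A release-triggered workflow of the kind discussed in this thread, written here as an added example rather than the repository's actual .github/workflows/save_CF_template.yml. It uses the OpenID Connect route from the configure-aws-credentials link above, so no long-lived access keys are stored as repository secrets. Assumptions not taken from the thread: a secret AWS_ROLE_ARN holding the ARN of an IAM role whose trust policy accepts GitHub's OIDC provider for this repository, a requirements.txt for the Python dependencies, and the stack name ec2-instance taken from the template path mentioned earlier.

```yaml
name: Save CloudFormation template on release

on:
  release:
    types: [published]

permissions:
  id-token: write   # lets the job request the OIDC token that the AWS role trusts
  contents: write   # lets the job attach the template to the release

jobs:
  synth:
    runs-on: ubuntu-latest
    env:
      CDK_DEFAULT_REGION: eu-central-1
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"

      - uses: actions/setup-node@v4
        with:
          node-version: "20"

      # Exchange the runner's OIDC token for short-lived credentials of the role.
      # AWS_ROLE_ARN is an assumed repository/organisation secret, not part of the thread.
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
          aws-region: ${{ env.CDK_DEFAULT_REGION }}
          role-session-name: cdk-synth-${{ github.run_id }}

      # Take the account from the assumed role instead of hard-coding a fake one,
      # so the AMI lookup during synth runs against an account with credentials.
      - name: Export the account of the assumed role
        run: |
          echo "CDK_DEFAULT_ACCOUNT=$(aws sts get-caller-identity --query Account --output text)" >> "$GITHUB_ENV"

      - name: Install CDK and project dependencies
        run: |
          npm install -g aws-cdk
          python -m pip install -r requirements.txt   # assumption: project dependencies live here

      - name: Synthesize the template
        run: cdk synth ec2-instance

      # Refuse to publish if the synthesized template still embeds the account ID.
      - name: Check the template for the account ID
        run: |
          if grep -q "$CDK_DEFAULT_ACCOUNT" cdk.out/ec2-instance.template.json; then
            echo "Template contains the AWS account ID; refusing to publish" >&2
            exit 1
          fi

      - name: Attach the template to the release
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh release upload "${{ github.event.release.tag_name }}" cdk.out/ec2-instance.template.json
```

The role's trust policy is where access is scoped: it should restrict the `sub` claim of the token to this repository (and ideally to release events or a protected branch), and its permissions policy only needs what the context lookups during synth require. Because the credentials come from the role and not from a personal account, moving the repository to an organisation only means pointing AWS_ROLE_ARN at a role in whichever account the organisation owns.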