An AWS CDK pipeline can span multiple AWS accounts to implement a CI/CD process, but when an application or service is no longer needed, the stacks it deployed into those other accounts must be deleted as well. Cross-account stack deletion can be implemented with the following steps:
For example:
import { App, CfnOutput } from 'aws-cdk-lib';
import { AccountPrincipal, Effect, PolicyStatement, Role } from 'aws-cdk-lib/aws-iam';

// PIPELINE_ACCOUNT, PIPELINE_REGION and CROSS_ACCOUNT are assumed to be defined elsewhere;
// CodePipelineStack and addPipeline are the page's own wrapper around the CDK pipeline.
const app = new App();
const pipelineStack = new CodePipelineStack(app, 'MyPipelineStack', {
  env: {
    account: PIPELINE_ACCOUNT,
    region: PIPELINE_REGION,
  },
});
pipelineStack.addPipeline({
  ...
});
// Role in the pipeline stack whose trust policy allows CROSS_ACCOUNT to assume it.
const role = new Role(pipelineStack, 'PipelineCrossAccountRole', {
  assumedBy: new AccountPrincipal(CROSS_ACCOUNT),
});
// Grant the pipeline's execution role permission to assume that role.
pipelineStack.pipeline.addToRolePolicy(new PolicyStatement({
  effect: Effect.ALLOW,
  actions: ['sts:AssumeRole'],
  resources: [role.roleArn],
}));
// Export the role ARN so the stack in the other account can reference it.
new CfnOutput(pipelineStack, 'PipelineIAMRoleArn', {
  value: role.roleArn,
});
CloudFormationCapabilities.NAMED_IAM so that the CDK can create a new IAM role in the trusted account. For example:
import { App, Stack } from 'aws-cdk-lib';

// CROSS_ACCOUNT and CROSS_REGION are assumed to be defined elsewhere.
const app = new App();
const stack = new Stack(app, 'CrossAccountStackRemovalStack', {
  env: {
    account: CROSS_ACCOUNT,
    region: CROSS_REGION,
  },
  // Required to create an IAM role for cross-account stack removal.
  // We are using `STRICT` because a cross-account IAM role is created and its permissions
  // must be explicitly granted using the pipeline output.
  // It is not necessary to use STRICT if your stack does not create new IAM roles
  // or have other CloudFormation capabilities that require an explicit allow.
  stackName: 'CrossAccountStackRemovalStack',
  synthesizer: new DefaultStackSynthes
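The cross-account role above is what CloudFormation ends up with as a trust policy and a permission policy. The following is an added example, not code from the page, written in plain TypeScript (no aws-cdk-lib) so the two documents can be built and reviewed offline: it scopes the trust to the pipeline's role instead of a whole account and restricts the permission policy to deleting one named stack, then flags the over-broad variants. The account IDs, region and ARNs are constructed placeholders.

```typescript
// Minimal shape of an IAM policy document, enough for the checks below.
interface Statement {
  Effect: "Allow" | "Deny";
  Action: string[];
  Resource?: string[];
  Principal?: { AWS: string };
}
interface PolicyDocument { Version: "2012-10-17"; Statement: Statement[] }

const PIPELINE_ACCOUNT = "111111111111"; // constructed placeholder
const CROSS_ACCOUNT = "222222222222";    // constructed placeholder
const CROSS_REGION = "us-east-1";        // constructed placeholder

// Trust policy for the removal role in the target account. Trusting the
// pipeline's execution role is narrower than AccountPrincipal, which renders
// as the account root and lets any principal in that account assume the role.
function trustPolicy(pipelineRoleArn: string): PolicyDocument {
  return { Version: "2012-10-17", Statement: [{
    Effect: "Allow", Action: ["sts:AssumeRole"], Principal: { AWS: pipelineRoleArn },
  }] };
}

// Permission policy scoped to the single stack the pipeline may remove.
function removalPolicy(stackName: string): PolicyDocument {
  const stackArn = `arn:aws:cloudformation:${CROSS_REGION}:${CROSS_ACCOUNT}:stack/${stackName}/*`;
  return { Version: "2012-10-17", Statement: [{
    Effect: "Allow",
    Action: ["cloudformation:DeleteStack", "cloudformation:DescribeStacks"],
    Resource: [stackArn],
  }] };
}

// Review check: report Allow statements that trust an account root or use a
// wildcard action or resource. An empty result means the document is scoped.
function overlyBroad(doc: PolicyDocument): string[] {
  const findings: string[] = [];
  for (const s of doc.Statement) {
    if (s.Effect !== "Allow") continue;
    if (s.Principal && /:root$/.test(s.Principal.AWS)) findings.push("trusts account root: " + s.Principal.AWS);
    if (s.Action.includes("*")) findings.push("wildcard action");
    if (s.Resource && s.Resource.includes("*")) findings.push("wildcard resource for " + s.Action.join(","));
  }
  return findings;
}

const pipelineRoleArn = `arn:aws:iam::${PIPELINE_ACCOUNT}:role/PipelineCrossAccountRole`;
console.log(JSON.stringify(trustPolicy(pipelineRoleArn), null, 2));
console.log(JSON.stringify(removalPolicy("CrossAccountStackRemovalStack"), null, 2));
console.log(overlyBroad(trustPolicy(`arn:aws:iam::${PIPELINE_ACCOUNT}:root`)));
```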