惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

W
WeLiveSecurity
T
Tenable Blog
Project Zero
Project Zero
C
Cybersecurity and Infrastructure Security Agency CISA
T
The Exploit Database - CXSecurity.com
P
Palo Alto Networks Blog
S
Schneier on Security
Scott Helme
Scott Helme
S
Securelist
Know Your Adversary
Know Your Adversary
Vercel News
Vercel News
IT之家
IT之家
V
V2EX
F
Fortinet All Blogs
Simon Willison's Weblog
Simon Willison's Weblog
K
Kaspersky official blog
博客园_首页
T
Tailwind CSS Blog
The GitHub Blog
The GitHub Blog
Spread Privacy
Spread Privacy
Microsoft Security Blog
Microsoft Security Blog
Cisco Talos Blog
Cisco Talos Blog
The Register - Security
The Register - Security
有赞技术团队
有赞技术团队
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Cyberwarzone
Cyberwarzone
Google DeepMind News
Google DeepMind News
The Hacker News
The Hacker News
L
LINUX DO - 热门话题
Hugging Face - Blog
Hugging Face - Blog
博客园 - 三生石上(FineUI控件)
A
Arctic Wolf
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
C
CXSECURITY Database RSS Feed - CXSecurity.com
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
T
Threat Research - Cisco Blogs
P
Proofpoint News Feed
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
P
Privacy & Cybersecurity Law Blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
C
CERT Recently Published Vulnerability Notes
S
SegmentFault 最新的问题
AWS News Blog
AWS News Blog
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
罗磊的独立博客
Apple Machine Learning Research
Apple Machine Learning Research
P
Proofpoint News Feed
The Cloudflare Blog
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
V
Vulnerabilities – Threatpost

In Pursuit of Simplicity

A Genius AI Product design: Reddit translation The Essence of Prompt Engineering is the Art of Asking Questions A Story About Bypassing Air Canada's In-flight Network Restrictions A Telegram Spam Blocker Bot Based On Bayesian Algorithm Reflections on Ten Years of Programming TIL: Git Blame with Following TIL: Git Conditional Configs Rewind your Github summary Topological Sort
How to share resource between CDK stacks
Ramsay Leung · 2023-06-29 · via In Pursuit of Simplicity

1 Introduction

1.1 IaC

Infrastructure as code(IaC) is the managing and provisioning of infrastructure through code instead of manual processes, for example, clicking button, adding or editing roles in AWS console.

1.2 AWS CloudFormation

AWS CloudFormation is the original IaC tool for AWS, released in 2011, which uses template files to automate and mange the setup of AWS resources.

1.3 AWS CDK

AWS Cloud Development Kit(CDK) is a product provided by AWS that makes it easier for developers to manage their infrastructure with familiar programming languages like TypeScript, Python, Java, etc.

And, CDK is standing on the shoulder of Cloudformation, providing tools for developers by leveraging Cloudformation.

A stack is a collection of AWS resources that you can manage as a single unit, like a box.

For instance, this box could include all the resources required to run an application or Lambda service, such as S3 Buckets (storage), Roles (authorization), Lambda Function (computing), API Gateway (access point), Alarm, Monitoring, etc.

2 Problem

I am currently working on a project which requires to set up two stacks, one stack( GlueStack ) for defining a list of AWS Glue tables and the other stack( ServiceStack ) for definition of Lambda service and associated resources.

In fact, S3 bucket names have to be globally unique within a partition, which means crossing the whole AWS customer base.

You are unable to create a S3 bucket with bucket name which is in use by another AWS customer or your own account.

So it’s safer to let CloudFormation generate a random bucket name for a developer when he need to initialize a S3 bucket.

However, there is new a problem I face: since the S3 bucket name is randomly generated characters, if GlueStack need to read the bucket created by ServiceStack, how could I share the bucket name between two stacks?

While these two stacks are isolated and separated, resources collection.

3 Solution

Fortunately, CDK offers a facility named CfnOutput to export a deployed resource, so that the consumer of the resource is able to Import required resource.

  1. Define the required resource in ServiceStack (producer), for instance, a S3 bucket:
    1
    2
    3
    
    import { Bucket } from 'aws-cdk-lib/aws-s3';
    
    const s3Bucket = new Bucket(this, 'MyBucketId', {});
    
  2. Export the resource by specifying the value and exportName:
    1
    2
    3
    4
    5
    6
    7
    
    import { CfnOutput } from 'aws-cdk-lib';
    
    // export the generated bucket name to other stack
    new CfnOutput(this, 'exportRequiredS3Bucket', {
        value: s3Bucket.bucketName,
        exportName: 'exportRequiredS3Bucket',
    });
    
  3. Import the required resource in GlueStack (consumer):
    1
    2
    3
    
    import { Fn} from 'aws-cdk-lib';
    
    const requiredS3BucketName = Fn.importValue('exportRequiredS3Bucket');
    

If we take a closer look at the synthesized CFN template for ServiceStack, we could find:

1
2
3
4
5
6
7
8
9
"Outputs": {
    "exportRequiredS3Bucket": {
        "Value": {
            "Ref": "MyBucketId737FC949"
        },
        "Export": {
            "Name": "exportRequiredS3Bucket"
        }
    }

The synthesized CFN template for GlueStack:

1
2
3
{
    "Fn::ImportValue": "exportRequiredS3Bucket"
}

This is the way about how to share value between two stacks.


4 Loose couping solution

Updated on 2023-12-02

People learn from mistake.

After applying this practice in my project, I recently learn that it’s not good practice to share resource across stack.

With using export/import, I tightly couple my stacks with a commitment that I can never update that unless I remove that couping later on.

It means it will become a disaster1 whenever I need to update/delete the S3Bucket, CloudFormation will raise an error, complaining something like: “ServiceStack cannot be deleted as it’s in use by GlueStack”.

A better practice I learnt is adding a loose couping between ServiceStack and GlueStack by sharing a constant variable:

  1. Define a constant variable somewhere:

    1
    2
    3
    
    export const Constants = {
        MyBucketName: 'TestBucket'
    }
    
  2. Refine the definition of s3Bucket

    1
    2
    3
    4
    5
    
    import { Bucket } from 'aws-cdk-lib/aws-s3';
    
    const s3Bucket = new Bucket(this, 'MyBucketId', {
        bucketName: Constants.MyBucketName,
    });
    
  3. Refer the s3Bucket in GlueStack by MyBucketName instead of CDK exported reference

    1
    
    const requiredS3BucketName = Constants.MyBucketName;
    

Therefore, these two stacks are not directly coupled, but they are referencing the same constant variable.

Then, CloudFormation won’t prevent you from updating the S3Bucket as there is not direct relation between these two stacks anymore.

This is the benefit of loose couping.

5 Reference