我的目标是将 Jenkins 构建为 docker 映像并将其部署到 AWS Elastic Beanstalk。
为了构建 docker 映像,我使用Configuration as Code插件并通过 Dockerfile 中的环境变量注入所有机密。
我现在想弄清楚的是如何使用 CloudFormation 或 CodePipeline 自动执行此部署。
我的问题是:
不知道为什么您一般要以这种方式做事,但您不能直接使用 AWS CLI 从您的 ELB 实例中从 Secrets Manager 获取密钥吗?
Cloudformation 模板可以从 Secrets Manager 中恢复机密。它有点难看,但效果很好。一般来说,我使用 security.yaml 嵌套堆栈在 SM 中为我生成秘密,然后在其他堆栈中恢复它们。
我不能对 EB 说太多,但如果您通过 CF 进行部署,那么这应该会有所帮助。
在 SM (CF security.yaml) 中生成密钥:
Parameters:
DeploymentEnvironment:
Type: String
Description: Deployment environment, e.g. prod, stage, qa, dev, or userdev
Default: "dev"
...
Resources:
...
RegistryDbAdminCreds:
Type: 'AWS::SecretsManager::Secret'
Properties:
Name: !Sub "RegistryDbAdminCreds-${DeploymentEnvironment}"
Description: "RDS master uid/password for artifact registry database."
GenerateSecretString:
SecretStringTemplate: '{"username": "artifactadmin"}'
GenerateStringKey: "password"
PasswordLength: 30
ExcludeCharacters: '"@/\+//:*`"'
Tags:
-
Key: AppName
Value: RegistryDbAdminCreds
在另一个 yaml 中使用秘密:
Parameters:
DeploymentEnvironment:
Type: String
Description: Deployment environment, e.g. prod, stage, qa, dev, or userdev
Default: "dev"
...
Resources:
DB:
Type: 'AWS::RDS::DBInstance'
DependsOn: security
Properties:
Engine: postgres
DBInstanceClass: db.t2.small
DBName: quilt
MasterUsername: !Sub '{{resolve:secretsmanager:RegistryDbAdminCreds-${DeploymentEnvironment}:SecretString:username}}'
MasterUserPassword: !Sub '{{resolve:secretsmanager:RegistryDbAdminCreds-${DeploymentEnvironment}:SecretString:password}}'
StorageType: gp2
AllocatedStorage: "100"
PubliclyAccessible: true
DBSubnetGroupName: !Ref SubnetGroup
MultiAZ: true
VPCSecurityGroups:
- !GetAtt "network.Outputs.VPCSecurityGroup"
Tags:
- Key: Name
Value: !Join [ '-', [ !Ref StackName, "dbinstance", !Ref DeploymentEnvironment ] ]
诀窍在于!Sub '{{resolve:secretsmanager:RegistryDbAdminCreds-${DeploymentEnvironment}:SecretString:username}}'和!Sub '{{resolve:secretsmanager:RegistryDbAdminCreds-${DeploymentEnvironment}:SecretString:password}}'