
Self-Healing Infrastructure (自己修復的なインフラ)

9,477 views

Published on

Rails Developers Meetup 2019 https://railsdm.github.io/

Published in: Technology

  1. -Self-Healing Infrastructure- Rails Developer Meetup 2019 Day2
  2.
  3. CI
  4. CI Rails ECS
  5. 1. AWS IAM  2.  3. Rails  4.
  6. GitHub: @sinsoku  Twitter: @sinsoku_listy  Rails
  7. 1. AWS IAM
  8. Identity Access Management (IAM) • IAM • IAM • IAM • IAM • AssumeRole
  9. IAM • AWS • AWS ID/ • IAM
  10. IAM • IAM • IAM
  11. • REST API • 1 IAM 2 • [1]
      [1] https://docs.aws.amazon.com/ja_jp/general/latest/gr/aws-access-keys-best-practices.html
  12. IAM • EC2 AWS • AWS • IAM
  13. IAM • JSON • Deny • Deny < Allow < Deny • Deny
  14. IAM JSON: Effect (Allow / Deny), Action, Resource (AWS), Condition, Principal
  15. IAM
      {
        "Version": "2012-10-17",
        "Statement": {
          "Effect": "Allow",
          "Action": "s3:ListBucket",
          "Resource": "arn:aws:s3:::example_bucket",
          "Condition": {
            "IpAddress": { "aws:SourceIp": "123.0.0.10" }
          }
        }
      }
      IP example_bucket s3:ListBucket API
  16. MFA Deny
      {
        "Sid": "DenyEc2Full",
        "Effect": "Deny",
        "Action": "ec2:*",
        "Resource": "*",
        "Condition": {
          "BoolIfExists": { "aws:MultiFactorAuthPresent": false }
        }
      }
      BoolIfExists [2]
      [2] https://docs.aws.amazon.com/ja_jp/IAM/latest/UserGuide/id_credentials_mfa_sample-policies.html#ExampleMFAforResource
  17. MFA
      {
        "Sid": "DenyEc2Full",
        "Effect": "Deny",
        "Action": "ec2:*",
        "Resource": "*",
        "Condition": {
          "Bool": { "aws:MultiFactorAuthPresent": false }
        }
      }
      MFA
  18. AssumeRole
  19.
  20. IAM • IAM • 1 1 IAM • AWS
  21. IAM AssumeRole
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::123456789012:role/AssumeRoleTest"
          }
        ]
      }
  22.
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Principal": { "AWS": "arn:aws:iam::123456789012:user/sinsoku" }
          }
        ]
      }
  23. AWS
  24. AWS
  25. AWS
  26. AssumeRole: AWS Security Token Service (AWS STS) API
  27. aws-cli AWS STS
      $ aws sts get-caller-identity
      {
        "UserId": "ABCDEFGHIJKLMNOPQRSTU",
        "Account": "123456789012",
        "Arn": "arn:aws:iam::123456789012:user/sinsoku"
      }
      IAM arn
  28. aws-cli AWS STS
      $ aws sts assume-role --role-arn arn:aws:iam::123456789012:role/AssumeRoleTest --role-session-name "foo"
      {
        "Credentials": {
          "AccessKeyId": "ASIATNT2A6NHADIU4J6O",
          "SecretAccessKey": "PaarCp7VtbstlKoO5wUh2wsNhD2AWofDjFqvL7+I",
          "SessionToken": "FQoGZXIvYXdzEAQaDOnrQA7f7kXteOkVCFk...i1ttbkBQ==",
          "Expiration": "2019-03-23T03:34:29Z"
        },
        "AssumedRoleUser": {
          "AssumedRoleId": "AROAJRJLCZOBJHBW5S6FK:foo",
          "Arn": "arn:aws:sts::123456789012:assumed-role/AssumeRoleTest/foo"
        }
      }
  29.
      $ export AWS_ACCESS_KEY_ID=<AccessKeyId>
      $ export AWS_SECRET_ACCESS_KEY=<SecretAccessKey>
      $ export AWS_SESSION_TOKEN=<SessionToken>
      $ aws sts get-caller-identity
      {
        "UserId": "AROAJRJLCZOBJHBW5S6FK:foo",
        "Account": "123456789012",
        "Arn": "arn:aws:sts::123456789012:assumed-role/AssumeRoleTest/foo"
      }
      arn
  30.
  31. • InfraReadOnly • InfraPowerUser • InfraFullAccess
  32.
  33. InfraReadOnly • kms:Decrypt • MFA  terraform plan
  34. InfraPowerUser • kms:Decrypt • state S3 • MFA  terraform import
  35. InfraFullAccess • AdministratorAccess • CodeBuild ( ) • MFA  terraform apply
  36. [ ] aws-whoami  AssumeRole alias
      alias aws-whoami="aws sts get-caller-identity --output text --query Arn"
      arn
      $ aws-whoami
      arn:aws:iam::123456789012:user/sinsoku
  37. 2.
  38. Infrastructure as Code (IaC) ! Wikipedia
  39. IaC • grep
  40. [ ] Terraform vs CloudFormation  IaC AWS Terraform [3]
      [3] CloudFormation
  41.
  42. 1. dry-run  2. (stg)  3. (prod)
  43. GitHub Actions
  44. GitHub Actions Private Beta
  45. Docker entrypoint.sh
      # Post the comment.
      PAYLOAD=$(echo '{}' | jq --arg body "$COMMENT" '.body = $body')
      COMMENTS_URL=$(cat /github/workflow/event.json | jq -r .pull_request.comments_url)
      curl -s -S -H "Authorization: token $GITHUB_TOKEN" --header "Content-Type: application/json" --data "$PAYLOAD" "$COMMENTS_URL" > /dev/null
      URL /github/workflow/event.json
  46. bin/ci_simulate_github_actions
      #!/bin/sh
      set +e
      # github.com => api.github.com/repos
      API_URL_TEMP="${CIRCLE_PULL_REQUEST/github.com/api.github.com/repos}"
      # pull => issues comments
      API_URL="${API_URL_TEMP/pull/issues}/comments"
      mkdir -p /github/workflow
      echo '{}' | jq --arg comments_url "${API_URL}" '.pull_request.comments_url = $comments_url' > /github/workflow/event.json
  47. bin/ci_build
      #!/bin/sh
      set -e
      if [ -n "${CIRCLE_PULL_REQUEST}" ]; then
        bin/ci_simulate_github_actions
      else
        export TF_ACTION_COMMENT=false
      fi
      bin/tf_fmt   # fmt/entrypoint.sh
      bin/tf_init  # init/entrypoint.sh
      bin/tf_plan  # plan/entrypoint.sh
  48.
  49. 1. ✅ dry-run  2. (stg)  3. (prod)
  50. Terraform
  51. Terraform on AWS CodeBuild
  52. [ ] [4] CircleCI CodeBuild GitHub Enterprise CodeBuild CircleCI Enterprise
      [4] https://circleci.com/docs/2.0/workflows/#holding-a-workflow-for-a-manual-approval
  53. Terraform on AWS CodeBuild CircleCI • CodeCommit Push • InfraReadOnly CodeBuild terraform apply
  54. 1. ✅ dry-run  2. ✅ (stg)  3. (prod)
  55. stg/prod • Module Terraform ...
  56. Running Terraform in Automation [5]
      [5] https://learn.hashicorp.com/terraform/development/running-terraform-in-automation
  57. Doc Workspace *.tf
      ├── iam_policy
      │   ├── foo.json
      │   └── bar.json
      ├── aws_iam_user.tf
      ├── aws_instance.tf
      ├── variables.tf
      ├── ...
  58. CodeBuild TF_WORKSPACE
  59. stg prod CircleCI Approval [4] CodeBuild Push
      [4] https://circleci.com/docs/2.0/workflows/#holding-a-workflow-for-a-manual-approval
  60. 1. ✅ dry-run  2. ✅ (stg)  3. ✅ (prod)
  61. 3. Rails
  62.
  63. CloudFormation ALB CloudFront URL /assets /public /landing-pages/*
  64. ECS(Fargate) • Ruby
  65. ECS • execution_role_arn: • ECR • task_role_arn: • S3 SES 2
  66. 4.
  67.
  68. • DB
  69. stg
  70. 1.  2. E2E • Puppeteer E2E  3. Revert PR
  71.
  72.
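Slides 13, 16 and 17 rely on two evaluation rules that are easy to get wrong: an explicit Deny beats an Allow, and a `Bool` condition on `aws:MultiFactorAuthPresent` does not fire when the key is absent (requests signed with long-term IAM user access keys carry no such key), while `BoolIfExists` does. The following simulator is an added example, not the speaker's code; it models only Effect/Action/Resource and the Bool/BoolIfExists operators, and its request contexts are constructed:

```python
from fnmatch import fnmatchcase


def request(mfa=None):
    """Constructed ec2 request context. mfa=None models a call signed with
    long-term IAM user access keys, where aws:MultiFactorAuthPresent is absent;
    True/False model temporary credentials obtained with/without MFA."""
    keys = {} if mfa is None else {"aws:MultiFactorAuthPresent": mfa}
    return {"action": "ec2:StopInstances", "resource": "*", "keys": keys}


def mfa_deny_policy(operator):
    """The DenyEc2Full statement from slides 16/17; operator is 'BoolIfExists' or 'Bool'."""
    return {"Version": "2012-10-17", "Statement": {
        "Sid": "DenyEc2Full", "Effect": "Deny", "Action": "ec2:*", "Resource": "*",
        "Condition": {operator: {"aws:MultiFactorAuthPresent": False}}}}


ALLOW_EC2 = {"Version": "2012-10-17",
             "Statement": {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(condition, keys):
    """Bool only matches when the key is present; BoolIfExists also matches when it is missing."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in keys:
                if operator.endswith("IfExists"):
                    continue
                return False
            if str(keys[key]).lower() != str(expected).lower():
                return False
    return True


def statement_matches(stmt, req):
    return (any(fnmatchcase(req["action"], a) for a in _as_list(stmt["Action"]))
            and any(fnmatchcase(req["resource"], r) for r in _as_list(stmt["Resource"]))
            and condition_matches(stmt.get("Condition", {}), req["keys"]))


def evaluate(policies, req):
    """Slide 13's ordering: an explicit Deny wins over Allow, and with no matching
    statement at all the request falls through to the implicit deny."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not statement_matches(stmt, req):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision
```

Run with `evaluate([ALLOW_EC2, mfa_deny_policy("Bool")], request())` and the long-term-key request is still allowed, which is exactly the gap the slide 16 `BoolIfExists` variant closes.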
