連載 [第4回] :
今日からはじめる Pulumiでカンタン インフラ運用・管理SecretもPulumiで使いこなしたい! PulumiのSecurityを試してみよう
2023年5月26日(金)
第4回となる今回は、PulumiのSecurityについて解説し、ハンズオンではPulumiによる暗号化処理を行い、AWS SecretManagerを利用したRDS接続する流れを実践していきます。
クリーンアップ作業
今回のハンズオンで構築した環境のクリーンアップ手順です。複数のStackをデプロイしているため、リソースの削除もStackを切り替えて行います。依存関係を考慮して、Stackの削除はcompute.dev > network.dev > secret.devの順に行います。
$ pwd /***/compute $ pulumi stack select compute.dev $ pulumi stack ls NAME LAST UPDATE RESOURCE COUNT URL compute.dev* 1 hour ago 8 https://app.pulumi.com/***/pulumi-security/compute.dev network.dev 36 minutes ago 12 https://app.pulumi.com/***/pulumi-security/network.dev secret.dev 1 day ago 4 https://app.pulumi.com/***/pulumi-security/secret.dev
$ pulumi destroy
Previewing destroy (compute.dev)
View Live: https://app.pulumi.com/***/pulumi-security/compute.dev/previews/d2fa1597-7207-4da1-87b5-***
Type Name Plan
- pulumi:pulumi:Stack pulumi-security-compute.dev delete
- ├─ aws:rds:Instance my-rds-instance delete
- └─ aws:ec2:Instance my-instance delete
Outputs:
- ec2_instance_id : "i-09442300d7b789f9c"
- rds_instance_endpoint: "my-rds-instanced451c77.cfaau1r4ttnj.ap-northeast-1.rds.amazonaws.com:3306"
Resources:
- 3 to delete
Do you want to perform this destroy? yes
Destroying (compute.dev)
View Live: https://app.pulumi.com/***/pulumi-security/compute.dev/updates/19
Type Name Status
- pulumi:pulumi:Stack pulumi-security-compute.dev deleted
- ├─ aws:rds:Instance my-rds-instance deleted (251s)
- └─ aws:ec2:Instance my-instance deleted (36s)
Outputs:
- ec2_instance_id : "i-09442300d7b789f9c"
- rds_instance_endpoint: "my-rds-instanced451c77.cfaau1r4ttnj.ap-northeast-1.rds.amazonaws.com:3306"
Resources:
- 3 deleted$ cd ../network $ pwd /***/network $ pulumi stack select network.dev $ pulumi stack ls NAME LAST UPDATE RESOURCE COUNT URL compute.dev 6 minutes ago 0 https://app.pulumi.com/***/pulumi-security/compute.dev network.dev* 48 minutes ago 12 https://app.pulumi.com/***/pulumi-security/network.dev secret.dev 1 day ago 4 https://app.pulumi.com/***/pulumi-security/secret.dev
$ pulumi destroy
Previewing destroy (network.dev)
View Live: https://app.pulumi.com/***/pulumi-security/network.dev/previews/ee8c011e-a2ce-4f0b-bf6d-***
Type Name Plan
- pulumi:pulumi:Stack pulumi-security-network.dev delete
- ├─ aws:ec2:RouteTableAssociation my-public-subnet-association delete
- ├─ aws:ec2:SecurityGroup my-rds-security-group delete
- ├─ aws:ec2:RouteTable my-public-route-table delete
- ├─ aws:rds:SubnetGroup my-rds-subnet-group delete
- ├─ aws:ec2:SecurityGroup my-ec2-security-group delete
- ├─ aws:ec2:Subnet my-private-subnet-1c delete
- ├─ aws:ec2:Subnet my-public-subnet delete
- ├─ aws:ec2:Subnet my-private-subnet-1a delete
- ├─ aws:ec2:InternetGateway my-internet-gateway delete
- └─ aws:ec2:Vpc my-vpc delete
Outputs:
- ec2_security_group_id: "sg-052a2e7fdba64a8f6"
- public_subnet_id : "subnet-06b202ef7a429ff62"
- rds_security_group_id: "sg-0de2f277650c44b35"
- rds_subnet_group_id : "my-rds-subnet-group-8575162"
Resources:
- 11 to delete
Do you want to perform this destroy? yes
Destroying (network.dev)
View Live: https://app.pulumi.com/***/pulumi-security/network.dev/updates/18
Type Name Status
- pulumi:pulumi:Stack pulumi-security-network.dev deleted
- ├─ aws:ec2:RouteTableAssociation my-public-subnet-association deleted (0.50s)
- ├─ aws:ec2:RouteTable my-public-route-table deleted (1s)
- ├─ aws:ec2:SecurityGroup my-ec2-security-group deleted (1s)
- ├─ aws:ec2:SecurityGroup my-rds-security-group deleted (1s)
- ├─ aws:rds:SubnetGroup my-rds-subnet-group deleted (1s)
- ├─ aws:ec2:Subnet my-private-subnet-1a deleted (0.59s)
- ├─ aws:ec2:InternetGateway my-internet-gateway deleted (1s)
- ├─ aws:ec2:Subnet my-private-subnet-1c deleted (1s)
- ├─ aws:ec2:Subnet my-public-subnet deleted (1s)
- └─ aws:ec2:Vpc my-vpc deleted (0.93s)
Outputs:
- ec2_security_group_id: "sg-052a2e7fdba64a8f6"
- public_subnet_id : "subnet-06b202ef7a429ff62"
- rds_security_group_id: "sg-0de2f277650c44b35"
- rds_subnet_group_id : "my-rds-subnet-group-8575162"
Resources:
- 11 deleted
Duration: 8s$ cd ../secret $ pwd /***/secret $ pulumi stack select secret.dev $ pulumi stack ls NAME LAST UPDATE RESOURCE COUNT URL compute.dev 8 minutes ago 0 https://app.pulumi.com/CL_Kenneth/pulumi-security/compute.dev network.dev 1 minute ago 0 https://app.pulumi.com/CL_Kenneth/pulumi-security/network.dev secret.dev* 1 day ago 4 https://app.pulumi.com/CL_Kenneth/pulumi-security/secret.dev
$ pulumi destroy
Previewing destroy (secret.dev)
View Live: https://app.pulumi.com/***/pulumi-security/secret.dev/previews/8b017ea0-0131-4b59-8284-***
Type Name Plan
- pulumi:pulumi:Stack pulumi-security-secret.dev delete
- ├─ aws:secretsmanager:SecretVersion db-user-secret-version delete
- └─ aws:secretsmanager:Secret db-user-secret delete
Outputs:
- secret_id: "arn:aws:secretsmanager:ap-northeast-1:926403295735:secret:db-user-secret-rJyJ1T"
Resources:
- 3 to delete
Do you want to perform this destroy? yes
Destroying (secret.dev)
View Live: https://app.pulumi.com/***/pulumi-security/secret.dev/updates/9
Type Name Status
- pulumi:pulumi:Stack pulumi-security-secret.dev deleted
- ├─ aws:secretsmanager:SecretVersion db-user-secret-version deleted (1s)
- └─ aws:secretsmanager:Secret db-user-secret deleted (0.40s)
Outputs:
- secret_id: "arn:aws:secretsmanager:ap-northeast-1:926403295735:secret:db-user-secret-rJyJ1T"
Resources:
- 3 deleted
Duration: 4s$ pulumi stack select compute.dev $ pulumi stack ls NAME LAST UPDATE RESOURCE COUNT URL compute.dev* 8 minutes ago 0 https://app.pulumi.com/***/pulumi-security/compute.dev network.dev 1 minute ago 0 https://app.pulumi.com/***/pulumi-security/network.dev secret.dev 1 day ago 0 https://app.pulumi.com/***/pulumi-security/secret.dev $ pulumi stack rm This will permanently remove the 'compute.dev' stack! Please confirm that this is what you'd like to do by typing `compute.dev`: compute.dev Stack 'compute.dev' has been removed! $ pulumi stack select network.dev $ pulumi stack ls network.dev* 1 minute ago 0 https://app.pulumi.com/***/pulumi-security/network.dev secret.dev 1 day ago 0 https://app.pulumi.com/***/pulumi-security/secret.dev $ pulumi stack rm This will permanently remove the 'network.dev' stack! Please confirm that this is what you'd like to do by typing `network.dev`: network.dev Stack 'network.dev' has been removed! $ pulumi stack ls NAME LAST UPDATE RESOURCE COUNT URL secret.dev* 1 day ago 0 https://app.pulumi.com/***/pulumi-security/secret.dev $ pulumi stack rm This will permanently remove the 'secret.dev' stack! Please confirm that this is what you'd like to do by typing `secret.dev`: secret Stack 'secret.dev' has been removed! $ pulumi stack ls NAME LAST UPDATE RESOURCE COUNT URL
おわりに
今回は、PulumiのSecurityについて解説しました。Pulumi ServiceのようなSaaSを使う場合は、どうしてもSecurityの部分が気になってくるかと思います。本記事を読まれた方は、ある程度安心してPulumiを利用できると思っていただけるかもしれませんが、それでも気になる場合はSelf-Hosted ArchitectureでPulumi Serverを自社の環境にホストするのも1つの手段だと思います。
Securityはとても奥深い話なので、PulumiのSecurityについて更新があれば、またどこかの機会に紹介したいと思います。次回もお楽しみに!
連載バックナンバー
Think ITメルマガ会員登録受付中
Think ITでは、技術情報が詰まったメールマガジン「Think IT Weekly」の配信サービスを提供しています。メルマガ会員登録を済ませれば、メルマガだけでなく、さまざまな限定特典を入手できるようになります。
他にもこの記事が読まれています
全文検索エンジンによるおすすめ記事
- 「Pulumi Stack」とは ー Pulumiによるマルチステージ環境の構築方法
- Policy as Codeでインフラのコンプライアンスを自動実現! 「Pulumi CrossGuard」を活用してみよう
- PulumiでAWSリソースをデプロイしよう
- Pulumi Kubernetes Operatorを活用してPulumiのCI/CDを実現しよう
- 既に存在するリソースをPulumiで管理してみよう
- 「Pulumi Automation API」でPulumi CLIの機能をコード化しよう
- TerraformからPulumiへの移行
- マシン・イメージを自動構築し、作業効率を高めるPacker入門
- 「Terraform」のコードを自分で書けるようになろう
- インフラの構成管理を自動化するTerraform入門