Series [Part 4]:
Get Started with Pulumi Today: Easy Infrastructure Operations and Management
Want to handle secrets with Pulumi too? Let's try out Pulumi's security features
May 26, 2023 (Fri)
In this fourth installment we explain Pulumi's security model. In the hands-on part we perform encryption with Pulumi and then walk through connecting to RDS with credentials held in AWS Secrets Manager.
Cleanup
Here is the procedure for cleaning up the environment built in this hands-on. Because several stacks were deployed, resources are removed by switching between stacks one at a time. Taking the dependencies into account, the stacks are destroyed in the order compute.dev > network.dev > secret.dev.
```
$ pwd
/***/compute
$ pulumi stack select compute.dev
$ pulumi stack ls
NAME          LAST UPDATE     RESOURCE COUNT  URL
compute.dev*  1 hour ago      8               https://app.pulumi.com/***/pulumi-security/compute.dev
network.dev   36 minutes ago  12              https://app.pulumi.com/***/pulumi-security/network.dev
secret.dev    1 day ago       4               https://app.pulumi.com/***/pulumi-security/secret.dev
```
```
$ pulumi destroy
Previewing destroy (compute.dev)

View Live: https://app.pulumi.com/***/pulumi-security/compute.dev/previews/d2fa1597-7207-4da1-87b5-***

     Type                 Name                         Plan
 -   pulumi:pulumi:Stack  pulumi-security-compute.dev  delete
 -   ├─ aws:rds:Instance  my-rds-instance              delete
 -   └─ aws:ec2:Instance  my-instance                  delete

Outputs:
  - ec2_instance_id      : "i-09442300d7b789f9c"
  - rds_instance_endpoint: "my-rds-instanced451c77.cfaau1r4ttnj.ap-northeast-1.rds.amazonaws.com:3306"

Resources:
    - 3 to delete

Do you want to perform this destroy? yes
Destroying (compute.dev)

View Live: https://app.pulumi.com/***/pulumi-security/compute.dev/updates/19

     Type                 Name                         Status
 -   pulumi:pulumi:Stack  pulumi-security-compute.dev  deleted
 -   ├─ aws:rds:Instance  my-rds-instance              deleted (251s)
 -   └─ aws:ec2:Instance  my-instance                  deleted (36s)

Outputs:
  - ec2_instance_id      : "i-09442300d7b789f9c"
  - rds_instance_endpoint: "my-rds-instanced451c77.cfaau1r4ttnj.ap-northeast-1.rds.amazonaws.com:3306"

Resources:
    - 3 deleted
```
```
$ cd ../network
$ pwd
/***/network
$ pulumi stack select network.dev
$ pulumi stack ls
NAME          LAST UPDATE     RESOURCE COUNT  URL
compute.dev   6 minutes ago   0               https://app.pulumi.com/***/pulumi-security/compute.dev
network.dev*  48 minutes ago  12              https://app.pulumi.com/***/pulumi-security/network.dev
secret.dev    1 day ago       4               https://app.pulumi.com/***/pulumi-security/secret.dev
```
```
$ pulumi destroy
Previewing destroy (network.dev)

View Live: https://app.pulumi.com/***/pulumi-security/network.dev/previews/ee8c011e-a2ce-4f0b-bf6d-***

     Type                              Name                          Plan
 -   pulumi:pulumi:Stack               pulumi-security-network.dev   delete
 -   ├─ aws:ec2:RouteTableAssociation  my-public-subnet-association  delete
 -   ├─ aws:ec2:SecurityGroup          my-rds-security-group         delete
 -   ├─ aws:ec2:RouteTable             my-public-route-table         delete
 -   ├─ aws:rds:SubnetGroup            my-rds-subnet-group           delete
 -   ├─ aws:ec2:SecurityGroup          my-ec2-security-group         delete
 -   ├─ aws:ec2:Subnet                 my-private-subnet-1c          delete
 -   ├─ aws:ec2:Subnet                 my-public-subnet              delete
 -   ├─ aws:ec2:Subnet                 my-private-subnet-1a          delete
 -   ├─ aws:ec2:InternetGateway        my-internet-gateway           delete
 -   └─ aws:ec2:Vpc                    my-vpc                        delete

Outputs:
  - ec2_security_group_id: "sg-052a2e7fdba64a8f6"
  - public_subnet_id     : "subnet-06b202ef7a429ff62"
  - rds_security_group_id: "sg-0de2f277650c44b35"
  - rds_subnet_group_id  : "my-rds-subnet-group-8575162"

Resources:
    - 11 to delete

Do you want to perform this destroy? yes
Destroying (network.dev)

View Live: https://app.pulumi.com/***/pulumi-security/network.dev/updates/18

     Type                              Name                          Status
 -   pulumi:pulumi:Stack               pulumi-security-network.dev   deleted
 -   ├─ aws:ec2:RouteTableAssociation  my-public-subnet-association  deleted (0.50s)
 -   ├─ aws:ec2:RouteTable             my-public-route-table         deleted (1s)
 -   ├─ aws:ec2:SecurityGroup          my-ec2-security-group         deleted (1s)
 -   ├─ aws:ec2:SecurityGroup          my-rds-security-group         deleted (1s)
 -   ├─ aws:rds:SubnetGroup            my-rds-subnet-group           deleted (1s)
 -   ├─ aws:ec2:Subnet                 my-private-subnet-1a          deleted (0.59s)
 -   ├─ aws:ec2:InternetGateway        my-internet-gateway           deleted (1s)
 -   ├─ aws:ec2:Subnet                 my-private-subnet-1c          deleted (1s)
 -   ├─ aws:ec2:Subnet                 my-public-subnet              deleted (1s)
 -   └─ aws:ec2:Vpc                    my-vpc                        deleted (0.93s)

Outputs:
  - ec2_security_group_id: "sg-052a2e7fdba64a8f6"
  - public_subnet_id     : "subnet-06b202ef7a429ff62"
  - rds_security_group_id: "sg-0de2f277650c44b35"
  - rds_subnet_group_id  : "my-rds-subnet-group-8575162"

Resources:
    - 11 deleted

Duration: 8s
```
```
$ cd ../secret
$ pwd
/***/secret
$ pulumi stack select secret.dev
$ pulumi stack ls
NAME          LAST UPDATE    RESOURCE COUNT  URL
compute.dev   8 minutes ago  0               https://app.pulumi.com/CL_Kenneth/pulumi-security/compute.dev
network.dev   1 minute ago   0               https://app.pulumi.com/CL_Kenneth/pulumi-security/network.dev
secret.dev*   1 day ago      4               https://app.pulumi.com/CL_Kenneth/pulumi-security/secret.dev
```
```
$ pulumi destroy
Previewing destroy (secret.dev)

View Live: https://app.pulumi.com/***/pulumi-security/secret.dev/previews/8b017ea0-0131-4b59-8284-***

     Type                                   Name                         Plan
 -   pulumi:pulumi:Stack                    pulumi-security-secret.dev   delete
 -   ├─ aws:secretsmanager:SecretVersion    db-user-secret-version       delete
 -   └─ aws:secretsmanager:Secret           db-user-secret               delete

Outputs:
  - secret_id: "arn:aws:secretsmanager:ap-northeast-1:926403295735:secret:db-user-secret-rJyJ1T"

Resources:
    - 3 to delete

Do you want to perform this destroy? yes
Destroying (secret.dev)

View Live: https://app.pulumi.com/***/pulumi-security/secret.dev/updates/9

     Type                                   Name                         Status
 -   pulumi:pulumi:Stack                    pulumi-security-secret.dev   deleted
 -   ├─ aws:secretsmanager:SecretVersion    db-user-secret-version       deleted (1s)
 -   └─ aws:secretsmanager:Secret           db-user-secret               deleted (0.40s)

Outputs:
  - secret_id: "arn:aws:secretsmanager:ap-northeast-1:926403295735:secret:db-user-secret-rJyJ1T"

Resources:
    - 3 deleted

Duration: 4s
```
```
$ pulumi stack select compute.dev
$ pulumi stack ls
NAME          LAST UPDATE    RESOURCE COUNT  URL
compute.dev*  8 minutes ago  0               https://app.pulumi.com/***/pulumi-security/compute.dev
network.dev   1 minute ago   0               https://app.pulumi.com/***/pulumi-security/network.dev
secret.dev    1 day ago      0               https://app.pulumi.com/***/pulumi-security/secret.dev
$ pulumi stack rm
This will permanently remove the 'compute.dev' stack!
Please confirm that this is what you'd like to do by typing `compute.dev`: compute.dev
Stack 'compute.dev' has been removed!
$ pulumi stack select network.dev
$ pulumi stack ls
network.dev*  1 minute ago   0               https://app.pulumi.com/***/pulumi-security/network.dev
secret.dev    1 day ago      0               https://app.pulumi.com/***/pulumi-security/secret.dev
$ pulumi stack rm
This will permanently remove the 'network.dev' stack!
Please confirm that this is what you'd like to do by typing `network.dev`: network.dev
Stack 'network.dev' has been removed!
$ pulumi stack ls
NAME         LAST UPDATE  RESOURCE COUNT  URL
secret.dev*  1 day ago    0               https://app.pulumi.com/***/pulumi-security/secret.dev
$ pulumi stack rm
This will permanently remove the 'secret.dev' stack!
Please confirm that this is what you'd like to do by typing `secret.dev`: secret
Stack 'secret.dev' has been removed!
$ pulumi stack ls
NAME  LAST UPDATE  RESOURCE COUNT  URL
```
Conclusion
In this article we explained Pulumi's security. When you use a SaaS such as Pulumi Service, security is naturally a concern. After reading this article you may feel reasonably comfortable using Pulumi; if you still have concerns, hosting a Pulumi Server in your own environment with the Self-Hosted Architecture is one option.
Security is a very deep topic, so if there are updates to Pulumi's security we hope to cover them again at some point. Stay tuned for the next installment!