Johnny F

Reputation: 51

AWS CDK pattern for external dependencies

We're looking for a suggested design pattern to manage external dependencies in our CDK stack. Specifically, we utilize Atlas (MongoDB) with our AWS stack. Our AWS stack is fully deployed using CDK/CF. We would like to use a VPC peering connection between our AWS account and Atlas instance. In a nutshell, the procedure to provision this peering connection is:

  1. Create VPC in AWS account (currently done as part of our CDK stack).
  2. Request VPC peering connection in Atlas account, referencing the VPC id from step 1.
  3. Wait a few minutes, approve the VPC peering request in the AWS account.
  4. In the AWS account, add a route table entry directing traffic to the Atlas CIDR to the VPC peering ID from step 3.

Has anyone found a good devops pattern to follow for this scenario? We can't perform step 4 until after the manual actions taken in steps 2 & 3. If we just do steps 2-4 manually after deploying our stack in AWS, what kind of drift issues are we going to experience in CloudFormation?

Upvotes: 5

Views: 1105

Answers (2)

bwl1289

Reputation: 2078

Example in Python for VPC Peering:

Install the package: pip install awscdk-resources-mongodbatlas

from aws_cdk import Stack, aws_ec2 as ec2
from awscdk_resources_mongodbatlas import CfnNetworkPeering
from constructs import Construct


class AtlasPeeringStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)

        # The VPC created by the stack (step 1 of the question)
        vpc = ec2.Vpc(self, "Vpc")

        cfn_network_peering = CfnNetworkPeering(
            self,
            "MongoDbCfnNetworkPeering",
            container_id=<container_id>,        # from `atlas networking containers list`
            project_id=<mongo_project_id>,
            vpc_id=vpc.vpc_id,
            accepter_region_name="us-east-1",
            aws_account_id=<aws_account_id>,
            profile=<profile>,                  # Secrets Manager profile name, see below
            route_table_cidr_block=vpc.vpc_cidr_block,
        )

You can get your container_id using the following CLI command:

atlas config init
atlas networking containers list --projectId <projectId> --output json

For profile, first create an Access Key via CLI or console (organization > access manager > API keys). Ensure you've given minimum sufficient permissions to your key (I believe it's Project Read Only). Then in the Project Access Manager tab, click Applications, and invite your API key to the relevant MongoDB project.

Then create a secret in AWS Secrets Manager according to this spec and, more thoroughly, this spec:

ProfileName: default
SecretName: cfn/atlas/profile/default
SecretValue: {"PublicKey": "YourPublicKey", "PrivateKey": "YourPrivateKey"}

Note: before you do the above, you will need to enable VPC Peering in Atlas Console or CLI using the following instructions.

There are now native CDK constructs for MongoDB with examples here and construct hub here.

Upvotes: 0
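To show the whole procedure from the answer above end to end, here is an added example (it is not code from either answer, nor from MongoDB's library). The pure helpers pick the container id and Atlas CIDR out of the `atlas networking containers list --output json` output, check that the Atlas CIDR does not overlap the VPC CIDR (peering traffic is not routable if it does), and validate the `cfn/atlas/profile/<profile>` secret shape; `build_stack` then wires VPC, peering request and the step-4 routes in CDK. Assumptions: the JSON field names (`id`, `providerName`, `regionName`, `atlasCidrBlock`) follow the Atlas network-container API; `CfnNetworkPeering.attr_connection_id` is the AWS `pcx-...` id (check the resource schema for your package version); the peering is accepted on the AWS side before CloudFormation creates the routes. The sample container list is constructed, and all function names are the example's own.

```python
"""Plan and wire an Atlas <-> AWS VPC peering from CDK (added example).

The helpers run offline and can be unit-tested; the CDK wiring lives in
build_stack() so that aws_cdk / awscdk_resources_mongodbatlas are only
imported when synthesizing.
"""
import ipaddress
import json
import re

# Constructed sample of `atlas networking containers list --output json`
# (field names follow the Atlas network-container API; values are invented).
SAMPLE_CONTAINERS = json.loads("""
[
  {"id": "5f1a2b3c4d5e6f7a8b9c0d1e", "providerName": "AWS", "regionName": "US_EAST_1",
   "atlasCidrBlock": "192.168.248.0/21", "provisioned": true},
  {"id": "5f1a2b3c4d5e6f7a8b9c0d1f", "providerName": "AWS", "regionName": "EU_WEST_1",
   "atlasCidrBlock": "192.168.240.0/21", "provisioned": false}
]
""")


def select_container(containers, aws_region):
    """Pick the Atlas container to peer with a VPC in aws_region.

    Atlas spells regions US_EAST_1, AWS/CDK spell them us-east-1.
    Returns (container_id, atlas_cidr); raises LookupError if none matches.
    """
    wanted = aws_region.upper().replace("-", "_")
    for c in containers:
        if c.get("providerName") == "AWS" and c.get("regionName") == wanted:
            return c["id"], c["atlasCidrBlock"]
    raise LookupError(f"no AWS network container for region {aws_region}")


def check_cidrs_disjoint(vpc_cidr, atlas_cidr):
    """Overlapping CIDRs make the peering useless; fail at synth time instead."""
    a, b = ipaddress.ip_network(vpc_cidr), ipaddress.ip_network(atlas_cidr)
    return not a.overlaps(b)


PROFILE_SECRET_RE = re.compile(r"^cfn/atlas/profile/(?P<profile>[A-Za-z0-9_-]+)$")


def validate_profile_secret(secret_name, secret_value):
    """Check the Secrets Manager entry the Atlas CFN resources read the API key
    from: name cfn/atlas/profile/<profile>, JSON with PublicKey and PrivateKey.
    Returns the profile name on success."""
    m = PROFILE_SECRET_RE.match(secret_name)
    if not m:
        raise ValueError("secret name must be cfn/atlas/profile/<profile>")
    body = json.loads(secret_value)
    missing = {"PublicKey", "PrivateKey"} - set(body)
    if missing:
        raise ValueError(f"secret JSON missing {sorted(missing)}")
    if not (body["PublicKey"] and body["PrivateKey"]):
        raise ValueError("PublicKey and PrivateKey must be non-empty")
    return m.group("profile")


def build_stack(app, stack_id, *, project_id, aws_account_id, aws_region,
                containers, profile="default", vpc_cidr="10.20.0.0/16"):
    """CDK wiring: VPC -> Atlas peering request -> a route to the Atlas CIDR
    on every private-subnet route table (step 4 of the question).
    Assumption: attr_connection_id is the AWS pcx-... id of the peering."""
    from aws_cdk import Stack, aws_ec2 as ec2
    from awscdk_resources_mongodbatlas import CfnNetworkPeering

    container_id, atlas_cidr = select_container(containers, aws_region)
    if not check_cidrs_disjoint(vpc_cidr, atlas_cidr):
        raise ValueError(f"VPC {vpc_cidr} overlaps Atlas {atlas_cidr}")

    stack = Stack(app, stack_id)
    vpc = ec2.Vpc(stack, "Vpc", ip_addresses=ec2.IpAddresses.cidr(vpc_cidr))
    peering = CfnNetworkPeering(
        stack, "AtlasPeering",
        project_id=project_id, container_id=container_id,
        vpc_id=vpc.vpc_id, aws_account_id=aws_account_id,
        accepter_region_name=aws_region, route_table_cidr_block=vpc_cidr,
        profile=profile,
    )
    # Referencing the peering attribute makes CloudFormation order the routes
    # after the peering; the explicit dependency documents that intent.
    for i, subnet in enumerate(vpc.private_subnets):
        route = ec2.CfnRoute(
            stack, f"AtlasRoute{i}",
            route_table_id=subnet.route_table.route_table_id,
            destination_cidr_block=atlas_cidr,
            vpc_peering_connection_id=peering.attr_connection_id,
        )
        route.add_dependency(peering)
    return stack


if __name__ == "__main__":  # `cdk synth` entry point; ids below are placeholders
    from aws_cdk import App
    app = App()
    build_stack(app, "AtlasPeeringStack", project_id="<mongo_project_id>",
                aws_account_id="<aws_account_id>", aws_region="us-east-1",
                containers=SAMPLE_CONTAINERS)
    app.synth()
```

In a real app, feed `select_container` the output of the CLI command from the answer (or read it at synth time), and run `validate_profile_secret` in CI against the secret you created so a misnamed secret fails before the peering resource does.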

Pistazie

Reputation: 268

With some effort, you should be able to get the whole process automated. The benefit is that the VPC peering's lifecycle will be fully managed by CloudFormation.

The key here is to use CloudFormation custom resources and dependencies.

Unfortunately, I can't find a ready-made CDK example for the whole process. I guess you'll have to build it🚀.

  • Atlas MongoDB already did most of the work with their CFN resources project. Specifically interesting for your use-case is the network peering resource.
  • AWS-CDK has a great custom resource framework. You will have to migrate the above atlas cloudformation templates to CDK (or, you might include it). There are quite a few good examples out there (google :).
  • If CloudFormation fails to automatically figure out the required dependency tree/flow, you can hint it using CDK's dependsOn method.

Upvotes: 3
