本記事ã¯
IaCウィーク
8日目ã®è¨˜äº‹ã§ã™ã€‚
âš™ï¸
7日目
▶▶ 本記事 ▶▶
9日目
💻
ã¯ã˜ã‚ã«
NTシステム事æ¥ï¼’部ã®åŒ—野ã¨ç”³ã—ã¾ã™ã€‚ IaCウィークã¨ã„ã†ã“ã¨ã§ã€ä»Šå›žã¯IaCツールã§ã‚ã‚‹Terraformã§ç§˜å¯†æƒ…å ±ã‚’ã‚³ãƒ¼ãƒ‰åŒ–ã™ã‚‹éš›ã«ã€AWS Secrets Managerを用ã„る方法をã”紹介ã—ã¾ã™ã€‚
Terraformã¨ã¯
Terraformã¨ã¯ã€ã‚らゆるインフラストラクãƒãƒ£ã‚’コードã§ç®¡ç†ã™ã‚‹ãŸã‚ã®ãƒ„ールã§ã€HashiCorp社ã«ã‚ˆã£ã¦é–‹ç™ºã•ã‚Œã¦ã„ã¾ã™ã€‚ ç°¡å˜ã«è¨€ã†ã¨ã€ã‚µãƒ¼ãƒãƒ¼ã‚„ãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯ãªã©ã®ã‚¯ãƒ©ã‚¦ãƒ‰ãƒªã‚½ãƒ¼ã‚¹ã‚’「è¨å®šãƒ•ã‚¡ã‚¤ãƒ«ã€ã§å®šç¾©ã—ã€è‡ªå‹•çš„ã«æ§‹ç¯‰ãƒ»å¤‰æ›´ãƒ»å‰Šé™¤ã§ãる仕組ã¿ã§ã™ã€‚
主ãªç‰¹å¾´ï¼š
- インフラ構æˆã‚’コード(HCL: HashiCorp Configuration Language)ã§è¨˜è¿°ã™ã‚‹ã“ã¨ã§ã€å†ç¾æ€§ãƒ»ãƒãƒ¼ã‚¸ãƒ§ãƒ³ç®¡ç†ãŒå¯èƒ½ã§ã™ã€‚
- AWSã€Azureã€GCPãªã©è¤‡æ•°ã®ã‚¯ãƒ©ã‚¦ãƒ‰ã‚µãƒ¼ãƒ“スを一括管ç†ã§ãã¾ã™ã€‚
想定ã™ã‚‹ã‚·ãƒ¼ãƒ³
AWSã®ãƒªã‚½ãƒ¼ã‚¹ã‚’Terraformã§ã‚³ãƒ¼ãƒ‡ã‚£ãƒ³ã‚°ã—ã¦ã„る時ã€ãƒªã‚½ãƒ¼ã‚¹ã®è¨å®šå€¤ã«ç§˜å¯†æƒ…å ±ï¼ˆãƒ‘ã‚¹ãƒ¯ãƒ¼ãƒ‰ã€Token)ãªã©ã‚’è¨å®šã—ãªã‘ã‚Œã°ãªã‚‰ãªã„シーンã¯å°‘ãªã‹ã‚‰ãšå˜åœ¨ã—ã¾ã™ã€‚ 例ã¨ã—ã¦ã¯ä»¥ä¸‹ã®ã‚ˆã†ãªå ´åˆã§ã™ã€‚
- Amazon Cognitoã®identity providerã‚’è¨å®šã™ã‚‹éš›ã€é€£æºã—ãŸã„identity providerã‹ã‚‰ç™ºè¡Œã•ã‚ŒãŸclient_id,client_secretã‚’è¨å®šã—ãŸã„。
- RDSã®ãƒªã‚½ãƒ¼ã‚¹ã‚’åˆæœŸæ§‹ç¯‰ã™ã‚‹éš›ã®rootパスワードをè¨å®šã—ãŸã„。
- AWS Lambdaã®ç’°å¢ƒå¤‰æ•°ã«å¤–部APIã®Tokenã‚’è¨å®šã—ãŸã„
ãã®æ™‚ã€ä¸€èˆ¬çš„ãªæ–¹æ³•ã¨ã—ã¦ã‚ˆã紹介ã•ã‚Œã‚‹ã®ã¯TF_VARSを用ã„ãŸæ–¹å¼ã§ã™ã€‚ 以下ã¯Amazon Cognitoã®user poolã«ç´ã¥ã„ãŸIDPã‚’è¨å®šã™ã‚‹ã‚³ãƒ¼ãƒ‰ã«ãªã‚Šã¾ã™ã€‚
変数ã®å®šç¾©
variable "client_id" {
type = string
sensitive = true
}
variable "client_secret" {
type = string
sensitive = true
}
Amazon Cognitoリソースã®å®šç¾©
locals {
issuer_url = "https://external.auth.provider.example.com/idp"
}
resource "aws_cognito_user_pool" "example-user-pool" {
name = "example"
auto_verified_attributes = ["email"]
tags = {}
username_attributes = ["email"]
account_recovery_setting {
recovery_mechanism {
name = "admin_only"
priority = 1
}
}
}
resource "aws_cognito_identity_provider" "external-idp" {
user_pool_id = aws_cognito_user_pool.example-user-pool.id
provider_name = "external.idp"
provider_type = "OIDC"
provider_details = {
attributes_request_method = "GET"
attributes_url = "${local.issuer_url}/oidc/userinfo"
attributes_url_add_attributes = false
authorize_scopes = "openid me"
authorize_url = "${local.issuer_url}/oidc/authorization"
client_id = var.client_id
client_secret = var.client_secret
jwks_uri = "${local.issuer_url}/oidc/jwks"
oidc_issuer = local.issuer_url
token_url = "${local.issuer_url}/oidc/token"
}
}
client_id,client_secretã«å…ˆã»ã©å®šç¾©ã—ãŸvar.client_id,var.client_secretã‚’è¨å®šã—ã¾ã™ã€‚
client_id,client_secretã®å€¤ã‚’別ファイル(terraform.tfvars)ã«ã¦è¨˜è¿°ã—ã¾ã™ã€‚
client_id = "your-id" client_secret = "your-secret"
Terraformã®ã‚³ãƒ¼ãƒ‰ã¯gitãªã©ã®ãƒªãƒã‚¸ãƒˆãƒªã§ç®¡ç†ã•ã‚Œã‚‹ã“ã¨ãŒå¤šã„ã®ã§ã™ãŒã€ä¸Šè¨˜ã®æ–¹æ³•ã‚’使用ã™ã‚‹ã“ã¨ã§ terraform.tfvarsã‚’gitリãƒã‚¸ãƒˆãƒªã‹ã‚‰é™¤å¤–(.gitignoreファイルã«è¨˜è¼‰ï¼‰ã—ã€ã‚»ã‚ュアãªæƒ…å ±ãŒGitリãƒã‚¸ãƒˆãƒªã«ã‚¢ãƒƒãƒ—ãƒãƒ¼ãƒ‰ã•ã‚Œã‚‹ã“ã¨ã‚’防ã’ã¾ã™ã€‚
ã—ã‹ã—ã“ã®æ–¹å¼ã¯æ‰‹è»½ã§ã‚ã‚‹åé¢ã€èª¤ã£ã¦gitリãƒã‚¸ãƒˆãƒªã«è¿½åŠ ã—ã¦ã—ã¾ã†ãƒªã‚¹ã‚¯ã‚„開発者ã®ãƒãƒ¼ã‚«ãƒ«ã§ä½œæˆã—ãŸtfvarsファイルã®å†…容を共有ã™ã‚‹æ–¹æ³•ã‚’検討ã—ãªã‘ã‚Œã°ãªã‚‰ãªã„ãªã©ã€ è¦æ¨¡ã®å¤§ããªé–‹ç™ºã«ãªã‚Œã°ãªã‚‹ã»ã©èª²é¡ŒãŒå‡ºã¦ãã¾ã™ã€‚
ãã“ã§ã”紹介ã—ãŸã„ã®ãŒSecrets Managerを利用ã—ãŸç§˜å¯†æƒ…å ±ã‚’Terraformã‹ã‚‰å–å¾—ã™ã‚‹æ–¹æ³•ã§ã™ã€‚
実装方法
今回ã¯ä¾‹ã¨ã—ã¦ä¸Šè¨˜ã¨åŒæ§˜Amazon Cognitoã®idpを実装ã™ã‚‹æ–¹æ³•ã‚’ã”紹介ã—ã¾ã™ã€‚
Secrets Managerã®è¨å®š
ã¾ãšãƒžãƒã‚¸ãƒ¡ãƒ³ãƒˆã‚³ãƒ³ã‚½ãƒ¼ãƒ«ã‹ã‚‰Secrets Managerリソースを作æˆã—ã¾ã™ã€‚
ãã®ä»–ã®ã‚·ãƒ¼ã‚¯ãƒ¬ãƒƒãƒˆã‚¿ã‚¤ãƒ—ã‚’é¸æŠžã—ã€client_id,client_secretã®å€¤ã‚’è¨å®šã—ã¾ã™ã€‚
ã“ã“ã§ã¯ã‚ーを/cognito/idpã¨ã—ã¦ãŠãã¾ã™ã€‚
ãƒãƒ¼ãƒ†ãƒ¼ã‚·ãƒ§ãƒ³ã¯ç„¡åŠ¹ã«ã—ã¦ãŠãã¾ã™ã€‚
è¨å®šãŒå®Œäº†ã—ãŸã‚‰ä¿å˜ã‚’クリックã—ã¾ã™ã€‚
Terraformå´ã®å®Ÿè£…
Terraformã®ã‚³ãƒ¼ãƒ‰ã‚’以下ã®ã‚ˆã†ã«å®Ÿè£…ã—ã¾ã™ã€‚ dataブãƒãƒƒã‚¯ã§Secrets Managerã‹ã‚‰å–å¾—ã—ãŸå†…容をJSONå½¢å¼ã§ãƒ‡ã‚³ãƒ¼ãƒ‰ã™ã‚‹ã¨ã€Terraformã®ã‚³ãƒ¼ãƒ‰ä¸Šã§ä½¿ç”¨ã§ãるよã†ã«ãªã‚Šã¾ã™ã€‚
data "aws_secretsmanager_secret_version" "idp_secrets" {
secret_id = "/cognito/idp"
}
locals {
idp_secrets = jsondecode(data.aws_secretsmanager_secret_version.idp_secrets.secret_string)
issuer_url = "https://external.auth.provider.example.com/idp"
}
resource "aws_cognito_user_pool" "example-user-pool" {
name = "example"
auto_verified_attributes = ["email"]
tags = {}
username_attributes = ["email"]
account_recovery_setting {
recovery_mechanism {
name = "admin_only"
priority = 1
}
}
}
resource "aws_cognito_identity_provider" "external-idp" {
user_pool_id = aws_cognito_user_pool.example-user-pool.id
provider_name = "external.idp"
provider_type = "OIDC"
provider_details = {
attributes_request_method = "GET"
attributes_url = "${local.issuer_url}/oidc/userinfo"
attributes_url_add_attributes = false
authorize_scopes = "openid me"
authorize_url = "${local.issuer_url}/oidc/authorization"
client_id = local.idp_secrets.client_id
client_secret = local.idp_secrets.client_secret
jwks_uri = "${local.issuer_url}/oidc/jwks"
oidc_issuer = local.issuer_url
token_url = "${local.issuer_url}/oidc/token"
}
}
上記ã®ã‚ˆã†ã«ã—ã¦ã‚»ã‚ュアã«å¤–部ã®èªè¨¼åŸºç›¤ã¨ã®é€£æºè¨å®šãŒå®Ÿè£…ã§ãã¾ã—ãŸã€‚
メリット
上記ã®å®Ÿè£…ã§ã®ãƒ¡ãƒªãƒƒãƒˆã¯ä»¥ä¸‹ã®ã‚ˆã†ãªã‚‚ã®ãŒè€ƒãˆã‚‰ã‚Œã¾ã™ã€‚
- コード上ã«ç§˜å¯†æƒ…å ±ã‚’è¨˜è¼‰ã—ãªãã¦ã‚‚良ã„。
- ç§˜å¯†æƒ…å ±ã®å…±æœ‰ã‚„å—ã‘渡ã—ã‚’Secrets Manager経由ã§è¡Œã†ã“ã¨ãŒã§ãã‚‹ã“ã¨ã«ã‚ˆã£ã¦ç§˜å¯†æƒ…å ±ã®æ•£åœ¨ã‚„ユーザー間ã®å…±æœ‰æ™‚ã®æ¼æ´©ãŒé˜²ã’る。
- ç§˜å¯†æƒ…å ±ã®å–å¾—æ–¹å¼ã®å®Ÿè£…を統一ã™ã‚‹ã“ã¨ã§ã‚³ãƒ¼ãƒ‡ã‚£ãƒ³ã‚°ãƒŸã‚¹ã‚„ãƒã‚°ã®é˜²æ¢ãŒã§ãる。
注æ„点
stateファイルã®æ‰±ã„
上記方å¼ã§å®Ÿè£…ã—ãŸã¨ã—ã¦ã‚‚Terraformã§ãƒªã‚½ãƒ¼ã‚¹ã‚’実装ã—ãŸæ™‚ã«ä½œæˆã•ã‚Œã‚‹stateファイルã«ã¯ç§˜å¯†æƒ…å ±ãŒè¨˜è¼‰ã•ã‚Œã¾ã™ã€‚ stateファイルã¯é€šå¸¸ã§ã™ã¨S3ãƒã‚±ãƒƒãƒˆã«ä¿å˜ã™ã‚‹ã®ãŒä¸€èˆ¬çš„ã§ã™ãŒã€ãƒãƒ¼ã‚«ãƒ«ã«ä½œæˆã™ã‚‹ã“ã¨ã‚‚å¯èƒ½ã§ã™ã€‚ ç§˜å¯†æƒ…å ±ã‚’Terraformã§å®Ÿè£…ã™ã‚‹éš›ã«ã¯ä¸Šè¨˜ã®ã“ã¨ã‚’ãµã¾ãˆä»¥ä¸‹ã®ã‚¢ãƒ—ãƒãƒ¼ãƒã‚’ã¨ã£ã¦ãã ã•ã„。
- Terraformã®stateファイルをS3ã«ä¿ç®¡ã™ã‚‹ï¼ˆS3ãƒãƒƒã‚¯ã‚¨ãƒ³ãƒ‰ï¼‰ã€‚ãã®S3ãƒã‚±ãƒƒãƒˆã®æš—å·åŒ–を実施ã™ã‚‹ã€‚
- ã‚‚ã—ãƒãƒ¼ã‚«ãƒ«ã§stateファイルを扱ã†å ´åˆã¯.gitignoreã«terraform.tfstateãŠã‚ˆã³terraform.tfstate.backupã‚’è¿½åŠ ã—gitリãƒã‚¸ãƒˆãƒªã«ã‚¢ãƒƒãƒ—ãƒãƒ¼ãƒ‰ã•ã‚Œãªã„よã†ã«ã™ã‚‹ã€‚
å‚考:S3ãƒãƒƒã‚¯ã‚¨ãƒ³ãƒ‰ã‚’Terraformã§è¨å®šã™ã‚‹ä¾‹
terraform {
backend "s3" {
bucket = "my-terraform-state"
key = "cognito/terraform.tfstate"
region = "ap-northeast-1"
encrypt = true # æš—å·åŒ–を有効化
dynamodb_table = "terraform-lock" # 状態ãƒãƒƒã‚¯ç”¨ã®DynamoDBテーブル
}
}
費用é¢ã®å•é¡Œ
AWS Secrets Managerã¯æœ‰æ–™ã‚µãƒ¼ãƒ“スã«ãªã‚Šã¾ã™ã®ã§ã€ä»¥ä¸‹ã®æ–™é‡‘ãŒã‹ã‹ã‚Šã¾ã™ã€‚
- シークレット1ã¤ã‚ãŸã‚Š: 月é¡$0.40
- API呼ã³å‡ºã—: 10,000回ã‚ãŸã‚Š$0.05
コストを抑ãˆãŸã„å ´åˆã¯ã€AWS Systems Manager Parameter Store(SecureString)ã®åˆ©ç”¨ã‚‚検討ã§ãã¾ã™ã€‚
AWS Systems Manager Parameter Storeã§ã®å®Ÿè£…例:
data "aws_ssm_parameter" "idp_client_id" {
name = "/cognito/idp/client_id"
}
data "aws_ssm_parameter" "idp_client_secret" {
name = "/cognito/idp/client_secret"
with_decryption = true # SecureStringã‚’è¨å®šã—ã¦ã„ã‚‹å ´åˆã“ã¡ã‚‰ã®ãƒ—ãƒãƒ‘ティãŒå¿…è¦ã§ã™ã€‚
}
locals {
issuer_url = "https://external.auth.provider.example.com/idp"
}
resource "aws_cognito_user_pool" "example-user-pool" {
name = "example"
auto_verified_attributes = ["email"]
tags = {}
username_attributes = ["email"]
account_recovery_setting {
recovery_mechanism {
name = "admin_only"
priority = 1
}
}
}
resource "aws_cognito_identity_provider" "external-idp" {
user_pool_id = aws_cognito_user_pool.example-user-pool.id
provider_name = "external.idp"
provider_type = "OIDC"
provider_details = {
attributes_request_method = "GET"
attributes_url = "${local.issuer_url}/oidc/userinfo"
attributes_url_add_attributes = false
authorize_scopes = "openid me"
authorize_url = "${local.issuer_url}/oidc/authorization"
client_id = data.aws_ssm_parameter.idp_client_id.value
client_secret = data.aws_ssm_parameter.idp_client_secret.value
jwks_uri = "${local.issuer_url}/oidc/jwks"
oidc_issuer = local.issuer_url
token_url = "${local.issuer_url}/oidc/token"
}
}
ã¾ã¨ã‚
IaCã§èª²é¡Œã«ãªã‚ŠãŒã¡ãªã®ãŒç§˜å¯†æƒ…å ±ã®æ‰±ã„æ–¹ãªã®ã§ã™ãŒã€Secrets Managerを使用ã™ã‚‹ã“ã¨ã§ã‚»ã‚ュアãªæƒ…å ±ã‚’ã‚³ãƒ¼ãƒ‰ã«è¨˜è¼‰ã™ã‚‹ã“ã¨ãªã実装ãŒå¯èƒ½ã§ã™ã€‚ 特ã«å¤–部ã®SaaSã¨é€£æºã—ãŸã‚¤ãƒ³ãƒ•ãƒ©ã®æ§‹ç¯‰ã¯æ˜¨ä»Šè¦æ±‚ãŒé«˜ã¾ã£ã¦ãã¦ã„る分野ã ã¨æ€ã„ã¾ã™ã®ã§ã€ãœã²ã”活用ãã ã•ã„。
インフラエンジニア。元アプリケーションエンジニア(æ¥å‹™ç³»ï¼‰ ç¾åœ¨ã¯AWSを用ã„ãŸã‚¤ãƒ³ãƒ•ãƒ©ã®è¨è¨ˆãƒ»æ§‹ç¯‰ã‚’担当 2025 Japan All AWS Certifications Engineers
