@makemydeal/cdk-dr-constructs
This package contains DR specific implementations of most of the types above. This will take some opinions from Accelerate, for example, using the SSM Parameter Store to retrieve ARN values for IAM roles.
Constructs
| Name | Description |
|---|---|
| Encryption | Reads an Encryption Key from SSM /dr/global/encryption/{keyName} where Keyname is a property passed |
| IAM | Reads 7 different IAM roles from SSM all in /dr/global/iam. CodeBuild (NonProd and Prod), CodePipeline (NonProd and Prod), CloudFormation (NonProd and Prod) along with Lambda Execution Role (read during build from the appropriate account) |
| SsmProperties | Class to read SSM properties. |
| VpcConfig | Given a VpcId, SecurityGroup Ids and Subnet Ids it will read these resources from the account/region given to the stack. VPC requires concrete values to be read (cannot come from SSM or other dynamic sources) |
| VpcEndpoint | Given a VpcConfig, it can read an existing VPC Endpoint or create a new one. |
Factories
The following factories exist to build their corresponding construct above. This allows these factories to be passed to the main stack allowing you to customize construction of the objects or supply your own object with your implementation.
- EncryptionFactory
- EncryptionFactoryProps (takes properties to specify region or a different key)
- IamFactory
- SsmPropertiesFactory
- VpcConfigFactory
Usage
import { VpcConfigFactory } from '@makemydeal/cdk-dr-constructs';
const factory = VpcConfigFactory({
// VPC Configuration coming from the process.env variables from CodeBuild. These NEED to be concrete, cannot come from SSM directly in the stack
vpcId,
securityGroupIds,
subnetIds
})
Parameter Store Dependencies
All Deployments
| Key | Construct | Description |
|---|---|---|
| /dr/global/iam/code-build-service-role | IAM | Code Build Service Role |
| /dr/global/iam/crossaccount-build-role | IAM | Role used for cross account builds (production) |
| /dr/global/iam/code-pipeline-service-role | IAM | Code Pipeline Service Role |
| /dr/global/iam/crossaccount-deploy-role | IAM | Role used for cross account deployment (production) |
| /dr/global/iam/cfn-service-role-prod | IAM | Production Account CloudFormation role |
| /dr/global/iam/cfn-service-role | IAM | Non-Production Account CloudFormation role |
| /dr/global/iam/lambda-execution-role | IAM | Lambda Execution Role |
| /dr/global/iam/s3-replication-role | IAM | Role used to set up replication between s3 buckets |
| /dr/global/certificates/makemydealcom | DRCertificate | Default ARN to use for Certificate |
| /dr/global/network/hosted-zone-ids/makemydealcom | DRHostedZone | Default Hosted Zone ID |
Single Region Deployments
To support backward compatibility, we will support the existing keys when a region is not specified.
| Key | Construct | Description |
|---|---|---|
| /dr/global/encryption/basicKey | Encryption | KMS key used for encryption |
Multi Region Deployments
For multi region deployments, we need to support a region for these values. This is used in the pipeline only so the keys change
| Key | Construct | Description |
|---|---|---|
| /dr/global/cdk/regions/${region}/encryption/basicKey | Encryption | KMS key used for encryption |