Question

We have a CDK project with several stacks, one of them is going to deploy OpenSearch and it needs "AWSServiceRoleForAmazonOpenSearchService" to exists before the actual resource being deployed. We deploy this project to many fresh accounts and as a multi region deployment (active active in us-east-1 and ap-northeast-2). Below is our code

if region == "us-east-1":
            slr = iam.CfnServiceLinkedRole(
                self,
                f"{props.customer}-{region}-Service Linked Role",
                aws_service_name="es.amazonaws.com",
            )

domain = opensearchservice.Domain(...)

迄今为止,这一守则是行之有效的,但今后我们可能在非我们东部-1或东北部2的地区部署,这将打破我们的守则,或者如果 st部署首先是东北部2,这也将打破逻辑,因为这一作用将只部署我们东部-1,而分遣队将在东北部2部署非洲顾问领域。

最好的逻辑不是根据区域进行核查,而是根据存在的作用进行核查。

if slr.alreadyExists
   continue
else
   create slr role

然而,一看AWS CDK 或其它职位中提到的情况,是可能的,还是还有另一种将发挥作用的替代方法?

Answer 1

在“世界妇女论坛”中,你可以检查在试图创建这一角色之前是否已经存在与服务相关的作用。然而,在<代码>CfnserviceLinkedRole资源上没有直接方法,如<代码>/rereadyExists。相反,你可以使用AWS身份和出入管理软件(IAM)来检查服务相关作用的存在。

Here s a possible approach:

from aws_cdk import (
    aws_iam as iam,
    aws_opensearchservice as opensearchservice,
    core,
)

class YourStack(core.Stack):
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)

        slr = self.get_service_linked_role("es.amazonaws.com")

        if slr is None:
            slr = iam.CfnServiceLinkedRole(
                self,
                "ServiceLinkedRole",
                aws_service_name="es.amazonaws.com",
            )

        domain = opensearchservice.CfnDomain(
            self,
            "OpenSearchDomain",
            # ... other domain configuration ...
        )

    def get_service_linked_role(self, service_name: str) -> iam.CfnServiceLinkedRole:
        try:
            slr = iam.CfnServiceLinkedRole.from_service_linked_role_name(
                self, "ServiceLinkedRoleCheck", service_linked_role_name=service_name
            )
            return slr
        except:
            return None

In this example, the get_service_linked_role method attempts to retrieve the existing service-linked role using iam.CfnServiceLinkedRole.from_service_linked_role_name. If the role exists, it returns the existing role; otherwise, it returns None. Based on this result, you can decide whether to create the service-linked role.

这种做法把检查与服务相关作用是否存在的逻辑推向一种单独的方法,使之更具模块化,并使你能够重新使用裁谈会《守则》其他部分的逻辑。

Answer 2

Another approach is to use a custom resource to determine if you should create a new service linked role or not on deployment time. Sometimes it isn t desirable to determine it on synth time because it makes the synthesis process less deterministic.

有一个CDK图书馆能够轻易地实现创建SLR的部署时间决定:upsert-slr。

页: 1

如果它失踪,或者没有发挥作用。

import upsert_slr

upsert_slr.ServiceLinkedRole(stack, "ServiceLinkedRole",
    aws_service_name="es.amazonaws.com",
)

友情链接