I have been looking for ways to adopt infrastructure-as-code with my team, but the initial complexity is a big deterrent. Remember that we not only have to produce the initial configuration, but also maintain it afterwards.
aws-cdk was released on 2019-07-11.
It is simpler than writing a CloudFormation template from scratch.
Perhaps it is a good entry point for teams that want to adopt infrastructure-as-code.
The example is a three-tier architecture with a load-balancer tier, a stateless application logic tier, and a database tier.

| Tier | Role | AWS service | Subnet |
|---|---|---|---|
| 2 | Application Logic | AWS ECS Fargate | Private |
| 3 | Database | AWS RDS Aurora | Isolated |
Following the security practice of separating subnets for different tiers, the application will be deployed into:
- a public subnet (with two-way Internet access),
- a private subnet (with outgoing Internet access only), and
- an isolated subnet (no Internet access either way).
We are also using environment variables to pass database credentials, as that makes it easier to reuse an existing Docker image.
Here is the aws-cdk stack that I managed to get working:
If you want to deploy it and poke around, you can check out the GitHub repository here. The deployment instruction is written in
Note that we should install the same version of `aws-cdk` and the other `@aws-cdk/*` dependencies. It seems that even a minor version difference may be incompatible. I used
- Use separate route tables for each subnet.
- The database security group should allow traffic from the private subnet only.
- Calling the AWS Secrets Manager API from application code to fetch the database credentials is probably more secure, but it requires custom code. If you expect to reuse the same Docker image in, say, Kubernetes, it may cause problems.
- I couldn't quite get the `DatabaseCluster` construct to work, so I used the CloudFormation version, `CfnDBCluster`. If you managed to use `DatabaseCluster`, please feel free to leave a comment.
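As an added example (not code from the post or its repository), here is a TypeScript check that can run in CI against the template `cdk synth` writes, enforcing the subnet tiering described earlier and the two notes above: the database security group accepts ingress only from the application tier's security group, isolated subnets have no route to an internet or NAT gateway, and private subnets have no route to an internet gateway. The template fragment is constructed by hand in the shape CDK emits; the logical IDs (`DbSG`, `AppSG`, `LbSG`, the subnets and route tables) are assumed names, and each subnet's tier is read from the `aws-cdk:subnet-type` tag that the CDK Vpc construct attaches to its subnets (assumed to be present on every subnet).

```typescript
// Added example, not the post's stack: lint the CloudFormation JSON that
// `cdk synth` writes for the network-tiering rules before deploying.

type Resource = { Type: string; Properties: Record<string, any> };
type Template = { Resources: Record<string, Resource> };

// CDK writes intra-stack references as { "Ref": id } or
// { "Fn::GetAtt": [id, attr] }; plain strings appear for hard-coded ids.
function refId(v: any): string | undefined {
  if (typeof v === "string") return v;
  if (v && typeof v === "object") {
    if ("Ref" in v) return v.Ref;
    if ("Fn::GetAtt" in v) return v["Fn::GetAtt"][0];
  }
  return undefined;
}

// Rule 1: only the application-tier security group may reach the database
// group. SG-to-SG rules are separate AWS::EC2::SecurityGroupIngress resources,
// CIDR rules are usually inline on the group, so both places are inspected.
function dbIngressViolations(t: Template, dbSg: string, appSg: string): string[] {
  const problems: string[] = [];
  const check = (where: string, rule: Record<string, any>): void => {
    if (rule.CidrIp !== undefined || rule.CidrIpv6 !== undefined) {
      problems.push(where + ": CIDR " + (rule.CidrIp || rule.CidrIpv6) + " may reach the database");
    } else if (refId(rule.SourceSecurityGroupId) !== appSg) {
      problems.push(where + ": ingress from " + refId(rule.SourceSecurityGroupId) + " is not the application tier");
    }
  };
  for (const id of Object.keys(t.Resources)) {
    const r = t.Resources[id];
    if (r.Type === "AWS::EC2::SecurityGroupIngress" && refId(r.Properties.GroupId) === dbSg) {
      check(id, r.Properties);
    } else if (r.Type === "AWS::EC2::SecurityGroup" && id === dbSg) {
      for (const rule of r.Properties.SecurityGroupIngress || []) check(id, rule);
    }
  }
  return problems;
}

// Rule 2: isolated subnets must have no route via an internet or NAT gateway;
// private subnets must have no route via an internet gateway. The tier comes
// from the aws-cdk:subnet-type tag (assumed to be set on every subnet).
function subnetRouteViolations(t: Template): string[] {
  const tier: Record<string, string> = {};
  const gatewayKinds: Record<string, string[]> = {};
  for (const id of Object.keys(t.Resources)) {
    const r = t.Resources[id];
    if (r.Type === "AWS::EC2::Subnet") {
      for (const tag of r.Properties.Tags || []) {
        if (tag.Key === "aws-cdk:subnet-type") tier[id] = String(tag.Value).toLowerCase();
      }
    } else if (r.Type === "AWS::EC2::Route") {
      const rt = refId(r.Properties.RouteTableId);
      if (!rt) continue;
      const kind = r.Properties.GatewayId !== undefined ? "igw"
        : r.Properties.NatGatewayId !== undefined ? "nat" : "other";
      (gatewayKinds[rt] = gatewayKinds[rt] || []).push(kind);
    }
  }
  const problems: string[] = [];
  for (const id of Object.keys(t.Resources)) {
    const r = t.Resources[id];
    if (r.Type !== "AWS::EC2::SubnetRouteTableAssociation") continue;
    const subnet = refId(r.Properties.SubnetId);
    const rt = refId(r.Properties.RouteTableId);
    if (!subnet || !rt || !(subnet in tier)) continue;
    const kinds = gatewayKinds[rt] || [];
    const hasIgw = kinds.indexOf("igw") >= 0;
    const hasNat = kinds.indexOf("nat") >= 0;
    if (tier[subnet] === "isolated" && (hasIgw || hasNat)) {
      problems.push(id + ": isolated subnet " + subnet + " has a route to a gateway");
    } else if (tier[subnet] === "private" && hasIgw) {
      problems.push(id + ": private subnet " + subnet + " routes directly to an internet gateway");
    }
  }
  return problems;
}

function lintTemplate(t: Template): string[] {
  return dbIngressViolations(t, "DbSG", "AppSG").concat(subnetRouteViolations(t));
}

// Constructed template fragment shaped like `cdk synth` output, with two
// deliberate mistakes for the checks to report: the load-balancer group is
// allowed into the database, and the database subnet uses the NAT route table.
const template: Template = {
  Resources: {
    LbSubnet: { Type: "AWS::EC2::Subnet", Properties: { Tags: [{ Key: "aws-cdk:subnet-type", Value: "Public" }] } },
    AppSubnet: { Type: "AWS::EC2::Subnet", Properties: { Tags: [{ Key: "aws-cdk:subnet-type", Value: "Private" }] } },
    DbSubnet: { Type: "AWS::EC2::Subnet", Properties: { Tags: [{ Key: "aws-cdk:subnet-type", Value: "Isolated" }] } },
    PublicRT: { Type: "AWS::EC2::RouteTable", Properties: {} },
    PrivateRT: { Type: "AWS::EC2::RouteTable", Properties: {} },
    IsolatedRT: { Type: "AWS::EC2::RouteTable", Properties: {} },
    PublicDefault: { Type: "AWS::EC2::Route", Properties: { RouteTableId: { Ref: "PublicRT" }, DestinationCidrBlock: "0.0.0.0/0", GatewayId: { Ref: "Igw" } } },
    PrivateDefault: { Type: "AWS::EC2::Route", Properties: { RouteTableId: { Ref: "PrivateRT" }, DestinationCidrBlock: "0.0.0.0/0", NatGatewayId: { Ref: "Nat" } } },
    LbAssoc: { Type: "AWS::EC2::SubnetRouteTableAssociation", Properties: { SubnetId: { Ref: "LbSubnet" }, RouteTableId: { Ref: "PublicRT" } } },
    AppAssoc: { Type: "AWS::EC2::SubnetRouteTableAssociation", Properties: { SubnetId: { Ref: "AppSubnet" }, RouteTableId: { Ref: "PrivateRT" } } },
    DbAssoc: { Type: "AWS::EC2::SubnetRouteTableAssociation", Properties: { SubnetId: { Ref: "DbSubnet" }, RouteTableId: { Ref: "PrivateRT" } } },
    LbSG: { Type: "AWS::EC2::SecurityGroup", Properties: { GroupDescription: "load balancer" } },
    AppSG: { Type: "AWS::EC2::SecurityGroup", Properties: { GroupDescription: "application" } },
    DbSG: { Type: "AWS::EC2::SecurityGroup", Properties: { GroupDescription: "database" } },
    DbFromApp: { Type: "AWS::EC2::SecurityGroupIngress", Properties: { GroupId: { "Fn::GetAtt": ["DbSG", "GroupId"] }, SourceSecurityGroupId: { "Fn::GetAtt": ["AppSG", "GroupId"] }, IpProtocol: "tcp", FromPort: 3306, ToPort: 3306 } },
    DbFromLb: { Type: "AWS::EC2::SecurityGroupIngress", Properties: { GroupId: { "Fn::GetAtt": ["DbSG", "GroupId"] }, SourceSecurityGroupId: { "Fn::GetAtt": ["LbSG", "GroupId"] }, IpProtocol: "tcp", FromPort: 3306, ToPort: 3306 } },
  },
};

const findings = lintTemplate(template);
console.log(findings.length ? findings.join("\n") : "no tiering violations");
```

To use it on a real stack, replace the constructed `template` with the parsed contents of `cdk.out/<stack>.template.json` and fail the pipeline whenever `lintTemplate` returns a non-empty list, so the mistakes are caught before `cdk deploy` rather than by an audit afterwards.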
This blog is also published on billykong.github.io