Direction for BLEA v3.0 #214

@ohmurayu

Description

Since BLEA was released in 2021, AWS has launched various updates to its security services and CDK has become widely used.
I'll propose several updates to catch up with recent AWS security and CDK best practices in the next BLEA release.
It contains several breaking changes, so the version number should be BLEA v3.0.

Main points:

  • Single or fewer Stacks

    • Currently BLEA creates many stacks. This was done to reduce the blast radius on update and to simplify the class architecture. However, this causes several difficulties with stack dependencies, so recent CDK best practice suggests using fewer stacks.
    • Control Tower has released Account Factory Customization (AFC). AFC provides functionality to deploy a baseline when creating an account, and it requires a single stack (CFn template) to apply. With a single stack, BLEA's baseline can be deployed with AFC.
  • Simplify file placement in the bin/ and lib/ directories

    • The guest system sample (especially guest-webapp-sample) contains several CDK Apps in the bin/ directory, and each app refers to the constructs it needs from the lib/ directory. To simplify this, use only one App per use case. We will add CDK Apps to the bin/ directory only when we need other deployment patterns, for example using CDK Pipelines.
  • Passing parameter within CDK code but not cdk.json

    • According to feedback and CDK best practices, it is not recommended to use cdk.json as a parameter store. For example, we can't verify the types of parameters, and the cloud assembly is overwritten when we synth for another environment. So we will add parameters in CDK code (i.e. parameters.ts) to define parameters and use them in the CDK App. Within the CDK App, we will define stacks for each environment (i.e. DevStack, ProdStack). When you need to create a specific environment's stack, you specify the name of the stack in the cdk deploy command.
  • Governance model is unchanged

    • The baseline with CloudTrail, Config, SecurityHub, etc. will not change. However, if you already use BLEA v2, you need to re-create the baseline resources, because the stack architecture and resource names will change.
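As an added example (not BLEA's own code), this is the kind of typed parameters.ts the "parameters in CDK code" item describes: one typed parameter set per environment, keyed by the stack name used in `cdk deploy`, with value checks that cdk.json context cannot provide. The interface name, field names, account IDs and e-mail addresses are assumptions.

```typescript
// Hypothetical parameters.ts replacing cdk.json context (added example, not BLEA's code).
export interface AppParameter {
  envName: string;                            // label for the environment, e.g. "Development"
  env: { account: string; region: string };   // deployment target, same shape as CDK's Environment
  securityNotifyEmail: string;                // recipient of SecurityHub / GuardDuty notifications
}

// Constructed sample values; account IDs and addresses are placeholders.
export const devParameter: AppParameter = {
  envName: 'Development',
  env: { account: '111111111111', region: 'ap-northeast-1' },
  securityNotifyEmail: 'security-dev@example.com',
};

export const prodParameter: AppParameter = {
  envName: 'Production',
  env: { account: '222222222222', region: 'ap-northeast-1' },
  securityNotifyEmail: 'security-prod@example.com',
};

// Stack names as typed in `cdk deploy <name>`; the App defines one stack per entry
// (e.g. new BaselineStack(app, 'DevStack', devParameter)) and the CLI selects by name.
export const stackParameters: Record<string, AppParameter> = {
  DevStack: devParameter,
  ProdStack: prodParameter,
};

// The compiler enforces the shape; this enforces the values before anything is synthesized.
// Region check is simplified to the common "xx-name-N" form.
export function validateParameter(p: AppParameter): string[] {
  const errors: string[] = [];
  if (!/^\d{12}$/.test(p.env.account)) errors.push(`account must be 12 digits: "${p.env.account}"`);
  if (!/^[a-z]{2}-[a-z]+-\d$/.test(p.env.region)) errors.push(`region looks invalid: "${p.env.region}"`);
  if (!/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(p.securityNotifyEmail)) {
    errors.push(`securityNotifyEmail is not an address: "${p.securityNotifyEmail}"`);
  }
  return errors;
}

// All stacks are synthesized on every cdk command, so validate every parameter set up front
// and fail the App before a half-configured stack reaches the cloud assembly.
export function validateAll(params: Record<string, AppParameter> = stackParameters): void {
  const problems = Object.entries(params)
    .flatMap(([name, p]) => validateParameter(p).map((e) => `${name}: ${e}`));
  if (problems.length > 0) throw new Error(`invalid parameters\n${problems.join('\n')}`);
}
```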

Development:

  • Use the dev.v3 branch to push breaking changes for BLEA v3.0.
