
v3.0.0

Latest
@konokenj konokenj released this 20 Apr 02:25
· 429 commits to main since this release

After BLEA was released in 2021, AWS launched various updates to its security services and CDK became widely used.
I'll propose several updates to catch up with recent AWS security and CDK best practices in the next BLEA release.
It contains several breaking changes, so the version number should be BLEA v3.0.

Main points:

  • Single or fewer Stacks

    • Currently BLEA creates many stacks. This was done to reduce the blast radius on update and to simplify the class architecture. However, it introduces several difficulties with stack dependencies, so recent CDK best practice suggests using fewer stacks.
    • Control Tower has released Account Factory Customization (AFC). AFC provides functionality to deploy a baseline when creating an account, and it requires a single stack (CFn template) to apply. With a single stack, BLEA's baseline can be deployed with AFC.
  • Simplify file placement in the bin/ and lib/ directories

    • The guest system sample (especially guest-webapp-sample) contains several CDK Apps in the bin/ directory, and each of these apps refers to the constructs it needs from the lib/ directory. To simplify this, use only one App per use case. We will add CDK Apps to the bin/ directory only when we need other deployment patterns, for example using CDK Pipelines.
  • Passing parameter within CDK code but not cdk.json

    • According to feedback and CDK best practices, it is not recommended to use cdk.json as a parameter store. For example, we can't verify the types of parameters, and the cloud assembly is overwritten when we synth for another environment. So we will define parameters in CDK code (i.e. parameters.ts) and use them in the CDK App. Within the CDK App, we will define a stack for each environment (i.e. DevStack, ProdStack). When you need to create the stack for a specific environment, you specify the stack name in the cdk deploy command.
  • Governance model is unchanged

    • The baseline with CloudTrail, Config, Security Hub, etc. will not change. However, if you already use BLEA v2, you will need to re-create the baseline resources, because the stack architecture and resource names will change.
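The parameters.ts pattern described above (typed parameters in code rather than cdk.json context, one stack per environment selected by name in cdk deploy), as an added illustration that is not BLEA's own code. The parameter fields, account IDs, regions and the `BaselineStack` name are constructed assumptions; only the stack ID and validation helpers run here, the CDK App wiring is shown in a comment.

```typescript
// Added example (not BLEA's parameters.ts): per-environment parameters
// kept in typed code so the compiler, not a cdk.json lookup, checks them.
// Account IDs, regions and field names are constructed placeholders.

interface AppParameter {
  envName: 'Dev' | 'Prod';
  env: { account: string; region: string };
  // Hypothetical baseline settings, for illustration only.
  securityNotifyEmail: string;
  cloudTrailLogRetentionDays: number;
}

const devParameter: AppParameter = {
  envName: 'Dev',
  env: { account: '111111111111', region: 'ap-northeast-1' },
  securityNotifyEmail: 'security-dev@example.com',
  cloudTrailLogRetentionDays: 90,
};

const prodParameter: AppParameter = {
  envName: 'Prod',
  env: { account: '222222222222', region: 'ap-northeast-1' },
  securityNotifyEmail: 'security-prod@example.com',
  cloudTrailLogRetentionDays: 365,
};

// Runtime guard for constraints the type system cannot express
// (an account ID is typed as string but must be exactly 12 digits).
function validateParameter(p: AppParameter): string[] {
  const errors: string[] = [];
  if (!/^\d{12}$/.test(p.env.account)) errors.push(`bad account id: ${p.env.account}`);
  if (!/^[a-z]{2}(-[a-z]+)+-\d$/.test(p.env.region)) errors.push(`bad region: ${p.env.region}`);
  if (!p.securityNotifyEmail.includes('@')) errors.push('securityNotifyEmail is not an e-mail');
  if (p.cloudTrailLogRetentionDays < 1) errors.push('cloudTrailLogRetentionDays must be >= 1');
  return errors;
}

// One stack ID per environment; `cdk deploy BLEA-Prod-Baseline` picks one.
function stackId(p: AppParameter): string {
  return `BLEA-${p.envName}-Baseline`;
}

// In the CDK App (bin/), every environment becomes its own stack and the
// synthesized cloud assembly contains all of them, so nothing is overwritten:
//   const app = new cdk.App();
//   for (const p of [devParameter, prodParameter]) {
//     const errors = validateParameter(p);
//     if (errors.length > 0) throw new Error(errors.join('; '));
//     new BaselineStack(app, stackId(p), { env: p.env, params: p });
//   }
```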

What's Changed

Full Changelog: v2.1.1...v3.0.0