■ Introduction
https://dk521123.hatenablog.com/entry/2022/03/02/122037
Continuation of the above. Deploying a Glue job requires uploading the Python script and other files to S3, so this is a memo on how to do that. While at it, I also looked into the KMS key that the S3 bucket uses.
Table of contents
【1】S3
1) Bucket
2) BucketObject
3) getBucket
4) BucketPolicy
5) BucketPublicAccessBlock
6) BucketNotification
【2】KMS
1) Key
2) getKey
【1】S3
* Basically everything is available as aws.s3.Xxxx
https://www.pulumi.com/registry/packages/aws/api-docs/s3/#s3-1
1) Bucket
* Create an S3 bucket
https://www.pulumi.com/registry/packages/aws/api-docs/s3/bucket/#bucket
Sample
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Create a KMS key
const demoKmsKey = new aws.kms.Key("demokey", {
  description: "This key is used to encrypt bucket objects",
  deletionWindowInDays: 10,
});

// Create the S3 bucket, with SSE-KMS using the key above as the default encryption
const demoBucket = new aws.s3.Bucket("your-s3-bucket", {
  bucket: "your-s3-bucket",
  serverSideEncryptionConfiguration: {
    rule: {
      applyServerSideEncryptionByDefault: {
        kmsMasterKeyId: demoKmsKey.arn,
        sseAlgorithm: "aws:kms",
      },
    },
  },
  tags: {
    Name: "your-s3-bucket",
  },
});
2) BucketObject
* Upload a file to S3
https://www.pulumi.com/registry/packages/aws/api-docs/s3/bucketobject/#bucketobject
Sample
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Look up the KMS key (see 2) getKey under 【2】KMS)
const demoKmsKey = pulumi.output(aws.kms.getKey({
  keyId: "alias/demo-key",
}));

// Upload
const demoBucketObject = new aws.s3.BucketObject("demoBucketObject", {
  // Destination in S3 (bucket name and object key, i.e. the path)
  bucket: "your-s3-bucket",
  key: "xxxx/xxxx/xxxx",
  // Local file to upload
  source: new pulumi.asset.FileAsset("../localpath/glue_job.py"),
  // KMS key used to encrypt the object
  kmsKeyId: demoKmsKey.arn,
});
3) getBucket
* Retrieve details of an existing S3 bucket
https://www.pulumi.com/registry/packages/aws/api-docs/s3/getbucket/#getbucket
Sample
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Look up the S3 bucket
const yourS3Bucket = pulumi.output(aws.s3.getBucket({
  bucket: "your-s3-bucket",
}));

// The fields are Outputs, so unwrap them with apply() before printing
yourS3Bucket.id.apply((id) => console.log(`ID : ${id}`));
4) BucketPolicy
* Attach a bucket policy to an S3 bucket
https://www.pulumi.com/registry/packages/aws/api-docs/s3/bucketpolicy/#bucketpolicy
Sample
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Create the S3 bucket
const demoBucket = new aws.s3.Bucket("demo", {});

// Generate the IAM policy as JSON
// See: https://www.pulumi.com/registry/packages/aws/api-docs/iam/getpolicydocument/#getpolicydocument
const demoPolicyDocument = aws.iam.getPolicyDocumentOutput({
  statements: [{
    principals: [{
      type: "AWS",
      identifiers: ["123456789012"],
    }],
    actions: [
      "s3:GetObject",
      "s3:ListBucket",
    ],
    resources: [
      demoBucket.arn,
      pulumi.interpolate`${demoBucket.arn}/*`,
    ],
  }],
});

// ★ Note: attach the generated policy to the bucket
const demoBucketPolicy = new aws.s3.BucketPolicy("demoBucketPolicy", {
  bucket: demoBucket.id,
  policy: demoPolicyDocument.apply((doc) => doc.json),
});
5) BucketPublicAccessBlock
* Configure the S3 public access block
https://www.pulumi.com/registry/packages/aws/api-docs/s3/bucketpublicaccessblock/#bucketpublicaccessblock
AWS specification
https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_S3PublicAccessBlockConfiguration.html
Sample
import * as aws from "@pulumi/aws";

// All four settings on: public ACLs and public bucket policies are rejected and ignored
const demoBucketPublicAccessBlock = new aws.s3.BucketPublicAccessBlock("demoBucketPublicAccessBlock", {
  bucket: "your-s3-bucket",
  blockPublicAcls: true,
  blockPublicPolicy: true,
  ignorePublicAcls: true,
  restrictPublicBuckets: true,
});
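The two settings above, the bucket policy from 4) and the public access block from 5), are the ones that decide whether the uploaded Glue scripts can be read anonymously. The following is an added example, not code from this post, Pulumi or AWS: it builds the same read-only policy document that the getPolicyDocumentOutput sample produces, checks a policy document for the anonymous principal that blockPublicPolicy refuses, and lists which public access block settings are still off. The bucket ARN, account ID and the "public read" sample policy are constructed placeholders.

```typescript
// Added example (not from the post, Pulumi or AWS): builds the JSON document that
// aws.s3.BucketPolicy expects and checks it, plus the BucketPublicAccessBlock
// settings, for public exposure before anything is deployed.

type Principal = "*" | { AWS: string | string[] } | { Service: string | string[] };

interface Statement {
  Sid?: string;
  Effect: "Allow" | "Deny";
  Principal: Principal;
  Action: string | string[];
  Resource: string | string[];
  Condition?: Record<string, Record<string, string | string[]>>;
}

interface PolicyDocument {
  Version: "2012-10-17";
  Statement: Statement[];
}

function asList(v: string | string[]): string[] {
  return Array.isArray(v) ? v : [v];
}

// Same grant as the getPolicyDocumentOutput sample: read-only access for one
// account on the bucket and every object in it. AWS stores a bare account ID
// principal as that account's root ARN, which is the form written here.
function buildReadOnlyBucketPolicy(bucketArn: string, accountId: string): string {
  const doc: PolicyDocument = {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Principal: { AWS: `arn:aws:iam::${accountId}:root` },
      Action: ["s3:GetObject", "s3:ListBucket"],
      Resource: [bucketArn, `${bucketArn}/*`],
    }],
  };
  return JSON.stringify(doc);
}

// True when some Allow statement names the anonymous principal ("*" or {"AWS": "*"})
// with no Condition narrowing it. This is a simplified form of the test that
// blockPublicPolicy applies; AWS also treats certain conditions (e.g. aws:SourceVpce)
// as non-public, which is not modelled here.
function policyAllowsPublicAccess(policyJson: string): boolean {
  const doc = JSON.parse(policyJson) as PolicyDocument;
  return doc.Statement.some((s) => {
    if (s.Effect !== "Allow") return false;
    const p = s.Principal;
    const anonymous = p === "*" || ("AWS" in p && asList(p.AWS).includes("*"));
    const unconditional = s.Condition === undefined || Object.keys(s.Condition).length === 0;
    return anonymous && unconditional;
  });
}

interface PublicAccessBlock {
  blockPublicAcls: boolean;
  blockPublicPolicy: boolean;
  ignorePublicAcls: boolean;
  restrictPublicBuckets: boolean;
}

const PUBLIC_ACCESS_SETTINGS: (keyof PublicAccessBlock)[] = [
  "blockPublicAcls", "blockPublicPolicy", "ignorePublicAcls", "restrictPublicBuckets",
];

// Returns the settings still left off; an empty list means the bucket is fully
// blocked, as in the BucketPublicAccessBlock sample.
function disabledPublicAccessSettings(cfg: PublicAccessBlock): string[] {
  return PUBLIC_ACCESS_SETTINGS.filter((k) => !cfg[k]);
}

// Constructed samples: a public-read policy of the kind the block is meant to
// refuse, and a half-configured access block.
const PUBLIC_READ_POLICY = JSON.stringify({
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Principal: "*", Action: "s3:GetObject", Resource: "arn:aws:s3:::your-s3-bucket/*" }],
});
const WEAK_ACCESS_BLOCK: PublicAccessBlock = {
  blockPublicAcls: true, blockPublicPolicy: false, ignorePublicAcls: true, restrictPublicBuckets: false,
};

console.log(policyAllowsPublicAccess(buildReadOnlyBucketPolicy("arn:aws:s3:::your-s3-bucket", "123456789012"))); // false
console.log(policyAllowsPublicAccess(PUBLIC_READ_POLICY)); // true
console.log(disabledPublicAccessSettings(WEAK_ACCESS_BLOCK)); // [ 'blockPublicPolicy', 'restrictPublicBuckets' ]
```

Running these checks in a unit test before `pulumi up` catches a policy that names "*" or an access block with a setting left false, which is cheaper than finding it through Access Analyzer after the bucket has been created.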
6) BucketNotification
* Configure S3 event notifications
https://www.pulumi.com/registry/packages/aws/api-docs/s3/bucketnotification/#bucketnotification
Sample
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Create the IAM role the Lambda function runs as
// See: https://www.pulumi.com/registry/packages/aws/api-docs/iam/role/#role
const iamForLambda = new aws.iam.Role("iamForLambda", {
  assumeRolePolicy: `{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Effect": "Allow"
    }
  ]
}
`,
});

// Create the Lambda function
// See: https://www.pulumi.com/registry/packages/aws/api-docs/lambda/function/#function
const demoLambdaFunction = new aws.lambda.Function("demoLambdaFunction", {
  name: "demoLambdaFunction",
  description: "This is a demo function",
  code: new pulumi.asset.FileArchive("your-function.zip"),
  role: iamForLambda.arn,
  // For a Python runtime the handler is "<module>.<function>" (demo.py / def handler); the name is assumed here
  handler: "demo.handler",
  // See: https://github.com/pulumi/pulumi-aws/blob/master/sdk/nodejs/lambda/runtimes.ts
  runtime: aws.lambda.Python3d6Runtime,
});

// Allow S3 to invoke the function; without this permission, creating the
// BucketNotification fails because S3 cannot validate the destination
const allowBucket = new aws.lambda.Permission("allowBucket", {
  action: "lambda:InvokeFunction",
  function: demoLambdaFunction.arn,
  principal: "s3.amazonaws.com",
  sourceArn: "arn:aws:s3:::your-s3-bucket",
});

// ★ Note
const demoBucketNotification = new aws.s3.BucketNotification("demoBucketNotification", {
  bucket: "your-s3-bucket",
  lambdaFunctions: [{
    lambdaFunctionArn: demoLambdaFunction.arn,
    // Notify when an object (file) is created in S3
    events: ["s3:ObjectCreated:*"],
    // Filters (prefix/suffix); empty strings match every key
    filterPrefix: "",
    filterSuffix: "",
  }],
}, { dependsOn: [allowBucket] });
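The empty filterPrefix/filterSuffix in the sample mean every object creation in the bucket invokes the Lambda. The following is an added example, not code from this post or from AWS, that models how S3 matches a notification rule against an event (the trailing "*" in "s3:ObjectCreated:*" covers every creation operation, and the prefix/suffix are compared against the object key), so the filter for the Glue script uploads can be checked offline. The event names and object keys are constructed samples, and the "scripts/" prefix is an assumed layout.

```typescript
// Added example (not from the post, Pulumi or AWS): decides offline whether an
// S3 event would reach a BucketNotification Lambda rule.

interface LambdaNotificationRule {
  events: string[];        // e.g. "s3:ObjectCreated:*" or "s3:ObjectCreated:Put"
  filterPrefix?: string;   // compared against the start of the object key
  filterSuffix?: string;   // compared against the end of the object key
}

// S3 event names have the form s3:<Category>:<Operation>; a trailing "*" matches
// every operation in that category.
function eventMatches(pattern: string, event: string): boolean {
  if (pattern.endsWith(":*")) {
    return event.startsWith(pattern.slice(0, -1)); // keeps "s3:ObjectCreated:"
  }
  return pattern === event;
}

function ruleMatches(rule: LambdaNotificationRule, event: string, key: string): boolean {
  const eventOk = rule.events.some((p) => eventMatches(p, event));
  const prefixOk = !rule.filterPrefix || key.startsWith(rule.filterPrefix);
  const suffixOk = !rule.filterSuffix || key.endsWith(rule.filterSuffix);
  return eventOk && prefixOk && suffixOk;
}

// Constructed sample events: a Glue script upload, a large data upload under the
// same prefix, and a delete of the script.
const SAMPLE_EVENTS = [
  { event: "s3:ObjectCreated:Put", key: "scripts/glue_job.py" },
  { event: "s3:ObjectCreated:CompleteMultipartUpload", key: "scripts/large_dataset.csv" },
  { event: "s3:ObjectRemoved:Delete", key: "scripts/glue_job.py" },
];

// The rule as written in the sample (no filters) fires for every created object.
const UNFILTERED_RULE: LambdaNotificationRule = { events: ["s3:ObjectCreated:*"] };

// Narrowed to the script prefix and .py suffix, so data uploads do not invoke the Lambda.
const SCRIPT_UPLOAD_RULE: LambdaNotificationRule = {
  events: ["s3:ObjectCreated:*"],
  filterPrefix: "scripts/",
  filterSuffix: ".py",
};

// Returns the keys from the sample events that the rule would deliver.
function matchingKeys(rule: LambdaNotificationRule): string[] {
  return SAMPLE_EVENTS.filter((e) => ruleMatches(rule, e.event, e.key)).map((e) => e.key);
}

console.log(matchingKeys(UNFILTERED_RULE));    // [ 'scripts/glue_job.py', 'scripts/large_dataset.csv' ]
console.log(matchingKeys(SCRIPT_UPLOAD_RULE)); // [ 'scripts/glue_job.py' ]
```

Checking the rule this way shows what the filter excludes before it is deployed; the Lambda's input event is still untrusted and its handler should validate the key it receives rather than assume the filter did.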
【2】KMS
* Basically everything is available as aws.kms.Xxxx
https://www.pulumi.com/registry/packages/aws/api-docs/kms/#kms-1
1) Key
* Create a KMS key
https://www.pulumi.com/registry/packages/aws/api-docs/kms/key/#key
Sample
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Create a KMS key; deletionWindowInDays is the waiting period before a scheduled deletion takes effect
const demoKmsKey = new aws.kms.Key("demokey", {
  description: "This key is used to encrypt bucket objects",
  deletionWindowInDays: 10,
});
2) getKey
* Retrieve an existing KMS key
https://www.pulumi.com/registry/packages/aws/api-docs/kms/getkey/#getkey
Sample
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Look up an existing key by alias (a key ID or ARN also works for keyId)
const demoKmsKey = pulumi.output(aws.kms.getKey({
  keyId: "alias/demo-key",
}));
Related articles
Pulumi ~ Basics ~
https://dk521123.hatenablog.com/entry/2021/10/23/025230
Pulumi ~ Getting Started / Hello World in Local/k8s ~
https://dk521123.hatenablog.com/entry/2022/03/07/233752
Pulumi ~ Getting Started / Hello World in AWS ~
https://dk521123.hatenablog.com/entry/2022/03/11/184041
Pulumi ~ Deploying AWS Glue ~
https://dk521123.hatenablog.com/entry/2022/03/02/122037
Pulumi ~ Retrieving AWS resource information ~
https://dk521123.hatenablog.com/entry/2022/03/22/212828
KMS ~ Getting Started ~
https://dk521123.hatenablog.com/entry/2020/02/27/232553