
Releases: aws-samples/baseline-environment-on-aws

v3.0.0

20 Apr 02:25

After BLEA was released in 2021, AWS launched various updates to its security services and CDK became widely used.
I'll propose several updates to catch up with recent AWS security and CDK best practices in the next BLEA release.
They contain several breaking changes, so the version number should be BLEA v3.0.

Main points:

  • Single or fewer Stacks

    • Currently BLEA creates many stacks. This is to reduce the blast radius on update and to simplify the class architecture. However, it causes several difficulties with stack dependencies, so recent CDK best practices suggest using fewer stacks.
    • Control Tower has released Account Factory Customization (AFC). AFC provides functionality to deploy a baseline when creating an account, and it requires a single stack (CFn template) to apply. With a single stack, BLEA's baseline can be deployed with AFC.
  • Simplify file placement in the bin/ and lib/ directories

    • The guest system sample (especially guest-webapp-sample) contains several CDK Apps in the bin/ directory, and each of these apps refers to the constructs it needs in the lib/ directory. To simplify this, use only one App for a single use case. We will add CDK Apps in the bin/ directory only when we need other deployment patterns, for example, using CDK Pipelines.
  • Pass parameters within CDK code rather than cdk.json

    • According to feedback and CDK best practices, it is not recommended to use cdk.json as a parameter store. For example, we can't verify the types of parameters, and the cloud assembly is overwritten when we synth for another environment. So we will add parameters in CDK code (i.e. parameters.ts) to define them and use them in the CDK App. Within the CDK App, we will define stacks for each environment (i.e. DevStack, ProdStack). When you need to create a stack for a specific environment, you specify the name of the stack in the cdk deploy command.
  • Governance model is unchanged

    • The baseline with CloudTrail, Config, Security Hub, and so on will not change. However, if you already use BLEA v2, you need to re-create the baseline resources, because the stack architecture and resource names will change.

What's Changed

Full Changelog: v2.1.1...v3.0.0

v2.1.1

20 Apr 02:27
f0b2188

What's Changed

  • refactor: Update subnet type, PRIVATE_WITH_NAT is deprecated. by @tkimurz in #106
  • fix: change guest web db identifier by @kondo-kj in #86
  • feat: enable scan on push with pull through cache by @tkimurz in #105
  • doc: Update instructions for setup AWS Chatbot by @konokenj in #98
  • feat(guest-webapp-sample):Change launch configurations to launch tem… by @tomoki10 in #183
  • ci: increase dependabot PR limits by @konokenj in #229
  • ci: enable CI in 'dev.*' branches by @konokenj in #230
  • ci: add bot to update snapshot test in PR by @konokenj in #236

Full Changelog: v2.1.0...v2.1.1

v2.1.0

06 Sep 12:17

Release v2.1.0

v2.0.0

01 Feb 05:05

Release v2.0.0

v1.3.0

01 Feb 01:53

Release v1.3.0

v1.2.1

28 Oct 10:13

Release v1.2.1

v1.2.0

26 Oct 15:06

Release v1.2.0

v1.1.1

07 Jun 11:11

Update CDK version to 1.107.0 and its dependencies.

v1.1.0

10 May 15:11
e587801
Merge pull request #1 from aws-samples/v1.1.0

Add Japanese documents

v1.0.0

26 Apr 13:49

Initial release