def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
# The code that defines your stack goes here
# vpc network
vpc = aws_ec2.CfnVPC(self, 'vpc', cidr_block='10.0.0.0/16', enable_dns_hostnames=True, enable_dns_support=True, instance_tenancy='default', tags=[core.CfnTag(key='Name',value='vpc')])
internetgateway = aws_ec2.CfnInternetGateway(self, 'internetgateway', tags=[core.CfnTag(key='Name',value='internetgateway')])
aws_ec2.CfnVPCGatewayAttachment(self, 'VPCGatewayAttachment', vpc_id=vpc.ref, internet_gateway_id=internetgateway.ref)
# public network
publicsubnet01 = aws_ec2.CfnSubnet(self, 'publicsubnet01', cidr_block='10.0.0.0/24', vpc_id=vpc.ref, availability_zone='ap-northeast-1a', tags=[core.CfnTag(key='Name',value='publicsubnet01')])
publicsubnet02 = aws_ec2.CfnSubnet(self, 'publicsubnet02', cidr_block='10.0.1.0/24', vpc_id=vpc.ref, availability_zone='ap-northeast-1c', tags=[core.CfnTag(key='Name',value='publicsubnet02')])
publicsubnet03 = aws_ec2.CfnSubnet(self, 'publicsubnet03', cidr_block='10.0.2.0/24', vpc_id=vpc.ref, availability_zone='ap-northeast-1d', tags=[core.CfnTag(key='Name',value='publicsubnet03')])
publicroutetable01 = aws_ec2.CfnRouteTable(self, 'publicroutetable01', vpc_id=vpc.ref, tags=[core.CfnTag(key='Name',value='publicroutetable01')])
publicroutetable02 = aws_ec2.CfnRouteTable(self, 'publicroutetable02', vpc_id=vpc.ref, tags=[core.CfnTag(key='Name',value='publicroutetable02')])
publicroutetable03 = aws_ec2.CfnRouteTable(self, 'publicroutetable03', vpc_id=vpc.ref, tags=[core.CfnTag(key='Name',value='publicroutetable03')])
aws_ec2.CfnRoute(self, 'publicroute01', destination_cidr_block='0.0.0.0/0', gateway_id=internetgateway.ref, route_table_id=publicroutetable01.ref,)
aws_ec2.CfnRoute(self, 'publicroute02', destination_cidr_block='0.0.0.0/0', gateway_id=internetgateway.ref, route_table_id=publicroutetable02.ref)
aws_ec2.CfnRoute(self, 'publicroute03', destination_cidr_block='0.0.0.0/0', gateway_id=internetgateway.ref, route_table_id=publicroutetable03.ref)
aws_ec2.CfnSubnetRouteTableAssociation(self, 'publicsubnetroutetableassociation01', route_table_id=publicroutetable01.ref, subnet_id=publicsubnet01.ref)
aws_ec2.CfnSubnetRouteTableAssociation(self, 'publicsubnetroutetableassociation02', route_table_id=publicroutetable02.ref, subnet_id=publicsubnet02.ref)
aws_ec2.CfnSubnetRouteTableAssociation(self, 'publicsubnetroutetableassociation03', route_table_id=publicroutetable03.ref, subnet_id=publicsubnet03.ref)
# private network
privatesubnet01 = aws_ec2.CfnSubnet(self, 'privatesubnet01', cidr_block='10.0.11.0/24', vpc_id=vpc.ref, availability_zone='ap-northeast-1a', tags=[core.CfnTag(key='Name',value='privatesubnet01')])
privatesubnet02 = aws_ec2.CfnSubnet(self, 'privatesubnet02', cidr_block='10.0.12.0/24', vpc_id=vpc.ref, availability_zone='ap-northeast-1c', tags=[core.CfnTag(key='Name',value='privatesubnet02')])
privatesubnet03 = aws_ec2.CfnSubnet(self, 'privatesubnet03', cidr_block='10.0.13.0/24', vpc_id=vpc.ref, availability_zone='ap-northeast-1d', tags=[core.CfnTag(key='Name',value='privatesubnet03')])
privateroutetable01 = aws_ec2.CfnRouteTable(self, 'privateroutetable01', vpc_id=vpc.ref, tags=[core.CfnTag(key='Name',value='privateroutetable01')])
privateroutetable02 = aws_ec2.CfnRouteTable(self, 'privateroutetable02', vpc_id=vpc.ref, tags=[core.CfnTag(key='Name',value='privateroutetable02')])
privateroutetable03 = aws_ec2.CfnRouteTable(self, 'privateroutetable03', vpc_id=vpc.ref, tags=[core.CfnTag(key='Name',value='privateroutetable03')])
aws_ec2.CfnSubnetRouteTableAssociation(self, 'privatesubnetroutetableassociation01', route_table_id=privateroutetable01.ref, subnet_id=privatesubnet01.ref)
aws_ec2.CfnSubnetRouteTableAssociation(self, 'privatesubnetroutetableassociation02', route_table_id=privateroutetable02.ref, subnet_id=privatesubnet02.ref)
aws_ec2.CfnSubnetRouteTableAssociation(self, 'privatesubnetroutetableassociation03', route_table_id=privateroutetable03.ref, subnet_id=privatesubnet03.ref)
eip01 = aws_ec2.CfnEIP(self, 'eip01', tags=[core.CfnTag(key='Name',value='eip01')])
eip02 = aws_ec2.CfnEIP(self, 'eip02', tags=[core.CfnTag(key='Name',value='eip02')])
eip03 = aws_ec2.CfnEIP(self, 'eip03', tags=[core.CfnTag(key='Name',value='eip03')])
natgateway01 = aws_ec2.CfnNatGateway(self, 'natgateway01', allocation_id=eip01.attr_allocation_id, subnet_id=publicsubnet01.ref, tags=[core.CfnTag(key='Name',value='natgateway01')])
natgateway02 = aws_ec2.CfnNatGateway(self, 'natgateway02', allocation_id=eip02.attr_allocation_id, subnet_id=publicsubnet02.ref, tags=[core.CfnTag(key='Name',value='natgateway02')])
natgateway03 = aws_ec2.CfnNatGateway(self, 'natgateway03', allocation_id=eip03.attr_allocation_id, subnet_id=publicsubnet03.ref, tags=[core.CfnTag(key='Name',value='natgateway03')])
aws_ec2.CfnRoute(self, 'privateroute01', destination_cidr_block='0.0.0.0/0' ,nat_gateway_id=natgateway01.ref, route_table_id=privateroutetable01.ref)
aws_ec2.CfnRoute(self, 'privateroute02', destination_cidr_block='0.0.0.0/0' ,nat_gateway_id=natgateway02.ref, route_table_id=privateroutetable02.ref)
aws_ec2.CfnRoute(self, 'privateroute03', destination_cidr_block='0.0.0.0/0' ,nat_gateway_id=natgateway03.ref, route_table_id=privateroutetable03.ref)
# isolate network
isolatesubnet01 = aws_ec2.CfnSubnet(self, 'isolatesubnet01', cidr_block='10.0.21.0/24', vpc_id=vpc.ref, availability_zone='ap-northeast-1a', tags=[core.CfnTag(key='Name',value='isolatesubnet01')])
isolatesubnet02 = aws_ec2.CfnSubnet(self, 'isolatesubnet02', cidr_block='10.0.22.0/24', vpc_id=vpc.ref, availability_zone='ap-northeast-1c', tags=[core.CfnTag(key='Name',value='isolatesubnet02')])
isolatesubnet03 = aws_ec2.CfnSubnet(self, 'isolatesubnet03', cidr_block='10.0.23.0/24', vpc_id=vpc.ref, availability_zone='ap-northeast-1d', tags=[core.CfnTag(key='Name',value='isolatesubnet03')])
isolateroutetable01 = aws_ec2.CfnRouteTable(self, 'isolateroutetable01', vpc_id=vpc.ref, tags=[core.CfnTag(key='Name',value='isolateroutetable01')])
isolateroutetable02 = aws_ec2.CfnRouteTable(self, 'isolateroutetable02', vpc_id=vpc.ref, tags=[core.CfnTag(key='Name',value='isolateroutetable02')])
isolateroutetable03 = aws_ec2.CfnRouteTable(self, 'isolateroutetable03', vpc_id=vpc.ref, tags=[core.CfnTag(key='Name',value='isolateroutetable03')])
aws_ec2.CfnSubnetRouteTableAssociation(self, 'isolatesubnetroutetableassociation01', route_table_id=isolateroutetable01.ref, subnet_id=isolatesubnet01.ref)
aws_ec2.CfnSubnetRouteTableAssociation(self, 'isolatesubnetroutetableassociation02', route_table_id=isolateroutetable02.ref, subnet_id=isolatesubnet02.ref)
aws_ec2.CfnSubnetRouteTableAssociation(self, 'isolatesubnetroutetableassociation03', route_table_id=isolateroutetable03.ref, subnet_id=isolatesubnet03.ref)
def create_nat_gateway(self, subnet_dictionary, elastic_ip):
# NatGateway
nat_gateway = _ec2.CfnNatGateway(
self,
'CfnNatGateway',
allocation_id=elastic_ip.attr_allocation_id,
subnet_id=subnet_dictionary.get('DEMO-PUBLIC-SUBNET-A').ref,
tags=[CfnTag(
key='Name',
value='DEMO-NAT-GATEWAY',
)])
return nat_gateway
def create_nat_gateway(scope: core.Construct, vpc: aws_ec2.CfnVPC,
subnet: aws_ec2.CfnSubnet) -> aws_ec2.CfnNatGateway:
prefix = scope.node.try_get_context("prefix")
az_end = subnet.availability_zone[-2:]
eip = aws_ec2.CfnEIP(scope, f'{prefix}-eip-{az_end}')
nat_gateway = aws_ec2.CfnNatGateway(
scope,
f'{prefix}-nat-{az_end}',
allocation_id=eip.attr_allocation_id,
subnet_id=subnet.ref,
tags=[core.CfnTag(
key='Name',
value=f'{prefix}-nat-{az_end}',
)],
)
return nat_gateway
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id)
self._id = id
self._eip = kwargs['eip_attr_allocation_id']
self._subnet_id = kwargs['subnet_id']
try:
kwargs['tags']
except:
self._tags_wk = None
else:
self._tags_wk = [
core.CfnTag(key=kwargs['tags'][i]['key'],
value=kwargs['tags'][i]['value'])
if kwargs['tags'] else None for i in range(len(kwargs['tags']))
]
self._natgateway = aws_ec2.CfnNatGateway(
self,
self._id,
allocation_id=self._eip.attr_allocation_id,
subnet_id=self._subnet_id.ref,
tags=self._tags_wk)
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
# vpc = ec2.Vpc(self, "VPC",
# cidr = "10.1.0.0/16",
# max_azs = 2,
# subnet_configuration =[
# ec2.SubnetConfiguration(name='edx-subnet-Public', subnet_type=ec2.SubnetType.PUBLIC, cidr_mask=24),
# ec2.SubnetConfiguration(name='edx-subnet-Private', subnet_type=ec2.SubnetType.PRIVATE, cidr_mask=24),
# ]
# )
# core.Tag.add(vpc, key = "Name", value = "edx-build-aws-vpc")
# core.Tag.add(vpc.public_subnets[0], key = "Name", value = "edx-subnet-public-a")
# core.Tag.add(vpc.public_subnets[1], key = "Name", value = "edx-subnet-public-b")
# core.Tag.add(vpc.private_subnets[0], key = "Name", value = "edx-subnet-public-a")
# core.Tag.add(vpc.private_subnets[1], key = "Name", value = "edx-subnet-public-b")
# Exercise 3
# Create VPC
vpc = ec2.CfnVPC(self,
"VPC",
cidr_block="10.1.0.0/16",
tags=[{
"key": "Name",
"value": "edx-build-aws-vpc"
}])
# Create Internet Gateway
internet_gateway = ec2.CfnInternetGateway(self,
"InternetGateway",
tags=[{
"key": "Name",
"value": "edx-igw"
}])
# Attach Gateway
attach_gateway = ec2.CfnVPCGatewayAttachment(
self,
"AttachGateway",
vpc_id=vpc.ref,
internet_gateway_id=internet_gateway.ref)
# Create EIP1
eip_1 = ec2.CfnEIP(self, "EIP1", domain="vpc")
# Create Public Subnet 1
public_subnet_1 = ec2.CfnSubnet(self,
"PublicSubnet1",
availability_zone=core.Fn.select(
0,
core.Fn.get_azs(core.Aws.REGION)),
cidr_block="10.1.1.0/24",
vpc_id=vpc.ref,
map_public_ip_on_launch=True,
tags=[{
"key": "Name",
"value": "edx-subnet-public-a"
}])
# Create Nat Gateway 1
nat_gateway_1 = ec2.CfnNatGateway(
self,
"NatGateway1",
allocation_id=eip_1.attr_allocation_id,
subnet_id=public_subnet_1.ref)
# Create Private Route Table 1
private_route_table_1 = ec2.CfnRouteTable(self,
"PrivateRouteTable1",
vpc_id=vpc.ref,
tags=[{
"key":
"Name",
"value":
"edx-routetable-private1"
}])
# Create Private Route 1
private_route_1 = ec2.CfnRoute(
self,
"PrivateRoute1",
route_table_id=private_route_table_1.ref,
destination_cidr_block="0.0.0.0/0",
nat_gateway_id=nat_gateway_1.ref)
# Create EIP2
eip_2 = ec2.CfnEIP(self, "EIP2", domain="vpc")
# Create Public Subnet 2
public_subnet_2 = ec2.CfnSubnet(self,
"PublicSubnet2",
availability_zone=core.Fn.select(
1,
core.Fn.get_azs(core.Aws.REGION)),
cidr_block="10.1.2.0/24",
vpc_id=vpc.ref,
map_public_ip_on_launch=True,
tags=[{
"key": "Name",
"value": "edx-subnet-public-b"
}])
# Create Nat Gateway 2
nat_gateway_2 = ec2.CfnNatGateway(
self,
"NatGateway2",
allocation_id=eip_2.attr_allocation_id,
subnet_id=public_subnet_2.ref)
# Create Private Route Table 2
private_route_table_2 = ec2.CfnRouteTable(self,
"PrivateRouteTable2",
vpc_id=vpc.ref,
tags=[{
"key":
"Name",
"value":
"edx-routetable-private2"
}])
# Create Private Route 2
private_route_2 = ec2.CfnRoute(
self,
"PrivateRoute2",
route_table_id=private_route_table_2.ref,
destination_cidr_block="0.0.0.0/0",
nat_gateway_id=nat_gateway_2.ref)
# Create Public Route Table
public_route_table = ec2.CfnRouteTable(self,
"PublicRouteTable",
vpc_id=vpc.ref,
tags=[{
"key":
"Name",
"value":
"edx-routetable-public"
}])
# Create Public Default Route
public_default_route = ec2.CfnRoute(
self,
"PublicDefaultRoute",
route_table_id=public_route_table.ref,
destination_cidr_block="0.0.0.0/0",
gateway_id=internet_gateway.ref)
# Create Public Route Association 1
public_route_association_1 = ec2.CfnSubnetRouteTableAssociation(
self,
"PublicRouteAssociation1",
route_table_id=public_route_table.ref,
subnet_id=public_subnet_1.ref)
# Create Public Route Association 12
public_route_association_2 = ec2.CfnSubnetRouteTableAssociation(
self,
"PublicRouteAssociation2",
route_table_id=public_route_table.ref,
subnet_id=public_subnet_2.ref)
# Create Private Subnet 1
private_subnet_1 = ec2.CfnSubnet(self,
"PrivateSubnet1",
availability_zone=core.Fn.select(
0,
core.Fn.get_azs(core.Aws.REGION)),
cidr_block="10.1.3.0/24",
vpc_id=vpc.ref,
tags=[{
"key": "Name",
"value": "edx-subnet-private-a"
}])
# Create Private Subnet 2
private_subnet_2 = ec2.CfnSubnet(self,
"PrivateSubnet2",
availability_zone=core.Fn.select(
1,
core.Fn.get_azs(core.Aws.REGION)),
cidr_block="10.1.4.0/24",
vpc_id=vpc.ref,
tags=[{
"key": "Name",
"value": "edx-subnet-private-b"
}])
# Create Private Route Association 1
private_route_association_1 = ec2.CfnSubnetRouteTableAssociation(
self,
"PrivateRouteAssociation1",
route_table_id=private_route_table_1.ref,
subnet_id=private_subnet_1.ref)
# Create Private Route Association 2
private_route_association_1 = ec2.CfnSubnetRouteTableAssociation(
self,
"PrivateRouteAssociation2",
route_table_id=private_route_table_2.ref,
subnet_id=private_subnet_2.ref)
# Output
core.CfnOutput(self,
"VPCOutput",
value=vpc.ref,
description="VPC",
export_name="VPC")
core.CfnOutput(self,
"PublicSubnet1Output",
value=public_subnet_1.ref,
description="PublicSubnet1",
export_name="PublicSubnet1")
core.CfnOutput(self,
"PublicSubnet2Output",
value=public_subnet_2.ref,
description="PublicSubnet2",
export_name="PublicSubnet2")
core.CfnOutput(self,
"PrivateSubnet1Output",
value=private_subnet_1.ref,
description="PrivateSubnet1",
export_name="PrivateSubnet1")
core.CfnOutput(self,
"PrivateSubnet2Output",
value=private_subnet_2.ref,
description="PrivateSubnet2",
export_name="PrivateSubnet2")
def __init__(self, scope: core.Construct, id: str, data, iam_vars) -> None:
super().__init__(scope, id)
# VPC
vpc = ec2.CfnVPC(self, "cdk-vpc", cidr_block=data["vpc"])
igw = ec2.CfnInternetGateway(self, id="igw")
ec2.CfnVPCGatewayAttachment(self,
id="igw-attach",
vpc_id=vpc.ref,
internet_gateway_id=igw.ref)
public_route_table = ec2.CfnRouteTable(self,
id="public_route_table",
vpc_id=vpc.ref)
ec2.CfnRoute(self,
id="public_route",
route_table_id=public_route_table.ref,
destination_cidr_block="0.0.0.0/0",
gateway_id=igw.ref)
public_subnets = []
for i, s in enumerate(data["subnets"]["public"]):
subnet = ec2.CfnSubnet(self,
id="public_{}".format(s),
cidr_block=s,
vpc_id=vpc.ref,
availability_zone=core.Fn.select(
i, core.Fn.get_azs()),
map_public_ip_on_launch=True)
public_subnets.append(subnet)
ec2.CfnSubnetRouteTableAssociation(
self,
id="public_{}_association".format(s),
route_table_id=public_route_table.ref,
subnet_id=subnet.ref)
eip = ec2.CfnEIP(self, id="natip")
nat = ec2.CfnNatGateway(self,
id="nat",
allocation_id=eip.attr_allocation_id,
subnet_id=public_subnets[0].ref)
private_route_table = ec2.CfnRouteTable(self,
id="private_route_table",
vpc_id=vpc.ref)
ec2.CfnRoute(self,
id="private_route",
route_table_id=private_route_table.ref,
destination_cidr_block="0.0.0.0/0",
nat_gateway_id=nat.ref)
private_subnets = []
for i, s in enumerate(data["subnets"]["private"]):
subnet = ec2.CfnSubnet(self,
id="private_{}".format(s),
cidr_block=s,
vpc_id=vpc.ref,
availability_zone=core.Fn.select(
i, core.Fn.get_azs()),
map_public_ip_on_launch=False)
private_subnets.append(subnet)
ec2.CfnSubnetRouteTableAssociation(
self,
id="private_{}_association".format(s),
route_table_id=private_route_table.ref,
subnet_id=subnet.ref)
# Security groups
lb_sg = ec2.CfnSecurityGroup(self,
id="lb",
group_description="LB SG",
vpc_id=vpc.ref)
lambda_sg = ec2.CfnSecurityGroup(self,
id="lambda",
group_description="Lambda SG",
vpc_id=vpc.ref)
public_prefix = ec2.CfnPrefixList(self,
id="cidr_prefix",
address_family="IPv4",
max_entries=1,
prefix_list_name="public",
entries=[{
"cidr": "0.0.0.0/0",
"description": "Public"
}])
_sg_rules = [{
'sg':
lb_sg.attr_group_id,
'rules': [{
"direction": "ingress",
"description": "HTTP from Internet",
"from_port": 80,
"to_port": 80,
"protocol": "tcp",
"cidr_blocks": public_prefix.ref
}, {
"direction": "egress",
"description": "LB to Lambda",
"from_port": 80,
"to_port": 80,
"protocol": "tcp",
"source_security_group_id": lambda_sg.attr_group_id
}]
}, {
"sg":
lambda_sg.attr_group_id,
"rules": [{
"direction": "ingress",
"description": "HTTP from LB",
"from_port": 80,
"to_port": 80,
"protocol": "tcp",
"source_security_group_id": lb_sg.attr_group_id
}, {
"direction": "egress",
"description": "All to Internet",
"from_port": 0,
"to_port": 65535,
"protocol": "tcp",
"cidr_blocks": public_prefix.ref
}]
}]
for ruleset in _sg_rules:
for rule in ruleset["rules"]:
if rule["direction"] == "ingress":
ec2.CfnSecurityGroupIngress(
self,
id=rule["description"].replace(" ", "_"),
description=rule["description"],
to_port=rule["to_port"],
from_port=rule["from_port"],
ip_protocol=rule["protocol"],
group_id=ruleset["sg"],
source_prefix_list_id=rule["cidr_blocks"]
if "cidr_blocks" in rule else None,
source_security_group_id=rule[
"source_security_group_id"]
if "source_security_group_id" in rule else None)
else:
ec2.CfnSecurityGroupEgress(
self,
id=rule["description"].replace(" ", "_"),
description=rule["description"],
to_port=rule["to_port"],
from_port=rule["from_port"],
ip_protocol=rule["protocol"],
group_id=ruleset["sg"],
destination_prefix_list_id=rule["cidr_blocks"]
if "cidr_blocks" in rule else None,
destination_security_group_id=rule[
"source_security_group_id"]
if "source_security_group_id" in rule else None)
# IAM
assume_policy_doc = iam.PolicyDocument()
for statement in iam_vars["assume"]["Statement"]:
_statement = iam.PolicyStatement(actions=[statement["Action"]], )
_statement.add_service_principal(statement["Principal"]["Service"])
assume_policy_doc.add_statements(_statement)
role = iam.CfnRole(self,
id="iam_role",
path="/",
assume_role_policy_document=assume_policy_doc)
role_policy_doc = iam.PolicyDocument()
for statement in iam_vars["policy"]["Statement"]:
_statement = iam.PolicyStatement(actions=statement["Action"],
resources=["*"])
role_policy_doc.add_statements(_statement)
policy = iam.CfnPolicy(self,
id="iam_policy",
policy_document=role_policy_doc,
policy_name="cdkPolicy",
roles=[role.ref])
# Lambda
shutil.make_archive("../lambda", 'zip', "../lambda/")
s3_client = boto3.client('s3')
s3_client.upload_file("../lambda.zip", "cloudevescops-zdays-demo",
"cdk.zip")
function = lmd.CfnFunction(self,
id="lambda_function",
handler="lambda.lambda_handler",
role=role.attr_arn,
runtime="python3.7",
code={
"s3Bucket": "cloudevescops-zdays-demo",
"s3Key": "cdk.zip"
},
vpc_config={
"securityGroupIds": [lambda_sg.ref],
"subnetIds":
[s.ref for s in private_subnets]
},
environment={"variables": {
"TOOL": "CDK"
}})
# LB
lb = alb.CfnLoadBalancer(self,
id="alb",
name="lb-cdk",
scheme="internet-facing",
type="application",
subnets=[s.ref for s in public_subnets],
security_groups=[lb_sg.ref])
lmd.CfnPermission(self,
id="lambda_permis",
action="lambda:InvokeFunction",
function_name=function.ref,
principal="elasticloadbalancing.amazonaws.com")
tg = alb.CfnTargetGroup(self,
id="alb_tg",
name="lambda-cdk",
target_type="lambda",
health_check_enabled=True,
health_check_interval_seconds=40,
health_check_path="/",
health_check_timeout_seconds=30,
targets=[{
"id":
function.get_att("Arn").to_string()
}],
matcher={"httpCode": "200"})
alb.CfnListener(self,
id="listener",
default_actions=[{
"type": "forward",
"targetGroupArn": tg.ref
}],
load_balancer_arn=lb.ref,
port=80,
protocol="HTTP")
core.CfnOutput(self, id="fqdn", value=lb.attr_dns_name)
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
# Contexts
PRJ = self.node.try_get_context("prj")
CIDR_VPC = self.node.try_get_context("cidr-out-vpc")
CIDR_NGW_SUBNET = self.node.try_get_context("cidr-out-ngw-subnet")
CIDR_TGW_SUBNET = self.node.try_get_context("cidr-out-tgw-subnet")
# Parameters
# Functions
def nametag(x):
return core.CfnTag(key="Name", value="{}/{}".format(PRJ, x))
# ### Resources
# VPC
self.vpc = ec2.CfnVPC(self,
"vpc",
cidr_block=CIDR_VPC,
tags=[nametag("outVpc")])
# Ngw Subnet
self.ngw_subnet = ec2.CfnSubnet(self,
"ngwSubnet",
cidr_block=CIDR_NGW_SUBNET,
vpc_id=self.vpc.ref,
map_public_ip_on_launch=False,
availability_zone="ap-northeast-1a",
tags=[nametag("outNgwSubnet")])
# Tgw Subnet
self.tgw_subnet = ec2.CfnSubnet(self,
"tgwSubnet",
cidr_block=CIDR_TGW_SUBNET,
vpc_id=self.vpc.ref,
map_public_ip_on_launch=False,
availability_zone="ap-northeast-1a",
tags=[nametag("outTgwSubnet")])
# IGW
self.igw = ec2.CfnInternetGateway(self,
"igw",
tags=[nametag("outIgw")])
igw_attachment = ec2.CfnVPCGatewayAttachment(
self,
"igwAttachment",
vpc_id=self.vpc.ref,
internet_gateway_id=self.igw.ref)
# EIP for NATGW
eip = ec2.CfnEIP(self,
"eip",
domain="vpc",
tags=[nametag("outNatgwEip")])
eip.add_depends_on(igw_attachment)
# NATGW
self.natgw = ec2.CfnNatGateway(self,
"natgw",
allocation_id=eip.attr_allocation_id,
subnet_id=self.ngw_subnet.ref,
tags=[nametag("outNatgw")])
# RouteTable(NGW Subnet)
self.ngw_rtb = ec2.CfnRouteTable(self,
"ngwRtb",
vpc_id=self.vpc.ref,
tags=[nametag("outNgwRtb")])
ec2.CfnSubnetRouteTableAssociation(self,
"ngwRtbAssoc",
route_table_id=self.ngw_rtb.ref,
subnet_id=self.ngw_subnet.ref)
# RouteTable(TGW Subnet)
self.tgw_rtb = ec2.CfnRouteTable(self,
"tgwRtb",
vpc_id=self.vpc.ref,
tags=[nametag("outTgwRtb")])
ec2.CfnSubnetRouteTableAssociation(self,
"tgwRtbAssoc",
route_table_id=self.tgw_rtb.ref,
subnet_id=self.tgw_subnet.ref)
def __init__(self, scope: core.Construct, construct_id: str,
**kwargs) -> None:
super().__init__(scope, construct_id, **kwargs)
vpc = ec2.Vpc(self,
id="MyVPC",
nat_gateways=0,
cidr="192.168.0.0/20",
max_azs=3,
subnet_configuration=[])
pub_subnet = ec2.PublicSubnet(self,
id="PublicSubnet",
availability_zone="eu-central-1c",
cidr_block="192.168.0.0/24",
vpc_id=vpc.vpc_id,
map_public_ip_on_launch=True)
igw = ec2.CfnInternetGateway(
self, id="MyIGW", tags=[core.CfnTag(key="Name", value="IGW")])
ec2.CfnVPCGatewayAttachment(self,
id="IGW_Assoc",
vpc_id=vpc.vpc_id,
internet_gateway_id=igw.ref)
pub_subnet.add_route(id="default_route-sub01",
router_id=igw.ref,
router_type=ec2.RouterType('GATEWAY'),
destination_cidr_block="0.0.0.0/0",
enables_internet_connectivity=True)
# Elastic IP
eip_01 = ec2.CfnEIP(self, id="EIP01")
# NAT gateway
ngw = ec2.CfnNatGateway(self,
id="NAT_GW",
allocation_id=eip_01.attr_allocation_id,
subnet_id=pub_subnet.subnet_id,
tags=[core.CfnTag(key="Name", value="NAT_GW")])
subnet01 = ec2.Subnet(self,
id="Subnet01",
availability_zone="eu-central-1a",
cidr_block="192.168.1.0/24",
vpc_id=vpc.vpc_id,
map_public_ip_on_launch=False)
subnet02 = ec2.Subnet(self,
id="Subnet02",
availability_zone="eu-central-1b",
cidr_block="192.168.2.0/24",
vpc_id=vpc.vpc_id,
map_public_ip_on_launch=False)
subnet01.add_route(id="default_route-sub01",
router_id=ngw.ref,
router_type=ec2.RouterType('NAT_GATEWAY'),
destination_cidr_block="0.0.0.0/0",
enables_internet_connectivity=True)
subnet02.add_route(id="default_route-sub02",
router_id=ngw.ref,
router_type=ec2.RouterType('NAT_GATEWAY'),
destination_cidr_block="0.0.0.0/0",
enables_internet_connectivity=True)
sg_lb = ec2.CfnSecurityGroup(
self,
id="SG_ALB",
group_description="SG for the APP LB",
group_name="SG_ALB",
vpc_id=vpc.vpc_id,
tags=[core.CfnTag(key="Name", value="SG_ALB")])
sg_ec2i = ec2.CfnSecurityGroup(
self,
id="SG_Instances",
group_description="SG for the Instances",
group_name="SG_Instances",
vpc_id=vpc.vpc_id,
tags=[core.CfnTag(key="Name", value="SG_Instances")])
# my_home_ip = requests.get("https://api.ipify.org").text
my_home_ip = "94.112.113.195"
ports_pub = {'tcp': [22, 80], 'icmp': [-1]}
for protocol, ports_list in ports_pub.items():
for port in ports_list:
ec2.CfnSecurityGroupIngress(
self,
id=f"sg_alb_in_{protocol}_{port}",
group_id=sg_lb.attr_group_id,
ip_protocol=protocol,
cidr_ip=f"{my_home_ip}/32",
to_port=port,
from_port=port,
description=f"{protocol.upper()} {port} from home IP")
ec2.CfnSecurityGroupIngress(
self,
id=f"sg_ec2i_in_{protocol}_{port}",
group_id=sg_ec2i.attr_group_id,
ip_protocol=protocol,
to_port=port,
from_port=port,
source_security_group_id=sg_lb.ref,
description=f"{protocol.upper()} {port} from the ALB SG")
with open(
"/home/dragos/Documents/AWS_CDK/app_lb_sample/app_lb_sample/configure.sh",
'r') as config_file:
ud = core.Fn.base64(config_file.read())
bastion_host = ec2.CfnInstance(
self,
id="bastion",
image_id="ami-0de9f803fcac87f46",
instance_type="t2.micro",
subnet_id=pub_subnet.subnet_id,
key_name="proton_mail_kp",
security_group_ids=[sg_lb.ref],
tags=[core.CfnTag(key="Name", value="bastion")])
instance01 = ec2.CfnInstance(
self,
id="WebServer01",
image_id="ami-0de9f803fcac87f46",
instance_type="t2.micro",
subnet_id=subnet01.subnet_id,
key_name="proton_mail_kp",
security_group_ids=[sg_ec2i.ref],
user_data=ud,
tags=[core.CfnTag(key="Name", value="WebServer01")])
instance02 = ec2.CfnInstance(
self,
id="WebServer02",
image_id="ami-0de9f803fcac87f46",
instance_type="t2.micro",
subnet_id=subnet02.subnet_id,
key_name="proton_mail_kp",
security_group_ids=[sg_ec2i.ref],
user_data=ud,
tags=[core.CfnTag(key="Name", value="WebServer02")])
# health_check = elbv2.HealthCheck(enabled=True,
# healthy_http_codes="200",
# path="/index.html",
# protocol=elbv2.Protocol("HTTP"))
target01 = elbv2.CfnTargetGroup.TargetDescriptionProperty(
id=instance01.ref)
target02 = elbv2.CfnTargetGroup.TargetDescriptionProperty(
id=instance02.ref)
tg = elbv2.CfnTargetGroup(
self,
id="TG-WEB-HTTP",
name="TG-WEB-HTTP",
health_check_enabled=True,
health_check_path="/index.html",
health_check_port="80",
matcher=elbv2.CfnTargetGroup.MatcherProperty(http_code="200"),
port=80,
protocol="HTTP", # CASE SENSITIVE
target_type="instance", # CASE SENSITIVE
targets=[target01, target02],
vpc_id=vpc.vpc_id)
alb = elbv2.CfnLoadBalancer(
self,
id="MyALB-HTTP",
ip_address_type="ipv4",
name="MyALB-HTTP",
scheme="internet-facing",
security_groups=[sg_lb.ref],
type="application",
subnets=[subnet01.subnet_id, subnet02.subnet_id])
def_act = Listener.ActionProperty(type="forward",
authenticate_cognito_config=None,
authenticate_oidc_config=None,
fixed_response_config=None,
forward_config=None,
order=50000,
redirect_config=None,
target_group_arn=tg.ref)
listener = elbv2.CfnListener(self,
id="Listener01",
load_balancer_arn=alb.ref,
port=80,
protocol="HTTP",
default_actions=[def_act])
def __init__(self, scope: core.Construct, construct_id: str,
**kwargs) -> None:
super().__init__(scope, construct_id, **kwargs)
# Create an empty VPC
# If you don't specify any other resources EXCEPT the VPC, there's a standard template applied
vpc = ec2.Vpc(
self,
id="MyVPC",
nat_gateways=0,
cidr="192.168.0.0/20",
max_azs=1,
subnet_configuration=[],
)
# A couple of subnets
app_subnet = ec2.CfnSubnet(
self,
id="Application",
vpc_id=vpc.vpc_id,
availability_zone="eu-central-1a",
cidr_block="192.168.1.0/24",
map_public_ip_on_launch=False,
tags=[core.CfnTag(key="Name", value="Application")])
web_subnet = ec2.CfnSubnet(
self,
id="Webhost",
vpc_id=vpc.vpc_id,
availability_zone="eu-central-1b",
cidr_block="192.168.2.0/24",
map_public_ip_on_launch=True,
tags=[core.CfnTag(key="Name", value="WebHost")])
# A couple of route tables
private_rt = ec2.CfnRouteTable(
self,
id="Private_RT",
vpc_id=vpc.vpc_id,
tags=[core.CfnTag(key="Name", value="Private_RT")])
public_rt = ec2.CfnRouteTable(
self,
id="Public_RT",
vpc_id=vpc.vpc_id,
tags=[core.CfnTag(key="Name", value="Public_RT")])
# How to associate a subnet with a route table
ec2.CfnSubnetRouteTableAssociation(self,
id="WebHostRTAssoc",
subnet_id=web_subnet.ref,
route_table_id=public_rt.ref)
ec2.CfnSubnetRouteTableAssociation(self,
id="ApplicationRTAssoc",
subnet_id=app_subnet.ref,
route_table_id=private_rt.ref)
# A gateway (Internet Gateway in this case)
igw = ec2.CfnInternetGateway(
self, id="MyIGW", tags=[core.CfnTag(key="Name", value="IGW")])
# How to associate a gateway to a VPC (IGW in this case - for VGW use vpn_gateway_id=blablabla)
ec2.CfnVPCGatewayAttachment(self,
id="IGW_Assoc",
vpc_id=vpc.vpc_id,
internet_gateway_id=igw.ref)
# Elastic IP
eip_01 = ec2.CfnEIP(self, id="EIP01")
# NAT gateway
ngw = ec2.CfnNatGateway(self,
id="NAT_GW",
allocation_id=eip_01.attr_allocation_id,
subnet_id=web_subnet.ref,
tags=[core.CfnTag(key="Name", value="NAT_GW")])
ngw.add_depends_on(eip_01)
# Add a route to a route table
default_route_public = ec2.CfnRoute(self,
id="DefaultRoutePublic",
route_table_id=public_rt.ref,
destination_cidr_block="0.0.0.0/0",
gateway_id=igw.ref)
default_route_public.add_depends_on(igw)
default_route_private = ec2.CfnRoute(
self,
id="DefaultRouteprivate",
route_table_id=private_rt.ref,
destination_cidr_block="0.0.0.0/0",
nat_gateway_id=ngw.ref)
default_route_private.add_depends_on(ngw)
### Security Groups ###
# PUBLIC SUBNET SG
sg_public = ec2.CfnSecurityGroup(
self,
id="SG_PUBLIC",
group_description="SG for the Public Subnet",
group_name="SG_PUBLIC",
vpc_id=vpc.vpc_id,
tags=[core.CfnTag(key="Name", value="SG_Public")])
my_home_ip = requests.get("https://api.my-ip.io/ip.json").json()['ip']
ports_pub = {'tcp': [22, 80], 'icmp': [-1]}
for protocl, ports_list in ports_pub.items():
for port in ports_list:
ec2.CfnSecurityGroupIngress(
self,
id=f"sg_pub_in_{protocl}_{port}",
group_id=sg_public.attr_group_id,
ip_protocol=protocl,
cidr_ip=f"{my_home_ip}/32",
to_port=port,
from_port=port,
description=f"{protocl.upper()} {port} from home IP")
# SG INGRESS ENTRIES - ICMP - EXAMPLE
# sg_in_icmp = ec2.CfnSecurityGroupIngress(self, id="SG_PUB_IN_ICMP",
# group_id=sg_public.attr_group_id,
# ip_protocol = "icmp",
# cidr_ip = f"{my_home_ip}/32",
# to_port = -1,
# from_port = -1,
# description = "ICMP FROM HOME")
# SG EGRESS ENTRIES - AUTO-IMPLIED IF NOT CONFIGURED
# sg_out_all = ec2.CfnSecurityGroupEgress(self, id="SG_PUB_OUT_ALL",
# group_id=sg_public.attr_group_id,
# ip_protocol="-1",
# cidr_ip="0.0.0.0/0")
# PRIVATE SUBNET SG
sg_private = ec2.CfnSecurityGroup(
self,
id="SG_PRIVATE",
group_description="SG for the Private Subnet",
group_name="SG_PRIVATE",
vpc_id=vpc.vpc_id,
tags=[core.CfnTag(key="Name", value="SG_Private")])
sg_private.add_depends_on(sg_public)
ports_priv = {'tcp': [22, 21, 53, 3368, 80], 'icmp': [-1]}
for protocl, ports_list in ports_priv.items():
for port in ports_list:
ec2.CfnSecurityGroupIngress(
self,
id=f"sg_priv_in_{protocl}_{port}",
group_id=sg_private.attr_group_id,
description=
f"{protocl.upper()}:{port} from the public subnet only",
ip_protocol=protocl,
from_port=port,
to_port=port,
source_security_group_id=sg_public.ref)
### EC2 Instances ###
# Generate some user data _ WIP
# user_data = ec2.UserData.custom
# One in the public subnet
webserver01 = ec2.CfnInstance(
self,
id="WebServer01",
image_id="ami-0de9f803fcac87f46",
instance_type="t2.micro",
subnet_id=web_subnet.ref,
key_name="proton_mail_kp",
security_group_ids=[sg_public.ref],
tags=[core.CfnTag(key="Name", value="WebServer01")])
appserver01 = ec2.CfnInstance(
self,
id="AppServer01",
image_id="ami-0de9f803fcac87f46",
instance_type="t2.micro",
subnet_id=app_subnet.ref,
key_name="proton_mail_kp",
security_group_ids=[sg_private.ref],
tags=[core.CfnTag(key="Name", value="AppServer01")])
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
# The code that defines your stack goes here
# vpc network
vpc = aws_ec2.CfnVPC(self,
'VPC',
cidr_block='10.0.0.0/16',
enable_dns_hostnames=True,
enable_dns_support=True,
instance_tenancy='default',
tags=[core.CfnTag(key='Name', value='vpc')])
internetgateway = aws_ec2.CfnInternetGateway(
self,
'internetgateway',
tags=[core.CfnTag(key='Name', value='internetgateway')])
aws_ec2.CfnVPCGatewayAttachment(
self,
'VPCGatewayAttachment',
vpc_id=vpc.ref,
internet_gateway_id=internetgateway.ref)
networkacl = aws_ec2.CfnNetworkAcl(
self,
'NetworkAcl',
vpc_id=vpc.ref,
tags=[core.CfnTag(key='Name', value='networkacl')])
aws_ec2.CfnNetworkAclEntry(self,
'NetworkAclEntry01',
network_acl_id=networkacl.ref,
protocol=-1,
rule_action='allow',
rule_number=100,
cidr_block='0.0.0.0/0',
egress=True)
aws_ec2.CfnNetworkAclEntry(self,
'NetworkAclEntry03',
network_acl_id=networkacl.ref,
protocol=-1,
rule_action='allow',
rule_number=100,
cidr_block='0.0.0.0/0',
egress=False)
# public network
publicsubnet01 = aws_ec2.CfnSubnet(
self,
'publicsubnet01',
cidr_block='10.0.0.0/24',
vpc_id=vpc.ref,
availability_zone='ap-northeast-1a',
tags=[core.CfnTag(key='Name', value='publicsubnet01')])
publicsubnet02 = aws_ec2.CfnSubnet(
self,
'publicsubnet02',
cidr_block='10.0.1.0/24',
vpc_id=vpc.ref,
availability_zone='ap-northeast-1c',
tags=[core.CfnTag(key='Name', value='publicsubnet02')])
publicsubnet03 = aws_ec2.CfnSubnet(
self,
'publicsubnet03',
cidr_block='10.0.2.0/24',
vpc_id=vpc.ref,
availability_zone='ap-northeast-1d',
tags=[core.CfnTag(key='Name', value='publicsubnet03')])
publicroutetable01 = aws_ec2.CfnRouteTable(
self,
'publicroutetable01',
vpc_id=vpc.ref,
tags=[core.CfnTag(key='Name', value='publicroutetable01')])
publicroutetable02 = aws_ec2.CfnRouteTable(
self,
'publicroutetable02',
vpc_id=vpc.ref,
tags=[core.CfnTag(key='Name', value='publicroutetable02')])
publicroutetable03 = aws_ec2.CfnRouteTable(
self,
'publicroutetable03',
vpc_id=vpc.ref,
tags=[core.CfnTag(key='Name', value='publicroutetable03')])
aws_ec2.CfnRoute(
self,
'publicroute01',
destination_cidr_block='0.0.0.0/0',
gateway_id=internetgateway.ref,
route_table_id=publicroutetable01.ref,
)
aws_ec2.CfnRoute(self,
'publicroute02',
destination_cidr_block='0.0.0.0/0',
gateway_id=internetgateway.ref,
route_table_id=publicroutetable02.ref)
aws_ec2.CfnRoute(self,
'publicroute03',
destination_cidr_block='0.0.0.0/0',
gateway_id=internetgateway.ref,
route_table_id=publicroutetable03.ref)
aws_ec2.CfnSubnetRouteTableAssociation(
self,
'publicsubnetroutetableassociation01',
route_table_id=publicroutetable01.ref,
subnet_id=publicsubnet01.ref)
aws_ec2.CfnSubnetRouteTableAssociation(
self,
'publicsubnetroutetableassociation02',
route_table_id=publicroutetable02.ref,
subnet_id=publicsubnet02.ref)
aws_ec2.CfnSubnetRouteTableAssociation(
self,
'publicsubnetroutetableassociation03',
route_table_id=publicroutetable03.ref,
subnet_id=publicsubnet03.ref)
aws_ec2.CfnSubnetNetworkAclAssociation(
self,
'publicSubnetNetworkAclAssociation01',
network_acl_id=networkacl.ref,
subnet_id=publicsubnet01.ref)
aws_ec2.CfnSubnetNetworkAclAssociation(
self,
'publicSubnetNetworkAclAssociation02',
network_acl_id=networkacl.ref,
subnet_id=publicsubnet02.ref)
aws_ec2.CfnSubnetNetworkAclAssociation(
self,
'publicSubnetNetworkAclAssociation03',
network_acl_id=networkacl.ref,
subnet_id=publicsubnet03.ref)
# private network
privatesubnet01 = aws_ec2.CfnSubnet(
self,
'privatesubnet01',
cidr_block='10.0.11.0/24',
vpc_id=vpc.ref,
availability_zone='ap-northeast-1a',
tags=[core.CfnTag(key='Name', value='privatesubnet01')])
privatesubnet02 = aws_ec2.CfnSubnet(
self,
'privatesubnet02',
cidr_block='10.0.12.0/24',
vpc_id=vpc.ref,
availability_zone='ap-northeast-1c',
tags=[core.CfnTag(key='Name', value='privatesubnet02')])
privatesubnet03 = aws_ec2.CfnSubnet(
self,
'privatesubnet03',
cidr_block='10.0.13.0/24',
vpc_id=vpc.ref,
availability_zone='ap-northeast-1d',
tags=[core.CfnTag(key='Name', value='privatesubnet03')])
privateroutetable01 = aws_ec2.CfnRouteTable(
self,
'privateroutetable01',
vpc_id=vpc.ref,
tags=[core.CfnTag(key='Name', value='privateroutetable01')])
privateroutetable02 = aws_ec2.CfnRouteTable(
self,
'privateroutetable02',
vpc_id=vpc.ref,
tags=[core.CfnTag(key='Name', value='privateroutetable02')])
privateroutetable03 = aws_ec2.CfnRouteTable(
self,
'privateroutetable03',
vpc_id=vpc.ref,
tags=[core.CfnTag(key='Name', value='privateroutetable03')])
aws_ec2.CfnSubnetRouteTableAssociation(
self,
'privatesubnetroutetableassociation01',
route_table_id=privateroutetable01.ref,
subnet_id=privatesubnet01.ref)
aws_ec2.CfnSubnetRouteTableAssociation(
self,
'privatesubnetroutetableassociation02',
route_table_id=privateroutetable02.ref,
subnet_id=privatesubnet02.ref)
aws_ec2.CfnSubnetRouteTableAssociation(
self,
'privatesubnetroutetableassociation03',
route_table_id=privateroutetable03.ref,
subnet_id=privatesubnet03.ref)
eip01 = aws_ec2.CfnEIP(self,
'eip01',
tags=[core.CfnTag(key='Name', value='eip01')])
eip02 = aws_ec2.CfnEIP(self,
'eip02',
tags=[core.CfnTag(key='Name', value='eip02')])
eip03 = aws_ec2.CfnEIP(self,
'eip03',
tags=[core.CfnTag(key='Name', value='eip03')])
natgateway01 = aws_ec2.CfnNatGateway(
self,
'natgateway01',
allocation_id=eip01.attr_allocation_id,
subnet_id=publicsubnet01.ref,
tags=[core.CfnTag(key='Name', value='natgateway01')])
natgateway02 = aws_ec2.CfnNatGateway(
self,
'natgateway02',
allocation_id=eip02.attr_allocation_id,
subnet_id=publicsubnet02.ref,
tags=[core.CfnTag(key='Name', value='natgateway02')])
natgateway03 = aws_ec2.CfnNatGateway(
self,
'natgateway03',
allocation_id=eip03.attr_allocation_id,
subnet_id=publicsubnet03.ref,
tags=[core.CfnTag(key='Name', value='natgateway03')])
aws_ec2.CfnRoute(self,
'privateroute01',
destination_cidr_block='0.0.0.0/0',
nat_gateway_id=natgateway01.ref,
route_table_id=privateroutetable01.ref)
aws_ec2.CfnRoute(self,
'privateroute02',
destination_cidr_block='0.0.0.0/0',
nat_gateway_id=natgateway02.ref,
route_table_id=privateroutetable02.ref)
aws_ec2.CfnRoute(self,
'privateroute03',
destination_cidr_block='0.0.0.0/0',
nat_gateway_id=natgateway03.ref,
route_table_id=privateroutetable03.ref)
aws_ec2.CfnSubnetNetworkAclAssociation(
self,
'privateSubnetNetworkAclAssociation01',
network_acl_id=networkacl.ref,
subnet_id=privatesubnet01.ref)
aws_ec2.CfnSubnetNetworkAclAssociation(
self,
'privateSubnetNetworkAclAssociation02',
network_acl_id=networkacl.ref,
subnet_id=privatesubnet02.ref)
aws_ec2.CfnSubnetNetworkAclAssociation(
self,
'privateSubnetNetworkAclAssociation03',
network_acl_id=networkacl.ref,
subnet_id=privatesubnet03.ref)
# isolate network
'''
isolatesubnet01 = aws_ec2.CfnSubnet(self, 'isolatesubnet01', cidr_block='10.0.21.0/24', vpc_id=vpc.ref, availability_zone='ap-northeast-1a', tags=[core.CfnTag(key='Name', value='isolatesubnet01')])
isolatesubnet02 = aws_ec2.CfnSubnet(self, 'isolatesubnet02', cidr_block='10.0.22.0/24', vpc_id=vpc.ref, availability_zone='ap-northeast-1c', tags=[core.CfnTag(key='Name', value='isolatesubnet02')])
isolatesubnet03 = aws_ec2.CfnSubnet(self, 'isolatesubnet03', cidr_block='10.0.23.0/24', vpc_id=vpc.ref, availability_zone='ap-northeast-1d', tags=[core.CfnTag(key='Name', value='isolatesubnet03')])
isolateroutetable01 = aws_ec2.CfnRouteTable(self, 'isolateroutetable01', vpc_id=vpc.ref, tags=[core.CfnTag(key='Name', value='isolateroutetable01')])
isolateroutetable02 = aws_ec2.CfnRouteTable(self, 'isolateroutetable02', vpc_id=vpc.ref, tags=[core.CfnTag(key='Name', value='isolateroutetable02')])
isolateroutetable03 = aws_ec2.CfnRouteTable(self, 'isolateroutetable03', vpc_id=vpc.ref, tags=[core.CfnTag(key='Name', value='isolateroutetable03')])
aws_ec2.CfnSubnetRouteTableAssociation(self, 'isolatesubnetroutetableassociation01', route_table_id=isolateroutetable01.ref, subnet_id=isolatesubnet01.ref)
aws_ec2.CfnSubnetRouteTableAssociation(self, 'isolatesubnetroutetableassociation02', route_table_id=isolateroutetable02.ref, subnet_id=isolatesubnet02.ref)
aws_ec2.CfnSubnetRouteTableAssociation(self, 'isolatesubnetroutetableassociation03', route_table_id=isolateroutetable03.ref, subnet_id=isolatesubnet03.ref)
aws_ec2.CfnSubnetNetworkAclAssociation(self, 'isolateSubnetNetworkAclAssociation01', network_acl_id=networkacl.ref, subnet_id=isolatesubnet01.ref)
aws_ec2.CfnSubnetNetworkAclAssociation(self, 'isolateSubnetNetworkAclAssociation02', network_acl_id=networkacl.ref, subnet_id=isolatesubnet02.ref)
aws_ec2.CfnSubnetNetworkAclAssociation(self, 'isolateSubnetNetworkAclAssociation03', network_acl_id=networkacl.ref, subnet_id=isolatesubnet03.ref)
'''
# output
core.CfnOutput(self,
'output01',
value=vpc.ref,
description='vpcid',
export_name='vpcid01')
core.CfnOutput(self,
'output02',
value=publicsubnet01.ref,
description='publicsubnet01',
export_name='publicsubnet01')
core.CfnOutput(self,
'output03',
value=publicsubnet02.ref,
description='publicsubnet02',
export_name='publicsubnet02')
core.CfnOutput(self,
'output04',
value=publicsubnet03.ref,
description='publicsubnet03',
export_name='publicsubnet03')
core.CfnOutput(self,
'output05',
value=privatesubnet01.ref,
description='privatesubnet01',
export_name='privatesubnet01')
core.CfnOutput(self,
'output06',
value=privatesubnet02.ref,
description='privatesubnet02',
export_name='privatesubnet02')
core.CfnOutput(self,
'output07',
value=privatesubnet03.ref,
description='privatesubnet03',
export_name='privatesubnet03')
