def __init__(self, scope: cdk.Stack, construct_id: str, **kwargs) -> None: super().__init__(scope, construct_id, **kwargs) # Create the VPC resource. self._vpc = Vpc(self, "MyVPC", cidr="10.10.0.0/16") # Create a Security Group within the VPC that is used to allow # management traffic from designated jump hosts. self._sg = SecurityGroup( self, "MySG", vpc=self._vpc, allow_all_outbound=False, description="Management traffic from jump boxes", security_group_name="jumpbox-mgmt-traffic") # Add ingress rules to the Security Group for the jump host # 10.255.0.10 to TCP/22 and TCP/3389. self._sg.add_ingress_rule(peer=Peer.ipv4("10.255.0.10/32"), connection=Port( protocol=Protocol.TCP, string_representation="host1", from_port=22, to_port=22)) self._sg.add_ingress_rule(peer=Peer.ipv4("10.255.0.10/32"), connection=Port( protocol=Protocol.TCP, string_representation="host1", from_port=3389, to_port=3389))
def __init__(self, scope: Construct, id: str, *, alb: IApplicationLoadBalancer, **kwargs) -> None: super().__init__(scope, id, **kwargs) global g_listener_https Tags.of(self).add("Stack", "Common-Listener-Https") self._used_priorities = [] self._subdomains_cert = {} self._alb = alb self._listener = ApplicationListener( self, "Listener-Https", load_balancer=alb, port=443, protocol=ApplicationProtocol.HTTPS, ) # By default, only IPv4 is added to allowed connections self._listener.connections.allow_default_port_from( other=Peer.any_ipv6(), description="Allow from anyone on port 443", ) # Make sure there is always a backend picking up, even if we don't know the host self._listener.add_fixed_response( "default", status_code="404", message_body="Page not found", ) # Add a redirect; in case people go to HTTP, redirect them to HTTPS. self._http_listener = ApplicationListener( self, "Listener-Http", load_balancer=alb, port=80, protocol=ApplicationProtocol.HTTP, ) self._http_listener.connections.allow_default_port_from( other=Peer.any_ipv6(), description="Allow from anyone on port 80", ) self._http_listener.add_redirect_response( "Http-To-Https", status_code="HTTP_301", port="443", protocol="HTTPS", ) if g_listener_https is not None: raise Exception( "Only a single ListenerHTTPSStack instance can exist") g_listener_https = self
def add_nlb(self, scope: Construct, service: IEc2Service, port: Port, subdomain_name: str, description: str) -> None: port_dict = port.to_rule_json() Tags.of(service).add("NLB-protocol", port_dict["ipProtocol"]) Tags.of(service).add("NLB-port", str(port_dict["fromPort"])) self.create_alias(scope, subdomain_name) self.security_group.add_ingress_rule( peer=Peer.any_ipv6(), connection=port, description=f"{description} (IPv6)") self.security_group.add_ingress_rule( peer=Peer.any_ipv4(), connection=port, description=f"{description} (IPv4)")
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: super().__init__(scope, id, **kwargs) vpc = ec2.Vpc(self, 'vpc1' ) bucket_name = 'my-cdk-bucket' s3.Bucket(self, bucket_name, bucket_name=bucket_name, access_control=s3.BucketAccessControl.PUBLIC_READ_WRITE, removal_policy=RemovalPolicy.DESTROY) ec2.Volume(self, 'vol1', availability_zone='us-east-1a', size=core.Size.gibibytes(8)) sg = ec2.SecurityGroup(self, 'sg1', vpc=vpc) sg.add_ingress_rule(Peer.any_ipv4(), Port.tcp(22)) kms.Key(self, 'kms1') rds.DatabaseInstance(self, 'rds1', engine=rds.DatabaseInstanceEngine.postgres(version=PostgresEngineVersion.VER_12), master_username='******', vpc=vpc, vpc_placement=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PUBLIC))
def get_peer(self, traffic: AlbTrafficEnum) -> Optional[IPeer]: """ Depending on enum creates a peer. :param traffic: Configuration enum. :return: Peer. """ if traffic == AlbTrafficEnum.INTERNET: cidr_peer = Peer.any_ipv4() elif traffic == AlbTrafficEnum.VPC: cidr_peer = Peer.ipv4(self.__vpc.vpc_cidr_block) else: cidr_peer = None return cidr_peer
def get_web_security_group(self, vpc): security_group = SecurityGroup( self._stack, 'obm_web', vpc=vpc, allow_all_outbound=True, ) for port_number in [SSH_PORT, HTTP_PORT, HTTPS_PORT]: port = Port(from_port=port_number, to_port=port_number, protocol=Protocol.TCP, string_representation=f"Port {port_number}") security_group.add_ingress_rule(peer=Peer.any_ipv4(), connection=port) security_group.add_ingress_rule(peer=Peer.any_ipv6(), connection=port) self._tag_it(security_group) return security_group
def create_sg(self, jump_host, mgmt_ports): # Create a Security Group within the VPC that is used to allow # management traffic from designated jump hosts. self._sg = SecurityGroup( self, "MySG", vpc=self._vpc, allow_all_outbound=False, description="Management traffic from jump boxes", security_group_name="jumpbox-mgmt-traffic") # Add ingress rules to the Security Group for port in mgmt_ports: self._sg.add_ingress_rule(peer=Peer.ipv4(jump_host), connection=Port( protocol=Protocol.TCP, string_representation="jump", from_port=int(port), to_port=int(port)))
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: super().__init__(scope, id, **kwargs) vpc = ec2.Vpc(self, 'vpc1') bucket_name = 'my-cdk-bucket' s3.Bucket(self, bucket_name, bucket_name=bucket_name, access_control=s3.BucketAccessControl.PUBLIC_READ_WRITE, removal_policy=RemovalPolicy.DESTROY) ec2.Volume(self, 'vol1', availability_zone='us-east-1a', size=core.Size.gibibytes(8)) sg = ec2.SecurityGroup(self, 'sg1', vpc=vpc) sg.add_ingress_rule(Peer.any_ipv4(), Port.tcp(22)) kms.Key(self, 'kms1')
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: super().__init__(scope, id, **kwargs) # The code that defines your stack goes here EcsStack.readConfig(0) vpc = ec.Vpc( self, "Main", cidr="11.0.0.0/26", max_azs=2, nat_gateways=1, subnet_configuration=[ ec.SubnetConfiguration(name="public", cidr_mask=28, subnet_type=ec.SubnetType.PUBLIC), ec.SubnetConfiguration(name="private", cidr_mask=28, subnet_type=ec.SubnetType.PRIVATE) ]) cluster = ecs.Cluster(self, "TestingCluster", vpc=vpc) # defining the task iam role taskRole = iam.Role( self, id="taskRole", assumed_by=iam.CompositePrincipal( iam.ServicePrincipal(service='ecs-tasks.amazonaws.com'), iam.ServicePrincipal(service='ec2.amazonaws.com')), role_name="webmaintaskRole", managed_policies=[ iam.ManagedPolicy.from_aws_managed_policy_name( "AmazonRDSFullAccess"), iam.ManagedPolicy.from_aws_managed_policy_name( "AmazonSQSFullAccess"), iam.ManagedPolicy.from_aws_managed_policy_name( "AmazonS3FullAccess"), iam.ManagedPolicy.from_aws_managed_policy_name( "CloudWatchFullAccess"), iam.ManagedPolicy.from_aws_managed_policy_name( "AmazonDynamoDBFullAccess"), iam.ManagedPolicy.from_aws_managed_policy_name( "AmazonRedshiftFullAccess"), iam.ManagedPolicy.from_aws_managed_policy_name( "AmazonKinesisFullAccess"), iam.ManagedPolicy.from_aws_managed_policy_name( "service-role/AmazonECSTaskExecutionRolePolicy"), iam.ManagedPolicy.from_aws_managed_policy_name( "AmazonSNSFullAccess"), iam.ManagedPolicy.from_aws_managed_policy_name( "service-role/AWSLambdaRole"), iam.ManagedPolicy(self, id="ManagedPolicy", managed_policy_name="Grant_dev", statements=[ iam.PolicyStatement(actions=[ "kms:Decrypt", "secretemanager:GetSecreteValue" ], resources=["*"]) ]) ]) # taskRole.add_managed_policy(iam.ManagedPolicy.from_aws_managed_policy_name("AmazonRDSFullAccess")) # WebApp Main task Defenition & Service webmain_task_definition = ecs.FargateTaskDefinition( self, "WebAppMain", memory_limit_mib=512, cpu=256, task_role=taskRole, execution_role=taskRole) webmain_container = webmain_task_definition.add_container( "webapp-mainContainer", image=ecs.ContainerImage.from_registry("amazon/amazon-ecs-sample"), environment=EcsStack.commands, docker_labels={ "com.datadoghq.ad.instances": "[{\"host\": \"%%host%%\", \"port\": 80}]", "com.datadoghq.ad.check_names": "[\"ecs_fargate\"]", "com.datadoghq.ad.init_configs": "[{}]" }, logging=ecs.LogDriver.aws_logs(stream_prefix="awslogs")) # Clearing the environment vairables from the commands(Map) EcsStack.commands.clear() EcsStack.readConfig(1) webmain_datadog_container = webmain_task_definition.add_container( "webapp-main_datadog_Container", image=ecs.ContainerImage.from_registry("amazon/amazon-ecs-sample"), environment=EcsStack.commands) webmain_port_mapping = ecs.PortMapping(container_port=80, host_port=80, protocol=ecs.Protocol.TCP) datadog_port_mapping1 = ecs.PortMapping(container_port=8126, host_port=8126, protocol=ecs.Protocol.TCP) datadog_port_mapping2 = ecs.PortMapping(container_port=8125, host_port=8125, protocol=ecs.Protocol.TCP) webmain_container.add_port_mappings(webmain_port_mapping) webmain_datadog_container.add_port_mappings(datadog_port_mapping1) webmain_datadog_container.add_port_mappings(datadog_port_mapping2) # Security group for service webmain_sg = ec.SecurityGroup(self, "webmain_sg", vpc=vpc, allow_all_outbound=True, security_group_name="WebAppMain") webmain_sg.add_ingress_rule(peer=Peer.ipv4("202.65.133.194/32"), connection=Port.tcp(5432)) webmain_service = ecs.FargateService( self, "webapp-main", cluster=cluster, task_definition=webmain_task_definition, desired_count=1, security_group=webmain_sg) # defining the load balancer webmain_lb = elbv2.ApplicationLoadBalancer( self, "LB", vpc=vpc, internet_facing=True, load_balancer_name="WebAppMain", # security_group= vpc_subnets=ec.SubnetSelection(subnet_type=ec.SubnetType.PUBLIC)) webmain_target_grp = elbv2.ApplicationTargetGroup( self, id="webapp-main-target", port=80, protocol=elbv2.ApplicationProtocol.HTTP, health_check=elbv2.HealthCheck(healthy_http_codes="200-399", healthy_threshold_count=2, unhealthy_threshold_count=2, port="traffic-port", protocol=elbv2.Protocol.HTTP, timeout=core.Duration.seconds(6), interval=core.Duration.seconds(10)), targets=[webmain_service], target_group_name="WebAppMain", target_type=elbv2.TargetType.IP, vpc=vpc) listener = webmain_lb.add_listener( "webMain_Listener", port=443, open=True, default_target_groups=[webmain_target_grp], certificate_arns=[ "arn:aws:acm:us-west-2:384853870836:certificate/182c0fdd-813f-4bd3-aee1-0b4543cfb52b" ]) listener2 = webmain_lb.add_listener( "webMain_Listener2", port=80, # default_target_groups=[webmain_target_grp] ) # elbv2.ApplicationListenerCertificate(self,"WebAppMAin_Certificate",listener=listener,certificate_arns=["arn:aws:acm:us-west-2:384853870836:certificate/182c0fdd-813f-4bd3-aee1-0b4543cfb52b"]) listener2.add_redirect_response(id="HttptoHttps", status_code="HTTP_301", port="443", protocol="HTTPS")
def __init__(self, scope: cdk.Construct, construct_id: str, config, vpc: IVpc, **kwargs) -> None: super().__init__(scope, construct_id, **kwargs) self.neo4j_user_secret = Secret(self,'secretsmanager-secret-neo4j-user', secret_name=NEO4J_USER_SECRET_NAME ) neo4j_server_instance_role = Role(self,'iam-role-neo4j-server-instance', assumed_by=ServicePrincipal('ec2.amazonaws.com'), managed_policies=[ ManagedPolicy.from_aws_managed_policy_name('AmazonSSMManagedInstanceCore'), # Use SSM Session Manager rather than straight ssh ManagedPolicy.from_aws_managed_policy_name('CloudWatchAgentServerPolicy') ], inline_policies={ "work-with-tags": PolicyDocument( statements=[ PolicyStatement( actions=[ 'ec2:CreateTags', 'ec2:Describe*', 'elasticloadbalancing:Describe*', 'cloudwatch:ListMetrics', 'cloudwatch:GetMetricStatistics', 'cloudwatch:Describe*', 'autoscaling:Describe*', ], resources=["*"] ) ] ), "access-neo4j-user-secret": PolicyDocument( statements=[ PolicyStatement( actions=['secretsmanager:GetSecretValue'], resources=[self.neo4j_user_secret.secret_arn] ) ] ) } ) instance_security_group = SecurityGroup(self, "ec2-sg-neo4j-server-instance", description="Altimeter Neo4j Server Instance", vpc=vpc ) instance_security_group.add_ingress_rule(Peer.ipv4("0.0.0.0/0"), Port.tcp(7687), 'Bolt from ANYWHERE') # TESTING # instance_security_group.add_ingress_rule(Peer.ipv4("0.0.0.0/0"), Port.tcp(7473), 'Bolt from ANYWHERE') # TESTING # Prepare userdata script with open("./resources/neo4j-server-instance-userdata.sh", "r") as f: userdata_content = f.read() userdata_content = userdata_content.replace("[[NEO4J_USER_SECRET_NAME]]",NEO4J_USER_SECRET_NAME) user_data = UserData.for_linux() user_data.add_commands(userdata_content) instance_type = InstanceType.of(InstanceClass.BURSTABLE2, InstanceSize.MEDIUM) self.instance = Instance(self, 'ec2-instance-neo4j-server-instance', instance_name="instance-altimeter--neo4j-community-standalone-server", machine_image=MachineImage.generic_linux( ami_map={ "eu-west-1": "ami-00c8631d384ad7c53" } ), instance_type=instance_type, role=neo4j_server_instance_role, vpc=vpc, # vpc_subnets=SubnetSelection(subnets=vpc.select_subnets(subnet_group_name='Private').subnets), vpc_subnets=SubnetSelection(subnets=vpc.select_subnets(subnet_group_name='Public').subnets), security_group=instance_security_group, user_data=user_data, block_devices=[ BlockDevice( device_name="/dev/sda1", volume=BlockDeviceVolume.ebs( volume_size=10, volume_type=EbsDeviceVolumeType.GP2, encrypted=True, # Just encrypt delete_on_termination=True ) ), BlockDevice( device_name="/dev/sdb", volume=BlockDeviceVolume.ebs( volume_size=20, # TODO: Check size requirements volume_type=EbsDeviceVolumeType.GP2, encrypted=True, delete_on_termination=True # ASSUMPTION: NO 'primary' data, only altimeter results. ) ) ] ) cdk.Tags.of(self.instance).add("neo4j_mode", "SINGLE") cdk.Tags.of(self.instance).add("dbms_mode", "SINGLE")