def __init__(self, scope:core.Construct, id:str,landing_zone:IVpcLandingZone, **kwargs):
super().__init__(scope,id, **kwargs)
# Create the primary domain
self.virtual_world = r53.PrivateHostedZone(self,'VirtualWorld',
zone_name='virtual.world',
vpc=landing_zone.vpc,
comment='Primary domain name')
# Create the real world
self.real_world = r53.PrivateHostedZone(self,'RealWorld',
zone_name='real.world',
vpc=landing_zone.vpc,
comment='Name resolution back to physical realm')
# Add the public records...
# https://abram.com.au/converting-pem-to-pfx-certificates/
with open('chatham.json','r') as f:
json = loads(f.read())
for zone in [self.real_world]:
for entry in json:
ip = entry['ip']
name = entry['name']
record_name = '{}.{}'.format(name,zone.zone_name)
r53.ARecord(self,record_name,
zone=self.real_world,
record_name=record_name,
target= r53.RecordTarget.from_ip_addresses(ip))
def __init__(self, scope: core.Construct, id: builtins.str,
landing_zone: IVpcLandingZone) -> None:
super().__init__(scope, id)
self.__landing_zone = landing_zone
# Setup DNS...
self.trader_dns_zone = r53.PrivateHostedZone(
self,
'Trader',
zone_name='trader.fsi'.format(landing_zone.zone_name.lower()),
vpc=landing_zone.vpc,
comment='HomeNet Financial Services Domain')
# Create a key and delegate access to IAM...
self.key = kms.Key(
self,
'Key',
alias='homenet/fsi',
enable_key_rotation=True,
policy=iam.PolicyDocument(statements=[
iam.PolicyStatement(effect=iam.Effect.ALLOW,
principals=[
iam.AccountPrincipal(
core.Stack.of(self).account)
],
actions=['kms:*'],
resources=['*'])
]))
# Create central resources...
self.tda_secret = sm.Secret(
self,
'AmeritradeSecrets',
removal_policy=core.RemovalPolicy.DESTROY,
secret_name='HomeNet-{}-Ameritrade-Secrets'.format(
self.landing_zone.zone_name))
self.bucket = s3.Bucket(self,
'Bucket',
bucket_name='homenet-{}.{}.trader.fsi'.format(
self.landing_zone.zone_name,
core.Stack.of(self).region).lower(),
versioned=True)
r53.ARecord(self,
'BucketAlias',
zone=self.trader_dns_zone,
record_name=self.bucket.bucket_domain_name,
target=r53.RecordTarget.from_alias(
dns_targets.BucketWebsiteTarget(self.bucket)))
# self.fspace = space.CfnEnvironment(self,'Finspace',
# name='HomeNet-FsiCoreSvc',
# kms_key_id= self.key.key_id,
# description="HomeNet Financial Servicing Catalog")
self.finspace = FinSpaceEnvironment()
self.key.grant_admin(iam.ServicePrincipal(service='finspace'))
def __init__(self, scope: core.Construct, id: str, context: InfraContext,
**kwargs) -> None:
super().__init__(scope, id, **kwargs)
self.__vpc = ec2.Vpc(
self,
'FinSurf',
cidr='10.50.0.0/16',
nat_gateway_subnets=ec2.SubnetSelection(
subnet_group_name='Egress'),
enable_dns_hostnames=True,
enable_dns_support=True,
nat_gateways=2,
max_azs=2,
subnet_configuration=[
ec2.SubnetConfiguration(name='Egress',
subnet_type=ec2.SubnetType.PUBLIC,
cidr_mask=28),
ec2.SubnetConfiguration(name='EarningApi',
subnet_type=ec2.SubnetType.PRIVATE,
cidr_mask=24),
ec2.SubnetConfiguration(name='Alexa',
subnet_type=ec2.SubnetType.PRIVATE,
cidr_mask=24),
ec2.SubnetConfiguration(name='FriendlyNamed',
subnet_type=ec2.SubnetType.PRIVATE,
cidr_mask=24),
ec2.SubnetConfiguration(name='AccountLinking',
subnet_type=ec2.SubnetType.PRIVATE,
cidr_mask=24),
ec2.SubnetConfiguration(name='PortfolioMgmt',
subnet_type=ec2.SubnetType.PRIVATE,
cidr_mask=24),
ec2.SubnetConfiguration(name='Collections',
subnet_type=ec2.SubnetType.PRIVATE,
cidr_mask=24),
ec2.SubnetConfiguration(name='MarketGraph',
subnet_type=ec2.SubnetType.PRIVATE,
cidr_mask=24),
ec2.SubnetConfiguration(name='MapReduce',
subnet_type=ec2.SubnetType.PRIVATE,
cidr_mask=24),
])
self.__hostedZone = dns.PrivateHostedZone(
self,
'PrivateFinSurfZone',
vpc=self.vpc,
zone_name=context.environment.region + '.finsurf.internal',
comment='Internal zone for FinSurf application')
def __init__(self, scope: core.Construct, construct_id: str, env, **kwargs) -> None:
super().__init__(scope, construct_id, env=env, **kwargs)
# The code that defines your stack goes here
if self.node.try_get_context("tags"):
self.user_defined_tags = self.node.try_get_context("tags").split(' ')
else:
self.user_defined_tags = None
vpc = ec2.Vpc(self, "VPC_EMQ",
max_azs=2,
cidr="10.10.0.0/16",
# configuration will create 3 groups in 2 AZs = 6 subnets.
subnet_configuration=[ec2.SubnetConfiguration(
subnet_type=ec2.SubnetType.PUBLIC,
name="Public",
cidr_mask=24
), ec2.SubnetConfiguration(
subnet_type=ec2.SubnetType.PRIVATE,
name="Private",
cidr_mask=24
), ec2.SubnetConfiguration(
subnet_type=ec2.SubnetType.ISOLATED,
name="DB",
cidr_mask=24
)
],
nat_gateways=2
)
self.vpc = vpc
# Route53
int_zone = r53.PrivateHostedZone(self, r53_zone_name,
zone_name = 'int.emqx',
vpc = vpc
)
self.int_zone = int_zone
# Define cfn parameters
# ec2_type = CfnParameter(self, "ec2-instance-type",
# type="String", default="m5.2xlarge",
# description="Specify the instance type you want").value_as_string
key_name = CfnParameter(self, "ssh key",
type="String", default="key_ireland",
description="Specify your SSH key").value_as_string
sg = ec2.SecurityGroup(self, id = 'sg_int', vpc = vpc)
self.sg = sg
sg.add_ingress_rule(ec2.Peer.any_ipv4(), ec2.Port.tcp(22), 'SSH frm anywhere')
sg.add_ingress_rule(ec2.Peer.any_ipv4(), ec2.Port.tcp(1883), 'MQTT TCP Port')
sg.add_ingress_rule(ec2.Peer.any_ipv4(), ec2.Port.tcp(8883), 'MQTT TCP/TLS Port')
sg.add_ingress_rule(ec2.Peer.any_ipv4(), ec2.Port.udp(14567), 'MQTT Quic Port')
sg.add_ingress_rule(ec2.Peer.any_ipv4(), ec2.Port.tcp(18083), 'WEB UI')
sg.add_ingress_rule(ec2.Peer.any_ipv4(), ec2.Port.tcp(4369), 'EMQX dist port 1')
sg.add_ingress_rule(ec2.Peer.any_ipv4(), ec2.Port.tcp(4370), 'EMQX dist port 2')
sg.add_ingress_rule(ec2.Peer.any_ipv4(), ec2.Port.tcp(8081), 'EMQX dashboard')
sg.add_ingress_rule(ec2.Peer.any_ipv4(), ec2.Port.tcp(2379), 'etcd client port')
sg.add_ingress_rule(ec2.Peer.any_ipv4(), ec2.Port.tcp(2380), 'etcd peer port')
# Create Bastion Server
bastion = ec2.BastionHostLinux(self, "Bastion",
vpc=vpc,
subnet_selection=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PUBLIC),
instance_name="BastionHostLinux",
instance_type=ec2.InstanceType(instance_type_identifier="t3.nano"))
bastion.instance.instance.add_property_override("KeyName", key_name)
bastion.connections.allow_from_any_ipv4(
ec2.Port.tcp(22), "Internet access SSH")
# Create NLB
nlb = elb.NetworkLoadBalancer(self, "emq-elb",
vpc=vpc,
internet_facing=False,
cross_zone_enabled=True,
load_balancer_name="emq-nlb")
r53.ARecord(self, "AliasRecord",
zone = int_zone,
record_name = loadbalancer_dnsname,
target = r53.RecordTarget.from_alias(r53_targets.LoadBalancerTarget(nlb))
)
self.nlb = nlb
listener = nlb.add_listener("port1883", port=1883)
listenerTLS = nlb.add_listener("port8883", port=8883) # TLS, emqx terminataion
listenerQuic = nlb.add_listener("port14567", port=14567, protocol=elbv2.Protocol.UDP)
listenerUI = nlb.add_listener("port80", port=80)
# Create Autoscaling Group with desired 2*EC2 hosts
# asg = autoscaling.AutoScalingGroup(self, "emq-asg",
# vpc=vpc,
# vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE),
# instance_type=ec2.InstanceType(
# instance_type_identifier=ec2_type),
# machine_image=linux_ami,
# security_group = sg,
# key_name=key_name,
# user_data=ec2.UserData.custom(user_data),
# health_check=HealthCheck.elb(grace=Duration.seconds(60)),
# desired_capacity=3,
# min_capacity=2,
# max_capacity=4
# )
# if self.user_defined_tags:
# core.Tags.of(asg).add(*self.user_defined_tags)
# # NLB cannot associate with a security group therefore NLB object has no Connection object
# # Must modify manuall inbound rule of the newly created asg security group to allow access
# # from NLB IP only
# asg.connections.allow_from_any_ipv4(
# ec2.Port.tcp(1883), "Allow NLB access 1883 port of EC2 in Autoscaling Group")
# asg.connections.allow_from_any_ipv4(
# ec2.Port.tcp(18083), "Allow NLB access WEB UI")
# asg.connections.allow_from_any_ipv4(
# ec2.Port.tcp(4369), "Allow emqx cluster distribution port 1")
# asg.connections.allow_from_any_ipv4(
# ec2.Port.tcp(4370), "Allow emqx cluster distribution port 2")
# asg.connections.allow_from_any_ipv4(
# ec2.Port.udp(4369), "Allow emqx cluster discovery port 1")
# asg.connections.allow_from_any_ipv4(
# ec2.Port.udp(4370), "Allow emqx cluster discovery port 2")
# asg.connections.allow_from_any_ipv4(
# ec2.Port.tcp(8081), "Allow emqx cluster dashboard access")
# asg.connections.allow_from_any_ipv4(
# ec2.Port.tcp(2379), "Allow emqx cluster discovery port (etcd)")
# asg.connections.allow_from_any_ipv4(
# ec2.Port.tcp(2380), "Allow emqx cluster discovery port (etcd)")
# asg.connections.allow_from(bastion,
# ec2.Port.tcp(22), "Allow SSH from the bastion only")
self.setup_emqx(numEmqx, vpc, int_zone, sg, key_name)
listener.add_targets('ec2',
port=1883,
targets=
[ target.InstanceTarget(x)
for x in self.emqx_vms])
# @todo we need ssl terminataion
listenerUI.add_targets('ec2',
port=18083,
targets=[ target.InstanceTarget(x)
for x in self.emqx_vms])
listenerQuic.add_targets('ec2',
port=14567,
protocol=elbv2.Protocol.UDP,
targets=[ target.InstanceTarget(x)
for x in self.emqx_vms])
listenerTLS.add_targets('ec2',
port=8883,
targets=[ target.InstanceTarget(x)
for x in self.emqx_vms])
""" db_mysql = rds.DatabaseInstance(self, "EMQ_MySQL_DB",
engine=rds.DatabaseInstanceEngine.mysql(
version=rds.MysqlEngineVersion.VER_5_7_30),
instance_type=ec2.InstanceType.of(
ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.SMALL),
vpc=vpc,
multi_az=True,
allocated_storage=100,
storage_type=rds.StorageType.GP2,
cloudwatch_logs_exports=["audit", "error", "general", "slowquery"],
deletion_protection=False,
delete_automated_backups=False,
backup_retention=core.Duration.days(7),
parameter_group=rds.ParameterGroup.from_parameter_group_name(
self, "para-group-mysql",
parameter_group_name="default.mysql5.7"),
)
asg_security_groups = asg.connections.security_groups
for asg_sg in asg_security_groups:
db_mysql.connections.allow_default_port_from(asg_sg, "EC2 Autoscaling Group access MySQL") """
#self.setup_monitoring()
self.setup_etcd(vpc, int_zone, sg, key_name)
self.setup_loadgen(numLg, vpc, int_zone, sg, key_name, nlb.load_balancer_dns_name)
self.setup_monitoring()
core.CfnOutput(self, "Output",
value=nlb.load_balancer_dns_name)
core.CfnOutput(self, "SSH Entrypoint",
value=bastion.instance_public_ip)
core.CfnOutput(self, "SSH cmds",
value="ssh -A -l ec2-user %s -L8888:%s:80 -L 9999:%s:80 -L 13000:%s:3000"
% (bastion.instance_public_ip, nlb.load_balancer_dns_name, self.mon_lb, self.mon_lb)
)
def __init__(self, scope: core.Construct, id: str, vpc: ec2.IVpc,
**kwargs) -> None:
super().__init__(scope, id, **kwargs)
# The code that defines your stack goes here
demords = rds.DatabaseInstance(
self,
"RDS",
master_username="******",
master_user_password=core.SecretValue.plain_text(rdspwd),
database_name="db1",
engine_version="8.0.16",
delete_automated_backups=True,
engine=rds.DatabaseInstanceEngine.MYSQL,
# instance_identifier="cdkdemords2",
vpc=vpc,
port=3306,
instance_type=ec2.InstanceType.of(
ec2.InstanceClass.BURSTABLE3,
ec2.InstanceSize.SMALL,
),
removal_policy=core.RemovalPolicy.DESTROY,
deletion_protection=False,
)
# The code that is version for 1.62.0 .
#vpc = ec2.Vpc(self, 'rdsvpc',
#cidr="10.0.0.0/16",
#enable_dns_hostnames=True,
#enable_dns_support=True,
#nat_gateways=0,
#subnet_configuration=[ec2.SubnetConfiguration(
# cidr_mask=20,
# name='PublicSubnet',
# subnet_type=ec2.SubnetType.PUBLIC,
# )])
#rdspg = rds.ParameterGroup(self, 'dbpg',engine=rds.DatabaseInstanceEngine.mysql(version=rds.MysqlEngineVersion.VER_8_0_16))
#demords = rds.DatabaseInstance(
# self, "RDS",
# master_username="******",
# master_user_password=core.SecretValue.plain_text(rdspwd),
# database_name="db1",
# delete_automated_backups=True,
# parameter_group=rdspg,
# # instance_identifier="cdkdemords2",
# vpc=vpc,
# engine=rds.DatabaseInstanceEngine.mysql(version=rds.MysqlEngineVersion.VER_8_0_16),
# port=3306,
# instance_type=ec2.InstanceType("t3.small"),
# removal_policy=core.RemovalPolicy.DESTROY,
# deletion_protection=False,
# vpc_subnets={
# "subnet_type": ec2.SubnetType.PUBLIC
# }
#)
#external_ip = requests.get('https://checkip.amazonaws.com').text.rstrip()
#your_public_ip = str(external_ip + "/32")
#demords.connections.allow_default_port_from(other=ec2.Peer.ipv4(your_public_ip))
demords.connections.allow_default_port_from(
other=ec2.Peer.ipv4(vpc.vpc_cidr_block))
zone = r53.PrivateHostedZone(self,
'cdkdemo-zone',
vpc=vpc,
zone_name="example.io")
cname = r53.CnameRecord(
self,
'cdk-rds-cname-record',
zone=zone,
domain_name=demords.db_instance_endpoint_address,
record_name="cdkdemo",
ttl=core.Duration.minutes(1))
core.CfnOutput(self, 'rds-passwd', value=rdspwd)
core.CfnOutput(self,
'rds-host-url',
value=demords.db_instance_endpoint_address)
core.CfnOutput(self, 'rds-cname', value=cname.domain_name)