}],
KeyName="common-us-east-1",
SecurityGroups=[Ref(InstanceSecurityGroups)],
IamInstanceProfile=Ref(IamInstanceProfile),
InstanceType=Ref(InstanceType),
AssociatePublicIpAddress="true",
))
NatAz2 = t.add_resource(
AutoScalingGroup(
"NatAz2",
AvailabilityZones=[Select("1", GetAZs(""))],
DesiredCapacity="1",
Tags=Tags(
Name="Test-Nat-Asg-Az2",
project="ShelterMutual",
WhichAZ="AZ2",
),
MinSize="1",
MaxSize="2",
VPCZoneIdentifier=[Ref(VpcZoneIdentifierAz2)],
LaunchConfigurationName=Ref(AsgLaunchConfiguration),
HealthCheckGracePeriod="300",
HealthCheckType="EC2",
))
NatAz3 = t.add_resource(
AutoScalingGroup(
"NatAz3",
AvailabilityZones=[Select("2", GetAZs(""))],
DesiredCapacity="1",
def generate_template():
template = Template()
ref_stack_id = Ref('AWS::StackId')
ref_region = Ref('AWS::Region')
ref_stack_name = Ref('AWS::StackName')
template.add_description(
'Base infrastructure Stack implementing VPC Scenario 2 with 2 private subnets'
)
# Create VPC
vpc = template.add_resource(
VPC('VPC',
CidrBlock='10.0.0.0/16',
EnableDnsHostnames=True,
Tags=Tags(Application=ref_stack_id)))
# Create Cidr Block for IPv6
vpc_cidr_block = template.add_resource(
VPCCidrBlock(
'VPCCidrBlock',
AmazonProvidedIpv6CidrBlock=True,
VpcId=Ref(vpc),
))
internet_gateway = template.add_resource(
InternetGateway('InternetGateway',
Tags=Tags(Application=ref_stack_id)))
template.add_resource(
VPCGatewayAttachment('AttachGateway',
VpcId=Ref(vpc),
InternetGatewayId=Ref(internet_gateway)))
# Create Routing Tables
public_route_table = template.add_resource(
RouteTable('PublicRouteTable',
VpcId=Ref(vpc),
Tags=Tags(Application=ref_stack_id)))
template.add_resource(
Route(
'RouteIPv4',
DependsOn='AttachGateway',
GatewayId=Ref('InternetGateway'),
DestinationCidrBlock='0.0.0.0/0',
RouteTableId=Ref(public_route_table),
))
template.add_resource(
Route(
'RouteIPv6',
DependsOn='AttachGateway',
GatewayId=Ref('InternetGateway'),
DestinationIpv6CidrBlock="::/0",
RouteTableId=Ref(public_route_table),
))
# Create Public Subnet
public_subnet1 = template.add_resource(
Subnet('PublicSubnet1',
DependsOn=vpc_cidr_block,
AssignIpv6AddressOnCreation=True,
CidrBlock='10.0.0.0/24',
Ipv6CidrBlock=Join("", [
Select(
0,
Split("00::/56", Select(0, GetAtt(
vpc, 'Ipv6CidrBlocks')))), "00::/64"
]),
AvailabilityZone=Join("", [ref_region, 'a']),
VpcId=Ref(vpc),
Tags=Tags(Name='public-10.0.0.0', Application=ref_stack_id)))
template.add_resource(
SubnetRouteTableAssociation(
'SubnetRouteTableAssociation1',
SubnetId=Ref(public_subnet1),
RouteTableId=Ref(public_route_table),
))
# Outputs
template.add_output(Output('VPCId', Value=Ref(vpc), Description='VPC Id'))
template.add_output(
Output('PublicSubnet1',
Value=Ref(public_subnet1),
Description='Public subnet ID'))
template.add_output(
Output('StackID', Value=ref_stack_name, Description='Stack ID'))
return template
def generate_stack_template():
template = Template()
generate_description(template)
generate_version(template)
# ---Parameters------------------------------------------------------------
param_vpc_id = Parameter(
'VpcIdentifer',
Description=
'The identity of the VPC (vpc-abcdwxyz) in which this stack shall be created.',
Type='AWS::EC2::VPC::Id',
)
template.add_parameter(param_vpc_id)
param_vpc_cidr_block = Parameter(
'VpcCidrBlock',
Description=
'The CIDR block of the VPC (w.x.y.z/n) in which this stack shall be created.',
Type='String',
Default='10.0.0.0/16')
template.add_parameter(param_vpc_cidr_block)
param_database_instance_subnet_id = Parameter(
'VpcSubnetIdentifer',
Description=
'The identity of the private subnet (subnet-abcdwxyz) in which the database server shall be created.',
Type='AWS::EC2::Subnet::Id',
)
template.add_parameter(param_database_instance_subnet_id)
param_keyname = Parameter(
'PemKeyName',
Description=
'Name of an existing EC2 KeyPair file (.pem) to use to create EC2 instances',
Type='AWS::EC2::KeyPair::KeyName')
template.add_parameter(param_keyname)
param_instance_type = Parameter(
'EC2InstanceType',
Description=
'EC2 instance type, reference this parameter to insure consistency',
Type='String',
Default=
't2.medium', # Prices from (2015-12-03) (Windows, us-west (North CA))
AllowedValues=[ # Source : https://aws.amazon.com/ec2/pricing/
't2.small', # $0.044/hour
't2.micro', # $0.022/hour
't2.medium', # $0.088/hour
't2.large', # $0.166/hour
'm3.medium', # $0.140/hour
'm3.large', # $0.28/hour
'c4.large' # $0.221/hour
],
ConstraintDescription='Must be a valid EC2 instance type')
template.add_parameter(param_instance_type)
param_s3_bucket = Parameter(
'S3Bucket',
Description='The bucket in which applicable content can be found.',
Type='String',
Default='author-it-deployment-test-us-east-1')
template.add_parameter(param_s3_bucket)
param_s3_key = Parameter(
'S3Key',
Description=
'The key within the bucket in which relevant files are located.',
Type='String',
Default='source/database/postgresql/single')
template.add_parameter(param_s3_key)
param_database_admin_password = Parameter(
'PostgresAdminPassword',
Description='The password to be used by user postgres.',
Type='String',
NoEcho=True)
template.add_parameter(param_database_admin_password)
#---Mappings---------------------------------------------------------------
mapping_environment_attribute_map = template.add_mapping(
'EnvironmentAttributeMap', {
'ap-southeast-1': {
'DatabaseServerAmi': 'ami-1ddc0b7e'
},
'ap-southeast-2': {
'DatabaseServerAmi': 'ami-0c95b86f'
},
'us-east-1': {
'DatabaseServerAmi': 'ami-a4827dc9'
},
'us-west-1': {
'DatabaseServerAmi': 'ami-f5f41398'
}
})
# ---Resources-------------------------------------------------------------
ref_stack_id = Ref('AWS::StackId')
ref_region = Ref('AWS::Region')
ref_stack_name = Ref('AWS::StackName')
path_database_admin_script = 'usr/ec2-user/postgresql/set_admin_password.sql'
name_database_server_wait_handle = 'DatabaseServerWaitHandle'
cmd_postgresql_initdb = dict(command='service postgresql-95 initdb')
cmd_start_postgresql_service = dict(command='service postgresql-95 start')
cmd_set_postgres_user_password = dict(command='psql -U postgres -f %s' %
path_database_admin_script)
cmd_start_postgresql_on_startup = dict(command='chkconfig postgresql on')
cmd_signal_success = dict(command='cfn-signal --exit-code $?')
# Create an instance of AWS::IAM::Role for the instance.
# This allows:
# - Access to S3 bucket content.
# - Stack updates
resource_instance_role = template.add_resource(
iam.Role('InstanceRole',
AssumeRolePolicyDocument=Policy(Statement=[
Statement(Action=[AssumeRole],
Effect=Allow,
Principal=Principal('Service',
['ec2.amazonaws.com']))
]),
Path='/'))
# Create the S3 policy and attach it to the role.
template.add_resource(
iam.PolicyType(
'InstanceS3DownloadPolicy',
PolicyName='S3Download',
PolicyDocument={
'Statement': [{
'Effect':
'Allow',
'Action': ['s3:GetObject'],
'Resource':
Join('', ['arn:aws:s3:::',
Ref(param_s3_bucket), '/*'])
}, {
'Effect':
'Allow',
'Action':
['cloudformation:DescribeStacks', 'ec2:DescribeInstances'],
'Resource':
'*'
}]
},
Roles=[Ref(resource_instance_role)]))
# Create the CloudFormation stack update policy and attach it to the role.
template.add_resource(
iam.PolicyType('InstanceStackUpdatePolicy',
PolicyName='StackUpdate',
PolicyDocument={
'Statement': [{
"Effect": "Allow",
"Action": "Update:*",
"Resource": "*"
}]
},
Roles=[Ref(resource_instance_role)]))
# Create the AWS::IAM::InstanceProfile from the role for reference in the
# database server instance definition.
resource_instance_profile = template.add_resource(
iam.InstanceProfile('InstanceProfile',
Path='/',
Roles=[Ref(resource_instance_role)]))
# Create a security group for the postgresql instance.
# This must be internal to the VPC only.
name_security_group_database = 'VpcDatabaseSecurityGroup'
resource_database_security_group = ec2.SecurityGroup(
name_security_group_database,
GroupDescription=Join(
' ', ['Security group for VPC database',
Ref(param_vpc_id)]),
Tags=Tags(Name=name_security_group_database),
VpcId=Ref(param_vpc_id))
template.add_resource(resource_database_security_group)
template.add_output(
Output('SecurityGroupForDatabase',
Description='Security group created for database in VPC.',
Value=Ref(resource_database_security_group)))
# Add ingress rule from VPC to database security group for database traffic.
database_port = 5432
ssh_port = 22
template.add_resource(
ec2.SecurityGroupIngress('DatabaseSecurityGroupDatabaseIngress',
CidrIp=Ref(param_vpc_cidr_block),
FromPort=str(database_port),
GroupId=Ref(resource_database_security_group),
IpProtocol='tcp',
ToPort=str(database_port)))
# Add ingress rule from VPC to database security group for ssh traffic.
ssh_port = 22
template.add_resource(
ec2.SecurityGroupIngress('DatabaseSecurityGroupSshIngress',
CidrIp=Ref(param_vpc_cidr_block),
FromPort=str(ssh_port),
GroupId=Ref(resource_database_security_group),
IpProtocol='tcp',
ToPort=str(ssh_port)))
# Create the metadata for the database instance.
name_database_server = 'DatabaseServer'
database_instance_metadata = cloudformation.Metadata(
cloudformation.Init({
'config':
cloudformation.InitConfig(
packages={
'rpm': {
'postgresql':
'https://download.postgresql.org/pub/repos/yum/9.5/redhat/rhel-6-x86_64/pgdg-ami201503-95-9.5-2.noarch.rpm'
},
'yum': {
'postgresql95': [],
'postgresql95-libs': [],
'postgresql95-server': [],
'postgresql95-devel': [],
'postgresql95-contrib': [],
'postgresql95-docs': []
}
},
files=cloudformation.InitFiles({
# cfn-hup.conf initialization
'/etc/cfn/cfn-hup.conf':
cloudformation.InitFile(content=Join(
'', [
'[main]\n', 'stack=', ref_stack_id, '\n',
'region=', ref_region, '\n', 'interval=2', '\n',
'verbose=true', '\n'
]),
mode='000400',
owner='root',
group='root'),
# cfn-auto-reloader.conf initialization
'/etc/cfn/cfn-auto-reloader.conf':
cloudformation.InitFile(
content=Join(
'',
[
'[cfn-auto-reloader-hook]\n',
'triggers=post.update\n',
'path=Resources.%s.Metadata.AWS::CloudFormation::Init\n'
% name_database_server,
'action=cfn-init.exe ',
' --verbose '
' --stack ',
ref_stack_name,
' --resource %s ' %
name_database_server, # resource that defines the Metadata
' --region ',
ref_region,
'\n'
]),
mode='000400',
owner='root',
group='root'),
#
# pg_hba.conf retrieval from S3
'/var/lib/pgsql9/data/pg_hba.conf':
cloudformation.InitFile(
source=Join(
'/',
[
# Join('', ['https://s3-', ref_region, '.', 'amazonaws.com']),
'https://s3.amazonaws.com',
Ref(param_s3_bucket),
Ref(param_s3_key),
'conf'
'pg_hba.conf'
]),
mode='000400',
owner='root',
group='root'),
# postgresql.conf retrieval from S3
'/var/lib/pgsql9/data/postgresql.conf':
cloudformation.InitFile(
source=Join(
'/',
[
#Join('', ['https://s3-', ref_region, '.', 'amazonaws.com']),
'https://s3.amazonaws.com',
Ref(param_s3_bucket),
Ref(param_s3_key),
'conf'
'postgresql.conf'
]),
mode='000400',
owner='root',
group='root'),
# pg_ident.conf retrieval from S3
'/var/lib/pgsql9/data/pg_ident.conf':
cloudformation.InitFile(
source=Join(
'/',
[
#Join('', ['https://s3-', ref_region, '.', 'amazonaws.com']),
'https://s3.amazonaws.com',
Ref(param_s3_bucket),
Ref(param_s3_key),
'conf'
'pg_ident.conf'
]),
mode='000400',
owner='root',
group='root'),
# script to set postgresql admin password.
# (admin user = '******')
path_database_admin_script:
cloudformation.InitFile(
source=Join('', [
'ALTER USER postgres WITH PASSWORD ',
Ref(param_database_admin_password), ';', '\n'
]))
}),
commands={
'10-postgresql_initdb':
cmd_postgresql_initdb,
'20-start_postgresql_service':
cmd_start_postgresql_service,
'30-set-postgres-user-password':
cmd_set_postgres_user_password,
'40-start-postgresql-on-startup':
cmd_start_postgresql_on_startup,
#'99-signal-success': cmd_signal_success
},
services=dict(sysvinit=cloudformation.InitServices({
# start cfn-hup service -
# required for CloudFormation stack update
'cfn-hup':
cloudformation.InitService(
enabled=True,
ensureRunning=True,
files=[
'/etc/cfn/cfn-hup.conf',
'/etc/cfn/hooks.d/cfn-auto-reloader.conf'
]),
# start postgresql service
'postgresql-9.5':
cloudformation.InitService(enabled=True,
ensureRunning=True),
# Disable sendmail service - not required.
'sendmail':
cloudformation.InitService(enabled=False,
ensureRunning=False)
})))
}),
cloudformation.Authentication({
'S3AccessCredentials':
cloudformation.AuthenticationBlock(
buckets=[Ref(param_s3_bucket)],
roleName=Ref(resource_instance_role),
type='S3')
}))
# Add a wait handle to receive the completion signal.
#resource_database_server_wait_handle = template.add_resource(
# cloudformation.WaitConditionHandle(
# name_database_server_wait_handle
# )
# )
#template.add_resource(
# cloudformation.WaitCondition(
# 'DatabaseServerWaitCondition',
# DependsOn=name_database_server,
# Handle=Ref(resource_database_server_wait_handle),
# Timeout=300,
# )
#)
resource_database_server = ec2.Instance(
name_database_server,
DependsOn=name_security_group_database,
IamInstanceProfile=Ref(resource_instance_profile),
Metadata=database_instance_metadata,
ImageId=FindInMap('EnvironmentAttributeMap', ref_region,
'DatabaseServerAmi'),
InstanceType=Ref(param_instance_type),
KeyName=Ref(param_keyname),
SecurityGroupIds=[Ref(resource_database_security_group)],
SubnetId=Ref(param_database_instance_subnet_id),
Tags=Tags(Name=name_database_server, VPC=Ref(param_vpc_id)),
UserData=Base64(
Join('', [
'#!/bin/bash -xe\n', 'yum update -y aws-cfn-bootstrap\n',
'/opt/aws/bin/cfn-init --verbose ', ' --stack ',
ref_stack_name, ' --resource DatabaseServer ', ' --region ',
ref_region, '\n', '/opt/aws/bin/cfn-signal --exit-code $? ',
' --stack ', ref_stack_name, ' --resource ',
name_database_server, '\n'
])))
template.add_resource(resource_database_server)
template.add_output(
Output('DatabaseServer',
Description='PostgreSQL single instance database server',
Value=Ref(resource_database_server)))
return template
def create_network(self):
t = self.template
variables = self.get_variables()
self.create_gateway()
t.add_resource(ec2.NetworkAcl('DefaultACL', VpcId=VPC_ID))
self.create_nat_security_groups()
subnets = {'public': [], 'private': []}
net_types = subnets.keys()
route_table_ids = []
zones = []
for i in range(variables["AZCount"]):
az = Select(i, GetAZs(""))
zones.append(az)
name_suffix = i
for net_type in net_types:
name_prefix = net_type.capitalize()
subnet_name = "%sSubnet%s" % (name_prefix, name_suffix)
subnets[net_type].append(subnet_name)
t.add_resource(
ec2.Subnet(subnet_name,
AvailabilityZone=az,
VpcId=VPC_ID,
DependsOn=GW_ATTACH,
CidrBlock=variables.get("%sSubnets" %
name_prefix)[i],
Tags=Tags(type=net_type)))
route_table_name = "%sRouteTable%s" % (name_prefix,
name_suffix)
t.add_resource(
ec2.RouteTable(route_table_name,
VpcId=VPC_ID,
Tags=[ec2.Tag('type', net_type)]))
route_table_ids.append(Ref(route_table_name))
t.add_resource(
ec2.SubnetRouteTableAssociation(
"%sRouteTableAssociation%s" %
(name_prefix, name_suffix),
SubnetId=Ref(subnet_name),
RouteTableId=Ref(route_table_name)))
route_name = '%sRoute%s' % (name_prefix, name_suffix)
if net_type == 'public':
# the public subnets are where the NAT instances live,
# so their default route needs to go to the AWS
# Internet Gateway
t.add_resource(
ec2.Route(route_name,
RouteTableId=Ref(route_table_name),
DestinationCidrBlock="0.0.0.0/0",
GatewayId=Ref(GATEWAY)))
self.create_nat_instance(i, subnet_name)
else:
# Private subnets are where actual instances will live
# so their gateway needs to be through the nat instances
route = ec2.Route(
route_name,
RouteTableId=Ref(route_table_name),
DestinationCidrBlock='0.0.0.0/0',
)
if variables["UseNatGateway"]:
route.NatGatewayId = Ref(NAT_GATEWAY_NAME %
name_suffix)
else:
route.InstanceId = Ref(NAT_INSTANCE_NAME % name_suffix)
t.add_resource(route)
for net_type in net_types:
t.add_output(
Output("%sSubnets" % net_type.capitalize(),
Value=Join(",", [Ref(sn) for sn in subnets[net_type]])))
for i, sn in enumerate(subnets[net_type]):
t.add_output(
Output("%sSubnet%d" % (net_type.capitalize(), i),
Value=Ref(sn)))
self.template.add_output(
Output("AvailabilityZones", Value=Join(",", zones)))
for i, az in enumerate(zones):
t.add_output(Output("AvailabilityZone%d" % (i), Value=az))
self.create_s3_endpoint(route_table_ids)
self.create_dynamo_endpoint(route_table_ids)
"SubnetId",
Type="AWS::EC2::Subnet::Id",
Default="subnet-0b3b0d6e",
Description="Id of the Subnet which will hold the instance")
template.add_parameter(subnet_id)
vpc_id = Parameter("VpcId",
Type="AWS::EC2::VPC::Id",
Default="vpc-ebe0c38e",
Description="Id of the VPC which will hold the instance")
template.add_parameter(vpc_id)
# security group
sg = ec2.SecurityGroup(app_name_capitalize + 'SG',
GroupDescription="Security Group for base instance.",
Tags=Tags(Name=app_name + '-base-instance-sg',
Custo=app_name),
SecurityGroupIngress=[
ec2.SecurityGroupRule(IpProtocol="tcp",
FromPort="22",
ToPort="22",
CidrIp="0.0.0.0/0"),
ec2.SecurityGroupRule(IpProtocol="tcp",
FromPort="9090",
ToPort="9090",
CidrIp="0.0.0.0/0"),
ec2.SecurityGroupRule(IpProtocol="tcp",
FromPort="80",
ToPort="80",
CidrIp="0.0.0.0/0"),
ec2.SecurityGroupRule(IpProtocol="tcp",
FromPort="443",
def tags(self):
variables = self.get_variables()
tag_dict = {"NetworkType": self.network_type}
tag_dict.update(variables["Tags"])
tags = Tags(**tag_dict)
return tags
def add_apps_subnets(template, vpc, az_index, layers, nats, endpoints=None):
"""
Function to add application/hosts subnets to the VPC
:param template: VPC Template()
:param vpc: Vpc() for Ref()
:param list az_index: index for the AZ (a,b,c ..)
:param nats: list of NatGateway()
:returns: tuple() list of rtb, list of subnets
"""
subnets = []
rtbs = []
if len(nats) < len(az_index):
primary_nat = nats[0]
nats = []
for _ in az_index:
nats.append(primary_nat)
for index, subnet_cidr, nat in zip(az_index, layers["app"], nats):
suffix = index.upper()
subnet = Subnet(
f"AppSubnet{suffix}",
template=template,
CidrBlock=subnet_cidr,
VpcId=Ref(vpc),
AvailabilityZone=Sub(f"${{AWS::Region}}{index}"),
Tags=Tags(
Name=If(
USE_STACK_NAME_CON_T,
Sub(f"${{AWS::StackName}}-App-{index}"),
Sub(f"${{{ROOT_STACK_NAME_T}}}-App-{index}"),
),
)
+ Tags({f"vpc{DELIM}usage": "application", f"vpc{DELIM}vpc-id": Ref(vpc)}),
Metadata=metadata,
)
rtb = RouteTable(
f"AppRtb{index.upper()}",
template=template,
VpcId=Ref(vpc),
Tags=Tags(Name=f"AppRtb{index.upper()}"),
Metadata=metadata,
)
Route(
f"AppRoute{index.upper()}",
template=template,
NatGatewayId=Ref(nat),
RouteTableId=Ref(rtb),
DestinationCidrBlock="0.0.0.0/0",
)
SubnetRouteTableAssociation(
f"SubnetRtbAssoc{index.upper()}",
template=template,
RouteTableId=Ref(rtb),
SubnetId=Ref(subnet),
Metadata=metadata,
)
rtbs.append(rtb)
subnets.append(subnet)
if endpoints is not None:
if keyisset("AwsServices", endpoints):
sg_endpoints = SecurityGroup(
"VpcEndpointsSg",
template=template,
GroupName=Sub(f"vpc-endpoints-${{{VPC_T}}}"),
GroupDescription=Sub(f"VPC Endpoints for VPC ${{{VPC_T}}}"),
VpcId=Ref(template.resources[VPC_T]),
SecurityGroupIngress=[
SecurityGroupRule(
CidrIp=GetAtt(template.resources[VPC_T], "CidrBlock"),
FromPort=443,
ToPort=443,
IpProtocol="TCP",
Description="HTTPs to VPC Endpoint",
)
],
)
for service in endpoints["AwsServices"]:
if service["service"] == "s3":
add_gateway_endpoint(service, rtbs, template)
else:
add_interface_endpoint(sg_endpoints, service, subnets, template)
return rtbs, subnets
def main():
"""Generates the CloudFormation template"""
template = Template()
template.add_version("2010-09-09")
template.add_description(
'This template deploys a VPC, with a pair of public and private subnets spread ' +
'across two Availabilty Zones. It deploys an Internet Gateway, with a default ' +
'route on the public subnets. It deploys a pair of NAT Gateways (one in each AZ), ' +
'and default routes for them in the private subnets.'
)
# Parameters
# EnvironmentName
env_param = template.add_parameter(Parameter(
'EnvironmentName',
Type='String',
Description='An environment name that will be prefixed to resource names',
))
# VPC CIDR
vpc_cidr_param = template.add_parameter(Parameter(
'VpcCIDR',
Type='String',
Description='Please enter the IP range (CIDR notation) for this VPC',
Default='10.192.0.0/16',
))
# PublicSubnet1CIDR
pub_subnet_1_param = template.add_parameter(Parameter(
'PublicSubnet1CIDR',
Type='String',
Description='Please enter the IP range (CIDR notation) for the public subnet ' +
'in the first Availability Zone',
Default='10.192.10.0/24',
))
# PublicSubnet2CIDR
pub_subnet_2_param = template.add_parameter(Parameter(
'PublicSubnet2CIDR',
Type='String',
Description='Please enter the IP range (CIDR notation) for the public subnet ' +
'in the second Availability Zone',
Default='10.192.11.0/24',
))
# PrivateSubnet1CIDR
prvt_subnet_1_param = template.add_parameter(Parameter(
'PrivateSubnet1CIDR',
Type='String',
Description='Please enter the IP range (CIDR notation) for the private subnet ' +
'in the first Availability Zone',
Default='10.192.20.0/24',
))
# PrivateSubnet2CIDR
prvt_subnet_2_param = template.add_parameter(Parameter(
'PrivateSubnet2CIDR',
Type='String',
Description='Please enter the IP range (CIDR notation) for the private subnet ' +
'in the second Availability Zone',
Default='10.192.21.0/24',
))
# Resources
# VPC
vpc = template.add_resource(
VPC(
'VPC',
CidrBlock=Ref(vpc_cidr_param),
Tags=Tags(Name=Ref(env_param)),
)
)
# InternetGateway
internet_gateway = template.add_resource(
InternetGateway(
'InternetGateway',
Tags=Tags(Name=Ref(env_param)),
)
)
# InternetGatewayAttachment
template.add_resource(
VPCGatewayAttachment(
'InternetGatewayAttachment',
InternetGatewayId=Ref(internet_gateway),
VpcId=Ref(vpc),
)
)
# PublicSubnet1
pub_subnet1 = template.add_resource(
Subnet(
'PublicSubnet1',
VpcId=Ref(vpc),
AvailabilityZone=Select('0', GetAZs("")),
CidrBlock=Ref(pub_subnet_1_param),
MapPublicIpOnLaunch=False,
Tags=Tags(Name=Sub('${EnvironmentName} Public Subnet (AZ1)')),
)
)
# PublicSubnet2
pub_subnet2 = template.add_resource(
Subnet(
'PublicSubnet2',
VpcId=Ref(vpc),
AvailabilityZone=Select('1', GetAZs("")),
CidrBlock=Ref(pub_subnet_2_param),
MapPublicIpOnLaunch=False,
Tags=Tags(Name=Sub('${EnvironmentName} Public Subnet (AZ2)')),
)
)
# PrivateSubnet1
prvt_subnet1 = template.add_resource(
Subnet(
'PrivateSubnet1',
VpcId=Ref(vpc),
AvailabilityZone=Select('0', GetAZs("")),
CidrBlock=Ref(prvt_subnet_1_param),
MapPublicIpOnLaunch=False,
Tags=Tags(Name=Sub('${EnvironmentName} Private Subnet (AZ1)')),
)
)
# PrivateSubnet2
prvt_subnet2 = template.add_resource(
Subnet(
'PrivateSubnet2',
VpcId=Ref(vpc),
AvailabilityZone=Select('1', GetAZs("")),
CidrBlock=Ref(prvt_subnet_2_param),
MapPublicIpOnLaunch=False,
Tags=Tags(Name=Sub('${EnvironmentName} Private Subnet (AZ2)')),
)
)
# NatGateway1EIP
nat_gateway1_eip = template.add_resource(
EIP(
'NatGateway1EIP',
DependsOn='InternetGatewayAttachment',
Domain='vpc',
)
)
# NatGateway2EIP
nat_gateway2_eip = template.add_resource(
EIP(
'NatGateway2EIP',
DependsOn='InternetGatewayAttachment',
Domain='vpc',
)
)
# NatGateway1
nat_gateway1 = template.add_resource(
NatGateway(
'NatGateway1',
AllocationId=GetAtt(nat_gateway1_eip, 'AllocationId'),
SubnetId=Ref(pub_subnet1),
)
)
# NatGateway2
nat_gateway2 = template.add_resource(
NatGateway(
'NatGateway2',
AllocationId=GetAtt(nat_gateway2_eip, 'AllocationId'),
SubnetId=Ref(pub_subnet2),
)
)
# PublicRouteTable
pub_route_table = template.add_resource(
RouteTable(
'PublicRouteTable',
VpcId=Ref(vpc),
Tags=Tags(Name=Sub('${EnvironmentName} Public Routes')),
)
)
# DefaultPublicRoute
template.add_resource(
Route(
'DefaultPublicRoute',
RouteTableId=Ref(pub_route_table),
DestinationCidrBlock='0.0.0.0/0',
GatewayId=Ref(internet_gateway),
)
)
# PublicSubnet1RouteTableAssociation
template.add_resource(
SubnetRouteTableAssociation(
'PublicSubnet1RouteTableAssociation',
RouteTableId=Ref(pub_route_table),
SubnetId=Ref(pub_subnet1),
)
)
# PublicSubnet2RouteTableAssociation
template.add_resource(
SubnetRouteTableAssociation(
'PublicSubnet2RouteTableAssociation',
RouteTableId=Ref(pub_route_table),
SubnetId=Ref(pub_subnet2),
)
)
# PrivateRouteTable1
prvt_route_table1 = template.add_resource(
RouteTable(
'PrivateRouteTable1',
VpcId=Ref(vpc),
Tags=Tags(Name=Sub('${EnvironmentName} Private Routes (AZ1)')),
)
)
# DefaultPrivateRoute1
template.add_resource(
Route(
'DefaultPrivateRoute1',
RouteTableId=Ref(prvt_route_table1),
DestinationCidrBlock='0.0.0.0/0',
NatGatewayId=Ref(nat_gateway1),
)
)
# PrivateSubnet1RouteTableAssociation
template.add_resource(
SubnetRouteTableAssociation(
'PrivateSubnet1RouteTableAssociation',
RouteTableId=Ref(prvt_route_table1),
SubnetId=Ref(prvt_subnet1),
)
)
# PrivateRouteTable2
prvt_route_table2 = template.add_resource(
RouteTable(
'PrivateRouteTable2',
VpcId=Ref(vpc),
Tags=Tags(Name=Sub('${EnvironmentName} Private Routes (AZ2)')),
)
)
# DefaultPrivateRoute2
template.add_resource(
Route(
'DefaultPrivateRoute2',
RouteTableId=Ref(prvt_route_table2),
DestinationCidrBlock='0.0.0.0/0',
NatGatewayId=Ref(nat_gateway2),
)
)
# PrivateSubnet1RouteTableAssociation
template.add_resource(
SubnetRouteTableAssociation(
'PrivateSubnet2RouteTableAssociation',
RouteTableId=Ref(prvt_route_table2),
SubnetId=Ref(prvt_subnet2),
)
)
# Outputs
template.add_output(Output(
'VPC',
Description='A reference to the created VPC',
Value=Ref(vpc),
))
template.add_output(Output(
'PublicSubnets',
Description='A list of the public subnets',
Value=Join(',', [Ref(pub_subnet1), Ref(pub_subnet2)]),
))
template.add_output(Output(
'PrivateSubnets',
Description='A list of the private subnets',
Value=Join(',', [Ref(prvt_subnet1), Ref(prvt_subnet2)]),
))
template.add_output(Output(
'PublicSubnet1',
Description='A reference to the public subnet in the 1st Availability Zone',
Value=Ref(pub_subnet1),
))
template.add_output(Output(
'PublicSubnet2',
Description='A reference to the public subnet in the 2nd Availability Zone',
Value=Ref(pub_subnet2),
))
template.add_output(Output(
'PrivateSubnet1',
Description='A reference to the private subnet in the 1st Availability Zone',
Value=Ref(prvt_subnet1),
))
template.add_output(Output(
'PrivateSubnet2',
Description='A reference to the private subnet in the 2nd Availability Zone',
Value=Ref(prvt_subnet2),
))
print(template.to_json())
' --stack=', Ref('AWS::StackName'),
' --resource=%s' % ec2_instance_name,
' --configsets=on_metadata_update',
' --region=', Ref('AWS::Region'), '\n',
'runas=root\n',
]),
'mode': '000400',
'owner': 'root',
'group': 'root',
},
},
),
),
),
Tags=Tags(
Name=Ref("AWS::StackName"),
),
))
# Associate the Elastic IP separately, so it doesn't change when the instance changes.
eip_assoc = template.add_resource(ec2.EIPAssociation(
"EipAssociation",
InstanceId=Ref(ec2_instance),
EIP=Ref(eip),
))
template.add_output([
Output(
"PublicIP",
Description="Public IP address of Elastic IP associated with the Dokku instance",
Value=Ref(eip),
def create_subnet(t, output):
ref_region = Ref('AWS::Region')
igw = t.add_resource(InternetGateway(
"InternetGateway",
Tags=Tags(
Name=Join("", [output["service"], "-", output["env"]])
)
))
GWattachment = t.add_resource(VPCGatewayAttachment(
"AttachGateway",
VpcId=output["vpc"],
InternetGatewayId=Ref("InternetGateway"),
))
# Pub Subnet Availability Zone A
pubsubneta = t.add_resource(
Subnet(
'PubSubnetA',
CidrBlock=Join('', [output["vpcenvcidr"], '.', '0', '.0/24']),
VpcId=output["vpc"],
AvailabilityZone=Select("0", GetAZs(ref_region)),
Tags=Tags(
Name=Join("", [output["service"], "-", output["env"], "-PubA"])
)
)
)
# Pub Subnet Availability Zone B
pubsubnetb = t.add_resource(
Subnet(
'PubSubnetB',
CidrBlock=Join('', [output["vpcenvcidr"], '.', '1', '.0/24']),
VpcId=output["vpc"],
AvailabilityZone=Select("1", GetAZs(ref_region)),
Tags=Tags(
Name=Join("", [output["service"], "-", output["env"], "-PubB"])
)
)
)
# Pub Subnet Availability Zone C
pubsubnetc = t.add_resource(
Subnet(
'PubSubnetC',
CidrBlock=Join('', [output["vpcenvcidr"], '.', '2', '.0/24']),
VpcId=output["vpc"],
AvailabilityZone=Select("2", GetAZs(ref_region)),
Tags=Tags(
Name=Join("", [output["service"], "-", output["env"], "-PubC"])
)
)
)
# Private Subnet Availability Zone A
privsubneta = t.add_resource(
Subnet(
'PrivSubnetA',
CidrBlock=Join('', [output["vpcenvcidr"], '.', '3', '.0/24']),
VpcId=output["vpc"],
AvailabilityZone=Select("0", GetAZs(ref_region)),
Tags=Tags(
Name=Join("", [output["service"], "-", output["env"], "-PrivA"])
)
)
)
# Private Subnet Availability Zone B
privsubnetb = t.add_resource(
Subnet(
'PrivSubnetB',
CidrBlock=Join('', [output["vpcenvcidr"], '.', '4', '.0/24']),
VpcId=output["vpc"],
AvailabilityZone=Select("1", GetAZs(ref_region)),
Tags=Tags(
Name=Join("", [output["service"], "-", output["env"], "-PrivB"])
)
)
)
# Private Subnet Availability Zone C
privsubnetc = t.add_resource(
Subnet(
'PrivSubnetC',
CidrBlock=Join('', [output["vpcenvcidr"], '.', '5', '.0/24']),
VpcId=output["vpc"],
AvailabilityZone=Select("2", GetAZs(ref_region)),
Tags=Tags(
Name=Join("", [output["service"], "-", output["env"], "-PrivC"])
)
)
)
output["SubnetIds"] = {}
output["SubnetIds"]["pubsubneta"] = Ref(pubsubneta)
output["SubnetIds"]["pubsubnetb"] = Ref(pubsubnetb)
output["SubnetIds"]["pubsubnetc"] = Ref(pubsubnetc)
output["SubnetIds"]["privsubneta"] = Ref(privsubneta)
output["SubnetIds"]["privsubnetb"] = Ref(privsubnetb)
output["SubnetIds"]["privsubnetc"] = Ref(privsubnetc)
# NAT Gateway
# Availability Zone A
nat_eip_a = t.add_resource(EIP(
'NATeipA',
Domain="vpc"
))
nat_gw_a = t.add_resource(NatGateway(
'NatGwA',
AllocationId=GetAtt(nat_eip_a, 'AllocationId'),
SubnetId=Ref(pubsubneta),
))
# Availability Zone B
nat_eip_b = t.add_resource(EIP(
'NATeipB',
Domain="vpc"
))
nat_gw_b = t.add_resource(NatGateway(
'NatGwB',
AllocationId=GetAtt(nat_eip_b, 'AllocationId'),
SubnetId=Ref(pubsubnetb),
))
# Availability Zone C
nat_eip_c = t.add_resource(EIP(
'NATeipC',
Domain="vpc"
))
nat_gw_c = t.add_resource(NatGateway(
'NatGwC',
AllocationId=GetAtt(nat_eip_c, 'AllocationId'),
SubnetId=Ref(pubsubnetc),
))
pubroutetable = t.add_resource(RouteTable(
"PubRouteTable",
VpcId=output["vpc"],
Tags=Tags(
Name=Join("", [output["service"], "-", output["env"], "-", "PubRT"])
)
))
pubroute = t.add_resource(Route(
"PubRoute",
DependsOn="AttachGateway",
RouteTableId=Ref(pubroutetable),
DestinationCidrBlock="0.0.0.0/0",
GatewayId=Ref(igw)
))
privroutetablea = t.add_resource(RouteTable(
"PrivRouteTableA",
VpcId=output["vpc"],
Tags=Tags(
Name=Join("", [output["service"], "-", output["env"], "-", "PrivRT-A"])
)
))
privroutea = t.add_resource(Route(
"PrivRouteA",
RouteTableId=Ref(privroutetablea),
DestinationCidrBlock="0.0.0.0/0",
NatGatewayId=Ref(nat_gw_a)
))
privroutetableb = t.add_resource(RouteTable(
"PrivRouteTableB",
VpcId=output["vpc"],
Tags=Tags(
Name=Join("", [output["service"], "-", output["env"], "-", "PrivRT-B"])
)
))
privrouteb = t.add_resource(Route(
"PrivRouteB",
RouteTableId=Ref(privroutetableb),
DestinationCidrBlock="0.0.0.0/0",
NatGatewayId=Ref(nat_gw_b)
))
privroutetablec = t.add_resource(RouteTable(
"PrivRouteTableC",
VpcId=output["vpc"],
Tags=Tags(
Name=Join("", [output["service"], "-", output["env"], "-", "PrivRT-C"])
)
))
privroutec = t.add_resource(Route(
"PrivRouteC",
RouteTableId=Ref(privroutetablec),
DestinationCidrBlock="0.0.0.0/0",
NatGatewayId=Ref(nat_gw_c)
))
subnetroutetableassociationpuba = t.add_resource(SubnetRouteTableAssociation(
'SubnetRouteTableAssociationPubA',
SubnetId=Ref(pubsubneta),
RouteTableId=Ref(pubroutetable),
))
subnetroutetableassociationpubb = t.add_resource(SubnetRouteTableAssociation(
'SubnetRouteTableAssociationPubB',
SubnetId=Ref(pubsubnetb),
RouteTableId=Ref(pubroutetable),
))
subnetroutetableassociationpubc = t.add_resource(SubnetRouteTableAssociation(
'SubnetRouteTableAssociationPubC',
SubnetId=Ref(pubsubnetc),
RouteTableId=Ref(pubroutetable),
))
subnetroutetableassociationpriva = t.add_resource(SubnetRouteTableAssociation(
'SubnetRouteTableAssociationPrivA',
SubnetId=Ref(privsubneta),
RouteTableId=Ref(privroutetablea),
))
subnetroutetableassociationprivb = t.add_resource(SubnetRouteTableAssociation(
'SubnetRouteTableAssociationPrivB',
SubnetId=Ref(privsubnetb),
RouteTableId=Ref(privroutetableb),
))
subnetroutetableassociationprivc = t.add_resource(SubnetRouteTableAssociation(
'SubnetRouteTableAssociationPrivC',
SubnetId=Ref(privsubnetc),
RouteTableId=Ref(privroutetablec),
))
outputs = t.add_output([
Output(
"IGW",
Value=Ref(igw),
Export=Export(Sub("${AWS::StackName}-IGW")),
Description="Internet Gateway"
),
Output(
"NatGWA",
Value=Ref(nat_gw_a),
Export=Export(Sub("${AWS::StackName}-NATGatewayA")),
Description="NAT Gateway AZ A"
),
Output(
"NatGWB",
Value=Ref(nat_gw_b),
Export=Export(Sub("${AWS::StackName}-NATGatewayB")),
Description="NAT Gateway AZ B"
),
Output(
"NatGWC",
Value=Ref(nat_gw_c),
Export=Export(Sub("${AWS::StackName}-NATGatewayC")),
Description="NAT Gateway AZ C"
),
Output(
"VPCEnvCidr",
Value=output["vpcenvcidr"],
Export=Export(Sub("${AWS::StackName}-CIDR")),
Description="First 2 CIDR Block of the VPC"
),
Output(
"ServiceID",
Value=output["service_id"],
Export=Export(Sub("${AWS::StackName}-ServiceID")),
Description="3rd Oct of CIDR block"
),
Output(
"PUBSUBNETA",
Value=Ref(pubsubneta),
Export=Export(Sub("${AWS::StackName}-PubSubnetA")),
Description="Public A Subnet"
),
Output(
"PUBSUBNETB",
Value=Ref(pubsubnetb),
Export=Export(Sub("${AWS::StackName}-PubSubnetB")),
Description="Public B Subnet"
),
Output(
"PUBSUBNETC",
Value=Ref(pubsubnetc),
Export=Export(Sub("${AWS::StackName}-PubSubnetC")),
Description="Public C Subnet"
),
Output(
"PRIVSUBNETA",
Value=Ref(privsubneta),
Export=Export(Sub("${AWS::StackName}-PrivSubnetA")),
Description="Priv A Subnet"
),
Output(
"PRIVSUBNETB",
Value=Ref(privsubnetb),
Export=Export(Sub("${AWS::StackName}-PrivSubnetB")),
Description="Priv B Subnet"
),
Output(
"PRIVSUBNETC",
Value=Ref(privsubnetc),
Export=Export(Sub("${AWS::StackName}-PrivSubnetC")),
Description="Priv C Subnet"
),
])
# t = create_sg(t, output)
# output["SubnetIds"] = [Ref(pubsubneta), Ref(pubsubnetb), Ref(pubsubnetc)]
# SubnetIds = [Ref(pubsubneta), Ref(pubsubnetb), Ref(pubsubnetc)]
# security_group_id = [GetAtt(sgtrusted, "GroupId")]
return t, output
def generate_template(service_name):
t = Template()
t.add_version('2010-09-09')
t.add_description("""\
AWS CloudFormation Template for AWS Exploitation Lab """)
t.add_mapping("PublicRegionMap", ami_public_mapping)
t.add_mapping("PrivateRegionMap", ami_private_mapping)
keyname_param = t.add_parameter(
Parameter(
'KeyName',
ConstraintDescription='must be the name of an existing EC2 KeyPair.',
Description='Name of an existing EC2 KeyPair to enable SSH access to \
the instance',
Type='AWS::EC2::KeyPair::KeyName',
))
sshlocation_param = t.add_parameter(
Parameter(
'SSHLocation',
Description=' The IP address range that can be used to SSH to the EC2 \
instances',
Type='String',
MinLength='9',
MaxLength='18',
Default='0.0.0.0/0',
AllowedPattern="(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})",
ConstraintDescription=(
"must be a valid IP CIDR range of the form x.x.x.x/x."),
))
instanceType_param = t.add_parameter(Parameter(
'InstanceType',
Type='String',
Description='WebServer EC2 instance type',
Default='t2.micro',
AllowedValues=[
't2.micro', 't2.small', 't2.medium',
'm3.medium', 'm3.large', 'm3.xlarge', 'm3.2xlarge',
],
ConstraintDescription='must be a valid EC2 instance type.',
))
ref_stack_id = Ref('AWS::StackId')
ec2_role = t.add_resource(Role(
"%sEC2Role" % service_name,
AssumeRolePolicyDocument=awacs.aws.Policy(
Statement=[
awacs.aws.Statement(
Effect=awacs.aws.Allow,
Action=[awacs.aws.Action("sts", "AssumeRole")],
Principal=awacs.aws.Principal("Service", ["ec2.amazonaws.com"])
)
]
)
))
ec2_role.ManagedPolicyArns = [
"arn:aws:iam::aws:policy/ReadOnlyAccess"
]
ec2_snapshot_policy_document = awacs.aws.Policy(
Statement=[
awacs.aws.Statement(
Sid="PermitEC2Snapshots",
Effect=awacs.aws.Allow,
Action=[
awacs.aws.Action("ec2", "CreateSnapshot"),
awacs.aws.Action("ec2", "ModifySnapshotAttribute"),
],
Resource=["*"]
)
]
)
ec2_snapshot_policy = Policy(
PolicyName="EC2SnapshotPermissions",
PolicyDocument=ec2_snapshot_policy_document
)
priv_ec2_role = t.add_resource(Role(
"%sPrivEC2Role" % service_name,
AssumeRolePolicyDocument=awacs.aws.Policy(
Statement=[
awacs.aws.Statement(
Effect=awacs.aws.Allow,
Action=[awacs.aws.Action("sts", "AssumeRole")],
Principal=awacs.aws.Principal("Service", ["ec2.amazonaws.com"])
)
]
),
Policies=[ec2_snapshot_policy]
))
priv_ec2_role.ManagedPolicyArns = [
"arn:aws:iam::aws:policy/ReadOnlyAccess"
]
VPC_ref = t.add_resource(
VPC(
'VPC',
CidrBlock='10.0.0.0/16',
Tags=Tags(
Application=ref_stack_id)))
instanceProfile = t.add_resource(
InstanceProfile(
"InstanceProfile",
InstanceProfileName="%sInstanceRole" % (service_name),
Roles=[Ref(ec2_role)]))
privInstanceProfile = t.add_resource(
InstanceProfile(
"PrivInstanceProfile",
InstanceProfileName="%sPrivInstanceRole" % (service_name),
Roles=[Ref(priv_ec2_role)]))
public_subnet = t.add_resource(
Subnet(
'%sSubnetPublic' % service_name,
MapPublicIpOnLaunch=True,
CidrBlock='10.0.1.0/24',
VpcId=Ref(VPC_ref),
Tags=Tags(
Application=ref_stack_id,
Name="%sSubnet_public" % (service_name))
)
)
private_subnet = t.add_resource(
Subnet(
'%sSubnetPrivate' % service_name,
MapPublicIpOnLaunch=False,
CidrBlock='10.0.2.0/24',
VpcId=Ref(VPC_ref),
Tags=Tags(
Application=ref_stack_id,
Name="%sSubnet_private" % (service_name))
)
)
internetGateway = t.add_resource(
InternetGateway(
'InternetGateway',
Tags=Tags(
Application=ref_stack_id,
Name="%sInternetGateway" % service_name)))
gatewayAttachment = t.add_resource(
VPCGatewayAttachment(
'AttachGateway',
VpcId=Ref(VPC_ref),
InternetGatewayId=Ref(internetGateway)))
routeTable = t.add_resource(
RouteTable(
'RouteTable',
VpcId=Ref(VPC_ref),
Tags=Tags(
Application=ref_stack_id,
Name="%sRouteTable" % service_name)))
route = t.add_resource(
Route(
'Route',
DependsOn='AttachGateway',
GatewayId=Ref('InternetGateway'),
DestinationCidrBlock='0.0.0.0/0',
RouteTableId=Ref(routeTable),
))
# Only associate this Route Table with the public subnet
subnetRouteTableAssociation = t.add_resource(
SubnetRouteTableAssociation(
'SubnetRouteTableAssociation',
SubnetId=Ref(public_subnet),
RouteTableId=Ref(routeTable),
))
instanceSecurityGroup = t.add_resource(
SecurityGroup(
'InstanceSecurityGroup',
GroupDescription='%sSecurityGroup' % service_name,
SecurityGroupIngress=[
SecurityGroupRule(
IpProtocol='tcp',
FromPort='22',
ToPort='22',
CidrIp=Ref(sshlocation_param)),
SecurityGroupRule(
IpProtocol='tcp',
FromPort='80',
ToPort='80',
CidrIp='0.0.0.0/0'),
SecurityGroupRule(
IpProtocol='tcp',
FromPort='1080',
ToPort='1080',
CidrIp='0.0.0.0/0'),
SecurityGroupRule(
IpProtocol='tcp',
FromPort='443',
ToPort='443',
CidrIp='0.0.0.0/0'),
SecurityGroupRule(
IpProtocol='tcp',
FromPort='0',
ToPort='65535',
CidrIp="10.0.0.0/8"),
],
VpcId=Ref(VPC_ref),
)
)
public_instance = t.add_resource(
Instance(
"Public%sInstance" % service_name,
ImageId=FindInMap("PublicRegionMap", Ref("AWS::Region"), "AMI"),
InstanceType=Ref(instanceType_param),
KeyName=Ref(keyname_param),
NetworkInterfaces=[
NetworkInterfaceProperty(
GroupSet=[
Ref(instanceSecurityGroup)],
AssociatePublicIpAddress='true',
DeviceIndex='0',
DeleteOnTermination='true',
SubnetId=Ref(public_subnet))],
UserData=Base64(public_instance_userdata),
Tags=Tags(
Application=ref_stack_id,
Name='%sPublicInstance' % (service_name))
)
)
private_instance = t.add_resource(
Instance(
"Private%sInstance" % service_name,
ImageId=FindInMap("PrivateRegionMap", Ref("AWS::Region"), "AMI"),
InstanceType=Ref(instanceType_param),
KeyName=Ref(keyname_param),
NetworkInterfaces=[
NetworkInterfaceProperty(
GroupSet=[
Ref(instanceSecurityGroup)],
DeviceIndex='0',
DeleteOnTermination='true',
SubnetId=Ref(private_subnet))],
UserData=Base64(private_instance_userdata),
Tags=Tags(
Application=ref_stack_id,
Name='%sPrivateInstance' % (service_name)),
IamInstanceProfile="%sPrivInstanceRole" % (service_name)
)
)
outputs = []
outputs.append(
Output(
"PublicIP",
Description="IP Address of Public Instance",
Value=GetAtt(public_instance, "PublicIp"),
)
)
t.add_output(outputs)
# Set up S3 Bucket and CloudTrail
S3Bucket = t.add_resource(
Bucket(
"S3Bucket",
DeletionPolicy="Retain"
)
)
S3PolicyDocument=awacs.aws.PolicyDocument(
Id='EnforceServersideEncryption',
Version='2012-10-17',
Statement=[
awacs.aws.Statement(
Sid='PermitCTBucketPut',
Action=[s3.PutObject],
Effect=awacs.aws.Allow,
Principal=awacs.aws.Principal("Service", ["cloudtrail.amazonaws.com"]),
Resource=[Join('', [s3.ARN(''), Ref(S3Bucket), "/*"])],
),
awacs.aws.Statement(
Sid='PermitCTBucketACLRead',
Action=[s3.GetBucketAcl],
Effect=awacs.aws.Allow,
Principal=awacs.aws.Principal("Service", ["cloudtrail.amazonaws.com"]),
Resource=[Join('', [s3.ARN(''), Ref(S3Bucket)])],
)
]
)
S3BucketPolicy = t.add_resource(
BucketPolicy(
"BucketPolicy",
PolicyDocument=S3PolicyDocument,
Bucket=Ref(S3Bucket),
DependsOn=[S3Bucket]
)
)
myTrail = t.add_resource(
Trail(
"CloudTrail",
IsLogging=True,
S3BucketName=Ref(S3Bucket),
DependsOn=["BucketPolicy"],
)
)
myTrail.IsMultiRegionTrail = True
myTrail.IncludeGlobalServiceEvents = True
return t.to_json()
def GenerateStepJenkinsLayer():
t = Template()
t.add_description("""\
Jenkins for Step Hackathon Layer
""")
stackname_param = t.add_parameter(
Parameter(
"StackName",
Description="Environment Name (default: hackathon)",
Type="String",
Default="hackathon",
))
vpcid_param = t.add_parameter(
Parameter(
"VpcId",
Type="String",
Description="VpcId of your existing Virtual Private Cloud (VPC)",
Default="vpc-fab00e9f"))
subnets = t.add_parameter(
Parameter(
"Subnets",
Type="CommaDelimitedList",
Description=(
"The list SubnetIds, for public subnets in the "
"region and in your Virtual Private Cloud (VPC) - minimum one"
),
Default="subnet-b68f3bef,subnet-9a6208ff,subnet-bfdd4fc8"))
keypair_param = t.add_parameter(
Parameter("KeyPair",
Description="Name of an existing EC2 KeyPair to enable SSH "
"access to the instance",
Type="String",
Default="glueteam"))
jenkins_ami_id_param = t.add_parameter(
Parameter("JenkinsAmiId",
Description="Jenkins server AMI ID (default: ami-f3641a84)",
Type="String",
Default="ami-f3641a84"))
operations_subdomain_hosted_zone_param = t.add_parameter(
Parameter("DashsoftHostedZoneParam",
Description="HostedZone (default: hackathon.operations.dk)",
Type="String",
Default="hackathon.operations.dk"))
iam_role_param = t.add_parameter(
Parameter(
"IamRole",
Description="IAM Role name",
Type="String",
))
# --------- Jenkins instance
jenkins_sg = t.add_resource(
ec2.SecurityGroup(
'JenkinsSG',
GroupDescription='Security group for Jenkins host',
VpcId=Ref(vpcid_param),
Tags=Tags(Name=Join("", [Ref(stackname_param), "SG"])),
SecurityGroupIngress=[
ec2.SecurityGroupRule(
IpProtocol="tcp",
FromPort="22",
ToPort="22",
CidrIp="0.0.0.0/0",
),
ec2.SecurityGroupRule(
IpProtocol="tcp",
FromPort="80",
ToPort="80",
CidrIp="0.0.0.0/0",
),
ec2.SecurityGroupRule(
IpProtocol="tcp",
FromPort="443",
ToPort="443",
CidrIp="0.0.0.0/0",
),
]))
jenkins_eip = t.add_resource(ec2.EIP(
'JenkinsEIP',
Domain='vpc',
))
jenkins_eth0 = t.add_resource(
ec2.NetworkInterface(
"JenkinsEth0",
Description=Join("", [Ref(stackname_param), " Eth0"]),
GroupSet=[
Ref(jenkins_sg),
],
SourceDestCheck=True,
SubnetId=Select(0, Ref(subnets)),
Tags=Tags(
Name=Join("", [Ref(stackname_param), " Interface 0"]),
Interface="eth0",
)))
jenkins_host = t.add_resource(
ec2.Instance(
'JenkinsHost',
ImageId=Ref(jenkins_ami_id_param),
InstanceType='m3.medium',
KeyName=Ref(keypair_param),
IamInstanceProfile=Ref(iam_role_param),
NetworkInterfaces=[
ec2.NetworkInterfaceProperty(
NetworkInterfaceId=Ref(jenkins_eth0),
DeviceIndex="0",
),
],
Tags=Tags(Name=Ref(stackname_param), Id=Ref(stackname_param)),
UserData=Base64(Join('', [
'#!/bin/bash\n',
])),
))
jenkins_eip_assoc = t.add_resource(
ec2.EIPAssociation(
"JenkinsEIPAssoc",
NetworkInterfaceId=Ref(jenkins_eth0),
AllocationId=GetAtt("JenkinsEIP", "AllocationId"),
PrivateIpAddress=GetAtt("JenkinsEth0", "PrimaryPrivateIpAddress"),
))
jenkins_host_cname = t.add_resource(
route53.RecordSetType(
"JenkinsHostCname",
HostedZoneName=Join(
"", [Ref(operations_subdomain_hosted_zone_param), "."]),
Comment=Join("", ["Jenkins host CNAME for ",
Ref(stackname_param)]),
Name=Join(
"",
["jenkins.",
Ref(operations_subdomain_hosted_zone_param), "."]),
Type="A",
TTL="60",
ResourceRecords=[GetAtt("JenkinsHost", "PublicIp")],
DependsOn="JenkinsEIPAssoc"))
return t
def tag_builder(name_suffix=None):
if name_suffix:
name = Join("-", [Ref("AWS::StackName"), name_suffix])
else:
name = Ref("AWS::StackName")
return Tags(Application=Ref("AWS::StackId"), Name=name)
def create_template(self):
"""Create template (main function called by Stacker)."""
template = self.template
variables = self.get_variables()
template.add_version('2010-09-09')
template.add_description('Sample app')
# Conditions
template.add_condition(
'BucketNameOmitted',
Or(Equals(variables['BucketName'].ref, ''),
Equals(variables['BucketName'].ref, 'undefined')))
# Resources
bucket = template.add_resource(
s3.Bucket(
'Bucket',
AccessControl=s3.Private,
BucketName=If('BucketNameOmitted', Ref('AWS::NoValue'),
variables['BucketName'].ref),
LifecycleConfiguration=s3.LifecycleConfiguration(Rules=[
s3.LifecycleRule(NoncurrentVersionExpirationInDays=90,
Status='Enabled')
]),
Tags=Tags(application=variables['ApplicationName'].ref,
customer=variables['CustomerName'].ref,
environment=variables['EnvironmentName'].ref),
VersioningConfiguration=s3.VersioningConfiguration(
Status='Enabled')))
template.add_output(
Output('BucketName',
Description='Name of bucket',
Value=Ref(bucket)))
template.add_output(
Output('BucketArn',
Description='Arn of bucket',
Value=GetAtt(bucket, 'Arn')))
# https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html
template.add_resource(
s3.BucketPolicy(
'RequireBucketEncryption',
Bucket=Ref(bucket),
PolicyDocument=Policy(
Version='2012-10-17',
Statement=[
Statement(
Sid='DenyIncorrectEncryptionHeader',
Action=[awacs.s3.PutObject],
Condition=Condition(
StringNotEquals(
's3:x-amz-server-side-encryption',
'AES256')),
Effect=Deny,
Principal=Principal('*'),
Resource=[Join('',
[GetAtt(bucket, 'Arn'), '/*'])]),
Statement(
Sid='DenyUnEncryptedObjectUploads',
Action=[awacs.s3.PutObject],
Condition=Condition(
Null('s3:x-amz-server-side-encryption',
'true')),
Effect=Deny,
Principal=Principal('*'),
Resource=[Join('', [GetAtt(bucket, 'Arn'), '/*'])])
])))
from troposphere import Tags, Template
from troposphere.secretsmanager import GenerateSecretString, Secret
t = Template()
t.set_version("2010-09-09")
MySecret = t.add_resource(
Secret(
"MySecret",
Name="MySecret",
Description="This is an autogenerated secret",
GenerateSecretString=GenerateSecretString(
SecretStringTemplate='{"username":"******"}',
GenerateStringKey="password",
PasswordLength=30,
),
Tags=Tags(Appname="AppA"),
)
)
print(t.to_json())
'/etc/cfn/cfn-hup.conf': cfn_hup,
'/etc/cfn/hooks.d/cfn-auto-reloader.conf': reloader,
'/etc/docker/daemon.json': docker,
}),
),
'services': {
'sysvinit': {
'cfn': cfn_service,
'docker': docker_service,
}
}
}),
ImageId='ami-0adc350d7c7a2259f',
KeyName='Seras',
Tags=Tags(
Name=Join("", [Ref("AWS::StackName")]),
Application=Ref("AWS::StackId"),
),
InstanceType='t3.nano',
IamInstanceProfile=Ref(hugged_profile),
SecurityGroupIds=[SECURITY_GROUP],
CreditSpecification=CreditSpecification(CPUCredits='standard'),
UserData=Base64(Join(
"",
[
"#!/bin/bash -xe\n",
"echo ECS_CLUSTER=AllTheHugs > /etc/ecs/ecs.config\n",
"yum install -y aws-cfn-bootstrap\n",
"# Install the files and packages from the metadata\n",
"/opt/aws/bin/cfn-init -v ",
" --stack ", Ref("AWS::StackName"),
" --resource HuggedInstance ",
),
"cert_name":
Parameter(
"CertName",
Type="String",
Default=
"arn:aws:iam::314826648217:server-certificate/mediaplatformQA_2017Mar05",
Description="This has to be the right certificate for the environment",
AllowedValues=[
"arn:aws:iam::314826648217:server-certificate/star-mediaplatformdev-2017",
"arn:aws:iam::314826648217:server-certificate/mediaplatformQA_2017Mar05"
],
ConstraintDescription="must select a valid existing cert",
)
}
common_tags = Tags(env=Ref("DeploymentEnvironment"), )
for p in parameters.values():
zookeepstack.template.add_parameter(p)
# bunch of rules for security groups. They are fairly open for now, but will be tightened up later.
rule_all_office_access = zookeepstack.rule_adder(0, 65535, '192.186.2.0/24')
rule_http_access = zookeepstack.rule_adder(80)
rule_ssl_access = zookeepstack.rule_adder(443)
rule_amq_admin_access = zookeepstack.rule_adder(8161)
rule_amq_access = zookeepstack.rule_adder(61616)
rule_solr_admin_access = zookeepstack.rule_adder(8983)
rule_zookeeper_access = zookeepstack.rule_adder(2181)
rule_ssh_access_vpc = zookeepstack.rule_adder(22, cidr='10.0.0.0/16')
# Security group definitions. This should be simplified to get rid of redundancy.
amq_group = zookeepstack.group_adder('amqgroup', [
def generate_vpc_template(layers, az_count, cidr_block):
TPL = Template()
TPL.set_description('VPC - Version 2019-06-05')
TPL.set_metadata({'Author': 'https://github.com/johnpreston'})
VPC = VPCType('VPC',
CidrBlock=cidr_block,
EnableDnsHostnames=True,
EnableDnsSupport=True,
Tags=Tags(Name=Ref('AWS::StackName'),
EnvironmentName=Ref('AWS::StackName')))
IGW = InternetGateway("InternetGateway")
IGW_ATTACH = VPCGatewayAttachment("VPCGatewayAttachement",
InternetGatewayId=Ref(IGW),
VpcId=Ref(VPC))
DHCP_OPTIONS = DHCPOptions('VpcDhcpOptions',
DomainName=Sub(f'${{AWS::StackName}}.local'),
DomainNameServers=['AmazonProvidedDNS'],
Tags=Tags(Name=Sub(f'DHCP-${{{VPC.title}}}')))
DHCP_ATTACH = VPCDHCPOptionsAssociation('VpcDhcpOptionsAssociate',
DhcpOptionsId=Ref(DHCP_OPTIONS),
VpcId=Ref(VPC))
DNS_HOSTED_ZONE = HostedZone(
'VpcHostedZone',
VPCs=[HostedZoneVPCs(VPCId=Ref(VPC), VPCRegion=Ref('AWS::Region'))],
Name=Sub(f'${{AWS::StackName}}.local'),
HostedZoneTags=Tags(Name=Sub(f'ZoneFor-${{{VPC.title}}}')))
TPL.add_resource(VPC)
TPL.add_resource(IGW)
TPL.add_resource(IGW_ATTACH)
TPL.add_resource(DHCP_OPTIONS)
TPL.add_resource(DHCP_ATTACH)
TPL.add_resource(DNS_HOSTED_ZONE)
STORAGE_RTB = TPL.add_resource(
RouteTable('StorageRtb', VpcId=Ref(VPC), Tags=Tags(Name='StorageRtb')))
STORAGE_SUBNETS = []
for count, subnet_cidr in zip(az_count, layers['stor']):
subnet = Subnet(
f'StorageSubnet{alpha[count].upper()}',
CidrBlock=subnet_cidr,
VpcId=Ref(VPC),
AvailabilityZone=Sub(f'${{AWS::Region}}{alpha[count]}'),
Tags=Tags(Name=Sub(f'${{AWS::StackName}}-Storage-{alpha[count]}'),
Usage="Storage"))
subnet_assoc = TPL.add_resource(
SubnetRouteTableAssociation(
f'StorageSubnetAssoc{alpha[count].upper()}',
SubnetId=Ref(subnet),
RouteTableId=Ref(STORAGE_RTB)))
STORAGE_SUBNETS.append(subnet)
TPL.add_resource(subnet)
PUBLIC_RTB = TPL.add_resource(
RouteTable('PublicRtb', VpcId=Ref(VPC), Tags=Tags(Name='PublicRtb')))
PUBLIC_ROUTE = TPL.add_resource(
Route('PublicDefaultRoute',
GatewayId=Ref(IGW),
RouteTableId=Ref(PUBLIC_RTB),
DestinationCidrBlock='0.0.0.0/0'))
PUBLIC_SUBNETS = []
NAT_GATEWAYS = []
for count, subnet_cidr in zip(az_count, layers['pub']):
subnet = Subnet(
f'PublicSubnet{alpha[count].upper()}',
CidrBlock=subnet_cidr,
VpcId=Ref(VPC),
AvailabilityZone=Sub(f'${{AWS::Region}}{alpha[count]}'),
MapPublicIpOnLaunch=True,
Tags=Tags(Name=Sub(f'${{AWS::StackName}}-Public-{alpha[count]}')))
eip = TPL.add_resource(
EIP(f"NatGatewayEip{alpha[count].upper()}", Domain='vpc'))
nat = NatGateway(f"NatGatewayAz{alpha[count].upper()}",
AllocationId=GetAtt(eip, 'AllocationId'),
SubnetId=Ref(subnet))
subnet_assoc = TPL.add_resource(
SubnetRouteTableAssociation(
f'PublicSubnetsRtbAssoc{alpha[count].upper()}',
RouteTableId=Ref(PUBLIC_RTB),
SubnetId=Ref(subnet)))
NAT_GATEWAYS.append(nat)
PUBLIC_SUBNETS.append(subnet)
TPL.add_resource(nat)
TPL.add_resource(subnet)
APP_SUBNETS = []
APP_RTBS = []
for count, subnet_cidr, nat in zip(az_count, layers['app'], NAT_GATEWAYS):
SUFFIX = alpha[count].upper()
subnet = Subnet(
f'AppSubnet{SUFFIX}',
CidrBlock=subnet_cidr,
VpcId=Ref(VPC),
AvailabilityZone=Sub(f'${{AWS::Region}}{alpha[count]}'),
Tags=Tags(Name=Sub(f'${{AWS::StackName}}-App-{alpha[count]}')))
APP_SUBNETS.append(subnet)
rtb = RouteTable(f'AppRtb{alpha[count].upper()}',
VpcId=Ref(VPC),
Tags=Tags(Name=f'AppRtb{alpha[count].upper()}'))
APP_RTBS.append(rtb)
route = Route(f'AppRoute{alpha[count].upper()}',
NatGatewayId=Ref(nat),
RouteTableId=Ref(rtb),
DestinationCidrBlock='0.0.0.0/0')
subnet_assoc = SubnetRouteTableAssociation(
f'SubnetRtbAssoc{alpha[count].upper()}',
RouteTableId=Ref(rtb),
SubnetId=Ref(subnet))
TPL.add_resource(subnet)
TPL.add_resource(rtb)
TPL.add_resource(route)
TPL.add_resource(subnet_assoc)
APP_S3_ENDPOINT = VPCEndpoint(
'AppS3Endpoint',
VpcId=Ref(VPC),
RouteTableIds=[Ref(rtb) for rtb in APP_RTBS],
ServiceName=Sub('com.amazonaws.${AWS::Region}.s3'),
VpcEndpointType='Gateway',
)
PUBLIC_S3_ENDPOINT = VPCEndpoint(
'PublicS3Endpoint',
VpcId=Ref(VPC),
RouteTableIds=[Ref(PUBLIC_RTB)],
ServiceName=Sub('com.amazonaws.${AWS::Region}.s3'),
VpcEndpointType='Gateway',
)
STORAGE_S3_ENDPOINT = VPCEndpoint(
'StorageS3Endpoint',
VpcId=Ref(VPC),
RouteTableIds=[Ref(STORAGE_RTB)],
ServiceName=Sub('com.amazonaws.${AWS::Region}.s3'),
VpcEndpointType='Gateway')
RESOURCES = []
for count in az_count:
resource = TPL.add_resource(EIP(f'Eip{count}', Domain='vpc'))
RESOURCES.append(resource)
TPL.add_resource(APP_S3_ENDPOINT)
TPL.add_resource(PUBLIC_S3_ENDPOINT)
TPL.add_resource(STORAGE_S3_ENDPOINT)
SG_RULES = []
for subnet in layers['app']:
RULE = SecurityGroupRule(
IpProtocol="tcp",
FromPort="443",
ToPort="443",
CidrIp=subnet,
)
SG_RULES.append(RULE)
ENDPOINT_SG = TPL.add_resource(
SecurityGroup(
'VpcEndpointSecurityGroup',
VpcId=Ref(VPC),
GroupDescription='SG for all Interface VPC Endpoints',
SecurityGroupIngress=SG_RULES,
Tags=Tags(Name="sg-endpoints"),
))
APP_SNS_ENDPOINT = VPCEndpoint(
'AppSNSEndpoint',
VpcId=Ref(VPC),
SubnetIds=[Ref(subnet) for subnet in APP_SUBNETS],
SecurityGroupIds=[GetAtt(ENDPOINT_SG, 'GroupId')],
ServiceName=Sub('com.amazonaws.${AWS::Region}.sns'),
VpcEndpointType='Interface',
PrivateDnsEnabled=True)
TPL.add_resource(APP_SNS_ENDPOINT)
APP_SQS_ENDPOINT = VPCEndpoint(
'AppSQSEndpoint',
VpcId=Ref(VPC),
SubnetIds=[Ref(subnet) for subnet in APP_SUBNETS],
SecurityGroupIds=[GetAtt(ENDPOINT_SG, 'GroupId')],
ServiceName=Sub('com.amazonaws.${AWS::Region}.sqs'),
VpcEndpointType='Interface',
PrivateDnsEnabled=True)
TPL.add_resource(APP_SQS_ENDPOINT)
APP_ECR_API_ENDPOINT = VPCEndpoint(
'AppECRAPIEndpoint',
VpcId=Ref(VPC),
SubnetIds=[Ref(subnet) for subnet in APP_SUBNETS],
SecurityGroupIds=[GetAtt(ENDPOINT_SG, 'GroupId')],
ServiceName=Sub('com.amazonaws.${AWS::Region}.ecr.api'),
VpcEndpointType='Interface',
PrivateDnsEnabled=True)
TPL.add_resource(APP_ECR_API_ENDPOINT)
APP_ECR_DKR_ENDPOINT = VPCEndpoint(
'AppECRDKREndpoint',
VpcId=Ref(VPC),
SubnetIds=[Ref(subnet) for subnet in APP_SUBNETS],
SecurityGroupIds=[GetAtt(ENDPOINT_SG, 'GroupId')],
ServiceName=Sub('com.amazonaws.${AWS::Region}.ecr.dkr'),
VpcEndpointType='Interface',
PrivateDnsEnabled=True)
TPL.add_resource(APP_ECR_DKR_ENDPOINT)
APP_SECRETS_MANAGER_ENDPOINT = VPCEndpoint(
'AppSecretsManagerEndpoint',
VpcId=Ref(VPC),
SubnetIds=[Ref(subnet) for subnet in APP_SUBNETS],
SecurityGroupIds=[GetAtt(ENDPOINT_SG, 'GroupId')],
ServiceName=Sub('com.amazonaws.${AWS::Region}.secretsmanager'),
VpcEndpointType='Interface',
PrivateDnsEnabled=True)
TPL.add_resource(APP_SECRETS_MANAGER_ENDPOINT)
APP_SSM_ENDPOINT = VPCEndpoint(
'AppSSMEndpoint',
VpcId=Ref(VPC),
SubnetIds=[Ref(subnet) for subnet in APP_SUBNETS],
SecurityGroupIds=[GetAtt(ENDPOINT_SG, 'GroupId')],
ServiceName=Sub('com.amazonaws.${AWS::Region}.ssm'),
VpcEndpointType='Interface',
PrivateDnsEnabled=True)
TPL.add_resource(APP_SSM_ENDPOINT)
APP_SSM_MESSAGES_ENDPOINT = VPCEndpoint(
'AppSSMMessagesEndpoint',
VpcId=Ref(VPC),
SubnetIds=[Ref(subnet) for subnet in APP_SUBNETS],
SecurityGroupIds=[GetAtt(ENDPOINT_SG, 'GroupId')],
ServiceName=Sub('com.amazonaws.${AWS::Region}.ssmmessages'),
VpcEndpointType='Interface',
PrivateDnsEnabled=True)
TPL.add_resource(APP_SSM_MESSAGES_ENDPOINT)
################################################################################
#
# OUTPUTS
#
TPL.add_output(object_outputs(VPC, name_is_id=True))
TPL.add_output(object_outputs(APP_SQS_ENDPOINT, name_is_id=True))
TPL.add_output(object_outputs(APP_SNS_ENDPOINT, name_is_id=True))
TPL.add_output(
comments_outputs([{
'EIP':
Join(',',
[GetAtt(resource, "AllocationId") for resource in RESOURCES])
}, {
'PublicSubnets':
Join(',', [Ref(subnet) for subnet in PUBLIC_SUBNETS])
}, {
'StorageSubnets':
Join(',', [Ref(subnet) for subnet in STORAGE_SUBNETS])
}, {
'ApplicationSubnets':
Join(',', [Ref(subnet) for subnet in APP_SUBNETS])
}, {
'StackName': Ref('AWS::StackName')
}, {
'VpcZoneId': Ref(DNS_HOSTED_ZONE)
}]))
return TPL
def add_public_subnets(template, vpc, az_index, layers, igw, single_nat):
"""
Function to add public subnets for the VPC
:param layers: layers of subnets
:type layers: dict
:param igw: internet gateway to route to
:type igw: troposphere.ec2.InternetGateway
:param single_nat: whether we should have a single NAT Gateway
:type single_nat: boolean
:param template: VPC Template()
:type template: troposphere.Template
:param vpc: Vpc() for Ref()
:type vpc: troposphere.ec2.Template
:param az_range: range for iteration over select AZs
:type az_range: list
:return: tuple() list of rtb, list of subnets, list of nats
"""
rtb = RouteTable(
"PublicRtb",
template=template,
VpcId=Ref(vpc),
Tags=Tags(Name="PublicRtb") + Tags({f"vpc{DELIM}usage": "public"}),
Metadata=metadata,
)
Route(
"PublicDefaultRoute",
template=template,
GatewayId=Ref(igw),
RouteTableId=Ref(rtb),
DestinationCidrBlock="0.0.0.0/0",
)
subnets = []
nats = []
for index, subnet_cidr in zip(az_index, layers["pub"]):
subnet = Subnet(
f"PublicSubnet{index.upper()}",
template=template,
CidrBlock=subnet_cidr,
VpcId=Ref(vpc),
AvailabilityZone=Sub(f"${{AWS::Region}}{index}"),
MapPublicIpOnLaunch=True,
Tags=Tags(
Name=If(
USE_STACK_NAME_CON_T,
Sub(f"${{AWS::StackName}}-Public-{index}"),
Sub(f"${{{ROOT_STACK_NAME_T}}}-Public-{index}"),
),
)
+ Tags({f"vpc{DELIM}usage": "public", f"vpc{DELIM}vpc-id": Ref(vpc)}),
Metadata=metadata,
)
if (single_nat and not nats) or not single_nat:
eip = EIP(f"NatGatewayEip{index.upper()}", template=template, Domain="vpc")
nat = NatGateway(
f"NatGatewayAz{index.upper()}",
template=template,
AllocationId=GetAtt(eip, "AllocationId"),
SubnetId=Ref(subnet),
Metadata=metadata,
)
nats.append(nat)
SubnetRouteTableAssociation(
f"PublicSubnetsRtbAssoc{index.upper()}",
template=template,
RouteTableId=Ref(rtb),
SubnetId=Ref(subnet),
)
subnets.append(subnet)
return [rtb], subnets, nats
SizeInGB="10", VolumeType="gp2"),
VolumesPerInstance="1")
],
EbsOptimized="true"),
InstanceCount="1",
InstanceType=M4_LARGE,
)),
Applications=[
emr.Application(Name="Hadoop"),
emr.Application(Name="Hive"),
emr.Application(Name="Mahout"),
emr.Application(Name="Pig"),
emr.Application(Name="Spark")
],
VisibleToAllUsers="true",
Tags=Tags(Name="EMR Sample Cluster")))
step = template.add_resource(
emr.Step('TestStep',
Name="TestStep",
ActionOnFailure='CONTINUE',
HadoopJarStep=emr.HadoopJarStepConfig(
Args=["5", "10"],
Jar="s3://emr-cfn-test/hadoop-mapreduce-examples-2.6.0.jar",
MainClass="pi",
StepProperties=[
emr.KeyValue('my.custom.property', 'my.custom.value')
]),
JobFlowId=Ref(cluster)))
print(template.to_json())
def add_resources(self):
self.RestApiPublicLBSG = self.template.add_resource(
ec2.SecurityGroup(
"RestApiPublicLBSG",
GroupDescription=
"Loadbalancer Security Group For Rest Api Public LB",
VpcId=Ref(self.VpcId),
SecurityGroupIngress=[
ec2.SecurityGroupRule(
IpProtocol="tcp",
FromPort=3389,
ToPort=3389,
CidrIp=Ref(self.AdminCidrBlock),
),
],
Tags=self.base_tags +
Tags(Name=self.environment_parameters["ClientEnvironmentKey"] +
"-LoyaltyRestApiPubLBSG"),
))
self.RestApiPrivateLBSG = self.template.add_resource(
ec2.SecurityGroup(
"RestApiPrivateLBSG",
GroupDescription=
"Loadbalancer Security Group For Rest Api Private LB",
VpcId=Ref(self.VpcId),
SecurityGroupIngress=[
ec2.SecurityGroupRule(
IpProtocol="tcp",
FromPort=3389,
ToPort=3389,
CidrIp=Ref(self.AdminCidrBlock),
),
ec2.SecurityGroupRule(
IpProtocol="tcp",
FromPort=80,
ToPort=80,
CidrIp=Ref(self.AdminCidrBlock),
),
ec2.SecurityGroupRule(
IpProtocol="tcp",
FromPort=80,
ToPort=80,
SourceSecurityGroupId=Ref(self.KongEC2SecurityGroup),
),
],
Tags=self.base_tags +
Tags(Name=self.environment_parameters["ClientEnvironmentKey"] +
"-LoyaltyRestApiPrivLBSG"),
))
self.RestApiSG = self.template.add_resource(
ec2.SecurityGroup(
"RestApiSG",
GroupDescription=
"Allow communication between Rest Api Load Balancers and Rest Api Ec2s",
VpcId=Ref(self.VpcId),
SecurityGroupIngress=[
ec2.SecurityGroupRule(
IpProtocol="tcp",
FromPort=3389,
ToPort=3389,
SourceSecurityGroupId=Ref(self.RestApiPublicLBSG),
),
ec2.SecurityGroupRule(
IpProtocol="tcp",
FromPort=80,
ToPort=80,
SourceSecurityGroupId=Ref(self.RestApiPublicLBSG),
),
ec2.SecurityGroupRule(
IpProtocol="tcp",
FromPort=80,
ToPort=80,
SourceSecurityGroupId=Ref(self.RestApiPrivateLBSG),
),
],
Tags=self.base_tags +
Tags(Name=self.environment_parameters["ClientEnvironmentKey"] +
"-LoyaltyRestApiEc2SG"),
))
self.ApiEc2ToKongPrivateALBIngress = self.template.add_resource(
ec2.SecurityGroupIngress(
"ApiEc2ToKongPrivateALBIngress",
DependsOn=self.RestApiSG,
GroupId=Ref(self.KongPrivateLoadBalancerSecurityGroup),
IpProtocol="tcp",
FromPort=8443,
ToPort=8444,
SourceSecurityGroupId=Ref(self.RestApiSG),
))
self.RestApiPublicLoadBalancer = self.template.add_resource(
elasticloadbalancing.LoadBalancer(
"RestApiPublicLoadBalancer",
LoadBalancerName=self.
environment_parameters["ClientEnvironmentKey"] +
"-LoyaltyRestApiPubLB",
Scheme="internet-facing",
Listeners=[
elasticloadbalancing.Listener(
LoadBalancerPort="3389",
InstancePort="3389",
Protocol="TCP",
InstanceProtocol="TCP",
)
],
Instances=[],
SecurityGroups=[Ref(self.RestApiPublicLBSG)],
Subnets=[Ref(self.RESTPubSubnet1),
Ref(self.RESTPubSubnet2)],
ConnectionDrainingPolicy=elasticloadbalancing.
ConnectionDrainingPolicy(
Enabled=True,
Timeout=300,
),
CrossZone=True,
HealthCheck=elasticloadbalancing.HealthCheck(
Target=Join("", ["TCP:", "3389"]),
HealthyThreshold="3",
UnhealthyThreshold="5",
Interval="10",
Timeout="5",
),
Tags=self.base_tags +
Tags(Name=self.environment_parameters["ClientEnvironmentKey"] +
"-LoyaltyRestApiPubLB"),
))
self.RestApiPrivateLoadBalancer = self.template.add_resource(
elasticloadbalancing.LoadBalancer(
"RestApiPrivateLoadBalancer",
LoadBalancerName=self.
environment_parameters["ClientEnvironmentKey"] +
"-LoyaltyRestApiPrivLB",
Scheme="internal",
Listeners=[
elasticloadbalancing.Listener(
LoadBalancerPort="3389",
InstancePort="3389",
Protocol="TCP",
InstanceProtocol="TCP",
),
elasticloadbalancing.Listener(
LoadBalancerPort="80",
InstancePort="80",
Protocol="TCP",
InstanceProtocol="TCP",
)
],
Instances=[],
SecurityGroups=[Ref(self.RestApiPrivateLBSG)],
Subnets=[Ref(self.RESTPrivSubnet1),
Ref(self.RESTPrivSubnet2)],
ConnectionDrainingPolicy=elasticloadbalancing.
ConnectionDrainingPolicy(
Enabled=True,
Timeout=120,
),
CrossZone=True,
HealthCheck=elasticloadbalancing.HealthCheck(
Target=Join("", ["HTTP:", "80", "/swagger/index.html"]),
HealthyThreshold="3",
UnhealthyThreshold="5",
Interval="30",
Timeout="5",
),
Tags=self.base_tags +
Tags(Name=self.environment_parameters["ClientEnvironmentKey"] +
"-LoyaltyRestApiPrivLB"),
))
self.RestApiLaunchConfiguration = self.template.add_resource(
LaunchConfiguration(
"RestApiLaunchConfiguration",
ImageId=self.ami_id,
InstanceType=Ref(self.RestApiInstanceType),
IamInstanceProfile=Ref(self.RestApiIAMInstanceProfile),
KeyName=Ref(self.RestApiKeyName),
SecurityGroups=[Ref(self.RestApiSG)],
UserData=Base64(
Join('', [
"<persist>true</persist>\n", "<powershell>\n",
"$ClientCode = '" +
self.environment_parameters["ClientEnvironmentKey"] +
"'\n",
"$bootstrapRepository = (Get-SSMParameterValue -Names $ClientCode-bootstrapRepository -WithDecryption $true).Parameters[0].Value\n",
"\n", "$region = '" +
self.environment_parameters["EnvironmentRegion"] +
"'\n", "$keyPrefix = 'bootstrap/rest/powershell/'\n",
"\n", "$localPath = 'C:/bootstrap/rest/powershell'\n",
"\n",
"if (-Not (Test-Path -Path $localPath)){New-Item -Path $localPath -ItemType directory -Force | out-null}\n",
"$artifacts = Get-S3Object -BucketName $bootstrapRepository -KeyPrefix $keyPrefix -Region $region\n",
"foreach($artifact in $artifacts) {$localFileName = $artifact.Key -replace $keyPrefix, '' \n",
"if ($localFileName -ne '') {$localFilePath = Join-Path $localPath $localFileName \n",
"Copy-S3Object -BucketName $bootstrapRepository -Key $artifact.Key -LocalFile $localFilePath -Region $region}} \n",
"\n",
"$cmdExecuteBootStrapping = 'C:\\bootstrap\\rest\\powershell\\ExecuteScripts.ps1' \n",
"Invoke-Expression \"$cmdExecuteBootStrapping\" \n",
"</powershell>", "\n"
]))))
self.RestApiAutoScalingGroup = self.template.add_resource(
AutoScalingGroup(
"RestApiAutoscalingGroup",
AutoScalingGroupName=self.
environment_parameters["ClientEnvironmentKey"] +
"-LoyaltyRestApiAutoScalingGroup",
LaunchConfigurationName=Ref(self.RestApiLaunchConfiguration),
LoadBalancerNames=[
Ref(self.RestApiPublicLoadBalancer),
Ref(self.RestApiPrivateLoadBalancer)
],
MaxSize=Ref(self.RestApiASGGroupMaxSize),
MinSize=Ref(self.RestApiASGGroupMinSize),
DesiredCapacity=Ref(self.RestApiASGGroupDesiredSize),
HealthCheckType=Ref(self.RestApiASGHealthCheckType),
HealthCheckGracePeriod=Ref(
self.RestApiASGHealthCheckGracePeriod),
Cooldown=Ref(self.RestApiASGCoolDown),
LifecycleHookSpecificationList=[
LifecycleHookSpecification(
HeartbeatTimeout=Ref(
self.RestApiASGLifeCycleHeartBeatTimeout),
LifecycleTransition=Ref(
self.RestApiASGLifeCycleTransition),
LifecycleHookName=self.
environment_parameters["ClientEnvironmentKey"] +
"-REST-API-LCH"),
],
VPCZoneIdentifier=[
Ref(self.RESTPrivSubnet1),
Ref(self.RESTPrivSubnet2)
],
Tags=[
AutoScalingTag(
"Name",
self.environment_parameters["ClientEnvironmentKey"] +
"-LoyaltyRestApi-Ec2", True),
AutoScalingTag(
"Environment",
self.environment_parameters["EnvironmentName"], True),
AutoScalingTag(
"ResourceOwner",
self.environment_parameters["ResourceOwner"], True),
AutoScalingTag(
"ClientCode",
self.environment_parameters["ClientEnvironmentKey"],
True),
],
))
def GenerateDockerRegistryLayer():
t = Template()
t.add_description("""\
DockerRegistry Layer
""")
stackname_param = t.add_parameter(
Parameter(
"StackName",
Description="Environment Name (default: test)",
Type="String",
Default="test",
))
vpcid_param = t.add_parameter(
Parameter(
"VpcId",
Type="String",
Description="VpcId of your existing Virtual Private Cloud (VPC)",
Default="vpc-fab00e9f"))
subnets = t.add_parameter(
Parameter(
"Subnets",
Type="CommaDelimitedList",
Description=(
"The list SubnetIds, for public subnets in the "
"region and in your Virtual Private Cloud (VPC) - minimum one"
),
Default="subnet-b68f3bef,subnet-9a6208ff,subnet-bfdd4fc8"))
keypair_param = t.add_parameter(
Parameter("KeyPair",
Description="Name of an existing EC2 KeyPair to enable SSH "
"access to the instance",
Type="String",
Default="glueteam"))
registry_ami_id_param = t.add_parameter(
Parameter("RegistryAmiId",
Description="Registry server AMI ID",
Type="String",
Default="ami-a10897d6"))
iam_role_param = t.add_parameter(
Parameter(
"IamRole",
Description="IAM Role name",
Type="String",
))
s3bucket_param = t.add_parameter(
Parameter(
"BucketName",
Description="S3 Bucket Name (default: )",
Type="String",
Default="",
))
# --------- Docker registry
registry_sg = t.add_resource(
ec2.SecurityGroup(
'RegistrySG',
GroupDescription='Security group for Registry host',
VpcId=Ref(vpcid_param),
Tags=Tags(Name=Join("", [Ref(stackname_param), "RegistrySG"])),
SecurityGroupIngress=[
ec2.SecurityGroupRule(
IpProtocol="tcp",
FromPort="22",
ToPort="22",
CidrIp="0.0.0.0/0",
),
ec2.SecurityGroupRule(
IpProtocol="tcp",
FromPort="80",
ToPort="80",
CidrIp="0.0.0.0/0",
),
]))
registry_eip = t.add_resource(ec2.EIP(
'RegistryEIP',
Domain='vpc',
))
registry_eth0 = t.add_resource(
ec2.NetworkInterface(
"RegistryEth0",
Description=Join("", [Ref(stackname_param), "Registry Eth0"]),
GroupSet=[
Ref(registry_sg),
],
SourceDestCheck=True,
SubnetId=Select(0, Ref(subnets)),
Tags=Tags(
Name=Join("", [Ref(stackname_param), "Registry Interface 0"]),
Interface="eth0",
)))
registry_host = t.add_resource(
ec2.Instance(
'RegistryHost',
ImageId=Ref(registry_ami_id_param),
InstanceType='t2.micro',
KeyName=Ref(keypair_param),
IamInstanceProfile=Ref(iam_role_param),
NetworkInterfaces=[
ec2.NetworkInterfaceProperty(
NetworkInterfaceId=Ref(registry_eth0),
DeviceIndex="0",
),
],
Tags=Tags(Name=Join("", [Ref(stackname_param), "Registry"]),
Id=Join("", [Ref(stackname_param), "Registry"])),
UserData=Base64(
Join('', [
'#!/bin/bash\n',
'yum update -y aws-cfn-bootstrap\n',
'mkdir -p /root/build/redis /root/build/registry\n',
'touch /root/build/redis/Dockerfile\n',
'touch /root/build/redis/redis.conf\n',
'touch /root/build/registry/Dockerfile\n',
])),
))
registry_eip_assoc = t.add_resource(
ec2.EIPAssociation(
"RegistryEIPAssoc",
NetworkInterfaceId=Ref(registry_eth0),
AllocationId=GetAtt("RegistryEIP", "AllocationId"),
PrivateIpAddress=GetAtt("RegistryEth0", "PrimaryPrivateIpAddress"),
))
return t
def create_template():
template = Template(Description="Simple public VPC")
availability_zones = template.add_parameter(
Parameter(
"AvailabilityZones",
Type="String",
))
vpc = template.add_resource(
VPC(
"Vpc",
CidrBlock="10.10.0.0/16",
EnableDnsHostnames=False,
EnableDnsSupport=True,
Tags=Tags(Name=StackName),
))
dhcp_options = template.add_resource(
DHCPOptions(
"DhcpOptions",
NtpServers=["169.254.169.123"],
DomainNameServers=["AmazonProvidedDNS"],
Tags=Tags(Name=StackName),
))
template.add_resource(
VPCDHCPOptionsAssociation(
"VpcDhcpOptionsAssociation",
VpcId=Ref(vpc),
DhcpOptionsId=Ref(dhcp_options),
))
internet_gateway = template.add_resource(
InternetGateway(
"InternetGateway",
Tags=Tags(Name=StackName),
))
vpc_gateway_attachment = template.add_resource(
VPCGatewayAttachment(
"VpcGatewayAttachment",
VpcId=Ref(vpc),
InternetGatewayId=Ref(internet_gateway),
))
subnet = template.add_resource(
Subnet(
"Subnet0",
MapPublicIpOnLaunch=True,
VpcId=Ref(vpc),
CidrBlock=Select(0, Cidr(GetAtt(vpc, "CidrBlock"), 8, 8)),
AvailabilityZone=Select(0, Split(",", Ref(availability_zones))),
Tags=Tags(Name=StackName),
))
route_table = template.add_resource(
RouteTable(
"RouteTable0",
VpcId=Ref(vpc),
Tags=Tags(Name=StackName),
))
internet_route = template.add_resource(
Route(
"InternetRoute0",
DestinationCidrBlock="0.0.0.0/0",
GatewayId=Ref(internet_gateway),
RouteTableId=Ref(route_table),
DependsOn=[vpc_gateway_attachment],
))
template.add_resource(
SubnetRouteTableAssociation(
"SubnetRouteTableAssocation0",
RouteTableId=Ref(route_table),
SubnetId=Ref(subnet),
))
template.add_output(Output(
"VpcId",
Value=Ref(vpc),
))
template.add_output(Output(
"SubnetIds",
Value=Ref(subnet),
))
return template
t = Template()
channel = Channel(
"TestChannel",
ChannelName="testchannel",
ChannelStorage=ChannelStorage(
CustomerManagedS3=CustomerManagedS3(
Bucket="customerbucket",
KeyPrefix="bobdog",
RoleArn="arn",
)
),
RetentionPeriod=RetentionPeriod(
NumberOfDays=10,
),
Tags=Tags(Manufacturer="AmazonWebServices"),
)
pipeline = Pipeline(
"TestPipeline",
PipelineActivities=[
Activity(
Channel=ActivityChannel(
ChannelName="ChannelName",
Name="testchannel",
Next="DatastoreActivity",
),
),
Activity(
Datastore=ActivityDatastore(
Name="DatastoreActivity",
return exports + bootstrap_script_body.splitlines(True)
AmbariNode = t.add_resource(
ec2.Instance(
"AmbariNode",
UserData=Base64(
Join(
"",
my_bootstrap_script('AmbariNode', 'true', 'true',
'127.0.0.1'))),
ImageId=FindInMap("CENTOS7", Ref("AWS::Region"), "AMI"),
BlockDeviceMappings=my_block_device_mappings_ephemeral(24, "/dev/sd"),
CreationPolicy=CreationPolicy(
ResourceSignal=ResourceSignal(Count=1, Timeout="PT15M")),
Tags=Tags(Name=ref_stack_name, ),
KeyName=Ref(KeyName),
InstanceType=Ref(InstanceType),
SubnetId=Ref(SubnetId),
SecurityGroupIds=Ref(SecurityGroups),
))
AdditionalNodeLaunchConfig = t.add_resource(
LaunchConfiguration(
"AdditionalNodeLaunchConfig",
UserData=Base64(
Join(
"",
my_bootstrap_script('AdditionalNodes', 'true', 'false',
ref_ambariserver))),
ImageId=FindInMap("CENTOS7", Ref("AWS::Region"), "AMI"),
Domain="vpc",
))
eth0 = t.add_resource(
ec2.NetworkInterface(
"Eth0",
Description="eth0",
DependsOn=AllInternalAccessSecurityGroup.title,
GroupSet=[
Ref(AllInternalAccessSecurityGroup),
Ref(MonitorSecurityGroup)
], #Split(",", Join(",", [Join(",", Ref(SecurityGroupIdsParam)), Ref(MonitorSecurityGroup), ])),
# SourceDestCheck=True,
SubnetId=Select("0", Ref(PublicSubnetsToSpanParam)),
Tags=Tags(
Name="Interface 0",
Interface="eth0",
),
))
eipassoc1 = t.add_resource(
ec2.EIPAssociation(
"EIPAssoc1",
NetworkInterfaceId=Ref(eth0),
AllocationId=GetAtt("EIPMonitor", "AllocationId"),
PrivateIpAddress=GetAtt("Eth0", "PrimaryPrivateIpAddress"),
))
######### End Monitor VM Pre-setup #######
def generate_new_instance(counter):
Type='AWS::EC2::KeyPair::KeyName',
Description='Name of an existing EC2 KeyPair to enable SSH access'))
ami_id = t.add_parameter(
Parameter('AmiId', Type='String', Default='ami-98aa1cf0'))
security_group = t.add_resource(
ec2.SecurityGroup('SecurityGroup',
GroupDescription='Allows SSH access from anywhere',
SecurityGroupIngress=[
ec2.SecurityGroupRule(IpProtocol='tcp',
FromPort=22,
ToPort=22,
CidrIp='0.0.0.0/0')
],
Tags=Tags(Name='ops.cfninit-sg')))
ec2_instance = t.add_resource(
ec2.Instance(
'Ec2Instance',
ImageId=Ref(ami_id),
InstanceType='t1.micro',
KeyName=Ref(key_name),
SecurityGroups=[Ref(security_group)],
IamInstanceProfile='PullCredentials',
UserData=Base64(
Join('', [
'#!/bin/bash\n', 'sudo apt-get update\n',
'sudo apt-get -y install python-setuptools\n',
'sudo apt-get -y install python-pip\n',
'sudo pip install https://s3.amazonaws.com/cloudformation-examples/',
def get_tags(self):
variables = self.get_variables()
tag_var = variables["Tags"]
t = {"Name": self.name}
t.update(tag_var)
return Tags(**t)
VPC_PRIVATE_A = "192.168.8.0/23"
VPC_PRIVATE_B = "192.168.10.0/23"
t = Template()
t.add_description("Stack creating a VPC")
# Create the VPC
vpc = t.add_resource(VPC(
"VPC",
CidrBlock=VPC_NETWORK,
EnableDnsSupport=True,
EnableDnsHostnames=False,
InstanceTenancy="default",
Tags=Tags(
Owner="Ernie Van Duyne",
Environment="QA"
)
))
# Create the subnets
DMZSubnet1a = t.add_resource(Subnet(
"DMZSubnet1a",
AvailabilityZone=Join("", [Ref("AWS::Region"), "a"]),
VpcId=Ref(vpc),
CidrBlock=VPC_DMZ_A,
Tags=Tags(
Name=Join("", [Ref("AWS::StackName"), " DMZ subnet A"]),
)
))
DMZSubnet1b = t.add_resource(Subnet(
"DMZSubnet1b",
def tags(self):
"""Get the tags for the subnet"""
return Tags(Name=Sub("${AWS::StackName}-" + self.name + "_subnet"),
Stack=Ref("AWS::StackId"))