class NetworkTier(Stack):
"""
The network tier consists of all constructs that are required for the foundational
networking between the various components of the Deadline render farm.
"""
@builtins.property # type: ignore
@jsii.member(jsii_name="availabilityZones")
def availability_zones(self) -> typing.List[builtins.str]:
"""
This overrides the availability zones the Stack will use. The zones that we set here are what
our VPC will use, so adding local zones to this return value will enable us to then deploy
infrastructure to them.
"""
return config.availability_zones_standard + config.availability_zones_local
def __init__(self, scope: Construct, stack_id: str, **kwargs) -> None:
"""
Initializes a new instance of NetworkTier
"""
super().__init__(scope, stack_id, **kwargs)
# We're creating a SubnetSelection with only the standard availability zones to be used to put
# the NAT gateway in and the VPC interface endpoints, because the local zones do no have
# these available.
standard_zone_subnets = SubnetSelection(
availability_zones=config.availability_zones_standard,
subnet_type=SubnetType.PUBLIC)
# The VPC that all components of the render farm will be created in. We are using the `availability_zones()`
# method to override the availability zones that this VPC will use.
self.vpc = Vpc(self,
'Vpc',
max_azs=len(self.availability_zones),
subnet_configuration=[
SubnetConfiguration(name='Public',
subnet_type=SubnetType.PUBLIC,
cidr_mask=28),
SubnetConfiguration(name='Private',
subnet_type=SubnetType.PRIVATE,
cidr_mask=18)
],
nat_gateway_subnets=standard_zone_subnets)
# Add interface endpoints
for idx, service_info in enumerate(_INTERFACE_ENDPOINT_SERVICES):
service_name = service_info['name']
service = service_info['service']
self.vpc.add_interface_endpoint(service_name,
service=service,
subnets=standard_zone_subnets)
# Add gateway endpoints
for idx, service_info in enumerate(_GATEWAY_ENDPOINT_SERVICES):
service_name = service_info['name']
service = service_info['service']
self.vpc.add_gateway_endpoint(service_name,
service=service,
subnets=[standard_zone_subnets])
# Internal DNS zone for the VPC.
self.dns_zone = PrivateHostedZone(self,
'DnsZone',
vpc=self.vpc,
zone_name='deadline-test.internal')
class NetworkTier(Stack):
"""
The network tier consists of all constructs that are required for the foundational
networking between the various components of the Deadline render farm.
"""
def __init__(self, scope: Construct, stack_id: str, **kwargs) -> None:
"""
Initializes a new instance of NetworkTier
:param scope: The scope of this construct.
:param stack_id: The ID of this construct.
:param kwargs: The stack properties.
"""
super().__init__(scope, stack_id, **kwargs)
# The VPC that all components of the render farm will be created in.
self.vpc = Vpc(
self,
'Vpc',
max_azs=2,
subnet_configuration=[
SubnetConfiguration(
name='Public',
subnet_type=SubnetType.PUBLIC,
cidr_mask=28
),
SubnetConfiguration(
name='Private',
subnet_type=SubnetType.PRIVATE,
cidr_mask=18 # 16,382 IP addresses
)
]
)
# VPC flow logs are a security best-practice as they allow us
# to capture information about the traffic going in and out of
# the VPC. For more information, see the README for this app.
self.vpc.add_flow_log(
'NetworkTierFlowLogs',
destination=FlowLogDestination.to_cloud_watch_logs(),
traffic_type=FlowLogTrafficType.ALL
)
# TODO - Create a NetworkAcl for your VPC that only allows
# network traffic required for your render farm. This is a
# security best-practice to ensure the safety of your farm.
# The default network ACLs allow all traffic by default,
# whereas custom network ACLs deny all traffic by default.
# For more information, see the README for this app.
#
# Example code to create a custom network ACL:
# acl = NetworkAcl(
# self,
# 'ACL',
# vpc=self.vpc,
# subnet_selection=SubnetSelection(
# subnets=self.vpc.public_subnets
# )
# )
#
# You can optionally add rules to allow traffic (e.g. SSH):
# acl.add_entry(
# 'SSH',
# cidr=AclCidr.ipv4(
# # some-ipv4-address-cidr
# ),
# traffic=AclTraffic.tcp_port(22),
# rule_number=1
# )
endpoint_subnets = SubnetSelection(subnet_type=SubnetType.PRIVATE)
# Add interface endpoints
for idx, service_info in enumerate(_INTERFACE_ENDPOINT_SERVICES):
service_name = service_info['name']
service = service_info['service']
self.vpc.add_interface_endpoint(
f'{service_name}{idx}',
service=service,
subnets=endpoint_subnets
)
# Add gateway endpoints
for idx, service_info in enumerate(_GATEWAY_ENDPOINT_SERVICES):
service_name = service_info['name']
service = service_info['service']
self.vpc.add_gateway_endpoint(
service_name,
service=service,
subnets=[endpoint_subnets]
)
# Internal DNS zone for the VPC.
self.dns_zone = PrivateHostedZone(
self,
'DnsZone',
vpc=self.vpc,
zone_name='deadline-test.internal'
)
class DataLakeFoundations(NestedStack):
@property
def raw_s3_bucket(self):
return self.__raw_s3_bucket
@property
def clean_s3_bucket(self):
return self.__clean_s3_bucket
@property
def curated_s3_bucket(self):
return self.__curated_s3_bucket
@property
def raw_glue_db(self):
return self.__raw_glue_db
@property
def clean_glue_db(self):
return self.__clean_glue_db
@property
def curated_glue_db(self):
return self.__curated_glue_db
@property
def audit_glue_db(self):
return self.__audit_glue_db
@property
def logs_s3_bucket(self):
return self.__logs_s3_bucket
@property
def vpc(self):
return self.__vpc
@property
def private_subnets_selection(self):
return self.__private_subnets
@property
def public_subnets_selection(self):
return self.__public_subnets
@property
def admin_group(self):
return self.__admin_group
@property
def analysts_group(self):
return self.__analysts_group
@property
def developers_group(self):
return self.__developers_group
def __init__(self, scope: Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
# implement the glue data catalog databases used in the data lake
catalog = DataLakeCatalog(self, 'DataLakeCatalog')
self.__raw_glue_db = catalog.raw_database
self.__clean_glue_db = catalog.clean_database
self.__curated_glue_db = catalog.transform_database
self.__audit_glue_db = Database(self, 'AuditGlueDB', database_name='ara_audit_data_' + self.account)
# implement the S3 buckets for the data lake
storage = DataLakeStorage(self, 'DataLakeStorage')
self.__logs_s3_bucket = AutoEmptyBucket(
self, 'Logs',
bucket_name='ara-logs-' + self.account,
uuid=AutoEmptyConfig.FOUNDATIONS_UUID
).bucket
self.__raw_s3_bucket = storage.raw_bucket
self.__clean_s3_bucket = storage.clean_bucket
self.__curated_s3_bucket = storage.transform_bucket
AuditTrailGlue(self, 'GlueAudit',
log_bucket=self.__logs_s3_bucket,
audit_bucket=self.__curated_s3_bucket,
audit_db=self.__audit_glue_db,
audit_table=self.__curated_s3_bucket.bucket_name
)
# the vpc used for the overall data lake (same vpc, different subnet for modules)
self.__vpc = Vpc(self, 'Vpc')
self.__public_subnets = self.__vpc.select_subnets(subnet_type=SubnetType.PUBLIC)
self.__private_subnets = self.__vpc.select_subnets(subnet_type=SubnetType.PRIVATE)
self.__vpc.add_gateway_endpoint("S3GatewayEndpoint",
service=GatewayVpcEndpointAwsService.S3,
subnets=[SubnetSelection(subnet_type=SubnetType.PUBLIC),
SubnetSelection(subnet_type=SubnetType.PRIVATE)])
# IAM groups
self.__admin_group = Group(self, 'GroupAdmins', group_name='ara-admins')
self.__analysts_group = Group(self, 'GroupAnalysts', group_name='ara-analysts')
self.__developers_group = Group(self, 'GroupDevelopers', group_name='ara-developers')