def create_nat_instance(self, zone_id, subnet_name):
t = self.template
suffix = zone_id
nat_instance = t.add_resource(
ec2.Instance(NAT_INSTANCE_NAME % suffix,
Condition="UseNatInstances",
ImageId=FindInMap('AmiMap', Ref("AWS::Region"),
Ref("ImageName")),
SecurityGroupIds=[Ref(DEFAULT_SG),
Ref(NAT_SG)],
SubnetId=Ref(subnet_name),
InstanceType=Ref('InstanceType'),
SourceDestCheck=False,
KeyName=Ref('SshKeyName'),
Tags=[ec2.Tag('Name', 'nat-gw%s' % suffix)],
DependsOn=GW_ATTACH))
eip = t.add_resource(
ec2.EIP('NATExternalIp%s' % suffix,
Domain='vpc',
InstanceId=If("UseNatInstances", Ref(nat_instance),
Ref("AWS::NoValue")),
DependsOn=GW_ATTACH))
t.add_resource(
ec2.NatGateway(
NAT_GATEWAY_NAME % suffix,
Condition="UseNatGateway",
AllocationId=GetAtt(eip, 'AllocationId'),
SubnetId=Ref(subnet_name),
))
return nat_instance
def nat_gateway(self) -> Optional[ec2.NatGateway]:
"""Return a NAT gateway for this subnet."""
if self.use_nat and self._nat_gateway is None:
self._nat_gateway = ec2.NatGateway(
name_to_id(f"{self.name}-nat"),
AllocationId=GetAtt(self.nat_eip, "AllocationId"),
SubnetId=Ref(self.subnet),
)
return self._nat_gateway
def create_nat_instance(self, zone_id, subnet_name):
t = self.template
variables = self.get_variables()
suffix = zone_id
eip_name = "NATExternalIp%s" % suffix
if variables["UseNatGateway"]:
gateway_name = NAT_GATEWAY_NAME % suffix
t.add_resource(
ec2.NatGateway(
gateway_name,
AllocationId=GetAtt(eip_name, 'AllocationId'),
SubnetId=Ref(subnet_name),
))
t.add_output(Output(gateway_name + "Id", Value=Ref(gateway_name)))
# Using NAT Gateways, leave the EIP unattached - it gets allocated
# to the NAT Gateway in that resource above
eip_instance_id = Ref("AWS::NoValue")
else:
image_id = FindInMap('AmiMap', Ref("AWS::Region"),
Ref("ImageName"))
instance_name = NAT_INSTANCE_NAME % suffix
t.add_resource(
ec2.Instance(instance_name,
Condition="UseNatInstances",
ImageId=image_id,
SecurityGroupIds=[Ref(DEFAULT_SG),
Ref(NAT_SG)],
SubnetId=Ref(subnet_name),
InstanceType=variables["InstanceType"],
SourceDestCheck=False,
KeyName=variables["SshKeyName"],
Tags=[ec2.Tag('Name', 'nat-gw%s' % suffix)],
DependsOn=GW_ATTACH))
t.add_output(
Output(instance_name + "PublicHostname",
Value=GetAtt(instance_name, "PublicDnsName")))
t.add_output(
Output(instance_name + "InstanceId", Value=Ref(instance_name)))
# Since we're using NAT instances, go ahead and attach the EIP
# to the NAT instance
eip_instance_id = Ref(instance_name)
t.add_resource(
ec2.EIP(eip_name,
Domain='vpc',
InstanceId=eip_instance_id,
DependsOn=GW_ATTACH))
def add_natgw(self):
t = self.template
natGwSubnetId = None
for subnetDict in self.subnets:
if subnetDict['useIgw']:
natGwSubnetId = subnetDict['ID1']
if natGwSubnetId != None:
break
self.natEip = t.add_resource(ec2.EIP('NatEIP', Domain='vpc'))
self.natGw = t.add_resource(
ec2.NatGateway('NatGateway',
AllocationId=GetAtt(self.natEip, "AllocationId"),
SubnetId=natGwSubnetId))
def create_vpc(t, env, env_number, subnet_mapping, subnet_config):
'''
Creates the VPC along with the subnets, IGW and RouteTables
'''
vpc_objects = {}
vpc_objects['vpc'] = t.add_resource(
ec2.VPC("{}VPC".format(env.upper()),
CidrBlock="10.{}.0.0/16".format(env_number),
InstanceTenancy="default",
Tags=Tags(Name="{}VPC".format(env.upper()))))
vpc_objects['igw'] = t.add_resource(ec2.InternetGateway("InternetGateway"))
vpc_objects['igw_attachment'] = t.add_resource(
ec2.VPCGatewayAttachment(
"IGWAttachment",
VpcId=Ref(vpc_objects['vpc']),
InternetGatewayId=Ref(vpc_objects['igw']),
))
# Create Subnets
vpc_objects['subnets'] = {}
vpc_objects['nat_eip'] = {}
for subid in subnet_config:
vpc_objects['subnets'][subid] = t.add_resource(
ec2.Subnet(subid,
CidrBlock=subnet_config[subid]['subnet'],
VpcId=Ref(vpc_objects['vpc']),
AvailabilityZone="{}".format(
subnet_config[subid]['az_name']),
Tags=Tags(Name="{}Subnet".format(subid))))
# Create NAT Gateways
if subnet_config[subid]['service'] == 'nat':
az = subnet_config[subid]['az_number']
nat_eip_name = '{}{}NatEIP'.format(env.title(), az)
vpc_objects['nat_eip'][nat_eip_name] = t.add_resource(
ec2.EIP(nat_eip_name, Domain="vpc"))
t.add_resource(
ec2.NatGateway('{}{}NatGW'.format(env.title(), az),
AllocationId=GetAtt(
vpc_objects['nat_eip'][nat_eip_name],
'AllocationId'),
SubnetId=Ref(vpc_objects['subnets'][subid])))
return t, vpc_objects
def create_nat_gateway(self, availability_zone, public_subnet,
private_route_table):
nat_eip = self.create_resource(
ec2.EIP(
'{}NATIP'.format(availability_zone.cfn_name),
Domain="vpc",
))
nat_gateway = self.create_resource(
ec2.NatGateway(
'{}NATGateway'.format(availability_zone.cfn_name),
AllocationId=GetAtt(nat_eip, 'AllocationId'),
SubnetId=Ref(public_subnet),
))
self.create_resource(
ec2.Route('{}PrivateRoute'.format(availability_zone.cfn_name),
RouteTableId=Ref(private_route_table),
DestinationCidrBlock=ALLOW_ALL_CIDR,
NatGatewayId=Ref(nat_gateway)))
def create_nat_gateways(self):
# Nat gateways in public subnets, one per AZ
t = self.template
for name in self.subnets.keys():
if self.subnets[name]['net_type'] == 'public':
if name == 'Public':
prefix = ''
else:
prefix = name
self.subnets[name]['nat_gateways'] = list()
for i in range(len(self.zones)):
nat_gateway = '%sNatGateway%d' % (prefix, i)
nat_gateway_eip = '%sNatGatewayEIP%d' % (prefix, i)
self.subnets[name]['nat_gateways'].append(nat_gateway)
t.add_resource(ec2.EIP(nat_gateway_eip, Domain='vpc'))
t.add_resource(
ec2.NatGateway(
nat_gateway,
SubnetId=Ref(self.subnets[name]['az_subnets'][i]),
AllocationId=GetAtt(nat_gateway_eip,
'AllocationId')))
def create_nat_gateway(self):
t = self.template
variables = self.get_variables()
if variables["NatGatewayId"] or not variables["CreateNatGateway"]:
return
self.nat_gateway_eip = t.add_resource(
ec2.EIP("NatGatewayEIP", Domain="vpc"))
t.add_output(Output("NatGatewayEIP", Value=self.nat_gateway_eip.Ref()))
t.add_output(
Output("NatGatewayEIPAllocationId",
Value=self.nat_gateway_eip.GetAtt("AllocationId")))
self.nat_gateway = t.add_resource(
ec2.NatGateway(
"NatGateway",
AllocationId=self.nat_gateway_eip.GetAtt("AllocationId"),
SubnetId=self.subnet.Ref()))
t.add_output(Output("NatGatewayId", Value=self.nat_gateway.Ref()))
def ssm_network():
template = Template()
default_route = "0.0.0.0/0"
vpc_cidr = "192.168.0.0/16"
template.add_parameter(Parameter(
"VpcCidr",
Type="String",
Description="Cidr block for VPC",
MinLength="9",
MaxLength="18",
Default=vpc_cidr,
AllowedPattern="(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})",
ConstraintDescription="Must match following pattern 'xxx.xxx.xxx.xxx/xx'"
))
template.add_parameter(Parameter(
"CreateEndpoints",
Type="String",
Description="Create VPC Endpoints",
Default="No",
AllowedValues=["Yes", "No"],
ConstraintDescription="'Yes' or 'No' are only options"
))
template.add_parameter(Parameter(
"CreateNatGateway",
Type="String",
Description="Create NAT Gateway",
Default="No",
AllowedValues=["Yes", "No"],
ConstraintDescription="'Yes' or 'No' are only options"
))
conditions = {
"CreateVpcEndpointsUpperYes": Equals(
Ref("CreateEndpoints"), "Yes"
),
"CreateVpcEndpointsLowerYes": Equals(
Ref("CreateEndpoints"), "yes"
),
"CreateVpcEndpoints": Or(
Condition("CreateVpcEndpointsUpperYes"),
Condition("CreateVpcEndpointsLowerYes")
),
"CreateNatGatewayUpperYes": Equals(
Ref("CreateNatGateway"), "Yes"
),
"CreateNatGatewayLowerYes": Equals(
Ref("CreateNatGateway"), "yes"
),
"CreateNatGateway": Or(
Condition("CreateNatGatewayUpperYes"),
Condition("CreateNatGatewayLowerYes")
)
}
ssm_vpc = ec2.VPC(
'SsmVpc',
CidrBlock=Ref("VpcCidr"),
InstanceTenancy="default",
EnableDnsHostnames=True,
EnableDnsSupport=True,
Tags=Tags(
Name="SSM VPC"
)
)
subnet_blocks = Cidr(GetAtt(ssm_vpc, "CidrBlock"), 256, 8)
ssm_ig = ec2.InternetGateway(
'SsmIG',
)
ssm_attach_gw = ec2.VPCGatewayAttachment(
'SsmAttachGateway',
InternetGatewayId=Ref(ssm_ig),
VpcId=Ref(ssm_vpc)
)
ssm_public_subnet = ec2.Subnet(
'SsmPublicSubnet',
DependsOn=ssm_attach_gw,
AvailabilityZone=Select(0, GetAZs('')),
CidrBlock=Select(0, subnet_blocks),
VpcId=Ref(ssm_vpc),
Tags=Tags(
Name="Public Subnet"
)
)
ssm_public_route_table = ec2.RouteTable(
'SsmPublicRouteTable',
VpcId=Ref(ssm_vpc),
)
ssm_public_route = ec2.Route(
'SsmPublicRoute',
DestinationCidrBlock=default_route,
GatewayId=Ref(ssm_ig),
RouteTableId=Ref(ssm_public_route_table)
)
ssm_public_subnet_route_table_association = ec2.SubnetRouteTableAssociation(
'SsmPublicSubnetRouteTableAssociation',
RouteTableId=Ref(ssm_public_route_table),
SubnetId=Ref(ssm_public_subnet)
)
ssm_eip_nat_gateway = ec2.EIP(
'SsmEipNatGateway',
Condition="CreateNatGateway"
)
ssm_nat_gateway = ec2.NatGateway(
'SsmNatGateway',
Condition="CreateNatGateway",
DependsOn=ssm_eip_nat_gateway,
SubnetId=Ref(ssm_public_subnet),
AllocationId=GetAtt(ssm_eip_nat_gateway, "AllocationId"),
)
ssm_private_subnet = ec2.Subnet(
'SsmPrivateSubnet',
DependsOn=ssm_attach_gw,
AvailabilityZone=Select(0, GetAZs('')),
CidrBlock=Select(1, subnet_blocks),
VpcId=Ref(ssm_vpc),
Tags=Tags(
Name="Private Subnet"
)
)
ssm_private_route_table = ec2.RouteTable(
'SsmPrivateRouteTable',
VpcId=Ref(ssm_vpc),
)
ssm_private_route = ec2.Route(
'SsmPrivateRoute',
Condition="CreateNatGateway",
DestinationCidrBlock=default_route,
NatGatewayId=Ref(ssm_nat_gateway),
RouteTableId=Ref(ssm_private_route_table)
)
ssm_private_subnet_route_table_association = ec2.SubnetRouteTableAssociation(
'SsmPrivateSubnetRouteTableAssociation',
RouteTableId=Ref(ssm_private_route_table),
SubnetId=Ref(ssm_private_subnet)
)
ssm_sg_ingress_rules = [
ec2.SecurityGroupRule(
ToPort=443,
FromPort=443,
IpProtocol="tcp",
CidrIp=GetAtt(ssm_vpc, "CidrBlock")
)
]
ssm_security_group = ec2.SecurityGroup(
'SsmSecurityGroup',
GroupName="SsmSG",
GroupDescription="SG for SSM usage",
VpcId=Ref(ssm_vpc),
SecurityGroupIngress=ssm_sg_ingress_rules
)
ssm_s3e_vpc_endpoint = ec2.VPCEndpoint(
'SsmS3VpcEndpoint',
Condition="CreateVpcEndpoints",
RouteTableIds=[
Ref(ssm_private_route_table)
],
ServiceName=vpc_endpoint("s3"),
VpcId=Ref(ssm_vpc),
VpcEndpointType="Gateway"
)
ssm_ssm_vpc_endpoint = ec2.VPCEndpoint(
'SsmSsmVpcEndpoint',
Condition="CreateVpcEndpoints",
SubnetIds=[Ref(ssm_private_subnet)],
ServiceName=vpc_endpoint("ssm"),
VpcId=Ref(ssm_vpc),
VpcEndpointType="Interface",
SecurityGroupIds=[
Ref(ssm_security_group)
],
PrivateDnsEnabled=True
)
ssm_ssmmessages_vpc_endpoint = ec2.VPCEndpoint(
'SsmSsmMessagesVpcEndpoint',
Condition="CreateVpcEndpoints",
SubnetIds=[Ref(ssm_private_subnet)],
ServiceName=vpc_endpoint("ssmmessages"),
VpcId=Ref(ssm_vpc),
VpcEndpointType="Interface",
SecurityGroupIds=[
Ref(ssm_security_group)
],
PrivateDnsEnabled=True
)
ssm_ec2messages_vpc_endpoint = ec2.VPCEndpoint(
'SsmEc2MessagesVpcEndpoint',
Condition="CreateVpcEndpoints",
SubnetIds=[Ref(ssm_private_subnet)],
ServiceName=vpc_endpoint("ec2messages"),
VpcId=Ref(ssm_vpc),
VpcEndpointType="Interface",
SecurityGroupIds=[
Ref(ssm_security_group)
],
PrivateDnsEnabled=True
)
template.add_resource(ssm_vpc)
template.add_resource(ssm_ig)
template.add_resource(ssm_attach_gw)
template.add_resource(ssm_eip_nat_gateway)
template.add_resource(ssm_public_subnet)
template.add_resource(ssm_public_route_table)
template.add_resource(ssm_nat_gateway)
template.add_resource(ssm_public_route)
template.add_resource(ssm_public_subnet_route_table_association)
template.add_resource(ssm_private_subnet)
template.add_resource(ssm_private_route_table)
template.add_resource(ssm_private_route)
template.add_resource(ssm_private_subnet_route_table_association)
template.add_resource(ssm_security_group)
template.add_resource(ssm_s3e_vpc_endpoint)
template.add_resource(ssm_ec2messages_vpc_endpoint)
template.add_resource(ssm_ssm_vpc_endpoint)
template.add_resource(ssm_ssmmessages_vpc_endpoint)
for k in conditions:
template.add_condition(k, conditions[k])
template.add_output(Output(
'SsmVpc',
Description="VPC for SSM",
Value=Ref(ssm_vpc),
Export=Export(Join("", [Ref("AWS::StackName"), "-ssm-vpc"]))
))
template.add_output(Output(
'SsmSg',
Description="Security Group for SSM",
Value=Ref(ssm_security_group),
Export=Export(Join("", [Ref("AWS::StackName"), "-ssm-sg"]))
))
template.add_output(Output(
'SsmPrivateSubnet',
Description="Private Subnet for SSM",
Value=Ref(ssm_private_subnet),
Export=Export(Join("", [Ref("AWS::StackName"), "-ssm-private-subnet"]))
))
template.add_output(Output(
'SsmPrivateRouteTable',
Description="Private RouteTable for SSM",
Value=Ref(ssm_private_route_table),
Export=Export(Join("", [Ref("AWS::StackName"), "-ssm-private-route-table"]))
))
with open(os.path.dirname(os.path.realpath(__file__)) + '/ssm_network.yml', 'w') as cf_file:
cf_file.write(template.to_yaml())
return template.to_yaml()
def add_public_subnet_group(
self,
name_prefix: str,
cidr_block: str,
no_of_subnets: int = 4,
create_nat_gateways: bool = False,
):
"""Create public subnets and, optionally, NAT Gateways
Args:
name_prefix (str): Subnet name. AZ will be added at the end.
cidr_block (str): Range of IP addresses to be split over
availability zones.
no_of_subnets (int, optional): How many subnets to set up.
Defaults to 4.
create_nat_gateways (bool, optional): If True, it will
create one NAT gateway in each subnet and a private
route table for each. Defaults to False.
"""
for res in multiaz_subnets(
name_prefix=name_prefix,
cidr_block=cidr_block,
region=self.region,
no_of_subnets=no_of_subnets,
vpc=self.vpc,
network_acl=self.public_nacl,
route_table=self.public_route_table,
):
self._r[res.title] = res
self.public_subnets.append(res)
if create_nat_gateways and res.resource[
"Type"] == "AWS::EC2::Subnet":
subnet = res
az = subnet.Metadata["az"]
az_index = subnet.Metadata["az_index"]
suffix = subnet.Metadata["suffix"]
# Elastic IP for NAT Gateway
eip = t_ec2.EIP(title=f"EipNatGw{suffix}", Domain="vpc")
self._r[eip.title] = eip
# NAT Gateway
nat_gw = t_ec2.NatGateway(
title=f"NatGw{suffix}",
AllocationId=GetAtt(eip, "AllocationId"),
SubnetId=Ref(subnet),
Tags=[{
"Key": "Name",
"Value": f"Nat Gw {az_index}"
}],
Metadata={
"az": az,
"az_index": az_index,
"suffix": suffix
},
)
self._r[nat_gw.title] = nat_gw
self.nat_gateways.append(nat_gw)
# Natted route table
route_table = t_ec2.RouteTable(
title=f"PrivRouteTable{suffix}",
VpcId=Ref(self.vpc),
Tags=[{
"Key": "Name",
"Value": f"Private {az_index}"
}],
Metadata={
"az": az,
"az_index": az_index,
"suffix": suffix
},
)
self.gateway_subnets.append(subnet)
self.natted_route_tables.append(route_table)
# NAT route
self._r[route_table.title] = route_table
route = t_ec2.Route(
title=f"NatRoute{az_index.upper()}",
RouteTableId=Ref(route_table),
DestinationCidrBlock="0.0.0.0/0",
NatGatewayId=Ref(nat_gw),
)
self._r[route.title] = route
private_route_association = t.add_resource(
ec2.SubnetRouteTableAssociation(
"PrivateRouteAssociation",
SubnetId=Ref(private_net),
RouteTableId=Ref(private_route_table),
))
nat_eip = t.add_resource(ec2.EIP(
"NatEip",
Domain="vpc",
))
nat = t.add_resource(
ec2.NatGateway(
"Nat",
AllocationId=GetAtt(nat_eip, "AllocationId"),
SubnetId=Ref(public_net),
))
t.add_resource(
ec2.Route(
"NatRoute",
RouteTableId=Ref(private_route_table),
DestinationCidrBlock="0.0.0.0/0",
NatGatewayId=Ref(nat),
))
t.add_output(Output("VPCId", Value=Ref(vpc), Description="VPC Id"))
t.add_output(
Output(
def create_vpc_template(template=None):
if not template:
template = Template()
template.add_description(
'AWS cloud formation script template.at creates a VPC with a NAT Gg'
)
template.add_version('2010-09-09')
vpc_cidr_block = template.add_parameter(
Parameter(
'VPCCIDR',
Default=vpc_config['cidr_block'],
Description='The IP address space for this VPC, in CIDR notation',
Type='String',
))
vpc = template.add_resource(
ec2.VPC('VPC',
CidrBlock=Ref(vpc_cidr_block),
Tags=Tags(vpc_config['tags'])))
igw = template.add_resource(ec2.InternetGateway('InternetGateway', ))
template.add_resource(
ec2.VPCGatewayAttachment(
"NatAttachment",
VpcId=Ref(vpc),
InternetGatewayId=Ref(igw),
))
template.add_output(Output('VPCId', Value=Ref(vpc), Description='VPC Id'))
public_security_group = template.add_resource(
ec2.SecurityGroup(
security_group_config['public']['name'],
GroupDescription='{} public security group'.format(
vpc_config['name']),
SecurityGroupIngress=[
ec2.SecurityGroupRule(IpProtocol='tcp',
ToPort=r['port'],
FromPort=r['port'],
CidrIp=r['cidr_block'])
for r in security_group_config['public']['ingress_rules']
],
VpcId=Ref(vpc),
Tags=Tags(
dict(Name='public {} security group'.format(
vpc_config['name']))),
))
template.add_output(
Output('PublicSecurityGroupId',
Value=Ref(public_security_group),
Description='Public Security Group Id'))
private_security_group = template.add_resource(
ec2.SecurityGroup(
security_group_config['private']['name'],
GroupDescription='{} private security group'.format(
vpc_config['name']),
SecurityGroupIngress=[
ec2.SecurityGroupRule(
IpProtocol='tcp',
ToPort=r['port'],
FromPort=r['port'],
SourceSecurityGroupId=Ref(public_security_group))
for r in security_group_config['private']['ingress_rules']
],
VpcId=Ref(vpc),
Tags=Tags(
dict(Name='private {} security group'.format(
vpc_config['name']))),
))
for i, sub_net in enumerate(sub_nets):
public_subnet = template.add_parameter(
Parameter(
'PublicSubnetCidr{}'.format(i),
Type='String',
Description='Public Subnet CIDR',
Default=sub_net['public_cidr'],
))
public_net = template.add_resource(
ec2.Subnet(
'PublicSubnet{}'.format(i),
AvailabilityZone=sub_net['region'],
CidrBlock=Ref(public_subnet),
MapPublicIpOnLaunch=False,
VpcId=Ref(vpc),
Tags=Tags(dict(Name='Public Subnet {}'.format(i))),
))
public_route_table = template.add_resource(
ec2.RouteTable(
'PublicRouteTable{}'.format(i),
VpcId=Ref(vpc),
))
template.add_resource(
ec2.SubnetRouteTableAssociation(
'PublicRouteAssociation{}'.format(i),
SubnetId=Ref(public_net),
RouteTableId=Ref(public_route_table),
))
template.add_resource(
ec2.Route(
'PublicDefaultRoute{}'.format(i),
RouteTableId=Ref(public_route_table),
DestinationCidrBlock='0.0.0.0/0',
GatewayId=Ref(igw),
))
template.add_output(
Output('PublicSubnet{}'.format(i),
Value=Ref(public_subnet),
Description='Subnet Id'))
if private_sub_net:
private_subnet = template.add_parameter(
Parameter(
'PrivateSubnetCidr{}'.format(i),
Type='String',
Description='Private Subnet CIDR',
Default=sub_net['private_cidr'],
))
private_net = template.add_resource(
ec2.Subnet(
'PrivateSubnet{}'.format(i),
CidrBlock=Ref(private_subnet),
MapPublicIpOnLaunch=False,
VpcId=Ref(vpc),
Tags=Tags(dict(Name='Private Subnet {}'.format(i))),
))
private_route_table = template.add_resource(
ec2.RouteTable(
'PrivateRouteTable{}'.format(i),
VpcId=Ref(vpc),
))
template.add_resource(
ec2.SubnetRouteTableAssociation(
'PrivateRouteAssociation{}'.format(i),
SubnetId=Ref(private_net),
RouteTableId=Ref(private_route_table),
))
template.add_output(
Output('PrivateSubnet{}'.format(i),
Value=Ref(private_subnet),
Description='Subnet Id'))
if nat_gateway and private_sub_net:
nat_eip = template.add_resource(
ec2.EIP(
'NatEip{}'.format(i),
Domain="vpc",
))
nat = template.add_resource(
ec2.NatGateway(
'Nat{}'.format(i),
AllocationId=GetAtt(nat_eip, 'AllocationId'),
SubnetId=Ref(public_net),
))
template.add_resource(
ec2.Route(
'NatRoute{}'.format(i),
RouteTableId=Ref(private_route_table),
DestinationCidrBlock='0.0.0.0/0',
NatGatewayId=Ref(nat),
))
template.add_output(
Output(
'NatEip{}'.format(i),
Value=Ref(nat_eip),
Description='Nat Elastic IP',
))
write_json_to_file('vpc.json', template)
def dump_base_yaml(cfn_file):
template = Template()
vpc_cidr_param = template.add_parameter(
Parameter(
"vpcCidrParam",
Description="string of vpc cidr block to use",
Type="String",
))
subnet_cidr_param = template.add_parameter(
Parameter(
"subnetCidrParam",
Description="string of subnet cidr block to use",
Type="String",
))
igw = template.add_resource(
ec2.InternetGateway(
"Igw",
Tags=resource_tags,
))
vpc = template.add_resource(
ec2.VPC(
"Vpc",
CidrBlock=Ref(vpc_cidr_param),
EnableDnsSupport=True,
EnableDnsHostnames=True,
InstanceTenancy="default",
Tags=resource_tags,
))
igwa = template.add_resource(
ec2.VPCGatewayAttachment(
"IgwA",
VpcId=Ref(vpc),
InternetGatewayId=Ref(igw),
))
route_tbl = template.add_resource(
ec2.RouteTable(
"RouteTable",
VpcId=Ref(vpc),
Tags=resource_tags,
))
default_route = template.add_resource(
ec2.Route("defaultRoute",
DestinationCidrBlock="0.0.0.0/0",
GatewayId=Ref(igw),
RouteTableId=Ref(route_tbl)))
subnet = template.add_resource(
ec2.Subnet(
"Subnet",
VpcId=Ref(vpc),
CidrBlock=Ref(subnet_cidr_param),
MapPublicIpOnLaunch=True,
AvailabilityZone=Select(0, GetAZs()),
Tags=resource_tags,
))
route_tbl_asoc = template.add_resource(
ec2.SubnetRouteTableAssociation("RouteTblSubnetAsoc",
RouteTableId=Ref(route_tbl),
SubnetId=Ref(subnet)))
priv_route_tbl = template.add_resource(
ec2.RouteTable(
"PrivRouteTable",
VpcId=Ref(vpc),
Tags=resource_tags,
))
priv_subnet = template.add_resource(
ec2.Subnet(
"PrivSubnet",
VpcId=Ref(vpc),
CidrBlock="10.10.1.0/24",
MapPublicIpOnLaunch=False,
AvailabilityZone=Select(0, GetAZs()),
Tags=resource_tags,
))
route_tbl_asoc = template.add_resource(
ec2.SubnetRouteTableAssociation("RouteTblPrivSubnetAsoc",
RouteTableId=Ref(priv_route_tbl),
SubnetId=Ref(priv_subnet)))
ngw_elastic_ip = template.add_resource(
ec2.EIP(
"MyNgwEip",
Tags=resource_tags,
))
nat_gateway = template.add_resource(
ec2.NatGateway(
"MyNatGateway",
AllocationId=GetAtt(ngw_elastic_ip, "AllocationId"),
SubnetId=Ref(subnet),
))
private_out_route = template.add_resource(
ec2.Route("privateOutRoute",
DestinationCidrBlock="0.0.0.0/0",
NatGatewayId=Ref(nat_gateway),
RouteTableId=Ref(priv_route_tbl)))
template.add_output([
Output(
"VpcId",
Description="InstanceId of the newly created EC2 instance",
Value=Ref(vpc),
Export=Export("VpcId-jdix"),
),
Output(
"SubnetId",
Description="InstanceId of the newly created EC2 instance",
Value=Ref(subnet),
Export=Export("SubnetId-jdix"),
),
Output(
"PrivSubnetId",
Description="InstanceId of the newly created EC2 instance",
Value=Ref(priv_subnet),
Export=Export("PrivSubnetId-jdix"),
),
])
template_out_yaml(cfn_file, template)
def add_resources(self):
"""Add resources to template."""
template = self.template
variables = self.get_variables()
# Add StackName to outputs (for ease of reference by child stacks)
template.add_output(
Output('StackName',
Description='Name of this CloudFormation stack',
Value=Ref('AWS::StackName')))
vpc = template.add_resource(
ec2.VPC('VPC',
CidrBlock=variables['VpcCidr'].ref,
EnableDnsSupport=True,
EnableDnsHostnames=True,
InstanceTenancy=variables['VpcInstanceTenancy'].ref,
Tags=Tags(Application=Ref('AWS::StackName'),
Name=Join('-', [
variables['CustomerName'].ref, 'vpc',
variables['EnvironmentName'].ref
]),
Network='Public')))
template.add_output(
Output('VPC',
Description='VPC',
Export=Export(Sub('${AWS::StackName}-VPC')),
Value=Ref(vpc)))
template.add_output(
Output('CidrBlock',
Description='Set of IP addresses for the VPC',
Export=Export(Sub('${AWS::StackName}-CidrBlock')),
Value=GetAtt(vpc, 'CidrBlock')))
# Create subnets
for i in range(AZS):
for zone in ['Public', 'Private']:
template.add_resource(
ec2.Subnet(
'%sSubnet%s' % (zone[:3], str(i + 1)),
Condition='%sAZ%i' % (zone, (i + 1)),
VpcId=Ref(vpc),
AvailabilityZone=Select(str(i + variables['AzOffset']),
GetAZs('')),
CidrBlock=Ref('%sSubnet%s' % (zone, str(i + 1))),
Tags=Tags(
Application=Ref('AWS::StackName'),
Name=Join('-', [
variables['CustomerName'].ref,
zone.lower(), variables['EnvironmentName'].ref,
Select(str(i + variables['AzOffset']),
GetAZs(''))
]),
Network='%s - %s' % (zone, str(i + 1)))))
template.add_output(
Output('%sSubnet%s' % (zone[:3], str(i + 1)),
Condition='%sAZ%s' % (zone, str(i + 1)),
Description='%sSubnet%s' % (zone[:3], str(i + 1)),
Export=Export(
Sub('${AWS::StackName}-'
'%sSubnet%s' % (zone[:3], str(i + 1)))),
Value=Ref('%sSubnet%s' % (zone[:3], str(i + 1)))))
template.add_output(
Output(
'%sSubnet%sAZ' % (zone[:3], str(i + 1)),
Condition='%sAZ%s' % (zone, str(i + 1)),
Description='%sSubnet%s Availability Zone' %
(zone[:3], str(i + 1)), # noqa
Export=Export(
Sub('${AWS::StackName}-'
'%sSubnet%sAZ' % (zone[:3], str(i + 1)))),
Value=GetAtt('%sSubnet%s' % (zone[:3], str(i + 1)),
'AvailabilityZone')))
internetgateway = template.add_resource(
ec2.InternetGateway('InternetGateway',
Tags=Tags(
Application=Ref('AWS::StackName'),
Name=Join('-', [
variables['CustomerName'].ref, 'igw',
variables['EnvironmentName'].ref
]),
Network='Public')))
template.add_resource(
ec2.VPCGatewayAttachment(
'GatewayToInternet',
InternetGatewayId=Ref(internetgateway),
VpcId=Ref(vpc),
))
# Elastic IPs
for i in range(AZS):
template.add_resource(
ec2.EIP('NAT%iElasticIP' % (i + 1),
Condition='CreateNATGateway%i' % (i + 1),
Domain='vpc'))
template.add_output(
Output(
'NAT%iElasticIP' % (i + 1),
Condition='CreateNATGateway%i' % (i + 1),
Description='Elastic IP for NATs %i' % (i + 1),
Export=Export(
Sub('${AWS::StackName}-NAT%iElasticIP' % (i + 1))),
Value=Ref('NAT%iElasticIP' % (i + 1)),
))
# NAT Gateways
for i in range(AZS):
template.add_resource(
ec2.NatGateway('NATGateway%i' % (i + 1),
Condition='CreateNATGateway%i' % (i + 1),
AllocationId=GetAtt('NAT%iElasticIP' % (i + 1),
'AllocationId'),
SubnetId=Ref('PubSubnet%i' % (i + 1))))
# Route tables
publicroutetable = template.add_resource(
ec2.RouteTable(
'PublicRouteTable',
VpcId=Ref(vpc),
Tags=Tags(Application=Ref('AWS::StackName'),
Name=Join('-', [
variables['CustomerName'].ref, 'public-routes',
variables['EnvironmentName'].ref
]),
Network='Public')))
template.add_output(
Output(publicroutetable.title,
Description=publicroutetable.title,
Export=Export(
Sub('${AWS::StackName}-%s' % publicroutetable.title)),
Value=Ref(publicroutetable)))
for i in range(AZS):
template.add_resource(
ec2.RouteTable(
'PrivateRouteTable%i' % (i + 1),
Condition='PrivateAZ%i' % (i + 1),
VpcId=Ref(vpc),
Tags=Tags(
Application=Ref('AWS::StackName'),
Name=Join('-', [
variables['CustomerName'].ref, 'private-routes',
variables['EnvironmentName'].ref,
Select(str(i + variables['AzOffset']), GetAZs(''))
]),
Network='Private - %i' % (i + 1))))
template.add_output(
Output('PrivateRouteTable%i' % (i + 1),
Condition='PrivateAZ%i' % (i + 1),
Description='PrivateRouteTable%i' % (i + 1),
Export=Export(
Sub('${AWS::StackName}-'
'PrivateRouteTable%i' % (i + 1))),
Value=Ref('PrivateRouteTable%i' % (i + 1))))
# Routes & Route Table Associations
template.add_resource(
ec2.Route('PublicRoute',
DestinationCidrBlock='0.0.0.0/0',
GatewayId=Ref(internetgateway),
RouteTableId=Ref(publicroutetable)))
for i in range(AZS):
template.add_resource(
ec2.Route('PrivateRoute%i' % (i + 1),
Condition='CreateNATGateway%i' % (i + 1),
DestinationCidrBlock='0.0.0.0/0',
NatGatewayId=Ref('NATGateway%i' % (i + 1)),
RouteTableId=Ref('PrivateRouteTable%i' % (i + 1))))
template.add_resource(
ec2.SubnetRouteTableAssociation(
'PubSubnet%iRTAssoc' % (i + 1),
Condition='PublicAZ%i' % (i + 1),
RouteTableId=Ref(publicroutetable),
SubnetId=Ref('PubSubnet%i' % (i + 1))))
template.add_resource(
ec2.SubnetRouteTableAssociation(
'PriSubnet%iRTAssoc' % (i + 1),
Condition='PrivateAZ%i' % (i + 1),
RouteTableId=Ref('PrivateRouteTable%i' % (i + 1)),
SubnetId=Ref('PriSubnet%i' % (i + 1))))
def __init__(self, key):
vpc_net = '10.80'
o_subnetprivate = []
o_subnetpublic = []
# Resources
R_VPC = ec2.VPC('VPC')
auto_get_props(R_VPC, mapname='')
R_RouteTablePrivate = EC2RouteTable('RouteTablePrivate')
R_RouteTablePrivate.Tags = Tags(Name=Sub('${VPCName}-Private'))
R_RouteTablePublic = EC2RouteTable('RouteTablePublic')
R_RouteTablePublic.Tags = Tags(Name=Sub('${VPCName}-Public'))
R_InternetGateway = ec2.InternetGateway('InternetGateway')
R_InternetGateway.Tags = Tags(Name=Ref('VPCName'))
R_VPCGatewayAttachment = ec2.VPCGatewayAttachment(
'VPCGatewayAttachment')
R_VPCGatewayAttachment.InternetGatewayId = Ref('InternetGateway')
R_VPCGatewayAttachment.VpcId = Ref('VPC')
if cfg.NatGateway != 'None':
# resources
R_EIPNat = ec2.EIP('EIPNat')
R_EIPNat.Domain = 'vpc'
R_NatGateway = ec2.NatGateway('NatGateway')
R_NatGateway.AllocationId = GetAtt('EIPNat', 'AllocationId')
R_NatGateway.SubnetId = Ref('SubnetPublicA')
R_RouteNatGateway = EC2RouteNatGateway('RouteNatGateway')
# outputs
O_EIPNat = Output('EIPNat')
O_EIPNat.Value = Ref('EIPNat')
add_obj([
R_NatGateway,
R_RouteNatGateway,
R_EIPNat,
O_EIPNat,
])
R_RouteInternetGateway = EC2RouteInternetGateway(
'RouteInternetGateway')
add_obj([
R_VPC,
R_RouteTablePrivate,
R_RouteTablePublic,
R_InternetGateway,
R_VPCGatewayAttachment,
R_RouteInternetGateway,
])
for i in range(cfg.AZones['MAX']):
zone_name = cfg.AZoneNames[i]
zone_cond = f'Zone{zone_name}'
# parameters
p_SubnetCidrBlockPrivate = Parameter(
f'SubnetCidrBlockPrivate{zone_name}')
p_SubnetCidrBlockPrivate.Description = (
f'Ip Class Range for Private Subnet in Zone {zone_name}')
p_SubnetCidrBlockPrivate.Default = f'{vpc_net}.{i * 16}.0/20'
p_SubnetCidrBlockPublic = Parameter(
f'SubnetCidrBlockPublic{zone_name}')
p_SubnetCidrBlockPublic.Description = (
f'Ip Class Range for Public Subnet in zone {zone_name}')
p_SubnetCidrBlockPublic.Default = f'{vpc_net}.{i + 200}.0/24'
add_obj([
p_SubnetCidrBlockPrivate,
p_SubnetCidrBlockPublic,
])
# conditions
c_Zone = {
zone_cond:
Equals(
FindInMap('AvabilityZones', Ref('AWS::Region'),
f'Zone{i}'), 'True')
}
add_obj(c_Zone)
# resources
r_SubnetPrivate = EC2SubnetPrivate(f'SubnetPrivate{zone_name}',
zone=zone_name)
r_SubnetPrivate.Condition = zone_cond
r_SubnetPublic = EC2SubnetPublic(f'SubnetPublic{zone_name}',
zone=zone_name)
r_SubnetPublic.Condition = zone_cond
r_SubnetRouteTableAssociationPrivate = (
EC2SubnetRouteTableAssociationPrivate(
f'SubnetRouteTableAssociationPrivate{zone_name}',
zone=zone_name))
r_SubnetRouteTableAssociationPrivate.Condition = zone_cond
r_SubnetRouteTableAssociationPublic = (
EC2SubnetRouteTableAssociationPublic(
f'SubnetRouteTableAssociationPublic{zone_name}',
zone=zone_name))
r_SubnetRouteTableAssociationPublic.Condition = zone_cond
add_obj([
r_SubnetPrivate,
r_SubnetPublic,
r_SubnetRouteTableAssociationPrivate,
r_SubnetRouteTableAssociationPublic,
])
# outputs
o_subnetprivate.append(
If(zone_cond, Ref(f'SubnetPrivate{zone_name}'),
Ref('AWS::NoValue')))
o_subnetpublic.append(
If(zone_cond, Ref(f'SubnetPublic{zone_name}'),
Ref('AWS::NoValue')))
# Outputs
O_SubnetsPrivate = Output('SubnetsPrivate')
O_SubnetsPrivate.Value = Join(',', o_subnetprivate)
O_SubnetsPrivate.Export = Export('SubnetsPrivate')
O_SubnetsPublic = Output('SubnetsPublic')
O_SubnetsPublic.Value = Join(',', o_subnetpublic)
O_SubnetsPublic.Export = Export('SubnetsPublic')
add_obj([
O_SubnetsPrivate,
O_SubnetsPublic,
])
# Nat Gateway EIP
natGatewayEIP = t.add_resource(ec2.EIP("NatGatewayEIP", Domain="vpc"))
# Public Subnet
publicSubnet = t.add_resource(
Subnet("PublicSubnet",
VpcId=Ref(vpc),
AvailabilityZone=Join("", [Ref("AWS::Region"), "a"]),
CidrBlock="10.0.1.0/24",
MapPublicIpOnLaunch=True,
Tags=Tags(Name="10.0.1.0-Public")))
# Nat Gateway
natGateway = t.add_resource(
ec2.NatGateway("NatGateway",
AllocationId=GetAtt(natGatewayEIP, 'AllocationId'),
SubnetId=Ref(publicSubnet)))
# Public Route Table
publicRouteTable = t.add_resource(
RouteTable("PublicRouteTable",
VpcId=Ref(vpc),
Tags=Tags(Name="Demo-Public-Route")))
# Default Public Route
t.add_resource(
Route("DefaultPublicRoute",
DependsOn=gatewayAttachment.title,
RouteTableId=Ref(publicRouteTable),
DestinationCidrBlock="0.0.0.0/0",
GatewayId=Ref(internetGateway)))
def configure(self):
self.vpc_metadata = constants.ENVIRONMENTS[self.env]['vpc']
self.set_description('VPC, Routes, Base Security Groups, and NATs')
common_vpc_tags = [ec2.Tag('Name', self.env)
] + self.get_tags(service_override='VPC')
_vpc = self.add_resource(
ec2.VPC('VPC',
CidrBlock=self.vpc_metadata['cidrblock'],
EnableDnsSupport=True,
EnableDnsHostnames=True,
Tags=common_vpc_tags))
_dhcp_options = self.add_resource(
ec2.DHCPOptions('DHCPOptions',
DomainName="node.{}.{}".format(
self.env, constants.TAG),
DomainNameServers=['AmazonProvidedDNS'],
Tags=common_vpc_tags))
self.add_resource(
ec2.VPCDHCPOptionsAssociation('VPCDHCPOptionsAssociation',
DhcpOptionsId=Ref(_dhcp_options),
VpcId=Ref(_vpc)))
_internet_gateway = self.add_resource(
ec2.InternetGateway('InternetGateway',
Tags=self.get_tags(
service_override='InternetGateway',
role_override='InternetGateway')))
self.add_resource(
ec2.VPCGatewayAttachment('AttachInternetGateway',
VpcId=Ref(_vpc),
InternetGatewayId=Ref(_internet_gateway)))
# route_tables stores all ec2.RouteTables generated and adds them to
# a private vpc s3 endpoint
route_tables = []
_public_route_table = self.add_resource(
ec2.RouteTable('PublicRouteTable',
VpcId=Ref(_vpc),
Tags=self.get_tags(
service_override='PublicRouteTable',
role_override='PublicRouteTable')))
route_tables.append(_public_route_table)
# Public Subnet Routes and ACLs
self.add_resource(
ec2.Route('PublicRoute',
RouteTableId=Ref(_public_route_table),
DestinationCidrBlock='0.0.0.0/0',
GatewayId=Ref(_internet_gateway)))
_public_network_acl = self.add_resource(
ec2.NetworkAcl('PublicNetworkAcl',
VpcId=Ref(_vpc),
Tags=self.get_tags(
service_override='PublicNetworkAcl',
role_override='PublicNetworkAcl')))
self.add_resource(
ec2.NetworkAclEntry('IngressPublicNetworkAclEntry',
NetworkAclId=Ref(_public_network_acl),
RuleNumber=100,
Protocol='-1',
RuleAction='allow',
Egress=False,
CidrBlock='0.0.0.0/0',
PortRange=ec2.PortRange(From=1, To=65535)))
self.add_resource(
ec2.NetworkAclEntry('EgressPublicNetworkAclEntry',
NetworkAclId=Ref(_public_network_acl),
RuleNumber=101,
Protocol='-1',
RuleAction='allow',
Egress=True,
CidrBlock='0.0.0.0/0',
PortRange=ec2.PortRange(From=1, To=65535)))
# Private Network ACLs
_private_network_acl = self.add_resource(
ec2.NetworkAcl('PrivateNetworkAcl',
VpcId=Ref(_vpc),
Tags=self.get_tags(
service_override='PrivateNetworkAcl',
role_override='PrivateNetworkAcl')))
self.add_resource(
ec2.NetworkAclEntry('IngressPrivateNetworkAclEntry',
NetworkAclId=Ref(_private_network_acl),
RuleNumber=100,
Protocol='-1',
RuleAction='allow',
Egress=False,
CidrBlock='0.0.0.0/0',
PortRange=ec2.PortRange(From=1, To=65535)))
self.add_resource(
ec2.NetworkAclEntry('EgressPrivateNetworkAclEntry',
NetworkAclId=Ref(_private_network_acl),
RuleNumber=101,
Protocol='-1',
RuleAction='allow',
Egress=True,
CidrBlock='0.0.0.0/0',
PortRange=ec2.PortRange(From=1, To=65535)))
# Default security groups - referenced by name by constants/default-security-groups
# _nat_security_group = self.add_resource(
# ec2.SecurityGroup(
# 'NATSecurityGroup',
# VpcId=Ref(_vpc),
# GroupDescription='Security Group for NAT Instances',
# SecurityGroupIngress=[
# {'IpProtocol': '-1', 'FromPort': 1, 'ToPort': 65535, 'CidrIp': self.vpc_metadata['cidrblock']},
# {'IpProtocol': '-1', 'FromPort': 1, 'ToPort': 65535, 'CidrIp': '10.0.0.0/8'}
# ],
# Tags=self.get_tags(service_override='NAT', role_override='NAT-SecurityGroup')
# )
# )
# _consul_security_group = self.add_resource(
# ec2.SecurityGroup(
# 'ConsulSecurityGroup',
# VpcId=Ref(_vpc),
# GroupDescription='Security Group for Consul access',
# SecurityGroupIngress=[
# {'IpProtocol': 'tcp', 'FromPort': 8300, 'ToPort': 8302, 'CidrIp': '10.0.0.0/8'}, # consul server rpc/serf
# {'IpProtocol': 'udp', 'FromPort': 8300, 'ToPort': 8302, 'CidrIp': '10.0.0.0/8'}, # consul server rpc/serf
# {'IpProtocol': 'tcp', 'FromPort': 8400, 'ToPort': 8400, 'CidrIp': '10.0.0.0/8'}, # consul client rpc
# {'IpProtocol': 'tcp', 'FromPort': 8500, 'ToPort': 8500, 'CidrIp': '10.0.0.0/8'}, # consul http
# {'IpProtocol': 'tcp', 'FromPort': 8600, 'ToPort': 8600, 'CidrIp': '10.0.0.0/8'}, # consul dns
# {'IpProtocol': 'udp', 'FromPort': 8600, 'ToPort': 8600, 'CidrIp': '10.0.0.0/8'} # consul dns
# ],
# Tags=[
# ec2.Tag('ivy:team', self.TEAM['email']),
# ec2.Tag('ivy:environment', self.env),
# ec2.Tag('ivy:service', 'Consul'),
# ec2.Tag('ivy:role', 'Consul-SecurityGroup')
# ]
# )
# )
# _ssh_security_group = self.add_resource(
# ec2.SecurityGroup(
# 'InternalSecurityGroup',
# VpcId=Ref(_vpc),
# GroupDescription='Internal Rules',
# SecurityGroupIngress=[
# {'IpProtocol': 'icmp', 'FromPort': -1, 'ToPort': -1, 'CidrIp': '10.0.0.0/8'},
# {'IpProtocol': 'tcp', 'FromPort': 22, 'ToPort': 22, 'CidrIp': '10.0.0.0/8'}
# ],
# SecurityGroupEgress=[
# {'IpProtocol': '-1', 'FromPort': 0, 'ToPort': 65535, 'CidrIp': '0.0.0.0/0'}
# ],
# Tags=[
# ec2.Tag('ivy:team', self.TEAM['email']),
# ec2.Tag('ivy:environment', self.env),
# ec2.Tag('ivy:service', 'infrastructure'),
# ec2.Tag('ivy:role', 'internal')
# ]
# )
# )
#
# self.add_security_group(Ref(_nat_security_group), Ref(_consul_security_group), Ref(_ssh_security_group))
## This sets up all private and public AZs
for index, zone in enumerate(self.vpc_metadata['zones'], 1):
_public_subnet = self.add_resource(
ec2.Subnet(
'PublicSubnet{}'.format(index),
VpcId=Ref(_vpc),
CidrBlock=zone['public-cidrblock'],
AvailabilityZone=zone['availability-zone'],
MapPublicIpOnLaunch=True,
Tags=self.get_tags(
service_override='PublicSubnet',
role_override='PublicSubnet{}'.format(index)) +
[
ec2.Tag('Name', '{}-PublicSubnet{}'.format(
self.env, index))
]))
self.add_resource(
ec2.SubnetRouteTableAssociation(
'PublicSubnetRouteTableAssociation{}'.format(index),
SubnetId=Ref(_public_subnet),
RouteTableId=Ref(_public_route_table)))
self.add_resource(
ec2.SubnetNetworkAclAssociation(
'PublicSubnetNetworkAclAssociation{}'.format(index),
SubnetId=Ref(_public_subnet),
NetworkAclId=Ref(_public_network_acl)))
# Allow VPCs with no private subnets (save money on NAT instances for VPCs with only public instances)
if zone.get('private-cidrblock'):
_private_subnet = self.add_resource(
ec2.Subnet(
'PrivateSubnet{}'.format(index),
VpcId=Ref(_vpc),
CidrBlock=zone['private-cidrblock'],
AvailabilityZone=zone['availability-zone'],
Tags=self.get_tags(
service_override='PrivateSubnet',
role_override='PrivateSubnet{}'.format(index)) + [
ec2.Tag(
'Name', '{}-PrivateSubnet{}'.format(
self.env, index))
]))
# Private subnets get their own route table for AZ-specific NATs
_private_route_table = self.add_resource(
ec2.RouteTable(
'PrivateRouteTable{}'.format(index),
VpcId=Ref(_vpc),
Tags=self.get_tags(
service_override='PrivateRouteTable',
role_override='PrivateRouteTable{}'.format(
index))))
route_tables.append(_private_route_table)
# Create an EIP to be used with the NAT instance or gateway
_nat_eip = self.add_resource(
ec2.EIP('NATInstanceEIP{}'.format(index), Domain='vpc'))
# Use VPC NAT Gateway
_nat_gw = self.add_resource(
ec2.NatGateway('NATGateway{}'.format(index),
AllocationId=GetAtt(_nat_eip,
"AllocationId"),
SubnetId=Ref(_public_subnet)))
# Create a route via the NAT GW for the private route table
self.add_resource(
ec2.Route('PrivateRoute{}'.format(index),
RouteTableId=Ref(_private_route_table),
DestinationCidrBlock='0.0.0.0/0',
NatGatewayId=Ref(_nat_gw)))
self.add_resource(
ec2.SubnetRouteTableAssociation(
'PrivateSubnetRouteTableAssociation{}'.format(index),
SubnetId=Ref(_private_subnet),
RouteTableId=Ref(_private_route_table)))
self.add_resource(
ec2.SubnetNetworkAclAssociation(
'PrivateSubnetNetworkAclAssociation{}'.format(index),
SubnetId=Ref(_private_subnet),
NetworkAclId=Ref(_private_network_acl)))
# use route_table to create a VPC S3 endpoint
self.add_resource(
ec2.VPCEndpoint('S3VPCEndpoint',
RouteTableIds=[Ref(rt) for rt in route_tables],
ServiceName='com.amazonaws.{}.s3'.format(
self.region),
VpcId=Ref(_vpc)))
def add_resources(self):
""" Add All Cloudformation Resources. This will include vpc, igw, and any other network
resources """
self.vpc = self.template.add_resource(
ec2.VPC(
"VPC",
CidrBlock=Ref(self.VpcCidr),
EnableDnsSupport=True,
Tags=self.base_tags +
Tags(Name=self.environment_parameters["ClientEnvironmentKey"] +
"-VPC"),
))
self.RESTPubSubnet1 = self.template.add_resource(
ec2.Subnet(
"RESTPubSubnet1",
CidrBlock=Ref(self.RESTPubSub1Cidr),
VpcId=Ref(self.vpc),
AvailabilityZone="us-east-1a",
Tags=self.base_tags +
Tags(Name=self.environment_parameters["ClientEnvironmentKey"] +
"-RESTPubSubnet1"),
))
self.RESTPubSubnet2 = self.template.add_resource(
ec2.Subnet(
"RESTPubSubnet2",
VpcId=Ref(self.vpc),
CidrBlock=Ref(self.RESTPubSub2Cidr),
AvailabilityZone="us-east-1b",
Tags=self.base_tags +
Tags(Name=self.environment_parameters["ClientEnvironmentKey"] +
"-RESTPubSubnet2"),
))
self.RESTPrivSubnet1 = self.template.add_resource(
ec2.Subnet(
"RESTPrivSubnet1",
VpcId=Ref(self.vpc),
CidrBlock=Ref(self.RESTPrivSub1Cidr),
AvailabilityZone="us-east-1a",
Tags=self.base_tags +
Tags(Name=self.environment_parameters["ClientEnvironmentKey"] +
"-RESTPrivSubnet1"),
))
self.RESTPrivSubnet2 = self.template.add_resource(
ec2.Subnet(
"RESTPrivSubnet2",
CidrBlock=Ref(self.RESTPrivSub2Cidr),
VpcId=Ref(self.vpc),
AvailabilityZone="us-east-1b",
Tags=self.base_tags +
Tags(Name=self.environment_parameters["ClientEnvironmentKey"] +
"-RESTPrivSubnet2"),
))
self.RESTIGW = self.template.add_resource(
ec2.InternetGateway(
"RESTIGW",
Tags=self.base_tags +
Tags(Name=self.environment_parameters["ClientEnvironmentKey"] +
"-RESTIGW"),
))
self.RESTIGWAttachment = self.template.add_resource(
ec2.VPCGatewayAttachment(
"RESTIGWAttachment",
VpcId=Ref(self.vpc),
InternetGatewayId=Ref(self.RESTIGW),
))
self.RESTEIP1 = self.template.add_resource(
ec2.EIP(
"RESTEIP1",
Domain="vpc",
))
self.RESTEIP2 = self.template.add_resource(
ec2.EIP(
"RESTEIP2",
Domain="vpc",
))
self.RESTNAT1 = self.template.add_resource(
ec2.NatGateway(
"NAT",
AllocationId=GetAtt(self.RESTEIP1, "AllocationId"),
SubnetId=Ref(self.RESTPubSubnet1),
Tags=self.base_tags +
Tags(Name=self.environment_parameters["ClientEnvironmentKey"] +
"-RESTNAT1"),
))
self.RESTNAT2 = self.template.add_resource(
ec2.NatGateway(
"NAT2",
AllocationId=GetAtt(self.RESTEIP2, "AllocationId"),
SubnetId=Ref(self.RESTPubSubnet2),
Tags=self.base_tags +
Tags(Name=self.environment_parameters["ClientEnvironmentKey"] +
"-RESTNAT2"),
))
self.RESTPrivRT1 = self.template.add_resource(
ec2.RouteTable(
"RESTPrivRT1",
VpcId=Ref(self.vpc),
Tags=self.base_tags +
Tags(Name=self.environment_parameters["ClientEnvironmentKey"] +
"-RESTPRIVRT1"),
))
self.RESTPrivRT2 = self.template.add_resource(
ec2.RouteTable(
"RESTPrivRT2",
VpcId=Ref(self.vpc),
Tags=self.base_tags +
Tags(Name=self.environment_parameters["ClientEnvironmentKey"] +
"-RESTPRIVRT2"),
))
self.RESTNatRoute = self.template.add_resource(
ec2.Route(
"RESTNatRoute",
RouteTableId=Ref(self.RESTPrivRT1),
DestinationCidrBlock="0.0.0.0/0",
NatGatewayId=Ref(self.RESTNAT1),
))
self.RESTNat2Route = self.template.add_resource(
ec2.Route(
"RESTNatRoute2",
RouteTableId=Ref(self.RESTPrivRT2),
DestinationCidrBlock="0.0.0.0/0",
NatGatewayId=Ref(self.RESTNAT2),
))
self.RESTPrivRT1Association = self.template.add_resource(
ec2.SubnetRouteTableAssociation(
"RESTPrivRT1Association",
SubnetId=Ref(self.RESTPrivSubnet1),
RouteTableId=Ref(self.RESTPrivRT1),
))
self.RESTPrivRT2Association = self.template.add_resource(
ec2.SubnetRouteTableAssociation(
"RESTPrivRT2Association",
SubnetId=Ref(self.RESTPrivSubnet2),
RouteTableId=Ref(self.RESTPrivRT2),
))
self.RESTPubRT1 = self.template.add_resource(
ec2.RouteTable(
"RESTPubRT1",
VpcId=Ref(self.vpc),
Tags=self.base_tags +
Tags(Name=self.environment_parameters["ClientEnvironmentKey"] +
"-RESTPUBRT1"),
))
self.RESTPubRT2 = self.template.add_resource(
ec2.RouteTable(
"RESTPubRT2",
VpcId=Ref(self.vpc),
Tags=self.base_tags +
Tags(Name=self.environment_parameters["ClientEnvironmentKey"] +
"-RESTPUBRT2"),
))
self.RESTPubRT1IGWattachment = self.template.add_resource(
ec2.Route(
"RESTPubRT1IGWAttachment",
DependsOn=["RESTIGWAttachment"],
RouteTableId=Ref(self.RESTPubRT1),
DestinationCidrBlock="0.0.0.0/0",
GatewayId=Ref(self.RESTIGW),
))
self.RESTPubRT2IGWattachment = self.template.add_resource(
ec2.Route(
"RESTPubRT2IGWAttachment",
DependsOn=["RESTIGWAttachment"],
RouteTableId=Ref(self.RESTPubRT2),
DestinationCidrBlock="0.0.0.0/0",
GatewayId=Ref(self.RESTIGW),
))
self.RESTPubRT1Association = self.template.add_resource(
ec2.SubnetRouteTableAssociation(
"RESTPubRT1Associate",
SubnetId=Ref(self.RESTPubSubnet1),
RouteTableId=Ref(self.RESTPubRT1),
))
self.RESTPubRT2Asocation = self.template.add_resource(
ec2.SubnetRouteTableAssociation(
"RESTPubR2Associate",
SubnetId=Ref(self.RESTPubSubnet2),
RouteTableId=Ref(self.RESTPubRT2),
))
self.VPCPeeringBetweenSharedVPCAndClientVPC = self.template.add_resource(
ec2.VPCPeeringConnection(
"VPCPeeringBetweenSharedVPCAndClientVPC",
DependsOn=["RESTPrivRT1", "RESTPrivRT2"],
VpcId=Ref(self.SharedServicesVpcId),
PeerVpcId=Ref(self.vpc),
Tags=self.base_tags +
Tags(Name=self.environment_parameters["ClientEnvironmentKey"] +
"-SSTOCLIENTVPCPEER"),
))
self.PeeringRouteForClientVPCPriv1 = self.template.add_resource(
ec2.Route(
"PeeringRouteForClientVPCPriv1",
DependsOn=["VPCPeeringBetweenSharedVPCAndClientVPC"],
RouteTableId=Ref(self.RESTPrivRT1),
DestinationCidrBlock=Ref(self.SharedServicesVpcCidrBlock),
VpcPeeringConnectionId=Ref(
self.VPCPeeringBetweenSharedVPCAndClientVPC),
))
self.PeeringRouteForClientVPCPriv2 = self.template.add_resource(
ec2.Route(
"PeeringRouteForClientVPCPriv2",
DependsOn=["VPCPeeringBetweenSharedVPCAndClientVPC"],
RouteTableId=Ref(self.RESTPrivRT2),
DestinationCidrBlock=Ref(self.SharedServicesVpcCidrBlock),
VpcPeeringConnectionId=Ref(
self.VPCPeeringBetweenSharedVPCAndClientVPC),
))
self.PeeringRouteForSharedServicesVPCPriv1 = self.template.add_resource(
ec2.Route(
"PeeringRouteForSharedServicesVPCPriv1",
DependsOn=["VPCPeeringBetweenSharedVPCAndClientVPC"],
RouteTableId=Ref(self.SharedServicesPrivateRouteTable1),
DestinationCidrBlock=Ref(self.VpcCidr),
VpcPeeringConnectionId=Ref(
self.VPCPeeringBetweenSharedVPCAndClientVPC),
))
self.PeeringRouteForSharedServicesVPCPriv2 = self.template.add_resource(
ec2.Route(
"PeeringRouteForSharedServicesVPCPriv2",
DependsOn=["VPCPeeringBetweenSharedVPCAndClientVPC"],
RouteTableId=Ref(self.SharedServicesPrivateRouteTable2),
DestinationCidrBlock=Ref(self.VpcCidr),
VpcPeeringConnectionId=Ref(
self.VPCPeeringBetweenSharedVPCAndClientVPC),
))
self.EnvironmentArtifactsBucket = self.template.add_resource(
Bucket(
"EnvironmentArtifactsBucket",
BucketName=(
self.environment_parameters["ClientEnvironmentKey"] +
"-environment-artifacts").lower(),
AccessControl="BucketOwnerRead",
VersioningConfiguration=VersioningConfiguration(
Status="Enabled", ),
))
self.BootstrapRepositorySSMParameter = self.template.add_resource(
SSMParameter(
"BootstrapRepositorySSMParameter",
Description="The Bootstrap Repository",
Name=self.environment_parameters["ClientEnvironmentKey"] +
"-bootstrapRepository",
Type="String",
Value=(self.environment_parameters["ClientEnvironmentKey"] +
"-environment-artifacts").lower(),
))
))
# Internet gateway and NAT instances
igw = t.add_resource(ec2.InternetGateway('InternetGateway',))
t.add_resource(ec2.VPCGatewayAttachment("GWAttachmnent",
VpcId=Ref(stack_vpc),
InternetGatewayId=Ref(igw)))
nat_eip = t.add_resource(ec2.EIP(
'NatEip',
Domain="vpc",
))
nat = t.add_resource(ec2.NatGateway(
'Nat',
AllocationId=GetAtt(nat_eip, 'AllocationId'),
SubnetId=Ref(subnet_public),
))
# route tables
rt_public = t.add_resource(ec2.RouteTable(
"RouteTablePublic",
VpcId=Ref(stack_vpc),
Tags=Tags(Name='PublicRoutes')
))
rt_private = t.add_resource(ec2.RouteTable(
'RouteTablePrivate',
VpcId=Ref(stack_vpc),
Tags=Tags(Name='PrivateRoutes')
def add_resources(template, environment, purpose, name_region_attribute_map,
param_pem_key_name):
# IP address for Seattle, Palmerston North, and Auckland offices. (Airport codes used as keys.)
home_network_cidr_dict = dict(
(('Akl', '121.98.118.142/32'), ('Pmr', '121.99.230.178/32'),
('Sea', '67.131.4.94/30')))
# PostgresSQL database port
database_port_number = 5432
# Create the VPC.
cidr_block_vpc = '10.0.0.0/16'
name_vpc = 'Vpc%s%s' % (purpose, environment)
resource_vpc = ec2.VPC(
name_vpc,
CidrBlock=cidr_block_vpc,
EnableDnsHostnames=True,
Tags=Tags(Name=name_vpc, Purpose=purpose, Environment=environment),
)
template.add_resource(resource_vpc)
template.add_output(
Output('VPC',
Description='VPC created for purpose: %s, environment: %s' %
(purpose, environment),
Value=Ref(resource_vpc)))
# Report the CIDR block of the VPC as an output.
template.add_output(
Output('VpcCidrBlock',
Description='CIDR block of VPC',
Value=cidr_block_vpc))
# Create the security group for the VPC.
name_security_group_vpc = 'VpcSecurityGroup%s%s' % (purpose, environment)
resource_security_group_vpc = ec2.SecurityGroup(
name_security_group_vpc,
GroupDescription=Join(' ',
['Security group for VPC',
Ref(resource_vpc)]),
Tags=Tags(Name=name_security_group_vpc,
Purpose=purpose,
Environment=environment),
VpcId=Ref(resource_vpc))
template.add_resource(resource_security_group_vpc)
template.add_output(
Output('SecurityGroup',
Description='Security group created for VPC.',
Value=Ref(resource_security_group_vpc)))
# Add security group ingress rules.
# ICMP from home networks.
for site in home_network_cidr_dict.keys():
template.add_resource(
ec2.SecurityGroupIngress('SecurityGroupIngressIcmp%s%s%s' %
(purpose, environment, site),
IpProtocol='icmp',
FromPort='-1',
ToPort='-1',
CidrIp=home_network_cidr_dict[site],
GroupId=Ref(resource_security_group_vpc)))
# ICMP from within the VPC.
template.add_resource(
ec2.SecurityGroupIngress('SecurityGroupIngressVpcIcmp%s%s' %
(purpose, environment),
IpProtocol='icmp',
FromPort='-1',
ToPort='-1',
CidrIp=cidr_block_vpc,
GroupId=Ref(resource_security_group_vpc)))
# SSH from home networks
for site in home_network_cidr_dict.keys():
template.add_resource(
ec2.SecurityGroupIngress('SecurityGroupIngressSsh%s%s%s' %
(purpose, environment, site),
IpProtocol='tcp',
FromPort='22',
ToPort='22',
CidrIp=home_network_cidr_dict[site],
GroupId=Ref(resource_security_group_vpc)))
# SSH from within the VPC.
template.add_resource(
ec2.SecurityGroupIngress('SecurityGroupIngressVpcSsh%s%s' %
(purpose, environment),
IpProtocol='tcp',
FromPort='22',
ToPort='22',
CidrIp=cidr_block_vpc,
GroupId=Ref(resource_security_group_vpc)))
# For dev environments, restrict http(s) to home networks.
if environment.lower() == 'dev':
# HTTP from home networks.
for site in home_network_cidr_dict.keys():
template.add_resource((ec2.SecurityGroupIngress(
'SecurityGroupIngressHttp%s%s%s' %
(purpose, environment, site),
IpProtocol='tcp',
FromPort='80',
ToPort='80',
CidrIp=home_network_cidr_dict[site],
GroupId=Ref(resource_security_group_vpc))))
# HTTPS from home networks.
for site in home_network_cidr_dict.keys():
template.add_resource((ec2.SecurityGroupIngress(
'SecurityGroupIngressHttps%s%s%s' %
(purpose, environment, site),
IpProtocol='tcp',
FromPort='443',
ToPort='443',
CidrIp=home_network_cidr_dict[site],
GroupId=Ref(resource_security_group_vpc))))
# For non-dev environments, open HTTP(s) to the internet.
else:
# HTTP from anywhere.
template.add_resource(
ec2.SecurityGroupIngress('SecurityGroupIngressHttp%s%s' %
(purpose, environment),
IpProtocol='tcp',
FromPort='80',
ToPort='80',
CidrIp='0.0.0.0/0',
GroupId=Ref(resource_security_group_vpc)))
# HTTPS from anywhere.
template.add_resource(
ec2.SecurityGroupIngress('SecurityGroupIngressHttps%s%s' %
(purpose, environment),
IpProtocol='tcp',
FromPort='443',
ToPort='443',
CidrIp='0.0.0.0/0',
GroupId=Ref(resource_security_group_vpc)))
# Add security group egress rules. (TBD)
template.add_resource(
ec2.SecurityGroupEgress('SecurityGroupEgress%s%s' %
(purpose, environment),
IpProtocol='-1',
FromPort='-1',
ToPort='-1',
CidrIp='0.0.0.0/0',
GroupId=Ref(resource_security_group_vpc)))
# Create an internet gateway.
name_internet_gateway = 'InternetGateway%s%s' % (purpose, environment)
resource_internet_gateway = ec2.InternetGateway(
name_internet_gateway,
Tags=Tags(Name=name_internet_gateway,
Purpose=purpose,
Environment=environment),
)
template.add_resource(resource_internet_gateway)
# Attach the internet gateway to the VPC.
name_vpc_internet_gateway_attachment = 'VpcGatewayAttachment%s%s' % (
purpose, environment)
resource_internet_gateway_attachment = ec2.VPCGatewayAttachment(
name_vpc_internet_gateway_attachment,
VpcId=Ref(resource_vpc),
InternetGatewayId=Ref(resource_internet_gateway))
template.add_resource(resource_internet_gateway_attachment)
# Create a public and private subnet in two availability zones
# for a total of four subnets.
# TODO: Get the subnet CIDR blocks correct, i.e.,
# appropriately sized to anticipate future growth.
# What is here now is just a SWAG.
public_subnet_cidr_dict = dict(A='10.0.0.0/24', B='10.0.1.0/24')
private_subnet_cidr_dict = dict(A1='10.0.10.0/24', B1='10.0.11.0/24')
# Create public subnet A.
name_subnet = 'SubnetPublicA%s%s' % (purpose, environment)
resource_subnet_public_a = ec2.Subnet(
name_subnet,
AvailabilityZone=Select('0', GetAZs('')),
CidrBlock=public_subnet_cidr_dict['A'],
Tags=Tags(Name=name_subnet, Purpose=purpose, Environment=environment),
VpcId=Ref(resource_vpc))
template.add_resource(resource_subnet_public_a)
template.add_output(
Output(name_subnet,
Description='Public Subnet A',
Value=Ref(resource_subnet_public_a)))
# Create public subnet B.
name_subnet = 'SubnetPublicB%s%s' % (purpose, environment)
resource_subnet_public_b = ec2.Subnet(
name_subnet,
AvailabilityZone=Select('1', GetAZs('')),
CidrBlock=public_subnet_cidr_dict['B'],
Tags=Tags(Name=name_subnet, Purpose=purpose, Environment=environment),
VpcId=Ref(resource_vpc))
template.add_resource(resource_subnet_public_b)
template.add_output(
Output(name_subnet,
Description='Public subnet B',
Value=Ref(resource_subnet_public_b)))
# Create the private subnet A1.
name_subnet = 'SubnetPrivateA1%s%s' % (purpose, environment)
resource_subnet_private_a1 = ec2.Subnet(
name_subnet,
AvailabilityZone=Select('0', GetAZs('')),
CidrBlock=private_subnet_cidr_dict['A1'],
Tags=Tags(Name=name_subnet, Purpose=purpose, Environment=environment),
VpcId=Ref(resource_vpc))
template.add_resource(resource_subnet_private_a1)
template.add_output(
Output(name_subnet,
Description='Private subnet A1',
Value=Ref(resource_subnet_private_a1)))
# Create the private subnet B1.
name_subnet = 'SubnetPrivateB1%s%s' % (purpose, environment)
resource_subnet_private_b1 = ec2.Subnet(
name_subnet,
AvailabilityZone=Select('1', GetAZs('')),
CidrBlock=private_subnet_cidr_dict['B1'],
Tags=Tags(Name=name_subnet, Purpose=purpose, Environment=environment),
VpcId=Ref(resource_vpc))
template.add_resource(resource_subnet_private_b1)
template.add_output(
Output(name_subnet,
Description='Private subnet B1',
Value=Ref(resource_subnet_private_b1)))
# Subnets are created at this point. Create dictionaries for iteration.
public_subnet_resource_dict = dict(A=resource_subnet_public_a,
B=resource_subnet_public_b)
private_subnet_resource_dict = dict(A1=resource_subnet_private_a1,
B1=resource_subnet_private_b1)
# Create an Elastic IP for the NAT gateway.
name_nat_eip = 'NatEip%s%s' % (purpose, environment)
resource_nat_eip = ec2.EIP(name_nat_eip, Domain=name_vpc)
template.add_resource(resource_nat_eip)
# Create the NAT gateway in public subnet B.
name_nat_gateway = 'NatGateway%s%s' % (purpose, environment)
resource_nat_gateway = ec2.NatGateway(
name_nat_gateway,
AllocationId=GetAtt(name_nat_eip, 'AllocationId'),
DependsOn=name_vpc_internet_gateway_attachment,
SubnetId=Ref(resource_subnet_public_b),
)
template.add_resource(resource_nat_gateway)
# Create the public subnet route table.
name_route_table = 'RouteTablePublic%s%s' % (purpose, environment)
resource_route_table_public = ec2.RouteTable(name_route_table,
Tags=Tags(
Name=name_route_table,
Purpose=purpose,
Environment=environment),
VpcId=Ref(resource_vpc))
template.add_resource(resource_route_table_public)
# Add a route from the public subnets to the internet.
template.add_resource(
ec2.Route(
'RouteToInternetPublicSubnets%s%s' % (purpose, environment),
DependsOn=name_vpc_internet_gateway_attachment,
DestinationCidrBlock='0.0.0.0/0',
GatewayId=Ref(resource_internet_gateway),
RouteTableId=Ref(resource_route_table_public),
))
# Associate the route table with the AZ-A, AZ-B subnets.
for subnet in public_subnet_resource_dict.keys():
template.add_resource(
ec2.SubnetRouteTableAssociation(
'RouteTableAssocPublicSubnet%s%s%s' %
(subnet, purpose, environment),
RouteTableId=Ref(resource_route_table_public),
SubnetId=Ref(public_subnet_resource_dict[subnet])))
# Create the private subnet route table.
name_route_table = 'RouteTablePrivate%s%s' % (purpose, environment)
resource_route_table_private = ec2.RouteTable(name_route_table,
Tags=Tags(
Name=name_route_table,
Purpose=purpose,
Environment=environment),
VpcId=Ref(resource_vpc))
template.add_resource(resource_route_table_private)
# Add route to internet via NAT.
template.add_resource(
ec2.Route('RouteToInternetPrivateSubnet%s%s' % (purpose, environment),
DependsOn=name_vpc_internet_gateway_attachment,
DestinationCidrBlock='0.0.0.0/0',
NatGatewayId=Ref(resource_nat_gateway),
RouteTableId=Ref(resource_route_table_private)))
# Associate the route table with the AZ-A1, AZ-B1 subnets.
for subnet in private_subnet_resource_dict.keys():
template.add_resource(
ec2.SubnetRouteTableAssociation(
'RouteTableAssocPrivateSubnet%s%s%s' %
(subnet, purpose, environment),
RouteTableId=Ref(resource_route_table_private),
SubnetId=Ref(private_subnet_resource_dict[subnet])))
# Create the bastion host.
name_bastion_host = 'BastionHost%s%s' % (purpose, environment)
resource_bastion_host = ec2.Instance(
name_bastion_host,
DependsOn=name_vpc_internet_gateway_attachment,
ImageId=FindInMap(name_region_attribute_map, Ref('AWS::Region'),
'BastionHostAmi'),
InstanceType='t2.micro',
KeyName=Ref(param_pem_key_name),
NetworkInterfaces=[
ec2.NetworkInterfaceProperty(
AssociatePublicIpAddress=str(True),
DeleteOnTermination=str(True),
Description='Bastion host network interface for %s%s' %
(purpose, environment),
DeviceIndex=str(0),
GroupSet=[Ref(resource_security_group_vpc)],
SubnetId=Ref(resource_subnet_public_a),
)
],
Tags=Tags(Name=name_bastion_host,
Purpose=purpose,
Environment=environment),
UserData=Base64('80'))
template.add_resource(resource_bastion_host)
template.add_output(
Output(name_bastion_host,
Description='Bastion Host Public IP address',
Value=GetAtt(resource_bastion_host, 'PublicIp')))
def dump_base_yaml(cfn_file):
template = Template()
vpc_cidr_param = template.add_parameter(
Parameter(
"vpcCidrParam",
Description="string of vpc cidr block to use",
Type="String",
))
subnet_cidr_param = template.add_parameter(
Parameter(
"subnetCidrParam",
Description="string of subnet cidr block to use",
Type="String",
))
igw = template.add_resource(
ec2.InternetGateway(
"Igw",
Tags=resource_tags,
))
vpc = template.add_resource(
ec2.VPC(
"Vpc",
CidrBlock=Ref(vpc_cidr_param),
EnableDnsSupport=True,
EnableDnsHostnames=True,
InstanceTenancy="default",
Tags=resource_tags,
))
igwa = template.add_resource(
ec2.VPCGatewayAttachment(
"IgwA",
VpcId=Ref(vpc),
InternetGatewayId=Ref(igw),
))
route_tbl = template.add_resource(
ec2.RouteTable(
"RouteTable",
VpcId=Ref(vpc),
Tags=resource_tags,
))
default_route = template.add_resource(
ec2.Route("defaultRoute",
DestinationCidrBlock="0.0.0.0/0",
GatewayId=Ref(igw),
RouteTableId=Ref(route_tbl)))
subnet = template.add_resource(
ec2.Subnet(
"Subnet",
VpcId=Ref(vpc),
CidrBlock=Ref(subnet_cidr_param),
MapPublicIpOnLaunch=True,
AvailabilityZone=Select(0, GetAZs()),
Tags=resource_tags,
))
route_tbl_asoc = template.add_resource(
ec2.SubnetRouteTableAssociation("RouteTblSubnetAsoc",
RouteTableId=Ref(route_tbl),
SubnetId=Ref(subnet)))
priv_route_tbl = template.add_resource(
ec2.RouteTable(
"PrivRouteTable",
VpcId=Ref(vpc),
Tags=resource_tags,
))
priv_subnet = template.add_resource(
ec2.Subnet(
"PrivSubnet",
VpcId=Ref(vpc),
CidrBlock="10.10.1.0/24",
MapPublicIpOnLaunch=False,
AvailabilityZone=Select(0, GetAZs()),
Tags=resource_tags,
))
route_tbl_asoc = template.add_resource(
ec2.SubnetRouteTableAssociation("RouteTblPrivSubnetAsoc",
RouteTableId=Ref(priv_route_tbl),
SubnetId=Ref(priv_subnet)))
ngw_elastic_ip = template.add_resource(
ec2.EIP(
"MyNgwEip",
Tags=resource_tags,
))
nat_gateway = template.add_resource(
ec2.NatGateway(
"MyNatGateway",
AllocationId=GetAtt(ngw_elastic_ip, "AllocationId"),
SubnetId=Ref(subnet),
))
private_out_route = template.add_resource(
ec2.Route("privateOutRoute",
DestinationCidrBlock="0.0.0.0/0",
NatGatewayId=Ref(nat_gateway),
RouteTableId=Ref(priv_route_tbl)))
first_network_acl = template.add_resource(
ec2.NetworkAcl(
"MyFirstNetAcl",
Tags=resource_tags,
VpcId=Ref(vpc),
))
network_out_second_acl_entry = template.add_resource(
ec2.NetworkAclEntry(
"MyPrivOutNetAclEntry",
NetworkAclId=Ref(first_network_acl),
CidrBlock="0.0.0.0/0",
Protocol=-1,
Egress=True,
RuleAction="allow",
RuleNumber=100,
))
network_inbound_acl_entry = template.add_resource(
ec2.NetworkAclEntry("MyInNetAclEntry",
NetworkAclId=Ref(first_network_acl),
CidrBlock="74.77.86.69/32",
Protocol=6,
RuleAction="allow",
RuleNumber=100,
PortRange=ec2.PortRange(From=22, To=22)))
private_to_public_client_ports_acl_entry = template.add_resource(
ec2.NetworkAclEntry("MyPriv2PubClientPortsNetAclEntry",
NetworkAclId=Ref(first_network_acl),
CidrBlock="10.10.1.0/24",
Protocol=6,
RuleAction="allow",
RuleNumber=101,
PortRange=ec2.PortRange(From=1024, To=65535)))
public_to_internet_client_ports_acl_entry = template.add_resource(
ec2.NetworkAclEntry("MyPub2DefaultClientPortsNetAclEntry",
NetworkAclId=Ref(first_network_acl),
CidrBlock="0.0.0.0/0",
Protocol=6,
RuleAction="allow",
RuleNumber=102,
PortRange=ec2.PortRange(From=1024, To=65535)))
public_to_private_icmpv4_acl_entry = template.add_resource(
ec2.NetworkAclEntry("MyPubIcmpv4NetAclEntry",
NetworkAclId=Ref(first_network_acl),
CidrBlock="10.10.1.0/24",
Protocol=1,
Icmp=ec2.ICMP(Code=-1, Type=-1),
RuleAction="allow",
RuleNumber=103))
second_network_acl = template.add_resource(
ec2.NetworkAcl(
"MySecondNetAcl",
Tags=resource_tags,
VpcId=Ref(vpc),
))
network_out_second_acl_entry = template.add_resource(
ec2.NetworkAclEntry("MyPriv2InternetClientPortsNetAclEntry",
NetworkAclId=Ref(second_network_acl),
CidrBlock="0.0.0.0/0",
Protocol=6,
RuleAction="allow",
RuleNumber=100,
PortRange=ec2.PortRange(From=1024, To=65535)))
public_to_private_ssh_acl_entry = template.add_resource(
ec2.NetworkAclEntry("MyPrivSshNetAclEntry",
NetworkAclId=Ref(second_network_acl),
CidrBlock="10.10.0.0/24",
Protocol=6,
RuleAction="allow",
RuleNumber=101,
PortRange=ec2.PortRange(From=22, To=22)))
public_to_private_http_acl_entry = template.add_resource(
ec2.NetworkAclEntry("MyPrivHttpNetAclEntry",
NetworkAclId=Ref(second_network_acl),
CidrBlock="10.10.0.0/24",
Protocol=6,
RuleAction="allow",
RuleNumber=102,
PortRange=ec2.PortRange(From=80, To=80)))
private_to_public_icmpv4_acl_entry = template.add_resource(
ec2.NetworkAclEntry("MyPrivIcmpv4NetAclEntry",
NetworkAclId=Ref(second_network_acl),
CidrBlock="10.10.0.0/24",
Protocol=1,
Icmp=ec2.ICMP(Code=-1, Type=-1),
RuleAction="allow",
RuleNumber=103))
network_out_second_acl_entry = template.add_resource(
ec2.NetworkAclEntry(
"MyPubOutNetAclEntry",
NetworkAclId=Ref(second_network_acl),
CidrBlock="0.0.0.0/0",
Protocol=-1,
Egress=True,
RuleAction="allow",
RuleNumber=100,
))
subnet_nacl_asociation = template.add_resource(
ec2.SubnetNetworkAclAssociation("subNaclAsoc",
NetworkAclId=Ref(first_network_acl),
SubnetId=Ref(subnet)))
priv_subnet_nacl_asociation = template.add_resource(
ec2.SubnetNetworkAclAssociation("privSubNaclAsoc",
NetworkAclId=Ref(second_network_acl),
SubnetId=Ref(priv_subnet)))
template.add_output([
Output(
"VpcId",
Description="InstanceId of the newly created EC2 instance",
Value=Ref(vpc),
Export=Export("VpcId-jdix"),
),
Output(
"SubnetId",
Description="InstanceId of the newly created EC2 instance",
Value=Ref(subnet),
Export=Export("SubnetId-jdix"),
),
Output(
"PrivSubnetId",
Description="InstanceId of the newly created EC2 instance",
Value=Ref(priv_subnet),
Export=Export("PrivSubnetId-jdix"),
),
])
template_out_yaml(cfn_file, template)
))
private_route_association_2 = t.add_resource(ec2.SubnetRouteTableAssociation(
'PrivateSubnet2RouteTableAssociation',
SubnetId=Ref(private_net_2),
RouteTableId=Ref(private_route_table_2),
))
# Nat Gateway EIP 1
nat_eip = t.add_resource(ec2.EIP(
'NatGateway1EIP',
Domain="vpc",
))
nat = t.add_resource(ec2.NatGateway(
'NatGateway',
AllocationId=GetAtt(nat_eip, 'AllocationId'),
SubnetId=Ref(public_net_1),
))
t.add_resource(ec2.Route(
'NatRoute',
RouteTableId=Ref(private_route_table),
DestinationCidrBlock='0.0.0.0/0',
NatGatewayId=Ref(nat),
))
# Nat Gateway 2
nat_eip_2 = t.add_resource(ec2.EIP(
'NatGateway2EIP',
Domain="vpc",
))
def add_resources(self):
""" Add All Cloudformation Resources. This will include vpc, igw, and any other network
resources """
self.vpc = self.template.add_resource(
ec2.VPC(
"VPC",
CidrBlock=Ref(self.VpcCidr),
EnableDnsSupport=True,
Tags=self.base_tags +
Tags(Name=self.environment_parameters["ClientEnvironmentKey"] +
"-SS-VPC"),
))
self.PubSubnet1 = self.template.add_resource(
ec2.Subnet(
"PubSubnet1",
CidrBlock=Ref(self.PubSub1Cidr),
VpcId=Ref(self.vpc),
AvailabilityZone="us-east-1a",
Tags=self.base_tags +
Tags(Name=self.environment_parameters["ClientEnvironmentKey"] +
"-SS-PubSubnet1"),
))
self.PubSubnet2 = self.template.add_resource(
ec2.Subnet(
"PubSubnet2",
VpcId=Ref(self.vpc),
CidrBlock=Ref(self.PubSub2Cidr),
AvailabilityZone="us-east-1b",
Tags=self.base_tags +
Tags(Name=self.environment_parameters["ClientEnvironmentKey"] +
"-SS-PubSubnet2"),
))
self.PrivSubnet1 = self.template.add_resource(
ec2.Subnet(
"PrivSubnet1",
VpcId=Ref(self.vpc),
CidrBlock=Ref(self.PrivSub1Cidr),
AvailabilityZone="us-east-1a",
Tags=self.base_tags +
Tags(Name=self.environment_parameters["ClientEnvironmentKey"] +
"-SS-PrivSubnet1"),
))
self.PrivSubnet2 = self.template.add_resource(
ec2.Subnet(
"PrivSubnet2",
CidrBlock=Ref(self.PrivSub2Cidr),
VpcId=Ref(self.vpc),
AvailabilityZone="us-east-1b",
Tags=self.base_tags +
Tags(Name=self.environment_parameters["ClientEnvironmentKey"] +
"-SS-PrivSubnet2"),
))
self.IGW = self.template.add_resource(
ec2.InternetGateway(
"IGW",
Tags=self.base_tags +
Tags(Name=self.environment_parameters["ClientEnvironmentKey"] +
"-SS-IGW"),
))
self.IGWAttachment = self.template.add_resource(
ec2.VPCGatewayAttachment(
"IGWAttachment",
VpcId=Ref(self.vpc),
InternetGatewayId=Ref(self.IGW),
))
self.EIP1 = self.template.add_resource(ec2.EIP(
"EIP1",
Domain="vpc",
))
self.EIP2 = self.template.add_resource(ec2.EIP(
"EIP2",
Domain="vpc",
))
self.NAT1 = self.template.add_resource(
ec2.NatGateway(
"NAT",
AllocationId=GetAtt(self.EIP1, "AllocationId"),
SubnetId=Ref(self.PubSubnet1),
Tags=self.base_tags +
Tags(Name=self.environment_parameters["ClientEnvironmentKey"] +
"-SS-NAT1"),
))
self.NAT2 = self.template.add_resource(
ec2.NatGateway(
"NAT2",
AllocationId=GetAtt(self.EIP2, "AllocationId"),
SubnetId=Ref(self.PubSubnet2),
Tags=self.base_tags +
Tags(Name=self.environment_parameters["ClientEnvironmentKey"] +
"-SS-NAT2"),
))
self.PrivRT1 = self.template.add_resource(
ec2.RouteTable(
"PrivRT1",
VpcId=Ref(self.vpc),
Tags=self.base_tags +
Tags(Name=self.environment_parameters["ClientEnvironmentKey"] +
"-SS-PRIVRT1"),
))
self.PrivRT2 = self.template.add_resource(
ec2.RouteTable(
"PrivRT2",
VpcId=Ref(self.vpc),
Tags=self.base_tags +
Tags(Name=self.environment_parameters["ClientEnvironmentKey"] +
"-SS-PRIVRT2"),
))
self.NatRoute = self.template.add_resource(
ec2.Route(
"NatRoute",
RouteTableId=Ref(self.PrivRT1),
DestinationCidrBlock="0.0.0.0/0",
NatGatewayId=Ref(self.NAT1),
))
self.Nat2Route = self.template.add_resource(
ec2.Route(
"NatRoute2",
RouteTableId=Ref(self.PrivRT2),
DestinationCidrBlock="0.0.0.0/0",
NatGatewayId=Ref(self.NAT2),
))
self.PrivRT1Association = self.template.add_resource(
ec2.SubnetRouteTableAssociation(
"PrivRT1Association",
SubnetId=Ref(self.PrivSubnet1),
RouteTableId=Ref(self.PrivRT1),
))
self.PrivRT2Association = self.template.add_resource(
ec2.SubnetRouteTableAssociation(
"PrivRT2Association",
SubnetId=Ref(self.PrivSubnet2),
RouteTableId=Ref(self.PrivRT2),
))
self.PubRT1 = self.template.add_resource(
ec2.RouteTable(
"PubRT1",
VpcId=Ref(self.vpc),
Tags=self.base_tags +
Tags(Name=self.environment_parameters["ClientEnvironmentKey"] +
"-SS-PUBRT1"),
))
self.PubRT2 = self.template.add_resource(
ec2.RouteTable(
"PubRT2",
VpcId=Ref(self.vpc),
Tags=self.base_tags +
Tags(Name=self.environment_parameters["ClientEnvironmentKey"] +
"-SS-PUBRT2"),
))
self.PubRT1IGWattachment = self.template.add_resource(
ec2.Route(
"PubRT1IGWAttachment",
DependsOn=["IGWAttachment"],
RouteTableId=Ref(self.PubRT1),
DestinationCidrBlock="0.0.0.0/0",
GatewayId=Ref(self.IGW),
))
self.PubRT2IGWattachment = self.template.add_resource(
ec2.Route(
"PubRT2IGWAttachment",
DependsOn=["IGWAttachment"],
RouteTableId=Ref(self.PubRT2),
DestinationCidrBlock="0.0.0.0/0",
GatewayId=Ref(self.IGW),
))
self.PubRT1Association = self.template.add_resource(
ec2.SubnetRouteTableAssociation(
"PubRT1Associate",
SubnetId=Ref(self.PubSubnet1),
RouteTableId=Ref(self.PubRT1),
))
self.PubRT2Asocation = self.template.add_resource(
ec2.SubnetRouteTableAssociation(
"PubR2Associate",
SubnetId=Ref(self.PubSubnet2),
RouteTableId=Ref(self.PubRT2),
))
AvailabilityZone=Ref("AvailabilityZone1"),
CidrBlock=Ref("CIDRPrivateSubnet1A"),
Tags=Tags(IoCluster=Ref("AWS::StackName"),
Name=Join("-", [Ref("AWS::StackName"), "PrivateSubnet1A"]))),
# Create NAT Elastic IP
"NAT1EIP":
ec2.EIP("NAT1EIP",
Condition="NAT1EIPCondition",
DependsOn="IGWAttachVPC",
Domain="vpc"),
# Create NAt Gateway
"NATGateway1":
ec2.NatGateway("NATGateway1",
Condition="NAT1EIPCondition",
DependsOn="IGWAttachVPC",
SubnetId=Ref("PublicSubnet1"),
AllocationId=GetAtt("NAT1EIP", "AllocationId")),
# Private Subnet 1A route Table
"PrivateSubnet1ARouteTable":
ec2.RouteTable(
"PrivateSubnet1ARouteTable",
Condition="CreatePrivateSubnet1ACondition",
VpcId=Ref("VPC"),
Tags=Tags(
IoCluster=Ref("AWS::StackName"),
Name=Join("-",
[Ref("AWS::StackName"), "PrivateSubnet1ARouteTable"]))),
# Create route in PrivateSubnet1A Route Table
"PrivateSubnet1ARoute":
ec2.Route("PrivateSubnet1ARoute",
private_route_association = t.add_resource(
ec2.SubnetRouteTableAssociation(
'PrivateRouteAssociation',
SubnetId=Ref(private_net),
RouteTableId=Ref(private_route_table),
))
nat_eip = t.add_resource(ec2.EIP(
'NatEip',
Domain="vpc",
))
nat = t.add_resource(
ec2.NatGateway(
'Nat',
AllocationId=GetAtt(nat_eip, 'AllocationId'),
SubnetId=Ref(public_net),
))
t.add_resource(
ec2.Route(
'NatRoute',
RouteTableId=Ref(private_route_table),
DestinationCidrBlock='0.0.0.0/0',
NatGatewayId=Ref(nat),
))
t.add_output(Output('VPCId', Value=Ref(vpc), Description='VPC Id'))
t.add_output(
Output(
def add_resources(self):
self.vpc = self.template.add_resource(
ec2.VPC(
"VPC",
CidrBlock=Ref(self.VpcCidr),
Tags=self.default_tags +
Tags(Name=self.environment_name + "-VPC"),
))
self.public_subneta = self.template.add_resource(
ec2.Subnet(
"PublicSubnet",
CidrBlock=Ref(self.PublicSubnetA),
VpcId=Ref(self.vpc),
AvailabilityZone=Ref(self.AvailabilityZoneA),
MapPublicIpOnLaunch=True,
Tags=self.default_tags +
Tags(Name=self.environment_name + "-PUBSUBA"),
))
self.private_subneta = self.template.add_resource(
ec2.Subnet(
"PrivateSubnet",
CidrBlock=Ref(self.PrivateSubnetA),
VpcId=Ref(self.vpc),
AvailabilityZone=Ref(self.AvailabilityZoneA),
MapPublicIpOnLaunch=True,
Tags=self.default_tags +
Tags(Name=self.environment_name + "-PRIVSUBA"),
))
self.public_subnetb = self.template.add_resource(
ec2.Subnet(
"PublicSubnet2",
CidrBlock=Ref(self.PublicSubnetB),
VpcId=Ref(self.vpc),
AvailabilityZone=Ref(self.AvailabilityZoneB),
MapPublicIpOnLaunch=True,
Tags=self.default_tags +
Tags(name=self.environment_name + "-PUBSUBB"),
))
self.private_subnetb = self.template.add_resource(
ec2.Subnet(
"PrivateSubnet2",
CidrBlock=Ref(self.PrivateSubnetB),
VpcId=Ref(self.vpc),
AvailabilityZone=Ref(self.AvailabilityZoneB),
MapPublicIpOnLaunch=True,
Tags=self.default_tags +
Tags(Name=self.environment_name + "-PRIVSUBB"),
))
self.private_route_table = self.template.add_resource(
ec2.RouteTable(
"PrivateRouteTable",
VpcId=Ref(self.vpc),
Tags=self.default_tags +
Tags(Name=self.environment_name + "-PRIVRTBL"),
))
self.public_route_table = self.template.add_resource(
ec2.RouteTable(
"PublicRouteTable",
VpcId=Ref(self.vpc),
Tags=self.default_tags +
Tags(Name=self.environment_name + "-PUBRTBL"),
))
self.igw = self.template.add_resource(
ec2.InternetGateway(
"InternetGateway",
Tags=self.default_tags +
Tags(Name=self.environment_name + "-IGW"),
))
self.attach_igw = self.template.add_resource(
ec2.VPCGatewayAttachment(
"IGWAttachment",
VpcId=Ref(self.vpc),
InternetGatewayId=Ref(self.igw),
))
self.nat_eip = self.template.add_resource(
ec2.EIP(
"NatEIP",
Domain="vpc",
))
self.nat = self.template.add_resource(
ec2.NatGateway(
"Nat",
AllocationId=GetAtt(self.nat_eip, 'AllocationId'),
SubnetId=Ref(self.public_subneta),
Tags=self.default_tags +
Tags(Name=self.environment_name + "-NAT"),
))
self.nat_route = self.template.add_resource(
ec2.Route(
"PublicRoute",
RouteTableId=Ref(self.private_route_table),
DestinationCidrBlock='0.0.0.0/0',
NatGatewayId=Ref(self.nat),
))
self.igw_route = self.template.add_resource(
ec2.Route(
"InternetGatewayRoute",
RouteTableId=Ref(self.public_route_table),
DestinationCidrBlock='0.0.0.0/0',
GatewayId=Ref(self.igw),
))
self.private_subnet_association = self.template.add_resource(
ec2.SubnetRouteTableAssociation(
"PriSubnetAssociation",
SubnetId=Ref(self.private_subneta),
RouteTableId=Ref(self.private_route_table),
))
self.public_subnet_association = self.template.add_resource(
ec2.SubnetRouteTableAssociation(
"PubSubnetAssociation",
SubnetId=Ref(self.public_subneta),
RouteTableId=Ref(self.public_route_table),
))
"""Start Block for Second group of Subnets"""
self.private_route_tableb = self.template.add_resource(
ec2.RouteTable(
"PrivateRouteTableB",
VpcId=Ref(self.vpc),
Tags=self.default_tags +
Tags(Name=self.environment_name + "-PRIVRTBLB"),
))
self.public_route_tableb = self.template.add_resource(
ec2.RouteTable(
"PublicRouteTableB",
VpcId=Ref(self.vpc),
Tags=self.default_tags +
Tags(Name=self.environment_name + "-PUBRTBLB"),
))
self.nat_eipb = self.template.add_resource(
ec2.EIP(
"NatEIPB",
Domain="vpc",
))
self.natb = self.template.add_resource(
ec2.NatGateway(
"NatB",
AllocationId=GetAtt(self.nat_eipb, 'AllocationId'),
SubnetId=Ref(self.public_subnetb),
Tags=self.default_tags +
Tags(Name=self.environment_name + "-NATB"),
))
self.nat_routeb = self.template.add_resource(
ec2.Route(
"PublicRouteB",
RouteTableId=Ref(self.private_route_tableb),
DestinationCidrBlock='0.0.0.0/0',
NatGatewayId=Ref(self.natb),
))
self.private_subnet_associationb = self.template.add_resource(
ec2.SubnetRouteTableAssociation(
"PriSubnetAssociationB",
SubnetId=Ref(self.private_subnetb),
RouteTableId=Ref(self.private_route_tableb),
))
self.public_subnet_associationb = self.template.add_resource(
ec2.SubnetRouteTableAssociation(
"PubSubnetAssociationB",
SubnetId=Ref(self.public_subnetb),
RouteTableId=Ref(self.public_route_tableb),
))
