def create_network_acl(template, name, vpc, **attrs):
return template.add_resource(ec2.NetworkAcl(
name,
VpcId=Ref(vpc),
Tags=Tags(Name=name),
**attrs
))
def define_network_acl(self, acl_config, vpc):
acl = ec2.NetworkAcl(acl_config["name"],
DeletionPolicy=self.deletion_policy)
acl.VpcId = Ref(vpc)
acl.Tags = self._get_tags(acl_config)
self._add_resource(acl)
ingress_suffix = "%s%s" % (acl_config["name"], "Ingress")
egress_suffix = "%s%s" % (acl_config["name"], "Egress")
for line in acl_config["ingress"]:
i_entry = self.parse_acl_entry(acl, line, False, ingress_suffix)
self._add_resource(i_entry)
for line in acl_config["egress"]:
e_entry = self.parse_acl_entry(acl, line, True, egress_suffix)
self._add_resource(e_entry)
for subnet in acl_config["subnets"]:
self.define_subnet_network_acl(subnet, acl)
def create_network(self):
self.vpc_nw_acl = self.template.add_resource(
ec2.NetworkAcl(VPC_NETWORK_ACCESS_LIST,
VpcId=self.vpc.Ref(),
Tags=self.__set_tags("NetworkAcl")))
self.inbound_rule = self.template.add_resource(
ec2.NetworkAclEntry(VPC_NETWORK_ACL_INBOUND_RULE,
NetworkAclId=self.vpc_nw_acl.Ref(),
RuleNumber=100,
Protocol="6",
PortRange=PortRange(To="443", From="443"),
Egress="false",
RuleAction="allow",
CidrBlock="0.0.0.0/0"))
self.outbound_rule = self.template.add_resource(
ec2.NetworkAclEntry(VPC_NETWORK_ACL_OUTBOUND_RULE,
NetworkAclId=self.vpc_nw_acl.Ref(),
RuleNumber=200,
Protocol="6",
Egress="true",
RuleAction="allow",
CidrBlock="0.0.0.0/0"))
def gen_network_acl(self):
self.network_acl = ec2.NetworkAcl("NetworkAcl", VpcId=Ref(self.vpc))
self.template.add_resource(self.network_acl)
# Allow all inbound and outbound traffic for http, https, and
# ephemeral ports for load balancers. Deny all other traffic.
rule_number = 100
port_ranges = [(80, 80), (443, 443), (1024, 65535)]
for p in port_ranges:
for egress in [False, True]:
entry_type = "Egress" if egress else "Ingress"
name = f"NetworkAcl{entry_type}{p[0]}"
network_acl_entry = ec2.NetworkAclEntry(
name,
NetworkAclId=Ref(self.network_acl),
CidrBlock="0.0.0.0/0",
Egress=egress,
PortRange=ec2.PortRange(From=p[0], To=p[1]),
Protocol=6, # TCP
RuleAction="allow",
RuleNumber=rule_number,
)
self.template.add_resource(network_acl_entry)
rule_number += 10
def west_vpc_stack(cfn_file):
template = Template()
vpc_cidr_param = template.add_parameter(
Parameter(
"vpcCidrParam",
Description="string of vpc cidr block to use",
Type="String",
))
subnet_cidr_param = template.add_parameter(
Parameter(
"subnetCidrParam",
Description="string of subnet cidr block to use",
Type="String",
))
east_peer_cidr_param = template.add_parameter(
Parameter(
"eastPeerCidrParam",
Type="String",
))
vpc = template.add_resource(
ec2.VPC(
"Vpc",
CidrBlock=Ref(vpc_cidr_param),
EnableDnsSupport=True,
EnableDnsHostnames=True,
InstanceTenancy="default",
Tags=resource_tags,
))
route_tbl = template.add_resource(
ec2.RouteTable(
"RouteTable",
VpcId=Ref(vpc),
Tags=resource_tags,
))
subnet = template.add_resource(
ec2.Subnet(
"Subnet",
VpcId=Ref(vpc),
CidrBlock=Ref(subnet_cidr_param),
MapPublicIpOnLaunch=True,
AvailabilityZone=Select(0, GetAZs()),
Tags=resource_tags,
))
route_tbl_asoc = template.add_resource(
ec2.SubnetRouteTableAssociation("RouteTblSubnetAsoc",
RouteTableId=Ref(route_tbl),
SubnetId=Ref(subnet)))
# stage 3: delete me and update to remove peering stack
# peer_route=template.add_resource(
# ec2.Route(
# "peerRoute",
# DestinationCidrBlock=Ref(east_peer_cidr_param),
# VpcPeeringConnectionId="pcx-0d27f0252e6c8ac93",
# RouteTableId=Ref(route_tbl)
# )
# )
# /stage3
my_net_acl = template.add_resource(
ec2.NetworkAcl(
"MyFirstNetAcl",
Tags=resource_tags,
VpcId=Ref(vpc),
))
template.add_resource(
ec2.NetworkAclEntry(
"MyAllOutNetAclEntry",
NetworkAclId=Ref(my_net_acl),
CidrBlock="0.0.0.0/0",
Protocol=-1,
Egress=True,
RuleAction="allow",
RuleNumber=100,
))
template.add_resource(
ec2.NetworkAclEntry("MyPriv2PubNetAclEntry",
NetworkAclId=Ref(my_net_acl),
CidrBlock=Ref(east_peer_cidr_param),
Protocol=-1,
RuleAction="allow",
RuleNumber=101))
template.add_resource(
ec2.SubnetNetworkAclAssociation("subNaclAsoc",
NetworkAclId=Ref(my_net_acl),
SubnetId=Ref(subnet)))
# # stage 4: vpc endpoint connection
# s3_bucket=template.add_resource(
# s3.Bucket(
# "MyBucketForServiceConnection",
# BucketName="bucket-for-service-connection-lab-4-2-3-jdix"
# )
# )
# vpc_endpoint=template.add_resource(
# ec2.VPCEndpoint(
# "MyVpcS3Endpoint",
# VpcId=Ref(vpc),
# ServiceName="com.amazonaws.us-west-2.s3",
# RouteTableIds=[Ref(route_tbl)],
# PolicyDocument={
# "Statement": [
# {
# "Principal": "*",
# "Action": "*",
# "Effect": "Allow",
# "Resource": [
# Join("", ["arn:aws:s3:::", Ref(s3_bucket)]),
# Join("", ["arn:aws:s3:::", Ref(s3_bucket), '/*'])
# ],
# }
# ]
# }
# )
# )
# endpoint acls
# template.add_resource(
# ec2.NetworkAclEntry(
# "MyS3ClientPortsNetAclEntry1",
# NetworkAclId=Ref(my_net_acl),
# CidrBlock="3.5.76.0/22",
# Protocol=6,
# RuleAction="allow",
# RuleNumber=102,
# PortRange=ec2.PortRange(From=1024, To=65535)
# )
# )
# template.add_resource(
# ec2.NetworkAclEntry(
# "MyS3ClientPortsNetAclEntry2",
# NetworkAclId=Ref(my_net_acl),
# CidrBlock="3.5.80.0/21",
# Protocol=6,
# RuleAction="allow",
# RuleNumber=103,
# PortRange=ec2.PortRange(From=1024, To=65535)
# )
# )
# template.add_resource(
# ec2.NetworkAclEntry(
# "MyS3ClientPortsNetAclEntry3",
# NetworkAclId=Ref(my_net_acl),
# CidrBlock="52.218.128.0/17",
# Protocol=6,
# RuleAction="allow",
# RuleNumber=104,
# PortRange=ec2.PortRange(From=1024, To=65535)
# )
# )
# template.add_resource(
# ec2.NetworkAclEntry(
# "MyS3ClientPortsNetAclEntry4",
# NetworkAclId=Ref(my_net_acl),
# CidrBlock="52.92.128.0/17",
# Protocol=6,
# RuleAction="allow",
# RuleNumber=105,
# PortRange=ec2.PortRange(From=1024, To=65535)
# )
# )
# bucket policy
# template.add_resource(
# s3.BucketPolicy(
# "bucketPolicyForVpcEndpoint",
# Bucket=Ref(s3_bucket),
# PolicyDocument={
# "Version": "2012-10-17",
# "Statement": [
# {
# "Action": "*",
# "Principal": "*",
# "Resource": [
# Join("", ["arn:aws:s3:::", Ref(s3_bucket)]),
# Join("", ["arn:aws:s3:::", Ref(s3_bucket), '/*'])
# ],
# "Effect": "Allow",
# "Condition": {
# "StringEquals": {
# "aws:SourceVpce": Ref(vpc_endpoint)
# },
# "StringEquals": {
# "aws:SourceVpc": Ref(vpc)
# }
# }
# }
# ]
# }
# )
# )
# endpoint policy
# /stage4
template.add_output([
Output(
"VpcId",
Description="InstanceId of the newly created EC2 instance",
Value=Ref(vpc),
Export=Export("VpcId-jdix"),
),
Output(
"SubnetId",
Description="InstanceId of the newly created EC2 instance",
Value=Ref(subnet),
Export=Export("SubnetId-jdix"),
),
])
template_out_yaml(cfn_file, template)
def east_vpc_stack(cfn_file):
template = Template()
vpc_cidr_param = template.add_parameter(
Parameter(
"vpcCidrParam",
Description="string of vpc cidr block to use",
Type="String",
))
subnet_cidr_param = template.add_parameter(
Parameter(
"subnetCidrParam",
Description="string of subnet cidr block to use",
Type="String",
))
west_peer_cidr_param = template.add_parameter(
Parameter(
"westPeerCidrParam",
Type="String",
))
igw = template.add_resource(
ec2.InternetGateway(
"Igw",
Tags=resource_tags,
))
vpc = template.add_resource(
ec2.VPC(
"Vpc",
CidrBlock=Ref(vpc_cidr_param),
EnableDnsSupport=True,
EnableDnsHostnames=True,
InstanceTenancy="default",
Tags=resource_tags,
))
igwa = template.add_resource(
ec2.VPCGatewayAttachment(
"IgwA",
VpcId=Ref(vpc),
InternetGatewayId=Ref(igw),
))
route_tbl = template.add_resource(
ec2.RouteTable(
"RouteTable",
VpcId=Ref(vpc),
Tags=resource_tags,
))
default_route = template.add_resource(
ec2.Route("defaultRoute",
DestinationCidrBlock="0.0.0.0/0",
GatewayId=Ref(igw),
RouteTableId=Ref(route_tbl)))
# stage 3: delete me and update to remove peering stack
# peer_route=template.add_resource(
# ec2.Route(
# "peerRoute",
# DestinationCidrBlock=Ref(west_peer_cidr_param),
# VpcPeeringConnectionId="pcx-0d27f0252e6c8ac93",
# RouteTableId=Ref(route_tbl)
# )
# )
# /stage3
subnet = template.add_resource(
ec2.Subnet(
"Subnet",
VpcId=Ref(vpc),
CidrBlock=Ref(subnet_cidr_param),
MapPublicIpOnLaunch=True,
AvailabilityZone=Select(0, GetAZs()),
Tags=resource_tags,
))
route_tbl_asoc = template.add_resource(
ec2.SubnetRouteTableAssociation("RouteTblSubnetAsoc",
RouteTableId=Ref(route_tbl),
SubnetId=Ref(subnet)))
my_net_acl = template.add_resource(
ec2.NetworkAcl(
"MyFirstNetAcl",
Tags=resource_tags,
VpcId=Ref(vpc),
))
template.add_resource(
ec2.NetworkAclEntry(
"MyAllOutNetAclEntry",
NetworkAclId=Ref(my_net_acl),
CidrBlock="0.0.0.0/0",
Protocol=-1,
Egress=True,
RuleAction="allow",
RuleNumber=100,
))
template.add_resource(
ec2.NetworkAclEntry("MyInNetAclEntry",
NetworkAclId=Ref(my_net_acl),
CidrBlock="74.77.86.69/32",
Protocol=6,
RuleAction="allow",
RuleNumber=100,
PortRange=ec2.PortRange(From=22, To=22)))
template.add_resource(
ec2.NetworkAclEntry("MyPriv2PubNetAclEntry",
NetworkAclId=Ref(my_net_acl),
CidrBlock=Ref(west_peer_cidr_param),
Protocol=-1,
RuleAction="allow",
RuleNumber=101))
template.add_resource(
ec2.NetworkAclEntry("MyClientPortsNetAclEntry",
NetworkAclId=Ref(my_net_acl),
CidrBlock="0.0.0.0/0",
Protocol=6,
RuleAction="allow",
RuleNumber=102,
PortRange=ec2.PortRange(From=1024, To=65535)))
template.add_resource(
ec2.SubnetNetworkAclAssociation("subNaclAsoc",
NetworkAclId=Ref(my_net_acl),
SubnetId=Ref(subnet)))
template.add_output([
Output(
"VpcId",
Description="InstanceId of the newly created EC2 instance",
Value=Ref(vpc),
Export=Export("VpcId-jdix"),
),
Output(
"SubnetId",
Description="InstanceId of the newly created EC2 instance",
Value=Ref(subnet),
Export=Export("SubnetId-jdix"),
),
])
template_out_yaml(cfn_file, template)
"VpcDhcpOptionsAssociation",
DhcpOptionsId=Ref("DhcpOptions"),
VpcId=Ref("VPC"))
template.add_resource(VpcDhcpOptionsAssociation)
# Attach Internet Gateway to VPC
VpcGatewayAttachment = ec2.VPCGatewayAttachment(
"VpcGatewayAttachment",
InternetGatewayId=Ref("InternetGateway"),
VpcId=Ref("VPC"))
template.add_resource(VpcGatewayAttachment)
# Add VPC Network ACL
resource_tags.update({"Name": "ApiDev-Dev-NetworkAcl"})
VpcNetworkAcl = ec2.NetworkAcl("VpcNetworkAcl",
Tags=Tags(resource_tags),
VpcId=Ref("VPC"))
template.add_resource(VpcNetworkAcl)
# Add ACL rule for inbound public traffic over port 443
VpcNetworkAclInboundRulePublic443 = ec2.NetworkAclEntry(
"VpcNetworkAclInboundRulePublic443",
CidrBlock="0.0.0.0/0",
Egress="false",
NetworkAclId=Ref("VpcNetworkAcl"),
PortRange=ec2.PortRange(From="443", To="443"),
Protocol="6",
RuleAction="allow",
RuleNumber=20001)
template.add_resource(VpcNetworkAclInboundRulePublic443)
ec2.SubnetRouteTableAssociation(
'PublicSubnet3RouteTableAssociation',
Condition='3AZCondition',
SubnetId=Ref(public_subnet_3),
RouteTableId=Ref(public_subnet_routetable)))
public_subnet_4_routetable_association = t.add_resource(
ec2.SubnetRouteTableAssociation(
'PublicSubnet4RouteTableAssociation',
Condition='4AZCondition',
SubnetId=Ref(public_subnet_4),
RouteTableId=Ref(public_subnet_routetable)))
public_subnet_acl = t.add_resource(
ec2.NetworkAcl('PublicSubnetACL',
VpcId=Ref(vpc),
Tags=Tags(Name='PublicSubnetACL')))
public_subnet_acl_inbound = t.add_resource(
ec2.NetworkAclEntry('PublicSubnetACLIngress',
CidrBlock='0.0.0.0/0',
Egress='false',
NetworkAclId=Ref(public_subnet_acl),
Protocol='-1',
RuleAction='allow',
RuleNumber='100'))
public_subnet_acl_outbound = t.add_resource(
ec2.NetworkAclEntry('PublicSubnetACLEgress',
CidrBlock='0.0.0.0/0',
Egress='true',
def __init__(self):
super(VPC, self).__init__()
self.vpc = ec2.VPC(
"VPC",
CidrBlock="172.1.0.0/16",
InstanceTenancy="default",
EnableDnsSupport=True,
EnableDnsHostnames=True,
Tags=Tags(Name=Ref("AWS::StackName")),
)
self.internet_gateway = ec2.InternetGateway(
"InternetGateway",
Tags=Tags(Name=Join(
"", [Ref("AWS::StackName"), "-internet-gateway"]), ),
)
self.internet_gateway_attachment = ec2.VPCGatewayAttachment(
"InternetGatewayAttachment",
InternetGatewayId=Ref(self.internet_gateway),
VpcId=Ref(self.vpc),
)
self.public_route_table = ec2.RouteTable(
"PublicRouteTable",
VpcId=Ref(self.vpc),
Tags=Tags(Name=Join(
"-", [Ref("AWS::StackName"), "public-route-table"]), ),
)
self.private_route_table = ec2.RouteTable(
"PrivateRouteTable",
VpcId=Ref(self.vpc),
Tags=Tags(Name=Join(
"-", [Ref("AWS::StackName"), "private-route-table"]), ),
)
self.vpc_s3_endpoint = ec2.VPCEndpoint(
"VPCS3Endpoint",
ServiceName=Join(
"",
["com.amazonaws.", Ref("AWS::Region"), ".s3"]),
VpcId=Ref(self.vpc),
RouteTableIds=[
Ref(self.public_route_table),
Ref(self.private_route_table)
],
)
self.route_to_internet = ec2.Route(
"RouteToInternet",
DestinationCidrBlock="0.0.0.0/0",
GatewayId=Ref(self.internet_gateway),
RouteTableId=Ref(self.public_route_table),
DependsOn=self.internet_gateway_attachment.title,
)
# private subnets
self.private_subnet_1 = ec2.Subnet(
"PrivateSubnet1",
AvailabilityZone=Select(0, GetAZs()),
CidrBlock="172.1.1.0/24",
MapPublicIpOnLaunch=False,
Tags=Tags(Name=Join(
"", [Ref("AWS::StackName"), "-private-subnet-1"]), ),
VpcId=Ref(self.vpc),
)
self.private_subnet_1_route_table_association = ec2.SubnetRouteTableAssociation(
"PrivateSubnet1RouteTableAssociation",
RouteTableId=Ref(self.private_route_table),
SubnetId=Ref(self.private_subnet_1),
)
self.private_subnet_2 = ec2.Subnet(
"PrivateSubnet2",
AvailabilityZone=Select(1, GetAZs()),
CidrBlock="172.1.2.0/24",
MapPublicIpOnLaunch=False,
Tags=Tags(Name=Join(
"", [Ref("AWS::StackName"), "-private-subnet-2"]), ),
VpcId=Ref(self.vpc),
)
self.private_subnet_2_route_table_association = ec2.SubnetRouteTableAssociation(
"PrivateSubnet2RouteTableAssociation",
RouteTableId=Ref(self.private_route_table),
SubnetId=Ref(self.private_subnet_2),
)
self.private_network_aCL = ec2.NetworkAcl(
"PrivateNetworkACL",
VpcId=Ref(self.vpc),
Tags=Tags(Name=Join("",
[Ref("AWS::StackName"), "-private-nacl"]), ),
)
self.private_subnet_1_network_acl_association = ec2.SubnetNetworkAclAssociation(
"PrivateSubnet1NetworkAclAssociation",
SubnetId=Ref(self.private_subnet_1),
NetworkAclId=Ref(self.private_network_aCL),
)
self.private_subnet_2_network_acl_association = ec2.SubnetNetworkAclAssociation(
"PrivateSubnet2NetworkAclAssociation",
SubnetId=Ref(self.private_subnet_2),
NetworkAclId=Ref(self.private_network_aCL),
)
self.private_network_acl_entry_in = ec2.NetworkAclEntry(
"PrivateNetworkAclEntryIn",
CidrBlock="172.1.0.0/16",
Egress=False,
NetworkAclId=Ref(self.private_network_aCL),
Protocol=-1,
RuleAction="allow",
RuleNumber=200,
)
self.private_network_acl_entry_out = ec2.NetworkAclEntry(
"PrivateNetworkAclEntryOut",
CidrBlock="172.1.0.0/16",
Egress=True,
NetworkAclId=Ref(self.private_network_aCL),
Protocol=-1,
RuleAction="allow",
RuleNumber=200,
)
# public subnets
self.public_subnet_1 = ec2.Subnet(
"PublicSubnet1",
AvailabilityZone=Select(0, GetAZs()),
CidrBlock="172.1.128.0/24",
MapPublicIpOnLaunch=True,
Tags=Tags(Name=Join(
"", [Ref("AWS::StackName"), "-public-subnet-1"]), ),
VpcId=Ref(self.vpc),
)
self.public_subnet_1_route_table_association = ec2.SubnetRouteTableAssociation(
"PublicSubnet1RouteTableAssociation",
RouteTableId=Ref(self.public_route_table),
SubnetId=Ref(self.public_subnet_1),
)
self.public_subnet_2 = ec2.Subnet(
"PublicSubnet2",
AvailabilityZone=Select(1, GetAZs()),
CidrBlock="172.1.129.0/24",
MapPublicIpOnLaunch=True,
Tags=Tags(Name=Join(
"", [Ref("AWS::StackName"), "-public-subnet-2"]), ),
VpcId=Ref(self.vpc),
)
self.public_subnet_2_route_table_association = ec2.SubnetRouteTableAssociation(
"PublicSubnet2RouteTableAssociation",
RouteTableId=Ref(self.public_route_table),
SubnetId=Ref(self.public_subnet_2),
)
def dump_base_yaml(cfn_file):
template = Template()
vpc_cidr_param = template.add_parameter(
Parameter(
"vpcCidrParam",
Description="string of vpc cidr block to use",
Type="String",
))
subnet_cidr_param = template.add_parameter(
Parameter(
"subnetCidrParam",
Description="string of subnet cidr block to use",
Type="String",
))
igw = template.add_resource(
ec2.InternetGateway(
"Igw",
Tags=resource_tags,
))
vpc = template.add_resource(
ec2.VPC(
"Vpc",
CidrBlock=Ref(vpc_cidr_param),
EnableDnsSupport=True,
EnableDnsHostnames=True,
InstanceTenancy="default",
Tags=resource_tags,
))
igwa = template.add_resource(
ec2.VPCGatewayAttachment(
"IgwA",
VpcId=Ref(vpc),
InternetGatewayId=Ref(igw),
))
route_tbl = template.add_resource(
ec2.RouteTable(
"RouteTable",
VpcId=Ref(vpc),
Tags=resource_tags,
))
default_route = template.add_resource(
ec2.Route("defaultRoute",
DestinationCidrBlock="0.0.0.0/0",
GatewayId=Ref(igw),
RouteTableId=Ref(route_tbl)))
subnet = template.add_resource(
ec2.Subnet(
"Subnet",
VpcId=Ref(vpc),
CidrBlock=Ref(subnet_cidr_param),
MapPublicIpOnLaunch=True,
AvailabilityZone=Select(0, GetAZs()),
Tags=resource_tags,
))
route_tbl_asoc = template.add_resource(
ec2.SubnetRouteTableAssociation("RouteTblSubnetAsoc",
RouteTableId=Ref(route_tbl),
SubnetId=Ref(subnet)))
priv_route_tbl = template.add_resource(
ec2.RouteTable(
"PrivRouteTable",
VpcId=Ref(vpc),
Tags=resource_tags,
))
priv_subnet = template.add_resource(
ec2.Subnet(
"PrivSubnet",
VpcId=Ref(vpc),
CidrBlock="10.10.1.0/24",
MapPublicIpOnLaunch=False,
AvailabilityZone=Select(0, GetAZs()),
Tags=resource_tags,
))
route_tbl_asoc = template.add_resource(
ec2.SubnetRouteTableAssociation("RouteTblPrivSubnetAsoc",
RouteTableId=Ref(priv_route_tbl),
SubnetId=Ref(priv_subnet)))
ngw_elastic_ip = template.add_resource(
ec2.EIP(
"MyNgwEip",
Tags=resource_tags,
))
nat_gateway = template.add_resource(
ec2.NatGateway(
"MyNatGateway",
AllocationId=GetAtt(ngw_elastic_ip, "AllocationId"),
SubnetId=Ref(subnet),
))
private_out_route = template.add_resource(
ec2.Route("privateOutRoute",
DestinationCidrBlock="0.0.0.0/0",
NatGatewayId=Ref(nat_gateway),
RouteTableId=Ref(priv_route_tbl)))
first_network_acl = template.add_resource(
ec2.NetworkAcl(
"MyFirstNetAcl",
Tags=resource_tags,
VpcId=Ref(vpc),
))
network_out_second_acl_entry = template.add_resource(
ec2.NetworkAclEntry(
"MyPrivOutNetAclEntry",
NetworkAclId=Ref(first_network_acl),
CidrBlock="0.0.0.0/0",
Protocol=-1,
Egress=True,
RuleAction="allow",
RuleNumber=100,
))
network_inbound_acl_entry = template.add_resource(
ec2.NetworkAclEntry("MyInNetAclEntry",
NetworkAclId=Ref(first_network_acl),
CidrBlock="74.77.86.69/32",
Protocol=6,
RuleAction="allow",
RuleNumber=100,
PortRange=ec2.PortRange(From=22, To=22)))
private_to_public_client_ports_acl_entry = template.add_resource(
ec2.NetworkAclEntry("MyPriv2PubClientPortsNetAclEntry",
NetworkAclId=Ref(first_network_acl),
CidrBlock="10.10.1.0/24",
Protocol=6,
RuleAction="allow",
RuleNumber=101,
PortRange=ec2.PortRange(From=1024, To=65535)))
public_to_internet_client_ports_acl_entry = template.add_resource(
ec2.NetworkAclEntry("MyPub2DefaultClientPortsNetAclEntry",
NetworkAclId=Ref(first_network_acl),
CidrBlock="0.0.0.0/0",
Protocol=6,
RuleAction="allow",
RuleNumber=102,
PortRange=ec2.PortRange(From=1024, To=65535)))
public_to_private_icmpv4_acl_entry = template.add_resource(
ec2.NetworkAclEntry("MyPubIcmpv4NetAclEntry",
NetworkAclId=Ref(first_network_acl),
CidrBlock="10.10.1.0/24",
Protocol=1,
Icmp=ec2.ICMP(Code=-1, Type=-1),
RuleAction="allow",
RuleNumber=103))
second_network_acl = template.add_resource(
ec2.NetworkAcl(
"MySecondNetAcl",
Tags=resource_tags,
VpcId=Ref(vpc),
))
network_out_second_acl_entry = template.add_resource(
ec2.NetworkAclEntry("MyPriv2InternetClientPortsNetAclEntry",
NetworkAclId=Ref(second_network_acl),
CidrBlock="0.0.0.0/0",
Protocol=6,
RuleAction="allow",
RuleNumber=100,
PortRange=ec2.PortRange(From=1024, To=65535)))
public_to_private_ssh_acl_entry = template.add_resource(
ec2.NetworkAclEntry("MyPrivSshNetAclEntry",
NetworkAclId=Ref(second_network_acl),
CidrBlock="10.10.0.0/24",
Protocol=6,
RuleAction="allow",
RuleNumber=101,
PortRange=ec2.PortRange(From=22, To=22)))
public_to_private_http_acl_entry = template.add_resource(
ec2.NetworkAclEntry("MyPrivHttpNetAclEntry",
NetworkAclId=Ref(second_network_acl),
CidrBlock="10.10.0.0/24",
Protocol=6,
RuleAction="allow",
RuleNumber=102,
PortRange=ec2.PortRange(From=80, To=80)))
private_to_public_icmpv4_acl_entry = template.add_resource(
ec2.NetworkAclEntry("MyPrivIcmpv4NetAclEntry",
NetworkAclId=Ref(second_network_acl),
CidrBlock="10.10.0.0/24",
Protocol=1,
Icmp=ec2.ICMP(Code=-1, Type=-1),
RuleAction="allow",
RuleNumber=103))
network_out_second_acl_entry = template.add_resource(
ec2.NetworkAclEntry(
"MyPubOutNetAclEntry",
NetworkAclId=Ref(second_network_acl),
CidrBlock="0.0.0.0/0",
Protocol=-1,
Egress=True,
RuleAction="allow",
RuleNumber=100,
))
subnet_nacl_asociation = template.add_resource(
ec2.SubnetNetworkAclAssociation("subNaclAsoc",
NetworkAclId=Ref(first_network_acl),
SubnetId=Ref(subnet)))
priv_subnet_nacl_asociation = template.add_resource(
ec2.SubnetNetworkAclAssociation("privSubNaclAsoc",
NetworkAclId=Ref(second_network_acl),
SubnetId=Ref(priv_subnet)))
template.add_output([
Output(
"VpcId",
Description="InstanceId of the newly created EC2 instance",
Value=Ref(vpc),
Export=Export("VpcId-jdix"),
),
Output(
"SubnetId",
Description="InstanceId of the newly created EC2 instance",
Value=Ref(subnet),
Export=Export("SubnetId-jdix"),
),
Output(
"PrivSubnetId",
Description="InstanceId of the newly created EC2 instance",
Value=Ref(priv_subnet),
Export=Export("PrivSubnetId-jdix"),
),
])
template_out_yaml(cfn_file, template)
GatewayId=Ref('trointgat'),
DependsOn=Ref('trovpcintgatatt'),
RouteTableId=Ref('troroutab'),
))
"""Subnet & Route Table association"""
t.add_resource(ec2.SubnetRouteTableAssociation(
'trosubroutabass',
SubnetId=Ref('trosub'),
RouteTableId=Ref('troroutab'),
))
"""Network ACL CREATION"""
t.add_resource(ec2.NetworkAcl(
'tronetacl',
VpcId=Ref('trovpc'),
))
""" Network ACL ENTRY 1 """
t.add_resource(ec2.NetworkAclEntry(
'tronetaclent1',
NetworkAclId=Ref('tronetacl'),
RuleNumber='100',
RuleAction='allow',
Protocol='-1',
CidrBlock='0.0.0.0/0',
PortRange=PortRange(To="80", From="80"),
Egress=False,
))
""" Network ACL ENTRY 2 """
def west_vpc_stack(cfn_file):
template = Template()
vpc_cidr_param = template.add_parameter(
Parameter(
"vpcCidrParam",
Description="string of vpc cidr block to use",
Type="String",
))
subnet_cidr_param = template.add_parameter(
Parameter(
"subnetCidrParam",
Description="string of subnet cidr block to use",
Type="String",
))
east_peer_cidr_param = template.add_parameter(
Parameter(
"eastPeerCidrParam",
Type="String",
))
vpc = template.add_resource(
ec2.VPC(
"Vpc",
CidrBlock=Ref(vpc_cidr_param),
EnableDnsSupport=True,
EnableDnsHostnames=True,
InstanceTenancy="default",
Tags=resource_tags,
))
route_tbl = template.add_resource(
ec2.RouteTable(
"RouteTable",
VpcId=Ref(vpc),
Tags=resource_tags,
))
subnet = template.add_resource(
ec2.Subnet(
"Subnet",
VpcId=Ref(vpc),
CidrBlock=Ref(subnet_cidr_param),
MapPublicIpOnLaunch=True,
AvailabilityZone=Select(0, GetAZs()),
Tags=resource_tags,
))
route_tbl_asoc = template.add_resource(
ec2.SubnetRouteTableAssociation("RouteTblSubnetAsoc",
RouteTableId=Ref(route_tbl),
SubnetId=Ref(subnet)))
# delete me and update to remove peering stack
peer_route = template.add_resource(
ec2.Route("peerRoute",
DestinationCidrBlock=Ref(east_peer_cidr_param),
VpcPeeringConnectionId="pcx-0d27f0252e6c8ac93",
RouteTableId=Ref(route_tbl)))
my_net_acl = template.add_resource(
ec2.NetworkAcl(
"MyFirstNetAcl",
Tags=resource_tags,
VpcId=Ref(vpc),
))
template.add_resource(
ec2.NetworkAclEntry(
"MyAllOutNetAclEntry",
NetworkAclId=Ref(my_net_acl),
CidrBlock="0.0.0.0/0",
Protocol=-1,
Egress=True,
RuleAction="allow",
RuleNumber=100,
))
template.add_resource(
ec2.NetworkAclEntry("MyPriv2PubNetAclEntry",
NetworkAclId=Ref(my_net_acl),
CidrBlock=Ref(east_peer_cidr_param),
Protocol=-1,
RuleAction="allow",
RuleNumber=101))
template.add_resource(
ec2.SubnetNetworkAclAssociation("subNaclAsoc",
NetworkAclId=Ref(my_net_acl),
SubnetId=Ref(subnet)))
template.add_output([
Output(
"VpcId",
Description="InstanceId of the newly created EC2 instance",
Value=Ref(vpc),
Export=Export("VpcId-jdix"),
),
Output(
"SubnetId",
Description="InstanceId of the newly created EC2 instance",
Value=Ref(subnet),
Export=Export("SubnetId-jdix"),
),
])
template_out_yaml(cfn_file, template)
def __setup_template(self):
"""
Produces a valid template instance which can then be print as json or yaml
"""
template = Template()
template.add_description("Service VPC - used for services")
template.add_metadata({
"Build": "development",
"DependsOn": [],
"Environment": "ApiDev",
"Revision": "develop",
"StackName": "ApiDev-Dev-VPC",
"StackType": "InfrastructureResource",
"TemplateBucket": "cfn-apidev",
"TemplateName": "VPC",
"TemplatePath": "ApiDev/Dev/VPC"
})
vpc = template.add_resource(
ec2.VPC(
"VPC",
CidrBlock="10.0.0.0/16",
EnableDnsHostnames="true",
EnableDnsSupport="true",
InstanceTenancy="default",
Tags=self.__get_tags("ServiceVPC"),
)
)
instance_sg = template.add_resource(
ec2.SecurityGroup(
"BastionSG",
GroupDescription="Used for source/dest rules",
Tags=self.__get_tags("VPC-Bastion-SG"),
VpcId=Ref(
vpc
)
),
)
cw_alarm_topic = template.add_resource(
Topic(
"CloudWatchAlarmTopic",
TopicName="ApiDev-Dev-CloudWatchAlarms",
)
)
dhcp_options = template.add_resource(
ec2.DHCPOptions(
"DhcpOptions",
DomainName=Join(
"",
[
Ref("AWS::Region"),
".compute.internal"
]
),
DomainNameServers=["AmazonProvidedDNS"],
Tags=self.__get_tags("DhcpOptions"),
)
)
gateway = template.add_resource(
ec2.InternetGateway(
"InternetGateway",
Tags=self.__get_tags("InternetGateway")
)
)
nat_emergency_topic = template.add_resource(
Topic(
"NatEmergencyTopic",
TopicName="ApiDev-Dev-NatEmergencyTopic",
)
)
vpc_dhcp_options_assoc = template.add_resource(
ec2.VPCDHCPOptionsAssociation(
"VpcDhcpOptionsAssociation",
DhcpOptionsId=Ref(
dhcp_options
),
VpcId=Ref(
vpc
)
)
)
vpc_gw_attachment = template.add_resource(
ec2.VPCGatewayAttachment(
"VpcGatewayAttachment",
InternetGatewayId=Ref(
gateway
),
VpcId=Ref(
vpc
)
)
)
vpc_network_acl = template.add_resource(
ec2.NetworkAcl(
"VpcNetworkAcl",
Tags=self.__get_tags("NetworkAcl"),
VpcId=Ref(
vpc
)
)
)
vpc_network_acl_rules = template.add_resource([
ec2.NetworkAclEntry(
"VpcNetworkAclInboundRulePublic443",
CidrBlock="0.0.0.0/0",
Egress="false",
NetworkAclId=Ref(
vpc_network_acl
),
PortRange=ec2.PortRange(
From="443",
To="443",
),
Protocol="6",
RuleAction="allow",
RuleNumber=20001
),
ec2.NetworkAclEntry(
"VpcNetworkAclInboundRulePublic80",
CidrBlock="0.0.0.0/0",
Egress="false",
NetworkAclId=Ref(
vpc_network_acl
),
PortRange=ec2.PortRange(
From="80",
To="80",
),
Protocol="6",
RuleAction="allow",
RuleNumber=20000
),
ec2.NetworkAclEntry(
"VpcNetworkAclOutboundRule",
CidrBlock="0.0.0.0/0",
Egress="true",
NetworkAclId=Ref(
vpc_network_acl
),
Protocol="-1",
RuleAction="allow",
RuleNumber=30000
),
ec2.NetworkAclEntry(
"VpcNetworkAclSsh",
CidrBlock="127.0.0.1/32",
Egress="false",
NetworkAclId=Ref(
vpc_network_acl
),
PortRange=ec2.PortRange(
From="22",
To="22",
),
Protocol="6",
RuleAction="allow",
RuleNumber=10000
)
])
template.add_output([
Output(
"BastionSG",
Value=Ref(instance_sg)
),
Output(
"CloudWatchAlarmTopic",
Value=Ref(cw_alarm_topic)
),
Output(
"InternetGateway",
Value=Ref(gateway)
),
Output(
"NatEmergencyTopicARN",
Value=Ref(nat_emergency_topic)
),
Output(
"VPCID",
Value=Ref(vpc)
),
Output(
"VPCName",
Value=Ref("AWS::StackName")
),
Output(
"VpcNetworkAcl",
Value=Ref(vpc_network_acl)
)
])
return template
def __init__(
self,
region: str,
cidr_block: str,
name: str = "VPC",
internet_access_enabled: bool = True,
internal_networks: list = [],
):
"""Create VPC, internet gateway, route tables and network ACLs
Args:
region (str): Region to use when setting up the VPC. The
maximum number of subnets set up depends on the number
of availability zones present in the region.
cidr_block (str): IP range used by the VPC
name (str, optional): VPC name. Defaults to "VPC".
internet_access_enabled (bool, optional): If False, internet
gateway will not be set up. Public network ACLs and
route tables will still be created.
Defaults to True.
internal_networks (list, optional): IP ranges for private
networks that this VPC will be connected to. They will
be added to network ACLs. Defaults to [].
"""
self.name = name
self.region = region
self.cidr_block = cidr_block
self.internal_networks = internal_networks
self.internet_access_enabled = internet_access_enabled
self.public_subnets = []
# Gateway subnets are public subnets hosting exit points like
# NAT Gateway and VPC Endpoint interfaces
self.gateway_subnets = []
self.public_route_table = None
self.natted_route_tables = []
self.nat_gateways = []
self._t = Template() # Template
self._r = dict() # Resources
self._o = dict() # Outputs
self._r["Vpc"] = t_ec2.VPC(
title=f"{self.name}Vpc",
CidrBlock=self.cidr_block,
EnableDnsHostnames=True,
EnableDnsSupport=True,
Tags=[{
"Key": "Name",
"Value": self.name
}],
)
self.vpc = self._r["Vpc"]
self._o["VpcId"] = Output(
title="VpcId",
Value=Ref(self.vpc),
Export=Export(Sub("${AWS::StackName}-vpc-id")),
)
if internet_access_enabled:
# Create Internet Gateway
title = "Igw"
self._r[title] = t_ec2.InternetGateway(
title=title,
Tags=[{
"Key": "Name",
"Value": f"{self.name}-igw"
}],
)
self._r["igw_attachment"] = t_ec2.VPCGatewayAttachment(
title="IgwAttachment",
VpcId=Ref(self.vpc),
InternetGatewayId=Ref(self._r["Igw"]),
)
# Public routing table
self._r["PubRouteTable"] = t_ec2.RouteTable(
title="PubRouteTable",
VpcId=Ref(self.vpc),
Tags=[{
"Key": "Name",
"Value": "Public"
}],
)
self.public_route_table = self._r["PubRouteTable"]
if internet_access_enabled:
self._r["pub_rtt_rt_pub"] = t_ec2.Route(
title="PubRoute",
RouteTableId=Ref(self._r["PubRouteTable"]),
DestinationCidrBlock="0.0.0.0/0",
GatewayId=Ref(self._r["Igw"]),
)
# Network ACL for public subnets
self._r["PubNacl"] = t_ec2.NetworkAcl(
title="PubNacl",
VpcId=Ref(self.vpc),
Tags=[{
"Key": "Name",
"Value": "Public"
}],
)
self.public_nacl = self._r["PubNacl"]
self._r["pub_nacl_out_all"] = t_ec2.NetworkAclEntry(
title="PubNaclOutAll",
NetworkAclId=Ref(self.public_nacl),
Egress=True,
RuleNumber=500,
CidrBlock="0.0.0.0/0",
Protocol=-1,
RuleAction="allow",
)
self._r["pub_nacl_in_icmp"] = t_ec2.NetworkAclEntry(
title="PubNaclInIcmp",
NetworkAclId=Ref(self.public_nacl),
Egress=False,
RuleNumber=99,
CidrBlock="0.0.0.0/0",
Protocol=1,
Icmp=t_ec2.ICMP(Code=-1, Type=-1),
RuleAction="allow",
)
self._r["pub_nacl_in_vpc"] = t_ec2.NetworkAclEntry(
title="PubNaclInVpc",
NetworkAclId=Ref(self.public_nacl),
Egress=False,
RuleNumber=100,
CidrBlock=GetAtt(self.vpc, "CidrBlock"),
Protocol=-1,
RuleAction="allow",
)
for index, cidr_block in enumerate(self.internal_networks):
self._r[f"pub_nacl_in_internal_{index}"] = t_ec2.NetworkAclEntry(
title=f"PubNaclInInternal{index}",
NetworkAclId=Ref(self.public_nacl),
Egress=False,
RuleNumber=101 + index,
CidrBlock=cidr_block,
Protocol=-1,
RuleAction="allow",
)
self._r["pub_nacl_in_ssh"] = t_ec2.NetworkAclEntry(
title="PubNaclInSsh",
NetworkAclId=Ref(self.public_nacl),
Egress=False,
RuleNumber=210,
CidrBlock="0.0.0.0/0",
Protocol=6,
PortRange=t_ec2.PortRange(From=22, To=22),
RuleAction="allow",
)
self._r["pub_nacl_in_http"] = t_ec2.NetworkAclEntry(
title="PubNaclInHttp",
NetworkAclId=Ref(self.public_nacl),
Egress=False,
RuleNumber=220,
CidrBlock="0.0.0.0/0",
Protocol=6,
PortRange=t_ec2.PortRange(From=80, To=80),
RuleAction="allow",
)
self._r["pub_nacl_in_https"] = t_ec2.NetworkAclEntry(
title="PubNaclInHttps",
NetworkAclId=Ref(self.public_nacl),
Egress=False,
RuleNumber=221,
CidrBlock="0.0.0.0/0",
Protocol=6,
PortRange=t_ec2.PortRange(From=443, To=443),
RuleAction="allow",
)
self._r["pub_nacl_in_nat_tcp"] = t_ec2.NetworkAclEntry(
title="PubNaclInNatTcp",
NetworkAclId=Ref(self.public_nacl),
Egress=False,
RuleNumber=500,
CidrBlock="0.0.0.0/0",
Protocol=6,
PortRange=t_ec2.PortRange(From=1024, To=65535),
RuleAction="allow",
)
self._r["pub_nacl_in_nat_udp"] = t_ec2.NetworkAclEntry(
title="PubNaclInNatUdp",
NetworkAclId=Ref(self.public_nacl),
Egress=False,
RuleNumber=501,
CidrBlock="0.0.0.0/0",
Protocol=17,
PortRange=t_ec2.PortRange(From=1024, To=65535),
RuleAction="allow",
)
# Network ACL for private subnets
self._r["InternalNacl"] = t_ec2.NetworkAcl(
title="InternalNacl",
VpcId=Ref(self.vpc),
Tags=[{
"Key": "Name",
"Value": "Private"
}],
)
self.internal_nacl = self._r["InternalNacl"]
self._r["internal_nacl_out_all"] = t_ec2.NetworkAclEntry(
title="InternalNaclOutAll",
NetworkAclId=Ref(self.internal_nacl),
Egress=True,
RuleNumber=500,
CidrBlock="0.0.0.0/0",
Protocol=-1,
RuleAction="allow",
)
self._r["internal_nacl_in_icmp"] = t_ec2.NetworkAclEntry(
title="InternalNaclInIcmp",
NetworkAclId=Ref(self.internal_nacl),
Egress=False,
RuleNumber=99,
CidrBlock="0.0.0.0/0",
Protocol=1,
Icmp=t_ec2.ICMP(Code=-1, Type=-1),
RuleAction="allow",
)
self._r["internal_nacl_in_vpc"] = t_ec2.NetworkAclEntry(
title="InternalNaclInVpc",
NetworkAclId=Ref(self.internal_nacl),
Egress=False,
RuleNumber=100,
CidrBlock=GetAtt(self.vpc, "CidrBlock"),
Protocol=-1,
RuleAction="allow",
)
for index, cidr_block in enumerate(self.internal_networks):
self._r[
f"internal_nacl_in_internal_{index}"] = t_ec2.NetworkAclEntry(
title=f"InternalNaclInInternal{index}",
NetworkAclId=Ref(self.internal_nacl),
Egress=False,
RuleNumber=101 + index,
CidrBlock=cidr_block,
Protocol=-1,
RuleAction="allow",
)
self._r["internal_nacl_in_nat_tcp"] = t_ec2.NetworkAclEntry(
title="InternalNaclInNatTcp",
NetworkAclId=Ref(self.internal_nacl),
Egress=False,
RuleNumber=500,
CidrBlock="0.0.0.0/0",
Protocol=6,
PortRange=t_ec2.PortRange(From=1024, To=65535),
RuleAction="allow",
)
self._r["internal_nacl_in_nat_udp"] = t_ec2.NetworkAclEntry(
title="InternalNaclInNatUdp",
NetworkAclId=Ref(self.internal_nacl),
Egress=False,
RuleNumber=501,
CidrBlock="0.0.0.0/0",
Protocol=17,
PortRange=t_ec2.PortRange(From=1024, To=65535),
RuleAction="allow",
)
def configure(self):
self.vpc_metadata = constants.ENVIRONMENTS[self.env]['vpc']
self.set_description('VPC, Routes, Base Security Groups, and NATs')
common_vpc_tags = [ec2.Tag('Name', self.env)
] + self.get_tags(service_override='VPC')
_vpc = self.add_resource(
ec2.VPC('VPC',
CidrBlock=self.vpc_metadata['cidrblock'],
EnableDnsSupport=True,
EnableDnsHostnames=True,
Tags=common_vpc_tags))
_dhcp_options = self.add_resource(
ec2.DHCPOptions('DHCPOptions',
DomainName="node.{}.{}".format(
self.env, constants.TAG),
DomainNameServers=['AmazonProvidedDNS'],
Tags=common_vpc_tags))
self.add_resource(
ec2.VPCDHCPOptionsAssociation('VPCDHCPOptionsAssociation',
DhcpOptionsId=Ref(_dhcp_options),
VpcId=Ref(_vpc)))
_internet_gateway = self.add_resource(
ec2.InternetGateway('InternetGateway',
Tags=self.get_tags(
service_override='InternetGateway',
role_override='InternetGateway')))
self.add_resource(
ec2.VPCGatewayAttachment('AttachInternetGateway',
VpcId=Ref(_vpc),
InternetGatewayId=Ref(_internet_gateway)))
# route_tables stores all ec2.RouteTables generated and adds them to
# a private vpc s3 endpoint
route_tables = []
_public_route_table = self.add_resource(
ec2.RouteTable('PublicRouteTable',
VpcId=Ref(_vpc),
Tags=self.get_tags(
service_override='PublicRouteTable',
role_override='PublicRouteTable')))
route_tables.append(_public_route_table)
# Public Subnet Routes and ACLs
self.add_resource(
ec2.Route('PublicRoute',
RouteTableId=Ref(_public_route_table),
DestinationCidrBlock='0.0.0.0/0',
GatewayId=Ref(_internet_gateway)))
_public_network_acl = self.add_resource(
ec2.NetworkAcl('PublicNetworkAcl',
VpcId=Ref(_vpc),
Tags=self.get_tags(
service_override='PublicNetworkAcl',
role_override='PublicNetworkAcl')))
self.add_resource(
ec2.NetworkAclEntry('IngressPublicNetworkAclEntry',
NetworkAclId=Ref(_public_network_acl),
RuleNumber=100,
Protocol='-1',
RuleAction='allow',
Egress=False,
CidrBlock='0.0.0.0/0',
PortRange=ec2.PortRange(From=1, To=65535)))
self.add_resource(
ec2.NetworkAclEntry('EgressPublicNetworkAclEntry',
NetworkAclId=Ref(_public_network_acl),
RuleNumber=101,
Protocol='-1',
RuleAction='allow',
Egress=True,
CidrBlock='0.0.0.0/0',
PortRange=ec2.PortRange(From=1, To=65535)))
# Private Network ACLs
_private_network_acl = self.add_resource(
ec2.NetworkAcl('PrivateNetworkAcl',
VpcId=Ref(_vpc),
Tags=self.get_tags(
service_override='PrivateNetworkAcl',
role_override='PrivateNetworkAcl')))
self.add_resource(
ec2.NetworkAclEntry('IngressPrivateNetworkAclEntry',
NetworkAclId=Ref(_private_network_acl),
RuleNumber=100,
Protocol='-1',
RuleAction='allow',
Egress=False,
CidrBlock='0.0.0.0/0',
PortRange=ec2.PortRange(From=1, To=65535)))
self.add_resource(
ec2.NetworkAclEntry('EgressPrivateNetworkAclEntry',
NetworkAclId=Ref(_private_network_acl),
RuleNumber=101,
Protocol='-1',
RuleAction='allow',
Egress=True,
CidrBlock='0.0.0.0/0',
PortRange=ec2.PortRange(From=1, To=65535)))
# Default security groups - referenced by name by constants/default-security-groups
# _nat_security_group = self.add_resource(
# ec2.SecurityGroup(
# 'NATSecurityGroup',
# VpcId=Ref(_vpc),
# GroupDescription='Security Group for NAT Instances',
# SecurityGroupIngress=[
# {'IpProtocol': '-1', 'FromPort': 1, 'ToPort': 65535, 'CidrIp': self.vpc_metadata['cidrblock']},
# {'IpProtocol': '-1', 'FromPort': 1, 'ToPort': 65535, 'CidrIp': '10.0.0.0/8'}
# ],
# Tags=self.get_tags(service_override='NAT', role_override='NAT-SecurityGroup')
# )
# )
# _consul_security_group = self.add_resource(
# ec2.SecurityGroup(
# 'ConsulSecurityGroup',
# VpcId=Ref(_vpc),
# GroupDescription='Security Group for Consul access',
# SecurityGroupIngress=[
# {'IpProtocol': 'tcp', 'FromPort': 8300, 'ToPort': 8302, 'CidrIp': '10.0.0.0/8'}, # consul server rpc/serf
# {'IpProtocol': 'udp', 'FromPort': 8300, 'ToPort': 8302, 'CidrIp': '10.0.0.0/8'}, # consul server rpc/serf
# {'IpProtocol': 'tcp', 'FromPort': 8400, 'ToPort': 8400, 'CidrIp': '10.0.0.0/8'}, # consul client rpc
# {'IpProtocol': 'tcp', 'FromPort': 8500, 'ToPort': 8500, 'CidrIp': '10.0.0.0/8'}, # consul http
# {'IpProtocol': 'tcp', 'FromPort': 8600, 'ToPort': 8600, 'CidrIp': '10.0.0.0/8'}, # consul dns
# {'IpProtocol': 'udp', 'FromPort': 8600, 'ToPort': 8600, 'CidrIp': '10.0.0.0/8'} # consul dns
# ],
# Tags=[
# ec2.Tag('ivy:team', self.TEAM['email']),
# ec2.Tag('ivy:environment', self.env),
# ec2.Tag('ivy:service', 'Consul'),
# ec2.Tag('ivy:role', 'Consul-SecurityGroup')
# ]
# )
# )
# _ssh_security_group = self.add_resource(
# ec2.SecurityGroup(
# 'InternalSecurityGroup',
# VpcId=Ref(_vpc),
# GroupDescription='Internal Rules',
# SecurityGroupIngress=[
# {'IpProtocol': 'icmp', 'FromPort': -1, 'ToPort': -1, 'CidrIp': '10.0.0.0/8'},
# {'IpProtocol': 'tcp', 'FromPort': 22, 'ToPort': 22, 'CidrIp': '10.0.0.0/8'}
# ],
# SecurityGroupEgress=[
# {'IpProtocol': '-1', 'FromPort': 0, 'ToPort': 65535, 'CidrIp': '0.0.0.0/0'}
# ],
# Tags=[
# ec2.Tag('ivy:team', self.TEAM['email']),
# ec2.Tag('ivy:environment', self.env),
# ec2.Tag('ivy:service', 'infrastructure'),
# ec2.Tag('ivy:role', 'internal')
# ]
# )
# )
#
# self.add_security_group(Ref(_nat_security_group), Ref(_consul_security_group), Ref(_ssh_security_group))
## This sets up all private and public AZs
for index, zone in enumerate(self.vpc_metadata['zones'], 1):
_public_subnet = self.add_resource(
ec2.Subnet(
'PublicSubnet{}'.format(index),
VpcId=Ref(_vpc),
CidrBlock=zone['public-cidrblock'],
AvailabilityZone=zone['availability-zone'],
MapPublicIpOnLaunch=True,
Tags=self.get_tags(
service_override='PublicSubnet',
role_override='PublicSubnet{}'.format(index)) +
[
ec2.Tag('Name', '{}-PublicSubnet{}'.format(
self.env, index))
]))
self.add_resource(
ec2.SubnetRouteTableAssociation(
'PublicSubnetRouteTableAssociation{}'.format(index),
SubnetId=Ref(_public_subnet),
RouteTableId=Ref(_public_route_table)))
self.add_resource(
ec2.SubnetNetworkAclAssociation(
'PublicSubnetNetworkAclAssociation{}'.format(index),
SubnetId=Ref(_public_subnet),
NetworkAclId=Ref(_public_network_acl)))
# Allow VPCs with no private subnets (save money on NAT instances for VPCs with only public instances)
if zone.get('private-cidrblock'):
_private_subnet = self.add_resource(
ec2.Subnet(
'PrivateSubnet{}'.format(index),
VpcId=Ref(_vpc),
CidrBlock=zone['private-cidrblock'],
AvailabilityZone=zone['availability-zone'],
Tags=self.get_tags(
service_override='PrivateSubnet',
role_override='PrivateSubnet{}'.format(index)) + [
ec2.Tag(
'Name', '{}-PrivateSubnet{}'.format(
self.env, index))
]))
# Private subnets get their own route table for AZ-specific NATs
_private_route_table = self.add_resource(
ec2.RouteTable(
'PrivateRouteTable{}'.format(index),
VpcId=Ref(_vpc),
Tags=self.get_tags(
service_override='PrivateRouteTable',
role_override='PrivateRouteTable{}'.format(
index))))
route_tables.append(_private_route_table)
# Create an EIP to be used with the NAT instance or gateway
_nat_eip = self.add_resource(
ec2.EIP('NATInstanceEIP{}'.format(index), Domain='vpc'))
# Use VPC NAT Gateway
_nat_gw = self.add_resource(
ec2.NatGateway('NATGateway{}'.format(index),
AllocationId=GetAtt(_nat_eip,
"AllocationId"),
SubnetId=Ref(_public_subnet)))
# Create a route via the NAT GW for the private route table
self.add_resource(
ec2.Route('PrivateRoute{}'.format(index),
RouteTableId=Ref(_private_route_table),
DestinationCidrBlock='0.0.0.0/0',
NatGatewayId=Ref(_nat_gw)))
self.add_resource(
ec2.SubnetRouteTableAssociation(
'PrivateSubnetRouteTableAssociation{}'.format(index),
SubnetId=Ref(_private_subnet),
RouteTableId=Ref(_private_route_table)))
self.add_resource(
ec2.SubnetNetworkAclAssociation(
'PrivateSubnetNetworkAclAssociation{}'.format(index),
SubnetId=Ref(_private_subnet),
NetworkAclId=Ref(_private_network_acl)))
# use route_table to create a VPC S3 endpoint
self.add_resource(
ec2.VPCEndpoint('S3VPCEndpoint',
RouteTableIds=[Ref(rt) for rt in route_tables],
ServiceName='com.amazonaws.{}.s3'.format(
self.region),
VpcId=Ref(_vpc)))
ec2.SubnetRouteTableAssociation('HyP3PrivateRouteAssociation',
SubnetId=Ref(restricted_subnet),
RouteTableId=Ref(public_route_table)))
local_cidr_range = t.add_parameter(
Parameter(
"ApiCidrRange",
Description=("The IP range the hyp3 stack will be accessible from. "
"Default is to allow traffic from anywhere."),
Type="String",
Default="0.0.0.0/0",
AllowedPattern=r"((\d{1,3})\.){3}\d{1,3}/\d{1,2}",
ConstraintDescription="Valid CIDR IP range"))
local_network_acl = t.add_resource(
ec2.NetworkAcl('LocalNetworkAcl', VpcId=Ref(hyp3_vpc)))
inter_vpc_entry = t.add_resource(
ec2.NetworkAclEntry('InterVPCAclEntry',
NetworkAclId=Ref(local_network_acl),
CidrBlock=GetAtt(hyp3_vpc, "CidrBlock"),
Protocol=-1,
RuleAction="allow",
RuleNumber=200,
Egress=False))
local_acl_entry = t.add_resource(
ec2.NetworkAclEntry('LocalAclEntry',
NetworkAclId=Ref(local_network_acl),
CidrBlock=Ref(local_cidr_range),
Protocol=-1,
ToPort='80',
CidrIp='0.0.0.0/0'),
ec2.SecurityGroupRule(
IpProtocol='tcp',
FromPort='443',
ToPort='443',
CidrIp='0.0.0.0/0')
],
VpcId=Ref(stack_vpc),
Tags=Tags(Name='PublicSecurityGroup')
))
# network acls
public_subnet_acl = t.add_resource(ec2.NetworkAcl(
'PublicACL',
VpcId=Ref(stack_vpc),
Tags=Tags(Name='PublicACL')
))
subnetNetworkAclAssociation = t.add_resource(ec2.SubnetNetworkAclAssociation(
'SubnetNetworkAclAssociation',
SubnetId=Ref(subnet_public),
NetworkAclId=Ref(public_subnet_acl),
))
# outbound acls for Public network
t.add_resource(ec2.NetworkAclEntry(
'sshOutbound',
NetworkAclId=Ref(public_subnet_acl),
RuleNumber='90',
Protocol='6',
def configure_vpc(config, template):
stack = config['stack']
region = config['region']
public_subnets = []
private_subnets = []
vpcs_file = read_yaml_file('configuration/vpcs.yaml')
vpcs = vpcs_file['vpcs']
connections = vpcs_file['connections']
eips = read_yaml_file('configuration/eips.yaml')
if stack not in vpcs:
sys.stderr.write('%s: not found in vpcs\n' % stack)
sys.exit(1)
if stack not in eips:
sys.stderr.write('%s: not found in eips; execute "bin/manage-eips"\n' %
stack)
sys.exit(1)
vpc = template.add_resource(
ec2.VPC(
'VPC',
CidrBlock=vpcs[stack]['cidr'],
InstanceTenancy='default',
Tags=Tags(Name=config['description'], ),
))
internet_gateway = template.add_resource(
ec2.InternetGateway(
'InternetGateway',
Tags=Tags(Name=config['description'], ),
))
internet_gateway_attachment = template.add_resource(
ec2.VPCGatewayAttachment(
'InternetGatewayAttachment',
VpcId=Ref(vpc),
InternetGatewayId=Ref(internet_gateway),
# DeletionPolicy='Retain',
))
public_route_table = template.add_resource(
ec2.RouteTable(
'PublicRouteTable',
VpcId=Ref(vpc),
Tags=Tags(Name='%s - Public Routing Table' % stack, ),
))
private_route_table = template.add_resource(
ec2.RouteTable(
'PrivateRouteTable',
VpcId=Ref(vpc),
Tags=Tags(Name='%s - Private Routing Table' % stack, ),
))
# default public subnet route is through the Internet Gateway
default_public_route = template.add_resource(
ec2.Route(
'DefaultPublicRoute',
GatewayId=Ref(internet_gateway),
DestinationCidrBlock='0.0.0.0/0',
RouteTableId=Ref(public_route_table),
DependsOn=Name(internet_gateway_attachment),
))
network_acl = template.add_resource(
ec2.NetworkAcl(
'NetworkAcl',
VpcId=Ref(vpc),
Tags=Tags(Name=config['description'], ),
))
# It's standard practice to leave Network ACL's completely permissive
# (not to be confused with SecurityGroups)
template.add_resource(
ec2.NetworkAclEntry(
'NetworkAclEntryIngressFromVpc',
Protocol='-1',
RuleNumber='100',
CidrBlock='0.0.0.0/0',
Egress=False,
RuleAction='allow',
NetworkAclId=Ref(network_acl),
))
template.add_resource(
ec2.NetworkAclEntry(
'NetworkAclEntryEgress',
Protocol='-1',
RuleNumber='100',
CidrBlock='0.0.0.0/0',
Egress=True,
RuleAction='allow',
NetworkAclId=Ref(network_acl),
))
for subnet_config in config['subnets']:
if subnet_config['public']:
subnet_list = public_subnets
subnet_route_table = public_route_table
label = 'PublicSubnet'
else:
subnet_list = private_subnets
subnet_route_table = private_route_table
label = 'PrivateSubnet'
label += subnet_config['zone'].upper()
subnet = template.add_resource(
ec2.Subnet(
label,
VpcId=Ref(vpc),
AvailabilityZone=region + subnet_config['zone'],
CidrBlock=subnet_config['cidr'],
Tags=Tags(
Name='%s %s' % (config['description'], label),
IsPublic=subnet_config['public'],
),
))
subnet_list.append({
'label': label,
'object': subnet,
'config': subnet_config,
})
template.add_resource(
ec2.SubnetRouteTableAssociation(
'SubnetRouteTableAssociation%s' % label,
SubnetId=Ref(subnet),
RouteTableId=Ref(subnet_route_table),
))
template.add_resource(
ec2.SubnetNetworkAclAssociation(
'SubnetAclAssociation%s' % label,
SubnetId=Ref(subnet),
NetworkAclId=Ref(network_acl),
))
if 'create_s3_endpoint' in config and config['create_s3_endpoint']:
s3_endpoint = template.add_resource(
ec2.VPCEndpoint(
'S3Endpoint',
RouteTableIds=[Ref(private_route_table)],
PolicyDocument={
'Version':
'2012-10-17',
'Statement': [{
'Action': '*',
'Effect': 'Allow',
'Resource': '*',
'Principal': '*'
}]
},
VpcId=Ref(vpc),
ServiceName='com.amazonaws.' + region + '.s3',
))
DestinationCidrBlock="0.0.0.0/0",
NatGatewayId=Ref("NATGateway1")),
# Associate private subnet 1B with the route table
"PrivateSubnet1BRouteTableAssociation":
ec2.SubnetRouteTableAssociation(
"PrivateSubnet1BRouteTableAssociation",
Condition="CreatePrivateSubnet1BCondition",
DependsOn="PrivateSubnet1BRoute",
SubnetId=Ref("PrivateSubnet1B"),
RouteTableId=Ref("PrivateSubnet1BRouteTable")),
# Create A NACL for Private Subnet 1B
"PrivateSubnet1BNetworkAcl":
ec2.NetworkAcl(
"PrivateSubnet1BNetworkAcl",
Condition="CreatePrivateSubnet1BCondition",
VpcId=Ref("VPC"),
Tags=Tags(IoCluster=Ref("AWS::StackName"),
Name=Join("-",
[Ref("AWS::StackName"), "NACLPrivateSubnet1B"]))),
# Create Inbound rules for NACL connected to Private Subnet 1B
"PrivateSubnet1BNetworkAclEntryInbound":
ec2.NetworkAclEntry("PrivateSubnet1BNetworkAclEntryInbound",
Condition="CreatePrivateSubnet1BCondition",
CidrBlock="10.0.0.0/16",
Egress="true",
NetworkAclId=Ref("PrivateSubnet1BNetworkAcl"),
Protocol="-1",
RuleAction="allow",
RuleNumber="100"),
# Associate the created NACL with the Private Subnet 1B
def sg_subnet_vpc(self, template, provision_refs):
ref_stack_id = Ref('AWS::StackId')
if 'aws_vpc_id' in self.app.config['provision']:
vpc = self.app.config['provision']['aws_vpc_id']
use_subnet = self.app.config['provision']['aws_subnet_id']
use_subnet2 = self.app.config['provision']['aws_subnet2_id']
use_sg = self.app.config['provision']['aws_sg_id']
use_alb_sg = self.app.config['provision']['alb_sg_id']
self.app.log.info(
'Using your AWS subnet, make sure the routes and ports are configured correctly'
)
else:
vpc = Ref(
template.add_resource(
ec2.VPC('VPC',
CidrBlock='10.0.0.0/16',
Tags=Tags(Application=ref_stack_id))))
internet_gateway = template.add_resource(
ec2.InternetGateway('InternetGateway',
Tags=Tags(Application=ref_stack_id)))
template.add_resource(
ec2.VPCGatewayAttachment(
'AttachGateway',
VpcId=vpc,
InternetGatewayId=Ref(internet_gateway)))
route_table = template.add_resource(
ec2.RouteTable('RouteTable',
VpcId=vpc,
Tags=Tags(Application=ref_stack_id)))
subnet = template.add_resource(
ec2.Subnet('Subnet',
CidrBlock='10.0.0.0/24',
VpcId=vpc,
AvailabilityZone=Select(0, GetAZs("")),
Tags=Tags(Application=ref_stack_id)))
subnet2 = template.add_resource(
ec2.Subnet('Subnet2',
CidrBlock='10.0.1.0/24',
VpcId=vpc,
AvailabilityZone=Select(1, GetAZs("")),
Tags=Tags(Application=ref_stack_id)))
template.add_resource(
ec2.Route(
'Route',
DependsOn='AttachGateway',
GatewayId=Ref('InternetGateway'),
DestinationCidrBlock='0.0.0.0/0',
RouteTableId=Ref(route_table),
))
template.add_resource(
ec2.SubnetRouteTableAssociation(
'SubnetRouteTableAssociation',
SubnetId=Ref(subnet),
RouteTableId=Ref(route_table),
))
template.add_resource(
ec2.SubnetRouteTableAssociation(
'Subnet2RouteTableAssociation',
SubnetId=Ref(subnet2),
RouteTableId=Ref(route_table),
))
network_acl = template.add_resource(
ec2.NetworkAcl(
'NetworkAcl',
VpcId=vpc,
Tags=Tags(Application=ref_stack_id),
))
template.add_resource(
ec2.NetworkAclEntry(
'InboundSSHNetworkAclEntry',
NetworkAclId=Ref(network_acl),
RuleNumber='100',
Protocol='6',
PortRange=ec2.PortRange(From='22', To='22'),
Egress='false',
RuleAction='allow',
CidrBlock='0.0.0.0/0',
))
template.add_resource(
ec2.NetworkAclEntry(
'InboundResponsePortsNetworkAclEntry',
NetworkAclId=Ref(network_acl),
RuleNumber='101',
Protocol='6',
PortRange=ec2.PortRange(From='1024', To='65535'),
Egress='false',
RuleAction='allow',
CidrBlock='0.0.0.0/0',
))
template.add_resource(
ec2.NetworkAclEntry(
'InboundICMPNetworkAclEntry',
NetworkAclId=Ref(network_acl),
RuleNumber='102',
Protocol='1',
Icmp=ec2.ICMP(Code=-1, Type=-1),
Egress='false',
RuleAction='allow',
CidrBlock='0.0.0.0/0',
))
# Only used when Blockscout is deployed
template.add_resource(
ec2.NetworkAclEntry(
'InboundHttpsNetworkAclEntry',
NetworkAclId=Ref(network_acl),
RuleNumber='103',
Protocol='6',
PortRange=ec2.PortRange(From='443', To='443'),
Egress='false',
RuleAction='allow',
CidrBlock='0.0.0.0/0',
))
template.add_resource(
ec2.NetworkAclEntry(
'OutBoundHTTPNetworkAclEntry',
NetworkAclId=Ref(network_acl),
RuleNumber='100',
Protocol='6',
PortRange=ec2.PortRange(From='80', To='80'),
Egress='true',
RuleAction='allow',
CidrBlock='0.0.0.0/0',
))
template.add_resource(
ec2.NetworkAclEntry(
'OutBoundHTTPSNetworkAclEntry',
NetworkAclId=Ref(network_acl),
RuleNumber='101',
Protocol='6',
PortRange=ec2.PortRange(From='443', To='443'),
Egress='true',
RuleAction='allow',
CidrBlock='0.0.0.0/0',
))
template.add_resource(
ec2.NetworkAclEntry(
'OutBoundResponsePortsNetworkAclEntry',
NetworkAclId=Ref(network_acl),
RuleNumber='102',
Protocol='6',
PortRange=ec2.PortRange(From='1024', To='65535'),
Egress='true',
RuleAction='allow',
CidrBlock='0.0.0.0/0',
))
template.add_resource(
ec2.NetworkAclEntry(
'OutboundICMPNetworkAclEntry',
NetworkAclId=Ref(network_acl),
RuleNumber='103',
Protocol='1',
Icmp=ec2.ICMP(Code=-1, Type=-1),
Egress='true',
RuleAction='allow',
CidrBlock='0.0.0.0/0',
))
template.add_resource(
ec2.SubnetNetworkAclAssociation(
'SubnetNetworkAclAssociation',
SubnetId=Ref(subnet),
NetworkAclId=Ref(network_acl),
))
template.add_resource(
ec2.SubnetNetworkAclAssociation(
'Subnet2NetworkAclAssociation',
SubnetId=Ref(subnet2),
NetworkAclId=Ref(network_acl),
))
use_subnet = Ref(subnet)
use_subnet2 = Ref(subnet2)
alb_security_group = template.add_resource(
ec2.SecurityGroup(
'ALBSecurityGroup',
GroupDescription=
'ALB allows traffic from public, is used to terminate SSL',
SecurityGroupIngress=[
ec2.SecurityGroupRule(IpProtocol='tcp',
FromPort='46658',
ToPort='46658',
CidrIp='0.0.0.0/0'),
],
VpcId=vpc,
))
use_alb_sg = Ref(alb_security_group)
instance_security_group = template.add_resource(
ec2.SecurityGroup(
'InstanceSecurityGroup',
GroupDescription='Enable tendermint and SSH for all nodes',
SecurityGroupIngress=[
ec2.SecurityGroupRule(IpProtocol='tcp',
FromPort='22',
ToPort='22',
CidrIp='0.0.0.0/0'),
ec2.SecurityGroupRule(IpProtocol='tcp',
FromPort='46656',
ToPort='46656',
CidrIp='0.0.0.0/0'),
ec2.SecurityGroupRule(IpProtocol='tcp',
FromPort='46658',
ToPort='46658',
CidrIp='0.0.0.0/0'),
ec2.SecurityGroupRule(IpProtocol='icmp',
FromPort='-1',
ToPort='-1',
CidrIp='0.0.0.0/0'),
],
VpcId=vpc,
))
use_sg = Ref(instance_security_group)
provision_refs.vpc = vpc
provision_refs.security_group_ec2 = use_sg
provision_refs.security_group_alb = use_alb_sg
provision_refs.subnets.append(use_subnet)
provision_refs.subnets.append(use_subnet2)
"S3Instance",
IamInstanceProfile=Ref(S3InstanceProfile),
ImageId=ami,
InstanceType="t2.micro",
KeyName=Ref(sshKey),
SecurityGroupIds=[Ref(S3SecurityGroup)],
SubnetId=Ref("Subnet4"),
Tags=Tags(Name=Join("", [Ref(name), "-S3-instance"])),
)
)
# Public NACL
nacl = t.add_resource(
ec2.NetworkAcl(
"NACL",
VpcId=Ref(vpc),
Tags=Tags(Name=Join("", [Ref(name), "-NACL-PUBLIC"])),
)
)
naclIN = t.add_resource(
ec2.NetworkAclEntry(
"InboundDeny",
CidrBlock="0.0.0.0/0",
NetworkAclId=Ref(nacl),
Protocol=-1,
RuleAction="deny",
RuleNumber=10,
)
)
def create_network(self):
t = self.template
variables = self.get_variables()
self.create_gateway()
t.add_resource(ec2.NetworkAcl('DefaultACL', VpcId=VPC_ID))
self.create_nat_security_groups()
subnets = {'public': [], 'private': []}
net_types = subnets.keys()
zones = []
for i in range(variables["AZCount"]):
az = Select(i, GetAZs(""))
zones.append(az)
name_suffix = i
for net_type in net_types:
name_prefix = net_type.capitalize()
subnet_name = "%sSubnet%s" % (name_prefix, name_suffix)
subnets[net_type].append(subnet_name)
t.add_resource(
ec2.Subnet(subnet_name,
AvailabilityZone=az,
VpcId=VPC_ID,
DependsOn=GW_ATTACH,
CidrBlock=variables.get("%sSubnets" %
name_prefix)[i],
Tags=Tags(type=net_type)))
route_table_name = "%sRouteTable%s" % (name_prefix,
name_suffix)
t.add_resource(
ec2.RouteTable(route_table_name,
VpcId=VPC_ID,
Tags=[ec2.Tag('type', net_type)]))
t.add_resource(
ec2.SubnetRouteTableAssociation(
"%sRouteTableAssociation%s" %
(name_prefix, name_suffix),
SubnetId=Ref(subnet_name),
RouteTableId=Ref(route_table_name)))
route_name = '%sRoute%s' % (name_prefix, name_suffix)
if net_type == 'public':
# the public subnets are where the NAT instances live,
# so their default route needs to go to the AWS
# Internet Gateway
t.add_resource(
ec2.Route(route_name,
RouteTableId=Ref(route_table_name),
DestinationCidrBlock="0.0.0.0/0",
GatewayId=Ref(GATEWAY)))
self.create_nat_instance(i, subnet_name)
else:
# Private subnets are where actual instances will live
# so their gateway needs to be through the nat instances
route = ec2.Route(
route_name,
RouteTableId=Ref(route_table_name),
DestinationCidrBlock='0.0.0.0/0',
)
if variables["UseNatGateway"]:
route.NatGatewayId = Ref(NAT_GATEWAY_NAME %
name_suffix)
else:
route.InstanceId = Ref(NAT_INSTANCE_NAME % name_suffix)
t.add_resource(route)
for net_type in net_types:
t.add_output(
Output("%sSubnets" % net_type.capitalize(),
Value=Join(",", [Ref(sn) for sn in subnets[net_type]])))
for i, sn in enumerate(subnets[net_type]):
t.add_output(
Output("%sSubnet%d" % (net_type.capitalize(), i),
Value=Ref(sn)))
self.template.add_output(
Output("AvailabilityZones", Value=Join(",", zones)))
for i, az in enumerate(zones):
t.add_output(Output("AvailabilityZone%d" % (i), Value=az))
GatewayId=Ref('InternetGateway'),
DestinationCidrBlock=ALLOW_ALL_CIDR,
RouteTableId=Ref(routeTable),
))
subnetRouteTableAssociation = t.add_resource(
ec2.SubnetRouteTableAssociation(
'SubnetRouteTableAssociation',
SubnetId=Ref(subnet),
RouteTableId=Ref(routeTable),
))
networkAcl = t.add_resource(
ec2.NetworkAcl(
'NetworkAcl',
VpcId=Ref(VPC),
Tags=Tags(
Application=ref_stack_id),
))
inBoundPrivateNetworkAclEntry = t.add_resource(
ec2.NetworkAclEntry(
'InboundHTTPNetworkAclEntry',
NetworkAclId=Ref(networkAcl),
RuleNumber='100',
Protocol='6',
PortRange=ec2.PortRange(To='80', From='80'),
Egress='false',
RuleAction='allow',
CidrBlock=ALLOW_ALL_CIDR,
))
