ECSAutoScalingGroup = t.add_resource(
AutoScalingGroup(
"ECSAutoScalingGroup",
DesiredCapacity="1",
MinSize="1",
MaxSize="1",
VPCZoneIdentifier=["subnet-72849a0a", "subnet-72849a08"],
AvailabilityZones=["eu-west-1a", "eu-west-1b"],
LaunchConfigurationName=Ref("ContainerInstances"),
)
)
EC2InstanceProfile = t.add_resource(
InstanceProfile(
"EC2InstanceProfile",
Path="/",
Roles=[Ref("EcsClusterRole")],
)
)
EcsClusterRole = t.add_resource(
Role(
"EcsClusterRole",
Path="/",
ManagedPolicyArns=["arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM"],
AssumeRolePolicyDocument={
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {"Service": "ec2.amazonaws.com"},
)
]),
Path="/",
Policies=[IAMPolicy(
"PugPolicy",
PolicyName="PugPolicy",
PolicyDocument=Policy(
Statement=[
Statement(Effect=Allow, Action=[Action("s3", "*")],
Resource=["arn:aws:s3:::cpug/*"])
]
))]))
instance_profile = template.add_resource(InstanceProfile(
"PugInstanceProfile",
Path="/",
Roles=[{"Ref": "PugRole"}]
))
user_data = """#!/bin/bash
# install web server
yum install httpd -y
aws s3 cp s3://cpug/image.png /var/www/icons/image.png
echo "<img src='../icons/image.png'>" > /var/www/html/index.html
service httpd start"""
ec2_instance = template.add_resource(ec2.Instance(
"Ec2Instance",
ImageId="ami-11032472",
InstanceType="t2.micro",
KeyName="cpug",
t.add_resource(Role(
"Role",
AssumeRolePolicyDocument=Policy(
Statement=[
Statement(
Effect=Allow,
Action=[AssumeRole],
Principal=Principal("Service", ["ec2.amazonaws.com"])
)
]
)
))
t.add_resource(InstanceProfile(
"InstanceProfile",
Path="/",
Roles=[Ref("Role")]
))
t.add_resource(ec2.Instance(
"instance",
ImageId="ami-05b3bcf7f311194b3",
InstanceType="t2.micro",
SecurityGroups=[Ref("SecurityGroup")],
KeyName=Ref("KeyPair"),
UserData=ud,
IamInstanceProfile=Ref("InstanceProfile"),
))
t.add_resource(IAMPolicy(
PolicyDocument={
"Version":
"2012-10-17",
"Statement": [{
"Sid":
"Stmt1429136633762",
"Action":
["s3:ListObjects", "s3:GetObject"],
"Effect":
"Allow",
"Resource":
[bucket_arn, bucket_arn + "/*"]
}]
},
Roles=[Ref(example_role)])
example_instance_profile = InstanceProfile("ExampleInstanceProfile",
Roles=[Ref(example_role)])
template.add_resource(example_role)
template.add_resource(example_policy)
template.add_resource(example_instance_profile)
alb_security_group = SecurityGroup("albsecuritygroupingress",
GroupDescription="ALB HTTPS Ingress",
VpcId=Ref(vpc_id),
SecurityGroupIngress=[
SecurityGroupIngress(
"albsecuritygroupingress",
CidrIp="0.0.0.0/0",
IpProtocol="tcp",
FromPort="443",
ToPort="443")
])
def add_resources(self):
self.runner_ssm_role = self.template.add_resource(
Role(
"RunnerSsmRole",
Path="/",
ManagedPolicyArns=[
"arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
],
AssumeRolePolicyDocument=aws.Policy(Statement=[
Statement(
Action=[sts.AssumeRole],
Effect=Allow,
Principal=Principal("Service", ["ec2.amazonaws.com"]),
)
]),
))
self.runner_ssm_instanceprofile = self.template.add_resource(
InstanceProfile("RunnerSsmInstanceProfile",
Path="/",
Roles=[Ref(self.runner_ssm_role)]))
self.runner_launch_config = self.template.add_resource(
LaunchConfiguration(
"RunnerLaunchConfiguration",
UserData=Base64(
Join(
"",
[
"#!/bin/bash\n",
"#####install ssm######\n",
"yum install -y amazon-ssm-agent\n",
"systemctl enable amazon-ssm-agent\n",
"systemctl start amazon-ssm-agent\n",
"####install docker####\n",
"yum install -y docker\n",
"systemctl enable docker\n",
"systemctl start docker\n",
"####install runner####\n",
"yum install -y wget\n",
"wget -O /usr/local/bin/gitlab-runner ",
"https://gitlab-runner-downloads.s3.amazonaws.com/v",
Ref(self.runner_version),
"/binaries/gitlab-runner-linux-amd64\n",
"ln -s /usr/local/bin/gitlab-runner ",
"/usr/bin/gitlab-runner\n",
"chmod +x /usr/local/bin/gitlab-runner\n",
"useradd --comment 'GitLab Runner' ",
"--create-home gitlab-runner --shell /bin/bash\n",
"/usr/local/bin/gitlab-runner install ",
"--user=gitlab-runner "
"--working-directory=/home/gitlab-runner\n",
"systemctl enable gitlab-runner\n",
"systemctl start gitlab-runner\n",
"####register runner####\n",
"gitlab-runner register ",
"--config=/etc/gitlab-runner/config.toml ",
"--request-concurrency=",
Ref(self.runner_job_concurrency),
" ",
"--tag-list=",
Ref(self.runner_tag_list),
" ",
"--non-interactive ",
"--registration-token=",
Ref(self.runner_register_token),
" ",
"--run-untagged=true ",
"--locked=false ",
"--url=",
Ref(self.runner_gitlab_url),
" ",
"--executor=docker ",
"--docker-image=alpine:latest ",
"--docker-privileged=true\n",
"####create unregister script####\n",
"TOKEN=$(gitlab-runner list 2>&1 | grep Executor | ",
"awk '{ print $4 }' | awk -F= '{ print $2 }')\n",
"URL=$(gitlab-runner list 2>&1 | grep Executor | ",
"awk '{ print $5 }' | awk -F= '{ print $2 }')\n",
"echo gitlab-runner unregister ",
"--url $URL --token $TOKEN > /unregister.sh\n",
"chmod +x /unregister.sh",
],
)),
ImageId=Ref(self.runner_ami_id),
KeyName=Ref(self.runner_key_pair),
BlockDeviceMappings=[
BlockDeviceMapping(
DeviceName="/dev/xvda",
Ebs=EBSBlockDevice(
VolumeSize=Ref(self.runner_volume_size)),
)
],
SecurityGroups=[Ref(self.runner_security_group)],
InstanceType=Ref(self.runner_server_instance_type),
IamInstanceProfile=GetAtt(self.runner_ssm_instanceprofile,
"Arn"),
))
self.runner_autoscaling_group = self.template.add_resource(
AutoScalingGroup(
"RunnerAutoscalingGroup",
DesiredCapacity=Ref(self.runner_desired_count),
LaunchConfigurationName=Ref(self.runner_launch_config),
MinSize=Ref(self.runner_min_count),
MaxSize=Ref(self.runner_max_count),
VPCZoneIdentifier=Split(",", Ref(self.runner_subnets)),
Tags=[Tag("Name", "gitlab-runner-created-by-asg", True)],
))
def emit_configuration():
vpc = cfn.vpcs[0]
region = Ref("AWS::Region")
mesos_instance_class = template.add_parameter(
Parameter(
'MesosInstanceType',
Type='String',
Default='m3.large',
Description='Mesos instance type (for workers and masters)',
AllowedValues=cfn.usable_instances(),
ConstraintDescription='Instance size must be a valid instance type'
))
ingress_rules = [
SecurityGroupRule(IpProtocol=p[0],
CidrIp=DEFAULT_ROUTE,
FromPort=p[1],
ToPort=p[1])
for p in [('tcp', 22), ('tcp', 5050), ('tcp', 8080)]
]
mesos_security_group = template.add_resource(
SecurityGroup("Mesos",
GroupDescription="Security Group for Mesos instances",
VpcId=Ref(vpc),
SecurityGroupIngress=ingress_rules,
DependsOn=vpc.title))
# Allow any mesos instances to talk to each other
template.add_resource(
SecurityGroupIngress("MesosSelfIngress",
IpProtocol='-1',
FromPort=0,
ToPort=65535,
GroupId=Ref(mesos_security_group),
SourceSecurityGroupId=Ref(mesos_security_group),
DependsOn=mesos_security_group.title))
default_policy = json.loads(
cfn.load_template("default_policy.json.j2", {
"env": CLOUDENV,
"cloud": CLOUDNAME,
"region": "us-east-1"
}))
mesos_policy = json.loads(
cfn.load_template("mesos_policy.json.j2", {
"env": CLOUDENV,
"cloud": CLOUDNAME,
"region": "us-east-1"
}))
# IAM role here
iam_role = template.add_resource(
Role("MesosIamRole",
AssumeRolePolicyDocument=ASSUME_ROLE_POLICY,
Path="/",
Policies=[
Policy(PolicyName='MesosDefaultPolicy',
PolicyDocument=default_policy),
Policy(PolicyName='MesosIamPolicy',
PolicyDocument=mesos_policy)
],
DependsOn=vpc.title))
# Instance profile here
instance_profile = template.add_resource(
InstanceProfile("mesosInstanceProfile",
Path="/",
Roles=[Ref(iam_role)],
DependsOn=iam_role.title))
# UserData here
master_user_data = cfn.load_template("default-init.bash.j2", {
"env": CLOUDENV,
"cloud": CLOUDNAME,
"deploy": "mesos_master"
})
# LaunchConfiguration for master mesos
master_launch_configuration = template.add_resource(
LaunchConfiguration(
"MesosMasterLaunchConfiguration",
ImageId=FindInMap('RegionMap', region, int(cfn.Amis.INSTANCE)),
InstanceType=Ref(mesos_instance_class),
IamInstanceProfile=Ref(instance_profile),
KeyName=Ref(cfn.keyname),
SecurityGroups=[Ref(mesos_security_group)],
DependsOn=[instance_profile.title, mesos_security_group.title],
AssociatePublicIpAddress=False,
UserData=Base64(master_user_data)))
# Autoscaling Group for master Mesos
master_asg_name = '.'.join(['mesos-master', CLOUDNAME, CLOUDENV])
master_asg = template.add_resource(
AutoScalingGroup(
"MesosMasterASG",
AvailabilityZones=cfn.get_asg_azs(),
DesiredCapacity="3",
LaunchConfigurationName=Ref(master_launch_configuration),
MinSize="3",
MaxSize="3",
NotificationConfiguration=NotificationConfiguration(
TopicARN=Ref(cfn.alert_topic),
NotificationTypes=[
EC2_INSTANCE_TERMINATE, EC2_INSTANCE_LAUNCH,
EC2_INSTANCE_LAUNCH_ERROR, EC2_INSTANCE_TERMINATE_ERROR
]),
VPCZoneIdentifier=[
Ref(sn)
for sn in cfn.get_vpc_subnets(vpc, cfn.SubnetTypes.MASTER)
],
DependsOn=[
sn.title
for sn in cfn.get_vpc_subnets(vpc, cfn.SubnetTypes.MASTER)
]))
# Worker Mesos
worker_user_data = cfn.load_template("default-init.bash.j2", {
"env": CLOUDENV,
"cloud": CLOUDNAME,
"deploy": "mesos_slave"
})
worker_launch_configuration = template.add_resource(
LaunchConfiguration(
"MesosWorkerLaunchConfiguration",
ImageId=FindInMap('RegionMap', region, int(cfn.Amis.INSTANCE)),
InstanceType=Ref(mesos_instance_class),
IamInstanceProfile=Ref(instance_profile),
KeyName=Ref(cfn.keyname),
SecurityGroups=[Ref(mesos_security_group)],
DependsOn=[instance_profile.title, mesos_security_group.title],
AssociatePublicIpAddress=False,
UserData=Base64(worker_user_data)))
worker_asg_name = '.'.join(['mesos-worker', CLOUDNAME, CLOUDENV]),
worker_asg = template.add_resource(
AutoScalingGroup(
"MesosWorkerASG",
AvailabilityZones=cfn.get_asg_azs(),
DesiredCapacity="3",
LaunchConfigurationName=Ref(worker_launch_configuration),
MinSize="3",
MaxSize="12",
NotificationConfiguration=NotificationConfiguration(
TopicARN=Ref(cfn.alert_topic),
NotificationTypes=[
EC2_INSTANCE_TERMINATE, EC2_INSTANCE_LAUNCH,
EC2_INSTANCE_LAUNCH_ERROR, EC2_INSTANCE_TERMINATE_ERROR
]),
VPCZoneIdentifier=[
Ref(sn)
for sn in cfn.get_vpc_subnets(vpc, cfn.SubnetTypes.WORKER)
],
DependsOn=[
sn.title
for sn in cfn.get_vpc_subnets(vpc, cfn.SubnetTypes.WORKER)
]))
Statement=[
Statement(
Effect=Allow,
Action=[
Action("sts", "AssumeRole")
],
Principal=Principal("Service", "ec2.amazonaws.com")
)
]
),
Path='/',
))
myEC2RoleInstanceProfile = t.add_resource(InstanceProfile(
"myEC2RoleInstanceProfile",
Roles=[Ref(QAEC2RoleTrop)]
))
# Create a security group
instanceSecurityGroup = t.add_resource(
SecurityGroup(
"instanceSecurityGroup",
GroupDescription='Enable SSH access via port 22',
SecurityGroupIngress=[
# SecurityGroupRule(
# IpProtocol='tcp',
# FromPort='22',
# ToPort='22',
# CidrIp=Ref(sshlocation_param)),
SecurityGroupRule(
IpProtocol='tcp',
"Action": [
"cloudwatch:PutMetricData"
],
"Resource": "*"
}
]
})
]
)
)
EC2InstanceProfile = t.add_resource(
InstanceProfile(
"EC2InstanceProfile",
Roles=[Ref(EC2Role)],
Path="/",
)
)
# Create an autoscaling group
LaunchConfig = t.add_resource(LaunchConfiguration(
"LaunchConfig",
Metadata=cloudformation.Metadata(
cloudformation.Authentication({
"DeployUserAuth": cloudformation.AuthenticationBlock(
type="S3",
roleName=Ref(EC2Role),
buckets=[Ref(DeployBucket)]
)
ManagedPolicyArns=['arn:aws:iam::aws:policy/AmazonS3FullAccess'],
AssumeRolePolicyDocument={
'Statement': [{
'Action': ['sts:AssumeRole'],
'Effect': 'Allow',
'Principal': {
'Service': ['ecs-tasks.amazonaws.com']
}
}]
},
))
BatchInstanceProfile = t.add_resource(
InstanceProfile(
'BatchInstanceProfile',
Path='/',
Roles=[Ref(BatchInstanceRole)],
))
BatchSecurityGroup = t.add_resource(
SecurityGroup('BatchSecurityGroup',
VpcId=Ref(Vpc),
GroupDescription='Enable access to Batch instances',
Tags=Tags(Name='batch-sg')))
BatchComputeEnvironment = t.add_resource(
ComputeEnvironment('DataCarouselComputeEnvironment',
Type='MANAGED',
ServiceRole=Ref(BatchServiceRole),
ComputeResources=ComputeResources(
'DataCarouselComputeResources',
def init_cloud(args):
template = Template()
queue = template.add_resource(
Queue(
"{0}".format(args.sqs_name),
QueueName="{0}".format(args.sqs_name),
))
bucket = template.add_resource(
Bucket("{0}".format(args.s3_name),
BucketName="{0}".format(args.s3_name)))
kala_security_group = template.add_resource(
ec2.SecurityGroup(
"{0}".format(args.kala_security_group),
GroupName="{0}".format(args.kala_security_group),
GroupDescription="Enable HTTP and HTTPS access on the inbound port",
SecurityGroupIngress=[
ec2.SecurityGroupRule(
IpProtocol="tcp",
FromPort="80",
ToPort="80",
CidrIp="0.0.0.0/0",
),
ec2.SecurityGroupRule(
IpProtocol="tcp",
FromPort="443",
ToPort="443",
CidrIp="0.0.0.0/0",
),
]))
database_security_group = template.add_resource(
ec2.SecurityGroup(
"{0}".format(args.database_security_group),
GroupName="{0}".format(args.database_security_group),
GroupDescription="Enable Database access for the security groups",
SecurityGroupIngress=[
ec2.SecurityGroupRule(
IpProtocol="tcp",
FromPort="5432",
ToPort="5432",
SourceSecurityGroupName=Ref(kala_security_group),
),
]))
database = template.add_resource(
rds.DBInstance(
"{0}".format(args.rds_instance_name),
DBInstanceIdentifier="{0}".format(args.rds_instance_name),
DBName=args.rds_name,
MasterUsername="******".format(args.rds_username),
MasterUserPassword="******".format(args.rds_password),
AllocatedStorage=args.rds_allocated_storage,
DBInstanceClass=args.rds_instance_class,
Engine="postgres",
MultiAZ=args.production,
StorageEncrypted=True,
VPCSecurityGroups=[GetAtt(database_security_group, "GroupId")]))
s3_policy = PolicyDocument(
Version="2012-10-17",
Id="{0}Policy".format(args.s3_name),
Statement=[
Statement(Effect="Allow",
Action=[S3Action("*")],
Resource=[Join("", [GetAtt(bucket, "Arn"), "/*"])]),
])
sqs_policy = PolicyDocument(Version="2012-10-17",
Id="{0}Policy".format(args.s3_name),
Statement=[
Statement(Effect="Allow",
Action=[SQSAction("*")],
Resource=[GetAtt(queue, "Arn")])
])
role = Role('{0}Role'.format(args.iam_role),
RoleName='{0}Role'.format(args.iam_role),
AssumeRolePolicyDocument={
"Version":
"2012-10-17",
"Statement": [{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
}
}]
},
Policies=[
Policy(PolicyName="KalaS3Policy",
PolicyDocument=s3_policy),
Policy(PolicyName="KalaSQSPolicy",
PolicyDocument=sqs_policy)
])
template.add_resource(role)
template.add_resource(
InstanceProfile("{0}InstanceProfile".format(args.iam_role),
Roles=[Ref(role)],
InstanceProfileName="{0}InstanceProfile".format(
args.iam_role)))
return template
"arn:aws:iam::aws:policy/service-role/AWSBatchServiceRole",
],
AssumeRolePolicyDocument={
"Statement": [{
"Action": ["sts:AssumeRole"],
"Effect": "Allow",
"Principal": {
"Service": ["batch.amazonaws.com"]
}
}]
},
Tags=[Tag("service", Ref(aws_service_tag))],
)
iam_instance_profile = InstanceProfile(
title="IAMInstanceProfilfe",
Roles=[Ref(ecs_instance_role)],
)
security_group = SecurityGroup(
title="SecurityGroup",
GroupDescription=("EC2 Security Group for"
" instances launched in the"
" VPC by batch"),
VpcId=Ref(virtual_private_cloud),
Tags=[Tag("service", Ref(aws_service_tag))],
)
# ------------------------------------------------------------------------------
# S3 Bucket
# ------------------------------------------------------------------------------
s3_bucket = Bucket(
title="S3Bucket",
def __init__(self):
self.name = 'ec2.template'
self.template = Template()
self.template.add_version("2010-09-09")
self.test_parameter_groups = TestParameterGroups()
default_test_params = TestParameterGroup()
self.test_parameter_groups.add(default_test_params)
Environment = self.template.add_parameter(Parameter(
"Environment",
Default="Development",
Type="String",
Description="Application environment",
AllowedValues=["Development", "Integration",
"PreProduction", "Production", "Staging", "Test"],
))
default_test_params.add(TestParameter("Environment", "Integration"))
Bucket = self.template.add_parameter(Parameter(
"S3Bucket",
Type="String",
Description="S3 Bucket",
))
default_test_params.add(TestParameter("S3Bucket", "Arn", S3Bucket()))
ImageId = self.template.add_parameter(Parameter(
"ImageId",
Type="String",
Description="Image Id"
))
default_test_params.add(TestParameter("ImageId", "ami-6869aa05"))
self.template.add_resource(Instance(
"EC2Instance",
Tags=Tags(
Name=Ref("AWS::StackName"),
ServiceProvider="Rackspace",
Environment=Ref(Environment),
),
InstanceType="t2.small",
ImageId=Ref(ImageId),
))
EC2Policy = Policy(
PolicyName="EC2_S3_Access",
PolicyDocument={
"Statement": [{
"Effect": "Allow",
"Action": "s3:*",
"Resource": Ref(Bucket)
}]
})
EC2InstanceRole = self.template.add_resource(Role(
"EC2InstanceRole",
AssumeRolePolicyDocument={
"Statement": [{
"Effect": "Allow",
"Principal": {
"Service": ["ec2.amazonaws.com"]
},
"Action": ["sts:AssumeRole"]
}]
},
Path="/",
Policies=[EC2Policy],
))
self.template.add_resource(InstanceProfile(
"EC2InstanceProfile",
Path="/",
Roles=[Ref(EC2InstanceRole)]
))
def create_instance_profile(stack, name, iam_role):
"""Add IAM Instance Profile Resource."""
return stack.stack.add_resource(
InstanceProfile('{0}InstanceProfile'.format(name),
Roles=[Ref(iam_role)]))
Effect='Allow',
Action=[
ecr.GetAuthorizationToken,
ecr.GetDownloadUrlForLayer,
ecr.BatchGetImage,
ecr.BatchCheckLayerAvailability,
],
Resource="*",
)
], ),
),
])
web_server_instance_profile = InstanceProfile(
"WebServerInstanceProfile",
template=template,
Path="/",
Roles=[Ref(web_server_role)],
)
eb_application = Application("EBApplication",
template=template,
Description="AWS Elastic Beanstalk Application")
# eb_application_version = ApplicationVersion(
# "EBApplicationVersion",
# template=template,
# Description="Version 1.0",
# ApplicationName=Ref(eb_application),
# SourceBundle=SourceBundle(
# S3Bucket=Join("-", ["elasticbeanstalk-samples", Ref("AWS::Region")]),
# S3Key="nodejs-sample.zip"
],
"Resource": [
"arn:aws:route53:::hostedzone/{}".format(
ZONE_ID
),
]
}
],
}
),
]
))
hugged_profile = t.add_resource(InstanceProfile(
"HuggedProfile",
Roles=[Ref(hugged_role)],
))
hugged_dns = t.add_resource(RecordSetType(
"HuggedDnsRecord",
HostedZoneId=ZONE_ID,
Name=FQDN,
Type="A",
TTL="180",
ResourceRecords=[GetAtt("HuggedInstance", "PublicIp")],
))
hugged_ecs_role = t.add_resource(Role(
"HuggedEcsRole",
AssumeRolePolicyDocument={
"Version": "2012-10-17",
PublicSubnet = t.add_resource(Subnet(
"PublicSubnet",
VpcId=Ref("VPC"),
CidrBlock=FindInMap("SubnetConfig", "Public", "CIDR"),
))
CFNRolePolicies = t.add_resource(PolicyType(
"CFNRolePolicies",
PolicyName="CFNaccess",
PolicyDocument={ "Statement": [{ "Action": "cloudformation:Describe*", "Resource": "*", "Effect": "Allow" }] },
Roles=[Ref("AmbariAccessRole")],
))
AmbariInstanceProfile = t.add_resource(InstanceProfile(
"AmbariInstanceProfile",
Path="/",
Roles=[Ref("AmbariAccessRole")],
))
NodeAccessRole = t.add_resource(Role(
"NodeAccessRole",
Path="/",
AssumeRolePolicyDocument={ "Statement": [{ "Action": ["sts:AssumeRole"], "Effect": "Allow", "Principal": { "Service": ["ec2.amazonaws.com"] } }] },
))
PublicRouteTable = t.add_resource(RouteTable(
"PublicRouteTable",
VpcId=Ref(VPC),
))
"2012-10-17",
"Statement": [{
"Action": ["sts:AssumeRole"],
"Effect": "Allow",
"Principal": {
"Service": [
"ec2.amazonaws.com",
]
}
}]
},
))
StorReduceHostProfile = t.add_resource(
InstanceProfile("StorReduceHostProfile",
DependsOn=StorReduceHostRole.title,
Roles=[Ref(StorReduceHostRole)],
Path="/"))
BASE_NAME = "StorReduceInstance"
counter = 0
def create_conditions():
condition_counter = 4
base_condition = Equals(Ref(NumSRRHostsParam), 4)
t.add_condition(CONDITION_COUNTER_PREFIX + str(condition_counter),
base_condition)
last_condition = CONDITION_COUNTER_PREFIX + str(condition_counter)
for i in range(condition_counter + 1, MAX_INSTANCES + 1):
t.add_condition(
]),
Path="/"))
t.add_resource(
IAMPolicy(
"WebServerRolePolicy",
PolicyName="WebServerRole",
PolicyDocument=PolicyDocument(Statement=[
Statement(
Effect=Allow, NotAction=Action("iam", "*"), Resource=["*"])
]),
Roles=[Ref("WebServerRole")]))
t.add_resource(
InstanceProfile("WebServerInstanceProfile",
Path="/",
Roles=[Ref("WebServerRole")]))
t.add_resource(
Application(
"SampleApplication",
Description="AWS Elastic Beanstalk Sample Node.js Application"))
t.add_resource(
ApplicationVersion("SampleApplicationVersion",
Description="Version 1.0",
ApplicationName=Ref("SampleApplication"),
SourceBundle=SourceBundle(S3Bucket=Join(
"-",
["elasticbeanstalk-samples",
Ref("AWS::Region")]),
"ecs:UpdateService",
],
"Effect":
"Allow",
"Resource":
Sub(
'arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:service/NetKANCluster/${service}',
service=GetAtt('WebhooksService', 'Name'),
)
},
]
})
]))
netkan_profile = t.add_resource(
InstanceProfile("NetKANProdProfile", Roles=[Ref(netkan_role)]))
# To Access the Secrets manager, the ecs agent needs to AsssumeRole permission
# regardless of what the instance can access.
netkan_ecs_role = t.add_resource(
Role(
"NetKANProdEcsRole",
AssumeRolePolicyDocument={
"Version":
"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
},
"Action": "sts:AssumeRole"
def instance_profile(template, name, role):
profile = InstanceProfile(name, template=template)
profile.InstanceProfileName = aws_name(name)
# per awacs documentation a max of 1 role can be defined
profile.Roles = [Ref(role)]
return profile
"arn:aws:s3:::mgmt.eu-west-1.weblox.io/logs",
"arn:aws:s3:::mgmt.eu-west-1.weblox.io/logs/*"
]
}]
}
)
]
)
template.add_resource(ecs_role)
ecs_instance_profile = InstanceProfile(
region.replace("-", "") + "ecsinstanceprofile",
Path = "/",
Roles = [
Ref(ecs_role)
]
)
template.add_resource(ecs_instance_profile)
launch_template = LaunchTemplate(
region.replace("-", "") + "ecslivelaunchtemplate",
LaunchTemplateName = "ecs-live-launch-template",
LaunchTemplateData = LaunchTemplateData(
ImageId = image_id,
BlockDeviceMappings = [
LaunchTemplateBlockDeviceMapping(
DeviceName = "/dev/xvda",
],
AssumeRolePolicyDocument={
"Version":
"2012-10-17",
"Statement": [{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}]
}))
codedeploy_instance_profile = t.add_resource(
InstanceProfile(stackName + "CodeDeployInstanceProfile",
Roles=[Ref(code_deploy_instance_role)]))
application = t.add_resource(
Application(stackName, ApplicationName=stackName,
ComputePlatform="Server"))
deployment_groups = {}
for role in roles:
deployment_groups[role] = DeploymentGroup(
stackName + role + "DeploymentGroup",
DeploymentGroupName=role.capitalize(),
ApplicationName=stackName,
DependsOn=application,
AutoRollbackConfiguration=AutoRollbackConfiguration(
Enabled=True, Events=['DEPLOYMENT_FAILURE']),
t = Template()
t.add_description("AWS CloudFormation Sample Template: This template "
"demonstrates the creation of IAM Roles and "
"InstanceProfiles.")
cfnrole = t.add_resource(
Role("CFNRole",
AssumeRolePolicyDocument=Policy(Statement=[
Statement(Effect=Allow,
Action=[AssumeRole],
Principal=Principal("Service", ["ec2.amazonaws.com"]))
])))
cfninstanceprofile = t.add_resource(
InstanceProfile("CFNInstanceProfile", Roles=[Ref(cfnrole)]))
cfninstancepolicy = t.add_resource(
PolicyType(
"CFNInstancePolicy",
PolicyName="CFNPolicy",
PolicyDocument={
"Version":
"2018-06-14",
"Statement": [{
"Effect":
"Allow",
"Action": [
"ec2:DescribeAddresses",
"ec2:AllocateAddress",
"ec2:DescribeInstances",
def emit_configuration():
vpc = cfn.vpcs[0]
instance_class = template.add_parameter(
Parameter(
'RegistryInstanceType',
Type='String',
Default='m3.medium',
Description='Registry instance type',
AllowedValues=cfn.usable_instances(),
))
create_bucket = template.add_parameter(
Parameter(
'CreateDockerRegistryBucket',
Type='String',
Description='Whether or not to create the Docker Registry bucket.',
Default='no',
AllowedValues=['yes', 'no']))
condition_name = "DockerRegistryBucketCondition"
conditions = {condition_name: Equals(Ref(create_bucket), "yes")}
for c in conditions:
template.add_condition(c, conditions[c])
# Create the registry bucket
bucket_name = Join(
'.',
['docker-registry', CLOUDNAME,
Ref("AWS::Region"), CLOUDENV, 'leafme'])
bucket = template.add_resource(
Bucket("DockerRegistryBucket",
BucketName=bucket_name,
DeletionPolicy='Retain',
Condition=condition_name))
ingress_rules = [
SecurityGroupRule(IpProtocol=p[0],
CidrIp=DEFAULT_ROUTE,
FromPort=p[1],
ToPort=p[1]) for p in [('tcp', 80), ('tcp', 22)]
]
sg = template.add_resource(
SecurityGroup("DockerRegistry",
GroupDescription="Security Group for Docker Registries",
VpcId=Ref(vpc),
SecurityGroupIngress=ingress_rules,
DependsOn=vpc.title))
policy_vars = {"env": CLOUDENV, "cloud": CLOUDNAME, "region": "us-east-1"}
# IAM role for docker registry
policy = json.loads(
cfn.load_template("registry_policy.json.j2", policy_vars))
default_policy = json.loads(
cfn.load_template("default_policy.json.j2", policy_vars))
iam_role = template.add_resource(
Role("DockerRegistryIamRole",
AssumeRolePolicyDocument=ASSUME_ROLE_POLICY,
Path="/",
Policies=[
Policy(PolicyName="RegistryDefaultPolicy",
PolicyDocument=default_policy),
Policy(PolicyName="RegistryPolicy", PolicyDocument=policy)
],
DependsOn=vpc.title))
instance_profile = template.add_resource(
InstanceProfile("DockerRegistryInstanceProfile",
Path="/",
Roles=[Ref(iam_role)],
DependsOn=iam_role.title))
user_data = cfn.load_template("default-init.bash.j2", {
"env": CLOUDENV,
"cloud": CLOUDNAME,
"deploy": "docker_registry"
})
launch_config = template.add_resource(
LaunchConfiguration("RegistryLaunchConfiguration",
ImageId=FindInMap('RegionMap', Ref("AWS::Region"),
int(cfn.Amis.INSTANCE)),
InstanceType=Ref(instance_class),
IamInstanceProfile=Ref(instance_profile),
KeyName=Ref(cfn.keyname),
SecurityGroups=[Ref(sg)],
DependsOn=[instance_profile.title, sg.title],
AssociatePublicIpAddress=False,
UserData=Base64(user_data)))
asg = template.add_resource(
AutoScalingGroup(
"RegistryAutoscalingGroup",
AvailabilityZones=cfn.get_asg_azs(),
DesiredCapacity="1",
LaunchConfigurationName=Ref(launch_config),
MinSize="1",
MaxSize="1",
NotificationConfiguration=NotificationConfiguration(
TopicARN=Ref(cfn.alert_topic),
NotificationTypes=[
EC2_INSTANCE_TERMINATE, EC2_INSTANCE_LAUNCH,
EC2_INSTANCE_LAUNCH_ERROR, EC2_INSTANCE_TERMINATE_ERROR
]),
VPCZoneIdentifier=[
Ref(sn)
for sn in cfn.get_vpc_subnets(vpc, cfn.SubnetTypes.PLATFORM)
],
DependsOn=[
sn.title
for sn in cfn.get_vpc_subnets(vpc, cfn.SubnetTypes.PLATFORM)
]))
))
ECSAutoScalingGroup = t.add_resource(AutoScalingGroup(
'ECSAutoScalingGroup',
DesiredCapacity='1',
MinSize='1',
MaxSize='1',
VPCZoneIdentifier=['subnet-72849a0a', 'subnet-72849a08'],
AvailabilityZones=['eu-west-1a', 'eu-west-1b'],
LaunchConfigurationName=Ref('ContainerInstances'),
))
EC2InstanceProfile = t.add_resource(InstanceProfile(
'EC2InstanceProfile',
Path='/',
Roles=[Ref('EcsClusterRole')],
))
EcsClusterRole = t.add_resource(Role(
'EcsClusterRole',
Path='/',
ManagedPolicyArns=[
'arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM'
],
AssumeRolePolicyDocument={'Version': '2012-10-17',
'Statement': [{'Action': 'sts:AssumeRole',
'Principal':
{'Service': 'ec2.amazonaws.com'},
'Effect': 'Allow',
}]}
def roleTemplate(app,env,nameBucket):
template = Template()
Ec2Role = template.add_resource(Role(
"Ec2Role",
RoleName="ec2-role",
AssumeRolePolicyDocument={"Statement": [{
"Effect": "Allow",
"Principal": {
"Service": [ "ec2.amazonaws.com" ]
},
"Action": [ "sts:AssumeRole" ]
}]},
Policies=[Policy(
PolicyName="ec2-policy",
PolicyDocument={
"Statement": [
{
"Action": [
"ec2:*",
],
"Effect": "Allow",
"Resource": ["*"]
}
]
}
),
Policy(
PolicyName="s3List",
PolicyDocument={
"Statement": [
{
"Action": ["s3:ListBucket"],
"Resource":[Join("",["arn:aws:s3:::",ImportValue("Bucket"+nameBucket+app+env)])],
"Effect": "Allow"
}
]
}
),
Policy(
PolicyName="s3Permissions",
PolicyDocument={
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": [Join("",["arn:aws:s3:::",ImportValue("Bucket"+nameBucket+app+env),"/*"])]
}
]
}
)
]
)
)
profile = template.add_resource(InstanceProfile(
"InstanceProfile",
Roles=[Ref(Ec2Role)]
))
output = template.add_output(Output(
"iamRole"+app+env,
Description="IAM Role",
Value=Ref(profile),
Export=Export("Role-"+app+"-"+env)
))
return (template.to_json())
'arn:aws:iam::aws:policy/CloudWatchFullAccess'
],
AssumeRolePolicyDocument={
'Version':
'2012-10-17',
'Statement': [{
'Action': 'sts:AssumeRole',
'Principal': {
'Service': 'ec2.amazonaws.com'
},
'Effect': 'Allow',
}]
}))
t.add_resource(
InstanceProfile(
'EC2InstanceProfile',
Roles=[Ref('EcsClusterRole')],
))
t.add_resource(
LaunchConfiguration(
'ContainerInstances',
UserData=Base64(
Join('', [
"#!/bin/bash -xe\n", "echo ECS_CLUSTER=",
Ref('ECSCluster'), " >> /etc/ecs/ecs.config\n",
"yum install -y aws-cfn-bootstrap\n",
"/opt/aws/bin/cfn-signal -e $? ", " --stack ",
Ref('AWS::StackName'), " --resource ECSAutoScalingGroup ",
" --region ",
Ref('AWS::Region'), "\n"
])),
ImageId='ami-06bec82fb46167b4f',
def generate_template(service_name):
t = Template()
t.add_version('2010-09-09')
t.add_description("""\
AWS CloudFormation Template for AWS Exploitation Lab """)
t.add_mapping("PublicRegionMap", ami_public_mapping)
t.add_mapping("PrivateRegionMap", ami_private_mapping)
keyname_param = t.add_parameter(
Parameter(
'KeyName',
ConstraintDescription='must be the name of an existing EC2 KeyPair.',
Description='Name of an existing EC2 KeyPair to enable SSH access to \
the instance',
Type='AWS::EC2::KeyPair::KeyName',
))
sshlocation_param = t.add_parameter(
Parameter(
'SSHLocation',
Description=' The IP address range that can be used to SSH to the EC2 \
instances',
Type='String',
MinLength='9',
MaxLength='18',
Default='0.0.0.0/0',
AllowedPattern="(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})",
ConstraintDescription=(
"must be a valid IP CIDR range of the form x.x.x.x/x."),
))
instanceType_param = t.add_parameter(Parameter(
'InstanceType',
Type='String',
Description='WebServer EC2 instance type',
Default='t2.micro',
AllowedValues=[
't2.micro', 't2.small', 't2.medium',
'm3.medium', 'm3.large', 'm3.xlarge', 'm3.2xlarge',
],
ConstraintDescription='must be a valid EC2 instance type.',
))
ref_stack_id = Ref('AWS::StackId')
ec2_role = t.add_resource(Role(
"%sEC2Role" % service_name,
AssumeRolePolicyDocument=awacs.aws.Policy(
Statement=[
awacs.aws.Statement(
Effect=awacs.aws.Allow,
Action=[awacs.aws.Action("sts", "AssumeRole")],
Principal=awacs.aws.Principal("Service", ["ec2.amazonaws.com"])
)
]
)
))
ec2_role.ManagedPolicyArns = [
"arn:aws:iam::aws:policy/ReadOnlyAccess"
]
ec2_snapshot_policy_document = awacs.aws.Policy(
Statement=[
awacs.aws.Statement(
Sid="PermitEC2Snapshots",
Effect=awacs.aws.Allow,
Action=[
awacs.aws.Action("ec2", "CreateSnapshot"),
awacs.aws.Action("ec2", "ModifySnapshotAttribute"),
],
Resource=["*"]
)
]
)
ec2_snapshot_policy = Policy(
PolicyName="EC2SnapshotPermissions",
PolicyDocument=ec2_snapshot_policy_document
)
priv_ec2_role = t.add_resource(Role(
"%sPrivEC2Role" % service_name,
AssumeRolePolicyDocument=awacs.aws.Policy(
Statement=[
awacs.aws.Statement(
Effect=awacs.aws.Allow,
Action=[awacs.aws.Action("sts", "AssumeRole")],
Principal=awacs.aws.Principal("Service", ["ec2.amazonaws.com"])
)
]
),
Policies=[ec2_snapshot_policy]
))
priv_ec2_role.ManagedPolicyArns = [
"arn:aws:iam::aws:policy/ReadOnlyAccess"
]
VPC_ref = t.add_resource(
VPC(
'VPC',
CidrBlock='10.0.0.0/16',
Tags=Tags(
Application=ref_stack_id)))
instanceProfile = t.add_resource(
InstanceProfile(
"InstanceProfile",
InstanceProfileName="%sInstanceRole" % (service_name),
Roles=[Ref(ec2_role)]))
privInstanceProfile = t.add_resource(
InstanceProfile(
"PrivInstanceProfile",
InstanceProfileName="%sPrivInstanceRole" % (service_name),
Roles=[Ref(priv_ec2_role)]))
public_subnet = t.add_resource(
Subnet(
'%sSubnetPublic' % service_name,
MapPublicIpOnLaunch=True,
CidrBlock='10.0.1.0/24',
VpcId=Ref(VPC_ref),
Tags=Tags(
Application=ref_stack_id,
Name="%sSubnet_public" % (service_name))
)
)
private_subnet = t.add_resource(
Subnet(
'%sSubnetPrivate' % service_name,
MapPublicIpOnLaunch=False,
CidrBlock='10.0.2.0/24',
VpcId=Ref(VPC_ref),
Tags=Tags(
Application=ref_stack_id,
Name="%sSubnet_private" % (service_name))
)
)
internetGateway = t.add_resource(
InternetGateway(
'InternetGateway',
Tags=Tags(
Application=ref_stack_id,
Name="%sInternetGateway" % service_name)))
gatewayAttachment = t.add_resource(
VPCGatewayAttachment(
'AttachGateway',
VpcId=Ref(VPC_ref),
InternetGatewayId=Ref(internetGateway)))
routeTable = t.add_resource(
RouteTable(
'RouteTable',
VpcId=Ref(VPC_ref),
Tags=Tags(
Application=ref_stack_id,
Name="%sRouteTable" % service_name)))
route = t.add_resource(
Route(
'Route',
DependsOn='AttachGateway',
GatewayId=Ref('InternetGateway'),
DestinationCidrBlock='0.0.0.0/0',
RouteTableId=Ref(routeTable),
))
# Only associate this Route Table with the public subnet
subnetRouteTableAssociation = t.add_resource(
SubnetRouteTableAssociation(
'SubnetRouteTableAssociation',
SubnetId=Ref(public_subnet),
RouteTableId=Ref(routeTable),
))
instanceSecurityGroup = t.add_resource(
SecurityGroup(
'InstanceSecurityGroup',
GroupDescription='%sSecurityGroup' % service_name,
SecurityGroupIngress=[
SecurityGroupRule(
IpProtocol='tcp',
FromPort='22',
ToPort='22',
CidrIp=Ref(sshlocation_param)),
SecurityGroupRule(
IpProtocol='tcp',
FromPort='80',
ToPort='80',
CidrIp='0.0.0.0/0'),
SecurityGroupRule(
IpProtocol='tcp',
FromPort='1080',
ToPort='1080',
CidrIp='0.0.0.0/0'),
SecurityGroupRule(
IpProtocol='tcp',
FromPort='443',
ToPort='443',
CidrIp='0.0.0.0/0'),
SecurityGroupRule(
IpProtocol='tcp',
FromPort='0',
ToPort='65535',
CidrIp="10.0.0.0/8"),
],
VpcId=Ref(VPC_ref),
)
)
public_instance = t.add_resource(
Instance(
"Public%sInstance" % service_name,
ImageId=FindInMap("PublicRegionMap", Ref("AWS::Region"), "AMI"),
InstanceType=Ref(instanceType_param),
KeyName=Ref(keyname_param),
NetworkInterfaces=[
NetworkInterfaceProperty(
GroupSet=[
Ref(instanceSecurityGroup)],
AssociatePublicIpAddress='true',
DeviceIndex='0',
DeleteOnTermination='true',
SubnetId=Ref(public_subnet))],
UserData=Base64(public_instance_userdata),
Tags=Tags(
Application=ref_stack_id,
Name='%sPublicInstance' % (service_name))
)
)
private_instance = t.add_resource(
Instance(
"Private%sInstance" % service_name,
ImageId=FindInMap("PrivateRegionMap", Ref("AWS::Region"), "AMI"),
InstanceType=Ref(instanceType_param),
KeyName=Ref(keyname_param),
NetworkInterfaces=[
NetworkInterfaceProperty(
GroupSet=[
Ref(instanceSecurityGroup)],
DeviceIndex='0',
DeleteOnTermination='true',
SubnetId=Ref(private_subnet))],
UserData=Base64(private_instance_userdata),
Tags=Tags(
Application=ref_stack_id,
Name='%sPrivateInstance' % (service_name)),
IamInstanceProfile="%sPrivInstanceRole" % (service_name)
)
)
outputs = []
outputs.append(
Output(
"PublicIP",
Description="IP Address of Public Instance",
Value=GetAtt(public_instance, "PublicIp"),
)
)
t.add_output(outputs)
# Set up S3 Bucket and CloudTrail
S3Bucket = t.add_resource(
Bucket(
"S3Bucket",
DeletionPolicy="Retain"
)
)
S3PolicyDocument=awacs.aws.PolicyDocument(
Id='EnforceServersideEncryption',
Version='2012-10-17',
Statement=[
awacs.aws.Statement(
Sid='PermitCTBucketPut',
Action=[s3.PutObject],
Effect=awacs.aws.Allow,
Principal=awacs.aws.Principal("Service", ["cloudtrail.amazonaws.com"]),
Resource=[Join('', [s3.ARN(''), Ref(S3Bucket), "/*"])],
),
awacs.aws.Statement(
Sid='PermitCTBucketACLRead',
Action=[s3.GetBucketAcl],
Effect=awacs.aws.Allow,
Principal=awacs.aws.Principal("Service", ["cloudtrail.amazonaws.com"]),
Resource=[Join('', [s3.ARN(''), Ref(S3Bucket)])],
)
]
)
S3BucketPolicy = t.add_resource(
BucketPolicy(
"BucketPolicy",
PolicyDocument=S3PolicyDocument,
Bucket=Ref(S3Bucket),
DependsOn=[S3Bucket]
)
)
myTrail = t.add_resource(
Trail(
"CloudTrail",
IsLogging=True,
S3BucketName=Ref(S3Bucket),
DependsOn=["BucketPolicy"],
)
)
myTrail.IsMultiRegionTrail = True
myTrail.IncludeGlobalServiceEvents = True
return t.to_json()
PolicyName="AllowS3",
PolicyDocument=Policy(Statement=[
Statement(Effect=Allow, Action=[Action("s3", "*")], Resource=["*"])
]),
Roles=[Ref("Role")]))
t.add_resource(
Role("Role",
AssumeRolePolicyDocument=Policy(Statement=[
Statement(Effect=Allow,
Action=[AssumeRole],
Principal=Principal("Service", ["ec2.amazonaws.com"]))
])))
t.add_resource(
InstanceProfile("InstanceProfile", Path="/", Roles=[Ref("Role")]))
t.add_resource(
LaunchConfiguration(
"LaunchConfiguration",
UserData=ud,
ImageId="ami-047bb4163c506cd98",
KeyName=Ref("KeyPair"),
SecurityGroups=[Ref("SecurityGroup")],
InstanceType=Ref("InstanceType"),
IamInstanceProfile=Ref("InstanceProfile"),
))
t.add_resource(
AutoScalingGroup(
"AutoscalingGroup",
's3:Get*',
's3:List*',
],
'Resource': 'arn:aws:s3:::7finity-infra-dev-deployment/*',
},
],
[
Ref(role_ec2)
]
)
# EC2 - InstanceProfile (Role to run everything)
instance_role_profile = template.add_resource(
InstanceProfile("InstanceRoleProfileJenkins",
Path='/ec2/',
Roles=[Ref(role_ec2)]))
ec2_instance = template.add_resource(
ec2.Instance(
"Ec2Instance",
ImageId="ami-25681456",
InstanceType="t2.micro",
KeyName='dev-ec2',
SecurityGroupIds=["sg-8eec36e8"], # hard coded to glomex default sg
SubnetId='subnet-b6eaa5d2', # hard coded to glomex subnet eu-west-1a
UserData=Base64("80"),
IamInstanceProfile=Ref(instance_role_profile),
Monitoring=True,
Tags=[ec2.Tag('Name', NAME_TAG)]))
