Example #1
0
    def __init__(self, scope: core.Construct, id: str, out_nw_stack: outNwStack, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Contexts
        PRJ = self.node.try_get_context("prj")

        # Parameters
        # Functions
        def nametag(x): return core.CfnTag(
            key="Name", value="{}/{}".format(PRJ, x))

        # ### Resources
        # Tgw
        self.tgw = ec2.CfnTransitGateway(
            self, "tgw",
            auto_accept_shared_attachments="enable",
            default_route_table_association="disable",
            default_route_table_propagation="disable",
            description="transit gateway({})".format(PRJ),
            tags=[nametag("tgw")]
        )
        # Tgw Attachment for Outbound-VPC
        self.out_tgw_attachment = ec2.CfnTransitGatewayAttachment(
            self, "outTgwAttachment",
            vpc_id=out_nw_stack.vpc.ref,
            subnet_ids=[out_nw_stack.tgw_subnet.ref],
            transit_gateway_id=self.tgw.ref,
            tags=[nametag("outTgwAttachment")]
        )
Example #2
0
    def __init__(self, scope: core.Construct, id: str, cidr_ranges: list, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)

        # TODO: replace by CDK construct when available
        tg = ec2.CfnTransitGateway(
            self, 'TransitGateway',
            auto_accept_shared_attachments='enable',
            default_route_table_association='enable',
            default_route_table_propagation='enable',
            dns_support='enable',
        )

        role = iam.Role(
            self, 'Ec2SsmRole',
            assumed_by=iam.ServicePrincipal('ec2.amazonaws.com'),
            managed_policies=[
                iam.ManagedPolicy.from_aws_managed_policy_name('AmazonSSMManagedInstanceCore')
            ],
        )

        for i, cidr_range in enumerate(cidr_ranges):
            TransitMemberVpc(
                self, 'Member{}'.format(i + 1),
                cidr_range=cidr_range,
                transit_gateway=tg,
                role=role,
            )
Example #3
0
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)

        self.gateway = ec2.CfnTransitGateway(
            self,
            'TransitGateway',
            amazon_side_asn=64512,
            auto_accept_shared_attachments='enable',
            default_route_table_association='enable',
            default_route_table_propagation='enable',
            description='HomeNet TransitGateway',
            dns_support='enable',
            vpn_ecmp_support='enable',
            tags=[core.CfnTag(key='Name', value='HomeNet/TGW')])
Example #4
0
  def __init__(self, scope:core.Construct, id:str, landing_zone:LandingZone, peers:List[LandingZone], amazon_asn:int, **kwargs):
    """
    Configure the Transit Gateways
    """
    super().__init__(scope,id, **kwargs)
    self.landing_zone = landing_zone
    self.peers = peers
    
    self.gateway = ec2.CfnTransitGateway(self,'TransitGateway',
      amazon_side_asn=amazon_asn,
      auto_accept_shared_attachments='enable',
      default_route_table_association='enable',
      default_route_table_propagation='enable',
      description='HomeNet TransitGateway',
      dns_support='enable',
      vpn_ecmp_support='enable',
      tags=[
        core.CfnTag(key='Name',value='HomeNet/TGW')
      ])

    entries = []
    for peer in peers:
      if peer == landing_zone:
        continue
      entries.append(ec2.CfnPrefixList.EntryProperty(cidr=peer.cidr_block,description=peer.zone_name))

    ec2.CfnPrefixList(self,'PeerPrefix',
      address_family='IPv4',
      entries= entries,
      max_entries=100,
      prefix_list_name='nbachmei.homenet.tgw-peers',
      tags=[core.CfnTag(key='Name',value='HomeNet TGW Prefixes')])

    ec2.CfnTransitGatewayAttachment(self,'VpcAttachment',
      subnet_ids= landing_zone.vpc.select_subnets(subnet_group_name='TGW').subnet_ids,
      transit_gateway_id= self.gateway.ref,
      vpc_id= landing_zone.vpc.vpc_id,
      tags=[core.CfnTag(key='Name',value='HomeNet')])

    ssm.CfnParameter(self,'RegionalGatewayParameter',
      name='/homenet/{}/transit-gateway/gateway-id'.format(landing_zone.region),
      value=self.gateway.ref,
      type='String')

    self.__add_peers()
Example #5
0
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        #    def __init__(self, scope: core.Construct, id: str, cidr_range: str, tgw_asn: int, **kwargs) -> None:
        #        super().__init__(scope, id, **kwargs)
        this_dir = path.dirname(__file__)

        # VPC Creation
        self.vpc = ec2.Vpc(
            self,
            "TransitVPC",
            max_azs=1,
            cidr="172.16.0.0/24",
            # configuration will create 1 subnet in a single AZ.
            subnet_configuration=[
                ec2.SubnetConfiguration(subnet_type=ec2.SubnetType.ISOLATED,
                                        name="Isolated",
                                        cidr_mask=25)
            ])

        # Transit Gateway creation
        self.tgw = ec2.CfnTransitGateway(
            self,
            id="TGW-USe1",
            amazon_side_asn=64512,
            auto_accept_shared_attachments="enable",
            default_route_table_association="enable",
            default_route_table_propagation="enable",
            tags=[core.CfnTag(key='Name', value="tgw-us-east-1")])

        # Transit Gateway attachment to the VPC
        self.tgw_attachment = ec2.CfnTransitGatewayAttachment(
            self,
            id="TGW-Attachment",
            transit_gateway_id=self.tgw.ref,
            vpc_id=self.vpc.vpc_id,
            subnet_ids=[
                subnet.subnet_id for subnet in self.vpc.isolated_subnets
            ],
            tags=[
                core.CfnTag(key='Name',
                            value=f"tgw-{self.vpc.vpc_id}-attachment")
            ])
Example #6
0
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)

        self.defaultVpc = aws_ec2.Vpc(
            self,
            "Default",
            cidr='10.0.0.0/24',
            nat_gateways=2,
            subnet_configuration=[
                aws_ec2.SubnetConfiguration(
                    name="public",
                    cidr_mask=27,
                    reserved=False,
                    subnet_type=aws_ec2.SubnetType.PUBLIC),
                aws_ec2.SubnetConfiguration(
                    name="private",
                    cidr_mask=27,
                    reserved=False,
                    subnet_type=aws_ec2.SubnetType.PRIVATE)
            ])

        self.eksVpc = aws_ec2.Vpc(
            self,
            "EKSvpc",
            cidr='192.168.0.0/24',
            subnet_configuration=[
                aws_ec2.SubnetConfiguration(
                    name="private",
                    cidr_mask=26,
                    reserved=False,
                    subnet_type=aws_ec2.SubnetType.ISOLATED)
            ])

        self.transitGw = aws_ec2.CfnTransitGateway(
            self,
            "DefaultTransitGw",
            default_route_table_association="disable",
        )

        self.tgAttachmentPrivate = aws_ec2.CfnTransitGatewayAttachment(
            self,
            "DefaultTGAttachment",
            transit_gateway_id=self.transitGw.ref,
            vpc_id=self.defaultVpc.vpc_id,
            subnet_ids=[
                self.defaultVpc.private_subnets[0].subnet_id,
                self.defaultVpc.private_subnets[1].subnet_id
            ],
            tags=None)
        self.tgAttachmentPrivate.add_depends_on(self.transitGw)

        self.tgAttachmentEks = aws_ec2.CfnTransitGatewayAttachment(
            self,
            "EksTGAttachment",
            transit_gateway_id=self.transitGw.ref,
            vpc_id=self.eksVpc.vpc_id,
            subnet_ids=[
                self.eksVpc.isolated_subnets[0].subnet_id,
                self.eksVpc.isolated_subnets[1].subnet_id
            ],
            tags=None)
        self.tgAttachmentEks.add_depends_on(self.transitGw)

        isolatedSubnetRoutes = core.Construct(self, 'Isolated Subnet Routes')
        for (i, subnet) in enumerate(self.eksVpc.isolated_subnets):
            aws_ec2.CfnRoute(
                isolatedSubnetRoutes,
                id=f"Default Route EKS {i}",
                route_table_id=subnet.route_table.route_table_id,
                destination_cidr_block="0.0.0.0/0",
                transit_gateway_id=self.transitGw.ref).add_depends_on(
                    self.tgAttachmentEks)

        privateSubnetRoutes = core.Construct(self, 'Private Subnet Routes')
        for (i, subnet) in enumerate(self.defaultVpc.private_subnets):
            aws_ec2.CfnRoute(
                privateSubnetRoutes,
                id=f"Eks route defalt {i}",
                route_table_id=subnet.route_table.route_table_id,
                destination_cidr_block=self.eksVpc.vpc_cidr_block,
                transit_gateway_id=self.transitGw.ref).add_depends_on(
                    self.tgAttachmentEks)

        publicSubnetRoutes = core.Construct(self, 'Public Subnet Routes')
        for (i, subnet) in enumerate(self.defaultVpc.public_subnets):
            aws_ec2.CfnRoute(
                publicSubnetRoutes,
                id=f"Eks route defalt {i}",
                route_table_id=subnet.route_table.route_table_id,
                destination_cidr_block=self.eksVpc.vpc_cidr_block,
                transit_gateway_id=self.transitGw.ref).add_depends_on(
                    self.tgAttachmentEks)

        self.transitGwRT = aws_ec2.CfnTransitGatewayRouteTable(
            self,
            'transitGw Route Table',
            transit_gateway_id=self.transitGw.ref,
            tags=None)

        self.transitGwRoute = aws_ec2.CfnTransitGatewayRoute(
            self,
            'transitGW Route',
            transit_gateway_route_table_id=self.transitGwRT.ref,
            destination_cidr_block='0.0.0.0/0',
            transit_gateway_attachment_id=self.tgAttachmentPrivate.ref)

        self.TGRouteTableAssociationDefaultVPC = aws_ec2.CfnTransitGatewayRouteTableAssociation(
            self,
            'DefaultVPC Association',
            transit_gateway_attachment_id=self.tgAttachmentPrivate.ref,
            transit_gateway_route_table_id=self.transitGwRoute.
            transit_gateway_route_table_id)

        self.TGRouteTablePropagationDefaultVPC = aws_ec2.CfnTransitGatewayRouteTablePropagation(
            self,
            'DefaultVPC Propagation',
            transit_gateway_attachment_id=self.tgAttachmentPrivate.ref,
            transit_gateway_route_table_id=self.transitGwRoute.
            transit_gateway_route_table_id)

        self.TGRouteTableAssociationEksVPC = aws_ec2.CfnTransitGatewayRouteTableAssociation(
            self,
            'EksVPC Association',
            transit_gateway_attachment_id=self.tgAttachmentEks.ref,
            transit_gateway_route_table_id=self.transitGwRoute.
            transit_gateway_route_table_id)

        self.TGRouteTablePropagationEksVPC = aws_ec2.CfnTransitGatewayRouteTablePropagation(
            self,
            'EksVPC Propagation',
            transit_gateway_attachment_id=self.tgAttachmentEks.ref,
            transit_gateway_route_table_id=self.transitGwRoute.
            transit_gateway_route_table_id)
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)

        vpc = _ec2.Vpc.from_lookup(self, "my_vpc", is_default=True)

        self.nat_vpc = _ec2.Vpc(
            self,
            id="nat_vpc",
            cidr="10.77.4.0/24",
            enable_dns_hostnames=True,
            enable_dns_support=True,
            max_azs=1,
            nat_gateways=1,
            subnet_configuration=[
                _ec2.SubnetConfiguration(cidr_mask=25,
                                         name='nat-public',
                                         subnet_type=_ec2.SubnetType.PUBLIC),
                _ec2.SubnetConfiguration(cidr_mask=25,
                                         name='nat-private',
                                         subnet_type=_ec2.SubnetType.PRIVATE)
            ])

        self.app_vpc = _ec2.Vpc(
            self,
            id="app_vpc",
            cidr="10.77.5.0/24",
            enable_dns_hostnames=True,
            enable_dns_support=True,
            max_azs=1,
            nat_gateways=0,
            subnet_configuration=[
                _ec2.SubnetConfiguration(cidr_mask=25,
                                         name='app-public1',
                                         subnet_type=_ec2.SubnetType.PUBLIC),
                _ec2.SubnetConfiguration(cidr_mask=25,
                                         name='app-private1',
                                         subnet_type=_ec2.SubnetType.ISOLATED)
            ])

        self.tgw = _ec2.CfnTransitGateway(
            self,
            id='tgw-test',
            amazon_side_asn=65520,
            auto_accept_shared_attachments="enable",
            default_route_table_association="enable",
            default_route_table_propagation="enable",
            tags=[core.CfnTag(key='Name', value='TGW-PoC')])

        self.tgw_nat_attachment = _ec2.CfnTransitGatewayAttachment(
            self,
            id="tgw-natvpc",
            transit_gateway_id=self.tgw.ref,
            vpc_id=self.nat_vpc.vpc_id,
            subnet_ids=[
                subnet.subnet_id for subnet in self.nat_vpc.private_subnets
            ],
            tags=[core.CfnTag(key='Name', value='TGW-Nat-Attachment')])

        self.tgw_app_attachment = _ec2.CfnTransitGatewayAttachment(
            self,
            id="tgw-appvpc",
            transit_gateway_id=self.tgw.ref,
            vpc_id=self.app_vpc.vpc_id,
            subnet_ids=[
                subnet.subnet_id for subnet in self.app_vpc.isolated_subnets
            ],
            tags=[core.CfnTag(key='Name', value='TGW-App-Attachment')])
    def __init__(self, scope: core.Construct, id: str, cidr_range: str,
                 tgw_asn: int, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)

        # VPC Creation
        self.vpc = ec2.Vpc(
            self,
            f"{kwargs['env']['region']}-vpc",
            max_azs=1,
            cidr=cidr_range,
            # configuration will create 1 subnet in a single AZ.
            subnet_configuration=[
                ec2.SubnetConfiguration(subnet_type=ec2.SubnetType.ISOLATED,
                                        name="Isolated",
                                        cidr_mask=25)
            ])

        # Transit Gateway creation
        self.tgw = ec2.CfnTransitGateway(
            self,
            id=f"TGW-{kwargs['env']['region']}",
            amazon_side_asn=tgw_asn,
            auto_accept_shared_attachments="enable",
            default_route_table_association="enable",
            default_route_table_propagation="enable",
            tags=[
                core.CfnTag(key='Name', value=f"tgw-{kwargs['env']['region']}")
            ])

        # Transit Gateway attachment to the VPC
        self.tgw_attachment = ec2.CfnTransitGatewayAttachment(
            self,
            id=f"tgw-vpc-{kwargs['env']['region']}",
            transit_gateway_id=self.tgw.ref,
            vpc_id=self.vpc.vpc_id,
            subnet_ids=[
                subnet.subnet_id for subnet in self.vpc.isolated_subnets
            ],
            tags=[
                core.CfnTag(key='Name',
                            value=f"tgw-{self.vpc.vpc_id}-attachment")
            ])

        # VPC Endpoint creation for SSM (3 Endpoints needed)
        ec2.InterfaceVpcEndpoint(
            self,
            "VPCe - SSM",
            service=ec2.InterfaceVpcEndpointService(
                core.Fn.sub("com.amazonaws.${AWS::Region}.ssm")),
            private_dns_enabled=True,
            vpc=self.vpc,
        )

        ec2.InterfaceVpcEndpoint(
            self,
            "VPCe - EC2 Messages",
            service=ec2.InterfaceVpcEndpointService(
                core.Fn.sub("com.amazonaws.${AWS::Region}.ec2messages")),
            private_dns_enabled=True,
            vpc=self.vpc,
        )

        ec2.InterfaceVpcEndpoint(
            self,
            "VPCe - SSM Messages",
            service=ec2.InterfaceVpcEndpointService(
                core.Fn.sub("com.amazonaws.${AWS::Region}.ssmmessages")),
            private_dns_enabled=True,
            vpc=self.vpc,
        )
Example #9
0
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)

        security_vpc = ec2.Vpc(
            self,
            "SecurityVPC",
            cidr="10.0.0.0/16",
            nat_gateways=0,
            max_azs=2,
            subnet_configuration=[
                ec2.SubnetConfiguration(cidr_mask=24,
                                        name="untrust",
                                        subnet_type=ec2.SubnetType.PUBLIC),
                ec2.SubnetConfiguration(cidr_mask=24,
                                        name="trust",
                                        subnet_type=ec2.SubnetType.ISOLATED),
                ec2.SubnetConfiguration(cidr_mask=28,
                                        name="transit",
                                        subnet_type=ec2.SubnetType.ISOLATED),
                ec2.SubnetConfiguration(cidr_mask=28,
                                        name='fw_mgmt',
                                        subnet_type=ec2.SubnetType.ISOLATED)
            ])

        #Expose subnets for child stacks
        # self.subnets = {
        #     'fw_mgmt': security_vpc.select_subnets(subnet_group_name="fw_mgmt"),
        #     'untrust': security_vpc.select_subnets(subnet_group_name='untrust'),
        #     'trust': security_vpc.select_subnets(subnet_group_name='trust')
        # }

        security_vpc.add_gateway_endpoint(
            "S3GW", service=ec2.GatewayVpcEndpointAwsService.S3)

        management_vpc = ec2.Vpc(self,
                                 "ManagmentVPC",
                                 cidr="10.255.0.0/16",
                                 max_azs=1,
                                 subnet_configuration=[
                                     ec2.SubnetConfiguration(
                                         cidr_mask=24,
                                         name="Management",
                                         subnet_type=ec2.SubnetType.PUBLIC)
                                 ])

        management_host = ec2.Instance(
            self,
            "ManagementHost",
            instance_type=ec2.InstanceType("t2.micro"),
            vpc=management_vpc,
            machine_image=ec2.MachineImage.latest_windows(
                ec2.WindowsVersion("WINDOWS_SERVER_2019_ENGLISH_FULL_BASE")),
            key_name='joeycoak-alz-network-us-east-1',
        )

        # rdp = ec2.Port(
        #     protocol=ec2.Protocol("TCP"),
        #     string_representation="RDP",
        #     to_port=3389,
        #     from_port=3389
        # )

        management_host.connections.allow_from_any_ipv4(
            ec2.Port.tcp(3389), "Allow RDP Inbound")

        interface_endpoint_services = ("ec2", "ssm", "secretsmanager")

        for endpoint_service in interface_endpoint_services:
            security_vpc.add_interface_endpoint(
                "{}-Endpoint".format(endpoint_service),
                service=ec2.InterfaceVpcEndpointService(
                    "com.amazonaws.{region}.{endpoint_service}".format(
                        region=self.region,
                        endpoint_service=endpoint_service)),
                subnets=ec2.SubnetSelection(subnet_group_name="fw_mgmt"))

        ec2.CfnTransitGateway(self,
                              "MyCdkTgw",
                              default_route_table_propagation="disable",
                              default_route_table_association="disable")