def __init__(self, scope: cdk.Stack, construct_id: str, **kwargs) -> None: super().__init__(scope, construct_id, **kwargs) # Create the VPC resource. self._vpc = Vpc(self, "MyVPC", cidr="10.10.0.0/16") # Create a Security Group within the VPC that is used to allow # management traffic from designated jump hosts. self._sg = SecurityGroup( self, "MySG", vpc=self._vpc, allow_all_outbound=False, description="Management traffic from jump boxes", security_group_name="jumpbox-mgmt-traffic") # Add ingress rules to the Security Group for the jump host # 10.255.0.10 to TCP/22 and TCP/3389. self._sg.add_ingress_rule(peer=Peer.ipv4("10.255.0.10/32"), connection=Port( protocol=Protocol.TCP, string_representation="host1", from_port=22, to_port=22)) self._sg.add_ingress_rule(peer=Peer.ipv4("10.255.0.10/32"), connection=Port( protocol=Protocol.TCP, string_representation="host1", from_port=3389, to_port=3389))
def get_peer(self, traffic: AlbTrafficEnum) -> Optional[IPeer]: """ Depending on enum creates a peer. :param traffic: Configuration enum. :return: Peer. """ if traffic == AlbTrafficEnum.INTERNET: cidr_peer = Peer.any_ipv4() elif traffic == AlbTrafficEnum.VPC: cidr_peer = Peer.ipv4(self.__vpc.vpc_cidr_block) else: cidr_peer = None return cidr_peer
def create_sg(self, jump_host, mgmt_ports): # Create a Security Group within the VPC that is used to allow # management traffic from designated jump hosts. self._sg = SecurityGroup( self, "MySG", vpc=self._vpc, allow_all_outbound=False, description="Management traffic from jump boxes", security_group_name="jumpbox-mgmt-traffic") # Add ingress rules to the Security Group for port in mgmt_ports: self._sg.add_ingress_rule(peer=Peer.ipv4(jump_host), connection=Port( protocol=Protocol.TCP, string_representation="jump", from_port=int(port), to_port=int(port)))
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: super().__init__(scope, id, **kwargs) # The code that defines your stack goes here EcsStack.readConfig(0) vpc = ec.Vpc( self, "Main", cidr="11.0.0.0/26", max_azs=2, nat_gateways=1, subnet_configuration=[ ec.SubnetConfiguration(name="public", cidr_mask=28, subnet_type=ec.SubnetType.PUBLIC), ec.SubnetConfiguration(name="private", cidr_mask=28, subnet_type=ec.SubnetType.PRIVATE) ]) cluster = ecs.Cluster(self, "TestingCluster", vpc=vpc) # defining the task iam role taskRole = iam.Role( self, id="taskRole", assumed_by=iam.CompositePrincipal( iam.ServicePrincipal(service='ecs-tasks.amazonaws.com'), iam.ServicePrincipal(service='ec2.amazonaws.com')), role_name="webmaintaskRole", managed_policies=[ iam.ManagedPolicy.from_aws_managed_policy_name( "AmazonRDSFullAccess"), iam.ManagedPolicy.from_aws_managed_policy_name( "AmazonSQSFullAccess"), iam.ManagedPolicy.from_aws_managed_policy_name( "AmazonS3FullAccess"), iam.ManagedPolicy.from_aws_managed_policy_name( "CloudWatchFullAccess"), iam.ManagedPolicy.from_aws_managed_policy_name( "AmazonDynamoDBFullAccess"), iam.ManagedPolicy.from_aws_managed_policy_name( "AmazonRedshiftFullAccess"), iam.ManagedPolicy.from_aws_managed_policy_name( "AmazonKinesisFullAccess"), iam.ManagedPolicy.from_aws_managed_policy_name( "service-role/AmazonECSTaskExecutionRolePolicy"), iam.ManagedPolicy.from_aws_managed_policy_name( "AmazonSNSFullAccess"), iam.ManagedPolicy.from_aws_managed_policy_name( "service-role/AWSLambdaRole"), iam.ManagedPolicy(self, id="ManagedPolicy", managed_policy_name="Grant_dev", statements=[ iam.PolicyStatement(actions=[ "kms:Decrypt", "secretemanager:GetSecreteValue" ], resources=["*"]) ]) ]) # taskRole.add_managed_policy(iam.ManagedPolicy.from_aws_managed_policy_name("AmazonRDSFullAccess")) # WebApp Main task Defenition & Service webmain_task_definition = ecs.FargateTaskDefinition( self, "WebAppMain", memory_limit_mib=512, cpu=256, task_role=taskRole, execution_role=taskRole) webmain_container = webmain_task_definition.add_container( "webapp-mainContainer", image=ecs.ContainerImage.from_registry("amazon/amazon-ecs-sample"), environment=EcsStack.commands, docker_labels={ "com.datadoghq.ad.instances": "[{\"host\": \"%%host%%\", \"port\": 80}]", "com.datadoghq.ad.check_names": "[\"ecs_fargate\"]", "com.datadoghq.ad.init_configs": "[{}]" }, logging=ecs.LogDriver.aws_logs(stream_prefix="awslogs")) # Clearing the environment vairables from the commands(Map) EcsStack.commands.clear() EcsStack.readConfig(1) webmain_datadog_container = webmain_task_definition.add_container( "webapp-main_datadog_Container", image=ecs.ContainerImage.from_registry("amazon/amazon-ecs-sample"), environment=EcsStack.commands) webmain_port_mapping = ecs.PortMapping(container_port=80, host_port=80, protocol=ecs.Protocol.TCP) datadog_port_mapping1 = ecs.PortMapping(container_port=8126, host_port=8126, protocol=ecs.Protocol.TCP) datadog_port_mapping2 = ecs.PortMapping(container_port=8125, host_port=8125, protocol=ecs.Protocol.TCP) webmain_container.add_port_mappings(webmain_port_mapping) webmain_datadog_container.add_port_mappings(datadog_port_mapping1) webmain_datadog_container.add_port_mappings(datadog_port_mapping2) # Security group for service webmain_sg = ec.SecurityGroup(self, "webmain_sg", vpc=vpc, allow_all_outbound=True, security_group_name="WebAppMain") webmain_sg.add_ingress_rule(peer=Peer.ipv4("202.65.133.194/32"), connection=Port.tcp(5432)) webmain_service = ecs.FargateService( self, "webapp-main", cluster=cluster, task_definition=webmain_task_definition, desired_count=1, security_group=webmain_sg) # defining the load balancer webmain_lb = elbv2.ApplicationLoadBalancer( self, "LB", vpc=vpc, internet_facing=True, load_balancer_name="WebAppMain", # security_group= vpc_subnets=ec.SubnetSelection(subnet_type=ec.SubnetType.PUBLIC)) webmain_target_grp = elbv2.ApplicationTargetGroup( self, id="webapp-main-target", port=80, protocol=elbv2.ApplicationProtocol.HTTP, health_check=elbv2.HealthCheck(healthy_http_codes="200-399", healthy_threshold_count=2, unhealthy_threshold_count=2, port="traffic-port", protocol=elbv2.Protocol.HTTP, timeout=core.Duration.seconds(6), interval=core.Duration.seconds(10)), targets=[webmain_service], target_group_name="WebAppMain", target_type=elbv2.TargetType.IP, vpc=vpc) listener = webmain_lb.add_listener( "webMain_Listener", port=443, open=True, default_target_groups=[webmain_target_grp], certificate_arns=[ "arn:aws:acm:us-west-2:384853870836:certificate/182c0fdd-813f-4bd3-aee1-0b4543cfb52b" ]) listener2 = webmain_lb.add_listener( "webMain_Listener2", port=80, # default_target_groups=[webmain_target_grp] ) # elbv2.ApplicationListenerCertificate(self,"WebAppMAin_Certificate",listener=listener,certificate_arns=["arn:aws:acm:us-west-2:384853870836:certificate/182c0fdd-813f-4bd3-aee1-0b4543cfb52b"]) listener2.add_redirect_response(id="HttptoHttps", status_code="HTTP_301", port="443", protocol="HTTPS")
def __init__(self, scope: cdk.Construct, construct_id: str, config, vpc: IVpc, **kwargs) -> None: super().__init__(scope, construct_id, **kwargs) self.neo4j_user_secret = Secret(self,'secretsmanager-secret-neo4j-user', secret_name=NEO4J_USER_SECRET_NAME ) neo4j_server_instance_role = Role(self,'iam-role-neo4j-server-instance', assumed_by=ServicePrincipal('ec2.amazonaws.com'), managed_policies=[ ManagedPolicy.from_aws_managed_policy_name('AmazonSSMManagedInstanceCore'), # Use SSM Session Manager rather than straight ssh ManagedPolicy.from_aws_managed_policy_name('CloudWatchAgentServerPolicy') ], inline_policies={ "work-with-tags": PolicyDocument( statements=[ PolicyStatement( actions=[ 'ec2:CreateTags', 'ec2:Describe*', 'elasticloadbalancing:Describe*', 'cloudwatch:ListMetrics', 'cloudwatch:GetMetricStatistics', 'cloudwatch:Describe*', 'autoscaling:Describe*', ], resources=["*"] ) ] ), "access-neo4j-user-secret": PolicyDocument( statements=[ PolicyStatement( actions=['secretsmanager:GetSecretValue'], resources=[self.neo4j_user_secret.secret_arn] ) ] ) } ) instance_security_group = SecurityGroup(self, "ec2-sg-neo4j-server-instance", description="Altimeter Neo4j Server Instance", vpc=vpc ) instance_security_group.add_ingress_rule(Peer.ipv4("0.0.0.0/0"), Port.tcp(7687), 'Bolt from ANYWHERE') # TESTING # instance_security_group.add_ingress_rule(Peer.ipv4("0.0.0.0/0"), Port.tcp(7473), 'Bolt from ANYWHERE') # TESTING # Prepare userdata script with open("./resources/neo4j-server-instance-userdata.sh", "r") as f: userdata_content = f.read() userdata_content = userdata_content.replace("[[NEO4J_USER_SECRET_NAME]]",NEO4J_USER_SECRET_NAME) user_data = UserData.for_linux() user_data.add_commands(userdata_content) instance_type = InstanceType.of(InstanceClass.BURSTABLE2, InstanceSize.MEDIUM) self.instance = Instance(self, 'ec2-instance-neo4j-server-instance', instance_name="instance-altimeter--neo4j-community-standalone-server", machine_image=MachineImage.generic_linux( ami_map={ "eu-west-1": "ami-00c8631d384ad7c53" } ), instance_type=instance_type, role=neo4j_server_instance_role, vpc=vpc, # vpc_subnets=SubnetSelection(subnets=vpc.select_subnets(subnet_group_name='Private').subnets), vpc_subnets=SubnetSelection(subnets=vpc.select_subnets(subnet_group_name='Public').subnets), security_group=instance_security_group, user_data=user_data, block_devices=[ BlockDevice( device_name="/dev/sda1", volume=BlockDeviceVolume.ebs( volume_size=10, volume_type=EbsDeviceVolumeType.GP2, encrypted=True, # Just encrypt delete_on_termination=True ) ), BlockDevice( device_name="/dev/sdb", volume=BlockDeviceVolume.ebs( volume_size=20, # TODO: Check size requirements volume_type=EbsDeviceVolumeType.GP2, encrypted=True, delete_on_termination=True # ASSUMPTION: NO 'primary' data, only altimeter results. ) ) ] ) cdk.Tags.of(self.instance).add("neo4j_mode", "SINGLE") cdk.Tags.of(self.instance).add("dbms_mode", "SINGLE")