def alb_listener(self, alb, vpc, alb_port, alb_cert=None):
alb_listener = elbv2.ApplicationListener(
self,
"alb-listener",
load_balancer=alb,
certificate_arns=alb_cert,
open=True,
default_target_groups=[
elbv2.ApplicationTargetGroup(self,
"alb-default-tg",
port=alb_port,
vpc=vpc['vpc'])
],
port=alb_port)
return alb_listener
def __create_application_load_balancer__(self):
alb = elb.ApplicationLoadBalancer(
self,
"frontend-alb",
security_group=self.alb_security_group,
vpc=self.network_stack.vpc,
vpc_subnets=ec2.SubnetSelection(one_per_az=True,
subnet_type=ec2.SubnetType.PUBLIC),
internet_facing=True,
load_balancer_name="acme-frontend-public-alb")
alb_listener_http = elb.ApplicationListener(
self, "frontend-alb-http-listener", load_balancer=alb, port=80)
alb.log_access_logs(self.logs_bucket)
return alb
def configure_load_balancers(self, vpc: ec2.Vpc, publoadbal: elbv2.ApplicationLoadBalancer):
tgroups = {}
hc = elbv2.HealthCheck()
hc['intervalSecs'] = 10
hc['protocol'] = elbv2.ApplicationProtocol.Http
hc['healthyThresholdCount'] = 10
hc['unhealthyThresholdCount'] = 10
hc['timeoutSeconds'] = 5
hc['path'] = '/'
targetgroups = [
{'name': 'grafana', 'httpcode': '302', 'port': 3000},
{'name': 'prometheus', 'httpcode': '405', 'port': 9090},
{'name': 'colorgateway', 'httpcode': '200', 'port': 9080}]
for tgs in targetgroups:
tgname = tgs['name']
code = tgs['httpcode']
port = tgs['port']
hc['healthyHttpCodes'] = code
atg = elbv2.ApplicationTargetGroup(self, id=tgname + 'TargetGroup', protocol=elbv2.ApplicationProtocol.Http,
port=port, deregistration_delay_sec=30, vpc=vpc,
target_group_name='appmeshdemo-' + tgname + '-1', health_check=hc,
target_type=elbv2.TargetType.Ip)
lbl = elbv2.ApplicationListener(self, tgname + 'LoadBalancerListener', port=port,
protocol=elbv2.ApplicationProtocol.Http, default_target_groups=[atg],
load_balancer=publoadbal)
elbv2.ApplicationListenerRule(self, tgname + 'LoadBalancerRule', listener=lbl,
target_groups=[atg], priority=1, path_pattern='*')
tgroups[tgname] = atg
return tgroups
def __init__(self, app: cdk.App, id: str, vpc: ec2.Vpc, servicedomain: str,
**kwargs) -> None:
super().__init__(app, id)
cluster = ecs.Cluster(self, id, vpc=vpc)
cluster.add_default_cloud_map_namespace(
name=servicedomain, type=ecs.NamespaceType.PrivateDns)
self._cluster = cluster
ecssg = ec2.SecurityGroup(self, 'ECSServiceSecurityGroup', vpc=vpc)
ecssg.add_ingress_rule(peer=ec2.CidrIPv4(vpc.vpc_cidr_block),
connection=ec2.TcpAllPorts())
self._clustersg = ecssg
# Bastion host stuff -------------------------------------------------------------------------------------
# BastionInstanceRole
pd = pu.PolicyUtils.createpolicyfromfile(
'./appmeshdemo/policydocs/appmesh.json')
bir = iam.Role(
self,
'BastionInstanceRole',
assumed_by=iam.ServicePrincipal('ec2'),
inline_policies={'appmesh': pd},
managed_policy_arns=[
'arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM'
])
bip = iam.CfnInstanceProfile(self,
'BastionInstanceProfile',
roles=[bir.role_name])
# Bastion EC2 instance
bsg = ec2.SecurityGroup(self, 'BastionSG', vpc=vpc)
bsg.add_ingress_rule(peer=ec2.AnyIPv4(), connection=ec2.TcpAllPorts())
ni = ec2.CfnNetworkInterfaceProps()
ni['associatePublicIpAddress'] = True
ni['deviceIndex'] = '0'
ni['groupSet'] = [bsg.security_group_name]
ni['subnetId'] = vpc.public_subnets[0].subnet_id
bhi = ec2.CfnInstance(
self,
'BastionInstance',
instance_type='t2.micro',
iam_instance_profile=bip.instance_profile_name,
image_id=ec2.AmazonLinuxImage().get_image(self).image_id,
network_interfaces=[ni])
# Load-Balancer stuff ------------------------------------------------------------------------------------
plbsg = ec2.SecurityGroup(self, 'PublicLoadBalancerSG', vpc=vpc)
plbsg.add_ingress_rule(peer=ec2.AnyIPv4(),
connection=ec2.TcpPortRange(0, 65535))
plb = elbv2.ApplicationLoadBalancer(self,
'PublicLoadBalancer',
internet_facing=True,
load_balancer_name='appmeshdemo',
security_group=plbsg,
vpc=vpc,
idle_timeout_secs=30)
self._publoadbal = plb
healthchk = elbv2.HealthCheck()
healthchk['intervalSecs'] = 6
healthchk['healthyThresholdCount'] = 2
healthchk['unhealthyThresholdCount'] = 2
dtg = elbv2.ApplicationTargetGroup(
self,
'DummyTargetGroupPublic',
vpc=vpc,
port=80,
protocol=elbv2.ApplicationProtocol.Http,
health_check=healthchk,
target_group_name='appmeshdemo-drop-1')
plbl = elbv2.ApplicationListener(
self,
'PublicLoadBalancerListener',
load_balancer=plb,
port=80,
protocol=elbv2.ApplicationProtocol.Http,
default_target_groups=[dtg])
cdk.CfnOutput(self,
id='External URL',
value='http://' + plb.load_balancer_dns_name)
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
# The code that defines your stack goes here
# Create a VPC
myvpc = ec2.Vpc(self, "CDKVPC", cidr=vars.cidr)
# SG for ELB creation
websitefrontendSG = ec2.SecurityGroup(
self,
'websitefrontendSG',
vpc=myvpc,
security_group_name='websitefrontendSG')
websitefrontendSG.add_ingress_rule(peer=ec2.Peer.ipv4('0.0.0.0/0'),
connection=ec2.Port.tcp(80))
websitefrontendSG.add_ingress_rule(peer=ec2.Peer.ipv4('0.0.0.0/0'),
connection=ec2.Port.tcp(443))
# Create ALB in VPC
alb = elb.ApplicationLoadBalancer(
self,
'websitefrontend-public',
vpc=myvpc,
load_balancer_name='websitefrontend-public',
security_group=websitefrontendSG,
internet_facing=True)
# Add target group to ALB
catalogtargetgroup = elb.ApplicationTargetGroup(
self,
'CatalogTargetGroup',
port=80,
vpc=myvpc,
target_type=elb.TargetType.IP)
if not vars.sslcert:
# Add http listener to ALB
alblistenerhttp = elb.ApplicationListener(
self,
'alblistenerhttp',
load_balancer=alb,
default_target_groups=[catalogtargetgroup],
port=80)
if vars.sslcert:
# Add http listener to ALB
alblistenerhttp = elb.ApplicationListener(self,
'alblistenerhttp',
load_balancer=alb,
port=80)
elb.ApplicationListenerRule(self,
'httpredirectionrule',
listener=alblistenerhttp,
redirect_response=elb.RedirectResponse(
status_code='HTTP_301',
port='443',
protocol='HTTPS'))
# OPTIONAL - Add https listener to ALB & attach certificate
alblistenerhttps = elb.ApplicationListener(
self,
'alblistenerhttps',
load_balancer=alb,
default_target_groups=[catalogtargetgroup],
port=443,
certificate_arns=[vars.sslcert_arn])
# OPTIONAL - Redirect HTTP to HTTPS
alblistenerhttp.add_redirect_response(id='redirectionrule',
port='443',
status_code='HTTP_301',
protocol='HTTPS')
if vars.customdomain:
# OPTIONAL - Update DNS with ALB
webshopxyz_zone = r53.HostedZone.from_hosted_zone_attributes(
self,
id='customdomain',
hosted_zone_id=vars.hosted_zone_id,
zone_name=vars.zone_name)
webshop_root_record = r53.ARecord(
self,
'ALBAliasRecord',
zone=webshopxyz_zone,
target=r53.RecordTarget.from_alias(
alias.LoadBalancerTarget(alb)))
# SG for ECS creation
ECSSG = ec2.SecurityGroup(self,
'ECSSecurityGroup',
vpc=myvpc,
security_group_name='ECS')
ECSSG.add_ingress_rule(peer=websitefrontendSG,
connection=ec2.Port.tcp(80))
# SG for MySQL creation
MySQLSG = ec2.SecurityGroup(self,
'DBSecurityGroup',
vpc=myvpc,
security_group_name='DB')
MySQLSG.add_ingress_rule(peer=ECSSG, connection=ec2.Port.tcp(3306))
# Create DB subnet group
subnetlist = []
for subnet in myvpc.private_subnets:
subnetlist.append(subnet.subnet_id)
subnetgr = rds.CfnDBSubnetGroup(
self,
'democlustersubnetgroup',
db_subnet_group_name='democlustersubnetgroup',
db_subnet_group_description='DemoCluster',
subnet_ids=subnetlist)
# Create secret db passwd
secret = sm.SecretStringGenerator(
exclude_characters="\"'@/\\",
secret_string_template='{"username": "******"}',
generate_string_key='password',
password_length=40)
dbpass = sm.Secret(self,
'democlusterpass',
secret_name='democlusterpass',
generate_secret_string=secret)
# Create Aurora serverless MySQL instance
dbcluster = rds.CfnDBCluster(
self,
'DemoCluster',
engine='aurora',
engine_mode='serverless',
engine_version='5.6',
db_cluster_identifier='DemoCluster',
master_username=dbpass.secret_value_from_json(
'username').to_string(),
master_user_password=dbpass.secret_value_from_json(
'password').to_string(),
storage_encrypted=True,
port=3306,
vpc_security_group_ids=[MySQLSG.security_group_id],
scaling_configuration=rds.CfnDBCluster.
ScalingConfigurationProperty(auto_pause=True,
max_capacity=4,
min_capacity=1,
seconds_until_auto_pause=300),
db_subnet_group_name=subnetgr.db_subnet_group_name)
dbcluster.add_override('DependsOn', 'democlustersubnetgroup')
# Attach database to secret
attach = sm.CfnSecretTargetAttachment(
self,
'RDSAttachment',
secret_id=dbpass.secret_arn,
target_id=dbcluster.ref,
target_type='AWS::RDS::DBCluster')
# Upload image into ECR repo
ecrdemoimage = ecra.DockerImageAsset(self,
'ecrdemoimage',
directory='../',
repository_name='demorepo',
exclude=['cdk.out'])
# Create ECS fargate cluster
ecscluster = ecs.Cluster(self, "ecsCluster", vpc=myvpc)
# Create task role for productsCatalogTask
getsecretpolicystatement = iam.PolicyStatement(actions=[
"secretsmanager:GetResourcePolicy",
"secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret",
"secretsmanager:ListSecretVersionIds"
],
resources=[
dbpass.secret_arn
],
effect=iam.Effect.ALLOW)
getsecretpolicydocument = iam.PolicyDocument(
statements=[getsecretpolicystatement])
taskrole = iam.Role(
self,
'TaskRole',
assumed_by=iam.ServicePrincipal('ecs-tasks.amazonaws.com'),
role_name='TaskRoleforproductsCatalogTask',
inline_policies=[getsecretpolicydocument])
# Create task definition
taskdefinition = ecs.FargateTaskDefinition(self,
'productsCatalogTask',
cpu=1024,
memory_limit_mib=2048,
task_role=taskrole)
# Add container to task definition
productscatalogcontainer = taskdefinition.add_container(
'productscatalogcontainer',
image=ecs.ContainerImage.from_docker_image_asset(
asset=ecrdemoimage),
environment={
"region": vars.region,
"secretname": "democlusterpass"
})
productscatalogcontainer.add_port_mappings(
ecs.PortMapping(container_port=80, host_port=80))
# Create service and associate it with the cluster
catalogservice = ecs.FargateService(
self,
'catalogservice',
task_definition=taskdefinition,
assign_public_ip=False,
security_group=ECSSG,
vpc_subnets=ec2.SubnetSelection(subnets=myvpc.select_subnets(
subnet_type=ec2.SubnetType.PRIVATE).subnets),
cluster=ecscluster,
desired_count=2)
# Add autoscaling to the service
scaling = catalogservice.auto_scale_task_count(max_capacity=20,
min_capacity=1)
scaling.scale_on_cpu_utilization(
'ScaleOnCPU',
target_utilization_percent=70,
scale_in_cooldown=core.Duration.seconds(amount=1),
scale_out_cooldown=core.Duration.seconds(amount=0))
# Associate the fargate service with load balancer targetgroup
catalogservice.attach_to_application_target_group(catalogtargetgroup)
def __init__(self, scope: cdk.Construct, construct_id: str, **kwargs) -> None:
super().__init__(scope, construct_id, **kwargs)
# The code that defines your stack goes here
#############################################
#Import resorce and custom setting part start
#############################################
#cn-north-1
impRes={
"vpc":"vpc-0883083ff3a10c1ec",
"SvcSG":"sg-04d3b60e954c1c1ef",
"ALBSG":"sg-0b6d093d52d48bba9",
"ALBInternet":True,
"taskRole":"arn:aws-cn:iam::627484392488:role/ecsTaskExecutionRole",
"AlbSubnet":[
{"subnetId":"subnet-0d16fa0c969f234d3",
"routeTabId":"rtb-074c6b532f3030ad6"},
{"subnetId":"subnet-0f28a97c04d3b11cd",
"routeTabId":"rtb-074c6b532f3030ad6"}
],
#"SvcSubNet":[{"subnetId":"subnet-0d16fa0c969f234d3","routeTabId":"rtb-074c6b532f3030ad6"}]
"SvcSubNet":[{"subnetId":"subnet-0f28a97c04d3b11cd","routeTabId":"rtb-0587cc522717461cd"},
{"subnetId":"subnet-0d16fa0c969f234d3","routeTabId":"rtb-0587cc522717461cd"}]
}
newRes={
"TG":{"HealthPath":"/test.html","Port":80,"containPort":80},
"Listener":{"Port":80},
"TaskFamily":"tsFargate",
"ImageAsset1":{"DockfilePath":"httpd-ssh",
"BuildArgs":{"HTTP_PROXY":"http://YOUR_PROXY_SERVER:80"}
}
}
MyTaskDefinition=[{"Cpu":512,"MemLimitMib":1024}]
MyContainerDefinition=[
{"containerName":"MyContainer1",
"cpu":256,
"essential":True,
"portMappings":[ecs.PortMapping(container_port=80,host_port=80)], #"portMappings":[ecs.PortMapping(container_port=80,host_port=80),ecs.PortMapping(container_port=22,host_port=22)],
"environment":{"SSH_PUBLIC_KEY":"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC/alWrS+HH5KkPbso+Tsy+Z0WGTX5wvXvon5OacLMyOU3gj2mbbIifasXf/RadpuywuyW3uFirtRlPmSb5Q0PVLODku503Xettw+u6/Z22VV7F2ACgg4iHaCo2SR4L8saUrLLfcKXKr/WCn3w7uYcqGsXEcSFCCSZgn4BoZJqP4Q=="},
"LogMountPoint":["/usr/local/apache2/logs"]
}
]
MySvc={"AssignPubIp":True, "desiredCount":1}
#############################################
#Import resorce and custom setting part end
#############################################
#if you import external resource app you cannot set destory policy
#import VPC, Private Subnet, SG
vpc = ec2.Vpc.from_lookup(self, "vpc", vpc_id=impRes["vpc"])
#import SG
mysvcsg = ec2.SecurityGroup.from_security_group_id(self, "svcsg",
impRes["SvcSG"],
mutable=False)
#import Role
taskRole = iam.Role.from_role_arn(self, "TaskRole",impRes["taskRole"])
#create ALB
mytargetGrp = elbv2.ApplicationTargetGroup(self, "targetGrp",
target_type=elbv2.TargetType.IP,
port=newRes["TG"]["Port"],
vpc=vpc,
health_check=elbv2.HealthCheck(path=newRes["TG"]["HealthPath"]))
#target group cannot use .apply_removal_policy directly
cfn_mytargetGrp=mytargetGrp.node.find_child("Resource")
cfn_mytargetGrp.apply_removal_policy(cdk.RemovalPolicy.DESTROY)
#import public subnet for alb
albsubnets = [
ec2.Subnet.from_subnet_attributes(self,'albsubnetid1',
subnet_id = impRes["AlbSubnet"][0]["subnetId"],
route_table_id=impRes["AlbSubnet"][0]["routeTabId"]
),
ec2.Subnet.from_subnet_attributes(self,'albsubnetid2',
subnet_id = impRes["AlbSubnet"][1]["subnetId"],
route_table_id=impRes["AlbSubnet"][1]["routeTabId"]
)
]
vpc_subnets_selection = ec2.SubnetSelection(subnets=albsubnets)
#create new ALB
myalb = elbv2.ApplicationLoadBalancer(self, "ALBv2",
vpc=vpc,
security_group=ec2.SecurityGroup.from_security_group_id(self, "ALBSG", impRes["ALBSG"],mutable=False),
internet_facing=impRes["ALBInternet"],
vpc_subnets=vpc_subnets_selection)
myalb.apply_removal_policy(cdk.RemovalPolicy.DESTROY)
#create new ALB listener
myalblistener = elbv2.ApplicationListener(self, "ALBlistenter",
load_balancer=myalb,
port=newRes["Listener"]["Port"])
myalblistener.apply_removal_policy(cdk.RemovalPolicy.DESTROY)
myalblistener.add_target_groups("albaddtg", target_groups=[mytargetGrp])
#create new ECS Cluster
mycluster = ecs.Cluster(self, "cluster", vpc=vpc)
mycluster.apply_removal_policy(cdk.RemovalPolicy.DESTROY)
fargatetaskDefinition = ecs.FargateTaskDefinition(self, "fargatetaskDefinition",
cpu=MyTaskDefinition[0]["Cpu"],
memory_limit_mib=MyTaskDefinition[0]["MemLimitMib"],
execution_role=taskRole,
family=newRes["TaskFamily"],
task_role=taskRole)
#volumes=myEfsVols)
fargatetaskDefinition.apply_removal_policy(cdk.RemovalPolicy.DESTROY)
#defind docker image asset
dirname = os.path.dirname(__file__)
#for container 1 normally httpd
#create Image assent image will generated locally then push to ecr
asset1 = DockerImageAsset(self, "ImageAsset1",
directory=os.path.join(dirname, "../..", newRes["ImageAsset1"]["DockfilePath"]),
build_args=newRes["ImageAsset1"]["BuildArgs"]
)
#create container definition for task definition
MyContainer1def = ecs.ContainerDefinition(self, "MyContainer1def",
task_definition=fargatetaskDefinition,
linux_parameters=ecs.LinuxParameters(self,"LinuxPara1",init_process_enabled=True),
image=ecs.ContainerImage.from_ecr_repository(asset1.repository, asset1.image_uri.rpartition(":")[-1]),
container_name=MyContainerDefinition[0]["containerName"],
essential=MyContainerDefinition[0]["essential"],
port_mappings=MyContainerDefinition[0]["portMappings"],
environment=MyContainerDefinition[0]["environment"]
)
#import service private subnet
mysvcprivateSNs = [
ec2.Subnet.from_subnet_attributes(self,'svcprivateSN1',
subnet_id = impRes["SvcSubNet"][0]["subnetId"],
route_table_id=impRes["SvcSubNet"][0]["routeTabId"]),
ec2.Subnet.from_subnet_attributes(self,'svcprivateSN2',
subnet_id = impRes["SvcSubNet"][1]["subnetId"],
route_table_id=impRes["SvcSubNet"][1]["routeTabId"])
]
#create service
myservice=ecs.FargateService(self,"service",
task_definition=fargatetaskDefinition,
assign_public_ip=MySvc["AssignPubIp"],
platform_version=ecs.FargatePlatformVersion.VERSION1_4,
vpc_subnets=ec2.SubnetSelection(subnets=mysvcprivateSNs),
security_group=mysvcsg,
cluster=mycluster,
desired_count=MySvc["desiredCount"])
mytargetGrp.add_target(myservice.load_balancer_target(container_name="MyContainer1",container_port=newRes["TG"]["containPort"], protocol=ecs.Protocol.TCP))
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
vpc = ec2.Vpc(
self, "MyVpc",
max_azs=2
)
cluster = ecs.Cluster(
self, "EC2Cluster",
vpc=vpc
)
security_group = ec2.SecurityGroup(
self, "SecurityGroup",
vpc=vpc,
allow_all_outbound=True,
)
security_group.add_ingress_rule(
peer=ec2.Peer.any_ipv4(),
connection=ec2.Port.all_tcp(),
description="Allow all traffic"
)
app_target_group = elbv2.ApplicationTargetGroup(
self, "AppTargetGroup",
port=http_port,
vpc=vpc,
target_type=elbv2.TargetType.IP,
)
elastic_loadbalancer = elbv2.ApplicationLoadBalancer(
self, "ALB",
vpc=vpc,
internet_facing=True,
security_group=security_group,
)
app_listener = elbv2.ApplicationListener(
self, "AppListener",
load_balancer=elastic_loadbalancer,
port=http_port,
default_target_groups=[app_target_group],
)
task_definition = ecs.TaskDefinition(
self, "TaskDefenition",
compatibility=ecs.Compatibility.FARGATE,
cpu=task_def_cpu,
memory_mib=task_def_memory_mb,
)
container_defenition = ecs.ContainerDefinition(
self, "ContainerDefenition",
image=ecs.ContainerImage.from_registry("vulnerables/web-dvwa"),
task_definition=task_definition,
logging=ecs.AwsLogDriver(
stream_prefix="DemoContainerLogs",
log_retention=logs.RetentionDays.ONE_DAY,
),
)
container_defenition.add_port_mappings(
ecs.PortMapping(
container_port=http_port,
)
)
fargate_service = ecs.FargateService(
self, "FargateService",
task_definition=task_definition,
cluster=cluster,
security_group=security_group,
)
fargate_service.attach_to_application_target_group(
target_group=app_target_group,
)
core.CfnOutput(
self, "LoadBalancerDNS",
value=elastic_loadbalancer.load_balancer_dns_name
)
def __init__(self, scope: core.Construct, id: str, props,
**kwargs) -> None:
super().__init__(scope, id, **kwargs)
alb_subnet = ec2.SubnetConfiguration(subnet_type=ec2.SubnetType.PUBLIC,
name="ALB",
cidr_mask=24)
db_subnet = ec2.SubnetConfiguration(
subnet_type=ec2.SubnetType.ISOLATED, name="DB", cidr_mask=24)
# VPC
vpc = ec2.Vpc(
self,
"VPC",
max_azs=2,
cidr="10.10.0.0/16",
# configuration will create 2 groups in 2 AZs = 4 subnets.
subnet_configuration=[alb_subnet, db_subnet],
nat_gateway_provider=ec2.NatProvider.gateway(),
nat_gateways=1,
)
# Security groups
# Create Security group that allows traffic into the ALB
alb_security_group = ec2.SecurityGroup(
self,
"ALBSecurityGroup",
description="Ghost ALB Security Group",
vpc=vpc)
alb_security_group.add_ingress_rule(ec2.Peer.any_ipv4(),
ec2.Port.tcp(80),
"allow HTTP to ALB")
alb_security_group.add_ingress_rule(ec2.Peer.any_ipv4(),
ec2.Port.tcp(443),
"allow HTTPS to ALB")
# Create Security group for the host/ENI/Fargate that allows 2368
fargate_security_group = ec2.SecurityGroup(
self,
"FargateSecurityGroup",
description="Ghost ECS Fargate Security Group",
vpc=vpc)
fargate_security_group.add_ingress_rule(
alb_security_group, ec2.Port.tcp(2368),
"allow ghost default 2368 to fargate")
# Create the DB's Security group which only allows access to memebers of the Ghost Fargate SG
db_security_group = ec2.SecurityGroup(
self,
"DBSecurityGroup",
description="Security group for RDS DB Instance for ghost cms",
vpc=vpc)
db_security_group.add_ingress_rule(
fargate_security_group, ec2.Port.tcp(3306),
"allow ghost fargate host to connect to db")
ghost_alb = elb.ApplicationLoadBalancer(
self,
"GhostALB",
internet_facing=True,
vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PUBLIC),
security_group=alb_security_group,
vpc=vpc)
ghost_target_health_check = elb.HealthCheck(
interval=core.Duration.seconds(30),
protocol=elb.Protocol.HTTP,
timeout=core.Duration.seconds(10),
healthy_threshold_count=4,
unhealthy_threshold_count=3,
healthy_http_codes="200,301")
ghost_target_group = elb.ApplicationTargetGroup(
self,
"GhostTargetGroup",
port=2368,
protocol=elb.Protocol.HTTP,
vpc=vpc,
health_check=ghost_target_health_check,
target_type=elb.TargetType.IP)
ghost_alb_listener = elb.ApplicationListener(
self,
"Listener80",
port=80,
protocol=elb.Protocol.HTTP,
load_balancer=ghost_alb,
default_target_groups=[ghost_target_group])
core.CfnOutput(self, "vpcid", value=vpc.vpc_id)
core.CfnOutput(self,
"alb_url",
description="ALB URL",
value=ghost_alb.load_balancer_dns_name)
self.output_props = props.copy()
self.output_props['vpc'] = vpc
self.output_props['subnets'] = vpc.public_subnets
self.output_props['alb_security_group'] = alb_security_group
self.output_props['fargate_security_group'] = fargate_security_group
self.output_props['db_security_group'] = db_security_group
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
az1 = core.Fn.select(0, core.Fn.get_azs(region=core.Aws.REGION))
az2 = core.Fn.select(1, core.Fn.get_azs(region=core.Aws.REGION))
##########
# VPC
##########
# VPC
vpc = ec2.Vpc(self, "vpc", cidr="10.0.0.0/16", subnet_configuration=[])
# Internet gateway
internet_gateway = ec2.CfnInternetGateway(self, "internet-gateway")
ec2.CfnVPCGatewayAttachment(self,
"internet_gateway_attatchment",
vpc_id=vpc.vpc_id,
internet_gateway_id=internet_gateway.ref)
# Public Subnet az1
public_subnet_az1 = ec2.PublicSubnet(self,
"subnet-public-1a",
availability_zone=az1,
cidr_block="10.0.0.0/24",
vpc_id=vpc.vpc_id,
map_public_ip_on_launch=True)
public_subnet_az1.add_route("internet-gateway-route",
router_id=internet_gateway.ref,
router_type=ec2.RouterType.GATEWAY)
# Public Subnet az2
public_subnet_az2 = ec2.PublicSubnet(self,
"subnet-public-1c",
availability_zone=az2,
cidr_block="10.0.1.0/24",
vpc_id=vpc.vpc_id,
map_public_ip_on_launch=True)
public_subnet_az2.add_route("internet-gateway-route",
router_id=internet_gateway.ref,
router_type=ec2.RouterType.GATEWAY)
# Private Subnet az1
private_subnet_az1 = ec2.PrivateSubnet(self,
"subnet-private-1a",
availability_zone=az1,
cidr_block="10.0.2.0/24",
vpc_id=vpc.vpc_id)
# Private Subnet az2
private_subnet_az2 = ec2.PrivateSubnet(self,
"subnet-private-1c",
availability_zone=az2,
cidr_block="10.0.3.0/24",
vpc_id=vpc.vpc_id)
##########
# EC2
##########
# # EC2 Security Group
ec2_security_group = ec2.SecurityGroup(self,
"ec2-security-group",
vpc=vpc)
# ec2_security_group.add_ingress_rule(peer=ec2.Peer.any_ipv4(),connection=ec2.Port.tcp(80))
# User Data
user_data = ec2.UserData.for_linux()
user_data.add_commands(
"yum -y update", "amazon-linux-extras install php7.2 -y",
"yum -y install mysql httpd php-mbstring php-xml",
"wget http://ja.wordpress.org/latest-ja.tar.gz -P /tmp/",
"tar zxvf /tmp/latest-ja.tar.gz -C /tmp",
"cp -r /tmp/wordpress/* /var/www/html/",
"chown apache:apache -R /var/www/html",
"systemctl enable httpd.service", "systemctl start httpd.service")
# EC2 Instance
instance_az1 = ec2.CfnInstance(
self,
"wordpress-instance-az1",
subnet_id=public_subnet_az1.subnet_id,
image_id=ec2.AmazonLinuxImage(
generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2).get_image(
self).image_id,
instance_type=ec2.InstanceType.of(
instance_class=ec2.InstanceClass.BURSTABLE3,
instance_size=ec2.InstanceSize.MICRO).to_string(),
security_group_ids=[ec2_security_group.security_group_id],
user_data=core.Fn.base64(user_data.render()))
core.CfnOutput(self,
"EC2 PublicDnsName",
value=instance_az1.attr_public_dns_name)
##########
# RDS
##########
# RDS Security Group
rds_security_group = ec2.SecurityGroup(self,
"rds-security-group",
vpc=vpc)
ec2.CfnSecurityGroupIngress(
self,
"rds-security-group-ingress",
group_id=rds_security_group.security_group_id,
ip_protocol="tcp",
from_port=3306,
to_port=3306,
source_security_group_id=ec2_security_group.security_group_id)
# RDS Subnet Group
rds_subnet_group = rds.CfnDBSubnetGroup(
self,
"rds-subnet-group",
db_subnet_group_description="rds-subnet-group",
subnet_ids=[
private_subnet_az1.subnet_id, private_subnet_az2.subnet_id
])
# RDS Instance
rds_instance = rds.CfnDBInstance(
self,
"rds-instance",
db_instance_identifier="wordpress-rds",
engine=rds.DatabaseInstanceEngine.mysql(
version=rds.MysqlEngineVersion.VER_8_0_20).engine_type,
db_instance_class="db.t3.micro",
master_username="******",
master_user_password="******",
db_name="wordpress",
multi_az=False,
vpc_security_groups=[rds_security_group.security_group_id],
db_subnet_group_name=rds_subnet_group.ref,
allocated_storage="20")
core.CfnOutput(self,
"RDS EndpointAddress",
value=rds_instance.attr_endpoint_address)
core.CfnOutput(self,
"RDS EndpointPort",
value=rds_instance.attr_endpoint_port)
##########
# ALB
##########
# ALB Security Group
alb_security_group = ec2.SecurityGroup(self,
"alb-security-group",
vpc=vpc)
alb_security_group.add_ingress_rule(peer=ec2.Peer.any_ipv4(),
connection=ec2.Port.tcp(80))
# ALB Instance
alb_instance = elb.ApplicationLoadBalancer(
self,
"alb",
vpc=vpc,
vpc_subnets=ec2.SubnetSelection(
subnets=[public_subnet_az1, public_subnet_az2]),
internet_facing=True,
security_group=alb_security_group)
# ALB Target Group
alb_target_group = elb.ApplicationTargetGroup(
self,
"alb-target-group",
vpc=vpc,
target_type=elb.TargetType.INSTANCE,
targets=[elb.InstanceTarget(instance_az1.ref)],
protocol=elb.ApplicationProtocol.HTTP,
port=80,
health_check=elb.HealthCheck(protocol=elb.ApplicationProtocol.HTTP,
path="/wp-includes/images/blank.gif"))
# ALB Listener
alb_listener = elb.ApplicationListener(
self,
"alb-listener",
load_balancer=alb_instance,
default_target_groups=[alb_target_group],
protocol=elb.ApplicationProtocol.HTTP,
port=80)
core.CfnOutput(self,
"ALB DNS Name",
value=alb_instance.load_balancer_dns_name)
# EC2 Security Group Ingress
ec2.CfnSecurityGroupIngress(
self,
"ec2-security-group-ingress",
group_id=ec2_security_group.security_group_id,
ip_protocol="tcp",
from_port=80,
to_port=80,
source_security_group_id=alb_security_group.security_group_id)
