def __init__(self, app: core.Construct, id: str, **kwargs) -> None: super().__init__(app, id) iam_role = RoleConstruct( self, 'role', assumed_by=iam.ServicePrincipal(ServicePrincipals.ECS_TASKS), managed_policies=[ManagedPolicies.AMAZON_S3_FULL_ACCESS]).iam_role self.taskDefinition = ecs.FargateTaskDefinition(self, 'task_definition', task_role=iam_role) # build a new docker image and push to Elastic Container Registry self.docker_image_asset = ecr_assets.DockerImageAsset( self, 'image_asset', directory='../src', build_args={'SCRIPTPATH': kwargs.get('script_path')}) # get the image from the built docker image asset self.docker_image = ecs.ContainerImage.from_docker_image_asset( self.docker_image_asset) # add container to task definition self.taskDefinition.add_container( 'container', image=self.docker_image, logging=ecs.LogDriver.aws_logs(stream_prefix='fargatetask'), environment={'sns_topic': kwargs.get('sns_topic').topic_name}) kwargs.get('sns_topic').grant_publish(self.taskDefinition.task_role) rule = events.Rule( self, "rule", description="trigger for fargate task", enabled=True, schedule=kwargs.get('schedule'), targets=[ events_targets.EcsTask( cluster=kwargs.get('cluster'), taskDefinition=self.taskDefinition, securityGroup=kwargs.get('ecs_security_group'), ) ])
def __init__(self, scope: core.Construct, id: str, network_stack: core.Stack, **kwargs) -> None: super().__init__(scope, id, **kwargs) # Create ServiceRole for EC2 instances; enable SSM usage ec2_instance_role = iam.Role( self, "Role", assumed_by=iam.ServicePrincipal("ec2.amazonaws.com"), managed_policies=[ iam.ManagedPolicy.from_aws_managed_policy_name( "AmazonSSMManagedInstanceCore") ], description="This is a custom role for assuming the SSM role") # Create security group ec2_sg = ec2.SecurityGroup(self, id='test-ec2-instance-sg', vpc=network_stack.vpc) # Create Ingress rule to allow ping ec2_sg.add_ingress_rule(ec2.Peer.ipv4('172.16.0.0/16'), ec2.Port.all_icmp()) # Create Instance ec2.Instance( self, 'Instance', role=ec2_instance_role, vpc=network_stack.vpc, instance_type=ec2.InstanceType.of( instance_class=ec2.InstanceClass.BURSTABLE3_AMD, instance_size=ec2.InstanceSize.NANO, ), machine_image=ec2.AmazonLinuxImage( generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2, ), security_group=ec2_sg) # Set the default route on the subnets to the TGW for subnet in network_stack.vpc.isolated_subnets: ec2.CfnRoute(self, id='vpc-route-all-tgw', route_table_id=subnet.route_table.route_table_id, destination_cidr_block='0.0.0.0/0', transit_gateway_id=network_stack.tgw.ref)
def __init__(self, scope: core.Construct, id: str, vpc: ec2.Vpc, bastion_sg: ec2.SecurityGroup, **kwargs) -> None: super().__init__(scope, id, **kwargs) role = iam.Role(self, 'ec2-bastion-role', assumed_by=iam.ServicePrincipal('ec2.amazonaws.com') ) # Grant permission to access the MAD secret role.add_managed_policy(policy=iam.ManagedPolicy.from_managed_policy_arn(self, 'MP1', 'arn:aws:iam::aws:policy/SecretsManagerReadWrite')) role.add_managed_policy(policy=iam.ManagedPolicy.from_managed_policy_arn(self, 'MP2', 'arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore')) # Setup UserData user_data= '<powershell> \n' user_data+= 'Import-Module AWSPowerShell \n' user_data+= 'New-NetFirewallRule -DisplayName "Allow local VPC" -Direction Inbound -LocalAddress 10.0.0.0/8 -LocalPort Any -Action Allow \n' user_data+= 'ADD-WindowsFeature RSAT-AD-Tools \n' user_data+= 'ADD-WindowsFeature RSAT-DNS-Server \n' user_data+= '[string]$SecretAD = "MADSecret" \n' user_data+= '$SecretObj = Get-SECSecretValue -SecretId $SecretAD \n' user_data+= '[PSCustomObject]$Secret = ($SecretObj.SecretString | ConvertFrom-Json) \n' user_data+= '$password = $Secret.Password | ConvertTo-SecureString -asPlainText -Force \n' user_data+= '$username = $Secret.username + "@" + $Secret.Domain \n' user_data+= '$credential = New-Object System.Management.Automation.PSCredential($username,$password) \n' user_data+= 'Add-Computer -DomainName $Secret.Domain -Credential $credential -Restart -Force \n' user_data+= '</powershell> \n' # Create Bastion bastion = ec2.Instance(self, 'Bastion', instance_type=ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE3, ec2.InstanceSize.MEDIUM), machine_image=ec2.MachineImage.from_ssm_parameter( parameter_name='/aws/service/ami-windows-latest/Windows_Server-2019-English-Full-Base', os=ec2.OperatingSystemType.WINDOWS ), vpc=vpc, user_data=ec2.UserData.custom(user_data), #key_name='ec2_key', role=role, vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PUBLIC), security_group=bastion_sg ) core.CfnOutput(self, "Bastion Host", value=bastion.instance_public_dns_name )
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: super().__init__(scope, id, **kwargs) # Create Bucket bucket = s3.Bucket(self, "cdk-firehose-bucket") # IAM Role for Firehose firehose_role = iam.Role( self, "FirehoseRole", assumed_by=iam.ServicePrincipal(service="firehose.amazonaws.com")) delivery_policy = iam.Policy( self, "FirehosePolicy", policy_name="FirehosePolicy", statements=[ iam.PolicyStatement( effect=iam.Effect.ALLOW, actions=[ "s3:AbortMultipartUpload", "s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:PutObject" ], resources=[bucket.bucket_arn, bucket.bucket_arn + "/*"]) ]) delivery_policy.attach_to_role(firehose_role) # Firehose stream delivery_stream = firehose.CfnDeliveryStream( self, "QueueingStream", delivery_stream_name="QueueingStream", s3_destination_configuration={ "bucketArn": bucket.bucket_arn, "roleArn": firehose_role.role_arn }, elasticsearch_destination_configuration=None) # delivery_stream.add_depends_on(firehose_role) # We assign the stream's arn and name to a local variable for the Object. self._delivery_stream_name = delivery_stream.delivery_stream_name self._delivery_stream_arn = delivery_stream.attr_arn
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: super().__init__(scope, id, **kwargs) vpc = ec2.Vpc( self, "VPC", nat_gateways=0, subnet_configuration=[ ec2.SubnetConfiguration(name="public", subnet_type=ec2.SubnetType.PUBLIC) ], ) ami_amazon_linux = ec2.MachineImage.latest_amazon_linux( generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2, edition=ec2.AmazonLinuxEdition.STANDARD, virtualization=ec2.AmazonLinuxVirt.HVM, storage=ec2.AmazonLinuxStorage.GENERAL_PURPOSE, ) role = iam.Role(self, "InstanceSSM", assumed_by=iam.ServicePrincipal("ec2.amazonaws.com")) ec2.Instance( self, "Instance", instance_type=ec2.InstanceType("t2.micro"), machine_image=ami_amazon_linux, vpc=vpc, role=role, ) security_group = aws_ec2.SecurityGroup( self, "EC2SecurityGroup", vpc=vpc, description="EC2 security group via CDK", security_group_name="CDK SecurityGroup", ) security_group.add_ingress_rule( aws_ec2.Peer.ipv4("10.0.0.0/16"), aws_ec2.Port.tcp(22), "allow ssh access from the VPC", )
def __init__(self, scope: core.Construct, id: str, TargetS3="default", **kwargs): super().__init__(scope, id, **kwargs) self.function_list = {} self.lambda_compute_role = _iam.Role( self, 'lambda_compute_role', assumed_by=_iam.CompositePrincipal( _iam.ServicePrincipal('lambda.amazonaws.com'), ), managed_policies=[ _iam.ManagedPolicy.from_aws_managed_policy_name( "CloudWatchLogsFullAccess") ]) TargetS3.grant_read_write(self.lambda_compute_role) self.Get_Job_List = _lambda.Function( self, 'Get_Job_List', runtime=_lambda.Runtime.PYTHON_3_7, handler='get_job_list.handler', code=_lambda.Code.asset('workshop/lambda/get_job_list'), # environment = { # 'BUCKET': "", # 'KEY': "", # }, timeout=core.Duration.seconds(15), role=self.lambda_compute_role) self.function_list["Get_Job_List"] = self.Get_Job_List self.Get_Output_size = _lambda.Function( self, 'Get_Output_size', runtime=_lambda.Runtime.PYTHON_3_7, handler='get_output_size.handler', code=_lambda.Code.asset('workshop/lambda/get_output_size'), timeout=core.Duration.seconds(15), role=self.lambda_compute_role) self.function_list["Get_Output_size"] = self.Get_Output_size
def create_ecs_role(stack): ecs_role = iam.Role( stack, 'FargateTaskExecutionServiceRole', assumed_by=iam.ServicePrincipal('ecs-tasks.amazonaws.com')) ecs_role.add_to_policy( iam.PolicyStatement(effect=iam.Effect('ALLOW'), resources=['*'], actions=[ 'ecr:GetAuthorizationToken', 'ecr:BatchCheckLayerAvailability', 'ecr:GetDownloadUrlForLayer', 'ecr:BatchGetImage', 'logs:CreateLogStream', 'logs:PutLogEvents' ])) return ecs_role
def __init__(self, app: App, id: str) -> None: super().__init__(app, id) # Lambda Function with open("lambda-handler.py", encoding="utf8") as fp: handler_code = fp.read() lambdaFn = _lambda.Function( self, "IoTTriggerLambda", code=_lambda.InlineCode(handler_code), handler="index.main", timeout=Duration.seconds(10), runtime=_lambda.Runtime.PYTHON_3_9, ) # Set Lambda Logs Retention and Removal Policy logs.LogGroup(self, 'logs', log_group_name=f"/aws/lambda/{lambdaFn.function_name}", removal_policy=RemovalPolicy.DESTROY, retention=logs.RetentionDays.ONE_DAY) # IoT Thing iot_thing = iot.CfnThing(self, "IoTThing", thing_name="MyIotThing") # IoT Rule with SQL, which invokes a Lambda Function iot_topic_rule_sql = 'SELECT * FROM "$aws/things/MyIotThing/*"' iot_topic_rule = iot.CfnTopicRule( self, "IoTRule", topic_rule_payload=iot.CfnTopicRule.TopicRulePayloadProperty( sql=iot_topic_rule_sql, actions=[ iot.CfnTopicRule.ActionProperty( lambda_=iot.CfnTopicRule.LambdaActionProperty( function_arn=lambdaFn.function_arn)) ])) # Lambda Resource Policy allows invocation from IoT Rule lambdaFn.add_permission( "GrantIoTRule", principal=iam.ServicePrincipal("iot.amazonaws.com"), source_arn=iot_topic_rule.attr_arn)
def __init__(self, scope: core.Construct, id: str, props, **kwargs) -> None: super().__init__(scope, id, **kwargs) vpc = ec2.Vpc(self, f"{props['namespace'].lower()}-vpc", max_azs=3) cluster = ecs.Cluster(self, f"{props['namespace'].lower()}-cluster", vpc=vpc) task_role = iam.Role( self, f"{props['namespace'].lower()}-task-role", assumed_by=iam.ServicePrincipal('ecs-tasks.amazonaws.com')) task_role.add_to_policy( iam.PolicyStatement( effect=iam.Effect.ALLOW, actions=["lambda:*", "cloudwatch:*", "dynamodb:*", "logs:*"], resources=["*"])) service = ecs_patterns.ApplicationLoadBalancedFargateService( self, f"{props['namespace'].lower()}", cluster=cluster, # Required cpu=512, # Default is 256 desired_count=6, # Default is 1 task_image_options=ecs_patterns. ApplicationLoadBalancedTaskImageOptions( image=ecs.ContainerImage.from_ecr_repository( props['ecr'], f"{props['namespace']}"), container_name="regulators", container_port=8000, task_role=task_role), memory_limit_mib=2048, # Default is 512 public_load_balancer=True # Default is False ) service.target_group.health_check = elb.HealthCheck( protocol=elb.Protocol.HTTP, port='8000', path='/', healthy_threshold_count=2, unhealthy_threshold_count=4)
def __init__(self, scope: core.Construct, id: str, vpc: ec2.IVpc, db_instance_class: str, **kwargs) -> None: super().__init__(scope, id, **kwargs) stack = core.Stack.of(self) role = iam.Role( self, 'NeptuneRole', assumed_by=iam.ServicePrincipal('rds.amazonaws.com'), ) sg = ec2.SecurityGroup( self, 'SecurityGroup', vpc=vpc, ) subnet_group = neptune.CfnDBSubnetGroup( self, 'SubnetGroup', db_subnet_group_name='{}-subnet-group'.format( stack.stack_name.lower()), db_subnet_group_description='Private subnets', subnet_ids=[subnet.subnet_id for subnet in vpc.private_subnets]) cluster = neptune.CfnDBCluster( self, 'Cluster', db_subnet_group_name=subnet_group.ref, vpc_security_group_ids=[sg.security_group_id], associated_roles=[{ 'roleArn': role.role_arn }]) neptune.CfnDBInstance( self, 'Instance', db_cluster_identifier=cluster.ref, db_instance_class=db_instance_class, ) self.endpoint = cluster.attr_endpoint self.role = role self.security_group = sg
def __init__( self, scope: core.Construct, id: str, cluster_name: str, **kwargs, ) -> None: super().__init__(scope, id, **kwargs) # EKS admin role self._clusterAdminRole = iam.Role( self, 'clusterAdmin', assumed_by=iam.AccountRootPrincipal()) self._clusterAdminRole.add_to_policy( iam.PolicyStatement( resources=["*"], actions=[ "eks:Describe*", "eks:List*", "eks:AccessKubernetesApi", "ssm:GetParameter", "iam:ListRoles" ], )) core.Tags.of(self._clusterAdminRole).add(key='eks/%s/type' % cluster_name, value='admin-role') # Managed Node Group Instance Role _managed_node_managed_policies = ( iam.ManagedPolicy.from_aws_managed_policy_name( 'AmazonEKSWorkerNodePolicy'), iam.ManagedPolicy.from_aws_managed_policy_name( 'AmazonEKS_CNI_Policy'), iam.ManagedPolicy.from_aws_managed_policy_name( 'AmazonEC2ContainerRegistryReadOnly'), iam.ManagedPolicy.from_aws_managed_policy_name( 'CloudWatchAgentServerPolicy'), ) self._managed_node_role = iam.Role( self, 'NodeInstance-Role', role_name=cluster_name + '-NodeInstanceRole', path='/', assumed_by=iam.ServicePrincipal('ec2.amazonaws.com'), managed_policies=list(_managed_node_managed_policies), )
def __init__(self, scope: core.Construct, id: str, api_gateway: aws_apigateway.RestApi, **kwargs): super().__init__(scope, id, **kwargs) vpc = ec2.Vpc.from_lookup(self, id="default", is_default=True) self.redis = self.create_redis(vpc) ecr_image = aws_lambda.EcrImageCode.from_asset_image( directory=os.path.join(os.getcwd(), "startuptoolbag/lambda-redis")) lambda_vpc_role = aws_iam.Role( self, id='lambda-vpc-role2', assumed_by=aws_iam.ServicePrincipal("lambda.amazonaws.com"), managed_policies=[ aws_iam.ManagedPolicy.from_aws_managed_policy_name( 'service-role/AWSLambdaBasicExecutionRole'), aws_iam.ManagedPolicy.from_aws_managed_policy_name( 'service-role/AWSLambdaVPCAccessExecutionRole') ]) lambda_function = aws_lambda.Function( self, id="lambdaRedisContainerFunction", description="LambdaRedisFunction", code=ecr_image, handler=aws_lambda.Handler.FROM_IMAGE, runtime=aws_lambda.Runtime.FROM_IMAGE, environment={ "CACHE_ADDRESS": self.redis.attr_redis_endpoint_address, "CACHE_PORT": self.redis.attr_redis_endpoint_port }, role=lambda_vpc_role, vpc=vpc, allow_public_subnet=True, memory_size=128, reserved_concurrent_executions=10, timeout=core.Duration.seconds(10)) foo_r = api_gateway.root.add_resource("cache") foo_r.add_method('GET', aws_apigateway.LambdaIntegration(lambda_function))
def _create_glue_role(self): """ Setup the permissions our glue crawler needs to have """ return iam.Role( self, id=f"GlueServiceRole", assumed_by=iam.ServicePrincipal("glue.amazonaws.com"), managed_policies=[ iam.ManagedPolicy.from_aws_managed_policy_name( "service-role/AWSGlueServiceRole"), iam.ManagedPolicy.from_aws_managed_policy_name( "AmazonS3FullAccess"), iam.ManagedPolicy.from_aws_managed_policy_name( "CloudWatchLogsFullAccess"), iam.ManagedPolicy.from_aws_managed_policy_name( "AmazonSSMReadOnlyAccess"), ], )
def __init__(self, scope: core.Construct, id: str, vpc: ec2.IVpc, **kwargs) -> None: super().__init__(scope, id, **kwargs) role = iam.Role( self, 'Ec2Role', assumed_by=iam.ServicePrincipal('ec2.amazonaws.com'), managed_policies=[ iam.ManagedPolicy.from_aws_managed_policy_name( 'AmazonSSMManagedInstanceCore'), ], ) sg = ec2.SecurityGroup( self, 'SecurityGroup', vpc=vpc, ) # TODO: add this to userdata # yum install java-1.8.0-devel -y # wget https://archive.apache.org/dist/tinkerpop/3.4.1/apache-tinkerpop-gremlin-console-3.4.1-bin.zip # unzip apache-tinkerpop-gremlin-console-3.4.1-bin.zip # cd apache-tinkerpop-gremlin-console-3.4.1 # wget https://www.amazontrust.com/repository/SFSRootCAG2.pem ec2.Instance( self, 'Instance', role=role, vpc=vpc, security_group=sg, instance_type=ec2.InstanceType.of( instance_class=ec2.InstanceClass.BURSTABLE3_AMD, instance_size=ec2.InstanceSize.NANO, ), machine_image=ec2.AmazonLinuxImage( generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2, ), ) self.role = role self.security_group = sg
def __init__(self, scope: core.Construct, id: str, vpc: ec2.IVpc, config: dict, region: str, **kwargs): super().__init__(scope, id, **kwargs) ### EC2 Server for Jenkins image = ec2.GenericLinuxImage({ region: config["ami_id"], }, ) role = iam.Role(self, "InstanceSSM", assumed_by=iam.ServicePrincipal("ec2.amazonaws.com")) role.add_managed_policy( iam.ManagedPolicy.from_aws_managed_policy_name( "service-role/AmazonEC2RoleforSSM")) subnet = vpc.select_subnets( subnet_type=ec2.SubnetType.PRIVATE).subnets[0] subnet_selection = ec2.SubnetSelection(subnets=[subnet]) self.security_group = ec2.SecurityGroup(self, "EC2SG", vpc=vpc) self._instance = ec2.Instance(self, "EC2", instance_type=ec2.InstanceType( config["instance_type"]), machine_image=image, vpc=vpc, vpc_subnets=subnet_selection, role=role, security_group=self.security_group) ### Lambda for github webhooks self._webhook_forwarder = _lambda.Function( self, "WebHookForwarder", runtime=_lambda.Runtime.PYTHON_3_8, code=_lambda.Code.from_asset( os.path.join(dirname, "lambda", "webhook_forwarder")), handler="lambda_function.lambda_handler", vpc=vpc, vpc_subnets=ec2.SubnetSelection(subnets=vpc.select_subnets( subnet_type=ec2.SubnetType.PRIVATE).subnets))
def _add_role(self) -> iam.Role: """ Add IAM role to the stack """ role = iam.Role(self, 'VPNInstanceRole', assumed_by=iam.ServicePrincipal('ec2.amazonaws.com')) # add access to outputs of the current stack to ec2 instance role.add_to_policy( iam.PolicyStatement(resources=[ self.format_arn(resource="stack/vpn-cdk/*", service="cloudformation") ], actions=['cloudformation:*'])) # add policy to allow elastic ip association role.add_to_policy( iam.PolicyStatement(resources=['*'], actions=['ec2:AssociateAddress'])) return role
def create_ecs(self, vpc, sg_dictionary, repository): # Cluster cluster = _ecs.Cluster( self, 'Cluster', cluster_name='DEMO-CLUSTER', vpc=vpc ) # Role(task execution) execution_role = _iam.Role( self, 'ExecutionRole', role_name='DEMO-TASK-EXECUTION-ROLE', assumed_by=_iam.ServicePrincipal('ecs-tasks.amazonaws.com') ) execution_role.add_managed_policy(_iam.ManagedPolicy.from_aws_managed_policy_name('service-role/AmazonECSTaskExecutionRolePolicy')) # TaskDefinition task_def = _ecs.TaskDefinition( self, 'TaskDefinition', compatibility=_ecs.Compatibility.FARGATE, cpu='2048', memory_mib='8192', network_mode=_ecs.NetworkMode.AWS_VPC, execution_role=execution_role, family='DEMO-TASK', task_role=execution_role, ) # Container container = task_def.add_container( id='DEMO-CONTAINER', image=_ecs.ContainerImage.from_ecr_repository(repository), logging=_ecs.LogDriver.aws_logs( stream_prefix='ecs', log_group=_logs.LogGroup( self, 'LogGroup', log_group_name='/ecs/'+'DEMO-TASK', retention=_logs.RetentionDays.INFINITE, ) ) ) container.add_port_mappings(_ecs.PortMapping(container_port=8080))
def __init__(self, scope: core.Construct, id: str, props_vpc, **kwargs) -> None: super().__init__(scope, id, **kwargs) role = iam.Role(self, "ec2Role", assumed_by=iam.ServicePrincipal("ec2.amazonaws.com")) role.add_to_policy( iam.PolicyStatement(resources=["*"], actions=["s3:*"])) ec2_security_group = ec2.SecurityGroup( self, "sg-ec2", vpc=props_vpc['vpc'], security_group_name='adl-ec2-sg') bastion = ec2.Instance( self, "ubuntu-bastion", vpc=props_vpc['vpc'], machine_image=linux, key_name="adl-keypair-dev-us-east-1", instance_type=ec2.InstanceType( instance_type_identifier="t2.micro"), vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PUBLIC), instance_name='adl-bastion-test', role=role, #security_group=ssh_security_group ) # Connections bastion.add_security_group(ec2_security_group) bastion.connections.allow_from_any_ipv4(ec2.Port.tcp(22), 'Allow inbound SSH') bastion.connections.allow_from_any_ipv4(ec2.Port.tcp(8080), 'Allow inbound HTTP') for ssh_sg in bastion.connections.security_groups: ec2_security_group.connections.allow_from( ssh_sg, ec2.Port.all_tcp(), "SSH Access to EC2 Group") # Outputs props_ec2 = {"namespace": "ec2_props"} self.output_props_ec2 = props_ec2.copy() self.output_props_ec2['ec2-sg'] = ec2_security_group
def create_sagemaker_train_role(self, name): # Config role base_role = iam.Role( self, "gw_sagemaker_train_role_{}".format(name), assumed_by=iam.ServicePrincipal("sagemaker.amazonaws.com")) base_role.add_managed_policy( iam.ManagedPolicy.from_aws_managed_policy_name( "AmazonS3FullAccess")) base_role.add_managed_policy( iam.ManagedPolicy.from_aws_managed_policy_name( "AmazonSageMakerFullAccess")) #base_role.add_managed_policy(iam.ManagedPolicy.from_aws_managed_policy_name("AmazonElasticContainerRegistryPublicFullAccess")) #base_role.add_managed_policy(iam.ManagedPolicy.from_aws_managed_policy_name("AmazonEC2ContainerRegistryPublicFullAccess")) base_role.add_managed_policy( iam.ManagedPolicy.from_aws_managed_policy_name( "AmazonEC2ContainerRegistryFullAccess")) return base_role
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: super().__init__(scope, id, **kwargs) lambda_role = aws_iam.Role( self, id='Lambda-BERT-Endpoint-Role', assumed_by=aws_iam.ServicePrincipal('lambda.amazonaws.com')) lambda_role.add_managed_policy( aws_iam.ManagedPolicy.from_aws_managed_policy_name( 'AmazonSageMakerFullAccess')) lambda_function = _lambda.Function( self, id='Lambda-BERT-Trigger', runtime=_lambda.Runtime.PYTHON_3_8, code=_lambda.Code.asset('lambda_function'), handler='endpoint_trigger.lambda_handler', function_name='Lambda-BERT-Trigger', role=lambda_role)
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: super().__init__(scope, id, **kwargs) # VPC vpc = ec2.Vpc(self, "VPC", nat_gateways=0, subnet_configuration=[ec2.SubnetConfiguration(name="public",subnet_type=ec2.SubnetType.PUBLIC)] ) # AMI amzn_linux = ec2.MachineImage.latest_amazon_linux( generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2, edition=ec2.AmazonLinuxEdition.STANDARD, virtualization=ec2.AmazonLinuxVirt.HVM, storage=ec2.AmazonLinuxStorage.GENERAL_PURPOSE ) # Instance Role and SSM Managed Policy role = iam.Role(self, "InstanceSSM", assumed_by=iam.ServicePrincipal("ec2.amazonaws.com")) role.add_managed_policy(iam.ManagedPolicy.from_aws_managed_policy_name("AmazonSSMManagedInstanceCore")) # Instance instance = ec2.Instance(self, "Instance", instance_type=ec2.InstanceType("t3.nano"), machine_image=amzn_linux, vpc = vpc, role = role ) # Script in S3 as Asset asset = Asset(self, "Asset", path=os.path.join(dirname, "configure.sh")) local_path = instance.user_data.add_s3_download_command( bucket=asset.bucket, bucket_key=asset.s3_object_key ) # Userdata executes script from S3 instance.user_data.add_execute_file_command( file_path=local_path ) asset.grant_read(instance.role)
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: super().__init__(scope, id, **kwargs) # Create ECR Repository ghost_repo = ecr.Repository( self, "GhostRepo", repository_name="ghost" ) # Create IAM Role For CodeBuild ghost_build_role = iam.Role( self, "GhostBuildRole", assumed_by=iam.ServicePrincipal("codebuild.amazonaws.com"), managed_policies=[ iam.ManagedPolicy.from_aws_managed_policy_name("EC2InstanceProfileForImageBuilderECRContainerBuilds") ] ) # We only want to fire on the master branch and if there is a change in the dockerbuild folder git_hub_source = codebuild.Source.git_hub( owner="jasonumiker", repo="k8s-plus-aws-gitops", webhook=True, webhook_filters=[ codebuild.FilterGroup.in_event_of(codebuild.EventAction.PUSH).and_branch_is("master").and_file_path_is("dockerbuild/*") ] ) # Create CodeBuild build_project = codebuild.Project( self, "GhostBuildProject", source=git_hub_source, role=ghost_build_role, build_spec=codebuild.BuildSpec.from_source_filename("dockerbuild/buildspec.yml"), environment={ 'privileged': True, }, environment_variables={ 'AWS_ACCOUNT_ID': codebuild.BuildEnvironmentVariable(value=self.account), 'IMAGE_REPO_NAME': codebuild.BuildEnvironmentVariable(value=ghost_repo.repository_name) } )
def _create_lambda(self): role = iam.Role( self, "LambdaPrepareDbRole", assumed_by=iam.ServicePrincipal("lambda.amazonaws.com"), description="Role for Lambda preparing RDS", role_name=f"{self.name_prefix}-lambda-prepare-db-role", managed_policies=[ #iam.ManagedPolicy.from_aws_managed_policy_name("AWSLambdaBasicExecutionRole"), iam.ManagedPolicy.from_aws_managed_policy_name( "service-role/AWSLambdaVPCAccessExecutionRole"), iam.ManagedPolicy.from_aws_managed_policy_name( "SecretsManagerReadWrite"), ], ) lambda_function_id = f"{self.name_prefix}-prepare_db_function" lambda_function_path = str(pathlib.Path( __file__).resolve().parent) + "/lambdafn/prepare_db_function/" lambda_layer_path = str(pathlib.Path( __file__).resolve().parent) + "/lambdafn/lambda_layer/" layer = aws_lambda.LayerVersion( self, 'Layer', code=aws_lambda.AssetCode(lambda_layer_path)) lambda_fn = aws_lambda.Function( scope=self, id=lambda_function_id, function_name=lambda_function_id, code=aws_lambda.AssetCode(path=lambda_function_path), handler="lambda_handler.lambda_handler", layers=[layer], timeout=Duration.seconds(300), runtime=aws_lambda.Runtime.PYTHON_3_7, role=role, description="write some description for this lambda", security_groups=[self.security_group], vpc=self.vpc, vpc_subnets=self.subnet_selection) lambda_fn.add_environment('SECRETS_NAME', self.rds.secret.secret_arn) lambda_fn.add_environment('REGION_NAME', self.region)
def __init__(self, scope, id, *, name=None, directory=None, bucket=None, key=None) -> None: super().__init__(scope, id) # ================================================== # ================= IAM ROLE ======================= # ================================================== lambda_role = iam.Role( scope=self, id='lambda_role', assumed_by=iam.ServicePrincipal(service='lambda.amazonaws.com'), managed_policies=[ iam.ManagedPolicy.from_aws_managed_policy_name( 'AWSLambdaExecute') ]) # ================================================== # =================== ECR IMAGE ==================== # ================================================== ecr_image = aws_lambda.DockerImageCode.from_image_asset( repository_name=name, directory=directory) # ================================================== # ================ LAMBDA FUNCTION ================= # ================================================== self.lambda_function = aws_lambda.DockerImageFunction( scope=self, id='lambda', function_name=name, code=ecr_image, memory_size=1024, role=lambda_role, environment={ 'BUCKET': bucket, 'KEY': key }, timeout=core.Duration.seconds(60))
def __init__(self, scope: core.Construct, id: str, secgroup_name: str, **kwargs): super().__init__(scope, id, **kwargs) with open('common/common_cdk/lambda/empty_security_group.py', 'r') as f: lambda_source = f.read() # lambda utils to empty security group before deletion empty_secgroup_lambda = _lambda.SingletonFunction(self, 'EmptySecurityGroupLambda', uuid="dfs3k8730-4ee1-11e8-9c2d-fdfs65dfsc", runtime=_lambda.Runtime.PYTHON_3_7, code=_lambda.Code.inline(lambda_source), handler='index.handler', function_name='ara-auto-empty-secgroup' ) empty_secgroup_lambda_role = _iam.Role( self, 'AutoEmptyBucketLambdaRole', assumed_by=_iam.ServicePrincipal('lambda.amazonaws.com') ) empty_secgroup_lambda_role.add_to_policy( _iam.PolicyStatement( actions=[ 'ec2:RevokeSecurityGroupIngress', 'ec2:RevokeSecurityGroupEgress' ], resources=['arn:aws:ec2::'+core.Aws.ACCOUNT_ID+':security-group/'+secgroup_name] ) ) empty_secgroup_lambda_provider = _custom_resources.Provider( self, 'EmptyBucketLambdaProvider', on_event_handler=empty_secgroup_lambda ) core.CustomResource( self, 'EmptyBucketCustomResource', service_token=empty_secgroup_lambda_provider.service_token, properties={ "secgroup_name": secgroup_name } )
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: super().__init__(scope, id, **kwargs) vpc = ec2.Vpc(self, "NewInstanceVPC", nat_gateways=0, subnet_configuration=[ ec2.SubnetConfiguration( name="public", subnet_type=ec2.SubnetType.PUBLIC) ]) amzn_linux = ec2.MachineImage.latest_amazon_linux( generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2, edition=ec2.AmazonLinuxEdition.STANDARD, virtualization=ec2.AmazonLinuxVirt.HVM, storage=ec2.AmazonLinuxStorage.GENERAL_PURPOSE) role = iam.Role(self, "InstanceSSM", assumed_by=iam.ServicePrincipal("ec2.amazonaws.com")) role.add_managed_policy( iam.ManagedPolicy.from_aws_managed_policy_name( "service-role/AmazonEC2RoleforSSM")) instance = ec2.Instance( self, "CDKNewInstance", instance_type=ec2.InstanceType("t3.nano"), key_name="arronmoore_com_v2", machine_image=amzn_linux, vpc=vpc, security_group=self.configure_security_group(vpc), role=role) asset = Asset(self, "NewInstanceConfigureScript", path="./new_instance/configure.sh") local_path = instance.user_data.add_s3_download_command( bucket=asset.bucket, bucket_key=asset.s3_object_key) instance.user_data.add_execute_file_command(file_path=local_path)
def create_crawler_role(self): """Crate a role used by crawlers in data lake.""" service = iam.ServicePrincipal("glue.amazonaws.com") managed_policies = [ iam.ManagedPolicy.from_aws_managed_policy_name( "service-role/AWSGlueServiceRole" ), iam.ManagedPolicy.from_aws_managed_policy_name( "AmazonS3ReadOnlyAccess" ), ] id_suffix = self.database_name.replace("_", "-") self._crawler_role = iam.Role( scope=self, id=f"oedi-data-lake-crawler-role--{id_suffix}", role_name=f"oedi_data_lake_cralwer_role__{self.database_name}", assumed_by=service, managed_policies=managed_policies, )
def get_role(self, unique_name: str, service_principal: str) -> iam.Role: """ Get the default role for the datajob. We use administrator access as the policy for our default role. # todo - we probably want to refine the policies for this role :param unique_name: a unique name we can give to our role. :param service_principal: what is the service principal for our service. for example: glue.amazonaws.com :return: iam role object. """ role_name = unique_name + "-role" logger.debug(f"creating role {role_name}") return iam.Role( self, role_name, assumed_by=iam.ServicePrincipal(service_principal), managed_policies=[ iam.ManagedPolicy.from_aws_managed_policy_name("AdministratorAccess") ], )
def _create_env_nodegroup_role(self) -> NonPathRole: name: str = f"orbit-{self.context.name}-{self.context.region}-eks-nodegroup-role" role = NonPathRole( scope=self, id=name, role_name=name, assumed_by=cast(iam.IPrincipal, iam.ServicePrincipal(service="ec2.amazonaws.com")), managed_policies=[ iam.ManagedPolicy.from_aws_managed_policy_name( managed_policy_name="AmazonEKSWorkerNodePolicy"), iam.ManagedPolicy.from_aws_managed_policy_name( managed_policy_name="AmazonEKS_CNI_Policy"), iam.ManagedPolicy.from_aws_managed_policy_name( managed_policy_name="AmazonEC2ContainerRegistryReadOnly"), iam.ManagedPolicy.from_aws_managed_policy_name( managed_policy_name="AmazonSSMManagedInstanceCore"), ], ) return role
def __init__(self, scope: core.Construct, id: str, props, **kwargs) -> None: super().__init__(scope, id, **kwargs) lambda_role = iam.Role( self, 'IapTesLambdaRole', assumed_by=iam.ServicePrincipal('lambda.amazonaws.com'), managed_policies=[ iam.ManagedPolicy.from_aws_managed_policy_name( 'service-role/AWSLambdaBasicExecutionRole') ]) function = lmbda.Function( self, 'IapTesLambda', function_name='rnasum_iap_tes_lambda_dev', handler='iap_tes.lambda_handler', runtime=lmbda.Runtime.PYTHON_3_7, code=lmbda.Code.from_asset('lambdas/iap_tes'), role=lambda_role, timeout=core.Duration.seconds(20), environment={ 'IAP_API_BASE_URL': props['iap_api_base_url'], 'TASK_ID': props['task_id'], 'TASK_VERSION_WTS': props['task_version_wts'], 'TASK_VERSION_WGS': props['task_version_wgs'], 'SSM_PARAM_NAME': props['ssm_param_name'], 'GDS_REFDATA_FOLDER': props['gds_refdata_folder'], 'GDS_LOG_FOLDER': props['gds_log_folder'], 'RNASUM_IMAGE_NAME': props['rnasum_image_name'], 'RNASUM_IMAGE_TAG': props['rnasum_image_tag'], 'REFDATA_NAME': props['ref_data_name'] }) secret_value = ssm.StringParameter.from_secure_string_parameter_attributes( self, "RNAsumJwtToken", parameter_name=props['ssm_param_name'], version=props['ssm_param_version']) secret_value.grant_read(function)