Python Login Examples

Example #1

    def __init__(self, scope: core.Construct, id: str, vpc: ec2.Vpc,
                 lambdasg: ec2.SecurityGroup, bastionsg: ec2.SecurityGroup,
                 kmskey, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)

        prj_name = self.node.try_get_context('project_name')
        env_name = self.node.try_get_context('env')

        creds_json_template = {'username': '******'}

        db_creds = sm.Secret(
            self,
            id="db-secret",
            secret_name=f'{env_name}-rds-secret',
            generate_secret_string=sm.SecretStringGenerator(
                include_space=False,  # no space in secret
                password_length=12,
                generate_string_key=
                'rds-password',  # key in json dictionary for the password
                exclude_punctuation=True,
                secret_string_template=json.dumps(creds_json_template)))

        db_name = f'pryancdkdb'
        db_mysql = rds.DatabaseCluster(
            self,
            id=f'{env_name}-mysql',
            default_database_name=db_name,
            engine=rds.DatabaseClusterEngine.aurora_mysql(
                version=rds.AuroraMysqlEngineVersion.VER_5_7_12),
            master_user=rds.Login(
                username='******',
                password=db_creds.secret_value_from_json('rds-password')),
            instance_props=rds.InstanceProps(
                vpc=vpc,
                vpc_subnets=ec2.SubnetSelection(
                    subnet_type=ec2.SubnetType.ISOLATED),
                # will pick one of the isolated Subnets from the vpc
                instance_type=ec2.InstanceType(
                    instance_type_identifier='t3.small')),
            instances=1,
            storage_encrypted=True,
            storage_encryption_key=kmskey,
            removal_policy=core.RemovalPolicy.DESTROY)

        # we need to define the ingress rules for rds
        db_mysql.connections.allow_default_port_from(
            lambdasg, 'Access from Lambda Functions')
        db_mysql.connections.allow_default_port_from(
            bastionsg, "Access from bastion host")

        # ssm
        ssm.StringParameter(self,
                            id=f'{env_name}-db-host',
                            parameter_name=f"/{env_name}/db-host",
                            string_value=db_mysql.cluster_endpoint.hostname)

        ssm.StringParameter(self,
                            id=f'{env_name}-db-name',
                            parameter_name=f"/{env_name}/db-name",
                            string_value=db_name)

Example #2

    def __init__(self, scope: core.Construct, id: str, vpc, sg, redissg,
                 kmskey, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)

        rdskey = kms.Key.from_key_arn(self, "rdskey", key_arn=kmskey)

        db_mysql = rds.DatabaseCluster(
            self,
            "Dev_MySQL",
            default_database_name="msadev",
            engine=rds.DatabaseClusterEngine.AURORA_MYSQL,
            engine_version="5.7.12",
            master_user=rds.Login(username="******"),
            instance_props=rds.InstanceProps(
                vpc=vpc,
                vpc_subnets=ec2.SubnetSelection(
                    subnet_type=ec2.SubnetType.ISOLATED),
                instance_type=ec2.InstanceType(
                    instance_type_identifier="t3.medium")),
            instances=1,
            parameter_group=rds.ClusterParameterGroup.
            from_parameter_group_name(
                self,
                "paramter-group-msadev",
                parameter_group_name="default.aurora-mysql5.7"),
            kms_key=rdskey)
        sgId = ec2.SecurityGroup.from_security_group_id(self, "sgid", sg)
        redis_sg = ec2.SecurityGroup.from_security_group_id(
            self, "redissgid", redissg)

        db_mysql.connections.allow_default_port_from(sgId,
                                                     "Access from Bastion")
        db_mysql.connections.allow_default_port_from(redis_sg,
                                                     "Access from Redis")

Example #3

File: rds_stack.py Project: ebox86/cdk-ecs-fargate-ghost

    def __init__(self, scope: core.Construct, id: str, props,
                 **kwargs) -> None:
        super().__init__(scope, id, **kwargs)

        # Aurora RDS Cluster
        db_Aurora_cluster = rds.DatabaseCluster(
            self,
            "ghost_db_cluster",
            default_database_name=f"{props['namespace']}-db",
            engine=rds.DatabaseClusterEngine.AURORA_MYSQL,
            engine_version="5.7.12",
            master_user=rds.Login(username="******"),
            instance_props=rds.InstanceProps(
                vpc=props['vpc'],
                vpc_subnets=ec2.SubnetSelection(
                    subnet_type=ec2.SubnetType.ISOLATED),
                security_group=props['db_security_group'],
                instance_type=ec2.InstanceType(
                    instance_type_identifier="t2.small")),
            instances=2,
            parameter_group=rds.ClusterParameterGroup.
            from_parameter_group_name(
                self,
                "para-group-aurora",
                parameter_group_name="default.aurora-mysql5.7"),
        )

Example #4

File: rds_stack.py Project: youngsoul/aws-devops-cdk

    def __init__(self, scope: core.Construct, id: str, vpc: ec2.Vpc,
                 lambdasg: ec2.SecurityGroup, bastionsg: ec2.SecurityGroup,
                 kmskey, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)

        prj_name = self.node.try_get_context("project_name")
        env_name = self.node.try_get_context("env")

        json_template = {'username': '******'}
        db_creds = sm.Secret(
            self,
            'db-secret',
            secret_name=env_name + '/rds-secret',
            generate_secret_string=sm.SecretStringGenerator(
                include_space=False,
                password_length=12,
                generate_string_key='password',
                exclude_punctuation=True,
                secret_string_template=json.dumps(json_template)))
        db_mysql = rds.DatabaseCluster(
            self,
            'mysql',
            default_database_name=prj_name + env_name,
            engine=rds.DatabaseClusterEngine.AURORA_MYSQL,
            engine_version="5.7.12",
            master_user=rds.Login(
                username='******',
                password=db_creds.secret_value_from_json('password')),
            instance_props=rds.InstanceProps(
                vpc=vpc,
                vpc_subnets=ec2.SubnetSelection(
                    subnet_type=ec2.SubnetType.ISOLATED),
                instance_type=ec2.InstanceType(
                    instance_type_identifier="t3.small")),
            instances=1,
            parameter_group=rds.ClusterParameterGroup.
            from_parameter_group_name(
                self, 'pg-dev',
                parameter_group_name='default.aurora-mysql5.7'),
            kms_key=kmskey,
            removal_policy=core.RemovalPolicy.DESTROY)

        db_mysql.connections.allow_default_port_from(
            lambdasg, "Access from Lambda functions")
        db_mysql.connections.allow_default_port_from(
            bastionsg, "Allow from bastion host")

        #SSM Parameter
        ssm.StringParameter(self,
                            'db-host',
                            parameter_name='/' + env_name + '/db-host',
                            string_value=db_mysql.cluster_endpoint.hostname)

        ssm.StringParameter(self,
                            'db-name',
                            parameter_name='/' + env_name + '/db-name',
                            string_value=prj_name + env_name)

Example #5

 def create_rds(self, vpc):
     # Create DB
     rds_cluster = rds.DatabaseCluster(
         self,
         'Database',
         engine=rds.DatabaseClusterEngine.AURORA,
         master_user=rds.Login(username='******'),
         instance_props=rds.InstanceProps(
             instance_type=ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2,
                                               ec2.InstanceSize.SMALL),
             vpc_subnets=ec2.SubnetSelection(
                 subnet_type=ec2.SubnetType.PRIVATE),
             vpc=vpc))
     return rds_cluster

Example #6

File: rds_stack.py Project: tysoncung/aws-cdk-refarch-3tier-web

    def __init__(self, scope: core.Construct, id: str, vpc, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)

        master_user = _rds.Login(
            username="******", password=core.SecretValue.plain_text("password"))

        rds = _rds.DatabaseCluster(
            self,
            "rds",
            engine=_rds.DatabaseClusterEngine.aurora_mysql(
                version=_rds.AuroraMysqlEngineVersion.VER_5_7_12),
            master_user=master_user,
            instance_props=_rds.InstanceProps(
                vpc=vpc,
                instance_type=_ec2.InstanceType("t3.medium"),
                security_groups=[vpc.sg],
                vpc_subnets=_ec2.SubnetSelection(
                    subnets=vpc.isolated_subnets)),
            instances=2)

Example #7

File: adl_rds_stack.py Project: zakriya753/aws-cdk-scripts

 def rds_cluster(self, vpc, ec2sg, rds_type, rds_param=None):
     postgres = rds.DatabaseCluster(
         self,
         "adl-" + rds_type,
         default_database_name="adldb",
         engine=getattr(rds.DatabaseClusterEngine, rds_type),
         instance_props=rds.InstanceProps(
             vpc=vpc['vpc'],
             vpc_subnets=ec2.SubnetSelection(
                 subnet_type=ec2.SubnetType.PRIVATE),
             instance_type=ec2.InstanceType(
                 instance_type_identifier="t3.medium")),
         master_user=rds.Login(username="******"),
         backup=rds.BackupProps(retention=core.Duration.days(7),
                                preferred_window='01:00-02:00'),
         parameter_group=rds_param,
         preferred_maintenance_window="Sun:23:45-Mon:00:15",
         removal_policy=core.RemovalPolicy.DESTROY,
         storage_encrypted=True)
     postgres.connections.allow_from(ec2sg['ec2-sg'], ec2.Port.all_tcp())

Example #8

File: sonar_stack.py Project: voliveirajr/SonarQubeCDK

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)

        #create VPC
        self.vpc = ec2.Vpc(
            self, 'SonarVPC',
            max_azs=3
        )
        
        #DB Security Group with required ingress rules
        self.sg= ec2.SecurityGroup(
            self, "SonarQubeSG",
            vpc=self.vpc,
            allow_all_outbound=True,
            description="Aurora Security Group"
        )
        self.sg.add_ingress_rule(ec2.Peer.any_ipv4(), ec2.Port.tcp(5432), "SonarDBAurora")
        pgroup = rds.ParameterGroup.from_parameter_group_name(
            self, "SonarDBParamGroup",
            parameter_group_name='default.aurora-postgresql11'
        )

        #create RDS Cluster
        self.db= rds.DatabaseCluster(self, 'SonarDBCluster',
            engine= rds.DatabaseClusterEngine.aurora_postgres(version=rds.AuroraPostgresEngineVersion.VER_11_6),
            default_database_name= 'sonarqube',
            parameter_group= pgroup,
            master_user=rds.Login(username= "******"),
            instance_props= rds.InstanceProps(
                instance_type= ec2.InstanceType.of(
                    ec2.InstanceClass.BURSTABLE3,
                    ec2.InstanceSize.MEDIUM
                ),
                security_groups= [self.sg],
                vpc= self.vpc
            )
        )

        #create Cluster
        self.cluster= ecs.Cluster(self, "SonarCluster",
            capacity= ecs.AddCapacityOptions(
            instance_type= ec2.InstanceType('m5.large')),
            vpc= self.vpc
        )

        asg= self.cluster.autoscaling_group
        user_data= asg.user_data
        user_data.add_commands('sysctl -qw vm.max_map_count=262144')
        user_data.add_commands('sysctl -w fs.file-max=65536')
        user_data.add_commands('ulimit -n 65536')
        user_data.add_commands('ulimit -u 4096')

        #Create iam Role for Task
        self.task_role = iam.Role(
            self,
            id= "SonarTaskRole",
            role_name= "SonarTaskRole",
            assumed_by= iam.ServicePrincipal(service= "ecs-tasks.amazonaws.com"),
            managed_policies= [
                iam.ManagedPolicy.from_aws_managed_policy_name("service-role/AmazonECSTaskExecutionRolePolicy")
            ]
        )
        #Grant permission for Task to read secret from SecretsManager
        self.db.secret.grant_read(self.task_role)

        url = 'jdbc:postgresql://{}/sonarqube'.format(self.db.cluster_endpoint.socket_address)
        #create task
        task= ecs_patterns.ApplicationLoadBalancedEc2Service(self, "SonarService",
            # if a cluster is provided use the same vpc
            cluster= self.cluster,            
            cpu=512,
            desired_count=1, 
            task_image_options= ecs_patterns.ApplicationLoadBalancedTaskImageOptions(
                image=ecs.ContainerImage.from_registry("sonarqube:8.2-community"),
                container_port=9000,
                secrets={
                    "sonar.jdbc.username": ecs.Secret.from_secrets_manager(self.db.secret, field="username"),
                    "sonar.jdbc.password": ecs.Secret.from_secrets_manager(self.db.secret, field="password")
                },
                environment={
                    'sonar.jdbc.url': url
                },
                task_role= self.task_role
            ),
            memory_limit_mib=2048,
            public_load_balancer=True
        )

        container = task.task_definition.default_container
        container.add_ulimits(
            ecs.Ulimit(
                name=ecs.UlimitName.NOFILE,
                soft_limit=65536,
                hard_limit=65536
            )
        )

Example #9

File: keycloak_stack.py Project: Pawlik91/cdk-keycloak-alb-authentication-sample

    def __init__(
        self, 
        scope: core.Construct, 
        id: str, 
        keycloak_domain: str,
        vpc: ec2.IVpc = None, 
        cluster: ecs.ICluster = None, 
        load_balancer: elbv2.IApplicationLoadBalancer = None, 
        log_group: logs.ILogGroup = None,
        keycloak_database_name: str = 'keykloak',
        keycloak_database_user: str = 'admin',
        **kwargs
    ) -> None:
        super().__init__(scope, id, **kwargs)

        # The code that defines your stack goes here
        
        keycloak_task_role = iam.Role(
            self, 'KeycloakTastRole',
            assumed_by=iam.ServicePrincipal('ecs-tasks.amazonaws.com')
        )

        keycloak_database_secret = secretsmanager.Secret(
            self, 'KeycloakDatabaseSecret',
            description='Keycloak Database Password',
            generate_secret_string=secretsmanager.SecretStringGenerator(exclude_punctuation=True)
        )

        keycloak_database_cluster = rds.DatabaseCluster(
            self, 'KeycloakDatabaseCluster',
            engine= rds.DatabaseClusterEngine.AURORA,
            instance_props=rds.InstanceProps(
                instance_type=ec2.InstanceType.of(
                    instance_class=ec2.InstanceClass.BURSTABLE3, 
                    instance_size=ec2.InstanceSize.SMALL
                ),
                vpc=vpc,
            ),
            master_user= rds.Login(
                username=keycloak_database_user,
                password=keycloak_database_secret.secret_value,
            ),
            instances=1,
            default_database_name=keycloak_database_name,
            removal_policy=core.RemovalPolicy.DESTROY,
        )


        keycloak_hosted_zone = route53.HostedZone.from_lookup(
            self, 'KeycloakHostedZone',
            domain_name=keycloak_domain
        )

        keycloak_certificate = acm.DnsValidatedCertificate(
            self, 'KeycloakCertificate',
            hosted_zone=keycloak_hosted_zone,
            domain_name='keycloak.' + keycloak_domain
        )

        keycloak_service = ecs_patterns.ApplicationLoadBalancedFargateService(
            self, 'KeycloakLoadBalancedFargateService',
            load_balancer=load_balancer,
            cluster=cluster,

            task_image_options=ecs_patterns.ApplicationLoadBalancedTaskImageOptions(
                image=ecs.ContainerImage.from_asset('keycloak'),
                container_port=8080,
                enable_logging=True,
                task_role=keycloak_task_role,

                log_driver=ecs.AwsLogDriver(
                    stream_prefix='keycloak',
                    log_group=log_group,
                ),

                secrets={
                    'DB_PASSWORD': ecs.Secret.from_secrets_manager(keycloak_database_secret),
                },
                environment={
                    'DB_VENDOR': 'mysql',
                    'DB_USER': keycloak_database_user,
                    'DB_ADDR': keycloak_database_cluster.cluster_endpoint.hostname,
                    'DB_DATABASE': keycloak_database_name,
                    # 'KEYCLOAK_LOGLEVEL': 'DEBUG',
                    'PROXY_ADDRESS_FORWARDING': 'true',
                },
            ),

            memory_limit_mib=512,
            cpu=256,
            desired_count=1,
            public_load_balancer=True,
            domain_name= 'keycloak.' + keycloak_domain,
            domain_zone= keycloak_hosted_zone,
            protocol=elbv2.ApplicationProtocol.HTTPS,
        )

        keycloak_service.target_group.enable_cookie_stickiness(core.Duration.seconds(24 * 60 * 60))
        keycloak_service.target_group.configure_health_check(
            port='8080',
            path='/auth/realms/master/.well-known/openid-configuration',
            timeout=core.Duration.seconds(20),
            healthy_threshold_count=2,
            unhealthy_threshold_count=10,
            interval=core.Duration.seconds(30),
        )

        keycloak_service.listener.add_certificates(
            'KeycloakListenerCertificate',
            certificates= [ keycloak_certificate ]
        )

        keycloak_database_cluster.connections.allow_default_port_from(keycloak_service.service, 'From Keycloak Fargate Service')

Example #10

    def __init__(self, scope: core.Construct, config: dict, id: str,
                 **kwargs) -> None:
        super().__init__(scope, id, **kwargs)

        # create the securty group that will allow to connect to this instance
        # I am lazy and create only 1 SG that allows TCP 5432 from itself
        # database clients (lambda functions) will have TCP 5432 authorized for themselves too,
        # which is not necessary but harmless
        self.db_security_group = ec2.SecurityGroup(self,
                                                   "Database Security Group",
                                                   vpc=config['vpc'])
        self.db_security_group.add_ingress_rule(self.db_security_group,
                                                ec2.Port.tcp(5432))

        self.cluster = rds.DatabaseCluster(
            self,
            config['rds']['name'],
            engine=rds.DatabaseClusterEngine.aurora_postgres(
                version=rds.AuroraPostgresEngineVersion.VER_11_7),
            default_database_name=config['rds']['databaseName'],
            master_user=rds.Login(username=config['rds']['masterUsername']),
            instance_props=rds.InstanceProps(
                vpc=config['vpc'], security_groups=[self.db_security_group]))

        # Add Secrets Manager Password rotation
        self.cluster.add_rotation_single_user()

        # aurora serverless is not yet support by CDK, https://github.com/aws/aws-cdk/issues/929
        # escape hatch https://docs.aws.amazon.com/cdk/latest/guide/cfn_layer.html#cfn_layer_raw
        # cfn_aurora_cluster = cluster.node.default_child
        # cfn_aurora_cluster.add_override("Properties.EngineMode", "serverless")
        # cfn_aurora_cluster.add_override("Properties.EnableHttpEndpoint",True) # Enable Data API
        # cfn_aurora_cluster.add_override("Properties.ScalingConfiguration", {
        #     'AutoPause': True,
        #     'MaxCapacity': 4,
        #     'MinCapacity': 1,
        #     'SecondsUntilAutoPause': 600
        # })
        # cluster.node.try_remove_child('Instance1') # Remove 'Server' instance that isn't required for serverless Aurora

        # create a custom resource to initialize the data schema
        function = _lambda.Function(
            self,
            config['custom resource lambda']['name'],
            runtime=_lambda.Runtime.PYTHON_3_8,
            code=_lambda.Code.asset('./custom_resources'),
            handler='app.on_event',
            vpc=config['vpc'],
            environment={
                'DB_SECRET_ARN': self.get_secret_arn(),
                'PYTHON_LOGLEVEL': 'DEBUG'
            },
            security_groups=[self.db_security_group])
        # add permission to access the secret
        function.add_to_role_policy(
            iam.PolicyStatement(resources=[self.get_secret_arn()],
                                actions=["secretsmanager:GetSecretValue"]))

        custom_resource_provider = cr.Provider(self,
                                               'Custom Resource Provider',
                                               on_event_handler=function)
        custom_resource = core.CustomResource(
            self,
            'Custom Resource',
            service_token=custom_resource_provider.service_token)

        # Tell CFN to wait for the database to be ready before ot create the custom resource
        custom_resource.node.add_dependency(self.cluster)