def createCouchbaseSecurityGroups(t, vpc): # Couchbase security group secGrpCouchbase = ec2.SecurityGroup('CouchbaseSecurityGroup') secGrpCouchbase.GroupDescription = "Allow access to Couchbase Server" secGrpCouchbase.VpcId = Ref(vpc) secGrpCouchbase.SecurityGroupIngress = [ ec2.SecurityGroupRule( IpProtocol="tcp", FromPort="22", ToPort="22", CidrIp="0.0.0.0/0", ), ec2.SecurityGroupRule( IpProtocol="tcp", FromPort="8091", ToPort="8091", CidrIp="0.0.0.0/0", ), ec2.SecurityGroupRule( IpProtocol="tcp", FromPort="8092", ToPort="8092", CidrIp="0.0.0.0/0", ), ec2.SecurityGroupRule( # sync gw user port IpProtocol="tcp", FromPort="4984", ToPort="4984", CidrIp="0.0.0.0/0", ), ec2.SecurityGroupRule( # sync gw admin port IpProtocol="tcp", FromPort="4985", ToPort="4985", CidrIp="0.0.0.0/0", ), ec2.SecurityGroupRule( # expvars IpProtocol="tcp", FromPort="9876", ToPort="9876", CidrIp="0.0.0.0/0", ) ] # Add security group to template t.add_resource(secGrpCouchbase) cbIngressPorts = [ { "FromPort": "4369", "ToPort": "4369" }, # couchbase server { "FromPort": "5984", "ToPort": "5984" }, # couchbase server { "FromPort": "11209", "ToPort": "11209" }, # couchbase server { "FromPort": "11210", "ToPort": "11210" }, # couchbase server { "FromPort": "11211", "ToPort": "11211" }, # couchbase server { "FromPort": "21100", "ToPort": "21299" }, # couchbase server ] for cbIngressPort in cbIngressPorts: from_port = cbIngressPort["FromPort"] to_port = cbIngressPort["ToPort"] name = 'CouchbaseSecurityGroupIngress{}'.format(from_port) secGrpCbIngress = ec2.SecurityGroupIngress(name) secGrpCbIngress.GroupId = GetAtt(secGrpCouchbase, 'GroupId') secGrpCbIngress.IpProtocol = "tcp" secGrpCbIngress.FromPort = from_port secGrpCbIngress.ToPort = to_port secGrpCbIngress.SourceSecurityGroupId = GetAtt(secGrpCouchbase, 'GroupId') t.add_resource(secGrpCbIngress) return secGrpCouchbase
t.add_parameter( Parameter( "KeyPair", Description="Name od an existing EC2 KeyPair to SSH", Type="AWS::EC2::KeyPair::KeyName", ConstraintDescription="Must be the name of an existing EC2 KeyPair.", )) t.add_resource( ec2.SecurityGroup( "SecurityGroup", GroupDescription="Allow SSH and TCP/{} access".format(APP_PORT), SecurityGroupIngress=[ ec2.SecurityGroupRule( #SSH connection IpProtocol="tcp", FromPort="22", ToPort="22", CidrIp=public_cidr_ip, # Connect from the local IP ), ec2.SecurityGroupRule( #TCP connection IpProtocol="tcp", FromPort=APP_PORT, ToPort=APP_PORT, CidrIp="0.0.0.0/0", ), ], )) ud = Base64( Join('\n', [ "#!/bin/bash", "yum install --enablerepo=epel -y git", "pip install ansible", ansible_pull_cmd,
MinValue="5", MaxValue="1024", ConstraintDescription="must be between 5 and 1024Gb.", )) db_security_group = ec2.SecurityGroup( 'DatabaseSecurityGroup', template=template, GroupDescription="Database security group.", VpcId=Ref(vpc), SecurityGroupIngress=[ # Postgres in from web clusters ec2.SecurityGroupRule( IpProtocol="tcp", FromPort="5432", ToPort="5432", CidrIp=container_a_subnet_cidr, ), ec2.SecurityGroupRule( IpProtocol="tcp", FromPort="5432", ToPort="5432", CidrIp=container_b_subnet_cidr, ), ], ) db_subnet_group = rds.DBSubnetGroup( "DatabaseSubnetGroup", template=template,
def create_security_groups(self): tile_server_lb_security_group_name = 'sgTileServerLoadBalancer' tile_server_lb_security_group = self.add_resource(ec2.SecurityGroup( tile_server_lb_security_group_name, GroupDescription='Enables access to tile servers via a load ' 'balancer', VpcId=Ref(self.vpc_id), SecurityGroupIngress=[ ec2.SecurityGroupRule( IpProtocol='tcp', CidrIp=ALLOW_ALL_CIDR, FromPort=p, ToPort=p ) for p in [HTTP] ], SecurityGroupEgress=[ ec2.SecurityGroupRule( IpProtocol='tcp', CidrIp=VPC_CIDR, FromPort=p, ToPort=p ) for p in [HTTP] ], Tags=self.get_tags(Name=tile_server_lb_security_group_name) )) tile_server_security_group_name = 'sgTileServer' tile_server_security_group = self.add_resource(ec2.SecurityGroup( tile_server_security_group_name, DependsOn='sgTileServerLoadBalancer', GroupDescription='Enables access to tile servers', VpcId=Ref(self.vpc_id), SecurityGroupIngress=[ ec2.SecurityGroupRule( IpProtocol='tcp', CidrIp=VPC_CIDR, FromPort=p, ToPort=p ) for p in [SSH, HTTP] ] + [ ec2.SecurityGroupRule( IpProtocol='tcp', SourceSecurityGroupId=Ref(sg), FromPort=HTTP, ToPort=HTTP ) for sg in [tile_server_lb_security_group] ], SecurityGroupEgress=[ ec2.SecurityGroupRule( IpProtocol='tcp', CidrIp=VPC_CIDR, FromPort=p, ToPort=p ) for p in [GRAPHITE, POSTGRESQL, REDIS, STATSITE, RELP] ] + [ ec2.SecurityGroupRule( IpProtocol='udp', CidrIp=VPC_CIDR, FromPort=p, ToPort=p ) for p in [STATSITE] ] + [ ec2.SecurityGroupRule( IpProtocol='tcp', CidrIp=ALLOW_ALL_CIDR, FromPort=p, ToPort=p ) for p in [HTTP, HTTPS] ], Tags=self.get_tags(Name=tile_server_security_group_name) )) return tile_server_lb_security_group, tile_server_security_group
key_name = t.add_parameter( Parameter( 'KeyName', Type='AWS::EC2::KeyPair::KeyName', Description='Name of an existing EC2 KeyPair to enable SSH access')) ami_id = t.add_parameter( Parameter('AmiId', Type='String', Default='ami-98aa1cf0')) security_group = t.add_resource( ec2.SecurityGroup('SecurityGroup', GroupDescription='Allows SSH access from anywhere', SecurityGroupIngress=[ ec2.SecurityGroupRule(IpProtocol='tcp', FromPort=22, ToPort=22, CidrIp='0.0.0.0/0') ], Tags=Tags(Name='ops.cfninit-sg'))) ec2_instance = t.add_resource( ec2.Instance( 'Ec2Instance', ImageId=Ref(ami_id), InstanceType='t1.micro', KeyName=Ref(key_name), SecurityGroups=[Ref(security_group)], IamInstanceProfile='PullCredentials', UserData=Base64( Join('', [ '#!/bin/bash\n', 'sudo apt-get update\n',
# This is the Test condition we use later on in an If() test to control the differences between Prod and Dev # We assume a development stack by default. This does force some Parameters to be ignored. There is probably a # cleaner way to do this but in light of not refactoring the entire thing, we'll have to live with it being a bit # clunky. template.add_condition('IsProd', Equals(Ref('pEnvironment'), "production")) # This is the Security group that allows HTTP, SSH and ICMP # This is probably not very secure and could probably be scraped or narrowed. wpsg = template.add_resource( ec2.SecurityGroup('Access', VpcId=Ref('pVPCID'), GroupDescription='SSH/Ping Access', SecurityGroupIngress=[ ec2.SecurityGroupRule(IpProtocol='tcp', FromPort='80', ToPort='80', CidrIp='0.0.0.0/0'), ec2.SecurityGroupRule(IpProtocol='tcp', FromPort='22', ToPort='22', CidrIp='0.0.0.0/0'), ec2.SecurityGroupRule(IpProtocol='icmp', FromPort='-1', ToPort='-1', CidrIp='0.0.0.0/0') ], Tags=create_tags(base_tags, 'SshAndPingAccess'))) # This is the Security Group for the LB. Allows port 80 lbsg = template.add_resource( ec2.SecurityGroup('ELBSG',
def main(): template = Template() template.add_version("2010-09-09") template.set_description( "AWS CloudFormation Sample Template: NLB with 1 EC2 instance") AddAMI(template) # Add the Parameters keyname_param = template.add_parameter( Parameter( "KeyName", Type="String", Default="mark", Description="Name of an existing EC2 KeyPair to " "enable SSH access to the instance", )) template.add_parameter( Parameter( "InstanceType", Type="String", Description="WebServer EC2 instance type", Default="m1.small", AllowedValues=[ "t1.micro", "m1.small", "m1.medium", "m1.large", "m1.xlarge", "m2.xlarge", "m2.2xlarge", "m2.4xlarge", "c1.medium", "c1.xlarge", "cc1.4xlarge", "cc2.8xlarge", "cg1.4xlarge" ], ConstraintDescription="must be a valid EC2 instance type.", )) webport_param = template.add_parameter( Parameter( "WebServerPort", Type="String", Default="8888", Description="TCP/IP port of the web server", )) subnetA = template.add_parameter( Parameter("subnetA", Type="String", Default="subnet-096fd06d")) subnetB = template.add_parameter( Parameter("subnetB", Type="String", Default="subnet-1313ef4b")) VpcId = template.add_parameter( Parameter("VpcId", Type="String", Default="vpc-82c514e6")) # Define the instance security group instance_sg = template.add_resource( ec2.SecurityGroup( "InstanceSecurityGroup", GroupDescription="Enable SSH and HTTP access on the inbound port", SecurityGroupIngress=[ ec2.SecurityGroupRule( IpProtocol="tcp", FromPort="22", ToPort="22", CidrIp="0.0.0.0/0", ), ec2.SecurityGroupRule( IpProtocol="tcp", FromPort=Ref(webport_param), ToPort=Ref(webport_param), CidrIp="0.0.0.0/0", ), ])) eipA = template.add_resource(ec2.EIP( 'eipA', Domain='vpc', )) eipB = template.add_resource(ec2.EIP( 'eipB', Domain='vpc', )) # Add the web server instance WebInstance = template.add_resource( ec2.Instance( "WebInstance", SecurityGroups=[Ref(instance_sg)], KeyName=Ref(keyname_param), InstanceType=Ref("InstanceType"), ImageId=FindInMap("RegionMap", Ref("AWS::Region"), "AMI"), UserData=Base64(Ref(webport_param)), )) # Add the network LB NetworkLB = template.add_resource( elb.LoadBalancer( "NetworkLB", Name="NetworkLB", Scheme="internet-facing", SubnetMappings=[ elb.SubnetMapping(AllocationId=GetAtt(eipA, 'AllocationId'), SubnetId=Ref(subnetA)), elb.SubnetMapping(AllocationId=GetAtt(eipB, 'AllocationId'), SubnetId=Ref(subnetB)) ], Type='network')) TargetGroupWeb = template.add_resource( elb.TargetGroup("TargetGroupWeb", HealthCheckIntervalSeconds="30", HealthCheckProtocol="HTTP", HealthCheckTimeoutSeconds="10", HealthyThresholdCount="4", Matcher=elb.Matcher(HttpCode="200"), Name="WebTarget", Port=Ref(webport_param), Protocol="HTTP", Targets=[ elb.TargetDescription(Id=Ref(WebInstance), Port=Ref(webport_param)) ], UnhealthyThresholdCount="3", VpcId=Ref(VpcId))) template.add_resource( elb.Listener("Listener", Port="80", Protocol="HTTP", LoadBalancerArn=Ref(NetworkLB), DefaultActions=[ elb.Action(Type="forward", TargetGroupArn=Ref(TargetGroupWeb)) ])) template.add_output( Output("URL", Description="URL of the sample website", Value=Join("", ["http://", GetAtt(NetworkLB, "DNSName")]))) print(template.to_json())
def GenerateStepJenkinsLayer(): t = Template() t.add_description("""\ Jenkins for Step Hackathon Layer """) stackname_param = t.add_parameter( Parameter( "StackName", Description="Environment Name (default: hackathon)", Type="String", Default="hackathon", )) vpcid_param = t.add_parameter( Parameter( "VpcId", Type="String", Description="VpcId of your existing Virtual Private Cloud (VPC)", Default="vpc-fab00e9f")) subnets = t.add_parameter( Parameter( "Subnets", Type="CommaDelimitedList", Description=( "The list SubnetIds, for public subnets in the " "region and in your Virtual Private Cloud (VPC) - minimum one" ), Default="subnet-b68f3bef,subnet-9a6208ff,subnet-bfdd4fc8")) keypair_param = t.add_parameter( Parameter("KeyPair", Description="Name of an existing EC2 KeyPair to enable SSH " "access to the instance", Type="String", Default="glueteam")) jenkins_ami_id_param = t.add_parameter( Parameter("JenkinsAmiId", Description="Jenkins server AMI ID (default: ami-f3641a84)", Type="String", Default="ami-f3641a84")) operations_subdomain_hosted_zone_param = t.add_parameter( Parameter("DashsoftHostedZoneParam", Description="HostedZone (default: hackathon.operations.dk)", Type="String", Default="hackathon.operations.dk")) iam_role_param = t.add_parameter( Parameter( "IamRole", Description="IAM Role name", Type="String", )) # --------- Jenkins instance jenkins_sg = t.add_resource( ec2.SecurityGroup( 'JenkinsSG', GroupDescription='Security group for Jenkins host', VpcId=Ref(vpcid_param), Tags=Tags(Name=Join("", [Ref(stackname_param), "SG"])), SecurityGroupIngress=[ ec2.SecurityGroupRule( IpProtocol="tcp", FromPort="22", ToPort="22", CidrIp="0.0.0.0/0", ), ec2.SecurityGroupRule( IpProtocol="tcp", FromPort="80", ToPort="80", CidrIp="0.0.0.0/0", ), ec2.SecurityGroupRule( IpProtocol="tcp", FromPort="443", ToPort="443", CidrIp="0.0.0.0/0", ), ])) jenkins_eip = t.add_resource(ec2.EIP( 'JenkinsEIP', Domain='vpc', )) jenkins_eth0 = t.add_resource( ec2.NetworkInterface( "JenkinsEth0", Description=Join("", [Ref(stackname_param), " Eth0"]), GroupSet=[ Ref(jenkins_sg), ], SourceDestCheck=True, SubnetId=Select(0, Ref(subnets)), Tags=Tags( Name=Join("", [Ref(stackname_param), " Interface 0"]), Interface="eth0", ))) jenkins_host = t.add_resource( ec2.Instance( 'JenkinsHost', ImageId=Ref(jenkins_ami_id_param), InstanceType='m3.medium', KeyName=Ref(keypair_param), IamInstanceProfile=Ref(iam_role_param), NetworkInterfaces=[ ec2.NetworkInterfaceProperty( NetworkInterfaceId=Ref(jenkins_eth0), DeviceIndex="0", ), ], Tags=Tags(Name=Ref(stackname_param), Id=Ref(stackname_param)), UserData=Base64(Join('', [ '#!/bin/bash\n', ])), )) jenkins_eip_assoc = t.add_resource( ec2.EIPAssociation( "JenkinsEIPAssoc", NetworkInterfaceId=Ref(jenkins_eth0), AllocationId=GetAtt("JenkinsEIP", "AllocationId"), PrivateIpAddress=GetAtt("JenkinsEth0", "PrimaryPrivateIpAddress"), )) jenkins_host_cname = t.add_resource( route53.RecordSetType( "JenkinsHostCname", HostedZoneName=Join( "", [Ref(operations_subdomain_hosted_zone_param), "."]), Comment=Join("", ["Jenkins host CNAME for ", Ref(stackname_param)]), Name=Join( "", ["jenkins.", Ref(operations_subdomain_hosted_zone_param), "."]), Type="A", TTL="60", ResourceRecords=[GetAtt("JenkinsHost", "PublicIp")], DependsOn="JenkinsEIPAssoc")) return t
DBSubnetGroupDescription='Created from the RDS Management Console', DBSubnetGroupName='default-vpc-0e12e822c1e5549cf', SubnetIds=['subnet-08d3101feec0e17da', 'subnet-0c86eeb5d3ab2e031'])) RDSDBSecurityGroup = template.add_resource( rds.DBSecurityGroup('RDSDBSecurityGroup', GroupDescription=Ref(ECSCluster))) EC2SecurityGroup = template.add_resource( ec2.SecurityGroup('EC2SecurityGroup', GroupDescription='2020-02-23T21:47:44.823Z', GroupName='ws-cur-1498', VpcId='vpc-0e12e822c1e5549cf', SecurityGroupIngress=[ ec2.SecurityGroupRule(CidrIp='0.0.0.0/0', FromPort=80, IpProtocol='tcp', ToPort=80), ec2.SecurityGroupRule(CidrIp='0.0.0.0/0', FromPort=8100, IpProtocol='tcp', ToPort=8100) ], SecurityGroupEgress=[ ec2.SecurityGroupRule(CidrIp='0.0.0.0/0', IpProtocol='-1') ])) EC2SecurityGroup2 = template.add_resource( ec2.SecurityGroup( 'EC2SecurityGroup2', GroupDescription=
t.add_parameter(Parameter("VpcId", Type="AWS::EC2::VPC::Id", Description="VPC")) t.add_parameter( Parameter("PublicSubnet", Description="PublicSubnet", Type="List<AWS::EC2::Subnet::Id>", ConstraintDescription="PublicSubnet")) t.add_resource( ec2.SecurityGroup("VPNSecurityGroup", GroupDescription="SoftEther security group", SecurityGroupIngress=[ ec2.SecurityGroupRule( IpProtocol="udp", FromPort="4500", ToPort="4500", CidrIp="0.0.0.0/0", ), ec2.SecurityGroupRule( IpProtocol="udp", FromPort="500", ToPort="500", CidrIp="0.0.0.0/0", ), ec2.SecurityGroupRule( IpProtocol="tcp", FromPort="443", ToPort="443", CidrIp="0.0.0.0/0", ) ],
from troposphere import Ref, Template, Parameter, Join, GetAtt import troposphere.ec2 as ec2 t = template() #Securi group sg = ec2.SecurityGroup("LampSg") sg.GroupDescription = "Allou access thought ports 88 and 22" sg.securityGroupIngress = [ ec2.SecurityGroupRule(IpProtocol = "tcp", fromPort = "22", toPort = "22", CidrIp = "0.0.0.0/0") ,ec2.SecurityGroupRule(IpProtocol = "tcp", fromPort = "88", toPort = "70", CidrIp = "0.0.0.0/0") ] t.add_resource(sg); print(t.to_json) #AmiID
def add_security_groups(self): """ Wrapper method to encapsulate process of creating security groups for this tier Creates security groups for both ASG and ELB and opens the ports between them Sets self.security_groups as a dictionary with two security_groups: ha_cluster and elb """ elb_sg_ingress_rules = [] if self.allow_default_ingress: # Determine ingress rules for ELB security -- open to internet for internet-facing ELB, open to VPC for internal ELB access_cidr = PUBLIC_ACCESS_CIDR if self.elb_scheme == SCHEME_INTERNET_FACING else self.vpc_cidr # Add the ingress rules to the ELB security group for elb_port in [ listener.get('elb_port') for listener in self.elb_listeners ]: elb_sg_ingress_rules.append( ec2.SecurityGroupRule(FromPort=elb_port, ToPort=elb_port, IpProtocol='tcp', CidrIp=access_cidr)) # Create the ELB security group and attach the ingress rules elb_sg_name = '%sElbSecurityGroup' % self.name elb_sg = self.add_resource( ec2.SecurityGroup(elb_sg_name, GroupDescription='Security group for %s ELB' % self.name, VpcId=self.vpc_id, SecurityGroupIngress=elb_sg_ingress_rules)) # Create the ASG security group ha_cluster_sg_name = '%sSecurityGroup' % self.name ha_cluster_sg = self.add_resource( ec2.SecurityGroup(ha_cluster_sg_name, GroupDescription='Security group for %s' % self.name, VpcId=self.vpc_id)) # Create the reciprocal rules between the ELB and the ASG for all instance ports # NOTE: The condition in the list comprehension exists because elb_port is used as a default when instance_port is not specified cluster_sg_ingress_ports = { listener.get('instance_port') if listener.get('instance_port') else listener.get('elb_port') for listener in self.elb_listeners } # Also add the health check port to the security group rules if self.elb_health_check_port: cluster_sg_ingress_ports.add(self.elb_health_check_port) for cluster_sg_ingress_port in cluster_sg_ingress_ports: self.create_reciprocal_sg(elb_sg, elb_sg_name, ha_cluster_sg, ha_cluster_sg_name, from_port=cluster_sg_ingress_port) self.security_groups = {'ha_cluster': ha_cluster_sg, 'elb': elb_sg} return self.security_groups
ec2.SubnetRouteTableAssociation("SubnetRouteTableAssociation1", SubnetId=Ref(subnet_1), RouteTableId=Ref(public_route_table))) subnet_route_table_association_2 = template.add_resource( ec2.SubnetRouteTableAssociation("SubnetRouteTableAssociation2", SubnetId=Ref(subnet_2), RouteTableId=Ref(public_route_table))) security_group = template.add_resource( ec2.SecurityGroup("SecurityGroup", GroupDescription="SecurityGroup", VpcId=Ref(vpc), SecurityGroupIngress=[ ec2.SecurityGroupRule(IpProtocol="tcp", FromPort=53, ToPort=53, CidrIp="0.0.0.0/0"), ec2.SecurityGroupRule(IpProtocol="udp", FromPort=53, ToPort=53, CidrIp="0.0.0.0/0"), ec2.SecurityGroupRule(IpProtocol="tcp", FromPort=80, ToPort=80, CidrIp="0.0.0.0/0") ], Tags=ec2.Tags(Name="euca.me"))) role = template.add_resource( iam.Role("Role", AssumeRolePolicyDocument=Policy(
def add_resources(self): self.MasterPublicLBSG = self.template.add_resource( ec2.SecurityGroup( "MasterPublicLBSG", GroupDescription="Loadbalancer SG For Jmeter Public", VpcId=Ref(self.VpcId), SecurityGroupIngress=[ ec2.SecurityGroupRule( IpProtocol="tcp", FromPort=22, ToPort=22, CidrIp=Ref(self.AdminCidrBlock), ), ], Tags=self.base_tags + Tags(Name=self.environment_parameters["ClientEnvironmentKey"] + "-JMeterMasterPublicLBSG"), )) self.MasterEc2SG = self.template.add_resource( ec2.SecurityGroup( "MasterEc2SG", GroupDescription= "Allow communication between Rest Api Load Balancers and Rest Api Ec2s", VpcId=Ref(self.VpcId), SecurityGroupIngress=[ ec2.SecurityGroupRule( IpProtocol="tcp", FromPort=22, ToPort=22, SourceSecurityGroupId=Ref(self.MasterPublicLBSG), ), ], Tags=self.base_tags + Tags(Name=self.environment_parameters["ClientEnvironmentKey"] + "-JMeterMasterEC2InstanceSG"), )) self.SlavePublicLBSG = self.template.add_resource( ec2.SecurityGroup( "SlavePublicLBSG", GroupDescription= "Security Group for Private JMeter Slave Load Balancer", VpcId=Ref(self.VpcId), SecurityGroupIngress=[ ec2.SecurityGroupRule( IpProtocol="tcp", FromPort=22, ToPort=22, SourceSecurityGroupId=Ref(self.MasterEc2SG), ), ec2.SecurityGroupRule( IpProtocol="tcp", FromPort=24000, ToPort=26999, SourceSecurityGroupId=Ref(self.MasterEc2SG), ), ], Tags=self.base_tags + Tags(Name=self.environment_parameters["ClientEnvironmentKey"] + "-JMeterSlavePublicLBSG"), )) self.SlaveEc2SG = self.template.add_resource( ec2.SecurityGroup( "SlaveEc2SG", GroupDescription= "Security Group for Private JMeter Slave Load Balancer", VpcId=Ref(self.VpcId), SecurityGroupIngress=[ ec2.SecurityGroupRule( IpProtocol="tcp", FromPort=22, ToPort=22, SourceSecurityGroupId=Ref(self.SlavePublicLBSG), ), ec2.SecurityGroupRule( IpProtocol="tcp", FromPort=22, ToPort=22, SourceSecurityGroupId=Ref(self.MasterEc2SG), ), ec2.SecurityGroupRule( IpProtocol="tcp", FromPort=24000, ToPort=26999, SourceSecurityGroupId=Ref(self.SlavePublicLBSG), ), ], Tags=self.base_tags + Tags(Name=self.environment_parameters["ClientEnvironmentKey"] + "-JMeterSlaveEC2InstanceSG"), )) self.SlaveSGInterNodeCommunicationIngress = self.template.add_resource( ec2.SecurityGroup( "SlaveSGInterNodeCommunicationIngress", GroupDescription= "Security Group for Private JMeter Slave Load Balancer", VpcId=Ref(self.VpcId), SecurityGroupIngress=[ ec2.SecurityGroupRule( IpProtocol="tcp", FromPort=22, ToPort=22, SourceSecurityGroupId=Ref(self.SlaveEc2SG), ), ], Tags=self.base_tags + Tags(Name=self.environment_parameters["ClientEnvironmentKey"] + "-JMeterSlaveNodeCommuncationSG"), )) self.MasterPublicLoadBalancer = self.template.add_resource( elasticloadbalancing.LoadBalancer( "MasterPublicLoadBalancer", LoadBalancerName=self. environment_parameters["ClientEnvironmentKey"] + "-JMeterMasterPubELB", Scheme="internet-facing", Listeners=[ elasticloadbalancing.Listener(LoadBalancerPort="22", InstancePort="22", Protocol="TCP", InstanceProtocol="TCP") ], Instances=[], SecurityGroups=[Ref(self.MasterPublicLBSG)], Subnets=[Ref(self.RESTPubSubnet1)], CrossZone=True, HealthCheck=elasticloadbalancing.HealthCheck( Target=Join("", ["TCP:", "22"]), HealthyThreshold="3", UnhealthyThreshold="10", Interval="10", Timeout="5", ), Tags=self.base_tags + Tags(Name=self.environment_parameters["ClientEnvironmentKey"] + "-JMeterMasterPublicLB"), )) self.SlavePublicLoadBalancer = self.template.add_resource( elasticloadbalancing.LoadBalancer( "SlavePublicLoadBalancer", LoadBalancerName=self. environment_parameters["ClientEnvironmentKey"] + "-JMeterSlavePubELB", Scheme="internet-facing", Listeners=[ elasticloadbalancing.Listener(LoadBalancerPort="22", InstancePort="22", Protocol="TCP", InstanceProtocol="TCP") ], Instances=[], SecurityGroups=[Ref(self.SlavePublicLBSG)], Subnets=[Ref(self.RESTPrivSubnet1)], CrossZone=True, HealthCheck=elasticloadbalancing.HealthCheck( Target=Join("", ["TCP:", "22"]), HealthyThreshold="3", UnhealthyThreshold="10", Interval="10", Timeout="5", ), Tags=self.base_tags + Tags(Name=self.environment_parameters["ClientEnvironmentKey"] + "-JMeterSlavePublicLB"), )) self.MasterLaunchConfiguration = self.template.add_resource( LaunchConfiguration( "MasterLaunchConfiguration", ImageId=Ref(self.JmeterMasterImageId), InstanceType=Ref(self.MasterInstanceType), IamInstanceProfile=Ref(self.IAMInstanceProfile), KeyName=Ref(self.ServerKeyName), SecurityGroups=[Ref(self.MasterEc2SG)], )) self.MasterAutoScalingGroup = self.template.add_resource( AutoScalingGroup( "MasterAutoScaling", AutoScalingGroupName=self. environment_parameters["ClientEnvironmentKey"] + "-JMeterMasterAutoScalingGroup", LaunchConfigurationName=Ref(self.MasterLaunchConfiguration), LoadBalancerNames=[Ref(self.MasterPublicLoadBalancer)], MaxSize="1", MinSize="1", DesiredCapacity="1", VPCZoneIdentifier=[ Ref(self.RESTPubSubnet1), Ref(self.RESTPubSubnet2) ], Tags=[ AutoScalingTag( "Name", self.environment_parameters["ClientEnvironmentKey"] + "-JMeterMasterEC2", True), AutoScalingTag( "Environment", self.environment_parameters["EnvironmentName"], True), AutoScalingTag( "ResourceOwner", self.environment_parameters["ResourceOwner"], True), AutoScalingTag("ClientCode", self.environment_parameters["ClientCode"], True), ], )) self.SlaveLaunchConfiguration = self.template.add_resource( LaunchConfiguration( "SlaveLaunchConfiguration", ImageId=Ref(self.JMeterSlaveImageId), InstanceType=Ref(self.SlaveInstanceType), IamInstanceProfile=Ref(self.IAMInstanceProfile), KeyName=Ref(self.ServerKeyName), SecurityGroups=[Ref(self.SlaveEc2SG)], )) self.SlaveAutoScalingGroup = self.template.add_resource( AutoScalingGroup( "SlaveAutoScaling", AutoScalingGroupName=self. environment_parameters["ClientEnvironmentKey"] + "JMeterSlaveAutoScalingGroup", LaunchConfigurationName=Ref(self.SlaveLaunchConfiguration), LoadBalancerNames=[Ref(self.SlavePublicLoadBalancer)], MaxSize="1", MinSize="1", DesiredCapacity="1", VPCZoneIdentifier=[ Ref(self.RESTPrivSubnet1), Ref(self.RESTPrivSubnet2) ], Tags=[ AutoScalingTag( "Name", self.environment_parameters["ClientEnvironmentKey"] + "-JMeterSlaveEC2", True), AutoScalingTag( "Environment", self.environment_parameters["EnvironmentName"], True), AutoScalingTag( "ResourceOwner", self.environment_parameters["ResourceOwner"], True), AutoScalingTag("ClientCode", self.environment_parameters["ClientCode"], True), ], )) self.TestExecutionLengthSSMParameter = self.template.add_resource( SSMParameter( "TestExecutionLengthSSMParameter", Description="The length of time the JMeter Test can Run", Name=self.environment_parameters["ClientEnvironmentKey"] + "-JMeterTestExecutionLength", Type="String", Value=Ref(self.TestExecutionLengthSSMParameterValue), )) self.JMXFileNameSSMParameter = self.template.add_resource( SSMParameter( "JMXFileNameSSMParameter", Description="The Name of the JMX File", Name=self.environment_parameters["ClientEnvironmentKey"] + "-JMeterJMXFileName", Type="String", Value=Ref(self.JMXFileNameSSMParameterValue), )) self.S3JMXFileLocationSSMParameter = self.template.add_resource( SSMParameter( "S3JMXFileLocationSSMParameter", Description="Location of the JMX File in S3", Name=self.environment_parameters["ClientEnvironmentKey"] + "-JMeterS3JMXFileLocation", Type="String", Value=Ref(self.S3JMXFileLocationSSMParameterValue), )) self.JMXResultsFileNameSSMParameter = self.template.add_resource( SSMParameter( "JMXResultsFileNameSSMParameter", Description="The Name of The JMX Results File", Name=self.environment_parameters["ClientEnvironmentKey"] + "-JMeterJMXResultsFileName", Type="String", Value=Ref(self.JMXResultsFileNameSSMParameterValue), ))
}, "eu-west-3": { "AMI": "ami-55b40228", "MonitorAMI": "ami-fbb40286" }, }) LoadBalancerSecurityGroup = t.add_resource( ec2.SecurityGroup( "LoadBalancerSecurityGroup", GroupDescription= "Enables remote access to port 80 and 443 for the StorReduce load balancer", SecurityGroupIngress=[ ec2.SecurityGroupRule( IpProtocol="tcp", FromPort="80", ToPort="80", CidrIp=Ref(RemoteAccessCIDRParam), ), ec2.SecurityGroupRule( IpProtocol="tcp", FromPort="443", ToPort="443", CidrIp=Ref(RemoteAccessCIDRParam), ), ], VpcId=Ref(VpcIdParam))) MonitorSecurityGroup = t.add_resource( ec2.SecurityGroup( "MonitorSecurityGroup", GroupDescription=
"sa-east-1": {"AMI": "ami-a41869c8"}, "us-east-1": {"AMI": "ami-1d4e7a66"}, "us-east-2": {"AMI": "ami-dbbd9dbe"}, "us-west-1": {"AMI": "ami-969ab1f6"}, "us-west-2": {"AMI": "ami-8803e0f0"}, }) # EC2 security group security_group = template.add_resource(ec2.SecurityGroup( 'SecurityGroup', GroupDescription='Allows SSH access from SshCidr and HTTP/HTTPS access from anywhere.', VpcId=Ref(vpc), SecurityGroupIngress=[ ec2.SecurityGroupRule( IpProtocol='tcp', FromPort=22, ToPort=22, CidrIp=Ref(ssh_cidr), ), ec2.SecurityGroupRule( IpProtocol='tcp', FromPort=80, ToPort=80, CidrIp='0.0.0.0/0', ), ec2.SecurityGroupRule( IpProtocol='tcp', FromPort=443, ToPort=443, CidrIp='0.0.0.0/0', ), ]
def add_resources(self): self.RestApiPublicLBSG = self.template.add_resource( ec2.SecurityGroup( "RestApiPublicLBSG", GroupDescription= "Loadbalancer Security Group For Rest Api Public LB", VpcId=Ref(self.VpcId), SecurityGroupIngress=[ ec2.SecurityGroupRule( IpProtocol="tcp", FromPort=3389, ToPort=3389, CidrIp=Ref(self.AdminCidrBlock), ), ], Tags=self.base_tags + Tags(Name=self.environment_parameters["ClientEnvironmentKey"] + "-LoyaltyRestApiPubLBSG"), )) self.RestApiPrivateLBSG = self.template.add_resource( ec2.SecurityGroup( "RestApiPrivateLBSG", GroupDescription= "Loadbalancer Security Group For Rest Api Private LB", VpcId=Ref(self.VpcId), SecurityGroupIngress=[ ec2.SecurityGroupRule( IpProtocol="tcp", FromPort=3389, ToPort=3389, CidrIp=Ref(self.AdminCidrBlock), ), ec2.SecurityGroupRule( IpProtocol="tcp", FromPort=80, ToPort=80, CidrIp=Ref(self.AdminCidrBlock), ), ec2.SecurityGroupRule( IpProtocol="tcp", FromPort=80, ToPort=80, SourceSecurityGroupId=Ref(self.KongEC2SecurityGroup), ), ], Tags=self.base_tags + Tags(Name=self.environment_parameters["ClientEnvironmentKey"] + "-LoyaltyRestApiPrivLBSG"), )) self.RestApiSG = self.template.add_resource( ec2.SecurityGroup( "RestApiSG", GroupDescription= "Allow communication between Rest Api Load Balancers and Rest Api Ec2s", VpcId=Ref(self.VpcId), SecurityGroupIngress=[ ec2.SecurityGroupRule( IpProtocol="tcp", FromPort=3389, ToPort=3389, SourceSecurityGroupId=Ref(self.RestApiPublicLBSG), ), ec2.SecurityGroupRule( IpProtocol="tcp", FromPort=80, ToPort=80, SourceSecurityGroupId=Ref(self.RestApiPublicLBSG), ), ec2.SecurityGroupRule( IpProtocol="tcp", FromPort=80, ToPort=80, SourceSecurityGroupId=Ref(self.RestApiPrivateLBSG), ), ], Tags=self.base_tags + Tags(Name=self.environment_parameters["ClientEnvironmentKey"] + "-LoyaltyRestApiEc2SG"), )) self.ApiEc2ToKongPrivateALBIngress = self.template.add_resource( ec2.SecurityGroupIngress( "ApiEc2ToKongPrivateALBIngress", DependsOn=self.RestApiSG, GroupId=Ref(self.KongPrivateLoadBalancerSecurityGroup), IpProtocol="tcp", FromPort=8443, ToPort=8444, SourceSecurityGroupId=Ref(self.RestApiSG), )) self.RestApiPublicLoadBalancer = self.template.add_resource( elasticloadbalancing.LoadBalancer( "RestApiPublicLoadBalancer", LoadBalancerName=self. environment_parameters["ClientEnvironmentKey"] + "-LoyaltyRestApiPubLB", Scheme="internet-facing", Listeners=[ elasticloadbalancing.Listener( LoadBalancerPort="3389", InstancePort="3389", Protocol="TCP", InstanceProtocol="TCP", ) ], Instances=[], SecurityGroups=[Ref(self.RestApiPublicLBSG)], Subnets=[Ref(self.RESTPubSubnet1), Ref(self.RESTPubSubnet2)], ConnectionDrainingPolicy=elasticloadbalancing. ConnectionDrainingPolicy( Enabled=True, Timeout=300, ), CrossZone=True, HealthCheck=elasticloadbalancing.HealthCheck( Target=Join("", ["TCP:", "3389"]), HealthyThreshold="3", UnhealthyThreshold="5", Interval="10", Timeout="5", ), Tags=self.base_tags + Tags(Name=self.environment_parameters["ClientEnvironmentKey"] + "-LoyaltyRestApiPubLB"), )) self.RestApiPrivateLoadBalancer = self.template.add_resource( elasticloadbalancing.LoadBalancer( "RestApiPrivateLoadBalancer", LoadBalancerName=self. environment_parameters["ClientEnvironmentKey"] + "-LoyaltyRestApiPrivLB", Scheme="internal", Listeners=[ elasticloadbalancing.Listener( LoadBalancerPort="3389", InstancePort="3389", Protocol="TCP", InstanceProtocol="TCP", ), elasticloadbalancing.Listener( LoadBalancerPort="80", InstancePort="80", Protocol="TCP", InstanceProtocol="TCP", ) ], Instances=[], SecurityGroups=[Ref(self.RestApiPrivateLBSG)], Subnets=[Ref(self.RESTPrivSubnet1), Ref(self.RESTPrivSubnet2)], ConnectionDrainingPolicy=elasticloadbalancing. ConnectionDrainingPolicy( Enabled=True, Timeout=120, ), CrossZone=True, HealthCheck=elasticloadbalancing.HealthCheck( Target=Join("", ["HTTP:", "80", "/swagger/index.html"]), HealthyThreshold="3", UnhealthyThreshold="5", Interval="30", Timeout="5", ), Tags=self.base_tags + Tags(Name=self.environment_parameters["ClientEnvironmentKey"] + "-LoyaltyRestApiPrivLB"), )) self.RestApiLaunchConfiguration = self.template.add_resource( LaunchConfiguration( "RestApiLaunchConfiguration", ImageId=self.ami_id, InstanceType=Ref(self.RestApiInstanceType), IamInstanceProfile=Ref(self.RestApiIAMInstanceProfile), KeyName=Ref(self.RestApiKeyName), SecurityGroups=[Ref(self.RestApiSG)], UserData=Base64( Join('', [ "<persist>true</persist>\n", "<powershell>\n", "$ClientCode = '" + self.environment_parameters["ClientEnvironmentKey"] + "'\n", "$bootstrapRepository = (Get-SSMParameterValue -Names $ClientCode-bootstrapRepository -WithDecryption $true).Parameters[0].Value\n", "\n", "$region = '" + self.environment_parameters["EnvironmentRegion"] + "'\n", "$keyPrefix = 'bootstrap/rest/powershell/'\n", "\n", "$localPath = 'C:/bootstrap/rest/powershell'\n", "\n", "if (-Not (Test-Path -Path $localPath)){New-Item -Path $localPath -ItemType directory -Force | out-null}\n", "$artifacts = Get-S3Object -BucketName $bootstrapRepository -KeyPrefix $keyPrefix -Region $region\n", "foreach($artifact in $artifacts) {$localFileName = $artifact.Key -replace $keyPrefix, '' \n", "if ($localFileName -ne '') {$localFilePath = Join-Path $localPath $localFileName \n", "Copy-S3Object -BucketName $bootstrapRepository -Key $artifact.Key -LocalFile $localFilePath -Region $region}} \n", "\n", "$cmdExecuteBootStrapping = 'C:\\bootstrap\\rest\\powershell\\ExecuteScripts.ps1' \n", "Invoke-Expression \"$cmdExecuteBootStrapping\" \n", "</powershell>", "\n" ])))) self.RestApiAutoScalingGroup = self.template.add_resource( AutoScalingGroup( "RestApiAutoscalingGroup", AutoScalingGroupName=self. environment_parameters["ClientEnvironmentKey"] + "-LoyaltyRestApiAutoScalingGroup", LaunchConfigurationName=Ref(self.RestApiLaunchConfiguration), LoadBalancerNames=[ Ref(self.RestApiPublicLoadBalancer), Ref(self.RestApiPrivateLoadBalancer) ], MaxSize=Ref(self.RestApiASGGroupMaxSize), MinSize=Ref(self.RestApiASGGroupMinSize), DesiredCapacity=Ref(self.RestApiASGGroupDesiredSize), HealthCheckType=Ref(self.RestApiASGHealthCheckType), HealthCheckGracePeriod=Ref( self.RestApiASGHealthCheckGracePeriod), Cooldown=Ref(self.RestApiASGCoolDown), LifecycleHookSpecificationList=[ LifecycleHookSpecification( HeartbeatTimeout=Ref( self.RestApiASGLifeCycleHeartBeatTimeout), LifecycleTransition=Ref( self.RestApiASGLifeCycleTransition), LifecycleHookName=self. environment_parameters["ClientEnvironmentKey"] + "-REST-API-LCH"), ], VPCZoneIdentifier=[ Ref(self.RESTPrivSubnet1), Ref(self.RESTPrivSubnet2) ], Tags=[ AutoScalingTag( "Name", self.environment_parameters["ClientEnvironmentKey"] + "-LoyaltyRestApi-Ec2", True), AutoScalingTag( "Environment", self.environment_parameters["EnvironmentName"], True), AutoScalingTag( "ResourceOwner", self.environment_parameters["ResourceOwner"], True), AutoScalingTag( "ClientCode", self.environment_parameters["ClientEnvironmentKey"], True), ], ))
def add_security_group(template): ''' Takes a given Template object and adds properly configured AWS security group to enable QF2 to cluster, replicate, and serve clients. Ports enabled by default: TCP 21, 80, 111, 443, 445, 2049, 3712, 8000 UDP 111, 2049 All traffic is allowed between members of the security group for clustering. ''' sg_in = [] sg_out = [] # Ingress TCP ports for port in ['21', '80', '111', '443', '445', '2049', '3712', '8000']: sg_in.append( ec2.SecurityGroupRule( Description= 'TCP ports for NFS, SMB, FTP, Management, and Replication', IpProtocol='tcp', FromPort=port, ToPort=port, CidrIp='0.0.0.0/0')) # Ingress UDP ports for port in ['111', '2049']: sg_in.append( ec2.SecurityGroupRule(Description='UDP ports for NFS', IpProtocol='udp', FromPort=port, ToPort=port, CidrIp='0.0.0.0/0')) # Egress rule for all ports and protocols sg_out.append( ec2.SecurityGroupRule(Description='Outbound traffic', IpProtocol='-1', FromPort=0, ToPort=0, CidrIp='0.0.0.0/0')) template.add_resource( ec2.SecurityGroup( SECURITY_GROUP_NAME, GroupDescription= 'Enable ports for NFS/SMB/FTP, Management, Replication, and ' 'Clustering.', SecurityGroupIngress=sg_in, SecurityGroupEgress=sg_out, VpcId=Ref('VpcId'))) # Self referencing security rules need to be added after the group is # created. This rule is enabling all traffic between members of the # security group for clustering. template.add_resource( ec2.SecurityGroupIngress( 'QumuloSecurityGroupNodeRule', DependsOn=SECURITY_GROUP_NAME, Description='Qumulo Internode Communication', GroupId=Ref(SECURITY_GROUP_NAME), IpProtocol='-1', FromPort=0, ToPort=0, SourceSecurityGroupId=Ref(SECURITY_GROUP_NAME)))
}, Roles=[Ref(TaskExecutionRole)], )) # Create CloudWatch Log Group GhostLogGroup = t.add_resource(logs.LogGroup("GhostLogGroup", )) # Create Security group that allows traffic into the ALB alb_security_group = ec2.SecurityGroup( "ALBSecurityGroup", GroupDescription="Ghost ALB Security Group", VpcId=Ref(db_vpc), SecurityGroupIngress=[ ec2.SecurityGroupRule( IpProtocol="tcp", FromPort="80", ToPort="80", CidrIp="0.0.0.0/0", ), ec2.SecurityGroupRule( IpProtocol="tcp", FromPort="443", ToPort="443", CidrIp="0.0.0.0/0", ), ]) t.add_resource(alb_security_group) # Create Security group for the host/ENI/Fargate that allows 2368 ghost_host_security_group = ec2.SecurityGroup( "GhostHostSecurityGroup", GroupDescription="Ghost ECS Security Group.",
}, "us-west-2": { "Windows2016Base": "ami-07f35a597a32e470d", "AmazonLinux2": "ami-0cb72367e98845d43", }, } ) resources['sg'] = tpl.add_resource( ec2.SecurityGroup( "InstanceSg", GroupDescription="Enable SSH and HTTP access on the inbound port", SecurityGroupIngress=[ ec2.SecurityGroupRule( IpProtocol="tcp", FromPort=FindInMap("Global", "ConnectPortByOs", Ref(params['os'])), ToPort=FindInMap("Global", "ConnectPortByOs", Ref(params['os'])), CidrIp=Ref(params['pub_loc']), ) ] ) ) resources['ec2'] = tpl.add_resource( ec2.Instance( "Ec2Instance", ImageId=FindInMap("AmiByOs", Ref("AWS::Region"), Ref(params['os'])), InstanceType=Ref(params['instance_type']), KeyName=If(conditions['has_kp'], Ref(params['keyname']), Ref("AWS::NoValue")), SecurityGroups=[ Ref(resources['sg']), ],
template.add_parameter(subnet_id) vpc_id = Parameter("VpcId", Type="AWS::EC2::VPC::Id", Default="vpc-ebe0c38e", Description="Id of the VPC which will hold the instance") template.add_parameter(vpc_id) # security group sg = ec2.SecurityGroup(app_name_capitalize + 'SG', GroupDescription="Security Group for base instance.", Tags=Tags(Name=app_name + '-base-instance-sg', Custo=app_name), SecurityGroupIngress=[ ec2.SecurityGroupRule(IpProtocol="tcp", FromPort="22", ToPort="22", CidrIp="0.0.0.0/0"), ec2.SecurityGroupRule(IpProtocol="tcp", FromPort="9090", ToPort="9090", CidrIp="0.0.0.0/0"), ec2.SecurityGroupRule(IpProtocol="tcp", FromPort="80", ToPort="80", CidrIp="0.0.0.0/0"), ec2.SecurityGroupRule(IpProtocol="tcp", FromPort="443", ToPort="443", CidrIp="0.0.0.0/0") ], VpcId=Ref(vpc_id))
} }) myvpcsecuritygroup = t.add_resource( SecurityGroup("myVPCSecurityGroup", GroupDescription="Security group for RDS DB Instance.", VpcId=Ref(vpcid))) instance_sg = t.add_resource( ec2.SecurityGroup( "InstanceSecurityGroup", GroupDescription="Enable SSH and HTTP access on the inbound port", SecurityGroupIngress=[ ec2.SecurityGroupRule( IpProtocol="tcp", FromPort="22", ToPort="22", CidrIp=Ref(subnet), ), ec2.SecurityGroupRule( IpProtocol="tcp", FromPort="8080", ToPort="8080", CidrIp=Ref(subnet), ), ec2.SecurityGroupRule( IpProtocol="tcp", FromPort="8000", ToPort="8000", CidrIp=Ref(subnet), ), ec2.SecurityGroupRule(
t.add_parameter(Parameter("VpcId", Type="AWS::EC2::VPC::Id", Description="VPC")) t.add_parameter( Parameter("PublicSubnet", Description="PublicSubnet", Type="List<AWS::EC2::Subnet::Id>", ConstraintDescription="PublicSubnet")) t.add_resource( ec2.SecurityGroup("SecurityGroup", GroupDescription="Allow SSH and private network access", SecurityGroupIngress=[ ec2.SecurityGroupRule( IpProtocol="tcp", FromPort=0, ToPort=65535, CidrIp="172.16.0.0/12", ), ec2.SecurityGroupRule( IpProtocol="tcp", FromPort="22", ToPort="22", CidrIp=PublicCidrIp, ), ], VpcId=Ref("VpcId"))) t.add_resource(Cluster('ECSCluster', )) t.add_resource( Role(
t.add_condition('CreateSecurityGroupCondition', Equals(Ref(param_sg), '')) # # Resources # cache_sg = t.add_resource( ec2.SecurityGroup( 'CacheSecurityGroup', Condition='CreateSecurityGroupCondition', VpcId=Ref(param_vpcid), GroupDescription='Enable cache access', SecurityGroupIngress=[ ec2.SecurityGroupRule( IpProtocol='tcp', FromPort='11211', ToPort='11211', CidrIp=Ref(param_client_location), ) ], )) cache_subnet_group = t.add_resource( elasticache.SubnetGroup('CacheSubnetGroup', Description='Cache subnet group', SubnetIds=Ref(param_subnetids))) cache_cluster = t.add_resource( elasticache.CacheCluster( 'CacheCluster', Engine='memcached', CacheNodeType=Ref(param_cache_node_type),
], ) ]))) t.add_resource( ec2.SecurityGroup( "LoadBalancerSecurityGroup", GroupDescription="Web load balancer security group.", VpcId=ImportValue( Join("-", [ Select(0, Split("-", Ref("AWS::StackName"))), "cluster-vpc-id" ])), SecurityGroupIngress=[ ec2.SecurityGroupRule( IpProtocol="tcp", FromPort="3000", ToPort="3000", CidrIp="0.0.0.0/0", ), ], )) t.add_resource( elb.LoadBalancer( "LoadBalancer", Scheme="internet-facing", Subnets=Split( ',', ImportValue( Join("-", [ Select(0, Split("-", Ref("AWS::StackName"))), "cluster-public-subnets"
] # # Resources # rds_sg = t.add_resource(ec2.SecurityGroup( 'RdsSecurityGroup', Condition='CreateSecurityGroupCondition', VpcId=Ref(param_vpcid), GroupDescription='Enable local postgres access', SecurityGroupIngress=[ If('PostgresCondition', ec2.SecurityGroupRule( IpProtocol='tcp', FromPort='5432', ToPort='5432', CidrIp=Ref(param_db_client_location), ), Ref(AWS_NO_VALUE)), If('MysqlCondition', ec2.SecurityGroupRule( IpProtocol='tcp', FromPort='3306', ToPort='3306', CidrIp=Ref(param_db_client_location), ), Ref(AWS_NO_VALUE)), ], )) subnet_group = t.add_resource(rds.DBSubnetGroup(
def GenerateStepPublisherLayer(): t = Template() t.add_description("""\ StepScheduler Layer """) stackname_param = t.add_parameter( Parameter( "StackName", Description="Environment Name (default: hackathon)", Type="String", Default="hackathon", )) vpcid_param = t.add_parameter( Parameter( "VpcId", Type="String", Description="VpcId of your existing Virtual Private Cloud (VPC)", Default="vpc-fab00e9f")) subnets = t.add_parameter( Parameter( "Subnets", Type="CommaDelimitedList", Description=( "The list SubnetIds, for public subnets in the " "region and in your Virtual Private Cloud (VPC) - minimum one" ), Default="subnet-b68f3bef,subnet-9a6208ff,subnet-bfdd4fc8")) keypair_param = t.add_parameter( Parameter("KeyPair", Description="Name of an existing EC2 KeyPair to enable SSH " "access to the instance", Type="String", Default="glueteam")) scheduler_ami_id_param = t.add_parameter( Parameter( "SchedulerAmiId", Description="Scheduler server AMI ID (default: ami-a10897d6)", Type="String", Default="ami-a10897d6")) cluster_ami_id_param = t.add_parameter( Parameter("ClusterAmiId", Description="Cluster server AMI ID (default: ami-3db4ca4a)", Type="String", Default="ami-3db4ca4a")) iam_role_param = t.add_parameter( Parameter( "IamRole", Description="IAM Role name", Type="String", )) hashkeyname_param = t.add_parameter( Parameter( "HaskKeyElementName", Description="HashType PrimaryKey Name (default: id)", Type="String", AllowedPattern="[a-zA-Z0-9]*", MinLength="1", MaxLength="2048", ConstraintDescription="must contain only alphanumberic characters", Default="id")) crontab_tablename_param = t.add_parameter( Parameter( "CrontabTablename", Description="Crontab Table Name", Type="String", )) containerlauncher_param = t.add_parameter( Parameter( "Containerlauncher", Description= "Container Launcher zip file (default: containerLauncher-1.0.zip)", Type="String", Default="containerLauncher-1.0.zip")) zipfileversion_param = t.add_parameter( Parameter( "ZipfileVersion", Description="Container Launcher zip file version", Type="String", )) # --------- Lambda Container Launcher lambda_function = t.add_resource( Function( "containerLauncher", Code=Code( S3Bucket="hackathon-glueteam-lambda", S3Key=Ref(containerlauncher_param), S3ObjectVersion=Ref(zipfileversion_param), ), Description=Join('', [Ref(stackname_param), " container Launcher"]), MemorySize=256, Handler="com.philips.glueteam.DockerLauncher::myHandler", Runtime="java8", Timeout=60, Role=Join('', [ "arn:aws:iam::", Ref("AWS::AccountId"), ":role/", Ref(iam_role_param) ]), )) townclock_topic = t.add_resource( sns.Topic( "TownClock", Subscription=[ sns.Subscription(Endpoint=GetAtt("containerLauncher", "Arn"), Protocol="lambda"), ], )) # --------- Scheduler instance scheduler_sg = t.add_resource( ec2.SecurityGroup( 'SchedulerSG', GroupDescription='Security group for Scheduler host', VpcId=Ref(vpcid_param), Tags=Tags(Name=Join("", [Ref(stackname_param), "SchedulerSG"])), SecurityGroupIngress=[ ec2.SecurityGroupRule( IpProtocol="tcp", FromPort="22", ToPort="22", CidrIp="0.0.0.0/0", ), ec2.SecurityGroupRule( IpProtocol="tcp", FromPort="8080", ToPort="8080", CidrIp="0.0.0.0/0", ), ])) cluster = t.add_resource(ecs.Cluster("ECSCluster", )) scheduler_host = t.add_resource( ec2.Instance( 'SchedulerHost', ImageId=Ref(scheduler_ami_id_param), InstanceType='t2.micro', KeyName=Ref(keypair_param), IamInstanceProfile=Ref(iam_role_param), NetworkInterfaces=[ ec2.NetworkInterfaceProperty( AssociatePublicIpAddress=True, SubnetId=Select(0, Ref(subnets)), DeleteOnTermination=True, GroupSet=[ Ref(scheduler_sg), ], DeviceIndex=0, ), ], Tags=Tags(Name=Join("", [Ref(stackname_param), "Scheduler"]), Id=Join("", [Ref(stackname_param), "Scheduler"])), UserData=Base64( Join('', [ '#!/bin/bash\n', 'yum update -y aws-cfn-bootstrap\n', 'sns_topic_arn="', Ref(townclock_topic), '"\n', 'region="', Ref("AWS::Region"), '"\n', 'crontab_tablename="', Ref(crontab_tablename_param), '"\n', 'ecs_clustername="', Ref(cluster), '"\n', 'publish_source=https://raw.githubusercontent.com/hngkr/hackathon/master/ansible/files/unreliable-town-clock-publish\n', 'publish=/usr/local/bin/unreliable-town-clock-publish\n', 'curl -s --location --retry 10 -o $publish $publish_source\n', 'chmod +x $publish\n', 'cat <<EOF >/etc/cron.d/unreliable-town-clock\n', '*/2 * * * * ec2-user $publish "$sns_topic_arn" "$region" "$crontab_tablename" "$ecs_clustername"\n', 'EOF\n', ])), )) cluster_sg = t.add_resource( ec2.SecurityGroup( 'ClusterSG', GroupDescription='Security group for Cluster host', VpcId=Ref(vpcid_param), Tags=Tags(Name=Join("", [Ref(stackname_param), "ClusterSG"])), SecurityGroupIngress=[ ec2.SecurityGroupRule( IpProtocol="tcp", FromPort="22", ToPort="22", CidrIp="0.0.0.0/0", ), ])) cluster_host = t.add_resource( ec2.Instance( 'ClusterHost', ImageId=Ref(cluster_ami_id_param), InstanceType='t2.micro', KeyName=Ref(keypair_param), # TODO: Should have multiple separate iam roles for townclock / clusterhost IamInstanceProfile=Ref(iam_role_param), NetworkInterfaces=[ ec2.NetworkInterfaceProperty( AssociatePublicIpAddress=True, SubnetId=Select(0, Ref(subnets)), DeleteOnTermination=True, GroupSet=[ Ref(cluster_sg), ], DeviceIndex=0, ), ], Tags=Tags(Name=Join("", [Ref(stackname_param), "ClusterNode"]), Id=Join("", [Ref(stackname_param), "ClusterNode"])), UserData=Base64( Join('', [ '#!/bin/bash\n', 'mkdir /etc/ecs\n', 'cat <<EOF >/etc/ecs/ecs.config\n', 'ECS_CLUSTER=', Ref(cluster), '\n', 'EOF\n', ])), )) # --------- Expected DynamoDB Tables dirtylist_table = t.add_resource( dynamodb.Table( "DirtyList", AttributeDefinitions=[ dynamodb.AttributeDefinition(Ref(hashkeyname_param), "S"), ], KeySchema=[dynamodb.Key(Ref(hashkeyname_param), "HASH")], ProvisionedThroughput=dynamodb.ProvisionedThroughput(1, 1))) runlog_table = t.add_resource( dynamodb.Table( "RunLog", AttributeDefinitions=[ dynamodb.AttributeDefinition(Ref(hashkeyname_param), "S"), ], KeySchema=[dynamodb.Key(Ref(hashkeyname_param), "HASH")], ProvisionedThroughput=dynamodb.ProvisionedThroughput(1, 1))) # --------- Outputs t.add_output( [Output( "clusterid", Description="Cluster Id", Value=Ref(cluster), )]) t.add_output([ Output( "dirtylist", Description="DirtyList Tablename", Value=Ref(dirtylist_table), ) ]) t.add_output([ Output( "runlog", Description="Runlog Tablename", Value=Ref(runlog_table), ) ]) t.add_output([ Output( "lambdafunctionname", Description="Lambda Function Name", Value=Ref(lambda_function), ) ]) t.add_output([ Output( "clocktowertopicarn", Description="Clock Tower Topic Arn", Value=Ref(townclock_topic), ) ]) return t
def GenerateDockerRegistryLayer(): t = Template() t.add_description("""\ DockerRegistry Layer """) stackname_param = t.add_parameter( Parameter( "StackName", Description="Environment Name (default: test)", Type="String", Default="test", )) vpcid_param = t.add_parameter( Parameter( "VpcId", Type="String", Description="VpcId of your existing Virtual Private Cloud (VPC)", Default="vpc-fab00e9f")) subnets = t.add_parameter( Parameter( "Subnets", Type="CommaDelimitedList", Description=( "The list SubnetIds, for public subnets in the " "region and in your Virtual Private Cloud (VPC) - minimum one" ), Default="subnet-b68f3bef,subnet-9a6208ff,subnet-bfdd4fc8")) keypair_param = t.add_parameter( Parameter("KeyPair", Description="Name of an existing EC2 KeyPair to enable SSH " "access to the instance", Type="String", Default="glueteam")) registry_ami_id_param = t.add_parameter( Parameter("RegistryAmiId", Description="Registry server AMI ID", Type="String", Default="ami-a10897d6")) iam_role_param = t.add_parameter( Parameter( "IamRole", Description="IAM Role name", Type="String", )) s3bucket_param = t.add_parameter( Parameter( "BucketName", Description="S3 Bucket Name (default: )", Type="String", Default="", )) # --------- Docker registry registry_sg = t.add_resource( ec2.SecurityGroup( 'RegistrySG', GroupDescription='Security group for Registry host', VpcId=Ref(vpcid_param), Tags=Tags(Name=Join("", [Ref(stackname_param), "RegistrySG"])), SecurityGroupIngress=[ ec2.SecurityGroupRule( IpProtocol="tcp", FromPort="22", ToPort="22", CidrIp="0.0.0.0/0", ), ec2.SecurityGroupRule( IpProtocol="tcp", FromPort="80", ToPort="80", CidrIp="0.0.0.0/0", ), ])) registry_eip = t.add_resource(ec2.EIP( 'RegistryEIP', Domain='vpc', )) registry_eth0 = t.add_resource( ec2.NetworkInterface( "RegistryEth0", Description=Join("", [Ref(stackname_param), "Registry Eth0"]), GroupSet=[ Ref(registry_sg), ], SourceDestCheck=True, SubnetId=Select(0, Ref(subnets)), Tags=Tags( Name=Join("", [Ref(stackname_param), "Registry Interface 0"]), Interface="eth0", ))) registry_host = t.add_resource( ec2.Instance( 'RegistryHost', ImageId=Ref(registry_ami_id_param), InstanceType='t2.micro', KeyName=Ref(keypair_param), IamInstanceProfile=Ref(iam_role_param), NetworkInterfaces=[ ec2.NetworkInterfaceProperty( NetworkInterfaceId=Ref(registry_eth0), DeviceIndex="0", ), ], Tags=Tags(Name=Join("", [Ref(stackname_param), "Registry"]), Id=Join("", [Ref(stackname_param), "Registry"])), UserData=Base64( Join('', [ '#!/bin/bash\n', 'yum update -y aws-cfn-bootstrap\n', 'mkdir -p /root/build/redis /root/build/registry\n', 'touch /root/build/redis/Dockerfile\n', 'touch /root/build/redis/redis.conf\n', 'touch /root/build/registry/Dockerfile\n', ])), )) registry_eip_assoc = t.add_resource( ec2.EIPAssociation( "RegistryEIPAssoc", NetworkInterfaceId=Ref(registry_eth0), AllocationId=GetAtt("RegistryEIP", "AllocationId"), PrivateIpAddress=GetAtt("RegistryEth0", "PrimaryPrivateIpAddress"), )) return t
t.add_parameter( Parameter( "KeyPair", Description="Name of an existing EC2 KeyPair to SSH", Type="AWS::EC2::KeyPair::KeyName", ConstraintDescription="must be the name of an existing EC2 KeyPair.", )) t.add_resource( ec2.SecurityGroup( "SecurityGroup", GroupDescription="Allow SSH and TCP/{} access".format(ApplicationPort), SecurityGroupIngress=[ ec2.SecurityGroupRule( IpProtocol="tcp", FromPort="22", ToPort="22", CidrIp="0.0.0.0/0", ), ec2.SecurityGroupRule( IpProtocol="tcp", FromPort=ApplicationPort, ToPort=ApplicationPort, CidrIp="0.0.0.0/0", ), ], )) ud = Base64( Join('\n', [ "#!/bin/bash", "yum install --enablerepo=epel -y git", "pip install ansible", AnsiblePullCmd,
def create_rds_instance(self): rds_security_group_name = 'sgDatabaseServer' rds_security_group = self.add_resource( ec2.SecurityGroup( rds_security_group_name, GroupDescription='Enables access to database servers', VpcId=Ref(self.vpc_id), SecurityGroupIngress=[ ec2.SecurityGroupRule(IpProtocol='tcp', CidrIp=VPC_CIDR, FromPort=p, ToPort=p) for p in [POSTGRESQL] ], SecurityGroupEgress=[ ec2.SecurityGroupRule(IpProtocol='tcp', CidrIp=VPC_CIDR, FromPort=p, ToPort=p) for p in [POSTGRESQL] ], Tags=self.get_tags(Name=rds_security_group_name))) rds_subnet_group_name = 'dbsngDatabaseServer' rds_subnet_group = self.add_resource( rds.DBSubnetGroup(rds_subnet_group_name, DBSubnetGroupDescription= 'Private subnets for the RDS instances', SubnetIds=Ref(self.private_subnets), Tags=self.get_tags(Name=rds_subnet_group_name))) rds_parameter_group = self.add_resource( rds.DBParameterGroup( 'dbpgDatabaseServer', Family='postgres9.4', Description='Parameter group for the RDS instances', Parameters={'log_min_duration_statement': '500'})) rds_database_name = 'DatabaseServer' return self.add_resource( rds.DBInstance( rds_database_name, AllocatedStorage=128, AllowMajorVersionUpgrade=False, AutoMinorVersionUpgrade=True, BackupRetentionPeriod=30, DBInstanceClass=Ref(self.rds_instance_type), DBName=Ref(self.rds_db_name), DBParameterGroupName=Ref(rds_parameter_group), DBSubnetGroupName=Ref(rds_subnet_group), Engine='postgres', EngineVersion='9.4.1', MasterUsername=Ref(self.rds_username), MasterUserPassword=Ref(self.rds_password), MultiAZ=True, PreferredBackupWindow='04:00-04:30', # 12:00AM-12:30AM ET PreferredMaintenanceWindow= 'sun:04:30-sun:05:30', # SUN 12:30AM-01:30AM ET StorageType='gp2', VPCSecurityGroups=[Ref(rds_security_group)], Tags=self.get_tags(Name=rds_database_name)))