def sceptre_handler(sceptre_user_data): t = Template() vpc = t.add_resource(VPC( "VirtualPrivateCloud", CidrBlock=sceptre_user_data["cidr_block"], InstanceTenancy="default", EnableDnsSupport=True, EnableDnsHostnames=True, )) igw = t.add_resource(InternetGateway( "InternetGateway", )) t.add_resource(VPCGatewayAttachment( "IGWAttachment", VpcId=Ref(vpc), InternetGatewayId=Ref(igw), )) t.add_output(Output( "VpcId", Description="New VPC ID", Value=Ref(vpc) )) return t.to_json()
def create_igw(self): t = self.template t.add_resource(InternetGateway(self.igw_name)) t.add_resource( VPCGatewayAttachment(self.igw_attachment, VpcId=Ref(self.vpc_name), InternetGatewayId=Ref(self.igw_name)))
def vpc_igw_attachment(vpcigw_title, vpc_id=None, igwid=None): vpc_igw_attachment = VPCGatewayAttachment(title=vpcigw_title, InternetGatewayId=igwid, VpcId=vpc_id) return vpc_igw_attachment
def __add_internet_gateway(self): self.igw = self.template.add_resource( InternetGateway('InternetGateway', Tags=self.tags)) self.template.add_resource( VPCGatewayAttachment('AttachGateway', VpcId=Ref(self.vpc), InternetGatewayId=Ref(self.igw)))
def __create_public_subnet(template: Template, vpc) -> Subnet: public_subnet_cidr = template.add_parameter(parameter=Parameter( title='PublicSubnetCidr', Type='String', Default='192.168.1.0/24')) igw = template.add_resource(resource=InternetGateway(title='SampleIgw')) template.add_resource(resource=VPCGatewayAttachment( title='SampleAttachment', VpcId=Ref(vpc), InternetGatewayId=Ref(igw))) public_subnet = template.add_resource( resource=Subnet(title='SamplePublicSubnet', CidrBlock=Ref(public_subnet_cidr), MapPublicIpOnLaunch=True, VpcId=Ref(vpc))) public_route_table = template.add_resource( resource=RouteTable(title='SamplePublicRoteTable', VpcId=Ref(vpc))) template.add_resource(resource=SubnetRouteTableAssociation( title='SamplePublicRoteTableAssociation', RouteTableId=Ref(public_route_table), SubnetId=Ref(public_subnet))) template.add_resource(resource=Route(title='SamplePublicRoute', DestinationCidrBlock='0.0.0.0/0', GatewayId=Ref(igw), RouteTableId=Ref(public_route_table))) return public_subnet
def add_net_gw_vpc_attachment(self): self.net_gw_vpc_attachment = self.template.add_resource( VPCGatewayAttachment( "NatAttachment", VpcId=Ref(self.vpc), InternetGatewayId=Ref(self.internet_gateway), ))
def _create_vpc(self, cidr_block): self.vpc = VPC(camelcase("{self.env}Vpc".format(**locals())), CidrBlock=cidr_block, EnableDnsSupport=True, EnableDnsHostnames=True, InstanceTenancy='default', Tags=[{ 'Key': 'category', 'Value': 'services' }, { 'Key': 'environment', 'Value': self.env }, { 'Key': 'Name', 'Value': "{self.env}-vpc".format(**locals()) }]) self.template.add_resource(self.vpc) self.internet_gateway = InternetGateway( camelcase("{self.env}Ig".format(**locals())), Tags=[{ 'Key': 'Name', 'Value': "{self.env}-internet-gateway".format(**locals()) }, { 'Key': 'environment', 'Value': self.env }]) self.template.add_resource(self.internet_gateway) vpc_gateway_attachment = VPCGatewayAttachment( camelcase("{self.env}Attachment".format(**locals())), InternetGatewayId=Ref(self.internet_gateway), VpcId=Ref(self.vpc)) self.template.add_resource(vpc_gateway_attachment) return None
def attach_gateway(stack): """Add VPC Gateway attachment Resource.""" stack.stack.add_resource( VPCGatewayAttachment( 'GatewayAttachment', VpcId=Ref(stack.vpc), InternetGatewayId=Ref(stack.internet_gateway), ))
def add_attach_gateway(self): ''' Add an internet gateway attachment ''' self.cfn_template.add_resource( VPCGatewayAttachment(title=constants.ATTACH_GW, VpcId=Ref(constants.VPC), InternetGatewayId=Ref(constants.IGW))) return self.cfn_template
def __build_internet_gateway(self, vpc: VPC): internet_gateway = self.__template.add_resource( InternetGateway("InternetGateway", Tags=Tags(Name=Ref("AWS::StackName"), Stack=Ref("AWS::StackId")))) self.__template.add_resource( VPCGatewayAttachment("VPCGatewayAttachment", VpcId=Ref(vpc), InternetGatewayId=Ref(internet_gateway))) return internet_gateway
def add_vpc_core(template, vpc_cidr): """ Function to create the core resources of the VPC and add them to the core VPC template :param template: VPC Template() :param vpc_cidr: str of the VPC CIDR i.e. 192.168.0.0/24 :return: tuple() with the vpc and igw object """ vpc = VPCType( VPC_T, template=template, CidrBlock=vpc_cidr, EnableDnsHostnames=True, EnableDnsSupport=True, Tags=Tags( Name=If(USE_STACK_NAME_CON_T, Ref("AWS::StackName"), Ref(ROOT_STACK_NAME)), EnvironmentName=If(USE_STACK_NAME_CON_T, Ref("AWS::StackName"), Ref(ROOT_STACK_NAME)), ), Metadata=metadata, ) igw = InternetGateway(IGW_T, template=template) VPCGatewayAttachment( "VPCGatewayAttachement", template=template, InternetGatewayId=Ref(igw), VpcId=Ref(vpc), Metadata=metadata, ) dhcp_opts = DHCPOptions( "VpcDhcpOptions", template=template, DomainName=If( USE_STACK_NAME_CON_T, Sub(f"svc.${{AWS::StackName}}.${{{PRIVATE_DNS_ZONE_NAME.title}}} " f"${{AWS::StackName}}.${{{PRIVATE_DNS_ZONE_NAME.title}}}"), Sub(f"svc.${{{ROOT_STACK_NAME_T}}}.${{{PRIVATE_DNS_ZONE_NAME.title}}} " f"${{{ROOT_STACK_NAME_T}}}.${{{PRIVATE_DNS_ZONE_NAME.title}}}" ), ), DomainNameServers=["AmazonProvidedDNS"], Tags=Tags(Name=Sub(f"dhcp-${{{vpc.title}}}")), Metadata=metadata, ) VPCDHCPOptionsAssociation( "VpcDhcpOptionsAssociate", template=template, DhcpOptionsId=Ref(dhcp_opts), VpcId=Ref(vpc), Metadata=metadata, ) return (vpc, igw)
def __init__(self, title, template, *args, **kwargs): if 'Tags' not in kwargs: kwargs['Tags'] = Tags() super().__init__(title, template, *args, **kwargs) internet_gateway = InternetGateway('internetgateway', template, Tags=kwargs['Tags']) VPCGatewayAttachment('vpcgatewayattachment', template, InternetGatewayId=Ref(internet_gateway), VpcId=Ref(self))
def add_igw(self): t = self.template self.igw = t.add_resource(InternetGateway("InternetGateway", )) t.add_resource( VPCGatewayAttachment( "IGWAttachment", VpcId=Ref(self.vpc), InternetGatewayId=Ref(self.igw), ))
def create_vpc_template(): template = Template() vpc_cidr = template.add_parameter(parameter=Parameter( title='VpcCidr', Type='String', Default='192.168.0.0/16')) subnet_cidr_a = template.add_parameter(parameter=Parameter( title='SubnetCidr1', Type='String', Default='192.168.1.0/24')) subnet_cidr_b = template.add_parameter(parameter=Parameter( title='SubnetCidr2', Type='String', Default='192.168.2.0/24')) vpc = template.add_resource(resource=VPC( title='SampleVpc', CidrBlock=Ref(vpc_cidr), EnableDnsHostnames=True)) igw = template.add_resource(resource=InternetGateway(title='SampleIgw')) template.add_resource(resource=VPCGatewayAttachment( title='SampleAttachment', VpcId=Ref(vpc), InternetGatewayId=Ref(igw))) subnet_a = template.add_resource( resource=Subnet(title='SampleSubnetA', AvailabilityZone='us-east-1a', CidrBlock=Ref(subnet_cidr_a), MapPublicIpOnLaunch=True, VpcId=Ref(vpc))) subnet_b = template.add_resource( resource=Subnet(title='SampleSubnetB', AvailabilityZone='us-east-1b', CidrBlock=Ref(subnet_cidr_b), MapPublicIpOnLaunch=True, VpcId=Ref(vpc))) route_table = template.add_resource( resource=RouteTable(title='SampleRoteTable', VpcId=Ref(vpc))) template.add_resource(resource=SubnetRouteTableAssociation( title='SampleRoteTableAssociationA', RouteTableId=Ref(route_table), SubnetId=Ref(subnet_a))) template.add_resource(resource=SubnetRouteTableAssociation( title='SampleRoteTableAssociationB', RouteTableId=Ref(route_table), SubnetId=Ref(subnet_b))) template.add_resource(resource=Route(title='SampleRoute', DestinationCidrBlock='0.0.0.0/0', GatewayId=Ref(igw), RouteTableId=Ref(route_table))) with open('./vpc.yml', mode='w') as file: file.write(template.to_yaml())
def add_igw(self): t = self.template self.igw = t.add_resource( InternetGateway( 'internetGateway', Tags=self.DEFAULT_TAGS + [Tag('Name', self.sceptre_user_data['application'] + '-IGW')])) self.igw_attachment = t.add_resource( VPCGatewayAttachment('internetGatewayAttachment', VpcId=Ref(self.vpc), InternetGatewayId=Ref(self.igw))) return 0
def __build_internet_gateway(self, vpc: VPC): internet_gateway = self.__template.add_resource( InternetGateway( "InternetGateway", Tags=Tags(Name=TAGS_PREFIX + "IG", Stack=Ref("AWS::StackId")), Condition=self.__create_ig, )) self.__template.add_resource( VPCGatewayAttachment( "VPCGatewayAttachment", VpcId=Ref(vpc), InternetGatewayId=Ref(internet_gateway), Condition=self.__create_ig, )) return Ref(internet_gateway)
def _create_vpc(self): if self.vpc: self.tpl.add_output(Output(self.OUTPUT_VPC, Value=self.vpc)) self.tpl.add_output(Output(self.OUTPUT_SUBNETS, Value=','.join(self.subnets))) return vpc = VPC(self.RESOURCE_EKS_VPC.name, CidrBlock=self.vpc_cidr, Tags=Tags(Name=self.tag_name)) self.tpl.add_resource(vpc) gateway = self.tpl.add_resource(InternetGateway(self.RESOURCE_VPC_INTERNET_GATEWAY.name)) self.tpl.add_resource(VPCGatewayAttachment( self.RESOURCE_VPC_GATEWAY_ATTACHMENT.name, VpcId=Ref(vpc), InternetGatewayId=Ref(gateway), DependsOn=gateway, )) rt = self.tpl.add_resource(RouteTable( self.RESOURCE_VPC_ROUTE_TABLE.name, VpcId=Ref(vpc), DependsOn=gateway, Tags=Tags(Name='public subnet', Network='public'), )) self.tpl.add_resource(Route( self.RESOURCE_VPC_ROUTE.name, RouteTableId=Ref(rt), DestinationCidrBlock='0.0.0.0/0', GatewayId=Ref(gateway), )) self.resources.extend(deepcopy([self.RESOURCE_EKS_VPC, self.RESOURCE_VPC_INTERNET_GATEWAY, self.RESOURCE_VPC_GATEWAY_ATTACHMENT, self.RESOURCE_VPC_ROUTE_TABLE, self.RESOURCE_VPC_ROUTE])) subnets = [] vpc_network = IPNetwork(self.vpc_cidr) prefixlen = IPNetwork(self.vpc_cidr).prefixlen + (len(self.zones) - 1).bit_length() cidrs = list(vpc_network.subnet(prefixlen)) for i, zone in enumerate(self.zones): sname = self.RESOURCE_FORMAT_SUBNET.format(i + 1) staname = self.RESOURCE_FORMAT_SUBNET_RTA.format(i + 1) subnet = self.tpl.add_resource(Subnet( sname, AvailabilityZone=zone, VpcId=Ref(vpc), CidrBlock=str(cidrs[i].cidr), Tags=Tags(Name='{}-{}'.format(self.name, str(i + 1))) )) self.resources.append(Resource(sname, 'EKS VPC {}'.format(sname), Status.not_exist)) self.tpl.add_resource(SubnetRouteTableAssociation( staname, SubnetId=Ref(subnet), RouteTableId=Ref(rt) )) self.resources.append(Resource(staname, 'EKS VPC {}'.format(staname), Status.not_exist)) subnets.append(subnet) self.subnet_refs = [Ref(s) for s in subnets] self.tpl.add_output(Output(self.OUTPUT_VPC, Value=Ref(vpc))) self.tpl.add_output(Output(self.OUTPUT_SUBNETS, Value=Join(',', self.subnet_refs)))
def create_internet_gateway(self): """Create an internet gateway if it does not exist already""" if 'InternetGateway' not in self.network: tag = Tag(Key='Name', Value='{} Internet Gateway'.format(self.data['Name'])) self.network['InternetGateway'] = InternetGateway( title='{}InternetGateway'.format(self.data['Title']), template=self.data['Template'], Tags=[tag] + self.data['Tags']) tag = Tag(Key='Name', Value='{} VPC Gateway Attachment'.format( self.data['Name'])) self.network['VPCGatewayAttachment'] = VPCGatewayAttachment( title='{}VPCGatewayAttachment'.format(self.data['Title']), template=self.data['Template'], VpcId=Ref(self.network['VPC']), InternetGatewayId=Ref(self.network['InternetGateway']))
def _add_resources(self): self.vpc = VPC( "VirtualPrivateCloud", CidrBlock=Ref(self.parameters['CidrBlock']), InstanceTenancy="default", EnableDnsSupport=True, EnableDnsHostnames=True, Tags=Tags( Name=Ref(self.parameters['StackPrefix']) ), ) self.template.add_resource(self.vpc) self.igw = InternetGateway( "InternetGateway", ) self.template.add_resource(self.igw) self.igw_attachment = VPCGatewayAttachment( "IGWAttachment", VpcId=Ref(self.vpc), InternetGatewayId=Ref(self.igw), ) self.template.add_resource(self.igw_attachment)
def add_internet_gateway(self, name, routing_table_name, vpc_name): """ Create Internet Gateway :param name: Name to assign the gateway :param routing_table_name: Name of routing table :param vpc_name: Name of VPC """ self.template.add_resource(InternetGateway(name, )) self.template.add_resource( VPCGatewayAttachment('AttachGateway', VpcId=Ref(vpc_name), InternetGatewayId=Ref(name))) self.template.add_resource( Route( "{}IGRoute".format(vpc_name), DependsOn='AttachGateway', GatewayId=Ref(name), DestinationCidrBlock='0.0.0.0/0', RouteTableId=Ref(routing_table_name), ))
def __create_public_subnet(template: Template, vpc) -> Subnet: igw = template.add_resource(resource=InternetGateway(title='SampleIgw')) template.add_resource(resource=VPCGatewayAttachment( title='SampleAttachment', VpcId=Ref(vpc), InternetGatewayId=Ref(igw))) public_route_table = template.add_resource( resource=RouteTable(title='SamplePublicRoteTable', VpcId=Ref(vpc))) for suffix in ['A', 'B']: public_subnet_cidr = template.add_parameter( parameter=Parameter(title='PublicSubnetCidr' + suffix, Type='String', Default=__get_subnet_cidr())) public_subnet = template.add_resource( resource=Subnet(title='SamplePublicSubnet' + suffix, AvailabilityZone=Sub('${AWS::Region}' + suffix.lower()), CidrBlock=Ref(public_subnet_cidr), MapPublicIpOnLaunch=True, VpcId=Ref(vpc))) add_export(template, public_subnet.title + 'Id', Ref(public_subnet)) template.add_resource(resource=SubnetRouteTableAssociation( title='SamplePublicRoteTableAssociation' + suffix, RouteTableId=Ref(public_route_table), SubnetId=Ref(public_subnet))) template.add_resource(resource=Route(title='SamplePublicRoute', DestinationCidrBlock='0.0.0.0/0', GatewayId=Ref(igw), RouteTableId=Ref(public_route_table))) return public_subnet
VpcId=Ref(VPC), MapPublicIpOnLaunch=f.MapPublicIpOnLaunch, AvailabilityZone=Select(f.AvailabilityZone, GetAZs()), Tags=Tags(Name=environmentString + f.name, Stack=Ref("AWS::StackName")))) f.instance = subnet ############################# ADD GATEWAY AND ROLE ########################### internetGateway = template.add_resource( InternetGateway('InternetGateway', Tags=Tags(Name=environmentString + "Internet-Gateway", Stack=Ref("AWS::StackName")))) gatewayAttachment = template.add_resource( VPCGatewayAttachment('AttachGateway', VpcId=Ref(VPC), InternetGatewayId=Ref(internetGateway))) routeTable = template.add_resource( RouteTable('PublicRouteTable', VpcId=Ref(VPC), Tags=Tags(Name=environmentString + "Public-Routes", Stack=Ref("AWS::StackName")))) route = template.add_resource( Route( 'Route', DependsOn='AttachGateway', GatewayId=Ref('InternetGateway'), DestinationCidrBlock='0.0.0.0/0', RouteTableId=Ref(routeTable),
"VPC", CidrBlock = "10.0.0.0/24", EnableDnsHostnames = True, EnableDnsSupport = True, Tags = [ { "Key": "Name", "Value": Join("-", [ Ref(parameters[ "Project" ]), "vpc" ]) }, { "Key": "Project", "Value": Ref(parameters[ "Project" ]) }])) ### Internet Gateway ### resources[ "InternetGateway" ] = template.add_resource(InternetGateway( "InternetGateway", Tags = [ { "Key": "Name", "Value": Join("-", [ Ref(parameters[ "Project" ]), "igw" ]) }, { "Key": "Project", "Value": Ref(parameters[ "Project" ]) }])) resources[ "VPCGatewayAttachmentIGW" ] = template.add_resource(VPCGatewayAttachment( "VPCGatewayAttachmentIGW", DependsOn = [ resource for resource in [ "InternetGateway", "VPC" ] ], InternetGatewayId = Ref(resources[ "InternetGateway" ]), VpcId = Ref(resources[ "VPC" ] ))) ### Routing Tables ### resources[ "PrivateRouteTableA" ] = template.add_resource(RouteTable( "PrivateRouteTableA", DependsOn = [ resource for resource in [ "VPC" ] ], Tags = [ { "Key": "Name", "Value": Join("-", [ Ref(parameters[ "Project" ]), "prv", "a", "rt" ]) }, { "Key": "Project", "Value": Ref(parameters[ "Project" ]) }], VpcId = Ref(resources[ "VPC" ]))) resources[ "PrivateRouteTableB" ] = template.add_resource(RouteTable( "PrivateRouteTableB", DependsOn = [ resource for resource in [ "VPC" ] ],
"ToPort": Ref(RDSPort), "IpProtocol": "tcp", "CidrIp": Ref(VpcCIDR), "FromPort": Ref(RDSPort) }], GroupName=Sub("${EnvironmentName}_rds_internal_sg"), VpcId=Ref("VPC"), GroupDescription=Sub("${EnvironmentName} Internal Security Group"), Tags=Tags( Name=Sub("${EnvironmentName} RDS Internal Security Group"), ), )) IgwAttachment = template.add_resource( VPCGatewayAttachment( "IgwAttachment", VpcId=Ref("VPC"), InternetGatewayId=Ref(Igw), )) PrivateRoute1Table = template.add_resource( RouteTable( "PrivateRoute1Table", VpcId=Ref("VPC"), Tags=Tags(Name=Sub("${EnvironmentName} Private1 Route (AZ1)"), ), )) PrivateRoute1Default = template.add_resource( Route( "PrivateRoute1Default", DestinationCidrBlock="0.0.0.0/0", RouteTableId=Ref(PrivateRoute1Table),
CidrBlock="10.0.0.0/16", )) subnet = t.add_resource(Subnet( "Subnet", CidrBlock="10.0.0.0/24", VpcId=Ref("VPC"), )) internetgateway = t.add_resource(InternetGateway( "InternetGateway", )) gatewayattachment = t.add_resource(VPCGatewayAttachment( "GatewayAttachment", VpcId=Ref("VPC"), InternetGatewayId=Ref("InternetGateway"), )) securitygroupingress1 = SecurityGroupIngress( "SecurityGroupIngress1", CidrIp="10.0.0.0/16", FromPort="80", ToPort="80", IpProtocol="tcp", ) securitygroup = t.add_resource(SecurityGroup( "SecurityGroup", GroupDescription="Security Group", SecurityGroupIngress=[securitygroupingress1],
container_b_subnet_cidr, ) template = Template() vpc = template.add_resource(VPC( "Vpc", CidrBlock=vpc_cidr, )) internet_gateway = template.add_resource(InternetGateway("InternetGateway", )) template.add_resource( VPCGatewayAttachment( "GatewayAttachment", VpcId=Ref(vpc), InternetGatewayId=Ref(internet_gateway), )) public_route_table = template.add_resource( RouteTable( "PublicRouteTable", VpcId=Ref(vpc), )) public_route = template.add_resource( Route( "PublicRoute", GatewayId=Ref(internet_gateway), DestinationCidrBlock="0.0.0.0/0", RouteTableId=Ref(public_route_table),
template=template, CidrBlock="10.0.0.0/16", ) # Allow outgoing to outside VPC internet_gateway = InternetGateway( "InternetGateway", template=template, ) # Attach Gateway to VPC VPCGatewayAttachment( "GatewayAttachement", template=template, VpcId=Ref(vpc), InternetGatewayId=Ref(internet_gateway), ) # Public route table public_route_table = RouteTable( "PublicRouteTable", template=template, VpcId=Ref(vpc), ) public_route = Route( "PublicRoute", template=template,
def build_template(sierrafile): template = Template() template.add_version('2010-09-09') template.add_metadata(build_interface(sierrafile.extra_params)) parameters = AttrDict( # Network Parameters vpc_cidr=template.add_parameter(Parameter( 'VpcCidr', Type='String', Default='192.172.0.0/16', )), subnet1_cidr=template.add_parameter(Parameter( 'Subnet1Cidr', Type='String', Default='192.172.1.0/24', )), subnet2_cidr=template.add_parameter(Parameter( 'Subnet2Cidr', Type='String', Default='192.172.2.0/24', )), # ECS Parameters cluster_size=template.add_parameter(Parameter( 'ClusterSize', Type='Number', Default=2, )), instance_type=template.add_parameter(Parameter( 'InstanceType', Type='String', Default='t2.medium' )), key_name=template.add_parameter(Parameter( 'KeyName', Type='AWS::EC2::KeyPair::KeyName', )), image_id=template.add_parameter(Parameter( 'ImageId', Type='AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>', Default=( '/aws/service/ecs/optimized-ami' '/amazon-linux/recommended/image_id' ), Description=( 'An SSM parameter that resolves to a valid AMI ID.' ' This is the AMI that will be used to create ECS hosts.' ' The default is the current recommended ECS-optimized AMI.' ) )), # Other Parameters github_token=template.add_parameter(Parameter( 'GitHubToken', Type='String', NoEcho=True, )), ) # Environment Variable Parameters for env_var_param, env_var_name in sierrafile.extra_params: template.add_parameter(Parameter( env_var_param, Type='String', NoEcho=True, )) # Resource Declarations # # Network network_vpc = template.add_resource(VPC( 'NetworkVpc', CidrBlock=Ref(parameters.vpc_cidr), Tags=Tags(Name=Ref('AWS::StackName')), )) network_ig = template.add_resource(InternetGateway( 'NetworkInternetGateway', Tags=Tags(Name=Ref('AWS::StackName')), )) vpc_attach = template.add_resource(VPCGatewayAttachment( 'NetworkInternetGatewayAttachment', InternetGatewayId=Ref(network_ig), VpcId=Ref(network_vpc), )) route_table = template.add_resource(RouteTable( 'NetworkRouteTable', VpcId=Ref(network_vpc), Tags=Tags(Name=Ref('AWS::StackName')), )) template.add_resource(Route( 'NetworkDefaultRoute', DependsOn=[vpc_attach.title], RouteTableId=Ref(route_table), DestinationCidrBlock='0.0.0.0/0', GatewayId=Ref(network_ig), )) subnet1 = template.add_resource(Subnet( 'NetworkSubnet1', VpcId=Ref(network_vpc), AvailabilityZone=Select(0, GetAZs()), MapPublicIpOnLaunch=True, CidrBlock=Ref(parameters.subnet1_cidr), Tags=Tags(Name=Sub('${AWS::StackName} (Public)')), )) subnet2 = template.add_resource(Subnet( 'NetworkSubnet2', VpcId=Ref(network_vpc), AvailabilityZone=Select(1, GetAZs()), MapPublicIpOnLaunch=True, CidrBlock=Ref(parameters.subnet2_cidr), Tags=Tags(Name=Sub('${AWS::StackName} (Public)')), )) template.add_resource(SubnetRouteTableAssociation( 'NetworkSubnet1RouteTableAssociation', RouteTableId=Ref(route_table), SubnetId=Ref(subnet1), )) template.add_resource(SubnetRouteTableAssociation( 'NetworkSubnet2RouteTableAssociation', RouteTableId=Ref(route_table), SubnetId=Ref(subnet2), )) elb = template.add_resource(LoadBalancer( ELB_NAME, Name=Sub('${AWS::StackName}-elb'), Type='network', Subnets=[Ref(subnet1), Ref(subnet2)], )) # # Cluster ecs_host_role = template.add_resource(Role( 'EcsHostRole', AssumeRolePolicyDocument=PolicyDocument( Statement=[Statement( Effect=Allow, Principal=Principal('Service', 'ec2.amazonaws.com'), Action=[awacs.sts.AssumeRole] )], ), ManagedPolicyArns=[ 'arn:aws:iam::aws:policy/' 'service-role/AmazonEC2ContainerServiceforEC2Role' ] )) ecs_host_profile = template.add_resource(InstanceProfile( 'EcsHostInstanceProfile', Roles=[Ref(ecs_host_role)] )) ecs_host_sg = template.add_resource(SecurityGroup( 'EcsHostSecurityGroup', GroupDescription=Sub('${AWS::StackName}-hosts'), VpcId=Ref(network_vpc), SecurityGroupIngress=[SecurityGroupRule( CidrIp='0.0.0.0/0', IpProtocol='-1' )] )) cluster = template.add_resource(Cluster( 'EcsCluster', ClusterName=Ref('AWS::StackName') )) autoscaling_name = 'EcsHostAutoScalingGroup' launch_conf_name = 'EcsHostLaunchConfiguration' launch_conf = template.add_resource(LaunchConfiguration( launch_conf_name, ImageId=Ref(parameters.image_id), InstanceType=Ref(parameters.instance_type), IamInstanceProfile=Ref(ecs_host_profile), KeyName=Ref(parameters.key_name), SecurityGroups=[Ref(ecs_host_sg)], UserData=Base64(Sub( '#!/bin/bash\n' 'yum install -y aws-cfn-bootstrap\n' '/opt/aws/bin/cfn-init -v' ' --region ${AWS::Region}' ' --stack ${AWS::StackName}' f' --resource {launch_conf_name}\n' '/opt/aws/bin/cfn-signal -e $?' ' --region ${AWS::Region}' ' --stack ${AWS::StackName}' f' --resource {autoscaling_name}\n' )), Metadata={ 'AWS::CloudFormation::Init': { 'config': { 'commands': { '01_add_instance_to_cluster': { 'command': Sub( f'echo ECS_CLUSTER=${{{cluster.title}}}' f' > /etc/ecs/ecs.config' ), } }, 'files': { '/etc/cfn/cfn-hup.conf': { 'mode': 0o400, 'owner': 'root', 'group': 'root', 'content': Sub( '[main]\n' 'stack=${AWS::StackId}\n' 'region=${AWS::Region}\n' ), }, '/etc/cfn/hooks.d/cfn-auto-reloader.conf': { 'content': Sub( '[cfn-auto-reloader-hook]\n' 'triggers=post.update\n' 'path=Resources.ContainerInstances.Metadata' '.AWS::CloudFormation::Init\n' 'action=/opt/aws/bin/cfn-init -v' ' --region ${AWS::Region}' ' --stack ${AWS::StackName}' f' --resource {launch_conf_name}\n' ), }, }, 'services': { 'sysvinit': { 'cfn-hup': { 'enabled': True, 'ensureRunning': True, 'files': [ '/etc/cfn/cfn-hup.conf', '/etc/cfn/hooks.d/cfn-auto-reloader.conf' ] } } } } } } )) autoscaling_group = template.add_resource(AutoScalingGroup( autoscaling_name, VPCZoneIdentifier=[Ref(subnet1), Ref(subnet2)], LaunchConfigurationName=Ref(launch_conf), DesiredCapacity=Ref(parameters.cluster_size), MinSize=Ref(parameters.cluster_size), MaxSize=Ref(parameters.cluster_size), Tags=[{ 'Key': 'Name', 'Value': Sub('${AWS::StackName} - ECS Host'), 'PropagateAtLaunch': True, }], CreationPolicy=CreationPolicy( ResourceSignal=ResourceSignal(Timeout='PT15M'), ), UpdatePolicy=UpdatePolicy( AutoScalingRollingUpdate=AutoScalingRollingUpdate( MinInstancesInService=1, MaxBatchSize=1, PauseTime='PT5M', WaitOnResourceSignals=True, ), ), )) # # Services task_role = template.add_resource(Role( 'TaskExecutionRole', AssumeRolePolicyDocument=PolicyDocument( Statement=[Statement( Effect=Allow, Principal=Principal('Service', 'ecs-tasks.amazonaws.com'), Action=[awacs.sts.AssumeRole], )], ), ManagedPolicyArns=[ 'arn:aws:iam::aws:policy/' 'service-role/AmazonECSTaskExecutionRolePolicy' ], )) artifact_bucket = template.add_resource(Bucket( 'ArtifactBucket', DeletionPolicy='Retain', )) codebuild_role = template.add_resource(Role( 'CodeBuildServiceRole', Path='/', AssumeRolePolicyDocument=PolicyDocument( Version='2012-10-17', Statement=[ Statement( Effect=Allow, Principal=Principal( 'Service', 'codebuild.amazonaws.com' ), Action=[ awacs.sts.AssumeRole, ], ), ], ), Policies=[Policy( PolicyName='root', PolicyDocument=PolicyDocument( Version='2012-10-17', Statement=[ Statement( Resource=['*'], Effect=Allow, Action=[ awacs.ssm.GetParameters, ], ), Statement( Resource=['*'], Effect=Allow, Action=[ awacs.s3.GetObject, awacs.s3.PutObject, awacs.s3.GetObjectVersion, ], ), Statement( Resource=['*'], Effect=Allow, Action=[ awacs.logs.CreateLogGroup, awacs.logs.CreateLogStream, awacs.logs.PutLogEvents, ], ), ], ), )], )) codepipeline_role = template.add_resource(Role( 'CodePipelineServiceRole', Path='/', AssumeRolePolicyDocument=PolicyDocument( Version='2012-10-17', Statement=[ Statement( Effect=Allow, Principal=Principal( 'Service', 'codepipeline.amazonaws.com' ), Action=[ awacs.sts.AssumeRole, ], ), ], ), Policies=[Policy( PolicyName='root', PolicyDocument=PolicyDocument( Version='2012-10-17', Statement=[ Statement( Resource=[ Sub(f'${{{artifact_bucket.title}.Arn}}/*') ], Effect=Allow, Action=[ awacs.s3.GetBucketVersioning, awacs.s3.GetObject, awacs.s3.GetObjectVersion, awacs.s3.PutObject, ], ), Statement( Resource=['*'], Effect=Allow, Action=[ awacs.ecs.DescribeServices, awacs.ecs.DescribeTaskDefinition, awacs.ecs.DescribeTasks, awacs.ecs.ListTasks, awacs.ecs.RegisterTaskDefinition, awacs.ecs.UpdateService, awacs.codebuild.StartBuild, awacs.codebuild.BatchGetBuilds, awacs.iam.PassRole, ], ), ], ), )], )) log_group = template.add_resource(LogGroup( 'LogGroup', LogGroupName=Sub('/ecs/${AWS::StackName}'), )) if any(conf.pipeline.enable for conf in sierrafile.services.values()): project = template.add_resource(Project( 'CodeBuildProject', Name=Sub('${AWS::StackName}-build'), ServiceRole=Ref(codebuild_role), Artifacts=Artifacts(Type='CODEPIPELINE'), Source=Source(Type='CODEPIPELINE'), Environment=Environment( ComputeType='BUILD_GENERAL1_SMALL', Image='aws/codebuild/docker:17.09.0', Type='LINUX_CONTAINER', ), )) for name, settings in sierrafile.services.items(): task_definition = template.add_resource(TaskDefinition( f'{name}TaskDefinition', RequiresCompatibilities=['EC2'], Cpu=str(settings.container.cpu), Memory=str(settings.container.memory), NetworkMode='bridge', ExecutionRoleArn=Ref(task_role.title), ContainerDefinitions=[ ContainerDefinition( Name=f'{name}', Image=settings.container.image, Memory=str(settings.container.memory), Essential=True, PortMappings=[ PortMapping( ContainerPort=settings.container.port, Protocol='tcp', ), ], Environment=[ troposphere.ecs.Environment(Name=k, Value=v) for k, v in sierrafile.env_vars.items() if k in settings.get('environment', []) ], LogConfiguration=LogConfiguration( LogDriver='awslogs', Options={ 'awslogs-region': Ref('AWS::Region'), 'awslogs-group': Ref(log_group.title), 'awslogs-stream-prefix': Ref('AWS::StackName'), }, ), ), ], )) target_group = template.add_resource(TargetGroup( f'{name}TargetGroup', Port=settings.container.port, Protocol='TCP', VpcId=Ref(network_vpc), Tags=Tags(Name=Sub(f'${{AWS::StackName}}-{name}')), )) listener = template.add_resource(Listener( f'{name}ElbListener', LoadBalancerArn=Ref(elb), Port=settings.container.port, Protocol='TCP', DefaultActions=[ Action(TargetGroupArn=Ref(target_group), Type='forward') ], )) service = template.add_resource(Service( f'{name}Service', Cluster=Ref(cluster), ServiceName=f'{name}-service', DependsOn=[autoscaling_group.title, listener.title], DesiredCount=settings.container.count, TaskDefinition=Ref(task_definition), LaunchType='EC2', LoadBalancers=[ troposphere.ecs.LoadBalancer( ContainerName=f'{name}', ContainerPort=settings.container.port, TargetGroupArn=Ref(target_group), ), ], )) if settings.pipeline.enable: pipeline = template.add_resource(Pipeline( f'{name}Pipeline', RoleArn=GetAtt(codepipeline_role, 'Arn'), ArtifactStore=ArtifactStore( Type='S3', Location=Ref(artifact_bucket), ), Stages=[ Stages( Name='Source', Actions=[Actions( Name='Source', ActionTypeId=ActionTypeId( Category='Source', Owner='ThirdParty', Version='1', Provider='GitHub', ), OutputArtifacts=[ OutputArtifacts(Name=f'{name}Source'), ], RunOrder='1', Configuration={ 'Owner': settings.pipeline.user, 'Repo': settings.pipeline.repo, 'Branch': settings.pipeline.branch, 'OAuthToken': Ref(parameters.github_token), }, )], ), Stages( Name='Build', Actions=[Actions( Name='Build', ActionTypeId=ActionTypeId( Category='Build', Owner='AWS', Version='1', Provider='CodeBuild', ), InputArtifacts=[ InputArtifacts(Name=f'{name}Source'), ], OutputArtifacts=[ OutputArtifacts(Name=f'{name}Build'), ], RunOrder='1', Configuration={ 'ProjectName': Ref(project), }, )], ), Stages( Name='Deploy', Actions=[Actions( Name='Deploy', ActionTypeId=ActionTypeId( Category='Deploy', Owner='AWS', Version='1', Provider='ECS', ), InputArtifacts=[ InputArtifacts(Name=f'{name}Build') ], RunOrder='1', Configuration={ 'ClusterName': Ref(cluster), 'ServiceName': Ref(service), 'FileName': 'image.json', }, )], ), ], )) template.add_resource(Webhook( f'{name}CodePipelineWebhook', Name=Sub(f'${{AWS::StackName}}-{name}-webhook'), Authentication='GITHUB_HMAC', AuthenticationConfiguration=AuthenticationConfiguration( SecretToken=Ref(parameters.github_token), ), Filters=[FilterRule( JsonPath='$.ref', MatchEquals=f'refs/heads/{settings.pipeline.branch}' )], TargetAction='Source', TargetPipeline=Ref(pipeline), TargetPipelineVersion=1, RegisterWithThirdParty=True, )) return template
def build(ssh_keypair_name): template = Template() template.set_version("2010-09-09") keyname_param = template.add_parameter( Parameter( "KeyName", ConstraintDescription="must be the name of an existing EC2 KeyPair.", Description="Name of an existing EC2 KeyPair to enable SSH access to \ the instance", Type="AWS::EC2::KeyPair::KeyName", Default=ssh_keypair_name, ) ) sshlocation_param = template.add_parameter( Parameter( "SSHLocation", Description=" The IP address range that can be used to SSH to the EC2 \ instances", Type="String", MinLength="9", MaxLength="18", Default="0.0.0.0/0", AllowedPattern=r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})", ConstraintDescription=("must be a valid IP CIDR range of the form x.x.x.x/x."), ) ) instanceType_param = template.add_parameter( Parameter( "InstanceType", Type="String", Description="WebServer EC2 instance type", Default="t3a.small", AllowedValues=[ "t2.micro", "t2.small", "t2.medium", "t3a.small", "m3.medium", "m3.large", "m3.xlarge", "m3.2xlarge", "c3.large", "c3.xlarge", "c3.2xlarge", "c3.4xlarge", "c3.8xlarge", "g2.2xlarge", "r3.large", "r3.xlarge", "r3.2xlarge", "r3.4xlarge", "r3.8xlarge", "i2.xlarge", "i2.2xlarge", "i2.4xlarge", "i2.8xlarge", "hi1.4xlarge", "hs1.8xlarge", "cr1.8xlarge", "cc2.8xlarge", ], ConstraintDescription="must be a valid EC2 instance type.", ) ) template.add_mapping( "AWSRegion2AMI", { "us-east-1": {"image": "ami-0d915a031cabac0e0"}, "us-east-2": {"image": "ami-0b97435028ca44fcc"}, "us-west-1": {"image": "ami-068d0753a46192935"}, "us-west-2": {"image": "ami-0c457f229774da543"}, "eu-west-1": {"image": "ami-046c6a0123bf94619"}, "eu-west-2": {"image": "ami-0dbe8ba0cd21ea12b"}, "eu-west-3": {"image": "ami-041bf9180061ce7ea"}, "eu-central-1": {"image": "ami-0f8184e6f30cc0c33"}, "eu-north-1": {"image": "ami-08dd1b893371bcaac"}, "ap-south-1": {"image": "ami-0ff23052091536db2"}, "ap-southeast-1": {"image": "ami-0527e82bae7c51958"}, "ap-southeast-2": {"image": "ami-0bae8773e653a32ec"}, "ap-northeast-1": {"image": "ami-060741a96307668be"}, "ap-northeast-2": {"image": "ami-0d991ac4f545a6b34"}, "sa-east-1": {"image": "ami-076f350d5a5ec448d"}, "ca-central-1": {"image": "ami-0071deaa12b66d1bf"}, }, ) vpc = template.add_resource(VPC("VPC", CidrBlock="10.0.0.0/16")) subnet = template.add_resource(Subnet("Subnet", CidrBlock="10.0.0.0/24", VpcId=Ref(vpc))) internet_gateway = template.add_resource(InternetGateway("InternetGateway")) attach_gateway = template.add_resource( VPCGatewayAttachment("AttachGateway", VpcId=Ref(vpc), InternetGatewayId=Ref(internet_gateway)) ) route_table = template.add_resource(RouteTable("RouteTable", VpcId=Ref(vpc))) template.add_resource( Route( "Route", DependsOn=attach_gateway, GatewayId=Ref(internet_gateway), DestinationCidrBlock="0.0.0.0/0", RouteTableId=Ref(route_table), ) ) template.add_resource( SubnetRouteTableAssociation("SubnetRouteTableAssociation", SubnetId=Ref(subnet), RouteTableId=Ref(route_table),) ) network_acl = template.add_resource(NetworkAcl("NetworkAcl", VpcId=Ref(vpc),)) template.add_resource( NetworkAclEntry( "InboundHTTPNetworkAclEntry", NetworkAclId=Ref(network_acl), RuleNumber="100", Protocol="6", PortRange=PortRange(To="80", From="80"), Egress="false", RuleAction="allow", CidrBlock="0.0.0.0/0", ) ) template.add_resource( NetworkAclEntry( "InboundSSHNetworkAclEntry", NetworkAclId=Ref(network_acl), RuleNumber="101", Protocol="6", PortRange=PortRange(To="22", From="22"), Egress="false", RuleAction="allow", CidrBlock="0.0.0.0/0", ) ) template.add_resource( NetworkAclEntry( "InboundResponsePortsNetworkAclEntry", NetworkAclId=Ref(network_acl), RuleNumber="102", Protocol="6", PortRange=PortRange(To="65535", From="1024"), Egress="false", RuleAction="allow", CidrBlock="0.0.0.0/0", ) ) template.add_resource( NetworkAclEntry( "OutBoundHTTPNetworkAclEntry", NetworkAclId=Ref(network_acl), RuleNumber="100", Protocol="6", PortRange=PortRange(To="80", From="80"), Egress="true", RuleAction="allow", CidrBlock="0.0.0.0/0", ) ) template.add_resource( NetworkAclEntry( "OutBoundHTTPSNetworkAclEntry", NetworkAclId=Ref(network_acl), RuleNumber="101", Protocol="6", PortRange=PortRange(To="443", From="443"), Egress="true", RuleAction="allow", CidrBlock="0.0.0.0/0", ) ) template.add_resource( NetworkAclEntry( "OutBoundResponsePortsNetworkAclEntry", NetworkAclId=Ref(network_acl), RuleNumber="102", Protocol="6", PortRange=PortRange(To="65535", From="1024"), Egress="true", RuleAction="allow", CidrBlock="0.0.0.0/0", ) ) template.add_resource( SubnetNetworkAclAssociation("SubnetNetworkAclAssociation", SubnetId=Ref(subnet), NetworkAclId=Ref(network_acl),) ) instance_security_group = template.add_resource( SecurityGroup( "InstanceSecurityGroup", GroupDescription="Enable SSH access via port 22", SecurityGroupIngress=[ SecurityGroupRule(IpProtocol="tcp", FromPort="22", ToPort="22", CidrIp=Ref(sshlocation_param)), SecurityGroupRule(IpProtocol="tcp", FromPort="80", ToPort="80", CidrIp="0.0.0.0/0"), ], VpcId=Ref(vpc), ) ) server_instance = template.add_resource( Instance( "ServerInstance", ImageId=FindInMap("AWSRegion2AMI", Ref("AWS::Region"), "image"), InstanceType=Ref(instanceType_param), KeyName=Ref(keyname_param), NetworkInterfaces=[ NetworkInterfaceProperty( GroupSet=[Ref(instance_security_group)], AssociatePublicIpAddress="true", DeviceIndex="0", DeleteOnTermination="true", SubnetId=Ref(subnet), ) ], ) ) template.add_output([Output("ServerIP", Value=GetAtt(server_instance, "PublicIp"))]) return template
CidrBlock=VPC_NETWORK, InstanceTenancy="default", EnableDnsSupport=True, EnableDnsHostnames=False, Tags=Tags(Name=Ref("AWS::StackName")))) # internet gateway internetGateway = t.add_resource( InternetGateway( "InternetGateway", Tags=Tags(Name=Join("", [Ref("AWS::StackName"), "-gateway"]), ), )) gatewayAttachment = t.add_resource( VPCGatewayAttachment("InternetGatewayAttachment", InternetGatewayId=Ref(internetGateway), VpcId=Ref(vpc))) # public routing table publicRouteTable = t.add_resource( RouteTable( "PublicRouteTable", VpcId=Ref(vpc), Tags=Tags(Name=Join("-", [Ref("AWS::StackName"), "public-rt"]), ), )) privateRouteTable = t.add_resource( RouteTable( "PrivateRouteTable", VpcId=Ref(vpc), Tags=Tags(Name=Join("-", [Ref("AWS::StackName"), "private-rt"]), ),
# the template object t = Template() # create VPC vpc = VPC(config['name'] + 'Vpc') vpc.CidrBlock = config['vpc']['cidr_block'] vpc.EnableDnsSupport = True vpc.EnableDnsHostnames = True vpc.Tags = Tags(Name=config['vpc']['name']) t.add_resource(vpc) # internet gateway internet_gateway = InternetGateway('InternetGateway') t.add_resource(internet_gateway) gateway_attachment = VPCGatewayAttachment('GatewayAttachment') gateway_attachment.VpcId = Ref(vpc) gateway_attachment.InternetGatewayId = Ref('InternetGateway') t.add_resource(gateway_attachment) # route table route_table = RouteTable(config['name'] + 'RouteTable') route_table.VpcId = Ref(config['name'] + 'Vpc') route_table.Tags=Tags( Application = Ref('AWS::StackName'), Name = config['name'] + '-route-table' ) t.add_resource(route_table) # route to igw route_igw = Route(config['name'] + 'Igw')