def create_ec2_instance_profile_resource(template, ecs_cluster_role_resource): return template.add_resource( iam.InstanceProfile( 'EC2InstanceProfile', Roles=[Ref(ecs_cluster_role_resource)] ) )
def add_instance_profile_ecs(self, layer_name, iam_policies, path_prefix): """ Helper function to add role and instance profile resources to this template using the provided iam_policies. The instance_profile will be created at: '/<path_prefix>/<layer_name>/' """ iam_role_obj = iam.Role( layer_name + 'IAMRole', AssumeRolePolicyDocument={ 'Statement': [{ 'Effect': 'Allow', 'Principal': { 'Service': ['ec2.amazonaws.com', 'ecs.amazonaws.com'] }, 'Action': ['sts:AssumeRole'] }] }, Path=Join('', ['/' + path_prefix + '/', layer_name, '/'])) if iam_policies is not None: iam_role_obj.Policies = iam_policies iam_role = self.add_resource(iam_role_obj) return self.add_resource( iam.InstanceProfile(layer_name + 'InstancePolicy', Path='/' + path_prefix + '/', Roles=[Ref(iam_role)]))
def ssm_global(): template = Template() ssm_role = iam.Role( 'SsmRole', RoleName="SsmRole", ManagedPolicyArns=[ "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore", "arn:aws:iam::aws:policy/AmazonS3FullAccess", "arn:aws:iam::aws:policy/AmazonEC2FullAccess" ], AssumeRolePolicyDocument=PolicyDocument(Statement=[ Statement(Effect=Allow, Action=[Action("sts", "AssumeRole")], Principal=Principal("Service", "ec2.amazonaws.com")) ])) ssm_profile = iam.InstanceProfile('SsmProfile', Roles=[Ref(ssm_role)], InstanceProfileName="SsmProfile") template.add_resource(ssm_role) template.add_resource(ssm_profile) with open( os.path.dirname(os.path.realpath(__file__)) + '/ssm_global.yml', 'w') as cf_file: cf_file.write(template.to_yaml()) return template.to_yaml()
def add_iam_policy(self, policy): if not hasattr(self, 'policies'): self.policies = [] if not isinstance(policy, iam.Policy): raise RuntimeError('Policy must be a troposhere iam.Policy object') self.policies.append(policy) self.instance_role = iam.Role('{}InstanceRole'.format(self.name), AssumeRolePolicyDocument={ 'Statement': [{ 'Effect': 'Allow', 'Principal': { 'Service': ['ec2.amazonaws.com'] }, 'Action': ['sts:AssumeRole'] }] }, Path='/', Policies=self.policies) self.instance_profile = iam.InstanceProfile( '{}InstanceProfile'.format(self.name), Path='/', Roles=[Ref(self.instance_role)]) self.resources[self.instance_role.title] = self.instance_role self.resources[self.instance_profile.title] = self.instance_profile
def create_instance_profile(self, layer_name, iam_policies=None): ''' Helper method creates an IAM Role and Instance Profile for the optoinally specified IAM policies @param layer_name [string] friendly name for the Role and Instance Profile used for naming and path organization @param iam_policies [Troposphere.iam.Policy[]] array of IAM Policies to be associated with the Role and Instance Profile created ''' iam_role_obj = iam.Role( layer_name + 'IAMRole', AssumeRolePolicyDocument={ 'Statement': [{ 'Effect': 'Allow', 'Principal': { 'Service': ['ec2.amazonaws.com'] }, 'Action': ['sts:AssumeRole'] }] }, Path=Join('', [ '/' + self.globals.get('environment_name', 'environmentbase') + '/', layer_name, '/' ])) if iam_policies != None: iam_role_obj.Policies = iam_policies iam_role = self.template.add_resource(iam_role_obj) return self.template.add_resource( iam.InstanceProfile( layer_name + 'InstancePolicy', Path='/' + self.globals.get('environment_name', 'environmentbase') + '/', Roles=[Ref(iam_role)]))
def add_role(self): self.Ec2Role = self.template.add_resource( iam.Role("Ec2Role", RoleName="ec2-role", Policies=[ iam.Policy( PolicyName="ec2-policy", PolicyDocument={ "Version": "2012-10-17", "Statement": [{ "Action": [ "ec2:DescribeInstances", "elasticloadbalancing:Describe*", "cloudwatch:ListMetrics", "cloudwatch:GetMetricStatistics", "cloudwatch:Describe*", "cloudwatch:PutMetricData", "autoscaling:Describe*" ], "Effect": "Allow", "Resource": ["*"] }, { "Sid": "Stmt1456922473000", "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogStreams" ], "Resource": ["arn:aws:logs:*:*:*"] }] }, ) ], AssumeRolePolicyDocument={ "Version": "2008-10-17", "Statement": [{ "Action": ["sts:AssumeRole"], "Effect": "Allow", "Principal": { "Service": ["ec2.amazonaws.com"] } }] })) self.inst_profile = self.template.add_resource( iam.InstanceProfile("InstanceProfile", Roles=[Ref(self.Ec2Role)]))
def add_instance_profile(self, stack_name, template, provision_refs): role = template.add_resource( iam.Role( "Role", RoleName=f'{stack_name}-role', Policies=[ iam.Policy( PolicyName=f'{stack_name}-s3-policy', PolicyDocument={ "Version": "2012-10-17", "Statement": [{ "Sid": "Troposphere0", "Effect": "Allow", "Action": [ "s3:PutAccountPublicAccessBlock", "s3:GetAccountPublicAccessBlock", "s3:ListAllMyBuckets", "s3:HeadBucket" ], "Resource": "*" }, { "Sid": "Troposphere1", "Effect": "Allow", "Action": "s3:*", "Resource": [ "arn:aws:s3:::shipchain-network-dist", f"arn:aws:s3:::shipchain-network-dist/jumpstart/{stack_name}/*" ] }] }) ], AssumeRolePolicyDocument={ "Version": "2008-10-17", "Statement": [{ "Action": ["sts:AssumeRole"], "Effect": "Allow", "Principal": { "Service": ["ec2.amazonaws.com"] } }] })) provision_refs.instance_profile = template.add_resource( iam.InstanceProfile("InstanceProfile", Roles=[Ref(role)]))
def _build_template(self, template): t = super(EC2Profile, self)._build_template(template) role = t.resources[self.name] instance_profile = t.add_resource( iam.InstanceProfile("{}EC2Profile".format(self.name), Path="/", Roles=[Ref(role)])) t.add_output([ Output('{}InstanceProfile'.format(self.name), Value=Ref(instance_profile)) ])
def create_role(self, name, assumerole_policy): t = self.template v = self.get_variables() role_kwargs = { 'AssumeRolePolicyDocument': assumerole_policy, } attached_policies = v['AttachedPolicies'] if attached_policies: role_kwargs['ManagedPolicyArns'] = attached_policies path = v['Path'] if path: role_kwargs['Path'] = path role = t.add_resource(iam.Role(name, **role_kwargs)) t.add_output(Output(name + "RoleName", Value=Ref(role))) t.add_output(Output(name + "RoleArn", Value=GetAtt(role.title, "Arn"))) if v['InstanceProfile']: profile_kwargs = { 'Roles': [ Ref(role), ], } if path: profile_kwargs['Path'] = path instance_profile = t.add_resource( iam.InstanceProfile(name + 'InstanceProfile', **profile_kwargs)) t.add_output( Output("InstanceProfileName", Value=Ref(instance_profile))) t.add_output( Output("InstanceProfileArn", Value=GetAtt(instance_profile.title, "Arn"))) self.roles.append(role) return role
def add_iam_role(self): self.iam_role = self.template.add_resource( iam.Role("iamRole", Path="/", AssumeRolePolicyDocument={ "Statement": [{ "Effect": "Allow", "Principal": { "Service": ["ec2.amazonaws.com"] }, "Action": ["sts:AssumeRole"] }] }, Policies=[ iam.Policy(PolicyName="Ec2Access", PolicyDocument={ "Statement": [{ "Effect": "Allow", "Action": ["ec2:DescribeInstances"], "Resource": "*" }], }), iam.Policy( PolicyName="DynamoDB", PolicyDocument={ "Statement": [{ "Effect": "Allow", "Action": "dynamodb:*", "Resource": "arn:aws:dynamodb:" + self.region + ":" + self.account_id + ":table/terminateDB" }] }) ])) self.cfninstanceprofile = self.template.add_resource( iam.InstanceProfile("InstanceProfile", Roles=[Ref(self.iam_role)]))
def __init__(self, parameters, groups, roles): super(Users, self).__init__() self.DanielPilch = iam.User( "DanielPilch", Path="/", LoginProfile=iam.LoginProfile(Password=Ref( parameters.DefaultPassword.title), PasswordResetRequired=True), ) self.CIUser = iam.User("CIUser", ) # User to group memberships self.AWSEngineersMembership = iam.UserToGroupAddition( "AWSEngineersMembership", GroupName=Ref(groups.AWSEngineers), Users=[ Ref(self.DanielPilch), ], ) self.CIDeploymentMembership = iam.UserToGroupAddition( "CIDeploymentMembership", GroupName=Ref(groups.CIDeploymentServices), Users=[ Ref(self.CIUser), ], ) # EC2 Baseline Instance Profile self.EC2BaselineProfile = iam.InstanceProfile( "EC2BaselineProfile", Path="/", Roles=[Ref(roles.EC2Baseline)], InstanceProfileName="EC2BaselineProfile")
def add_profile(self, access_to): InstancePolicy1 = iam.Policy( "InstancePolicy1", PolicyName="InstancePolicy1", PolicyDocument={ "Version": "2012-10-17", "Statement": [ { "Action": [access_to], "Resource": ["*"], "Effect": "Allow", } ], }, ) role = iam.Role( "InstanceRole1", AssumeRolePolicyDocument={ "Version": "2012-10-17", "Statement": [ { "Action": "sts:AssumeRole", "Principal": {"Service": "ec2.amazonaws.com"}, "Effect": "Allow", } ], }, Policies=[InstancePolicy1], ) profile = iam.InstanceProfile( "InstanceProfile1", Roles=[Ref(role)], InstanceProfileName="someString", ) self.t.add_resource(role) self.t.add_resource(profile)
iam.Role( "TaskRole", AssumeRolePolicyDocument={ 'Statement': [{ 'Effect': 'Allow', 'Principal': { 'Service': ['ecs-tasks.amazonaws.com'] }, 'Action': ["sts:AssumeRole"] }] }, )) # Create Instance Profile InstanceProfile = t.add_resource( iam.InstanceProfile("InstanceProfile", Roles=[Ref(InstanceRole)])) # Create the Policies and associate them with the above roles # Policy to read/write to the ECR Repository ECRAccessPolicy = t.add_resource( iam.PolicyType( "ECRAccessPolicy", PolicyName="shibboleth-ecr", PolicyDocument={ 'Version': '2012-10-17', 'Statement': [ { 'Action': ['ecr:GetAuthorizationToken'], 'Resource': ['*'], 'Effect': 'Allow'
), awacs.aws.Statement( Effect=awacs.aws.Allow, Action=[ awacs.aws.Action('autoscaling', 'Describe*'), awacs.aws.Action('elasticloadbalancing', 'Describe*'), ], Resource=['*'], ), ], ), Roles=[Ref(ROLE)], )) INSTANCE_PROFILE = TEMPLATE.add_resource( iam.InstanceProfile( 'InstanceProfile', Roles=[Ref(ROLE)], )) INSTANCE_TYPE = TEMPLATE.add_parameter( Parameter( 'InstanceType', Type=STRING, Default=M4_LARGE, AllowedValues=[ M4_LARGE, M4_XLARGE, M4_2XLARGE, M4_4XLARGE, M4_10XLARGE ], )) KEY_NAME = TEMPLATE.add_parameter(Parameter( 'KeyName', Type=KEY_PAIR_NAME,
), ] ) logs_writer_policy = iam.Policy( 'LogsWriterPolicy', PolicyName='LogsWriterPolicy', PolicyDocument=logs_writer_policy_doc ) our_only_role = stack.add_resource(iam.Role('OurOnlyRole', AssumeRolePolicyDocument=trust.get_default_assumerole_policy(), Policies=[logs_writer_policy], )) instance_profile = stack.add_resource(iam.InstanceProfile( 'OurOnlyInstanceProfile', Roles=[Ref(our_only_role)], )) default_instance_sg = stack.add_resource(ec2.SecurityGroup( 'DefaultInstanceSG', GroupDescription='Default group for instances to be in', SecurityGroupIngress=[ ec2.SecurityGroupRule( IpProtocol='6', CidrIp='172.31.22.10/32', ToPort=22, FromPort=22, ) ] ))
def attach(self): """Attached an IAM Role, IAM Policy, and EC2 Instance Profile to a CloudFormation template and returns the template." """ self.template.add_resource( iam.Role( 'RoleResource', AssumeRolePolicyDocument={ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": { "Service": ["ec2.amazonaws.com", "opsworks.amazonaws.com"] }, "Action": ["sts:AssumeRole"] }] }, ManagedPolicyArns=[ "arn:aws:iam::aws:policy/AmazonS3FullAccess", ], Path="/")) # Inline policy for the given role defined in the Roles attribute. self.template.add_resource( iam.PolicyType( 'LogPolicyResource', PolicyName=Ref(self.template.parameters['LogPolicyName']), PolicyDocument={ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Resource": ["*"], "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogStreams" ] }] }, Roles=[Ref(self.template.resources['RoleResource'])])) # Inline policy for the given role defined in the Roles attribute. self.template.add_resource( iam.PolicyType( 'DefaultPolicyResource', PolicyName='DefaultPolicyName', PolicyDocument={ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Resource": ["*"], "Action": ["cloudformation:*"] }] }, Roles=[Ref(self.template.resources['RoleResource'])])) self.template.add_resource( iam.InstanceProfile( 'InstanceProfileResource', Path="/", Roles=[Ref(self.template.resources['RoleResource'])])) self.template.add_resource( LogGroup('LogGroupResource', RetentionInDays=Ref( self.template.parameters['LogRetentionDays']), DeletionPolicy='Delete')) self.template.add_output( Output("LogGroupName", Description="LogGroupName (Physical ID)", Value=Ref(self.template.resources['LogGroupResource']))) return self.template
Action=[Action('lambda', 'InvokeFunction')], Resource=[ 'arn:aws:lambda:eu-west-1:*:function:delete_cfn_stack' ]), ] }), ], # ManagedPolicyArns=[ # 'arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforEC2Role' # ] )) emr_instance_profile = template.add_resource( iam.InstanceProfile( 'EMRInstanceProfile', InstanceProfileName='GenericEMRInstanceProfile', Roles=[Ref(emr_job_flow_role)], )) # Output template.add_output([ Output('EMRServiceRole', Value=Ref(emr_service_role), Description='Service role needed by EMR'), Output('EMRInstanceProfile', Value=Ref(emr_instance_profile), Description='Instance profile for nodes in EMR cluster'), Output('EMRJobFlowRole', Value=Ref(emr_job_flow_role), Description='Job Flow role needed by EMR'), Output('EMRInstanceProfileArn',
"EMRJobFlowRole", AssumeRolePolicyDocument={ "Statement": [{ "Effect": "Allow", "Principal": { "Service": ["ec2.amazonaws.com"] }, "Action": ["sts:AssumeRole"] }] }, ManagedPolicyArns=[ 'arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforEC2Role' ])) emr_instance_profile = template.add_resource( iam.InstanceProfile("EMRInstanceProfile", Roles=[Ref(emr_job_flow_role)])) # EMR Cluster Resource cluster = template.add_resource( emr.Cluster("EMRSampleCluster", Name="EMR Sample Cluster", ReleaseLabel='emr-4.4.0', BootstrapActions=[ emr.BootstrapActionConfig( Name='Dummy bootstrap action', ScriptBootstrapAction=emr.ScriptBootstrapActionConfig( Path='/bin/sh', Args=['echo', 'Hello World'])) ], Configurations=[ emr.Configuration(Classification="core-site",
def main(): t = Template("A template to create a load balanced autoscaled Web flask deployment using ansible.") addMapping(t) ### VPC CONFIGURATION ### vpc = ec2.VPC( "MainVPC", CidrBlock="10.1.0.0/16" ) t.add_resource(vpc) vpc_id = Ref(vpc) subnet_1 = ec2.Subnet( "WebAppSubnet1", t, AvailabilityZone="us-east-1a", CidrBlock="10.1.0.0/24", MapPublicIpOnLaunch=True, VpcId=vpc_id, ) subnet_1_id = Ref(subnet_1) subnet_2 = ec2.Subnet( "WebAppSubnet2", t, AvailabilityZone="us-east-1b", CidrBlock="10.1.1.0/24", MapPublicIpOnLaunch=True, VpcId=vpc_id, ) subnet_2_id = Ref(subnet_2) ### NETWORKING ### igw = ec2.InternetGateway("internetGateway", t) gateway_to_internet = ec2.VPCGatewayAttachment( "GatewayToInternet", t, VpcId=vpc_id, InternetGatewayId=Ref(igw) ) route_table = ec2.RouteTable( "subnetRouteTable", t, VpcId=vpc_id ) route_table_id = Ref(route_table) internet_route = ec2.Route( "routeToInternet", t, DependsOn=gateway_to_internet, DestinationCidrBlock="0.0.0.0/0", GatewayId=Ref(igw), RouteTableId=route_table_id ) subnet_1_route_assoc = ec2.SubnetRouteTableAssociation( "Subnet1RouteAssociation", t, RouteTableId=route_table_id, SubnetId=Ref(subnet_1) ) subnet_2_route_assoc = ec2.SubnetRouteTableAssociation( "Subnet2RouteAssociation", t, RouteTableId=route_table_id, SubnetId=Ref(subnet_2) ) http_ingress = { "CidrIp": "0.0.0.0/0", "Description": "Allow HTTP traffic in from internet.", "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, } ssh_ingress = { "CidrIp": "0.0.0.0/0", "Description": "Allow SSH traffic in from internet.", "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, } elb_sg = ec2.SecurityGroup( "elbSecurityGroup", t, GroupName="WebGroup", GroupDescription="Allow web traffic in from internet to ELB", VpcId=vpc_id, SecurityGroupIngress=[ http_ingress ]) ssh_sg = ec2.SecurityGroup( "sshSecurityGroup", t, GroupName="SSHGroup", GroupDescription="Allow SSH traffic in from internet", VpcId=vpc_id, SecurityGroupIngress=[ ssh_ingress ] ) elb_sg_id = Ref(elb_sg) ssh_sg_id = Ref(ssh_sg) autoscale_ingress = { "SourceSecurityGroupId": elb_sg_id, "Description": "Allow web traffic in from ELB", "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80 } autoscale_sg = ec2.SecurityGroup( "WebAutoscaleSG", t, GroupName="AutoscaleGroup", GroupDescription="Allow web traffic in from elb on port 80", VpcId=vpc_id, SecurityGroupIngress=[ autoscale_ingress ] ) autoscale_sg_id = Ref(autoscale_sg) # BUCKETS app_bucket = s3.Bucket( "CodeDeployApplicationBucket", t, ) ### LOAD BALANCING ### Web_elb = elb.LoadBalancer( "WebElb", t, Name="WebElb", # TODO: Fix for name conflict Subnets=[subnet_1_id, subnet_2_id], SecurityGroups=[elb_sg_id] ) Web_target_group = elb.TargetGroup( "WebTargetGroup", t, DependsOn=Web_elb, HealthCheckPath="/health", HealthCheckPort=80, HealthCheckProtocol="HTTP", Matcher=elb.Matcher(HttpCode="200"), Name="NginxTargetGroup", Port=80, Protocol="HTTP", VpcId=vpc_id ) Web_listener = elb.Listener( "WebListener", t, LoadBalancerArn=Ref(Web_elb), DefaultActions=[ elb.Action("forwardAction", TargetGroupArn=Ref(Web_target_group), Type="forward" ) ], Port=80, Protocol="HTTP" ) ### AUTOSCALING ### # Everything after sudo -u ubuntu is one command # The sudo command is required to properly set file permissions when # running the ansible script as it assumes running from non root user lc_user_data = Base64(Join("\n", [ "#!/bin/bash", "apt-add-repository -y ppa:ansible/ansible", "apt-get update && sudo apt-get -y upgrade", "apt-get -y install git", "apt-get -y install ansible", "cd /home/ubuntu/", "sudo -H -u ubuntu bash -c '" "export LC_ALL=C.UTF-8 && " "export LANG=C.UTF-8 && " "ansible-pull -U https://github.com/DameonSmith/aws-meetup-ansible.git --extra-vars \"user=ubuntu\"'" ])) web_instance_role = iam.Role( "webInstanceCodeDeployRole", t, AssumeRolePolicyDocument={ 'Statement': [{ 'Effect': 'Allow', 'Principal': { 'Service': 'ec2.amazonaws.com' }, 'Action': 'sts:AssumeRole' }] }, Policies=[ iam.Policy( PolicyName="CodeDeployS3Policy", PolicyDocument=aws.Policy( Version='2012-10-17', Statement=[ aws.Statement( Sid='CodeDeployS3', Effect=aws.Allow, Action=[ aws_s3.PutObject, aws_s3.GetObject, aws_s3.GetObjectVersion, aws_s3.DeleteObject, aws_s3.ListObjects, aws_s3.ListBucket, aws_s3.ListBucketVersions, aws_s3.ListAllMyBuckets, aws_s3.ListMultipartUploadParts, aws_s3.ListBucketMultipartUploads, aws_s3.ListBucketByTags, ], Resource=[ GetAtt(app_bucket, 'Arn'), Join('', [ GetAtt(app_bucket, 'Arn'), '/*', ]), "arn:aws:s3:::aws-codedeploy-us-east-2/*", "arn:aws:s3:::aws-codedeploy-us-east-1/*", "arn:aws:s3:::aws-codedeploy-us-west-1/*", "arn:aws:s3:::aws-codedeploy-us-west-2/*", "arn:aws:s3:::aws-codedeploy-ca-central-1/*", "arn:aws:s3:::aws-codedeploy-eu-west-1/*", "arn:aws:s3:::aws-codedeploy-eu-west-2/*", "arn:aws:s3:::aws-codedeploy-eu-west-3/*", "arn:aws:s3:::aws-codedeploy-eu-central-1/*", "arn:aws:s3:::aws-codedeploy-ap-northeast-1/*", "arn:aws:s3:::aws-codedeploy-ap-northeast-2/*", "arn:aws:s3:::aws-codedeploy-ap-southeast-1/*", "arn:aws:s3:::aws-codedeploy-ap-southeast-2/*", "arn:aws:s3:::aws-codedeploy-ap-south-1/*", "arn:aws:s3:::aws-codedeploy-sa-east-1/*", ] ) ] ) ) ] ) web_instance_profile = iam.InstanceProfile( "webInstanceProfile", t, Path='/', Roles=[Ref(web_instance_role)], ) Web_launch_config = autoscaling.LaunchConfiguration( "webLaunchConfig", t, ImageId=FindInMap("RegionMap", Ref("AWS::Region"), "AMI"), # TODO: Remove magic string SecurityGroups=[ssh_sg_id, autoscale_sg_id], IamInstanceProfile=Ref(web_instance_profile), InstanceType="t2.micro", BlockDeviceMappings= [{ "DeviceName": "/dev/sdk", "Ebs": {"VolumeSize": "10"} }], UserData= lc_user_data, KeyName="advanced-cfn", ) Web_autoscaler = autoscaling.AutoScalingGroup( "WebAutoScaler", t, LaunchConfigurationName=Ref(Web_launch_config), MinSize="2", # TODO: Change to parameter MaxSize="2", VPCZoneIdentifier=[subnet_2_id, subnet_1_id], TargetGroupARNs= [Ref(Web_target_group)] ) t.add_output([ Output( "ALBDNS", Description="The DNS name for the application load balancer.", Value=GetAtt(Web_elb, "DNSName") ) ]) # DEVTOOLS CONFIG codebuild_service_role = iam.Role( "CMSCodeBuildServiceRole", t, AssumeRolePolicyDocument={ 'Statement': [{ 'Effect': 'Allow', 'Principal': { 'Service': ['codebuild.amazonaws.com'] }, 'Action': ['sts:AssumeRole'] }] }, Policies=[ iam.Policy( PolicyName="CloudWatchLogsPolicy", PolicyDocument=aws.Policy( Version="2012-10-17", Statement=[ aws.Statement( Sid='logs', Effect=aws.Allow, Action=[ aws_logs.CreateLogGroup, aws_logs.CreateLogStream, aws_logs.PutLogEvents ], Resource=['*'] ) ] ) ), iam.Policy( PolicyName="s3AccessPolicy", PolicyDocument=aws.Policy( Version="2012-10-17", Statement=[ aws.Statement( Sid='codebuilder', Effect=aws.Allow, Action=[ aws_s3.PutObject, aws_s3.GetObject, aws_s3.GetObjectVersion, aws_s3.DeleteObject ], Resource=[ GetAtt(app_bucket, 'Arn'), Join('', [ GetAtt(app_bucket, 'Arn'), '/*', ]) ] ) ] ) ) ] ) github_repo = Parameter( "GithubRepoLink", Description="Name of the repository you wish to connect to codebuild.", Type="String" ) artifact_key = Parameter( "ArtifactKey", Description="The key for the artifact that codebuild creates.", Type="String" ) t.add_parameter(github_repo) t.add_parameter(artifact_key) cms_code_build_project = codebuild.Project( "CMSBuild", t, Name="CMS-Build", Artifacts=codebuild.Artifacts( Location=Ref(app_bucket), Name=Ref(artifact_key), NamespaceType="BUILD_ID", Type="S3", Packaging="ZIP" ), Description="Code build for CMS", Environment=codebuild.Environment( ComputeType="BUILD_GENERAL1_SMALL", Image="aws/codebuild/python:3.6.5", Type="LINUX_CONTAINER", ), ServiceRole=GetAtt(codebuild_service_role, 'Arn'), Source=codebuild.Source( "CMSSourceCode", Auth=codebuild.SourceAuth( "GitHubAuth", Type="OAUTH" ), Location=Ref(github_repo), Type="GITHUB" ), Triggers=codebuild.ProjectTriggers( Webhook=True ) ) codedeploy_service_role = iam.Role( "CMSDeploymentGroupServiceRole", t, AssumeRolePolicyDocument={ 'Statement': [{ 'Effect': 'Allow', 'Principal': { 'Service': ['codedeploy.amazonaws.com'] }, 'Action': ['sts:AssumeRole'] }] }, Policies=[ iam.Policy( PolicyName="CloudWatchLogsPolicy", PolicyDocument=aws.Policy( Version="2012-10-17", Statement=[ aws.Statement( Sid='logs', Effect=aws.Allow, Action=[ aws_logs.CreateLogGroup, aws_logs.CreateLogStream, aws_logs.PutLogEvents ], Resource=['*'] ) ] ) ), iam.Policy( PolicyName="s3AccessPolicy", PolicyDocument=aws.Policy( Version="2012-10-17", Statement=[ aws.Statement( Sid='codebuilder', Effect=aws.Allow, Action=[ aws_s3.PutObject, aws_s3.GetObject, aws_s3.GetObjectVersion, aws_s3.DeleteObject ], Resource=[ GetAtt(app_bucket, 'Arn'), Join('', [ GetAtt(app_bucket, 'Arn'), '/*' ]) ] ) ] ) ), iam.Policy( PolicyName="autoscalingAccess", PolicyDocument=aws.Policy( Version="2012-10-17", Statement=[ aws.Statement( Sid='codebuilder', Effect=aws.Allow, Action=[ aws.Action('autoscaling', '*'), aws.Action('elasticloadbalancing', '*') ], Resource=[ '*' ] ) ] ) ) ] ) cms_codedeploy_application = codedeploy.Application( "CMSCodeDeployApplication", t, ) cms_deployment_group = codedeploy.DeploymentGroup( "CMSDeploymentGroup", t, DependsOn=[cms_codedeploy_application], ApplicationName=Ref(cms_codedeploy_application), AutoScalingGroups=[Ref(Web_autoscaler)], LoadBalancerInfo=codedeploy.LoadBalancerInfo( "CodeDeployLBInfo", TargetGroupInfoList=[ codedeploy.TargetGroupInfoList( "WebTargetGroup", Name=GetAtt(Web_target_group, "TargetGroupName") ) ] ), ServiceRoleArn=GetAtt(codedeploy_service_role, 'Arn') ) print(t.to_yaml())
def main(): template = Template() template.add_resource( ecs.Cluster("ECSCluster", ClusterName="WorldCheckCluster")) template.add_resource( iam.Role("ECSTaskRole", AssumeRolePolicyDocument={ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": { "Service": ["ecs-tasks.amazonaws.com"] }, "Action": ["sts:AssumeRole"] }] })) template.add_resource( iam.Role( "ECSServiceSchedulerRole", AssumeRolePolicyDocument={ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": { "Service": ["ecs.amazonaws.com"] }, "Action": ["sts:AssumeRole"] }] }, Policies=[ iam.Policy(PolicyDocument={ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "ec2:Describe*", "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:Describe*", "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets" ], "Resource": "*" }] }, PolicyName="ecs-service") ])) template.add_resource( iam.Role("EC2InstanceRole", AssumeRolePolicyDocument={ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": { "Service": ["ec2.amazonaws.com"] }, "Action": ["sts:AssumeRole"] }] }, Policies=[ iam.Policy(PolicyDocument={ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "ecs:CreateCluster", "ecs:DeregisterContainerInstance", "ecs:DiscoverPollEndpoint", "ecs:Poll", "ecs:RegisterContainerInstance", "ecs:StartTelemetrySession", "ecr:GetAuthorizationToken", "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer", "ecs:Submit*", "logs:CreateLogStream", "logs:PutLogEvents", "ec2:DescribeTags", "cloudwatch:PutMetricData" ], "Resource": "*" }] }, PolicyName="ecs-service") ])) template.add_resource( iam.InstanceProfile("EC2InstanceProfile", Roles=[Ref("EC2InstanceRole")])) with open("user-data.sh", "r") as f: user_data_content = f.readlines() template.add_resource( ec2.Instance( "EC2Instance", ImageId="ami-13f7226a", InstanceType="t2.micro", SecurityGroups=["default"], UserData=Base64(Join('', [Sub(x) for x in user_data_content])), IamInstanceProfile=Ref("EC2InstanceProfile"), )) template.add_resource( ecs.TaskDefinition( "ECSTaskDefinition", TaskRoleArn=Ref("ECSTaskRole"), ContainerDefinitions=[ ecs.ContainerDefinition( Name="SimpleServer", Memory="128", Image="abbas123456/simple-server:latest", PortMappings=[ecs.PortMapping(ContainerPort=8000)], ) ])) template.add_resource( elb.TargetGroup( "ECSTargetGroup", VpcId="vpc-925497f6", Port=8000, Protocol="HTTP", )) template.add_resource( elb.LoadBalancer( "LoadBalancer", Subnets=["subnet-a321c8fb", "subnet-68fa271e", "subnet-689d350c"], SecurityGroups=["sg-0202bd65"])) template.add_resource( elb.Listener( "LoadBalancerListener", DefaultActions=[ elb.Action(Type="forward", TargetGroupArn=Ref("ECSTargetGroup")) ], LoadBalancerArn=Ref("LoadBalancer"), Port=80, Protocol="HTTP", )) template.add_resource( ecs.Service("ECSService", Cluster=Ref("ECSCluster"), DesiredCount=1, LoadBalancers=[ ecs.LoadBalancer(ContainerPort=8000, ContainerName="SimpleServer", TargetGroupArn=Ref("ECSTargetGroup")) ], Role=Ref("ECSServiceSchedulerRole"), TaskDefinition=Ref("ECSTaskDefinition"), DependsOn="LoadBalancerListener")) return template.to_json()
def buildInstance(t, args): t.add_resource( ec2.SecurityGroup('WebserverIngressSG', GroupDescription='Global Webserver Access', VpcId=Ref('VPC'), Tags=Tags(Name='Global Webserver Access'))) t.add_resource( ec2.SecurityGroupIngress('WebserverIngressSG80', GroupId=Ref('WebserverIngressSG'), IpProtocol='tcp', CidrIp='0.0.0.0/0', FromPort='80', ToPort='80')) t.add_resource( ec2.SecurityGroupIngress('WebserverIngress443', GroupId=Ref('WebserverIngressSG'), IpProtocol='tcp', CidrIp='0.0.0.0/0', FromPort='443', ToPort='443')) t.add_resource( ec2.SecurityGroup('SysAdminAccessSG', GroupDescription='System Administrator Access', VpcId=Ref('VPC'), Tags=Tags(Name='System Administrator Access'))) if (args.dev): t.add_resource( ec2.SecurityGroupIngress('DevSysadminIngress22', GroupId=Ref('SysAdminAccessSG'), IpProtocol='tcp', CidrIp='0.0.0.0/0', FromPort='22', ToPort='22')) rolePolicyStatements = [{ "Sid": "Stmt1500699052003", "Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": [Join("", ["arn:aws:s3:::", Ref('S3Bucket')])] }, { "Sid": "Stmt1500699052000", "Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"], "Resource": [Join("", ["arn:aws:s3:::", Ref('S3Bucket'), '/Backup/*'])] }, { "Sid": "Stmt1500612724002", "Effect": "Allow", "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"], "Resource": [OpenEMRKeyARN] }] if (args.recovery): rolePolicyStatements.extend([ { "Sid": "Stmt1500699052004", "Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": [Join( "", ["arn:aws:s3:::", Ref('RecoveryS3Bucket')])] }, { "Sid": "Stmt1500699052005", "Effect": "Allow", "Action": [ "s3:GetObject", ], "Resource": [ Join("", [ "arn:aws:s3:::", Ref('RecoveryS3Bucket'), '/Backup/*' ]) ] }, ]) t.add_resource( iam.ManagedPolicy('WebserverPolicy', Description='Policy for webserver instance', PolicyDocument={ "Version": "2012-10-17", "Statement": rolePolicyStatements })) t.add_resource( iam.Role('WebserverRole', AssumeRolePolicyDocument={ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": { "Service": ["ec2.amazonaws.com"] }, "Action": ["sts:AssumeRole"] }] }, Path='/', ManagedPolicyArns=[Ref('WebserverPolicy')])) t.add_resource( iam.InstanceProfile('WebserverInstanceProfile', Path='/', Roles=[Ref('WebserverRole')])) t.add_resource( ec2.Volume('DockerVolume', DeletionPolicy='Delete' if args.dev else 'Snapshot', Size=Ref('PracticeStorage'), AvailabilityZone=Select("0", GetAZs("")), VolumeType='gp2', Encrypted=True, KmsKeyId=OpenEMRKeyID, Tags=Tags(Name="OpenEMR Practice"))) bootstrapScript = [ "#!/bin/bash -x\n", "exec > /var/log/openemr-cfn-bootstrap 2>&1\n", "cfn-init -v ", " --stack ", ref_stack_name, " --resource WebserverInstance ", " --configsets Setup ", " --region ", ref_region, "\n", "cfn-signal -e $? ", " --stack ", ref_stack_name, " --resource WebserverInstance ", " --region ", ref_region, "\n" ] setupScript = [ "#!/bin/bash -xe\n", "exec > /tmp/cloud-setup.log 2>&1\n", "/root/openemr-devops/packages/standard/ami/ami-configure.sh\n" ] stackPassthroughFile = [ "S3=", Ref('S3Bucket'), "\n", "KMS=", OpenEMRKeyID, "\n" ] if (args.recovery): stackPassthroughFile.extend([ "RECOVERYS3=", Ref('RecoveryS3Bucket'), "\n", "RECOVERY_NEWRDS=", GetAtt('RDSInstance', 'Endpoint.Address'), "\n", ]) if (args.recovery): dockerComposeFile = [ "version: '3.1'\n", "services:\n", " openemr:\n", " restart: always\n", " image: openemr/openemr", docker_version, "\n", " ports:\n", " - 80:80\n", " - 443:443\n", " volumes:\n", " - logvolume01:/var/log\n", " - sitevolume:/var/www/localhost/htdocs/openemr/sites\n", " environment:\n", " MANUAL_SETUP: 1\n", "volumes:\n", " logvolume01: {}\n", " sitevolume: {}\n" ] else: dockerComposeFile = [ "version: '3.1'\n", "services:\n", " openemr:\n", " restart: always\n", " image: openemr/openemr", docker_version, "\n", " ports:\n", " - 80:80\n", " - 443:443\n", " volumes:\n", " - logvolume01:/var/log\n", " - sitevolume:/var/www/localhost/htdocs/openemr/sites\n", " environment:\n", " MYSQL_HOST: '", GetAtt('RDSInstance', 'Endpoint.Address'), "'\n", " MYSQL_ROOT_USER: openemr\n", " MYSQL_ROOT_PASS: '******'RDSPassword'), "'\n", " MYSQL_USER: openemr\n", " MYSQL_PASS: '******'RDSPassword'), "'\n", " OE_USER: admin\n", " OE_PASS: '******'AdminPassword'), "'\n", "volumes:\n", " logvolume01: {}\n", " sitevolume: {}\n" ] bootstrapInstall = cloudformation.InitConfig( files={ "/root/cloud-setup.sh": { "content": Join("", setupScript), "mode": "000500", "owner": "root", "group": "root" }, "/root/cloud-variables": { "content": Join("", stackPassthroughFile), "mode": "000500", "owner": "root", "group": "root" }, "/root/openemr-devops/packages/standard/docker-compose.yaml": { "content": Join("", dockerComposeFile), "mode": "000500", "owner": "root", "group": "root" } }, commands={"01_setup": { "command": "/root/cloud-setup.sh" }}) bootstrapMetadata = cloudformation.Metadata( cloudformation.Init(cloudformation.InitConfigSets(Setup=['Install']), Install=bootstrapInstall)) t.add_resource( ec2.Instance('WebserverInstance', Metadata=bootstrapMetadata, ImageId=FindInMap('RegionData', ref_region, 'OpenEMRMktPlaceAMI'), InstanceType=Ref('WebserverInstanceSize'), NetworkInterfaces=[ ec2.NetworkInterfaceProperty( AssociatePublicIpAddress=True, DeviceIndex="0", GroupSet=[ Ref('ApplicationSecurityGroup'), Ref('WebserverIngressSG'), Ref('SysAdminAccessSG') ], SubnetId=Ref('PublicSubnet1')) ], KeyName=Ref('EC2KeyPair'), IamInstanceProfile=Ref('WebserverInstanceProfile'), Volumes=[{ "Device": "/dev/sdd", "VolumeId": Ref('DockerVolume') }], Tags=Tags(Name='OpenEMR Cloud Standard'), InstanceInitiatedShutdownBehavior='stop', UserData=Base64(Join('', bootstrapScript)), CreationPolicy={"ResourceSignal": { "Timeout": "PT15M" }})) return t
"CFNRolePolicies", PolicyName="CFNaccess", PolicyDocument={ "Statement": [{ "Action": "cloudformation:Describe*", "Resource": "*", "Effect": "Allow" }] }, Roles=[Ref("AmbariAccessRole")], )) AmbariInstanceProfile = t.add_resource( iam.InstanceProfile( "AmbariInstanceProfile", Path="/", Roles=[Ref("AmbariAccessRole")], )) NodeAccessRole = t.add_resource( iam.Role( "NodeAccessRole", Path="/", AssumeRolePolicyDocument={ "Statement": [{ "Action": ["sts:AssumeRole"], "Effect": "Allow", "Principal": { "Service": ["ec2.amazonaws.com"] } }]
def gen_template(config): num_couchbase_servers = config.server_number couchbase_instance_type = config.server_type num_sync_gateway_servers = config.sync_gateway_number sync_gateway_server_type = config.sync_gateway_type num_gateloads = config.load_number gateload_instance_type = config.load_type num_lbs = config.lb_number lb_instance_type = config.lb_type t = Template() t.add_description( 'An Ec2-classic stack with Couchbase Server, Sync Gateway + load testing tools ' ) def createCouchbaseSecurityGroups(t): # Couchbase security group secGrpCouchbase = ec2.SecurityGroup('CouchbaseSecurityGroup') secGrpCouchbase.GroupDescription = "Allow access to Couchbase Server" secGrpCouchbase.SecurityGroupIngress = [ ec2.SecurityGroupRule( IpProtocol="tcp", FromPort="22", ToPort="22", CidrIp="0.0.0.0/0", ), ec2.SecurityGroupRule( IpProtocol="tcp", FromPort="8091", ToPort="8091", CidrIp="0.0.0.0/0", ), ec2.SecurityGroupRule( # sync gw user port IpProtocol="tcp", FromPort="4984", ToPort="4984", CidrIp="0.0.0.0/0", ), ec2.SecurityGroupRule( # sync gw admin port IpProtocol="tcp", FromPort="4985", ToPort="4985", CidrIp="0.0.0.0/0", ), ec2.SecurityGroupRule( # expvars IpProtocol="tcp", FromPort="9876", ToPort="9876", CidrIp="0.0.0.0/0", ), ec2.SecurityGroupRule( # couchbase server IpProtocol="tcp", FromPort="4369", ToPort="4369", CidrIp="0.0.0.0/0", ), ec2.SecurityGroupRule( # couchbase server IpProtocol="tcp", FromPort="5984", ToPort="5984", CidrIp="0.0.0.0/0", ), ec2.SecurityGroupRule( # couchbase server IpProtocol="tcp", FromPort="8092", ToPort="8092", CidrIp="0.0.0.0/0", ), ec2.SecurityGroupRule( # couchbase server IpProtocol="tcp", FromPort="11209", ToPort="11209", CidrIp="0.0.0.0/0", ), ec2.SecurityGroupRule( # couchbase server IpProtocol="tcp", FromPort="11210", ToPort="11210", CidrIp="0.0.0.0/0", ), ec2.SecurityGroupRule( # couchbase server IpProtocol="tcp", FromPort="11211", ToPort="11211", CidrIp="0.0.0.0/0", ), ec2.SecurityGroupRule( # couchbase server IpProtocol="tcp", FromPort="21100", ToPort="21299", CidrIp="0.0.0.0/0", ) ] # Add security group to template t.add_resource(secGrpCouchbase) return secGrpCouchbase # # Parameters # keyname_param = t.add_parameter( Parameter( 'KeyName', Type='String', Description='Name of an existing EC2 KeyPair to enable SSH access') ) secGrpCouchbase = createCouchbaseSecurityGroups(t) # Create an IAM Role to give the EC2 instance permissions to # push Cloudwatch Logs, which avoids the need to bake in the # AWS_KEY + AWS_SECRET_KEY into an ~/.aws/credentials file or # env variables mobileTestKitRole = iam.Role( 'MobileTestKit', ManagedPolicyArns=['arn:aws:iam::aws:policy/CloudWatchFullAccess'], AssumeRolePolicyDocument={ 'Version': '2012-10-17', 'Statement': [{ 'Action': 'sts:AssumeRole', 'Principal': { 'Service': 'ec2.amazonaws.com' }, 'Effect': 'Allow', }] }) t.add_resource(mobileTestKitRole) # The InstanceProfile instructs the EC2 instance to use # the mobileTestKitRole created above. It will be referenced # in the instance.IamInstanceProfile property for all EC2 instances created instanceProfile = iam.InstanceProfile( 'EC2InstanceProfile', Roles=[Ref(mobileTestKitRole)], ) t.add_resource(instanceProfile) # Couchbase Server Instances for i in xrange(num_couchbase_servers): name = "couchbaseserver{}".format(i) instance = ec2.Instance(name) instance.ImageId = "ami-6d1c2007" # centos7 instance.InstanceType = couchbase_instance_type instance.SecurityGroups = [Ref(secGrpCouchbase)] instance.KeyName = Ref(keyname_param) instance.Tags = Tags(Name=name, Type="couchbaseserver") instance.IamInstanceProfile = Ref(instanceProfile) instance.BlockDeviceMappings = [ ec2.BlockDeviceMapping(DeviceName="/dev/sda1", Ebs=ec2.EBSBlockDevice( DeleteOnTermination=True, VolumeSize=200, VolumeType="gp2")) ] t.add_resource(instance) # Sync Gw instances (ubuntu ami) for i in xrange(num_sync_gateway_servers): name = "syncgateway{}".format(i) instance = ec2.Instance(name) instance.ImageId = "ami-6d1c2007" # centos7 instance.InstanceType = sync_gateway_server_type instance.SecurityGroups = [Ref(secGrpCouchbase)] instance.KeyName = Ref(keyname_param) instance.IamInstanceProfile = Ref(instanceProfile) instance.BlockDeviceMappings = [ ec2.BlockDeviceMapping(DeviceName="/dev/sda1", Ebs=ec2.EBSBlockDevice( DeleteOnTermination=True, VolumeSize=200, VolumeType="gp2")) ] # Make syncgateway0 a cache writer, and the rest cache readers # See https://github.com/couchbase/sync_gateway/wiki/Distributed-channel-cache-design-notes if i == 0: instance.Tags = Tags(Name=name, Type="syncgateway", CacheType="writer") else: instance.Tags = Tags(Name=name, Type="syncgateway") t.add_resource(instance) # Gateload instances (ubuntu ami) for i in xrange(num_gateloads): name = "gateload{}".format(i) instance = ec2.Instance(name) instance.ImageId = "ami-6d1c2007" # centos7 instance.InstanceType = gateload_instance_type instance.SecurityGroups = [Ref(secGrpCouchbase)] instance.KeyName = Ref(keyname_param) instance.IamInstanceProfile = Ref(instanceProfile) instance.Tags = Tags(Name=name, Type="gateload") instance.BlockDeviceMappings = [ ec2.BlockDeviceMapping(DeviceName="/dev/sda1", Ebs=ec2.EBSBlockDevice( DeleteOnTermination=True, VolumeSize=200, VolumeType="gp2")) ] t.add_resource(instance) # Load Balancer instances (ubuntu ami) for i in xrange(num_lbs): name = "loadbalancer{}".format(i) instance = ec2.Instance(name) instance.ImageId = "ami-6d1c2007" # centos7 instance.InstanceType = lb_instance_type instance.SecurityGroups = [Ref(secGrpCouchbase)] instance.KeyName = Ref(keyname_param) instance.IamInstanceProfile = Ref(instanceProfile) instance.Tags = Tags(Name=name, Type="loadbalancer") instance.BlockDeviceMappings = [ ec2.BlockDeviceMapping(DeviceName="/dev/sda1", Ebs=ec2.EBSBlockDevice( DeleteOnTermination=True, VolumeSize=200, VolumeType="gp2")) ] t.add_resource(instance) return t.to_json()
"Principal": { "Service": ["ec2.amazonaws.com"] }, "Action": ["sts:AssumeRole"] }] }, Policies=[ iam.Policy( PolicyName='{}InstancePolicy'.format(STACK_NAME), PolicyDocument=instance_policy_doc, ), ])) instance_profile = template.add_resource( iam.InstanceProfile('InstanceProfile', Roles=[Ref(instance_role)], InstanceProfileName='TweeterUploaderInstanceProfile')) # Define Instance Metadata instance_metadata = Metadata( Init({ 'config': InitConfig( commands={'update_yum_packages': { 'command': 'yum update -y' }}, files=InitFiles({ # setup .bashrc ec2-user '/home/ec2-user/.bashrc': InitFile(content=Join( '',
def emit_configuration(): # Parameters here jenkins_instance_class = template.add_parameter( Parameter( 'JenkinsInstanceType', Type='String', Default='t2.micro', Description='Chef jenkins instance type', AllowedValues=cfn.usable_instances(), ConstraintDescription='Instance size must be a valid instance type' )) # jenkins IAM role jenkins_role_name = '.'.join(['jenkins', CLOUDNAME, CLOUDENV]) jenkins_iam_role = template.add_resource( iam.Role('JenkinsIamRole', AssumeRolePolicyDocument=ASSUME_ROLE_POLICY, Path="/", Policies=[ iam.Policy(PolicyName='JenkinsPolicy', PolicyDocument=json.loads( cfn.load_template( "jenkins_policy.json.j2", { "env": CLOUDENV, "cloud": CLOUDNAME, "region": "us-east-1" }))), iam.Policy(PolicyName='JenkinsDefaultPolicy', PolicyDocument=json.loads( cfn.load_template( "default_policy.json.j2", { "env": CLOUDENV, "cloud": CLOUDNAME, "region": "us-east-1" }))) ], DependsOn=cfn.vpcs[0].title)) jenkins_instance_profile = template.add_resource( iam.InstanceProfile("JenkinsInstanceProfile", Path="/", Roles=[Ref(jenkins_iam_role)], DependsOn=jenkins_iam_role.title)) jenkins_user_data = cfn.load_template("default-init.bash.j2", { "env": CLOUDENV, "cloud": CLOUDNAME, "deploy": "jenkins" }) ingress_rules = [ ec2.SecurityGroupRule(IpProtocol=p[0], CidrIp=DEFAULT_ROUTE, FromPort=p[1], ToPort=p[1]) for p in [('tcp', 22), ('tcp', 80), ('tcp', 443)] ] security_group = template.add_resource( ec2.SecurityGroup( "JenkinsSecurityGroup", GroupDescription='Security Group for jenkins instances', VpcId=Ref(cfn.vpcs[0]), SecurityGroupIngress=ingress_rules, DependsOn=cfn.vpcs[0].title, Tags=Tags(Name='.'.join(['jenkins-sg', CLOUDNAME, CLOUDENV])))) launch_cfg = template.add_resource( autoscaling.LaunchConfiguration( "JenkinsLaunchConfiguration", ImageId=FindInMap('RegionMap', Ref("AWS::Region"), int(cfn.Amis.EBS)), InstanceType=Ref(jenkins_instance_class), IamInstanceProfile=Ref(jenkins_instance_profile), AssociatePublicIpAddress=not USE_PRIVATE_SUBNETS, BlockDeviceMappings=[ ec2.BlockDeviceMapping( DeviceName='/dev/sda1', Ebs=ec2.EBSBlockDevice(DeleteOnTermination=True)) ], KeyName=Ref(cfn.keyname), SecurityGroups=[Ref(security_group)], DependsOn=[jenkins_instance_profile.title, security_group.title], UserData=Base64(jenkins_user_data))) asg_name = '.'.join(['jenkins', CLOUDNAME, CLOUDENV]) asg = template.add_resource( autoscaling.AutoScalingGroup( "JenkinsASG", AvailabilityZones=cfn.get_asg_azs(), DesiredCapacity="1", LaunchConfigurationName=Ref(launch_cfg), MinSize="1", MaxSize="1", NotificationConfiguration=autoscaling.NotificationConfiguration( TopicARN=Ref(cfn.alert_topic), NotificationTypes=[ EC2_INSTANCE_TERMINATE, EC2_INSTANCE_TERMINATE_ERROR, EC2_INSTANCE_LAUNCH, EC2_INSTANCE_LAUNCH_ERROR ]), VPCZoneIdentifier=[ Ref(sn) for sn in cfn.get_vpc_subnets(cfn.vpcs[0], cfn.SubnetTypes.PLATFORM) ]))
def add_iam_role(self): self.iam_role = self.template.add_resource( iam.Role( "s3AcessPolicies", Path="/", AssumeRolePolicyDocument={ "Statement": [{ "Effect": "Allow", "Principal": { "Service": ["ec2.amazonaws.com"] }, "Action": ["sts:AssumeRole"] }] }, Policies=[ iam.Policy(PolicyName="ListAllMyBuckets", PolicyDocument={ "Statement": [{ "Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "arn:aws:s3:::*" }], }), iam.Policy( PolicyName="AllowAccessToBucket", PolicyDocument={ "Statement": [{ "Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"], "Resource": Join("", [ "arn:aws:s3:::", ImportValue( 'deploy-dev-s3bucket-s3bucketname') ]) }] }), iam.Policy( PolicyName="AllowWriteToBucket", PolicyDocument={ "Statement": [{ "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject" ], "Resource": Join("", [ "arn:aws:s3:::", ImportValue( 'deploy-dev-s3bucket-s3bucketname'), "/*" ]) }] }) ])) self.cfninstanceprofile = self.template.add_resource( iam.InstanceProfile("CFNInstanceProfile", Roles=[Ref(self.iam_role)]))
def buildInstance(t, args): t.add_resource( ec2.SecurityGroup('WebserverSG', GroupDescription='Global Webserver Access', VpcId=Ref('VPC'), Tags=Tags(Name='Global Webserver Access'))) t.add_resource( ec2.SecurityGroupIngress('WebserverSGIngress1', GroupId=Ref('WebserverSG'), IpProtocol='tcp', CidrIp='0.0.0.0/0', FromPort='22', ToPort='22')) t.add_resource( ec2.SecurityGroupIngress('WebserverSGIngress2', GroupId=Ref('WebserverSG'), IpProtocol='tcp', CidrIp='0.0.0.0/0', FromPort='80', ToPort='80')) t.add_resource( ec2.SecurityGroupIngress('WebserverSGIngress3', GroupId=Ref('WebserverSG'), IpProtocol='tcp', CidrIp='0.0.0.0/0', FromPort='443', ToPort='443')) rolePolicyStatements = [{ "Sid": "Stmt1500699052003", "Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": [Join("", ["arn:aws:s3:::", Ref('S3Bucket')])] }, { "Sid": "Stmt1500699052000", "Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"], "Resource": [Join("", ["arn:aws:s3:::", Ref('S3Bucket'), '/Backup/*'])] }, { "Sid": "Stmt1500612724002", "Effect": "Allow", "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"], "Resource": [OpenEMRKeyARN] }] t.add_resource( iam.ManagedPolicy('WebserverPolicy', Description='Policy for webserver instance', PolicyDocument={ "Version": "2012-10-17", "Statement": rolePolicyStatements })) t.add_resource( iam.Role('WebserverRole', AssumeRolePolicyDocument={ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": { "Service": ["ec2.amazonaws.com"] }, "Action": ["sts:AssumeRole"] }] }, Path='/', ManagedPolicyArns=[Ref('WebserverPolicy')])) t.add_resource( iam.InstanceProfile('WebserverInstanceProfile', Path='/', Roles=[Ref('WebserverRole')])) t.add_resource( ec2.Volume('DockerVolume', DeletionPolicy='Delete' if args.dev else 'Snapshot', Size=Ref('PracticeStorage'), AvailabilityZone=Select("0", GetAZs("")), VolumeType='gp2', Encrypted=True, KmsKeyId=OpenEMRKeyID, Tags=Tags(Name="OpenEMR Practice"))) bootstrapScript = [ "#!/bin/bash -x\n", "exec > /tmp/part-001.log 2>&1\n", "apt-get -y update\n", "apt-get -y install python-pip\n", "pip install https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-latest.tar.gz\n", "cfn-init -v ", " --stack ", ref_stack_name, " --resource WebserverInstance ", " --configsets Setup ", " --region ", ref_region, "\n", "cfn-signal -e $? ", " --stack ", ref_stack_name, " --resource WebserverInstance ", " --region ", ref_region, "\n" ] setupScript = [ "#!/bin/bash -xe\n", "exec > /tmp/cloud-setup.log 2>&1\n", "DEBIAN_FRONTEND=noninteractive apt-get dist-upgrade -y -o Dpkg::Options::=\"--force-confdef\" -o Dpkg::Options::=\"--force-confold\" --force-yes\n", "mkfs -t ext4 /dev/xvdd\n", "mkdir /mnt/docker\n", "cat /root/fstab.append >> /etc/fstab\n", "mount /mnt/docker\n", "ln -s /mnt/docker /var/lib/docker\n", "apt-get -y install python-boto awscli\n", "S3=", Ref('S3Bucket'), "\n", "KMS=", OpenEMRKeyID, "\n", "touch /root/cloud-backups-enabled\n", "echo $S3 > /root/.cloud-s3.txt\n", "echo $KMS > /root/.cloud-kms.txt\n", "touch /tmp/mypass\n", "chmod 500 /tmp/mypass\n", "openssl rand -base64 32 >> /tmp/mypass\n", "aws s3 cp /tmp/mypass s3://$S3/Backup/passphrase.txt --sse aws:kms --sse-kms-key-id $KMS\n", "rm /tmp/mypass\n", "curl -L https://raw.githubusercontent.com/openemr/openemr-devops/master/packages/lightsail/launch.sh > /root/launch.sh\n", "chmod +x /root/launch.sh && /root/launch.sh -s 0\n" ] fstabFile = ["/dev/xvdd /mnt/docker ext4 defaults,nofail 0 0\n"] bootstrapInstall = cloudformation.InitConfig( files={ "/root/cloud-setup.sh": { "content": Join("", setupScript), "mode": "000500", "owner": "root", "group": "root" }, "/root/fstab.append": { "content": Join("", fstabFile), "mode": "000400", "owner": "root", "group": "root" } }, commands={"01_setup": { "command": "/root/cloud-setup.sh" }}) bootstrapMetadata = cloudformation.Metadata( cloudformation.Init(cloudformation.InitConfigSets(Setup=['Install']), Install=bootstrapInstall)) t.add_resource( ec2.Instance('WebserverInstance', Metadata=bootstrapMetadata, ImageId=FindInMap('RegionData', ref_region, 'UbuntuAMI'), InstanceType=Ref('InstanceSize'), NetworkInterfaces=[ ec2.NetworkInterfaceProperty( AssociatePublicIpAddress=True, DeviceIndex="0", GroupSet=[Ref('WebserverSG')], SubnetId=Ref('PublicSubnet1')) ], KeyName=Ref('EC2KeyPair'), IamInstanceProfile=Ref('WebserverInstanceProfile'), Volumes=[{ "Device": "/dev/sdd", "VolumeId": Ref('DockerVolume') }], Tags=Tags(Name='OpenEMR Express Plus'), InstanceInitiatedShutdownBehavior='stop', UserData=Base64(Join('', bootstrapScript)), CreationPolicy={"ResourceSignal": { "Timeout": "PT25M" }})) return t
'Statement': [ { 'Action': 'sts:AssumeRole', 'Principal': { 'Service': 'ec2.amazonaws.com' }, 'Effect': 'Allow' } ] } ) ) ec2_instance_profile = template.add_resource( iam.InstanceProfile( 'EC2InstanceProfile', Roles=[Ref(ecs_cluster_role)] ) ) ecs_cluster = template.add_resource( ecs.Cluster( 'ApiCluster' ) ) launch_template = template.add_resource( ec2.LaunchTemplate( 'LaunchTemplate', LaunchTemplateName=Ref(api_launch_template_name), LaunchTemplateData=ec2.LaunchTemplateData( ImageId='ami-066826c6a40879d75',
dict( Effect="Allow", Action=[ "logs:Create*", "logs:PutLogEvents", ], Resource="arn:aws:logs:*:*:*", ) ], ), ), ]) # ECS container instance profile container_instance_profile = iam.InstanceProfile( "ContainerInstanceProfile", template=template, Path="/", Roles=[Ref(container_instance_role)], ) container_instance_configuration_name = "MainContainerLaunchConfiguration" container_instance_configuration = LaunchConfiguration( container_instance_configuration_name, template=template, KeyName=Ref(secret_key), Metadata=Metadata( cloudformation.Init( dict(config=cloudformation.InitConfig( commands=dict(register_cluster=dict(command=Join( "", [
def create_template(self): """Create template (main function called by Stacker).""" template = self.template # variables = self.get_variables() template.add_version('2010-09-09') template.add_description('Kubernetes IAM policies - V1.0.0') # Resources nodeinstancerole = template.add_resource( iam.Role( 'NodeInstanceRole', AssumeRolePolicyDocument=make_simple_assume_policy( 'ec2.amazonaws.com'), ManagedPolicyArns=[ IAM_POLICY_ARN_PREFIX + i for i in [ 'AmazonEKSWorkerNodePolicy', 'AmazonEKS_CNI_Policy', 'AmazonEC2ContainerRegistryReadOnly', # SSM agent not shipped ootb # 'AmazonSSMManagedInstanceCore' ] ])) template.add_output( Output('NodeInstanceRole', Description='The node instance role name', Value=nodeinstancerole.ref())) template.add_output( Output('NodeInstanceRoleArn', Description='The node instance role ARN', Value=nodeinstancerole.get_att('Arn'))) nodeinstanceprofile = template.add_resource( iam.InstanceProfile('NodeInstanceProfile', Path='/', Roles=[nodeinstancerole.ref()])) template.add_output( Output('NodeInstanceProfile', Description='The node instance profile', Value=nodeinstanceprofile.ref())) template.add_output( Output('NodeInstanceProfileArn', Description='The node instance profile ARN', Value=nodeinstanceprofile.get_att('Arn'))) template.add_resource( iam.Role( 'ClusterAutoScalerInstanceRole', AssumeRolePolicyDocument=make_simple_assume_policy( 'ec2.amazonaws.com'), Policies=[ iam.Policy( PolicyName='cluster-autoscaler', PolicyDocument=PolicyDocument( Version='2012-10-17', Statement=[ Statement( Action=[ awacs.autoscaling. DescribeAutoScalingGroups, # noqa awacs.autoscaling. DescribeAutoScalingInstances, # noqa awacs.autoscaling.DescribeTags, awacs.autoscaling. SetDesiredCapacity, # noqa awacs.autoscaling. TerminateInstanceInAutoScalingGroup ], # noqa pylint: disable=line-too-long Effect=Allow, Resource=['*']) ])) ]))