def __init__(self, scope: core.Construct, id: str, out_nw_stack: outNwStack, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
# Contexts
PRJ = self.node.try_get_context("prj")
# Parameters
# Functions
def nametag(x): return core.CfnTag(
key="Name", value="{}/{}".format(PRJ, x))
# ### Resources
# Tgw
self.tgw = ec2.CfnTransitGateway(
self, "tgw",
auto_accept_shared_attachments="enable",
default_route_table_association="disable",
default_route_table_propagation="disable",
description="transit gateway({})".format(PRJ),
tags=[nametag("tgw")]
)
# Tgw Attachment for Outbound-VPC
self.out_tgw_attachment = ec2.CfnTransitGatewayAttachment(
self, "outTgwAttachment",
vpc_id=out_nw_stack.vpc.ref,
subnet_ids=[out_nw_stack.tgw_subnet.ref],
transit_gateway_id=self.tgw.ref,
tags=[nametag("outTgwAttachment")]
)
def __init__(self, scope: core.Construct, id: str, cidr_ranges: list, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
# TODO: replace by CDK construct when available
tg = ec2.CfnTransitGateway(
self, 'TransitGateway',
auto_accept_shared_attachments='enable',
default_route_table_association='enable',
default_route_table_propagation='enable',
dns_support='enable',
)
role = iam.Role(
self, 'Ec2SsmRole',
assumed_by=iam.ServicePrincipal('ec2.amazonaws.com'),
managed_policies=[
iam.ManagedPolicy.from_aws_managed_policy_name('AmazonSSMManagedInstanceCore')
],
)
for i, cidr_range in enumerate(cidr_ranges):
TransitMemberVpc(
self, 'Member{}'.format(i + 1),
cidr_range=cidr_range,
transit_gateway=tg,
role=role,
)
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
self.gateway = ec2.CfnTransitGateway(
self,
'TransitGateway',
amazon_side_asn=64512,
auto_accept_shared_attachments='enable',
default_route_table_association='enable',
default_route_table_propagation='enable',
description='HomeNet TransitGateway',
dns_support='enable',
vpn_ecmp_support='enable',
tags=[core.CfnTag(key='Name', value='HomeNet/TGW')])
def __init__(self, scope:core.Construct, id:str, landing_zone:LandingZone, peers:List[LandingZone], amazon_asn:int, **kwargs):
"""
Configure the Transit Gateways
"""
super().__init__(scope,id, **kwargs)
self.landing_zone = landing_zone
self.peers = peers
self.gateway = ec2.CfnTransitGateway(self,'TransitGateway',
amazon_side_asn=amazon_asn,
auto_accept_shared_attachments='enable',
default_route_table_association='enable',
default_route_table_propagation='enable',
description='HomeNet TransitGateway',
dns_support='enable',
vpn_ecmp_support='enable',
tags=[
core.CfnTag(key='Name',value='HomeNet/TGW')
])
entries = []
for peer in peers:
if peer == landing_zone:
continue
entries.append(ec2.CfnPrefixList.EntryProperty(cidr=peer.cidr_block,description=peer.zone_name))
ec2.CfnPrefixList(self,'PeerPrefix',
address_family='IPv4',
entries= entries,
max_entries=100,
prefix_list_name='nbachmei.homenet.tgw-peers',
tags=[core.CfnTag(key='Name',value='HomeNet TGW Prefixes')])
ec2.CfnTransitGatewayAttachment(self,'VpcAttachment',
subnet_ids= landing_zone.vpc.select_subnets(subnet_group_name='TGW').subnet_ids,
transit_gateway_id= self.gateway.ref,
vpc_id= landing_zone.vpc.vpc_id,
tags=[core.CfnTag(key='Name',value='HomeNet')])
ssm.CfnParameter(self,'RegionalGatewayParameter',
name='/homenet/{}/transit-gateway/gateway-id'.format(landing_zone.region),
value=self.gateway.ref,
type='String')
self.__add_peers()
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
# def __init__(self, scope: core.Construct, id: str, cidr_range: str, tgw_asn: int, **kwargs) -> None:
# super().__init__(scope, id, **kwargs)
this_dir = path.dirname(__file__)
# VPC Creation
self.vpc = ec2.Vpc(
self,
"TransitVPC",
max_azs=1,
cidr="172.16.0.0/24",
# configuration will create 1 subnet in a single AZ.
subnet_configuration=[
ec2.SubnetConfiguration(subnet_type=ec2.SubnetType.ISOLATED,
name="Isolated",
cidr_mask=25)
])
# Transit Gateway creation
self.tgw = ec2.CfnTransitGateway(
self,
id="TGW-USe1",
amazon_side_asn=64512,
auto_accept_shared_attachments="enable",
default_route_table_association="enable",
default_route_table_propagation="enable",
tags=[core.CfnTag(key='Name', value="tgw-us-east-1")])
# Transit Gateway attachment to the VPC
self.tgw_attachment = ec2.CfnTransitGatewayAttachment(
self,
id="TGW-Attachment",
transit_gateway_id=self.tgw.ref,
vpc_id=self.vpc.vpc_id,
subnet_ids=[
subnet.subnet_id for subnet in self.vpc.isolated_subnets
],
tags=[
core.CfnTag(key='Name',
value=f"tgw-{self.vpc.vpc_id}-attachment")
])
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
self.defaultVpc = aws_ec2.Vpc(
self,
"Default",
cidr='10.0.0.0/24',
nat_gateways=2,
subnet_configuration=[
aws_ec2.SubnetConfiguration(
name="public",
cidr_mask=27,
reserved=False,
subnet_type=aws_ec2.SubnetType.PUBLIC),
aws_ec2.SubnetConfiguration(
name="private",
cidr_mask=27,
reserved=False,
subnet_type=aws_ec2.SubnetType.PRIVATE)
])
self.eksVpc = aws_ec2.Vpc(
self,
"EKSvpc",
cidr='192.168.0.0/24',
subnet_configuration=[
aws_ec2.SubnetConfiguration(
name="private",
cidr_mask=26,
reserved=False,
subnet_type=aws_ec2.SubnetType.ISOLATED)
])
self.transitGw = aws_ec2.CfnTransitGateway(
self,
"DefaultTransitGw",
default_route_table_association="disable",
)
self.tgAttachmentPrivate = aws_ec2.CfnTransitGatewayAttachment(
self,
"DefaultTGAttachment",
transit_gateway_id=self.transitGw.ref,
vpc_id=self.defaultVpc.vpc_id,
subnet_ids=[
self.defaultVpc.private_subnets[0].subnet_id,
self.defaultVpc.private_subnets[1].subnet_id
],
tags=None)
self.tgAttachmentPrivate.add_depends_on(self.transitGw)
self.tgAttachmentEks = aws_ec2.CfnTransitGatewayAttachment(
self,
"EksTGAttachment",
transit_gateway_id=self.transitGw.ref,
vpc_id=self.eksVpc.vpc_id,
subnet_ids=[
self.eksVpc.isolated_subnets[0].subnet_id,
self.eksVpc.isolated_subnets[1].subnet_id
],
tags=None)
self.tgAttachmentEks.add_depends_on(self.transitGw)
isolatedSubnetRoutes = core.Construct(self, 'Isolated Subnet Routes')
for (i, subnet) in enumerate(self.eksVpc.isolated_subnets):
aws_ec2.CfnRoute(
isolatedSubnetRoutes,
id=f"Default Route EKS {i}",
route_table_id=subnet.route_table.route_table_id,
destination_cidr_block="0.0.0.0/0",
transit_gateway_id=self.transitGw.ref).add_depends_on(
self.tgAttachmentEks)
privateSubnetRoutes = core.Construct(self, 'Private Subnet Routes')
for (i, subnet) in enumerate(self.defaultVpc.private_subnets):
aws_ec2.CfnRoute(
privateSubnetRoutes,
id=f"Eks route defalt {i}",
route_table_id=subnet.route_table.route_table_id,
destination_cidr_block=self.eksVpc.vpc_cidr_block,
transit_gateway_id=self.transitGw.ref).add_depends_on(
self.tgAttachmentEks)
publicSubnetRoutes = core.Construct(self, 'Public Subnet Routes')
for (i, subnet) in enumerate(self.defaultVpc.public_subnets):
aws_ec2.CfnRoute(
publicSubnetRoutes,
id=f"Eks route defalt {i}",
route_table_id=subnet.route_table.route_table_id,
destination_cidr_block=self.eksVpc.vpc_cidr_block,
transit_gateway_id=self.transitGw.ref).add_depends_on(
self.tgAttachmentEks)
self.transitGwRT = aws_ec2.CfnTransitGatewayRouteTable(
self,
'transitGw Route Table',
transit_gateway_id=self.transitGw.ref,
tags=None)
self.transitGwRoute = aws_ec2.CfnTransitGatewayRoute(
self,
'transitGW Route',
transit_gateway_route_table_id=self.transitGwRT.ref,
destination_cidr_block='0.0.0.0/0',
transit_gateway_attachment_id=self.tgAttachmentPrivate.ref)
self.TGRouteTableAssociationDefaultVPC = aws_ec2.CfnTransitGatewayRouteTableAssociation(
self,
'DefaultVPC Association',
transit_gateway_attachment_id=self.tgAttachmentPrivate.ref,
transit_gateway_route_table_id=self.transitGwRoute.
transit_gateway_route_table_id)
self.TGRouteTablePropagationDefaultVPC = aws_ec2.CfnTransitGatewayRouteTablePropagation(
self,
'DefaultVPC Propagation',
transit_gateway_attachment_id=self.tgAttachmentPrivate.ref,
transit_gateway_route_table_id=self.transitGwRoute.
transit_gateway_route_table_id)
self.TGRouteTableAssociationEksVPC = aws_ec2.CfnTransitGatewayRouteTableAssociation(
self,
'EksVPC Association',
transit_gateway_attachment_id=self.tgAttachmentEks.ref,
transit_gateway_route_table_id=self.transitGwRoute.
transit_gateway_route_table_id)
self.TGRouteTablePropagationEksVPC = aws_ec2.CfnTransitGatewayRouteTablePropagation(
self,
'EksVPC Propagation',
transit_gateway_attachment_id=self.tgAttachmentEks.ref,
transit_gateway_route_table_id=self.transitGwRoute.
transit_gateway_route_table_id)
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
vpc = _ec2.Vpc.from_lookup(self, "my_vpc", is_default=True)
self.nat_vpc = _ec2.Vpc(
self,
id="nat_vpc",
cidr="10.77.4.0/24",
enable_dns_hostnames=True,
enable_dns_support=True,
max_azs=1,
nat_gateways=1,
subnet_configuration=[
_ec2.SubnetConfiguration(cidr_mask=25,
name='nat-public',
subnet_type=_ec2.SubnetType.PUBLIC),
_ec2.SubnetConfiguration(cidr_mask=25,
name='nat-private',
subnet_type=_ec2.SubnetType.PRIVATE)
])
self.app_vpc = _ec2.Vpc(
self,
id="app_vpc",
cidr="10.77.5.0/24",
enable_dns_hostnames=True,
enable_dns_support=True,
max_azs=1,
nat_gateways=0,
subnet_configuration=[
_ec2.SubnetConfiguration(cidr_mask=25,
name='app-public1',
subnet_type=_ec2.SubnetType.PUBLIC),
_ec2.SubnetConfiguration(cidr_mask=25,
name='app-private1',
subnet_type=_ec2.SubnetType.ISOLATED)
])
self.tgw = _ec2.CfnTransitGateway(
self,
id='tgw-test',
amazon_side_asn=65520,
auto_accept_shared_attachments="enable",
default_route_table_association="enable",
default_route_table_propagation="enable",
tags=[core.CfnTag(key='Name', value='TGW-PoC')])
self.tgw_nat_attachment = _ec2.CfnTransitGatewayAttachment(
self,
id="tgw-natvpc",
transit_gateway_id=self.tgw.ref,
vpc_id=self.nat_vpc.vpc_id,
subnet_ids=[
subnet.subnet_id for subnet in self.nat_vpc.private_subnets
],
tags=[core.CfnTag(key='Name', value='TGW-Nat-Attachment')])
self.tgw_app_attachment = _ec2.CfnTransitGatewayAttachment(
self,
id="tgw-appvpc",
transit_gateway_id=self.tgw.ref,
vpc_id=self.app_vpc.vpc_id,
subnet_ids=[
subnet.subnet_id for subnet in self.app_vpc.isolated_subnets
],
tags=[core.CfnTag(key='Name', value='TGW-App-Attachment')])
def __init__(self, scope: core.Construct, id: str, cidr_range: str,
tgw_asn: int, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
# VPC Creation
self.vpc = ec2.Vpc(
self,
f"{kwargs['env']['region']}-vpc",
max_azs=1,
cidr=cidr_range,
# configuration will create 1 subnet in a single AZ.
subnet_configuration=[
ec2.SubnetConfiguration(subnet_type=ec2.SubnetType.ISOLATED,
name="Isolated",
cidr_mask=25)
])
# Transit Gateway creation
self.tgw = ec2.CfnTransitGateway(
self,
id=f"TGW-{kwargs['env']['region']}",
amazon_side_asn=tgw_asn,
auto_accept_shared_attachments="enable",
default_route_table_association="enable",
default_route_table_propagation="enable",
tags=[
core.CfnTag(key='Name', value=f"tgw-{kwargs['env']['region']}")
])
# Transit Gateway attachment to the VPC
self.tgw_attachment = ec2.CfnTransitGatewayAttachment(
self,
id=f"tgw-vpc-{kwargs['env']['region']}",
transit_gateway_id=self.tgw.ref,
vpc_id=self.vpc.vpc_id,
subnet_ids=[
subnet.subnet_id for subnet in self.vpc.isolated_subnets
],
tags=[
core.CfnTag(key='Name',
value=f"tgw-{self.vpc.vpc_id}-attachment")
])
# VPC Endpoint creation for SSM (3 Endpoints needed)
ec2.InterfaceVpcEndpoint(
self,
"VPCe - SSM",
service=ec2.InterfaceVpcEndpointService(
core.Fn.sub("com.amazonaws.${AWS::Region}.ssm")),
private_dns_enabled=True,
vpc=self.vpc,
)
ec2.InterfaceVpcEndpoint(
self,
"VPCe - EC2 Messages",
service=ec2.InterfaceVpcEndpointService(
core.Fn.sub("com.amazonaws.${AWS::Region}.ec2messages")),
private_dns_enabled=True,
vpc=self.vpc,
)
ec2.InterfaceVpcEndpoint(
self,
"VPCe - SSM Messages",
service=ec2.InterfaceVpcEndpointService(
core.Fn.sub("com.amazonaws.${AWS::Region}.ssmmessages")),
private_dns_enabled=True,
vpc=self.vpc,
)
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
security_vpc = ec2.Vpc(
self,
"SecurityVPC",
cidr="10.0.0.0/16",
nat_gateways=0,
max_azs=2,
subnet_configuration=[
ec2.SubnetConfiguration(cidr_mask=24,
name="untrust",
subnet_type=ec2.SubnetType.PUBLIC),
ec2.SubnetConfiguration(cidr_mask=24,
name="trust",
subnet_type=ec2.SubnetType.ISOLATED),
ec2.SubnetConfiguration(cidr_mask=28,
name="transit",
subnet_type=ec2.SubnetType.ISOLATED),
ec2.SubnetConfiguration(cidr_mask=28,
name='fw_mgmt',
subnet_type=ec2.SubnetType.ISOLATED)
])
#Expose subnets for child stacks
# self.subnets = {
# 'fw_mgmt': security_vpc.select_subnets(subnet_group_name="fw_mgmt"),
# 'untrust': security_vpc.select_subnets(subnet_group_name='untrust'),
# 'trust': security_vpc.select_subnets(subnet_group_name='trust')
# }
security_vpc.add_gateway_endpoint(
"S3GW", service=ec2.GatewayVpcEndpointAwsService.S3)
management_vpc = ec2.Vpc(self,
"ManagmentVPC",
cidr="10.255.0.0/16",
max_azs=1,
subnet_configuration=[
ec2.SubnetConfiguration(
cidr_mask=24,
name="Management",
subnet_type=ec2.SubnetType.PUBLIC)
])
management_host = ec2.Instance(
self,
"ManagementHost",
instance_type=ec2.InstanceType("t2.micro"),
vpc=management_vpc,
machine_image=ec2.MachineImage.latest_windows(
ec2.WindowsVersion("WINDOWS_SERVER_2019_ENGLISH_FULL_BASE")),
key_name='joeycoak-alz-network-us-east-1',
)
# rdp = ec2.Port(
# protocol=ec2.Protocol("TCP"),
# string_representation="RDP",
# to_port=3389,
# from_port=3389
# )
management_host.connections.allow_from_any_ipv4(
ec2.Port.tcp(3389), "Allow RDP Inbound")
interface_endpoint_services = ("ec2", "ssm", "secretsmanager")
for endpoint_service in interface_endpoint_services:
security_vpc.add_interface_endpoint(
"{}-Endpoint".format(endpoint_service),
service=ec2.InterfaceVpcEndpointService(
"com.amazonaws.{region}.{endpoint_service}".format(
region=self.region,
endpoint_service=endpoint_service)),
subnets=ec2.SubnetSelection(subnet_group_name="fw_mgmt"))
ec2.CfnTransitGateway(self,
"MyCdkTgw",
default_route_table_propagation="disable",
default_route_table_association="disable")