def __init__(self, scope: cdk.Construct, construct_id: str, **kwargs) -> None: super().__init__(scope, construct_id, **kwargs) vpc = ec2.Vpc( self, "vpc", cidr="10.24.0.0/16", max_azs=2, subnet_configuration=[ ec2.SubnetConfiguration(name="public", cidr_mask=20, subnet_type=ec2.SubnetType.PUBLIC), ec2.SubnetConfiguration(name="private", cidr_mask=20, subnet_type=ec2.SubnetType.PRIVATE) ]) core.Tag.add(scope=vpc, key='Name', value='newCDKVPC') # create a new security group sec_group = ec2.SecurityGroup(self, "sec-group-allow-http", vpc=vpc, allow_all_outbound=True) # add a new ingress rule to allow port 8080 to internal hosts sec_group.add_ingress_rule(peer=ec2.Peer.ipv4('0.0.0.0/0'), description="Allow HTTP connection", connection=ec2.Port.tcp(8080)) # define a new ec2 instance ec2_instance = ec2.Instance( self, "ec2-instance", instance_name=instanceName, instance_type=ec2.InstanceType(instanceType), machine_image=ec2.MachineImage().lookup(name=amiName), vpc=vpc, availability_zone="eu-central-1b", security_group=sec_group, user_data=user_data)
def __init__(self, scope: core.Construct, id: str, vpc: ec2.IVpc, db_instance_class: str, **kwargs) -> None: super().__init__(scope, id, **kwargs) stack = core.Stack.of(self) # TODO: find a way to add role to cluster role = iam.Role( self, 'NeptuneRole', assumed_by=iam.ServicePrincipal('rds.amazonaws.com'), ) sg = ec2.SecurityGroup( self, 'SecurityGroup', vpc=vpc, ) subnet_group = neptune.CfnDBSubnetGroup( self, 'SubnetGroup', db_subnet_group_name='{}-subnet-group'.format( stack.stack_name.lower()), db_subnet_group_description='Private subnets', subnet_ids=[subnet.subnet_id for subnet in vpc.private_subnets]) cluster = neptune.CfnDBCluster( self, 'Cluster', db_subnet_group_name=subnet_group.ref, vpc_security_group_ids=[sg.security_group_id]) neptune.CfnDBInstance( self, 'Instance', db_cluster_identifier=cluster.ref, db_instance_class=db_instance_class, ) self.endpoint = cluster.attr_endpoint self.role = role self.security_group = sg
def __init__(self, scope: core.Construct, id: str, vpc: ec2.IVpc, **kwargs) -> None: super().__init__(scope, id, **kwargs) self.security_group = ec2.SecurityGroup( self, 'EndpointSecurity', vpc=vpc, allow_all_outbound=True, description='SG for AWS Resources in isolated subnet') self.security_group.add_ingress_rule( peer=ec2.Peer.any_ipv4(), connection=ec2.Port(protocol=ec2.Protocol.ALL, string_representation='Any source')) self.gateways = {} for svc in ['s3', 'dynamodb']: self.gateways[svc] = ec2.GatewayVpcEndpoint( self, svc, vpc=vpc, service=ec2.GatewayVpcEndpointAwsService(name=svc)) self.interfaces = {} for svc in [ 'ssm', 'ec2messages', 'ec2', 'ssmmessages', 'kms', 'elasticloadbalancing', 'elasticfilesystem', 'lambda', 'states', 'events', 'execute-api', 'kinesis-streams', 'kinesis-firehose', 'logs', 'sns', 'sqs', 'secretsmanager', 'config', 'ecr.api', 'ecr.dkr' ]: self.interfaces[svc] = ec2.InterfaceVpcEndpoint( self, svc, vpc=vpc, service=ec2.InterfaceVpcEndpointAwsService(name=svc), open=True, private_dns_enabled=True, lookup_supported_azs=False, security_groups=[self.security_group])
def __init__(self, scope: core.Construct, construct_id: str, vpc: ec2.Vpc, role: iam_.Role, subnet: ec2.PrivateSubnet, **kwargs) -> None: super().__init__(scope, construct_id, **kwargs) self.security_group = ec2.SecurityGroup(self, "WorkshopGroup", vpc=vpc) instance_id = "Workshop" sm.CfnNotebookInstance( self, instance_id, instance_type='ml.t2.medium', volume_size_in_gb=20, security_group_ids=[self.security_group.security_group_id], subnet_id=subnet.subnet_id, notebook_instance_name=instance_id, role_arn=role.role_arn, direct_internet_access='Enabled', root_access='Enabled', default_code_repository= "https://github.com/NASA-IMPACT/workshop_notebooks")
def __init__(self, scope: core.Construct, id: str, props, **kwargs) -> None: super().__init__(scope, id, **kwargs) elasticfilestore = efs.CfnFileSystem( self, "efs-storage", encrypted=False, lifecycle_policies=None ) sg_efs = ec2.SecurityGroup( self, id="sg_efs", vpc=props['vpc'], security_group_name="sg_efs" ) sg_efs.add_ingress_rule( peer=ec2.Peer.ipv4("10.0.0.0/16"), connection=ec2.Port.tcp(2049) )
def _add_security_groups(self, vpc: ec2.Vpc) -> ec2.SecurityGroup: """ Add security group to the stack :param vpc: VPC of security group """ security_group = ec2.SecurityGroup( self, 'zach-security-group', vpc=vpc, description="Allow access to zach instance", allow_all_outbound=True) security_group.add_ingress_rule(ec2.Peer.any_ipv4(), ec2.Port.tcp(9622), 'allow ssh access from the world') security_group.add_ingress_rule(ec2.Peer.any_ipv4(), ec2.Port.udp(500), 'for IKE, to manage encryption keys') security_group.add_ingress_rule(ec2.Peer.any_ipv4(), ec2.Port.udp(4500), 'for IPSEC NAT-Traversal mode') return security_group
def __init__(self, scope: core.Construct, common_stack: CommonResourcesStack, **kwargs): self.deploy_env = active_environment self.common_stack = common_stack # Security Group self.dms_sg = ec2.SecurityGroup( scope=scope, id=f"dms-{self.deploy_env.value}-sg", vpc=self.common_stack.custom_vpc, security_group_name=f"dms-{self.deploy_env.value}-sg", ) # Subnet Group self.dms_subnet_group = dms.CfnReplicationSubnetGroup( scope=scope, id=f"dms-{self.deploy_env.value}-replication-subnet", replication_subnet_group_description= "dms replication instance subnet group", subnet_ids=[ subnet.subnet_id for subnet in self.common_stack.custom_vpc. public_subnets # use public subnet to avoid costs ], replication_subnet_group_identifier= f"dms-{self.deploy_env.value}-replication-subnet", ) # Replication Instance self.instance = dms.CfnReplicationInstance( scope=scope, id=f"dms-{self.deploy_env.value}-replication-instance", allocated_storage=100, publicly_accessible=False, engine_version="3.4.4", replication_instance_class="dms.t2.small", replication_instance_identifier= f"dms-{self.deploy_env.value}-replication-instance", vpc_security_group_ids=[self.dms_sg.security_group_id], replication_subnet_group_identifier=self.dms_subnet_group. replication_subnet_group_identifier, ) self.instance.node.add_dependency(self.dms_sg) self.instance.node.add_dependency(self.dms_subnet_group)
def __init__(self, scope: core.Construct, environment: Environment, **kwargs) -> None: self.env = environment.value super().__init__(scope, id=f'{self.env}-common', **kwargs) self.custom_vpc = ec2.Vpc(self, f'vpc-{self.env}') self.orders_rds_sg = ec2.SecurityGroup( self, f'orders-{self.env}-sg', vpc=self.custom_vpc, allow_all_outbound=True, security_group_name=f'orders-{self.env}-sg', ) self.orders_rds_sg.add_ingress_rule( peer=ec2.Peer.ipv4('37.156.75.55/32'), connection=ec2.Port.tcp(5432)) for subnet in self.custom_vpc.private_subnets: self.orders_rds_sg.add_ingress_rule(peer=ec2.Peer.ipv4( subnet.ipv4_cidr_block), connection=ec2.Port.tcp(5432)) self.orders_rds = rds.DatabaseInstance( self, f'orders-{self.env}-rds', engine=rds.DatabaseInstanceEngine.POSTGRES, database_name='orders', instance_type=ec2.InstanceType('t3.micro'), vpc=self.custom_vpc, instance_identifier=f'rds-{self.env}-orders-db', port=5432, subnet_group=rds.SubnetGroup( self, f'rds-{self.env}-replication-subnet', description='place RDS on private subnet', vpc=self.custom_vpc), security_groups=[self.orders_rds_sg], removal_policy=core.RemovalPolicy.DESTROY, **kwargs)
def create_redis_cache(scope: core.Construct, stack_name: str, vpc: IVpc, config: StackConfig): subnet_ids = vpc.select_subnets( subnet_type=ec2.SubnetType.PRIVATE).subnet_ids cache_subnet_group = elasticache.CfnSubnetGroup( scope, 'cacheSubnetGroup', cache_subnet_group_name=f'{stack_name}-redis', description=stack_name, subnet_ids=subnet_ids, ) cache_security_group = ec2.SecurityGroup( scope, 'cacheSecurityGroup', vpc=vpc, allow_all_outbound=True, security_group_name=f'{stack_name}-redis', description=stack_name, ) cache = elasticache.CfnCacheCluster( scope, 'elasticache', cluster_name=stack_name, engine='redis', port=6379, cache_node_type=config.cache_node_type, num_cache_nodes=config.num_cache_nodes, cache_subnet_group_name=cache_subnet_group.cache_subnet_group_name, vpc_security_group_ids=[cache_security_group.security_group_id], ) cache_security_group.add_ingress_rule(ec2.Peer.any_ipv4(), ec2.Port.tcp(6379), 'Allow Cache Access') core.CfnOutput(scope=scope, id='redisAddress', value=cache.attr_redis_endpoint_address) return cache
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: super().__init__(scope, id, **kwargs) public_subnet = _ec2.SubnetConfiguration( name="publicSubnet", cidr_mask=24, subnet_type=_ec2.SubnetType.PUBLIC ) private_subnet = _ec2.SubnetConfiguration( name="privateSubnet", cidr_mask=24, subnet_type=_ec2.SubnetType.PRIVATE ) db_subnet = _ec2.SubnetConfiguration( name="dbSubnet", cidr_mask=24, subnet_type=_ec2.SubnetType.ISOLATED ) self.vpc = _ec2.Vpc( self, "Vpc", cidr="10.0.0.0/16", subnet_configuration=[public_subnet, private_subnet, db_subnet], max_azs=3, nat_gateways=1 ) self.vpc.sg = _ec2.SecurityGroup( self, "vpcSg", vpc=self.vpc ) self.vpc.sg.add_ingress_rule(self.vpc.sg, _ec2.Port.tcp(6379)) #Redis self.vpc.sg.add_ingress_rule(self.vpc.sg, _ec2.Port.tcp(3306)) #Aurora MySQL core.CfnOutput(self, "outputVpc", value=self.vpc.vpc_id)
def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None: super().__init__(scope, construct_id, **kwargs) # The code that defines your stack goes here vpc_name = self.node.try_get_context("vpc_name") vpc = aws_ec2.Vpc.from_lookup( self, "EC2InstanceVPC", is_default= True, # set is_default=False if you want to find your own VPC vpc_name=vpc_name) sg_ssh_access = aws_ec2.SecurityGroup( self, "BastionHostSG", vpc=vpc, allow_all_outbound=True, description='security group for bastion host', security_group_name='bastion-host-sg') cdk.Tags.of(sg_ssh_access).add('Name', 'bastion-host') sg_ssh_access.add_ingress_rule(peer=aws_ec2.Peer.any_ipv4(), connection=aws_ec2.Port.tcp(22), description='ssh access') bastion_host = aws_ec2.BastionHostLinux( self, "BastionHost", vpc=vpc, instance_type=aws_ec2.InstanceType('t3.nano'), security_group=sg_ssh_access, subnet_selection=aws_ec2.SubnetSelection( subnet_type=aws_ec2.SubnetType.PUBLIC)) cdk.CfnOutput(self, 'BastionHostId', value=bastion_host.instance_id, export_name='BastionHostId') cdk.CfnOutput(self, 'BastionHostPublicDNSName', value=bastion_host.instance_public_dns_name, export_name='BastionHostPublicDNSName')
def __configure_neptune(self)->None: self.subnet_group = n.CfnDBSubnetGroup(self,'SubnetGroup', db_subnet_group_description='MarketGraph Subnet', db_subnet_group_name='marketgraph-subnetgroup', subnet_ids= [net.subnet_id for net in self.vpc._select_subnet_objects(subnet_group_name='MarketGraph')]) self.security_group = ec2.SecurityGroup(self,'SecGroup', vpc=self.vpc, allow_all_outbound=True, description='Security group for MarketGraph feature') self.security_group.add_ingress_rule( peer=ec2.Peer.any_ipv4(), connection=ec2.Port( protocol=ec2.Protocol.TCP, string_representation='Neptune', from_port=8182, to_port=8182)) self.neptune_cluster = n.CfnDBCluster( self,'NeptuneCluster', db_subnet_group_name=self.subnet_group.db_subnet_group_name, deletion_protection=False, iam_auth_enabled=False, storage_encrypted=True, db_cluster_identifier='marketgraph', vpc_security_group_ids=[self.security_group.security_group_id]) counter=0 for net in self.vpc._select_subnet_objects(subnet_group_name='MarketGraph'): az_name = net.availability_zone counter+=1 neptune_instance = n.CfnDBInstance( self,'NeptuneInstance-'+str(counter), availability_zone=az_name, db_instance_identifier='marketgraph-instance-'+str(counter), db_instance_class='db.t3.medium', allow_major_version_upgrade=False, auto_minor_version_upgrade=True, db_cluster_identifier=self.neptune_cluster.db_cluster_identifier, db_subnet_group_name=self.subnet_group.db_subnet_group_name) neptune_instance.node.add_dependency(self.neptune_cluster)
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: super().__init__(scope, id, **kwargs) vpc = ec2.Vpc(self, 'vpc1') bucket_name = 'my-cdk-bucket' s3.Bucket(self, bucket_name, bucket_name=bucket_name, access_control=s3.BucketAccessControl.PUBLIC_READ_WRITE, removal_policy=RemovalPolicy.DESTROY) ec2.Volume(self, 'vol1', availability_zone='us-east-1a', size=core.Size.gibibytes(8)) sg = ec2.SecurityGroup(self, 'sg1', vpc=vpc) sg.add_ingress_rule(Peer.any_ipv4(), Port.tcp(22)) kms.Key(self, 'kms1')
def __init__(self, scope: core.Construct, id: str, vpc: aws_ec2.Vpc, **kwargs) -> None: super().__init__(scope, id, **kwargs) aws_ec2.SecurityGroup(self, 'dms-securitygroup', vpc=vpc) _subnets = [] _subnets.append( aws_ec2.Subnet(self, 'sbn-dms-1', availability_zone=vpc.availability_zones[0], vpc_id=vpc.vpc_id, cidr_block='10.0.3.0/25').subnet_id) _subnets.append( aws_ec2.Subnet(self, 'sbn-dms-2', availability_zone=vpc.availability_zones[1], vpc_id=vpc.vpc_id, cidr_block='10.0.3.128/25').subnet_id) _subnet_group_id = 'deta-pipeline-dms-subnet' dms.CfnReplicationSubnetGroup( self, 'dms-subnet-group', replication_subnet_group_description='subnet group for dms', subnet_ids=_subnets, replication_subnet_group_identifier=_subnet_group_id) dms.CfnReplicationInstance( self, 'dms-demo', replication_instance_class='dms.t3.medium', allocated_storage=50, allow_major_version_upgrade=False, auto_minor_version_upgrade=False, publicly_accessible=False, multi_az=False, replication_subnet_group_identifier=_subnet_group_id)
def __init__(self, scope: core.Construct, id: str, vpc,KeyPairName,ec2_type, **kwargs) -> None: super().__init__(scope, id, **kwargs) # Create SQL instances azs = vpc.availability_zones self.sql_sg = ec2.SecurityGroup(self, 'SQL-Security-Group',vpc=vpc,allow_all_outbound=True,description='SQL-Security-Group-Nodes',security_group_name='sql-sg-'+id) self.role = iam.Role(self, 'ec2-sql-role',assumed_by=iam.ServicePrincipal('ec2.amazonaws.com')) #Grant permission to access the MAD secret self.role.add_managed_policy(policy=iam.ManagedPolicy.from_aws_managed_policy_name('SecretsManagerReadWrite')) self.node1 = ec2.Instance(self, "SQL Node1", instance_type=ec2.InstanceType(instance_type_identifier=ec2_type), machine_image=windows_ami, vpc=vpc, key_name=KeyPairName, user_data=ec2.UserData.custom(user_data), availability_zone=azs[0], role=self.role, vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE,one_per_az=True), security_group=self.sql_sg ) self.node2 = ec2.Instance(self, "SQL Node2", instance_type=ec2.InstanceType(instance_type_identifier=ec2_type), machine_image=windows_ami, vpc=vpc, key_name=KeyPairName, user_data=ec2.UserData.custom(user_data), availability_zone=azs[1], role=self.role, vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE,one_per_az=True), security_group=self.sql_sg ) # Open Security group - change to a reference self.sql_sg.add_ingress_rule(peer=ec2.Peer.ipv4('10.0.0.0/8'),connection=ec2.Port.all_traffic(),description='Allow traffic between SQL nodes + VPC') core.CfnOutput(self, "node1",value=self.node1.instance_private_ip) core.CfnOutput(self, "node2",value=self.node2.instance_private_ip)
def cluster_creation(self, name_extension, conf, stage): # Creating ECS Cluster in the VPC created above conf_global = conf["global"]["project"] self.ecs_cluster = _ecs.Cluster( self, name_extension+"-ecs-cluster", cluster_name=f"{conf_global}_{stage}", vpc=self.vpc ) # Adding service discovery namespace to cluster self.ecs_cluster.add_default_cloud_map_namespace( name=name_extension, ) # Namespace details as CFN output self.namespace_outputs = { 'ARN': self.ecs_cluster.default_cloud_map_namespace.private_dns_namespace_arn, 'NAME': self.ecs_cluster.default_cloud_map_namespace.private_dns_namespace_name, 'ID': self.ecs_cluster.default_cloud_map_namespace.private_dns_namespace_id, } # Cluster Attributes self.cluster_outputs = { 'NAME': self.ecs_cluster.cluster_name, 'ARN': self.ecs_cluster.cluster_arn, 'SECGRPS': str(self.ecs_cluster.connections.security_groups) } self.services_sg = _ec2.SecurityGroup( self, name_extension+"-ecs-cluster-services-sg", allow_all_outbound=True, description="Security group ECS {} services".format(name_extension), vpc=self.vpc ) self.services_sg.add_ingress_rule(_ec2.Peer.ipv4("0.0.0.0/0"), _ec2.Port.tcp(80), "allow http access from anywhere") self.objects_list.append(self.ecs_cluster) self.objects_list.append(self.services_sg)
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: super().__init__(scope, id, **kwargs) # The code that defines your stack goes here private_subnet1 = ec2.SubnetConfiguration( cidr_mask=24, name='PrivateSubnet1', subnet_type=ec2.SubnetType.PRIVATE) private_subnet2 = ec2.SubnetConfiguration( cidr_mask=24, name='PrivateSubnet2', subnet_type=ec2.SubnetType.PRIVATE) public_subnet1 = ec2.SubnetConfiguration( cidr_mask=25, name='PublicSubnet1', subnet_type=ec2.SubnetType.PUBLIC) public_subnet2 = ec2.SubnetConfiguration( cidr_mask=25, name='PublicSubnet2', subnet_type=ec2.SubnetType.PUBLIC) vpc = ec2.Vpc(self, 'TestVPC', cidr='10.100.0.0/16', subnet_configuration=[ private_subnet1, public_subnet1, private_subnet2, public_subnet2 ]) bastion_ssh_sg = ec2.SecurityGroup(self, 'SSHBastion_SecurityGroup', vpc=vpc, security_group_name='Bastion_SSH') bastion_host = ec2.BastionHostLinux(self, 'Bastion-1', vpc=vpc)
def __init__(self, scope: core.Construct, id: str, vpc: ec2.IVpc, instances: list, certificate_arn: str, **kwargs): super().__init__(scope, id, **kwargs) health_check = elbv2.HealthCheck(path="/", healthy_http_codes="200-399") public_target_group = elbv2.ApplicationTargetGroup( self, "PublicTG", port=8080, vpc=vpc, health_check=health_check) for instance in instances: public_target_group.add_target( elbv2.InstanceTarget(instance.instance_id, port=8080)) self._public_security_group = ec2.SecurityGroup(self, "PublicLBSG", vpc=vpc) self._public_security_group.add_ingress_rule(ec2.Peer.any_ipv4(), ec2.Port.tcp(443)) self._public_lb = elbv2.ApplicationLoadBalancer( self, "PublicLB", vpc=vpc, vpc_subnets=ec2.SubnetSelection(subnets=vpc.select_subnets( subnet_type=ec2.SubnetType.PUBLIC).subnets), internet_facing=True, security_group=self._public_security_group) self._public_lb.add_listener( "PublicLBListener", certificates=[elbv2.ListenerCertificate(certificate_arn)], port=443, default_target_groups=[public_target_group]) core.CfnOutput(self, "CloudIDE URL", value="https://{}".format( self._public_lb.load_balancer_dns_name))
def __init__(self, scope: core.Construct, id: str, region: str, vpc: str, ec2_instance_type: str, ami_id: str, ssh_key: str, max_spot_price: str, ssh_allow_ip_range: str, asg_size: str, stack_name: str, **kwargs) -> None: super().__init__(scope, id, **kwargs) self.asg = autoscaling.AutoScalingGroup(self, f"{stack_name}-asg", instance_type=ec2.InstanceType(ec2_instance_type), machine_image=ec2.MachineImage.generic_linux(ami_map={region: ami_id} ), vpc=vpc, key_name=ssh_key, vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PUBLIC), allow_all_outbound=True, associate_public_ip_address=True, min_capacity=asg_size, max_capacity=asg_size, spot_price=max_spot_price ) sg_ssh_in = ec2.SecurityGroup(self, "allow-ssh", vpc=vpc, allow_all_outbound=True) sg_ssh_in.add_ingress_rule(ec2.Peer.ipv4(ssh_allow_ip_range), ec2.Port.tcp(22) ) self.asg.add_security_group(sg_ssh_in)
def __init__(self, scope: core.Construct, id: str, vpc: ec2.Vpc, **kwargs) -> None: super().__init__(scope, id, **kwargs) self.vpc = vpc userdata = '''#!/bin/sh yum install httpd -y systemctl enable httpd systemctl start httpd echo "<html><head><title> Example Web Server</title></head>" > /var/www/html/index.html echo "<body>" >> /var/www/html/index.html echo "<div><center><h2>Welcome AWS $(hostname -f) </h2>" >> /var/www/html/index.html echo "<hr/>" >> /var/www/html/index.html curl http://169.254.169.254/latest/meta-data/instance-id >> /var/www/html/index.html echo "</center></div></body></html>" >> /var/www/html/index.html''' websrv = ec2.UserData.for_linux() websrv.add_commands(userdata) asg = autoscaling.AutoScalingGroup( self, "WebAsg", instance_type=ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.MICRO), machine_image=ec2.AmazonLinuxImage(), vpc=vpc, vpc_subnets=ec2.SubnetSelection(subnet_group_name="Private"), min_capacity=1, max_capacity=1, user_data=websrv) alb = elbv2.ApplicationLoadBalancer( self, "WebLb", vpc=vpc, internet_facing=True, vpc_subnets=ec2.SubnetSelection(subnet_group_name="Public")) listener = alb.add_listener("WebListener", port=80) listener.add_targets("Target", port=80, targets=[asg]) self.webserver_sg = ec2.SecurityGroup(self, "WebServerSg", vpc=vpc) asg.add_security_group(self.webserver_sg)
def generate_rds_security_group(scope, vpc: ec2.Vpc, beanstalk_app_sg: ec2.SecurityGroup): sg = ec2.SecurityGroup( scope=scope, id="JVSANTOSRDSSG", description="RDS MySQL Security Group", security_group_name="JVSANTOSRDSSG", vpc=vpc, allow_all_outbound=False ) sg.add_ingress_rule( description="Allow MySQL from app", peer=beanstalk_app_sg, connection=ec2.Port.tcp(3306) ) sg.add_egress_rule( description="Outbound Rule for VPC", peer=beanstalk_app_sg, connection=ec2.Port.tcp_range(start_port=1024, end_port=65535), ) return sg
def get_security_group(self, ec2_params): security_group = None if 'security_group' in ec2_params: security_group = ec2_params['security_group'] else: if 'security_group_id' in ec2_params and ec2_params[ 'security_group_id']: security_group = ec2.SecurityGroup.from_security_group_id( self, "SecurityGroup", security_group_id=ec2_params['security_group_id'], mutable=False) else: security_group = ec2.SecurityGroup(self, "SecurityGroup", vpc=ec2_params['vpc']) security_group.add_ingress_rule( peer=ec2.Peer.any_ipv4(), connection=ec2.Port(string_representation="sr", protocol=ec2.Protocol("UDP"), from_port=ec2_params['from_port'], to_port=ec2_params['to_port'])) return security_group
def build_efs_security_group( scope: core.Construct, context: "Context", team_name: str, vpc: ec2.IVpc, subnet_kind: "SubnetKind" ) -> ec2.SecurityGroup: name: str = f"orbit-{context.name}-{team_name}-efs-sg" sg = ec2.SecurityGroup( scope=scope, id=name, security_group_name=name, vpc=vpc, allow_all_outbound=True, ) subnets = ( context.networking.private_subnets + context.networking.public_subnets + context.networking.isolated_subnets ) for subnet in subnets: if subnet.kind is subnet_kind: sg.add_ingress_rule( peer=ec2.Peer.ipv4(cast(str, subnet.cidr_block)), connection=ec2.Port.tcp(port=2049), description=f"Allowing internal access from subnet {subnet.subnet_id}.", ) core.Tags.of(scope=sg).add(key="Name", value=name) return sg
def __init__(self, scope: core.Construct, id: str, main_vpc: object, main_sg: object, **kwargs) -> None: super().__init__(scope, id, **kwargs) db_engine = rds.DatabaseInstanceEngine.maria_db( version=rds.MariaDbEngineVersion.VER_10_4_8) db_instance = rds.DatabaseInstance( self, f"iais-prod-db", engine=db_engine, instance_type=ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.SMALL), vpc=main_vpc, vpc_subnets={"subnet_type": ec2.SubnetType.ISOLATED}) db_sg = ec2.SecurityGroup(self, f"iais-sg-db-{str}", vpc=main_vpc, allow_all_outbound=True, description="For DB access.") db_sg.add_ingress_rule(peer=main_sg, connection=ec2.Port.tcp(3306))
def __init__(self, scope: core.Construct, construct_id: str, vpc_cidr,max_azs,nat_gateways,cidr_mask,ingress_rule_sg,tcp_port, **kwargs) -> None: super().__init__(scope, construct_id, **kwargs) self.vpc = ec2.Vpc( self, "MyVpc", cidr=vpc_cidr, max_azs=max_azs, nat_gateways=nat_gateways, subnet_configuration=[ ec2.SubnetConfiguration(name="public", cidr_mask=cidr_mask, subnet_type=ec2.SubnetType.PUBLIC), ec2.SubnetConfiguration(name="private", cidr_mask=cidr_mask, subnet_type=ec2.SubnetType.ISOLATED) ] ) self.sg = ec2.SecurityGroup(self, "VPC-SG", vpc=self.vpc , allow_all_outbound=True , security_group_name='VPC-sg' ) self.sg.add_ingress_rule(ec2.Peer.ipv4(ingress_rule_sg), connection=ec2.Port.tcp(tcp_port), description='ingress') tag = core.Tags.of(self).add(key='Owner', value='Yasir-VPC') VPC_Output = core.CfnOutput(self, 'VPC_OUTPUT', value=self.vpc.vpc_id , description="VPC ID") SG_Output = core.CfnOutput(self, 'SG_ID_OUTPUT', value=self.sg.security_group_id , description="SG ID")
def __init__(self, scope: core.Stack, id=str, **kwargs): super().__init__(scope, id, **kwargs) # This resource alone will create a private/public subnet in each AZ as well as nat/internet gateway(s) self.vpc = aws_ec2.Vpc( self, "BaseVPC", cidr='10.0.0.0/24', enable_dns_support=True, enable_dns_hostnames=True, ) # Creating ECS Cluster in the VPC created above self.ecs_cluster = aws_ecs.Cluster(self, "ECSCluster", vpc=self.vpc) # Adding service discovery namespace to cluster self.ecs_cluster.add_default_cloud_map_namespace(name="service", ) # Frontend security group frontend service to backend services self.services_3000_sec_group = aws_ec2.SecurityGroup( self, "FrontendToBackendSecurityGroup", allow_all_outbound=True, description= "Security group for frontend service to talk to backend services", vpc=self.vpc) # Allow inbound 3000 from ALB to Frontend Service self.sec_grp_ingress_self_3000 = aws_ec2.CfnSecurityGroupIngress( self, "InboundSecGrp3000", ip_protocol='TCP', source_security_group_id=self.services_3000_sec_group. security_group_id, from_port=3000, to_port=3000, group_id=self.services_3000_sec_group.security_group_id)
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: super().__init__(scope, id, **kwargs) self.vpc = ec2.Vpc( self, id="VdbVPCCdk", cidr="172.15.0.0/21", enable_dns_support=True, max_azs=2, subnet_configuration=[ ec2.SubnetConfiguration(name="public-vdb-cdk-net", subnet_type=ec2.SubnetType.PUBLIC, cidr_mask=24), ec2.SubnetConfiguration(name="private-vdb-cdk-net", subnet_type=ec2.SubnetType.PRIVATE, cidr_mask=24) ]) self.vdb_security_group = ec2.SecurityGroup( self, id="VdbRdsCdkSecurityGroup", security_group_name="vdb-cdk-sg", vpc=self.vpc) self.vdb_security_group.add_ingress_rule( ec2.Peer.ipv4("172.15.0.0/24"), ec2.Port.tcp(5000), "allow access from the world") self.vdb_security_group.add_ingress_rule( ec2.Peer.ipv4("172.15.1.0/24"), ec2.Port.tcp(5000), "allow access from the world") self.vdb_security_group.add_ingress_rule( ec2.Peer.ipv4("172.15.2.0/24"), ec2.Port.tcp(5432), "allow internal access") self.vdb_security_group.add_ingress_rule( ec2.Peer.ipv4("172.15.3.0/24"), ec2.Port.tcp(5432), "allow internal access")
def create_redis(self, vpc: ec2.IVpc): selection = vpc.select_subnets(subnet_type=ec2.SubnetType.PUBLIC) redis_security_group = ec2.SecurityGroup(self, id='redis-security-group', vpc=vpc) redis_security_group.add_ingress_rule(ec2.Peer.any_ipv4(), ec2.Port.tcp(6379), "Incoming to Redis") redis_subnet_group = elasticache.CfnSubnetGroup( self, "RedisClusterPrivateSubnetGroup", cache_subnet_group_name="redis-subnet-group", description="Tubby Redis Subnet", subnet_ids=selection.subnet_ids) redis_parameter_group = elasticache.CfnParameterGroup( self, "RedisParameterGroup", description="Redis Params", cache_parameter_group_family="redis6.x", properties={}, ) redis = elasticache.CfnCacheCluster( self, "RedisCacheCluster", engine="redis", cache_node_type="cache.t2.micro", num_cache_nodes=1, cluster_name="startuptoolbag-redis", vpc_security_group_ids=[redis_security_group.security_group_id], cache_subnet_group_name=redis_subnet_group.cache_subnet_group_name, cache_parameter_group_name=redis_parameter_group.ref, ) return redis
def __init__(self, scope: core.Construct, common: Common, data_lake: DataLake, **kwargs) -> None: self.env = common.env super().__init__(scope, id=f'{self.env}-data-warehouse', **kwargs) self.redshift_sg = ec2.SecurityGroup( self, f'redshift-{self.env}-sg', vpc=common.custom_vpc, allow_all_outbound=True, security_group_name=f'redshift-{self.env}-sg', ) self.redshift_sg.add_ingress_rule( peer=ec2.Peer.ipv4('37.156.75.55/32'), connection=ec2.Port.tcp(5439)) for subnet in common.custom_vpc.private_subnets: self.redshift_sg.add_ingress_rule(peer=ec2.Peer.ipv4( subnet.ipv4_cidr_block), connection=ec2.Port.tcp(5439)) self.redshift_cluster = redshift.Cluster( self, f'belisco-{self.env}-redshift', cluster_name=f'belisco-{self.env}-redshift', vpc=common.custom_vpc, cluster_type=redshift.ClusterType.MULTI_NODE, node_type=redshift.NodeType.DC2_LARGE, default_database_name='dw', number_of_nodes=2, removal_policy=core.RemovalPolicy.DESTROY, master_user=redshift.Login(master_username='******'), publicly_accessible=True, roles=[SpectrumRole(self, data_lake)], security_groups=[self.redshift_sg], vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PUBLIC))
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: super().__init__(scope, id, **kwargs) cidr = '10.0.0.0/16' vpc = ec2.Vpc(self, id='cdk-test-vpc', cidr=cidr, max_azs=1) security_group = ec2.SecurityGroup( self, id='cdk-sg', vpc=vpc, security_group_name='cdk-sg', ) # what is peer security_group.add_ingress_rule( peer=ec2.Peer.ipv4(cidr), connection=ec2.Port.tcp(22), ) security_group.add_ingress_rule( peer=ec2.Peer.ipv4('0.0.0.0/0'), connection=ec2.Port.tcp(80), ) image_id = ec2.AmazonLinuxImage( generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2).get_image( self).image_id ec2.CfnInstance(self, id='cdk-instancd', availability_zone="ap-northeast-1a", image_id=image_id, instance_type="t2.small", security_group_ids=[security_group.security_group_id], subnet_id=vpc.private_subnets[0].subnet_id, tags=[{ "key": "Name", "value": "cdk-instance" }])