def __init__(self, scope: cdk.Construct, construct_id: str,
**kwargs) -> None:
super().__init__(scope, construct_id, **kwargs)
vpc = ec2.Vpc(
self,
"vpc",
cidr="10.24.0.0/16",
max_azs=2,
subnet_configuration=[
ec2.SubnetConfiguration(name="public",
cidr_mask=20,
subnet_type=ec2.SubnetType.PUBLIC),
ec2.SubnetConfiguration(name="private",
cidr_mask=20,
subnet_type=ec2.SubnetType.PRIVATE)
])
core.Tag.add(scope=vpc, key='Name', value='newCDKVPC')
# create a new security group
sec_group = ec2.SecurityGroup(self,
"sec-group-allow-http",
vpc=vpc,
allow_all_outbound=True)
# add a new ingress rule to allow port 8080 to internal hosts
sec_group.add_ingress_rule(peer=ec2.Peer.ipv4('0.0.0.0/0'),
description="Allow HTTP connection",
connection=ec2.Port.tcp(8080))
# define a new ec2 instance
ec2_instance = ec2.Instance(
self,
"ec2-instance",
instance_name=instanceName,
instance_type=ec2.InstanceType(instanceType),
machine_image=ec2.MachineImage().lookup(name=amiName),
vpc=vpc,
availability_zone="eu-central-1b",
security_group=sec_group,
user_data=user_data)
def __init__(self, scope: core.Construct, id: str, vpc: ec2.IVpc,
db_instance_class: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
stack = core.Stack.of(self)
# TODO: find a way to add role to cluster
role = iam.Role(
self,
'NeptuneRole',
assumed_by=iam.ServicePrincipal('rds.amazonaws.com'),
)
sg = ec2.SecurityGroup(
self,
'SecurityGroup',
vpc=vpc,
)
subnet_group = neptune.CfnDBSubnetGroup(
self,
'SubnetGroup',
db_subnet_group_name='{}-subnet-group'.format(
stack.stack_name.lower()),
db_subnet_group_description='Private subnets',
subnet_ids=[subnet.subnet_id for subnet in vpc.private_subnets])
cluster = neptune.CfnDBCluster(
self,
'Cluster',
db_subnet_group_name=subnet_group.ref,
vpc_security_group_ids=[sg.security_group_id])
neptune.CfnDBInstance(
self,
'Instance',
db_cluster_identifier=cluster.ref,
db_instance_class=db_instance_class,
)
self.endpoint = cluster.attr_endpoint
self.role = role
self.security_group = sg
def __init__(self, scope: core.Construct, id: str, vpc: ec2.IVpc,
**kwargs) -> None:
super().__init__(scope, id, **kwargs)
self.security_group = ec2.SecurityGroup(
self,
'EndpointSecurity',
vpc=vpc,
allow_all_outbound=True,
description='SG for AWS Resources in isolated subnet')
self.security_group.add_ingress_rule(
peer=ec2.Peer.any_ipv4(),
connection=ec2.Port(protocol=ec2.Protocol.ALL,
string_representation='Any source'))
self.gateways = {}
for svc in ['s3', 'dynamodb']:
self.gateways[svc] = ec2.GatewayVpcEndpoint(
self,
svc,
vpc=vpc,
service=ec2.GatewayVpcEndpointAwsService(name=svc))
self.interfaces = {}
for svc in [
'ssm', 'ec2messages', 'ec2', 'ssmmessages', 'kms',
'elasticloadbalancing', 'elasticfilesystem', 'lambda',
'states', 'events', 'execute-api', 'kinesis-streams',
'kinesis-firehose', 'logs', 'sns', 'sqs', 'secretsmanager',
'config', 'ecr.api', 'ecr.dkr'
]:
self.interfaces[svc] = ec2.InterfaceVpcEndpoint(
self,
svc,
vpc=vpc,
service=ec2.InterfaceVpcEndpointAwsService(name=svc),
open=True,
private_dns_enabled=True,
lookup_supported_azs=False,
security_groups=[self.security_group])
def __init__(self, scope: core.Construct, construct_id: str, vpc: ec2.Vpc,
role: iam_.Role, subnet: ec2.PrivateSubnet, **kwargs) -> None:
super().__init__(scope, construct_id, **kwargs)
self.security_group = ec2.SecurityGroup(self, "WorkshopGroup", vpc=vpc)
instance_id = "Workshop"
sm.CfnNotebookInstance(
self,
instance_id,
instance_type='ml.t2.medium',
volume_size_in_gb=20,
security_group_ids=[self.security_group.security_group_id],
subnet_id=subnet.subnet_id,
notebook_instance_name=instance_id,
role_arn=role.role_arn,
direct_internet_access='Enabled',
root_access='Enabled',
default_code_repository=
"https://github.com/NASA-IMPACT/workshop_notebooks")
def __init__(self, scope: core.Construct, id: str, props, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
elasticfilestore = efs.CfnFileSystem(
self, "efs-storage",
encrypted=False,
lifecycle_policies=None
)
sg_efs = ec2.SecurityGroup(
self,
id="sg_efs",
vpc=props['vpc'],
security_group_name="sg_efs"
)
sg_efs.add_ingress_rule(
peer=ec2.Peer.ipv4("10.0.0.0/16"),
connection=ec2.Port.tcp(2049)
)
def _add_security_groups(self, vpc: ec2.Vpc) -> ec2.SecurityGroup:
"""
Add security group to the stack
:param vpc: VPC of security group
"""
security_group = ec2.SecurityGroup(
self,
'zach-security-group',
vpc=vpc,
description="Allow access to zach instance",
allow_all_outbound=True)
security_group.add_ingress_rule(ec2.Peer.any_ipv4(),
ec2.Port.tcp(9622),
'allow ssh access from the world')
security_group.add_ingress_rule(ec2.Peer.any_ipv4(), ec2.Port.udp(500),
'for IKE, to manage encryption keys')
security_group.add_ingress_rule(ec2.Peer.any_ipv4(),
ec2.Port.udp(4500),
'for IPSEC NAT-Traversal mode')
return security_group
def __init__(self, scope: core.Construct,
common_stack: CommonResourcesStack, **kwargs):
self.deploy_env = active_environment
self.common_stack = common_stack
# Security Group
self.dms_sg = ec2.SecurityGroup(
scope=scope,
id=f"dms-{self.deploy_env.value}-sg",
vpc=self.common_stack.custom_vpc,
security_group_name=f"dms-{self.deploy_env.value}-sg",
)
# Subnet Group
self.dms_subnet_group = dms.CfnReplicationSubnetGroup(
scope=scope,
id=f"dms-{self.deploy_env.value}-replication-subnet",
replication_subnet_group_description=
"dms replication instance subnet group",
subnet_ids=[
subnet.subnet_id for subnet in self.common_stack.custom_vpc.
public_subnets # use public subnet to avoid costs
],
replication_subnet_group_identifier=
f"dms-{self.deploy_env.value}-replication-subnet",
)
# Replication Instance
self.instance = dms.CfnReplicationInstance(
scope=scope,
id=f"dms-{self.deploy_env.value}-replication-instance",
allocated_storage=100,
publicly_accessible=False,
engine_version="3.4.4",
replication_instance_class="dms.t2.small",
replication_instance_identifier=
f"dms-{self.deploy_env.value}-replication-instance",
vpc_security_group_ids=[self.dms_sg.security_group_id],
replication_subnet_group_identifier=self.dms_subnet_group.
replication_subnet_group_identifier,
)
self.instance.node.add_dependency(self.dms_sg)
self.instance.node.add_dependency(self.dms_subnet_group)
def __init__(self, scope: core.Construct, environment: Environment,
**kwargs) -> None:
self.env = environment.value
super().__init__(scope, id=f'{self.env}-common', **kwargs)
self.custom_vpc = ec2.Vpc(self, f'vpc-{self.env}')
self.orders_rds_sg = ec2.SecurityGroup(
self,
f'orders-{self.env}-sg',
vpc=self.custom_vpc,
allow_all_outbound=True,
security_group_name=f'orders-{self.env}-sg',
)
self.orders_rds_sg.add_ingress_rule(
peer=ec2.Peer.ipv4('37.156.75.55/32'),
connection=ec2.Port.tcp(5432))
for subnet in self.custom_vpc.private_subnets:
self.orders_rds_sg.add_ingress_rule(peer=ec2.Peer.ipv4(
subnet.ipv4_cidr_block),
connection=ec2.Port.tcp(5432))
self.orders_rds = rds.DatabaseInstance(
self,
f'orders-{self.env}-rds',
engine=rds.DatabaseInstanceEngine.POSTGRES,
database_name='orders',
instance_type=ec2.InstanceType('t3.micro'),
vpc=self.custom_vpc,
instance_identifier=f'rds-{self.env}-orders-db',
port=5432,
subnet_group=rds.SubnetGroup(
self,
f'rds-{self.env}-replication-subnet',
description='place RDS on private subnet',
vpc=self.custom_vpc),
security_groups=[self.orders_rds_sg],
removal_policy=core.RemovalPolicy.DESTROY,
**kwargs)
def create_redis_cache(scope: core.Construct, stack_name: str, vpc: IVpc,
config: StackConfig):
subnet_ids = vpc.select_subnets(
subnet_type=ec2.SubnetType.PRIVATE).subnet_ids
cache_subnet_group = elasticache.CfnSubnetGroup(
scope,
'cacheSubnetGroup',
cache_subnet_group_name=f'{stack_name}-redis',
description=stack_name,
subnet_ids=subnet_ids,
)
cache_security_group = ec2.SecurityGroup(
scope,
'cacheSecurityGroup',
vpc=vpc,
allow_all_outbound=True,
security_group_name=f'{stack_name}-redis',
description=stack_name,
)
cache = elasticache.CfnCacheCluster(
scope,
'elasticache',
cluster_name=stack_name,
engine='redis',
port=6379,
cache_node_type=config.cache_node_type,
num_cache_nodes=config.num_cache_nodes,
cache_subnet_group_name=cache_subnet_group.cache_subnet_group_name,
vpc_security_group_ids=[cache_security_group.security_group_id],
)
cache_security_group.add_ingress_rule(ec2.Peer.any_ipv4(),
ec2.Port.tcp(6379),
'Allow Cache Access')
core.CfnOutput(scope=scope,
id='redisAddress',
value=cache.attr_redis_endpoint_address)
return cache
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
public_subnet = _ec2.SubnetConfiguration(
name="publicSubnet",
cidr_mask=24,
subnet_type=_ec2.SubnetType.PUBLIC
)
private_subnet = _ec2.SubnetConfiguration(
name="privateSubnet",
cidr_mask=24,
subnet_type=_ec2.SubnetType.PRIVATE
)
db_subnet = _ec2.SubnetConfiguration(
name="dbSubnet",
cidr_mask=24,
subnet_type=_ec2.SubnetType.ISOLATED
)
self.vpc = _ec2.Vpc(
self,
"Vpc",
cidr="10.0.0.0/16",
subnet_configuration=[public_subnet, private_subnet, db_subnet],
max_azs=3,
nat_gateways=1
)
self.vpc.sg = _ec2.SecurityGroup(
self,
"vpcSg",
vpc=self.vpc
)
self.vpc.sg.add_ingress_rule(self.vpc.sg, _ec2.Port.tcp(6379)) #Redis
self.vpc.sg.add_ingress_rule(self.vpc.sg, _ec2.Port.tcp(3306)) #Aurora MySQL
core.CfnOutput(self, "outputVpc", value=self.vpc.vpc_id)
def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
super().__init__(scope, construct_id, **kwargs)
# The code that defines your stack goes here
vpc_name = self.node.try_get_context("vpc_name")
vpc = aws_ec2.Vpc.from_lookup(
self,
"EC2InstanceVPC",
is_default=
True, # set is_default=False if you want to find your own VPC
vpc_name=vpc_name)
sg_ssh_access = aws_ec2.SecurityGroup(
self,
"BastionHostSG",
vpc=vpc,
allow_all_outbound=True,
description='security group for bastion host',
security_group_name='bastion-host-sg')
cdk.Tags.of(sg_ssh_access).add('Name', 'bastion-host')
sg_ssh_access.add_ingress_rule(peer=aws_ec2.Peer.any_ipv4(),
connection=aws_ec2.Port.tcp(22),
description='ssh access')
bastion_host = aws_ec2.BastionHostLinux(
self,
"BastionHost",
vpc=vpc,
instance_type=aws_ec2.InstanceType('t3.nano'),
security_group=sg_ssh_access,
subnet_selection=aws_ec2.SubnetSelection(
subnet_type=aws_ec2.SubnetType.PUBLIC))
cdk.CfnOutput(self,
'BastionHostId',
value=bastion_host.instance_id,
export_name='BastionHostId')
cdk.CfnOutput(self,
'BastionHostPublicDNSName',
value=bastion_host.instance_public_dns_name,
export_name='BastionHostPublicDNSName')
def __configure_neptune(self)->None:
self.subnet_group = n.CfnDBSubnetGroup(self,'SubnetGroup',
db_subnet_group_description='MarketGraph Subnet',
db_subnet_group_name='marketgraph-subnetgroup',
subnet_ids= [net.subnet_id for net in self.vpc._select_subnet_objects(subnet_group_name='MarketGraph')])
self.security_group = ec2.SecurityGroup(self,'SecGroup',
vpc=self.vpc,
allow_all_outbound=True,
description='Security group for MarketGraph feature')
self.security_group.add_ingress_rule(
peer=ec2.Peer.any_ipv4(),
connection=ec2.Port(
protocol=ec2.Protocol.TCP,
string_representation='Neptune',
from_port=8182, to_port=8182))
self.neptune_cluster = n.CfnDBCluster(
self,'NeptuneCluster',
db_subnet_group_name=self.subnet_group.db_subnet_group_name,
deletion_protection=False,
iam_auth_enabled=False,
storage_encrypted=True,
db_cluster_identifier='marketgraph',
vpc_security_group_ids=[self.security_group.security_group_id])
counter=0
for net in self.vpc._select_subnet_objects(subnet_group_name='MarketGraph'):
az_name = net.availability_zone
counter+=1
neptune_instance = n.CfnDBInstance(
self,'NeptuneInstance-'+str(counter),
availability_zone=az_name,
db_instance_identifier='marketgraph-instance-'+str(counter),
db_instance_class='db.t3.medium',
allow_major_version_upgrade=False,
auto_minor_version_upgrade=True,
db_cluster_identifier=self.neptune_cluster.db_cluster_identifier,
db_subnet_group_name=self.subnet_group.db_subnet_group_name)
neptune_instance.node.add_dependency(self.neptune_cluster)
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
vpc = ec2.Vpc(self, 'vpc1')
bucket_name = 'my-cdk-bucket'
s3.Bucket(self,
bucket_name,
bucket_name=bucket_name,
access_control=s3.BucketAccessControl.PUBLIC_READ_WRITE,
removal_policy=RemovalPolicy.DESTROY)
ec2.Volume(self,
'vol1',
availability_zone='us-east-1a',
size=core.Size.gibibytes(8))
sg = ec2.SecurityGroup(self, 'sg1', vpc=vpc)
sg.add_ingress_rule(Peer.any_ipv4(), Port.tcp(22))
kms.Key(self, 'kms1')
def __init__(self, scope: core.Construct, id: str, vpc: aws_ec2.Vpc,
**kwargs) -> None:
super().__init__(scope, id, **kwargs)
aws_ec2.SecurityGroup(self, 'dms-securitygroup', vpc=vpc)
_subnets = []
_subnets.append(
aws_ec2.Subnet(self,
'sbn-dms-1',
availability_zone=vpc.availability_zones[0],
vpc_id=vpc.vpc_id,
cidr_block='10.0.3.0/25').subnet_id)
_subnets.append(
aws_ec2.Subnet(self,
'sbn-dms-2',
availability_zone=vpc.availability_zones[1],
vpc_id=vpc.vpc_id,
cidr_block='10.0.3.128/25').subnet_id)
_subnet_group_id = 'deta-pipeline-dms-subnet'
dms.CfnReplicationSubnetGroup(
self,
'dms-subnet-group',
replication_subnet_group_description='subnet group for dms',
subnet_ids=_subnets,
replication_subnet_group_identifier=_subnet_group_id)
dms.CfnReplicationInstance(
self,
'dms-demo',
replication_instance_class='dms.t3.medium',
allocated_storage=50,
allow_major_version_upgrade=False,
auto_minor_version_upgrade=False,
publicly_accessible=False,
multi_az=False,
replication_subnet_group_identifier=_subnet_group_id)
def __init__(self, scope: core.Construct, id: str, vpc,KeyPairName,ec2_type, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
# Create SQL instances
azs = vpc.availability_zones
self.sql_sg = ec2.SecurityGroup(self, 'SQL-Security-Group',vpc=vpc,allow_all_outbound=True,description='SQL-Security-Group-Nodes',security_group_name='sql-sg-'+id)
self.role = iam.Role(self, 'ec2-sql-role',assumed_by=iam.ServicePrincipal('ec2.amazonaws.com'))
#Grant permission to access the MAD secret
self.role.add_managed_policy(policy=iam.ManagedPolicy.from_aws_managed_policy_name('SecretsManagerReadWrite'))
self.node1 = ec2.Instance(self, "SQL Node1",
instance_type=ec2.InstanceType(instance_type_identifier=ec2_type),
machine_image=windows_ami,
vpc=vpc,
key_name=KeyPairName,
user_data=ec2.UserData.custom(user_data),
availability_zone=azs[0],
role=self.role,
vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE,one_per_az=True),
security_group=self.sql_sg
)
self.node2 = ec2.Instance(self, "SQL Node2",
instance_type=ec2.InstanceType(instance_type_identifier=ec2_type),
machine_image=windows_ami,
vpc=vpc,
key_name=KeyPairName,
user_data=ec2.UserData.custom(user_data),
availability_zone=azs[1],
role=self.role,
vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE,one_per_az=True),
security_group=self.sql_sg
)
# Open Security group - change to a reference
self.sql_sg.add_ingress_rule(peer=ec2.Peer.ipv4('10.0.0.0/8'),connection=ec2.Port.all_traffic(),description='Allow traffic between SQL nodes + VPC')
core.CfnOutput(self, "node1",value=self.node1.instance_private_ip)
core.CfnOutput(self, "node2",value=self.node2.instance_private_ip)
def cluster_creation(self, name_extension, conf, stage):
# Creating ECS Cluster in the VPC created above
conf_global = conf["global"]["project"]
self.ecs_cluster = _ecs.Cluster(
self, name_extension+"-ecs-cluster",
cluster_name=f"{conf_global}_{stage}",
vpc=self.vpc
)
# Adding service discovery namespace to cluster
self.ecs_cluster.add_default_cloud_map_namespace(
name=name_extension,
)
# Namespace details as CFN output
self.namespace_outputs = {
'ARN': self.ecs_cluster.default_cloud_map_namespace.private_dns_namespace_arn,
'NAME': self.ecs_cluster.default_cloud_map_namespace.private_dns_namespace_name,
'ID': self.ecs_cluster.default_cloud_map_namespace.private_dns_namespace_id,
}
# Cluster Attributes
self.cluster_outputs = {
'NAME': self.ecs_cluster.cluster_name,
'ARN': self.ecs_cluster.cluster_arn,
'SECGRPS': str(self.ecs_cluster.connections.security_groups)
}
self.services_sg = _ec2.SecurityGroup(
self, name_extension+"-ecs-cluster-services-sg",
allow_all_outbound=True,
description="Security group ECS {} services".format(name_extension),
vpc=self.vpc
)
self.services_sg.add_ingress_rule(_ec2.Peer.ipv4("0.0.0.0/0"), _ec2.Port.tcp(80), "allow http access from anywhere")
self.objects_list.append(self.ecs_cluster)
self.objects_list.append(self.services_sg)
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
# The code that defines your stack goes here
private_subnet1 = ec2.SubnetConfiguration(
cidr_mask=24,
name='PrivateSubnet1',
subnet_type=ec2.SubnetType.PRIVATE)
private_subnet2 = ec2.SubnetConfiguration(
cidr_mask=24,
name='PrivateSubnet2',
subnet_type=ec2.SubnetType.PRIVATE)
public_subnet1 = ec2.SubnetConfiguration(
cidr_mask=25,
name='PublicSubnet1',
subnet_type=ec2.SubnetType.PUBLIC)
public_subnet2 = ec2.SubnetConfiguration(
cidr_mask=25,
name='PublicSubnet2',
subnet_type=ec2.SubnetType.PUBLIC)
vpc = ec2.Vpc(self,
'TestVPC',
cidr='10.100.0.0/16',
subnet_configuration=[
private_subnet1, public_subnet1, private_subnet2,
public_subnet2
])
bastion_ssh_sg = ec2.SecurityGroup(self,
'SSHBastion_SecurityGroup',
vpc=vpc,
security_group_name='Bastion_SSH')
bastion_host = ec2.BastionHostLinux(self, 'Bastion-1', vpc=vpc)
def __init__(self, scope: core.Construct, id: str, vpc: ec2.IVpc,
instances: list, certificate_arn: str, **kwargs):
super().__init__(scope, id, **kwargs)
health_check = elbv2.HealthCheck(path="/",
healthy_http_codes="200-399")
public_target_group = elbv2.ApplicationTargetGroup(
self, "PublicTG", port=8080, vpc=vpc, health_check=health_check)
for instance in instances:
public_target_group.add_target(
elbv2.InstanceTarget(instance.instance_id, port=8080))
self._public_security_group = ec2.SecurityGroup(self,
"PublicLBSG",
vpc=vpc)
self._public_security_group.add_ingress_rule(ec2.Peer.any_ipv4(),
ec2.Port.tcp(443))
self._public_lb = elbv2.ApplicationLoadBalancer(
self,
"PublicLB",
vpc=vpc,
vpc_subnets=ec2.SubnetSelection(subnets=vpc.select_subnets(
subnet_type=ec2.SubnetType.PUBLIC).subnets),
internet_facing=True,
security_group=self._public_security_group)
self._public_lb.add_listener(
"PublicLBListener",
certificates=[elbv2.ListenerCertificate(certificate_arn)],
port=443,
default_target_groups=[public_target_group])
core.CfnOutput(self,
"CloudIDE URL",
value="https://{}".format(
self._public_lb.load_balancer_dns_name))
def __init__(self,
scope: core.Construct,
id: str,
region: str,
vpc: str,
ec2_instance_type: str,
ami_id: str,
ssh_key: str,
max_spot_price: str,
ssh_allow_ip_range: str,
asg_size: str,
stack_name: str,
**kwargs) -> None:
super().__init__(scope, id, **kwargs)
self.asg = autoscaling.AutoScalingGroup(self,
f"{stack_name}-asg",
instance_type=ec2.InstanceType(ec2_instance_type),
machine_image=ec2.MachineImage.generic_linux(ami_map={region: ami_id}
),
vpc=vpc,
key_name=ssh_key,
vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PUBLIC),
allow_all_outbound=True,
associate_public_ip_address=True,
min_capacity=asg_size,
max_capacity=asg_size,
spot_price=max_spot_price
)
sg_ssh_in = ec2.SecurityGroup(self,
"allow-ssh",
vpc=vpc,
allow_all_outbound=True)
sg_ssh_in.add_ingress_rule(ec2.Peer.ipv4(ssh_allow_ip_range),
ec2.Port.tcp(22)
)
self.asg.add_security_group(sg_ssh_in)
def __init__(self, scope: core.Construct, id: str, vpc: ec2.Vpc,
**kwargs) -> None:
super().__init__(scope, id, **kwargs)
self.vpc = vpc
userdata = '''#!/bin/sh
yum install httpd -y
systemctl enable httpd
systemctl start httpd
echo "<html><head><title> Example Web Server</title></head>" > /var/www/html/index.html
echo "<body>" >> /var/www/html/index.html
echo "<div><center><h2>Welcome AWS $(hostname -f) </h2>" >> /var/www/html/index.html
echo "<hr/>" >> /var/www/html/index.html
curl http://169.254.169.254/latest/meta-data/instance-id >> /var/www/html/index.html
echo "</center></div></body></html>" >> /var/www/html/index.html'''
websrv = ec2.UserData.for_linux()
websrv.add_commands(userdata)
asg = autoscaling.AutoScalingGroup(
self,
"WebAsg",
instance_type=ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2,
ec2.InstanceSize.MICRO),
machine_image=ec2.AmazonLinuxImage(),
vpc=vpc,
vpc_subnets=ec2.SubnetSelection(subnet_group_name="Private"),
min_capacity=1,
max_capacity=1,
user_data=websrv)
alb = elbv2.ApplicationLoadBalancer(
self,
"WebLb",
vpc=vpc,
internet_facing=True,
vpc_subnets=ec2.SubnetSelection(subnet_group_name="Public"))
listener = alb.add_listener("WebListener", port=80)
listener.add_targets("Target", port=80, targets=[asg])
self.webserver_sg = ec2.SecurityGroup(self, "WebServerSg", vpc=vpc)
asg.add_security_group(self.webserver_sg)
def generate_rds_security_group(scope, vpc: ec2.Vpc, beanstalk_app_sg: ec2.SecurityGroup):
sg = ec2.SecurityGroup(
scope=scope,
id="JVSANTOSRDSSG",
description="RDS MySQL Security Group",
security_group_name="JVSANTOSRDSSG",
vpc=vpc,
allow_all_outbound=False
)
sg.add_ingress_rule(
description="Allow MySQL from app",
peer=beanstalk_app_sg,
connection=ec2.Port.tcp(3306)
)
sg.add_egress_rule(
description="Outbound Rule for VPC",
peer=beanstalk_app_sg,
connection=ec2.Port.tcp_range(start_port=1024, end_port=65535),
)
return sg
def get_security_group(self, ec2_params):
security_group = None
if 'security_group' in ec2_params:
security_group = ec2_params['security_group']
else:
if 'security_group_id' in ec2_params and ec2_params[
'security_group_id']:
security_group = ec2.SecurityGroup.from_security_group_id(
self,
"SecurityGroup",
security_group_id=ec2_params['security_group_id'],
mutable=False)
else:
security_group = ec2.SecurityGroup(self,
"SecurityGroup",
vpc=ec2_params['vpc'])
security_group.add_ingress_rule(
peer=ec2.Peer.any_ipv4(),
connection=ec2.Port(string_representation="sr",
protocol=ec2.Protocol("UDP"),
from_port=ec2_params['from_port'],
to_port=ec2_params['to_port']))
return security_group
def build_efs_security_group(
scope: core.Construct, context: "Context", team_name: str, vpc: ec2.IVpc, subnet_kind: "SubnetKind"
) -> ec2.SecurityGroup:
name: str = f"orbit-{context.name}-{team_name}-efs-sg"
sg = ec2.SecurityGroup(
scope=scope,
id=name,
security_group_name=name,
vpc=vpc,
allow_all_outbound=True,
)
subnets = (
context.networking.private_subnets + context.networking.public_subnets + context.networking.isolated_subnets
)
for subnet in subnets:
if subnet.kind is subnet_kind:
sg.add_ingress_rule(
peer=ec2.Peer.ipv4(cast(str, subnet.cidr_block)),
connection=ec2.Port.tcp(port=2049),
description=f"Allowing internal access from subnet {subnet.subnet_id}.",
)
core.Tags.of(scope=sg).add(key="Name", value=name)
return sg
def __init__(self, scope: core.Construct, id: str, main_vpc: object,
main_sg: object, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
db_engine = rds.DatabaseInstanceEngine.maria_db(
version=rds.MariaDbEngineVersion.VER_10_4_8)
db_instance = rds.DatabaseInstance(
self,
f"iais-prod-db",
engine=db_engine,
instance_type=ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2,
ec2.InstanceSize.SMALL),
vpc=main_vpc,
vpc_subnets={"subnet_type": ec2.SubnetType.ISOLATED})
db_sg = ec2.SecurityGroup(self,
f"iais-sg-db-{str}",
vpc=main_vpc,
allow_all_outbound=True,
description="For DB access.")
db_sg.add_ingress_rule(peer=main_sg, connection=ec2.Port.tcp(3306))
def __init__(self, scope: core.Construct, construct_id: str, vpc_cidr,max_azs,nat_gateways,cidr_mask,ingress_rule_sg,tcp_port, **kwargs) -> None:
super().__init__(scope, construct_id, **kwargs)
self.vpc = ec2.Vpc(
self, "MyVpc",
cidr=vpc_cidr,
max_azs=max_azs,
nat_gateways=nat_gateways,
subnet_configuration=[
ec2.SubnetConfiguration(name="public", cidr_mask=cidr_mask, subnet_type=ec2.SubnetType.PUBLIC),
ec2.SubnetConfiguration(name="private", cidr_mask=cidr_mask, subnet_type=ec2.SubnetType.ISOLATED)
]
)
self.sg = ec2.SecurityGroup(self, "VPC-SG", vpc=self.vpc , allow_all_outbound=True , security_group_name='VPC-sg' )
self.sg.add_ingress_rule(ec2.Peer.ipv4(ingress_rule_sg), connection=ec2.Port.tcp(tcp_port), description='ingress')
tag = core.Tags.of(self).add(key='Owner', value='Yasir-VPC')
VPC_Output = core.CfnOutput(self, 'VPC_OUTPUT', value=self.vpc.vpc_id , description="VPC ID")
SG_Output = core.CfnOutput(self, 'SG_ID_OUTPUT', value=self.sg.security_group_id , description="SG ID")
def __init__(self, scope: core.Stack, id=str, **kwargs):
super().__init__(scope, id, **kwargs)
# This resource alone will create a private/public subnet in each AZ as well as nat/internet gateway(s)
self.vpc = aws_ec2.Vpc(
self,
"BaseVPC",
cidr='10.0.0.0/24',
enable_dns_support=True,
enable_dns_hostnames=True,
)
# Creating ECS Cluster in the VPC created above
self.ecs_cluster = aws_ecs.Cluster(self, "ECSCluster", vpc=self.vpc)
# Adding service discovery namespace to cluster
self.ecs_cluster.add_default_cloud_map_namespace(name="service", )
# Frontend security group frontend service to backend services
self.services_3000_sec_group = aws_ec2.SecurityGroup(
self,
"FrontendToBackendSecurityGroup",
allow_all_outbound=True,
description=
"Security group for frontend service to talk to backend services",
vpc=self.vpc)
# Allow inbound 3000 from ALB to Frontend Service
self.sec_grp_ingress_self_3000 = aws_ec2.CfnSecurityGroupIngress(
self,
"InboundSecGrp3000",
ip_protocol='TCP',
source_security_group_id=self.services_3000_sec_group.
security_group_id,
from_port=3000,
to_port=3000,
group_id=self.services_3000_sec_group.security_group_id)
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
self.vpc = ec2.Vpc(
self,
id="VdbVPCCdk",
cidr="172.15.0.0/21",
enable_dns_support=True,
max_azs=2,
subnet_configuration=[
ec2.SubnetConfiguration(name="public-vdb-cdk-net",
subnet_type=ec2.SubnetType.PUBLIC,
cidr_mask=24),
ec2.SubnetConfiguration(name="private-vdb-cdk-net",
subnet_type=ec2.SubnetType.PRIVATE,
cidr_mask=24)
])
self.vdb_security_group = ec2.SecurityGroup(
self,
id="VdbRdsCdkSecurityGroup",
security_group_name="vdb-cdk-sg",
vpc=self.vpc)
self.vdb_security_group.add_ingress_rule(
ec2.Peer.ipv4("172.15.0.0/24"), ec2.Port.tcp(5000),
"allow access from the world")
self.vdb_security_group.add_ingress_rule(
ec2.Peer.ipv4("172.15.1.0/24"), ec2.Port.tcp(5000),
"allow access from the world")
self.vdb_security_group.add_ingress_rule(
ec2.Peer.ipv4("172.15.2.0/24"), ec2.Port.tcp(5432),
"allow internal access")
self.vdb_security_group.add_ingress_rule(
ec2.Peer.ipv4("172.15.3.0/24"), ec2.Port.tcp(5432),
"allow internal access")
def create_redis(self, vpc: ec2.IVpc):
selection = vpc.select_subnets(subnet_type=ec2.SubnetType.PUBLIC)
redis_security_group = ec2.SecurityGroup(self,
id='redis-security-group',
vpc=vpc)
redis_security_group.add_ingress_rule(ec2.Peer.any_ipv4(),
ec2.Port.tcp(6379),
"Incoming to Redis")
redis_subnet_group = elasticache.CfnSubnetGroup(
self,
"RedisClusterPrivateSubnetGroup",
cache_subnet_group_name="redis-subnet-group",
description="Tubby Redis Subnet",
subnet_ids=selection.subnet_ids)
redis_parameter_group = elasticache.CfnParameterGroup(
self,
"RedisParameterGroup",
description="Redis Params",
cache_parameter_group_family="redis6.x",
properties={},
)
redis = elasticache.CfnCacheCluster(
self,
"RedisCacheCluster",
engine="redis",
cache_node_type="cache.t2.micro",
num_cache_nodes=1,
cluster_name="startuptoolbag-redis",
vpc_security_group_ids=[redis_security_group.security_group_id],
cache_subnet_group_name=redis_subnet_group.cache_subnet_group_name,
cache_parameter_group_name=redis_parameter_group.ref,
)
return redis
def __init__(self, scope: core.Construct, common: Common,
data_lake: DataLake, **kwargs) -> None:
self.env = common.env
super().__init__(scope, id=f'{self.env}-data-warehouse', **kwargs)
self.redshift_sg = ec2.SecurityGroup(
self,
f'redshift-{self.env}-sg',
vpc=common.custom_vpc,
allow_all_outbound=True,
security_group_name=f'redshift-{self.env}-sg',
)
self.redshift_sg.add_ingress_rule(
peer=ec2.Peer.ipv4('37.156.75.55/32'),
connection=ec2.Port.tcp(5439))
for subnet in common.custom_vpc.private_subnets:
self.redshift_sg.add_ingress_rule(peer=ec2.Peer.ipv4(
subnet.ipv4_cidr_block),
connection=ec2.Port.tcp(5439))
self.redshift_cluster = redshift.Cluster(
self,
f'belisco-{self.env}-redshift',
cluster_name=f'belisco-{self.env}-redshift',
vpc=common.custom_vpc,
cluster_type=redshift.ClusterType.MULTI_NODE,
node_type=redshift.NodeType.DC2_LARGE,
default_database_name='dw',
number_of_nodes=2,
removal_policy=core.RemovalPolicy.DESTROY,
master_user=redshift.Login(master_username='******'),
publicly_accessible=True,
roles=[SpectrumRole(self, data_lake)],
security_groups=[self.redshift_sg],
vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PUBLIC))
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
cidr = '10.0.0.0/16'
vpc = ec2.Vpc(self, id='cdk-test-vpc', cidr=cidr, max_azs=1)
security_group = ec2.SecurityGroup(
self,
id='cdk-sg',
vpc=vpc,
security_group_name='cdk-sg',
)
# what is peer
security_group.add_ingress_rule(
peer=ec2.Peer.ipv4(cidr),
connection=ec2.Port.tcp(22),
)
security_group.add_ingress_rule(
peer=ec2.Peer.ipv4('0.0.0.0/0'),
connection=ec2.Port.tcp(80),
)
image_id = ec2.AmazonLinuxImage(
generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2).get_image(
self).image_id
ec2.CfnInstance(self,
id='cdk-instancd',
availability_zone="ap-northeast-1a",
image_id=image_id,
instance_type="t2.small",
security_group_ids=[security_group.security_group_id],
subnet_id=vpc.private_subnets[0].subnet_id,
tags=[{
"key": "Name",
"value": "cdk-instance"
}])
