def __init__(self, scope: core.Construct, id: str, vpc: aws_ec2.Vpc,
**kwargs) -> None:
super().__init__(scope, id, **kwargs)
_subnets = []
_subnets.append(
aws_ec2.Subnet(self,
'sbn-redshift-1',
availability_zone=vpc.availability_zones[0],
vpc_id=vpc.vpc_id,
cidr_block='10.0.4.0/25'))
_subnets.append(
aws_ec2.Subnet(self,
'sbn-redshift-2',
availability_zone=vpc.availability_zones[1],
vpc_id=vpc.vpc_id,
cidr_block='10.0.4.128/25'))
_cluster_subnet_group = aws_redshift.ClusterSubnetGroup(
self,
'deta-pipeline-redshift-subnet',
description='redshift cluster subnet',
vpc=vpc,
vpc_subnets=aws_ec2.SubnetSelection(subnets=_subnets))
aws_redshift.Cluster(
self,
'destination-redshift',
master_user=aws_redshift.Login(master_username='******'),
vpc=vpc,
subnet_group=_cluster_subnet_group)
def __init__(self, scope: core.Construct, id: str, vpc: aws_ec2.Vpc,
**kwargs) -> None:
super().__init__(scope, id, **kwargs)
_subnets = []
_subnets.append(
aws_ec2.Subnet(self,
'sbn-sourcedb-1',
availability_zone=vpc.availability_zones[0],
vpc_id=vpc.vpc_id,
cidr_block='10.0.1.0/24'))
_subnets.append(
aws_ec2.Subnet(self,
'sbn-sourcedb-2',
availability_zone=vpc.availability_zones[1],
vpc_id=vpc.vpc_id,
cidr_block='10.0.2.0/24'))
db_security_group = aws_ec2.SecurityGroup(self, 'sg-src-db', vpc=vpc)
db_security_group.add_ingress_rule(
peer=aws_ec2.Peer.ipv4('10.0.5.192/26'),
connection=aws_ec2.Port(
protocol=aws_ec2.Protocol.TCP,
string_representation="to allow traffic from the cmd",
from_port=5432,
to_port=5432))
_postgres_instance = rds.DatabaseInstance(
self,
'src_ora',
engine=rds.DatabaseInstanceEngine.POSTGRES,
vpc=vpc,
vpc_subnets=aws_ec2.SubnetSelection(subnets=_subnets),
security_groups=[db_security_group])
core.CfnOutput(self,
'secret_name',
value=_postgres_instance.secret.secret_name)
self._secret_name = _postgres_instance.secret.secret_name
self._secret_arn = _postgres_instance.secret.secret_arn
def __init__(self, app: core.Construct, stack_name: str, vpc: aws_ec2.Vpc,
subnet_cidr: str, subnet_name: str, availability_zone: str,
is_public_subnet: bool):
super().__init__(scope=app, id=f"{stack_name}-subnet-{subnet_name}")
self.subnet = aws_ec2.Subnet(scope=self,
id=subnet_name,
cidr_block=subnet_cidr,
vpc_id=vpc.vpc_id,
availability_zone=availability_zone,
map_public_ip_on_launch=is_public_subnet)
def __init__(self, scope: core.Construct, id: str, vpc: aws_ec2.Vpc,
**kwargs) -> None:
super().__init__(scope, id, **kwargs)
aws_ec2.SecurityGroup(self, 'dms-securitygroup', vpc=vpc)
_subnets = []
_subnets.append(
aws_ec2.Subnet(self,
'sbn-dms-1',
availability_zone=vpc.availability_zones[0],
vpc_id=vpc.vpc_id,
cidr_block='10.0.3.0/25').subnet_id)
_subnets.append(
aws_ec2.Subnet(self,
'sbn-dms-2',
availability_zone=vpc.availability_zones[1],
vpc_id=vpc.vpc_id,
cidr_block='10.0.3.128/25').subnet_id)
_subnet_group_id = 'deta-pipeline-dms-subnet'
dms.CfnReplicationSubnetGroup(
self,
'dms-subnet-group',
replication_subnet_group_description='subnet group for dms',
subnet_ids=_subnets,
replication_subnet_group_identifier=_subnet_group_id)
dms.CfnReplicationInstance(
self,
'dms-demo',
replication_instance_class='dms.t3.medium',
allocated_storage=50,
allow_major_version_upgrade=False,
auto_minor_version_upgrade=False,
publicly_accessible=False,
multi_az=False,
replication_subnet_group_identifier=_subnet_group_id)
def __init__(self, scope: core.Construct, id: str, vpc_id: str, az_cidr: dict, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
self._subnets = []
stack_id = id
for az in az_cidr.keys():
cidr_per_zone=az_cidr.get(az)
for cidr in cidr_per_zone:
subnet = ec2.Subnet(
self,
id=stack_id+"-"+az,
availability_zone=az,
cidr_block=cidr,
vpc_id=vpc_id,
map_public_ip_on_launch=False
)
self.add(subnet)
vpc = ec2.Vpc.from_lookup(self, "VPC", vpc_id=vpc_id)
selected_subnets = ec2.SubnetSelection(subnets=self._subnets)
ec2.InterfaceVpcEndpoint(self, stack_id+"ec2",
vpc=vpc,
service=ec2.InterfaceVpcEndpointAwsService.E_C2,
subnets=selected_subnets
)
ec2.InterfaceVpcEndpoint(self, stack_id+"ecr",
vpc=vpc,
service=ec2.InterfaceVpcEndpointAwsService.ECR,
subnets=selected_subnets
)
ec2.InterfaceVpcEndpoint(self, stack_id+"drk",
vpc=vpc,
service=ec2.InterfaceVpcEndpointAwsService.ECR_DOCKER,
subnets=selected_subnets
)
ec2.GatewayVpcEndpoint(self, stack_id+"s3",
vpc=vpc,
service=ec2.GatewayVpcEndpointAwsService.S3,
subnets=[selected_subnets]
)
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
vpc = aws_ec2.Vpc(self,
"network",
cidr="10.0.0.0/16",
max_azs=2,
subnet_configuration=[])
cmd_subnet = aws_ec2.Subnet(
self,
'sbn-cmd-1',
availability_zone=vpc.availability_zones[0],
vpc_id=vpc.vpc_id,
cidr_block='10.0.5.192/26')
vpc.add_interface_endpoint(
'secretmanager',
service=aws_ec2.InterfaceVpcEndpointAwsService.SECRETS_MANAGER,
subnets=aws_ec2.SubnetSelection(subnets=[cmd_subnet]))
self.vpc = vpc
self.cmd_subnet = cmd_subnet
def __init__(self, scope: core.Construct, construct_id: str,
**kwargs) -> None:
super().__init__(scope, construct_id, **kwargs)
vpc = ec2.Vpc(self,
id="MyVPC",
nat_gateways=0,
cidr="192.168.0.0/20",
max_azs=3,
subnet_configuration=[])
pub_subnet = ec2.PublicSubnet(self,
id="PublicSubnet",
availability_zone="eu-central-1c",
cidr_block="192.168.0.0/24",
vpc_id=vpc.vpc_id,
map_public_ip_on_launch=True)
igw = ec2.CfnInternetGateway(
self, id="MyIGW", tags=[core.CfnTag(key="Name", value="IGW")])
ec2.CfnVPCGatewayAttachment(self,
id="IGW_Assoc",
vpc_id=vpc.vpc_id,
internet_gateway_id=igw.ref)
pub_subnet.add_route(id="default_route-sub01",
router_id=igw.ref,
router_type=ec2.RouterType('GATEWAY'),
destination_cidr_block="0.0.0.0/0",
enables_internet_connectivity=True)
# Elastic IP
eip_01 = ec2.CfnEIP(self, id="EIP01")
# NAT gateway
ngw = ec2.CfnNatGateway(self,
id="NAT_GW",
allocation_id=eip_01.attr_allocation_id,
subnet_id=pub_subnet.subnet_id,
tags=[core.CfnTag(key="Name", value="NAT_GW")])
subnet01 = ec2.Subnet(self,
id="Subnet01",
availability_zone="eu-central-1a",
cidr_block="192.168.1.0/24",
vpc_id=vpc.vpc_id,
map_public_ip_on_launch=False)
subnet02 = ec2.Subnet(self,
id="Subnet02",
availability_zone="eu-central-1b",
cidr_block="192.168.2.0/24",
vpc_id=vpc.vpc_id,
map_public_ip_on_launch=False)
subnet01.add_route(id="default_route-sub01",
router_id=ngw.ref,
router_type=ec2.RouterType('NAT_GATEWAY'),
destination_cidr_block="0.0.0.0/0",
enables_internet_connectivity=True)
subnet02.add_route(id="default_route-sub02",
router_id=ngw.ref,
router_type=ec2.RouterType('NAT_GATEWAY'),
destination_cidr_block="0.0.0.0/0",
enables_internet_connectivity=True)
sg_lb = ec2.CfnSecurityGroup(
self,
id="SG_ALB",
group_description="SG for the APP LB",
group_name="SG_ALB",
vpc_id=vpc.vpc_id,
tags=[core.CfnTag(key="Name", value="SG_ALB")])
sg_ec2i = ec2.CfnSecurityGroup(
self,
id="SG_Instances",
group_description="SG for the Instances",
group_name="SG_Instances",
vpc_id=vpc.vpc_id,
tags=[core.CfnTag(key="Name", value="SG_Instances")])
# my_home_ip = requests.get("https://api.ipify.org").text
my_home_ip = "94.112.113.195"
ports_pub = {'tcp': [22, 80], 'icmp': [-1]}
for protocol, ports_list in ports_pub.items():
for port in ports_list:
ec2.CfnSecurityGroupIngress(
self,
id=f"sg_alb_in_{protocol}_{port}",
group_id=sg_lb.attr_group_id,
ip_protocol=protocol,
cidr_ip=f"{my_home_ip}/32",
to_port=port,
from_port=port,
description=f"{protocol.upper()} {port} from home IP")
ec2.CfnSecurityGroupIngress(
self,
id=f"sg_ec2i_in_{protocol}_{port}",
group_id=sg_ec2i.attr_group_id,
ip_protocol=protocol,
to_port=port,
from_port=port,
source_security_group_id=sg_lb.ref,
description=f"{protocol.upper()} {port} from the ALB SG")
with open(
"/home/dragos/Documents/AWS_CDK/app_lb_sample/app_lb_sample/configure.sh",
'r') as config_file:
ud = core.Fn.base64(config_file.read())
bastion_host = ec2.CfnInstance(
self,
id="bastion",
image_id="ami-0de9f803fcac87f46",
instance_type="t2.micro",
subnet_id=pub_subnet.subnet_id,
key_name="proton_mail_kp",
security_group_ids=[sg_lb.ref],
tags=[core.CfnTag(key="Name", value="bastion")])
instance01 = ec2.CfnInstance(
self,
id="WebServer01",
image_id="ami-0de9f803fcac87f46",
instance_type="t2.micro",
subnet_id=subnet01.subnet_id,
key_name="proton_mail_kp",
security_group_ids=[sg_ec2i.ref],
user_data=ud,
tags=[core.CfnTag(key="Name", value="WebServer01")])
instance02 = ec2.CfnInstance(
self,
id="WebServer02",
image_id="ami-0de9f803fcac87f46",
instance_type="t2.micro",
subnet_id=subnet02.subnet_id,
key_name="proton_mail_kp",
security_group_ids=[sg_ec2i.ref],
user_data=ud,
tags=[core.CfnTag(key="Name", value="WebServer02")])
# health_check = elbv2.HealthCheck(enabled=True,
# healthy_http_codes="200",
# path="/index.html",
# protocol=elbv2.Protocol("HTTP"))
target01 = elbv2.CfnTargetGroup.TargetDescriptionProperty(
id=instance01.ref)
target02 = elbv2.CfnTargetGroup.TargetDescriptionProperty(
id=instance02.ref)
tg = elbv2.CfnTargetGroup(
self,
id="TG-WEB-HTTP",
name="TG-WEB-HTTP",
health_check_enabled=True,
health_check_path="/index.html",
health_check_port="80",
matcher=elbv2.CfnTargetGroup.MatcherProperty(http_code="200"),
port=80,
protocol="HTTP", # CASE SENSITIVE
target_type="instance", # CASE SENSITIVE
targets=[target01, target02],
vpc_id=vpc.vpc_id)
alb = elbv2.CfnLoadBalancer(
self,
id="MyALB-HTTP",
ip_address_type="ipv4",
name="MyALB-HTTP",
scheme="internet-facing",
security_groups=[sg_lb.ref],
type="application",
subnets=[subnet01.subnet_id, subnet02.subnet_id])
def_act = Listener.ActionProperty(type="forward",
authenticate_cognito_config=None,
authenticate_oidc_config=None,
fixed_response_config=None,
forward_config=None,
order=50000,
redirect_config=None,
target_group_arn=tg.ref)
listener = elbv2.CfnListener(self,
id="Listener01",
load_balancer_arn=alb.ref,
port=80,
protocol="HTTP",
default_actions=[def_act])
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
demo_vpc = aws_ec2.Vpc(self,
"network",
cidr="10.10.0.0/16",
max_azs=2,
subnet_configuration=[])
demo_subnets = []
demo_subnets.append(
aws_ec2.Subnet(self,
'sbn-demo-1',
availability_zone=demo_vpc.availability_zones[0],
vpc_id=demo_vpc.vpc_id,
cidr_block='10.10.0.0/25'))
demo_subnets.append(
aws_ec2.Subnet(self,
'sbn-demo-2',
availability_zone=demo_vpc.availability_zones[1],
vpc_id=demo_vpc.vpc_id,
cidr_block='10.10.0.128/25'))
demo_vpc.add_interface_endpoint(
'secretmanager',
service=aws_ec2.InterfaceVpcEndpointAwsService.SECRETS_MANAGER,
subnets=aws_ec2.SubnetSelection(subnets=demo_subnets))
db_subnet_group = aws_rds.SubnetGroup(
self,
'sbng-demo-rds',
description='demo db subnet group',
vpc=demo_vpc,
removal_policy=core.RemovalPolicy.DESTROY,
vpc_subnets=aws_ec2.SubnetSelection(subnets=demo_subnets))
db_security_group = aws_ec2.SecurityGroup(self,
'sg-demo-rds',
vpc=demo_vpc)
db_security_group.add_ingress_rule(
peer=aws_ec2.Peer.ipv4('10.10.0.0/16'),
connection=aws_ec2.Port(
protocol=aws_ec2.Protocol.TCP,
string_representation="to allow from the vpc internal",
from_port=3306,
to_port=3306))
mysql_instance = aws_rds.DatabaseInstance(
self,
'mys-demo-rds',
engine=aws_rds.DatabaseInstanceEngine.MYSQL,
vpc=demo_vpc,
vpc_subnets=aws_ec2.SubnetSelection(subnets=demo_subnets),
security_groups=[db_security_group],
iam_authentication=True)
db_secret = mysql_instance.secret
role_init_db = aws_iam.Role(
self,
'cmd_role_init_src_db',
assumed_by=aws_iam.ServicePrincipal("lambda.amazonaws.com"))
lambda_base_policy_statement = aws_iam.PolicyStatement(
resources=['*'],
actions=[
'logs:CreateLogGroup',
'logs:CreateLogStream',
'logs:PutLogEvents',
"ec2:CreateNetworkInterface",
"ec2:DescribeNetworkInterfaces",
"ec2:DeleteNetworkInterface",
])
role_init_db.add_to_policy(lambda_base_policy_statement)
role_init_db.add_to_policy(
aws_iam.PolicyStatement(resources=[db_secret.secret_arn],
actions=[
"secretsmanager:GetResourcePolicy",
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret",
"secretsmanager:ListSecretVersionIds"
]))
db_user = '******'
func_init_db = aws_lambda.Function(
self,
'func_init_db',
function_name='demo-rds_func_init_db',
handler='handler.init',
runtime=aws_lambda.Runtime.PYTHON_3_8,
code=aws_lambda.Code.asset('./app_stack/func_init_db'),
role=role_init_db,
timeout=core.Duration.seconds(10),
allow_public_subnet=False,
vpc=demo_vpc,
vpc_subnets=aws_ec2.SubnetSelection(subnets=demo_subnets),
environment={
'db_secret': db_secret.secret_name,
'db_user': db_user
})
# When the role_name specified as static value, it could be occurring with KMS related exception.
# It's because re-created lambda function with static name of role would be refer to the role which is not exsisted.
# https://github.com/serverless/examples/issues/279
role_test_db = aws_iam.Role(
self,
'demo_role_test_db',
assumed_by=aws_iam.ServicePrincipal("lambda.amazonaws.com"),
role_name=db_user)
role_test_db.add_to_policy(lambda_base_policy_statement)
role_test_db.add_to_policy(
aws_iam.PolicyStatement(resources=[
'arn:aws:rds-db:%s:%s:dbuser:*/*' % (REGION, ACCOUNT)
],
actions=[
"rds-db:connect",
]))
role_test_db.add_to_policy(
aws_iam.PolicyStatement(resources=[db_secret.secret_arn],
actions=[
"secretsmanager:GetResourcePolicy",
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret",
"secretsmanager:ListSecretVersionIds"
]))
func_test_db = aws_lambda.Function(
self,
'func_test_db',
function_name='demo-rds_test_iam_auth',
handler='handler.init',
runtime=aws_lambda.Runtime.PYTHON_3_8,
code=aws_lambda.Code.asset('./app_stack/func_test_db'),
role=role_test_db,
timeout=core.Duration.seconds(10),
allow_public_subnet=False,
vpc=demo_vpc,
vpc_subnets=aws_ec2.SubnetSelection(subnets=demo_subnets),
environment={
'db_secret': db_secret.secret_name,
'db_user': db_user
})
def __init__(self, scope: core.Construct, construct_id: str, **kwargs) -> None:
super().__init__(scope, construct_id, **kwargs)
vpc = ec2.Vpc(self, id="MyVPC",
nat_gateways=0,
cidr="192.168.0.0/20",
max_azs=1,
subnet_configuration=[])
subnet = ec2.Subnet(self, id="MySubnet",
availability_zone="eu-central-1a",
cidr_block="192.168.1.0/24",
vpc_id=vpc.vpc_id,
map_public_ip_on_launch=True)
igw = ec2.CfnInternetGateway(self, id="MyIGW",
tags=[core.CfnTag(key="Name", value="IGW")])
ec2.CfnVPCGatewayAttachment(self, id="IGW_Assoc",
vpc_id=vpc.vpc_id,
internet_gateway_id=igw.ref)
subnet.add_route(id="default_route",
router_id=igw.ref,
router_type=ec2.RouterType('GATEWAY'),
destination_cidr_block="0.0.0.0/0",
enables_internet_connectivity=True)
sg_public = ec2.CfnSecurityGroup(self, id="SG_PUBLIC",
group_description="SG for the Public Subnet",
group_name="SG_PUBLIC",
vpc_id=vpc.vpc_id,
tags=[core.CfnTag(key="Name", value="SG_Public")])
my_home_ip = requests.get("https://api.ipify.org").text
ports_pub = {'tcp': [22, 80],
'icmp': [-1]
}
for protocol, ports_list in ports_pub.items():
for port in ports_list:
ec2.CfnSecurityGroupIngress(self, id=f"sg_pub_in_{protocol}_{port}",
group_id=sg_public.attr_group_id,
ip_protocol=protocol,
cidr_ip=f"{my_home_ip}/32",
to_port=port,
from_port=port,
description=f"{protocol.upper()} {port} from home IP")
with open("/home/dragos/Documents/AWS_CDK/instance_creation/instance_creation/configure.sh", 'r') as config_file:
ud = core.Fn.base64(config_file.read())
instance = ec2.CfnInstance(self, id="MyInstance",
image_id="ami-0de9f803fcac87f46",
instance_type="t2.micro",
subnet_id=subnet.subnet_id,
key_name="proton_mail_kp",
security_group_ids=[sg_public.ref],
tags=[core.CfnTag(key="Name", value="MyInstance")])
# COMMENT
instance.user_data = ud