def __init__(self, scope: core.Construct, id: str, vpc_cidr: str, **kwargs) -> None: super().__init__(scope, id, **kwargs) self._vpc = ec2.Vpc( self, id, cidr=vpc_cidr, enable_dns_hostnames=True, enable_dns_support=True, max_azs=2, subnet_configuration=[ ec2.SubnetConfiguration(subnet_type=ec2.SubnetType.PUBLIC, name="BASTION", cidr_mask=24), ec2.SubnetConfiguration(subnet_type=ec2.SubnetType.PRIVATE, name="ECS", cidr_mask=24), ec2.SubnetConfiguration(subnet_type=ec2.SubnetType.PUBLIC, name="DBS", cidr_mask=24) ], nat_gateway_provider=ec2.NatProvider.gateway(), nat_gateway_subnets=ec2.SubnetSelection( one_per_az=True, subnet_group_name="BASTION"), gateway_endpoints={ 's3': ec2.GatewayVpcEndpointOptions( service=ec2.GatewayVpcEndpointAwsService.S3, subnets=[ ec2.SubnetSelection(one_per_az=True, subnet_type=ec2.SubnetType.PUBLIC) ]) })
def create_endpoints(self) -> None: endpoints = { "ECS": ec2.InterfaceVpcEndpointAwsService.ECS, "ECR": ec2.InterfaceVpcEndpointAwsService.ECR, "ECR_DOCKER": ec2.InterfaceVpcEndpointAwsService.ECR_DOCKER, "CLOUDWATCH_LOGS": ec2.InterfaceVpcEndpointAwsService.CLOUDWATCH_LOGS, "SECRETS_MANAGER": ec2.InterfaceVpcEndpointAwsService.SECRETS_MANAGER, } for name, service in endpoints.items(): ec2.InterfaceVpcEndpoint( self, name, vpc=self.instance, service=service, subnets=ec2.SubnetSelection( subnet_type=ec2.SubnetType.ISOLATED), private_dns_enabled=True, security_groups=[self.vpc_endpoint_sg], ) self.instance.add_gateway_endpoint( "s3-endpoint", service=ec2.GatewayVpcEndpointAwsService.S3, subnets=[ec2.SubnetSelection(subnet_type=ec2.SubnetType.ISOLATED)], )
def __init__(self, scope: core.Construct, **kwargs) -> None: self.deploy_env = active_environment super().__init__(scope, id=f"{self.deploy_env.value}-common-stack", **kwargs) self.custom_vpc = ec2.Vpc(self, f"vpc-{self.deploy_env.value}") self.orders_rds_sg = ec2.SecurityGroup( self, f"orders-{self.deploy_env.value}-sg", vpc=self.custom_vpc, allow_all_outbound=True, security_group_name=f"orders-{self.deploy_env.value}-sg", ) self.orders_rds_sg.add_ingress_rule( peer=ec2.Peer.ipv4("0.0.0.0/0"), connection=ec2.Port.tcp(5432) ) for subnet in self.custom_vpc.private_subnets: self.orders_rds_sg.add_ingress_rule( peer=ec2.Peer.ipv4(subnet.ipv4_cidr_block), connection=ec2.Port.tcp(5432) ) self.orders_rds_parameter_group = rds.ParameterGroup( self, f"orders-{self.deploy_env.value}-rds-parameter-group", description="Parameter group to allow CDC from RDS using DMS.", engine=rds.DatabaseInstanceEngine.postgres( version=rds.PostgresEngineVersion.VER_12_4 ), parameters={"rds.logical_replication": "1", "wal_sender_timeout": "0"}, ) self.orders_rds = rds.DatabaseInstance( self, f"orders-{self.deploy_env.value}-rds", engine=rds.DatabaseInstanceEngine.postgres( version=rds.PostgresEngineVersion.VER_12_4 ), database_name="orders", instance_type=ec2.InstanceType("t3.micro"), vpc=self.custom_vpc, instance_identifier=f"rds-{self.deploy_env.value}-orders-db", port=5432, vpc_placement=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PUBLIC), subnet_group=rds.SubnetGroup( self, f"rds-{self.deploy_env.value}-subnet", description="place RDS on public subnet", vpc=self.custom_vpc, vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PUBLIC), ), parameter_group=self.orders_rds_parameter_group, security_groups=[self.orders_rds_sg], removal_policy=core.RemovalPolicy.DESTROY, **kwargs, )
def __init__(self, scope: core.Construct, id: str, eksname: str, codebucket: str, **kwargs) -> None: super().__init__(scope, id, **kwargs) # //*************************************************// # //******************* NETWORK ********************// # //************************************************// # create VPC self._vpc = ec2.Vpc(self, 'eksVpc', max_azs=2) core.Tags.of(self._vpc).add('Name', eksname + 'EksVpc') self._log_bucket = s3.Bucket.from_bucket_name(self, 'vpc_logbucket', codebucket) self._vpc.add_flow_log("FlowLogCloudWatch", destination=ec2.FlowLogDestination.to_s3( self._log_bucket), traffic_type=ec2.FlowLogTrafficType.REJECT) # VPC endpoint security group self._vpc_endpoint_sg = ec2.SecurityGroup( self, 'EndpointSg', security_group_name='SparkOnEKS-VPCEndpointSg', vpc=self._vpc, description='Security Group for Endpoint', ) self._vpc_endpoint_sg.add_ingress_rule( ec2.Peer.ipv4(self._vpc.vpc_cidr_block), ec2.Port.tcp(port=443)) core.Tags.of(self._vpc_endpoint_sg).add('Name', 'SparkOnEKS-VPCEndpointSg') # Add VPC endpoint self._vpc.add_gateway_endpoint( "S3GatewayEndpoint", service=ec2.GatewayVpcEndpointAwsService.S3, subnets=[ ec2.SubnetSelection(subnet_type=ec2.SubnetType.PUBLIC), ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE) ]) self._vpc.add_interface_endpoint( "EcrDockerEndpoint", service=ec2.InterfaceVpcEndpointAwsService.ECR_DOCKER, security_groups=[self._vpc_endpoint_sg]) self._vpc.add_interface_endpoint( "CWLogsEndpoint", service=ec2.InterfaceVpcEndpointAwsService.CLOUDWATCH_LOGS, security_groups=[self._vpc_endpoint_sg]) self._vpc.add_interface_endpoint( "AthenaEndpoint", service=ec2.InterfaceVpcEndpointAwsService.ATHENA, security_groups=[self._vpc_endpoint_sg]) self._vpc.add_interface_endpoint( "KMSEndpoint", service=ec2.InterfaceVpcEndpointAwsService.KMS, security_groups=[self._vpc_endpoint_sg])
def __init__(self, scope: core.Construct, id: str, props, **kwargs) -> None: super().__init__(scope, id, **kwargs) # VPCの作成 # https://docs.aws.amazon.com/cdk/api/latest/python/aws_cdk.aws_ec2/Vpc.html vpc = ec2.Vpc( self, 'VPC', cidr='10.0.0.0/16', max_azs=2, subnet_configuration=[ ec2.SubnetConfiguration(cidr_mask=24, name='Public', subnet_type=ec2.SubnetType.PUBLIC), ec2.SubnetConfiguration(cidr_mask=24, name='Private', subnet_type=ec2.SubnetType.PRIVATE) ]) # VPCエンドポイントのためのセキュリティーグループ endpoint_sg = ec2.SecurityGroup(self, 'EndpointSecurityGroup', vpc=vpc) # S3のVPCエンドポイントの作成 s3_endpoint = vpc.add_gateway_endpoint( id='S3Endpoint', service=ec2.GatewayVpcEndpointAwsService.S3, subnets=[ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE)]) # ECRのDockerのVPCエンドポイントの作成 ecr_docker_endpoint = vpc.add_interface_endpoint( id='EcrDockerEndpoint', service=ec2.InterfaceVpcEndpointAwsService.ECR_DOCKER, private_dns_enabled=True, security_groups=[endpoint_sg], subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE)) # CloudWatch LogsのVPCエンドポイントの作成 cloudwatch_logs_endpoint = vpc.add_interface_endpoint( id='CloudWatchLogsEndpoint', service=ec2.InterfaceVpcEndpointAwsService.CLOUDWATCH_LOGS, private_dns_enabled=True, security_groups=[endpoint_sg], subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE)) # DynamoDBのVPCエンドポイントの作成 dynamodb_endpoint = vpc.add_gateway_endpoint( id='DynamoDbEndpoint', service=ec2.GatewayVpcEndpointAwsService.DYNAMODB, subnets=[ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE)]) self.output_props = props.copy() self.output_props['vpc'] = vpc self.output_props['endpoint_sg'] = endpoint_sg
def __init__(self, scope: core.Construct, id: str, props, **kwargs) -> None: super().__init__(scope, id, **kwargs) vpc = props['vpc'] internal_sg = props['internal_sg'] bastion_sg = props['bastion_sg'] # Bastion用Linux bastion_linux = ec2.Instance( self, 'BastionLinux', instance_type=ec2.InstanceType('t3.micro'), machine_image=ec2.MachineImage.latest_amazon_linux( generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2), key_name=self.node.try_get_context('key_name'), vpc=vpc, vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PUBLIC), security_group=internal_sg ) bastion_linux.role.add_managed_policy( iam.ManagedPolicy.from_aws_managed_policy_name('AmazonSSMManagedInstanceCore')) bastion_linux.add_security_group(bastion_sg) # Bastion用Windows bastion_windows = ec2.Instance( self, 'BastionWindows', instance_type=ec2.InstanceType('t3.large'), machine_image=ec2.MachineImage.latest_windows( version=ec2.WindowsVersion.WINDOWS_SERVER_2016_JAPANESE_FULL_BASE), key_name=self.node.try_get_context('key_name'), vpc=vpc, vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PUBLIC), security_group=internal_sg ) bastion_windows.role.add_managed_policy( iam.ManagedPolicy.from_aws_managed_policy_name('AmazonSSMManagedInstanceCore')) bastion_windows.add_security_group(bastion_sg) # Radius用EC2ホスト radius_host = ec2.Instance( self, 'RadiusHost', instance_type=ec2.InstanceType('t3.small'), machine_image=ec2.MachineImage.latest_amazon_linux( generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2), key_name=self.node.try_get_context('key_name'), vpc=vpc, vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE), security_group=internal_sg ) radius_host.role.add_managed_policy( iam.ManagedPolicy.from_aws_managed_policy_name('AmazonSSMManagedInstanceCore')) self.output_props = props.copy()
def __init__(self, scope: core.Construct, environment: Environment, **kwargs) -> None: self.env = environment.value super().__init__(scope, id=f'{self.env}-common', **kwargs) self.custom_vpc = ec2.Vpc( self, f'vpc-{self.env}' ) self.orders_rds_sg = ec2.SecurityGroup( self, f'orders-{self.env}-sg', vpc=self.custom_vpc, allow_all_outbound=True, security_group_name=f'orders-{self.env}-sg', ) self.orders_rds_sg.add_ingress_rule( peer=ec2.Peer.ipv4('37.156.75.55/32'), connection=ec2.Port.tcp(5432) ) for subnet in self.custom_vpc.private_subnets: self.orders_rds_sg.add_ingress_rule( peer=ec2.Peer.ipv4(subnet.ipv4_cidr_block), connection=ec2.Port.tcp(5432) ) self.orders_rds = rds.DatabaseInstance( self, f'orders-{self.env}-rds', engine=rds.DatabaseInstanceEngine.postgres(version=rds.PostgresEngineVersion.VER_11_2), database_name='orders', instance_type=ec2.InstanceType('t3.micro'), vpc=self.custom_vpc, instance_identifier=f'rds-{self.env}-orders-db', port=5432, vpc_placement=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PUBLIC), subnet_group=rds.SubnetGroup( self, f'rds-{self.env}-subnet', description='place RDS on public subnet', vpc=self.custom_vpc, vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PUBLIC) ), security_groups=[ self.orders_rds_sg ], removal_policy=core.RemovalPolicy.DESTROY, **kwargs )
def __init__(self, scope: core.Construct, construct_id: str, vpc: ec2.Vpc, **kwargs) -> None: super().__init__(scope, construct_id, **kwargs) # The code that defines your stack goes here env_name = self.node.try_get_context("env") eks_role = iam.Role( self, "eksadmin", assumed_by=iam.ServicePrincipal(service='ec2.amazonaws.com'), role_name='eks-cluster-role', managed_policies=[ iam.ManagedPolicy.from_aws_managed_policy_name( managed_policy_name='AdministratorAccess') ]) eks_instance_profile = iam.CfnInstanceProfile( self, 'instanceprofile', roles=[eks_role.role_name], instance_profile_name='eks-cluster-role') cluster = eks.Cluster( self, 'prod', cluster_name='ie-prod-snow-common', version=eks.KubernetesVersion.V1_19, vpc=vpc, vpc_subnets=[ ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE) ], default_capacity=0, masters_role=eks_role) nodegroup = cluster.add_nodegroup_capacity( 'eks-nodegroup', instance_types=[ ec2.InstanceType('t3.large'), ec2.InstanceType('m5.large'), ec2.InstanceType('c5.large') ], disk_size=50, min_size=2, max_size=2, desired_size=2, subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE), remote_access=eks.NodegroupRemoteAccess( ssh_key_name='ie-prod-snow-common'), capacity_type=eks.CapacityType.SPOT)
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: super().__init__(scope, id, **kwargs) vpc = ec2.Vpc.from_lookup(self,'vpc', vpc_id='vpc-082a9f3f7200f4513' ) k8s_admin = iam.Role(self, "k8sadmin", assumed_by=iam.ServicePrincipal(service='ec2.amazonaws.com'), role_name='eks-master-role', managed_policies=[iam.ManagedPolicy.from_aws_managed_policy_name( managed_policy_name='AdministratorAccess' ) ] ) k8s_instance_profile = iam.CfnInstanceProfile(self, 'instanceprofile', roles=[k8s_admin.role_name], instance_profile_name='eks-master-role' ) cluster = eks.Cluster(self, 'dev', cluster_name='eks-cdk-demo', version='1.15', vpc=vpc, vpc_subnets=[ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE)], default_capacity=0, kubectl_enabled=True, #security_group=k8s_sg, masters_role= k8s_admin ) #cluster.aws_auth.add_user_mapping(adminuser, {groups['system:masters']}) ng = cluster.add_nodegroup('eks-ng', nodegroup_name='eks-ng', instance_type=ec2.InstanceType('t3.medium'), disk_size=5, min_size=1, max_size=1, desired_size=1, subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE), remote_access=eks.NodegroupRemoteAccess(ssh_key_name='k8s-nodes') )
def __init__(self, scope: core.Construct, id: str, repository_name: str, directory: str, subnet_group_name: str, context: InfraContext, securityGroups: typing.Optional[typing.List[ ec2.SecurityGroup]] = None, **kwargs) -> None: super().__init__(scope, id, **kwargs) self.repo = assets.DockerImageAsset(self, 'Repo', directory=os.path.join( src_root_dir, directory), repository_name=repository_name) self.function = lambda_.DockerImageFunction( self, 'ContainerFunction', code=lambda_.DockerImageCode.from_ecr( repository=self.repo.repository, tag=self.repo.image_uri.split(':')[-1] ), # lambda_.DockerImageCode.from_image_asset(directory=os.path.join(src_root_dir,directory)), description='Python container lambda function for ' + repository_name, timeout=core.Duration.minutes(1), tracing=lambda_.Tracing.ACTIVE, vpc=context.networking.vpc, vpc_subnets=ec2.SubnetSelection( subnet_group_name=subnet_group_name), security_groups=securityGroups)
def _create_backend_store(self): """ Create a RDS as a backend store for MLflow server """ # Creates a security group for AWS RDS self.sg_rds = ec2.SecurityGroup(scope=self, id="SGRDS", vpc=self.vpc, security_group_name="sg_rds") # Adds an ingress rule which allows resources in the VPC's CIDR to access the database. self.sg_rds.add_ingress_rule(peer=ec2.Peer.ipv4("10.0.0.0/24"), connection=ec2.Port.tcp(self.port)) backend_store_id = f"{self.stack_name}-{self.component_id}-backend-store" self.database = rds.DatabaseInstance( scope=self, id=backend_store_id, database_name=self.dbname, port=self.port, credentials=rds.Credentials.from_username( username=self.username, password=self.db_password_secret.secret_value ), engine=rds.DatabaseInstanceEngine.mysql(version=rds.MysqlEngineVersion.VER_8_0_19), instance_type=ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.SMALL), vpc=self.vpc, security_groups=[self.sg_rds], vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE_ISOLATED), # multi_az=True, removal_policy=RemovalPolicy.DESTROY, deletion_protection=False, )
def __init__(self, scope: core.Construct, id: str, vpc: aws_ec2.Vpc, **kwargs) -> None: super().__init__(scope, id, **kwargs) _subnets = [] _subnets.append( aws_ec2.Subnet(self, 'sbn-redshift-1', availability_zone=vpc.availability_zones[0], vpc_id=vpc.vpc_id, cidr_block='10.0.4.0/25')) _subnets.append( aws_ec2.Subnet(self, 'sbn-redshift-2', availability_zone=vpc.availability_zones[1], vpc_id=vpc.vpc_id, cidr_block='10.0.4.128/25')) _cluster_subnet_group = aws_redshift.ClusterSubnetGroup( self, 'deta-pipeline-redshift-subnet', description='redshift cluster subnet', vpc=vpc, vpc_subnets=aws_ec2.SubnetSelection(subnets=_subnets)) aws_redshift.Cluster( self, 'destination-redshift', master_user=aws_redshift.Login(master_username='******'), vpc=vpc, subnet_group=_cluster_subnet_group)
def __init__(self, scope: core.Construct, id: str, props, **kwargs) -> None: super().__init__(scope, id, **kwargs) vpc = props['vpc_dr'] internal_sg = props['internal_sg_dr'] bastion_sg = props['bastion_sg_dr'] # Bastion用EC2ホスト bastion_windows = ec2.Instance( self, 'Bastion', instance_type=ec2.InstanceType('t3.large'), machine_image=ec2.MachineImage.latest_windows( version=ec2.WindowsVersion. WINDOWS_SERVER_2016_JAPANESE_FULL_BASE), key_name=self.node.try_get_context('key_name'), vpc=vpc, vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PUBLIC), security_group=internal_sg) bastion_windows.role.add_managed_policy( iam.ManagedPolicy.from_aws_managed_policy_name( 'AmazonSSMManagedInstanceCore')) bastion_windows.add_security_group(bastion_sg) self.output_props = props.copy()
def build_file_system( scope: core.Construct, name: str, efs_life_cycle: str, vpc: ec2.IVpc, efs_security_group: ec2.ISecurityGroup, subnets: List[ec2.ISubnet], team_kms_key: kms.Key, ) -> efs.FileSystem: fs_name: str = f"orbit-{name}-fs" efs_fs: efs.FileSystem = efs.FileSystem( scope=scope, id=fs_name, file_system_name=fs_name, vpc=vpc, encrypted=True, lifecycle_policy=efs.LifecyclePolicy[efs_life_cycle] if efs_life_cycle else None, performance_mode=efs.PerformanceMode.GENERAL_PURPOSE, throughput_mode=efs.ThroughputMode.BURSTING, security_group=efs_security_group, vpc_subnets=ec2.SubnetSelection(subnets=subnets), kms_key=cast(Optional[kms.IKey], team_kms_key), ) return efs_fs
def setup_emqx(self, N, vpc, zone, sg, key): self.emqx_vms = [] for n in range(0, N): name = "emqx-%d" % n vm = ec2.Instance(self, id = name, instance_type = ec2.InstanceType(instance_type_identifier=emqx_ins_type), machine_image = linux_ami, user_data = ec2.UserData.custom(user_data), security_group = sg, key_name = key, vpc = vpc, vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE), ) self.emqx_vms.append(vm) r53.ARecord(self, id = name + '.int.emqx', record_name = name + '.int.emqx', zone = zone, target = r53.RecordTarget([vm.instance_private_ip]) ) # tagging if self.user_defined_tags: core.Tags.of(vm).add(*self.user_defined_tags) core.Tags.of(vm).add('service', 'emqx')
def __init__(self, scope: core.Construct, id: str, vpc, config, **kwargs) -> None: super().__init__(scope, id, **kwargs) prj_name = self.node.try_get_context("project_name") env_name = self.node.try_get_context("env") name = config['ec2']['name'] key = config['ec2']['ssh_key'] ubuntu_ami = ec2.GenericLinuxImage( {"ap-southeast-1": "ami-028be27cf930f7a43"}) # Create bastion host self.bastion = ec2.Instance( self, 'Instance', instance_type=ec2.InstanceType("t3.small"), instance_name=f"{name}-bastion", key_name=f"{key}", machine_image=ubuntu_ami, vpc=vpc, vpc_subnets=ec2.SubnetSelection( subnet_type=ec2.SubnetType.PRIVATE), ) self.bastion.apply_removal_policy(core.RemovalPolicy.DESTROY) self.bastion.connections.allow_from_any_ipv4( port_range=ec2.Port.tcp(22), description='Allow public SSH connections') self.bastion.connections.allow_from_any_ipv4( port_range=ec2.Port.icmp_ping(), description='Allow public ICMP ping') core.CfnOutput(self, f'{name}-private-ip', value=self.bastion.instance_private_ip)
def __init__(self, scope: core.Construct, construct_id: str, **kwargs) -> None: super().__init__(scope, construct_id, **kwargs) #import vpc info vpc = aws_ec2.Vpc.from_lookup(self, "vpc", vpc_id="vpc-1f39b977") #import user-data scripts with open("userdata_scripts/setup.sh", mode="r") as file: user_data = file.read() #get latest ami from any region aws_linux_ami = aws_ec2.MachineImage.latest_amazon_linux( generation=aws_ec2.AmazonLinuxGeneration.AMAZON_LINUX_2, edition=aws_ec2.AmazonLinuxEdition.STANDARD, storage=aws_ec2.AmazonLinuxStorage.EBS, virtualization=aws_ec2.AmazonLinuxVirt.HVM) #ec2 test_server = aws_ec2.Instance( self, "ec2id", instance_type=aws_ec2.InstanceType( instance_type_identifier="t2.micro"), instance_name="TestServer01", machine_image=aws_linux_ami, vpc=vpc, vpc_subnets=aws_ec2.SubnetSelection( subnet_type=aws_ec2.SubnetType.PUBLIC), key_name="SAA-C01", user_data=aws_ec2.UserData.custom(user_data)) #add custom ebs for ec2 test_server.instance.add_property_override( "BlockDeviceMappings", [{ "DeviceName": "/dev/sdb", "Ebs": { "VolumeSize": "10", "VolumeType": "io1", "Iops": "100", "DeleteOnTermination": "true" } }]) #allow web traffic test_server.connections.allow_from_any_ipv4( aws_ec2.Port.tcp(80), description="allow web traffic") # add permission to instances profile test_server.role.add_managed_policy( aws_iam.ManagedPolicy.from_aws_managed_policy_name( "AmazonSSMManagedInstanceCore")) test_server.role.add_managed_policy( aws_iam.ManagedPolicy.from_aws_managed_policy_name( "AmazonS3ReadOnlyAccess")) output_server_ip = core.CfnOutput(self, "serverip01", description="test server ip", value=test_server.instance_public_ip)
def __init__(self, app: core.App, id: str, **kwargs) -> None: super().__init__(app, id, **kwargs) vpc = ec2.Vpc(self, "VPC") # Security group for our test instance my_sg = ec2.SecurityGroup(self, "my_sg", vpc=vpc, description="My sg for testing", allow_all_outbound=True) # Add ssh from anywhere my_sg.add_ingress_rule(ec2.Peer.any_ipv4(), ec2.Port.tcp(22), "Allow ssh access from anywhere") asg = autoscaling.AutoScalingGroup( self, "ASG", vpc=vpc, instance_type=ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.MICRO), machine_image=ec2.AmazonLinuxImage(), ) asg.add_security_group(my_sg) # add our security group, expects object ## Classic Elastic Load Balancer #lb = elb.LoadBalancer( # self, "ELB", # vpc=vpc, # internet_facing=True, # health_check={"port": 22} #) #lb.add_target(asg) # #listener = lb.add_listener( # external_port=8000, # external_protocol=elb.LoadBalancingProtocol.TCP, # internal_port=22, # internal_protocol=elb.LoadBalancingProtocol.TCP #) #listener.connections.allow_default_port_from_any_ipv4("Open to the world") # Network Load Balancer nlb = elbv2.NetworkLoadBalancer( self, "NLB", vpc=vpc, internet_facing=True, cross_zone_enabled=True, vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PUBLIC)) my_target = elbv2.NetworkTargetGroup(self, "MyTargetGroup", port=22, vpc=vpc) listener = nlb.add_listener("Listener", port=8000, default_target_groups=[my_target]) my_target.add_target(asg)
def create_asg_by_service(self, name, userdata_path, key_name, port): role = self.output_props["default_role"] sg = self.output_props["sg"] nlb = self.output_props["nlb"] userdata = ec2.UserData.for_linux() with open(userdata_path, "rb") as f: userdata.add_commands(str(f.read(), 'utf-8')) asg = autoscaling.AutoScalingGroup( self, name, vpc=self.output_props['vpc'], instance_type=ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE3, ec2.InstanceSize.MICRO), machine_image=ec2.AmazonLinuxImage( generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2), key_name=key_name, vpc_subnets=ec2.SubnetSelection( subnet_type=ec2.SubnetType.PRIVATE), user_data=userdata, security_group=sg, spot_price="0.005", min_capacity=1, max_capacity=3, desired_capacity=1, role=role, ) nlb.add_listener(name, port=port, protocol=lb.Protocol.TCP) \ .add_targets(name, port=port, targets=[asg])
def create_asg(self, vpc): asg = autoscaling.AutoScalingGroup( self, 'SingleInstanceAsg', vpc=vpc, machine_image=ecs.EcsOptimizedAmi(), instance_type=ec2.InstanceType('t2.micro'), vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PUBLIC), associate_public_ip_address=True, # We only need 1 instance in the ASG max_capacity=1, desired_capacity=1, ) security_group = ec2.SecurityGroup( self, 'GhostSg', vpc=vpc, ) # Allow ingress traffic to port 80 security_group.add_ingress_rule( peer=ec2.Peer.any_ipv4(), connection=ec2.Port.tcp(80), ) # Allow NFS traffic for mounting EFS volumes security_group.add_ingress_rule(peer=ec2.Peer.ipv4('10.0.0.0/16'), connection=ec2.Port.tcp(2049)) asg.add_security_group(security_group) return asg
def __init__(self, scope: core.Construct, id: str, vpc, **kwargs) -> None: super().__init__(scope, id, **kwargs) prj_name = self.node.try_get_context("project_name") env_name = self.node.try_get_context("env") rds_sg = ec2.SecurityGroup(self, 'rds-sg', vpc=vpc, security_group_name=prj_name + env_name + '-rds-sg', description="SG for RDS", allow_all_outbound=True) for subnet in vpc.private_subnets: rds_sg.add_ingress_rule( peer=ec2.Peer.ipv4(subnet.ipv4_cidr_block), connection=ec2.Port.tcp(3306), description='Allow all private subnet to access RDS') db_mysql = rds.DatabaseCluster( self, 'mysql', default_database_name=prj_name + env_name, engine=rds.DatabaseClusterEngine.aurora_mysql( version=rds.AuroraMysqlEngineVersion.VER_5_7_12), instances=1, instance_props=rds.InstanceProps( vpc=vpc, instance_type=ec2.InstanceType( instance_type_identifier="t3.small"), vpc_subnets=ec2.SubnetSelection( subnet_type=ec2.SubnetType.PRIVATE)), removal_policy=core.RemovalPolicy.DESTROY)
def _create_network(self): """ Create VPC, PrivateSubnet, SecrityGroup for RDS """ public_subnet_config = ec2.SubnetConfiguration( cidr_mask=24, name=f"{self.name_prefix}-subnet-public", subnet_type=ec2.SubnetType.PUBLIC) private_subnet_config = ec2.SubnetConfiguration( cidr_mask=24, name=f"{self.name_prefix}-subnet-private", subnet_type=ec2.SubnetType.PRIVATE_WITH_NAT) self.vpc = ec2.Vpc( self, "VPC", cidr=self.context['vpc']['cidr'], subnet_configuration=[public_subnet_config, private_subnet_config], nat_gateways=1, max_azs=2) self.security_group = ec2.SecurityGroup( self, "SecurityGroupForRDS", vpc=self.vpc, security_group_name=f"{self.name_prefix}-security-group-name") self.security_group.add_ingress_rule( self.security_group, ec2.Port.tcp(3306), "allow access from my security group") self.subnet_selection = ec2.SubnetSelection( one_per_az=False, subnets=self.vpc.private_subnets, )
def __init__(self, scope: core.Construct, id: str, vpc, sg, redissg, kmskey, **kwargs) -> None: super().__init__(scope, id, **kwargs) rdskey = kms.Key.from_key_arn(self, "rdskey", key_arn=kmskey) db_mysql = rds.DatabaseCluster( self, "Dev_MySQL", default_database_name="msadev", engine=rds.DatabaseClusterEngine.AURORA_MYSQL, engine_version="5.7.12", master_user=rds.Login(username="******"), instance_props=rds.InstanceProps( vpc=vpc, vpc_subnets=ec2.SubnetSelection( subnet_type=ec2.SubnetType.ISOLATED), instance_type=ec2.InstanceType( instance_type_identifier="t3.medium")), instances=1, parameter_group=rds.ClusterParameterGroup. from_parameter_group_name( self, "paramter-group-msadev", parameter_group_name="default.aurora-mysql5.7"), kms_key=rdskey) sgId = ec2.SecurityGroup.from_security_group_id(self, "sgid", sg) redis_sg = ec2.SecurityGroup.from_security_group_id( self, "redissgid", redissg) db_mysql.connections.allow_default_port_from(sgId, "Access from Bastion") db_mysql.connections.allow_default_port_from(redis_sg, "Access from Redis")
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: super().__init__(scope, id, **kwargs) vpc = ec2.Vpc(self, 'vpc1' ) bucket_name = 'my-cdk-bucket' s3.Bucket(self, bucket_name, bucket_name=bucket_name, access_control=s3.BucketAccessControl.PUBLIC_READ_WRITE, removal_policy=RemovalPolicy.DESTROY) ec2.Volume(self, 'vol1', availability_zone='us-east-1a', size=core.Size.gibibytes(8)) sg = ec2.SecurityGroup(self, 'sg1', vpc=vpc) sg.add_ingress_rule(Peer.any_ipv4(), Port.tcp(22)) kms.Key(self, 'kms1') rds.DatabaseInstance(self, 'rds1', engine=rds.DatabaseInstanceEngine.postgres(version=PostgresEngineVersion.VER_12), master_username='******', vpc=vpc, vpc_placement=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PUBLIC))
def __init__(self, scope: core.Construct, construct_id: str, vpc, ec2_capacity=False, **kwargs) -> None: super().__init__(scope, construct_id, **kwargs) self.cluster = ecs.Cluster(self, "CdkCluster", cluster_name="cdk-ecs", vpc=vpc) if ec2_capacity: key_name = os.getenv("EC2_KEY_PAIR_NAME") asg = self.cluster.add_capacity("CdkClusterCapacity", instance_type=ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE3_AMD, ec2.InstanceSize.SMALL), key_name=key_name, cooldown=cdk_core.Duration.seconds(30), min_capacity=1, max_capacity=5) # note: CDK doesn't support ECS capacity providers yet asg.scale_to_track_metric("CpuReservationScalingPolicy", metric=self.cluster.metric_cpu_reservation(), target_value=50) asg.scale_to_track_metric("MemoryReservationScalingPolicy", metric=self.cluster.metric_memory_reservation(), target_value=50) bastion = ec2.BastionHostLinux(self, "CdkBastion", vpc=vpc, subnet_selection=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PUBLIC)) bastion.allow_ssh_access_from(ec2.Peer.any_ipv4()) bastion.instance.instance.key_name = key_name asg.connections.allow_from(bastion, ec2.Port.tcp(22))
def __init__(self, scope: core.Construct, id: str, vpc: ec2.Vpc, sg: ec2.ISecurityGroup, stage={}, **kwargs) -> None: super().__init__(scope, id, **kwargs) prefix_name = f'{stage["vpc_prefix"]}-{stage["stage_name"]}-{self.node.try_get_context("customer")}' bastion_host = ec2.Instance( self, f'{prefix_name}-public-bastion', instance_type=ec2.InstanceType('t3.micro'), machine_image=ec2.AmazonLinuxImage( edition=ec2.AmazonLinuxEdition.STANDARD, generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2, virtualization=ec2.AmazonLinuxVirt.HVM, storage=ec2.AmazonLinuxStorage.GENERAL_PURPOSE), vpc=vpc, key_name=stage["key_name"], vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PUBLIC), security_group=sg) core.Tags.of(bastion_host).add("Name", f'{prefix_name}-public-bastion') core.CfnOutput(self, 'my-bastion-id', value=bastion_host.instance_id)
def __init__(self, scope: core.Construct, id: str, vpc, **kwargs) -> None: super().__init__(scope, id, **kwargs) amzn_linux = ec2.MachineImage.latest_amazon_linux( generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX, edition=ec2.AmazonLinuxEdition.STANDARD, virtualization=ec2.AmazonLinuxVirt.HVM, storage=ec2.AmazonLinuxStorage.GENERAL_PURPOSE) linux = ec2.MachineImage.generic_linux( {"ap-south-1": "ami-0b9d66ddb2a9f47d1"}) data = open("./scripts/userdata/userdata.sh", "rb").read() user_data = ec2.UserData.for_linux() user_data.add_commands(str(data, 'utf-8')) self.auto_scaling_group = autoscaling.AutoScalingGroup( self, "FirstASG", instance_type=ec2.InstanceType('t2.micro'), machine_image=ec2.AmazonLinuxImage( generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2), vpc=vpc, user_data=user_data, desired_capacity=6, key_name="ap-south-1", min_capacity=1, vpc_subnets=ec2.SubnetSelection( availability_zones=["ap-south-1a", "ap-south-1b"]))
def __init__(self, scope: core.Construct, id: str, vpc: ec2.IVpc, config: dict, region: str, **kwargs): super().__init__(scope, id, **kwargs) self._region = region ### EC2 Server for Jenkins image = ec2.GenericLinuxImage( { region: config["ami_id"], }, ) self._role = iam.Role(self, "InstanceRole", assumed_by=iam.ServicePrincipal("ec2.amazonaws.com")) for policy in config["iam_role_policies"]: self._role.add_managed_policy(iam.ManagedPolicy.from_aws_managed_policy_name(policy)) subnet = vpc.select_subnets(subnet_type=ec2.SubnetType.PRIVATE).subnets[0] subnet_selection = ec2.SubnetSelection(subnets=[subnet]) self.security_group = ec2.SecurityGroup( self, "EC2SG", vpc=vpc ) self._instance = ec2.Instance( self, "EC2", instance_type=ec2.InstanceType(config["instance_type"]), machine_image=image, vpc=vpc, vpc_subnets=subnet_selection, role=self._role, security_group=self.security_group ) core.CfnOutput(self, "CodeServerInstanceID", value=self._instance.instance_id)
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: super().__init__(scope, id, **kwargs) vpc = _ec2.Vpc.from_lookup(self, "importedVPC", vpc_id="vpc-d0a193aa") # Read BootStrap Script with open("bootstrap_scripts/install_httpd.sh", mode="r") as file: user_data = file.read() # WebServer Instance 001 web_server = _ec2.Instance( self, "WebServer001Id", instance_type=_ec2.InstanceType( instance_type_identifier="t2.micro"), instance_name="WebServer001", machine_image=_ec2.MachineImage.generic_linux( {"us-east-1": "ami-0fc61db8544a617ed"}), vpc=vpc, vpc_subnets=_ec2.SubnetSelection( subnet_type=_ec2.SubnetType.PUBLIC), user_data=_ec2.UserData.custom(user_data)) output_1 = core.CfnOutput( self, "webServer001Ip", description="WebServer Public Ip Address", value=f"http://{web_server.instance_public_ip}") # Allow Web Traffic to WebServer web_server.connections.allow_from_any_ipv4( _ec2.Port.tcp(80), description="Allow Web Traffic")
def __init__(self, scope: core.Construct, construct_id: str, **kwargs) -> None: super().__init__(scope, construct_id, **kwargs) # vpc self.vpc = ec2.Vpc( self, "Vpc", max_azs=2, subnet_configuration=[ ec2.SubnetConfiguration(subnet_type=ec2.SubnetType.PUBLIC, name="Public", cidr_mask=24), ec2.SubnetConfiguration(subnet_type=ec2.SubnetType.PRIVATE, name="Private", cidr_mask=24) ], nat_gateway_provider=ec2.NatProvider.gateway(), nat_gateways=2, ) core.CfnOutput(self, "VpcID", value=self.vpc.vpc_id) self.load_balancer = elbv2.ApplicationLoadBalancer( self, "ExternalEndpoint", vpc=self.vpc, internet_facing=True, vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PUBLIC), ) core.CfnOutput(self, "ExternalDNSName", value=self.load_balancer.load_balancer_dns_name)