def __init__(self, scope: core.Construct, id: str, vpc,
asg_security_groups, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
# Creat DB Low Level API - MySQL M-AZs
db_security_group = ec2.CfnSecurityGroup(
self,
"dbSG",
group_description="All EC2 access DB",
group_name="DB_SG",
vpc_id=vpc.vpc_id)
for asg_sg in asg_security_groups:
ec2.CfnSecurityGroupIngress(
self,
"SG_ingress",
ip_protocol="tcp",
description="ASG EC2 access DB",
to_port=3306,
from_port=3306,
group_id=db_security_group.attr_group_id,
source_security_group_id=asg_sg.security_group_id)
subnet_ids = []
for i in vpc.isolated_subnets:
subnet_ids.append(i.subnet_id)
db_subnet_group = rds.CfnDBSubnetGroup(
self,
"db_subnet",
db_subnet_group_description="DB_subnet",
db_subnet_group_name="db_subnet",
subnet_ids=subnet_ids)
db_mysql = rds.CfnDBInstance(
self,
"MyDB",
db_name="mysqldb",
db_instance_class="db.t2.small",
allocated_storage="100",
storage_type="gp2",
engine="MySQL",
engine_version="5.7.22",
master_username=db_master_username,
master_user_password=db_master_user_password,
multi_az=True,
vpc_security_groups=[db_security_group.attr_group_id],
db_subnet_group_name=db_subnet_group.db_subnet_group_name,
backup_retention_period=7,
allow_major_version_upgrade=False,
enable_cloudwatch_logs_exports=[
"audit", "error", "general", "slowquery"
],
delete_automated_backups=False)
db_mysql.add_depends_on(db_subnet_group)
db_mysql.add_depends_on(db_security_group)
def create_rds_cluster(scope: core.Construct, stack_name: str, vpc: IVpc,
database_name: str, database_username: str,
datbase_password: str, database_encrypted: bool):
subnet_ids = []
for subnet in vpc.private_subnets:
subnet_ids.append(subnet.subnet_id)
db_subnet_group = rds.CfnDBSubnetGroup(
scope=scope,
id='dbSubnetGroup',
db_subnet_group_description='Subnet group to access RDS',
db_subnet_group_name=stack_name,
subnet_ids=subnet_ids,
)
db_scurity_group = ec2.SecurityGroup(
scope=scope,
id='dbSecurityGroup',
vpc=vpc,
allow_all_outbound=True,
description=stack_name,
)
db_scurity_group.add_ingress_rule(ec2.Peer.any_ipv4(), ec2.Port.tcp(5432))
database = rds.CfnDBCluster(
scope=scope,
id='database',
database_name=database_name,
db_cluster_identifier=stack_name,
engine=rds.DatabaseInstanceEngine.POSTGRES,
engine_mode='serverless',
master_username=database_username,
master_user_password=core.SecretValue.plain_text(
datbase_password).to_string(),
port=5432,
db_subnet_group_name=db_subnet_group.db_subnet_group_name,
vpc_security_group_ids=[db_scurity_group.security_group_id],
storage_encrypted=database_encrypted,
scaling_configuration=rds.CfnDBCluster.ScalingConfigurationProperty(
auto_pause=True,
max_capacity=2,
min_capacity=1,
seconds_until_auto_pause=3600,
))
database.add_depends_on(db_subnet_group)
return database
def __init__(self, scope: core.Construct, id: str, secret_param, db_param, vpc, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
secret = rds.DatabaseSecret(self,id="MasterUserSecret",username='******')
ssm.StringParameter(self, "Secrete_Parameter", parameter_name=secret_param, string_value= secret.secret_arn)
dbSubnetGroup = rds.CfnDBSubnetGroup (self, 'AuroraSubnetGroup',
db_subnet_group_description = 'Subnet group to access aurora',
subnet_ids = vpc.subnet_list,
db_subnet_group_name = 'aurora-subnet-group'
)
self.aurora_serverless = rds.CfnDBCluster(self, 'Serverless DB',
master_username=secret.secret_value_from_json("username").to_string(),
master_user_password=secret.secret_value_from_json("password").to_string(),
engine = 'aurora',
engine_mode = 'serverless',
enable_http_endpoint = True,
db_subnet_group_name = dbSubnetGroup.db_subnet_group_name,
port = 3306,
vpc_security_group_ids = [vpc.security_group.security_group_id],
scaling_configuration=rds.CfnDBCluster.ScalingConfigurationProperty(
auto_pause=True,
min_capacity=1,
max_capacity=2,
seconds_until_auto_pause=300
)
)
self.aurora_serverless.node.add_dependency(dbSubnetGroup)
self.aurora_serverless.node.add_dependency(vpc.security_group)
secret_attached = sm.CfnSecretTargetAttachment(
self,
id="secret_attachment",
secret_id=secret.secret_arn,
target_id=self.aurora_serverless.ref,
target_type="AWS::RDS::DBCluster",
)
secret_attached.node.add_dependency(self.aurora_serverless)
cluster_arn= "arn:aws:rds:{}:{}:cluster:{}".format(self.region,self.account,self.aurora_serverless.ref)
ssm.StringParameter(self, "Database_Parameter", parameter_name=db_param, string_value= cluster_arn)
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
# Exercise 9
db_password_parameters = core.CfnParameter(
self,
"DBPassword",
no_echo=True,
description="New account and RDS password",
min_length=1,
max_length=41,
constraint_description=
"the password must be between 1 and 41 characters",
default="DBPassword")
# DBSecurityGroup:
db_security_group = ec2.CfnSecurityGroup(
self,
"DBSecurityGroup",
group_description="DB traffic",
vpc_id=core.Fn.import_value("VPC"),
security_group_ingress=[{
"ipProtocol":
"tcp",
"fromPort":
3306,
"toPort":
3306,
"sourceSecurityGroupId":
core.Fn.import_value("WebSecurityGroupOutput"),
}, {
"ipProtocol":
"tcp",
"fromPort":
3306,
"toPort":
3306,
"sourceSecurityGroupId":
core.Fn.import_value("EdxProjectCloud9Sg"),
}, {
"ipProtocol":
"tcp",
"fromPort":
3306,
"toPort":
3306,
"sourceSecurityGroupId":
core.Fn.import_value("LambdaSecurityGroupOutput"),
}],
security_group_egress=[{
"ipProtocol": "tcp",
"fromPort": 0,
"toPort": 65535,
"cidrIp": "0.0.0.0/0"
}],
)
# MyDBSubnetGroup
my_db_subnet_group = rds.CfnDBSubnetGroup(
self,
"DBSubnetGroup",
db_subnet_group_description="MyDBSubnetGroup",
subnet_ids=[
core.Fn.import_value("PrivateSubnet1"),
core.Fn.import_value("PrivateSubnet2")
])
# RDSCluster
rds_cluster = rds.CfnDBCluster(
self,
"RDSCluster",
db_cluster_identifier="edx-photos-db",
database_name="Photos",
master_username="******",
master_user_password=db_password_parameters.value_as_string,
engine_mode="serverless",
scaling_configuration={
"autoPause": True,
"maxCapacity": 4,
"minCapacity": 2
},
engine="aurora",
db_subnet_group_name=my_db_subnet_group.ref,
vpc_security_group_ids=[db_security_group.ref])
rds_cluster.apply_removal_policy(core.RemovalPolicy.DESTROY)
# Output
core.CfnOutput(self,
"MyDBEndpoint",
value=rds_cluster.attr_endpoint_address,
description="MyDB Endpoint",
export_name="MyDBEndpoint")
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
# The code that defines your stack goes here
# Create a VPC
myvpc = ec2.Vpc(self, "CDKVPC", cidr=vars.cidr)
# SG for ELB creation
websitefrontendSG = ec2.SecurityGroup(
self,
'websitefrontendSG',
vpc=myvpc,
security_group_name='websitefrontendSG')
websitefrontendSG.add_ingress_rule(peer=ec2.Peer.ipv4('0.0.0.0/0'),
connection=ec2.Port.tcp(80))
websitefrontendSG.add_ingress_rule(peer=ec2.Peer.ipv4('0.0.0.0/0'),
connection=ec2.Port.tcp(443))
# Create ALB in VPC
alb = elb.ApplicationLoadBalancer(
self,
'websitefrontend-public',
vpc=myvpc,
load_balancer_name='websitefrontend-public',
security_group=websitefrontendSG,
internet_facing=True)
# Add target group to ALB
catalogtargetgroup = elb.ApplicationTargetGroup(
self,
'CatalogTargetGroup',
port=80,
vpc=myvpc,
target_type=elb.TargetType.IP)
if not vars.sslcert:
# Add http listener to ALB
alblistenerhttp = elb.ApplicationListener(
self,
'alblistenerhttp',
load_balancer=alb,
default_target_groups=[catalogtargetgroup],
port=80)
if vars.sslcert:
# Add http listener to ALB
alblistenerhttp = elb.ApplicationListener(self,
'alblistenerhttp',
load_balancer=alb,
port=80)
elb.ApplicationListenerRule(self,
'httpredirectionrule',
listener=alblistenerhttp,
redirect_response=elb.RedirectResponse(
status_code='HTTP_301',
port='443',
protocol='HTTPS'))
# OPTIONAL - Add https listener to ALB & attach certificate
alblistenerhttps = elb.ApplicationListener(
self,
'alblistenerhttps',
load_balancer=alb,
default_target_groups=[catalogtargetgroup],
port=443,
certificate_arns=[vars.sslcert_arn])
# OPTIONAL - Redirect HTTP to HTTPS
alblistenerhttp.add_redirect_response(id='redirectionrule',
port='443',
status_code='HTTP_301',
protocol='HTTPS')
if vars.customdomain:
# OPTIONAL - Update DNS with ALB
webshopxyz_zone = r53.HostedZone.from_hosted_zone_attributes(
self,
id='customdomain',
hosted_zone_id=vars.hosted_zone_id,
zone_name=vars.zone_name)
webshop_root_record = r53.ARecord(
self,
'ALBAliasRecord',
zone=webshopxyz_zone,
target=r53.RecordTarget.from_alias(
alias.LoadBalancerTarget(alb)))
# SG for ECS creation
ECSSG = ec2.SecurityGroup(self,
'ECSSecurityGroup',
vpc=myvpc,
security_group_name='ECS')
ECSSG.add_ingress_rule(peer=websitefrontendSG,
connection=ec2.Port.tcp(80))
# SG for MySQL creation
MySQLSG = ec2.SecurityGroup(self,
'DBSecurityGroup',
vpc=myvpc,
security_group_name='DB')
MySQLSG.add_ingress_rule(peer=ECSSG, connection=ec2.Port.tcp(3306))
# Create DB subnet group
subnetlist = []
for subnet in myvpc.private_subnets:
subnetlist.append(subnet.subnet_id)
subnetgr = rds.CfnDBSubnetGroup(
self,
'democlustersubnetgroup',
db_subnet_group_name='democlustersubnetgroup',
db_subnet_group_description='DemoCluster',
subnet_ids=subnetlist)
# Create secret db passwd
secret = sm.SecretStringGenerator(
exclude_characters="\"'@/\\",
secret_string_template='{"username": "******"}',
generate_string_key='password',
password_length=40)
dbpass = sm.Secret(self,
'democlusterpass',
secret_name='democlusterpass',
generate_secret_string=secret)
# Create Aurora serverless MySQL instance
dbcluster = rds.CfnDBCluster(
self,
'DemoCluster',
engine='aurora',
engine_mode='serverless',
engine_version='5.6',
db_cluster_identifier='DemoCluster',
master_username=dbpass.secret_value_from_json(
'username').to_string(),
master_user_password=dbpass.secret_value_from_json(
'password').to_string(),
storage_encrypted=True,
port=3306,
vpc_security_group_ids=[MySQLSG.security_group_id],
scaling_configuration=rds.CfnDBCluster.
ScalingConfigurationProperty(auto_pause=True,
max_capacity=4,
min_capacity=1,
seconds_until_auto_pause=300),
db_subnet_group_name=subnetgr.db_subnet_group_name)
dbcluster.add_override('DependsOn', 'democlustersubnetgroup')
# Attach database to secret
attach = sm.CfnSecretTargetAttachment(
self,
'RDSAttachment',
secret_id=dbpass.secret_arn,
target_id=dbcluster.ref,
target_type='AWS::RDS::DBCluster')
# Upload image into ECR repo
ecrdemoimage = ecra.DockerImageAsset(self,
'ecrdemoimage',
directory='../',
repository_name='demorepo',
exclude=['cdk.out'])
# Create ECS fargate cluster
ecscluster = ecs.Cluster(self, "ecsCluster", vpc=myvpc)
# Create task role for productsCatalogTask
getsecretpolicystatement = iam.PolicyStatement(actions=[
"secretsmanager:GetResourcePolicy",
"secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret",
"secretsmanager:ListSecretVersionIds"
],
resources=[
dbpass.secret_arn
],
effect=iam.Effect.ALLOW)
getsecretpolicydocument = iam.PolicyDocument(
statements=[getsecretpolicystatement])
taskrole = iam.Role(
self,
'TaskRole',
assumed_by=iam.ServicePrincipal('ecs-tasks.amazonaws.com'),
role_name='TaskRoleforproductsCatalogTask',
inline_policies=[getsecretpolicydocument])
# Create task definition
taskdefinition = ecs.FargateTaskDefinition(self,
'productsCatalogTask',
cpu=1024,
memory_limit_mib=2048,
task_role=taskrole)
# Add container to task definition
productscatalogcontainer = taskdefinition.add_container(
'productscatalogcontainer',
image=ecs.ContainerImage.from_docker_image_asset(
asset=ecrdemoimage),
environment={
"region": vars.region,
"secretname": "democlusterpass"
})
productscatalogcontainer.add_port_mappings(
ecs.PortMapping(container_port=80, host_port=80))
# Create service and associate it with the cluster
catalogservice = ecs.FargateService(
self,
'catalogservice',
task_definition=taskdefinition,
assign_public_ip=False,
security_group=ECSSG,
vpc_subnets=ec2.SubnetSelection(subnets=myvpc.select_subnets(
subnet_type=ec2.SubnetType.PRIVATE).subnets),
cluster=ecscluster,
desired_count=2)
# Add autoscaling to the service
scaling = catalogservice.auto_scale_task_count(max_capacity=20,
min_capacity=1)
scaling.scale_on_cpu_utilization(
'ScaleOnCPU',
target_utilization_percent=70,
scale_in_cooldown=core.Duration.seconds(amount=1),
scale_out_cooldown=core.Duration.seconds(amount=0))
# Associate the fargate service with load balancer targetgroup
catalogservice.attach_to_application_target_group(catalogtargetgroup)
def __init__(self, scope: core.Construct, id: str, vpc, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
db_master_user_name = "admin_user"
secret = rds.DatabaseSecret(self,
id="MasterUserSecret",
username=db_master_user_name)
subnet_ids = []
for subnet in vpc.isolated_subnets:
subnet_ids.append(subnet.subnet_id)
subnet_group = rds.CfnDBSubnetGroup(
self,
id="AuroraServerlessSubnetGroup",
db_subnet_group_description=
'Aurora Postgres Serverless Subnet Group',
subnet_ids=subnet_ids,
db_subnet_group_name=
'auroraserverlesssubnetgroup' # needs to be all lowercase
)
db_cluster_name = "aurora-serverless-postgres-db"
security_group = ec2.SecurityGroup(
self,
id="SecurityGroup",
vpc=vpc,
description="Allow ssh access to ec2 instances",
allow_all_outbound=True)
security_group.add_ingress_rule(ec2.Peer.ipv4('10.0.0.0/16'),
ec2.Port.tcp(5432),
"allow psql through")
self.db = rds.CfnDBCluster(
self,
id="AuroraServerlessDB",
engine=rds.DatabaseClusterEngine.AURORA_POSTGRESQL.name,
engine_mode="serverless",
db_subnet_group_name=subnet_group.db_subnet_group_name,
vpc_security_group_ids=[security_group.security_group_id],
availability_zones=vpc.availability_zones,
db_cluster_identifier=db_cluster_name,
#db_cluster_parameter_group_name=
database_name="slsdb",
master_username=secret.secret_value_from_json(
"username").to_string(),
master_user_password=secret.secret_value_from_json(
"password").to_string(),
port=5432,
deletion_protection=False,
scaling_configuration=rds.CfnDBCluster.
ScalingConfigurationProperty(auto_pause=True,
min_capacity=2,
max_capacity=16,
seconds_until_auto_pause=300),
enable_cloudwatch_logs_exports=[
"error", "general", "slowquery", "audit"
],
enable_http_endpoint=True
#kms_key_id=
#tags=
)
self.db.node.add_dependency(subnet_group)
self.db.node.add_dependency(security_group)
#secret_attached = secret.attach(target=self)
#secret.add_target_attachment(id="secret_attachment", target=self.db)
secret_attached = sm.CfnSecretTargetAttachment(
self,
id="secret_attachment",
secret_id=secret.secret_arn,
target_id=self.db.ref,
target_type="AWS::RDS::DBCluster",
)
secret_attached.node.add_dependency(self.db)
core.CfnOutput(
self,
id="StackName",
value=self.stack_name,
description="Stack Name",
export_name=
f"{self.region}:{self.account}:{self.stack_name}:stack-name")
core.CfnOutput(
self,
id="DatabaseName",
value=self.db.database_name,
description="Database Name",
export_name=
f"{self.region}:{self.account}:{self.stack_name}:database-name")
core.CfnOutput(
self,
id="DatabaseClusterArn",
value=
f"arn:aws:rds:{self.region}:{self.account}:cluster:{self.db.ref}",
description="Database Cluster Arn",
export_name=
f"{self.region}:{self.account}:{self.stack_name}:database-cluster-arn"
)
core.CfnOutput(
self,
id="DatabaseSecretArn",
value=secret.secret_arn,
description="Database Secret Arn",
export_name=
f"{self.region}:{self.account}:{self.stack_name}:database-secret-arn"
)
core.CfnOutput(
self,
id="DatabaseClusterID",
value=self.db.db_cluster_identifier,
description="Database Cluster Id",
export_name=
f"{self.region}:{self.account}:{self.stack_name}:database-cluster-id"
)
core.CfnOutput(
self,
id="AuroraEndpointAddress",
value=self.db.attr_endpoint_address,
description="Aurora Endpoint Address",
export_name=
f"{self.region}:{self.account}:{self.stack_name}:aurora-endpoint-address"
)
core.CfnOutput(
self,
id="DatabaseMasterUserName",
value=db_master_user_name,
description="Database Master User Name",
export_name=
f"{self.region}:{self.account}:{self.stack_name}:database-master-username"
)
def __init__(self, scope: core.Construct, id: str, vpc, public_subnet_a, public_subnet_c, public_subnet_d, ec2_sg_id, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
prefix = "test"
# print(ec2_sg_id.ref)
# RdsSecurityGroup
RdsSecurityGroupStg = ec2.CfnSecurityGroup(self, "RdsSecurityGroupStg",
group_name = 'stg-'+prefix+'-db01',
group_description = 'stg-'+prefix+'-db01',
vpc_id = vpc.ref,
security_group_ingress = [
ec2.CfnSecurityGroup.IngressProperty(
ip_protocol="tcp",
to_port=3306,
from_port=3306,
cidr_ip='0.0.0.0/0',
),
ec2.CfnSecurityGroup.IngressProperty(
ip_protocol="tcp",
to_port=3306,
from_port=3306,
source_security_group_id=ec2_sg_id.ref,
),
],
security_group_egress = [
{
"ipProtocol" : "tcp",
"fromPort" : 0,
"toPort" : 65535,
"cidrIp" : "0.0.0.0/0"
}
],
)
# MyDBSubnetGroup
rds_subnet_group = rds.CfnDBSubnetGroup(self, "DBSubnetGroup",
db_subnet_group_description = "DBSubnetGroup",
subnet_ids = [
public_subnet_a.ref,
public_subnet_c.ref,
public_subnet_d.ref
]
)
DBParameterGroupStg = rds.CfnDBParameterGroup(self, "DBParameterGroupStg",
description = 'stg-'+prefix+'db01',
family = "MySQL5.6",
parameters = {
'character_set_client': "utf8",
'character_set_connection': "utf8",
'character_set_database': "utf8",
'character_set_results': "utf8",
'character_set_server': "utf8",
'collation_connection': "utf8_general_ci",
'collation_server': "utf8_general_ci",
'long_query_time': "1.2",
'slow_query_log': "1",
'time_zone': "Asia/Tokyo",
},
tags=[
core.CfnTag(key="Name", value='stg-'+prefix+'db01')
]
)
rds_params = {
'db_instance_identifier': "stg-test-db01",
'engine': "mysql",
'engine_version': '5.6.39',
'db_instance_class': 'db.t3.micro',
'allocated_storage': '5',
'storage_type': 'gp2',
'db_name': "test",
'master_username': "******",
'master_user_password': "******",
'db_subnet_group_name' : rds_subnet_group.ref,
'publicly_accessible': False,
'multi_az': False,
'preferred_backup_window': "18:00-18:30",
'preferred_maintenance_window': "sat:19:00-sat:19:30",
'auto_minor_version_upgrade': False,
'db_parameter_group_name': DBParameterGroupStg.ref,
'vpc_security_groups': [RdsSecurityGroupStg.ref],
'copy_tags_to_snapshot': True,
'backup_retention_period': 7,
# 'enable_performance_insights': True,
'delete_automated_backups': True,
'deletion_protection': False,
'availability_zone': "us-east-1a",
'enable_cloudwatch_logs_exports': ["error","slowquery"]
# 'storage_encrypted': False,
}
self.rds = rds.CfnDBInstance(self, 'staff-rds', **rds_params,
tags=[
core.CfnTag(key="Name", value='stg-'+prefix+'db01')
]
)
core.CfnOutput(self, "OutputVpc",
value=vpc.ref)
core.CfnOutput(self, "OutputRds",
value=self.rds.ref)
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
### VPC and subnets
vpc = ec2.Vpc(self,
"vpc",
cidr="172.20.0.0/24",
nat_gateways=0,
max_azs=2,
enable_dns_hostnames=True,
enable_dns_support=True,
subnet_configuration=[
ec2.SubnetConfiguration(
cidr_mask=26,
name="roundcube",
subnet_type=ec2.SubnetType.PUBLIC)
])
### Define an image and create instance
amzn_linux = ec2.MachineImage.latest_amazon_linux(
generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2,
edition=ec2.AmazonLinuxEdition.STANDARD,
virtualization=ec2.AmazonLinuxVirt.HVM,
storage=ec2.AmazonLinuxStorage.GENERAL_PURPOSE)
# Import role
route53_role = iam.Role.from_role_arn(
self, "role_id", "arn:aws:iam::585823398980:role/ec2WriteOvpnZone")
instance = ec2.Instance(self,
"instance",
instance_type=ec2.InstanceType("t3a.nano"),
machine_image=amzn_linux,
vpc=vpc,
role=route53_role,
key_name="roundcube-key")
instance.connections.allow_from(ec2.Peer.ipv4("109.255.202.235/32"),
ec2.Port.tcp(22), "Allow ssh")
instance.connections.allow_from(ec2.Peer.ipv4("109.255.202.235/32"),
ec2.Port.tcp(443), "Allow HTTPS")
### Aurora cluster
aurora_secret = sm.Secret(
self,
"secret",
generate_secret_string=sm.SecretStringGenerator(
generate_string_key="password",
secret_string_template='{"username": "******"}',
exclude_punctuation=True,
password_length=30))
# no l2 construct for serverless yet
db_subnet_list = []
for sn in vpc.public_subnets:
db_subnet_list.append(sn.subnet_id)
db_subnets = rds.CfnDBSubnetGroup(
self,
"db-subnet-group",
db_subnet_group_description="subnet group",
subnet_ids=db_subnet_list)
rds.CfnDBCluster(
self,
"db-cluster",
database_name="roundcube",
db_cluster_identifier="serverless-cluster",
master_username=aurora_secret.secret_value_from_json(
'username').to_string(),
master_user_password=aurora_secret.secret_value_from_json(
'password').to_string(),
engine="aurora",
engine_mode="serverless",
enable_http_endpoint=True,
scaling_configuration=rds.CfnDBCluster.
ScalingConfigurationProperty(
auto_pause=True,
min_capacity=1,
max_capacity=1,
seconds_until_auto_pause=900,
),
deletion_protection=False,
db_subnet_group_name=db_subnets.ref)
# rds.DatabaseCluster(self, "aurora_cluster",
# engine = rds.DatabaseClusterEngine.aurora_postgres(version = rds.AuroraPostgresEngineVersion.VER_11_7),
# default_database_name = "roundcube",
# #parameter_group = pgroup,
# master_user = rds.Login(username = "******"),
# removal_policy = core.RemovalPolicy.DESTROY,
# instance_props = rds.InstanceProps(
# vpc = vpc,
# instance_type = ec2.InstanceType.of(
# ec2.InstanceClass.MEMORY5,
# ec2.InstanceSize.LARGE
# )
# )
# )
### Resource group
rg.CfnGroup(self,
"env-group",
name="roundcube",
resource_query=rg.CfnGroup.ResourceQueryProperty(
type="TAG_FILTERS_1_0",
query=rg.CfnGroup.QueryProperty(
resource_type_filters=["AWS::AllSupported"],
tag_filters=[
rg.CfnGroup.TagFilterProperty(
key="resource-group", values=["roundcube"])
])))
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
prefix = "test"
cidr = "192.168.0.0/16"
# def name(s): return "{0}/{1}".format(prefix, s)
def name(s):
return "{0} {1}".format(prefix, s)
# VPC
self.vpc = ec2.CfnVPC(self,
"vpc",
cidr_block=cidr,
enable_dns_hostnames=True,
enable_dns_support=True,
tags=[core.CfnTag(key="Name", value=prefix)])
# InternetGateway
igw = ec2.CfnInternetGateway(
self, "igw", tags=[core.CfnTag(key="Name", value=prefix)])
igw_attachment = ec2.CfnVPCGatewayAttachment(
self,
"igw_attachment",
vpc_id=self.vpc.ref,
internet_gateway_id=igw.ref)
dhcpoptions = ec2.CfnDHCPOptions(
self,
"dhcpoptions",
domain_name="ec2.internal " + prefix,
domain_name_servers=["AmazonProvidedDNS"],
tags=[core.CfnTag(key="Name", value=prefix)])
dhcpoptionsassociation = ec2.CfnVPCDHCPOptionsAssociation(
self,
"dhcpoptionsassociation",
dhcp_options_id=dhcpoptions.ref,
vpc_id=self.vpc.ref)
# PrivateSubnetA
# private_subnet_a = ec2.CfnSubnet(
# self, "private_a",
# vpc_id=vpc.ref,
# cidr_block="192.168.0.0/24",
# availability_zone="ap-northeast-1a",
# tags=[
# core.CfnTag(key="Name", value=name("private_a"))
# ]
# )
# PrivateSubnetC
# private_subnet_c = ec2.CfnSubnet(
# self, "private_c",
# vpc_id=vpc.ref,
# cidr_block="192.168.1.0/24",
# availability_zone="ap-northeast-1c",
# tags=[
# core.CfnTag(key="Name", value=name("private_c"))
# ]
# )
# PublicSubnetA
self.public_subnet_a = ec2.CfnSubnet(
self,
"public_a",
vpc_id=self.vpc.ref,
cidr_block="192.168.0.0/20",
# availability_zone="ap-northeast-1a",
availability_zone="us-east-1a",
tags=[core.CfnTag(key="Name", value=prefix + " public_a")])
# PublicSubnetC
self.public_subnet_c = ec2.CfnSubnet(
self,
"public_c",
vpc_id=self.vpc.ref,
cidr_block="192.168.16.0/20",
availability_zone="us-east-1c",
tags=[core.CfnTag(key="Name", value=prefix + " public_c")])
self.public_subnet_d = ec2.CfnSubnet(
self,
"public_d",
vpc_id=self.vpc.ref,
cidr_block="192.168.32.0/20",
availability_zone="us-east-1d",
tags=[core.CfnTag(key="Name", value=prefix + " public_d")])
# EIP1 (for NATGW)
# eip1 = ec2.CfnEIP(
# self, "eip1",
# domain="vpc",
# )
# eip1.add_depends_on(igw_attachment)
# EIP2 (for NATGW)
# eip2 = ec2.CfnEIP(
# self, "eip2",
# domain="vpc",
# )
# eip2.add_depends_on(igw_attachment)
# NatGatewayA
# natgw_a = ec2.CfnNatGateway(
# self, "natgw_a",
# allocation_id=eip1.attr_allocation_id,
# subnet_id=self.public_subnet_a.ref,
# tags=[
# core.CfnTag(key="Name", value=name("natgw_a"))
# ]
# )
# NatGatewayC
# natgw_c = ec2.CfnNatGateway(
# self, "natgw_c",
# allocation_id=eip2.attr_allocation_id,
# subnet_id=public_subnet_c.ref,
# tags=[
# core.CfnTag(key="Name", value=name("natgw_c"))
# ]
# )
# RouteTable of PrivateSubnetA
# rtb_private_a = ec2.CfnRouteTable(
# self, "rtb_private_a",
# vpc_id=vpc.ref,
# tags=[
# core.CfnTag(key="Name", value=name("rtb_private_a"))
# ]
# )
# ec2.CfnSubnetRouteTableAssociation(
# self, "rtb_private_a_association",
# route_table_id=rtb_private_a.ref,
# subnet_id=private_subnet_a.ref
# )
# ec2.CfnRoute(
# self, "route_private_a",
# route_table_id=rtb_private_a.ref,
# destination_cidr_block="0.0.0.0/0",
# nat_gateway_id=natgw_a.ref
# )
# RouteTable of PrivateSubnetC
# rtb_private_c = ec2.CfnRouteTable(
# self, "rtb_private_c",
# vpc_id=vpc.ref,
# tags=[
# core.CfnTag(key="Name", value=name("rtb_private_c"))
# ]
# )
# ec2.CfnSubnetRouteTableAssociation(
# self, "rtb_private_c_association",
# route_table_id=rtb_private_c.ref,
# subnet_id=private_subnet_c.ref
# )
# ec2.CfnRoute(
# self, "route_private_c",
# route_table_id=rtb_private_c.ref,
# destination_cidr_block="0.0.0.0/0",
# nat_gateway_id=natgw_c.ref
# )
# RouteTable of PublicSubnetA
self.rtb_public_a = ec2.CfnRouteTable(
self,
"rtb_public_a",
vpc_id=self.vpc.ref,
tags=[core.CfnTag(key="Name", value=prefix + "rtb_public_a")])
ec2.CfnSubnetRouteTableAssociation(
self,
"rtb_public_a_association",
route_table_id=self.rtb_public_a.ref,
subnet_id=self.public_subnet_a.ref)
ec2.CfnSubnetRouteTableAssociation(
self,
"rtb_public_c_association",
route_table_id=self.rtb_public_a.ref,
subnet_id=self.public_subnet_c.ref)
ec2.CfnSubnetRouteTableAssociation(
self,
"rtb_public_d_association",
route_table_id=self.rtb_public_a.ref,
subnet_id=self.public_subnet_d.ref)
ec2.CfnRoute(self,
"route_public_a",
route_table_id=self.rtb_public_a.ref,
destination_cidr_block="0.0.0.0/0",
gateway_id=igw.ref)
# RouteTable of PublicSubnetC
# rtb_public_c = ec2.CfnRouteTable(
# self, "rtb_public_c",
# vpc_id=vpc.ref,
# tags=[
# core.CfnTag(key="Name", value=name("rtb_public_c"))
# ]
# )
# ec2.CfnSubnetRouteTableAssociation(
# self, "rtb_public_c_association",
# route_table_id=rtb_public_c.ref,
# subnet_id=public_subnet_c.ref
# )
# ec2.CfnRoute(
# self, "route_public_c",
# route_table_id=rtb_public_c.ref,
# destination_cidr_block="0.0.0.0/0",
# gateway_id=igw.ref
# )
ami_id = ec2.AmazonLinuxImage(generation=ec2.AmazonLinuxGeneration.
AMAZON_LINUX_2).get_image(self).image_id
# security_group = ec2.SecurityGroup(
# self,
# id='test',
# vpc=self.vpc,
# security_group_name='test-security-group'
# )
# security_group.add_ingress_rule(
# peer=ec2.Peer.ipv4(cidr),
# connection=ec2.Port.tcp(22),
# )
# red_web_inst = ec2.CfnInstance(self,
# "testInstance01",
# image_id = ami_id,
# instance_type = "t3a.micro",
# monitoring = False,
# key_name = "stg-intrinio-www01",
# security_group_ids=[security_group.security_group_id],
# block_device_mappings = [{
# "deviceName": "/dev/xvda",
# "ebs": {
# "volumeSize": 10,
# "volumeType": "io1",
# "iops": 150,
# "deleteOnTermination": True
# }
# }
# ],
# tags = [
# { "key": "Name", "value": prefix }
# ],
# network_interfaces = [{
# "deviceIndex": "0",
# "associatePublicIpAddress": True,
# "subnetId": self.public_subnet_a.ref,
# # "groupSet": [web_sg.security_group_id]
# }], #https: //github.com/aws/aws-cdk/issues/3419
# )
# RdsSecurityGroup
RdsSecurityGroupStg = ec2.CfnSecurityGroup(
self,
"RdsSecurityGroupStg",
group_name='stg-' + prefix + '-db01',
group_description='stg-' + prefix + '-db01',
vpc_id=self.vpc.ref,
security_group_ingress=[{
"ipProtocol": "tcp",
"fromPort": 3306,
"toPort": 3306,
"cidrIp": "0.0.0.0/0"
}],
security_group_egress=[{
"ipProtocol": "tcp",
"fromPort": 0,
"toPort": 65535,
"cidrIp": "0.0.0.0/0"
}],
)
# MyDBSubnetGroup
rds_subnet_group = rds.CfnDBSubnetGroup(
self,
"DBSubnetGroup",
db_subnet_group_description="DBSubnetGroup",
subnet_ids=[
self.public_subnet_a.ref, self.public_subnet_c.ref,
self.public_subnet_d.ref
])
DBParameterGroupStg = rds.CfnDBParameterGroup(
self,
"DBParameterGroupStg",
description='stg-' + prefix + 'db01',
family="MySQL5.6",
parameters={
'character_set_client': "utf8",
'character_set_connection': "utf8",
'character_set_database': "utf8",
'character_set_results': "utf8",
'character_set_server': "utf8",
'collation_connection': "utf8_general_ci",
'collation_server': "utf8_general_ci",
'long_query_time': "1.2",
'slow_query_log': "1",
'time_zone': "Asia/Tokyo",
},
tags=[core.CfnTag(key="Name", value='stg-' + prefix + 'db01')])
rds_params = {
'db_instance_identifier': "stg-test-db01",
'engine': "mysql",
'engine_version': '5.6.39',
'db_instance_class': 'db.t3.micro',
'allocated_storage': '5',
'storage_type': 'gp2',
'db_name': "test",
'master_username': "******",
'master_user_password': "******",
'db_subnet_group_name': rds_subnet_group.ref,
'publicly_accessible': False,
'multi_az': False,
'preferred_backup_window': "18:00-18:30",
'preferred_maintenance_window': "sat:19:00-sat:19:30",
'auto_minor_version_upgrade': False,
'db_parameter_group_name': DBParameterGroupStg.ref,
'vpc_security_groups': [RdsSecurityGroupStg.ref],
'copy_tags_to_snapshot': True,
'backup_retention_period': 7,
# 'enable_performance_insights': True,
'delete_automated_backups': True,
'deletion_protection': False,
'availability_zone': "us-east-1a",
'enable_cloudwatch_logs_exports': ["error", "slowquery"]
# 'storage_encrypted': False,
}
self.rds = rds.CfnDBInstance(
self,
'staff-rds',
**rds_params,
tags=[core.CfnTag(key="Name", value='stg-' + prefix + 'db01')])
core.CfnOutput(self, "OutputVpc", value=self.vpc.ref)
core.CfnOutput(self, "OutputRds", value=self.rds.ref)
def __init__(self, scope: core.Construct, id: str, **kwargs,) -> None:
super().__init__(scope, id, **kwargs)
# secrets manager for DB password
self.db_secret = secrets.Secret(
self,
"DBSecret",
secret_name=f"{scope.full_app_name}-db-secret",
generate_secret_string=secrets.SecretStringGenerator(
secret_string_template=json.dumps({"username": "******"}),
exclude_punctuation=True,
include_space=False,
generate_string_key="password",
),
)
self.db_secret_arn = ssm.StringParameter(
self,
"DBSecretArn",
parameter_name=f"{scope.full_app_name}-secret-arn",
string_value=self.db_secret.secret_arn,
)
self.db_security_group = ec2.CfnSecurityGroup(
self,
"DBSecurityGroup",
vpc_id=scope.vpc.vpc_id,
group_description="DBSecurityGroup",
security_group_ingress=[
ec2.CfnSecurityGroup.IngressProperty(
ip_protocol="tcp",
to_port=5432,
from_port=5432,
source_security_group_id=scope.vpc.vpc_default_security_group,
)
],
)
self.db_subnet_group = rds.CfnDBSubnetGroup(
self,
"CfnDBSubnetGroup",
subnet_ids=scope.vpc.select_subnets(
subnet_type=ec2.SubnetType.ISOLATED
).subnet_ids,
db_subnet_group_description=f"{scope.full_app_name}-db-subnet-group",
)
self.db_config = {
"engine_mode": "serverless",
"engine": "aurora-postgresql",
"engine_version": "10.7",
# "port": 5432,
"enable_http_endpoint": True,
"master_username": self.db_secret.secret_value_from_json(
"username"
).to_string(),
"master_user_password": self.db_secret.secret_value_from_json(
"password"
).to_string(),
"vpc_security_group_ids": [
self.db_security_group.get_att("GroupId").to_string()
],
"db_subnet_group_name": self.db_subnet_group.ref,
}
self.rds_cluster = rds.CfnDBCluster(
self, "DBCluster", **self.db_config
)
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
vpc = ec2.Vpc(self, "VPC")
db_master_user_name = os.getenv("DB_USERNAME", "admin_user")
self.secret = rds.DatabaseSecret(
self, id="MasterUserSecret", username=db_master_user_name
)
rds.CfnDBSubnetGroup(
self,
"rdsSubnetGroup",
db_subnet_group_description="private subnets for rds",
subnet_ids=vpc.select_subnets(
subnet_type=ec2.SubnetType.PRIVATE
).subnet_ids,
)
db_name = os.getenv("DB_NAME", "anonfed")
self.db = rds.CfnDBCluster(
self,
"auroraCluster",
engine="aurora-mysql",
engine_version="5.7.mysql_aurora.2.08.1",
db_cluster_parameter_group_name="default.aurora-mysql5.7",
# snapshot_identifier="<snapshot_arn>", # your snapshot
engine_mode="serverless",
scaling_configuration=rds.CfnDBCluster.ScalingConfigurationProperty(
auto_pause=True,
min_capacity=1,
max_capacity=4,
seconds_until_auto_pause=300,
),
db_subnet_group_name=core.Fn.ref("rdsSubnetGroup"),
database_name=db_name,
master_username=self.secret.secret_value_from_json("username").to_string(),
master_user_password=self.secret.secret_value_from_json(
"password"
).to_string(),
enable_http_endpoint=True,
)
secret_attached = sm.CfnSecretTargetAttachment(
self,
id="secret_attachment",
secret_id=self.secret.secret_arn,
target_id=self.db.ref,
target_type="AWS::RDS::DBCluster",
)
secret_attached.node.add_dependency(self.db)
db_ref = f"arn:aws:rds:{self.region}:{self.account}:cluster:{self.db.ref}"
migration = SchemaMigrationResource(
self, "schemamigration", self.secret.secret_arn, db_name, db_ref
)
# Publish the custom resource output
core.CfnOutput(
self,
"ResponseMessage",
description="Database Migration",
value=migration.response,
)
core.CfnOutput(
self,
id="DatabaseName",
value=self.db.database_name,
description="Database Name",
export_name=f"{self.region}:{self.account}:{self.stack_name}:database-name",
)
core.CfnOutput(
self,
id="DatabaseClusterArn",
value=db_ref,
description="Database Cluster Arn",
export_name=f"{self.region}:{self.account}:{self.stack_name}:database-cluster-arn",
)
core.CfnOutput(
self,
id="DatabaseSecretArn",
value=self.secret.secret_arn,
description="Database Secret Arn",
export_name=f"{self.region}:{self.account}:{self.stack_name}:database-secret-arn",
)
core.CfnOutput(
self,
id="AuroraEndpointAddress",
value=self.db.attr_endpoint_address,
description="Aurora Endpoint Address",
export_name=f"{self.region}:{self.account}:{self.stack_name}:aurora-endpoint-address",
)
core.CfnOutput(
self,
id="DatabaseMasterUserName",
value=db_master_user_name,
description="Database Master User Name",
export_name=f"{self.region}:{self.account}:{self.stack_name}:database-master-username",
)
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
az1 = core.Fn.select(0, core.Fn.get_azs(region=core.Aws.REGION))
az2 = core.Fn.select(1, core.Fn.get_azs(region=core.Aws.REGION))
##########
# VPC
##########
# VPC
vpc = ec2.Vpc(self, "vpc", cidr="10.0.0.0/16", subnet_configuration=[])
# Internet gateway
internet_gateway = ec2.CfnInternetGateway(self, "internet-gateway")
ec2.CfnVPCGatewayAttachment(self,
"internet_gateway_attatchment",
vpc_id=vpc.vpc_id,
internet_gateway_id=internet_gateway.ref)
# Public Subnet az1
public_subnet_az1 = ec2.PublicSubnet(self,
"subnet-public-1a",
availability_zone=az1,
cidr_block="10.0.0.0/24",
vpc_id=vpc.vpc_id,
map_public_ip_on_launch=True)
public_subnet_az1.add_route("internet-gateway-route",
router_id=internet_gateway.ref,
router_type=ec2.RouterType.GATEWAY)
# Public Subnet az2
public_subnet_az2 = ec2.PublicSubnet(self,
"subnet-public-1c",
availability_zone=az2,
cidr_block="10.0.1.0/24",
vpc_id=vpc.vpc_id,
map_public_ip_on_launch=True)
public_subnet_az2.add_route("internet-gateway-route",
router_id=internet_gateway.ref,
router_type=ec2.RouterType.GATEWAY)
# Private Subnet az1
private_subnet_az1 = ec2.PrivateSubnet(self,
"subnet-private-1a",
availability_zone=az1,
cidr_block="10.0.2.0/24",
vpc_id=vpc.vpc_id)
# Private Subnet az2
private_subnet_az2 = ec2.PrivateSubnet(self,
"subnet-private-1c",
availability_zone=az2,
cidr_block="10.0.3.0/24",
vpc_id=vpc.vpc_id)
##########
# EC2
##########
# # EC2 Security Group
ec2_security_group = ec2.SecurityGroup(self,
"ec2-security-group",
vpc=vpc)
# ec2_security_group.add_ingress_rule(peer=ec2.Peer.any_ipv4(),connection=ec2.Port.tcp(80))
# User Data
user_data = ec2.UserData.for_linux()
user_data.add_commands(
"yum -y update", "amazon-linux-extras install php7.2 -y",
"yum -y install mysql httpd php-mbstring php-xml",
"wget http://ja.wordpress.org/latest-ja.tar.gz -P /tmp/",
"tar zxvf /tmp/latest-ja.tar.gz -C /tmp",
"cp -r /tmp/wordpress/* /var/www/html/",
"chown apache:apache -R /var/www/html",
"systemctl enable httpd.service", "systemctl start httpd.service")
# EC2 Instance
instance_az1 = ec2.CfnInstance(
self,
"wordpress-instance-az1",
subnet_id=public_subnet_az1.subnet_id,
image_id=ec2.AmazonLinuxImage(
generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2).get_image(
self).image_id,
instance_type=ec2.InstanceType.of(
instance_class=ec2.InstanceClass.BURSTABLE3,
instance_size=ec2.InstanceSize.MICRO).to_string(),
security_group_ids=[ec2_security_group.security_group_id],
user_data=core.Fn.base64(user_data.render()))
core.CfnOutput(self,
"EC2 PublicDnsName",
value=instance_az1.attr_public_dns_name)
##########
# RDS
##########
# RDS Security Group
rds_security_group = ec2.SecurityGroup(self,
"rds-security-group",
vpc=vpc)
ec2.CfnSecurityGroupIngress(
self,
"rds-security-group-ingress",
group_id=rds_security_group.security_group_id,
ip_protocol="tcp",
from_port=3306,
to_port=3306,
source_security_group_id=ec2_security_group.security_group_id)
# RDS Subnet Group
rds_subnet_group = rds.CfnDBSubnetGroup(
self,
"rds-subnet-group",
db_subnet_group_description="rds-subnet-group",
subnet_ids=[
private_subnet_az1.subnet_id, private_subnet_az2.subnet_id
])
# RDS Instance
rds_instance = rds.CfnDBInstance(
self,
"rds-instance",
db_instance_identifier="wordpress-rds",
engine=rds.DatabaseInstanceEngine.mysql(
version=rds.MysqlEngineVersion.VER_8_0_20).engine_type,
db_instance_class="db.t3.micro",
master_username="******",
master_user_password="******",
db_name="wordpress",
multi_az=False,
vpc_security_groups=[rds_security_group.security_group_id],
db_subnet_group_name=rds_subnet_group.ref,
allocated_storage="20")
core.CfnOutput(self,
"RDS EndpointAddress",
value=rds_instance.attr_endpoint_address)
core.CfnOutput(self,
"RDS EndpointPort",
value=rds_instance.attr_endpoint_port)
##########
# ALB
##########
# ALB Security Group
alb_security_group = ec2.SecurityGroup(self,
"alb-security-group",
vpc=vpc)
alb_security_group.add_ingress_rule(peer=ec2.Peer.any_ipv4(),
connection=ec2.Port.tcp(80))
# ALB Instance
alb_instance = elb.ApplicationLoadBalancer(
self,
"alb",
vpc=vpc,
vpc_subnets=ec2.SubnetSelection(
subnets=[public_subnet_az1, public_subnet_az2]),
internet_facing=True,
security_group=alb_security_group)
# ALB Target Group
alb_target_group = elb.ApplicationTargetGroup(
self,
"alb-target-group",
vpc=vpc,
target_type=elb.TargetType.INSTANCE,
targets=[elb.InstanceTarget(instance_az1.ref)],
protocol=elb.ApplicationProtocol.HTTP,
port=80,
health_check=elb.HealthCheck(protocol=elb.ApplicationProtocol.HTTP,
path="/wp-includes/images/blank.gif"))
# ALB Listener
alb_listener = elb.ApplicationListener(
self,
"alb-listener",
load_balancer=alb_instance,
default_target_groups=[alb_target_group],
protocol=elb.ApplicationProtocol.HTTP,
port=80)
core.CfnOutput(self,
"ALB DNS Name",
value=alb_instance.load_balancer_dns_name)
# EC2 Security Group Ingress
ec2.CfnSecurityGroupIngress(
self,
"ec2-security-group-ingress",
group_id=ec2_security_group.security_group_id,
ip_protocol="tcp",
from_port=80,
to_port=80,
source_security_group_id=alb_security_group.security_group_id)
