def __init__(self, scope:core.Construct, id:str,landing_zone:IVpcLandingZone, **kwargs): super().__init__(scope,id, **kwargs) # Create the primary domain self.virtual_world = r53.PrivateHostedZone(self,'VirtualWorld', zone_name='virtual.world', vpc=landing_zone.vpc, comment='Primary domain name') # Create the real world self.real_world = r53.PrivateHostedZone(self,'RealWorld', zone_name='real.world', vpc=landing_zone.vpc, comment='Name resolution back to physical realm') # Add the public records... # https://abram.com.au/converting-pem-to-pfx-certificates/ with open('chatham.json','r') as f: json = loads(f.read()) for zone in [self.real_world]: for entry in json: ip = entry['ip'] name = entry['name'] record_name = '{}.{}'.format(name,zone.zone_name) r53.ARecord(self,record_name, zone=self.real_world, record_name=record_name, target= r53.RecordTarget.from_ip_addresses(ip))
def __init__(self, scope: core.Construct, id: builtins.str, landing_zone: IVpcLandingZone) -> None: super().__init__(scope, id) self.__landing_zone = landing_zone # Setup DNS... self.trader_dns_zone = r53.PrivateHostedZone( self, 'Trader', zone_name='trader.fsi'.format(landing_zone.zone_name.lower()), vpc=landing_zone.vpc, comment='HomeNet Financial Services Domain') # Create a key and delegate access to IAM... self.key = kms.Key( self, 'Key', alias='homenet/fsi', enable_key_rotation=True, policy=iam.PolicyDocument(statements=[ iam.PolicyStatement(effect=iam.Effect.ALLOW, principals=[ iam.AccountPrincipal( core.Stack.of(self).account) ], actions=['kms:*'], resources=['*']) ])) # Create central resources... self.tda_secret = sm.Secret( self, 'AmeritradeSecrets', removal_policy=core.RemovalPolicy.DESTROY, secret_name='HomeNet-{}-Ameritrade-Secrets'.format( self.landing_zone.zone_name)) self.bucket = s3.Bucket(self, 'Bucket', bucket_name='homenet-{}.{}.trader.fsi'.format( self.landing_zone.zone_name, core.Stack.of(self).region).lower(), versioned=True) r53.ARecord(self, 'BucketAlias', zone=self.trader_dns_zone, record_name=self.bucket.bucket_domain_name, target=r53.RecordTarget.from_alias( dns_targets.BucketWebsiteTarget(self.bucket))) # self.fspace = space.CfnEnvironment(self,'Finspace', # name='HomeNet-FsiCoreSvc', # kms_key_id= self.key.key_id, # description="HomeNet Financial Servicing Catalog") self.finspace = FinSpaceEnvironment() self.key.grant_admin(iam.ServicePrincipal(service='finspace'))
def __init__(self, scope: core.Construct, id: str, context: InfraContext, **kwargs) -> None: super().__init__(scope, id, **kwargs) self.__vpc = ec2.Vpc( self, 'FinSurf', cidr='10.50.0.0/16', nat_gateway_subnets=ec2.SubnetSelection( subnet_group_name='Egress'), enable_dns_hostnames=True, enable_dns_support=True, nat_gateways=2, max_azs=2, subnet_configuration=[ ec2.SubnetConfiguration(name='Egress', subnet_type=ec2.SubnetType.PUBLIC, cidr_mask=28), ec2.SubnetConfiguration(name='EarningApi', subnet_type=ec2.SubnetType.PRIVATE, cidr_mask=24), ec2.SubnetConfiguration(name='Alexa', subnet_type=ec2.SubnetType.PRIVATE, cidr_mask=24), ec2.SubnetConfiguration(name='FriendlyNamed', subnet_type=ec2.SubnetType.PRIVATE, cidr_mask=24), ec2.SubnetConfiguration(name='AccountLinking', subnet_type=ec2.SubnetType.PRIVATE, cidr_mask=24), ec2.SubnetConfiguration(name='PortfolioMgmt', subnet_type=ec2.SubnetType.PRIVATE, cidr_mask=24), ec2.SubnetConfiguration(name='Collections', subnet_type=ec2.SubnetType.PRIVATE, cidr_mask=24), ec2.SubnetConfiguration(name='MarketGraph', subnet_type=ec2.SubnetType.PRIVATE, cidr_mask=24), ec2.SubnetConfiguration(name='MapReduce', subnet_type=ec2.SubnetType.PRIVATE, cidr_mask=24), ]) self.__hostedZone = dns.PrivateHostedZone( self, 'PrivateFinSurfZone', vpc=self.vpc, zone_name=context.environment.region + '.finsurf.internal', comment='Internal zone for FinSurf application')
def __init__(self, scope: core.Construct, construct_id: str, env, **kwargs) -> None: super().__init__(scope, construct_id, env=env, **kwargs) # The code that defines your stack goes here if self.node.try_get_context("tags"): self.user_defined_tags = self.node.try_get_context("tags").split(' ') else: self.user_defined_tags = None vpc = ec2.Vpc(self, "VPC_EMQ", max_azs=2, cidr="10.10.0.0/16", # configuration will create 3 groups in 2 AZs = 6 subnets. subnet_configuration=[ec2.SubnetConfiguration( subnet_type=ec2.SubnetType.PUBLIC, name="Public", cidr_mask=24 ), ec2.SubnetConfiguration( subnet_type=ec2.SubnetType.PRIVATE, name="Private", cidr_mask=24 ), ec2.SubnetConfiguration( subnet_type=ec2.SubnetType.ISOLATED, name="DB", cidr_mask=24 ) ], nat_gateways=2 ) self.vpc = vpc # Route53 int_zone = r53.PrivateHostedZone(self, r53_zone_name, zone_name = 'int.emqx', vpc = vpc ) self.int_zone = int_zone # Define cfn parameters # ec2_type = CfnParameter(self, "ec2-instance-type", # type="String", default="m5.2xlarge", # description="Specify the instance type you want").value_as_string key_name = CfnParameter(self, "ssh key", type="String", default="key_ireland", description="Specify your SSH key").value_as_string sg = ec2.SecurityGroup(self, id = 'sg_int', vpc = vpc) self.sg = sg sg.add_ingress_rule(ec2.Peer.any_ipv4(), ec2.Port.tcp(22), 'SSH frm anywhere') sg.add_ingress_rule(ec2.Peer.any_ipv4(), ec2.Port.tcp(1883), 'MQTT TCP Port') sg.add_ingress_rule(ec2.Peer.any_ipv4(), ec2.Port.tcp(8883), 'MQTT TCP/TLS Port') sg.add_ingress_rule(ec2.Peer.any_ipv4(), ec2.Port.udp(14567), 'MQTT Quic Port') sg.add_ingress_rule(ec2.Peer.any_ipv4(), ec2.Port.tcp(18083), 'WEB UI') sg.add_ingress_rule(ec2.Peer.any_ipv4(), ec2.Port.tcp(4369), 'EMQX dist port 1') sg.add_ingress_rule(ec2.Peer.any_ipv4(), ec2.Port.tcp(4370), 'EMQX dist port 2') sg.add_ingress_rule(ec2.Peer.any_ipv4(), ec2.Port.tcp(8081), 'EMQX dashboard') sg.add_ingress_rule(ec2.Peer.any_ipv4(), ec2.Port.tcp(2379), 'etcd client port') sg.add_ingress_rule(ec2.Peer.any_ipv4(), ec2.Port.tcp(2380), 'etcd peer port') # Create Bastion Server bastion = ec2.BastionHostLinux(self, "Bastion", vpc=vpc, subnet_selection=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PUBLIC), instance_name="BastionHostLinux", instance_type=ec2.InstanceType(instance_type_identifier="t3.nano")) bastion.instance.instance.add_property_override("KeyName", key_name) bastion.connections.allow_from_any_ipv4( ec2.Port.tcp(22), "Internet access SSH") # Create NLB nlb = elb.NetworkLoadBalancer(self, "emq-elb", vpc=vpc, internet_facing=False, cross_zone_enabled=True, load_balancer_name="emq-nlb") r53.ARecord(self, "AliasRecord", zone = int_zone, record_name = loadbalancer_dnsname, target = r53.RecordTarget.from_alias(r53_targets.LoadBalancerTarget(nlb)) ) self.nlb = nlb listener = nlb.add_listener("port1883", port=1883) listenerTLS = nlb.add_listener("port8883", port=8883) # TLS, emqx terminataion listenerQuic = nlb.add_listener("port14567", port=14567, protocol=elbv2.Protocol.UDP) listenerUI = nlb.add_listener("port80", port=80) # Create Autoscaling Group with desired 2*EC2 hosts # asg = autoscaling.AutoScalingGroup(self, "emq-asg", # vpc=vpc, # vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE), # instance_type=ec2.InstanceType( # instance_type_identifier=ec2_type), # machine_image=linux_ami, # security_group = sg, # key_name=key_name, # user_data=ec2.UserData.custom(user_data), # health_check=HealthCheck.elb(grace=Duration.seconds(60)), # desired_capacity=3, # min_capacity=2, # max_capacity=4 # ) # if self.user_defined_tags: # core.Tags.of(asg).add(*self.user_defined_tags) # # NLB cannot associate with a security group therefore NLB object has no Connection object # # Must modify manuall inbound rule of the newly created asg security group to allow access # # from NLB IP only # asg.connections.allow_from_any_ipv4( # ec2.Port.tcp(1883), "Allow NLB access 1883 port of EC2 in Autoscaling Group") # asg.connections.allow_from_any_ipv4( # ec2.Port.tcp(18083), "Allow NLB access WEB UI") # asg.connections.allow_from_any_ipv4( # ec2.Port.tcp(4369), "Allow emqx cluster distribution port 1") # asg.connections.allow_from_any_ipv4( # ec2.Port.tcp(4370), "Allow emqx cluster distribution port 2") # asg.connections.allow_from_any_ipv4( # ec2.Port.udp(4369), "Allow emqx cluster discovery port 1") # asg.connections.allow_from_any_ipv4( # ec2.Port.udp(4370), "Allow emqx cluster discovery port 2") # asg.connections.allow_from_any_ipv4( # ec2.Port.tcp(8081), "Allow emqx cluster dashboard access") # asg.connections.allow_from_any_ipv4( # ec2.Port.tcp(2379), "Allow emqx cluster discovery port (etcd)") # asg.connections.allow_from_any_ipv4( # ec2.Port.tcp(2380), "Allow emqx cluster discovery port (etcd)") # asg.connections.allow_from(bastion, # ec2.Port.tcp(22), "Allow SSH from the bastion only") self.setup_emqx(numEmqx, vpc, int_zone, sg, key_name) listener.add_targets('ec2', port=1883, targets= [ target.InstanceTarget(x) for x in self.emqx_vms]) # @todo we need ssl terminataion listenerUI.add_targets('ec2', port=18083, targets=[ target.InstanceTarget(x) for x in self.emqx_vms]) listenerQuic.add_targets('ec2', port=14567, protocol=elbv2.Protocol.UDP, targets=[ target.InstanceTarget(x) for x in self.emqx_vms]) listenerTLS.add_targets('ec2', port=8883, targets=[ target.InstanceTarget(x) for x in self.emqx_vms]) """ db_mysql = rds.DatabaseInstance(self, "EMQ_MySQL_DB", engine=rds.DatabaseInstanceEngine.mysql( version=rds.MysqlEngineVersion.VER_5_7_30), instance_type=ec2.InstanceType.of( ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.SMALL), vpc=vpc, multi_az=True, allocated_storage=100, storage_type=rds.StorageType.GP2, cloudwatch_logs_exports=["audit", "error", "general", "slowquery"], deletion_protection=False, delete_automated_backups=False, backup_retention=core.Duration.days(7), parameter_group=rds.ParameterGroup.from_parameter_group_name( self, "para-group-mysql", parameter_group_name="default.mysql5.7"), ) asg_security_groups = asg.connections.security_groups for asg_sg in asg_security_groups: db_mysql.connections.allow_default_port_from(asg_sg, "EC2 Autoscaling Group access MySQL") """ #self.setup_monitoring() self.setup_etcd(vpc, int_zone, sg, key_name) self.setup_loadgen(numLg, vpc, int_zone, sg, key_name, nlb.load_balancer_dns_name) self.setup_monitoring() core.CfnOutput(self, "Output", value=nlb.load_balancer_dns_name) core.CfnOutput(self, "SSH Entrypoint", value=bastion.instance_public_ip) core.CfnOutput(self, "SSH cmds", value="ssh -A -l ec2-user %s -L8888:%s:80 -L 9999:%s:80 -L 13000:%s:3000" % (bastion.instance_public_ip, nlb.load_balancer_dns_name, self.mon_lb, self.mon_lb) )
def __init__(self, scope: core.Construct, id: str, vpc: ec2.IVpc, **kwargs) -> None: super().__init__(scope, id, **kwargs) # The code that defines your stack goes here demords = rds.DatabaseInstance( self, "RDS", master_username="******", master_user_password=core.SecretValue.plain_text(rdspwd), database_name="db1", engine_version="8.0.16", delete_automated_backups=True, engine=rds.DatabaseInstanceEngine.MYSQL, # instance_identifier="cdkdemords2", vpc=vpc, port=3306, instance_type=ec2.InstanceType.of( ec2.InstanceClass.BURSTABLE3, ec2.InstanceSize.SMALL, ), removal_policy=core.RemovalPolicy.DESTROY, deletion_protection=False, ) # The code that is version for 1.62.0 . #vpc = ec2.Vpc(self, 'rdsvpc', #cidr="10.0.0.0/16", #enable_dns_hostnames=True, #enable_dns_support=True, #nat_gateways=0, #subnet_configuration=[ec2.SubnetConfiguration( # cidr_mask=20, # name='PublicSubnet', # subnet_type=ec2.SubnetType.PUBLIC, # )]) #rdspg = rds.ParameterGroup(self, 'dbpg',engine=rds.DatabaseInstanceEngine.mysql(version=rds.MysqlEngineVersion.VER_8_0_16)) #demords = rds.DatabaseInstance( # self, "RDS", # master_username="******", # master_user_password=core.SecretValue.plain_text(rdspwd), # database_name="db1", # delete_automated_backups=True, # parameter_group=rdspg, # # instance_identifier="cdkdemords2", # vpc=vpc, # engine=rds.DatabaseInstanceEngine.mysql(version=rds.MysqlEngineVersion.VER_8_0_16), # port=3306, # instance_type=ec2.InstanceType("t3.small"), # removal_policy=core.RemovalPolicy.DESTROY, # deletion_protection=False, # vpc_subnets={ # "subnet_type": ec2.SubnetType.PUBLIC # } #) #external_ip = requests.get('https://checkip.amazonaws.com').text.rstrip() #your_public_ip = str(external_ip + "/32") #demords.connections.allow_default_port_from(other=ec2.Peer.ipv4(your_public_ip)) demords.connections.allow_default_port_from( other=ec2.Peer.ipv4(vpc.vpc_cidr_block)) zone = r53.PrivateHostedZone(self, 'cdkdemo-zone', vpc=vpc, zone_name="example.io") cname = r53.CnameRecord( self, 'cdk-rds-cname-record', zone=zone, domain_name=demords.db_instance_endpoint_address, record_name="cdkdemo", ttl=core.Duration.minutes(1)) core.CfnOutput(self, 'rds-passwd', value=rdspwd) core.CfnOutput(self, 'rds-host-url', value=demords.db_instance_endpoint_address) core.CfnOutput(self, 'rds-cname', value=cname.domain_name)