def add_simple_ads(self, name, password, shortname, size, hosted_zone):
"""
Helper method creates a Directory Service Instance in AWS
@param name [string] Sets name for Directory Service Instance
@param
"""
print "Creating Simple AD: %s" % name
simple_ad = directoryservice.SimpleAD(
name,
CreateAlias=True,
Name=hosted_zone[:-1],
Password=password,
ShortName=shortname,
Size=size,
VpcSettings=directoryservice.VpcSettings(
SubnetIds=[
Ref(self.parameters.get('privateAZ0')),
Ref(self.parameters.get('privateAZ1'))
],
VpcId=Ref(self.parameters.get('vpcId'))))
self.add_resource(simple_ad)
dhcp_opts = DHCPOptions(
name + 'dhcpopts',
DomainName=hosted_zone[:-1],
DomainNameServers=GetAtt(simple_ad, 'DnsIpAddresses'),
NetbiosNameServers=GetAtt(simple_ad, 'DnsIpAddresses'))
self.add_resource(dhcp_opts)
self.add_resource(
VPCDHCPOptionsAssociation(name + 'dhcpoptsassociation',
DhcpOptionsId=Ref(dhcp_opts),
VpcId=Ref(self.parameters.get('vpcId'))))
def add_vpc_core(template, vpc_cidr):
"""
Function to create the core resources of the VPC
and add them to the core VPC template
:param template: VPC Template()
:param vpc_cidr: str of the VPC CIDR i.e. 192.168.0.0/24
:return: tuple() with the vpc and igw object
"""
vpc = VPCType(
VPC_T,
template=template,
CidrBlock=vpc_cidr,
EnableDnsHostnames=True,
EnableDnsSupport=True,
Tags=Tags(
Name=If(USE_STACK_NAME_CON_T, Ref("AWS::StackName"),
Ref(ROOT_STACK_NAME)),
EnvironmentName=If(USE_STACK_NAME_CON_T, Ref("AWS::StackName"),
Ref(ROOT_STACK_NAME)),
),
Metadata=metadata,
)
igw = InternetGateway(IGW_T, template=template)
VPCGatewayAttachment(
"VPCGatewayAttachement",
template=template,
InternetGatewayId=Ref(igw),
VpcId=Ref(vpc),
Metadata=metadata,
)
dhcp_opts = DHCPOptions(
"VpcDhcpOptions",
template=template,
DomainName=If(
USE_STACK_NAME_CON_T,
Sub(f"svc.${{AWS::StackName}}.${{{PRIVATE_DNS_ZONE_NAME.title}}} "
f"${{AWS::StackName}}.${{{PRIVATE_DNS_ZONE_NAME.title}}}"),
Sub(f"svc.${{{ROOT_STACK_NAME_T}}}.${{{PRIVATE_DNS_ZONE_NAME.title}}} "
f"${{{ROOT_STACK_NAME_T}}}.${{{PRIVATE_DNS_ZONE_NAME.title}}}"
),
),
DomainNameServers=["AmazonProvidedDNS"],
Tags=Tags(Name=Sub(f"dhcp-${{{vpc.title}}}")),
Metadata=metadata,
)
VPCDHCPOptionsAssociation(
"VpcDhcpOptionsAssociate",
template=template,
DhcpOptionsId=Ref(dhcp_opts),
VpcId=Ref(vpc),
Metadata=metadata,
)
return (vpc, igw)
DBSubnetGroup(
"RdsSubnetGroupTest",
SubnetIds=[
Ref("SubnetTestRdsAz1"),
Ref("SubnetTestRdsAz2"),
Ref("SubnetTestRdsAz3")
],
DBSubnetGroupDescription="Subnets for RDS Test",
))
DhcpOptions = t.add_resource(
DHCPOptions(
"DhcpOptions",
Tags=Tags(
Name="VPC_DHCP",
project="ShelterMutual",
),
DomainNameServers=["AmazonProvidedDNS"],
DomainName="sheltermutual-aws.internal",
))
PrivateSubnetRouteTableAssociationSubnetTestRdsAz1 = t.add_resource(
SubnetRouteTableAssociation(
"PrivateSubnetRouteTableAssociationSubnetTestRdsAz1",
SubnetId=Ref("SubnetTestRdsAz1"),
RouteTableId=Ref("PrivateRouteTableAz1"),
))
PublicRoute = t.add_resource(
Route(
"PublicRoute",
Tags=tags('ServiceVPC'),
))
# Internet Gateway
internet_gateway = t.add_resource(
InternetGateway("InternetGateway", Tags=tags('InternetGateway')))
t.add_resource(
VPCGatewayAttachment("VpcGatewayAttachment",
InternetGatewayId=Ref(internet_gateway),
VpcId=Ref(vpc)))
# VPC DHCP Options
dhcp_opts = t.add_resource(
DHCPOptions("DhcpOptions",
DomainName=Join("", [Ref("AWS::Region"), ".compute.internal"]),
DomainNameServers=["AmazonProvidedDNS"],
Tags=tags('DhcpOptions')))
dhcp_opts_assoc = t.add_resource(
VPCDHCPOptionsAssociation("VpcDhcpOptionsAssociation",
DhcpOptionsId=Ref(dhcp_opts),
VpcId=Ref(vpc)))
# Security Group
sg = t.add_resource(
SecurityGroup("BastionSG",
GroupDescription="Used for source/dest rules",
VpcId=Ref(vpc),
Tags=tags('VPC-Bastion-SG')))
# Outputs
cloud_watch_alarm_topic = Topic(
"CloudWatchAlarmTopic",
TopicName="Api{e}-{e}-CloudWatchAlarms".format(e=env))
template.add_resource(cloud_watch_alarm_topic)
dhcp_options = DHCPOptions("DomainName",
DomainName=Join(
"", [Ref("AWS::Region"), ".compute.internal"]),
DomainNameServers=["AmazonProvidedDNS"],
Tags=[{
"Key": "Environment",
"Value": "Api{e}".format(e=env)
}, {
"Key":
"Name",
"Value":
"Api{e}-{e}-DhcpOptions".format(e=env)
}, {
"Key": "Owner",
"Value": "Foo industries"
}, {
"Key": "Service",
"Value": "ServiceVPC"
}, {
"Key": "VPC",
"Value": env
}])
template.add_resource(dhcp_options)
internet_gateway = InternetGateway(
"InternetGateway",
Tags=[{
def attach_dhcp_options(template, vpc):
dhcpopts = DHCPOptions("sgdemodhcpoptions", DomainNameServers = ["AmazonProvidedDNS"], DomainName = If("RegionIsUsEast1", "ec2.internal", Join("", [Ref("AWS::Region"), ".compute.internal"])))
template.add_resource(dhcpopts)
dhcpassoc = VPCDHCPOptionsAssociation("sgdemodchpassoc", VpcId = Ref(vpc), DhcpOptionsId = Ref(dhcpopts))
template.add_resource(dhcpassoc)
return dhcpopts
def create_template():
template = Template(Description="Simple public VPC")
availability_zones = template.add_parameter(
Parameter(
"AvailabilityZones",
Type="String",
))
vpc = template.add_resource(
VPC(
"Vpc",
CidrBlock="10.10.0.0/16",
EnableDnsHostnames=False,
EnableDnsSupport=True,
Tags=Tags(Name=StackName),
))
dhcp_options = template.add_resource(
DHCPOptions(
"DhcpOptions",
NtpServers=["169.254.169.123"],
DomainNameServers=["AmazonProvidedDNS"],
Tags=Tags(Name=StackName),
))
template.add_resource(
VPCDHCPOptionsAssociation(
"VpcDhcpOptionsAssociation",
VpcId=Ref(vpc),
DhcpOptionsId=Ref(dhcp_options),
))
internet_gateway = template.add_resource(
InternetGateway(
"InternetGateway",
Tags=Tags(Name=StackName),
))
vpc_gateway_attachment = template.add_resource(
VPCGatewayAttachment(
"VpcGatewayAttachment",
VpcId=Ref(vpc),
InternetGatewayId=Ref(internet_gateway),
))
subnet = template.add_resource(
Subnet(
"Subnet0",
MapPublicIpOnLaunch=True,
VpcId=Ref(vpc),
CidrBlock=Select(0, Cidr(GetAtt(vpc, "CidrBlock"), 8, 8)),
AvailabilityZone=Select(0, Split(",", Ref(availability_zones))),
Tags=Tags(Name=StackName),
))
route_table = template.add_resource(
RouteTable(
"RouteTable0",
VpcId=Ref(vpc),
Tags=Tags(Name=StackName),
))
internet_route = template.add_resource(
Route(
"InternetRoute0",
DestinationCidrBlock="0.0.0.0/0",
GatewayId=Ref(internet_gateway),
RouteTableId=Ref(route_table),
DependsOn=[vpc_gateway_attachment],
))
template.add_resource(
SubnetRouteTableAssociation(
"SubnetRouteTableAssocation0",
RouteTableId=Ref(route_table),
SubnetId=Ref(subnet),
))
template.add_output(Output(
"VpcId",
Value=Ref(vpc),
))
template.add_output(Output(
"SubnetIds",
Value=Ref(subnet),
))
return template
def generate_vpc_template(layers, az_count, cidr_block):
TPL = Template()
TPL.set_description('VPC - Version 2019-06-05')
TPL.set_metadata({'Author': 'https://github.com/johnpreston'})
VPC = VPCType('VPC',
CidrBlock=cidr_block,
EnableDnsHostnames=True,
EnableDnsSupport=True,
Tags=Tags(Name=Ref('AWS::StackName'),
EnvironmentName=Ref('AWS::StackName')))
IGW = InternetGateway("InternetGateway")
IGW_ATTACH = VPCGatewayAttachment("VPCGatewayAttachement",
InternetGatewayId=Ref(IGW),
VpcId=Ref(VPC))
DHCP_OPTIONS = DHCPOptions('VpcDhcpOptions',
DomainName=Sub(f'${{AWS::StackName}}.local'),
DomainNameServers=['AmazonProvidedDNS'],
Tags=Tags(Name=Sub(f'DHCP-${{{VPC.title}}}')))
DHCP_ATTACH = VPCDHCPOptionsAssociation('VpcDhcpOptionsAssociate',
DhcpOptionsId=Ref(DHCP_OPTIONS),
VpcId=Ref(VPC))
DNS_HOSTED_ZONE = HostedZone(
'VpcHostedZone',
VPCs=[HostedZoneVPCs(VPCId=Ref(VPC), VPCRegion=Ref('AWS::Region'))],
Name=Sub(f'${{AWS::StackName}}.local'),
HostedZoneTags=Tags(Name=Sub(f'ZoneFor-${{{VPC.title}}}')))
TPL.add_resource(VPC)
TPL.add_resource(IGW)
TPL.add_resource(IGW_ATTACH)
TPL.add_resource(DHCP_OPTIONS)
TPL.add_resource(DHCP_ATTACH)
TPL.add_resource(DNS_HOSTED_ZONE)
STORAGE_RTB = TPL.add_resource(
RouteTable('StorageRtb', VpcId=Ref(VPC), Tags=Tags(Name='StorageRtb')))
STORAGE_SUBNETS = []
for count, subnet_cidr in zip(az_count, layers['stor']):
subnet = Subnet(
f'StorageSubnet{alpha[count].upper()}',
CidrBlock=subnet_cidr,
VpcId=Ref(VPC),
AvailabilityZone=Sub(f'${{AWS::Region}}{alpha[count]}'),
Tags=Tags(Name=Sub(f'${{AWS::StackName}}-Storage-{alpha[count]}'),
Usage="Storage"))
subnet_assoc = TPL.add_resource(
SubnetRouteTableAssociation(
f'StorageSubnetAssoc{alpha[count].upper()}',
SubnetId=Ref(subnet),
RouteTableId=Ref(STORAGE_RTB)))
STORAGE_SUBNETS.append(subnet)
TPL.add_resource(subnet)
PUBLIC_RTB = TPL.add_resource(
RouteTable('PublicRtb', VpcId=Ref(VPC), Tags=Tags(Name='PublicRtb')))
PUBLIC_ROUTE = TPL.add_resource(
Route('PublicDefaultRoute',
GatewayId=Ref(IGW),
RouteTableId=Ref(PUBLIC_RTB),
DestinationCidrBlock='0.0.0.0/0'))
PUBLIC_SUBNETS = []
NAT_GATEWAYS = []
for count, subnet_cidr in zip(az_count, layers['pub']):
subnet = Subnet(
f'PublicSubnet{alpha[count].upper()}',
CidrBlock=subnet_cidr,
VpcId=Ref(VPC),
AvailabilityZone=Sub(f'${{AWS::Region}}{alpha[count]}'),
MapPublicIpOnLaunch=True,
Tags=Tags(Name=Sub(f'${{AWS::StackName}}-Public-{alpha[count]}')))
eip = TPL.add_resource(
EIP(f"NatGatewayEip{alpha[count].upper()}", Domain='vpc'))
nat = NatGateway(f"NatGatewayAz{alpha[count].upper()}",
AllocationId=GetAtt(eip, 'AllocationId'),
SubnetId=Ref(subnet))
subnet_assoc = TPL.add_resource(
SubnetRouteTableAssociation(
f'PublicSubnetsRtbAssoc{alpha[count].upper()}',
RouteTableId=Ref(PUBLIC_RTB),
SubnetId=Ref(subnet)))
NAT_GATEWAYS.append(nat)
PUBLIC_SUBNETS.append(subnet)
TPL.add_resource(nat)
TPL.add_resource(subnet)
APP_SUBNETS = []
APP_RTBS = []
for count, subnet_cidr, nat in zip(az_count, layers['app'], NAT_GATEWAYS):
SUFFIX = alpha[count].upper()
subnet = Subnet(
f'AppSubnet{SUFFIX}',
CidrBlock=subnet_cidr,
VpcId=Ref(VPC),
AvailabilityZone=Sub(f'${{AWS::Region}}{alpha[count]}'),
Tags=Tags(Name=Sub(f'${{AWS::StackName}}-App-{alpha[count]}')))
APP_SUBNETS.append(subnet)
rtb = RouteTable(f'AppRtb{alpha[count].upper()}',
VpcId=Ref(VPC),
Tags=Tags(Name=f'AppRtb{alpha[count].upper()}'))
APP_RTBS.append(rtb)
route = Route(f'AppRoute{alpha[count].upper()}',
NatGatewayId=Ref(nat),
RouteTableId=Ref(rtb),
DestinationCidrBlock='0.0.0.0/0')
subnet_assoc = SubnetRouteTableAssociation(
f'SubnetRtbAssoc{alpha[count].upper()}',
RouteTableId=Ref(rtb),
SubnetId=Ref(subnet))
TPL.add_resource(subnet)
TPL.add_resource(rtb)
TPL.add_resource(route)
TPL.add_resource(subnet_assoc)
APP_S3_ENDPOINT = VPCEndpoint(
'AppS3Endpoint',
VpcId=Ref(VPC),
RouteTableIds=[Ref(rtb) for rtb in APP_RTBS],
ServiceName=Sub('com.amazonaws.${AWS::Region}.s3'),
VpcEndpointType='Gateway',
)
PUBLIC_S3_ENDPOINT = VPCEndpoint(
'PublicS3Endpoint',
VpcId=Ref(VPC),
RouteTableIds=[Ref(PUBLIC_RTB)],
ServiceName=Sub('com.amazonaws.${AWS::Region}.s3'),
VpcEndpointType='Gateway',
)
STORAGE_S3_ENDPOINT = VPCEndpoint(
'StorageS3Endpoint',
VpcId=Ref(VPC),
RouteTableIds=[Ref(STORAGE_RTB)],
ServiceName=Sub('com.amazonaws.${AWS::Region}.s3'),
VpcEndpointType='Gateway')
RESOURCES = []
for count in az_count:
resource = TPL.add_resource(EIP(f'Eip{count}', Domain='vpc'))
RESOURCES.append(resource)
TPL.add_resource(APP_S3_ENDPOINT)
TPL.add_resource(PUBLIC_S3_ENDPOINT)
TPL.add_resource(STORAGE_S3_ENDPOINT)
SG_RULES = []
for subnet in layers['app']:
RULE = SecurityGroupRule(
IpProtocol="tcp",
FromPort="443",
ToPort="443",
CidrIp=subnet,
)
SG_RULES.append(RULE)
ENDPOINT_SG = TPL.add_resource(
SecurityGroup(
'VpcEndpointSecurityGroup',
VpcId=Ref(VPC),
GroupDescription='SG for all Interface VPC Endpoints',
SecurityGroupIngress=SG_RULES,
Tags=Tags(Name="sg-endpoints"),
))
APP_SNS_ENDPOINT = VPCEndpoint(
'AppSNSEndpoint',
VpcId=Ref(VPC),
SubnetIds=[Ref(subnet) for subnet in APP_SUBNETS],
SecurityGroupIds=[GetAtt(ENDPOINT_SG, 'GroupId')],
ServiceName=Sub('com.amazonaws.${AWS::Region}.sns'),
VpcEndpointType='Interface',
PrivateDnsEnabled=True)
TPL.add_resource(APP_SNS_ENDPOINT)
APP_SQS_ENDPOINT = VPCEndpoint(
'AppSQSEndpoint',
VpcId=Ref(VPC),
SubnetIds=[Ref(subnet) for subnet in APP_SUBNETS],
SecurityGroupIds=[GetAtt(ENDPOINT_SG, 'GroupId')],
ServiceName=Sub('com.amazonaws.${AWS::Region}.sqs'),
VpcEndpointType='Interface',
PrivateDnsEnabled=True)
TPL.add_resource(APP_SQS_ENDPOINT)
APP_ECR_API_ENDPOINT = VPCEndpoint(
'AppECRAPIEndpoint',
VpcId=Ref(VPC),
SubnetIds=[Ref(subnet) for subnet in APP_SUBNETS],
SecurityGroupIds=[GetAtt(ENDPOINT_SG, 'GroupId')],
ServiceName=Sub('com.amazonaws.${AWS::Region}.ecr.api'),
VpcEndpointType='Interface',
PrivateDnsEnabled=True)
TPL.add_resource(APP_ECR_API_ENDPOINT)
APP_ECR_DKR_ENDPOINT = VPCEndpoint(
'AppECRDKREndpoint',
VpcId=Ref(VPC),
SubnetIds=[Ref(subnet) for subnet in APP_SUBNETS],
SecurityGroupIds=[GetAtt(ENDPOINT_SG, 'GroupId')],
ServiceName=Sub('com.amazonaws.${AWS::Region}.ecr.dkr'),
VpcEndpointType='Interface',
PrivateDnsEnabled=True)
TPL.add_resource(APP_ECR_DKR_ENDPOINT)
APP_SECRETS_MANAGER_ENDPOINT = VPCEndpoint(
'AppSecretsManagerEndpoint',
VpcId=Ref(VPC),
SubnetIds=[Ref(subnet) for subnet in APP_SUBNETS],
SecurityGroupIds=[GetAtt(ENDPOINT_SG, 'GroupId')],
ServiceName=Sub('com.amazonaws.${AWS::Region}.secretsmanager'),
VpcEndpointType='Interface',
PrivateDnsEnabled=True)
TPL.add_resource(APP_SECRETS_MANAGER_ENDPOINT)
APP_SSM_ENDPOINT = VPCEndpoint(
'AppSSMEndpoint',
VpcId=Ref(VPC),
SubnetIds=[Ref(subnet) for subnet in APP_SUBNETS],
SecurityGroupIds=[GetAtt(ENDPOINT_SG, 'GroupId')],
ServiceName=Sub('com.amazonaws.${AWS::Region}.ssm'),
VpcEndpointType='Interface',
PrivateDnsEnabled=True)
TPL.add_resource(APP_SSM_ENDPOINT)
APP_SSM_MESSAGES_ENDPOINT = VPCEndpoint(
'AppSSMMessagesEndpoint',
VpcId=Ref(VPC),
SubnetIds=[Ref(subnet) for subnet in APP_SUBNETS],
SecurityGroupIds=[GetAtt(ENDPOINT_SG, 'GroupId')],
ServiceName=Sub('com.amazonaws.${AWS::Region}.ssmmessages'),
VpcEndpointType='Interface',
PrivateDnsEnabled=True)
TPL.add_resource(APP_SSM_MESSAGES_ENDPOINT)
################################################################################
#
# OUTPUTS
#
TPL.add_output(object_outputs(VPC, name_is_id=True))
TPL.add_output(object_outputs(APP_SQS_ENDPOINT, name_is_id=True))
TPL.add_output(object_outputs(APP_SNS_ENDPOINT, name_is_id=True))
TPL.add_output(
comments_outputs([{
'EIP':
Join(',',
[GetAtt(resource, "AllocationId") for resource in RESOURCES])
}, {
'PublicSubnets':
Join(',', [Ref(subnet) for subnet in PUBLIC_SUBNETS])
}, {
'StorageSubnets':
Join(',', [Ref(subnet) for subnet in STORAGE_SUBNETS])
}, {
'ApplicationSubnets':
Join(',', [Ref(subnet) for subnet in APP_SUBNETS])
}, {
'StackName': Ref('AWS::StackName')
}, {
'VpcZoneId': Ref(DNS_HOSTED_ZONE)
}]))
return TPL