def add_acl_entry(t, acl, egress, name, number, proto, port, cidr):
if egress:
egress = "true"
else:
egress = "false"
if isinstance(port, (list, tuple)):
port_range = PortRange(From="%d" % (port[0], ), To="%d" % (port[1], ))
else:
port_str = "%d" % (port, )
port_range = PortRange(From=port_str, To=port_str)
t.add_resource(
NetworkAclEntry(
name,
NetworkAclId=Ref(acl),
RuleNumber="%d" % (number, ),
Protocol="%d" % (proto, ),
PortRange=port_range,
Egress=egress,
RuleAction="allow",
CidrBlock=cidr,
))
def acl_entry(template,
acl_table,
name,
number,
protocol=-1,
from_port=None,
to_port=None,
cidr='0.0.0.0/0',
action='ALLOW',
egress=False):
"""Create an entry in a network acl table"""
acl_entry = NetworkAclEntry(name, template)
acl_entry.NetworkAclId = Ref(acl_table)
acl_entry.CidrBlock = cidr
acl_entry.Egress = egress
acl_entry.Protocol = protocol
if from_port or to_port:
acl_entry.PortRange = PortRange(From=from_port, To=to_port)
acl_entry.RuleAction = action
acl_entry.RuleNumber = number
return acl_entry
def create_network(self):
self.vpc_nw_acl = self.template.add_resource(
ec2.NetworkAcl(VPC_NETWORK_ACCESS_LIST,
VpcId=self.vpc.Ref(),
Tags=self.__set_tags("NetworkAcl")))
self.inbound_rule = self.template.add_resource(
ec2.NetworkAclEntry(VPC_NETWORK_ACL_INBOUND_RULE,
NetworkAclId=self.vpc_nw_acl.Ref(),
RuleNumber=100,
Protocol="6",
PortRange=PortRange(To="443", From="443"),
Egress="false",
RuleAction="allow",
CidrBlock="0.0.0.0/0"))
self.outbound_rule = self.template.add_resource(
ec2.NetworkAclEntry(VPC_NETWORK_ACL_OUTBOUND_RULE,
NetworkAclId=self.vpc_nw_acl.Ref(),
RuleNumber=200,
Protocol="6",
Egress="true",
RuleAction="allow",
CidrBlock="0.0.0.0/0"))
networkAcl = t.add_resource(
NetworkAcl(
"NetworkAcl",
VpcId=Ref(VPCResource),
Tags=Tags(Application=ref_stack_id),
)
)
inBoundPrivateNetworkAclEntry = t.add_resource(
NetworkAclEntry(
"InboundHTTPNetworkAclEntry",
NetworkAclId=Ref(networkAcl),
RuleNumber="100",
Protocol="6",
PortRange=PortRange(To="80", From="80"),
Egress="false",
RuleAction="allow",
CidrBlock="0.0.0.0/0",
)
)
inboundSSHNetworkAclEntry = t.add_resource(
NetworkAclEntry(
"InboundSSHNetworkAclEntry",
NetworkAclId=Ref(networkAcl),
RuleNumber="101",
Protocol="6",
PortRange=PortRange(To="22", From="22"),
Egress="false",
RuleAction="allow",
def generate(env, output):
"""Cloud Platform, Viaplay \n
Simple program that generates the cloudformation to cloud environment context. \n
Written by Felipe Ribeiro <*****@*****.**>, April 2019 \n
Github: https://github.com/gohackfelipe/v-play
"""
logging.info('Initial configurations to create the cloudformation file.')
template = Template()
template.add_description("Service VPC")
logging.info('Adding description on template')
template.add_metadata({
"DependsOn": [],
"Environment": env,
"StackName": '{}-{}'.format(env, 'VPC'),
})
logging.info('Adding metadata on template')
internet_gateway = template.add_resource(
InternetGateway("InternetGateway",
Tags=Tags(Environment=env,
Name='{}-{}'.format(env,
'InternetGateway'))))
logging.info('Adding InternetGateway on template')
vpc = template.add_resource(
VPC('VPC',
CidrBlock='10.0.0.0/16',
EnableDnsHostnames="true",
EnableDnsSupport="true",
InstanceTenancy="default",
Tags=Tags(Environment=env, Name='{}-{}'.format(env,
'ServiceVPC'))))
logging.info('Adding VPC on template')
template.add_resource(
VPCGatewayAttachment(
"VpcGatewayAttachment",
VpcId=Ref("VPC"),
InternetGatewayId=Ref("InternetGateway"),
))
logging.info('Adding VpcGatewayAttachment on template')
network_acl = template.add_resource(
NetworkAcl(
'VpcNetworkAcl',
VpcId=Ref(vpc),
Tags=Tags(Environment=env, Name='{}-{}'.format(env, 'NetworkAcl')),
))
logging.info('Creating Network ALC on template')
template.add_resource(
NetworkAclEntry(
'VpcNetworkAclInboundRule',
NetworkAclId=Ref(network_acl),
RuleNumber=100,
Protocol='6',
PortRange=PortRange(To='443', From='443'),
Egress='false',
RuleAction='allow',
CidrBlock='0.0.0.0/0',
))
logging.info('Adding Network ALC Inbound Rule on template')
template.add_resource(
NetworkAclEntry(
'VpcNetworkAclOutboundRule',
NetworkAclId=Ref(network_acl),
RuleNumber=200,
Protocol='6',
Egress='true',
RuleAction='allow',
CidrBlock='0.0.0.0/0',
))
logging.info('Adding Network ALC Outbound Rule on template')
# Outputs
template.add_output([
Output('InternetGateway', Value=Ref(internet_gateway)),
Output('VPCID', Value=Ref(vpc))
])
logging.info('Adding Output on template')
if (not output):
print(template.to_json())
logging.info('Printing the cloudformation content on screen.')
else:
createFile(output, template.to_json())
VpcId=Ref(VPC),
CidrBlock=FindInMap("SubnetMap", "TEST-RDS-AZ1", "CIDR"),
AvailabilityZone=Select("0", GetAZs("")),
Tags=Tags(
Name="SubnetTestRdsAz1",
project="ShelterMutual",
),
))
RdsTestNaclIngress200 = t.add_resource(
NetworkAclEntry(
"RdsTestNaclIngress200",
NetworkAclId=Ref("RdsTestNacl"),
RuleNumber="200",
Protocol="6",
PortRange=PortRange(To="3306", From="3306"),
Egress="false",
RuleAction="allow",
CidrBlock=FindInMap("SubnetMap", "TEST-PRIVATE-AZ2", "CIDR"),
))
AttachGateway = t.add_resource(
VPCGatewayAttachment(
"AttachGateway",
VpcId=Ref(VPC),
InternetGatewayId=Ref(InternetGateway),
))
RdsTestNaclIngress300 = t.add_resource(
NetworkAclEntry(
"RdsTestNaclIngress300",
Client1NetworkAcl = t.add_resource(NetworkAcl("Client1NetworkAcl",
VpcId=Ref(VPC),
))
Client1NetworkAclAssociation = t.add_resource(SubnetNetworkAclAssociation
("Client1NetworkAclAssociation",
NetworkAclId=Ref(Client1NetworkAcl),
SubnetId=Ref(Client1Subnet)))
Client1NetworkAclInboundAllowSubnet = t.add_resource(NetworkAclEntry
("Client1NetworkAclInboundAllowSubnet",
NetworkAclId=Ref(Client1NetworkAcl),
RuleNumber=100,
CidrBlock="10.62.1.0/24",
RuleAction="allow",
PortRange=PortRange(To="-1", From="-1"),
Protocol="-1",
Egress="false",
))
Client1NetworkAclInbooundDenyVpc = t.add_resource(NetworkAclEntry
("Client1NetworkAclInboundDenyVpc",
NetworkAclId=Ref(Client1NetworkAcl),
RuleNumber=110,
CidrBlock="10.62.0.0/16",
RuleAction="deny",
PortRange=PortRange(To="-1", From="-1"),
Protocol="-1",
Egress="false",
))
Client1NetworkAclInboundAllowAll = t.add_resource(NetworkAclEntry
("Client1NetworkAclInboundAllowAll",
def build(ssh_keypair_name):
template = Template()
template.set_version("2010-09-09")
keyname_param = template.add_parameter(
Parameter(
"KeyName",
ConstraintDescription="must be the name of an existing EC2 KeyPair.",
Description="Name of an existing EC2 KeyPair to enable SSH access to \
the instance",
Type="AWS::EC2::KeyPair::KeyName",
Default=ssh_keypair_name,
)
)
sshlocation_param = template.add_parameter(
Parameter(
"SSHLocation",
Description=" The IP address range that can be used to SSH to the EC2 \
instances",
Type="String",
MinLength="9",
MaxLength="18",
Default="0.0.0.0/0",
AllowedPattern=r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})",
ConstraintDescription=("must be a valid IP CIDR range of the form x.x.x.x/x."),
)
)
instanceType_param = template.add_parameter(
Parameter(
"InstanceType",
Type="String",
Description="WebServer EC2 instance type",
Default="t3a.small",
AllowedValues=[
"t2.micro",
"t2.small",
"t2.medium",
"t3a.small",
"m3.medium",
"m3.large",
"m3.xlarge",
"m3.2xlarge",
"c3.large",
"c3.xlarge",
"c3.2xlarge",
"c3.4xlarge",
"c3.8xlarge",
"g2.2xlarge",
"r3.large",
"r3.xlarge",
"r3.2xlarge",
"r3.4xlarge",
"r3.8xlarge",
"i2.xlarge",
"i2.2xlarge",
"i2.4xlarge",
"i2.8xlarge",
"hi1.4xlarge",
"hs1.8xlarge",
"cr1.8xlarge",
"cc2.8xlarge",
],
ConstraintDescription="must be a valid EC2 instance type.",
)
)
template.add_mapping(
"AWSRegion2AMI",
{
"us-east-1": {"image": "ami-0d915a031cabac0e0"},
"us-east-2": {"image": "ami-0b97435028ca44fcc"},
"us-west-1": {"image": "ami-068d0753a46192935"},
"us-west-2": {"image": "ami-0c457f229774da543"},
"eu-west-1": {"image": "ami-046c6a0123bf94619"},
"eu-west-2": {"image": "ami-0dbe8ba0cd21ea12b"},
"eu-west-3": {"image": "ami-041bf9180061ce7ea"},
"eu-central-1": {"image": "ami-0f8184e6f30cc0c33"},
"eu-north-1": {"image": "ami-08dd1b893371bcaac"},
"ap-south-1": {"image": "ami-0ff23052091536db2"},
"ap-southeast-1": {"image": "ami-0527e82bae7c51958"},
"ap-southeast-2": {"image": "ami-0bae8773e653a32ec"},
"ap-northeast-1": {"image": "ami-060741a96307668be"},
"ap-northeast-2": {"image": "ami-0d991ac4f545a6b34"},
"sa-east-1": {"image": "ami-076f350d5a5ec448d"},
"ca-central-1": {"image": "ami-0071deaa12b66d1bf"},
},
)
vpc = template.add_resource(VPC("VPC", CidrBlock="10.0.0.0/16"))
subnet = template.add_resource(Subnet("Subnet", CidrBlock="10.0.0.0/24", VpcId=Ref(vpc)))
internet_gateway = template.add_resource(InternetGateway("InternetGateway"))
attach_gateway = template.add_resource(
VPCGatewayAttachment("AttachGateway", VpcId=Ref(vpc), InternetGatewayId=Ref(internet_gateway))
)
route_table = template.add_resource(RouteTable("RouteTable", VpcId=Ref(vpc)))
template.add_resource(
Route(
"Route",
DependsOn=attach_gateway,
GatewayId=Ref(internet_gateway),
DestinationCidrBlock="0.0.0.0/0",
RouteTableId=Ref(route_table),
)
)
template.add_resource(
SubnetRouteTableAssociation("SubnetRouteTableAssociation", SubnetId=Ref(subnet), RouteTableId=Ref(route_table),)
)
network_acl = template.add_resource(NetworkAcl("NetworkAcl", VpcId=Ref(vpc),))
template.add_resource(
NetworkAclEntry(
"InboundHTTPNetworkAclEntry",
NetworkAclId=Ref(network_acl),
RuleNumber="100",
Protocol="6",
PortRange=PortRange(To="80", From="80"),
Egress="false",
RuleAction="allow",
CidrBlock="0.0.0.0/0",
)
)
template.add_resource(
NetworkAclEntry(
"InboundSSHNetworkAclEntry",
NetworkAclId=Ref(network_acl),
RuleNumber="101",
Protocol="6",
PortRange=PortRange(To="22", From="22"),
Egress="false",
RuleAction="allow",
CidrBlock="0.0.0.0/0",
)
)
template.add_resource(
NetworkAclEntry(
"InboundResponsePortsNetworkAclEntry",
NetworkAclId=Ref(network_acl),
RuleNumber="102",
Protocol="6",
PortRange=PortRange(To="65535", From="1024"),
Egress="false",
RuleAction="allow",
CidrBlock="0.0.0.0/0",
)
)
template.add_resource(
NetworkAclEntry(
"OutBoundHTTPNetworkAclEntry",
NetworkAclId=Ref(network_acl),
RuleNumber="100",
Protocol="6",
PortRange=PortRange(To="80", From="80"),
Egress="true",
RuleAction="allow",
CidrBlock="0.0.0.0/0",
)
)
template.add_resource(
NetworkAclEntry(
"OutBoundHTTPSNetworkAclEntry",
NetworkAclId=Ref(network_acl),
RuleNumber="101",
Protocol="6",
PortRange=PortRange(To="443", From="443"),
Egress="true",
RuleAction="allow",
CidrBlock="0.0.0.0/0",
)
)
template.add_resource(
NetworkAclEntry(
"OutBoundResponsePortsNetworkAclEntry",
NetworkAclId=Ref(network_acl),
RuleNumber="102",
Protocol="6",
PortRange=PortRange(To="65535", From="1024"),
Egress="true",
RuleAction="allow",
CidrBlock="0.0.0.0/0",
)
)
template.add_resource(
SubnetNetworkAclAssociation("SubnetNetworkAclAssociation", SubnetId=Ref(subnet), NetworkAclId=Ref(network_acl),)
)
instance_security_group = template.add_resource(
SecurityGroup(
"InstanceSecurityGroup",
GroupDescription="Enable SSH access via port 22",
SecurityGroupIngress=[
SecurityGroupRule(IpProtocol="tcp", FromPort="22", ToPort="22", CidrIp=Ref(sshlocation_param)),
SecurityGroupRule(IpProtocol="tcp", FromPort="80", ToPort="80", CidrIp="0.0.0.0/0"),
],
VpcId=Ref(vpc),
)
)
server_instance = template.add_resource(
Instance(
"ServerInstance",
ImageId=FindInMap("AWSRegion2AMI", Ref("AWS::Region"), "image"),
InstanceType=Ref(instanceType_param),
KeyName=Ref(keyname_param),
NetworkInterfaces=[
NetworkInterfaceProperty(
GroupSet=[Ref(instance_security_group)],
AssociatePublicIpAddress="true",
DeviceIndex="0",
DeleteOnTermination="true",
SubnetId=Ref(subnet),
)
],
)
)
template.add_output([Output("ServerIP", Value=GetAtt(server_instance, "PublicIp"))])
return template
def __init__(self, parameters):
super(Vpc, self).__init__()
# Virtual Private Cloud
self.vpc = VPC(
"VPC",
CidrBlock=Ref(parameters.VPCCIDR),
EnableDnsHostnames=True,
Tags=Tags(
Name=Ref(AWS_STACK_NAME),
)
)
# Public NACL
self.GeneralPublicNACL = NetworkAcl(
"GeneralPublicNACL",
VpcId=Ref(self.vpc),
Tags=Tags(
Name=Join("-", [Ref(AWS_STACK_NAME), "public"]),
),
)
# Private NACL
self.GeneralPrivateNACL = NetworkAcl(
"GeneralPrivateNACL",
VpcId=Ref(self.vpc),
Tags=Tags(
Name=Join("-", [Ref(AWS_STACK_NAME), "private"]),
),
)
# NACL Rules
self.PublicNACLIngressRule100 = NetworkAclEntry(
"PublicNACLIngressRule100",
NetworkAclId=Ref(self.GeneralPublicNACL),
RuleNumber="100",
Protocol="-1",
Egress=False,
RuleAction="allow",
CidrBlock="0.0.0.0/0",
)
self.PublicNACLEgressRule100 = NetworkAclEntry(
"PublicNACLEgressRule100",
NetworkAclId=Ref(self.GeneralPublicNACL),
RuleNumber="100",
Protocol="-1",
Egress=True,
RuleAction="allow",
CidrBlock="0.0.0.0/0",
)
self.PrivateNACLEgressRule100 = NetworkAclEntry(
"PrivateNACLEgressRule100",
NetworkAclId=Ref(self.GeneralPrivateNACL),
RuleNumber="100",
Protocol="-1",
Egress=True,
RuleAction="allow",
CidrBlock="0.0.0.0/0",
)
self.PrivateNACLIngressRule100 = NetworkAclEntry(
"PrivateNACLIngressRule100",
NetworkAclId=Ref(self.GeneralPrivateNACL),
RuleNumber="100",
Protocol="-1",
Egress=False,
RuleAction="allow",
CidrBlock=Ref(parameters.VPCCIDR),
)
self.PrivateNACLIngressRule220 = NetworkAclEntry(
"PrivateNACLIngressRule220",
NetworkAclId=Ref(self.GeneralPrivateNACL),
RuleNumber="220",
Protocol="-1",
Egress=False,
RuleAction="allow",
CidrBlock="0.0.0.0/0",
)
self.PrivateNACLIngressRule400 = NetworkAclEntry(
"PrivateNACLIngressRule400",
NetworkAclId=Ref(self.GeneralPrivateNACL),
RuleNumber="400",
Protocol="6",
PortRange=PortRange(To="65535", From="1024"),
Egress=False,
RuleAction="allow",
CidrBlock="0.0.0.0/0",
)
self.PrivateNACLIngressRule420 = NetworkAclEntry(
"PrivateNACLIngressRule420",
NetworkAclId=Ref(self.GeneralPrivateNACL),
RuleNumber="420",
Protocol="1",
Egress=False,
RuleAction="allow",
Icmp=ICMP(
Code="-1",
Type="-1"
),
CidrBlock="0.0.0.0/0",
)
self.PrivateNACLIngressRule440 = NetworkAclEntry(
"PrivateNACLIngressRule440",
NetworkAclId=Ref(self.GeneralPrivateNACL),
RuleNumber="440",
Protocol="17",
PortRange=PortRange(To="65535", From="1024"),
Egress=False,
RuleAction="allow",
CidrBlock="0.0.0.0/0",
)
# Shared services
self.GeneralPrivateSubnetA = Subnet(
"GeneralPrivateSubnetA",
Tags=Tags(
Name=Join("-", [Ref(AWS_STACK_NAME), "general-private-a"]),
),
VpcId=Ref(self.vpc),
MapPublicIpOnLaunch=False,
CidrBlock=Ref(parameters.GeneralPrivateSubnetACIDR),
AvailabilityZone=Ref(parameters.AvailabilityZoneA),
)
self.GeneralPrivateSubnetB = Subnet(
"GeneralPrivateSubnetB",
Tags=Tags(
Name=Join("-", [Ref(AWS_STACK_NAME), "general-private-b"]),
),
VpcId=Ref(self.vpc),
MapPublicIpOnLaunch=False,
CidrBlock=Ref(parameters.GeneralPrivateSubnetBCIDR),
AvailabilityZone=Ref(parameters.AvailabilityZoneB),
)
self.SharedServicesPublicSubnetA = Subnet(
"SharedServicesPublicSubnetA",
VpcId=Ref(self.vpc),
AvailabilityZone=Ref(parameters.AvailabilityZoneA),
CidrBlock=Ref(parameters.SharedServicesPublicSubnetACIDR),
MapPublicIpOnLaunch=False,
Tags=Tags(
Name=Join("-", [Ref(AWS_STACK_NAME), "shared-public-a"]),
)
)
self.SharedServicesPublicSubnetB = Subnet(
"SharedServicesPublicSubnetB",
VpcId=Ref(self.vpc),
AvailabilityZone=Ref(parameters.AvailabilityZoneB),
CidrBlock=Ref(parameters.SharedServicesPublicSubnetBCIDR),
MapPublicIpOnLaunch=False,
Tags=Tags(
Name=Join("-", [Ref(AWS_STACK_NAME), "shared-public-b"]),
)
)
self.SharedServicesPrivateSubnetA = Subnet(
"SharedServicesPrivateSubnetA",
VpcId=Ref(self.vpc),
AvailabilityZone=Ref(parameters.AvailabilityZoneA),
CidrBlock=Ref(parameters.SharedServicesPrivateSubnetACIDR),
MapPublicIpOnLaunch=False,
Tags=Tags(
Name=Join("-", [Ref(AWS_STACK_NAME), "shared-private-a"]),
)
)
self.SharedServicesPrivateSubnetB = Subnet(
"SharedServicesPrivateSubnetB",
VpcId=Ref(self.vpc),
AvailabilityZone=Ref(parameters.AvailabilityZoneB),
CidrBlock=Ref(parameters.SharedServicesPrivateSubnetBCIDR),
MapPublicIpOnLaunch=False,
Tags=Tags(
Name=Join("-", [Ref(AWS_STACK_NAME), "shared-private-b"]),
)
)
self.SharedServicesPublicNACLSubnetAAssocation = SubnetNetworkAclAssociation(
"SharedServicesPublicNACLSubnetAAssocation",
SubnetId=Ref(self.SharedServicesPublicSubnetA),
NetworkAclId=Ref(self.GeneralPublicNACL),
)
self.SharedServicesPublicNACLSubnetBAssocation = SubnetNetworkAclAssociation(
"SharedServicesPublicNACLSubnetBAssocation",
SubnetId=Ref(self.SharedServicesPublicSubnetB),
NetworkAclId=Ref(self.GeneralPublicNACL),
)
self.SharedServicesPrivateNACLSubnetAAssocation = SubnetNetworkAclAssociation(
"SharedServicesPrivateNACLSubnetAAssocation",
SubnetId=Ref(self.SharedServicesPrivateSubnetA),
NetworkAclId=Ref(self.GeneralPrivateNACL),
)
self.SharedServicesPrivateNACLSubnetBAssocation = SubnetNetworkAclAssociation(
"SharedServicesPrivateNACLSubnetBAssocation",
SubnetId=Ref(self.SharedServicesPrivateSubnetB),
NetworkAclId=Ref(self.GeneralPrivateNACL),
)
self.GeneralPrivateNACLSubnetAAssocation = SubnetNetworkAclAssociation(
"GeneralPrivateNACLSubnetAAssocation",
SubnetId=Ref(self.GeneralPrivateSubnetA),
NetworkAclId=Ref(self.GeneralPrivateNACL),
)
self.GeneralPrivateNACLSubnetBAssocation = SubnetNetworkAclAssociation(
"GeneralPrivateNACLSubnetBAssocation",
SubnetId=Ref(self.GeneralPrivateSubnetB),
NetworkAclId=Ref(self.GeneralPrivateNACL),
)
# Route tables
self.PublicRouteTable = RouteTable(
"PublicRouteTable",
VpcId=Ref(self.vpc),
Tags=Tags(
Name=Join("-", [Ref(AWS_STACK_NAME), "public"]),
),
)
self.PrivateARouteTable = RouteTable(
"PrivateARouteTable",
VpcId=Ref(self.vpc),
Tags=Tags(
Name=Join("-", [Ref(AWS_STACK_NAME), "private-a"]),
),
)
self.PrivateBRouteTable = RouteTable(
"PrivateBRouteTable",
VpcId=Ref(self.vpc),
Tags=Tags(
Name=Join("-", [Ref(AWS_STACK_NAME), "private-b"]),
),
)
# Internet Gateway
self.InternetGateway = InternetGateway(
"InternetGateway",
Tags=Tags(
Name=Join("-", [Ref(AWS_STACK_NAME)]),
),
)
self.VPNAttachment = VPCGatewayAttachment(
"VPNAttachment",
VpcId=Ref(self.vpc),
InternetGatewayId=Ref(self.InternetGateway)
)
# NAT Gateways
self.NATGatewayAEIP = EIP(
"NATGatewayAEIP",
Domain=Ref(self.vpc),
Condition="DeployNATGateways"
)
self.NATGatewayBEIP = EIP(
"NATGatewayBEIP",
Domain=Ref(self.vpc),
Condition="DeployNATGateways"
)
self.NATGatewayA = NatGateway(
"NATGatewayA",
SubnetId=Ref(self.SharedServicesPublicSubnetA),
AllocationId=GetAtt(self.NATGatewayAEIP, "AllocationId"),
Condition="DeployNATGateways"
)
self.NATGatewayB = NatGateway(
"NATGatewayB",
SubnetId=Ref(self.SharedServicesPublicSubnetB),
AllocationId=GetAtt(self.NATGatewayBEIP, "AllocationId"),
Condition="DeployNATGateways"
)
# S3 VPC enpoint connection
self.VPCS3Endpoint = VPCEndpoint(
"VPCS3Endpoint",
VpcId=Ref(self.vpc),
ServiceName=Join("", ["com.amazonaws.", Ref(AWS_REGION), ".s3"]),
RouteTableIds=[Ref(self.PublicRouteTable), Ref(self.PrivateARouteTable), Ref(self.PrivateBRouteTable)],
)
# Security Groups
self.ICMPSecurityGroup = SecurityGroup(
"ICMPSecurityGroup",
SecurityGroupIngress=[{ "ToPort": "-1", "IpProtocol": "icmp", "CidrIp": "0.0.0.0/0", "FromPort": "-1" }],
VpcId=Ref(self.vpc),
GroupDescription="Allows servers to be reached by ICMP",
Tags=Tags(
Name=Join("-", [Ref(AWS_STACK_NAME), "icmp"]),
),
)
self.OpenPublicSSHSecurityGroup = SecurityGroup(
"OpenPublicSSHSecurityGroup",
SecurityGroupIngress=[{ "ToPort": "22", "IpProtocol": "tcp", "CidrIp": "0.0.0.0/0", "FromPort": "22" }],
VpcId=Ref(self.vpc),
GroupDescription="Allows instance to be publically managed over SSH from anywhere, probably a bad idea",
Tags=Tags(
Name=Join("-", [Ref(AWS_STACK_NAME), "open-public-ssh"]),
),
)
# Route Tables
self.GeneralPrivateSubnetARouteTable = SubnetRouteTableAssociation(
"GeneralPrivateSubnetARouteTable",
SubnetId=Ref(self.GeneralPrivateSubnetA),
RouteTableId=Ref(self.PrivateARouteTable),
)
self.GeneralPrivateSubnetBRouteTable = SubnetRouteTableAssociation(
"GeneralPrivateSubnetBRouteTable",
SubnetId=Ref(self.GeneralPrivateSubnetB),
RouteTableId=Ref(self.PrivateBRouteTable),
)
self.SharedServicesPublicSubnetARouteTable = SubnetRouteTableAssociation(
"SharedServicesPublicSubnetARouteTable",
SubnetId=Ref(self.SharedServicesPublicSubnetA),
RouteTableId=Ref(self.PublicRouteTable),
)
self.SharedServicesPublicSubnetBRouteTable = SubnetRouteTableAssociation(
"SharedServicesPublicSubnetBRouteTable",
SubnetId=Ref(self.SharedServicesPublicSubnetB),
RouteTableId=Ref(self.PublicRouteTable),
)
self.SharedServicesPrivateSubnetARouteTable = SubnetRouteTableAssociation(
"SharedServicesPrivateSubnetARouteTable",
SubnetId=Ref(self.SharedServicesPrivateSubnetA),
RouteTableId=Ref(self.PrivateARouteTable),
)
self.SharedServicesPrivateSubnetBRouteTable = SubnetRouteTableAssociation(
"SharedServicesPrivateSubnetBRouteTable",
SubnetId=Ref(self.SharedServicesPrivateSubnetB),
RouteTableId=Ref(self.PrivateBRouteTable),
)
# Routes
self.PublicSharedRoute = Route(
"PublicSharedRoute",
DestinationCidrBlock="0.0.0.0/0",
GatewayId=Ref(self.InternetGateway),
RouteTableId=Ref(self.PublicRouteTable),
)
self.PrivateANATRoute = Route(
"PrivateANATRoute",
DestinationCidrBlock="0.0.0.0/0",
RouteTableId=Ref(self.PrivateARouteTable),
NatGatewayId=Ref(self.NATGatewayB),
#DependsOn=self.NATGatewayA,
Condition="DeployNATGateways"
)
self.PrivateBNATRoute = Route(
"PrivateBNATRoute",
DestinationCidrBlock="0.0.0.0/0",
RouteTableId=Ref(self.PrivateBRouteTable),
NatGatewayId=Ref(self.NATGatewayB),
#DependsOn=self.NATGatewayB,
Condition="DeployNATGateways"
)
# Internal Zone standard
self.InternalZone = HostedZone(
"InternalZone",
VPCs=[
HostedZoneVPCs(
VPCId=Ref(self.vpc),
VPCRegion=Ref("AWS::Region"),
)],
HostedZoneConfig=HostedZoneConfiguration(
Comment="Internal (private) zone for name resolution"
),
HostedZoneTags=Tags(
Name=Join("-", [Ref(AWS_STACK_NAME), "internal"]),
),
Name=Ref(parameters.DomainName),
)
# Internal Zone production website
self.InternalZoneProductionWebsite = HostedZone(
"InternalZoneProductionWebsite",
VPCs=[
HostedZoneVPCs(
VPCId=Ref(self.vpc),
VPCRegion=Ref("AWS::Region"),
)],
HostedZoneConfig=HostedZoneConfiguration(
Comment="Internal (private) zone for name resolution for public website"
),
HostedZoneTags=Tags(
Name=Join("-", [Ref(AWS_STACK_NAME), "internal-public-site"]),
),
Name="sharpe.capital",
Condition="CreateProductionZone"
)
# Custom Security Groups
self.OpenPublicSSHSecurityGroup = SecurityGroup(
"OpenPublicSSHSecurityGroup",
GroupDescription="Allows server to be publically managed over SSH from anywhere",
SecurityGroupIngress=[
SecurityGroupRule(
IpProtocol="tcp",
FromPort="22",
ToPort="22",
CidrIp="0.0.0.0/0"
),
],
VpcId=Ref(self.vpc),
Tags=Tags(
Name=Join("-", [Ref(AWS_STACK_NAME), "open-public-ssh-access"]),
),
)
# Public Load Balancer NACL
self.PublicLBNACL = NetworkAcl(
"PublicLBNACL",
VpcId=Ref(self.vpc),
Tags=Tags(
Name=Ref(AWS_STACK_NAME),
),
)
self.PublicLBRouteTable = RouteTable(
"PublicLBRouteTable",
VpcId=Ref(self.vpc),
Tags=Tags(
Name=Ref(AWS_STACK_NAME),
),
)
self.LBPublicSubnetA = Subnet(
"LBPublicSubnetA",
VpcId=Ref(self.vpc),
AvailabilityZone=Ref(parameters.AvailabilityZoneA),
CidrBlock=Ref(parameters.LBSubnetACIDR),
Tags=Tags(
Name=Join("-", [Ref(AWS_STACK_NAME), "lb-public-a"]),
),
)
self.LBPublicSubnetB = Subnet(
"LBPublicSubnetB",
VpcId=Ref(self.vpc),
AvailabilityZone=Ref(parameters.AvailabilityZoneB),
CidrBlock=Ref(parameters.LBSubnetBCIDR),
Tags=Tags(
Name=Join("-", [Ref(AWS_STACK_NAME), "lb-public-b"]),
),
)
self.LBNACLIn100 = NetworkAclEntry(
"LBNACLIn100",
NetworkAclId=Ref(self.PublicLBNACL),
RuleNumber=100,
Protocol=6,
PortRange=PortRange(To=443, From=443),
Egress=False,
RuleAction="allow",
CidrBlock="0.0.0.0/0",
)
self.LBNACLIn200 = NetworkAclEntry(
"LBNACLIn200",
NetworkAclId=Ref(self.PublicLBNACL),
RuleNumber=200,
Protocol=6,
PortRange=PortRange(To=80, From=80),
Egress=False,
RuleAction="allow",
CidrBlock="0.0.0.0/0",
)
self.LBNACLIn300 = NetworkAclEntry(
"LBNACLIn300",
NetworkAclId=Ref(self.PublicLBNACL),
RuleNumber=300,
Protocol=6,
PortRange=PortRange(To=65535, From=1024),
Egress=False,
RuleAction="allow",
CidrBlock="0.0.0.0/0",
)
self.LBNACLOut100 = NetworkAclEntry(
"LBNACLOut100",
NetworkAclId=Ref(self.PublicLBNACL),
RuleNumber=100,
Protocol=6,
PortRange=PortRange(To=65535, From=1024),
Egress=True,
RuleAction="allow",
CidrBlock="0.0.0.0/0",
)
self.LBRouteTableAssociationA = SubnetRouteTableAssociation(
"LBRouteTableAssociationA",
SubnetId=Ref(self.LBPublicSubnetA),
RouteTableId=Ref(self.PublicLBRouteTable),
)
self.LBRouteTableAssociationB = SubnetRouteTableAssociation(
"LBRouteTableAssociationB",
SubnetId=Ref(self.LBPublicSubnetB),
RouteTableId=Ref(self.PublicLBRouteTable),
)
self.LBNACLAssociationB = SubnetNetworkAclAssociation(
"LBNACLAssociationB",
SubnetId=Ref(self.LBPublicSubnetB),
NetworkAclId=Ref(self.PublicLBNACL),
)
self.LBNACLAssociationA = SubnetNetworkAclAssociation(
"LBNACLAssociationA",
SubnetId=Ref(self.LBPublicSubnetA),
NetworkAclId=Ref(self.PublicLBNACL),
)
self.LBInternetGatewayRoute = Route(
"LBInternetGatewayRoute",
GatewayId=Ref(self.InternetGateway),
DestinationCidrBlock="0.0.0.0/0",
RouteTableId=Ref(self.PublicLBRouteTable),
)
self.LBICMPSecurityGroup = SecurityGroup(
"LBICMPSecurityGroup",
SecurityGroupIngress=[{ "ToPort": "-1", "IpProtocol": "icmp", "CidrIp": "0.0.0.0/0", "FromPort": "-1" }],
VpcId=Ref(self.vpc),
GroupDescription="Allows servers to be reached by ICMP",
Tags=Tags(
Name=Join("-", [Ref(AWS_STACK_NAME), "icmp"]),
),
)
self.LBSecurityGroup = SecurityGroup(
"LBSecurityGroup",
SecurityGroupIngress=[{ "ToPort": 80, "FromPort": 80, "IpProtocol": "tcp", "CidrIp": "0.0.0.0/0" },
{ "ToPort": 443, "FromPort": 443, "IpProtocol": "tcp", "CidrIp": "0.0.0.0/0" }],
VpcId=Ref(self.vpc),
GroupDescription="Securty group for public facing web load balancers",
Tags=Tags(
Name=Ref(AWS_STACK_NAME),
),
)
def set_cloudformation_settings(cloudformation_template, ref_stack_id):
my_VPC = cloudformation_template.add_resource(
VPC('VPC',
CidrBlock='172.31.0.0/16',
Tags=Tags(Application=ref_stack_id)))
subnet = cloudformation_template.add_resource(
Subnet('Subnet',
CidrBlock='172.31.0.0/22',
VpcId=Ref(my_VPC),
MapPublicIpOnLaunch=True,
Tags=Tags(Application=ref_stack_id)))
internetGateway = cloudformation_template.add_resource(
InternetGateway('InternetGateway',
Tags=Tags(Application=ref_stack_id)))
gatewayAttachment = cloudformation_template.add_resource(
VPCGatewayAttachment('AttachGateway',
VpcId=Ref(my_VPC),
InternetGatewayId=Ref(internetGateway)))
routeTable = cloudformation_template.add_resource(
RouteTable('RouteTable',
VpcId=Ref(my_VPC),
Tags=Tags(Application=ref_stack_id)))
route = cloudformation_template.add_resource(
Route(
'Route',
DependsOn='AttachGateway',
GatewayId=Ref('InternetGateway'),
DestinationCidrBlock='0.0.0.0/0',
RouteTableId=Ref(routeTable),
))
subnetRouteTableAssociation = cloudformation_template.add_resource(
SubnetRouteTableAssociation(
'SubnetRouteTableAssociation',
SubnetId=Ref(subnet),
RouteTableId=Ref(routeTable),
))
networkAcl = cloudformation_template.add_resource(
NetworkAcl(
'NetworkAcl',
VpcId=Ref(my_VPC),
Tags=Tags(Application=ref_stack_id),
))
inBoundPrivateNetworkAclEntry = cloudformation_template.add_resource(
NetworkAclEntry(
'InboundHTTPNetworkAclEntry',
NetworkAclId=Ref(networkAcl),
RuleNumber='100',
Protocol='6',
PortRange=PortRange(To='80', From='80'),
Egress='false',
RuleAction='allow',
CidrBlock='0.0.0.0/0',
))
inboundSSHNetworkAclEntry = cloudformation_template.add_resource(
NetworkAclEntry(
'InboundSSHNetworkAclEntry',
NetworkAclId=Ref(networkAcl),
RuleNumber='101',
Protocol='6',
PortRange=PortRange(To='22', From='22'),
Egress='false',
RuleAction='allow',
CidrBlock='0.0.0.0/0',
))
inboundResponsePortsNetworkAclEntry = cloudformation_template.add_resource(
NetworkAclEntry(
'InboundResponsePortsNetworkAclEntry',
NetworkAclId=Ref(networkAcl),
RuleNumber='102',
Protocol='6',
PortRange=PortRange(To='65535', From='1024'),
Egress='false',
RuleAction='allow',
CidrBlock='0.0.0.0/0',
))
outBoundHTTPNetworkAclEntry = cloudformation_template.add_resource(
NetworkAclEntry(
'OutBoundHTTPNetworkAclEntry',
NetworkAclId=Ref(networkAcl),
RuleNumber='100',
Protocol='6',
PortRange=PortRange(To='80', From='80'),
Egress='true',
RuleAction='allow',
CidrBlock='0.0.0.0/0',
))
outBoundHTTPSNetworkAclEntry = cloudformation_template.add_resource(
NetworkAclEntry(
'OutBoundHTTPSNetworkAclEntry',
NetworkAclId=Ref(networkAcl),
RuleNumber='101',
Protocol='6',
PortRange=PortRange(To='443', From='443'),
Egress='true',
RuleAction='allow',
CidrBlock='0.0.0.0/0',
))
outBoundResponsePortsNetworkAclEntry = cloudformation_template.add_resource(
NetworkAclEntry(
'OutBoundResponsePortsNetworkAclEntry',
NetworkAclId=Ref(networkAcl),
RuleNumber='102',
Protocol='6',
PortRange=PortRange(To='65535', From='1024'),
Egress='true',
RuleAction='allow',
CidrBlock='0.0.0.0/0',
))
subnetNetworkAclAssociation = cloudformation_template.add_resource(
SubnetNetworkAclAssociation(
'SubnetNetworkAclAssociation',
SubnetId=Ref(subnet),
NetworkAclId=Ref(networkAcl),
))
return cloudformation_template, subnet
def __init__(self):
u""" Infrastructure Class Contructor """
self.aws = AWS()
self.ami = AMI()
self.ref_stack_id = Ref('AWS::StackId')
self.ami_id = self.ami.minimal_linux_ami()
# NOTE: Troposphere doesn't have a template feature to make KeyPairs
# So handle this ad-hoc for now.
self.keypair_name = 'test-deploy-keypair'
if self.keypair_doesnt_exist():
self.create_keypair(self.keypair_name)
self.deployment_bucket_prefix = 'test-deploy-bucket-'
self.deployment_bucket_name = '{}{}'.format(
self.deployment_bucket_prefix,
uuid.uuid4().hex[:12].lower())
self.deployment_bucket_location = None
if self.deploy_bucket_doesnt_exist():
self.deployment_bucket_location = self.create_deploy_bucket(
self.deployment_bucket_name)
else:
self.deployment_bucket_location = self.get_bucket_url(
self.deployment_bucket_name)
self.server_certificate_name = 'test-deploy-certificate'
self.server_certificate_arn = None
if self.server_certificate_doesnt_exist():
self.server_certificate_arn = self.upload_server_certificate()
self.template = Template()
self.template.add_version('2010-09-09')
self.template.add_description(
'AWS Cloudformation Template for autoscaled, load balance controlled EC2 service'
)
self.template.add_parameter(
Parameter('KeyName',
Description='Name of an existing EC2 KeyPair',
Default=self.keypair_name,
Type='String'))
self.template.add_parameter(
Parameter('AmiId',
Description='Lastest Minimal Linux AMI',
Default=self.ami_id,
Type='String'))
self.template.add_parameter(
Parameter('DeployBucketName',
Description='Name of the deployment_bucket',
Default=self.deployment_bucket_name,
Type='String'))
self.template.add_parameter(
Parameter('DeployBucketLocation',
Description='Location of the deployment_bucket',
Default=self.deployment_bucket_location,
Type='String'))
self.template.add_parameter(
Parameter('ServerCertificateArn',
Description='Certificate ARN for the Load Balancer',
Default=self.server_certificate_arn,
Type='String'))
self.sshlocation = self.template.add_parameter(
Parameter(
'SSHLocation',
Description=
'The IP address range that can be used to SSH to the EC2 instances',
Type='String',
MinLength='9',
MaxLength='18',
Default='0.0.0.0/0',
AllowedPattern=
r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})",
ConstraintDescription=(
"must be a valid IP CIDR range of the form x.x.x.x/x.")))
self.vpc = self.template.add_resource(
VPC('TestDeployVpc',
CidrBlock='10.0.0.0/16',
Tags=Tags(Application=self.ref_stack_id)))
self.subnet = self.template.add_resource(
Subnet('TestDeploySubnet',
VpcId=Ref(self.vpc),
CidrBlock='10.0.0.0/24',
Tags=Tags(Application=self.ref_stack_id)))
self.gateway = self.template.add_resource(
InternetGateway('TestDeployGateway',
Tags=Tags(Application=self.ref_stack_id)))
self.gatewayattach = self.template.add_resource(
VPCGatewayAttachment('AttachGateway',
VpcId=Ref(self.vpc),
InternetGatewayId=Ref(self.gateway)))
self.route_table = self.template.add_resource(
RouteTable('RouteTable',
VpcId=Ref(self.vpc),
Tags=Tags(Application=self.ref_stack_id)))
self.route = self.template.add_resource(
Route('Route',
DependsOn='AttachGateway',
GatewayId=Ref('TestDeployGateway'),
DestinationCidrBlock='0.0.0.0/0',
RouteTableId=Ref(self.route_table)))
self.subnet_route_association = self.template.add_resource(
SubnetRouteTableAssociation(
'SubnetRouteTableAssociation',
SubnetId=Ref(self.subnet),
RouteTableId=Ref(self.route_table),
DependsOn=['TestDeploySubnet', 'RouteTable']))
self.network_acl = self.template.add_resource(
NetworkAcl('NetworkAcl',
VpcId=Ref(self.vpc),
Tags=Tags(Application=self.ref_stack_id)))
self.inbound_private_http = self.template.add_resource(
NetworkAclEntry('InboundHTTP',
NetworkAclId=Ref(self.network_acl),
RuleNumber='100',
Protocol='6',
PortRange=PortRange(To='80', From='80'),
Egress='false',
RuleAction='allow',
CidrBlock='0.0.0.0/0'))
self.inbound_private_http_alt = self.template.add_resource(
NetworkAclEntry('InboundHTTPAlt',
NetworkAclId=Ref(self.network_acl),
RuleNumber='101',
Protocol='6',
PortRange=PortRange(To='8000', From='8000'),
Egress='false',
RuleAction='allow',
CidrBlock='0.0.0.0/0'))
self.inbound_private_https = self.template.add_resource(
NetworkAclEntry('InboundHTTPS',
NetworkAclId=Ref(self.network_acl),
RuleNumber='102',
Protocol='6',
PortRange=PortRange(To='443', From='443'),
Egress='false',
RuleAction='allow',
CidrBlock='0.0.0.0/0'))
self.inbound_ssh = self.template.add_resource(
NetworkAclEntry('InboundSSH',
NetworkAclId=Ref(self.network_acl),
RuleNumber='103',
Protocol='6',
PortRange=PortRange(To='22', From='22'),
Egress='false',
RuleAction='allow',
CidrBlock='0.0.0.0/0'))
self.inbound_response = self.template.add_resource(
NetworkAclEntry('InboundResponsePorts',
NetworkAclId=Ref(self.network_acl),
RuleNumber='104',
Protocol='6',
PortRange=PortRange(To='65535', From='1024'),
Egress='false',
RuleAction='allow',
CidrBlock='0.0.0.0/0'))
self.outbound_http = self.template.add_resource(
NetworkAclEntry('OutboundHTTP',
NetworkAclId=Ref(self.network_acl),
RuleNumber='100',
Protocol='6',
PortRange=PortRange(To='80', From='80'),
Egress='true',
RuleAction='allow',
CidrBlock='0.0.0.0/0'))
self.outbound_https = self.template.add_resource(
NetworkAclEntry('OutboundHTTPS',
NetworkAclId=Ref(self.network_acl),
RuleNumber='101',
Protocol='6',
PortRange=PortRange(To='443', From='443'),
Egress='true',
RuleAction='allow',
CidrBlock='0.0.0.0/0'))
self.outbound_response = self.template.add_resource(
NetworkAclEntry('OutboundResponsePorts',
NetworkAclId=Ref(self.network_acl),
RuleNumber='102',
Protocol='6',
PortRange=PortRange(To='65535', From='1024'),
Egress='true',
RuleAction='allow',
CidrBlock='0.0.0.0/0'))
self.subnet_network_association = self.template.add_resource(
SubnetNetworkAclAssociation(
'SubnetNetworkACLAssociation',
SubnetId=Ref(self.subnet),
NetworkAclId=Ref(self.network_acl),
DependsOn=['TestDeploySubnet', 'NetworkAcl']))
self.instance_security_group = self.template.add_resource(
SecurityGroup('InstanceSecurityGroup',
GroupDescription='Open all ports',
SecurityGroupIngress=[
SecurityGroupRule(IpProtocol='tcp',
FromPort='22',
ToPort='22',
CidrIp='0.0.0.0/0'),
SecurityGroupRule(IpProtocol='tcp',
FromPort='1024',
ToPort='65535',
CidrIp='0.0.0.0/0')
],
SecurityGroupEgress=[
SecurityGroupRule(IpProtocol='tcp',
FromPort='1',
ToPort='65535',
CidrIp='0.0.0.0/0')
],
VpcId=Ref(self.vpc)))
self.instance = self.template.add_resource(
Instance(
'TestDeployInstance',
ImageId=Ref('AmiId'),
InstanceType='t2.micro',
KeyName=Ref('KeyName'),
NetworkInterfaces=[
NetworkInterfaceProperty(
GroupSet=[Ref('InstanceSecurityGroup')],
AssociatePublicIpAddress='true',
DeviceIndex='0',
DeleteOnTermination='true',
SubnetId=Ref('TestDeploySubnet'))
],
UserData=Base64(
Join('', [
"#!/bin/bash\n",
"apt-get update\n",
"apt-get -y install python python-pip python-setuptools\n",
"mkdir aws-cfn-bootstrap-latest\n",
"curl https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-latest.tar.gz | tar xz -C aws-cfn-bootstrap-latest --strip-components 1\n",
"easy_install aws-cfn-bootstrap-latest\n",
"/usr/local/bin/cfn-init --stack ",
{
"Ref": "AWS::StackName"
},
" --resource TestDeployInstance",
" --region ",
{
"Ref": "AWS::Region"
},
"\n",
"/usr/local/bin/cfn-signal --exit-code $? '",
{
"Ref": "WaitHandle"
},
"'\n"
"\n",
"python -m SimpleHTTPServer 8000 2>&1 >/dev/null &\n",
])),
DependsOn=['InstanceSecurityGroup', 'TestDeploySubnet'],
Tags=Tags(Application=self.ref_stack_id)))
def create_template(key_pair, region, type_instance):
""" Create the Cloud Formation Template """
# Create references for the CFT
ref_stack_id = Ref('AWS::StackId')
ref_region = Ref('AWS::Region')
ref_stack_name = Ref('AWS:StackName')
# Add the template header
t = Template()
t.add_version('2010-09-09')
t.add_description(PROJECT + ": " +\
'AWS Cloud Formation Template for creating a custom VPC with '\
'public subnet to host a simple web server on a single EC2 instance '\
'with a security group that allows public HTTP and SSH traffic.')
# Add the VPC
vpc = t.add_resource(
VPC('VPC',
CidrBlock=VPC_CIDR,
Tags=Tags(Application=ref_stack_id,
Name=NAME_PREFIX + 'vpc',
Project=PROJECT)))
# Add a public Subnet for our web server
public_subnet = t.add_resource(
Subnet('Subnet',
CidrBlock=SUBNET_CIDR,
VpcId=Ref(vpc),
Tags=Tags(Application=ref_stack_id,
Name=NAME_PREFIX + 'public-subnet',
Project=PROJECT)))
# Add an IGW for public access
internet_gateway = t.add_resource(
InternetGateway('InternetGateway',
Tags=Tags(Application=ref_stack_id,
Name=NAME_PREFIX + 'igw',
Project=PROJECT)))
# Attach our IGW to our VPC
gateway_attachment = t.add_resource(
VPCGatewayAttachment('AttachGateway',
VpcId=Ref(vpc),
InternetGatewayId=Ref(internet_gateway)))
# Add a custom Route Table for public access
route_table = t.add_resource(
RouteTable('RouteTable',
VpcId=Ref(vpc),
Tags=Tags(Application=ref_stack_id,
Name=NAME_PREFIX + 'publicroutetable',
Project=PROJECT)))
# Add a public Route to our Route Table through our IGW
public_route = t.add_resource(
Route('Route',
DependsOn='AttachGateway',
GatewayId=Ref(internet_gateway),
DestinationCidrBlock='0.0.0.0/0',
RouteTableId=Ref(route_table)))
# Associate our public Subnet with our public Route Table
subnet_route_table_assoc = t.add_resource(
SubnetRouteTableAssociation('SubnetRouteTableAssociation',
SubnetId=Ref(public_subnet),
RouteTableId=Ref(route_table)))
# Add a new Network ACL for our public Subnet
network_acl = t.add_resource(
NetworkAcl('NetworkAcl',
VpcId=Ref(vpc),
Tags=Tags(Application=ref_stack_id,
Name=NAME_PREFIX + 'networkacl',
Project=PROJECT)))
# Inbound ACL Rule for HTTP
inboundHttpAclEntry = t.add_resource(
NetworkAclEntry('InboundHTTPNetworkAclEntry',
NetworkAclId=Ref(network_acl),
RuleNumber='100',
Protocol=6,
PortRange=PortRange(To='80', From='80'),
Egress='false',
RuleAction='allow',
CidrBlock='0.0.0.0/0'))
# Inbound ACL Rule for HTTPS
inboundHttpsAclEntry = t.add_resource(
NetworkAclEntry('InboundHTTPSNetworkAclEntry',
NetworkAclId=Ref(network_acl),
RuleNumber='200',
Protocol=6,
PortRange=PortRange(To='443', From='443'),
Egress='false',
RuleAction='allow',
CidrBlock='0.0.0.0/0'))
# Inbound ACL Rule for SSH
inboundSshAclEntry = t.add_resource(
NetworkAclEntry('InboundSSHNetworkAclEntry',
NetworkAclId=Ref(network_acl),
RuleNumber='300',
Protocol=6,
PortRange=PortRange(To='22', From='22'),
Egress='false',
RuleAction='allow',
CidrBlock='0.0.0.0/0'))
# Inbound ACL Rule for Ephemeral Response Ports
inboundResponsePortsAclEntry = t.add_resource(
NetworkAclEntry('InboundResponsePortsNetworkAclEntry',
NetworkAclId=Ref(network_acl),
RuleNumber='400',
Protocol=6,
PortRange=PortRange(To='65535', From='1024'),
Egress='false',
RuleAction='allow',
CidrBlock='0.0.0.0/0'))
# Outbound ACL Rule for HTTP
outboundHttpAclEntry = t.add_resource(
NetworkAclEntry('OutboundHTTPNetworkAclEntry',
NetworkAclId=Ref(network_acl),
RuleNumber='100',
Protocol=6,
PortRange=PortRange(To='80', From='80'),
Egress='true',
RuleAction='allow',
CidrBlock='0.0.0.0/0'))
# Outbound ACL Rule for HTTPS
outboundHttpsAclEntry = t.add_resource(
NetworkAclEntry('OutboundHTTPSNetworkAclEntry',
NetworkAclId=Ref(network_acl),
RuleNumber='200',
Protocol=6,
PortRange=PortRange(To='443', From='443'),
Egress='true',
RuleAction='allow',
CidrBlock='0.0.0.0/0'))
# Outbound ACL Rule for SSH
outboundSshAclEntry = t.add_resource(
NetworkAclEntry('OutboundSSHNetworkAclEntry',
NetworkAclId=Ref(network_acl),
RuleNumber='300',
Protocol=6,
PortRange=PortRange(To='22', From='22'),
Egress='true',
RuleAction='allow',
CidrBlock='0.0.0.0/0'))
# Outbound ACL Rule for Ephemeral Response Ports
outboundResponsePortsAclEntry = t.add_resource(
NetworkAclEntry('OutboundResponsePortsNetworkAclEntry',
NetworkAclId=Ref(network_acl),
RuleNumber='400',
Protocol=6,
PortRange=PortRange(To='65535', From='1024'),
Egress='true',
RuleAction='allow',
CidrBlock='0.0.0.0/0'))
# Associate our public Subnet with our new Network ACL
subnet_network_acl_assoc = t.add_resource(
SubnetNetworkAclAssociation('SubnetNetworkAclAssociation',
SubnetId=Ref(public_subnet),
NetworkAclId=Ref(network_acl)))
# Add a Security Group for our Web Server
webserver_security_group = t.add_resource(
SecurityGroup('SecurityGroup',
GroupDescription='Web Server SG',
SecurityGroupIngress=[
SecurityGroupRule(IpProtocol='tcp',
ToPort='80',
FromPort='80',
CidrIp='0.0.0.0/0'),
SecurityGroupRule(IpProtocol='tcp',
ToPort='22',
FromPort='22',
CidrIp='0.0.0.0/0')
],
VpcId=Ref(vpc)))
# Add the Web Server Instance
instance = t.add_resource(
Instance(
'WebServerInstance',
ImageId=supported_regions_ami_map[region],
InstanceType=type_instance,
KeyName=key_pair,
NetworkInterfaces=
[
NetworkInterfaceProperty(
GroupSet=[Ref(webserver_security_group)],
AssociatePublicIpAddress='true',
DeviceIndex='0',
DeleteOnTermination='true',
SubnetId=Ref(public_subnet))
],
UserData=Base64(
Join(
'\n',
[
'#!/bin/bash -x',
'yum install httpd -y',
'yum update -y',
'echo "<html><h1>Automation for the People</h1></html>" ' \
'> /var/www/html/index.html',
'service httpd start',
'chkconfig httpd on'
])),
Tags=Tags(
Application=ref_stack_id,
Name=NAME_PREFIX+'webserver',
Project=PROJECT)))
# Add Outputs to the Template for the VPC ID and URL
t.add_output([
Output('VPC', Description='VPC ID', Value=Ref(vpc)),
Output('URL',
Description='Web Server URL',
Value=Join('',
['http://',
GetAtt('WebServerInstance', 'PublicIp')]))
])
return t
from troposphere import (Output, Ref)
from troposphere.ec2 import (PortRange, NetworkAcl, NetworkAclEntry)
from . import template as t, tags
from vpc import vpc
# Add resources for Network ACL and Network ACL Entries
nacl = t.add_resource(
NetworkAcl('VpcNetworkAcl', VpcId=Ref(vpc), Tags=tags('NetworkAcl')))
t.add_resource(
NetworkAclEntry('VpcNetworkAclInboundRulePublic443',
CidrBlock="0.0.0.0/0",
Egress=False,
NetworkAclId=Ref(nacl),
PortRange=PortRange(From="443", To="443"),
Protocol="6",
RuleAction="allow",
RuleNumber=20001))
t.add_resource(
NetworkAclEntry('VpcNetworkAclInboundRulePublic80',
CidrBlock="0.0.0.0/0",
Egress=False,
NetworkAclId=Ref(nacl),
PortRange=PortRange(From="80", To="80"),
Protocol="6",
RuleAction="allow",
RuleNumber=20000))
t.add_resource(
def add_vpc_to_template(my_template, ref_stack_id):
sshlocation_param = my_template.add_parameter(
Parameter(
'SSHLocation',
Description=
' The IP address range that can be used to SSH to the EC2 instances',
Type='String',
MinLength='9',
MaxLength='18',
Default='0.0.0.0/0',
AllowedPattern=
"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})",
ConstraintDescription=(
"must be a valid IP CIDR range of the form x.x.x.x/x."),
))
my_vpc = my_template.add_resource(
VPC('VPC',
CidrBlock='10.0.0.0/16',
Tags=Tags(Application=ref_stack_id)))
subnet = my_template.add_resource(
Subnet('Subnet',
CidrBlock='10.0.0.0/24',
VpcId=Ref(VPC),
Tags=Tags(Application=ref_stack_id)))
internetGateway = my_template.add_resource(
InternetGateway('InternetGateway',
Tags=Tags(Application=ref_stack_id)))
gatewayAttachment = my_template.add_resource(
VPCGatewayAttachment('AttachGateway',
VpcId=Ref(VPC),
InternetGatewayId=Ref(internetGateway)))
routeTable = my_template.add_resource(
RouteTable('RouteTable',
VpcId=Ref(VPC),
Tags=Tags(Application=ref_stack_id)))
route = my_template.add_resource(
Route(
'Route',
DependsOn='AttachGateway',
GatewayId=Ref('InternetGateway'),
DestinationCidrBlock='0.0.0.0/0',
RouteTableId=Ref(routeTable),
))
subnetRouteTableAssociation = my_template.add_resource(
SubnetRouteTableAssociation(
'SubnetRouteTableAssociation',
SubnetId=Ref(subnet),
RouteTableId=Ref(routeTable),
))
networkAcl = my_template.add_resource(
NetworkAcl(
'NetworkAcl',
VpcId=Ref(VPC),
Tags=Tags(Application=ref_stack_id),
))
inboundSSHNetworkAclEntry = my_template.add_resource(
NetworkAclEntry(
'InboundSSHNetworkAclEntry',
NetworkAclId=Ref(networkAcl),
RuleNumber='101',
Protocol='6',
PortRange=PortRange(To='22', From='22'),
Egress='false',
RuleAction='allow',
CidrBlock='0.0.0.0/0',
))
subnetNetworkAclAssociation = my_template.add_resource(
SubnetNetworkAclAssociation(
'SubnetNetworkAclAssociation',
SubnetId=Ref(subnet),
NetworkAclId=Ref(networkAcl),
))
networkAcl = t.add_resource(
NetworkAcl(
'NetworkAcl',
VpcId=Ref(VPC),
Tags=Tags(
Application=ref_stack_id),
))
inBoundPrivateNetworkAclEntry = t.add_resource(
NetworkAclEntry(
'InboundHTTPNetworkAclEntry',
NetworkAclId=Ref(networkAcl),
RuleNumber='100',
Protocol='6',
PortRange=PortRange(To='80', From='80'),
Egress='false',
RuleAction='allow',
CidrBlock='0.0.0.0/0',
))
inboundSSHNetworkAclEntry = t.add_resource(
NetworkAclEntry(
'InboundSSHNetworkAclEntry',
NetworkAclId=Ref(networkAcl),
RuleNumber='101',
Protocol='6',
PortRange=PortRange(To='22', From='22'),
Egress='false',
RuleAction='allow',
CidrBlock='0.0.0.0/0',
def build(ssh_keypair_name):
template = Template()
template.set_version("2010-09-09")
keyname_param = template.add_parameter(
Parameter(
"KeyName",
ConstraintDescription=
"must be the name of an existing EC2 KeyPair.",
Description=
"Name of an existing EC2 KeyPair to enable SSH access to \
the instance",
Type="AWS::EC2::KeyPair::KeyName",
Default=ssh_keypair_name,
))
sshlocation_param = template.add_parameter(
Parameter(
"SSHLocation",
Description=
" The IP address range that can be used to SSH to the EC2 \
instances",
Type="String",
MinLength="9",
MaxLength="18",
Default="0.0.0.0/0",
AllowedPattern=
r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})",
ConstraintDescription=(
"must be a valid IP CIDR range of the form x.x.x.x/x."),
))
vpc = template.add_resource(VPC("VPC", CidrBlock="10.0.0.0/16"))
subnet = template.add_resource(
Subnet(
"Subnet",
CidrBlock="10.0.0.0/24",
VpcId=Ref(vpc),
))
internet_gateway = template.add_resource(
InternetGateway("InternetGateway"))
attach_gateway = template.add_resource(
VPCGatewayAttachment("AttachGateway",
VpcId=Ref(vpc),
InternetGatewayId=Ref(internet_gateway)))
route_table = template.add_resource(
RouteTable("RouteTable", VpcId=Ref(vpc)))
template.add_resource(
Route(
"Route",
DependsOn=attach_gateway,
GatewayId=Ref(internet_gateway),
DestinationCidrBlock="0.0.0.0/0",
RouteTableId=Ref(route_table),
))
template.add_resource(
SubnetRouteTableAssociation(
"SubnetRouteTableAssociation",
SubnetId=Ref(subnet),
RouteTableId=Ref(route_table),
))
network_acl = template.add_resource(
NetworkAcl("NetworkAcl", VpcId=Ref(vpc)))
template.add_resource(
NetworkAclEntry(
"InboundSSHNetworkAclEntry",
NetworkAclId=Ref(network_acl),
RuleNumber="101",
Protocol="6",
PortRange=PortRange(To="22", From="22"),
Egress="false",
RuleAction="allow",
CidrBlock="0.0.0.0/0",
))
template.add_resource(
NetworkAclEntry(
"InboundResponsePortsNetworkAclEntry",
NetworkAclId=Ref(network_acl),
RuleNumber="102",
Protocol="6",
PortRange=PortRange(To="65535", From="1024"),
Egress="false",
RuleAction="allow",
CidrBlock="0.0.0.0/0",
))
template.add_resource(
NetworkAclEntry(
"OutBoundResponsePortsNetworkAclEntry",
NetworkAclId=Ref(network_acl),
RuleNumber="103",
Protocol="6",
PortRange=PortRange(To="65535", From="1024"),
Egress="true",
RuleAction="allow",
CidrBlock="0.0.0.0/0",
))
template.add_resource(
NetworkAclEntry(
"OutBoundHTTPPortsNetworkAclEntry",
NetworkAclId=Ref(network_acl),
RuleNumber="104",
Protocol="6",
PortRange=PortRange(To="80", From="80"),
Egress="true",
RuleAction="allow",
CidrBlock="0.0.0.0/0",
))
template.add_resource(
NetworkAclEntry(
"OutBoundHTTPSPortsNetworkAclEntry",
NetworkAclId=Ref(network_acl),
RuleNumber="105",
Protocol="6",
PortRange=PortRange(To="443", From="443"),
Egress="true",
RuleAction="allow",
CidrBlock="0.0.0.0/0",
))
template.add_resource(
NetworkAclEntry(
"OutBoundSSHPortsNetworkAclEntry",
NetworkAclId=Ref(network_acl),
RuleNumber="106",
Protocol="6",
PortRange=PortRange(To="22", From="22"),
Egress="true",
RuleAction="allow",
CidrBlock="0.0.0.0/0",
))
template.add_resource(
SubnetNetworkAclAssociation("SubnetNetworkAclAssociation",
SubnetId=Ref(subnet),
NetworkAclId=Ref(network_acl)))
emr_security_group = template.add_resource(
SecurityGroup(
"EMRSecurityGroup",
GroupDescription="Enable SSH access via port 22",
SecurityGroupIngress=[
SecurityGroupRule(IpProtocol="tcp",
FromPort="22",
ToPort="22",
CidrIp=Ref(sshlocation_param)),
],
VpcId=Ref(vpc),
))
emr_service_role = template.add_resource(
iam.Role(
"EMRServiceRole",
AssumeRolePolicyDocument={
"Statement": [{
"Effect": "Allow",
"Principal": {
"Service": ["elasticmapreduce.amazonaws.com"]
},
"Action": ["sts:AssumeRole"],
}]
},
ManagedPolicyArns=[
"arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceRole"
],
))
emr_job_flow_role = template.add_resource(
iam.Role(
"EMRJobFlowRole",
AssumeRolePolicyDocument={
"Statement": [{
"Effect": "Allow",
"Principal": {
"Service": ["ec2.amazonaws.com"]
},
"Action": ["sts:AssumeRole"]
}]
},
ManagedPolicyArns=[
"arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforEC2Role"
],
))
emr_instance_profile = template.add_resource(
iam.InstanceProfile("EMRInstanceProfile",
Roles=[Ref(emr_job_flow_role)]))
cluster = template.add_resource(
emr.Cluster(
"EMRCluster",
ReleaseLabel="emr-6.0.0",
JobFlowRole=Ref(emr_instance_profile),
ServiceRole=Ref(emr_service_role),
Instances=emr.JobFlowInstancesConfig(
Ec2KeyName=Ref(keyname_param),
Ec2SubnetId=Ref(subnet),
EmrManagedMasterSecurityGroup=Ref(emr_security_group),
EmrManagedSlaveSecurityGroup=Ref(emr_security_group),
MasterInstanceGroup=emr.InstanceGroupConfigProperty(
Name="Master Instance",
InstanceCount="1",
InstanceType=M4_LARGE,
Market="ON_DEMAND",
),
CoreInstanceGroup=emr.InstanceGroupConfigProperty(
Name="Core Instance",
EbsConfiguration=emr.EbsConfiguration(
EbsBlockDeviceConfigs=[
emr.EbsBlockDeviceConfigs(
VolumeSpecification=emr.VolumeSpecification(
SizeInGB="10", VolumeType="gp2"),
VolumesPerInstance="1",
)
],
EbsOptimized="true",
),
InstanceCount="1",
InstanceType=M4_LARGE,
),
),
Applications=[emr.Application(Name="Spark")],
VisibleToAllUsers="true",
))
template.add_output(
[Output("MasterPublicDNS", Value=GetAtt(cluster, "MasterPublicDNS"))])
return template
CidrBlock=Ref(VPCCIDR),
EnableDnsHostnames="true",
Tags=Tags(
Application=Ref("AWS::StackName"),
Network="VPN Connected VPC",
),
)
)
OutBoundPrivateNetworkAclEntry = t.add_resource(
NetworkAclEntry(
"OutBoundPrivateNetworkAclEntry",
NetworkAclId=Ref(PrivateNetworkAcl),
RuleNumber="100",
Protocol="6",
PortRange=PortRange(To="65535", From="0"),
Egress="true",
RuleAction="allow",
CidrBlock="0.0.0.0/0",
)
)
VPNGatewayResource = t.add_resource(
VPNGateway(
"VPNGateway",
Type="ipsec.1",
Tags=Tags(
Application=Ref("AWS::StackName"),
),
)
)
def add_vpc(t):
t.add_resource(
VPC("VPC",
EnableDnsSupport="true",
CidrBlock="10.100.0.0/16",
EnableDnsHostnames="true",
Tags=Tags(
Application=Ref("AWS::StackName"),
Network=f"{vpc_name} VPC",
Name=f"{vpc_name} VPC".format(reg),
)))
# Add the internet gateway
t.add_resource(
InternetGateway("InternetGateway",
Tags=Tags(
Application=Ref("AWS::StackName"),
Network=f"{vpc_name} Spot Instance VPC",
Name=f"{vpc_name} VPC IGW",
)))
t.add_resource(
VPCGatewayAttachment(
"IGWAttachment",
VpcId=Ref("VPC"),
InternetGatewayId=Ref("InternetGateway"),
))
t.add_resource(
NetworkAcl("NetworkAcl",
VpcId=Ref("VPC"),
Tags=Tags(
Application=Ref("AWS::StackName"),
Network=f"{vpc_name} VPC",
)))
t.add_resource(
NetworkAclEntry(
"InboundNetworkAclEntry",
NetworkAclId=Ref("NetworkAcl"),
RuleNumber="100",
Protocol="-1",
PortRange=PortRange(To="65535", From="0"),
Egress="false",
RuleAction="allow",
CidrBlock="0.0.0.0/0",
))
t.add_resource(
NetworkAclEntry(
"OutboundNetworkAclEntry",
NetworkAclId=Ref("NetworkAcl"),
RuleNumber="100",
Protocol="-1",
PortRange=PortRange(To="65535", From="0"),
Egress="true",
RuleAction="allow",
CidrBlock="0.0.0.0/0",
))
t.add_resource(
RouteTable("RouteTable",
VpcId=Ref("VPC"),
Tags=Tags(Application=Ref("AWS::StackName"),
Network=f"{vpc_name} VPC",
Name="Public IGW Routing Table")))
t.add_resource(
Route(
"IGWRoute",
DependsOn='IGWAttachment',
GatewayId=Ref("InternetGateway"),
DestinationCidrBlock="0.0.0.0/0",
RouteTableId=Ref("RouteTable"),
))
#loop through usable availability zones for the aws account and create a subnet for each zone
#in the same loop generate subnet associations for the network acl and the route table
for i, az in list(enumerate(availableazs, start=1)):
zone = az[-1].upper()
t.add_resource(
Subnet(f"PublicSubnet{zone}",
VpcId=Ref("VPC"),
CidrBlock=f"10.100.{i}.0/24",
AvailabilityZone=f"{az}",
MapPublicIpOnLaunch=True,
Tags=Tags(
Application=Ref("AWS::StackName"),
Network=f"{vpc_name} VPC",
Name=f"Public Subnet {zone}",
)))
t.add_resource(
Subnet(f"PrivateSubnet{zone}",
VpcId=Ref("VPC"),
CidrBlock=f"10.100.{i+100}.0/24",
AvailabilityZone=f"{az}",
Tags=Tags(
Application=Ref("AWS::StackName"),
Network=f"{vpc_name} VPC",
Name=f"Private Subnet {zone}",
)))
t.add_resource(
SubnetNetworkAclAssociation(
f"SubnetNetworkAclAssociation{zone}",
SubnetId=Ref(f"PublicSubnet{zone}"),
NetworkAclId=Ref("NetworkAcl"),
))
t.add_resource(
SubnetRouteTableAssociation(
f"SubnetRouteTableAssociation{zone}",
SubnetId=Ref(f"PublicSubnet{zone}"),
RouteTableId=Ref("RouteTable"),
))
add_security_groups(t)
def generate_template(environment):
'''
Generates the required template based on the given environment.
Parameters:
environment: str
The environment for which the template is to be generated.
Ex: Experimental, Development, Production
Returns:
template: obj
A Template(troposphere) object with all the requiured attributes.
'''
template = Template()
template.set_description('Service VPC')
template.set_metadata({
"DependsOn": [],
"Environment": environment,
"StackName": f'{environment}-VPC'
})
internet_gateway = template.add_resource(
InternetGateway("InternetGateway",
Tags=Tags(Environment=environment,
Name=f'{environment}-InternetGateway')))
vpc = template.add_resource(
VPC("VPC",
CidrBlock="10.0.0.0/16",
EnableDnsHostnames=True,
EnableDnsSupport=True,
InstanceTenancy="default",
Tags=Tags(Environment=environment,
Name=f'{environment}-ServiceVPC')))
gateway_attachment = template.add_resource(
VPCGatewayAttachment("VpcGatewayAttachment",
InternetGatewayId=Ref(internet_gateway),
VpcId=Ref(vpc)))
network_acl = template.add_resource(
NetworkAcl(
"VpcNetworkAcl",
VpcId=Ref(vpc),
Tags=Tags(Environment=environment,
Name=f'{environment}-NetworkAcl'),
))
network_acl_inbound_rule = template.add_resource(
NetworkAclEntry("VpcNetworkAclInboundRule",
CidrBlock="0.0.0.0/0",
Egress=False,
NetworkAclId=Ref(network_acl),
PortRange=PortRange(To='443', From='443'),
Protocol=6,
RuleAction="allow",
RuleNumber=100))
network_acl_outbound_rule = template.add_resource(
NetworkAclEntry("VpcNetworkAclOutboundRule",
CidrBlock="0.0.0.0/0",
Egress=True,
NetworkAclId=Ref(network_acl),
Protocol=6,
RuleAction="allow",
RuleNumber=200))
template.add_output([
Output("InternetGateway", Value=Ref(internet_gateway)),
Output("VPCID", Value=Ref(vpc))
])
return template
def sg_subnet_vpc(self, t):
from troposphere import Base64
from troposphere import Ref, Tags, Template
from troposphere.ec2 import PortRange, NetworkAcl, Route, \
VPCGatewayAttachment, SubnetRouteTableAssociation, Subnet, RouteTable, \
VPC, NetworkInterfaceProperty, NetworkAclEntry, \
SubnetNetworkAclAssociation, EIP, Instance, InternetGateway, \
SecurityGroupRule, SecurityGroup
from troposphere.policies import CreationPolicy, ResourceSignal
from troposphere.cloudformation import Init, InitFile, InitFiles, \
InitConfig, InitService, InitServices
ref_stack_id = Ref('AWS::StackId')
ref_region = Ref('AWS::Region')
ref_stack_name = Ref('AWS::StackName')
if 'aws_vpc_id' in self.app.config['provision']:
use_vpc = self.app.config['provision']['aws_vpc_id']
use_subnet = self.app.config['provision']['aws_subnet_id']
use_sg = self.app.config['provision']['aws_sg_id']
self.app.log.info(
'Using your AWS subnet, make sure the routes and ports are configured correctly'
)
else:
VPC = t.add_resource(
VPC('VPC',
CidrBlock='10.0.0.0/16',
Tags=Tags(Application=ref_stack_id)))
use_vpc = Ref(VPC)
internetGateway = t.add_resource(
InternetGateway('InternetGateway',
Tags=Tags(Application=ref_stack_id)))
gatewayAttachment = t.add_resource(
VPCGatewayAttachment('AttachGateway',
VpcId=use_vpc,
InternetGatewayId=Ref(internetGateway)))
routeTable = t.add_resource(
RouteTable('RouteTable',
VpcId=use_vpc,
Tags=Tags(Application=ref_stack_id)))
subnet = t.add_resource(
Subnet('Subnet',
CidrBlock='10.0.0.0/24',
VpcId=use_vpc,
Tags=Tags(Application=ref_stack_id)))
route = t.add_resource(
Route(
'Route',
DependsOn='AttachGateway',
GatewayId=Ref('InternetGateway'),
DestinationCidrBlock='0.0.0.0/0',
RouteTableId=Ref(routeTable),
))
subnetRouteTableAssociation = t.add_resource(
SubnetRouteTableAssociation(
'SubnetRouteTableAssociation',
SubnetId=Ref(subnet),
RouteTableId=Ref(routeTable),
))
networkAcl = t.add_resource(
NetworkAcl(
'NetworkAcl',
VpcId=use_vpc,
Tags=Tags(Application=ref_stack_id),
))
inBoundPrivateNetworkAclEntry = t.add_resource(
NetworkAclEntry(
'InboundHTTPNetworkAclEntry',
NetworkAclId=Ref(networkAcl),
RuleNumber='100',
Protocol='6',
PortRange=PortRange(To='46656', From='46656'),
Egress='false',
RuleAction='allow',
CidrBlock='0.0.0.0/0',
))
inboundSSHNetworkAclEntry = t.add_resource(
NetworkAclEntry(
'InboundSSHNetworkAclEntry',
NetworkAclId=Ref(networkAcl),
RuleNumber='101',
Protocol='6',
PortRange=PortRange(To='22', From='22'),
Egress='false',
RuleAction='allow',
CidrBlock='0.0.0.0/0',
))
inboundResponsePortsNetworkAclEntry = t.add_resource(
NetworkAclEntry(
'InboundResponsePortsNetworkAclEntry',
NetworkAclId=Ref(networkAcl),
RuleNumber='102',
Protocol='6',
PortRange=PortRange(To='65535', From='1024'),
Egress='false',
RuleAction='allow',
CidrBlock='0.0.0.0/0',
))
outBoundHTTPNetworkAclEntry = t.add_resource(
NetworkAclEntry(
'OutBoundHTTPNetworkAclEntry',
NetworkAclId=Ref(networkAcl),
RuleNumber='100',
Protocol='6',
PortRange=PortRange(To='80', From='80'),
Egress='true',
RuleAction='allow',
CidrBlock='0.0.0.0/0',
))
outBoundHTTPSNetworkAclEntry = t.add_resource(
NetworkAclEntry(
'OutBoundHTTPSNetworkAclEntry',
NetworkAclId=Ref(networkAcl),
RuleNumber='101',
Protocol='6',
PortRange=PortRange(To='443', From='443'),
Egress='true',
RuleAction='allow',
CidrBlock='0.0.0.0/0',
))
outBoundResponsePortsNetworkAclEntry = t.add_resource(
NetworkAclEntry(
'OutBoundResponsePortsNetworkAclEntry',
NetworkAclId=Ref(networkAcl),
RuleNumber='102',
Protocol='6',
PortRange=PortRange(To='65535', From='1024'),
Egress='true',
RuleAction='allow',
CidrBlock='0.0.0.0/0',
))
outBoundLoomNetworkAclEntry = t.add_resource(
NetworkAclEntry(
'OutBoundLoomNetworkAclEntry',
NetworkAclId=Ref(networkAcl),
RuleNumber='103',
Protocol='6',
PortRange=PortRange(To='46656', From='46656'),
Egress='true',
RuleAction='allow',
CidrBlock='0.0.0.0/0',
))
subnetNetworkAclAssociation = t.add_resource(
SubnetNetworkAclAssociation(
'SubnetNetworkAclAssociation',
SubnetId=Ref(subnet),
NetworkAclId=Ref(networkAcl),
))
use_subnet = Ref(subnet)
instanceSecurityGroup = t.add_resource(
SecurityGroup(
'InstanceSecurityGroup',
GroupDescription='Enable SSH access via port 22',
SecurityGroupIngress=[
SecurityGroupRule(IpProtocol='tcp',
FromPort='22',
ToPort='22',
CidrIp='0.0.0.0/0'),
SecurityGroupRule(IpProtocol='tcp',
FromPort='46657',
ToPort='46657',
CidrIp='0.0.0.0/0'),
SecurityGroupRule(IpProtocol='tcp',
FromPort='46656',
ToPort='46656',
CidrIp='0.0.0.0/0')
],
VpcId=use_vpc,
))
use_sg = Ref(instanceSecurityGroup)
return use_sg, use_subnet, use_vpc
"""Network ACL CREATION"""
t.add_resource(ec2.NetworkAcl(
'tronetacl',
VpcId=Ref('trovpc'),
))
""" Network ACL ENTRY 1 """
t.add_resource(ec2.NetworkAclEntry(
'tronetaclent1',
NetworkAclId=Ref('tronetacl'),
RuleNumber='100',
RuleAction='allow',
Protocol='-1',
CidrBlock='0.0.0.0/0',
PortRange=PortRange(To="80", From="80"),
Egress=False,
))
""" Network ACL ENTRY 2 """
t.add_resource(ec2.NetworkAclEntry(
'tronetaclent2',
NetworkAclId=Ref('tronetacl'),
RuleNumber='200',
RuleAction='Deny',
Protocol='6',
CidrBlock='0.0.0.0/0',
PortRange=PortRange(To="22",From="22"),
Egress='false',
))
NetworkAcl('NetworkAcl',
VpcId=Ref(vpc),
Tags=Tags(
Application=ref_stack_id,
Network="Public",
)))
inboundHTTPPublicNetworkAclEntry = t.add_resource(
NetworkAclEntry('InboundHTTPNetworkAclEntry',
NetworkAclId=Ref(publicNetworkACL),
RuleNumber=100,
Protocol=-1,
RuleAction="allow",
Egress=False,
CidrBlock="0.0.0.0/0",
PortRange=PortRange(From=80, To=80)))
inboundHTTPSPublicNetworkAclEntry = t.add_resource(
NetworkAclEntry('InboundHTTPSNetworkAclEntry',
NetworkAclId=Ref(publicNetworkACL),
RuleNumber=110,
Protocol=-1,
RuleAction="allow",
Egress=False,
CidrBlock="0.0.0.0/0",
PortRange=PortRange(From=443, To=443)))
inboundSSHPublicNetworkAclEntry = t.add_resource(
NetworkAclEntry('InboundSSHNetworkAclEntry',
NetworkAclId=Ref(publicNetworkACL),
RuleNumber=120,