def create_elb(self, subnet1, subnet2, elb_sg):
load_balancer = self.t.add_resource(
LoadBalancer(
"LoadBalancer",
ConnectionDrainingPolicy=ConnectionDrainingPolicy(
Enabled=True,
Timeout=120,
),
Subnets=[Ref(subnet1), Ref(subnet2)],
HealthCheck=HealthCheck(
Target="TCP:80",
HealthyThreshold="2",
UnhealthyThreshold="9",
Interval="20",
Timeout="15",
),
Listeners=[
Listener(
LoadBalancerPort="80",
InstancePort="80",
Protocol="HTTP",
),
],
CrossZone=True,
SecurityGroups=[Ref(elb_sg)],
LoadBalancerName="webapp-elb",
Scheme="internet-facing",
))
return load_balancer
def add_elb(self):
t = self.template
self.elbSg = t.add_resource(
SecurityGroup(
'ElbSecurityGroup',
VpcId=Ref(self.vpcIdParam),
GroupDescription='Security group for ELB.',
SecurityGroupIngress=[
SecurityGroupRule(ToPort='80',
FromPort='80',
IpProtocol='tcp',
CidrIp="0.0.0.0/0")
#TODO HTTPS
],
Tags=self.defaultTags +
[Tag('Name', Join("", [self.namePrefix, 'ElbSecurityGroup']))
]))
self.elbListener = Listener('ElbListener',
LoadBalancerPort="80",
InstancePort="80",
Protocol="HTTP",
InstanceProtocol="HTTP")
self.elbHealthCheck = HealthCheck(Target="TCP:80",
Timeout="2",
Interval="5",
HealthyThreshold="2",
UnhealthyThreshold="2")
publicSubnetIds = [
self.sceptreUserData['subnets']['publicInfraAZ1Id'],
self.sceptreUserData['subnets']['publicInfraAZ2Id'],
self.sceptreUserData['subnets']['publicInfraAZ3Id']
]
self.elb = t.add_resource(
LoadBalancer('Elb',
Listeners=[self.elbListener],
Scheme='internet-facing',
HealthCheck=self.elbHealthCheck,
CrossZone=True,
Subnets=publicSubnetIds,
SecurityGroups=[Ref(self.elbSg)],
Tags=self.defaultTags +
[Tag('Name', Join("", [self.namePrefix, 'Elb']))]))
return 0
def define_networking(t):
t.add_resource(
VPC("VPC",
CidrBlock=Ref(t.parameters["vpcCidrBlock"]),
InstanceTenancy="default",
EnableDnsSupport=True,
EnableDnsHostnames=False,
Tags=troposphere.cloudformation.Tags(Name=Join(
" ", ["BIG-IQ VPC:", Ref("AWS::StackName")]))))
t.add_resource(
Subnet("Subnet1",
CidrBlock=Ref(t.parameters["subnet1CidrBlock"]),
VpcId=Ref(t.resources["VPC"]),
AvailabilityZone=Ref(t.parameters["subnet1Az"]),
Tags=Tags(
Name=Join(" ", ["BIG-IQ Subnet 1:",
Ref("AWS::StackName")]))))
t.add_resource(
Subnet("Subnet2",
CidrBlock=Ref(t.parameters["subnet2CidrBlock"]),
VpcId=Ref(t.resources["VPC"]),
AvailabilityZone=Ref(t.parameters["subnet2Az"]),
Tags=Tags(
Name=Join(" ", ["Big-IQ Subnet 2:",
Ref("AWS::StackName")]))))
t.add_resource(
RouteTable("RouteTable1",
VpcId=Ref(t.resources["VPC"]),
Tags=Tags(Name=Join(
" ", ["BIG-IQ Route Table 1:",
Ref("AWS::StackName")]))))
t.add_resource(
RouteTable("RouteTable2",
VpcId=Ref(t.resources["VPC"]),
Tags=Tags(Name=Join(
" ", ["BIG-IQ Route Table 2:",
Ref("AWS::StackName")]))))
t.add_resource(
SubnetRouteTableAssociation("Subnet1RouteTableAssociation",
SubnetId=Ref(t.resources["Subnet1"]),
RouteTableId=Ref(
t.resources["RouteTable1"])))
t.add_resource(
SubnetRouteTableAssociation("Subnet2RouteTableAssociation",
SubnetId=Ref(t.resources["Subnet2"]),
RouteTableId=Ref(
t.resources["RouteTable2"])))
t.add_resource(
InternetGateway(
"IGW",
Tags=Tags(Name=Join(
" ", ["BIG-IQ Internet Gateway:",
Ref("AWS::StackName")]))))
t.add_resource(
VPCGatewayAttachment("IGWAttachment",
VpcId=Ref(t.resources["VPC"]),
InternetGatewayId=Ref(t.resources["IGW"])))
t.add_resource(
Route("Route1Default",
DestinationCidrBlock="0.0.0.0/0",
RouteTableId=Ref(t.resources["RouteTable1"]),
GatewayId=Ref(t.resources["IGW"])))
t.add_resource(
Route("Route2Default",
DestinationCidrBlock="0.0.0.0/0",
RouteTableId=Ref(t.resources["RouteTable2"]),
GatewayId=Ref(t.resources["IGW"])))
t.add_resource(NetworkAcl("VPCAcl", VpcId=Ref(t.resources["VPC"])))
t.add_resource(
SecurityGroup(
"SecurityGroup",
GroupName=Join(" ",
["BIG-IQ SG:", Ref("AWS::StackName")]),
GroupDescription="vpc-sg",
VpcId=Ref(t.resources["VPC"]),
SecurityGroupIngress=[
SecurityGroupRule(IpProtocol="tcp",
FromPort="443",
ToPort="443",
CidrIp="0.0.0.0/0"),
SecurityGroupRule(IpProtocol="tcp",
FromPort="80",
ToPort="80",
CidrIp="0.0.0.0/0"),
SecurityGroupRule(IpProtocol="tcp",
FromPort="22",
ToPort="22",
CidrIp="0.0.0.0/0"),
SecurityGroupRule(
IpProtocol=
"tcp", # TODO Determine actual ports which should be open
FromPort="1",
ToPort="65356",
CidrIp=Ref(t.parameters["vpcCidrBlock"]))
]))
t.add_resource(
SecurityGroup("ElbSecurityGroup",
GroupName=Join(
" ", ["ELB-SG-", Ref("AWS::StackName")]),
GroupDescription="vpc-sg",
VpcId=Ref(t.resources["VPC"]),
SecurityGroupIngress=[]))
t.add_resource(
LoadBalancer(
"ClassicELB",
SecurityGroups=[Ref(t.resources["ElbSecurityGroup"])],
HealthCheck=HealthCheck(HealthyThreshold="10",
Interval="30",
Target="TCP:22",
Timeout="5",
UnhealthyThreshold="2"),
Listeners=[
Listener(LoadBalancerPort="80",
InstancePort="80",
Protocol="TCP",
InstanceProtocol="TCP")
],
LoadBalancerName=Join("", ["ELB-", Ref("AWS::StackName")]),
Scheme="internet-facing",
Subnets=[Ref(t.resources["Subnet1"]),
Ref(t.resources["Subnet2"])]))
from troposphere import Template
from troposphere.elasticloadbalancing import Listener, LoadBalancer
t = Template()
t.add_description("ELB with Proxy Protocol enabled for ports 80 and 443")
elb = t.add_resource(LoadBalancer(
"ElasticLoadBalancer",
Listeners=[
Listener(
LoadBalancerPort="80",
InstancePort="80",
Protocol="TCP"
),
Listener(
LoadBalancerPort="443",
InstancePort="443",
Protocol="TCP"
),
],
Policies=[
{
"PolicyName": "EnableProxyProtocol",
"PolicyType": "ProxyProtocolPolicyType",
"Attributes": [{
"Name": "ProxyProtocol",
"Value": "true"
}],
"InstancePorts": ["80", "443"]
}
loadbalancer = []
targetgroup = []
if "elb" in rolemap[role]:
elb_identifier = ""
if rolemap[role]["elb"]["subnet"] in public_prefixes:
elb_identifier = "pubsub" + rolemap[role]["elb"]["subnet"].upper()
elb = t.add_resource(
LoadBalancer(
"elb" + role.upper(),
Subnets=Split(",", Ref(elb_identifier)),
Listeners=[
Listener(
LoadBalancerPort=80,
InstancePort=80,
Protocol='HTTP',
),
],
SecurityGroups=[Ref("defaultSG"),
Ref(elbSecurityGroup)],
HealthCheck=HealthCheck(
Target=rolemap[role]["elb"]["healthcheck"],
HealthyThreshold="2",
UnhealthyThreshold="2",
Interval="10",
Timeout="5"),
ConnectionDrainingPolicy=ConnectionDrainingPolicy(Enabled=True,
Timeout=300),
CrossZone=True,
Tags=Tags(Environment=Ref("environment"), Service=role)))
def add_kippo_sensors(self):
# Create the ELB
self.template.add_resource(
LoadBalancer(
'Elb',
Listeners=[
Listener(
InstancePort=80,
LoadBalancerPort=80,
Protocol='http',
),
Listener(
InstancePort=443,
LoadBalancerPort=443,
Protocol='tcp', # Plain TCP forwarding for HTTPS/SSL
),
],
CrossZone=True,
Subnets=Ref('ElbSubnetIdList'),
SecurityGroups=[Ref('ElbSecurityGroup')],
Scheme='internet-facing',
HealthCheck=HealthCheck(
Target='HTTP:80/kippo-graph/',
HealthyThreshold=2,
UnhealthyThreshold=5,
Interval=120,
Timeout=60,
),
))
self.template.add_output(
Output(
'ElbEndpoint',
Description='ELB endpoint address',
Value=GetAtt('Elb', 'DNSName'),
))
self.template.add_resource(
LaunchConfiguration(
'LaunchConfiguration',
KeyName=Ref('KeyName'),
ImageId=FindInMap('Ec2AmiMap', Ref('AWS::Region'), 'AmiId'),
InstanceType=Ref('Ec2InstanceType'),
SecurityGroups=[Ref('Ec2SecurityGroup')],
AssociatePublicIpAddress=True,
UserData=Base64(
Join('\n', [
'#cloud-config',
'repo_upgrade: security',
'runcmd:',
' - "/usr/bin/wget -O /tmp/configure_kippo_sensor.sh https://raw.githubusercontent.com/cdodd/aws-kippo-cluster/master/bootstrap/configure_kippo_sensor.sh"',
Join(
'',
[
' - "bash /tmp/configure_kippo_sensor.sh',
' ',
GetAtt('RdsInstance', 'Endpoint.Address'),
' ',
Ref('RdsRootPassword'),
' ',
Ref('RealSshPort'),
'"',
],
),
])),
))
self.template.add_resource(
AutoScalingGroup(
'Asg',
DesiredCapacity=Ref('KippoSensorCount'),
HealthCheckGracePeriod=1800,
HealthCheckType='ELB',
LaunchConfigurationName=Ref('LaunchConfiguration'),
LoadBalancerNames=[Ref('Elb')],
MaxSize=Ref('KippoSensorCount'),
MinSize=Ref('KippoSensorCount'),
Tags=[Tag(key='Name', value='kippo-sensor', propogate='true')],
VPCZoneIdentifier=Ref('Ec2SubnetIdList'),
))
t.add_resource(elb_ingress_rule)
# ssh for each home egress point
home_ssh_rules = []
for (ip, name) in home_egress_ips:
rule = SecurityGroupIngress(name)
rule.CidrIp = ip
rule.FromPort = 22
rule.ToPort = 22
rule.GroupId = Ref(home_ssh)
rule.IpProtocol = 'tcp'
home_ssh_rules.append(rule)
t.add_resource(rule)
# load balancer
elb_listener_80 = Listener(config['name'] + 'Ssl')
elb_listener_80.InstancePort = 80
elb_listener_80.LoadBalancerPort = 80
elb_listener_80.Protocol = 'HTTP'
elb_listener_80.InstanceProtocol = 'HTTP'
load_balancer = LoadBalancer(config['name'] + "Elb")
load_balancer.CrossZone = True
load_balancer.Listeners = [elb_listener_80]
load_balancer.Subnets = [Ref(subnet.title) for subnet in app_subnets]
load_balancer.SecurityGroups = [Ref(elb_sg)]
t.add_resource(load_balancer)
# launch configuration for consul server
consul_block_device = EBSBlockDevice(config['name'] + 'Ebs')
consul_block_device.DeleteOnTermination = config['consul_launch_config']['block_device']['delete_on_termination']