def create_elb(self, subnet1, subnet2, elb_sg):
load_balancer = self.t.add_resource(
LoadBalancer(
"LoadBalancer",
ConnectionDrainingPolicy=ConnectionDrainingPolicy(
Enabled=True,
Timeout=120,
),
Subnets=[Ref(subnet1), Ref(subnet2)],
HealthCheck=HealthCheck(
Target="TCP:80",
HealthyThreshold="2",
UnhealthyThreshold="9",
Interval="20",
Timeout="15",
),
Listeners=[
Listener(
LoadBalancerPort="80",
InstancePort="80",
Protocol="HTTP",
),
],
CrossZone=True,
SecurityGroups=[Ref(elb_sg)],
LoadBalancerName="webapp-elb",
Scheme="internet-facing",
))
return load_balancer
def _load_balancer(self):
return LoadBalancer(
"LoadBalancer",
ConnectionDrainingPolicy=elb.ConnectionDrainingPolicy(
Enabled=True,
Timeout=120,
),
AccessLoggingPolicy=elb.AccessLoggingPolicy(
EmitInterval=5,
Enabled=True,
S3BucketName=self.config['elb_logging_bucket'],
S3BucketPrefix="ELB",
),
Subnets=self.config['public_subnet'],
HealthCheck=elb.HealthCheck(
Target="HTTP:80/",
HealthyThreshold="5",
UnhealthyThreshold="2",
Interval="20",
Timeout="15",
),
Listeners=[
elb.Listener(
LoadBalancerPort=self.config['elb_port'],
InstancePort=self.config['instance_port'],
Protocol="HTTP",
InstanceProtocol="HTTP",
),
],
CrossZone=True,
SecurityGroups=self.config['elb_sg'],
LoadBalancerName="duy%sELB" % self.config['env'],
Scheme="internet-facing",
)
def create_prediction_service_elb(self):
t = self.template
prediction_service_elastic_load_balancer = t.add_resource(
LoadBalancer("Euro2016ElasticLoadBalancer",
LoadBalancerName=Ref("ELBName"),
Subnets=Ref("ELBSubnetIds"),
Listeners=[{
"InstancePort": "8000",
"LoadBalancerPort": "80",
"Protocol": "HTTP"
}, {
"InstancePort": "8000",
"LoadBalancerPort": "443",
"Protocol": "HTTPS",
"SSLCertificateId": Ref("SSLCertificateId")
}],
SecurityGroups=Ref("ELBSecurityGroups"),
HealthCheck=HealthCheck(
HealthyThreshold="3",
Interval="30",
Target="HTTP:8000/status",
Timeout="5",
UnhealthyThreshold="5",
),
CrossZone=True,
Tags=[Tag("Name",
"euro2016-prediction-service-elb")]))
return prediction_service_elastic_load_balancer
def getTemplate(self):
#elbHealthCheckJson = simplejson.loads(simplejson.dumps(self.elbHealthCheckConfig))
self.template.add_resource(
LoadBalancer(
self.elbname,
ConnectionDrainingPolicy=self.getConnectionDrainingPolicy(),
Subnets=[self.subnet],
HealthCheck=elb.HealthCheck(
Target=self.elbHealthCheckConfig['Target'],
HealthyThreshold=self.
elbHealthCheckConfig['HealthyThreshold'],
UnhealthyThreshold=self.
elbHealthCheckConfig['UnhealthyThreshold'],
Interval=self.elbHealthCheckConfig['Interval'],
Timeout=self.elbHealthCheckConfig['Timeout'],
),
Listeners=[
self.getELBListener(),
],
Scheme="internal",
SecurityGroups=[self.externalSecurityGroup],
LoadBalancerName=Join("_", [self.friendlyName, self.branch]),
CrossZone=True,
))
return self.template
def create_load_balancer(self, elb_args):
'''
Method creates a elastic load balancer and adds it to the resources list
@param elb_args [dict] collection of keyword arguments for the elastic load balancer
'''
health_check_args = elb_args['health_check']
health_check = elb.HealthCheck(
Target=health_check_args['target'],
HealthyThreshold=health_check_args['healthy_threshold'],
UnhealthyThreshold=health_check_args['unhealthy_threshold'],
Interval=health_check_args['interval'],
Timeout=health_check_args['timeout'],
)
listener_args = elb_args['listener']
listener = elb.Listener(
LoadBalancerPort=listener_args['load_balancer_port'],
InstancePort=listener_args['instance_port'],
Protocol=listener_args['protocol'],
InstanceProtocol=listener_args['instance_protocol'],
)
self.load_balancer = LoadBalancer(
"LoadBalancer",
ConnectionDrainingPolicy=elb.ConnectionDrainingPolicy(
Enabled=True,
Timeout=120,
),
Subnets=self.subnets,
HealthCheck=health_check,
Listeners=[
listener,
],
CrossZone=True,
SecurityGroups=[Ref(self.load_balancer_security_group)],
LoadBalancerName="Cloudformation-Loadbalancer",
Scheme="internet-facing",
)
self.add_resource(self.load_balancer)
if elb_args.has_key('output_dns'):
self.add_output(
Output("ELBDNS",
Description="DNS Name of ELB",
Value=Join(
"",
["http://",
GetAtt(self.load_balancer, "DNSName")])))
def add_elb(self):
t = self.template
self.elbSg = t.add_resource(
SecurityGroup(
'ElbSecurityGroup',
VpcId=Ref(self.vpcIdParam),
GroupDescription='Security group for ELB.',
SecurityGroupIngress=[
SecurityGroupRule(ToPort='80',
FromPort='80',
IpProtocol='tcp',
CidrIp="0.0.0.0/0")
#TODO HTTPS
],
Tags=self.defaultTags +
[Tag('Name', Join("", [self.namePrefix, 'ElbSecurityGroup']))
]))
self.elbListener = Listener('ElbListener',
LoadBalancerPort="80",
InstancePort="80",
Protocol="HTTP",
InstanceProtocol="HTTP")
self.elbHealthCheck = HealthCheck(Target="TCP:80",
Timeout="2",
Interval="5",
HealthyThreshold="2",
UnhealthyThreshold="2")
publicSubnetIds = [
self.sceptreUserData['subnets']['publicInfraAZ1Id'],
self.sceptreUserData['subnets']['publicInfraAZ2Id'],
self.sceptreUserData['subnets']['publicInfraAZ3Id']
]
self.elb = t.add_resource(
LoadBalancer('Elb',
Listeners=[self.elbListener],
Scheme='internet-facing',
HealthCheck=self.elbHealthCheck,
CrossZone=True,
Subnets=publicSubnetIds,
SecurityGroups=[Ref(self.elbSg)],
Tags=self.defaultTags +
[Tag('Name', Join("", [self.namePrefix, 'Elb']))]))
return 0
LoadBalancer = t.add_resource(
LoadBalancer(
"LoadBalancer",
ConnectionDrainingPolicy=elb.ConnectionDrainingPolicy(
Enabled=True,
Timeout=120,
),
Subnets=["subnet-094ce924", "subnet-c6bb2f8f"],
HealthCheck=elb.HealthCheck(
Target="HTTP:80/",
HealthyThreshold="5",
UnhealthyThreshold="2",
Interval="20",
Timeout="15",
),
Listeners=[
elb.Listener(
LoadBalancerPort="80",
InstancePort="80",
Protocol="HTTP",
InstanceProtocol="HTTP",
),
],
CrossZone=True,
SecurityGroups=["sg-4cde2431"],
LoadBalancerName="api-lb",
Scheme="internet-facing",
))
AutoscalingGroup = t.add_resource(
t.add_description("ELB with Proxy Protocol enabled for ports 80 and 443")
elb = t.add_resource(LoadBalancer(
"ElasticLoadBalancer",
Listeners=[
Listener(
LoadBalancerPort="80",
InstancePort="80",
Protocol="TCP"
),
Listener(
LoadBalancerPort="443",
InstancePort="443",
Protocol="TCP"
),
],
Policies=[
{
"PolicyName": "EnableProxyProtocol",
"PolicyType": "ProxyProtocolPolicyType",
"Attributes": [{
"Name": "ProxyProtocol",
"Value": "true"
}],
"InstancePorts": ["80", "443"]
}
]
))
print(t.to_json())
rule.CidrIp = ip
rule.FromPort = 22
rule.ToPort = 22
rule.GroupId = Ref(home_ssh)
rule.IpProtocol = 'tcp'
home_ssh_rules.append(rule)
t.add_resource(rule)
# load balancer
elb_listener_80 = Listener(config['name'] + 'Ssl')
elb_listener_80.InstancePort = 80
elb_listener_80.LoadBalancerPort = 80
elb_listener_80.Protocol = 'HTTP'
elb_listener_80.InstanceProtocol = 'HTTP'
load_balancer = LoadBalancer(config['name'] + "Elb")
load_balancer.CrossZone = True
load_balancer.Listeners = [elb_listener_80]
load_balancer.Subnets = [Ref(subnet.title) for subnet in app_subnets]
load_balancer.SecurityGroups = [Ref(elb_sg)]
t.add_resource(load_balancer)
# launch configuration for consul server
consul_block_device = EBSBlockDevice(config['name'] + 'Ebs')
consul_block_device.DeleteOnTermination = config['consul_launch_config']['block_device']['delete_on_termination']
consul_block_device_mapping = BlockDeviceMapping(config['name'] + 'ConsulBlockDeviceMapping')
consul_block_device_mapping.DeviceName = '/dev/sda1'
consul_block_device_mapping.Ebs = consul_block_device
consul_launch_config = LaunchConfiguration(config['name'] + 'ConsulLaunchConfig')
LoadBalancer = t.add_resource(
LoadBalancer(
"LoadBalancer",
ConnectionDrainingPolicy=elb.ConnectionDrainingPolicy(
Enabled=True,
Timeout=120,
),
Subnets=[Ref(PublicSubnet1), Ref(PublicSubnet2)],
HealthCheck=elb.HealthCheck(
Target="HTTP:80/",
HealthyThreshold="5",
UnhealthyThreshold="2",
Interval="20",
Timeout="15",
),
Listeners=[
elb.Listener(
LoadBalancerPort="443",
InstancePort="80",
Protocol="HTTPS",
InstanceProtocol="HTTP",
SSLCertificateId=Ref(SSLCertificateId),
),
],
CrossZone=True,
SecurityGroups=[Ref(LoadBalancerSecurityGroup)],
LoadBalancerName="api-lb",
Scheme="internet-facing",
))
AutoscalingGroup = t.add_resource(
Condition="Is-EC2-VPC",
))
# @alias component @app:@elb to ElasticLoadBalancer
ElasticLoadBalancer = t.add_resource(
LoadBalancer(
"ElasticLoadBalancer",
HealthCheck=HealthCheck(
HealthyThreshold="2",
Interval="10",
Target="HTTP:80/",
Timeout="5",
UnhealthyThreshold="5",
),
LBCookieStickinessPolicy=[{
"PolicyName": "CookieBasedPolicy",
"CookieExpirationPeriod": "30"
}],
CrossZone="true",
Listeners=[{
"InstancePort": "80",
"PolicyNames": ["CookieBasedPolicy"],
"LoadBalancerPort": "80",
"Protocol": "HTTP"
}],
AvailabilityZones=GetAZs(""),
))
# @alias component @app:@db to MySQLDatabase
MySQLDatabase = t.add_resource(
DBInstance(
"MySQLDatabase",
def create_load_balancer(template,
name,
vpc_id,
subnets=None,
region='us-east-1',
availability_zones=None,
elb_port=80,
security_groups=None,
http_health_check_url=None,
instance_port=8080,
ssl_cert=None):
health_target = "HTTP:{}/{}".format(instance_port,
http_health_check_url) if http_health_check_url else "TCP:{}".format(
instance_port)
health_check = elb.HealthCheck(
Target=health_target,
HealthyThreshold="2",
UnhealthyThreshold="10",
Interval="30",
Timeout="15"
)
if not security_groups:
security_groups = [
template.add_resource(ec2.SecurityGroup(
"ELBSecurityGroup" + name,
GroupDescription="ELB SG",
SecurityGroupIngress=[
ec2.SecurityGroupRule(
IpProtocol="tcp",
FromPort=elb_port,
ToPort=elb_port,
CidrIp="0.0.0.0/0"
),
],
VpcId=vpc_id
))
]
security_group_refs = [Ref(sg) for sg in security_groups]
if not subnets:
subnets = _get_vpc_subnets(vpc_id, region)
if not availability_zones:
availability_zones = _all_az(region)
listeners = [
elb.Listener(
LoadBalancerPort=elb_port,
InstancePort=instance_port,
Protocol="HTTP",
InstanceProtocol="HTTP"
)]
if ssl_cert:
listeners.append(elb.Listener(
LoadBalancerPort="443",
InstancePort=instance_port,
Protocol="HTTPS",
InstanceProtocol="HTTP",
SSLCertificateId=ssl_cert
))
elb_name = "LoadBalancer" + name
lb = template.add_resource(LoadBalancer(
elb_name,
ConnectionDrainingPolicy=elb.ConnectionDrainingPolicy(
Enabled=True,
Timeout=120,
),
HealthCheck=health_check,
Listeners=listeners,
CrossZone=True,
SecurityGroups=security_group_refs,
LoadBalancerName=name,
Scheme="internet-facing",
Subnets=subnets
))
template.add_output(Output(
"HostUrl" + name,
Description="Microservice endpoint",
Value=Join("", ["http://", GetAtt(lb, "DNSName")])
))
return {
'elb': {'name': elb_name, 'elb': lb},
'security_groups': security_groups
}
)
],
)
)
ELB = template.add_resource(
LoadBalancer(
"ELB",
AvailabilityZones=GetAZs(""),
Listeners=[
{
"LoadBalancerPort": "80",
"InstancePort": "80",
"Protocol": "HTTP",
"InstanceProtocol": "HTTP",
}
],
HealthCheck=HealthCheck(
Target="HTTP:80/",
HealthyThreshold="2",
UnhealthyThreshold="10",
Interval="30",
Timeout="5",
),
)
)
ELBAttachment = template.add_resource(
ElasticLoadBalancerAttachment(
"ELBAttachment",
ElasticLoadBalancerName=Ref(ELB),
def add_kippo_sensors(self):
# Create the ELB
self.template.add_resource(
LoadBalancer(
'Elb',
Listeners=[
Listener(
InstancePort=80,
LoadBalancerPort=80,
Protocol='http',
),
Listener(
InstancePort=443,
LoadBalancerPort=443,
Protocol='tcp', # Plain TCP forwarding for HTTPS/SSL
),
],
CrossZone=True,
Subnets=Ref('ElbSubnetIdList'),
SecurityGroups=[Ref('ElbSecurityGroup')],
Scheme='internet-facing',
HealthCheck=HealthCheck(
Target='HTTP:80/kippo-graph/',
HealthyThreshold=2,
UnhealthyThreshold=5,
Interval=120,
Timeout=60,
),
))
self.template.add_output(
Output(
'ElbEndpoint',
Description='ELB endpoint address',
Value=GetAtt('Elb', 'DNSName'),
))
self.template.add_resource(
LaunchConfiguration(
'LaunchConfiguration',
KeyName=Ref('KeyName'),
ImageId=FindInMap('Ec2AmiMap', Ref('AWS::Region'), 'AmiId'),
InstanceType=Ref('Ec2InstanceType'),
SecurityGroups=[Ref('Ec2SecurityGroup')],
AssociatePublicIpAddress=True,
UserData=Base64(
Join('\n', [
'#cloud-config',
'repo_upgrade: security',
'runcmd:',
' - "/usr/bin/wget -O /tmp/configure_kippo_sensor.sh https://raw.githubusercontent.com/cdodd/aws-kippo-cluster/master/bootstrap/configure_kippo_sensor.sh"',
Join(
'',
[
' - "bash /tmp/configure_kippo_sensor.sh',
' ',
GetAtt('RdsInstance', 'Endpoint.Address'),
' ',
Ref('RdsRootPassword'),
' ',
Ref('RealSshPort'),
'"',
],
),
])),
))
self.template.add_resource(
AutoScalingGroup(
'Asg',
DesiredCapacity=Ref('KippoSensorCount'),
HealthCheckGracePeriod=1800,
HealthCheckType='ELB',
LaunchConfigurationName=Ref('LaunchConfiguration'),
LoadBalancerNames=[Ref('Elb')],
MaxSize=Ref('KippoSensorCount'),
MinSize=Ref('KippoSensorCount'),
Tags=[Tag(key='Name', value='kippo-sensor', propogate='true')],
VPCZoneIdentifier=Ref('Ec2SubnetIdList'),
))
def elb(self, template):
"""
Create an ELB resource configuration from the config file data
and add them to the troposphere template. Outputs for each ELB's
DNSName are created.
Args:
template:
The cloudformation template file
"""
# REQUIRED FIELDS AND MAPPING
# Note, 'name' field is used internally to help label
# logical ids, and as part of the DNS record name.
required_fields = {"listeners": "Listeners", "scheme": "Scheme", "name": None, "hosted_zone": "HostedZoneName"}
elb_list = []
elb_sgs = []
# COULD HAVE MULTIPLE ELB'S (PUBLIC / PRIVATE etc)
for elb in self.data["elb"]:
safe_name = elb["name"].replace("-", "").replace(".", "").replace("_", "")
# TEST FOR REQUIRED FIELDS AND EXIT IF MISSING ANY
for i in required_fields.keys():
if i not in elb.keys():
print "\n\n[ERROR] Missing ELB fields [%s]" % i
sys.exit(1)
load_balancer = LoadBalancer(
"ELB" + safe_name,
Subnets=[Ref("SubnetA"), Ref("SubnetB"), Ref("SubnetC")],
Listeners=elb["listeners"],
Scheme=elb["scheme"],
ConnectionDrainingPolicy=ConnectionDrainingPolicy(Enabled=True, Timeout=120),
Policies=[
Policy(
Attributes=[{"Name": "Reference-Security-Policy", "Value": "ELBSecurityPolicy-2015-05"}],
PolicyType="SSLNegotiationPolicyType",
PolicyName="PinDownSSLNegotiationPolicy201505",
)
],
)
if "health_check" in elb:
load_balancer.HealthCheck = HealthCheck(**elb["health_check"])
for listener in load_balancer.Listeners:
if listener["Protocol"] == "HTTPS":
try:
cert_name = elb["certificate_name"]
except KeyError:
raise errors.CfnConfigError("HTTPS listener but no certificate_name specified")
try:
self.ssl()[cert_name]["cert"]
self.ssl()[cert_name]["key"]
except KeyError:
raise errors.CfnConfigError("Couldn't find ssl cert {0} in config file".format(cert_name))
listener["SSLCertificateId"] = Join(
"",
[
"arn:aws:iam::",
Ref("AWS::AccountId"),
":server-certificate/",
"{0}-{1}".format(cert_name, self.stack_name),
],
)
# if not present, add the default cipher policy
if "PolicyNames" not in listener:
logging.debug(
"ELB Listener for port 443 has no SSL Policy. " + "Using default ELBSecurityPolicy-2015-05"
)
listener["PolicyNames"] = ["PinDownSSLNegotiationPolicy201505"]
elb_list.append(load_balancer)
dns_record = RecordSetGroup(
"DNS" + safe_name,
HostedZoneName=elb["hosted_zone"],
Comment="Zone apex alias targeted to ElasticLoadBalancer.",
RecordSets=[
RecordSet(
"TitleIsIgnoredForThisResource",
Name="%s.%s" % (elb["name"], elb["hosted_zone"]),
Type="A",
AliasTarget=AliasTarget(
GetAtt(load_balancer, "CanonicalHostedZoneNameID"), GetAtt(load_balancer, "DNSName")
),
)
],
)
elb_list.append(dns_record)
elb_role_policies = PolicyType(
"Policy" + safe_name,
PolicyName=safe_name + "BaseHost",
PolicyDocument={
"Statement": [
{
"Action": [
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
],
"Resource": [
Join(
"",
[
"arn:aws:elasticloadbalancing:",
Ref("AWS::Region"),
":",
Ref("AWS::AccountId"),
":loadbalancer/",
Ref(load_balancer),
],
)
],
"Effect": "Allow",
}
]
},
Roles=[Ref("BaseHostRole")],
)
elb_list.append(elb_role_policies)
if "security_groups" in elb:
load_balancer.SecurityGroups = []
for sg_name, sg_rules in elb["security_groups"].items():
sg = SecurityGroup(
sg_name, GroupDescription=sg_name, SecurityGroupIngress=sg_rules, VpcId=Ref("VPC")
)
load_balancer.SecurityGroups.append(Ref(sg))
elb_sgs.append(sg)
else:
sg = SecurityGroup(
"DefaultSG" + safe_name,
GroupDescription="DefaultELBSecurityGroup",
SecurityGroupIngress=[
{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0"},
],
VpcId=Ref("VPC"),
)
load_balancer.SecurityGroups = [Ref(sg)]
elb_sgs.append(sg)
# Add outputs
output_name = "ELB" + safe_name
logging.debug("config:elb:Adding output to ELB '%s'" % (output_name))
template.add_output(Output(output_name, Description="ELB DNSName", Value=GetAtt(load_balancer, "DNSName")))
# Update template with ELB resources
map(template.add_resource, elb_list)
map(template.add_resource, elb_sgs)
template = self._attach_elbs(template)
CraftElb = t.add_resource(
LoadBalancer(
"CraftElb",
ConnectionDrainingPolicy=ConnectionDrainingPolicy(
Enabled=True,
Timeout="120",
),
Subnets=[
Ref(CraftElbSubnetAz1),
Ref(CraftElbSubnetAz2),
Ref(CraftElbSubnetAz3)
],
HealthCheck=HealthCheck(
HealthyThreshold="2",
Interval="10",
Target="TCP:80",
Timeout="5",
UnhealthyThreshold="5",
),
Listeners=[{
"InstancePort": "80",
"LoadBalancerPort": "80",
"Protocol": "HTTP",
"InstanceProtocol": "HTTP"
}],
CrossZone="true",
SecurityGroups=[Ref(ElbSecurityGroups)],
LoadBalancerName=Ref(ElbName),
Scheme="internet-facing",
))
)
load_balancer = template.add_resource(LoadBalancer(
'WebAuthorLoadBalancer',
ConnectionDrainingPolicy=elb.ConnectionDrainingPolicy(
Enabled=True,
Timeout=120
),
CrossZone=True,
HealthCheck=elb.HealthCheck(
HealthyThreshold='5',
Interval='20',
Target='HTTPS:443/',
Timeout='15',
UnhealthyThreshold='2',
),
Listeners=[
elb.Listener(
LoadBalancerPort='443',
InstancePort='443',
InstanceProtocol='HTTPS',
Protocol='HTTPS',
SSLCertificateId=FindInMap('EnvironmentAttributeMap', Ref(param_environment), 'SSLCertificateId')
)
],
SecurityGroups=[Ref('WebAuthorLoadBalancerSecurityGroup')],
Scheme='internal',
Subnets=FindInMap('EnvironmentAttributeMap', Ref(param_environment), 'PublicSubnetArray')
)
)
def define_networking(t):
t.add_resource(
VPC("VPC",
CidrBlock=Ref(t.parameters["vpcCidrBlock"]),
InstanceTenancy="default",
EnableDnsSupport=True,
EnableDnsHostnames=False,
Tags=troposphere.cloudformation.Tags(Name=Join(
" ", ["BIG-IQ VPC:", Ref("AWS::StackName")]))))
t.add_resource(
Subnet("Subnet1",
CidrBlock=Ref(t.parameters["subnet1CidrBlock"]),
VpcId=Ref(t.resources["VPC"]),
AvailabilityZone=Ref(t.parameters["subnet1Az"]),
Tags=Tags(
Name=Join(" ", ["BIG-IQ Subnet 1:",
Ref("AWS::StackName")]))))
t.add_resource(
Subnet("Subnet2",
CidrBlock=Ref(t.parameters["subnet2CidrBlock"]),
VpcId=Ref(t.resources["VPC"]),
AvailabilityZone=Ref(t.parameters["subnet2Az"]),
Tags=Tags(
Name=Join(" ", ["Big-IQ Subnet 2:",
Ref("AWS::StackName")]))))
t.add_resource(
RouteTable("RouteTable1",
VpcId=Ref(t.resources["VPC"]),
Tags=Tags(Name=Join(
" ", ["BIG-IQ Route Table 1:",
Ref("AWS::StackName")]))))
t.add_resource(
RouteTable("RouteTable2",
VpcId=Ref(t.resources["VPC"]),
Tags=Tags(Name=Join(
" ", ["BIG-IQ Route Table 2:",
Ref("AWS::StackName")]))))
t.add_resource(
SubnetRouteTableAssociation("Subnet1RouteTableAssociation",
SubnetId=Ref(t.resources["Subnet1"]),
RouteTableId=Ref(
t.resources["RouteTable1"])))
t.add_resource(
SubnetRouteTableAssociation("Subnet2RouteTableAssociation",
SubnetId=Ref(t.resources["Subnet2"]),
RouteTableId=Ref(
t.resources["RouteTable2"])))
t.add_resource(
InternetGateway(
"IGW",
Tags=Tags(Name=Join(
" ", ["BIG-IQ Internet Gateway:",
Ref("AWS::StackName")]))))
t.add_resource(
VPCGatewayAttachment("IGWAttachment",
VpcId=Ref(t.resources["VPC"]),
InternetGatewayId=Ref(t.resources["IGW"])))
t.add_resource(
Route("Route1Default",
DestinationCidrBlock="0.0.0.0/0",
RouteTableId=Ref(t.resources["RouteTable1"]),
GatewayId=Ref(t.resources["IGW"])))
t.add_resource(
Route("Route2Default",
DestinationCidrBlock="0.0.0.0/0",
RouteTableId=Ref(t.resources["RouteTable2"]),
GatewayId=Ref(t.resources["IGW"])))
t.add_resource(NetworkAcl("VPCAcl", VpcId=Ref(t.resources["VPC"])))
t.add_resource(
SecurityGroup(
"SecurityGroup",
GroupName=Join(" ",
["BIG-IQ SG:", Ref("AWS::StackName")]),
GroupDescription="vpc-sg",
VpcId=Ref(t.resources["VPC"]),
SecurityGroupIngress=[
SecurityGroupRule(IpProtocol="tcp",
FromPort="443",
ToPort="443",
CidrIp="0.0.0.0/0"),
SecurityGroupRule(IpProtocol="tcp",
FromPort="80",
ToPort="80",
CidrIp="0.0.0.0/0"),
SecurityGroupRule(IpProtocol="tcp",
FromPort="22",
ToPort="22",
CidrIp="0.0.0.0/0"),
SecurityGroupRule(
IpProtocol=
"tcp", # TODO Determine actual ports which should be open
FromPort="1",
ToPort="65356",
CidrIp=Ref(t.parameters["vpcCidrBlock"]))
]))
t.add_resource(
SecurityGroup("ElbSecurityGroup",
GroupName=Join(
" ", ["ELB-SG-", Ref("AWS::StackName")]),
GroupDescription="vpc-sg",
VpcId=Ref(t.resources["VPC"]),
SecurityGroupIngress=[]))
t.add_resource(
LoadBalancer(
"ClassicELB",
SecurityGroups=[Ref(t.resources["ElbSecurityGroup"])],
HealthCheck=HealthCheck(HealthyThreshold="10",
Interval="30",
Target="TCP:22",
Timeout="5",
UnhealthyThreshold="2"),
Listeners=[
Listener(LoadBalancerPort="80",
InstancePort="80",
Protocol="TCP",
InstanceProtocol="TCP")
],
LoadBalancerName=Join("", ["ELB-", Ref("AWS::StackName")]),
Scheme="internet-facing",
Subnets=[Ref(t.resources["Subnet1"]),
Ref(t.resources["Subnet2"])]))
elb_identifier = ""
if rolemap[role]["elb"]["subnet"] in public_prefixes:
elb_identifier = "pubsub" + rolemap[role]["elb"]["subnet"].upper()
elb = t.add_resource(
LoadBalancer(
"elb" + role.upper(),
Subnets=Split(",", Ref(elb_identifier)),
Listeners=[
Listener(
LoadBalancerPort=80,
InstancePort=80,
Protocol='HTTP',
),
],
SecurityGroups=[Ref("defaultSG"),
Ref(elbSecurityGroup)],
HealthCheck=HealthCheck(
Target=rolemap[role]["elb"]["healthcheck"],
HealthyThreshold="2",
UnhealthyThreshold="2",
Interval="10",
Timeout="5"),
ConnectionDrainingPolicy=ConnectionDrainingPolicy(Enabled=True,
Timeout=300),
CrossZone=True,
Tags=Tags(Environment=Ref("environment"), Service=role)))
loadbalancer = [Ref(elb)]
identifier = ""
if rolemap[role]["instance"]["subnet"] in public_prefixes:
def elb_asg_lc_template(app, env, nameSGRDS, rdsPort, instanceType, ami,
subnets, elbPort, elbCidrBlock, ec2Port,
desiredCapacity, minSize, maxSize, region, nameBucket,
officeIP):
template = Template()
sgELB = template.add_resource(
SecurityGroup(
"SecurityGroupELB" + app + env,
GroupDescription="Security group for " + app + "-" + env,
VpcId=ImportValue("VPC" + env),
SecurityGroupIngress=[
SecurityGroupRule(
IpProtocol="tcp",
FromPort=elbPort,
ToPort=elbPort,
CidrIp=elbCidrBlock,
)
],
SecurityGroupEgress=[
SecurityGroupRule(IpProtocol="-1",
ToPort=0,
FromPort=65535,
CidrIp="0.0.0.0/0")
],
Tags=Tags(
env=env,
Name="sg-ELB" + app + "-" + env,
app=app,
),
))
sgEC2 = template.add_resource(
SecurityGroup(
"SecurityGroupEC2" + app + env,
GroupDescription="Security group for EC2 " + app + "-" + env,
VpcId=ImportValue("VPC" + env),
DependsOn="SecurityGroupELB" + app + env,
SecurityGroupIngress=[
SecurityGroupRule(
IpProtocol="tcp",
FromPort=ec2Port,
ToPort=ec2Port,
SourceSecurityGroupId=Ref(sgELB),
),
SecurityGroupRule(
IpProtocol="tcp",
FromPort=22,
ToPort=22,
CidrIp=officeIP,
),
],
SecurityGroupEgress=[
SecurityGroupRule(IpProtocol="-1",
ToPort=0,
FromPort=65535,
CidrIp="0.0.0.0/0")
],
Tags=Tags(
env=env,
Name="sg-EC2-" + app + "-" + env,
app=app,
),
))
addIngressRDS = template.add_resource(
SecurityGroupIngress(
"ingressSGRDS" + app + env,
SourceSecurityGroupId=Ref(sgEC2),
Description="From EC2 instances",
GroupId=ImportValue("SG-" + nameSGRDS + "-" + app + "-" + env),
IpProtocol="tcp",
FromPort=rdsPort,
ToPort=rdsPort,
DependsOn="SecurityGroupEC2" + app + env,
))
launchConfig = template.add_resource(
LaunchConfiguration("LaunchConfiguration" + app + env,
InstanceType=instanceType,
ImageId=ami,
SecurityGroups=[Ref(sgEC2)],
IamInstanceProfile=ImportValue("Role-" + app +
"-" + env)))
bucketPolicy = template.add_resource(
BucketPolicy("BucketPolicy" + nameBucket + app + env,
Bucket=ImportValue("Bucket" + nameBucket + app + env),
PolicyDocument={
"Version":
"2012-10-17",
"Statement": [{
"Action": ["s3:PutObject"],
"Effect":
"Allow",
"Resource":
Join("", [
"arn:aws:s3:::",
ImportValue("Bucket" + nameBucket + app +
env), "/AWSLogs/",
Ref("AWS::AccountId"), "/*"
]),
"Principal": {
"AWS": ["156460612806"]
}
}]
}))
lb = template.add_resource(
LoadBalancer("LoadBalancer" + app + env,
ConnectionDrainingPolicy=elb.ConnectionDrainingPolicy(
Enabled=True,
Timeout=120,
),
Subnets=subnets,
HealthCheck=elb.HealthCheck(
"HealthCheck",
Target="TCP:" + str(ec2Port),
HealthyThreshold="5",
UnhealthyThreshold="5",
Interval="30",
Timeout="15",
),
Listeners=[
elb.Listener(
LoadBalancerPort=elbPort,
InstancePort=ec2Port,
Protocol="HTTP",
InstanceProtocol="HTTP",
),
],
CrossZone=True,
SecurityGroups=[Ref(sgELB)],
LoadBalancerName="lb-" + app + "-" + env,
Scheme="internet-facing",
AccessLoggingPolicy=AccessLoggingPolicy(
"LoggingELB" + app + env,
EmitInterval=5,
Enabled=True,
S3BucketName=ImportValue("Bucket" + nameBucket + app +
env),
)))
asg = template.add_resource(
AutoScalingGroup(
"AutoscalingGroup" + app + env,
DesiredCapacity=desiredCapacity,
Tags=[Tag("Environment", env, True)],
LaunchConfigurationName=Ref(launchConfig),
MinSize=minSize,
MaxSize=maxSize,
LoadBalancerNames=[Ref(lb)],
AvailabilityZones=GetAZs(region),
VPCZoneIdentifier=subnets,
HealthCheckType="ELB",
HealthCheckGracePeriod=300,
UpdatePolicy=UpdatePolicy(
AutoScalingReplacingUpdate=AutoScalingReplacingUpdate(
WillReplace=True, ),
AutoScalingRollingUpdate=AutoScalingRollingUpdate(
PauseTime='PT5M',
MinInstancesInService="1",
MaxBatchSize='1',
WaitOnResourceSignals=True,
))))
return (template.to_json())
SecurityGroupIngress=[
{ "ToPort": "443", "IpProtocol": "tcp", "CidrIp": "0.0.0.0/0", "FromPort": "443" },
{ "ToPort": "80", "IpProtocol": "tcp", "CidrIp": "0.0.0.0/0", "FromPort": "80" }
],
VpcId=Ref(AlchemyVPC),
GroupDescription="Enable all communication on private subnet",
SecurityGroupEgress=[{ "ToPort": "8080", "IpProtocol": "tcp", "CidrIp": "0.0.0.0/0", "FromPort": "8080" }],
))
ElasticLoadBalancer = t.add_resource(LoadBalancer(
"ElasticLoadBalancer",
Subnets= [Ref(publicASubnet), Ref(publicBSubnet)],
Listeners=[{
"InstancePort": "8080",
"Protocol": "HTTP",
"InstanceProtocol": "HTTP",
"LoadBalancerPort": "80"
}],
CrossZone="true",
SecurityGroups=[Ref(LoadBalancerSecurityGroup)],
Tags=Tags(Name=Join("",[Ref(ClusterName), " ELB"]))
))
### END OF LOAD BALANCER SETUP ###
### AUTO SCALING GROUP SETUP ###
CoreOSSecurityGroup = t.add_resource(SecurityGroup(
"CoreOSSecurityGroup",
SecurityGroupIngress=[{ "ToPort": "65535", "IpProtocol": "-1", "CidrIp": "10.0.0.0/16", "FromPort": "0" }],
VpcId=Ref(AlchemyVPC),