def create_firewall_rules(vpc): # Create lambda, rds, redis security groups to allow traffic between them lambda_sg = ec2.SecurityGroup("lambdaSG", description="Lambda security group", egress=[{ "from_port": 0, "to_port": 0, "cidr_blocks": ["0.0.0.0/0"], "protocol": -1 }], vpc_id=vpc.id) # Create SG for redis, rds rds_sg = ec2.SecurityGroup( "AllowLambdaToRdsIngress", description="Rds Security Group", vpc_id=vpc.id, ingress=[{ "from_port": 3306, "to_port": 3306, "protocol": "tcp", "security_groups": [lambda_sg.id], }], egress=[{ "from_port": 0, "to_port": 0, "protocol": -1, "cidr_blocks": ["0.0.0.0/0"], }], ) redis_sg = ec2.SecurityGroup( "AllowLambdaToRedisIngress", description="Redis security group", vpc_id=vpc.id, ingress=[{ "from_port": 6379, "to_port": 6379, "protocol": "tcp", "security_groups": [lambda_sg.id], }], egress=[{ "from_port": 0, "to_port": 0, "cidr_blocks": ["0.0.0.0/0"], "protocol": -1 }], ) return {"lambda_sg": lambda_sg, "redis_sg": redis_sg, "rds_sg": rds_sg}
def create_security_group(self): master_egress_rules = [{ "cidr_blocks": ["0.0.0.0/0"], "from_port": 0, "protocol": "-1", "to_port": 0 }] # PULUMI DEVS configure your own subnet ID's. self.master_security_group = ec2.SecurityGroup( self.cluster_name + "-master-securitygroup", egress=master_egress_rules, vpc_id="vpc-229b4f47", opts=pulumi.ResourceOptions(parent=self))
def _create_sgs(self, bastion_id=None): #TODO: if infra left up for a while, security groups cant be deleted. are they modified when running? Need a tag? # Create the security groups first master_sg = ec2.SecurityGroup("master-sg", vpc_id=self.vpc_id, description="security group for communication with the eks master plance", __opts__=ResourceOptions(parent=self)) worker_sg = ec2.SecurityGroup("worker-sg", vpc_id=self.vpc_id, description="security group for communication with the worker nodes", __opts__=ResourceOptions(parent=self)) # Create the egress/ingress rules for the master master_sg_egress = ec2.SecurityGroupRule("master-sg-egress", type="egress", cidr_blocks=["0.0.0.0/0"], from_port=0, to_port=0, protocol=-1, security_group_id=master_sg.id, description="master sg egress", __opts__=ResourceOptions(parent=self)) current_ip = Util.get_workstation_ip() master_sg_ingress_workstation = ec2.SecurityGroupRule("master-sg-ingress-from-workstation", type="ingress", from_port=443, to_port=443, protocol=-1, security_group_id=master_sg.id, cidr_blocks=["%s/32" % current_ip], description="ingress to masters from workstation", __opts__=ResourceOptions(parent=self)) master_sg_ingress_nodes = ec2.SecurityGroupRule("master-sg-ingress-from-workers", type="ingress", from_port=0, to_port=0, protocol=-1, security_group_id=master_sg.id, source_security_group_id=worker_sg.id, description="master ingress from workers", __opts__=ResourceOptions(parent=self)) # Create the egress/ingress rules for the workers worker_sg_egress = ec2.SecurityGroupRule("worker-sg-egress", type="egress", cidr_blocks=["0.0.0.0/0"], from_port=0, to_port=0, protocol=-1, security_group_id=worker_sg.id, description="worker sg egress", __opts__=ResourceOptions(parent=self)) worker_sg_ingress_itself = ec2.SecurityGroupRule("worker-sg-ingress-itself", type="ingress", from_port=0, to_port=0, protocol=-1, security_group_id=worker_sg.id, self=True, description="worker ingress from itself", __opts__=ResourceOptions(parent=self)) worker_sg_ingress_master = ec2.SecurityGroupRule("worker-sg-ingress-master", type="ingress", from_port=0, to_port=0, protocol=-1, security_group_id=worker_sg.id, source_security_group_id=master_sg.id, description="worker ingress from master", __opts__=ResourceOptions(parent=self)) worker_sg_ingress_bastion = ec2.SecurityGroupRule("worker-sg-ingress-bastion", type="ingress", from_port=0, to_port=0, protocol=-1, security_group_id=worker_sg.id, source_security_group_id=bastion_id, description="worker ingress from bastion host", __opts__=ResourceOptions(parent=self)) self.master_sg = master_sg.id self.worker_sg = worker_sg.id
f'vpc-route-table-assoc-{zone}', route_table_id=eks_route_table.id, subnet_id=vpc_subnet.id, ) subnet_ids.append(vpc_subnet.id) ## Security Group eks_security_group = ec2.SecurityGroup( 'eks-cluster-sg', vpc_id=vpc.id, description='Allow all HTTP(s) traffic to EKS Cluster', tags={'Name': 'pulumi-cluster-sg'}, ingress=[{ 'cidr_blocks': ['0.0.0.0/0'], 'from_port': '443', 'to_port': '443', 'protocol': 'tcp', 'description': 'Allow pods to communicate with the cluster API Server.' }, { 'cidr_blocks': ['0.0.0.0/0'], 'from_port': '80', 'to_port': '80', 'protocol': 'tcp', 'description': 'Allow internet access to pods' }])
import pulumi from pulumi_aws import ec2, ebs COUNT = 4 AZONE = "us-west-2c" # difficulty trying to automate an AMI selection AMI = "ami-7172b611" sg_web = ec2.SecurityGroup("web-in", ingress=[{ 'protocol': 'tcp', 'from_port': 80, 'to_port': 80, 'cidr_blocks': ["0.0.0.0/0"] }]) instances_web = [] for i in range(COUNT): inst = ec2.Instance('Terraform Demo {}'.format(i), ami=AMI, availability_zone=AZONE, instance_type="t2.micro", vpc_security_group_ids=[sg_web.id]) instances_web.append(inst) volumes_web = [] for i in range(COUNT): vol = ebs.Volume( 'Terraform Demo {}'.format(i), # strange that you can set the azone for instances with pulumi config # but it doesn't take for volumes
instance = ec2.Instance( 'web-server-www;', instance_type="t2.micro", tags={"Owner": "Chris"}, # AMI for Amazon Linux 2 us-east-2 (Ohio) ami="ami-0f7919c33c90f5b58", user_data=user_data) group = ec2.SecurityGroup( 'web-secgrp', ingress=[ # SSH { "protocol": "tcp", "from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"] }, # HTTP { "protocol": "tcp", "from_port": 80, "to_port": 80, "cidr_blocks": ["0.0.0.0/0"] }, ]) group_attachment = ec2.NetworkInterfaceSecurityGroupAttachment( "web-secgrp-attchment", network_interface_id=instance.primary_network_interface_id, security_group_id=group.id)
route_table_id=eks_route_table.id, subnet_id=vpc_subnet.id, ) subnet_ids.append(vpc_subnet.id) ## Security Group eks_security_group = ec2.SecurityGroup( 'eks-cluster-sg', vpc_id=vpc.id, description='Allow all HTTP(s) traffic to EKS Cluster', tags={ 'Name': 'template-cluster-sg', }, ingress=[ ec2.SecurityGroupIngressArgs( cidr_blocks=['0.0.0.0/0'], from_port=443, to_port=443, protocol='tcp', description='Allow pods to communicate with the cluster API Server.' ), ec2.SecurityGroupIngressArgs( cidr_blocks=['0.0.0.0/0'], from_port=80, to_port=80, protocol='tcp', description='Allow internet access to pods'), ], )
# NOTE Pulumi-generated security groups have no outbound rules, a departure from usual where it's completely open. public_sg = ec2.SecurityGroup( resource_name='new-public-sg', description='HTTP and SSH ingress', vpc_id=vpc.id, ingress=[ { 'protocol': 'tcp', 'fromPort': 22, 'toPort': 22, 'cidrBlocks': ['0.0.0.0/0'] }, { 'protocol': 'tcp', 'fromPort': 80, 'toPort': 80, 'cidrBlocks': ['0.0.0.0/0'] }, ], egress=[{ 'protocol': '-1', 'fromPort': 0, 'toPort': 0, 'cidrBlocks': ['0.0.0.0/0'] }], tags={ 'Name': 'infra public security group (front-back-autoscaling)', 'Creator': 'timc' }) # TODO add ebs_block_devices
def _create_security_groups(self, vpcid): pub_name = "%s-public-sg" % self.name public_sg = ec2.SecurityGroup(pub_name, description=pub_name, vpc_id=vpcid, tags=self.sg_tags, __opts__=ResourceOptions(parent=self)) priv_name = "%s-private-sg" % self.name private_sg = ec2.SecurityGroup(priv_name, description=priv_name, vpc_id=vpcid, tags=self.sg_tags, __opts__=ResourceOptions(parent=self)) """ Set up public rules: 1. ingress from itself to itself 2. ingress from private to public 3. egress rule for all 4. ingress rule for current IP address on 22 """ pub_ingress_itself = ec2.SecurityGroupRule( "public-ingress-from-itself", type="ingress", from_port=0, to_port=0, protocol=-1, security_group_id=public_sg.id, self=True, description="public ingress to/from itself", __opts__=ResourceOptions(parent=self)) pub_ingress_private = ec2.SecurityGroupRule( "public-ingress-from-private", type="ingress", from_port=0, to_port=0, protocol=-1, security_group_id=public_sg.id, source_security_group_id=private_sg.id, description="public ingress from private", __opts__=ResourceOptions(parent=self)) pub_egress = ec2.SecurityGroupRule( "public-egress", type="egress", cidr_blocks=["0.0.0.0/0"], from_port=0, to_port=0, protocol=-1, security_group_id=public_sg.id, description="egress traffic from public sg", __opts__=ResourceOptions(parent=self)) current_ip = Util.get_workstation_ip() pub_ingress_current_ip = ec2.SecurityGroupRule( "public-ingress-from-current-ip", type="ingress", from_port=22, to_port=22, protocol="TCP", security_group_id=public_sg.id, cidr_blocks=[("%s/32" % current_ip)], description="ingress from current IP", __opts__=ResourceOptions(parent=self)) """ Set up private rules: 1. ingress from public to it 2. ingress from itself to itself 3. egress rule for all """ priv_ingress_itself = ec2.SecurityGroupRule( "private-ingress-from-itself", type="ingress", from_port=0, to_port=0, protocol=-1, security_group_id=private_sg.id, self=True, description="private ingress to itself", __opts__=ResourceOptions(parent=self)) priv_ingress_public = ec2.SecurityGroupRule( "private-ingress-from-public", type="ingress", from_port=0, to_port=0, protocol=-1, security_group_id=private_sg.id, source_security_group_id=public_sg.id, description="private ingress from public", __opts__=ResourceOptions(parent=self)) priv_egress = ec2.SecurityGroupRule( "private-egress", type="egress", cidr_blocks=["0.0.0.0/0"], from_port=0, to_port=0, protocol=-1, security_group_id=private_sg.id, description="egress traffic from private sg", __opts__=ResourceOptions(parent=self)) return {"public": public_sg.id, "private": private_sg.id}
db = dynamodb.Table("mytable", attributes=[{ "name": "Id", "type": "S" }], hash_key="Id", read_capacity=1, write_capacity=1) ## EC2 eip = ec2.Eip("myeip") security_group = ec2.SecurityGroup("mysecuritygroup", ingress=[{ "protocol": "tcp", "from_port": 80, "to_port": 80, "cidr_blocks": ["0.0.0.0/0"] }]) vpc = ec2.Vpc("myvpc", cidr_block="10.0.0.0/16") igw = ec2.InternetGateway("myinternetgateway", vpc_id=vpc.id) public_route_table = ec2.RouteTable("myroutetable", routes=[{ "cidr_block": "0.0.0.0/0", "gateway_id": igw.id }], vpc_id=vpc.id)
def AwsgiHandler(self, name, zone, domain, package, func, __opts__, **lambdaargs): """ Define a handler to accept requests, using awsgi """ func = package.function(f"{name}-function", func, **lambdaargs, **opts(parent=self)) invoke_policy = lambda_.Permission( f'{name}-function-permission', function=func, action='lambda:InvokeFunction', principal='elasticloadbalancing.amazonaws.com', **opts(parent=func)) netinfo = get_public_subnets(opts=__opts__) @netinfo.apply def vpc_id(info): vpc, subnets, is_v6 = info return vpc.id @netinfo.apply def netstack(info): vpc, subnets, is_v6 = info return 'dualstack' if is_v6 else 'ipv4' @netinfo.apply def subnet_ids(info): vpc, subnets, is_v6 = info return [sn.id for sn in subnets] cert = Certificate(f"{name}-cert", domain=domain, zone=zone, **opts(parent=self)) # TODO: Cache this sg = ec2.SecurityGroup(f"{name}-sg", vpc_id=vpc_id, ingress=[ { 'from_port': 80, 'to_port': 80, 'protocol': "tcp", 'cidr_blocks': ['0.0.0.0/0'], }, { 'from_port': 443, 'to_port': 443, 'protocol': "tcp", 'cidr_blocks': ['0.0.0.0/0'], }, { 'from_port': 80, 'to_port': 80, 'protocol': "tcp", 'ipv6_cidr_blocks': ['::/0'], }, { 'from_port': 443, 'to_port': 443, 'protocol': "tcp", 'ipv6_cidr_blocks': ['::/0'], }, ], egress=[ { 'from_port': 0, 'to_port': 0, 'protocol': "-1", 'cidr_blocks': ['0.0.0.0/0'], }, { 'from_port': 0, 'to_port': 0, 'protocol': "-1", 'ipv6_cidr_blocks': ['::/0'], }, ], **opts(parent=self)) alb = elb.LoadBalancer(f"{name}-alb", load_balancer_type='application', subnets=subnet_ids, ip_address_type=netstack, security_groups=[sg], enable_http2=True, **opts(parent=self)) target = elb.TargetGroup( f"{name}-target", target_type='lambda', lambda_multi_value_headers_enabled= False, # AWSGI does not support this yet health_check={ 'enabled': True, 'path': '/', 'matcher': '200-299', 'interval': 30, 'timeout': 5, }, **opts(parent=self)) elb.TargetGroupAttachment(f"{name}-target-func", target_group_arn=target.arn, target_id=func.arn, **opts(depends_on=[invoke_policy], parent=self)) elb.Listener(f"{name}-http", load_balancer_arn=alb.arn, port=80, protocol='HTTP', default_actions=[{ 'type': 'forward', 'target_group_arn': target.arn, }], **opts(parent=self)) elb.Listener(f"{name}-https", load_balancer_arn=alb.arn, port=443, protocol='HTTPS', ssl_policy='ELBSecurityPolicy-TLS-1-2-Ext-2018-06', certificate_arn=cert.cert_arn, default_actions=[{ 'type': 'forward', 'target_group_arn': target.arn, }], **opts(parent=self)) a_aaaa( f"{name}-record", name=domain, zone_id=zone.zone_id, aliases=[ { 'name': alb.dns_name, 'zone_id': alb.zone_id, 'evaluate_target_health': True, }, ], **opts(parent=self), )
import pulumi from pulumi_aws import ec2, get_ami, GetAmiFilterArgs group = ec2.SecurityGroup('web-secgrp', ingress=[ # Uncomment to fail a test: #{ "protocol": "tcp", "from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"] }, { "protocol": "tcp", "from_port": 80, "to_port": 80, "cidr_blocks": ["0.0.0.0/0"] }, ]) user_data = '#!/bin/bash echo "Hello, World!" > index.html nohup python -m SimpleHTTPServer 80 &' ami_id = get_ami( most_recent=True, owners=["099720109477"], filters=[ GetAmiFilterArgs( name="name", values=["ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-*"] )] ).id server = ec2.Instance('web-server-www', instance_type="t2.micro", vpc_security_group_ids=[ group.id ], # reference the group object above # Comment out to fail a test: tags={'Name': 'webserver'}, # name tag # Uncomment to fail a test: #user_data=user_data) # start a simple web server ami=ami_id)
rta = ec2.RouteTableAssociation('new-rta', route_table_id=rt.id, subnet_id=subnet.id) sg = ec2.SecurityGroup(resource_name='new-sg', description='HTTP and SSH ingress', vpc_id=vpc.id, ingress=[ { 'protocol': 'tcp', 'fromPort': 22, 'toPort': 22, 'cidrBlocks': ['0.0.0.0/0'] }, { 'protocol': 'tcp', 'fromPort': 80, 'toPort': 80, 'cidrBlocks': ['0.0.0.0/0'] }, ], tags={ 'Name': 'infra security group', 'Creator': 'timc' }) bucket = s3.Bucket(resource_name='new-bucket', tags={ 'Name': 'infra bucket', 'Creator': 'timc'
def __init__(self): resource_specs = ParseYAML(resource_type).getSpecs() aws_vpc_id = VPCs.VPCId() for sg_name, sg_configuration in resource_specs.items(): # AWS Security Groups Dynamic Variables resource_name = sg_name resource_description = sg_configuration["description"] resource_vpc = sg_configuration["vpc"] resource_ingress_rules = sg_configuration["ingress"] resource_egress_rules = sg_configuration["egress"] resource_tags = None resource_tags = sg_configuration[ "tags"] if "tags" in sg_configuration else None # Getting list of tags from configuration file tags_list = {} if resource_tags is not None: for each_tag_name, each_tag_value in resource_tags.items(): tags_list.update({each_tag_name: each_tag_value}) # Adding mandatory tags tags_list.update({"Name": resource_name}) tags_list.update({ "Project/Stack": pulumi.get_project() + "/" + pulumi.get_stack() }) tags_list.update(resource_mandatory_tags) this_vpc = aws_vpc_id[str(resource_vpc)] # Empty dictionaries that'll be populated with rules # coming from each individual security group, # being ingress or egress ingress_rules_list = {} egress_rules_list = {} # Gathering all ingress rules and return the results # to the right dictionary defined above for each_ingress_rule in resource_ingress_rules.items(): for each_ingress_rule_key, each_ingress_rule_value in [ each_ingress_rule ]: ingress_rules_list.update( {each_ingress_rule_key: each_ingress_rule_value}) combined_ingress_rules = list(ingress_rules_list.values()) # Gathering all egress rules and return the results # to the right dictionary defined above for each_egress_rule in resource_egress_rules.items(): for each_egress_rule_key, each_egress_rule_value in [ each_egress_rule ]: egress_rules_list.update( {each_egress_rule_key: each_egress_rule_value}) combined_egress_rules = list(egress_rules_list.values()) # Create Security Group security_group = net.SecurityGroup( resource_name, description=resource_description, name=resource_name, vpc_id=this_vpc, ingress=combined_ingress_rules, egress=combined_egress_rules, tags=tags_list) # Update resource dictionary sg_ids_dict.update({security_group._name: security_group.id}) # Exporting each security group created for future reference pulumi.export(security_group._name, security_group.id)
# Lets use Pulumi to get the AMI image pulumi_ami = aws.get_ami(filters=[{ "name": "image-id", "values": [ec2_image_id] }], owners=[ec2_image_owner]) # Create a EC2 security group pulumi_security_group = ec2.SecurityGroup( 'pulumi-secgrp', description='pulumi: enable SSH access & outgoing connections', ingress=[{ 'protocol': 'tcp', 'from_port': ec2_ssh_port, 'to_port': ec2_ssh_port, 'cidr_blocks': ['0.0.0.0/0'] }], egress=[{ 'protocol': '-1', 'from_port': 0, 'to_port': 0, 'cidr_blocks': ['0.0.0.0/0'] }]) # Create EC2 instance ec2_instance = ec2.Instance(ec2_instance_name, key_name=ec2_keypair_name, instance_type=ec2_instance_size, security_groups=[pulumi_security_group.name], ami=pulumi_ami.id)
if ami == '': ami = get_linux_ami(instance_type) pulumi.info(msg="ami={}".format(ami)) web_group = ec2.SecurityGroup('web-secgrp', description='Enable HTTP/HTTPS access', ingress=[{ 'protocol': 'tcp', 'from_port': 80, 'to_port': 80, 'cidr_blocks': ['0.0.0.0/0'] }, { 'protocol': 'tcp', 'from_port': 443, 'to_port': 443, 'cidr_blocks': ['0.0.0.0/0'] }], egress=[{ 'protocol': 'tcp', 'from_port': 0, 'to_port': 80, 'cidr_blocks': ['0.0.0.0/0'] }, { 'protocol': 'tcp', 'from_port': 0, 'to_port': 443, 'cidr_blocks': ['0.0.0.0/0'] }]) pulumi.info( msg="aws_cidr_allowed={}".format(env.get_secret('aws_cidr_allowed'))) ssh_group = ec2.SecurityGroup('ssh-secgrp',
"mytable", attributes=[dynamodb.TableAttributeArgs( name="Id", type="S", )], hash_key="Id", read_capacity=1, write_capacity=1) ## EC2 eip = ec2.Eip("myeip") security_group = ec2.SecurityGroup("mysecuritygroup", ingress=[ ec2.SecurityGroupIngressArgs( protocol="tcp", from_port=80, to_port=80, cidr_blocks=["0.0.0.0/0"]) ]) vpc = ec2.Vpc("myvpc", cidr_block="10.0.0.0/16") igw = ec2.InternetGateway("myinternetgateway", vpc_id=vpc.id) public_route_table = ec2.RouteTable("myroutetable", routes=[ ec2.RouteTableRouteArgs( cidr_block="0.0.0.0/0", gateway_id=igw.id) ], vpc_id=vpc.id)
# https://github.com/terraform-providers/terraform-provider-aws/blob/master/website/docs/r/security_group.html.markdown eks_cluster_sg = ec2.SecurityGroup( 'eks-cluster-sg', vpc_id=vpc.id, description='Allow all traffic and associate with our vpc', tags={'Name': 'eks-cluster-sg'}, egress=[{ 'cidr_blocks': ["0.0.0.0/0"], 'from_port': '0', 'to_port': '0', 'self': False, 'protocol': '-1', 'description': 'Allow internet access.' }], ingress=[{ 'cidr_blocks': ["0.0.0.0/0"], 'from_port': '443', 'to_port': '443', 'protocol': 'tcp', 'description': 'Allow pods to communicate with the cluster API Server.' }, { 'cidr_blocks': ["0.0.0.0/0"], 'from_port': '80', 'to_port': '80', 'protocol': 'tcp', 'description': 'Allow internet access to pods' }])
def __init__(self, name: str, args: VpcArgs, opts: ResourceOptions = None): super().__init__('custom:resource:VPC', name, {}, opts) vpc_name = name + '-vpc' self.vpc = ec2.Vpc(vpc_name, cidr_block=args.cidr_block, instance_tenancy=args.instance_tenancy, enable_dns_hostnames=args.enable_dns_hostnames, enable_dns_support=args.enable_dns_support, tags={'Name': vpc_name}, opts=ResourceOptions(parent=self)) igw_name = name + '-igw' self.igw = ec2.InternetGateway(igw_name, vpc_id=self.vpc.id, tags={'Name': igw_name}, opts=ResourceOptions(parent=self)) rt_name = name + '-rt' self.route_table = ec2.RouteTable(rt_name, vpc_id=self.vpc.id, routes=[ ec2.RouteTableRouteArgs( cidr_block='0.0.0.0/0', gateway_id=self.igw.id, ) ], tags={'Name': rt_name}, opts=ResourceOptions(parent=self)) # Subnets, at least across two zones. all_zones = get_availability_zones() # limiting to 2 zones for speed and to meet minimal requirements. zone_names = [all_zones.names[0], all_zones.names[1]] self.subnets = [] subnet_name_base = f'{name}-subnet' for zone in zone_names: vpc_subnet = ec2.Subnet( f'{subnet_name_base}-{zone}', assign_ipv6_address_on_creation=False, vpc_id=self.vpc.id, map_public_ip_on_launch=True, cidr_block=f'10.100.{len(self.subnets)}.0/24', availability_zone=zone, tags={ 'Name': f'{subnet_name_base}-{zone}', }, opts=ResourceOptions(parent=self)) ec2.RouteTableAssociation(f'vpc-route-table-assoc-{zone}', route_table_id=self.route_table.id, subnet_id=vpc_subnet.id, opts=ResourceOptions(parent=self)) self.subnets.append(vpc_subnet) # Security Groups rds_sg_name = f'{name}-rds-sg' self.rds_security_group = ec2.SecurityGroup( rds_sg_name, vpc_id=self.vpc.id, description='Allow client access.', tags={'Name': rds_sg_name}, ingress=[ ec2.SecurityGroupIngressArgs(cidr_blocks=['0.0.0.0/0'], from_port=3306, to_port=3306, protocol='tcp', description='Allow rds access.'), ], egress=[ ec2.SecurityGroupEgressArgs( protocol='-1', from_port=0, to_port=0, cidr_blocks=['0.0.0.0/0'], ) ], opts=ResourceOptions(parent=self)) fe_sg_name = f'{name}-fe-sg' self.fe_security_group = ec2.SecurityGroup( fe_sg_name, vpc_id=self.vpc.id, description='Allow all HTTP(s) traffic.', tags={'Name': fe_sg_name}, ingress=[ ec2.SecurityGroupIngressArgs(cidr_blocks=['0.0.0.0/0'], from_port=443, to_port=443, protocol='tcp', description='Allow https.'), ec2.SecurityGroupIngressArgs(cidr_blocks=['0.0.0.0/0'], from_port=80, to_port=80, protocol='tcp', description='Allow http access'), ], egress=[ ec2.SecurityGroupEgressArgs( protocol='-1', from_port=0, to_port=0, cidr_blocks=['0.0.0.0/0'], ) ], opts=ResourceOptions(parent=self)) self.register_outputs({})
# Copyright 2016-2020, Pulumi Corporation. All rights reserved. import pulumi from pulumi_aws import ec2 from ami import get_linux_ami size = 't2.micro' group = ec2.SecurityGroup('web-secgrp', description='Enable HTTP access', ingress=[ ec2.SecurityGroupIngressArgs( protocol='tcp', from_port=80, to_port=80, cidr_blocks=['0.0.0.0/0']) ]) server = ec2.Instance('web-server-www', instance_type=size, security_groups=[group.name], ami=get_linux_ami(size)) pulumi.export('public_ip', server.public_ip) pulumi.export('public_dns', server.public_dns)
["ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-*"] }]) # Create a Security Group allowing ssh access group = ec2.SecurityGroup(f"nextcloud-secgrp-{env}", description='Enable SSH and HTTP/S access', ingress=[{ 'protocol': 'tcp', 'from_port': 22, 'to_port': 22, 'cidr_blocks': ['0.0.0.0/0'] }, { 'protocol': 'tcp', 'from_port': 443, 'to_port': 443, 'cidr_blocks': ['0.0.0.0/0'] }, { 'protocol': 'tcp', 'from_port': 80, 'to_port': 80, 'cidr_blocks': ['0.0.0.0/0'] }], egress=[{ 'protocol': '-1', 'from_port': 0, 'to_port': 0, 'cidr_blocks': ['0.0.0.0/0'] }]) # Create an EC2 (using the ami previously retrieved) instance = ec2.Instance( f"nextcloud-webserver-www-{env}",
# Copyright 2016-2018, Pulumi Corporation. All rights reserved. import pulumi from pulumi_aws import ec2 from ami import get_linux_ami size = 't2.micro' group = ec2.SecurityGroup('web-secgrp', description='Enable HTTP access', ingress=[{ 'protocol': 'tcp', 'from_port': 80, 'to_port': 80, 'cidr_blocks': ['0.0.0.0/0'] }]) server = ec2.Instance('web-server-www', instance_type=size, security_groups=[group.name], ami=get_linux_ami(size)) pulumi.export('public_ip', server.public_ip) pulumi.export('public_dns', server.public_dns)
def __init__( self, name, opts=None, ): super().__init__("nuage:aws:DevelopmentEnvironment:VPC", f"{name}VpcEnvironment", None, opts) vpc = ec2.Vpc( f"{name}Vpc", cidr_block="172.32.0.0/16", enable_dns_hostnames=True, enable_dns_support=True, ) subnet_1 = ec2.Subnet( f"{name}VpcSubnetA", availability_zone="eu-west-1a", vpc_id=vpc.id, cidr_block="172.32.0.0/20", opts=ResourceOptions(depends_on=[vpc]), ) subnet_2 = ec2.Subnet( f"{name}VpcSubnetB", availability_zone="eu-west-1b", vpc_id=vpc.id, cidr_block="172.32.16.0/20", opts=ResourceOptions(depends_on=[vpc]), ) subnet_3 = ec2.Subnet( f"{name}VpcSubnetC", availability_zone="eu-west-1c", vpc_id=vpc.id, cidr_block="172.32.32.0/20", opts=ResourceOptions(depends_on=[vpc]), ) private_subnet_1 = ec2.Subnet( f"{name}VpcPrivateSubnetA", availability_zone="eu-west-1a", vpc_id=vpc.id, cidr_block="172.32.48.0/20", opts=ResourceOptions(depends_on=[vpc]), ) security_group = ec2.SecurityGroup( f"{name}SecurityGroup", vpc_id=vpc.id, opts=ResourceOptions(depends_on=[vpc]), ) security_group_rule = ec2.SecurityGroupRule( f"{name}SSHRule", security_group_id=security_group.id, type="ingress", protocol="tcp", from_port=22, to_port=22, cidr_blocks=["0.0.0.0/0"], ) security_group_rule = ec2.SecurityGroupRule( f"{name}InboundRule", security_group_id=security_group.id, type="ingress", protocol="all", from_port=0, to_port=65535, source_security_group_id=security_group.id, ) security_group_rule = ec2.SecurityGroupRule( f"{name}OutboundRule", security_group_id=security_group.id, type="egress", protocol="all", from_port=0, to_port=65535, cidr_blocks=["0.0.0.0/0"], ) subnets = [subnet_1, subnet_2, subnet_3] gateway = ec2.InternetGateway( f"{name}InternetGateway", vpc_id=vpc.id, opts=ResourceOptions(depends_on=[vpc]), ) gateway_route = ec2.Route( f"{name}GatewayRoute", destination_cidr_block="0.0.0.0/0", gateway_id=gateway.id, route_table_id=vpc.default_route_table_id, ) elastic_ip = ec2.Eip(f"{name}Eip", vpc=True, opts=ResourceOptions(depends_on=[gateway])) nat_gateway = ec2.NatGateway( f"{name}NatGateway", subnet_id=subnet_1.id, allocation_id=elastic_ip.id, opts=ResourceOptions(depends_on=[subnet_1, elastic_ip]), ) private_route_table = ec2.RouteTable( f"{name}PrivateRouteTable", routes=[ { "cidr_block": "0.0.0.0/0", "nat_gateway_id": nat_gateway.id, }, ], vpc_id=vpc.id, opts=ResourceOptions(depends_on=[private_subnet_1]), ) private_route_table_assoc = ec2.RouteTableAssociation( f"{name}PrivateRouteTableAssoc", route_table_id=private_route_table.id, subnet_id=private_subnet_1.id, ) outputs = { "vpc": vpc, "security_group": security_group, "public_subnets": [subnet_1, subnet_2, subnet_3], "private_subnet": private_subnet_1, "nat_gateway": nat_gateway, } self.set_outputs(outputs)