def add_interfaces(self, services:List[str]): for svc in services: if not svc in self.interfaces: self.interfaces[svc] = ec2.InterfaceVpcEndpoint( self, svc, vpc=self.vpc, service=ec2.InterfaceVpcEndpointAwsService(name=svc), open=True, private_dns_enabled=True, lookup_supported_azs=True, security_groups=[self.security_group]) return self
def create_endpoints(self) -> None: endpoints = { "SQS": ec2.InterfaceVpcEndpointAwsService.SQS, "CLOUDWATCH_LOGS": ec2.InterfaceVpcEndpointAwsService.CLOUDWATCH_LOGS, "CLOUDWATCH_MONITORING": ec2.InterfaceVpcEndpointAwsService.CLOUDWATCH, "KMS ": ec2.InterfaceVpcEndpointAwsService.KMS, "ECR": ec2.InterfaceVpcEndpointAwsService.ECR, "ECR_DOCKER": ec2.InterfaceVpcEndpointAwsService.ECR_DOCKER, "CODE_ARTIFACT_API": ec2.InterfaceVpcEndpointAwsService(name="codeartifact.api"), "CODE_ARTIFACT_REPOSITORIES": ec2.InterfaceVpcEndpointAwsService( name="codeartifact.repositories"), } for name, service in endpoints.items(): ec2.InterfaceVpcEndpoint( self, name, vpc=self.instance, service=service, subnets=ec2.SubnetSelection( subnet_type=ec2.SubnetType.ISOLATED), private_dns_enabled=True, security_groups=[self.mwaa_sg], ) self.instance.add_gateway_endpoint( "s3-endpoint", service=ec2.GatewayVpcEndpointAwsService.S3, subnets=[ec2.SubnetSelection(subnet_type=ec2.SubnetType.ISOLATED)], )
def create_gateway_endpoint( self, service_name: str, vpc: _ec2.Vpc, gateway_endpoint_policy: _iam.PolicyStatement = None): """create gateway endpoint""" vpc_endpoint = _ec2.GatewayVpcEndpoint( self, id=service_name.upper() + "VPCEndPoint", vpc=vpc, service=_ec2.InterfaceVpcEndpointAwsService(service_name)) if gateway_endpoint_policy is not None: vpc_endpoint.add_to_policy(gateway_endpoint_policy)
def create_interface_endpoint( self, service_name: str, security_group: _ec2.ISecurityGroup, vpc: _ec2.Vpc, interface_endpoint_policy: _iam.PolicyStatement = None): """create interface endpoint""" vpc_endpoint = _ec2.InterfaceVpcEndpoint( self, id=service_name.upper() + "VPCEndPoint", vpc=vpc, service=_ec2.InterfaceVpcEndpointAwsService(service_name), private_dns_enabled=True, security_groups=[security_group]) if interface_endpoint_policy is not None: vpc_endpoint.add_to_policy(interface_endpoint_policy)
def __init__(self, scope: core.Construct, id: str, vpc: ec2.IVpc, **kwargs) -> None: super().__init__(scope, id, **kwargs) self.security_group = ec2.SecurityGroup( self, 'EndpointSecurity', vpc=vpc, allow_all_outbound=True, description='SG for AWS Resources in isolated subnet') self.security_group.add_ingress_rule( peer=ec2.Peer.any_ipv4(), connection=ec2.Port(protocol=ec2.Protocol.ALL, string_representation='Any source')) self.gateways = {} for svc in ['s3', 'dynamodb']: self.gateways[svc] = ec2.GatewayVpcEndpoint( self, svc, vpc=vpc, service=ec2.GatewayVpcEndpointAwsService(name=svc)) self.interfaces = {} for svc in [ 'ssm', 'ec2messages', 'ec2', 'ssmmessages', 'kms', 'elasticloadbalancing', 'elasticfilesystem', 'lambda', 'states', 'events', 'execute-api', 'kinesis-streams', 'kinesis-firehose', 'logs', 'sns', 'sqs', 'secretsmanager', 'config', 'ecr.api', 'ecr.dkr' ]: self.interfaces[svc] = ec2.InterfaceVpcEndpoint( self, svc, vpc=vpc, service=ec2.InterfaceVpcEndpointAwsService(name=svc), open=True, private_dns_enabled=True, lookup_supported_azs=False, security_groups=[self.security_group])
def _create_vpc_endpoints(self) -> None: vpc_gateway_endpoints = { "s3": ec2.GatewayVpcEndpointAwsService.S3, "dynamodb": ec2.GatewayVpcEndpointAwsService.DYNAMODB, } vpc_interface_endpoints = { "cloudwatch_endpoint": ec2.InterfaceVpcEndpointAwsService.CLOUDWATCH, "cloudwatch_logs_endpoint": ec2.InterfaceVpcEndpointAwsService.CLOUDWATCH_LOGS, "cloudwatch_events": ec2.InterfaceVpcEndpointAwsService.CLOUDWATCH_EVENTS, "ecr_docker_endpoint": ec2.InterfaceVpcEndpointAwsService.ECR_DOCKER, "ecr_endpoint": ec2.InterfaceVpcEndpointAwsService.ECR, "ec2_endpoint": ec2.InterfaceVpcEndpointAwsService.EC2, "ecs": ec2.InterfaceVpcEndpointAwsService.ECS, "ecs_agent": ec2.InterfaceVpcEndpointAwsService.ECS_AGENT, "ecs_telemetry": ec2.InterfaceVpcEndpointAwsService.ECS_TELEMETRY, "git_endpoint": ec2.InterfaceVpcEndpointAwsService.CODECOMMIT_GIT, "ssm_endpoint": ec2.InterfaceVpcEndpointAwsService.SSM, "ssm_messages_endpoint": ec2.InterfaceVpcEndpointAwsService.SSM_MESSAGES, "secrets_endpoint": ec2.InterfaceVpcEndpointAwsService.SECRETS_MANAGER, "kms_endpoint": ec2.InterfaceVpcEndpointAwsService.KMS, "sagemaker_endpoint": ec2.InterfaceVpcEndpointAwsService.SAGEMAKER_API, "sagemaker_runtime": ec2.InterfaceVpcEndpointAwsService.SAGEMAKER_RUNTIME, "notebook_endpoint": ec2.InterfaceVpcEndpointAwsService.SAGEMAKER_NOTEBOOK, "athena_endpoint": ec2.InterfaceVpcEndpointAwsService("athena"), "glue_endpoint": ec2.InterfaceVpcEndpointAwsService("glue"), "sqs": ec2.InterfaceVpcEndpointAwsService.SQS, "step_function_endpoint": ec2.InterfaceVpcEndpointAwsService("states"), "sns_endpoint": ec2.InterfaceVpcEndpointAwsService.SNS, "kinesis_firehose_endpoint": ec2.InterfaceVpcEndpointAwsService("kinesis-firehose"), "api_gateway": ec2.InterfaceVpcEndpointAwsService.APIGATEWAY, "sts_endpoint": ec2.InterfaceVpcEndpointAwsService.STS, "efs": ec2.InterfaceVpcEndpointAwsService.ELASTIC_FILESYSTEM, "elb": ec2.InterfaceVpcEndpointAwsService.ELASTIC_LOAD_BALANCING, "autoscaling": ec2.InterfaceVpcEndpointAwsService("autoscaling"), "cloudformation_endpoint": ec2.InterfaceVpcEndpointAwsService("cloudformation"), "codebuild_endpoint": ec2.InterfaceVpcEndpointAwsService("codebuild"), } for name, gateway_vpc_endpoint_service in vpc_gateway_endpoints.items( ): self.vpc.add_gateway_endpoint( id=name, service=gateway_vpc_endpoint_service, subnets=[ ec2.SubnetSelection(subnets=self.nodes_subnets.subnets), ], ) self._vpc_security_group = ec2.SecurityGroup(self, "vpc-sg", vpc=self.vpc, allow_all_outbound=False) # Adding ingress rule to VPC CIDR self._vpc_security_group.add_ingress_rule( peer=ec2.Peer.ipv4(self.vpc.vpc_cidr_block), connection=ec2.Port.all_tcp()) for name, interface_service in vpc_interface_endpoints.items(): self.vpc.add_interface_endpoint( id=name, service=interface_service, subnets=ec2.SubnetSelection( subnets=self.nodes_subnets.subnets), private_dns_enabled=True, security_groups=[self._vpc_security_group], ) # Adding CodeArtifact VPC endpoints self.vpc.add_interface_endpoint( id="code_artifact_repo_endpoint", service=cast( ec2.IInterfaceVpcEndpointService, ec2.InterfaceVpcEndpointAwsService( "codeartifact.repositories")), subnets=ec2.SubnetSelection(subnets=self.nodes_subnets.subnets), private_dns_enabled=False, security_groups=[self._vpc_security_group], ) self.vpc.add_interface_endpoint( id="code_artifact_api_endpoint", service=cast( ec2.IInterfaceVpcEndpointService, ec2.InterfaceVpcEndpointAwsService("codeartifact.api")), subnets=ec2.SubnetSelection(subnets=self.nodes_subnets.subnets), private_dns_enabled=False, security_groups=[self._vpc_security_group], ) # Adding Lambda and Redshift endpoints with CDK low level APIs endpoint_url_template = "com.amazonaws.{}.{}" ec2.CfnVPCEndpoint( self, "redshift_endpoint", vpc_endpoint_type="Interface", service_name=endpoint_url_template.format(self.region, "redshift"), vpc_id=self.vpc.vpc_id, security_group_ids=[self._vpc_security_group.security_group_id], subnet_ids=self.nodes_subnets.subnet_ids, private_dns_enabled=True, ) ec2.CfnVPCEndpoint( self, "lambda_endpoint", vpc_endpoint_type="Interface", service_name=endpoint_url_template.format(self.region, "lambda"), vpc_id=self.vpc.vpc_id, security_group_ids=[self._vpc_security_group.security_group_id], subnet_ids=self.nodes_subnets.subnet_ids, private_dns_enabled=True, )
def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None: super().__init__(scope, construct_id, **kwargs) isolated_subnets = ec2.SubnetConfiguration( name="ISOLATED", subnet_type=ec2.SubnetType.PRIVATE_ISOLATED, cidr_mask=24) # create VPC vpc = ec2.Vpc(self, 'AWS-Cookbook-VPC', cidr='10.10.0.0/23', subnet_configuration=[isolated_subnets]) database_name = "AWSCookbookRecipe408" rds_cluster = rds.ServerlessCluster( self, 'DBCluster', engine=rds.DatabaseClusterEngine.AURORA_POSTGRESQL, parameter_group=rds.ParameterGroup.from_parameter_group_name( self, 'ParameterGroup', 'default.aurora-postgresql10'), vpc=vpc, cluster_identifier='awscookbookrecipe408', default_database_name=database_name, # enable_data_api=True, deletion_protection=False, removal_policy=RemovalPolicy.DESTROY, vpc_subnets=ec2.SubnetSelection( one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED), ) vpc.add_interface_endpoint( 'RdsDataInterfaceEndpoint', service=ec2.InterfaceVpcEndpointAwsService( 'rds-data' ), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames' private_dns_enabled=True, subnets=ec2.SubnetSelection( one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED), ) # -------- Begin EC2 Helper --------- vpc.add_interface_endpoint( 'VPCSSMInterfaceEndpoint', service=ec2.InterfaceVpcEndpointAwsService( 'ssm' ), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames' private_dns_enabled=True, subnets=ec2.SubnetSelection( one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED), ) vpc.add_interface_endpoint( 'VPCEC2MessagesInterfaceEndpoint', service=ec2.InterfaceVpcEndpointAwsService( 'ec2messages' ), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames' private_dns_enabled=True, subnets=ec2.SubnetSelection( one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED), ) vpc.add_interface_endpoint( 'VPCSSMMessagesInterfaceEndpoint', service=ec2.InterfaceVpcEndpointAwsService( 'ssmmessages' ), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames' private_dns_enabled=True, subnets=ec2.SubnetSelection( one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED), ) ami = ec2.MachineImage.latest_amazon_linux( generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2, edition=ec2.AmazonLinuxEdition.STANDARD, virtualization=ec2.AmazonLinuxVirt.HVM, storage=ec2.AmazonLinuxStorage.GENERAL_PURPOSE) iam_role = iam.Role( self, "InstanceSSM", assumed_by=iam.ServicePrincipal("ec2.amazonaws.com")) iam_role.add_managed_policy( iam.ManagedPolicy.from_aws_managed_policy_name( "service-role/AmazonEC2RoleforSSM")) instance = ec2.Instance( self, "Instance", instance_type=ec2.InstanceType("t3.nano"), machine_image=ami, role=iam_role, vpc=vpc, ) CfnOutput(self, 'InstanceId', value=instance.instance_id) # -------- End EC2 Helper --------- # outputs CfnOutput(self, 'VpcId', value=vpc.vpc_id) CfnOutput(self, 'SecretArn', value=rds_cluster.secret.secret_full_arn) CfnOutput(self, 'ClusterArn', value=rds_cluster.cluster_arn) CfnOutput(self, 'ClusterIdentifier', value=rds_cluster.cluster_identifier) CfnOutput(self, 'DatabaseName', value=database_name) CfnOutput(self, 'InstanceRoleName', value=instance.role.role_name)
def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None: super().__init__(scope, construct_id, **kwargs) # create s3 bucket s3_Bucket = s3.Bucket(self, "AWS-Cookbook-Recipe-402", removal_policy=RemovalPolicy.DESTROY) aws_s3_deployment.BucketDeployment( self, 'S3Deployment', destination_bucket=s3_Bucket, sources=[aws_s3_deployment.Source.asset("./s3_content")], retain_on_delete=False) isolated_subnets = ec2.SubnetConfiguration( name="ISOLATED", subnet_type=ec2.SubnetType.PRIVATE_ISOLATED, cidr_mask=24) # create VPC vpc = ec2.Vpc(self, 'AWS-Cookbook-VPC', cidr='10.10.0.0/23', subnet_configuration=[isolated_subnets]) vpc.add_interface_endpoint( 'VPCSecretsManagerInterfaceEndpoint', service=ec2.InterfaceVpcEndpointAwsService( 'secretsmanager' ), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames' private_dns_enabled=True, subnets=ec2.SubnetSelection( one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED), ) vpc.add_interface_endpoint( 'VPCRDSInterfaceEndpoint', service=ec2.InterfaceVpcEndpointAwsService( 'rds' ), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames' private_dns_enabled=True, subnets=ec2.SubnetSelection( one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED), ) vpc.add_gateway_endpoint( 's3GateWayEndPoint', service=ec2.GatewayVpcEndpointAwsService('s3'), subnets=[ ec2.SubnetSelection( subnet_type=ec2.SubnetType.PRIVATE_ISOLATED) ], ) rds_security_group = ec2.SecurityGroup( self, 'rds_security_group', description='Security Group for the RDS Instance', allow_all_outbound=True, vpc=vpc) rds_instance = rds.DatabaseInstance( self, 'DBInstance', engine=rds.DatabaseInstanceEngine.mysql( version=rds.MysqlEngineVersion.VER_8_0_23), instance_type=ec2.InstanceType("m5.large"), vpc=vpc, database_name='AWSCookbookRecipe402', instance_identifier='awscookbookrecipe402', delete_automated_backups=True, deletion_protection=False, removal_policy=RemovalPolicy.DESTROY, allocated_storage=8, vpc_subnets=ec2.SubnetSelection( one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED), security_groups=[rds_security_group]) # -------- Begin EC2 Helper --------- vpc.add_interface_endpoint( 'VPCSSMInterfaceEndpoint', service=ec2.InterfaceVpcEndpointAwsService( 'ssm' ), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames' private_dns_enabled=True, subnets=ec2.SubnetSelection( one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED), ) vpc.add_interface_endpoint( 'VPCEC2MessagesInterfaceEndpoint', service=ec2.InterfaceVpcEndpointAwsService( 'ec2messages' ), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames' private_dns_enabled=True, subnets=ec2.SubnetSelection( one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED), ) vpc.add_interface_endpoint( 'VPCSSMMessagesInterfaceEndpoint', service=ec2.InterfaceVpcEndpointAwsService( 'ssmmessages' ), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames' private_dns_enabled=True, subnets=ec2.SubnetSelection( one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED), ) ami = ec2.MachineImage.latest_amazon_linux( generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2, edition=ec2.AmazonLinuxEdition.STANDARD, virtualization=ec2.AmazonLinuxVirt.HVM, storage=ec2.AmazonLinuxStorage.GENERAL_PURPOSE) iam_role = iam.Role( self, "InstanceSSM", assumed_by=iam.ServicePrincipal("ec2.amazonaws.com")) iam_role.add_managed_policy( iam.ManagedPolicy.from_aws_managed_policy_name( "service-role/AmazonEC2RoleforSSM")) instance = ec2.Instance( self, "Instance", instance_type=ec2.InstanceType("t3.nano"), machine_image=ami, role=iam_role, vpc=vpc, ) CfnOutput(self, 'InstanceId', value=instance.instance_id) # -------- End EC2 Helper --------- rds_instance.secret.grant_read(instance) # allow connection from ec2 instance to DB rds_instance.connections.allow_from(instance.connections, ec2.Port.tcp(3306), "Ingress") s3_Bucket.grant_read(instance) # outputs CfnOutput(self, 'VpcId', value=vpc.vpc_id) CfnOutput(self, 'RdsSecurityGroup', value=rds_security_group.security_group_id) CfnOutput(self, 'RdsDatabaseId', value=rds_instance.instance_identifier) CfnOutput(self, 'RdsEndpoint', value=rds_instance.db_instance_endpoint_address) CfnOutput(self, 'RdsPort', value=rds_instance.db_instance_endpoint_port) CfnOutput(self, 'BucketName', value=s3_Bucket.bucket_name) isolated_subnets = vpc.select_subnets( subnet_type=ec2.SubnetType.PRIVATE_ISOLATED) CfnOutput(self, 'IsolatedSubnets', value=', '.join(map(str, isolated_subnets.subnet_ids))) CfnOutput(self, 'InstanceRoleName', value=iam_role.role_name) CfnOutput(self, 'RdsSecretArn', value=rds_instance.secret.secret_full_arn)
def provision_vpc(self, name: str, vpc: VPC): self.public_subnet_name = f"{name}-public" self.private_subnet_name = f"{name}-private" if not vpc.create: self.vpc = ec2.Vpc.from_lookup("Vpc", vpc_id=vpc.id) return nat_provider = ec2.NatProvider.gateway() self.vpc = ec2.Vpc( self.scope, "VPC", max_azs=vpc.max_azs, cidr=vpc.cidr, subnet_configuration=[ ec2.SubnetConfiguration( subnet_type=ec2.SubnetType.PUBLIC, name=self.public_subnet_name, cidr_mask=24, # can't use token ids ), ec2.SubnetConfiguration( subnet_type=ec2.SubnetType.PRIVATE, name=self.private_subnet_name, cidr_mask=24, # can't use token ids ), ], gateway_endpoints={ "S3": ec2.GatewayVpcEndpointOptions( service=ec2.GatewayVpcEndpointAwsService.S3), }, nat_gateway_provider=nat_provider, ) cdk.Tags.of(self.vpc).add("Name", name) cdk.CfnOutput(self.scope, "vpc-output", value=self.vpc.vpc_cidr_block) # ripped off this: https://github.com/aws/aws-cdk/issues/9573 pod_cidr = ec2.CfnVPCCidrBlock(self.scope, "PodCidr", vpc_id=self.vpc.vpc_id, cidr_block="100.64.0.0/16") c = 0 for az in self.vpc.availability_zones: pod_subnet = ec2.PrivateSubnet( self.scope, # this can't be okay f"{name}-pod-{c}", # Can't use parameter/token in this name vpc_id=self.vpc.vpc_id, availability_zone=az, cidr_block=f"100.64.{c}.0/18", ) pod_subnet.add_default_nat_route([ gw for gw in nat_provider.configured_gateways if gw.az == az ][0].gateway_id) pod_subnet.node.add_dependency(pod_cidr) # TODO: need to tag c += 64 for endpoint in [ "ec2", # Only these first three have predefined consts "sts", "ecr.api", "autoscaling", "ecr.dkr", ]: # TODO: Do we need an s3 interface as well? or just the gateway? self.vpc_endpoint = ec2.InterfaceVpcEndpoint( self.scope, f"{endpoint}-ENDPOINT", vpc=self.vpc, service=ec2.InterfaceVpcEndpointAwsService(endpoint, port=443), # private_dns_enabled=True, subnets=ec2.SubnetSelection( subnet_type=ec2.SubnetType.PRIVATE), )
def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None: super().__init__(scope, construct_id, **kwargs) isolated_subnets = ec2.SubnetConfiguration( name="isolated_subnets", subnet_type=ec2.SubnetType.PRIVATE_ISOLATED, cidr_mask=24 ) # create VPCs vpc1 = ec2.Vpc( self, 'AWS-Cookbook-VPC1-211', cidr='10.10.0.0/23', max_azs=1, subnet_configuration=[isolated_subnets] ) vpc1.add_interface_endpoint( 'VPC1SSMInterfaceEndpoint', service=ec2.InterfaceVpcEndpointAwsService('ssm'), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames' private_dns_enabled=True, subnets=ec2.SubnetSelection( one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED ), ) vpc1.add_interface_endpoint( 'VPC1EC2MessagesInterfaceEndpoint', service=ec2.InterfaceVpcEndpointAwsService('ec2messages'), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames' private_dns_enabled=True, subnets=ec2.SubnetSelection( one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED ), ) vpc1.add_interface_endpoint( 'VPC1SSMMessagedInterfaceEndpoint', service=ec2.InterfaceVpcEndpointAwsService('ssmmessages'), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames' private_dns_enabled=True, subnets=ec2.SubnetSelection( one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED ), ) vpc2 = ec2.Vpc( self, 'AWS-Cookbook-VPC2-209', cidr='10.20.0.0/23', max_azs=1, subnet_configuration=[isolated_subnets] ) ami = ec2.MachineImage.latest_amazon_linux( generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2, edition=ec2.AmazonLinuxEdition.STANDARD, virtualization=ec2.AmazonLinuxVirt.HVM, storage=ec2.AmazonLinuxStorage.GENERAL_PURPOSE ) iam_role = iam.Role(self, "InstanceSSM", assumed_by=iam.ServicePrincipal("ec2.amazonaws.com")) iam_role.add_managed_policy(iam.ManagedPolicy.from_aws_managed_policy_name("AmazonSSMManagedInstanceCore")) instance1 = ec2.Instance( self, "Instance1", instance_type=ec2.InstanceType("t3.nano"), machine_image=ami, role=iam_role, vpc=vpc1, ) instance2 = ec2.Instance( self, "Instance2", instance_type=ec2.InstanceType("t3.nano"), machine_image=ami, role=iam_role, vpc=vpc2, ) # outputs CfnOutput( self, 'VpcId1', value=vpc1.vpc_id ) CfnOutput( self, 'InstanceId1', value=instance1.instance_id ) CfnOutput( self, 'InstanceId2', value=instance2.instance_id ) CfnOutput( self, 'InstanceIp1', value=instance1.instance_private_ip ) CfnOutput( self, 'InstanceIp2', value=instance2.instance_private_ip ) CfnOutput( self, 'InstanceSg1', value=instance1.connections.security_groups[0].security_group_id ) CfnOutput( self, 'InstanceSg2', value=instance2.connections.security_groups[0].security_group_id ) CfnOutput( self, 'VpcId2', value=vpc2.vpc_id ) vpc1_subnet_list = vpc1.select_subnets(subnet_type=ec2.SubnetType.ISOLATED) CfnOutput( self, 'VpcSubnetRtId1', value=vpc1_subnet_list.subnets[0].route_table.route_table_id ) vpc2_subnet_list = vpc2.select_subnets(subnet_type=ec2.SubnetType.ISOLATED) CfnOutput( self, 'VpcSubnetRtId2', value=vpc2_subnet_list.subnets[0].route_table.route_table_id ) CfnOutput( self, 'VpcCidr1', value=vpc1.vpc_cidr_block ) CfnOutput( self, 'VpcCidr2', value=vpc2.vpc_cidr_block )
def __init__(self, scope: core.Construct, construct_id: str, **kwargs) -> None: super().__init__(scope, construct_id, **kwargs) isolated_subnets = ec2.SubnetConfiguration( name="ISOLATED", subnet_type=ec2.SubnetType.ISOLATED, cidr_mask=24) # create VPC vpc1 = ec2.Vpc(self, 'AWS-Cookbook-VPC1-211', cidr='10.10.0.0/23', subnet_configuration=[isolated_subnets]) vpc1.add_interface_endpoint( 'VPC1SSMInterfaceEndpoint', service=ec2.InterfaceVpcEndpointAwsService( 'ssm' ), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames' private_dns_enabled=True, subnets=ec2.SubnetSelection(one_per_az=False, subnet_type=ec2.SubnetType.ISOLATED), ) vpc1.add_interface_endpoint( 'VPC1EC2MessagesInterfaceEndpoint', service=ec2.InterfaceVpcEndpointAwsService( 'ec2messages' ), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames' private_dns_enabled=True, subnets=ec2.SubnetSelection(one_per_az=False, subnet_type=ec2.SubnetType.ISOLATED), ) vpc1.add_interface_endpoint( 'VPC1SSMMessagedInterfaceEndpoint', service=ec2.InterfaceVpcEndpointAwsService( 'ssmmessages' ), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames' private_dns_enabled=True, subnets=ec2.SubnetSelection(one_per_az=False, subnet_type=ec2.SubnetType.ISOLATED), ) vpc2 = ec2.Vpc(self, 'AWS-Cookbook-VPC2-211', cidr='10.10.0.0/23', subnet_configuration=[isolated_subnets]) VPC2SSMInterfaceEndpoint = vpc2.add_interface_endpoint( 'VPC2SSMInterfaceEndpoint', service=ec2.InterfaceVpcEndpointAwsService( 'ssm' ), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames' private_dns_enabled=True, subnets=ec2.SubnetSelection(one_per_az=False, subnet_type=ec2.SubnetType.ISOLATED), ) vpc2.add_interface_endpoint( 'VPC2EC2MessagesInterfaceEndpoint', service=ec2.InterfaceVpcEndpointAwsService( 'ec2messages' ), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames' private_dns_enabled=True, subnets=ec2.SubnetSelection(one_per_az=False, subnet_type=ec2.SubnetType.ISOLATED), ) vpc2.add_interface_endpoint( 'VPC2SSMMessagedInterfaceEndpoint', service=ec2.InterfaceVpcEndpointAwsService( 'ssmmessages' ), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames' private_dns_enabled=True, subnets=ec2.SubnetSelection(one_per_az=False, subnet_type=ec2.SubnetType.ISOLATED), ) ami = ec2.MachineImage.latest_amazon_linux( generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2, edition=ec2.AmazonLinuxEdition.STANDARD, virtualization=ec2.AmazonLinuxVirt.HVM, storage=ec2.AmazonLinuxStorage.GENERAL_PURPOSE) iam_role = iam.Role( self, "InstanceSSM", assumed_by=iam.ServicePrincipal("ec2.amazonaws.com")) iam_role.add_managed_policy( iam.ManagedPolicy.from_aws_managed_policy_name( "service-role/AmazonEC2RoleforSSM")) instance1 = ec2.Instance( self, "Instance1", instance_type=ec2.InstanceType("t3.nano"), machine_image=ami, role=iam_role, vpc=vpc1, ) instance2 = ec2.Instance( self, "Instance2", instance_type=ec2.InstanceType("t3.nano"), machine_image=ami, role=iam_role, vpc=vpc2, ) # outputs core.CfnOutput(self, 'VPC1Id', value=vpc1.vpc_id) core.CfnOutput(self, 'VPC2Id', value=vpc2.vpc_id) core.CfnOutput(self, 'Instance1ID', value=instance1.instance_id) core.CfnOutput(self, 'Instance2ID', value=instance2.instance_id) vpc1_isoalted_subnets = vpc1.select_subnets( subnet_type=ec2.SubnetType.ISOLATED) core.CfnOutput(self, 'VPC1Subnets', value=', '.join( map(str, vpc1_isoalted_subnets.subnet_ids))) core.CfnOutput(self, 'VPC2InterfaceEndpointSG', value=VPC2SSMInterfaceEndpoint.security_group_id) vpc2_isolated_subnets_list = vpc2.select_subnets( subnet_type=ec2.SubnetType.ISOLATED) core.CfnOutput(self, 'VPC2Subnet1ID', value=vpc2_isolated_subnets_list.subnets[0].subnet_id)
def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None: super().__init__(scope, construct_id, **kwargs) # create s3 bucket s3_Bucket = s3.Bucket(self, "AWS-Cookbook-Recipe-404", removal_policy=RemovalPolicy.DESTROY, auto_delete_objects=True) aws_s3_deployment.BucketDeployment( self, 'S3Deployment', destination_bucket=s3_Bucket, sources=[aws_s3_deployment.Source.asset("./s3_content")], retain_on_delete=False) isolated_subnets = ec2.SubnetConfiguration( name="ISOLATED", subnet_type=ec2.SubnetType.PRIVATE_ISOLATED, cidr_mask=24) # create VPC vpc = ec2.Vpc(self, 'AWS-Cookbook-VPC', cidr='10.10.0.0/23', subnet_configuration=[isolated_subnets]) vpc.add_interface_endpoint( 'VPCSecretsManagerInterfaceEndpoint', service=ec2.InterfaceVpcEndpointAwsService( 'secretsmanager' ), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames' private_dns_enabled=True, subnets=ec2.SubnetSelection( one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED), ) vpc.add_gateway_endpoint( 's3GateWayEndPoint', service=ec2.GatewayVpcEndpointAwsService('s3'), subnets=[ ec2.SubnetSelection( subnet_type=ec2.SubnetType.PRIVATE_ISOLATED) ], ) subnet_group = rds.SubnetGroup( self, 'rds_subnet_group', description='VPC Subnet Group for RDS', vpc=vpc, vpc_subnets=ec2.SubnetSelection( one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED)) rds_instance = rds.DatabaseInstance( self, 'DBInstance', engine=rds.DatabaseInstanceEngine.mysql( version=rds.MysqlEngineVersion.VER_8_0_23), instance_type=ec2.InstanceType("m5.large"), vpc=vpc, multi_az=False, database_name='AWSCookbookRecipe404', instance_identifier='awscookbook404db-orig', delete_automated_backups=True, deletion_protection=False, # iam_authentication= removal_policy=RemovalPolicy.DESTROY, allocated_storage=8, subnet_group=subnet_group) # mkdir -p lambda-layers/sqlparse/python # cd layers/sqlparse/python # pip install sqlparse --target="." # cd ../../../ # create Lambda Layer sqlparse = aws_lambda.LayerVersion( self, "sqlparse", code=aws_lambda.AssetCode('lambda-layers/sqlparse'), compatible_runtimes=[aws_lambda.Runtime.PYTHON_3_8], description="sqlparse", license= "https://github.com/andialbrecht/sqlparse/blob/master/LICENSE") pymysql = aws_lambda.LayerVersion( self, "pymysql", code=aws_lambda.AssetCode('lambda-layers/pymysql'), compatible_runtimes=[aws_lambda.Runtime.PYTHON_3_8], description="pymysql", license="MIT") smartopen = aws_lambda.LayerVersion( self, "smartopen", code=aws_lambda.AssetCode('lambda-layers/smart_open'), compatible_runtimes=[aws_lambda.Runtime.PYTHON_3_8], description="smartopen", license="MIT") lambda_function = aws_lambda.Function( self, 'LambdaRDS', code=aws_lambda.AssetCode("./mysql-lambda/"), handler="lambda_function.lambda_handler", environment={ "DB_SECRET_ARN": rds_instance.secret.secret_arn, "S3_BUCKET": s3_Bucket.bucket_name }, layers=[sqlparse, pymysql, smartopen], memory_size=1024, runtime=aws_lambda.Runtime.PYTHON_3_8, timeout=Duration.seconds(600), vpc=vpc, vpc_subnets=ec2.SubnetSelection( subnet_type=ec2.SubnetType.PRIVATE_ISOLATED)) rds_instance.secret.grant_read(lambda_function) rds_instance.connections.allow_from(lambda_function.connections, ec2.Port.tcp(3306), "Ingress") s3_Bucket.grant_read(lambda_function) create_params = { "FunctionName": lambda_function.function_arn, } on_create = custom_resources.AwsSdkCall( action='invoke', service='Lambda', parameters=create_params, physical_resource_id=custom_resources.PhysicalResourceId.of( 'LambdaRDS')) policy_statement = iam.PolicyStatement( actions=["lambda:InvokeFunction"], effect=iam.Effect.ALLOW, resources=[lambda_function.function_arn], ) policy = custom_resources.AwsCustomResourcePolicy.from_statements( statements=[policy_statement]) custom_resources.AwsCustomResource( self, 'CustomResource', policy=policy, on_create=on_create, log_retention=logs.RetentionDays.TWO_WEEKS) # outputs CfnOutput(self, 'RdsSubnetGroup', value=subnet_group.subnet_group_name) CfnOutput(self, 'RdsDatabaseId', value=rds_instance.instance_identifier)
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: super().__init__(scope, id, **kwargs) self.current_dir = os.path.dirname(__file__) self.vpc = ec2.Vpc( self, "VPC", cidr="10.0.0.0/21", max_azs=2, subnet_configuration=[ ec2.SubnetConfiguration( cidr_mask=28, name="Database", subnet_type=ec2.SubnetType.ISOLATED, ), ec2.SubnetConfiguration(cidr_mask=28, name="Private", subnet_type=ec2.SubnetType.PRIVATE), ec2.SubnetConfiguration(cidr_mask=28, name="Public", subnet_type=ec2.SubnetType.PUBLIC) ], nat_gateways=3) self.qs_security_group = ec2.SecurityGroup( self, "quicksight-sg", vpc=self.vpc, allow_all_outbound=True, description="QuickSight security group") self.bastion = ec2.BastionHostLinux( self, "BastionHost", vpc=self.vpc, subnet_selection=ec2.SubnetSelection( subnet_type=ec2.SubnetType.PUBLIC)) self.bastion.connections.allow_from_any_ipv4(ec2.Port.tcp(22), "Internet access SSH") self.vpc.add_interface_endpoint( "redshift_endpoint", service=ec2.InterfaceVpcEndpointAwsService("redshift")) self.vpc.add_interface_endpoint( "rds_endpoint", service=ec2.InterfaceVpcEndpointAwsService("rds")) self.redshift_secret = secrets.Secret( self, 'redshift-admin', secret_name='redshift-admin', description= "This secret has generated admin secret password for Redshift cluster", generate_secret_string=secrets.SecretStringGenerator( secret_string_template='{"username": "******"}', generate_string_key='password', password_length=32, exclude_characters='"@\\\/', exclude_punctuation=True)) self.rs_security_group = ec2.SecurityGroup(self, "redshift-sg", vpc=self.vpc, allow_all_outbound=True, description="Redshift SG") self.rs_security_group.add_ingress_rule(self.rs_security_group, ec2.Port.all_tcp(), 'Redshift-basic') self.rs_security_group.add_ingress_rule( # https://docs.aws.amazon.com/quicksight/latest/user/regions.html ec2.Peer.ipv4('52.23.63.224/27'), ec2.Port.tcp(5439), 'QuickSight-IP') self.rs_security_group.add_ingress_rule(self.qs_security_group, ec2.Port.tcp(5439), 'QuickSight-sg') # self.rs_security_group.add_egress_rule( # self.rs_security_group, # ec2.Port.all_tcp(), # 'Allow outbound for QuickSight' # ) self.redshift_cluster = redshift.Cluster( self, "datasource-redshift", master_user=redshift.Login( master_username="******", master_password=self.redshift_secret.secret_value_from_json( 'password')), vpc=self.vpc, vpc_subnets=ec2.SubnetSelection( subnet_type=ec2.SubnetType.ISOLATED), security_groups=[self.rs_security_group]) self.rds_secret = secrets.Secret( self, 'rds-admin', secret_name='rds-admin', description= "This secret has generated admin secret password for RDS cluster", generate_secret_string=secrets.SecretStringGenerator( secret_string_template='{"username": "******"}', generate_string_key='password', password_length=32, exclude_characters='"@\\\/', exclude_punctuation=True)) self.rds_cluster = rds.DatabaseCluster( self, "datasource-rds", engine=rds.DatabaseClusterEngine.aurora_postgres( version=rds.AuroraPostgresEngineVersion.VER_11_9), instance_props={ "vpc_subnets": { "subnet_type": ec2.SubnetType.ISOLATED }, "vpc": self.vpc }, credentials=rds.Credentials.from_secret(self.rds_secret)) self.rds_cluster.connections.allow_default_port_from( self.bastion, "EC2 Bastion access Aurora") self.rds_cluster.connections.allow_default_port_from( self.qs_security_group, "QuickSight-sg") self.rds_cluster.connections.allow_default_port_from( # https://docs.aws.amazon.com/quicksight/latest/user/regions.html ec2.Peer.ipv4('52.23.63.224/27'), "QuickSight-IP") self.qs_security_group.add_ingress_rule(self.rs_security_group, ec2.Port.all_tcp(), 'AllTCP') for rds_group in self.rds_cluster.connections.security_groups: self.qs_security_group.add_ingress_rule(rds_group, ec2.Port.all_tcp(), 'AllTCP') # self.qs_security_group.add_egress_rule( # self.rs_security_group, # ec2.Port.all_tcp(), # 'AllTCP' # ) core.CfnOutput(self, "vpcId", value=self.vpc.vpc_id) core.CfnOutput(self, "redshiftUsername", value="admin") core.CfnOutput(self, "redshiftPassword", value="redshift-admin") core.CfnOutput(self, "redshiftClusterId", value=self.redshift_cluster.cluster_name) core.CfnOutput(self, "redshiftHost", value=self.redshift_cluster.cluster_endpoint.hostname) core.CfnOutput(self, "redshiftDB", value="dev") core.CfnOutput(self, "rdsUsername", value="administrator") core.CfnOutput(self, "rdsPassword", value="rds-admin") core.CfnOutput(self, "rdsClusterId", value=self.rds_cluster.cluster_identifier) core.CfnOutput(self, "namespace", value="default") core.CfnOutput(self, "version", value="1") core.CfnOutput(self, "quicksightSecurityGroupId", value=self.qs_security_group.security_group_id)
def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None: super().__init__(scope, construct_id, **kwargs) isolated_subnets = ec2.SubnetConfiguration( name="Isolated", subnet_type=ec2.SubnetType.PRIVATE_ISOLATED, cidr_mask=24) # create VPC vpc = ec2.Vpc(self, 'AWS-Cookbook-VPC', cidr='10.10.0.0/23', subnet_configuration=[isolated_subnets]) # -------- Begin EC2 Helper --------- vpc.add_interface_endpoint( 'VPCSSMInterfaceEndpoint', service=ec2.InterfaceVpcEndpointAwsService( 'ssm' ), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames' private_dns_enabled=True, subnets=ec2.SubnetSelection( one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED), ) vpc.add_interface_endpoint( 'VPCEC2MessagesInterfaceEndpoint', service=ec2.InterfaceVpcEndpointAwsService( 'ec2messages' ), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames' private_dns_enabled=True, subnets=ec2.SubnetSelection( one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED), ) vpc.add_interface_endpoint( 'VPCSSMMessagesInterfaceEndpoint', service=ec2.InterfaceVpcEndpointAwsService( 'ssmmessages' ), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames' private_dns_enabled=True, subnets=ec2.SubnetSelection( one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED), ) ami = ec2.MachineImage.latest_amazon_linux( generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2, edition=ec2.AmazonLinuxEdition.STANDARD, virtualization=ec2.AmazonLinuxVirt.HVM, storage=ec2.AmazonLinuxStorage.GENERAL_PURPOSE) vpc.add_gateway_endpoint( 's3GateWayEndPoint', service=ec2.GatewayVpcEndpointAwsService('s3'), subnets=[ ec2.SubnetSelection( subnet_type=ec2.SubnetType.PRIVATE_ISOLATED) ], ) iam_role = iam.Role( self, "InstanceSSM", assumed_by=iam.ServicePrincipal("ec2.amazonaws.com")) iam_role.add_managed_policy( iam.ManagedPolicy.from_aws_managed_policy_name( "service-role/AmazonEC2RoleforSSM")) instance1_sg = ec2.SecurityGroup(self, 'instance1_sg', vpc=vpc) instance1 = ec2.Instance( self, "Instance1", instance_type=ec2.InstanceType("t3.nano"), machine_image=ami, role=iam_role, vpc=vpc, security_group=instance1_sg, vpc_subnets=ec2.SubnetSelection(subnets=[vpc.isolated_subnets[0]])) instance2_sg = ec2.SecurityGroup(self, 'instance2_sg', vpc=vpc) instance2 = ec2.Instance( self, "Instance2", instance_type=ec2.InstanceType("t3.nano"), machine_image=ami, role=iam_role, vpc=vpc, security_group=instance2_sg, vpc_subnets=ec2.SubnetSelection(subnets=[vpc.isolated_subnets[1]])) # outputs CfnOutput(self, 'InstanceId1', value=instance1.instance_id) CfnOutput(self, 'InstanceId2', value=instance2.instance_id) CfnOutput(self, 'InstanceSgId1', value=instance1_sg.security_group_id) CfnOutput(self, 'InstanceSgId2', value=instance2_sg.security_group_id)
def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None: super().__init__(scope, construct_id, **kwargs) attachments_subnets = ec2.SubnetConfiguration( name="ATTACHMENTS", subnet_type=ec2.SubnetType.PRIVATE_ISOLATED, cidr_mask=28) isolated_subnets = ec2.SubnetConfiguration( name="ISOLATED", subnet_type=ec2.SubnetType.PRIVATE_ISOLATED, cidr_mask=28) public_subnets = ec2.SubnetConfiguration( name="PUBLIC", subnet_type=ec2.SubnetType.PUBLIC, cidr_mask=28) private_subnets = ec2.SubnetConfiguration( name="PRIVATE", subnet_type=ec2.SubnetType.PRIVATE_WITH_NAT, cidr_mask=28) # create VPC vpc1 = ec2.Vpc( self, 'AWS-Cookbook-210-VPC1', cidr='10.10.0.0/26', subnet_configuration=[isolated_subnets, attachments_subnets] ) vpc1.add_interface_endpoint( 'VPC1SSMInterfaceEndpoint', service=ec2.InterfaceVpcEndpointAwsService('ssm'), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames' private_dns_enabled=True, subnets=ec2.SubnetSelection( one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED ), ) vpc1.add_interface_endpoint( 'VPC1EC2MessagesInterfaceEndpoint', service=ec2.InterfaceVpcEndpointAwsService('ec2messages'), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames' private_dns_enabled=True, subnets=ec2.SubnetSelection( one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED ), ) vpc1.add_interface_endpoint( 'VPC1SSMMessagedInterfaceEndpoint', service=ec2.InterfaceVpcEndpointAwsService('ssmmessages'), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames' private_dns_enabled=True, subnets=ec2.SubnetSelection( one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED ), ) vpc2 = ec2.Vpc( self, 'AWS-Cookbook-210-VPC2', cidr='10.10.0.128/25', subnet_configuration=[public_subnets, private_subnets, isolated_subnets, attachments_subnets] ) vpc2.add_interface_endpoint( 'VPC2SSMInterfaceEndpoint', service=ec2.InterfaceVpcEndpointAwsService('ssm'), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames' private_dns_enabled=True, subnets=ec2.SubnetSelection( one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED ), ) vpc2.add_interface_endpoint( 'VPC2EC2MessagesInterfaceEndpoint', service=ec2.InterfaceVpcEndpointAwsService('ec2messages'), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames' private_dns_enabled=True, subnets=ec2.SubnetSelection( one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED ), ) vpc2.add_interface_endpoint( 'VPC2SSMMessagedInterfaceEndpoint', service=ec2.InterfaceVpcEndpointAwsService('ssmmessages'), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames' private_dns_enabled=True, subnets=ec2.SubnetSelection( one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED ), ) vpc3 = ec2.Vpc( self, 'AWS-Cookbook-210-VPC3', cidr='10.10.0.64/26', subnet_configuration=[isolated_subnets, attachments_subnets] ) vpc3.add_interface_endpoint( 'VPC3SSMInterfaceEndpoint', service=ec2.InterfaceVpcEndpointAwsService('ssm'), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames' private_dns_enabled=True, subnets=ec2.SubnetSelection( one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED ), ) vpc3.add_interface_endpoint( 'VPC3EC2MessagesInterfaceEndpoint', service=ec2.InterfaceVpcEndpointAwsService('ec2messages'), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames' private_dns_enabled=True, subnets=ec2.SubnetSelection( one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED ), ) vpc3.add_interface_endpoint( 'VPC3SSMMessagedInterfaceEndpoint', service=ec2.InterfaceVpcEndpointAwsService('ssmmessages'), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames' private_dns_enabled=True, subnets=ec2.SubnetSelection( one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED ), ) ami = ec2.MachineImage.latest_amazon_linux( generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2, edition=ec2.AmazonLinuxEdition.STANDARD, virtualization=ec2.AmazonLinuxVirt.HVM, storage=ec2.AmazonLinuxStorage.GENERAL_PURPOSE ) iam_role = iam.Role(self, "InstanceSSM", assumed_by=iam.ServicePrincipal("ec2.amazonaws.com")) iam_role.add_managed_policy(iam.ManagedPolicy.from_aws_managed_policy_name("service-role/AmazonEC2RoleforSSM")) security_group_instance1 = ec2.SecurityGroup( self, "Instance1SG", vpc=vpc1, allow_all_outbound=True ) security_group_instance1.add_ingress_rule( ec2.Peer.any_ipv4(), ec2.Port.all_icmp() ) instance1 = ec2.Instance( self, "Instance1", instance_type=ec2.InstanceType("t3.nano"), machine_image=ami, role=iam_role, vpc=vpc1, security_group=security_group_instance1 ) security_group_instance2 = ec2.SecurityGroup( self, "Instance2SG", vpc=vpc2, allow_all_outbound=True ) security_group_instance2.add_ingress_rule( ec2.Peer.any_ipv4(), ec2.Port.all_icmp() ) instance2 = ec2.Instance( self, "Instance2", instance_type=ec2.InstanceType("t3.nano"), machine_image=ami, role=iam_role, vpc=vpc2, security_group=security_group_instance2 ) security_group_instance3 = ec2.SecurityGroup( self, "Instance3SG", vpc=vpc3, allow_all_outbound=True ) security_group_instance3.add_ingress_rule( ec2.Peer.any_ipv4(), ec2.Port.all_icmp() ) instance3 = ec2.Instance( self, "Instance3", instance_type=ec2.InstanceType("t3.nano"), machine_image=ami, role=iam_role, vpc=vpc3, security_group=security_group_instance3 ) # outputs CfnOutput( self, 'VpcId1', value=vpc1.vpc_id ) CfnOutput( self, 'VpcId2', value=vpc2.vpc_id ) CfnOutput( self, 'VpcId3', value=vpc3.vpc_id ) CfnOutput( self, 'InstanceId1', value=instance1.instance_id ) CfnOutput( self, 'InstanceId2', value=instance2.instance_id ) CfnOutput( self, 'InstanceId3', value=instance3.instance_id ) vpc1_attachment_subnets = vpc1.select_subnets(subnet_group_name="ATTACHMENTS") CfnOutput( self, 'AttachmentSubnetsVpc1', value=', '.join(map(str, vpc1_attachment_subnets.subnet_ids)) ) vpc2_attachment_subnets = vpc2.select_subnets(subnet_group_name="ATTACHMENTS") CfnOutput( self, 'AttachmentSubnetsVpc2', value=', '.join(map(str, vpc2_attachment_subnets.subnet_ids)) ) vpc3_attachment_subnets = vpc3.select_subnets(subnet_group_name="ATTACHMENTS") CfnOutput( self, 'AttachmentSubnetsVpc3', value=', '.join(map(str, vpc3_attachment_subnets.subnet_ids)) ) vpc1_isolated_subnets_list = vpc1.select_subnets(subnet_type=ec2.SubnetType.PRIVATE_ISOLATED) CfnOutput( self, 'Vpc1RtId1', value=vpc1_isolated_subnets_list.subnets[0].route_table.route_table_id ) CfnOutput( self, 'Vpc1RtId2', value=vpc1_isolated_subnets_list.subnets[1].route_table.route_table_id ) vpc2_public_subnets_list = vpc2.select_subnets(subnet_type=ec2.SubnetType.PUBLIC) CfnOutput( self, 'Vpc2PublicSubnetId1', value=vpc2_public_subnets_list.subnets[0].subnet_id ) CfnOutput( self, 'Vpc2PublicSubnetId2', value=vpc2_public_subnets_list.subnets[1].subnet_id ) CfnOutput( self, 'Vpc2PublicRtId1', value=vpc2_public_subnets_list.subnets[0].route_table.route_table_id ) CfnOutput( self, 'Vpc2PublicRtId2', value=vpc2_public_subnets_list.subnets[1].route_table.route_table_id ) vpc2_isolated_subnets_list = vpc2.select_subnets(subnet_type=ec2.SubnetType.PRIVATE_WITH_NAT) CfnOutput( self, 'Vpc2RtId1', value=vpc2_isolated_subnets_list.subnets[0].route_table.route_table_id ) CfnOutput( self, 'Vpc2RtId2', value=vpc2_isolated_subnets_list.subnets[1].route_table.route_table_id ) vpc3_isolated_subnets_list = vpc3.select_subnets(subnet_type=ec2.SubnetType.PRIVATE_ISOLATED) CfnOutput( self, 'Vpc3RtId1', value=vpc3_isolated_subnets_list.subnets[0].route_table.route_table_id ) CfnOutput( self, 'Vpc3RtId2', value=vpc3_isolated_subnets_list.subnets[1].route_table.route_table_id ) vpc2_attachment_subnets_list = vpc2.select_subnets(subnet_group_name="ATTACHMENTS") CfnOutput( self, 'Vpc2AttachRtId1', value=vpc2_attachment_subnets_list.subnets[0].route_table.route_table_id ) CfnOutput( self, 'Vpc2AttachRtId2', value=vpc2_attachment_subnets_list.subnets[1].route_table.route_table_id )
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: super().__init__(scope, id, **kwargs) self.current_dir = os.path.dirname(__file__) self.quicksight_migration_source_assume_role = iam.Role( self, 'quicksight-migration-source-assume-role', description='Role for the Quicksight dashboard migration Lambdas to assume', role_name='quicksight-migration-source-assume-role', max_session_duration=core.Duration.seconds(3600), assumed_by=iam.ServicePrincipal('lambda.amazonaws.com'), inline_policies={ 'AllowAccess': iam.PolicyDocument( statements=[ iam.PolicyStatement( effect=iam.Effect.ALLOW, actions=[ "quicksight:*", ], resources=["*"] ), iam.PolicyStatement( effect=iam.Effect.ALLOW, actions=[ "ssm:GetParameter", ], resources=["arn:aws:ssm:*:*:parameter/infra/config"] ) ] ) } ) self.quicksight_migration_source_assume_role.assume_role_policy.add_statements( iam.PolicyStatement( effect=iam.Effect.ALLOW, actions=['sts:AssumeRole'], principals=[iam.AccountPrincipal("499080683179")] ) ) self.quicksight_migration_target_assume_role = iam.Role( self, 'quicksight-migration-target-assume-role', description='Role for the Quicksight dashboard migration Lambdas to assume', role_name='quicksight-migration-target-assume-role', max_session_duration=core.Duration.seconds(3600), assumed_by=iam.ServicePrincipal('lambda.amazonaws.com'), inline_policies={ 'AllowAccess': iam.PolicyDocument( statements=[ iam.PolicyStatement( effect=iam.Effect.ALLOW, actions=[ "quicksight:*", ], resources=["*"] ), iam.PolicyStatement( effect=iam.Effect.ALLOW, actions=[ "ssm:GetParameter", ], resources=["arn:aws:ssm:*:*:parameter/infra/config"] ) ] ) } ) self.quicksight_migration_target_assume_role.assume_role_policy.add_statements( iam.PolicyStatement( effect=iam.Effect.ALLOW, actions=['sts:AssumeRole'], principals=[iam.AccountPrincipal("499080683179")] ) ) self.vpc = ec2.Vpc(self, "VPC", cidr="10.0.0.0/21", max_azs=3, subnet_configuration=[ ec2.SubnetConfiguration( cidr_mask=28, name="Database", subnet_type=ec2.SubnetType.ISOLATED, ) ] ) self.vpc.add_interface_endpoint("redshift_endpoint", service=ec2.InterfaceVpcEndpointAwsService("redshift") ) self.vpc.add_interface_endpoint("rds_endpoint", service=ec2.InterfaceVpcEndpointAwsService("rds") ) self.redshift_secret = secrets.Secret(self,'redshift-admin', secret_name='redshift-admin', description="This secret has generated admin secret password for Redshift cluster", generate_secret_string=secrets.SecretStringGenerator( secret_string_template='{"username": "******"}', generate_string_key='password', password_length=32, exclude_characters='"@\\\/', exclude_punctuation=True ) ) self.redshift_cluster = redshift.Cluster(self, "datasource-redshift", master_user=redshift.Login( master_username="******", master_password=self.redshift_secret.secret_value_from_json('password') ), vpc=self.vpc, vpc_subnets=ec2.SubnetSelection( subnet_type=ec2.SubnetType.ISOLATED ) ) self.rds_secret = secrets.Secret(self,'rds-admin', secret_name='rds-admin', description="This secret has generated admin secret password for RDS cluster", generate_secret_string=secrets.SecretStringGenerator( secret_string_template='{"username": "******"}', generate_string_key='password', password_length=32, exclude_characters='"@\\\/', exclude_punctuation=True ) ) self.rds_cluster = rds.DatabaseCluster(self, "datasource-rds", engine=rds.DatabaseClusterEngine.aurora_mysql( version=rds.AuroraMysqlEngineVersion.VER_2_08_1), instance_props={ "vpc_subnets": { "subnet_type": ec2.SubnetType.ISOLATED }, "vpc": self.vpc }, credentials=rds.Credentials.from_secret(self.rds_secret) ) ssm.StringParameter(self, 'InfraConfigParam', parameter_name='/infra/config', string_value=json.dumps(self.to_dict()))
def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None: super().__init__(scope, construct_id, **kwargs) public_subnets = ec2.SubnetConfiguration( name="Public", subnet_type=ec2.SubnetType.PUBLIC, cidr_mask=24) tier2_subnets = ec2.SubnetConfiguration( name="Tier2", subnet_type=ec2.SubnetType.PRIVATE_ISOLATED, cidr_mask=24) # create VPC vpc = ec2.Vpc( self, 'AWS-Cookbook-VPC', max_azs=2, cidr='10.10.0.0/22', subnet_configuration=[public_subnets, tier2_subnets] ) tier2_subnet_list = vpc.select_subnets(subnet_group_name="Tier2") # -------- Begin EC2 Helper --------- vpc.add_interface_endpoint( 'VPCSSMInterfaceEndpoint', service=ec2.InterfaceVpcEndpointAwsService('ssm'), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames' private_dns_enabled=True, subnets=ec2.SubnetSelection( one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED ), ) vpc.add_interface_endpoint( 'VPCEC2MessagesInterfaceEndpoint', service=ec2.InterfaceVpcEndpointAwsService('ec2messages'), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames' private_dns_enabled=True, subnets=ec2.SubnetSelection( one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED ), ) vpc.add_interface_endpoint( 'VPCSSMMessagesInterfaceEndpoint', service=ec2.InterfaceVpcEndpointAwsService('ssmmessages'), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames' private_dns_enabled=True, subnets=ec2.SubnetSelection( one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED ), ) ami = ec2.MachineImage.latest_amazon_linux( generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2, edition=ec2.AmazonLinuxEdition.STANDARD, virtualization=ec2.AmazonLinuxVirt.HVM, storage=ec2.AmazonLinuxStorage.GENERAL_PURPOSE ) iam_role = iam.Role(self, "InstanceSSM", assumed_by=iam.ServicePrincipal("ec2.amazonaws.com")) iam_role.add_managed_policy(iam.ManagedPolicy.from_aws_managed_policy_name("service-role/AmazonEC2RoleforSSM")) instance1 = ec2.Instance( self, "Instance1", instance_type=ec2.InstanceType("t3.nano"), machine_image=ami, role=iam_role, vpc=vpc, vpc_subnets=ec2.SubnetSelection( subnets=[tier2_subnet_list.subnets[0]] ) ) instance2 = ec2.Instance( self, "Instance2", instance_type=ec2.InstanceType("t3.nano"), machine_image=ami, role=iam_role, vpc=vpc, vpc_subnets=ec2.SubnetSelection( subnets=[tier2_subnet_list.subnets[0]] ) ) CfnOutput( self, 'InstanceId1', value=instance1.instance_id ) CfnOutput( self, 'InstanceId2', value=instance2.instance_id ) # -------- End EC2 Helper --------- # outputs CfnOutput( self, 'VpcId', value=vpc.vpc_id ) public_subnets = vpc.select_subnets(subnet_type=ec2.SubnetType.PUBLIC) CfnOutput( self, 'VpcPublicSubnet1', value=public_subnets.subnets[0].subnet_id ) CfnOutput( self, 'PrivateRtId1', value=tier2_subnet_list.subnets[0].route_table.route_table_id ) CfnOutput( self, 'PrivateRtId2', value=tier2_subnet_list.subnets[1].route_table.route_table_id )
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: super().__init__(scope, id, **kwargs) self.current_dir = os.path.dirname(__file__) self.vpc = ec2.Vpc(self, "VPC", cidr="10.0.0.0/21", max_azs=3, subnet_configuration=[ ec2.SubnetConfiguration( cidr_mask=28, name="Database", subnet_type=ec2.SubnetType.ISOLATED, ) ]) self.vpc.add_interface_endpoint( "redshift_endpoint", service=ec2.InterfaceVpcEndpointAwsService("redshift")) self.vpc.add_interface_endpoint( "rds_endpoint", service=ec2.InterfaceVpcEndpointAwsService("rds")) self.redshift_secret = secrets.Secret( self, 'redshift-admin', secret_name='redshift-admin', description= "This secret has generated admin secret password for Redshift cluster", generate_secret_string=secrets.SecretStringGenerator( secret_string_template='{"username": "******"}', generate_string_key='password', password_length=32, exclude_characters='"@\\\/', exclude_punctuation=True)) self.redshift_cluster = redshift.Cluster( self, "datasource-redshift", master_user=redshift.Login( master_username="******", master_password=self.redshift_secret.secret_value_from_json( 'password')), vpc=self.vpc, vpc_subnets=ec2.SubnetSelection( subnet_type=ec2.SubnetType.ISOLATED)) self.rds_secret = secrets.Secret( self, 'rds-admin', secret_name='rds-admin', description= "This secret has generated admin secret password for RDS cluster", generate_secret_string=secrets.SecretStringGenerator( secret_string_template='{"username": "******"}', generate_string_key='password', password_length=32, exclude_characters='"@\\\/', exclude_punctuation=True)) self.rds_cluster = rds.DatabaseCluster( self, "datasource-rds", engine=rds.DatabaseClusterEngine.aurora_mysql( version=rds.AuroraMysqlEngineVersion.VER_2_08_1), instance_props={ "vpc_subnets": { "subnet_type": ec2.SubnetType.ISOLATED }, "vpc": self.vpc }, credentials=rds.Credentials.from_secret(self.rds_secret)) core.CfnOutput(self, "vpcId", value=self.vpc.vpc_id) core.CfnOutput(self, "redshiftUsername", value="admin") core.CfnOutput(self, "redshiftPassword", value=self.redshift_secret.secret_name) core.CfnOutput(self, "redshiftClusterId", value=self.redshift_cluster.cluster_name) core.CfnOutput(self, "redshiftHost", value=self.redshift_cluster.cluster_endpoint.hostname) core.CfnOutput(self, "redshiftDB", value="dev") core.CfnOutput(self, "rdsUsername", value="admin") core.CfnOutput(self, "rdsPassword", value=self.rds_secret.secret_name) core.CfnOutput(self, "rdsClusterId", value=self.rds_cluster.cluster_identifier) core.CfnOutput(self, "namespace", value="default") core.CfnOutput(self, "version", value="1")
def __init__(self, scope: cdk.Construct, construct_id: str, **kwargs) -> None: super().__init__(scope, construct_id, **kwargs) # Create a VPC (2 AZ, each with private + public subnets and all the required components) vpc = ec2.Vpc(self, "Target_VPC", cidr="10.0.0.0/16") # Sec Grp sg = ec2.SecurityGroup(self, 'SecurityGroup', vpc=vpc, allow_all_outbound=True, security_group_name="VpcEndpoint_sg") sg.add_ingress_rule(ec2.Peer.any_ipv4(), ec2.Port.tcp(443)) #VPC endpoit vpc_endpoint = ec2.InterfaceVpcEndpoint( self, 'ApiVpcEndpoint', vpc=vpc, private_dns_enabled=True, security_groups=[sg], service=ec2.InterfaceVpcEndpointAwsService(name="execute-api", port=443)) handler = lambda_.Function( self, "sayHi_fn", runtime=lambda_.Runtime.NODEJS_14_X, code=lambda_.Code.from_asset("resources/lambda"), handler="app.main") """ api = apigateway.RestApi(self, "sayHi_api", rest_api_name="Say Hi API", description="This service greets" ) integration = apigateway.LambdaIntegration(handler, request_templates={"application/json": '{ "statusCode": "200" }'} ) api.root.add_method("GET", integration) """ apigateway.LambdaRestApi( self, "sayHiPrivateLambdaRestAPI", endpoint_types=[apigateway.EndpointType.PRIVATE], handler=handler, policy=iam.PolicyDocument(statements=[ iam.PolicyStatement(principals=[iam.AnyPrincipal()], actions=['execute-api:Invoke'], resources=['execute-api:/*'], effect=iam.Effect.DENY, conditions={ "StringNotEquals": { "aws:SourceVpce": vpc_endpoint.vpc_endpoint_id } }), iam.PolicyStatement(principals=[iam.AnyPrincipal()], actions=['execute-api:Invoke'], resources=['execute-api:/*'], effect=iam.Effect.ALLOW) ]))
def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None: super().__init__(scope, construct_id, **kwargs) # create s3 bucket s3_Bucket = s3.Bucket(self, "AWS-Cookbook-Recipe209", removal_policy=RemovalPolicy.DESTROY) aws_s3_deployment.BucketDeployment( self, 'S3Deployment', destination_bucket=s3_Bucket, sources=[aws_s3_deployment.Source.asset("./s3_content")], retain_on_delete=False) isolated_subnets = ec2.SubnetConfiguration( name="ISOLATED", subnet_type=ec2.SubnetType.PRIVATE_ISOLATED, cidr_mask=24) # create VPC vpc = ec2.Vpc(self, 'AWS-Cookbook-VPC', cidr='10.10.0.0/23', subnet_configuration=[isolated_subnets]) vpc.add_interface_endpoint( 'VPC1SSMInterfaceEndpoint', service=ec2.InterfaceVpcEndpointAwsService( 'ssm' ), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames' private_dns_enabled=True, subnets=ec2.SubnetSelection( one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED), ) vpc.add_interface_endpoint( 'VPC1EC2MessagesInterfaceEndpoint', service=ec2.InterfaceVpcEndpointAwsService( 'ec2messages' ), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames' private_dns_enabled=True, subnets=ec2.SubnetSelection( one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED), ) vpc.add_interface_endpoint( 'VPC1SSMMessagedInterfaceEndpoint', service=ec2.InterfaceVpcEndpointAwsService( 'ssmmessages' ), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames' private_dns_enabled=True, subnets=ec2.SubnetSelection( one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED), ) ami = ec2.MachineImage.latest_amazon_linux( generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2, edition=ec2.AmazonLinuxEdition.STANDARD, virtualization=ec2.AmazonLinuxVirt.HVM, storage=ec2.AmazonLinuxStorage.GENERAL_PURPOSE) iam_role = iam.Role( self, "InstanceSSM", assumed_by=iam.ServicePrincipal("ec2.amazonaws.com")) iam_role.add_managed_policy( iam.ManagedPolicy.from_aws_managed_policy_name( "service-role/AmazonEC2RoleforSSM")) instance = ec2.Instance( self, "Instance", instance_type=ec2.InstanceType("t3.nano"), machine_image=ami, role=iam_role, vpc=vpc, ) # Grant the EC2 Instance access to the s3 bucket by adding an IAM policy to the role instance.add_to_role_policy( iam.PolicyStatement(effect=iam.Effect.ALLOW, resources=[s3_Bucket.bucket_arn + '/*'], actions=["s3:*"])) # outputs CfnOutput(self, 'VpcId', value=vpc.vpc_id) CfnOutput(self, 'InstanceId', value=instance.instance_id) isolated_subnets_list = vpc.select_subnets( subnet_type=ec2.SubnetType.PRIVATE_ISOLATED) CfnOutput( self, 'RtId1', value=isolated_subnets_list.subnets[0].route_table.route_table_id) CfnOutput( self, 'RtId2', value=isolated_subnets_list.subnets[1].route_table.route_table_id) CfnOutput(self, 'BucketName', value=s3_Bucket.bucket_name)
def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None: super().__init__(scope, construct_id, **kwargs) # create s3 bucket s3_Bucket = s3.Bucket(self, "AWS-Cookbook-Recipe-407", removal_policy=RemovalPolicy.DESTROY) aws_s3_deployment.BucketDeployment( self, 'S3Deployment', destination_bucket=s3_Bucket, sources=[aws_s3_deployment.Source.asset("./s3_content")], retain_on_delete=False) isolated_subnets = ec2.SubnetConfiguration( name="ISOLATED", subnet_type=ec2.SubnetType.PRIVATE_ISOLATED, cidr_mask=24) # create VPC vpc = ec2.Vpc(self, 'AWS-Cookbook-VPC', cidr='10.10.0.0/23', subnet_configuration=[isolated_subnets]) vpc.add_interface_endpoint( 'VPCSSMInterfaceEndpoint', service=ec2.InterfaceVpcEndpointAwsService( 'ssm' ), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames' private_dns_enabled=True, subnets=ec2.SubnetSelection( one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED), ) vpc.add_interface_endpoint( 'VPCEC2MessagesInterfaceEndpoint', service=ec2.InterfaceVpcEndpointAwsService( 'ec2messages' ), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames' private_dns_enabled=True, subnets=ec2.SubnetSelection( one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED), ) vpc.add_interface_endpoint( 'VPCSSMMessagedInterfaceEndpoint', service=ec2.InterfaceVpcEndpointAwsService( 'ssmmessages' ), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames' private_dns_enabled=True, subnets=ec2.SubnetSelection( one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED), ) vpc.add_interface_endpoint( 'VPCSecretsManagerInterfaceEndpoint', service=ec2.InterfaceVpcEndpointAwsService( 'secretsmanager' ), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames' private_dns_enabled=True, subnets=ec2.SubnetSelection( one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED), ) vpc.add_gateway_endpoint( 's3GateWayEndPoint', service=ec2.GatewayVpcEndpointAwsService('s3'), subnets=[ ec2.SubnetSelection( subnet_type=ec2.SubnetType.PRIVATE_ISOLATED) ], ) ami = ec2.MachineImage.latest_amazon_linux( generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2, edition=ec2.AmazonLinuxEdition.STANDARD, virtualization=ec2.AmazonLinuxVirt.HVM, storage=ec2.AmazonLinuxStorage.GENERAL_PURPOSE) iam_role = iam.Role( self, "InstanceSSM", assumed_by=iam.ServicePrincipal("ec2.amazonaws.com")) iam_role.add_managed_policy( iam.ManagedPolicy.from_aws_managed_policy_name( "service-role/AmazonEC2RoleforSSM")) instance = ec2.Instance( self, "Instance", instance_type=ec2.InstanceType("t3.nano"), machine_image=ami, role=iam_role, vpc=vpc, ) subnet_group = rds.SubnetGroup( self, 'rds_subnet_group', description='VPC Subnet Group for RDS', vpc=vpc, vpc_subnets=ec2.SubnetSelection( one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED)) source_rds_security_group = ec2.SecurityGroup( self, 'source_rds_security_group', description='Security Group for the Source RDS Instance', allow_all_outbound=True, vpc=vpc) source_db_name = 'AWSCookbookRecipe407Source' source_rds_instance = rds.DatabaseInstance( self, 'source_rds_instance', engine=rds.DatabaseInstanceEngine.mysql( version=rds.MysqlEngineVersion.VER_5_7_33), instance_type=ec2.InstanceType("m5.large"), vpc=vpc, multi_az=False, database_name=source_db_name, instance_identifier='awscookbook407SourceDb', delete_automated_backups=True, deletion_protection=False, # iam_authentication= removal_policy=RemovalPolicy.DESTROY, allocated_storage=8, subnet_group=subnet_group, security_groups=[source_rds_security_group]) source_rds_instance.connections.allow_from(instance.connections, ec2.Port.tcp(3306), "Ingress") target_rds_security_group = ec2.SecurityGroup( self, 'target_rds_security_group', description='Security Group for the Target RDS Instance', allow_all_outbound=True, vpc=vpc) target_db_name = 'AWSCookbookRecipe407Target' target_rds_instance = rds.DatabaseInstance( self, 'target_rds_instance', engine=rds.DatabaseInstanceEngine.mysql( version=rds.MysqlEngineVersion.VER_5_7_26), instance_type=ec2.InstanceType("m5.large"), vpc=vpc, multi_az=False, database_name=target_db_name, instance_identifier='awscookbook407TargetDb', delete_automated_backups=True, deletion_protection=False, # iam_authentication= removal_policy=RemovalPolicy.DESTROY, allocated_storage=8, subnet_group=subnet_group, security_groups=[target_rds_security_group]) target_rds_instance.connections.allow_from(instance.connections, ec2.Port.tcp(3306), "Ingress") # mkdir -p lambda-layers/sqlparse/python # cd layers/sqlparse/python # pip install sqlparse --target="." # cd ../../../ # create Lambda Layer sqlparse = aws_lambda.LayerVersion( self, "sqlparse", code=aws_lambda.AssetCode('lambda-layers/sqlparse'), compatible_runtimes=[aws_lambda.Runtime.PYTHON_3_8], description="sqlparse", license= "https://github.com/andialbrecht/sqlparse/blob/master/LICENSE") pymysql = aws_lambda.LayerVersion( self, "pymysql", code=aws_lambda.AssetCode('lambda-layers/pymysql'), compatible_runtimes=[aws_lambda.Runtime.PYTHON_3_8], description="pymysql", license="MIT") smartopen = aws_lambda.LayerVersion( self, "smartopen", code=aws_lambda.AssetCode('lambda-layers/smart_open'), compatible_runtimes=[aws_lambda.Runtime.PYTHON_3_8], description="smartopen", license="MIT") lambda_function = aws_lambda.Function( self, 'LambdaRDS', code=aws_lambda.AssetCode("./mysql-lambda/"), handler="lambda_function.lambda_handler", environment={ "DB_SECRET_ARN": source_rds_instance.secret.secret_arn, "S3_BUCKET": s3_Bucket.bucket_name }, layers=[sqlparse, pymysql, smartopen], memory_size=1024, runtime=aws_lambda.Runtime.PYTHON_3_8, timeout=Duration.seconds(600), vpc=vpc, vpc_subnets=ec2.SubnetSelection( subnet_type=ec2.SubnetType.PRIVATE_ISOLATED)) source_rds_instance.secret.grant_read(lambda_function) source_rds_instance.connections.allow_from(lambda_function.connections, ec2.Port.tcp(3306), "Ingress") s3_Bucket.grant_read(lambda_function) # outputs CfnOutput(self, 'VpcId', value=vpc.vpc_id) CfnOutput(self, 'InstanceId', value=instance.instance_id) CfnOutput(self, 'SourceRdsDatabaseId', value=source_rds_instance.instance_identifier) CfnOutput(self, 'SourceRdsSecurityGroup', value=source_rds_security_group.security_group_id) CfnOutput(self, 'SourceDbName', value=source_db_name) CfnOutput(self, 'SourceRdsSecretArn', value=source_rds_instance.secret.secret_full_arn) CfnOutput(self, 'SourceRdsEndpoint', value=source_rds_instance.db_instance_endpoint_address) CfnOutput(self, 'TargetRdsDatabaseId', value=target_rds_instance.instance_identifier) CfnOutput(self, 'TargetRdsSecurityGroup', value=target_rds_security_group.security_group_id) CfnOutput(self, 'TargetDbName', value=target_db_name) CfnOutput(self, 'TargetRdsSecretArn', value=target_rds_instance.secret.secret_full_arn) CfnOutput(self, 'TargetRdsEndpoint', value=target_rds_instance.db_instance_endpoint_address) isolated_subnets = vpc.select_subnets( subnet_type=ec2.SubnetType.PRIVATE_ISOLATED) CfnOutput(self, 'IsolatedSubnets', value=', '.join(map(str, isolated_subnets.subnet_ids))) CfnOutput(self, 'LambdaArn', value=lambda_function.function_arn) CfnOutput(self, 'RdsSourceSecretName', value=source_rds_instance.secret.secret_name) CfnOutput(self, 'RdsTargetSecretName', value=target_rds_instance.secret.secret_name)