class NetworkTier(Stack): """ The network tier consists of all constructs that are required for the foundational networking between the various components of the Deadline render farm. """ @builtins.property # type: ignore @jsii.member(jsii_name="availabilityZones") def availability_zones(self) -> typing.List[builtins.str]: """ This overrides the availability zones the Stack will use. The zones that we set here are what our VPC will use, so adding local zones to this return value will enable us to then deploy infrastructure to them. """ return config.availability_zones_standard + config.availability_zones_local def __init__(self, scope: Construct, stack_id: str, **kwargs) -> None: """ Initializes a new instance of NetworkTier """ super().__init__(scope, stack_id, **kwargs) # We're creating a SubnetSelection with only the standard availability zones to be used to put # the NAT gateway in and the VPC interface endpoints, because the local zones do no have # these available. standard_zone_subnets = SubnetSelection( availability_zones=config.availability_zones_standard, subnet_type=SubnetType.PUBLIC) # The VPC that all components of the render farm will be created in. We are using the `availability_zones()` # method to override the availability zones that this VPC will use. self.vpc = Vpc(self, 'Vpc', max_azs=len(self.availability_zones), subnet_configuration=[ SubnetConfiguration(name='Public', subnet_type=SubnetType.PUBLIC, cidr_mask=28), SubnetConfiguration(name='Private', subnet_type=SubnetType.PRIVATE, cidr_mask=18) ], nat_gateway_subnets=standard_zone_subnets) # Add interface endpoints for idx, service_info in enumerate(_INTERFACE_ENDPOINT_SERVICES): service_name = service_info['name'] service = service_info['service'] self.vpc.add_interface_endpoint(service_name, service=service, subnets=standard_zone_subnets) # Add gateway endpoints for idx, service_info in enumerate(_GATEWAY_ENDPOINT_SERVICES): service_name = service_info['name'] service = service_info['service'] self.vpc.add_gateway_endpoint(service_name, service=service, subnets=[standard_zone_subnets]) # Internal DNS zone for the VPC. self.dns_zone = PrivateHostedZone(self, 'DnsZone', vpc=self.vpc, zone_name='deadline-test.internal')
class NetworkTier(Stack): """ The network tier consists of all constructs that are required for the foundational networking between the various components of the Deadline render farm. """ def __init__(self, scope: Construct, stack_id: str, **kwargs) -> None: """ Initializes a new instance of NetworkTier :param scope: The scope of this construct. :param stack_id: The ID of this construct. :param kwargs: The stack properties. """ super().__init__(scope, stack_id, **kwargs) # The VPC that all components of the render farm will be created in. self.vpc = Vpc( self, 'Vpc', max_azs=2, subnet_configuration=[ SubnetConfiguration( name='Public', subnet_type=SubnetType.PUBLIC, cidr_mask=28 ), SubnetConfiguration( name='Private', subnet_type=SubnetType.PRIVATE, cidr_mask=18 # 16,382 IP addresses ) ] ) # VPC flow logs are a security best-practice as they allow us # to capture information about the traffic going in and out of # the VPC. For more information, see the README for this app. self.vpc.add_flow_log( 'NetworkTierFlowLogs', destination=FlowLogDestination.to_cloud_watch_logs(), traffic_type=FlowLogTrafficType.ALL ) # TODO - Create a NetworkAcl for your VPC that only allows # network traffic required for your render farm. This is a # security best-practice to ensure the safety of your farm. # The default network ACLs allow all traffic by default, # whereas custom network ACLs deny all traffic by default. # For more information, see the README for this app. # # Example code to create a custom network ACL: # acl = NetworkAcl( # self, # 'ACL', # vpc=self.vpc, # subnet_selection=SubnetSelection( # subnets=self.vpc.public_subnets # ) # ) # # You can optionally add rules to allow traffic (e.g. SSH): # acl.add_entry( # 'SSH', # cidr=AclCidr.ipv4( # # some-ipv4-address-cidr # ), # traffic=AclTraffic.tcp_port(22), # rule_number=1 # ) endpoint_subnets = SubnetSelection(subnet_type=SubnetType.PRIVATE) # Add interface endpoints for idx, service_info in enumerate(_INTERFACE_ENDPOINT_SERVICES): service_name = service_info['name'] service = service_info['service'] self.vpc.add_interface_endpoint( f'{service_name}{idx}', service=service, subnets=endpoint_subnets ) # Add gateway endpoints for idx, service_info in enumerate(_GATEWAY_ENDPOINT_SERVICES): service_name = service_info['name'] service = service_info['service'] self.vpc.add_gateway_endpoint( service_name, service=service, subnets=[endpoint_subnets] ) # Internal DNS zone for the VPC. self.dns_zone = PrivateHostedZone( self, 'DnsZone', vpc=self.vpc, zone_name='deadline-test.internal' )
class DataLakeFoundations(NestedStack): @property def raw_s3_bucket(self): return self.__raw_s3_bucket @property def clean_s3_bucket(self): return self.__clean_s3_bucket @property def curated_s3_bucket(self): return self.__curated_s3_bucket @property def raw_glue_db(self): return self.__raw_glue_db @property def clean_glue_db(self): return self.__clean_glue_db @property def curated_glue_db(self): return self.__curated_glue_db @property def audit_glue_db(self): return self.__audit_glue_db @property def logs_s3_bucket(self): return self.__logs_s3_bucket @property def vpc(self): return self.__vpc @property def private_subnets_selection(self): return self.__private_subnets @property def public_subnets_selection(self): return self.__public_subnets @property def admin_group(self): return self.__admin_group @property def analysts_group(self): return self.__analysts_group @property def developers_group(self): return self.__developers_group def __init__(self, scope: Construct, id: str, **kwargs) -> None: super().__init__(scope, id, **kwargs) # implement the glue data catalog databases used in the data lake catalog = DataLakeCatalog(self, 'DataLakeCatalog') self.__raw_glue_db = catalog.raw_database self.__clean_glue_db = catalog.clean_database self.__curated_glue_db = catalog.transform_database self.__audit_glue_db = Database(self, 'AuditGlueDB', database_name='ara_audit_data_' + self.account) # implement the S3 buckets for the data lake storage = DataLakeStorage(self, 'DataLakeStorage') self.__logs_s3_bucket = AutoEmptyBucket( self, 'Logs', bucket_name='ara-logs-' + self.account, uuid=AutoEmptyConfig.FOUNDATIONS_UUID ).bucket self.__raw_s3_bucket = storage.raw_bucket self.__clean_s3_bucket = storage.clean_bucket self.__curated_s3_bucket = storage.transform_bucket AuditTrailGlue(self, 'GlueAudit', log_bucket=self.__logs_s3_bucket, audit_bucket=self.__curated_s3_bucket, audit_db=self.__audit_glue_db, audit_table=self.__curated_s3_bucket.bucket_name ) # the vpc used for the overall data lake (same vpc, different subnet for modules) self.__vpc = Vpc(self, 'Vpc') self.__public_subnets = self.__vpc.select_subnets(subnet_type=SubnetType.PUBLIC) self.__private_subnets = self.__vpc.select_subnets(subnet_type=SubnetType.PRIVATE) self.__vpc.add_gateway_endpoint("S3GatewayEndpoint", service=GatewayVpcEndpointAwsService.S3, subnets=[SubnetSelection(subnet_type=SubnetType.PUBLIC), SubnetSelection(subnet_type=SubnetType.PRIVATE)]) # IAM groups self.__admin_group = Group(self, 'GroupAdmins', group_name='ara-admins') self.__analysts_group = Group(self, 'GroupAnalysts', group_name='ara-analysts') self.__developers_group = Group(self, 'GroupDevelopers', group_name='ara-developers')