def __init__(self, scope: Construct, construct_id: str, env: Environment) -> None:
    """Assemble the "smol" API stack.

    Creates a DynamoDB table wrapper, looks up the core VPC, builds a
    container-image Lambda in that VPC's private subnets, grants the Lambda
    the three DynamoDB actions it needs, and attaches it to an API target.

    Args:
        scope: Parent construct.
        construct_id: Logical id of this stack within ``scope``.
        env: Deployment environment (account/region) forwarded to the base class.

    Raises:
        KeyError: at synth time if ``CAPTCHA_KEY`` or ``SAFE_BROWSING_KEY`` is
            missing from the process environment (``environ[...]`` below).
    """
    super().__init__(scope, construct_id, env=env)
    smol_table = SmolTable(self, "SmolTable", table_name=TABLE_NAME)
    # Existing VPC resolved by name via context lookup; not created here.
    smol_vpc = Vpc.from_lookup(self, "CoreVPC", vpc_name=VPC_NAME)
    # One private subnet per AZ: the function gets no public placement.
    smol_subnets = SubnetSelection(
        one_per_az=True,
        subnet_type=SubnetType.PRIVATE,
    )
    smol_lambda = Function(
        self,
        "SmolAPI",
        # Image is built from the current working directory at synth time —
        # presumably the repository root; depends on where `cdk` is invoked.
        code=Code.from_asset_image(directory=abspath("./")),
        # NOTE(review): these values are copied from the deployer's process
        # environment into plaintext Lambda environment variables, so they end
        # up in the synthesized template and the function configuration.
        # Reading them from a secret store at runtime would keep them out of
        # both — confirm whether that matters for these keys.
        environment={
            "CAPTCHA_KEY": environ["CAPTCHA_KEY"],
            "SAFE_BROWSING_KEY": environ["SAFE_BROWSING_KEY"],
        },
        function_name=FUNCTION_NAME,
        handler=Handler.FROM_IMAGE,
        log_retention=RetentionDays.ONE_WEEK,
        memory_size=MEMORY_ALLOCATION,
        # Reserved concurrency also acts as an upper bound on parallel invocations.
        reserved_concurrent_executions=RESERVED_CONCURRENCY,
        runtime=Runtime.FROM_IMAGE,
        timeout=Duration.seconds(TIMEOUT_SEC),
        tracing=Tracing.ACTIVE,
        vpc=smol_vpc,
        vpc_subnets=smol_subnets,
    )
    # Least-privilege grants: only the three table actions the API uses,
    # rather than grant_read_write_data().
    smol_table.table.grant(smol_lambda, "dynamodb:DescribeTable")
    smol_table.table.grant(smol_lambda, "dynamodb:GetItem")
    smol_table.table.grant(smol_lambda, "dynamodb:PutItem")
    SmolTarget(self, "SmolTarget", smol_lambda, API_HOST)
def select_vpc(self, scope: BaseApp) -> Vpc:
    """Resolve the VPC to deploy into from the app's environment config.

    The optional ``vpcSelectionFilter`` mapping in
    ``scope.environment_config`` may carry ``vpcId``, ``vpcName``,
    ``isDefault`` and ``tags``; each is forwarded to ``Vpc.from_lookup``
    (absent keys are passed as ``None``). With no filter at all, the lookup
    receives only ``None`` criteria.

    Args:
        scope: Application object providing ``environment_config`` and
            ``prefixed_str`` for naming the lookup construct.

    Returns:
        The imported ``Vpc`` construct.
    """
    filters = scope.environment_config.get("vpcSelectionFilter", {})
    lookup_criteria = {
        "vpc_id": filters.get("vpcId"),
        "vpc_name": filters.get("vpcName"),
        "is_default": filters.get("isDefault"),
        "tags": filters.get("tags"),
    }
    lookup_id = scope.prefixed_str("vpc")
    return Vpc.from_lookup(self, lookup_id, **lookup_criteria)
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
    """Build the attribute-tag (ABAC) test fixture stack.

    Creates an IAM group and a ``Developer`` user carrying three access tags
    and a permissions boundary, attaches a read-only managed policy plus an
    imported attribute-based policy to the group, and launches two EC2
    instances from the same AMI — one untagged ("Blocked Instance") and one
    tagged ("Valid Instance") — presumably so the attribute-based policy can
    be exercised against both; confirm against the policy JSON. Exports the
    instance ids, a security group id and the AMI id as stack outputs.

    Args:
        scope: Parent construct.
        id: Logical id of this stack within ``scope``.
        **kwargs: Forwarded unchanged to the base stack constructor.

    Raises:
        json.JSONDecodeError: if either module-level policy string is not
            valid JSON.
    """
    super().__init__(scope, id, **kwargs)
    attribute_tagged_group = Group(self, "Flexible Tagged")
    # The same three tags are applied to the user and to the "Valid" instance.
    access_project = core.CfnTag(key="access-project", value="elysian")
    access_team = core.CfnTag(key="access-team", value="webdev")
    access_cost_center = core.CfnTag(key="cost-center", value="2600")
    flexible_boundary_policy = CfnManagedPolicy(
        self,
        "FlexiblePermissionBoundary",
        policy_document=json.loads(flexible_policy_permission_boundary),
    )
    # A permissions boundary caps what the user can do regardless of the
    # policies granted through the group.
    CfnUser(
        self,
        "Developer",
        tags=[access_project, access_team, access_cost_center],
        groups=[attribute_tagged_group.group_name],
        permissions_boundary=flexible_boundary_policy.ref,
    )
    # Add AWS managed policy for EC2 Read Only access for the console.
    attribute_tagged_group.add_managed_policy(
        ManagedPolicy.from_aws_managed_policy_name(
            managed_policy_name="AmazonEC2ReadOnlyAccess"
        )
    )
    # Import a json policy and create a CloudFormation managed policy
    # attached to the group.
    CfnManagedPolicy(
        self,
        "FlexibleAttributePolicy",
        policy_document=json.loads(full_attribute_based_policy),
        groups=[attribute_tagged_group.group_name],
    )
    vpc = Vpc.from_lookup(self, "AttributeTaggedVPC", is_default=True)
    instance_type = InstanceType("t2.micro")
    # Resolved at deploy time, so the AMI is not pinned — verify if the tests
    # need a reproducible image.
    ami = MachineImage.latest_amazon_linux()
    blocked_instance = Instance(
        self,
        "Blocked Instance",
        machine_image=ami,
        instance_type=instance_type,
        vpc=vpc,
    )
    # Re-use the AMI from the blocked instance so both instances differ only
    # by their tags.
    image_id = blocked_instance.instance.image_id
    # Can only add tags to CfnInstance as of cdk v1.31
    valid_instance = CfnInstance(
        self,
        "Valid Instance",
        image_id=image_id,
        instance_type="t2.micro",
        tags=[access_project, access_team, access_cost_center],
    )
    # Empty security group: no ingress rules are needed for these tests.
    # Egress is left at the construct default (allow_all_outbound=True).
    test_security_group = SecurityGroup(
        self, "EmptySecurityGroup", vpc=vpc)
    core.CfnOutput(
        self,
        "BlockedInstance",
        value=blocked_instance.instance_id,
        export_name="elysian-blocked-instance",
    )
    core.CfnOutput(
        self,
        "ValidInstance",
        value=valid_instance.ref,
        export_name="elysian-valid-instance",
    )
    core.CfnOutput(
        self,
        "TestSecurityGroup",
        value=test_security_group.security_group_id,
        export_name="test-elysian-sg",
    )
    core.CfnOutput(
        self, "DefaultAMI", value=image_id, export_name="default-elysian-ami"
    )
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
    """Build the username-tag test fixture stack.

    Creates an IAM group and a ``Developer`` user in it, attaches a read-only
    managed policy plus an imported username-based policy to the group, and
    launches two EC2 instances from the same AMI — one untagged ("Blocked
    Instance") and one tagged ``username=<developer user name>`` ("Valid
    Instance") — presumably so the username-based policy can be exercised
    against both; confirm against the policy JSON. Exports the instance ids,
    a security group id and the AMI id as stack outputs.

    Args:
        scope: Parent construct.
        id: Logical id of this stack within ``scope``.
        **kwargs: Forwarded unchanged to the base stack constructor.

    Raises:
        json.JSONDecodeError: if ``username_based_policy`` is not valid JSON.
    """
    super().__init__(scope, id, **kwargs)
    username_tagged = Group(self, "Username Tagged")
    # Unlike the attribute-tagged fixture, this user carries no permissions
    # boundary; its access comes only from the group's policies.
    developer = User(self, "Developer")
    developer.add_to_group(username_tagged)
    # Add AWS managed policy for EC2 Read Only access for the console.
    username_tagged.add_managed_policy(
        ManagedPolicy.from_aws_managed_policy_name(
            managed_policy_name="AmazonEC2ReadOnlyAccess"
        )
    )
    # Import a json policy and create a CloudFormation managed policy
    # attached to the group.
    CfnManagedPolicy(
        self,
        "UserTaggedPolicy",
        policy_document=json.loads(username_based_policy),
        groups=[username_tagged.group_name],
    )
    vpc = Vpc.from_lookup(self, "UsernameTaggedVPC", is_default=True)
    instance_type = InstanceType("t2.micro")
    # Resolved at deploy time, so the AMI is not pinned — verify if the tests
    # need a reproducible image.
    ami = MachineImage.latest_amazon_linux()
    blocked_instance = Instance(
        self,
        "Blocked Instance",
        machine_image=ami,
        instance_type=instance_type,
        vpc=vpc,
    )
    # Re-use the AMI from the blocked instance so both instances differ only
    # by their tags.
    image_id = blocked_instance.instance.image_id
    # Can only add tags to CfnInstance as of 1.31
    # user_name is a deploy-time token, so the tag value resolves to whatever
    # name CloudFormation assigns the user.
    dev_username_tag = core.CfnTag(
        key="username", value=developer.user_name)
    valid_instance = CfnInstance(
        self,
        "Valid Instance",
        image_id=image_id,
        instance_type="t2.micro",
        tags=[dev_username_tag],
    )
    # Empty security group: no ingress rules are needed for these tests.
    # Egress is left at the construct default (allow_all_outbound=True).
    test_security_group = SecurityGroup(
        self, "EmptySecurityGroup", vpc=vpc)
    core.CfnOutput(
        self,
        "BlockedInstance",
        value=blocked_instance.instance_id,
        export_name="username-blocked-instance",
    )
    core.CfnOutput(
        self,
        "ValidInstance",
        value=valid_instance.ref,
        export_name="username-valid-instance",
    )
    core.CfnOutput(
        self,
        "TestSecurityGroup",
        value=test_security_group.security_group_id,
        export_name="test-username-sg",
    )
    core.CfnOutput(
        self, "DefaultAMI", value=image_id, export_name="default-username-ami"
    )