def alb_listener_443(self): """ ALB port 443 """ app_target_group = elbv2.CfnTargetGroup( self, "AppTG", name='pelican-tg', health_check_path="/health-check.do", health_check_protocol='HTTP', port=9000, protocol="HTTP", target_type="instance", vpc_id='vpc-44a44b44', targets=[{'id': self.instance_id, 'port': 9000}] ) self.listener_443 = elbv2.CfnListener( scope=self, id='Listener443', default_actions=[ elbv2.CfnListener.ActionProperty( target_group_arn=app_target_group.ref, type="forward" ) ], certificates=[elbv2.CfnListener.CertificateProperty(certificate_arn=self.sel_cert_arn)], load_balancer_arn=self.lb.ref, port=443, protocol="HTTPS" )
def add_listener_80(self): elbv2.CfnListener( scope=self, id='Listener80', default_actions=[ elbv2.CfnListener.ActionProperty( type='redirect', redirect_config=elbv2.CfnListener.RedirectConfigProperty( status_code='HTTP_301', host='#{host}', path='/#{path}', query='#{query}', port='443', protocol='HTTPS' ) ) ], load_balancer_arn=self.lb.ref, port=80, protocol="HTTP" )
def __init__(self, scope: core.Construct, id: str, data, iam_vars) -> None: super().__init__(scope, id) # VPC vpc = ec2.CfnVPC(self, "cdk-vpc", cidr_block=data["vpc"]) igw = ec2.CfnInternetGateway(self, id="igw") ec2.CfnVPCGatewayAttachment(self, id="igw-attach", vpc_id=vpc.ref, internet_gateway_id=igw.ref) public_route_table = ec2.CfnRouteTable(self, id="public_route_table", vpc_id=vpc.ref) ec2.CfnRoute(self, id="public_route", route_table_id=public_route_table.ref, destination_cidr_block="0.0.0.0/0", gateway_id=igw.ref) public_subnets = [] for i, s in enumerate(data["subnets"]["public"]): subnet = ec2.CfnSubnet(self, id="public_{}".format(s), cidr_block=s, vpc_id=vpc.ref, availability_zone=core.Fn.select( i, core.Fn.get_azs()), map_public_ip_on_launch=True) public_subnets.append(subnet) ec2.CfnSubnetRouteTableAssociation( self, id="public_{}_association".format(s), route_table_id=public_route_table.ref, subnet_id=subnet.ref) eip = ec2.CfnEIP(self, id="natip") nat = ec2.CfnNatGateway(self, id="nat", allocation_id=eip.attr_allocation_id, subnet_id=public_subnets[0].ref) private_route_table = ec2.CfnRouteTable(self, id="private_route_table", vpc_id=vpc.ref) ec2.CfnRoute(self, id="private_route", route_table_id=private_route_table.ref, destination_cidr_block="0.0.0.0/0", nat_gateway_id=nat.ref) private_subnets = [] for i, s in enumerate(data["subnets"]["private"]): subnet = ec2.CfnSubnet(self, id="private_{}".format(s), cidr_block=s, vpc_id=vpc.ref, availability_zone=core.Fn.select( i, core.Fn.get_azs()), map_public_ip_on_launch=False) private_subnets.append(subnet) ec2.CfnSubnetRouteTableAssociation( self, id="private_{}_association".format(s), route_table_id=private_route_table.ref, subnet_id=subnet.ref) # Security groups lb_sg = ec2.CfnSecurityGroup(self, id="lb", group_description="LB SG", vpc_id=vpc.ref) lambda_sg = ec2.CfnSecurityGroup(self, id="lambda", group_description="Lambda SG", vpc_id=vpc.ref) public_prefix = ec2.CfnPrefixList(self, id="cidr_prefix", address_family="IPv4", max_entries=1, prefix_list_name="public", entries=[{ "cidr": "0.0.0.0/0", "description": "Public" }]) _sg_rules = [{ 'sg': lb_sg.attr_group_id, 'rules': [{ "direction": "ingress", "description": "HTTP from Internet", "from_port": 80, "to_port": 80, "protocol": "tcp", "cidr_blocks": public_prefix.ref }, { "direction": "egress", "description": "LB to Lambda", "from_port": 80, "to_port": 80, "protocol": "tcp", "source_security_group_id": lambda_sg.attr_group_id }] }, { "sg": lambda_sg.attr_group_id, "rules": [{ "direction": "ingress", "description": "HTTP from LB", "from_port": 80, "to_port": 80, "protocol": "tcp", "source_security_group_id": lb_sg.attr_group_id }, { "direction": "egress", "description": "All to Internet", "from_port": 0, "to_port": 65535, "protocol": "tcp", "cidr_blocks": public_prefix.ref }] }] for ruleset in _sg_rules: for rule in ruleset["rules"]: if rule["direction"] == "ingress": ec2.CfnSecurityGroupIngress( self, id=rule["description"].replace(" ", "_"), description=rule["description"], to_port=rule["to_port"], from_port=rule["from_port"], ip_protocol=rule["protocol"], group_id=ruleset["sg"], source_prefix_list_id=rule["cidr_blocks"] if "cidr_blocks" in rule else None, source_security_group_id=rule[ "source_security_group_id"] if "source_security_group_id" in rule else None) else: ec2.CfnSecurityGroupEgress( self, id=rule["description"].replace(" ", "_"), description=rule["description"], to_port=rule["to_port"], from_port=rule["from_port"], ip_protocol=rule["protocol"], group_id=ruleset["sg"], destination_prefix_list_id=rule["cidr_blocks"] if "cidr_blocks" in rule else None, destination_security_group_id=rule[ "source_security_group_id"] if "source_security_group_id" in rule else None) # IAM assume_policy_doc = iam.PolicyDocument() for statement in iam_vars["assume"]["Statement"]: _statement = iam.PolicyStatement(actions=[statement["Action"]], ) _statement.add_service_principal(statement["Principal"]["Service"]) assume_policy_doc.add_statements(_statement) role = iam.CfnRole(self, id="iam_role", path="/", assume_role_policy_document=assume_policy_doc) role_policy_doc = iam.PolicyDocument() for statement in iam_vars["policy"]["Statement"]: _statement = iam.PolicyStatement(actions=statement["Action"], resources=["*"]) role_policy_doc.add_statements(_statement) policy = iam.CfnPolicy(self, id="iam_policy", policy_document=role_policy_doc, policy_name="cdkPolicy", roles=[role.ref]) # Lambda shutil.make_archive("../lambda", 'zip', "../lambda/") s3_client = boto3.client('s3') s3_client.upload_file("../lambda.zip", "cloudevescops-zdays-demo", "cdk.zip") function = lmd.CfnFunction(self, id="lambda_function", handler="lambda.lambda_handler", role=role.attr_arn, runtime="python3.7", code={ "s3Bucket": "cloudevescops-zdays-demo", "s3Key": "cdk.zip" }, vpc_config={ "securityGroupIds": [lambda_sg.ref], "subnetIds": [s.ref for s in private_subnets] }, environment={"variables": { "TOOL": "CDK" }}) # LB lb = alb.CfnLoadBalancer(self, id="alb", name="lb-cdk", scheme="internet-facing", type="application", subnets=[s.ref for s in public_subnets], security_groups=[lb_sg.ref]) lmd.CfnPermission(self, id="lambda_permis", action="lambda:InvokeFunction", function_name=function.ref, principal="elasticloadbalancing.amazonaws.com") tg = alb.CfnTargetGroup(self, id="alb_tg", name="lambda-cdk", target_type="lambda", health_check_enabled=True, health_check_interval_seconds=40, health_check_path="/", health_check_timeout_seconds=30, targets=[{ "id": function.get_att("Arn").to_string() }], matcher={"httpCode": "200"}) alb.CfnListener(self, id="listener", default_actions=[{ "type": "forward", "targetGroupArn": tg.ref }], load_balancer_arn=lb.ref, port=80, protocol="HTTP") core.CfnOutput(self, id="fqdn", value=lb.attr_dns_name)
def __init__(self, scope: core.Construct, construct_id: str, **kwargs) -> None: super().__init__(scope, construct_id, **kwargs) vpc = ec2.Vpc(self, id="MyVPC", nat_gateways=0, cidr="192.168.0.0/20", max_azs=3, subnet_configuration=[]) pub_subnet = ec2.PublicSubnet(self, id="PublicSubnet", availability_zone="eu-central-1c", cidr_block="192.168.0.0/24", vpc_id=vpc.vpc_id, map_public_ip_on_launch=True) igw = ec2.CfnInternetGateway( self, id="MyIGW", tags=[core.CfnTag(key="Name", value="IGW")]) ec2.CfnVPCGatewayAttachment(self, id="IGW_Assoc", vpc_id=vpc.vpc_id, internet_gateway_id=igw.ref) pub_subnet.add_route(id="default_route-sub01", router_id=igw.ref, router_type=ec2.RouterType('GATEWAY'), destination_cidr_block="0.0.0.0/0", enables_internet_connectivity=True) # Elastic IP eip_01 = ec2.CfnEIP(self, id="EIP01") # NAT gateway ngw = ec2.CfnNatGateway(self, id="NAT_GW", allocation_id=eip_01.attr_allocation_id, subnet_id=pub_subnet.subnet_id, tags=[core.CfnTag(key="Name", value="NAT_GW")]) subnet01 = ec2.Subnet(self, id="Subnet01", availability_zone="eu-central-1a", cidr_block="192.168.1.0/24", vpc_id=vpc.vpc_id, map_public_ip_on_launch=False) subnet02 = ec2.Subnet(self, id="Subnet02", availability_zone="eu-central-1b", cidr_block="192.168.2.0/24", vpc_id=vpc.vpc_id, map_public_ip_on_launch=False) subnet01.add_route(id="default_route-sub01", router_id=ngw.ref, router_type=ec2.RouterType('NAT_GATEWAY'), destination_cidr_block="0.0.0.0/0", enables_internet_connectivity=True) subnet02.add_route(id="default_route-sub02", router_id=ngw.ref, router_type=ec2.RouterType('NAT_GATEWAY'), destination_cidr_block="0.0.0.0/0", enables_internet_connectivity=True) sg_lb = ec2.CfnSecurityGroup( self, id="SG_ALB", group_description="SG for the APP LB", group_name="SG_ALB", vpc_id=vpc.vpc_id, tags=[core.CfnTag(key="Name", value="SG_ALB")]) sg_ec2i = ec2.CfnSecurityGroup( self, id="SG_Instances", group_description="SG for the Instances", group_name="SG_Instances", vpc_id=vpc.vpc_id, tags=[core.CfnTag(key="Name", value="SG_Instances")]) # my_home_ip = requests.get("https://api.ipify.org").text my_home_ip = "94.112.113.195" ports_pub = {'tcp': [22, 80], 'icmp': [-1]} for protocol, ports_list in ports_pub.items(): for port in ports_list: ec2.CfnSecurityGroupIngress( self, id=f"sg_alb_in_{protocol}_{port}", group_id=sg_lb.attr_group_id, ip_protocol=protocol, cidr_ip=f"{my_home_ip}/32", to_port=port, from_port=port, description=f"{protocol.upper()} {port} from home IP") ec2.CfnSecurityGroupIngress( self, id=f"sg_ec2i_in_{protocol}_{port}", group_id=sg_ec2i.attr_group_id, ip_protocol=protocol, to_port=port, from_port=port, source_security_group_id=sg_lb.ref, description=f"{protocol.upper()} {port} from the ALB SG") with open( "/home/dragos/Documents/AWS_CDK/app_lb_sample/app_lb_sample/configure.sh", 'r') as config_file: ud = core.Fn.base64(config_file.read()) bastion_host = ec2.CfnInstance( self, id="bastion", image_id="ami-0de9f803fcac87f46", instance_type="t2.micro", subnet_id=pub_subnet.subnet_id, key_name="proton_mail_kp", security_group_ids=[sg_lb.ref], tags=[core.CfnTag(key="Name", value="bastion")]) instance01 = ec2.CfnInstance( self, id="WebServer01", image_id="ami-0de9f803fcac87f46", instance_type="t2.micro", subnet_id=subnet01.subnet_id, key_name="proton_mail_kp", security_group_ids=[sg_ec2i.ref], user_data=ud, tags=[core.CfnTag(key="Name", value="WebServer01")]) instance02 = ec2.CfnInstance( self, id="WebServer02", image_id="ami-0de9f803fcac87f46", instance_type="t2.micro", subnet_id=subnet02.subnet_id, key_name="proton_mail_kp", security_group_ids=[sg_ec2i.ref], user_data=ud, tags=[core.CfnTag(key="Name", value="WebServer02")]) # health_check = elbv2.HealthCheck(enabled=True, # healthy_http_codes="200", # path="/index.html", # protocol=elbv2.Protocol("HTTP")) target01 = elbv2.CfnTargetGroup.TargetDescriptionProperty( id=instance01.ref) target02 = elbv2.CfnTargetGroup.TargetDescriptionProperty( id=instance02.ref) tg = elbv2.CfnTargetGroup( self, id="TG-WEB-HTTP", name="TG-WEB-HTTP", health_check_enabled=True, health_check_path="/index.html", health_check_port="80", matcher=elbv2.CfnTargetGroup.MatcherProperty(http_code="200"), port=80, protocol="HTTP", # CASE SENSITIVE target_type="instance", # CASE SENSITIVE targets=[target01, target02], vpc_id=vpc.vpc_id) alb = elbv2.CfnLoadBalancer( self, id="MyALB-HTTP", ip_address_type="ipv4", name="MyALB-HTTP", scheme="internet-facing", security_groups=[sg_lb.ref], type="application", subnets=[subnet01.subnet_id, subnet02.subnet_id]) def_act = Listener.ActionProperty(type="forward", authenticate_cognito_config=None, authenticate_oidc_config=None, fixed_response_config=None, forward_config=None, order=50000, redirect_config=None, target_group_arn=tg.ref) listener = elbv2.CfnListener(self, id="Listener01", load_balancer_arn=alb.ref, port=80, protocol="HTTP", default_actions=[def_act])
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: super().__init__(scope, id, **kwargs) # Parameter LatestAmiId = core.CfnParameter( self, "LatestAmiId", type="AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>", default= "/aws/service/ami-amazon-linux-latest/amzn-ami-hvm-x86_64-gp2") # S3 Bucket source_bucket = "sourcebucketname%s" % (core.Aws.ACCOUNT_ID) # Resources CloudFormationLogs = logs.LogGroup( self, 'CloudFormationLogs', retention=logs.RetentionDays('ONE_WEEK')) WebInstance1 = ec2.CfnInstance( self, 'WebInstance1', additional_info=None, affinity=None, iam_instance_profile=core.Fn.import_value( "WebServerInstanceProfileOutput"), image_id=LatestAmiId.value_as_string, instance_type='t3.micro', network_interfaces=[{ "deviceIndex": "0", "groupSet": [core.Fn.import_value("WebSecurityGroupOutput")], "subnetId": core.Fn.import_value("PrivateSubnet1") }], tags=[core.CfnTag(key="Name", value="WebServer1")], user_data=core.Fn.base64("""#!/bin/bash -ex yum update -y /opt/aws/bin/cfn-init -v --stack {StackName} --resource WebInstance1 --configsets InstallAndDeploy --region {Region} # Signal the status from cfn-init (via $?) /opt/aws/bin/cfn-signal -e $? --stack {StackName} --resource WebInstance1 --region {Region} """.format(StackName=core.Aws.STACK_NAME, Region=core.Aws.REGION))) WebInstance1.cfn_options.metadata = { "AWS::CloudFormation::Authentication": { "rolebased": { "type": "S3", "buckets": [source_bucket], "roleName": core.Fn.import_value("WebServerRoleOutput") } }, "AWS::CloudFormation::Init": { "configSets": { "InstallAndDeploy": ["Install", "InstallLogs", "Deploy"] }, "Install": { "packages": { "yum": { "python36": [], "python36-devel": [], "nginx": [], "gcc": [] } }, "files": { "/etc/cfn/cfn-hup.conf": { "content": """ [main] stack={} region={} interval=1 verbose=true""".format(core.Aws.STACK_ID, core.Aws.REGION), "mode": "000400", "owner": "root", "group": "root" }, "/etc/cfn/hooks.d/cfn-auto-reloader.conf": { "content": """ [cfn-auto-reloader-hook] triggers=post.update path=Resources.WebInstance1.Metadata.AWS::CloudFormation::Init action=/opt/aws/bin/cfn-init -v --stack {} --resource WebInstance1 --configsets InstallAndDeploy --region {} runas=root""".format(core.Aws.STACK_NAME, core.Aws.REGION), "mode": "000400", "owner": "root", "group": "root" } }, "services": { "sysvinit": { "nginx": { "enabled": "true", "ensureRunning": "true" }, "cfn-hup": { "enabled": "true", "ensureRunning": "true", "files": [ "/etc/cfn/cfn-hup.conf", "/etc/cfn/hooks.d/cfn-auto-reloader.conf" ] } } }, "commands": { "01_unblock_nginx": { "command": "chkconfig nginx on" }, "02_install_xray": { "command": "curl https://s3.dualstack.us-east-2.amazonaws.com/aws-xray-assets.us-east-2/xray-daemon/aws-xray-daemon-3.x.rpm -o /tmp/xray.rpm && yum install -y /tmp/xray.rpm\n", "cwd": "/tmp", "ignoreErrors": "true" } } }, "InstallLogs": { "packages": { "yum": { "awslogs": [] } }, "files": { "/etc/awslogs/awslogs.conf": { "content": """ [general] state_file= /var/awslogs/state/agent-state [yum] file = /var/log/yum.log log_group_name = %s log_stream_name = {{hostname}} - {{instance_id}} yum.log [messages] file = /var/log/messages log_group_name = {CloudFormationLogs} log_stream_name = {{hostname}} - {{instance_id}} messages.log [cfn-hup] file = /var/log/cfn-hup.log log_group_name = {CloudFormationLogs} log_stream_name = {{hostname}} - {{instance_id}} cfn-hup.log [cfn-init] file = /var/log/cfn-init.log log_group_name = {CloudFormationLogs} log_stream_name = {{hostname}} - {{instance_id}} cfn-init.log [cfn-init-cmd] file = /var/log/cfn-init-cmd.log log_group_name = {CloudFormationLogs} log_stream_name = {{hostname}} - {{instance_id}} cfn-init-cmd.log [cloud-init] file = /var/log/cloud-init.log log_group_name = {CloudFormationLogs} log_stream_name = {{hostname}} - {{instance_id}} cloud-init.log [cloud-init-output] file = /var/log/cloud-init-output.log log_group_name = {CloudFormationLogs} log_stream_name = {{hostname}} - {{instance_id}} cloud-init.log [handler] file = /var/log/handler.log log_group_name = {CloudFormationLogs} log_stream_name = {{hostname}} - {{instance_id}} handler.log [uwsgi] file = /var/log/uwsgi.log log_group_name = {CloudFormationLogs} log_stream_name = {{hostname}} - {{instance_id}} uwsgi.log [nginx_access] file = /var/log/nginx/access.log log_group_name = {CloudFormationLogs} log_stream_name = {{hostname}} - {{instance_id}} nginx_access.log [nginx_error] file = /var/log/nginx/error.log log_group_name = {CloudFormationLogs} log_stream_name = {{hostname}} - {{instance_id}} nginx_error.log """.format(CloudFormationLogs=CloudFormationLogs. log_group_name), "group": "root", "owner": "root", "mode": "000400" }, "/etc/awslogs/awscli.conf": { "content": """ [plugins] cwlogs = cwlogs [default] region = {} """.format(core.Aws.REGION), "mode": "000444", "owner": "root", "group": "root" } }, "commands": { "01_create_state_directory": { "command": "mkdir -p /var/awslogs/state" } }, "services": { "sysvinit": { "awslogs": { "enabled": "true", "ensureRunning": "true", "files": ["/etc/awslogs/awslogs.conf"] } } } }, "Deploy": { "sources": { "/photos": "https://s3.amazonaws.com/{}/deploy-app.zip".format( source_bucket) }, "commands": { "01_pip_uwsgi": { "command": "pip-3.6 install uwsgi", "cwd": "/photos", "ignoreErrors": "false" }, "02_pip_flask_app_requirements": { "command": "pip-3.6 install -r requirements.txt", "cwd": "/photos/FlaskApp", "ignoreErrors": "false" }, "03_stop_uwsgi": { "command": "stop uwsgi", "ignoreErrors": "true" }, "04_stop_nginx": { "command": "service nginx stop" }, "05_copy_config": { "command": "mv -f nginx.conf /etc/nginx/nginx.conf && mv -f uwsgi.conf /etc/init/uwsgi.conf", "cwd": "/photos/Deploy", "ignoreErrors": "false" }, "06_create_database": { "command": "python3 database_create_tables.py", "cwd": "/photos/Deploy", "ignoreErrors": "false" }, "07_start_uwsgi": { "command": "start uwsgi" }, "08_restart_nginx": { "command": "service nginx start" } } } } } WebInstance1.cfn_options.creation_policy = core.CfnCreationPolicy( resource_signal=core.CfnResourceSignal(timeout='PT10M')) WebInstance2 = ec2.CfnInstance( self, 'WebInstance2', additional_info=None, affinity=None, iam_instance_profile=core.Fn.import_value( "WebServerInstanceProfileOutput"), image_id=LatestAmiId.value_as_string, instance_type='t3.micro', network_interfaces=[{ "deviceIndex": "0", "groupSet": [core.Fn.import_value("WebSecurityGroupOutput")], "subnetId": core.Fn.import_value("PrivateSubnet2") }], tags=[core.CfnTag(key="Name", value="WebServer2")], user_data=core.Fn.base64("""#!/bin/bash -ex yum update -y /opt/aws/bin/cfn-init -v --stack {StackName} --resource WebInstance2 --configsets InstallAndDeploy --region {Region} # Signal the status from cfn-init (via $?) /opt/aws/bin/cfn-signal -e $? --stack {StackName} --resource WebInstance2 --region {Region} """.format(StackName=core.Aws.STACK_NAME, Region=core.Aws.REGION))) WebInstance2.cfn_options.metadata = { "AWS::CloudFormation::Authentication": { "rolebased": { "type": "S3", "buckets": [source_bucket], "roleName": core.Fn.import_value("WebServerRoleOutput") } }, "AWS::CloudFormation::Init": { "configSets": { "InstallAndDeploy": ["Install", "InstallLogs", "Deploy"] }, "Install": { "packages": { "yum": { "python36": [], "python36-devel": [], "nginx": [], "gcc": [] } }, "files": { "/etc/cfn/cfn-hup.conf": { "content": """ [main] stack={} region={} interval=1 verbose=true""".format(core.Aws.STACK_ID, core.Aws.REGION), "mode": "000400", "owner": "root", "group": "root" }, "/etc/cfn/hooks.d/cfn-auto-reloader.conf": { "content": """ [cfn-auto-reloader-hook] triggers=post.update path=Resources.WebInstance1.Metadata.AWS::CloudFormation::Init action=/opt/aws/bin/cfn-init -v --stack {} --resource WebInstance2 --configsets InstallAndDeploy --region {} runas=root""".format(core.Aws.STACK_NAME, core.Aws.REGION), "mode": "000400", "owner": "root", "group": "root" } }, "services": { "sysvinit": { "nginx": { "enabled": "true", "ensureRunning": "true" }, "cfn-hup": { "enabled": "true", "ensureRunning": "true", "files": [ "/etc/cfn/cfn-hup.conf", "/etc/cfn/hooks.d/cfn-auto-reloader.conf" ] } } }, "commands": { "01_unblock_nginx": { "command": "chkconfig nginx on" }, "02_install_xray": { "command": "curl https://s3.dualstack.us-east-2.amazonaws.com/aws-xray-assets.us-east-2/xray-daemon/aws-xray-daemon-3.x.rpm -o /tmp/xray.rpm && yum install -y /tmp/xray.rpm\n", "cwd": "/tmp", "ignoreErrors": "true" } } }, "InstallLogs": { "packages": { "yum": { "awslogs": [] } }, "files": { "/etc/awslogs/awslogs.conf": { "content": """ [general] state_file= /var/awslogs/state/agent-state [yum] file = /var/log/yum.log log_group_name = %s log_stream_name = {{hostname}} - {{instance_id}} yum.log [messages] file = /var/log/messages log_group_name = {CloudFormationLogs} log_stream_name = {{hostname}} - {{instance_id}} messages.log [cfn-hup] file = /var/log/cfn-hup.log log_group_name = {CloudFormationLogs} log_stream_name = {{hostname}} - {{instance_id}} cfn-hup.log [cfn-init] file = /var/log/cfn-init.log log_group_name = {CloudFormationLogs} log_stream_name = {{hostname}} - {{instance_id}} cfn-init.log [cfn-init-cmd] file = /var/log/cfn-init-cmd.log log_group_name = {CloudFormationLogs} log_stream_name = {{hostname}} - {{instance_id}} cfn-init-cmd.log [cloud-init] file = /var/log/cloud-init.log log_group_name = {CloudFormationLogs} log_stream_name = {{hostname}} - {{instance_id}} cloud-init.log [cloud-init-output] file = /var/log/cloud-init-output.log log_group_name = {CloudFormationLogs} log_stream_name = {{hostname}} - {{instance_id}} cloud-init.log [handler] file = /var/log/handler.log log_group_name = {CloudFormationLogs} log_stream_name = {{hostname}} - {{instance_id}} handler.log [uwsgi] file = /var/log/uwsgi.log log_group_name = {CloudFormationLogs} log_stream_name = {{hostname}} - {{instance_id}} uwsgi.log [nginx_access] file = /var/log/nginx/access.log log_group_name = {CloudFormationLogs} log_stream_name = {{hostname}} - {{instance_id}} nginx_access.log [nginx_error] file = /var/log/nginx/error.log log_group_name = {CloudFormationLogs} log_stream_name = {{hostname}} - {{instance_id}} nginx_error.log """.format(CloudFormationLogs=CloudFormationLogs. log_group_name), "group": "root", "owner": "root", "mode": "000400" }, "/etc/awslogs/awscli.conf": { "content": """ [plugins] cwlogs = cwlogs [default] region = {} """.format(core.Aws.REGION), "mode": "000444", "owner": "root", "group": "root" } }, "commands": { "01_create_state_directory": { "command": "mkdir -p /var/awslogs/state" } }, "services": { "sysvinit": { "awslogs": { "enabled": "true", "ensureRunning": "true", "files": ["/etc/awslogs/awslogs.conf"] } } } }, "Deploy": { "sources": { "/photos": "https://s3.amazonaws.com/{}/deploy-app.zip".format( source_bucket) }, "commands": { "01_pip_uwsgi": { "command": "pip-3.6 install uwsgi", "cwd": "/photos", "ignoreErrors": "false" }, "02_pip_flask_app_requirements": { "command": "pip-3.6 install -r requirements.txt", "cwd": "/photos/FlaskApp", "ignoreErrors": "false" }, "03_stop_uwsgi": { "command": "stop uwsgi", "ignoreErrors": "true" }, "04_stop_nginx": { "command": "service nginx stop" }, "05_copy_config": { "command": "mv -f nginx.conf /etc/nginx/nginx.conf && mv -f uwsgi.conf /etc/init/uwsgi.conf", "cwd": "/photos/Deploy", "ignoreErrors": "false" }, "06_create_database": { "command": "python3 database_create_tables.py", "cwd": "/photos/Deploy", "ignoreErrors": "false" }, "07_start_uwsgi": { "command": "start uwsgi" }, "08_restart_nginx": { "command": "service nginx start" } } } } } WebInstance2.cfn_options.creation_policy = core.CfnCreationPolicy( resource_signal=core.CfnResourceSignal(timeout='PT10M')) DefaultTargetGroup = elasticloadbalancingv2.CfnTargetGroup( self, 'DefaultTargetGroup', health_check_interval_seconds=15, health_check_path="/", health_check_protocol="HTTP", health_check_timeout_seconds=10, healthy_threshold_count=2, unhealthy_threshold_count=2, matcher={'httpCode': '200-299'}, port=80, protocol="HTTP", vpc_id=core.Fn.import_value("VPC"), target_group_attributes=[{ "key": "deregistration_delay.timeout_seconds", "value": "30" }], targets=[{ "id": WebInstance1.ref, "port": 80 }, { "id": WebInstance2.ref, "port": 80 }]) HttpListener = elasticloadbalancingv2.CfnListener( self, 'HttpListener', default_actions=[{ "type": "forward", "targetGroupArn": DefaultTargetGroup.ref }], load_balancer_arn=core.Fn.import_value("LoadBalancerArn"), port=80, protocol="HTTP")
def __init__(self, scope: core.Construct, id: str, application_port, ingress_security_group_ids, ssl_certificate_arn, ssl_policy, subnet_ids, vpc_id): super().__init__(scope, id) # Use low level constructs to build security groups as it allows us to name the # ingress rules properly. It's also easier to map the low level construct params # to their cfn equivalent app_sg = ec2.CfnSecurityGroup( self, id='SharedApplicationSecurityGroup', group_description='Shared Fargate Security Group', vpc_id=vpc_id) app_lb_sg = ec2.CfnSecurityGroup( self, id='SharedApplicationLBSecurityGroup', group_description='Shared ALB Security Group', vpc_id=vpc_id, security_group_egress=[{ 'ipProtocol': 'tcp', 'fromPort': application_port, 'toPort': application_port, 'destinationSecurityGroupId': app_sg.ref }]) app_sg_ingress = ec2.CfnSecurityGroupIngress( self, id='SharedApplicationSecurityGroupIngress', group_id=app_sg.ref, source_security_group_id=app_lb_sg.ref, ip_protocol='tcp', from_port=application_port, to_port=application_port) for index, sg in enumerate(ingress_security_group_ids): ec2.CfnSecurityGroupIngress( self, id=f"SharedApplicationLBSecurityGroupIngress{index}", group_id=app_lb_sg.ref, source_security_group_id=sg, ip_protocol='tcp', from_port=443, to_port=443) lb = elbv2.CfnLoadBalancer(self, id='SharedLoadBalancer', scheme='internal', security_groups=[app_lb_sg.ref], subnets=subnet_ids) listener = elbv2.CfnListener( self, id='SharedListener', certificates=[{ 'certificateArn': ssl_certificate_arn }], default_actions=[{ 'type': 'fixed-response', 'fixedResponseConfig': { 'contentType': 'text/plain', 'messageBody': 'You have reached the the Load Balancer, but not matched any of the listener rules', 'statusCode': '200' } }], load_balancer_arn=lb.ref, port=443, protocol='HTTPS', ssl_policy=ssl_policy) core.CfnOutput( self, id=SHARED_LB_DNS_NAME, description='Shared Load Balancer DNS Name', export_name=f"{core.Aws.STACK_NAME}:{SHARED_LB_DNS_NAME}", value=lb.attr_dns_name) core.CfnOutput( self, id=SHARED_LB_HOSTED_ZONE_ID, description='Shared Load Balancer Canonical Hosted Zone ID', export_name=f"{core.Aws.STACK_NAME}:{SHARED_LB_HOSTED_ZONE_ID}", value=lb.attr_canonical_hosted_zone_id) core.CfnOutput( self, id=SHARED_LB_LISTENER, description='Shared Load Balancer Listener', export_name=f"{core.Aws.STACK_NAME}:{SHARED_LB_LISTENER}", value=listener.ref) core.CfnOutput( self, id=SHARED_SERVICE_SECURITY_GROUP, description='Shared Fargate Security Group', export_name= f"{core.Aws.STACK_NAME}:{SHARED_SERVICE_SECURITY_GROUP}", value=app_sg.ref)