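def __init__(self, scope: Construct, stack_id: str, *, props: StorageTierMongoDBProps, **kwargs):
    """
    Initialize a new instance of StorageTierMongoDB

    Issues a MongoDB server certificate and a client certificate (both signed by
    ``props.root_ca``), deploys a MongoDbInstance into one private subnet, registers
    the client certificate as an X.509-authenticated MongoDB user, and publishes the
    resulting connection as ``self.database``.

    :param scope: The scope of this construct.
    :param stack_id: The ID of this construct.
    :param props: The properties for this construct.
    :param kwargs: Any kwargs that need to be passed on to the parent class.
    """
    super().__init__(scope, stack_id, props=props, **kwargs)

    # Server identity. The CN is built from the same 'mongo' host label and DNS zone
    # that are handed to MongoDbApplicationProps below, so the certificate name and
    # the instance's DNS name come from the same inputs.
    server_cert = X509CertificatePem(
        self,
        'MongoCert',
        subject=DistinguishedName(
            cn=f'mongo.{props.dns_zone.zone_name}',
            o='RFDK-Sample',
            ou='MongoServer'),
        signing_certificate=props.root_ca)

    # Client identity. This certificate is registered further down as an X.509 user,
    # so whoever holds its private key authenticates with the roles granted there.
    client_cert = X509CertificatePem(
        self,
        'DeadlineMongoCert',
        subject=DistinguishedName(
            cn='SampleUser',
            o='RFDK-Sample',
            ou='MongoClient'),
        signing_certificate=props.root_ca)
    # PKCS#12 form of the client certificate; this is what the database connection carries.
    client_pkcs12 = X509CertificatePkcs12(
        self,
        'DeadlineMongoPkcs12',
        source_certificate=client_cert)

    # Pin the database to the first availability zone the VPC reports, in a private subnet.
    availability_zone = props.vpc.availability_zones[0]
    # This must be a plain SubnetSelection. A trailing comma after the call would turn
    # the value into a one-element tuple, which is not a valid vpc_subnets argument.
    mongo_vpc_subnet = SubnetSelection(
        subnet_type=SubnetType.PRIVATE,
        availability_zones=[availability_zone])

    mongo_db = MongoDbInstance(
        self,
        'MongoDb',
        vpc=props.vpc,
        vpc_subnets=mongo_vpc_subnet,
        # NOTE(review): presumably the EC2 key pair used for SSH to the instance;
        # confirm who holds the private key.
        key_name=props.key_pair_name,
        instance_type=props.database_instance_type,
        mongo_db=MongoDbApplicationProps(
            user_sspl_acceptance=props.accept_sspl_license,
            # NOTE(review): MongoDB 3.6 is a long-superseded release line; confirm its
            # upstream support status and whether a newer MongoDbVersion is available
            # before using this outside a sample.
            version=MongoDbVersion.COMMUNITY_3_6,
            hostname='mongo',
            dns_zone=props.dns_zone,
            server_certificate=server_cert))

    # Roles granted to the client-certificate user, serialized as JSON.
    # NOTE(review): both roles are scoped to the 'admin' database and are broad
    # (read/write on any database plus cluster monitoring); confirm this is the
    # minimum the consuming application needs.
    client_roles = json.dumps([
        {'role': 'readWriteAnyDatabase', 'db': 'admin'},
        {'role': 'clusterMonitor', 'db': 'admin'},
    ])
    _mongo_db_post_install_setup = MongoDbPostInstallSetup(
        self,
        'MongoDbPostInstall',
        vpc=props.vpc,
        vpc_subnets=mongo_vpc_subnet,
        mongo_db=mongo_db,
        users=MongoDbUsers(x509_auth_users=[
            MongoDbX509User(certificate=client_cert, roles=client_roles)
        ]))

    self.database = DatabaseConnection.for_mongo_db_instance(
        database=mongo_db,
        client_certificate=client_pkcs12)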
def __init__(self, scope: Construct, stack_id: str, *, props: SEPStackProps, **kwargs):
    """
    Initialize a new instance of SEPStack

    Builds, in order: a VPC, the Docker recipes, a Repository, a private DNS zone,
    a root certificate and a render-queue certificate signed by it, a RenderQueue
    with TLS configured, the Resource Tracker IAM role, one Spot Event Plugin fleet,
    and the construct that configures the Spot Event Plugin.

    :param scope: The scope of this construct.
    :param stack_id: The ID of this construct.
    :param props: The properties for this construct.
    :param kwargs: Any kwargs that need to be passed on to the parent class.
    """
    super().__init__(scope, stack_id, **kwargs)

    # Every component of the render farm lives in this VPC.
    farm_vpc = Vpc(self, 'Vpc', max_azs=2)

    docker_stage = Stage.from_directory(props.docker_recipes_stage_path)
    docker_recipes = ThinkboxDockerRecipes(self, 'Image', stage=docker_stage)

    # TODO - Evaluate deletion protection for your own needs. These properties are set to
    # RemovalPolicy.DESTROY to cleanly remove everything when this stack is destroyed.
    # If you would like to ensure that these resources are not accidentally deleted,
    # set them to RemovalPolicy.RETAIN or drop the removal_policy parameter altogether.
    # With DESTROY, tearing down the stack also removes the database and file system.
    destroy_with_stack = RepositoryRemovalPolicies(
        database=RemovalPolicy.DESTROY,
        filesystem=RemovalPolicy.DESTROY,
    )
    farm_repository = Repository(
        self,
        'Repository',
        vpc=farm_vpc,
        version=docker_recipes.version,
        repository_installation_timeout=Duration.minutes(20),
        removal_policy=destroy_with_stack,
    )

    host = 'renderqueue'
    internal_zone_name = 'deadline-test.internal'

    # Private DNS zone, resolvable inside the VPC.
    dns_zone = PrivateHostedZone(
        self,
        'DnsZone',
        vpc=farm_vpc,
        zone_name=internal_zone_name,
    )

    # Root certificate: no signing_certificate is passed here, and it is the signer
    # of the render queue certificate created next.
    root_ca = X509CertificatePem(
        self,
        'RootCA',
        subject=DistinguishedName(cn='SampleRootCA'),
    )
    # Render queue certificate; its CN is the host label joined with the private zone name.
    rq_subject = DistinguishedName(
        cn=f'{host}.{dns_zone.zone_name}',
        o='RFDK-Sample',
        ou='RenderQueueExternal',
    )
    rq_cert = X509CertificatePem(
        self,
        'RQCert',
        subject=rq_subject,
        signing_certificate=root_ca,
    )

    # The certificate above is presented for external TLS, and the internal
    # protocol is set to HTTPS as well.
    rq_encryption = RenderQueueTrafficEncryptionProps(
        external_tls=RenderQueueExternalTLSProps(rfdk_certificate=rq_cert),
        internal_protocol=ApplicationProtocol.HTTPS,
    )
    rq = RenderQueue(
        self,
        'RenderQueue',
        vpc=farm_vpc,
        version=docker_recipes.version,
        images=docker_recipes.render_queue_images,
        repository=farm_repository,
        # TODO - Evaluate deletion protection for your own needs. This is set to false to
        # cleanly remove everything when this stack is destroyed. If you would like to
        # ensure that this resource is not accidentally deleted, set this to true.
        deletion_protection=False,
        hostname=RenderQueueHostNameProps(hostname=host, zone=dns_zone),
        traffic_encryption=rq_encryption,
    )

    # Creates the Resource Tracker Access role. The role has to exist in the account for
    # the resource tracker to work properly.
    # Note: If the account already has a Resource Tracker IAM role, this code can be removed.
    # The role name is fixed, it is assumable by the Lambda service principal, and its
    # only permissions come from the AWS managed policy named below.
    tracker_policy = ManagedPolicy.from_aws_managed_policy_name(
        'AWSThinkboxDeadlineResourceTrackerAccessPolicy')
    Role(
        self,
        'ResourceTrackerRole',
        assumed_by=ServicePrincipal('lambda.amazonaws.com'),
        managed_policies=[tracker_policy],
        role_name='DeadlineResourceTrackerAccessRole',
    )

    worker_instance_type = InstanceType.of(InstanceClass.BURSTABLE3, InstanceSize.LARGE)
    spot_fleet = SpotEventPluginFleet(
        self,
        'SpotEventPluginFleet',
        vpc=farm_vpc,
        render_queue=rq,
        deadline_groups=['group_name'],
        instance_types=[worker_instance_type],
        worker_machine_image=props.worker_machine_image,
        max_capacity=1,
    )

    # Optional: extra tags applied to both the spot fleet request and the spot instances.
    Tags.of(spot_fleet).add('name', 'SEPtest')

    ConfigureSpotEventPlugin(
        self,
        'ConfigureSpotEventPlugin',
        vpc=farm_vpc,
        render_queue=rq,
        spot_fleets=[spot_fleet],
        configuration=SpotEventPluginSettings(enable_resource_tracker=True),
    )
def __init__(self, scope: Construct, stack_id: str, *, props: ServiceTierProps, **kwargs):
    """
    Initialize a new instance of ServiceTier

    Creates a bastion host with the EFS root mounted, a version query, the
    Repository, the Docker images, a render-queue certificate signed by
    ``props.root_ca`` and the RenderQueue itself, grants Session Manager
    permissions to the render queue's ASG, and optionally sets up Usage Based
    Licensing. ``self.ubl_licensing`` is None when no UBL licenses are given.

    :param scope: The scope of this construct.
    :param stack_id: The ID of this construct.
    :param props: The properties for this construct.
    :param kwargs: Any kwargs that need to be passed on to the parent class.
    :raises ValueError: If UBL licenses are given without a UBL certificates secret ARN.
    """
    super().__init__(scope, stack_id, **kwargs)

    # Bastion instance for convenience (e.g. SSH into RenderQueue and WorkerFleet instances).
    # It is not a critical component of the farm and can be safely removed. Session Manager,
    # configured later in this example, is an alternative way to reach the hosts.
    # NOTE(review): the bastion is placed in a public subnet, gets the file-system root
    # mounted, and is allowed to reach the render queue's default port; treat it as part
    # of the farm's trust boundary if it is kept.
    bastion_root_device = BlockDevice(
        device_name='/dev/xvda',
        volume=BlockDeviceVolume.ebs(50, encrypted=True))
    self.bastion = BastionHostLinux(
        self,
        'Bastion',
        vpc=props.vpc,
        subnet_selection=SubnetSelection(subnet_type=SubnetType.PUBLIC),
        block_devices=[bastion_root_device])

    # Mount the root of the EFS file-system on the bastion for convenience.
    # This can safely be removed.
    bastion_efs = MountableEfs(self, filesystem=props.mountable_file_system.file_system)
    bastion_efs.mount_to_linux_instance(self.bastion.instance, location='/mnt/efs')

    self.version = VersionQuery(self, 'Version', version=props.deadline_version)

    farm_repository = Repository(
        self,
        'Repository',
        vpc=props.vpc,
        database=props.database,
        file_system=props.mountable_file_system,
        repository_installation_timeout=Duration.minutes(20),
        repository_installation_prefix='/',
        version=self.version)

    docker_images = ThinkboxDockerImages(
        self,
        'Images',
        version=self.version,
        user_aws_thinkbox_eula_acceptance=props.accept_aws_thinkbox_eula)

    # Render queue certificate, signed by the root CA supplied in props. Its CN uses the
    # same 'renderqueue' host label and DNS zone given to RenderQueueHostNameProps below.
    rq_subject = DistinguishedName(
        cn=f'renderqueue.{props.dns_zone.zone_name}',
        o='RFDK-Sample',
        ou='RenderQueueExternal')
    rq_cert = X509CertificatePem(
        self,
        'RQCert',
        subject=rq_subject,
        signing_certificate=props.root_ca)

    # External TLS uses the certificate above; the internal protocol is HTTPS too.
    rq_encryption = RenderQueueTrafficEncryptionProps(
        external_tls=RenderQueueExternalTLSProps(rfdk_certificate=rq_cert),
        internal_protocol=ApplicationProtocol.HTTPS)
    self.render_queue = RenderQueue(
        self,
        'RenderQueue',
        vpc=props.vpc,
        images=docker_images,
        repository=farm_repository,
        hostname=RenderQueueHostNameProps(hostname='renderqueue', zone=props.dns_zone),
        traffic_encryption=rq_encryption,
        version=self.version,
        # TODO - Evaluate deletion protection for your own needs. This is set to false to
        # cleanly remove everything when this stack is destroyed. If you would like to
        # ensure that this resource is not accidentally deleted, set this to true.
        deletion_protection=False)
    self.render_queue.connections.allow_default_port_from(self.bastion)

    # Optional feature: enable the EC2 instances for use with the Session Manager.
    # RFDK deploys EC2 instances that aren't available through a public subnet, so
    # connecting to them by SSH isn't easy. This gives quick access to hosts without
    # a bastion instance.
    # The permissions must be granted to the render queue's ASG, not to the render
    # queue itself.
    SessionManagerHelper.grant_permissions_to(self.render_queue.asg)

    # Usage Based Licensing is optional; without licenses there is nothing more to build.
    if not props.ubl_licenses:
        self.ubl_licensing = None
        return

    if not props.ubl_certs_secret_arn:
        raise ValueError(
            'UBL certificates secret ARN is required when using UBL but was not specified.'
        )

    # The UBL certificates are referenced by secret ARN rather than embedded in the stack.
    ubl_cert_secret = Secret.from_secret_arn(
        self, 'ublcertssecret', props.ubl_certs_secret_arn)
    self.ubl_licensing = UsageBasedLicensing(
        self,
        'UsageBasedLicensing',
        vpc=props.vpc,
        images=docker_images,
        licenses=props.ubl_licenses,
        render_queue=self.render_queue,
        certificate_secret=ubl_cert_secret,
    )

    # Another optional use of SessionManagerHelper, showing how to configure the UBL
    # construct's ASG for access. Here too the permissions are applied to the
    # construct's ASG property.
    SessionManagerHelper.grant_permissions_to(self.ubl_licensing.asg)
def __init__(self, scope: Construct, stack_id: str, *, props: ServiceTierProps, **kwargs):
    """
    Initialize a new instance of ServiceTier

    Creates a bastion host with the file system mounted, the Docker recipes, the
    Repository, a render-queue certificate signed by ``props.root_ca`` and the
    RenderQueue itself, and optionally sets up Usage Based Licensing.
    ``self.ubl_licensing`` is only assigned when ``props.ubl_licenses`` is truthy.

    :param scope: The scope of this construct.
    :param stack_id: The ID of this construct.
    :param props: The properties for this construct.
    :param kwargs: Any kwargs that need to be passed on to the parent class.
    :raises ValueError: If UBL licenses are given without a UBL certificates secret ARN.
    """
    super().__init__(scope, stack_id, **kwargs)

    # A bastion host to connect to the render farm with.
    # It exists for convenience (e.g. SSH into RenderQueue and WorkerFleet instances).
    # It is not a critical component of the farm, so it can safely be removed.
    # NOTE(review): the bastion is placed in a public subnet, gets the file system
    # mounted, and is allowed to reach the render queue's default port; treat it as
    # part of the farm's trust boundary if it is kept.
    bastion_root_device = BlockDevice(
        device_name='/dev/xvda',
        volume=BlockDeviceVolume.ebs(50, encrypted=True))
    self.bastion = BastionHostLinux(
        self,
        'Bastion',
        vpc=props.vpc,
        subnet_selection=SubnetSelection(subnet_type=SubnetType.PUBLIC),
        block_devices=[bastion_root_device])

    # Give the bastion access to the file system mount for convenience.
    # This can also safely be removed.
    props.file_system.mount_to_linux_instance(self.bastion.instance, location='/mnt/efs')

    docker_stage = Stage.from_directory(props.docker_recipes_stage_path)
    docker_recipes = ThinkboxDockerRecipes(self, 'Image', stage=docker_stage)

    farm_repository = Repository(
        self,
        'Repository',
        vpc=props.vpc,
        version=docker_recipes.version,
        database=props.database,
        file_system=props.file_system,
        repository_installation_timeout=Duration.minutes(20))

    # Render queue certificate, signed by the root CA supplied in props. Its CN uses the
    # same 'renderqueue' host label and DNS zone given to RenderQueueHostNameProps below.
    rq_subject = DistinguishedName(
        cn=f'renderqueue.{props.dns_zone.zone_name}',
        o='RFDK-Sample',
        ou='RenderQueueExternal')
    rq_cert = X509CertificatePem(
        self,
        'RQCert',
        subject=rq_subject,
        signing_certificate=props.root_ca)

    # External TLS uses the certificate above; the internal protocol is HTTPS too.
    rq_encryption = RenderQueueTrafficEncryptionProps(
        external_tls=RenderQueueExternalTLSProps(rfdk_certificate=rq_cert),
        internal_protocol=ApplicationProtocol.HTTPS)
    self.render_queue = RenderQueue(
        self,
        'RenderQueue',
        vpc=props.vpc,
        version=docker_recipes.version,
        images=docker_recipes.render_queue_images,
        repository=farm_repository,
        hostname=RenderQueueHostNameProps(hostname='renderqueue', zone=props.dns_zone),
        traffic_encryption=rq_encryption,
        # TODO - Evaluate deletion protection for your own needs. This is set to false to
        # cleanly remove everything when this stack is destroyed. If you would like to
        # ensure that this resource is not accidentally deleted, set this to true.
        deletion_protection=False)
    self.render_queue.connections.allow_default_port_from(self.bastion)

    # Usage Based Licensing is optional; without licenses there is nothing more to build.
    if not props.ubl_licenses:
        return

    if not props.ubl_certs_secret_arn:
        raise ValueError(
            'UBL certificates secret ARN is required when using UBL but was not specified.'
        )

    # The UBL certificates are referenced by secret ARN rather than embedded in the stack.
    ubl_cert_secret = Secret.from_secret_arn(
        self, 'ublcertssecret', props.ubl_certs_secret_arn)
    self.ubl_licensing = UsageBasedLicensing(
        self,
        'usagebasedlicensing',
        vpc=props.vpc,
        images=docker_recipes.ubl_images,
        licenses=props.ubl_licenses,
        render_queue=self.render_queue,
        certificate_secret=ubl_cert_secret,
    )