def define_subnet_network_acl(self, subnet, acl): name = "%s%s" % (subnet, acl.name) a = ec2.SubnetNetworkAclAssociation( name, DeletionPolicy=self.deletion_policy) a.SubnetId = Ref(subnet) a.NetworkAclId = Ref(acl) self._add_resource(a)
def gen_public_subnet_az(self, az_index, cidr_block): name = f"PublicSubnet{az_index}" subnet = ec2.Subnet( name, VpcId=Ref(self.vpc), CidrBlock=cidr_block, AvailabilityZone=Select(str(az_index), GetAZs(Ref("AWS::Region"))), ) self.template.add_resource(subnet) self.export_value(Ref(subnet), name) route_table_association = ec2.SubnetRouteTableAssociation( f"{name}RouteTableAssociation", SubnetId=Ref(subnet), RouteTableId=Ref(self.public_route_table), ) self.template.add_resource(route_table_association) network_acl_association = ec2.SubnetNetworkAclAssociation( f"{name}NetworkAclAssociation", SubnetId=Ref(subnet), NetworkAclId=Ref(self.network_acl), ) self.template.add_resource(network_acl_association)
def dump_base_yaml(cfn_file): template = Template() vpc_cidr_param = template.add_parameter( Parameter( "vpcCidrParam", Description="string of vpc cidr block to use", Type="String", )) subnet_cidr_param = template.add_parameter( Parameter( "subnetCidrParam", Description="string of subnet cidr block to use", Type="String", )) igw = template.add_resource( ec2.InternetGateway( "Igw", Tags=resource_tags, )) vpc = template.add_resource( ec2.VPC( "Vpc", CidrBlock=Ref(vpc_cidr_param), EnableDnsSupport=True, EnableDnsHostnames=True, InstanceTenancy="default", Tags=resource_tags, )) igwa = template.add_resource( ec2.VPCGatewayAttachment( "IgwA", VpcId=Ref(vpc), InternetGatewayId=Ref(igw), )) route_tbl = template.add_resource( ec2.RouteTable( "RouteTable", VpcId=Ref(vpc), Tags=resource_tags, )) default_route = template.add_resource( ec2.Route("defaultRoute", DestinationCidrBlock="0.0.0.0/0", GatewayId=Ref(igw), RouteTableId=Ref(route_tbl))) subnet = template.add_resource( ec2.Subnet( "Subnet", VpcId=Ref(vpc), CidrBlock=Ref(subnet_cidr_param), MapPublicIpOnLaunch=True, AvailabilityZone=Select(0, GetAZs()), Tags=resource_tags, )) route_tbl_asoc = template.add_resource( ec2.SubnetRouteTableAssociation("RouteTblSubnetAsoc", RouteTableId=Ref(route_tbl), SubnetId=Ref(subnet))) priv_route_tbl = template.add_resource( ec2.RouteTable( "PrivRouteTable", VpcId=Ref(vpc), Tags=resource_tags, )) priv_subnet = template.add_resource( ec2.Subnet( "PrivSubnet", VpcId=Ref(vpc), CidrBlock="10.10.1.0/24", MapPublicIpOnLaunch=False, AvailabilityZone=Select(0, GetAZs()), Tags=resource_tags, )) route_tbl_asoc = template.add_resource( ec2.SubnetRouteTableAssociation("RouteTblPrivSubnetAsoc", RouteTableId=Ref(priv_route_tbl), SubnetId=Ref(priv_subnet))) ngw_elastic_ip = template.add_resource( ec2.EIP( "MyNgwEip", Tags=resource_tags, )) nat_gateway = template.add_resource( ec2.NatGateway( "MyNatGateway", AllocationId=GetAtt(ngw_elastic_ip, "AllocationId"), SubnetId=Ref(subnet), )) private_out_route = template.add_resource( ec2.Route("privateOutRoute", DestinationCidrBlock="0.0.0.0/0", NatGatewayId=Ref(nat_gateway), RouteTableId=Ref(priv_route_tbl))) first_network_acl = template.add_resource( ec2.NetworkAcl( "MyFirstNetAcl", Tags=resource_tags, VpcId=Ref(vpc), )) network_out_second_acl_entry = template.add_resource( ec2.NetworkAclEntry( "MyPrivOutNetAclEntry", NetworkAclId=Ref(first_network_acl), CidrBlock="0.0.0.0/0", Protocol=-1, Egress=True, RuleAction="allow", RuleNumber=100, )) network_inbound_acl_entry = template.add_resource( ec2.NetworkAclEntry("MyInNetAclEntry", NetworkAclId=Ref(first_network_acl), CidrBlock="74.77.86.69/32", Protocol=6, RuleAction="allow", RuleNumber=100, PortRange=ec2.PortRange(From=22, To=22))) private_to_public_client_ports_acl_entry = template.add_resource( ec2.NetworkAclEntry("MyPriv2PubClientPortsNetAclEntry", NetworkAclId=Ref(first_network_acl), CidrBlock="10.10.1.0/24", Protocol=6, RuleAction="allow", RuleNumber=101, PortRange=ec2.PortRange(From=1024, To=65535))) public_to_internet_client_ports_acl_entry = template.add_resource( ec2.NetworkAclEntry("MyPub2DefaultClientPortsNetAclEntry", NetworkAclId=Ref(first_network_acl), CidrBlock="0.0.0.0/0", Protocol=6, RuleAction="allow", RuleNumber=102, PortRange=ec2.PortRange(From=1024, To=65535))) public_to_private_icmpv4_acl_entry = template.add_resource( ec2.NetworkAclEntry("MyPubIcmpv4NetAclEntry", NetworkAclId=Ref(first_network_acl), CidrBlock="10.10.1.0/24", Protocol=1, Icmp=ec2.ICMP(Code=-1, Type=-1), RuleAction="allow", RuleNumber=103)) second_network_acl = template.add_resource( ec2.NetworkAcl( "MySecondNetAcl", Tags=resource_tags, VpcId=Ref(vpc), )) network_out_second_acl_entry = template.add_resource( ec2.NetworkAclEntry("MyPriv2InternetClientPortsNetAclEntry", NetworkAclId=Ref(second_network_acl), CidrBlock="0.0.0.0/0", Protocol=6, RuleAction="allow", RuleNumber=100, PortRange=ec2.PortRange(From=1024, To=65535))) public_to_private_ssh_acl_entry = template.add_resource( ec2.NetworkAclEntry("MyPrivSshNetAclEntry", NetworkAclId=Ref(second_network_acl), CidrBlock="10.10.0.0/24", Protocol=6, RuleAction="allow", RuleNumber=101, PortRange=ec2.PortRange(From=22, To=22))) public_to_private_http_acl_entry = template.add_resource( ec2.NetworkAclEntry("MyPrivHttpNetAclEntry", NetworkAclId=Ref(second_network_acl), CidrBlock="10.10.0.0/24", Protocol=6, RuleAction="allow", RuleNumber=102, PortRange=ec2.PortRange(From=80, To=80))) private_to_public_icmpv4_acl_entry = template.add_resource( ec2.NetworkAclEntry("MyPrivIcmpv4NetAclEntry", NetworkAclId=Ref(second_network_acl), CidrBlock="10.10.0.0/24", Protocol=1, Icmp=ec2.ICMP(Code=-1, Type=-1), RuleAction="allow", RuleNumber=103)) network_out_second_acl_entry = template.add_resource( ec2.NetworkAclEntry( "MyPubOutNetAclEntry", NetworkAclId=Ref(second_network_acl), CidrBlock="0.0.0.0/0", Protocol=-1, Egress=True, RuleAction="allow", RuleNumber=100, )) subnet_nacl_asociation = template.add_resource( ec2.SubnetNetworkAclAssociation("subNaclAsoc", NetworkAclId=Ref(first_network_acl), SubnetId=Ref(subnet))) priv_subnet_nacl_asociation = template.add_resource( ec2.SubnetNetworkAclAssociation("privSubNaclAsoc", NetworkAclId=Ref(second_network_acl), SubnetId=Ref(priv_subnet))) template.add_output([ Output( "VpcId", Description="InstanceId of the newly created EC2 instance", Value=Ref(vpc), Export=Export("VpcId-jdix"), ), Output( "SubnetId", Description="InstanceId of the newly created EC2 instance", Value=Ref(subnet), Export=Export("SubnetId-jdix"), ), Output( "PrivSubnetId", Description="InstanceId of the newly created EC2 instance", Value=Ref(priv_subnet), Export=Export("PrivSubnetId-jdix"), ), ]) template_out_yaml(cfn_file, template)
def configure_vpc(config, template): stack = config['stack'] region = config['region'] public_subnets = [] private_subnets = [] vpcs_file = read_yaml_file('configuration/vpcs.yaml') vpcs = vpcs_file['vpcs'] connections = vpcs_file['connections'] eips = read_yaml_file('configuration/eips.yaml') if stack not in vpcs: sys.stderr.write('%s: not found in vpcs\n' % stack) sys.exit(1) if stack not in eips: sys.stderr.write('%s: not found in eips; execute "bin/manage-eips"\n' % stack) sys.exit(1) vpc = template.add_resource( ec2.VPC( 'VPC', CidrBlock=vpcs[stack]['cidr'], InstanceTenancy='default', Tags=Tags(Name=config['description'], ), )) internet_gateway = template.add_resource( ec2.InternetGateway( 'InternetGateway', Tags=Tags(Name=config['description'], ), )) internet_gateway_attachment = template.add_resource( ec2.VPCGatewayAttachment( 'InternetGatewayAttachment', VpcId=Ref(vpc), InternetGatewayId=Ref(internet_gateway), # DeletionPolicy='Retain', )) public_route_table = template.add_resource( ec2.RouteTable( 'PublicRouteTable', VpcId=Ref(vpc), Tags=Tags(Name='%s - Public Routing Table' % stack, ), )) private_route_table = template.add_resource( ec2.RouteTable( 'PrivateRouteTable', VpcId=Ref(vpc), Tags=Tags(Name='%s - Private Routing Table' % stack, ), )) # default public subnet route is through the Internet Gateway default_public_route = template.add_resource( ec2.Route( 'DefaultPublicRoute', GatewayId=Ref(internet_gateway), DestinationCidrBlock='0.0.0.0/0', RouteTableId=Ref(public_route_table), DependsOn=Name(internet_gateway_attachment), )) network_acl = template.add_resource( ec2.NetworkAcl( 'NetworkAcl', VpcId=Ref(vpc), Tags=Tags(Name=config['description'], ), )) # It's standard practice to leave Network ACL's completely permissive # (not to be confused with SecurityGroups) template.add_resource( ec2.NetworkAclEntry( 'NetworkAclEntryIngressFromVpc', Protocol='-1', RuleNumber='100', CidrBlock='0.0.0.0/0', Egress=False, RuleAction='allow', NetworkAclId=Ref(network_acl), )) template.add_resource( ec2.NetworkAclEntry( 'NetworkAclEntryEgress', Protocol='-1', RuleNumber='100', CidrBlock='0.0.0.0/0', Egress=True, RuleAction='allow', NetworkAclId=Ref(network_acl), )) for subnet_config in config['subnets']: if subnet_config['public']: subnet_list = public_subnets subnet_route_table = public_route_table label = 'PublicSubnet' else: subnet_list = private_subnets subnet_route_table = private_route_table label = 'PrivateSubnet' label += subnet_config['zone'].upper() subnet = template.add_resource( ec2.Subnet( label, VpcId=Ref(vpc), AvailabilityZone=region + subnet_config['zone'], CidrBlock=subnet_config['cidr'], Tags=Tags( Name='%s %s' % (config['description'], label), IsPublic=subnet_config['public'], ), )) subnet_list.append({ 'label': label, 'object': subnet, 'config': subnet_config, }) template.add_resource( ec2.SubnetRouteTableAssociation( 'SubnetRouteTableAssociation%s' % label, SubnetId=Ref(subnet), RouteTableId=Ref(subnet_route_table), )) template.add_resource( ec2.SubnetNetworkAclAssociation( 'SubnetAclAssociation%s' % label, SubnetId=Ref(subnet), NetworkAclId=Ref(network_acl), )) if 'create_s3_endpoint' in config and config['create_s3_endpoint']: s3_endpoint = template.add_resource( ec2.VPCEndpoint( 'S3Endpoint', RouteTableIds=[Ref(private_route_table)], PolicyDocument={ 'Version': '2012-10-17', 'Statement': [{ 'Action': '*', 'Effect': 'Allow', 'Resource': '*', 'Principal': '*' }] }, VpcId=Ref(vpc), ServiceName='com.amazonaws.' + region + '.s3', ))
CidrBlock=GetAtt(hyp3_vpc, "CidrBlock"), Protocol=-1, RuleAction="allow", RuleNumber=200, Egress=False)) local_acl_entry = t.add_resource( ec2.NetworkAclEntry('LocalAclEntry', NetworkAclId=Ref(local_network_acl), CidrBlock=Ref(local_cidr_range), Protocol=-1, RuleAction="allow", RuleNumber=100, Egress=False)) all_traffic_out_entry = t.add_resource( ec2.NetworkAclEntry('OutputBoundTrafficEntry', NetworkAclId=Ref(local_network_acl), CidrBlock='0.0.0.0/0', Protocol=-1, RuleAction="allow", RuleNumber=100, Egress=True)) restricted_subnet_acl_association = t.add_resource( ec2.SubnetNetworkAclAssociation("RestrictedSubnetAclAssociation", SubnetId=Ref(restricted_subnet), NetworkAclId=Ref(local_network_acl))) t.add_output(Output('VPCId', Value=Ref(hyp3_vpc), Description='VPC Id'))
def multiaz_subnets( name_prefix: str, cidr_block: str, region: str, vpc: object = None, vpc_id: str = None, no_of_subnets: int = 4, network_acl: object = None, network_acl_id: str = None, route_table: object = None, route_table_id: str = None, ) -> list: """Split given CIDR block into subnets over multiple AZs Either `vpc` or both `vpc_id` and `region` are required. If a network ACL or route table are passed as parameters, they will be associated with the subnets. `vpc`, `network_acl` and `route_table` are expected to be Troposphere resource objects which can be passed to Ref and GetAtt functions. As an alternative, `vpc_id`, `region`, `network_acl_id` `route_table_id` can be passed directly. If both resource and *_id are specified, the *_id will take precedence. Returns a list of Troposphere resources that describes the subnets and can be attached to a Template object. Returned subnet objects have the following keys set in their Metadata attribute: az: full availability zone name ("eu-west-1a") az_index: uppercase AZ, without the region part ("A") suffix: the suffix that was added to the name to form a unique resource title. Probably a single digit. Args: name_prefix (str): Prefix each resource with this string. Use to assure unique name for the resource in the calling Template cidr_block (str): IP range to split into subnets region (str): AWS region vpc (object, optional): VPC Troposphere resource. One of vpc or vpc_id is required. Defaults to None. vpc_id (str, optional): VPC ID. One of vpc or vpc_id is required. Defaults to None. no_of_subnets (int, optional): Create this many subnets. must be a power of 2. Defaults to 4. network_acl (object, optional): Network ACL Troposphere resource. Defaults to None. network_acl_id (str, optional): Network ACL ID. Defaults to None. route_table (object, optional): Route table resource. Defaults to None. route_table_id (str, optional): Route table ID. Defaults to None. Raises: ValueError: If neither vpc nor vpc_id were specified. Returns: list: Troposphere resources to be added to Template. """ if vpc is None and vpc_id is None: raise ValueError("One of vpc or vpc_id must be specified") if vpc_id is None: vpc_id = Ref(vpc) # Resource names only accept alphanumeric prefix = alphanum(name_prefix).lower().capitalize() net_split = split_net_across_zones(cidr_block, region, no_of_subnets) resources = list() for index, net_segment in enumerate(net_split): # set subnet az_index = net_segment["az"][-1:].upper() subnet = t_ec2.Subnet( title=f"{prefix}{index+1}", AvailabilityZone=net_segment["az"], CidrBlock=net_segment["cidr"], VpcId=vpc_id, Tags=[{ "Key": "Name", "Value": f"{name_prefix} {az_index}" }], ) subnet.Metadata = {} subnet.Metadata["az"] = net_segment["az"].lower() subnet.Metadata["az_index"] = az_index subnet.Metadata["suffix"] = index + 1 resources.append(subnet) # associate network ACL with subnet if network_acl_id is None and network_acl is not None: network_acl_id = Ref(network_acl) if network_acl_id is not None: resources.append( t_ec2.SubnetNetworkAclAssociation( title=f"{subnet.title}NaclAssociation", SubnetId=Ref(subnet), NetworkAclId=network_acl_id, )) if route_table_id is None and route_table is not None: route_table_id = Ref(route_table) if route_table_id is not None: resources.append( t_ec2.SubnetRouteTableAssociation( title=f"{subnet.title}RouteAssociation", SubnetId=Ref(subnet), RouteTableId=route_table_id, )) return resources
def west_vpc_stack(cfn_file): template = Template() vpc_cidr_param = template.add_parameter( Parameter( "vpcCidrParam", Description="string of vpc cidr block to use", Type="String", )) subnet_cidr_param = template.add_parameter( Parameter( "subnetCidrParam", Description="string of subnet cidr block to use", Type="String", )) east_peer_cidr_param = template.add_parameter( Parameter( "eastPeerCidrParam", Type="String", )) vpc = template.add_resource( ec2.VPC( "Vpc", CidrBlock=Ref(vpc_cidr_param), EnableDnsSupport=True, EnableDnsHostnames=True, InstanceTenancy="default", Tags=resource_tags, )) route_tbl = template.add_resource( ec2.RouteTable( "RouteTable", VpcId=Ref(vpc), Tags=resource_tags, )) subnet = template.add_resource( ec2.Subnet( "Subnet", VpcId=Ref(vpc), CidrBlock=Ref(subnet_cidr_param), MapPublicIpOnLaunch=True, AvailabilityZone=Select(0, GetAZs()), Tags=resource_tags, )) route_tbl_asoc = template.add_resource( ec2.SubnetRouteTableAssociation("RouteTblSubnetAsoc", RouteTableId=Ref(route_tbl), SubnetId=Ref(subnet))) # stage 3: delete me and update to remove peering stack # peer_route=template.add_resource( # ec2.Route( # "peerRoute", # DestinationCidrBlock=Ref(east_peer_cidr_param), # VpcPeeringConnectionId="pcx-0d27f0252e6c8ac93", # RouteTableId=Ref(route_tbl) # ) # ) # /stage3 my_net_acl = template.add_resource( ec2.NetworkAcl( "MyFirstNetAcl", Tags=resource_tags, VpcId=Ref(vpc), )) template.add_resource( ec2.NetworkAclEntry( "MyAllOutNetAclEntry", NetworkAclId=Ref(my_net_acl), CidrBlock="0.0.0.0/0", Protocol=-1, Egress=True, RuleAction="allow", RuleNumber=100, )) template.add_resource( ec2.NetworkAclEntry("MyPriv2PubNetAclEntry", NetworkAclId=Ref(my_net_acl), CidrBlock=Ref(east_peer_cidr_param), Protocol=-1, RuleAction="allow", RuleNumber=101)) template.add_resource( ec2.SubnetNetworkAclAssociation("subNaclAsoc", NetworkAclId=Ref(my_net_acl), SubnetId=Ref(subnet))) # # stage 4: vpc endpoint connection # s3_bucket=template.add_resource( # s3.Bucket( # "MyBucketForServiceConnection", # BucketName="bucket-for-service-connection-lab-4-2-3-jdix" # ) # ) # vpc_endpoint=template.add_resource( # ec2.VPCEndpoint( # "MyVpcS3Endpoint", # VpcId=Ref(vpc), # ServiceName="com.amazonaws.us-west-2.s3", # RouteTableIds=[Ref(route_tbl)], # PolicyDocument={ # "Statement": [ # { # "Principal": "*", # "Action": "*", # "Effect": "Allow", # "Resource": [ # Join("", ["arn:aws:s3:::", Ref(s3_bucket)]), # Join("", ["arn:aws:s3:::", Ref(s3_bucket), '/*']) # ], # } # ] # } # ) # ) # endpoint acls # template.add_resource( # ec2.NetworkAclEntry( # "MyS3ClientPortsNetAclEntry1", # NetworkAclId=Ref(my_net_acl), # CidrBlock="3.5.76.0/22", # Protocol=6, # RuleAction="allow", # RuleNumber=102, # PortRange=ec2.PortRange(From=1024, To=65535) # ) # ) # template.add_resource( # ec2.NetworkAclEntry( # "MyS3ClientPortsNetAclEntry2", # NetworkAclId=Ref(my_net_acl), # CidrBlock="3.5.80.0/21", # Protocol=6, # RuleAction="allow", # RuleNumber=103, # PortRange=ec2.PortRange(From=1024, To=65535) # ) # ) # template.add_resource( # ec2.NetworkAclEntry( # "MyS3ClientPortsNetAclEntry3", # NetworkAclId=Ref(my_net_acl), # CidrBlock="52.218.128.0/17", # Protocol=6, # RuleAction="allow", # RuleNumber=104, # PortRange=ec2.PortRange(From=1024, To=65535) # ) # ) # template.add_resource( # ec2.NetworkAclEntry( # "MyS3ClientPortsNetAclEntry4", # NetworkAclId=Ref(my_net_acl), # CidrBlock="52.92.128.0/17", # Protocol=6, # RuleAction="allow", # RuleNumber=105, # PortRange=ec2.PortRange(From=1024, To=65535) # ) # ) # bucket policy # template.add_resource( # s3.BucketPolicy( # "bucketPolicyForVpcEndpoint", # Bucket=Ref(s3_bucket), # PolicyDocument={ # "Version": "2012-10-17", # "Statement": [ # { # "Action": "*", # "Principal": "*", # "Resource": [ # Join("", ["arn:aws:s3:::", Ref(s3_bucket)]), # Join("", ["arn:aws:s3:::", Ref(s3_bucket), '/*']) # ], # "Effect": "Allow", # "Condition": { # "StringEquals": { # "aws:SourceVpce": Ref(vpc_endpoint) # }, # "StringEquals": { # "aws:SourceVpc": Ref(vpc) # } # } # } # ] # } # ) # ) # endpoint policy # /stage4 template.add_output([ Output( "VpcId", Description="InstanceId of the newly created EC2 instance", Value=Ref(vpc), Export=Export("VpcId-jdix"), ), Output( "SubnetId", Description="InstanceId of the newly created EC2 instance", Value=Ref(subnet), Export=Export("SubnetId-jdix"), ), ]) template_out_yaml(cfn_file, template)
def east_vpc_stack(cfn_file): template = Template() vpc_cidr_param = template.add_parameter( Parameter( "vpcCidrParam", Description="string of vpc cidr block to use", Type="String", )) subnet_cidr_param = template.add_parameter( Parameter( "subnetCidrParam", Description="string of subnet cidr block to use", Type="String", )) west_peer_cidr_param = template.add_parameter( Parameter( "westPeerCidrParam", Type="String", )) igw = template.add_resource( ec2.InternetGateway( "Igw", Tags=resource_tags, )) vpc = template.add_resource( ec2.VPC( "Vpc", CidrBlock=Ref(vpc_cidr_param), EnableDnsSupport=True, EnableDnsHostnames=True, InstanceTenancy="default", Tags=resource_tags, )) igwa = template.add_resource( ec2.VPCGatewayAttachment( "IgwA", VpcId=Ref(vpc), InternetGatewayId=Ref(igw), )) route_tbl = template.add_resource( ec2.RouteTable( "RouteTable", VpcId=Ref(vpc), Tags=resource_tags, )) default_route = template.add_resource( ec2.Route("defaultRoute", DestinationCidrBlock="0.0.0.0/0", GatewayId=Ref(igw), RouteTableId=Ref(route_tbl))) # stage 3: delete me and update to remove peering stack # peer_route=template.add_resource( # ec2.Route( # "peerRoute", # DestinationCidrBlock=Ref(west_peer_cidr_param), # VpcPeeringConnectionId="pcx-0d27f0252e6c8ac93", # RouteTableId=Ref(route_tbl) # ) # ) # /stage3 subnet = template.add_resource( ec2.Subnet( "Subnet", VpcId=Ref(vpc), CidrBlock=Ref(subnet_cidr_param), MapPublicIpOnLaunch=True, AvailabilityZone=Select(0, GetAZs()), Tags=resource_tags, )) route_tbl_asoc = template.add_resource( ec2.SubnetRouteTableAssociation("RouteTblSubnetAsoc", RouteTableId=Ref(route_tbl), SubnetId=Ref(subnet))) my_net_acl = template.add_resource( ec2.NetworkAcl( "MyFirstNetAcl", Tags=resource_tags, VpcId=Ref(vpc), )) template.add_resource( ec2.NetworkAclEntry( "MyAllOutNetAclEntry", NetworkAclId=Ref(my_net_acl), CidrBlock="0.0.0.0/0", Protocol=-1, Egress=True, RuleAction="allow", RuleNumber=100, )) template.add_resource( ec2.NetworkAclEntry("MyInNetAclEntry", NetworkAclId=Ref(my_net_acl), CidrBlock="74.77.86.69/32", Protocol=6, RuleAction="allow", RuleNumber=100, PortRange=ec2.PortRange(From=22, To=22))) template.add_resource( ec2.NetworkAclEntry("MyPriv2PubNetAclEntry", NetworkAclId=Ref(my_net_acl), CidrBlock=Ref(west_peer_cidr_param), Protocol=-1, RuleAction="allow", RuleNumber=101)) template.add_resource( ec2.NetworkAclEntry("MyClientPortsNetAclEntry", NetworkAclId=Ref(my_net_acl), CidrBlock="0.0.0.0/0", Protocol=6, RuleAction="allow", RuleNumber=102, PortRange=ec2.PortRange(From=1024, To=65535))) template.add_resource( ec2.SubnetNetworkAclAssociation("subNaclAsoc", NetworkAclId=Ref(my_net_acl), SubnetId=Ref(subnet))) template.add_output([ Output( "VpcId", Description="InstanceId of the newly created EC2 instance", Value=Ref(vpc), Export=Export("VpcId-jdix"), ), Output( "SubnetId", Description="InstanceId of the newly created EC2 instance", Value=Ref(subnet), Export=Export("SubnetId-jdix"), ), ]) template_out_yaml(cfn_file, template)
Protocol='-1', RuleAction='allow', RuleNumber='100')) public_subnet_acl_outbound = t.add_resource( ec2.NetworkAclEntry('PublicSubnetACLEgress', CidrBlock='0.0.0.0/0', Egress='true', NetworkAclId=Ref(public_subnet_acl), Protocol='-1', RuleAction='allow', RuleNumber='100')) public_subnet_1_acl_association = t.add_resource( ec2.SubnetNetworkAclAssociation('PublicSubnet1ACLAssociation', SubnetId=Ref(public_subnet_1), NetworkAclId=Ref(public_subnet_acl))) public_subnet_2_acl_association = t.add_resource( ec2.SubnetNetworkAclAssociation('PublicSubnet2ACLAssociation', SubnetId=Ref(public_subnet_2), NetworkAclId=Ref(public_subnet_acl))) public_subnet_3_acl_association = t.add_resource( ec2.SubnetNetworkAclAssociation('PublicSubnet3ACLAssociation', Condition='3AZCondition', SubnetId=Ref(public_subnet_3), NetworkAclId=Ref(public_subnet_acl))) public_subnet_4_acl_association = t.add_resource( ec2.SubnetNetworkAclAssociation('PublicSubnet4ACLAssociation',
# Create Inbound rules for NACL connected to Private Subnet 1B "PrivateSubnet1BNetworkAclEntryInbound": ec2.NetworkAclEntry("PrivateSubnet1BNetworkAclEntryInbound", Condition="CreatePrivateSubnet1BCondition", CidrBlock="10.0.0.0/16", Egress="true", NetworkAclId=Ref("PrivateSubnet1BNetworkAcl"), Protocol="-1", RuleAction="allow", RuleNumber="100"), # Associate the created NACL with the Private Subnet 1B "PrivateSubnet1BNetworkAclAssociation": ec2.SubnetNetworkAclAssociation( "PrivateSubnet1BNetworkAclAssociation", Condition="CreatePrivateSubnet1BCondition", SubnetId=Ref("PrivateSubnet1B"), NetworkAclId=Ref("PrivateSubnet1BNetworkAcl")), #Create Public Subnet 2 in AZ2 "PublicSubnet2": ec2.Subnet("PublicSubnet2", Condition="CreatePublicSubnet2Condition", CidrBlock=Ref("CIDRPublicSubnet2"), VpcId=Ref("VPC"), AvailabilityZone=Ref("AvailabilityZone2"), MapPublicIpOnLaunch="True", Tags=Tags(IoCluster=Ref("AWS::StackName"), Name=Join("-", [Ref("AWS::StackName"), "PublicSubnet2"]))),
vpc, '10.0.%s.0/24' % index, Join('', [Ref('AWS::Region'), Select(index, Ref(availability_zones))]), ) # Public Subnet Associations t.add_resource( ec2.SubnetRouteTableAssociation('%sPublicRouteTableAssociation' % public_subnet.title, SubnetId=Ref(public_subnet), RouteTableId=Ref(public_route_table))) t.add_resource( ec2.SubnetNetworkAclAssociation('%sPublicSubnetNetworkAclAssociation' % public_subnet.title, SubnetId=Ref(public_subnet), NetworkAclId=Ref(public_network_acl))) # NAT Device(s) are placed in the public subnet(s) name = 'NATDevice%s' % (index + 1) nat_device = t.add_resource( ec2.Instance(name, InstanceType=Ref(nat_instance_type_param), KeyName=Ref(keyname_param), SourceDestCheck=False, ImageId=FindInMap('AWSNATAMI', Ref('AWS::Region'), 'AMI'), NetworkInterfaces=[ ec2.NetworkInterfaceProperty( Description='ENI for NAT device', GroupSet=[Ref(nat_security_group)], SubnetId=Ref(public_subnet),
CidrIp='0.0.0.0/0') ], VpcId=Ref(stack_vpc), Tags=Tags(Name='PublicSecurityGroup') )) # network acls public_subnet_acl = t.add_resource(ec2.NetworkAcl( 'PublicACL', VpcId=Ref(stack_vpc), Tags=Tags(Name='PublicACL') )) subnetNetworkAclAssociation = t.add_resource(ec2.SubnetNetworkAclAssociation( 'SubnetNetworkAclAssociation', SubnetId=Ref(subnet_public), NetworkAclId=Ref(public_subnet_acl), )) # outbound acls for Public network t.add_resource(ec2.NetworkAclEntry( 'sshOutbound', NetworkAclId=Ref(public_subnet_acl), RuleNumber='90', Protocol='6', PortRange=ec2.PortRange(To='22', From='22'), Egress='true', RuleAction='allow', CidrBlock='0.0.0.0/0', )) t.add_resource(ec2.NetworkAclEntry(
def configure(self): self.vpc_metadata = constants.ENVIRONMENTS[self.env]['vpc'] self.set_description('VPC, Routes, Base Security Groups, and NATs') common_vpc_tags = [ec2.Tag('Name', self.env) ] + self.get_tags(service_override='VPC') _vpc = self.add_resource( ec2.VPC('VPC', CidrBlock=self.vpc_metadata['cidrblock'], EnableDnsSupport=True, EnableDnsHostnames=True, Tags=common_vpc_tags)) _dhcp_options = self.add_resource( ec2.DHCPOptions('DHCPOptions', DomainName="node.{}.{}".format( self.env, constants.TAG), DomainNameServers=['AmazonProvidedDNS'], Tags=common_vpc_tags)) self.add_resource( ec2.VPCDHCPOptionsAssociation('VPCDHCPOptionsAssociation', DhcpOptionsId=Ref(_dhcp_options), VpcId=Ref(_vpc))) _internet_gateway = self.add_resource( ec2.InternetGateway('InternetGateway', Tags=self.get_tags( service_override='InternetGateway', role_override='InternetGateway'))) self.add_resource( ec2.VPCGatewayAttachment('AttachInternetGateway', VpcId=Ref(_vpc), InternetGatewayId=Ref(_internet_gateway))) # route_tables stores all ec2.RouteTables generated and adds them to # a private vpc s3 endpoint route_tables = [] _public_route_table = self.add_resource( ec2.RouteTable('PublicRouteTable', VpcId=Ref(_vpc), Tags=self.get_tags( service_override='PublicRouteTable', role_override='PublicRouteTable'))) route_tables.append(_public_route_table) # Public Subnet Routes and ACLs self.add_resource( ec2.Route('PublicRoute', RouteTableId=Ref(_public_route_table), DestinationCidrBlock='0.0.0.0/0', GatewayId=Ref(_internet_gateway))) _public_network_acl = self.add_resource( ec2.NetworkAcl('PublicNetworkAcl', VpcId=Ref(_vpc), Tags=self.get_tags( service_override='PublicNetworkAcl', role_override='PublicNetworkAcl'))) self.add_resource( ec2.NetworkAclEntry('IngressPublicNetworkAclEntry', NetworkAclId=Ref(_public_network_acl), RuleNumber=100, Protocol='-1', RuleAction='allow', Egress=False, CidrBlock='0.0.0.0/0', PortRange=ec2.PortRange(From=1, To=65535))) self.add_resource( ec2.NetworkAclEntry('EgressPublicNetworkAclEntry', NetworkAclId=Ref(_public_network_acl), RuleNumber=101, Protocol='-1', RuleAction='allow', Egress=True, CidrBlock='0.0.0.0/0', PortRange=ec2.PortRange(From=1, To=65535))) # Private Network ACLs _private_network_acl = self.add_resource( ec2.NetworkAcl('PrivateNetworkAcl', VpcId=Ref(_vpc), Tags=self.get_tags( service_override='PrivateNetworkAcl', role_override='PrivateNetworkAcl'))) self.add_resource( ec2.NetworkAclEntry('IngressPrivateNetworkAclEntry', NetworkAclId=Ref(_private_network_acl), RuleNumber=100, Protocol='-1', RuleAction='allow', Egress=False, CidrBlock='0.0.0.0/0', PortRange=ec2.PortRange(From=1, To=65535))) self.add_resource( ec2.NetworkAclEntry('EgressPrivateNetworkAclEntry', NetworkAclId=Ref(_private_network_acl), RuleNumber=101, Protocol='-1', RuleAction='allow', Egress=True, CidrBlock='0.0.0.0/0', PortRange=ec2.PortRange(From=1, To=65535))) # Default security groups - referenced by name by constants/default-security-groups # _nat_security_group = self.add_resource( # ec2.SecurityGroup( # 'NATSecurityGroup', # VpcId=Ref(_vpc), # GroupDescription='Security Group for NAT Instances', # SecurityGroupIngress=[ # {'IpProtocol': '-1', 'FromPort': 1, 'ToPort': 65535, 'CidrIp': self.vpc_metadata['cidrblock']}, # {'IpProtocol': '-1', 'FromPort': 1, 'ToPort': 65535, 'CidrIp': '10.0.0.0/8'} # ], # Tags=self.get_tags(service_override='NAT', role_override='NAT-SecurityGroup') # ) # ) # _consul_security_group = self.add_resource( # ec2.SecurityGroup( # 'ConsulSecurityGroup', # VpcId=Ref(_vpc), # GroupDescription='Security Group for Consul access', # SecurityGroupIngress=[ # {'IpProtocol': 'tcp', 'FromPort': 8300, 'ToPort': 8302, 'CidrIp': '10.0.0.0/8'}, # consul server rpc/serf # {'IpProtocol': 'udp', 'FromPort': 8300, 'ToPort': 8302, 'CidrIp': '10.0.0.0/8'}, # consul server rpc/serf # {'IpProtocol': 'tcp', 'FromPort': 8400, 'ToPort': 8400, 'CidrIp': '10.0.0.0/8'}, # consul client rpc # {'IpProtocol': 'tcp', 'FromPort': 8500, 'ToPort': 8500, 'CidrIp': '10.0.0.0/8'}, # consul http # {'IpProtocol': 'tcp', 'FromPort': 8600, 'ToPort': 8600, 'CidrIp': '10.0.0.0/8'}, # consul dns # {'IpProtocol': 'udp', 'FromPort': 8600, 'ToPort': 8600, 'CidrIp': '10.0.0.0/8'} # consul dns # ], # Tags=[ # ec2.Tag('ivy:team', self.TEAM['email']), # ec2.Tag('ivy:environment', self.env), # ec2.Tag('ivy:service', 'Consul'), # ec2.Tag('ivy:role', 'Consul-SecurityGroup') # ] # ) # ) # _ssh_security_group = self.add_resource( # ec2.SecurityGroup( # 'InternalSecurityGroup', # VpcId=Ref(_vpc), # GroupDescription='Internal Rules', # SecurityGroupIngress=[ # {'IpProtocol': 'icmp', 'FromPort': -1, 'ToPort': -1, 'CidrIp': '10.0.0.0/8'}, # {'IpProtocol': 'tcp', 'FromPort': 22, 'ToPort': 22, 'CidrIp': '10.0.0.0/8'} # ], # SecurityGroupEgress=[ # {'IpProtocol': '-1', 'FromPort': 0, 'ToPort': 65535, 'CidrIp': '0.0.0.0/0'} # ], # Tags=[ # ec2.Tag('ivy:team', self.TEAM['email']), # ec2.Tag('ivy:environment', self.env), # ec2.Tag('ivy:service', 'infrastructure'), # ec2.Tag('ivy:role', 'internal') # ] # ) # ) # # self.add_security_group(Ref(_nat_security_group), Ref(_consul_security_group), Ref(_ssh_security_group)) ## This sets up all private and public AZs for index, zone in enumerate(self.vpc_metadata['zones'], 1): _public_subnet = self.add_resource( ec2.Subnet( 'PublicSubnet{}'.format(index), VpcId=Ref(_vpc), CidrBlock=zone['public-cidrblock'], AvailabilityZone=zone['availability-zone'], MapPublicIpOnLaunch=True, Tags=self.get_tags( service_override='PublicSubnet', role_override='PublicSubnet{}'.format(index)) + [ ec2.Tag('Name', '{}-PublicSubnet{}'.format( self.env, index)) ])) self.add_resource( ec2.SubnetRouteTableAssociation( 'PublicSubnetRouteTableAssociation{}'.format(index), SubnetId=Ref(_public_subnet), RouteTableId=Ref(_public_route_table))) self.add_resource( ec2.SubnetNetworkAclAssociation( 'PublicSubnetNetworkAclAssociation{}'.format(index), SubnetId=Ref(_public_subnet), NetworkAclId=Ref(_public_network_acl))) # Allow VPCs with no private subnets (save money on NAT instances for VPCs with only public instances) if zone.get('private-cidrblock'): _private_subnet = self.add_resource( ec2.Subnet( 'PrivateSubnet{}'.format(index), VpcId=Ref(_vpc), CidrBlock=zone['private-cidrblock'], AvailabilityZone=zone['availability-zone'], Tags=self.get_tags( service_override='PrivateSubnet', role_override='PrivateSubnet{}'.format(index)) + [ ec2.Tag( 'Name', '{}-PrivateSubnet{}'.format( self.env, index)) ])) # Private subnets get their own route table for AZ-specific NATs _private_route_table = self.add_resource( ec2.RouteTable( 'PrivateRouteTable{}'.format(index), VpcId=Ref(_vpc), Tags=self.get_tags( service_override='PrivateRouteTable', role_override='PrivateRouteTable{}'.format( index)))) route_tables.append(_private_route_table) # Create an EIP to be used with the NAT instance or gateway _nat_eip = self.add_resource( ec2.EIP('NATInstanceEIP{}'.format(index), Domain='vpc')) # Use VPC NAT Gateway _nat_gw = self.add_resource( ec2.NatGateway('NATGateway{}'.format(index), AllocationId=GetAtt(_nat_eip, "AllocationId"), SubnetId=Ref(_public_subnet))) # Create a route via the NAT GW for the private route table self.add_resource( ec2.Route('PrivateRoute{}'.format(index), RouteTableId=Ref(_private_route_table), DestinationCidrBlock='0.0.0.0/0', NatGatewayId=Ref(_nat_gw))) self.add_resource( ec2.SubnetRouteTableAssociation( 'PrivateSubnetRouteTableAssociation{}'.format(index), SubnetId=Ref(_private_subnet), RouteTableId=Ref(_private_route_table))) self.add_resource( ec2.SubnetNetworkAclAssociation( 'PrivateSubnetNetworkAclAssociation{}'.format(index), SubnetId=Ref(_private_subnet), NetworkAclId=Ref(_private_network_acl))) # use route_table to create a VPC S3 endpoint self.add_resource( ec2.VPCEndpoint('S3VPCEndpoint', RouteTableIds=[Ref(rt) for rt in route_tables], ServiceName='com.amazonaws.{}.s3'.format( self.region), VpcId=Ref(_vpc)))
def west_vpc_stack(cfn_file): template = Template() vpc_cidr_param = template.add_parameter( Parameter( "vpcCidrParam", Description="string of vpc cidr block to use", Type="String", )) subnet_cidr_param = template.add_parameter( Parameter( "subnetCidrParam", Description="string of subnet cidr block to use", Type="String", )) east_peer_cidr_param = template.add_parameter( Parameter( "eastPeerCidrParam", Type="String", )) vpc = template.add_resource( ec2.VPC( "Vpc", CidrBlock=Ref(vpc_cidr_param), EnableDnsSupport=True, EnableDnsHostnames=True, InstanceTenancy="default", Tags=resource_tags, )) route_tbl = template.add_resource( ec2.RouteTable( "RouteTable", VpcId=Ref(vpc), Tags=resource_tags, )) subnet = template.add_resource( ec2.Subnet( "Subnet", VpcId=Ref(vpc), CidrBlock=Ref(subnet_cidr_param), MapPublicIpOnLaunch=True, AvailabilityZone=Select(0, GetAZs()), Tags=resource_tags, )) route_tbl_asoc = template.add_resource( ec2.SubnetRouteTableAssociation("RouteTblSubnetAsoc", RouteTableId=Ref(route_tbl), SubnetId=Ref(subnet))) # delete me and update to remove peering stack peer_route = template.add_resource( ec2.Route("peerRoute", DestinationCidrBlock=Ref(east_peer_cidr_param), VpcPeeringConnectionId="pcx-0d27f0252e6c8ac93", RouteTableId=Ref(route_tbl))) my_net_acl = template.add_resource( ec2.NetworkAcl( "MyFirstNetAcl", Tags=resource_tags, VpcId=Ref(vpc), )) template.add_resource( ec2.NetworkAclEntry( "MyAllOutNetAclEntry", NetworkAclId=Ref(my_net_acl), CidrBlock="0.0.0.0/0", Protocol=-1, Egress=True, RuleAction="allow", RuleNumber=100, )) template.add_resource( ec2.NetworkAclEntry("MyPriv2PubNetAclEntry", NetworkAclId=Ref(my_net_acl), CidrBlock=Ref(east_peer_cidr_param), Protocol=-1, RuleAction="allow", RuleNumber=101)) template.add_resource( ec2.SubnetNetworkAclAssociation("subNaclAsoc", NetworkAclId=Ref(my_net_acl), SubnetId=Ref(subnet))) template.add_output([ Output( "VpcId", Description="InstanceId of the newly created EC2 instance", Value=Ref(vpc), Export=Export("VpcId-jdix"), ), Output( "SubnetId", Description="InstanceId of the newly created EC2 instance", Value=Ref(subnet), Export=Export("SubnetId-jdix"), ), ]) template_out_yaml(cfn_file, template)
def sg_subnet_vpc(self, template, provision_refs): ref_stack_id = Ref('AWS::StackId') if 'aws_vpc_id' in self.app.config['provision']: vpc = self.app.config['provision']['aws_vpc_id'] use_subnet = self.app.config['provision']['aws_subnet_id'] use_subnet2 = self.app.config['provision']['aws_subnet2_id'] use_sg = self.app.config['provision']['aws_sg_id'] use_alb_sg = self.app.config['provision']['alb_sg_id'] self.app.log.info( 'Using your AWS subnet, make sure the routes and ports are configured correctly' ) else: vpc = Ref( template.add_resource( ec2.VPC('VPC', CidrBlock='10.0.0.0/16', Tags=Tags(Application=ref_stack_id)))) internet_gateway = template.add_resource( ec2.InternetGateway('InternetGateway', Tags=Tags(Application=ref_stack_id))) template.add_resource( ec2.VPCGatewayAttachment( 'AttachGateway', VpcId=vpc, InternetGatewayId=Ref(internet_gateway))) route_table = template.add_resource( ec2.RouteTable('RouteTable', VpcId=vpc, Tags=Tags(Application=ref_stack_id))) subnet = template.add_resource( ec2.Subnet('Subnet', CidrBlock='10.0.0.0/24', VpcId=vpc, AvailabilityZone=Select(0, GetAZs("")), Tags=Tags(Application=ref_stack_id))) subnet2 = template.add_resource( ec2.Subnet('Subnet2', CidrBlock='10.0.1.0/24', VpcId=vpc, AvailabilityZone=Select(1, GetAZs("")), Tags=Tags(Application=ref_stack_id))) template.add_resource( ec2.Route( 'Route', DependsOn='AttachGateway', GatewayId=Ref('InternetGateway'), DestinationCidrBlock='0.0.0.0/0', RouteTableId=Ref(route_table), )) template.add_resource( ec2.SubnetRouteTableAssociation( 'SubnetRouteTableAssociation', SubnetId=Ref(subnet), RouteTableId=Ref(route_table), )) template.add_resource( ec2.SubnetRouteTableAssociation( 'Subnet2RouteTableAssociation', SubnetId=Ref(subnet2), RouteTableId=Ref(route_table), )) network_acl = template.add_resource( ec2.NetworkAcl( 'NetworkAcl', VpcId=vpc, Tags=Tags(Application=ref_stack_id), )) template.add_resource( ec2.NetworkAclEntry( 'InboundSSHNetworkAclEntry', NetworkAclId=Ref(network_acl), RuleNumber='100', Protocol='6', PortRange=ec2.PortRange(From='22', To='22'), Egress='false', RuleAction='allow', CidrBlock='0.0.0.0/0', )) template.add_resource( ec2.NetworkAclEntry( 'InboundResponsePortsNetworkAclEntry', NetworkAclId=Ref(network_acl), RuleNumber='101', Protocol='6', PortRange=ec2.PortRange(From='1024', To='65535'), Egress='false', RuleAction='allow', CidrBlock='0.0.0.0/0', )) template.add_resource( ec2.NetworkAclEntry( 'InboundICMPNetworkAclEntry', NetworkAclId=Ref(network_acl), RuleNumber='102', Protocol='1', Icmp=ec2.ICMP(Code=-1, Type=-1), Egress='false', RuleAction='allow', CidrBlock='0.0.0.0/0', )) # Only used when Blockscout is deployed template.add_resource( ec2.NetworkAclEntry( 'InboundHttpsNetworkAclEntry', NetworkAclId=Ref(network_acl), RuleNumber='103', Protocol='6', PortRange=ec2.PortRange(From='443', To='443'), Egress='false', RuleAction='allow', CidrBlock='0.0.0.0/0', )) template.add_resource( ec2.NetworkAclEntry( 'OutBoundHTTPNetworkAclEntry', NetworkAclId=Ref(network_acl), RuleNumber='100', Protocol='6', PortRange=ec2.PortRange(From='80', To='80'), Egress='true', RuleAction='allow', CidrBlock='0.0.0.0/0', )) template.add_resource( ec2.NetworkAclEntry( 'OutBoundHTTPSNetworkAclEntry', NetworkAclId=Ref(network_acl), RuleNumber='101', Protocol='6', PortRange=ec2.PortRange(From='443', To='443'), Egress='true', RuleAction='allow', CidrBlock='0.0.0.0/0', )) template.add_resource( ec2.NetworkAclEntry( 'OutBoundResponsePortsNetworkAclEntry', NetworkAclId=Ref(network_acl), RuleNumber='102', Protocol='6', PortRange=ec2.PortRange(From='1024', To='65535'), Egress='true', RuleAction='allow', CidrBlock='0.0.0.0/0', )) template.add_resource( ec2.NetworkAclEntry( 'OutboundICMPNetworkAclEntry', NetworkAclId=Ref(network_acl), RuleNumber='103', Protocol='1', Icmp=ec2.ICMP(Code=-1, Type=-1), Egress='true', RuleAction='allow', CidrBlock='0.0.0.0/0', )) template.add_resource( ec2.SubnetNetworkAclAssociation( 'SubnetNetworkAclAssociation', SubnetId=Ref(subnet), NetworkAclId=Ref(network_acl), )) template.add_resource( ec2.SubnetNetworkAclAssociation( 'Subnet2NetworkAclAssociation', SubnetId=Ref(subnet2), NetworkAclId=Ref(network_acl), )) use_subnet = Ref(subnet) use_subnet2 = Ref(subnet2) alb_security_group = template.add_resource( ec2.SecurityGroup( 'ALBSecurityGroup', GroupDescription= 'ALB allows traffic from public, is used to terminate SSL', SecurityGroupIngress=[ ec2.SecurityGroupRule(IpProtocol='tcp', FromPort='46658', ToPort='46658', CidrIp='0.0.0.0/0'), ], VpcId=vpc, )) use_alb_sg = Ref(alb_security_group) instance_security_group = template.add_resource( ec2.SecurityGroup( 'InstanceSecurityGroup', GroupDescription='Enable tendermint and SSH for all nodes', SecurityGroupIngress=[ ec2.SecurityGroupRule(IpProtocol='tcp', FromPort='22', ToPort='22', CidrIp='0.0.0.0/0'), ec2.SecurityGroupRule(IpProtocol='tcp', FromPort='46656', ToPort='46656', CidrIp='0.0.0.0/0'), ec2.SecurityGroupRule(IpProtocol='tcp', FromPort='46658', ToPort='46658', CidrIp='0.0.0.0/0'), ec2.SecurityGroupRule(IpProtocol='icmp', FromPort='-1', ToPort='-1', CidrIp='0.0.0.0/0'), ], VpcId=vpc, )) use_sg = Ref(instance_security_group) provision_refs.vpc = vpc provision_refs.security_group_ec2 = use_sg provision_refs.security_group_alb = use_alb_sg provision_refs.subnets.append(use_subnet) provision_refs.subnets.append(use_subnet2)
CidrBlock=f"10.0.{i}.0/24", MapPublicIpOnLaunch=True, VpcId=Ref(vpc), Tags=Tags(Name=f"10.0.{i}.0/24-PUBLIC"), ) ) subnetRouteTable = t.add_resource( ec2.SubnetRouteTableAssociation( f"Subnet{i}RT", RouteTableId=Ref(routeTable), SubnetId=Ref(subnet) ) ) subnetNACL = t.add_resource( ec2.SubnetNetworkAclAssociation( f"Subnet{i}NACL", NetworkAclId=Ref(nacl), SubnetId=Ref(subnet) ) ) # Private subnets for i in range(4, 7): privateSubnet = t.add_resource( ec2.Subnet( f"Subnet{i}", AvailabilityZone=Select(i - 4, GetAZs(Ref("AWS::Region"))), CidrBlock=f"10.0.{i}.0/24", MapPublicIpOnLaunch=False, VpcId=Ref(vpc), Tags=Tags(Name=f"10.0.{i}.0/24-PRIVATE"), ) )
def __init__(self): super(VPC, self).__init__() self.vpc = ec2.VPC( "VPC", CidrBlock="172.1.0.0/16", InstanceTenancy="default", EnableDnsSupport=True, EnableDnsHostnames=True, Tags=Tags(Name=Ref("AWS::StackName")), ) self.internet_gateway = ec2.InternetGateway( "InternetGateway", Tags=Tags(Name=Join( "", [Ref("AWS::StackName"), "-internet-gateway"]), ), ) self.internet_gateway_attachment = ec2.VPCGatewayAttachment( "InternetGatewayAttachment", InternetGatewayId=Ref(self.internet_gateway), VpcId=Ref(self.vpc), ) self.public_route_table = ec2.RouteTable( "PublicRouteTable", VpcId=Ref(self.vpc), Tags=Tags(Name=Join( "-", [Ref("AWS::StackName"), "public-route-table"]), ), ) self.private_route_table = ec2.RouteTable( "PrivateRouteTable", VpcId=Ref(self.vpc), Tags=Tags(Name=Join( "-", [Ref("AWS::StackName"), "private-route-table"]), ), ) self.vpc_s3_endpoint = ec2.VPCEndpoint( "VPCS3Endpoint", ServiceName=Join( "", ["com.amazonaws.", Ref("AWS::Region"), ".s3"]), VpcId=Ref(self.vpc), RouteTableIds=[ Ref(self.public_route_table), Ref(self.private_route_table) ], ) self.route_to_internet = ec2.Route( "RouteToInternet", DestinationCidrBlock="0.0.0.0/0", GatewayId=Ref(self.internet_gateway), RouteTableId=Ref(self.public_route_table), DependsOn=self.internet_gateway_attachment.title, ) # private subnets self.private_subnet_1 = ec2.Subnet( "PrivateSubnet1", AvailabilityZone=Select(0, GetAZs()), CidrBlock="172.1.1.0/24", MapPublicIpOnLaunch=False, Tags=Tags(Name=Join( "", [Ref("AWS::StackName"), "-private-subnet-1"]), ), VpcId=Ref(self.vpc), ) self.private_subnet_1_route_table_association = ec2.SubnetRouteTableAssociation( "PrivateSubnet1RouteTableAssociation", RouteTableId=Ref(self.private_route_table), SubnetId=Ref(self.private_subnet_1), ) self.private_subnet_2 = ec2.Subnet( "PrivateSubnet2", AvailabilityZone=Select(1, GetAZs()), CidrBlock="172.1.2.0/24", MapPublicIpOnLaunch=False, Tags=Tags(Name=Join( "", [Ref("AWS::StackName"), "-private-subnet-2"]), ), VpcId=Ref(self.vpc), ) self.private_subnet_2_route_table_association = ec2.SubnetRouteTableAssociation( "PrivateSubnet2RouteTableAssociation", RouteTableId=Ref(self.private_route_table), SubnetId=Ref(self.private_subnet_2), ) self.private_network_aCL = ec2.NetworkAcl( "PrivateNetworkACL", VpcId=Ref(self.vpc), Tags=Tags(Name=Join("", [Ref("AWS::StackName"), "-private-nacl"]), ), ) self.private_subnet_1_network_acl_association = ec2.SubnetNetworkAclAssociation( "PrivateSubnet1NetworkAclAssociation", SubnetId=Ref(self.private_subnet_1), NetworkAclId=Ref(self.private_network_aCL), ) self.private_subnet_2_network_acl_association = ec2.SubnetNetworkAclAssociation( "PrivateSubnet2NetworkAclAssociation", SubnetId=Ref(self.private_subnet_2), NetworkAclId=Ref(self.private_network_aCL), ) self.private_network_acl_entry_in = ec2.NetworkAclEntry( "PrivateNetworkAclEntryIn", CidrBlock="172.1.0.0/16", Egress=False, NetworkAclId=Ref(self.private_network_aCL), Protocol=-1, RuleAction="allow", RuleNumber=200, ) self.private_network_acl_entry_out = ec2.NetworkAclEntry( "PrivateNetworkAclEntryOut", CidrBlock="172.1.0.0/16", Egress=True, NetworkAclId=Ref(self.private_network_aCL), Protocol=-1, RuleAction="allow", RuleNumber=200, ) # public subnets self.public_subnet_1 = ec2.Subnet( "PublicSubnet1", AvailabilityZone=Select(0, GetAZs()), CidrBlock="172.1.128.0/24", MapPublicIpOnLaunch=True, Tags=Tags(Name=Join( "", [Ref("AWS::StackName"), "-public-subnet-1"]), ), VpcId=Ref(self.vpc), ) self.public_subnet_1_route_table_association = ec2.SubnetRouteTableAssociation( "PublicSubnet1RouteTableAssociation", RouteTableId=Ref(self.public_route_table), SubnetId=Ref(self.public_subnet_1), ) self.public_subnet_2 = ec2.Subnet( "PublicSubnet2", AvailabilityZone=Select(1, GetAZs()), CidrBlock="172.1.129.0/24", MapPublicIpOnLaunch=True, Tags=Tags(Name=Join( "", [Ref("AWS::StackName"), "-public-subnet-2"]), ), VpcId=Ref(self.vpc), ) self.public_subnet_2_route_table_association = ec2.SubnetRouteTableAssociation( "PublicSubnet2RouteTableAssociation", RouteTableId=Ref(self.public_route_table), SubnetId=Ref(self.public_subnet_2), )
outBoundResponsePortsNetworkAclEntry = t.add_resource( ec2.NetworkAclEntry( 'OutBoundResponsePortsNetworkAclEntry', NetworkAclId=Ref(networkAcl), RuleNumber='102', Protocol='6', PortRange=ec2.PortRange(To='65535', From='1024'), Egress='true', RuleAction='allow', CidrBlock=ALLOW_ALL_CIDR, )) subnetNetworkAclAssociation = t.add_resource( ec2.SubnetNetworkAclAssociation( 'SubnetNetworkAclAssociation', SubnetId=Ref(subnet), NetworkAclId=Ref(networkAcl), )) instanceSecurityGroup = t.add_resource( ec2.SecurityGroup( 'InstanceSecurityGroup', GroupDescription='Enable SSH access via port 22', SecurityGroupIngress=[ ec2.SecurityGroupRule( IpProtocol='tcp', FromPort='22', ToPort='22', CidrIp=ALLOW_ALL_CIDR), ec2.SecurityGroupRule( IpProtocol='tcp',