コード例 #1
0
ファイル: hosted_zone.py プロジェクト: MIams-REISys/amazonia
    def create_hosted_zone(self, domain, vpcs):
        """
        Creates a route53 hosted zone object either public (vpcs=None) or private (vpcs=[vpc1,...])
        AWS: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-route53-hostedzone.html
        Troposphere: https://github.com/cloudtools/troposphere/blob/master/troposphere/route53.py
        :param domain: The domain you would like for your hosted zone. MUST be 'something.something' (eg 'example.com')
        :param vpcs: A list of VPCs to associate this hosted zone with (if none, a public hosted zone is created)
        """

        hz_type = 'private' if vpcs else 'public'

        hz_config = route53.HostedZoneConfiguration(
            Comment=Join('', [
                hz_type, ' hosted zone created by Amazonia for stack: ',
                Ref('AWS::StackName')
            ]))

        hz = self.template.add_resource(
            route53.HostedZone(hz_type + 'HostedZone',
                               HostedZoneConfig=hz_config,
                               Name=domain))

        if vpcs:
            hz.VPCs = []
            for vpc in vpcs:
                hz.VPCs.append(
                    HostedZoneVPCs(VPCId=vpc, VPCRegion=Ref('AWS::Region')))

        return hz
コード例 #2
0
def create_private_dns(template, hosted_zone_name, vpc_id, region):
    hosted_zone = template.add_resource(HostedZone(
        "HostedZone",
        Name=hosted_zone_name,
        VPCs=[HostedZoneVPCs(VPCId=vpc_id, VPCRegion=region)]
    ))

    template.add_output(Output(
        "HostedZone",
        Description="Hosted zone for internal access",
        Value=hosted_zone_name
    ))

    return hosted_zone
コード例 #3
0
ファイル: vpc.py プロジェクト: jeffpierce/stacker_blueprints
 def create_internal_zone(self):
     t = self.template
     t.add_resource(
         HostedZone("InternalZone",
                    Name=Ref("InternalDomain"),
                    VPCs=[
                        HostedZoneVPCs(VPCId=VPC_ID,
                                       VPCRegion=Ref("AWS::Region"))
                    ],
                    Condition="HasInternalDomain"))
     t.add_output(
         Output("InternalZoneId",
                Value=Ref("InternalZone"),
                Condition="HasInternalDomain"))
     t.add_output(
         Output("InternalZoneName",
                Value=Ref("InternalDomain"),
                Condition="HasInternalDomain"))
コード例 #4
0
    def create_internal_zone(self):
        t = self.template
        variables = self.get_variables()

        if variables["InternalDomain"]:
            t.add_resource(
                HostedZone("InternalZone",
                           Name=variables["InternalDomain"],
                           VPCs=[
                               HostedZoneVPCs(VPCId=VPC_ID,
                                              VPCRegion=Ref("AWS::Region"))
                           ]))
            t.add_output(Output(
                "InternalZoneId",
                Value=Ref("InternalZone"),
            ))
            t.add_output(
                Output(
                    "InternalZoneName",
                    Value=variables["InternalDomain"],
                ))
コード例 #5
0
ファイル: test_dns.py プロジェクト: tilne/aws-parallelcluster
 def create_hosted_zone():
     hosted_zone_template = Template()
     hosted_zone_template.set_version("2010-09-09")
     hosted_zone_template.set_description(
         "Hosted zone stack created for testing existing DNS")
     hosted_zone_template.add_resource(
         HostedZone(
             "HostedZoneResource",
             Name=domain_name,
             VPCs=[
                 HostedZoneVPCs(VPCId=vpc_stack.cfn_outputs["VpcId"],
                                VPCRegion=region)
             ],
         ))
     hosted_zone_stack = CfnStack(
         name=hosted_zone_stack_name,
         region=region,
         template=hosted_zone_template.to_json(),
     )
     cfn_stacks_factory.create_stack(hosted_zone_stack)
     return hosted_zone_stack.cfn_resources[
         "HostedZoneResource"], domain_name
コード例 #6
0
ファイル: dns.py プロジェクト: weblox/weblox
from troposphere import Template
from troposphere.route53 import HostedZone, HostedZoneVPCs

domain = "weblox.io"
region = "eu-west-1"

template = Template(domain.replace(".", "") + "dns")

public_dns = HostedZone(domain.replace(".", "") + "publicdns",
                        Name="public." + region + "." + domain)

private_dns = HostedZone(domain.replace(".", "") + "privatedns",
                         Name="private." + region + "." + domain,
                         VPCs=[
                             HostedZoneVPCs(VPCId="vpc-0e2786487ff4f2ef4",
                                            VPCRegion="eu-west-1")
                         ])

template.add_resource(public_dns)
template.add_resource(private_dns)

print(template.to_yaml())
コード例 #7
0
ファイル: vpc.py プロジェクト: danpilch/aws
    def __init__(self, parameters):
        super(Vpc, self).__init__()

        # Virtual Private Cloud
        self.vpc = VPC(
            "VPC",
            CidrBlock=Ref(parameters.VPCCIDR),
            EnableDnsHostnames=True,
            Tags=Tags(
                Name=Ref(AWS_STACK_NAME),
            )
        )
        
        # Public NACL
        self.GeneralPublicNACL = NetworkAcl(
            "GeneralPublicNACL",
            VpcId=Ref(self.vpc),
            Tags=Tags(
                Name=Join("-", [Ref(AWS_STACK_NAME), "public"]),
            ),
        )

        # Private NACL
        self.GeneralPrivateNACL = NetworkAcl(
            "GeneralPrivateNACL",
            VpcId=Ref(self.vpc),
            Tags=Tags(
                Name=Join("-", [Ref(AWS_STACK_NAME), "private"]),
            ),
        )

        # NACL Rules
        self.PublicNACLIngressRule100 = NetworkAclEntry(
            "PublicNACLIngressRule100",
            NetworkAclId=Ref(self.GeneralPublicNACL),
            RuleNumber="100",
            Protocol="-1",
            Egress=False,
            RuleAction="allow",
            CidrBlock="0.0.0.0/0",
        )

        self.PublicNACLEgressRule100 = NetworkAclEntry(
            "PublicNACLEgressRule100",
            NetworkAclId=Ref(self.GeneralPublicNACL),
            RuleNumber="100",
            Protocol="-1",
            Egress=True,
            RuleAction="allow",
            CidrBlock="0.0.0.0/0",
        )

        self.PrivateNACLEgressRule100 = NetworkAclEntry(
            "PrivateNACLEgressRule100",
            NetworkAclId=Ref(self.GeneralPrivateNACL),
            RuleNumber="100",
            Protocol="-1",
            Egress=True,
            RuleAction="allow",
            CidrBlock="0.0.0.0/0",
        )
        
        self.PrivateNACLIngressRule100 = NetworkAclEntry(
            "PrivateNACLIngressRule100",
            NetworkAclId=Ref(self.GeneralPrivateNACL),
            RuleNumber="100",
            Protocol="-1",
            Egress=False,
            RuleAction="allow",
            CidrBlock=Ref(parameters.VPCCIDR),
        )

        self.PrivateNACLIngressRule220 = NetworkAclEntry(
            "PrivateNACLIngressRule220",
            NetworkAclId=Ref(self.GeneralPrivateNACL),
            RuleNumber="220",
            Protocol="-1",
            Egress=False,
            RuleAction="allow",
            CidrBlock="0.0.0.0/0",
        )

        self.PrivateNACLIngressRule400 = NetworkAclEntry(
            "PrivateNACLIngressRule400",
            NetworkAclId=Ref(self.GeneralPrivateNACL),
            RuleNumber="400",
            Protocol="6",
            PortRange=PortRange(To="65535", From="1024"),
            Egress=False,
            RuleAction="allow",
            CidrBlock="0.0.0.0/0",
        )

        self.PrivateNACLIngressRule420 = NetworkAclEntry(
            "PrivateNACLIngressRule420",
            NetworkAclId=Ref(self.GeneralPrivateNACL),
            RuleNumber="420",
            Protocol="1",
            Egress=False,
            RuleAction="allow",
            Icmp=ICMP(
                Code="-1",
                Type="-1"
            ),
            CidrBlock="0.0.0.0/0",
        )

        self.PrivateNACLIngressRule440 = NetworkAclEntry(
            "PrivateNACLIngressRule440",
            NetworkAclId=Ref(self.GeneralPrivateNACL),
            RuleNumber="440",
            Protocol="17",
            PortRange=PortRange(To="65535", From="1024"),
            Egress=False,
            RuleAction="allow",
            CidrBlock="0.0.0.0/0",
        )

        # Shared services 
        self.GeneralPrivateSubnetA = Subnet(
            "GeneralPrivateSubnetA",
            Tags=Tags(
                Name=Join("-", [Ref(AWS_STACK_NAME), "general-private-a"]),
            ),
            VpcId=Ref(self.vpc),
            MapPublicIpOnLaunch=False,
            CidrBlock=Ref(parameters.GeneralPrivateSubnetACIDR),
            AvailabilityZone=Ref(parameters.AvailabilityZoneA),
        )

        self.GeneralPrivateSubnetB = Subnet(
            "GeneralPrivateSubnetB",
            Tags=Tags(
                Name=Join("-", [Ref(AWS_STACK_NAME), "general-private-b"]),
            ),
            VpcId=Ref(self.vpc),
            MapPublicIpOnLaunch=False,
            CidrBlock=Ref(parameters.GeneralPrivateSubnetBCIDR),
            AvailabilityZone=Ref(parameters.AvailabilityZoneB),
        )

        self.SharedServicesPublicSubnetA = Subnet(
            "SharedServicesPublicSubnetA",
            VpcId=Ref(self.vpc),
            AvailabilityZone=Ref(parameters.AvailabilityZoneA),
            CidrBlock=Ref(parameters.SharedServicesPublicSubnetACIDR),
            MapPublicIpOnLaunch=False,
            Tags=Tags(
                Name=Join("-", [Ref(AWS_STACK_NAME), "shared-public-a"]),
            )
        )
        
        self.SharedServicesPublicSubnetB = Subnet(
            "SharedServicesPublicSubnetB",
            VpcId=Ref(self.vpc),
            AvailabilityZone=Ref(parameters.AvailabilityZoneB),
            CidrBlock=Ref(parameters.SharedServicesPublicSubnetBCIDR),
            MapPublicIpOnLaunch=False,
            Tags=Tags(
                Name=Join("-", [Ref(AWS_STACK_NAME), "shared-public-b"]),
            )
        )
        
        self.SharedServicesPrivateSubnetA = Subnet(
            "SharedServicesPrivateSubnetA",
            VpcId=Ref(self.vpc),
            AvailabilityZone=Ref(parameters.AvailabilityZoneA),
            CidrBlock=Ref(parameters.SharedServicesPrivateSubnetACIDR),
            MapPublicIpOnLaunch=False,
            Tags=Tags(
                Name=Join("-", [Ref(AWS_STACK_NAME), "shared-private-a"]),
            )
        )
        
        self.SharedServicesPrivateSubnetB = Subnet(
            "SharedServicesPrivateSubnetB",
            VpcId=Ref(self.vpc),
            AvailabilityZone=Ref(parameters.AvailabilityZoneB),
            CidrBlock=Ref(parameters.SharedServicesPrivateSubnetBCIDR),
            MapPublicIpOnLaunch=False,
            Tags=Tags(
                Name=Join("-", [Ref(AWS_STACK_NAME), "shared-private-b"]),
            )
        )

        self.SharedServicesPublicNACLSubnetAAssocation = SubnetNetworkAclAssociation(
            "SharedServicesPublicNACLSubnetAAssocation",
            SubnetId=Ref(self.SharedServicesPublicSubnetA),
            NetworkAclId=Ref(self.GeneralPublicNACL),
        )

        self.SharedServicesPublicNACLSubnetBAssocation = SubnetNetworkAclAssociation(
            "SharedServicesPublicNACLSubnetBAssocation",
            SubnetId=Ref(self.SharedServicesPublicSubnetB),
            NetworkAclId=Ref(self.GeneralPublicNACL),
        )
        
        self.SharedServicesPrivateNACLSubnetAAssocation = SubnetNetworkAclAssociation(
            "SharedServicesPrivateNACLSubnetAAssocation",
            SubnetId=Ref(self.SharedServicesPrivateSubnetA),
            NetworkAclId=Ref(self.GeneralPrivateNACL),
        )

        self.SharedServicesPrivateNACLSubnetBAssocation = SubnetNetworkAclAssociation(
            "SharedServicesPrivateNACLSubnetBAssocation",
            SubnetId=Ref(self.SharedServicesPrivateSubnetB),
            NetworkAclId=Ref(self.GeneralPrivateNACL),
        )

        self.GeneralPrivateNACLSubnetAAssocation = SubnetNetworkAclAssociation(
            "GeneralPrivateNACLSubnetAAssocation",
            SubnetId=Ref(self.GeneralPrivateSubnetA),
            NetworkAclId=Ref(self.GeneralPrivateNACL),
        )
        
        self.GeneralPrivateNACLSubnetBAssocation = SubnetNetworkAclAssociation(
            "GeneralPrivateNACLSubnetBAssocation",
            SubnetId=Ref(self.GeneralPrivateSubnetB),
            NetworkAclId=Ref(self.GeneralPrivateNACL),
        )

        # Route tables
        self.PublicRouteTable = RouteTable(
            "PublicRouteTable",
            VpcId=Ref(self.vpc),
            Tags=Tags(
                Name=Join("-", [Ref(AWS_STACK_NAME), "public"]),
            ),  
        )

        self.PrivateARouteTable = RouteTable(
            "PrivateARouteTable",
            VpcId=Ref(self.vpc),
            Tags=Tags(
                Name=Join("-", [Ref(AWS_STACK_NAME), "private-a"]),
            ),
        )

        self.PrivateBRouteTable = RouteTable(
            "PrivateBRouteTable",
            VpcId=Ref(self.vpc),
            Tags=Tags(
                Name=Join("-", [Ref(AWS_STACK_NAME), "private-b"]),
            ),
        )

        # Internet Gateway
        self.InternetGateway = InternetGateway(
            "InternetGateway",
            Tags=Tags(
                Name=Join("-", [Ref(AWS_STACK_NAME)]),
            ),
        )

        self.VPNAttachment = VPCGatewayAttachment(
            "VPNAttachment",
            VpcId=Ref(self.vpc),
            InternetGatewayId=Ref(self.InternetGateway)
        )

        # NAT Gateways
        self.NATGatewayAEIP = EIP(
            "NATGatewayAEIP",
            Domain=Ref(self.vpc),
            Condition="DeployNATGateways"
        )
        
        self.NATGatewayBEIP = EIP(
            "NATGatewayBEIP",
            Domain=Ref(self.vpc),
            Condition="DeployNATGateways"
        )

        self.NATGatewayA = NatGateway(
            "NATGatewayA",
            SubnetId=Ref(self.SharedServicesPublicSubnetA),
            AllocationId=GetAtt(self.NATGatewayAEIP, "AllocationId"),
            Condition="DeployNATGateways"
        )
        
        self.NATGatewayB = NatGateway(
            "NATGatewayB",
            SubnetId=Ref(self.SharedServicesPublicSubnetB),
            AllocationId=GetAtt(self.NATGatewayBEIP, "AllocationId"),
            Condition="DeployNATGateways"
        )

        # S3 VPC enpoint connection 
        self.VPCS3Endpoint = VPCEndpoint(
            "VPCS3Endpoint",
            VpcId=Ref(self.vpc),
            ServiceName=Join("", ["com.amazonaws.", Ref(AWS_REGION), ".s3"]),
            RouteTableIds=[Ref(self.PublicRouteTable), Ref(self.PrivateARouteTable), Ref(self.PrivateBRouteTable)],
        )

        # Security Groups
        self.ICMPSecurityGroup = SecurityGroup(
            "ICMPSecurityGroup",
            SecurityGroupIngress=[{ "ToPort": "-1", "IpProtocol": "icmp", "CidrIp": "0.0.0.0/0", "FromPort": "-1" }],
            VpcId=Ref(self.vpc),
            GroupDescription="Allows servers to be reached by ICMP",
            Tags=Tags(
                Name=Join("-", [Ref(AWS_STACK_NAME), "icmp"]),
            ),
        )

        self.OpenPublicSSHSecurityGroup = SecurityGroup(
            "OpenPublicSSHSecurityGroup",
            SecurityGroupIngress=[{ "ToPort": "22", "IpProtocol": "tcp", "CidrIp": "0.0.0.0/0", "FromPort": "22" }],
            VpcId=Ref(self.vpc),
            GroupDescription="Allows instance to be publically managed over SSH from anywhere, probably a bad idea",
            Tags=Tags(
                Name=Join("-", [Ref(AWS_STACK_NAME), "open-public-ssh"]),
            ),
        )

        # Route Tables
        self.GeneralPrivateSubnetARouteTable = SubnetRouteTableAssociation(
            "GeneralPrivateSubnetARouteTable",
            SubnetId=Ref(self.GeneralPrivateSubnetA),
            RouteTableId=Ref(self.PrivateARouteTable),
        )
        
        self.GeneralPrivateSubnetBRouteTable = SubnetRouteTableAssociation(
            "GeneralPrivateSubnetBRouteTable",
            SubnetId=Ref(self.GeneralPrivateSubnetB),
            RouteTableId=Ref(self.PrivateBRouteTable),
        )
        
        self.SharedServicesPublicSubnetARouteTable = SubnetRouteTableAssociation(
            "SharedServicesPublicSubnetARouteTable",
            SubnetId=Ref(self.SharedServicesPublicSubnetA),
            RouteTableId=Ref(self.PublicRouteTable),
        )

        self.SharedServicesPublicSubnetBRouteTable = SubnetRouteTableAssociation(
            "SharedServicesPublicSubnetBRouteTable",
            SubnetId=Ref(self.SharedServicesPublicSubnetB),
            RouteTableId=Ref(self.PublicRouteTable),
        )

        self.SharedServicesPrivateSubnetARouteTable = SubnetRouteTableAssociation(
            "SharedServicesPrivateSubnetARouteTable",
            SubnetId=Ref(self.SharedServicesPrivateSubnetA),
            RouteTableId=Ref(self.PrivateARouteTable),
        )

        self.SharedServicesPrivateSubnetBRouteTable = SubnetRouteTableAssociation(
            "SharedServicesPrivateSubnetBRouteTable",
            SubnetId=Ref(self.SharedServicesPrivateSubnetB),
            RouteTableId=Ref(self.PrivateBRouteTable),
        )
        
        # Routes
        self.PublicSharedRoute = Route(
            "PublicSharedRoute",
            DestinationCidrBlock="0.0.0.0/0",
            GatewayId=Ref(self.InternetGateway),
            RouteTableId=Ref(self.PublicRouteTable),
        )
    
        self.PrivateANATRoute = Route(
            "PrivateANATRoute",
            DestinationCidrBlock="0.0.0.0/0",
            RouteTableId=Ref(self.PrivateARouteTable),
            NatGatewayId=Ref(self.NATGatewayB),
            #DependsOn=self.NATGatewayA,
            Condition="DeployNATGateways"
        )

        self.PrivateBNATRoute = Route(
            "PrivateBNATRoute",
            DestinationCidrBlock="0.0.0.0/0",
            RouteTableId=Ref(self.PrivateBRouteTable),
            NatGatewayId=Ref(self.NATGatewayB),
            #DependsOn=self.NATGatewayB,
            Condition="DeployNATGateways"
        )

        # Internal Zone standard
        self.InternalZone = HostedZone(
            "InternalZone",
            VPCs=[
                HostedZoneVPCs(
                    VPCId=Ref(self.vpc), 
                    VPCRegion=Ref("AWS::Region"),
            )],
            HostedZoneConfig=HostedZoneConfiguration(
                Comment="Internal (private) zone for name resolution"
            ),
            HostedZoneTags=Tags(
                Name=Join("-", [Ref(AWS_STACK_NAME), "internal"]),
            ),
            Name=Ref(parameters.DomainName),
        )
        
        # Internal Zone production website
        self.InternalZoneProductionWebsite = HostedZone(
            "InternalZoneProductionWebsite",
            VPCs=[
                HostedZoneVPCs(
                    VPCId=Ref(self.vpc), 
                    VPCRegion=Ref("AWS::Region"),
            )],
            HostedZoneConfig=HostedZoneConfiguration(
                Comment="Internal (private) zone for name resolution for public website"
            ),
            HostedZoneTags=Tags(
                Name=Join("-", [Ref(AWS_STACK_NAME), "internal-public-site"]),
            ),
            Name="sharpe.capital",
            Condition="CreateProductionZone"
        )

        # Custom Security Groups
        self.OpenPublicSSHSecurityGroup = SecurityGroup(
            "OpenPublicSSHSecurityGroup",
            GroupDescription="Allows server to be publically managed over SSH from anywhere",
            SecurityGroupIngress=[
                SecurityGroupRule(
                    IpProtocol="tcp", 
                    FromPort="22",
                    ToPort="22",
                    CidrIp="0.0.0.0/0"
                ),
            ],
            VpcId=Ref(self.vpc),
            Tags=Tags(
                Name=Join("-", [Ref(AWS_STACK_NAME), "open-public-ssh-access"]),
            ),
        )

        # Public Load Balancer NACL 
        self.PublicLBNACL = NetworkAcl(
            "PublicLBNACL",
            VpcId=Ref(self.vpc),
            Tags=Tags(
                Name=Ref(AWS_STACK_NAME),
            ),
        )
        
        self.PublicLBRouteTable = RouteTable(
            "PublicLBRouteTable",
            VpcId=Ref(self.vpc),
            Tags=Tags(
                Name=Ref(AWS_STACK_NAME),
            ),
        )
        
        self.LBPublicSubnetA = Subnet(
            "LBPublicSubnetA",
            VpcId=Ref(self.vpc),
            AvailabilityZone=Ref(parameters.AvailabilityZoneA),
            CidrBlock=Ref(parameters.LBSubnetACIDR),
            Tags=Tags(
                Name=Join("-", [Ref(AWS_STACK_NAME), "lb-public-a"]),
            ),
        )
        
        self.LBPublicSubnetB = Subnet(
            "LBPublicSubnetB",
            VpcId=Ref(self.vpc),
            AvailabilityZone=Ref(parameters.AvailabilityZoneB),
            CidrBlock=Ref(parameters.LBSubnetBCIDR),
            Tags=Tags(
                Name=Join("-", [Ref(AWS_STACK_NAME), "lb-public-b"]),
            ),
        )
        
        self.LBNACLIn100 = NetworkAclEntry(
            "LBNACLIn100",
            NetworkAclId=Ref(self.PublicLBNACL),
            RuleNumber=100,
            Protocol=6,
            PortRange=PortRange(To=443, From=443),
            Egress=False,
            RuleAction="allow",
            CidrBlock="0.0.0.0/0",
        )

        self.LBNACLIn200 = NetworkAclEntry(
            "LBNACLIn200",
            NetworkAclId=Ref(self.PublicLBNACL),
            RuleNumber=200,
            Protocol=6,
            PortRange=PortRange(To=80, From=80),
            Egress=False,
            RuleAction="allow",
            CidrBlock="0.0.0.0/0",
        )
        
        self.LBNACLIn300 = NetworkAclEntry(
            "LBNACLIn300",
            NetworkAclId=Ref(self.PublicLBNACL),
            RuleNumber=300,
            Protocol=6,
            PortRange=PortRange(To=65535, From=1024),
            Egress=False,
            RuleAction="allow",
            CidrBlock="0.0.0.0/0",
        )
        
        self.LBNACLOut100 = NetworkAclEntry(
            "LBNACLOut100",
            NetworkAclId=Ref(self.PublicLBNACL),
            RuleNumber=100,
            Protocol=6,
            PortRange=PortRange(To=65535, From=1024),
            Egress=True,
            RuleAction="allow",
            CidrBlock="0.0.0.0/0",
        )
        
        self.LBRouteTableAssociationA = SubnetRouteTableAssociation(
            "LBRouteTableAssociationA",
            SubnetId=Ref(self.LBPublicSubnetA),
            RouteTableId=Ref(self.PublicLBRouteTable),
        )
        
        self.LBRouteTableAssociationB = SubnetRouteTableAssociation(
            "LBRouteTableAssociationB",
            SubnetId=Ref(self.LBPublicSubnetB),
            RouteTableId=Ref(self.PublicLBRouteTable),
        )
        
        self.LBNACLAssociationB = SubnetNetworkAclAssociation(
            "LBNACLAssociationB",
            SubnetId=Ref(self.LBPublicSubnetB),
            NetworkAclId=Ref(self.PublicLBNACL),
        )
        
        self.LBNACLAssociationA = SubnetNetworkAclAssociation(
            "LBNACLAssociationA",
            SubnetId=Ref(self.LBPublicSubnetA),
            NetworkAclId=Ref(self.PublicLBNACL),
        )
        
        self.LBInternetGatewayRoute = Route(
            "LBInternetGatewayRoute",
            GatewayId=Ref(self.InternetGateway),
            DestinationCidrBlock="0.0.0.0/0",
            RouteTableId=Ref(self.PublicLBRouteTable),
        )
        
        self.LBICMPSecurityGroup = SecurityGroup(
            "LBICMPSecurityGroup",
            SecurityGroupIngress=[{ "ToPort": "-1", "IpProtocol": "icmp", "CidrIp": "0.0.0.0/0", "FromPort": "-1" }],
            VpcId=Ref(self.vpc),
            GroupDescription="Allows servers to be reached by ICMP",
            Tags=Tags(
                Name=Join("-", [Ref(AWS_STACK_NAME), "icmp"]),
            ),
        )
        
        self.LBSecurityGroup = SecurityGroup(
            "LBSecurityGroup",
            SecurityGroupIngress=[{ "ToPort": 80, "FromPort": 80, "IpProtocol": "tcp", "CidrIp": "0.0.0.0/0" }, 
                { "ToPort": 443, "FromPort": 443, "IpProtocol": "tcp", "CidrIp": "0.0.0.0/0" }],
            VpcId=Ref(self.vpc),
            GroupDescription="Securty group for public facing web load balancers",
            Tags=Tags(
                Name=Ref(AWS_STACK_NAME),
            ),
        )
コード例 #8
0
def generate_vpc_template(layers, az_count, cidr_block):
    TPL = Template()
    TPL.set_description('VPC - Version 2019-06-05')
    TPL.set_metadata({'Author': 'https://github.com/johnpreston'})
    VPC = VPCType('VPC',
                  CidrBlock=cidr_block,
                  EnableDnsHostnames=True,
                  EnableDnsSupport=True,
                  Tags=Tags(Name=Ref('AWS::StackName'),
                            EnvironmentName=Ref('AWS::StackName')))
    IGW = InternetGateway("InternetGateway")
    IGW_ATTACH = VPCGatewayAttachment("VPCGatewayAttachement",
                                      InternetGatewayId=Ref(IGW),
                                      VpcId=Ref(VPC))
    DHCP_OPTIONS = DHCPOptions('VpcDhcpOptions',
                               DomainName=Sub(f'${{AWS::StackName}}.local'),
                               DomainNameServers=['AmazonProvidedDNS'],
                               Tags=Tags(Name=Sub(f'DHCP-${{{VPC.title}}}')))
    DHCP_ATTACH = VPCDHCPOptionsAssociation('VpcDhcpOptionsAssociate',
                                            DhcpOptionsId=Ref(DHCP_OPTIONS),
                                            VpcId=Ref(VPC))
    DNS_HOSTED_ZONE = HostedZone(
        'VpcHostedZone',
        VPCs=[HostedZoneVPCs(VPCId=Ref(VPC), VPCRegion=Ref('AWS::Region'))],
        Name=Sub(f'${{AWS::StackName}}.local'),
        HostedZoneTags=Tags(Name=Sub(f'ZoneFor-${{{VPC.title}}}')))
    TPL.add_resource(VPC)
    TPL.add_resource(IGW)
    TPL.add_resource(IGW_ATTACH)
    TPL.add_resource(DHCP_OPTIONS)
    TPL.add_resource(DHCP_ATTACH)
    TPL.add_resource(DNS_HOSTED_ZONE)
    STORAGE_RTB = TPL.add_resource(
        RouteTable('StorageRtb', VpcId=Ref(VPC), Tags=Tags(Name='StorageRtb')))
    STORAGE_SUBNETS = []
    for count, subnet_cidr in zip(az_count, layers['stor']):
        subnet = Subnet(
            f'StorageSubnet{alpha[count].upper()}',
            CidrBlock=subnet_cidr,
            VpcId=Ref(VPC),
            AvailabilityZone=Sub(f'${{AWS::Region}}{alpha[count]}'),
            Tags=Tags(Name=Sub(f'${{AWS::StackName}}-Storage-{alpha[count]}'),
                      Usage="Storage"))
        subnet_assoc = TPL.add_resource(
            SubnetRouteTableAssociation(
                f'StorageSubnetAssoc{alpha[count].upper()}',
                SubnetId=Ref(subnet),
                RouteTableId=Ref(STORAGE_RTB)))
        STORAGE_SUBNETS.append(subnet)
        TPL.add_resource(subnet)
    PUBLIC_RTB = TPL.add_resource(
        RouteTable('PublicRtb', VpcId=Ref(VPC), Tags=Tags(Name='PublicRtb')))
    PUBLIC_ROUTE = TPL.add_resource(
        Route('PublicDefaultRoute',
              GatewayId=Ref(IGW),
              RouteTableId=Ref(PUBLIC_RTB),
              DestinationCidrBlock='0.0.0.0/0'))
    PUBLIC_SUBNETS = []
    NAT_GATEWAYS = []
    for count, subnet_cidr in zip(az_count, layers['pub']):
        subnet = Subnet(
            f'PublicSubnet{alpha[count].upper()}',
            CidrBlock=subnet_cidr,
            VpcId=Ref(VPC),
            AvailabilityZone=Sub(f'${{AWS::Region}}{alpha[count]}'),
            MapPublicIpOnLaunch=True,
            Tags=Tags(Name=Sub(f'${{AWS::StackName}}-Public-{alpha[count]}')))
        eip = TPL.add_resource(
            EIP(f"NatGatewayEip{alpha[count].upper()}", Domain='vpc'))
        nat = NatGateway(f"NatGatewayAz{alpha[count].upper()}",
                         AllocationId=GetAtt(eip, 'AllocationId'),
                         SubnetId=Ref(subnet))
        subnet_assoc = TPL.add_resource(
            SubnetRouteTableAssociation(
                f'PublicSubnetsRtbAssoc{alpha[count].upper()}',
                RouteTableId=Ref(PUBLIC_RTB),
                SubnetId=Ref(subnet)))
        NAT_GATEWAYS.append(nat)
        PUBLIC_SUBNETS.append(subnet)
        TPL.add_resource(nat)
        TPL.add_resource(subnet)
    APP_SUBNETS = []
    APP_RTBS = []
    for count, subnet_cidr, nat in zip(az_count, layers['app'], NAT_GATEWAYS):
        SUFFIX = alpha[count].upper()
        subnet = Subnet(
            f'AppSubnet{SUFFIX}',
            CidrBlock=subnet_cidr,
            VpcId=Ref(VPC),
            AvailabilityZone=Sub(f'${{AWS::Region}}{alpha[count]}'),
            Tags=Tags(Name=Sub(f'${{AWS::StackName}}-App-{alpha[count]}')))
        APP_SUBNETS.append(subnet)
        rtb = RouteTable(f'AppRtb{alpha[count].upper()}',
                         VpcId=Ref(VPC),
                         Tags=Tags(Name=f'AppRtb{alpha[count].upper()}'))
        APP_RTBS.append(rtb)
        route = Route(f'AppRoute{alpha[count].upper()}',
                      NatGatewayId=Ref(nat),
                      RouteTableId=Ref(rtb),
                      DestinationCidrBlock='0.0.0.0/0')
        subnet_assoc = SubnetRouteTableAssociation(
            f'SubnetRtbAssoc{alpha[count].upper()}',
            RouteTableId=Ref(rtb),
            SubnetId=Ref(subnet))
        TPL.add_resource(subnet)
        TPL.add_resource(rtb)
        TPL.add_resource(route)
        TPL.add_resource(subnet_assoc)

    APP_S3_ENDPOINT = VPCEndpoint(
        'AppS3Endpoint',
        VpcId=Ref(VPC),
        RouteTableIds=[Ref(rtb) for rtb in APP_RTBS],
        ServiceName=Sub('com.amazonaws.${AWS::Region}.s3'),
        VpcEndpointType='Gateway',
    )
    PUBLIC_S3_ENDPOINT = VPCEndpoint(
        'PublicS3Endpoint',
        VpcId=Ref(VPC),
        RouteTableIds=[Ref(PUBLIC_RTB)],
        ServiceName=Sub('com.amazonaws.${AWS::Region}.s3'),
        VpcEndpointType='Gateway',
    )
    STORAGE_S3_ENDPOINT = VPCEndpoint(
        'StorageS3Endpoint',
        VpcId=Ref(VPC),
        RouteTableIds=[Ref(STORAGE_RTB)],
        ServiceName=Sub('com.amazonaws.${AWS::Region}.s3'),
        VpcEndpointType='Gateway')
    RESOURCES = []
    for count in az_count:
        resource = TPL.add_resource(EIP(f'Eip{count}', Domain='vpc'))
        RESOURCES.append(resource)
    TPL.add_resource(APP_S3_ENDPOINT)
    TPL.add_resource(PUBLIC_S3_ENDPOINT)
    TPL.add_resource(STORAGE_S3_ENDPOINT)
    SG_RULES = []
    for subnet in layers['app']:
        RULE = SecurityGroupRule(
            IpProtocol="tcp",
            FromPort="443",
            ToPort="443",
            CidrIp=subnet,
        )
        SG_RULES.append(RULE)

    ENDPOINT_SG = TPL.add_resource(
        SecurityGroup(
            'VpcEndpointSecurityGroup',
            VpcId=Ref(VPC),
            GroupDescription='SG for all Interface VPC Endpoints',
            SecurityGroupIngress=SG_RULES,
            Tags=Tags(Name="sg-endpoints"),
        ))

    APP_SNS_ENDPOINT = VPCEndpoint(
        'AppSNSEndpoint',
        VpcId=Ref(VPC),
        SubnetIds=[Ref(subnet) for subnet in APP_SUBNETS],
        SecurityGroupIds=[GetAtt(ENDPOINT_SG, 'GroupId')],
        ServiceName=Sub('com.amazonaws.${AWS::Region}.sns'),
        VpcEndpointType='Interface',
        PrivateDnsEnabled=True)
    TPL.add_resource(APP_SNS_ENDPOINT)

    APP_SQS_ENDPOINT = VPCEndpoint(
        'AppSQSEndpoint',
        VpcId=Ref(VPC),
        SubnetIds=[Ref(subnet) for subnet in APP_SUBNETS],
        SecurityGroupIds=[GetAtt(ENDPOINT_SG, 'GroupId')],
        ServiceName=Sub('com.amazonaws.${AWS::Region}.sqs'),
        VpcEndpointType='Interface',
        PrivateDnsEnabled=True)
    TPL.add_resource(APP_SQS_ENDPOINT)

    APP_ECR_API_ENDPOINT = VPCEndpoint(
        'AppECRAPIEndpoint',
        VpcId=Ref(VPC),
        SubnetIds=[Ref(subnet) for subnet in APP_SUBNETS],
        SecurityGroupIds=[GetAtt(ENDPOINT_SG, 'GroupId')],
        ServiceName=Sub('com.amazonaws.${AWS::Region}.ecr.api'),
        VpcEndpointType='Interface',
        PrivateDnsEnabled=True)
    TPL.add_resource(APP_ECR_API_ENDPOINT)

    APP_ECR_DKR_ENDPOINT = VPCEndpoint(
        'AppECRDKREndpoint',
        VpcId=Ref(VPC),
        SubnetIds=[Ref(subnet) for subnet in APP_SUBNETS],
        SecurityGroupIds=[GetAtt(ENDPOINT_SG, 'GroupId')],
        ServiceName=Sub('com.amazonaws.${AWS::Region}.ecr.dkr'),
        VpcEndpointType='Interface',
        PrivateDnsEnabled=True)
    TPL.add_resource(APP_ECR_DKR_ENDPOINT)

    APP_SECRETS_MANAGER_ENDPOINT = VPCEndpoint(
        'AppSecretsManagerEndpoint',
        VpcId=Ref(VPC),
        SubnetIds=[Ref(subnet) for subnet in APP_SUBNETS],
        SecurityGroupIds=[GetAtt(ENDPOINT_SG, 'GroupId')],
        ServiceName=Sub('com.amazonaws.${AWS::Region}.secretsmanager'),
        VpcEndpointType='Interface',
        PrivateDnsEnabled=True)
    TPL.add_resource(APP_SECRETS_MANAGER_ENDPOINT)

    APP_SSM_ENDPOINT = VPCEndpoint(
        'AppSSMEndpoint',
        VpcId=Ref(VPC),
        SubnetIds=[Ref(subnet) for subnet in APP_SUBNETS],
        SecurityGroupIds=[GetAtt(ENDPOINT_SG, 'GroupId')],
        ServiceName=Sub('com.amazonaws.${AWS::Region}.ssm'),
        VpcEndpointType='Interface',
        PrivateDnsEnabled=True)
    TPL.add_resource(APP_SSM_ENDPOINT)

    APP_SSM_MESSAGES_ENDPOINT = VPCEndpoint(
        'AppSSMMessagesEndpoint',
        VpcId=Ref(VPC),
        SubnetIds=[Ref(subnet) for subnet in APP_SUBNETS],
        SecurityGroupIds=[GetAtt(ENDPOINT_SG, 'GroupId')],
        ServiceName=Sub('com.amazonaws.${AWS::Region}.ssmmessages'),
        VpcEndpointType='Interface',
        PrivateDnsEnabled=True)
    TPL.add_resource(APP_SSM_MESSAGES_ENDPOINT)

    ################################################################################
    #
    # OUTPUTS
    #
    TPL.add_output(object_outputs(VPC, name_is_id=True))
    TPL.add_output(object_outputs(APP_SQS_ENDPOINT, name_is_id=True))
    TPL.add_output(object_outputs(APP_SNS_ENDPOINT, name_is_id=True))
    TPL.add_output(
        comments_outputs([{
            'EIP':
            Join(',',
                 [GetAtt(resource, "AllocationId") for resource in RESOURCES])
        }, {
            'PublicSubnets':
            Join(',', [Ref(subnet) for subnet in PUBLIC_SUBNETS])
        }, {
            'StorageSubnets':
            Join(',', [Ref(subnet) for subnet in STORAGE_SUBNETS])
        }, {
            'ApplicationSubnets':
            Join(',', [Ref(subnet) for subnet in APP_SUBNETS])
        }, {
            'StackName': Ref('AWS::StackName')
        }, {
            'VpcZoneId': Ref(DNS_HOSTED_ZONE)
        }]))
    return TPL
コード例 #9
0
    def hosted_zone_vpc(hz_vpc_title, vpcid, vpc_region):

        hostedzonevpc = HostedZoneVPCs(VPCId=vpcid, VPCRegion=vpc_region)

        return hostedzonevpc