def add_gateways(self)->IVpcEndpointsForAWSServices:
for svc in ['s3', 'dynamodb']:
self.gateways[svc] = ec2.GatewayVpcEndpoint(
self, svc,
vpc=self.vpc,
service=ec2.GatewayVpcEndpointAwsService(
name=svc))
return self
def vpc_creation(self, name_extension, conf, stage):
resource_name = name_extension + "-vpc.main"
self.vpc = _ec2.Vpc(
self,
resource_name,
cidr=conf[stage]["vpc_cidr"],
max_azs=conf[stage]["vpc_az"],
nat_gateway_provider=_ec2.NatProvider.gateway(),
nat_gateways=conf[stage]["nat_gateways_num"],
subnet_configuration=[
_ec2.SubnetConfiguration(
subnet_type=_ec2.SubnetType.PUBLIC,
name="Public",
cidr_mask=conf[stage]["subnet_cidr_mask"]),
_ec2.SubnetConfiguration(
subnet_type=_ec2.SubnetType.PRIVATE,
name="Private",
cidr_mask=conf[stage]["subnet_cidr_mask"]),
],
)
endpoints_list = [
("logs", _ec2.InterfaceVpcEndpointAwsService.CLOUDWATCH_LOGS),
("ecr", _ec2.InterfaceVpcEndpointAwsService.ECR),
("ecr_dk", _ec2.InterfaceVpcEndpointAwsService.ECR_DOCKER),
]
for ep_str, svc in endpoints_list:
ep = _ec2.InterfaceVpcEndpoint(
self,
ep_str,
vpc=self.vpc,
service=svc,
subnets={"subnet_type": _ec2.SubnetType.PRIVATE})
self.objects_list.append(ep)
self.s3_ep = _ec2.GatewayVpcEndpoint(
self,
"s3",
vpc=self.vpc,
service=_ec2.GatewayVpcEndpointAwsService.S3,
subnets=[
_ec2.SubnetSelection(subnet_type=_ec2.SubnetType.PRIVATE)
])
self.objects_list.append(self.s3_ep)
self.objects_list.append(self.vpc)
core.Tag.add(self.vpc, "Name", conf[stage]["vpc_name"])
def __init__(self, scope: core.Construct, id: str, vpc: ec2.IVpc,
**kwargs) -> None:
super().__init__(scope, id, **kwargs)
self.security_group = ec2.SecurityGroup(
self,
'EndpointSecurity',
vpc=vpc,
allow_all_outbound=True,
description='SG for AWS Resources in isolated subnet')
self.security_group.add_ingress_rule(
peer=ec2.Peer.any_ipv4(),
connection=ec2.Port(protocol=ec2.Protocol.ALL,
string_representation='Any source'))
self.gateways = {}
for svc in ['s3', 'dynamodb']:
self.gateways[svc] = ec2.GatewayVpcEndpoint(
self,
svc,
vpc=vpc,
service=ec2.GatewayVpcEndpointAwsService(name=svc))
self.interfaces = {}
for svc in [
'ssm', 'ec2messages', 'ec2', 'ssmmessages', 'kms',
'elasticloadbalancing', 'elasticfilesystem', 'lambda',
'states', 'events', 'execute-api', 'kinesis-streams',
'kinesis-firehose', 'logs', 'sns', 'sqs', 'secretsmanager',
'config', 'ecr.api', 'ecr.dkr'
]:
self.interfaces[svc] = ec2.InterfaceVpcEndpoint(
self,
svc,
vpc=vpc,
service=ec2.InterfaceVpcEndpointAwsService(name=svc),
open=True,
private_dns_enabled=True,
lookup_supported_azs=False,
security_groups=[self.security_group])
def __init__(self, scope: core.Construct, id: str, vpc_id: str, az_cidr: dict, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
self._subnets = []
stack_id = id
for az in az_cidr.keys():
cidr_per_zone=az_cidr.get(az)
for cidr in cidr_per_zone:
subnet = ec2.Subnet(
self,
id=stack_id+"-"+az,
availability_zone=az,
cidr_block=cidr,
vpc_id=vpc_id,
map_public_ip_on_launch=False
)
self.add(subnet)
vpc = ec2.Vpc.from_lookup(self, "VPC", vpc_id=vpc_id)
selected_subnets = ec2.SubnetSelection(subnets=self._subnets)
ec2.InterfaceVpcEndpoint(self, stack_id+"ec2",
vpc=vpc,
service=ec2.InterfaceVpcEndpointAwsService.E_C2,
subnets=selected_subnets
)
ec2.InterfaceVpcEndpoint(self, stack_id+"ecr",
vpc=vpc,
service=ec2.InterfaceVpcEndpointAwsService.ECR,
subnets=selected_subnets
)
ec2.InterfaceVpcEndpoint(self, stack_id+"drk",
vpc=vpc,
service=ec2.InterfaceVpcEndpointAwsService.ECR_DOCKER,
subnets=selected_subnets
)
ec2.GatewayVpcEndpoint(self, stack_id+"s3",
vpc=vpc,
service=ec2.GatewayVpcEndpointAwsService.S3,
subnets=[selected_subnets]
)
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
# Create a new ECR Repository
repo = ecr.Repository(
self, 'Repository'
)
# Reference the existing VPC with the name EnvironmentStack/VPC
vpc = ec2.Vpc.from_lookup(self, 'VPC', vpc_name='EnvironmentStack/VPC')
jsonPolicyDocument = {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:*",
"cloudtrail:LookupEvents"
],
"Resource": repo.repository_arn,
"Condition": {
"StringEquals": {
"aws:SourceVpc": vpc.vpc_id
}
}
},
{
"Effect": "Allow",
"Action": "ecr:GetAuthorizationToken",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:SourceVpc": vpc.vpc_id
}
}
}
]
}
policyDocument=iam.PolicyDocument.from_json(jsonPolicyDocument)
# Create an IAM Role that has full access to this repository - but only from this VPC
ecrAccessRole = iam.Role(
self, "ECRAccessRole",
assumed_by=iam.CompositePrincipal(
iam.ServicePrincipal("codebuild.amazonaws.com"),
iam.ServicePrincipal("ec2.amazonaws.com")
),
inline_policies=[policyDocument]
)
instance_profile = iam.CfnInstanceProfile(
self, "InstanceProfile",
roles=[ecrAccessRole.role_name]
)
# Create a security group for our endpoints
security_group = ec2.SecurityGroup(
self, "ECR-SG",
vpc=vpc,
allow_all_outbound=True
)
# Allow 443 inbound on our Security Group
security_group.add_ingress_rule(
ec2.Peer.ipv4(vpc.vpc_cidr_block),
ec2.Port.tcp(443)
)
# Create VPC Endpoint for ECR API
ecrEndpoint = ec2.InterfaceVpcEndpoint(
self, 'ecr',
service=ec2.InterfaceVpcEndpointAwsService.ECR,
private_dns_enabled=True,
vpc=vpc,
security_groups=[security_group],
subnets=ec2.SubnetSelection(
subnet_type=ec2.SubnetType.PRIVATE
)
)
# Create VPC Endpoint for ECR Docker
ecrEndpointDocker = ec2.InterfaceVpcEndpoint(
self, 'ecrdkr',
service=ec2.InterfaceVpcEndpointAwsService.ECR_DOCKER,
private_dns_enabled=True,
vpc=vpc,
security_groups=[security_group],
subnets=ec2.SubnetSelection(
subnet_type=ec2.SubnetType.PRIVATE
)
)
# Create Gateway Endpoint for S3
s3Endpoint = ec2.GatewayVpcEndpoint(
self, 's3',
service=ec2.GatewayVpcEndpointAwsService.S3,
vpc=vpc,
subnets=[ec2.SubnetSelection(
subnet_type=ec2.SubnetType.PRIVATE
)]
)