def __init__(self, scope: core.Construct, id: str, vpc, asg_security_groups, **kwargs) -> None: super().__init__(scope, id, **kwargs) # Creat DB Low Level API - MySQL M-AZs db_security_group = ec2.CfnSecurityGroup( self, "dbSG", group_description="All EC2 access DB", group_name="DB_SG", vpc_id=vpc.vpc_id) for asg_sg in asg_security_groups: ec2.CfnSecurityGroupIngress( self, "SG_ingress", ip_protocol="tcp", description="ASG EC2 access DB", to_port=3306, from_port=3306, group_id=db_security_group.attr_group_id, source_security_group_id=asg_sg.security_group_id) subnet_ids = [] for i in vpc.isolated_subnets: subnet_ids.append(i.subnet_id) db_subnet_group = rds.CfnDBSubnetGroup( self, "db_subnet", db_subnet_group_description="DB_subnet", db_subnet_group_name="db_subnet", subnet_ids=subnet_ids) db_mysql = rds.CfnDBInstance( self, "MyDB", db_name="mysqldb", db_instance_class="db.t2.small", allocated_storage="100", storage_type="gp2", engine="MySQL", engine_version="5.7.22", master_username=db_master_username, master_user_password=db_master_user_password, multi_az=True, vpc_security_groups=[db_security_group.attr_group_id], db_subnet_group_name=db_subnet_group.db_subnet_group_name, backup_retention_period=7, allow_major_version_upgrade=False, enable_cloudwatch_logs_exports=[ "audit", "error", "general", "slowquery" ], delete_automated_backups=False) db_mysql.add_depends_on(db_subnet_group) db_mysql.add_depends_on(db_security_group)
def create_rds_cluster(scope: core.Construct, stack_name: str, vpc: IVpc, database_name: str, database_username: str, datbase_password: str, database_encrypted: bool): subnet_ids = [] for subnet in vpc.private_subnets: subnet_ids.append(subnet.subnet_id) db_subnet_group = rds.CfnDBSubnetGroup( scope=scope, id='dbSubnetGroup', db_subnet_group_description='Subnet group to access RDS', db_subnet_group_name=stack_name, subnet_ids=subnet_ids, ) db_scurity_group = ec2.SecurityGroup( scope=scope, id='dbSecurityGroup', vpc=vpc, allow_all_outbound=True, description=stack_name, ) db_scurity_group.add_ingress_rule(ec2.Peer.any_ipv4(), ec2.Port.tcp(5432)) database = rds.CfnDBCluster( scope=scope, id='database', database_name=database_name, db_cluster_identifier=stack_name, engine=rds.DatabaseInstanceEngine.POSTGRES, engine_mode='serverless', master_username=database_username, master_user_password=core.SecretValue.plain_text( datbase_password).to_string(), port=5432, db_subnet_group_name=db_subnet_group.db_subnet_group_name, vpc_security_group_ids=[db_scurity_group.security_group_id], storage_encrypted=database_encrypted, scaling_configuration=rds.CfnDBCluster.ScalingConfigurationProperty( auto_pause=True, max_capacity=2, min_capacity=1, seconds_until_auto_pause=3600, )) database.add_depends_on(db_subnet_group) return database
def __init__(self, scope: core.Construct, id: str, secret_param, db_param, vpc, **kwargs) -> None: super().__init__(scope, id, **kwargs) secret = rds.DatabaseSecret(self,id="MasterUserSecret",username='******') ssm.StringParameter(self, "Secrete_Parameter", parameter_name=secret_param, string_value= secret.secret_arn) dbSubnetGroup = rds.CfnDBSubnetGroup (self, 'AuroraSubnetGroup', db_subnet_group_description = 'Subnet group to access aurora', subnet_ids = vpc.subnet_list, db_subnet_group_name = 'aurora-subnet-group' ) self.aurora_serverless = rds.CfnDBCluster(self, 'Serverless DB', master_username=secret.secret_value_from_json("username").to_string(), master_user_password=secret.secret_value_from_json("password").to_string(), engine = 'aurora', engine_mode = 'serverless', enable_http_endpoint = True, db_subnet_group_name = dbSubnetGroup.db_subnet_group_name, port = 3306, vpc_security_group_ids = [vpc.security_group.security_group_id], scaling_configuration=rds.CfnDBCluster.ScalingConfigurationProperty( auto_pause=True, min_capacity=1, max_capacity=2, seconds_until_auto_pause=300 ) ) self.aurora_serverless.node.add_dependency(dbSubnetGroup) self.aurora_serverless.node.add_dependency(vpc.security_group) secret_attached = sm.CfnSecretTargetAttachment( self, id="secret_attachment", secret_id=secret.secret_arn, target_id=self.aurora_serverless.ref, target_type="AWS::RDS::DBCluster", ) secret_attached.node.add_dependency(self.aurora_serverless) cluster_arn= "arn:aws:rds:{}:{}:cluster:{}".format(self.region,self.account,self.aurora_serverless.ref) ssm.StringParameter(self, "Database_Parameter", parameter_name=db_param, string_value= cluster_arn)
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: super().__init__(scope, id, **kwargs) # Exercise 9 db_password_parameters = core.CfnParameter( self, "DBPassword", no_echo=True, description="New account and RDS password", min_length=1, max_length=41, constraint_description= "the password must be between 1 and 41 characters", default="DBPassword") # DBSecurityGroup: db_security_group = ec2.CfnSecurityGroup( self, "DBSecurityGroup", group_description="DB traffic", vpc_id=core.Fn.import_value("VPC"), security_group_ingress=[{ "ipProtocol": "tcp", "fromPort": 3306, "toPort": 3306, "sourceSecurityGroupId": core.Fn.import_value("WebSecurityGroupOutput"), }, { "ipProtocol": "tcp", "fromPort": 3306, "toPort": 3306, "sourceSecurityGroupId": core.Fn.import_value("EdxProjectCloud9Sg"), }, { "ipProtocol": "tcp", "fromPort": 3306, "toPort": 3306, "sourceSecurityGroupId": core.Fn.import_value("LambdaSecurityGroupOutput"), }], security_group_egress=[{ "ipProtocol": "tcp", "fromPort": 0, "toPort": 65535, "cidrIp": "0.0.0.0/0" }], ) # MyDBSubnetGroup my_db_subnet_group = rds.CfnDBSubnetGroup( self, "DBSubnetGroup", db_subnet_group_description="MyDBSubnetGroup", subnet_ids=[ core.Fn.import_value("PrivateSubnet1"), core.Fn.import_value("PrivateSubnet2") ]) # RDSCluster rds_cluster = rds.CfnDBCluster( self, "RDSCluster", db_cluster_identifier="edx-photos-db", database_name="Photos", master_username="******", master_user_password=db_password_parameters.value_as_string, engine_mode="serverless", scaling_configuration={ "autoPause": True, "maxCapacity": 4, "minCapacity": 2 }, engine="aurora", db_subnet_group_name=my_db_subnet_group.ref, vpc_security_group_ids=[db_security_group.ref]) rds_cluster.apply_removal_policy(core.RemovalPolicy.DESTROY) # Output core.CfnOutput(self, "MyDBEndpoint", value=rds_cluster.attr_endpoint_address, description="MyDB Endpoint", export_name="MyDBEndpoint")
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: super().__init__(scope, id, **kwargs) # The code that defines your stack goes here # Create a VPC myvpc = ec2.Vpc(self, "CDKVPC", cidr=vars.cidr) # SG for ELB creation websitefrontendSG = ec2.SecurityGroup( self, 'websitefrontendSG', vpc=myvpc, security_group_name='websitefrontendSG') websitefrontendSG.add_ingress_rule(peer=ec2.Peer.ipv4('0.0.0.0/0'), connection=ec2.Port.tcp(80)) websitefrontendSG.add_ingress_rule(peer=ec2.Peer.ipv4('0.0.0.0/0'), connection=ec2.Port.tcp(443)) # Create ALB in VPC alb = elb.ApplicationLoadBalancer( self, 'websitefrontend-public', vpc=myvpc, load_balancer_name='websitefrontend-public', security_group=websitefrontendSG, internet_facing=True) # Add target group to ALB catalogtargetgroup = elb.ApplicationTargetGroup( self, 'CatalogTargetGroup', port=80, vpc=myvpc, target_type=elb.TargetType.IP) if not vars.sslcert: # Add http listener to ALB alblistenerhttp = elb.ApplicationListener( self, 'alblistenerhttp', load_balancer=alb, default_target_groups=[catalogtargetgroup], port=80) if vars.sslcert: # Add http listener to ALB alblistenerhttp = elb.ApplicationListener(self, 'alblistenerhttp', load_balancer=alb, port=80) elb.ApplicationListenerRule(self, 'httpredirectionrule', listener=alblistenerhttp, redirect_response=elb.RedirectResponse( status_code='HTTP_301', port='443', protocol='HTTPS')) # OPTIONAL - Add https listener to ALB & attach certificate alblistenerhttps = elb.ApplicationListener( self, 'alblistenerhttps', load_balancer=alb, default_target_groups=[catalogtargetgroup], port=443, certificate_arns=[vars.sslcert_arn]) # OPTIONAL - Redirect HTTP to HTTPS alblistenerhttp.add_redirect_response(id='redirectionrule', port='443', status_code='HTTP_301', protocol='HTTPS') if vars.customdomain: # OPTIONAL - Update DNS with ALB webshopxyz_zone = r53.HostedZone.from_hosted_zone_attributes( self, id='customdomain', hosted_zone_id=vars.hosted_zone_id, zone_name=vars.zone_name) webshop_root_record = r53.ARecord( self, 'ALBAliasRecord', zone=webshopxyz_zone, target=r53.RecordTarget.from_alias( alias.LoadBalancerTarget(alb))) # SG for ECS creation ECSSG = ec2.SecurityGroup(self, 'ECSSecurityGroup', vpc=myvpc, security_group_name='ECS') ECSSG.add_ingress_rule(peer=websitefrontendSG, connection=ec2.Port.tcp(80)) # SG for MySQL creation MySQLSG = ec2.SecurityGroup(self, 'DBSecurityGroup', vpc=myvpc, security_group_name='DB') MySQLSG.add_ingress_rule(peer=ECSSG, connection=ec2.Port.tcp(3306)) # Create DB subnet group subnetlist = [] for subnet in myvpc.private_subnets: subnetlist.append(subnet.subnet_id) subnetgr = rds.CfnDBSubnetGroup( self, 'democlustersubnetgroup', db_subnet_group_name='democlustersubnetgroup', db_subnet_group_description='DemoCluster', subnet_ids=subnetlist) # Create secret db passwd secret = sm.SecretStringGenerator( exclude_characters="\"'@/\\", secret_string_template='{"username": "******"}', generate_string_key='password', password_length=40) dbpass = sm.Secret(self, 'democlusterpass', secret_name='democlusterpass', generate_secret_string=secret) # Create Aurora serverless MySQL instance dbcluster = rds.CfnDBCluster( self, 'DemoCluster', engine='aurora', engine_mode='serverless', engine_version='5.6', db_cluster_identifier='DemoCluster', master_username=dbpass.secret_value_from_json( 'username').to_string(), master_user_password=dbpass.secret_value_from_json( 'password').to_string(), storage_encrypted=True, port=3306, vpc_security_group_ids=[MySQLSG.security_group_id], scaling_configuration=rds.CfnDBCluster. ScalingConfigurationProperty(auto_pause=True, max_capacity=4, min_capacity=1, seconds_until_auto_pause=300), db_subnet_group_name=subnetgr.db_subnet_group_name) dbcluster.add_override('DependsOn', 'democlustersubnetgroup') # Attach database to secret attach = sm.CfnSecretTargetAttachment( self, 'RDSAttachment', secret_id=dbpass.secret_arn, target_id=dbcluster.ref, target_type='AWS::RDS::DBCluster') # Upload image into ECR repo ecrdemoimage = ecra.DockerImageAsset(self, 'ecrdemoimage', directory='../', repository_name='demorepo', exclude=['cdk.out']) # Create ECS fargate cluster ecscluster = ecs.Cluster(self, "ecsCluster", vpc=myvpc) # Create task role for productsCatalogTask getsecretpolicystatement = iam.PolicyStatement(actions=[ "secretsmanager:GetResourcePolicy", "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret", "secretsmanager:ListSecretVersionIds" ], resources=[ dbpass.secret_arn ], effect=iam.Effect.ALLOW) getsecretpolicydocument = iam.PolicyDocument( statements=[getsecretpolicystatement]) taskrole = iam.Role( self, 'TaskRole', assumed_by=iam.ServicePrincipal('ecs-tasks.amazonaws.com'), role_name='TaskRoleforproductsCatalogTask', inline_policies=[getsecretpolicydocument]) # Create task definition taskdefinition = ecs.FargateTaskDefinition(self, 'productsCatalogTask', cpu=1024, memory_limit_mib=2048, task_role=taskrole) # Add container to task definition productscatalogcontainer = taskdefinition.add_container( 'productscatalogcontainer', image=ecs.ContainerImage.from_docker_image_asset( asset=ecrdemoimage), environment={ "region": vars.region, "secretname": "democlusterpass" }) productscatalogcontainer.add_port_mappings( ecs.PortMapping(container_port=80, host_port=80)) # Create service and associate it with the cluster catalogservice = ecs.FargateService( self, 'catalogservice', task_definition=taskdefinition, assign_public_ip=False, security_group=ECSSG, vpc_subnets=ec2.SubnetSelection(subnets=myvpc.select_subnets( subnet_type=ec2.SubnetType.PRIVATE).subnets), cluster=ecscluster, desired_count=2) # Add autoscaling to the service scaling = catalogservice.auto_scale_task_count(max_capacity=20, min_capacity=1) scaling.scale_on_cpu_utilization( 'ScaleOnCPU', target_utilization_percent=70, scale_in_cooldown=core.Duration.seconds(amount=1), scale_out_cooldown=core.Duration.seconds(amount=0)) # Associate the fargate service with load balancer targetgroup catalogservice.attach_to_application_target_group(catalogtargetgroup)
def __init__(self, scope: core.Construct, id: str, vpc, **kwargs) -> None: super().__init__(scope, id, **kwargs) db_master_user_name = "admin_user" secret = rds.DatabaseSecret(self, id="MasterUserSecret", username=db_master_user_name) subnet_ids = [] for subnet in vpc.isolated_subnets: subnet_ids.append(subnet.subnet_id) subnet_group = rds.CfnDBSubnetGroup( self, id="AuroraServerlessSubnetGroup", db_subnet_group_description= 'Aurora Postgres Serverless Subnet Group', subnet_ids=subnet_ids, db_subnet_group_name= 'auroraserverlesssubnetgroup' # needs to be all lowercase ) db_cluster_name = "aurora-serverless-postgres-db" security_group = ec2.SecurityGroup( self, id="SecurityGroup", vpc=vpc, description="Allow ssh access to ec2 instances", allow_all_outbound=True) security_group.add_ingress_rule(ec2.Peer.ipv4('10.0.0.0/16'), ec2.Port.tcp(5432), "allow psql through") self.db = rds.CfnDBCluster( self, id="AuroraServerlessDB", engine=rds.DatabaseClusterEngine.AURORA_POSTGRESQL.name, engine_mode="serverless", db_subnet_group_name=subnet_group.db_subnet_group_name, vpc_security_group_ids=[security_group.security_group_id], availability_zones=vpc.availability_zones, db_cluster_identifier=db_cluster_name, #db_cluster_parameter_group_name= database_name="slsdb", master_username=secret.secret_value_from_json( "username").to_string(), master_user_password=secret.secret_value_from_json( "password").to_string(), port=5432, deletion_protection=False, scaling_configuration=rds.CfnDBCluster. ScalingConfigurationProperty(auto_pause=True, min_capacity=2, max_capacity=16, seconds_until_auto_pause=300), enable_cloudwatch_logs_exports=[ "error", "general", "slowquery", "audit" ], enable_http_endpoint=True #kms_key_id= #tags= ) self.db.node.add_dependency(subnet_group) self.db.node.add_dependency(security_group) #secret_attached = secret.attach(target=self) #secret.add_target_attachment(id="secret_attachment", target=self.db) secret_attached = sm.CfnSecretTargetAttachment( self, id="secret_attachment", secret_id=secret.secret_arn, target_id=self.db.ref, target_type="AWS::RDS::DBCluster", ) secret_attached.node.add_dependency(self.db) core.CfnOutput( self, id="StackName", value=self.stack_name, description="Stack Name", export_name= f"{self.region}:{self.account}:{self.stack_name}:stack-name") core.CfnOutput( self, id="DatabaseName", value=self.db.database_name, description="Database Name", export_name= f"{self.region}:{self.account}:{self.stack_name}:database-name") core.CfnOutput( self, id="DatabaseClusterArn", value= f"arn:aws:rds:{self.region}:{self.account}:cluster:{self.db.ref}", description="Database Cluster Arn", export_name= f"{self.region}:{self.account}:{self.stack_name}:database-cluster-arn" ) core.CfnOutput( self, id="DatabaseSecretArn", value=secret.secret_arn, description="Database Secret Arn", export_name= f"{self.region}:{self.account}:{self.stack_name}:database-secret-arn" ) core.CfnOutput( self, id="DatabaseClusterID", value=self.db.db_cluster_identifier, description="Database Cluster Id", export_name= f"{self.region}:{self.account}:{self.stack_name}:database-cluster-id" ) core.CfnOutput( self, id="AuroraEndpointAddress", value=self.db.attr_endpoint_address, description="Aurora Endpoint Address", export_name= f"{self.region}:{self.account}:{self.stack_name}:aurora-endpoint-address" ) core.CfnOutput( self, id="DatabaseMasterUserName", value=db_master_user_name, description="Database Master User Name", export_name= f"{self.region}:{self.account}:{self.stack_name}:database-master-username" )
def __init__(self, scope: core.Construct, id: str, vpc, public_subnet_a, public_subnet_c, public_subnet_d, ec2_sg_id, **kwargs) -> None: super().__init__(scope, id, **kwargs) prefix = "test" # print(ec2_sg_id.ref) # RdsSecurityGroup RdsSecurityGroupStg = ec2.CfnSecurityGroup(self, "RdsSecurityGroupStg", group_name = 'stg-'+prefix+'-db01', group_description = 'stg-'+prefix+'-db01', vpc_id = vpc.ref, security_group_ingress = [ ec2.CfnSecurityGroup.IngressProperty( ip_protocol="tcp", to_port=3306, from_port=3306, cidr_ip='0.0.0.0/0', ), ec2.CfnSecurityGroup.IngressProperty( ip_protocol="tcp", to_port=3306, from_port=3306, source_security_group_id=ec2_sg_id.ref, ), ], security_group_egress = [ { "ipProtocol" : "tcp", "fromPort" : 0, "toPort" : 65535, "cidrIp" : "0.0.0.0/0" } ], ) # MyDBSubnetGroup rds_subnet_group = rds.CfnDBSubnetGroup(self, "DBSubnetGroup", db_subnet_group_description = "DBSubnetGroup", subnet_ids = [ public_subnet_a.ref, public_subnet_c.ref, public_subnet_d.ref ] ) DBParameterGroupStg = rds.CfnDBParameterGroup(self, "DBParameterGroupStg", description = 'stg-'+prefix+'db01', family = "MySQL5.6", parameters = { 'character_set_client': "utf8", 'character_set_connection': "utf8", 'character_set_database': "utf8", 'character_set_results': "utf8", 'character_set_server': "utf8", 'collation_connection': "utf8_general_ci", 'collation_server': "utf8_general_ci", 'long_query_time': "1.2", 'slow_query_log': "1", 'time_zone': "Asia/Tokyo", }, tags=[ core.CfnTag(key="Name", value='stg-'+prefix+'db01') ] ) rds_params = { 'db_instance_identifier': "stg-test-db01", 'engine': "mysql", 'engine_version': '5.6.39', 'db_instance_class': 'db.t3.micro', 'allocated_storage': '5', 'storage_type': 'gp2', 'db_name': "test", 'master_username': "******", 'master_user_password': "******", 'db_subnet_group_name' : rds_subnet_group.ref, 'publicly_accessible': False, 'multi_az': False, 'preferred_backup_window': "18:00-18:30", 'preferred_maintenance_window': "sat:19:00-sat:19:30", 'auto_minor_version_upgrade': False, 'db_parameter_group_name': DBParameterGroupStg.ref, 'vpc_security_groups': [RdsSecurityGroupStg.ref], 'copy_tags_to_snapshot': True, 'backup_retention_period': 7, # 'enable_performance_insights': True, 'delete_automated_backups': True, 'deletion_protection': False, 'availability_zone': "us-east-1a", 'enable_cloudwatch_logs_exports': ["error","slowquery"] # 'storage_encrypted': False, } self.rds = rds.CfnDBInstance(self, 'staff-rds', **rds_params, tags=[ core.CfnTag(key="Name", value='stg-'+prefix+'db01') ] ) core.CfnOutput(self, "OutputVpc", value=vpc.ref) core.CfnOutput(self, "OutputRds", value=self.rds.ref)
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: super().__init__(scope, id, **kwargs) ### VPC and subnets vpc = ec2.Vpc(self, "vpc", cidr="172.20.0.0/24", nat_gateways=0, max_azs=2, enable_dns_hostnames=True, enable_dns_support=True, subnet_configuration=[ ec2.SubnetConfiguration( cidr_mask=26, name="roundcube", subnet_type=ec2.SubnetType.PUBLIC) ]) ### Define an image and create instance amzn_linux = ec2.MachineImage.latest_amazon_linux( generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2, edition=ec2.AmazonLinuxEdition.STANDARD, virtualization=ec2.AmazonLinuxVirt.HVM, storage=ec2.AmazonLinuxStorage.GENERAL_PURPOSE) # Import role route53_role = iam.Role.from_role_arn( self, "role_id", "arn:aws:iam::585823398980:role/ec2WriteOvpnZone") instance = ec2.Instance(self, "instance", instance_type=ec2.InstanceType("t3a.nano"), machine_image=amzn_linux, vpc=vpc, role=route53_role, key_name="roundcube-key") instance.connections.allow_from(ec2.Peer.ipv4("109.255.202.235/32"), ec2.Port.tcp(22), "Allow ssh") instance.connections.allow_from(ec2.Peer.ipv4("109.255.202.235/32"), ec2.Port.tcp(443), "Allow HTTPS") ### Aurora cluster aurora_secret = sm.Secret( self, "secret", generate_secret_string=sm.SecretStringGenerator( generate_string_key="password", secret_string_template='{"username": "******"}', exclude_punctuation=True, password_length=30)) # no l2 construct for serverless yet db_subnet_list = [] for sn in vpc.public_subnets: db_subnet_list.append(sn.subnet_id) db_subnets = rds.CfnDBSubnetGroup( self, "db-subnet-group", db_subnet_group_description="subnet group", subnet_ids=db_subnet_list) rds.CfnDBCluster( self, "db-cluster", database_name="roundcube", db_cluster_identifier="serverless-cluster", master_username=aurora_secret.secret_value_from_json( 'username').to_string(), master_user_password=aurora_secret.secret_value_from_json( 'password').to_string(), engine="aurora", engine_mode="serverless", enable_http_endpoint=True, scaling_configuration=rds.CfnDBCluster. ScalingConfigurationProperty( auto_pause=True, min_capacity=1, max_capacity=1, seconds_until_auto_pause=900, ), deletion_protection=False, db_subnet_group_name=db_subnets.ref) # rds.DatabaseCluster(self, "aurora_cluster", # engine = rds.DatabaseClusterEngine.aurora_postgres(version = rds.AuroraPostgresEngineVersion.VER_11_7), # default_database_name = "roundcube", # #parameter_group = pgroup, # master_user = rds.Login(username = "******"), # removal_policy = core.RemovalPolicy.DESTROY, # instance_props = rds.InstanceProps( # vpc = vpc, # instance_type = ec2.InstanceType.of( # ec2.InstanceClass.MEMORY5, # ec2.InstanceSize.LARGE # ) # ) # ) ### Resource group rg.CfnGroup(self, "env-group", name="roundcube", resource_query=rg.CfnGroup.ResourceQueryProperty( type="TAG_FILTERS_1_0", query=rg.CfnGroup.QueryProperty( resource_type_filters=["AWS::AllSupported"], tag_filters=[ rg.CfnGroup.TagFilterProperty( key="resource-group", values=["roundcube"]) ])))
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: super().__init__(scope, id, **kwargs) prefix = "test" cidr = "192.168.0.0/16" # def name(s): return "{0}/{1}".format(prefix, s) def name(s): return "{0} {1}".format(prefix, s) # VPC self.vpc = ec2.CfnVPC(self, "vpc", cidr_block=cidr, enable_dns_hostnames=True, enable_dns_support=True, tags=[core.CfnTag(key="Name", value=prefix)]) # InternetGateway igw = ec2.CfnInternetGateway( self, "igw", tags=[core.CfnTag(key="Name", value=prefix)]) igw_attachment = ec2.CfnVPCGatewayAttachment( self, "igw_attachment", vpc_id=self.vpc.ref, internet_gateway_id=igw.ref) dhcpoptions = ec2.CfnDHCPOptions( self, "dhcpoptions", domain_name="ec2.internal " + prefix, domain_name_servers=["AmazonProvidedDNS"], tags=[core.CfnTag(key="Name", value=prefix)]) dhcpoptionsassociation = ec2.CfnVPCDHCPOptionsAssociation( self, "dhcpoptionsassociation", dhcp_options_id=dhcpoptions.ref, vpc_id=self.vpc.ref) # PrivateSubnetA # private_subnet_a = ec2.CfnSubnet( # self, "private_a", # vpc_id=vpc.ref, # cidr_block="192.168.0.0/24", # availability_zone="ap-northeast-1a", # tags=[ # core.CfnTag(key="Name", value=name("private_a")) # ] # ) # PrivateSubnetC # private_subnet_c = ec2.CfnSubnet( # self, "private_c", # vpc_id=vpc.ref, # cidr_block="192.168.1.0/24", # availability_zone="ap-northeast-1c", # tags=[ # core.CfnTag(key="Name", value=name("private_c")) # ] # ) # PublicSubnetA self.public_subnet_a = ec2.CfnSubnet( self, "public_a", vpc_id=self.vpc.ref, cidr_block="192.168.0.0/20", # availability_zone="ap-northeast-1a", availability_zone="us-east-1a", tags=[core.CfnTag(key="Name", value=prefix + " public_a")]) # PublicSubnetC self.public_subnet_c = ec2.CfnSubnet( self, "public_c", vpc_id=self.vpc.ref, cidr_block="192.168.16.0/20", availability_zone="us-east-1c", tags=[core.CfnTag(key="Name", value=prefix + " public_c")]) self.public_subnet_d = ec2.CfnSubnet( self, "public_d", vpc_id=self.vpc.ref, cidr_block="192.168.32.0/20", availability_zone="us-east-1d", tags=[core.CfnTag(key="Name", value=prefix + " public_d")]) # EIP1 (for NATGW) # eip1 = ec2.CfnEIP( # self, "eip1", # domain="vpc", # ) # eip1.add_depends_on(igw_attachment) # EIP2 (for NATGW) # eip2 = ec2.CfnEIP( # self, "eip2", # domain="vpc", # ) # eip2.add_depends_on(igw_attachment) # NatGatewayA # natgw_a = ec2.CfnNatGateway( # self, "natgw_a", # allocation_id=eip1.attr_allocation_id, # subnet_id=self.public_subnet_a.ref, # tags=[ # core.CfnTag(key="Name", value=name("natgw_a")) # ] # ) # NatGatewayC # natgw_c = ec2.CfnNatGateway( # self, "natgw_c", # allocation_id=eip2.attr_allocation_id, # subnet_id=public_subnet_c.ref, # tags=[ # core.CfnTag(key="Name", value=name("natgw_c")) # ] # ) # RouteTable of PrivateSubnetA # rtb_private_a = ec2.CfnRouteTable( # self, "rtb_private_a", # vpc_id=vpc.ref, # tags=[ # core.CfnTag(key="Name", value=name("rtb_private_a")) # ] # ) # ec2.CfnSubnetRouteTableAssociation( # self, "rtb_private_a_association", # route_table_id=rtb_private_a.ref, # subnet_id=private_subnet_a.ref # ) # ec2.CfnRoute( # self, "route_private_a", # route_table_id=rtb_private_a.ref, # destination_cidr_block="0.0.0.0/0", # nat_gateway_id=natgw_a.ref # ) # RouteTable of PrivateSubnetC # rtb_private_c = ec2.CfnRouteTable( # self, "rtb_private_c", # vpc_id=vpc.ref, # tags=[ # core.CfnTag(key="Name", value=name("rtb_private_c")) # ] # ) # ec2.CfnSubnetRouteTableAssociation( # self, "rtb_private_c_association", # route_table_id=rtb_private_c.ref, # subnet_id=private_subnet_c.ref # ) # ec2.CfnRoute( # self, "route_private_c", # route_table_id=rtb_private_c.ref, # destination_cidr_block="0.0.0.0/0", # nat_gateway_id=natgw_c.ref # ) # RouteTable of PublicSubnetA self.rtb_public_a = ec2.CfnRouteTable( self, "rtb_public_a", vpc_id=self.vpc.ref, tags=[core.CfnTag(key="Name", value=prefix + "rtb_public_a")]) ec2.CfnSubnetRouteTableAssociation( self, "rtb_public_a_association", route_table_id=self.rtb_public_a.ref, subnet_id=self.public_subnet_a.ref) ec2.CfnSubnetRouteTableAssociation( self, "rtb_public_c_association", route_table_id=self.rtb_public_a.ref, subnet_id=self.public_subnet_c.ref) ec2.CfnSubnetRouteTableAssociation( self, "rtb_public_d_association", route_table_id=self.rtb_public_a.ref, subnet_id=self.public_subnet_d.ref) ec2.CfnRoute(self, "route_public_a", route_table_id=self.rtb_public_a.ref, destination_cidr_block="0.0.0.0/0", gateway_id=igw.ref) # RouteTable of PublicSubnetC # rtb_public_c = ec2.CfnRouteTable( # self, "rtb_public_c", # vpc_id=vpc.ref, # tags=[ # core.CfnTag(key="Name", value=name("rtb_public_c")) # ] # ) # ec2.CfnSubnetRouteTableAssociation( # self, "rtb_public_c_association", # route_table_id=rtb_public_c.ref, # subnet_id=public_subnet_c.ref # ) # ec2.CfnRoute( # self, "route_public_c", # route_table_id=rtb_public_c.ref, # destination_cidr_block="0.0.0.0/0", # gateway_id=igw.ref # ) ami_id = ec2.AmazonLinuxImage(generation=ec2.AmazonLinuxGeneration. AMAZON_LINUX_2).get_image(self).image_id # security_group = ec2.SecurityGroup( # self, # id='test', # vpc=self.vpc, # security_group_name='test-security-group' # ) # security_group.add_ingress_rule( # peer=ec2.Peer.ipv4(cidr), # connection=ec2.Port.tcp(22), # ) # red_web_inst = ec2.CfnInstance(self, # "testInstance01", # image_id = ami_id, # instance_type = "t3a.micro", # monitoring = False, # key_name = "stg-intrinio-www01", # security_group_ids=[security_group.security_group_id], # block_device_mappings = [{ # "deviceName": "/dev/xvda", # "ebs": { # "volumeSize": 10, # "volumeType": "io1", # "iops": 150, # "deleteOnTermination": True # } # } # ], # tags = [ # { "key": "Name", "value": prefix } # ], # network_interfaces = [{ # "deviceIndex": "0", # "associatePublicIpAddress": True, # "subnetId": self.public_subnet_a.ref, # # "groupSet": [web_sg.security_group_id] # }], #https: //github.com/aws/aws-cdk/issues/3419 # ) # RdsSecurityGroup RdsSecurityGroupStg = ec2.CfnSecurityGroup( self, "RdsSecurityGroupStg", group_name='stg-' + prefix + '-db01', group_description='stg-' + prefix + '-db01', vpc_id=self.vpc.ref, security_group_ingress=[{ "ipProtocol": "tcp", "fromPort": 3306, "toPort": 3306, "cidrIp": "0.0.0.0/0" }], security_group_egress=[{ "ipProtocol": "tcp", "fromPort": 0, "toPort": 65535, "cidrIp": "0.0.0.0/0" }], ) # MyDBSubnetGroup rds_subnet_group = rds.CfnDBSubnetGroup( self, "DBSubnetGroup", db_subnet_group_description="DBSubnetGroup", subnet_ids=[ self.public_subnet_a.ref, self.public_subnet_c.ref, self.public_subnet_d.ref ]) DBParameterGroupStg = rds.CfnDBParameterGroup( self, "DBParameterGroupStg", description='stg-' + prefix + 'db01', family="MySQL5.6", parameters={ 'character_set_client': "utf8", 'character_set_connection': "utf8", 'character_set_database': "utf8", 'character_set_results': "utf8", 'character_set_server': "utf8", 'collation_connection': "utf8_general_ci", 'collation_server': "utf8_general_ci", 'long_query_time': "1.2", 'slow_query_log': "1", 'time_zone': "Asia/Tokyo", }, tags=[core.CfnTag(key="Name", value='stg-' + prefix + 'db01')]) rds_params = { 'db_instance_identifier': "stg-test-db01", 'engine': "mysql", 'engine_version': '5.6.39', 'db_instance_class': 'db.t3.micro', 'allocated_storage': '5', 'storage_type': 'gp2', 'db_name': "test", 'master_username': "******", 'master_user_password': "******", 'db_subnet_group_name': rds_subnet_group.ref, 'publicly_accessible': False, 'multi_az': False, 'preferred_backup_window': "18:00-18:30", 'preferred_maintenance_window': "sat:19:00-sat:19:30", 'auto_minor_version_upgrade': False, 'db_parameter_group_name': DBParameterGroupStg.ref, 'vpc_security_groups': [RdsSecurityGroupStg.ref], 'copy_tags_to_snapshot': True, 'backup_retention_period': 7, # 'enable_performance_insights': True, 'delete_automated_backups': True, 'deletion_protection': False, 'availability_zone': "us-east-1a", 'enable_cloudwatch_logs_exports': ["error", "slowquery"] # 'storage_encrypted': False, } self.rds = rds.CfnDBInstance( self, 'staff-rds', **rds_params, tags=[core.CfnTag(key="Name", value='stg-' + prefix + 'db01')]) core.CfnOutput(self, "OutputVpc", value=self.vpc.ref) core.CfnOutput(self, "OutputRds", value=self.rds.ref)
def __init__(self, scope: core.Construct, id: str, **kwargs,) -> None: super().__init__(scope, id, **kwargs) # secrets manager for DB password self.db_secret = secrets.Secret( self, "DBSecret", secret_name=f"{scope.full_app_name}-db-secret", generate_secret_string=secrets.SecretStringGenerator( secret_string_template=json.dumps({"username": "******"}), exclude_punctuation=True, include_space=False, generate_string_key="password", ), ) self.db_secret_arn = ssm.StringParameter( self, "DBSecretArn", parameter_name=f"{scope.full_app_name}-secret-arn", string_value=self.db_secret.secret_arn, ) self.db_security_group = ec2.CfnSecurityGroup( self, "DBSecurityGroup", vpc_id=scope.vpc.vpc_id, group_description="DBSecurityGroup", security_group_ingress=[ ec2.CfnSecurityGroup.IngressProperty( ip_protocol="tcp", to_port=5432, from_port=5432, source_security_group_id=scope.vpc.vpc_default_security_group, ) ], ) self.db_subnet_group = rds.CfnDBSubnetGroup( self, "CfnDBSubnetGroup", subnet_ids=scope.vpc.select_subnets( subnet_type=ec2.SubnetType.ISOLATED ).subnet_ids, db_subnet_group_description=f"{scope.full_app_name}-db-subnet-group", ) self.db_config = { "engine_mode": "serverless", "engine": "aurora-postgresql", "engine_version": "10.7", # "port": 5432, "enable_http_endpoint": True, "master_username": self.db_secret.secret_value_from_json( "username" ).to_string(), "master_user_password": self.db_secret.secret_value_from_json( "password" ).to_string(), "vpc_security_group_ids": [ self.db_security_group.get_att("GroupId").to_string() ], "db_subnet_group_name": self.db_subnet_group.ref, } self.rds_cluster = rds.CfnDBCluster( self, "DBCluster", **self.db_config )
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: super().__init__(scope, id, **kwargs) vpc = ec2.Vpc(self, "VPC") db_master_user_name = os.getenv("DB_USERNAME", "admin_user") self.secret = rds.DatabaseSecret( self, id="MasterUserSecret", username=db_master_user_name ) rds.CfnDBSubnetGroup( self, "rdsSubnetGroup", db_subnet_group_description="private subnets for rds", subnet_ids=vpc.select_subnets( subnet_type=ec2.SubnetType.PRIVATE ).subnet_ids, ) db_name = os.getenv("DB_NAME", "anonfed") self.db = rds.CfnDBCluster( self, "auroraCluster", engine="aurora-mysql", engine_version="5.7.mysql_aurora.2.08.1", db_cluster_parameter_group_name="default.aurora-mysql5.7", # snapshot_identifier="<snapshot_arn>", # your snapshot engine_mode="serverless", scaling_configuration=rds.CfnDBCluster.ScalingConfigurationProperty( auto_pause=True, min_capacity=1, max_capacity=4, seconds_until_auto_pause=300, ), db_subnet_group_name=core.Fn.ref("rdsSubnetGroup"), database_name=db_name, master_username=self.secret.secret_value_from_json("username").to_string(), master_user_password=self.secret.secret_value_from_json( "password" ).to_string(), enable_http_endpoint=True, ) secret_attached = sm.CfnSecretTargetAttachment( self, id="secret_attachment", secret_id=self.secret.secret_arn, target_id=self.db.ref, target_type="AWS::RDS::DBCluster", ) secret_attached.node.add_dependency(self.db) db_ref = f"arn:aws:rds:{self.region}:{self.account}:cluster:{self.db.ref}" migration = SchemaMigrationResource( self, "schemamigration", self.secret.secret_arn, db_name, db_ref ) # Publish the custom resource output core.CfnOutput( self, "ResponseMessage", description="Database Migration", value=migration.response, ) core.CfnOutput( self, id="DatabaseName", value=self.db.database_name, description="Database Name", export_name=f"{self.region}:{self.account}:{self.stack_name}:database-name", ) core.CfnOutput( self, id="DatabaseClusterArn", value=db_ref, description="Database Cluster Arn", export_name=f"{self.region}:{self.account}:{self.stack_name}:database-cluster-arn", ) core.CfnOutput( self, id="DatabaseSecretArn", value=self.secret.secret_arn, description="Database Secret Arn", export_name=f"{self.region}:{self.account}:{self.stack_name}:database-secret-arn", ) core.CfnOutput( self, id="AuroraEndpointAddress", value=self.db.attr_endpoint_address, description="Aurora Endpoint Address", export_name=f"{self.region}:{self.account}:{self.stack_name}:aurora-endpoint-address", ) core.CfnOutput( self, id="DatabaseMasterUserName", value=db_master_user_name, description="Database Master User Name", export_name=f"{self.region}:{self.account}:{self.stack_name}:database-master-username", )
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: super().__init__(scope, id, **kwargs) az1 = core.Fn.select(0, core.Fn.get_azs(region=core.Aws.REGION)) az2 = core.Fn.select(1, core.Fn.get_azs(region=core.Aws.REGION)) ########## # VPC ########## # VPC vpc = ec2.Vpc(self, "vpc", cidr="10.0.0.0/16", subnet_configuration=[]) # Internet gateway internet_gateway = ec2.CfnInternetGateway(self, "internet-gateway") ec2.CfnVPCGatewayAttachment(self, "internet_gateway_attatchment", vpc_id=vpc.vpc_id, internet_gateway_id=internet_gateway.ref) # Public Subnet az1 public_subnet_az1 = ec2.PublicSubnet(self, "subnet-public-1a", availability_zone=az1, cidr_block="10.0.0.0/24", vpc_id=vpc.vpc_id, map_public_ip_on_launch=True) public_subnet_az1.add_route("internet-gateway-route", router_id=internet_gateway.ref, router_type=ec2.RouterType.GATEWAY) # Public Subnet az2 public_subnet_az2 = ec2.PublicSubnet(self, "subnet-public-1c", availability_zone=az2, cidr_block="10.0.1.0/24", vpc_id=vpc.vpc_id, map_public_ip_on_launch=True) public_subnet_az2.add_route("internet-gateway-route", router_id=internet_gateway.ref, router_type=ec2.RouterType.GATEWAY) # Private Subnet az1 private_subnet_az1 = ec2.PrivateSubnet(self, "subnet-private-1a", availability_zone=az1, cidr_block="10.0.2.0/24", vpc_id=vpc.vpc_id) # Private Subnet az2 private_subnet_az2 = ec2.PrivateSubnet(self, "subnet-private-1c", availability_zone=az2, cidr_block="10.0.3.0/24", vpc_id=vpc.vpc_id) ########## # EC2 ########## # # EC2 Security Group ec2_security_group = ec2.SecurityGroup(self, "ec2-security-group", vpc=vpc) # ec2_security_group.add_ingress_rule(peer=ec2.Peer.any_ipv4(),connection=ec2.Port.tcp(80)) # User Data user_data = ec2.UserData.for_linux() user_data.add_commands( "yum -y update", "amazon-linux-extras install php7.2 -y", "yum -y install mysql httpd php-mbstring php-xml", "wget http://ja.wordpress.org/latest-ja.tar.gz -P /tmp/", "tar zxvf /tmp/latest-ja.tar.gz -C /tmp", "cp -r /tmp/wordpress/* /var/www/html/", "chown apache:apache -R /var/www/html", "systemctl enable httpd.service", "systemctl start httpd.service") # EC2 Instance instance_az1 = ec2.CfnInstance( self, "wordpress-instance-az1", subnet_id=public_subnet_az1.subnet_id, image_id=ec2.AmazonLinuxImage( generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2).get_image( self).image_id, instance_type=ec2.InstanceType.of( instance_class=ec2.InstanceClass.BURSTABLE3, instance_size=ec2.InstanceSize.MICRO).to_string(), security_group_ids=[ec2_security_group.security_group_id], user_data=core.Fn.base64(user_data.render())) core.CfnOutput(self, "EC2 PublicDnsName", value=instance_az1.attr_public_dns_name) ########## # RDS ########## # RDS Security Group rds_security_group = ec2.SecurityGroup(self, "rds-security-group", vpc=vpc) ec2.CfnSecurityGroupIngress( self, "rds-security-group-ingress", group_id=rds_security_group.security_group_id, ip_protocol="tcp", from_port=3306, to_port=3306, source_security_group_id=ec2_security_group.security_group_id) # RDS Subnet Group rds_subnet_group = rds.CfnDBSubnetGroup( self, "rds-subnet-group", db_subnet_group_description="rds-subnet-group", subnet_ids=[ private_subnet_az1.subnet_id, private_subnet_az2.subnet_id ]) # RDS Instance rds_instance = rds.CfnDBInstance( self, "rds-instance", db_instance_identifier="wordpress-rds", engine=rds.DatabaseInstanceEngine.mysql( version=rds.MysqlEngineVersion.VER_8_0_20).engine_type, db_instance_class="db.t3.micro", master_username="******", master_user_password="******", db_name="wordpress", multi_az=False, vpc_security_groups=[rds_security_group.security_group_id], db_subnet_group_name=rds_subnet_group.ref, allocated_storage="20") core.CfnOutput(self, "RDS EndpointAddress", value=rds_instance.attr_endpoint_address) core.CfnOutput(self, "RDS EndpointPort", value=rds_instance.attr_endpoint_port) ########## # ALB ########## # ALB Security Group alb_security_group = ec2.SecurityGroup(self, "alb-security-group", vpc=vpc) alb_security_group.add_ingress_rule(peer=ec2.Peer.any_ipv4(), connection=ec2.Port.tcp(80)) # ALB Instance alb_instance = elb.ApplicationLoadBalancer( self, "alb", vpc=vpc, vpc_subnets=ec2.SubnetSelection( subnets=[public_subnet_az1, public_subnet_az2]), internet_facing=True, security_group=alb_security_group) # ALB Target Group alb_target_group = elb.ApplicationTargetGroup( self, "alb-target-group", vpc=vpc, target_type=elb.TargetType.INSTANCE, targets=[elb.InstanceTarget(instance_az1.ref)], protocol=elb.ApplicationProtocol.HTTP, port=80, health_check=elb.HealthCheck(protocol=elb.ApplicationProtocol.HTTP, path="/wp-includes/images/blank.gif")) # ALB Listener alb_listener = elb.ApplicationListener( self, "alb-listener", load_balancer=alb_instance, default_target_groups=[alb_target_group], protocol=elb.ApplicationProtocol.HTTP, port=80) core.CfnOutput(self, "ALB DNS Name", value=alb_instance.load_balancer_dns_name) # EC2 Security Group Ingress ec2.CfnSecurityGroupIngress( self, "ec2-security-group-ingress", group_id=ec2_security_group.security_group_id, ip_protocol="tcp", from_port=80, to_port=80, source_security_group_id=alb_security_group.security_group_id)