def _create_sgs(self, bastion_id=None):
#TODO: if infra left up for a while, security groups cant be deleted. are they modified when running? Need a tag?
# Create the security groups first
master_sg = ec2.SecurityGroup("master-sg", vpc_id=self.vpc_id, description="security group for communication with the eks master plance",
__opts__=ResourceOptions(parent=self))
worker_sg = ec2.SecurityGroup("worker-sg", vpc_id=self.vpc_id, description="security group for communication with the worker nodes",
__opts__=ResourceOptions(parent=self))
# Create the egress/ingress rules for the master
master_sg_egress = ec2.SecurityGroupRule("master-sg-egress", type="egress", cidr_blocks=["0.0.0.0/0"], from_port=0,
to_port=0, protocol=-1, security_group_id=master_sg.id, description="master sg egress",
__opts__=ResourceOptions(parent=self))
current_ip = Util.get_workstation_ip()
master_sg_ingress_workstation = ec2.SecurityGroupRule("master-sg-ingress-from-workstation", type="ingress", from_port=443, to_port=443,
protocol=-1, security_group_id=master_sg.id, cidr_blocks=["%s/32" % current_ip],
description="ingress to masters from workstation", __opts__=ResourceOptions(parent=self))
master_sg_ingress_nodes = ec2.SecurityGroupRule("master-sg-ingress-from-workers", type="ingress", from_port=0, to_port=0,
protocol=-1, security_group_id=master_sg.id, source_security_group_id=worker_sg.id,
description="master ingress from workers", __opts__=ResourceOptions(parent=self))
# Create the egress/ingress rules for the workers
worker_sg_egress = ec2.SecurityGroupRule("worker-sg-egress", type="egress", cidr_blocks=["0.0.0.0/0"], from_port=0,
to_port=0, protocol=-1, security_group_id=worker_sg.id, description="worker sg egress",
__opts__=ResourceOptions(parent=self))
worker_sg_ingress_itself = ec2.SecurityGroupRule("worker-sg-ingress-itself", type="ingress", from_port=0, to_port=0,
protocol=-1, security_group_id=worker_sg.id, self=True, description="worker ingress from itself",
__opts__=ResourceOptions(parent=self))
worker_sg_ingress_master = ec2.SecurityGroupRule("worker-sg-ingress-master", type="ingress", from_port=0, to_port=0,
protocol=-1, security_group_id=worker_sg.id, source_security_group_id=master_sg.id,
description="worker ingress from master", __opts__=ResourceOptions(parent=self))
worker_sg_ingress_bastion = ec2.SecurityGroupRule("worker-sg-ingress-bastion", type="ingress", from_port=0, to_port=0,
protocol=-1, security_group_id=worker_sg.id, source_security_group_id=bastion_id,
description="worker ingress from bastion host", __opts__=ResourceOptions(parent=self))
self.master_sg = master_sg.id
self.worker_sg = worker_sg.id
def _create_security_groups(self, vpcid):
pub_name = "%s-public-sg" % self.name
public_sg = ec2.SecurityGroup(pub_name,
description=pub_name,
vpc_id=vpcid,
tags=self.sg_tags,
__opts__=ResourceOptions(parent=self))
priv_name = "%s-private-sg" % self.name
private_sg = ec2.SecurityGroup(priv_name,
description=priv_name,
vpc_id=vpcid,
tags=self.sg_tags,
__opts__=ResourceOptions(parent=self))
"""
Set up public rules:
1. ingress from itself to itself
2. ingress from private to public
3. egress rule for all
4. ingress rule for current IP address on 22
"""
pub_ingress_itself = ec2.SecurityGroupRule(
"public-ingress-from-itself",
type="ingress",
from_port=0,
to_port=0,
protocol=-1,
security_group_id=public_sg.id,
self=True,
description="public ingress to/from itself",
__opts__=ResourceOptions(parent=self))
pub_ingress_private = ec2.SecurityGroupRule(
"public-ingress-from-private",
type="ingress",
from_port=0,
to_port=0,
protocol=-1,
security_group_id=public_sg.id,
source_security_group_id=private_sg.id,
description="public ingress from private",
__opts__=ResourceOptions(parent=self))
pub_egress = ec2.SecurityGroupRule(
"public-egress",
type="egress",
cidr_blocks=["0.0.0.0/0"],
from_port=0,
to_port=0,
protocol=-1,
security_group_id=public_sg.id,
description="egress traffic from public sg",
__opts__=ResourceOptions(parent=self))
current_ip = Util.get_workstation_ip()
pub_ingress_current_ip = ec2.SecurityGroupRule(
"public-ingress-from-current-ip",
type="ingress",
from_port=22,
to_port=22,
protocol="TCP",
security_group_id=public_sg.id,
cidr_blocks=[("%s/32" % current_ip)],
description="ingress from current IP",
__opts__=ResourceOptions(parent=self))
"""
Set up private rules:
1. ingress from public to it
2. ingress from itself to itself
3. egress rule for all
"""
priv_ingress_itself = ec2.SecurityGroupRule(
"private-ingress-from-itself",
type="ingress",
from_port=0,
to_port=0,
protocol=-1,
security_group_id=private_sg.id,
self=True,
description="private ingress to itself",
__opts__=ResourceOptions(parent=self))
priv_ingress_public = ec2.SecurityGroupRule(
"private-ingress-from-public",
type="ingress",
from_port=0,
to_port=0,
protocol=-1,
security_group_id=private_sg.id,
source_security_group_id=public_sg.id,
description="private ingress from public",
__opts__=ResourceOptions(parent=self))
priv_egress = ec2.SecurityGroupRule(
"private-egress",
type="egress",
cidr_blocks=["0.0.0.0/0"],
from_port=0,
to_port=0,
protocol=-1,
security_group_id=private_sg.id,
description="egress traffic from private sg",
__opts__=ResourceOptions(parent=self))
return {"public": public_sg.id, "private": private_sg.id}
'protocol': '-1',
'fromPort': 0,
'toPort': 0,
'cidrBlocks': ['0.0.0.0/0']
}],
tags={
'Name': 'infra private security group (front-back-autoscaling)',
'Creator': 'timc'
})
# use an ec2.SecurityGroupRule instead of subnet
private_sg_in_rule_1 = ec2.SecurityGroupRule(
resource_name='new-private-sg-in-rule-1',
description='accept traffic from bastion host',
security_group_id=private_sg, # TypeError if not present
source_security_group_id=public_sg.id,
type='ingress',
protocol='tcp', # TypeError if not present
from_port='22', # TypeError if not present
to_port='22', # TypeError if not present
)
# TODO add ebs_block_devices
# TODO add volume_tags
# TODO add iam_instance_profile
# TODO add user_data
private_server_1 = ec2.Instance(
resource_name='new-private-ec2-1',
ami=_ami, # TypeError if not present
instance_type=_instance_type, # TypeError if not present
security_groups=[private_sg.id],
def __init__(
self,
name,
opts=None,
):
super().__init__("nuage:aws:DevelopmentEnvironment:VPC",
f"{name}VpcEnvironment", None, opts)
vpc = ec2.Vpc(
f"{name}Vpc",
cidr_block="172.32.0.0/16",
enable_dns_hostnames=True,
enable_dns_support=True,
)
subnet_1 = ec2.Subnet(
f"{name}VpcSubnetA",
availability_zone="eu-west-1a",
vpc_id=vpc.id,
cidr_block="172.32.0.0/20",
opts=ResourceOptions(depends_on=[vpc]),
)
subnet_2 = ec2.Subnet(
f"{name}VpcSubnetB",
availability_zone="eu-west-1b",
vpc_id=vpc.id,
cidr_block="172.32.16.0/20",
opts=ResourceOptions(depends_on=[vpc]),
)
subnet_3 = ec2.Subnet(
f"{name}VpcSubnetC",
availability_zone="eu-west-1c",
vpc_id=vpc.id,
cidr_block="172.32.32.0/20",
opts=ResourceOptions(depends_on=[vpc]),
)
private_subnet_1 = ec2.Subnet(
f"{name}VpcPrivateSubnetA",
availability_zone="eu-west-1a",
vpc_id=vpc.id,
cidr_block="172.32.48.0/20",
opts=ResourceOptions(depends_on=[vpc]),
)
security_group = ec2.SecurityGroup(
f"{name}SecurityGroup",
vpc_id=vpc.id,
opts=ResourceOptions(depends_on=[vpc]),
)
security_group_rule = ec2.SecurityGroupRule(
f"{name}SSHRule",
security_group_id=security_group.id,
type="ingress",
protocol="tcp",
from_port=22,
to_port=22,
cidr_blocks=["0.0.0.0/0"],
)
security_group_rule = ec2.SecurityGroupRule(
f"{name}InboundRule",
security_group_id=security_group.id,
type="ingress",
protocol="all",
from_port=0,
to_port=65535,
source_security_group_id=security_group.id,
)
security_group_rule = ec2.SecurityGroupRule(
f"{name}OutboundRule",
security_group_id=security_group.id,
type="egress",
protocol="all",
from_port=0,
to_port=65535,
cidr_blocks=["0.0.0.0/0"],
)
subnets = [subnet_1, subnet_2, subnet_3]
gateway = ec2.InternetGateway(
f"{name}InternetGateway",
vpc_id=vpc.id,
opts=ResourceOptions(depends_on=[vpc]),
)
gateway_route = ec2.Route(
f"{name}GatewayRoute",
destination_cidr_block="0.0.0.0/0",
gateway_id=gateway.id,
route_table_id=vpc.default_route_table_id,
)
elastic_ip = ec2.Eip(f"{name}Eip",
vpc=True,
opts=ResourceOptions(depends_on=[gateway]))
nat_gateway = ec2.NatGateway(
f"{name}NatGateway",
subnet_id=subnet_1.id,
allocation_id=elastic_ip.id,
opts=ResourceOptions(depends_on=[subnet_1, elastic_ip]),
)
private_route_table = ec2.RouteTable(
f"{name}PrivateRouteTable",
routes=[
{
"cidr_block": "0.0.0.0/0",
"nat_gateway_id": nat_gateway.id,
},
],
vpc_id=vpc.id,
opts=ResourceOptions(depends_on=[private_subnet_1]),
)
private_route_table_assoc = ec2.RouteTableAssociation(
f"{name}PrivateRouteTableAssoc",
route_table_id=private_route_table.id,
subnet_id=private_subnet_1.id,
)
outputs = {
"vpc": vpc,
"security_group": security_group,
"public_subnets": [subnet_1, subnet_2, subnet_3],
"private_subnet": private_subnet_1,
"nat_gateway": nat_gateway,
}
self.set_outputs(outputs)