def _create_sgs(self, bastion_id=None): #TODO: if infra left up for a while, security groups cant be deleted. are they modified when running? Need a tag? # Create the security groups first master_sg = ec2.SecurityGroup("master-sg", vpc_id=self.vpc_id, description="security group for communication with the eks master plance", __opts__=ResourceOptions(parent=self)) worker_sg = ec2.SecurityGroup("worker-sg", vpc_id=self.vpc_id, description="security group for communication with the worker nodes", __opts__=ResourceOptions(parent=self)) # Create the egress/ingress rules for the master master_sg_egress = ec2.SecurityGroupRule("master-sg-egress", type="egress", cidr_blocks=["0.0.0.0/0"], from_port=0, to_port=0, protocol=-1, security_group_id=master_sg.id, description="master sg egress", __opts__=ResourceOptions(parent=self)) current_ip = Util.get_workstation_ip() master_sg_ingress_workstation = ec2.SecurityGroupRule("master-sg-ingress-from-workstation", type="ingress", from_port=443, to_port=443, protocol=-1, security_group_id=master_sg.id, cidr_blocks=["%s/32" % current_ip], description="ingress to masters from workstation", __opts__=ResourceOptions(parent=self)) master_sg_ingress_nodes = ec2.SecurityGroupRule("master-sg-ingress-from-workers", type="ingress", from_port=0, to_port=0, protocol=-1, security_group_id=master_sg.id, source_security_group_id=worker_sg.id, description="master ingress from workers", __opts__=ResourceOptions(parent=self)) # Create the egress/ingress rules for the workers worker_sg_egress = ec2.SecurityGroupRule("worker-sg-egress", type="egress", cidr_blocks=["0.0.0.0/0"], from_port=0, to_port=0, protocol=-1, security_group_id=worker_sg.id, description="worker sg egress", __opts__=ResourceOptions(parent=self)) worker_sg_ingress_itself = ec2.SecurityGroupRule("worker-sg-ingress-itself", type="ingress", from_port=0, to_port=0, protocol=-1, security_group_id=worker_sg.id, self=True, description="worker ingress from itself", __opts__=ResourceOptions(parent=self)) worker_sg_ingress_master = ec2.SecurityGroupRule("worker-sg-ingress-master", type="ingress", from_port=0, to_port=0, protocol=-1, security_group_id=worker_sg.id, source_security_group_id=master_sg.id, description="worker ingress from master", __opts__=ResourceOptions(parent=self)) worker_sg_ingress_bastion = ec2.SecurityGroupRule("worker-sg-ingress-bastion", type="ingress", from_port=0, to_port=0, protocol=-1, security_group_id=worker_sg.id, source_security_group_id=bastion_id, description="worker ingress from bastion host", __opts__=ResourceOptions(parent=self)) self.master_sg = master_sg.id self.worker_sg = worker_sg.id
def _create_security_groups(self, vpcid): pub_name = "%s-public-sg" % self.name public_sg = ec2.SecurityGroup(pub_name, description=pub_name, vpc_id=vpcid, tags=self.sg_tags, __opts__=ResourceOptions(parent=self)) priv_name = "%s-private-sg" % self.name private_sg = ec2.SecurityGroup(priv_name, description=priv_name, vpc_id=vpcid, tags=self.sg_tags, __opts__=ResourceOptions(parent=self)) """ Set up public rules: 1. ingress from itself to itself 2. ingress from private to public 3. egress rule for all 4. ingress rule for current IP address on 22 """ pub_ingress_itself = ec2.SecurityGroupRule( "public-ingress-from-itself", type="ingress", from_port=0, to_port=0, protocol=-1, security_group_id=public_sg.id, self=True, description="public ingress to/from itself", __opts__=ResourceOptions(parent=self)) pub_ingress_private = ec2.SecurityGroupRule( "public-ingress-from-private", type="ingress", from_port=0, to_port=0, protocol=-1, security_group_id=public_sg.id, source_security_group_id=private_sg.id, description="public ingress from private", __opts__=ResourceOptions(parent=self)) pub_egress = ec2.SecurityGroupRule( "public-egress", type="egress", cidr_blocks=["0.0.0.0/0"], from_port=0, to_port=0, protocol=-1, security_group_id=public_sg.id, description="egress traffic from public sg", __opts__=ResourceOptions(parent=self)) current_ip = Util.get_workstation_ip() pub_ingress_current_ip = ec2.SecurityGroupRule( "public-ingress-from-current-ip", type="ingress", from_port=22, to_port=22, protocol="TCP", security_group_id=public_sg.id, cidr_blocks=[("%s/32" % current_ip)], description="ingress from current IP", __opts__=ResourceOptions(parent=self)) """ Set up private rules: 1. ingress from public to it 2. ingress from itself to itself 3. egress rule for all """ priv_ingress_itself = ec2.SecurityGroupRule( "private-ingress-from-itself", type="ingress", from_port=0, to_port=0, protocol=-1, security_group_id=private_sg.id, self=True, description="private ingress to itself", __opts__=ResourceOptions(parent=self)) priv_ingress_public = ec2.SecurityGroupRule( "private-ingress-from-public", type="ingress", from_port=0, to_port=0, protocol=-1, security_group_id=private_sg.id, source_security_group_id=public_sg.id, description="private ingress from public", __opts__=ResourceOptions(parent=self)) priv_egress = ec2.SecurityGroupRule( "private-egress", type="egress", cidr_blocks=["0.0.0.0/0"], from_port=0, to_port=0, protocol=-1, security_group_id=private_sg.id, description="egress traffic from private sg", __opts__=ResourceOptions(parent=self)) return {"public": public_sg.id, "private": private_sg.id}
'protocol': '-1', 'fromPort': 0, 'toPort': 0, 'cidrBlocks': ['0.0.0.0/0'] }], tags={ 'Name': 'infra private security group (front-back-autoscaling)', 'Creator': 'timc' }) # use an ec2.SecurityGroupRule instead of subnet private_sg_in_rule_1 = ec2.SecurityGroupRule( resource_name='new-private-sg-in-rule-1', description='accept traffic from bastion host', security_group_id=private_sg, # TypeError if not present source_security_group_id=public_sg.id, type='ingress', protocol='tcp', # TypeError if not present from_port='22', # TypeError if not present to_port='22', # TypeError if not present ) # TODO add ebs_block_devices # TODO add volume_tags # TODO add iam_instance_profile # TODO add user_data private_server_1 = ec2.Instance( resource_name='new-private-ec2-1', ami=_ami, # TypeError if not present instance_type=_instance_type, # TypeError if not present security_groups=[private_sg.id],
def __init__( self, name, opts=None, ): super().__init__("nuage:aws:DevelopmentEnvironment:VPC", f"{name}VpcEnvironment", None, opts) vpc = ec2.Vpc( f"{name}Vpc", cidr_block="172.32.0.0/16", enable_dns_hostnames=True, enable_dns_support=True, ) subnet_1 = ec2.Subnet( f"{name}VpcSubnetA", availability_zone="eu-west-1a", vpc_id=vpc.id, cidr_block="172.32.0.0/20", opts=ResourceOptions(depends_on=[vpc]), ) subnet_2 = ec2.Subnet( f"{name}VpcSubnetB", availability_zone="eu-west-1b", vpc_id=vpc.id, cidr_block="172.32.16.0/20", opts=ResourceOptions(depends_on=[vpc]), ) subnet_3 = ec2.Subnet( f"{name}VpcSubnetC", availability_zone="eu-west-1c", vpc_id=vpc.id, cidr_block="172.32.32.0/20", opts=ResourceOptions(depends_on=[vpc]), ) private_subnet_1 = ec2.Subnet( f"{name}VpcPrivateSubnetA", availability_zone="eu-west-1a", vpc_id=vpc.id, cidr_block="172.32.48.0/20", opts=ResourceOptions(depends_on=[vpc]), ) security_group = ec2.SecurityGroup( f"{name}SecurityGroup", vpc_id=vpc.id, opts=ResourceOptions(depends_on=[vpc]), ) security_group_rule = ec2.SecurityGroupRule( f"{name}SSHRule", security_group_id=security_group.id, type="ingress", protocol="tcp", from_port=22, to_port=22, cidr_blocks=["0.0.0.0/0"], ) security_group_rule = ec2.SecurityGroupRule( f"{name}InboundRule", security_group_id=security_group.id, type="ingress", protocol="all", from_port=0, to_port=65535, source_security_group_id=security_group.id, ) security_group_rule = ec2.SecurityGroupRule( f"{name}OutboundRule", security_group_id=security_group.id, type="egress", protocol="all", from_port=0, to_port=65535, cidr_blocks=["0.0.0.0/0"], ) subnets = [subnet_1, subnet_2, subnet_3] gateway = ec2.InternetGateway( f"{name}InternetGateway", vpc_id=vpc.id, opts=ResourceOptions(depends_on=[vpc]), ) gateway_route = ec2.Route( f"{name}GatewayRoute", destination_cidr_block="0.0.0.0/0", gateway_id=gateway.id, route_table_id=vpc.default_route_table_id, ) elastic_ip = ec2.Eip(f"{name}Eip", vpc=True, opts=ResourceOptions(depends_on=[gateway])) nat_gateway = ec2.NatGateway( f"{name}NatGateway", subnet_id=subnet_1.id, allocation_id=elastic_ip.id, opts=ResourceOptions(depends_on=[subnet_1, elastic_ip]), ) private_route_table = ec2.RouteTable( f"{name}PrivateRouteTable", routes=[ { "cidr_block": "0.0.0.0/0", "nat_gateway_id": nat_gateway.id, }, ], vpc_id=vpc.id, opts=ResourceOptions(depends_on=[private_subnet_1]), ) private_route_table_assoc = ec2.RouteTableAssociation( f"{name}PrivateRouteTableAssoc", route_table_id=private_route_table.id, subnet_id=private_subnet_1.id, ) outputs = { "vpc": vpc, "security_group": security_group, "public_subnets": [subnet_1, subnet_2, subnet_3], "private_subnet": private_subnet_1, "nat_gateway": nat_gateway, } self.set_outputs(outputs)