def __add_internet_gateway(self):
self.igw = self.template.add_resource(
InternetGateway('InternetGateway', Tags=self.tags))
self.template.add_resource(
VPCGatewayAttachment('AttachGateway',
VpcId=Ref(self.vpc),
InternetGatewayId=Ref(self.igw)))
def sceptre_handler(sceptre_user_data):
t = Template()
vpc = t.add_resource(VPC(
"VirtualPrivateCloud",
CidrBlock=sceptre_user_data["cidr_block"],
InstanceTenancy="default",
EnableDnsSupport=True,
EnableDnsHostnames=True,
))
igw = t.add_resource(InternetGateway(
"InternetGateway",
))
t.add_resource(VPCGatewayAttachment(
"IGWAttachment",
VpcId=Ref(vpc),
InternetGatewayId=Ref(igw),
))
t.add_output(Output(
"VpcId",
Description="New VPC ID",
Value=Ref(vpc)
))
return t.to_json()
def _create_vpc(self, cidr_block):
self.vpc = VPC(camelcase("{self.env}Vpc".format(**locals())),
CidrBlock=cidr_block,
EnableDnsSupport=True,
EnableDnsHostnames=True,
InstanceTenancy='default',
Tags=[{
'Key': 'category',
'Value': 'services'
}, {
'Key': 'environment',
'Value': self.env
}, {
'Key': 'Name',
'Value': "{self.env}-vpc".format(**locals())
}])
self.template.add_resource(self.vpc)
self.internet_gateway = InternetGateway(
camelcase("{self.env}Ig".format(**locals())),
Tags=[{
'Key': 'Name',
'Value': "{self.env}-internet-gateway".format(**locals())
}, {
'Key': 'environment',
'Value': self.env
}])
self.template.add_resource(self.internet_gateway)
vpc_gateway_attachment = VPCGatewayAttachment(
camelcase("{self.env}Attachment".format(**locals())),
InternetGatewayId=Ref(self.internet_gateway),
VpcId=Ref(self.vpc))
self.template.add_resource(vpc_gateway_attachment)
return None
def __create_public_subnet(template: Template, vpc) -> Subnet:
public_subnet_cidr = template.add_parameter(parameter=Parameter(
title='PublicSubnetCidr', Type='String', Default='192.168.1.0/24'))
igw = template.add_resource(resource=InternetGateway(title='SampleIgw'))
template.add_resource(resource=VPCGatewayAttachment(
title='SampleAttachment', VpcId=Ref(vpc), InternetGatewayId=Ref(igw)))
public_subnet = template.add_resource(
resource=Subnet(title='SamplePublicSubnet',
CidrBlock=Ref(public_subnet_cidr),
MapPublicIpOnLaunch=True,
VpcId=Ref(vpc)))
public_route_table = template.add_resource(
resource=RouteTable(title='SamplePublicRoteTable', VpcId=Ref(vpc)))
template.add_resource(resource=SubnetRouteTableAssociation(
title='SamplePublicRoteTableAssociation',
RouteTableId=Ref(public_route_table),
SubnetId=Ref(public_subnet)))
template.add_resource(resource=Route(title='SamplePublicRoute',
DestinationCidrBlock='0.0.0.0/0',
GatewayId=Ref(igw),
RouteTableId=Ref(public_route_table)))
return public_subnet
def create_igw(self):
t = self.template
t.add_resource(InternetGateway(self.igw_name))
t.add_resource(
VPCGatewayAttachment(self.igw_attachment,
VpcId=Ref(self.vpc_name),
InternetGatewayId=Ref(self.igw_name)))
def __build_internet_gateway(self, vpc: VPC):
internet_gateway = self.__template.add_resource(
InternetGateway("InternetGateway",
Tags=Tags(Name=Ref("AWS::StackName"),
Stack=Ref("AWS::StackId"))))
self.__template.add_resource(
VPCGatewayAttachment("VPCGatewayAttachment",
VpcId=Ref(vpc),
InternetGatewayId=Ref(internet_gateway)))
return internet_gateway
def add_vpc_core(template, vpc_cidr):
"""
Function to create the core resources of the VPC
and add them to the core VPC template
:param template: VPC Template()
:param vpc_cidr: str of the VPC CIDR i.e. 192.168.0.0/24
:return: tuple() with the vpc and igw object
"""
vpc = VPCType(
VPC_T,
template=template,
CidrBlock=vpc_cidr,
EnableDnsHostnames=True,
EnableDnsSupport=True,
Tags=Tags(
Name=If(USE_STACK_NAME_CON_T, Ref("AWS::StackName"),
Ref(ROOT_STACK_NAME)),
EnvironmentName=If(USE_STACK_NAME_CON_T, Ref("AWS::StackName"),
Ref(ROOT_STACK_NAME)),
),
Metadata=metadata,
)
igw = InternetGateway(IGW_T, template=template)
VPCGatewayAttachment(
"VPCGatewayAttachement",
template=template,
InternetGatewayId=Ref(igw),
VpcId=Ref(vpc),
Metadata=metadata,
)
dhcp_opts = DHCPOptions(
"VpcDhcpOptions",
template=template,
DomainName=If(
USE_STACK_NAME_CON_T,
Sub(f"svc.${{AWS::StackName}}.${{{PRIVATE_DNS_ZONE_NAME.title}}} "
f"${{AWS::StackName}}.${{{PRIVATE_DNS_ZONE_NAME.title}}}"),
Sub(f"svc.${{{ROOT_STACK_NAME_T}}}.${{{PRIVATE_DNS_ZONE_NAME.title}}} "
f"${{{ROOT_STACK_NAME_T}}}.${{{PRIVATE_DNS_ZONE_NAME.title}}}"
),
),
DomainNameServers=["AmazonProvidedDNS"],
Tags=Tags(Name=Sub(f"dhcp-${{{vpc.title}}}")),
Metadata=metadata,
)
VPCDHCPOptionsAssociation(
"VpcDhcpOptionsAssociate",
template=template,
DhcpOptionsId=Ref(dhcp_opts),
VpcId=Ref(vpc),
Metadata=metadata,
)
return (vpc, igw)
def __init__(self, title, template, *args, **kwargs):
if 'Tags' not in kwargs:
kwargs['Tags'] = Tags()
super().__init__(title, template, *args, **kwargs)
internet_gateway = InternetGateway('internetgateway',
template,
Tags=kwargs['Tags'])
VPCGatewayAttachment('vpcgatewayattachment',
template,
InternetGatewayId=Ref(internet_gateway),
VpcId=Ref(self))
def create_vpc_template():
template = Template()
vpc_cidr = template.add_parameter(parameter=Parameter(
title='VpcCidr', Type='String', Default='192.168.0.0/16'))
subnet_cidr_a = template.add_parameter(parameter=Parameter(
title='SubnetCidr1', Type='String', Default='192.168.1.0/24'))
subnet_cidr_b = template.add_parameter(parameter=Parameter(
title='SubnetCidr2', Type='String', Default='192.168.2.0/24'))
vpc = template.add_resource(resource=VPC(
title='SampleVpc', CidrBlock=Ref(vpc_cidr), EnableDnsHostnames=True))
igw = template.add_resource(resource=InternetGateway(title='SampleIgw'))
template.add_resource(resource=VPCGatewayAttachment(
title='SampleAttachment', VpcId=Ref(vpc), InternetGatewayId=Ref(igw)))
subnet_a = template.add_resource(
resource=Subnet(title='SampleSubnetA',
AvailabilityZone='us-east-1a',
CidrBlock=Ref(subnet_cidr_a),
MapPublicIpOnLaunch=True,
VpcId=Ref(vpc)))
subnet_b = template.add_resource(
resource=Subnet(title='SampleSubnetB',
AvailabilityZone='us-east-1b',
CidrBlock=Ref(subnet_cidr_b),
MapPublicIpOnLaunch=True,
VpcId=Ref(vpc)))
route_table = template.add_resource(
resource=RouteTable(title='SampleRoteTable', VpcId=Ref(vpc)))
template.add_resource(resource=SubnetRouteTableAssociation(
title='SampleRoteTableAssociationA',
RouteTableId=Ref(route_table),
SubnetId=Ref(subnet_a)))
template.add_resource(resource=SubnetRouteTableAssociation(
title='SampleRoteTableAssociationB',
RouteTableId=Ref(route_table),
SubnetId=Ref(subnet_b)))
template.add_resource(resource=Route(title='SampleRoute',
DestinationCidrBlock='0.0.0.0/0',
GatewayId=Ref(igw),
RouteTableId=Ref(route_table)))
with open('./vpc.yml', mode='w') as file:
file.write(template.to_yaml())
def add_igw(self):
t = self.template
self.igw = t.add_resource(InternetGateway("InternetGateway", ))
t.add_resource(
VPCGatewayAttachment(
"IGWAttachment",
VpcId=Ref(self.vpc),
InternetGatewayId=Ref(self.igw),
))
def create_internet_gateway(stack):
"""Add VPC Internet Gateway Resource."""
return stack.stack.add_resource(
InternetGateway(
'InternetGateway',
Tags=[
{
'Key': 'Name',
'Value': '{0}'.format(stack.env)
},
],
))
def add_igw(self):
t = self.template
self.igw = t.add_resource(
InternetGateway(
'internetGateway',
Tags=self.DEFAULT_TAGS +
[Tag('Name', self.sceptre_user_data['application'] + '-IGW')]))
self.igw_attachment = t.add_resource(
VPCGatewayAttachment('internetGatewayAttachment',
VpcId=Ref(self.vpc),
InternetGatewayId=Ref(self.igw)))
return 0
def __build_internet_gateway(self, vpc: VPC):
internet_gateway = self.__template.add_resource(
InternetGateway(
"InternetGateway",
Tags=Tags(Name=TAGS_PREFIX + "IG", Stack=Ref("AWS::StackId")),
Condition=self.__create_ig,
))
self.__template.add_resource(
VPCGatewayAttachment(
"VPCGatewayAttachment",
VpcId=Ref(vpc),
InternetGatewayId=Ref(internet_gateway),
Condition=self.__create_ig,
))
return Ref(internet_gateway)
def create_internet_gateway(self):
"""Create an internet gateway if it does not exist already"""
if 'InternetGateway' not in self.network:
tag = Tag(Key='Name',
Value='{} Internet Gateway'.format(self.data['Name']))
self.network['InternetGateway'] = InternetGateway(
title='{}InternetGateway'.format(self.data['Title']),
template=self.data['Template'],
Tags=[tag] + self.data['Tags'])
tag = Tag(Key='Name',
Value='{} VPC Gateway Attachment'.format(
self.data['Name']))
self.network['VPCGatewayAttachment'] = VPCGatewayAttachment(
title='{}VPCGatewayAttachment'.format(self.data['Title']),
template=self.data['Template'],
VpcId=Ref(self.network['VPC']),
InternetGatewayId=Ref(self.network['InternetGateway']))
def _create_vpc(self):
if self.vpc:
self.tpl.add_output(Output(self.OUTPUT_VPC, Value=self.vpc))
self.tpl.add_output(Output(self.OUTPUT_SUBNETS, Value=','.join(self.subnets)))
return
vpc = VPC(self.RESOURCE_EKS_VPC.name, CidrBlock=self.vpc_cidr, Tags=Tags(Name=self.tag_name))
self.tpl.add_resource(vpc)
gateway = self.tpl.add_resource(InternetGateway(self.RESOURCE_VPC_INTERNET_GATEWAY.name))
self.tpl.add_resource(VPCGatewayAttachment(
self.RESOURCE_VPC_GATEWAY_ATTACHMENT.name, VpcId=Ref(vpc), InternetGatewayId=Ref(gateway),
DependsOn=gateway,
))
rt = self.tpl.add_resource(RouteTable(
self.RESOURCE_VPC_ROUTE_TABLE.name, VpcId=Ref(vpc), DependsOn=gateway,
Tags=Tags(Name='public subnet', Network='public'),
))
self.tpl.add_resource(Route(
self.RESOURCE_VPC_ROUTE.name, RouteTableId=Ref(rt), DestinationCidrBlock='0.0.0.0/0',
GatewayId=Ref(gateway),
))
self.resources.extend(deepcopy([self.RESOURCE_EKS_VPC, self.RESOURCE_VPC_INTERNET_GATEWAY,
self.RESOURCE_VPC_GATEWAY_ATTACHMENT, self.RESOURCE_VPC_ROUTE_TABLE,
self.RESOURCE_VPC_ROUTE]))
subnets = []
vpc_network = IPNetwork(self.vpc_cidr)
prefixlen = IPNetwork(self.vpc_cidr).prefixlen + (len(self.zones) - 1).bit_length()
cidrs = list(vpc_network.subnet(prefixlen))
for i, zone in enumerate(self.zones):
sname = self.RESOURCE_FORMAT_SUBNET.format(i + 1)
staname = self.RESOURCE_FORMAT_SUBNET_RTA.format(i + 1)
subnet = self.tpl.add_resource(Subnet(
sname, AvailabilityZone=zone, VpcId=Ref(vpc), CidrBlock=str(cidrs[i].cidr),
Tags=Tags(Name='{}-{}'.format(self.name, str(i + 1)))
))
self.resources.append(Resource(sname, 'EKS VPC {}'.format(sname), Status.not_exist))
self.tpl.add_resource(SubnetRouteTableAssociation(
staname, SubnetId=Ref(subnet), RouteTableId=Ref(rt)
))
self.resources.append(Resource(staname, 'EKS VPC {}'.format(staname), Status.not_exist))
subnets.append(subnet)
self.subnet_refs = [Ref(s) for s in subnets]
self.tpl.add_output(Output(self.OUTPUT_VPC, Value=Ref(vpc)))
self.tpl.add_output(Output(self.OUTPUT_SUBNETS, Value=Join(',', self.subnet_refs)))
def _add_resources(self):
self.vpc = VPC(
"VirtualPrivateCloud",
CidrBlock=Ref(self.parameters['CidrBlock']),
InstanceTenancy="default",
EnableDnsSupport=True,
EnableDnsHostnames=True,
Tags=Tags(
Name=Ref(self.parameters['StackPrefix'])
),
)
self.template.add_resource(self.vpc)
self.igw = InternetGateway(
"InternetGateway",
)
self.template.add_resource(self.igw)
self.igw_attachment = VPCGatewayAttachment(
"IGWAttachment",
VpcId=Ref(self.vpc),
InternetGatewayId=Ref(self.igw),
)
self.template.add_resource(self.igw_attachment)
def add_internet_gateway(self, name, routing_table_name, vpc_name):
"""
Create Internet Gateway
:param name: Name to assign the gateway
:param routing_table_name: Name of routing table
:param vpc_name: Name of VPC
"""
self.template.add_resource(InternetGateway(name, ))
self.template.add_resource(
VPCGatewayAttachment('AttachGateway',
VpcId=Ref(vpc_name),
InternetGatewayId=Ref(name)))
self.template.add_resource(
Route(
"{}IGRoute".format(vpc_name),
DependsOn='AttachGateway',
GatewayId=Ref(name),
DestinationCidrBlock='0.0.0.0/0',
RouteTableId=Ref(routing_table_name),
))
def __create_public_subnet(template: Template, vpc) -> Subnet:
igw = template.add_resource(resource=InternetGateway(title='SampleIgw'))
template.add_resource(resource=VPCGatewayAttachment(
title='SampleAttachment', VpcId=Ref(vpc), InternetGatewayId=Ref(igw)))
public_route_table = template.add_resource(
resource=RouteTable(title='SamplePublicRoteTable', VpcId=Ref(vpc)))
for suffix in ['A', 'B']:
public_subnet_cidr = template.add_parameter(
parameter=Parameter(title='PublicSubnetCidr' + suffix,
Type='String',
Default=__get_subnet_cidr()))
public_subnet = template.add_resource(
resource=Subnet(title='SamplePublicSubnet' + suffix,
AvailabilityZone=Sub('${AWS::Region}' +
suffix.lower()),
CidrBlock=Ref(public_subnet_cidr),
MapPublicIpOnLaunch=True,
VpcId=Ref(vpc)))
add_export(template, public_subnet.title + 'Id', Ref(public_subnet))
template.add_resource(resource=SubnetRouteTableAssociation(
title='SamplePublicRoteTableAssociation' + suffix,
RouteTableId=Ref(public_route_table),
SubnetId=Ref(public_subnet)))
template.add_resource(resource=Route(title='SamplePublicRoute',
DestinationCidrBlock='0.0.0.0/0',
GatewayId=Ref(igw),
RouteTableId=Ref(public_route_table)))
return public_subnet
))
RDSPort = template.add_parameter(
Parameter(
PARAM_RDSPORT,
Default='3306',
Type="String",
Description="SQL Port Number",
))
##############################
# RESOURCES
##############################
Igw = template.add_resource(
InternetGateway(
"Igw",
Tags=Tags(Name=Sub("${EnvironmentName} Igw"), ),
))
PrivateRoute2Default = template.add_resource(
Route(
"PrivateRoute2Default",
DestinationCidrBlock="0.0.0.0/0",
RouteTableId=Ref("PrivateRoute2Table"),
NatGatewayId=Ref("NatGateway2"),
DependsOn="NatGateway2",
))
RDSInternalSecurityGroup = template.add_resource(
SecurityGroup(
"RDSInternalSecurityGroup",
SecurityGroupIngress=[{
SubnetIds=Ref("Subnet"),
))
vpc = t.add_resource(VPC(
"VPC",
CidrBlock="10.0.0.0/16",
))
subnet = t.add_resource(Subnet(
"Subnet",
CidrBlock="10.0.0.0/24",
VpcId=Ref("VPC"),
))
internetgateway = t.add_resource(InternetGateway(
"InternetGateway",
))
gatewayattachment = t.add_resource(VPCGatewayAttachment(
"GatewayAttachment",
VpcId=Ref("VPC"),
InternetGatewayId=Ref("InternetGateway"),
))
securitygroupingress1 = SecurityGroupIngress(
"SecurityGroupIngress1",
CidrIp="10.0.0.0/16",
FromPort="80",
ToPort="80",
IpProtocol="tcp",
)
vpc_cidr,
public_subnet_cidr,
loadbalancer_a_subnet_cidr,
loadbalancer_b_subnet_cidr,
container_a_subnet_cidr,
container_b_subnet_cidr,
)
template = Template()
vpc = template.add_resource(VPC(
"Vpc",
CidrBlock=vpc_cidr,
))
internet_gateway = template.add_resource(InternetGateway("InternetGateway", ))
template.add_resource(
VPCGatewayAttachment(
"GatewayAttachment",
VpcId=Ref(vpc),
InternetGatewayId=Ref(internet_gateway),
))
public_route_table = template.add_resource(
RouteTable(
"PublicRouteTable",
VpcId=Ref(vpc),
))
public_route = template.add_resource(
EnableDnsSupport=True,
CidrBlock="10." + str(environment_index) + ".0.0/16",
EnableDnsHostnames=True,
Tags=Tags(Name=Ref("AWS::StackName"), ),
))
InternetGatewayAttachment = t.add_resource(
VPCGatewayAttachment(
"InternetGatewayAttachment",
VpcId=Ref("VPC"),
InternetGatewayId=Ref("InternetGateway"),
))
InternetGateway = t.add_resource(
InternetGateway(
"InternetGateway",
Tags=Tags(Name=Ref("AWS::StackName"), ),
))
t.add_output(Output("VPC", Value=Ref("VPC"), Description="VPC ID"))
t.add_output(
Output("ELBSubnets",
Value=Join(
", ", [Ref("ELBSubnet1"),
Ref("ELBSubnet2"),
Ref("ELBSubnet3")]),
Description="ELB Subnets"))
t.add_output(
Output("AppSubnets",
Value=Join(
", ", [Ref("AppSubnet1"),
Ref("AppSubnet2"),
def add_internet_gateway(self):
'''
Add an internet gateway
'''
self.cfn_template.add_resource(InternetGateway(title=constants.IGW, ))
return self.cfn_template
Subnet('PublicSubnet',
CidrBlock=FindInMap(Ref(environmentType_param), 'cidr', 'Public'),
VpcId=Ref(VPC),
Tags=Tags(Name=FindInMap(Ref(environmentType_param), 'tags',
'PublicSubnet'))))
PrivateSubnet = t.add_resource(
Subnet('PrivateSubnet',
CidrBlock=FindInMap(Ref(environmentType_param), 'cidr', 'Private'),
VpcId=Ref(VPC),
Tags=Tags(Name=FindInMap(Ref(environmentType_param), 'tags',
'PrivateSubnet'))))
InternetGateway = t.add_resource(
InternetGateway(
'InternetGateway',
Tags=Tags(Name=FindInMap(Ref(environmentType_param), 'tags', 'Igw'))))
GatewayAttachment = t.add_resource(
VPCGatewayAttachment('AttachGateway',
VpcId=Ref(VPC),
InternetGatewayId=Ref(InternetGateway)))
NatEip = t.add_resource(EIP('NatEip', Domain="vpc"))
NatGateway = t.add_resource(
NatGateway(
'NatGateway',
DependsOn='AttachGateway',
AllocationId=GetAtt(NatEip, 'AllocationId'),
SubnetId=Ref(PublicSubnet),
VPCGatewayAttachment,
)
from .template import template
vpc = VPC(
"Vpc",
template=template,
CidrBlock="10.0.0.0/16",
)
# Allow outgoing to outside VPC
internet_gateway = InternetGateway(
"InternetGateway",
template=template,
)
# Attach Gateway to VPC
VPCGatewayAttachment(
"GatewayAttachement",
template=template,
VpcId=Ref(vpc),
InternetGatewayId=Ref(internet_gateway),
)
# Public route table
public_route_table = RouteTable(
"PublicRouteTable",
"VPC",
EnableDnsSupport="true",
CidrBlock=data['CIDRInfo']['cidr'],
EnableDnsHostnames="true",
Tags=Tags(**{
'Name': '%s' % data['Tags']['Name'],
'Env': '%s' % data['Tags']['Env'],
'Owner': '%s' % data['Tags']['Owner']
})
))
### Create Internet Gateway for VPC, to enable VMs to access Internet
InternetGateway = t.add_resource(InternetGateway(
"InternetGateway",
Tags=Tags(**{
'Name': '%s - Public Network IGW' % data['EnvInfo']['Name'],
'Env': '%s' % data['Tags']['Env'],
'Owner': '%s' % data['Tags']['Owner']
})
))
### Attached InternetGateway to the VPC
VPCGatewayAttachment = t.add_resource(VPCGatewayAttachment(
"VPCGatewayAttachment",
VpcId=Ref("VPC"),
InternetGatewayId=Ref("InternetGateway"),
))
### Create Private Subnets from json with addSubnet from functions.py
PrivateSubnets = [addSubnet(t, data['Tags']['Env'], data['Tags']['Owner'], **SubnetData) for SubnetData in data['PrivateSubnetsData']]
### Create Public Subnets from json with addSubnet from functions.py
def build_template(sierrafile):
template = Template()
template.add_version('2010-09-09')
template.add_metadata(build_interface(sierrafile.extra_params))
parameters = AttrDict(
# Network Parameters
vpc_cidr=template.add_parameter(Parameter(
'VpcCidr',
Type='String',
Default='192.172.0.0/16',
)),
subnet1_cidr=template.add_parameter(Parameter(
'Subnet1Cidr',
Type='String',
Default='192.172.1.0/24',
)),
subnet2_cidr=template.add_parameter(Parameter(
'Subnet2Cidr',
Type='String',
Default='192.172.2.0/24',
)),
# ECS Parameters
cluster_size=template.add_parameter(Parameter(
'ClusterSize',
Type='Number',
Default=2,
)),
instance_type=template.add_parameter(Parameter(
'InstanceType',
Type='String',
Default='t2.medium'
)),
key_name=template.add_parameter(Parameter(
'KeyName',
Type='AWS::EC2::KeyPair::KeyName',
)),
image_id=template.add_parameter(Parameter(
'ImageId',
Type='AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>',
Default=(
'/aws/service/ecs/optimized-ami'
'/amazon-linux/recommended/image_id'
),
Description=(
'An SSM parameter that resolves to a valid AMI ID.'
' This is the AMI that will be used to create ECS hosts.'
' The default is the current recommended ECS-optimized AMI.'
)
)),
# Other Parameters
github_token=template.add_parameter(Parameter(
'GitHubToken',
Type='String',
NoEcho=True,
)),
)
# Environment Variable Parameters
for env_var_param, env_var_name in sierrafile.extra_params:
template.add_parameter(Parameter(
env_var_param,
Type='String',
NoEcho=True,
))
# Resource Declarations
# # Network
network_vpc = template.add_resource(VPC(
'NetworkVpc',
CidrBlock=Ref(parameters.vpc_cidr),
Tags=Tags(Name=Ref('AWS::StackName')),
))
network_ig = template.add_resource(InternetGateway(
'NetworkInternetGateway',
Tags=Tags(Name=Ref('AWS::StackName')),
))
vpc_attach = template.add_resource(VPCGatewayAttachment(
'NetworkInternetGatewayAttachment',
InternetGatewayId=Ref(network_ig),
VpcId=Ref(network_vpc),
))
route_table = template.add_resource(RouteTable(
'NetworkRouteTable',
VpcId=Ref(network_vpc),
Tags=Tags(Name=Ref('AWS::StackName')),
))
template.add_resource(Route(
'NetworkDefaultRoute',
DependsOn=[vpc_attach.title],
RouteTableId=Ref(route_table),
DestinationCidrBlock='0.0.0.0/0',
GatewayId=Ref(network_ig),
))
subnet1 = template.add_resource(Subnet(
'NetworkSubnet1',
VpcId=Ref(network_vpc),
AvailabilityZone=Select(0, GetAZs()),
MapPublicIpOnLaunch=True,
CidrBlock=Ref(parameters.subnet1_cidr),
Tags=Tags(Name=Sub('${AWS::StackName} (Public)')),
))
subnet2 = template.add_resource(Subnet(
'NetworkSubnet2',
VpcId=Ref(network_vpc),
AvailabilityZone=Select(1, GetAZs()),
MapPublicIpOnLaunch=True,
CidrBlock=Ref(parameters.subnet2_cidr),
Tags=Tags(Name=Sub('${AWS::StackName} (Public)')),
))
template.add_resource(SubnetRouteTableAssociation(
'NetworkSubnet1RouteTableAssociation',
RouteTableId=Ref(route_table),
SubnetId=Ref(subnet1),
))
template.add_resource(SubnetRouteTableAssociation(
'NetworkSubnet2RouteTableAssociation',
RouteTableId=Ref(route_table),
SubnetId=Ref(subnet2),
))
elb = template.add_resource(LoadBalancer(
ELB_NAME,
Name=Sub('${AWS::StackName}-elb'),
Type='network',
Subnets=[Ref(subnet1), Ref(subnet2)],
))
# # Cluster
ecs_host_role = template.add_resource(Role(
'EcsHostRole',
AssumeRolePolicyDocument=PolicyDocument(
Statement=[Statement(
Effect=Allow,
Principal=Principal('Service', 'ec2.amazonaws.com'),
Action=[awacs.sts.AssumeRole]
)],
),
ManagedPolicyArns=[
'arn:aws:iam::aws:policy/'
'service-role/AmazonEC2ContainerServiceforEC2Role'
]
))
ecs_host_profile = template.add_resource(InstanceProfile(
'EcsHostInstanceProfile',
Roles=[Ref(ecs_host_role)]
))
ecs_host_sg = template.add_resource(SecurityGroup(
'EcsHostSecurityGroup',
GroupDescription=Sub('${AWS::StackName}-hosts'),
VpcId=Ref(network_vpc),
SecurityGroupIngress=[SecurityGroupRule(
CidrIp='0.0.0.0/0',
IpProtocol='-1'
)]
))
cluster = template.add_resource(Cluster(
'EcsCluster',
ClusterName=Ref('AWS::StackName')
))
autoscaling_name = 'EcsHostAutoScalingGroup'
launch_conf_name = 'EcsHostLaunchConfiguration'
launch_conf = template.add_resource(LaunchConfiguration(
launch_conf_name,
ImageId=Ref(parameters.image_id),
InstanceType=Ref(parameters.instance_type),
IamInstanceProfile=Ref(ecs_host_profile),
KeyName=Ref(parameters.key_name),
SecurityGroups=[Ref(ecs_host_sg)],
UserData=Base64(Sub(
'#!/bin/bash\n'
'yum install -y aws-cfn-bootstrap\n'
'/opt/aws/bin/cfn-init -v'
' --region ${AWS::Region}'
' --stack ${AWS::StackName}'
f' --resource {launch_conf_name}\n'
'/opt/aws/bin/cfn-signal -e $?'
' --region ${AWS::Region}'
' --stack ${AWS::StackName}'
f' --resource {autoscaling_name}\n'
)),
Metadata={
'AWS::CloudFormation::Init': {
'config': {
'commands': {
'01_add_instance_to_cluster': {
'command': Sub(
f'echo ECS_CLUSTER=${{{cluster.title}}}'
f' > /etc/ecs/ecs.config'
),
}
},
'files': {
'/etc/cfn/cfn-hup.conf': {
'mode': 0o400,
'owner': 'root',
'group': 'root',
'content': Sub(
'[main]\n'
'stack=${AWS::StackId}\n'
'region=${AWS::Region}\n'
),
},
'/etc/cfn/hooks.d/cfn-auto-reloader.conf': {
'content': Sub(
'[cfn-auto-reloader-hook]\n'
'triggers=post.update\n'
'path=Resources.ContainerInstances.Metadata'
'.AWS::CloudFormation::Init\n'
'action=/opt/aws/bin/cfn-init -v'
' --region ${AWS::Region}'
' --stack ${AWS::StackName}'
f' --resource {launch_conf_name}\n'
),
},
},
'services': {
'sysvinit': {
'cfn-hup': {
'enabled': True,
'ensureRunning': True,
'files': [
'/etc/cfn/cfn-hup.conf',
'/etc/cfn/hooks.d/cfn-auto-reloader.conf'
]
}
}
}
}
}
}
))
autoscaling_group = template.add_resource(AutoScalingGroup(
autoscaling_name,
VPCZoneIdentifier=[Ref(subnet1), Ref(subnet2)],
LaunchConfigurationName=Ref(launch_conf),
DesiredCapacity=Ref(parameters.cluster_size),
MinSize=Ref(parameters.cluster_size),
MaxSize=Ref(parameters.cluster_size),
Tags=[{
'Key': 'Name',
'Value': Sub('${AWS::StackName} - ECS Host'),
'PropagateAtLaunch': True,
}],
CreationPolicy=CreationPolicy(
ResourceSignal=ResourceSignal(Timeout='PT15M'),
),
UpdatePolicy=UpdatePolicy(
AutoScalingRollingUpdate=AutoScalingRollingUpdate(
MinInstancesInService=1,
MaxBatchSize=1,
PauseTime='PT5M',
WaitOnResourceSignals=True,
),
),
))
# # Services
task_role = template.add_resource(Role(
'TaskExecutionRole',
AssumeRolePolicyDocument=PolicyDocument(
Statement=[Statement(
Effect=Allow,
Principal=Principal('Service', 'ecs-tasks.amazonaws.com'),
Action=[awacs.sts.AssumeRole],
)],
),
ManagedPolicyArns=[
'arn:aws:iam::aws:policy/'
'service-role/AmazonECSTaskExecutionRolePolicy'
],
))
artifact_bucket = template.add_resource(Bucket(
'ArtifactBucket',
DeletionPolicy='Retain',
))
codebuild_role = template.add_resource(Role(
'CodeBuildServiceRole',
Path='/',
AssumeRolePolicyDocument=PolicyDocument(
Version='2012-10-17',
Statement=[
Statement(
Effect=Allow,
Principal=Principal(
'Service', 'codebuild.amazonaws.com'
),
Action=[
awacs.sts.AssumeRole,
],
),
],
),
Policies=[Policy(
PolicyName='root',
PolicyDocument=PolicyDocument(
Version='2012-10-17',
Statement=[
Statement(
Resource=['*'],
Effect=Allow,
Action=[
awacs.ssm.GetParameters,
],
),
Statement(
Resource=['*'],
Effect=Allow,
Action=[
awacs.s3.GetObject,
awacs.s3.PutObject,
awacs.s3.GetObjectVersion,
],
),
Statement(
Resource=['*'],
Effect=Allow,
Action=[
awacs.logs.CreateLogGroup,
awacs.logs.CreateLogStream,
awacs.logs.PutLogEvents,
],
),
],
),
)],
))
codepipeline_role = template.add_resource(Role(
'CodePipelineServiceRole',
Path='/',
AssumeRolePolicyDocument=PolicyDocument(
Version='2012-10-17',
Statement=[
Statement(
Effect=Allow,
Principal=Principal(
'Service', 'codepipeline.amazonaws.com'
),
Action=[
awacs.sts.AssumeRole,
],
),
],
),
Policies=[Policy(
PolicyName='root',
PolicyDocument=PolicyDocument(
Version='2012-10-17',
Statement=[
Statement(
Resource=[
Sub(f'${{{artifact_bucket.title}.Arn}}/*')
],
Effect=Allow,
Action=[
awacs.s3.GetBucketVersioning,
awacs.s3.GetObject,
awacs.s3.GetObjectVersion,
awacs.s3.PutObject,
],
),
Statement(
Resource=['*'],
Effect=Allow,
Action=[
awacs.ecs.DescribeServices,
awacs.ecs.DescribeTaskDefinition,
awacs.ecs.DescribeTasks,
awacs.ecs.ListTasks,
awacs.ecs.RegisterTaskDefinition,
awacs.ecs.UpdateService,
awacs.codebuild.StartBuild,
awacs.codebuild.BatchGetBuilds,
awacs.iam.PassRole,
],
),
],
),
)],
))
log_group = template.add_resource(LogGroup(
'LogGroup',
LogGroupName=Sub('/ecs/${AWS::StackName}'),
))
if any(conf.pipeline.enable for conf in sierrafile.services.values()):
project = template.add_resource(Project(
'CodeBuildProject',
Name=Sub('${AWS::StackName}-build'),
ServiceRole=Ref(codebuild_role),
Artifacts=Artifacts(Type='CODEPIPELINE'),
Source=Source(Type='CODEPIPELINE'),
Environment=Environment(
ComputeType='BUILD_GENERAL1_SMALL',
Image='aws/codebuild/docker:17.09.0',
Type='LINUX_CONTAINER',
),
))
for name, settings in sierrafile.services.items():
task_definition = template.add_resource(TaskDefinition(
f'{name}TaskDefinition',
RequiresCompatibilities=['EC2'],
Cpu=str(settings.container.cpu),
Memory=str(settings.container.memory),
NetworkMode='bridge',
ExecutionRoleArn=Ref(task_role.title),
ContainerDefinitions=[
ContainerDefinition(
Name=f'{name}',
Image=settings.container.image,
Memory=str(settings.container.memory),
Essential=True,
PortMappings=[
PortMapping(
ContainerPort=settings.container.port,
Protocol='tcp',
),
],
Environment=[
troposphere.ecs.Environment(Name=k, Value=v)
for k, v in sierrafile.env_vars.items()
if k in settings.get('environment', [])
],
LogConfiguration=LogConfiguration(
LogDriver='awslogs',
Options={
'awslogs-region': Ref('AWS::Region'),
'awslogs-group': Ref(log_group.title),
'awslogs-stream-prefix': Ref('AWS::StackName'),
},
),
),
],
))
target_group = template.add_resource(TargetGroup(
f'{name}TargetGroup',
Port=settings.container.port,
Protocol='TCP',
VpcId=Ref(network_vpc),
Tags=Tags(Name=Sub(f'${{AWS::StackName}}-{name}')),
))
listener = template.add_resource(Listener(
f'{name}ElbListener',
LoadBalancerArn=Ref(elb),
Port=settings.container.port,
Protocol='TCP',
DefaultActions=[
Action(TargetGroupArn=Ref(target_group), Type='forward')
],
))
service = template.add_resource(Service(
f'{name}Service',
Cluster=Ref(cluster),
ServiceName=f'{name}-service',
DependsOn=[autoscaling_group.title, listener.title],
DesiredCount=settings.container.count,
TaskDefinition=Ref(task_definition),
LaunchType='EC2',
LoadBalancers=[
troposphere.ecs.LoadBalancer(
ContainerName=f'{name}',
ContainerPort=settings.container.port,
TargetGroupArn=Ref(target_group),
),
],
))
if settings.pipeline.enable:
pipeline = template.add_resource(Pipeline(
f'{name}Pipeline',
RoleArn=GetAtt(codepipeline_role, 'Arn'),
ArtifactStore=ArtifactStore(
Type='S3',
Location=Ref(artifact_bucket),
),
Stages=[
Stages(
Name='Source',
Actions=[Actions(
Name='Source',
ActionTypeId=ActionTypeId(
Category='Source',
Owner='ThirdParty',
Version='1',
Provider='GitHub',
),
OutputArtifacts=[
OutputArtifacts(Name=f'{name}Source'),
],
RunOrder='1',
Configuration={
'Owner': settings.pipeline.user,
'Repo': settings.pipeline.repo,
'Branch': settings.pipeline.branch,
'OAuthToken': Ref(parameters.github_token),
},
)],
),
Stages(
Name='Build',
Actions=[Actions(
Name='Build',
ActionTypeId=ActionTypeId(
Category='Build',
Owner='AWS',
Version='1',
Provider='CodeBuild',
),
InputArtifacts=[
InputArtifacts(Name=f'{name}Source'),
],
OutputArtifacts=[
OutputArtifacts(Name=f'{name}Build'),
],
RunOrder='1',
Configuration={
'ProjectName': Ref(project),
},
)],
),
Stages(
Name='Deploy',
Actions=[Actions(
Name='Deploy',
ActionTypeId=ActionTypeId(
Category='Deploy',
Owner='AWS',
Version='1',
Provider='ECS',
),
InputArtifacts=[
InputArtifacts(Name=f'{name}Build')
],
RunOrder='1',
Configuration={
'ClusterName': Ref(cluster),
'ServiceName': Ref(service),
'FileName': 'image.json',
},
)],
),
],
))
template.add_resource(Webhook(
f'{name}CodePipelineWebhook',
Name=Sub(f'${{AWS::StackName}}-{name}-webhook'),
Authentication='GITHUB_HMAC',
AuthenticationConfiguration=AuthenticationConfiguration(
SecretToken=Ref(parameters.github_token),
),
Filters=[FilterRule(
JsonPath='$.ref',
MatchEquals=f'refs/heads/{settings.pipeline.branch}'
)],
TargetAction='Source',
TargetPipeline=Ref(pipeline),
TargetPipelineVersion=1,
RegisterWithThirdParty=True,
))
return template
resources = {}
### VPC ###
resources[ "VPC" ] = template.add_resource(VPC(
"VPC",
CidrBlock = "10.0.0.0/24",
EnableDnsHostnames = True,
EnableDnsSupport = True,
Tags = [ { "Key": "Name", "Value": Join("-", [ Ref(parameters[ "Project" ]), "vpc" ]) },
{ "Key": "Project", "Value": Ref(parameters[ "Project" ]) }]))
### Internet Gateway ###
resources[ "InternetGateway" ] = template.add_resource(InternetGateway(
"InternetGateway",
Tags = [ { "Key": "Name", "Value": Join("-", [ Ref(parameters[ "Project" ]), "igw" ]) },
{ "Key": "Project", "Value": Ref(parameters[ "Project" ]) }]))
resources[ "VPCGatewayAttachmentIGW" ] = template.add_resource(VPCGatewayAttachment(
"VPCGatewayAttachmentIGW",
DependsOn = [ resource for resource in [ "InternetGateway",
"VPC" ] ],
InternetGatewayId = Ref(resources[ "InternetGateway" ]),
VpcId = Ref(resources[ "VPC" ] )))
### Routing Tables ###
resources[ "PrivateRouteTableA" ] = template.add_resource(RouteTable(
"PrivateRouteTableA",
DependsOn = [ resource for resource in [ "VPC" ] ],
Tags = [ { "Key": "Name", "Value": Join("-", [ Ref(parameters[ "Project" ]), "prv", "a", "rt" ]) },
{ "Key": "Project", "Value": Ref(parameters[ "Project" ]) }],
for f in vpc.subnets:
subnet = template.add_resource(
Subnet(f.name,
CidrBlock=f.CidrBlock,
VpcId=Ref(VPC),
MapPublicIpOnLaunch=f.MapPublicIpOnLaunch,
AvailabilityZone=Select(f.AvailabilityZone, GetAZs()),
Tags=Tags(Name=environmentString + f.name,
Stack=Ref("AWS::StackName"))))
f.instance = subnet
############################# ADD GATEWAY AND ROLE ###########################
internetGateway = template.add_resource(
InternetGateway('InternetGateway',
Tags=Tags(Name=environmentString + "Internet-Gateway",
Stack=Ref("AWS::StackName"))))
gatewayAttachment = template.add_resource(
VPCGatewayAttachment('AttachGateway',
VpcId=Ref(VPC),
InternetGatewayId=Ref(internetGateway)))
routeTable = template.add_resource(
RouteTable('PublicRouteTable',
VpcId=Ref(VPC),
Tags=Tags(Name=environmentString + "Public-Routes",
Stack=Ref("AWS::StackName"))))
route = template.add_resource(
Route(
def build(ssh_keypair_name):
template = Template()
template.set_version("2010-09-09")
keyname_param = template.add_parameter(
Parameter(
"KeyName",
ConstraintDescription="must be the name of an existing EC2 KeyPair.",
Description="Name of an existing EC2 KeyPair to enable SSH access to \
the instance",
Type="AWS::EC2::KeyPair::KeyName",
Default=ssh_keypair_name,
)
)
sshlocation_param = template.add_parameter(
Parameter(
"SSHLocation",
Description=" The IP address range that can be used to SSH to the EC2 \
instances",
Type="String",
MinLength="9",
MaxLength="18",
Default="0.0.0.0/0",
AllowedPattern=r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})",
ConstraintDescription=("must be a valid IP CIDR range of the form x.x.x.x/x."),
)
)
instanceType_param = template.add_parameter(
Parameter(
"InstanceType",
Type="String",
Description="WebServer EC2 instance type",
Default="t3a.small",
AllowedValues=[
"t2.micro",
"t2.small",
"t2.medium",
"t3a.small",
"m3.medium",
"m3.large",
"m3.xlarge",
"m3.2xlarge",
"c3.large",
"c3.xlarge",
"c3.2xlarge",
"c3.4xlarge",
"c3.8xlarge",
"g2.2xlarge",
"r3.large",
"r3.xlarge",
"r3.2xlarge",
"r3.4xlarge",
"r3.8xlarge",
"i2.xlarge",
"i2.2xlarge",
"i2.4xlarge",
"i2.8xlarge",
"hi1.4xlarge",
"hs1.8xlarge",
"cr1.8xlarge",
"cc2.8xlarge",
],
ConstraintDescription="must be a valid EC2 instance type.",
)
)
template.add_mapping(
"AWSRegion2AMI",
{
"us-east-1": {"image": "ami-0d915a031cabac0e0"},
"us-east-2": {"image": "ami-0b97435028ca44fcc"},
"us-west-1": {"image": "ami-068d0753a46192935"},
"us-west-2": {"image": "ami-0c457f229774da543"},
"eu-west-1": {"image": "ami-046c6a0123bf94619"},
"eu-west-2": {"image": "ami-0dbe8ba0cd21ea12b"},
"eu-west-3": {"image": "ami-041bf9180061ce7ea"},
"eu-central-1": {"image": "ami-0f8184e6f30cc0c33"},
"eu-north-1": {"image": "ami-08dd1b893371bcaac"},
"ap-south-1": {"image": "ami-0ff23052091536db2"},
"ap-southeast-1": {"image": "ami-0527e82bae7c51958"},
"ap-southeast-2": {"image": "ami-0bae8773e653a32ec"},
"ap-northeast-1": {"image": "ami-060741a96307668be"},
"ap-northeast-2": {"image": "ami-0d991ac4f545a6b34"},
"sa-east-1": {"image": "ami-076f350d5a5ec448d"},
"ca-central-1": {"image": "ami-0071deaa12b66d1bf"},
},
)
vpc = template.add_resource(VPC("VPC", CidrBlock="10.0.0.0/16"))
subnet = template.add_resource(Subnet("Subnet", CidrBlock="10.0.0.0/24", VpcId=Ref(vpc)))
internet_gateway = template.add_resource(InternetGateway("InternetGateway"))
attach_gateway = template.add_resource(
VPCGatewayAttachment("AttachGateway", VpcId=Ref(vpc), InternetGatewayId=Ref(internet_gateway))
)
route_table = template.add_resource(RouteTable("RouteTable", VpcId=Ref(vpc)))
template.add_resource(
Route(
"Route",
DependsOn=attach_gateway,
GatewayId=Ref(internet_gateway),
DestinationCidrBlock="0.0.0.0/0",
RouteTableId=Ref(route_table),
)
)
template.add_resource(
SubnetRouteTableAssociation("SubnetRouteTableAssociation", SubnetId=Ref(subnet), RouteTableId=Ref(route_table),)
)
network_acl = template.add_resource(NetworkAcl("NetworkAcl", VpcId=Ref(vpc),))
template.add_resource(
NetworkAclEntry(
"InboundHTTPNetworkAclEntry",
NetworkAclId=Ref(network_acl),
RuleNumber="100",
Protocol="6",
PortRange=PortRange(To="80", From="80"),
Egress="false",
RuleAction="allow",
CidrBlock="0.0.0.0/0",
)
)
template.add_resource(
NetworkAclEntry(
"InboundSSHNetworkAclEntry",
NetworkAclId=Ref(network_acl),
RuleNumber="101",
Protocol="6",
PortRange=PortRange(To="22", From="22"),
Egress="false",
RuleAction="allow",
CidrBlock="0.0.0.0/0",
)
)
template.add_resource(
NetworkAclEntry(
"InboundResponsePortsNetworkAclEntry",
NetworkAclId=Ref(network_acl),
RuleNumber="102",
Protocol="6",
PortRange=PortRange(To="65535", From="1024"),
Egress="false",
RuleAction="allow",
CidrBlock="0.0.0.0/0",
)
)
template.add_resource(
NetworkAclEntry(
"OutBoundHTTPNetworkAclEntry",
NetworkAclId=Ref(network_acl),
RuleNumber="100",
Protocol="6",
PortRange=PortRange(To="80", From="80"),
Egress="true",
RuleAction="allow",
CidrBlock="0.0.0.0/0",
)
)
template.add_resource(
NetworkAclEntry(
"OutBoundHTTPSNetworkAclEntry",
NetworkAclId=Ref(network_acl),
RuleNumber="101",
Protocol="6",
PortRange=PortRange(To="443", From="443"),
Egress="true",
RuleAction="allow",
CidrBlock="0.0.0.0/0",
)
)
template.add_resource(
NetworkAclEntry(
"OutBoundResponsePortsNetworkAclEntry",
NetworkAclId=Ref(network_acl),
RuleNumber="102",
Protocol="6",
PortRange=PortRange(To="65535", From="1024"),
Egress="true",
RuleAction="allow",
CidrBlock="0.0.0.0/0",
)
)
template.add_resource(
SubnetNetworkAclAssociation("SubnetNetworkAclAssociation", SubnetId=Ref(subnet), NetworkAclId=Ref(network_acl),)
)
instance_security_group = template.add_resource(
SecurityGroup(
"InstanceSecurityGroup",
GroupDescription="Enable SSH access via port 22",
SecurityGroupIngress=[
SecurityGroupRule(IpProtocol="tcp", FromPort="22", ToPort="22", CidrIp=Ref(sshlocation_param)),
SecurityGroupRule(IpProtocol="tcp", FromPort="80", ToPort="80", CidrIp="0.0.0.0/0"),
],
VpcId=Ref(vpc),
)
)
server_instance = template.add_resource(
Instance(
"ServerInstance",
ImageId=FindInMap("AWSRegion2AMI", Ref("AWS::Region"), "image"),
InstanceType=Ref(instanceType_param),
KeyName=Ref(keyname_param),
NetworkInterfaces=[
NetworkInterfaceProperty(
GroupSet=[Ref(instance_security_group)],
AssociatePublicIpAddress="true",
DeviceIndex="0",
DeleteOnTermination="true",
SubnetId=Ref(subnet),
)
],
)
)
template.add_output([Output("ServerIP", Value=GetAtt(server_instance, "PublicIp"))])
return template
