def add_extra_certificate(listener_stack, listener, cert_arn):
"""
Function to add Certificates to listener
:param listener_stack: The stack that "owns" the listener.
:param listener: The listener to add the certificate to
:param cert_arn: The identifier of the certificate
"""
cert_arn_re = re.compile(
r"((?:^arn:aws(?:-[a-z]+)?:acm:[\S]+:[0-9]+:certificate/)"
r"([a-z0-9]{8}(?:-[a-z0-9]{4}){3}-[a-z0-9]{12})$)")
if cert_arn_re.match(cert_arn):
cert_arn_id = cert_arn
elif isinstance(cert_arn, str) and cert_arn.find(ACM_KEY) < 0:
cert_arn_id = f"{ACM_KEY}::{cert_arn}"
elif isinstance(cert_arn, str) and cert_arn.find(ACM_KEY):
cert_arn_id = cert_arn
else:
raise ValueError(
f"{listener_stack.title} - Certificate value is not valid",
cert_arn)
if hasattr(listener, "Certificates") and listener.Certificates:
add_listener_certificate_via_arn(listener_stack, listener, cert_arn_id,
cert_arn)
else:
setattr(listener, "Certificates",
[Certificate(CertificateArn=cert_arn_id)])
def _add_service_listener(self, service_name, target_group_action,
alb, internal):
ssl_cert = Certificate(CertificateArn=self.ssl_certificate_arn)
service_listener = Listener(
"SslLoadBalancerListener" + service_name,
Protocol="HTTPS",
DefaultActions=[target_group_action],
LoadBalancerArn=Ref(alb),
Port=443,
Certificates=[ssl_cert],
SslPolicy="ELBSecurityPolicy-FS-1-2-Res-2019-08"
)
self.template.add_resource(service_listener)
if internal:
# Allow HTTP traffic on internal services
http_service_listener = Listener(
"LoadBalancerListener" + service_name,
Protocol="HTTP",
DefaultActions=[target_group_action],
LoadBalancerArn=Ref(alb),
Port=80
)
self.template.add_resource(http_service_listener)
else:
# Redirect HTTP to HTTPS on external services
redirection_config = RedirectConfig(
StatusCode='HTTP_301',
Protocol='HTTPS',
Port='443'
)
http_redirection_action = Action(
RedirectConfig=redirection_config,
Type="redirect"
)
http_redirection_listener = Listener(
"LoadBalancerRedirectionListener" + service_name,
Protocol="HTTP",
DefaultActions=[http_redirection_action],
LoadBalancerArn=Ref(alb),
Port=80
)
self.template.add_resource(http_redirection_listener)
return service_listener
def add_listener_certificate_via_arn(listener_stack, listener,
certificate_arn_id, cert_name) -> None:
"""
Adds a new ListenerCertificate for a given listener.
ListenerCertificate can only take 1 certificate in the list !!
:param ecs_composex.common.stacks.ComposeXStack listener_stack:
:param ecs_composex.elbv2.elbv2_stack.elbv2_listener.ComposeListener listener:
:param str certificate_arn_id: the ID to point to the certificate
:param str cert_name:
"""
listener_stack.stack_template.add_resource(
ListenerCertificate(
f"AcmCert{listener.title}{NONALPHANUM.sub('', cert_name)}",
Certificates=[Certificate(CertificateArn=certificate_arn_id)],
ListenerArn=Ref(listener),
))
def add_ssl_config_to_listeners(service_template, cert_import, ports):
"""
Function to add the SSL settings to the listener of the LB
:param service_template:
:param cert_import:
:param list ports: list of ports (int)
:return:
"""
for port in ports:
if not isinstance(port, int):
raise TypeError(f"Port must be of type", int, "got", type(port))
listener = find_service_listener(port, service_template)
if listener.Protocol == "HTTP":
listener.Protocol = "HTTPS"
setattr(
listener,
"Certificates",
[Certificate(CertificateArn=cert_import)],
)
elif listener.Protocol == "TCP":
listener.Protocol = "TLS"
def to_json(self):
if self._json is not None:
return self._json
# Validity checks
if len(self.subnet_ids) < 2:
raise ValidationException(
"Use .subnet_id() to specify at least two ELB subnets")
if len(self.cert_ids) < 1:
raise ValidationException(
"Use .certificate_id() to specify at least one certificate")
if not self._ecs_redirect and len(self.default_targets) < 1:
raise ValidationException(
"Use .default_target() to specify at least one default target or .ecs_redirect("
") to set up a redirect container")
for (name, tp) in self.target_paths.iteritems():
if len(set(map(lambda h: h.type, tp.hosts))) != 1:
raise ValidationException(
"Inconsistent target types for %s. All hosts for a given path must have the "
"same type (ip or instance)." % name)
# Build Security Group
if self._custom_elb_sgs:
elb_sgs = self._custom_elb_sgs
else:
elb_sg = SecurityGroup(
"ElbSecurityGroup",
GroupDescription=Sub("${AWS::StackName}-ElbSg"),
Tags=self.tags_with(Name=Sub("${AWS::StackName}-ElbSg")),
VpcId=self.vpc_id,
SecurityGroupEgress=[
SecurityGroupRule(CidrIp="0.0.0.0/0", IpProtocol="-1")
],
SecurityGroupIngress=self._sg_rules)
self.template.add_resource(elb_sg)
self.template.add_output(
Output("ElbSecurityGroupOutput",
Description="Security group ID assigned to the ELB",
Value=Ref(elb_sg),
Export=Export(Sub("${AWS::StackName}-ElbSg"))))
# Build Attachment Security Group
inst_sg = SecurityGroup(
"InstanceSecurityGroup",
GroupDescription=Sub("${AWS::StackName}-InstSg"),
Tags=self.tags_with(Name=Sub("${AWS::StackName}-InstSg")),
VpcId=self.vpc_id,
SecurityGroupEgress=[
SecurityGroupRule(CidrIp="0.0.0.0/0", IpProtocol="-1")
],
SecurityGroupIngress=[
SecurityGroupRule(IpProtocol="-1",
SourceSecurityGroupId=Ref(elb_sg))
])
self.template.add_resource(inst_sg)
self.template.add_output(
Output("InstanceSecurityGroupOutput",
Description="Convenience SG to assign to instances",
Value=Ref(inst_sg),
Export=Export(Sub("${AWS::StackName}-InstSg"))))
elb_sgs = [Ref("ElbSecurityGroup")]
# Build ELB
elb = LoadBalancer("ELB",
Name=Ref("AWS::StackName"),
SecurityGroups=elb_sgs,
Subnets=self.subnet_ids,
Tags=self.tags_with(Name=Ref("AWS::StackName")),
LoadBalancerAttributes=self.elb_attributes())
self.template.add_resource(elb)
self.template.add_output(
Output("ElbArnOutput",
Description="ARN of the ELB",
Value=Ref(elb),
Export=Export(Sub("${AWS::StackName}-ElbArn"))))
self.template.add_output(
Output("ElbDnsOutput",
Description="DNS name of the ELB",
Value=GetAtt("ELB", "DNSName"),
Export=Export(Sub("${AWS::StackName}-ElbDns"))))
# Build Default Target Group
if self._ecs_redirect:
default_tg_protocol = "HTTP"
else:
default_tg_protocol = self.default_targets[0].protocol
default_tg = TargetGroup(
"DefaultTargetGroup",
Port=8080,
Protocol=default_tg_protocol,
Tags=self.tags_with(Name=Sub("${AWS::StackName}-Default")),
VpcId=self.vpc_id,
Targets=list(
map(lambda h: TargetDescription(Id=h.host, Port=h.port),
self.default_targets)),
HealthyThresholdCount=2,
Matcher=Matcher(HttpCode="200-399"))
self.template.add_resource(default_tg)
self.attach_alarm(default_tg)
# Build Listener
self.template.add_resource(
Listener("HttpsListener",
Certificates=list(
map(lambda i: Certificate(CertificateArn=i),
self.cert_ids)),
DefaultActions=[
Action(Type="forward",
TargetGroupArn=Ref("DefaultTargetGroup"))
],
LoadBalancerArn=Ref("ELB"),
Port=443,
Protocol="HTTPS"))
# Build HTTP redirect
if len(self.http_redirect_targets) > 0:
# Build Redirect Target Group
http_tg = TargetGroup(
"RedirectTargetGroup",
Port=8080,
Protocol=self.http_redirect_targets[0].protocol,
Tags=self.tags_with(Name=Sub("${AWS::StackName}-Redirect")),
VpcId=self.vpc_id,
Targets=list(
map(lambda h: TargetDescription(Id=h.host, Port=h.port),
self.http_redirect_targets)),
HealthyThresholdCount=2,
Matcher=Matcher(HttpCode="200-399"))
self.template.add_resource(http_tg)
self.attach_alarm(http_tg)
if self._ecs_redirect or len(self.http_redirect_targets) > 0:
if self._ecs_redirect:
redirect_tg = "DefaultTargetGroup"
else:
redirect_tg = "RedirectTargetGroup"
# Build Listener
self.template.add_resource(
Listener("HttpListener",
DefaultActions=[
Action(Type="forward",
TargetGroupArn=Ref(redirect_tg))
],
LoadBalancerArn=Ref("ELB"),
Port=80,
Protocol="HTTP"))
# Build Target Groups & Rules
for (name, tp) in self.target_paths.iteritems():
name_an = alpha_numeric_name(name)
tag_name = taggable_name(name)
g = TargetGroup(
"PathTg" + name_an,
Port=tp.hosts[0].port,
Protocol=tp.hosts[0].protocol,
Tags=self.tags_with(Name="%s/%s" % (self.env_name, tag_name),
TargetPath=tag_name),
Targets=list(map(lambda h: h.to_target_desc(), tp.hosts)),
VpcId=self.vpc_id,
HealthCheckPath="/%s" % name,
HealthyThresholdCount=2,
Matcher=tp.health_check_matcher)
# TODO: We should probably explicitly specify this for every TG. Not
# doing that now because it will cause lots of updates. Maybe
# in 0.4?
if len(tp.hosts) > 0 and tp.hosts[0].type != "instance":
g.TargetType = tp.hosts[0].type
if self.sticky:
g.TargetGroupAttributes = [
TargetGroupAttribute(Key="stickiness.enabled",
Value="true"),
TargetGroupAttribute(Key="stickiness.type",
Value="lb_cookie")
]
self.template.add_resource(g)
self.attach_alarm(g)
self.template.add_resource(
ListenerRule(
"PathRl" + name_an,
Actions=[Action(Type="forward", TargetGroupArn=Ref(g))],
Conditions=[
Condition(Field="path-pattern",
Values=["/%s/*" % name])
],
ListenerArn=Ref("HttpsListener"),
Priority=self.priority_hash(name)))
self.template.add_resource(
ListenerRule(
"PathRln" + name_an,
Actions=[Action(Type="forward", TargetGroupArn=Ref(g))],
Conditions=[
Condition(Field="path-pattern", Values=["/%s" % name])
],
ListenerArn=Ref("HttpsListener"),
Priority=self.priority_hash(name)))
# Build Alternate Listeners
for al in self.alt_listeners:
tg_name = "AltTg%d" % al.port
tg_protocol = al.hosts[0].protocol
tg = TargetGroup(
tg_name,
Port=9999,
Protocol=tg_protocol,
Tags=self.tags_with(Name=Sub("${AWS::StackName}-%s" %
tg_name)),
VpcId=self.vpc_id,
Targets=list(
map(lambda h: TargetDescription(Id=h.host, Port=h.port),
al.hosts)),
HealthyThresholdCount=2,
Matcher=Matcher(HttpCode="200-399"))
self.template.add_resource(tg)
self.attach_alarm(tg)
listener = Listener("AltListener%d" % al.port,
DefaultActions=[
Action(Type="forward",
TargetGroupArn=Ref(tg_name))
],
LoadBalancerArn=Ref("ELB"),
Port=al.port,
Protocol=al.protocol)
if al.protocol == "HTTPS":
listener.Certificates = list(
map(lambda i: Certificate(CertificateArn=i),
self.cert_ids))
self.template.add_resource(listener)
self._json = self.template.to_json()
return self._json
def add_resources(self):
self.KongPublicLoadBalancerSecurityGroup = self.template.add_resource(
ec2.SecurityGroup(
"KongPublicLoadBalancerSecurityGroup",
GroupDescription=
"Enable HTTP access on port 8000m and 8001 for Admin",
VpcId=Ref(self.VpcId),
SecurityGroupIngress=[
ec2.SecurityGroupRule(
IpProtocol="tcp",
FromPort=8000,
ToPort=8001,
CidrIp=Ref(self.KongAdminAccess),
),
ec2.SecurityGroupRule(
IpProtocol="tcp",
FromPort=8443,
ToPort=8444,
CidrIp=Ref(self.KongProxyAccess),
),
ec2.SecurityGroupRule(
IpProtocol="tcp",
FromPort=22,
ToPort=22,
CidrIp=Ref(self.KongAdminAccess),
)
],
Tags=self.base_tags +
Tags(Name=self.environment_parameters["ClientEnvironmentKey"] +
"-KongPublicLBSG"),
))
self.KongPrivateLoadBalancerSecurityGroup = self.template.add_resource(
ec2.SecurityGroup(
"KongPrivateLoadBalancerSecurityGroup",
GroupDescription="Enable HTTP access on port 8000 and 8001",
VpcId=Ref(self.VpcId),
SecurityGroupIngress=[
ec2.SecurityGroupRule(
IpProtocol="tcp",
FromPort=8000,
ToPort=8001,
CidrIp=Ref(self.KongAdminAccess),
),
ec2.SecurityGroupRule(
IpProtocol="tcp",
FromPort=8443,
ToPort=8444,
CidrIp=Ref(self.KongProxyAccess),
),
ec2.SecurityGroupRule(
IpProtocol="tcp",
FromPort=22,
ToPort=22,
CidrIp=Ref(self.KongAdminAccess),
)
],
Tags=self.base_tags +
Tags(Name=self.environment_parameters["ClientEnvironmentKey"] +
"-KongPrivateLBSG"),
))
self.KongPublicLoadBalancer = self.template.add_resource(
elb.LoadBalancer(
"KongPublicLoadBalancer",
Name=self.environment_parameters["ClientEnvironmentKey"] +
"-KongPubLB",
Scheme="internet-facing",
Subnets=[Ref(self.RESTPubSubnet1),
Ref(self.RESTPubSubnet2)],
SecurityGroups=[Ref(self.KongPublicLoadBalancerSecurityGroup)],
Tags=self.base_tags +
Tags(Name=self.environment_parameters["ClientEnvironmentKey"] +
"-KongPubLB"),
))
self.KongPublicSecureProxyTargetGroup = self.template.add_resource(
elb.TargetGroup(
"KongPublicSecureProxyTargetGroup",
HealthCheckIntervalSeconds="30",
HealthCheckProtocol="HTTP",
HealthCheckTimeoutSeconds="10",
HealthyThresholdCount="4",
Matcher=elb.Matcher(HttpCode="200"),
Name=self.environment_parameters["ClientEnvironmentKey"] +
"-KongPubSecProxyTG",
Port="8443",
Protocol="HTTPS",
UnhealthyThresholdCount="3",
VpcId=Ref(self.VpcId),
))
self.KongPublicSecureAdminTargetGroup = self.template.add_resource(
elb.TargetGroup(
"KongPublicSecureAdminTargetGroup",
HealthCheckIntervalSeconds="30",
HealthCheckProtocol="HTTPS",
HealthCheckTimeoutSeconds="10",
HealthyThresholdCount="4",
Matcher=elb.Matcher(HttpCode="200"),
Name=self.environment_parameters["ClientEnvironmentKey"] +
"-KongPubSecAdminTG",
Port="8444",
Protocol="HTTPS",
UnhealthyThresholdCount="3",
VpcId=Ref(self.VpcId),
))
self.KongPrivateSecureProxyTargetGroup = self.template.add_resource(
elb.TargetGroup(
"KongPrivateSecureProxyTargetGroup",
HealthCheckIntervalSeconds="30",
HealthCheckProtocol="HTTPS",
HealthCheckTimeoutSeconds="10",
HealthyThresholdCount="4",
Matcher=elb.Matcher(HttpCode="200"),
Name=self.environment_parameters["ClientEnvironmentKey"] +
"-KongPrivateSecProxyTG",
Port="8443",
Protocol="HTTPS",
UnhealthyThresholdCount="3",
VpcId=Ref(self.VpcId),
))
self.KongPrivateSecureAdminTargetGroup = self.template.add_resource(
elb.TargetGroup(
"KongPrivateSecureAdminTargetGroup",
HealthCheckIntervalSeconds="30",
HealthCheckProtocol="HTTPS",
HealthCheckTimeoutSeconds="10",
HealthyThresholdCount="4",
Matcher=elb.Matcher(HttpCode="200"),
Name=self.environment_parameters["ClientEnvironmentKey"] +
"-KongPrivSecAdminTG",
Port="8444",
Protocol="HTTPS",
UnhealthyThresholdCount="3",
VpcId=Ref(self.VpcId),
))
self.KongPublicNonSecureAdminTargetGroup = self.template.add_resource(
elb.TargetGroup(
"KongPublicNonSecureAdminTargetGroup",
HealthCheckIntervalSeconds="30",
HealthCheckProtocol="HTTP",
HealthCheckTimeoutSeconds="10",
HealthyThresholdCount="4",
Matcher=elb.Matcher(HttpCode="200"),
Name=self.environment_parameters["ClientEnvironmentKey"] +
"-KongPubNonSecAdminTG",
Port="8001",
Protocol="HTTP",
UnhealthyThresholdCount="3",
VpcId=Ref(self.VpcId),
))
self.KongPrivateLoadBalancer = self.template.add_resource(
elb.LoadBalancer(
"KongPrivateLoadBalancer",
Name=self.environment_parameters["ClientEnvironmentKey"] +
"-KongPrivLB",
Scheme="internal",
Subnets=[Ref(self.RESTPrivSubnet1),
Ref(self.RESTPrivSubnet2)],
SecurityGroups=[
Ref(self.KongPrivateLoadBalancerSecurityGroup)
],
Tags=Tags(
Name=self.environment_parameters["ClientEnvironmentKey"] +
"-KongPrivLB") + self.base_tags,
))
self.KongPublicSecureProxyListener = self.template.add_resource(
elb.Listener(
"KongPublicSecureProxyListener",
Port="8443",
Protocol="HTTPS",
SslPolicy="ELBSecurityPolicy-2016-08",
LoadBalancerArn=Ref(self.KongPublicLoadBalancer),
Certificates=[
Certificate(CertificateArn=Ref(self.KongSSLCertificate))
],
DefaultActions=[
elb.Action(Type="forward",
TargetGroupArn=Ref(
self.KongPublicSecureProxyTargetGroup))
]))
self.KongPublicSecureAdminListener = self.template.add_resource(
elb.Listener(
"KongPublicSecureAdminListener",
Port="8444",
Protocol="HTTPS",
SslPolicy="ELBSecurityPolicy-2016-08",
LoadBalancerArn=Ref(self.KongPublicLoadBalancer),
Certificates=[
Certificate(CertificateArn=Ref(self.KongSSLCertificate))
],
DefaultActions=[
elb.Action(Type="forward",
TargetGroupArn=Ref(
self.KongPublicSecureAdminTargetGroup))
]))
self.KongPrivateSecureProxyListener = self.template.add_resource(
elb.Listener(
"KongPrivateSecureProxyListener",
Port="8443",
Protocol="HTTPS",
SslPolicy="ELBSecurityPolicy-2016-08",
LoadBalancerArn=Ref(self.KongPrivateLoadBalancer),
Certificates=[
Certificate(CertificateArn=Ref(self.KongSSLCertificate))
],
DefaultActions=[
elb.Action(Type="forward",
TargetGroupArn=Ref(
self.KongPrivateSecureProxyTargetGroup))
]))
self.KongPrivateSecureAdminListener = self.template.add_resource(
elb.Listener(
"KongPrivateSecureAdminListener",
Port="8444",
Protocol="HTTPS",
SslPolicy="ELBSecurityPolicy-2016-08",
LoadBalancerArn=Ref(self.KongPrivateLoadBalancer),
Certificates=[
Certificate(CertificateArn=Ref(self.KongSSLCertificate))
],
DefaultActions=[
elb.Action(Type="forward",
TargetGroupArn=Ref(
self.KongPrivateSecureAdminTargetGroup))
]))
self.KongPublicNonSecureAdminListener = self.template.add_resource(
elb.Listener("KongPublicNonSecureAdminListener",
Port="8001",
Protocol="HTTP",
LoadBalancerArn=Ref(self.KongPublicLoadBalancer),
DefaultActions=[
elb.Action(
Type="forward",
TargetGroupArn=Ref(
self.KongPublicNonSecureAdminTargetGroup))
]))
self.KongEC2SecurityGroup = self.template.add_resource(
ec2.SecurityGroup(
"KongEC2SecurityGroup",
GroupDescription=
"Enable SSH access and HTTP access on the inbound Port",
VpcId=Ref(self.VpcId),
SecurityGroupIngress=[
ec2.SecurityGroupRule(
IpProtocol="tcp",
FromPort=8000,
ToPort=8001,
SourceSecurityGroupId=Ref(
self.KongPublicLoadBalancerSecurityGroup),
),
ec2.SecurityGroupRule(
IpProtocol="tcp",
FromPort=8443,
ToPort=8444,
SourceSecurityGroupId=Ref(
self.KongPublicLoadBalancerSecurityGroup),
),
ec2.SecurityGroupRule(
IpProtocol="tcp",
FromPort=8000,
ToPort=8001,
SourceSecurityGroupId=Ref(
self.KongPrivateLoadBalancerSecurityGroup),
),
ec2.SecurityGroupRule(
IpProtocol="tcp",
FromPort=8443,
ToPort=8444,
SourceSecurityGroupId=Ref(
self.KongPrivateLoadBalancerSecurityGroup),
),
ec2.SecurityGroupRule(
IpProtocol="tcp",
FromPort=8443,
ToPort=8444,
SourceSecurityGroupId=Ref(
self.KongPrivateLoadBalancerSecurityGroup),
)
],
Tags=self.base_tags +
Tags(Name=self.environment_parameters["ClientEnvironmentKey"] +
"-KongEc2SG"),
))
self.CassandraSGKongCommunicationIngress = self.template.add_resource(
ec2.SecurityGroupIngress(
"CassandraSGKongCommunicationIngress",
DependsOn=self.KongEC2SecurityGroup,
GroupId=Ref(self.CassandraSG),
IpProtocol="tcp",
FromPort=Ref(self.CassandraPort),
ToPort=Ref(self.CassandraPort),
SourceSecurityGroupId=Ref(self.KongEC2SecurityGroup),
))
self.ASGUpdateRole = self.template.add_resource(
Role("ASGUpdateRole",
AssumeRolePolicyDocument=Policy(Statement=[
Statement(Effect=Allow,
Action=[AssumeRole],
Principal=Principal("Service",
["ec2.amazonaws.com"]))
]),
Policies=[
iam.Policy(
PolicyName="ASGUpdateRole",
PolicyDocument={
"Version":
"2012-10-17",
"Statement": [{
"Action": [
"ec2:Describe*",
"cloudformation:DescribeStackResource"
],
"Effect":
"Allow",
"Resource":
"*"
}]
})
]))
self.ASGUpdateProfile = self.template.add_resource(
InstanceProfile(
"ASGUpdateProfile",
Path="/",
Roles=[Ref(self.ASGUpdateRole)],
))
self.KongVersionSSMParameter = self.template.add_resource(
SSMParameter(
"KongVersionSSMParameter",
Description="The Kong Version",
Name=self.environment_parameters["ClientEnvironmentKey"] +
"-KongVersion",
Type="String",
Value=Ref(self.KongVersionSSMParameterValue),
))
self.KongExecuteMigrationsSSMParameter = self.template.add_resource(
SSMParameter(
"KongExecuteMigrationsSSMParameter",
Description=
"Flag to determine if Kong should Execute DB migrations",
Name=self.environment_parameters["ClientEnvironmentKey"] +
"-KongExecuteMigrations",
Type="String",
Value=Ref(self.KongExecuteMigrationsSSMParameterValue),
))
self.CassandraSeedListSSMParameter = self.template.add_resource(
SSMParameter(
"CassandraSeedListSSMParameter",
Description="The Cassandra Seed Node List",
Name=self.environment_parameters["ClientEnvironmentKey"] +
"-CassandraSeedList",
Type="String",
Value=Ref(self.CassandraSeedListSSMParameterValue),
))
self.KongLaunchConfig = self.template.add_resource(
LaunchConfiguration(
"KongLaunchConfig",
ImageId="ami-a4c7edb2",
AssociatePublicIpAddress="false",
InstanceType=Ref(self.KongInstanceType),
IamInstanceProfile=Ref(self.KongIAMInstanceProfile),
KeyName=Ref(self.KongKeyName),
SecurityGroups=[Ref(self.KongEC2SecurityGroup)],
UserData=Base64(
Join('', [
"#!/bin/bash\n",
"yum update -y \n",
"pip install --upgrade pip \n",
"pip install --upgrade awscli \n",
"ClientCode=\"" +
self.environment_parameters["ClientEnvironmentKey"] +
"\" \n",
"REGION=\"" +
self.environment_parameters["EnvironmentRegion"] +
"\" \n",
"BootstrapRepositorySSMKey=\"-bootstrapRepository\" \n",
"BootstrapRepositorySSMKey=${ClientCode}${BootstrapRepositorySSMKey} \n",
"echo $BootstrapRepositorySSMKey \n",
"bootstrapRepository=\"$(aws ssm get-parameter --name ${BootstrapRepositorySSMKey} --region ${REGION} --output text --query 'Parameter.Value')\" \n",
"echo $bootstrapRepository \n",
"keyprefix=\"/bootstrap/rest/bash\" \n",
"localpath=\"/tmp/bootstrap\" \n",
"echo $bootStrapRepository \n",
"if [ ! -d \"${localpath}\"]; then \n",
"mkdir - p \n",
"\"${localpath}\" \n",
"fi \n",
"FullS3Path=${bootstrapRepository}${keyprefix} \n",
"echo $FullS3Path \n",
"aws s3 sync s3://$FullS3Path $localpath \n",
"chmod u+x /tmp/bootstrap/kong-provision.sh \n",
"/bin/bash /tmp/bootstrap/kong-provision.sh \n",
]))))
self.KongScalingGroup = self.template.add_resource(
AutoScalingGroup(
"KongScalingGroup",
AutoScalingGroupName=self.
environment_parameters["ClientEnvironmentKey"] +
"-KongAutoScalingGroup",
AvailabilityZones=["us-east-1a"],
LaunchConfigurationName=Ref(self.KongLaunchConfig),
VPCZoneIdentifier=[Ref(self.RESTPrivSubnet1)],
MinSize="1",
MaxSize="1",
DesiredCapacity="1",
TargetGroupARNs=[
Ref(self.KongPublicNonSecureAdminTargetGroup),
Ref(self.KongPrivateSecureAdminTargetGroup),
Ref(self.KongPrivateSecureProxyTargetGroup),
Ref(self.KongPublicSecureAdminTargetGroup),
Ref(self.KongPublicSecureProxyTargetGroup)
],
Tags=[
AutoScalingTag(
"Name",
self.environment_parameters["ClientEnvironmentKey"] +
"-Kong-Ec2", True),
AutoScalingTag(
"Environment",
self.environment_parameters["EnvironmentName"], True),
AutoScalingTag(
"ResourceOwner",
self.environment_parameters["ResourceOwner"], True),
AutoScalingTag(
"ClientCode",
self.environment_parameters["ClientEnvironmentKey"],
True),
],
))
def create_alb_template():
template = Template()
vpc = template.add_parameter(
parameter=Parameter(title='Vpc', Type='String'))
subnet_a = template.add_parameter(
parameter=Parameter(title='SubnetA', Type='String'))
subnet_b = template.add_parameter(
parameter=Parameter(title='SubnetB', Type='String'))
ec2_instance = template.add_parameter(
parameter=Parameter(title='Ec2Instance', Type='String'))
certificate = template.add_parameter(
parameter=Parameter(title='Certificate', Type='String'))
security_group = template.add_resource(
resource=SecurityGroup(title='SampleSecurityGroup',
GroupDescription='sample-security-group',
SecurityGroupIngress=[{
'IpProtocol': 'tcp',
'FromPort': 80,
'ToPort': 80,
'CidrIp': '0.0.0.0/0'
}, {
'IpProtocol': 'tcp',
'FromPort': 443,
'ToPort': 443,
'CidrIp': '0.0.0.0/0'
}],
VpcId=Ref(vpc)))
load_balancer = template.add_resource(resource=LoadBalancer(
title='SampleLoadBalancer',
Name='sample-alb-https',
Subnets=[Ref(subnet_a), Ref(subnet_b)],
SecurityGroups=[Ref(security_group)],
))
target_group = template.add_resource(resource=TargetGroup(
title='SampleTargetGroup',
Targets=[TargetDescription(
Id=Ref(ec2_instance),
Port=80,
)],
VpcId=Ref(vpc),
Name='sample-target-group-https',
Port=443,
Protocol='HTTP',
))
template.add_resource(resource=Listener(
title='SampleListenerHttps',
Certificates=[Certificate(CertificateArn=Ref(certificate))],
DefaultActions=[
Action(TargetGroupArn=Ref(target_group), Type='forward')
],
LoadBalancerArn=Ref(load_balancer),
Port=443,
Protocol='HTTPS',
))
template.add_resource(resource=Listener(
title='SampleListenerHttp',
DefaultActions=[
Action(
RedirectConfig=RedirectConfig(
Host='#{host}',
Path='/#{path}',
Port='443',
Protocol='HTTPS',
Query='#{query}',
StatusCode='HTTP_301',
),
Type='redirect',
)
],
LoadBalancerArn=Ref(load_balancer),
Port=80,
Protocol='HTTP',
))
with open('./alb.yml', mode='w') as file:
file.write(template.to_yaml())
LoadBalancerAttributes(Key="access_logs.s3.prefix", Value="alb")
],
SecurityGroups=[Ref(alb_security_group)],
DependsOn=Ref(logs_bucket_policy))
template.add_resource(load_balancer)
target_group = TargetGroup("exampletargetgroup",
VpcId=vpc_id,
HealthCheckPath='/',
Port='80',
Protocol='HTTP')
listener = Listener(
"examplelistener",
LoadBalancerArn=Ref(load_balancer),
Port='443',
Protocol='HTTPS',
Certificates=[Certificate(CertificateArn=certificate_arn)],
DefaultActions=[Action(Type='forward', TargetGroupArn=Ref(target_group))],
SslPolicy="ELBSecurityPolicy-TLS-1-2-Ext-2018-06")
template.add_resource(target_group)
template.add_resource(listener)
# Setup the ASG & launch config
launch_config = LaunchConfiguration(
"LaunchConfig",
ImageId=image_id,
IamInstanceProfile=Ref(example_instance_profile),
InstanceType=instance_type,
Metadata=Metadata(
Init({
'config':
InitConfig(
Protocol = "HTTPS",
StatusCode = "HTTP_301"
),
Type = "redirect"
)
],
LoadBalancerArn = Ref(application_load_balancer),
Port = 80,
Protocol = "HTTP"
)
https_listener = Listener(
region.replace("-", "") + "ecslivehttpslistener",
Certificates = [
Certificate(
CertificateArn = Ref(origin_issued_certificate)
)
],
DefaultActions = [
Action(
region.replace("-", "") + "ecslivehttpsfixedresponseaction",
FixedResponseConfig = FixedResponseConfig(
region.replace("-", "") + "ecslivehttpredirectconfig",
ContentType = "text/plain",
MessageBody = "Service Unavailable",
StatusCode = "503"
),
Order = 50000,
Type = "fixed-response"
)
Subnets=[
Ref(loadbalancer_a_subnet),
Ref(loadbalancer_b_subnet),
],
SecurityGroups=[Ref(load_balancer_security_group)],
)
template.add_output(
Output("LoadBalancerDNSName",
Description="Loadbalancer DNS",
Value=GetAtt(application_load_balancer, "DNSName")))
application_listener = Listener(
'ApplicationListener',
template=template,
Certificates=[Certificate(CertificateArn=application_certificate, )],
LoadBalancerArn=Ref(application_load_balancer),
Protocol='HTTPS',
Port=443,
DefaultActions=[
Action(
TargetGroupArn=Ref(application_target_group),
Type='forward',
)
])
# ECS cluster
cluster = Cluster(
"Cluster",
template=template,
)
Path="/#{path}",
Port="443",
Protocol="HTTPS",
Query="#{query}",
StatusCode="HTTP_301"))
],
LoadBalancerArn=Ref(resources["ALB"]),
Port=80,
Protocol="HTTP"))
resources["ALBHTTPSlistener"] = template.add_resource(
AppListener("ALBHTTPSlistener",
DependsOn=[resource for resource in ["ALB", "ALBTargetGroup"]],
Certificates=[
Certificate("ALBCertificate",
CertificateArn=Ref(
parameters["SSLCertificateALB"]))
],
DefaultActions=[
Action(Type='forward',
TargetGroupArn=Ref("ALBTargetGroup"))
],
LoadBalancerArn=Ref(resources["ALB"]),
Port=443,
Protocol="HTTPS"))
### Application Load Balancer Target Group ###
resources["ALBTargetGroup"] = template.add_resource(
TargetGroup(
"ALBTargetGroup",