def test_tg_healthcheck_port_ref(self): p = Parameter('myport') tg_healthcheck_port(Ref(p))
Statement=[ awacs.aws.Statement( Effect=awacs.aws.Allow, Action=[awacs.sts.AssumeRole], Principal=awacs.aws.Principal( "Service", "apigateway.amazonaws.com"), ) ]), ManagedPolicyArns=[ "arn:aws:iam::aws:policy/service-role/AWSLambdaRole", ])) devices_authorizer = template.add_resource( apigateway.Authorizer( 'DevicesApiAuthorizer', RestApiId=Ref(restapi), Name='DevicesApiAuthorizer', Type='REQUEST', AuthorizerResultTtlInSeconds=0, AuthorizerCredentials=GetAtt(authorizer_credentials, "Arn"), IdentitySource="method.request.header.Attestation", AuthorizerUri=lambda_invocation_arn(authorizer_lambda))) android_resource = template.add_resource( apigateway.Resource('AndroidResource', RestApiId=Ref(restapi), PathPart='android', ParentId=GetAtt(restapi, 'RootResourceId'))) root_method = template.add_resource( apigateway.Method('RootMethod',
Type="String", Description="Public Subnet CIDR", Default="172.18.0.0/22", )) private_subnet = t.add_parameter( Parameter( "PrivateSubnetCidr", Type="String", Description="Public Subnet CIDR", Default="172.18.32.0/21", )) vpc = t.add_resource(ec2.VPC( "VPC", CidrBlock=Ref(vpc_cidr), )) public_net = t.add_resource( ec2.Subnet( "PublicSubnet", CidrBlock=Ref(public_subnet), MapPublicIpOnLaunch=True, VpcId=Ref(vpc), )) private_net = t.add_resource( ec2.Subnet( "PrivateSubnet", CidrBlock=Ref(private_subnet), MapPublicIpOnLaunch=False,
SecurityGroupIngress=[ ec2.SecurityGroupRule( IpProtocol="tcp", FromPort="22", ToPort="22", CidrIp=PublicCidrIp, ), ec2.SecurityGroupRule( IpProtocol="tcp", FromPort=ApplicationPort, ToPort=ApplicationPort, CidrIp="0.0.0.0/0", ), ], #elb에서 추가한 보안그룹을 참조하도록 추가 VpcId=Ref("VpcId"), )) #elb 보안그룹 추가 t.add_resource( ec2.SecurityGroup( "LoadBalancerSecurityGroup", GroupDescription="Web load balancer security group.", VpcId=Ref("VpcId"), SecurityGroupIngress=[ ec2.SecurityGroupRule( IpProtocol="tcp", FromPort="3000", ToPort="3000", CidrIp="0.0.0.0/0", ), ],
ud = Base64( Join('\n', [ "#!/bin/bash", "curl --silent --location https://rpm.nodesource.com/setup_10.x | sudo bash -", "sudo yum -y install nodejs", "sudo wget http://bit.ly/2vESNuc -O /home/ec2-user/helloworld.js", "sudo wget http://bit.ly/2vVvT18 -O /etc/init/helloworld.conf", "sudo start helloworld" ])) t.add_resource( ec2.Instance( "instance", ImageId="ami-a4c7edb2", InstanceType="t2.micro", SecurityGroups=[Ref("SecurityGroup")], KeyName=Ref("awstest"), UserData=ud, )) t.add_output( Output( "InstancePublicIp", Description="Public IP of our instance.", Value=GetAtt("instance", "PublicIp"), )) t.add_output( Output( "WebUrl", Description="Application endpoint",
Type=SUBNET_ID, Description='Subnet in AZ 2 to use for Postgres Instance', )) security_group = template.add_parameter( Parameter( 'SecurityGroup', Type='String', Description='Security Group to use for Postgres', )) subnet_group = template.add_resource( DBSubnetGroup( 'SubnetGroup', DBSubnetGroupDescription='Subnets group for Postgres Instance', SubnetIds=[Ref(subnet_az_1), Ref(subnet_az_2)])) rds_postgres = template.add_resource( DBInstance('DB', DBInstanceIdentifier='dev-db', DBName='dev', DBInstanceClass='db.t2.micro', AllocatedStorage='10', Engine='postgres', EngineVersion='9.6.3', MasterUsername=Ref(master_user), MasterUserPassword=Ref(master_user_password), DBSubnetGroupName=Ref(subnet_group), VPCSecurityGroups=[Ref(security_group)], PubliclyAccessible=True))
def create_rds_instance(self): rds_security_group_name = 'sgDatabaseServer' rds_security_group = self.add_resource( ec2.SecurityGroup( rds_security_group_name, GroupDescription='Enables access to database servers', VpcId=Ref(self.vpc_id), SecurityGroupIngress=[ ec2.SecurityGroupRule(IpProtocol='tcp', CidrIp=VPC_CIDR, FromPort=p, ToPort=p) for p in [POSTGRESQL] ], SecurityGroupEgress=[ ec2.SecurityGroupRule(IpProtocol='tcp', CidrIp=VPC_CIDR, FromPort=p, ToPort=p) for p in [POSTGRESQL] ], Tags=self.get_tags(Name=rds_security_group_name))) rds_subnet_group_name = 'dbsngDatabaseServer' rds_subnet_group = self.add_resource( rds.DBSubnetGroup(rds_subnet_group_name, DBSubnetGroupDescription= 'Private subnets for the RDS instances', SubnetIds=Ref(self.private_subnets), Tags=self.get_tags(Name=rds_subnet_group_name))) rds_parameter_group = self.add_resource( rds.DBParameterGroup( 'dbpgDatabaseServer', Family='postgres9.4', Description='Parameter group for the RDS instances', Parameters={'log_min_duration_statement': '500'})) rds_database_name = 'DatabaseServer' return self.add_resource( rds.DBInstance( rds_database_name, AllocatedStorage=128, AllowMajorVersionUpgrade=False, AutoMinorVersionUpgrade=True, BackupRetentionPeriod=30, DBInstanceClass=Ref(self.rds_instance_type), DBName=Ref(self.rds_db_name), DBParameterGroupName=Ref(rds_parameter_group), DBSubnetGroupName=Ref(rds_subnet_group), Engine='postgres', EngineVersion='9.4.1', MasterUsername=Ref(self.rds_username), MasterUserPassword=Ref(self.rds_password), MultiAZ=True, PreferredBackupWindow='04:00-04:30', # 12:00AM-12:30AM ET PreferredMaintenanceWindow= 'sun:04:30-sun:05:30', # SUN 12:30AM-01:30AM ET StorageType='gp2', VPCSecurityGroups=[Ref(rds_security_group)], Tags=self.get_tags(Name=rds_database_name)))
from . import USE_ECS, USE_GOVCLOUD from .security_groups import load_balancer_security_group from .template import template from .utils import ParameterWithDefaults as Parameter from .vpc import public_subnet_a, public_subnet_b # Web worker if USE_ECS: web_worker_port = Ref( template.add_parameter( Parameter( "WebWorkerPort", Description="Web worker container exposed port", Type="Number", Default="8000", ), group="Load Balancer", label="Web Worker Port", )) else: # default to port 80 for EC2 and Elastic Beanstalk options web_worker_port = Ref( template.add_parameter( Parameter( "WebWorkerPort", Description="Default web worker exposed port (non-HTTPS)", Type="Number", Default="80", ),
def create_cache_cluster(stack, name, cache_type, vpc, cidrs, subnet_ids, instance_type, num_cache_clusters): """Add Elasticache Cache cluster Resource.""" ports = {'redis': 6379, 'memcached': 11211} ingress = [] for idx, cidr in enumerate(cidrs): ingress.append( SecurityGroupRule( '{0}{1}{2}'.format(name.replace('-', ''), cache_type, idx), CidrIp=cidr, FromPort=ports[cache_type], ToPort=ports[cache_type], IpProtocol='tcp', )) secgroup = stack.stack.add_resource( SecurityGroup( '{0}{1}SecurityGroup'.format(name.replace('-', ''), cache_type), GroupDescription='{0} {1} Security Group'.format(name, cache_type), SecurityGroupIngress=ingress, SecurityGroupEgress=[ SecurityGroupRule( '{0}egress'.format(name.replace('-', '')), CidrIp='0.0.0.0/0', IpProtocol='-1') ], VpcId=vpc, )) subnet_group = stack.stack.add_resource( elasticache.SubnetGroup( '{0}{1}cache'.format(name.replace('-', ''), cache_type), Description='{0}{1} cache'.format(name, cache_type), SubnetIds=subnet_ids, )) if num_cache_clusters > 1: stack.stack.add_resource( elasticache.ReplicationGroup( '{0}CacheCluster'.format(name.replace('-', '')), ReplicationGroupId='{0}'.format(name), ReplicationGroupDescription='{0}cluster'.format(name), Engine='{0}'.format(cache_type), EngineVersion='3.2.6', CacheNodeType=instance_type, NumCacheClusters=num_cache_clusters, CacheSubnetGroupName=Ref(subnet_group), SecurityGroupIds=[Ref(secgroup)], AtRestEncryptionEnabled=True)) else: stack.stack.add_resource( elasticache.CacheCluster( '{0}CacheCluster'.format(name.replace('-', '')), ClusterName='{0}'.format(name), Engine='{0}'.format(cache_type), EngineVersion='3.2.10', CacheNodeType=instance_type, NumCacheNodes=num_cache_clusters, VpcSecurityGroupIds=[Ref(secgroup)], CacheSubnetGroupName=Ref(subnet_group)))
def create_bastion(self): bastion_security_group_name = 'sgBastion' bastion_security_group = self.add_resource( ec2.SecurityGroup( bastion_security_group_name, GroupDescription='Enables access to the BastionHost', VpcId=Ref(self.vpc_id), SecurityGroupIngress=[ ec2.SecurityGroupRule(IpProtocol='tcp', CidrIp=Ref(self.ip_access), FromPort=p, ToPort=p) for p in [GRAPHITE_WEB, KIBANA, SSH] ] + [ ec2.SecurityGroupRule(IpProtocol='tcp', CidrIp=VPC_CIDR, FromPort=p, ToPort=p) for p in [GRAPHITE, RELP, STATSITE] ] + [ ec2.SecurityGroupRule(IpProtocol='udp', CidrIp=VPC_CIDR, FromPort=p, ToPort=p) for p in [STATSITE] ], SecurityGroupEgress=[ ec2.SecurityGroupRule(IpProtocol='tcp', CidrIp=VPC_CIDR, FromPort=p, ToPort=p) for p in [POSTGRESQL, REDIS, SSH] ] + [ ec2.SecurityGroupRule(IpProtocol='tcp', CidrIp=ALLOW_ALL_CIDR, FromPort=p, ToPort=p) for p in [HTTP, HTTPS] ], Tags=self.get_tags(Name=bastion_security_group_name))) bastion_host_name = 'BastionHost' return self.add_resource( ec2.Instance(bastion_host_name, BlockDeviceMappings=[{ "DeviceName": "/dev/sda1", "Ebs": { "VolumeType": "gp2", "VolumeSize": "256" } }], InstanceType=Ref(self.bastion_instance_type), KeyName=Ref(self.keyname), ImageId=Ref(self.bastion_host_ami), NetworkInterfaces=[ ec2.NetworkInterfaceProperty( Description='ENI for BastionHost', GroupSet=[Ref(bastion_security_group)], SubnetId=Select("0", Ref(self.public_subnets)), AssociatePublicIpAddress=True, DeviceIndex=0, DeleteOnTermination=True) ], Tags=self.get_tags(Name=bastion_host_name)))
Type="String", Description="Bucket for lambda zip file" )) lambda_package = t.add_parameter(Parameter( "LambdaPackage", Type="String", Description="Location of the zip" )) template_bucket = t.add_resource(s3.Bucket("TemplateBucket")) # Create loggroup log_group = t.add_resource(logs.LogGroup( "LogGroup", LogGroupName=Join("", ["/aws/lambda/", Join("-", ["lambda", Ref("AWS::StackName")])]), RetentionInDays=14 )) lambda_role = t.add_resource(iam.Role( "LambdaRole", AssumeRolePolicyDocument=Policy( Version="2012-10-17", Statement=[ Statement( Effect=Allow, Principal=Principal("Service", "lambda.amazonaws.com"), Action=[Action("sts", "AssumeRole")] ) ]), Path="/",
"Principal": { "Service": ["ec2.amazonaws.com"] }, "Action": ["sts:AssumeRole"] }] }, Policies=[ iam.Policy( PolicyName='{}InstancePolicy'.format(STACK_NAME), PolicyDocument=instance_policy_doc, ), ])) instance_profile = template.add_resource( iam.InstanceProfile('InstanceProfile', Roles=[Ref(instance_role)], InstanceProfileName='TweeterUploaderInstanceProfile')) # Define Instance Metadata instance_metadata = Metadata( Init({ 'config': InitConfig( commands={'update_yum_packages': { 'command': 'yum update -y' }}, files=InitFiles({ # setup .bashrc ec2-user '/home/ec2-user/.bashrc': InitFile(content=Join( '',
import troposphere.iam as iam from troposphere import Base64, Select, FindInMap, GetAtt, Join from troposphere import Template, Condition, Equals, And, Or, Not, If from troposphere import Parameter, Ref, Tags, Template, Output from troposphere.autoscaling import LaunchConfiguration, AutoScalingGroup from troposphere.policies import CreationPolicy, ResourceSignal # things you may want to change ref_disk_all_root_volumesize = "100" ref_disk_master_ebs_diskcount = 2 ref_disk_master_ebs_volumesize = "500" ref_disk_worker_ebs_diskcount = 9 ref_disk_worker_ebs_volumesize = "1000" # Don't touch these ref_stack_id = Ref('AWS::StackId') ref_region = Ref('AWS::Region') ref_stack_name = Ref('AWS::StackName') ref_ambariserver = GetAtt('AmbariNode', 'PrivateDnsName') ref_java_provider = Ref('JavaProvider') # now the work begins t = Template() t.add_version("2010-09-09") t.add_description("""\ CloudFormation template to Deploy Hortonworks Data Platform on VPC with a public subnet""")
policy.PolicyDocument = transform_policy_document(policy_document) self.Policies.append(policy) if __name__ == '__main__': t = Template() account_number = t.add_parameter( Parameter( "AccountNumber", Description= "The name of the account number for the cross account Role", Type="String", )) iam_role = MyRole("CrossAccountS3Role") # Rack IAM is able to handle class like Troposphere functions such # as Ref() and Join() iam_role.add_account_assume_policy( Join(":", ["arn", "aws", "iam", "", Ref(account_number), "root"])) iam_role.add_policy("CrossAccountS3Policy", "Allow", ["s3:*"]) cross_account_s3_role = t.add_resource(iam_role) t.add_output( Output("RoleArn", Description="ARN of the role", Value=GetAtt(cross_account_s3_role, "Arn"))) # Sample output is included in `iam_troposphere_integration.template` print(t.to_json())
def create_rds_cloudwatch_alarms(self, rds_database): self.add_resource( cloudwatch.Alarm( 'alarmDatabaseServerCPUUtilization', AlarmDescription='Database server CPU utilization', AlarmActions=[Ref(self.notification_topic_arn)], Statistic='Average', Period=300, Threshold='75', EvaluationPeriods=1, ComparisonOperator='GreaterThanThreshold', MetricName='CPUUtilization', Namespace='AWS/RDS', Dimensions=[ cloudwatch.MetricDimension('metricDatabaseServerName', Name='DBInstanceIdentifier', Value=Ref(rds_database)) ], )) self.add_resource( cloudwatch.Alarm( 'alarmDatabaseServerDiskQueueDepth', AlarmDescription='Database server disk queue depth', AlarmActions=[Ref(self.notification_topic_arn)], Statistic='Average', Period=60, Threshold='10', EvaluationPeriods=1, ComparisonOperator='GreaterThanThreshold', MetricName='DiskQueueDepth', Namespace='AWS/RDS', Dimensions=[ cloudwatch.MetricDimension('metricDatabaseServerName', Name='DBInstanceIdentifier', Value=Ref(rds_database)) ], )) self.add_resource( cloudwatch.Alarm( 'alarmDatabaseServerFreeStorageSpace', AlarmDescription='Database server free storage space', AlarmActions=[Ref(self.notification_topic_arn)], Statistic='Average', Period=60, Threshold=str(int(5.0e+09)), # 5GB in bytes EvaluationPeriods=1, ComparisonOperator='LessThanThreshold', MetricName='FreeStorageSpace', Namespace='AWS/RDS', Dimensions=[ cloudwatch.MetricDimension('metricDatabaseServerName', Name='DBInstanceIdentifier', Value=Ref(rds_database)) ], )) self.add_resource( cloudwatch.Alarm( 'alarmDatabaseServerFreeableMemory', AlarmDescription='Database server freeable memory', AlarmActions=[Ref(self.notification_topic_arn)], Statistic='Average', Period=60, Threshold=str(int(1.28e+08)), # 128MB in bytes EvaluationPeriods=1, ComparisonOperator='LessThanThreshold', MetricName='FreeableMemory', Namespace='AWS/RDS', Dimensions=[ cloudwatch.MetricDimension('metricDatabaseServerName', Name='DBInstanceIdentifier', Value=Ref(rds_database)) ], ))
from troposphere.cloudformation import AWSCustomObject class CustomPlacementGroup(AWSCustomObject): resource_type = "Custom::PlacementGroup" props = { 'ServiceToken': (basestring, True), 'PlacementGroupName': (basestring, True) } t = Template() t.set_description( "Example template showing how a Lambda Function CustomResource might look" "For information on AWS Lambda-backed Custom Resources see:" "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/" "template-custom-resources-lambda.html" ) placementgroup_a = t.add_resource(CustomPlacementGroup( "ClusterGroup", ServiceToken=Join("", ["arn:aws:lambda:", Ref("AWS::Region"), ":", Ref("AWS::AccountId"), ":function:cfnPlacementGroup"]), PlacementGroupName="ExampleClusterGroup", )) print(t.to_json())
def emit_configuration(): vpc = cfn.vpcs[0] instance_class = template.add_parameter( Parameter( 'RegistryInstanceType', Type='String', Default='m3.medium', Description='Registry instance type', AllowedValues=cfn.usable_instances(), )) create_bucket = template.add_parameter( Parameter( 'CreateDockerRegistryBucket', Type='String', Description='Whether or not to create the Docker Registry bucket.', Default='no', AllowedValues=['yes', 'no'])) condition_name = "DockerRegistryBucketCondition" conditions = {condition_name: Equals(Ref(create_bucket), "yes")} for c in conditions: template.add_condition(c, conditions[c]) # Create the registry bucket bucket_name = Join( '.', ['docker-registry', CLOUDNAME, Ref("AWS::Region"), CLOUDENV, 'leafme']) bucket = template.add_resource( Bucket("DockerRegistryBucket", BucketName=bucket_name, DeletionPolicy='Retain', Condition=condition_name)) ingress_rules = [ SecurityGroupRule(IpProtocol=p[0], CidrIp=DEFAULT_ROUTE, FromPort=p[1], ToPort=p[1]) for p in [('tcp', 80), ('tcp', 22)] ] sg = template.add_resource( SecurityGroup("DockerRegistry", GroupDescription="Security Group for Docker Registries", VpcId=Ref(vpc), SecurityGroupIngress=ingress_rules, DependsOn=vpc.title)) policy_vars = {"env": CLOUDENV, "cloud": CLOUDNAME, "region": "us-east-1"} # IAM role for docker registry policy = json.loads( cfn.load_template("registry_policy.json.j2", policy_vars)) default_policy = json.loads( cfn.load_template("default_policy.json.j2", policy_vars)) iam_role = template.add_resource( Role("DockerRegistryIamRole", AssumeRolePolicyDocument=ASSUME_ROLE_POLICY, Path="/", Policies=[ Policy(PolicyName="RegistryDefaultPolicy", PolicyDocument=default_policy), Policy(PolicyName="RegistryPolicy", PolicyDocument=policy) ], DependsOn=vpc.title)) instance_profile = template.add_resource( InstanceProfile("DockerRegistryInstanceProfile", Path="/", Roles=[Ref(iam_role)], DependsOn=iam_role.title)) user_data = cfn.load_template("default-init.bash.j2", { "env": CLOUDENV, "cloud": CLOUDNAME, "deploy": "docker_registry" }) launch_config = template.add_resource( LaunchConfiguration("RegistryLaunchConfiguration", ImageId=FindInMap('RegionMap', Ref("AWS::Region"), int(cfn.Amis.INSTANCE)), InstanceType=Ref(instance_class), IamInstanceProfile=Ref(instance_profile), KeyName=Ref(cfn.keyname), SecurityGroups=[Ref(sg)], DependsOn=[instance_profile.title, sg.title], AssociatePublicIpAddress=False, UserData=Base64(user_data))) asg = template.add_resource( AutoScalingGroup( "RegistryAutoscalingGroup", AvailabilityZones=cfn.get_asg_azs(), DesiredCapacity="1", LaunchConfigurationName=Ref(launch_config), MinSize="1", MaxSize="1", NotificationConfiguration=NotificationConfiguration( TopicARN=Ref(cfn.alert_topic), NotificationTypes=[ EC2_INSTANCE_TERMINATE, EC2_INSTANCE_LAUNCH, EC2_INSTANCE_LAUNCH_ERROR, EC2_INSTANCE_TERMINATE_ERROR ]), VPCZoneIdentifier=[ Ref(sn) for sn in cfn.get_vpc_subnets(vpc, cfn.SubnetTypes.PLATFORM) ], DependsOn=[ sn.title for sn in cfn.get_vpc_subnets(vpc, cfn.SubnetTypes.PLATFORM) ]))
awacs.aws.Statement( Effect=awacs.aws.Deny, Action=[awacs.aws.Action("sqs", "*")], NotResource=[GetAtt("myqueue", "Arn")], ), ], ), ), Policy( PolicyName="giveaccesstotopiconly", PolicyDocument=awacs.aws.PolicyDocument( Statement=[ awacs.aws.Statement( Effect=awacs.aws.Allow, Action=[awacs.aws.Action("sns", "*")], Resource=[Ref("mytopic")], ), awacs.aws.Statement( Effect=awacs.aws.Deny, Action=[awacs.aws.Action("sns", "*")], NotResource=[Ref("mytopic")], ), ], ), ), ], ) ) print(t.to_json())
'BucketName', Type='String', Description='Lambda Code Bucket' )) time_token = t.add_parameter(Parameter( 'TimeToken', Type='String', Description='Time Token for last upload' )) lambda_function = t.add_resource( awslambda.Function( "reds", Code=awslambda.Code( S3Bucket=Ref(bucket_name), S3Key=Join("",["reds-",Ref(time_token),".zip"]) ), Handler="reds.lambda_handler", MemorySize=128, Role=Join('',['arn:aws:iam::',Ref("AWS::AccountId"),':role/',Ref(lambda_role)]), Runtime="python2.7", Timeout=30 ) ) t.add_output([ Output( 'LambdaFunction', Description='ReDS Lambda Function', Value=Ref(lambda_function),
)) ud = Base64( Join('\n', [ "#!/bin/bash", "sudo yum install --enablerepo=epel -y nodejs", "wget http://bit.ly/2vESNuc -O /home/ec2-user/helloworld.js", "wget http://bit.ly/2vVvT18 -O /etc/init/helloworld.conf", "start helloworld" ])) t.add_resource( ec2.Instance( "instance", ImageId="ami-a4c7edb2", InstanceType="t2.micro", SecurityGroups=[Ref("SecurityGroup")], KeyName=Ref("KeyPair"), UserData=ud, )) t.add_output( Output( "InstancePublicIp", Description="Public IP of our instance.", Value=GetAtt("instance", "PublicIp"), )) t.add_output( Output( "WebUrl", Description="Application endpoint",
frontend_ec2_sg = t.add_resource(ec2.SecurityGroup( "rzienertHttpSecurityGroup", GroupDescription="Enable HTTP traffic for frontend class servers", SecurityGroupIngress=[ ec2.SecurityGroupRule( IpProtocol="tcp", FromPort="80", ToPort="80", CidrIp="0.0.0.0/0" ) ] )) ec2_instance = t.add_resource(ec2.Instance( "rzienertInstance", ImageId=FindInMap("RegionMap", Ref("AWS::Region"), "AMI"), InstanceType="t1.micro", SecurityGroups=[Ref(frontend_ec2_sg)], UserData=Base64("80") )) elb = t.add_resource(elb.LoadBalancer( "rzienertLoadBalancer", AvailabilityZones=GetAZs(""), ConnectionDrainingPolicy=elb.ConnectionDrainingPolicy( Enabled=True, Timeout=300 ), CrossZone=True, Instances=[Ref(ec2_instance)], Listeners=[
# Header End # Metadata t.add_metadata({ "Comments": "Perforce Helix Deployment for EC2", "LastUpdated": "Sep 14th 2016", "UpdatedBy": "Graeme Rich", "Version": "2016.1", }) # Metadata End # Conditions ProdNotify = t.add_condition("ProdNotify", Equals(Ref("EnvironmentType"), "Production")), EvalNotify = t.add_condition("EvalNotify", Equals(Ref("EnvironmentType"), "Evaluationn")), DevNotify = t.add_condition("DevNotify", Equals(Ref("EnvironmentType"), "Development")), # Exp josn # "Conditions": { # "ProdNotify": { # "Fn::Equals": [ # { # "Ref": "EnvironmentType" # }, # "Production" # ]
"ClassB", Type="Number", Description="Class B of VPC (10.XXX.0.0/16)", Default="0", MinValue=0, MaxValue=255, ConstraintDescription="Must be in the range [0-255]", )) t.add_resource(VPC( "VPC", EnableDnsSupport="true", EnableDnsHostnames="true", CidrBlock=Sub('10.${ClassB}.0.0/16'), Tags=Tags( Name=Ref("AWS::StackName"), ) )) t.add_resource(InternetGateway( "InternetGateway", Tags=Tags( Name=Ref("AWS::StackName"), ) )) t.add_resource(VPCGatewayAttachment( "VPNGatewayAttachment", VpcId=Ref("VPC"), InternetGatewayId=Ref("InternetGateway") ))
GroupDescription="Allow SSH and private network access", SecurityGroupIngress=[ ec2.SecurityGroupRule( IpProtocol="tcp", FromPort=0, ToPort=65535, CidrIp="172.16.0.0/12", ), ec2.SecurityGroupRule( IpProtocol="tcp", FromPort="22", ToPort="22", CidrIp=PublicCidrIp, ), ], VpcId=Ref("VpcId") )) t.add_resource(Cluster( 'ECSCluster', )) t.add_resource(Role( 'EcsClusterRole', ManagedPolicyArns=[ 'arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM', 'arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly', 'arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role', 'arn:aws:iam::aws:policy/CloudWatchFullAccess' ], AssumeRolePolicyDocument={ 'Version': '2012-10-17', 'Statement': [{
# # Parameters # param_bucket_name = t.add_parameter( Parameter( 'BucketName', Description='Bucket name', Default='', Type='String', AllowedPattern=r'[-\.a-z0-9]*', )) # # Condition # t.add_condition('HasBucketName', Not(Equals(Ref(param_bucket_name), ''))) t.add_condition('ChinaRegionCondition', Equals(Ref(AWS_REGION), 'cn-north-1')) # # Mapping # t.add_mapping( 'ElbAccountId', cfnutil.load_csv_as_mapping('mapping/elb-account-id.csv', 'Region', 'ID', 'Elastic Load Balancing Account ID')) # # Resource # bucket = t.add_resource( s3.Bucket(
def test_network_port_ref(self): p = Parameter('myport') network_port(Ref(p))
def test_helperfun(self): FakeAWSObject('fake', helperfun=Ref('fake_ref'))
from .assets import assets_management_policy from .common import container_instance_type from .load_balancer import load_balancer, web_worker_health_check from .logs import logging_policy from .security_groups import container_security_group from .template import template from .vpc import container_a_subnet, container_b_subnet ami = Ref( template.add_parameter( Parameter( "AMI", Description= "The Amazon Machine Image (AMI) to use for instances. Make " "sure to use the correct AMI for your region and instance " "type (t2 instances require HVM AMIs).", Type="String", Default="", ), group="Application Server", label="Amazon Machine Image (AMI)", )) key_name = template.add_parameter( Parameter( "KeyName", Description="Name of an existing EC2 KeyPair to enable SSH access to " "the AWS EC2 instances", Type="AWS::EC2::KeyPair::KeyName", ConstraintDescription="must be the name of an existing EC2 KeyPair."), group="Application Server",
def test_ref(self): param = Parameter("param", Description="description", Type="String") t = Ref(param) ref = t.to_dict() self.assertEqual(ref['Ref'], 'param')
def __init__(self, key_title, key_rotation, key_admins, key_users, template): """ AWS - http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html Troposphere - https://github.com/cloudtools/troposphere/blob/master/troposphere/kms.py Create a Customer Master key in KMS for encrpytion and use with credstash :param key_title: String title of the key in AWS, not the alias name, must be alphanumeric :param key_rotation: Boolean to enable or disable key rotation at a cost :param key_admins: single string or list of ARNs of IAM objects for apply key admin policy to :param key_users: single string or list of ARNs of IAM objects for apply key user policy to :param template: The troposphere template to add the Elastic Loadbalancer to. """ # Policy for Admins and users k_key_policy = { "Version": "2012-10-17", "Id": "key-default-1", "Statement": [ { "Sid": "Allow administration of the key", "Effect": "Allow", "Principal": {"AWS": key_admins}, "Action": [ "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion" ], "Resource": "*" }, { "Sid": "Allow use of the key", "Effect": "Allow", "Principal": {"AWS": key_users}, "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt", "kms:GenerateDataKey*", "kms:DescribeKey" ], "Resource": "*" } ] } # Create Key Resource self.k_key = template.add_resource(Key(key_title, Description=Join('', [key_title, ' on Stack: ', Ref('AWS::StackName')]), Enabled=True, EnableKeyRotation=key_rotation, KeyPolicy=k_key_policy)) # Add Output template.add_output(Output( key_title, Value=Join('', [Ref(self.k_key), ' is a managed AWS KMS Key and Key Rotation = ', self.k_key.EnableKeyRotation.upper(), '. Created with Amazonia as part of stack name - ', Ref('AWS::StackName'), ]), Description='Amazonia KMS Key Bucket' ))