예제 #1
0
def generate(env='pilot'):
    template = Template()

    template.set_version("2010-09-09")

    # ExistingVPC = template.add_parameter(Parameter(
    #     "ExistingVPC",
    #     Type="AWS::EC2::VPC::Id",
    #     Description=(
    #         "The VPC ID that includes the security groups in the"
    #         "ExistingSecurityGroups parameter."
    #     ),
    # ))
    #
    # ExistingSecurityGroups = template.add_parameter(Parameter(
    #     "ExistingSecurityGroups",
    #     Type="List<AWS::EC2::SecurityGroup::Id>",
    # ))

    param_spider_lambda_memory_size = template.add_parameter(
        Parameter(
            'SpiderLambdaMemorySize',
            Type=NUMBER,
            Description='Amount of memory to allocate to the Lambda Function',
            Default='128',
            AllowedValues=MEMORY_VALUES
        )
    )

    param_spider_lambda_timeout = template.add_parameter(
        Parameter(
            'SpiderLambdaTimeout',
            Type=NUMBER,
            Description='Timeout in seconds for the Lambda function',
            Default='60'
        )
    )

    spider_tasks_queue_dlq_name = f'{env}-spider-tasks-dlq'
    spider_tasks_queue_dlq = template.add_resource(
        Queue(
            "SpiderTasksDLQ",
            QueueName=spider_tasks_queue_dlq_name,
            MessageRetentionPeriod=(60 * 60 * 24 * 14),
        )
    )

    spider_tasks_queue_name = f"{env}-spider-tasks"
    spider_tasks_queue = template.add_resource(
        Queue(
            "SpiderTasksQueue",
            QueueName=spider_tasks_queue_name,
            MessageRetentionPeriod=(60 * 60 * 24 * 14),
            VisibilityTimeout=300,
            RedrivePolicy=RedrivePolicy(
                deadLetterTargetArn=GetAtt(spider_tasks_queue_dlq, "Arn"),
                maxReceiveCount=2,
            ),
            DependsOn=[spider_tasks_queue_dlq],
        )
    )

    spider_lambda_role = template.add_resource(
        Role(
            "SpiderLambdaRole",
            Path="/",
            Policies=[
                Policy(
                    PolicyName="root",
                    PolicyDocument=PolicyDocument(
                        Version="2012-10-17",
                        Id="root",
                        Statement=[
                            Statement(
                                Effect=Allow,
                                Resource=["*"],
                                Action=[
                                    Action("logs", "*")
                                ]
                            ),
                            Statement(
                                Effect=Allow,
                                Resource=["*"],
                                Action=[
                                    Action("s3", "*")
                                ]
                            ),
                            Statement(
                                Effect=Allow,
                                Resource=["*"],
                                Action=[
                                    Action("sqs", "*")
                                ]
                            ),
                        ]
                    ),
                )
            ],
            AssumeRolePolicyDocument={
                "Version": "2012-10-17",
                "Statement": [{
                    "Action": ["sts:AssumeRole"],
                    "Effect": "Allow",
                    "Principal": {
                        "Service": ["lambda.amazonaws.com"]
                    }
                }]
            },
        )
    )

    spider_file_path = './spider/index.js'
    spider_code = open(spider_file_path, 'r').readlines()
    spider_lambda = template.add_resource(
        Function(
            "SpiderLambda",
            Code=Code(
                S3Bucket='spider-lambda',
                S3Key=f'{env}.zip',
                # ZipFile=Join("", spider_code)
            ),
            Handler="index.handler",
            Role=GetAtt(spider_lambda_role, "Arn"),
            Runtime="nodejs12.x",
            Layers=['arn:aws:lambda:us-east-1:342904801388:layer:spider-node-browser:1'],
            MemorySize=Ref(param_spider_lambda_memory_size),
            Timeout=Ref(param_spider_lambda_timeout),
            DependsOn=[spider_tasks_queue],
        )
    )

    # AllSecurityGroups = template.add_resource(CustomResource(
    #     "AllSecurityGroups",
    #     List=Ref(ExistingSecurityGroups),
    #     AppendedItem=Ref("SecurityGroup"),
    #     ServiceToken=GetAtt(spider_lambda, "Arn"),
    # ))
    #
    # SecurityGroup = template.add_resource(SecurityGroup(
    #     "SecurityGroup",
    #     SecurityGroupIngress=[
    #         {"ToPort": "80", "IpProtocol": "tcp", "CidrIp": "0.0.0.0/0",
    #          "FromPort": "80"}],
    #     VpcId=Ref(ExistingVPC),
    #     GroupDescription="Allow HTTP traffic to the host",
    #     SecurityGroupEgress=[
    #         {"ToPort": "80", "IpProtocol": "tcp", "CidrIp": "0.0.0.0/0",
    #          "FromPort": "80"}],
    # ))
    #
    # AllSecurityGroups = template.add_output(Output(
    #     "AllSecurityGroups",
    #     Description="Security Groups that are associated with the EC2 instance",
    #     Value=Join(", ", GetAtt(AllSecurityGroups, "Value")),
    # ))

    source_sns_name = f'{env}-source-sns-topic'
    source_sns_topic = template.add_resource(
        Topic(
            "SNSSource",
            TopicName=source_sns_name,
            Subscription=[
                Subscription(
                    Endpoint=GetAtt(spider_tasks_queue, "Arn"),
                    Protocol='sqs',
                )
            ],
            DependsOn=[spider_tasks_queue]
        )
    )

    source_sns_topic_policy = template.add_resource(
        TopicPolicy(
            "SourceForwardingTopicPolicy",
            PolicyDocument=PolicyDocument(
                Version="2012-10-17",
                Id="AllowS3PutMessageInSNS",
                Statement=[
                    Statement(
                        Sid="AllowS3PutMessages",
                        Principal=Principal("Service", "s3.amazonaws.com"),
                        Effect=Allow,
                        Action=[
                            Action("sns", "Publish"),
                        ],
                        Resource=["*"],
                    )
                ]
            ),
            Topics=[Ref(source_sns_topic)],
        )
    )

    sns_sqs_policy = template.add_resource(
        QueuePolicy(
            "AllowSNSPutMessagesInSQS",
            PolicyDocument=PolicyDocument(
                Version="2012-10-17",
                Id="AllowSNSPutMessagesInSQS",
                Statement=[
                    Statement(
                        Sid="AllowSNSPutMessagesInSQS2",
                        Principal=Principal("*"),
                        Effect=Allow,
                        Action=[
                            Action("sqs", "SendMessage"),
                        ],
                        Resource=["*"],
                    )
                ]
            ),
            Queues=[Ref(spider_tasks_queue)],
            DependsOn=[spider_tasks_queue],
        )
    )

    # Buckets
    source_bucket_name = f'{env}-source-bucket'
    source_bucket = template.add_resource(
        Bucket(
            "SourceBucket",
            BucketName=source_bucket_name,
            NotificationConfiguration=NotificationConfiguration(
                TopicConfigurations=[
                    TopicConfigurations(
                        Topic=Ref(source_sns_topic),
                        Event="s3:ObjectCreated:*",
                    )
                ],
            ),
            DependsOn=[source_sns_topic_policy],
        )
    )

    results_bucket_name = f'{env}-results-bucket'
    results_bucket = template.add_resource(
        Bucket(
            "ResultsBucket",
            BucketName=results_bucket_name,
        )
    )

    # Lambda trigger
    template.add_resource(
        EventSourceMapping(
            "TriggerLambdaSpiderFromSQS",
            EventSourceArn=GetAtt(spider_tasks_queue, "Arn"),
            FunctionName=Ref(spider_lambda),
            BatchSize=1,  # Default process tasks one by one
        )
    )

    return template.to_json()
예제 #2
0
def generate_vpc_template(layers, az_count, cidr_block):
    TPL = Template()
    TPL.set_description('VPC - Version 2019-06-05')
    TPL.set_metadata({'Author': 'https://github.com/johnpreston'})
    VPC = VPCType('VPC',
                  CidrBlock=cidr_block,
                  EnableDnsHostnames=True,
                  EnableDnsSupport=True,
                  Tags=Tags(Name=Ref('AWS::StackName'),
                            EnvironmentName=Ref('AWS::StackName')))
    IGW = InternetGateway("InternetGateway")
    IGW_ATTACH = VPCGatewayAttachment("VPCGatewayAttachement",
                                      InternetGatewayId=Ref(IGW),
                                      VpcId=Ref(VPC))
    DHCP_OPTIONS = DHCPOptions('VpcDhcpOptions',
                               DomainName=Sub(f'${{AWS::StackName}}.local'),
                               DomainNameServers=['AmazonProvidedDNS'],
                               Tags=Tags(Name=Sub(f'DHCP-${{{VPC.title}}}')))
    DHCP_ATTACH = VPCDHCPOptionsAssociation('VpcDhcpOptionsAssociate',
                                            DhcpOptionsId=Ref(DHCP_OPTIONS),
                                            VpcId=Ref(VPC))
    DNS_HOSTED_ZONE = HostedZone(
        'VpcHostedZone',
        VPCs=[HostedZoneVPCs(VPCId=Ref(VPC), VPCRegion=Ref('AWS::Region'))],
        Name=Sub(f'${{AWS::StackName}}.local'),
        HostedZoneTags=Tags(Name=Sub(f'ZoneFor-${{{VPC.title}}}')))
    TPL.add_resource(VPC)
    TPL.add_resource(IGW)
    TPL.add_resource(IGW_ATTACH)
    TPL.add_resource(DHCP_OPTIONS)
    TPL.add_resource(DHCP_ATTACH)
    TPL.add_resource(DNS_HOSTED_ZONE)
    STORAGE_RTB = TPL.add_resource(
        RouteTable('StorageRtb', VpcId=Ref(VPC), Tags=Tags(Name='StorageRtb')))
    STORAGE_SUBNETS = []
    for count, subnet_cidr in zip(az_count, layers['stor']):
        subnet = Subnet(
            f'StorageSubnet{alpha[count].upper()}',
            CidrBlock=subnet_cidr,
            VpcId=Ref(VPC),
            AvailabilityZone=Sub(f'${{AWS::Region}}{alpha[count]}'),
            Tags=Tags(Name=Sub(f'${{AWS::StackName}}-Storage-{alpha[count]}'),
                      Usage="Storage"))
        subnet_assoc = TPL.add_resource(
            SubnetRouteTableAssociation(
                f'StorageSubnetAssoc{alpha[count].upper()}',
                SubnetId=Ref(subnet),
                RouteTableId=Ref(STORAGE_RTB)))
        STORAGE_SUBNETS.append(subnet)
        TPL.add_resource(subnet)
    PUBLIC_RTB = TPL.add_resource(
        RouteTable('PublicRtb', VpcId=Ref(VPC), Tags=Tags(Name='PublicRtb')))
    PUBLIC_ROUTE = TPL.add_resource(
        Route('PublicDefaultRoute',
              GatewayId=Ref(IGW),
              RouteTableId=Ref(PUBLIC_RTB),
              DestinationCidrBlock='0.0.0.0/0'))
    PUBLIC_SUBNETS = []
    NAT_GATEWAYS = []
    for count, subnet_cidr in zip(az_count, layers['pub']):
        subnet = Subnet(
            f'PublicSubnet{alpha[count].upper()}',
            CidrBlock=subnet_cidr,
            VpcId=Ref(VPC),
            AvailabilityZone=Sub(f'${{AWS::Region}}{alpha[count]}'),
            MapPublicIpOnLaunch=True,
            Tags=Tags(Name=Sub(f'${{AWS::StackName}}-Public-{alpha[count]}')))
        eip = TPL.add_resource(
            EIP(f"NatGatewayEip{alpha[count].upper()}", Domain='vpc'))
        nat = NatGateway(f"NatGatewayAz{alpha[count].upper()}",
                         AllocationId=GetAtt(eip, 'AllocationId'),
                         SubnetId=Ref(subnet))
        subnet_assoc = TPL.add_resource(
            SubnetRouteTableAssociation(
                f'PublicSubnetsRtbAssoc{alpha[count].upper()}',
                RouteTableId=Ref(PUBLIC_RTB),
                SubnetId=Ref(subnet)))
        NAT_GATEWAYS.append(nat)
        PUBLIC_SUBNETS.append(subnet)
        TPL.add_resource(nat)
        TPL.add_resource(subnet)
    APP_SUBNETS = []
    APP_RTBS = []
    for count, subnet_cidr, nat in zip(az_count, layers['app'], NAT_GATEWAYS):
        SUFFIX = alpha[count].upper()
        subnet = Subnet(
            f'AppSubnet{SUFFIX}',
            CidrBlock=subnet_cidr,
            VpcId=Ref(VPC),
            AvailabilityZone=Sub(f'${{AWS::Region}}{alpha[count]}'),
            Tags=Tags(Name=Sub(f'${{AWS::StackName}}-App-{alpha[count]}')))
        APP_SUBNETS.append(subnet)
        rtb = RouteTable(f'AppRtb{alpha[count].upper()}',
                         VpcId=Ref(VPC),
                         Tags=Tags(Name=f'AppRtb{alpha[count].upper()}'))
        APP_RTBS.append(rtb)
        route = Route(f'AppRoute{alpha[count].upper()}',
                      NatGatewayId=Ref(nat),
                      RouteTableId=Ref(rtb),
                      DestinationCidrBlock='0.0.0.0/0')
        subnet_assoc = SubnetRouteTableAssociation(
            f'SubnetRtbAssoc{alpha[count].upper()}',
            RouteTableId=Ref(rtb),
            SubnetId=Ref(subnet))
        TPL.add_resource(subnet)
        TPL.add_resource(rtb)
        TPL.add_resource(route)
        TPL.add_resource(subnet_assoc)

    APP_S3_ENDPOINT = VPCEndpoint(
        'AppS3Endpoint',
        VpcId=Ref(VPC),
        RouteTableIds=[Ref(rtb) for rtb in APP_RTBS],
        ServiceName=Sub('com.amazonaws.${AWS::Region}.s3'),
        VpcEndpointType='Gateway',
    )
    PUBLIC_S3_ENDPOINT = VPCEndpoint(
        'PublicS3Endpoint',
        VpcId=Ref(VPC),
        RouteTableIds=[Ref(PUBLIC_RTB)],
        ServiceName=Sub('com.amazonaws.${AWS::Region}.s3'),
        VpcEndpointType='Gateway',
    )
    STORAGE_S3_ENDPOINT = VPCEndpoint(
        'StorageS3Endpoint',
        VpcId=Ref(VPC),
        RouteTableIds=[Ref(STORAGE_RTB)],
        ServiceName=Sub('com.amazonaws.${AWS::Region}.s3'),
        VpcEndpointType='Gateway')
    RESOURCES = []
    for count in az_count:
        resource = TPL.add_resource(EIP(f'Eip{count}', Domain='vpc'))
        RESOURCES.append(resource)
    TPL.add_resource(APP_S3_ENDPOINT)
    TPL.add_resource(PUBLIC_S3_ENDPOINT)
    TPL.add_resource(STORAGE_S3_ENDPOINT)
    SG_RULES = []
    for subnet in layers['app']:
        RULE = SecurityGroupRule(
            IpProtocol="tcp",
            FromPort="443",
            ToPort="443",
            CidrIp=subnet,
        )
        SG_RULES.append(RULE)

    ENDPOINT_SG = TPL.add_resource(
        SecurityGroup(
            'VpcEndpointSecurityGroup',
            VpcId=Ref(VPC),
            GroupDescription='SG for all Interface VPC Endpoints',
            SecurityGroupIngress=SG_RULES,
            Tags=Tags(Name="sg-endpoints"),
        ))

    APP_SNS_ENDPOINT = VPCEndpoint(
        'AppSNSEndpoint',
        VpcId=Ref(VPC),
        SubnetIds=[Ref(subnet) for subnet in APP_SUBNETS],
        SecurityGroupIds=[GetAtt(ENDPOINT_SG, 'GroupId')],
        ServiceName=Sub('com.amazonaws.${AWS::Region}.sns'),
        VpcEndpointType='Interface',
        PrivateDnsEnabled=True)
    TPL.add_resource(APP_SNS_ENDPOINT)

    APP_SQS_ENDPOINT = VPCEndpoint(
        'AppSQSEndpoint',
        VpcId=Ref(VPC),
        SubnetIds=[Ref(subnet) for subnet in APP_SUBNETS],
        SecurityGroupIds=[GetAtt(ENDPOINT_SG, 'GroupId')],
        ServiceName=Sub('com.amazonaws.${AWS::Region}.sqs'),
        VpcEndpointType='Interface',
        PrivateDnsEnabled=True)
    TPL.add_resource(APP_SQS_ENDPOINT)

    APP_ECR_API_ENDPOINT = VPCEndpoint(
        'AppECRAPIEndpoint',
        VpcId=Ref(VPC),
        SubnetIds=[Ref(subnet) for subnet in APP_SUBNETS],
        SecurityGroupIds=[GetAtt(ENDPOINT_SG, 'GroupId')],
        ServiceName=Sub('com.amazonaws.${AWS::Region}.ecr.api'),
        VpcEndpointType='Interface',
        PrivateDnsEnabled=True)
    TPL.add_resource(APP_ECR_API_ENDPOINT)

    APP_ECR_DKR_ENDPOINT = VPCEndpoint(
        'AppECRDKREndpoint',
        VpcId=Ref(VPC),
        SubnetIds=[Ref(subnet) for subnet in APP_SUBNETS],
        SecurityGroupIds=[GetAtt(ENDPOINT_SG, 'GroupId')],
        ServiceName=Sub('com.amazonaws.${AWS::Region}.ecr.dkr'),
        VpcEndpointType='Interface',
        PrivateDnsEnabled=True)
    TPL.add_resource(APP_ECR_DKR_ENDPOINT)

    APP_SECRETS_MANAGER_ENDPOINT = VPCEndpoint(
        'AppSecretsManagerEndpoint',
        VpcId=Ref(VPC),
        SubnetIds=[Ref(subnet) for subnet in APP_SUBNETS],
        SecurityGroupIds=[GetAtt(ENDPOINT_SG, 'GroupId')],
        ServiceName=Sub('com.amazonaws.${AWS::Region}.secretsmanager'),
        VpcEndpointType='Interface',
        PrivateDnsEnabled=True)
    TPL.add_resource(APP_SECRETS_MANAGER_ENDPOINT)

    APP_SSM_ENDPOINT = VPCEndpoint(
        'AppSSMEndpoint',
        VpcId=Ref(VPC),
        SubnetIds=[Ref(subnet) for subnet in APP_SUBNETS],
        SecurityGroupIds=[GetAtt(ENDPOINT_SG, 'GroupId')],
        ServiceName=Sub('com.amazonaws.${AWS::Region}.ssm'),
        VpcEndpointType='Interface',
        PrivateDnsEnabled=True)
    TPL.add_resource(APP_SSM_ENDPOINT)

    APP_SSM_MESSAGES_ENDPOINT = VPCEndpoint(
        'AppSSMMessagesEndpoint',
        VpcId=Ref(VPC),
        SubnetIds=[Ref(subnet) for subnet in APP_SUBNETS],
        SecurityGroupIds=[GetAtt(ENDPOINT_SG, 'GroupId')],
        ServiceName=Sub('com.amazonaws.${AWS::Region}.ssmmessages'),
        VpcEndpointType='Interface',
        PrivateDnsEnabled=True)
    TPL.add_resource(APP_SSM_MESSAGES_ENDPOINT)

    ################################################################################
    #
    # OUTPUTS
    #
    TPL.add_output(object_outputs(VPC, name_is_id=True))
    TPL.add_output(object_outputs(APP_SQS_ENDPOINT, name_is_id=True))
    TPL.add_output(object_outputs(APP_SNS_ENDPOINT, name_is_id=True))
    TPL.add_output(
        comments_outputs([{
            'EIP':
            Join(',',
                 [GetAtt(resource, "AllocationId") for resource in RESOURCES])
        }, {
            'PublicSubnets':
            Join(',', [Ref(subnet) for subnet in PUBLIC_SUBNETS])
        }, {
            'StorageSubnets':
            Join(',', [Ref(subnet) for subnet in STORAGE_SUBNETS])
        }, {
            'ApplicationSubnets':
            Join(',', [Ref(subnet) for subnet in APP_SUBNETS])
        }, {
            'StackName': Ref('AWS::StackName')
        }, {
            'VpcZoneId': Ref(DNS_HOSTED_ZONE)
        }]))
    return TPL
예제 #3
0
                    EvaluationPeriods="120",
                    MetricName="TestMetric",
                    Namespace="AWS/ElasticMapReduce",
                    Period="300",
                    Statistic="AVERAGE",
                    Threshold="50",
                    Unit="PERCENT",
                    Dimensions=[
                        emr.MetricDimension('my.custom.master.property',
                                            'my.custom.master.value')
                    ])))
    ]
    return rules


template = Template()
template.set_description(
    "Sample CloudFormation template for creating an EMR cluster")

keyname = template.add_parameter(
    Parameter("KeyName",
              Description="Name of an existing EC2 KeyPair to enable SSH "
              "to the instances",
              Type=KEY_PAIR_NAME))

subnet = template.add_parameter(
    Parameter("Subnet",
              Description="Subnet ID for creating the EMR cluster",
              Type=SUBNET_ID))

spot = template.add_parameter(
예제 #4
0
 def setup_method(self):
     self.template = Template()
#!/usr/bin/env python

from troposphere import Base64, FindInMap, GetAtt
from troposphere import Parameter, Output, Ref, Template, Condition, Equals, And, Or, Not, If
import troposphere.ec2 as ec2

tpl = Template()
tpl.add_version("2010-09-09")
tpl.add_description("Creates EC2 security group and instance")

params= {}
conditions = {}
mappings = {}
resources = {}

params['keyname'] = tpl.add_parameter(
    Parameter(
        "KeyName",
        Description="Name of an existing EC2 KeyPair to enable access to the instance",
        Type="String",
        Default="",
        ConstraintDescription="must be a string"
    )
)

params['os'] = tpl.add_parameter(
    Parameter(
        "OperatingSystem",
        Description="Chosen operating system",
        Type="String",
        Default="AmazonLinux2",
#!/usr/bin/env python
"""
Script to create a new Lambda Layer CFN template via Troposphere
"""

from datetime import datetime
import argparse
from troposphere import (Parameter, Template, GetAtt, Sub, Ref)
from troposphere.awslambda import (LayerVersion, Content)
VERSION = datetime.utcnow().isoformat()

TEMPLATE = Template()
TEMPLATE.set_description(
    f'Template to create a Lambda layer. Version {VERSION}')

PARSER = argparse.ArgumentParser()
PARSER.add_argument('--runtimes', action='append', required=True)
PARSER.add_argument('--s3-bucket', required=True)
PARSER.add_argument('--s3-key', required=True)
PARSER.add_argument('--json', action='store_true')

ARGS = PARSER.parse_args()

LAYER_NAME = TEMPLATE.add_parameter(
    Parameter('LayerName', Type="String", AllowedPattern='[a-z]+'))

LAYER = TEMPLATE.add_resource(
    LayerVersion('LayerVersion',
                 CompatibleRuntimes=ARGS.runtimes,
                 Description=Sub(f'Layer ${{{LAYER_NAME.title}}}'),
                 LayerName=Ref(LAYER_NAME),
예제 #7
0
def generate_template(service_name):
    t = Template()
    t.add_version('2010-09-09')

    t.add_description("""\
    AWS CloudFormation Template for AWS Exploitation Lab """)

    t.add_mapping("PublicRegionMap", ami_public_mapping)
    t.add_mapping("PrivateRegionMap", ami_private_mapping)

    keyname_param = t.add_parameter(
        Parameter(
            'KeyName',
            ConstraintDescription='must be the name of an existing EC2 KeyPair.',
            Description='Name of an existing EC2 KeyPair to enable SSH access to \
    the instance',
            Type='AWS::EC2::KeyPair::KeyName',
        ))

    sshlocation_param = t.add_parameter(
        Parameter(
            'SSHLocation',
            Description=' The IP address range that can be used to SSH to the EC2 \
    instances',
            Type='String',
            MinLength='9',
            MaxLength='18',
            Default='0.0.0.0/0',
            AllowedPattern="(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})",
            ConstraintDescription=(
                "must be a valid IP CIDR range of the form x.x.x.x/x."),
        ))

    instanceType_param = t.add_parameter(Parameter(
        'InstanceType',
        Type='String',
        Description='WebServer EC2 instance type',
        Default='t2.micro',
        AllowedValues=[
            't2.micro', 't2.small', 't2.medium',
            'm3.medium', 'm3.large', 'm3.xlarge', 'm3.2xlarge',
        ],
        ConstraintDescription='must be a valid EC2 instance type.',
    ))

    ref_stack_id = Ref('AWS::StackId')

    ec2_role = t.add_resource(Role(
        "%sEC2Role" % service_name,
        AssumeRolePolicyDocument=awacs.aws.Policy(
            Statement=[
                awacs.aws.Statement(
                    Effect=awacs.aws.Allow,
                    Action=[awacs.aws.Action("sts", "AssumeRole")],
                    Principal=awacs.aws.Principal("Service", ["ec2.amazonaws.com"])
                )
            ]
        )
    ))
    ec2_role.ManagedPolicyArns = [
        "arn:aws:iam::aws:policy/ReadOnlyAccess"
    ]

    ec2_snapshot_policy_document = awacs.aws.Policy(
        Statement=[
            awacs.aws.Statement(
                Sid="PermitEC2Snapshots",
                Effect=awacs.aws.Allow,
                Action=[
                    awacs.aws.Action("ec2", "CreateSnapshot"),
                    awacs.aws.Action("ec2", "ModifySnapshotAttribute"),
                ],
                Resource=["*"]
            )
        ]
    )

    ec2_snapshot_policy = Policy(
        PolicyName="EC2SnapshotPermissions",
        PolicyDocument=ec2_snapshot_policy_document
    )

    priv_ec2_role = t.add_resource(Role(
        "%sPrivEC2Role" % service_name,
        AssumeRolePolicyDocument=awacs.aws.Policy(
            Statement=[
                awacs.aws.Statement(
                    Effect=awacs.aws.Allow,
                    Action=[awacs.aws.Action("sts", "AssumeRole")],
                    Principal=awacs.aws.Principal("Service", ["ec2.amazonaws.com"])
                )
            ]
        ),
        Policies=[ec2_snapshot_policy]
    ))

    priv_ec2_role.ManagedPolicyArns = [
        "arn:aws:iam::aws:policy/ReadOnlyAccess"
    ]

    VPC_ref = t.add_resource(
        VPC(
            'VPC',
            CidrBlock='10.0.0.0/16',
            Tags=Tags(
                Application=ref_stack_id)))

    instanceProfile = t.add_resource(
        InstanceProfile(
            "InstanceProfile",
            InstanceProfileName="%sInstanceRole" % (service_name),
            Roles=[Ref(ec2_role)]))

    privInstanceProfile = t.add_resource(
        InstanceProfile(
            "PrivInstanceProfile",
            InstanceProfileName="%sPrivInstanceRole" % (service_name),
            Roles=[Ref(priv_ec2_role)]))

    public_subnet = t.add_resource(
        Subnet(
            '%sSubnetPublic' % service_name,
            MapPublicIpOnLaunch=True,
            CidrBlock='10.0.1.0/24',
            VpcId=Ref(VPC_ref),
            Tags=Tags(
                Application=ref_stack_id,
                Name="%sSubnet_public" % (service_name))
        )
    )

    private_subnet = t.add_resource(
        Subnet(
            '%sSubnetPrivate' % service_name,
            MapPublicIpOnLaunch=False,
            CidrBlock='10.0.2.0/24',
            VpcId=Ref(VPC_ref),
            Tags=Tags(
                Application=ref_stack_id,
                Name="%sSubnet_private" % (service_name))
        )
    )

    internetGateway = t.add_resource(
        InternetGateway(
            'InternetGateway',
            Tags=Tags(
                Application=ref_stack_id,
                Name="%sInternetGateway" % service_name)))

    gatewayAttachment = t.add_resource(
        VPCGatewayAttachment(
            'AttachGateway',
            VpcId=Ref(VPC_ref),
            InternetGatewayId=Ref(internetGateway)))

    routeTable = t.add_resource(
        RouteTable(
            'RouteTable',
            VpcId=Ref(VPC_ref),
            Tags=Tags(
                Application=ref_stack_id,
                Name="%sRouteTable" % service_name)))

    route = t.add_resource(
        Route(
            'Route',
            DependsOn='AttachGateway',
            GatewayId=Ref('InternetGateway'),
            DestinationCidrBlock='0.0.0.0/0',
            RouteTableId=Ref(routeTable),
        ))

    # Only associate this Route Table with the public subnet
    subnetRouteTableAssociation = t.add_resource(
        SubnetRouteTableAssociation(
            'SubnetRouteTableAssociation',
            SubnetId=Ref(public_subnet),
            RouteTableId=Ref(routeTable),
        ))

    instanceSecurityGroup = t.add_resource(
        SecurityGroup(
            'InstanceSecurityGroup',
            GroupDescription='%sSecurityGroup' % service_name,
            SecurityGroupIngress=[
                SecurityGroupRule(
                    IpProtocol='tcp',
                    FromPort='22',
                    ToPort='22',
                    CidrIp=Ref(sshlocation_param)),
                SecurityGroupRule(
                    IpProtocol='tcp',
                    FromPort='80',
                    ToPort='80',
                    CidrIp='0.0.0.0/0'),
                SecurityGroupRule(
                    IpProtocol='tcp',
                    FromPort='1080',
                    ToPort='1080',
                    CidrIp='0.0.0.0/0'),
                SecurityGroupRule(
                    IpProtocol='tcp',
                    FromPort='443',
                    ToPort='443',
                    CidrIp='0.0.0.0/0'),
                SecurityGroupRule(
                    IpProtocol='tcp',
                    FromPort='0',
                    ToPort='65535',
                    CidrIp="10.0.0.0/8"),
            ],
            VpcId=Ref(VPC_ref),
        )
    )

    public_instance = t.add_resource(
        Instance(
            "Public%sInstance" % service_name,
            ImageId=FindInMap("PublicRegionMap", Ref("AWS::Region"), "AMI"),
            InstanceType=Ref(instanceType_param),
            KeyName=Ref(keyname_param),
            NetworkInterfaces=[
                NetworkInterfaceProperty(
                    GroupSet=[
                        Ref(instanceSecurityGroup)],
                    AssociatePublicIpAddress='true',
                    DeviceIndex='0',
                    DeleteOnTermination='true',
                    SubnetId=Ref(public_subnet))],
            UserData=Base64(public_instance_userdata),
            Tags=Tags(
                Application=ref_stack_id,
                Name='%sPublicInstance' % (service_name))
        )
    )

    private_instance = t.add_resource(
        Instance(
            "Private%sInstance" % service_name,
            ImageId=FindInMap("PrivateRegionMap", Ref("AWS::Region"), "AMI"),
            InstanceType=Ref(instanceType_param),
            KeyName=Ref(keyname_param),
            NetworkInterfaces=[
                NetworkInterfaceProperty(
                    GroupSet=[
                        Ref(instanceSecurityGroup)],
                    DeviceIndex='0',
                    DeleteOnTermination='true',
                    SubnetId=Ref(private_subnet))],
            UserData=Base64(private_instance_userdata),
            Tags=Tags(
                Application=ref_stack_id,
                Name='%sPrivateInstance' % (service_name)),
            IamInstanceProfile="%sPrivInstanceRole" % (service_name)
        )
    )

    outputs = []
    outputs.append(
        Output(
            "PublicIP",
            Description="IP Address of Public Instance",
            Value=GetAtt(public_instance, "PublicIp"),
        )
    )
    t.add_output(outputs)

    # Set up S3 Bucket and CloudTrail
    S3Bucket = t.add_resource(
        Bucket(
            "S3Bucket",
            DeletionPolicy="Retain"
        )
    )

    S3PolicyDocument=awacs.aws.PolicyDocument(
        Id='EnforceServersideEncryption',
        Version='2012-10-17',
        Statement=[
            awacs.aws.Statement(
                Sid='PermitCTBucketPut',
                Action=[s3.PutObject],
                Effect=awacs.aws.Allow,
                Principal=awacs.aws.Principal("Service", ["cloudtrail.amazonaws.com"]),
                Resource=[Join('', [s3.ARN(''), Ref(S3Bucket), "/*"])],
            ),
            awacs.aws.Statement(
                Sid='PermitCTBucketACLRead',
                Action=[s3.GetBucketAcl],
                Effect=awacs.aws.Allow,
                Principal=awacs.aws.Principal("Service", ["cloudtrail.amazonaws.com"]),
                Resource=[Join('', [s3.ARN(''), Ref(S3Bucket)])],
            )
        ]
    )

    S3BucketPolicy = t.add_resource(
        BucketPolicy(
            "BucketPolicy",
            PolicyDocument=S3PolicyDocument,
            Bucket=Ref(S3Bucket),
            DependsOn=[S3Bucket]
        )
    )

    myTrail = t.add_resource(
        Trail(
            "CloudTrail",
            IsLogging=True,
            S3BucketName=Ref(S3Bucket),
            DependsOn=["BucketPolicy"],
        )
    )
    myTrail.IsMultiRegionTrail = True
    myTrail.IncludeGlobalServiceEvents = True
    return t.to_json()
예제 #8
0
 def test_parameter(self):
     t = Template()
     p = Parameter("MyParameter", Type="String")
     t.add_parameter(p)
     with self.assertRaises(ValueError):
         t.add_parameter(p)
예제 #9
0
 def test_resource(self):
     t = Template()
     r = FakeAWSObject('fake', callcorrect=True)
     t.add_resource(r)
     with self.assertRaises(ValueError):
         t.add_resource(r)
예제 #10
0
 def test_invalid_parameter_property_in_template(self):
     t = Template()
     p = Parameter("BasicNumber", Type="Number", AllowedPattern=".*")
     t.add_parameter(p)
     with self.assertRaises(ValueError):
         t.to_json()
예제 #11
0
 def test_output(self):
     t = Template()
     o = Output("MyOutput", Value="myvalue")
     t.add_output(o)
     with self.assertRaises(ValueError):
         t.add_output(o)
예제 #12
0
 def test_badrequired(self):
     with self.assertRaises(ValueError):
         t = Template()
         t.add_resource(Instance('ec2instance'))
         t.to_json()
예제 #13
0
 def test_mutualexclusion(self):
     t = Template()
     t.add_resource(FakeAWSObject('fake', callcorrect=True,
                                  singlelist=[10]))
     with self.assertRaises(ValueError):
         t.to_json()
예제 #14
0
def generate_queues_template(QueueNamePrefix, Environment):
    QueueName = f'{QueueNamePrefix}-{Environment}'
    DLQQueueName = f'{QueueNamePrefix}DLQ-{Environment}'

    t = Template(Description='A template for a messaging queue')
    t.version = '2010-09-09'

    KMSKey = t.add_resource(
        Key('KMSKey',
            Description=f'KMS Key for encrypting {QueueName}',
            Enabled=True,
            EnableKeyRotation=True,
            KeyPolicy=Policy(
                Version='2012-10-17',
                Statement=[
                    Statement(Sid='Enable IAM User Permissions',
                              Effect=Allow,
                              Principal=AWSPrincipal(
                                  Sub('arn:aws:iam::${AWS::AccountId}:root')),
                              Action=[KmsAction(All)],
                              Resource=AllResources),
                    Statement(Sid='Allow access for Key Administrators',
                              Effect=Allow,
                              Principal=AWSPrincipal([
                                  Sub(f'{USER}/frank'),
                                  Sub(f'{USER}/moonunit')
                              ]),
                              Action=[
                                  KmsAction('Create*'),
                                  KmsAction('Describe*'),
                                  KmsAction('Enable*'),
                                  KmsAction('List*'),
                                  KmsAction('Put*'),
                                  KmsAction('Update*'),
                                  KmsAction('Revoke*'),
                                  KmsAction('Disable*'),
                                  KmsAction('Get*'),
                                  KmsAction('Delete*'),
                                  KmsAction('ScheduleKeyDeletion'),
                                  KmsAction('CancelKeyDeletion')
                              ],
                              Resource=AllResources)
                ])))

    t.add_resource(
        Alias('KMSKeyAlias',
              AliasName=f'alias/{QueueName}',
              TargetKeyId=Ref(KMSKey)))

    dlq = t.add_resource(
        Queue(
            'DeadLetterQueue',
            QueueName=DLQQueueName,
            MaximumMessageSize=262144,  # 256KiB
            MessageRetentionPeriod=1209600,  # 14 days
            VisibilityTimeout=30))

    t.add_resource(
        Queue(
            'PrimaryQueue',
            QueueName=QueueName,
            MaximumMessageSize=262144,  # 256KiB
            MessageRetentionPeriod=1209600,  # 14 days
            VisibilityTimeout=30,
            RedrivePolicy=RedrivePolicy(deadLetterTargetArn=GetAtt(
                dlq.title, 'Arn'),
                                        maxReceiveCount=10),
            KmsMasterKeyId=Ref(KMSKey),
            KmsDataKeyReusePeriodSeconds=300))

    t.add_output([
        Output('QueueArn',
               Description=f'ARN of {QueueName} Queue',
               Value=GetAtt('PrimaryQueue', 'Arn'),
               Export=Export(Name(Sub('${AWS::StackName}:PrimaryQueueArn')))),
        Output('KmsKeyArn',
               Description=f'KMS Key ARN for {QueueName} Queue',
               Value=GetAtt('KMSKey', 'Arn'),
               Export=Export(Name(Sub('${AWS::StackName}:KmsKeyArn'))))
    ])

    return t
예제 #15
0
파일: base.py 프로젝트: LyndonHook/stacker
 def reset_template(self):
     self.template = Template()
     self._rendered = None
     self._version = None
예제 #16
0
 def test_ref(self):
     name = 'fake'
     t = Template()
     resource = t.add_resource(Instance(name))
     self.assertEqual(resource.name, name)
예제 #17
0
from re import M
from troposphere import (Template, Ref, Parameter, Sub, GetAtt, config, s3,
                         sns, iam)
from awacs.aws import (PolicyDocument, Statement, Principal, Allow)
import awacs.s3
import awacs.sns
import awacs.sts

config_service_principal = Principal('Service', 'config.amazonaws.com')

template = Template(
    Description='Create Config Rules ready to aggregate to SecurityHub')

notification_email = template.add_parameter(
    Parameter('NotificationEmail',
              Default='*****@*****.**',
              Description=
              'Email address for AWS Config notifications (for new topics).',
              Type='String'))

aggregator_account_id = template.add_parameter(
    Parameter(
        'AggregatorAccountId',
        Description='Account ID of SecurityHub aggregation account',
        Type='String',
    ))

config_bucket = template.add_resource(
    s3.Bucket('ConfigBucket', DeletionPolicy='Retain'))

config_bucket_policy = template.add_resource(
예제 #18
0
 def test_required_title_error(self):
     with self.assertRaisesRegexp(ValueError, "title:"):
         t = Template()
         t.add_resource(Instance('ec2instance'))
         t.to_json()
예제 #19
0
def GenerateStepJenkinsLayer():
    t = Template()

    t.add_description("""\
    Jenkins for Step Hackathon Layer
    """)

    stackname_param = t.add_parameter(
        Parameter(
            "StackName",
            Description="Environment Name (default: hackathon)",
            Type="String",
            Default="hackathon",
        ))

    vpcid_param = t.add_parameter(
        Parameter(
            "VpcId",
            Type="String",
            Description="VpcId of your existing Virtual Private Cloud (VPC)",
            Default="vpc-fab00e9f"))

    subnets = t.add_parameter(
        Parameter(
            "Subnets",
            Type="CommaDelimitedList",
            Description=(
                "The list SubnetIds, for public subnets in the "
                "region and in your Virtual Private Cloud (VPC) - minimum one"
            ),
            Default="subnet-b68f3bef,subnet-9a6208ff,subnet-bfdd4fc8"))

    keypair_param = t.add_parameter(
        Parameter("KeyPair",
                  Description="Name of an existing EC2 KeyPair to enable SSH "
                  "access to the instance",
                  Type="String",
                  Default="glueteam"))

    jenkins_ami_id_param = t.add_parameter(
        Parameter("JenkinsAmiId",
                  Description="Jenkins server AMI ID (default: ami-f3641a84)",
                  Type="String",
                  Default="ami-f3641a84"))

    operations_subdomain_hosted_zone_param = t.add_parameter(
        Parameter("DashsoftHostedZoneParam",
                  Description="HostedZone (default: hackathon.operations.dk)",
                  Type="String",
                  Default="hackathon.operations.dk"))

    iam_role_param = t.add_parameter(
        Parameter(
            "IamRole",
            Description="IAM Role name",
            Type="String",
        ))

    # --------- Jenkins instance

    jenkins_sg = t.add_resource(
        ec2.SecurityGroup(
            'JenkinsSG',
            GroupDescription='Security group for Jenkins host',
            VpcId=Ref(vpcid_param),
            Tags=Tags(Name=Join("", [Ref(stackname_param), "SG"])),
            SecurityGroupIngress=[
                ec2.SecurityGroupRule(
                    IpProtocol="tcp",
                    FromPort="22",
                    ToPort="22",
                    CidrIp="0.0.0.0/0",
                ),
                ec2.SecurityGroupRule(
                    IpProtocol="tcp",
                    FromPort="80",
                    ToPort="80",
                    CidrIp="0.0.0.0/0",
                ),
                ec2.SecurityGroupRule(
                    IpProtocol="tcp",
                    FromPort="443",
                    ToPort="443",
                    CidrIp="0.0.0.0/0",
                ),
            ]))

    jenkins_eip = t.add_resource(ec2.EIP(
        'JenkinsEIP',
        Domain='vpc',
    ))

    jenkins_eth0 = t.add_resource(
        ec2.NetworkInterface(
            "JenkinsEth0",
            Description=Join("", [Ref(stackname_param), " Eth0"]),
            GroupSet=[
                Ref(jenkins_sg),
            ],
            SourceDestCheck=True,
            SubnetId=Select(0, Ref(subnets)),
            Tags=Tags(
                Name=Join("", [Ref(stackname_param), " Interface 0"]),
                Interface="eth0",
            )))

    jenkins_host = t.add_resource(
        ec2.Instance(
            'JenkinsHost',
            ImageId=Ref(jenkins_ami_id_param),
            InstanceType='m3.medium',
            KeyName=Ref(keypair_param),
            IamInstanceProfile=Ref(iam_role_param),
            NetworkInterfaces=[
                ec2.NetworkInterfaceProperty(
                    NetworkInterfaceId=Ref(jenkins_eth0),
                    DeviceIndex="0",
                ),
            ],
            Tags=Tags(Name=Ref(stackname_param), Id=Ref(stackname_param)),
            UserData=Base64(Join('', [
                '#!/bin/bash\n',
            ])),
        ))

    jenkins_eip_assoc = t.add_resource(
        ec2.EIPAssociation(
            "JenkinsEIPAssoc",
            NetworkInterfaceId=Ref(jenkins_eth0),
            AllocationId=GetAtt("JenkinsEIP", "AllocationId"),
            PrivateIpAddress=GetAtt("JenkinsEth0", "PrimaryPrivateIpAddress"),
        ))

    jenkins_host_cname = t.add_resource(
        route53.RecordSetType(
            "JenkinsHostCname",
            HostedZoneName=Join(
                "", [Ref(operations_subdomain_hosted_zone_param), "."]),
            Comment=Join("", ["Jenkins host CNAME for ",
                              Ref(stackname_param)]),
            Name=Join(
                "",
                ["jenkins.",
                 Ref(operations_subdomain_hosted_zone_param), "."]),
            Type="A",
            TTL="60",
            ResourceRecords=[GetAtt("JenkinsHost", "PublicIp")],
            DependsOn="JenkinsEIPAssoc"))

    return t
예제 #20
0
 def __init__(self, vpc_config, description="VPC built by VPCBuilder"):
     self.__template = Template()
     self.__template.set_version("2010-09-09")
     self.__template.set_description(description)
     self.__vpc_config = vpc_config
예제 #21
0
def main():
    """Generates the CloudFormation template"""
    template = Template()

    template.add_version("2010-09-09")

    template.add_description(
        'This template deploys a VPC, with a pair of public and private subnets spread ' +
        'across two Availabilty Zones. It deploys an Internet Gateway, with a default ' +
        'route on the public subnets. It deploys a pair of NAT Gateways (one in each AZ), ' +
        'and default routes for them in the private subnets.'
    )
    # Parameters
    # EnvironmentName
    env_param = template.add_parameter(Parameter(
        'EnvironmentName',
        Type='String',
        Description='An environment name that will be prefixed to resource names',
    ))

    # VPC CIDR
    vpc_cidr_param = template.add_parameter(Parameter(
        'VpcCIDR',
        Type='String',
        Description='Please enter the IP range (CIDR notation) for this VPC',
        Default='10.192.0.0/16',
    ))

    # PublicSubnet1CIDR
    pub_subnet_1_param = template.add_parameter(Parameter(
        'PublicSubnet1CIDR',
        Type='String',
        Description='Please enter the IP range (CIDR notation) for the public subnet ' +
        'in the first Availability Zone',
        Default='10.192.10.0/24',
    ))

    # PublicSubnet2CIDR
    pub_subnet_2_param = template.add_parameter(Parameter(
        'PublicSubnet2CIDR',
        Type='String',
        Description='Please enter the IP range (CIDR notation) for the public subnet ' +
        'in the second Availability Zone',
        Default='10.192.11.0/24',
    ))

    # PrivateSubnet1CIDR
    prvt_subnet_1_param = template.add_parameter(Parameter(
        'PrivateSubnet1CIDR',
        Type='String',
        Description='Please enter the IP range (CIDR notation) for the private subnet ' +
        'in the first Availability Zone',
        Default='10.192.20.0/24',
    ))

    # PrivateSubnet2CIDR
    prvt_subnet_2_param = template.add_parameter(Parameter(
        'PrivateSubnet2CIDR',
        Type='String',
        Description='Please enter the IP range (CIDR notation) for the private subnet ' +
        'in the second Availability Zone',
        Default='10.192.21.0/24',
    ))

    # Resources
    # VPC
    vpc = template.add_resource(
        VPC(
            'VPC',
            CidrBlock=Ref(vpc_cidr_param),
            Tags=Tags(Name=Ref(env_param)),
        )
    )

    # InternetGateway
    internet_gateway = template.add_resource(
        InternetGateway(
            'InternetGateway',
            Tags=Tags(Name=Ref(env_param)),
        )
    )

    # InternetGatewayAttachment
    template.add_resource(
        VPCGatewayAttachment(
            'InternetGatewayAttachment',
            InternetGatewayId=Ref(internet_gateway),
            VpcId=Ref(vpc),
        )
    )

    # PublicSubnet1
    pub_subnet1 = template.add_resource(
        Subnet(
            'PublicSubnet1',
            VpcId=Ref(vpc),
            AvailabilityZone=Select('0', GetAZs("")),
            CidrBlock=Ref(pub_subnet_1_param),
            MapPublicIpOnLaunch=False,
            Tags=Tags(Name=Sub('${EnvironmentName} Public Subnet (AZ1)')),
        )
    )

    # PublicSubnet2
    pub_subnet2 = template.add_resource(
        Subnet(
            'PublicSubnet2',
            VpcId=Ref(vpc),
            AvailabilityZone=Select('1', GetAZs("")),
            CidrBlock=Ref(pub_subnet_2_param),
            MapPublicIpOnLaunch=False,
            Tags=Tags(Name=Sub('${EnvironmentName} Public Subnet (AZ2)')),
        )
    )

    # PrivateSubnet1
    prvt_subnet1 = template.add_resource(
        Subnet(
            'PrivateSubnet1',
            VpcId=Ref(vpc),
            AvailabilityZone=Select('0', GetAZs("")),
            CidrBlock=Ref(prvt_subnet_1_param),
            MapPublicIpOnLaunch=False,
            Tags=Tags(Name=Sub('${EnvironmentName} Private Subnet (AZ1)')),
        )
    )

    # PrivateSubnet2
    prvt_subnet2 = template.add_resource(
        Subnet(
            'PrivateSubnet2',
            VpcId=Ref(vpc),
            AvailabilityZone=Select('1', GetAZs("")),
            CidrBlock=Ref(prvt_subnet_2_param),
            MapPublicIpOnLaunch=False,
            Tags=Tags(Name=Sub('${EnvironmentName} Private Subnet (AZ2)')),
        )
    )

    # NatGateway1EIP
    nat_gateway1_eip = template.add_resource(
        EIP(
            'NatGateway1EIP',
            DependsOn='InternetGatewayAttachment',
            Domain='vpc',
        )
    )

    # NatGateway2EIP
    nat_gateway2_eip = template.add_resource(
        EIP(
            'NatGateway2EIP',
            DependsOn='InternetGatewayAttachment',
            Domain='vpc',
        )
    )

    # NatGateway1
    nat_gateway1 = template.add_resource(
        NatGateway(
            'NatGateway1',
            AllocationId=GetAtt(nat_gateway1_eip, 'AllocationId'),
            SubnetId=Ref(pub_subnet1),
        )
    )

    # NatGateway2
    nat_gateway2 = template.add_resource(
        NatGateway(
            'NatGateway2',
            AllocationId=GetAtt(nat_gateway2_eip, 'AllocationId'),
            SubnetId=Ref(pub_subnet2),
        )
    )

    # PublicRouteTable
    pub_route_table = template.add_resource(
        RouteTable(
            'PublicRouteTable',
            VpcId=Ref(vpc),
            Tags=Tags(Name=Sub('${EnvironmentName} Public Routes')),
        )
    )

    # DefaultPublicRoute
    template.add_resource(
        Route(
            'DefaultPublicRoute',
            RouteTableId=Ref(pub_route_table),
            DestinationCidrBlock='0.0.0.0/0',
            GatewayId=Ref(internet_gateway),
        )
    )

    # PublicSubnet1RouteTableAssociation
    template.add_resource(
        SubnetRouteTableAssociation(
            'PublicSubnet1RouteTableAssociation',
            RouteTableId=Ref(pub_route_table),
            SubnetId=Ref(pub_subnet1),
        )
    )

    # PublicSubnet2RouteTableAssociation
    template.add_resource(
        SubnetRouteTableAssociation(
            'PublicSubnet2RouteTableAssociation',
            RouteTableId=Ref(pub_route_table),
            SubnetId=Ref(pub_subnet2),
        )
    )

    # PrivateRouteTable1
    prvt_route_table1 = template.add_resource(
        RouteTable(
            'PrivateRouteTable1',
            VpcId=Ref(vpc),
            Tags=Tags(Name=Sub('${EnvironmentName} Private Routes (AZ1)')),
        )
    )

    # DefaultPrivateRoute1
    template.add_resource(
        Route(
            'DefaultPrivateRoute1',
            RouteTableId=Ref(prvt_route_table1),
            DestinationCidrBlock='0.0.0.0/0',
            NatGatewayId=Ref(nat_gateway1),
        )
    )

    # PrivateSubnet1RouteTableAssociation
    template.add_resource(
        SubnetRouteTableAssociation(
            'PrivateSubnet1RouteTableAssociation',
            RouteTableId=Ref(prvt_route_table1),
            SubnetId=Ref(prvt_subnet1),
        )
    )

    # PrivateRouteTable2
    prvt_route_table2 = template.add_resource(
        RouteTable(
            'PrivateRouteTable2',
            VpcId=Ref(vpc),
            Tags=Tags(Name=Sub('${EnvironmentName} Private Routes (AZ2)')),
        )
    )

    # DefaultPrivateRoute2
    template.add_resource(
        Route(
            'DefaultPrivateRoute2',
            RouteTableId=Ref(prvt_route_table2),
            DestinationCidrBlock='0.0.0.0/0',
            NatGatewayId=Ref(nat_gateway2),
        )
    )

    # PrivateSubnet1RouteTableAssociation
    template.add_resource(
        SubnetRouteTableAssociation(
            'PrivateSubnet2RouteTableAssociation',
            RouteTableId=Ref(prvt_route_table2),
            SubnetId=Ref(prvt_subnet2),
        )
    )

    # Outputs
    template.add_output(Output(
        'VPC',
        Description='A reference to the created VPC',
        Value=Ref(vpc),
    ))

    template.add_output(Output(
        'PublicSubnets',
        Description='A list of the public subnets',
        Value=Join(',', [Ref(pub_subnet1), Ref(pub_subnet2)]),
    ))

    template.add_output(Output(
        'PrivateSubnets',
        Description='A list of the private subnets',
        Value=Join(',', [Ref(prvt_subnet1), Ref(prvt_subnet2)]),
    ))

    template.add_output(Output(
        'PublicSubnet1',
        Description='A reference to the public subnet in the 1st Availability Zone',
        Value=Ref(pub_subnet1),
    ))

    template.add_output(Output(
        'PublicSubnet2',
        Description='A reference to the public subnet in the 2nd Availability Zone',
        Value=Ref(pub_subnet2),
    ))

    template.add_output(Output(
        'PrivateSubnet1',
        Description='A reference to the private  subnet in the 1st Availability Zone',
        Value=Ref(prvt_subnet1),
    ))

    template.add_output(Output(
        'PrivateSubnet2',
        Description='A reference to the private  subnet in the 2nd Availability Zone',
        Value=Ref(prvt_subnet2),
    ))

    print(template.to_json())
예제 #22
0
 def test_simple_table(self):
     serverless_table = SimpleTable("SomeTable")
     t = Template()
     t.add_resource(serverless_table)
     t.to_json()
예제 #23
0
    def create_template(self):

        if self.template_type == 'project_role':

            template = Template()

            namespace_param = template.add_parameter(
                Parameter(
                    "IAMNamespace",
                    Description="Namespace for IAM users, policies, etc.",
                    Type="String",
                    Default="/"))

            uppercase_env_prefix_param = template.add_parameter(
                Parameter(
                    "UppercaseAwsEnvironmentPrefix",
                    Description=
                    "Uppercase abbreviation for AWS account (i.e. DEV,QA,PROD)",
                    Type="String"))

            lowercase_env_prefix_param = template.add_parameter(
                Parameter(
                    "LowercaseAwsEnvironmentPrefix",
                    Description=
                    "Lowercase abbreviation for AWS account (i.e. dev,qa,prod)",
                    Type="String"))
            aws_account_number_param = template.add_parameter(
                Parameter("AccountNumber",
                          Description="AWS Account Number",
                          Type="String"))
            uppercase_project_name_param = template.add_parameter(
                Parameter("UppercaseProjectName",
                          Description="Uppercase Project Name",
                          Type="String"))
            lowercase_project_name_param = template.add_parameter(
                Parameter("LowercaseProjectName",
                          Description="Lowercase Project Name",
                          Type="String"))

            pd = PolicyDocument(Version="2012-10-17",
                                Id="Account-Permissions",
                                Statement=self.create_policy_document())

            iam_group = template.add_resource(
                Group(
                    'IamGroup',

                    #Join('-', [Ref(uppercase_env_prefix_param),Ref(uppercase_project_name_param)])
                    Path=Ref(namespace_param),
                    GroupName=Join('-', [
                        Ref(uppercase_env_prefix_param),
                        Ref(uppercase_project_name_param)
                    ])
                    #'ManagedPolicyArns': ([basestring], False),

                    #Policies'= ([Policy], False)
                ))

            iam_managed_policy = template.add_resource(
                ManagedPolicy("ManagedPolicy",
                              Description=Join('-', [
                                  Ref(uppercase_env_prefix_param),
                                  Ref(uppercase_project_name_param), 'project'
                              ]),
                              Groups=[
                                  Join('-', [
                                      Ref(uppercase_env_prefix_param),
                                      Ref(uppercase_project_name_param)
                                  ])
                              ],
                              ManagedPolicyName=Join('-', [
                                  Ref(uppercase_env_prefix_param),
                                  Ref(uppercase_project_name_param)
                              ]),
                              Path=Ref(namespace_param),
                              PolicyDocument=pd))

            if self.debug:
                print(template.to_json())

            with tempfile.NamedTemporaryFile(mode='w',
                                             suffix='.rdr',
                                             delete=False) as tmp:
                tmp.write(template.to_json())
            self._config.pop('meta-parameters', None)

            if (not os.path.exists(self.cwd + '/template.json')
                    and not self._config['environment']['template']):

                with open(self.cwd + '/template.json', 'w') as file:
                    file.write(template.to_json())
                file.close()
            else:
                if self.debug:
                    print('Not creating template.json')

            return tmp.name

        elif self.template_type == 'project_role_jump_account':

            self._config['parameters'].pop('Resources', None)

            template = Template()

            namespace_param = template.add_parameter(
                Parameter(
                    "IAMNamespace",
                    Description="Namespace for IAM users, policies, etc.",
                    Type="String",
                    Default="/"))

            uppercase_env_prefix_param = template.add_parameter(
                Parameter(
                    "UppercaseAwsEnvironmentPrefix",
                    Description=
                    "Uppercase abbreviation for AWS account (i.e. DEV,QA,PROD)",
                    Type="String"))

            lowercase_env_prefix_param = template.add_parameter(
                Parameter(
                    "LowercaseAwsEnvironmentPrefix",
                    Description=
                    "Lowercase abbreviation for AWS account (i.e. dev,qa,prod)",
                    Type="String"))
            aws_account_number_param = template.add_parameter(
                Parameter("AccountNumber",
                          Description="AWS Account Number",
                          Type="String"))
            uppercase_project_name_param = template.add_parameter(
                Parameter("UppercaseProjectName",
                          Description="Uppercase Project Name",
                          Type="String"))
            lowercase_project_name_param = template.add_parameter(
                Parameter("LowercaseProjectName",
                          Description="Lowercase Project Name",
                          Type="String"))

            pd = PolicyDocument(Version="2012-10-17",
                                Statement=self.create_policy_document())

            iam_policy = template.add_resource(
                ManagedPolicy('ManagedPolicy',
                              Description=Join('-', [
                                  Ref(uppercase_env_prefix_param),
                                  Ref(uppercase_project_name_param), 'project'
                              ]),
                              PolicyDocument=pd,
                              ManagedPolicyName=Join('-', [
                                  Ref(uppercase_env_prefix_param),
                                  Ref(uppercase_project_name_param)
                              ]),
                              Path=Ref(namespace_param)))

            iam_group = template.add_resource(
                Group("Group",
                      GroupName=Join('-', [
                          Ref(uppercase_env_prefix_param),
                          Ref(uppercase_project_name_param)
                      ])))
            if self.debug:
                print(template.to_json())

            with tempfile.NamedTemporaryFile(mode='w',
                                             suffix='.rdr',
                                             delete=False) as tmp:
                tmp.write(template.to_json())
            self._config.pop('meta-parameters', None)

            if (not os.path.exists(self.cwd + '/template.json')
                    and not self._config['environment']['template']):

                with open(self.cwd + '/template.json', 'w') as file:
                    file.write(template.to_json())
                file.close()
            else:
                if self.debug:
                    print('Not creating template.json')

            if self.debug:
                print('template file is: ' + str(tmp.name))
            return tmp.name

        else:
            print('incorrect template type')
            sys.exit(1)
예제 #24
0
def roleTemplate(app,env,nameBucket):

        template = Template()

        Ec2Role = template.add_resource(Role(
            "Ec2Role",
            RoleName="ec2-role",
            AssumeRolePolicyDocument={"Statement": [{
                "Effect": "Allow",
                "Principal": {
                    "Service": [ "ec2.amazonaws.com" ]
                },
                "Action": [ "sts:AssumeRole" ]
            }]},
            Policies=[Policy(
                PolicyName="ec2-policy",
                PolicyDocument={
                    "Statement": [
                        {
                            "Action": [
                                "ec2:*",
                            ],
                            "Effect": "Allow",
                            "Resource": ["*"]
                        }
                    ]
                }
            ),
            Policy(
                PolicyName="s3List",
                PolicyDocument={
                    "Statement": [
                        {
                            "Action": ["s3:ListBucket"],
                            "Resource":[Join("",["arn:aws:s3:::",ImportValue("Bucket"+nameBucket+app+env)])],
                            "Effect": "Allow"
                        }
                    ]
                }
            ),
            Policy(
                PolicyName="s3Permissions",
                PolicyDocument={
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Action": [
                                "s3:PutObject",
                                "s3:GetObject",
                                "s3:DeleteObject"
                            ],
                            "Resource": [Join("",["arn:aws:s3:::",ImportValue("Bucket"+nameBucket+app+env),"/*"])]
                        }
                    ]
                }
            )
            ]
        )
        )



        profile = template.add_resource(InstanceProfile(
            "InstanceProfile",
            Roles=[Ref(Ec2Role)]
        ))

        output = template.add_output(Output(
            "iamRole"+app+env,
            Description="IAM Role",
            Value=Ref(profile),
            Export=Export("Role-"+app+"-"+env)
        ))

        return (template.to_json())
예제 #25
0
# ==================================================
# This stack creates the API infrastructure.
# ==================================================
from troposphere import Template, Parameter, Ref, GetAtt, Join, Output
import troposphere.s3 as s3
import troposphere.iam as iam
import troposphere.cloudfront as cloudfront
import uuid

# ==================================================
# Template details.
# ==================================================
template = Template(
    'Create the infrastructure needed to run the Connected Together Admin')
template.add_version('2010-09-09')

# ==================================================
# Parameters.
# ==================================================
uuid_parameter = template.add_parameter(
    Parameter('Uuid',
              Type='String',
              Default=str(uuid.uuid4()),
              Description='The unique ID for this stack.',
              MinLength='36',
              MaxLength='36'))

environment_parameter = template.add_parameter(
    Parameter(
        'Environment',
        Type='String',
예제 #26
0
 def __init__(self, sceptre_user_data):
     self.template = Template()
     self.sceptre_user_data = sceptre_user_data
     self.template.add_description(
         "Lambda Function for Unregisteration of Runners")
def main(**launch_parameters):
    try:
        t = Template()
        t.set_version("2010-09-09")
        t.set_description("(SOCA) - Base template to deploy DCV nodes")
        allow_anonymous_data_collection = launch_parameters["DefaultMetricCollection"]
        # Launch Actual Capacity
        instance = ec2.Instance(str(launch_parameters["session_name"]))
        instance.BlockDeviceMappings = [{'DeviceName': "/dev/xvda" if launch_parameters["base_os"] == "amazonlinux2" else "/dev/sda1",
                                         'Ebs': {
                                             'DeleteOnTermination': True,
                                             'VolumeSize': 30 if launch_parameters["disk_size"] is False else int(launch_parameters["disk_size"]),
                                             'VolumeType': 'gp2',
                                             'Encrypted': True}
                                         }]
        instance.ImageId = launch_parameters["image_id"]
        instance.SecurityGroupIds = [launch_parameters["security_group_id"]]
        if launch_parameters["hibernate"] is True:
            instance.HibernationOptions = ec2.HibernationOptions(Configured=True)
        instance.InstanceType = launch_parameters["instance_type"]
        instance.SubnetId = random.choice(launch_parameters["soca_private_subnets"]) if len(launch_parameters["soca_private_subnets"]) > 1 else launch_parameters["soca_private_subnets"][0]
        instance.IamInstanceProfile = launch_parameters["ComputeNodeInstanceProfileArn"].split("instance-profile/")[-1]
        instance.KeyName = launch_parameters["KeyName"]
        instance.UserData = Base64(Sub((launch_parameters["user_data"])))
        instance.Tags = base_Tags(
            Name=str(launch_parameters["cluster_id"] + "-" + launch_parameters["session_name"] + "-" + launch_parameters["user"]),
            _soca_JobName=str(launch_parameters["session_name"]),
            _soca_JobOwner=str(launch_parameters["user"]),
            _soca_NodeType="dcv",
            _soca_JobProject="desktop",
            _soca_DCVSupportHibernate=str(launch_parameters["hibernate"]).lower(),
            _soca_ClusterId=str(launch_parameters["cluster_id"]),
            _soca_DCVSessionUUID=str(launch_parameters["session_uuid"]),
            _soca_DCVSystem=str(launch_parameters["base_os"]))
        t.add_resource(instance)

        # Begin Custom Resource
        # Change Mapping to No if you want to disable this
        if allow_anonymous_data_collection is True:
            metrics = CustomResourceSendAnonymousMetrics("SendAnonymousData")
            metrics.ServiceToken = launch_parameters["SolutionMetricLambda"]
            metrics.DesiredCapacity = "1"
            metrics.InstanceType = str(launch_parameters["instance_type"])
            metrics.Efa = "false"
            metrics.ScratchSize = "0"
            metrics.RootSize = str(launch_parameters["disk_size"])
            metrics.SpotPrice = "false"
            metrics.BaseOS = str(launch_parameters["base_os"])
            metrics.StackUUID = str(launch_parameters["session_uuid"])
            metrics.KeepForever = "false"
            metrics.FsxLustre = str({"fsx_lustre": "false", "existing_fsx": "false", "s3_backend": "false", "import_path": "false", "export_path": "false",
                                     "deployment_type": "false", "per_unit_throughput": "false", "capacity": 1200})
            metrics.TerminateWhenIdle = "false"
            metrics.Dcv = "true"
            t.add_resource(metrics)
        # End Custom Resource

        # Tags must use "soca:<Key>" syntax
        template_output = t.to_yaml().replace("_soca_", "soca:")
        return {'success': True,
                'output': template_output}

    except Exception as e:
        exc_type, exc_obj, exc_tb = sys.exc_info()
        fname = os.path.split(exc_tb.tb_frame.f_code.co_filename)[1]
        return {'success': False,
                'output': 'cloudformation_builder.py: ' + (str(e) + ': error :' + str(exc_type) + ' ' + str(fname) + ' ' + str(exc_tb.tb_lineno))}
예제 #28
0
 def __init__(self, sceptre_user_data):
     self.template = Template()
     self.sceptre_user_data = sceptre_user_data
     self.add_vpc()
예제 #29
0
from troposphere import (
    Base64,
    ec2,
    GetAtt,
    Join,
    Output,
    Parameter,
    Ref,
    Template,
)

ApplicationPort = "3000"
PublicCidrIp = str(ip_network(get_ip()))

t = Template()

t.add_description("Effective DevOps in AWS: HelloWorld web application")

t.add_parameter(
    Parameter(
        "KeyPair",
        Description="Name of an existing EC2 KeyPair to SSH",
        Type="AWS::EC2::KeyPair::KeyName",
        ConstraintDescription="must be the name of an existing EC2 KeyPair.",
    ))

t.add_resource(
    ec2.SecurityGroup(
        "SecurityGroup",
        GroupDescription="Allow SSH and TCP/{} access".format(ApplicationPort),
예제 #30
0
def create_cloudformation_stack(args):
    print("Hello AWS!")

    # Connect to EC2. Get a cloudformation client
    session = boto3.Session(profile_name='f_project')
    client = session.client('cloudformation', region_name='sa-east-1')
    stack_name = args.stack_name
    ssh_key = args.ssh_key_name
    sec_group_name = 'TesisSecurityGroup'

    # Create stack template.
    cloudformation_template = Template()

    # Add parameters -> SSH key
    ssh_key_parameter = cloudformation_template.add_parameter(
        ssh_parameter(ssh_key))
    cloudformation_template.add_output(
        cf_output("SSHKey", "SSH Key to log into instances", 'KeyName'))

    # Add roles and policies (bucket)
    policy_name = 'RolePolicies'
    role_name = 'InstanceRole'
    profile_name = 'InstanceProfile'

    ref_stack_id = Ref('AWS::StackId')
    ref_region = Ref('AWS::Region')
    ref_stack_name = Ref('AWS::StackName')

    cloudformation_template, subnet = set_cloudformation_settings(
        cloudformation_template, ref_stack_id)

    # Add security group
    ssh_sec_group = add_ssh_security_group(sec_group_name)
    cloudformation_template.add_resource(ssh_sec_group)

    # Read the environment information from the config file
    cfg_parser = ConfigObj(CFG_FILE)

    instance_size = cfg_parser['aws_config']['INSTANCE_SIZE']
    bucket_name = cfg_parser['aws_config']['BUCKET']

    # Add bucket access policies
    cloudformation_template.add_resource(
        allow_bucket_access_role(role_name))  # 1
    cloudformation_template.add_resource(
        bucket_access_policy(policy_name, role_name, bucket_name))  # 2
    cloudformation_template.add_resource(
        instance_profile_bucket(profile_name, role_name))  # 3

    for instance_id in cfg_parser["Instances"]:

        instance = cfg_parser["Instances"][instance_id]
        name = instance['name']
        print("Instance name:", name)
        ami_id = instance['ami_id']
        ip = instance['ip']
        bootstrap_file = instance['local_bootstrap_file']
        bootstrap_path = os.path.join(os.getcwd(), BOOTSTRAP_FOLDER, name,
                                      bootstrap_file)

        aws_instance = EnvInstance(name)
        aws_instance.create_instance_template(
            ami_id,
            instance_size,
            ip,
            ssh_key_parameter,
            bootstrap_path,
            sec_group_name,  # TODO: unused
            subnet)
        aws_instance.set_bucket_access(role_name, profile_name, bucket_name)
        aws_instance.add_to_security_group(ssh_sec_group)
        # aws_instance.add_to_security_group(ref_stack_id)

        cloudformation_template.add_resource(aws_instance)
        cloudformation_template.add_output(
            cf_output("%sInstance" % name, "%s: IP %s" % (name, ip), name))

        print("Instance added to template!")

    try:
        # Create stack
        client.create_stack(StackName=stack_name,
                            TemplateBody=cloudformation_template.to_json(),
                            Capabilities=['CAPABILITY_IAM'])

        # Wait until stack is created
        while client.describe_stacks(
                StackName=stack_name
        )["Stacks"][0]["StackStatus"] != StackState.created:
            # Add timeout -> and delete stack
            print("Creating Environment...")
            time.sleep(15)
        else:
            print("CloudFormation Stack created")
    except ClientError:
        formatted_lines = traceback.format_exc().splitlines()
        print(traceback.format_exc())
        print(formatted_lines[0])
        print(formatted_lines[-1])
        print("CloudFormation Stack could not be created!")