def associate(self, lbd_permission, lbd_func, event_rule, **kwargs):
lbd_permission.FunctionName = GetAtt(lbd_func, "Arn")
lbd_permission.Action = "lambda:InvokeFunction"
lbd_permission.Principal = "events.amazonaws.com"
lbd_permission.SourceArn = GetAtt(event_rule, "Arn")
x_depends_on_y(lbd_permission, lbd_func)
x_depends_on_y(lbd_permission, event_rule)
try:
targets = event_rule.Targets
except AttributeError:
targets = list()
target_id = "{}TgtId".format(lbd_func.title)
target_ids = [
target.Id
for target in targets
]
if target_id not in target_ids:
target = events.Target(
Id=target_id,
Arn=GetAtt(lbd_func, "Arn"),
)
targets.append(target)
event_rule.Targets = targets
x_depends_on_y(event_rule, lbd_func)
def associate(self,
lbd_permission,
lbd_func,
api_method,
**kwargs):
lbd_permission.FunctionName = GetAtt(lbd_func, "Arn")
lbd_permission.Action = "lambda:InvokeFunction"
lbd_permission.Principal = "apigateway.amazonaws.com"
try:
lbd_permission.SourceArn = Sub(
"arn:aws:execute-api:${Region}:${AccountId}:${RestApiId}/*/${HttpMethod}/${ResourcePath}",
{
"Region": {"Ref": "AWS::Region"},
"AccountId": {"Ref": "AWS::AccountId"},
"RestApiId": Ref(api_method.RestApiId),
"HttpMethod": api_method.HttpMethod,
"ResourcePath": api_method.Metadata[TROPOSPHERE_METADATA_FIELD_NAME][
ResourceLevelField.ApiResource.FULL_PATH]
}
)
except:
pass
x_depends_on_y(lbd_permission, lbd_func)
x_depends_on_y(lbd_permission, api_method)
def create_db_sg(self):
db_sg = self.tpl.add_resource(
ec2.SecurityGroup(
'DBSG',
GroupDescription='Allow DB From Any',
VpcId=self.vpc_id,
SecurityGroupIngress=[
ec2.SecurityGroupRule(
IpProtocol='tcp',
CidrIp='0.0.0.0/0',
FromPort=3306,
ToPort=3306
)
]
)
)
# セキュリティグループの論理IDをアウトプットする
self.tpl.add_output(
Output(
'DBSGId',
Description='DB Security Group Id',
Value=GetAtt(db_sg, 'GroupId')
)
)
def scheduled_job_event_rule_aws_objects(
self) -> typing.Dict[str, events.Rule]:
"""
Returns a key value pair of scheduled job expression and
``troposphere_mate.events.Rule`` object. Since
"""
if self._scheduled_job_event_rule_aws_objects_cache is NOTHING:
dct = dict()
for expression in self.scheduled_job_expression_list:
event_rule_logic_id = "EventRule{}".format(
fingerprint.of_text(expression + self.lbd_func_name))
event_rule = events.Rule(
title=event_rule_logic_id,
State="ENABLED",
ScheduleExpression=expression,
Targets=[
events.Target(
Id="EventRuleStartCrawlerGitHubDataTrigger",
Arn=GetAtt(self.lbd_func_aws_object, "Arn"),
)
],
DependsOn=[
self.lbd_func_aws_object,
])
dct[expression] = event_rule
self._scheduled_job_event_rule_aws_objects_cache = dct
return self._scheduled_job_event_rule_aws_objects_cache
def create_launch_template(self):
web_sg_list = [self.web_sg_id]
launch_template = self.tpl.add_resource(
ec2.LaunchTemplate(
'LaunchTemplate',
LaunchTemplateName=f'{self.prefix}-{self.project}-LaunchTemplate',
LaunchTemplateData=ec2.LaunchTemplateData(
ImageId=self.image_id,
InstanceType=self.instance_type,
KeyName=self.key_name,
SecurityGroupIds=web_sg_list
)
)
)
# 起動テンプレートの論理IDをアウトプット
self.tpl.add_output(
Output(
'LaunchTemplateId',
Description='LaunchTemplate Id',
Value=Ref(launch_template)
)
)
# 起動テンプレートのバージョンをアウトプット
self.tpl.add_output(
Output(
'LaunchTemplateLatestVersion',
Description='LaunchTemplate Latest Version',
Value=GetAtt(launch_template, 'LatestVersionNumber')
)
)
def create_web_sg(self):
web_sg = self.tpl.add_resource(
ec2.SecurityGroup(
'WebSG',
GroupDescription='Allow Web From Any',
VpcId=self.vpc_id,
SecurityGroupIngress=[
ec2.SecurityGroupRule(
IpProtocol='tcp',
CidrIp='0.0.0.0/0',
FromPort=443,
ToPort=443
),
ec2.SecurityGroupRule(
IpProtocol='tcp',
CidrIp='0.0.0.0/0',
FromPort=80,
ToPort=80
),
]
)
)
# セキュリティグループの論理IDをアウトプットする
self.tpl.add_output(
Output(
'WebSGId',
Description='Web Security Group Id',
Value=GetAtt(web_sg, 'GroupId')
)
)
def apigw_authorizer_lbd_permission_aws_object(
self) -> awslambda.Permission:
if self._apigw_authorizer_lbd_permission_aws_object_cache is NOTHING:
apigw_authorizer_lbd_permission_logic_id = "LbdPermission{}".format(
self.apigw_authorizer_logic_id)
apigw_authorizer_lbd_permission = awslambda.Permission(
title=apigw_authorizer_lbd_permission_logic_id,
Action="lambda:InvokeFunction",
FunctionName=GetAtt(self.lbd_func_aws_object, "Arn"),
Principal="apigateway.amazonaws.com",
SourceArn=Sub(
"arn:aws:execute-api:${Region}:${AccountId}:${RestApiId}/authorizers/${AuthorizerId}",
{
"Region": {
"Ref": "AWS::Region"
},
"AccountId": {
"Ref": "AWS::AccountId"
},
"RestApiId": Ref(self.apigw_restapi),
"AuthorizerId": Ref(self.apigw_authorizer_aws_object),
}),
DependsOn=[
self.apigw_authorizer_aws_object,
self.lbd_func_aws_object,
])
self._apigw_authorizer_lbd_permission_aws_object_cache = apigw_authorizer_lbd_permission
return self._apigw_authorizer_lbd_permission_aws_object_cache
def associate(self, lbd_func, sqs_queue, *args, **kwargs):
"""
Assign Lambda Function a Dead Letter Queue.
"""
lbd_func.DeadLetterConfig = awslambda.DeadLetterConfig(
TargetArn=GetAtt(sqs_queue, "Arn"))
x_depends_on_y(lbd_func, sqs_queue)
def s3_event_bucket_lbd_permission_aws_object(
self) -> awslambda.Permission:
if self._s3_event_bucket_lbd_permission_aws_object_cache is NOTHING:
s3_event_bucket_lbd_permission_logic_id = "LbdPermission{}".format(
self.s3_event_bucket_logic_id)
s3_event_bucket_lbd_permission = awslambda.Permission(
title=s3_event_bucket_lbd_permission_logic_id,
Action="lambda:InvokeFunction",
FunctionName=GetAtt(self.lbd_func_aws_object, "Arn"),
Principal="s3.amazonaws.com",
SourceArn=GetAtt(self.s3_event_bucket_aws_object, "Arn"),
DependsOn=[
self.s3_event_bucket_aws_object,
self.lbd_func_aws_object,
])
self._s3_event_bucket_lbd_permission_aws_object_cache = s3_event_bucket_lbd_permission
return self._s3_event_bucket_lbd_permission_aws_object_cache
def associate(self, lbd_event_map, lbd_func, sqs_queue, *args,
**kwargs):
"""
Use SQS Queue to trigger Lambda Function
"""
lbd_event_map.FunctionName = Ref(lbd_func)
lbd_event_map.EventSourceArn = GetAtt(sqs_queue, "Arn")
x_depends_on_y(lbd_event_map, lbd_func)
x_depends_on_y(lbd_event_map, sqs_queue)
def associate(self, lbd_event_map, lbd_func, kinesis_stream, *args,
**kwargs):
"""
Use Kinesis Stream to trigger Lambda Function
"""
lbd_event_map.FunctionName = Ref(lbd_func)
lbd_event_map.EventSourceArn = GetAtt(kinesis_stream, "Arn")
x_depends_on_y(lbd_event_map, lbd_func)
x_depends_on_y(lbd_event_map, kinesis_stream)
def test_mutable_aws_object():
"""
确定 ``mate.AWSObject`` 变化时, 对应的 ``mate.AWSObject.aws_object`` 也应该
跟着变化.
"""
from troposphere_mate import iam
tpl = Template()
my_policy = iam.ManagedPolicy(
title="MyPolicy",
template=tpl,
PolicyDocument={},
)
my_role = iam.Role(
title="MyRole",
template=tpl,
RoleName="my-role",
AssumeRolePolicyDocument={},
)
assert tpl.to_dict(
)["Resources"]["MyRole"]["Properties"]["RoleName"] == "my-role"
assert "ManagedPolicyArns" not in tpl.to_dict(
)["Resources"]["MyRole"]["Properties"]
my_role.RoleName = "my-role-two"
my_role.ManagedPolicyArns = [Ref(my_policy)]
assert tpl.to_dict(
)["Resources"]["MyRole"]["Properties"]["RoleName"] == "my-role-two"
assert tpl.to_dict(
)["Resources"]["MyRole"]["Properties"]["ManagedPolicyArns"] == [{
"Ref":
"MyPolicy"
}]
outputs = [
Output(
"MyRolePath",
Value=GetAtt(my_role, "Path"),
DependsOn=my_role,
)
]
for output in outputs:
tpl.add_output(output)
assert tpl.to_dict()["Outputs"]["MyRolePath"]["Value"] == {
"Fn::GetAtt": ["MyRole", "Path"]
}
dct = tpl.to_dict()
tpl2 = Template()
tpl2.add_resource(my_policy)
tpl2.add_resource(my_role)
for output in outputs:
tpl2.add_output(output)
dct2 = tpl2.to_dict()
assert dct == dct2
def associate(self, lbd_event_map, lbd_func, dynamodb_table, *args,
**kwargs):
"""
Use DynamoDB Table Stream to trigger Lambda Function
"""
lbd_event_map.FunctionName = Ref(lbd_func)
lbd_event_map.EventSourceArn = GetAtt(dynamodb_table, "StreamArn")
x_depends_on_y(lbd_event_map, lbd_func)
x_depends_on_y(lbd_event_map, dynamodb_table)
def associate(self,
lbd_permission,
lbd_func,
api_authorizer,
rest_api,
authorizer_type_is_token=True,
token_authorizer_header="auth",
**kwargs):
lbd_permission.FunctionName = GetAtt(lbd_func, "Arn")
lbd_permission.Action = "lambda:InvokeFunction"
lbd_permission.Principal = "apigateway.amazonaws.com"
lbd_permission.SourceArn = Sub(
"arn:aws:execute-api:${Region}:${AccountId}:${RestApiId}/authorizers/${AuthorizerId}",
{
"Region": {"Ref": "AWS::Region"},
"AccountId": {"Ref": "AWS::AccountId"},
"RestApiId": {"Ref": rest_api},
"AuthorizerId": Ref(api_authorizer),
}
)
if authorizer_type_is_token:
api_authorizer.Type = "TOKEN"
api_authorizer.IdentitySource = "method.request.header.{}".format(
token_authorizer_header
)
api_authorizer.RestApiId = Ref(rest_api)
api_authorizer.AuthorizerUri = Sub(
"arn:aws:apigateway:${Region}:lambda:path/2015-03-31/functions/${AuthorizerFunctionArn}/invocations",
{
"Region": {"Ref": "AWS::Region"},
"AuthorizerFunctionArn": GetAtt(lbd_func, "Arn"),
}
)
x_depends_on_y(api_authorizer, lbd_func)
x_depends_on_y(api_authorizer, rest_api)
x_depends_on_y(lbd_permission, lbd_func)
x_depends_on_y(lbd_permission, api_authorizer)
x_depends_on_y(lbd_permission, rest_api)
def s3_notification_configuration_aws_property(self):
s3_notification_configuration = s3.NotificationConfiguration()
if self.s3_event_lbd_config_list is not NOTHING:
if isinstance(self.s3_event_lbd_config_list, list):
s3_notification_configuration.LambdaConfigurations = [
s3.LambdaConfigurations(
Event=s3_event_lbd_config.event,
Function=GetAtt(self.lbd_func_aws_object, "Arn"),
Filter=s3_event_lbd_config.filter,
) for s3_event_lbd_config in self.s3_event_lbd_config_list
]
return s3_notification_configuration
def scheduled_job_event_lbd_permission_aws_objects(
self) -> typing.Dict[str, awslambda.Permission]:
if self._scheduled_job_event_lbd_permission_aws_objects_cache is NOTHING:
dct = dict()
for expression in self.scheduled_job_expression_list:
event_rule_lambda_permission_logic_id = "LbdPermissionEventRule{}".format(
fingerprint.of_text(expression + self.lbd_func_name))
event_rule = self.scheduled_job_event_rule_aws_objects[
expression]
event_rule_lambda_permission = awslambda.Permission(
title=event_rule_lambda_permission_logic_id,
Action="lambda:InvokeFunction",
FunctionName=GetAtt(self.lbd_func_aws_object, "Arn"),
Principal="events.amazonaws.com",
SourceArn=GetAtt(event_rule, "Arn"),
DependsOn=[
event_rule,
self.lbd_func_aws_object,
])
dct[expression] = event_rule_lambda_permission
self._scheduled_job_event_lbd_permission_aws_objects_cache = dct
return self._scheduled_job_event_lbd_permission_aws_objects_cache
def associate(self, api_method, lbd_func, **kwargs):
try:
api_method.Integration.Type = "AWS"
api_method.Integration.IntegrationHttpMethod = "POST"
api_method.Integration.Uri = Sub(
"arn:aws:apigateway:${Region}:lambda:path/2015-03-31/functions/${LambdaArn}/invocations",
{
"Region": {
"Ref": "AWS::Region"
},
"LambdaArn": GetAtt(lbd_func, "Arn"),
})
except:
pass
x_depends_on_y(api_method, lbd_func)
def associate(self,
api_resource,
rest_api,
has_parent_resource=True,
**kwargs):
api_resource.RestApiId = Ref(rest_api)
if has_parent_resource is False:
api_resource.ParentId = GetAtt(rest_api, "RootResourceId")
metadata = initiate_default_resource_metadata(api_resource)
metadata[TROPOSPHERE_METADATA_FIELD_NAME][
ResourceLevelField.ApiResource.
FULL_PATH] = api_resource.PathPart
api_resource.Metadata = metadata
x_depends_on_y(api_resource, rest_api)
def create_s3_bucket_policy(self, bucket_key, bucket_name,
oai: cf.CloudFrontOriginAccessIdentity):
self.template.add_resource(
s3.BucketPolicy(f'{bucket_key}S3CfPolicy',
Bucket=bucket_name,
PolicyDocument={
'Statement': [{
'Effect': 'Allow',
'Action': 's3:GetObject',
'Resource':
f'arn:aws:s3:::{bucket_name}/*',
'Principal': {
'CanonicalUser':
GetAtt(oai, 'S3CanonicalUserId')
}
}]
}))
def lbd_func_iam_role_arn(self):
if isinstance(self.lbd_func_iam_role,
iam.Role): # a troposphere_mate IAM Role object
return GetAtt(self.lbd_func_iam_role, "Arn")
elif isinstance(
self.lbd_func_iam_role, (Ref, GetAtt)
): # reference of a parameter or get attribute instrinct function
return self.lbd_func_iam_role
elif isinstance(self.lbd_func_iam_role,
Parameter): # a parameter represent a iam role ARN
return Ref(self.lbd_func_iam_role)
elif isinstance(self.lbd_func_iam_role, str): # an ARN string
return self.lbd_func_iam_role
else:
raise TypeError("{}.lbd_func_iam_role has to be one of "
"troposphere_mate.iam.Role, "
"Ref of a Parameter, "
"GetAtt of a troposphere_mate.iam.Role, "
"a Parameter represent a iam role ARN, "
"a string represent a iam role ARN".format(
self.identifier))
def apigw_authorizer_aws_object(self) -> apigateway.Authorizer:
if self._apigw_authorizer_aws_object_cache is NOTHING:
if self.apigw_authorizer_name is NOTHING:
apigw_authorizer_name = self.apigw_authorizer_logic_id
else:
apigw_authorizer_name = self.apigw_authorizer_name
if len(
set(apigw_authorizer_name).difference(
set(string.ascii_letters + string.digits))):
raise ValueError(
"{}.apigw_authorizer_name can only have letter and digits".
format(self.identifier))
apigw_authorizer = apigateway.Authorizer(
title=self.apigw_authorizer_logic_id,
Name=apigw_authorizer_name,
RestApiId=Ref(self.apigw_restapi),
AuthType="custom",
Type="TOKEN",
IdentitySource="method.request.header.{}".format(
self.apigw_authorizer_token_type_header_field),
AuthorizerResultTtlInSeconds=300,
AuthorizerUri=Sub(
"arn:aws:apigateway:${Region}:lambda:path/2015-03-31/functions/${AuthorizerFunctionArn}/invocations",
{
"Region": {
"Ref": "AWS::Region"
},
"AuthorizerFunctionArn":
GetAtt(self.lbd_func_aws_object, "Arn"),
}),
DependsOn=[
self.lbd_func_aws_object,
self.apigw_restapi,
])
self._apigw_authorizer_aws_object_cache = apigw_authorizer
return self._apigw_authorizer_aws_object_cache
def apigw_method_aws_object(self) -> apigateway.Method:
if self._apigw_method_aws_object_cache is NOTHING:
depends_on = [
self.apigw_resource_aws_object,
self.lbd_func_aws_object,
]
# Integration Request
request_template = {"application/json": "$input.json('$')"}
# Integration Response
if self.apigw_method_int_type == self.ApiMethodIntType.html:
integration_response_200 = apigateway.IntegrationResponse(
StatusCode="200",
ResponseParameters={
"method.response.header.Access-Control-Allow-Origin":
"'*'",
"method.response.header.Content-Type": "'text/html'"
},
ResponseTemplates={"text/html": "$input.path('$')"},
)
method_response_200 = apigateway.MethodResponse(
StatusCode="200",
ResponseParameters={
"method.response.header.Access-Control-Allow-Origin":
False,
"method.response.header.Content-Type": False,
},
ResponseModels={"application/json": "Empty"},
)
elif self.apigw_method_int_type == self.ApiMethodIntType.rpc:
integration_response_200 = apigateway.IntegrationResponse(
StatusCode="200",
ContentHandling="CONVERT_TO_TEXT",
ResponseParameters={},
ResponseTemplates={"application/json": ""})
method_response_200 = apigateway.MethodResponse(
StatusCode="200",
ResponseParameters={},
ResponseModels={"application/json": "Empty"},
)
elif self.apigw_method_int_type == self.ApiMethodIntType.rest:
integration_response_200 = apigateway.IntegrationResponse(
StatusCode="200",
ContentHandling="CONVERT_TO_TEXT",
ResponseParameters={},
ResponseTemplates={"application/json": ""})
method_response_200 = apigateway.MethodResponse(
StatusCode="200",
ResponseParameters={},
ResponseModels={"application/json": "Empty"},
)
else:
raise TypeError
integration_responses = [
integration_response_200,
]
integration = apigateway.Integration(
Type="AWS",
IntegrationHttpMethod="POST",
Uri=Sub(
"arn:aws:apigateway:${Region}:lambda:path/2015-03-31/functions/${LambdaArn}/invocations",
{
"Region": {
"Ref": "AWS::Region"
},
"LambdaArn": GetAtt(self.lbd_func_aws_object, "Arn"),
}),
RequestTemplates=request_template,
IntegrationResponses=integration_responses,
)
if self.apigw_method_int_passthrough_behavior is not NOTHING:
integration.PassthroughBehavior = self.apigw_method_int_passthrough_behavior
if self.apigw_method_int_timeout_in_milli is not NOTHING:
integration.TimeoutInMillis = self.apigw_method_int_timeout_in_milli
# Method Response
method_responses = [
method_response_200,
]
if self.apigw_method_enable_cors_yes is True:
for integration_response in integration.IntegrationResponses:
integration_response.ResponseParameters[
"method.response.header.Access-Control-Allow-Origin"] = "'*'"
for method_response in method_responses:
method_response.ResponseParameters[
"method.response.header.Access-Control-Allow-Origin"] = False
self.check_apigw_method_authorization_type()
self.check_apigw_method_int_type()
apigw_method = apigateway.Method(
title=self.apigw_method_logic_id,
RestApiId=Ref(self.apigw_restapi),
ResourceId=Ref(self.apigw_resource_aws_object),
AuthorizationType=self.apigw_method_authorization_type,
HttpMethod=self.apigw_method_http_method,
MethodResponses=method_responses,
Integration=integration,
)
if self.apigw_method_use_authorizer_yes:
apigw_method.AuthorizerId = Ref(self.apigw_method_authorizer)
depends_on.append(self.apigw_method_authorizer)
apigw_method.DependsOn = depends_on
self._apigw_method_aws_object_cache = apigw_method
return self._apigw_method_aws_object_cache
# cross reference parameter
Parameters={
tier_1_iam_role.param_env_name.title: Ref(param_env_name),
},
)
# bind nested stack with a template
link_stack_template(stack=iam_role_stack, template=tier_1_iam_role.template)
iam_instance_profile = iam.InstanceProfile(
"IamInstanceProfileWebServer",
template=template,
InstanceProfileName=helper_fn_sub("{}-web-server", param_env_name),
# cross reference output
Roles=[
GetAtt(
iam_role_stack,
f"Outputs.{tier_1_iam_role.output_iam_ec2_instance_role_name.title}"
),
],
DependsOn=iam_role_stack,
)
# allow cross reference from other stack
output_iam_ec2_instance_profile_name = Output(
"IamInstanceProfileName",
Value=iam_instance_profile.iam_instance_profile_name,
Export=Export(
helper_fn_sub("{}-iam-ec2-instance-profile-name", param_env_name)),
)
template.add_output(output_iam_ec2_instance_profile_name)
output_iam_ec2_instance_profile_arn = Output(
def do_create_template(self):
template = Template()
self.template = template
param_env_name = Parameter(
"EnvironmentName",
Type="String",
Default=self.ENVIRONMENT_NAME.get_value(),
)
param_stage = Parameter(
"Stage",
Type="String",
Default=self.STAGE.get_value(),
)
template.add_parameter(param_stage)
template.add_parameter(param_env_name)
output_list = list()
vpc = ec2.VPC(
"VPC",
template=template,
CidrBlock=self.VPC_CIDR.get_value(),
EnableDnsHostnames=True,
)
self.vpc = vpc
public_subnet_list = list()
for ind, cidr in enumerate(self.PUBLIC_SUBNET_CIDR_LIST.get_value()):
subnet = ec2.Subnet(
"PublicSubnet{}".format(ind + 1),
template=template,
CidrBlock=cidr,
VpcId=Ref(vpc),
AvailabilityZone=AZPropertyValues.get_nth_az(ind + 1),
MapPublicIpOnLaunch=True,
Tags=Tags(
Name=helper_fn_sub("{}/subnet/public%s" %
(ind + 1, ), param_env_name)),
DependsOn=[
vpc,
],
)
public_subnet_list.append(subnet)
self.public_subnet_list = public_subnet_list
private_subnet_list = list()
for ind, cidr in enumerate(self.PRIVATE_SUBNET_CIDR_LIST.get_value()):
subnet = ec2.Subnet(
"PrivateSubnet{}".format(ind + 1),
template=template,
CidrBlock=cidr,
VpcId=Ref(vpc),
AvailabilityZone=AZPropertyValues.get_nth_az(ind + 1),
MapPublicIpOnLaunch=False,
Tags=Tags(
Name=helper_fn_sub("{}/subnet/priavte%s" %
(ind + 1, ), param_env_name)),
DependsOn=[
vpc,
],
)
private_subnet_list.append(subnet)
self.private_subnet_list = private_subnet_list
subnet_list = public_subnet_list + private_subnet_list
self.subnet_list = subnet_list
# igw for public subnet
# internet gateway is a component that allow VPC to visit public internet
igw = ec2.InternetGateway(
"IGW",
template=template,
)
igw_attach_vpc = ec2.VPCGatewayAttachment("IGWAttachVPC",
template=template,
VpcId=Ref(vpc),
InternetGatewayId=Ref(igw),
DependsOn=[
vpc,
igw,
])
self.igw = igw
# eip + ngw is on public subnet but for private subnet traffic out
eip_list = list()
ngw_list = list()
for ind in range(1, 1 + self.NUMBER_OF_NAT_GW.get_value()):
eip = ec2.EIP("EIP{}".format(ind),
template=template,
Domain="vpc",
DependsOn=[
igw_attach_vpc,
])
eip_list.append(eip)
ngw = ec2.NatGateway(
"NGW{}".format(ind),
template=template,
AllocationId=GetAtt(eip, "AllocationId"),
SubnetId=Ref(public_subnet_list[ind - 1]),
Tags=Tags(Name=helper_fn_sub("{}/ngw/public%s" %
ind, param_env_name)),
DependsOn=eip_list,
)
ngw_list.append(ngw)
self.eip_list = eip_list
self.ngw_list = ngw_list
# public route
public_route_table = ec2.RouteTable(
"PublicRouteTable",
template=template,
VpcId=Ref(vpc),
Tags=Tags(Name=helper_fn_sub("{}/public-routes", param_env_name)))
self.public_route_table = public_route_table
public_route_default = ec2.Route(
"PublicRouteDefault",
template=template,
RouteTableId=Ref(public_route_table),
DestinationCidrBlock="0.0.0.0/0",
GatewayId=Ref(igw),
DependsOn=[public_route_table, igw],
)
for ind, subnet in enumerate(public_subnet_list):
route_table_association = ec2.SubnetRouteTableAssociation(
"PublicSubnet{}RouteTableAssociation".format(ind + 1),
template=template,
RouteTableId=Ref(public_route_table),
SubnetId=Ref(subnet),
DependsOn=[public_route_table, subnet],
)
# private route
if self.USE_NAT_GW_PER_PRIVATE_SUBNET_FLAG.get_value() is True:
for ind, subnet in enumerate(private_subnet_list):
private_route_table = ec2.RouteTable(
"PrivateRouteTable{}".format(ind + 1),
template=template,
VpcId=Ref(vpc),
Tags=Tags(
Name=helper_fn_sub("{}/private-routes%s" %
(ind + 1, ), param_env_name)),
DependsOn=[
vpc,
])
# Route anything to nat gateway
private_route_default = ec2.Route(
"PrivateRoute{}Default".format(ind + 1),
template=template,
RouteTableId=Ref(private_route_table),
DestinationCidrBlock="0.0.0.0/0",
NatGatewayId=Ref(ngw_list[ind]),
DependsOn=[private_route_table, ngw_list[ind]],
)
route_table_association = ec2.SubnetRouteTableAssociation(
"PrivateSubnet{}RouteTableAssociation".format(ind + 1),
template=template,
RouteTableId=Ref(private_route_table),
SubnetId=Ref(subnet),
DependsOn=[private_route_table, subnet],
)
else:
private_route_table = ec2.RouteTable(
"PrivateRouteTable",
template=template,
VpcId=Ref(vpc),
Tags=Tags(
Name=helper_fn_sub("{}/private-routes", param_env_name)),
DependsOn=[
vpc,
],
)
private_route_default = ec2.Route(
"PrivateRouteDefault",
template=template,
RouteTableId=Ref(private_route_table),
DestinationCidrBlock="0.0.0.0/0",
NatGatewayId=Ref(ngw_list[0]),
DependsOn=[private_route_table, ngw_list[0]],
)
for ind, subnet in enumerate(private_subnet_list):
route_table_association = ec2.SubnetRouteTableAssociation(
"PrivateSubnet{}RouteTableAssociation".format(ind + 1),
template=template,
RouteTableId=Ref(private_route_table),
SubnetId=Ref(subnet),
DependsOn=[private_route_table, subnet],
)
group_name = "{}/sg/allow-ssh-from-anywhere".format(
self.ENVIRONMENT_NAME.get_value())
sg_for_ssh_from_anywhere = ec2.SecurityGroup(
"SGForSSHFromAnywhere",
template=template,
GroupDescription="Allow SSH In",
GroupName=group_name,
VpcId=Ref(vpc),
SecurityGroupIngress=[{
"IpProtocol": "tcp",
"FromPort": 22,
"ToPort": 22,
"CidrIp": "0.0.0.0/0"
}],
Tags=Tags(Name=group_name),
)
self.sg_for_ssh_from_anywhere = sg_for_ssh_from_anywhere
output_list.extend([
Output(
vpc.title + "Id",
Description="VPC ID",
Value=Ref(vpc),
Export=Export(helper_fn_sub("{}-vpc-id", param_env_name)),
DependsOn=vpc,
),
Output(
"PublicSubnetIds",
Description="comma delimited public subnet Ids",
Value=Join(",",
[Ref(subnet)
for subnet in self.public_subnet_list]),
Export=Export(
helper_fn_sub("{}-public-subnet-ids", param_env_name)),
DependsOn=self.public_subnet_list,
),
Output(
"PrivateSubnetIds",
Description="comma delimited private subnet Ids",
Value=Join(
",", [Ref(subnet) for subnet in self.private_subnet_list]),
Export=Export(
helper_fn_sub("{}-private-subnet-ids", param_env_name)),
DependsOn=self.private_subnet_list,
),
Output(sg_for_ssh_from_anywhere.title + "Id",
Description="Security Group ID",
Value=Ref(sg_for_ssh_from_anywhere),
Export=Export(
helper_fn_sub("{}-sg-id-allow-ssh-from-anywhere",
param_env_name)))
])
for subnet in subnet_list:
output = Output(
subnet.title + "Id",
Description="{} ID".format(subnet.title),
Value=Ref(subnet),
DependsOn=subnet,
)
output_list.append(output)
for output in output_list:
template.add_output(output)
common_tags = dict(
Name=self.ENVIRONMENT_NAME.get_value(),
Project=self.PROJECT_NAME_SLUG.get_value(),
Stage=self.STAGE.get_value(),
EnvName=self.ENVIRONMENT_NAME.get_value(),
)
template.update_tags(common_tags, overwrite=False)
return template
)
kinesis_stream_raw_data_in = kinesis.Stream(
"KinesisStreamRawDataIn",
template=template,
Name=tm.helper_fn_sub("{}-raw-data-in", param_env_name),
ShardCount=2,
)
kinesis_firehose_delivery_stream_etl = firehose.DeliveryStream(
"KinesisFirehoseDeliveryStreamEtl",
template=template,
DeliveryStreamName=tm.helper_fn_sub("{}-etl", param_env_name),
DeliveryStreamType="KinesisStreamAsSource",
KinesisStreamSourceConfiguration=firehose.KinesisStreamSourceConfiguration(
KinesisStreamARN=GetAtt(kinesis_stream_raw_data_in, "Arn"),
RoleARN="arn:aws:iam::700621413265:role/firehose-admin-role",
),
ExtendedS3DestinationConfiguration=firehose.
ExtendedS3DestinationConfiguration(
BucketARN=GetAtt(s3_bucket_for_raw_data, "Arn"),
BufferingHints=firehose.BufferingHints(
IntervalInSeconds=60,
SizeInMBs=6,
),
CompressionFormat="UNCOMPRESSED",
RoleARN="arn:aws:iam::700621413265:role/firehose-admin-role",
),
)
athena_database = glue.Database(
tier_1_1_iam_policy.param_env_name.title: Ref(param_env_name),
},
)
# bind nested stack with a template
link_stack_template(stack=iam_policy_stack, template=tier_1_1_iam_policy.template)
iam_ec_instance_role = iam.Role(
"IamRoleWebServer",
template=template,
RoleName=helper_fn_sub("{}-web-server", param_env_name),
AssumeRolePolicyDocument=canned.iam.create_assume_role_policy_document([
canned.iam.AWSServiceName.amazon_Elastic_Compute_Cloud_Amazon_EC2,
]),
# cross reference output
ManagedPolicyArns=[
GetAtt(iam_policy_stack, f"Outputs.{tier_1_1_iam_policy.output_iam_ec2_instance_policy_name.title}"),
],
DependsOn=iam_policy_stack,
)
# allow cross reference from other stack
output_iam_ec2_instance_role_name = Output(
"IamInstanceRoleName",
Value=iam_ec_instance_role.iam_role_name,
Export=Export(helper_fn_sub("{}-iam-ec2-instance-role-name", param_env_name)),
DependsOn=iam_ec_instance_role,
)
template.add_output(output_iam_ec2_instance_role_name)
output_iam_ec2_instance_role_arn = Output(
"IamInstanceRoleArn",
def apigw_resource_parent_id(self) -> typing.Union[Ref, GetAtt]:
# it is the root module, use RootResourceId as parent id
if ("." not in self.rel_module_name) and bool(self.rel_module_name):
return GetAtt(self.apigw_restapi, "RootResourceId")
else:
return Ref(self.parent_config.apigw_resource_aws_object)
def associate(self, lbd_func, kms_key, *args, **kwargs):
"""
Assign Lambda Function a KMS Key to encrypt its environment variables.
"""
lbd_func.KmsKeyArn = GetAtt(kms_key, "Arn")
x_depends_on_y(lbd_func, kms_key)