def __init__(self, scope: core.Construct, id: str, vpc,
asg_security_groups, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
# Creat DB Low Level API - MySQL M-AZs
db_security_group = ec2.CfnSecurityGroup(
self,
"dbSG",
group_description="All EC2 access DB",
group_name="DB_SG",
vpc_id=vpc.vpc_id)
for asg_sg in asg_security_groups:
ec2.CfnSecurityGroupIngress(
self,
"SG_ingress",
ip_protocol="tcp",
description="ASG EC2 access DB",
to_port=3306,
from_port=3306,
group_id=db_security_group.attr_group_id,
source_security_group_id=asg_sg.security_group_id)
subnet_ids = []
for i in vpc.isolated_subnets:
subnet_ids.append(i.subnet_id)
db_subnet_group = rds.CfnDBSubnetGroup(
self,
"db_subnet",
db_subnet_group_description="DB_subnet",
db_subnet_group_name="db_subnet",
subnet_ids=subnet_ids)
db_mysql = rds.CfnDBInstance(
self,
"MyDB",
db_name="mysqldb",
db_instance_class="db.t2.small",
allocated_storage="100",
storage_type="gp2",
engine="MySQL",
engine_version="5.7.22",
master_username=db_master_username,
master_user_password=db_master_user_password,
multi_az=True,
vpc_security_groups=[db_security_group.attr_group_id],
db_subnet_group_name=db_subnet_group.db_subnet_group_name,
backup_retention_period=7,
allow_major_version_upgrade=False,
enable_cloudwatch_logs_exports=[
"audit", "error", "general", "slowquery"
],
delete_automated_backups=False)
db_mysql.add_depends_on(db_subnet_group)
db_mysql.add_depends_on(db_security_group)
def __init__(self, scope: core.Construct, id: str, vpc, public_subnet_a,
public_subnet_c, public_subnet_d, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
prefix = "test"
# RedisSecurityGroup
redis_security_group = ec2.CfnSecurityGroup(
self,
"RedisSecurityGroup",
group_name="stg-test-redis01",
group_description="HTTP traffic",
vpc_id=vpc.ref,
security_group_ingress=[{
"ipProtocol": "tcp",
"fromPort": 6379,
"toPort": 6379,
"cidrIp": "192.168.0.0/16"
}],
security_group_egress=[{
"ipProtocol": "tcp",
"fromPort": 0,
"toPort": 65535,
"cidrIp": "0.0.0.0/0"
}],
)
# MyDBSubnetGroup
redis_subnet_group = redis.CfnSubnetGroup(
self,
"RedisSubnetGroup",
cache_subnet_group_name="stg-test-redis01",
description="stg-test-redis01",
subnet_ids=[
public_subnet_a.ref, public_subnet_c.ref, public_subnet_d.ref
])
redis_params = {
'auto_minor_version_upgrade': True,
'engine': 'redis',
'at_rest_encryption_enabled': True,
'automatic_failover_enabled': False,
'engine_version': '4.0.10',
'cache_node_type': 'cache.t3.micro',
'num_cache_clusters': 1,
'replication_group_description': "stg-test-redis01",
'replication_group_id': "stg-test-redis01",
'security_group_ids': [redis_security_group.ref],
'cache_subnet_group_name': redis_subnet_group.ref
}
self.redis = redis.CfnReplicationGroup(self, 'stg-test-redis01',
**redis_params)
core.CfnOutput(self, "OutputVpc", value=vpc.ref)
core.CfnOutput(self, "OutputRedis", value=self.redis.ref)
def __init__(self, scope: core.Construct, id: str, app_nw_stack: appNwStack, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
# Contexts
PRJ = self.node.try_get_context("prj")
AMI_ID = self.node.try_get_context("ami-id") # Amazon Linux 2
# Functions
def nametag(x): return core.CfnTag(
key="Name", value="{}/{}".format(PRJ, x))
# ### Resources
# IAM Role
ec2_statement = iam.PolicyStatement()
ec2_statement.add_actions("sts:AssumeRole")
ec2_statement.add_service_principal(service="ec2.amazonaws.com")
ec2_document = iam.PolicyDocument(
statements=[ec2_statement]
)
iam_role = iam.CfnRole(
self, "iamRoleForEc2",
role_name="{}-ec2-role".format(PRJ),
description="{}-ec2-role".format(PRJ),
assume_role_policy_document=ec2_document.to_json(),
managed_policy_arns=[
"arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
]
)
ec2_instance_profile = iam.CfnInstanceProfile(
self, "ec2InstanceProfile",
roles=[iam_role.ref],
instance_profile_name="{}-ec2-instance-profile".format(PRJ)
)
# Security Group
sg = ec2.CfnSecurityGroup(
self, "sg",
group_description="sg for ec2 instance({})".format(PRJ),
vpc_id=app_nw_stack.vpc.ref,
security_group_ingress=[]
)
# Instance
ec2.CfnInstance(
self, "instance",
iam_instance_profile=ec2_instance_profile.ref,
image_id=AMI_ID,
instance_type="t3.micro",
security_group_ids=[sg.ref],
subnet_id=app_nw_stack.ec2_subnet.ref,
tags=[nametag("instance")]
)
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
def get_userdata():
with open('bootstrap.sh', 'r') as userdata:
return userdata.read()
vmie_ami = "ami-00bf35d2ab0bdb452"
default_vpc = "vpc-e94d1f93"
ec2_role = "arn:aws:iam::88888888888:role/KratosRole"
account_id = "8888888888"
vm_import_image = aws_ec2.GenericLinuxImage({"us-east-1": vmie_ami})
core.Environment(account=account_id)
kratos_role = aws_iam.Role.from_role_arn(self, 'KratosXL', role_arn=ec2_role)
aws_ec2.Instance(self, f"VMIE-{vmie_ami}", instance_type=aws_ec2.InstanceType('t2.micro'),
role=kratos_role, machine_image=vm_import_image, security_group=aws_ec2.CfnSecurityGroup(self, id=f"SG-{vmie_ami}",
group_description=f"SG-CDK-{vmie_ami}"), vpc=aws_ec2.Vpc.from_lookup(self, f'CDK-VPC--{vmie_ami}', vpc_id=default_vpc),
user_data=aws_ec2.UserData.custom(get_userdata()), key_name="covidQuarantine")
def generate_instances(count=1):
amazon_linux_2 = aws_ec2.GenericLinuxImage(
{"us-east-1": "ami-0fc61db8544a617ed"})
ec2_objects = []
for i in range(count):
ec2_instnace = aws_ec2.Instance(
self,
f"CDK-Instance-{i + int(1)}",
instance_type=aws_ec2.InstanceType('t2.micro'),
role=kratos_role,
machine_image=amazon_linux_2,
security_group=aws_ec2.CfnSecurityGroup(
self,
id=f"SG{i + int(1)}",
group_description=f"SG-CDK-{i}"),
vpc=aws_ec2.Vpc.from_lookup(self,
f'CDK-VPC-{i + int(1)}',
vpc_id="vpc-eeeee3"),
user_data=aws_ec2.UserData.custom(get_userdata()),
key_name="covidQuarantine")
ec2_objects.append(ec2_instnace)
return ec2_objects
def __init__(self, scope: core.Construct, id: str, **kwargs):
super().__init__(scope, id, **kwargs)
self.elasticache_security_group = ec2.CfnSecurityGroup(
self,
"ElastiCacheSecurityGroup",
vpc_id=scope.vpc.vpc_id,
group_description="ElastiCacheSecurityGroup",
security_group_ingress=[
ec2.CfnSecurityGroup.IngressProperty(
ip_protocol="tcp",
to_port=6379,
from_port=6379,
source_security_group_id=scope.vpc.
vpc_default_security_group,
)
],
)
self.elasticache_subnet_group = elasticache.CfnSubnetGroup(
self,
"CfnSubnetGroup",
subnet_ids=scope.vpc.select_subnets(
subnet_type=ec2.SubnetType.ISOLATED).subnet_ids,
description="The subnet group for ElastiCache",
)
self.elasticache = elasticache.CfnCacheCluster(
self,
"ElastiCacheClusterRedis",
cache_node_type="cache.t2.micro",
engine="redis",
num_cache_nodes=1,
vpc_security_group_ids=[
self.elasticache_security_group.get_att("GroupId").to_string()
],
cache_subnet_group_name=self.elasticache_subnet_group.ref, # noqa
)
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
# The code that defines your stack goes here
# instance role
# instance profile
# SecurityGroup
publicsecuritygroup01 = aws_ec2.CfnSecurityGroup(
self,
'publicsecuritygroup01',
group_description='publicsecuritygroup',
group_name='publicsecuritygroup01',
vpc_id=core.Fn.import_value('vpcid01'),
tags=[core.CfnTag(key='Name', value='publicsecuritygroup01')])
privatesecuritygroup01 = aws_ec2.CfnSecurityGroup(
self,
'privatesecuritygroup01',
group_description='privatesecuritygroup',
group_name='privatesecuritygroup01',
vpc_id=core.Fn.import_value('vpcid01'),
tags=[core.CfnTag(key='Name', value='privatesecuritygroup01')])
# public Ingress
aws_ec2.CfnSecurityGroupIngress(self,
'publicsecuritygroupingress01',
group_id=publicsecuritygroup01.ref,
ip_protocol='tcp',
cidr_ip='0.0.0.0/0',
description='for bastion',
from_port=22,
to_port=22)
# public Egress
aws_ec2.CfnSecurityGroupEgress(
self,
'publicsecuritygroupegress01',
group_id=publicsecuritygroup01.ref,
ip_protocol='tcp',
destination_security_group_id=privatesecuritygroup01.ref,
description='for private',
from_port=22,
to_port=22)
# private Ingress
aws_ec2.CfnSecurityGroupIngress(
self,
'privatesecuritygroupingress01',
group_id=privatesecuritygroup01.ref,
ip_protocol='tcp',
source_security_group_id=publicsecuritygroup01.ref,
description='for bastion',
from_port=22,
to_port=22)
# private Egress
aws_ec2.CfnSecurityGroupEgress(self,
'privatesecuritygroupegress01',
group_id=privatesecuritygroup01.ref,
ip_protocol='tcp',
cidr_ip='0.0.0.0/0',
description='for 443',
from_port=443,
to_port=443)
aws_ec2.CfnSecurityGroupEgress(self,
'privatesecuritygroupegress02',
group_id=privatesecuritygroup01.ref,
ip_protocol='tcp',
cidr_ip='0.0.0.0/0',
description='for 80',
from_port=80,
to_port=80)
# aws_ec2.CfnSecurityGroupEgress(self, 'privatesecuritygroupegress03', group_id=privatesecuritygroup01.ref, ip_protocol='tcp', cidr_ip='0.0.0.0/0', description='for 22', from_port=22, to_port=22)
core.CfnOutput(self,
'output01',
value=publicsecuritygroup01.ref,
description='publicsecuritygroup',
export_name='publicsecuritygroup01')
core.CfnOutput(self,
'output02',
value=privatesecuritygroup01.ref,
description='privatesecuritygroup',
export_name='privatesecuritygroup01')
def __init__(self, scope: core.Construct, id: str, vpc, public_subnet_a, public_subnet_c, public_subnet_d, ec2_sg_id, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
prefix = "test"
# print(ec2_sg_id.ref)
# RdsSecurityGroup
RdsSecurityGroupStg = ec2.CfnSecurityGroup(self, "RdsSecurityGroupStg",
group_name = 'stg-'+prefix+'-db01',
group_description = 'stg-'+prefix+'-db01',
vpc_id = vpc.ref,
security_group_ingress = [
ec2.CfnSecurityGroup.IngressProperty(
ip_protocol="tcp",
to_port=3306,
from_port=3306,
cidr_ip='0.0.0.0/0',
),
ec2.CfnSecurityGroup.IngressProperty(
ip_protocol="tcp",
to_port=3306,
from_port=3306,
source_security_group_id=ec2_sg_id.ref,
),
],
security_group_egress = [
{
"ipProtocol" : "tcp",
"fromPort" : 0,
"toPort" : 65535,
"cidrIp" : "0.0.0.0/0"
}
],
)
# MyDBSubnetGroup
rds_subnet_group = rds.CfnDBSubnetGroup(self, "DBSubnetGroup",
db_subnet_group_description = "DBSubnetGroup",
subnet_ids = [
public_subnet_a.ref,
public_subnet_c.ref,
public_subnet_d.ref
]
)
DBParameterGroupStg = rds.CfnDBParameterGroup(self, "DBParameterGroupStg",
description = 'stg-'+prefix+'db01',
family = "MySQL5.6",
parameters = {
'character_set_client': "utf8",
'character_set_connection': "utf8",
'character_set_database': "utf8",
'character_set_results': "utf8",
'character_set_server': "utf8",
'collation_connection': "utf8_general_ci",
'collation_server': "utf8_general_ci",
'long_query_time': "1.2",
'slow_query_log': "1",
'time_zone': "Asia/Tokyo",
},
tags=[
core.CfnTag(key="Name", value='stg-'+prefix+'db01')
]
)
rds_params = {
'db_instance_identifier': "stg-test-db01",
'engine': "mysql",
'engine_version': '5.6.39',
'db_instance_class': 'db.t3.micro',
'allocated_storage': '5',
'storage_type': 'gp2',
'db_name': "test",
'master_username': "******",
'master_user_password': "******",
'db_subnet_group_name' : rds_subnet_group.ref,
'publicly_accessible': False,
'multi_az': False,
'preferred_backup_window': "18:00-18:30",
'preferred_maintenance_window': "sat:19:00-sat:19:30",
'auto_minor_version_upgrade': False,
'db_parameter_group_name': DBParameterGroupStg.ref,
'vpc_security_groups': [RdsSecurityGroupStg.ref],
'copy_tags_to_snapshot': True,
'backup_retention_period': 7,
# 'enable_performance_insights': True,
'delete_automated_backups': True,
'deletion_protection': False,
'availability_zone': "us-east-1a",
'enable_cloudwatch_logs_exports': ["error","slowquery"]
# 'storage_encrypted': False,
}
self.rds = rds.CfnDBInstance(self, 'staff-rds', **rds_params,
tags=[
core.CfnTag(key="Name", value='stg-'+prefix+'db01')
]
)
core.CfnOutput(self, "OutputVpc",
value=vpc.ref)
core.CfnOutput(self, "OutputRds",
value=self.rds.ref)
def __init__(self, scope: core.Construct, construct_id: str,
**kwargs) -> None:
super().__init__(scope, construct_id, **kwargs)
# IAMロールを作成
my_role_ec2 = iam.CfnRole(
self,
id="my-role-ec2",
assume_role_policy_document={
"Version":
"2012-10-17",
"Statement": [{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
}
}]
},
description="the ec2 role",
managed_policy_arns=[
# "arn:aws:iam::aws:policy/AmazonS3FullAccess" # 付与したいアクセス権をリストする
],
role_name="my-role-ec2",
tags=[{
"key": "Name",
"value": "my-role-ec2"
}])
# Instance Profileを作成
my_instance_profile = iam.CfnInstanceProfile(self,
id="my-instance-profile",
roles=[my_role_ec2.ref])
# VPCを作成
my_vpc = ec2.CfnVPC(self,
id="my-vpc",
cidr_block="192.168.0.0/16",
enable_dns_hostnames=True,
tags=[{
"key": "Name",
"value": "my-vpc"
}])
# Subnetを作成
my_subnet_1 = ec2.CfnSubnet(self,
id="my-subnet",
cidr_block="192.168.0.0/24",
vpc_id=my_vpc.ref,
availability_zone=core.Fn.select(
0, core.Fn.get_azs("")),
tags=[{
"key": "Name",
"value": "my-subnet-1"
}])
# Internet Gatewayを作成
my_igw = ec2.CfnInternetGateway(self,
id="my-igw",
tags=[{
"key": "Name",
"value": "my-igw"
}])
# Internet Gatewayをアタッチ
ec2.CfnVPCGatewayAttachment(self,
id="my-igw-attachment",
vpc_id=my_vpc.ref,
internet_gateway_id=my_igw.ref)
# Routetableを作成
my_rtb = ec2.CfnRouteTable(self,
id="my-rtb",
vpc_id=my_vpc.ref,
tags=[{
"key": "Name",
"value": "my-rtb"
}])
# Routetableとサブネットの関連付け
ec2.CfnSubnetRouteTableAssociation(self,
id="my-rtb-association",
route_table_id=my_rtb.ref,
subnet_id=my_subnet_1.ref)
# Routeの設定
my_rt = ec2.CfnRoute(self,
id="my-rt",
route_table_id=my_rtb.ref,
destination_cidr_block="0.0.0.0/0",
gateway_id=my_igw.ref)
# Security Groupの作成
my_sg_ec2 = ec2.CfnSecurityGroup(
self,
id="my-sg-ec2",
vpc_id=my_vpc.ref,
group_description="my-sg-ec2",
group_name="my-sg-ec2",
security_group_ingress=[
ec2.CfnSecurityGroup.IngressProperty(ip_protocol="tcp",
cidr_ip="0.0.0.0/0",
from_port=22,
to_port=22)
],
tags=[{
"key": "Name",
"value": "my-sg-ec2"
}])
# AMIを指定してimage_idを取得
amzn_linux = ec2.MachineImage.latest_amazon_linux(
generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX,
edition=ec2.AmazonLinuxEdition.STANDARD,
virtualization=ec2.AmazonLinuxVirt.HVM,
storage=ec2.AmazonLinuxStorage.GENERAL_PURPOSE,
cpu_type=ec2.AmazonLinuxCpuType.X86_64).get_image(self).image_id
# EC2を作成
my_ec2 = ec2.CfnInstance(
self,
id="my-ec2",
availability_zone=core.Fn.select(0, core.Fn.get_azs("")),
block_device_mappings=[
ec2.CfnInstance.BlockDeviceMappingProperty(
device_name="/dev/sda1",
ebs=ec2.CfnInstance.EbsProperty(delete_on_termination=True,
encrypted=False,
volume_size=10,
volume_type="gp2"))
],
credit_specification=ec2.CfnInstance.CreditSpecificationProperty(
cpu_credits="standard"),
iam_instance_profile=my_instance_profile.ref,
image_id=amzn_linux,
instance_type="t2.micro",
security_group_ids=[my_sg_ec2.ref],
subnet_id=my_subnet_1.ref,
tags=[{
"key": "Name",
"value": "my-ec2"
}])
def __init__(self, scope: core.Construct, id: str, data, iam_vars) -> None:
super().__init__(scope, id)
# VPC
vpc = ec2.CfnVPC(self, "cdk-vpc", cidr_block=data["vpc"])
igw = ec2.CfnInternetGateway(self, id="igw")
ec2.CfnVPCGatewayAttachment(self,
id="igw-attach",
vpc_id=vpc.ref,
internet_gateway_id=igw.ref)
public_route_table = ec2.CfnRouteTable(self,
id="public_route_table",
vpc_id=vpc.ref)
ec2.CfnRoute(self,
id="public_route",
route_table_id=public_route_table.ref,
destination_cidr_block="0.0.0.0/0",
gateway_id=igw.ref)
public_subnets = []
for i, s in enumerate(data["subnets"]["public"]):
subnet = ec2.CfnSubnet(self,
id="public_{}".format(s),
cidr_block=s,
vpc_id=vpc.ref,
availability_zone=core.Fn.select(
i, core.Fn.get_azs()),
map_public_ip_on_launch=True)
public_subnets.append(subnet)
ec2.CfnSubnetRouteTableAssociation(
self,
id="public_{}_association".format(s),
route_table_id=public_route_table.ref,
subnet_id=subnet.ref)
eip = ec2.CfnEIP(self, id="natip")
nat = ec2.CfnNatGateway(self,
id="nat",
allocation_id=eip.attr_allocation_id,
subnet_id=public_subnets[0].ref)
private_route_table = ec2.CfnRouteTable(self,
id="private_route_table",
vpc_id=vpc.ref)
ec2.CfnRoute(self,
id="private_route",
route_table_id=private_route_table.ref,
destination_cidr_block="0.0.0.0/0",
nat_gateway_id=nat.ref)
private_subnets = []
for i, s in enumerate(data["subnets"]["private"]):
subnet = ec2.CfnSubnet(self,
id="private_{}".format(s),
cidr_block=s,
vpc_id=vpc.ref,
availability_zone=core.Fn.select(
i, core.Fn.get_azs()),
map_public_ip_on_launch=False)
private_subnets.append(subnet)
ec2.CfnSubnetRouteTableAssociation(
self,
id="private_{}_association".format(s),
route_table_id=private_route_table.ref,
subnet_id=subnet.ref)
# Security groups
lb_sg = ec2.CfnSecurityGroup(self,
id="lb",
group_description="LB SG",
vpc_id=vpc.ref)
lambda_sg = ec2.CfnSecurityGroup(self,
id="lambda",
group_description="Lambda SG",
vpc_id=vpc.ref)
public_prefix = ec2.CfnPrefixList(self,
id="cidr_prefix",
address_family="IPv4",
max_entries=1,
prefix_list_name="public",
entries=[{
"cidr": "0.0.0.0/0",
"description": "Public"
}])
_sg_rules = [{
'sg':
lb_sg.attr_group_id,
'rules': [{
"direction": "ingress",
"description": "HTTP from Internet",
"from_port": 80,
"to_port": 80,
"protocol": "tcp",
"cidr_blocks": public_prefix.ref
}, {
"direction": "egress",
"description": "LB to Lambda",
"from_port": 80,
"to_port": 80,
"protocol": "tcp",
"source_security_group_id": lambda_sg.attr_group_id
}]
}, {
"sg":
lambda_sg.attr_group_id,
"rules": [{
"direction": "ingress",
"description": "HTTP from LB",
"from_port": 80,
"to_port": 80,
"protocol": "tcp",
"source_security_group_id": lb_sg.attr_group_id
}, {
"direction": "egress",
"description": "All to Internet",
"from_port": 0,
"to_port": 65535,
"protocol": "tcp",
"cidr_blocks": public_prefix.ref
}]
}]
for ruleset in _sg_rules:
for rule in ruleset["rules"]:
if rule["direction"] == "ingress":
ec2.CfnSecurityGroupIngress(
self,
id=rule["description"].replace(" ", "_"),
description=rule["description"],
to_port=rule["to_port"],
from_port=rule["from_port"],
ip_protocol=rule["protocol"],
group_id=ruleset["sg"],
source_prefix_list_id=rule["cidr_blocks"]
if "cidr_blocks" in rule else None,
source_security_group_id=rule[
"source_security_group_id"]
if "source_security_group_id" in rule else None)
else:
ec2.CfnSecurityGroupEgress(
self,
id=rule["description"].replace(" ", "_"),
description=rule["description"],
to_port=rule["to_port"],
from_port=rule["from_port"],
ip_protocol=rule["protocol"],
group_id=ruleset["sg"],
destination_prefix_list_id=rule["cidr_blocks"]
if "cidr_blocks" in rule else None,
destination_security_group_id=rule[
"source_security_group_id"]
if "source_security_group_id" in rule else None)
# IAM
assume_policy_doc = iam.PolicyDocument()
for statement in iam_vars["assume"]["Statement"]:
_statement = iam.PolicyStatement(actions=[statement["Action"]], )
_statement.add_service_principal(statement["Principal"]["Service"])
assume_policy_doc.add_statements(_statement)
role = iam.CfnRole(self,
id="iam_role",
path="/",
assume_role_policy_document=assume_policy_doc)
role_policy_doc = iam.PolicyDocument()
for statement in iam_vars["policy"]["Statement"]:
_statement = iam.PolicyStatement(actions=statement["Action"],
resources=["*"])
role_policy_doc.add_statements(_statement)
policy = iam.CfnPolicy(self,
id="iam_policy",
policy_document=role_policy_doc,
policy_name="cdkPolicy",
roles=[role.ref])
# Lambda
shutil.make_archive("../lambda", 'zip', "../lambda/")
s3_client = boto3.client('s3')
s3_client.upload_file("../lambda.zip", "cloudevescops-zdays-demo",
"cdk.zip")
function = lmd.CfnFunction(self,
id="lambda_function",
handler="lambda.lambda_handler",
role=role.attr_arn,
runtime="python3.7",
code={
"s3Bucket": "cloudevescops-zdays-demo",
"s3Key": "cdk.zip"
},
vpc_config={
"securityGroupIds": [lambda_sg.ref],
"subnetIds":
[s.ref for s in private_subnets]
},
environment={"variables": {
"TOOL": "CDK"
}})
# LB
lb = alb.CfnLoadBalancer(self,
id="alb",
name="lb-cdk",
scheme="internet-facing",
type="application",
subnets=[s.ref for s in public_subnets],
security_groups=[lb_sg.ref])
lmd.CfnPermission(self,
id="lambda_permis",
action="lambda:InvokeFunction",
function_name=function.ref,
principal="elasticloadbalancing.amazonaws.com")
tg = alb.CfnTargetGroup(self,
id="alb_tg",
name="lambda-cdk",
target_type="lambda",
health_check_enabled=True,
health_check_interval_seconds=40,
health_check_path="/",
health_check_timeout_seconds=30,
targets=[{
"id":
function.get_att("Arn").to_string()
}],
matcher={"httpCode": "200"})
alb.CfnListener(self,
id="listener",
default_actions=[{
"type": "forward",
"targetGroupArn": tg.ref
}],
load_balancer_arn=lb.ref,
port=80,
protocol="HTTP")
core.CfnOutput(self, id="fqdn", value=lb.attr_dns_name)
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
# Exercise 11
# WebServerRole
web_server_role = iam.CfnRole(
self,
"WebServerRole",
role_name="ec2-webserver-role",
assume_role_policy_document={
"Version":
"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"Service": ["ec2.amazonaws.com"]
},
"Action": ["sts:AssumeRole"]
}]
},
managed_policy_arns=[
"arn:aws:iam::aws:policy/AmazonS3FullAccess",
"arn:aws:iam::aws:policy/AmazonRekognitionReadOnlyAccess",
"arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM",
"arn:aws:iam::aws:policy/AmazonPollyReadOnlyAccess",
"arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess"
],
path="/",
policies=[{
"policyName": "SystemsManagerParameters",
"policyDocument": {
"Version":
"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["ssm:DescribeParameters"],
"Resource": "*"
}, {
"Effect": "Allow",
"Action": ["ssm:GetParameters"],
"Resource": {
"Fn::Sub":
"arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/edx-*"
}
}]
}
}, {
"policyName": "LogRolePolicy",
"policyDocument": {
"Version":
"2012-10-17",
"Statement": [{
"Effect":
"Allow",
"Action": [
'logs:CreateLogGroup', 'logs:CreateLogStream',
'logs:PutLogEvents', 'logs:DescribeLogStreams'
],
"Resource": {
"Fn::Sub": "arn:aws:logs::${AWS::Region}:*:*"
}
}]
}
}])
# WebServerInstanceProfile
web_server_instance_profile = iam.CfnInstanceProfile(
self,
"WebServerInstanceProfile",
instance_profile_name="webserverinstanceprofile",
path="/",
roles=[web_server_role.role_name])
# WebSecurityGroup
web_security_group = ec2.CfnSecurityGroup(
self,
"WebSecurityGroup",
group_name="web-server-sg",
group_description="HTTP traffic",
vpc_id=core.Fn.import_value("VPC"),
security_group_ingress=[{
"ipProtocol": "tcp",
"fromPort": 80,
"toPort": 80,
"cidrIp": "0.0.0.0/0"
}],
security_group_egress=[{
"ipProtocol": "tcp",
"fromPort": 0,
"toPort": 65535,
"cidrIp": "0.0.0.0/0"
}],
)
# LambdaSecurityGroup
lambda_security_group = ec2.CfnSecurityGroup(
self,
"LambdaSecurityGroup",
group_name="labels-lambda-sg",
group_description="HTTP traffic",
vpc_id=core.Fn.import_value("VPC"),
security_group_egress=[{
"ipProtocol": "tcp",
"fromPort": 0,
"toPort": 65535,
"cidrIp": "0.0.0.0/0"
}],
)
# Output
core.CfnOutput(self,
"WebServerInstanceProfileOutput",
value=web_server_instance_profile.ref,
description="Web Server Instance Profile",
export_name="WebServerInstanceProfileOutput")
core.CfnOutput(self,
"WebServerRoleOutput",
value=web_server_role.attr_arn,
description="Web Server Role",
export_name="WebServerRoleOutput")
core.CfnOutput(self,
"WebSecurityGroupOutput",
value=web_security_group.ref,
description="Web Security Group",
export_name="WebSecurityGroupOutput")
core.CfnOutput(self,
"LambdaSecurityGroupOutput",
value=lambda_security_group.ref,
description="Lambda Security Group",
export_name="LambdaSecurityGroupOutput")
def __init__(self, scope: core.Construct, id: str, application_port,
ingress_security_group_ids, ssl_certificate_arn, ssl_policy,
subnet_ids, vpc_id):
super().__init__(scope, id)
# Use low level constructs to build security groups as it allows us to name the
# ingress rules properly. It's also easier to map the low level construct params
# to their cfn equivalent
app_sg = ec2.CfnSecurityGroup(
self,
id='SharedApplicationSecurityGroup',
group_description='Shared Fargate Security Group',
vpc_id=vpc_id)
app_lb_sg = ec2.CfnSecurityGroup(
self,
id='SharedApplicationLBSecurityGroup',
group_description='Shared ALB Security Group',
vpc_id=vpc_id,
security_group_egress=[{
'ipProtocol': 'tcp',
'fromPort': application_port,
'toPort': application_port,
'destinationSecurityGroupId': app_sg.ref
}])
app_sg_ingress = ec2.CfnSecurityGroupIngress(
self,
id='SharedApplicationSecurityGroupIngress',
group_id=app_sg.ref,
source_security_group_id=app_lb_sg.ref,
ip_protocol='tcp',
from_port=application_port,
to_port=application_port)
for index, sg in enumerate(ingress_security_group_ids):
ec2.CfnSecurityGroupIngress(
self,
id=f"SharedApplicationLBSecurityGroupIngress{index}",
group_id=app_lb_sg.ref,
source_security_group_id=sg,
ip_protocol='tcp',
from_port=443,
to_port=443)
lb = elbv2.CfnLoadBalancer(self,
id='SharedLoadBalancer',
scheme='internal',
security_groups=[app_lb_sg.ref],
subnets=subnet_ids)
listener = elbv2.CfnListener(
self,
id='SharedListener',
certificates=[{
'certificateArn': ssl_certificate_arn
}],
default_actions=[{
'type': 'fixed-response',
'fixedResponseConfig': {
'contentType': 'text/plain',
'messageBody':
'You have reached the the Load Balancer, but not matched any of the listener rules',
'statusCode': '200'
}
}],
load_balancer_arn=lb.ref,
port=443,
protocol='HTTPS',
ssl_policy=ssl_policy)
core.CfnOutput(
self,
id=SHARED_LB_DNS_NAME,
description='Shared Load Balancer DNS Name',
export_name=f"{core.Aws.STACK_NAME}:{SHARED_LB_DNS_NAME}",
value=lb.attr_dns_name)
core.CfnOutput(
self,
id=SHARED_LB_HOSTED_ZONE_ID,
description='Shared Load Balancer Canonical Hosted Zone ID',
export_name=f"{core.Aws.STACK_NAME}:{SHARED_LB_HOSTED_ZONE_ID}",
value=lb.attr_canonical_hosted_zone_id)
core.CfnOutput(
self,
id=SHARED_LB_LISTENER,
description='Shared Load Balancer Listener',
export_name=f"{core.Aws.STACK_NAME}:{SHARED_LB_LISTENER}",
value=listener.ref)
core.CfnOutput(
self,
id=SHARED_SERVICE_SECURITY_GROUP,
description='Shared Fargate Security Group',
export_name=
f"{core.Aws.STACK_NAME}:{SHARED_SERVICE_SECURITY_GROUP}",
value=app_sg.ref)
def __init__(self, scope: core.Construct, id: str, vpc, subnet_id,
**kwargs) -> None:
super().__init__(scope, id, **kwargs)
prefix = self.node.try_get_context("project_name")
env_name = self.node.try_get_context("env")
volumne_size = self.node.try_get_context("volumne_size")
ec2_type = self.node.try_get_context("ec2_type")
self.security_group = ec2.CfnSecurityGroup(
self,
id="web_server_sg",
vpc_id=vpc.ref,
group_name=env_name + '-' + prefix + '-www01',
group_description="Web server security group",
# security_group_ingress=[ingress_ssh],
# security_group_egress=[egress_all],
tags=[
core.CfnTag(key="Name",
value=env_name + '-' + prefix + '-www01')
])
# public Ingress
ec2.CfnSecurityGroupIngress(self,
'publicsecuritygroupingress01',
group_id=self.security_group.ref,
ip_protocol='tcp',
cidr_ip='0.0.0.0/0',
description='http',
from_port=80,
to_port=80)
ec2.CfnSecurityGroupIngress(self,
'publicsecuritygroupingress02',
group_id=self.security_group.ref,
ip_protocol='tcp',
cidr_ip='0.0.0.0/0',
description='ssh',
from_port=22,
to_port=22)
# public Egress
ec2.CfnSecurityGroupEgress(
self,
'publicsecuritygroupegress01',
group_id=self.security_group.ref,
ip_protocol='-1',
cidr_ip='0.0.0.0/0'
# destination_security_group_id=privatesecuritygroup01.ref,
# description='for private',
# from_port=22, to_port=22
)
# private Ingress
image_id = ec2.AmazonLinuxImage(
generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2).get_image(
self).image_id
self.host = ec2.CfnInstance(
self,
env_name + '-' + prefix,
# availability_zone="ap-northeast-1a",
image_id=image_id,
instance_type=ec2_type,
key_name=key_name,
# credit_specification= { "cpu_credits" : "standard" },
credit_specification=ec2.CfnInstance.CreditSpecificationProperty(
cpu_credits="standard"),
disable_api_termination=False,
security_group_ids=[self.security_group.ref],
subnet_id=subnet_id.ref,
block_device_mappings=[{
"deviceName": "/dev/xvda",
"ebs": {
"volumeSize": volumne_size,
}
}],
tags=[{
"key": "Name",
"value": env_name + '-' + prefix + '-www01'
}])
def __init__(self, scope: core.Construct, id: str, **kwargs,) -> None:
super().__init__(scope, id, **kwargs)
# secrets manager for DB password
self.db_secret = secrets.Secret(
self,
"DBSecret",
secret_name=f"{scope.full_app_name}-db-secret",
generate_secret_string=secrets.SecretStringGenerator(
secret_string_template=json.dumps({"username": "******"}),
exclude_punctuation=True,
include_space=False,
generate_string_key="password",
),
)
self.db_secret_arn = ssm.StringParameter(
self,
"DBSecretArn",
parameter_name=f"{scope.full_app_name}-secret-arn",
string_value=self.db_secret.secret_arn,
)
self.db_security_group = ec2.CfnSecurityGroup(
self,
"DBSecurityGroup",
vpc_id=scope.vpc.vpc_id,
group_description="DBSecurityGroup",
security_group_ingress=[
ec2.CfnSecurityGroup.IngressProperty(
ip_protocol="tcp",
to_port=5432,
from_port=5432,
source_security_group_id=scope.vpc.vpc_default_security_group,
)
],
)
self.db_subnet_group = rds.CfnDBSubnetGroup(
self,
"CfnDBSubnetGroup",
subnet_ids=scope.vpc.select_subnets(
subnet_type=ec2.SubnetType.ISOLATED
).subnet_ids,
db_subnet_group_description=f"{scope.full_app_name}-db-subnet-group",
)
self.db_config = {
"engine_mode": "serverless",
"engine": "aurora-postgresql",
"engine_version": "10.7",
# "port": 5432,
"enable_http_endpoint": True,
"master_username": self.db_secret.secret_value_from_json(
"username"
).to_string(),
"master_user_password": self.db_secret.secret_value_from_json(
"password"
).to_string(),
"vpc_security_group_ids": [
self.db_security_group.get_att("GroupId").to_string()
],
"db_subnet_group_name": self.db_subnet_group.ref,
}
self.rds_cluster = rds.CfnDBCluster(
self, "DBCluster", **self.db_config
)
def __init__(self, scope: core.Construct, id: str, vpc_ip: str,
**kwargs) -> None:
super().__init__(scope, id, **kwargs)
if vpc_ip:
print("VPC_IP " + vpc_ip)
cidr = vpc_ip
else:
cidr = "10.0.0.0/16"
# 01. VPC 생성
cfVpc = ec2.CfnVPC(self,
"VPC",
cidr_block=cidr,
tags=[core.Tag(key="Name", value="CDKVPC")])
# 02. Subnet 생성
subnet_2a = ec2.CfnSubnet(
self,
id="subnet_2a",
availability_zone="ap-northeast-2a",
cidr_block="100.0.1.0/24",
map_public_ip_on_launch=True,
vpc_id=cfVpc.ref,
tags=[core.Tag(key="Name", value="subnet-2a")])
subnet_2c = ec2.CfnSubnet(
self,
id="subnet_2c",
availability_zone="ap-northeast-2c",
cidr_block="100.0.2.0/24",
map_public_ip_on_launch=True,
vpc_id=cfVpc.ref,
tags=[core.Tag(key="Name", value="subnet-2c")])
# 03. Internet Gateway 생성
internet_gateway = ec2.CfnInternetGateway(
self,
id="Internet_Gateway_DNS_Example",
tags=[core.Tag(key="Name", value="Internet_Gateway_for_DNS")])
# 04. Internat Gateway Attach
ec2.CfnVPCGatewayAttachment(self,
id="vpcgw",
vpc_id=cfVpc.ref,
internet_gateway_id=internet_gateway.ref)
#05. Route Table 생성
route_table = ec2.CfnRouteTable(
self,
id="dns_example_routetable",
vpc_id=cfVpc.ref,
tags=[core.Tag(key="Name", value="Route_for_DNS")])
#Route
ec2.CfnRoute(self,
id="IGW_Route",
route_table_id=route_table.ref,
destination_cidr_block="0.0.0.0/0",
gateway_id=internet_gateway.ref)
ec2.CfnSubnetRouteTableAssociation(self,
id="DnsSubnet_Associate_2a",
route_table_id=route_table.ref,
subnet_id=subnet_2a.ref)
ec2.CfnSubnetRouteTableAssociation(self,
id="DnsSubnet_Associate_2c",
route_table_id=route_table.ref,
subnet_id=subnet_2c.ref)
# 03. SG 생성
sg = ec2.CfnSecurityGroup(self,
id="sg-ssh",
vpc_id=cfVpc.ref,
group_description="Default Group",
tags=[core.Tag(key="Name", value="DNS_SG")])
#security_group_ingress=[ingress_ssh])
#security_group_egress=[egress_all])
ingress_ssh = ec2.CfnSecurityGroupIngress(self,
"SSH",
ip_protocol="tcp",
group_id=sg.ref,
from_port=22,
to_port=22,
cidr_ip="0.0.0.0/0")
egress_all = ec2.CfnSecurityGroupEgress(
self,
id="OUTBOUND",
group_id=sg.ref,
ip_protocol="-1",
#from_port=0,
#to_port=65535,
cidr_ip="0.0.0.0/0")
# 04. DNS Server EC2 생성
dns_server = ec2.MachineImage.generic_linux(
{"ap-northeast-2": "ami-00d293396a942208d"})
ec2.CfnInstance(self,
id="dns_master",
image_id=dns_server.get_image(self).image_id,
instance_type="t2.small",
key_name="SeoulRegion",
security_group_ids=[sg.ref],
subnet_id=subnet_2a.ref,
tags=[{
"key": "Name",
"value": "dns_master"
}])
ec2.CfnInstance(self,
id="dns_slave",
image_id=dns_server.get_image(self).image_id,
instance_type="t2.small",
key_name="SeoulRegion",
security_group_ids=[sg.ref],
subnet_id=subnet_2c.ref,
tags=[{
"key": "Name",
"value": "dns_slave"
}])
def __init__(self, scope: core.Construct, construct_id: str, **kwargs) -> None:
super().__init__(scope, construct_id, **kwargs)
vpc = ec2.Vpc(self, id="MyVPC",
nat_gateways=0,
cidr="192.168.0.0/20",
max_azs=1,
subnet_configuration=[])
subnet = ec2.Subnet(self, id="MySubnet",
availability_zone="eu-central-1a",
cidr_block="192.168.1.0/24",
vpc_id=vpc.vpc_id,
map_public_ip_on_launch=True)
igw = ec2.CfnInternetGateway(self, id="MyIGW",
tags=[core.CfnTag(key="Name", value="IGW")])
ec2.CfnVPCGatewayAttachment(self, id="IGW_Assoc",
vpc_id=vpc.vpc_id,
internet_gateway_id=igw.ref)
subnet.add_route(id="default_route",
router_id=igw.ref,
router_type=ec2.RouterType('GATEWAY'),
destination_cidr_block="0.0.0.0/0",
enables_internet_connectivity=True)
sg_public = ec2.CfnSecurityGroup(self, id="SG_PUBLIC",
group_description="SG for the Public Subnet",
group_name="SG_PUBLIC",
vpc_id=vpc.vpc_id,
tags=[core.CfnTag(key="Name", value="SG_Public")])
my_home_ip = requests.get("https://api.ipify.org").text
ports_pub = {'tcp': [22, 80],
'icmp': [-1]
}
for protocol, ports_list in ports_pub.items():
for port in ports_list:
ec2.CfnSecurityGroupIngress(self, id=f"sg_pub_in_{protocol}_{port}",
group_id=sg_public.attr_group_id,
ip_protocol=protocol,
cidr_ip=f"{my_home_ip}/32",
to_port=port,
from_port=port,
description=f"{protocol.upper()} {port} from home IP")
with open("/home/dragos/Documents/AWS_CDK/instance_creation/instance_creation/configure.sh", 'r') as config_file:
ud = core.Fn.base64(config_file.read())
instance = ec2.CfnInstance(self, id="MyInstance",
image_id="ami-0de9f803fcac87f46",
instance_type="t2.micro",
subnet_id=subnet.subnet_id,
key_name="proton_mail_kp",
security_group_ids=[sg_public.ref],
tags=[core.CfnTag(key="Name", value="MyInstance")])
# COMMENT
instance.user_data = ud
def __init__(self, scope: core.Construct, construct_id: str,
**kwargs) -> None:
super().__init__(scope, construct_id, **kwargs)
vpc = ec2.Vpc(self,
id="MyVPC",
nat_gateways=0,
cidr="192.168.0.0/20",
max_azs=3,
subnet_configuration=[])
pub_subnet = ec2.PublicSubnet(self,
id="PublicSubnet",
availability_zone="eu-central-1c",
cidr_block="192.168.0.0/24",
vpc_id=vpc.vpc_id,
map_public_ip_on_launch=True)
igw = ec2.CfnInternetGateway(
self, id="MyIGW", tags=[core.CfnTag(key="Name", value="IGW")])
ec2.CfnVPCGatewayAttachment(self,
id="IGW_Assoc",
vpc_id=vpc.vpc_id,
internet_gateway_id=igw.ref)
pub_subnet.add_route(id="default_route-sub01",
router_id=igw.ref,
router_type=ec2.RouterType('GATEWAY'),
destination_cidr_block="0.0.0.0/0",
enables_internet_connectivity=True)
# Elastic IP
eip_01 = ec2.CfnEIP(self, id="EIP01")
# NAT gateway
ngw = ec2.CfnNatGateway(self,
id="NAT_GW",
allocation_id=eip_01.attr_allocation_id,
subnet_id=pub_subnet.subnet_id,
tags=[core.CfnTag(key="Name", value="NAT_GW")])
subnet01 = ec2.Subnet(self,
id="Subnet01",
availability_zone="eu-central-1a",
cidr_block="192.168.1.0/24",
vpc_id=vpc.vpc_id,
map_public_ip_on_launch=False)
subnet02 = ec2.Subnet(self,
id="Subnet02",
availability_zone="eu-central-1b",
cidr_block="192.168.2.0/24",
vpc_id=vpc.vpc_id,
map_public_ip_on_launch=False)
subnet01.add_route(id="default_route-sub01",
router_id=ngw.ref,
router_type=ec2.RouterType('NAT_GATEWAY'),
destination_cidr_block="0.0.0.0/0",
enables_internet_connectivity=True)
subnet02.add_route(id="default_route-sub02",
router_id=ngw.ref,
router_type=ec2.RouterType('NAT_GATEWAY'),
destination_cidr_block="0.0.0.0/0",
enables_internet_connectivity=True)
sg_lb = ec2.CfnSecurityGroup(
self,
id="SG_ALB",
group_description="SG for the APP LB",
group_name="SG_ALB",
vpc_id=vpc.vpc_id,
tags=[core.CfnTag(key="Name", value="SG_ALB")])
sg_ec2i = ec2.CfnSecurityGroup(
self,
id="SG_Instances",
group_description="SG for the Instances",
group_name="SG_Instances",
vpc_id=vpc.vpc_id,
tags=[core.CfnTag(key="Name", value="SG_Instances")])
# my_home_ip = requests.get("https://api.ipify.org").text
my_home_ip = "94.112.113.195"
ports_pub = {'tcp': [22, 80], 'icmp': [-1]}
for protocol, ports_list in ports_pub.items():
for port in ports_list:
ec2.CfnSecurityGroupIngress(
self,
id=f"sg_alb_in_{protocol}_{port}",
group_id=sg_lb.attr_group_id,
ip_protocol=protocol,
cidr_ip=f"{my_home_ip}/32",
to_port=port,
from_port=port,
description=f"{protocol.upper()} {port} from home IP")
ec2.CfnSecurityGroupIngress(
self,
id=f"sg_ec2i_in_{protocol}_{port}",
group_id=sg_ec2i.attr_group_id,
ip_protocol=protocol,
to_port=port,
from_port=port,
source_security_group_id=sg_lb.ref,
description=f"{protocol.upper()} {port} from the ALB SG")
with open(
"/home/dragos/Documents/AWS_CDK/app_lb_sample/app_lb_sample/configure.sh",
'r') as config_file:
ud = core.Fn.base64(config_file.read())
bastion_host = ec2.CfnInstance(
self,
id="bastion",
image_id="ami-0de9f803fcac87f46",
instance_type="t2.micro",
subnet_id=pub_subnet.subnet_id,
key_name="proton_mail_kp",
security_group_ids=[sg_lb.ref],
tags=[core.CfnTag(key="Name", value="bastion")])
instance01 = ec2.CfnInstance(
self,
id="WebServer01",
image_id="ami-0de9f803fcac87f46",
instance_type="t2.micro",
subnet_id=subnet01.subnet_id,
key_name="proton_mail_kp",
security_group_ids=[sg_ec2i.ref],
user_data=ud,
tags=[core.CfnTag(key="Name", value="WebServer01")])
instance02 = ec2.CfnInstance(
self,
id="WebServer02",
image_id="ami-0de9f803fcac87f46",
instance_type="t2.micro",
subnet_id=subnet02.subnet_id,
key_name="proton_mail_kp",
security_group_ids=[sg_ec2i.ref],
user_data=ud,
tags=[core.CfnTag(key="Name", value="WebServer02")])
# health_check = elbv2.HealthCheck(enabled=True,
# healthy_http_codes="200",
# path="/index.html",
# protocol=elbv2.Protocol("HTTP"))
target01 = elbv2.CfnTargetGroup.TargetDescriptionProperty(
id=instance01.ref)
target02 = elbv2.CfnTargetGroup.TargetDescriptionProperty(
id=instance02.ref)
tg = elbv2.CfnTargetGroup(
self,
id="TG-WEB-HTTP",
name="TG-WEB-HTTP",
health_check_enabled=True,
health_check_path="/index.html",
health_check_port="80",
matcher=elbv2.CfnTargetGroup.MatcherProperty(http_code="200"),
port=80,
protocol="HTTP", # CASE SENSITIVE
target_type="instance", # CASE SENSITIVE
targets=[target01, target02],
vpc_id=vpc.vpc_id)
alb = elbv2.CfnLoadBalancer(
self,
id="MyALB-HTTP",
ip_address_type="ipv4",
name="MyALB-HTTP",
scheme="internet-facing",
security_groups=[sg_lb.ref],
type="application",
subnets=[subnet01.subnet_id, subnet02.subnet_id])
def_act = Listener.ActionProperty(type="forward",
authenticate_cognito_config=None,
authenticate_oidc_config=None,
fixed_response_config=None,
forward_config=None,
order=50000,
redirect_config=None,
target_group_arn=tg.ref)
listener = elbv2.CfnListener(self,
id="Listener01",
load_balancer_arn=alb.ref,
port=80,
protocol="HTTP",
default_actions=[def_act])
def createSecurityGroup(self):
# L2 SecurityGroup construct does not support ipv6 well :(
securityGroup = ec2.CfnSecurityGroup(self, 'serverVpcSecurityGroup',
vpc_id=self.vpc.vpc_id,
group_description='Server Vpc Security Group',
security_group_ingress=[
ec2.CfnSecurityGroup.IngressProperty(
ip_protocol='tcp',
from_port=22,
to_port=22,
cidr_ip=f'{self.ip}/32',
description='Allow specific host for ssh'
),
ec2.CfnSecurityGroup.IngressProperty(
ip_protocol='tcp',
from_port=8333,
to_port=8333,
cidr_ip='0.0.0.0/0',
description='Allow bitcoind'
),
ec2.CfnSecurityGroup.IngressProperty(
ip_protocol='tcp',
from_port=8333,
to_port=8333,
cidr_ipv6='::/0',
description='Allow bitcoind'
),
ec2.CfnSecurityGroup.IngressProperty(
ip_protocol='tcp',
from_port=9735,
to_port=9735,
cidr_ip='0.0.0.0/0',
description='Allow lnd'
),
ec2.CfnSecurityGroup.IngressProperty(
ip_protocol='tcp',
from_port=9735,
to_port=9735,
cidr_ipv6='::/0',
description='Allow lnd'
),
ec2.CfnSecurityGroup.IngressProperty(
ip_protocol='tcp',
from_port=9911,
to_port=9911,
cidr_ip='0.0.0.0/0',
description='Allow lnd'
),
ec2.CfnSecurityGroup.IngressProperty(
ip_protocol='tcp',
from_port=9911,
to_port=9911,
cidr_ipv6='::/0',
description='Allow lnd'
),
],
security_group_egress=[
ec2.CfnSecurityGroup.EgressProperty(
ip_protocol='-1',
from_port=-1,
to_port=-1,
cidr_ip='0.0.0.0/0',
description='Allow all outbound'
),
ec2.CfnSecurityGroup.EgressProperty(
ip_protocol='-1',
from_port=-1,
to_port=-1,
cidr_ipv6='::/0',
description='Allow all outbound'
),
]
)
securityGroup.apply_removal_policy(cdk.RemovalPolicy.RETAIN)
return securityGroup
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
current_directory = os.path.realpath(
os.path.join(os.getcwd(), os.path.dirname(__file__)))
allowed_values = yaml.load(open(
os.path.join(current_directory, "..", "..",
"allowed_values.yaml")),
Loader=yaml.SafeLoader)
ami_mapping = {"AMI": {"OEJITSI": AMI_NAME}}
for region in generated_ami_ids.keys():
ami_mapping[region] = {"OEJITSI": generated_ami_ids[region]}
aws_ami_region_map = core.CfnMapping(self,
"AWSAMIRegionMap",
mapping=ami_mapping)
# utility function to parse the unique id from the stack id for
# shorter resource names using cloudformation functions
def append_stack_uuid(name):
return core.Fn.join("-", [
name,
core.Fn.select(
0,
core.Fn.split(
"-",
core.Fn.select(2, core.Fn.split(
"/", core.Aws.STACK_ID))))
])
#
# PARAMETERS
#
cidr_block_param = core.CfnParameter(
self,
"IngressCidrBlock",
allowed_pattern="((\d{1,3})\.){3}\d{1,3}/\d{1,2}",
default="0.0.0.0/0",
description=
"Required: A CIDR block to restrict access to the Jitsi application. Leave as 0.0.0.0/0 to allow public access from internet."
)
ec2_instance_type_param = core.CfnParameter(
self,
"InstanceType",
allowed_values=allowed_values["allowed_instance_types"],
default="t3.xlarge",
description=
"Required: The EC2 instance type for the application Auto Scaling Group."
)
jitsi_hostname_param = core.CfnParameter(
self,
"JitsiHostname",
description=
"Required: The hostname to access Jitsi. E.G. 'jitsi.internal.mycompany.com'"
)
jitsi_interface_app_name_param = core.CfnParameter(
self,
"JitsiInterfaceAppName",
default="Jitsi Meet",
description=
"Optional: Customize the app name on the Jitsi interface.")
jitsi_interface_default_remote_display_name_param = core.CfnParameter(
self,
"JitsiInterfaceDefaultRemoteDisplayName",
default="Fellow Jitster",
description=
"Optional: Customize the default display name for Jitsi users.")
jitsi_interface_native_app_name_param = core.CfnParameter(
self,
"JitsiInterfaceNativeAppName",
default="Jitsi Meet",
description=
"Optional: Customize the native app name on the Jitsi interface.")
jitsi_interface_show_brand_watermark_param = core.CfnParameter(
self,
"JitsiInterfaceShowBrandWatermark",
allowed_values=["true", "false"],
default="true",
description=
"Optional: Display the watermark logo image in the upper left corner."
)
jitsi_interface_show_watermark_for_guests_param = core.CfnParameter(
self,
"JitsiInterfaceShowWatermarkForGuests",
allowed_values=["true", "false"],
default="true",
description=
"Optional: Display the watermark logo image in the upper left corner for guest users. This can be set to override the general setting behavior for guest users."
)
jitsi_interface_brand_watermark_param = core.CfnParameter(
self,
"JitsiInterfaceBrandWatermark",
default="",
description=
"Optional: Provide a URL to a PNG image to be used as the brand watermark logo image in the upper right corner. File should be publically available for download."
)
jitsi_interface_brand_watermark_link_param = core.CfnParameter(
self,
"JitsiInterfaceBrandWatermarkLink",
default="http://jitsi.org",
description=
"Optional: Provide a link destination for the brand watermark logo image in the upper right corner."
)
jitsi_interface_watermark_param = core.CfnParameter(
self,
"JitsiInterfaceWatermark",
default="",
description=
"Optional: Provide a URL to a PNG image to be used as the watermark logo image in the upper left corner. File should be publically available for download."
)
jitsi_interface_watermark_link_param = core.CfnParameter(
self,
"JitsiInterfaceWatermarkLink",
default="http://jitsi.org",
description=
"Optional: Provide a link destination for the Jitsi watermark logo image in the upper left corner."
)
route_53_hosted_zone_name_param = core.CfnParameter(
self,
"Route53HostedZoneName",
description=
"Required: Route 53 Hosted Zone name in which a DNS record will be created by this template. Must already exist and be the domain part of the Jitsi Hostname parameter, without trailing dot. E.G. 'internal.mycompany.com'"
)
notification_email_param = core.CfnParameter(
self,
"NotificationEmail",
default="",
description=
"Optional: Specify an email address to get emails about deploys, Let's Encrypt, and other system events."
)
#
# CONDITIONS
#
notification_email_exists_condition = core.CfnCondition(
self,
"NotificationEmailExistsCondition",
expression=core.Fn.condition_not(
core.Fn.condition_equals(notification_email_param.value, "")))
#
# RESOURCES
#
# vpc
vpc = Vpc(self, "Vpc")
# sns
sns_notification_topic = aws_sns.CfnTopic(
self,
"NotificationTopic",
topic_name="{}-notifications".format(core.Aws.STACK_NAME))
sns_notification_subscription = aws_sns.CfnSubscription(
self,
"NotificationSubscription",
protocol="email",
topic_arn=sns_notification_topic.ref,
endpoint=notification_email_param.value_as_string)
sns_notification_subscription.cfn_options.condition = notification_email_exists_condition
iam_notification_publish_policy = aws_iam.PolicyDocument(statements=[
aws_iam.PolicyStatement(effect=aws_iam.Effect.ALLOW,
actions=["sns:Publish"],
resources=[sns_notification_topic.ref])
])
# cloudwatch
app_log_group = aws_logs.CfnLogGroup(
self, "JitsiAppLogGroup", retention_in_days=TWO_YEARS_IN_DAYS)
app_log_group.cfn_options.update_replace_policy = core.CfnDeletionPolicy.RETAIN
app_log_group.cfn_options.deletion_policy = core.CfnDeletionPolicy.RETAIN
system_log_group = aws_logs.CfnLogGroup(
self, "JitsiSystemLogGroup", retention_in_days=TWO_YEARS_IN_DAYS)
system_log_group.cfn_options.update_replace_policy = core.CfnDeletionPolicy.RETAIN
system_log_group.cfn_options.deletion_policy = core.CfnDeletionPolicy.RETAIN
# iam
iam_jitsi_instance_role = aws_iam.CfnRole(
self,
"JitsiInstanceRole",
assume_role_policy_document=aws_iam.PolicyDocument(statements=[
aws_iam.PolicyStatement(
effect=aws_iam.Effect.ALLOW,
actions=["sts:AssumeRole"],
principals=[aws_iam.ServicePrincipal("ec2.amazonaws.com")])
]),
policies=[
aws_iam.CfnRole.PolicyProperty(
policy_document=aws_iam.PolicyDocument(statements=[
aws_iam.PolicyStatement(
effect=aws_iam.Effect.ALLOW,
actions=[
"logs:CreateLogStream",
"logs:DescribeLogStreams", "logs:PutLogEvents"
],
resources=[
app_log_group.attr_arn,
system_log_group.attr_arn
])
]),
policy_name="AllowStreamLogsToCloudWatch"),
aws_iam.CfnRole.PolicyProperty(
policy_document=aws_iam.PolicyDocument(statements=[
aws_iam.PolicyStatement(
effect=aws_iam.Effect.ALLOW,
actions=[
"ec2:AssociateAddress", "ec2:DescribeVolumes",
"ec2:DescribeTags",
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics",
"cloudwatch:PutMetricData"
],
resources=["*"])
]),
policy_name="AllowStreamMetricsToCloudWatch"),
aws_iam.CfnRole.PolicyProperty(
policy_document=aws_iam.PolicyDocument(statements=[
aws_iam.PolicyStatement(
effect=aws_iam.Effect.ALLOW,
actions=["autoscaling:Describe*"],
resources=["*"])
]),
policy_name="AllowDescribeAutoScaling"),
],
managed_policy_arns=[
"arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
])
# ec2
jitsi_sg = aws_ec2.CfnSecurityGroup(
self,
"JitsiSg",
group_description="Jitsi security group",
vpc_id=vpc.id())
eip = aws_ec2.CfnEIP(self, "Eip", domain="vpc")
core.Tags.of(eip).add("Name", "{}/Eip".format(core.Aws.STACK_NAME))
ec2_instance_profile = aws_iam.CfnInstanceProfile(
self, "JitsiInstanceProfile", roles=[iam_jitsi_instance_role.ref])
with open("jitsi/jitsi_launch_config_user_data.sh") as f:
jitsi_launch_config_user_data = f.read()
ec2_launch_config = aws_autoscaling.CfnLaunchConfiguration(
self,
"JitsiLaunchConfig",
image_id=core.Fn.find_in_map("AWSAMIRegionMap", core.Aws.REGION,
"OEJITSI"),
instance_type=ec2_instance_type_param.value_as_string,
iam_instance_profile=ec2_instance_profile.ref,
security_groups=[jitsi_sg.ref],
user_data=(core.Fn.base64(
core.Fn.sub(
jitsi_launch_config_user_data, {
"JitsiHostname":
jitsi_hostname_param.value_as_string,
"JitsiPublicIP":
eip.ref,
"LetsEncryptCertificateEmail":
notification_email_param.value_as_string
}))))
# autoscaling
asg = aws_autoscaling.CfnAutoScalingGroup(
self,
"JitsiAsg",
launch_configuration_name=ec2_launch_config.ref,
desired_capacity="1",
max_size="1",
min_size="1",
vpc_zone_identifier=vpc.public_subnet_ids())
asg.cfn_options.creation_policy = core.CfnCreationPolicy(
resource_signal=core.CfnResourceSignal(count=1, timeout="PT15M"))
asg.cfn_options.update_policy = core.CfnUpdatePolicy(
auto_scaling_rolling_update=core.CfnAutoScalingRollingUpdate(
max_batch_size=1,
min_instances_in_service=0,
pause_time="PT15M",
wait_on_resource_signals=True))
core.Tags.of(asg).add("Name",
"{}/JitsiAsg".format(core.Aws.STACK_NAME))
jitsi_http_ingress = aws_ec2.CfnSecurityGroupIngress(
self,
"JitsiHttpSgIngress",
cidr_ip=cidr_block_param.value_as_string,
from_port=80,
group_id=jitsi_sg.ref,
ip_protocol="tcp",
to_port=80)
jitsi_https_ingress = aws_ec2.CfnSecurityGroupIngress(
self,
"JitsiHttpsSgIngress",
cidr_ip=cidr_block_param.value_as_string,
from_port=443,
group_id=jitsi_sg.ref,
ip_protocol="tcp",
to_port=443)
jitsi_fallback_network_audio_video_ingress = aws_ec2.CfnSecurityGroupIngress(
self,
"JitsiFallbackNetworkAudioVideoSgIngress",
cidr_ip=cidr_block_param.value_as_string,
from_port=4443,
group_id=jitsi_sg.ref,
ip_protocol="tcp",
to_port=4443)
jitsi_general_network_audio_video_ingress = aws_ec2.CfnSecurityGroupIngress(
self,
"JitsiGeneralNetworkAudioVideoSgIngress",
cidr_ip=cidr_block_param.value_as_string,
from_port=10000,
group_id=jitsi_sg.ref,
ip_protocol="udp",
to_port=10000)
# route 53
record_set = aws_route53.CfnRecordSet(
self,
"RecordSet",
hosted_zone_name=
f"{route_53_hosted_zone_name_param.value_as_string}.",
name=jitsi_hostname_param.value_as_string,
resource_records=[eip.ref],
type="A")
# https://github.com/aws/aws-cdk/issues/8431
record_set.add_property_override("TTL", 60)
# AWS::CloudFormation::Interface
self.template_options.metadata = {
"OE::Patterns::TemplateVersion": template_version,
"AWS::CloudFormation::Interface": {
"ParameterGroups": [{
"Label": {
"default": "Infrastructure Config"
},
"Parameters": [
jitsi_hostname_param.logical_id,
route_53_hosted_zone_name_param.logical_id,
cidr_block_param.logical_id,
ec2_instance_type_param.logical_id,
notification_email_param.logical_id
]
}, {
"Label": {
"default": "Jitsi Config"
},
"Parameters": [
jitsi_interface_app_name_param.logical_id,
jitsi_interface_default_remote_display_name_param.
logical_id,
jitsi_interface_native_app_name_param.logical_id,
jitsi_interface_show_brand_watermark_param.logical_id,
jitsi_interface_show_watermark_for_guests_param.
logical_id,
jitsi_interface_brand_watermark_param.logical_id,
jitsi_interface_brand_watermark_link_param.logical_id,
jitsi_interface_watermark_param.logical_id,
jitsi_interface_watermark_link_param.logical_id,
]
}, *vpc.metadata_parameter_group()],
"ParameterLabels": {
cidr_block_param.logical_id: {
"default": "Ingress CIDR Block"
},
ec2_instance_type_param.logical_id: {
"default": "EC2 instance type"
},
jitsi_hostname_param.logical_id: {
"default": "Jitsi Hostname"
},
jitsi_interface_app_name_param.logical_id: {
"default": "Jitsi Interface App Name"
},
jitsi_interface_default_remote_display_name_param.logical_id:
{
"default":
"Jitsi Interface Default Remote Display Name"
},
jitsi_interface_native_app_name_param.logical_id: {
"default": "Jitsi Interface Native App Name"
},
jitsi_interface_show_brand_watermark_param.logical_id: {
"default": "Jitsi Interface Show Watermark"
},
jitsi_interface_show_watermark_for_guests_param.logical_id:
{
"default": "Jitsi Interface Show Watermark For Guests"
},
jitsi_interface_brand_watermark_param.logical_id: {
"default": "Jitsi Interface Watermark"
},
jitsi_interface_brand_watermark_link_param.logical_id: {
"default": "Jitsi Interface Watermark Link"
},
jitsi_interface_watermark_param.logical_id: {
"default": "Jitsi Interface Watermark"
},
jitsi_interface_watermark_link_param.logical_id: {
"default": "Jitsi Interface Watermark Link"
},
notification_email_param.logical_id: {
"default": "Notification Email"
},
route_53_hosted_zone_name_param.logical_id: {
"default": "AWS Route 53 Hosted Zone Name"
},
**vpc.metadata_parameter_labels()
}
}
}
#
# OUTPUTS
#
eip_output = core.CfnOutput(
self,
"EipOutput",
description=
"The Elastic IP address dynamically mapped to the autoscaling group instance.",
value=eip.ref)
endpoint_output = core.CfnOutput(
self,
"JitsiUrl",
description="The URL for the Jitsi instance.",
value=core.Fn.join(
"", ["https://", jitsi_hostname_param.value_as_string]))
def __init__(self, scope: core.Construct, id: str, custom: dict,
**kwargs) -> None:
super().__init__(scope, id, **kwargs)
region = self.region
#create S3 access role for ec2
ec2Role = iam.Role(
self,
"aws-cdk-handson-lab02-ec2role",
assumed_by=iam.ServicePrincipal("ec2.amazonaws.com"),
managed_policies=[
iam.ManagedPolicy.from_aws_managed_policy_name(
"AmazonS3ReadOnlyAccess")
])
instanceProfile = iam.CfnInstanceProfile(
self,
"aws-cdk-handson-lab02-ec2Profile",
roles=[ec2Role.role_name],
instance_profile_name="aws-cdk-handson-lab02-ec2Profile",
)
#create new VPC for lab02
#vpc = ec2.Vpc.from_lookup(self, "aws-cdk-handson-lab02-vpc",vpc_name="default") #使用默认的vpc
#创建新的vpc
vpc = ec2.Vpc(self,
id="aws-cdk-handson-lab02-vpc",
cidr="172.30.0.0/16",
nat_gateways=0,
subnet_configuration=[
{
"cidrMask": 24,
"name": "subnet-1-",
"subnetType": ec2.SubnetType.PUBLIC
},
{
"cidrMask": 24,
"name": "subnet-2-",
"subnetType": ec2.SubnetType.PUBLIC
},
{
"cidrMask": 24,
"name": "subnet-3-",
"subnetType": ec2.SubnetType.PUBLIC
},
])
#使用已有的安全组
#sg=ec2.SecurityGroup.from_security_group_id(self,"nodeSG",security_group_id='sg-0dd53aaa5c9eb8324')
#创建新的安全组
sg = ec2.CfnSecurityGroup(
self,
"aws-cdk-handson-lab02-ec2securitygroup",
group_description="this is aws-cdk-handson workshop",
group_name="aws-cdk-handson-lab02-ec2securitygroup",
security_group_ingress=[
{
"ipProtocol": "tcp",
"fromPort": 80,
"toPort": 80,
"cidrIp": "0.0.0.0/0",
},
{
"ipProtocol": "tcp",
"fromPort": 22,
"toPort": 22,
"cidrIp": "0.0.0.0/0",
},
{
"ipProtocol": "tcp",
"fromPort": 8080,
"toPort": 8080,
"cidrIp": "0.0.0.0/0",
},
],
vpc_id=vpc.vpc_id)
#read and base64 encode userdata file
data = open("../resource/httpd.sh", "rb").read()
encodedBytes = base64.encodebytes(data)
encodedStr = str(encodedBytes, "utf-8")
#create ec2 instances
ami = ec2.AmazonLinuxImage(
generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2)
#创建2台EC2
ec2Count = 2
for i in range(ec2Count):
eni0 = ec2.CfnNetworkInterface(
self,
"eni-" + str(i),
subnet_id=vpc.public_subnets[0].subnet_id,
group_set=[sg.attr_group_id])
#group_set=[sg.security_group_id]
instance = ec2.CfnInstance(
self,
"ec2-httpd-" + str(i),
image_id=ami.get_image(
self).image_id, #use Amazon Linux 2 AMI
instance_type="t3.micro",
key_name="wsu-cn-northwest-1", #这个是keypair的名字非常重要
tags=[
core.CfnTag(key="Name",
value="aws-cdk-lab02-ec2-" + str(i))
], #加上标签
iam_instance_profile=instanceProfile.ref,
user_data=encodedStr,
network_interfaces=[{
'deviceIndex': '0',
'networkInterfaceId': eni0.ref,
}])
core.CfnOutput(self,
"PublicIP-" + str(i),
export_name="PublicIP-" + str(i),
value=instance.attr_public_ip)
core.CfnOutput(self,
"PublicDNSName-" + str(i),
export_name="PublicDNSName-" + str(i),
value=instance.attr_public_dns_name)
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
prefix = "test"
cidr = "192.168.0.0/16"
# def name(s): return "{0}/{1}".format(prefix, s)
def name(s):
return "{0} {1}".format(prefix, s)
# VPC
self.vpc = ec2.CfnVPC(self,
"vpc",
cidr_block=cidr,
enable_dns_hostnames=True,
enable_dns_support=True,
tags=[core.CfnTag(key="Name", value=prefix)])
# InternetGateway
igw = ec2.CfnInternetGateway(
self, "igw", tags=[core.CfnTag(key="Name", value=prefix)])
igw_attachment = ec2.CfnVPCGatewayAttachment(
self,
"igw_attachment",
vpc_id=self.vpc.ref,
internet_gateway_id=igw.ref)
dhcpoptions = ec2.CfnDHCPOptions(
self,
"dhcpoptions",
domain_name="ec2.internal " + prefix,
domain_name_servers=["AmazonProvidedDNS"],
tags=[core.CfnTag(key="Name", value=prefix)])
dhcpoptionsassociation = ec2.CfnVPCDHCPOptionsAssociation(
self,
"dhcpoptionsassociation",
dhcp_options_id=dhcpoptions.ref,
vpc_id=self.vpc.ref)
# PrivateSubnetA
# private_subnet_a = ec2.CfnSubnet(
# self, "private_a",
# vpc_id=vpc.ref,
# cidr_block="192.168.0.0/24",
# availability_zone="ap-northeast-1a",
# tags=[
# core.CfnTag(key="Name", value=name("private_a"))
# ]
# )
# PrivateSubnetC
# private_subnet_c = ec2.CfnSubnet(
# self, "private_c",
# vpc_id=vpc.ref,
# cidr_block="192.168.1.0/24",
# availability_zone="ap-northeast-1c",
# tags=[
# core.CfnTag(key="Name", value=name("private_c"))
# ]
# )
# PublicSubnetA
self.public_subnet_a = ec2.CfnSubnet(
self,
"public_a",
vpc_id=self.vpc.ref,
cidr_block="192.168.0.0/20",
# availability_zone="ap-northeast-1a",
availability_zone="us-east-1a",
tags=[core.CfnTag(key="Name", value=prefix + " public_a")])
# PublicSubnetC
self.public_subnet_c = ec2.CfnSubnet(
self,
"public_c",
vpc_id=self.vpc.ref,
cidr_block="192.168.16.0/20",
availability_zone="us-east-1c",
tags=[core.CfnTag(key="Name", value=prefix + " public_c")])
self.public_subnet_d = ec2.CfnSubnet(
self,
"public_d",
vpc_id=self.vpc.ref,
cidr_block="192.168.32.0/20",
availability_zone="us-east-1d",
tags=[core.CfnTag(key="Name", value=prefix + " public_d")])
# EIP1 (for NATGW)
# eip1 = ec2.CfnEIP(
# self, "eip1",
# domain="vpc",
# )
# eip1.add_depends_on(igw_attachment)
# EIP2 (for NATGW)
# eip2 = ec2.CfnEIP(
# self, "eip2",
# domain="vpc",
# )
# eip2.add_depends_on(igw_attachment)
# NatGatewayA
# natgw_a = ec2.CfnNatGateway(
# self, "natgw_a",
# allocation_id=eip1.attr_allocation_id,
# subnet_id=self.public_subnet_a.ref,
# tags=[
# core.CfnTag(key="Name", value=name("natgw_a"))
# ]
# )
# NatGatewayC
# natgw_c = ec2.CfnNatGateway(
# self, "natgw_c",
# allocation_id=eip2.attr_allocation_id,
# subnet_id=public_subnet_c.ref,
# tags=[
# core.CfnTag(key="Name", value=name("natgw_c"))
# ]
# )
# RouteTable of PrivateSubnetA
# rtb_private_a = ec2.CfnRouteTable(
# self, "rtb_private_a",
# vpc_id=vpc.ref,
# tags=[
# core.CfnTag(key="Name", value=name("rtb_private_a"))
# ]
# )
# ec2.CfnSubnetRouteTableAssociation(
# self, "rtb_private_a_association",
# route_table_id=rtb_private_a.ref,
# subnet_id=private_subnet_a.ref
# )
# ec2.CfnRoute(
# self, "route_private_a",
# route_table_id=rtb_private_a.ref,
# destination_cidr_block="0.0.0.0/0",
# nat_gateway_id=natgw_a.ref
# )
# RouteTable of PrivateSubnetC
# rtb_private_c = ec2.CfnRouteTable(
# self, "rtb_private_c",
# vpc_id=vpc.ref,
# tags=[
# core.CfnTag(key="Name", value=name("rtb_private_c"))
# ]
# )
# ec2.CfnSubnetRouteTableAssociation(
# self, "rtb_private_c_association",
# route_table_id=rtb_private_c.ref,
# subnet_id=private_subnet_c.ref
# )
# ec2.CfnRoute(
# self, "route_private_c",
# route_table_id=rtb_private_c.ref,
# destination_cidr_block="0.0.0.0/0",
# nat_gateway_id=natgw_c.ref
# )
# RouteTable of PublicSubnetA
self.rtb_public_a = ec2.CfnRouteTable(
self,
"rtb_public_a",
vpc_id=self.vpc.ref,
tags=[core.CfnTag(key="Name", value=prefix + "rtb_public_a")])
ec2.CfnSubnetRouteTableAssociation(
self,
"rtb_public_a_association",
route_table_id=self.rtb_public_a.ref,
subnet_id=self.public_subnet_a.ref)
ec2.CfnSubnetRouteTableAssociation(
self,
"rtb_public_c_association",
route_table_id=self.rtb_public_a.ref,
subnet_id=self.public_subnet_c.ref)
ec2.CfnSubnetRouteTableAssociation(
self,
"rtb_public_d_association",
route_table_id=self.rtb_public_a.ref,
subnet_id=self.public_subnet_d.ref)
ec2.CfnRoute(self,
"route_public_a",
route_table_id=self.rtb_public_a.ref,
destination_cidr_block="0.0.0.0/0",
gateway_id=igw.ref)
# RouteTable of PublicSubnetC
# rtb_public_c = ec2.CfnRouteTable(
# self, "rtb_public_c",
# vpc_id=vpc.ref,
# tags=[
# core.CfnTag(key="Name", value=name("rtb_public_c"))
# ]
# )
# ec2.CfnSubnetRouteTableAssociation(
# self, "rtb_public_c_association",
# route_table_id=rtb_public_c.ref,
# subnet_id=public_subnet_c.ref
# )
# ec2.CfnRoute(
# self, "route_public_c",
# route_table_id=rtb_public_c.ref,
# destination_cidr_block="0.0.0.0/0",
# gateway_id=igw.ref
# )
# ami_id = ec2.AmazonLinuxImage(generation = ec2.AmazonLinuxGeneration.AMAZON_LINUX_2).get_image(self).image_id
# security_group = ec2.SecurityGroup(
# self,
# id='test',
# vpc=self.vpc,
# security_group_name='test-security-group'
# )
# security_group.add_ingress_rule(
# peer=ec2.Peer.ipv4(cidr),
# connection=ec2.Port.tcp(22),
# )
# red_web_inst = ec2.CfnInstance(self,
# "testInstance01",
# image_id = ami_id,
# instance_type = "t3a.micro",
# monitoring = False,
# key_name = "stg-intrinio-www01",
# security_group_ids=[security_group.security_group_id],
# block_device_mappings = [{
# "deviceName": "/dev/xvda",
# "ebs": {
# "volumeSize": 10,
# "volumeType": "io1",
# "iops": 150,
# "deleteOnTermination": True
# }
# }
# ],
# tags = [
# { "key": "Name", "value": prefix }
# ],
# network_interfaces = [{
# "deviceIndex": "0",
# "associatePublicIpAddress": True,
# "subnetId": self.public_subnet_a.ref,
# # "groupSet": [web_sg.security_group_id]
# }], #https: //github.com/aws/aws-cdk/issues/3419
# )
# RedisSecurityGroup
redis_security_group = ec2.CfnSecurityGroup(
self,
"RedisSecurityGroup",
group_name="stg-test-redis01",
group_description="HTTP traffic",
vpc_id=self.vpc.ref,
security_group_ingress=[{
"ipProtocol": "tcp",
"fromPort": 6379,
"toPort": 6379,
"cidrIp": "192.168.0.0/16"
}],
security_group_egress=[{
"ipProtocol": "tcp",
"fromPort": 0,
"toPort": 65535,
"cidrIp": "0.0.0.0/0"
}],
)
# MyDBSubnetGroup
redis_subnet_group = redis.CfnSubnetGroup(
self,
"RedisSubnetGroup",
cache_subnet_group_name="stg-test-redis01",
description="stg-test-redis01",
subnet_ids=[
self.public_subnet_a.ref, self.public_subnet_c.ref,
self.public_subnet_d.ref
])
redis_params = {
'auto_minor_version_upgrade': True,
'engine': 'redis',
'at_rest_encryption_enabled': True,
'automatic_failover_enabled': False,
'engine_version': '4.0.10',
'cache_node_type': 'cache.t3.micro',
'num_cache_clusters': 1,
'replication_group_description': "stg-test-redis01",
'security_group_ids': [redis_security_group.ref],
'cache_subnet_group_name': redis_subnet_group.ref
}
self.redis = redis.CfnReplicationGroup(self, 'staff-redis',
**redis_params)
core.CfnOutput(self, "OutputVpc", value=self.vpc.ref)
core.CfnOutput(self, "OutputRedis", value=self.redis.ref)
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
prefix = "test""
cidr = "10.100.0.0/16"
# def name(s): return "{0}/{1}".format(prefix, s)
def name(s): return "{0} {1}".format(prefix, s)
# VPC
self.vpc = ec2.CfnVPC(
self, "vpc",
cidr_block=cidr,
enable_dns_hostnames=True,
enable_dns_support=True,
tags=[
core.CfnTag(key="Name", value=prefix+" VPC")
]
)
# InternetGateway
igw = ec2.CfnInternetGateway(
self, "igw",
tags=[
core.CfnTag(key="Name", value=prefix+" IGW")
]
)
igw_attachment = ec2.CfnVPCGatewayAttachment(
self, "igw_attachment",
vpc_id=self.vpc.ref,
internet_gateway_id=igw.ref
)
dhcpoptions = ec2.CfnDHCPOptions(
self, "dhcpoptions",
domain_name="ec2.internal "+prefix,
domain_name_servers=["AmazonProvidedDNS"],
tags=[
core.CfnTag(key="Name", value=prefix)
]
)
dhcpoptionsassociation = ec2.CfnVPCDHCPOptionsAssociation(
self, "dhcpoptionsassociation",
dhcp_options_id=dhcpoptions.ref,
vpc_id=self.vpc.ref
)
# PrivateSubnetA
# private_subnet_a = ec2.CfnSubnet(
# self, "private_a",
# vpc_id=vpc.ref,
# cidr_block="192.168.0.0/24",
# availability_zone="ap-northeast-1a",
# tags=[
# core.CfnTag(key="Name", value=name("private_a"))
# ]
# )
# PrivateSubnetC
# private_subnet_c = ec2.CfnSubnet(
# self, "private_c",
# vpc_id=vpc.ref,
# cidr_block="192.168.1.0/24",
# availability_zone="ap-northeast-1c",
# tags=[
# core.CfnTag(key="Name", value=name("private_c"))
# ]
# )
# PublicSubnetA
self.public_subnet_a = ec2.CfnSubnet(
self, "public_a",
vpc_id=self.vpc.ref,
cidr_block="192.168.0.0/20",
# availability_zone="ap-northeast-1a",
availability_zone="us-east-1a",
tags=[
core.CfnTag(key="Name", value=prefix+" public_a")
]
)
# PublicSubnetC
self.public_subnet_c = ec2.CfnSubnet(
self, "public_c",
vpc_id=self.vpc.ref,
cidr_block="192.168.16.0/20",
availability_zone="us-east-1c",
tags=[
core.CfnTag(key="Name", value=prefix+" public_c")
]
)
self.public_subnet_d = ec2.CfnSubnet(
self, "public_d",
vpc_id=self.vpc.ref,
cidr_block="192.168.32.0/20",
availability_zone="us-east-1d",
tags=[
core.CfnTag(key="Name", value=prefix+" public_d")
]
)
# EIP1 (for NATGW)
# eip1 = ec2.CfnEIP(
# self, "eip1",
# domain="vpc",
# )
# eip1.add_depends_on(igw_attachment)
# EIP2 (for NATGW)
# eip2 = ec2.CfnEIP(
# self, "eip2",
# domain="vpc",
# )
# eip2.add_depends_on(igw_attachment)
# NatGatewayA
# natgw_a = ec2.CfnNatGateway(
# self, "natgw_a",
# allocation_id=eip1.attr_allocation_id,
# subnet_id=self.public_subnet_a.ref,
# tags=[
# core.CfnTag(key="Name", value=name("natgw_a"))
# ]
# )
# NatGatewayC
# natgw_c = ec2.CfnNatGateway(
# self, "natgw_c",
# allocation_id=eip2.attr_allocation_id,
# subnet_id=public_subnet_c.ref,
# tags=[
# core.CfnTag(key="Name", value=name("natgw_c"))
# ]
# )
# RouteTable of PrivateSubnetA
# rtb_private_a = ec2.CfnRouteTable(
# self, "rtb_private_a",
# vpc_id=vpc.ref,
# tags=[
# core.CfnTag(key="Name", value=name("rtb_private_a"))
# ]
# )
# ec2.CfnSubnetRouteTableAssociation(
# self, "rtb_private_a_association",
# route_table_id=rtb_private_a.ref,
# subnet_id=private_subnet_a.ref
# )
# ec2.CfnRoute(
# self, "route_private_a",
# route_table_id=rtb_private_a.ref,
# destination_cidr_block="0.0.0.0/0",
# nat_gateway_id=natgw_a.ref
# )
# RouteTable of PrivateSubnetC
# rtb_private_c = ec2.CfnRouteTable(
# self, "rtb_private_c",
# vpc_id=vpc.ref,
# tags=[
# core.CfnTag(key="Name", value=name("rtb_private_c"))
# ]
# )
# ec2.CfnSubnetRouteTableAssociation(
# self, "rtb_private_c_association",
# route_table_id=rtb_private_c.ref,
# subnet_id=private_subnet_c.ref
# )
# ec2.CfnRoute(
# self, "route_private_c",
# route_table_id=rtb_private_c.ref,
# destination_cidr_block="0.0.0.0/0",
# nat_gateway_id=natgw_c.ref
# )
# RouteTable of PublicSubnetA
self.rtb_public_a = ec2.CfnRouteTable(
self, "rtb_public_a",
vpc_id=self.vpc.ref,
tags=[
core.CfnTag(key="Name", value=prefix+"rtb_public_a")
]
)
ec2.CfnSubnetRouteTableAssociation(
self, "rtb_public_a_association",
route_table_id=self.rtb_public_a.ref,
subnet_id=self.public_subnet_a.ref
)
ec2.CfnSubnetRouteTableAssociation(
self, "rtb_public_c_association",
route_table_id=self.rtb_public_a.ref,
subnet_id=self.public_subnet_c.ref
)
ec2.CfnSubnetRouteTableAssociation(
self, "rtb_public_d_association",
route_table_id=self.rtb_public_a.ref,
subnet_id=self.public_subnet_d.ref
)
ec2.CfnRoute(
self, "route_public_a",
route_table_id=self.rtb_public_a.ref,
destination_cidr_block="0.0.0.0/0",
gateway_id=igw.ref
)
# RouteTable of PublicSubnetC
# rtb_public_c = ec2.CfnRouteTable(
# self, "rtb_public_c",
# vpc_id=vpc.ref,
# tags=[
# core.CfnTag(key="Name", value=name("rtb_public_c"))
# ]
# )
# ec2.CfnSubnetRouteTableAssociation(
# self, "rtb_public_c_association",
# route_table_id=rtb_public_c.ref,
# subnet_id=public_subnet_c.ref
# )
# ec2.CfnRoute(
# self, "route_public_c",
# route_table_id=rtb_public_c.ref,
# destination_cidr_block="0.0.0.0/0",
# gateway_id=igw.ref
# )
ami_id = ec2.AmazonLinuxImage(generation = ec2.AmazonLinuxGeneration.AMAZON_LINUX_2).get_image(self).image_id
security_group = ec2.SecurityGroup(
self,
id='InstanceSecurityGroupwww',
vpc=self.vpc,
security_group_name='stg-'+prefix+'www'
)
security_group.add_ingress_rule(
peer=ec2.Peer.ipv4('0.0.0.0/0'),
connection=ec2.Port.tcp(22),
)
security_group.add_ingress_rule(
peer=ec2.Peer.ipv4('0.0.0.0/0'),
connection=ec2.Port.tcp(80),
)
EC2InstanceStgWeb = ec2.CfnInstance(self,
"EC2InstanceStgWeb",
image_id = ami_id,
instance_type = "t3a.micro",
monitoring = False,
key_name = "stg-intrinio-www01",
security_group_ids=[security_group.security_group_id],
block_device_mappings = [{
"deviceName": "/dev/xvda",
"ebs": {
"volumeSize": 10,
# "volumeType": "io1",
# "iops": 150,
# "deleteOnTermination": True
}
}
],
tags = [
{ "key": "Name", "value": 'stg'+prefix+'www01' }
],
network_interfaces = [{
"deviceIndex": "0",
"associatePublicIpAddress": True,
"subnetId": self.public_subnet_a.ref,
# "groupSet": [web_sg.security_group_id]
}], #https: //github.com/aws/aws-cdk/issues/3419
)
# RdsSecurityGroup
RdsStgSecurityGroup = ec2.CfnSecurityGroup(self, "RdsStgSecurityGroup",
group_name = 'stg-'+prefix+'db01',
group_description = 'stg-'+prefix+'db01',
vpc_id = self.vpc.ref,
security_group_ingress = [
{
"ipProtocol" : "tcp",
"fromPort" : 3306,
"toPort" : 3306,
"cidrIp" : "0.0.0.0/0"
}
],
security_group_egress = [
{
"ipProtocol" : "tcp",
"fromPort" : 0,
"toPort" : 65535,
"cidrIp" : "0.0.0.0/0"
}
],
)
# MyDBSubnetGroup
rds_subnet_group = rds.CfnDBSubnetGroup(self, "DBSubnetGroup",
db_subnet_group_description = "DBSubnetGroup",
subnet_ids = [
self.public_subnet_a.ref,
self.public_subnet_c.ref,
self.public_subnet_d.ref
]
)
DBParameterGroupStg = rds.CfnDBParameterGroup(self, "DBParameterGroupStg",
description = "",
family = "",
parameters = [{'character_set_client': utf8,}]
)
rds_params = {
'db_instance_identifier': "stg-test-db01",
'engine': "mysql",
'engine_version': '5.6.39',
'db_instance_class': 'db.t3.micro',
'allocated_storage': '5',
'storage_type': 'gp2',
'db_name': "test",
'master_username': "******",
'master_user_password': "******",
'db_subnet_group_name' : rds_subnet_group.ref,
'publicly_accessible': False,
'multi_az': False,
'preferred_backup_window': "18:00-18:30",
'PreferredMaintenanceWindow': "sat:19:00-sat:19:30",
'auto_minor_version_upgrade': False,
'db_parameter_group_name': DBParameterGroupStg,
'vpc_security_groups': [RdsStgSecurityGroup.ref],
'copy_tags_to_snapshot': True,
'backup_retention_period': 7,
'enable_performance_insights': True,
'delete_automated_backups': True,
'deletion_protection': False,
'availability_zone': self.public_subnet_a.ref,
# 'storage_encrypted': False,
}
self.rds = rds.CfnDBInstance(self, 'staff-rds', **rds_params)
core.CfnOutput(self, "Output",
value=self.vpc.ref)
def __init__(self, scope: core.Construct, construct_id: str,
**kwargs) -> None:
super().__init__(scope, construct_id, **kwargs)
# Create an empty VPC
# If you don't specify any other resources EXCEPT the VPC, there's a standard template applied
vpc = ec2.Vpc(
self,
id="MyVPC",
nat_gateways=0,
cidr="192.168.0.0/20",
max_azs=1,
subnet_configuration=[],
)
# A couple of subnets
app_subnet = ec2.CfnSubnet(
self,
id="Application",
vpc_id=vpc.vpc_id,
availability_zone="eu-central-1a",
cidr_block="192.168.1.0/24",
map_public_ip_on_launch=False,
tags=[core.CfnTag(key="Name", value="Application")])
web_subnet = ec2.CfnSubnet(
self,
id="Webhost",
vpc_id=vpc.vpc_id,
availability_zone="eu-central-1b",
cidr_block="192.168.2.0/24",
map_public_ip_on_launch=True,
tags=[core.CfnTag(key="Name", value="WebHost")])
# A couple of route tables
private_rt = ec2.CfnRouteTable(
self,
id="Private_RT",
vpc_id=vpc.vpc_id,
tags=[core.CfnTag(key="Name", value="Private_RT")])
public_rt = ec2.CfnRouteTable(
self,
id="Public_RT",
vpc_id=vpc.vpc_id,
tags=[core.CfnTag(key="Name", value="Public_RT")])
# How to associate a subnet with a route table
ec2.CfnSubnetRouteTableAssociation(self,
id="WebHostRTAssoc",
subnet_id=web_subnet.ref,
route_table_id=public_rt.ref)
ec2.CfnSubnetRouteTableAssociation(self,
id="ApplicationRTAssoc",
subnet_id=app_subnet.ref,
route_table_id=private_rt.ref)
# A gateway (Internet Gateway in this case)
igw = ec2.CfnInternetGateway(
self, id="MyIGW", tags=[core.CfnTag(key="Name", value="IGW")])
# How to associate a gateway to a VPC (IGW in this case - for VGW use vpn_gateway_id=blablabla)
ec2.CfnVPCGatewayAttachment(self,
id="IGW_Assoc",
vpc_id=vpc.vpc_id,
internet_gateway_id=igw.ref)
# Elastic IP
eip_01 = ec2.CfnEIP(self, id="EIP01")
# NAT gateway
ngw = ec2.CfnNatGateway(self,
id="NAT_GW",
allocation_id=eip_01.attr_allocation_id,
subnet_id=web_subnet.ref,
tags=[core.CfnTag(key="Name", value="NAT_GW")])
ngw.add_depends_on(eip_01)
# Add a route to a route table
default_route_public = ec2.CfnRoute(self,
id="DefaultRoutePublic",
route_table_id=public_rt.ref,
destination_cidr_block="0.0.0.0/0",
gateway_id=igw.ref)
default_route_public.add_depends_on(igw)
default_route_private = ec2.CfnRoute(
self,
id="DefaultRouteprivate",
route_table_id=private_rt.ref,
destination_cidr_block="0.0.0.0/0",
nat_gateway_id=ngw.ref)
default_route_private.add_depends_on(ngw)
### Security Groups ###
# PUBLIC SUBNET SG
sg_public = ec2.CfnSecurityGroup(
self,
id="SG_PUBLIC",
group_description="SG for the Public Subnet",
group_name="SG_PUBLIC",
vpc_id=vpc.vpc_id,
tags=[core.CfnTag(key="Name", value="SG_Public")])
my_home_ip = requests.get("https://api.my-ip.io/ip.json").json()['ip']
ports_pub = {'tcp': [22, 80], 'icmp': [-1]}
for protocl, ports_list in ports_pub.items():
for port in ports_list:
ec2.CfnSecurityGroupIngress(
self,
id=f"sg_pub_in_{protocl}_{port}",
group_id=sg_public.attr_group_id,
ip_protocol=protocl,
cidr_ip=f"{my_home_ip}/32",
to_port=port,
from_port=port,
description=f"{protocl.upper()} {port} from home IP")
# SG INGRESS ENTRIES - ICMP - EXAMPLE
# sg_in_icmp = ec2.CfnSecurityGroupIngress(self, id="SG_PUB_IN_ICMP",
# group_id=sg_public.attr_group_id,
# ip_protocol = "icmp",
# cidr_ip = f"{my_home_ip}/32",
# to_port = -1,
# from_port = -1,
# description = "ICMP FROM HOME")
# SG EGRESS ENTRIES - AUTO-IMPLIED IF NOT CONFIGURED
# sg_out_all = ec2.CfnSecurityGroupEgress(self, id="SG_PUB_OUT_ALL",
# group_id=sg_public.attr_group_id,
# ip_protocol="-1",
# cidr_ip="0.0.0.0/0")
# PRIVATE SUBNET SG
sg_private = ec2.CfnSecurityGroup(
self,
id="SG_PRIVATE",
group_description="SG for the Private Subnet",
group_name="SG_PRIVATE",
vpc_id=vpc.vpc_id,
tags=[core.CfnTag(key="Name", value="SG_Private")])
sg_private.add_depends_on(sg_public)
ports_priv = {'tcp': [22, 21, 53, 3368, 80], 'icmp': [-1]}
for protocl, ports_list in ports_priv.items():
for port in ports_list:
ec2.CfnSecurityGroupIngress(
self,
id=f"sg_priv_in_{protocl}_{port}",
group_id=sg_private.attr_group_id,
description=
f"{protocl.upper()}:{port} from the public subnet only",
ip_protocol=protocl,
from_port=port,
to_port=port,
source_security_group_id=sg_public.ref)
### EC2 Instances ###
# Generate some user data _ WIP
# user_data = ec2.UserData.custom
# One in the public subnet
webserver01 = ec2.CfnInstance(
self,
id="WebServer01",
image_id="ami-0de9f803fcac87f46",
instance_type="t2.micro",
subnet_id=web_subnet.ref,
key_name="proton_mail_kp",
security_group_ids=[sg_public.ref],
tags=[core.CfnTag(key="Name", value="WebServer01")])
appserver01 = ec2.CfnInstance(
self,
id="AppServer01",
image_id="ami-0de9f803fcac87f46",
instance_type="t2.micro",
subnet_id=app_subnet.ref,
key_name="proton_mail_kp",
security_group_ids=[sg_private.ref],
tags=[core.CfnTag(key="Name", value="AppServer01")])
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
# Exercise 9
db_password_parameters = core.CfnParameter(
self,
"DBPassword",
no_echo=True,
description="New account and RDS password",
min_length=1,
max_length=41,
constraint_description=
"the password must be between 1 and 41 characters",
default="DBPassword")
# DBSecurityGroup:
db_security_group = ec2.CfnSecurityGroup(
self,
"DBSecurityGroup",
group_description="DB traffic",
vpc_id=core.Fn.import_value("VPC"),
security_group_ingress=[{
"ipProtocol":
"tcp",
"fromPort":
3306,
"toPort":
3306,
"sourceSecurityGroupId":
core.Fn.import_value("WebSecurityGroupOutput"),
}, {
"ipProtocol":
"tcp",
"fromPort":
3306,
"toPort":
3306,
"sourceSecurityGroupId":
core.Fn.import_value("EdxProjectCloud9Sg"),
}, {
"ipProtocol":
"tcp",
"fromPort":
3306,
"toPort":
3306,
"sourceSecurityGroupId":
core.Fn.import_value("LambdaSecurityGroupOutput"),
}],
security_group_egress=[{
"ipProtocol": "tcp",
"fromPort": 0,
"toPort": 65535,
"cidrIp": "0.0.0.0/0"
}],
)
# MyDBSubnetGroup
my_db_subnet_group = rds.CfnDBSubnetGroup(
self,
"DBSubnetGroup",
db_subnet_group_description="MyDBSubnetGroup",
subnet_ids=[
core.Fn.import_value("PrivateSubnet1"),
core.Fn.import_value("PrivateSubnet2")
])
# RDSCluster
rds_cluster = rds.CfnDBCluster(
self,
"RDSCluster",
db_cluster_identifier="edx-photos-db",
database_name="Photos",
master_username="******",
master_user_password=db_password_parameters.value_as_string,
engine_mode="serverless",
scaling_configuration={
"autoPause": True,
"maxCapacity": 4,
"minCapacity": 2
},
engine="aurora",
db_subnet_group_name=my_db_subnet_group.ref,
vpc_security_group_ids=[db_security_group.ref])
rds_cluster.apply_removal_policy(core.RemovalPolicy.DESTROY)
# Output
core.CfnOutput(self,
"MyDBEndpoint",
value=rds_cluster.attr_endpoint_address,
description="MyDB Endpoint",
export_name="MyDBEndpoint")
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
#create S3 access role for ec2
ec2Role = iam.Role(
self,
"ec2role",
assumed_by=iam.ServicePrincipal("ec2.amazonaws.com"),
managed_policies=[
iam.ManagedPolicy.from_aws_managed_policy_name("AmazonS3ReadOnlyAccess")
]
)
instanceProfile = iam.CfnInstanceProfile(
self,
"ec2Profile",
roles=[ec2Role.role_name],
instance_profile_name="aws-cdk-handson-ec2Profile",
)
#create new VPC for lab02
vpc= ec2.Vpc(self,id="aws-cdk-handson-vpc",cidr="172.30.0.0/16",nat_gateways=0,
subnet_configuration=[
{ "cidrMask": 24,"name": "subnet-1-", "subnetType": ec2.SubnetType.PUBLIC },
{ "cidrMask": 24,"name": "subnet-2-", "subnetType": ec2.SubnetType.PUBLIC },
{ "cidrMask": 24,"name": "subnet-3-", "subnetType": ec2.SubnetType.PUBLIC },
])
#create new Security Group
sg = ec2.CfnSecurityGroup(
self,
"ec2securitygroup",
group_description="this is aws-cdk-handson workshop",
group_name="ec2securitygroup",
security_group_ingress=[
{
"ipProtocol": "tcp",
"fromPort": 80,
"toPort": 80,
"cidrIp": "0.0.0.0/0",
},
{
"ipProtocol": "tcp",
"fromPort": 22,
"toPort": 22,
"cidrIp": "0.0.0.0/0",
},
],
vpc_id=vpc.vpc_id
)
#create Elastic Network Interface
eni0 = ec2.CfnNetworkInterface(
self, "eni-" + str(1), subnet_id=vpc.public_subnets[0].subnet_id,
#group_set=["sg-08cddeaeec7392eb2"]
group_set=[sg.attr_group_id]
)
#read and base64 encode userdata file
data = open("httpd.sh", "rb").read()
encodedBytes = base64.encodebytes(data)
encodedStr = str(encodedBytes, "utf-8")
#create ec2 instances
ami=ec2.AmazonLinuxImage(generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2)
instance = ec2.CfnInstance(
self,
"ec2-httpd-" + str(1),
image_id=ami.get_image(self).image_id, #use Amazon Linux 2 AMI
instance_type="t2.micro",
key_name="wsu-ap-northeast-1",
network_interfaces=[
{
"deviceIndex": "0",
"networkInterfaceId": eni0.ref
}
],
tags=[core.CfnTag(key="Name", value="aws-cdk-handson-ec2")],
iam_instance_profile=instanceProfile.ref,
user_data=encodedStr
)
#associate EIP with the instance
eip = ec2.CfnEIP(self, "eip-" + str(1))
ec2.CfnEIPAssociation(self, "eip-ass-i" + str(1),
allocation_id=eip.attr_allocation_id,
network_interface_id=eni0.ref)
#Export PublicIP and PublicDNSName
core.CfnOutput(self,"PublicIP",export_name="PublicIP",value=instance.attr_public_ip)
core.CfnOutput(self,"PublicDNSName",export_name="PublicDNSName",value=instance.attr_public_dns_name)
