def __init__(self, app: core.Construct, id: str, **kwargs) -> None:
super().__init__(app, id)
iam_role = RoleConstruct(
self,
'role',
assumed_by=iam.ServicePrincipal(ServicePrincipals.ECS_TASKS),
managed_policies=[ManagedPolicies.AMAZON_S3_FULL_ACCESS]).iam_role
self.taskDefinition = ecs.FargateTaskDefinition(self,
'task_definition',
task_role=iam_role)
# build a new docker image and push to Elastic Container Registry
self.docker_image_asset = ecr_assets.DockerImageAsset(
self,
'image_asset',
directory='../src',
build_args={'SCRIPTPATH': kwargs.get('script_path')})
# get the image from the built docker image asset
self.docker_image = ecs.ContainerImage.from_docker_image_asset(
self.docker_image_asset)
# add container to task definition
self.taskDefinition.add_container(
'container',
image=self.docker_image,
logging=ecs.LogDriver.aws_logs(stream_prefix='fargatetask'),
environment={'sns_topic': kwargs.get('sns_topic').topic_name})
kwargs.get('sns_topic').grant_publish(self.taskDefinition.task_role)
rule = events.Rule(
self,
"rule",
description="trigger for fargate task",
enabled=True,
schedule=kwargs.get('schedule'),
targets=[
events_targets.EcsTask(
cluster=kwargs.get('cluster'),
taskDefinition=self.taskDefinition,
securityGroup=kwargs.get('ecs_security_group'),
)
])
def __init__(self, scope: core.Construct, id: str,
network_stack: core.Stack, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
# Create ServiceRole for EC2 instances; enable SSM usage
ec2_instance_role = iam.Role(
self,
"Role",
assumed_by=iam.ServicePrincipal("ec2.amazonaws.com"),
managed_policies=[
iam.ManagedPolicy.from_aws_managed_policy_name(
"AmazonSSMManagedInstanceCore")
],
description="This is a custom role for assuming the SSM role")
# Create security group
ec2_sg = ec2.SecurityGroup(self,
id='test-ec2-instance-sg',
vpc=network_stack.vpc)
# Create Ingress rule to allow ping
ec2_sg.add_ingress_rule(ec2.Peer.ipv4('172.16.0.0/16'),
ec2.Port.all_icmp())
# Create Instance
ec2.Instance(
self,
'Instance',
role=ec2_instance_role,
vpc=network_stack.vpc,
instance_type=ec2.InstanceType.of(
instance_class=ec2.InstanceClass.BURSTABLE3_AMD,
instance_size=ec2.InstanceSize.NANO,
),
machine_image=ec2.AmazonLinuxImage(
generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2, ),
security_group=ec2_sg)
# Set the default route on the subnets to the TGW
for subnet in network_stack.vpc.isolated_subnets:
ec2.CfnRoute(self,
id='vpc-route-all-tgw',
route_table_id=subnet.route_table.route_table_id,
destination_cidr_block='0.0.0.0/0',
transit_gateway_id=network_stack.tgw.ref)
def __init__(self, scope: core.Construct, id: str, vpc: ec2.Vpc, bastion_sg: ec2.SecurityGroup, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
role = iam.Role(self, 'ec2-bastion-role',
assumed_by=iam.ServicePrincipal('ec2.amazonaws.com')
)
# Grant permission to access the MAD secret
role.add_managed_policy(policy=iam.ManagedPolicy.from_managed_policy_arn(self, 'MP1', 'arn:aws:iam::aws:policy/SecretsManagerReadWrite'))
role.add_managed_policy(policy=iam.ManagedPolicy.from_managed_policy_arn(self, 'MP2', 'arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore'))
# Setup UserData
user_data= '<powershell> \n'
user_data+= 'Import-Module AWSPowerShell \n'
user_data+= 'New-NetFirewallRule -DisplayName "Allow local VPC" -Direction Inbound -LocalAddress 10.0.0.0/8 -LocalPort Any -Action Allow \n'
user_data+= 'ADD-WindowsFeature RSAT-AD-Tools \n'
user_data+= 'ADD-WindowsFeature RSAT-DNS-Server \n'
user_data+= '[string]$SecretAD = "MADSecret" \n'
user_data+= '$SecretObj = Get-SECSecretValue -SecretId $SecretAD \n'
user_data+= '[PSCustomObject]$Secret = ($SecretObj.SecretString | ConvertFrom-Json) \n'
user_data+= '$password = $Secret.Password | ConvertTo-SecureString -asPlainText -Force \n'
user_data+= '$username = $Secret.username + "@" + $Secret.Domain \n'
user_data+= '$credential = New-Object System.Management.Automation.PSCredential($username,$password) \n'
user_data+= 'Add-Computer -DomainName $Secret.Domain -Credential $credential -Restart -Force \n'
user_data+= '</powershell> \n'
# Create Bastion
bastion = ec2.Instance(self, 'Bastion',
instance_type=ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE3, ec2.InstanceSize.MEDIUM),
machine_image=ec2.MachineImage.from_ssm_parameter(
parameter_name='/aws/service/ami-windows-latest/Windows_Server-2019-English-Full-Base',
os=ec2.OperatingSystemType.WINDOWS
),
vpc=vpc,
user_data=ec2.UserData.custom(user_data),
#key_name='ec2_key',
role=role,
vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PUBLIC),
security_group=bastion_sg
)
core.CfnOutput(self, "Bastion Host",
value=bastion.instance_public_dns_name
)
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
# Create Bucket
bucket = s3.Bucket(self, "cdk-firehose-bucket")
# IAM Role for Firehose
firehose_role = iam.Role(
self,
"FirehoseRole",
assumed_by=iam.ServicePrincipal(service="firehose.amazonaws.com"))
delivery_policy = iam.Policy(
self,
"FirehosePolicy",
policy_name="FirehosePolicy",
statements=[
iam.PolicyStatement(
effect=iam.Effect.ALLOW,
actions=[
"s3:AbortMultipartUpload", "s3:GetBucketLocation",
"s3:GetObject", "s3:ListBucket",
"s3:ListBucketMultipartUploads", "s3:PutObject"
],
resources=[bucket.bucket_arn, bucket.bucket_arn + "/*"])
])
delivery_policy.attach_to_role(firehose_role)
# Firehose stream
delivery_stream = firehose.CfnDeliveryStream(
self,
"QueueingStream",
delivery_stream_name="QueueingStream",
s3_destination_configuration={
"bucketArn": bucket.bucket_arn,
"roleArn": firehose_role.role_arn
},
elasticsearch_destination_configuration=None)
# delivery_stream.add_depends_on(firehose_role)
# We assign the stream's arn and name to a local variable for the Object.
self._delivery_stream_name = delivery_stream.delivery_stream_name
self._delivery_stream_arn = delivery_stream.attr_arn
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
vpc = ec2.Vpc(
self,
"VPC",
nat_gateways=0,
subnet_configuration=[
ec2.SubnetConfiguration(name="public",
subnet_type=ec2.SubnetType.PUBLIC)
],
)
ami_amazon_linux = ec2.MachineImage.latest_amazon_linux(
generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2,
edition=ec2.AmazonLinuxEdition.STANDARD,
virtualization=ec2.AmazonLinuxVirt.HVM,
storage=ec2.AmazonLinuxStorage.GENERAL_PURPOSE,
)
role = iam.Role(self,
"InstanceSSM",
assumed_by=iam.ServicePrincipal("ec2.amazonaws.com"))
ec2.Instance(
self,
"Instance",
instance_type=ec2.InstanceType("t2.micro"),
machine_image=ami_amazon_linux,
vpc=vpc,
role=role,
)
security_group = aws_ec2.SecurityGroup(
self,
"EC2SecurityGroup",
vpc=vpc,
description="EC2 security group via CDK",
security_group_name="CDK SecurityGroup",
)
security_group.add_ingress_rule(
aws_ec2.Peer.ipv4("10.0.0.0/16"),
aws_ec2.Port.tcp(22),
"allow ssh access from the VPC",
)
def __init__(self,
scope: core.Construct,
id: str,
TargetS3="default",
**kwargs):
super().__init__(scope, id, **kwargs)
self.function_list = {}
self.lambda_compute_role = _iam.Role(
self,
'lambda_compute_role',
assumed_by=_iam.CompositePrincipal(
_iam.ServicePrincipal('lambda.amazonaws.com'), ),
managed_policies=[
_iam.ManagedPolicy.from_aws_managed_policy_name(
"CloudWatchLogsFullAccess")
])
TargetS3.grant_read_write(self.lambda_compute_role)
self.Get_Job_List = _lambda.Function(
self,
'Get_Job_List',
runtime=_lambda.Runtime.PYTHON_3_7,
handler='get_job_list.handler',
code=_lambda.Code.asset('workshop/lambda/get_job_list'),
# environment = {
# 'BUCKET': "",
# 'KEY': "",
# },
timeout=core.Duration.seconds(15),
role=self.lambda_compute_role)
self.function_list["Get_Job_List"] = self.Get_Job_List
self.Get_Output_size = _lambda.Function(
self,
'Get_Output_size',
runtime=_lambda.Runtime.PYTHON_3_7,
handler='get_output_size.handler',
code=_lambda.Code.asset('workshop/lambda/get_output_size'),
timeout=core.Duration.seconds(15),
role=self.lambda_compute_role)
self.function_list["Get_Output_size"] = self.Get_Output_size
def create_ecs_role(stack):
ecs_role = iam.Role(
stack,
'FargateTaskExecutionServiceRole',
assumed_by=iam.ServicePrincipal('ecs-tasks.amazonaws.com'))
ecs_role.add_to_policy(
iam.PolicyStatement(effect=iam.Effect('ALLOW'),
resources=['*'],
actions=[
'ecr:GetAuthorizationToken',
'ecr:BatchCheckLayerAvailability',
'ecr:GetDownloadUrlForLayer',
'ecr:BatchGetImage',
'logs:CreateLogStream', 'logs:PutLogEvents'
]))
return ecs_role
def __init__(self, app: App, id: str) -> None:
super().__init__(app, id)
# Lambda Function
with open("lambda-handler.py", encoding="utf8") as fp:
handler_code = fp.read()
lambdaFn = _lambda.Function(
self,
"IoTTriggerLambda",
code=_lambda.InlineCode(handler_code),
handler="index.main",
timeout=Duration.seconds(10),
runtime=_lambda.Runtime.PYTHON_3_9,
)
# Set Lambda Logs Retention and Removal Policy
logs.LogGroup(self,
'logs',
log_group_name=f"/aws/lambda/{lambdaFn.function_name}",
removal_policy=RemovalPolicy.DESTROY,
retention=logs.RetentionDays.ONE_DAY)
# IoT Thing
iot_thing = iot.CfnThing(self, "IoTThing", thing_name="MyIotThing")
# IoT Rule with SQL, which invokes a Lambda Function
iot_topic_rule_sql = 'SELECT * FROM "$aws/things/MyIotThing/*"'
iot_topic_rule = iot.CfnTopicRule(
self,
"IoTRule",
topic_rule_payload=iot.CfnTopicRule.TopicRulePayloadProperty(
sql=iot_topic_rule_sql,
actions=[
iot.CfnTopicRule.ActionProperty(
lambda_=iot.CfnTopicRule.LambdaActionProperty(
function_arn=lambdaFn.function_arn))
]))
# Lambda Resource Policy allows invocation from IoT Rule
lambdaFn.add_permission(
"GrantIoTRule",
principal=iam.ServicePrincipal("iot.amazonaws.com"),
source_arn=iot_topic_rule.attr_arn)
def __init__(self, scope: core.Construct, id: str, props,
**kwargs) -> None:
super().__init__(scope, id, **kwargs)
vpc = ec2.Vpc(self, f"{props['namespace'].lower()}-vpc", max_azs=3)
cluster = ecs.Cluster(self,
f"{props['namespace'].lower()}-cluster",
vpc=vpc)
task_role = iam.Role(
self,
f"{props['namespace'].lower()}-task-role",
assumed_by=iam.ServicePrincipal('ecs-tasks.amazonaws.com'))
task_role.add_to_policy(
iam.PolicyStatement(
effect=iam.Effect.ALLOW,
actions=["lambda:*", "cloudwatch:*", "dynamodb:*", "logs:*"],
resources=["*"]))
service = ecs_patterns.ApplicationLoadBalancedFargateService(
self,
f"{props['namespace'].lower()}",
cluster=cluster, # Required
cpu=512, # Default is 256
desired_count=6, # Default is 1
task_image_options=ecs_patterns.
ApplicationLoadBalancedTaskImageOptions(
image=ecs.ContainerImage.from_ecr_repository(
props['ecr'], f"{props['namespace']}"),
container_name="regulators",
container_port=8000,
task_role=task_role),
memory_limit_mib=2048, # Default is 512
public_load_balancer=True # Default is False
)
service.target_group.health_check = elb.HealthCheck(
protocol=elb.Protocol.HTTP,
port='8000',
path='/',
healthy_threshold_count=2,
unhealthy_threshold_count=4)
def __init__(self, scope: core.Construct, id: str, vpc: ec2.IVpc,
db_instance_class: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
stack = core.Stack.of(self)
role = iam.Role(
self,
'NeptuneRole',
assumed_by=iam.ServicePrincipal('rds.amazonaws.com'),
)
sg = ec2.SecurityGroup(
self,
'SecurityGroup',
vpc=vpc,
)
subnet_group = neptune.CfnDBSubnetGroup(
self,
'SubnetGroup',
db_subnet_group_name='{}-subnet-group'.format(
stack.stack_name.lower()),
db_subnet_group_description='Private subnets',
subnet_ids=[subnet.subnet_id for subnet in vpc.private_subnets])
cluster = neptune.CfnDBCluster(
self,
'Cluster',
db_subnet_group_name=subnet_group.ref,
vpc_security_group_ids=[sg.security_group_id],
associated_roles=[{
'roleArn': role.role_arn
}])
neptune.CfnDBInstance(
self,
'Instance',
db_cluster_identifier=cluster.ref,
db_instance_class=db_instance_class,
)
self.endpoint = cluster.attr_endpoint
self.role = role
self.security_group = sg
def __init__(
self,
scope: core.Construct,
id: str,
cluster_name: str,
**kwargs,
) -> None:
super().__init__(scope, id, **kwargs)
# EKS admin role
self._clusterAdminRole = iam.Role(
self, 'clusterAdmin', assumed_by=iam.AccountRootPrincipal())
self._clusterAdminRole.add_to_policy(
iam.PolicyStatement(
resources=["*"],
actions=[
"eks:Describe*", "eks:List*", "eks:AccessKubernetesApi",
"ssm:GetParameter", "iam:ListRoles"
],
))
core.Tags.of(self._clusterAdminRole).add(key='eks/%s/type' %
cluster_name,
value='admin-role')
# Managed Node Group Instance Role
_managed_node_managed_policies = (
iam.ManagedPolicy.from_aws_managed_policy_name(
'AmazonEKSWorkerNodePolicy'),
iam.ManagedPolicy.from_aws_managed_policy_name(
'AmazonEKS_CNI_Policy'),
iam.ManagedPolicy.from_aws_managed_policy_name(
'AmazonEC2ContainerRegistryReadOnly'),
iam.ManagedPolicy.from_aws_managed_policy_name(
'CloudWatchAgentServerPolicy'),
)
self._managed_node_role = iam.Role(
self,
'NodeInstance-Role',
role_name=cluster_name + '-NodeInstanceRole',
path='/',
assumed_by=iam.ServicePrincipal('ec2.amazonaws.com'),
managed_policies=list(_managed_node_managed_policies),
)
def __init__(self, scope: core.Construct, id: str,
api_gateway: aws_apigateway.RestApi, **kwargs):
super().__init__(scope, id, **kwargs)
vpc = ec2.Vpc.from_lookup(self, id="default", is_default=True)
self.redis = self.create_redis(vpc)
ecr_image = aws_lambda.EcrImageCode.from_asset_image(
directory=os.path.join(os.getcwd(), "startuptoolbag/lambda-redis"))
lambda_vpc_role = aws_iam.Role(
self,
id='lambda-vpc-role2',
assumed_by=aws_iam.ServicePrincipal("lambda.amazonaws.com"),
managed_policies=[
aws_iam.ManagedPolicy.from_aws_managed_policy_name(
'service-role/AWSLambdaBasicExecutionRole'),
aws_iam.ManagedPolicy.from_aws_managed_policy_name(
'service-role/AWSLambdaVPCAccessExecutionRole')
])
lambda_function = aws_lambda.Function(
self,
id="lambdaRedisContainerFunction",
description="LambdaRedisFunction",
code=ecr_image,
handler=aws_lambda.Handler.FROM_IMAGE,
runtime=aws_lambda.Runtime.FROM_IMAGE,
environment={
"CACHE_ADDRESS": self.redis.attr_redis_endpoint_address,
"CACHE_PORT": self.redis.attr_redis_endpoint_port
},
role=lambda_vpc_role,
vpc=vpc,
allow_public_subnet=True,
memory_size=128,
reserved_concurrent_executions=10,
timeout=core.Duration.seconds(10))
foo_r = api_gateway.root.add_resource("cache")
foo_r.add_method('GET',
aws_apigateway.LambdaIntegration(lambda_function))
def _create_glue_role(self):
"""
Setup the permissions our glue crawler needs to have
"""
return iam.Role(
self,
id=f"GlueServiceRole",
assumed_by=iam.ServicePrincipal("glue.amazonaws.com"),
managed_policies=[
iam.ManagedPolicy.from_aws_managed_policy_name(
"service-role/AWSGlueServiceRole"),
iam.ManagedPolicy.from_aws_managed_policy_name(
"AmazonS3FullAccess"),
iam.ManagedPolicy.from_aws_managed_policy_name(
"CloudWatchLogsFullAccess"),
iam.ManagedPolicy.from_aws_managed_policy_name(
"AmazonSSMReadOnlyAccess"),
],
)
def __init__(self, scope: core.Construct, id: str, vpc: ec2.IVpc,
**kwargs) -> None:
super().__init__(scope, id, **kwargs)
role = iam.Role(
self,
'Ec2Role',
assumed_by=iam.ServicePrincipal('ec2.amazonaws.com'),
managed_policies=[
iam.ManagedPolicy.from_aws_managed_policy_name(
'AmazonSSMManagedInstanceCore'),
],
)
sg = ec2.SecurityGroup(
self,
'SecurityGroup',
vpc=vpc,
)
# TODO: add this to userdata
# yum install java-1.8.0-devel -y
# wget https://archive.apache.org/dist/tinkerpop/3.4.1/apache-tinkerpop-gremlin-console-3.4.1-bin.zip
# unzip apache-tinkerpop-gremlin-console-3.4.1-bin.zip
# cd apache-tinkerpop-gremlin-console-3.4.1
# wget https://www.amazontrust.com/repository/SFSRootCAG2.pem
ec2.Instance(
self,
'Instance',
role=role,
vpc=vpc,
security_group=sg,
instance_type=ec2.InstanceType.of(
instance_class=ec2.InstanceClass.BURSTABLE3_AMD,
instance_size=ec2.InstanceSize.NANO,
),
machine_image=ec2.AmazonLinuxImage(
generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2, ),
)
self.role = role
self.security_group = sg
def __init__(self, scope: core.Construct, id: str, vpc: ec2.IVpc,
config: dict, region: str, **kwargs):
super().__init__(scope, id, **kwargs)
### EC2 Server for Jenkins
image = ec2.GenericLinuxImage({
region: config["ami_id"],
}, )
role = iam.Role(self,
"InstanceSSM",
assumed_by=iam.ServicePrincipal("ec2.amazonaws.com"))
role.add_managed_policy(
iam.ManagedPolicy.from_aws_managed_policy_name(
"service-role/AmazonEC2RoleforSSM"))
subnet = vpc.select_subnets(
subnet_type=ec2.SubnetType.PRIVATE).subnets[0]
subnet_selection = ec2.SubnetSelection(subnets=[subnet])
self.security_group = ec2.SecurityGroup(self, "EC2SG", vpc=vpc)
self._instance = ec2.Instance(self,
"EC2",
instance_type=ec2.InstanceType(
config["instance_type"]),
machine_image=image,
vpc=vpc,
vpc_subnets=subnet_selection,
role=role,
security_group=self.security_group)
### Lambda for github webhooks
self._webhook_forwarder = _lambda.Function(
self,
"WebHookForwarder",
runtime=_lambda.Runtime.PYTHON_3_8,
code=_lambda.Code.from_asset(
os.path.join(dirname, "lambda", "webhook_forwarder")),
handler="lambda_function.lambda_handler",
vpc=vpc,
vpc_subnets=ec2.SubnetSelection(subnets=vpc.select_subnets(
subnet_type=ec2.SubnetType.PRIVATE).subnets))
def _add_role(self) -> iam.Role:
"""
Add IAM role to the stack
"""
role = iam.Role(self,
'VPNInstanceRole',
assumed_by=iam.ServicePrincipal('ec2.amazonaws.com'))
# add access to outputs of the current stack to ec2 instance
role.add_to_policy(
iam.PolicyStatement(resources=[
self.format_arn(resource="stack/vpn-cdk/*",
service="cloudformation")
],
actions=['cloudformation:*']))
# add policy to allow elastic ip association
role.add_to_policy(
iam.PolicyStatement(resources=['*'],
actions=['ec2:AssociateAddress']))
return role
def create_ecs(self, vpc, sg_dictionary, repository):
# Cluster
cluster = _ecs.Cluster(
self, 'Cluster',
cluster_name='DEMO-CLUSTER',
vpc=vpc
)
# Role(task execution)
execution_role = _iam.Role(
self, 'ExecutionRole',
role_name='DEMO-TASK-EXECUTION-ROLE',
assumed_by=_iam.ServicePrincipal('ecs-tasks.amazonaws.com')
)
execution_role.add_managed_policy(_iam.ManagedPolicy.from_aws_managed_policy_name('service-role/AmazonECSTaskExecutionRolePolicy'))
# TaskDefinition
task_def = _ecs.TaskDefinition(
self, 'TaskDefinition',
compatibility=_ecs.Compatibility.FARGATE,
cpu='2048',
memory_mib='8192',
network_mode=_ecs.NetworkMode.AWS_VPC,
execution_role=execution_role,
family='DEMO-TASK',
task_role=execution_role,
)
# Container
container = task_def.add_container(
id='DEMO-CONTAINER',
image=_ecs.ContainerImage.from_ecr_repository(repository),
logging=_ecs.LogDriver.aws_logs(
stream_prefix='ecs',
log_group=_logs.LogGroup(
self, 'LogGroup',
log_group_name='/ecs/'+'DEMO-TASK',
retention=_logs.RetentionDays.INFINITE,
)
)
)
container.add_port_mappings(_ecs.PortMapping(container_port=8080))
def __init__(self, scope: core.Construct, id: str, props_vpc,
**kwargs) -> None:
super().__init__(scope, id, **kwargs)
role = iam.Role(self,
"ec2Role",
assumed_by=iam.ServicePrincipal("ec2.amazonaws.com"))
role.add_to_policy(
iam.PolicyStatement(resources=["*"], actions=["s3:*"]))
ec2_security_group = ec2.SecurityGroup(
self,
"sg-ec2",
vpc=props_vpc['vpc'],
security_group_name='adl-ec2-sg')
bastion = ec2.Instance(
self,
"ubuntu-bastion",
vpc=props_vpc['vpc'],
machine_image=linux,
key_name="adl-keypair-dev-us-east-1",
instance_type=ec2.InstanceType(
instance_type_identifier="t2.micro"),
vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PUBLIC),
instance_name='adl-bastion-test',
role=role,
#security_group=ssh_security_group
)
# Connections
bastion.add_security_group(ec2_security_group)
bastion.connections.allow_from_any_ipv4(ec2.Port.tcp(22),
'Allow inbound SSH')
bastion.connections.allow_from_any_ipv4(ec2.Port.tcp(8080),
'Allow inbound HTTP')
for ssh_sg in bastion.connections.security_groups:
ec2_security_group.connections.allow_from(
ssh_sg, ec2.Port.all_tcp(), "SSH Access to EC2 Group")
# Outputs
props_ec2 = {"namespace": "ec2_props"}
self.output_props_ec2 = props_ec2.copy()
self.output_props_ec2['ec2-sg'] = ec2_security_group
def create_sagemaker_train_role(self, name):
# Config role
base_role = iam.Role(
self,
"gw_sagemaker_train_role_{}".format(name),
assumed_by=iam.ServicePrincipal("sagemaker.amazonaws.com"))
base_role.add_managed_policy(
iam.ManagedPolicy.from_aws_managed_policy_name(
"AmazonS3FullAccess"))
base_role.add_managed_policy(
iam.ManagedPolicy.from_aws_managed_policy_name(
"AmazonSageMakerFullAccess"))
#base_role.add_managed_policy(iam.ManagedPolicy.from_aws_managed_policy_name("AmazonElasticContainerRegistryPublicFullAccess"))
#base_role.add_managed_policy(iam.ManagedPolicy.from_aws_managed_policy_name("AmazonEC2ContainerRegistryPublicFullAccess"))
base_role.add_managed_policy(
iam.ManagedPolicy.from_aws_managed_policy_name(
"AmazonEC2ContainerRegistryFullAccess"))
return base_role
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
lambda_role = aws_iam.Role(
self,
id='Lambda-BERT-Endpoint-Role',
assumed_by=aws_iam.ServicePrincipal('lambda.amazonaws.com'))
lambda_role.add_managed_policy(
aws_iam.ManagedPolicy.from_aws_managed_policy_name(
'AmazonSageMakerFullAccess'))
lambda_function = _lambda.Function(
self,
id='Lambda-BERT-Trigger',
runtime=_lambda.Runtime.PYTHON_3_8,
code=_lambda.Code.asset('lambda_function'),
handler='endpoint_trigger.lambda_handler',
function_name='Lambda-BERT-Trigger',
role=lambda_role)
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
# VPC
vpc = ec2.Vpc(self, "VPC",
nat_gateways=0,
subnet_configuration=[ec2.SubnetConfiguration(name="public",subnet_type=ec2.SubnetType.PUBLIC)]
)
# AMI
amzn_linux = ec2.MachineImage.latest_amazon_linux(
generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2,
edition=ec2.AmazonLinuxEdition.STANDARD,
virtualization=ec2.AmazonLinuxVirt.HVM,
storage=ec2.AmazonLinuxStorage.GENERAL_PURPOSE
)
# Instance Role and SSM Managed Policy
role = iam.Role(self, "InstanceSSM", assumed_by=iam.ServicePrincipal("ec2.amazonaws.com"))
role.add_managed_policy(iam.ManagedPolicy.from_aws_managed_policy_name("AmazonSSMManagedInstanceCore"))
# Instance
instance = ec2.Instance(self, "Instance",
instance_type=ec2.InstanceType("t3.nano"),
machine_image=amzn_linux,
vpc = vpc,
role = role
)
# Script in S3 as Asset
asset = Asset(self, "Asset", path=os.path.join(dirname, "configure.sh"))
local_path = instance.user_data.add_s3_download_command(
bucket=asset.bucket,
bucket_key=asset.s3_object_key
)
# Userdata executes script from S3
instance.user_data.add_execute_file_command(
file_path=local_path
)
asset.grant_read(instance.role)
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
# Create ECR Repository
ghost_repo = ecr.Repository(
self, "GhostRepo",
repository_name="ghost"
)
# Create IAM Role For CodeBuild
ghost_build_role = iam.Role(
self, "GhostBuildRole",
assumed_by=iam.ServicePrincipal("codebuild.amazonaws.com"),
managed_policies=[
iam.ManagedPolicy.from_aws_managed_policy_name("EC2InstanceProfileForImageBuilderECRContainerBuilds")
]
)
# We only want to fire on the master branch and if there is a change in the dockerbuild folder
git_hub_source = codebuild.Source.git_hub(
owner="jasonumiker",
repo="k8s-plus-aws-gitops",
webhook=True,
webhook_filters=[
codebuild.FilterGroup.in_event_of(codebuild.EventAction.PUSH).and_branch_is("master").and_file_path_is("dockerbuild/*")
]
)
# Create CodeBuild
build_project = codebuild.Project(
self, "GhostBuildProject",
source=git_hub_source,
role=ghost_build_role,
build_spec=codebuild.BuildSpec.from_source_filename("dockerbuild/buildspec.yml"),
environment={
'privileged': True,
},
environment_variables={
'AWS_ACCOUNT_ID': codebuild.BuildEnvironmentVariable(value=self.account),
'IMAGE_REPO_NAME': codebuild.BuildEnvironmentVariable(value=ghost_repo.repository_name)
}
)
def _create_lambda(self):
role = iam.Role(
self,
"LambdaPrepareDbRole",
assumed_by=iam.ServicePrincipal("lambda.amazonaws.com"),
description="Role for Lambda preparing RDS",
role_name=f"{self.name_prefix}-lambda-prepare-db-role",
managed_policies=[
#iam.ManagedPolicy.from_aws_managed_policy_name("AWSLambdaBasicExecutionRole"),
iam.ManagedPolicy.from_aws_managed_policy_name(
"service-role/AWSLambdaVPCAccessExecutionRole"),
iam.ManagedPolicy.from_aws_managed_policy_name(
"SecretsManagerReadWrite"),
],
)
lambda_function_id = f"{self.name_prefix}-prepare_db_function"
lambda_function_path = str(pathlib.Path(
__file__).resolve().parent) + "/lambdafn/prepare_db_function/"
lambda_layer_path = str(pathlib.Path(
__file__).resolve().parent) + "/lambdafn/lambda_layer/"
layer = aws_lambda.LayerVersion(
self, 'Layer', code=aws_lambda.AssetCode(lambda_layer_path))
lambda_fn = aws_lambda.Function(
scope=self,
id=lambda_function_id,
function_name=lambda_function_id,
code=aws_lambda.AssetCode(path=lambda_function_path),
handler="lambda_handler.lambda_handler",
layers=[layer],
timeout=Duration.seconds(300),
runtime=aws_lambda.Runtime.PYTHON_3_7,
role=role,
description="write some description for this lambda",
security_groups=[self.security_group],
vpc=self.vpc,
vpc_subnets=self.subnet_selection)
lambda_fn.add_environment('SECRETS_NAME', self.rds.secret.secret_arn)
lambda_fn.add_environment('REGION_NAME', self.region)
def __init__(self,
scope,
id,
*,
name=None,
directory=None,
bucket=None,
key=None) -> None:
super().__init__(scope, id)
# ==================================================
# ================= IAM ROLE =======================
# ==================================================
lambda_role = iam.Role(
scope=self,
id='lambda_role',
assumed_by=iam.ServicePrincipal(service='lambda.amazonaws.com'),
managed_policies=[
iam.ManagedPolicy.from_aws_managed_policy_name(
'AWSLambdaExecute')
])
# ==================================================
# =================== ECR IMAGE ====================
# ==================================================
ecr_image = aws_lambda.DockerImageCode.from_image_asset(
repository_name=name, directory=directory)
# ==================================================
# ================ LAMBDA FUNCTION =================
# ==================================================
self.lambda_function = aws_lambda.DockerImageFunction(
scope=self,
id='lambda',
function_name=name,
code=ecr_image,
memory_size=1024,
role=lambda_role,
environment={
'BUCKET': bucket,
'KEY': key
},
timeout=core.Duration.seconds(60))
def __init__(self, scope: core.Construct, id: str, secgroup_name: str, **kwargs):
super().__init__(scope, id, **kwargs)
with open('common/common_cdk/lambda/empty_security_group.py', 'r') as f:
lambda_source = f.read()
# lambda utils to empty security group before deletion
empty_secgroup_lambda = _lambda.SingletonFunction(self, 'EmptySecurityGroupLambda',
uuid="dfs3k8730-4ee1-11e8-9c2d-fdfs65dfsc",
runtime=_lambda.Runtime.PYTHON_3_7,
code=_lambda.Code.inline(lambda_source),
handler='index.handler',
function_name='ara-auto-empty-secgroup'
)
empty_secgroup_lambda_role = _iam.Role(
self, 'AutoEmptyBucketLambdaRole',
assumed_by=_iam.ServicePrincipal('lambda.amazonaws.com')
)
empty_secgroup_lambda_role.add_to_policy(
_iam.PolicyStatement(
actions=[
'ec2:RevokeSecurityGroupIngress',
'ec2:RevokeSecurityGroupEgress'
],
resources=['arn:aws:ec2::'+core.Aws.ACCOUNT_ID+':security-group/'+secgroup_name]
)
)
empty_secgroup_lambda_provider = _custom_resources.Provider(
self, 'EmptyBucketLambdaProvider',
on_event_handler=empty_secgroup_lambda
)
core.CustomResource(
self, 'EmptyBucketCustomResource',
service_token=empty_secgroup_lambda_provider.service_token,
properties={
"secgroup_name": secgroup_name
}
)
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
vpc = ec2.Vpc(self,
"NewInstanceVPC",
nat_gateways=0,
subnet_configuration=[
ec2.SubnetConfiguration(
name="public", subnet_type=ec2.SubnetType.PUBLIC)
])
amzn_linux = ec2.MachineImage.latest_amazon_linux(
generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2,
edition=ec2.AmazonLinuxEdition.STANDARD,
virtualization=ec2.AmazonLinuxVirt.HVM,
storage=ec2.AmazonLinuxStorage.GENERAL_PURPOSE)
role = iam.Role(self,
"InstanceSSM",
assumed_by=iam.ServicePrincipal("ec2.amazonaws.com"))
role.add_managed_policy(
iam.ManagedPolicy.from_aws_managed_policy_name(
"service-role/AmazonEC2RoleforSSM"))
instance = ec2.Instance(
self,
"CDKNewInstance",
instance_type=ec2.InstanceType("t3.nano"),
key_name="arronmoore_com_v2",
machine_image=amzn_linux,
vpc=vpc,
security_group=self.configure_security_group(vpc),
role=role)
asset = Asset(self,
"NewInstanceConfigureScript",
path="./new_instance/configure.sh")
local_path = instance.user_data.add_s3_download_command(
bucket=asset.bucket, bucket_key=asset.s3_object_key)
instance.user_data.add_execute_file_command(file_path=local_path)
def create_crawler_role(self):
"""Crate a role used by crawlers in data lake."""
service = iam.ServicePrincipal("glue.amazonaws.com")
managed_policies = [
iam.ManagedPolicy.from_aws_managed_policy_name(
"service-role/AWSGlueServiceRole"
),
iam.ManagedPolicy.from_aws_managed_policy_name(
"AmazonS3ReadOnlyAccess"
),
]
id_suffix = self.database_name.replace("_", "-")
self._crawler_role = iam.Role(
scope=self,
id=f"oedi-data-lake-crawler-role--{id_suffix}",
role_name=f"oedi_data_lake_cralwer_role__{self.database_name}",
assumed_by=service,
managed_policies=managed_policies,
)
def get_role(self, unique_name: str, service_principal: str) -> iam.Role:
"""
Get the default role for the datajob. We use administrator access
as the policy for our default role.
# todo - we probably want to refine the policies for this role
:param unique_name: a unique name we can give to our role.
:param service_principal: what is the service principal for our service.
for example: glue.amazonaws.com
:return: iam role object.
"""
role_name = unique_name + "-role"
logger.debug(f"creating role {role_name}")
return iam.Role(
self,
role_name,
assumed_by=iam.ServicePrincipal(service_principal),
managed_policies=[
iam.ManagedPolicy.from_aws_managed_policy_name("AdministratorAccess")
],
)
def _create_env_nodegroup_role(self) -> NonPathRole:
name: str = f"orbit-{self.context.name}-{self.context.region}-eks-nodegroup-role"
role = NonPathRole(
scope=self,
id=name,
role_name=name,
assumed_by=cast(iam.IPrincipal,
iam.ServicePrincipal(service="ec2.amazonaws.com")),
managed_policies=[
iam.ManagedPolicy.from_aws_managed_policy_name(
managed_policy_name="AmazonEKSWorkerNodePolicy"),
iam.ManagedPolicy.from_aws_managed_policy_name(
managed_policy_name="AmazonEKS_CNI_Policy"),
iam.ManagedPolicy.from_aws_managed_policy_name(
managed_policy_name="AmazonEC2ContainerRegistryReadOnly"),
iam.ManagedPolicy.from_aws_managed_policy_name(
managed_policy_name="AmazonSSMManagedInstanceCore"),
],
)
return role
def __init__(self, scope: core.Construct, id: str, props,
**kwargs) -> None:
super().__init__(scope, id, **kwargs)
lambda_role = iam.Role(
self,
'IapTesLambdaRole',
assumed_by=iam.ServicePrincipal('lambda.amazonaws.com'),
managed_policies=[
iam.ManagedPolicy.from_aws_managed_policy_name(
'service-role/AWSLambdaBasicExecutionRole')
])
function = lmbda.Function(
self,
'IapTesLambda',
function_name='rnasum_iap_tes_lambda_dev',
handler='iap_tes.lambda_handler',
runtime=lmbda.Runtime.PYTHON_3_7,
code=lmbda.Code.from_asset('lambdas/iap_tes'),
role=lambda_role,
timeout=core.Duration.seconds(20),
environment={
'IAP_API_BASE_URL': props['iap_api_base_url'],
'TASK_ID': props['task_id'],
'TASK_VERSION_WTS': props['task_version_wts'],
'TASK_VERSION_WGS': props['task_version_wgs'],
'SSM_PARAM_NAME': props['ssm_param_name'],
'GDS_REFDATA_FOLDER': props['gds_refdata_folder'],
'GDS_LOG_FOLDER': props['gds_log_folder'],
'RNASUM_IMAGE_NAME': props['rnasum_image_name'],
'RNASUM_IMAGE_TAG': props['rnasum_image_tag'],
'REFDATA_NAME': props['ref_data_name']
})
secret_value = ssm.StringParameter.from_secure_string_parameter_attributes(
self,
"RNAsumJwtToken",
parameter_name=props['ssm_param_name'],
version=props['ssm_param_version'])
secret_value.grant_read(function)