def create_ec2_instance_profile_resource(template, ecs_cluster_role_resource):
return template.add_resource(
iam.InstanceProfile(
'EC2InstanceProfile',
Roles=[Ref(ecs_cluster_role_resource)]
)
)
def add_instance_profile_ecs(self, layer_name, iam_policies, path_prefix):
"""
Helper function to add role and instance profile resources to this
template using the provided iam_policies. The instance_profile will be
created at:
'/<path_prefix>/<layer_name>/'
"""
iam_role_obj = iam.Role(
layer_name + 'IAMRole',
AssumeRolePolicyDocument={
'Statement': [{
'Effect': 'Allow',
'Principal': {
'Service': ['ec2.amazonaws.com', 'ecs.amazonaws.com']
},
'Action': ['sts:AssumeRole']
}]
},
Path=Join('', ['/' + path_prefix + '/', layer_name, '/']))
if iam_policies is not None:
iam_role_obj.Policies = iam_policies
iam_role = self.add_resource(iam_role_obj)
return self.add_resource(
iam.InstanceProfile(layer_name + 'InstancePolicy',
Path='/' + path_prefix + '/',
Roles=[Ref(iam_role)]))
def ssm_global():
template = Template()
ssm_role = iam.Role(
'SsmRole',
RoleName="SsmRole",
ManagedPolicyArns=[
"arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
"arn:aws:iam::aws:policy/AmazonS3FullAccess",
"arn:aws:iam::aws:policy/AmazonEC2FullAccess"
],
AssumeRolePolicyDocument=PolicyDocument(Statement=[
Statement(Effect=Allow,
Action=[Action("sts", "AssumeRole")],
Principal=Principal("Service", "ec2.amazonaws.com"))
]))
ssm_profile = iam.InstanceProfile('SsmProfile',
Roles=[Ref(ssm_role)],
InstanceProfileName="SsmProfile")
template.add_resource(ssm_role)
template.add_resource(ssm_profile)
with open(
os.path.dirname(os.path.realpath(__file__)) + '/ssm_global.yml',
'w') as cf_file:
cf_file.write(template.to_yaml())
return template.to_yaml()
def add_iam_policy(self, policy):
if not hasattr(self, 'policies'):
self.policies = []
if not isinstance(policy, iam.Policy):
raise RuntimeError('Policy must be a troposhere iam.Policy object')
self.policies.append(policy)
self.instance_role = iam.Role('{}InstanceRole'.format(self.name),
AssumeRolePolicyDocument={
'Statement': [{
'Effect':
'Allow',
'Principal': {
'Service':
['ec2.amazonaws.com']
},
'Action': ['sts:AssumeRole']
}]
},
Path='/',
Policies=self.policies)
self.instance_profile = iam.InstanceProfile(
'{}InstanceProfile'.format(self.name),
Path='/',
Roles=[Ref(self.instance_role)])
self.resources[self.instance_role.title] = self.instance_role
self.resources[self.instance_profile.title] = self.instance_profile
def create_instance_profile(self, layer_name, iam_policies=None):
'''
Helper method creates an IAM Role and Instance Profile for the optoinally specified IAM policies
@param layer_name [string] friendly name for the Role and Instance Profile used for naming and path organization
@param iam_policies [Troposphere.iam.Policy[]] array of IAM Policies to be associated with the Role and Instance Profile created
'''
iam_role_obj = iam.Role(
layer_name + 'IAMRole',
AssumeRolePolicyDocument={
'Statement': [{
'Effect': 'Allow',
'Principal': {
'Service': ['ec2.amazonaws.com']
},
'Action': ['sts:AssumeRole']
}]
},
Path=Join('', [
'/' + self.globals.get('environment_name', 'environmentbase') +
'/', layer_name, '/'
]))
if iam_policies != None:
iam_role_obj.Policies = iam_policies
iam_role = self.template.add_resource(iam_role_obj)
return self.template.add_resource(
iam.InstanceProfile(
layer_name + 'InstancePolicy',
Path='/' +
self.globals.get('environment_name', 'environmentbase') + '/',
Roles=[Ref(iam_role)]))
def add_role(self):
self.Ec2Role = self.template.add_resource(
iam.Role("Ec2Role",
RoleName="ec2-role",
Policies=[
iam.Policy(
PolicyName="ec2-policy",
PolicyDocument={
"Version":
"2012-10-17",
"Statement": [{
"Action": [
"ec2:DescribeInstances",
"elasticloadbalancing:Describe*",
"cloudwatch:ListMetrics",
"cloudwatch:GetMetricStatistics",
"cloudwatch:Describe*",
"cloudwatch:PutMetricData",
"autoscaling:Describe*"
],
"Effect":
"Allow",
"Resource": ["*"]
}, {
"Sid":
"Stmt1456922473000",
"Effect":
"Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:DescribeLogStreams"
],
"Resource": ["arn:aws:logs:*:*:*"]
}]
},
)
],
AssumeRolePolicyDocument={
"Version":
"2008-10-17",
"Statement": [{
"Action": ["sts:AssumeRole"],
"Effect": "Allow",
"Principal": {
"Service": ["ec2.amazonaws.com"]
}
}]
}))
self.inst_profile = self.template.add_resource(
iam.InstanceProfile("InstanceProfile", Roles=[Ref(self.Ec2Role)]))
def add_instance_profile(self, stack_name, template, provision_refs):
role = template.add_resource(
iam.Role(
"Role",
RoleName=f'{stack_name}-role',
Policies=[
iam.Policy(
PolicyName=f'{stack_name}-s3-policy',
PolicyDocument={
"Version":
"2012-10-17",
"Statement": [{
"Sid":
"Troposphere0",
"Effect":
"Allow",
"Action": [
"s3:PutAccountPublicAccessBlock",
"s3:GetAccountPublicAccessBlock",
"s3:ListAllMyBuckets", "s3:HeadBucket"
],
"Resource":
"*"
}, {
"Sid":
"Troposphere1",
"Effect":
"Allow",
"Action":
"s3:*",
"Resource": [
"arn:aws:s3:::shipchain-network-dist",
f"arn:aws:s3:::shipchain-network-dist/jumpstart/{stack_name}/*"
]
}]
})
],
AssumeRolePolicyDocument={
"Version":
"2008-10-17",
"Statement": [{
"Action": ["sts:AssumeRole"],
"Effect": "Allow",
"Principal": {
"Service": ["ec2.amazonaws.com"]
}
}]
}))
provision_refs.instance_profile = template.add_resource(
iam.InstanceProfile("InstanceProfile", Roles=[Ref(role)]))
def _build_template(self, template):
t = super(EC2Profile, self)._build_template(template)
role = t.resources[self.name]
instance_profile = t.add_resource(
iam.InstanceProfile("{}EC2Profile".format(self.name),
Path="/",
Roles=[Ref(role)]))
t.add_output([
Output('{}InstanceProfile'.format(self.name),
Value=Ref(instance_profile))
])
def create_role(self, name, assumerole_policy):
t = self.template
v = self.get_variables()
role_kwargs = {
'AssumeRolePolicyDocument': assumerole_policy,
}
attached_policies = v['AttachedPolicies']
if attached_policies:
role_kwargs['ManagedPolicyArns'] = attached_policies
path = v['Path']
if path:
role_kwargs['Path'] = path
role = t.add_resource(iam.Role(name, **role_kwargs))
t.add_output(Output(name + "RoleName", Value=Ref(role)))
t.add_output(Output(name + "RoleArn", Value=GetAtt(role.title, "Arn")))
if v['InstanceProfile']:
profile_kwargs = {
'Roles': [
Ref(role),
],
}
if path:
profile_kwargs['Path'] = path
instance_profile = t.add_resource(
iam.InstanceProfile(name + 'InstanceProfile',
**profile_kwargs))
t.add_output(
Output("InstanceProfileName", Value=Ref(instance_profile)))
t.add_output(
Output("InstanceProfileArn",
Value=GetAtt(instance_profile.title, "Arn")))
self.roles.append(role)
return role
def add_iam_role(self):
self.iam_role = self.template.add_resource(
iam.Role("iamRole",
Path="/",
AssumeRolePolicyDocument={
"Statement": [{
"Effect": "Allow",
"Principal": {
"Service": ["ec2.amazonaws.com"]
},
"Action": ["sts:AssumeRole"]
}]
},
Policies=[
iam.Policy(PolicyName="Ec2Access",
PolicyDocument={
"Statement": [{
"Effect":
"Allow",
"Action":
["ec2:DescribeInstances"],
"Resource":
"*"
}],
}),
iam.Policy(
PolicyName="DynamoDB",
PolicyDocument={
"Statement": [{
"Effect":
"Allow",
"Action":
"dynamodb:*",
"Resource":
"arn:aws:dynamodb:" + self.region + ":" +
self.account_id + ":table/terminateDB"
}]
})
]))
self.cfninstanceprofile = self.template.add_resource(
iam.InstanceProfile("InstanceProfile", Roles=[Ref(self.iam_role)]))
def __init__(self, parameters, groups, roles):
super(Users, self).__init__()
self.DanielPilch = iam.User(
"DanielPilch",
Path="/",
LoginProfile=iam.LoginProfile(Password=Ref(
parameters.DefaultPassword.title),
PasswordResetRequired=True),
)
self.CIUser = iam.User("CIUser", )
# User to group memberships
self.AWSEngineersMembership = iam.UserToGroupAddition(
"AWSEngineersMembership",
GroupName=Ref(groups.AWSEngineers),
Users=[
Ref(self.DanielPilch),
],
)
self.CIDeploymentMembership = iam.UserToGroupAddition(
"CIDeploymentMembership",
GroupName=Ref(groups.CIDeploymentServices),
Users=[
Ref(self.CIUser),
],
)
# EC2 Baseline Instance Profile
self.EC2BaselineProfile = iam.InstanceProfile(
"EC2BaselineProfile",
Path="/",
Roles=[Ref(roles.EC2Baseline)],
InstanceProfileName="EC2BaselineProfile")
def add_profile(self, access_to):
InstancePolicy1 = iam.Policy(
"InstancePolicy1",
PolicyName="InstancePolicy1",
PolicyDocument={
"Version": "2012-10-17",
"Statement": [
{
"Action": [access_to],
"Resource": ["*"],
"Effect": "Allow",
}
],
},
)
role = iam.Role(
"InstanceRole1",
AssumeRolePolicyDocument={
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {"Service": "ec2.amazonaws.com"},
"Effect": "Allow",
}
],
},
Policies=[InstancePolicy1],
)
profile = iam.InstanceProfile(
"InstanceProfile1",
Roles=[Ref(role)],
InstanceProfileName="someString",
)
self.t.add_resource(role)
self.t.add_resource(profile)
iam.Role(
"TaskRole",
AssumeRolePolicyDocument={
'Statement': [{
'Effect': 'Allow',
'Principal': {
'Service': ['ecs-tasks.amazonaws.com']
},
'Action': ["sts:AssumeRole"]
}]
},
))
# Create Instance Profile
InstanceProfile = t.add_resource(
iam.InstanceProfile("InstanceProfile", Roles=[Ref(InstanceRole)]))
# Create the Policies and associate them with the above roles
# Policy to read/write to the ECR Repository
ECRAccessPolicy = t.add_resource(
iam.PolicyType(
"ECRAccessPolicy",
PolicyName="shibboleth-ecr",
PolicyDocument={
'Version':
'2012-10-17',
'Statement': [
{
'Action': ['ecr:GetAuthorizationToken'],
'Resource': ['*'],
'Effect': 'Allow'
),
awacs.aws.Statement(
Effect=awacs.aws.Allow,
Action=[
awacs.aws.Action('autoscaling', 'Describe*'),
awacs.aws.Action('elasticloadbalancing', 'Describe*'),
],
Resource=['*'],
),
], ),
Roles=[Ref(ROLE)],
))
INSTANCE_PROFILE = TEMPLATE.add_resource(
iam.InstanceProfile(
'InstanceProfile',
Roles=[Ref(ROLE)],
))
INSTANCE_TYPE = TEMPLATE.add_parameter(
Parameter(
'InstanceType',
Type=STRING,
Default=M4_LARGE,
AllowedValues=[
M4_LARGE, M4_XLARGE, M4_2XLARGE, M4_4XLARGE, M4_10XLARGE
],
))
KEY_NAME = TEMPLATE.add_parameter(Parameter(
'KeyName',
Type=KEY_PAIR_NAME,
),
]
)
logs_writer_policy = iam.Policy(
'LogsWriterPolicy',
PolicyName='LogsWriterPolicy',
PolicyDocument=logs_writer_policy_doc
)
our_only_role = stack.add_resource(iam.Role('OurOnlyRole',
AssumeRolePolicyDocument=trust.get_default_assumerole_policy(),
Policies=[logs_writer_policy],
))
instance_profile = stack.add_resource(iam.InstanceProfile(
'OurOnlyInstanceProfile',
Roles=[Ref(our_only_role)],
))
default_instance_sg = stack.add_resource(ec2.SecurityGroup(
'DefaultInstanceSG',
GroupDescription='Default group for instances to be in',
SecurityGroupIngress=[
ec2.SecurityGroupRule(
IpProtocol='6',
CidrIp='172.31.22.10/32',
ToPort=22,
FromPort=22,
)
]
))
def attach(self):
"""Attached an IAM Role, IAM Policy, and EC2 Instance Profile to a
CloudFormation template and returns the template."
"""
self.template.add_resource(
iam.Role(
'RoleResource',
AssumeRolePolicyDocument={
"Version":
"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"Service":
["ec2.amazonaws.com", "opsworks.amazonaws.com"]
},
"Action": ["sts:AssumeRole"]
}]
},
ManagedPolicyArns=[
"arn:aws:iam::aws:policy/AmazonS3FullAccess",
],
Path="/"))
# Inline policy for the given role defined in the Roles attribute.
self.template.add_resource(
iam.PolicyType(
'LogPolicyResource',
PolicyName=Ref(self.template.parameters['LogPolicyName']),
PolicyDocument={
"Version":
"2012-10-17",
"Statement": [{
"Effect":
"Allow",
"Resource": ["*"],
"Action": [
"logs:CreateLogGroup", "logs:CreateLogStream",
"logs:PutLogEvents", "logs:DescribeLogStreams"
]
}]
},
Roles=[Ref(self.template.resources['RoleResource'])]))
# Inline policy for the given role defined in the Roles attribute.
self.template.add_resource(
iam.PolicyType(
'DefaultPolicyResource',
PolicyName='DefaultPolicyName',
PolicyDocument={
"Version":
"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Resource": ["*"],
"Action": ["cloudformation:*"]
}]
},
Roles=[Ref(self.template.resources['RoleResource'])]))
self.template.add_resource(
iam.InstanceProfile(
'InstanceProfileResource',
Path="/",
Roles=[Ref(self.template.resources['RoleResource'])]))
self.template.add_resource(
LogGroup('LogGroupResource',
RetentionInDays=Ref(
self.template.parameters['LogRetentionDays']),
DeletionPolicy='Delete'))
self.template.add_output(
Output("LogGroupName",
Description="LogGroupName (Physical ID)",
Value=Ref(self.template.resources['LogGroupResource'])))
return self.template
Action=[Action('lambda', 'InvokeFunction')],
Resource=[
'arn:aws:lambda:eu-west-1:*:function:delete_cfn_stack'
]),
]
}),
],
# ManagedPolicyArns=[
# 'arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforEC2Role'
# ]
))
emr_instance_profile = template.add_resource(
iam.InstanceProfile(
'EMRInstanceProfile',
InstanceProfileName='GenericEMRInstanceProfile',
Roles=[Ref(emr_job_flow_role)],
))
# Output
template.add_output([
Output('EMRServiceRole',
Value=Ref(emr_service_role),
Description='Service role needed by EMR'),
Output('EMRInstanceProfile',
Value=Ref(emr_instance_profile),
Description='Instance profile for nodes in EMR cluster'),
Output('EMRJobFlowRole',
Value=Ref(emr_job_flow_role),
Description='Job Flow role needed by EMR'),
Output('EMRInstanceProfileArn',
"EMRJobFlowRole",
AssumeRolePolicyDocument={
"Statement": [{
"Effect": "Allow",
"Principal": {
"Service": ["ec2.amazonaws.com"]
},
"Action": ["sts:AssumeRole"]
}]
},
ManagedPolicyArns=[
'arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforEC2Role'
]))
emr_instance_profile = template.add_resource(
iam.InstanceProfile("EMRInstanceProfile", Roles=[Ref(emr_job_flow_role)]))
# EMR Cluster Resource
cluster = template.add_resource(
emr.Cluster("EMRSampleCluster",
Name="EMR Sample Cluster",
ReleaseLabel='emr-4.4.0',
BootstrapActions=[
emr.BootstrapActionConfig(
Name='Dummy bootstrap action',
ScriptBootstrapAction=emr.ScriptBootstrapActionConfig(
Path='/bin/sh', Args=['echo', 'Hello World']))
],
Configurations=[
emr.Configuration(Classification="core-site",
def main():
t = Template("A template to create a load balanced autoscaled Web flask deployment using ansible.")
addMapping(t)
### VPC CONFIGURATION ###
vpc = ec2.VPC(
"MainVPC",
CidrBlock="10.1.0.0/16"
)
t.add_resource(vpc)
vpc_id = Ref(vpc)
subnet_1 = ec2.Subnet(
"WebAppSubnet1",
t,
AvailabilityZone="us-east-1a",
CidrBlock="10.1.0.0/24",
MapPublicIpOnLaunch=True,
VpcId=vpc_id,
)
subnet_1_id = Ref(subnet_1)
subnet_2 = ec2.Subnet(
"WebAppSubnet2",
t,
AvailabilityZone="us-east-1b",
CidrBlock="10.1.1.0/24",
MapPublicIpOnLaunch=True,
VpcId=vpc_id,
)
subnet_2_id = Ref(subnet_2)
### NETWORKING ###
igw = ec2.InternetGateway("internetGateway", t)
gateway_to_internet = ec2.VPCGatewayAttachment(
"GatewayToInternet",
t,
VpcId=vpc_id,
InternetGatewayId=Ref(igw)
)
route_table = ec2.RouteTable(
"subnetRouteTable",
t,
VpcId=vpc_id
)
route_table_id = Ref(route_table)
internet_route = ec2.Route(
"routeToInternet",
t,
DependsOn=gateway_to_internet,
DestinationCidrBlock="0.0.0.0/0",
GatewayId=Ref(igw),
RouteTableId=route_table_id
)
subnet_1_route_assoc = ec2.SubnetRouteTableAssociation(
"Subnet1RouteAssociation",
t,
RouteTableId=route_table_id,
SubnetId=Ref(subnet_1)
)
subnet_2_route_assoc = ec2.SubnetRouteTableAssociation(
"Subnet2RouteAssociation",
t,
RouteTableId=route_table_id,
SubnetId=Ref(subnet_2)
)
http_ingress = {
"CidrIp": "0.0.0.0/0",
"Description": "Allow HTTP traffic in from internet.",
"IpProtocol": "tcp",
"FromPort": 80,
"ToPort": 80,
}
ssh_ingress = {
"CidrIp": "0.0.0.0/0",
"Description": "Allow SSH traffic in from internet.",
"IpProtocol": "tcp",
"FromPort": 22,
"ToPort": 22,
}
elb_sg = ec2.SecurityGroup(
"elbSecurityGroup",
t,
GroupName="WebGroup",
GroupDescription="Allow web traffic in from internet to ELB",
VpcId=vpc_id,
SecurityGroupIngress=[
http_ingress
])
ssh_sg = ec2.SecurityGroup(
"sshSecurityGroup",
t,
GroupName="SSHGroup",
GroupDescription="Allow SSH traffic in from internet",
VpcId=vpc_id,
SecurityGroupIngress=[
ssh_ingress
]
)
elb_sg_id = Ref(elb_sg)
ssh_sg_id = Ref(ssh_sg)
autoscale_ingress = {
"SourceSecurityGroupId": elb_sg_id,
"Description": "Allow web traffic in from ELB",
"IpProtocol": "tcp",
"FromPort": 80,
"ToPort": 80
}
autoscale_sg = ec2.SecurityGroup(
"WebAutoscaleSG",
t,
GroupName="AutoscaleGroup",
GroupDescription="Allow web traffic in from elb on port 80",
VpcId=vpc_id,
SecurityGroupIngress=[
autoscale_ingress
]
)
autoscale_sg_id = Ref(autoscale_sg)
# BUCKETS
app_bucket = s3.Bucket(
"CodeDeployApplicationBucket",
t,
)
### LOAD BALANCING ###
Web_elb = elb.LoadBalancer(
"WebElb",
t,
Name="WebElb", # TODO: Fix for name conflict
Subnets=[subnet_1_id, subnet_2_id],
SecurityGroups=[elb_sg_id]
)
Web_target_group = elb.TargetGroup(
"WebTargetGroup",
t,
DependsOn=Web_elb,
HealthCheckPath="/health",
HealthCheckPort=80,
HealthCheckProtocol="HTTP",
Matcher=elb.Matcher(HttpCode="200"),
Name="NginxTargetGroup",
Port=80,
Protocol="HTTP",
VpcId=vpc_id
)
Web_listener = elb.Listener(
"WebListener",
t,
LoadBalancerArn=Ref(Web_elb),
DefaultActions=[
elb.Action("forwardAction",
TargetGroupArn=Ref(Web_target_group),
Type="forward"
)
],
Port=80,
Protocol="HTTP"
)
### AUTOSCALING ###
# Everything after sudo -u ubuntu is one command
# The sudo command is required to properly set file permissions when
# running the ansible script as it assumes running from non root user
lc_user_data = Base64(Join("\n",
[
"#!/bin/bash",
"apt-add-repository -y ppa:ansible/ansible",
"apt-get update && sudo apt-get -y upgrade",
"apt-get -y install git",
"apt-get -y install ansible",
"cd /home/ubuntu/",
"sudo -H -u ubuntu bash -c '"
"export LC_ALL=C.UTF-8 && "
"export LANG=C.UTF-8 && "
"ansible-pull -U https://github.com/DameonSmith/aws-meetup-ansible.git --extra-vars \"user=ubuntu\"'"
]))
web_instance_role = iam.Role(
"webInstanceCodeDeployRole",
t,
AssumeRolePolicyDocument={
'Statement': [{
'Effect': 'Allow',
'Principal': {
'Service': 'ec2.amazonaws.com'
},
'Action': 'sts:AssumeRole'
}]
},
Policies=[
iam.Policy(
PolicyName="CodeDeployS3Policy",
PolicyDocument=aws.Policy(
Version='2012-10-17',
Statement=[
aws.Statement(
Sid='CodeDeployS3',
Effect=aws.Allow,
Action=[
aws_s3.PutObject,
aws_s3.GetObject,
aws_s3.GetObjectVersion,
aws_s3.DeleteObject,
aws_s3.ListObjects,
aws_s3.ListBucket,
aws_s3.ListBucketVersions,
aws_s3.ListAllMyBuckets,
aws_s3.ListMultipartUploadParts,
aws_s3.ListBucketMultipartUploads,
aws_s3.ListBucketByTags,
],
Resource=[
GetAtt(app_bucket, 'Arn'),
Join('', [
GetAtt(app_bucket, 'Arn'),
'/*',
]),
"arn:aws:s3:::aws-codedeploy-us-east-2/*",
"arn:aws:s3:::aws-codedeploy-us-east-1/*",
"arn:aws:s3:::aws-codedeploy-us-west-1/*",
"arn:aws:s3:::aws-codedeploy-us-west-2/*",
"arn:aws:s3:::aws-codedeploy-ca-central-1/*",
"arn:aws:s3:::aws-codedeploy-eu-west-1/*",
"arn:aws:s3:::aws-codedeploy-eu-west-2/*",
"arn:aws:s3:::aws-codedeploy-eu-west-3/*",
"arn:aws:s3:::aws-codedeploy-eu-central-1/*",
"arn:aws:s3:::aws-codedeploy-ap-northeast-1/*",
"arn:aws:s3:::aws-codedeploy-ap-northeast-2/*",
"arn:aws:s3:::aws-codedeploy-ap-southeast-1/*",
"arn:aws:s3:::aws-codedeploy-ap-southeast-2/*",
"arn:aws:s3:::aws-codedeploy-ap-south-1/*",
"arn:aws:s3:::aws-codedeploy-sa-east-1/*",
]
)
]
)
)
]
)
web_instance_profile = iam.InstanceProfile(
"webInstanceProfile",
t,
Path='/',
Roles=[Ref(web_instance_role)],
)
Web_launch_config = autoscaling.LaunchConfiguration(
"webLaunchConfig",
t,
ImageId=FindInMap("RegionMap", Ref("AWS::Region"), "AMI"), # TODO: Remove magic string
SecurityGroups=[ssh_sg_id, autoscale_sg_id],
IamInstanceProfile=Ref(web_instance_profile),
InstanceType="t2.micro",
BlockDeviceMappings= [{
"DeviceName": "/dev/sdk",
"Ebs": {"VolumeSize": "10"}
}],
UserData= lc_user_data,
KeyName="advanced-cfn",
)
Web_autoscaler = autoscaling.AutoScalingGroup(
"WebAutoScaler",
t,
LaunchConfigurationName=Ref(Web_launch_config),
MinSize="2", # TODO: Change to parameter
MaxSize="2",
VPCZoneIdentifier=[subnet_2_id, subnet_1_id],
TargetGroupARNs= [Ref(Web_target_group)]
)
t.add_output([
Output(
"ALBDNS",
Description="The DNS name for the application load balancer.",
Value=GetAtt(Web_elb, "DNSName")
)
])
# DEVTOOLS CONFIG
codebuild_service_role = iam.Role(
"CMSCodeBuildServiceRole",
t,
AssumeRolePolicyDocument={
'Statement': [{
'Effect': 'Allow',
'Principal': {
'Service': ['codebuild.amazonaws.com']
},
'Action': ['sts:AssumeRole']
}]
},
Policies=[
iam.Policy(
PolicyName="CloudWatchLogsPolicy",
PolicyDocument=aws.Policy(
Version="2012-10-17",
Statement=[
aws.Statement(
Sid='logs',
Effect=aws.Allow,
Action=[
aws_logs.CreateLogGroup,
aws_logs.CreateLogStream,
aws_logs.PutLogEvents
],
Resource=['*']
)
]
)
),
iam.Policy(
PolicyName="s3AccessPolicy",
PolicyDocument=aws.Policy(
Version="2012-10-17",
Statement=[
aws.Statement(
Sid='codebuilder',
Effect=aws.Allow,
Action=[
aws_s3.PutObject,
aws_s3.GetObject,
aws_s3.GetObjectVersion,
aws_s3.DeleteObject
],
Resource=[
GetAtt(app_bucket, 'Arn'),
Join('', [
GetAtt(app_bucket, 'Arn'),
'/*',
])
]
)
]
)
)
]
)
github_repo = Parameter(
"GithubRepoLink",
Description="Name of the repository you wish to connect to codebuild.",
Type="String"
)
artifact_key = Parameter(
"ArtifactKey",
Description="The key for the artifact that codebuild creates.",
Type="String"
)
t.add_parameter(github_repo)
t.add_parameter(artifact_key)
cms_code_build_project = codebuild.Project(
"CMSBuild",
t,
Name="CMS-Build",
Artifacts=codebuild.Artifacts(
Location=Ref(app_bucket),
Name=Ref(artifact_key),
NamespaceType="BUILD_ID",
Type="S3",
Packaging="ZIP"
),
Description="Code build for CMS",
Environment=codebuild.Environment(
ComputeType="BUILD_GENERAL1_SMALL",
Image="aws/codebuild/python:3.6.5",
Type="LINUX_CONTAINER",
),
ServiceRole=GetAtt(codebuild_service_role, 'Arn'),
Source=codebuild.Source(
"CMSSourceCode",
Auth=codebuild.SourceAuth(
"GitHubAuth",
Type="OAUTH"
),
Location=Ref(github_repo),
Type="GITHUB"
),
Triggers=codebuild.ProjectTriggers(
Webhook=True
)
)
codedeploy_service_role = iam.Role(
"CMSDeploymentGroupServiceRole",
t,
AssumeRolePolicyDocument={
'Statement': [{
'Effect': 'Allow',
'Principal': {
'Service': ['codedeploy.amazonaws.com']
},
'Action': ['sts:AssumeRole']
}]
},
Policies=[
iam.Policy(
PolicyName="CloudWatchLogsPolicy",
PolicyDocument=aws.Policy(
Version="2012-10-17",
Statement=[
aws.Statement(
Sid='logs',
Effect=aws.Allow,
Action=[
aws_logs.CreateLogGroup,
aws_logs.CreateLogStream,
aws_logs.PutLogEvents
],
Resource=['*']
)
]
)
),
iam.Policy(
PolicyName="s3AccessPolicy",
PolicyDocument=aws.Policy(
Version="2012-10-17",
Statement=[
aws.Statement(
Sid='codebuilder',
Effect=aws.Allow,
Action=[
aws_s3.PutObject,
aws_s3.GetObject,
aws_s3.GetObjectVersion,
aws_s3.DeleteObject
],
Resource=[
GetAtt(app_bucket, 'Arn'),
Join('', [
GetAtt(app_bucket, 'Arn'),
'/*'
])
]
)
]
)
),
iam.Policy(
PolicyName="autoscalingAccess",
PolicyDocument=aws.Policy(
Version="2012-10-17",
Statement=[
aws.Statement(
Sid='codebuilder',
Effect=aws.Allow,
Action=[
aws.Action('autoscaling', '*'),
aws.Action('elasticloadbalancing', '*')
],
Resource=[
'*'
]
)
]
)
)
]
)
cms_codedeploy_application = codedeploy.Application(
"CMSCodeDeployApplication",
t,
)
cms_deployment_group = codedeploy.DeploymentGroup(
"CMSDeploymentGroup",
t,
DependsOn=[cms_codedeploy_application],
ApplicationName=Ref(cms_codedeploy_application),
AutoScalingGroups=[Ref(Web_autoscaler)],
LoadBalancerInfo=codedeploy.LoadBalancerInfo(
"CodeDeployLBInfo",
TargetGroupInfoList=[
codedeploy.TargetGroupInfoList(
"WebTargetGroup",
Name=GetAtt(Web_target_group, "TargetGroupName")
)
]
),
ServiceRoleArn=GetAtt(codedeploy_service_role, 'Arn')
)
print(t.to_yaml())
def main():
template = Template()
template.add_resource(
ecs.Cluster("ECSCluster", ClusterName="WorldCheckCluster"))
template.add_resource(
iam.Role("ECSTaskRole",
AssumeRolePolicyDocument={
"Version":
"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"Service": ["ecs-tasks.amazonaws.com"]
},
"Action": ["sts:AssumeRole"]
}]
}))
template.add_resource(
iam.Role(
"ECSServiceSchedulerRole",
AssumeRolePolicyDocument={
"Version":
"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"Service": ["ecs.amazonaws.com"]
},
"Action": ["sts:AssumeRole"]
}]
},
Policies=[
iam.Policy(PolicyDocument={
"Version":
"2012-10-17",
"Statement": [{
"Effect":
"Allow",
"Action": [
"ec2:Describe*",
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
"elasticloadbalancing:DeregisterTargets",
"elasticloadbalancing:Describe*",
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:RegisterTargets"
],
"Resource":
"*"
}]
},
PolicyName="ecs-service")
]))
template.add_resource(
iam.Role("EC2InstanceRole",
AssumeRolePolicyDocument={
"Version":
"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"Service": ["ec2.amazonaws.com"]
},
"Action": ["sts:AssumeRole"]
}]
},
Policies=[
iam.Policy(PolicyDocument={
"Version":
"2012-10-17",
"Statement": [{
"Effect":
"Allow",
"Action": [
"ecs:CreateCluster",
"ecs:DeregisterContainerInstance",
"ecs:DiscoverPollEndpoint", "ecs:Poll",
"ecs:RegisterContainerInstance",
"ecs:StartTelemetrySession",
"ecr:GetAuthorizationToken",
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer", "ecs:Submit*",
"logs:CreateLogStream", "logs:PutLogEvents",
"ec2:DescribeTags", "cloudwatch:PutMetricData"
],
"Resource":
"*"
}]
},
PolicyName="ecs-service")
]))
template.add_resource(
iam.InstanceProfile("EC2InstanceProfile",
Roles=[Ref("EC2InstanceRole")]))
with open("user-data.sh", "r") as f:
user_data_content = f.readlines()
template.add_resource(
ec2.Instance(
"EC2Instance",
ImageId="ami-13f7226a",
InstanceType="t2.micro",
SecurityGroups=["default"],
UserData=Base64(Join('', [Sub(x) for x in user_data_content])),
IamInstanceProfile=Ref("EC2InstanceProfile"),
))
template.add_resource(
ecs.TaskDefinition(
"ECSTaskDefinition",
TaskRoleArn=Ref("ECSTaskRole"),
ContainerDefinitions=[
ecs.ContainerDefinition(
Name="SimpleServer",
Memory="128",
Image="abbas123456/simple-server:latest",
PortMappings=[ecs.PortMapping(ContainerPort=8000)],
)
]))
template.add_resource(
elb.TargetGroup(
"ECSTargetGroup",
VpcId="vpc-925497f6",
Port=8000,
Protocol="HTTP",
))
template.add_resource(
elb.LoadBalancer(
"LoadBalancer",
Subnets=["subnet-a321c8fb", "subnet-68fa271e", "subnet-689d350c"],
SecurityGroups=["sg-0202bd65"]))
template.add_resource(
elb.Listener(
"LoadBalancerListener",
DefaultActions=[
elb.Action(Type="forward",
TargetGroupArn=Ref("ECSTargetGroup"))
],
LoadBalancerArn=Ref("LoadBalancer"),
Port=80,
Protocol="HTTP",
))
template.add_resource(
ecs.Service("ECSService",
Cluster=Ref("ECSCluster"),
DesiredCount=1,
LoadBalancers=[
ecs.LoadBalancer(ContainerPort=8000,
ContainerName="SimpleServer",
TargetGroupArn=Ref("ECSTargetGroup"))
],
Role=Ref("ECSServiceSchedulerRole"),
TaskDefinition=Ref("ECSTaskDefinition"),
DependsOn="LoadBalancerListener"))
return template.to_json()
def buildInstance(t, args):
t.add_resource(
ec2.SecurityGroup('WebserverIngressSG',
GroupDescription='Global Webserver Access',
VpcId=Ref('VPC'),
Tags=Tags(Name='Global Webserver Access')))
t.add_resource(
ec2.SecurityGroupIngress('WebserverIngressSG80',
GroupId=Ref('WebserverIngressSG'),
IpProtocol='tcp',
CidrIp='0.0.0.0/0',
FromPort='80',
ToPort='80'))
t.add_resource(
ec2.SecurityGroupIngress('WebserverIngress443',
GroupId=Ref('WebserverIngressSG'),
IpProtocol='tcp',
CidrIp='0.0.0.0/0',
FromPort='443',
ToPort='443'))
t.add_resource(
ec2.SecurityGroup('SysAdminAccessSG',
GroupDescription='System Administrator Access',
VpcId=Ref('VPC'),
Tags=Tags(Name='System Administrator Access')))
if (args.dev):
t.add_resource(
ec2.SecurityGroupIngress('DevSysadminIngress22',
GroupId=Ref('SysAdminAccessSG'),
IpProtocol='tcp',
CidrIp='0.0.0.0/0',
FromPort='22',
ToPort='22'))
rolePolicyStatements = [{
"Sid":
"Stmt1500699052003",
"Effect":
"Allow",
"Action": ["s3:ListBucket"],
"Resource": [Join("",
["arn:aws:s3:::", Ref('S3Bucket')])]
}, {
"Sid":
"Stmt1500699052000",
"Effect":
"Allow",
"Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
"Resource":
[Join("",
["arn:aws:s3:::", Ref('S3Bucket'), '/Backup/*'])]
}, {
"Sid":
"Stmt1500612724002",
"Effect":
"Allow",
"Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"],
"Resource": [OpenEMRKeyARN]
}]
if (args.recovery):
rolePolicyStatements.extend([
{
"Sid": "Stmt1500699052004",
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource":
[Join(
"",
["arn:aws:s3:::", Ref('RecoveryS3Bucket')])]
},
{
"Sid":
"Stmt1500699052005",
"Effect":
"Allow",
"Action": [
"s3:GetObject",
],
"Resource": [
Join("", [
"arn:aws:s3:::",
Ref('RecoveryS3Bucket'), '/Backup/*'
])
]
},
])
t.add_resource(
iam.ManagedPolicy('WebserverPolicy',
Description='Policy for webserver instance',
PolicyDocument={
"Version": "2012-10-17",
"Statement": rolePolicyStatements
}))
t.add_resource(
iam.Role('WebserverRole',
AssumeRolePolicyDocument={
"Version":
"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"Service": ["ec2.amazonaws.com"]
},
"Action": ["sts:AssumeRole"]
}]
},
Path='/',
ManagedPolicyArns=[Ref('WebserverPolicy')]))
t.add_resource(
iam.InstanceProfile('WebserverInstanceProfile',
Path='/',
Roles=[Ref('WebserverRole')]))
t.add_resource(
ec2.Volume('DockerVolume',
DeletionPolicy='Delete' if args.dev else 'Snapshot',
Size=Ref('PracticeStorage'),
AvailabilityZone=Select("0", GetAZs("")),
VolumeType='gp2',
Encrypted=True,
KmsKeyId=OpenEMRKeyID,
Tags=Tags(Name="OpenEMR Practice")))
bootstrapScript = [
"#!/bin/bash -x\n", "exec > /var/log/openemr-cfn-bootstrap 2>&1\n",
"cfn-init -v ", " --stack ", ref_stack_name,
" --resource WebserverInstance ",
" --configsets Setup ", " --region ", ref_region, "\n",
"cfn-signal -e $? ", " --stack ", ref_stack_name,
" --resource WebserverInstance ", " --region ",
ref_region, "\n"
]
setupScript = [
"#!/bin/bash -xe\n", "exec > /tmp/cloud-setup.log 2>&1\n",
"/root/openemr-devops/packages/standard/ami/ami-configure.sh\n"
]
stackPassthroughFile = [
"S3=", Ref('S3Bucket'), "\n", "KMS=", OpenEMRKeyID, "\n"
]
if (args.recovery):
stackPassthroughFile.extend([
"RECOVERYS3=",
Ref('RecoveryS3Bucket'),
"\n",
"RECOVERY_NEWRDS=",
GetAtt('RDSInstance', 'Endpoint.Address'),
"\n",
])
if (args.recovery):
dockerComposeFile = [
"version: '3.1'\n", "services:\n", " openemr:\n",
" restart: always\n", " image: openemr/openemr",
docker_version, "\n", " ports:\n", " - 80:80\n",
" - 443:443\n", " volumes:\n",
" - logvolume01:/var/log\n",
" - sitevolume:/var/www/localhost/htdocs/openemr/sites\n",
" environment:\n", " MANUAL_SETUP: 1\n", "volumes:\n",
" logvolume01: {}\n", " sitevolume: {}\n"
]
else:
dockerComposeFile = [
"version: '3.1'\n", "services:\n", " openemr:\n",
" restart: always\n", " image: openemr/openemr",
docker_version, "\n", " ports:\n", " - 80:80\n",
" - 443:443\n", " volumes:\n",
" - logvolume01:/var/log\n",
" - sitevolume:/var/www/localhost/htdocs/openemr/sites\n",
" environment:\n", " MYSQL_HOST: '",
GetAtt('RDSInstance', 'Endpoint.Address'), "'\n",
" MYSQL_ROOT_USER: openemr\n", " MYSQL_ROOT_PASS: '******'RDSPassword'), "'\n", " MYSQL_USER: openemr\n",
" MYSQL_PASS: '******'RDSPassword'), "'\n", " OE_USER: admin\n",
" OE_PASS: '******'AdminPassword'), "'\n", "volumes:\n", " logvolume01: {}\n",
" sitevolume: {}\n"
]
bootstrapInstall = cloudformation.InitConfig(
files={
"/root/cloud-setup.sh": {
"content": Join("", setupScript),
"mode": "000500",
"owner": "root",
"group": "root"
},
"/root/cloud-variables": {
"content": Join("", stackPassthroughFile),
"mode": "000500",
"owner": "root",
"group": "root"
},
"/root/openemr-devops/packages/standard/docker-compose.yaml": {
"content": Join("", dockerComposeFile),
"mode": "000500",
"owner": "root",
"group": "root"
}
},
commands={"01_setup": {
"command": "/root/cloud-setup.sh"
}})
bootstrapMetadata = cloudformation.Metadata(
cloudformation.Init(cloudformation.InitConfigSets(Setup=['Install']),
Install=bootstrapInstall))
t.add_resource(
ec2.Instance('WebserverInstance',
Metadata=bootstrapMetadata,
ImageId=FindInMap('RegionData', ref_region,
'OpenEMRMktPlaceAMI'),
InstanceType=Ref('WebserverInstanceSize'),
NetworkInterfaces=[
ec2.NetworkInterfaceProperty(
AssociatePublicIpAddress=True,
DeviceIndex="0",
GroupSet=[
Ref('ApplicationSecurityGroup'),
Ref('WebserverIngressSG'),
Ref('SysAdminAccessSG')
],
SubnetId=Ref('PublicSubnet1'))
],
KeyName=Ref('EC2KeyPair'),
IamInstanceProfile=Ref('WebserverInstanceProfile'),
Volumes=[{
"Device": "/dev/sdd",
"VolumeId": Ref('DockerVolume')
}],
Tags=Tags(Name='OpenEMR Cloud Standard'),
InstanceInitiatedShutdownBehavior='stop',
UserData=Base64(Join('', bootstrapScript)),
CreationPolicy={"ResourceSignal": {
"Timeout": "PT15M"
}}))
return t
"CFNRolePolicies",
PolicyName="CFNaccess",
PolicyDocument={
"Statement": [{
"Action": "cloudformation:Describe*",
"Resource": "*",
"Effect": "Allow"
}]
},
Roles=[Ref("AmbariAccessRole")],
))
AmbariInstanceProfile = t.add_resource(
iam.InstanceProfile(
"AmbariInstanceProfile",
Path="/",
Roles=[Ref("AmbariAccessRole")],
))
NodeAccessRole = t.add_resource(
iam.Role(
"NodeAccessRole",
Path="/",
AssumeRolePolicyDocument={
"Statement": [{
"Action": ["sts:AssumeRole"],
"Effect": "Allow",
"Principal": {
"Service": ["ec2.amazonaws.com"]
}
}]
def gen_template(config):
num_couchbase_servers = config.server_number
couchbase_instance_type = config.server_type
num_sync_gateway_servers = config.sync_gateway_number
sync_gateway_server_type = config.sync_gateway_type
num_gateloads = config.load_number
gateload_instance_type = config.load_type
num_lbs = config.lb_number
lb_instance_type = config.lb_type
t = Template()
t.add_description(
'An Ec2-classic stack with Couchbase Server, Sync Gateway + load testing tools '
)
def createCouchbaseSecurityGroups(t):
# Couchbase security group
secGrpCouchbase = ec2.SecurityGroup('CouchbaseSecurityGroup')
secGrpCouchbase.GroupDescription = "Allow access to Couchbase Server"
secGrpCouchbase.SecurityGroupIngress = [
ec2.SecurityGroupRule(
IpProtocol="tcp",
FromPort="22",
ToPort="22",
CidrIp="0.0.0.0/0",
),
ec2.SecurityGroupRule(
IpProtocol="tcp",
FromPort="8091",
ToPort="8091",
CidrIp="0.0.0.0/0",
),
ec2.SecurityGroupRule( # sync gw user port
IpProtocol="tcp",
FromPort="4984",
ToPort="4984",
CidrIp="0.0.0.0/0",
),
ec2.SecurityGroupRule( # sync gw admin port
IpProtocol="tcp",
FromPort="4985",
ToPort="4985",
CidrIp="0.0.0.0/0",
),
ec2.SecurityGroupRule( # expvars
IpProtocol="tcp",
FromPort="9876",
ToPort="9876",
CidrIp="0.0.0.0/0",
),
ec2.SecurityGroupRule( # couchbase server
IpProtocol="tcp",
FromPort="4369",
ToPort="4369",
CidrIp="0.0.0.0/0",
),
ec2.SecurityGroupRule( # couchbase server
IpProtocol="tcp",
FromPort="5984",
ToPort="5984",
CidrIp="0.0.0.0/0",
),
ec2.SecurityGroupRule( # couchbase server
IpProtocol="tcp",
FromPort="8092",
ToPort="8092",
CidrIp="0.0.0.0/0",
),
ec2.SecurityGroupRule( # couchbase server
IpProtocol="tcp",
FromPort="11209",
ToPort="11209",
CidrIp="0.0.0.0/0",
),
ec2.SecurityGroupRule( # couchbase server
IpProtocol="tcp",
FromPort="11210",
ToPort="11210",
CidrIp="0.0.0.0/0",
),
ec2.SecurityGroupRule( # couchbase server
IpProtocol="tcp",
FromPort="11211",
ToPort="11211",
CidrIp="0.0.0.0/0",
),
ec2.SecurityGroupRule( # couchbase server
IpProtocol="tcp",
FromPort="21100",
ToPort="21299",
CidrIp="0.0.0.0/0",
)
]
# Add security group to template
t.add_resource(secGrpCouchbase)
return secGrpCouchbase
#
# Parameters
#
keyname_param = t.add_parameter(
Parameter(
'KeyName',
Type='String',
Description='Name of an existing EC2 KeyPair to enable SSH access')
)
secGrpCouchbase = createCouchbaseSecurityGroups(t)
# Create an IAM Role to give the EC2 instance permissions to
# push Cloudwatch Logs, which avoids the need to bake in the
# AWS_KEY + AWS_SECRET_KEY into an ~/.aws/credentials file or
# env variables
mobileTestKitRole = iam.Role(
'MobileTestKit',
ManagedPolicyArns=['arn:aws:iam::aws:policy/CloudWatchFullAccess'],
AssumeRolePolicyDocument={
'Version':
'2012-10-17',
'Statement': [{
'Action': 'sts:AssumeRole',
'Principal': {
'Service': 'ec2.amazonaws.com'
},
'Effect': 'Allow',
}]
})
t.add_resource(mobileTestKitRole)
# The InstanceProfile instructs the EC2 instance to use
# the mobileTestKitRole created above. It will be referenced
# in the instance.IamInstanceProfile property for all EC2 instances created
instanceProfile = iam.InstanceProfile(
'EC2InstanceProfile',
Roles=[Ref(mobileTestKitRole)],
)
t.add_resource(instanceProfile)
# Couchbase Server Instances
for i in xrange(num_couchbase_servers):
name = "couchbaseserver{}".format(i)
instance = ec2.Instance(name)
instance.ImageId = "ami-6d1c2007" # centos7
instance.InstanceType = couchbase_instance_type
instance.SecurityGroups = [Ref(secGrpCouchbase)]
instance.KeyName = Ref(keyname_param)
instance.Tags = Tags(Name=name, Type="couchbaseserver")
instance.IamInstanceProfile = Ref(instanceProfile)
instance.BlockDeviceMappings = [
ec2.BlockDeviceMapping(DeviceName="/dev/sda1",
Ebs=ec2.EBSBlockDevice(
DeleteOnTermination=True,
VolumeSize=200,
VolumeType="gp2"))
]
t.add_resource(instance)
# Sync Gw instances (ubuntu ami)
for i in xrange(num_sync_gateway_servers):
name = "syncgateway{}".format(i)
instance = ec2.Instance(name)
instance.ImageId = "ami-6d1c2007" # centos7
instance.InstanceType = sync_gateway_server_type
instance.SecurityGroups = [Ref(secGrpCouchbase)]
instance.KeyName = Ref(keyname_param)
instance.IamInstanceProfile = Ref(instanceProfile)
instance.BlockDeviceMappings = [
ec2.BlockDeviceMapping(DeviceName="/dev/sda1",
Ebs=ec2.EBSBlockDevice(
DeleteOnTermination=True,
VolumeSize=200,
VolumeType="gp2"))
]
# Make syncgateway0 a cache writer, and the rest cache readers
# See https://github.com/couchbase/sync_gateway/wiki/Distributed-channel-cache-design-notes
if i == 0:
instance.Tags = Tags(Name=name,
Type="syncgateway",
CacheType="writer")
else:
instance.Tags = Tags(Name=name, Type="syncgateway")
t.add_resource(instance)
# Gateload instances (ubuntu ami)
for i in xrange(num_gateloads):
name = "gateload{}".format(i)
instance = ec2.Instance(name)
instance.ImageId = "ami-6d1c2007" # centos7
instance.InstanceType = gateload_instance_type
instance.SecurityGroups = [Ref(secGrpCouchbase)]
instance.KeyName = Ref(keyname_param)
instance.IamInstanceProfile = Ref(instanceProfile)
instance.Tags = Tags(Name=name, Type="gateload")
instance.BlockDeviceMappings = [
ec2.BlockDeviceMapping(DeviceName="/dev/sda1",
Ebs=ec2.EBSBlockDevice(
DeleteOnTermination=True,
VolumeSize=200,
VolumeType="gp2"))
]
t.add_resource(instance)
# Load Balancer instances (ubuntu ami)
for i in xrange(num_lbs):
name = "loadbalancer{}".format(i)
instance = ec2.Instance(name)
instance.ImageId = "ami-6d1c2007" # centos7
instance.InstanceType = lb_instance_type
instance.SecurityGroups = [Ref(secGrpCouchbase)]
instance.KeyName = Ref(keyname_param)
instance.IamInstanceProfile = Ref(instanceProfile)
instance.Tags = Tags(Name=name, Type="loadbalancer")
instance.BlockDeviceMappings = [
ec2.BlockDeviceMapping(DeviceName="/dev/sda1",
Ebs=ec2.EBSBlockDevice(
DeleteOnTermination=True,
VolumeSize=200,
VolumeType="gp2"))
]
t.add_resource(instance)
return t.to_json()
"Principal": {
"Service": ["ec2.amazonaws.com"]
},
"Action": ["sts:AssumeRole"]
}]
},
Policies=[
iam.Policy(
PolicyName='{}InstancePolicy'.format(STACK_NAME),
PolicyDocument=instance_policy_doc,
),
]))
instance_profile = template.add_resource(
iam.InstanceProfile('InstanceProfile',
Roles=[Ref(instance_role)],
InstanceProfileName='TweeterUploaderInstanceProfile'))
# Define Instance Metadata
instance_metadata = Metadata(
Init({
'config':
InitConfig(
commands={'update_yum_packages': {
'command': 'yum update -y'
}},
files=InitFiles({
# setup .bashrc ec2-user
'/home/ec2-user/.bashrc':
InitFile(content=Join(
'',
def emit_configuration():
# Parameters here
jenkins_instance_class = template.add_parameter(
Parameter(
'JenkinsInstanceType',
Type='String',
Default='t2.micro',
Description='Chef jenkins instance type',
AllowedValues=cfn.usable_instances(),
ConstraintDescription='Instance size must be a valid instance type'
))
# jenkins IAM role
jenkins_role_name = '.'.join(['jenkins', CLOUDNAME, CLOUDENV])
jenkins_iam_role = template.add_resource(
iam.Role('JenkinsIamRole',
AssumeRolePolicyDocument=ASSUME_ROLE_POLICY,
Path="/",
Policies=[
iam.Policy(PolicyName='JenkinsPolicy',
PolicyDocument=json.loads(
cfn.load_template(
"jenkins_policy.json.j2", {
"env": CLOUDENV,
"cloud": CLOUDNAME,
"region": "us-east-1"
}))),
iam.Policy(PolicyName='JenkinsDefaultPolicy',
PolicyDocument=json.loads(
cfn.load_template(
"default_policy.json.j2", {
"env": CLOUDENV,
"cloud": CLOUDNAME,
"region": "us-east-1"
})))
],
DependsOn=cfn.vpcs[0].title))
jenkins_instance_profile = template.add_resource(
iam.InstanceProfile("JenkinsInstanceProfile",
Path="/",
Roles=[Ref(jenkins_iam_role)],
DependsOn=jenkins_iam_role.title))
jenkins_user_data = cfn.load_template("default-init.bash.j2", {
"env": CLOUDENV,
"cloud": CLOUDNAME,
"deploy": "jenkins"
})
ingress_rules = [
ec2.SecurityGroupRule(IpProtocol=p[0],
CidrIp=DEFAULT_ROUTE,
FromPort=p[1],
ToPort=p[1])
for p in [('tcp', 22), ('tcp', 80), ('tcp', 443)]
]
security_group = template.add_resource(
ec2.SecurityGroup(
"JenkinsSecurityGroup",
GroupDescription='Security Group for jenkins instances',
VpcId=Ref(cfn.vpcs[0]),
SecurityGroupIngress=ingress_rules,
DependsOn=cfn.vpcs[0].title,
Tags=Tags(Name='.'.join(['jenkins-sg', CLOUDNAME, CLOUDENV]))))
launch_cfg = template.add_resource(
autoscaling.LaunchConfiguration(
"JenkinsLaunchConfiguration",
ImageId=FindInMap('RegionMap', Ref("AWS::Region"),
int(cfn.Amis.EBS)),
InstanceType=Ref(jenkins_instance_class),
IamInstanceProfile=Ref(jenkins_instance_profile),
AssociatePublicIpAddress=not USE_PRIVATE_SUBNETS,
BlockDeviceMappings=[
ec2.BlockDeviceMapping(
DeviceName='/dev/sda1',
Ebs=ec2.EBSBlockDevice(DeleteOnTermination=True))
],
KeyName=Ref(cfn.keyname),
SecurityGroups=[Ref(security_group)],
DependsOn=[jenkins_instance_profile.title, security_group.title],
UserData=Base64(jenkins_user_data)))
asg_name = '.'.join(['jenkins', CLOUDNAME, CLOUDENV])
asg = template.add_resource(
autoscaling.AutoScalingGroup(
"JenkinsASG",
AvailabilityZones=cfn.get_asg_azs(),
DesiredCapacity="1",
LaunchConfigurationName=Ref(launch_cfg),
MinSize="1",
MaxSize="1",
NotificationConfiguration=autoscaling.NotificationConfiguration(
TopicARN=Ref(cfn.alert_topic),
NotificationTypes=[
EC2_INSTANCE_TERMINATE, EC2_INSTANCE_TERMINATE_ERROR,
EC2_INSTANCE_LAUNCH, EC2_INSTANCE_LAUNCH_ERROR
]),
VPCZoneIdentifier=[
Ref(sn) for sn in cfn.get_vpc_subnets(cfn.vpcs[0],
cfn.SubnetTypes.PLATFORM)
]))
def add_iam_role(self):
self.iam_role = self.template.add_resource(
iam.Role(
"s3AcessPolicies",
Path="/",
AssumeRolePolicyDocument={
"Statement": [{
"Effect": "Allow",
"Principal": {
"Service": ["ec2.amazonaws.com"]
},
"Action": ["sts:AssumeRole"]
}]
},
Policies=[
iam.Policy(PolicyName="ListAllMyBuckets",
PolicyDocument={
"Statement": [{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*"
}],
}),
iam.Policy(
PolicyName="AllowAccessToBucket",
PolicyDocument={
"Statement": [{
"Effect":
"Allow",
"Action":
["s3:ListBucket", "s3:GetBucketLocation"],
"Resource":
Join("", [
"arn:aws:s3:::",
ImportValue(
'deploy-dev-s3bucket-s3bucketname')
])
}]
}),
iam.Policy(
PolicyName="AllowWriteToBucket",
PolicyDocument={
"Statement": [{
"Effect":
"Allow",
"Action": [
"s3:PutObject", "s3:GetObject",
"s3:DeleteObject"
],
"Resource":
Join("", [
"arn:aws:s3:::",
ImportValue(
'deploy-dev-s3bucket-s3bucketname'),
"/*"
])
}]
})
]))
self.cfninstanceprofile = self.template.add_resource(
iam.InstanceProfile("CFNInstanceProfile",
Roles=[Ref(self.iam_role)]))
def buildInstance(t, args):
t.add_resource(
ec2.SecurityGroup('WebserverSG',
GroupDescription='Global Webserver Access',
VpcId=Ref('VPC'),
Tags=Tags(Name='Global Webserver Access')))
t.add_resource(
ec2.SecurityGroupIngress('WebserverSGIngress1',
GroupId=Ref('WebserverSG'),
IpProtocol='tcp',
CidrIp='0.0.0.0/0',
FromPort='22',
ToPort='22'))
t.add_resource(
ec2.SecurityGroupIngress('WebserverSGIngress2',
GroupId=Ref('WebserverSG'),
IpProtocol='tcp',
CidrIp='0.0.0.0/0',
FromPort='80',
ToPort='80'))
t.add_resource(
ec2.SecurityGroupIngress('WebserverSGIngress3',
GroupId=Ref('WebserverSG'),
IpProtocol='tcp',
CidrIp='0.0.0.0/0',
FromPort='443',
ToPort='443'))
rolePolicyStatements = [{
"Sid":
"Stmt1500699052003",
"Effect":
"Allow",
"Action": ["s3:ListBucket"],
"Resource": [Join("",
["arn:aws:s3:::", Ref('S3Bucket')])]
}, {
"Sid":
"Stmt1500699052000",
"Effect":
"Allow",
"Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
"Resource":
[Join("",
["arn:aws:s3:::", Ref('S3Bucket'), '/Backup/*'])]
}, {
"Sid":
"Stmt1500612724002",
"Effect":
"Allow",
"Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"],
"Resource": [OpenEMRKeyARN]
}]
t.add_resource(
iam.ManagedPolicy('WebserverPolicy',
Description='Policy for webserver instance',
PolicyDocument={
"Version": "2012-10-17",
"Statement": rolePolicyStatements
}))
t.add_resource(
iam.Role('WebserverRole',
AssumeRolePolicyDocument={
"Version":
"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"Service": ["ec2.amazonaws.com"]
},
"Action": ["sts:AssumeRole"]
}]
},
Path='/',
ManagedPolicyArns=[Ref('WebserverPolicy')]))
t.add_resource(
iam.InstanceProfile('WebserverInstanceProfile',
Path='/',
Roles=[Ref('WebserverRole')]))
t.add_resource(
ec2.Volume('DockerVolume',
DeletionPolicy='Delete' if args.dev else 'Snapshot',
Size=Ref('PracticeStorage'),
AvailabilityZone=Select("0", GetAZs("")),
VolumeType='gp2',
Encrypted=True,
KmsKeyId=OpenEMRKeyID,
Tags=Tags(Name="OpenEMR Practice")))
bootstrapScript = [
"#!/bin/bash -x\n", "exec > /tmp/part-001.log 2>&1\n",
"apt-get -y update\n", "apt-get -y install python-pip\n",
"pip install https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-latest.tar.gz\n",
"cfn-init -v ", " --stack ", ref_stack_name,
" --resource WebserverInstance ",
" --configsets Setup ", " --region ", ref_region, "\n",
"cfn-signal -e $? ", " --stack ", ref_stack_name,
" --resource WebserverInstance ", " --region ",
ref_region, "\n"
]
setupScript = [
"#!/bin/bash -xe\n", "exec > /tmp/cloud-setup.log 2>&1\n",
"DEBIAN_FRONTEND=noninteractive apt-get dist-upgrade -y -o Dpkg::Options::=\"--force-confdef\" -o Dpkg::Options::=\"--force-confold\" --force-yes\n",
"mkfs -t ext4 /dev/xvdd\n", "mkdir /mnt/docker\n",
"cat /root/fstab.append >> /etc/fstab\n", "mount /mnt/docker\n",
"ln -s /mnt/docker /var/lib/docker\n",
"apt-get -y install python-boto awscli\n", "S3=",
Ref('S3Bucket'), "\n", "KMS=", OpenEMRKeyID, "\n",
"touch /root/cloud-backups-enabled\n",
"echo $S3 > /root/.cloud-s3.txt\n",
"echo $KMS > /root/.cloud-kms.txt\n", "touch /tmp/mypass\n",
"chmod 500 /tmp/mypass\n", "openssl rand -base64 32 >> /tmp/mypass\n",
"aws s3 cp /tmp/mypass s3://$S3/Backup/passphrase.txt --sse aws:kms --sse-kms-key-id $KMS\n",
"rm /tmp/mypass\n",
"curl -L https://raw.githubusercontent.com/openemr/openemr-devops/master/packages/lightsail/launch.sh > /root/launch.sh\n",
"chmod +x /root/launch.sh && /root/launch.sh -s 0\n"
]
fstabFile = ["/dev/xvdd /mnt/docker ext4 defaults,nofail 0 0\n"]
bootstrapInstall = cloudformation.InitConfig(
files={
"/root/cloud-setup.sh": {
"content": Join("", setupScript),
"mode": "000500",
"owner": "root",
"group": "root"
},
"/root/fstab.append": {
"content": Join("", fstabFile),
"mode": "000400",
"owner": "root",
"group": "root"
}
},
commands={"01_setup": {
"command": "/root/cloud-setup.sh"
}})
bootstrapMetadata = cloudformation.Metadata(
cloudformation.Init(cloudformation.InitConfigSets(Setup=['Install']),
Install=bootstrapInstall))
t.add_resource(
ec2.Instance('WebserverInstance',
Metadata=bootstrapMetadata,
ImageId=FindInMap('RegionData', ref_region, 'UbuntuAMI'),
InstanceType=Ref('InstanceSize'),
NetworkInterfaces=[
ec2.NetworkInterfaceProperty(
AssociatePublicIpAddress=True,
DeviceIndex="0",
GroupSet=[Ref('WebserverSG')],
SubnetId=Ref('PublicSubnet1'))
],
KeyName=Ref('EC2KeyPair'),
IamInstanceProfile=Ref('WebserverInstanceProfile'),
Volumes=[{
"Device": "/dev/sdd",
"VolumeId": Ref('DockerVolume')
}],
Tags=Tags(Name='OpenEMR Express Plus'),
InstanceInitiatedShutdownBehavior='stop',
UserData=Base64(Join('', bootstrapScript)),
CreationPolicy={"ResourceSignal": {
"Timeout": "PT25M"
}}))
return t
'Statement': [
{
'Action': 'sts:AssumeRole',
'Principal': {
'Service': 'ec2.amazonaws.com'
},
'Effect': 'Allow'
}
]
}
)
)
ec2_instance_profile = template.add_resource(
iam.InstanceProfile(
'EC2InstanceProfile',
Roles=[Ref(ecs_cluster_role)]
)
)
ecs_cluster = template.add_resource(
ecs.Cluster(
'ApiCluster'
)
)
launch_template = template.add_resource(
ec2.LaunchTemplate(
'LaunchTemplate',
LaunchTemplateName=Ref(api_launch_template_name),
LaunchTemplateData=ec2.LaunchTemplateData(
ImageId='ami-066826c6a40879d75',
dict(
Effect="Allow",
Action=[
"logs:Create*",
"logs:PutLogEvents",
],
Resource="arn:aws:logs:*:*:*",
)
], ),
),
])
# ECS container instance profile
container_instance_profile = iam.InstanceProfile(
"ContainerInstanceProfile",
template=template,
Path="/",
Roles=[Ref(container_instance_role)],
)
container_instance_configuration_name = "MainContainerLaunchConfiguration"
container_instance_configuration = LaunchConfiguration(
container_instance_configuration_name,
template=template,
KeyName=Ref(secret_key),
Metadata=Metadata(
cloudformation.Init(
dict(config=cloudformation.InitConfig(
commands=dict(register_cluster=dict(command=Join(
"",
[
def create_template(self):
"""Create template (main function called by Stacker)."""
template = self.template
# variables = self.get_variables()
template.add_version('2010-09-09')
template.add_description('Kubernetes IAM policies - V1.0.0')
# Resources
nodeinstancerole = template.add_resource(
iam.Role(
'NodeInstanceRole',
AssumeRolePolicyDocument=make_simple_assume_policy(
'ec2.amazonaws.com'),
ManagedPolicyArns=[
IAM_POLICY_ARN_PREFIX + i for i in [
'AmazonEKSWorkerNodePolicy',
'AmazonEKS_CNI_Policy',
'AmazonEC2ContainerRegistryReadOnly',
# SSM agent not shipped ootb
# 'AmazonSSMManagedInstanceCore'
]
]))
template.add_output(
Output('NodeInstanceRole',
Description='The node instance role name',
Value=nodeinstancerole.ref()))
template.add_output(
Output('NodeInstanceRoleArn',
Description='The node instance role ARN',
Value=nodeinstancerole.get_att('Arn')))
nodeinstanceprofile = template.add_resource(
iam.InstanceProfile('NodeInstanceProfile',
Path='/',
Roles=[nodeinstancerole.ref()]))
template.add_output(
Output('NodeInstanceProfile',
Description='The node instance profile',
Value=nodeinstanceprofile.ref()))
template.add_output(
Output('NodeInstanceProfileArn',
Description='The node instance profile ARN',
Value=nodeinstanceprofile.get_att('Arn')))
template.add_resource(
iam.Role(
'ClusterAutoScalerInstanceRole',
AssumeRolePolicyDocument=make_simple_assume_policy(
'ec2.amazonaws.com'),
Policies=[
iam.Policy(
PolicyName='cluster-autoscaler',
PolicyDocument=PolicyDocument(
Version='2012-10-17',
Statement=[
Statement(
Action=[
awacs.autoscaling.
DescribeAutoScalingGroups, # noqa
awacs.autoscaling.
DescribeAutoScalingInstances, # noqa
awacs.autoscaling.DescribeTags,
awacs.autoscaling.
SetDesiredCapacity, # noqa
awacs.autoscaling.
TerminateInstanceInAutoScalingGroup
], # noqa pylint: disable=line-too-long
Effect=Allow,
Resource=['*'])
]))
]))
