Exemplo n.º 1
0
        def associate(self, lbd_permission, lbd_func, event_rule, **kwargs):
            lbd_permission.FunctionName = GetAtt(lbd_func, "Arn")
            lbd_permission.Action = "lambda:InvokeFunction"
            lbd_permission.Principal = "events.amazonaws.com"
            lbd_permission.SourceArn = GetAtt(event_rule, "Arn")
            x_depends_on_y(lbd_permission, lbd_func)
            x_depends_on_y(lbd_permission, event_rule)

            try:
                targets = event_rule.Targets
            except AttributeError:
                targets = list()

            target_id = "{}TgtId".format(lbd_func.title)
            target_ids = [
                target.Id
                for target in targets
            ]
            if target_id not in target_ids:
                target = events.Target(
                    Id=target_id,
                    Arn=GetAtt(lbd_func, "Arn"),
                )
                targets.append(target)

            event_rule.Targets = targets
            x_depends_on_y(event_rule, lbd_func)
Exemplo n.º 2
0
        def associate(self,
                      lbd_permission,
                      lbd_func,
                      api_method,
                      **kwargs):
            lbd_permission.FunctionName = GetAtt(lbd_func, "Arn")
            lbd_permission.Action = "lambda:InvokeFunction"
            lbd_permission.Principal = "apigateway.amazonaws.com"

            try:
                lbd_permission.SourceArn = Sub(
                    "arn:aws:execute-api:${Region}:${AccountId}:${RestApiId}/*/${HttpMethod}/${ResourcePath}",
                    {
                        "Region": {"Ref": "AWS::Region"},
                        "AccountId": {"Ref": "AWS::AccountId"},
                        "RestApiId": Ref(api_method.RestApiId),
                        "HttpMethod": api_method.HttpMethod,
                        "ResourcePath": api_method.Metadata[TROPOSPHERE_METADATA_FIELD_NAME][
                            ResourceLevelField.ApiResource.FULL_PATH]
                    }
                )
            except:
                pass

            x_depends_on_y(lbd_permission, lbd_func)
            x_depends_on_y(lbd_permission, api_method)
Exemplo n.º 3
0
    def create_db_sg(self):
        db_sg = self.tpl.add_resource(
            ec2.SecurityGroup(
                'DBSG',
                GroupDescription='Allow DB From Any',
                VpcId=self.vpc_id,
                SecurityGroupIngress=[
                    ec2.SecurityGroupRule(
                        IpProtocol='tcp',
                        CidrIp='0.0.0.0/0',
                        FromPort=3306,
                        ToPort=3306
                    )
                ]
            )
        )

        # セキュリティグループの論理IDをアウトプットする
        self.tpl.add_output(
            Output(
                'DBSGId',
                Description='DB Security Group Id',
                Value=GetAtt(db_sg, 'GroupId')
            )
        )
 def scheduled_job_event_rule_aws_objects(
         self) -> typing.Dict[str, events.Rule]:
     """
     Returns a key value pair of scheduled job expression and
     ``troposphere_mate.events.Rule`` object. Since
     """
     if self._scheduled_job_event_rule_aws_objects_cache is NOTHING:
         dct = dict()
         for expression in self.scheduled_job_expression_list:
             event_rule_logic_id = "EventRule{}".format(
                 fingerprint.of_text(expression + self.lbd_func_name))
             event_rule = events.Rule(
                 title=event_rule_logic_id,
                 State="ENABLED",
                 ScheduleExpression=expression,
                 Targets=[
                     events.Target(
                         Id="EventRuleStartCrawlerGitHubDataTrigger",
                         Arn=GetAtt(self.lbd_func_aws_object, "Arn"),
                     )
                 ],
                 DependsOn=[
                     self.lbd_func_aws_object,
                 ])
             dct[expression] = event_rule
         self._scheduled_job_event_rule_aws_objects_cache = dct
     return self._scheduled_job_event_rule_aws_objects_cache
    def create_launch_template(self):
        web_sg_list = [self.web_sg_id]
        launch_template = self.tpl.add_resource(
            ec2.LaunchTemplate(
                'LaunchTemplate',
                LaunchTemplateName=f'{self.prefix}-{self.project}-LaunchTemplate',
                LaunchTemplateData=ec2.LaunchTemplateData(
                    ImageId=self.image_id,
                    InstanceType=self.instance_type,
                    KeyName=self.key_name,
                    SecurityGroupIds=web_sg_list
                )
            )
        )

        # 起動テンプレートの論理IDをアウトプット
        self.tpl.add_output(
            Output(
                'LaunchTemplateId',
                Description='LaunchTemplate Id',
                Value=Ref(launch_template)
            )
        )

        # 起動テンプレートのバージョンをアウトプット
        self.tpl.add_output(
            Output(
                'LaunchTemplateLatestVersion',
                Description='LaunchTemplate Latest Version',
                Value=GetAtt(launch_template, 'LatestVersionNumber')
            )
        )
Exemplo n.º 6
0
    def create_web_sg(self):
        web_sg = self.tpl.add_resource(
            ec2.SecurityGroup(
                'WebSG',
                GroupDescription='Allow Web From Any',
                VpcId=self.vpc_id,
                SecurityGroupIngress=[
                    ec2.SecurityGroupRule(
                        IpProtocol='tcp',
                        CidrIp='0.0.0.0/0',
                        FromPort=443,
                        ToPort=443
                    ),
                    ec2.SecurityGroupRule(
                        IpProtocol='tcp',
                        CidrIp='0.0.0.0/0',
                        FromPort=80,
                        ToPort=80
                    ),
                ]
            )
        )

        # セキュリティグループの論理IDをアウトプットする
        self.tpl.add_output(
            Output(
                'WebSGId',
                Description='Web Security Group Id',
                Value=GetAtt(web_sg, 'GroupId')
            )
        )
 def apigw_authorizer_lbd_permission_aws_object(
         self) -> awslambda.Permission:
     if self._apigw_authorizer_lbd_permission_aws_object_cache is NOTHING:
         apigw_authorizer_lbd_permission_logic_id = "LbdPermission{}".format(
             self.apigw_authorizer_logic_id)
         apigw_authorizer_lbd_permission = awslambda.Permission(
             title=apigw_authorizer_lbd_permission_logic_id,
             Action="lambda:InvokeFunction",
             FunctionName=GetAtt(self.lbd_func_aws_object, "Arn"),
             Principal="apigateway.amazonaws.com",
             SourceArn=Sub(
                 "arn:aws:execute-api:${Region}:${AccountId}:${RestApiId}/authorizers/${AuthorizerId}",
                 {
                     "Region": {
                         "Ref": "AWS::Region"
                     },
                     "AccountId": {
                         "Ref": "AWS::AccountId"
                     },
                     "RestApiId": Ref(self.apigw_restapi),
                     "AuthorizerId": Ref(self.apigw_authorizer_aws_object),
                 }),
             DependsOn=[
                 self.apigw_authorizer_aws_object,
                 self.lbd_func_aws_object,
             ])
         self._apigw_authorizer_lbd_permission_aws_object_cache = apigw_authorizer_lbd_permission
     return self._apigw_authorizer_lbd_permission_aws_object_cache
 def associate(self, lbd_func, sqs_queue, *args, **kwargs):
     """
     Assign Lambda Function a Dead Letter Queue.
     """
     lbd_func.DeadLetterConfig = awslambda.DeadLetterConfig(
         TargetArn=GetAtt(sqs_queue, "Arn"))
     x_depends_on_y(lbd_func, sqs_queue)
 def s3_event_bucket_lbd_permission_aws_object(
         self) -> awslambda.Permission:
     if self._s3_event_bucket_lbd_permission_aws_object_cache is NOTHING:
         s3_event_bucket_lbd_permission_logic_id = "LbdPermission{}".format(
             self.s3_event_bucket_logic_id)
         s3_event_bucket_lbd_permission = awslambda.Permission(
             title=s3_event_bucket_lbd_permission_logic_id,
             Action="lambda:InvokeFunction",
             FunctionName=GetAtt(self.lbd_func_aws_object, "Arn"),
             Principal="s3.amazonaws.com",
             SourceArn=GetAtt(self.s3_event_bucket_aws_object, "Arn"),
             DependsOn=[
                 self.s3_event_bucket_aws_object,
                 self.lbd_func_aws_object,
             ])
         self._s3_event_bucket_lbd_permission_aws_object_cache = s3_event_bucket_lbd_permission
     return self._s3_event_bucket_lbd_permission_aws_object_cache
Exemplo n.º 10
0
 def associate(self, lbd_event_map, lbd_func, sqs_queue, *args,
               **kwargs):
     """
     Use SQS Queue to trigger Lambda Function
     """
     lbd_event_map.FunctionName = Ref(lbd_func)
     lbd_event_map.EventSourceArn = GetAtt(sqs_queue, "Arn")
     x_depends_on_y(lbd_event_map, lbd_func)
     x_depends_on_y(lbd_event_map, sqs_queue)
Exemplo n.º 11
0
 def associate(self, lbd_event_map, lbd_func, kinesis_stream, *args,
               **kwargs):
     """
     Use Kinesis Stream to trigger Lambda Function
     """
     lbd_event_map.FunctionName = Ref(lbd_func)
     lbd_event_map.EventSourceArn = GetAtt(kinesis_stream, "Arn")
     x_depends_on_y(lbd_event_map, lbd_func)
     x_depends_on_y(lbd_event_map, kinesis_stream)
Exemplo n.º 12
0
def test_mutable_aws_object():
    """
    确定 ``mate.AWSObject`` 变化时, 对应的 ``mate.AWSObject.aws_object`` 也应该
    跟着变化.
    """
    from troposphere_mate import iam

    tpl = Template()
    my_policy = iam.ManagedPolicy(
        title="MyPolicy",
        template=tpl,
        PolicyDocument={},
    )
    my_role = iam.Role(
        title="MyRole",
        template=tpl,
        RoleName="my-role",
        AssumeRolePolicyDocument={},
    )
    assert tpl.to_dict(
    )["Resources"]["MyRole"]["Properties"]["RoleName"] == "my-role"
    assert "ManagedPolicyArns" not in tpl.to_dict(
    )["Resources"]["MyRole"]["Properties"]

    my_role.RoleName = "my-role-two"
    my_role.ManagedPolicyArns = [Ref(my_policy)]
    assert tpl.to_dict(
    )["Resources"]["MyRole"]["Properties"]["RoleName"] == "my-role-two"
    assert tpl.to_dict(
    )["Resources"]["MyRole"]["Properties"]["ManagedPolicyArns"] == [{
        "Ref":
        "MyPolicy"
    }]

    outputs = [
        Output(
            "MyRolePath",
            Value=GetAtt(my_role, "Path"),
            DependsOn=my_role,
        )
    ]
    for output in outputs:
        tpl.add_output(output)
    assert tpl.to_dict()["Outputs"]["MyRolePath"]["Value"] == {
        "Fn::GetAtt": ["MyRole", "Path"]
    }

    dct = tpl.to_dict()

    tpl2 = Template()
    tpl2.add_resource(my_policy)
    tpl2.add_resource(my_role)
    for output in outputs:
        tpl2.add_output(output)
    dct2 = tpl2.to_dict()

    assert dct == dct2
Exemplo n.º 13
0
 def associate(self, lbd_event_map, lbd_func, dynamodb_table, *args,
               **kwargs):
     """
     Use DynamoDB Table Stream to trigger Lambda Function
     """
     lbd_event_map.FunctionName = Ref(lbd_func)
     lbd_event_map.EventSourceArn = GetAtt(dynamodb_table, "StreamArn")
     x_depends_on_y(lbd_event_map, lbd_func)
     x_depends_on_y(lbd_event_map, dynamodb_table)
Exemplo n.º 14
0
        def associate(self,
                      lbd_permission,
                      lbd_func,
                      api_authorizer,
                      rest_api,
                      authorizer_type_is_token=True,
                      token_authorizer_header="auth",
                      **kwargs):
            lbd_permission.FunctionName = GetAtt(lbd_func, "Arn")
            lbd_permission.Action = "lambda:InvokeFunction"
            lbd_permission.Principal = "apigateway.amazonaws.com"
            lbd_permission.SourceArn = Sub(
                "arn:aws:execute-api:${Region}:${AccountId}:${RestApiId}/authorizers/${AuthorizerId}",
                {
                    "Region": {"Ref": "AWS::Region"},
                    "AccountId": {"Ref": "AWS::AccountId"},
                    "RestApiId": {"Ref": rest_api},
                    "AuthorizerId": Ref(api_authorizer),
                }
            )

            if authorizer_type_is_token:
                api_authorizer.Type = "TOKEN"
                api_authorizer.IdentitySource = "method.request.header.{}".format(
                    token_authorizer_header
                )
                api_authorizer.RestApiId = Ref(rest_api)
                api_authorizer.AuthorizerUri = Sub(
                    "arn:aws:apigateway:${Region}:lambda:path/2015-03-31/functions/${AuthorizerFunctionArn}/invocations",
                    {
                        "Region": {"Ref": "AWS::Region"},
                        "AuthorizerFunctionArn": GetAtt(lbd_func, "Arn"),
                    }
                )
                x_depends_on_y(api_authorizer, lbd_func)
                x_depends_on_y(api_authorizer, rest_api)

            x_depends_on_y(lbd_permission, lbd_func)
            x_depends_on_y(lbd_permission, api_authorizer)
            x_depends_on_y(lbd_permission, rest_api)
Exemplo n.º 15
0
    def s3_notification_configuration_aws_property(self):
        s3_notification_configuration = s3.NotificationConfiguration()
        if self.s3_event_lbd_config_list is not NOTHING:
            if isinstance(self.s3_event_lbd_config_list, list):
                s3_notification_configuration.LambdaConfigurations = [
                    s3.LambdaConfigurations(
                        Event=s3_event_lbd_config.event,
                        Function=GetAtt(self.lbd_func_aws_object, "Arn"),
                        Filter=s3_event_lbd_config.filter,
                    ) for s3_event_lbd_config in self.s3_event_lbd_config_list
                ]

        return s3_notification_configuration
Exemplo n.º 16
0
 def scheduled_job_event_lbd_permission_aws_objects(
         self) -> typing.Dict[str, awslambda.Permission]:
     if self._scheduled_job_event_lbd_permission_aws_objects_cache is NOTHING:
         dct = dict()
         for expression in self.scheduled_job_expression_list:
             event_rule_lambda_permission_logic_id = "LbdPermissionEventRule{}".format(
                 fingerprint.of_text(expression + self.lbd_func_name))
             event_rule = self.scheduled_job_event_rule_aws_objects[
                 expression]
             event_rule_lambda_permission = awslambda.Permission(
                 title=event_rule_lambda_permission_logic_id,
                 Action="lambda:InvokeFunction",
                 FunctionName=GetAtt(self.lbd_func_aws_object, "Arn"),
                 Principal="events.amazonaws.com",
                 SourceArn=GetAtt(event_rule, "Arn"),
                 DependsOn=[
                     event_rule,
                     self.lbd_func_aws_object,
                 ])
             dct[expression] = event_rule_lambda_permission
         self._scheduled_job_event_lbd_permission_aws_objects_cache = dct
     return self._scheduled_job_event_lbd_permission_aws_objects_cache
Exemplo n.º 17
0
 def associate(self, api_method, lbd_func, **kwargs):
     try:
         api_method.Integration.Type = "AWS"
         api_method.Integration.IntegrationHttpMethod = "POST"
         api_method.Integration.Uri = Sub(
             "arn:aws:apigateway:${Region}:lambda:path/2015-03-31/functions/${LambdaArn}/invocations",
             {
                 "Region": {
                     "Ref": "AWS::Region"
                 },
                 "LambdaArn": GetAtt(lbd_func, "Arn"),
             })
     except:
         pass
     x_depends_on_y(api_method, lbd_func)
Exemplo n.º 18
0
        def associate(self,
                      api_resource,
                      rest_api,
                      has_parent_resource=True,
                      **kwargs):
            api_resource.RestApiId = Ref(rest_api)
            if has_parent_resource is False:
                api_resource.ParentId = GetAtt(rest_api, "RootResourceId")

                metadata = initiate_default_resource_metadata(api_resource)
                metadata[TROPOSPHERE_METADATA_FIELD_NAME][
                    ResourceLevelField.ApiResource.
                    FULL_PATH] = api_resource.PathPart

                api_resource.Metadata = metadata

            x_depends_on_y(api_resource, rest_api)
Exemplo n.º 19
0
 def create_s3_bucket_policy(self, bucket_key, bucket_name,
                             oai: cf.CloudFrontOriginAccessIdentity):
     self.template.add_resource(
         s3.BucketPolicy(f'{bucket_key}S3CfPolicy',
                         Bucket=bucket_name,
                         PolicyDocument={
                             'Statement': [{
                                 'Effect': 'Allow',
                                 'Action': 's3:GetObject',
                                 'Resource':
                                 f'arn:aws:s3:::{bucket_name}/*',
                                 'Principal': {
                                     'CanonicalUser':
                                     GetAtt(oai, 'S3CanonicalUserId')
                                 }
                             }]
                         }))
Exemplo n.º 20
0
 def lbd_func_iam_role_arn(self):
     if isinstance(self.lbd_func_iam_role,
                   iam.Role):  # a troposphere_mate IAM Role object
         return GetAtt(self.lbd_func_iam_role, "Arn")
     elif isinstance(
             self.lbd_func_iam_role, (Ref, GetAtt)
     ):  # reference of a parameter or get attribute instrinct function
         return self.lbd_func_iam_role
     elif isinstance(self.lbd_func_iam_role,
                     Parameter):  # a parameter represent a iam role ARN
         return Ref(self.lbd_func_iam_role)
     elif isinstance(self.lbd_func_iam_role, str):  # an ARN string
         return self.lbd_func_iam_role
     else:
         raise TypeError("{}.lbd_func_iam_role has to be one of "
                         "troposphere_mate.iam.Role, "
                         "Ref of a Parameter, "
                         "GetAtt of a troposphere_mate.iam.Role, "
                         "a Parameter represent a iam role ARN, "
                         "a string represent a iam role ARN".format(
                             self.identifier))
Exemplo n.º 21
0
    def apigw_authorizer_aws_object(self) -> apigateway.Authorizer:
        if self._apigw_authorizer_aws_object_cache is NOTHING:
            if self.apigw_authorizer_name is NOTHING:
                apigw_authorizer_name = self.apigw_authorizer_logic_id
            else:
                apigw_authorizer_name = self.apigw_authorizer_name

            if len(
                    set(apigw_authorizer_name).difference(
                        set(string.ascii_letters + string.digits))):
                raise ValueError(
                    "{}.apigw_authorizer_name can only have letter and digits".
                    format(self.identifier))
            apigw_authorizer = apigateway.Authorizer(
                title=self.apigw_authorizer_logic_id,
                Name=apigw_authorizer_name,
                RestApiId=Ref(self.apigw_restapi),
                AuthType="custom",
                Type="TOKEN",
                IdentitySource="method.request.header.{}".format(
                    self.apigw_authorizer_token_type_header_field),
                AuthorizerResultTtlInSeconds=300,
                AuthorizerUri=Sub(
                    "arn:aws:apigateway:${Region}:lambda:path/2015-03-31/functions/${AuthorizerFunctionArn}/invocations",
                    {
                        "Region": {
                            "Ref": "AWS::Region"
                        },
                        "AuthorizerFunctionArn":
                        GetAtt(self.lbd_func_aws_object, "Arn"),
                    }),
                DependsOn=[
                    self.lbd_func_aws_object,
                    self.apigw_restapi,
                ])
            self._apigw_authorizer_aws_object_cache = apigw_authorizer
        return self._apigw_authorizer_aws_object_cache
Exemplo n.º 22
0
    def apigw_method_aws_object(self) -> apigateway.Method:
        if self._apigw_method_aws_object_cache is NOTHING:
            depends_on = [
                self.apigw_resource_aws_object,
                self.lbd_func_aws_object,
            ]

            # Integration Request
            request_template = {"application/json": "$input.json('$')"}

            # Integration Response
            if self.apigw_method_int_type == self.ApiMethodIntType.html:
                integration_response_200 = apigateway.IntegrationResponse(
                    StatusCode="200",
                    ResponseParameters={
                        "method.response.header.Access-Control-Allow-Origin":
                        "'*'",
                        "method.response.header.Content-Type": "'text/html'"
                    },
                    ResponseTemplates={"text/html": "$input.path('$')"},
                )
                method_response_200 = apigateway.MethodResponse(
                    StatusCode="200",
                    ResponseParameters={
                        "method.response.header.Access-Control-Allow-Origin":
                        False,
                        "method.response.header.Content-Type": False,
                    },
                    ResponseModels={"application/json": "Empty"},
                )
            elif self.apigw_method_int_type == self.ApiMethodIntType.rpc:
                integration_response_200 = apigateway.IntegrationResponse(
                    StatusCode="200",
                    ContentHandling="CONVERT_TO_TEXT",
                    ResponseParameters={},
                    ResponseTemplates={"application/json": ""})
                method_response_200 = apigateway.MethodResponse(
                    StatusCode="200",
                    ResponseParameters={},
                    ResponseModels={"application/json": "Empty"},
                )
            elif self.apigw_method_int_type == self.ApiMethodIntType.rest:
                integration_response_200 = apigateway.IntegrationResponse(
                    StatusCode="200",
                    ContentHandling="CONVERT_TO_TEXT",
                    ResponseParameters={},
                    ResponseTemplates={"application/json": ""})
                method_response_200 = apigateway.MethodResponse(
                    StatusCode="200",
                    ResponseParameters={},
                    ResponseModels={"application/json": "Empty"},
                )
            else:
                raise TypeError

            integration_responses = [
                integration_response_200,
            ]

            integration = apigateway.Integration(
                Type="AWS",
                IntegrationHttpMethod="POST",
                Uri=Sub(
                    "arn:aws:apigateway:${Region}:lambda:path/2015-03-31/functions/${LambdaArn}/invocations",
                    {
                        "Region": {
                            "Ref": "AWS::Region"
                        },
                        "LambdaArn": GetAtt(self.lbd_func_aws_object, "Arn"),
                    }),
                RequestTemplates=request_template,
                IntegrationResponses=integration_responses,
            )

            if self.apigw_method_int_passthrough_behavior is not NOTHING:
                integration.PassthroughBehavior = self.apigw_method_int_passthrough_behavior
            if self.apigw_method_int_timeout_in_milli is not NOTHING:
                integration.TimeoutInMillis = self.apigw_method_int_timeout_in_milli

            # Method Response
            method_responses = [
                method_response_200,
            ]

            if self.apigw_method_enable_cors_yes is True:
                for integration_response in integration.IntegrationResponses:
                    integration_response.ResponseParameters[
                        "method.response.header.Access-Control-Allow-Origin"] = "'*'"

                for method_response in method_responses:
                    method_response.ResponseParameters[
                        "method.response.header.Access-Control-Allow-Origin"] = False

            self.check_apigw_method_authorization_type()
            self.check_apigw_method_int_type()

            apigw_method = apigateway.Method(
                title=self.apigw_method_logic_id,
                RestApiId=Ref(self.apigw_restapi),
                ResourceId=Ref(self.apigw_resource_aws_object),
                AuthorizationType=self.apigw_method_authorization_type,
                HttpMethod=self.apigw_method_http_method,
                MethodResponses=method_responses,
                Integration=integration,
            )

            if self.apigw_method_use_authorizer_yes:
                apigw_method.AuthorizerId = Ref(self.apigw_method_authorizer)
                depends_on.append(self.apigw_method_authorizer)

            apigw_method.DependsOn = depends_on

            self._apigw_method_aws_object_cache = apigw_method

        return self._apigw_method_aws_object_cache
    # cross reference parameter
    Parameters={
        tier_1_iam_role.param_env_name.title: Ref(param_env_name),
    },
)
# bind nested stack with a template
link_stack_template(stack=iam_role_stack, template=tier_1_iam_role.template)

iam_instance_profile = iam.InstanceProfile(
    "IamInstanceProfileWebServer",
    template=template,
    InstanceProfileName=helper_fn_sub("{}-web-server", param_env_name),
    # cross reference output
    Roles=[
        GetAtt(
            iam_role_stack,
            f"Outputs.{tier_1_iam_role.output_iam_ec2_instance_role_name.title}"
        ),
    ],
    DependsOn=iam_role_stack,
)

# allow cross reference from other stack
output_iam_ec2_instance_profile_name = Output(
    "IamInstanceProfileName",
    Value=iam_instance_profile.iam_instance_profile_name,
    Export=Export(
        helper_fn_sub("{}-iam-ec2-instance-profile-name", param_env_name)),
)
template.add_output(output_iam_ec2_instance_profile_name)

output_iam_ec2_instance_profile_arn = Output(
Exemplo n.º 24
0
    def do_create_template(self):
        template = Template()
        self.template = template

        param_env_name = Parameter(
            "EnvironmentName",
            Type="String",
            Default=self.ENVIRONMENT_NAME.get_value(),
        )
        param_stage = Parameter(
            "Stage",
            Type="String",
            Default=self.STAGE.get_value(),
        )
        template.add_parameter(param_stage)
        template.add_parameter(param_env_name)

        output_list = list()

        vpc = ec2.VPC(
            "VPC",
            template=template,
            CidrBlock=self.VPC_CIDR.get_value(),
            EnableDnsHostnames=True,
        )
        self.vpc = vpc

        public_subnet_list = list()
        for ind, cidr in enumerate(self.PUBLIC_SUBNET_CIDR_LIST.get_value()):
            subnet = ec2.Subnet(
                "PublicSubnet{}".format(ind + 1),
                template=template,
                CidrBlock=cidr,
                VpcId=Ref(vpc),
                AvailabilityZone=AZPropertyValues.get_nth_az(ind + 1),
                MapPublicIpOnLaunch=True,
                Tags=Tags(
                    Name=helper_fn_sub("{}/subnet/public%s" %
                                       (ind + 1, ), param_env_name)),
                DependsOn=[
                    vpc,
                ],
            )
            public_subnet_list.append(subnet)
        self.public_subnet_list = public_subnet_list

        private_subnet_list = list()
        for ind, cidr in enumerate(self.PRIVATE_SUBNET_CIDR_LIST.get_value()):
            subnet = ec2.Subnet(
                "PrivateSubnet{}".format(ind + 1),
                template=template,
                CidrBlock=cidr,
                VpcId=Ref(vpc),
                AvailabilityZone=AZPropertyValues.get_nth_az(ind + 1),
                MapPublicIpOnLaunch=False,
                Tags=Tags(
                    Name=helper_fn_sub("{}/subnet/priavte%s" %
                                       (ind + 1, ), param_env_name)),
                DependsOn=[
                    vpc,
                ],
            )
            private_subnet_list.append(subnet)
        self.private_subnet_list = private_subnet_list

        subnet_list = public_subnet_list + private_subnet_list
        self.subnet_list = subnet_list

        # igw for public subnet
        # internet gateway is a component that allow VPC to visit public internet
        igw = ec2.InternetGateway(
            "IGW",
            template=template,
        )
        igw_attach_vpc = ec2.VPCGatewayAttachment("IGWAttachVPC",
                                                  template=template,
                                                  VpcId=Ref(vpc),
                                                  InternetGatewayId=Ref(igw),
                                                  DependsOn=[
                                                      vpc,
                                                      igw,
                                                  ])
        self.igw = igw

        # eip + ngw is on public subnet but for private subnet traffic out
        eip_list = list()
        ngw_list = list()
        for ind in range(1, 1 + self.NUMBER_OF_NAT_GW.get_value()):
            eip = ec2.EIP("EIP{}".format(ind),
                          template=template,
                          Domain="vpc",
                          DependsOn=[
                              igw_attach_vpc,
                          ])
            eip_list.append(eip)

            ngw = ec2.NatGateway(
                "NGW{}".format(ind),
                template=template,
                AllocationId=GetAtt(eip, "AllocationId"),
                SubnetId=Ref(public_subnet_list[ind - 1]),
                Tags=Tags(Name=helper_fn_sub("{}/ngw/public%s" %
                                             ind, param_env_name)),
                DependsOn=eip_list,
            )
            ngw_list.append(ngw)
        self.eip_list = eip_list
        self.ngw_list = ngw_list

        # public route
        public_route_table = ec2.RouteTable(
            "PublicRouteTable",
            template=template,
            VpcId=Ref(vpc),
            Tags=Tags(Name=helper_fn_sub("{}/public-routes", param_env_name)))
        self.public_route_table = public_route_table

        public_route_default = ec2.Route(
            "PublicRouteDefault",
            template=template,
            RouteTableId=Ref(public_route_table),
            DestinationCidrBlock="0.0.0.0/0",
            GatewayId=Ref(igw),
            DependsOn=[public_route_table, igw],
        )

        for ind, subnet in enumerate(public_subnet_list):
            route_table_association = ec2.SubnetRouteTableAssociation(
                "PublicSubnet{}RouteTableAssociation".format(ind + 1),
                template=template,
                RouteTableId=Ref(public_route_table),
                SubnetId=Ref(subnet),
                DependsOn=[public_route_table, subnet],
            )

        # private route
        if self.USE_NAT_GW_PER_PRIVATE_SUBNET_FLAG.get_value() is True:
            for ind, subnet in enumerate(private_subnet_list):
                private_route_table = ec2.RouteTable(
                    "PrivateRouteTable{}".format(ind + 1),
                    template=template,
                    VpcId=Ref(vpc),
                    Tags=Tags(
                        Name=helper_fn_sub("{}/private-routes%s" %
                                           (ind + 1, ), param_env_name)),
                    DependsOn=[
                        vpc,
                    ])
                # Route anything to nat gateway
                private_route_default = ec2.Route(
                    "PrivateRoute{}Default".format(ind + 1),
                    template=template,
                    RouteTableId=Ref(private_route_table),
                    DestinationCidrBlock="0.0.0.0/0",
                    NatGatewayId=Ref(ngw_list[ind]),
                    DependsOn=[private_route_table, ngw_list[ind]],
                )
                route_table_association = ec2.SubnetRouteTableAssociation(
                    "PrivateSubnet{}RouteTableAssociation".format(ind + 1),
                    template=template,
                    RouteTableId=Ref(private_route_table),
                    SubnetId=Ref(subnet),
                    DependsOn=[private_route_table, subnet],
                )
        else:
            private_route_table = ec2.RouteTable(
                "PrivateRouteTable",
                template=template,
                VpcId=Ref(vpc),
                Tags=Tags(
                    Name=helper_fn_sub("{}/private-routes", param_env_name)),
                DependsOn=[
                    vpc,
                ],
            )
            private_route_default = ec2.Route(
                "PrivateRouteDefault",
                template=template,
                RouteTableId=Ref(private_route_table),
                DestinationCidrBlock="0.0.0.0/0",
                NatGatewayId=Ref(ngw_list[0]),
                DependsOn=[private_route_table, ngw_list[0]],
            )
            for ind, subnet in enumerate(private_subnet_list):
                route_table_association = ec2.SubnetRouteTableAssociation(
                    "PrivateSubnet{}RouteTableAssociation".format(ind + 1),
                    template=template,
                    RouteTableId=Ref(private_route_table),
                    SubnetId=Ref(subnet),
                    DependsOn=[private_route_table, subnet],
                )

        group_name = "{}/sg/allow-ssh-from-anywhere".format(
            self.ENVIRONMENT_NAME.get_value())
        sg_for_ssh_from_anywhere = ec2.SecurityGroup(
            "SGForSSHFromAnywhere",
            template=template,
            GroupDescription="Allow SSH In",
            GroupName=group_name,
            VpcId=Ref(vpc),
            SecurityGroupIngress=[{
                "IpProtocol": "tcp",
                "FromPort": 22,
                "ToPort": 22,
                "CidrIp": "0.0.0.0/0"
            }],
            Tags=Tags(Name=group_name),
        )
        self.sg_for_ssh_from_anywhere = sg_for_ssh_from_anywhere

        output_list.extend([
            Output(
                vpc.title + "Id",
                Description="VPC ID",
                Value=Ref(vpc),
                Export=Export(helper_fn_sub("{}-vpc-id", param_env_name)),
                DependsOn=vpc,
            ),
            Output(
                "PublicSubnetIds",
                Description="comma delimited public subnet Ids",
                Value=Join(",",
                           [Ref(subnet)
                            for subnet in self.public_subnet_list]),
                Export=Export(
                    helper_fn_sub("{}-public-subnet-ids", param_env_name)),
                DependsOn=self.public_subnet_list,
            ),
            Output(
                "PrivateSubnetIds",
                Description="comma delimited private subnet Ids",
                Value=Join(
                    ",", [Ref(subnet) for subnet in self.private_subnet_list]),
                Export=Export(
                    helper_fn_sub("{}-private-subnet-ids", param_env_name)),
                DependsOn=self.private_subnet_list,
            ),
            Output(sg_for_ssh_from_anywhere.title + "Id",
                   Description="Security Group ID",
                   Value=Ref(sg_for_ssh_from_anywhere),
                   Export=Export(
                       helper_fn_sub("{}-sg-id-allow-ssh-from-anywhere",
                                     param_env_name)))
        ])

        for subnet in subnet_list:
            output = Output(
                subnet.title + "Id",
                Description="{} ID".format(subnet.title),
                Value=Ref(subnet),
                DependsOn=subnet,
            )
            output_list.append(output)

        for output in output_list:
            template.add_output(output)

        common_tags = dict(
            Name=self.ENVIRONMENT_NAME.get_value(),
            Project=self.PROJECT_NAME_SLUG.get_value(),
            Stage=self.STAGE.get_value(),
            EnvName=self.ENVIRONMENT_NAME.get_value(),
        )
        template.update_tags(common_tags, overwrite=False)
        return template
)

kinesis_stream_raw_data_in = kinesis.Stream(
    "KinesisStreamRawDataIn",
    template=template,
    Name=tm.helper_fn_sub("{}-raw-data-in", param_env_name),
    ShardCount=2,
)

kinesis_firehose_delivery_stream_etl = firehose.DeliveryStream(
    "KinesisFirehoseDeliveryStreamEtl",
    template=template,
    DeliveryStreamName=tm.helper_fn_sub("{}-etl", param_env_name),
    DeliveryStreamType="KinesisStreamAsSource",
    KinesisStreamSourceConfiguration=firehose.KinesisStreamSourceConfiguration(
        KinesisStreamARN=GetAtt(kinesis_stream_raw_data_in, "Arn"),
        RoleARN="arn:aws:iam::700621413265:role/firehose-admin-role",
    ),
    ExtendedS3DestinationConfiguration=firehose.
    ExtendedS3DestinationConfiguration(
        BucketARN=GetAtt(s3_bucket_for_raw_data, "Arn"),
        BufferingHints=firehose.BufferingHints(
            IntervalInSeconds=60,
            SizeInMBs=6,
        ),
        CompressionFormat="UNCOMPRESSED",
        RoleARN="arn:aws:iam::700621413265:role/firehose-admin-role",
    ),
)

athena_database = glue.Database(
Exemplo n.º 26
0
        tier_1_1_iam_policy.param_env_name.title: Ref(param_env_name),
    },
)
# bind nested stack with a template
link_stack_template(stack=iam_policy_stack, template=tier_1_1_iam_policy.template)

iam_ec_instance_role = iam.Role(
    "IamRoleWebServer",
    template=template,
    RoleName=helper_fn_sub("{}-web-server", param_env_name),
    AssumeRolePolicyDocument=canned.iam.create_assume_role_policy_document([
        canned.iam.AWSServiceName.amazon_Elastic_Compute_Cloud_Amazon_EC2,
    ]),
    # cross reference output
    ManagedPolicyArns=[
        GetAtt(iam_policy_stack, f"Outputs.{tier_1_1_iam_policy.output_iam_ec2_instance_policy_name.title}"),
    ],
    DependsOn=iam_policy_stack,
)

# allow cross reference from other stack
output_iam_ec2_instance_role_name = Output(
    "IamInstanceRoleName",
    Value=iam_ec_instance_role.iam_role_name,
    Export=Export(helper_fn_sub("{}-iam-ec2-instance-role-name", param_env_name)),
    DependsOn=iam_ec_instance_role,
)
template.add_output(output_iam_ec2_instance_role_name)

output_iam_ec2_instance_role_arn = Output(
    "IamInstanceRoleArn",
Exemplo n.º 27
0
 def apigw_resource_parent_id(self) -> typing.Union[Ref, GetAtt]:
     # it is the root module, use RootResourceId as parent id
     if ("." not in self.rel_module_name) and bool(self.rel_module_name):
         return GetAtt(self.apigw_restapi, "RootResourceId")
     else:
         return Ref(self.parent_config.apigw_resource_aws_object)
Exemplo n.º 28
0
 def associate(self, lbd_func, kms_key, *args, **kwargs):
     """
     Assign Lambda Function a KMS Key to encrypt its environment variables.
     """
     lbd_func.KmsKeyArn = GetAtt(kms_key, "Arn")
     x_depends_on_y(lbd_func, kms_key)