def __init__(self, scope: core.Construct, id: str, vpc, asg_security_groups, **kwargs) -> None: super().__init__(scope, id, **kwargs) # Creat DB Low Level API - MySQL M-AZs db_security_group = ec2.CfnSecurityGroup( self, "dbSG", group_description="All EC2 access DB", group_name="DB_SG", vpc_id=vpc.vpc_id) for asg_sg in asg_security_groups: ec2.CfnSecurityGroupIngress( self, "SG_ingress", ip_protocol="tcp", description="ASG EC2 access DB", to_port=3306, from_port=3306, group_id=db_security_group.attr_group_id, source_security_group_id=asg_sg.security_group_id) subnet_ids = [] for i in vpc.isolated_subnets: subnet_ids.append(i.subnet_id) db_subnet_group = rds.CfnDBSubnetGroup( self, "db_subnet", db_subnet_group_description="DB_subnet", db_subnet_group_name="db_subnet", subnet_ids=subnet_ids) db_mysql = rds.CfnDBInstance( self, "MyDB", db_name="mysqldb", db_instance_class="db.t2.small", allocated_storage="100", storage_type="gp2", engine="MySQL", engine_version="5.7.22", master_username=db_master_username, master_user_password=db_master_user_password, multi_az=True, vpc_security_groups=[db_security_group.attr_group_id], db_subnet_group_name=db_subnet_group.db_subnet_group_name, backup_retention_period=7, allow_major_version_upgrade=False, enable_cloudwatch_logs_exports=[ "audit", "error", "general", "slowquery" ], delete_automated_backups=False) db_mysql.add_depends_on(db_subnet_group) db_mysql.add_depends_on(db_security_group)
def __init__(self, scope: core.Construct, id: str, vpc, public_subnet_a, public_subnet_c, public_subnet_d, **kwargs) -> None: super().__init__(scope, id, **kwargs) prefix = "test" # RedisSecurityGroup redis_security_group = ec2.CfnSecurityGroup( self, "RedisSecurityGroup", group_name="stg-test-redis01", group_description="HTTP traffic", vpc_id=vpc.ref, security_group_ingress=[{ "ipProtocol": "tcp", "fromPort": 6379, "toPort": 6379, "cidrIp": "192.168.0.0/16" }], security_group_egress=[{ "ipProtocol": "tcp", "fromPort": 0, "toPort": 65535, "cidrIp": "0.0.0.0/0" }], ) # MyDBSubnetGroup redis_subnet_group = redis.CfnSubnetGroup( self, "RedisSubnetGroup", cache_subnet_group_name="stg-test-redis01", description="stg-test-redis01", subnet_ids=[ public_subnet_a.ref, public_subnet_c.ref, public_subnet_d.ref ]) redis_params = { 'auto_minor_version_upgrade': True, 'engine': 'redis', 'at_rest_encryption_enabled': True, 'automatic_failover_enabled': False, 'engine_version': '4.0.10', 'cache_node_type': 'cache.t3.micro', 'num_cache_clusters': 1, 'replication_group_description': "stg-test-redis01", 'replication_group_id': "stg-test-redis01", 'security_group_ids': [redis_security_group.ref], 'cache_subnet_group_name': redis_subnet_group.ref } self.redis = redis.CfnReplicationGroup(self, 'stg-test-redis01', **redis_params) core.CfnOutput(self, "OutputVpc", value=vpc.ref) core.CfnOutput(self, "OutputRedis", value=self.redis.ref)
def __init__(self, scope: core.Construct, id: str, app_nw_stack: appNwStack, **kwargs) -> None: super().__init__(scope, id, **kwargs) # Contexts PRJ = self.node.try_get_context("prj") AMI_ID = self.node.try_get_context("ami-id") # Amazon Linux 2 # Functions def nametag(x): return core.CfnTag( key="Name", value="{}/{}".format(PRJ, x)) # ### Resources # IAM Role ec2_statement = iam.PolicyStatement() ec2_statement.add_actions("sts:AssumeRole") ec2_statement.add_service_principal(service="ec2.amazonaws.com") ec2_document = iam.PolicyDocument( statements=[ec2_statement] ) iam_role = iam.CfnRole( self, "iamRoleForEc2", role_name="{}-ec2-role".format(PRJ), description="{}-ec2-role".format(PRJ), assume_role_policy_document=ec2_document.to_json(), managed_policy_arns=[ "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM" ] ) ec2_instance_profile = iam.CfnInstanceProfile( self, "ec2InstanceProfile", roles=[iam_role.ref], instance_profile_name="{}-ec2-instance-profile".format(PRJ) ) # Security Group sg = ec2.CfnSecurityGroup( self, "sg", group_description="sg for ec2 instance({})".format(PRJ), vpc_id=app_nw_stack.vpc.ref, security_group_ingress=[] ) # Instance ec2.CfnInstance( self, "instance", iam_instance_profile=ec2_instance_profile.ref, image_id=AMI_ID, instance_type="t3.micro", security_group_ids=[sg.ref], subnet_id=app_nw_stack.ec2_subnet.ref, tags=[nametag("instance")] )
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: super().__init__(scope, id, **kwargs) def get_userdata(): with open('bootstrap.sh', 'r') as userdata: return userdata.read() vmie_ami = "ami-00bf35d2ab0bdb452" default_vpc = "vpc-e94d1f93" ec2_role = "arn:aws:iam::88888888888:role/KratosRole" account_id = "8888888888" vm_import_image = aws_ec2.GenericLinuxImage({"us-east-1": vmie_ami}) core.Environment(account=account_id) kratos_role = aws_iam.Role.from_role_arn(self, 'KratosXL', role_arn=ec2_role) aws_ec2.Instance(self, f"VMIE-{vmie_ami}", instance_type=aws_ec2.InstanceType('t2.micro'), role=kratos_role, machine_image=vm_import_image, security_group=aws_ec2.CfnSecurityGroup(self, id=f"SG-{vmie_ami}", group_description=f"SG-CDK-{vmie_ami}"), vpc=aws_ec2.Vpc.from_lookup(self, f'CDK-VPC--{vmie_ami}', vpc_id=default_vpc), user_data=aws_ec2.UserData.custom(get_userdata()), key_name="covidQuarantine")
def generate_instances(count=1): amazon_linux_2 = aws_ec2.GenericLinuxImage( {"us-east-1": "ami-0fc61db8544a617ed"}) ec2_objects = [] for i in range(count): ec2_instnace = aws_ec2.Instance( self, f"CDK-Instance-{i + int(1)}", instance_type=aws_ec2.InstanceType('t2.micro'), role=kratos_role, machine_image=amazon_linux_2, security_group=aws_ec2.CfnSecurityGroup( self, id=f"SG{i + int(1)}", group_description=f"SG-CDK-{i}"), vpc=aws_ec2.Vpc.from_lookup(self, f'CDK-VPC-{i + int(1)}', vpc_id="vpc-eeeee3"), user_data=aws_ec2.UserData.custom(get_userdata()), key_name="covidQuarantine") ec2_objects.append(ec2_instnace) return ec2_objects
def __init__(self, scope: core.Construct, id: str, **kwargs): super().__init__(scope, id, **kwargs) self.elasticache_security_group = ec2.CfnSecurityGroup( self, "ElastiCacheSecurityGroup", vpc_id=scope.vpc.vpc_id, group_description="ElastiCacheSecurityGroup", security_group_ingress=[ ec2.CfnSecurityGroup.IngressProperty( ip_protocol="tcp", to_port=6379, from_port=6379, source_security_group_id=scope.vpc. vpc_default_security_group, ) ], ) self.elasticache_subnet_group = elasticache.CfnSubnetGroup( self, "CfnSubnetGroup", subnet_ids=scope.vpc.select_subnets( subnet_type=ec2.SubnetType.ISOLATED).subnet_ids, description="The subnet group for ElastiCache", ) self.elasticache = elasticache.CfnCacheCluster( self, "ElastiCacheClusterRedis", cache_node_type="cache.t2.micro", engine="redis", num_cache_nodes=1, vpc_security_group_ids=[ self.elasticache_security_group.get_att("GroupId").to_string() ], cache_subnet_group_name=self.elasticache_subnet_group.ref, # noqa )
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: super().__init__(scope, id, **kwargs) # The code that defines your stack goes here # instance role # instance profile # SecurityGroup publicsecuritygroup01 = aws_ec2.CfnSecurityGroup( self, 'publicsecuritygroup01', group_description='publicsecuritygroup', group_name='publicsecuritygroup01', vpc_id=core.Fn.import_value('vpcid01'), tags=[core.CfnTag(key='Name', value='publicsecuritygroup01')]) privatesecuritygroup01 = aws_ec2.CfnSecurityGroup( self, 'privatesecuritygroup01', group_description='privatesecuritygroup', group_name='privatesecuritygroup01', vpc_id=core.Fn.import_value('vpcid01'), tags=[core.CfnTag(key='Name', value='privatesecuritygroup01')]) # public Ingress aws_ec2.CfnSecurityGroupIngress(self, 'publicsecuritygroupingress01', group_id=publicsecuritygroup01.ref, ip_protocol='tcp', cidr_ip='0.0.0.0/0', description='for bastion', from_port=22, to_port=22) # public Egress aws_ec2.CfnSecurityGroupEgress( self, 'publicsecuritygroupegress01', group_id=publicsecuritygroup01.ref, ip_protocol='tcp', destination_security_group_id=privatesecuritygroup01.ref, description='for private', from_port=22, to_port=22) # private Ingress aws_ec2.CfnSecurityGroupIngress( self, 'privatesecuritygroupingress01', group_id=privatesecuritygroup01.ref, ip_protocol='tcp', source_security_group_id=publicsecuritygroup01.ref, description='for bastion', from_port=22, to_port=22) # private Egress aws_ec2.CfnSecurityGroupEgress(self, 'privatesecuritygroupegress01', group_id=privatesecuritygroup01.ref, ip_protocol='tcp', cidr_ip='0.0.0.0/0', description='for 443', from_port=443, to_port=443) aws_ec2.CfnSecurityGroupEgress(self, 'privatesecuritygroupegress02', group_id=privatesecuritygroup01.ref, ip_protocol='tcp', cidr_ip='0.0.0.0/0', description='for 80', from_port=80, to_port=80) # aws_ec2.CfnSecurityGroupEgress(self, 'privatesecuritygroupegress03', group_id=privatesecuritygroup01.ref, ip_protocol='tcp', cidr_ip='0.0.0.0/0', description='for 22', from_port=22, to_port=22) core.CfnOutput(self, 'output01', value=publicsecuritygroup01.ref, description='publicsecuritygroup', export_name='publicsecuritygroup01') core.CfnOutput(self, 'output02', value=privatesecuritygroup01.ref, description='privatesecuritygroup', export_name='privatesecuritygroup01')
def __init__(self, scope: core.Construct, id: str, vpc, public_subnet_a, public_subnet_c, public_subnet_d, ec2_sg_id, **kwargs) -> None: super().__init__(scope, id, **kwargs) prefix = "test" # print(ec2_sg_id.ref) # RdsSecurityGroup RdsSecurityGroupStg = ec2.CfnSecurityGroup(self, "RdsSecurityGroupStg", group_name = 'stg-'+prefix+'-db01', group_description = 'stg-'+prefix+'-db01', vpc_id = vpc.ref, security_group_ingress = [ ec2.CfnSecurityGroup.IngressProperty( ip_protocol="tcp", to_port=3306, from_port=3306, cidr_ip='0.0.0.0/0', ), ec2.CfnSecurityGroup.IngressProperty( ip_protocol="tcp", to_port=3306, from_port=3306, source_security_group_id=ec2_sg_id.ref, ), ], security_group_egress = [ { "ipProtocol" : "tcp", "fromPort" : 0, "toPort" : 65535, "cidrIp" : "0.0.0.0/0" } ], ) # MyDBSubnetGroup rds_subnet_group = rds.CfnDBSubnetGroup(self, "DBSubnetGroup", db_subnet_group_description = "DBSubnetGroup", subnet_ids = [ public_subnet_a.ref, public_subnet_c.ref, public_subnet_d.ref ] ) DBParameterGroupStg = rds.CfnDBParameterGroup(self, "DBParameterGroupStg", description = 'stg-'+prefix+'db01', family = "MySQL5.6", parameters = { 'character_set_client': "utf8", 'character_set_connection': "utf8", 'character_set_database': "utf8", 'character_set_results': "utf8", 'character_set_server': "utf8", 'collation_connection': "utf8_general_ci", 'collation_server': "utf8_general_ci", 'long_query_time': "1.2", 'slow_query_log': "1", 'time_zone': "Asia/Tokyo", }, tags=[ core.CfnTag(key="Name", value='stg-'+prefix+'db01') ] ) rds_params = { 'db_instance_identifier': "stg-test-db01", 'engine': "mysql", 'engine_version': '5.6.39', 'db_instance_class': 'db.t3.micro', 'allocated_storage': '5', 'storage_type': 'gp2', 'db_name': "test", 'master_username': "******", 'master_user_password': "******", 'db_subnet_group_name' : rds_subnet_group.ref, 'publicly_accessible': False, 'multi_az': False, 'preferred_backup_window': "18:00-18:30", 'preferred_maintenance_window': "sat:19:00-sat:19:30", 'auto_minor_version_upgrade': False, 'db_parameter_group_name': DBParameterGroupStg.ref, 'vpc_security_groups': [RdsSecurityGroupStg.ref], 'copy_tags_to_snapshot': True, 'backup_retention_period': 7, # 'enable_performance_insights': True, 'delete_automated_backups': True, 'deletion_protection': False, 'availability_zone': "us-east-1a", 'enable_cloudwatch_logs_exports': ["error","slowquery"] # 'storage_encrypted': False, } self.rds = rds.CfnDBInstance(self, 'staff-rds', **rds_params, tags=[ core.CfnTag(key="Name", value='stg-'+prefix+'db01') ] ) core.CfnOutput(self, "OutputVpc", value=vpc.ref) core.CfnOutput(self, "OutputRds", value=self.rds.ref)
def __init__(self, scope: core.Construct, construct_id: str, **kwargs) -> None: super().__init__(scope, construct_id, **kwargs) # IAMロールを作成 my_role_ec2 = iam.CfnRole( self, id="my-role-ec2", assume_role_policy_document={ "Version": "2012-10-17", "Statement": [{ "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" } }] }, description="the ec2 role", managed_policy_arns=[ # "arn:aws:iam::aws:policy/AmazonS3FullAccess" # 付与したいアクセス権をリストする ], role_name="my-role-ec2", tags=[{ "key": "Name", "value": "my-role-ec2" }]) # Instance Profileを作成 my_instance_profile = iam.CfnInstanceProfile(self, id="my-instance-profile", roles=[my_role_ec2.ref]) # VPCを作成 my_vpc = ec2.CfnVPC(self, id="my-vpc", cidr_block="192.168.0.0/16", enable_dns_hostnames=True, tags=[{ "key": "Name", "value": "my-vpc" }]) # Subnetを作成 my_subnet_1 = ec2.CfnSubnet(self, id="my-subnet", cidr_block="192.168.0.0/24", vpc_id=my_vpc.ref, availability_zone=core.Fn.select( 0, core.Fn.get_azs("")), tags=[{ "key": "Name", "value": "my-subnet-1" }]) # Internet Gatewayを作成 my_igw = ec2.CfnInternetGateway(self, id="my-igw", tags=[{ "key": "Name", "value": "my-igw" }]) # Internet Gatewayをアタッチ ec2.CfnVPCGatewayAttachment(self, id="my-igw-attachment", vpc_id=my_vpc.ref, internet_gateway_id=my_igw.ref) # Routetableを作成 my_rtb = ec2.CfnRouteTable(self, id="my-rtb", vpc_id=my_vpc.ref, tags=[{ "key": "Name", "value": "my-rtb" }]) # Routetableとサブネットの関連付け ec2.CfnSubnetRouteTableAssociation(self, id="my-rtb-association", route_table_id=my_rtb.ref, subnet_id=my_subnet_1.ref) # Routeの設定 my_rt = ec2.CfnRoute(self, id="my-rt", route_table_id=my_rtb.ref, destination_cidr_block="0.0.0.0/0", gateway_id=my_igw.ref) # Security Groupの作成 my_sg_ec2 = ec2.CfnSecurityGroup( self, id="my-sg-ec2", vpc_id=my_vpc.ref, group_description="my-sg-ec2", group_name="my-sg-ec2", security_group_ingress=[ ec2.CfnSecurityGroup.IngressProperty(ip_protocol="tcp", cidr_ip="0.0.0.0/0", from_port=22, to_port=22) ], tags=[{ "key": "Name", "value": "my-sg-ec2" }]) # AMIを指定してimage_idを取得 amzn_linux = ec2.MachineImage.latest_amazon_linux( generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX, edition=ec2.AmazonLinuxEdition.STANDARD, virtualization=ec2.AmazonLinuxVirt.HVM, storage=ec2.AmazonLinuxStorage.GENERAL_PURPOSE, cpu_type=ec2.AmazonLinuxCpuType.X86_64).get_image(self).image_id # EC2を作成 my_ec2 = ec2.CfnInstance( self, id="my-ec2", availability_zone=core.Fn.select(0, core.Fn.get_azs("")), block_device_mappings=[ ec2.CfnInstance.BlockDeviceMappingProperty( device_name="/dev/sda1", ebs=ec2.CfnInstance.EbsProperty(delete_on_termination=True, encrypted=False, volume_size=10, volume_type="gp2")) ], credit_specification=ec2.CfnInstance.CreditSpecificationProperty( cpu_credits="standard"), iam_instance_profile=my_instance_profile.ref, image_id=amzn_linux, instance_type="t2.micro", security_group_ids=[my_sg_ec2.ref], subnet_id=my_subnet_1.ref, tags=[{ "key": "Name", "value": "my-ec2" }])
def __init__(self, scope: core.Construct, id: str, data, iam_vars) -> None: super().__init__(scope, id) # VPC vpc = ec2.CfnVPC(self, "cdk-vpc", cidr_block=data["vpc"]) igw = ec2.CfnInternetGateway(self, id="igw") ec2.CfnVPCGatewayAttachment(self, id="igw-attach", vpc_id=vpc.ref, internet_gateway_id=igw.ref) public_route_table = ec2.CfnRouteTable(self, id="public_route_table", vpc_id=vpc.ref) ec2.CfnRoute(self, id="public_route", route_table_id=public_route_table.ref, destination_cidr_block="0.0.0.0/0", gateway_id=igw.ref) public_subnets = [] for i, s in enumerate(data["subnets"]["public"]): subnet = ec2.CfnSubnet(self, id="public_{}".format(s), cidr_block=s, vpc_id=vpc.ref, availability_zone=core.Fn.select( i, core.Fn.get_azs()), map_public_ip_on_launch=True) public_subnets.append(subnet) ec2.CfnSubnetRouteTableAssociation( self, id="public_{}_association".format(s), route_table_id=public_route_table.ref, subnet_id=subnet.ref) eip = ec2.CfnEIP(self, id="natip") nat = ec2.CfnNatGateway(self, id="nat", allocation_id=eip.attr_allocation_id, subnet_id=public_subnets[0].ref) private_route_table = ec2.CfnRouteTable(self, id="private_route_table", vpc_id=vpc.ref) ec2.CfnRoute(self, id="private_route", route_table_id=private_route_table.ref, destination_cidr_block="0.0.0.0/0", nat_gateway_id=nat.ref) private_subnets = [] for i, s in enumerate(data["subnets"]["private"]): subnet = ec2.CfnSubnet(self, id="private_{}".format(s), cidr_block=s, vpc_id=vpc.ref, availability_zone=core.Fn.select( i, core.Fn.get_azs()), map_public_ip_on_launch=False) private_subnets.append(subnet) ec2.CfnSubnetRouteTableAssociation( self, id="private_{}_association".format(s), route_table_id=private_route_table.ref, subnet_id=subnet.ref) # Security groups lb_sg = ec2.CfnSecurityGroup(self, id="lb", group_description="LB SG", vpc_id=vpc.ref) lambda_sg = ec2.CfnSecurityGroup(self, id="lambda", group_description="Lambda SG", vpc_id=vpc.ref) public_prefix = ec2.CfnPrefixList(self, id="cidr_prefix", address_family="IPv4", max_entries=1, prefix_list_name="public", entries=[{ "cidr": "0.0.0.0/0", "description": "Public" }]) _sg_rules = [{ 'sg': lb_sg.attr_group_id, 'rules': [{ "direction": "ingress", "description": "HTTP from Internet", "from_port": 80, "to_port": 80, "protocol": "tcp", "cidr_blocks": public_prefix.ref }, { "direction": "egress", "description": "LB to Lambda", "from_port": 80, "to_port": 80, "protocol": "tcp", "source_security_group_id": lambda_sg.attr_group_id }] }, { "sg": lambda_sg.attr_group_id, "rules": [{ "direction": "ingress", "description": "HTTP from LB", "from_port": 80, "to_port": 80, "protocol": "tcp", "source_security_group_id": lb_sg.attr_group_id }, { "direction": "egress", "description": "All to Internet", "from_port": 0, "to_port": 65535, "protocol": "tcp", "cidr_blocks": public_prefix.ref }] }] for ruleset in _sg_rules: for rule in ruleset["rules"]: if rule["direction"] == "ingress": ec2.CfnSecurityGroupIngress( self, id=rule["description"].replace(" ", "_"), description=rule["description"], to_port=rule["to_port"], from_port=rule["from_port"], ip_protocol=rule["protocol"], group_id=ruleset["sg"], source_prefix_list_id=rule["cidr_blocks"] if "cidr_blocks" in rule else None, source_security_group_id=rule[ "source_security_group_id"] if "source_security_group_id" in rule else None) else: ec2.CfnSecurityGroupEgress( self, id=rule["description"].replace(" ", "_"), description=rule["description"], to_port=rule["to_port"], from_port=rule["from_port"], ip_protocol=rule["protocol"], group_id=ruleset["sg"], destination_prefix_list_id=rule["cidr_blocks"] if "cidr_blocks" in rule else None, destination_security_group_id=rule[ "source_security_group_id"] if "source_security_group_id" in rule else None) # IAM assume_policy_doc = iam.PolicyDocument() for statement in iam_vars["assume"]["Statement"]: _statement = iam.PolicyStatement(actions=[statement["Action"]], ) _statement.add_service_principal(statement["Principal"]["Service"]) assume_policy_doc.add_statements(_statement) role = iam.CfnRole(self, id="iam_role", path="/", assume_role_policy_document=assume_policy_doc) role_policy_doc = iam.PolicyDocument() for statement in iam_vars["policy"]["Statement"]: _statement = iam.PolicyStatement(actions=statement["Action"], resources=["*"]) role_policy_doc.add_statements(_statement) policy = iam.CfnPolicy(self, id="iam_policy", policy_document=role_policy_doc, policy_name="cdkPolicy", roles=[role.ref]) # Lambda shutil.make_archive("../lambda", 'zip', "../lambda/") s3_client = boto3.client('s3') s3_client.upload_file("../lambda.zip", "cloudevescops-zdays-demo", "cdk.zip") function = lmd.CfnFunction(self, id="lambda_function", handler="lambda.lambda_handler", role=role.attr_arn, runtime="python3.7", code={ "s3Bucket": "cloudevescops-zdays-demo", "s3Key": "cdk.zip" }, vpc_config={ "securityGroupIds": [lambda_sg.ref], "subnetIds": [s.ref for s in private_subnets] }, environment={"variables": { "TOOL": "CDK" }}) # LB lb = alb.CfnLoadBalancer(self, id="alb", name="lb-cdk", scheme="internet-facing", type="application", subnets=[s.ref for s in public_subnets], security_groups=[lb_sg.ref]) lmd.CfnPermission(self, id="lambda_permis", action="lambda:InvokeFunction", function_name=function.ref, principal="elasticloadbalancing.amazonaws.com") tg = alb.CfnTargetGroup(self, id="alb_tg", name="lambda-cdk", target_type="lambda", health_check_enabled=True, health_check_interval_seconds=40, health_check_path="/", health_check_timeout_seconds=30, targets=[{ "id": function.get_att("Arn").to_string() }], matcher={"httpCode": "200"}) alb.CfnListener(self, id="listener", default_actions=[{ "type": "forward", "targetGroupArn": tg.ref }], load_balancer_arn=lb.ref, port=80, protocol="HTTP") core.CfnOutput(self, id="fqdn", value=lb.attr_dns_name)
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: super().__init__(scope, id, **kwargs) # Exercise 11 # WebServerRole web_server_role = iam.CfnRole( self, "WebServerRole", role_name="ec2-webserver-role", assume_role_policy_document={ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": { "Service": ["ec2.amazonaws.com"] }, "Action": ["sts:AssumeRole"] }] }, managed_policy_arns=[ "arn:aws:iam::aws:policy/AmazonS3FullAccess", "arn:aws:iam::aws:policy/AmazonRekognitionReadOnlyAccess", "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM", "arn:aws:iam::aws:policy/AmazonPollyReadOnlyAccess", "arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess" ], path="/", policies=[{ "policyName": "SystemsManagerParameters", "policyDocument": { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": ["ssm:DescribeParameters"], "Resource": "*" }, { "Effect": "Allow", "Action": ["ssm:GetParameters"], "Resource": { "Fn::Sub": "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/edx-*" } }] } }, { "policyName": "LogRolePolicy", "policyDocument": { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ 'logs:CreateLogGroup', 'logs:CreateLogStream', 'logs:PutLogEvents', 'logs:DescribeLogStreams' ], "Resource": { "Fn::Sub": "arn:aws:logs::${AWS::Region}:*:*" } }] } }]) # WebServerInstanceProfile web_server_instance_profile = iam.CfnInstanceProfile( self, "WebServerInstanceProfile", instance_profile_name="webserverinstanceprofile", path="/", roles=[web_server_role.role_name]) # WebSecurityGroup web_security_group = ec2.CfnSecurityGroup( self, "WebSecurityGroup", group_name="web-server-sg", group_description="HTTP traffic", vpc_id=core.Fn.import_value("VPC"), security_group_ingress=[{ "ipProtocol": "tcp", "fromPort": 80, "toPort": 80, "cidrIp": "0.0.0.0/0" }], security_group_egress=[{ "ipProtocol": "tcp", "fromPort": 0, "toPort": 65535, "cidrIp": "0.0.0.0/0" }], ) # LambdaSecurityGroup lambda_security_group = ec2.CfnSecurityGroup( self, "LambdaSecurityGroup", group_name="labels-lambda-sg", group_description="HTTP traffic", vpc_id=core.Fn.import_value("VPC"), security_group_egress=[{ "ipProtocol": "tcp", "fromPort": 0, "toPort": 65535, "cidrIp": "0.0.0.0/0" }], ) # Output core.CfnOutput(self, "WebServerInstanceProfileOutput", value=web_server_instance_profile.ref, description="Web Server Instance Profile", export_name="WebServerInstanceProfileOutput") core.CfnOutput(self, "WebServerRoleOutput", value=web_server_role.attr_arn, description="Web Server Role", export_name="WebServerRoleOutput") core.CfnOutput(self, "WebSecurityGroupOutput", value=web_security_group.ref, description="Web Security Group", export_name="WebSecurityGroupOutput") core.CfnOutput(self, "LambdaSecurityGroupOutput", value=lambda_security_group.ref, description="Lambda Security Group", export_name="LambdaSecurityGroupOutput")
def __init__(self, scope: core.Construct, id: str, application_port, ingress_security_group_ids, ssl_certificate_arn, ssl_policy, subnet_ids, vpc_id): super().__init__(scope, id) # Use low level constructs to build security groups as it allows us to name the # ingress rules properly. It's also easier to map the low level construct params # to their cfn equivalent app_sg = ec2.CfnSecurityGroup( self, id='SharedApplicationSecurityGroup', group_description='Shared Fargate Security Group', vpc_id=vpc_id) app_lb_sg = ec2.CfnSecurityGroup( self, id='SharedApplicationLBSecurityGroup', group_description='Shared ALB Security Group', vpc_id=vpc_id, security_group_egress=[{ 'ipProtocol': 'tcp', 'fromPort': application_port, 'toPort': application_port, 'destinationSecurityGroupId': app_sg.ref }]) app_sg_ingress = ec2.CfnSecurityGroupIngress( self, id='SharedApplicationSecurityGroupIngress', group_id=app_sg.ref, source_security_group_id=app_lb_sg.ref, ip_protocol='tcp', from_port=application_port, to_port=application_port) for index, sg in enumerate(ingress_security_group_ids): ec2.CfnSecurityGroupIngress( self, id=f"SharedApplicationLBSecurityGroupIngress{index}", group_id=app_lb_sg.ref, source_security_group_id=sg, ip_protocol='tcp', from_port=443, to_port=443) lb = elbv2.CfnLoadBalancer(self, id='SharedLoadBalancer', scheme='internal', security_groups=[app_lb_sg.ref], subnets=subnet_ids) listener = elbv2.CfnListener( self, id='SharedListener', certificates=[{ 'certificateArn': ssl_certificate_arn }], default_actions=[{ 'type': 'fixed-response', 'fixedResponseConfig': { 'contentType': 'text/plain', 'messageBody': 'You have reached the the Load Balancer, but not matched any of the listener rules', 'statusCode': '200' } }], load_balancer_arn=lb.ref, port=443, protocol='HTTPS', ssl_policy=ssl_policy) core.CfnOutput( self, id=SHARED_LB_DNS_NAME, description='Shared Load Balancer DNS Name', export_name=f"{core.Aws.STACK_NAME}:{SHARED_LB_DNS_NAME}", value=lb.attr_dns_name) core.CfnOutput( self, id=SHARED_LB_HOSTED_ZONE_ID, description='Shared Load Balancer Canonical Hosted Zone ID', export_name=f"{core.Aws.STACK_NAME}:{SHARED_LB_HOSTED_ZONE_ID}", value=lb.attr_canonical_hosted_zone_id) core.CfnOutput( self, id=SHARED_LB_LISTENER, description='Shared Load Balancer Listener', export_name=f"{core.Aws.STACK_NAME}:{SHARED_LB_LISTENER}", value=listener.ref) core.CfnOutput( self, id=SHARED_SERVICE_SECURITY_GROUP, description='Shared Fargate Security Group', export_name= f"{core.Aws.STACK_NAME}:{SHARED_SERVICE_SECURITY_GROUP}", value=app_sg.ref)
def __init__(self, scope: core.Construct, id: str, vpc, subnet_id, **kwargs) -> None: super().__init__(scope, id, **kwargs) prefix = self.node.try_get_context("project_name") env_name = self.node.try_get_context("env") volumne_size = self.node.try_get_context("volumne_size") ec2_type = self.node.try_get_context("ec2_type") self.security_group = ec2.CfnSecurityGroup( self, id="web_server_sg", vpc_id=vpc.ref, group_name=env_name + '-' + prefix + '-www01', group_description="Web server security group", # security_group_ingress=[ingress_ssh], # security_group_egress=[egress_all], tags=[ core.CfnTag(key="Name", value=env_name + '-' + prefix + '-www01') ]) # public Ingress ec2.CfnSecurityGroupIngress(self, 'publicsecuritygroupingress01', group_id=self.security_group.ref, ip_protocol='tcp', cidr_ip='0.0.0.0/0', description='http', from_port=80, to_port=80) ec2.CfnSecurityGroupIngress(self, 'publicsecuritygroupingress02', group_id=self.security_group.ref, ip_protocol='tcp', cidr_ip='0.0.0.0/0', description='ssh', from_port=22, to_port=22) # public Egress ec2.CfnSecurityGroupEgress( self, 'publicsecuritygroupegress01', group_id=self.security_group.ref, ip_protocol='-1', cidr_ip='0.0.0.0/0' # destination_security_group_id=privatesecuritygroup01.ref, # description='for private', # from_port=22, to_port=22 ) # private Ingress image_id = ec2.AmazonLinuxImage( generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2).get_image( self).image_id self.host = ec2.CfnInstance( self, env_name + '-' + prefix, # availability_zone="ap-northeast-1a", image_id=image_id, instance_type=ec2_type, key_name=key_name, # credit_specification= { "cpu_credits" : "standard" }, credit_specification=ec2.CfnInstance.CreditSpecificationProperty( cpu_credits="standard"), disable_api_termination=False, security_group_ids=[self.security_group.ref], subnet_id=subnet_id.ref, block_device_mappings=[{ "deviceName": "/dev/xvda", "ebs": { "volumeSize": volumne_size, } }], tags=[{ "key": "Name", "value": env_name + '-' + prefix + '-www01' }])
def __init__(self, scope: core.Construct, id: str, **kwargs,) -> None: super().__init__(scope, id, **kwargs) # secrets manager for DB password self.db_secret = secrets.Secret( self, "DBSecret", secret_name=f"{scope.full_app_name}-db-secret", generate_secret_string=secrets.SecretStringGenerator( secret_string_template=json.dumps({"username": "******"}), exclude_punctuation=True, include_space=False, generate_string_key="password", ), ) self.db_secret_arn = ssm.StringParameter( self, "DBSecretArn", parameter_name=f"{scope.full_app_name}-secret-arn", string_value=self.db_secret.secret_arn, ) self.db_security_group = ec2.CfnSecurityGroup( self, "DBSecurityGroup", vpc_id=scope.vpc.vpc_id, group_description="DBSecurityGroup", security_group_ingress=[ ec2.CfnSecurityGroup.IngressProperty( ip_protocol="tcp", to_port=5432, from_port=5432, source_security_group_id=scope.vpc.vpc_default_security_group, ) ], ) self.db_subnet_group = rds.CfnDBSubnetGroup( self, "CfnDBSubnetGroup", subnet_ids=scope.vpc.select_subnets( subnet_type=ec2.SubnetType.ISOLATED ).subnet_ids, db_subnet_group_description=f"{scope.full_app_name}-db-subnet-group", ) self.db_config = { "engine_mode": "serverless", "engine": "aurora-postgresql", "engine_version": "10.7", # "port": 5432, "enable_http_endpoint": True, "master_username": self.db_secret.secret_value_from_json( "username" ).to_string(), "master_user_password": self.db_secret.secret_value_from_json( "password" ).to_string(), "vpc_security_group_ids": [ self.db_security_group.get_att("GroupId").to_string() ], "db_subnet_group_name": self.db_subnet_group.ref, } self.rds_cluster = rds.CfnDBCluster( self, "DBCluster", **self.db_config )
def __init__(self, scope: core.Construct, id: str, vpc_ip: str, **kwargs) -> None: super().__init__(scope, id, **kwargs) if vpc_ip: print("VPC_IP " + vpc_ip) cidr = vpc_ip else: cidr = "10.0.0.0/16" # 01. VPC 생성 cfVpc = ec2.CfnVPC(self, "VPC", cidr_block=cidr, tags=[core.Tag(key="Name", value="CDKVPC")]) # 02. Subnet 생성 subnet_2a = ec2.CfnSubnet( self, id="subnet_2a", availability_zone="ap-northeast-2a", cidr_block="100.0.1.0/24", map_public_ip_on_launch=True, vpc_id=cfVpc.ref, tags=[core.Tag(key="Name", value="subnet-2a")]) subnet_2c = ec2.CfnSubnet( self, id="subnet_2c", availability_zone="ap-northeast-2c", cidr_block="100.0.2.0/24", map_public_ip_on_launch=True, vpc_id=cfVpc.ref, tags=[core.Tag(key="Name", value="subnet-2c")]) # 03. Internet Gateway 생성 internet_gateway = ec2.CfnInternetGateway( self, id="Internet_Gateway_DNS_Example", tags=[core.Tag(key="Name", value="Internet_Gateway_for_DNS")]) # 04. Internat Gateway Attach ec2.CfnVPCGatewayAttachment(self, id="vpcgw", vpc_id=cfVpc.ref, internet_gateway_id=internet_gateway.ref) #05. Route Table 생성 route_table = ec2.CfnRouteTable( self, id="dns_example_routetable", vpc_id=cfVpc.ref, tags=[core.Tag(key="Name", value="Route_for_DNS")]) #Route ec2.CfnRoute(self, id="IGW_Route", route_table_id=route_table.ref, destination_cidr_block="0.0.0.0/0", gateway_id=internet_gateway.ref) ec2.CfnSubnetRouteTableAssociation(self, id="DnsSubnet_Associate_2a", route_table_id=route_table.ref, subnet_id=subnet_2a.ref) ec2.CfnSubnetRouteTableAssociation(self, id="DnsSubnet_Associate_2c", route_table_id=route_table.ref, subnet_id=subnet_2c.ref) # 03. SG 생성 sg = ec2.CfnSecurityGroup(self, id="sg-ssh", vpc_id=cfVpc.ref, group_description="Default Group", tags=[core.Tag(key="Name", value="DNS_SG")]) #security_group_ingress=[ingress_ssh]) #security_group_egress=[egress_all]) ingress_ssh = ec2.CfnSecurityGroupIngress(self, "SSH", ip_protocol="tcp", group_id=sg.ref, from_port=22, to_port=22, cidr_ip="0.0.0.0/0") egress_all = ec2.CfnSecurityGroupEgress( self, id="OUTBOUND", group_id=sg.ref, ip_protocol="-1", #from_port=0, #to_port=65535, cidr_ip="0.0.0.0/0") # 04. DNS Server EC2 생성 dns_server = ec2.MachineImage.generic_linux( {"ap-northeast-2": "ami-00d293396a942208d"}) ec2.CfnInstance(self, id="dns_master", image_id=dns_server.get_image(self).image_id, instance_type="t2.small", key_name="SeoulRegion", security_group_ids=[sg.ref], subnet_id=subnet_2a.ref, tags=[{ "key": "Name", "value": "dns_master" }]) ec2.CfnInstance(self, id="dns_slave", image_id=dns_server.get_image(self).image_id, instance_type="t2.small", key_name="SeoulRegion", security_group_ids=[sg.ref], subnet_id=subnet_2c.ref, tags=[{ "key": "Name", "value": "dns_slave" }])
def __init__(self, scope: core.Construct, construct_id: str, **kwargs) -> None: super().__init__(scope, construct_id, **kwargs) vpc = ec2.Vpc(self, id="MyVPC", nat_gateways=0, cidr="192.168.0.0/20", max_azs=1, subnet_configuration=[]) subnet = ec2.Subnet(self, id="MySubnet", availability_zone="eu-central-1a", cidr_block="192.168.1.0/24", vpc_id=vpc.vpc_id, map_public_ip_on_launch=True) igw = ec2.CfnInternetGateway(self, id="MyIGW", tags=[core.CfnTag(key="Name", value="IGW")]) ec2.CfnVPCGatewayAttachment(self, id="IGW_Assoc", vpc_id=vpc.vpc_id, internet_gateway_id=igw.ref) subnet.add_route(id="default_route", router_id=igw.ref, router_type=ec2.RouterType('GATEWAY'), destination_cidr_block="0.0.0.0/0", enables_internet_connectivity=True) sg_public = ec2.CfnSecurityGroup(self, id="SG_PUBLIC", group_description="SG for the Public Subnet", group_name="SG_PUBLIC", vpc_id=vpc.vpc_id, tags=[core.CfnTag(key="Name", value="SG_Public")]) my_home_ip = requests.get("https://api.ipify.org").text ports_pub = {'tcp': [22, 80], 'icmp': [-1] } for protocol, ports_list in ports_pub.items(): for port in ports_list: ec2.CfnSecurityGroupIngress(self, id=f"sg_pub_in_{protocol}_{port}", group_id=sg_public.attr_group_id, ip_protocol=protocol, cidr_ip=f"{my_home_ip}/32", to_port=port, from_port=port, description=f"{protocol.upper()} {port} from home IP") with open("/home/dragos/Documents/AWS_CDK/instance_creation/instance_creation/configure.sh", 'r') as config_file: ud = core.Fn.base64(config_file.read()) instance = ec2.CfnInstance(self, id="MyInstance", image_id="ami-0de9f803fcac87f46", instance_type="t2.micro", subnet_id=subnet.subnet_id, key_name="proton_mail_kp", security_group_ids=[sg_public.ref], tags=[core.CfnTag(key="Name", value="MyInstance")]) # COMMENT instance.user_data = ud
def __init__(self, scope: core.Construct, construct_id: str, **kwargs) -> None: super().__init__(scope, construct_id, **kwargs) vpc = ec2.Vpc(self, id="MyVPC", nat_gateways=0, cidr="192.168.0.0/20", max_azs=3, subnet_configuration=[]) pub_subnet = ec2.PublicSubnet(self, id="PublicSubnet", availability_zone="eu-central-1c", cidr_block="192.168.0.0/24", vpc_id=vpc.vpc_id, map_public_ip_on_launch=True) igw = ec2.CfnInternetGateway( self, id="MyIGW", tags=[core.CfnTag(key="Name", value="IGW")]) ec2.CfnVPCGatewayAttachment(self, id="IGW_Assoc", vpc_id=vpc.vpc_id, internet_gateway_id=igw.ref) pub_subnet.add_route(id="default_route-sub01", router_id=igw.ref, router_type=ec2.RouterType('GATEWAY'), destination_cidr_block="0.0.0.0/0", enables_internet_connectivity=True) # Elastic IP eip_01 = ec2.CfnEIP(self, id="EIP01") # NAT gateway ngw = ec2.CfnNatGateway(self, id="NAT_GW", allocation_id=eip_01.attr_allocation_id, subnet_id=pub_subnet.subnet_id, tags=[core.CfnTag(key="Name", value="NAT_GW")]) subnet01 = ec2.Subnet(self, id="Subnet01", availability_zone="eu-central-1a", cidr_block="192.168.1.0/24", vpc_id=vpc.vpc_id, map_public_ip_on_launch=False) subnet02 = ec2.Subnet(self, id="Subnet02", availability_zone="eu-central-1b", cidr_block="192.168.2.0/24", vpc_id=vpc.vpc_id, map_public_ip_on_launch=False) subnet01.add_route(id="default_route-sub01", router_id=ngw.ref, router_type=ec2.RouterType('NAT_GATEWAY'), destination_cidr_block="0.0.0.0/0", enables_internet_connectivity=True) subnet02.add_route(id="default_route-sub02", router_id=ngw.ref, router_type=ec2.RouterType('NAT_GATEWAY'), destination_cidr_block="0.0.0.0/0", enables_internet_connectivity=True) sg_lb = ec2.CfnSecurityGroup( self, id="SG_ALB", group_description="SG for the APP LB", group_name="SG_ALB", vpc_id=vpc.vpc_id, tags=[core.CfnTag(key="Name", value="SG_ALB")]) sg_ec2i = ec2.CfnSecurityGroup( self, id="SG_Instances", group_description="SG for the Instances", group_name="SG_Instances", vpc_id=vpc.vpc_id, tags=[core.CfnTag(key="Name", value="SG_Instances")]) # my_home_ip = requests.get("https://api.ipify.org").text my_home_ip = "94.112.113.195" ports_pub = {'tcp': [22, 80], 'icmp': [-1]} for protocol, ports_list in ports_pub.items(): for port in ports_list: ec2.CfnSecurityGroupIngress( self, id=f"sg_alb_in_{protocol}_{port}", group_id=sg_lb.attr_group_id, ip_protocol=protocol, cidr_ip=f"{my_home_ip}/32", to_port=port, from_port=port, description=f"{protocol.upper()} {port} from home IP") ec2.CfnSecurityGroupIngress( self, id=f"sg_ec2i_in_{protocol}_{port}", group_id=sg_ec2i.attr_group_id, ip_protocol=protocol, to_port=port, from_port=port, source_security_group_id=sg_lb.ref, description=f"{protocol.upper()} {port} from the ALB SG") with open( "/home/dragos/Documents/AWS_CDK/app_lb_sample/app_lb_sample/configure.sh", 'r') as config_file: ud = core.Fn.base64(config_file.read()) bastion_host = ec2.CfnInstance( self, id="bastion", image_id="ami-0de9f803fcac87f46", instance_type="t2.micro", subnet_id=pub_subnet.subnet_id, key_name="proton_mail_kp", security_group_ids=[sg_lb.ref], tags=[core.CfnTag(key="Name", value="bastion")]) instance01 = ec2.CfnInstance( self, id="WebServer01", image_id="ami-0de9f803fcac87f46", instance_type="t2.micro", subnet_id=subnet01.subnet_id, key_name="proton_mail_kp", security_group_ids=[sg_ec2i.ref], user_data=ud, tags=[core.CfnTag(key="Name", value="WebServer01")]) instance02 = ec2.CfnInstance( self, id="WebServer02", image_id="ami-0de9f803fcac87f46", instance_type="t2.micro", subnet_id=subnet02.subnet_id, key_name="proton_mail_kp", security_group_ids=[sg_ec2i.ref], user_data=ud, tags=[core.CfnTag(key="Name", value="WebServer02")]) # health_check = elbv2.HealthCheck(enabled=True, # healthy_http_codes="200", # path="/index.html", # protocol=elbv2.Protocol("HTTP")) target01 = elbv2.CfnTargetGroup.TargetDescriptionProperty( id=instance01.ref) target02 = elbv2.CfnTargetGroup.TargetDescriptionProperty( id=instance02.ref) tg = elbv2.CfnTargetGroup( self, id="TG-WEB-HTTP", name="TG-WEB-HTTP", health_check_enabled=True, health_check_path="/index.html", health_check_port="80", matcher=elbv2.CfnTargetGroup.MatcherProperty(http_code="200"), port=80, protocol="HTTP", # CASE SENSITIVE target_type="instance", # CASE SENSITIVE targets=[target01, target02], vpc_id=vpc.vpc_id) alb = elbv2.CfnLoadBalancer( self, id="MyALB-HTTP", ip_address_type="ipv4", name="MyALB-HTTP", scheme="internet-facing", security_groups=[sg_lb.ref], type="application", subnets=[subnet01.subnet_id, subnet02.subnet_id]) def_act = Listener.ActionProperty(type="forward", authenticate_cognito_config=None, authenticate_oidc_config=None, fixed_response_config=None, forward_config=None, order=50000, redirect_config=None, target_group_arn=tg.ref) listener = elbv2.CfnListener(self, id="Listener01", load_balancer_arn=alb.ref, port=80, protocol="HTTP", default_actions=[def_act])
def createSecurityGroup(self): # L2 SecurityGroup construct does not support ipv6 well :( securityGroup = ec2.CfnSecurityGroup(self, 'serverVpcSecurityGroup', vpc_id=self.vpc.vpc_id, group_description='Server Vpc Security Group', security_group_ingress=[ ec2.CfnSecurityGroup.IngressProperty( ip_protocol='tcp', from_port=22, to_port=22, cidr_ip=f'{self.ip}/32', description='Allow specific host for ssh' ), ec2.CfnSecurityGroup.IngressProperty( ip_protocol='tcp', from_port=8333, to_port=8333, cidr_ip='0.0.0.0/0', description='Allow bitcoind' ), ec2.CfnSecurityGroup.IngressProperty( ip_protocol='tcp', from_port=8333, to_port=8333, cidr_ipv6='::/0', description='Allow bitcoind' ), ec2.CfnSecurityGroup.IngressProperty( ip_protocol='tcp', from_port=9735, to_port=9735, cidr_ip='0.0.0.0/0', description='Allow lnd' ), ec2.CfnSecurityGroup.IngressProperty( ip_protocol='tcp', from_port=9735, to_port=9735, cidr_ipv6='::/0', description='Allow lnd' ), ec2.CfnSecurityGroup.IngressProperty( ip_protocol='tcp', from_port=9911, to_port=9911, cidr_ip='0.0.0.0/0', description='Allow lnd' ), ec2.CfnSecurityGroup.IngressProperty( ip_protocol='tcp', from_port=9911, to_port=9911, cidr_ipv6='::/0', description='Allow lnd' ), ], security_group_egress=[ ec2.CfnSecurityGroup.EgressProperty( ip_protocol='-1', from_port=-1, to_port=-1, cidr_ip='0.0.0.0/0', description='Allow all outbound' ), ec2.CfnSecurityGroup.EgressProperty( ip_protocol='-1', from_port=-1, to_port=-1, cidr_ipv6='::/0', description='Allow all outbound' ), ] ) securityGroup.apply_removal_policy(cdk.RemovalPolicy.RETAIN) return securityGroup
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: super().__init__(scope, id, **kwargs) current_directory = os.path.realpath( os.path.join(os.getcwd(), os.path.dirname(__file__))) allowed_values = yaml.load(open( os.path.join(current_directory, "..", "..", "allowed_values.yaml")), Loader=yaml.SafeLoader) ami_mapping = {"AMI": {"OEJITSI": AMI_NAME}} for region in generated_ami_ids.keys(): ami_mapping[region] = {"OEJITSI": generated_ami_ids[region]} aws_ami_region_map = core.CfnMapping(self, "AWSAMIRegionMap", mapping=ami_mapping) # utility function to parse the unique id from the stack id for # shorter resource names using cloudformation functions def append_stack_uuid(name): return core.Fn.join("-", [ name, core.Fn.select( 0, core.Fn.split( "-", core.Fn.select(2, core.Fn.split( "/", core.Aws.STACK_ID)))) ]) # # PARAMETERS # cidr_block_param = core.CfnParameter( self, "IngressCidrBlock", allowed_pattern="((\d{1,3})\.){3}\d{1,3}/\d{1,2}", default="0.0.0.0/0", description= "Required: A CIDR block to restrict access to the Jitsi application. Leave as 0.0.0.0/0 to allow public access from internet." ) ec2_instance_type_param = core.CfnParameter( self, "InstanceType", allowed_values=allowed_values["allowed_instance_types"], default="t3.xlarge", description= "Required: The EC2 instance type for the application Auto Scaling Group." ) jitsi_hostname_param = core.CfnParameter( self, "JitsiHostname", description= "Required: The hostname to access Jitsi. E.G. 'jitsi.internal.mycompany.com'" ) jitsi_interface_app_name_param = core.CfnParameter( self, "JitsiInterfaceAppName", default="Jitsi Meet", description= "Optional: Customize the app name on the Jitsi interface.") jitsi_interface_default_remote_display_name_param = core.CfnParameter( self, "JitsiInterfaceDefaultRemoteDisplayName", default="Fellow Jitster", description= "Optional: Customize the default display name for Jitsi users.") jitsi_interface_native_app_name_param = core.CfnParameter( self, "JitsiInterfaceNativeAppName", default="Jitsi Meet", description= "Optional: Customize the native app name on the Jitsi interface.") jitsi_interface_show_brand_watermark_param = core.CfnParameter( self, "JitsiInterfaceShowBrandWatermark", allowed_values=["true", "false"], default="true", description= "Optional: Display the watermark logo image in the upper left corner." ) jitsi_interface_show_watermark_for_guests_param = core.CfnParameter( self, "JitsiInterfaceShowWatermarkForGuests", allowed_values=["true", "false"], default="true", description= "Optional: Display the watermark logo image in the upper left corner for guest users. This can be set to override the general setting behavior for guest users." ) jitsi_interface_brand_watermark_param = core.CfnParameter( self, "JitsiInterfaceBrandWatermark", default="", description= "Optional: Provide a URL to a PNG image to be used as the brand watermark logo image in the upper right corner. File should be publically available for download." ) jitsi_interface_brand_watermark_link_param = core.CfnParameter( self, "JitsiInterfaceBrandWatermarkLink", default="http://jitsi.org", description= "Optional: Provide a link destination for the brand watermark logo image in the upper right corner." ) jitsi_interface_watermark_param = core.CfnParameter( self, "JitsiInterfaceWatermark", default="", description= "Optional: Provide a URL to a PNG image to be used as the watermark logo image in the upper left corner. File should be publically available for download." ) jitsi_interface_watermark_link_param = core.CfnParameter( self, "JitsiInterfaceWatermarkLink", default="http://jitsi.org", description= "Optional: Provide a link destination for the Jitsi watermark logo image in the upper left corner." ) route_53_hosted_zone_name_param = core.CfnParameter( self, "Route53HostedZoneName", description= "Required: Route 53 Hosted Zone name in which a DNS record will be created by this template. Must already exist and be the domain part of the Jitsi Hostname parameter, without trailing dot. E.G. 'internal.mycompany.com'" ) notification_email_param = core.CfnParameter( self, "NotificationEmail", default="", description= "Optional: Specify an email address to get emails about deploys, Let's Encrypt, and other system events." ) # # CONDITIONS # notification_email_exists_condition = core.CfnCondition( self, "NotificationEmailExistsCondition", expression=core.Fn.condition_not( core.Fn.condition_equals(notification_email_param.value, ""))) # # RESOURCES # # vpc vpc = Vpc(self, "Vpc") # sns sns_notification_topic = aws_sns.CfnTopic( self, "NotificationTopic", topic_name="{}-notifications".format(core.Aws.STACK_NAME)) sns_notification_subscription = aws_sns.CfnSubscription( self, "NotificationSubscription", protocol="email", topic_arn=sns_notification_topic.ref, endpoint=notification_email_param.value_as_string) sns_notification_subscription.cfn_options.condition = notification_email_exists_condition iam_notification_publish_policy = aws_iam.PolicyDocument(statements=[ aws_iam.PolicyStatement(effect=aws_iam.Effect.ALLOW, actions=["sns:Publish"], resources=[sns_notification_topic.ref]) ]) # cloudwatch app_log_group = aws_logs.CfnLogGroup( self, "JitsiAppLogGroup", retention_in_days=TWO_YEARS_IN_DAYS) app_log_group.cfn_options.update_replace_policy = core.CfnDeletionPolicy.RETAIN app_log_group.cfn_options.deletion_policy = core.CfnDeletionPolicy.RETAIN system_log_group = aws_logs.CfnLogGroup( self, "JitsiSystemLogGroup", retention_in_days=TWO_YEARS_IN_DAYS) system_log_group.cfn_options.update_replace_policy = core.CfnDeletionPolicy.RETAIN system_log_group.cfn_options.deletion_policy = core.CfnDeletionPolicy.RETAIN # iam iam_jitsi_instance_role = aws_iam.CfnRole( self, "JitsiInstanceRole", assume_role_policy_document=aws_iam.PolicyDocument(statements=[ aws_iam.PolicyStatement( effect=aws_iam.Effect.ALLOW, actions=["sts:AssumeRole"], principals=[aws_iam.ServicePrincipal("ec2.amazonaws.com")]) ]), policies=[ aws_iam.CfnRole.PolicyProperty( policy_document=aws_iam.PolicyDocument(statements=[ aws_iam.PolicyStatement( effect=aws_iam.Effect.ALLOW, actions=[ "logs:CreateLogStream", "logs:DescribeLogStreams", "logs:PutLogEvents" ], resources=[ app_log_group.attr_arn, system_log_group.attr_arn ]) ]), policy_name="AllowStreamLogsToCloudWatch"), aws_iam.CfnRole.PolicyProperty( policy_document=aws_iam.PolicyDocument(statements=[ aws_iam.PolicyStatement( effect=aws_iam.Effect.ALLOW, actions=[ "ec2:AssociateAddress", "ec2:DescribeVolumes", "ec2:DescribeTags", "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics", "cloudwatch:PutMetricData" ], resources=["*"]) ]), policy_name="AllowStreamMetricsToCloudWatch"), aws_iam.CfnRole.PolicyProperty( policy_document=aws_iam.PolicyDocument(statements=[ aws_iam.PolicyStatement( effect=aws_iam.Effect.ALLOW, actions=["autoscaling:Describe*"], resources=["*"]) ]), policy_name="AllowDescribeAutoScaling"), ], managed_policy_arns=[ "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore" ]) # ec2 jitsi_sg = aws_ec2.CfnSecurityGroup( self, "JitsiSg", group_description="Jitsi security group", vpc_id=vpc.id()) eip = aws_ec2.CfnEIP(self, "Eip", domain="vpc") core.Tags.of(eip).add("Name", "{}/Eip".format(core.Aws.STACK_NAME)) ec2_instance_profile = aws_iam.CfnInstanceProfile( self, "JitsiInstanceProfile", roles=[iam_jitsi_instance_role.ref]) with open("jitsi/jitsi_launch_config_user_data.sh") as f: jitsi_launch_config_user_data = f.read() ec2_launch_config = aws_autoscaling.CfnLaunchConfiguration( self, "JitsiLaunchConfig", image_id=core.Fn.find_in_map("AWSAMIRegionMap", core.Aws.REGION, "OEJITSI"), instance_type=ec2_instance_type_param.value_as_string, iam_instance_profile=ec2_instance_profile.ref, security_groups=[jitsi_sg.ref], user_data=(core.Fn.base64( core.Fn.sub( jitsi_launch_config_user_data, { "JitsiHostname": jitsi_hostname_param.value_as_string, "JitsiPublicIP": eip.ref, "LetsEncryptCertificateEmail": notification_email_param.value_as_string })))) # autoscaling asg = aws_autoscaling.CfnAutoScalingGroup( self, "JitsiAsg", launch_configuration_name=ec2_launch_config.ref, desired_capacity="1", max_size="1", min_size="1", vpc_zone_identifier=vpc.public_subnet_ids()) asg.cfn_options.creation_policy = core.CfnCreationPolicy( resource_signal=core.CfnResourceSignal(count=1, timeout="PT15M")) asg.cfn_options.update_policy = core.CfnUpdatePolicy( auto_scaling_rolling_update=core.CfnAutoScalingRollingUpdate( max_batch_size=1, min_instances_in_service=0, pause_time="PT15M", wait_on_resource_signals=True)) core.Tags.of(asg).add("Name", "{}/JitsiAsg".format(core.Aws.STACK_NAME)) jitsi_http_ingress = aws_ec2.CfnSecurityGroupIngress( self, "JitsiHttpSgIngress", cidr_ip=cidr_block_param.value_as_string, from_port=80, group_id=jitsi_sg.ref, ip_protocol="tcp", to_port=80) jitsi_https_ingress = aws_ec2.CfnSecurityGroupIngress( self, "JitsiHttpsSgIngress", cidr_ip=cidr_block_param.value_as_string, from_port=443, group_id=jitsi_sg.ref, ip_protocol="tcp", to_port=443) jitsi_fallback_network_audio_video_ingress = aws_ec2.CfnSecurityGroupIngress( self, "JitsiFallbackNetworkAudioVideoSgIngress", cidr_ip=cidr_block_param.value_as_string, from_port=4443, group_id=jitsi_sg.ref, ip_protocol="tcp", to_port=4443) jitsi_general_network_audio_video_ingress = aws_ec2.CfnSecurityGroupIngress( self, "JitsiGeneralNetworkAudioVideoSgIngress", cidr_ip=cidr_block_param.value_as_string, from_port=10000, group_id=jitsi_sg.ref, ip_protocol="udp", to_port=10000) # route 53 record_set = aws_route53.CfnRecordSet( self, "RecordSet", hosted_zone_name= f"{route_53_hosted_zone_name_param.value_as_string}.", name=jitsi_hostname_param.value_as_string, resource_records=[eip.ref], type="A") # https://github.com/aws/aws-cdk/issues/8431 record_set.add_property_override("TTL", 60) # AWS::CloudFormation::Interface self.template_options.metadata = { "OE::Patterns::TemplateVersion": template_version, "AWS::CloudFormation::Interface": { "ParameterGroups": [{ "Label": { "default": "Infrastructure Config" }, "Parameters": [ jitsi_hostname_param.logical_id, route_53_hosted_zone_name_param.logical_id, cidr_block_param.logical_id, ec2_instance_type_param.logical_id, notification_email_param.logical_id ] }, { "Label": { "default": "Jitsi Config" }, "Parameters": [ jitsi_interface_app_name_param.logical_id, jitsi_interface_default_remote_display_name_param. logical_id, jitsi_interface_native_app_name_param.logical_id, jitsi_interface_show_brand_watermark_param.logical_id, jitsi_interface_show_watermark_for_guests_param. logical_id, jitsi_interface_brand_watermark_param.logical_id, jitsi_interface_brand_watermark_link_param.logical_id, jitsi_interface_watermark_param.logical_id, jitsi_interface_watermark_link_param.logical_id, ] }, *vpc.metadata_parameter_group()], "ParameterLabels": { cidr_block_param.logical_id: { "default": "Ingress CIDR Block" }, ec2_instance_type_param.logical_id: { "default": "EC2 instance type" }, jitsi_hostname_param.logical_id: { "default": "Jitsi Hostname" }, jitsi_interface_app_name_param.logical_id: { "default": "Jitsi Interface App Name" }, jitsi_interface_default_remote_display_name_param.logical_id: { "default": "Jitsi Interface Default Remote Display Name" }, jitsi_interface_native_app_name_param.logical_id: { "default": "Jitsi Interface Native App Name" }, jitsi_interface_show_brand_watermark_param.logical_id: { "default": "Jitsi Interface Show Watermark" }, jitsi_interface_show_watermark_for_guests_param.logical_id: { "default": "Jitsi Interface Show Watermark For Guests" }, jitsi_interface_brand_watermark_param.logical_id: { "default": "Jitsi Interface Watermark" }, jitsi_interface_brand_watermark_link_param.logical_id: { "default": "Jitsi Interface Watermark Link" }, jitsi_interface_watermark_param.logical_id: { "default": "Jitsi Interface Watermark" }, jitsi_interface_watermark_link_param.logical_id: { "default": "Jitsi Interface Watermark Link" }, notification_email_param.logical_id: { "default": "Notification Email" }, route_53_hosted_zone_name_param.logical_id: { "default": "AWS Route 53 Hosted Zone Name" }, **vpc.metadata_parameter_labels() } } } # # OUTPUTS # eip_output = core.CfnOutput( self, "EipOutput", description= "The Elastic IP address dynamically mapped to the autoscaling group instance.", value=eip.ref) endpoint_output = core.CfnOutput( self, "JitsiUrl", description="The URL for the Jitsi instance.", value=core.Fn.join( "", ["https://", jitsi_hostname_param.value_as_string]))
def __init__(self, scope: core.Construct, id: str, custom: dict, **kwargs) -> None: super().__init__(scope, id, **kwargs) region = self.region #create S3 access role for ec2 ec2Role = iam.Role( self, "aws-cdk-handson-lab02-ec2role", assumed_by=iam.ServicePrincipal("ec2.amazonaws.com"), managed_policies=[ iam.ManagedPolicy.from_aws_managed_policy_name( "AmazonS3ReadOnlyAccess") ]) instanceProfile = iam.CfnInstanceProfile( self, "aws-cdk-handson-lab02-ec2Profile", roles=[ec2Role.role_name], instance_profile_name="aws-cdk-handson-lab02-ec2Profile", ) #create new VPC for lab02 #vpc = ec2.Vpc.from_lookup(self, "aws-cdk-handson-lab02-vpc",vpc_name="default") #使用默认的vpc #创建新的vpc vpc = ec2.Vpc(self, id="aws-cdk-handson-lab02-vpc", cidr="172.30.0.0/16", nat_gateways=0, subnet_configuration=[ { "cidrMask": 24, "name": "subnet-1-", "subnetType": ec2.SubnetType.PUBLIC }, { "cidrMask": 24, "name": "subnet-2-", "subnetType": ec2.SubnetType.PUBLIC }, { "cidrMask": 24, "name": "subnet-3-", "subnetType": ec2.SubnetType.PUBLIC }, ]) #使用已有的安全组 #sg=ec2.SecurityGroup.from_security_group_id(self,"nodeSG",security_group_id='sg-0dd53aaa5c9eb8324') #创建新的安全组 sg = ec2.CfnSecurityGroup( self, "aws-cdk-handson-lab02-ec2securitygroup", group_description="this is aws-cdk-handson workshop", group_name="aws-cdk-handson-lab02-ec2securitygroup", security_group_ingress=[ { "ipProtocol": "tcp", "fromPort": 80, "toPort": 80, "cidrIp": "0.0.0.0/0", }, { "ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "cidrIp": "0.0.0.0/0", }, { "ipProtocol": "tcp", "fromPort": 8080, "toPort": 8080, "cidrIp": "0.0.0.0/0", }, ], vpc_id=vpc.vpc_id) #read and base64 encode userdata file data = open("../resource/httpd.sh", "rb").read() encodedBytes = base64.encodebytes(data) encodedStr = str(encodedBytes, "utf-8") #create ec2 instances ami = ec2.AmazonLinuxImage( generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2) #创建2台EC2 ec2Count = 2 for i in range(ec2Count): eni0 = ec2.CfnNetworkInterface( self, "eni-" + str(i), subnet_id=vpc.public_subnets[0].subnet_id, group_set=[sg.attr_group_id]) #group_set=[sg.security_group_id] instance = ec2.CfnInstance( self, "ec2-httpd-" + str(i), image_id=ami.get_image( self).image_id, #use Amazon Linux 2 AMI instance_type="t3.micro", key_name="wsu-cn-northwest-1", #这个是keypair的名字非常重要 tags=[ core.CfnTag(key="Name", value="aws-cdk-lab02-ec2-" + str(i)) ], #加上标签 iam_instance_profile=instanceProfile.ref, user_data=encodedStr, network_interfaces=[{ 'deviceIndex': '0', 'networkInterfaceId': eni0.ref, }]) core.CfnOutput(self, "PublicIP-" + str(i), export_name="PublicIP-" + str(i), value=instance.attr_public_ip) core.CfnOutput(self, "PublicDNSName-" + str(i), export_name="PublicDNSName-" + str(i), value=instance.attr_public_dns_name)
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: super().__init__(scope, id, **kwargs) prefix = "test" cidr = "192.168.0.0/16" # def name(s): return "{0}/{1}".format(prefix, s) def name(s): return "{0} {1}".format(prefix, s) # VPC self.vpc = ec2.CfnVPC(self, "vpc", cidr_block=cidr, enable_dns_hostnames=True, enable_dns_support=True, tags=[core.CfnTag(key="Name", value=prefix)]) # InternetGateway igw = ec2.CfnInternetGateway( self, "igw", tags=[core.CfnTag(key="Name", value=prefix)]) igw_attachment = ec2.CfnVPCGatewayAttachment( self, "igw_attachment", vpc_id=self.vpc.ref, internet_gateway_id=igw.ref) dhcpoptions = ec2.CfnDHCPOptions( self, "dhcpoptions", domain_name="ec2.internal " + prefix, domain_name_servers=["AmazonProvidedDNS"], tags=[core.CfnTag(key="Name", value=prefix)]) dhcpoptionsassociation = ec2.CfnVPCDHCPOptionsAssociation( self, "dhcpoptionsassociation", dhcp_options_id=dhcpoptions.ref, vpc_id=self.vpc.ref) # PrivateSubnetA # private_subnet_a = ec2.CfnSubnet( # self, "private_a", # vpc_id=vpc.ref, # cidr_block="192.168.0.0/24", # availability_zone="ap-northeast-1a", # tags=[ # core.CfnTag(key="Name", value=name("private_a")) # ] # ) # PrivateSubnetC # private_subnet_c = ec2.CfnSubnet( # self, "private_c", # vpc_id=vpc.ref, # cidr_block="192.168.1.0/24", # availability_zone="ap-northeast-1c", # tags=[ # core.CfnTag(key="Name", value=name("private_c")) # ] # ) # PublicSubnetA self.public_subnet_a = ec2.CfnSubnet( self, "public_a", vpc_id=self.vpc.ref, cidr_block="192.168.0.0/20", # availability_zone="ap-northeast-1a", availability_zone="us-east-1a", tags=[core.CfnTag(key="Name", value=prefix + " public_a")]) # PublicSubnetC self.public_subnet_c = ec2.CfnSubnet( self, "public_c", vpc_id=self.vpc.ref, cidr_block="192.168.16.0/20", availability_zone="us-east-1c", tags=[core.CfnTag(key="Name", value=prefix + " public_c")]) self.public_subnet_d = ec2.CfnSubnet( self, "public_d", vpc_id=self.vpc.ref, cidr_block="192.168.32.0/20", availability_zone="us-east-1d", tags=[core.CfnTag(key="Name", value=prefix + " public_d")]) # EIP1 (for NATGW) # eip1 = ec2.CfnEIP( # self, "eip1", # domain="vpc", # ) # eip1.add_depends_on(igw_attachment) # EIP2 (for NATGW) # eip2 = ec2.CfnEIP( # self, "eip2", # domain="vpc", # ) # eip2.add_depends_on(igw_attachment) # NatGatewayA # natgw_a = ec2.CfnNatGateway( # self, "natgw_a", # allocation_id=eip1.attr_allocation_id, # subnet_id=self.public_subnet_a.ref, # tags=[ # core.CfnTag(key="Name", value=name("natgw_a")) # ] # ) # NatGatewayC # natgw_c = ec2.CfnNatGateway( # self, "natgw_c", # allocation_id=eip2.attr_allocation_id, # subnet_id=public_subnet_c.ref, # tags=[ # core.CfnTag(key="Name", value=name("natgw_c")) # ] # ) # RouteTable of PrivateSubnetA # rtb_private_a = ec2.CfnRouteTable( # self, "rtb_private_a", # vpc_id=vpc.ref, # tags=[ # core.CfnTag(key="Name", value=name("rtb_private_a")) # ] # ) # ec2.CfnSubnetRouteTableAssociation( # self, "rtb_private_a_association", # route_table_id=rtb_private_a.ref, # subnet_id=private_subnet_a.ref # ) # ec2.CfnRoute( # self, "route_private_a", # route_table_id=rtb_private_a.ref, # destination_cidr_block="0.0.0.0/0", # nat_gateway_id=natgw_a.ref # ) # RouteTable of PrivateSubnetC # rtb_private_c = ec2.CfnRouteTable( # self, "rtb_private_c", # vpc_id=vpc.ref, # tags=[ # core.CfnTag(key="Name", value=name("rtb_private_c")) # ] # ) # ec2.CfnSubnetRouteTableAssociation( # self, "rtb_private_c_association", # route_table_id=rtb_private_c.ref, # subnet_id=private_subnet_c.ref # ) # ec2.CfnRoute( # self, "route_private_c", # route_table_id=rtb_private_c.ref, # destination_cidr_block="0.0.0.0/0", # nat_gateway_id=natgw_c.ref # ) # RouteTable of PublicSubnetA self.rtb_public_a = ec2.CfnRouteTable( self, "rtb_public_a", vpc_id=self.vpc.ref, tags=[core.CfnTag(key="Name", value=prefix + "rtb_public_a")]) ec2.CfnSubnetRouteTableAssociation( self, "rtb_public_a_association", route_table_id=self.rtb_public_a.ref, subnet_id=self.public_subnet_a.ref) ec2.CfnSubnetRouteTableAssociation( self, "rtb_public_c_association", route_table_id=self.rtb_public_a.ref, subnet_id=self.public_subnet_c.ref) ec2.CfnSubnetRouteTableAssociation( self, "rtb_public_d_association", route_table_id=self.rtb_public_a.ref, subnet_id=self.public_subnet_d.ref) ec2.CfnRoute(self, "route_public_a", route_table_id=self.rtb_public_a.ref, destination_cidr_block="0.0.0.0/0", gateway_id=igw.ref) # RouteTable of PublicSubnetC # rtb_public_c = ec2.CfnRouteTable( # self, "rtb_public_c", # vpc_id=vpc.ref, # tags=[ # core.CfnTag(key="Name", value=name("rtb_public_c")) # ] # ) # ec2.CfnSubnetRouteTableAssociation( # self, "rtb_public_c_association", # route_table_id=rtb_public_c.ref, # subnet_id=public_subnet_c.ref # ) # ec2.CfnRoute( # self, "route_public_c", # route_table_id=rtb_public_c.ref, # destination_cidr_block="0.0.0.0/0", # gateway_id=igw.ref # ) # ami_id = ec2.AmazonLinuxImage(generation = ec2.AmazonLinuxGeneration.AMAZON_LINUX_2).get_image(self).image_id # security_group = ec2.SecurityGroup( # self, # id='test', # vpc=self.vpc, # security_group_name='test-security-group' # ) # security_group.add_ingress_rule( # peer=ec2.Peer.ipv4(cidr), # connection=ec2.Port.tcp(22), # ) # red_web_inst = ec2.CfnInstance(self, # "testInstance01", # image_id = ami_id, # instance_type = "t3a.micro", # monitoring = False, # key_name = "stg-intrinio-www01", # security_group_ids=[security_group.security_group_id], # block_device_mappings = [{ # "deviceName": "/dev/xvda", # "ebs": { # "volumeSize": 10, # "volumeType": "io1", # "iops": 150, # "deleteOnTermination": True # } # } # ], # tags = [ # { "key": "Name", "value": prefix } # ], # network_interfaces = [{ # "deviceIndex": "0", # "associatePublicIpAddress": True, # "subnetId": self.public_subnet_a.ref, # # "groupSet": [web_sg.security_group_id] # }], #https: //github.com/aws/aws-cdk/issues/3419 # ) # RedisSecurityGroup redis_security_group = ec2.CfnSecurityGroup( self, "RedisSecurityGroup", group_name="stg-test-redis01", group_description="HTTP traffic", vpc_id=self.vpc.ref, security_group_ingress=[{ "ipProtocol": "tcp", "fromPort": 6379, "toPort": 6379, "cidrIp": "192.168.0.0/16" }], security_group_egress=[{ "ipProtocol": "tcp", "fromPort": 0, "toPort": 65535, "cidrIp": "0.0.0.0/0" }], ) # MyDBSubnetGroup redis_subnet_group = redis.CfnSubnetGroup( self, "RedisSubnetGroup", cache_subnet_group_name="stg-test-redis01", description="stg-test-redis01", subnet_ids=[ self.public_subnet_a.ref, self.public_subnet_c.ref, self.public_subnet_d.ref ]) redis_params = { 'auto_minor_version_upgrade': True, 'engine': 'redis', 'at_rest_encryption_enabled': True, 'automatic_failover_enabled': False, 'engine_version': '4.0.10', 'cache_node_type': 'cache.t3.micro', 'num_cache_clusters': 1, 'replication_group_description': "stg-test-redis01", 'security_group_ids': [redis_security_group.ref], 'cache_subnet_group_name': redis_subnet_group.ref } self.redis = redis.CfnReplicationGroup(self, 'staff-redis', **redis_params) core.CfnOutput(self, "OutputVpc", value=self.vpc.ref) core.CfnOutput(self, "OutputRedis", value=self.redis.ref)
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: super().__init__(scope, id, **kwargs) prefix = "test"" cidr = "10.100.0.0/16" # def name(s): return "{0}/{1}".format(prefix, s) def name(s): return "{0} {1}".format(prefix, s) # VPC self.vpc = ec2.CfnVPC( self, "vpc", cidr_block=cidr, enable_dns_hostnames=True, enable_dns_support=True, tags=[ core.CfnTag(key="Name", value=prefix+" VPC") ] ) # InternetGateway igw = ec2.CfnInternetGateway( self, "igw", tags=[ core.CfnTag(key="Name", value=prefix+" IGW") ] ) igw_attachment = ec2.CfnVPCGatewayAttachment( self, "igw_attachment", vpc_id=self.vpc.ref, internet_gateway_id=igw.ref ) dhcpoptions = ec2.CfnDHCPOptions( self, "dhcpoptions", domain_name="ec2.internal "+prefix, domain_name_servers=["AmazonProvidedDNS"], tags=[ core.CfnTag(key="Name", value=prefix) ] ) dhcpoptionsassociation = ec2.CfnVPCDHCPOptionsAssociation( self, "dhcpoptionsassociation", dhcp_options_id=dhcpoptions.ref, vpc_id=self.vpc.ref ) # PrivateSubnetA # private_subnet_a = ec2.CfnSubnet( # self, "private_a", # vpc_id=vpc.ref, # cidr_block="192.168.0.0/24", # availability_zone="ap-northeast-1a", # tags=[ # core.CfnTag(key="Name", value=name("private_a")) # ] # ) # PrivateSubnetC # private_subnet_c = ec2.CfnSubnet( # self, "private_c", # vpc_id=vpc.ref, # cidr_block="192.168.1.0/24", # availability_zone="ap-northeast-1c", # tags=[ # core.CfnTag(key="Name", value=name("private_c")) # ] # ) # PublicSubnetA self.public_subnet_a = ec2.CfnSubnet( self, "public_a", vpc_id=self.vpc.ref, cidr_block="192.168.0.0/20", # availability_zone="ap-northeast-1a", availability_zone="us-east-1a", tags=[ core.CfnTag(key="Name", value=prefix+" public_a") ] ) # PublicSubnetC self.public_subnet_c = ec2.CfnSubnet( self, "public_c", vpc_id=self.vpc.ref, cidr_block="192.168.16.0/20", availability_zone="us-east-1c", tags=[ core.CfnTag(key="Name", value=prefix+" public_c") ] ) self.public_subnet_d = ec2.CfnSubnet( self, "public_d", vpc_id=self.vpc.ref, cidr_block="192.168.32.0/20", availability_zone="us-east-1d", tags=[ core.CfnTag(key="Name", value=prefix+" public_d") ] ) # EIP1 (for NATGW) # eip1 = ec2.CfnEIP( # self, "eip1", # domain="vpc", # ) # eip1.add_depends_on(igw_attachment) # EIP2 (for NATGW) # eip2 = ec2.CfnEIP( # self, "eip2", # domain="vpc", # ) # eip2.add_depends_on(igw_attachment) # NatGatewayA # natgw_a = ec2.CfnNatGateway( # self, "natgw_a", # allocation_id=eip1.attr_allocation_id, # subnet_id=self.public_subnet_a.ref, # tags=[ # core.CfnTag(key="Name", value=name("natgw_a")) # ] # ) # NatGatewayC # natgw_c = ec2.CfnNatGateway( # self, "natgw_c", # allocation_id=eip2.attr_allocation_id, # subnet_id=public_subnet_c.ref, # tags=[ # core.CfnTag(key="Name", value=name("natgw_c")) # ] # ) # RouteTable of PrivateSubnetA # rtb_private_a = ec2.CfnRouteTable( # self, "rtb_private_a", # vpc_id=vpc.ref, # tags=[ # core.CfnTag(key="Name", value=name("rtb_private_a")) # ] # ) # ec2.CfnSubnetRouteTableAssociation( # self, "rtb_private_a_association", # route_table_id=rtb_private_a.ref, # subnet_id=private_subnet_a.ref # ) # ec2.CfnRoute( # self, "route_private_a", # route_table_id=rtb_private_a.ref, # destination_cidr_block="0.0.0.0/0", # nat_gateway_id=natgw_a.ref # ) # RouteTable of PrivateSubnetC # rtb_private_c = ec2.CfnRouteTable( # self, "rtb_private_c", # vpc_id=vpc.ref, # tags=[ # core.CfnTag(key="Name", value=name("rtb_private_c")) # ] # ) # ec2.CfnSubnetRouteTableAssociation( # self, "rtb_private_c_association", # route_table_id=rtb_private_c.ref, # subnet_id=private_subnet_c.ref # ) # ec2.CfnRoute( # self, "route_private_c", # route_table_id=rtb_private_c.ref, # destination_cidr_block="0.0.0.0/0", # nat_gateway_id=natgw_c.ref # ) # RouteTable of PublicSubnetA self.rtb_public_a = ec2.CfnRouteTable( self, "rtb_public_a", vpc_id=self.vpc.ref, tags=[ core.CfnTag(key="Name", value=prefix+"rtb_public_a") ] ) ec2.CfnSubnetRouteTableAssociation( self, "rtb_public_a_association", route_table_id=self.rtb_public_a.ref, subnet_id=self.public_subnet_a.ref ) ec2.CfnSubnetRouteTableAssociation( self, "rtb_public_c_association", route_table_id=self.rtb_public_a.ref, subnet_id=self.public_subnet_c.ref ) ec2.CfnSubnetRouteTableAssociation( self, "rtb_public_d_association", route_table_id=self.rtb_public_a.ref, subnet_id=self.public_subnet_d.ref ) ec2.CfnRoute( self, "route_public_a", route_table_id=self.rtb_public_a.ref, destination_cidr_block="0.0.0.0/0", gateway_id=igw.ref ) # RouteTable of PublicSubnetC # rtb_public_c = ec2.CfnRouteTable( # self, "rtb_public_c", # vpc_id=vpc.ref, # tags=[ # core.CfnTag(key="Name", value=name("rtb_public_c")) # ] # ) # ec2.CfnSubnetRouteTableAssociation( # self, "rtb_public_c_association", # route_table_id=rtb_public_c.ref, # subnet_id=public_subnet_c.ref # ) # ec2.CfnRoute( # self, "route_public_c", # route_table_id=rtb_public_c.ref, # destination_cidr_block="0.0.0.0/0", # gateway_id=igw.ref # ) ami_id = ec2.AmazonLinuxImage(generation = ec2.AmazonLinuxGeneration.AMAZON_LINUX_2).get_image(self).image_id security_group = ec2.SecurityGroup( self, id='InstanceSecurityGroupwww', vpc=self.vpc, security_group_name='stg-'+prefix+'www' ) security_group.add_ingress_rule( peer=ec2.Peer.ipv4('0.0.0.0/0'), connection=ec2.Port.tcp(22), ) security_group.add_ingress_rule( peer=ec2.Peer.ipv4('0.0.0.0/0'), connection=ec2.Port.tcp(80), ) EC2InstanceStgWeb = ec2.CfnInstance(self, "EC2InstanceStgWeb", image_id = ami_id, instance_type = "t3a.micro", monitoring = False, key_name = "stg-intrinio-www01", security_group_ids=[security_group.security_group_id], block_device_mappings = [{ "deviceName": "/dev/xvda", "ebs": { "volumeSize": 10, # "volumeType": "io1", # "iops": 150, # "deleteOnTermination": True } } ], tags = [ { "key": "Name", "value": 'stg'+prefix+'www01' } ], network_interfaces = [{ "deviceIndex": "0", "associatePublicIpAddress": True, "subnetId": self.public_subnet_a.ref, # "groupSet": [web_sg.security_group_id] }], #https: //github.com/aws/aws-cdk/issues/3419 ) # RdsSecurityGroup RdsStgSecurityGroup = ec2.CfnSecurityGroup(self, "RdsStgSecurityGroup", group_name = 'stg-'+prefix+'db01', group_description = 'stg-'+prefix+'db01', vpc_id = self.vpc.ref, security_group_ingress = [ { "ipProtocol" : "tcp", "fromPort" : 3306, "toPort" : 3306, "cidrIp" : "0.0.0.0/0" } ], security_group_egress = [ { "ipProtocol" : "tcp", "fromPort" : 0, "toPort" : 65535, "cidrIp" : "0.0.0.0/0" } ], ) # MyDBSubnetGroup rds_subnet_group = rds.CfnDBSubnetGroup(self, "DBSubnetGroup", db_subnet_group_description = "DBSubnetGroup", subnet_ids = [ self.public_subnet_a.ref, self.public_subnet_c.ref, self.public_subnet_d.ref ] ) DBParameterGroupStg = rds.CfnDBParameterGroup(self, "DBParameterGroupStg", description = "", family = "", parameters = [{'character_set_client': utf8,}] ) rds_params = { 'db_instance_identifier': "stg-test-db01", 'engine': "mysql", 'engine_version': '5.6.39', 'db_instance_class': 'db.t3.micro', 'allocated_storage': '5', 'storage_type': 'gp2', 'db_name': "test", 'master_username': "******", 'master_user_password': "******", 'db_subnet_group_name' : rds_subnet_group.ref, 'publicly_accessible': False, 'multi_az': False, 'preferred_backup_window': "18:00-18:30", 'PreferredMaintenanceWindow': "sat:19:00-sat:19:30", 'auto_minor_version_upgrade': False, 'db_parameter_group_name': DBParameterGroupStg, 'vpc_security_groups': [RdsStgSecurityGroup.ref], 'copy_tags_to_snapshot': True, 'backup_retention_period': 7, 'enable_performance_insights': True, 'delete_automated_backups': True, 'deletion_protection': False, 'availability_zone': self.public_subnet_a.ref, # 'storage_encrypted': False, } self.rds = rds.CfnDBInstance(self, 'staff-rds', **rds_params) core.CfnOutput(self, "Output", value=self.vpc.ref)
def __init__(self, scope: core.Construct, construct_id: str, **kwargs) -> None: super().__init__(scope, construct_id, **kwargs) # Create an empty VPC # If you don't specify any other resources EXCEPT the VPC, there's a standard template applied vpc = ec2.Vpc( self, id="MyVPC", nat_gateways=0, cidr="192.168.0.0/20", max_azs=1, subnet_configuration=[], ) # A couple of subnets app_subnet = ec2.CfnSubnet( self, id="Application", vpc_id=vpc.vpc_id, availability_zone="eu-central-1a", cidr_block="192.168.1.0/24", map_public_ip_on_launch=False, tags=[core.CfnTag(key="Name", value="Application")]) web_subnet = ec2.CfnSubnet( self, id="Webhost", vpc_id=vpc.vpc_id, availability_zone="eu-central-1b", cidr_block="192.168.2.0/24", map_public_ip_on_launch=True, tags=[core.CfnTag(key="Name", value="WebHost")]) # A couple of route tables private_rt = ec2.CfnRouteTable( self, id="Private_RT", vpc_id=vpc.vpc_id, tags=[core.CfnTag(key="Name", value="Private_RT")]) public_rt = ec2.CfnRouteTable( self, id="Public_RT", vpc_id=vpc.vpc_id, tags=[core.CfnTag(key="Name", value="Public_RT")]) # How to associate a subnet with a route table ec2.CfnSubnetRouteTableAssociation(self, id="WebHostRTAssoc", subnet_id=web_subnet.ref, route_table_id=public_rt.ref) ec2.CfnSubnetRouteTableAssociation(self, id="ApplicationRTAssoc", subnet_id=app_subnet.ref, route_table_id=private_rt.ref) # A gateway (Internet Gateway in this case) igw = ec2.CfnInternetGateway( self, id="MyIGW", tags=[core.CfnTag(key="Name", value="IGW")]) # How to associate a gateway to a VPC (IGW in this case - for VGW use vpn_gateway_id=blablabla) ec2.CfnVPCGatewayAttachment(self, id="IGW_Assoc", vpc_id=vpc.vpc_id, internet_gateway_id=igw.ref) # Elastic IP eip_01 = ec2.CfnEIP(self, id="EIP01") # NAT gateway ngw = ec2.CfnNatGateway(self, id="NAT_GW", allocation_id=eip_01.attr_allocation_id, subnet_id=web_subnet.ref, tags=[core.CfnTag(key="Name", value="NAT_GW")]) ngw.add_depends_on(eip_01) # Add a route to a route table default_route_public = ec2.CfnRoute(self, id="DefaultRoutePublic", route_table_id=public_rt.ref, destination_cidr_block="0.0.0.0/0", gateway_id=igw.ref) default_route_public.add_depends_on(igw) default_route_private = ec2.CfnRoute( self, id="DefaultRouteprivate", route_table_id=private_rt.ref, destination_cidr_block="0.0.0.0/0", nat_gateway_id=ngw.ref) default_route_private.add_depends_on(ngw) ### Security Groups ### # PUBLIC SUBNET SG sg_public = ec2.CfnSecurityGroup( self, id="SG_PUBLIC", group_description="SG for the Public Subnet", group_name="SG_PUBLIC", vpc_id=vpc.vpc_id, tags=[core.CfnTag(key="Name", value="SG_Public")]) my_home_ip = requests.get("https://api.my-ip.io/ip.json").json()['ip'] ports_pub = {'tcp': [22, 80], 'icmp': [-1]} for protocl, ports_list in ports_pub.items(): for port in ports_list: ec2.CfnSecurityGroupIngress( self, id=f"sg_pub_in_{protocl}_{port}", group_id=sg_public.attr_group_id, ip_protocol=protocl, cidr_ip=f"{my_home_ip}/32", to_port=port, from_port=port, description=f"{protocl.upper()} {port} from home IP") # SG INGRESS ENTRIES - ICMP - EXAMPLE # sg_in_icmp = ec2.CfnSecurityGroupIngress(self, id="SG_PUB_IN_ICMP", # group_id=sg_public.attr_group_id, # ip_protocol = "icmp", # cidr_ip = f"{my_home_ip}/32", # to_port = -1, # from_port = -1, # description = "ICMP FROM HOME") # SG EGRESS ENTRIES - AUTO-IMPLIED IF NOT CONFIGURED # sg_out_all = ec2.CfnSecurityGroupEgress(self, id="SG_PUB_OUT_ALL", # group_id=sg_public.attr_group_id, # ip_protocol="-1", # cidr_ip="0.0.0.0/0") # PRIVATE SUBNET SG sg_private = ec2.CfnSecurityGroup( self, id="SG_PRIVATE", group_description="SG for the Private Subnet", group_name="SG_PRIVATE", vpc_id=vpc.vpc_id, tags=[core.CfnTag(key="Name", value="SG_Private")]) sg_private.add_depends_on(sg_public) ports_priv = {'tcp': [22, 21, 53, 3368, 80], 'icmp': [-1]} for protocl, ports_list in ports_priv.items(): for port in ports_list: ec2.CfnSecurityGroupIngress( self, id=f"sg_priv_in_{protocl}_{port}", group_id=sg_private.attr_group_id, description= f"{protocl.upper()}:{port} from the public subnet only", ip_protocol=protocl, from_port=port, to_port=port, source_security_group_id=sg_public.ref) ### EC2 Instances ### # Generate some user data _ WIP # user_data = ec2.UserData.custom # One in the public subnet webserver01 = ec2.CfnInstance( self, id="WebServer01", image_id="ami-0de9f803fcac87f46", instance_type="t2.micro", subnet_id=web_subnet.ref, key_name="proton_mail_kp", security_group_ids=[sg_public.ref], tags=[core.CfnTag(key="Name", value="WebServer01")]) appserver01 = ec2.CfnInstance( self, id="AppServer01", image_id="ami-0de9f803fcac87f46", instance_type="t2.micro", subnet_id=app_subnet.ref, key_name="proton_mail_kp", security_group_ids=[sg_private.ref], tags=[core.CfnTag(key="Name", value="AppServer01")])
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: super().__init__(scope, id, **kwargs) # Exercise 9 db_password_parameters = core.CfnParameter( self, "DBPassword", no_echo=True, description="New account and RDS password", min_length=1, max_length=41, constraint_description= "the password must be between 1 and 41 characters", default="DBPassword") # DBSecurityGroup: db_security_group = ec2.CfnSecurityGroup( self, "DBSecurityGroup", group_description="DB traffic", vpc_id=core.Fn.import_value("VPC"), security_group_ingress=[{ "ipProtocol": "tcp", "fromPort": 3306, "toPort": 3306, "sourceSecurityGroupId": core.Fn.import_value("WebSecurityGroupOutput"), }, { "ipProtocol": "tcp", "fromPort": 3306, "toPort": 3306, "sourceSecurityGroupId": core.Fn.import_value("EdxProjectCloud9Sg"), }, { "ipProtocol": "tcp", "fromPort": 3306, "toPort": 3306, "sourceSecurityGroupId": core.Fn.import_value("LambdaSecurityGroupOutput"), }], security_group_egress=[{ "ipProtocol": "tcp", "fromPort": 0, "toPort": 65535, "cidrIp": "0.0.0.0/0" }], ) # MyDBSubnetGroup my_db_subnet_group = rds.CfnDBSubnetGroup( self, "DBSubnetGroup", db_subnet_group_description="MyDBSubnetGroup", subnet_ids=[ core.Fn.import_value("PrivateSubnet1"), core.Fn.import_value("PrivateSubnet2") ]) # RDSCluster rds_cluster = rds.CfnDBCluster( self, "RDSCluster", db_cluster_identifier="edx-photos-db", database_name="Photos", master_username="******", master_user_password=db_password_parameters.value_as_string, engine_mode="serverless", scaling_configuration={ "autoPause": True, "maxCapacity": 4, "minCapacity": 2 }, engine="aurora", db_subnet_group_name=my_db_subnet_group.ref, vpc_security_group_ids=[db_security_group.ref]) rds_cluster.apply_removal_policy(core.RemovalPolicy.DESTROY) # Output core.CfnOutput(self, "MyDBEndpoint", value=rds_cluster.attr_endpoint_address, description="MyDB Endpoint", export_name="MyDBEndpoint")
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: super().__init__(scope, id, **kwargs) #create S3 access role for ec2 ec2Role = iam.Role( self, "ec2role", assumed_by=iam.ServicePrincipal("ec2.amazonaws.com"), managed_policies=[ iam.ManagedPolicy.from_aws_managed_policy_name("AmazonS3ReadOnlyAccess") ] ) instanceProfile = iam.CfnInstanceProfile( self, "ec2Profile", roles=[ec2Role.role_name], instance_profile_name="aws-cdk-handson-ec2Profile", ) #create new VPC for lab02 vpc= ec2.Vpc(self,id="aws-cdk-handson-vpc",cidr="172.30.0.0/16",nat_gateways=0, subnet_configuration=[ { "cidrMask": 24,"name": "subnet-1-", "subnetType": ec2.SubnetType.PUBLIC }, { "cidrMask": 24,"name": "subnet-2-", "subnetType": ec2.SubnetType.PUBLIC }, { "cidrMask": 24,"name": "subnet-3-", "subnetType": ec2.SubnetType.PUBLIC }, ]) #create new Security Group sg = ec2.CfnSecurityGroup( self, "ec2securitygroup", group_description="this is aws-cdk-handson workshop", group_name="ec2securitygroup", security_group_ingress=[ { "ipProtocol": "tcp", "fromPort": 80, "toPort": 80, "cidrIp": "0.0.0.0/0", }, { "ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "cidrIp": "0.0.0.0/0", }, ], vpc_id=vpc.vpc_id ) #create Elastic Network Interface eni0 = ec2.CfnNetworkInterface( self, "eni-" + str(1), subnet_id=vpc.public_subnets[0].subnet_id, #group_set=["sg-08cddeaeec7392eb2"] group_set=[sg.attr_group_id] ) #read and base64 encode userdata file data = open("httpd.sh", "rb").read() encodedBytes = base64.encodebytes(data) encodedStr = str(encodedBytes, "utf-8") #create ec2 instances ami=ec2.AmazonLinuxImage(generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2) instance = ec2.CfnInstance( self, "ec2-httpd-" + str(1), image_id=ami.get_image(self).image_id, #use Amazon Linux 2 AMI instance_type="t2.micro", key_name="wsu-ap-northeast-1", network_interfaces=[ { "deviceIndex": "0", "networkInterfaceId": eni0.ref } ], tags=[core.CfnTag(key="Name", value="aws-cdk-handson-ec2")], iam_instance_profile=instanceProfile.ref, user_data=encodedStr ) #associate EIP with the instance eip = ec2.CfnEIP(self, "eip-" + str(1)) ec2.CfnEIPAssociation(self, "eip-ass-i" + str(1), allocation_id=eip.attr_allocation_id, network_interface_id=eni0.ref) #Export PublicIP and PublicDNSName core.CfnOutput(self,"PublicIP",export_name="PublicIP",value=instance.attr_public_ip) core.CfnOutput(self,"PublicDNSName",export_name="PublicDNSName",value=instance.attr_public_dns_name)