def __create_iam_role(self):
"""
Private helper method to create IAM role for AWS Config
"""
# use default region for provider since IAM is a global resource
region = "us-gov-west-1" if "gov" in self.partition else "us-east-1"
AwsProvider(self,
f"iam-aws-{region}",
region=region,
profile=self.profile_name)
assume_role_policy = {
"Version":
"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"Service": ["config.amazonaws.com"]
},
"Action": ["sts:AssumeRole"],
}],
}
managed_policy_arn = (
f"arn:{self.partition}:iam::aws:policy/service-role/AWS_ConfigRole"
)
aws_config_role = IamRole(
self,
"aws_config_role",
name=f"{self.resource_prefix}-global-awsconfig-role",
path="/",
assume_role_policy=json.dumps(assume_role_policy),
managed_policy_arns=[managed_policy_arn],
)
print(f"IAM role for AWS Config was creted in region = {region} ")
return aws_config_role.arn
def __init__(self, scope: Construct, ns: str):
super().__init__(scope, ns)
AwsProvider(self, 'Aws', region='us-west-2')
my_vpc = Vpc(
self,
'MyVpc',
name='my-vpc',
cidr='10.0.0.0/16',
azs=['us-west-2a', 'us-west-2b', 'us-west-2c'],
private_subnets=['10.0.1.0/24', '10.0.2.0/24', '10.0.3.0/24'],
public_subnets=['10.0.101.0/24', '10.0.102.0/24', '10.0.103.0/24'],
enable_nat_gateway=True)
my_eks = Eks(self,
'MyEks',
cluster_name='my-eks',
subnets=Token().as_list(my_vpc.private_subnets_output),
vpc_id=Token().as_string(my_vpc.vpc_id_output),
manage_aws_auth=False,
cluster_version='1.17')
TerraformOutput(self,
'cluster_endpoint',
value=my_eks.cluster_endpoint_output)
TerraformOutput(self,
'create_user_arn',
value=DataAwsCallerIdentity(self, 'current').arn)
def __init__(self, scope: Construct, ns: str):
super().__init__(scope, ns)
AwsProvider(self, 'Aws', region='eu-central-1')
# bucketname = 'cdktest-wiwa'
# TerraformAwsModulesS3BucketAws(self, 'bucket', bucket = bucketname)
my_vpc = TerraformAwsModulesVpcAws(self,
id='vpc',
name="test-vpc",
cidr="10.0.0.0/16",
azs=["eu-central-1a"],
public_subnets=["10.0.101.0/24"])
newInstance = Instance(self,
'pythondemo',
ami="ami-0a02ee601d742e89f",
instance_type="t2.micro",
availability_zone="eu-central-1a",
associate_public_ip_address=True,
tags={"Name": "Python-Demo-updated"},
user_data=user_data,
subnet_id=my_vpc.public_subnets_output)
TerraformOutput(self,
'pythondemo_public_ip',
value=newInstance.public_ip)
def create_region_policy(self, policy_name, rules_file, region, remediate: bool):
"""
Create AWS Firewall Manager policy
region scope -> ALB, ApiGateway
remediate - if set True then auto remediate any noncompliant resources
"""
aws = AwsProvider(self, f"aws-fms-{region}",
region=region,
profile=self.profile_name,
alias = f"aws-{region}"
)
rules = self.__parse_rule(rules_file)
region_policy = FmsPolicy(self,f"fms-regionpolicy-{policy_name}",
name=policy_name,
exclude_resource_tags=False,
resource_type_list = [
"AWS::ElasticLoadBalancingV2::LoadBalancer",
"AWS::ApiGateway::Stage"
],
security_service_policy_data = [
FmsPolicySecurityServicePolicyData(
type="WAFV2",
managed_service_data = json.dumps(rules)
)
],
remediation_enabled=remediate,
provider = aws
)
region_policy.override_logical_id(f"fms-regionpolicy-{policy_name}")
def __init__(self, scope: Construct, ns: str):
super().__init__(scope, ns)
resourcedetails = parseresourceyaml()
print(" after readding from the yaml", resourcedetails)
print("resorce region is", resourcedetails["customerName"]["region"])
#AwsProvider(self, 'Aws', region='us-east-1')
AwsProvider(self,
'Aws',
region=resourcedetails["customerName"]["region"])
helloInstance = Instance(self,
'hello',
ami="ami-2757f631",
instance_type="t2.micro",
tags={
"Name": "Provisioned by Python",
"Creator": "CDKTF-Python"
})
Vpc(self,
'CustomVpc',
name='custom-vpc',
cidr='10.0.0.0/16',
azs=["us-east-1a", "us-east-1b"],
public_subnets=["10.0.1.0/24", "10.0.2.0/24"])
TerraformOutput(self, 'hello_public_ip', value=helloInstance.public_ip)
def __init__(self, scope: Construct, ns: str):
super().__init__(scope, ns)
AwsProvider(self, 'Aws', region='us-east-1')
# create EC2 instance
helloInstance = Instance(self,
'hello',
ami="ami-0742b4e673072066f",
instance_type="t2.micro",
tags={
"Name": "Provisioned by CDKTF",
"user": "******"
})
# create S3 bucket
bucket = S3Bucket(self, 'my_bucket', bucket="nathan.bekenov.labs")
# Outputs
public_ip = TerraformOutput(self,
'hello_public_ip',
value=helloInstance.public_ip)
bucket_name = TerraformOutput(self,
'hello_bucket_name',
value=bucket.bucket)
def __init__(self, scope: Construct, ns: str):
super().__init__(scope, ns)
AwsProvider(self, 'AWS', region='us-east-1')
Instance(self,
"Hello World From Terraform Class via Python",
ami="ami-2757f631",
instance_type="t2.micro")
def __init__(self, scope: Construct, ns: str):
super().__init__(scope, ns)
AwsProvider(self, 'Aws', region=AWS_REGION)
self.eks_cluster_vpc = self._eks_cluster_vpc()
self.eks_cluster = self._eks_cluster()
self.tf_outputs = self._tf_outputs()
def enable_awsconfig_in_region(
self,
region,
bucket_name,
include_global_resources,
create_role=True,
iam_role_arn=None,
topic_arn=None,
frequency="Six_Hours",
):
"""
Enables AWS config in specified region for a particular account
"""
aws_provider = AwsProvider(
self,
f"aws-{region}",
region=region,
profile=self.profile_name,
alias=f"aws-{region}",
)
if create_role:
iam_role_arn = self.__create_iam_role()
print(f"enabling AWS Config for region = {region} ...")
recorder = ConfigConfigurationRecorder(
self,
f"recorder-{region}",
role_arn=iam_role_arn,
recording_group=[
ConfigConfigurationRecorderRecordingGroup(
all_supported=True,
include_global_resource_types=include_global_resources,
)
],
provider=aws_provider,
)
delivery_channel = ConfigDeliveryChannel(
self,
f"delivery_channel-{region}",
s3_bucket_name=bucket_name,
snapshot_delivery_properties=[
ConfigDeliveryChannelSnapshotDeliveryProperties(
delivery_frequency=frequency)
],
sns_topic_arn=topic_arn,
depends_on=[recorder],
provider=aws_provider,
)
recorder_status = ConfigConfigurationRecorderStatus(
self,
f"recorder_status-{region}",
is_enabled=True,
name=recorder.name,
depends_on=[delivery_channel],
provider=aws_provider,
)
recorder_status.override_logical_id(f"recorder_status-{region}")
def __init__(self, scope: Construct, ns: str):
super().__init__(scope, ns)
AwsProvider(self, 'Aws', region='ap-northeast-2')
Vpc(self, 'CustomVpc',
name='custom-vpc',
cidr='10.10.0.0/16',
azs=["ap-northeast-1a", "ap-northeast-1c"],
public_subnets=["10.10.1.0/24", "10.10.2.0/24"]
)
def __init__(self, scope: Construct, ns: str):
super().__init__(scope, ns)
AwsProvider(self, 'Aws', region='us-west-1')
helloInstance = Instance(
self,
'hello',
ami="ami-031b673f443c2172c",
instance_type="t2.micro",
)
TerraformOutput(self, 'hello_public_ip', value=helloInstance.public_ip)
def __init__(self, scope: Construct, ns: str):
super().__init__(scope, ns)
AwsProvider(self, 'Aws', region='eu-central-1')
Vpc(self, 'CustomVpc',
name='custom-vpc',
cidr='10.0.0.0/16',
azs=["us-east-1a", "us-east-1b"],
public_subnets=["10.0.1.0/24", "10.0.2.0/24"]
)
SnsTopic(self, 'Topic', display_name='my-first-sns-topic')
def __init__(self, scope: Construct, ns: str):
super().__init__(scope, ns)
AwsProvider(self, 'Aws', region='us-east-1')
helloInstance = Instance(self, 'hello',
ami="ami-2757f631",
instance_type="t2.micro",
subnet_id= "subnet-0a9820d8725d1ca85"
)
TerraformOutput(self, 'hello_public_ip',
value=helloInstance.public_ip
)
def __init__(self, scope: Construct, ns: str):
super().__init__(scope, ns)
AwsProvider(self, 'Aws', region='eu-central-1')
Vpc(self, 'CustomVpc',
name='custom-vpc',
cidr='10.0.0.0/16',
azs=["us-east-1a", "us-east-1b"],
public_subnets=["10.0.1.0/24", "10.0.2.0/24"]
)
SnsTopic(self, 'Topic', display_name='my-first-sns-topic')
role = IamRole(self, 'Role', name='lambda-role', assume_role_policy='{}')
LambdaFunction(self, 'Lambda', function_name='my-first-lambda-function', role=role.arn, handler='index.handler', runtime='python3.6')
def __init__(self, scope: Construct, ns: str):
super().__init__(scope, ns)
AwsProvider(self, 'Aws', region='eu-central-1')
topic = SnsTopic(self, 'Topic', display_name='overwritten')
topic.add_override('display_name', 'my-first-sns-topic')
self.add_override('terraform.backend', {
'remote': {
'organization': 'test',
'workspaces': {
'name': 'test'
}
}
})
def __init__(self, scope: Construct, ns: str):
super().__init__(scope, ns)
# Defining my provider
AwsProvider(self, "AWS", region="us-west-2")
# Creating the ECS Cluster
ecs_cluster = EcsCluster(self,
"CftC",
name="ContainersFromTheCouchLive")
# Creating a task definition for the nginx service
task_definition = EcsTaskDefinition(
self,
"TaskDef",
container_definitions="""[
{
"name": "nginx",
"image": "nginx:latest",
"essential": true,
"portMappings": [
{
"containerPort": 80,
"hostPort": 80
}
]
}
]""",
family="cfclatest",
requires_compatibilities=["FARGATE"],
network_mode="awsvpc",
cpu="512",
memory="2048")
# Creating an ECS service
EcsService(self,
"NginxService",
cluster=ecs_cluster.id,
name="nginx-service-latest",
desired_count=1,
task_definition=task_definition.arn,
network_configuration=[
EcsServiceNetworkConfiguration(
subnets=['<REPLACE>', '<REPLACE>'],
assign_public_ip=True,
security_groups=['<REPLACE>'])
],
launch_type="FARGATE")
def __init__(self, scope: Construct, ns: str):
super().__init__(scope, ns)
# define resources here
awsProvider = AwsProvider(self, "Aws", region="ap-northeast-2")
vpcModule = TerraformHclModule(self, "VpcModule", source=".\\vpc")
ec2Module = TerraformHclModule(
self,
"Ec2Module",
source=".\\ec2",
variables={
"vpc_id": "${module.VpcModule.vpc_id}",
"pub_subnet_id": "${module.VpcModule.pub_subnet_id}",
"sg_id": "${module.VpcModule.sg_id}",
},
)
def __init__(self, scope=Construct, ns=str):
super().__init__(scope, ns)
user_id = DataAwsCallerIdentity(self, "userId")
AwsProvider(self, 'Aws', region=region)
role = IamRole(
self,
"basic_lambda_role",
description="Basic Lambda Execution Role",
name=f"{stack_prefix}lambda_role",
assume_role_policy=
'{"Version": "2012-10-17", "Statement": [{"Action": "sts:AssumeRole", "Principal": {"Service": "lambda.amazonaws.com"}, "Effect": "Allow", "Sid": ""}]}'
)
api = ApiGatewayRestApi(self, "api-gateway", name="rest-api")
resource = ApiGatewayResource(self,
f"api-gateway-resource",
rest_api_id=api.id,
parent_id=api.root_resource_id,
path_part="notes")
get_notes = add_gateway_method(self, "GET", "get_notes_handler", api,
resource, role.arn, user_id)
add_note = add_gateway_method(self, "POST", "add_note_handler", api,
resource, role.arn, user_id)
delete_note = add_gateway_method(self, "DELETE", "delete_note_handler",
api, resource, role.arn, user_id)
deployment = ApiGatewayDeployment(
self,
f"{stack_prefix}api-gateway-deployment",
rest_api_id=api.id,
stage_name="dev",
stage_description="Production Environment",
depends_on=get_notes + add_note + delete_note)
bucket_name = 'eladr-terraform-cdk-demo-bucket'
bucket = S3Bucket(self,
's3_bucket',
bucket=bucket_name,
force_destroy=True)
bucket.policy = f'{{"Version": "2012-10-17", "Statement": [{{"Action": "s3:*", "Resource" : "arn:aws:s3:::{bucket_name}/*", "Principal": {{"AWS": "{role.arn}"}}, "Effect": "Allow", "Sid": ""}}]}}'
TerraformOutput(self, "endpoint", value=f"{deployment.invoke_url}")
TerraformOutput(self, "bucket-arn", value=bucket.arn)
def __init__(self, scope: Construct, ns: str):
super().__init__(scope, ns)
# define resources here
instanceUserData = '#!/bin/bash\r\n' \
'echo "Hello, World From Python Form Terraform CDK " > index.html\r\n'\
'nohup busybox httpd -f -p 80 &\r\n'
AwsProvider(self, 'Aws', region='us-east-1')
ingress_allow = SecurityGroupIngress(cidr_blocks=['0.0.0.0/0'],
ipv6_cidr_blocks=[],
protocol='tcp',
from_port=80,
to_port=80,
description="Allow",
prefix_list_ids=[],
security_groups=[],
self_attribute=False)
egress_allow = SecurityGroupEgress(cidr_blocks=['0.0.0.0/0'],
ipv6_cidr_blocks=[],
protocol='-1',
from_port=0,
to_port=0,
prefix_list_ids=[],
security_groups=[],
self_attribute=False)
secGroup = SecurityGroup(self,
'web_server',
name="allow_web_traffic",
ingress=[ingress_allow],
egress=[egress_allow])
instance = Instance(
self,
"hello",
ami="ami-2757f631",
instance_type="t2.micro",
vpc_security_group_ids=[Token.as_string(secGroup.id)],
user_data=instanceUserData,
tags=["Name", "Terraform-CDK WebServer"])
TerraformOutput(self, 'public_dns', value=instance.public_dns)
def __init__(self, scope: Construct, ns: str):
super().__init__(scope, ns)
region = 'us-east-1'
AwsProvider(self, 'Aws', region=region)
allow = SecurityGroupIngress(cidr_blocks=['8.8.8.8/32'],
ipv6_cidr_blocks=[],
protocol='tcp',
from_port=5432,
to_port=5432,
description="Allow",
prefix_list_ids=[],
security_groups=[],
self_attribute=False)
sec_group_name = 'cdktf-sg-test'
vpc_id = 'your-vpc-id'
SecurityGroup(self, sec_group_name, vpc_id=vpc_id, ingress=[allow])
def __init__(self, scope: Construct, ns: str):
super().__init__(scope, ns)
config = ConfigParser()
config.read('bento.properties')
bentoProvider = AwsProvider(
self,
'Aws',
region=config[ns]['region'],
profile=config[ns]['profile'],
shared_credentials_file="/bento/creds/credentials")
bentoTags = json.loads(config[ns]['tags'])
# VPC
bentoVPC = vpc.VPCResources.createResources(self, ns, config,
bentoTags)
# IAM
bentoIAM = iam.IAMResources.createResources(self, ns, bentoTags)
# ECR
bentoECR = ecr.ECRResources.createResources(self, ns, bentoTags)
def __init__(self, scope: Construct, ns: str):
super().__init__(scope, ns)
# define resources here
AwsProvider(self, 'Aws', region='us-east-1')
# SNS Topic
BlogTopic = SnsTopic(self, 'Topic', display_name='panong-blog-cdktf')
# CloudWatch Alarm
CloudwatchMetricAlarm(self, 'PAnongBlogAlarm',
actions_enabled = True,
alarm_actions = [BlogTopic.arn],
alarm_name = 'panong-blog-cdktf',
comparison_operator = 'GreaterThanOrEqualToThreshold',
evaluation_periods = 1,
metric_name = 'VpcEventCount',
namespace = 'CloudTrailMetrics',
period = 300,
statistic = 'Sum',
threshold = 1,
treat_missing_data = 'notBreaching'
)
def __init__(self, scope: Construct, ns: str):
super().__init__(scope, ns)
AwsProvider(self, 'Aws', region='us-east-1')
tags = {
"CreateBy": "cdktf-samples-python",
"SampleFrom": "https://github.com/shazi7804/cdktf-samples-python"
}
armAmi = DataAwsAmi(self,
'amazon-arm-linux',
most_recent=True,
owners=["amazon"],
filter=[{
"name": "root-device-type",
"values": ["ebs"]
}, {
"name": "virtualization-type",
"values": ["hvm"]
}, {
"name":
"name",
"values":
["amzn2-ami-hvm-2.0.20200722.0-arm64*"]
}])
# define resources here
vpc = Vpc(self,
'vpc',
enable_dns_hostnames=True,
cidr_block='10.0.0.0/16',
tags=tags)
igw = InternetGateway(self,
'internetGateway',
vpc_id=Token().as_string(vpc.id),
tags=tags)
subnet = Subnet(self,
'subnet',
vpc_id=Token().as_string(vpc.id),
cidr_block="10.0.0.0/24",
availability_zone="us-east-1a",
map_public_ip_on_launch=True,
tags=tags)
routeTable = DefaultRouteTable(
self,
'routeTable',
default_route_table_id=Token().as_string(
vpc.default_route_table_id),
tags=tags)
route = Route(self,
'route',
route_table_id=Token().as_string(routeTable.id),
destination_cidr_block="0.0.0.0/0",
gateway_id=Token().as_string(igw.id))
# instance resources
sg = SecurityGroup(self,
'bastionSecurityGroup',
name="bastion-sg",
vpc_id=Token().as_string(vpc.id),
tags=tags)
sgInboundRule = SecurityGroupRule(self,
'bastionInbound',
type="ingress",
cidr_blocks=["0.0.0.0/0"],
from_port=22,
to_port=22,
protocol="ssh",
security_group_id=Token().as_string(
sg.id))
sgOutboundRule = SecurityGroupRule(self,
'bastionOutbound',
type="egress",
cidr_blocks=["0.0.0.0/0"],
from_port=0,
to_port=65535,
protocol="-1",
security_group_id=Token().as_string(
sg.id))
# reading JSON policy to create sts assuume role
with open('templates/ec2_assume_role_policy.json') as data:
sts_assume_policy = json.load(data)
role = IamRole(self,
'bastionRole',
assume_role_policy=str(
json.dumps(sts_assume_policy)))
# iterating through config to create policy attachment objects
manage_policies = {
"ssm": 'arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM',
"s3": 'arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess'
}
for policy, arn in manage_policies.items():
IamRolePolicyAttachment(self,
'bastion-{0}-attachment'.format(policy),
role=role.id,
policy_arn=arn)
instance_profile = IamInstanceProfile(self,
'instanceProfile',
role=role.id)
bastion = Instance(self,
'bastion',
ami=armAmi.id,
instance_type="t4g.nano",
subnet_id=Token().as_string(subnet.id),
vpc_security_group_ids=[Token().as_string(sg.id)],
iam_instance_profile=instance_profile.id,
tags=tags)
TerraformOutput(self, 'bastion_public_ip', value=bastion.public_ip)
def __init__(self, scope: Construct, ns: str, profile_name, partition):
super().__init__(scope, ns)
self.profile_name = profile_name if profile_name else "default"
region = "us-gov-west-1" if "gov" in partition else "us-east-1"
AwsProvider(self, f"aws-{region}", region=region, profile=profile_name)
