def create_subnets():
return [
ec2.Subnet(
'subnetA',
AvailabilityZone='us-east-1a',
CidrBlock=Ref('cidrSubnetA'),
MapPublicIpOnLaunch=True,
Tags=_tags(),
VpcId=Ref('vpc'),
),
ec2.SubnetRouteTableAssociation(
'subnetAToRouteTable',
RouteTableId=Ref('routeTable'),
SubnetId=Ref('subnetA'),
),
ec2.Subnet(
'subnetB',
AvailabilityZone='us-east-1b',
CidrBlock=Ref('cidrSubnetB'),
MapPublicIpOnLaunch=True,
Tags=_tags(),
VpcId=Ref('vpc'),
),
ec2.SubnetRouteTableAssociation(
'subnetBToRouteTable',
RouteTableId=Ref('routeTable'),
SubnetId=Ref('subnetB'),
),
]
def create_subnets(self):
self.default_azs = []
self.default_private_subnets = []
self.default_public_subnets = []
for num, availability_zone in enumerate(self.availability_zones):
public_subnet_name = '{}PublicSubnet'.format(
availability_zone.cfn_name)
public_subnet = self.create_resource(ec2.Subnet(
public_subnet_name,
VpcId=Ref(self.vpc),
CidrBlock=cidr_generator.next(),
AvailabilityZone=availability_zone.name,
Tags=self.get_tags(Name=public_subnet_name)),
output=public_subnet_name)
self.create_resource(
ec2.SubnetRouteTableAssociation(
'{}PublicRouteTableAssociation'.format(
public_subnet.title),
SubnetId=Ref(public_subnet),
RouteTableId=Ref(self.public_route_table)))
private_subnet_name = '{}PrivateSubnet'.format(
availability_zone.cfn_name)
private_subnet = self.create_resource(ec2.Subnet(
private_subnet_name,
VpcId=Ref(self.vpc),
CidrBlock=cidr_generator.next(),
AvailabilityZone=availability_zone.name,
Tags=self.get_tags(Name=private_subnet_name)),
output=private_subnet_name)
private_route_table_name = '{}PrivateRouteTable'.format(
availability_zone.cfn_name)
private_route_table = self.create_resource(
ec2.RouteTable(
private_route_table_name,
VpcId=Ref(self.vpc),
Tags=self.get_tags(Name=private_route_table_name)))
self.PRIVATE_ROUTE_TABLES.append(private_route_table)
self.create_resource(
ec2.SubnetRouteTableAssociation(
'{}PrivateSubnetRouteTableAssociation'.format(
private_subnet.title),
SubnetId=Ref(private_subnet),
RouteTableId=Ref(private_route_table)))
self.PUBLIC_SUBNETS.append(public_subnet)
self.PRIVATE_SUBNETS.append(private_subnet)
if availability_zone.name in self.get_input('AvailabilityZones'):
self.create_nat_gateway(availability_zone, public_subnet,
private_route_table)
self.default_azs.append(availability_zone.name)
self.default_private_subnets.append(private_subnet)
self.default_public_subnets.append(public_subnet)
def create_subnets(self, public_route_table):
self.default_azs = []
self.default_private_subnets = []
self.default_public_subnets = []
for num, availability_zone in enumerate(self.availability_zones):
public_subnet_name = '{}PublicSubnet'.format(
availability_zone.cfn_name) # NOQA
public_subnet = self.create_resource(
ec2.Subnet(public_subnet_name,
VpcId=Ref(self.vpc),
CidrBlock=next(self.public_subnet_cidr_ranges),
AvailabilityZone=availability_zone.name,
Tags=self.get_tags(Name=public_subnet_name)))
self.create_resource(
ec2.SubnetRouteTableAssociation(
'{}PublicRouteTableAssociation'.format(
public_subnet.title),
SubnetId=Ref(public_subnet),
RouteTableId=Ref(public_route_table)))
private_subnet_name = '{}PrivateSubnet'.format(
availability_zone.cfn_name) # NOQA
private_subnet = self.create_resource(
ec2.Subnet(private_subnet_name,
VpcId=Ref(self.vpc),
CidrBlock=next(self.private_subnet_cidr_ranges),
AvailabilityZone=availability_zone.name,
Tags=self.get_tags(Name=private_subnet_name)))
private_route_table_name = '{}PrivateRouteTable'.format(
availability_zone.cfn_name) # NOQA
private_route_table = self.create_resource(
ec2.RouteTable(
private_route_table_name,
VpcId=Ref(self.vpc),
Tags=self.get_tags(Name=private_route_table_name)))
self.create_resource(
ec2.SubnetRouteTableAssociation(
'{}PrivateSubnetRouteTableAssociation'.format(
private_subnet.title), # NOQA
SubnetId=Ref(private_subnet),
RouteTableId=Ref(private_route_table)))
if availability_zone.name in self.get_input(
'AvailabilityZones').split(','): # NOQA
self.create_nat(availability_zone, public_subnet,
private_route_table)
self.default_azs.append(availability_zone.name)
self.default_private_subnets.append(private_subnet)
self.default_public_subnets.append(public_subnet)
def resources(self, stack: Stack) -> list[AWSObject]:
"""Return resources associated with the construct."""
igw = ec2.InternetGateway(name_to_id(f"{self.name_prefix}-igw"))
attachement = ec2.VPCGatewayAttachment(
name_to_id(f"{self.name_prefix}-igw-attachement"),
InternetGatewayId=Ref(igw),
VpcId=Ref(self.vpc),
)
route = ec2.Route(
name_to_id(f"{self.name_prefix}-igw-route"),
RouteTableId=Ref(self.route_table),
DestinationCidrBlock="0.0.0.0/0",
GatewayId=Ref(igw),
)
result = [igw, attachement, route]
# If a new route table has to be created associate it with provided subnets
if self.add_route_table_to_stack:
result.append(self.route_table)
assert self.subnets is not None
result.extend([
ec2.SubnetRouteTableAssociation(
name_to_id(f"{self.name_prefix}-{num}"),
RouteTableId=Ref(self.route_table),
SubnetId=Ref(subnet),
)
for subnet, num in zip(self.subnets, range(len(self.subnets)))
])
return result
def route_table_assoc(self) -> ec2.SubnetRouteTableAssociation:
"""Return association of route table to this subnet."""
return ec2.SubnetRouteTableAssociation(
name_to_id(f"{self.name}RouteTableAssoc"),
RouteTableId=Ref(self.route_table),
SubnetId=Ref(self.subnet),
)
def s3_route_table_assoc(self) -> ec2.SubnetRouteTableAssociation:
"""Return route table association."""
return ec2.SubnetRouteTableAssociation(
name_to_id(f"{self.name}S3RouteTableAssoc"),
RouteTableId=Ref(self.s3_route_table),
SubnetId=Ref(self.subnet),
)
def createCouchbaseSubnetRouteTableAssociation(t, subnet, routetable):
couchbaseSubnetRouteTableAssociation = t.add_resource(ec2.SubnetRouteTableAssociation(
'SUBNETROUTETABLEASSOCATION',
RouteTableId=Ref(routetable),
SubnetId=Ref(subnet)
))
return couchbaseSubnetRouteTableAssociation
def route_subnet_association(self, t, subnetName, subnetId, routeTableId):
association = t.add_resource(
ec2.SubnetRouteTableAssociation(
'AssociateRt' + subnetName,
SubnetId=subnetId,
RouteTableId=routeTableId,
))
def resources(self, stack: Stack) -> list[AWSObject]:
"""Return resources associated with the construct."""
igw = ec2.InternetGateway(name_to_id(f"{self.name_prefix}-igw"))
attachement = ec2.VPCGatewayAttachment(
name_to_id(f"{self.name_prefix}-igw-attachement"),
InternetGatewayId=Ref(igw),
VpcId=Ref(self.vpc),
)
route_table = ec2.RouteTable(
name_to_id(f"{self.name_prefix}-igw-route-table"), VpcId=Ref(self.vpc)
)
route = ec2.Route(
name_to_id(f"{self.name_prefix}-igw-route"),
RouteTableId=Ref(route_table),
DestinationCidrBlock="0.0.0.0/0",
GatewayId=Ref(igw),
)
route_table_associations = (
ec2.SubnetRouteTableAssociation(
name_to_id(f"{self.name_prefix}-{num}"),
RouteTableId=Ref(route_table),
SubnetId=Ref(subnet),
)
for subnet, num in zip(self.subnets, range(len(self.subnets)))
)
return [igw, attachement, route_table, route, *route_table_associations]
def create_route_table(self):
t = self.template
self.route_table = t.add_resource(
ec2.RouteTable(
"RouteTable",
VpcId=self.vpc_id,
Tags=self.tags,
)
)
t.add_output(Output("RouteTableId", Value=self.route_table.Ref()))
self.route_table_assoc = t.add_resource(
ec2.SubnetRouteTableAssociation(
"SubnetRouteTableAssociation",
SubnetId=self.subnet.Ref(),
RouteTableId=self.route_table.Ref(),
)
)
t.add_output(
Output(
"SubnetRouteTableAssociationId",
Value=self.route_table_assoc.Ref()
)
)
def assign_subnet_route_table(self, subnet, route_table):
name = "%s%s" % (subnet, route_table.name)
a = ec2.SubnetRouteTableAssociation(
name, DeletionPolicy=self.deletion_policy)
a.SubnetId = Ref(subnet)
a.RouteTableId = Ref(route_table)
self._add_resource(a)
def add_subnet_db2_rta(self):
name, tags = self._name_tags('subnet_db2_rta')
self.subnet_db1_rta = self.t.add_resource(
ec2.SubnetRouteTableAssociation(
name,
SubnetId=Ref(self.subnet_db2),
RouteTableId=Ref(self.igw_route_table),
# Doesn't support: Tags=Tags(**tags),
))
def build_public_route_table_associations(public_subnets):
public_route_table_associations = [
ec2.SubnetRouteTableAssociation(name=public_subnet["Name"] +
"PublicRouteTableAssociation",
SubnetId=Ref(public_subnet["Name"]),
RouteTableId=Ref("PublicRouteTable"))
for public_subnet in public_subnets
if public_subnet["Type"] is "Public"
]
return public_route_table_associations
def create_route_table_associations(self):
# Accociate each az subnet to a route table
t = self.template
for name in self.subnets.keys():
for i in range(len(self.zones)):
if self.subnets[name]['net_type'] == 'public':
route_table_name = self.subnets[name]['route_table']
else:
route_table_name = self.subnets[name]['route_table'][i]
t.add_resource(
ec2.SubnetRouteTableAssociation(
'%sRouteTableAssociation%d' % (name, i),
SubnetId=Ref(self.subnets[name]['az_subnets'][i]),
RouteTableId=Ref(route_table_name)))
def create_routes(t, env, vpc_objects, subnet_config, subnet_mapping):
'''
Takes template t and vpc_objects to add routes and security_groups
'''
# Create Route Tables
vpc_objects['route_tables'] = {}
for tier in subnet_mapping['service_name_for_subnets'].keys():
for az in range(1, subnet_mapping['number_of_azs'] + 1):
rt_name = "{}{}{}RT".format(env.title(), tier.title(), az)
vpc_objects['route_tables'][rt_name] = t.add_resource(
ec2.RouteTable(rt_name,
VpcId=Ref(vpc_objects['vpc']),
Tags=Tags(Name=rt_name)))
#add route for IGW in DMZ route table
if tier == "dmz":
t.add_resource(
ec2.Route(
'{}{}{}IGW'.format(env.title(), tier.title(), az),
#DependsOn=Ref(vpc_objects['igw_attachment']),
GatewayId=Ref('InternetGateway'),
DestinationCidrBlock='0.0.0.0/0',
RouteTableId=Ref(
vpc_objects['route_tables'][rt_name])))
elif tier == "app" or tier == "internal":
t.add_resource(
ec2.Route(
'{}{}{}NAT'.format(env.title(), tier.title(), az),
#DependsOn=Ref(vpc_objects['igw_attachment']),
NatGatewayId=Ref('{}{}NatGW'.format(env.title(), az)),
DestinationCidrBlock='0.0.0.0/0',
RouteTableId=Ref(
vpc_objects['route_tables'][rt_name])))
for subid in subnet_config:
tier = subnet_config[subid]['tier'].lower()
az = subnet_config[subid]['az_number']
route_table_name = '{}{}{}RT'.format(env.title(), tier.title(), az)
#associate subnet with route table
t.add_resource(
ec2.SubnetRouteTableAssociation(
'{}{}{}RTA'.format(route_table_name.title(), subid.title(),
az),
SubnetId=Ref(vpc_objects['subnets'][subid]),
RouteTableId=Ref(
vpc_objects['route_tables'][route_table_name])))
return t, vpc_objects
def add_natted_subnet_group(self,
cidr_block: str,
name_prefix: str,
no_of_subnets: int = 4):
"""Create private subnets behind NAT gateways
Creates a group of subnets, attaches the private network ACL and
the corresponding private route table depending on AZ
Args:
cidr_block (str): Will be split across AZs
name_prefix (str): Subnet name. AZ will be added at the end.
no_of_subnets (int, optional): How many subnets to set up.
Must be a power of 2. Defaults to 4.
Raises:
NotImplementedError: [description]
"""
for res in multiaz_subnets(
name_prefix=name_prefix,
cidr_block=cidr_block,
region=self.region,
no_of_subnets=no_of_subnets,
vpc=self.vpc,
network_acl=self.internal_nacl,
):
self._r[res.title] = res
if res.resource["Type"] == "AWS::EC2::Subnet":
subnet = res
route_found = False
for route_table in self.natted_route_tables:
if route_table.Metadata["az"] == subnet.Metadata["az"]:
self._r[
f"{subnet.title}RouteAssociation"] = t_ec2.SubnetRouteTableAssociation(
title=f"{subnet.title}RouteAssociation",
SubnetId=Ref(subnet),
RouteTableId=Ref(route_table),
)
route_found = True
break
if not route_found:
raise NotImplementedError(
f"Can't find NAT gateway in {subnet.Metadata['az']}")
def configure_vpc(cfn_template, cluster_name):
vpc = ec2.VPC("DustVPC")
vpc.CidrBlock = "10.0.0.0/16"
vpc.Tags = [ec2.Tag("Name:", cluster_name)]
cfn_template.add_resource(vpc)
vpc_id = Ref(vpc)
subnet = ec2.Subnet('dustSubnet')
subnet.VpcId = vpc_id
subnet.CidrBlock = "10.0.0.0/24"
cfn_template.add_resource(subnet)
vpc_subnet = Ref(subnet)
net_gateway = ec2.InternetGateway('dustGateway')
cfn_template.add_resource(net_gateway)
attach_net_gateway = ec2.VPCGatewayAttachment('dustAttachGateway')
attach_net_gateway.VpcId = vpc_id
attach_net_gateway.InternetGatewayId = Ref(net_gateway)
cfn_template.add_resource(attach_net_gateway)
route_table = ec2.RouteTable('dustRoutetable')
route_table.VpcId = vpc_id
cfn_template.add_resource(route_table)
route = ec2.Route('dustRoute')
route.RouteTableId = Ref(route_table)
route.DestinationCidrBlock = "0.0.0.0/0"
route.GatewayId = Ref(net_gateway)
route.DependsOn = "dustAttachGateway"
cfn_template.add_resource(route)
attach_route = ec2.SubnetRouteTableAssociation('dustAttachRouteTable')
attach_route.SubnetId = vpc_subnet
attach_route.RouteTableId = Ref(route_table)
cfn_template.add_resource(attach_route)
return vpc_id, vpc_subnet
def gen_public_subnet_az(self, az_index, cidr_block):
name = f"PublicSubnet{az_index}"
subnet = ec2.Subnet(
name,
VpcId=Ref(self.vpc),
CidrBlock=cidr_block,
AvailabilityZone=Select(str(az_index), GetAZs(Ref("AWS::Region"))),
)
self.template.add_resource(subnet)
self.export_value(Ref(subnet), name)
route_table_association = ec2.SubnetRouteTableAssociation(
f"{name}RouteTableAssociation",
SubnetId=Ref(subnet),
RouteTableId=Ref(self.public_route_table),
)
self.template.add_resource(route_table_association)
network_acl_association = ec2.SubnetNetworkAclAssociation(
f"{name}NetworkAclAssociation",
SubnetId=Ref(subnet),
NetworkAclId=Ref(self.network_acl),
)
self.template.add_resource(network_acl_association)
private_route_table = t.add_resource(
ec2.RouteTable(
'PrivateRouteTable',
VpcId=Ref(vpc),
))
public_route_table = t.add_resource(
ec2.RouteTable(
'PublicRouteTable',
VpcId=Ref(vpc),
))
public_route_association = t.add_resource(
ec2.SubnetRouteTableAssociation(
'PublicRouteAssociation',
SubnetId=Ref(public_net),
RouteTableId=Ref(public_route_table),
))
default_public_route = t.add_resource(
ec2.Route(
'PublicDefaultRoute',
RouteTableId=Ref(public_route_table),
DestinationCidrBlock='0.0.0.0/0',
GatewayId=Ref(igw),
))
private_route_association = t.add_resource(
ec2.SubnetRouteTableAssociation(
'PrivateRouteAssociation',
SubnetId=Ref(private_net),
def create_network(self):
t = self.template
variables = self.get_variables()
self.create_gateway()
t.add_resource(ec2.NetworkAcl('DefaultACL', VpcId=VPC_ID))
self.create_nat_security_groups()
subnets = {'public': [], 'private': []}
net_types = subnets.keys()
zones = []
for i in range(variables["AZCount"]):
az = Select(i, GetAZs(""))
zones.append(az)
name_suffix = i
for net_type in net_types:
name_prefix = net_type.capitalize()
subnet_name = "%sSubnet%s" % (name_prefix, name_suffix)
subnets[net_type].append(subnet_name)
t.add_resource(
ec2.Subnet(subnet_name,
AvailabilityZone=az,
VpcId=VPC_ID,
DependsOn=GW_ATTACH,
CidrBlock=variables.get("%sSubnets" %
name_prefix)[i],
Tags=Tags(type=net_type)))
route_table_name = "%sRouteTable%s" % (name_prefix,
name_suffix)
t.add_resource(
ec2.RouteTable(route_table_name,
VpcId=VPC_ID,
Tags=[ec2.Tag('type', net_type)]))
t.add_resource(
ec2.SubnetRouteTableAssociation(
"%sRouteTableAssociation%s" %
(name_prefix, name_suffix),
SubnetId=Ref(subnet_name),
RouteTableId=Ref(route_table_name)))
route_name = '%sRoute%s' % (name_prefix, name_suffix)
if net_type == 'public':
# the public subnets are where the NAT instances live,
# so their default route needs to go to the AWS
# Internet Gateway
t.add_resource(
ec2.Route(route_name,
RouteTableId=Ref(route_table_name),
DestinationCidrBlock="0.0.0.0/0",
GatewayId=Ref(GATEWAY)))
self.create_nat_instance(i, subnet_name)
else:
# Private subnets are where actual instances will live
# so their gateway needs to be through the nat instances
route = ec2.Route(
route_name,
RouteTableId=Ref(route_table_name),
DestinationCidrBlock='0.0.0.0/0',
)
if variables["UseNatGateway"]:
route.NatGatewayId = Ref(NAT_GATEWAY_NAME %
name_suffix)
else:
route.InstanceId = Ref(NAT_INSTANCE_NAME % name_suffix)
t.add_resource(route)
for net_type in net_types:
t.add_output(
Output("%sSubnets" % net_type.capitalize(),
Value=Join(",", [Ref(sn) for sn in subnets[net_type]])))
for i, sn in enumerate(subnets[net_type]):
t.add_output(
Output("%sSubnet%d" % (net_type.capitalize(), i),
Value=Ref(sn)))
self.template.add_output(
Output("AvailabilityZones", Value=Join(",", zones)))
for i, az in enumerate(zones):
t.add_output(Output("AvailabilityZone%d" % (i), Value=az))
def __init__(self):
super(VPC, self).__init__()
self.vpc = ec2.VPC(
"VPC",
CidrBlock="172.1.0.0/16",
InstanceTenancy="default",
EnableDnsSupport=True,
EnableDnsHostnames=True,
Tags=Tags(Name=Ref("AWS::StackName")),
)
self.internet_gateway = ec2.InternetGateway(
"InternetGateway",
Tags=Tags(Name=Join(
"", [Ref("AWS::StackName"), "-internet-gateway"]), ),
)
self.internet_gateway_attachment = ec2.VPCGatewayAttachment(
"InternetGatewayAttachment",
InternetGatewayId=Ref(self.internet_gateway),
VpcId=Ref(self.vpc),
)
self.public_route_table = ec2.RouteTable(
"PublicRouteTable",
VpcId=Ref(self.vpc),
Tags=Tags(Name=Join(
"-", [Ref("AWS::StackName"), "public-route-table"]), ),
)
self.private_route_table = ec2.RouteTable(
"PrivateRouteTable",
VpcId=Ref(self.vpc),
Tags=Tags(Name=Join(
"-", [Ref("AWS::StackName"), "private-route-table"]), ),
)
self.vpc_s3_endpoint = ec2.VPCEndpoint(
"VPCS3Endpoint",
ServiceName=Join(
"",
["com.amazonaws.", Ref("AWS::Region"), ".s3"]),
VpcId=Ref(self.vpc),
RouteTableIds=[
Ref(self.public_route_table),
Ref(self.private_route_table)
],
)
self.route_to_internet = ec2.Route(
"RouteToInternet",
DestinationCidrBlock="0.0.0.0/0",
GatewayId=Ref(self.internet_gateway),
RouteTableId=Ref(self.public_route_table),
DependsOn=self.internet_gateway_attachment.title,
)
# private subnets
self.private_subnet_1 = ec2.Subnet(
"PrivateSubnet1",
AvailabilityZone=Select(0, GetAZs()),
CidrBlock="172.1.1.0/24",
MapPublicIpOnLaunch=False,
Tags=Tags(Name=Join(
"", [Ref("AWS::StackName"), "-private-subnet-1"]), ),
VpcId=Ref(self.vpc),
)
self.private_subnet_1_route_table_association = ec2.SubnetRouteTableAssociation(
"PrivateSubnet1RouteTableAssociation",
RouteTableId=Ref(self.private_route_table),
SubnetId=Ref(self.private_subnet_1),
)
self.private_subnet_2 = ec2.Subnet(
"PrivateSubnet2",
AvailabilityZone=Select(1, GetAZs()),
CidrBlock="172.1.2.0/24",
MapPublicIpOnLaunch=False,
Tags=Tags(Name=Join(
"", [Ref("AWS::StackName"), "-private-subnet-2"]), ),
VpcId=Ref(self.vpc),
)
self.private_subnet_2_route_table_association = ec2.SubnetRouteTableAssociation(
"PrivateSubnet2RouteTableAssociation",
RouteTableId=Ref(self.private_route_table),
SubnetId=Ref(self.private_subnet_2),
)
self.private_network_aCL = ec2.NetworkAcl(
"PrivateNetworkACL",
VpcId=Ref(self.vpc),
Tags=Tags(Name=Join("",
[Ref("AWS::StackName"), "-private-nacl"]), ),
)
self.private_subnet_1_network_acl_association = ec2.SubnetNetworkAclAssociation(
"PrivateSubnet1NetworkAclAssociation",
SubnetId=Ref(self.private_subnet_1),
NetworkAclId=Ref(self.private_network_aCL),
)
self.private_subnet_2_network_acl_association = ec2.SubnetNetworkAclAssociation(
"PrivateSubnet2NetworkAclAssociation",
SubnetId=Ref(self.private_subnet_2),
NetworkAclId=Ref(self.private_network_aCL),
)
self.private_network_acl_entry_in = ec2.NetworkAclEntry(
"PrivateNetworkAclEntryIn",
CidrBlock="172.1.0.0/16",
Egress=False,
NetworkAclId=Ref(self.private_network_aCL),
Protocol=-1,
RuleAction="allow",
RuleNumber=200,
)
self.private_network_acl_entry_out = ec2.NetworkAclEntry(
"PrivateNetworkAclEntryOut",
CidrBlock="172.1.0.0/16",
Egress=True,
NetworkAclId=Ref(self.private_network_aCL),
Protocol=-1,
RuleAction="allow",
RuleNumber=200,
)
# public subnets
self.public_subnet_1 = ec2.Subnet(
"PublicSubnet1",
AvailabilityZone=Select(0, GetAZs()),
CidrBlock="172.1.128.0/24",
MapPublicIpOnLaunch=True,
Tags=Tags(Name=Join(
"", [Ref("AWS::StackName"), "-public-subnet-1"]), ),
VpcId=Ref(self.vpc),
)
self.public_subnet_1_route_table_association = ec2.SubnetRouteTableAssociation(
"PublicSubnet1RouteTableAssociation",
RouteTableId=Ref(self.public_route_table),
SubnetId=Ref(self.public_subnet_1),
)
self.public_subnet_2 = ec2.Subnet(
"PublicSubnet2",
AvailabilityZone=Select(1, GetAZs()),
CidrBlock="172.1.129.0/24",
MapPublicIpOnLaunch=True,
Tags=Tags(Name=Join(
"", [Ref("AWS::StackName"), "-public-subnet-2"]), ),
VpcId=Ref(self.vpc),
)
self.public_subnet_2_route_table_association = ec2.SubnetRouteTableAssociation(
"PublicSubnet2RouteTableAssociation",
RouteTableId=Ref(self.public_route_table),
SubnetId=Ref(self.public_subnet_2),
)
def create_vpc_template(template=None):
if not template:
template = Template()
template.add_description(
'AWS cloud formation script template.at creates a VPC with a NAT Gg'
)
template.add_version('2010-09-09')
vpc_cidr_block = template.add_parameter(
Parameter(
'VPCCIDR',
Default=vpc_config['cidr_block'],
Description='The IP address space for this VPC, in CIDR notation',
Type='String',
))
vpc = template.add_resource(
ec2.VPC('VPC',
CidrBlock=Ref(vpc_cidr_block),
Tags=Tags(vpc_config['tags'])))
igw = template.add_resource(ec2.InternetGateway('InternetGateway', ))
template.add_resource(
ec2.VPCGatewayAttachment(
"NatAttachment",
VpcId=Ref(vpc),
InternetGatewayId=Ref(igw),
))
template.add_output(Output('VPCId', Value=Ref(vpc), Description='VPC Id'))
public_security_group = template.add_resource(
ec2.SecurityGroup(
security_group_config['public']['name'],
GroupDescription='{} public security group'.format(
vpc_config['name']),
SecurityGroupIngress=[
ec2.SecurityGroupRule(IpProtocol='tcp',
ToPort=r['port'],
FromPort=r['port'],
CidrIp=r['cidr_block'])
for r in security_group_config['public']['ingress_rules']
],
VpcId=Ref(vpc),
Tags=Tags(
dict(Name='public {} security group'.format(
vpc_config['name']))),
))
template.add_output(
Output('PublicSecurityGroupId',
Value=Ref(public_security_group),
Description='Public Security Group Id'))
private_security_group = template.add_resource(
ec2.SecurityGroup(
security_group_config['private']['name'],
GroupDescription='{} private security group'.format(
vpc_config['name']),
SecurityGroupIngress=[
ec2.SecurityGroupRule(
IpProtocol='tcp',
ToPort=r['port'],
FromPort=r['port'],
SourceSecurityGroupId=Ref(public_security_group))
for r in security_group_config['private']['ingress_rules']
],
VpcId=Ref(vpc),
Tags=Tags(
dict(Name='private {} security group'.format(
vpc_config['name']))),
))
for i, sub_net in enumerate(sub_nets):
public_subnet = template.add_parameter(
Parameter(
'PublicSubnetCidr{}'.format(i),
Type='String',
Description='Public Subnet CIDR',
Default=sub_net['public_cidr'],
))
public_net = template.add_resource(
ec2.Subnet(
'PublicSubnet{}'.format(i),
AvailabilityZone=sub_net['region'],
CidrBlock=Ref(public_subnet),
MapPublicIpOnLaunch=False,
VpcId=Ref(vpc),
Tags=Tags(dict(Name='Public Subnet {}'.format(i))),
))
public_route_table = template.add_resource(
ec2.RouteTable(
'PublicRouteTable{}'.format(i),
VpcId=Ref(vpc),
))
template.add_resource(
ec2.SubnetRouteTableAssociation(
'PublicRouteAssociation{}'.format(i),
SubnetId=Ref(public_net),
RouteTableId=Ref(public_route_table),
))
template.add_resource(
ec2.Route(
'PublicDefaultRoute{}'.format(i),
RouteTableId=Ref(public_route_table),
DestinationCidrBlock='0.0.0.0/0',
GatewayId=Ref(igw),
))
template.add_output(
Output('PublicSubnet{}'.format(i),
Value=Ref(public_subnet),
Description='Subnet Id'))
if private_sub_net:
private_subnet = template.add_parameter(
Parameter(
'PrivateSubnetCidr{}'.format(i),
Type='String',
Description='Private Subnet CIDR',
Default=sub_net['private_cidr'],
))
private_net = template.add_resource(
ec2.Subnet(
'PrivateSubnet{}'.format(i),
CidrBlock=Ref(private_subnet),
MapPublicIpOnLaunch=False,
VpcId=Ref(vpc),
Tags=Tags(dict(Name='Private Subnet {}'.format(i))),
))
private_route_table = template.add_resource(
ec2.RouteTable(
'PrivateRouteTable{}'.format(i),
VpcId=Ref(vpc),
))
template.add_resource(
ec2.SubnetRouteTableAssociation(
'PrivateRouteAssociation{}'.format(i),
SubnetId=Ref(private_net),
RouteTableId=Ref(private_route_table),
))
template.add_output(
Output('PrivateSubnet{}'.format(i),
Value=Ref(private_subnet),
Description='Subnet Id'))
if nat_gateway and private_sub_net:
nat_eip = template.add_resource(
ec2.EIP(
'NatEip{}'.format(i),
Domain="vpc",
))
nat = template.add_resource(
ec2.NatGateway(
'Nat{}'.format(i),
AllocationId=GetAtt(nat_eip, 'AllocationId'),
SubnetId=Ref(public_net),
))
template.add_resource(
ec2.Route(
'NatRoute{}'.format(i),
RouteTableId=Ref(private_route_table),
DestinationCidrBlock='0.0.0.0/0',
NatGatewayId=Ref(nat),
))
template.add_output(
Output(
'NatEip{}'.format(i),
Value=Ref(nat_eip),
Description='Nat Elastic IP',
))
write_json_to_file('vpc.json', template)
def add_resources(self):
""" Add All Cloudformation Resources. This will include vpc, igw, and any other network
resources """
self.vpc = self.template.add_resource(
ec2.VPC(
"VPC",
CidrBlock=Ref(self.VpcCidr),
EnableDnsSupport=True,
Tags=self.base_tags +
Tags(Name=self.environment_parameters["ClientEnvironmentKey"] +
"-SS-VPC"),
))
self.PubSubnet1 = self.template.add_resource(
ec2.Subnet(
"PubSubnet1",
CidrBlock=Ref(self.PubSub1Cidr),
VpcId=Ref(self.vpc),
AvailabilityZone="us-east-1a",
Tags=self.base_tags +
Tags(Name=self.environment_parameters["ClientEnvironmentKey"] +
"-SS-PubSubnet1"),
))
self.PubSubnet2 = self.template.add_resource(
ec2.Subnet(
"PubSubnet2",
VpcId=Ref(self.vpc),
CidrBlock=Ref(self.PubSub2Cidr),
AvailabilityZone="us-east-1b",
Tags=self.base_tags +
Tags(Name=self.environment_parameters["ClientEnvironmentKey"] +
"-SS-PubSubnet2"),
))
self.PrivSubnet1 = self.template.add_resource(
ec2.Subnet(
"PrivSubnet1",
VpcId=Ref(self.vpc),
CidrBlock=Ref(self.PrivSub1Cidr),
AvailabilityZone="us-east-1a",
Tags=self.base_tags +
Tags(Name=self.environment_parameters["ClientEnvironmentKey"] +
"-SS-PrivSubnet1"),
))
self.PrivSubnet2 = self.template.add_resource(
ec2.Subnet(
"PrivSubnet2",
CidrBlock=Ref(self.PrivSub2Cidr),
VpcId=Ref(self.vpc),
AvailabilityZone="us-east-1b",
Tags=self.base_tags +
Tags(Name=self.environment_parameters["ClientEnvironmentKey"] +
"-SS-PrivSubnet2"),
))
self.IGW = self.template.add_resource(
ec2.InternetGateway(
"IGW",
Tags=self.base_tags +
Tags(Name=self.environment_parameters["ClientEnvironmentKey"] +
"-SS-IGW"),
))
self.IGWAttachment = self.template.add_resource(
ec2.VPCGatewayAttachment(
"IGWAttachment",
VpcId=Ref(self.vpc),
InternetGatewayId=Ref(self.IGW),
))
self.EIP1 = self.template.add_resource(ec2.EIP(
"EIP1",
Domain="vpc",
))
self.EIP2 = self.template.add_resource(ec2.EIP(
"EIP2",
Domain="vpc",
))
self.NAT1 = self.template.add_resource(
ec2.NatGateway(
"NAT",
AllocationId=GetAtt(self.EIP1, "AllocationId"),
SubnetId=Ref(self.PubSubnet1),
Tags=self.base_tags +
Tags(Name=self.environment_parameters["ClientEnvironmentKey"] +
"-SS-NAT1"),
))
self.NAT2 = self.template.add_resource(
ec2.NatGateway(
"NAT2",
AllocationId=GetAtt(self.EIP2, "AllocationId"),
SubnetId=Ref(self.PubSubnet2),
Tags=self.base_tags +
Tags(Name=self.environment_parameters["ClientEnvironmentKey"] +
"-SS-NAT2"),
))
self.PrivRT1 = self.template.add_resource(
ec2.RouteTable(
"PrivRT1",
VpcId=Ref(self.vpc),
Tags=self.base_tags +
Tags(Name=self.environment_parameters["ClientEnvironmentKey"] +
"-SS-PRIVRT1"),
))
self.PrivRT2 = self.template.add_resource(
ec2.RouteTable(
"PrivRT2",
VpcId=Ref(self.vpc),
Tags=self.base_tags +
Tags(Name=self.environment_parameters["ClientEnvironmentKey"] +
"-SS-PRIVRT2"),
))
self.NatRoute = self.template.add_resource(
ec2.Route(
"NatRoute",
RouteTableId=Ref(self.PrivRT1),
DestinationCidrBlock="0.0.0.0/0",
NatGatewayId=Ref(self.NAT1),
))
self.Nat2Route = self.template.add_resource(
ec2.Route(
"NatRoute2",
RouteTableId=Ref(self.PrivRT2),
DestinationCidrBlock="0.0.0.0/0",
NatGatewayId=Ref(self.NAT2),
))
self.PrivRT1Association = self.template.add_resource(
ec2.SubnetRouteTableAssociation(
"PrivRT1Association",
SubnetId=Ref(self.PrivSubnet1),
RouteTableId=Ref(self.PrivRT1),
))
self.PrivRT2Association = self.template.add_resource(
ec2.SubnetRouteTableAssociation(
"PrivRT2Association",
SubnetId=Ref(self.PrivSubnet2),
RouteTableId=Ref(self.PrivRT2),
))
self.PubRT1 = self.template.add_resource(
ec2.RouteTable(
"PubRT1",
VpcId=Ref(self.vpc),
Tags=self.base_tags +
Tags(Name=self.environment_parameters["ClientEnvironmentKey"] +
"-SS-PUBRT1"),
))
self.PubRT2 = self.template.add_resource(
ec2.RouteTable(
"PubRT2",
VpcId=Ref(self.vpc),
Tags=self.base_tags +
Tags(Name=self.environment_parameters["ClientEnvironmentKey"] +
"-SS-PUBRT2"),
))
self.PubRT1IGWattachment = self.template.add_resource(
ec2.Route(
"PubRT1IGWAttachment",
DependsOn=["IGWAttachment"],
RouteTableId=Ref(self.PubRT1),
DestinationCidrBlock="0.0.0.0/0",
GatewayId=Ref(self.IGW),
))
self.PubRT2IGWattachment = self.template.add_resource(
ec2.Route(
"PubRT2IGWAttachment",
DependsOn=["IGWAttachment"],
RouteTableId=Ref(self.PubRT2),
DestinationCidrBlock="0.0.0.0/0",
GatewayId=Ref(self.IGW),
))
self.PubRT1Association = self.template.add_resource(
ec2.SubnetRouteTableAssociation(
"PubRT1Associate",
SubnetId=Ref(self.PubSubnet1),
RouteTableId=Ref(self.PubRT1),
))
self.PubRT2Asocation = self.template.add_resource(
ec2.SubnetRouteTableAssociation(
"PubR2Associate",
SubnetId=Ref(self.PubSubnet2),
RouteTableId=Ref(self.PubRT2),
))
def sg_subnet_vpc(self, template, provision_refs):
ref_stack_id = Ref('AWS::StackId')
if 'aws_vpc_id' in self.app.config['provision']:
vpc = self.app.config['provision']['aws_vpc_id']
use_subnet = self.app.config['provision']['aws_subnet_id']
use_subnet2 = self.app.config['provision']['aws_subnet2_id']
use_sg = self.app.config['provision']['aws_sg_id']
use_alb_sg = self.app.config['provision']['alb_sg_id']
self.app.log.info(
'Using your AWS subnet, make sure the routes and ports are configured correctly'
)
else:
vpc = Ref(
template.add_resource(
ec2.VPC('VPC',
CidrBlock='10.0.0.0/16',
Tags=Tags(Application=ref_stack_id))))
internet_gateway = template.add_resource(
ec2.InternetGateway('InternetGateway',
Tags=Tags(Application=ref_stack_id)))
template.add_resource(
ec2.VPCGatewayAttachment(
'AttachGateway',
VpcId=vpc,
InternetGatewayId=Ref(internet_gateway)))
route_table = template.add_resource(
ec2.RouteTable('RouteTable',
VpcId=vpc,
Tags=Tags(Application=ref_stack_id)))
subnet = template.add_resource(
ec2.Subnet('Subnet',
CidrBlock='10.0.0.0/24',
VpcId=vpc,
AvailabilityZone=Select(0, GetAZs("")),
Tags=Tags(Application=ref_stack_id)))
subnet2 = template.add_resource(
ec2.Subnet('Subnet2',
CidrBlock='10.0.1.0/24',
VpcId=vpc,
AvailabilityZone=Select(1, GetAZs("")),
Tags=Tags(Application=ref_stack_id)))
template.add_resource(
ec2.Route(
'Route',
DependsOn='AttachGateway',
GatewayId=Ref('InternetGateway'),
DestinationCidrBlock='0.0.0.0/0',
RouteTableId=Ref(route_table),
))
template.add_resource(
ec2.SubnetRouteTableAssociation(
'SubnetRouteTableAssociation',
SubnetId=Ref(subnet),
RouteTableId=Ref(route_table),
))
template.add_resource(
ec2.SubnetRouteTableAssociation(
'Subnet2RouteTableAssociation',
SubnetId=Ref(subnet2),
RouteTableId=Ref(route_table),
))
network_acl = template.add_resource(
ec2.NetworkAcl(
'NetworkAcl',
VpcId=vpc,
Tags=Tags(Application=ref_stack_id),
))
template.add_resource(
ec2.NetworkAclEntry(
'InboundSSHNetworkAclEntry',
NetworkAclId=Ref(network_acl),
RuleNumber='100',
Protocol='6',
PortRange=ec2.PortRange(From='22', To='22'),
Egress='false',
RuleAction='allow',
CidrBlock='0.0.0.0/0',
))
template.add_resource(
ec2.NetworkAclEntry(
'InboundResponsePortsNetworkAclEntry',
NetworkAclId=Ref(network_acl),
RuleNumber='101',
Protocol='6',
PortRange=ec2.PortRange(From='1024', To='65535'),
Egress='false',
RuleAction='allow',
CidrBlock='0.0.0.0/0',
))
template.add_resource(
ec2.NetworkAclEntry(
'InboundICMPNetworkAclEntry',
NetworkAclId=Ref(network_acl),
RuleNumber='102',
Protocol='1',
Icmp=ec2.ICMP(Code=-1, Type=-1),
Egress='false',
RuleAction='allow',
CidrBlock='0.0.0.0/0',
))
# Only used when Blockscout is deployed
template.add_resource(
ec2.NetworkAclEntry(
'InboundHttpsNetworkAclEntry',
NetworkAclId=Ref(network_acl),
RuleNumber='103',
Protocol='6',
PortRange=ec2.PortRange(From='443', To='443'),
Egress='false',
RuleAction='allow',
CidrBlock='0.0.0.0/0',
))
template.add_resource(
ec2.NetworkAclEntry(
'OutBoundHTTPNetworkAclEntry',
NetworkAclId=Ref(network_acl),
RuleNumber='100',
Protocol='6',
PortRange=ec2.PortRange(From='80', To='80'),
Egress='true',
RuleAction='allow',
CidrBlock='0.0.0.0/0',
))
template.add_resource(
ec2.NetworkAclEntry(
'OutBoundHTTPSNetworkAclEntry',
NetworkAclId=Ref(network_acl),
RuleNumber='101',
Protocol='6',
PortRange=ec2.PortRange(From='443', To='443'),
Egress='true',
RuleAction='allow',
CidrBlock='0.0.0.0/0',
))
template.add_resource(
ec2.NetworkAclEntry(
'OutBoundResponsePortsNetworkAclEntry',
NetworkAclId=Ref(network_acl),
RuleNumber='102',
Protocol='6',
PortRange=ec2.PortRange(From='1024', To='65535'),
Egress='true',
RuleAction='allow',
CidrBlock='0.0.0.0/0',
))
template.add_resource(
ec2.NetworkAclEntry(
'OutboundICMPNetworkAclEntry',
NetworkAclId=Ref(network_acl),
RuleNumber='103',
Protocol='1',
Icmp=ec2.ICMP(Code=-1, Type=-1),
Egress='true',
RuleAction='allow',
CidrBlock='0.0.0.0/0',
))
template.add_resource(
ec2.SubnetNetworkAclAssociation(
'SubnetNetworkAclAssociation',
SubnetId=Ref(subnet),
NetworkAclId=Ref(network_acl),
))
template.add_resource(
ec2.SubnetNetworkAclAssociation(
'Subnet2NetworkAclAssociation',
SubnetId=Ref(subnet2),
NetworkAclId=Ref(network_acl),
))
use_subnet = Ref(subnet)
use_subnet2 = Ref(subnet2)
alb_security_group = template.add_resource(
ec2.SecurityGroup(
'ALBSecurityGroup',
GroupDescription=
'ALB allows traffic from public, is used to terminate SSL',
SecurityGroupIngress=[
ec2.SecurityGroupRule(IpProtocol='tcp',
FromPort='46658',
ToPort='46658',
CidrIp='0.0.0.0/0'),
],
VpcId=vpc,
))
use_alb_sg = Ref(alb_security_group)
instance_security_group = template.add_resource(
ec2.SecurityGroup(
'InstanceSecurityGroup',
GroupDescription='Enable tendermint and SSH for all nodes',
SecurityGroupIngress=[
ec2.SecurityGroupRule(IpProtocol='tcp',
FromPort='22',
ToPort='22',
CidrIp='0.0.0.0/0'),
ec2.SecurityGroupRule(IpProtocol='tcp',
FromPort='46656',
ToPort='46656',
CidrIp='0.0.0.0/0'),
ec2.SecurityGroupRule(IpProtocol='tcp',
FromPort='46658',
ToPort='46658',
CidrIp='0.0.0.0/0'),
ec2.SecurityGroupRule(IpProtocol='icmp',
FromPort='-1',
ToPort='-1',
CidrIp='0.0.0.0/0'),
],
VpcId=vpc,
))
use_sg = Ref(instance_security_group)
provision_refs.vpc = vpc
provision_refs.security_group_ec2 = use_sg
provision_refs.security_group_alb = use_alb_sg
provision_refs.subnets.append(use_subnet)
provision_refs.subnets.append(use_subnet2)
def dump_base_yaml(cfn_file):
template = Template()
vpc_cidr_param = template.add_parameter(
Parameter(
"vpcCidrParam",
Description="string of vpc cidr block to use",
Type="String",
))
subnet_cidr_param = template.add_parameter(
Parameter(
"subnetCidrParam",
Description="string of subnet cidr block to use",
Type="String",
))
igw = template.add_resource(
ec2.InternetGateway(
"Igw",
Tags=resource_tags,
))
vpc = template.add_resource(
ec2.VPC(
"Vpc",
CidrBlock=Ref(vpc_cidr_param),
EnableDnsSupport=True,
EnableDnsHostnames=True,
InstanceTenancy="default",
Tags=resource_tags,
))
igwa = template.add_resource(
ec2.VPCGatewayAttachment(
"IgwA",
VpcId=Ref(vpc),
InternetGatewayId=Ref(igw),
))
route_tbl = template.add_resource(
ec2.RouteTable(
"RouteTable",
VpcId=Ref(vpc),
Tags=resource_tags,
))
default_route = template.add_resource(
ec2.Route("defaultRoute",
DestinationCidrBlock="0.0.0.0/0",
GatewayId=Ref(igw),
RouteTableId=Ref(route_tbl)))
subnet = template.add_resource(
ec2.Subnet(
"Subnet",
VpcId=Ref(vpc),
CidrBlock=Ref(subnet_cidr_param),
MapPublicIpOnLaunch=True,
AvailabilityZone=Select(0, GetAZs()),
Tags=resource_tags,
))
route_tbl_asoc = template.add_resource(
ec2.SubnetRouteTableAssociation("RouteTblSubnetAsoc",
RouteTableId=Ref(route_tbl),
SubnetId=Ref(subnet)))
priv_route_tbl = template.add_resource(
ec2.RouteTable(
"PrivRouteTable",
VpcId=Ref(vpc),
Tags=resource_tags,
))
priv_subnet = template.add_resource(
ec2.Subnet(
"PrivSubnet",
VpcId=Ref(vpc),
CidrBlock="10.10.1.0/24",
MapPublicIpOnLaunch=False,
AvailabilityZone=Select(0, GetAZs()),
Tags=resource_tags,
))
route_tbl_asoc = template.add_resource(
ec2.SubnetRouteTableAssociation("RouteTblPrivSubnetAsoc",
RouteTableId=Ref(priv_route_tbl),
SubnetId=Ref(priv_subnet)))
ngw_elastic_ip = template.add_resource(
ec2.EIP(
"MyNgwEip",
Tags=resource_tags,
))
nat_gateway = template.add_resource(
ec2.NatGateway(
"MyNatGateway",
AllocationId=GetAtt(ngw_elastic_ip, "AllocationId"),
SubnetId=Ref(subnet),
))
private_out_route = template.add_resource(
ec2.Route("privateOutRoute",
DestinationCidrBlock="0.0.0.0/0",
NatGatewayId=Ref(nat_gateway),
RouteTableId=Ref(priv_route_tbl)))
template.add_output([
Output(
"VpcId",
Description="InstanceId of the newly created EC2 instance",
Value=Ref(vpc),
Export=Export("VpcId-jdix"),
),
Output(
"SubnetId",
Description="InstanceId of the newly created EC2 instance",
Value=Ref(subnet),
Export=Export("SubnetId-jdix"),
),
Output(
"PrivSubnetId",
Description="InstanceId of the newly created EC2 instance",
Value=Ref(priv_subnet),
Export=Export("PrivSubnetId-jdix"),
),
])
template_out_yaml(cfn_file, template)
def add_resource(self):
t = self.template
self.PublicRouteTable = t.add_resource(ec2.RouteTable(
"PublicRouteTable",
VpcId=Ref("VPC"),
Tags=Tags(
Application=Ref("AWS::StackName"),
Network="Public",
Environment=Ref(self.Environment),
Name=Join("-", ["RT-PU-1", Ref(self.Project)]),
),
))
self.GatewayToInternet = t.add_resource(ec2.VPCGatewayAttachment(
"GatewayToInternet",
VpcId=Ref("VPC"),
InternetGatewayId=Ref("InternetGateway"),
))
self.PubSubnet1 = t.add_resource(ec2.Subnet(
"PubSubnet1",
Tags=Tags(
Application=Ref("AWS::StackName"),
Environment=Ref(self.Environment),
Network="Public",
Name=Join("-", ["NT-PU-1", Ref(self.Project)]),
),
VpcId=Ref("VPC"),
CidrBlock=Ref(self.PublicSubnet1),
AvailabilityZone=Ref(self.AvailabilityZone1),
MapPublicIpOnLaunch=True,
))
self.PubSubnet2 = t.add_resource(ec2.Subnet(
"PubSubnet2",
Tags=Tags(
Application=Ref("AWS::StackName"),
Environment=Ref(self.Environment),
Network="Public",
Name=Join("-", ["NT-PU-2", Ref(self.Project)]),
),
VpcId=Ref("VPC"),
CidrBlock=Ref(self.PublicSubnet2),
AvailabilityZone=Ref(self.AvailabilityZone2),
MapPublicIpOnLaunch=True,
))
self.PriSubnet2 = t.add_resource(ec2.Subnet(
"PriSubnet2",
Tags=Tags(
Application=Ref("AWS::StackName"),
Environment=Ref(self.Environment),
Network="Private",
Name=Join("-", ["NT-PR-2", Ref(self.Project)]),
),
VpcId=Ref("VPC"),
CidrBlock=Ref(self.PrivateSubnet2),
AvailabilityZone=Ref(self.AvailabilityZone2),
))
self.PriSubnet1 = t.add_resource(ec2.Subnet(
"PriSubnet1",
Tags=Tags(
Application=Ref("AWS::StackName"),
Environment=Ref(self.Environment),
Network="Private",
Name=Join("-", ["NT-PR-1", Ref(self.Project)]),
),
VpcId=Ref("VPC"),
CidrBlock=Ref(self.PrivateSubnet1),
AvailabilityZone=Ref(self.AvailabilityZone1),
))
self.PrivateRouteTable2 = t.add_resource(ec2.RouteTable(
"PrivateRouteTable2",
VpcId=Ref("VPC"),
Tags=Tags(
Application=Ref("AWS::StackName"),
Environment=Ref(self.Environment),
Network="Private",
Name=Join("-", ["RT-PR-2", Ref(self.Project)]),
),
))
self.PublicRoute = t.add_resource(ec2.Route(
"PublicRoute",
GatewayId=Ref("InternetGateway"),
DestinationCidrBlock="0.0.0.0/0",
RouteTableId=Ref(self.PublicRouteTable),
))
self.PrivateRouteTable1 = t.add_resource(ec2.RouteTable(
"PrivateRouteTable1",
VpcId=Ref("VPC"),
Tags=Tags(
Application=Ref("AWS::StackName"),
Environment=Ref(self.Environment),
Network="Private",
Name=Join("-", ["RT-PR-1", Ref(self.Project)]),
),
))
self.PriSubnet2RTAssoc = t.add_resource(ec2.SubnetRouteTableAssociation(
"PriSubnet2RTAssoc",
SubnetId=Ref(self.PriSubnet2),
RouteTableId=Ref(self.PrivateRouteTable2),
))
self.InternetGateway = t.add_resource(ec2.InternetGateway(
"InternetGateway",
Tags=Tags(
Application=Ref("AWS::StackName"),
Environment=Ref(self.Environment),
Network="Public",
Name=Join("-", ["IGW", Ref(self.Project)]),
),
))
self.VPC = t.add_resource(ec2.VPC(
"VPC",
CidrBlock=Ref(self.VpcCidr),
EnableDnsSupport=True,
EnableDnsHostnames=True,
Tags=Tags(
Name=Join("-", ["VPC", Ref(self.Project)]),
Environment=Ref(self.Environment),
Application=Ref("AWS::StackName"),
),
))
self.PubSubnet2RTAssoc = t.add_resource(ec2.SubnetRouteTableAssociation(
"PubSubnet2RTAssoc",
SubnetId=Ref(self.PubSubnet2),
RouteTableId=Ref(self.PublicRouteTable),
))
self.PubSubnet1RTAssoc = t.add_resource(ec2.SubnetRouteTableAssociation(
"PubSubnet1RTAssoc",
SubnetId=Ref(self.PubSubnet1),
RouteTableId=Ref(self.PublicRouteTable),
))
self.PriSubnet1RTAssoc = t.add_resource(ec2.SubnetRouteTableAssociation(
"PriSubnet1RTAssoc",
SubnetId=Ref(self.PriSubnet1),
RouteTableId=Ref(self.PrivateRouteTable1),
))
),
],
VpcId=Ref(VPC),
))
PublicRoute = t.add_resource(ec2.Route(
"PublicRoute",
GatewayId=Ref(InternetGateway),
DestinationCidrBlock="0.0.0.0/0",
RouteTableId=Ref(PublicRouteTable),
DependsOn="AttachGateway",
))
PublicSubnetRouteTableAssociation = t.add_resource(ec2.SubnetRouteTableAssociation(
"PublicSubnetRouteTableAssociation",
SubnetId=Ref(PublicSubnet),
RouteTableId=Ref(PublicRouteTable),
))
AmbariSecurityGroup = t.add_resource(ec2.SecurityGroup(
"AmbariSecurityGroup",
SecurityGroupIngress=[
ec2.SecurityGroupRule(
ToPort="-1", IpProtocol="icmp", CidrIp=FindInMap("SubnetConfig", "Public", "CIDR"), FromPort="-1"
),
ec2.SecurityGroupRule(
ToPort="65535", IpProtocol="tcp", CidrIp=FindInMap("SubnetConfig", "Public", "CIDR"), FromPort="0"
),
ec2.SecurityGroupRule(
ToPort="65535", IpProtocol="tcp", CidrIp=Ref(OpenLocation), FromPort="0"
),
def dump_base_yaml(cfn_file):
template = Template()
vpc_cidr_param = template.add_parameter(
Parameter(
"vpcCidrParam",
Description="string of vpc cidr block to use",
Type="String",
))
subnet_cidr_param = template.add_parameter(
Parameter(
"subnetCidrParam",
Description="string of subnet cidr block to use",
Type="String",
))
igw = template.add_resource(
ec2.InternetGateway(
"Igw",
Tags=resource_tags,
))
vpc = template.add_resource(
ec2.VPC(
"Vpc",
CidrBlock=Ref(vpc_cidr_param),
EnableDnsSupport=True,
EnableDnsHostnames=True,
InstanceTenancy="default",
Tags=resource_tags,
))
igwa = template.add_resource(
ec2.VPCGatewayAttachment(
"IgwA",
VpcId=Ref(vpc),
InternetGatewayId=Ref(igw),
))
route_tbl = template.add_resource(
ec2.RouteTable(
"RouteTable",
VpcId=Ref(vpc),
Tags=resource_tags,
))
default_route = template.add_resource(
ec2.Route("defaultRoute",
DestinationCidrBlock="0.0.0.0/0",
GatewayId=Ref(igw),
RouteTableId=Ref(route_tbl)))
subnet = template.add_resource(
ec2.Subnet(
"Subnet",
VpcId=Ref(vpc),
CidrBlock=Ref(subnet_cidr_param),
MapPublicIpOnLaunch=True,
AvailabilityZone=Select(0, GetAZs()),
Tags=resource_tags,
))
route_tbl_asoc = template.add_resource(
ec2.SubnetRouteTableAssociation("RouteTblSubnetAsoc",
RouteTableId=Ref(route_tbl),
SubnetId=Ref(subnet)))
priv_route_tbl = template.add_resource(
ec2.RouteTable(
"PrivRouteTable",
VpcId=Ref(vpc),
Tags=resource_tags,
))
priv_subnet = template.add_resource(
ec2.Subnet(
"PrivSubnet",
VpcId=Ref(vpc),
CidrBlock="10.10.1.0/24",
MapPublicIpOnLaunch=False,
AvailabilityZone=Select(0, GetAZs()),
Tags=resource_tags,
))
route_tbl_asoc = template.add_resource(
ec2.SubnetRouteTableAssociation("RouteTblPrivSubnetAsoc",
RouteTableId=Ref(priv_route_tbl),
SubnetId=Ref(priv_subnet)))
ngw_elastic_ip = template.add_resource(
ec2.EIP(
"MyNgwEip",
Tags=resource_tags,
))
nat_gateway = template.add_resource(
ec2.NatGateway(
"MyNatGateway",
AllocationId=GetAtt(ngw_elastic_ip, "AllocationId"),
SubnetId=Ref(subnet),
))
private_out_route = template.add_resource(
ec2.Route("privateOutRoute",
DestinationCidrBlock="0.0.0.0/0",
NatGatewayId=Ref(nat_gateway),
RouteTableId=Ref(priv_route_tbl)))
first_network_acl = template.add_resource(
ec2.NetworkAcl(
"MyFirstNetAcl",
Tags=resource_tags,
VpcId=Ref(vpc),
))
network_out_second_acl_entry = template.add_resource(
ec2.NetworkAclEntry(
"MyPrivOutNetAclEntry",
NetworkAclId=Ref(first_network_acl),
CidrBlock="0.0.0.0/0",
Protocol=-1,
Egress=True,
RuleAction="allow",
RuleNumber=100,
))
network_inbound_acl_entry = template.add_resource(
ec2.NetworkAclEntry("MyInNetAclEntry",
NetworkAclId=Ref(first_network_acl),
CidrBlock="74.77.86.69/32",
Protocol=6,
RuleAction="allow",
RuleNumber=100,
PortRange=ec2.PortRange(From=22, To=22)))
private_to_public_client_ports_acl_entry = template.add_resource(
ec2.NetworkAclEntry("MyPriv2PubClientPortsNetAclEntry",
NetworkAclId=Ref(first_network_acl),
CidrBlock="10.10.1.0/24",
Protocol=6,
RuleAction="allow",
RuleNumber=101,
PortRange=ec2.PortRange(From=1024, To=65535)))
public_to_internet_client_ports_acl_entry = template.add_resource(
ec2.NetworkAclEntry("MyPub2DefaultClientPortsNetAclEntry",
NetworkAclId=Ref(first_network_acl),
CidrBlock="0.0.0.0/0",
Protocol=6,
RuleAction="allow",
RuleNumber=102,
PortRange=ec2.PortRange(From=1024, To=65535)))
public_to_private_icmpv4_acl_entry = template.add_resource(
ec2.NetworkAclEntry("MyPubIcmpv4NetAclEntry",
NetworkAclId=Ref(first_network_acl),
CidrBlock="10.10.1.0/24",
Protocol=1,
Icmp=ec2.ICMP(Code=-1, Type=-1),
RuleAction="allow",
RuleNumber=103))
second_network_acl = template.add_resource(
ec2.NetworkAcl(
"MySecondNetAcl",
Tags=resource_tags,
VpcId=Ref(vpc),
))
network_out_second_acl_entry = template.add_resource(
ec2.NetworkAclEntry("MyPriv2InternetClientPortsNetAclEntry",
NetworkAclId=Ref(second_network_acl),
CidrBlock="0.0.0.0/0",
Protocol=6,
RuleAction="allow",
RuleNumber=100,
PortRange=ec2.PortRange(From=1024, To=65535)))
public_to_private_ssh_acl_entry = template.add_resource(
ec2.NetworkAclEntry("MyPrivSshNetAclEntry",
NetworkAclId=Ref(second_network_acl),
CidrBlock="10.10.0.0/24",
Protocol=6,
RuleAction="allow",
RuleNumber=101,
PortRange=ec2.PortRange(From=22, To=22)))
public_to_private_http_acl_entry = template.add_resource(
ec2.NetworkAclEntry("MyPrivHttpNetAclEntry",
NetworkAclId=Ref(second_network_acl),
CidrBlock="10.10.0.0/24",
Protocol=6,
RuleAction="allow",
RuleNumber=102,
PortRange=ec2.PortRange(From=80, To=80)))
private_to_public_icmpv4_acl_entry = template.add_resource(
ec2.NetworkAclEntry("MyPrivIcmpv4NetAclEntry",
NetworkAclId=Ref(second_network_acl),
CidrBlock="10.10.0.0/24",
Protocol=1,
Icmp=ec2.ICMP(Code=-1, Type=-1),
RuleAction="allow",
RuleNumber=103))
network_out_second_acl_entry = template.add_resource(
ec2.NetworkAclEntry(
"MyPubOutNetAclEntry",
NetworkAclId=Ref(second_network_acl),
CidrBlock="0.0.0.0/0",
Protocol=-1,
Egress=True,
RuleAction="allow",
RuleNumber=100,
))
subnet_nacl_asociation = template.add_resource(
ec2.SubnetNetworkAclAssociation("subNaclAsoc",
NetworkAclId=Ref(first_network_acl),
SubnetId=Ref(subnet)))
priv_subnet_nacl_asociation = template.add_resource(
ec2.SubnetNetworkAclAssociation("privSubNaclAsoc",
NetworkAclId=Ref(second_network_acl),
SubnetId=Ref(priv_subnet)))
template.add_output([
Output(
"VpcId",
Description="InstanceId of the newly created EC2 instance",
Value=Ref(vpc),
Export=Export("VpcId-jdix"),
),
Output(
"SubnetId",
Description="InstanceId of the newly created EC2 instance",
Value=Ref(subnet),
Export=Export("SubnetId-jdix"),
),
Output(
"PrivSubnetId",
Description="InstanceId of the newly created EC2 instance",
Value=Ref(priv_subnet),
Export=Export("PrivSubnetId-jdix"),
),
])
template_out_yaml(cfn_file, template)
Path="/",
AssumeRolePolicyDocument={
"Statement": [{
"Action": ["sts:AssumeRole"],
"Effect": "Allow",
"Principal": {
"Service": ["ec2.amazonaws.com"]
}
}]
},
))
PublicSubnetRouteTableAssociation = t.add_resource(
ec2.SubnetRouteTableAssociation(
"PublicSubnetRouteTableAssociation",
SubnetId=Ref(PublicSubnet),
RouteTableId=Ref(PublicRouteTable),
))
S3RolePolicies = t.add_resource(
iam.PolicyType(
"S3RolePolicies",
PolicyName="s3access",
PolicyDocument={
"Statement": [{
"Action": "s3:*",
"Resource": "*",
"Effect": "Allow"
}]
},
Roles=[Ref(AmbariAccessRole),
def add_resources(self):
"""Add resources to template."""
template = self.template
variables = self.get_variables()
# Add StackName to outputs (for ease of reference by child stacks)
template.add_output(
Output('StackName',
Description='Name of this CloudFormation stack',
Value=Ref('AWS::StackName')))
vpc = template.add_resource(
ec2.VPC('VPC',
CidrBlock=variables['VpcCidr'].ref,
EnableDnsSupport=True,
EnableDnsHostnames=True,
InstanceTenancy=variables['VpcInstanceTenancy'].ref,
Tags=Tags(Application=Ref('AWS::StackName'),
Name=Join('-', [
variables['CustomerName'].ref, 'vpc',
variables['EnvironmentName'].ref
]),
Network='Public')))
template.add_output(
Output('VPC',
Description='VPC',
Export=Export(Sub('${AWS::StackName}-VPC')),
Value=Ref(vpc)))
template.add_output(
Output('CidrBlock',
Description='Set of IP addresses for the VPC',
Export=Export(Sub('${AWS::StackName}-CidrBlock')),
Value=GetAtt(vpc, 'CidrBlock')))
# Create subnets
for i in range(AZS):
for zone in ['Public', 'Private']:
template.add_resource(
ec2.Subnet(
'%sSubnet%s' % (zone[:3], str(i + 1)),
Condition='%sAZ%i' % (zone, (i + 1)),
VpcId=Ref(vpc),
AvailabilityZone=Select(str(i + variables['AzOffset']),
GetAZs('')),
CidrBlock=Ref('%sSubnet%s' % (zone, str(i + 1))),
Tags=Tags(
Application=Ref('AWS::StackName'),
Name=Join('-', [
variables['CustomerName'].ref,
zone.lower(), variables['EnvironmentName'].ref,
Select(str(i + variables['AzOffset']),
GetAZs(''))
]),
Network='%s - %s' % (zone, str(i + 1)))))
template.add_output(
Output('%sSubnet%s' % (zone[:3], str(i + 1)),
Condition='%sAZ%s' % (zone, str(i + 1)),
Description='%sSubnet%s' % (zone[:3], str(i + 1)),
Export=Export(
Sub('${AWS::StackName}-'
'%sSubnet%s' % (zone[:3], str(i + 1)))),
Value=Ref('%sSubnet%s' % (zone[:3], str(i + 1)))))
template.add_output(
Output(
'%sSubnet%sAZ' % (zone[:3], str(i + 1)),
Condition='%sAZ%s' % (zone, str(i + 1)),
Description='%sSubnet%s Availability Zone' %
(zone[:3], str(i + 1)), # noqa
Export=Export(
Sub('${AWS::StackName}-'
'%sSubnet%sAZ' % (zone[:3], str(i + 1)))),
Value=GetAtt('%sSubnet%s' % (zone[:3], str(i + 1)),
'AvailabilityZone')))
internetgateway = template.add_resource(
ec2.InternetGateway('InternetGateway',
Tags=Tags(
Application=Ref('AWS::StackName'),
Name=Join('-', [
variables['CustomerName'].ref, 'igw',
variables['EnvironmentName'].ref
]),
Network='Public')))
template.add_resource(
ec2.VPCGatewayAttachment(
'GatewayToInternet',
InternetGatewayId=Ref(internetgateway),
VpcId=Ref(vpc),
))
# Elastic IPs
for i in range(AZS):
template.add_resource(
ec2.EIP('NAT%iElasticIP' % (i + 1),
Condition='CreateNATGateway%i' % (i + 1),
Domain='vpc'))
template.add_output(
Output(
'NAT%iElasticIP' % (i + 1),
Condition='CreateNATGateway%i' % (i + 1),
Description='Elastic IP for NATs %i' % (i + 1),
Export=Export(
Sub('${AWS::StackName}-NAT%iElasticIP' % (i + 1))),
Value=Ref('NAT%iElasticIP' % (i + 1)),
))
# NAT Gateways
for i in range(AZS):
template.add_resource(
ec2.NatGateway('NATGateway%i' % (i + 1),
Condition='CreateNATGateway%i' % (i + 1),
AllocationId=GetAtt('NAT%iElasticIP' % (i + 1),
'AllocationId'),
SubnetId=Ref('PubSubnet%i' % (i + 1))))
# Route tables
publicroutetable = template.add_resource(
ec2.RouteTable(
'PublicRouteTable',
VpcId=Ref(vpc),
Tags=Tags(Application=Ref('AWS::StackName'),
Name=Join('-', [
variables['CustomerName'].ref, 'public-routes',
variables['EnvironmentName'].ref
]),
Network='Public')))
template.add_output(
Output(publicroutetable.title,
Description=publicroutetable.title,
Export=Export(
Sub('${AWS::StackName}-%s' % publicroutetable.title)),
Value=Ref(publicroutetable)))
for i in range(AZS):
template.add_resource(
ec2.RouteTable(
'PrivateRouteTable%i' % (i + 1),
Condition='PrivateAZ%i' % (i + 1),
VpcId=Ref(vpc),
Tags=Tags(
Application=Ref('AWS::StackName'),
Name=Join('-', [
variables['CustomerName'].ref, 'private-routes',
variables['EnvironmentName'].ref,
Select(str(i + variables['AzOffset']), GetAZs(''))
]),
Network='Private - %i' % (i + 1))))
template.add_output(
Output('PrivateRouteTable%i' % (i + 1),
Condition='PrivateAZ%i' % (i + 1),
Description='PrivateRouteTable%i' % (i + 1),
Export=Export(
Sub('${AWS::StackName}-'
'PrivateRouteTable%i' % (i + 1))),
Value=Ref('PrivateRouteTable%i' % (i + 1))))
# Routes & Route Table Associations
template.add_resource(
ec2.Route('PublicRoute',
DestinationCidrBlock='0.0.0.0/0',
GatewayId=Ref(internetgateway),
RouteTableId=Ref(publicroutetable)))
for i in range(AZS):
template.add_resource(
ec2.Route('PrivateRoute%i' % (i + 1),
Condition='CreateNATGateway%i' % (i + 1),
DestinationCidrBlock='0.0.0.0/0',
NatGatewayId=Ref('NATGateway%i' % (i + 1)),
RouteTableId=Ref('PrivateRouteTable%i' % (i + 1))))
template.add_resource(
ec2.SubnetRouteTableAssociation(
'PubSubnet%iRTAssoc' % (i + 1),
Condition='PublicAZ%i' % (i + 1),
RouteTableId=Ref(publicroutetable),
SubnetId=Ref('PubSubnet%i' % (i + 1))))
template.add_resource(
ec2.SubnetRouteTableAssociation(
'PriSubnet%iRTAssoc' % (i + 1),
Condition='PrivateAZ%i' % (i + 1),
RouteTableId=Ref('PrivateRouteTable%i' % (i + 1)),
SubnetId=Ref('PriSubnet%i' % (i + 1))))