def create_cache_cluster(stack, name, cache_type, vpc, cidrs, subnet_ids,
instance_type, num_cache_clusters):
"""Add Elasticache Cache cluster Resource."""
ports = {'redis': 6379, 'memcached': 11211}
ingress = []
for idx, cidr in enumerate(cidrs):
ingress.append(
SecurityGroupRule(
'{0}{1}{2}'.format(name.replace('-', ''), cache_type, idx),
CidrIp=cidr,
FromPort=ports[cache_type],
ToPort=ports[cache_type],
IpProtocol='tcp',
))
secgroup = stack.stack.add_resource(
SecurityGroup(
'{0}{1}SecurityGroup'.format(name.replace('-', ''), cache_type),
GroupDescription='{0} {1} Security Group'.format(name, cache_type),
SecurityGroupIngress=ingress,
SecurityGroupEgress=[
SecurityGroupRule('{0}egress'.format(name.replace('-', '')),
CidrIp='0.0.0.0/0',
IpProtocol='-1')
],
VpcId=vpc,
))
subnet_group = stack.stack.add_resource(
elasticache.SubnetGroup(
'{0}{1}cache'.format(name.replace('-', ''), cache_type),
Description='{0}{1} cache'.format(name, cache_type),
SubnetIds=subnet_ids,
))
if num_cache_clusters > 1:
stack.stack.add_resource(
elasticache.ReplicationGroup(
'{0}CacheCluster'.format(name.replace('-', '')),
ReplicationGroupId='{0}'.format(name),
ReplicationGroupDescription='{0}cluster'.format(name),
Engine='{0}'.format(cache_type),
EngineVersion='3.2.6',
CacheNodeType=instance_type,
NumCacheClusters=num_cache_clusters,
CacheSubnetGroupName=Ref(subnet_group),
SecurityGroupIds=[Ref(secgroup)],
AtRestEncryptionEnabled=True))
else:
stack.stack.add_resource(
elasticache.CacheCluster('{0}CacheCluster'.format(
name.replace('-', '')),
ClusterName='{0}'.format(name),
Engine='{0}'.format(cache_type),
EngineVersion='3.2.10',
CacheNodeType=instance_type,
NumCacheNodes=num_cache_clusters,
VpcSecurityGroupIds=[Ref(secgroup)],
CacheSubnetGroupName=Ref(subnet_group)))
def create_sg(t, vpc):
sglocal = t.add_resource(
SecurityGroup(
"VPCAccess",
GroupDescription="VPC Access Only",
SecurityGroupIngress=[
SecurityGroupRule(
IpProtocol='-1',
CidrIp=Join(
'',
[vpc["vpcenvcidr"], '.', vpc["service_id"], '.0/24']),
FromPort='-1',
ToPort='-1')
],
VpcId=vpc['vpc']))
sgtrusted = t.add_resource(
SecurityGroup(
"TrustedAccess",
GroupDescription="Access From Trusted Locations",
SecurityGroupIngress=[
# ECS Offices
SecurityGroupRule(IpProtocol='-1',
CidrIp=Join('', ['0.0.0.0/0']),
FromPort='-1',
ToPort='-1')
],
VpcId=vpc['vpc']))
output_sg = {}
output_sg["sgtrusted"] = GetAtt(sgtrusted, "GroupId")
output_sg["sglocal"] = GetAtt(sglocal, "GroupId")
return t, output_sg
def add_alb_secuirty_group(self):
'''
Add security group to load balancer
'''
self.cfn_template.add_resource(SecurityGroup(
title=constants.ALB_SG,
GroupDescription='Load balancer security group',
SecurityGroupIngress=[
SecurityGroupRule(
IpProtocol='tcp',
FromPort=int('8228'),
ToPort=int('8228'),
CidrIp=Ref('CIDRBLK'),
),
SecurityGroupRule(
IpProtocol='-1',
FromPort=int('-1'),
ToPort=int('-1'),
SourceSecurityGroupId=ImportValue(Sub('${Environment}-AppSecurityGroup')),
)
],
SecurityGroupEgress=[
SecurityGroupRule(
IpProtocol='-1',
CidrIp='0.0.0.0/0'
)
],
VpcId=ImportValue(Sub('${Environment}-${VpcId}'))
))
return self.cfn_template
def create_security_group(stack, name, rules=()):
"""Add EC2 Security Group Resource."""
ingress_rules = []
for rule in rules:
ingress_rules.append(
SecurityGroupRule(
'{0}'.format(rule['name']),
CidrIp=rule['cidr'],
FromPort=rule['from_port'],
ToPort=rule['to_port'],
IpProtocol=rule['protocol'],
))
return stack.stack.add_resource(
SecurityGroup(
'{0}SecurityGroup'.format(name),
GroupDescription='{0} Security Group'.format(name),
SecurityGroupIngress=ingress_rules,
SecurityGroupEgress=[
SecurityGroupRule('{0}egress'.format(name.replace('-', '')),
CidrIp='0.0.0.0/0',
IpProtocol='-1')
],
VpcId=Ref(stack.vpc),
))
def __init__(self,
env_name,
vpc_id,
name=None,
internal=False,
tg_salt=None):
self.env_name = env_name
self.vpc_id = vpc_id
if len(env_name) > 10:
raise ValidationException(
"env_name must be no more than 10 characters long")
self.template = Template()
self.subnet_ids = []
self.cert_ids = []
self.default_targets = []
self.http_redirect_targets = []
self.alt_listeners = []
self.target_paths = collections.defaultdict(TargetPath)
self._sticky = True
self._json = None
self._priority_cache = []
self._global_tags = []
self._alarm_topic = None
self.alarm_namespace = "AWS/ApplicationELB"
self._log_bucket = None
self._ecs_redirect = False
self.idle_timeout_seconds = 120
self._custom_elb_sgs = None
self._tg_salt = tg_salt
self._specified_elb_name = name
if name is None:
self._elb_name = Ref("AWS::StackName")
else:
self._elb_name = name
self._deletion_protection = False
if internal:
self._elb_scheme = "internal"
else:
self._elb_scheme = "internet-facing"
self._sg_rules = [
SecurityGroupRule(CidrIp="0.0.0.0/0",
IpProtocol="tcp",
FromPort=443,
ToPort=443),
SecurityGroupRule(CidrIp="0.0.0.0/0",
IpProtocol="tcp",
FromPort=80,
ToPort=80)
]
# The first call to allow() should clear the default _sg_rules,
# subsequent calls should not.
self._reset_sg_rules = True
def allow_cidr(self, *cidrs):
self.allow(*list(
SecurityGroupRule(
CidrIp=c, IpProtocol="tcp", FromPort=443, ToPort=443)
for c in cidrs))
self.allow(*list(
SecurityGroupRule(
CidrIp=c, IpProtocol="tcp", FromPort=80, ToPort=80)
for c in cidrs))
def test_noproperty(self):
t = SecurityGroupRule(
IpProtocol="tcp",
FromPort="22",
ToPort="22",
CidrIp="0.0.0.0/0",
)
d = t.to_dict()
with self.assertRaises(KeyError):
d["Properties"]
def test_noproperty(self):
t = SecurityGroupRule(
IpProtocol="tcp",
FromPort="22",
ToPort="22",
CidrIp="0.0.0.0/0",
)
d = t.to_dict()
with self.assertRaises(KeyError):
d['Properties']
def _add_autopush_security_group(self):
self.InternalRouterSG = self.add_resource(
SecurityGroup("AutopushInternalRouter",
GroupDescription="Internal Routing SG"))
self.EndpointSG = self.add_resource(
SecurityGroup(
"AutopushEndpointNode",
SecurityGroupIngress=[
allow_tcp(8082),
allow_tcp(22),
],
GroupDescription="Allow HTTP traffic to autoendpoint node",
))
self.ConnectionSG = self.add_resource(
SecurityGroup(
"AutopushConnectionNode",
SecurityGroupIngress=[
allow_tcp(8080),
allow_tcp(22),
SecurityGroupRule(IpProtocol="tcp",
FromPort=8081,
ToPort=8081,
SourceSecurityGroupName=Ref(
self.InternalRouterSG))
],
GroupDescription=("Allow Websocket traffic to autopush node")))
def test_noproperty(self):
t = SecurityGroupRule(
IpProtocol="tcp",
FromPort="22",
ToPort="22",
CidrIp="0.0.0.0/0",
)
d = json.loads(json.dumps(t, cls=awsencode))
with self.assertRaises(KeyError):
d['Properties']
def create_rules(self, rules):
ingress_rules = []
for rule in rules:
ingress_rule = 0
if 'source_security_group_id' in rule:
ingress_rule = SecurityGroupRule(
ToPort=rule['to_port'],
FromPort=rule['from_port'],
IpProtocol=rule['ip_protocol'],
SourceSecurityGroupId=rule['source_security_group_id'])
elif 'cidr_ip' in rule:
ingress_rule = SecurityGroupRule(
ToPort=rule['to_port'],
FromPort=rule['from_port'],
IpProtocol=rule['ip_protocol'],
CidrIp=rule['cidr_ip'])
ingress_rules.append(ingress_rule)
return ingress_rules
def add_app_secuirty_group(self):
'''
Add security group tfor all application
'''
self.cfn_template.add_resource(
SecurityGroup(title=constants.APP_SG,
GroupDescription=
'Allow communication between application servers',
SecurityGroupIngress=[
SecurityGroupRule(
IpProtocol='tcp',
FromPort=int('0'),
ToPort=int('65535'),
CidrIp=Ref('PublicSubnet1CIDRBlock'),
),
SecurityGroupRule(
IpProtocol='tcp',
FromPort=int('0'),
ToPort=int('65535'),
CidrIp=Ref('PrivateSubnet1CIDRBlock'),
),
SecurityGroupRule(
IpProtocol='tcp',
FromPort=int('0'),
ToPort=int('65535'),
CidrIp=Ref('PublicSubnet2CIDRBlock'),
),
SecurityGroupRule(
IpProtocol='tcp',
FromPort=int('0'),
ToPort=int('65535'),
CidrIp=Ref('PrivateSubnet2CIDRBlock'),
),
],
SecurityGroupEgress=[
SecurityGroupRule(IpProtocol='-1',
CidrIp='0.0.0.0/0')
],
VpcId=Ref(constants.VPC)))
return self.cfn_template
def test_security_group(self):
template = self._create_test_document()
SecurityGroup('sg',
template,
GroupDescription='test',
SecurityGroupEgress=[
SecurityGroupRule(IpProtocol='tcp',
FromPort=22,
ToPort=22,
CidrIp="0.0.0.0/0")
],
SecurityGroupIngress=[
SecurityGroupRule(IpProtocol='tcp',
FromPort=22,
ToPort=22,
CidrIp="0.0.0.0/0")
])
security_group = template.resources['sg']
for rule in security_group.properties['SecurityGroupEgress']:
self.assertIsInstance(rule, SecurityGroupRule)
for rule in security_group.properties['SecurityGroupIngress']:
self.assertIsInstance(rule, SecurityGroupRule)
def create_sg_ingress_rule(_type):
if _type.lower() not in ["ssh", "http", "https"]:
raise ValueError("Wrong key value given")
_sg_ingress_rule = SecurityGroupRule(
IpProtocol="tcp",
FromPort=SecurityGroupFunctions._sg_ingress[_type.lower()],
ToPort=SecurityGroupFunctions._sg_ingress[_type.lower()],
CidrIp=SecurityGroupFunctions._cidr_ip)
# print(_sg_ingress_rule)
return _sg_ingress_rule
def create_security_groups(self, vpc_param):
elb_sg = self.t.add_resource(
SecurityGroup(
"ElbSg",
GroupDescription=
"Allows inbound connection from from everywhere on port 80",
VpcId=Ref(vpc_param),
SecurityGroupIngress=[
SecurityGroupRule(
IpProtocol="tcp",
FromPort="80",
ToPort="80",
CidrIp="0.0.0.0/0",
)
]))
autoscaling_sg = self.t.add_resource(
SecurityGroup("AutoscalingSG",
GroupDescription=
"Allows inbound connection from elb sg on port 80",
VpcId=Ref(vpc_param),
SecurityGroupIngress=[
SecurityGroupRule(
IpProtocol="tcp",
FromPort="80",
ToPort="80",
SourceSecurityGroupId=Ref(elb_sg),
)
]))
self.t.add_resource(
SecurityGroupEgress("ELBegress",
DestinationSecurityGroupId=Ref(autoscaling_sg),
GroupId=Ref(elb_sg),
IpProtocol="-1",
FromPort="-1",
ToPort="-1"))
return elb_sg, autoscaling_sg
def add_security_groups(self):
t = self.template
self.asgSg = t.add_resource(
SecurityGroup(
'AsgSg',
VpcId=Ref(self.vpcIdParam),
GroupDescription='Security group for ASG.',
SecurityGroupIngress=[
SecurityGroupRule(ToPort='80',
FromPort='80',
IpProtocol='tcp',
SourceSecurityGroupId=Ref(self.elbSg)),
SecurityGroupRule(ToPort='22',
FromPort='22',
IpProtocol='tcp',
SourceSecurityGroupId=Ref(
self.vpnSgIdParam))
#TODO HTTPS
],
Tags=self.defaultTags +
[Tag('Name', Join("", [self.namePrefix, 'AsgSg']))]))
self.rdsSg = t.add_resource(
SecurityGroup('RdsSg',
VpcId=Ref(self.vpcIdParam),
GroupDescription='Security group for RDS.',
SecurityGroupIngress=[
SecurityGroupRule(ToPort='3306',
FromPort='3306',
IpProtocol='tcp',
SourceSecurityGroupId=Ref(
self.asgSg))
],
Tags=self.defaultTags +
[Tag('Name', Join("", [self.namePrefix, 'RdsSg']))]))
return 0
def add_security_group(self):
t = self.template
self.security_group = t.add_resource(
SecurityGroup(
"SecurityGroup",
GroupDescription="Security Group",
SecurityGroupIngress=[
SecurityGroupRule(IpProtocol="tcp",
FromPort="80",
ToPort="80",
CidrIp=Ref(self.whitelist_ip_param))
],
VpcId=Ref(self.vpc_id_param),
))
def add_elb(self):
t = self.template
self.elbSg = t.add_resource(
SecurityGroup(
'ElbSecurityGroup',
VpcId=Ref(self.vpcIdParam),
GroupDescription='Security group for ELB.',
SecurityGroupIngress=[
SecurityGroupRule(ToPort='80',
FromPort='80',
IpProtocol='tcp',
CidrIp="0.0.0.0/0")
#TODO HTTPS
],
Tags=self.defaultTags +
[Tag('Name', Join("", [self.namePrefix, 'ElbSecurityGroup']))
]))
self.elbListener = Listener('ElbListener',
LoadBalancerPort="80",
InstancePort="80",
Protocol="HTTP",
InstanceProtocol="HTTP")
self.elbHealthCheck = HealthCheck(Target="TCP:80",
Timeout="2",
Interval="5",
HealthyThreshold="2",
UnhealthyThreshold="2")
publicSubnetIds = [
self.sceptreUserData['subnets']['publicInfraAZ1Id'],
self.sceptreUserData['subnets']['publicInfraAZ2Id'],
self.sceptreUserData['subnets']['publicInfraAZ3Id']
]
self.elb = t.add_resource(
LoadBalancer('Elb',
Listeners=[self.elbListener],
Scheme='internet-facing',
HealthCheck=self.elbHealthCheck,
CrossZone=True,
Subnets=publicSubnetIds,
SecurityGroups=[Ref(self.elbSg)],
Tags=self.defaultTags +
[Tag('Name', Join("", [self.namePrefix, 'Elb']))]))
return 0
def add_ssh_security(self):
'''
Add SSH security group
'''
self.cfn_template.add_resource(SecurityGroup(
title=constants.SSH_SG,
GroupDescription='Allow ssh connections to the cluster host instances',
SecurityGroupIngress=[SecurityGroupRule(
IpProtocol='tcp',
FromPort=int('0'),
ToPort=int('65535'),
CidrIp=Ref('CIDRBLK')
)],
VpcId=ImportValue(Sub('${Environment}-VPCID'))
))
return self.cfn_template
def add_open_ssh_security_group(template):
if not template.get_security_group_metadata(sshsg_name):
new_security_group = SecurityGroup(
sshsg_name,
sshsg_description,
SecurityGroupIngress=[
SecurityGroupRule(
IpProtocol='tcp',
FromPort='22',
ToPort='22',
CidrIp='0.0.0.0/0'
)
]
)
template.add_security_group_metadata(sshsg_name, new_security_group)
template.add_resource(new_security_group)
def add_base_resources(self):
""" Allow ingress from load balancers with this """
ingress_sg = SecurityGroup(
"IncomingSg",
GroupDescription="SG for ecs instances for incoming alb",
VpcId=self.cluster.get('vpc'),
SecurityGroupIngress=[
SecurityGroupRule(
IpProtocol="tcp",
FromPort=0,
ToPort=64500,
SourceSecurityGroupId=ImportValue(f"{self.cluster['name']}-cluster:ALBBadgeSg")
)
]
)
self.template.add_resource(ingress_sg)
def buildTemplate(self):
ref_stack_id = Ref('AWS::StackId')
ref_stack_name = Ref('AWS::StackName')
security_group = self.t.add_resource(
SecurityGroup(
'BastionSshSecurityGroup',
GroupDescription="Allow SSH from anywhere to the Bastion Host",
VpcId=Ref("VpcId"),
SecurityGroupIngress=[
SecurityGroupRule(
IpProtocol='tcp',
FromPort=22,
ToPort=22,
CidrIp='0.0.0.0/0',
),
],
))
host = self.t.add_resource(
Instance("Bastion",
KeyName=Ref("KeyName"),
InstanceType="t2.nano",
ImageId=Ref("ImageId"),
SecurityGroupIds=[Ref(security_group)],
SubnetId=Ref("SubnetId"),
UserData=Base64(Ref(self.paramUserData)),
Tags=Tags(
Name=Join('', [ref_stack_name, '-BastionHost']),
Department=Ref(self.paramDepartment),
)))
self.t.add_output(
Output(
"InstanceId",
Description="Instance Id of the Bastion Host",
Value=Ref(host),
))
self.t.add_output(
Output(
"BastionDns",
Description="DNS of Bastion Host",
Value=GetAtt(host, "PublicDnsName"),
)),
def ts_add_security_group(t,
vpc_id=None,
name='MySecurityGroup',
desc='Enable all ingress'):
if vpc_id is None:
vpc_id = get_default_vpc()
return t.add_resource(
SecurityGroup(name,
GroupDescription=desc,
VpcId=vpc_id,
SecurityGroupIngress=[
SecurityGroupRule(IpProtocol='tcp',
CidrIp="0.0.0.0/0",
FromPort=0,
ToPort=65535),
],
Tags=Tags(
Application=Ref("AWS::StackName"),
Developer="cisco::haoru",
)))
def _add_processor_databases(self):
# Add the security group for Redis access
self.LambdaProcessorSG = self.add_resource(
SecurityGroup(
"LambdaProcessorSG",
GroupDescription="Lambda Message Processor",
VpcId=Ref(self.ProcessorVPCId),
))
self.RedisClusterSG = self.add_resource(
SecurityGroup(
"RedisClusterSG",
SecurityGroupIngress=[
SecurityGroupRule(IpProtocol="tcp",
FromPort=6379,
ToPort=6379,
SourceSecurityGroupId=GetAtt(
self.LambdaProcessorSG, "GroupId"))
],
GroupDescription="Allow HTTP traffic to redis",
VpcId=Ref(self.ProcessorVPCId),
))
self.RedisClusterSubnetGroup = self.add_resource(
SubnetGroup(
"RedisClusterSubnetGroup",
Description="Subnet group for Redis Cluster",
SubnetIds=[Ref(self.MessageAPISubnetId)],
))
self.RedisCluster = self.add_resource(
CacheCluster(
"RedisPushMessages",
Engine="redis",
CacheNodeType="cache.m3.medium",
NumCacheNodes=1,
CacheSubnetGroupName=Ref(self.RedisClusterSubnetGroup),
VpcSecurityGroupIds=[
GetAtt(self.RedisClusterSG, "GroupId"),
],
Tags=self._instance_tags("push-messages", "push-messages"),
))
def create_security_group(self, security_group_args, prefix):
'''
Method creates a security group and adds it to the resources list
@param security_group_args [dict] collection of keyword arguments for the security group
'''
security_group_ingress = []
for ingress in security_group_args['ingress']:
rule = SecurityGroupRule(IpProtocol=ingress['ip_protocol'],
FromPort=ingress['from_port'],
ToPort=ingress['to_port'],
CidrIp=ingress['cidr_ip'])
security_group_ingress.append(rule)
return self.add_resource(
SecurityGroup(
prefix + 'SecurityGroup',
GroupDescription='Enable SSH access via port 22',
SecurityGroupIngress=security_group_ingress,
VpcId=Ref(self.vpc),
))
def _rulesFromYaml(self, obj):
sgrules = []
try:
with open(obj, 'r') as stream:
doc = yaml.load(stream)
for ruleset in doc:
for cidr in doc[ruleset]['cidr']:
for protocol in doc[ruleset]['protocols']:
for port in doc[ruleset]['protocols'][protocol]:
sgrules.append(
SecurityGroupRule(''.join(
ch for ch in (cidr + protocol + port)
if ch.isalnum()),
CidrIp=cidr,
IpProtocol=protocol,
FromPort=port,
ToPort=port))
except Exception as e:
print(e)
exit(1)
finally:
return sgrules
def create_cache_cluster(stack, cache_type):
"""Add Elasticache Cache cluster Resource."""
ports = {'redis': 6379, 'memcached': 11211}
secgroup = stack.stack.add_resource(
SecurityGroup(
'{0}SecurityGroup'.format(cache_type),
GroupDescription="{0} Security Group".format(cache_type),
SecurityGroupIngress=[
SecurityGroupRule(
"{0}".format(cache_type),
CidrIp=Ref(stack.vpc_address_param),
FromPort=ports[cache_type],
ToPort=ports[cache_type],
IpProtocol="tcp",
)
],
VpcId=Ref(stack.vpc),
))
subnet_group = stack.stack.add_resource(
elasticache.SubnetGroup(
'{0}cache'.format(stack.env),
Description='{0} cache'.format(stack.env),
SubnetIds=[Ref(stack.backend1_subnet),
Ref(stack.backend2_subnet)],
))
stack.stack.add_resource(
elasticache.ReplicationGroup(
'CacheCluster',
ReplicationGroupId='{0}cluster'.format(stack.env),
ReplicationGroupDescription='{0}cluster'.format(stack.env),
Engine='{0}'.format(cache_type),
CacheNodeType=Ref(stack.cache_instance_type_param),
NumCacheClusters='2',
CacheSubnetGroupName=Ref(subnet_group),
SecurityGroupIds=[Ref(secgroup)]))
def _add_resources(self):
rules = [("tcp", 443),
("tcp", 943),
("udp", 1194)]
if self.sceptre_user_data['enable_ssh']:
rules.append(("tcp", 22))
self.openvpn_sg = SecurityGroup(
"SSHSecurityGroup",
VpcId=Ref(self.vpc_id_param),
GroupDescription="Enable SSH access via port 22",
SecurityGroupIngress=[SecurityGroupRule(
IpProtocol=protocol,
FromPort=port,
ToPort=port,
CidrIp=Ref(self.ssh_ip),)
for protocol, port in rules],
Tags=Tags(
Name=Join('-', [Ref(self.stack_prefix), "openvpn"])
),
)
self.template.add_resource(self.openvpn_sg)
self.openvpn_instance = Instance(
"OpenVPNInstance",
ImageId=FindInMap("RegionMap", Ref("AWS::Region"), "AMI"),
InstanceType="t2.micro",
KeyName=Ref(self.key_name),
SecurityGroupIds=[Ref(self.openvpn_sg)],
SourceDestCheck=False,
SubnetId=Ref(self.public_subnet_id),
Tags=Tags(
Name=Join('-', [Ref(self.stack_prefix), "openvpn"])
),
)
self.template.add_resource(self.openvpn_instance)
"AMI": "ami-5b6dde3b"
},
"us-west-1": {
"AMI": "ami-74cb9b14"
},
})
instance_security_group = SecurityGroup(
'InstanceSecurityGroup',
template=template,
GroupDescription="Instance security group.",
VpcId=Ref(vpc_id),
SecurityGroupIngress=[
SecurityGroupRule(
IpProtocol='-1',
FromPort='-1',
ToPort='-1',
CidrIp='0.0.0.0/0',
)
])
load_balancer = elb.LoadBalancer('LoadBalancer',
template=template,
Subnets=[
Ref(public_subnet),
],
SecurityGroups=[Ref(instance_security_group)],
Listeners=[
elb.Listener(LoadBalancerPort=80,
InstanceProtocol='HTTP',
InstancePort=8080,
Protocol='HTTP'),
"Ec2Instance",
ImageId=FindInMap("RegionMap", Ref("AWS::Region"), "AMI"),
InstanceType="t1.micro",
KeyName=Ref(keyname_param),
SecurityGroups=["default"],
UserData=Base64("80")
))
instanceSecurityGroup = template.add_resource(
SecurityGroup(
'InstanceSecurityGroup',
GroupDescription='Enable SSH access via port 22',
SecurityGroupIngress=[
SecurityGroupRule(
IpProtocol='tcp',
FromPort='22',
ToPort='22',
CidrIp='0.0.0.0/0'),
SecurityGroupRule(
IpProtocol='tcp',
FromPort='80',
ToPort='80',
CidrIp='0.0.0.0/0')],
))
template.add_output([
Output(
"InstanceId",
Description="InstanceId of the newly created EC2 instance",
Value=Ref(ec2_instance),
),
Description="Subnet ID where the MountTarget and instance "
"should be created",
Type="String",
))
# security group for the host
efs_host_security_group = SecurityGroup(
"EFSHostSecurityGroup", GroupDescription="EC2 Instance Security Group")
template.add_resource(efs_host_security_group)
# create security group for NFS over TCP for EC2 instances. Only allow the
# instance(s) from the efs_host_security_group to access the mount target
# given by this security group.
efs_security_group_rule = SecurityGroupRule(
IpProtocol='tcp',
FromPort='2049',
ToPort='2049',
SourceSecurityGroupId=Ref(efs_host_security_group))
# Security group that's applied to the Mount Targets.
efs_security_group = SecurityGroup(
"SecurityGroup",
SecurityGroupIngress=[efs_security_group_rule],
VpcId=Ref(vpcid_param),
GroupDescription="Allow NFS over TCP")
template.add_resource(efs_security_group)
# Create FileSystem. This is the actual filesystem, which has one or more
# mount targets. Give it some tags so we can identify it later.
tags = Tags(Name='MyEFSFileSystem')
efs_file_system = FileSystem("MyEFSFileSystem", FileSystemTags=tags)
