def add_interfaces(self, services:List[str]):
for svc in services:
if not svc in self.interfaces:
self.interfaces[svc] = ec2.InterfaceVpcEndpoint(
self, svc,
vpc=self.vpc,
service=ec2.InterfaceVpcEndpointAwsService(name=svc),
open=True,
private_dns_enabled=True,
lookup_supported_azs=True,
security_groups=[self.security_group])
return self
def create_endpoints(self) -> None:
endpoints = {
"SQS":
ec2.InterfaceVpcEndpointAwsService.SQS,
"CLOUDWATCH_LOGS":
ec2.InterfaceVpcEndpointAwsService.CLOUDWATCH_LOGS,
"CLOUDWATCH_MONITORING":
ec2.InterfaceVpcEndpointAwsService.CLOUDWATCH,
"KMS ":
ec2.InterfaceVpcEndpointAwsService.KMS,
"ECR":
ec2.InterfaceVpcEndpointAwsService.ECR,
"ECR_DOCKER":
ec2.InterfaceVpcEndpointAwsService.ECR_DOCKER,
"CODE_ARTIFACT_API":
ec2.InterfaceVpcEndpointAwsService(name="codeartifact.api"),
"CODE_ARTIFACT_REPOSITORIES":
ec2.InterfaceVpcEndpointAwsService(
name="codeartifact.repositories"),
}
for name, service in endpoints.items():
ec2.InterfaceVpcEndpoint(
self,
name,
vpc=self.instance,
service=service,
subnets=ec2.SubnetSelection(
subnet_type=ec2.SubnetType.ISOLATED),
private_dns_enabled=True,
security_groups=[self.mwaa_sg],
)
self.instance.add_gateway_endpoint(
"s3-endpoint",
service=ec2.GatewayVpcEndpointAwsService.S3,
subnets=[ec2.SubnetSelection(subnet_type=ec2.SubnetType.ISOLATED)],
)
def create_gateway_endpoint(
self,
service_name: str,
vpc: _ec2.Vpc,
gateway_endpoint_policy: _iam.PolicyStatement = None):
"""create gateway endpoint"""
vpc_endpoint = _ec2.GatewayVpcEndpoint(
self,
id=service_name.upper() + "VPCEndPoint",
vpc=vpc,
service=_ec2.InterfaceVpcEndpointAwsService(service_name))
if gateway_endpoint_policy is not None:
vpc_endpoint.add_to_policy(gateway_endpoint_policy)
def create_interface_endpoint(
self,
service_name: str,
security_group: _ec2.ISecurityGroup,
vpc: _ec2.Vpc,
interface_endpoint_policy: _iam.PolicyStatement = None):
"""create interface endpoint"""
vpc_endpoint = _ec2.InterfaceVpcEndpoint(
self,
id=service_name.upper() + "VPCEndPoint",
vpc=vpc,
service=_ec2.InterfaceVpcEndpointAwsService(service_name),
private_dns_enabled=True,
security_groups=[security_group])
if interface_endpoint_policy is not None:
vpc_endpoint.add_to_policy(interface_endpoint_policy)
def __init__(self, scope: core.Construct, id: str, vpc: ec2.IVpc,
**kwargs) -> None:
super().__init__(scope, id, **kwargs)
self.security_group = ec2.SecurityGroup(
self,
'EndpointSecurity',
vpc=vpc,
allow_all_outbound=True,
description='SG for AWS Resources in isolated subnet')
self.security_group.add_ingress_rule(
peer=ec2.Peer.any_ipv4(),
connection=ec2.Port(protocol=ec2.Protocol.ALL,
string_representation='Any source'))
self.gateways = {}
for svc in ['s3', 'dynamodb']:
self.gateways[svc] = ec2.GatewayVpcEndpoint(
self,
svc,
vpc=vpc,
service=ec2.GatewayVpcEndpointAwsService(name=svc))
self.interfaces = {}
for svc in [
'ssm', 'ec2messages', 'ec2', 'ssmmessages', 'kms',
'elasticloadbalancing', 'elasticfilesystem', 'lambda',
'states', 'events', 'execute-api', 'kinesis-streams',
'kinesis-firehose', 'logs', 'sns', 'sqs', 'secretsmanager',
'config', 'ecr.api', 'ecr.dkr'
]:
self.interfaces[svc] = ec2.InterfaceVpcEndpoint(
self,
svc,
vpc=vpc,
service=ec2.InterfaceVpcEndpointAwsService(name=svc),
open=True,
private_dns_enabled=True,
lookup_supported_azs=False,
security_groups=[self.security_group])
def _create_vpc_endpoints(self) -> None:
vpc_gateway_endpoints = {
"s3": ec2.GatewayVpcEndpointAwsService.S3,
"dynamodb": ec2.GatewayVpcEndpointAwsService.DYNAMODB,
}
vpc_interface_endpoints = {
"cloudwatch_endpoint":
ec2.InterfaceVpcEndpointAwsService.CLOUDWATCH,
"cloudwatch_logs_endpoint":
ec2.InterfaceVpcEndpointAwsService.CLOUDWATCH_LOGS,
"cloudwatch_events":
ec2.InterfaceVpcEndpointAwsService.CLOUDWATCH_EVENTS,
"ecr_docker_endpoint":
ec2.InterfaceVpcEndpointAwsService.ECR_DOCKER,
"ecr_endpoint":
ec2.InterfaceVpcEndpointAwsService.ECR,
"ec2_endpoint":
ec2.InterfaceVpcEndpointAwsService.EC2,
"ecs":
ec2.InterfaceVpcEndpointAwsService.ECS,
"ecs_agent":
ec2.InterfaceVpcEndpointAwsService.ECS_AGENT,
"ecs_telemetry":
ec2.InterfaceVpcEndpointAwsService.ECS_TELEMETRY,
"git_endpoint":
ec2.InterfaceVpcEndpointAwsService.CODECOMMIT_GIT,
"ssm_endpoint":
ec2.InterfaceVpcEndpointAwsService.SSM,
"ssm_messages_endpoint":
ec2.InterfaceVpcEndpointAwsService.SSM_MESSAGES,
"secrets_endpoint":
ec2.InterfaceVpcEndpointAwsService.SECRETS_MANAGER,
"kms_endpoint":
ec2.InterfaceVpcEndpointAwsService.KMS,
"sagemaker_endpoint":
ec2.InterfaceVpcEndpointAwsService.SAGEMAKER_API,
"sagemaker_runtime":
ec2.InterfaceVpcEndpointAwsService.SAGEMAKER_RUNTIME,
"notebook_endpoint":
ec2.InterfaceVpcEndpointAwsService.SAGEMAKER_NOTEBOOK,
"athena_endpoint":
ec2.InterfaceVpcEndpointAwsService("athena"),
"glue_endpoint":
ec2.InterfaceVpcEndpointAwsService("glue"),
"sqs":
ec2.InterfaceVpcEndpointAwsService.SQS,
"step_function_endpoint":
ec2.InterfaceVpcEndpointAwsService("states"),
"sns_endpoint":
ec2.InterfaceVpcEndpointAwsService.SNS,
"kinesis_firehose_endpoint":
ec2.InterfaceVpcEndpointAwsService("kinesis-firehose"),
"api_gateway":
ec2.InterfaceVpcEndpointAwsService.APIGATEWAY,
"sts_endpoint":
ec2.InterfaceVpcEndpointAwsService.STS,
"efs":
ec2.InterfaceVpcEndpointAwsService.ELASTIC_FILESYSTEM,
"elb":
ec2.InterfaceVpcEndpointAwsService.ELASTIC_LOAD_BALANCING,
"autoscaling":
ec2.InterfaceVpcEndpointAwsService("autoscaling"),
"cloudformation_endpoint":
ec2.InterfaceVpcEndpointAwsService("cloudformation"),
"codebuild_endpoint":
ec2.InterfaceVpcEndpointAwsService("codebuild"),
}
for name, gateway_vpc_endpoint_service in vpc_gateway_endpoints.items(
):
self.vpc.add_gateway_endpoint(
id=name,
service=gateway_vpc_endpoint_service,
subnets=[
ec2.SubnetSelection(subnets=self.nodes_subnets.subnets),
],
)
self._vpc_security_group = ec2.SecurityGroup(self,
"vpc-sg",
vpc=self.vpc,
allow_all_outbound=False)
# Adding ingress rule to VPC CIDR
self._vpc_security_group.add_ingress_rule(
peer=ec2.Peer.ipv4(self.vpc.vpc_cidr_block),
connection=ec2.Port.all_tcp())
for name, interface_service in vpc_interface_endpoints.items():
self.vpc.add_interface_endpoint(
id=name,
service=interface_service,
subnets=ec2.SubnetSelection(
subnets=self.nodes_subnets.subnets),
private_dns_enabled=True,
security_groups=[self._vpc_security_group],
)
# Adding CodeArtifact VPC endpoints
self.vpc.add_interface_endpoint(
id="code_artifact_repo_endpoint",
service=cast(
ec2.IInterfaceVpcEndpointService,
ec2.InterfaceVpcEndpointAwsService(
"codeartifact.repositories")),
subnets=ec2.SubnetSelection(subnets=self.nodes_subnets.subnets),
private_dns_enabled=False,
security_groups=[self._vpc_security_group],
)
self.vpc.add_interface_endpoint(
id="code_artifact_api_endpoint",
service=cast(
ec2.IInterfaceVpcEndpointService,
ec2.InterfaceVpcEndpointAwsService("codeartifact.api")),
subnets=ec2.SubnetSelection(subnets=self.nodes_subnets.subnets),
private_dns_enabled=False,
security_groups=[self._vpc_security_group],
)
# Adding Lambda and Redshift endpoints with CDK low level APIs
endpoint_url_template = "com.amazonaws.{}.{}"
ec2.CfnVPCEndpoint(
self,
"redshift_endpoint",
vpc_endpoint_type="Interface",
service_name=endpoint_url_template.format(self.region, "redshift"),
vpc_id=self.vpc.vpc_id,
security_group_ids=[self._vpc_security_group.security_group_id],
subnet_ids=self.nodes_subnets.subnet_ids,
private_dns_enabled=True,
)
ec2.CfnVPCEndpoint(
self,
"lambda_endpoint",
vpc_endpoint_type="Interface",
service_name=endpoint_url_template.format(self.region, "lambda"),
vpc_id=self.vpc.vpc_id,
security_group_ids=[self._vpc_security_group.security_group_id],
subnet_ids=self.nodes_subnets.subnet_ids,
private_dns_enabled=True,
)
def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
super().__init__(scope, construct_id, **kwargs)
isolated_subnets = ec2.SubnetConfiguration(
name="ISOLATED",
subnet_type=ec2.SubnetType.PRIVATE_ISOLATED,
cidr_mask=24)
# create VPC
vpc = ec2.Vpc(self,
'AWS-Cookbook-VPC',
cidr='10.10.0.0/23',
subnet_configuration=[isolated_subnets])
database_name = "AWSCookbookRecipe408"
rds_cluster = rds.ServerlessCluster(
self,
'DBCluster',
engine=rds.DatabaseClusterEngine.AURORA_POSTGRESQL,
parameter_group=rds.ParameterGroup.from_parameter_group_name(
self, 'ParameterGroup', 'default.aurora-postgresql10'),
vpc=vpc,
cluster_identifier='awscookbookrecipe408',
default_database_name=database_name,
# enable_data_api=True,
deletion_protection=False,
removal_policy=RemovalPolicy.DESTROY,
vpc_subnets=ec2.SubnetSelection(
one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED),
)
vpc.add_interface_endpoint(
'RdsDataInterfaceEndpoint',
service=ec2.InterfaceVpcEndpointAwsService(
'rds-data'
), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames'
private_dns_enabled=True,
subnets=ec2.SubnetSelection(
one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED),
)
# -------- Begin EC2 Helper ---------
vpc.add_interface_endpoint(
'VPCSSMInterfaceEndpoint',
service=ec2.InterfaceVpcEndpointAwsService(
'ssm'
), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames'
private_dns_enabled=True,
subnets=ec2.SubnetSelection(
one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED),
)
vpc.add_interface_endpoint(
'VPCEC2MessagesInterfaceEndpoint',
service=ec2.InterfaceVpcEndpointAwsService(
'ec2messages'
), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames'
private_dns_enabled=True,
subnets=ec2.SubnetSelection(
one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED),
)
vpc.add_interface_endpoint(
'VPCSSMMessagesInterfaceEndpoint',
service=ec2.InterfaceVpcEndpointAwsService(
'ssmmessages'
), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames'
private_dns_enabled=True,
subnets=ec2.SubnetSelection(
one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED),
)
ami = ec2.MachineImage.latest_amazon_linux(
generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2,
edition=ec2.AmazonLinuxEdition.STANDARD,
virtualization=ec2.AmazonLinuxVirt.HVM,
storage=ec2.AmazonLinuxStorage.GENERAL_PURPOSE)
iam_role = iam.Role(
self,
"InstanceSSM",
assumed_by=iam.ServicePrincipal("ec2.amazonaws.com"))
iam_role.add_managed_policy(
iam.ManagedPolicy.from_aws_managed_policy_name(
"service-role/AmazonEC2RoleforSSM"))
instance = ec2.Instance(
self,
"Instance",
instance_type=ec2.InstanceType("t3.nano"),
machine_image=ami,
role=iam_role,
vpc=vpc,
)
CfnOutput(self, 'InstanceId', value=instance.instance_id)
# -------- End EC2 Helper ---------
# outputs
CfnOutput(self, 'VpcId', value=vpc.vpc_id)
CfnOutput(self, 'SecretArn', value=rds_cluster.secret.secret_full_arn)
CfnOutput(self, 'ClusterArn', value=rds_cluster.cluster_arn)
CfnOutput(self,
'ClusterIdentifier',
value=rds_cluster.cluster_identifier)
CfnOutput(self, 'DatabaseName', value=database_name)
CfnOutput(self, 'InstanceRoleName', value=instance.role.role_name)
def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
super().__init__(scope, construct_id, **kwargs)
# create s3 bucket
s3_Bucket = s3.Bucket(self,
"AWS-Cookbook-Recipe-402",
removal_policy=RemovalPolicy.DESTROY)
aws_s3_deployment.BucketDeployment(
self,
'S3Deployment',
destination_bucket=s3_Bucket,
sources=[aws_s3_deployment.Source.asset("./s3_content")],
retain_on_delete=False)
isolated_subnets = ec2.SubnetConfiguration(
name="ISOLATED",
subnet_type=ec2.SubnetType.PRIVATE_ISOLATED,
cidr_mask=24)
# create VPC
vpc = ec2.Vpc(self,
'AWS-Cookbook-VPC',
cidr='10.10.0.0/23',
subnet_configuration=[isolated_subnets])
vpc.add_interface_endpoint(
'VPCSecretsManagerInterfaceEndpoint',
service=ec2.InterfaceVpcEndpointAwsService(
'secretsmanager'
), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames'
private_dns_enabled=True,
subnets=ec2.SubnetSelection(
one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED),
)
vpc.add_interface_endpoint(
'VPCRDSInterfaceEndpoint',
service=ec2.InterfaceVpcEndpointAwsService(
'rds'
), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames'
private_dns_enabled=True,
subnets=ec2.SubnetSelection(
one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED),
)
vpc.add_gateway_endpoint(
's3GateWayEndPoint',
service=ec2.GatewayVpcEndpointAwsService('s3'),
subnets=[
ec2.SubnetSelection(
subnet_type=ec2.SubnetType.PRIVATE_ISOLATED)
],
)
rds_security_group = ec2.SecurityGroup(
self,
'rds_security_group',
description='Security Group for the RDS Instance',
allow_all_outbound=True,
vpc=vpc)
rds_instance = rds.DatabaseInstance(
self,
'DBInstance',
engine=rds.DatabaseInstanceEngine.mysql(
version=rds.MysqlEngineVersion.VER_8_0_23),
instance_type=ec2.InstanceType("m5.large"),
vpc=vpc,
database_name='AWSCookbookRecipe402',
instance_identifier='awscookbookrecipe402',
delete_automated_backups=True,
deletion_protection=False,
removal_policy=RemovalPolicy.DESTROY,
allocated_storage=8,
vpc_subnets=ec2.SubnetSelection(
one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED),
security_groups=[rds_security_group])
# -------- Begin EC2 Helper ---------
vpc.add_interface_endpoint(
'VPCSSMInterfaceEndpoint',
service=ec2.InterfaceVpcEndpointAwsService(
'ssm'
), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames'
private_dns_enabled=True,
subnets=ec2.SubnetSelection(
one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED),
)
vpc.add_interface_endpoint(
'VPCEC2MessagesInterfaceEndpoint',
service=ec2.InterfaceVpcEndpointAwsService(
'ec2messages'
), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames'
private_dns_enabled=True,
subnets=ec2.SubnetSelection(
one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED),
)
vpc.add_interface_endpoint(
'VPCSSMMessagesInterfaceEndpoint',
service=ec2.InterfaceVpcEndpointAwsService(
'ssmmessages'
), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames'
private_dns_enabled=True,
subnets=ec2.SubnetSelection(
one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED),
)
ami = ec2.MachineImage.latest_amazon_linux(
generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2,
edition=ec2.AmazonLinuxEdition.STANDARD,
virtualization=ec2.AmazonLinuxVirt.HVM,
storage=ec2.AmazonLinuxStorage.GENERAL_PURPOSE)
iam_role = iam.Role(
self,
"InstanceSSM",
assumed_by=iam.ServicePrincipal("ec2.amazonaws.com"))
iam_role.add_managed_policy(
iam.ManagedPolicy.from_aws_managed_policy_name(
"service-role/AmazonEC2RoleforSSM"))
instance = ec2.Instance(
self,
"Instance",
instance_type=ec2.InstanceType("t3.nano"),
machine_image=ami,
role=iam_role,
vpc=vpc,
)
CfnOutput(self, 'InstanceId', value=instance.instance_id)
# -------- End EC2 Helper ---------
rds_instance.secret.grant_read(instance)
# allow connection from ec2 instance to DB
rds_instance.connections.allow_from(instance.connections,
ec2.Port.tcp(3306), "Ingress")
s3_Bucket.grant_read(instance)
# outputs
CfnOutput(self, 'VpcId', value=vpc.vpc_id)
CfnOutput(self,
'RdsSecurityGroup',
value=rds_security_group.security_group_id)
CfnOutput(self,
'RdsDatabaseId',
value=rds_instance.instance_identifier)
CfnOutput(self,
'RdsEndpoint',
value=rds_instance.db_instance_endpoint_address)
CfnOutput(self,
'RdsPort',
value=rds_instance.db_instance_endpoint_port)
CfnOutput(self, 'BucketName', value=s3_Bucket.bucket_name)
isolated_subnets = vpc.select_subnets(
subnet_type=ec2.SubnetType.PRIVATE_ISOLATED)
CfnOutput(self,
'IsolatedSubnets',
value=', '.join(map(str, isolated_subnets.subnet_ids)))
CfnOutput(self, 'InstanceRoleName', value=iam_role.role_name)
CfnOutput(self,
'RdsSecretArn',
value=rds_instance.secret.secret_full_arn)
def provision_vpc(self, name: str, vpc: VPC):
self.public_subnet_name = f"{name}-public"
self.private_subnet_name = f"{name}-private"
if not vpc.create:
self.vpc = ec2.Vpc.from_lookup("Vpc", vpc_id=vpc.id)
return
nat_provider = ec2.NatProvider.gateway()
self.vpc = ec2.Vpc(
self.scope,
"VPC",
max_azs=vpc.max_azs,
cidr=vpc.cidr,
subnet_configuration=[
ec2.SubnetConfiguration(
subnet_type=ec2.SubnetType.PUBLIC,
name=self.public_subnet_name,
cidr_mask=24, # can't use token ids
),
ec2.SubnetConfiguration(
subnet_type=ec2.SubnetType.PRIVATE,
name=self.private_subnet_name,
cidr_mask=24, # can't use token ids
),
],
gateway_endpoints={
"S3":
ec2.GatewayVpcEndpointOptions(
service=ec2.GatewayVpcEndpointAwsService.S3),
},
nat_gateway_provider=nat_provider,
)
cdk.Tags.of(self.vpc).add("Name", name)
cdk.CfnOutput(self.scope, "vpc-output", value=self.vpc.vpc_cidr_block)
# ripped off this: https://github.com/aws/aws-cdk/issues/9573
pod_cidr = ec2.CfnVPCCidrBlock(self.scope,
"PodCidr",
vpc_id=self.vpc.vpc_id,
cidr_block="100.64.0.0/16")
c = 0
for az in self.vpc.availability_zones:
pod_subnet = ec2.PrivateSubnet(
self.scope,
# this can't be okay
f"{name}-pod-{c}", # Can't use parameter/token in this name
vpc_id=self.vpc.vpc_id,
availability_zone=az,
cidr_block=f"100.64.{c}.0/18",
)
pod_subnet.add_default_nat_route([
gw for gw in nat_provider.configured_gateways if gw.az == az
][0].gateway_id)
pod_subnet.node.add_dependency(pod_cidr)
# TODO: need to tag
c += 64
for endpoint in [
"ec2", # Only these first three have predefined consts
"sts",
"ecr.api",
"autoscaling",
"ecr.dkr",
]: # TODO: Do we need an s3 interface as well? or just the gateway?
self.vpc_endpoint = ec2.InterfaceVpcEndpoint(
self.scope,
f"{endpoint}-ENDPOINT",
vpc=self.vpc,
service=ec2.InterfaceVpcEndpointAwsService(endpoint, port=443),
# private_dns_enabled=True,
subnets=ec2.SubnetSelection(
subnet_type=ec2.SubnetType.PRIVATE),
)
def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
super().__init__(scope, construct_id, **kwargs)
isolated_subnets = ec2.SubnetConfiguration(
name="isolated_subnets",
subnet_type=ec2.SubnetType.PRIVATE_ISOLATED,
cidr_mask=24
)
# create VPCs
vpc1 = ec2.Vpc(
self,
'AWS-Cookbook-VPC1-211',
cidr='10.10.0.0/23',
max_azs=1,
subnet_configuration=[isolated_subnets]
)
vpc1.add_interface_endpoint(
'VPC1SSMInterfaceEndpoint',
service=ec2.InterfaceVpcEndpointAwsService('ssm'), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames'
private_dns_enabled=True,
subnets=ec2.SubnetSelection(
one_per_az=False,
subnet_type=ec2.SubnetType.PRIVATE_ISOLATED
),
)
vpc1.add_interface_endpoint(
'VPC1EC2MessagesInterfaceEndpoint',
service=ec2.InterfaceVpcEndpointAwsService('ec2messages'), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames'
private_dns_enabled=True,
subnets=ec2.SubnetSelection(
one_per_az=False,
subnet_type=ec2.SubnetType.PRIVATE_ISOLATED
),
)
vpc1.add_interface_endpoint(
'VPC1SSMMessagedInterfaceEndpoint',
service=ec2.InterfaceVpcEndpointAwsService('ssmmessages'), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames'
private_dns_enabled=True,
subnets=ec2.SubnetSelection(
one_per_az=False,
subnet_type=ec2.SubnetType.PRIVATE_ISOLATED
),
)
vpc2 = ec2.Vpc(
self,
'AWS-Cookbook-VPC2-209',
cidr='10.20.0.0/23',
max_azs=1,
subnet_configuration=[isolated_subnets]
)
ami = ec2.MachineImage.latest_amazon_linux(
generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2,
edition=ec2.AmazonLinuxEdition.STANDARD,
virtualization=ec2.AmazonLinuxVirt.HVM,
storage=ec2.AmazonLinuxStorage.GENERAL_PURPOSE
)
iam_role = iam.Role(self, "InstanceSSM", assumed_by=iam.ServicePrincipal("ec2.amazonaws.com"))
iam_role.add_managed_policy(iam.ManagedPolicy.from_aws_managed_policy_name("AmazonSSMManagedInstanceCore"))
instance1 = ec2.Instance(
self,
"Instance1",
instance_type=ec2.InstanceType("t3.nano"),
machine_image=ami,
role=iam_role,
vpc=vpc1,
)
instance2 = ec2.Instance(
self,
"Instance2",
instance_type=ec2.InstanceType("t3.nano"),
machine_image=ami,
role=iam_role,
vpc=vpc2,
)
# outputs
CfnOutput(
self,
'VpcId1',
value=vpc1.vpc_id
)
CfnOutput(
self,
'InstanceId1',
value=instance1.instance_id
)
CfnOutput(
self,
'InstanceId2',
value=instance2.instance_id
)
CfnOutput(
self,
'InstanceIp1',
value=instance1.instance_private_ip
)
CfnOutput(
self,
'InstanceIp2',
value=instance2.instance_private_ip
)
CfnOutput(
self,
'InstanceSg1',
value=instance1.connections.security_groups[0].security_group_id
)
CfnOutput(
self,
'InstanceSg2',
value=instance2.connections.security_groups[0].security_group_id
)
CfnOutput(
self,
'VpcId2',
value=vpc2.vpc_id
)
vpc1_subnet_list = vpc1.select_subnets(subnet_type=ec2.SubnetType.ISOLATED)
CfnOutput(
self,
'VpcSubnetRtId1',
value=vpc1_subnet_list.subnets[0].route_table.route_table_id
)
vpc2_subnet_list = vpc2.select_subnets(subnet_type=ec2.SubnetType.ISOLATED)
CfnOutput(
self,
'VpcSubnetRtId2',
value=vpc2_subnet_list.subnets[0].route_table.route_table_id
)
CfnOutput(
self,
'VpcCidr1',
value=vpc1.vpc_cidr_block
)
CfnOutput(
self,
'VpcCidr2',
value=vpc2.vpc_cidr_block
)
def __init__(self, scope: core.Construct, construct_id: str,
**kwargs) -> None:
super().__init__(scope, construct_id, **kwargs)
isolated_subnets = ec2.SubnetConfiguration(
name="ISOLATED", subnet_type=ec2.SubnetType.ISOLATED, cidr_mask=24)
# create VPC
vpc1 = ec2.Vpc(self,
'AWS-Cookbook-VPC1-211',
cidr='10.10.0.0/23',
subnet_configuration=[isolated_subnets])
vpc1.add_interface_endpoint(
'VPC1SSMInterfaceEndpoint',
service=ec2.InterfaceVpcEndpointAwsService(
'ssm'
), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames'
private_dns_enabled=True,
subnets=ec2.SubnetSelection(one_per_az=False,
subnet_type=ec2.SubnetType.ISOLATED),
)
vpc1.add_interface_endpoint(
'VPC1EC2MessagesInterfaceEndpoint',
service=ec2.InterfaceVpcEndpointAwsService(
'ec2messages'
), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames'
private_dns_enabled=True,
subnets=ec2.SubnetSelection(one_per_az=False,
subnet_type=ec2.SubnetType.ISOLATED),
)
vpc1.add_interface_endpoint(
'VPC1SSMMessagedInterfaceEndpoint',
service=ec2.InterfaceVpcEndpointAwsService(
'ssmmessages'
), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames'
private_dns_enabled=True,
subnets=ec2.SubnetSelection(one_per_az=False,
subnet_type=ec2.SubnetType.ISOLATED),
)
vpc2 = ec2.Vpc(self,
'AWS-Cookbook-VPC2-211',
cidr='10.10.0.0/23',
subnet_configuration=[isolated_subnets])
VPC2SSMInterfaceEndpoint = vpc2.add_interface_endpoint(
'VPC2SSMInterfaceEndpoint',
service=ec2.InterfaceVpcEndpointAwsService(
'ssm'
), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames'
private_dns_enabled=True,
subnets=ec2.SubnetSelection(one_per_az=False,
subnet_type=ec2.SubnetType.ISOLATED),
)
vpc2.add_interface_endpoint(
'VPC2EC2MessagesInterfaceEndpoint',
service=ec2.InterfaceVpcEndpointAwsService(
'ec2messages'
), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames'
private_dns_enabled=True,
subnets=ec2.SubnetSelection(one_per_az=False,
subnet_type=ec2.SubnetType.ISOLATED),
)
vpc2.add_interface_endpoint(
'VPC2SSMMessagedInterfaceEndpoint',
service=ec2.InterfaceVpcEndpointAwsService(
'ssmmessages'
), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames'
private_dns_enabled=True,
subnets=ec2.SubnetSelection(one_per_az=False,
subnet_type=ec2.SubnetType.ISOLATED),
)
ami = ec2.MachineImage.latest_amazon_linux(
generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2,
edition=ec2.AmazonLinuxEdition.STANDARD,
virtualization=ec2.AmazonLinuxVirt.HVM,
storage=ec2.AmazonLinuxStorage.GENERAL_PURPOSE)
iam_role = iam.Role(
self,
"InstanceSSM",
assumed_by=iam.ServicePrincipal("ec2.amazonaws.com"))
iam_role.add_managed_policy(
iam.ManagedPolicy.from_aws_managed_policy_name(
"service-role/AmazonEC2RoleforSSM"))
instance1 = ec2.Instance(
self,
"Instance1",
instance_type=ec2.InstanceType("t3.nano"),
machine_image=ami,
role=iam_role,
vpc=vpc1,
)
instance2 = ec2.Instance(
self,
"Instance2",
instance_type=ec2.InstanceType("t3.nano"),
machine_image=ami,
role=iam_role,
vpc=vpc2,
)
# outputs
core.CfnOutput(self, 'VPC1Id', value=vpc1.vpc_id)
core.CfnOutput(self, 'VPC2Id', value=vpc2.vpc_id)
core.CfnOutput(self, 'Instance1ID', value=instance1.instance_id)
core.CfnOutput(self, 'Instance2ID', value=instance2.instance_id)
vpc1_isoalted_subnets = vpc1.select_subnets(
subnet_type=ec2.SubnetType.ISOLATED)
core.CfnOutput(self,
'VPC1Subnets',
value=', '.join(
map(str, vpc1_isoalted_subnets.subnet_ids)))
core.CfnOutput(self,
'VPC2InterfaceEndpointSG',
value=VPC2SSMInterfaceEndpoint.security_group_id)
vpc2_isolated_subnets_list = vpc2.select_subnets(
subnet_type=ec2.SubnetType.ISOLATED)
core.CfnOutput(self,
'VPC2Subnet1ID',
value=vpc2_isolated_subnets_list.subnets[0].subnet_id)
def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
super().__init__(scope, construct_id, **kwargs)
# create s3 bucket
s3_Bucket = s3.Bucket(self,
"AWS-Cookbook-Recipe-404",
removal_policy=RemovalPolicy.DESTROY,
auto_delete_objects=True)
aws_s3_deployment.BucketDeployment(
self,
'S3Deployment',
destination_bucket=s3_Bucket,
sources=[aws_s3_deployment.Source.asset("./s3_content")],
retain_on_delete=False)
isolated_subnets = ec2.SubnetConfiguration(
name="ISOLATED",
subnet_type=ec2.SubnetType.PRIVATE_ISOLATED,
cidr_mask=24)
# create VPC
vpc = ec2.Vpc(self,
'AWS-Cookbook-VPC',
cidr='10.10.0.0/23',
subnet_configuration=[isolated_subnets])
vpc.add_interface_endpoint(
'VPCSecretsManagerInterfaceEndpoint',
service=ec2.InterfaceVpcEndpointAwsService(
'secretsmanager'
), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames'
private_dns_enabled=True,
subnets=ec2.SubnetSelection(
one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED),
)
vpc.add_gateway_endpoint(
's3GateWayEndPoint',
service=ec2.GatewayVpcEndpointAwsService('s3'),
subnets=[
ec2.SubnetSelection(
subnet_type=ec2.SubnetType.PRIVATE_ISOLATED)
],
)
subnet_group = rds.SubnetGroup(
self,
'rds_subnet_group',
description='VPC Subnet Group for RDS',
vpc=vpc,
vpc_subnets=ec2.SubnetSelection(
one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED))
rds_instance = rds.DatabaseInstance(
self,
'DBInstance',
engine=rds.DatabaseInstanceEngine.mysql(
version=rds.MysqlEngineVersion.VER_8_0_23),
instance_type=ec2.InstanceType("m5.large"),
vpc=vpc,
multi_az=False,
database_name='AWSCookbookRecipe404',
instance_identifier='awscookbook404db-orig',
delete_automated_backups=True,
deletion_protection=False,
# iam_authentication=
removal_policy=RemovalPolicy.DESTROY,
allocated_storage=8,
subnet_group=subnet_group)
# mkdir -p lambda-layers/sqlparse/python
# cd layers/sqlparse/python
# pip install sqlparse --target="."
# cd ../../../
# create Lambda Layer
sqlparse = aws_lambda.LayerVersion(
self,
"sqlparse",
code=aws_lambda.AssetCode('lambda-layers/sqlparse'),
compatible_runtimes=[aws_lambda.Runtime.PYTHON_3_8],
description="sqlparse",
license=
"https://github.com/andialbrecht/sqlparse/blob/master/LICENSE")
pymysql = aws_lambda.LayerVersion(
self,
"pymysql",
code=aws_lambda.AssetCode('lambda-layers/pymysql'),
compatible_runtimes=[aws_lambda.Runtime.PYTHON_3_8],
description="pymysql",
license="MIT")
smartopen = aws_lambda.LayerVersion(
self,
"smartopen",
code=aws_lambda.AssetCode('lambda-layers/smart_open'),
compatible_runtimes=[aws_lambda.Runtime.PYTHON_3_8],
description="smartopen",
license="MIT")
lambda_function = aws_lambda.Function(
self,
'LambdaRDS',
code=aws_lambda.AssetCode("./mysql-lambda/"),
handler="lambda_function.lambda_handler",
environment={
"DB_SECRET_ARN": rds_instance.secret.secret_arn,
"S3_BUCKET": s3_Bucket.bucket_name
},
layers=[sqlparse, pymysql, smartopen],
memory_size=1024,
runtime=aws_lambda.Runtime.PYTHON_3_8,
timeout=Duration.seconds(600),
vpc=vpc,
vpc_subnets=ec2.SubnetSelection(
subnet_type=ec2.SubnetType.PRIVATE_ISOLATED))
rds_instance.secret.grant_read(lambda_function)
rds_instance.connections.allow_from(lambda_function.connections,
ec2.Port.tcp(3306), "Ingress")
s3_Bucket.grant_read(lambda_function)
create_params = {
"FunctionName": lambda_function.function_arn,
}
on_create = custom_resources.AwsSdkCall(
action='invoke',
service='Lambda',
parameters=create_params,
physical_resource_id=custom_resources.PhysicalResourceId.of(
'LambdaRDS'))
policy_statement = iam.PolicyStatement(
actions=["lambda:InvokeFunction"],
effect=iam.Effect.ALLOW,
resources=[lambda_function.function_arn],
)
policy = custom_resources.AwsCustomResourcePolicy.from_statements(
statements=[policy_statement])
custom_resources.AwsCustomResource(
self,
'CustomResource',
policy=policy,
on_create=on_create,
log_retention=logs.RetentionDays.TWO_WEEKS)
# outputs
CfnOutput(self, 'RdsSubnetGroup', value=subnet_group.subnet_group_name)
CfnOutput(self,
'RdsDatabaseId',
value=rds_instance.instance_identifier)
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
self.current_dir = os.path.dirname(__file__)
self.vpc = ec2.Vpc(
self,
"VPC",
cidr="10.0.0.0/21",
max_azs=2,
subnet_configuration=[
ec2.SubnetConfiguration(
cidr_mask=28,
name="Database",
subnet_type=ec2.SubnetType.ISOLATED,
),
ec2.SubnetConfiguration(cidr_mask=28,
name="Private",
subnet_type=ec2.SubnetType.PRIVATE),
ec2.SubnetConfiguration(cidr_mask=28,
name="Public",
subnet_type=ec2.SubnetType.PUBLIC)
],
nat_gateways=3)
self.qs_security_group = ec2.SecurityGroup(
self,
"quicksight-sg",
vpc=self.vpc,
allow_all_outbound=True,
description="QuickSight security group")
self.bastion = ec2.BastionHostLinux(
self,
"BastionHost",
vpc=self.vpc,
subnet_selection=ec2.SubnetSelection(
subnet_type=ec2.SubnetType.PUBLIC))
self.bastion.connections.allow_from_any_ipv4(ec2.Port.tcp(22),
"Internet access SSH")
self.vpc.add_interface_endpoint(
"redshift_endpoint",
service=ec2.InterfaceVpcEndpointAwsService("redshift"))
self.vpc.add_interface_endpoint(
"rds_endpoint", service=ec2.InterfaceVpcEndpointAwsService("rds"))
self.redshift_secret = secrets.Secret(
self,
'redshift-admin',
secret_name='redshift-admin',
description=
"This secret has generated admin secret password for Redshift cluster",
generate_secret_string=secrets.SecretStringGenerator(
secret_string_template='{"username": "******"}',
generate_string_key='password',
password_length=32,
exclude_characters='"@\\\/',
exclude_punctuation=True))
self.rs_security_group = ec2.SecurityGroup(self,
"redshift-sg",
vpc=self.vpc,
allow_all_outbound=True,
description="Redshift SG")
self.rs_security_group.add_ingress_rule(self.rs_security_group,
ec2.Port.all_tcp(),
'Redshift-basic')
self.rs_security_group.add_ingress_rule(
# https://docs.aws.amazon.com/quicksight/latest/user/regions.html
ec2.Peer.ipv4('52.23.63.224/27'),
ec2.Port.tcp(5439),
'QuickSight-IP')
self.rs_security_group.add_ingress_rule(self.qs_security_group,
ec2.Port.tcp(5439),
'QuickSight-sg')
# self.rs_security_group.add_egress_rule(
# self.rs_security_group,
# ec2.Port.all_tcp(),
# 'Allow outbound for QuickSight'
# )
self.redshift_cluster = redshift.Cluster(
self,
"datasource-redshift",
master_user=redshift.Login(
master_username="******",
master_password=self.redshift_secret.secret_value_from_json(
'password')),
vpc=self.vpc,
vpc_subnets=ec2.SubnetSelection(
subnet_type=ec2.SubnetType.ISOLATED),
security_groups=[self.rs_security_group])
self.rds_secret = secrets.Secret(
self,
'rds-admin',
secret_name='rds-admin',
description=
"This secret has generated admin secret password for RDS cluster",
generate_secret_string=secrets.SecretStringGenerator(
secret_string_template='{"username": "******"}',
generate_string_key='password',
password_length=32,
exclude_characters='"@\\\/',
exclude_punctuation=True))
self.rds_cluster = rds.DatabaseCluster(
self,
"datasource-rds",
engine=rds.DatabaseClusterEngine.aurora_postgres(
version=rds.AuroraPostgresEngineVersion.VER_11_9),
instance_props={
"vpc_subnets": {
"subnet_type": ec2.SubnetType.ISOLATED
},
"vpc": self.vpc
},
credentials=rds.Credentials.from_secret(self.rds_secret))
self.rds_cluster.connections.allow_default_port_from(
self.bastion, "EC2 Bastion access Aurora")
self.rds_cluster.connections.allow_default_port_from(
self.qs_security_group, "QuickSight-sg")
self.rds_cluster.connections.allow_default_port_from(
# https://docs.aws.amazon.com/quicksight/latest/user/regions.html
ec2.Peer.ipv4('52.23.63.224/27'),
"QuickSight-IP")
self.qs_security_group.add_ingress_rule(self.rs_security_group,
ec2.Port.all_tcp(), 'AllTCP')
for rds_group in self.rds_cluster.connections.security_groups:
self.qs_security_group.add_ingress_rule(rds_group,
ec2.Port.all_tcp(),
'AllTCP')
# self.qs_security_group.add_egress_rule(
# self.rs_security_group,
# ec2.Port.all_tcp(),
# 'AllTCP'
# )
core.CfnOutput(self, "vpcId", value=self.vpc.vpc_id)
core.CfnOutput(self, "redshiftUsername", value="admin")
core.CfnOutput(self, "redshiftPassword", value="redshift-admin")
core.CfnOutput(self,
"redshiftClusterId",
value=self.redshift_cluster.cluster_name)
core.CfnOutput(self,
"redshiftHost",
value=self.redshift_cluster.cluster_endpoint.hostname)
core.CfnOutput(self, "redshiftDB", value="dev")
core.CfnOutput(self, "rdsUsername", value="administrator")
core.CfnOutput(self, "rdsPassword", value="rds-admin")
core.CfnOutput(self,
"rdsClusterId",
value=self.rds_cluster.cluster_identifier)
core.CfnOutput(self, "namespace", value="default")
core.CfnOutput(self, "version", value="1")
core.CfnOutput(self,
"quicksightSecurityGroupId",
value=self.qs_security_group.security_group_id)
def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
super().__init__(scope, construct_id, **kwargs)
isolated_subnets = ec2.SubnetConfiguration(
name="Isolated",
subnet_type=ec2.SubnetType.PRIVATE_ISOLATED,
cidr_mask=24)
# create VPC
vpc = ec2.Vpc(self,
'AWS-Cookbook-VPC',
cidr='10.10.0.0/23',
subnet_configuration=[isolated_subnets])
# -------- Begin EC2 Helper ---------
vpc.add_interface_endpoint(
'VPCSSMInterfaceEndpoint',
service=ec2.InterfaceVpcEndpointAwsService(
'ssm'
), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames'
private_dns_enabled=True,
subnets=ec2.SubnetSelection(
one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED),
)
vpc.add_interface_endpoint(
'VPCEC2MessagesInterfaceEndpoint',
service=ec2.InterfaceVpcEndpointAwsService(
'ec2messages'
), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames'
private_dns_enabled=True,
subnets=ec2.SubnetSelection(
one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED),
)
vpc.add_interface_endpoint(
'VPCSSMMessagesInterfaceEndpoint',
service=ec2.InterfaceVpcEndpointAwsService(
'ssmmessages'
), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames'
private_dns_enabled=True,
subnets=ec2.SubnetSelection(
one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED),
)
ami = ec2.MachineImage.latest_amazon_linux(
generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2,
edition=ec2.AmazonLinuxEdition.STANDARD,
virtualization=ec2.AmazonLinuxVirt.HVM,
storage=ec2.AmazonLinuxStorage.GENERAL_PURPOSE)
vpc.add_gateway_endpoint(
's3GateWayEndPoint',
service=ec2.GatewayVpcEndpointAwsService('s3'),
subnets=[
ec2.SubnetSelection(
subnet_type=ec2.SubnetType.PRIVATE_ISOLATED)
],
)
iam_role = iam.Role(
self,
"InstanceSSM",
assumed_by=iam.ServicePrincipal("ec2.amazonaws.com"))
iam_role.add_managed_policy(
iam.ManagedPolicy.from_aws_managed_policy_name(
"service-role/AmazonEC2RoleforSSM"))
instance1_sg = ec2.SecurityGroup(self, 'instance1_sg', vpc=vpc)
instance1 = ec2.Instance(
self,
"Instance1",
instance_type=ec2.InstanceType("t3.nano"),
machine_image=ami,
role=iam_role,
vpc=vpc,
security_group=instance1_sg,
vpc_subnets=ec2.SubnetSelection(subnets=[vpc.isolated_subnets[0]]))
instance2_sg = ec2.SecurityGroup(self, 'instance2_sg', vpc=vpc)
instance2 = ec2.Instance(
self,
"Instance2",
instance_type=ec2.InstanceType("t3.nano"),
machine_image=ami,
role=iam_role,
vpc=vpc,
security_group=instance2_sg,
vpc_subnets=ec2.SubnetSelection(subnets=[vpc.isolated_subnets[1]]))
# outputs
CfnOutput(self, 'InstanceId1', value=instance1.instance_id)
CfnOutput(self, 'InstanceId2', value=instance2.instance_id)
CfnOutput(self, 'InstanceSgId1', value=instance1_sg.security_group_id)
CfnOutput(self, 'InstanceSgId2', value=instance2_sg.security_group_id)
def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
super().__init__(scope, construct_id, **kwargs)
attachments_subnets = ec2.SubnetConfiguration(
name="ATTACHMENTS",
subnet_type=ec2.SubnetType.PRIVATE_ISOLATED,
cidr_mask=28)
isolated_subnets = ec2.SubnetConfiguration(
name="ISOLATED",
subnet_type=ec2.SubnetType.PRIVATE_ISOLATED,
cidr_mask=28)
public_subnets = ec2.SubnetConfiguration(
name="PUBLIC",
subnet_type=ec2.SubnetType.PUBLIC,
cidr_mask=28)
private_subnets = ec2.SubnetConfiguration(
name="PRIVATE",
subnet_type=ec2.SubnetType.PRIVATE_WITH_NAT,
cidr_mask=28)
# create VPC
vpc1 = ec2.Vpc(
self,
'AWS-Cookbook-210-VPC1',
cidr='10.10.0.0/26',
subnet_configuration=[isolated_subnets, attachments_subnets]
)
vpc1.add_interface_endpoint(
'VPC1SSMInterfaceEndpoint',
service=ec2.InterfaceVpcEndpointAwsService('ssm'), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames'
private_dns_enabled=True,
subnets=ec2.SubnetSelection(
one_per_az=False,
subnet_type=ec2.SubnetType.PRIVATE_ISOLATED
),
)
vpc1.add_interface_endpoint(
'VPC1EC2MessagesInterfaceEndpoint',
service=ec2.InterfaceVpcEndpointAwsService('ec2messages'), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames'
private_dns_enabled=True,
subnets=ec2.SubnetSelection(
one_per_az=False,
subnet_type=ec2.SubnetType.PRIVATE_ISOLATED
),
)
vpc1.add_interface_endpoint(
'VPC1SSMMessagedInterfaceEndpoint',
service=ec2.InterfaceVpcEndpointAwsService('ssmmessages'), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames'
private_dns_enabled=True,
subnets=ec2.SubnetSelection(
one_per_az=False,
subnet_type=ec2.SubnetType.PRIVATE_ISOLATED
),
)
vpc2 = ec2.Vpc(
self,
'AWS-Cookbook-210-VPC2',
cidr='10.10.0.128/25',
subnet_configuration=[public_subnets, private_subnets, isolated_subnets, attachments_subnets]
)
vpc2.add_interface_endpoint(
'VPC2SSMInterfaceEndpoint',
service=ec2.InterfaceVpcEndpointAwsService('ssm'), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames'
private_dns_enabled=True,
subnets=ec2.SubnetSelection(
one_per_az=False,
subnet_type=ec2.SubnetType.PRIVATE_ISOLATED
),
)
vpc2.add_interface_endpoint(
'VPC2EC2MessagesInterfaceEndpoint',
service=ec2.InterfaceVpcEndpointAwsService('ec2messages'), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames'
private_dns_enabled=True,
subnets=ec2.SubnetSelection(
one_per_az=False,
subnet_type=ec2.SubnetType.PRIVATE_ISOLATED
),
)
vpc2.add_interface_endpoint(
'VPC2SSMMessagedInterfaceEndpoint',
service=ec2.InterfaceVpcEndpointAwsService('ssmmessages'), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames'
private_dns_enabled=True,
subnets=ec2.SubnetSelection(
one_per_az=False,
subnet_type=ec2.SubnetType.PRIVATE_ISOLATED
),
)
vpc3 = ec2.Vpc(
self,
'AWS-Cookbook-210-VPC3',
cidr='10.10.0.64/26',
subnet_configuration=[isolated_subnets, attachments_subnets]
)
vpc3.add_interface_endpoint(
'VPC3SSMInterfaceEndpoint',
service=ec2.InterfaceVpcEndpointAwsService('ssm'), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames'
private_dns_enabled=True,
subnets=ec2.SubnetSelection(
one_per_az=False,
subnet_type=ec2.SubnetType.PRIVATE_ISOLATED
),
)
vpc3.add_interface_endpoint(
'VPC3EC2MessagesInterfaceEndpoint',
service=ec2.InterfaceVpcEndpointAwsService('ec2messages'), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames'
private_dns_enabled=True,
subnets=ec2.SubnetSelection(
one_per_az=False,
subnet_type=ec2.SubnetType.PRIVATE_ISOLATED
),
)
vpc3.add_interface_endpoint(
'VPC3SSMMessagedInterfaceEndpoint',
service=ec2.InterfaceVpcEndpointAwsService('ssmmessages'), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames'
private_dns_enabled=True,
subnets=ec2.SubnetSelection(
one_per_az=False,
subnet_type=ec2.SubnetType.PRIVATE_ISOLATED
),
)
ami = ec2.MachineImage.latest_amazon_linux(
generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2,
edition=ec2.AmazonLinuxEdition.STANDARD,
virtualization=ec2.AmazonLinuxVirt.HVM,
storage=ec2.AmazonLinuxStorage.GENERAL_PURPOSE
)
iam_role = iam.Role(self, "InstanceSSM", assumed_by=iam.ServicePrincipal("ec2.amazonaws.com"))
iam_role.add_managed_policy(iam.ManagedPolicy.from_aws_managed_policy_name("service-role/AmazonEC2RoleforSSM"))
security_group_instance1 = ec2.SecurityGroup(
self,
"Instance1SG",
vpc=vpc1,
allow_all_outbound=True
)
security_group_instance1.add_ingress_rule(
ec2.Peer.any_ipv4(),
ec2.Port.all_icmp()
)
instance1 = ec2.Instance(
self,
"Instance1",
instance_type=ec2.InstanceType("t3.nano"),
machine_image=ami,
role=iam_role,
vpc=vpc1,
security_group=security_group_instance1
)
security_group_instance2 = ec2.SecurityGroup(
self,
"Instance2SG",
vpc=vpc2,
allow_all_outbound=True
)
security_group_instance2.add_ingress_rule(
ec2.Peer.any_ipv4(),
ec2.Port.all_icmp()
)
instance2 = ec2.Instance(
self,
"Instance2",
instance_type=ec2.InstanceType("t3.nano"),
machine_image=ami,
role=iam_role,
vpc=vpc2,
security_group=security_group_instance2
)
security_group_instance3 = ec2.SecurityGroup(
self,
"Instance3SG",
vpc=vpc3,
allow_all_outbound=True
)
security_group_instance3.add_ingress_rule(
ec2.Peer.any_ipv4(),
ec2.Port.all_icmp()
)
instance3 = ec2.Instance(
self,
"Instance3",
instance_type=ec2.InstanceType("t3.nano"),
machine_image=ami,
role=iam_role,
vpc=vpc3,
security_group=security_group_instance3
)
# outputs
CfnOutput(
self,
'VpcId1',
value=vpc1.vpc_id
)
CfnOutput(
self,
'VpcId2',
value=vpc2.vpc_id
)
CfnOutput(
self,
'VpcId3',
value=vpc3.vpc_id
)
CfnOutput(
self,
'InstanceId1',
value=instance1.instance_id
)
CfnOutput(
self,
'InstanceId2',
value=instance2.instance_id
)
CfnOutput(
self,
'InstanceId3',
value=instance3.instance_id
)
vpc1_attachment_subnets = vpc1.select_subnets(subnet_group_name="ATTACHMENTS")
CfnOutput(
self,
'AttachmentSubnetsVpc1',
value=', '.join(map(str, vpc1_attachment_subnets.subnet_ids))
)
vpc2_attachment_subnets = vpc2.select_subnets(subnet_group_name="ATTACHMENTS")
CfnOutput(
self,
'AttachmentSubnetsVpc2',
value=', '.join(map(str, vpc2_attachment_subnets.subnet_ids))
)
vpc3_attachment_subnets = vpc3.select_subnets(subnet_group_name="ATTACHMENTS")
CfnOutput(
self,
'AttachmentSubnetsVpc3',
value=', '.join(map(str, vpc3_attachment_subnets.subnet_ids))
)
vpc1_isolated_subnets_list = vpc1.select_subnets(subnet_type=ec2.SubnetType.PRIVATE_ISOLATED)
CfnOutput(
self,
'Vpc1RtId1',
value=vpc1_isolated_subnets_list.subnets[0].route_table.route_table_id
)
CfnOutput(
self,
'Vpc1RtId2',
value=vpc1_isolated_subnets_list.subnets[1].route_table.route_table_id
)
vpc2_public_subnets_list = vpc2.select_subnets(subnet_type=ec2.SubnetType.PUBLIC)
CfnOutput(
self,
'Vpc2PublicSubnetId1',
value=vpc2_public_subnets_list.subnets[0].subnet_id
)
CfnOutput(
self,
'Vpc2PublicSubnetId2',
value=vpc2_public_subnets_list.subnets[1].subnet_id
)
CfnOutput(
self,
'Vpc2PublicRtId1',
value=vpc2_public_subnets_list.subnets[0].route_table.route_table_id
)
CfnOutput(
self,
'Vpc2PublicRtId2',
value=vpc2_public_subnets_list.subnets[1].route_table.route_table_id
)
vpc2_isolated_subnets_list = vpc2.select_subnets(subnet_type=ec2.SubnetType.PRIVATE_WITH_NAT)
CfnOutput(
self,
'Vpc2RtId1',
value=vpc2_isolated_subnets_list.subnets[0].route_table.route_table_id
)
CfnOutput(
self,
'Vpc2RtId2',
value=vpc2_isolated_subnets_list.subnets[1].route_table.route_table_id
)
vpc3_isolated_subnets_list = vpc3.select_subnets(subnet_type=ec2.SubnetType.PRIVATE_ISOLATED)
CfnOutput(
self,
'Vpc3RtId1',
value=vpc3_isolated_subnets_list.subnets[0].route_table.route_table_id
)
CfnOutput(
self,
'Vpc3RtId2',
value=vpc3_isolated_subnets_list.subnets[1].route_table.route_table_id
)
vpc2_attachment_subnets_list = vpc2.select_subnets(subnet_group_name="ATTACHMENTS")
CfnOutput(
self,
'Vpc2AttachRtId1',
value=vpc2_attachment_subnets_list.subnets[0].route_table.route_table_id
)
CfnOutput(
self,
'Vpc2AttachRtId2',
value=vpc2_attachment_subnets_list.subnets[1].route_table.route_table_id
)
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
self.current_dir = os.path.dirname(__file__)
self.quicksight_migration_source_assume_role = iam.Role(
self, 'quicksight-migration-source-assume-role',
description='Role for the Quicksight dashboard migration Lambdas to assume',
role_name='quicksight-migration-source-assume-role',
max_session_duration=core.Duration.seconds(3600),
assumed_by=iam.ServicePrincipal('lambda.amazonaws.com'),
inline_policies={
'AllowAccess': iam.PolicyDocument(
statements=[
iam.PolicyStatement(
effect=iam.Effect.ALLOW,
actions=[
"quicksight:*",
],
resources=["*"]
),
iam.PolicyStatement(
effect=iam.Effect.ALLOW,
actions=[
"ssm:GetParameter",
],
resources=["arn:aws:ssm:*:*:parameter/infra/config"]
)
]
)
}
)
self.quicksight_migration_source_assume_role.assume_role_policy.add_statements(
iam.PolicyStatement(
effect=iam.Effect.ALLOW,
actions=['sts:AssumeRole'],
principals=[iam.AccountPrincipal("499080683179")]
)
)
self.quicksight_migration_target_assume_role = iam.Role(
self, 'quicksight-migration-target-assume-role',
description='Role for the Quicksight dashboard migration Lambdas to assume',
role_name='quicksight-migration-target-assume-role',
max_session_duration=core.Duration.seconds(3600),
assumed_by=iam.ServicePrincipal('lambda.amazonaws.com'),
inline_policies={
'AllowAccess': iam.PolicyDocument(
statements=[
iam.PolicyStatement(
effect=iam.Effect.ALLOW,
actions=[
"quicksight:*",
],
resources=["*"]
),
iam.PolicyStatement(
effect=iam.Effect.ALLOW,
actions=[
"ssm:GetParameter",
],
resources=["arn:aws:ssm:*:*:parameter/infra/config"]
)
]
)
}
)
self.quicksight_migration_target_assume_role.assume_role_policy.add_statements(
iam.PolicyStatement(
effect=iam.Effect.ALLOW,
actions=['sts:AssumeRole'],
principals=[iam.AccountPrincipal("499080683179")]
)
)
self.vpc = ec2.Vpc(self, "VPC",
cidr="10.0.0.0/21",
max_azs=3,
subnet_configuration=[
ec2.SubnetConfiguration(
cidr_mask=28,
name="Database",
subnet_type=ec2.SubnetType.ISOLATED,
)
]
)
self.vpc.add_interface_endpoint("redshift_endpoint",
service=ec2.InterfaceVpcEndpointAwsService("redshift")
)
self.vpc.add_interface_endpoint("rds_endpoint",
service=ec2.InterfaceVpcEndpointAwsService("rds")
)
self.redshift_secret = secrets.Secret(self,'redshift-admin',
secret_name='redshift-admin',
description="This secret has generated admin secret password for Redshift cluster",
generate_secret_string=secrets.SecretStringGenerator(
secret_string_template='{"username": "******"}',
generate_string_key='password',
password_length=32,
exclude_characters='"@\\\/',
exclude_punctuation=True
)
)
self.redshift_cluster = redshift.Cluster(self, "datasource-redshift",
master_user=redshift.Login(
master_username="******",
master_password=self.redshift_secret.secret_value_from_json('password')
),
vpc=self.vpc,
vpc_subnets=ec2.SubnetSelection(
subnet_type=ec2.SubnetType.ISOLATED
)
)
self.rds_secret = secrets.Secret(self,'rds-admin',
secret_name='rds-admin',
description="This secret has generated admin secret password for RDS cluster",
generate_secret_string=secrets.SecretStringGenerator(
secret_string_template='{"username": "******"}',
generate_string_key='password',
password_length=32,
exclude_characters='"@\\\/',
exclude_punctuation=True
)
)
self.rds_cluster = rds.DatabaseCluster(self, "datasource-rds",
engine=rds.DatabaseClusterEngine.aurora_mysql(
version=rds.AuroraMysqlEngineVersion.VER_2_08_1),
instance_props={
"vpc_subnets": {
"subnet_type": ec2.SubnetType.ISOLATED
},
"vpc": self.vpc
},
credentials=rds.Credentials.from_secret(self.rds_secret)
)
ssm.StringParameter(self, 'InfraConfigParam',
parameter_name='/infra/config',
string_value=json.dumps(self.to_dict()))
def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
super().__init__(scope, construct_id, **kwargs)
public_subnets = ec2.SubnetConfiguration(
name="Public",
subnet_type=ec2.SubnetType.PUBLIC,
cidr_mask=24)
tier2_subnets = ec2.SubnetConfiguration(
name="Tier2",
subnet_type=ec2.SubnetType.PRIVATE_ISOLATED,
cidr_mask=24)
# create VPC
vpc = ec2.Vpc(
self,
'AWS-Cookbook-VPC',
max_azs=2,
cidr='10.10.0.0/22',
subnet_configuration=[public_subnets, tier2_subnets]
)
tier2_subnet_list = vpc.select_subnets(subnet_group_name="Tier2")
# -------- Begin EC2 Helper ---------
vpc.add_interface_endpoint(
'VPCSSMInterfaceEndpoint',
service=ec2.InterfaceVpcEndpointAwsService('ssm'), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames'
private_dns_enabled=True,
subnets=ec2.SubnetSelection(
one_per_az=False,
subnet_type=ec2.SubnetType.PRIVATE_ISOLATED
),
)
vpc.add_interface_endpoint(
'VPCEC2MessagesInterfaceEndpoint',
service=ec2.InterfaceVpcEndpointAwsService('ec2messages'), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames'
private_dns_enabled=True,
subnets=ec2.SubnetSelection(
one_per_az=False,
subnet_type=ec2.SubnetType.PRIVATE_ISOLATED
),
)
vpc.add_interface_endpoint(
'VPCSSMMessagesInterfaceEndpoint',
service=ec2.InterfaceVpcEndpointAwsService('ssmmessages'), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames'
private_dns_enabled=True,
subnets=ec2.SubnetSelection(
one_per_az=False,
subnet_type=ec2.SubnetType.PRIVATE_ISOLATED
),
)
ami = ec2.MachineImage.latest_amazon_linux(
generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2,
edition=ec2.AmazonLinuxEdition.STANDARD,
virtualization=ec2.AmazonLinuxVirt.HVM,
storage=ec2.AmazonLinuxStorage.GENERAL_PURPOSE
)
iam_role = iam.Role(self, "InstanceSSM", assumed_by=iam.ServicePrincipal("ec2.amazonaws.com"))
iam_role.add_managed_policy(iam.ManagedPolicy.from_aws_managed_policy_name("service-role/AmazonEC2RoleforSSM"))
instance1 = ec2.Instance(
self,
"Instance1",
instance_type=ec2.InstanceType("t3.nano"),
machine_image=ami,
role=iam_role,
vpc=vpc,
vpc_subnets=ec2.SubnetSelection(
subnets=[tier2_subnet_list.subnets[0]]
)
)
instance2 = ec2.Instance(
self,
"Instance2",
instance_type=ec2.InstanceType("t3.nano"),
machine_image=ami,
role=iam_role,
vpc=vpc,
vpc_subnets=ec2.SubnetSelection(
subnets=[tier2_subnet_list.subnets[0]]
)
)
CfnOutput(
self,
'InstanceId1',
value=instance1.instance_id
)
CfnOutput(
self,
'InstanceId2',
value=instance2.instance_id
)
# -------- End EC2 Helper ---------
# outputs
CfnOutput(
self,
'VpcId',
value=vpc.vpc_id
)
public_subnets = vpc.select_subnets(subnet_type=ec2.SubnetType.PUBLIC)
CfnOutput(
self,
'VpcPublicSubnet1',
value=public_subnets.subnets[0].subnet_id
)
CfnOutput(
self,
'PrivateRtId1',
value=tier2_subnet_list.subnets[0].route_table.route_table_id
)
CfnOutput(
self,
'PrivateRtId2',
value=tier2_subnet_list.subnets[1].route_table.route_table_id
)
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
self.current_dir = os.path.dirname(__file__)
self.vpc = ec2.Vpc(self,
"VPC",
cidr="10.0.0.0/21",
max_azs=3,
subnet_configuration=[
ec2.SubnetConfiguration(
cidr_mask=28,
name="Database",
subnet_type=ec2.SubnetType.ISOLATED,
)
])
self.vpc.add_interface_endpoint(
"redshift_endpoint",
service=ec2.InterfaceVpcEndpointAwsService("redshift"))
self.vpc.add_interface_endpoint(
"rds_endpoint", service=ec2.InterfaceVpcEndpointAwsService("rds"))
self.redshift_secret = secrets.Secret(
self,
'redshift-admin',
secret_name='redshift-admin',
description=
"This secret has generated admin secret password for Redshift cluster",
generate_secret_string=secrets.SecretStringGenerator(
secret_string_template='{"username": "******"}',
generate_string_key='password',
password_length=32,
exclude_characters='"@\\\/',
exclude_punctuation=True))
self.redshift_cluster = redshift.Cluster(
self,
"datasource-redshift",
master_user=redshift.Login(
master_username="******",
master_password=self.redshift_secret.secret_value_from_json(
'password')),
vpc=self.vpc,
vpc_subnets=ec2.SubnetSelection(
subnet_type=ec2.SubnetType.ISOLATED))
self.rds_secret = secrets.Secret(
self,
'rds-admin',
secret_name='rds-admin',
description=
"This secret has generated admin secret password for RDS cluster",
generate_secret_string=secrets.SecretStringGenerator(
secret_string_template='{"username": "******"}',
generate_string_key='password',
password_length=32,
exclude_characters='"@\\\/',
exclude_punctuation=True))
self.rds_cluster = rds.DatabaseCluster(
self,
"datasource-rds",
engine=rds.DatabaseClusterEngine.aurora_mysql(
version=rds.AuroraMysqlEngineVersion.VER_2_08_1),
instance_props={
"vpc_subnets": {
"subnet_type": ec2.SubnetType.ISOLATED
},
"vpc": self.vpc
},
credentials=rds.Credentials.from_secret(self.rds_secret))
core.CfnOutput(self, "vpcId", value=self.vpc.vpc_id)
core.CfnOutput(self, "redshiftUsername", value="admin")
core.CfnOutput(self,
"redshiftPassword",
value=self.redshift_secret.secret_name)
core.CfnOutput(self,
"redshiftClusterId",
value=self.redshift_cluster.cluster_name)
core.CfnOutput(self,
"redshiftHost",
value=self.redshift_cluster.cluster_endpoint.hostname)
core.CfnOutput(self, "redshiftDB", value="dev")
core.CfnOutput(self, "rdsUsername", value="admin")
core.CfnOutput(self, "rdsPassword", value=self.rds_secret.secret_name)
core.CfnOutput(self,
"rdsClusterId",
value=self.rds_cluster.cluster_identifier)
core.CfnOutput(self, "namespace", value="default")
core.CfnOutput(self, "version", value="1")
def __init__(self, scope: cdk.Construct, construct_id: str,
**kwargs) -> None:
super().__init__(scope, construct_id, **kwargs)
# Create a VPC (2 AZ, each with private + public subnets and all the required components)
vpc = ec2.Vpc(self, "Target_VPC", cidr="10.0.0.0/16")
# Sec Grp
sg = ec2.SecurityGroup(self,
'SecurityGroup',
vpc=vpc,
allow_all_outbound=True,
security_group_name="VpcEndpoint_sg")
sg.add_ingress_rule(ec2.Peer.any_ipv4(), ec2.Port.tcp(443))
#VPC endpoit
vpc_endpoint = ec2.InterfaceVpcEndpoint(
self,
'ApiVpcEndpoint',
vpc=vpc,
private_dns_enabled=True,
security_groups=[sg],
service=ec2.InterfaceVpcEndpointAwsService(name="execute-api",
port=443))
handler = lambda_.Function(
self,
"sayHi_fn",
runtime=lambda_.Runtime.NODEJS_14_X,
code=lambda_.Code.from_asset("resources/lambda"),
handler="app.main")
"""
api = apigateway.RestApi(self, "sayHi_api",
rest_api_name="Say Hi API",
description="This service greets"
)
integration = apigateway.LambdaIntegration(handler,
request_templates={"application/json": '{ "statusCode": "200" }'}
)
api.root.add_method("GET", integration)
"""
apigateway.LambdaRestApi(
self,
"sayHiPrivateLambdaRestAPI",
endpoint_types=[apigateway.EndpointType.PRIVATE],
handler=handler,
policy=iam.PolicyDocument(statements=[
iam.PolicyStatement(principals=[iam.AnyPrincipal()],
actions=['execute-api:Invoke'],
resources=['execute-api:/*'],
effect=iam.Effect.DENY,
conditions={
"StringNotEquals": {
"aws:SourceVpce":
vpc_endpoint.vpc_endpoint_id
}
}),
iam.PolicyStatement(principals=[iam.AnyPrincipal()],
actions=['execute-api:Invoke'],
resources=['execute-api:/*'],
effect=iam.Effect.ALLOW)
]))
def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
super().__init__(scope, construct_id, **kwargs)
# create s3 bucket
s3_Bucket = s3.Bucket(self,
"AWS-Cookbook-Recipe209",
removal_policy=RemovalPolicy.DESTROY)
aws_s3_deployment.BucketDeployment(
self,
'S3Deployment',
destination_bucket=s3_Bucket,
sources=[aws_s3_deployment.Source.asset("./s3_content")],
retain_on_delete=False)
isolated_subnets = ec2.SubnetConfiguration(
name="ISOLATED",
subnet_type=ec2.SubnetType.PRIVATE_ISOLATED,
cidr_mask=24)
# create VPC
vpc = ec2.Vpc(self,
'AWS-Cookbook-VPC',
cidr='10.10.0.0/23',
subnet_configuration=[isolated_subnets])
vpc.add_interface_endpoint(
'VPC1SSMInterfaceEndpoint',
service=ec2.InterfaceVpcEndpointAwsService(
'ssm'
), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames'
private_dns_enabled=True,
subnets=ec2.SubnetSelection(
one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED),
)
vpc.add_interface_endpoint(
'VPC1EC2MessagesInterfaceEndpoint',
service=ec2.InterfaceVpcEndpointAwsService(
'ec2messages'
), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames'
private_dns_enabled=True,
subnets=ec2.SubnetSelection(
one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED),
)
vpc.add_interface_endpoint(
'VPC1SSMMessagedInterfaceEndpoint',
service=ec2.InterfaceVpcEndpointAwsService(
'ssmmessages'
), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames'
private_dns_enabled=True,
subnets=ec2.SubnetSelection(
one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED),
)
ami = ec2.MachineImage.latest_amazon_linux(
generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2,
edition=ec2.AmazonLinuxEdition.STANDARD,
virtualization=ec2.AmazonLinuxVirt.HVM,
storage=ec2.AmazonLinuxStorage.GENERAL_PURPOSE)
iam_role = iam.Role(
self,
"InstanceSSM",
assumed_by=iam.ServicePrincipal("ec2.amazonaws.com"))
iam_role.add_managed_policy(
iam.ManagedPolicy.from_aws_managed_policy_name(
"service-role/AmazonEC2RoleforSSM"))
instance = ec2.Instance(
self,
"Instance",
instance_type=ec2.InstanceType("t3.nano"),
machine_image=ami,
role=iam_role,
vpc=vpc,
)
# Grant the EC2 Instance access to the s3 bucket by adding an IAM policy to the role
instance.add_to_role_policy(
iam.PolicyStatement(effect=iam.Effect.ALLOW,
resources=[s3_Bucket.bucket_arn + '/*'],
actions=["s3:*"]))
# outputs
CfnOutput(self, 'VpcId', value=vpc.vpc_id)
CfnOutput(self, 'InstanceId', value=instance.instance_id)
isolated_subnets_list = vpc.select_subnets(
subnet_type=ec2.SubnetType.PRIVATE_ISOLATED)
CfnOutput(
self,
'RtId1',
value=isolated_subnets_list.subnets[0].route_table.route_table_id)
CfnOutput(
self,
'RtId2',
value=isolated_subnets_list.subnets[1].route_table.route_table_id)
CfnOutput(self, 'BucketName', value=s3_Bucket.bucket_name)
def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
super().__init__(scope, construct_id, **kwargs)
# create s3 bucket
s3_Bucket = s3.Bucket(self,
"AWS-Cookbook-Recipe-407",
removal_policy=RemovalPolicy.DESTROY)
aws_s3_deployment.BucketDeployment(
self,
'S3Deployment',
destination_bucket=s3_Bucket,
sources=[aws_s3_deployment.Source.asset("./s3_content")],
retain_on_delete=False)
isolated_subnets = ec2.SubnetConfiguration(
name="ISOLATED",
subnet_type=ec2.SubnetType.PRIVATE_ISOLATED,
cidr_mask=24)
# create VPC
vpc = ec2.Vpc(self,
'AWS-Cookbook-VPC',
cidr='10.10.0.0/23',
subnet_configuration=[isolated_subnets])
vpc.add_interface_endpoint(
'VPCSSMInterfaceEndpoint',
service=ec2.InterfaceVpcEndpointAwsService(
'ssm'
), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames'
private_dns_enabled=True,
subnets=ec2.SubnetSelection(
one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED),
)
vpc.add_interface_endpoint(
'VPCEC2MessagesInterfaceEndpoint',
service=ec2.InterfaceVpcEndpointAwsService(
'ec2messages'
), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames'
private_dns_enabled=True,
subnets=ec2.SubnetSelection(
one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED),
)
vpc.add_interface_endpoint(
'VPCSSMMessagedInterfaceEndpoint',
service=ec2.InterfaceVpcEndpointAwsService(
'ssmmessages'
), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames'
private_dns_enabled=True,
subnets=ec2.SubnetSelection(
one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED),
)
vpc.add_interface_endpoint(
'VPCSecretsManagerInterfaceEndpoint',
service=ec2.InterfaceVpcEndpointAwsService(
'secretsmanager'
), # Find names with - aws ec2 describe-vpc-endpoint-services | jq '.ServiceNames'
private_dns_enabled=True,
subnets=ec2.SubnetSelection(
one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED),
)
vpc.add_gateway_endpoint(
's3GateWayEndPoint',
service=ec2.GatewayVpcEndpointAwsService('s3'),
subnets=[
ec2.SubnetSelection(
subnet_type=ec2.SubnetType.PRIVATE_ISOLATED)
],
)
ami = ec2.MachineImage.latest_amazon_linux(
generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2,
edition=ec2.AmazonLinuxEdition.STANDARD,
virtualization=ec2.AmazonLinuxVirt.HVM,
storage=ec2.AmazonLinuxStorage.GENERAL_PURPOSE)
iam_role = iam.Role(
self,
"InstanceSSM",
assumed_by=iam.ServicePrincipal("ec2.amazonaws.com"))
iam_role.add_managed_policy(
iam.ManagedPolicy.from_aws_managed_policy_name(
"service-role/AmazonEC2RoleforSSM"))
instance = ec2.Instance(
self,
"Instance",
instance_type=ec2.InstanceType("t3.nano"),
machine_image=ami,
role=iam_role,
vpc=vpc,
)
subnet_group = rds.SubnetGroup(
self,
'rds_subnet_group',
description='VPC Subnet Group for RDS',
vpc=vpc,
vpc_subnets=ec2.SubnetSelection(
one_per_az=False, subnet_type=ec2.SubnetType.PRIVATE_ISOLATED))
source_rds_security_group = ec2.SecurityGroup(
self,
'source_rds_security_group',
description='Security Group for the Source RDS Instance',
allow_all_outbound=True,
vpc=vpc)
source_db_name = 'AWSCookbookRecipe407Source'
source_rds_instance = rds.DatabaseInstance(
self,
'source_rds_instance',
engine=rds.DatabaseInstanceEngine.mysql(
version=rds.MysqlEngineVersion.VER_5_7_33),
instance_type=ec2.InstanceType("m5.large"),
vpc=vpc,
multi_az=False,
database_name=source_db_name,
instance_identifier='awscookbook407SourceDb',
delete_automated_backups=True,
deletion_protection=False,
# iam_authentication=
removal_policy=RemovalPolicy.DESTROY,
allocated_storage=8,
subnet_group=subnet_group,
security_groups=[source_rds_security_group])
source_rds_instance.connections.allow_from(instance.connections,
ec2.Port.tcp(3306),
"Ingress")
target_rds_security_group = ec2.SecurityGroup(
self,
'target_rds_security_group',
description='Security Group for the Target RDS Instance',
allow_all_outbound=True,
vpc=vpc)
target_db_name = 'AWSCookbookRecipe407Target'
target_rds_instance = rds.DatabaseInstance(
self,
'target_rds_instance',
engine=rds.DatabaseInstanceEngine.mysql(
version=rds.MysqlEngineVersion.VER_5_7_26),
instance_type=ec2.InstanceType("m5.large"),
vpc=vpc,
multi_az=False,
database_name=target_db_name,
instance_identifier='awscookbook407TargetDb',
delete_automated_backups=True,
deletion_protection=False,
# iam_authentication=
removal_policy=RemovalPolicy.DESTROY,
allocated_storage=8,
subnet_group=subnet_group,
security_groups=[target_rds_security_group])
target_rds_instance.connections.allow_from(instance.connections,
ec2.Port.tcp(3306),
"Ingress")
# mkdir -p lambda-layers/sqlparse/python
# cd layers/sqlparse/python
# pip install sqlparse --target="."
# cd ../../../
# create Lambda Layer
sqlparse = aws_lambda.LayerVersion(
self,
"sqlparse",
code=aws_lambda.AssetCode('lambda-layers/sqlparse'),
compatible_runtimes=[aws_lambda.Runtime.PYTHON_3_8],
description="sqlparse",
license=
"https://github.com/andialbrecht/sqlparse/blob/master/LICENSE")
pymysql = aws_lambda.LayerVersion(
self,
"pymysql",
code=aws_lambda.AssetCode('lambda-layers/pymysql'),
compatible_runtimes=[aws_lambda.Runtime.PYTHON_3_8],
description="pymysql",
license="MIT")
smartopen = aws_lambda.LayerVersion(
self,
"smartopen",
code=aws_lambda.AssetCode('lambda-layers/smart_open'),
compatible_runtimes=[aws_lambda.Runtime.PYTHON_3_8],
description="smartopen",
license="MIT")
lambda_function = aws_lambda.Function(
self,
'LambdaRDS',
code=aws_lambda.AssetCode("./mysql-lambda/"),
handler="lambda_function.lambda_handler",
environment={
"DB_SECRET_ARN": source_rds_instance.secret.secret_arn,
"S3_BUCKET": s3_Bucket.bucket_name
},
layers=[sqlparse, pymysql, smartopen],
memory_size=1024,
runtime=aws_lambda.Runtime.PYTHON_3_8,
timeout=Duration.seconds(600),
vpc=vpc,
vpc_subnets=ec2.SubnetSelection(
subnet_type=ec2.SubnetType.PRIVATE_ISOLATED))
source_rds_instance.secret.grant_read(lambda_function)
source_rds_instance.connections.allow_from(lambda_function.connections,
ec2.Port.tcp(3306),
"Ingress")
s3_Bucket.grant_read(lambda_function)
# outputs
CfnOutput(self, 'VpcId', value=vpc.vpc_id)
CfnOutput(self, 'InstanceId', value=instance.instance_id)
CfnOutput(self,
'SourceRdsDatabaseId',
value=source_rds_instance.instance_identifier)
CfnOutput(self,
'SourceRdsSecurityGroup',
value=source_rds_security_group.security_group_id)
CfnOutput(self, 'SourceDbName', value=source_db_name)
CfnOutput(self,
'SourceRdsSecretArn',
value=source_rds_instance.secret.secret_full_arn)
CfnOutput(self,
'SourceRdsEndpoint',
value=source_rds_instance.db_instance_endpoint_address)
CfnOutput(self,
'TargetRdsDatabaseId',
value=target_rds_instance.instance_identifier)
CfnOutput(self,
'TargetRdsSecurityGroup',
value=target_rds_security_group.security_group_id)
CfnOutput(self, 'TargetDbName', value=target_db_name)
CfnOutput(self,
'TargetRdsSecretArn',
value=target_rds_instance.secret.secret_full_arn)
CfnOutput(self,
'TargetRdsEndpoint',
value=target_rds_instance.db_instance_endpoint_address)
isolated_subnets = vpc.select_subnets(
subnet_type=ec2.SubnetType.PRIVATE_ISOLATED)
CfnOutput(self,
'IsolatedSubnets',
value=', '.join(map(str, isolated_subnets.subnet_ids)))
CfnOutput(self, 'LambdaArn', value=lambda_function.function_arn)
CfnOutput(self,
'RdsSourceSecretName',
value=source_rds_instance.secret.secret_name)
CfnOutput(self,
'RdsTargetSecretName',
value=target_rds_instance.secret.secret_name)
