def configure_load_balancers(self, vpc: ec2.Vpc, publoadbal: elbv2.ApplicationLoadBalancer): tgroups = {} hc = elbv2.HealthCheck() hc['intervalSecs'] = 10 hc['protocol'] = elbv2.ApplicationProtocol.Http hc['healthyThresholdCount'] = 10 hc['unhealthyThresholdCount'] = 10 hc['timeoutSeconds'] = 5 hc['path'] = '/' targetgroups = [ {'name': 'grafana', 'httpcode': '302', 'port': 3000}, {'name': 'prometheus', 'httpcode': '405', 'port': 9090}, {'name': 'colorgateway', 'httpcode': '200', 'port': 9080}] for tgs in targetgroups: tgname = tgs['name'] code = tgs['httpcode'] port = tgs['port'] hc['healthyHttpCodes'] = code atg = elbv2.ApplicationTargetGroup(self, id=tgname + 'TargetGroup', protocol=elbv2.ApplicationProtocol.Http, port=port, deregistration_delay_sec=30, vpc=vpc, target_group_name='appmeshdemo-' + tgname + '-1', health_check=hc, target_type=elbv2.TargetType.Ip) lbl = elbv2.ApplicationListener(self, tgname + 'LoadBalancerListener', port=port, protocol=elbv2.ApplicationProtocol.Http, default_target_groups=[atg], load_balancer=publoadbal) elbv2.ApplicationListenerRule(self, tgname + 'LoadBalancerRule', listener=lbl, target_groups=[atg], priority=1, path_pattern='*') tgroups[tgname] = atg return tgroups
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: super().__init__(scope, id, **kwargs) # The code that defines your stack goes here # Create a VPC myvpc = ec2.Vpc(self, "CDKVPC", cidr=vars.cidr) # SG for ELB creation websitefrontendSG = ec2.SecurityGroup( self, 'websitefrontendSG', vpc=myvpc, security_group_name='websitefrontendSG') websitefrontendSG.add_ingress_rule(peer=ec2.Peer.ipv4('0.0.0.0/0'), connection=ec2.Port.tcp(80)) websitefrontendSG.add_ingress_rule(peer=ec2.Peer.ipv4('0.0.0.0/0'), connection=ec2.Port.tcp(443)) # Create ALB in VPC alb = elb.ApplicationLoadBalancer( self, 'websitefrontend-public', vpc=myvpc, load_balancer_name='websitefrontend-public', security_group=websitefrontendSG, internet_facing=True) # Add target group to ALB catalogtargetgroup = elb.ApplicationTargetGroup( self, 'CatalogTargetGroup', port=80, vpc=myvpc, target_type=elb.TargetType.IP) if not vars.sslcert: # Add http listener to ALB alblistenerhttp = elb.ApplicationListener( self, 'alblistenerhttp', load_balancer=alb, default_target_groups=[catalogtargetgroup], port=80) if vars.sslcert: # Add http listener to ALB alblistenerhttp = elb.ApplicationListener(self, 'alblistenerhttp', load_balancer=alb, port=80) elb.ApplicationListenerRule(self, 'httpredirectionrule', listener=alblistenerhttp, redirect_response=elb.RedirectResponse( status_code='HTTP_301', port='443', protocol='HTTPS')) # OPTIONAL - Add https listener to ALB & attach certificate alblistenerhttps = elb.ApplicationListener( self, 'alblistenerhttps', load_balancer=alb, default_target_groups=[catalogtargetgroup], port=443, certificate_arns=[vars.sslcert_arn]) # OPTIONAL - Redirect HTTP to HTTPS alblistenerhttp.add_redirect_response(id='redirectionrule', port='443', status_code='HTTP_301', protocol='HTTPS') if vars.customdomain: # OPTIONAL - Update DNS with ALB webshopxyz_zone = r53.HostedZone.from_hosted_zone_attributes( self, id='customdomain', hosted_zone_id=vars.hosted_zone_id, zone_name=vars.zone_name) webshop_root_record = r53.ARecord( self, 'ALBAliasRecord', zone=webshopxyz_zone, target=r53.RecordTarget.from_alias( alias.LoadBalancerTarget(alb))) # SG for ECS creation ECSSG = ec2.SecurityGroup(self, 'ECSSecurityGroup', vpc=myvpc, security_group_name='ECS') ECSSG.add_ingress_rule(peer=websitefrontendSG, connection=ec2.Port.tcp(80)) # SG for MySQL creation MySQLSG = ec2.SecurityGroup(self, 'DBSecurityGroup', vpc=myvpc, security_group_name='DB') MySQLSG.add_ingress_rule(peer=ECSSG, connection=ec2.Port.tcp(3306)) # Create DB subnet group subnetlist = [] for subnet in myvpc.private_subnets: subnetlist.append(subnet.subnet_id) subnetgr = rds.CfnDBSubnetGroup( self, 'democlustersubnetgroup', db_subnet_group_name='democlustersubnetgroup', db_subnet_group_description='DemoCluster', subnet_ids=subnetlist) # Create secret db passwd secret = sm.SecretStringGenerator( exclude_characters="\"'@/\\", secret_string_template='{"username": "******"}', generate_string_key='password', password_length=40) dbpass = sm.Secret(self, 'democlusterpass', secret_name='democlusterpass', generate_secret_string=secret) # Create Aurora serverless MySQL instance dbcluster = rds.CfnDBCluster( self, 'DemoCluster', engine='aurora', engine_mode='serverless', engine_version='5.6', db_cluster_identifier='DemoCluster', master_username=dbpass.secret_value_from_json( 'username').to_string(), master_user_password=dbpass.secret_value_from_json( 'password').to_string(), storage_encrypted=True, port=3306, vpc_security_group_ids=[MySQLSG.security_group_id], scaling_configuration=rds.CfnDBCluster. ScalingConfigurationProperty(auto_pause=True, max_capacity=4, min_capacity=1, seconds_until_auto_pause=300), db_subnet_group_name=subnetgr.db_subnet_group_name) dbcluster.add_override('DependsOn', 'democlustersubnetgroup') # Attach database to secret attach = sm.CfnSecretTargetAttachment( self, 'RDSAttachment', secret_id=dbpass.secret_arn, target_id=dbcluster.ref, target_type='AWS::RDS::DBCluster') # Upload image into ECR repo ecrdemoimage = ecra.DockerImageAsset(self, 'ecrdemoimage', directory='../', repository_name='demorepo', exclude=['cdk.out']) # Create ECS fargate cluster ecscluster = ecs.Cluster(self, "ecsCluster", vpc=myvpc) # Create task role for productsCatalogTask getsecretpolicystatement = iam.PolicyStatement(actions=[ "secretsmanager:GetResourcePolicy", "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret", "secretsmanager:ListSecretVersionIds" ], resources=[ dbpass.secret_arn ], effect=iam.Effect.ALLOW) getsecretpolicydocument = iam.PolicyDocument( statements=[getsecretpolicystatement]) taskrole = iam.Role( self, 'TaskRole', assumed_by=iam.ServicePrincipal('ecs-tasks.amazonaws.com'), role_name='TaskRoleforproductsCatalogTask', inline_policies=[getsecretpolicydocument]) # Create task definition taskdefinition = ecs.FargateTaskDefinition(self, 'productsCatalogTask', cpu=1024, memory_limit_mib=2048, task_role=taskrole) # Add container to task definition productscatalogcontainer = taskdefinition.add_container( 'productscatalogcontainer', image=ecs.ContainerImage.from_docker_image_asset( asset=ecrdemoimage), environment={ "region": vars.region, "secretname": "democlusterpass" }) productscatalogcontainer.add_port_mappings( ecs.PortMapping(container_port=80, host_port=80)) # Create service and associate it with the cluster catalogservice = ecs.FargateService( self, 'catalogservice', task_definition=taskdefinition, assign_public_ip=False, security_group=ECSSG, vpc_subnets=ec2.SubnetSelection(subnets=myvpc.select_subnets( subnet_type=ec2.SubnetType.PRIVATE).subnets), cluster=ecscluster, desired_count=2) # Add autoscaling to the service scaling = catalogservice.auto_scale_task_count(max_capacity=20, min_capacity=1) scaling.scale_on_cpu_utilization( 'ScaleOnCPU', target_utilization_percent=70, scale_in_cooldown=core.Duration.seconds(amount=1), scale_out_cooldown=core.Duration.seconds(amount=0)) # Associate the fargate service with load balancer targetgroup catalogservice.attach_to_application_target_group(catalogtargetgroup)
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: super().__init__(scope, id, **kwargs) # Set up VPC vpc = ec2.Vpc(self, 'CDKVPC', cidr=config['cidr']) # SG for ELB webSG = ec2.SecurityGroup(self, 'webSG', vpc=vpc, security_group_name='WebSG') webSG.add_ingress_rule(peer=ec2.Peer.ipv4('0.0.0.0/0'), connection=ec2.Port.tcp(80)) webSG.add_ingress_rule(peer=ec2.Peer.ipv4('0.0.0.0/0'), connection=ec2.Port.tcp(443)) # Create ALB alb = elb.ApplicationLoadBalancer(self, 'webALB-public', vpc=vpc, load_balancer_name='webALB-public', security_group=webSG, internet_facing=True) # Add listener at port 80 with default action alblistener = alb.add_listener( 'webALB-Listener', port=80, open=True, default_action=elb.ListenerAction.fixed_response( status_code=200, content_type='text/plain', message_body='default action')) # SG for ECS Fargate fargateSG = ec2.SecurityGroup(self, 'fargateSG', vpc=vpc, security_group_name='FargateSG') fargateSG.add_ingress_rule(peer=webSG, connection=ec2.Port.tcp(80)) fargateSG.add_ingress_rule(peer=fargateSG, connection=ec2.Port.tcp(80)) # Create fargate cluster fargate_cluster = ecs.Cluster( self, 'FargateCluster', vpc=vpc, cluster_name='FargateCluster', ) # Set up service discovery namespace = sd.PrivateDnsNamespace( self, 'PrivateDNSNamespace', name=config['service_discovery_namespace'], vpc=vpc) # Create fargate resources for each microservice for indx, s in enumerate(config['services']): # Create task definition and add the container from the repo task_definition = ecs.FargateTaskDefinition( self, 'ServiceTaskDefinition' + str(indx), cpu=1024, memory_limit_mib=2048) cont = task_definition.add_container( 'ServiceContainer' + str(indx), image=ecs.ContainerImage.from_registry(s['repo']), environment={"REGION": config['region']}) cont.add_port_mappings( ecs.PortMapping(container_port=80, host_port=80)) # Create service in private subnets service = ecs.FargateService( self, 'ServiceFargateService' + str(indx), task_definition=task_definition, assign_public_ip=False, security_group=fargateSG, vpc_subnets=ec2.SubnetSelection(subnets=vpc.select_subnets( subnet_type=ec2.SubnetType.PRIVATE).subnets), cluster=fargate_cluster, desired_count=s['num_tasks']) service.enable_cloud_map(cloud_map_namespace=namespace, dns_record_type=sd.DnsRecordType.SRV, name=s['service_discovery_service_name']) # Set up ALB target group and set Fargate service as target target_group = elb.ApplicationTargetGroup( self, 'ServiceTargetGroup' + str(indx), port=80, vpc=vpc, target_type=elb.TargetType.IP, target_group_name=s['service_name'] + 'TargetGroup', targets=[ service.load_balancer_target( container_name='ServiceContainer' + str(indx), container_port=80) ]) # Add the path pattern rule for the listener alblistenerrule = elb.ApplicationListenerRule( self, 'ListenerRule' + str(indx), path_pattern=s['alb_routing_path'], priority=indx + 1, listener=alblistener, target_groups=[target_group])
def createResources(self, ns): # Attach ALB to ECS Service be_health_check = elbv2.HealthCheck(interval=core.Duration.seconds(60), path="/ping", timeout=core.Duration.seconds(5)) self.bentoALB.add_redirect( source_protocol=elbv2.ApplicationProtocol.HTTP, source_port=80, target_protocol=elbv2.ApplicationProtocol.HTTPS, target_port=443) # Get certificate ARN for specified domain name client = boto3.client('acm') response = client.list_certificates(CertificateStatuses=[ 'ISSUED', ], ) for cert in response["CertificateSummaryList"]: if ('*.{}'.format(self.config[ns]['domain_name']) in cert.values()): certARN = cert['CertificateArn'] bento_cert = cfm.Certificate.from_certificate_arn( self, "bento-cert", certificate_arn=certARN) listener = self.bentoALB.add_listener("PublicListener", certificates=[bento_cert], port=443) frontendtarget = listener.add_targets( "ECS-frontend-Target", port=int(self.config[ns]['frontend_container_port']), targets=[self.frontendService], target_group_name="{}-frontend".format(ns)) core.Tags.of(frontendtarget).add("Name", "{}-frontend-alb-target".format(ns)) backendtarget = listener.add_targets( "ECS-backend-Target", port=int(self.config[ns]['backend_container_port']), targets=[self.backendService], health_check=be_health_check, target_group_name="{}-backend".format(ns)) core.Tags.of(backendtarget).add("Name", "{}-backend-alb-target".format(ns)) # Add a fixed error message when browsing an invalid URL listener.add_action( "ECS-Content-Not-Found", action=elbv2.ListenerAction.fixed_response( 200, message_body="The requested resource is not available")) elbv2.ApplicationListenerRule(self, id="alb_frontend_rule", path_pattern="/*", priority=1, listener=listener, target_groups=[frontendtarget]) elbv2.ApplicationListenerRule(self, id="alb_backend_rule", path_pattern="/v1/graphql/*", priority=2, listener=listener, target_groups=[backendtarget])
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: super().__init__(scope, id, **kwargs) #arn = elbv2.ApplicationListener.from_application_listener_attributes(self, "test", listener_arn=) # importing security Group from exesting resources mysg = ec2.SecurityGroup.from_security_group_id( self, "sg", security_group_id=data['security_grp']) # importting Vpc from exesting resources vpc = ec2.Vpc.from_lookup(self, "VPC", vpc_id=data['vpc_id']) # creating loadbalancer woth exesting resources lb = elbv2.ApplicationLoadBalancer( self, "LB", vpc=vpc, security_group=mysg, internet_facing=True, load_balancer_name="myloadbalancer", vpc_subnets=ec2.SubnetSelection( availability_zones=["ap-south-1a", "ap-south-1b"], one_per_az=True)) # creating Target Group1 mytarget_group = elbv2.ApplicationTargetGroup( self, "targetGroup", target_group_name="mytarget-group", protocol=elbv2.ApplicationProtocol.HTTP, target_type=elbv2.TargetType.INSTANCE, port=80, vpc=vpc, health_check=elbv2.HealthCheck(enabled=True, healthy_http_codes="200", path="/", port="80")) # creating target group 2 mytarget_group2 = elbv2.ApplicationTargetGroup( self, "targetGroup2", target_group_name="mytarget-group2", protocol=elbv2.ApplicationProtocol.HTTP, target_type=elbv2.TargetType.INSTANCE, port=80, vpc=vpc, health_check=elbv2.HealthCheck(enabled=True, healthy_http_codes="200", path="/home", port="80")) # adding a loadbalancer default listener listener = lb.add_listener("listener", port=80, default_target_groups=[mytarget_group]) # adding loadbalancer listener Rule if version == "versionone": slect_target = mytarget_group else: slect_target = mytarget_group2 listenerRule = elbv2.ApplicationListenerRule( self, "listenerRule", listener=listener, priority=1, path_pattern="/home", target_groups=[slect_target]) # Output the DNS name of loadbalancer output_1 = core.CfnOutput(self, "mybucketoutput1", value=lb.load_balancer_dns_name, export_name="mybucketoutput1") core.Tag.add(lb, "Name", "naresh")