def __init__(self, scope: core.Construct, id: str, vpc: ec2.IVpc,
**kwargs) -> None:
super().__init__(scope, id, **kwargs)
role = iam.Role(
self,
'Ec2Role',
assumed_by=iam.ServicePrincipal('ec2.amazonaws.com'),
managed_policies=[
iam.ManagedPolicy.from_aws_managed_policy_name(
'AmazonSSMManagedInstanceCore'),
],
)
sg = ec2.SecurityGroup(
self,
'SecurityGroup',
vpc=vpc,
)
# TODO: add this to userdata
# yum install java-1.8.0-devel -y
# wget https://archive.apache.org/dist/tinkerpop/3.4.1/apache-tinkerpop-gremlin-console-3.4.1-bin.zip
# unzip apache-tinkerpop-gremlin-console-3.4.1-bin.zip
# cd apache-tinkerpop-gremlin-console-3.4.1
# wget https://www.amazontrust.com/repository/SFSRootCAG2.pem
ec2.Instance(
self,
'Instance',
role=role,
vpc=vpc,
security_group=sg,
instance_type=ec2.InstanceType.of(
instance_class=ec2.InstanceClass.BURSTABLE3_AMD,
instance_size=ec2.InstanceSize.NANO,
),
machine_image=ec2.AmazonLinuxImage(
generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2, ),
)
self.role = role
self.security_group = sg
def __init__(self, scope: core.Construct, id: str, vpc: ec2.IVpc,
config: dict, region: str, **kwargs):
super().__init__(scope, id, **kwargs)
### EC2 Server for Jenkins
image = ec2.GenericLinuxImage({
region: config["ami_id"],
}, )
role = iam.Role(self,
"InstanceSSM",
assumed_by=iam.ServicePrincipal("ec2.amazonaws.com"))
role.add_managed_policy(
iam.ManagedPolicy.from_aws_managed_policy_name(
"service-role/AmazonEC2RoleforSSM"))
subnet = vpc.select_subnets(
subnet_type=ec2.SubnetType.PRIVATE).subnets[0]
subnet_selection = ec2.SubnetSelection(subnets=[subnet])
self.security_group = ec2.SecurityGroup(self, "EC2SG", vpc=vpc)
self._instance = ec2.Instance(self,
"EC2",
instance_type=ec2.InstanceType(
config["instance_type"]),
machine_image=image,
vpc=vpc,
vpc_subnets=subnet_selection,
role=role,
security_group=self.security_group)
### Lambda for github webhooks
self._webhook_forwarder = _lambda.Function(
self,
"WebHookForwarder",
runtime=_lambda.Runtime.PYTHON_3_8,
code=_lambda.Code.from_asset(
os.path.join(dirname, "lambda", "webhook_forwarder")),
handler="lambda_function.lambda_handler",
vpc=vpc,
vpc_subnets=ec2.SubnetSelection(subnets=vpc.select_subnets(
subnet_type=ec2.SubnetType.PRIVATE).subnets))
def __init__(self,
scope,
id,
*,
name=None,
directory=None,
bucket=None,
key=None) -> None:
super().__init__(scope, id)
# ==================================================
# ================= IAM ROLE =======================
# ==================================================
lambda_role = iam.Role(
scope=self,
id='lambda_role',
assumed_by=iam.ServicePrincipal(service='lambda.amazonaws.com'),
managed_policies=[
iam.ManagedPolicy.from_aws_managed_policy_name(
'AWSLambdaExecute')
])
# ==================================================
# =================== ECR IMAGE ====================
# ==================================================
ecr_image = aws_lambda.DockerImageCode.from_image_asset(
repository_name=name, directory=directory)
# ==================================================
# ================ LAMBDA FUNCTION =================
# ==================================================
self.lambda_function = aws_lambda.DockerImageFunction(
scope=self,
id='lambda',
function_name=name,
code=ecr_image,
memory_size=1024,
role=lambda_role,
environment={
'BUCKET': bucket,
'KEY': key
},
timeout=core.Duration.seconds(60))
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
# VPC
vpc = ec2.Vpc(self, "VPC",
nat_gateways=0,
subnet_configuration=[ec2.SubnetConfiguration(name="public",subnet_type=ec2.SubnetType.PUBLIC)]
)
# AMI
amzn_linux = ec2.MachineImage.latest_amazon_linux(
generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2,
edition=ec2.AmazonLinuxEdition.STANDARD,
virtualization=ec2.AmazonLinuxVirt.HVM,
storage=ec2.AmazonLinuxStorage.GENERAL_PURPOSE
)
# Instance Role and SSM Managed Policy
role = iam.Role(self, "InstanceSSM", assumed_by=iam.ServicePrincipal("ec2.amazonaws.com"))
role.add_managed_policy(iam.ManagedPolicy.from_aws_managed_policy_name("AmazonSSMManagedInstanceCore"))
# Instance
instance = ec2.Instance(self, "Instance",
instance_type=ec2.InstanceType("t3.nano"),
machine_image=amzn_linux,
vpc = vpc,
role = role
)
# Script in S3 as Asset
asset = Asset(self, "Asset", path=os.path.join(dirname, "configure.sh"))
local_path = instance.user_data.add_s3_download_command(
bucket=asset.bucket,
bucket_key=asset.s3_object_key
)
# Userdata executes script from S3
instance.user_data.add_execute_file_command(
file_path=local_path
)
asset.grant_read(instance.role)
def _create_lambda(self):
role = iam.Role(
self,
"LambdaPrepareDbRole",
assumed_by=iam.ServicePrincipal("lambda.amazonaws.com"),
description="Role for Lambda preparing RDS",
role_name=f"{self.name_prefix}-lambda-prepare-db-role",
managed_policies=[
#iam.ManagedPolicy.from_aws_managed_policy_name("AWSLambdaBasicExecutionRole"),
iam.ManagedPolicy.from_aws_managed_policy_name(
"service-role/AWSLambdaVPCAccessExecutionRole"),
iam.ManagedPolicy.from_aws_managed_policy_name(
"SecretsManagerReadWrite"),
],
)
lambda_function_id = f"{self.name_prefix}-prepare_db_function"
lambda_function_path = str(pathlib.Path(
__file__).resolve().parent) + "/lambdafn/prepare_db_function/"
lambda_layer_path = str(pathlib.Path(
__file__).resolve().parent) + "/lambdafn/lambda_layer/"
layer = aws_lambda.LayerVersion(
self, 'Layer', code=aws_lambda.AssetCode(lambda_layer_path))
lambda_fn = aws_lambda.Function(
scope=self,
id=lambda_function_id,
function_name=lambda_function_id,
code=aws_lambda.AssetCode(path=lambda_function_path),
handler="lambda_handler.lambda_handler",
layers=[layer],
timeout=Duration.seconds(300),
runtime=aws_lambda.Runtime.PYTHON_3_7,
role=role,
description="write some description for this lambda",
security_groups=[self.security_group],
vpc=self.vpc,
vpc_subnets=self.subnet_selection)
lambda_fn.add_environment('SECRETS_NAME', self.rds.secret.secret_arn)
lambda_fn.add_environment('REGION_NAME', self.region)
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
# Create ECR Repository
ghost_repo = ecr.Repository(
self, "GhostRepo",
repository_name="ghost"
)
# Create IAM Role For CodeBuild
ghost_build_role = iam.Role(
self, "GhostBuildRole",
assumed_by=iam.ServicePrincipal("codebuild.amazonaws.com"),
managed_policies=[
iam.ManagedPolicy.from_aws_managed_policy_name("EC2InstanceProfileForImageBuilderECRContainerBuilds")
]
)
# We only want to fire on the master branch and if there is a change in the dockerbuild folder
git_hub_source = codebuild.Source.git_hub(
owner="jasonumiker",
repo="k8s-plus-aws-gitops",
webhook=True,
webhook_filters=[
codebuild.FilterGroup.in_event_of(codebuild.EventAction.PUSH).and_branch_is("master").and_file_path_is("dockerbuild/*")
]
)
# Create CodeBuild
build_project = codebuild.Project(
self, "GhostBuildProject",
source=git_hub_source,
role=ghost_build_role,
build_spec=codebuild.BuildSpec.from_source_filename("dockerbuild/buildspec.yml"),
environment={
'privileged': True,
},
environment_variables={
'AWS_ACCOUNT_ID': codebuild.BuildEnvironmentVariable(value=self.account),
'IMAGE_REPO_NAME': codebuild.BuildEnvironmentVariable(value=ghost_repo.repository_name)
}
)
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
vpc = ec2.Vpc(self,
"NewInstanceVPC",
nat_gateways=0,
subnet_configuration=[
ec2.SubnetConfiguration(
name="public", subnet_type=ec2.SubnetType.PUBLIC)
])
amzn_linux = ec2.MachineImage.latest_amazon_linux(
generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2,
edition=ec2.AmazonLinuxEdition.STANDARD,
virtualization=ec2.AmazonLinuxVirt.HVM,
storage=ec2.AmazonLinuxStorage.GENERAL_PURPOSE)
role = iam.Role(self,
"InstanceSSM",
assumed_by=iam.ServicePrincipal("ec2.amazonaws.com"))
role.add_managed_policy(
iam.ManagedPolicy.from_aws_managed_policy_name(
"service-role/AmazonEC2RoleforSSM"))
instance = ec2.Instance(
self,
"CDKNewInstance",
instance_type=ec2.InstanceType("t3.nano"),
key_name="arronmoore_com_v2",
machine_image=amzn_linux,
vpc=vpc,
security_group=self.configure_security_group(vpc),
role=role)
asset = Asset(self,
"NewInstanceConfigureScript",
path="./new_instance/configure.sh")
local_path = instance.user_data.add_s3_download_command(
bucket=asset.bucket, bucket_key=asset.s3_object_key)
instance.user_data.add_execute_file_command(file_path=local_path)
def __init__(self, scope: core.Construct, id: str, secgroup_name: str, **kwargs):
super().__init__(scope, id, **kwargs)
with open('common/common_cdk/lambda/empty_security_group.py', 'r') as f:
lambda_source = f.read()
# lambda utils to empty security group before deletion
empty_secgroup_lambda = _lambda.SingletonFunction(self, 'EmptySecurityGroupLambda',
uuid="dfs3k8730-4ee1-11e8-9c2d-fdfs65dfsc",
runtime=_lambda.Runtime.PYTHON_3_7,
code=_lambda.Code.inline(lambda_source),
handler='index.handler',
function_name='ara-auto-empty-secgroup'
)
empty_secgroup_lambda_role = _iam.Role(
self, 'AutoEmptyBucketLambdaRole',
assumed_by=_iam.ServicePrincipal('lambda.amazonaws.com')
)
empty_secgroup_lambda_role.add_to_policy(
_iam.PolicyStatement(
actions=[
'ec2:RevokeSecurityGroupIngress',
'ec2:RevokeSecurityGroupEgress'
],
resources=['arn:aws:ec2::'+core.Aws.ACCOUNT_ID+':security-group/'+secgroup_name]
)
)
empty_secgroup_lambda_provider = _custom_resources.Provider(
self, 'EmptyBucketLambdaProvider',
on_event_handler=empty_secgroup_lambda
)
core.CustomResource(
self, 'EmptyBucketCustomResource',
service_token=empty_secgroup_lambda_provider.service_token,
properties={
"secgroup_name": secgroup_name
}
)
def __init__(self, scope: core.Construct, id: str, vpc: ec2.IVpc,
db_instance_class: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
stack = core.Stack.of(self)
# TODO: find a way to add role to cluster
role = iam.Role(
self,
'NeptuneRole',
assumed_by=iam.ServicePrincipal('rds.amazonaws.com'),
)
sg = ec2.SecurityGroup(
self,
'SecurityGroup',
vpc=vpc,
)
subnet_group = neptune.CfnDBSubnetGroup(
self,
'SubnetGroup',
db_subnet_group_name='{}-subnet-group'.format(
stack.stack_name.lower()),
db_subnet_group_description='Private subnets',
subnet_ids=[subnet.subnet_id for subnet in vpc.private_subnets])
cluster = neptune.CfnDBCluster(
self,
'Cluster',
db_subnet_group_name=subnet_group.ref,
vpc_security_group_ids=[sg.security_group_id])
neptune.CfnDBInstance(
self,
'Instance',
db_cluster_identifier=cluster.ref,
db_instance_class=db_instance_class,
)
self.endpoint = cluster.attr_endpoint
self.role = role
self.security_group = sg
def create_sagemaker_train_role(self):
# Config role
base_role = iam.Role(
self,
"gw_sagemaker_train_role",
assumed_by=iam.ServicePrincipal("sagemaker.amazonaws.com"))
base_role.add_managed_policy(
iam.ManagedPolicy.from_aws_managed_policy_name(
"AmazonS3FullAccess"))
base_role.add_managed_policy(
iam.ManagedPolicy.from_aws_managed_policy_name(
"AmazonSageMakerFullAccess"))
base_role.add_managed_policy(
iam.ManagedPolicy.from_aws_managed_policy_name(
"AmazonElasticContainerRegistryPublicFullAccess"))
base_role.add_managed_policy(
iam.ManagedPolicy.from_aws_managed_policy_name(
"AmazonEC2ContainerRegistryFullAccess"))
return base_role
def get_role(self, unique_name: str, service_principal: str) -> iam.Role:
"""
Get the default role for the datajob. We use administrator access
as the policy for our default role.
# todo - we probably want to refine the policies for this role
:param unique_name: a unique name we can give to our role.
:param service_principal: what is the service principal for our service.
for example: glue.amazonaws.com
:return: iam role object.
"""
role_name = unique_name + "-role"
logger.debug(f"creating role {role_name}")
return iam.Role(
self,
role_name,
assumed_by=iam.ServicePrincipal(service_principal),
managed_policies=[
iam.ManagedPolicy.from_aws_managed_policy_name("AdministratorAccess")
],
)
def create_crawler_role(self):
"""Crate a role used by crawlers in data lake."""
service = iam.ServicePrincipal("glue.amazonaws.com")
managed_policies = [
iam.ManagedPolicy.from_aws_managed_policy_name(
"service-role/AWSGlueServiceRole"
),
iam.ManagedPolicy.from_aws_managed_policy_name(
"AmazonS3ReadOnlyAccess"
),
]
id_suffix = self.database_name.replace("_", "-")
self._crawler_role = iam.Role(
scope=self,
id=f"oedi-data-lake-crawler-role--{id_suffix}",
role_name=f"oedi_data_lake_cralwer_role__{self.database_name}",
assumed_by=service,
managed_policies=managed_policies,
)
def __init__(self, scope, id, *, description=None, env=None, tags=None, synthesizer=None, iam_user=None,
vpc_id=None, default_capacity=4, default_instance_type='t3a.large'):
super().__init__(scope, id, description=description, env=env, tags=tags,
synthesizer=synthesizer)
if vpc_id:
vpc = ec2.Vpc.from_lookup(self, "VPC",
vpc_id=vpc_id)
else:
vpc = ec2.Vpc(self, f"kodexa-vpc-{id}",
max_azs=2,
cidr="10.10.0.0/16",
subnet_configuration=[ec2.SubnetConfiguration(
subnet_type=ec2.SubnetType.PUBLIC,
name="Public",
cidr_mask=24
), ec2.SubnetConfiguration(
subnet_type=ec2.SubnetType.PRIVATE,
name="Private",
cidr_mask=24
)],
nat_gateways=1,
)
core.CfnOutput(self, "Output",
value=vpc.vpc_id)
# Create K8S cluster
cluster_admin = iam.Role(self, f"kodexa-eks-adminrole-{id}", assumed_by=iam.AccountRootPrincipal())
cluster = eks.Cluster(self, id=f'kodexa-eks-cluster-{id}', cluster_name=f'kodexa-eks-cluster-{id}',
version=eks.KubernetesVersion.V1_17,
vpc=vpc,
default_capacity_instance=ec2.InstanceType(default_instance_type),
default_capacity=default_capacity,
masters_role=cluster_admin)
if iam_user:
admin_user = iam.User.from_user_name(id='cluster-admin-iam-user', user_name=iam_user, scope=self)
cluster.aws_auth.add_user_mapping(admin_user, groups=['system:masters'])
def __init__(self, scope: core.Construct, id: str, props,
**kwargs) -> None:
super().__init__(scope, id, **kwargs)
lambda_role = iam.Role(
self,
'IapTesLambdaRole',
assumed_by=iam.ServicePrincipal('lambda.amazonaws.com'),
managed_policies=[
iam.ManagedPolicy.from_aws_managed_policy_name(
'service-role/AWSLambdaBasicExecutionRole')
])
function = lmbda.Function(
self,
'IapTesLambda',
function_name='rnasum_iap_tes_lambda_dev',
handler='iap_tes.lambda_handler',
runtime=lmbda.Runtime.PYTHON_3_7,
code=lmbda.Code.from_asset('lambdas/iap_tes'),
role=lambda_role,
timeout=core.Duration.seconds(20),
environment={
'IAP_API_BASE_URL': props['iap_api_base_url'],
'TASK_ID': props['task_id'],
'TASK_VERSION_WTS': props['task_version_wts'],
'TASK_VERSION_WGS': props['task_version_wgs'],
'SSM_PARAM_NAME': props['ssm_param_name'],
'GDS_REFDATA_FOLDER': props['gds_refdata_folder'],
'GDS_LOG_FOLDER': props['gds_log_folder'],
'RNASUM_IMAGE_NAME': props['rnasum_image_name'],
'RNASUM_IMAGE_TAG': props['rnasum_image_tag'],
'REFDATA_NAME': props['ref_data_name']
})
secret_value = ssm.StringParameter.from_secure_string_parameter_attributes(
self,
"RNAsumJwtToken",
parameter_name=props['ssm_param_name'],
version=props['ssm_param_version'])
secret_value.grant_read(function)
def build_lambda_role(self, name) -> iam.Role:
return iam.Role(
self,
f"{name}-Role",
assumed_by=iam.ServicePrincipal("lambda.amazonaws.com"),
inline_policies={
"LambdaFunctionServiceRolePolicy":
iam.PolicyDocument(statements=[
iam.PolicyStatement(
actions=[
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
],
resources=[
f"arn:{Aws.PARTITION}:logs:{Aws.REGION}:{Aws.ACCOUNT_ID}:log-group:/aws/lambda/*"
],
)
])
},
)
def _create_autoscaling_role(scope: core.Construct, id: str, *, role_name: Optional[str] = None):
role = iam.Role(
scope, id, role_name=role_name,
assumed_by=iam.ServicePrincipal('elasticmapreduce.amazonaws.com'),
managed_policies=[
iam.ManagedPolicy.from_aws_managed_policy_name(
'service-role/AmazonElasticMapReduceforAutoScalingRole')
])
role.assume_role_policy.add_statements(
iam.PolicyStatement(
effect=iam.Effect.ALLOW,
principals=[
iam.ServicePrincipal('application-autoscaling.amazonaws.com')
],
actions=[
'sts:AssumeRole'
]
)
)
return role
def _connect_pinpoint_to_firehose_delivery_stream(self, *, stack):
self.pinpoint_firehose_role = iam.Role(
stack,
'PinPointToFirehoseRole',
assumed_by=iam.ServicePrincipal('pinpoint.amazonaws.com'))
self.pinpoint_firehose_role.add_to_policy(
iam.PolicyStatement(effect=iam.Effect.ALLOW,
actions=[
"firehose:PutRecordBatch",
"firehose:DescribeDeliveryStream"
],
resources=[self.kfh_instance.attr_arn]))
self.pinpoint_to_kfh = pinpoint.CfnEventStream(
stack,
'pinpointclickstreamtokfh',
application_id=self.pinpoint_instance.ref,
destination_stream_arn=self.kfh_instance.attr_arn,
role_arn=self.pinpoint_firehose_role.role_arn)
def create_wic_provider_test_role(self) -> None:
wic_provider_test_role_condition = {
"StringEquals": {"graph.facebook.com:app_id": self._facebook_app_id}
}
wic_provider_test_role = aws_iam.Role(
self,
"wic_provider_test_role",
assumed_by=aws_iam.FederatedPrincipal(
"graph.facebook.com",
wic_provider_test_role_condition,
"sts:AssumeRoleWithWebIdentity",
),
)
wic_provider_test_role.add_to_policy(
aws_iam.PolicyStatement(
effect=aws_iam.Effect.ALLOW, actions=["translate:TranslateText"], resources=["*"]
)
)
self.parameters_to_save["WICProviderTestRoleArn"] = wic_provider_test_role.role_arn
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
vpc = ec2.Vpc(
self,
'Vpc',
cidr='10.11.12.0/24',
max_azs=2,
nat_gateways=1,
)
role = iam.Role(
self,
'Ec2SsmRole',
assumed_by=iam.ServicePrincipal('ec2.amazonaws.com'),
managed_policies=[
iam.ManagedPolicy.from_aws_managed_policy_name(
'AmazonSSMManagedInstanceCore')
],
)
instance = ec2.Instance(
self,
'Instance',
role=role,
vpc=vpc,
vpc_subnets=ec2.SubnetSelection(subnets=vpc.public_subnets),
instance_type=ec2.InstanceType.of(
instance_class=ec2.InstanceClass.BURSTABLE4_GRAVITON,
instance_size=ec2.InstanceSize.NANO,
),
machine_image=ec2.AmazonLinuxImage(
cpu_type=ec2.AmazonLinuxCpuType.ARM_64,
generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2,
),
)
# TODO: Wait for EnclaveOptions to be supported by CDK
# https://github.com/aws/aws-cdk/issues/12170
instance.instance.hibernation_options = {'configured': True}
def __init__(self, scope: cdk.Construct, construct_id: str, stage: str,
**kwargs) -> None:
super().__init__(scope, construct_id, **kwargs)
# Define Lambda function
lambda_role = iam.Role(
self,
"ExplainRole",
assumed_by=iam.ServicePrincipal("lambda.amazonaws.com"),
managed_policies=[
iam.ManagedPolicy.from_aws_managed_policy_name(
"service-role/AWSLambdaBasicExecutionRole")
],
)
lambda_role.add_managed_policy(
iam.ManagedPolicy.from_aws_managed_policy_name(
"AmazonSSMFullAccess"))
self.explain_bot_lambda = _lambda.Function(
self,
"ExplainHandler",
runtime=_lambda.Runtime.PYTHON_3_8,
code=_lambda.Code.asset("lambda"),
handler="explain.lambda_handler",
role=lambda_role,
timeout=cdk.Duration.minutes(5),
environment={"STAGE": stage},
)
self.add_meaning_lambda = _lambda.Function(
self,
"AddMeaningHandler",
runtime=_lambda.Runtime.PYTHON_3_8,
code=_lambda.Code.asset("lambda"),
handler="add_meaning.lambda_handler",
role=lambda_role,
timeout=cdk.Duration.minutes(5),
environment={"STAGE": stage},
)
def _create_dispatcher_lambda(self, id: str,
event_bus: aws_events.EventBus) -> None:
# bind dispatch lambda to dynamo db with an IAM to put events in the event bus
lambda_role = iam.Role(
self,
'TenantMgmtDispatch',
assumed_by=iam.ServicePrincipal('lambda.amazonaws.com'),
inline_policies={
'TenantMgmtDispatchPolicy':
iam.PolicyDocument(statements=[
iam.PolicyStatement(actions=['events:PutEvents'],
resources=[event_bus.event_bus_arn],
effect=iam.Effect.ALLOW),
]),
"TracingPolicy":
iam.PolicyDocument(statements=[
iam.PolicyStatement(
actions=["ssm:Describe*", "ssm:Get*", "ssm:List*"],
resources=["arn:aws:ssm:*"],
effect=iam.Effect.ALLOW,
),
]),
},
managed_policies=[self._cloudwatch_logs_policy],
)
return aws_lambda.Function(
self,
f'{id}Dispatcher',
function_name=f'{id}Dispatcher',
code=aws_lambda.Code.from_asset(".build/tenant_crud_dispatcher"),
handler='functions.crud_dispatcher.crud_dispatch_dynamodb_source',
environment={
'EVENT_BUS_NAME':
event_bus.event_bus_name, # where to put the events into
},
runtime=aws_lambda.Runtime.PYTHON_3_7,
role=lambda_role,
memory_size=192,
)
def __init__(self, scope: core.Construct, id: str, vpc,KeyPairName,ec2_type, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
# Create SQL instances
azs = vpc.availability_zones
self.sql_sg = ec2.SecurityGroup(self, 'SQL-Security-Group',vpc=vpc,allow_all_outbound=True,description='SQL-Security-Group-Nodes',security_group_name='sql-sg-'+id)
self.role = iam.Role(self, 'ec2-sql-role',assumed_by=iam.ServicePrincipal('ec2.amazonaws.com'))
#Grant permission to access the MAD secret
self.role.add_managed_policy(policy=iam.ManagedPolicy.from_aws_managed_policy_name('SecretsManagerReadWrite'))
self.node1 = ec2.Instance(self, "SQL Node1",
instance_type=ec2.InstanceType(instance_type_identifier=ec2_type),
machine_image=windows_ami,
vpc=vpc,
key_name=KeyPairName,
user_data=ec2.UserData.custom(user_data),
availability_zone=azs[0],
role=self.role,
vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE,one_per_az=True),
security_group=self.sql_sg
)
self.node2 = ec2.Instance(self, "SQL Node2",
instance_type=ec2.InstanceType(instance_type_identifier=ec2_type),
machine_image=windows_ami,
vpc=vpc,
key_name=KeyPairName,
user_data=ec2.UserData.custom(user_data),
availability_zone=azs[1],
role=self.role,
vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE,one_per_az=True),
security_group=self.sql_sg
)
# Open Security group - change to a reference
self.sql_sg.add_ingress_rule(peer=ec2.Peer.ipv4('10.0.0.0/8'),connection=ec2.Port.all_traffic(),description='Allow traffic between SQL nodes + VPC')
core.CfnOutput(self, "node1",value=self.node1.instance_private_ip)
core.CfnOutput(self, "node2",value=self.node2.instance_private_ip)
def __init__(self, scope: core.Construct, construct_id: str, **kwargs) -> None:
super().__init__(scope, construct_id, **kwargs)
vpc = ec2.Vpc(self, "ecs-load-test", cidr="10.0.0.0/22", max_azs=3)
cluster = ecs.Cluster(self, "load-test-cluser", vpc=vpc)
repository = ecr.Repository(self, "spring-boot-helloworld", image_scan_on_push=True)
role = iam.Role(self, "ecs-allow-cw-role",
assumed_by=iam.ServicePrincipal("ecs-tasks.amazonaws.com"))
role.add_to_policy(iam.PolicyStatement(
effect=iam.Effect.ALLOW,
resources=['*'],
actions=["cloudwatch:*"]
))
task_definition = ecs.FargateTaskDefinition( self, "spring-boot-td",
task_role=role,
cpu=512,
memory_limit_mib=2048)
image = ecs.ContainerImage.from_ecr_repository(repository, "v24")
container = task_definition.add_container( "spring-boot-container",
image=image,
logging=ecs.LogDrivers.aws_logs(stream_prefix="loadtest"))
port_mapping = ecs.PortMapping(container_port=8080, host_port=8080)
container.add_port_mappings(port_mapping)
fargate_service = ecs_patterns.ApplicationLoadBalancedFargateService(self, "test-service",
cluster=cluster,
task_definition=task_definition,
desired_count=2,
cpu=512,
memory_limit_mib=2048,
public_load_balancer=True)
fargate_service.target_group.set_attribute("deregistration_delay.timeout_seconds", "10")
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
# Create role for Notebook instance
nrole = iam_.Role(self,
"notebookAccessRole",
assumed_by=iam_.ServicePrincipal("sagemaker"))
nrole.add_managed_policy(
iam_.ManagedPolicy.from_aws_managed_policy_name(
'AmazonSageMakerFullAccess'))
nrole.add_managed_policy(
iam_.ManagedPolicy.from_aws_managed_policy_name(
'AmazonEC2ReadOnlyAccess'))
notebook_uuid = str(uuid.uuid4())
notebook_uuid = str(notebook_uuid[0:notebook_uuid.find('-')])
notebook_instance_id = 'spot-history-notebook-' + notebook_uuid
notebook_instance = sagemaker_.CfnNotebookInstance(
self,
notebook_instance_id,
instance_type='ml.m5.xlarge',
volume_size_in_gb=10,
security_group_ids=default_sg,
subnet_id=default_subnet,
notebook_instance_name=notebook_instance_id,
role_arn=nrole.role_arn,
default_code_repository=github_repo,
)
notebook_url = "https://{}.console.aws.amazon.com/sagemaker/home?region={}#/notebook-instances/openNotebook/{}?view=classic".format(
my_region, my_region, notebook_instance.notebook_instance_name)
core.CfnOutput(
self,
"Notebook Name",
value=notebook_url,
description="Notebook Instance Name",
)
def eks_node_role(
scope: core.Construct,
id: str,
cluster: aws_eks.ICluster,
role_name: typing.Optional[str]=None,
) -> aws_iam.Role:
role = aws_iam.Role(
scope=scope,
id=id,
role_name=role_name,
path='/eks/',
assumed_by=aws_iam.ServicePrincipal('ec2.amazonaws.com'),
managed_policies=list(_eks_node_role_base_policies),
)
core.Tag.add(
scope=role,
key='eks/%s/type' % cluster.cluster_name,
value='node'
)
return role
def create_immediate_response_execution_role(
self, function_name: str, parameter_key: str) -> iam_.Role:
role_name = f"{function_name}-ExecutionRole"
return iam_.Role(
self,
role_name,
assumed_by=iam_.ServicePrincipal("lambda.amazonaws.com"),
inline_policies={
f"{function_name}-ExecutionPolicy":
iam_.PolicyDocument(statements=[
iam_.PolicyStatement(
actions=[
"lambda:InvokeFunction",
"lambda:InvokeAsync",
],
effect=iam_.Effect.ALLOW,
resources=[
self.func_async_worker.function_arn,
self.func_sync_worker.function_arn,
],
),
iam_.PolicyStatement(
actions=[
"ssm:GetParameter",
],
effect=iam_.Effect.ALLOW,
resources=[
f"arn:aws:ssm:{self.region}:{self.account}:parameter{parameter_key}",
],
),
])
},
managed_policies=[
iam_.ManagedPolicy.from_aws_managed_policy_name(
"service-role/AWSLambdaBasicExecutionRole"),
# iam_.ManagedPolicy.from_aws_managed_policy_name("AWSXrayWriteOnlyAccess"),
],
role_name=role_name,
)
def create_swift_infrastructure_role(
self, database_instance: _rds.DatabaseInstance, instance_ids: List[str],
mq_broker_arn: str):
"""create swift infrastructure role"""
swift_infrastructure_role = \
_iam.Role(self, "SWIFTInfrastructureRole",
role_name="SWIFTInfrastructureRole",
assumed_by=_iam.AccountPrincipal(account_id=self.account)
.with_conditions({"Bool": {"aws:MultiFactorAuthPresent": "true"}})
)
instances_resource = []
if instance_ids is not None:
for instance_id in instance_ids:
instances_resource.append(
"arn:aws:ec2:" + self.region + ":" + self.account + ":instance/" + instance_id)
statements = [
_iam.PolicyStatement(
effect=_iam.Effect.ALLOW, actions=["rds:Describe*"],
resources=["*"]),
_iam.PolicyStatement(
effect=_iam.Effect.ALLOW, actions=["rds:Start*", "rds:Stop*"],
resources=[database_instance.instance_arn]),
_iam.PolicyStatement(
effect=_iam.Effect.ALLOW, actions=["ec2:Describe*"],
resources=["*"]),
_iam.PolicyStatement(
effect=_iam.Effect.ALLOW, actions=["ec2:Start*", "ec2:Stop*"],
resources=instances_resource),
_iam.PolicyStatement(
effect=_iam.Effect.ALLOW, actions=["mq:List*", "mq:Describe*", "mq:RebootBroker"],
resources=[mq_broker_arn]),
_iam.PolicyStatement(
effect=_iam.Effect.ALLOW, actions=["logs:List*", "logs:Describe*", "logs:Get*"],
resources=["*"])]
_iam.Policy(
self, "SwiftInfrastructurePolicy", policy_name="SwiftInfrastructurePolicy",
roles=[swift_infrastructure_role], statements=statements,
force=True)
def create_swift_instance_operator_role(self, instance_ids):
"""create swift instance operator role"""
swift_instance_operator_role = \
_iam.Role(self, "SWIFTInstanceOperatorRole",
role_name="SWIFTInstanceOperatorRole",
assumed_by=_iam.AccountPrincipal(account_id=self.account)
.with_conditions({"Bool": {"aws:MultiFactorAuthPresent": "true"}})
)
instances_resource = []
if instance_ids is not None:
for instance_id in instance_ids:
instances_resource.append(
"arn:aws:ec2:" + self.region + ":" + self.account + ":instance/" + instance_id)
ssm_doc_resource = "arn:aws:ssm:" + self.region + \
":" + self.account + ":document/SSM-SessionManagerRunShell"
statements = [
_iam.PolicyStatement(
effect=_iam.Effect.ALLOW, actions=["ssm:StartSession", "ssm:SendCommand"],
resources=[ssm_doc_resource] + instances_resource,
conditions={"BoolIfExists": {
"ssm:SessionDocumentAccessCheck": "true"}}),
_iam.PolicyStatement(
effect=_iam.Effect.ALLOW,
actions=["ssm:DescribeSessions", "ssm:GetConnectionStatus",
"ssm:DescribeInstanceInformation",
"ssm:DescribeInstanceProperties", "ec2:DescribeInstances"],
resources=["*"]),
_iam.PolicyStatement(
effect=_iam.Effect.ALLOW,
actions=["ssm:TerminateSession"],
resources=[
"arn:aws:ssm:*:*:session/${aws:username}-*"])]
_iam.Policy(
self, "SSMInstanceAccessPolicy", policy_name="SSMInstanceAccessPolicy",
roles=[swift_instance_operator_role], statements=statements,
force=True)
def __init__(self, scope: core.Construct, construct_id: str,
**kwargs) -> None:
super().__init__(scope, construct_id, **kwargs)
self.role = aws_iam.Role(
self,
id="something-role",
assumed_by=aws_iam.ServicePrincipal('lambda.amazonaws.com'),
)
self.role.add_managed_policy(
aws_iam.ManagedPolicy.from_aws_managed_policy_name(
'service-role/AWSLambdaBasicExecutionRole'))
self.table = aws_dynamodb.Table(
self,
id="SomethingTable",
table_name=f"something-table",
billing_mode=aws_dynamodb.BillingMode.PAY_PER_REQUEST,
partition_key=aws_dynamodb.Attribute(
name='something_id', type=aws_dynamodb.AttributeType.STRING),
)
self.table.grant_full_access(self.role)
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
ec_role = iam.Role(
self,
"FirstRoleCDK",
assumed_by=iam.ServicePrincipal("ec2.amazonaws.com"),
description="First Role created by CDK",
inline_policies={
"S3IAMFullAccess":
iam.PolicyDocument(statements=[
iam.PolicyStatement(effect=iam.Effect.ALLOW,
actions=['s3:*'],
resources=['*']),
iam.PolicyStatement(effect=iam.Effect.ALLOW,
actions=['iam:*'],
resources=['*']),
])
})
ec_role.add_managed_policy(
iam.ManagedPolicy.from_aws_managed_policy_name(
"AdministratorAccess"))
