def create_firewall_rules(vpc):
# Create lambda, rds, redis security groups to allow traffic between them
lambda_sg = ec2.SecurityGroup("lambdaSG",
description="Lambda security group",
egress=[{
"from_port": 0,
"to_port": 0,
"cidr_blocks": ["0.0.0.0/0"],
"protocol": -1
}],
vpc_id=vpc.id)
# Create SG for redis, rds
rds_sg = ec2.SecurityGroup(
"AllowLambdaToRdsIngress",
description="Rds Security Group",
vpc_id=vpc.id,
ingress=[{
"from_port": 3306,
"to_port": 3306,
"protocol": "tcp",
"security_groups": [lambda_sg.id],
}],
egress=[{
"from_port": 0,
"to_port": 0,
"protocol": -1,
"cidr_blocks": ["0.0.0.0/0"],
}],
)
redis_sg = ec2.SecurityGroup(
"AllowLambdaToRedisIngress",
description="Redis security group",
vpc_id=vpc.id,
ingress=[{
"from_port": 6379,
"to_port": 6379,
"protocol": "tcp",
"security_groups": [lambda_sg.id],
}],
egress=[{
"from_port": 0,
"to_port": 0,
"cidr_blocks": ["0.0.0.0/0"],
"protocol": -1
}],
)
return {"lambda_sg": lambda_sg, "redis_sg": redis_sg, "rds_sg": rds_sg}
def create_security_group(self):
master_egress_rules = [{
"cidr_blocks": ["0.0.0.0/0"],
"from_port": 0,
"protocol": "-1",
"to_port": 0
}]
# PULUMI DEVS configure your own subnet ID's.
self.master_security_group = ec2.SecurityGroup(
self.cluster_name + "-master-securitygroup",
egress=master_egress_rules,
vpc_id="vpc-229b4f47",
opts=pulumi.ResourceOptions(parent=self))
def _create_sgs(self, bastion_id=None):
#TODO: if infra left up for a while, security groups cant be deleted. are they modified when running? Need a tag?
# Create the security groups first
master_sg = ec2.SecurityGroup("master-sg", vpc_id=self.vpc_id, description="security group for communication with the eks master plance",
__opts__=ResourceOptions(parent=self))
worker_sg = ec2.SecurityGroup("worker-sg", vpc_id=self.vpc_id, description="security group for communication with the worker nodes",
__opts__=ResourceOptions(parent=self))
# Create the egress/ingress rules for the master
master_sg_egress = ec2.SecurityGroupRule("master-sg-egress", type="egress", cidr_blocks=["0.0.0.0/0"], from_port=0,
to_port=0, protocol=-1, security_group_id=master_sg.id, description="master sg egress",
__opts__=ResourceOptions(parent=self))
current_ip = Util.get_workstation_ip()
master_sg_ingress_workstation = ec2.SecurityGroupRule("master-sg-ingress-from-workstation", type="ingress", from_port=443, to_port=443,
protocol=-1, security_group_id=master_sg.id, cidr_blocks=["%s/32" % current_ip],
description="ingress to masters from workstation", __opts__=ResourceOptions(parent=self))
master_sg_ingress_nodes = ec2.SecurityGroupRule("master-sg-ingress-from-workers", type="ingress", from_port=0, to_port=0,
protocol=-1, security_group_id=master_sg.id, source_security_group_id=worker_sg.id,
description="master ingress from workers", __opts__=ResourceOptions(parent=self))
# Create the egress/ingress rules for the workers
worker_sg_egress = ec2.SecurityGroupRule("worker-sg-egress", type="egress", cidr_blocks=["0.0.0.0/0"], from_port=0,
to_port=0, protocol=-1, security_group_id=worker_sg.id, description="worker sg egress",
__opts__=ResourceOptions(parent=self))
worker_sg_ingress_itself = ec2.SecurityGroupRule("worker-sg-ingress-itself", type="ingress", from_port=0, to_port=0,
protocol=-1, security_group_id=worker_sg.id, self=True, description="worker ingress from itself",
__opts__=ResourceOptions(parent=self))
worker_sg_ingress_master = ec2.SecurityGroupRule("worker-sg-ingress-master", type="ingress", from_port=0, to_port=0,
protocol=-1, security_group_id=worker_sg.id, source_security_group_id=master_sg.id,
description="worker ingress from master", __opts__=ResourceOptions(parent=self))
worker_sg_ingress_bastion = ec2.SecurityGroupRule("worker-sg-ingress-bastion", type="ingress", from_port=0, to_port=0,
protocol=-1, security_group_id=worker_sg.id, source_security_group_id=bastion_id,
description="worker ingress from bastion host", __opts__=ResourceOptions(parent=self))
self.master_sg = master_sg.id
self.worker_sg = worker_sg.id
f'vpc-route-table-assoc-{zone}',
route_table_id=eks_route_table.id,
subnet_id=vpc_subnet.id,
)
subnet_ids.append(vpc_subnet.id)
## Security Group
eks_security_group = ec2.SecurityGroup(
'eks-cluster-sg',
vpc_id=vpc.id,
description='Allow all HTTP(s) traffic to EKS Cluster',
tags={'Name': 'pulumi-cluster-sg'},
ingress=[{
'cidr_blocks': ['0.0.0.0/0'],
'from_port':
'443',
'to_port':
'443',
'protocol':
'tcp',
'description':
'Allow pods to communicate with the cluster API Server.'
}, {
'cidr_blocks': ['0.0.0.0/0'],
'from_port': '80',
'to_port': '80',
'protocol': 'tcp',
'description': 'Allow internet access to pods'
}])
import pulumi
from pulumi_aws import ec2, ebs
COUNT = 4
AZONE = "us-west-2c"
# difficulty trying to automate an AMI selection
AMI = "ami-7172b611"
sg_web = ec2.SecurityGroup("web-in",
ingress=[{
'protocol': 'tcp',
'from_port': 80,
'to_port': 80,
'cidr_blocks': ["0.0.0.0/0"]
}])
instances_web = []
for i in range(COUNT):
inst = ec2.Instance('Terraform Demo {}'.format(i),
ami=AMI,
availability_zone=AZONE,
instance_type="t2.micro",
vpc_security_group_ids=[sg_web.id])
instances_web.append(inst)
volumes_web = []
for i in range(COUNT):
vol = ebs.Volume(
'Terraform Demo {}'.format(i),
# strange that you can set the azone for instances with pulumi config
# but it doesn't take for volumes
instance = ec2.Instance(
'web-server-www;',
instance_type="t2.micro",
tags={"Owner": "Chris"},
# AMI for Amazon Linux 2 us-east-2 (Ohio)
ami="ami-0f7919c33c90f5b58",
user_data=user_data)
group = ec2.SecurityGroup(
'web-secgrp',
ingress=[
# SSH
{
"protocol": "tcp",
"from_port": 22,
"to_port": 22,
"cidr_blocks": ["0.0.0.0/0"]
},
# HTTP
{
"protocol": "tcp",
"from_port": 80,
"to_port": 80,
"cidr_blocks": ["0.0.0.0/0"]
},
])
group_attachment = ec2.NetworkInterfaceSecurityGroupAttachment(
"web-secgrp-attchment",
network_interface_id=instance.primary_network_interface_id,
security_group_id=group.id)
route_table_id=eks_route_table.id,
subnet_id=vpc_subnet.id,
)
subnet_ids.append(vpc_subnet.id)
## Security Group
eks_security_group = ec2.SecurityGroup(
'eks-cluster-sg',
vpc_id=vpc.id,
description='Allow all HTTP(s) traffic to EKS Cluster',
tags={
'Name': 'template-cluster-sg',
},
ingress=[
ec2.SecurityGroupIngressArgs(
cidr_blocks=['0.0.0.0/0'],
from_port=443,
to_port=443,
protocol='tcp',
description='Allow pods to communicate with the cluster API Server.'
),
ec2.SecurityGroupIngressArgs(
cidr_blocks=['0.0.0.0/0'],
from_port=80,
to_port=80,
protocol='tcp',
description='Allow internet access to pods'),
],
)
# NOTE Pulumi-generated security groups have no outbound rules, a departure from usual where it's completely open.
public_sg = ec2.SecurityGroup(
resource_name='new-public-sg',
description='HTTP and SSH ingress',
vpc_id=vpc.id,
ingress=[
{
'protocol': 'tcp',
'fromPort': 22,
'toPort': 22,
'cidrBlocks': ['0.0.0.0/0']
},
{
'protocol': 'tcp',
'fromPort': 80,
'toPort': 80,
'cidrBlocks': ['0.0.0.0/0']
},
],
egress=[{
'protocol': '-1',
'fromPort': 0,
'toPort': 0,
'cidrBlocks': ['0.0.0.0/0']
}],
tags={
'Name': 'infra public security group (front-back-autoscaling)',
'Creator': 'timc'
})
# TODO add ebs_block_devices
def _create_security_groups(self, vpcid):
pub_name = "%s-public-sg" % self.name
public_sg = ec2.SecurityGroup(pub_name,
description=pub_name,
vpc_id=vpcid,
tags=self.sg_tags,
__opts__=ResourceOptions(parent=self))
priv_name = "%s-private-sg" % self.name
private_sg = ec2.SecurityGroup(priv_name,
description=priv_name,
vpc_id=vpcid,
tags=self.sg_tags,
__opts__=ResourceOptions(parent=self))
"""
Set up public rules:
1. ingress from itself to itself
2. ingress from private to public
3. egress rule for all
4. ingress rule for current IP address on 22
"""
pub_ingress_itself = ec2.SecurityGroupRule(
"public-ingress-from-itself",
type="ingress",
from_port=0,
to_port=0,
protocol=-1,
security_group_id=public_sg.id,
self=True,
description="public ingress to/from itself",
__opts__=ResourceOptions(parent=self))
pub_ingress_private = ec2.SecurityGroupRule(
"public-ingress-from-private",
type="ingress",
from_port=0,
to_port=0,
protocol=-1,
security_group_id=public_sg.id,
source_security_group_id=private_sg.id,
description="public ingress from private",
__opts__=ResourceOptions(parent=self))
pub_egress = ec2.SecurityGroupRule(
"public-egress",
type="egress",
cidr_blocks=["0.0.0.0/0"],
from_port=0,
to_port=0,
protocol=-1,
security_group_id=public_sg.id,
description="egress traffic from public sg",
__opts__=ResourceOptions(parent=self))
current_ip = Util.get_workstation_ip()
pub_ingress_current_ip = ec2.SecurityGroupRule(
"public-ingress-from-current-ip",
type="ingress",
from_port=22,
to_port=22,
protocol="TCP",
security_group_id=public_sg.id,
cidr_blocks=[("%s/32" % current_ip)],
description="ingress from current IP",
__opts__=ResourceOptions(parent=self))
"""
Set up private rules:
1. ingress from public to it
2. ingress from itself to itself
3. egress rule for all
"""
priv_ingress_itself = ec2.SecurityGroupRule(
"private-ingress-from-itself",
type="ingress",
from_port=0,
to_port=0,
protocol=-1,
security_group_id=private_sg.id,
self=True,
description="private ingress to itself",
__opts__=ResourceOptions(parent=self))
priv_ingress_public = ec2.SecurityGroupRule(
"private-ingress-from-public",
type="ingress",
from_port=0,
to_port=0,
protocol=-1,
security_group_id=private_sg.id,
source_security_group_id=public_sg.id,
description="private ingress from public",
__opts__=ResourceOptions(parent=self))
priv_egress = ec2.SecurityGroupRule(
"private-egress",
type="egress",
cidr_blocks=["0.0.0.0/0"],
from_port=0,
to_port=0,
protocol=-1,
security_group_id=private_sg.id,
description="egress traffic from private sg",
__opts__=ResourceOptions(parent=self))
return {"public": public_sg.id, "private": private_sg.id}
db = dynamodb.Table("mytable",
attributes=[{
"name": "Id",
"type": "S"
}],
hash_key="Id",
read_capacity=1,
write_capacity=1)
## EC2
eip = ec2.Eip("myeip")
security_group = ec2.SecurityGroup("mysecuritygroup",
ingress=[{
"protocol": "tcp",
"from_port": 80,
"to_port": 80,
"cidr_blocks": ["0.0.0.0/0"]
}])
vpc = ec2.Vpc("myvpc", cidr_block="10.0.0.0/16")
igw = ec2.InternetGateway("myinternetgateway", vpc_id=vpc.id)
public_route_table = ec2.RouteTable("myroutetable",
routes=[{
"cidr_block": "0.0.0.0/0",
"gateway_id": igw.id
}],
vpc_id=vpc.id)
def AwsgiHandler(self, name, zone, domain, package, func, __opts__,
**lambdaargs):
"""
Define a handler to accept requests, using awsgi
"""
func = package.function(f"{name}-function", func, **lambdaargs,
**opts(parent=self))
invoke_policy = lambda_.Permission(
f'{name}-function-permission',
function=func,
action='lambda:InvokeFunction',
principal='elasticloadbalancing.amazonaws.com',
**opts(parent=func))
netinfo = get_public_subnets(opts=__opts__)
@netinfo.apply
def vpc_id(info):
vpc, subnets, is_v6 = info
return vpc.id
@netinfo.apply
def netstack(info):
vpc, subnets, is_v6 = info
return 'dualstack' if is_v6 else 'ipv4'
@netinfo.apply
def subnet_ids(info):
vpc, subnets, is_v6 = info
return [sn.id for sn in subnets]
cert = Certificate(f"{name}-cert",
domain=domain,
zone=zone,
**opts(parent=self))
# TODO: Cache this
sg = ec2.SecurityGroup(f"{name}-sg",
vpc_id=vpc_id,
ingress=[
{
'from_port': 80,
'to_port': 80,
'protocol': "tcp",
'cidr_blocks': ['0.0.0.0/0'],
},
{
'from_port': 443,
'to_port': 443,
'protocol': "tcp",
'cidr_blocks': ['0.0.0.0/0'],
},
{
'from_port': 80,
'to_port': 80,
'protocol': "tcp",
'ipv6_cidr_blocks': ['::/0'],
},
{
'from_port': 443,
'to_port': 443,
'protocol': "tcp",
'ipv6_cidr_blocks': ['::/0'],
},
],
egress=[
{
'from_port': 0,
'to_port': 0,
'protocol': "-1",
'cidr_blocks': ['0.0.0.0/0'],
},
{
'from_port': 0,
'to_port': 0,
'protocol': "-1",
'ipv6_cidr_blocks': ['::/0'],
},
],
**opts(parent=self))
alb = elb.LoadBalancer(f"{name}-alb",
load_balancer_type='application',
subnets=subnet_ids,
ip_address_type=netstack,
security_groups=[sg],
enable_http2=True,
**opts(parent=self))
target = elb.TargetGroup(
f"{name}-target",
target_type='lambda',
lambda_multi_value_headers_enabled=
False, # AWSGI does not support this yet
health_check={
'enabled': True,
'path': '/',
'matcher': '200-299',
'interval': 30,
'timeout': 5,
},
**opts(parent=self))
elb.TargetGroupAttachment(f"{name}-target-func",
target_group_arn=target.arn,
target_id=func.arn,
**opts(depends_on=[invoke_policy], parent=self))
elb.Listener(f"{name}-http",
load_balancer_arn=alb.arn,
port=80,
protocol='HTTP',
default_actions=[{
'type': 'forward',
'target_group_arn': target.arn,
}],
**opts(parent=self))
elb.Listener(f"{name}-https",
load_balancer_arn=alb.arn,
port=443,
protocol='HTTPS',
ssl_policy='ELBSecurityPolicy-TLS-1-2-Ext-2018-06',
certificate_arn=cert.cert_arn,
default_actions=[{
'type': 'forward',
'target_group_arn': target.arn,
}],
**opts(parent=self))
a_aaaa(
f"{name}-record",
name=domain,
zone_id=zone.zone_id,
aliases=[
{
'name': alb.dns_name,
'zone_id': alb.zone_id,
'evaluate_target_health': True,
},
],
**opts(parent=self),
)
import pulumi
from pulumi_aws import ec2, get_ami, GetAmiFilterArgs
group = ec2.SecurityGroup('web-secgrp', ingress=[
# Uncomment to fail a test:
#{ "protocol": "tcp", "from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"] },
{ "protocol": "tcp", "from_port": 80, "to_port": 80, "cidr_blocks": ["0.0.0.0/0"] },
])
user_data = '#!/bin/bash echo "Hello, World!" > index.html nohup python -m SimpleHTTPServer 80 &'
ami_id = get_ami(
most_recent=True,
owners=["099720109477"],
filters=[
GetAmiFilterArgs(
name="name",
values=["ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-*"]
)]
).id
server = ec2.Instance('web-server-www',
instance_type="t2.micro",
vpc_security_group_ids=[ group.id ], # reference the group object above
# Comment out to fail a test:
tags={'Name': 'webserver'}, # name tag
# Uncomment to fail a test:
#user_data=user_data) # start a simple web server
ami=ami_id)
rta = ec2.RouteTableAssociation('new-rta',
route_table_id=rt.id,
subnet_id=subnet.id)
sg = ec2.SecurityGroup(resource_name='new-sg',
description='HTTP and SSH ingress',
vpc_id=vpc.id,
ingress=[
{
'protocol': 'tcp',
'fromPort': 22,
'toPort': 22,
'cidrBlocks': ['0.0.0.0/0']
},
{
'protocol': 'tcp',
'fromPort': 80,
'toPort': 80,
'cidrBlocks': ['0.0.0.0/0']
},
],
tags={
'Name': 'infra security group',
'Creator': 'timc'
})
bucket = s3.Bucket(resource_name='new-bucket',
tags={
'Name': 'infra bucket',
'Creator': 'timc'
def __init__(self):
resource_specs = ParseYAML(resource_type).getSpecs()
aws_vpc_id = VPCs.VPCId()
for sg_name, sg_configuration in resource_specs.items():
# AWS Security Groups Dynamic Variables
resource_name = sg_name
resource_description = sg_configuration["description"]
resource_vpc = sg_configuration["vpc"]
resource_ingress_rules = sg_configuration["ingress"]
resource_egress_rules = sg_configuration["egress"]
resource_tags = None
resource_tags = sg_configuration[
"tags"] if "tags" in sg_configuration else None
# Getting list of tags from configuration file
tags_list = {}
if resource_tags is not None:
for each_tag_name, each_tag_value in resource_tags.items():
tags_list.update({each_tag_name: each_tag_value})
# Adding mandatory tags
tags_list.update({"Name": resource_name})
tags_list.update({
"Project/Stack":
pulumi.get_project() + "/" + pulumi.get_stack()
})
tags_list.update(resource_mandatory_tags)
this_vpc = aws_vpc_id[str(resource_vpc)]
# Empty dictionaries that'll be populated with rules
# coming from each individual security group,
# being ingress or egress
ingress_rules_list = {}
egress_rules_list = {}
# Gathering all ingress rules and return the results
# to the right dictionary defined above
for each_ingress_rule in resource_ingress_rules.items():
for each_ingress_rule_key, each_ingress_rule_value in [
each_ingress_rule
]:
ingress_rules_list.update(
{each_ingress_rule_key: each_ingress_rule_value})
combined_ingress_rules = list(ingress_rules_list.values())
# Gathering all egress rules and return the results
# to the right dictionary defined above
for each_egress_rule in resource_egress_rules.items():
for each_egress_rule_key, each_egress_rule_value in [
each_egress_rule
]:
egress_rules_list.update(
{each_egress_rule_key: each_egress_rule_value})
combined_egress_rules = list(egress_rules_list.values())
# Create Security Group
security_group = net.SecurityGroup(
resource_name,
description=resource_description,
name=resource_name,
vpc_id=this_vpc,
ingress=combined_ingress_rules,
egress=combined_egress_rules,
tags=tags_list)
# Update resource dictionary
sg_ids_dict.update({security_group._name: security_group.id})
# Exporting each security group created for future reference
pulumi.export(security_group._name, security_group.id)
# Lets use Pulumi to get the AMI image
pulumi_ami = aws.get_ami(filters=[{
"name": "image-id",
"values": [ec2_image_id]
}],
owners=[ec2_image_owner])
# Create a EC2 security group
pulumi_security_group = ec2.SecurityGroup(
'pulumi-secgrp',
description='pulumi: enable SSH access & outgoing connections',
ingress=[{
'protocol': 'tcp',
'from_port': ec2_ssh_port,
'to_port': ec2_ssh_port,
'cidr_blocks': ['0.0.0.0/0']
}],
egress=[{
'protocol': '-1',
'from_port': 0,
'to_port': 0,
'cidr_blocks': ['0.0.0.0/0']
}])
# Create EC2 instance
ec2_instance = ec2.Instance(ec2_instance_name,
key_name=ec2_keypair_name,
instance_type=ec2_instance_size,
security_groups=[pulumi_security_group.name],
ami=pulumi_ami.id)
if ami == '':
ami = get_linux_ami(instance_type)
pulumi.info(msg="ami={}".format(ami))
web_group = ec2.SecurityGroup('web-secgrp',
description='Enable HTTP/HTTPS access',
ingress=[{
'protocol': 'tcp',
'from_port': 80,
'to_port': 80,
'cidr_blocks': ['0.0.0.0/0']
}, {
'protocol': 'tcp',
'from_port': 443,
'to_port': 443,
'cidr_blocks': ['0.0.0.0/0']
}],
egress=[{
'protocol': 'tcp',
'from_port': 0,
'to_port': 80,
'cidr_blocks': ['0.0.0.0/0']
}, {
'protocol': 'tcp',
'from_port': 0,
'to_port': 443,
'cidr_blocks': ['0.0.0.0/0']
}])
pulumi.info(
msg="aws_cidr_allowed={}".format(env.get_secret('aws_cidr_allowed')))
ssh_group = ec2.SecurityGroup('ssh-secgrp',
"mytable",
attributes=[dynamodb.TableAttributeArgs(
name="Id",
type="S",
)],
hash_key="Id",
read_capacity=1,
write_capacity=1)
## EC2
eip = ec2.Eip("myeip")
security_group = ec2.SecurityGroup("mysecuritygroup",
ingress=[
ec2.SecurityGroupIngressArgs(
protocol="tcp",
from_port=80,
to_port=80,
cidr_blocks=["0.0.0.0/0"])
])
vpc = ec2.Vpc("myvpc", cidr_block="10.0.0.0/16")
igw = ec2.InternetGateway("myinternetgateway", vpc_id=vpc.id)
public_route_table = ec2.RouteTable("myroutetable",
routes=[
ec2.RouteTableRouteArgs(
cidr_block="0.0.0.0/0",
gateway_id=igw.id)
],
vpc_id=vpc.id)
# https://github.com/terraform-providers/terraform-provider-aws/blob/master/website/docs/r/security_group.html.markdown
eks_cluster_sg = ec2.SecurityGroup(
'eks-cluster-sg',
vpc_id=vpc.id,
description='Allow all traffic and associate with our vpc',
tags={'Name': 'eks-cluster-sg'},
egress=[{
'cidr_blocks': ["0.0.0.0/0"],
'from_port': '0',
'to_port': '0',
'self': False,
'protocol': '-1',
'description': 'Allow internet access.'
}],
ingress=[{
'cidr_blocks': ["0.0.0.0/0"],
'from_port':
'443',
'to_port':
'443',
'protocol':
'tcp',
'description':
'Allow pods to communicate with the cluster API Server.'
}, {
'cidr_blocks': ["0.0.0.0/0"],
'from_port': '80',
'to_port': '80',
'protocol': 'tcp',
'description': 'Allow internet access to pods'
}])
def __init__(self, name: str, args: VpcArgs, opts: ResourceOptions = None):
super().__init__('custom:resource:VPC', name, {}, opts)
vpc_name = name + '-vpc'
self.vpc = ec2.Vpc(vpc_name,
cidr_block=args.cidr_block,
instance_tenancy=args.instance_tenancy,
enable_dns_hostnames=args.enable_dns_hostnames,
enable_dns_support=args.enable_dns_support,
tags={'Name': vpc_name},
opts=ResourceOptions(parent=self))
igw_name = name + '-igw'
self.igw = ec2.InternetGateway(igw_name,
vpc_id=self.vpc.id,
tags={'Name': igw_name},
opts=ResourceOptions(parent=self))
rt_name = name + '-rt'
self.route_table = ec2.RouteTable(rt_name,
vpc_id=self.vpc.id,
routes=[
ec2.RouteTableRouteArgs(
cidr_block='0.0.0.0/0',
gateway_id=self.igw.id,
)
],
tags={'Name': rt_name},
opts=ResourceOptions(parent=self))
# Subnets, at least across two zones.
all_zones = get_availability_zones()
# limiting to 2 zones for speed and to meet minimal requirements.
zone_names = [all_zones.names[0], all_zones.names[1]]
self.subnets = []
subnet_name_base = f'{name}-subnet'
for zone in zone_names:
vpc_subnet = ec2.Subnet(
f'{subnet_name_base}-{zone}',
assign_ipv6_address_on_creation=False,
vpc_id=self.vpc.id,
map_public_ip_on_launch=True,
cidr_block=f'10.100.{len(self.subnets)}.0/24',
availability_zone=zone,
tags={
'Name': f'{subnet_name_base}-{zone}',
},
opts=ResourceOptions(parent=self))
ec2.RouteTableAssociation(f'vpc-route-table-assoc-{zone}',
route_table_id=self.route_table.id,
subnet_id=vpc_subnet.id,
opts=ResourceOptions(parent=self))
self.subnets.append(vpc_subnet)
# Security Groups
rds_sg_name = f'{name}-rds-sg'
self.rds_security_group = ec2.SecurityGroup(
rds_sg_name,
vpc_id=self.vpc.id,
description='Allow client access.',
tags={'Name': rds_sg_name},
ingress=[
ec2.SecurityGroupIngressArgs(cidr_blocks=['0.0.0.0/0'],
from_port=3306,
to_port=3306,
protocol='tcp',
description='Allow rds access.'),
],
egress=[
ec2.SecurityGroupEgressArgs(
protocol='-1',
from_port=0,
to_port=0,
cidr_blocks=['0.0.0.0/0'],
)
],
opts=ResourceOptions(parent=self))
fe_sg_name = f'{name}-fe-sg'
self.fe_security_group = ec2.SecurityGroup(
fe_sg_name,
vpc_id=self.vpc.id,
description='Allow all HTTP(s) traffic.',
tags={'Name': fe_sg_name},
ingress=[
ec2.SecurityGroupIngressArgs(cidr_blocks=['0.0.0.0/0'],
from_port=443,
to_port=443,
protocol='tcp',
description='Allow https.'),
ec2.SecurityGroupIngressArgs(cidr_blocks=['0.0.0.0/0'],
from_port=80,
to_port=80,
protocol='tcp',
description='Allow http access'),
],
egress=[
ec2.SecurityGroupEgressArgs(
protocol='-1',
from_port=0,
to_port=0,
cidr_blocks=['0.0.0.0/0'],
)
],
opts=ResourceOptions(parent=self))
self.register_outputs({})
# Copyright 2016-2020, Pulumi Corporation. All rights reserved.
import pulumi
from pulumi_aws import ec2
from ami import get_linux_ami
size = 't2.micro'
group = ec2.SecurityGroup('web-secgrp',
description='Enable HTTP access',
ingress=[
ec2.SecurityGroupIngressArgs(
protocol='tcp',
from_port=80,
to_port=80,
cidr_blocks=['0.0.0.0/0'])
])
server = ec2.Instance('web-server-www',
instance_type=size,
security_groups=[group.name],
ami=get_linux_ami(size))
pulumi.export('public_ip', server.public_ip)
pulumi.export('public_dns', server.public_dns)
["ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-*"]
}])
# Create a Security Group allowing ssh access
group = ec2.SecurityGroup(f"nextcloud-secgrp-{env}",
description='Enable SSH and HTTP/S access',
ingress=[{
'protocol': 'tcp',
'from_port': 22,
'to_port': 22,
'cidr_blocks': ['0.0.0.0/0']
}, {
'protocol': 'tcp',
'from_port': 443,
'to_port': 443,
'cidr_blocks': ['0.0.0.0/0']
}, {
'protocol': 'tcp',
'from_port': 80,
'to_port': 80,
'cidr_blocks': ['0.0.0.0/0']
}],
egress=[{
'protocol': '-1',
'from_port': 0,
'to_port': 0,
'cidr_blocks': ['0.0.0.0/0']
}])
# Create an EC2 (using the ami previously retrieved)
instance = ec2.Instance(
f"nextcloud-webserver-www-{env}",
# Copyright 2016-2018, Pulumi Corporation. All rights reserved.
import pulumi
from pulumi_aws import ec2
from ami import get_linux_ami
size = 't2.micro'
group = ec2.SecurityGroup('web-secgrp',
description='Enable HTTP access',
ingress=[{
'protocol': 'tcp',
'from_port': 80,
'to_port': 80,
'cidr_blocks': ['0.0.0.0/0']
}])
server = ec2.Instance('web-server-www',
instance_type=size,
security_groups=[group.name],
ami=get_linux_ami(size))
pulumi.export('public_ip', server.public_ip)
pulumi.export('public_dns', server.public_dns)
def __init__(
self,
name,
opts=None,
):
super().__init__("nuage:aws:DevelopmentEnvironment:VPC",
f"{name}VpcEnvironment", None, opts)
vpc = ec2.Vpc(
f"{name}Vpc",
cidr_block="172.32.0.0/16",
enable_dns_hostnames=True,
enable_dns_support=True,
)
subnet_1 = ec2.Subnet(
f"{name}VpcSubnetA",
availability_zone="eu-west-1a",
vpc_id=vpc.id,
cidr_block="172.32.0.0/20",
opts=ResourceOptions(depends_on=[vpc]),
)
subnet_2 = ec2.Subnet(
f"{name}VpcSubnetB",
availability_zone="eu-west-1b",
vpc_id=vpc.id,
cidr_block="172.32.16.0/20",
opts=ResourceOptions(depends_on=[vpc]),
)
subnet_3 = ec2.Subnet(
f"{name}VpcSubnetC",
availability_zone="eu-west-1c",
vpc_id=vpc.id,
cidr_block="172.32.32.0/20",
opts=ResourceOptions(depends_on=[vpc]),
)
private_subnet_1 = ec2.Subnet(
f"{name}VpcPrivateSubnetA",
availability_zone="eu-west-1a",
vpc_id=vpc.id,
cidr_block="172.32.48.0/20",
opts=ResourceOptions(depends_on=[vpc]),
)
security_group = ec2.SecurityGroup(
f"{name}SecurityGroup",
vpc_id=vpc.id,
opts=ResourceOptions(depends_on=[vpc]),
)
security_group_rule = ec2.SecurityGroupRule(
f"{name}SSHRule",
security_group_id=security_group.id,
type="ingress",
protocol="tcp",
from_port=22,
to_port=22,
cidr_blocks=["0.0.0.0/0"],
)
security_group_rule = ec2.SecurityGroupRule(
f"{name}InboundRule",
security_group_id=security_group.id,
type="ingress",
protocol="all",
from_port=0,
to_port=65535,
source_security_group_id=security_group.id,
)
security_group_rule = ec2.SecurityGroupRule(
f"{name}OutboundRule",
security_group_id=security_group.id,
type="egress",
protocol="all",
from_port=0,
to_port=65535,
cidr_blocks=["0.0.0.0/0"],
)
subnets = [subnet_1, subnet_2, subnet_3]
gateway = ec2.InternetGateway(
f"{name}InternetGateway",
vpc_id=vpc.id,
opts=ResourceOptions(depends_on=[vpc]),
)
gateway_route = ec2.Route(
f"{name}GatewayRoute",
destination_cidr_block="0.0.0.0/0",
gateway_id=gateway.id,
route_table_id=vpc.default_route_table_id,
)
elastic_ip = ec2.Eip(f"{name}Eip",
vpc=True,
opts=ResourceOptions(depends_on=[gateway]))
nat_gateway = ec2.NatGateway(
f"{name}NatGateway",
subnet_id=subnet_1.id,
allocation_id=elastic_ip.id,
opts=ResourceOptions(depends_on=[subnet_1, elastic_ip]),
)
private_route_table = ec2.RouteTable(
f"{name}PrivateRouteTable",
routes=[
{
"cidr_block": "0.0.0.0/0",
"nat_gateway_id": nat_gateway.id,
},
],
vpc_id=vpc.id,
opts=ResourceOptions(depends_on=[private_subnet_1]),
)
private_route_table_assoc = ec2.RouteTableAssociation(
f"{name}PrivateRouteTableAssoc",
route_table_id=private_route_table.id,
subnet_id=private_subnet_1.id,
)
outputs = {
"vpc": vpc,
"security_group": security_group,
"public_subnets": [subnet_1, subnet_2, subnet_3],
"private_subnet": private_subnet_1,
"nat_gateway": nat_gateway,
}
self.set_outputs(outputs)
