def elb(self, template):
"""
Create an ELB resource configuration from the config file data
and add them to the troposphere template. Outputs for each ELB's
DNSName are created.
Args:
template:
The cloudformation template file
"""
# REQUIRED FIELDS AND MAPPING
# Note, 'name' field is used internally to help label
# logical ids, and as part of the DNS record name.
required_fields = {"listeners": "Listeners", "scheme": "Scheme", "name": None, "hosted_zone": "HostedZoneName"}
elb_list = []
elb_sgs = []
# COULD HAVE MULTIPLE ELB'S (PUBLIC / PRIVATE etc)
for elb in self.data["elb"]:
safe_name = elb["name"].replace("-", "").replace(".", "").replace("_", "")
# TEST FOR REQUIRED FIELDS AND EXIT IF MISSING ANY
for i in required_fields.keys():
if i not in elb.keys():
print "\n\n[ERROR] Missing ELB fields [%s]" % i
sys.exit(1)
load_balancer = LoadBalancer(
"ELB" + safe_name,
Subnets=[Ref("SubnetA"), Ref("SubnetB"), Ref("SubnetC")],
Listeners=elb["listeners"],
Scheme=elb["scheme"],
ConnectionDrainingPolicy=ConnectionDrainingPolicy(Enabled=True, Timeout=120),
Policies=[
Policy(
Attributes=[{"Name": "Reference-Security-Policy", "Value": "ELBSecurityPolicy-2015-05"}],
PolicyType="SSLNegotiationPolicyType",
PolicyName="PinDownSSLNegotiationPolicy201505",
)
],
)
if "health_check" in elb:
load_balancer.HealthCheck = HealthCheck(**elb["health_check"])
for listener in load_balancer.Listeners:
if listener["Protocol"] == "HTTPS":
try:
cert_name = elb["certificate_name"]
except KeyError:
raise errors.CfnConfigError("HTTPS listener but no certificate_name specified")
try:
self.ssl()[cert_name]["cert"]
self.ssl()[cert_name]["key"]
except KeyError:
raise errors.CfnConfigError("Couldn't find ssl cert {0} in config file".format(cert_name))
listener["SSLCertificateId"] = Join(
"",
[
"arn:aws:iam::",
Ref("AWS::AccountId"),
":server-certificate/",
"{0}-{1}".format(cert_name, self.stack_name),
],
)
# if not present, add the default cipher policy
if "PolicyNames" not in listener:
logging.debug(
"ELB Listener for port 443 has no SSL Policy. " + "Using default ELBSecurityPolicy-2015-05"
)
listener["PolicyNames"] = ["PinDownSSLNegotiationPolicy201505"]
elb_list.append(load_balancer)
dns_record = RecordSetGroup(
"DNS" + safe_name,
HostedZoneName=elb["hosted_zone"],
Comment="Zone apex alias targeted to ElasticLoadBalancer.",
RecordSets=[
RecordSet(
"TitleIsIgnoredForThisResource",
Name="%s.%s" % (elb["name"], elb["hosted_zone"]),
Type="A",
AliasTarget=AliasTarget(
GetAtt(load_balancer, "CanonicalHostedZoneNameID"), GetAtt(load_balancer, "DNSName")
),
)
],
)
elb_list.append(dns_record)
elb_role_policies = PolicyType(
"Policy" + safe_name,
PolicyName=safe_name + "BaseHost",
PolicyDocument={
"Statement": [
{
"Action": [
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
],
"Resource": [
Join(
"",
[
"arn:aws:elasticloadbalancing:",
Ref("AWS::Region"),
":",
Ref("AWS::AccountId"),
":loadbalancer/",
Ref(load_balancer),
],
)
],
"Effect": "Allow",
}
]
},
Roles=[Ref("BaseHostRole")],
)
elb_list.append(elb_role_policies)
if "security_groups" in elb:
load_balancer.SecurityGroups = []
for sg_name, sg_rules in elb["security_groups"].items():
sg = SecurityGroup(
sg_name, GroupDescription=sg_name, SecurityGroupIngress=sg_rules, VpcId=Ref("VPC")
)
load_balancer.SecurityGroups.append(Ref(sg))
elb_sgs.append(sg)
else:
sg = SecurityGroup(
"DefaultSG" + safe_name,
GroupDescription="DefaultELBSecurityGroup",
SecurityGroupIngress=[
{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0"},
],
VpcId=Ref("VPC"),
)
load_balancer.SecurityGroups = [Ref(sg)]
elb_sgs.append(sg)
# Add outputs
output_name = "ELB" + safe_name
logging.debug("config:elb:Adding output to ELB '%s'" % (output_name))
template.add_output(Output(output_name, Description="ELB DNSName", Value=GetAtt(load_balancer, "DNSName")))
# Update template with ELB resources
map(template.add_resource, elb_list)
map(template.add_resource, elb_sgs)
template = self._attach_elbs(template)
rule.IpProtocol = 'tcp'
home_ssh_rules.append(rule)
t.add_resource(rule)
# load balancer
elb_listener_80 = Listener(config['name'] + 'Ssl')
elb_listener_80.InstancePort = 80
elb_listener_80.LoadBalancerPort = 80
elb_listener_80.Protocol = 'HTTP'
elb_listener_80.InstanceProtocol = 'HTTP'
load_balancer = LoadBalancer(config['name'] + "Elb")
load_balancer.CrossZone = True
load_balancer.Listeners = [elb_listener_80]
load_balancer.Subnets = [Ref(subnet.title) for subnet in app_subnets]
load_balancer.SecurityGroups = [Ref(elb_sg)]
t.add_resource(load_balancer)
# launch configuration for consul server
consul_block_device = EBSBlockDevice(config['name'] + 'Ebs')
consul_block_device.DeleteOnTermination = config['consul_launch_config']['block_device']['delete_on_termination']
consul_block_device_mapping = BlockDeviceMapping(config['name'] + 'ConsulBlockDeviceMapping')
consul_block_device_mapping.DeviceName = '/dev/sda1'
consul_block_device_mapping.Ebs = consul_block_device
consul_launch_config = LaunchConfiguration(config['name'] + 'ConsulLaunchConfig')
consul_launch_config.AssociatePublicIpAddress = True
consul_launch_config.EbsOptimized = config['consul_launch_config']['ebs_optimized']
consul_launch_config.ImageId = config['consul_launch_config']['image_id']
consul_launch_config.KeyName = config['consul_launch_config']['key_name']