Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
'WebServerInstanceProfile',
Path='/',
Roles=[Ref(webserverrole)],
))
webserversg = template.add_resource(ec2.SecurityGroup(
'WebServerSecurityGroup',
GroupDescription='Enable HTTP and SSH access',
SecurityGroupIngress=[
ec2.SecurityGroupRule(
IpProtocol='tcp',
FromPort='22',
ToPort='22',
CidrIp=Ref(sshlocation),
),
ec2.SecurityGroupRule(
IpProtocol='tcp',
FromPort='80',
ToPort='80',
CidrIp='0.0.0.0/0',
)
]
))
webserverinstance = template.add_resource(ec2.Instance(
'WebServerInstance',
Metadata=cloudformation.Metadata(
cloudformation.Init({
'config': cloudformation.InitConfig(
packages={
'yum': {
'httpd': [],
def _port_to_dict(port, configuration):
return ec2.SecurityGroupRule(**{
'FromPort': port,
'ToPort': configuration.get('guest', port),
'IpProtocol': configuration.get('protocol', 'tcp'),
'CidrIp': configuration.get('cidr-ip', '0.0.0.0/0'),
})
def create_nat_security_groups(self):
t = self.template
# First setup the NAT Security Group Rules
nat_private_in_all_rule = ec2.SecurityGroupRule(
IpProtocol='-1', FromPort='-1', ToPort='-1',
SourceSecurityGroupId=Ref(DEFAULT_SG))
nat_public_out_all_rule = ec2.SecurityGroupRule(
IpProtocol='-1', FromPort='-1', ToPort='-1', CidrIp='0.0.0.0/0')
return t.add_resource(ec2.SecurityGroup(
NAT_SG,
VpcId=VPC_ID,
GroupDescription='NAT Instance Security Group',
SecurityGroupIngress=[nat_private_in_all_rule],
SecurityGroupEgress=[nat_public_out_all_rule, ]))
def setup_security_group(self):
self._resources.update({
'Ec2InstanceSecurityGroup': ec2.SecurityGroup(
'Ec2InstanceSecurityGroup',
GroupDescription='Enable Streamlit access via port 8501 and SSH access via port 22',
SecurityGroupIngress=[
ec2.SecurityGroupRule(
IpProtocol='tcp',
FromPort='22',
ToPort='22',
CidrIp=Ref(self._parameters['SshLocation'])),
ec2.SecurityGroupRule(
IpProtocol='tcp',
FromPort='8501',
ToPort='8501',
CidrIp=Ref(self._parameters['SshLocation'])),
],
VpcId=Ref(self._parameters['VpcId']),
Tags=Tags(
Application=self._stack_id,
Name=Sub('Streamlit Security Group (${AWS::StackName})'),
),
DependsOn='StackDeletorRole',
),
IpProtocol='tcp', CidrIp=VPC_CIDR, FromPort=p, ToPort=p
)
for p in [HTTP]
],
Tags=self.get_tags(Name=app_server_lb_security_group_name)
))
app_server_security_group_name = 'sgAppServer'
app_server_security_group = self.add_resource(ec2.SecurityGroup(
app_server_security_group_name,
DependsOn='sgAppServerLoadBalancer',
GroupDescription='Enables access to application servers',
VpcId=Ref(self.vpc_id),
SecurityGroupIngress=[
ec2.SecurityGroupRule(
IpProtocol='tcp', CidrIp=VPC_CIDR, FromPort=p, ToPort=p
)
for p in [SSH, HTTP]
] + [
ec2.SecurityGroupRule(
IpProtocol='tcp', SourceSecurityGroupId=Ref(sg),
FromPort=HTTP, ToPort=HTTP
)
for sg in [app_server_lb_security_group]
],
SecurityGroupEgress=[
ec2.SecurityGroupRule(
IpProtocol='tcp', CidrIp=VPC_CIDR, FromPort=p, ToPort=p
)
for p in [POSTGRESQL, REDIS]
] + [
# Select a random AvailabilityZone within given AWS Region.
zone = Select(0, GetAZs(""))
# S3 bucket to hold {Flocker, Docker, Swarm} configuration for distribution
# between nodes.
s3bucket = Bucket('ClusterConfig',
DeletionPolicy='Retain')
template.add_resource(s3bucket)
# Create SecurityGroup for cluster instances.
instance_sg = template.add_resource(
ec2.SecurityGroup(
"InstanceSecurityGroup",
GroupDescription="Enable ingress access on all protocols and ports.",
SecurityGroupIngress=[
ec2.SecurityGroupRule(
IpProtocol=protocol,
FromPort="0",
ToPort="65535",
CidrIp="0.0.0.0/0",
) for protocol in ('tcp', 'udp')
]
)
)
# Base for post-boot {Flocker, Docker, Swarm} configuration on the nodes.
base_user_data = [
'#!/bin/bash\n',
'aws_region="', Ref("AWS::Region"), '"\n',
'aws_zone="', zone, '"\n',
'access_key_id="', Ref(access_key_id_param), '"\n',
'secret_access_key="', Ref(secret_access_key_param), '"\n',
def configure_security_groups(vpc_subnet, vpc_id):
node_sec_group = ec2.SecurityGroup('DustNodeSG')
node_sec_group.GroupDescription = "Allow incoming ssh and icmp and all intracluster tcp"
if vpc_subnet:
node_sec_group.VpcId = vpc_id
ssh_in_rule = ec2.SecurityGroupRule()
ssh_in_rule.FromPort = 22
ssh_in_rule.ToPort = 22
ssh_in_rule.CidrIp = "0.0.0.0/0"
ssh_in_rule.IpProtocol = 'tcp'
icmp_in_rule = ec2.SecurityGroupRule()
icmp_in_rule.FromPort = -1
icmp_in_rule.ToPort = -1
icmp_in_rule.CidrIp = "0.0.0.0/0"
icmp_in_rule.IpProtocol = 'icmp'
node_sec_group.SecurityGroupIngress = [ssh_in_rule, icmp_in_rule]
intracluster_sec_group = ec2.SecurityGroupIngress('DustIntraClusterSG')
if vpc_subnet:
intracluster_sec_group.GroupId = Ref(node_sec_group)
def construct_network(self):
"""
Main function to construct VPC, subnets, security groups, NAT instances, etc
"""
network_config = self.network_config
nat_config = self.nat_config
az_count = self.az_count
self.add_network_cidr_mapping(network_config=network_config)
self._prepare_subnets(self._subnet_configs)
self.create_network_components(network_config=network_config, nat_config=nat_config)
self._common_security_group = self.add_resource(ec2.SecurityGroup('commonSecurityGroup',
GroupDescription='Security Group allows ingress and egress for common usage patterns throughout this deployed infrastructure.',
VpcId=self.vpc_id,
SecurityGroupEgress=[ec2.SecurityGroupRule(
FromPort='80',
ToPort='80',
IpProtocol='tcp',
CidrIp='0.0.0.0/0'),
ec2.SecurityGroupRule(
FromPort='443',
ToPort='443',
IpProtocol='tcp',
CidrIp='0.0.0.0/0'),
ec2.SecurityGroupRule(
FromPort='123',
ToPort='123',
IpProtocol='udp',
CidrIp='0.0.0.0/0')],
SecurityGroupIngress=[
ec2.SecurityGroupRule(
)
for p in [SSH, HTTP]
] + [
ec2.SecurityGroupRule(
IpProtocol='tcp', SourceSecurityGroupId=Ref(sg),
FromPort=HTTP, ToPort=HTTP
)
for sg in [worker_lb_security_group]
],
SecurityGroupEgress=[
ec2.SecurityGroupRule(
IpProtocol='tcp', CidrIp=VPC_CIDR, FromPort=p, ToPort=p
)
for p in [POSTGRESQL, REDIS]
] + [
ec2.SecurityGroupRule(
IpProtocol='tcp', CidrIp=ALLOW_ALL_CIDR, FromPort=p,
ToPort=p
)
for p in [HTTP, HTTPS]
],
Tags=self.get_tags(Name=worker_security_group_name)
))
return worker_lb_security_group, worker_security_group
))
app_server_security_group_name = 'sgAppServer'
app_server_security_group = self.add_resource(ec2.SecurityGroup(
app_server_security_group_name,
DependsOn='sgAppServerLoadBalancer',
GroupDescription='Enables access to application servers',
VpcId=Ref(self.vpc_id),
SecurityGroupIngress=[
ec2.SecurityGroupRule(
IpProtocol='tcp', CidrIp=VPC_CIDR, FromPort=p, ToPort=p
)
for p in [SSH, HTTP]
] + [
ec2.SecurityGroupRule(
IpProtocol='tcp', SourceSecurityGroupId=Ref(sg),
FromPort=HTTP, ToPort=HTTP
)
for sg in [app_server_lb_security_group]
],
SecurityGroupEgress=[
ec2.SecurityGroupRule(
IpProtocol='tcp', CidrIp=VPC_CIDR, FromPort=p, ToPort=p
)
for p in [POSTGRESQL, REDIS]
] + [
ec2.SecurityGroupRule(
IpProtocol='tcp', CidrIp=ALLOW_ALL_CIDR, FromPort=p,
ToPort=p
)
for p in [HTTP, HTTPS]