Skip to content

Instantly share code, notes, and snippets.

@kevink

kevink/index.ts

Created March 25, 2020 21:51
Show Gist options
  • Save kevink/ba6ebffc99a23efd750c2890a976a192 to your computer and use it in GitHub Desktop.
Save kevink/ba6ebffc99a23efd750c2890a976a192 to your computer and use it in GitHub Desktop.
Download ZIP
Test Script for AWS infra
Raw
index.ts
// Copyright 2016-2019, Pulumi Corporation. All rights reserved.
import * as aws from "@pulumi/aws";
import * as awsx from "@pulumi/awsx";
import * as pulumi from "@pulumi/pulumi";
//import { VpcEndpointService } from "@pulumi/aws/ec2";
// ****************************************************************************************************************************************
// Grab some secrets from our config file
// ****************************************************************************************************************************************
// Get the config ready to go.
const config = new pulumi.Config();
// If keyName is provided, an existing KeyPair is used, else if publicKey is provided a new KeyPair derived from the publicKey is created.
let keyName: pulumi.Input<string> = config.get("keyName");
const publicKey = config.get("publicKey");
// The privateKey associated with the selected key must be provided (either directly or base64 encoded), along with an optional passphrase if needed.
const privateKey = config.requireSecret("privateKey").apply(key => {
if (key.startsWith("-----BEGIN RSA PRIVATE KEY-----")) {
return key;
} else {
return Buffer.from(key, "base64").toString("ascii");
}
});
const privateKeyPassphrase = config.getSecret("privateKeyPassphrase");
// ****************************************************************************************************************************************
// Setup VPC, Security Groups
// ****************************************************************************************************************************************
const vpc = new awsx.ec2.Vpc("api-vpc", {
cidrBlock: "10.1.0.0/16",
//enableDnsHostnames: true,
//enableDnsSupport: true,
numberOfAvailabilityZones: 2,
subnets: [
// { type: "public" },
{ type: "private" },
// { type: "isolated", name: "db" },
// { type: "isolated", name: "redis" },
],
tags: { Name: "api-vpc" }
});
const igw = new aws.ec2.InternetGateway("api-igw", {
vpcId: vpc.id,
tags: { Name: "api-igw" }
});
const generateSubnet = (name: string, cidr: string, az: string, vpc: awsx.ec2.Vpc) => {
return new aws.ec2.Subnet(name, {
cidrBlock: cidr,
vpcId: vpc.id,
availabilityZone: az,
//mapPublicIpOnLaunch: true,
tags: { Name: "api-subnet-" + az },
});
};
const subnet1 = generateSubnet("api-subnet1", "10.1.0.0/20", "us-west-2a", vpc);
const subnet2 = generateSubnet("api-subnet2", "10.1.16.0/20", "us-west-2b", vpc);
// Create a new security group that permits SSH and web access.
const secgrp = new aws.ec2.SecurityGroup("api-secgrp", {
vpcId: vpc.id,
description: "api-secgrp",
ingress: [
{ protocol: "tcp", fromPort: 22, toPort: 22, cidrBlocks: ["0.0.0.0/0"] },
{ protocol: "tcp", fromPort: 80, toPort: 80, cidrBlocks: ["0.0.0.0/0"] },
{ protocol: "tcp", fromPort: 443, toPort: 443, cidrBlocks: ["0.0.0.0/0"] },
{ protocol: "tcp", fromPort: 3306, toPort: 3306, cidrBlocks: ["216.160.116.174/32"] }, // whitelist my home network
{ protocol: "tcp", fromPort: 3306, toPort: 3306, cidrBlocks: ["10.0.0.0/16"] }, // whitelist internal network
{ protocol: "tcp", fromPort: 3306, toPort: 3306, cidrBlocks: ["172.31.0.0/16"] }, // whitelist internal network
],
egress: [
{ protocol: "-1", fromPort: 0, toPort: 0, cidrBlocks: [ "0.0.0.0/0" ] },
],
tags: { Name: "api-secgrp" },
});
// Create a route table for Internet access
const rt = new aws.ec2.RouteTable("api-rt-inet", {
vpcId: vpc.id,
routes: [
{ cidrBlock: "0.0.0.0/0", gatewayId: igw.id },
],
tags: { Name: "api-rt" },
});
// ****************************************************************************************************************************************
// Setup our EC2 Instance
// ****************************************************************************************************************************************
// Get our Debian AMI
const amiId = aws.getAmi({
owners: ["379101102735"],
mostRecent: true,
filters: [{
name: "name",
values: ["debian-stretch-hvm-x86_64-gp2-2020-02-10-73984"],
}],
}, { async: true }).then(ami => ami.id);
// Create a small EC2 server that we'll then provision stuff onto.
const size = "t2.micro";
if (!keyName) {
const key = new aws.ec2.KeyPair("key", { publicKey });
keyName = key.keyName;
}
// Launch it in the sec group we made above
const apiserver = new aws.ec2.Instance("api-server", {
instanceType: size,
availabilityZone: "us-west-2a",
ami: amiId,
keyName: keyName,
vpcSecurityGroupIds: [ secgrp.id ],
tags: {
Name: "api-server",
},
ebsBlockDevices: [
{
volumeSize: 15,
encrypted: true,
deviceName: "/dev/xvdh"
}
],
volumeTags: {
snapshotable: "true"
},
});
// make sure we can ssh in
const conn = {
host: apiserver.publicIp,
username: "ec2-user",
privateKey,
privateKeyPassphrase,
};
// ****************************************************************************************************************************************
// Create our database instance
// ****************************************************************************************************************************************
// Create a new subnet group for the database from our subnets
const dbSubnetGroup = new aws.rds.SubnetGroup("api-dbsubnets", {
subnetIds: [subnet1.id,subnet2.id],
});
const db = new aws.rds.Instance("api-mysqldb", {
engine: "mysql",
availabilityZone: "us-west-2a",
instanceClass: "db.t2.micro",
allocatedStorage: 20,
publiclyAccessible: true,
dbSubnetGroupName: dbSubnetGroup.name,
vpcSecurityGroupIds: [ secgrp.id ],
name: "absdata",
username: "absdata",
password: config.getSecret("dbPassword"),
skipFinalSnapshot: true,
});
// ****************************************************************************************************************************************
// Create our application load balancer, TargetGroups and Listener
// ****************************************************************************************************************************************
const alb = new aws.lb.LoadBalancer("api-lb", {
// accessLogs: {
// bucket: aws_s3_bucket_lb_logs.bucket,
// enabled: true,
// prefix: "test-lb",
// },
//enableDeletionProtection: true,
internal: false,
loadBalancerType: "application",
securityGroups: [secgrp.id],
subnets: [subnet1.id, subnet2.id],
tags: {
Environment: "production",
},
});
const tg1 = new aws.lb.TargetGroup("api-tg1", {
port: 80,
protocol: "HTTP",
vpcId: vpc.id,
});
const tg2 = new aws.lb.TargetGroup("api-tg2", {
port: 80,
protocol: "HTTP",
vpcId: vpc.id,
});
// Fixed-response Listener
const listener = new aws.lb.Listener("api-listener", {
certificateArn: "arn:aws:acm:us-west-2:353450002364:certificate/ebcfcee2-883d-4667-ac80-911bb99e8c93",
defaultActions: [{
targetGroupArn: tg1.arn,
type: "forward",
}],
loadBalancerArn: alb.arn,
port: 443,
protocol: "HTTPS",
sslPolicy: "ELBSecurityPolicy-2016-08",
});
const generateListenerRule = (
name: string,
path: string,
tg: aws.lb.TargetGroup,
listener: aws.lb.Listener
) => {
return new aws.lb.ListenerRule(name, {
actions: [{
targetGroupArn: tg.arn,
type: "forward",
}],
conditions: [
{
pathPattern: {
values: [path],},
},
//{
//hostHeader: {
// values: ["example.com"], },
//},
],
listenerArn: listener.arn,
priority: 100,
});
};
const listenerRule1 = generateListenerRule("api-listener1", "/bigotpp", tg1, listener);
const listenerRule2 = generateListenerRule("api-listener2", "/tiregurus", tg2, listener);
// Export the resulting URL so that it's easy to access.
export const albIp = alb.id;
//export const endpoint = listener.endpoint.hostname;
export const publicIp = apiserver.publicIp;
//export const publicHostName = apiserver.publicDns;
export const database = db.endpoint;
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment