/** Security group whose members may SSH to each other; assigned in the constructor from createAllowInternalSshSG(). */
readonly internalSshSecurityGroup: ec2.ISecurityGroup
/** The Elastic IP allocated for the bastion (the CfnEIP ref), assigned in the constructor. */
readonly publicIp: string
| constructor(scope: cdk.Construct, id: string, props: BastionHostProps) { | |
| super(scope, id) | |
| const externalSshSG = this.createAllowExternSshSG(props.vpc, props.peers) | |
| this.internalSshSecurityGroup = this.createAllowInternalSshSG(props.vpc) | |
| const snsTopic = new sns.Topic(this, 'autoscaling-notifications') | |
| const externalIp = new ec2.CfnEIP(this, 'bastionhost-ip') | |
| this.publicIp = externalIp.ref | |
| this.createLambda(snsTopic, externalIp.ref) |
| const asg = new autoscaling.AutoScalingGroup(this, 'bastion-selfheal-ASG', { | |
| vpc: props.vpc, | |
| allowAllOutbound: true, | |
| associatePublicIpAddress: false, | |
| keyName: props.keyName, | |
| notificationsTopic: snsTopic, | |
| instanceType: props.instanceType ? props.instanceType : new ec2.InstanceType('t3.micro'), | |
| machineImage: props.image, | |
| vpcSubnets: props.subnets ? props.subnets : { | |
| onePerAz: true, |
/**
 * Creates the Lambda function that re-attaches the bastion's Elastic IP
 * after the autoscaling group replaces the instance.
 *
 * The function is triggered by the autoscaling notification topic, runs the
 * inline code produced by createLambdaCode() and executes under the role
 * produced by createLambdaRole().
 *
 * @param topic SNS topic the autoscaling group publishes lifecycle notifications to.
 * @param ip    Elastic IP address (or allocation ref) baked into the handler code.
 */
private createLambda(topic: sns.ITopic, ip: string): void {
  const handlerProps = {
    events: [new eventSources.SnsEventSource(topic)],
    code: this.createLambdaCode(ip),
    // NOTE(review): nodejs8.10 is an end-of-life Lambda runtime that no
    // longer receives security updates; move to a supported Node.js runtime
    // once the CDK version in use exposes one.
    runtime: lambda.Runtime.NODEJS_8_10,
    handler: "index.handler",
    role: this.createLambdaRole(),
  };
  new lambda.Function(this, "AutoScalingAttachIpLambda", handlerProps);
}
| private createLambdaCode(publicIpAddress: string): lambda.Code { | |
| return lambda.Code.inline(` | |
| var AWS = require('aws-sdk'); | |
| AWS.config.update({region: 'eu-central-1'}); | |
| exports.handler = (event,context,callback) => { | |
| console.log(event.Records[0].Sns.Message) | |
| const message = JSON.parse(event.Records[0].Sns.Message); | |
| console.log(message.Event) |
| private createLambdaRole(): iam.Role { | |
| const lambdaDocument = new iam.PolicyDocument(); | |
| const associateAddressStatement = new iam.PolicyStatement(); | |
| associateAddressStatement.addActions("ec2:AssociateAddress"); | |
| associateAddressStatement.addResources(); | |
| const logStatement = new iam.PolicyStatement() | |
| logStatement.addActions("logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"); | |
| logStatement.addAllResources() | |
| lambdaDocument.addStatements(associateAddressStatement, logStatement); |
| const externalSshSG = this.createAllowExternSshSG(props.vpc, props.peers) | |
| const internalSshSecurityGroup = this.createAllowInternalSshSG(props.vpc) | |
| const snsTopic = new sns.Topic(this, 'autoscaling-notifications') | |
| const externalIp = new ec2.CfnEIP(this, 'bastionhost-ip') |
/**
 * Creates the security group used for SSH between the bastion and the hosts
 * it is allowed to reach.
 *
 * The only inbound rule is TCP/22 from members of the same group (the group
 * is both the owner and the source of the rule), so SSH is permitted between
 * resources attached to it and nothing else is opened inbound. Outbound
 * behaviour is not configured here.
 *
 * @param vpc VPC the security group is created in.
 * @returns the new security group.
 */
private createAllowInternalSshSG(vpc: ec2.IVpc): ec2.SecurityGroup {
  const sg = new ec2.SecurityGroup(this, 'allow-ssh-internal-SG', { vpc })
  // Self-referencing ingress rule: source and target are the same group.
  sg.addIngressRule(sg, ec2.Port.tcp(22))
  return sg
}
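/**
 * Configuration for the self-healing bastion host construct.
 */
export interface BastionHostProps {
  /** VPC the bastion, its security groups and its autoscaling group live in. */
  readonly vpc: ec2.IVpc;
  /** Instance type of the bastion; the constructor falls back to t3.micro when omitted. */
  readonly instanceType?: ec2.InstanceType;
  /** Machine image the autoscaling group launches. */
  readonly image: ec2.IMachineImage;
  /**
   * Sources granted inbound TCP/22 on the external SSH security group.
   * Keep this to the narrowest set of known CIDRs or security groups;
   * each entry becomes an ingress rule on the bastion.
   */
  readonly peers: ec2.IPeer[];
  /** Name of the EC2 key pair used to log in to the bastion. */
  readonly keyName: string;
  /**
   * Subnets the autoscaling group places the bastion in. The constructor reads
   * this as `props.subnets` for the group's `vpcSubnets` and applies its own
   * selection when it is omitted, so it is declared here as optional.
   */
  readonly subnets?: ec2.SubnetSelection;
}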
| private createAllowExternSshSG(vpc: ec2.IVpc, peers: ec2.IPeer[]): ec2.SecurityGroup { | |
| const sshSecurityGroup = new ec2.SecurityGroup(this, 'allow-ssh-external-SG', { | |
| vpc: vpc | |
| }) | |
| peers.forEach(peer => { | |
| sshSecurityGroup.addIngressRule(peer, ec2.Port.tcp(22)) | |
| }); | |
| return sshSecurityGroup |