readonly internalSshSecurityGroup: ec2.ISecurityGroup | |
readonly publicIp: string |
constructor(scope: cdk.Construct, id: string, props: BastionHostProps) { | |
super(scope, id) | |
const externalSshSG = this.createAllowExternSshSG(props.vpc, props.peers) | |
this.internalSshSecurityGroup = this.createAllowInternalSshSG(props.vpc) | |
const snsTopic = new sns.Topic(this, 'autoscaling-notifications') | |
const externalIp = new ec2.CfnEIP(this, 'bastionhost-ip') | |
this.publicIp = externalIp.ref | |
this.createLambda(snsTopic, externalIp.ref) |
const asg = new autoscaling.AutoScalingGroup(this, 'bastion-selfheal-ASG', { | |
vpc: props.vpc, | |
allowAllOutbound: true, | |
associatePublicIpAddress: false, | |
keyName: props.keyName, | |
notificationsTopic: snsTopic, | |
instanceType: props.instanceType ? props.instanceType : new ec2.InstanceType('t3.micro'), | |
machineImage: props.image, | |
vpcSubnets: props.subnets ? props.subnets : { | |
onePerAz: true, |
/**
 * Creates the Lambda that reacts to Auto Scaling notifications for the bastion.
 *
 * The function is subscribed to `topic` and its inline code (built by
 * `createLambdaCode`) receives the Elastic IP it is expected to attach.
 *
 * @param topic - SNS topic the Auto Scaling Group publishes its notifications to.
 * @param ip - Elastic IP reference handed to the generated handler code.
 */
private createLambda(topic: sns.ITopic, ip: string) {
  // Build the pieces in the same order the original props literal evaluated them.
  const trigger = new eventSources.SnsEventSource(topic)
  const handlerCode = this.createLambdaCode(ip)
  const executionRole = this.createLambdaRole()
  // NOTE(review): nodejs8.10 is an end-of-life Lambda runtime. The inline code
  // relies on the aws-sdk v2 that ships with the older runtimes, so confirm the
  // replacement runtime still bundles it before moving off 8.10.
  new lambda.Function(this, "AutoScalingAttachIpLambda", {
    events: [trigger],
    code: handlerCode,
    runtime: lambda.Runtime.NODEJS_8_10,
    handler: "index.handler",
    role: executionRole,
  })
}
private createLambdaCode(publicIpAddress: string): lambda.Code { | |
return lambda.Code.inline(` | |
var AWS = require('aws-sdk'); | |
AWS.config.update({region: 'eu-central-1'}); | |
exports.handler = (event,context,callback) => { | |
console.log(event.Records[0].Sns.Message) | |
const message = JSON.parse(event.Records[0].Sns.Message); | |
console.log(message.Event) |
private createLambdaRole(): iam.Role { | |
const lambdaDocument = new iam.PolicyDocument(); | |
const associateAddressStatement = new iam.PolicyStatement(); | |
associateAddressStatement.addActions("ec2:AssociateAddress"); | |
associateAddressStatement.addResources(); | |
const logStatement = new iam.PolicyStatement() | |
logStatement.addActions("logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"); | |
logStatement.addAllResources() | |
lambdaDocument.addStatements(associateAddressStatement, logStatement); |
const externalSshSG = this.createAllowExternSshSG(props.vpc, props.peers) | |
const internalSshSecurityGroup = this.createAllowInternalSshSG(props.vpc) | |
const snsTopic = new sns.Topic(this, 'autoscaling-notifications') | |
const externalIp = new ec2.CfnEIP(this, 'bastionhost-ip') |
/**
 * Creates the security group used for SSH hops inside the VPC.
 *
 * The single ingress rule references the group itself: only resources that
 * are members of this same group may reach each other on TCP/22. No CIDR or
 * external peer is admitted by this group.
 *
 * @param vpc - VPC the security group is created in.
 * @returns The self-referencing internal SSH security group.
 */
private createAllowInternalSshSG(vpc: ec2.IVpc): ec2.SecurityGroup {
  const internalSg = new ec2.SecurityGroup(this, 'allow-ssh-internal-SG', { vpc })
  // Self-reference: membership in the group is the only way in on port 22.
  internalSg.addIngressRule(internalSg, ec2.Port.tcp(22))
  return internalSg
}
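/**
 * Configuration for the self-healing bastion host construct.
 */
export interface BastionHostProps {
  /** VPC that hosts the bastion's Auto Scaling Group and security groups. */
  readonly vpc: ec2.IVpc;
  /** Instance type for the bastion; the construct falls back to t3.micro when omitted. */
  readonly instanceType?: ec2.InstanceType;
  /** Machine image the Auto Scaling Group launches. */
  readonly image: ec2.IMachineImage;
  /**
   * Sources allowed to open TCP/22 to the bastion from outside. Each peer
   * becomes one ingress rule on the external SSH security group, so this
   * list is the construct's externally reachable edge — keep it narrow.
   */
  readonly peers: ec2.IPeer[];
  /** Name of the EC2 key pair installed on the bastion instances. */
  readonly keyName: string;
  /**
   * Subnets to place the Auto Scaling Group in. Optional: the constructor
   * reads `props.subnets` and substitutes its own selection when it is not
   * given, so the field is declared here so that access type-checks.
   */
  readonly subnets?: ec2.SubnetSelection;
}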
private createAllowExternSshSG(vpc: ec2.IVpc, peers: ec2.IPeer[]): ec2.SecurityGroup { | |
const sshSecurityGroup = new ec2.SecurityGroup(this, 'allow-ssh-external-SG', { | |
vpc: vpc | |
}) | |
peers.forEach(peer => { | |
sshSecurityGroup.addIngressRule(peer, ec2.Port.tcp(22)) | |
}); | |
return sshSecurityGroup |