aws-cdk-fargate-vpc-endpoint-service-example
import * as cdk from '@aws-cdk/core';
import ec2 = require('@aws-cdk/aws-ec2');
import ecs = require('@aws-cdk/aws-ecs');
import efs = require('@aws-cdk/aws-efs');
import sm = require('@aws-cdk/aws-secretsmanager');
import ad = require('@aws-cdk/aws-directoryservice');
import ecsp = require('@aws-cdk/aws-ecs-patterns');
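/**
 * Props for {@link EfsFargateStack}.
 *
 * Extends plain `cdk.StackProps`, so callers that pass `cdk.StackProps`
 * (or nothing) keep working unchanged.
 */
export interface EfsFargateStackProps extends cdk.StackProps {
  /**
   * CIDR block allowed to reach the interface endpoint on TCP/80.
   * When omitted the endpoint security group admits any IPv4 source,
   * which is the original demo behaviour; set it to your consumer
   * CIDR block(s) for anything beyond a demo.
   */
  readonly endpointIngressCidr?: string;
}

/**
 * Demo stack wiring two VPCs together over PrivateLink:
 *
 * - "left" VPC: the account's default VPC (looked up), which hosts a Managed
 *   Microsoft AD plus a DHCP options set and the consumer-side interface endpoint;
 * - "right" VPC: a new VPC (`10.32.0.0/16`) running an EFS file system and a
 *   network-load-balanced Fargate service that is exposed as a VPC endpoint service.
 *
 * @param scope parent construct (normally the `cdk.App`)
 * @param id    construct id of the stack
 * @param props optional stack props; see {@link EfsFargateStackProps}
 */
export class EfsFargateStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: EfsFargateStackProps) {
    super(scope, id, props);

    // ---- VPC networking -------------------------------------------------
    // Left VPC: the account's default VPC, which carries the AD and its own
    // (non-AWS) DNS.  A fresh VPC is commented out as the alternative.
    const vpc = ec2.Vpc.fromLookup(this, 'vpc', { isDefault: true }); // new ec2.Vpc(this, 'Vpc', { maxAzs: 2 });

    // NOTE(review): a default VPC normally has only public subnets, so this
    // list may come back empty and the AD below would then fail to deploy —
    // confirm against the looked-up VPC.
    const privateSubnetIds = vpc.privateSubnets
      .slice(0, 2)
      .map((subnet) => subnet.subnetId);

    // ---- Active Directory -----------------------------------------------
    const adDnsDomainName = 'ad.aws.javydekoning.com';

    // Admin credentials live in Secrets Manager; only the password is
    // generated, the username is fixed in the template.
    const templatedSecret = new sm.Secret(this, adDnsDomainName + '_credentials', {
      generateSecretString: {
        secretStringTemplate: JSON.stringify({ username: 'admin' }),
        generateStringKey: 'password',
      },
    });

    const microsoftAd = new ad.CfnMicrosoftAD(this, 'ad', {
      name: adDnsDomainName,
      // Resolved at deploy time as a Secrets Manager dynamic reference, so the
      // plaintext password never lands in the synthesized template source.
      password: templatedSecret.secretValueFromJson('password').toString(),
      vpcSettings: {
        vpcId: vpc.vpcId,
        subnetIds: privateSubnetIds,
      },
    });

    // DHCP options pointing at the AD DNS servers.
    // NOTE(review): this option set is created but never associated with a VPC
    // in this stack (no CfnVPCDHCPOptionsAssociation), so it has no effect as
    // written — confirm whether the association was intended.
    new ec2.CfnDHCPOptions(this, 'dhcpOptions', {
      domainName: adDnsDomainName,
      domainNameServers: microsoftAd.attrDnsIpAddresses,
    });

    // Right VPC: hosts the workload and the endpoint service.
    const appVpc = new ec2.Vpc(this, 'appVpc', {
      cidr: '10.32.0.0/16',
    });

    // ---- EFS ------------------------------------------------------------
    const fileSystem = new efs.FileSystem(this, 'nfs-fs', {
      vpc: appVpc,
      throughputMode: efs.ThroughputMode.PROVISIONED,
      provisionedThroughputPerSecond: cdk.Size.mebibytes(8),
    });

    // ---- ECS Fargate ----------------------------------------------------
    const volume: ecs.Volume = {
      name: 'volume',
      efsVolumeConfiguration: {
        fileSystemId: fileSystem.fileSystemId,
      },
    };

    const taskDefinition = new ecs.TaskDefinition(this, 'taskdef', {
      compatibility: ecs.Compatibility.FARGATE,
      cpu: '1024',
      memoryMiB: '4096',
      volumes: [volume],
    });

    const container = taskDefinition.addContainer('Ssh', {
      image: ecs.ContainerImage.fromRegistry('containous/whoami'),
      logging: new ecs.AwsLogDriver({
        streamPrefix: '/ecs/whoami',
      }),
    });
    container.addMountPoints({
      containerPath: '/efs',
      sourceVolume: volume.name,
      readOnly: false,
    });
    container.addPortMappings({
      containerPort: 80,
      protocol: ecs.Protocol.TCP,
    });

    const cluster = new ecs.Cluster(this, 'awsvpc-ecs-demo-cluster', {
      vpc: appVpc,
    });

    const fargateService = new ecsp.NetworkLoadBalancedFargateService(this, 'mysvc', {
      cluster,
      taskDefinition,
      desiredCount: 2,
      listenerPort: 80,
    });

    // Expose the NLB as a PrivateLink endpoint service.  With
    // acceptanceRequired=false any principal that is permitted to discover the
    // service gets connected without manual approval; no allowedPrincipals are
    // set here, so keep an eye on who can reach the service name.
    const endPointService = new ec2.VpcEndpointService(this, 'endpoint', {
      acceptanceRequired: false,
      vpcEndpointServiceLoadBalancers: [fargateService.loadBalancer],
    });

    // Task security group: TCP/80 from anywhere.  The tasks sit in appVpc's
    // private subnets behind the NLB, so in practice this only admits
    // in-VPC sources; scoping it to appVpc's CIDR would make that explicit.
    fargateService.service.connections.allowFromAnyIpv4(ec2.Port.tcp(80));

    // NFS from the task security group only.
    fileSystem.connections.allowFrom(
      fargateService.service.connections.securityGroups[0],
      ec2.Port.tcp(2049)
    );

    // ---- Interface endpoint (consumer side, in the left VPC) -------------
    const endpointSecurityGroup = new ec2.SecurityGroup(this, 'mySecurityGroup', {
      vpc,
      allowAllOutbound: true,
    });

    // Allow traffic on port 80.  Defaults to any IPv4 (the demo behaviour);
    // pass `endpointIngressCidr` to scope this down to your CIDR block.
    const ingressCidr = props ? props.endpointIngressCidr : undefined;
    const endpointIngressPeer =
      ingressCidr !== undefined ? ec2.Peer.ipv4(ingressCidr) : ec2.Peer.anyIpv4();
    endpointSecurityGroup.connections.allowFrom(endpointIngressPeer, ec2.Port.tcp(80));

    vpc.addInterfaceEndpoint('endpoint', {
      service: {
        name: endPointService.vpcEndpointServiceName,
        port: 80,
        privateDnsDefault: false,
      },
      securityGroups: [endpointSecurityGroup],
    });
  }
}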
#!/usr/bin/env node
import 'source-map-support/register';
import * as cdk from '@aws-cdk/core';
import { EfsFargateStack } from '../lib/efs-fargate-stack';
// CDK entry point: synthesizes a single EfsFargateStack into a fixed
// account/region with a project tag.
const app = new cdk.App();

const prodProps: cdk.StackProps = {
  // Explicit env so Vpc.fromLookup inside the stack can resolve the default VPC.
  env: {
    account: '922457306128',
    region: 'eu-west-1',
  },
  tags: {
    Project: 'CDKDemo',
  },
};

new EfsFargateStack(app, 'EfsFargateStack', prodProps);