Created
April 13, 2021 14:41
-
-
Save javydekoning/c59b15cd773143c9b0f70d77d50fcde3 to your computer and use it in GitHub Desktop.
aws-cdk-fargate-vpc-endpoint-service-example
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import * as cdk from '@aws-cdk/core'; | |
| import ec2 = require('@aws-cdk/aws-ec2'); | |
| import ecs = require('@aws-cdk/aws-ecs'); | |
| import efs = require('@aws-cdk/aws-efs'); | |
| import sm = require('@aws-cdk/aws-secretsmanager'); | |
| import ad = require('@aws-cdk/aws-directoryservice'); | |
| import ecsp = require('@aws-cdk/aws-ecs-patterns'); | |
| export class EfsFargateStack extends cdk.Stack { | |
| constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) { | |
| super(scope, id, props); | |
| // VPC Networking | |
| // Left VPC (With AD & DNS own (non-aws) DNS) | |
| const vpc = ec2.Vpc.fromLookup(this, 'vpc', { isDefault: true }); // new ec2.Vpc(this, 'Vpc', { maxAzs: 2 }); | |
| const privateSubnets = vpc.privateSubnets | |
| .slice(0, 2) | |
| .map((x) => x.subnetId); | |
| //ActiveDirectory | |
| const adDnsDomainName = 'ad.aws.javydekoning.com'; | |
| const templatedSecret = new sm.Secret( | |
| this, | |
| adDnsDomainName + '_credentials', | |
| { | |
| generateSecretString: { | |
| secretStringTemplate: JSON.stringify({ username: 'admin' }), | |
| generateStringKey: 'password', | |
| }, | |
| } | |
| ); | |
| const mad = new ad.CfnMicrosoftAD(this, 'ad', { | |
| name: adDnsDomainName, | |
| password: templatedSecret.secretValueFromJson('password').toString(), | |
| vpcSettings: { | |
| vpcId: vpc.vpcId, | |
| subnetIds: privateSubnets, | |
| }, | |
| }); | |
| const dhcpOptions = new ec2.CfnDHCPOptions(this, 'dhcpOptions', { | |
| domainName: adDnsDomainName, | |
| domainNameServers: mad.attrDnsIpAddresses, | |
| }); | |
| //Right VPC | |
| const appVpc = new ec2.Vpc(this, 'appVpc', { | |
| cidr: '10.32.0.0/16', | |
| }); | |
| //EFS | |
| const fs = new efs.FileSystem(this, 'nfs-fs', { | |
| vpc: appVpc, | |
| throughputMode: efs.ThroughputMode.PROVISIONED, | |
| provisionedThroughputPerSecond: cdk.Size.mebibytes(8), | |
| }); | |
| //ECS Fargate | |
| const volume: ecs.Volume = { | |
| name: 'volume', | |
| efsVolumeConfiguration: { | |
| fileSystemId: fs.fileSystemId, | |
| }, | |
| }; | |
| const taskDefinition = new ecs.TaskDefinition(this, 'taskdef', { | |
| compatibility: ecs.Compatibility.FARGATE, | |
| cpu: '1024', | |
| memoryMiB: '4096', | |
| volumes: [volume], | |
| }); | |
| const container = taskDefinition.addContainer('Ssh', { | |
| image: ecs.ContainerImage.fromRegistry('containous/whoami'), | |
| logging: new ecs.AwsLogDriver({ | |
| streamPrefix: '/ecs/whoami', | |
| }), | |
| }); | |
| container.addMountPoints({ | |
| containerPath: '/efs', | |
| sourceVolume: volume.name, | |
| readOnly: false, | |
| }); | |
| container.addPortMappings({ | |
| containerPort: 80, | |
| protocol: ecs.Protocol.TCP, | |
| }); | |
| const cluster = new ecs.Cluster(this, 'awsvpc-ecs-demo-cluster', { | |
| vpc: appVpc, | |
| }); | |
| const fargateService = new ecsp.NetworkLoadBalancedFargateService( | |
| this, | |
| 'mysvc', | |
| { | |
| cluster, | |
| taskDefinition, | |
| desiredCount: 2, | |
| listenerPort: 80, | |
| } | |
| ); | |
| const endPointService = new ec2.VpcEndpointService(this, 'endpoint', { | |
| acceptanceRequired: false, | |
| vpcEndpointServiceLoadBalancers: [fargateService.loadBalancer], | |
| }); | |
| fargateService.service.connections.allowFromAnyIpv4(ec2.Port.tcp(80)); | |
| fs.connections.allowFrom( | |
| fargateService.service.connections.securityGroups[0], | |
| ec2.Port.tcp(2049) | |
| ); | |
| //Endpoint | |
| const enpointSecurityGroup = new ec2.SecurityGroup( | |
| this, | |
| 'mySecurityGroup', | |
| { | |
| vpc, | |
| allowAllOutbound: true, | |
| } | |
| ); | |
| //Allow Traffic from on port 80, you should scope this down to your CIDR Blocks. | |
| enpointSecurityGroup.connections.allowFromAnyIpv4(ec2.Port.tcp(80)); | |
| vpc.addInterfaceEndpoint('endpoint', { | |
| service: { | |
| name: endPointService.vpcEndpointServiceName, | |
| port: 80, | |
| privateDnsDefault: false, | |
| }, | |
| securityGroups: [enpointSecurityGroup], | |
| }); | |
| } | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env node | |
| import 'source-map-support/register'; | |
| import * as cdk from '@aws-cdk/core'; | |
| import { EfsFargateStack } from '../lib/efs-fargate-stack'; | |
| const prod: cdk.StackProps = { | |
| env: { account: '922457306128', region: 'eu-west-1' }, | |
| tags: { Project: 'CDKDemo' }, | |
| }; | |
| const app = new cdk.App(); | |
| new EfsFargateStack(app, 'EfsFargateStack', prod); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment