Exemple #1
0
 public MyStack()
 {
     var ptfeServiceVpcEndpoint = new Aws.Ec2.VpcEndpoint("ptfeServiceVpcEndpoint", new Aws.Ec2.VpcEndpointArgs
     {
         PrivateDnsEnabled = false,
         SecurityGroupIds  =
         {
             aws_security_group.Ptfe_service.Id,
         },
         ServiceName = @var.Ptfe_service,
         SubnetIds   =
         {
             local.Subnet_ids,
         },
         VpcEndpointType = "Interface",
         VpcId           = @var.Vpc_id,
     });
     var @internal = Output.Create(Aws.Route53.GetZone.InvokeAsync(new Aws.Route53.GetZoneArgs
     {
         Name        = "vpc.internal.",
         PrivateZone = true,
         VpcId       = @var.Vpc_id,
     }));
     var ptfeServiceRecord = new Aws.Route53.Record("ptfeServiceRecord", new Aws.Route53.RecordArgs
     {
         Name    = @internal.Apply(@internal => $"ptfe.{@internal.Name}"),
         Records =
         {
             ptfeServiceVpcEndpoint.DnsEntries.Apply(dnsEntries => dnsEntries[0])["dns_name"],
         },
         Ttl    = 300,
         Type   = "CNAME",
         ZoneId = @internal.Apply(@internal => @internal.ZoneId),
     });
 }
Exemple #2
0
 public MyStack()
 {
     var privateS3VpcEndpoint = new Aws.Ec2.VpcEndpoint("privateS3VpcEndpoint", new Aws.Ec2.VpcEndpointArgs
     {
         ServiceName = "com.amazonaws.us-west-2.s3",
         VpcId       = aws_vpc.Foo.Id,
     });
     var privateS3PrefixList = privateS3VpcEndpoint.PrefixListId.Apply(prefixListId => Aws.GetPrefixList.InvokeAsync(new Aws.GetPrefixListArgs
     {
         PrefixListId = prefixListId,
     }));
     var bar = new Aws.Ec2.NetworkAcl("bar", new Aws.Ec2.NetworkAclArgs
     {
         VpcId = aws_vpc.Foo.Id,
     });
     var privateS3NetworkAclRule = new Aws.Ec2.NetworkAclRule("privateS3NetworkAclRule", new Aws.Ec2.NetworkAclRuleArgs
     {
         CidrBlock    = privateS3PrefixList.Apply(privateS3PrefixList => privateS3PrefixList.CidrBlocks[0]),
         Egress       = false,
         FromPort     = 443,
         NetworkAclId = bar.Id,
         Protocol     = "tcp",
         RuleAction   = "allow",
         RuleNumber   = 200,
         ToPort       = 443,
     });
 }
Exemple #3
0
 public MyStack()
 {
     var s3 = new Aws.Ec2.VpcEndpoint("s3", new Aws.Ec2.VpcEndpointArgs
     {
         ServiceName = "com.amazonaws.us-west-2.s3",
         VpcId       = aws_vpc.Main.Id,
     });
 }
Exemple #4
0
 public MyStack()
 {
     var s3 = new Aws.Ec2.VpcEndpoint("s3", new Aws.Ec2.VpcEndpointArgs
     {
         ServiceName = "com.amazonaws.us-west-2.s3",
         Tags        =
         {
             { "Environment", "test" },
         },
         VpcId = aws_vpc.Main.Id,
     });
 }
Exemple #5
0
 public MyStack()
 {
     var aws_vpc = new Aws.Ec2.Vpc("aws_vpc", new Aws.Ec2.VpcArgs
     {
         CidrBlock       = "10.0.0.0/16",
         InstanceTenancy = "default",
     });
     var privateS3VpcEndpoint = new Aws.Ec2.VpcEndpoint("privateS3VpcEndpoint", new Aws.Ec2.VpcEndpointArgs
     {
         VpcId       = aws_vpc.Id,
         ServiceName = "com.amazonaws.us-west-2.s3",
     });
     var privateS3PrefixList = Aws.Ec2.GetPrefixList.Invoke(new Aws.Ec2.GetPrefixListInvokeArgs
     {
         PrefixListId = privateS3VpcEndpoint.PrefixListId,
     });
     var bar = new Aws.Ec2.NetworkAcl("bar", new Aws.Ec2.NetworkAclArgs
     {
         VpcId = aws_vpc.Id,
     });
     var privateS3NetworkAclRule = new Aws.Ec2.NetworkAclRule("privateS3NetworkAclRule", new Aws.Ec2.NetworkAclRuleArgs
     {
         NetworkAclId = bar.Id,
         RuleNumber   = 200,
         Egress       = false,
         Protocol     = "tcp",
         RuleAction   = "allow",
         CidrBlock    = privateS3PrefixList.Apply(privateS3PrefixList => privateS3PrefixList.CidrBlocks[0]),
         FromPort     = 443,
         ToPort       = 443,
     });
     var amis = Aws.Ec2.GetAmiIds.Invoke(new Aws.Ec2.GetAmiIdsInvokeArgs
     {
         Owners =
         {
             bar.Id,
         },
         Filters =
         {
             new Aws.Ec2.Inputs.GetAmiIdsFilterInputArgs
             {
                 Name   = bar.Id,
                 Values =
                 {
                     "pulumi*",
                 },
             },
         },
     });
 }
Exemple #6
0
 public MyStack()
 {
     var ec2 = new Aws.Ec2.VpcEndpoint("ec2", new Aws.Ec2.VpcEndpointArgs
     {
         PrivateDnsEnabled = true,
         SecurityGroupIds  =
         {
             aws_security_group.Sg1.Id,
         },
         ServiceName     = "com.amazonaws.us-west-2.ec2",
         VpcEndpointType = "Interface",
         VpcId           = aws_vpc.Main.Id,
     });
 }
Exemple #7
0
 public MyStack()
 {
     var s3 = Output.Create(Aws.Ec2.GetVpcEndpointService.InvokeAsync(new Aws.Ec2.GetVpcEndpointServiceArgs
     {
         Service = "s3",
     }));
     // Create a VPC
     var foo = new Aws.Ec2.Vpc("foo", new Aws.Ec2.VpcArgs
     {
         CidrBlock = "10.0.0.0/16",
     });
     // Create a VPC endpoint
     var ep = new Aws.Ec2.VpcEndpoint("ep", new Aws.Ec2.VpcEndpointArgs
     {
         ServiceName = s3.Apply(s3 => s3.ServiceName),
         VpcId       = foo.Id,
     });
 }
    static Task <int> Main()
    {
        return(Deployment.RunAsync(async() => {
            var region = Aws.Config.Region;
            var fullProjectStack = $"{Deployment.Instance.ProjectName}-{Deployment.Instance.StackName}";

            // Create the VPC.
            var vpc = new Ec2.Vpc("VPC", new Ec2.VpcArgs {
                CidrBlock = Config.VpcCidr,
                InstanceTenancy = Config.VpcTenancy,
                EnableDnsSupport = true,
                EnableDnsHostnames = true,
                Tags = new Dictionary <string, object> {
                    { "Name", fullProjectStack }
                },
            });

            // Associate DHCP options with our VPC.
            var dhcpOptions = new Ec2.VpcDhcpOptions("DHCPOptions", new Ec2.VpcDhcpOptionsArgs {
                DomainName = (region == "us-east-1" ? "ec2.internal" : $"{region}.compute.internal"),
                DomainNameServers = { "AmazonProvidedDNS" },
            });
            var vpcDhcpOptionsAssociation = new Ec2.VpcDhcpOptionsAssociation("VPCDHCPOptionsAssociation", new Ec2.VpcDhcpOptionsAssociationArgs {
                VpcId = vpc.Id,
                DhcpOptionsId = dhcpOptions.Id,
            });

            // Create an Internet Gateway for our public subnet to connect to the Internet.
            var internetGateway = new Ec2.InternetGateway("InternetGateway", new Ec2.InternetGatewayArgs {
                VpcId = vpc.Id,
                Tags = new Dictionary <string, object> {
                    { "Name", fullProjectStack }
                },
            });

            // Creat a Route Table for public subnets to use the Internet Gateway for 0.0.0.0/0 traffic.
            var publicSubnetRouteTable = new Ec2.RouteTable("PublicSubnetRouteTable", new Ec2.RouteTableArgs {
                VpcId = vpc.Id,
                Tags = new Dictionary <string, object> {
                    { "Name", "Public Subnets" },
                    { "Network", "Public" },
                },
            });
            var publicSubnetRoute = new Ec2.Route("PublicSubnetRoute", new Ec2.RouteArgs {
                RouteTableId = publicSubnetRouteTable.Id,
                DestinationCidrBlock = "0.0.0.0/0",
                GatewayId = internetGateway.Id,
            });

            // For each AZ, create the NAT Gateways and public and private subnets. Keep track of various properties
            // so that they can be exported as top-level stack exports later on.
            var natEips = ImmutableArray.CreateBuilder <Output <string> >();
            var publicSubnetIds = ImmutableArray.CreateBuilder <Output <string> >();
            var privateSubnetIds = ImmutableArray.CreateBuilder <Output <string> >();
            var protectedSubnetIds = ImmutableArray.CreateBuilder <Output <string> >();
            var privateSubnetRouteTableIds = ImmutableArray.CreateBuilder <Output <string> >();
            var publicSubnetCidrs = await Config.GetPublicSubnetCidrs();
            var publicSubnetTags = await Config.GetPublicSubnetTags();
            var privateSubnetCidrs = await Config.GetPrivateSubnetCidrs();
            var privateSubnetTags = await Config.GetPrivateSubnetTags();
            var protectedSubnetCidrs = await Config.GetProtectedSubnetCidrs();
            var protectedSubnetTags = await Config.GetProtectedSubnetTags();

            var azs = await Config.GetAvailabilityZones();
            for (var i = 0; i < azs.Length; i++)
            {
                var az = azs[i];

                // Each AZ gets a public subnet.
                var publicSubnet = new Ec2.Subnet($"PublicSubnet{i}", new Ec2.SubnetArgs {
                    VpcId = vpc.Id,
                    AvailabilityZone = az,
                    CidrBlock = publicSubnetCidrs[i],
                    MapPublicIpOnLaunch = true,
                    Tags = publicSubnetTags[i].Add("Name", $"Public subnet {i}"),
                });
                publicSubnetIds.Add(publicSubnet.Id);

                var publicSubnetRouteTableAssociation = new Ec2.RouteTableAssociation($"PublicSubnet{i}RouteTableAssociation", new Ec2.RouteTableAssociationArgs {
                    SubnetId = publicSubnet.Id,
                    RouteTableId = publicSubnetRouteTable.Id,
                });

                // If desired, create a NAT Gateway and private subnet for each AZ.
                if (Config.CreatePrivateSubnets)
                {
                    var natEip = new Ec2.Eip($"NAT{i}EIP", new Ec2.EipArgs {
                        Vpc = true
                    }, new CustomResourceOptions {
                        DependsOn = { internetGateway }
                    });
                    var natGateway = new Ec2.NatGateway($"NATGateway{i}", new Ec2.NatGatewayArgs {
                        SubnetId = publicSubnet.Id,
                        AllocationId = natEip.Id,
                    });
                    natEips.Add(natEip.PublicIp);

                    var privateSubnet = new Ec2.Subnet($"PrivateSubnet{i}A", new Ec2.SubnetArgs {
                        VpcId = vpc.Id,
                        AvailabilityZone = az,
                        CidrBlock = privateSubnetCidrs[i],
                        Tags = privateSubnetTags[i].Add("Name", $"Private subnet {i}A"),
                    });
                    privateSubnetIds.Add(privateSubnet.Id);

                    var privateSubnetRouteTable = new Ec2.RouteTable($"PrivateSubnet{i}ARouteTable", new Ec2.RouteTableArgs {
                        VpcId = vpc.Id,
                        Tags = new Dictionary <string, object> {
                            { "Name", $"Private subnet {i}A" },
                            { "Network", "Private" },
                        },
                    });
                    var privateSubnetRoute = new Ec2.Route($"PrivateSubnet{i}ARoute", new Ec2.RouteArgs {
                        RouteTableId = privateSubnetRouteTable.Id,
                        DestinationCidrBlock = "0.0.0.0/0",
                        NatGatewayId = natGateway.Id,
                    });
                    var privateSubnetRouteTableAssociation = new Ec2.RouteTableAssociation($"PrivateSubnet{i}ARouteTableAssociation", new Ec2.RouteTableAssociationArgs {
                        SubnetId = privateSubnet.Id,
                        RouteTableId = privateSubnetRouteTable.Id,
                    });

                    // Remember the route table ID for the VPC endpoint later.
                    privateSubnetRouteTableIds.Add(privateSubnetRouteTable.Id);

                    // If desired, create additional private subnets with dedicated network ACLs for extra protection.
                    if (Config.CreateProtectedSubnets)
                    {
                        var protectedSubnet = new Ec2.Subnet($"PrivateSubnet{i}B", new Ec2.SubnetArgs {
                            VpcId = vpc.Id,
                            AvailabilityZone = az,
                            CidrBlock = protectedSubnetCidrs[i],
                            Tags = protectedSubnetTags[i].Add("Name", $"Private subnet ${i}B"),
                        });
                        protectedSubnetIds.Add(protectedSubnet.Id);

                        var protectedSubnetRouteTable = new Ec2.RouteTable($"PrivateSubnet{i}BRouteTable", new Ec2.RouteTableArgs {
                            VpcId = vpc.Id,
                            Tags = new Dictionary <string, object> {
                                { "Name", $"Private subnet {i}B" },
                                { "Network", "Private" },
                            },
                        });
                        var protectedSubnetRoute = new Ec2.Route($"PrivateSubnet{i}BRoute", new Ec2.RouteArgs {
                            RouteTableId = protectedSubnetRouteTable.Id,
                            DestinationCidrBlock = "0.0.0.0/0",
                            NatGatewayId = natGateway.Id,
                        });
                        var protectedSubnetRouteTableAssociation = new Ec2.RouteTableAssociation($"PrivateSubnet{i}BRouteTableAssociation", new Ec2.RouteTableAssociationArgs {
                            SubnetId = protectedSubnet.Id,
                            RouteTableId = protectedSubnetRouteTable.Id,
                        });
                        var protectedSubnetNetworkAcl = new Ec2.NetworkAcl($"PrivateSubnet{i}BNetworkAcl", new Ec2.NetworkAclArgs {
                            VpcId = vpc.Id,
                            SubnetIds = { protectedSubnet.Id },
                            Tags = new Dictionary <string, object> {
                                { "Name", $"NACL protected subnet {i}" },
                                { "Network", "NACL Protected" },
                            },
                        });
                        var protectedSubnetNetworkAclEntryInbound = new Ec2.NetworkAclRule($"PrivateSubnet{i}BNetworkAclEntryInbound", new Ec2.NetworkAclRuleArgs {
                            NetworkAclId = protectedSubnetNetworkAcl.Id,
                            CidrBlock = "0.0.0.0/0",
                            Egress = false,
                            Protocol = "-1",
                            RuleAction = "allow",
                            RuleNumber = 100,
                        });
                        var protectedSubnetNetworkAclEntryOutbound = new Ec2.NetworkAclRule($"PrivateSubnet{i}BNetworkAclEntryOutbound", new Ec2.NetworkAclRuleArgs {
                            NetworkAclId = protectedSubnetNetworkAcl.Id,
                            CidrBlock = "0.0.0.0/0",
                            Egress = true,
                            Protocol = "-1",
                            RuleAction = "allow",
                            RuleNumber = 100,
                        });

                        // Remember the route table ID for the VPC endpoint later.
                        privateSubnetRouteTableIds.Add(protectedSubnetRouteTable.Id);
                    }
                }
            }

            // If we created private subnets, allocate an S3 VPC Endpoint to simplify access to S3.
            Output <string>?s3VpcEndpointId = null;
            if (Config.CreatePrivateSubnets)
            {
                s3VpcEndpointId = new Ec2.VpcEndpoint("S3VPCEndpoint", new Ec2.VpcEndpointArgs {
                    VpcId = vpc.Id,
                    Policy = @"{
    ""Version"": ""2012-10-17"",
    ""Statement"": [{
        ""Action"": ""*"",
        ""Effect"": ""Allow"",
        ""Resource"": ""*"",
        ""Principal"": ""*""
    }]
}
",
                    RouteTableIds = privateSubnetRouteTableIds.ToImmutable(),
                    ServiceName = $"com.amazonaws.{region}.s3",
                }).Id;
            }

            // Export all of the resulting properties that upstream stacks may want to consume.
            return new Dictionary <string, object?>
            {
                { "vpcId", vpc.Id },
                { "vpcCidr", vpc.CidrBlock },
                { "natEips", natEips.ToImmutableArray() },
                { "publicSubnetIds", publicSubnetIds.ToImmutableArray() },
                { "publicSubnetCidrs", publicSubnetCidrs },
                { "publicSubnetRouteTableId", publicSubnetRouteTable.Id },
                { "privateSubnetIds", privateSubnetIds.ToImmutableArray() },
                { "privateSubnetCidrs", privateSubnetCidrs },
                { "protectedSubnetIds", protectedSubnetIds.ToImmutableArray() },
                { "protectedSubnetCidrs", protectedSubnetCidrs },
                { "privateSubnetRouteTableIds", privateSubnetRouteTableIds.ToImmutableArray() },
                { "s3VpcEndpointId", s3VpcEndpointId },
            };
        }));
    }