public MyStack()
{
var ptfeServiceVpcEndpoint = new Aws.Ec2.VpcEndpoint("ptfeServiceVpcEndpoint", new Aws.Ec2.VpcEndpointArgs
{
PrivateDnsEnabled = false,
SecurityGroupIds =
{
aws_security_group.Ptfe_service.Id,
},
ServiceName = @var.Ptfe_service,
SubnetIds =
{
local.Subnet_ids,
},
VpcEndpointType = "Interface",
VpcId = @var.Vpc_id,
});
var @internal = Output.Create(Aws.Route53.GetZone.InvokeAsync(new Aws.Route53.GetZoneArgs
{
Name = "vpc.internal.",
PrivateZone = true,
VpcId = @var.Vpc_id,
}));
var ptfeServiceRecord = new Aws.Route53.Record("ptfeServiceRecord", new Aws.Route53.RecordArgs
{
Name = @internal.Apply(@internal => $"ptfe.{@internal.Name}"),
Records =
{
ptfeServiceVpcEndpoint.DnsEntries.Apply(dnsEntries => dnsEntries[0])["dns_name"],
},
Ttl = 300,
Type = "CNAME",
ZoneId = @internal.Apply(@internal => @internal.ZoneId),
});
}
public MyStack()
{
var privateS3VpcEndpoint = new Aws.Ec2.VpcEndpoint("privateS3VpcEndpoint", new Aws.Ec2.VpcEndpointArgs
{
ServiceName = "com.amazonaws.us-west-2.s3",
VpcId = aws_vpc.Foo.Id,
});
var privateS3PrefixList = privateS3VpcEndpoint.PrefixListId.Apply(prefixListId => Aws.GetPrefixList.InvokeAsync(new Aws.GetPrefixListArgs
{
PrefixListId = prefixListId,
}));
var bar = new Aws.Ec2.NetworkAcl("bar", new Aws.Ec2.NetworkAclArgs
{
VpcId = aws_vpc.Foo.Id,
});
var privateS3NetworkAclRule = new Aws.Ec2.NetworkAclRule("privateS3NetworkAclRule", new Aws.Ec2.NetworkAclRuleArgs
{
CidrBlock = privateS3PrefixList.Apply(privateS3PrefixList => privateS3PrefixList.CidrBlocks[0]),
Egress = false,
FromPort = 443,
NetworkAclId = bar.Id,
Protocol = "tcp",
RuleAction = "allow",
RuleNumber = 200,
ToPort = 443,
});
}
public MyStack()
{
var s3 = new Aws.Ec2.VpcEndpoint("s3", new Aws.Ec2.VpcEndpointArgs
{
ServiceName = "com.amazonaws.us-west-2.s3",
VpcId = aws_vpc.Main.Id,
});
}
public MyStack()
{
var s3 = new Aws.Ec2.VpcEndpoint("s3", new Aws.Ec2.VpcEndpointArgs
{
ServiceName = "com.amazonaws.us-west-2.s3",
Tags =
{
{ "Environment", "test" },
},
VpcId = aws_vpc.Main.Id,
});
}
public MyStack()
{
var aws_vpc = new Aws.Ec2.Vpc("aws_vpc", new Aws.Ec2.VpcArgs
{
CidrBlock = "10.0.0.0/16",
InstanceTenancy = "default",
});
var privateS3VpcEndpoint = new Aws.Ec2.VpcEndpoint("privateS3VpcEndpoint", new Aws.Ec2.VpcEndpointArgs
{
VpcId = aws_vpc.Id,
ServiceName = "com.amazonaws.us-west-2.s3",
});
var privateS3PrefixList = Aws.Ec2.GetPrefixList.Invoke(new Aws.Ec2.GetPrefixListInvokeArgs
{
PrefixListId = privateS3VpcEndpoint.PrefixListId,
});
var bar = new Aws.Ec2.NetworkAcl("bar", new Aws.Ec2.NetworkAclArgs
{
VpcId = aws_vpc.Id,
});
var privateS3NetworkAclRule = new Aws.Ec2.NetworkAclRule("privateS3NetworkAclRule", new Aws.Ec2.NetworkAclRuleArgs
{
NetworkAclId = bar.Id,
RuleNumber = 200,
Egress = false,
Protocol = "tcp",
RuleAction = "allow",
CidrBlock = privateS3PrefixList.Apply(privateS3PrefixList => privateS3PrefixList.CidrBlocks[0]),
FromPort = 443,
ToPort = 443,
});
var amis = Aws.Ec2.GetAmiIds.Invoke(new Aws.Ec2.GetAmiIdsInvokeArgs
{
Owners =
{
bar.Id,
},
Filters =
{
new Aws.Ec2.Inputs.GetAmiIdsFilterInputArgs
{
Name = bar.Id,
Values =
{
"pulumi*",
},
},
},
});
}
public MyStack()
{
var ec2 = new Aws.Ec2.VpcEndpoint("ec2", new Aws.Ec2.VpcEndpointArgs
{
PrivateDnsEnabled = true,
SecurityGroupIds =
{
aws_security_group.Sg1.Id,
},
ServiceName = "com.amazonaws.us-west-2.ec2",
VpcEndpointType = "Interface",
VpcId = aws_vpc.Main.Id,
});
}
public MyStack()
{
var s3 = Output.Create(Aws.Ec2.GetVpcEndpointService.InvokeAsync(new Aws.Ec2.GetVpcEndpointServiceArgs
{
Service = "s3",
}));
// Create a VPC
var foo = new Aws.Ec2.Vpc("foo", new Aws.Ec2.VpcArgs
{
CidrBlock = "10.0.0.0/16",
});
// Create a VPC endpoint
var ep = new Aws.Ec2.VpcEndpoint("ep", new Aws.Ec2.VpcEndpointArgs
{
ServiceName = s3.Apply(s3 => s3.ServiceName),
VpcId = foo.Id,
});
}
static Task <int> Main()
{
return(Deployment.RunAsync(async() => {
var region = Aws.Config.Region;
var fullProjectStack = $"{Deployment.Instance.ProjectName}-{Deployment.Instance.StackName}";
// Create the VPC.
var vpc = new Ec2.Vpc("VPC", new Ec2.VpcArgs {
CidrBlock = Config.VpcCidr,
InstanceTenancy = Config.VpcTenancy,
EnableDnsSupport = true,
EnableDnsHostnames = true,
Tags = new Dictionary <string, object> {
{ "Name", fullProjectStack }
},
});
// Associate DHCP options with our VPC.
var dhcpOptions = new Ec2.VpcDhcpOptions("DHCPOptions", new Ec2.VpcDhcpOptionsArgs {
DomainName = (region == "us-east-1" ? "ec2.internal" : $"{region}.compute.internal"),
DomainNameServers = { "AmazonProvidedDNS" },
});
var vpcDhcpOptionsAssociation = new Ec2.VpcDhcpOptionsAssociation("VPCDHCPOptionsAssociation", new Ec2.VpcDhcpOptionsAssociationArgs {
VpcId = vpc.Id,
DhcpOptionsId = dhcpOptions.Id,
});
// Create an Internet Gateway for our public subnet to connect to the Internet.
var internetGateway = new Ec2.InternetGateway("InternetGateway", new Ec2.InternetGatewayArgs {
VpcId = vpc.Id,
Tags = new Dictionary <string, object> {
{ "Name", fullProjectStack }
},
});
// Creat a Route Table for public subnets to use the Internet Gateway for 0.0.0.0/0 traffic.
var publicSubnetRouteTable = new Ec2.RouteTable("PublicSubnetRouteTable", new Ec2.RouteTableArgs {
VpcId = vpc.Id,
Tags = new Dictionary <string, object> {
{ "Name", "Public Subnets" },
{ "Network", "Public" },
},
});
var publicSubnetRoute = new Ec2.Route("PublicSubnetRoute", new Ec2.RouteArgs {
RouteTableId = publicSubnetRouteTable.Id,
DestinationCidrBlock = "0.0.0.0/0",
GatewayId = internetGateway.Id,
});
// For each AZ, create the NAT Gateways and public and private subnets. Keep track of various properties
// so that they can be exported as top-level stack exports later on.
var natEips = ImmutableArray.CreateBuilder <Output <string> >();
var publicSubnetIds = ImmutableArray.CreateBuilder <Output <string> >();
var privateSubnetIds = ImmutableArray.CreateBuilder <Output <string> >();
var protectedSubnetIds = ImmutableArray.CreateBuilder <Output <string> >();
var privateSubnetRouteTableIds = ImmutableArray.CreateBuilder <Output <string> >();
var publicSubnetCidrs = await Config.GetPublicSubnetCidrs();
var publicSubnetTags = await Config.GetPublicSubnetTags();
var privateSubnetCidrs = await Config.GetPrivateSubnetCidrs();
var privateSubnetTags = await Config.GetPrivateSubnetTags();
var protectedSubnetCidrs = await Config.GetProtectedSubnetCidrs();
var protectedSubnetTags = await Config.GetProtectedSubnetTags();
var azs = await Config.GetAvailabilityZones();
for (var i = 0; i < azs.Length; i++)
{
var az = azs[i];
// Each AZ gets a public subnet.
var publicSubnet = new Ec2.Subnet($"PublicSubnet{i}", new Ec2.SubnetArgs {
VpcId = vpc.Id,
AvailabilityZone = az,
CidrBlock = publicSubnetCidrs[i],
MapPublicIpOnLaunch = true,
Tags = publicSubnetTags[i].Add("Name", $"Public subnet {i}"),
});
publicSubnetIds.Add(publicSubnet.Id);
var publicSubnetRouteTableAssociation = new Ec2.RouteTableAssociation($"PublicSubnet{i}RouteTableAssociation", new Ec2.RouteTableAssociationArgs {
SubnetId = publicSubnet.Id,
RouteTableId = publicSubnetRouteTable.Id,
});
// If desired, create a NAT Gateway and private subnet for each AZ.
if (Config.CreatePrivateSubnets)
{
var natEip = new Ec2.Eip($"NAT{i}EIP", new Ec2.EipArgs {
Vpc = true
}, new CustomResourceOptions {
DependsOn = { internetGateway }
});
var natGateway = new Ec2.NatGateway($"NATGateway{i}", new Ec2.NatGatewayArgs {
SubnetId = publicSubnet.Id,
AllocationId = natEip.Id,
});
natEips.Add(natEip.PublicIp);
var privateSubnet = new Ec2.Subnet($"PrivateSubnet{i}A", new Ec2.SubnetArgs {
VpcId = vpc.Id,
AvailabilityZone = az,
CidrBlock = privateSubnetCidrs[i],
Tags = privateSubnetTags[i].Add("Name", $"Private subnet {i}A"),
});
privateSubnetIds.Add(privateSubnet.Id);
var privateSubnetRouteTable = new Ec2.RouteTable($"PrivateSubnet{i}ARouteTable", new Ec2.RouteTableArgs {
VpcId = vpc.Id,
Tags = new Dictionary <string, object> {
{ "Name", $"Private subnet {i}A" },
{ "Network", "Private" },
},
});
var privateSubnetRoute = new Ec2.Route($"PrivateSubnet{i}ARoute", new Ec2.RouteArgs {
RouteTableId = privateSubnetRouteTable.Id,
DestinationCidrBlock = "0.0.0.0/0",
NatGatewayId = natGateway.Id,
});
var privateSubnetRouteTableAssociation = new Ec2.RouteTableAssociation($"PrivateSubnet{i}ARouteTableAssociation", new Ec2.RouteTableAssociationArgs {
SubnetId = privateSubnet.Id,
RouteTableId = privateSubnetRouteTable.Id,
});
// Remember the route table ID for the VPC endpoint later.
privateSubnetRouteTableIds.Add(privateSubnetRouteTable.Id);
// If desired, create additional private subnets with dedicated network ACLs for extra protection.
if (Config.CreateProtectedSubnets)
{
var protectedSubnet = new Ec2.Subnet($"PrivateSubnet{i}B", new Ec2.SubnetArgs {
VpcId = vpc.Id,
AvailabilityZone = az,
CidrBlock = protectedSubnetCidrs[i],
Tags = protectedSubnetTags[i].Add("Name", $"Private subnet ${i}B"),
});
protectedSubnetIds.Add(protectedSubnet.Id);
var protectedSubnetRouteTable = new Ec2.RouteTable($"PrivateSubnet{i}BRouteTable", new Ec2.RouteTableArgs {
VpcId = vpc.Id,
Tags = new Dictionary <string, object> {
{ "Name", $"Private subnet {i}B" },
{ "Network", "Private" },
},
});
var protectedSubnetRoute = new Ec2.Route($"PrivateSubnet{i}BRoute", new Ec2.RouteArgs {
RouteTableId = protectedSubnetRouteTable.Id,
DestinationCidrBlock = "0.0.0.0/0",
NatGatewayId = natGateway.Id,
});
var protectedSubnetRouteTableAssociation = new Ec2.RouteTableAssociation($"PrivateSubnet{i}BRouteTableAssociation", new Ec2.RouteTableAssociationArgs {
SubnetId = protectedSubnet.Id,
RouteTableId = protectedSubnetRouteTable.Id,
});
var protectedSubnetNetworkAcl = new Ec2.NetworkAcl($"PrivateSubnet{i}BNetworkAcl", new Ec2.NetworkAclArgs {
VpcId = vpc.Id,
SubnetIds = { protectedSubnet.Id },
Tags = new Dictionary <string, object> {
{ "Name", $"NACL protected subnet {i}" },
{ "Network", "NACL Protected" },
},
});
var protectedSubnetNetworkAclEntryInbound = new Ec2.NetworkAclRule($"PrivateSubnet{i}BNetworkAclEntryInbound", new Ec2.NetworkAclRuleArgs {
NetworkAclId = protectedSubnetNetworkAcl.Id,
CidrBlock = "0.0.0.0/0",
Egress = false,
Protocol = "-1",
RuleAction = "allow",
RuleNumber = 100,
});
var protectedSubnetNetworkAclEntryOutbound = new Ec2.NetworkAclRule($"PrivateSubnet{i}BNetworkAclEntryOutbound", new Ec2.NetworkAclRuleArgs {
NetworkAclId = protectedSubnetNetworkAcl.Id,
CidrBlock = "0.0.0.0/0",
Egress = true,
Protocol = "-1",
RuleAction = "allow",
RuleNumber = 100,
});
// Remember the route table ID for the VPC endpoint later.
privateSubnetRouteTableIds.Add(protectedSubnetRouteTable.Id);
}
}
}
// If we created private subnets, allocate an S3 VPC Endpoint to simplify access to S3.
Output <string>?s3VpcEndpointId = null;
if (Config.CreatePrivateSubnets)
{
s3VpcEndpointId = new Ec2.VpcEndpoint("S3VPCEndpoint", new Ec2.VpcEndpointArgs {
VpcId = vpc.Id,
Policy = @"{
""Version"": ""2012-10-17"",
""Statement"": [{
""Action"": ""*"",
""Effect"": ""Allow"",
""Resource"": ""*"",
""Principal"": ""*""
}]
}
",
RouteTableIds = privateSubnetRouteTableIds.ToImmutable(),
ServiceName = $"com.amazonaws.{region}.s3",
}).Id;
}
// Export all of the resulting properties that upstream stacks may want to consume.
return new Dictionary <string, object?>
{
{ "vpcId", vpc.Id },
{ "vpcCidr", vpc.CidrBlock },
{ "natEips", natEips.ToImmutableArray() },
{ "publicSubnetIds", publicSubnetIds.ToImmutableArray() },
{ "publicSubnetCidrs", publicSubnetCidrs },
{ "publicSubnetRouteTableId", publicSubnetRouteTable.Id },
{ "privateSubnetIds", privateSubnetIds.ToImmutableArray() },
{ "privateSubnetCidrs", privateSubnetCidrs },
{ "protectedSubnetIds", protectedSubnetIds.ToImmutableArray() },
{ "protectedSubnetCidrs", protectedSubnetCidrs },
{ "privateSubnetRouteTableIds", privateSubnetRouteTableIds.ToImmutableArray() },
{ "s3VpcEndpointId", s3VpcEndpointId },
};
}));
}