From 03ac8003e22a8c619d0d03dbf483f556ad0333e1 Mon Sep 17 00:00:00 2001
From: Paco Hope
Date: Wed, 28 Dec 2022 23:36:47 -0500
Subject: [PATCH] Almost ready

---
 cdk/app.py | 17 +++++++++--------
 cdk/sfec2/sci_stack.py | 33 ++++++++++++++++++++++++++++-----
 2 files changed, 37 insertions(+), 13 deletions(-)

diff --git a/cdk/app.py b/cdk/app.py
index 450a55b..7b6b4c1 100644
--- a/cdk/app.py
+++ b/cdk/app.py
@@ -6,14 +6,15 @@ from sfec2.sci_stack import VpcBasisStack
 
 app = cdk.App()
 
-cdkEnv = cdk.Environment(account=os.getenv('CDK_DEFAULT_ACCOUNT'),
- region="us-east-2")
+regionList = [ "us-east-2", "ap-southeast-1" ]
 
-vpcStack = VpcBasisStack(app, "basis", env=cdkEnv )
-
-deployList = [ "a", "b", "c" ]
-
-for thing in deployList:
- SciInstancesStack(vpcStack, f"i-{thing}-s", thing=thing, env=cdkEnv )
+i = 0
+for region in regionList:
+ cdkEnv = cdk.Environment(
+ account=os.getenv('CDK_DEFAULT_ACCOUNT'),
+ region=region)
+ vpcStack = VpcBasisStack(app, f"v{i}", env=cdkEnv )
+ SciInstancesStack(vpcStack, f"i-{i}", env=cdkEnv )
+ i = i + 1
 
 app.synth()
diff --git a/cdk/sfec2/sci_stack.py b/cdk/sfec2/sci_stack.py
index 1208534..90f24f9 100644
--- a/cdk/sfec2/sci_stack.py
+++ b/cdk/sfec2/sci_stack.py
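Review bot: The stack ids `f"v{i}"` and `f"i-{i}"` are derived from the position in `regionList` rather than from the region, so inserting, removing or reordering an entry later re-maps existing ids onto different regions and CloudFormation will replace those stacks rather than update them; naming them from the region, e.g. `vpcStack = VpcBasisStack(app, f"v-{region}", env=cdkEnv )`, keeps each id stable. That also removes the hand-maintained `i = 0` / `i = i + 1` counter, or `for i, region in enumerate(regionList):` if the index is still wanted. `os.getenv('CDK_DEFAULT_ACCOUNT')` returns None when the CDK CLI has not resolved an account, and the AMI context lookup added in sci_stack.py appears to need an explicit account and region, so a short guard or a comment that this app must be synthesized through the CDK CLI would help the next reader.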
@@ -3,16 +3,19 @@ import aws_cdk as cdk
 import aws_cdk.aws_ec2 as ec2
 import aws_cdk.aws_iam as iam
 from constructs import Construct
+from aws_cdk.aws_s3_assets import Asset
 
 
 class SciInstancesStack(cdk.Stack):
 def __init__(self, vpcStack: Construct, construct_id:
- str, thing: str, env: cdk.Environment, **kwargs) -> None:
+ str, env: cdk.Environment, **kwargs) -> None:
 super().__init__(vpcStack, construct_id, env=env, **kwargs)
 
- thisVpc = vpcStack.vpc
+ role = iam.Role(self, "InstanceSSM", assumed_by=iam.ServicePrincipal("ec2.amazonaws.com"))
+ role.add_managed_policy(iam.ManagedPolicy.from_aws_managed_policy_name("AmazonSSMManagedInstanceCore"))
+ imageId = ec2.LookupMachineImage(name='debian-11-amd64-20221219-1234', windows=False)
 
- ec2instance = ec2.Instance(self, f"i-{thing}",
+ ec2instance = ec2.Instance(self, "ec2",
 vpc=vpcStack.vpc,
 instance_type=ec2.InstanceType("t2.nano"),
 machine_image=imageId,
@@ -22,7 +25,21 @@ class SciInstancesStack(cdk.Stack):
 )
 ],
 security_group = vpcStack.SciSG,
+ role=role
 )
+ # Script in S3 as Asset
+ asset = Asset(self, "Asset", path=os.path.join("..", "init.sh"))
+ local_path = ec2instance.user_data.add_s3_download_command(
+ bucket=asset.bucket,
+ bucket_key=asset.s3_object_key
+ )
+
+ # Userdata executes script from S3
+ ec2instance.user_data.add_execute_file_command(
+ file_path=local_path
+ )
+ asset.grant_read(ec2instance.role)
+
 
 class VpcBasisStack(cdk.Stack):
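Review bot: `ec2.LookupMachineImage(name='debian-11-amd64-20221219-1234', windows=False)` selects a public AMI by name only; with no `owners=` filter, any account that publishes an image under that name in one of the target regions can be picked up by the lookup, so the image should be pinned to its publisher, e.g. `imageId = ec2.LookupMachineImage(name='debian-11-amd64-20221219-1234', owners=['<debian-ami-owner-account-id>'], windows=False)`. The resolved AMI id is cached in the CDK context file per region, which is worth checking in so a later synth cannot silently resolve to a different image. The `role` built here carries only `AmazonSSMManagedInstanceCore`, which is a sound minimal baseline for Session Manager access; a one-line comment stating that SSM is the intended administrative path would document the intent. `__init__` continues past the end of this hunk.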
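Review bot: `path=os.path.join("..", "init.sh")` is resolved against the process's current working directory, not against this module, so a `cdk synth` run from any other directory bundles a different file or fails; anchoring it to the source, `path=os.path.join(os.path.dirname(__file__), "..", "init.sh")`, makes the asset deterministic. The hunk uses `os` but only the `Asset` import is added; whether `import os` already exists above line 3 is outside the diff and should be confirmed. `asset.grant_read(ec2instance.role)` is correctly scoped to that single object; since the downloaded script is then executed from user data, which on Linux runs as root, a comment noting that changes to `init.sh` change what runs privileged on every instance would help the next reader. `__init__` begins before the start of this hunk.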
@@ -39,11 +56,17 @@ class VpcBasisStack(cdk.Stack):
 cidr_mask = 26
 )
 ],
- nat_gateways = 3
+ nat_gateways = 0
 )
 
 # Create standard Security Group for all EC2 instances
 self.SciSG = ec2.SecurityGroup(self, 'Sci-sg', vpc=self.vpc,
- allow_all_outbound=True, security_group_name='Sci-sg' );
+ allow_all_outbound=True, security_group_name='Sci-sg' )
+ self.SciSG.add_ingress_rule(peer=ec2.Peer.ipv4('173.79.190.162/32'),
+ connection=ec2.Port.tcp(22), description="ssh in from home")
+ self.SciSG.add_ingress_rule(peer=ec2.Peer.any_ipv6(),
+ connection=ec2.Port.tcp(80), description="HTTP open to the world, ipv6")
+ self.SciSG.add_ingress_rule(peer=ec2.Peer.any_ipv4(),
+ connection=ec2.Port.tcp(80), description="HTTP open to the world, ipv4")
 
 app = cdk.App()
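Review bot: The SSH rule hard-codes a personal address, `ec2.Peer.ipv4('173.79.190.162/32')`, into the repository; now that the instance role carries `AmazonSSMManagedInstanceCore` (first hunk of this file), Session Manager already covers interactive access and the port 22 rule can be dropped, or if it must stay, the address should come from CDK context, e.g. `admin_cidr = self.node.try_get_context("admin_cidr")`, rather than from source. `nat_gateways = 0` removes the only outbound path for private subnets; if the instances are placed in a private subnet (the subnet selection is outside this diff) the SSM agent and the S3 asset download added in the user-data hunk would have no route, so either a public subnet with a public address or interface endpoints for SSM plus a gateway endpoint for S3 is needed, and a comment here should say which. Port 80 is opened to all of IPv4 and IPv6 as the descriptions state, and together with `allow_all_outbound=True` the instance can reach anything, so narrowing egress once the workload is known is the follow-up to note.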