From 6f9750ae8b7933bfca8467c7df90be56246a98ac Mon Sep 17 00:00:00 2001
From: Paco Hope
Date: Thu, 29 Dec 2022 12:17:08 -0500
Subject: [PATCH] Added additional firewall. Removed superfluous block device

---
 cdk/sfec2/sci_stack.py | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/cdk/sfec2/sci_stack.py b/cdk/sfec2/sci_stack.py
index 90f24f9..78f0c81 100644
--- a/cdk/sfec2/sci_stack.py
+++ b/cdk/sfec2/sci_stack.py
@@ -14,21 +14,17 @@ class SciInstancesStack(cdk.Stack):
         role = iam.Role(self, "InstanceSSM", assumed_by=iam.ServicePrincipal("ec2.amazonaws.com"))
         role.add_managed_policy(iam.ManagedPolicy.from_aws_managed_policy_name("AmazonSSMManagedInstanceCore"))
-        imageId = ec2.LookupMachineImage(name='debian-11-amd64-20221219-1234', windows=False)
+        imageId = ec2.MachineImage.lookup(name='debian-11-amd64-20221219-1234')
         ec2instance = ec2.Instance(self, "ec2",
             vpc=vpcStack.vpc,
             instance_type=ec2.InstanceType("t2.nano"),
             machine_image=imageId,
-            block_devices=[ec2.BlockDevice(
-                device_name="/dev/sda1",
-                volume=ec2.BlockDeviceVolume.ebs(6),
-            )
-            ],
             security_group = vpcStack.SciSG,
-            role=role
+            role=role,
+            key_name='id-paco-2022'
         )
         # Script in S3 as Asset
-        asset = Asset(self, "Asset", path=os.path.join("..", "init.sh"))
+        asset = Asset(self, "userdata", path=os.path.join("..", "init.sh"))
         local_path = ec2instance.user_data.add_s3_download_command(
             bucket=asset.bucket,
             bucket_key=asset.s3_object_key
@@ -39,6 +35,7 @@ class SciInstancesStack(cdk.Stack):
             file_path=local_path
         )
         asset.grant_read(ec2instance.role)
+        cdk.CfnOutput(self, "instance", value=ec2instance.instance_public_ip)
 
 
 class VpcBasisStack(cdk.Stack):
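Review bot: The new `ec2.MachineImage.lookup(name='debian-11-amd64-20221219-1234')` call filters on image name only, so the lookup can match any public AMI carrying that name rather than only the one published by Debian; pass an owner filter next to the name, `owners=['<DEBIAN_AMI_OWNER_ACCOUNT_ID>']`, so the resolved image must come from the expected account. The lookup result is cached in cdk.context.json and pinned until that entry is cleared, so whichever image is picked at the first synth is what every later deploy uses. `key_name='id-paco-2022'` hard-codes one operator's personal key pair into the stack; since the role created a few lines up already carries AmazonSSMManagedInstanceCore, Session Manager would let the key pair (and the port-22 ingress in the VPC stack) be dropped, or at least read the name from context, `key_name=self.node.try_get_context('ssh_key_name')`. The enclosing `__init__` begins before this hunk.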
@@ -64,6 +61,8 @@ class VpcBasisStack(cdk.Stack):
             allow_all_outbound=True,
             security_group_name='Sci-sg'
         )
         self.SciSG.add_ingress_rule(peer=ec2.Peer.ipv4('173.79.190.162/32'), connection=ec2.Port.tcp(22), description="ssh in from home")
+        self.SciSG.add_ingress_rule(peer=ec2.Peer.ipv4('70.164.18.200/29'),
+            connection=ec2.Port.tcp(22), description="ssh in from nova")
         self.SciSG.add_ingress_rule(peer=ec2.Peer.any_ipv6(), connection=ec2.Port.tcp(80), description="HTTP open to the world, ipv6")
         self.SciSG.add_ingress_rule(peer=ec2.Peer.any_ipv4(),
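Review bot: The added `ec2.Peer.ipv4('70.164.18.200/29')` rule hard-codes a second operator source network next to the existing '173.79.190.162/32' one, so the SSH allowlist now lives as literals in the stack and every change or stale entry needs a code commit and redeploy. Consider sourcing the list from CDK context and looping over it, `for cidr in self.node.try_get_context('ssh_allowed_cidrs') or []:` with the `add_ingress_rule` call inside, so per-person addresses stay out of the repository history. Since the instance stack attaches AmazonSSMManagedInstanceCore to the instance role, Session Manager would allow the port-22 ingress to be removed altogether rather than widened. The enclosing `__init__` continues past the end of the hunk.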