Added an additional SSH ingress rule to the security group. Removed superfluous block device

master
Paco Hope 2022-12-29 12:17:08 -05:00
parent 222e9006bd
commit 6f9750ae8b
1 changed files with 7 additions and 8 deletions


@ -14,21 +14,17 @@ class SciInstancesStack(cdk.Stack):
role = iam.Role(self, "InstanceSSM", assumed_by=iam.ServicePrincipal("ec2.amazonaws.com")) role = iam.Role(self, "InstanceSSM", assumed_by=iam.ServicePrincipal("ec2.amazonaws.com"))
role.add_managed_policy(iam.ManagedPolicy.from_aws_managed_policy_name("AmazonSSMManagedInstanceCore")) role.add_managed_policy(iam.ManagedPolicy.from_aws_managed_policy_name("AmazonSSMManagedInstanceCore"))
imageId = ec2.LookupMachineImage(name='debian-11-amd64-20221219-1234', windows=False) imageId = ec2.MachineImage.lookup(name='debian-11-amd64-20221219-1234')
ec2instance = ec2.Instance(self, "ec2", ec2instance = ec2.Instance(self, "ec2",
vpc=vpcStack.vpc, vpc=vpcStack.vpc,
instance_type=ec2.InstanceType("t2.nano"), instance_type=ec2.InstanceType("t2.nano"),
machine_image=imageId, machine_image=imageId,
block_devices=[ec2.BlockDevice(
device_name="/dev/sda1",
volume=ec2.BlockDeviceVolume.ebs(6),
)
],
security_group = vpcStack.SciSG, security_group = vpcStack.SciSG,
role=role role=role,
key_name='id-paco-2022'
) )
# Script in S3 as Asset # Script in S3 as Asset
asset = Asset(self, "Asset", path=os.path.join("..", "init.sh")) asset = Asset(self, "userdata", path=os.path.join("..", "init.sh"))
local_path = ec2instance.user_data.add_s3_download_command( local_path = ec2instance.user_data.add_s3_download_command(
bucket=asset.bucket, bucket=asset.bucket,
bucket_key=asset.s3_object_key bucket_key=asset.s3_object_key
@ -39,6 +35,7 @@ class SciInstancesStack(cdk.Stack):
file_path=local_path file_path=local_path
) )
asset.grant_read(ec2instance.role) asset.grant_read(ec2instance.role)
cdk.CfnOutput(self, "instance", value=ec2instance.instance_public_ip)
class VpcBasisStack(cdk.Stack): class VpcBasisStack(cdk.Stack):
@ -64,6 +61,8 @@ class VpcBasisStack(cdk.Stack):
allow_all_outbound=True, security_group_name='Sci-sg' ) allow_all_outbound=True, security_group_name='Sci-sg' )
self.SciSG.add_ingress_rule(peer=ec2.Peer.ipv4('173.79.190.162/32'), self.SciSG.add_ingress_rule(peer=ec2.Peer.ipv4('173.79.190.162/32'),
connection=ec2.Port.tcp(22), description="ssh in from home") connection=ec2.Port.tcp(22), description="ssh in from home")
self.SciSG.add_ingress_rule(peer=ec2.Peer.ipv4('70.164.18.200/29'),
connection=ec2.Port.tcp(22), description="ssh in from nova")
self.SciSG.add_ingress_rule(peer=ec2.Peer.any_ipv6(), self.SciSG.add_ingress_rule(peer=ec2.Peer.any_ipv6(),
connection=ec2.Port.tcp(80), description="HTTP open to the world, ipv6") connection=ec2.Port.tcp(80), description="HTTP open to the world, ipv6")
self.SciSG.add_ingress_rule(peer=ec2.Peer.any_ipv4(), self.SciSG.add_ingress_rule(peer=ec2.Peer.any_ipv4(),
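Review bot: The AMI lookup on the `imageId` line of the first hunk (in `SciInstancesStack`) filters by name only, in both the `LookupMachineImage` and the `MachineImage.lookup` form, so the underlying DescribeImages call matches any public AMI with that exact name, not just Debian's; a third party publishing a public image named `debian-11-amd64-20221219-1234` could be selected, and CDK then caches whichever image it found in `cdk.context.json`. Pin the publisher, e.g. `imageId = ec2.MachineImage.lookup(name='debian-11-amd64-20221219-1234', owners=['<Debian cloud account ID>'])`, and verify that account ID against Debian's published AWS account rather than copying it from a blog. The `__init__` that hunk belongs to starts before the hunk. Separately, the new `key_name='id-paco-2022'` together with the two port-22 ingress rules adds an SSH path the instance may not need, since its role already carries `AmazonSSMManagedInstanceCore`; if Session Manager is workable here, dropping the key pair and the SSH rules removes that exposure and the hard-coded source addresses from the repository.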