DEV Community: Tomasz Szuster The latest articles on DEV Community by Tomasz Szuster (@airmonitor). https://dev.to/airmonitor https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F569064%2Fa3224505-bdd2-404a-932e-6ef506a81da3.png DEV Community: Tomasz Szuster https://dev.to/airmonitor en GitLab runner on MacBook with docker-compose Tomasz Szuster Tue, 30 Jan 2024 23:08:03 +0000 https://dev.to/airmonitor/gitlab-runner-on-macbook-with-docker-compose-5184 https://dev.to/airmonitor/gitlab-runner-on-macbook-with-docker-compose-5184 <p>It turned out that running a self-hosted Gitlab runner on a MacBook with docker desktop and docker-compose was not so common approach.</p> <p>Below are code snippets that enable that solution</p> <ul> <li>docker-compose.yaml </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>version: '3' services: gitlab-runner: image: gitlab/gitlab-runner:alpine restart: always container_name: gitlab-runner hostname: gitlab-runner volumes: - /Users/gitlab-runner:/etc/gitlab-runner - /var/run/docker.sock:/var/run/docker.sock environment: - DOCKER_HOST=unix:///var/run/docker.sock networks: - gitlab-network networks: gitlab-network: name: gitlab-network </code></pre> </div> <ul> <li>runner configuration config.yaml </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>concurrent = 2 check_interval = 0 shutdown_timeout = 0 [session_server] session_timeout = 1800 [[runners]] name = "docker-stable" url = "https://gitlab.com" id = 112233 token = "112233" token_obtained_at = 1111-01-24T21:09:11Z token_expires_at = 0001-01-01T00:00:00Z executor = "docker" [runners.cache] MaxUploadedArchiveSize = 0 [runners.docker] tls_verify = false image = "docker:stable" privileged = false disable_entrypoint_overwrite = false oom_kill_disable = false disable_cache = false volumes = ["/var/run/docker.sock:/var/run/docker.sock", "/cache"] network_mode = "host" shm_size = 0 network_mtu = 0 </code></pre> </div> AWS CDK ARM64 CodeBuild is broken Tomasz Szuster Wed, 05 Apr 2023 09:36:44 +0000 https://dev.to/airmonitor/aws-cdk-arm64-codebuild-is-broken-2e9a https://dev.to/airmonitor/aws-cdk-arm64-codebuild-is-broken-2e9a <p>That's so sad that AWS is not doing a good job with undifferentiated heavy lifting.<br> A lot of noise but the reality as usual shows what is true.</p> <p>Below is a simple example of CDK Pipelines which should work<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> pipelines.CodePipeline( self, "pipeline", self_mutation_code_build_defaults=pipelines.CodeBuildOptions( partial_build_spec=codebuild.BuildSpec.from_object( { "phases": { "install": { "commands": [ "npm cache clean -f", "n 16", "node -v", ] } } } ) ), code_build_defaults=pipelines.CodeBuildOptions( role_policy=[ iam.PolicyStatement(actions=["*"], resources=["*"]), iam.PolicyStatement(actions=["sts:AssumeRole"], resources=["*"]), ], build_environment=codebuild.BuildEnvironment( compute_type=codebuild.ComputeType.LARGE, build_image=codebuild.LinuxBuildImage.AMAZON_LINUX_2_ARM_2, ), partial_build_spec=codebuild.BuildSpec.from_object( { "phases": { "install": { "commands": [ "npm cache clean -f", "n 16", "node -v", ] } } } ), ), synth=pipelines.ShellStep( "synth", input=pipelines.CodePipelineSource.connection( repo_string=pipeline_vars.github_git_repo, branch="main", connection_arn=pipeline_vars.github_connection_arn, ), install_commands=[ "npm cache clean -f", "n 16", "node -v", "pip install -r requirements.txt", "npm install -g aws-cdk", ], commands=[ "cdk synth", ], ), pipeline_name=pipeline_vars.project, self_mutation=True, ) </code></pre> </div> <p><strong>What we need to remember is that AWS doesn't provide updated build image that contain supported node version, ideally 16 or 18, but they stick with node 12!</strong></p> <p>The pipeline above is enforcing node 16 installation for pipeline synth and self-mutation.</p> cdk arm6 docker AWS WAF with CDK simple way, L2? Tomasz Szuster Tue, 04 Oct 2022 20:42:16 +0000 https://dev.to/airmonitor/aws-waf-with-cdk-simple-way-l2-58ji https://dev.to/airmonitor/aws-waf-with-cdk-simple-way-l2-58ji <p>Below content is for those of you that want to use more L2 CDK constructs when creating IaC for AWS WAF.</p> <p>Short intro, the current state of WAF L2's for CDK is that they mostly don't exist, thus having easy to use methods is far-far away.</p> <p>Although closer than you may think.</p> <p>Let's share what I've created sometime ago.</p> <p>Python WAF class to manage more or less sensible values for starting your CDK project<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">WAFv2</span><span class="p">(</span><span class="n">Construct</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Implement a v2 WAF where logs are sent to the AWS CloudWatch logs.</span><span class="sh">"""</span> <span class="c1"># pylint: disable=W0235 </span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">scope</span><span class="p">:</span> <span class="n">Construct</span><span class="p">,</span> <span class="n">construct_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="nf">super</span><span class="p">().</span><span class="nf">__init__</span><span class="p">(</span><span class="n">scope</span><span class="p">,</span> <span class="n">construct_id</span><span class="p">)</span> <span class="nd">@staticmethod</span> <span class="k">def</span> <span class="nf">__aws_account_takeover_prevention</span><span class="p">(</span><span class="n">aws_account_takeover_prevention</span><span class="p">):</span> <span class="k">return</span> <span class="n">wafv2</span><span class="p">.</span><span class="n">CfnWebACL</span><span class="p">.</span><span class="nc">RuleProperty</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">AWS-AWSManagedRulesATPRuleSet</span><span class="sh">"</span><span class="p">,</span> <span class="n">priority</span><span class="o">=</span><span class="mi">6</span><span class="p">,</span> <span class="n">override_action</span><span class="o">=</span><span class="n">wafv2</span><span class="p">.</span><span class="n">CfnWebACL</span><span class="p">.</span><span class="nc">OverrideActionProperty</span><span class="p">(</span><span class="n">none</span><span class="o">=</span><span class="p">{}),</span> <span class="n">statement</span><span class="o">=</span><span class="n">wafv2</span><span class="p">.</span><span class="n">CfnWebACL</span><span class="p">.</span><span class="nc">StatementProperty</span><span class="p">(</span> <span class="n">managed_rule_group_statement</span><span class="o">=</span><span class="n">wafv2</span><span class="p">.</span><span class="n">CfnWebACL</span><span class="p">.</span><span class="nc">ManagedRuleGroupStatementProperty</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">AWSManagedRulesATPRuleSet</span><span class="sh">"</span><span class="p">,</span> <span class="n">vendor_name</span><span class="o">=</span><span class="sh">"</span><span class="s">AWS</span><span class="sh">"</span><span class="p">,</span> <span class="n">managed_rule_group_configs</span><span class="o">=</span><span class="p">[</span> <span class="n">wafv2</span><span class="p">.</span><span class="n">CfnWebACL</span><span class="p">.</span><span class="nc">ManagedRuleGroupConfigProperty</span><span class="p">(</span> <span class="n">login_path</span><span class="o">=</span><span class="n">aws_account_takeover_prevention</span><span class="p">[</span><span class="sh">"</span><span class="s">login_path</span><span class="sh">"</span><span class="p">],</span> <span class="c1"># type: ignore </span> <span class="p">),</span> <span class="n">wafv2</span><span class="p">.</span><span class="n">CfnWebACL</span><span class="p">.</span><span class="nc">ManagedRuleGroupConfigProperty</span><span class="p">(</span> <span class="n">password_field</span><span class="o">=</span><span class="n">wafv2</span><span class="p">.</span><span class="n">CfnWebACL</span><span class="p">.</span><span class="nc">FieldIdentifierProperty</span><span class="p">(</span> <span class="n">identifier</span><span class="o">=</span><span class="n">aws_account_takeover_prevention</span><span class="p">[</span><span class="sh">"</span><span class="s">password_field</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># type: ignore </span> <span class="p">),</span> <span class="p">),</span> <span class="n">wafv2</span><span class="p">.</span><span class="n">CfnWebACL</span><span class="p">.</span><span class="nc">ManagedRuleGroupConfigProperty</span><span class="p">(</span> <span class="n">payload_type</span><span class="o">=</span><span class="sh">"</span><span class="s">FORM_ENCODED</span><span class="sh">"</span><span class="p">,</span> <span class="p">),</span> <span class="n">wafv2</span><span class="p">.</span><span class="n">CfnWebACL</span><span class="p">.</span><span class="nc">ManagedRuleGroupConfigProperty</span><span class="p">(</span> <span class="n">username_field</span><span class="o">=</span><span class="n">wafv2</span><span class="p">.</span><span class="n">CfnWebACL</span><span class="p">.</span><span class="nc">FieldIdentifierProperty</span><span class="p">(</span> <span class="n">identifier</span><span class="o">=</span><span class="n">aws_account_takeover_prevention</span><span class="p">[</span><span class="sh">"</span><span class="s">username_field</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># type: ignore </span> <span class="p">),</span> <span class="p">),</span> <span class="p">],</span> <span class="p">)</span> <span class="p">),</span> <span class="n">visibility_config</span><span class="o">=</span><span class="n">wafv2</span><span class="p">.</span><span class="n">CfnWebACL</span><span class="p">.</span><span class="nc">VisibilityConfigProperty</span><span class="p">(</span> <span class="n">cloud_watch_metrics_enabled</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">metric_name</span><span class="o">=</span><span class="sh">"</span><span class="s">AWS-AWSManagedRulesATPRuleSet</span><span class="sh">"</span><span class="p">,</span> <span class="n">sampled_requests_enabled</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="p">),</span> <span class="p">)</span> <span class="nd">@staticmethod</span> <span class="k">def</span> <span class="nf">__aws_sqli_rule</span><span class="p">():</span> <span class="k">return</span> <span class="n">wafv2</span><span class="p">.</span><span class="n">CfnWebACL</span><span class="p">.</span><span class="nc">RuleProperty</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">AWS-AWSManagedRulesSQLiRuleSet</span><span class="sh">"</span><span class="p">,</span> <span class="n">priority</span><span class="o">=</span><span class="mi">5</span><span class="p">,</span> <span class="n">override_action</span><span class="o">=</span><span class="n">wafv2</span><span class="p">.</span><span class="n">CfnWebACL</span><span class="p">.</span><span class="nc">OverrideActionProperty</span><span class="p">(</span><span class="n">none</span><span class="o">=</span><span class="p">{}),</span> <span class="n">statement</span><span class="o">=</span><span class="n">wafv2</span><span class="p">.</span><span class="n">CfnWebACL</span><span class="p">.</span><span class="nc">StatementProperty</span><span class="p">(</span> <span class="n">managed_rule_group_statement</span><span class="o">=</span><span class="n">wafv2</span><span class="p">.</span><span class="n">CfnWebACL</span><span class="p">.</span><span class="nc">ManagedRuleGroupStatementProperty</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">AWSManagedRulesSQLiRuleSet</span><span class="sh">"</span><span class="p">,</span> <span class="n">vendor_name</span><span class="o">=</span><span class="sh">"</span><span class="s">AWS</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> <span class="p">),</span> <span class="n">visibility_config</span><span class="o">=</span><span class="n">wafv2</span><span class="p">.</span><span class="n">CfnWebACL</span><span class="p">.</span><span class="nc">VisibilityConfigProperty</span><span class="p">(</span> <span class="n">cloud_watch_metrics_enabled</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">metric_name</span><span class="o">=</span><span class="sh">"</span><span class="s">AWS-AWSManagedRulesSQLiRuleSet</span><span class="sh">"</span><span class="p">,</span> <span class="n">sampled_requests_enabled</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="p">),</span> <span class="p">)</span> <span class="nd">@staticmethod</span> <span class="k">def</span> <span class="nf">__aws_bad_inputs_rule</span><span class="p">():</span> <span class="k">return</span> <span class="n">wafv2</span><span class="p">.</span><span class="n">CfnWebACL</span><span class="p">.</span><span class="nc">RuleProperty</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">AWS-AWSManagedRulesKnownBadInputsRuleSet</span><span class="sh">"</span><span class="p">,</span> <span class="n">priority</span><span class="o">=</span><span class="mi">4</span><span class="p">,</span> <span class="n">override_action</span><span class="o">=</span><span class="n">wafv2</span><span class="p">.</span><span class="n">CfnWebACL</span><span class="p">.</span><span class="nc">OverrideActionProperty</span><span class="p">(</span><span class="n">none</span><span class="o">=</span><span class="p">{}),</span> <span class="n">statement</span><span class="o">=</span><span class="n">wafv2</span><span class="p">.</span><span class="n">CfnWebACL</span><span class="p">.</span><span class="nc">StatementProperty</span><span class="p">(</span> <span class="n">managed_rule_group_statement</span><span class="o">=</span><span class="n">wafv2</span><span class="p">.</span><span class="n">CfnWebACL</span><span class="p">.</span><span class="nc">ManagedRuleGroupStatementProperty</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">AWSManagedRulesKnownBadInputsRuleSet</span><span class="sh">"</span><span class="p">,</span> <span class="n">vendor_name</span><span class="o">=</span><span class="sh">"</span><span class="s">AWS</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> <span class="p">),</span> <span class="n">visibility_config</span><span class="o">=</span><span class="n">wafv2</span><span class="p">.</span><span class="n">CfnWebACL</span><span class="p">.</span><span class="nc">VisibilityConfigProperty</span><span class="p">(</span> <span class="n">cloud_watch_metrics_enabled</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">metric_name</span><span class="o">=</span><span class="sh">"</span><span class="s">AWS-AWSManagedRulesKnownBadInputsRuleSet</span><span class="sh">"</span><span class="p">,</span> <span class="n">sampled_requests_enabled</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="p">),</span> <span class="p">)</span> <span class="nd">@staticmethod</span> <span class="k">def</span> <span class="nf">__rate_list</span><span class="p">(</span><span class="n">rate_value</span><span class="p">:</span> <span class="nb">int</span><span class="p">):</span> <span class="k">return</span> <span class="n">wafv2</span><span class="p">.</span><span class="n">CfnWebACL</span><span class="p">.</span><span class="nc">RuleProperty</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sa">f</span><span class="sh">"</span><span class="s">Custom-RateLimit</span><span class="si">{</span><span class="n">rate_value</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="n">priority</span><span class="o">=</span><span class="mi">1</span><span class="p">,</span> <span class="n">action</span><span class="o">=</span><span class="n">wafv2</span><span class="p">.</span><span class="n">CfnWebACL</span><span class="p">.</span><span class="nc">RuleActionProperty</span><span class="p">(</span><span class="n">block</span><span class="o">=</span><span class="n">wafv2</span><span class="p">.</span><span class="n">CfnWebACL</span><span class="p">.</span><span class="nc">BlockActionProperty</span><span class="p">()),</span> <span class="n">statement</span><span class="o">=</span><span class="n">wafv2</span><span class="p">.</span><span class="n">CfnWebACL</span><span class="p">.</span><span class="nc">StatementProperty</span><span class="p">(</span> <span class="n">rate_based_statement</span><span class="o">=</span><span class="n">wafv2</span><span class="p">.</span><span class="n">CfnWebACL</span><span class="p">.</span><span class="nc">RateBasedStatementProperty</span><span class="p">(</span> <span class="n">aggregate_key_type</span><span class="o">=</span><span class="sh">"</span><span class="s">IP</span><span class="sh">"</span><span class="p">,</span> <span class="n">limit</span><span class="o">=</span><span class="n">rate_value</span><span class="p">,</span> <span class="p">)</span> <span class="p">),</span> <span class="n">visibility_config</span><span class="o">=</span><span class="n">wafv2</span><span class="p">.</span><span class="n">CfnWebACL</span><span class="p">.</span><span class="nc">VisibilityConfigProperty</span><span class="p">(</span> <span class="n">cloud_watch_metrics_enabled</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">metric_name</span><span class="o">=</span><span class="sa">f</span><span class="sh">"</span><span class="s">Custom-RateLimit</span><span class="si">{</span><span class="n">rate_value</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="n">sampled_requests_enabled</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="p">),</span> <span class="p">)</span> <span class="nd">@staticmethod</span> <span class="k">def</span> <span class="nf">__aws_ip_reputation_list</span><span class="p">():</span> <span class="k">return</span> <span class="n">wafv2</span><span class="p">.</span><span class="n">CfnWebACL</span><span class="p">.</span><span class="nc">RuleProperty</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">AWS-AWSManagedRulesAmazonIpReputationList</span><span class="sh">"</span><span class="p">,</span> <span class="n">priority</span><span class="o">=</span><span class="mi">0</span><span class="p">,</span> <span class="n">override_action</span><span class="o">=</span><span class="n">wafv2</span><span class="p">.</span><span class="n">CfnWebACL</span><span class="p">.</span><span class="nc">OverrideActionProperty</span><span class="p">(</span><span class="n">none</span><span class="o">=</span><span class="p">{}),</span> <span class="n">statement</span><span class="o">=</span><span class="n">wafv2</span><span class="p">.</span><span class="n">CfnWebACL</span><span class="p">.</span><span class="nc">StatementProperty</span><span class="p">(</span> <span class="n">managed_rule_group_statement</span><span class="o">=</span><span class="n">wafv2</span><span class="p">.</span><span class="n">CfnWebACL</span><span class="p">.</span><span class="nc">ManagedRuleGroupStatementProperty</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">AWSManagedRulesAmazonIpReputationList</span><span class="sh">"</span><span class="p">,</span> <span class="n">vendor_name</span><span class="o">=</span><span class="sh">"</span><span class="s">AWS</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> <span class="p">),</span> <span class="n">visibility_config</span><span class="o">=</span><span class="n">wafv2</span><span class="p">.</span><span class="n">CfnWebACL</span><span class="p">.</span><span class="nc">VisibilityConfigProperty</span><span class="p">(</span> <span class="n">cloud_watch_metrics_enabled</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">metric_name</span><span class="o">=</span><span class="sh">"</span><span class="s">AWS-AWSManagedRulesAmazonIpReputationList</span><span class="sh">"</span><span class="p">,</span> <span class="n">sampled_requests_enabled</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="p">),</span> <span class="p">)</span> <span class="nd">@staticmethod</span> <span class="k">def</span> <span class="nf">__aws_common_rule</span><span class="p">(</span><span class="n">aws_common_excluded_rules</span><span class="p">):</span> <span class="k">return</span> <span class="n">wafv2</span><span class="p">.</span><span class="n">CfnWebACL</span><span class="p">.</span><span class="nc">RuleProperty</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">AWS-AWSManagedRulesCommonRuleSet</span><span class="sh">"</span><span class="p">,</span> <span class="n">priority</span><span class="o">=</span><span class="mi">2</span><span class="p">,</span> <span class="n">override_action</span><span class="o">=</span><span class="n">wafv2</span><span class="p">.</span><span class="n">CfnWebACL</span><span class="p">.</span><span class="nc">OverrideActionProperty</span><span class="p">(</span><span class="n">none</span><span class="o">=</span><span class="p">{}),</span> <span class="n">statement</span><span class="o">=</span><span class="n">wafv2</span><span class="p">.</span><span class="n">CfnWebACL</span><span class="p">.</span><span class="nc">StatementProperty</span><span class="p">(</span> <span class="n">managed_rule_group_statement</span><span class="o">=</span><span class="n">wafv2</span><span class="p">.</span><span class="n">CfnWebACL</span><span class="p">.</span><span class="nc">ManagedRuleGroupStatementProperty</span><span class="p">(</span> <span class="n">excluded_rules</span><span class="o">=</span><span class="n">aws_common_excluded_rules</span><span class="p">,</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">AWSManagedRulesCommonRuleSet</span><span class="sh">"</span><span class="p">,</span> <span class="n">vendor_name</span><span class="o">=</span><span class="sh">"</span><span class="s">AWS</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> <span class="p">),</span> <span class="n">visibility_config</span><span class="o">=</span><span class="n">wafv2</span><span class="p">.</span><span class="n">CfnWebACL</span><span class="p">.</span><span class="nc">VisibilityConfigProperty</span><span class="p">(</span> <span class="n">cloud_watch_metrics_enabled</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">metric_name</span><span class="o">=</span><span class="sh">"</span><span class="s">AWS-AWSManagedRulesCommonRuleSet</span><span class="sh">"</span><span class="p">,</span> <span class="n">sampled_requests_enabled</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="p">),</span> <span class="p">)</span> <span class="nd">@staticmethod</span> <span class="k">def</span> <span class="nf">__aws_anonymous_list</span><span class="p">():</span> <span class="k">return</span> <span class="n">wafv2</span><span class="p">.</span><span class="n">CfnWebACL</span><span class="p">.</span><span class="nc">RuleProperty</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">AWS-AWSManagedRulesAnonymousIpList</span><span class="sh">"</span><span class="p">,</span> <span class="n">priority</span><span class="o">=</span><span class="mi">3</span><span class="p">,</span> <span class="n">override_action</span><span class="o">=</span><span class="n">wafv2</span><span class="p">.</span><span class="n">CfnWebACL</span><span class="p">.</span><span class="nc">OverrideActionProperty</span><span class="p">(</span><span class="n">none</span><span class="o">=</span><span class="p">{}),</span> <span class="n">statement</span><span class="o">=</span><span class="n">wafv2</span><span class="p">.</span><span class="n">CfnWebACL</span><span class="p">.</span><span class="nc">StatementProperty</span><span class="p">(</span> <span class="n">managed_rule_group_statement</span><span class="o">=</span><span class="n">wafv2</span><span class="p">.</span><span class="n">CfnWebACL</span><span class="p">.</span><span class="nc">ManagedRuleGroupStatementProperty</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">AWSManagedRulesAnonymousIpList</span><span class="sh">"</span><span class="p">,</span> <span class="n">vendor_name</span><span class="o">=</span><span class="sh">"</span><span class="s">AWS</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> <span class="p">),</span> <span class="n">visibility_config</span><span class="o">=</span><span class="n">wafv2</span><span class="p">.</span><span class="n">CfnWebACL</span><span class="p">.</span><span class="nc">VisibilityConfigProperty</span><span class="p">(</span> <span class="n">cloud_watch_metrics_enabled</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">metric_name</span><span class="o">=</span><span class="sh">"</span><span class="s">AWS-AWSManagedRulesAnonymousIpList</span><span class="sh">"</span><span class="p">,</span> <span class="n">sampled_requests_enabled</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="p">),</span> <span class="p">)</span> <span class="k">def</span> <span class="nf">web_acl</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="n">name</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">rate_value</span><span class="p">:</span> <span class="n">Union</span><span class="p">[</span><span class="nb">int</span><span class="p">,</span> <span class="bp">None</span><span class="p">],</span> <span class="n">aws_common_rule</span><span class="p">:</span> <span class="nb">bool</span> <span class="o">=</span> <span class="bp">True</span><span class="p">,</span> <span class="n">aws_common_rule_ignore_list</span><span class="p">:</span> <span class="n">Optional</span><span class="p">[</span><span class="nb">list</span><span class="p">]</span> <span class="o">=</span> <span class="bp">None</span><span class="p">,</span> <span class="n">aws_anony_list</span><span class="p">:</span> <span class="nb">bool</span> <span class="o">=</span> <span class="bp">False</span><span class="p">,</span> <span class="n">aws_bad_inputs_rule</span><span class="p">:</span> <span class="nb">bool</span> <span class="o">=</span> <span class="bp">False</span><span class="p">,</span> <span class="n">aws_sqli_rule</span><span class="p">:</span> <span class="nb">bool</span> <span class="o">=</span> <span class="bp">False</span><span class="p">,</span> <span class="n">aws_account_takeover_prevention</span><span class="p">:</span> <span class="n">Union</span><span class="p">[</span><span class="nb">bool</span><span class="p">,</span> <span class="n">Dict</span><span class="p">[</span><span class="n">Any</span><span class="p">,</span> <span class="n">Any</span><span class="p">]]</span> <span class="o">=</span> <span class="bp">False</span><span class="p">,</span> <span class="n">waf_scope</span><span class="p">:</span> <span class="n">Literal</span><span class="p">[</span><span class="sh">"</span><span class="s">REGIONAL</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">CLOUDFRONT</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="sh">"</span><span class="s">REGIONAL</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="n">wafv2</span><span class="p">.</span><span class="n">CfnWebACL</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Create AWS WAF with opinionated default rules. The minimal configuration will create WAF ACL with aws_reputation_list :param aws_common_rule_ignore_list: List of strings that contain rules to be ignored. :param aws_account_takeover_prevention: The definition for account takeover prevention rule :param aws_sqli_rule: The WAF managed rule by AWS AWS-AWSManagedRulesSQLiRuleSet :param aws_bad_inputs_rule: The WAF managed rule by AWS AWS-AWSManagedRulesKnownBadInputsRuleSet :param aws_anony_list: The WAF managed rule by AWS AWS-AWSManagedRulesAnonymousIpList :param aws_common_rule: The WAF managed rule by AWS AWS-AWSManagedRulesCommonRuleSet :param rate_value: The number of packets per seconds for custom rate limiting :param waf_scope: The WAF scope, it could be regional for API GW, Cognito and ALB or CLOUDFRONT for cloudfront distributions :param name: Then name of WAF ACL :return: </span><span class="sh">"""</span> <span class="c1"># 0. Reputation List. The first rule is enabled by default </span> <span class="n">aws_ip_rep_list</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="nf">__aws_ip_reputation_list</span><span class="p">()</span> <span class="n">waf_rules</span> <span class="o">=</span> <span class="p">[</span><span class="n">aws_ip_rep_list</span><span class="p">]</span> <span class="k">if</span> <span class="n">rate_value</span><span class="p">:</span> <span class="c1"># 1. Custom Rate Limit </span> <span class="n">rate_list</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="nf">__rate_list</span><span class="p">(</span><span class="n">rate_value</span><span class="p">)</span> <span class="n">waf_rules</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">rate_list</span><span class="p">)</span> <span class="c1"># 2. Common Rule </span> <span class="n">aws_common_excluded_rules</span> <span class="o">=</span> <span class="bp">None</span> <span class="k">if</span> <span class="n">aws_common_rule_ignore_list</span><span class="p">:</span> <span class="n">aws_common_excluded_rules</span> <span class="o">=</span> <span class="p">[</span> <span class="n">wafv2</span><span class="p">.</span><span class="n">CfnWebACL</span><span class="p">.</span><span class="nc">ExcludedRuleProperty</span><span class="p">(</span><span class="n">name</span><span class="o">=</span><span class="n">rule_name</span><span class="p">)</span> <span class="k">for</span> <span class="n">rule_name</span> <span class="ow">in</span> <span class="n">aws_common_rule_ignore_list</span> <span class="p">]</span> <span class="k">if</span> <span class="n">aws_common_rule</span><span class="p">:</span> <span class="n">aws_common_rule</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="nf">__aws_common_rule</span><span class="p">(</span><span class="n">aws_common_excluded_rules</span><span class="p">)</span> <span class="n">waf_rules</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">aws_common_rule</span><span class="p">)</span> <span class="k">if</span> <span class="n">aws_anony_list</span><span class="p">:</span> <span class="c1"># 3. AnonymousIpList </span> <span class="n">aws_anony_list</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="nf">__aws_anonymous_list</span><span class="p">()</span> <span class="n">waf_rules</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">aws_anony_list</span><span class="p">)</span> <span class="k">if</span> <span class="n">aws_bad_inputs_rule</span><span class="p">:</span> <span class="c1"># 4. Known Bad Inputs Rule </span> <span class="n">aws_bad_inputs_rule</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="nf">__aws_bad_inputs_rule</span><span class="p">()</span> <span class="n">waf_rules</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">aws_bad_inputs_rule</span><span class="p">)</span> <span class="k">if</span> <span class="n">aws_sqli_rule</span><span class="p">:</span> <span class="c1"># 5. SQLi Rule </span> <span class="n">aws_sqli_rule</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="nf">__aws_sqli_rule</span><span class="p">()</span> <span class="n">waf_rules</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">aws_sqli_rule</span><span class="p">)</span> <span class="k">if</span> <span class="n">aws_account_takeover_prevention</span><span class="p">:</span> <span class="c1"># 6. Account takeover prevention </span> <span class="n">aws_account_takeover_prevention_rule</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="nf">__aws_account_takeover_prevention</span><span class="p">(</span> <span class="n">aws_account_takeover_prevention</span> <span class="p">)</span> <span class="n">waf_rules</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">aws_account_takeover_prevention_rule</span><span class="p">)</span> <span class="k">return</span> <span class="n">wafv2</span><span class="p">.</span><span class="nc">CfnWebACL</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">WAF ACL</span><span class="sh">"</span><span class="p">,</span> <span class="n">default_action</span><span class="o">=</span><span class="n">wafv2</span><span class="p">.</span><span class="n">CfnWebACL</span><span class="p">.</span><span class="nc">DefaultActionProperty</span><span class="p">(</span><span class="n">allow</span><span class="o">=</span><span class="p">{}),</span> <span class="n">scope</span><span class="o">=</span><span class="n">waf_scope</span><span class="p">,</span> <span class="n">visibility_config</span><span class="o">=</span><span class="n">wafv2</span><span class="p">.</span><span class="n">CfnWebACL</span><span class="p">.</span><span class="nc">VisibilityConfigProperty</span><span class="p">(</span> <span class="n">cloud_watch_metrics_enabled</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">metric_name</span><span class="o">=</span><span class="sh">"</span><span class="s">web-acl</span><span class="sh">"</span><span class="p">,</span> <span class="n">sampled_requests_enabled</span><span class="o">=</span><span class="bp">True</span> <span class="p">),</span> <span class="n">name</span><span class="o">=</span><span class="n">name</span><span class="p">,</span> <span class="n">rules</span><span class="o">=</span><span class="n">waf_rules</span><span class="p">,</span> <span class="p">)</span> <span class="k">def</span> <span class="nf">web_acl_association</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">resource_arn</span><span class="p">,</span> <span class="n">web_acl_arn</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">wafv2</span><span class="p">.</span><span class="n">CfnWebACLAssociation</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Associate AWS Resource with WAF. :param resource_arn: The ARN of resource that will be protected by WAF :param web_acl_arn: The WEB Application Access Control List ARN :return: wafv2.CfnWebACLAssociation </span><span class="sh">"""</span> <span class="k">return</span> <span class="n">wafv2</span><span class="p">.</span><span class="nc">CfnWebACLAssociation</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">ACLAssociation</span><span class="sh">"</span><span class="p">,</span> <span class="n">resource_arn</span><span class="o">=</span><span class="n">resource_arn</span><span class="p">,</span> <span class="n">web_acl_arn</span><span class="o">=</span><span class="n">web_acl_arn</span><span class="p">)</span> <span class="k">def</span> <span class="nf">web_acl_log</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">web_acl_arn</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">log_group_name</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">wafv2</span><span class="p">.</span><span class="n">CfnLoggingConfiguration</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Configure provided a log group as a target for WAF log destination. :param web_acl_arn: The WEB Application Access Control List ARN :param log_group_name: The name of log group :return: AWS CDK WAFv2.CfnLoggingConfiguration </span><span class="sh">"""</span> <span class="n">log_group</span> <span class="o">=</span> <span class="n">logs</span><span class="p">.</span><span class="nc">LogGroup</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="nb">id</span><span class="o">=</span><span class="sh">"</span><span class="s">web_acl_log_group</span><span class="sh">"</span><span class="p">,</span> <span class="n">log_group_name</span><span class="o">=</span><span class="n">log_group_name</span><span class="p">,</span> <span class="n">retention</span><span class="o">=</span><span class="n">logs</span><span class="p">.</span><span class="n">RetentionDays</span><span class="p">.</span><span class="n">ONE_WEEK</span><span class="p">,</span> <span class="n">removal_policy</span><span class="o">=</span><span class="n">cdk</span><span class="p">.</span><span class="n">RemovalPolicy</span><span class="p">.</span><span class="n">DESTROY</span><span class="p">,</span> <span class="p">)</span> <span class="k">return</span> <span class="n">wafv2</span><span class="p">.</span><span class="nc">CfnLoggingConfiguration</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="nb">id</span><span class="o">=</span><span class="sh">"</span><span class="s">web_acl_cfn_log_configuration</span><span class="sh">"</span><span class="p">,</span> <span class="n">log_destination_configs</span><span class="o">=</span><span class="p">[</span> <span class="n">cdk</span><span class="p">.</span><span class="n">Stack</span><span class="p">.</span><span class="nf">of</span><span class="p">(</span><span class="n">self</span><span class="p">).</span><span class="nf">format_arn</span><span class="p">(</span> <span class="n">arn_format</span><span class="o">=</span><span class="n">cdk</span><span class="p">.</span><span class="n">ArnFormat</span><span class="p">.</span><span class="n">COLON_RESOURCE_NAME</span><span class="p">,</span> <span class="n">service</span><span class="o">=</span><span class="sh">"</span><span class="s">logs</span><span class="sh">"</span><span class="p">,</span> <span class="n">resource</span><span class="o">=</span><span class="sh">"</span><span class="s">log-group</span><span class="sh">"</span><span class="p">,</span> <span class="n">resource_name</span><span class="o">=</span><span class="n">log_group</span><span class="p">.</span><span class="n">log_group_name</span><span class="p">,</span> <span class="p">)</span> <span class="p">],</span> <span class="n">resource_arn</span><span class="o">=</span><span class="n">web_acl_arn</span><span class="p">,</span> <span class="p">)</span> </code></pre> </div> <p>What we can have from it?<br> Long story short, 5 of AWS managed rules and 1 custom rate limit</p> <ul> <li>AWSManagedRulesAmazonIpReputationList</li> <li>AWSManagedRulesCommonRuleSet</li> <li>AWSManagedRulesAnonymousIpList</li> <li>AWSManagedRulesKnownBadInputsRuleSet</li> <li>AWSManagedRulesSQLiRuleSet</li> <li>AWSManagedRulesATPRuleSet </li> <li>Custom-RateLimit</li> </ul> <p>Example use:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">alb_wafv2_construct</span> <span class="o">=</span> <span class="nc">WAFv2</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">construct_id</span><span class="o">=</span><span class="sh">"</span><span class="s">wafv2_construct</span><span class="sh">"</span><span class="p">)</span> <span class="n">alb_wafv2_acl</span> <span class="o">=</span> <span class="n">alb_wafv2_construct</span><span class="p">.</span><span class="nf">web_acl</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">standard_prefix</span><span class="si">}</span><span class="s">-wafv2</span><span class="sh">"</span><span class="p">,</span> <span class="n">rate_value</span><span class="o">=</span><span class="mi">500</span><span class="p">,</span> <span class="n">aws_common_rule</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">aws_sqli_rule</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">aws_anony_list</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">aws_bad_inputs_rule</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">aws_account_takeover_prevention</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">login_path</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">/important_page/login</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">payload_type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">FORM_ENCODED</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">password_field</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">PasswordField</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">username_field</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">LoginField</span><span class="sh">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">)</span> <span class="n">alb_wafv2_construct</span><span class="p">.</span><span class="nf">web_acl_association</span><span class="p">(</span><span class="n">resource_arn</span><span class="o">=</span><span class="n">alb</span><span class="p">.</span><span class="n">load_balancer_arn</span><span class="p">,</span> <span class="n">web_acl_arn</span><span class="o">=</span><span class="n">alb_wafv2_acl</span><span class="p">.</span><span class="n">attr_arn</span><span class="p">)</span> <span class="n">alb_wafv2_log_group</span> <span class="o">=</span> <span class="n">alb_wafv2_construct</span><span class="p">.</span><span class="nf">web_acl_log</span><span class="p">(</span><span class="n">log_group_name</span><span class="o">=</span><span class="sa">f</span><span class="sh">"</span><span class="s">aws-waf-logs-</span><span class="si">{</span><span class="n">standard_prefix</span><span class="si">}</span><span class="s">-wafv2</span><span class="sh">"</span><span class="p">)</span> <span class="n">alb_wafv2_construct</span><span class="p">.</span><span class="nf">web_acl_log_config</span><span class="p">(</span><span class="n">log_group</span><span class="o">=</span><span class="n">alb_wafv2_log_group</span><span class="p">,</span> <span class="n">web_acl_arn</span><span class="o">=</span><span class="n">alb_wafv2_acl</span><span class="p">.</span><span class="n">attr_arn</span><span class="p">)</span> </code></pre> </div> <p>And more or less you have a good starting point with WAF ACL attached to your ALB.</p> Linux EC2 Bastion Host with AWS CDK Tomasz Szuster Mon, 05 Sep 2022 08:37:27 +0000 https://dev.to/airmonitor/linux-ec2-bastion-host-with-aws-cdk-55ie https://dev.to/airmonitor/linux-ec2-bastion-host-with-aws-cdk-55ie <h2> The requirements. </h2> <p>Provide more secure access to the RDS instance for the end users compared to placing database in public network subnet with public IP.</p> <p>Below solution will use AWS EC2 cloud-init feature to install ansible with required galaxy modules to update /home/ec2-user/.ssh/authorized_keys file whenever a new SSH public key will be placed in public_keys directory.</p> <p>This way EC2 will be recreated every time when SSH key will be added or removed because cloud-init definition will change.</p> <p>As this solution depends on ansible then we need to ensure that new key file name will be added to ansible/bastion/roles/ssh/tasks/main.yaml</p> <p>Below is an example of task main.yaml file:</p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Gather EC2 metadata facts</span> <span class="na">amazon.aws.ec2_metadata_facts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Set up multiple authorized key taken from files</span> <span class="na">ansible.posix.authorized_key</span><span class="pi">:</span> <span class="na">user</span><span class="pi">:</span> <span class="s">ec2-user</span> <span class="na">state</span><span class="pi">:</span> <span class="s">present</span> <span class="na">key</span><span class="pi">:</span> <span class="s1">'</span><span class="s">{{</span><span class="nv"> </span><span class="s">item</span><span class="nv"> </span><span class="s">}}'</span> <span class="na">with_file</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">public_keys/tom_id_rsa.pub</span> </code></pre> </div> <p>and below playbook the definition:</p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="nn">---</span> <span class="pi">-</span> <span class="na">hosts</span><span class="pi">:</span> <span class="s">localhost</span> <span class="na">connection</span><span class="pi">:</span> <span class="s">local</span> <span class="na">remote_user</span><span class="pi">:</span> <span class="s">ec2-user</span> <span class="na">become</span><span class="pi">:</span> <span class="s">yes</span> <span class="na">become_method</span><span class="pi">:</span> <span class="s">sudo</span> <span class="na">gather_facts</span><span class="pi">:</span> <span class="s">yes</span> <span class="na">roles</span><span class="pi">:</span> <span class="pi">-</span> <span class="pi">{</span><span class="nv">role</span><span class="pi">:</span> <span class="s1">'</span><span class="s">ssh'</span><span class="pi">}</span> </code></pre> </div> <h2> The assumptions. </h2> <ul> <li>VPC and subnets (public and private)</li> <li>Route53 DNS public zone</li> <li>S3 Bucket which hosts ansible playbook</li> <li>KMS Key (customer managed)</li> </ul> <p>There is ansible playbook in the root dir named /ansible, with below directory structure:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> ├── ansible │   └── bastion │   ├── ansible.cfg │   ├── main.yml │   └── roles │   └── ssh │   ├── files │   │   └── public_keys │   │   └── tom_id_rsa.pub │   └── tasks │   └── main.yaml </code></pre> </div> <h2> Architecture with data flow </h2> <p>The below architecture is coming from article named <a href="https://dev.to/aws-builders/aws-bastion-host-jump-box-5h87">aws-bastion-host-jump-box</a></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2cwsslx2nkitzhq5cg31.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2cwsslx2nkitzhq5cg31.png" alt="architecture_diagram"></a></p> <h2> CDK code </h2> <h3> Let's import required components from the assumptions section </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="n">imported_vpc</span> <span class="o">=</span> <span class="n">ec2</span><span class="p">.</span><span class="n">Vpc</span><span class="p">.</span><span class="nf">from_lookup</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="nb">id</span><span class="o">=</span><span class="sh">"</span><span class="s">imported_vpc</span><span class="sh">"</span><span class="p">,</span> <span class="n">vpc_id</span><span class="o">=</span><span class="n">ssm</span><span class="p">.</span><span class="n">StringParameter</span><span class="p">.</span><span class="nf">value_from_lookup</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="n">parameter_name</span><span class="o">=</span><span class="n">self</span><span class="p">.</span><span class="n">object_names</span><span class="p">[</span><span class="sh">"</span><span class="s">vpc_id_ssm_param_name</span><span class="sh">"</span><span class="p">]</span> <span class="p">),</span> <span class="p">)</span> <span class="n">imported_kms_key</span> <span class="o">=</span> <span class="n">kms</span><span class="p">.</span><span class="n">Key</span><span class="p">.</span><span class="nf">from_lookup</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="nb">id</span><span class="o">=</span><span class="sh">"</span><span class="s">imported_kms_key</span><span class="sh">"</span><span class="p">,</span> <span class="n">alias_name</span><span class="o">=</span><span class="sa">f</span><span class="sh">'</span><span class="s">alias/</span><span class="si">{</span><span class="n">self</span><span class="p">.</span><span class="n">object_names</span><span class="p">[</span><span class="sh">"</span><span class="s">shared_kms_key_alias</span><span class="sh">"</span><span class="p">]</span><span class="si">}</span><span class="sh">'</span> <span class="p">)</span> <span class="n">imported_route53_public_zone</span> <span class="o">=</span> <span class="n">route53</span><span class="p">.</span><span class="n">PublicHostedZone</span><span class="p">.</span><span class="nf">from_public_hosted_zone_attributes</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="nb">id</span><span class="o">=</span><span class="sh">"</span><span class="s">imported_public_hosted_zone_id</span><span class="sh">"</span><span class="p">,</span> <span class="n">hosted_zone_id</span><span class="o">=</span><span class="n">ssm</span><span class="p">.</span><span class="n">StringParameter</span><span class="p">.</span><span class="nf">value_for_string_parameter</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="n">parameter_name</span><span class="o">=</span><span class="n">self</span><span class="p">.</span><span class="n">object_names</span><span class="p">[</span><span class="sh">"</span><span class="s">ssm_public_dns_zone_id</span><span class="sh">"</span><span class="p">]</span> <span class="p">),</span> <span class="n">zone_name</span><span class="o">=</span><span class="n">self</span><span class="p">.</span><span class="n">object_names</span><span class="p">[</span><span class="sh">"</span><span class="s">ssm_public_dns_zone_name</span><span class="sh">"</span><span class="p">],</span> <span class="p">)</span> </code></pre> </div> <h3> Let's create bastion and grant necessary permissions </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="n">bastion</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="nf">bastion_host</span><span class="p">(</span> <span class="n">props</span><span class="o">=</span><span class="n">props</span><span class="p">,</span> <span class="n">ansible_bucket</span><span class="o">=</span><span class="n">shared_ansible_s3_bucket</span><span class="p">,</span> <span class="n">route53_public_zone</span><span class="o">=</span><span class="n">imported_route53_public_zone</span><span class="p">,</span> <span class="n">shared_kms_key</span><span class="o">=</span><span class="n">imported_kms_key</span><span class="p">,</span> <span class="n">vpc</span><span class="o">=</span><span class="n">imported_vpc</span><span class="p">,</span> <span class="p">)</span> <span class="n">shared_ansible_s3_bucket</span><span class="p">.</span><span class="nf">grant_read</span><span class="p">(</span><span class="n">bastion</span><span class="p">)</span> <span class="n">imported_kms_key</span><span class="p">.</span><span class="nf">grant_decrypt</span><span class="p">(</span><span class="n">bastion</span><span class="p">)</span> </code></pre> </div> <h3> Let's copy ansible playbook to S3 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="n">self</span><span class="p">.</span><span class="nf">bucket_deployment</span><span class="p">(</span> <span class="n">destination_key_prefix</span><span class="o">=</span><span class="sh">"</span><span class="s">bastion</span><span class="sh">"</span><span class="p">,</span> <span class="n">object_path</span><span class="o">=</span><span class="sh">"</span><span class="s">../../ansible/bastion</span><span class="sh">"</span><span class="p">,</span> <span class="n">bucket</span><span class="o">=</span><span class="n">shared_ansible_s3_bucket</span> <span class="p">)</span> </code></pre> </div> <h3> Let's have methods for bastion_host and bucket_deployment </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="k">def</span> <span class="nf">bucket_deployment</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">destination_key_prefix</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">object_path</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">bucket</span><span class="p">:</span> <span class="n">s3</span><span class="p">.</span><span class="n">IBucket</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Deploy directory or zip archive to S3 bucket. :param bucket: The AWS S3 Bucket CDK object to which deployment will occur :param destination_key_prefix: The prefix which will be used to deploy object into :param object_path: Path to the directory or zip archive in filesystem :return: </span><span class="sh">"""</span> <span class="n">this_dir</span> <span class="o">=</span> <span class="n">path</span><span class="p">.</span><span class="nf">dirname</span><span class="p">(</span><span class="n">__file__</span><span class="p">)</span> <span class="n">source_asset</span> <span class="o">=</span> <span class="n">s3_deployment</span><span class="p">.</span><span class="n">Source</span><span class="p">.</span><span class="nf">asset</span><span class="p">(</span><span class="n">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="n">this_dir</span><span class="p">,</span> <span class="n">object_path</span><span class="p">))</span> <span class="n">s3_deployment</span><span class="p">.</span><span class="nc">BucketDeployment</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="nb">id</span><span class="o">=</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">destination_key_prefix</span><span class="si">}</span><span class="s">_deployment</span><span class="sh">"</span><span class="p">,</span> <span class="n">destination_bucket</span><span class="o">=</span><span class="n">bucket</span><span class="p">,</span> <span class="n">sources</span><span class="o">=</span><span class="p">[</span><span class="n">source_asset</span><span class="p">],</span> <span class="n">destination_key_prefix</span><span class="o">=</span><span class="n">destination_key_prefix</span><span class="p">,</span> <span class="p">)</span> <span class="k">def</span> <span class="nf">bastion_host</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="n">props</span><span class="p">:</span> <span class="n">Dict</span><span class="p">,</span> <span class="n">ansible_bucket</span><span class="p">:</span> <span class="n">s3</span><span class="p">.</span><span class="n">IBucket</span><span class="p">,</span> <span class="n">route53_public_zone</span><span class="p">:</span> <span class="n">route53</span><span class="p">.</span><span class="n">IPublicHostedZone</span><span class="p">,</span> <span class="n">shared_kms_key</span><span class="p">:</span> <span class="n">kms</span><span class="p">.</span><span class="n">IKey</span><span class="p">,</span> <span class="n">vpc</span><span class="p">:</span> <span class="n">ec2</span><span class="p">.</span><span class="n">IVpc</span><span class="p">,</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="n">ec2</span><span class="p">.</span><span class="n">BastionHostLinux</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Create bastion host to route network traffic (grant access) to the resources placed inside private subnets. :param ansible_bucket: The CDK instance of existing s3 bucket that host ansible playbooks :param route53_public_zone: The CDK object for Route53 zone. In this zone the DNS entry for bastion host will be created :param props: The dictionary which contain configuration values loaded initially from /config/config-env.yaml :param shared_kms_key: The AWS KMS key shared for this project :param vpc: The EC2 VPC object, this vpc will be used to place bastion host in it </span><span class="sh">"""</span> <span class="n">ansible_copy_keys_init_list</span><span class="p">:</span> <span class="n">List</span><span class="p">[</span><span class="n">ec2</span><span class="p">.</span><span class="n">InitCommand</span><span class="p">]</span> <span class="o">=</span> <span class="p">[]</span> <span class="n">ssh_pub_keys_path</span> <span class="o">=</span> <span class="sh">"</span><span class="s">ansible/bastion/roles/ssh/files/public_keys</span><span class="sh">"</span> <span class="c1"># pylint: disable=W0612 </span> <span class="k">for</span> <span class="n">dir_path</span><span class="p">,</span> <span class="n">dirs</span><span class="p">,</span> <span class="n">files</span> <span class="ow">in</span> <span class="nf">walk</span><span class="p">(</span><span class="n">ssh_pub_keys_path</span><span class="p">):</span> <span class="n">ansible_copy_keys_init_list</span><span class="p">.</span><span class="nf">extend</span><span class="p">(</span> <span class="n">ec2</span><span class="p">.</span><span class="n">InitCommand</span><span class="p">.</span><span class="nf">shell_command</span><span class="p">(</span> <span class="n">shell_command</span><span class="o">=</span><span class="sa">f</span><span class="sh">"</span><span class="s">aws s3 cp s3://</span><span class="si">{</span><span class="n">ansible_bucket</span><span class="p">.</span><span class="n">bucket_name</span><span class="si">}</span><span class="s">/bastion/roles/ssh/files/public_keys/</span><span class="si">{</span><span class="n">file_name</span><span class="si">}</span><span class="s"> /tmp/</span><span class="sh">"</span> <span class="p">)</span> <span class="k">for</span> <span class="n">file_name</span> <span class="ow">in</span> <span class="n">files</span> <span class="p">)</span> <span class="n">init</span> <span class="o">=</span> <span class="n">ec2</span><span class="p">.</span><span class="n">CloudFormationInit</span><span class="p">.</span><span class="nf">from_config_sets</span><span class="p">(</span> <span class="n">config_sets</span><span class="o">=</span><span class="p">{</span> <span class="c1"># Applies the configs below in this order </span> <span class="sh">"</span><span class="s">default</span><span class="sh">"</span><span class="p">:</span> <span class="p">[</span> <span class="sh">"</span><span class="s">config</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">yum_packages</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">ansible_galaxy_modules_installation</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">ansible_playbook_from_s3</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">copy_ssh_pub_keys_from_s3</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">enable_fail2ban</span><span class="sh">"</span><span class="p">,</span> <span class="p">]</span> <span class="p">},</span> <span class="n">configs</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">config</span><span class="sh">"</span><span class="p">:</span> <span class="n">ec2</span><span class="p">.</span><span class="nc">InitConfig</span><span class="p">(</span> <span class="p">[</span> <span class="n">ec2</span><span class="p">.</span><span class="n">InitCommand</span><span class="p">.</span><span class="nf">shell_command</span><span class="p">(</span><span class="n">shell_command</span><span class="o">=</span><span class="sh">"</span><span class="s">yum update -y</span><span class="sh">"</span><span class="p">),</span> <span class="n">ec2</span><span class="p">.</span><span class="n">InitCommand</span><span class="p">.</span><span class="nf">shell_command</span><span class="p">(</span><span class="n">shell_command</span><span class="o">=</span><span class="sh">"</span><span class="s">amazon-linux-extras install ansible2 -y</span><span class="sh">"</span><span class="p">),</span> <span class="n">ec2</span><span class="p">.</span><span class="n">InitCommand</span><span class="p">.</span><span class="nf">shell_command</span><span class="p">(</span><span class="n">shell_command</span><span class="o">=</span><span class="sh">"</span><span class="s">amazon-linux-extras install epel -y</span><span class="sh">"</span><span class="p">),</span> <span class="p">]</span> <span class="p">),</span> <span class="sh">"</span><span class="s">yum_packages</span><span class="sh">"</span><span class="p">:</span> <span class="n">ec2</span><span class="p">.</span><span class="nc">InitConfig</span><span class="p">(</span> <span class="p">[</span> <span class="n">ec2</span><span class="p">.</span><span class="n">InitPackage</span><span class="p">.</span><span class="nf">yum</span><span class="p">(</span><span class="sh">"</span><span class="s">htop</span><span class="sh">"</span><span class="p">),</span> <span class="n">ec2</span><span class="p">.</span><span class="n">InitPackage</span><span class="p">.</span><span class="nf">yum</span><span class="p">(</span><span class="sh">"</span><span class="s">fail2ban</span><span class="sh">"</span><span class="p">),</span> <span class="p">]</span> <span class="p">),</span> <span class="sh">"</span><span class="s">ansible_galaxy_modules_installation</span><span class="sh">"</span><span class="p">:</span> <span class="n">ec2</span><span class="p">.</span><span class="nc">InitConfig</span><span class="p">(</span> <span class="p">[</span> <span class="n">ec2</span><span class="p">.</span><span class="n">InitCommand</span><span class="p">.</span><span class="nf">shell_command</span><span class="p">(</span> <span class="n">cwd</span><span class="o">=</span><span class="sh">"</span><span class="s">/root</span><span class="sh">"</span><span class="p">,</span> <span class="n">shell_command</span><span class="o">=</span><span class="sh">"</span><span class="s">ansible-galaxy collection install ansible.posix</span><span class="sh">"</span> <span class="p">),</span> <span class="n">ec2</span><span class="p">.</span><span class="n">InitCommand</span><span class="p">.</span><span class="nf">shell_command</span><span class="p">(</span> <span class="n">cwd</span><span class="o">=</span><span class="sh">"</span><span class="s">/root</span><span class="sh">"</span><span class="p">,</span> <span class="n">shell_command</span><span class="o">=</span><span class="sh">"</span><span class="s">ansible-galaxy collection install amazon.aws</span><span class="sh">"</span> <span class="p">),</span> <span class="p">]</span> <span class="p">),</span> <span class="sh">"</span><span class="s">ansible_playbook_from_s3</span><span class="sh">"</span><span class="p">:</span> <span class="n">ec2</span><span class="p">.</span><span class="nc">InitConfig</span><span class="p">(</span> <span class="p">[</span> <span class="n">ec2</span><span class="p">.</span><span class="n">InitCommand</span><span class="p">.</span><span class="nf">shell_command</span><span class="p">(</span><span class="n">shell_command</span><span class="o">=</span><span class="sh">"</span><span class="s">mkdir /root/ansible</span><span class="sh">"</span><span class="p">),</span> <span class="n">ec2</span><span class="p">.</span><span class="n">InitCommand</span><span class="p">.</span><span class="nf">shell_command</span><span class="p">(</span> <span class="n">shell_command</span><span class="o">=</span><span class="sa">f</span><span class="sh">"</span><span class="s">aws s3 cp s3://</span><span class="si">{</span><span class="n">ansible_bucket</span><span class="p">.</span><span class="n">bucket_name</span><span class="si">}</span><span class="s">/bastion /root/ansible/bastion --recursive</span><span class="sh">"</span> <span class="p">),</span> <span class="n">ec2</span><span class="p">.</span><span class="n">InitCommand</span><span class="p">.</span><span class="nf">shell_command</span><span class="p">(</span> <span class="n">cwd</span><span class="o">=</span><span class="sh">"</span><span class="s">/root/ansible/bastion</span><span class="sh">"</span><span class="p">,</span> <span class="n">shell_command</span><span class="o">=</span><span class="sh">"</span><span class="s">ansible-playbook main.yml</span><span class="sh">"</span> <span class="p">),</span> <span class="p">]</span> <span class="p">),</span> <span class="c1"># This section does not implement any real change on Bastion host. It exists only for </span> <span class="c1"># changing the EC2 cloud-init definition that will force EC2 replacement whenever </span> <span class="c1"># a new ssh public key file will be added to the repository </span> <span class="sh">"</span><span class="s">copy_ssh_pub_keys_from_s3</span><span class="sh">"</span><span class="p">:</span> <span class="n">ec2</span><span class="p">.</span><span class="nc">InitConfig</span><span class="p">(</span><span class="n">ansible_copy_keys_init_list</span><span class="p">),</span> <span class="sh">"</span><span class="s">enable_fail2ban</span><span class="sh">"</span><span class="p">:</span> <span class="n">ec2</span><span class="p">.</span><span class="nc">InitConfig</span><span class="p">(</span> <span class="p">[</span> <span class="n">ec2</span><span class="p">.</span><span class="n">InitCommand</span><span class="p">.</span><span class="nf">shell_command</span><span class="p">(</span><span class="n">shell_command</span><span class="o">=</span><span class="sh">"</span><span class="s">systemctl enable fail2ban</span><span class="sh">"</span><span class="p">),</span> <span class="n">ec2</span><span class="p">.</span><span class="n">InitCommand</span><span class="p">.</span><span class="nf">shell_command</span><span class="p">(</span><span class="n">shell_command</span><span class="o">=</span><span class="sh">"</span><span class="s">systemctl start fail2ban</span><span class="sh">"</span><span class="p">),</span> <span class="p">]</span> <span class="p">),</span> <span class="p">},</span> <span class="p">)</span> <span class="n">init_options</span> <span class="o">=</span> <span class="n">ec2</span><span class="p">.</span><span class="nc">ApplyCloudFormationInitOptions</span><span class="p">(</span> <span class="n">config_sets</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">default</span><span class="sh">"</span><span class="p">],</span> <span class="n">timeout</span><span class="o">=</span><span class="n">cdk</span><span class="p">.</span><span class="n">Duration</span><span class="p">.</span><span class="nf">minutes</span><span class="p">(</span><span class="mi">30</span><span class="p">),</span> <span class="n">include_url</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">include_role</span><span class="o">=</span><span class="bp">True</span> <span class="p">)</span> <span class="n">security_group</span> <span class="o">=</span> <span class="n">ec2</span><span class="p">.</span><span class="nc">SecurityGroup</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="nb">id</span><span class="o">=</span><span class="sh">"</span><span class="s">bastion_security_group</span><span class="sh">"</span><span class="p">,</span> <span class="n">vpc</span><span class="o">=</span><span class="n">vpc</span><span class="p">,</span> <span class="n">security_group_name</span><span class="o">=</span><span class="sa">f</span><span class="sh">'</span><span class="si">{</span><span class="n">self</span><span class="p">.</span><span class="n">object_names</span><span class="p">[</span><span class="sh">"</span><span class="s">standard_prefix</span><span class="sh">"</span><span class="p">]</span><span class="si">}</span><span class="s">-bastion</span><span class="sh">'</span><span class="p">,</span> <span class="p">)</span> <span class="n">security_group</span><span class="p">.</span><span class="nf">add_ingress_rule</span><span class="p">(</span><span class="n">peer</span><span class="o">=</span><span class="n">ec2</span><span class="p">.</span><span class="n">Peer</span><span class="p">.</span><span class="nf">any_ipv4</span><span class="p">(),</span> <span class="n">connection</span><span class="o">=</span><span class="n">ec2</span><span class="p">.</span><span class="n">Port</span><span class="p">.</span><span class="nf">tcp</span><span class="p">(</span><span class="n">port</span><span class="o">=</span><span class="mi">22</span><span class="p">))</span> <span class="n">ssm</span><span class="p">.</span><span class="nc">StringParameter</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="nb">id</span><span class="o">=</span><span class="sh">"</span><span class="s">bastion_security_group_id_ssm_param</span><span class="sh">"</span><span class="p">,</span> <span class="n">string_value</span><span class="o">=</span><span class="n">security_group</span><span class="p">.</span><span class="n">security_group_id</span><span class="p">,</span> <span class="n">parameter_name</span><span class="o">=</span><span class="n">self</span><span class="p">.</span><span class="n">object_names</span><span class="p">[</span><span class="sh">"</span><span class="s">bastion_security_group_id_ssm_param</span><span class="sh">"</span><span class="p">],</span> <span class="p">)</span> <span class="n">bastion</span> <span class="o">=</span> <span class="n">ec2</span><span class="p">.</span><span class="nc">BastionHostLinux</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="nb">id</span><span class="o">=</span><span class="sh">"</span><span class="s">bastion_host</span><span class="sh">"</span><span class="p">,</span> <span class="n">block_devices</span><span class="o">=</span><span class="p">[</span> <span class="n">ec2</span><span class="p">.</span><span class="nc">BlockDevice</span><span class="p">(</span> <span class="n">device_name</span><span class="o">=</span><span class="sh">"</span><span class="s">/dev/xvda</span><span class="sh">"</span><span class="p">,</span> <span class="n">volume</span><span class="o">=</span><span class="n">ec2</span><span class="p">.</span><span class="n">BlockDeviceVolume</span><span class="p">.</span><span class="nf">ebs</span><span class="p">(</span> <span class="n">volume_size</span><span class="o">=</span><span class="mi">10</span><span class="p">,</span> <span class="n">encrypted</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">volume_type</span><span class="o">=</span><span class="n">ec2</span><span class="p">.</span><span class="n">EbsDeviceVolumeType</span><span class="p">.</span><span class="n">GP3</span><span class="p">,</span> <span class="n">kms_key</span><span class="o">=</span><span class="n">shared_kms_key</span><span class="p">,</span> <span class="n">delete_on_termination</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="p">),</span> <span class="p">)</span> <span class="p">],</span> <span class="n">init</span><span class="o">=</span><span class="n">init</span><span class="p">,</span> <span class="n">init_options</span><span class="o">=</span><span class="n">init_options</span><span class="p">,</span> <span class="n">instance_name</span><span class="o">=</span><span class="sa">f</span><span class="sh">'</span><span class="si">{</span><span class="n">props</span><span class="p">[</span><span class="sh">"</span><span class="s">stage</span><span class="sh">"</span><span class="p">]</span><span class="si">}</span><span class="s">-</span><span class="si">{</span><span class="n">props</span><span class="p">[</span><span class="sh">"</span><span class="s">project</span><span class="sh">"</span><span class="p">]</span><span class="si">}</span><span class="s">-bastion</span><span class="sh">'</span><span class="p">,</span> <span class="n">instance_type</span><span class="o">=</span><span class="n">ec2</span><span class="p">.</span><span class="n">InstanceType</span><span class="p">.</span><span class="nf">of</span><span class="p">(</span> <span class="n">instance_class</span><span class="o">=</span><span class="n">ec2</span><span class="p">.</span><span class="n">InstanceClass</span><span class="p">.</span><span class="n">BURSTABLE4_GRAVITON</span><span class="p">,</span> <span class="n">instance_size</span><span class="o">=</span><span class="n">ec2</span><span class="p">.</span><span class="n">InstanceSize</span><span class="p">.</span><span class="n">MICRO</span> <span class="p">),</span> <span class="n">security_group</span><span class="o">=</span><span class="n">security_group</span><span class="p">,</span> <span class="n">subnet_selection</span><span class="o">=</span><span class="n">ec2</span><span class="p">.</span><span class="nc">SubnetSelection</span><span class="p">(</span> <span class="n">subnet_group_name</span><span class="o">=</span><span class="sh">"</span><span class="s">public</span><span class="sh">"</span><span class="p">,</span> <span class="p">),</span> <span class="n">vpc</span><span class="o">=</span><span class="n">vpc</span><span class="p">,</span> <span class="p">)</span> <span class="n">route53</span><span class="p">.</span><span class="nc">CnameRecord</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="nb">id</span><span class="o">=</span><span class="sh">"</span><span class="s">bastion_dns_record</span><span class="sh">"</span><span class="p">,</span> <span class="n">domain_name</span><span class="o">=</span><span class="n">bastion</span><span class="p">.</span><span class="n">instance_public_dns_name</span><span class="p">,</span> <span class="n">record_name</span><span class="o">=</span><span class="sa">f</span><span class="sh">"</span><span class="s">bastion.</span><span class="si">{</span><span class="n">route53_public_zone</span><span class="p">.</span><span class="n">zone_name</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="n">zone</span><span class="o">=</span><span class="n">route53_public_zone</span><span class="p">,</span> <span class="n">comment</span><span class="o">=</span><span class="sh">"</span><span class="s">bastion host</span><span class="sh">"</span><span class="p">,</span> <span class="n">ttl</span><span class="o">=</span><span class="n">cdk</span><span class="p">.</span><span class="n">Duration</span><span class="p">.</span><span class="nf">minutes</span><span class="p">(</span><span class="mi">1</span><span class="p">),</span> <span class="p">)</span> <span class="k">return</span> <span class="n">bastion</span> </code></pre> </div> cdk python security aws