feature: add vpc flow (#8)
Co-authored-by: Ran Isenberg <ran.isenberg@ranthebuilder.cloud>
ran-isenberg and Ran Isenberg authored Jul 31, 2024
1 parent 5dd167f commit 63a2b5b
Showing 2 changed files with 54 additions and 23 deletions.
64 changes: 52 additions & 12 deletions cdk/service/chat_bot_construct.py
Expand Up @@ -20,8 +20,8 @@ def __init__(self, scope: Construct, identifier: str, waf_acl: wafv2.CfnWebACL,
super().__init__(scope, identifier)
self.id_ = identifier
self.network_assets = network_assets
# Build Docker image and push to ECR

# Build Docker image and push to ECR
current = Path(__file__).parent
docker_dir = str(Path(current / 'docker'))
docker_image_asset = ecr_assets.DockerImageAsset(
Expand All @@ -33,6 +33,50 @@ def __init__(self, scope: Construct, identifier: str, waf_acl: wafv2.CfnWebACL,
# Create a VPC
vpc = ec2.Vpc(self, 'ChatVpc', max_azs=2)

vpc_log_group = logs.LogGroup(
self,
'VPCLogGroup',
log_group_name='ecs-cdk-vpc-flow',
retention=logs.RetentionDays.ONE_DAY,
removal_policy=RemovalPolicy.DESTROY,
)

# Setup IAM user for logs
vpc_flow_role = iam.Role(
self,
'FlowLog',
assumed_by=iam.ServicePrincipal('vpc-flow-logs.amazonaws.com'),
inline_policies={
'ses': iam.PolicyDocument(
statements=[
iam.PolicyStatement(
actions=[
'logs:CreateLogGroup',
'logs:CreateLogStream',
'logs:PutLogEvents',
'logs:DescribeLogGroups',
'logs:DescribeLogStreams',
],
resources=[vpc_log_group.log_group_arn],
effect=iam.Effect.ALLOW,
)
]
),
},
)

# Setup VPC flow logs
ec2.CfnFlowLog(
self,
'FlowLogs',
resource_id=vpc.vpc_id,
resource_type='VPC',
traffic_type='ALL',
deliver_logs_permission_arn=vpc_flow_role.role_arn,
log_destination_type='cloud-watch-logs',
log_group_name=vpc_log_group.log_group_name,
)

# Create an ECS cluster
cluster = ecs.Cluster(self, 'ChatCluster', vpc=vpc, container_insights=True, enable_fargate_capacity_providers=True)

Expand All @@ -58,15 +102,6 @@ def __init__(self, scope: Construct, identifier: str, waf_acl: wafv2.CfnWebACL,
# Open the necessary port internally
container.add_port_mappings(ecs.PortMapping(container_port=8501, protocol=ecs.Protocol.TCP))

# Security group for the Fargate service
security_group = ec2.SecurityGroup(self, 'ChatSecurityGroup', vpc=vpc)

# Allow inbound traffic on ports 80 (HTTP) and 443 (HTTPS) from any IP
security_group.add_ingress_rule(ec2.Peer.any_ipv4(), ec2.Port.tcp(80), 'Allow HTTP traffic from the internet')
security_group.add_ingress_rule(ec2.Peer.any_ipv4(), ec2.Port.tcp(443), 'Allow HTTPS traffic from the internet')
security_group.add_ingress_rule(ec2.Peer.any_ipv6(), ec2.Port.tcp(80), 'Allow HTTP traffic from the internet (IPv6)')
security_group.add_ingress_rule(ec2.Peer.any_ipv6(), ec2.Port.tcp(443), 'Allow HTTPS traffic from the internet (IPv6)')

access_logs_bucket = s3.Bucket(
scope=self,
id='accessLogsS3Bucket',
Expand All @@ -93,6 +128,13 @@ def __init__(self, scope: Construct, identifier: str, waf_acl: wafv2.CfnWebACL,
enforce_ssl=True,
)

# Security group for the Fargate service
security_group = ec2.SecurityGroup(self, 'ChatSecurityGroup', vpc=vpc)

# Allow inbound traffic on 443 (HTTPS) from any IP
security_group.add_ingress_rule(ec2.Peer.any_ipv4(), ec2.Port.tcp(443), 'Allow HTTPS traffic from the internet')
security_group.add_ingress_rule(ec2.Peer.any_ipv6(), ec2.Port.tcp(443), 'Allow HTTPS traffic from the internet (IPv6)')

# Create a Fargate service and make it publicly accessible
fargate_service = ecs_patterns.ApplicationLoadBalancedFargateService(
self,
Expand Down Expand Up @@ -140,8 +182,6 @@ def __init__(self, scope: Construct, identifier: str, waf_acl: wafv2.CfnWebACL,
scalable_target.scale_on_cpu_utilization(
'CpuScaling',
target_utilization_percent=70,
scale_in_cooldown=Duration.seconds(60),
scale_out_cooldown=Duration.seconds(60),
)

scalable_target.scale_on_memory_utilization('MemoryScaling', target_utilization_percent=80)
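Review bot: The new CloudWatch log group is given a fixed physical name, `log_group_name='ecs-cdk-vpc-flow'`, so a second instance of this construct in the same account and region (a parallel stage or a second stack) fails to deploy with a name conflict; dropping the explicit name and letting CDK generate one avoids that. The inline policy key `'ses'` and the comment `# Setup IAM user for logs` both describe the wrong thing — the policy grants CloudWatch Logs actions to a role assumed by the flow-logs service — so I would use `'cloudwatch-logs'` as the key and `# IAM role assumed by vpc-flow-logs.amazonaws.com to deliver flow logs to CloudWatch`. Flow logs are security telemetry, and `retention=logs.RetentionDays.ONE_DAY` together with `RemovalPolicy.DESTROY` means they are gone before most investigations begin; if that is a deliberate choice for a sample, a one-line comment saying so would help the next reader. `__init__` starts and ends outside this hunk.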
13 changes: 2 additions & 11 deletions cdk/service/service_stack.py
Expand Up @@ -39,16 +39,7 @@ def _add_security_tests(self) -> None:
NagSuppressions.add_stack_suppressions(
self,
[
{'id': 'AwsSolutions-IAM4', 'reason': 'policy for cloudwatch logs.'},
{'id': 'AwsSolutions-IAM5', 'reason': 'policy for cloudwatch logs.'},
{'id': 'AwsSolutions-APIG2', 'reason': 'lambda does input validation'},
{'id': 'AwsSolutions-APIG1', 'reason': 'not mandatory in a sample template'},
{'id': 'AwsSolutions-APIG3', 'reason': 'not mandatory in a sample template'},
{'id': 'AwsSolutions-APIG6', 'reason': 'not mandatory in a sample template'},
{'id': 'AwsSolutions-APIG4', 'reason': 'authorization not mandatory in a sample template'},
{'id': 'AwsSolutions-COG4', 'reason': 'not using cognito'},
{'id': 'AwsSolutions-L1', 'reason': 'False positive'},
{'id': 'AwsSolutions-VPC7', 'reason': 'Not interested in this check'},
{'id': 'AwsSolutions-EC23', 'reason': 'False positive, port is limited to 80 or 443'},
{'id': 'AwsSolutions-IAM5', 'reason': 'fetch secret from secret manager, should be a concrete secret ARN in a real app'},
{'id': 'AwsSolutions-EC23', 'reason': 'we accept ingress from all IPs and have WAF to prevent DDOS'},
],
)
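Review bot: The reworded `AwsSolutions-IAM5` and `AwsSolutions-EC23` entries are still passed to `NagSuppressions.add_stack_suppressions`, which silences those rules for every resource in the stack, so any future wildcard IAM action or open security group added elsewhere would be hidden under the same reason. Scoping them with `NagSuppressions.add_resource_suppressions` to the specific construct (the task role for IAM5, the service security group for EC23) keeps the checks active for everything else, though this hunk does not show which construct holds the secret-fetching policy. The EC23 reason cites WAF, which presumably protects the load balancer rather than the security group itself, so naming the resource the suppression is meant for would make the justification checkable. `_add_security_tests` begins above this hunk.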
