/*
* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
* SPDX-License-Identifier: MIT-0
*
* Permission is hereby granted, free of charge, to any person obtaining a copy of this
* software and associated documentation files (the "Software"), to deal in the Software
* without restriction, including without limitation the rights to use, copy, modify,
* merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
* permit persons to whom the Software is furnished to do so.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
* INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
* PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
* HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
* OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
* SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*/
import cdk = require('@aws-cdk/core');
import ec2 = require('@aws-cdk/aws-ec2');
import iam = require('@aws-cdk/aws-iam');
import elasticache = require('@aws-cdk/aws-elasticache');
import lambda = require('@aws-cdk/aws-lambda');
import secretsmanager = require('@aws-cdk/aws-secretsmanager')
import path = require('path');
import { RedisRbacRotation, RedisSingleAuthRotation } from './lib/redisRotator';
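/**
 * Demo stack that wires an ElastiCache Redis cluster to the two secret
 * rotation constructs exported by ./lib/redisRotator (single AUTH token
 * rotation and RBAC user rotation).
 *
 * It creates a VPC with a private and a public subnet per AZ, one security
 * group for the cache and one for the rotator functions, an ElastiCache
 * subnet group over the private subnets, and the two rotation constructs.
 */
export class RedisAuthRotationDemo extends cdk.Stack {
  /**
   * @param scope the CDK app that owns this stack
   * @param id logical id of the stack
   * @param props optional stack properties (environment, tags, ...)
   */
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const vpc = new ec2.Vpc(this, 'elasticache-demo-vpc', {
      subnetConfiguration: [
        { cidrMask: 24, name: 'Private', subnetType: ec2.SubnetType.PRIVATE },
        { cidrMask: 24, name: 'Public', subnetType: ec2.SubnetType.PUBLIC },
      ],
    });

    // Ingress is limited to the VPC's own CIDR instead of 0.0.0.0/0. The
    // cache sits in private subnets, so an any-IPv4 rule adds no legitimate
    // reachability; it only widens exposure if a subnet is ever made routable.
    const vpcOnly = ec2.Peer.ipv4(vpc.vpcCidrBlock);

    const ecSecurityGroup = new ec2.SecurityGroup(this, 'ElastiCacheSG', {
      vpc,
      description: 'SecurityGroup associated with the ElastiCache Redis Cluster',
    });
    ecSecurityGroup.addIngressRule(vpcOnly, ec2.Port.tcp(6379), 'Redis ingress 6379');

    const rotatorSecurityGroup = new ec2.SecurityGroup(this, 'RotatorSG', {
      vpc,
      description: 'SecurityGroup for rotator function',
    });
    // NOTE(review): a Lambda function attached to a VPC does not accept
    // inbound connections, so this rule is presumably unnecessary; it is kept
    // (scoped to the VPC) in case the rotator constructs attach the group to
    // something else — confirm against ./lib/redisRotator.
    rotatorSecurityGroup.addIngressRule(vpcOnly, ec2.Port.allTraffic(), 'All port inbound');

    // The subnet group only lists private subnets, so the cache nodes never
    // get a public-subnet placement.
    const ecSubnetGroup = new elasticache.CfnSubnetGroup(this, 'ElastiCacheSubnetGroup', {
      description: 'Elasticache Subnet Group',
      subnetIds: vpc.privateSubnets.map((subnet) => subnet.subnetId),
    });

    // Both rotators run inside the VPC with membership in the cache SG and
    // their own SG, and rotate the secret every 15 days.
    const rotationSchedule = cdk.Duration.days(15);

    new RedisSingleAuthRotation(this, 'SingleAuth', {
      replicationGroupId: 'redisSingleAuthDemo',
      elasticacheSubnetGroup: ecSubnetGroup,
      elasticacheSecurityGroupIds: [ecSecurityGroup.securityGroupId],
      rotatorFunctionSecurityGroups: [ecSecurityGroup, rotatorSecurityGroup],
      rotationSchedule,
      rotatorVpc: vpc,
    });

    const redisRbac = new RedisRbacRotation(this, 'RedisRbacRotator', {
      replicationGroupId: 'redisRbacRotatorDemo',
      elasticacheSubnetGroupName: ecSubnetGroup.ref,
      elasticacheSecurityGroupIds: [ecSecurityGroup.securityGroupId],
      rotatorFunctionSecurityGroups: [ecSecurityGroup, rotatorSecurityGroup],
      rotationSchedule,
      rotatorVpc: vpc,
    });

    // The RBAC construct only receives the subnet group's name (a token), so
    // the creation order is pinned explicitly here.
    redisRbac.node.addDependency(ecSubnetGroup);
    redisRbac.node.addDependency(ecSecurityGroup);
    redisRbac.node.addDependency(vpc);
  }
}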
// Entry point: build the app, add the demo stack, and synthesize the templates.
const app = new cdk.App();
const demoStackId = 'RedisSecretRotationDemo';
new RedisAuthRotationDemo(app, demoStackId);
app.synth();