Updated to use local version of Pams project

tenwit · May 12, 2020 · c858813 · c858813
1 parent b04027b
commit c858813
Show file tree

Hide file tree

Showing 10 changed files with 240 additions and 739 deletions.
diff --git a/.env b/.env
@@ -0,0 +1,3 @@
+PROJECT=puulumi_examples
+DESCRIPTION=Demo code
+STACK=stack_transforms
diff --git a/PamsVpc.ts b/PamsVpc.ts
@@ -0,0 +1,115 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as aws from "@pulumi/aws";
+import * as awsx from "@pulumi/awsx";
+import { CidrBlock } from "@pulumi/awsx/ec2";
+
+export interface PamsVpcArgs {
+  cidrBlock: CidrBlock; // The VPC CIDR block. /18 to /23 only.
+  ingressCidrBlocks: Map<string, CidrBlock>; // Named CIDR blocks to allow ingress from.
+  // For example, [ ["93tt", "158.140.232.61/32"], ["ccl", "10.8.0.0/24"] ]
+}
+
+export interface PamsVpcSubnets {
+  bastion: awsx.ec2.Subnet;
+  isolated: awsx.ec2.Subnet;
+}
+
+export class PamsVpc extends pulumi.ComponentResource {
+  // These are rarely needed; consider making these local variables in the constructor.
+  public vpc: awsx.ec2.Vpc;
+  public publicNacl: aws.ec2.DefaultNetworkAcl;
+  public isolatedNacl: Promise<aws.ec2.NetworkAcl>;
+  private readonly cidrBlock: CidrBlock;
+  private readonly ingressCidrBlocks: Map<string, CidrBlock>;
+  private readonly opts: Object;
+
+  private parentOpts(parent: pulumi.Resource): any {
+    return { ...this.opts, parent };
+  }
+
+  /**
+    * One of the two pairs of subnets containing the PAMS instances.
+    */
+  public async blue(): Promise<PamsVpcSubnets> {
+    return {
+      bastion: (await this.vpc.publicSubnets)[0],
+      isolated: (await this.vpc.isolatedSubnets)[0]
+    }
+  }
+
+  /**
+   * One of the two pairs of subnets containing the PAMS instances.
+   */
+  public async green(): Promise<PamsVpcSubnets> {
+    return {
+      bastion: (await this.vpc.publicSubnets)[1],
+      isolated: (await this.vpc.isolatedSubnets)[1]
+    }
+  }
+
+  /**
+   * The public subnets (`blue().bastion` and `green().bastion`) allow
+   * access only from the CIDRs passed in to the class constructor as the
+   * "ingressCidrBlocks" parameter.
+   */
+  private configurePublicNacl(name: string, ingressCidrBlocks: Map<string, CidrBlock>): aws.ec2.DefaultNetworkAcl {
+    var nacl = new aws.ec2.DefaultNetworkAcl(`${name}-public`, {
+      defaultNetworkAclId: this.vpc.vpc.defaultNetworkAclId,
+      subnetIds: this.vpc.publicSubnetIds
+    }, this.parentOpts(this));
+    let ruleNum = 200;
+    ingressCidrBlocks.forEach((cidrBlock, key) =>
+      new aws.ec2.NetworkAclRule(`${name}-${key}`, {
+        ruleNumber: ruleNum++,
+        ruleAction: "allow", protocol: "-1",
+        networkAclId: nacl.id,
+        cidrBlock: cidrBlock
+      }, this.parentOpts(nacl))
+    );
+    return nacl;
+  }
+
+  private async createIsolatedNacl(name: string, ingressCidrBlocks: Map<string, CidrBlock>): Promise<aws.ec2.NetworkAcl> {
+    // The isolated subnets allow access only from the public subnets.
+    var nacl = new aws.ec2.NetworkAcl(`${name}-isolated`, {
+      vpcId: this.vpc.id,
+      subnetIds: this.vpc.isolatedSubnetIds
+    }, this.parentOpts(this));
+
+    new aws.ec2.NetworkAclRule(`${name}-blue`, {
+      ruleNumber: 200,
+      ruleAction: "allow", protocol: "-1",
+      networkAclId: nacl.id,
+      cidrBlock: (await this.blue()).bastion.subnet.cidrBlock
+    }, this.parentOpts(nacl));
+    new aws.ec2.NetworkAclRule(`${name}-green`, {
+      ruleNumber: 201,
+      ruleAction: "allow", protocol: "-1",
+      networkAclId: nacl.id,
+      cidrBlock: (await this.green()).bastion.subnet.cidrBlock
+    }, this.parentOpts(nacl));
+
+    return nacl;
+  }
+
+  constructor(name: string, args: PamsVpcArgs, opts: pulumi.ComponentResourceOptions = {}) {
+    super("pams:vpc:PamsVpc", name, args, opts);
+    this.opts = opts;
+    this.cidrBlock = args.cidrBlock;
+    this.ingressCidrBlocks = args.ingressCidrBlocks;
+
+    this.vpc = new awsx.ec2.Vpc(name, {
+      cidrBlock: args.cidrBlock,
+      numberOfAvailabilityZones: 2,
+      numberOfNatGateways: 0,
+      subnets: [
+        { type: "public", name: "bastion" },
+        { type: "isolated", name: "pams" }
+      ]
+    }, { ...opts, parent: this });
+
+    this.publicNacl = this.configurePublicNacl(name, args.ingressCidrBlocks);
+    this.isolatedNacl = this.createIsolatedNacl(name, args.ingressCidrBlocks);
+    this.registerOutputs();
+  }
+}
diff --git a/Pulumi.stack_transforms.yaml b/Pulumi.stack_transforms.yaml
@@ -1,2 +1,3 @@
 config:
+  aws:profile: gsfa-sandbox
   aws:region: ap-southeast-2
diff --git a/autotag.ts b/autotag.ts
@@ -244,9 +244,8 @@ function isTaggable(t: string): boolean {
  */
 export function registerAutoTags(autoTags: Record<string, string>): void {
   pulumi.runtime.registerStackTransformation((args) => {
-    pulumi.log.info(`Attempting to add tag to ${args.props["tags"]}`);
     if (isTaggable(args.type)) {
-      pulumi.log.info(`Tagging with ${autoTags}`);
+      pulumi.log.info(`Tagging a ${args.type} with ${autoTags}`);
       args.props["tags"] = { ...autoTags, ...args.props["tags"] };
       return { props: args.props, opts: args.opts };
     }

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -0,0 +1,57 @@
+version: "3.7"
+services:
+  login:
+    image: pams/pulumi
+    environment:
+      - PULUMI_ACCESS_TOKEN
+    volumes:
+      - type: bind
+        source: .
+        target: /app
+    command: login
+
+  npm:
+    image: pams/pulumi
+    volumes:
+      - type: bind
+        source: .
+        target: /app
+    entrypoint: npm
+
+  sh:
+    image: pams/pulumi
+    volumes:
+      - type: bind
+        source: .
+        target: /app
+    entrypoint: sh
+
+  pulumi:
+    image: pams/pulumi
+    volumes:
+      - type: bind
+        source: .
+        target: /app
+      - type: bind
+        source: ~/.aws
+        target: /app/.aws
+    working_dir: /app
+
+  new:
+    image: pams/pulumi
+    volumes:
+      - type: bind
+        source: .
+        target: /app
+    command:
+      - new
+      - -c
+      - "aws:region=ap-southeast-2"
+      - aws-typescript
+      - -n
+      - ${PROJECT}
+      - -d
+      - ${DESCRIPTION}
+      - -s
+      - ${STACK}
+      - --force
diff --git a/index.ts b/index.ts
@@ -3,6 +3,7 @@ import * as aws from "@pulumi/aws";
 import * as awsx from "@pulumi/awsx";
 
 import { registerAutoTags } from "./autotag";
+import { PamsVpc } from "./PamsVpc";
 
 // Automatically inject tags.
 registerAutoTags({
@@ -11,16 +12,28 @@ registerAutoTags({
   "Env": "PoC",
 });
 
-const vpc = new awsx.ec2.Vpc("PoC", {
+// const vpc = new awsx.ec2.Vpc("PoC", {
+//   cidrBlock: "192.168.96.0/23",
+//   numberOfAvailabilityZones: 2,
+//   numberOfNatGateways: 0,
+//   subnets: [
+//     { type: "public", name: "bastion" },
+//     { type: "isolated", name: "private" }
+//   ]
+// });
+const vpc = new PamsVpc("VpcPoc", {
   cidrBlock: "192.168.96.0/23",
-  numberOfAvailabilityZones: 2,
-  numberOfNatGateways: 0,
-  subnets: [
-    { type: "public", name: "bastion" },
-    { type: "isolated", name: "private" }
-  ]
-});
+  ingressCidrBlocks: new Map([
+    ["datacom", "10.8.0.0/24"],
+    ["ccl", "120.136.4.242/32"],
+    ["93tt", "158.140.232.61/32"],
+    ["paul-vodafone", "27.252.192.0/19"],
+    ["glen", "101.98.188.0/24"],
+    ["daniel", "203.109.197.0/24"]
+  ])
+}, {})
 
-export const vpc_poc_id = vpc.id;
-export const vpc_poc_PrivateSubnetIds = vpc.privateSubnetIds;
-export const vpc_poc_PublicSubnetIds = vpc.publicSubnetIds;
+export { }
+export const vpc_poc_id = vpc.vpc.id;
+export const vpc_poc_PrivateSubnetIds = vpc.isolatedNacl.then(nacl => nacl.subnetIds);
+export const vpc_poc_PublicSubnetIds = vpc.publicNacl.subnetIds;