VA-411-1-2: Create load balancer for VA application
Create security groups in separate stack as they caused cyclic dependency issues.
Showing
5 changed files
with
237 additions
and
74 deletions.
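--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,39 @@
+import * as cdk from 'aws-cdk-lib'
+import { Environment } from './va-env-stage'
+import { LogGroup, RetentionDays } from 'aws-cdk-lib/aws-logs'
+import { aws_kms, RemovalPolicy } from 'aws-cdk-lib'
+import { Secret } from 'aws-cdk-lib/aws-secretsmanager'
+
+export class PersistentResourcesStack extends cdk.Stack {
+databasePasswordSecret: Secret
+applicationLogGroup: LogGroup
+
+constructor(
+scope: Environment,
+id: string,
+storageEncryptionKey: aws_kms.Key,
+props?: cdk.StackProps
+) {
+super(scope, id, props)
+
+// This password has been manually set using psql-va-[env].sh and CREATE USER 'va_application'
+this.databasePasswordSecret = new Secret(this, 'va-db-user-password', {
+secretName: '/db/password',
+description: 'Valtionavustukset application DB password (username va_application)',
+generateSecretString: {
+passwordLength: 64,
+requireEachIncludedType: true,
+includeSpace: false,
+excludePunctuation: true,
+},
+removalPolicy: RemovalPolicy.RETAIN,
+})
+
+this.applicationLogGroup = new LogGroup(this, 'va-log-group', {
+logGroupName: '/fargate/valtionavustukset-application',
+encryptionKey: storageEncryptionKey,
+retention: RetentionDays.ONE_YEAR,
+removalPolicy: RemovalPolicy.RETAIN,
+})
+}
+}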
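Review bot: The `va-db-user-password` Secret is created without an `encryptionKey`, so it is stored under the AWS-managed Secrets Manager key, while the log group a few lines below is encrypted with the customer-managed `storageEncryptionKey` that this constructor already receives. If the reason for passing that key into this stack is that persistent data should sit under the CMK, add `encryptionKey: storageEncryptionKey,` to the Secret props as well; a CMK is also what any later cross-account read of the secret would need. Both public fields are assigned only in the constructor and could be declared `readonly databasePasswordSecret: Secret` and `readonly applicationLogGroup: LogGroup`. The comment above the Secret says the password was set manually, which reads at odds with `generateSecretString`; one sentence stating whether the generated value is the one applied with `CREATE USER` would help the next maintainer.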
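--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,75 @@
+import * as cdk from 'aws-cdk-lib'
+import { Environment } from './va-env-stage'
+import { Peer, Port, SecurityGroup, IVpc } from 'aws-cdk-lib/aws-ec2'
+import { CONTAINER_PORT } from './va-service-stack'
+
+export interface VaSecurityGroups {
+vaServiceSecurityGroup: SecurityGroup
+dbSecurityGroup: SecurityGroup
+albSecurityGroup: SecurityGroup
+dbAccessSecurityGroup: SecurityGroup
+}
+
+export class SecurityGroupStack extends cdk.Stack {
+securityGroups: VaSecurityGroups = {} as VaSecurityGroups
+
+constructor(scope: Environment, id: string, vpc: IVpc, props?: cdk.StackProps) {
+super(scope, id, props)
+
+/* ---------- DB ---------- */
+this.securityGroups.dbAccessSecurityGroup = new cdk.aws_ec2.SecurityGroup(
+this,
+'AccessVADBSecurityGroup',
+{
+vpc,
+securityGroupName: 'allow-db-access',
+description: 'Security group for accessing VA Postgres',
+allowAllOutbound: true,
+}
+)
+
+this.securityGroups.dbSecurityGroup = new cdk.aws_ec2.SecurityGroup(this, 'DBSecurityGroup', {
+vpc,
+securityGroupName: 'va-database',
+description: 'Security group for VA Postgres',
+allowAllOutbound: true,
+})
+
+this.securityGroups.dbSecurityGroup.addIngressRule(
+this.securityGroups.dbAccessSecurityGroup,
+cdk.aws_ec2.Port.tcp(5432),
+'Allow access from VA DB security group'
+)
+
+/* ---------- VA Service ---------- */
+this.securityGroups.vaServiceSecurityGroup = new SecurityGroup(this, 'va-app-sg', {
+vpc: vpc,
+securityGroupName: 'valtionavustukset-application',
+description: 'Valtionavustukset application security group',
+allowAllOutbound: true,
+})
+
+this.securityGroups.albSecurityGroup = new SecurityGroup(this, 'alb-sg', {
+vpc,
+securityGroupName: 'application-load-balancer',
+description: 'Allow HTTP from public Internet',
+allowAllOutbound: true,
+})
+
+this.securityGroups.albSecurityGroup.addIngressRule(
+Peer.ipv4('62.165.154.10/32'),
+Port.tcp(80),
+'Allow access from Reaktor office'
+)
+this.securityGroups.albSecurityGroup.addEgressRule(
+this.securityGroups.vaServiceSecurityGroup,
+Port.tcp(CONTAINER_PORT),
+'Allow egress to VA service'
+)
+this.securityGroups.vaServiceSecurityGroup.addIngressRule(
+this.securityGroups.albSecurityGroup,
+Port.tcp(CONTAINER_PORT),
+'Allow access from ALB'
+)
+}
+}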
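Review bot: The `addEgressRule` on `albSecurityGroup` just below the `alb-sg` definition has no effect as written, because the group is created with `allowAllOutbound: true` and CDK does not emit explicit egress rules for such a group (it only records a synth-time warning), so the load balancer keeps unrestricted egress while the code reads as if it were limited to `CONTAINER_PORT` on the service group. Set `allowAllOutbound: false,` on `alb-sg` so the explicit rule becomes the only egress. The `alb-sg` description `'Allow HTTP from public Internet'` does not match the single `/32` ingress rule beneath it and should state what the rule actually permits. `securityGroups: VaSecurityGroups = {} as VaSecurityGroups` hides a missing assignment from the compiler; declaring `readonly securityGroups: VaSecurityGroups` and assigning one object literal with all four groups at the end of the constructor lets `strict` mode catch an omitted group. The DB section uses `cdk.aws_ec2.SecurityGroup` and `cdk.aws_ec2.Port` while the same names are imported directly from `'aws-cdk-lib/aws-ec2'` and used for the rest of the file.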