Merge branch 'develop' into s3-vpc-endpoint

Author: copelco

CHANGELOG.rst

@@ -20,7 +20,7 @@ Change Log
 What's new in 2.0.0:
 
 * Re-purpose use_aes256_encryption flag to support encryption across S3, RDS, Elasticache (Redis only), and RDS (thanks @dsummersl)
-* Add support for Customer Managed CMKs with ``CustomerManagedCmkArn`` parameter
+* Add support for Customer Managed CMKs with ``CustomerManagedCmkArn`` parameter (not applied to public buckets)
 * Add configurable ContainerVolumeSize to change root volume size of EC2 instances (thanks @dsummersl)
 * Change generated template output from JSON to YAML (thanks @cchurch)
 * Add required DBParameterGroup by default, which allows configuring database specific parameters. This avoids having to reboot a production database instance to add a DBParameterGroup in the future. (thanks @cchurch)
@@ -34,6 +34,7 @@ What's new in 2.0.0:
 * Add RDS and ElastiCache endpoint outputs.
 * Add CustomAppCertificateArn parameter to allow association with an existing ACM certificate.
 * Add VPC Endpoint for S3.
+* Add DatabaseReplication parameter to add a database replica (** this will fail if DatabaseBackupRetentionDays is 0.**).
 
 
 `1.4.0`_ (2019-08-05)

README.rst

@@ -310,6 +310,8 @@ These environment variables are:
 * ``DATABASE_URL``: The URL to the RDS instance created as part of this stack. If ``(none)`` is
   selected for the ``DatabaseClass`` during stack creation, the value of this variable will be
   an empty string (``''``).
+* ``DATABASE_REPLICA_URL``: The URL to the RDS database replica instance. This is an empty string
+  if there's no replica database.
 * ``CACHE_URL``: The URL to the Redis or Memcached instance created as part of this stack (may be
   used as a cache or session storage, e.g.). If using Redis, note that it supports multiple
   databases and no database ID is included as part of the URL, so you should append a forward slash

stack/assets.py

@@ -64,22 +64,6 @@
 )
 
 common_bucket_conf = dict(
-    BucketEncryption=BucketEncryption(
-        ServerSideEncryptionConfiguration=If(
-            use_aes256_encryption_cond,
-            [
-                ServerSideEncryptionRule(
-                    ServerSideEncryptionByDefault=ServerSideEncryptionByDefault(
-                        SSEAlgorithm=If(use_cmk_arn, 'aws:kms', 'AES256'),
-                        KMSMasterKeyID=If(use_cmk_arn, Ref(cmk_arn), Ref("AWS::NoValue")),
-                    )
-                )
-            ],
-            [
-                ServerSideEncryptionRule()
-            ]
-        )
-    ),
     VersioningConfiguration=VersioningConfiguration(
         Status="Enabled"
     ),
@@ -118,6 +102,21 @@
     Bucket(
         "AssetsBucket",
         AccessControl=Ref(assets_bucket_access_control),
+        BucketEncryption=BucketEncryption(
+            ServerSideEncryptionConfiguration=If(
+                use_aes256_encryption_cond,
+                [
+                    ServerSideEncryptionRule(
+                        ServerSideEncryptionByDefault=ServerSideEncryptionByDefault(
+                            SSEAlgorithm='AES256'
+                        )
+                    )
+                ],
+                [
+                    ServerSideEncryptionRule()
+                ]
+            )
+        ),
         **common_bucket_conf,
     )
 )
@@ -142,6 +141,22 @@
             IgnorePublicAcls=True,
             RestrictPublicBuckets=True,
         ),
+        BucketEncryption=BucketEncryption(
+            ServerSideEncryptionConfiguration=If(
+                use_aes256_encryption_cond,
+                [
+                    ServerSideEncryptionRule(
+                        ServerSideEncryptionByDefault=ServerSideEncryptionByDefault(
+                            SSEAlgorithm=If(use_cmk_arn, 'aws:kms', 'AES256'),
+                            KMSMasterKeyID=If(use_cmk_arn, Ref(cmk_arn), Ref("AWS::NoValue")),
+                        )
+                    )
+                ],
+                [
+                    ServerSideEncryptionRule()
+                ]
+            )
+        ),
         **common_bucket_conf,
     )
 )
@@ -304,7 +319,7 @@
     # Output CloudFront url
     template.add_output(Output(
         "AssetsDistributionDomainName",
-        Description="The assest CDN domain name",
+        Description="The assets CDN domain name",
         Value=GetAtt(distribution, "DomainName"),
         Condition=assets_use_cloudfront_condition,
     ))

stack/bastion.py

@@ -4,6 +4,7 @@
     Condition,
     Equals,
     FindInMap,
+    GetAtt,
     If,
     Join,
     Not,
@@ -43,8 +44,8 @@
     Parameter(
         "BastionAMI",
         Description="(Optional) Bastion or VPN server AMI in the same region as this stack.",
-        Type="AWS::EC2::Image::Id",
-        Default=dont_create_value,
+        Type="String",
+        Default="",
     ),
     group="Bastion Server",
     label="AMI",
@@ -181,7 +182,7 @@
 template.add_condition(bastion_type_is_ssh_set, Equals("SSH", Ref(bastion_type)))
 
 bastion_ami_set = "BastionAMISet"
-template.add_condition(bastion_ami_set, Not(Equals(dont_create_value, Ref(bastion_ami))))
+template.add_condition(bastion_ami_set, Not(Equals("", Ref(bastion_ami))))
 
 bastion_type_and_ami_set = "BastionTypeAndAMISet"
 template.add_condition(bastion_type_and_ami_set, And(Condition(bastion_type_set), Condition(bastion_ami_set)))
@@ -279,6 +280,7 @@
     "BastionEIP",
     template=template,
     Condition=bastion_type_set,
+    Domain="vpc",
 )
 
 bastion_instance = ec2.Instance(
@@ -318,7 +320,7 @@
     "BastionEIPAssociation",
     template=template,
     InstanceId=Ref(bastion_instance),
-    EIP=Ref(bastion_eip),
+    AllocationId=GetAtt(bastion_eip, "AllocationId"),
     Condition=bastion_type_and_ami_set,
 )
 

stack/common.py

@@ -158,7 +158,7 @@
 cmk_arn = template.add_parameter(
     Parameter(
         "CustomerManagedCmkArn",
-        Description="KMS CMK ARN to encrypt stack resources.",
+        Description="KMS CMK ARN to encrypt stack resources (except for public buckets).",
         Type="String",
         Default="",
     ),

stack/database.py

@@ -1,6 +1,8 @@
 from collections import OrderedDict
 
 from troposphere import (
+    And,
+    Condition,
     Equals,
     FindInMap,
     GetAtt,
@@ -97,6 +99,27 @@
 db_condition = "DatabaseCondition"
 template.add_condition(db_condition, Not(Equals(Ref(db_class), dont_create_value)))
 
+db_replication = template.add_parameter(
+    Parameter(
+        "DatabaseReplication",
+        Type="String",
+        AllowedValues=["true", "false"],
+        Default="false",
+        Description="Whether to create a database server replica - "
+        "WARNING this will fail if DatabaseBackupRetentionDays is 0.",
+    ),
+    group="Database",
+    label="Database replication"
+)
+db_replication_condition = "DatabaseReplicationCondition"
+template.add_condition(
+    db_replication_condition,
+    And(
+        Condition(db_condition),
+        Equals(Ref(db_replication), "true")
+    )
+)
+
 db_engine = template.add_parameter(
     Parameter(
         "DatabaseEngine",
@@ -361,6 +384,16 @@
     KmsKeyId=If(use_cmk_arn, Ref(cmk_arn), Ref("AWS::NoValue")),
 )
 
+db_replica = rds.DBInstance(
+    "DatabaseReplica",
+    template=template,
+    Condition=db_replication_condition,
+    SourceDBInstanceIdentifier=Ref(db_instance),
+    DBInstanceClass=Ref(db_class),
+    Engine=Ref(db_engine),
+    VPCSecurityGroups=[Ref(db_security_group)],
+)
+
 db_url = If(
     db_condition,
     Join("", [
@@ -377,6 +410,22 @@
     "",  # defaults to empty string if no DB was created
 )
 
+db_replica_url = If(
+    db_replication_condition,
+    Join("", [
+        Ref(db_engine),
+        "://",
+        Ref(db_user),
+        ":_PASSWORD_@",
+        GetAtt(db_replica, 'Endpoint.Address'),
+        ":",
+        GetAtt(db_replica, 'Endpoint.Port'),
+        "/",
+        Ref(db_name),
+    ]),
+    "",  # defaults to empty string if no DB was created
+)
+
 template.add_output([
     Output(
         "DatabaseURL",
@@ -386,6 +435,15 @@
     ),
 ])
 
+template.add_output([
+    Output(
+        "DatabaseReplicaURL",
+        Description="URL to connect (without the password) to the database replica.",
+        Value=db_replica_url,
+        Condition=db_replication_condition,
+    ),
+])
+
 template.add_output([
     Output(
         "DatabasePort",
@@ -403,3 +461,12 @@
         Condition=db_condition,
     ),
 ])
+
+template.add_output([
+    Output(
+        "DatabaseReplicaAddress",
+        Description="The connection endpoint for the database replica.",
+        Value=GetAtt(db_replica, "Endpoint.Address"),
+        Condition=db_replication_condition
+    ),
+])

stack/environment.py

@@ -18,6 +18,8 @@
     db_instance,
     db_name,
     db_password,
+    db_replica,
+    db_replication_condition,
     db_user
 )
 from .domain import domain_name, domain_name_alternates
@@ -53,6 +55,23 @@
         ]),
         "",  # defaults to empty string if no DB was created
     )),
+    ("DATABASE_REPLICA_URL", If(
+        db_replication_condition,
+        Join("", [
+            Ref(db_engine),
+            "://",
+            Ref(db_user),
+            ":",
+            Ref(db_password),
+            "@",
+            GetAtt(db_replica, 'Endpoint.Address'),
+            ":",
+            GetAtt(db_replica, 'Endpoint.Port'),
+            "/",
+            Ref(db_name),
+        ]),
+        "",  # defaults to empty string if no DB was created
+    )),
     ("CACHE_URL", cache_url),
     ("REDIS_URL", redis_url),
 ]