import { BlockDeviceVolume, EbsDeviceVolumeType, HealthCheck } from "@aws-cdk/aws-autoscaling";
import { Peer, Port } from "@aws-cdk/aws-ec2";
import type { App } from "@aws-cdk/core";
import { Duration } from "@aws-cdk/core";
import { Stage } from "@guardian/cdk/lib/constants";
import { GuAutoScalingGroup, GuUserData } from "@guardian/cdk/lib/constructs/autoscaling";
import { GuDistributionBucketParameter } from "@guardian/cdk/lib/constructs/core";
import type { GuStackProps } from "@guardian/cdk/lib/constructs/core/stack";
import { GuStack } from "@guardian/cdk/lib/constructs/core/stack";
import { GuSecurityGroup, GuVpc } from "@guardian/cdk/lib/constructs/ec2";
import {
GuAllowPolicy,
GuAssumeRolePolicy,
GuDynamoDBReadPolicy,
GuGetS3ObjectPolicy,
GuInstanceRole,
} from "@guardian/cdk/lib/constructs/iam";
import { GuHttpsClassicLoadBalancer } from "@guardian/cdk/lib/constructs/loadbalancing";
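/**
 * CloudFormation stack for Prism: an auto-scaling fleet of application servers
 * behind an HTTPS classic load balancer, with an instance role that lets the
 * app read its config and data and assume crawler roles in other accounts.
 *
 * Security-relevant choices visible in this stack:
 *  - the instance role is read-only (EC2 Describe, DynamoDB read, S3 GetObject)
 *    plus sts:AssumeRole on roles whose name contains "Prism"/"prism" in ANY account;
 *  - the load balancer listener only accepts connections from 10.0.0.0/8;
 *  - the fleet only accepts TCP 9000, and only from the load balancer;
 *  - the app servers have unrestricted egress;
 *  - the root EBS volume is encrypted at rest (added here; it was not set before).
 */
export class PrismStack extends GuStack {
  constructor(scope: App, id: string, props: GuStackProps) {
    super(scope, id, props);

    // Network placement is taken from stack parameters rather than hard-coded IDs.
    const vpc = GuVpc.fromIdParameter(this, "vpc");
    const subnets = GuVpc.subnetsfromParameter(this);

    const role = new GuInstanceRole(this, "InstanceRole", {
      additionalPolicies: [
        // EC2 Describe* calls do not support resource-level permissions, so the
        // resource must be "*". The action list is read-only.
        new GuAllowPolicy(this, "DescribeEC2BonusPolicy", {
          resources: ["*"],
          actions: ["EC2:Describe*"],
        }),
        new GuDynamoDBReadPolicy(this, "ConfigPolicy", { tableName: "config-deploy" }),
        new GuGetS3ObjectPolicy(this, "DataPolicy", {
          overrideId: true,
          bucketName: "prism-data",
        }),
        // Cross-account crawling. The account ID is wildcarded, so this role may
        // call sts:AssumeRole on any role matching these name patterns in any
        // account; the target role's trust policy still has to name this
        // principal, so the reach is bounded by what other accounts trust.
        // NOTE(review): if the set of crawled accounts is known, listing their
        // IDs here instead of "*" would shrink the blast radius — confirm.
        new GuAssumeRolePolicy(this, "CrawlerPolicy", {
          resources: ["arn:aws:iam::*:role/*Prism*", "arn:aws:iam::*:role/*prism*"],
        }),
      ],
    });

    const appServerSecurityGroup = new GuSecurityGroup(this, "AppServerSecurityGroup", {
      description: "application servers",
      vpc,
      // Egress is unrestricted; ingress is only what is granted at the bottom of
      // this constructor (TCP 9000 from the load balancer).
      allowAllOutbound: true,
      overrideId: true,
    });

    // The artifact bucket name is a stack parameter; the .deb is fetched from
    // there and installed on boot.
    const distBucket = this.getParam(GuDistributionBucketParameter.parameterName).valueAsString;
    const userData = new GuUserData(this, {
      distributable: {
        bucketName: distBucket,
        fileName: "prism.deb",
        executionStatement: `dpkg -i /${this.app}/prism.deb`,
      },
    });

    const asg = new GuAutoScalingGroup(this, "AutoscalingGroup", {
      overrideId: true,
      vpc,
      vpcSubnets: { subnets },
      role: role,
      userData: userData.userData,
      stageDependentProps: {
        [Stage.CODE]: {
          minimumInstances: 1,
        },
        [Stage.PROD]: {
          minimumInstances: 2,
        },
      },
      // Instances get 500s after launch before ELB health results are acted on.
      healthCheck: HealthCheck.elb({
        grace: Duration.seconds(500),
      }),
      additionalSecurityGroups: [appServerSecurityGroup],
      blockDevices: [
        {
          deviceName: "/dev/sda1",
          volume: BlockDeviceVolume.ebs(8, {
            volumeType: EbsDeviceVolumeType.GP2,
            // Encrypt the root volume at rest. Without this flag the volume is
            // only encrypted if the account has EBS default encryption enabled.
            encrypted: true,
          }),
        },
      ],
    });

    const loadBalancer = new GuHttpsClassicLoadBalancer(this, "LoadBalancer", {
      vpc,
      crossZone: true,
      subnetSelection: { subnets },
      targets: [asg],
      healthCheck: {
        path: "/management/healthcheck",
        unhealthyThreshold: 10,
        interval: Duration.seconds(5),
        timeout: Duration.seconds(3),
      },
      listener: {
        // Only the 10.0.0.0/8 private range may reach the listener; this stack
        // does not expose the load balancer to the public internet.
        allowConnectionsFrom: [Peer.ipv4("10.0.0.0/8")],
      },
    });

    // Least-privilege ingress for the fleet: only the load balancer, only port 9000.
    appServerSecurityGroup.connections.allowFrom(loadBalancer, Port.tcp(9000), "Port 9000 LB to fleet");
  }
}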