From 0f2cce6abf7f52c14e0c90e390446984512beec3 Mon Sep 17 00:00:00 2001 From: fred-vogt Date: Mon, 6 Jul 2020 15:00:52 -0700 Subject: [PATCH 1/4] deployment/service-templates - NLB support --- .../deployment/service_template_generator.py | 231 +++++++++++++++++- 1 file changed, 230 insertions(+), 1 deletion(-) diff --git a/cloudlift/deployment/service_template_generator.py b/cloudlift/deployment/service_template_generator.py index ac31d725..99d93836 100644 --- a/cloudlift/deployment/service_template_generator.py +++ b/cloudlift/deployment/service_template_generator.py @@ -16,6 +16,7 @@ PortMapping, Service, TaskDefinition) from troposphere.elasticloadbalancingv2 import Action, Certificate, Listener from troposphere.elasticloadbalancingv2 import LoadBalancer as ALBLoadBalancer +from troposphere.elasticloadbalancingv2 import LoadBalancer as NLBLoadBalancer from troposphere.elasticloadbalancingv2 import (Matcher, RedirectConfig, TargetGroup, TargetGroupAttribute) @@ -220,7 +221,70 @@ def _add_service(self, service_name, config): MinimumHealthyPercent=100, MaximumPercent=200 ) - if 'http_interface' in config: + if 'udp_interface' in config: + nlb, lb, service_listener, nlb_sg = self._add_nlb(cd, service_name, config, launch_type) + + if launch_type == self.LAUNCH_TYPE_FARGATE: + # if launch type is ec2, then services inherit the ec2 instance security group + # otherwise, we need to specify a security group for the service + service_security_group = SecurityGroup( + pascalcase("FargateService" + self.env + service_name), + GroupName=pascalcase("FargateService" + self.env + service_name), + SecurityGroupIngress=[{ + 'IpProtocol': 'UDP', + 'SourceSecurityGroupId': Ref(nlb_sg), + 'ToPort': int(config['udp_interface']['container_port']), + 'FromPort': int(config['udp_interface']['container_port']), + }], + VpcId=Ref(self.vpc), + GroupDescription=pascalcase("FargateService" + self.env + service_name) + ) + self.template.add_resource(service_security_group) + + launch_type_svc = { + 'NetworkConfiguration': NetworkConfiguration( + AwsvpcConfiguration=AwsvpcConfiguration( + Subnets=[ + Ref(self.private_subnet1), + Ref(self.private_subnet2) + ], + SecurityGroups=[ + Ref(service_security_group) + ] + ) + ) + } + else: + launch_type_svc = { + 'Role': Ref(self.ecs_service_role), + 'PlacementStrategies': self.PLACEMENT_STRATEGIES + } + svc = Service( + service_name, + LoadBalancers=[lb], + Cluster=self.cluster_name, + TaskDefinition=Ref(td), + DesiredCount=desired_count, + DependsOn=service_listener.title, + LaunchType=launch_type, + **launch_type_svc, + ) + self.template.add_output( + Output( + service_name + 'EcsServiceName', + Description='The ECS name which needs to be entered', + Value=GetAtt(svc, 'Name') + ) + ) + self.template.add_output( + Output( + service_name + "URL", + Description="The URL at which the service is accessible", + Value=Sub("udp://${" + nlb.name + ".DNSName}") + ) + ) + self.template.add_resource(svc) + elif 'http_interface' in config: alb, lb, service_listener, alb_sg = self._add_alb(cd, service_name, config, launch_type) if launch_type == self.LAUNCH_TYPE_FARGATE: @@ -342,6 +406,111 @@ def _gen_log_config(self, service_name): } ) + def _add_nlb(self, cd, service_name, config, launch_type): + sg_name = 'SG' + self.env + service_name + svc_nlb_sg = SecurityGroup( + re.sub(r'\W+', '', sg_name), + GroupName=self.env + '-' + service_name, + SecurityGroupIngress=self._generate_nlb_security_group_ingress( + config + ), + VpcId=Ref(self.vpc), + GroupDescription=Sub(service_name + "-nlb-sg") + ) + self.template.add_resource(svc_nlb_sg) + nlb_name = service_name + pascalcase(self.env) + if config['udp_interface']['internal']: + nlb_subnets = [ + Ref(self.private_subnet1), + Ref(self.private_subnet2) + ] + scheme = "internal" + nlb_name += 'Internal' + nlb_name = nlb_name[:32] + nlb = NLBLoadBalancer( + 'NLB' + service_name, + Subnets=nlb_subnets, + SecurityGroups=[ + self.nlb_security_group, + Ref(svc_nlb_sg) + ], + Name=nlb_name, + Tags=[ + {'Value': nlb_name, 'Key': 'Name'} + ], + Scheme=scheme, + Type="network" + ) + else: + nlb_subnets = [ + Ref(self.public_subnet1), + Ref(self.public_subnet2) + ] + nlb_name = nlb_name[:32] + nlb = NLBLoadBalancer( + 'NLB' + service_name, + Subnets=nlb_subnets, + SecurityGroups=[ + self.nlb_security_group, + Ref(svc_nlb_sg) + ], + Name=nlb_name, + Tags=[ + {'Value': nlb_name, 'Key': 'Name'} + ], + Type="network" + ) + + self.template.add_resource(nlb) + + target_group_name = "TargetGroup" + service_name + if config['udp_interface']['internal']: + target_group_name = target_group_name + 'Internal' + + target_group_config = {} + if launch_type == self.LAUNCH_TYPE_FARGATE: + target_group_config['TargetType'] = 'ip' + + service_target_group = TargetGroup( + target_group_name, + HealthyThresholdCount=2, + HealthCheckIntervalSeconds=30, + TargetGroupAttributes=[ + TargetGroupAttribute( + Key='deregistration_delay.timeout_seconds', + Value='30' + ) + ], + VpcId=Ref(self.vpc), + Protocol="UDP", + Port=int(config['udp_interface']['container_port']), + HealthCheckTimeoutSeconds=10, + UnhealthyThresholdCount=3, + **target_group_config + ) + + self.template.add_resource(service_target_group) + # Note: This is a ECS Loadbalancer definition. Not an NLB. + # Defining this causes the target group to add a target to the correct + # port in correct ECS cluster instance for the service container. + lb = LoadBalancer( + ContainerName=cd.Name, + TargetGroupArn=Ref(service_target_group), + ContainerPort=int(config['udp_interface']['container_port']) + ) + target_group_action = Action( + TargetGroupArn=Ref(target_group_name), + Type="forward" + ) + service_listener = self._add_service_listener( + service_name, + target_group_action, + nlb, + config['udp_interface']['internal'] + ) + self._add_nlb_alarms(service_name, nlb) + return nlb, lb, service_listener, svc_nlb_sg + def _add_alb(self, cd, service_name, config, launch_type): sg_name = 'SG' + self.env + service_name svc_alb_sg = SecurityGroup( @@ -492,6 +661,52 @@ def _add_service_listener(self, service_name, target_group_action, self.template.add_resource(http_redirection_listener) return service_listener + def _add_nlb_alarms(self, service_name, nlb): + unhealthy_alarm = Alarm( + 'ElbUnhealthyHostAlarm' + service_name, + EvaluationPeriods=1, + Dimensions=[ + MetricDimension( + Name='LoadBalancer', + Value=GetAtt(nlb, 'LoadBalancerFullName') + ) + ], + AlarmActions=[Ref(self.notification_sns_arn)], + OKActions=[Ref(self.notification_sns_arn)], + AlarmDescription='Triggers if any host is marked unhealthy', + Namespace='AWS/ApplicationELB', + Period=60, + ComparisonOperator='GreaterThanOrEqualToThreshold', + Statistic='Sum', + Threshold='1', + MetricName='UnHealthyHostCount', + TreatMissingData='notBreaching' + ) + self.template.add_resource(unhealthy_alarm) + rejected_connections_alarm = Alarm( + 'ElbRejectedConnectionsAlarm' + service_name, + EvaluationPeriods=1, + Dimensions=[ + MetricDimension( + Name='LoadBalancer', + Value=GetAtt(nlb, 'LoadBalancerFullName') + ) + ], + AlarmActions=[Ref(self.notification_sns_arn)], + OKActions=[Ref(self.notification_sns_arn)], + AlarmDescription='Triggers if load balancer has \ +rejected connections because the load balancer \ +had reached its maximum number of connections.', + Namespace='AWS/ApplicationELB', + Period=60, + ComparisonOperator='GreaterThanOrEqualToThreshold', + Statistic='Sum', + Threshold='1', + MetricName='RejectedConnectionCount', + TreatMissingData='notBreaching' + ) + self.template.add_resource(rejected_connections_alarm) + def _add_alb_alarms(self, service_name, alb): unhealthy_alarm = Alarm( 'ElbUnhealthyHostAlarm' + service_name, @@ -560,6 +775,20 @@ def _add_alb_alarms(self, service_name, alb): ) self.template.add_resource(http_code_elb5xx_alarm) + def _generate_nlb_security_group_ingress(self, config): + ingress_rules = [] + for access_ip in config['udp_interface']['restrict_access_to']: + if access_ip.find('/') == -1: + access_ip = access_ip + '/32' + port = config['udp_interface']['restrict_access_to']['container_port'] + ingress_rules.append({ + 'ToPort': port, + 'IpProtocol': 'UDP', + 'FromPort': port, + 'CidrIp': access_ip + }) + return ingress_rules + def _generate_alb_security_group_ingress(self, config): ingress_rules = [] for access_ip in config['http_interface']['restrict_access_to']: From 0cdf45ccdff465eb02bb4aa4e139551e36bec7b7 Mon Sep 17 00:00:00 2001 From: Sannithi Balaji Date: Thu, 9 Jul 2020 15:00:35 +0530 Subject: [PATCH 2/4] refactor to remove duplication of code --- .../deployment/service_template_generator.py | 319 +++++------------- 1 file changed, 81 insertions(+), 238 deletions(-) diff --git a/cloudlift/deployment/service_template_generator.py b/cloudlift/deployment/service_template_generator.py index 99d93836..0e40dec7 100644 --- a/cloudlift/deployment/service_template_generator.py +++ b/cloudlift/deployment/service_template_generator.py @@ -15,8 +15,7 @@ NetworkConfiguration, PlacementStrategy, PortMapping, Service, TaskDefinition) from troposphere.elasticloadbalancingv2 import Action, Certificate, Listener -from troposphere.elasticloadbalancingv2 import LoadBalancer as ALBLoadBalancer -from troposphere.elasticloadbalancingv2 import LoadBalancer as NLBLoadBalancer +from troposphere.elasticloadbalancingv2 import LoadBalancer as ELBv2 from troposphere.elasticloadbalancingv2 import (Matcher, RedirectConfig, TargetGroup, TargetGroupAttribute) @@ -406,169 +405,55 @@ def _gen_log_config(self, service_name): } ) - def _add_nlb(self, cd, service_name, config, launch_type): - sg_name = 'SG' + self.env + service_name - svc_nlb_sg = SecurityGroup( - re.sub(r'\W+', '', sg_name), - GroupName=self.env + '-' + service_name, - SecurityGroupIngress=self._generate_nlb_security_group_ingress( - config - ), - VpcId=Ref(self.vpc), - GroupDescription=Sub(service_name + "-nlb-sg") - ) - self.template.add_resource(svc_nlb_sg) - nlb_name = service_name + pascalcase(self.env) - if config['udp_interface']['internal']: - nlb_subnets = [ - Ref(self.private_subnet1), - Ref(self.private_subnet2) - ] - scheme = "internal" - nlb_name += 'Internal' - nlb_name = nlb_name[:32] - nlb = NLBLoadBalancer( - 'NLB' + service_name, - Subnets=nlb_subnets, - SecurityGroups=[ - self.nlb_security_group, - Ref(svc_nlb_sg) - ], - Name=nlb_name, - Tags=[ - {'Value': nlb_name, 'Key': 'Name'} - ], - Scheme=scheme, - Type="network" - ) - else: - nlb_subnets = [ - Ref(self.public_subnet1), - Ref(self.public_subnet2) - ] - nlb_name = nlb_name[:32] - nlb = NLBLoadBalancer( - 'NLB' + service_name, - Subnets=nlb_subnets, - SecurityGroups=[ - self.nlb_security_group, - Ref(svc_nlb_sg) - ], - Name=nlb_name, - Tags=[ - {'Value': nlb_name, 'Key': 'Name'} - ], - Type="network" - ) - - self.template.add_resource(nlb) - - target_group_name = "TargetGroup" + service_name - if config['udp_interface']['internal']: - target_group_name = target_group_name + 'Internal' - - target_group_config = {} - if launch_type == self.LAUNCH_TYPE_FARGATE: - target_group_config['TargetType'] = 'ip' - - service_target_group = TargetGroup( - target_group_name, - HealthyThresholdCount=2, - HealthCheckIntervalSeconds=30, - TargetGroupAttributes=[ - TargetGroupAttribute( - Key='deregistration_delay.timeout_seconds', - Value='30' - ) - ], - VpcId=Ref(self.vpc), - Protocol="UDP", - Port=int(config['udp_interface']['container_port']), - HealthCheckTimeoutSeconds=10, - UnhealthyThresholdCount=3, - **target_group_config - ) - - self.template.add_resource(service_target_group) - # Note: This is a ECS Loadbalancer definition. Not an NLB. - # Defining this causes the target group to add a target to the correct - # port in correct ECS cluster instance for the service container. - lb = LoadBalancer( - ContainerName=cd.Name, - TargetGroupArn=Ref(service_target_group), - ContainerPort=int(config['udp_interface']['container_port']) - ) - target_group_action = Action( - TargetGroupArn=Ref(target_group_name), - Type="forward" - ) - service_listener = self._add_service_listener( - service_name, - target_group_action, - nlb, - config['udp_interface']['internal'] - ) - self._add_nlb_alarms(service_name, nlb) - return nlb, lb, service_listener, svc_nlb_sg def _add_alb(self, cd, service_name, config, launch_type): sg_name = 'SG' + self.env + service_name + protocol = 'http' if 'http_interface' in config else 'udp' + elb_config = config[f'{protocol}_interface'] svc_alb_sg = SecurityGroup( re.sub(r'\W+', '', sg_name), GroupName=self.env + '-' + service_name, SecurityGroupIngress=self._generate_alb_security_group_ingress( - config - ), + elb_config, protocol), VpcId=Ref(self.vpc), GroupDescription=Sub(service_name + "-alb-sg") ) self.template.add_resource(svc_alb_sg) alb_name = service_name + pascalcase(self.env) - if config['http_interface']['internal']: + if elb_config['internal']: alb_subnets = [ Ref(self.private_subnet1), Ref(self.private_subnet2) ] scheme = "internal" alb_name += 'Internal' - alb_name = alb_name[:32] - alb = ALBLoadBalancer( - 'ALB' + service_name, - Subnets=alb_subnets, - SecurityGroups=[ - self.alb_security_group, - Ref(svc_alb_sg) - ], - Name=alb_name, - Tags=[ - {'Value': alb_name, 'Key': 'Name'} - ], - Scheme=scheme - ) else: + scheme = 'internet-facing' alb_subnets = [ Ref(self.public_subnet1), Ref(self.public_subnet2) ] - alb_name = alb_name[:32] - alb = ALBLoadBalancer( - 'ALB' + service_name, - Subnets=alb_subnets, - SecurityGroups=[ - self.alb_security_group, - Ref(svc_alb_sg) - ], - Name=alb_name, - Tags=[ - {'Value': alb_name, 'Key': 'Name'} - ] - ) + alb_name = alb_name[:32] + elb = ELBv2( + 'ALB' + service_name, + Subnets=alb_subnets, + SecurityGroups=[ + self.alb_security_group, + Ref(svc_alb_sg) + ], + Name=alb_name, + Tags=[ + {'Value': alb_name, 'Key': 'Name'} + ], + Scheme=scheme, + Type='application' if 'http_interface' in config else 'network' + ) - self.template.add_resource(alb) + self.template.add_resource(elb) target_group_name = "TargetGroup" + service_name - health_check_path = config['http_interface']['health_check_path'] if 'health_check_path' in config['http_interface'] else "/elb-check" - if config['http_interface']['internal']: + health_check_path = elb_config['health_check_path'] if 'health_check_path' in elb_config else "/elb-check" + if elb_config['internal']: target_group_name = target_group_name + 'Internal' target_group_config = {} @@ -589,7 +474,7 @@ def _add_alb(self, cd, service_name, config, launch_type): VpcId=Ref(self.vpc), Protocol="HTTP", Matcher=Matcher(HttpCode="200-399"), - Port=int(config['http_interface']['container_port']), + Port=int(elb_config['container_port']), HealthCheckTimeoutSeconds=10, UnhealthyThresholdCount=3, **target_group_config @@ -602,7 +487,7 @@ def _add_alb(self, cd, service_name, config, launch_type): lb = LoadBalancer( ContainerName=cd.Name, TargetGroupArn=Ref(service_target_group), - ContainerPort=int(config['http_interface']['container_port']) + ContainerPort=int(elb_config['container_port']) ) target_group_action = Action( TargetGroupArn=Ref(target_group_name), @@ -611,11 +496,11 @@ def _add_alb(self, cd, service_name, config, launch_type): service_listener = self._add_service_listener( service_name, target_group_action, - alb, - config['http_interface']['internal'] + elb, + elb_config['internal'] ) - self._add_alb_alarms(service_name, alb) - return alb, lb, service_listener, svc_alb_sg + self._add_elb_alarms(service_name, elb) + return elb, lb, service_listener, svc_alb_sg def _add_service_listener(self, service_name, target_group_action, alb, internal): @@ -661,60 +546,14 @@ def _add_service_listener(self, service_name, target_group_action, self.template.add_resource(http_redirection_listener) return service_listener - def _add_nlb_alarms(self, service_name, nlb): - unhealthy_alarm = Alarm( - 'ElbUnhealthyHostAlarm' + service_name, - EvaluationPeriods=1, - Dimensions=[ - MetricDimension( - Name='LoadBalancer', - Value=GetAtt(nlb, 'LoadBalancerFullName') - ) - ], - AlarmActions=[Ref(self.notification_sns_arn)], - OKActions=[Ref(self.notification_sns_arn)], - AlarmDescription='Triggers if any host is marked unhealthy', - Namespace='AWS/ApplicationELB', - Period=60, - ComparisonOperator='GreaterThanOrEqualToThreshold', - Statistic='Sum', - Threshold='1', - MetricName='UnHealthyHostCount', - TreatMissingData='notBreaching' - ) - self.template.add_resource(unhealthy_alarm) - rejected_connections_alarm = Alarm( - 'ElbRejectedConnectionsAlarm' + service_name, - EvaluationPeriods=1, - Dimensions=[ - MetricDimension( - Name='LoadBalancer', - Value=GetAtt(nlb, 'LoadBalancerFullName') - ) - ], - AlarmActions=[Ref(self.notification_sns_arn)], - OKActions=[Ref(self.notification_sns_arn)], - AlarmDescription='Triggers if load balancer has \ -rejected connections because the load balancer \ -had reached its maximum number of connections.', - Namespace='AWS/ApplicationELB', - Period=60, - ComparisonOperator='GreaterThanOrEqualToThreshold', - Statistic='Sum', - Threshold='1', - MetricName='RejectedConnectionCount', - TreatMissingData='notBreaching' - ) - self.template.add_resource(rejected_connections_alarm) - - def _add_alb_alarms(self, service_name, alb): + def _add_elb_alarms(self, service_name, elb_v2): unhealthy_alarm = Alarm( 'ElbUnhealthyHostAlarm' + service_name, EvaluationPeriods=1, Dimensions=[ MetricDimension( Name='LoadBalancer', - Value=GetAtt(alb, 'LoadBalancerFullName') + Value=GetAtt(elb_v2, 'LoadBalancerFullName') ) ], AlarmActions=[Ref(self.notification_sns_arn)], @@ -735,7 +574,7 @@ def _add_alb_alarms(self, service_name, alb): Dimensions=[ MetricDimension( Name='LoadBalancer', - Value=GetAtt(alb, 'LoadBalancerFullName') + Value=GetAtt(elb_v2, 'LoadBalancerFullName') ) ], AlarmActions=[Ref(self.notification_sns_arn)], @@ -751,61 +590,65 @@ def _add_alb_alarms(self, service_name, alb): MetricName='RejectedConnectionCount', TreatMissingData='notBreaching' ) - self.template.add_resource(rejected_connections_alarm) - http_code_elb5xx_alarm = Alarm( - 'ElbHTTPCodeELB5xxAlarm' + service_name, - EvaluationPeriods=1, - Dimensions=[ - MetricDimension( - Name='LoadBalancer', - Value=GetAtt(alb, 'LoadBalancerFullName') - ) - ], - AlarmActions=[Ref(self.notification_sns_arn)], - OKActions=[Ref(self.notification_sns_arn)], - AlarmDescription='Triggers if 5xx response originated \ -from load balancer', - Namespace='AWS/ApplicationELB', - Period=60, - ComparisonOperator='GreaterThanOrEqualToThreshold', - Statistic='Sum', - Threshold='3', - MetricName='HTTPCode_ELB_5XX_Count', - TreatMissingData='notBreaching' - ) - self.template.add_resource(http_code_elb5xx_alarm) + if elb_v2.Type == "network": + self.template.add_resource(rejected_connections_alarm) + http_code_elb5xx_alarm = Alarm( + 'ElbHTTPCodeELB5xxAlarm' + service_name, + EvaluationPeriods=1, + Dimensions=[ + MetricDimension( + Name='LoadBalancer', + Value=GetAtt(elb_v2, 'LoadBalancerFullName') + ) + ], + AlarmActions=[Ref(self.notification_sns_arn)], + OKActions=[Ref(self.notification_sns_arn)], + AlarmDescription='Triggers if 5xx response originated \ + from load balancer', + Namespace='AWS/ApplicationELB', + Period=60, + ComparisonOperator='GreaterThanOrEqualToThreshold', + Statistic='Sum', + Threshold='3', + MetricName='HTTPCode_ELB_5XX_Count', + TreatMissingData='notBreaching' + ) + self.template.add_resource(http_code_elb5xx_alarm) def _generate_nlb_security_group_ingress(self, config): ingress_rules = [] for access_ip in config['udp_interface']['restrict_access_to']: if access_ip.find('/') == -1: access_ip = access_ip + '/32' - port = config['udp_interface']['restrict_access_to']['container_port'] - ingress_rules.append({ - 'ToPort': port, - 'IpProtocol': 'UDP', - 'FromPort': port, - 'CidrIp': access_ip - }) + return ingress_rules - def _generate_alb_security_group_ingress(self, config): + def _generate_alb_security_group_ingress(self, config, protocol='http'): ingress_rules = [] - for access_ip in config['http_interface']['restrict_access_to']: + for access_ip in config['restrict_access_to']: if access_ip.find('/') == -1: access_ip = access_ip + '/32' - ingress_rules.append({ - 'ToPort': 80, - 'IpProtocol': 'TCP', - 'FromPort': 80, - 'CidrIp': access_ip - }) - ingress_rules.append({ - 'ToPort': 443, - 'IpProtocol': 'TCP', - 'FromPort': 443, - 'CidrIp': access_ip - }) + if protocol=='http': + ingress_rules.append({ + 'ToPort': 80, + 'IpProtocol': 'TCP', + 'FromPort': 80, + 'CidrIp': access_ip + }) + ingress_rules.append({ + 'ToPort': 443, + 'IpProtocol': 'TCP', + 'FromPort': 443, + 'CidrIp': access_ip + }) + else: + port = config['restrict_access_to']['container_port'] + ingress_rules.append({ + 'ToPort': port, + 'IpProtocol': 'UDP', + 'FromPort': port, + 'CidrIp': access_ip + }) return ingress_rules def _add_ecs_service_iam_role(self): From f3496d79d204d37e46d2c6e1421086ab86810702 Mon Sep 17 00:00:00 2001 From: Sannithi Balaji Date: Fri, 10 Jul 2020 13:43:42 +0530 Subject: [PATCH 3/4] minor fix --- cloudlift/deployment/service_template_generator.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cloudlift/deployment/service_template_generator.py b/cloudlift/deployment/service_template_generator.py index 0e40dec7..5c85989c 100644 --- a/cloudlift/deployment/service_template_generator.py +++ b/cloudlift/deployment/service_template_generator.py @@ -221,7 +221,7 @@ def _add_service(self, service_name, config): MaximumPercent=200 ) if 'udp_interface' in config: - nlb, lb, service_listener, nlb_sg = self._add_nlb(cd, service_name, config, launch_type) + nlb, lb, service_listener, nlb_sg = self._add_alb(cd, service_name, config, launch_type) if launch_type == self.LAUNCH_TYPE_FARGATE: # if launch type is ec2, then services inherit the ec2 instance security group From 8264c0c2bb357a369a537f385e52e57420ad18a1 Mon Sep 17 00:00:00 2001 From: Sannithi Balaji Date: Fri, 10 Jul 2020 19:11:30 +0530 Subject: [PATCH 4/4] fixed bugs --- .../deployment/service_template_generator.py | 58 ++++++++++--------- 1 file changed, 32 insertions(+), 26 deletions(-) diff --git a/cloudlift/deployment/service_template_generator.py b/cloudlift/deployment/service_template_generator.py index 5c85989c..28cdf16d 100644 --- a/cloudlift/deployment/service_template_generator.py +++ b/cloudlift/deployment/service_template_generator.py @@ -169,11 +169,12 @@ def _add_service(self, service_name, config): "Cpu": 0 } - if 'http_interface' in config: + if 'http_interface' in config or 'udp_interface' in config: container_definition_arguments['PortMappings'] = [ PortMapping( ContainerPort=int( - config['http_interface']['container_port'] + config['http_interface']['container_port'] if 'http_interface' in config else + config['udp_interface']['container_port'] ) ) ] @@ -405,7 +406,6 @@ def _gen_log_config(self, service_name): } ) - def _add_alb(self, cd, service_name, config, launch_type): sg_name = 'SG' + self.env + service_name protocol = 'http' if 'http_interface' in config else 'udp' @@ -440,7 +440,7 @@ def _add_alb(self, cd, service_name, config, launch_type): SecurityGroups=[ self.alb_security_group, Ref(svc_alb_sg) - ], + ] if protocol == 'http' else [], Name=alb_name, Tags=[ {'Value': alb_name, 'Key': 'Name'} @@ -459,10 +459,12 @@ def _add_alb(self, cd, service_name, config, launch_type): target_group_config = {} if launch_type == self.LAUNCH_TYPE_FARGATE: target_group_config['TargetType'] = 'ip' + if protocol == 'http': + target_group_config['Matcher'] = Matcher(HttpCode="200-399") + target_group_config['HealthCheckPath'] = health_check_path service_target_group = TargetGroup( target_group_name, - HealthCheckPath=health_check_path, HealthyThresholdCount=2, HealthCheckIntervalSeconds=30, TargetGroupAttributes=[ @@ -472,11 +474,10 @@ def _add_alb(self, cd, service_name, config, launch_type): ) ], VpcId=Ref(self.vpc), - Protocol="HTTP", - Matcher=Matcher(HttpCode="200-399"), + Protocol=protocol.upper(), Port=int(elb_config['container_port']), HealthCheckTimeoutSeconds=10, - UnhealthyThresholdCount=3, + UnhealthyThresholdCount=2, **target_group_config ) @@ -493,12 +494,25 @@ def _add_alb(self, cd, service_name, config, launch_type): TargetGroupArn=Ref(target_group_name), Type="forward" ) - service_listener = self._add_service_listener( - service_name, - target_group_action, - elb, - elb_config['internal'] - ) + + if protocol == 'http': + service_listener = self._add_service_listener( + service_name, + target_group_action, + elb, + elb_config['internal'], + protocol + ) + elif protocol == 'udp': + service_listener = Listener( + "LoadBalancerListener" + service_name, + Protocol="UDP", + DefaultActions=[target_group_action], + LoadBalancerArn=Ref(elb), + Port=int(config['udp_interface']['container_port']), + ) + self.template.add_resource(service_listener) + self._add_elb_alarms(service_name, elb) return elb, lb, service_listener, svc_alb_sg @@ -615,20 +629,12 @@ def _add_elb_alarms(self, service_name, elb_v2): ) self.template.add_resource(http_code_elb5xx_alarm) - def _generate_nlb_security_group_ingress(self, config): - ingress_rules = [] - for access_ip in config['udp_interface']['restrict_access_to']: - if access_ip.find('/') == -1: - access_ip = access_ip + '/32' - - return ingress_rules - def _generate_alb_security_group_ingress(self, config, protocol='http'): ingress_rules = [] for access_ip in config['restrict_access_to']: if access_ip.find('/') == -1: access_ip = access_ip + '/32' - if protocol=='http': + if protocol == 'http': ingress_rules.append({ 'ToPort': 80, 'IpProtocol': 'TCP', @@ -642,11 +648,11 @@ def _generate_alb_security_group_ingress(self, config, protocol='http'): 'CidrIp': access_ip }) else: - port = config['restrict_access_to']['container_port'] + port = config['container_port'] ingress_rules.append({ - 'ToPort': port, + 'ToPort': int(port), 'IpProtocol': 'UDP', - 'FromPort': port, + 'FromPort': int(port), 'CidrIp': access_ip }) return ingress_rules