in iis-smbshare-sqlserver/typescript/lib/constructs/bastion-stack.ts [26:81]
/**
 * Provisions a bastion EC2 instance inside the supplied VPC together with its
 * instance role, its security group and two CloudFormation outputs.
 *
 * @param scope - parent construct. NOTE(review): the role, security group and
 *   instance below are parented to `scope`, not to `this`, so they are not
 *   children of this stack's construct tree — confirm that is intended.
 * @param id - construct id forwarded to the Stack base class.
 * @param props - standard stack properties forwarded to `cdk.Stack`.
 * @param bastionHostProps - target VPC, id/name prefix, SSH key pair name and
 *   optional tags (each a `{ Key, Value }` pair) applied to the instance.
 */
constructor(scope: cdk.Construct, id: string, props: cdk.StackProps, bastionHostProps: BastionHostProps) {
  super(scope, id, props);

  const { vpc, prefix, keyName, tags } = bastionHostProps;
  const roleId = `${prefix}-bastion-instance-role`;
  const securityGroupId = `${prefix}-bastion-instance-sg`;
  const instanceId = `${prefix}-bastion-instance`;

  // The instance role is assumable by EC2 (instance profile) and by the SSM service.
  const trustedServices = new iam.CompositePrincipal(
    new iam.ServicePrincipal('ec2.amazonaws.com'),
    new iam.ServicePrincipal('ssm.amazonaws.com'),
  );
  // AmazonSSMManagedInstanceCore lets the SSM agent register the host so it can
  // be reached through Session Manager without opening inbound SSH.
  // SecretsManagerReadWrite is an AWS-managed policy that grants read AND write on
  // every secret in the account; NOTE(review): a policy scoped to GetSecretValue on
  // the specific secret ARNs would be least-privilege — confirm write is required.
  const attachedPolicies = [
    iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonSSMManagedInstanceCore'),
    iam.ManagedPolicy.fromAwsManagedPolicyName('SecretsManagerReadWrite'),
  ];
  const bastionRole = new iam.Role(scope, roleId, {
    assumedBy: trustedServices,
    managedPolicies: attachedPolicies,
  });

  // Security group for the host. No ingress rule is added here, so inbound access
  // is presumably granted elsewhere or not needed (SSM path) — verify against the
  // callers. Egress is unrestricted, which the instance needs for SSM/Secrets
  // Manager endpoints unless VPC endpoints are in place.
  this.bastionSecurityGroup = new ec2.SecurityGroup(scope, securityGroupId, {
    vpc,
    allowAllOutbound: true,
    securityGroupName: securityGroupId,
  });

  // t2.micro Amazon Linux 2 host in a private subnet with NAT egress; `keyName`
  // attaches an SSH key pair even though SSM access is already enabled.
  const bastionInstanceType = ec2.InstanceType.of(ec2.InstanceClass.T2, ec2.InstanceSize.MICRO);
  const bastionImage = ec2.MachineImage.latestAmazonLinux({
    generation: ec2.AmazonLinuxGeneration.AMAZON_LINUX_2,
  });
  this.bastionHost = new ec2.Instance(scope, instanceId, {
    instanceName: instanceId,
    vpc,
    // `as any` presumably papers over an iam.Role type mismatch between module
    // versions — TODO confirm and drop the cast once the packages agree.
    role: bastionRole as any,
    instanceType: bastionInstanceType,
    machineImage: bastionImage,
    vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_WITH_NAT },
    keyName,
    securityGroup: this.bastionSecurityGroup,
  });

  // Propagate caller-supplied tags onto the instance (no-op when none are given).
  for (const tag of tags ?? []) {
    Tags.of(this.bastionHost).add(tag.Key, tag.Value);
  }

  // Stack outputs so the instance and its security group can be referenced externally.
  new cdk.CfnOutput(scope, 'BastionHostInstanceId', { value: this.bastionHost.instanceId });
  new cdk.CfnOutput(scope, 'BastionSecurityGroupId', { value: this.bastionSecurityGroup.securityGroupId });
}