in source/idea/idea-administrator/src/ideaadministrator/app/cdk/stacks/cluster_stack.py [0:0]
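def build_cluster_settings(self):
    """Publish this module's settings through the ``Custom::ClusterSettings`` resource.

    Collects identifiers of the resources this stack created (VPC and subnet
    ids, security group ids, role and managed-policy ARNs, lambda ARNs,
    hosted-zone ids, load balancer / listener ARNs, secret ARNs, backup ARNs)
    into a flat ``cluster_settings`` dict and hands it to the cluster settings
    lambda via a ``cdk.CustomResource`` on ``self.stack``.

    Only ARNs and ids are published here; certificate and private-key material
    stays in the secrets those ARNs refer to.  Settings are applied in the
    current ``module_id`` scope, so ``module_id`` must not be part of a key.

    Returns:
        None.  Side effect: adds a ``cdk.CustomResource`` to ``self.stack``.
    """
    config = self.context.config()

    cluster_settings = {
        'deployment_id': self.deployment_id,
        'network.vpc_id': self.vpc.vpc_id,
        'network.cluster_prefix_list_id': self.cluster_prefix_list.attr_prefix_list_id,
    }

    # --- network ---------------------------------------------------------
    # Public subnets: explicit config wins; otherwise fall back to the VPC's
    # public subnets, but only when the external ALB is itself public.
    # A fresh list is built instead of appending to the list get_list
    # returned, so a list owned by the config object is never mutated.
    public_subnets = config.get_list('cluster.network.public_subnets', [])
    is_external_alb_public = config.get_bool('cluster.load_balancers.external_alb.public', default=True)
    if Utils.is_empty(public_subnets):
        public_subnets = []
        if is_external_alb_public:
            public_subnets = [subnet.subnet_id for subnet in self.vpc.public_subnets]
    cluster_settings['network.public_subnets'] = public_subnets

    load_balancer_subnets = config.get_list('cluster.network.load_balancer_subnets', [])
    if Utils.is_not_empty(load_balancer_subnets):
        cluster_settings['network.load_balancer_subnets'] = load_balancer_subnets

    # Fix: this was previously gated on load_balancer_subnets (copy/paste),
    # so infrastructure host subnets were silently dropped whenever no load
    # balancer subnets were configured, and an empty list was published when
    # they were.  Gate on the list actually being published.
    infrastructure_host_subnets = config.get_list('cluster.network.infrastructure_host_subnets', [])
    if Utils.is_not_empty(infrastructure_host_subnets):
        cluster_settings['network.infrastructure_host_subnets'] = infrastructure_host_subnets

    private_subnets = config.get_list('cluster.network.private_subnets', [])
    if Utils.is_empty(private_subnets):
        private_subnets = [subnet.subnet_id for subnet in self.vpc.private_subnets]
    cluster_settings['network.private_subnets'] = private_subnets

    # NAT gateway EIPs are only known when this stack created the VPC.
    if not config.get_bool('cluster.network.use_existing_vpc', default=False):
        cluster_settings['network.nat_gateway_ips'] = [f'{eip.ref}' for eip in self.vpc.nat_gateway_ips]

    # Security group ids, keyed by the name they were registered under.
    for name, security_group in self.security_groups.items():
        cluster_settings[f'network.security_groups.{name}'] = security_group.security_group_id

    # --- iam --------------------------------------------------------------
    # Role ARNs, keyed by the name they were registered under.
    for name, role in self.roles.items():
        cluster_settings[f'iam.roles.{name}'] = role.role_arn

    # Managed policy ARNs.
    cluster_settings['iam.policies.amazon_ssm_managed_instance_core_arn'] = self.amazon_ssm_managed_instance_core_policy.managed_policy_arn
    cluster_settings['iam.policies.cloud_watch_agent_server_arn'] = self.cloud_watch_agent_server_policy.managed_policy_arn
    cluster_settings['iam.policies.dcv_host_role_managed_policy_arn'] = self.dcv_host_role_managed_policy.managed_policy_arn
    # Optional: only present when the Prometheus remote-write policy was created.
    if self.amazon_prometheus_remote_write_policy is not None:
        cluster_settings['iam.policies.amazon_prometheus_remote_write_arn'] = self.amazon_prometheus_remote_write_policy.managed_policy_arn

    # --- lambdas ----------------------------------------------------------
    cluster_settings['solution.solution_metrics_lambda_arn'] = self.solution_metrics_lambda.function_arn
    cluster_settings['cluster_settings_lambda_arn'] = self.cluster_settings_lambda.function_arn
    cluster_settings['self_signed_certificate_lambda_arn'] = self.self_signed_certificate_lambda.function_arn

    # --- route53: private hosted zone ------------------------------------
    cluster_settings['route53.private_hosted_zone_id'] = self.private_hosted_zone.hosted_zone_id
    cluster_settings['route53.private_hosted_zone_arn'] = self.private_hosted_zone.hosted_zone_arn

    # --- certificates -----------------------------------------------------
    # External ALB: either the stack-generated certificate (secret ARNs come
    # from the custom resource) or an admin-provided ACM certificate ARN.
    # Only ARNs are published; no key material is placed in settings.
    if not config.get_bool('cluster.load_balancers.external_alb.certificates.provided', required=True):
        cluster_settings['load_balancers.external_alb.certificates.certificate_secret_arn'] = self.external_certificate.get_att_string('certificate_secret_arn')
        cluster_settings['load_balancers.external_alb.certificates.private_key_secret_arn'] = self.external_certificate.get_att_string('private_key_secret_arn')
        cluster_settings['load_balancers.external_alb.certificates.acm_certificate_arn'] = self.external_certificate.get_att_string('acm_certificate_arn')
    else:
        cluster_settings['load_balancers.external_alb.certificates.provided'] = config.get_string('cluster.load_balancers.external_alb.certificates.provided', required=True)
        cluster_settings['load_balancers.external_alb.certificates.acm_certificate_arn'] = config.get_string('cluster.load_balancers.external_alb.certificates.acm_certificate_arn', required=True)

    # Internal ALB certificate is always stack-generated.
    cluster_settings['load_balancers.internal_alb.certificates.certificate_secret_arn'] = self.internal_certificate.get_att_string('certificate_secret_arn')
    cluster_settings['load_balancers.internal_alb.certificates.private_key_secret_arn'] = self.internal_certificate.get_att_string('private_key_secret_arn')
    cluster_settings['load_balancers.internal_alb.certificates.acm_certificate_arn'] = self.internal_certificate.get_att_string('acm_certificate_arn')
    cluster_settings['load_balancers.internal_alb.certificates.custom_dns_name'] = f'internal-alb.{self.private_hosted_zone.zone_name}'

    # --- cluster endpoints / load balancers -------------------------------
    cluster_settings['cluster_endpoints_lambda_arn'] = self.cluster_endpoints_lambda.function_arn
    cluster_settings['load_balancers.external_alb.load_balancer_arn'] = self.external_alb.load_balancer_arn
    cluster_settings['load_balancers.external_alb.load_balancer_dns_name'] = self.external_alb.load_balancer_dns_name
    cluster_settings['load_balancers.external_alb.https_listener_arn'] = self.external_alb_https_listener.attr_listener_arn
    cluster_settings['load_balancers.internal_alb.load_balancer_arn'] = self.internal_alb.load_balancer_arn
    cluster_settings['load_balancers.internal_alb.load_balancer_dns_name'] = self.internal_alb.load_balancer_dns_name
    cluster_settings['load_balancers.internal_alb.https_listener_arn'] = self.internal_alb_https_listener.attr_listener_arn

    # --- ec2 state change notifications ----------------------------------
    cluster_settings['ec2.state_change_notifications_sns_topic_arn'] = self.ec2_events_sns_topic.topic_arn
    cluster_settings['ec2.state_change_notifications_sns_topic_name'] = self.ec2_events_sns_topic.topic_name

    # DCV broker listeners are optional; publish only the ones that exist.
    if self.internal_alb_dcv_broker_client_listener:
        cluster_settings['load_balancers.internal_alb.dcv_broker_client_listener_arn'] = self.internal_alb_dcv_broker_client_listener.attr_listener_arn
    if self.internal_alb_dcv_broker_agent_listener:
        cluster_settings['load_balancers.internal_alb.dcv_broker_agent_listener_arn'] = self.internal_alb_dcv_broker_agent_listener.attr_listener_arn
    if self.internal_alb_dcv_broker_gateway_listener:
        cluster_settings['load_balancers.internal_alb.dcv_broker_gateway_listener_arn'] = self.internal_alb_dcv_broker_gateway_listener.attr_listener_arn

    # --- vpc interface endpoints -----------------------------------------
    # The endpoint_url for an interface endpoint is set only once, at
    # provisioning: an existing value in the config is re-published as-is,
    # so a later change to the endpoint itself does not update the URL.
    # Gateway endpoints need no setting; traffic to them is routed
    # automatically once provisioned.
    if self.vpc_interface_endpoints is not None:
        for service in self.vpc_interface_endpoints:
            endpoint_config_key = f'network.vpc_interface_endpoints.{service}.endpoint_url'
            existing_endpoint_url = config.get_string(f'cluster.{endpoint_config_key}')
            if Utils.is_empty(existing_endpoint_url):
                endpoint = self.vpc_interface_endpoints[service]
                cluster_settings[endpoint_config_key] = endpoint.get_endpoint_url()
            else:
                cluster_settings[endpoint_config_key] = existing_endpoint_url

    # --- backups ----------------------------------------------------------
    if config.get_bool('cluster.backups.enabled', default=False):
        cluster_settings['backups.role_arn'] = self.backup_role.role_arn
        cluster_settings['backups.backup_vault.arn'] = self.backup_vault.backup_vault_arn
        cluster_settings['backups.backup_plan.arn'] = self.backup_plan.get_backup_plan_arn()

    # Hand the collected settings to the cluster settings lambda.  The
    # 'version' property changes on every release, which forces the custom
    # resource to be re-evaluated on upgrade.
    cdk.CustomResource(
        self.stack,
        f'{self.cluster_name}-{self.module_id}-settings',
        service_token=self.cluster_settings_lambda.function_arn,
        properties={
            'cluster_name': self.cluster_name,
            'module_id': self.module_id,
            'version': self.release_version,
            'settings': cluster_settings,
        },
        resource_type='Custom::ClusterSettings',
    )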