163 lines
5.9 KiB
Python
163 lines
5.9 KiB
Python
import os
|
|
from aws_cdk import (
|
|
Stack,
|
|
aws_ec2 as ec2,
|
|
aws_iam as iam,
|
|
aws_cognito as cognito,
|
|
CfnOutput
|
|
)
|
|
from constructs import Construct
|
|
|
|
class IptvUpdaterStack(Stack):
|
|
def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
|
|
super().__init__(scope, construct_id, **kwargs)
|
|
|
|
# Create VPC
|
|
vpc = ec2.Vpc(self, "IptvUpdaterVPC",
|
|
max_azs=1, # Use only one AZ for free tier
|
|
nat_gateways=0, # No NAT Gateway to stay in free tier
|
|
subnet_configuration=[
|
|
ec2.SubnetConfiguration(
|
|
name="public",
|
|
subnet_type=ec2.SubnetType.PUBLIC,
|
|
cidr_mask=24
|
|
)
|
|
]
|
|
)
|
|
|
|
# Security Group
|
|
security_group = ec2.SecurityGroup(
|
|
self, "IptvUpdaterSG",
|
|
vpc=vpc,
|
|
allow_all_outbound=True
|
|
)
|
|
|
|
security_group.add_ingress_rule(
|
|
ec2.Peer.any_ipv4(),
|
|
ec2.Port.tcp(443),
|
|
"Allow HTTPS traffic"
|
|
)
|
|
|
|
security_group.add_ingress_rule(
|
|
ec2.Peer.any_ipv4(),
|
|
ec2.Port.tcp(80),
|
|
"Allow HTTP traffic"
|
|
)
|
|
|
|
security_group.add_ingress_rule(
|
|
ec2.Peer.any_ipv4(),
|
|
ec2.Port.tcp(22),
|
|
"Allow SSH traffic"
|
|
)
|
|
|
|
# Key pair for IPTV Updater instance
|
|
key_pair = ec2.KeyPair(
|
|
self,
|
|
"IptvUpdaterKeyPair",
|
|
key_pair_name="iptv-updater-key",
|
|
public_key_material="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDZcD20mfOQ/al6VMXWWUcUILYIHyIy5gY9RmC6koicaMYTJ078yMUnYw9DONEIfvxZwceTrtdUWv7vOXjknh1bberF78Pi3vwwFKazdgjbyZnkM9r2N40+PqfOFYf03B53VIA8jdae6gaD3VvYdlwV5dqqW3N+JE/+7sXHLeENnqxeS5jNLoRKDIxHgV4MBnewWNdp77ZEHZFrG3Fj/0lnqq2EfDh+5E/Vhkc/mzkuXu2l5Z1szw2rcjJz4IYUjgnClorBVlmWwwiICrHbyVCYivaaVvpVmZoBy7WW1P8KFAiot4G6C0Klyn4sy2AwCQ7u65TyDtbCR89VuuwW0zLgERAfWMdhn/5HdIudcTScXEsUsADTqxb2x0IXVbs3uhxHCUcc7BVg0S7dpAbmpK+80NlDCH38LFcyrYASRD6/Le2skVePIFt0Tw1OnwPH/QqPG0Y9vLZJl8779pg+kpk+o1MaRnczPq9Sk9zr3dR4Sv82CObnjTeY5LCTvs06JBCtcey/vLk7RQYs43uXZgg746aWIcM0lgHPivh2JpUOAd/Kj1v4aEXTRgHyPPLQ4KKwnALcd4s6+ytXwf4gxumRmPf/7P6HYJQvY8pfVda8jEvu08rvSVMXb09Jq4tzS/JTX2flfEdF0qIyTNHnK/lum27fgP0yq6Pq24IWYXha9w== stefano@MSI"
|
|
)
|
|
|
|
# Create IAM role for EC2
|
|
role = iam.Role(
|
|
self, "IptvUpdaterRole",
|
|
assumed_by=iam.ServicePrincipal("ec2.amazonaws.com")
|
|
)
|
|
|
|
# Add SSM managed policy
|
|
role.add_managed_policy(
|
|
iam.ManagedPolicy.from_aws_managed_policy_name(
|
|
"AmazonSSMManagedInstanceCore"
|
|
)
|
|
)
|
|
|
|
# Add Cognito permissions to instance role
|
|
role.add_managed_policy(
|
|
iam.ManagedPolicy.from_aws_managed_policy_name(
|
|
"AmazonCognitoReadOnly"
|
|
)
|
|
)
|
|
|
|
# EC2 Instance
|
|
instance = ec2.Instance(
|
|
self, "IptvUpdaterInstance",
|
|
vpc=vpc,
|
|
instance_type=ec2.InstanceType.of(
|
|
ec2.InstanceClass.T2,
|
|
ec2.InstanceSize.MICRO
|
|
),
|
|
machine_image=ec2.AmazonLinuxImage(
|
|
generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2
|
|
),
|
|
security_group=security_group,
|
|
key_pair=key_pair,
|
|
role=role
|
|
)
|
|
|
|
# Create Elastic IP
|
|
eip = ec2.CfnEIP(
|
|
self, "IptvUpdaterEIP",
|
|
domain="vpc",
|
|
instance_id=instance.instance_id
|
|
)
|
|
|
|
# Add Cognito User Pool
|
|
user_pool = cognito.UserPool(
|
|
self, "IptvUpdaterUserPool",
|
|
user_pool_name="iptv-updater-users",
|
|
self_sign_up_enabled=False, # Only admins can create users
|
|
password_policy=cognito.PasswordPolicy(
|
|
min_length=8,
|
|
require_lowercase=True,
|
|
require_digits=True,
|
|
require_symbols=True,
|
|
require_uppercase=True
|
|
),
|
|
account_recovery=cognito.AccountRecovery.EMAIL_ONLY
|
|
)
|
|
|
|
# Add App Client with the correct callback URL
|
|
client = user_pool.add_client("IptvUpdaterClient",
|
|
o_auth=cognito.OAuthSettings(
|
|
flows=cognito.OAuthFlows(
|
|
authorization_code_grant=True
|
|
),
|
|
scopes=[cognito.OAuthScope.OPENID],
|
|
callback_urls=[
|
|
"http://localhost:8000/auth/callback", # For local testing
|
|
"https://*.amazonaws.com/auth/callback" # Will match EC2 public DNS
|
|
]
|
|
)
|
|
)
|
|
|
|
# Add domain for hosted UI
|
|
domain = user_pool.add_domain("IptvUpdaterDomain",
|
|
cognito_domain=cognito.CognitoDomainOptions(
|
|
domain_prefix="iptv-updater"
|
|
)
|
|
)
|
|
|
|
# Read the userdata script with proper path resolution
|
|
script_dir = os.path.dirname(os.path.abspath(__file__))
|
|
userdata_path = os.path.join(script_dir, "userdata.sh")
|
|
userdata_file = open(userdata_path, "rb").read()
|
|
|
|
# Creates a userdata object for Linux hosts
|
|
userdata = ec2.UserData.for_linux()
|
|
# Adds one or more commands to the userdata object.
|
|
userdata.add_commands(
|
|
f'echo "COGNITO_USER_POOL_ID={user_pool.user_pool_id}" >> /etc/environment',
|
|
f'echo "COGNITO_CLIENT_ID={client.user_pool_client_id}" >> /etc/environment'
|
|
)
|
|
userdata.add_commands(str(userdata_file, 'utf-8'))
|
|
|
|
# Update instance with userdata
|
|
instance.add_user_data(userdata.render())
|
|
|
|
# Outputs
|
|
CfnOutput(self, "InstancePublicIP", value=eip.attr_public_ip)
|
|
CfnOutput(self, "UserPoolId", value=user_pool.user_pool_id)
|
|
CfnOutput(self, "UserPoolClientId", value=client.user_pool_client_id)
|
|
CfnOutput(self, "CognitoDomainUrl",
|
|
value=f"https://{domain.domain_name}.auth.{self.region}.amazoncognito.com"
|
|
) |