Add VPCEndpoints and DualStack on created VPC (opensearch-project#1150)

* Add VPCEndpoints and DualStack on created VPC https://opensearch.atlassian.net/browse/MIGRATIONS-2145 Signed-off-by: Peter Nied <[email protected]> * Update security groups to allow IPv6 traffic Signed-off-by: Peter Nied <[email protected]> * Remove all IPv6 related changes Signed-off-by: Peter Nied <[email protected]> * Hardcode AMIs for use in the bootstrap machine With the current latest AL2023 image al2023-ami-2023.6.20241111.0-kernel-6.1-x86_64 npm install hangs indefinately. We are switching back to an older version that works and providing a way to incrementially update to AMIs that we have tested. Signed-off-by: Peter Nied <[email protected]> * Add govcloud images Signed-off-by: Peter Nied <[email protected]> * Revert "Remove all IPv6 related changes" This reverts commit c9f9cbb. Signed-off-by: Peter Nied <[email protected]> * Update to 2023.6.20241031 source Signed-off-by: Peter Nied <[email protected]> --------- Signed-off-by: Peter Nied <[email protected]>
lewijacn · Nov 20, 2024 · 41e0b5d · 41e0b5d
1 parent 51b2014
commit 41e0b5d
Show file tree

Hide file tree

Showing 6 changed files with 202 additions and 123 deletions.
diff --git a/deployment/cdk/opensearch-service-migration/lib/migration-assistance-stack.ts b/deployment/cdk/opensearch-service-migration/lib/migration-assistance-stack.ts
@@ -165,7 +165,8 @@ export class MigrationAssistanceStack extends Stack {
 
         const streamingSecurityGroup = new SecurityGroup(this, 'trafficStreamSourceSG', {
             vpc: props.vpc,
-            allowAllOutbound: false
+            allowAllOutbound: false,
+            allowAllIpv6Outbound: false,
         });
         streamingSecurityGroup.addIngressRule(streamingSecurityGroup, Port.allTraffic())
         createMigrationStringParameter(this, streamingSecurityGroup.securityGroupId, {
@@ -180,6 +181,7 @@ export class MigrationAssistanceStack extends Stack {
         const sharedLogsSG = new SecurityGroup(this, 'sharedLogsSG', {
             vpc: props.vpc,
             allowAllOutbound: false,
+            allowAllIpv6Outbound: false,
         });
         sharedLogsSG.addIngressRule(sharedLogsSG, Port.allTraffic());
 
@@ -205,6 +207,7 @@ export class MigrationAssistanceStack extends Stack {
             vpc: props.vpc,
             // Required for retrieving ECR image at service startup
             allowAllOutbound: true,
+            allowAllIpv6Outbound: true,
         })
         serviceSecurityGroup.addIngressRule(serviceSecurityGroup, Port.allTraffic());
 

diff --git a/deployment/cdk/opensearch-service-migration/lib/network-stack.ts b/deployment/cdk/opensearch-service-migration/lib/network-stack.ts
@@ -252,6 +252,7 @@ export class NetworkStack extends Stack {
             const defaultSecurityGroup = new SecurityGroup(this, 'osClusterAccessSG', {
                 vpc: this.vpc,
                 allowAllOutbound: false,
+                allowAllIpv6Outbound: false,
             });
             defaultSecurityGroup.addIngressRule(defaultSecurityGroup, Port.allTraffic());
 

diff --git a/deployment/migration-assistant-solution/lib/solutions-stack.ts b/deployment/migration-assistant-solution/lib/solutions-stack.ts
@@ -11,6 +11,9 @@ import {Construct} from 'constructs';
 import {
     BlockDeviceVolume,
     CloudFormationInit,
+    GatewayVpcEndpoint,
+    GatewayVpcEndpointAwsService,
+    IVpc,
     GenericLinuxImage,
     InitCommand,
     InitElement,
@@ -19,11 +22,15 @@ import {
     InstanceClass,
     InstanceSize,
     InstanceType,
+    InterfaceVpcEndpoint,
+    InterfaceVpcEndpointAwsService,
+    IpProtocol,
+    SecurityGroup,
     Vpc
 } from "aws-cdk-lib/aws-ec2";
-import {InstanceProfile, ManagedPolicy, Role, ServicePrincipal} from "aws-cdk-lib/aws-iam";
 import {CfnDocument} from "aws-cdk-lib/aws-ssm";
 import {Application, AttributeGroup} from "@aws-cdk/aws-servicecatalogappregistry-alpha";
+import { InstanceProfile, ManagedPolicy, Role, ServicePrincipal } from 'aws-cdk-lib/aws-iam';
 
 export interface SolutionsInfrastructureStackProps extends StackProps {
     readonly solutionId: string;
@@ -79,7 +86,7 @@ function addParameterLabel(labels: Record<string, ParameterLabel>, parameter: Cf
     labels[parameter.logicalId] = {"default": labelName}
 }
 
-function importVPC(stack: Stack, vpdIdParameter: CfnParameter, availabilityZonesParameter: CfnParameter, privateSubnetIdsParameter: CfnParameter) {
+function importVPC(stack: Stack, vpdIdParameter: CfnParameter, availabilityZonesParameter: CfnParameter, privateSubnetIdsParameter: CfnParameter): IVpc {
     const availabilityZones = availabilityZonesParameter.valueAsList
     const privateSubnetIds = privateSubnetIdsParameter.valueAsList
     return Vpc.fromVpcAttributes(stack, 'ImportedVPC', {
@@ -95,6 +102,14 @@ function generateExportString(exports:  Record<string, string>): string {
         .join("; ");
 }
 
+function getVpcEndpointForEFS(stack: Stack): InterfaceVpcEndpointAwsService {
+    const isGovRegion = stack.region?.startsWith('us-gov-')
+    if (isGovRegion) {
+        return InterfaceVpcEndpointAwsService.ELASTIC_FILESYSTEM_FIPS;
+    }
+    return InterfaceVpcEndpointAwsService.ELASTIC_FILESYSTEM;
+}
+
 export class SolutionsInfrastructureStack extends Stack {
 
     constructor(scope: Construct, id: string, props: SolutionsInfrastructureStackProps) {
@@ -162,9 +177,33 @@ export class SolutionsInfrastructureStack extends Stack {
             role: bootstrapRole
         })
 
-        let vpc;
+        let vpc: IVpc;
         if (props.createVPC) {
-            vpc = new Vpc(this, 'Vpc', {});
+            vpc = new Vpc(this, 'Vpc', {
+                ipProtocol: IpProtocol.DUAL_STACK
+            });
+            // S3 used for storage and retrieval of snapshot data for backfills
+            new GatewayVpcEndpoint(this, 'S3VpcEndpoint', {
+                service: GatewayVpcEndpointAwsService.S3,
+                vpc: vpc,
+            });
+
+            const serviceEndpoints = [
+                // Logs and disk usage scales based on total data transfer 
+                InterfaceVpcEndpointAwsService.CLOUDWATCH_LOGS,
+                getVpcEndpointForEFS(this),
+
+                // Elastic container registry is used for all images in the solution
+                InterfaceVpcEndpointAwsService.ECR,
+                InterfaceVpcEndpointAwsService.ECR_DOCKER,
+            ];
+
+            serviceEndpoints.forEach(service => {
+                new InterfaceVpcEndpoint(this, `${service.shortName}VpcEndpoint`, {
+                    service,
+                    vpc: vpc,
+                });
+            })
         }
         else {
             const vpcIdParameter = new CfnParameter(this, 'VPCId', {
@@ -226,6 +265,11 @@ export class SolutionsInfrastructureStack extends Stack {
         amiMap['us-gov-west-1'] = 'ami-0e46a6a8d36d6f1f2';
         amiMap['us-gov-east-1'] = 'ami-0016d10ace091da71';
 
+        const securityGroup = new SecurityGroup(this, 'BootstrapSecurityGroup', {
+            vpc: vpc,
+            allowAllOutbound: true,
+            allowAllIpv6Outbound: true,
+        });
         new Instance(this, 'BootstrapEC2Instance', {
             vpc: vpc,
             vpcSubnets: {
@@ -245,6 +289,7 @@ export class SolutionsInfrastructureStack extends Stack {
             initOptions: {
                 printLog: true,
             },
+            securityGroup
         });
 
         const parameterGroups = [];