1 | import { IPrincipal, IRole } from '@aws-cdk/aws-iam';
2 | import { Resource, Stack } from '@aws-cdk/core';
3 | import { Construct } from 'constructs';
4 | import { InstanceType } from '.';
5 | import { CloudFormationInit } from './cfn-init';
6 | import { Connections } from './connections';
7 | import { ApplyCloudFormationInitOptions, IInstance, Instance } from './instance';
8 | import { IMachineImage } from './machine-image';
9 | import { IPeer } from './peer';
10 | import { ISecurityGroup } from './security-group';
11 | import { BlockDevice } from './volume';
12 | import { IVpc, SubnetSelection } from './vpc';
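/**
 * Properties of the bastion host
 */
export interface BastionHostLinuxProps {
  /**
   * In which AZ to place the instance within the VPC
   *
   * @default - Random zone.
   */
  readonly availabilityZone?: string;
  /**
   * VPC to launch the instance in.
   */
  readonly vpc: IVpc;
  /**
   * The name of the instance
   *
   * @default 'BastionHost'
   */
  readonly instanceName?: string;
  /**
   * Select the subnets to run the bastion host in.
   *
   * Set this to PUBLIC if you need to connect to this instance via the internet and cannot use SSM.
   * Placing the host in a public subnet does not by itself open any inbound port: the security
   * group created by default allows no inbound traffic, so SSH (port 22) has to be allowed
   * explicitly, either through `allowSshAccessFrom()` or through the `connections` field.
   *
   * @default - private subnets of the supplied VPC
   */
  readonly subnetSelection?: SubnetSelection;
  /**
   * Security Group to assign to this instance
   *
   * @default - create new security group with no inbound and all outbound traffic allowed
   */
  readonly securityGroup?: ISecurityGroup;
  /**
   * Type of instance to launch
   *
   * @default 't3.nano'
   */
  readonly instanceType?: InstanceType;
  /**
   * The machine image to use, assumed to have SSM Agent preinstalled.
   *
   * If you supply your own image, connecting through SSM Session Manager only works when
   * that image ships (or installs at boot) a working SSM Agent.
   *
   * @default - An Amazon Linux 2 image which is kept up-to-date automatically (the instance
   * may be replaced on every deployment) and already has SSM Agent installed.
   */
  readonly machineImage?: IMachineImage;
  /**
   * Specifies how block devices are exposed to the instance. You can specify virtual devices and EBS volumes.
   *
   * Each instance that is launched has an associated root device volume,
   * either an Amazon EBS volume or an instance store volume.
   * You can use block device mappings to specify additional EBS volumes or
   * instance store volumes to attach to an instance when it is launched.
   *
   * @see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/block-device-mapping-concepts.html
   *
   * @default - Uses the block device mapping of the AMI
   */
  readonly blockDevices?: BlockDevice[];
  /**
   * Apply the given CloudFormation Init configuration to the instance at startup
   *
   * @default - no CloudFormation init
   */
  readonly init?: CloudFormationInit;
  /**
   * Use the given options for applying CloudFormation Init
   *
   * Describes the configsets to use and the timeout to wait
   *
   * @default - default options
   */
  readonly initOptions?: ApplyCloudFormationInitOptions;
  /**
   * Whether IMDSv2 should be required on this instance
   *
   * When left at `false` the instance metadata service also answers IMDSv1 requests.
   * Requiring IMDSv2 means the metadata endpoint (which serves the temporary credentials
   * of the instance's IAM role) only responds to requests that carry a session token,
   * which is the recommended hardening for a host that accepts inbound connections.
   *
   * @default false
   */
  readonly requireImdsv2?: boolean;
}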
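/**
 * This creates a linux bastion host you can use to connect to other instances or services in your VPC.
 * The recommended way to connect to the bastion host is by using AWS Systems Manager Session Manager.
 *
 * The operating system is Amazon Linux 2 with the latest SSM agent installed
 *
 * You can also configure this bastion host to allow connections via SSH
 * (see `allowSshAccessFrom()`); until you do, no inbound traffic is allowed.
 *
 * @resource AWS::EC2::Instance
 */
export declare class BastionHostLinux extends Resource implements IInstance {
  /**
   * The stack in which this bastion host is defined.
   */
  readonly stack: Stack;
  /**
   * Allows specify security group connections for the instance.
   */
  readonly connections: Connections;
  /**
   * The IAM role assumed by the instance.
   *
   * Grant this role only the permissions the bastion actually needs: its temporary
   * credentials are reachable from inside the instance through the metadata service.
   */
  readonly role: IRole;
  /**
   * The principal to grant permissions to
   */
  readonly grantPrincipal: IPrincipal;
  /**
   * The underlying instance resource
   */
  readonly instance: Instance;
  /**
   * The ID of the underlying EC2 instance
   *
   * @attribute
   */
  readonly instanceId: string;
  /**
   * The availability zone the instance was launched in
   *
   * @attribute
   */
  readonly instanceAvailabilityZone: string;
  /**
   * The private DNS name of the instance
   *
   * @attribute
   */
  readonly instancePrivateDnsName: string;
  /**
   * The private IP address of the instance
   *
   * @attribute
   */
  readonly instancePrivateIp: string;
  /**
   * The public DNS name of the instance (only meaningful when it has a public address)
   *
   * @attribute
   */
  readonly instancePublicDnsName: string;
  /**
   * The public IP address of the instance (only meaningful when it has a public address)
   *
   * @attribute
   */
  readonly instancePublicIp: string;
  /**
   * @param scope the scope in which to define this construct
   * @param id the scoped construct ID
   * @param props properties of the bastion host
   */
  constructor(scope: Construct, id: string, props: BastionHostLinuxProps);
  /**
   * Returns the AmazonLinuxCpuType corresponding to the given instance architecture
   * @param architecture the instance architecture value to convert
   */
  private toAmazonLinuxCpuType;
  /**
   * Allow SSH access from the given peer or peers
   *
   * Necessary if you want to connect to the instance using ssh. If not
   * called, you should use SSM Session Manager to connect to the instance.
   *
   * Keep the set of peers as narrow as possible (specific CIDR ranges or
   * security groups) rather than opening SSH to every address.
   *
   * @param peer the peers (CIDR ranges, security groups, ...) allowed to reach SSH on this host
   */
  allowSshAccessFrom(...peer: IPeer[]): void;
}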
|