`I created the CDK script below, but whenever I run it the pipeline reports:
Here is your formatted text with all code indented by 4 spaces:
`
Evaluating: eq('', 'true')
Expanded: eq('', 'true')
Result: False
from aws_cdk import ( Stack,
Duration,
RemovalPolicy,
aws_ec2 as ec2,
aws_iam as iam,
aws_kms as kms,
aws_s3 as s3,
aws_ssm as ssm,
aws_logs as logs,
aws_s3_deployment as s3_deploy,
aws_cloudformation as cfn )
import aws_cdk.aws_imagebuilder as imagebuilder
from constructs import Construct
from cdk_nag import NagSuppressions
import settings
import json
import yaml
import os
class AmiStack(Stack):
def init(self, scope: Construct, construct_id: str, **kwargs) -> None:
super().init(scope, construct_id, **kwargs)
stack_name=construct_id
# This boundary policy is required to be added to all stacks.
policy = iam.ManagedPolicy.from_managed_policy_name(self, “DeveloperBoundaryPolicy”, “DeveloperBoundaryPolicy”)
iam.PermissionsBoundary.of(self).apply(policy)
# Use the VPC created by Landing Zone.
# The VPC name is hardcoded since there is only VPC in the Common Services AWS account
self.vpc = ec2.Vpc.from_lookup(self, settings.vpc_name, vpc_name=settings.vpc_name)
# Add rules to permit ingress traffic from monitoring servers
# TODO: Find a way to avoid hard-coding the PRTG server IP address in the rule
self.ec2_security_group = ec2.SecurityGroup(self, f”{stack_name}-sg”,
vpc=self.vpc, allow_all_outbound=True, description=”Build Agent Security Group”)
self.s3key = kms.Key.from_lookup(self, f”{stack_name}-S3KeyLookup”, alias_name=”alias/aws/s3″)
# Create an S3 Bucket for Ansible Playbook storage.
self.ansible_bucket = s3.Bucket(self, f”{stack_name}-s3amibucket-test”,
access_control=s3.BucketAccessControl.BUCKET_OWNER_FULL_CONTROL,
encryption=s3.BucketEncryption.KMS,
encryption_key=self.s3key,
block_public_access=s3.BlockPublicAccess.BLOCK_ALL,
removal_policy=RemovalPolicy.DESTROY,
auto_delete_objects=True)
# Be careful with this – it will force data deletion when paired with removal policy
# Suppress S3 bucket versioning warning. This does not apply to our stack.
NagSuppressions.add_resource_suppressions(self.ansible_bucket,
[{“id”: “Nucleus Nagpack-S3BucketVersioningEnabled”, “reason”:
“S3 bucket is a temporary datastore for ansible content. No versioning needed.”}])
# Create a bucket policy to enforce the use of HTTPS.
bucket_policy_statement = iam.PolicyStatement(
actions=[“s3:“],
effect=iam.Effect.DENY,
resources=[self.ansible_bucket.bucket_arn,
self.ansible_bucket.arn_for_objects(““)],
principals=[iam.AnyPrincipal()],
conditions={“Bool”: {“aws:SecureTransport”: “false”}})
self.ansible_bucket.add_to_resource_policy(bucket_policy_statement)
source_files = [s3_deploy.Source.asset(“./ec2_instance_setup/ansible”),
s3_deploy.Source.asset(“./ec2_instance_setup/system_config”)]
s3_deploy.BucketDeployment(self, f”{stack_name}-deploy-ansible-playbooks”,
sources=source_files,
destination_bucket=self.ansible_bucket,
destination_key_prefix=”ansible/playbooks”,
log_retention=logs.RetentionDays.ONE_WEEK,
server_side_encryption=s3_deploy.ServerSideEncryption.AES_256)
ssm.StringParameter(self, f”{stack_name}-BucketNameParameter”,
parameter_name=f”/ado/{stack_name}/ami/s3bucketarn”,
string_value=self.ansible_bucket.bucket_name)
# Adding Policy
image_builder_role = iam.Role(
self, f”{stack_name}-ImageBuilderRole”,
assumed_by=iam.CompositePrincipal(
iam.ServicePrincipal(“ec2.amazonaws.com”),
iam.ServicePrincipal(“imagebuilder.amazonaws.com”)))
image_builder_role.add_managed_policy(
iam.ManagedPolicy.from_aws_managed_policy_name(“AmazonEC2ContainerRegistryFullAccess”))
image_builder_role.add_managed_policy(
iam.ManagedPolicy.from_aws_managed_policy_name(“AmazonSSMManagedInstanceCore”))
image_builder_role.add_managed_policy(
iam.ManagedPolicy.from_aws_managed_policy_name(“AmazonS3FullAccess”))
image_builder_role.add_managed_policy(
iam.ManagedPolicy.from_aws_managed_policy_name(“AWSImageBuilderFullAccess”))
image_builder_role.add_managed_policy(
iam.ManagedPolicy.from_aws_managed_policy_name(“EC2InstanceProfileForImageBuilder”))
image_builder_role.add_managed_policy(
iam.ManagedPolicy.from_aws_managed_policy_name(“EC2InstanceProfileForImageBuilderECRContainerBuilds”))
image_builder_role.add_managed_policy(
iam.ManagedPolicy.from_aws_managed_policy_name(“AmazonSSMFullAccess”))
image_builder_role.add_to_policy(iam.PolicyStatement(
actions=[“imagebuilder:GetComponent”,
“imagebuilder:StartImagePipelineExecution”,
“imagebuilder:GetImage”],
resources=[““],
effect=iam.Effect.ALLOW))
image_builder_role.add_to_policy(iam.PolicyStatement(
actions=[“s3:GetObject”],
resources=[““],
effect=iam.Effect.ALLOW))
image_builder_role.add_to_policy(iam.PolicyStatement(
actions=[“ec2:CreateLaunchTemplateVersion”,
“ec2:DescribeImages”],
resources=[“*”],
effect=iam.Effect.ALLOW))
# Create instance profile and attach role
instance_profile = iam.CfnInstanceProfile(
self, f”{stack_name}-ImageBuilderInstanceProfile”,
roles=[image_builder_role.role_name])
latest_amazon_linux_image = ec2.MachineImage.latest_amazon_linux2023()
base_image_ami_id = latest_amazon_linux_image.get_image(self).image_id
print(f”THIS IS BASE AMI ————– {base_image_ami_id}”)
launch_template = ec2.CfnLaunchTemplate(
self, f”{stack_name}-AmiLaunchTemplate”,
launch_template_name=”BuildAgent-AmiCustomTemplate”,
launch_template_data=ec2.CfnLaunchTemplate.LaunchTemplateDataProperty(
image_id=base_image_ami_id,
instance_type=”t3.large”,
security_group_ids=[self.ec2_security_group.security_group_id],
iam_instance_profile=ec2.CfnLaunchTemplate.IamInstanceProfileProperty(
arn=instance_profile.attr_arn),
block_device_mappings=[
ec2.CfnLaunchTemplate.BlockDeviceMappingProperty(
device_name=”/dev/xvda”,
ebs=ec2.CfnLaunchTemplate.EbsProperty(
volume_size=50,
delete_on_termination=True))]))
print(f”Curren DIR ——————- : {os.getcwd()}”)
# Creating image builder component
with open(“ec2_instance_setup/ansible/ami_component.yaml”, “r”) as file:
yaml_content = file.read()
my_component = imagebuilder.CfnComponent(
self, f”{stack_name}-AmiComponent”,
name = “AmiComponent”,
version = “1.0.0”,
platform=”Linux”,
supported_os_versions=[“Amazon Linux 2023”],
data=yaml_content)
# Creating image recipe
image_recipe = imagebuilder.CfnImageRecipe(
self, “ImageRecipe”,
name=”my-image-recipe”,
version=”1.0.0″,
components=[
imagebuilder.CfnImageRecipe.ComponentConfigurationProperty(
component_arn=my_component.attr_arn)],
parent_image = base_image_ami_id,
working_directory=”/tmp”,
block_device_mappings=[
{
“deviceName”: “/dev/xvda”,
“ebs”: {
“volumeSize”: 16,
“volumeType”: “gp2”,
“deleteOnTermination”: True}}])
vpc = ec2.Vpc.from_lookup(self,”VPC”,
vpc_name=settings.vpc_name)
selected_subnet = vpc.select_subnets(subnet_type=ec2.SubnetType.PRIVATE_ISOLATED).subnets[0]
called_subnet_id = selected_subnet.subnet_id
instance_profile_name = instance_profile.ref
# Infrastructure for pipeline
infrastructure_configuration = imagebuilder.CfnInfrastructureConfiguration(self, f”{stack_name}-InfrastructureConfiguration”,
instance_profile_name=instance_profile_name,
name=f”{stack_name}-InfrastructureConfig”,
description=”Infrastructure configuration for test AMI image”,
instance_types=[“t3.medium”],
security_group_ids=[self.ec2_security_group.security_group_id ‘
I have tried adding the variable names through the Azure DevOps UI with no luck, and I also tried creating the variable on the main pipeline page. The `Expanded: eq('', 'true')` line suggests the variable referenced in the condition is expanding to an empty string at the point the condition is evaluated.`