Skip to content

Commit

Permalink
updated autonomous deployment
Browse files Browse the repository at this point in the history
  • Loading branch information
Thierry Delran committed Feb 16, 2024
1 parent 32f2c81 commit c01bdc2
Show file tree
Hide file tree
Showing 3 changed files with 35 additions and 44 deletions.
1 change: 0 additions & 1 deletion DeadlineStack/package/app.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -51,7 +51,6 @@ def main():
s3_bucket_workers=config.s3_bucket_workers,
s3_bucket_workers_region=config.s3_bucket_workers_region,
fleet_config=config.fleet_config,
secret_domain_arn=config.secret_domain_arn,
custom_ami_id=config.custom_ami_id,
ec2_key_pair_name=config.ec2_key_pair_name
)
Expand Down
2 changes: 0 additions & 2 deletions DeadlineStack/package/config.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -34,8 +34,6 @@ def __init__(self):
self.create_resource_tracker_role: bool = True
# AWS region deadline is deployed into (ex: "us-west-2")
self.aws_region:str = ""
# Active directory secret arn ex: arn:aws:secretsmanager:us-west-2:xxxxxx:secret:StudioADAdminAccountCredentials-xxxxx
self.secret_domain_arn:str = ""
# Deadline VPC CIDR required (ex:"172.0.0.0/16")
self.vpc_cidr: str = ""
# Bucket for workers script
Expand Down
76 changes: 35 additions & 41 deletions DeadlineStack/package/lib/deadline_stack.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -94,8 +94,6 @@ class DeadlineStackProps(StackProps):
s3_bucket_workers_region: str
# Spot instance fleet configuration
fleet_config: dict
# Secret domain arn
secret_domain_arn: str
# Custom AMI for Test EC2
custom_ami_id: str
# Keypair for the test EC2 instance
Expand Down Expand Up @@ -218,14 +216,6 @@ def __init__(self, scope: Construct, stack_id: str, *, props: DeadlineStackProps
resources=["arn:aws:s3:::"+props.s3_bucket_workers+"/*"]
)
]
),
"read_ad_credentials": PolicyDocument(
statements=[
PolicyStatement(
actions=["secretsmanager:GetSecretValue"],
resources=[props.secret_domain_arn]
)
]
)
},
)
Expand Down Expand Up @@ -304,7 +294,7 @@ def __init__(self, scope: Construct, stack_id: str, *, props: DeadlineStackProps
internal_protocol=ApplicationProtocol.HTTPS,
),
)
# render_queue.connections.allow_default_port_from(Peer.ipv4(props.sic_workstation_subnet_cidr))
render_queue.connections.allow_default_port_from(Peer.ipv4(props.vpc_cidr))

if props.create_resource_tracker_role:
# Creates the Resource Tracker Access role. This role is required to exist in your account so the resource tracker will work properly
Expand Down Expand Up @@ -377,25 +367,23 @@ def __init__(self, scope: Construct, stack_id: str, *, props: DeadlineStackProps
),
)

EC2 Instance Deployment
instance = Instance(
# Security Group for EC2 Instance to communicate with AWS Systems Manager
ssm_sg = SecurityGroup(
self,
"RepositoryAccessInstance",
instance_type=InstanceType.of(InstanceClass.COMPUTE5, InstanceSize.LARGE), # c5.large
machine_image=MachineImage.generic_windows({props.aws_region: props.custom_ami_id}), # Custom Windows AMI with Deadline client
"SSMSecurityGroup",
vpc=vpc,
vpc_subnets={"subnet_type": SubnetType.PRIVATE_WITH_EGRESS},
security_group=ssm_sg, # Ensure this SG allows necessary traffic for SSM
role=ssm_role, # Attach the IAM role for SSM
key_name=props.ec2_key_pair_name
description="Security group for EC2 instance to allow communication with AWS Systems Manager",
allow_all_outbound=True # Allows all outbound traffic by default
)

# Adding user data to connect to the repository
instance.user_data.add_commands(
"echo 'Configuring instance to access Deadline Repository'",
# Add commands here to configure the instance to connect to the repository
# Adding ingress rule to allow RDP access from any source
ssm_sg.add_ingress_rule(
peer=Peer.any_ipv4(),
connection=Port.tcp(3389),
description="Allow RDP access from any source"
)


# IAM Role for EC2 Fleet Connect through AWS Systems Manager
ssm_role = Role(
self,
Expand All @@ -407,30 +395,36 @@ def __init__(self, scope: Construct, stack_id: str, *, props: DeadlineStackProps
]
)

# Security Group for EC2 Instance to communicate with AWS Systems Manager
ssm_sg = SecurityGroup(
self,
"SSMSecurityGroup",
vpc=vpc,
description="Security group for EC2 instance to allow communication with AWS Systems Manager",
allow_all_outbound=True # Allows all outbound traffic by default
)

# Optionally, restrict outbound traffic to only AWS SSM endpoints (port 443)
ssm_sg.add_egress_rule(
peer=Peer.any_ipv4(), # or use specific CIDR blocks for AWS endpoints
connection=Port.tcp(443),
description="Allow outbound HTTPS to SSM endpoints"
)

# IAM policy to allow EC2 instance to access the S3 bucket
s3_access_policy = iam.PolicyStatement(
s3_access_policy = PolicyStatement(
actions=["s3:GetObject"],
resources=[f"arn:aws:s3:::{props.s3_bucket_workers}/*"]
)

# Attach the policy to the EC2 instance role
ec2_instance_role.add_to_policy(s3_access_policy)
ssm_role.add_to_policy(s3_access_policy)

# EC2 Instance Deployment
instance = Instance(
self,
"RepositoryAccessInstance",
instance_type=InstanceType.of(InstanceClass.COMPUTE5, InstanceSize.LARGE), # c5.large
machine_image=MachineImage.generic_windows({props.aws_region: props.custom_ami_id}), # Custom Windows AMI with Deadline client
vpc=vpc,
vpc_subnets={"subnet_type": SubnetType.PUBLIC}, # Deploy in a public subnet
security_group=ssm_sg,
role=ssm_role,
key_name=props.ec2_key_pair_name
)


# Adding user data to connect to the repository
instance.user_data.add_commands(
"echo 'Configuring instance to access Deadline Repository'",
# Add commands here to configure the instance to connect to the repository
)


# Modify user data to download the certificate from S3
instance.user_data.add_commands(
Expand Down

0 comments on commit c01bdc2

Please sign in to comment.