A fully functional starter codebase for the DDoS-resilient reference architecture on AWS described in the AWS whitepaper AWS Best Practices for DDoS Resiliency.
Prerequisites
- aws-cli
- terraform
- terragrunt
- AWS account
- IAM user in AWS with programmatic access activated (ACCESS_KEY_ID, SECRET_ACCESS_KEY); give it a policy scoped to the resources this stack creates rather than administrator rights
- configure aws-cli to use an AWS_PROFILE associated with the downloaded ACCESS_KEY_ID and SECRET_ACCESS_KEY
- Buy a domain and register it in AWS Route53
- Read my blog post for more information about this stack
Prepare environment

```bash
cd ~/workspace/ddos-resilient-reference-architecture
cp example.env ./prod/.env
```

`prod/.env` holds your account-specific values (profile, bucket, artifact keys); keep it out of version control.
Alias aws, terraform, terragrunt and sam to use your AWS_PROFILE

```bash
alias aws-REPLACE_WITH_YOUR_AWS_PROFILE="AWS_PROFILE=REPLACE_WITH_YOUR_AWS_PROFILE aws"
alias terraform-REPLACE_WITH_YOUR_AWS_PROFILE="AWS_PROFILE=REPLACE_WITH_YOUR_AWS_PROFILE terraform"
alias terragrunt-REPLACE_WITH_YOUR_AWS_PROFILE="AWS_PROFILE=REPLACE_WITH_YOUR_AWS_PROFILE terragrunt"
alias sam-REPLACE_WITH_YOUR_AWS_PROFILE="AWS_PROFILE=REPLACE_WITH_YOUR_AWS_PROFILE sam"
```
In order to create the DDoS-resilient architecture in one go with terragrunt, we first need one S3 bucket in place that serves as the artifact store for our AWS Lambda functions.

```bash
cd ~/workspace/ddos-resilient-reference-architecture/prod/s3
source ../.env
terragrunt-REPLACE_WITH_YOUR_AWS_PROFILE apply
```
An AWS Lambda function that ensures the security groups we attach to the ALB let through CloudFront requests and nothing else. The function is subscribed to the public SNS topic AmazonIpSpaceChanged and runs whenever AWS publishes a new ip-ranges.json.
- Clone and package the lambda function

```bash
cd ~/workspace
git clone git@github.com:petersiemen/update-security-group-for-cloudfront-access.git
cd ~/workspace/update-security-group-for-cloudfront-access
sam package --s3-prefix update-security-group-for-cloudfront-access/v1.0 --s3-bucket REPLACE_WITH_YOUR_S3_BUCKET_FOR_LAMBDA_ARTIFACTS
```
Another AWS Lambda function, proxied by API Gateway, to showcase how to securely host an API using a regional API Gateway deployment behind a custom CloudFront distribution.
- Clone and package the lambda function

```bash
cd ~/workspace
git clone git@github.com:petersiemen/lambda-api-gateway.git
cd ~/workspace/lambda-api-gateway
sam package --s3-prefix lambda-api-gateway/v1.0 --s3-bucket REPLACE_WITH_YOUR_S3_BUCKET_FOR_LAMBDA_ARTIFACTS
```
Update `TF_VAR_lambda_update_security_groups_prefix` and `TF_VAR_lambda_api_gateway_prefix` in `~/workspace/ddos-resilient-reference-architecture/prod/.env` with the hashed object key that each `sam package` command printed (it is the `CodeUri` of the packaged template, under the `--s3-prefix` you passed).
Terragrunt the DDoS-resilient reference architecture

```bash
cd ~/workspace/ddos-resilient-reference-architecture/prod
source .env
terragrunt-REPLACE_WITH_YOUR_AWS_PROFILE apply-all
```

Newer terragrunt releases have replaced `apply-all` with `terragrunt run-all apply`; use that form if your version rejects `apply-all`.
We need to trigger the AWS Lambda function manually once to simulate the SNS topic notification (arn:aws:sns:us-east-1:806199016981:AmazonIpSpaceChanged), so that the security groups attached to the ALB are populated with the current list of IP ranges of all CloudFront edge locations; until then the ALB admits no CloudFront traffic.

```bash
aws-REPLACE_WITH_YOUR_AWS_PROFILE lambda invoke \
  --function-name UpdateSecurityGroups \
  --payload "file://$HOME/workspace/update-security-group-for-cloudfront-access/events/event.json" \
  response.json
```

The path is written with `$HOME` rather than `~` because the shell does not expand a tilde in the middle of `file://~/...`. With AWS CLI v2 add `--cli-binary-format raw-in-base64-out`, otherwise the JSON payload is rejected as invalid base64. Check `response.json` for errors, then confirm with `aws ec2 describe-security-groups` that the ALB security groups now carry CloudFront CIDRs on ports 80 and 443.
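What the update function has to get right, for both the SNS-driven update described earlier and the manual invocation above, is shown in this added example. It is not the repository's Lambda code and assumes nothing about it beyond the AWS interfaces it talks to: the AmazonIpSpaceChanged message carries the `md5` and `url` of the new ip-ranges.json, the file lists prefixes tagged with a `service`, and a security group's ingress rules come back from `describe_security_groups` as `IpPermissions`. The sample notification, ip-ranges body and current ingress rules are constructed inline so the script runs offline; the helper names (`verify_ip_ranges`, `plan_changes`, `chunk`) are this example's own.

```python
"""Compute the security-group changes that admit exactly the CloudFront edge ranges.

Added example, not the repository's Lambda function. Shows the three steps such a
function needs: verify the downloaded ip-ranges.json against the md5 in the SNS
message, extract the CLOUDFRONT prefixes, and diff them against the ingress rules
currently on the ALB security group so only the delta is authorized or revoked.
"""
import hashlib
import json

ALLOWED_PORTS = (80, 443)  # the listeners on the ALB

# Constructed sample of ip-ranges.json (field names as AWS publishes them, values made up).
SAMPLE_IP_RANGES_BODY = json.dumps({
    "syncToken": "1700000000",
    "createDate": "2023-11-14-00-00-00",
    "prefixes": [
        {"ip_prefix": "13.32.0.0/15", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "13.35.0.0/16", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "13.224.0.0/14", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "52.95.245.0/24", "region": "us-east-1", "service": "EC2"},
    ],
}).encode()

# Constructed sample of the message body the AmazonIpSpaceChanged topic delivers.
SAMPLE_SNS_MESSAGE = json.dumps({
    "create-time": "2023-11-14-00-00-00",
    "synctoken": "1700000000",
    "md5": hashlib.md5(SAMPLE_IP_RANGES_BODY).hexdigest(),
    "url": "https://ip-ranges.amazonaws.com/ip-ranges.json",
})

# Constructed snapshot of the ALB security group's ingress rules ("IpPermissions" shape).
# 203.0.113.0/24 is a stale, non-CloudFront rule that must be revoked.
SAMPLE_CURRENT_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "13.32.0.0/15"}, {"CidrIp": "203.0.113.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "13.32.0.0/15"}, {"CidrIp": "13.35.0.0/16"}]},
]


def verify_ip_ranges(sns_message: str, body: bytes) -> dict:
    """Parse the SNS message and refuse the download if its MD5 does not match the
    published one; a tampered or truncated file must never reach the security group."""
    msg = json.loads(sns_message)
    digest = hashlib.md5(body).hexdigest()
    if digest != msg["md5"]:
        raise ValueError(f"ip-ranges.json md5 mismatch: got {digest}, expected {msg['md5']}")
    return json.loads(body)


def cloudfront_prefixes(ip_ranges: dict) -> set:
    """Only the CLOUDFRONT service ranges belong on the ALB; other AWS ranges do not."""
    return {p["ip_prefix"] for p in ip_ranges["prefixes"] if p["service"] == "CLOUDFRONT"}


def current_cidrs(permissions: list) -> dict:
    """Map each allowed port to the set of CIDRs currently admitted on it over TCP."""
    current = {port: set() for port in ALLOWED_PORTS}
    for perm in permissions:
        if perm["IpProtocol"] != "tcp":
            continue
        for port in ALLOWED_PORTS:
            if perm["FromPort"] <= port <= perm["ToPort"]:
                current[port].update(r["CidrIp"] for r in perm["IpRanges"])
    return current


def plan_changes(wanted: set, permissions: list) -> dict:
    """Per port, the CIDRs to authorize and to revoke so the group ends up admitting
    exactly `wanted`. Applying the delta keeps existing rules in place during the update."""
    current = current_cidrs(permissions)
    return {port: {"authorize": sorted(wanted - current[port]),
                   "revoke": sorted(current[port] - wanted)}
            for port in ALLOWED_PORTS}


def to_ip_permissions(cidrs: list, port: int) -> list:
    """Shape CIDRs as the IpPermissions argument of authorize_/revoke_security_group_ingress."""
    return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
             "IpRanges": [{"CidrIp": c} for c in cidrs]}]


def chunk(cidrs, size: int = 50) -> list:
    """Split CIDRs into batches that fit one group's inbound-rule quota (60 per group by
    default); CloudFront publishes more prefixes than a single security group can hold,
    which is why the ALB carries several groups."""
    cidrs = sorted(cidrs)
    return [cidrs[i:i + size] for i in range(0, len(cidrs), size)]


if __name__ == "__main__":
    ranges = verify_ip_ranges(SAMPLE_SNS_MESSAGE, SAMPLE_IP_RANGES_BODY)
    plan = plan_changes(cloudfront_prefixes(ranges), SAMPLE_CURRENT_PERMISSIONS)
    print(json.dumps(plan, indent=2))
```

In the real function the two sample inputs are replaced by the SNS event's `Message` and the body fetched from its `url`, and each `authorize`/`revoke` list is passed through `to_ip_permissions` to `ec2.authorize_security_group_ingress` and `ec2.revoke_security_group_ingress`. Diffing rather than replacing matters: revoking everything first and re-adding would drop CloudFront traffic for the duration of the update.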