ssm_vpc_endpoint#

VPC Endpoint for SSM.

Context: We need the rootski database to be secure. We do not want anyone on the public internet to be able to reach the backend database at all. To achieve this, we set the security group (firewall) rules on the database to accept traffic only from private IP addresses inside the AWS Lightsail VPC where the database runs.

The rootski REST API runs inside AWS Lambda. The rootski lambda function needs to reach the backend database over the network. This means the lambda must be on the same private network as the database (or one peered with it) and have a local IP address on that network; only then will the database's firewall accept its connections.

To achieve this, we manually created a VPC peering connection from the Lightsail VPC to the rootski AWS account (us-west-2) “Default VPC”. Lightsail VPC peering can only peer with the default VPC of the same region, which is why the Default VPC is used rather than a purpose-built one. We now deploy the lambda function into the Default VPC, so the lambda is on the same network!

Problem: If you deploy a lambda function into a VPC, its network interface gets only a private IP address, so it loses internet access unless the VPC gives it a route out: a NAT gateway (a managed service billed by the hour, ~$33.50/mo before data charges) or a NAT instance, i.e. an EC2 instance you run yourself. An internet gateway alone is free but does not help here, because a Lambda's interface has no public IP to use it with. That… is not an option for us. The issue is that the rootski lambda function needs to access at least three services:

  1. Lightsail instance with the rootski database

  2. AWS SSM Parameter store

  3. AWS Cognito

(1) is taken care of. (3) is the subject of another construct. (2) is addressed here. Many AWS services can be reached through a “VPC Endpoint”: S3 and DynamoDB via gateway endpoints, and SSM, API Gateway and others via interface endpoints (PrivateLink), which place network interfaces with private IPs in your subnets. With private DNS enabled on the endpoint, the regional hostname that libraries such as boto3 use by default (ssm.us-west-2.amazonaws.com) resolves to those private IPs, so SDK calls never leave the VPC; without private DNS the client would have to be pointed at the endpoint's own DNS name explicitly. Two caveats: the endpoint's security group must allow TCP 443 from the lambda's security group, and the lambda's execution role still needs the usual ssm permissions (the endpoint changes the network path, not authorization). In this way, our lambda function will be able to access SSM. Yaaaay!
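As an added example (not the rootski project's own code), here is the shape of the CloudFormation resources that an SSM interface endpoint and its security group synthesize to, built as plain Python dicts, together with a small lint that flags wide-open inbound rules in a resources section such as the one cdk synth emits. All IDs (VPC, subnets, the lambda's security group) and logical names are constructed assumptions for illustration. The weak variant reproduces an “allow everything” rule; the strict variant admits only TCP 443 from the lambda's security group, which is all an interface endpoint needs.

```python
"""Added example, not code from the rootski project: CloudFormation resources for an
SSM interface endpoint plus a lint for wide-open security group ingress.
All resource IDs and logical names below are constructed assumptions."""
import json


def ssm_vpc_endpoint_resources(region, vpc_id, subnet_ids, lambda_sg_id,
                               restrict_ingress=True):
    """Return a CloudFormation 'Resources' dict for an SSM interface endpoint.

    restrict_ingress=True  -> endpoint SG admits only TCP 443 from the lambda's SG.
    restrict_ingress=False -> an 'allow all traffic from anywhere' rule (weak variant).
    """
    if restrict_ingress:
        ingress = [{
            "IpProtocol": "tcp",
            "FromPort": 443,
            "ToPort": 443,
            "SourceSecurityGroupId": lambda_sg_id,
            "Description": "HTTPS from the rootski lambda only",
        }]
    else:
        ingress = [{
            "IpProtocol": "-1",          # all protocols and ports
            "CidrIp": "0.0.0.0/0",       # from anywhere
            "Description": "all traffic from anywhere (weak)",
        }]

    return {
        "SsmEndpointSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "Access to the SSM VPC endpoint",
                "VpcId": vpc_id,
                "SecurityGroupIngress": ingress,
            },
        },
        "SsmEndpoint": {
            "Type": "AWS::EC2::VPCEndpoint",
            "Properties": {
                "ServiceName": f"com.amazonaws.{region}.ssm",
                "VpcEndpointType": "Interface",
                "VpcId": vpc_id,
                "SubnetIds": list(subnet_ids),
                "SecurityGroupIds": [{"Ref": "SsmEndpointSecurityGroup"}],
                # Private DNS makes ssm.<region>.amazonaws.com resolve to the
                # endpoint's private IPs, so boto3 needs no endpoint_url override.
                "PrivateDnsEnabled": True,
            },
        },
    }


def _rule_is_open(rule):
    """True if an ingress rule admits any source address or any protocol/port."""
    any_source = rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0"
    all_ports = rule.get("IpProtocol") in ("-1", -1)
    return any_source or all_ports


def open_ingress_rules(resources):
    """Scan a CloudFormation 'Resources' dict (e.g. from `cdk synth` output) and
    return (logical_id, rule) pairs for inbound rules that are wide open."""
    findings = []
    for logical_id, res in resources.items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                if _rule_is_open(rule):
                    findings.append((logical_id, rule))
        elif res.get("Type") == "AWS::EC2::SecurityGroupIngress":
            # Standalone ingress rules carry the rule fields directly in Properties.
            if _rule_is_open(props):
                findings.append((logical_id, props))
    return findings


if __name__ == "__main__":
    # Constructed sample IDs; these are not real resources.
    strict = ssm_vpc_endpoint_resources("us-west-2", "vpc-0123456789abcdef0",
                                        ["subnet-aaaa", "subnet-bbbb"], "sg-lambda0001")
    print(json.dumps({"Resources": strict}, indent=2))
    weak = ssm_vpc_endpoint_resources("us-west-2", "vpc-0123456789abcdef0",
                                      ["subnet-aaaa"], "sg-lambda0001",
                                      restrict_ingress=False)
    for logical_id, rule in open_ingress_rules(weak):
        print(f"open ingress in {logical_id}: {rule}")
```

To use the lint against the real stack, run cdk synth, load the template's Resources section with json.load, and pass it to open_ingress_rules; an empty list means no security group in the stack admits all sources or all ports.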

Classes#

SsmVpcEndpoint

Create a VPC Endpoint in the Default VPC for SSM.

class SsmVpcEndpoint#

class rootski_backend_cdk.lambda_rest_api.rest_api_constructs.ssm_vpc_endpoint.SsmVpcEndpoint(*args: Any, **kwargs)#

Bases: constructs.Construct

Create a VPC Endpoint in the Default VPC for SSM.

default_vpc#

Default VPC in the region this construct is deployed in.

classmethod is_construct(x: Any) bool#

Checks if x is a construct.

Use this method instead of instanceof to properly detect Construct instances, even when the construct library is symlinked.

Explanation: in JavaScript, multiple copies of the constructs library on disk are seen as independent, completely different libraries. As a consequence, the class Construct in each copy of the constructs library is seen as a different class, and an instance of one class will not test as instanceof the other class. npm install will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the constructs library can be accidentally installed, and instanceof will behave unpredictably. It is safest to avoid using instanceof, and using this type-testing method instead.

Parameters

x – Any object.

Returns

true if x is an object created from a class which extends Construct.

property node: constructs.Node#

The tree node.

ssm_endpoint#

VPC Endpoint for SSM allowing services in any Default VPC subnet to reach SSM without leaving the VPC.

ssm_endpoint_security_group#

Security Group restricting access to the SSM VPC Endpoint; in this construct it admits all traffic. An interface endpoint only needs inbound TCP 443 from the lambda function's security group, so the rule can be tightened to that without breaking access.

to_string() str#

Returns a string representation of this construct.