
Пример конфигурации CloudFormation, которая создает VPC, Gateway, Security Group, EC2 Instance и подключает уже существующую IAM роль, которой разрешен доступ на чтение в уже существующем приватном S3 Bucket; в нём лежит скрипт для дальнейшей настройки EC2 Instance. Пример использования UserData в EC2 Instance.
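AWSTemplateFormatVersion: "2010-09-09"
Description: 'Auto create VPC with instance'
########################################### BLOCK WITH ENVIRONMENTS ###########################################
Parameters:
  ProjectName:
    Type: String
    Default: Test-VPC
    Description: Name of project.
  VpcBlock:
    Type: String
    Default: 192.168.0.0/16
    Description: The CIDR range for the VPC. This should be a valid private (RFC 1918) CIDR range.
  SubNetwork01:
    Type: String
    Default: 192.168.1.0/24
    Description: CIDR block for subnetwork 01 (part from pool VPC Block).
  # Source range allowed to reach port 22. The default keeps the template's original
  # behaviour (SSH reachable from any address); narrow it to your own address range
  # when creating the stack.
  SSHLocation:
    Type: String
    Default: 0.0.0.0/0
    AllowedPattern: '(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})'
    ConstraintDescription: Must be a valid IPv4 CIDR range of the form x.x.x.x/x.
    Description: IPv4 CIDR range allowed to SSH to the instance.
  SSHKeyName:
    Type: String
    Default: artem-aws-key
    Description: Name of SSH key.
  # AMI IDs are region-specific; presumably this default is only valid in us-east-1 - verify
  # before reusing the template in another region.
  Image:
    Type: String
    Default: ami-0ff8a91507f77f867
    Description: Image for instance (Default - Amazon Linux, if you change it, you must check Instance UserData)
  # NOTE: despite its name this parameter is consumed as an Availability Zone (see SubNet01),
  # not as a region. The name is kept so existing stacks keep their parameter set.
  Region:
    Type: String
    Default: us-east-1b
    Description: Availability Zone for SubNet01 (Default - us-east-1b, U.S. N. Virginia)
  # Pre-existing bucket holding my_script.sh; referenced by both the cfn-init
  # authentication block and the UserData script below.
  Bucket:
    Type: String
    Default: private-s3-bucket
    Description: Name of Bucket
  # Pre-existing IAM role; it is attached to the instance through InstanceProfile and must
  # allow read access to the bucket above. (ConstraintDescription is only shown when a
  # constraint fails, so the requirement now lives in Description instead.)
  AIMRoleName:
    Type: String
    Default: artem-s3
    Description: Name of IAM role (must have read permission on the S3 Bucket)
############################################# BLOCK WITH NETWORK #############################################
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: !Ref VpcBlock
      EnableDnsSupport: true
      EnableDnsHostnames: true
  InternetGateway:
    Type: AWS::EC2::InternetGateway
  VPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      InternetGatewayId: !Ref InternetGateway
      VpcId: !Ref VPC
  RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: Public Subnets
        - Key: Network
          Value: Public
  # The default route can only be created once the gateway is attached to the VPC.
  Route:
    DependsOn: VPCGatewayAttachment
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref RouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
  ### IF YOU NEED MORE THAN ONE SUBNET, DUPLICATE THE BLOCK BELOW UNDER ANOTHER NAME AND ADD A CIDR BLOCK FOR IT
  SubNet01:
    Type: AWS::EC2::Subnet
    Properties:
      CidrBlock: !Ref SubNetwork01
      VpcId: !Ref VPC
      AvailabilityZone: !Ref Region
  Subnet01RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref SubNet01
      RouteTableId: !Ref RouteTable
########################################## BLOCK WITH SECURITY GROUP #########################################
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: !Ref ProjectName
      GroupDescription: !Ref ProjectName
      VpcId: !Ref VPC
      SecurityGroupIngress:
        # SSH is limited to SSHLocation; HTTP stays open because the instance is a public web host.
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref SSHLocation
          Description: SSH
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
          Description: HTTP
  # Wraps the pre-existing role so the instance can obtain its credentials.
  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: /
      Roles:
        - !Ref AIMRoleName
########################################## BLOCK WITH EC2 INSTANCES ##########################################
  Ec2Instance:
    Type: AWS::EC2::Instance
    Metadata:
      # Role-based S3 authentication for cfn-init. `buckets` must list the bucket
      # (the original referenced the role name here) and `roleName` is a single value.
      # NOTE(review): no AWS::CloudFormation::Init key is defined, so cfn-init has
      # nothing to apply and this block is presumably unused - the UserData script
      # fetches the file with the AWS CLI using the instance profile instead. Confirm.
      AWS::CloudFormation::Authentication:
        rolebased:
          type: S3
          buckets:
            - !Ref Bucket
          roleName: !Ref AIMRoleName
    Properties:
      IamInstanceProfile: !Ref InstanceProfile
      ImageId: !Ref Image
      InstanceType: t2.micro
      KeyName: !Ref SSHKeyName
      BlockDeviceMappings:
        - DeviceName: /dev/sdm
          Ebs:
            VolumeType: io1
            Iops: 200
            DeleteOnTermination: true
            VolumeSize: 20
      NetworkInterfaces:
        - AssociatePublicIpAddress: true
          DeleteOnTermination: true
          DeviceIndex: 0
          SubnetId: !Ref SubNet01
          GroupSet:
            - !Ref InstanceSecurityGroup
      # Boot script. The script path now uses the Bucket parameter instead of a
      # hard-coded bucket name, so changing the parameter actually changes the source.
      # NOTE(review): the resource has no CreationPolicy, so the cfn-signal result is
      # presumably not awaited by the stack - confirm whether that is intended.
      # `!Sub` only expands `${...}`; `$?` is passed through to the shell untouched.
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash -x
          /opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource Ec2Instance --region ${AWS::Region}
          /opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource Ec2Instance --region ${AWS::Region}
          aws s3 cp s3://${Bucket}/my_script.sh /tmp/my_script.sh
          chmod +x /tmp/my_script.sh
          /tmp/my_script.sh
###############################################################################################################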