CloudFormation — VPC, SG, Gateway, EC2 Instance, S3 Bucket, IAM

Пример конфигурации CloudFormation, который создает VPC, Gateway, Security Group, EC2 Instance, подключает уже существующую IAM роль, которой разрешен доступ на чтение в приватном S3 Bucket, который уже существует и нем лежит скрипт для дальнейшей настройки EC2 Instance. Пример использования UserData в EC2 Instance

AWSTemplateFormatVersion: "2010-09-09"
Description: 'Auto create VPC with instance'

########################################### BLOCK WITH ENVIRONMENTS ###########################################
Parameters:

  ProjectName:
    Type: String
    Default: Test-VPC
    Description: Name of project.

  VpcBlock:
    Type: String
    Default: 192.168.0.0/16
    Description: The CIDR range for the VPC. This should be a valid private (RFC 1918) CIDR range.

  SubNetwork01:
    Type: String
    Default: 192.168.1.0/24
    Description: CIDR block for subnetwork 01 (part from pool VPC Block).

  SSHKeyName:
    Type: String
    Default: artem-aws-key
    Description: Name of SSH key.

  Image:
    Type: String
    Default: ami-0ff8a91507f77f867
    Description: Image for instance (Default - Amazon Linux, if you changes it, you must check Instance UserData)

  Region:
    Type: String
    Default: us-east-1b
    Description: Region (Default - U.S. Virginia)

  Bucket:
    Type: String
    Default: private-s3-bucket
    Description: Name of Bucket

  AIMRoleName:
    Type: String
    Default: artem-s3
    Description: Name of AIM role
    ConstraintDescription: (read permission from S3 Bucket)

############################################# BLOCK WITH NETWORK  #############################################

Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: !Ref VpcBlock
      EnableDnsSupport: true
      EnableDnsHostnames: true

  InternetGateway:
    Type: AWS::EC2::InternetGateway

  VPCGatewayAttachment:
    Type: "AWS::EC2::VPCGatewayAttachment"
    Properties:
      InternetGatewayId: !Ref InternetGateway
      VpcId: !Ref VPC

  RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
      - Key: Name
        Value: Public Subnets
      - Key: Network
        Value: Public

  Route:
    DependsOn: VPCGatewayAttachment
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref RouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway

### IF YOU NEED MORE, THAT ONE SUBNET, DUPLICATE BLOCK BELOW WITH OTHER NAME AND ADD CIDR BLOCK FOR IT

  SubNet01:
    Type: AWS::EC2::Subnet
    Properties:
      CidrBlock: !Ref SubNetwork01
      VpcId: !Ref VPC
      AvailabilityZone: !Ref Region

  Subnet01RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref SubNet01
      RouteTableId: !Ref RouteTable

########################################## BLOCK WITH SECURITY GROUP  #########################################

  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: !Ref ProjectName
      GroupDescription: !Ref ProjectName
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
          Description: SSH
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
          Description: HTTP

  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: /
      Roles: 
      - !Ref AIMRoleName

########################################## BLOCK WITH EC2 INSTANCES  ##########################################

  Ec2Instance:
    Type: AWS::EC2::Instance
    Metadata:
      AWS::CloudFormation::Authentication:
        rolebased:
          type: "S3"
          buckets:
          - !Ref AIMRoleName
          roleName:
          - !Ref AIMRoleName
    Properties:
      IamInstanceProfile: !Ref InstanceProfile
      ImageId: !Ref Image
      InstanceType: t2.micro
      KeyName: !Ref SSHKeyName
      BlockDeviceMappings:
        -
          DeviceName: /dev/sdm
          Ebs:
            VolumeType: io1
            Iops: 200
            DeleteOnTermination: true
            VolumeSize: 20
      NetworkInterfaces:
        -
          AssociatePublicIpAddress: true
          DeleteOnTermination: true
          DeviceIndex: 0
          SubnetId: !Ref SubNet01
          GroupSet:
          - !Ref InstanceSecurityGroup
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash -x
          /opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource Ec2Instance --region ${AWS::Region}
          /opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource Ec2Instance --region ${AWS::Region}
          aws s3 cp s3://private-s3-bucket/my_script.sh /tmp/my_script.sh
          chmod +x /tmp/my_script.sh
          /tmp/my_script.sh

###############################################################################################################
0 0 vote
Рейтинг статьи

Метки: Метки

Подписаться
Уведомление о
guest
0 комментариев
Inline Feedbacks
View all comments