Created August 22, 2021 18:12
SessionManager_without_IGW.yml
```yaml
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  LatestAmiId:
    # Use public Systems Manager Parameter for AMI Image name
    # https://aws.amazon.com/blogs/compute/query-for-the-latest-amazon-linux-ami-ids-using-aws-systems-manager-parameter-store/
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Description: Select Amazon Linux(1) or 2
    Default: /aws/service/ami-amazon-linux-latest/amzn-ami-hvm-x86_64-gp2
    AllowedValues:
      - /aws/service/ami-amazon-linux-latest/amzn-ami-hvm-x86_64-gp2   # Amazon Linux [1]
      - /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2  # Amazon Linux 2
  InstanceType:
    Type: String
    Default: t2.nano
    Description: Select an instance type
    AllowedValues:
      - t2.nano
      - t2.micro
      - t3.nano
      - t3.micro
  # Parameters for the 'harness' VPC to host this demo. All defaults are fine for our purposes.
  VpcCidr:
    Description: Please enter the IP range (CIDR notation) for this VPC
    Type: String
    Default: 10.192.0.0/16
  PrivateSubnetCidr:
    Description: Please enter the IP range (CIDR notation) for the private subnet in the first Availability Zone
    Type: String
    Default: 10.192.20.0/24

Resources:
  Ec2InPrivateSubnet:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref LatestAmiId
      InstanceType: !Ref InstanceType
      # KeyName: NO SSH Key needed
      IamInstanceProfile: !Ref Ec2InstanceProfile
      NetworkInterfaces:
        - DeviceIndex: 0
          GroupSet:
            - !Ref SecurityGroupEc2Instance
          SubnetId: !Ref PrivateSubnet
      Tags:
        - Key: Name
          Value: Session Manager test Instance in Private Subnet

  # By default, AWS Systems Manager doesn't have permission to perform actions on your instances.
  # You must grant access by using an AWS Identity and Access Management (IAM) instance profile.
  # https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-configuring-access-role.html
  Ec2InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: /
      Roles: [ !Ref Ec2InstanceRole ]

  Ec2InstanceRole:
    Type: AWS::IAM::Role
    Properties:
      ManagedPolicyArns:
        # ********** This is really the only adjustment we need to make to enable use of SSM Session Manager.
        # All the AWS::CloudFormation::Init and cloud-init script work is setting up CloudWatch Logs
        # to give visibility to the SSM Agent actions.
        - arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: [ ec2.amazonaws.com ]
            Action:
              - sts:AssumeRole
      Path: /

  Vpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: !Ref VpcCidr
      EnableDnsHostnames: True
      EnableDnsSupport: True

  # Three VPC endpoints are required for Session Manager without an internet gateway:
  #   1. ssm
  #   2. ssmmessages
  #   3. ec2messages
  # This solution will not work in Regions that do not offer all three of these VPC endpoints.
  SsmVpcEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      ServiceName: !Sub com.amazonaws.${AWS::Region}.ssm
      VpcId: !Ref Vpc
      SubnetIds:
        - !Ref PrivateSubnet
      SecurityGroupIds:
        - !Ref SecurityGroupVpcEndpoint
      VpcEndpointType: Interface
      PrivateDnsEnabled: True

  SsmMessagesVpcEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      ServiceName: !Sub com.amazonaws.${AWS::Region}.ssmmessages
      VpcId: !Ref Vpc
      SubnetIds:
        - !Ref PrivateSubnet
      SecurityGroupIds:
        - !Ref SecurityGroupVpcEndpoint
      VpcEndpointType: Interface
      PrivateDnsEnabled: True

  Ec2MessagesVpcEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      ServiceName: !Sub com.amazonaws.${AWS::Region}.ec2messages
      VpcId: !Ref Vpc
      SubnetIds:
        - !Ref PrivateSubnet
      SecurityGroupIds:
        - !Ref SecurityGroupVpcEndpoint
      VpcEndpointType: Interface
      PrivateDnsEnabled: True

  PrivateSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref Vpc
      CidrBlock: !Ref PrivateSubnetCidr
      AvailabilityZone: !Select [ 0, !GetAZs '' ]  # Get the first AZ in the list
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-Private-Subnet

  # Here is a private route table (no default route, so no path to the internet):
  PrivateRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref Vpc
      Tags:
        - Key: Name
          Value: Private

  PrivateSubnetRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnet
      RouteTableId: !Ref PrivateRouteTable

  SecurityGroupEc2Instance:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: SG for EC2 Instance
      VpcId: !Ref Vpc
      # Despite this security group containing no ingress rules, Session
      # Manager can still provide shell access
      SecurityGroupEgress:
        # The SSM Agent connects to Session Manager over TCP 443
        - Description: allow outbound HTTPS to the VPC
          CidrIp: !Ref VpcCidr
          FromPort: 443
          ToPort: 443
          IpProtocol: tcp

  SecurityGroupVpcEndpoint:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: SG for VPC Endpoints
      VpcId: !Ref Vpc
      SecurityGroupIngress:
        # The SSM Agent connects to Session Manager over TCP 443
        - Description: allow inbound HTTPS from the EC2 instance
          SourceSecurityGroupId: !Ref SecurityGroupEc2Instance
          FromPort: 443
          ToPort: 443
          IpProtocol: tcp
      SecurityGroupEgress:
        # The SSM Agent connects to Session Manager over TCP 443
        - Description: allow outbound HTTPS to the VPC
          CidrIp: !Ref VpcCidr
          FromPort: 443
          ToPort: 443
          IpProtocol: tcp

Outputs:
  SessionManagementListUrl:
    Description: The URL to the Session Management Console listing all instances it is aware of
    Value: !Sub https://${AWS::Region}.console.aws.amazon.com/systems-manager/session-manager/start-session?region=${AWS::Region}
  SessionManagementPublicSubnetInstanceUrl:
    Description: The URL to the Session Management Console for this instance
    Value: !Sub https://${AWS::Region}.console.aws.amazon.com/systems-manager/session-manager/${Ec2InPrivateSubnet}?region=${AWS::Region}
```
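The template's comments name the three conditions that make Session Manager work with no internet gateway: interface endpoints for `ssm`, `ssmmessages` and `ec2messages` with private DNS on, and an endpoint security group that admits TCP 443 from the instance's security group. The check below is an added example (not part of the gist or of AWS's tooling) that verifies those conditions over data in the shape of boto3's `describe_vpc_endpoints()` and `describe_security_groups()` responses; the region, VPC and security-group IDs and the endpoint records are constructed sample values, so it runs offline, and the same functions can be pointed at live responses from `boto3.client("ec2")`.

```python
"""Offline prerequisite check for Session Manager in a VPC without an IGW.

Example code written for this page; the record layouts follow boto3's
describe_vpc_endpoints()['VpcEndpoints'] and
describe_security_groups()['SecurityGroups'], and all IDs below are
constructed sample values.
"""

REGION = "us-east-1"            # constructed
VPC_ID = "vpc-0exampleid"       # constructed
INSTANCE_SG_ID = "sg-0instance" # constructed: SecurityGroupEc2Instance in the template
ENDPOINT_SG_ID = "sg-0endpoint" # constructed: SecurityGroupVpcEndpoint in the template

# The three interface endpoints the template declares.
REQUIRED_SERVICES = ("ssm", "ssmmessages", "ec2messages")


def _endpoint(service, **overrides):
    """Build one VpcEndpoints record for the sample data (constructed)."""
    rec = {
        "VpcId": VPC_ID,
        "ServiceName": f"com.amazonaws.{REGION}.{service}",
        "VpcEndpointType": "Interface",
        "PrivateDnsEnabled": True,
        "State": "available",
        "Groups": [{"GroupId": ENDPOINT_SG_ID}],
    }
    rec.update(overrides)
    return rec


# A VPC that matches the template exactly.
GOOD_ENDPOINTS = [_endpoint(s) for s in REQUIRED_SERVICES]

# Two common mistakes: ec2messages never created, ssmmessages without private DNS.
BROKEN_ENDPOINTS = [_endpoint("ssm"), _endpoint("ssmmessages", PrivateDnsEnabled=False)]

# The endpoint security group as the template defines it: 443/tcp from the instance SG only.
ENDPOINT_SG = {
    "GroupId": ENDPOINT_SG_ID,
    "IpPermissions": [{
        "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
        "UserIdGroupPairs": [{"GroupId": INSTANCE_SG_ID}],
    }],
}


def check_vpc_endpoints(region, vpc_id, endpoints):
    """Return a list of findings for the VPC; an empty list means all three
    endpoints exist, are Interface type, available, and have private DNS on."""
    prefix = f"com.amazonaws.{region}."
    found = {}
    for ep in endpoints:
        name = ep.get("ServiceName", "")
        if ep.get("VpcId") == vpc_id and name.startswith(prefix):
            found[name[len(prefix):]] = ep

    findings = []
    for svc in REQUIRED_SERVICES:
        ep = found.get(svc)
        if ep is None:
            findings.append(f"{svc}: no VPC endpoint in {vpc_id}")
            continue
        if ep.get("VpcEndpointType") != "Interface":
            findings.append(f"{svc}: type is {ep.get('VpcEndpointType')}, expected Interface")
        if ep.get("State") != "available":
            findings.append(f"{svc}: state is {ep.get('State')}, expected available")
        if not ep.get("PrivateDnsEnabled"):
            # Without private DNS the agent's default service hostname does not
            # resolve to the endpoint, so the call would need a route to the internet.
            findings.append(f"{svc}: PrivateDnsEnabled is off")
    return findings


def sg_allows_tcp443_from(sg, source_sg_id):
    """True if the security group admits TCP 443 from the given source group."""
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):
            continue
        if proto == "tcp" and not (perm.get("FromPort", 0) <= 443 <= perm.get("ToPort", 65535)):
            continue
        if any(p.get("GroupId") == source_sg_id for p in perm.get("UserIdGroupPairs", [])):
            return True
    return False


if __name__ == "__main__":
    for label, eps in (("good", GOOD_ENDPOINTS), ("broken", BROKEN_ENDPOINTS)):
        print(label, check_vpc_endpoints(REGION, VPC_ID, eps) or "OK")
    print("endpoint SG admits instance SG:", sg_allows_tcp443_from(ENDPOINT_SG, INSTANCE_SG_ID))
```

On live data, replace the sample lists with `ec2.describe_vpc_endpoints(Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])["VpcEndpoints"]` and the group returned by `ec2.describe_security_groups(GroupIds=[...])`. The IAM side of the template is worth a separate look: `AmazonEC2RoleforSSM` is the legacy managed policy that AWS has since superseded with the narrower `AmazonSSMManagedInstanceCore`, which is the least-privilege choice for an instance whose only job is to register with SSM.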