

@coreysan
Last active June 28, 2018 17:26
AWS ELK Stack Templates

Templates for starting infra development using AWS CloudFormation

{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "This template is intended to be deployed into an existing VPC with two public subnets. It will create an auto-scaling group of Linux bastion instances in the public VPC subnets. **WARNING** This template creates Amazon EC2 instances and related resources. You will be billed for the AWS resources used if you create a stack from this template. QS(0037)",
"Metadata": {
"AWS::CloudFormation::Interface": {
"ParameterGroups": [
{
"Label": {
"default": "Network Configuration"
},
"Parameters": [
"VPCID",
"PublicSubnet1ID",
"PublicSubnet2ID",
"RemoteAccessCIDR"
]
},
{
"Label": {
"default": "Amazon EC2 Configuration"
},
"Parameters": [
"KeyPairName",
"BastionAMIOS",
"BastionInstanceType"
]
},
{
"Label": {
"default": "Linux Bastion Configuration"
},
"Parameters": [
"NumBastionHosts",
"EnableBanner",
"BastionBanner",
"EnableTCPForwarding",
"EnableX11Forwarding"
]
},
{
"Label": {
"default": "AWS Quick Start Configuration"
},
"Parameters": [
"QSS3BucketName",
"QSS3KeyPrefix"
]
}
],
"ParameterLabels": {
"BastionAMIOS": {
"default": "Bastion AMI Operating System"
},
"BastionBanner": {
"default": "Bastion Banner"
},
"BastionInstanceType": {
"default": "Bastion Instance Type"
},
"EnableBanner": {
"default": "Enable Banner"
},
"EnableTCPForwarding": {
"default": "Enable TCP Forwarding"
},
"EnableX11Forwarding": {
"default": "Enable X11 Forwarding"
},
"KeyPairName": {
"default": "Key Pair Name"
},
"NumBastionHosts": {
"default": "Number of Bastion Hosts"
},
"PublicSubnet1ID": {
"default": "Public Subnet 1 ID"
},
"PublicSubnet2ID": {
"default": "Public Subnet 2 ID"
},
"QSS3BucketName": {
"default": "Quick Start S3 Bucket Name"
},
"QSS3KeyPrefix": {
"default": "Quick Start S3 Key Prefix"
},
"RemoteAccessCIDR": {
"default": "Allowed Bastion External Access CIDR"
},
"VPCID": {
"default": "VPC ID"
}
}
}
},
"Parameters": {
"BastionAMIOS": {
"AllowedValues": [
"Amazon-Linux-HVM",
"CentOS-7-HVM",
"Ubuntu-Server-14.04-LTS-HVM",
"Ubuntu-Server-16.04-LTS-HVM"
],
"Default": "Amazon-Linux-HVM",
"Description": "The Linux distribution for the AMI to be used for the bastion instances",
"Type": "String"
},
"BastionBanner": {
"Default": "https://s3.amazonaws.com/quickstart-reference/linux/bastion/latest/scripts/banner_message.txt",
"Description": "Banner text to display upon login",
"Type": "String"
},
"BastionInstanceType": {
"AllowedValues": [
"t2.nano",
"t2.micro",
"t2.small",
"t2.medium",
"t2.large",
"m3.large",
"m3.xlarge",
"m3.2xlarge",
"m4.large",
"m4.xlarge",
"m4.2xlarge",
"m4.4xlarge"
],
"Default": "t2.micro",
"Description": "Amazon EC2 instance type for the bastion instances",
"Type": "String"
},
"EnableBanner": {
"AllowedValues": [
"true",
"false"
],
"Default": "false",
"Description": "To include a banner to be displayed when connecting via SSH to the bastion, set this parameter to true",
"Type": "String"
},
"EnableTCPForwarding": {
"Type": "String",
"Description": "Enable/Disable TCP Forwarding",
"Default": "false",
"AllowedValues": [
"true",
"false"
]
},
"EnableX11Forwarding": {
"Type": "String",
"Description": "Enable/Disable X11 Forwarding",
"Default": "false",
"AllowedValues": [
"true",
"false"
]
},
"KeyPairName": {
"Description": "Enter a public/private key pair. If you do not have one in this region, create one before continuing",
"Type": "AWS::EC2::KeyPair::KeyName"
},
"NumBastionHosts": {
"AllowedValues": [
"1",
"2",
"3",
"4"
],
"Default": "1",
"Description": "Enter the number of bastion hosts to create",
"Type": "String"
},
"PublicSubnet1ID": {
"Description": "ID of the public subnet 1 that you want to provision the first bastion into (e.g., subnet-a0246dcd)",
"Type": "AWS::EC2::Subnet::Id"
},
"PublicSubnet2ID": {
"Description": "ID of the public subnet 2 that you want to provision the second bastion into (e.g., subnet-e3246d8e)",
"Type": "AWS::EC2::Subnet::Id"
},
"QSS3BucketName": {
"AllowedPattern": "^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$",
"ConstraintDescription": "Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).",
"Default": "quickstart-reference",
"Description": "S3 bucket name for the Quick Start assets. Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).",
"Type": "String"
},
"QSS3KeyPrefix": {
"AllowedPattern": "^[0-9a-zA-Z-/]*$",
"ConstraintDescription": "Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/).",
"Default": "linux/bastion/latest/",
"Description": "S3 key prefix for the Quick Start assets. Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/).",
"Type": "String"
},
"RemoteAccessCIDR": {
"AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$",
"ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/x",
"Description": "Allowed CIDR block for external SSH (and ICMP) access to the bastions",
"Type": "String"
},
"VPCID": {
"Description": "ID of the VPC (e.g., vpc-0343606e)",
"Type": "AWS::EC2::VPC::Id"
}
},
"Rules": {
"SubnetsInVPC": {
"Assertions": [
{
"Assert": {
"Fn::EachMemberIn": [
{
"Fn::ValueOfAll": [
"AWS::EC2::Subnet::Id",
"VpcId"
]
},
{
"Fn::RefAll": "AWS::EC2::VPC::Id"
}
]
},
"AssertDescription": "All subnets must exist in the VPC"
}
]
}
},
"Mappings": {
"AWSAMIRegionMap": {
"AMI": {
"AMZNLINUXHVM": "amzn-ami-hvm-2017.09.1.20180108-x86_64-gp2",
"CENTOS7HVM": "CentOS Linux 7 x86_64 HVM EBS 1708_11.01-b7ee8a69-ee97-4a49-9e68-afaee216db2e-ami-95096eef.4",
"US1404HVM": "ubuntu/images/hvm-ssd/ubuntu-trusty-14.04-amd64-server-20180110",
"US1604HVM": "ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-20180109"
},
"ap-northeast-1": {
"AMZNLINUXHVM": "ami-33c25b55",
"CENTOS7HVM": "ami-4dd5522b",
"US1404HVM": "ami-816cf4e7",
"US1604HVM": "ami-d39a02b5"
},
"ap-northeast-2": {
"AMZNLINUXHVM": "ami-d9b616b7",
"CENTOS7HVM": "ami-53a1073d",
"US1404HVM": "ami-7246e61c",
"US1604HVM": "ami-67973709"
},
"ap-south-1": {
"AMZNLINUXHVM": "ami-fedb8f91",
"CENTOS7HVM": "ami-82a3eaed",
"US1404HVM": "ami-2390c74c",
"US1604HVM": "ami-5d055232"
},
"ap-southeast-1": {
"AMZNLINUXHVM": "ami-889cecf4",
"CENTOS7HVM": "ami-a6e88dda",
"US1404HVM": "ami-1384f76f",
"US1604HVM": "ami-325d2e4e"
},
"ap-southeast-2": {
"AMZNLINUXHVM": "ami-ccab56ae",
"CENTOS7HVM": "ami-5b778339",
"US1404HVM": "ami-c831ccaa",
"US1604HVM": "ami-37df2255"
},
"ca-central-1": {
"AMZNLINUXHVM": "ami-61f97c05",
"CENTOS7HVM": "ami-b111aad5",
"US1404HVM": "ami-ccaf2aa8",
"US1604HVM": "ami-f0870294"
},
"eu-central-1": {
"AMZNLINUXHVM": "ami-0fc85a60",
"CENTOS7HVM": "ami-1e038d71",
"US1404HVM": "ami-a531a3ca",
"US1604HVM": "ami-af79ebc0"
},
"eu-west-1": {
"AMZNLINUXHVM": "ami-e487179d",
"CENTOS7HVM": "ami-192a9460",
"US1404HVM": "ami-34f2604d",
"US1604HVM": "ami-4d46d534"
},
"eu-west-2": {
"AMZNLINUXHVM": "ami-51809835",
"CENTOS7HVM": "ami-c8d7c9ac",
"US1404HVM": "ami-606b7004",
"US1604HVM": "ami-d7aab2b3"
},
"eu-west-3": {
"AMZNLINUXHVM": "ami-fe03b483",
"CENTOS7HVM": "ami-0c60d771",
"US1404HVM": "ami-03fd4b7e",
"US1604HVM": "ami-5e0eb923"
},
"sa-east-1": {
"AMZNLINUXHVM": "ami-1226647e",
"CENTOS7HVM": "ami-6b5c1b07",
"US1404HVM": "ami-926527fe",
"US1604HVM": "ami-1157157d"
},
"us-east-1": {
"AMZNLINUXHVM": "ami-cb9ec1b1",
"CENTOS7HVM": "ami-02e98f78",
"US1404HVM": "ami-33e4bc49",
"US1604HVM": "ami-41e0b93b"
},
"us-east-2": {
"AMZNLINUXHVM": "ami-caaf84af",
"CENTOS7HVM": "ami-e0eac385",
"US1404HVM": "ami-854b61e0",
"US1604HVM": "ami-2581aa40"
},
"us-west-1": {
"AMZNLINUXHVM": "ami-95eeeef5",
"CENTOS7HVM": "ami-b1a59fd1",
"US1404HVM": "ami-915f5cf1",
"US1604HVM": "ami-79aeae19"
},
"us-west-2": {
"AMZNLINUXHVM": "ami-32cf7b4a",
"CENTOS7HVM": "ami-b63ae0ce",
"US1404HVM": "ami-b88c3bc0",
"US1604HVM": "ami-1ee65166"
}
},
"LinuxAMINameMap": {
"Amazon-Linux-HVM": {
"Code": "AMZNLINUXHVM"
},
"CentOS-7-HVM": {
"Code": "CENTOS7HVM"
},
"Ubuntu-Server-14.04-LTS-HVM": {
"Code": "US1404HVM"
},
"Ubuntu-Server-16.04-LTS-HVM": {
"Code": "US1604HVM"
}
}
},
"Conditions": {
"2BastionCondition": {
"Fn::Or": [
{
"Fn::Equals": [
{
"Ref": "NumBastionHosts"
},
"2"
]
},
{
"Condition": "3BastionCondition"
},
{
"Condition": "4BastionCondition"
}
]
},
"3BastionCondition": {
"Fn::Or": [
{
"Fn::Equals": [
{
"Ref": "NumBastionHosts"
},
"3"
]
},
{
"Condition": "4BastionCondition"
}
]
},
"4BastionCondition": {
"Fn::Equals": [
{
"Ref": "NumBastionHosts"
},
"4"
]
},
"GovCloudCondition": {
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"us-gov-west-1"
]
}
},
"Resources": {
"BastionMainLogGroup": {
"Type": "AWS::Logs::LogGroup"
},
"SSHMetricFilter": {
"Type": "AWS::Logs::MetricFilter",
"Properties": {
"LogGroupName": {
"Ref": "BastionMainLogGroup"
},
"FilterPattern": "ON FROM USER PWD",
"MetricTransformations": [
{
"MetricName": "SSHCommandCount",
"MetricValue": 1,
"MetricNamespace": {
"Fn::Join": [
"/",
[
"AWSQuickStart",
{
"Ref": "AWS::StackName"
}
]
]
}
}
]
}
},
"BastionHostRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"Policies": [
{
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject"
],
"Resource": {
"Fn::Sub": [
"arn:${Partition}:s3:::${QSS3BucketName}/${QSS3KeyPrefix}*",
{
"Partition": {
"Fn::If": [
"GovCloudCondition",
"aws-us-gov",
"aws"
]
}
}
]
},
"Effect": "Allow"
}
]
},
"PolicyName": "aws-quick-start-s3-policy"
},
{
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"logs:CreateLogStream",
"logs:GetLogEvents",
"logs:PutLogEvents",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:PutRetentionPolicy",
"logs:PutMetricFilter",
"logs:CreateLogGroup"
],
"Resource": {
"Fn::Sub": [
"arn:${Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:${BastionMainLogGroup}:*",
{
"Partition": {
"Fn::If": [
"GovCloudCondition",
"aws-us-gov",
"aws"
]
}
}
]
},
"Effect": "Allow"
}
]
},
"PolicyName": "bastion-cloudwatch-logs-policy"
},
{
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:AssociateAddress",
"ec2:DescribeAddresses"
],
"Resource": [
"*"
],
"Effect": "Allow"
}
]
},
"PolicyName": "bastion-eip-policy"
}
],
"Path": "/",
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": [
"sts:AssumeRole"
],
"Principal": {
"Service": [
"ec2.amazonaws.com"
]
},
"Effect": "Allow"
}
],
"Version": "2012-10-17"
}
}
},
"BastionHostProfile": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Roles": [
{
"Ref": "BastionHostRole"
}
],
"Path": "/"
}
},
"EIP1": {
"Type": "AWS::EC2::EIP",
"Properties": {
"Domain": "vpc"
}
},
"EIP2": {
"Type": "AWS::EC2::EIP",
"Condition": "2BastionCondition",
"Properties": {
"Domain": "vpc"
}
},
"EIP3": {
"Type": "AWS::EC2::EIP",
"Condition": "3BastionCondition",
"Properties": {
"Domain": "vpc"
}
},
"EIP4": {
"Type": "AWS::EC2::EIP",
"Condition": "4BastionCondition",
"Properties": {
"Domain": "vpc"
}
},
"BastionAutoScalingGroup": {
"Type": "AWS::AutoScaling::AutoScalingGroup",
"Properties": {
"LaunchConfigurationName": {
"Ref": "BastionLaunchConfiguration"
},
"VPCZoneIdentifier": [
{
"Ref": "PublicSubnet1ID"
},
{
"Ref": "PublicSubnet2ID"
}
],
"MinSize": {
"Ref": "NumBastionHosts"
},
"MaxSize": {
"Ref": "NumBastionHosts"
},
"Cooldown": "300",
"DesiredCapacity": {
"Ref": "NumBastionHosts"
},
"Tags": [
{
"Key": "Name",
"Value": "LinuxBastion",
"PropagateAtLaunch": "true"
}
]
},
"CreationPolicy": {
"ResourceSignal": {
"Count": {
"Ref": "NumBastionHosts"
},
"Timeout": "PT30M"
}
}
},
"BastionLaunchConfiguration": {
"Type": "AWS::AutoScaling::LaunchConfiguration",
"Metadata": {
"AWS::CloudFormation::Authentication": {
"S3AccessCreds": {
"type": "S3",
"roleName": {
"Ref": "BastionHostRole"
},
"buckets": [
{
"Ref": "QSS3BucketName"
}
]
}
},
"AWS::CloudFormation::Init": {
"config": {
"files": {
"/tmp/bastion_bootstrap.sh": {
"source": {
"Fn::Sub": [
"https://${QSS3BucketName}.${QSS3Region}.amazonaws.com/${QSS3KeyPrefix}scripts/bastion_bootstrap.sh",
{
"QSS3Region": {
"Fn::If": [
"GovCloudCondition",
"s3-us-gov-west-1",
"s3"
]
}
}
]
},
"mode": "000550",
"owner": "root",
"group": "root",
"authentication": "S3AccessCreds"
}
},
"commands": {
"b-bootstrap": {
"command": {
"Fn::Join": [
"",
[
"./tmp/bastion_bootstrap.sh",
" --banner ",
{
"Ref": "BastionBanner"
},
" --enable ",
{
"Ref": "EnableBanner"
},
" --tcp-forwarding ",
{
"Ref": "EnableTCPForwarding"
},
" --x11-forwarding ",
{
"Ref": "EnableX11Forwarding"
}
]
]
}
}
}
}
}
},
"Properties": {
"KeyName": {
"Ref": "KeyPairName"
},
"IamInstanceProfile": {
"Ref": "BastionHostProfile"
},
"ImageId": {
"Fn::FindInMap": [
"AWSAMIRegionMap",
{
"Ref": "AWS::Region"
},
{
"Fn::FindInMap": [
"LinuxAMINameMap",
{
"Ref": "BastionAMIOS"
},
"Code"
]
}
]
},
"SecurityGroups": [
{
"Ref": "BastionSecurityGroup"
}
],
"InstanceType": {
"Ref": "BastionInstanceType"
},
"UserData": {
"Fn::Base64": {
"Fn::Join": [
"",
[
"#!/bin/bash\n",
"export PATH=$PATH:/usr/local/bin\n",
"which pip &> /dev/null\n",
"if [ $? -ne 0 ] ; then\n",
" echo \"PIP NOT INSTALLED\"\n",
" [ `which yum` ] && $(yum install -y epel-release; yum install -y python-pip) && echo \"PIP INSTALLED\"\n",
" [ `which apt-get` ] && apt-get -y update && apt-get -y install python-pip && echo \"PIP INSTALLED\"\n",
"fi\n",
"pip install --upgrade pip &> /dev/null\n",
"pip install awscli --ignore-installed six &> /dev/null\n",
"easy_install https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-latest.tar.gz\n",
"EIP_LIST=\"",
{
"Ref": "EIP1"
},
",",
{
"Fn::If": [
"2BastionCondition",
{
"Ref": "EIP2"
},
"Null"
]
},
",",
{
"Fn::If": [
"3BastionCondition",
{
"Ref": "EIP3"
},
"Null"
]
},
",",
{
"Fn::If": [
"4BastionCondition",
{
"Ref": "EIP4"
},
"Null"
]
},
"\"\n",
"CLOUDWATCHGROUP=",
{
"Ref": "BastionMainLogGroup"
},
"\n",
"cfn-init -v --stack ",
{
"Ref": "AWS::StackName"
},
" --resource BastionLaunchConfiguration --region ",
{
"Ref": "AWS::Region"
},
"\n",
"cfn-signal -e $? --stack ",
{
"Ref": "AWS::StackName"
},
" --resource BastionAutoScalingGroup --region ",
{
"Ref": "AWS::Region"
},
"\n"
]
]
}
}
}
},
"BastionSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Enables SSH Access to Bastion Hosts",
"VpcId": {
"Ref": "VPCID"
},
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": "22",
"ToPort": "22",
"CidrIp": {
"Ref": "RemoteAccessCIDR"
}
},
{
"IpProtocol": "icmp",
"FromPort": "-1",
"ToPort": "-1",
"CidrIp": {
"Ref": "RemoteAccessCIDR"
}
}
]
}
}
},
"Outputs": {
"BastionAutoScalingGroup": {
"Description": "Auto Scaling Group Reference ID",
"Value": {
"Ref": "BastionAutoScalingGroup"
},
"Export": {
"Name": {
"Fn::Sub": "${AWS::StackName}-BastionAutoScalingGroup"
}
}
},
"EIP1": {
"Description": "Elastic IP 1 for Bastion",
"Value": {
"Ref": "EIP1"
},
"Export": {
"Name": {
"Fn::Sub": "${AWS::StackName}-EIP1"
}
}
},
"EIP2": {
"Condition": "2BastionCondition",
"Description": "Elastic IP 2 for Bastion",
"Value": {
"Ref": "EIP2"
},
"Export": {
"Name": {
"Fn::Sub": "${AWS::StackName}-EIP2"
}
}
},
"EIP3": {
"Condition": "3BastionCondition",
"Description": "Elastic IP 3 for Bastion",
"Value": {
"Ref": "EIP3"
},
"Export": {
"Name": {
"Fn::Sub": "${AWS::StackName}-EIP3"
}
}
},
"EIP4": {
"Condition": "4BastionCondition",
"Description": "Elastic IP 4 for Bastion",
"Value": {
"Ref": "EIP4"
},
"Export": {
"Name": {
"Fn::Sub": "${AWS::StackName}-EIP4"
}
}
},
"CloudWatchLogs": {
"Description": "CloudWatch Logs GroupName. Your SSH logs will be stored here.",
"Value": {
"Ref": "BastionMainLogGroup"
},
"Export": {
"Name": {
"Fn::Sub": "${AWS::StackName}-CloudWatchLogs"
}
}
},
"BastionSecurityGroupID": {
"Description": "Bastion Security Group ID",
"Value": {
"Ref": "BastionSecurityGroup"
},
"Export": {
"Name": {
"Fn::Sub": "${AWS::StackName}-BastionSecurityGroupID"
}
}
}
}
}
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "This template creates a Multi-AZ, multi-subnet VPC infrastructure with managed NAT gateways in the public subnet for each Availability Zone. You can also create additional private subnets with dedicated custom network access control lists (ACLs). If you deploy the Quick Start in a region that doesn't support NAT gateways, NAT instances are deployed instead. **WARNING** This template creates AWS resources. You will be billed for the AWS resources used if you create a stack from this template. QS(0027)",
"Metadata": {
"AWS::CloudFormation::Interface": {
"ParameterGroups": [
{
"Label": {
"default": "Availability Zone Configuration"
},
"Parameters": [
"AvailabilityZones",
"NumberOfAZs"
]
},
{
"Label": {
"default": "Network Configuration"
},
"Parameters": [
"VPCCIDR",
"PublicSubnet1CIDR",
"PublicSubnet2CIDR",
"PublicSubnet3CIDR",
"PublicSubnet4CIDR",
"CreatePrivateSubnets",
"PrivateSubnet1ACIDR",
"PrivateSubnet2ACIDR",
"PrivateSubnet3ACIDR",
"PrivateSubnet4ACIDR",
"CreateAdditionalPrivateSubnets",
"PrivateSubnet1BCIDR",
"PrivateSubnet2BCIDR",
"PrivateSubnet3BCIDR",
"PrivateSubnet4BCIDR",
"VPCTenancy"
]
},
{
"Label": {
"default": "Amazon EC2 Configuration"
},
"Parameters": [
"KeyPairName",
"NATInstanceType"
]
}
],
"ParameterLabels": {
"AvailabilityZones": {
"default": "Availability Zones"
},
"CreateAdditionalPrivateSubnets": {
"default": "Create additional private subnets with dedicated network ACLs"
},
"CreatePrivateSubnets": {
"default": "Create private subnets"
},
"KeyPairName": {
"default": "Key pair name"
},
"NATInstanceType": {
"default": "NAT instance type"
},
"NumberOfAZs": {
"default": "Number of Availability Zones"
},
"PrivateSubnet1ACIDR": {
"default": "Private subnet 1A CIDR"
},
"PrivateSubnet1BCIDR": {
"default": "Private subnet 1B with dedicated network ACL CIDR"
},
"PrivateSubnet2ACIDR": {
"default": "Private subnet 2A CIDR"
},
"PrivateSubnet2BCIDR": {
"default": "Private subnet 2B with dedicated network ACL CIDR"
},
"PrivateSubnet3ACIDR": {
"default": "Private subnet 3A CIDR"
},
"PrivateSubnet3BCIDR": {
"default": "Private subnet 3B with dedicated network ACL CIDR"
},
"PrivateSubnet4ACIDR": {
"default": "Private subnet 4A CIDR"
},
"PrivateSubnet4BCIDR": {
"default": "Private subnet 4B with dedicated network ACL CIDR"
},
"PublicSubnet1CIDR": {
"default": "Public subnet 1 CIDR"
},
"PublicSubnet2CIDR": {
"default": "Public subnet 2 CIDR"
},
"PublicSubnet3CIDR": {
"default": "Public subnet 3 CIDR"
},
"PublicSubnet4CIDR": {
"default": "Public subnet 4 CIDR"
},
"VPCCIDR": {
"default": "VPC CIDR"
},
"VPCTenancy": {
"default": "VPC Tenancy"
}
}
}
},
"Parameters": {
"AvailabilityZones": {
"Description": "List of Availability Zones to use for the subnets in the VPC. Note: The logical order is preserved.",
"Type": "List<AWS::EC2::AvailabilityZone::Name>"
},
"CreateAdditionalPrivateSubnets": {
"AllowedValues": [
"true",
"false"
],
"Default": "false",
"Description": "Set to true to create a network ACL protected subnet in each Availability Zone. If false, the CIDR parameters for those subnets will be ignored. If true, the 'Create private subnets' parameter must also be true for this to have any effect.",
"Type": "String"
},
"CreatePrivateSubnets": {
"AllowedValues": [
"true",
"false"
],
"Default": "true",
"Description": "Set to false to create only public subnets. If false, the CIDR parameters for ALL private subnets will be ignored.",
"Type": "String"
},
"KeyPairName": {
"Description": "Public/private key pairs allow you to securely connect to your NAT instance after it launches. This is used only if the region does not support NAT gateways.",
"Type": "AWS::EC2::KeyPair::KeyName"
},
"NATInstanceType": {
"AllowedValues": [
"t2.nano",
"t2.micro",
"t2.small",
"t2.medium",
"t2.large",
"m3.medium",
"m3.large",
"m4.large"
],
"Default": "t2.small",
"Description": "Amazon EC2 instance type for the NAT instances. This is used only if the region does not support NAT gateways.",
"Type": "String"
},
"NumberOfAZs": {
"AllowedValues": [
"2",
"3",
"4"
],
"Default": "2",
"Description": "Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter.",
"Type": "String"
},
"PrivateSubnet1ACIDR": {
"AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$",
"ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/16-28",
"Default": "10.0.0.0/19",
"Description": "CIDR block for private subnet 1A located in Availability Zone 1",
"Type": "String"
},
"PrivateSubnet1BCIDR": {
"AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$",
"ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/16-28",
"Default": "10.0.192.0/21",
"Description": "CIDR block for private subnet 1B with dedicated network ACL located in Availability Zone 1",
"Type": "String"
},
"PrivateSubnet2ACIDR": {
"AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$",
"ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/16-28",
"Default": "10.0.32.0/19",
"Description": "CIDR block for private subnet 2A located in Availability Zone 2",
"Type": "String"
},
"PrivateSubnet2BCIDR": {
"AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$",
"ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/16-28",
"Default": "10.0.200.0/21",
"Description": "CIDR block for private subnet 2B with dedicated network ACL located in Availability Zone 2",
"Type": "String"
},
"PrivateSubnet3ACIDR": {
"AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$",
"ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/16-28",
"Default": "10.0.64.0/19",
"Description": "CIDR block for private subnet 3A located in Availability Zone 3",
"Type": "String"
},
"PrivateSubnet3BCIDR": {
"AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$",
"ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/16-28",
"Default": "10.0.208.0/21",
"Description": "CIDR block for private subnet 3B with dedicated network ACL located in Availability Zone 3",
"Type": "String"
},
"PrivateSubnet4ACIDR": {
"AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$",
"ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/16-28",
"Default": "10.0.96.0/19",
"Description": "CIDR block for private subnet 4A located in Availability Zone 4",
"Type": "String"
},
"PrivateSubnet4BCIDR": {
"AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$",
"ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/16-28",
"Default": "10.0.216.0/21",
"Description": "CIDR block for private subnet 4B with dedicated network ACL located in Availability Zone 4",
"Type": "String"
},
"PublicSubnet1CIDR": {
"AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$",
"ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/16-28",
"Default": "10.0.128.0/20",
"Description": "CIDR block for the public DMZ subnet 1 located in Availability Zone 1",
"Type": "String"
},
"PublicSubnet2CIDR": {
"AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$",
"ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/16-28",
"Default": "10.0.144.0/20",
"Description": "CIDR block for the public DMZ subnet 2 located in Availability Zone 2",
"Type": "String"
},
"PublicSubnet3CIDR": {
"AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$",
"ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/16-28",
"Default": "10.0.160.0/20",
"Description": "CIDR block for the public DMZ subnet 3 located in Availability Zone 3",
"Type": "String"
},
"PublicSubnet4CIDR": {
"AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$",
"ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/16-28",
"Default": "10.0.176.0/20",
"Description": "CIDR block for the public DMZ subnet 4 located in Availability Zone 4",
"Type": "String"
},
"VPCCIDR": {
"AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$",
"ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/16-28",
"Default": "10.0.0.0/16",
"Description": "CIDR block for the VPC",
"Type": "String"
},
"VPCTenancy": {
"AllowedValues": [
"default",
"dedicated"
],
"Default": "default",
"Description": "The allowed tenancy of instances launched into the VPC",
"Type": "String"
}
},
"Mappings": {
"AWSAMIRegionMap": {
"AMI": {
"AWSNATHVM": "amzn-ami-vpc-nat-hvm-2017.03.0.20170401-x86_64-ebs"
},
"us-gov-west-1": {
"AWSNATHVM": "ami-3f0a8f5e"
}
}
},
"Conditions": {
"3AZCondition": {
"Fn::Or": [
{
"Fn::Equals": [
{
"Ref": "NumberOfAZs"
},
"3"
]
},
{
"Condition": "4AZCondition"
}
]
},
"4AZCondition": {
"Fn::Equals": [
{
"Ref": "NumberOfAZs"
},
"4"
]
},
"AdditionalPrivateSubnetsCondition": {
"Fn::And": [
{
"Fn::Equals": [
{
"Ref": "CreatePrivateSubnets"
},
"true"
]
},
{
"Fn::Equals": [
{
"Ref": "CreateAdditionalPrivateSubnets"
},
"true"
]
}
]
},
"AdditionalPrivateSubnets&3AZCondition": {
"Fn::And": [
{
"Condition": "AdditionalPrivateSubnetsCondition"
},
{
"Condition": "3AZCondition"
}
]
},
"AdditionalPrivateSubnets&4AZCondition": {
"Fn::And": [
{
"Condition": "AdditionalPrivateSubnetsCondition"
},
{
"Condition": "4AZCondition"
}
]
},
"GovCloudCondition": {
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"us-gov-west-1"
]
},
"NATInstanceCondition": {
"Fn::And": [
{
"Condition": "PrivateSubnetsCondition"
},
{
"Condition": "GovCloudCondition"
}
]
},
"NATGatewayCondition": {
"Fn::And": [
{
"Condition": "PrivateSubnetsCondition"
},
{
"Fn::Not": [
{
"Condition": "GovCloudCondition"
}
]
}
]
},
"NATInstance&3AZCondition": {
"Fn::And": [
{
"Condition": "NATInstanceCondition"
},
{
"Condition": "3AZCondition"
}
]
},
"NATInstance&4AZCondition": {
"Fn::And": [
{
"Condition": "NATInstanceCondition"
},
{
"Condition": "4AZCondition"
}
]
},
"NATGateway&3AZCondition": {
"Fn::And": [
{
"Condition": "NATGatewayCondition"
},
{
"Condition": "3AZCondition"
}
]
},
"NATGateway&4AZCondition": {
"Fn::And": [
{
"Condition": "NATGatewayCondition"
},
{
"Condition": "4AZCondition"
}
]
},
"NVirginiaRegionCondition": {
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"us-east-1"
]
},
"PrivateSubnetsCondition": {
"Fn::Equals": [
{
"Ref": "CreatePrivateSubnets"
},
"true"
]
},
"PrivateSubnets&3AZCondition": {
"Fn::And": [
{
"Condition": "PrivateSubnetsCondition"
},
{
"Condition": "3AZCondition"
}
]
},
"PrivateSubnets&4AZCondition": {
"Fn::And": [
{
"Condition": "PrivateSubnetsCondition"
},
{
"Condition": "4AZCondition"
}
]
},
"S3VPCEndpointCondition": {
"Fn::And": [
{
"Condition": "PrivateSubnetsCondition"
},
{
"Fn::Not": [
{
"Fn::Or": [
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"us-gov-west-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"cn-north-1"
]
}
]
}
]
}
]
}
},
"Resources": {
"DHCPOptions": {
"Type": "AWS::EC2::DHCPOptions",
"Properties": {
"DomainName": {
"Fn::If": [
"NVirginiaRegionCondition",
"ec2.internal",
{
"Fn::Join": [
"",
[
{
"Ref": "AWS::Region"
},
".compute.internal"
]
]
}
]
},
"DomainNameServers": [
"AmazonProvidedDNS"
]
}
},
"VPC": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": {
"Ref": "VPCCIDR"
},
"InstanceTenancy": {
"Ref": "VPCTenancy"
},
"EnableDnsSupport": "true",
"EnableDnsHostnames": "true",
"Tags": [
{
"Key": "Name",
"Value": {
"Ref": "AWS::StackName"
}
}
]
}
},
"VPCDHCPOptionsAssociation": {
"Type": "AWS::EC2::VPCDHCPOptionsAssociation",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"DhcpOptionsId": {
"Ref": "DHCPOptions"
}
}
},
"InternetGateway": {
"Type": "AWS::EC2::InternetGateway",
"Properties": {
"Tags": [
{
"Key": "Name",
"Value": {
"Ref": "AWS::StackName"
}
},
{
"Key": "Network",
"Value": "Public"
}
]
}
},
"VPCGatewayAttachment": {
"Type": "AWS::EC2::VPCGatewayAttachment",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"InternetGatewayId": {
"Ref": "InternetGateway"
}
}
},
"PrivateSubnet1A": {
"Condition": "PrivateSubnetsCondition",
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"CidrBlock": {
"Ref": "PrivateSubnet1ACIDR"
},
"AvailabilityZone": {
"Fn::Select": [
"0",
{
"Ref": "AvailabilityZones"
}
]
},
"Tags": [
{
"Key": "Name",
"Value": "Private subnet 1A"
},
{
"Key": "Network",
"Value": "Private"
}
]
}
},
"PrivateSubnet1B": {
"Condition": "AdditionalPrivateSubnetsCondition",
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"CidrBlock": {
"Ref": "PrivateSubnet1BCIDR"
},
"AvailabilityZone": {
"Fn::Select": [
"0",
{
"Ref": "AvailabilityZones"
}
]
},
"Tags": [
{
"Key": "Name",
"Value": "Private subnet 1B"
},
{
"Key": "Network",
"Value": "Private"
}
]
}
},
"PrivateSubnet2A": {
"Condition": "PrivateSubnetsCondition",
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"CidrBlock": {
"Ref": "PrivateSubnet2ACIDR"
},
"AvailabilityZone": {
"Fn::Select": [
"1",
{
"Ref": "AvailabilityZones"
}
]
},
"Tags": [
{
"Key": "Name",
"Value": "Private subnet 2A"
},
{
"Key": "Network",
"Value": "Private"
}
]
}
},
"PrivateSubnet2B": {
"Condition": "AdditionalPrivateSubnetsCondition",
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"CidrBlock": {
"Ref": "PrivateSubnet2BCIDR"
},
"AvailabilityZone": {
"Fn::Select": [
"1",
{
"Ref": "AvailabilityZones"
}
]
},
"Tags": [
{
"Key": "Name",
"Value": "Private subnet 2B"
},
{
"Key": "Network",
"Value": "Private"
}
]
}
},
"PrivateSubnet3A": {
"Condition": "PrivateSubnets&3AZCondition",
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"CidrBlock": {
"Ref": "PrivateSubnet3ACIDR"
},
"AvailabilityZone": {
"Fn::Select": [
"2",
{
"Ref": "AvailabilityZones"
}
]
},
"Tags": [
{
"Key": "Name",
"Value": "Private subnet 3A"
},
{
"Key": "Network",
"Value": "Private"
}
]
}
},
"PrivateSubnet3B": {
"Condition": "AdditionalPrivateSubnets&3AZCondition",
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"CidrBlock": {
"Ref": "PrivateSubnet3BCIDR"
},
"AvailabilityZone": {
"Fn::Select": [
"2",
{
"Ref": "AvailabilityZones"
}
]
},
"Tags": [
{
"Key": "Name",
"Value": "Private subnet 3B"
},
{
"Key": "Network",
"Value": "Private"
}
]
}
},
"PrivateSubnet4A": {
"Condition": "PrivateSubnets&4AZCondition",
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"CidrBlock": {
"Ref": "PrivateSubnet4ACIDR"
},
"AvailabilityZone": {
"Fn::Select": [
"3",
{
"Ref": "AvailabilityZones"
}
]
},
"Tags": [
{
"Key": "Name",
"Value": "Private subnet 4A"
},
{
"Key": "Network",
"Value": "Private"
}
]
}
},
"PrivateSubnet4B": {
"Condition": "AdditionalPrivateSubnets&4AZCondition",
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"CidrBlock": {
"Ref": "PrivateSubnet4BCIDR"
},
"AvailabilityZone": {
"Fn::Select": [
"3",
{
"Ref": "AvailabilityZones"
}
]
},
"Tags": [
{
"Key": "Name",
"Value": "Private subnet 4B"
},
{
"Key": "Network",
"Value": "Private"
}
]
}
},
"PublicSubnet1": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"CidrBlock": {
"Ref": "PublicSubnet1CIDR"
},
"AvailabilityZone": {
"Fn::Select": [
"0",
{
"Ref": "AvailabilityZones"
}
]
},
"Tags": [
{
"Key": "Name",
"Value": "Public subnet 1"
},
{
"Key": "Network",
"Value": "Public"
}
],
"MapPublicIpOnLaunch": true
}
},
"PublicSubnet2": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"CidrBlock": {
"Ref": "PublicSubnet2CIDR"
},
"AvailabilityZone": {
"Fn::Select": [
"1",
{
"Ref": "AvailabilityZones"
}
]
},
"Tags": [
{
"Key": "Name",
"Value": "Public subnet 2"
},
{
"Key": "Network",
"Value": "Public"
}
],
"MapPublicIpOnLaunch": true
}
},
"PublicSubnet3": {
"Condition": "3AZCondition",
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"CidrBlock": {
"Ref": "PublicSubnet3CIDR"
},
"AvailabilityZone": {
"Fn::Select": [
"2",
{
"Ref": "AvailabilityZones"
}
]
},
"Tags": [
{
"Key": "Name",
"Value": "Public subnet 3"
},
{
"Key": "Network",
"Value": "Public"
}
],
"MapPublicIpOnLaunch": true
}
},
"PublicSubnet4": {
"Condition": "4AZCondition",
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"CidrBlock": {
"Ref": "PublicSubnet4CIDR"
},
"AvailabilityZone": {
"Fn::Select": [
"3",
{
"Ref": "AvailabilityZones"
}
]
},
"Tags": [
{
"Key": "Name",
"Value": "Public subnet 4"
},
{
"Key": "Network",
"Value": "Public"
}
],
"MapPublicIpOnLaunch": true
}
},
"PrivateSubnet1ARouteTable": {
"Condition": "PrivateSubnetsCondition",
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"Tags": [
{
"Key": "Name",
"Value": "Private subnet 1A"
},
{
"Key": "Network",
"Value": "Private"
}
]
}
},
"PrivateSubnet1ARoute": {
"Condition": "PrivateSubnetsCondition",
"Type": "AWS::EC2::Route",
"Properties": {
"RouteTableId": {
"Ref": "PrivateSubnet1ARouteTable"
},
"DestinationCidrBlock": "0.0.0.0/0",
"InstanceId": {
"Fn::If": [
"NATInstanceCondition",
{
"Ref": "NATInstance1"
},
{
"Ref": "AWS::NoValue"
}
]
},
"NatGatewayId": {
"Fn::If": [
"NATGatewayCondition",
{
"Ref": "NATGateway1"
},
{
"Ref": "AWS::NoValue"
}
]
}
}
},
"PrivateSubnet1ARouteTableAssociation": {
"Condition": "PrivateSubnetsCondition",
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"SubnetId": {
"Ref": "PrivateSubnet1A"
},
"RouteTableId": {
"Ref": "PrivateSubnet1ARouteTable"
}
}
},
"PrivateSubnet2ARouteTable": {
"Condition": "PrivateSubnetsCondition",
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"Tags": [
{
"Key": "Name",
"Value": "Private subnet 2A"
},
{
"Key": "Network",
"Value": "Private"
}
]
}
},
"PrivateSubnet2ARoute": {
"Condition": "PrivateSubnetsCondition",
"Type": "AWS::EC2::Route",
"Properties": {
"RouteTableId": {
"Ref": "PrivateSubnet2ARouteTable"
},
"DestinationCidrBlock": "0.0.0.0/0",
"InstanceId": {
"Fn::If": [
"NATInstanceCondition",
{
"Ref": "NATInstance2"
},
{
"Ref": "AWS::NoValue"
}
]
},
"NatGatewayId": {
"Fn::If": [
"NATGatewayCondition",
{
"Ref": "NATGateway2"
},
{
"Ref": "AWS::NoValue"
}
]
}
}
},
"PrivateSubnet2ARouteTableAssociation": {
"Condition": "PrivateSubnetsCondition",
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"SubnetId": {
"Ref": "PrivateSubnet2A"
},
"RouteTableId": {
"Ref": "PrivateSubnet2ARouteTable"
}
}
},
"PrivateSubnet3ARouteTable": {
"Condition": "PrivateSubnets&3AZCondition",
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"Tags": [
{
"Key": "Name",
"Value": "Private subnet 3A"
},
{
"Key": "Network",
"Value": "Private"
}
]
}
},
"PrivateSubnet3ARoute": {
"Condition": "PrivateSubnets&3AZCondition",
"Type": "AWS::EC2::Route",
"Properties": {
"RouteTableId": {
"Ref": "PrivateSubnet3ARouteTable"
},
"DestinationCidrBlock": "0.0.0.0/0",
"InstanceId": {
"Fn::If": [
"NATInstanceCondition",
{
"Ref": "NATInstance3"
},
{
"Ref": "AWS::NoValue"
}
]
},
"NatGatewayId": {
"Fn::If": [
"NATGatewayCondition",
{
"Ref": "NATGateway3"
},
{
"Ref": "AWS::NoValue"
}
]
}
}
},
"PrivateSubnet3ARouteTableAssociation": {
"Condition": "PrivateSubnets&3AZCondition",
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"SubnetId": {
"Ref": "PrivateSubnet3A"
},
"RouteTableId": {
"Ref": "PrivateSubnet3ARouteTable"
}
}
},
"PrivateSubnet4ARouteTable": {
"Condition": "PrivateSubnets&4AZCondition",
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"Tags": [
{
"Key": "Name",
"Value": "Private subnet 4A"
},
{
"Key": "Network",
"Value": "Private"
}
]
}
},
"PrivateSubnet4ARoute": {
"Condition": "PrivateSubnets&4AZCondition",
"Type": "AWS::EC2::Route",
"Properties": {
"RouteTableId": {
"Ref": "PrivateSubnet4ARouteTable"
},
"DestinationCidrBlock": "0.0.0.0/0",
"InstanceId": {
"Fn::If": [
"NATInstanceCondition",
{
"Ref": "NATInstance4"
},
{
"Ref": "AWS::NoValue"
}
]
},
"NatGatewayId": {
"Fn::If": [
"NATGatewayCondition",
{
"Ref": "NATGateway4"
},
{
"Ref": "AWS::NoValue"
}
]
}
}
},
"PrivateSubnet4ARouteTableAssociation": {
"Condition": "PrivateSubnets&4AZCondition",
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"SubnetId": {
"Ref": "PrivateSubnet4A"
},
"RouteTableId": {
"Ref": "PrivateSubnet4ARouteTable"
}
}
},
"PrivateSubnet1BRouteTable": {
"Condition": "AdditionalPrivateSubnetsCondition",
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"Tags": [
{
"Key": "Name",
"Value": "Private subnet 1B"
},
{
"Key": "Network",
"Value": "Private"
}
]
}
},
"PrivateSubnet1BRoute": {
"Condition": "AdditionalPrivateSubnetsCondition",
"Type": "AWS::EC2::Route",
"Properties": {
"RouteTableId": {
"Ref": "PrivateSubnet1BRouteTable"
},
"DestinationCidrBlock": "0.0.0.0/0",
"InstanceId": {
"Fn::If": [
"NATInstanceCondition",
{
"Ref": "NATInstance1"
},
{
"Ref": "AWS::NoValue"
}
]
},
"NatGatewayId": {
"Fn::If": [
"NATGatewayCondition",
{
"Ref": "NATGateway1"
},
{
"Ref": "AWS::NoValue"
}
]
}
}
},
"PrivateSubnet1BRouteTableAssociation": {
"Condition": "AdditionalPrivateSubnetsCondition",
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"SubnetId": {
"Ref": "PrivateSubnet1B"
},
"RouteTableId": {
"Ref": "PrivateSubnet1BRouteTable"
}
}
},
"PrivateSubnet1BNetworkAcl": {
"Condition": "AdditionalPrivateSubnetsCondition",
"Type": "AWS::EC2::NetworkAcl",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"Tags": [
{
"Key": "Name",
"Value": "NACL Protected subnet 1"
},
{
"Key": "Network",
"Value": "NACL Protected"
}
]
}
},
"PrivateSubnet1BNetworkAclEntryInbound": {
"Condition": "AdditionalPrivateSubnetsCondition",
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"CidrBlock": "0.0.0.0/0",
"Egress": "false",
"NetworkAclId": {
"Ref": "PrivateSubnet1BNetworkAcl"
},
"Protocol": "-1",
"RuleAction": "allow",
"RuleNumber": "100"
}
},
"PrivateSubnet1BNetworkAclEntryOutbound": {
"Condition": "AdditionalPrivateSubnetsCondition",
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"CidrBlock": "0.0.0.0/0",
"Egress": "true",
"NetworkAclId": {
"Ref": "PrivateSubnet1BNetworkAcl"
},
"Protocol": "-1",
"RuleAction": "allow",
"RuleNumber": "100"
}
},
"PrivateSubnet1BNetworkAclAssociation": {
"Condition": "AdditionalPrivateSubnetsCondition",
"Type": "AWS::EC2::SubnetNetworkAclAssociation",
"Properties": {
"SubnetId": {
"Ref": "PrivateSubnet1B"
},
"NetworkAclId": {
"Ref": "PrivateSubnet1BNetworkAcl"
}
}
},
"PrivateSubnet2BRouteTable": {
"Condition": "AdditionalPrivateSubnetsCondition",
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"Tags": [
{
"Key": "Name",
"Value": "Private subnet 2B"
},
{
"Key": "Network",
"Value": "Private"
}
]
}
},
"PrivateSubnet2BRoute": {
"Condition": "AdditionalPrivateSubnetsCondition",
"Type": "AWS::EC2::Route",
"Properties": {
"RouteTableId": {
"Ref": "PrivateSubnet2BRouteTable"
},
"DestinationCidrBlock": "0.0.0.0/0",
"InstanceId": {
"Fn::If": [
"NATInstanceCondition",
{
"Ref": "NATInstance2"
},
{
"Ref": "AWS::NoValue"
}
]
},
"NatGatewayId": {
"Fn::If": [
"NATGatewayCondition",
{
"Ref": "NATGateway2"
},
{
"Ref": "AWS::NoValue"
}
]
}
}
},
"PrivateSubnet2BRouteTableAssociation": {
"Condition": "AdditionalPrivateSubnetsCondition",
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"SubnetId": {
"Ref": "PrivateSubnet2B"
},
"RouteTableId": {
"Ref": "PrivateSubnet2BRouteTable"
}
}
},
"PrivateSubnet2BNetworkAcl": {
"Condition": "AdditionalPrivateSubnetsCondition",
"Type": "AWS::EC2::NetworkAcl",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"Tags": [
{
"Key": "Name",
"Value": "NACL Protected subnet 2"
},
{
"Key": "Network",
"Value": "NACL Protected"
}
]
}
},
"PrivateSubnet2BNetworkAclEntryInbound": {
"Condition": "AdditionalPrivateSubnetsCondition",
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"CidrBlock": "0.0.0.0/0",
"Egress": "false",
"NetworkAclId": {
"Ref": "PrivateSubnet2BNetworkAcl"
},
"Protocol": "-1",
"RuleAction": "allow",
"RuleNumber": "100"
}
},
"PrivateSubnet2BNetworkAclEntryOutbound": {
"Condition": "AdditionalPrivateSubnetsCondition",
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"CidrBlock": "0.0.0.0/0",
"Egress": "true",
"NetworkAclId": {
"Ref": "PrivateSubnet2BNetworkAcl"
},
"Protocol": "-1",
"RuleAction": "allow",
"RuleNumber": "100"
}
},
"PrivateSubnet2BNetworkAclAssociation": {
"Condition": "AdditionalPrivateSubnetsCondition",
"Type": "AWS::EC2::SubnetNetworkAclAssociation",
"Properties": {
"SubnetId": {
"Ref": "PrivateSubnet2B"
},
"NetworkAclId": {
"Ref": "PrivateSubnet2BNetworkAcl"
}
}
},
"PrivateSubnet3BRouteTable": {
"Condition": "AdditionalPrivateSubnets&3AZCondition",
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"Tags": [
{
"Key": "Name",
"Value": "Private subnet 3B"
},
{
"Key": "Network",
"Value": "Private"
}
]
}
},
"PrivateSubnet3BRoute": {
"Condition": "AdditionalPrivateSubnets&3AZCondition",
"Type": "AWS::EC2::Route",
"Properties": {
"RouteTableId": {
"Ref": "PrivateSubnet3BRouteTable"
},
"DestinationCidrBlock": "0.0.0.0/0",
"InstanceId": {
"Fn::If": [
"NATInstanceCondition",
{
"Ref": "NATInstance3"
},
{
"Ref": "AWS::NoValue"
}
]
},
"NatGatewayId": {
"Fn::If": [
"NATGatewayCondition",
{
"Ref": "NATGateway3"
},
{
"Ref": "AWS::NoValue"
}
]
}
}
},
"PrivateSubnet3BRouteTableAssociation": {
"Condition": "AdditionalPrivateSubnets&3AZCondition",
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"SubnetId": {
"Ref": "PrivateSubnet3B"
},
"RouteTableId": {
"Ref": "PrivateSubnet3BRouteTable"
}
}
},
"PrivateSubnet3BNetworkAcl": {
"Condition": "AdditionalPrivateSubnets&3AZCondition",
"Type": "AWS::EC2::NetworkAcl",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"Tags": [
{
"Key": "Name",
"Value": "NACL Protected subnet 3"
},
{
"Key": "Network",
"Value": "NACL Protected"
}
]
}
},
"PrivateSubnet3BNetworkAclEntryInbound": {
"Condition": "AdditionalPrivateSubnets&3AZCondition",
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"CidrBlock": "0.0.0.0/0",
"Egress": "false",
"NetworkAclId": {
"Ref": "PrivateSubnet3BNetworkAcl"
},
"Protocol": "-1",
"RuleAction": "allow",
"RuleNumber": "100"
}
},
"PrivateSubnet3BNetworkAclEntryOutbound": {
"Condition": "AdditionalPrivateSubnets&3AZCondition",
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"CidrBlock": "0.0.0.0/0",
"Egress": "true",
"NetworkAclId": {
"Ref": "PrivateSubnet3BNetworkAcl"
},
"Protocol": "-1",
"RuleAction": "allow",
"RuleNumber": "100"
}
},
"PrivateSubnet3BNetworkAclAssociation": {
"Condition": "AdditionalPrivateSubnets&3AZCondition",
"Type": "AWS::EC2::SubnetNetworkAclAssociation",
"Properties": {
"SubnetId": {
"Ref": "PrivateSubnet3B"
},
"NetworkAclId": {
"Ref": "PrivateSubnet3BNetworkAcl"
}
}
},
"PrivateSubnet4BRouteTable": {
"Condition": "AdditionalPrivateSubnets&4AZCondition",
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"Tags": [
{
"Key": "Name",
"Value": "Private subnet 4B"
},
{
"Key": "Network",
"Value": "Private"
}
]
}
},
"PrivateSubnet4BRoute": {
"Condition": "AdditionalPrivateSubnets&4AZCondition",
"Type": "AWS::EC2::Route",
"Properties": {
"RouteTableId": {
"Ref": "PrivateSubnet4BRouteTable"
},
"DestinationCidrBlock": "0.0.0.0/0",
"InstanceId": {
"Fn::If": [
"NATInstanceCondition",
{
"Ref": "NATInstance4"
},
{
"Ref": "AWS::NoValue"
}
]
},
"NatGatewayId": {
"Fn::If": [
"NATGatewayCondition",
{
"Ref": "NATGateway4"
},
{
"Ref": "AWS::NoValue"
}
]
}
}
},
"PrivateSubnet4BRouteTableAssociation": {
"Condition": "AdditionalPrivateSubnets&4AZCondition",
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"SubnetId": {
"Ref": "PrivateSubnet4B"
},
"RouteTableId": {
"Ref": "PrivateSubnet4BRouteTable"
}
}
},
"PrivateSubnet4BNetworkAcl": {
"Condition": "AdditionalPrivateSubnets&4AZCondition",
"Type": "AWS::EC2::NetworkAcl",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"Tags": [
{
"Key": "Name",
"Value": "NACL Protected subnet 4"
},
{
"Key": "Network",
"Value": "NACL Protected"
}
]
}
},
"PrivateSubnet4BNetworkAclEntryInbound": {
"Condition": "AdditionalPrivateSubnets&4AZCondition",
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"CidrBlock": "0.0.0.0/0",
"Egress": "false",
"NetworkAclId": {
"Ref": "PrivateSubnet4BNetworkAcl"
},
"Protocol": "-1",
"RuleAction": "allow",
"RuleNumber": "100"
}
},
"PrivateSubnet4BNetworkAclEntryOutbound": {
"Condition": "AdditionalPrivateSubnets&4AZCondition",
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"CidrBlock": "0.0.0.0/0",
"Egress": "true",
"NetworkAclId": {
"Ref": "PrivateSubnet4BNetworkAcl"
},
"Protocol": "-1",
"RuleAction": "allow",
"RuleNumber": "100"
}
},
"PrivateSubnet4BNetworkAclAssociation": {
"Condition": "AdditionalPrivateSubnets&4AZCondition",
"Type": "AWS::EC2::SubnetNetworkAclAssociation",
"Properties": {
"SubnetId": {
"Ref": "PrivateSubnet4B"
},
"NetworkAclId": {
"Ref": "PrivateSubnet4BNetworkAcl"
}
}
},
"PublicSubnetRouteTable": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"Tags": [
{
"Key": "Name",
"Value": "Public Subnets"
},
{
"Key": "Network",
"Value": "Public"
}
]
}
},
"PublicSubnetRoute": {
"DependsOn": "VPCGatewayAttachment",
"Type": "AWS::EC2::Route",
"Properties": {
"RouteTableId": {
"Ref": "PublicSubnetRouteTable"
},
"DestinationCidrBlock": "0.0.0.0/0",
"GatewayId": {
"Ref": "InternetGateway"
}
}
},
"PublicSubnet1RouteTableAssociation": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"SubnetId": {
"Ref": "PublicSubnet1"
},
"RouteTableId": {
"Ref": "PublicSubnetRouteTable"
}
}
},
"PublicSubnet2RouteTableAssociation": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"SubnetId": {
"Ref": "PublicSubnet2"
},
"RouteTableId": {
"Ref": "PublicSubnetRouteTable"
}
}
},
"PublicSubnet3RouteTableAssociation": {
"Condition": "3AZCondition",
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"SubnetId": {
"Ref": "PublicSubnet3"
},
"RouteTableId": {
"Ref": "PublicSubnetRouteTable"
}
}
},
"PublicSubnet4RouteTableAssociation": {
"Condition": "4AZCondition",
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"SubnetId": {
"Ref": "PublicSubnet4"
},
"RouteTableId": {
"Ref": "PublicSubnetRouteTable"
}
}
},
"NAT1EIP": {
"Condition": "PrivateSubnetsCondition",
"DependsOn": "VPCGatewayAttachment",
"Type": "AWS::EC2::EIP",
"Properties": {
"Domain": "vpc",
"InstanceId": {
"Fn::If": [
"NATInstanceCondition",
{
"Ref": "NATInstance1"
},
{
"Ref": "AWS::NoValue"
}
]
}
}
},
"NAT2EIP": {
"Condition": "PrivateSubnetsCondition",
"DependsOn": "VPCGatewayAttachment",
"Type": "AWS::EC2::EIP",
"Properties": {
"Domain": "vpc",
"InstanceId": {
"Fn::If": [
"NATInstanceCondition",
{
"Ref": "NATInstance2"
},
{
"Ref": "AWS::NoValue"
}
]
}
}
},
"NAT3EIP": {
"Condition": "PrivateSubnets&3AZCondition",
"DependsOn": "VPCGatewayAttachment",
"Type": "AWS::EC2::EIP",
"Properties": {
"Domain": "vpc",
"InstanceId": {
"Fn::If": [
"NATInstanceCondition",
{
"Ref": "NATInstance3"
},
{
"Ref": "AWS::NoValue"
}
]
}
}
},
"NAT4EIP": {
"Condition": "PrivateSubnets&4AZCondition",
"DependsOn": "VPCGatewayAttachment",
"Type": "AWS::EC2::EIP",
"Properties": {
"Domain": "vpc",
"InstanceId": {
"Fn::If": [
"NATInstanceCondition",
{
"Ref": "NATInstance4"
},
{
"Ref": "AWS::NoValue"
}
]
}
}
},
"NATGateway1": {
"Condition": "NATGatewayCondition",
"DependsOn": "VPCGatewayAttachment",
"Type": "AWS::EC2::NatGateway",
"Properties": {
"AllocationId": {
"Fn::GetAtt": [
"NAT1EIP",
"AllocationId"
]
},
"SubnetId": {
"Ref": "PublicSubnet1"
}
}
},
"NATGateway2": {
"Condition": "NATGatewayCondition",
"DependsOn": "VPCGatewayAttachment",
"Type": "AWS::EC2::NatGateway",
"Properties": {
"AllocationId": {
"Fn::GetAtt": [
"NAT2EIP",
"AllocationId"
]
},
"SubnetId": {
"Ref": "PublicSubnet2"
}
}
},
"NATGateway3": {
"Condition": "NATGateway&3AZCondition",
"DependsOn": "VPCGatewayAttachment",
"Type": "AWS::EC2::NatGateway",
"Properties": {
"AllocationId": {
"Fn::GetAtt": [
"NAT3EIP",
"AllocationId"
]
},
"SubnetId": {
"Ref": "PublicSubnet3"
}
}
},
"NATGateway4": {
"Condition": "NATGateway&4AZCondition",
"DependsOn": "VPCGatewayAttachment",
"Type": "AWS::EC2::NatGateway",
"Properties": {
"AllocationId": {
"Fn::GetAtt": [
"NAT4EIP",
"AllocationId"
]
},
"SubnetId": {
"Ref": "PublicSubnet4"
}
}
},
"NATInstance1": {
"Condition": "NATInstanceCondition",
"DependsOn": "VPCGatewayAttachment",
"Type": "AWS::EC2::Instance",
"Properties": {
"ImageId": {
"Fn::FindInMap": [
"AWSAMIRegionMap",
{
"Ref": "AWS::Region"
},
"AWSNATHVM"
]
},
"InstanceType": {
"Ref": "NATInstanceType"
},
"Tags": [
{
"Key": "Name",
"Value": "NAT1"
}
],
"NetworkInterfaces": [
{
"GroupSet": [
{
"Ref": "NATInstanceSecurityGroup"
}
],
"AssociatePublicIpAddress": "true",
"DeviceIndex": "0",
"DeleteOnTermination": "true",
"SubnetId": {
"Ref": "PublicSubnet1"
}
}
],
"KeyName": {
"Fn::If": [
"NATInstanceCondition",
{
"Ref": "KeyPairName"
},
{
"Ref": "AWS::NoValue"
}
]
},
"SourceDestCheck": "false"
}
},
"NATInstance2": {
"Condition": "NATInstanceCondition",
"DependsOn": "VPCGatewayAttachment",
"Type": "AWS::EC2::Instance",
"Properties": {
"ImageId": {
"Fn::FindInMap": [
"AWSAMIRegionMap",
{
"Ref": "AWS::Region"
},
"AWSNATHVM"
]
},
"InstanceType": {
"Ref": "NATInstanceType"
},
"Tags": [
{
"Key": "Name",
"Value": "NAT2"
}
],
"NetworkInterfaces": [
{
"GroupSet": [
{
"Ref": "NATInstanceSecurityGroup"
}
],
"AssociatePublicIpAddress": "true",
"DeviceIndex": "0",
"DeleteOnTermination": "true",
"SubnetId": {
"Ref": "PublicSubnet2"
}
}
],
"KeyName": {
"Fn::If": [
"NATInstanceCondition",
{
"Ref": "KeyPairName"
},
{
"Ref": "AWS::NoValue"
}
]
},
"SourceDestCheck": "false"
}
},
"NATInstance3": {
"Condition": "NATInstance&3AZCondition",
"DependsOn": "VPCGatewayAttachment",
"Type": "AWS::EC2::Instance",
"Properties": {
"ImageId": {
"Fn::FindInMap": [
"AWSAMIRegionMap",
{
"Ref": "AWS::Region"
},
"AWSNATHVM"
]
},
"InstanceType": {
"Ref": "NATInstanceType"
},
"Tags": [
{
"Key": "Name",
"Value": "NAT3"
}
],
"NetworkInterfaces": [
{
"GroupSet": [
{
"Ref": "NATInstanceSecurityGroup"
}
],
"AssociatePublicIpAddress": "true",
"DeviceIndex": "0",
"DeleteOnTermination": "true",
"SubnetId": {
"Ref": "PublicSubnet3"
}
}
],
"KeyName": {
"Fn::If": [
"NATInstanceCondition",
{
"Ref": "KeyPairName"
},
{
"Ref": "AWS::NoValue"
}
]
},
"SourceDestCheck": "false"
}
},
"NATInstance4": {
"Condition": "NATInstance&4AZCondition",
"DependsOn": "VPCGatewayAttachment",
"Type": "AWS::EC2::Instance",
"Properties": {
"ImageId": {
"Fn::FindInMap": [
"AWSAMIRegionMap",
{
"Ref": "AWS::Region"
},
"AWSNATHVM"
]
},
"InstanceType": {
"Ref": "NATInstanceType"
},
"Tags": [
{
"Key": "Name",
"Value": "NAT4"
}
],
"NetworkInterfaces": [
{
"GroupSet": [
{
"Ref": "NATInstanceSecurityGroup"
}
],
"AssociatePublicIpAddress": "true",
"DeviceIndex": "0",
"DeleteOnTermination": "true",
"SubnetId": {
"Ref": "PublicSubnet4"
}
}
],
"KeyName": {
"Fn::If": [
"NATInstanceCondition",
{
"Ref": "KeyPairName"
},
{
"Ref": "AWS::NoValue"
}
]
},
"SourceDestCheck": "false"
}
},
"NATInstanceSecurityGroup": {
"Condition": "NATInstanceCondition",
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Allows all inbound traffic (any protocol, any port) from the VPC CIDR to the NAT instances so they can forward outbound internet traffic for the private subnets",
"VpcId": {
"Ref": "VPC"
},
"SecurityGroupIngress": [
{
"IpProtocol": "-1",
"FromPort": "1",
"ToPort": "65535",
"CidrIp": {
"Ref": "VPCCIDR"
}
}
]
}
},
"S3VPCEndpoint": {
"Condition": "S3VPCEndpointCondition",
"Type": "AWS::EC2::VPCEndpoint",
"Properties": {
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "*",
"Effect": "Allow",
"Resource": "*",
"Principal": "*"
}
]
},
"RouteTableIds": [
{
"Ref": "PrivateSubnet1ARouteTable"
},
{
"Ref": "PrivateSubnet2ARouteTable"
},
{
"Fn::If": [
"PrivateSubnets&3AZCondition",
{
"Ref": "PrivateSubnet3ARouteTable"
},
{
"Ref": "AWS::NoValue"
}
]
},
{
"Fn::If": [
"PrivateSubnets&4AZCondition",
{
"Ref": "PrivateSubnet4ARouteTable"
},
{
"Ref": "AWS::NoValue"
}
]
},
{
"Fn::If": [
"AdditionalPrivateSubnetsCondition",
{
"Ref": "PrivateSubnet1BRouteTable"
},
{
"Ref": "AWS::NoValue"
}
]
},
{
"Fn::If": [
"AdditionalPrivateSubnetsCondition",
{
"Ref": "PrivateSubnet2BRouteTable"
},
{
"Ref": "AWS::NoValue"
}
]
},
{
"Fn::If": [
"AdditionalPrivateSubnets&3AZCondition",
{
"Ref": "PrivateSubnet3BRouteTable"
},
{
"Ref": "AWS::NoValue"
}
]
},
{
"Fn::If": [
"AdditionalPrivateSubnets&4AZCondition",
{
"Ref": "PrivateSubnet4BRouteTable"
},
{
"Ref": "AWS::NoValue"
}
]
}
],
"ServiceName": {
"Fn::Join": [
"",
[
"com.amazonaws.",
{
"Ref": "AWS::Region"
},
".s3"
]
]
},
"VpcId": {
"Ref": "VPC"
}
}
}
},
"Outputs": {
"NAT1EIP": {
"Condition": "PrivateSubnetsCondition",
"Description": "NAT 1 Elastic IP address (public source address for outbound traffic from the private subnets in Availability Zone 1)",
"Value": {
"Ref": "NAT1EIP"
},
"Export": {
"Name": {
"Fn::Sub": "${AWS::StackName}-NAT1EIP"
}
}
},
"NAT2EIP": {
"Condition": "PrivateSubnetsCondition",
"Description": "NAT 2 Elastic IP address (public source address for outbound traffic from the private subnets in Availability Zone 2)",
"Value": {
"Ref": "NAT2EIP"
},
"Export": {
"Name": {
"Fn::Sub": "${AWS::StackName}-NAT2EIP"
}
}
},
"NAT3EIP": {
"Condition": "PrivateSubnets&3AZCondition",
"Description": "NAT 3 Elastic IP address (public source address for outbound traffic from the private subnets in Availability Zone 3)",
"Value": {
"Ref": "NAT3EIP"
},
"Export": {
"Name": {
"Fn::Sub": "${AWS::StackName}-NAT3EIP"
}
}
},
"NAT4EIP": {
"Condition": "PrivateSubnets&4AZCondition",
"Description": "NAT 4 Elastic IP address (public source address for outbound traffic from the private subnets in Availability Zone 4)",
"Value": {
"Ref": "NAT4EIP"
},
"Export": {
"Name": {
"Fn::Sub": "${AWS::StackName}-NAT4EIP"
}
}
},
"PrivateSubnet1ACIDR": {
"Condition": "PrivateSubnetsCondition",
"Description": "Private subnet 1A CIDR in Availability Zone 1",
"Value": {
"Ref": "PrivateSubnet1ACIDR"
},
"Export": {
"Name": {
"Fn::Sub": "${AWS::StackName}-PrivateSubnet1ACIDR"
}
}
},
"PrivateSubnet1AID": {
"Condition": "PrivateSubnetsCondition",
"Description": "Private subnet 1A ID in Availability Zone 1",
"Value": {
"Ref": "PrivateSubnet1A"
},
"Export": {
"Name": {
"Fn::Sub": "${AWS::StackName}-PrivateSubnet1AID"
}
}
},
"PrivateSubnet1BCIDR": {
"Condition": "AdditionalPrivateSubnetsCondition",
"Description": "Private subnet 1B CIDR in Availability Zone 1",
"Value": {
"Ref": "PrivateSubnet1BCIDR"
},
"Export": {
"Name": {
"Fn::Sub": "${AWS::StackName}-PrivateSubnet1BCIDR"
}
}
},
"PrivateSubnet1BID": {
"Condition": "AdditionalPrivateSubnetsCondition",
"Description": "Private subnet 1B ID in Availability Zone 1",
"Value": {
"Ref": "PrivateSubnet1B"
},
"Export": {
"Name": {
"Fn::Sub": "${AWS::StackName}-PrivateSubnet1BID"
}
}
},
"PrivateSubnet2ACIDR": {
"Condition": "PrivateSubnetsCondition",
"Description": "Private subnet 2A CIDR in Availability Zone 2",
"Value": {
"Ref": "PrivateSubnet2ACIDR"
},
"Export": {
"Name": {
"Fn::Sub": "${AWS::StackName}-PrivateSubnet2ACIDR"
}
}
},
"PrivateSubnet2AID": {
"Condition": "PrivateSubnetsCondition",
"Description": "Private subnet 2A ID in Availability Zone 2",
"Value": {
"Ref": "PrivateSubnet2A"
},
"Export": {
"Name": {
"Fn::Sub": "${AWS::StackName}-PrivateSubnet2AID"
}
}
},
"PrivateSubnet2BCIDR": {
"Condition": "AdditionalPrivateSubnetsCondition",
"Description": "Private subnet 2B CIDR in Availability Zone 2",
"Value": {
"Ref": "PrivateSubnet2BCIDR"
},
"Export": {
"Name": {
"Fn::Sub": "${AWS::StackName}-PrivateSubnet2BCIDR"
}
}
},
"PrivateSubnet2BID": {
"Condition": "AdditionalPrivateSubnetsCondition",
"Description": "Private subnet 2B ID in Availability Zone 2",
"Value": {
"Ref": "PrivateSubnet2B"
},
"Export": {
"Name": {
"Fn::Sub": "${AWS::StackName}-PrivateSubnet2BID"
}
}
},
"PrivateSubnet3ACIDR": {
"Condition": "PrivateSubnets&3AZCondition",
"Description": "Private subnet 3A CIDR in Availability Zone 3",
"Value": {
"Ref": "PrivateSubnet3ACIDR"
},
"Export": {
"Name": {
"Fn::Sub": "${AWS::StackName}-PrivateSubnet3ACIDR"
}
}
},
"PrivateSubnet3AID": {
"Condition": "PrivateSubnets&3AZCondition",
"Description": "Private subnet 3A ID in Availability Zone 3",
"Value": {
"Ref": "PrivateSubnet3A"
},
"Export": {
"Name": {
"Fn::Sub": "${AWS::StackName}-PrivateSubnet3AID"
}
}
},
"PrivateSubnet3BCIDR": {
"Condition": "AdditionalPrivateSubnets&3AZCondition",
"Description": "Private subnet 3B CIDR in Availability Zone 3",
"Value": {
"Ref": "PrivateSubnet3BCIDR"
},
"Export": {
"Name": {
"Fn::Sub": "${AWS::StackName}-PrivateSubnet3BCIDR"
}
}
},
"PrivateSubnet3BID": {
"Condition": "AdditionalPrivateSubnets&3AZCondition",
"Description": "Private subnet 3B ID in Availability Zone 3",
"Value": {
"Ref": "PrivateSubnet3B"
},
"Export": {
"Name": {
"Fn::Sub": "${AWS::StackName}-PrivateSubnet3BID"
}
}
},
"PrivateSubnet4ACIDR": {
"Condition": "PrivateSubnets&4AZCondition",
"Description": "Private subnet 4A CIDR in Availability Zone 4",
"Value": {
"Ref": "PrivateSubnet4ACIDR"
},
"Export": {
"Name": {
"Fn::Sub": "${AWS::StackName}-PrivateSubnet4ACIDR"
}
}
},
"PrivateSubnet4AID": {
"Condition": "PrivateSubnets&4AZCondition",
"Description": "Private subnet 4A ID in Availability Zone 4",
"Value": {
"Ref": "PrivateSubnet4A"
},
"Export": {
"Name": {
"Fn::Sub": "${AWS::StackName}-PrivateSubnet4AID"
}
}
},
"PrivateSubnet4BCIDR": {
"Condition": "AdditionalPrivateSubnets&4AZCondition",
"Description": "Private subnet 4B CIDR in Availability Zone 4",
"Value": {
"Ref": "PrivateSubnet4BCIDR"
},
"Export": {
"Name": {
"Fn::Sub": "${AWS::StackName}-PrivateSubnet4BCIDR"
}
}
},
"PrivateSubnet4BID": {
"Condition": "AdditionalPrivateSubnets&4AZCondition",
"Description": "Private subnet 4B ID in Availability Zone 4",
"Value": {
"Ref": "PrivateSubnet4B"
},
"Export": {
"Name": {
"Fn::Sub": "${AWS::StackName}-PrivateSubnet4BID"
}
}
},
"PublicSubnet1CIDR": {
"Description": "Public subnet 1 CIDR in Availability Zone 1",
"Value": {
"Ref": "PublicSubnet1CIDR"
},
"Export": {
"Name": {
"Fn::Sub": "${AWS::StackName}-PublicSubnet1CIDR"
}
}
},
"PublicSubnet1ID": {
"Description": "Public subnet 1 ID in Availability Zone 1",
"Value": {
"Ref": "PublicSubnet1"
},
"Export": {
"Name": {
"Fn::Sub": "${AWS::StackName}-PublicSubnet1ID"
}
}
},
"PublicSubnet2CIDR": {
"Description": "Public subnet 2 CIDR in Availability Zone 2",
"Value": {
"Ref": "PublicSubnet2CIDR"
},
"Export": {
"Name": {
"Fn::Sub": "${AWS::StackName}-PublicSubnet2CIDR"
}
}
},
"PublicSubnet2ID": {
"Description": "Public subnet 2 ID in Availability Zone 2",
"Value": {
"Ref": "PublicSubnet2"
},
"Export": {
"Name": {
"Fn::Sub": "${AWS::StackName}-PublicSubnet2ID"
}
}
},
"PublicSubnet3CIDR": {
"Condition": "3AZCondition",
"Description": "Public subnet 3 CIDR in Availability Zone 3",
"Value": {
"Ref": "PublicSubnet3CIDR"
},
"Export": {
"Name": {
"Fn::Sub": "${AWS::StackName}-PublicSubnet3CIDR"
}
}
},
"PublicSubnet3ID": {
"Condition": "3AZCondition",
"Description": "Public subnet 3 ID in Availability Zone 3",
"Value": {
"Ref": "PublicSubnet3"
},
"Export": {
"Name": {
"Fn::Sub": "${AWS::StackName}-PublicSubnet3ID"
}
}
},
"PublicSubnet4CIDR": {
"Condition": "4AZCondition",
"Description": "Public subnet 4 CIDR in Availability Zone 4",
"Value": {
"Ref": "PublicSubnet4CIDR"
},
"Export": {
"Name": {
"Fn::Sub": "${AWS::StackName}-PublicSubnet4CIDR"
}
}
},
"PublicSubnet4ID": {
"Condition": "4AZCondition",
"Description": "Public subnet 4 ID in Availability Zone 4",
"Value": {
"Ref": "PublicSubnet4"
},
"Export": {
"Name": {
"Fn::Sub": "${AWS::StackName}-PublicSubnet4ID"
}
}
},
"S3VPCEndpoint": {
"Condition": "S3VPCEndpointCondition",
"Description": "S3 gateway VPC endpoint attached to the private route tables. Its endpoint policy allows all principals, actions and resources; tighten it (e.g. to specific buckets or accounts) where egress control to S3 is required",
"Value": {
"Ref": "S3VPCEndpoint"
},
"Export": {
"Name": {
"Fn::Sub": "${AWS::StackName}-S3VPCEndpoint"
}
}
},
"PrivateSubnet1ARouteTable": {
"Condition": "PrivateSubnetsCondition",
"Value": {
"Ref": "PrivateSubnet1ARouteTable"
},
"Description": "Private subnet 1A route table",
"Export": {
"Name": {
"Fn::Sub": "${AWS::StackName}-PrivateSubnet1ARouteTable"
}
}
},
"PrivateSubnet1BRouteTable": {
"Condition": "AdditionalPrivateSubnetsCondition",
"Value": {
"Ref": "PrivateSubnet1BRouteTable"
},
"Description": "Private subnet 1B route table",
"Export": {
"Name": {
"Fn::Sub": "${AWS::StackName}-PrivateSubnet1BRouteTable"
}
}
},
"PrivateSubnet2ARouteTable": {
"Condition": "PrivateSubnetsCondition",
"Value": {
"Ref": "PrivateSubnet2ARouteTable"
},
"Description": "Private subnet 2A route table",
"Export": {
"Name": {
"Fn::Sub": "${AWS::StackName}-PrivateSubnet2ARouteTable"
}
}
},
"PrivateSubnet2BRouteTable": {
"Condition": "AdditionalPrivateSubnetsCondition",
"Value": {
"Ref": "PrivateSubnet2BRouteTable"
},
"Description": "Private subnet 2B route table",
"Export": {
"Name": {
"Fn::Sub": "${AWS::StackName}-PrivateSubnet2BRouteTable"
}
}
},
"PrivateSubnet3ARouteTable": {
"Condition": "PrivateSubnets&3AZCondition",
"Value": {
"Ref": "PrivateSubnet3ARouteTable"
},
"Description": "Private subnet 3A route table",
"Export": {
"Name": {
"Fn::Sub": "${AWS::StackName}-PrivateSubnet3ARouteTable"
}
}
},
"PrivateSubnet3BRouteTable": {
"Condition": "AdditionalPrivateSubnets&3AZCondition",
"Value": {
"Ref": "PrivateSubnet3BRouteTable"
},
"Description": "Private subnet 3B route table",
"Export": {
"Name": {
"Fn::Sub": "${AWS::StackName}-PrivateSubnet3BRouteTable"
}
}
},
"PrivateSubnet4ARouteTable": {
"Condition": "PrivateSubnets&4AZCondition",
"Value": {
"Ref": "PrivateSubnet4ARouteTable"
},
"Description": "Private subnet 4A route table",
"Export": {
"Name": {
"Fn::Sub": "${AWS::StackName}-PrivateSubnet4ARouteTable"
}
}
},
"PrivateSubnet4BRouteTable": {
"Condition": "AdditionalPrivateSubnets&4AZCondition",
"Value": {
"Ref": "PrivateSubnet4BRouteTable"
},
"Description": "Private subnet 4B route table",
"Export": {
"Name": {
"Fn::Sub": "${AWS::StackName}-PrivateSubnet4BRouteTable"
}
}
},
"PublicSubnetRouteTable": {
"Value": {
"Ref": "PublicSubnetRouteTable"
},
"Description": "Public subnet route table",
"Export": {
"Name": {
"Fn::Sub": "${AWS::StackName}-PublicSubnetRouteTable"
}
}
},
"VPCCIDR": {
"Value": {
"Ref": "VPCCIDR"
},
"Description": "VPC CIDR",
"Export": {
"Name": {
"Fn::Sub": "${AWS::StackName}-VPCCIDR"
}
}
},
"VPCID": {
"Value": {
"Ref": "VPC"
},
"Description": "VPC ID",
"Export": {
"Name": {
"Fn::Sub": "${AWS::StackName}-VPCID"
}
}
}
}
}