Created
September 15, 2017 15:44
-
-
Save fijimunkii/65f907bd6d085123164c63a5d4b6cbf1 to your computer and use it in GitHub Desktop.
simple bastion host cloud formation template
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Description: Bastion Host for SSH access into ECS cluster v1.1 | |
| Parameters: | |
| S3Bucket: | |
| Description: S3 bucket name | |
| Type: String | |
| Default: bastion-host | |
| S3Key: | |
| Description: S3 object key | |
| Type: String | |
| Default: id_rsa | |
| KeyName: | |
| Description: SSH Key Name | |
| Type: String | |
| Default: fijimunkii | |
| ClusterName: | |
| Description: The name of an existing ECS cluster | |
| Type: String | |
| Default: AppEcs | |
| SecurityGroup: | |
| Type: AWS::EC2::SecurityGroup::Id | |
| Description: The security group assigned to the EC2 instances in the ECS cluster | |
| Default: sg-157d957d | |
| Subnet: | |
| Type: AWS::EC2::Subnet::Id | |
| Description: Public subnet associated with the ECS VPC | |
| Default: subnet-b8e7b4d1 | |
| Mappings: | |
| RegionMap: | |
| us-east-2: | |
| "64": "ami-8a7859ef" | |
| Resources: | |
| EC2Role: | |
| Type: AWS::IAM::Role | |
| Properties: | |
| RoleName: !Join [ -, [ !Ref ClusterName, BastionHostRole ] ] | |
| AssumeRolePolicyDocument: | |
| Version: 2012-10-17 | |
| Statement: | |
| - Effect: Allow | |
| Principal: {Service: [ ec2.amazonaws.com ]} | |
| Action: ["sts:AssumeRole"] | |
| Path: / | |
| Policies: | |
| - PolicyName: !Join [ -, [ !Ref ClusterName, BastionHostPolicy ] ] | |
| PolicyDocument: | |
| Version: 2012-10-17 | |
| Statement: | |
| - Effect: Allow | |
| Action: ['s3:GetObject','s3:GetObject'] | |
| Resource: !Sub 'arn:aws:s3:::${S3Bucket}/${S3Key}' | |
| RootInstanceProfile: | |
| Type: AWS::IAM::InstanceProfile | |
| Properties: | |
| Path: / | |
| Roles: [ !Ref EC2Role ] | |
| EC2Instance: | |
| Type: AWS::EC2::Instance | |
| Properties: | |
| ImageId: !FindInMap [ RegionMap, !Ref "AWS::Region", 64 ] | |
| InstanceType: t2.micro | |
| IamInstanceProfile: !Ref RootInstanceProfile | |
| KeyName: !Ref KeyName | |
| NetworkInterfaces: | |
| - AssociatePublicIpAddress: "true" | |
| DeviceIndex: "0" | |
| GroupSet: [ !Ref SecurityGroup ] | |
| SubnetId: !Ref Subnet | |
| Tags: | |
| - Key: Name | |
| Value: !Join [ -, [ !Ref ClusterName, BastionHost ] ] | |
| UserData: | |
| "Fn::Base64": | |
| !Sub | | |
| #!/bin/bash | |
| aws s3 cp s3://${S3Bucket}/${S3Key} /home/ec2-user/.ssh/id_rsa --region ${AWS::Region} | |
| chmod 0600 /home/ec2-user/.ssh/id_rsa | |
| chown ec2-user:ec2-user /home/ec2-user/.ssh/id_rsa |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment