CFN problems...
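---
# Template 1 of 4 in this gist: ECS cluster (EC2 launch type) for XebiaLabs
# JetPack. The EFS, security-group and VPC templates that follow are separate
# CloudFormation stacks; CloudFormation loads exactly one YAML document per
# file, so each "---"-separated document has to be uploaded on its own.
AWSTemplateFormatVersion: "2010-09-09"
Description: |
  Sub template to setup an ECS cluster for running XebiaLabs JetPack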
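Parameters:
  EnvironmentName:
    AllowedPattern: "^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$"
    Description: An environment name that will be prefixed to resource names.
    Type: String
  InstanceType:
    AllowedValues:
      - m5.large
      - m5.xlarge
    Description: Which instance type should we use to build the ECS cluster?
    Type: String
    Default: m5.large
  MinimumClusterSize:
    Description: How many ECS hosts need to be deployed minimally?
    Type: Number
    Default: 2
  DesiredClusterSize:
    Description: How many ECS hosts do you want to initially deploy?
    Type: Number
    Default: 2
  MaximumClusterSize:
    Description: How many ECS hosts need to be deployed maximally?
    Type: Number
    Default: 2
  # NOTE(review): no resource in this template references VPC; the cluster is
  # placed purely by Subnets. Either drop the parameter or use it.
  VPC:
    Description: Choose which VPC this ECS cluster should be deployed to
    Type: AWS::EC2::VPC::Id
  Subnets:
    Description: The private subnets this ECS cluster should be deployed to
    Type: List<AWS::EC2::Subnet::Id>
  # Resolved through SSM at deploy time, so every stack update may pick up a
  # newer AMI (which the rolling UpdatePolicy on the ASG then rolls out).
  # This path is the Amazon Linux 1 image; the upstart "start ecs" command in
  # the cfn-init metadata is tied to it, so switching to the Amazon Linux 2
  # path also means switching that command to systemctl.
  ECSAMI:
    Description: The recommended AMI ID for ECS.
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ecs/optimized-ami/amazon-linux/recommended/image_id
  ECSSecurityGroup:
    Description: The security group to attach to the ECS cluster instances
    Type: AWS::EC2::SecurityGroup::Id
  KeyPairName:
    Description: The name of an existing public/private key pair, which allows you to securely connect to your instance after it launches
    Type: AWS::EC2::KeyPair::KeyName
  # Every command in the metadata prefixes this with "/", so the default
  # yields "//mnt/efs" (harmless on Linux); pass it without a leading slash
  # or keep the default as is.
  MountPoint:
    Description: The Linux mount point for the EFS volume
    Type: String
    MinLength: "1"
    Default: /mnt/efs
  Filesystem:
    Description: EFS FileSystem to be used on ECS for persistent storage
    Type: String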
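Resources:
  ECSCluster:
    Type: AWS::ECS::Cluster
    Properties:
      ClusterName: !Ref EnvironmentName

  ECSAutoScalingGroup:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      VPCZoneIdentifier: !Ref Subnets
      LaunchConfigurationName: !Ref ECSLaunchConfiguration
      MinSize: !Ref MinimumClusterSize
      MaxSize: !Ref MaximumClusterSize
      DesiredCapacity: !Ref DesiredClusterSize
      Tags:
        - Key: Name
          Value: !Sub "${EnvironmentName} ECS host"
          PropagateAtLaunch: true
    # Stack creation waits for a cfn-signal from the hosts (sent at the end of
    # the UserData below with cfn-init's exit status), so a failing cfn-init
    # rolls the stack back instead of leaving half-configured hosts behind.
    # ResourceSignal.Count is left at its default of 1 even though
    # DesiredClusterSize defaults to 2.
    CreationPolicy:
      ResourceSignal:
        Timeout: PT15M
    UpdatePolicy:
      AutoScalingRollingUpdate:
        MinInstancesInService: 1
        MaxBatchSize: 1
        PauseTime: PT15M
        SuspendProcesses:
          - HealthCheck
          - ReplaceUnhealthy
          - AZRebalance
          - AlarmNotification
          - ScheduledActions
        WaitOnResourceSignals: true

  ECSLaunchConfiguration:
    Type: AWS::AutoScaling::LaunchConfiguration
    Properties:
      ImageId: !Ref ECSAMI
      InstanceType: !Ref InstanceType
      KeyName: !Ref KeyPairName
      SecurityGroups:
        - !Ref ECSSecurityGroup
      IamInstanceProfile: !Ref ECSInstanceProfile
      # Installs the SSM and CloudWatch agents, runs cfn-init (cluster
      # registration, CloudWatch config and the EFS mount live in the
      # Metadata below) and signals the ASG with cfn-init's exit status.
      # cfn-init is given --configsets explicitly: when no configset is
      # requested it looks for one named "default", which this template does
      # not define, so the original call failed before doing any work.
      # hibagent / enable-ec2-spot-hibernation only matter for Spot capacity,
      # which this launch configuration does not request.
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash
          yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
          yum install -y https://s3.amazonaws.com/amazoncloudwatch-agent/amazon_linux/amd64/latest/amazon-cloudwatch-agent.rpm
          yum install -y aws-cfn-bootstrap hibagent
          /opt/aws/bin/cfn-init -v --region ${AWS::Region} --stack ${AWS::StackName} --resource ECSLaunchConfiguration --configsets MountConfig
          /opt/aws/bin/cfn-signal -e $? --region ${AWS::Region} --stack ${AWS::StackName} --resource ECSAutoScalingGroup
          /usr/bin/enable-ec2-spot-hibernation
    Metadata:
      AWS::CloudFormation::Init:
        # Only one configset exists; both cfn-init invocations (UserData and
        # the cfn-hup reloader hook) must name it.
        configSets:
          MountConfig:
            - setup
            - mount
        setup:
          packages:
            yum:
              collectd: []
              nfs-utils: []
          commands:
            01_add_instance_to_cluster:
              command: !Sub "echo ECS_CLUSTER=${ECSCluster} >> /etc/ecs/ecs.config"
            02_enable_cloudwatch_agent:
              command: !Sub "/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -c ssm:${ECSCloudWatchParameter} -s"
            03_createdir:
              command: !Sub "mkdir -p /${MountPoint}"
          files:
            /etc/cfn/cfn-hup.conf:
              # Quoted so a generic YAML loader does not read the six-digit
              # cfn-init mode as an octal integer.
              mode: "000400"
              owner: root
              group: root
              content: !Sub |
                [main]
                stack=${AWS::StackId}
                region=${AWS::Region}
            /etc/cfn/hooks.d/cfn-auto-reloader.conf:
              content: !Sub |
                [cfn-auto-reloader-hook]
                triggers=post.update
                path=Resources.ECSLaunchConfiguration.Metadata.AWS::CloudFormation::Init
                action=/opt/aws/bin/cfn-init -v --region ${AWS::Region} --stack ${AWS::StackName} --resource ECSLaunchConfiguration --configsets MountConfig
        mount:
          commands:
            # The EFS DNS name below resolves per Availability Zone; the EFS
            # template in this gist creates a mount target in one subnet only,
            # so hosts placed in another AZ cannot resolve it.
            01_mount:
              command: !Sub >
                mount -t nfs4 -o nfsvers=4.1 ${Filesystem}.efs.${AWS::Region}.amazonaws.com:/ /${MountPoint}
            02_fstab:
              command: !Sub >
                echo ${Filesystem}.efs.${AWS::Region}.amazonaws.com:/ /${MountPoint} nfs4 nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2 0 0 >> /etc/fstab
            # 03_permissions:
            #   command: !Sub "chown -R ec2-user:ec2-user /${MountPoint}"
            03_permissions_ecs_xld:
              command: !Sub "mkdir -p /${MountPoint}/xl-deploy/repository && mkdir -p /${MountPoint}/xl-deploy/work && chmod g+w -R /${MountPoint}"
            04_permissions_ecs_xlr:
              command: !Sub "mkdir -p /${MountPoint}/xl-release/repository && mkdir -p /${MountPoint}/xl-release/work && chmod g+w -R /${MountPoint}"
            # upstart commands: valid on the Amazon Linux 1 ECS AMI only.
            05_restart_docker_and_ecs:
              command: "service docker restart && start ecs"
          services:
            sysvinit:
              cfn-hup:
                enabled: true
                ensureRunning: true
                files:
                  - /etc/cfn/cfn-hup.conf
                  - /etc/cfn/hooks.d/cfn-auto-reloader.conf

  # Instance role for the ECS hosts (container-instance agent, ECR pulls,
  # SSM and CloudWatch agents).
  ECSInstanceRole:
    Type: AWS::IAM::Role
    Properties:
      Path: /
      RoleName: !Sub "${EnvironmentName}-ECSInstanceRole-${AWS::Region}"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      ManagedPolicyArns:
        # NOTE(review): AmazonEC2RoleforSSM is the legacy SSM instance policy
        # and carries broad S3 grants beyond what Session Manager / Run Command
        # need; AmazonSSMManagedInstanceCore is the narrower replacement.
        # Confirm nothing on the hosts depends on the S3 grants before swapping.
        - arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM
        - arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy
      Policies:
        - PolicyName: ecs-service
          # ECS agent / ECR actions do not support resource-level
          # restrictions, hence Resource "*".
          PolicyDocument: |
            {
              "Version": "2012-10-17",
              "Statement": [{
                "Effect": "Allow",
                "Action": [
                  "ecs:CreateCluster",
                  "ecs:DeregisterContainerInstance",
                  "ecs:DiscoverPollEndpoint",
                  "ecs:Poll",
                  "ecs:RegisterContainerInstance",
                  "ecs:StartTelemetrySession",
                  "ecs:Submit*",
                  "ecr:BatchCheckLayerAvailability",
                  "ecr:BatchGetImage",
                  "ecr:GetDownloadUrlForLayer",
                  "ecr:GetAuthorizationToken"
                ],
                "Resource": "*"
              }]
            }

  ECSInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: /
      Roles:
        - !Ref ECSInstanceRole

  # Role assumed by Application Auto Scaling to scale ECS services; exported
  # in Outputs for the service templates.
  ECSServiceAutoScalingRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Action:
              - sts:AssumeRole
            Effect: Allow
            Principal:
              Service:
                - application-autoscaling.amazonaws.com
      Path: /
      Policies:
        - PolicyName: ecs-service-autoscaling
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "application-autoscaling:*"
                  - cloudwatch:DescribeAlarms
                  - cloudwatch:PutMetricAlarm
                  - ecs:DescribeServices
                  - ecs:UpdateService
                Resource: "*"

  # Role the ECS control plane assumes to (de)register hosts with load
  # balancers. This mirrors the managed AmazonEC2ContainerServiceRole; the
  # ECS service-linked role (AWSServiceRoleForECS) is the modern alternative
  # and removes the need to hand ECS ec2:AuthorizeSecurityGroupIngress on "*".
  ECSServiceRole:
    Type: AWS::IAM::Role
    Properties:
      Path: /
      RoleName: !Sub "${EnvironmentName}-ECSServiceRole-${AWS::Region}"
      AssumeRolePolicyDocument: |
        {
          "Statement": [{
            "Effect": "Allow",
            "Principal": { "Service": [ "ecs.amazonaws.com" ]},
            "Action": [ "sts:AssumeRole" ]
          }]
        }
      Policies:
        - PolicyName: !Sub "ecs-service-${AWS::StackName}"
          PolicyDocument:
            {
              "Version": "2012-10-17",
              "Statement": [{
                "Effect": "Allow",
                "Action": [
                  "ec2:AuthorizeSecurityGroupIngress",
                  "ec2:Describe*",
                  "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
                  "elasticloadbalancing:Describe*",
                  "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
                  "elasticloadbalancing:DeregisterTargets",
                  "elasticloadbalancing:DescribeTargetGroups",
                  "elasticloadbalancing:DescribeTargetHealth",
                  "elasticloadbalancing:RegisterTargets"
                ],
                "Resource": "*"
              }]
            }

  # Execution role for tasks (image pulls, log delivery); task roles for the
  # applications themselves are not defined here.
  ECSTaskExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      Path: /
      RoleName: !Sub "${EnvironmentName}-ECSTaskExecutionRole-${AWS::Region}"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ecs-tasks.amazonaws.com
            Action:
              - sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy

  # CloudWatch agent configuration, fetched on the hosts by the
  # 02_enable_cloudwatch_agent command. "${!aws:...}" is the Fn::Sub escape,
  # so the agent receives the literal "${aws:...}" placeholders it expands
  # itself; "{instance_id}" is an agent placeholder and needs no escaping.
  ECSCloudWatchParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Description: ECS
      Name: !Sub "AmazonCloudWatch-${ECSCluster}-ECS"
      Type: String
      Value: !Sub |
        {
          "logs": {
            "force_flush_interval": 5,
            "logs_collected": {
              "files": {
                "collect_list": [
                  {
                    "file_path": "/var/log/messages",
                    "log_group_name": "${ECSCluster}-/var/log/messages",
                    "log_stream_name": "{instance_id}",
                    "timestamp_format": "%b %d %H:%M:%S"
                  },
                  {
                    "file_path": "/var/log/dmesg",
                    "log_group_name": "${ECSCluster}-/var/log/dmesg",
                    "log_stream_name": "{instance_id}"
                  },
                  {
                    "file_path": "/var/log/docker",
                    "log_group_name": "${ECSCluster}-/var/log/docker",
                    "log_stream_name": "{instance_id}",
                    "timestamp_format": "%Y-%m-%dT%H:%M:%S.%f"
                  },
                  {
                    "file_path": "/var/log/ecs/ecs-init.log",
                    "log_group_name": "${ECSCluster}-/var/log/ecs/ecs-init.log",
                    "log_stream_name": "{instance_id}",
                    "timestamp_format": "%Y-%m-%dT%H:%M:%SZ"
                  },
                  {
                    "file_path": "/var/log/ecs/ecs-agent.log.*",
                    "log_group_name": "${ECSCluster}-/var/log/ecs/ecs-agent.log",
                    "log_stream_name": "{instance_id}",
                    "timestamp_format": "%Y-%m-%dT%H:%M:%SZ"
                  },
                  {
                    "file_path": "/var/log/ecs/audit.log",
                    "log_group_name": "${ECSCluster}-/var/log/ecs/audit.log",
                    "log_stream_name": "{instance_id}",
                    "timestamp_format": "%Y-%m-%dT%H:%M:%SZ"
                  }
                ]
              }
            }
          },
          "metrics": {
            "append_dimensions": {
              "AutoScalingGroupName": "${!aws:AutoScalingGroupName}",
              "InstanceId": "${!aws:InstanceId}",
              "InstanceType": "${!aws:InstanceType}"
            },
            "metrics_collected": {
              "collectd": {
                "metrics_aggregation_interval": 60
              },
              "disk": {
                "measurement": [
                  "used_percent"
                ],
                "metrics_collection_interval": 60,
                "resources": [
                  "/"
                ]
              },
              "mem": {
                "measurement": [
                  "mem_used_percent"
                ],
                "metrics_collection_interval": 60
              },
              "statsd": {
                "metrics_aggregation_interval": 60,
                "metrics_collection_interval": 10,
                "service_address": ":8125"
              }
            }
          }
        }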
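Outputs:
  Cluster:
    Description: A reference to the ECS cluster
    Value: !Ref ECSCluster
  ECSServiceAutoScalingRole:
    Description: A reference to ECS service auto scaling role
    Value: !GetAtt ECSServiceAutoScalingRole.Arn
  ECSServiceRole:
    Description: A reference to ECS service role
    Value: !GetAtt ECSServiceRole.Arn
  # Output name differs from the resource name (ECSInstanceRole); kept for
  # compatibility with whatever parent stack consumes it.
  ECSRole:
    Description: A reference to the ECS Role
    Value: !GetAtt ECSInstanceRole.Arn
  ECSTaskExecutionRole:
    Description: A reference to the ECS Task Execution Role
    Value: !GetAtt ECSTaskExecutionRole.Arn
  ECSAutoScalingGroupName:
    Description: A reference to ECS AutoScaling Group Name
    Value: !Ref ECSAutoScalingGroup
...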
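---
# Template 2 of 4: EFS file system plus a single mount target. Its Filesystem
# output is what the ECS cluster template's Filesystem parameter expects.
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  This template deploys an EFS file system that can be used from ECS services for persistent data.
Parameters:
  EnvironmentName:
    AllowedPattern: "^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$"
    Description: An environment name that will be prefixed to resource names.
    Type: String
  # NOTE(review): EFSNameTag is not referenced by any resource below; the
  # file system is tagged with EnvironmentName instead.
  EFSNameTag:
    MinLength: "1"
    Description: The name of the EFS volume.
    Type: String
    Default: xl-jetpack-EFSvolume
  VPCID:
    Type: AWS::EC2::VPC::Id
    Description: The VPC EFS should be deployed to
  ECSSecurityGroup:
    Description: The security group to attach to the ECS cluster instances
    Type: AWS::EC2::SecurityGroup::Id
  Subnets:
    Description: The private subnets this EFS can be mounted from
    Type: List<AWS::EC2::Subnet::Id>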
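Resources:
  MountTargetSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId: !Ref VPCID
      GroupDescription: Security group for mount target
      SecurityGroupIngress:
        # The hosts only ever reach EFS over NFS (the cluster template mounts
        # with "-t nfs4"), so the rule is limited to TCP 2049 from the ECS
        # host security group rather than every protocol and port.
        - SourceSecurityGroupId: !Ref ECSSecurityGroup
          IpProtocol: tcp
          FromPort: 2049
          ToPort: 2049
      Tags:
        - Key: Name
          Value: !Sub "${EnvironmentName}-EFS-Hosts"

  FileSystem:
    Type: AWS::EFS::FileSystem
    Properties:
      # NOTE(review): Encrypted is not set, so the file system is created
      # without encryption at rest. The property is immutable — turning it on
      # for an existing stack replaces the file system and its data — so
      # decide before the first deployment.
      FileSystemTags:
        - Key: Name
          Value: !Ref EnvironmentName

  MountTarget:
    Type: AWS::EFS::MountTarget
    Properties:
      FileSystemId: !Ref FileSystem
      # Only the first subnet gets a mount target. The regional EFS DNS name
      # the cluster template mounts resolves per Availability Zone, so ECS
      # hosts in a subnet in any other AZ have nothing to resolve to; add one
      # MountTarget (same security group) per AZ covered by Subnets.
      SubnetId: !Select [0, !Ref Subnets]
      SecurityGroups:
        - !Ref MountTargetSecurityGroup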
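Outputs:
  # Consumed as the Filesystem parameter of the ECS cluster template.
  Filesystem:
    Description: A reference to the EFS FileSystem
    Value: !Ref FileSystem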
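---
# Template 3 of 4: security groups shared by the stack. In the pasted gist
# this document had no "---" in front of it, so a YAML loader merged it into
# the EFS document above as duplicate Description/Parameters/Resources/Outputs
# keys (last one wins); the separator is required.
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  This template contains the security groups required by our entire stack.
Parameters:
  EnvironmentName:
    AllowedPattern: "^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$"
    Description: An environment name that will be prefixed to resource names.
    Type: String
  VPCID:
    Type: AWS::EC2::VPC::Id
    Description: The VPC ID the Security Groups should be deployed to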
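Resources:
  ECSHostSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId: !Ref VPCID
      GroupDescription: Access to the ECS hosts and the tasks/containers that run on them
      SecurityGroupIngress:
        # Only allow inbound access to ECS from the ELB
        - SourceSecurityGroupId: !Ref LoadBalancerSecurityGroup
          IpProtocol: "-1"
      # No SecurityGroupEgress is declared, so the group keeps the EC2
      # default of unrestricted outbound traffic. There is also no SSH rule:
      # the key pair in the cluster template is only reachable through
      # another path (e.g. SSM Session Manager, which the hosts install).
      Tags:
        - Key: Name
          Value: !Sub "${EnvironmentName}-ECS-Hosts"

  # This security group defines who/where is allowed to access the Application Load Balancer.
  # The Ingress rules will be added to this Security Group by the subtemplates of this stack.
  LoadBalancerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId: !Ref VPCID
      GroupDescription: Access to the load balancer that sits in front of ECS
      Tags:
        - Key: Name
          Value: !Sub "${EnvironmentName}-LoadBalancers"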
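Outputs:
  # Passed as ECSSecurityGroup to the ECS cluster and EFS templates.
  ECSHostSecurityGroup:
    Description: A reference to the security group for ECS hosts
    Value: !Ref ECSHostSecurityGroup
  LoadBalancerSecurityGroup:
    Description: A reference to the security group for load balancers
    Value: !Ref LoadBalancerSecurityGroup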
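---
# Template 4 of 4: three-tier VPC (public / private / data subnets in two
# AZs) with per-tier network ACLs and NAT gateways for the private tier.
AWSTemplateFormatVersion: "2010-09-09"
Description: "Generated Template for a VPC"
Parameters:
  # The subnet carving below (Fn::Cidr with 4 x /21, then 8 x /24) assumes
  # exactly a /19; the pattern enforces the prefix length but not the octet
  # range or that the address is the network address of the block.
  cidrBlockVpc:
    Default: "10.0.0.0/19"
    Type: String
    Description: "Enter a valid /19 cidr block."
    AllowedPattern: '((\d{1,3})\.){3}\d{1,3}/19'
  # NOTE(review): used as the source range of the public-subnet SSH and RDP
  # network ACL entries. The default opens both ports to the whole internet
  # at ACL level; security groups still have to allow them, but pass a real
  # admin range (or remove the default so the value must be supplied).
  yourHomeIPRange:
    Default: "0.0.0.0/0"
    Type: String
    Description: "Enter a valid cidr block to allow traffic to SSH."
    AllowedPattern: '((\d{1,3})\.){3}\d{1,3}/\d{1,2}'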
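Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: !Ref cidrBlockVpc
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}"

  InternetGateway:
    Type: AWS::EC2::InternetGateway

  GatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      InternetGatewayId: !Ref InternetGateway
      VpcId: !Ref VPC

  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-PublicRouteTable"

  PublicRoute:
    Type: AWS::EC2::Route
    # A route via an internet gateway can only be created once the gateway is
    # attached to the VPC; nothing in Properties references the attachment,
    # so the dependency has to be explicit or creation may fail intermittently.
    DependsOn: GatewayAttachment
    Properties:
      DestinationCidrBlock: "0.0.0.0/0"
      GatewayId: !Ref InternetGateway
      RouteTableId: !Ref PublicRouteTable

  # Route table without a default route: the data subnets attached to it have
  # no path out of the VPC.
  NoInternetRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-NoInternetRouteTable"

  # The VPC's default network ACL (allow-all as created by AWS) is denied in
  # both directions, so any subnet that is not explicitly associated with one
  # of the ACLs below carries no traffic.
  BlockInboundDefaultNetworkAcl:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !GetAtt VPC.DefaultNetworkAcl
      RuleNumber: 1
      Protocol: -1
      RuleAction: deny
      Egress: false
      CidrBlock: "0.0.0.0/0"
      PortRange:
        From: 0
        To: 65535

  BlockOutboundDefaultNetworkAcl:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !GetAtt VPC.DefaultNetworkAcl
      RuleNumber: 1
      Protocol: -1
      RuleAction: deny
      Egress: true
      CidrBlock: "0.0.0.0/0"
      PortRange:
        From: 0
        To: 65535

  # Public tier ACL: HTTP/HTTPS from anywhere, SSH/RDP from yourHomeIPRange,
  # ephemeral ports from anywhere (ACLs are stateless, so replies to outbound
  # connections need this), all traffic out.
  PublicNetworkAcl:
    Type: AWS::EC2::NetworkAcl
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-Public"

  InboundPublicNetworkAclEntryHTTP:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref PublicNetworkAcl
      RuleNumber: 100
      Protocol: 6
      RuleAction: allow
      Egress: false
      CidrBlock: "0.0.0.0/0"
      PortRange:
        From: 80
        To: 80

  InboundPublicNetworkAclEntryHTTPS:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref PublicNetworkAcl
      RuleNumber: 110
      Protocol: 6
      RuleAction: allow
      Egress: false
      CidrBlock: "0.0.0.0/0"
      PortRange:
        From: 443
        To: 443

  InboundPublicNetworkAclEntrySSH:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref PublicNetworkAcl
      RuleNumber: 120
      Protocol: 6
      RuleAction: allow
      Egress: false
      CidrBlock: !Ref yourHomeIPRange
      PortRange:
        From: 22
        To: 22

  InboundPublicNetworkAclEntryRDP:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref PublicNetworkAcl
      RuleNumber: 130
      Protocol: 6
      RuleAction: allow
      Egress: false
      CidrBlock: !Ref yourHomeIPRange
      PortRange:
        From: 3389
        To: 3389

  InboundPublicNetworkAclEntryHighPorts:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref PublicNetworkAcl
      RuleNumber: 140
      Protocol: 6
      RuleAction: allow
      Egress: false
      CidrBlock: "0.0.0.0/0"
      PortRange:
        From: 1024
        To: 65535

  OutboundPublicNetworkAclEntry:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref PublicNetworkAcl
      RuleNumber: 100
      Protocol: -1
      RuleAction: allow
      Egress: true
      CidrBlock: "0.0.0.0/0"
      PortRange:
        From: 0
        To: 65535

  # Subnet CIDRs: the /19 is cut into 4 x /21 layer blocks (index 0 public,
  # 1 private, 2 data, 3 spare), and each layer block into 8 x /24 of which
  # index 0 is AZ "a" and index 1 AZ "b". The AZ is derived from the region
  # name plus a letter; not every account has "a"/"b" available in every
  # region — !Select [0, !GetAZs ""] is the portable form (changing it on an
  # existing stack replaces the subnets).
  PublicSubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      AvailabilityZone: !Sub "${AWS::Region}a"
      CidrBlock: !Select
        - 0
        - !Cidr
          - !Select
            - 0
            - !Cidr
              - !Ref cidrBlockVpc
              - 4
              - 11
          - 8
          - 8
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-PublicSubnetA"
        - Key: Layer
          Value: public
        - Key: LayerCidr
          Value: !Select [0, !Cidr [!Ref cidrBlockVpc, 4, 11]]

  PublicSubnetANetworkAclAssociation:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      SubnetId: !Ref PublicSubnetA
      NetworkAclId: !Ref PublicNetworkAcl

  PublicRouteTableAAssoc:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnetA
      RouteTableId: !Ref PublicRouteTable

  NATA:
    DependsOn: GatewayAttachment
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt EIPA.AllocationId
      SubnetId: !Ref PublicSubnetA
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-NATA"

  # An EIP in a VPC should not be allocated before the internet gateway is
  # attached, hence the explicit dependency.
  EIPA:
    DependsOn: GatewayAttachment
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc

  PublicSubnetB:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      AvailabilityZone: !Sub "${AWS::Region}b"
      CidrBlock: !Select
        - 1
        - !Cidr
          - !Select
            - 0
            - !Cidr
              - !Ref cidrBlockVpc
              - 4
              - 11
          - 8
          - 8
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-PublicSubnetB"
        - Key: Layer
          Value: public
        - Key: LayerCidr
          Value: !Select [0, !Cidr [!Ref cidrBlockVpc, 4, 11]]

  PublicSubnetBNetworkAclAssociation:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      SubnetId: !Ref PublicSubnetB
      NetworkAclId: !Ref PublicNetworkAcl

  PublicRouteTableBAssoc:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnetB
      RouteTableId: !Ref PublicRouteTable

  NATB:
    DependsOn: GatewayAttachment
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt EIPB.AllocationId
      SubnetId: !Ref PublicSubnetB
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-NATB"

  EIPB:
    DependsOn: GatewayAttachment
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc

  # Private tier ACL: anything from inside the VPC, return traffic on the
  # ephemeral range from anywhere (NAT replies), all traffic out.
  PrivateNetworkAcl:
    Type: AWS::EC2::NetworkAcl
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-Private"

  InboundPrivateNetworkAclEntryLocal:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref PrivateNetworkAcl
      RuleNumber: 100
      Protocol: -1
      RuleAction: allow
      Egress: false
      CidrBlock: !Ref cidrBlockVpc
      PortRange:
        From: 0
        To: 65535

  # Protocol -1 matches all protocols, so the PortRange below is not applied
  # by EC2; this entry admits any inbound traffic from the internet, not only
  # TCP replies. Protocol 6 with the same range would limit it to TCP.
  InboundPrivateNetworkAclEntryReturnTraffic:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref PrivateNetworkAcl
      RuleNumber: 110
      Protocol: -1
      RuleAction: allow
      Egress: false
      CidrBlock: "0.0.0.0/0"
      PortRange:
        From: 1024
        To: 65535

  OutboundPrivateNetworkAclEntry:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref PrivateNetworkAcl
      RuleNumber: 100
      Protocol: -1
      RuleAction: allow
      Egress: true
      CidrBlock: "0.0.0.0/0"
      PortRange:
        From: 0
        To: 65535

  PrivateSubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      AvailabilityZone: !Sub "${AWS::Region}a"
      CidrBlock: !Select
        - 0
        - !Cidr
          - !Select
            - 1
            - !Cidr
              - !Ref cidrBlockVpc
              - 4
              - 11
          - 8
          - 8
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-PrivateSubnetA"
        - Key: Layer
          Value: private
        - Key: LayerCidr
          Value: !Select [1, !Cidr [!Ref cidrBlockVpc, 4, 11]]

  PrivateSubnetANetworkAclAssociation:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      SubnetId: !Ref PrivateSubnetA
      NetworkAclId: !Ref PrivateNetworkAcl

  PrivateRouteTableAAssoc:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnetA
      RouteTableId: !Ref PrivateRouteTableA

  PrivateRouteTableA:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-PrivateRouteTableA"
        - Key: Layer
          Value: private

  PrivateNATARoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateRouteTableA
      DestinationCidrBlock: "0.0.0.0/0"
      NatGatewayId: !Ref NATA

  PrivateSubnetB:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      AvailabilityZone: !Sub "${AWS::Region}b"
      CidrBlock: !Select
        - 1
        - !Cidr
          - !Select
            - 1
            - !Cidr
              - !Ref cidrBlockVpc
              - 4
              - 11
          - 8
          - 8
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-PrivateSubnetB"
        - Key: Layer
          Value: private
        - Key: LayerCidr
          Value: !Select [1, !Cidr [!Ref cidrBlockVpc, 4, 11]]

  PrivateSubnetBNetworkAclAssociation:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      SubnetId: !Ref PrivateSubnetB
      NetworkAclId: !Ref PrivateNetworkAcl

  PrivateRouteTableBAssoc:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnetB
      RouteTableId: !Ref PrivateRouteTableB

  PrivateRouteTableB:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-PrivateRouteTableB"
        - Key: Layer
          Value: private

  PrivateNATBRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateRouteTableB
      DestinationCidrBlock: "0.0.0.0/0"
      NatGatewayId: !Ref NATB

  # Data tier ACL: traffic only to and from addresses inside the VPC.
  DataNetworkAcl:
    Type: AWS::EC2::NetworkAcl
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-Data"

  InboundDataNetworkAclEntry:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref DataNetworkAcl
      RuleNumber: 100
      Protocol: -1
      RuleAction: allow
      Egress: false
      CidrBlock: !Ref cidrBlockVpc
      PortRange:
        From: 0
        To: 65535

  OutboundDataNetworkAclEntry:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref DataNetworkAcl
      RuleNumber: 100
      Protocol: -1
      RuleAction: allow
      Egress: true
      CidrBlock: !Ref cidrBlockVpc
      PortRange:
        From: 0
        To: 65535

  DataSubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      AvailabilityZone: !Sub "${AWS::Region}a"
      CidrBlock: !Select
        - 0
        - !Cidr
          - !Select
            - 2
            - !Cidr
              - !Ref cidrBlockVpc
              - 4
              - 11
          - 8
          - 8
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-DataSubnetA"
        - Key: Layer
          Value: data
        - Key: LayerCidr
          Value: !Select [2, !Cidr [!Ref cidrBlockVpc, 4, 11]]

  DataSubnetANetworkAclAssociation:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      SubnetId: !Ref DataSubnetA
      NetworkAclId: !Ref DataNetworkAcl

  DataRouteTableAAssoc:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref DataSubnetA
      RouteTableId: !Ref NoInternetRouteTable

  DataSubnetB:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      AvailabilityZone: !Sub "${AWS::Region}b"
      CidrBlock: !Select
        - 1
        - !Cidr
          - !Select
            - 2
            - !Cidr
              - !Ref cidrBlockVpc
              - 4
              - 11
          - 8
          - 8
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-DataSubnetB"
        - Key: Layer
          Value: data
        - Key: LayerCidr
          Value: !Select [2, !Cidr [!Ref cidrBlockVpc, 4, 11]]

  DataSubnetBNetworkAclAssociation:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      SubnetId: !Ref DataSubnetB
      NetworkAclId: !Ref DataNetworkAcl

  DataRouteTableBAssoc:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref DataSubnetB
      RouteTableId: !Ref NoInternetRouteTable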
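Outputs:
  VPCID:
    Description: The VPC ID
    Value: !Ref VPC
    Export:
      Name: !Sub "${AWS::StackName}-VPCID"
  # The subnet lists are joined with a bare comma: the other templates in
  # this gist feed them into List<AWS::EC2::Subnet::Id> parameters, and a
  # ", " separator would leave a leading space on every ID after the first,
  # which list parameters are not guaranteed to trim.
  PublicSubnetIDs:
    Description: A list of publicSubnetsIDs
    Value: !Join [",", [!Ref PublicSubnetA, !Ref PublicSubnetB]]
    Export:
      Name: !Sub "${AWS::StackName}-publicSubnetIDs"
  PrivateSubnetIDs:
    Description: A list of privateSubnetsIDs
    Value: !Join [",", [!Ref PrivateSubnetA, !Ref PrivateSubnetB]]
    Export:
      Name: !Sub "${AWS::StackName}-privateSubnetIDs"
  DataSubnetIDs:
    Description: A list of dataSubnetsIDs
    Value: !Join [",", [!Ref DataSubnetA, !Ref DataSubnetB]]
    Export:
      Name: !Sub "${AWS::StackName}-dataSubnetIDs"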