VPC with private subnets using VPC Endpoint for access to S3 and Parameter Store
AWSTemplateFormatVersion: 2010-09-09
Description: >-
  VPC with private subnets using VPC Endpoint for access to S3 and Parameter Store
Resources:
  Vpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsHostnames: true
  # One route table shared by all three subnets; it carries no internet
  # or NAT route, so the subnets stay private.
  RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref Vpc
  SubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: eu-west-1a
      CidrBlock: 10.0.1.0/24
      VpcId: !Ref Vpc
  SubnetATableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTable
      SubnetId: !Ref SubnetA
  SubnetB:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: eu-west-1b
      CidrBlock: 10.0.2.0/24
      VpcId: !Ref Vpc
  SubnetBTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTable
      SubnetId: !Ref SubnetB
  SubnetC:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: eu-west-1c
      CidrBlock: 10.0.3.0/24
      VpcId: !Ref Vpc
  SubnetCTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTable
      SubnetId: !Ref SubnetC
  # Gateway endpoint: S3 is reached through a prefix-list route added to the
  # route table, so no ENI or security group is involved.
  S3VpcEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref Vpc
      VpcEndpointType: Gateway
      RouteTableIds:
        - !Ref RouteTable
      ServiceName: !Sub com.amazonaws.${AWS::Region}.s3
  LambdaSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security Group for Lambda
      VpcId: !Ref Vpc
  LambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            Principal:
              Service: lambda.amazonaws.com
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
        - arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
      Policies:
        - PolicyName: AccessSSMParameterStore
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action: ssm:GetParameter
                Resource: '*'
  Lambda:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: ReadingSSMParameterStoreLambda
      Role: !GetAtt LambdaRole.Arn
      Runtime: python3.7
      Timeout: 3
      MemorySize: 128
      Handler: index.lambda_handler
      Code:
        # Literal block (|-) keeps the line breaks; a folded block (>-) would
        # join "import boto3" and the def line into one invalid statement.
        ZipFile: |-
          import boto3

          def lambda_handler(event, context):
              try:
                  # With PrivateDnsEnabled on the SSM endpoint, the default
                  # regional ssm hostname resolves to the endpoint's ENIs.
                  ssm = boto3.client('ssm')
                  parameter = ssm.get_parameter(Name='/application/config/password', WithDecryption=True)
                  return parameter['Parameter']['Value']
              except Exception:
                  return 'Problem fetching parameter from parameter store'
      VpcConfig:
        SecurityGroupIds:
          - !Ref LambdaSecurityGroup
        SubnetIds:
          - !Ref SubnetA
          - !Ref SubnetB
          - !Ref SubnetC
  SSMVpcEndpointSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security Group for SSM VPC Endpoint
      VpcId: !Ref Vpc
  SSMVpcEndpointSecurityGroupSelfIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      SourceSecurityGroupId: !Ref SSMVpcEndpointSecurityGroup
      FromPort: -1
      ToPort: -1
      IpProtocol: -1
      GroupId: !Ref SSMVpcEndpointSecurityGroup
  SSMVpcEndpointSecurityGroupIngressLambda:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      SourceSecurityGroupId: !Ref LambdaSecurityGroup
      FromPort: -1
      ToPort: -1
      IpProtocol: -1
      GroupId: !Ref SSMVpcEndpointSecurityGroup
  # Interface endpoint: an ENI per subnet, guarded by its own security group.
  SSMVpcEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref Vpc
      VpcEndpointType: Interface
      ServiceName: !Sub com.amazonaws.${AWS::Region}.ssm
      PrivateDnsEnabled: true
      SecurityGroupIds:
        - !Ref SSMVpcEndpointSecurityGroup
      SubnetIds:
        - !Ref SubnetA
        - !Ref SubnetB
        - !Ref SubnetC
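The review a practitioner would run over this template, as an added example that is not part of the gist: it transcribes the security-relevant resources above into CloudFormation's JSON form (`{"Ref": "X"}` is `!Ref X`) and checks that the Lambda can reach the SSM interface endpoint (PrivateDnsEnabled on, ingress from the Lambda security group) while flagging the two grants that are wider than needed, the all-protocol ingress where TCP 443 suffices and `ssm:GetParameter` on `Resource: '*'`. The `TEMPLATE` dict and the function names are this example's own.

```python
# Constructed transcription of the template's security-relevant resources,
# in CloudFormation JSON form. Not the gist's own code.
TEMPLATE = {"Resources": {
    "LambdaSecurityGroup": {"Type": "AWS::EC2::SecurityGroup"},
    "SSMVpcEndpointSecurityGroup": {"Type": "AWS::EC2::SecurityGroup"},
    "SSMVpcEndpointSecurityGroupIngressLambda": {
        "Type": "AWS::EC2::SecurityGroupIngress",
        "Properties": {"GroupId": {"Ref": "SSMVpcEndpointSecurityGroup"},
                       "SourceSecurityGroupId": {"Ref": "LambdaSecurityGroup"},
                       "IpProtocol": -1, "FromPort": -1, "ToPort": -1}},
    "SSMVpcEndpoint": {"Type": "AWS::EC2::VPCEndpoint", "Properties": {
        "VpcEndpointType": "Interface", "PrivateDnsEnabled": True,
        "SecurityGroupIds": [{"Ref": "SSMVpcEndpointSecurityGroup"}]}},
    "Lambda": {"Type": "AWS::Lambda::Function", "Properties": {
        "VpcConfig": {"SecurityGroupIds": [{"Ref": "LambdaSecurityGroup"}]}}},
    "LambdaRole": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [
        {"PolicyName": "AccessSSMParameterStore", "PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Action": "ssm:GetParameter", "Resource": "*"}]}}]}},
}}

def ref(value):
    """Logical id behind a {"Ref": ...}; literal ids pass through unchanged."""
    return value["Ref"] if isinstance(value, dict) else value

def check_template(template):
    """Return a list of findings; an empty list means every check passed."""
    res, findings = template["Resources"], []
    fn_sgs = {ref(s) for s in res["Lambda"]["Properties"]["VpcConfig"]["SecurityGroupIds"]}
    ingress = [r["Properties"] for r in res.values() if r["Type"] == "AWS::EC2::SecurityGroupIngress"]
    for name, r in res.items():
        if r["Type"] != "AWS::EC2::VPCEndpoint" or r["Properties"].get("VpcEndpointType") != "Interface":
            continue
        props = r["Properties"]
        if not props.get("PrivateDnsEnabled"):
            findings.append(f"{name}: PrivateDnsEnabled is off, so boto3's default regional "
                            "hostname will not resolve to the endpoint")
        ep_sgs = {ref(s) for s in props["SecurityGroupIds"]}
        allowing = [i for i in ingress
                    if ref(i["GroupId"]) in ep_sgs and ref(i["SourceSecurityGroupId"]) in fn_sgs]
        if not allowing:
            findings.append(f"{name}: no ingress rule admits the Lambda security group")
        for i in allowing:  # an interface endpoint only listens on HTTPS
            if str(i["IpProtocol"]) != "tcp" or (i["FromPort"], i["ToPort"]) != (443, 443):
                findings.append(f"{name}: ingress from the Lambda SG allows all "
                                "protocols/ports; TCP 443 is sufficient")
    for pol in res["LambdaRole"]["Properties"]["Policies"]:
        for st in pol["PolicyDocument"]["Statement"]:
            if st["Effect"] == "Allow" and st["Resource"] == "*":
                findings.append(f"{pol['PolicyName']}: {st['Action']} granted on "
                                "Resource '*'; scope it to the parameter ARN")
    return findings
```

Running `check_template(TEMPLATE)` on the transcription returns exactly the two over-broad grants; tightening the ingress rule to tcp/443 and the policy to the parameter's ARN makes it return an empty list.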