@matbos
Created June 7, 2020 23:19
VPC with private subnets using VPC Endpoint for access to S3 and Parameter Store
AWSTemplateFormatVersion: 2010-09-09
Description: >-
  VPC with private subnets using VPC Endpoint for access to S3 and Parameter Store
Resources:
  # No InternetGateway or NatGateway is defined, so the subnets below have no
  # route out of the VPC: the only paths to AWS services are the two endpoints.
  Vpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsHostnames: true
  RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref Vpc
  SubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: eu-west-1a
      CidrBlock: 10.0.1.0/24
      VpcId: !Ref Vpc
  SubnetATableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTable
      SubnetId: !Ref SubnetA
  SubnetB:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: eu-west-1b
      CidrBlock: 10.0.2.0/24
      VpcId: !Ref Vpc
  SubnetBTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTable
      SubnetId: !Ref SubnetB
  SubnetC:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: eu-west-1c
      CidrBlock: 10.0.3.0/24
      VpcId: !Ref Vpc
  SubnetCTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTable
      SubnetId: !Ref SubnetC
  # Gateway endpoint: S3 traffic is steered by a prefix-list route that the
  # endpoint adds to the route table, so no ENI or security group is involved.
  S3VpcEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref Vpc
      VpcEndpointType: Gateway
      RouteTableIds:
        - !Ref RouteTable
      ServiceName: !Sub com.amazonaws.${AWS::Region}.s3
  LambdaSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security Group for Lambda
      VpcId: !Ref Vpc
  LambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            Principal:
              Service: lambda.amazonaws.com
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
        - arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
      Policies:
        - PolicyName: AccessSSMParameterStore
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action: ssm:GetParameter
                # '*' lets the function read every parameter in the account;
                # naming the ARN(s) of the parameters it actually reads is tighter.
                Resource: '*'
  Lambda:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: ReadingSSMParameterStoreLambda
      Role: !GetAtt LambdaRole.Arn
      Runtime: python3.7
      Timeout: 3
      MemorySize: 128
      Handler: index.lambda_handler
      Code:
        # A literal block (|) is required here: the folded style (>-) joins
        # consecutive lines of equal indentation with spaces, which turns
        # "import boto3" and "def lambda_handler..." into one invalid line.
        ZipFile: |
          import boto3

          def lambda_handler(event, context):
              try:
                  # With PrivateDnsEnabled on the endpoint, the default SSM
                  # hostname resolves to the endpoint's private IPs.
                  ssm = boto3.client('ssm')
                  parameter = ssm.get_parameter(Name='/application/config/password', WithDecryption=True)
                  return parameter['Parameter']['Value']
              except Exception as e:
                  return 'Problem fetching parameter from parameter store'
      VpcConfig:
        SecurityGroupIds:
          - !Ref LambdaSecurityGroup
        SubnetIds:
          - !Ref SubnetA
          - !Ref SubnetB
          - !Ref SubnetC
  SSMVpcEndpointSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security Group for SSM VPC Endpoint
      VpcId: !Ref Vpc
  SSMVpcEndpointSecurityGroupSelfIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      SourceSecurityGroupId: !Ref SSMVpcEndpointSecurityGroup
      FromPort: -1
      ToPort: -1
      IpProtocol: -1
      GroupId: !Ref SSMVpcEndpointSecurityGroup
  # An interface endpoint only serves HTTPS, so tcp/443 from the Lambda
  # security group is all that is needed; -1 admits every protocol and port.
  SSMVpcEndpointSecurityGroupIngressLambda:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      SourceSecurityGroupId: !Ref LambdaSecurityGroup
      FromPort: -1
      ToPort: -1
      IpProtocol: -1
      GroupId: !Ref SSMVpcEndpointSecurityGroup
  # Interface endpoint: an ENI in each listed subnet, reachable only from the
  # security group above. PrivateDnsEnabled makes ssm.<region>.amazonaws.com
  # resolve to those ENIs, so clients need no endpoint_url override.
  SSMVpcEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref Vpc
      VpcEndpointType: Interface
      ServiceName: !Sub com.amazonaws.${AWS::Region}.ssm
      PrivateDnsEnabled: true
      SecurityGroupIds:
        - !Ref SSMVpcEndpointSecurityGroup
      SubnetIds:
        - !Ref SubnetA
        - !Ref SubnetB
        - !Ref SubnetC
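The template's two least-privilege weak spots (the `Resource: '*'` on `ssm:GetParameter` and the all-protocol ingress rule on the endpoint security group) and its one strong property (no internet or NAT gateway) are the kind of thing worth checking before a stack is deployed. The script below is an added example, not part of the gist: it encodes the relevant resources as plain Python dicts mirroring the template (so it runs without PyYAML or `!Ref`/`!Sub` handling), flags wildcard Allow statements with the scoped parameter ARN they should name instead, flags `IpProtocol: -1` ingress rules, and confirms no egress gateway is present. The function names, the `123456789012` account id and the region are my own placeholders.

```python
"""Static least-privilege checks over a CloudFormation resource map.

Added example, not the gist author's code. The excerpt below is constructed
as plain dicts mirroring the gist's Resources section so the checks run
without PyYAML or intrinsic-function handling.
"""
from typing import Dict, List, Tuple

# Constructed excerpt of the gist's Resources section (only the fields the checks read).
TEMPLATE_RESOURCES: Dict[str, dict] = {
    "Vpc": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}},
    "S3VpcEndpoint": {"Type": "AWS::EC2::VPCEndpoint",
                      "Properties": {"VpcEndpointType": "Gateway"}},
    "SSMVpcEndpoint": {"Type": "AWS::EC2::VPCEndpoint",
                       "Properties": {"VpcEndpointType": "Interface", "PrivateDnsEnabled": True}},
    "SSMVpcEndpointSecurityGroupIngressLambda": {
        "Type": "AWS::EC2::SecurityGroupIngress",
        "Properties": {"IpProtocol": -1, "FromPort": -1, "ToPort": -1}},
    "LambdaRole": {
        "Type": "AWS::IAM::Role",
        "Properties": {"Policies": [{
            "PolicyName": "AccessSSMParameterStore",
            "PolicyDocument": {"Statement": [
                {"Effect": "Allow", "Action": "ssm:GetParameter", "Resource": "*"}]}}]}},
}

# Resource types whose presence would give the VPC a path to the internet.
INTERNET_EGRESS_TYPES = {"AWS::EC2::InternetGateway", "AWS::EC2::NatGateway",
                         "AWS::EC2::EgressOnlyInternetGateway"}


def parameter_arn(region: str, account: str, name: str) -> str:
    """ARN a scoped ssm:GetParameter statement should name for one parameter.
    SSM parameter ARNs are 'parameter/' followed by the name without its leading slash."""
    return f"arn:aws:ssm:{region}:{account}:parameter/{name.lstrip('/')}"


def _as_list(value) -> list:
    # IAM allows Action/Resource to be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def wildcard_allow_statements(resources: Dict[str, dict]) -> List[Tuple[str, str, str]]:
    """(role, policy name, action) for every inline Allow statement whose Resource is '*'."""
    hits = []
    for name, res in resources.items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        for policy in res["Properties"].get("Policies", []):
            for stmt in policy["PolicyDocument"]["Statement"]:
                if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource")):
                    for action in _as_list(stmt["Action"]):
                        hits.append((name, policy["PolicyName"], action))
    return hits


def all_protocol_ingress(resources: Dict[str, dict]) -> List[str]:
    """Ingress resources that admit every protocol and port (IpProtocol -1)."""
    return [name for name, res in resources.items()
            if res.get("Type") == "AWS::EC2::SecurityGroupIngress"
            and str(res["Properties"].get("IpProtocol")) == "-1"]


def has_internet_egress(resources: Dict[str, dict]) -> bool:
    """True if any resource would route traffic out of the VPC to the internet."""
    return any(res.get("Type") in INTERNET_EGRESS_TYPES for res in resources.values())


def audit(resources: Dict[str, dict], region: str, account: str, parameter_name: str) -> List[str]:
    """Human-readable findings; an empty list means the three checks all pass."""
    findings = []
    for role, policy, action in wildcard_allow_statements(resources):
        findings.append(f"{role}/{policy}: {action} allowed on '*'; scope Resource to "
                        f"{parameter_arn(region, account, parameter_name)}")
    for name in all_protocol_ingress(resources):
        findings.append(f"{name}: IpProtocol -1; an interface endpoint only needs tcp/443")
    if has_internet_egress(resources):
        findings.append("VPC has an internet/NAT gateway; the endpoints are not the only egress path")
    return findings


if __name__ == "__main__":
    # Placeholder account id and the gist's region/parameter name.
    for line in audit(TEMPLATE_RESOURCES, "eu-west-1", "123456789012", "/application/config/password"):
        print(line)
```

Against the constructed excerpt the audit reports two findings (the wildcard resource and the all-protocol ingress rule) and none for egress, which is the expected picture for this gist; to run it against a live template, load the YAML with a loader that tolerates the `!Ref`/`!Sub` tags and pass its `Resources` mapping in place of `TEMPLATE_RESOURCES`.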