@nobishiro-blue
Created June 18, 2024 21:53
CloudFormation template that builds an inspection VPC hosting AWS Network Firewall and two spoke VPCs whose traffic (spoke-to-spoke and spoke-to-internet) is routed through it via a Transit Gateway.
AWSTemplateFormatVersion: 2010-09-09
Description: nfwkensyou
Parameters:
  VpcNwMngCidr:
    Description: CIDR of vpc-NwMng
    Type: String
    Default: 10.0.0.0/24
  SubnetNwMngPublicACidr:
    Description: CIDR of subnet-NwMng-public-a
    Type: String
    Default: 10.0.0.0/28
  SubnetNwMngPublicCCidr:
    Description: CIDR of subnet-NwMng-public-c
    Type: String
    Default: 10.0.0.16/28
  SubnetNwMngFirewallACidr:
    Description: CIDR of subnet-NwMng-nfw-a
    Type: String
    Default: 10.0.0.32/28
  SubnetNwMngFirewallCCidr:
    Description: CIDR of subnet-NwMng-nfw-c
    Type: String
    Default: 10.0.0.48/28
  SubnetNwMngEndpointACidr:
    Description: CIDR of subnet-NwMng-endpoint-a
    Type: String
    Default: 10.0.0.128/28
  SubnetNwMngEndpointCCidr:
    Description: CIDR of subnet-NwMng-endpoint-c
    Type: String
    Default: 10.0.0.144/28
  SubnetNwMngTransitACidr:
    Description: CIDR of subnet-NwMng-tgw-a
    Type: String
    Default: 10.0.0.160/28
  SubnetNwMngTransitCCidr:
    Description: CIDR of subnet-NwMng-tgw-c
    Type: String
    Default: 10.0.0.176/28
  VpcSpoke1Cidr:
    Description: CIDR of vpc-Spoke1
    Type: String
    Default: 10.0.1.0/24
  SubnetSpoke1ProtectedACidr:
    Description: CIDR of subnet-Spoke1-protected-a
    Type: String
    Default: 10.0.1.64/28
  SubnetSpoke1ProtectedCCidr:
    Description: CIDR of subnet-Spoke1-protected-c
    Type: String
    Default: 10.0.1.80/28
  SubnetSpoke1PrivateACidr:
    Description: CIDR of subnet-Spoke1-private-a
    Type: String
    Default: 10.0.1.96/28
  SubnetSpoke1PrivateCCidr:
    Description: CIDR of subnet-Spoke1-private-c
    Type: String
    Default: 10.0.1.112/28
  SubnetSpoke1EndpointACidr:
    Description: CIDR of subnet-Spoke1-endpoint-a
    Type: String
    Default: 10.0.1.128/28
  SubnetSpoke1EndpointCCidr:
    Description: CIDR of subnet-Spoke1-endpoint-c
    Type: String
    Default: 10.0.1.144/28
  SubnetSpoke1TransitACidr:
    Description: CIDR of subnet-Spoke1-tgw-a
    Type: String
    Default: 10.0.1.160/28
  SubnetSpoke1TransitCCidr:
    Description: CIDR of subnet-Spoke1-tgw-c
    Type: String
    Default: 10.0.1.176/28
  Ec2Spoke1PrivateIp:
    Description: Private IP of ec2-Spoke1-protected-a
    Type: String
    Default: 10.0.1.68
  VpcSpoke2Cidr:
    Description: CIDR of vpc-Spoke2
    Type: String
    Default: 10.0.2.0/24
  SubnetSpoke2ProtectedACidr:
    Description: CIDR of subnet-Spoke2-protected-a
    Type: String
    Default: 10.0.2.64/28
  SubnetSpoke2ProtectedCCidr:
    Description: CIDR of subnet-Spoke2-protected-c
    Type: String
    Default: 10.0.2.80/28
  SubnetSpoke2PrivateACidr:
    Description: CIDR of subnet-Spoke2-private-a
    Type: String
    Default: 10.0.2.96/28
  SubnetSpoke2PrivateCCidr:
    Description: CIDR of subnet-Spoke2-private-c
    Type: String
    Default: 10.0.2.112/28
  SubnetSpoke2EndpointACidr:
    Description: CIDR of subnet-Spoke2-endpoint-a
    Type: String
    Default: 10.0.2.128/28
  SubnetSpoke2EndpointCCidr:
    Description: CIDR of subnet-Spoke2-endpoint-c
    Type: String
    Default: 10.0.2.144/28
  SubnetSpoke2TransitACidr:
    Description: CIDR of subnet-Spoke2-tgw-a
    Type: String
    Default: 10.0.2.160/28
  SubnetSpoke2TransitCCidr:
    Description: CIDR of subnet-Spoke2-tgw-c
    Type: String
    Default: 10.0.2.176/28
  Ec2Spoke2PrivateIp:
    Description: Private IP of ec2-Spoke2-protected-c
    Type: String
    Default: 10.0.2.84
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Parameters related to vpc-NwMng
        Parameters:
          - VpcNwMngCidr
          - SubnetNwMngPublicACidr
          - SubnetNwMngPublicCCidr
          - SubnetNwMngFirewallACidr
          - SubnetNwMngFirewallCCidr
          - SubnetNwMngEndpointACidr
          - SubnetNwMngEndpointCCidr
          - SubnetNwMngTransitACidr
          - SubnetNwMngTransitCCidr
      - Label:
          default: Parameters related to vpc-Spoke1
        Parameters:
          - VpcSpoke1Cidr
          - SubnetSpoke1ProtectedACidr
          - SubnetSpoke1ProtectedCCidr
          - SubnetSpoke1PrivateACidr
          - SubnetSpoke1PrivateCCidr
          - SubnetSpoke1EndpointACidr
          - SubnetSpoke1EndpointCCidr
          - SubnetSpoke1TransitACidr
          - SubnetSpoke1TransitCCidr
          - Ec2Spoke1PrivateIp
      - Label:
          default: Parameters related to vpc-Spoke2
        Parameters:
          - VpcSpoke2Cidr
          - SubnetSpoke2ProtectedACidr
          - SubnetSpoke2ProtectedCCidr
          - SubnetSpoke2PrivateACidr
          - SubnetSpoke2PrivateCCidr
          - SubnetSpoke2EndpointACidr
          - SubnetSpoke2EndpointCCidr
          - SubnetSpoke2TransitACidr
          - SubnetSpoke2TransitCCidr
          - Ec2Spoke2PrivateIp
Resources:
  #######################################################################
  ##            Shared resources                                       ##
  #######################################################################
  # IAM role assumed by the VPC Flow Logs service
  FlowLogsRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: role-vpcflowlogs
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - vpc-flow-logs.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /
  FlowLogsPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: FlowLogsPolicy
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Action:
              # logs:CreateLogGroup is deliberately omitted: with it granted, the
              # flow log service re-creates a log group of the same name after a
              # stack deletion has removed the one managed by this template.
              - logs:CreateLogStream
              - logs:PutLogEvents
              - logs:DescribeLogGroups
              - logs:DescribeLogStreams
            Effect: Allow
            Resource: '*'
      Roles:
        - !Ref FlowLogsRole
  # IAM role that lets the EC2 instances be reached through Session Manager
  EC2IAMRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: role-ec2-sessionmanager
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
  EC2InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: /
      Roles:
        - !Ref EC2IAMRole
      InstanceProfileName: EC2InstanceProfile-sessionmanager
  # Transit Gateway shared by the inspection VPC and both spokes.
  # Default route table association is disabled so that every attachment is
  # explicitly associated with its own TGW route table below.
  TGWCommon:
    Type: AWS::EC2::TransitGateway
    Properties:
      AmazonSideAsn: 65000
      Description: TGW Network Firewall Demo
      AutoAcceptSharedAttachments: enable
      DefaultRouteTableAssociation: disable
      DnsSupport: enable
      VpnEcmpSupport: enable
      Tags:
        - Key: Name
          Value: tgw-Common
  #######################################################################
  ##            Resources for vpc-NwMng (inspection VPC)               ##
  #######################################################################
  VpcNwMng:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: !Ref VpcNwMngCidr
      EnableDnsHostnames: true
      EnableDnsSupport: true
      Tags:
        - Key: Name
          Value: vpc-NwMng
  ## VPC Flow Logs
  LogGroupVPCFlowLogNwMng:
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: 7
      LogGroupName: vpcflowlog-NwMng
  VPCFlowLogNwMng:
    Type: AWS::EC2::FlowLog
    Properties:
      DeliverLogsPermissionArn: !GetAtt FlowLogsRole.Arn
      LogGroupName: !Ref LogGroupVPCFlowLogNwMng
      ResourceId: !Ref VpcNwMng
      ResourceType: VPC
      Tags:
        - Key: Name
          Value: vpcflowlog-NwMng
      TrafficType: ALL
  ## Subnets
  SubnetNwMngPublicA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcNwMng
      AvailabilityZone: ap-northeast-1a
      CidrBlock: !Ref SubnetNwMngPublicACidr
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: subnet-NwMng-public-a
  SubnetNwMngPublicC:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcNwMng
      AvailabilityZone: ap-northeast-1c
      CidrBlock: !Ref SubnetNwMngPublicCCidr
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: subnet-NwMng-public-c
  SubnetNwMngFirewallA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcNwMng
      AvailabilityZone: ap-northeast-1a
      CidrBlock: !Ref SubnetNwMngFirewallACidr
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: subnet-NwMng-nfw-a
  SubnetNwMngFirewallC:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcNwMng
      AvailabilityZone: ap-northeast-1c
      CidrBlock: !Ref SubnetNwMngFirewallCCidr
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: subnet-NwMng-nfw-c
  SubnetNwMngEndpointA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcNwMng
      AvailabilityZone: ap-northeast-1a
      CidrBlock: !Ref SubnetNwMngEndpointACidr
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: subnet-NwMng-endpoint-a
  SubnetNwMngEndpointC:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcNwMng
      AvailabilityZone: ap-northeast-1c
      CidrBlock: !Ref SubnetNwMngEndpointCCidr
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: subnet-NwMng-endpoint-c
  SubnetNwMngTransitA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcNwMng
      AvailabilityZone: ap-northeast-1a
      CidrBlock: !Ref SubnetNwMngTransitACidr
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: subnet-NwMng-tgw-a
  SubnetNwMngTransitC:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcNwMng
      AvailabilityZone: ap-northeast-1c
      CidrBlock: !Ref SubnetNwMngTransitCCidr
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: subnet-NwMng-tgw-c
  ## Internet Gateway
  IgwNwMng:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: igw-NwMng
  IgwNwMngAttach:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VpcNwMng
      InternetGatewayId: !Ref IgwNwMng
  ## NAT Gateways (one per AZ, so each firewall endpoint egresses through its own AZ)
  NgwNwMngA:
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt EipNgwNwMngA.AllocationId
      SubnetId: !Ref SubnetNwMngPublicA
      Tags:
        - Key: Name
          Value: ngw-NwMng-a
  EipNgwNwMngA:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc
      Tags:
        - Key: Name
          Value: eip-ngw-NwMng-a
  NgwNwMngC:
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt EipNgwNwMngC.AllocationId
      SubnetId: !Ref SubnetNwMngPublicC
      Tags:
        - Key: Name
          Value: ngw-NwMng-c
  EipNgwNwMngC:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc
      Tags:
        - Key: Name
          Value: eip-ngw-NwMng-c
  ## Route tables
  ### rtb-NwMng-public-a
  RtbNwMngPublicA:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VpcNwMng
      Tags:
        - Key: Name
          Value: rtb-NwMng-public-a
  RtbNwMngPublicARoute0:
    Type: AWS::EC2::Route
    DependsOn: IgwNwMngAttach
    Properties:
      RouteTableId: !Ref RtbNwMngPublicA
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref IgwNwMng
  # Return traffic from the NAT gateway to the spokes must re-enter the firewall
  # endpoint of the same AZ. GetAtt EndpointIds yields a list of "<az>:<vpce-id>"
  # strings; joining it, splitting on "a:" and taking the first ID after that
  # delimiter selects the endpoint in ap-northeast-1a. The "c:" variant used in
  # the -c route tables selects ap-northeast-1c. This relies on the AZ letter
  # followed by a colon occurring exactly once in the joined string.
  RtbNwMngPublicARoute1:
    Type: AWS::EC2::Route
    DependsOn: NetworkFirewallNwMng
    Properties:
      RouteTableId: !Ref RtbNwMngPublicA
      DestinationCidrBlock: !Ref VpcSpoke1Cidr
      VpcEndpointId: !Select [ 0, !Split [ ',', !Select [ 1, !Split [ 'a:', !Join [ ',', !GetAtt NetworkFirewallNwMng.EndpointIds ] ] ] ] ]
  RtbNwMngPublicARoute2:
    Type: AWS::EC2::Route
    DependsOn: NetworkFirewallNwMng
    Properties:
      RouteTableId: !Ref RtbNwMngPublicA
      DestinationCidrBlock: !Ref VpcSpoke2Cidr
      VpcEndpointId: !Select [ 0, !Split [ ',', !Select [ 1, !Split [ 'a:', !Join [ ',', !GetAtt NetworkFirewallNwMng.EndpointIds ] ] ] ] ]
  ### rtb-NwMng-public-c
  RtbNwMngPublicC:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VpcNwMng
      Tags:
        - Key: Name
          Value: rtb-NwMng-public-c
  RtbNwMngPublicCRoute0:
    Type: AWS::EC2::Route
    DependsOn: IgwNwMngAttach
    Properties:
      RouteTableId: !Ref RtbNwMngPublicC
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref IgwNwMng
  RtbNwMngPublicCRoute1:
    Type: AWS::EC2::Route
    DependsOn: NetworkFirewallNwMng
    Properties:
      RouteTableId: !Ref RtbNwMngPublicC
      DestinationCidrBlock: !Ref VpcSpoke1Cidr
      VpcEndpointId: !Select [ 0, !Split [ ',', !Select [ 1, !Split [ 'c:', !Join [ ',', !GetAtt NetworkFirewallNwMng.EndpointIds ] ] ] ] ]
  RtbNwMngPublicCRoute2:
    Type: AWS::EC2::Route
    DependsOn: NetworkFirewallNwMng
    Properties:
      RouteTableId: !Ref RtbNwMngPublicC
      DestinationCidrBlock: !Ref VpcSpoke2Cidr
      VpcEndpointId: !Select [ 0, !Split [ ',', !Select [ 1, !Split [ 'c:', !Join [ ',', !GetAtt NetworkFirewallNwMng.EndpointIds ] ] ] ] ]
  ### rtb-NwMng-nfw-a: traffic leaving the firewall goes to the NAT gateway
  ### (internet) or back to the Transit Gateway (spoke-to-spoke)
  RtbNwMngFirewallA:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VpcNwMng
      Tags:
        - Key: Name
          Value: rtb-NwMng-nfw-a
  RtbNwMngFirewallARoute0:
    Type: AWS::EC2::Route
    DependsOn: NgwNwMngA
    Properties:
      RouteTableId: !Ref RtbNwMngFirewallA
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NgwNwMngA
  RtbNwMngFirewallARoute1:
    Type: AWS::EC2::Route
    DependsOn: TGWAttNwMng
    Properties:
      RouteTableId: !Ref RtbNwMngFirewallA
      DestinationCidrBlock: !Ref VpcSpoke1Cidr
      TransitGatewayId: !Ref TGWCommon
  RtbNwMngFirewallARoute2:
    Type: AWS::EC2::Route
    DependsOn: TGWAttNwMng
    Properties:
      RouteTableId: !Ref RtbNwMngFirewallA
      DestinationCidrBlock: !Ref VpcSpoke2Cidr
      TransitGatewayId: !Ref TGWCommon
  ### rtb-NwMng-nfw-c
  RtbNwMngFirewallC:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VpcNwMng
      Tags:
        - Key: Name
          Value: rtb-NwMng-nfw-c
  RtbNwMngFirewallCRoute0:
    Type: AWS::EC2::Route
    DependsOn: NgwNwMngC
    Properties:
      RouteTableId: !Ref RtbNwMngFirewallC
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NgwNwMngC
  RtbNwMngFirewallCRoute1:
    Type: AWS::EC2::Route
    DependsOn: TGWAttNwMng
    Properties:
      RouteTableId: !Ref RtbNwMngFirewallC
      DestinationCidrBlock: !Ref VpcSpoke1Cidr
      TransitGatewayId: !Ref TGWCommon
  RtbNwMngFirewallCRoute2:
    Type: AWS::EC2::Route
    DependsOn: TGWAttNwMng
    Properties:
      RouteTableId: !Ref RtbNwMngFirewallC
      DestinationCidrBlock: !Ref VpcSpoke2Cidr
      TransitGatewayId: !Ref TGWCommon
  ### rtb-NwMng-endpoint (local route only)
  RtbNwMngEndpoint:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VpcNwMng
      Tags:
        - Key: Name
          Value: rtb-NwMng-endpoint
  ### rtb-NwMng-tgw-a: everything arriving from the Transit Gateway is sent
  ### to the firewall endpoint of the same AZ
  RtbNwMngTransitA:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VpcNwMng
      Tags:
        - Key: Name
          Value: rtb-NwMng-tgw-a
  RtbNwMngTransitARoute0:
    Type: AWS::EC2::Route
    DependsOn: NetworkFirewallNwMng
    Properties:
      RouteTableId: !Ref RtbNwMngTransitA
      DestinationCidrBlock: 0.0.0.0/0
      VpcEndpointId: !Select [ 0, !Split [ ',', !Select [ 1, !Split [ 'a:', !Join [ ',', !GetAtt NetworkFirewallNwMng.EndpointIds ] ] ] ] ]
  ### rtb-NwMng-tgw-c
  RtbNwMngTransitC:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VpcNwMng
      Tags:
        - Key: Name
          Value: rtb-NwMng-tgw-c
  RtbNwMngTransitCRoute0:
    Type: AWS::EC2::Route
    DependsOn: NetworkFirewallNwMng
    Properties:
      RouteTableId: !Ref RtbNwMngTransitC
      DestinationCidrBlock: 0.0.0.0/0
      VpcEndpointId: !Select [ 0, !Split [ ',', !Select [ 1, !Split [ 'c:', !Join [ ',', !GetAtt NetworkFirewallNwMng.EndpointIds ] ] ] ] ]
  ## Subnet to route table associations
  SubnetRouteTableAssociationSubnetNwMngPublicA:
    Type: AWS::EC2::SubnetRouteTableAssociation
    DependsOn: SubnetNwMngPublicA
    Properties:
      SubnetId: !Ref SubnetNwMngPublicA
      RouteTableId: !Ref RtbNwMngPublicA
  SubnetRouteTableAssociationSubnetNwMngPublicC:
    Type: AWS::EC2::SubnetRouteTableAssociation
    DependsOn: SubnetNwMngPublicC
    Properties:
      SubnetId: !Ref SubnetNwMngPublicC
      RouteTableId: !Ref RtbNwMngPublicC
  SubnetRouteTableAssociationSubnetNwMngFirewallA:
    Type: AWS::EC2::SubnetRouteTableAssociation
    DependsOn: SubnetNwMngFirewallA
    Properties:
      SubnetId: !Ref SubnetNwMngFirewallA
      RouteTableId: !Ref RtbNwMngFirewallA
  SubnetRouteTableAssociationSubnetNwMngFirewallC:
    Type: AWS::EC2::SubnetRouteTableAssociation
    DependsOn: SubnetNwMngFirewallC
    Properties:
      SubnetId: !Ref SubnetNwMngFirewallC
      RouteTableId: !Ref RtbNwMngFirewallC
  SubnetRouteTableAssociationSubnetNwMngEndpointA:
    Type: AWS::EC2::SubnetRouteTableAssociation
    DependsOn: SubnetNwMngEndpointA
    Properties:
      SubnetId: !Ref SubnetNwMngEndpointA
      RouteTableId: !Ref RtbNwMngEndpoint
  SubnetRouteTableAssociationSubnetNwMngEndpointC:
    Type: AWS::EC2::SubnetRouteTableAssociation
    DependsOn: SubnetNwMngEndpointC
    Properties:
      SubnetId: !Ref SubnetNwMngEndpointC
      RouteTableId: !Ref RtbNwMngEndpoint
  SubnetRouteTableAssociationSubnetNwMngTransitA:
    Type: AWS::EC2::SubnetRouteTableAssociation
    DependsOn: SubnetNwMngTransitA
    Properties:
      SubnetId: !Ref SubnetNwMngTransitA
      RouteTableId: !Ref RtbNwMngTransitA
  SubnetRouteTableAssociationSubnetNwMngTransitC:
    Type: AWS::EC2::SubnetRouteTableAssociation
    DependsOn: SubnetNwMngTransitC
    Properties:
      SubnetId: !Ref SubnetNwMngTransitC
      RouteTableId: !Ref RtbNwMngTransitC
  # Network Firewall
  ## Firewall (one endpoint per firewall subnet, i.e. one per AZ)
  NetworkFirewallNwMng:
    Type: AWS::NetworkFirewall::Firewall
    Properties:
      FirewallName: nfw-NwMng
      FirewallPolicyArn: !Ref FirewallNwMngPolicy
      VpcId: !Ref VpcNwMng
      SubnetMappings:
        - SubnetId: !Ref SubnetNwMngFirewallA
        - SubnetId: !Ref SubnetNwMngFirewallC
      Tags:
        - Key: Name
          Value: nfw-NwMng
  ## Firewall policy
  FirewallNwMngPolicy:
    Type: AWS::NetworkFirewall::FirewallPolicy
    Properties:
      FirewallPolicyName: nfw-policy-NwMng
      FirewallPolicy:
        StatelessDefaultActions:
          - aws:forward_to_sfe
        StatelessFragmentDefaultActions:
          - aws:forward_to_sfe
        ### Strict rule order plus a "drop established" default action gives an
        ### implicit deny: any flow the rule groups below do not PASS is dropped,
        ### and aws:alert_established logs it. Note that aws:drop_established still
        ### lets the TCP handshake complete before dropping; use aws:drop_strict
        ### if every unmatched packet must be dropped.
        StatefulEngineOptions:
          RuleOrder: STRICT_ORDER
          StreamExceptionPolicy: DROP
        StatefulDefaultActions:
          - aws:drop_established
          - aws:alert_established
        StatefulRuleGroupReferences:
          - ResourceArn: !Ref InternalStatefulRuleGroup
            Priority: 1
          - ResourceArn: !Ref InternetEgressStatefulRuleGroup
            Priority: 2
      Tags:
        - Key: Name
          Value: nfw-policy-NwMng
  ## Rule group for traffic between the spokes.
  ## With STRICT_ORDER the ALERT rule is listed before the PASS rule for the
  ## same 5-tuple: ALERT logs the flow and evaluation continues, PASS then
  ## allows it and ends evaluation. Direction ANY matches flows started from
  ## either spoke.
  InternalStatefulRuleGroup:
    Type: AWS::NetworkFirewall::RuleGroup
    Properties:
      RuleGroupName: nfw-rulegroup-NwMng-Internal
      Type: STATEFUL
      Capacity: 100
      RuleGroup:
        StatefulRuleOptions:
          RuleOrder: STRICT_ORDER
        RulesSource:
          StatefulRules:
            - Action: ALERT
              Header:
                Protocol: IP
                Source: !Ref VpcSpoke1Cidr
                SourcePort: ANY
                Destination: !Ref VpcSpoke2Cidr
                DestinationPort: ANY
                Direction: ANY
              RuleOptions:
                - Keyword: sid:1001
            - Action: PASS
              Header:
                Protocol: IP
                Source: !Ref VpcSpoke1Cidr
                SourcePort: ANY
                Destination: !Ref VpcSpoke2Cidr
                DestinationPort: ANY
                Direction: ANY
              RuleOptions:
                - Keyword: sid:1002
      Tags:
        - Key: Name
          Value: nfw-rulegroup-NwMng-Internal
  ## Rule group for internet egress from either spoke (Direction FORWARD, so
  ## only flows initiated from the spokes match; nothing inbound is passed)
  InternetEgressStatefulRuleGroup:
    Type: AWS::NetworkFirewall::RuleGroup
    Properties:
      RuleGroupName: nfw-rulegroup-NwMng-InternetEgress
      Type: STATEFUL
      Capacity: 100
      RuleGroup:
        StatefulRuleOptions:
          RuleOrder: STRICT_ORDER
        RulesSource:
          StatefulRules:
            - Action: ALERT
              Header:
                Protocol: IP
                Source: !Sub ${VpcSpoke1Cidr},${VpcSpoke2Cidr}
                SourcePort: ANY
                Destination: ANY
                DestinationPort: ANY
                Direction: FORWARD
              RuleOptions:
                - Keyword: sid:2001
            - Action: PASS
              Header:
                Protocol: IP
                Source: !Sub ${VpcSpoke1Cidr},${VpcSpoke2Cidr}
                SourcePort: ANY
                Destination: ANY
                DestinationPort: ANY
                Direction: FORWARD
              RuleOptions:
                - Keyword: sid:2002
      Tags:
        - Key: Name
          Value: nfw-rulegroup-NwMng-InternetEgress
  ## Network Firewall logs
  ### Logging configuration. The log groups are referenced with !Ref (which
  ### returns the log group name) so that CloudFormation creates them before
  ### the logging configuration that needs them to exist.
  NetworkFirewallNwMngLog:
    Type: AWS::NetworkFirewall::LoggingConfiguration
    Properties:
      FirewallArn: !Ref NetworkFirewallNwMng
      LoggingConfiguration:
        LogDestinationConfigs:
          - LogType: FLOW
            LogDestinationType: CloudWatchLogs
            LogDestination:
              logGroup: !Ref LogGroupNetworkFirewallFlowNwMng
          - LogType: ALERT
            LogDestinationType: CloudWatchLogs
            LogDestination:
              logGroup: !Ref LogGroupNetworkFirewallAlertNwMng
  ### Flow log destination
  LogGroupNetworkFirewallFlowNwMng:
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: 7
      LogGroupName: nfw-flowlog-NwMng
  ### Alert log destination
  LogGroupNetworkFirewallAlertNwMng:
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: 7
      LogGroupName: nfw-alertlog-NwMng
  # Transit Gateway attachment and route table
  TGWAttNwMng:
    Type: AWS::EC2::TransitGatewayAttachment
    Properties:
      Options:
        # Appliance mode keeps both directions of a flow on the same AZ, so the
        # stateful engine in that AZ's firewall endpoint sees the whole flow.
        ApplianceModeSupport: enable
      SubnetIds:
        - !Ref SubnetNwMngTransitA
        - !Ref SubnetNwMngTransitC
      Tags:
        - Key: Name
          Value: tgw-attach-NwMng
      TransitGatewayId: !Ref TGWCommon
      VpcId: !Ref VpcNwMng
  TGWRouteTableNwMng:
    Type: AWS::EC2::TransitGatewayRouteTable
    Properties:
      Tags:
        - Key: Name
          Value: tgw-rtb-NwMng
      TransitGatewayId: !Ref TGWCommon
  TGWCommonRoute0:
    Type: AWS::EC2::TransitGatewayRoute
    Properties:
      DestinationCidrBlock: !Ref VpcSpoke1Cidr
      TransitGatewayAttachmentId: !Ref TGWAttSpoke1
      TransitGatewayRouteTableId: !Ref TGWRouteTableNwMng
  TGWCommonRoute1:
    Type: AWS::EC2::TransitGatewayRoute
    Properties:
      DestinationCidrBlock: !Ref VpcSpoke2Cidr
      TransitGatewayAttachmentId: !Ref TGWAttSpoke2
      TransitGatewayRouteTableId: !Ref TGWRouteTableNwMng
  AssociateVpcNwMngRouteTable:
    Type: AWS::EC2::TransitGatewayRouteTableAssociation
    Properties:
      TransitGatewayAttachmentId: !Ref TGWAttNwMng
      TransitGatewayRouteTableId: !Ref TGWRouteTableNwMng
  #######################################################################
  ##            Resources for vpc-Spoke1                               ##
  #######################################################################
  VpcSpoke1:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: !Ref VpcSpoke1Cidr
      EnableDnsHostnames: true
      EnableDnsSupport: true
      Tags:
        - Key: Name
          Value: vpc-Spoke1
  ## VPC Flow Logs
  LogGroupVPCFlowLogSpoke1:
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: 7
      LogGroupName: vpcflowlog-Spoke1
  VPCFlowLogSpoke1:
    Type: AWS::EC2::FlowLog
    Properties:
      DeliverLogsPermissionArn: !GetAtt FlowLogsRole.Arn
      LogGroupName: !Ref LogGroupVPCFlowLogSpoke1
      ResourceId: !Ref VpcSpoke1
      ResourceType: VPC
      Tags:
        - Key: Name
          Value: vpcflowlog-Spoke1
      TrafficType: ALL
  ## Subnets
  SubnetSpoke1ProtectedA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcSpoke1
      AvailabilityZone: ap-northeast-1a
      CidrBlock: !Ref SubnetSpoke1ProtectedACidr
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: subnet-Spoke1-protected-a
  SubnetSpoke1ProtectedC:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcSpoke1
      AvailabilityZone: ap-northeast-1c
      CidrBlock: !Ref SubnetSpoke1ProtectedCCidr
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: subnet-Spoke1-protected-c
  SubnetSpoke1PrivateA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcSpoke1
      AvailabilityZone: ap-northeast-1a
      CidrBlock: !Ref SubnetSpoke1PrivateACidr
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: subnet-Spoke1-private-a
  SubnetSpoke1PrivateC:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcSpoke1
      AvailabilityZone: ap-northeast-1c
      CidrBlock: !Ref SubnetSpoke1PrivateCCidr
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: subnet-Spoke1-private-c
  SubnetSpoke1EndpointA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcSpoke1
      AvailabilityZone: ap-northeast-1a
      CidrBlock: !Ref SubnetSpoke1EndpointACidr
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: subnet-Spoke1-endpoint-a
  SubnetSpoke1EndpointC:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcSpoke1
      AvailabilityZone: ap-northeast-1c
      CidrBlock: !Ref SubnetSpoke1EndpointCCidr
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: subnet-Spoke1-endpoint-c
  SubnetSpoke1TransitA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcSpoke1
      AvailabilityZone: ap-northeast-1a
      CidrBlock: !Ref SubnetSpoke1TransitACidr
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: subnet-Spoke1-tgw-a
  SubnetSpoke1TransitC:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcSpoke1
      AvailabilityZone: ap-northeast-1c
      CidrBlock: !Ref SubnetSpoke1TransitCCidr
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: subnet-Spoke1-tgw-c
  ## Route tables
  ### rtb-Spoke1-protected: all non-local traffic goes to the Transit Gateway
  ### and therefore through the firewall
  RtbSpoke1Protected:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VpcSpoke1
      Tags:
        - Key: Name
          Value: rtb-Spoke1-protected
  RtbSpoke1ProtectedARoute0:
    Type: AWS::EC2::Route
    DependsOn: TGWAttSpoke1
    Properties:
      RouteTableId: !Ref RtbSpoke1Protected
      DestinationCidrBlock: 0.0.0.0/0
      TransitGatewayId: !Ref TGWCommon
  ### rtb-Spoke1-private (local route only)
  RtbSpoke1Private:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VpcSpoke1
      Tags:
        - Key: Name
          Value: rtb-Spoke1-private
  ### rtb-Spoke1-endpoint (local route only)
  RtbSpoke1Endpoint:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VpcSpoke1
      Tags:
        - Key: Name
          Value: rtb-Spoke1-endpoint
  ### rtb-Spoke1-tgw (local route only)
  RtbSpoke1Transit:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VpcSpoke1
      Tags:
        - Key: Name
          Value: rtb-Spoke1-tgw
  ## Subnet to route table associations
  SubnetRouteTableAssociationSubnetSpoke1ProtectedA:
    Type: AWS::EC2::SubnetRouteTableAssociation
    DependsOn: SubnetSpoke1ProtectedA
    Properties:
      SubnetId: !Ref SubnetSpoke1ProtectedA
      RouteTableId: !Ref RtbSpoke1Protected
  SubnetRouteTableAssociationSubnetSpoke1ProtectedC:
    Type: AWS::EC2::SubnetRouteTableAssociation
    DependsOn: SubnetSpoke1ProtectedC
    Properties:
      SubnetId: !Ref SubnetSpoke1ProtectedC
      RouteTableId: !Ref RtbSpoke1Protected
  SubnetRouteTableAssociationSubnetSpoke1PrivateA:
    Type: AWS::EC2::SubnetRouteTableAssociation
    DependsOn: SubnetSpoke1PrivateA
    Properties:
      SubnetId: !Ref SubnetSpoke1PrivateA
      RouteTableId: !Ref RtbSpoke1Private
  SubnetRouteTableAssociationSubnetSpoke1PrivateC:
    Type: AWS::EC2::SubnetRouteTableAssociation
    DependsOn: SubnetSpoke1PrivateC
    Properties:
      SubnetId: !Ref SubnetSpoke1PrivateC
      RouteTableId: !Ref RtbSpoke1Private
  SubnetRouteTableAssociationSubnetSpoke1EndpointA:
    Type: AWS::EC2::SubnetRouteTableAssociation
    DependsOn: SubnetSpoke1EndpointA
    Properties:
      SubnetId: !Ref SubnetSpoke1EndpointA
      RouteTableId: !Ref RtbSpoke1Endpoint
  SubnetRouteTableAssociationSubnetSpoke1EndpointC:
    Type: AWS::EC2::SubnetRouteTableAssociation
    DependsOn: SubnetSpoke1EndpointC
    Properties:
      SubnetId: !Ref SubnetSpoke1EndpointC
      RouteTableId: !Ref RtbSpoke1Endpoint
  SubnetRouteTableAssociationSubnetSpoke1TransitA:
    Type: AWS::EC2::SubnetRouteTableAssociation
    DependsOn: SubnetSpoke1TransitA
    Properties:
      SubnetId: !Ref SubnetSpoke1TransitA
      RouteTableId: !Ref RtbSpoke1Transit
  SubnetRouteTableAssociationSubnetSpoke1TransitC:
    Type: AWS::EC2::SubnetRouteTableAssociation
    DependsOn: SubnetSpoke1TransitC
    Properties:
      SubnetId: !Ref SubnetSpoke1TransitC
      RouteTableId: !Ref RtbSpoke1Transit
  # EC2 test instance (no public IP; reached through Session Manager)
  Ec2Spoke1:
    Type: AWS::EC2::Instance
    Properties:
      BlockDeviceMappings:
        - DeviceName: /dev/xvda
          Ebs:
            DeleteOnTermination: true
            Encrypted: false # left unencrypted for this test setup; enable for anything beyond a demo
            VolumeType: gp3
            VolumeSize: 8
            Iops: 3000
      DisableApiTermination: false
      EbsOptimized: false
      IamInstanceProfile: !Ref EC2InstanceProfile
      ImageId: ami-07fb3592ea2a31402 # arm64 AMI for the t4g instance type; AMI IDs are specific to ap-northeast-1
      InstanceType: t4g.nano
      Monitoring: false
      NetworkInterfaces:
        - AssociatePublicIpAddress: false
          DeleteOnTermination: true
          DeviceIndex: 0
          GroupSet:
            - !Ref SgEc2Spoke1 # SecurityGroup
          PrivateIpAddresses:
            - PrivateIpAddress: !Ref Ec2Spoke1PrivateIp
              Primary: true
          SubnetId: !Ref SubnetSpoke1ProtectedA # Subnet
      SourceDestCheck: true
      Tags:
        - Key: Name
          Value: ec2-Spoke1-protected-a # Name
  ## Security group for the EC2 instance
  SgEc2Spoke1:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: for ec2-Spoke1
      GroupName: sec-ec2-Spoke1
      ### Allow all traffic from vpc-Spoke2 so the inspected spoke-to-spoke path
      ### can be exercised. Login is via Session Manager, so nothing from the
      ### vpc-Spoke1 CIDR needs to be allowed.
      SecurityGroupIngress:
        - CidrIp: !Ref VpcSpoke2Cidr
          FromPort: -1
          ToPort: -1
          IpProtocol: -1
      Tags:
        - Key: Name
          Value: sec-ec2-Spoke1
      VpcId: !Ref VpcSpoke1
  # VPC endpoints
  ## The three interface endpoints Session Manager needs (ssm, ssmmessages,
  ## ec2messages), so the instance never needs an internet path to be managed
  Spoke1Ssm:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      PrivateDnsEnabled: true
      SecurityGroupIds:
        - !Ref SgVpceSpoke1
      ServiceName: com.amazonaws.ap-northeast-1.ssm
      SubnetIds:
        - !Ref SubnetSpoke1EndpointA
      VpcEndpointType: Interface
      VpcId: !Ref VpcSpoke1
  Spoke1SsmMessages:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      PrivateDnsEnabled: true
      SecurityGroupIds:
        - !Ref SgVpceSpoke1
      ServiceName: com.amazonaws.ap-northeast-1.ssmmessages
      SubnetIds:
        - !Ref SubnetSpoke1EndpointA
      VpcEndpointType: Interface
      VpcId: !Ref VpcSpoke1
  Spoke1Ec2Message:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      PrivateDnsEnabled: true
      SecurityGroupIds:
        - !Ref SgVpceSpoke1
      ServiceName: com.amazonaws.ap-northeast-1.ec2messages
      SubnetIds:
        - !Ref SubnetSpoke1EndpointA # endpoint subnet
      VpcEndpointType: Interface
      VpcId: !Ref VpcSpoke1
  ## Security group for the VPC endpoints
  SgVpceSpoke1:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: for VPC endpoints in vpc-Spoke1
      GroupName: sec-vpce-Spoke1
      SecurityGroupIngress:
        - CidrIp: !Ref VpcSpoke1Cidr # allow HTTPS from the vpc-Spoke1 CIDR only
          FromPort: 443
          ToPort: 443
          IpProtocol: tcp
      Tags:
        - Key: Name
          Value: sec-vpce-Spoke1
      VpcId: !Ref VpcSpoke1
  # Transit Gateway attachment and route table
  TGWAttSpoke1:
    Type: AWS::EC2::TransitGatewayAttachment
    Properties:
      SubnetIds:
        - !Ref SubnetSpoke1TransitA
        - !Ref SubnetSpoke1TransitC
      Tags:
        - Key: Name
          Value: tgw-attach-Spoke1
      TransitGatewayId: !Ref TGWCommon
      VpcId: !Ref VpcSpoke1
  TGWRouteTableSpoke1:
    Type: AWS::EC2::TransitGatewayRouteTable
    Properties:
      Tags:
        - Key: Name
          Value: tgw-rtb-Spoke1
      TransitGatewayId: !Ref TGWCommon
  # The spoke's TGW route table only knows the inspection VPC attachment, so
  # spoke-to-spoke traffic cannot bypass the firewall
  TGWSpoke1Route0:
    Type: AWS::EC2::TransitGatewayRoute
    Properties:
      DestinationCidrBlock: 0.0.0.0/0
      TransitGatewayAttachmentId: !Ref TGWAttNwMng
      TransitGatewayRouteTableId: !Ref TGWRouteTableSpoke1
  AssociateVpcSpoke1RouteTable:
    Type: AWS::EC2::TransitGatewayRouteTableAssociation
    Properties:
      TransitGatewayAttachmentId: !Ref TGWAttSpoke1
      TransitGatewayRouteTableId: !Ref TGWRouteTableSpoke1
  #######################################################################
  ##            Resources for vpc-Spoke2                               ##
  #######################################################################
  VpcSpoke2:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: !Ref VpcSpoke2Cidr
      EnableDnsHostnames: true
      EnableDnsSupport: true
      Tags:
        - Key: Name
          Value: vpc-Spoke2
  ## VPC Flow Logs
  LogGroupVPCFlowLogSpoke2:
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: 7
      LogGroupName: vpcflowlog-Spoke2
  VPCFlowLogSpoke2:
    Type: AWS::EC2::FlowLog
    Properties:
      DeliverLogsPermissionArn: !GetAtt FlowLogsRole.Arn
      LogGroupName: !Ref LogGroupVPCFlowLogSpoke2
      ResourceId: !Ref VpcSpoke2
      ResourceType: VPC
      Tags:
        - Key: Name
          Value: vpcflowlog-Spoke2
      TrafficType: ALL
  ## Subnets
  SubnetSpoke2ProtectedA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcSpoke2
      AvailabilityZone: ap-northeast-1a
      CidrBlock: !Ref SubnetSpoke2ProtectedACidr
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: subnet-Spoke2-protected-a
  SubnetSpoke2ProtectedC:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcSpoke2
      AvailabilityZone: ap-northeast-1c
      CidrBlock: !Ref SubnetSpoke2ProtectedCCidr
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: subnet-Spoke2-protected-c
  SubnetSpoke2PrivateA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcSpoke2
      AvailabilityZone: ap-northeast-1a
      CidrBlock: !Ref SubnetSpoke2PrivateACidr
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: subnet-Spoke2-private-a
  SubnetSpoke2PrivateC:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcSpoke2
      AvailabilityZone: ap-northeast-1c
      CidrBlock: !Ref SubnetSpoke2PrivateCCidr
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: subnet-Spoke2-private-c
  SubnetSpoke2EndpointA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcSpoke2
      AvailabilityZone: ap-northeast-1a
      CidrBlock: !Ref SubnetSpoke2EndpointACidr
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: subnet-Spoke2-endpoint-a
  SubnetSpoke2EndpointC:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcSpoke2
      AvailabilityZone: ap-northeast-1c
      CidrBlock: !Ref SubnetSpoke2EndpointCCidr
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: subnet-Spoke2-endpoint-c
  SubnetSpoke2TransitA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcSpoke2
      AvailabilityZone: ap-northeast-1a
      CidrBlock: !Ref SubnetSpoke2TransitACidr
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: subnet-Spoke2-tgw-a
  SubnetSpoke2TransitC:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcSpoke2
      AvailabilityZone: ap-northeast-1c
      CidrBlock: !Ref SubnetSpoke2TransitCCidr
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: subnet-Spoke2-tgw-c
  ## Route tables
  ### rtb-Spoke2-protected: all non-local traffic goes to the Transit Gateway
  ### and therefore through the firewall
  RtbSpoke2Protected:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VpcSpoke2
      Tags:
        - Key: Name
          Value: rtb-Spoke2-protected
  RtbSpoke2ProtectedARoute0:
    Type: AWS::EC2::Route
    DependsOn: TGWAttSpoke2
    Properties:
      RouteTableId: !Ref RtbSpoke2Protected
      DestinationCidrBlock: 0.0.0.0/0
      TransitGatewayId: !Ref TGWCommon
  ### rtb-Spoke2-private (local route only)
  RtbSpoke2Private:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VpcSpoke2
      Tags:
        - Key: Name
          Value: rtb-Spoke2-private
  ### rtb-Spoke2-endpoint (local route only)
  RtbSpoke2Endpoint:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VpcSpoke2
      Tags:
        - Key: Name
          Value: rtb-Spoke2-endpoint
  ### rtb-Spoke2-tgw (local route only)
  RtbSpoke2Transit:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VpcSpoke2
      Tags:
        - Key: Name
          Value: rtb-Spoke2-tgw
  ## Subnet to route table associations
  SubnetRouteTableAssociationSubnetSpoke2ProtectedA:
    Type: AWS::EC2::SubnetRouteTableAssociation
    DependsOn: SubnetSpoke2ProtectedA
    Properties:
      SubnetId: !Ref SubnetSpoke2ProtectedA
      RouteTableId: !Ref RtbSpoke2Protected
  SubnetRouteTableAssociationSubnetSpoke2ProtectedC:
    Type: AWS::EC2::SubnetRouteTableAssociation
    DependsOn: SubnetSpoke2ProtectedC
    Properties:
      SubnetId: !Ref SubnetSpoke2ProtectedC
      RouteTableId: !Ref RtbSpoke2Protected
  SubnetRouteTableAssociationSubnetSpoke2PrivateA:
    Type: AWS::EC2::SubnetRouteTableAssociation
    DependsOn: SubnetSpoke2PrivateA
    Properties:
      SubnetId: !Ref SubnetSpoke2PrivateA
      RouteTableId: !Ref RtbSpoke2Private
  SubnetRouteTableAssociationSubnetSpoke2PrivateC:
    Type: AWS::EC2::SubnetRouteTableAssociation
    DependsOn: SubnetSpoke2PrivateC
    Properties:
      SubnetId: !Ref SubnetSpoke2PrivateC
      RouteTableId: !Ref RtbSpoke2Private
  SubnetRouteTableAssociationSubnetSpoke2EndpointA:
    Type: AWS::EC2::SubnetRouteTableAssociation
    DependsOn: SubnetSpoke2EndpointA
    Properties:
      SubnetId: !Ref SubnetSpoke2EndpointA
      RouteTableId: !Ref RtbSpoke2Endpoint
  SubnetRouteTableAssociationSubnetSpoke2EndpointC:
    Type: AWS::EC2::SubnetRouteTableAssociation
    DependsOn: SubnetSpoke2EndpointC
    Properties:
      SubnetId: !Ref SubnetSpoke2EndpointC
      RouteTableId: !Ref RtbSpoke2Endpoint
  SubnetRouteTableAssociationSubnetSpoke2TransitA:
    Type: AWS::EC2::SubnetRouteTableAssociation
    DependsOn: SubnetSpoke2TransitA
    Properties:
      SubnetId: !Ref SubnetSpoke2TransitA
      RouteTableId: !Ref RtbSpoke2Transit
  SubnetRouteTableAssociationSubnetSpoke2TransitC:
    Type: AWS::EC2::SubnetRouteTableAssociation
    DependsOn: SubnetSpoke2TransitC
    Properties:
      SubnetId: !Ref SubnetSpoke2TransitC
      RouteTableId: !Ref RtbSpoke2Transit
  # EC2 test instance (no public IP; reached through Session Manager)
  Ec2Spoke2:
    Type: AWS::EC2::Instance
    Properties:
      BlockDeviceMappings:
        - DeviceName: /dev/xvda
          Ebs:
            DeleteOnTermination: true
            Encrypted: false # left unencrypted for this test setup; enable for anything beyond a demo
            VolumeType: gp3
            VolumeSize: 8
            Iops: 3000
      DisableApiTermination: false
      EbsOptimized: false
      IamInstanceProfile: !Ref EC2InstanceProfile
      ImageId: ami-07fb3592ea2a31402 # arm64 AMI for the t4g instance type; AMI IDs are specific to ap-northeast-1
      InstanceType: t4g.nano
      Monitoring: false
      NetworkInterfaces:
        - AssociatePublicIpAddress: false
          DeleteOnTermination: true
          DeviceIndex: 0
          GroupSet:
            - !Ref SgEc2Spoke2 # SecurityGroup
          PrivateIpAddresses:
            - PrivateIpAddress: !Ref Ec2Spoke2PrivateIp
              Primary: true
          SubnetId: !Ref SubnetSpoke2ProtectedC # Subnet
      SourceDestCheck: true
      Tags:
        - Key: Name
          Value: ec2-Spoke2-protected-c # Name
  ## Security group for the EC2 instance
  SgEc2Spoke2:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: for ec2-Spoke2
      GroupName: sec-ec2-Spoke2
      ### Allow all traffic from vpc-Spoke1 so the inspected spoke-to-spoke path
      ### can be exercised. Login is via Session Manager, so nothing from the
      ### vpc-Spoke2 CIDR needs to be allowed.
      SecurityGroupIngress:
        - CidrIp: !Ref VpcSpoke1Cidr
          FromPort: -1
          ToPort: -1
          IpProtocol: -1
      Tags:
        - Key: Name
          Value: sec-ec2-Spoke2
      VpcId: !Ref VpcSpoke2
  # VPC endpoints
  ## The three interface endpoints Session Manager needs (ssm, ssmmessages,
  ## ec2messages), so the instance never needs an internet path to be managed
  Spoke2Ssm:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      PrivateDnsEnabled: true
      SecurityGroupIds:
        - !Ref SgVpceSpoke2
      ServiceName: com.amazonaws.ap-northeast-1.ssm
      SubnetIds:
        - !Ref SubnetSpoke2EndpointA
      VpcEndpointType: Interface
      VpcId: !Ref VpcSpoke2
  Spoke2SsmMessages:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      PrivateDnsEnabled: true
      SecurityGroupIds:
        - !Ref SgVpceSpoke2
      ServiceName: com.amazonaws.ap-northeast-1.ssmmessages
      SubnetIds:
        - !Ref SubnetSpoke2EndpointA
      VpcEndpointType: Interface
      VpcId: !Ref VpcSpoke2
  Spoke2Ec2Message:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      PrivateDnsEnabled: true
      SecurityGroupIds:
        - !Ref SgVpceSpoke2
      ServiceName: com.amazonaws.ap-northeast-1.ec2messages
      SubnetIds:
        - !Ref SubnetSpoke2EndpointA # endpoint subnet
      VpcEndpointType: Interface
      VpcId: !Ref VpcSpoke2
  ## Security group for the VPC endpoints
  SgVpceSpoke2:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: for VPC endpoints in vpc-Spoke2
      GroupName: sec-vpce-Spoke2
      SecurityGroupIngress:
        - CidrIp: !Ref VpcSpoke2Cidr # allow HTTPS from the vpc-Spoke2 CIDR only
          FromPort: 443
          ToPort: 443
          IpProtocol: tcp
      Tags:
        - Key: Name
          Value: sec-vpce-Spoke2
      VpcId: !Ref VpcSpoke2
  # Transit Gateway attachment and route table
  TGWAttSpoke2:
    Type: AWS::EC2::TransitGatewayAttachment
    Properties:
      SubnetIds:
        - !Ref SubnetSpoke2TransitA
        - !Ref SubnetSpoke2TransitC
      Tags:
        - Key: Name
          Value: tgw-attach-Spoke2
      TransitGatewayId: !Ref TGWCommon
      VpcId: !Ref VpcSpoke2
  TGWRouteTableSpoke2:
    Type: AWS::EC2::TransitGatewayRouteTable
    Properties:
      Tags:
        - Key: Name
          Value: tgw-rtb-Spoke2
      TransitGatewayId: !Ref TGWCommon
  # The spoke's TGW route table only knows the inspection VPC attachment, so
  # spoke-to-spoke traffic cannot bypass the firewall
  TGWSpoke2Route0:
    Type: AWS::EC2::TransitGatewayRoute
    Properties:
      DestinationCidrBlock: 0.0.0.0/0
      TransitGatewayAttachmentId: !Ref TGWAttNwMng
      TransitGatewayRouteTableId: !Ref TGWRouteTableSpoke2
  AssociateVpcSpoke2RouteTable:
    Type: AWS::EC2::TransitGatewayRouteTableAssociation
    Properties:
      TransitGatewayAttachmentId: !Ref TGWAttSpoke2
      TransitGatewayRouteTableId: !Ref TGWRouteTableSpoke2
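The route tables above pick the firewall endpoint for each AZ out of the Firewall resource's `EndpointIds` attribute with a chain of `Fn::Join`, `Fn::Split` and `Fn::Select`. The following Python is an added example written for this page, not part of the gist; it reproduces that chain so the selection can be checked before a deploy, and contrasts it with a parse keyed on the full AZ name. The `SAMPLE_ENDPOINT_IDS` list is constructed to have the `"<az>:<vpce-id>"` shape the attribute returns; the endpoint IDs in it are invented.

```python
"""Resolve AWS Network Firewall endpoint IDs per Availability Zone.

Added example for the template above (not the gist's own code). It models the
CloudFormation chain
  !Select [0, !Split [',', !Select [1, !Split ['<az letter>:', !Join [',', EndpointIds]]]]]
and a parse keyed on the full AZ name. Inputs are constructed, not real.
"""

# Constructed sample of GetAtt <Firewall>.EndpointIds for a two-AZ firewall.
SAMPLE_ENDPOINT_IDS = [
    "ap-northeast-1a:vpce-0123456789abcdef0",
    "ap-northeast-1c:vpce-0fedcba9876543210",
]


def endpoint_id_cfn_style(endpoint_ids, az_letter):
    """Mirror the template's intrinsic-function chain step by step.

    Raises IndexError when "<az_letter>:" does not occur in the joined string,
    which is the same condition under which Fn::Select fails at deploy time.
    """
    joined = ",".join(endpoint_ids)                   # Fn::Join [',', ...]
    after_az = joined.split(f"{az_letter}:")[1]       # Fn::Split + Fn::Select [1, ...]
    return after_az.split(",")[0]                     # Fn::Split + Fn::Select [0, ...]


def endpoints_by_az(endpoint_ids):
    """Parse "<az>:<vpce-id>" entries into {az_name: vpce_id}, validating each entry."""
    result = {}
    for entry in endpoint_ids:
        az, sep, vpce = entry.partition(":")
        if not sep or not vpce.startswith("vpce-"):
            raise ValueError(f"unexpected EndpointIds entry: {entry!r}")
        if az in result:
            raise ValueError(f"duplicate AZ in EndpointIds: {az}")
        result[az] = vpce
    return result


def endpoint_for_az(endpoint_ids, az_name):
    """Return the endpoint ID for a full AZ name, with a clear error if the
    firewall has no subnet mapping in that AZ (a route pointing at the wrong
    AZ's endpoint would silently cross AZs instead of failing)."""
    table = endpoints_by_az(endpoint_ids)
    if az_name not in table:
        raise KeyError(f"no firewall endpoint in {az_name}; have {sorted(table)}")
    return table[az_name]


if __name__ == "__main__":
    for letter in "ac":
        print(letter, endpoint_id_cfn_style(SAMPLE_ENDPOINT_IDS, letter))
    print(endpoints_by_az(SAMPLE_ENDPOINT_IDS))
```

The substring trick works as long as the AZ letter followed by a colon appears exactly once in the joined list, which holds for the two AZs used here; `endpoint_for_az` makes the same lookup explicit and fails loudly when an AZ is missing.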
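The firewall policy relies on strict rule order, an ALERT rule ahead of each PASS rule, and a drop default action to get an implicit deny. The following Python is an added example written for this page, not the gist's code and not AWS's engine: a simplified model of how the two 5-tuple rule groups evaluate a flow, used to check which flows are logged, passed or dropped. It assumes that under STRICT_ORDER an ALERT rule logs and evaluation continues, a PASS rule allows the flow and ends evaluation, Direction ANY matches flows initiated from either side while FORWARD matches only flows initiated from the source, and a flow matching no rule falls through to the policy's StatefulDefaultActions. The CIDRs and IPs are the template's parameter defaults; the external addresses are constructed.

```python
"""Simplified model of the stateful evaluation configured in nfw-policy-NwMng.

Added example for the template above; not the gist's code and not AWS's
engine. Assumptions: ALERT logs and continues, PASS allows and stops,
unmatched flows get the StatefulDefaultActions.
"""
import ipaddress

# Parameter defaults from the template.
VPC_SPOKE1 = ipaddress.ip_network("10.0.1.0/24")
VPC_SPOKE2 = ipaddress.ip_network("10.0.2.0/24")
ANY = "ANY"

# Rules in policy order (rule group priority 1, then 2), each as
# (action, sources, destinations, direction, sid). ANY matches every address.
RULES = [
    ("ALERT", [VPC_SPOKE1], [VPC_SPOKE2], "ANY", 1001),
    ("PASS", [VPC_SPOKE1], [VPC_SPOKE2], "ANY", 1002),
    ("ALERT", [VPC_SPOKE1, VPC_SPOKE2], ANY, "FORWARD", 2001),
    ("PASS", [VPC_SPOKE1, VPC_SPOKE2], ANY, "FORWARD", 2002),
]
# StatefulDefaultActions from the template; both apply to an unmatched flow.
DEFAULT_ACTIONS = ["aws:drop_established", "aws:alert_established"]


def _in(addr, spec):
    """True if addr matches a source/destination spec (ANY or a list of networks)."""
    return spec == ANY or any(addr in net for net in spec)


def _rule_matches(rule, src, dst):
    """Match the flow initiator against the rule header, honouring Direction."""
    _action, sources, dests, direction, _sid = rule
    if _in(src, sources) and _in(dst, dests):
        return True
    # Direction ANY (Suricata "<>") also matches flows started from the other side.
    return direction == "ANY" and _in(dst, sources) and _in(src, dests)


def evaluate(src_ip, dst_ip):
    """Return the actions taken, in order, for a flow initiated by src_ip to dst_ip."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    taken = []
    for rule in RULES:
        if not _rule_matches(rule, src, dst):
            continue
        action, sid = rule[0], rule[4]
        taken.append(f"{action.lower()} sid:{sid}")
        if action in ("PASS", "DROP"):  # PASS and DROP end evaluation; ALERT does not
            return taken
    return taken + DEFAULT_ACTIONS      # implicit deny for everything else


if __name__ == "__main__":
    flows = [
        ("10.0.1.68", "10.0.2.84"),        # ec2-Spoke1 -> ec2-Spoke2
        ("10.0.2.84", "10.0.1.68"),        # ec2-Spoke2 -> ec2-Spoke1 (Direction ANY)
        ("10.0.1.68", "93.184.216.34"),    # spoke -> internet (constructed address)
        ("203.0.113.7", "10.0.1.68"),      # internet -> spoke (constructed address)
    ]
    for flow in flows:
        print(flow, "->", evaluate(*flow))
```

The last case is the one the default action exists for: nothing matches, so the flow is dropped and logged. Because the template uses `aws:drop_established`, the TCP handshake of such a flow would still complete before the drop; swapping in `aws:drop_strict` in `StatefulDefaultActions` drops every unmatched packet.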