vikfork/cfn-bastion-host-client.yaml

## cfn-bastion-host-client.yaml
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  VPCStackName:
    Type: String
    Default: 'PrivateLinkVPCStack'
  EC2KeyPairName:
    Type: AWS::EC2::KeyPair::KeyName
    ConstraintDescription: Can contain only ASCII characters.
  LatestAmiId:
    Type: 'AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>'
    Default: '/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2'
Resources:
  MSKAdminInstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Enable SSH access via port 22 from BastionHostSecurityGroup
      VpcId: !ImportValue
        'Fn::Sub': '${VPCStackName}-VPCID'
      SecurityGroupIngress:
      - Description: ssh access from Cloud9 environment in VPC public subnet
        IpProtocol: tcp
        FromPort: 22
        ToPort: 22
        CidrIp: !ImportValue
          'Fn::Sub': '${VPCStackName}-PublicSubnetFirstCidr'
      SecurityGroupEgress:
      - Description: all egress allowed
        IpProtocol: -1
        CidrIp: 0.0.0.0/0
  Cloud9EC2Bastion:
    Type: AWS::Cloud9::EnvironmentEC2
    Properties:
      AutomaticStopTimeMinutes: 600
      Description: "Cloud9 EC2 environment"
      InstanceType: m5.large
      SubnetId: !ImportValue
        'Fn::Sub': '${VPCStackName}-PublicSubnetOne'
      Tags:
        - Key: 'Purpose'
          Value: 'Cloud9EC2BastionHostInstance'
  EC2Role:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Sid: ''
            Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: 'sts:AssumeRole'
      Path: "/"
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonMSKFullAccess
        - arn:aws:iam::aws:policy/IAMFullAccess
        - arn:aws:iam::aws:policy/AmazonS3FullAccess
  EC2InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref EC2Role
  MSKAdminInstance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: m5.large
      KeyName: !Ref 'EC2KeyPairName'
      IamInstanceProfile: !Ref EC2InstanceProfile
      AvailabilityZone:
        Fn::Select:
         - 0
         - Fn::GetAZs: {Ref: 'AWS::Region'}
      SubnetId: !ImportValue
        'Fn::Sub': '${VPCStackName}-PrivateSubnetOne'
      SecurityGroupIds: [!GetAtt MSKAdminInstanceSecurityGroup.GroupId]
      ImageId: !Ref LatestAmiId
      Tags:
        - Key: 'Name'
          Value: 'MSKAdminInstance'
      UserData:
        Fn::Base64:
          !Sub |
            #!/bin/bash
            yum update -y
            yum install python3.7 -y
            yum install java-1.8.0-openjdk-devel -y
            yum install nmap-ncat -y
            yum install git -y
            yum erase awscli -y
            yum install jq -y
            amazon-linux-extras install docker -y
            service docker start
            usermod -a -G docker ec2-user

            cd /home/ec2-user
            wget https://bootstrap.pypa.io/get-pip.py
            su -c "python3.7 get-pip.py --user" -s /bin/sh ec2-user
            su -c "/home/ec2-user/.local/bin/pip3 install boto3 --user" -s /bin/sh ec2-user
            su -c "/home/ec2-user/.local/bin/pip3 install awscli --user" -s /bin/sh ec2-user

            # install AWS CLI 2 - access with aws2
            curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
            unzip awscliv2.zip
            ./aws/install -b /usr/local/bin/aws2
            su -c "ln -s /usr/local/bin/aws2/aws ~/.local/bin/aws2" -s /bin/sh ec2-user

            # Create dirs, get Apache Kafka 2.7.1 and unpack it
            su -c "mkdir -p kafka271" -s /bin/sh ec2-user
            cd /home/ec2-user
            ln -s /home/ec2-user/kafka271 /home/ec2-user/kafka
            cd kafka271
            su -c "wget https://archive.apache.org/dist/kafka/2.7.1/kafka_2.13-2.7.1.tgz" -s /bin/sh ec2-user
            su -c "tar -xzf kafka_2.13-2.7.1.tgz --strip 1" -s /bin/sh ec2-user
Outputs:
  MSKAdminInstanceSecurityGroupId:
    Description: MSK Admin EC2 instance security group
    Value: !Ref MSKAdminInstanceSecurityGroup
    Export:
      Name: !Sub "${AWS::StackName}-MSKAdminInstanceSecurityGroupId"
	AWSTemplateFormatVersion: '2010-09-09'
	Parameters:
	VPCStackName:
	Type: String
	Default: 'PrivateLinkVPCStack'
	EC2KeyPairName:
	Type: AWS::EC2::KeyPair::KeyName
	ConstraintDescription: Can contain only ASCII characters.
	LatestAmiId:
	Type: 'AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>'
	Default: '/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2'
	Resources:
	MSKAdminInstanceSecurityGroup:
	Type: AWS::EC2::SecurityGroup
	Properties:
	GroupDescription: Enable SSH access via port 22 from BastionHostSecurityGroup
	VpcId: !ImportValue
	'Fn::Sub': '${VPCStackName}-VPCID'
	SecurityGroupIngress:
	- Description: ssh access from Cloud9 environment in VPC public subnet
	IpProtocol: tcp
	FromPort: 22
	ToPort: 22
	CidrIp: !ImportValue
	'Fn::Sub': '${VPCStackName}-PublicSubnetFirstCidr'
	SecurityGroupEgress:
	- Description: all egress allowed
	IpProtocol: -1
	CidrIp: 0.0.0.0/0
	Cloud9EC2Bastion:
	Type: AWS::Cloud9::EnvironmentEC2
	Properties:
	AutomaticStopTimeMinutes: 600
	Description: "Cloud9 EC2 environment"
	InstanceType: m5.large
	SubnetId: !ImportValue
	'Fn::Sub': '${VPCStackName}-PublicSubnetOne'
	Tags:
	- Key: 'Purpose'
	Value: 'Cloud9EC2BastionHostInstance'
	EC2Role:
	Type: AWS::IAM::Role
	Properties:
	AssumeRolePolicyDocument:
	Version: 2012-10-17
	Statement:
	- Sid: ''
	Effect: Allow
	Principal:
	Service: ec2.amazonaws.com
	Action: 'sts:AssumeRole'
	Path: "/"
	ManagedPolicyArns:
	- arn:aws:iam::aws:policy/AmazonMSKFullAccess
	- arn:aws:iam::aws:policy/IAMFullAccess
	- arn:aws:iam::aws:policy/AmazonS3FullAccess
	EC2InstanceProfile:
	Type: AWS::IAM::InstanceProfile
	Properties:
	Roles:
	- !Ref EC2Role
	MSKAdminInstance:
	Type: AWS::EC2::Instance
	Properties:
	InstanceType: m5.large
	KeyName: !Ref 'EC2KeyPairName'
	IamInstanceProfile: !Ref EC2InstanceProfile
	AvailabilityZone:
	Fn::Select:
	- 0
	- Fn::GetAZs: {Ref: 'AWS::Region'}
	SubnetId: !ImportValue
	'Fn::Sub': '${VPCStackName}-PrivateSubnetOne'
	SecurityGroupIds: [!GetAtt MSKAdminInstanceSecurityGroup.GroupId]
	ImageId: !Ref LatestAmiId
	Tags:
	- Key: 'Name'
	Value: 'MSKAdminInstance'
	UserData:
	Fn::Base64:
	!Sub \|
	#!/bin/bash
	yum update -y
	yum install python3.7 -y
	yum install java-1.8.0-openjdk-devel -y
	yum install nmap-ncat -y
	yum install git -y
	yum erase awscli -y
	yum install jq -y
	amazon-linux-extras install docker -y
	service docker start
	usermod -a -G docker ec2-user

	cd /home/ec2-user
	wget https://bootstrap.pypa.io/get-pip.py
	su -c "python3.7 get-pip.py --user" -s /bin/sh ec2-user
	su -c "/home/ec2-user/.local/bin/pip3 install boto3 --user" -s /bin/sh ec2-user
	su -c "/home/ec2-user/.local/bin/pip3 install awscli --user" -s /bin/sh ec2-user

	# install AWS CLI 2 - access with aws2
	curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
	unzip awscliv2.zip
	./aws/install -b /usr/local/bin/aws2
	su -c "ln -s /usr/local/bin/aws2/aws ~/.local/bin/aws2" -s /bin/sh ec2-user

	# Create dirs, get Apache Kafka 2.7.1 and unpack it
	su -c "mkdir -p kafka271" -s /bin/sh ec2-user
	cd /home/ec2-user
	ln -s /home/ec2-user/kafka271 /home/ec2-user/kafka
	cd kafka271
	su -c "wget https://archive.apache.org/dist/kafka/2.7.1/kafka_2.13-2.7.1.tgz" -s /bin/sh ec2-user
	su -c "tar -xzf kafka_2.13-2.7.1.tgz --strip 1" -s /bin/sh ec2-user
	Outputs:
	MSKAdminInstanceSecurityGroupId:
	Description: MSK Admin EC2 instance security group
	Value: !Ref MSKAdminInstanceSecurityGroup
	Export:
	Name: !Sub "${AWS::StackName}-MSKAdminInstanceSecurityGroupId"