@y13i
Last active January 25, 2021 12:37
{
"Parameters": {
"InstanceType": {
"Type": "String",
"Default": "t3a.micro"
},
"ImageId": {
"Type": "AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>",
"Default": "/aws/service/ecs/optimized-ami/amazon-linux-2/recommended/image_id"
},
"VpcCidr": {
"Type": "String",
"Description": "VPC network ranges.",
"Default": "10.0.0.0/16"
},
"AllowedCidr": {
"Type": "String"
},
"DomainName": {
"Type": "String"
},
"HostedZoneId": {
"Type": "AWS::Route53::HostedZone::Id"
},
"Username": {
"Type": "String"
},
"Password": {
"Type": "String",
"NoEcho": true
},
"PreSharedKey": {
"Type": "String",
"NoEcho": true
},
"Enabled": {
"Type": "String",
"AllowedValues": ["true", "false"]
}
},
"Conditions": {
"EnabledCondition": {
"Fn::Equals": [{ "Ref": "Enabled" }, "true"]
}
},
"Resources": {
"Vpc": {
"Type": "AWS::EC2::VPC",
"Properties": {
"EnableDnsSupport": true,
"EnableDnsHostnames": true,
"CidrBlock": { "Ref": "VpcCidr" },
"Tags": [{ "Key": "Name", "Value": { "Ref": "AWS::StackName" } }]
}
},
"InternetGateway": {
"Type": "AWS::EC2::InternetGateway",
"Properties": {
"Tags": [{ "Key": "Name", "Value": { "Ref": "AWS::StackName" } }]
}
},
"InternetGatewayAttachment": {
"Type": "AWS::EC2::VPCGatewayAttachment",
"Properties": {
"VpcId": { "Ref": "Vpc" },
"InternetGatewayId": { "Ref": "InternetGateway" }
}
},
"PublicRouteTable": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": { "Ref": "Vpc" },
"Tags": [
{
"Key": "Name",
"Value": { "Fn::Sub": "${AWS::StackName}-public" }
}
]
}
},
"PublicToInternetRoute": {
"Type": "AWS::EC2::Route",
"Properties": {
"DestinationCidrBlock": "0.0.0.0/0",
"RouteTableId": { "Ref": "PublicRouteTable" },
"GatewayId": { "Ref": "InternetGateway" }
}
},
"PublicSubnet": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"CidrBlock": {
"Fn::Select": [0, { "Fn::Cidr": [{ "Ref": "VpcCidr" }, 3, 8] }]
},
"MapPublicIpOnLaunch": true,
"AvailabilityZone": {
"Fn::Select": [0, { "Fn::GetAZs": { "Ref": "AWS::Region" } }]
},
"VpcId": { "Ref": "Vpc" },
"Tags": [
{
"Key": "Name",
"Value": {
"Fn::Join": ["-", [{ "Ref": "AWS::StackName" }, "public"]]
}
}
]
}
},
"PublicSubnetRouteTableAssociation": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"RouteTableId": { "Ref": "PublicRouteTable" },
"SubnetId": { "Ref": "PublicSubnet" }
}
},
"Ec2InstanceRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
},
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"
]
}
},
"Ec2InstanceProfile": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Roles": [{ "Ref": "Ec2InstanceRole" }]
}
},
"LaunchTemplate": {
"Type": "AWS::EC2::LaunchTemplate",
"Properties": {
"LaunchTemplateData": {
"ImageId": {
"Ref": "ImageId"
},
"InstanceType": { "Ref": "InstanceType" },
"SecurityGroupIds": [
{ "Fn::GetAtt": ["Vpc", "DefaultSecurityGroup"] }
],
"IamInstanceProfile": {
"Arn": { "Fn::GetAtt": ["Ec2InstanceProfile", "Arn"] }
},
"UserData": {
"Fn::Base64": {
"Fn::Join": [
"\n",
[
"#!/bin/bash",
"cat << 'EOF' > /etc/ecs/ecs.config",
{ "Fn::Sub": "ECS_CLUSTER=${Cluster}" },
"ECS_ENABLE_CONTAINER_METADATA=true",
"ECS_ENABLE_TASK_ENI=true",
"ECS_ENABLE_SPOT_INSTANCE_DRAINING=true",
"ECS_ENABLE_UNTRACKED_IMAGE_CLEANUP=true",
"ECS_CONTAINER_INSTANCE_PROPAGATE_TAGS_FROM=ec2_instance",
"EOF",
"yum install -y awslogs",
"cat << 'EOF' > /etc/awslogs/awslogs.conf",
"[general]",
"state_file = /var/lib/awslogs/agent-state",
"",
"[/var/log/dmesg]",
"file = /var/log/dmesg",
{ "Fn::Sub": "log_group_name = ${LogGroup}" },
{
"Fn::Sub": "log_stream_name = ${Cluster}/{instance_id}/var/log/dmesg"
},
"",
"[/var/log/messages]",
"file = /var/log/messages",
{ "Fn::Sub": "log_group_name = ${LogGroup}" },
{
"Fn::Sub": "log_stream_name = ${Cluster}/{instance_id}/var/log/messages"
},
"datetime_format = %b %d %H:%M:%S",
"",
"[/var/log/docker]",
"file = /var/log/docker",
{ "Fn::Sub": "log_group_name = ${LogGroup}" },
{
"Fn::Sub": "log_stream_name = ${Cluster}/{instance_id}/var/log/docker"
},
"datetime_format = %Y-%m-%dT%H:%M:%S.%f",
"",
"[/var/log/ecs/ecs-init.log]",
"file = /var/log/ecs/ecs-init.log",
{ "Fn::Sub": "log_group_name = ${LogGroup}" },
{
"Fn::Sub": "log_stream_name = ${Cluster}/{instance_id}/var/log/ecs/ecs-init.log"
},
"datetime_format = %Y-%m-%dT%H:%M:%SZ",
"",
"[/var/log/ecs/ecs-agent.log]",
"file = /var/log/ecs/ecs-agent.log.*",
{ "Fn::Sub": "log_group_name = ${LogGroup}" },
{
"Fn::Sub": "log_stream_name = ${Cluster}/{instance_id}/var/log/ecs/ecs-agent.log"
},
"datetime_format = %Y-%m-%dT%H:%M:%SZ",
"",
"[/var/log/ecs/audit.log]",
"file = /var/log/ecs/audit.log.*",
{ "Fn::Sub": "log_group_name = ${LogGroup}" },
{
"Fn::Sub": "log_stream_name = ${Cluster}/{instance_id}/var/log/ecs/audit.log"
},
"datetime_format = %Y-%m-%dT%H:%M:%SZ",
"EOF",
"cat << 'EOF' > /etc/awslogs/awscli.conf",
"[plugins]",
"cwlogs = cwlogs",
"[default]",
{ "Fn::Sub": "region = ${AWS::Region}" },
"EOF",
"systemctl enable awslogsd.service",
"systemctl start awslogsd"
]
]
}
}
}
}
},
"Instance": {
"Condition": "EnabledCondition",
"Type": "AWS::EC2::Instance",
"Properties": {
"LaunchTemplate": {
"Version": "1",
"LaunchTemplateId": { "Ref": "LaunchTemplate" }
},
"SubnetId": { "Ref": "PublicSubnet" }
}
},
"Cluster": {
"Type": "AWS::ECS::Cluster"
},
"LogGroup": {
"Type": "AWS::Logs::LogGroup",
"Properties": { "RetentionInDays": 365 }
},
"TaskDefinition": {
"Type": "AWS::ECS::TaskDefinition",
"Properties": {
"Memory": "512",
"ContainerDefinitions": [
{
"Name": "softethervpn",
"Image": "siomiz/softethervpn",
"LogConfiguration": {
"LogDriver": "awslogs",
"Options": {
"awslogs-group": { "Ref": "LogGroup" },
"awslogs-region": { "Ref": "AWS::Region" }
}
},
"LinuxParameters": {
"Capabilities": {
"Add": ["NET_ADMIN"]
}
},
"PortMappings": [
{
"ContainerPort": 500,
"HostPort": 500,
"Protocol": "udp"
},
{
"ContainerPort": 4500,
"HostPort": 4500,
"Protocol": "udp"
}
],
"Environment": [
{
"Name": "USERS",
"Value": { "Fn::Sub": "${Username}:${Password}" }
},
{
"Name": "PSK",
"Value": { "Ref": "PreSharedKey" }
}
]
}
]
}
},
"Service": {
"Condition": "EnabledCondition",
"DependsOn": ["Instance"],
"Type": "AWS::ECS::Service",
"Properties": {
"Cluster": { "Ref": "Cluster" },
"DesiredCount": 1,
"TaskDefinition": { "Ref": "TaskDefinition" },
"DeploymentConfiguration": {
"MinimumHealthyPercent": 0
}
}
},
"SecurityGroupIngressUDP500": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": { "Fn::GetAtt": ["Vpc", "DefaultSecurityGroup"] },
"IpProtocol": "udp",
"CidrIp": { "Ref": "AllowedCidr" },
"FromPort": 500,
"ToPort": 500
}
},
"SecurityGroupIngressUDP4500": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": { "Fn::GetAtt": ["Vpc", "DefaultSecurityGroup"] },
"IpProtocol": "udp",
"CidrIp": { "Ref": "AllowedCidr" },
"FromPort": 4500,
"ToPort": 4500
}
},
"RecordSetGroup": {
"Condition": "EnabledCondition",
"Type": "AWS::Route53::RecordSetGroup",
"Properties": {
"HostedZoneId": { "Ref": "HostedZoneId" },
"RecordSets": [
{
"Name": {
"Fn::Sub": "${AWS::StackName}-${AWS::Region}.${DomainName}"
},
"Type": "CNAME",
"ResourceRecords": [
{ "Fn::GetAtt": ["Instance", "PublicDnsName"] }
],
"TTL": "60"
}
]
}
}
}
}