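# CloudFormation stack for a single Docker host (app01) in a public subnet,
# with an EFS access point mounted at /mnt/data and an SSM-managed instance
# role. Reformatted from a single collapsed line; values are unchanged except
# where noted in comments below.
Parameters:
  VPCId:
    Type: String
  SgId:
    Type: String
  PubSubnet1Id:
    Type: String
  EfsId:
    Type: String
  DeploymentName:
    Type: String
  Hostname:
    Type: String
  Ami:
    Type: String

Resources:
  # Per-deployment access point; the root directory is namespaced by
  # DeploymentName so several stacks can share one file system.
  EfsAPData:
    Type: AWS::EFS::AccessPoint
    Properties:
      FileSystemId: !Ref EfsId
      RootDirectory:
        Path: !Sub /${DeploymentName}/data
        # CreationInfo (left disabled as in the original; the referenced
        # "Config" mapping is not part of this section):
        # CreationInfo:
        #   OwnerUid: !FindInMap [Config, Container, Uid]
        #   OwnerGid: !FindInMap [Config, Container, Gid]
        #   Permissions: !FindInMap [Config, Container, Permission]

  # Public web ingress. 0.0.0.0/0 on 80/443 is intentional for a hosting box;
  # note only IPv4 is opened (no ::/0 rule), and all other traffic relies on
  # the externally supplied SgId.
  AppSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Enable HTTP access
      VpcId: !Ref VPCId
      SecurityGroupIngress:
        # Ports written as integers rather than quoted strings; the
        # property type is Integer.
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0

  app01:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref Ami
      # t4g is Graviton (arm64): the Ami parameter must be an arm64 image.
      InstanceType: t4g.small
      SubnetId: !Ref PubSubnet1Id
      SecurityGroupIds:
        - !Ref SgId
        - !Ref AppSecurityGroup
      BlockDeviceMappings:
        # NOTE(review): DeviceName must match the root device of the AMI
        # passed in; Amazon Linux images commonly use /dev/xvda rather than
        # /dev/sda1 — confirm against the chosen Ami.
        - DeviceName: /dev/sda1
          Ebs:
            Encrypted: true
            VolumeSize: 100
            VolumeType: gp2
            # Root volume is kept on termination (manual cleanup needed).
            DeleteOnTermination: false
      IamInstanceProfile: !Ref SSMInstanceProfile
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash
          hostnamectl set-hostname ${Hostname}
          #yum-config-manager --add-repo https://pkgs.tailscale.com/stable/amazon-linux/2/tailscale.repo
          yum update -y
          yum install -y git amazon-efs-utils python3 python3-pip jq gcc #tailscale
          amazon-linux-extras install ansible2 docker -y
          systemctl enable docker
          systemctl start docker
          # Membership of the docker group is root-equivalent on the host;
          # ssm-user sessions therefore have effective root via the daemon.
          usermod -aG docker ssm-user
          # -p so a re-run of user data does not fail on an existing mount point.
          mkdir -p /mnt/data
          # World-writable mount point; the EFS access point's own UID/GID
          # and permissions (CreationInfo above is disabled) govern access
          # once mounted — review whether 777 is still needed.
          chmod 777 /mnt/data
          # ${EfsAPData} resolves to the access-point ID (fsap-...). efs-utils
          # documents mounting by file-system ID with an accesspoint= option;
          # NOTE(review): confirm this fstab form mounts with the installed
          # amazon-efs-utils version.
          echo "${EfsAPData}:/ /mnt/data efs _netdev,noresvport,tls,iam 0 0" >> /etc/fstab
          mount /mnt/data
      Tags:
        - Key: "Name"
          Value: !Ref Hostname
        - Key: "Purpose"
          Value: hosting
        - Key: "Environment"
          Value: prod
        - Key: "Application"
          Value: dockerhost
        - Key: "Owner"
          Value: dan@project-conquer.com
        - Key: "Managed By"
          Value: dan@project-conquer.com
        - Key: "Managed Status"
          Value: active
        - Key: "Schedule"
          Value: always-on
        - Key: "backupFrequency"
          Value: daily

  # Instance role assumed by EC2. The attached managed policies plus
  # SSMForEC2Policy below define what anything running on app01 (including
  # every container, since docker is root-equivalent) can do in the account.
  AmazonEC2RoleforSSM:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        # Explicit policy-language version added; the original omitted it
        # (IAM then defaults to the older 2008-10-17 grammar).
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: "/"
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
        - arn:aws:iam::aws:policy/AmazonSSMDirectoryServiceAccess
        # Full RDS control (create/modify/delete any instance). The Deny on
        # rds:DeleteDBInstance in SSMForEC2Policy narrows this for deletes only.
        - arn:aws:iam::aws:policy/AmazonRDSFullAccess

  SSMForEC2Policy:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: SSMForEC2
      PolicyDocument:
        # Quoted: an unquoted 2012-10-17 is parsed as a date by generic YAML
        # tooling (cfn-lint, PyYAML-based scripts), not as a string.
        Version: '2012-10-17'
        Statement:
          # The ssm/ssmmessages/ec2messages/s3 statements largely duplicate
          # AmazonSSMManagedInstanceCore, which is already attached above.
          - Effect: Allow
            Action:
              - ssm:DescribeAssociation
              - ssm:GetDeployablePatchSnapshotForInstance
              - ssm:GetDocument
              - ssm:DescribeDocument
              - ssm:GetManifest
              - ssm:GetParameters
              - ssm:ListAssociations
              - ssm:ListInstanceAssociations
              - ssm:PutInventory
              - ssm:PutComplianceItems
              - ssm:PutConfigurePackageResult
              - ssm:UpdateAssociationStatus
              - ssm:UpdateInstanceAssociationStatus
              - ssm:UpdateInstanceInformation
              - ds:CreateComputer
              - ds:DescribeDirectories
            Resource: '*'
          - Effect: Allow
            Action:
              - ssmmessages:CreateControlChannel
              - ssmmessages:CreateDataChannel
              - ssmmessages:OpenControlChannel
              - ssmmessages:OpenDataChannel
            Resource: '*'
          - Effect: Allow
            Action:
              - ec2messages:AcknowledgeMessage
              - ec2messages:DeleteMessage
              - ec2messages:FailMessage
              - ec2messages:GetEndpoint
              - ec2messages:GetMessages
              - ec2messages:SendReply
            Resource: '*'
          - Effect: Allow
            Action:
              - s3:GetObject
            Resource:
              - !Sub arn:aws:s3:::aws-ssm-${AWS::Region}/*
              - !Sub arn:aws:s3:::aws-windows-downloads-${AWS::Region}/*
              - !Sub arn:aws:s3:::amazon-ssm-${AWS::Region}/*
              - !Sub arn:aws:s3:::amazon-ssm-packages-${AWS::Region}/*
              - !Sub arn:aws:s3:::${AWS::Region}-birdwatcher-prod/*
              - !Sub arn:aws:s3:::patch-baseline-snapshot-${AWS::Region}/*
          # Reads every secret in the account. Scope Resource to the secrets
          # this host actually needs (ARN or tag condition) where possible.
          - Effect: Allow
            Action:
              - secretsmanager:DescribeSecret
              - secretsmanager:GetSecretValue
              - secretsmanager:List*
            Resource: '*'
          - Effect: Allow
            Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:DescribeLogGroups
              - logs:DescribeLogStreams
              - logs:PutLogEvents
            Resource: '*'
          # IAM auth to RDS, limited to the ecloud_prod DB user on any instance.
          - Sid: AllowRDSAccess
            Effect: Allow
            Action: rds-db:connect
            Resource: !Sub 'arn:aws:rds-db:${AWS::Region}:${AWS::AccountId}:dbuser:*/ecloud_prod'
          - Sid: DenyRDSDeleteDatabase
            Effect: Deny
            Action: rds:DeleteDBInstance
            Resource: '*'
          # NOTE(review): iam:* on '*' makes this instance role effectively
          # account-administrator (it can attach any policy to itself or
          # create new principals), which also renders the Deny above and
          # every other restriction in this document advisory only; ec2:* and
          # cloudformation:* on '*' are likewise far wider than a deployment
          # needs. Consider scoping to the deployment's resources/tags, using
          # PassRole with a condition for the ECS task/execution roles, and
          # alerting on IAM writes from this role (CloudTrail).
          - Sid: ECSDeployments
            Effect: Allow
            Action:
              - ecs:*
              - iam:*
              - cloudformation:*
              - ec2:*
            Resource: '*'
      Roles:
        - !Ref AmazonEC2RoleforSSM

  SSMInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: "/"
      Roles:
        # Short-form !Ref for consistency with the rest of the template.
        - !Ref AmazonEC2RoleforSSM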