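Parameters:
  # Network placement for app01. AWS-specific parameter types make
  # CloudFormation validate the IDs against the account when the stack is
  # created, instead of failing later inside the EC2 API call.
  VPCId:
    Type: AWS::EC2::VPC::Id
  # Externally managed security group attached to app01 alongside the
  # AppSecurityGroup declared in this template.
  SgId:
    Type: AWS::EC2::SecurityGroup::Id
  PubSubnet1Id:
    Type: AWS::EC2::Subnet::Id
  # Consumed by the EfsAPData access point; no AWS-specific parameter type
  # exists for EFS file systems, so this stays a plain string.
  EfsId:
    Type: String
  # First path component of the access point root directory
  # (/<DeploymentName>/data).
  DeploymentName:
    Type: String
  # Applied with `hostnamectl set-hostname` in app01's UserData and used as the
  # Name tag. It is spliced into a root shell script via !Sub, so keep the
  # value to hostname characters; an AllowedPattern would enforce that at
  # stack creation.
  Hostname:
    Type: String
  # Must be an arm64 image: app01 uses a t4g (Graviton) instance class.
  Ami:
    Type: AWS::EC2::Image::Id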
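Resources:
  # EFS access point scoping the shared file system to a per-deployment
  # directory; app01 mounts it at /mnt/data from UserData.
  EfsAPData:
    Type: AWS::EFS::AccessPoint
    Properties:
      FileSystemId: !Ref EfsId
      RootDirectory:
        Path: !Sub "/${DeploymentName}/data"
        # CreationInfo is disabled, so EFS will not create this directory: it
        # must already exist on the file system or mounts through the access
        # point fail. The commented lines reference a `Config` mapping that is
        # not defined anywhere in this template as shown, so they cannot be
        # re-enabled as-is. No PosixUser is set either, so the NFS client's own
        # uid/gid are used on the mount.
        # CreationInfo:
        #   OwnerUid: !FindInMap [Config, Container, Uid]
        #   OwnerGid: !FindInMap [Config, Container, Gid]
        #   Permissions: !FindInMap [Config, Container, Permission]

  AppSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      # The rules also cover HTTPS; note GroupDescription cannot be changed in
      # place (an update replaces the group).
      GroupDescription: Enable HTTP access
      VpcId: !Ref VPCId
      # Web ports open to any IPv4 source. The instance is placed in what the
      # parameter name suggests is a public subnet, so this is the intended
      # internet-facing surface. No SecurityGroupEgress is declared, so the
      # group keeps the default allow-all outbound rule.
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: "0.0.0.0/0"
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: "0.0.0.0/0"

  # Docker host. Bootstraps itself from UserData and mounts the EFS access
  # point above for persistent data.
  app01:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref Ami
      # Graviton (arm64) class; the Ami parameter must be an arm64 image.
      InstanceType: t4g.small
      SubnetId: !Ref PubSubnet1Id
      # Externally supplied group plus the HTTP/HTTPS group from this template.
      SecurityGroupIds:
        - !Ref SgId
        - !Ref AppSecurityGroup
      BlockDeviceMappings:
        # NOTE(review): /dev/sda1 is the root device name of some AMIs but not
        # all (Amazon Linux images commonly report /dev/xvda). If it does not
        # match the chosen Ami's root device, this mapping attaches a second
        # volume instead of sizing the root volume — confirm against the AMI.
        - DeviceName: /dev/sda1
          Ebs:
            Encrypted: true
            VolumeSize: 100
            VolumeType: gp2
            # The volume survives instance termination and must be cleaned up
            # manually; presumably intentional for data preservation.
            DeleteOnTermination: false
      IamInstanceProfile: !Ref SSMInstanceProfile
      # Review notes on the boot script (YAML comments cannot be placed inside
      # the block scalar, so they are collected here):
      # - ssm-user is created by the SSM agent when the first Session Manager
      #   session starts, so `usermod -aG docker ssm-user` likely fails on first
      #   boot — confirm. Membership in the docker group is root-equivalent on
      #   the host.
      # - `chmod 777 /mnt/data` makes the mount point world-writable; once the
      #   EFS mount covers it, the access point's root directory permissions
      #   apply, so the chmod is only observable if the mount fails.
      # - The fstab entry uses the access point ID (${EfsAPData}) as the
      #   device. The documented efs-utils form is `<fs-id>:/ ... efs
      #   _netdev,tls,iam,accesspoint=<fsap-id>`; verify the installed
      #   efs-utils accepts an fsap- device, otherwise use ${EfsId} with
      #   `accesspoint=${EfsAPData}`.
      # - The `iam` mount option authenticates with the instance role, which
      #   then needs elasticfilesystem:ClientMount/ClientWrite (or an EFS file
      #   system policy granting them); neither appears in this template's IAM
      #   resources.
      # - No MetadataOptions are set, so IMDSv1 stays enabled. `HttpTokens:
      #   required` is the usual hardening once the efs-utils and docker
      #   tooling on the image are confirmed IMDSv2-capable.
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash
          hostnamectl set-hostname ${Hostname}
          #yum-config-manager --add-repo https://pkgs.tailscale.com/stable/amazon-linux/2/tailscale.repo
          yum update -y
          yum install -y git amazon-efs-utils python3 python3-pip jq gcc #tailscale
          amazon-linux-extras install ansible2 docker -y
          systemctl enable docker
          systemctl start docker
          usermod -aG docker ssm-user
          mkdir /mnt/data
          chmod 777 /mnt/data
          echo "${EfsAPData}:/ /mnt/data efs _netdev,noresvport,tls,iam 0 0" >> /etc/fstab
          mount /mnt/data
      Tags:
        - Key: Name
          Value: !Ref Hostname
        - Key: Purpose
          Value: hosting
        - Key: Environment
          Value: prod
        - Key: Application
          Value: dockerhost
        - Key: Owner
          Value: "dan@project-conquer.com"
        - Key: "Managed By"
          Value: "dan@project-conquer.com"
        - Key: "Managed Status"
          Value: active
        - Key: Schedule
          Value: always-on
        - Key: backupFrequency
          Value: daily

  # Instance role assumed by app01 through SSMInstanceProfile. Permissions come
  # from the managed policies below plus the inline SSMForEC2Policy.
  AmazonEC2RoleforSSM:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        # Explicit language version (quoted so YAML parsers do not read it as a
        # timestamp). Without it IAM falls back to the 2008-10-17 version,
        # which lacks policy variables.
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /
      ManagedPolicyArns:
        # Core Session Manager / SSM agent permissions.
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
        # Directory Service access for domain join through SSM.
        - arn:aws:iam::aws:policy/AmazonSSMDirectoryServiceAccess
        # NOTE(review): full RDS control-plane access to every instance in the
        # account. The inline policy only needs rds-db:connect for one DB user,
        # so this should be scoped to the specific instances or dropped.
        - arn:aws:iam::aws:policy/AmazonRDSFullAccess

  # Inline policy for AmazonEC2RoleforSSM. The first three statements are the
  # legacy SSM agent permission set and largely overlap with the
  # AmazonSSMManagedInstanceCore managed policy already attached to the role.
  SSMForEC2Policy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: SSMForEC2
      PolicyDocument:
        # Quoted: an unquoted 2012-10-17 is a timestamp to YAML 1.1 parsers
        # such as PyYAML and round-trips as a date object rather than the
        # string IAM expects.
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - ssm:DescribeAssociation
              - ssm:GetDeployablePatchSnapshotForInstance
              - ssm:GetDocument
              - ssm:DescribeDocument
              - ssm:GetManifest
              - ssm:GetParameters
              - ssm:ListAssociations
              - ssm:ListInstanceAssociations
              - ssm:PutInventory
              - ssm:PutComplianceItems
              - ssm:PutConfigurePackageResult
              - ssm:UpdateAssociationStatus
              - ssm:UpdateInstanceAssociationStatus
              - ssm:UpdateInstanceInformation
              - ds:CreateComputer
              - ds:DescribeDirectories
            Resource: "*"
          - Effect: Allow
            Action:
              - ssmmessages:CreateControlChannel
              - ssmmessages:CreateDataChannel
              - ssmmessages:OpenControlChannel
              - ssmmessages:OpenDataChannel
            Resource: "*"
          - Effect: Allow
            Action:
              - ec2messages:AcknowledgeMessage
              - ec2messages:DeleteMessage
              - ec2messages:FailMessage
              - ec2messages:GetEndpoint
              - ec2messages:GetMessages
              - ec2messages:SendReply
            Resource: "*"
          # Regional AWS-owned buckets the SSM agent downloads packages and
          # patch snapshots from.
          - Effect: Allow
            Action:
              - s3:GetObject
            Resource:
              - !Sub "arn:aws:s3:::aws-ssm-${AWS::Region}/*"
              - !Sub "arn:aws:s3:::aws-windows-downloads-${AWS::Region}/*"
              - !Sub "arn:aws:s3:::amazon-ssm-${AWS::Region}/*"
              - !Sub "arn:aws:s3:::amazon-ssm-packages-${AWS::Region}/*"
              - !Sub "arn:aws:s3:::${AWS::Region}-birdwatcher-prod/*"
              - !Sub "arn:aws:s3:::patch-baseline-snapshot-${AWS::Region}/*"
          # NOTE(review): read access to every secret in the account from an
          # internet-facing host; scope Resource to the secret ARNs this
          # deployment actually reads.
          - Effect: Allow
            Action:
              - secretsmanager:DescribeSecret
              - secretsmanager:GetSecretValue
              - secretsmanager:List*
            Resource: "*"
          - Effect: Allow
            Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:DescribeLogGroups
              - logs:DescribeLogStreams
              - logs:PutLogEvents
            Resource: "*"
          # IAM database authentication for one DB user on any instance in the
          # account/region.
          - Sid: AllowRDSAccess
            Effect: Allow
            Action: rds-db:connect
            Resource: !Sub "arn:aws:rds-db:${AWS::Region}:${AWS::AccountId}:dbuser:*/ecloud_prod"
          # Guard against accidental deletion only. It does not bound the
          # ECSDeployments statement below: iam:* lets the role change its own
          # policies, so the Deny is not an effective limit on the role.
          - Sid: DenyRDSDeleteDatabase
            Effect: Deny
            Action: rds:DeleteDBInstance
            Resource: "*"
          # NOTE(review): ecs/iam/cloudformation/ec2 on "*" is
          # administrator-equivalent, and anything that compromises app01 (an
          # internet-facing host with IMDSv1 enabled) inherits it. Restrict to
          # the deployment's cluster, stack and task/execution role ARNs, and
          # grant iam:PassRole on those roles instead of iam:*.
          - Sid: ECSDeployments
            Effect: Allow
            Action:
              - ecs:*
              - iam:*
              - cloudformation:*
              - ec2:*
            Resource: "*"
      Roles:
        - !Ref AmazonEC2RoleforSSM

  # Instance profile that hands AmazonEC2RoleforSSM to app01 (referenced from
  # its IamInstanceProfile property).
  SSMInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: /
      Roles:
        - !Ref AmazonEC2RoleforSSM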