Created
May 18, 2021 13:46
-
-
Save aLucaz/fb3adbe307d844821834557c19f1b8c9 to your computer and use it in GitHub Desktop.
Cloud Formation Yaml to create private RDS and EC2 connected via tcp
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Description: | |
| Goal | |
| -> create a VPC with | |
| -> 1 public subnet | |
| -> 1 private subnet | |
| -> create an Internet Gateway | |
| -> create public instance as bastion | |
| -> create private RDS instance with its inbound rules | |
| Parameters: | |
| VpcCidr: | |
| Type: String | |
| Default: 10.0.0.0/16 | |
| PublicSubnetACidr: | |
| Type: String | |
| Default: 10.0.1.0/24 | |
| PublicSubnetBCidr: | |
| Type: String | |
| Default: 10.0.2.0/24 | |
| PrivateSubnetACidr: | |
| Type: String | |
| Default: 10.0.11.0/24 | |
| PrivateSubnetBCidr: | |
| Type: String | |
| Default: 10.0.12.0/24 | |
| BastionKeyPairName: | |
| Type: AWS::EC2::KeyPair::KeyName | |
| Default: poc-cf-keypair | |
| PublicInstanceType: | |
| AllowedValues: | |
| - t2.micro | |
| - t2.small | |
| Default: t2.micro | |
| Type: String | |
| PublicSubnetAAZ: | |
| AllowedValues: | |
| - us-west-1a | |
| Default: us-west-1a | |
| Type: String | |
| PublicSubnetBAZ: | |
| AllowedValues: | |
| - us-west-1b | |
| Default: us-west-1b | |
| Type: String | |
| PrivateInstanceType: | |
| AllowedValues: | |
| - t2.micro | |
| - t2.small | |
| Default: t2.micro | |
| Type: String | |
| PrivateSubnetAAZ: | |
| AllowedValues: | |
| - us-west-1a | |
| Default: us-west-1a | |
| Type: String | |
| PrivateSubnetBAZ: | |
| AllowedValues: | |
| - us-west-1b | |
| Default: us-west-1b | |
| Type: String | |
| DBInstanceID: | |
| Default: dbinstance | |
| Type: String | |
| MinLength: 1 | |
| MaxLength: 63 | |
| AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*' | |
| DBName: | |
| Default: mydb | |
| Type: String | |
| MinLength: 1 | |
| MaxLength: 64 | |
| AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*' | |
| DBInstanceClass: | |
| Default: db.t2.micro | |
| Type: String | |
| DBAllocatedStorage: | |
| Default: 20 | |
| Type: Number | |
| MinValue: 5 | |
| MaxValue: 1024 | |
| DBUsername: | |
| Default: test | |
| NoEcho: 'true' | |
| Type: String | |
| MinLength: 1 | |
| MaxLength: 16 | |
| AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*' | |
| DBPassword: | |
| Default: 12345678 | |
| NoEcho: 'true' | |
| Type: String | |
| MinLength: 8 | |
| MaxLength: 41 | |
| AllowedPattern: '[a-zA-Z0-9]*' | |
| Mappings: | |
| RegionMap: | |
| us-west-1: | |
| HVM64: ami-0d382e80be7ffdae5 | |
| Resources: | |
| VPC: | |
| Type: AWS::EC2::VPC | |
| Properties: | |
| CidrBlock: !Ref VpcCidr | |
| EnableDnsSupport: true | |
| EnableDnsHostnames: true | |
| Tags: | |
| - Key: Name | |
| Value: poc-cf-vpc | |
| PublicSubnetA: | |
| Type: AWS::EC2::Subnet | |
| Properties: | |
| VpcId: !Ref VPC | |
| AvailabilityZone: !Ref PublicSubnetAAZ | |
| CidrBlock: !Ref PublicSubnetACidr | |
| MapPublicIpOnLaunch: True | |
| Tags: | |
| - Key: Name | |
| Value: poc-cf-public-subnet-a | |
| PublicSubnetB: | |
| Type: AWS::EC2::Subnet | |
| Properties: | |
| VpcId: !Ref VPC | |
| AvailabilityZone: !Ref PublicSubnetBAZ | |
| CidrBlock: !Ref PublicSubnetBCidr | |
| MapPublicIpOnLaunch: True | |
| Tags: | |
| - Key: Name | |
| Value: poc-cf-public-subnet-b | |
| PrivateSubnetA: | |
| Type: AWS::EC2::Subnet | |
| Properties: | |
| VpcId: !Ref VPC | |
| AvailabilityZone: !Ref PrivateSubnetAAZ | |
| CidrBlock: !Ref PrivateSubnetACidr | |
| Tags: | |
| - Key: Name | |
| Value: poc-cf-private-subnet-a | |
| PrivateSubnetB: | |
| Type: AWS::EC2::Subnet | |
| Properties: | |
| VpcId: !Ref VPC | |
| AvailabilityZone: !Ref PrivateSubnetBAZ | |
| CidrBlock: !Ref PrivateSubnetBCidr | |
| Tags: | |
| - Key: Name | |
| Value: poc-cf-private-subnet-b | |
| # Connecting VPC to internet | |
| InternetGateway: | |
| Type: AWS::EC2::InternetGateway | |
| Properties: | |
| Tags: | |
| - Key: Name | |
| Value: ig-vpc | |
| InternetGatewayAttachement: | |
| Type: AWS::EC2::VPCGatewayAttachment | |
| Properties: | |
| InternetGatewayId: !Ref InternetGateway | |
| VpcId: !Ref VPC | |
| # Creating VPC route table with an entry to route Internet traffic to the Internet Gateway | |
| PublicRouteTable: | |
| Type: AWS::EC2::RouteTable | |
| Properties: | |
| VpcId: !Ref VPC | |
| Tags: | |
| - Key: Name | |
| Value: Public routes | |
| DefaultPublicRoute: | |
| Type: AWS::EC2::Route | |
| DependsOn: InternetGatewayAttachement | |
| Properties: | |
| RouteTableId: !Ref PublicRouteTable | |
| DestinationCidrBlock: 0.0.0.0/0 | |
| GatewayId: !Ref InternetGateway | |
| # Creating public subnet A & B route table association | |
| PublicSubnetARouteTableAssociation: | |
| Type: AWS::EC2::SubnetRouteTableAssociation | |
| Properties: | |
| RouteTableId: !Ref PublicRouteTable | |
| SubnetId: !Ref PublicSubnetA | |
| PublicSubnetBRouteTableAssociation: | |
| Type: AWS::EC2::SubnetRouteTableAssociation | |
| Properties: | |
| RouteTableId: !Ref PublicRouteTable | |
| SubnetId: !Ref PublicSubnetB | |
| # Now we neer Nat Gateway Associations to our private subnet | |
| NatGatewayAIP: | |
| Type: AWS::EC2::EIP | |
| DependsOn: InternetGatewayAttachement | |
| Properties: | |
| Domain: vpc | |
| NatGatewayA: | |
| Type: AWS::EC2::NatGateway | |
| Properties: | |
| AllocationId: !GetAtt NatGatewayAIP.AllocationId | |
| SubnetId: !Ref PublicSubnetA | |
| # Creating a private subnet A & B route table association, to this we need a Nat Gateway | |
| PrivateRouteTable: | |
| Type: AWS::EC2::RouteTable | |
| Properties: | |
| VpcId: !Ref VPC | |
| Tags: | |
| - Key: Name | |
| Value: Private routes | |
| DefaultPrivateRoute: | |
| Type: AWS::EC2::Route | |
| Properties: | |
| RouteTableId: !Ref PrivateRouteTable | |
| DestinationCidrBlock: 0.0.0.0/0 | |
| NatGatewayId: !Ref NatGatewayA | |
| PrivateSubnetARouteTableAssociation: | |
| Type: AWS::EC2::SubnetRouteTableAssociation | |
| Properties: | |
| RouteTableId: !Ref PrivateRouteTable | |
| SubnetId: !Ref PrivateSubnetA | |
| PrivateSubnetBRouteTableAssociation: | |
| Type: AWS::EC2::SubnetRouteTableAssociation | |
| Properties: | |
| RouteTableId: !Ref PrivateRouteTable | |
| SubnetId: !Ref PrivateSubnetB | |
| # Creating a EC2 instance and SG as Bastion in public subnet | |
| BastionSG: | |
| Type: AWS::EC2::SecurityGroup | |
| Properties: | |
| VpcId: !Ref VPC | |
| GroupDescription: we use this instance as ssh bastion | |
| SecurityGroupIngress: | |
| - IpProtocol: tcp | |
| FromPort: 22 | |
| ToPort: 22 | |
| CidrIp: 0.0.0.0/0 | |
| Tags: | |
| - Key: Name | |
| Value: poc-cf-bastion-sg | |
| BastionInstance: | |
| Type: AWS::EC2::Instance | |
| Properties: | |
| ImageId: !FindInMap | |
| - RegionMap | |
| - !Ref AWS::Region | |
| - HVM64 | |
| InstanceType: !Ref PublicInstanceType | |
| KeyName: !Ref BastionKeyPairName | |
| SubnetId: !Ref PublicSubnetA | |
| SecurityGroupIds: | |
| - !Ref BastionSG | |
| Tags: | |
| - Key: Name | |
| Value: poc-cf-bastion-instance | |
| # Creating Database instance | |
| DBPrivateSG: | |
| Type: AWS::EC2::SecurityGroup | |
| Properties: | |
| VpcId: !Ref VPC | |
| GroupDescription: this is our private instance | |
| SecurityGroupIngress: | |
| - IpProtocol: tcp | |
| FromPort: 22 | |
| ToPort: 22 | |
| SourceSecurityGroupId: !Ref BastionSG | |
| - IpProtocol: tcp | |
| FromPort: 3306 | |
| ToPort: 3306 | |
| SourceSecurityGroupId: !Ref BastionSG | |
| Tags: | |
| - Key: Name | |
| Value: poc-cf-private-dg | |
| DBSubnetGroup: | |
| Type: AWS::RDS::DBSubnetGroup | |
| Properties: | |
| DBSubnetGroupDescription: we use this SG for our db | |
| SubnetIds: | |
| - !Ref PrivateSubnetA | |
| - !Ref PrivateSubnetB | |
| Tags: | |
| - Key: Name | |
| Value: DBSubnetGroup | |
| DB: | |
| Type: AWS::RDS::DBInstance | |
| Properties: | |
| DBInstanceIdentifier: !Ref DBInstanceID | |
| DBName: !Ref DBName | |
| DBInstanceClass: !Ref DBInstanceClass | |
| AllocatedStorage: !Ref DBAllocatedStorage | |
| Engine: MySQL | |
| EngineVersion: 5.7.22 | |
| MasterUsername: !Ref DBUsername | |
| MasterUserPassword: !Ref DBPassword | |
| AvailabilityZone: !Ref PrivateSubnetAAZ | |
| VPCSecurityGroups: | |
| - !GetAtt DBPrivateSG.GroupId | |
| DBSubnetGroupName: !Ref DBSubnetGroup | |
| PubliclyAccessible: False |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment