Created
October 15, 2017 16:24
-
-
Save eMahtab/3f0ce1cf6ef4846a2367477ee63b4834 to your computer and use it in GitHub Desktop.
Securely copying the files from S3 with EC2 IAM role with Cloudformation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "AWSTemplateFormatVersion" : "2010-09-09", | |
| "Description" : "AWS CloudFormation Sample Template VPC_with_PublicIPs_And_DNS: Sample template that creates a VPC with DNS and public IPs enabled. Note that you are billed for the AWS resources that you use when you create a stack from this template.", | |
| "Parameters": { | |
| "KeyPair": { | |
| "Description": "Name of the keypair to use for SSH access", | |
| "Type": "String" | |
| }, | |
| "BucketName" : { | |
| "Description" : "Name of bucket containing application war", | |
| "Type" : "String", | |
| "Default" : "war.bucket" | |
| } | |
| }, | |
| "Resources" : { | |
| "VPC" : { | |
| "Type" : "AWS::EC2::VPC", | |
| "Properties" : { | |
| "EnableDnsSupport" : "true", | |
| "EnableDnsHostnames" : "true", | |
| "CidrBlock" : "10.0.0.0/16" | |
| } | |
| }, | |
| "PublicSubnet" : { | |
| "Type" : "AWS::EC2::Subnet", | |
| "Properties" : { | |
| "VpcId" : { "Ref" : "VPC" }, | |
| "CidrBlock" : "10.0.0.0/24" | |
| } | |
| }, | |
| "InternetGateway" : { | |
| "Type" : "AWS::EC2::InternetGateway" | |
| }, | |
| "VPCGatewayAttachment" : { | |
| "Type" : "AWS::EC2::VPCGatewayAttachment", | |
| "Properties" : { | |
| "VpcId" : { "Ref" : "VPC" }, | |
| "InternetGatewayId" : { "Ref" : "InternetGateway" } | |
| } | |
| }, | |
| "PublicRouteTable" : { | |
| "Type" : "AWS::EC2::RouteTable", | |
| "Properties" : { | |
| "VpcId" : { "Ref" : "VPC" } | |
| } | |
| }, | |
| "PublicRoute" : { | |
| "Type" : "AWS::EC2::Route", | |
| "DependsOn" : "VPCGatewayAttachment", | |
| "Properties" : { | |
| "RouteTableId" : { "Ref" : "PublicRouteTable" }, | |
| "DestinationCidrBlock" : "0.0.0.0/0", | |
| "GatewayId" : { "Ref" : "InternetGateway" } | |
| } | |
| }, | |
| "PublicSubnetRouteTableAssociation" : { | |
| "Type" : "AWS::EC2::SubnetRouteTableAssociation", | |
| "Properties" : { | |
| "SubnetId" : { "Ref" : "PublicSubnet" }, | |
| "RouteTableId" : { "Ref" : "PublicRouteTable" } | |
| } | |
| }, | |
| "PublicSubnetNetworkAclAssociation" : { | |
| "Type" : "AWS::EC2::SubnetNetworkAclAssociation", | |
| "Properties" : { | |
| "SubnetId" : { "Ref" : "PublicSubnet" }, | |
| "NetworkAclId" : { "Fn::GetAtt" : ["VPC", "DefaultNetworkAcl"] } | |
| } | |
| }, | |
| "WebServerSecurityGroup" : { | |
| "Type" : "AWS::EC2::SecurityGroup", | |
| "Properties" : { | |
| "GroupDescription" : "Enable HTTP ingress", | |
| "VpcId" : { "Ref" : "VPC" }, | |
| "SecurityGroupIngress" : [ | |
| {"IpProtocol" : "tcp","FromPort" : "80","ToPort" : "80","CidrIp" : "0.0.0.0/0"}, | |
| {"IpProtocol" : "tcp","FromPort" : "8080","ToPort" : "8080","CidrIp" : "0.0.0.0/0"}, | |
| {"IpProtocol" : "tcp", "FromPort" : "22", "ToPort" : "22", "CidrIp" : "0.0.0.0/0"}] | |
| } | |
| }, | |
| "InstanceRole":{ | |
| "Type":"AWS::IAM::Role", | |
| "Properties":{ | |
| "AssumeRolePolicyDocument":{ | |
| "Statement":[ | |
| { | |
| "Effect":"Allow", | |
| "Principal":{ | |
| "Service":[ | |
| "ec2.amazonaws.com" | |
| ] | |
| }, | |
| "Action":[ | |
| "sts:AssumeRole" | |
| ] | |
| } | |
| ] | |
| }, | |
| "Path":"/" | |
| } | |
| }, | |
| "RolePolicies":{ | |
| "Type":"AWS::IAM::Policy", | |
| "Properties":{ | |
| "PolicyName":"S3Download", | |
| "PolicyDocument":{ | |
| "Statement":[ | |
| { | |
| "Action":[ | |
| "s3:GetObject" | |
| ], | |
| "Effect":"Allow", | |
| "Resource":"arn:aws:s3:::war.bucket/*" | |
| } | |
| ] | |
| }, | |
| "Roles":[ | |
| { | |
| "Ref":"InstanceRole" | |
| } | |
| ] | |
| } | |
| }, | |
| "InstanceProfile":{ | |
| "Type":"AWS::IAM::InstanceProfile", | |
| "Properties":{ | |
| "Path":"/", | |
| "Roles":[ | |
| { | |
| "Ref":"InstanceRole" | |
| } | |
| ] | |
| } | |
| }, | |
| "WebServerInstance": { | |
| "Type": "AWS::EC2::Instance", | |
| "Metadata" : { | |
| "AWS::CloudFormation::Init" : { | |
| "config" : { | |
| "files" : { | |
| "/usr/share/tomcat7/webapps/sample.war" : { | |
| "source" : { | |
| "Fn::Join" : ["", ["https://s3.amazonaws.com/",{ "Ref" : "BucketName" },"/","sample.war"]] | |
| }, | |
| "owner" : "root", | |
| "mode" : "000777", | |
| "authentication": "S3AccessCreds" | |
| } | |
| } | |
| } | |
| }, | |
| "AWS::CloudFormation::Authentication": { | |
| "S3AccessCreds": { | |
| "type": "S3", | |
| "roleName": { | |
| "Ref": "InstanceRole" | |
| } | |
| } | |
| } | |
| }, | |
| "Properties": { | |
| "InstanceType": "t2.micro", | |
| "ImageId": "ami-8c1be5f6", | |
| "IamInstanceProfile": { "Ref": "InstanceProfile" }, | |
| "NetworkInterfaces" : [{ | |
| "GroupSet" : [{"Ref": "WebServerSecurityGroup"}], | |
| "AssociatePublicIpAddress" : "true", | |
| "DeviceIndex" : "0", | |
| "DeleteOnTermination" : "true", | |
| "SubnetId" : {"Ref": "PublicSubnet"} | |
| }], | |
| "KeyName": { | |
| "Ref": "KeyPair" | |
| }, | |
| "UserData": { | |
| "Fn::Base64": { | |
| "Fn::Join": [ | |
| "", | |
| [ | |
| "#!/bin/bash -xe\n", | |
| "sudo yum update -y\n", | |
| "sudo yum install -y tomcat7-webapps tomcat7-docs-webapp tomcat7-admin-webapps\n", | |
| "sudo service tomcat7 start\n", | |
| "yum update -y aws-cfn-bootstrap\n", | |
| "# Installing application\n", | |
| "/opt/aws/bin/cfn-init -s ",{ "Ref" : "AWS::StackName" }, | |
| " -r WebServerInstance ", | |
| " --region ", { "Ref" : "AWS::Region" } | |
| ] | |
| ] | |
| } | |
| } | |
| } | |
| } | |
| }, | |
| "Outputs" : { | |
| "URL" : { | |
| "Description" : "URL of the sample website", | |
| "Value" : { "Fn::Join" : [ "", [ "http://", { "Fn::GetAtt" : [ "WebServerInstance", "PublicDnsName" ]},":8080"]]} | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment