@fadeojo
Last active September 10, 2019 14:08
Vault cloud-formation snippet
```yaml
# Vault CloudFormation snippet. These resources belong under the template's
# top-level "Resources:" key; values in <angle brackets> are placeholders.
ElasticLoadBalancer:
  Type: AWS::ElasticLoadBalancing::LoadBalancer
  Properties:
    CrossZone: "true"
    Listeners:
      - LoadBalancerPort: "443"
        InstancePort: "8200"
        Protocol: HTTPS
        SSLCertificateId: <your ssl cert arn>
    HealthCheck:
      # Tells the load balancer which node is the HA leader: Vault returns 200
      # on the active node and 429 on standbys, so only the leader is "healthy".
      Target: HTTP:8200/v1/sys/health
      HealthyThreshold: "2"
      UnhealthyThreshold: "2"
      Interval: "5"
      Timeout: "2"
    Subnets: <your subnets>
    SecurityGroups:
      - !Ref "ElbSecurityGroup"
ElbSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    VpcId: <your vpc id>
    GroupDescription: Enable public access to ELB
    SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: "443"
        ToPort: "443"
        CidrIp: "0.0.0.0/0"
WebServerGroup:
  Type: AWS::AutoScaling::AutoScalingGroup
  Properties:
    LaunchConfigurationName: !Ref "LaunchConfig"
    MinSize: "2"
    MaxSize: "2"
    LoadBalancerNames:
      - !Ref "ElasticLoadBalancer"
    VPCZoneIdentifier: <vpc zone identifier>
    Tags:
      - Key: Name
        Value: vault
        PropagateAtLaunch: true
  # Resource attributes, not Properties: wait for one instance to signal
  # success on create, and roll instances one at a time on update.
  CreationPolicy:
    ResourceSignal:
      Timeout: PT15M
      Count: "1"
  UpdatePolicy:
    AutoScalingRollingUpdate:
      MinInstancesInService: "0"
      MaxBatchSize: "1"
      PauseTime: PT15M
      WaitOnResourceSignals: "true"
LaunchConfig:
  Type: AWS::AutoScaling::LaunchConfiguration
  Metadata:
    Comment: Configure Vault and CloudFormation
    AWS::CloudFormation::Init:
      config:
        commands:
          # Renders the Vault server config from the DynamoDB table name and
          # the KMS key id (Ref on those resources returns name and key id).
          vaultConfig:
            command: !Sub "/usr/local/bin/create-vault-config.sh ${VaultDB} ${EncryptionKey}"
        files:
          /etc/cfn/cfn-hup.conf:
            content: !Join
              - ""
              - - "[main]\n"
                - stack=
                - !Ref "AWS::StackId"
                - "\n"
                - region=
                - !Ref "AWS::Region"
                - "\n"
            mode: "000400"
            owner: root
            group: root
          /etc/cfn/hooks.d/cfn-auto-reloader.conf:
            content: !Join
              - ""
              - - "[cfn-auto-reloader-hook]\n"
                - "triggers=post.update\n"
                - "path=Resources.LaunchConfig.Metadata.AWS::CloudFormation::Init\n"
                - "action=/opt/aws/bin/cfn-init -v "
                - " --stack "
                - !Ref "AWS::StackName"
                - " --resource LaunchConfig "
                - " --region "
                - !Ref "AWS::Region"
                - "\n"
                - "runas=root\n"
        services:
          sysvinit:
            cfn-hup:
              enabled: "true"
              ensureRunning: "true"
              files:
                - /etc/cfn/cfn-hup.conf
                - /etc/cfn/hooks.d/cfn-auto-reloader.conf
            vault.sysvinit:
              enabled: "true"
              ensureRunning: "true"
              # Restart the service whenever the vaultConfig command runs
              commands:
                - "vaultConfig"
  Properties:
    ImageId: <your image ID>
    SecurityGroups: <your security group>          # e.g. !Ref "InstanceSecurityGroup" (defined below)
    IamInstanceProfile: <your instance profile role> # e.g. !Ref "InstanceProfileRole" (defined below)
    InstanceType: "t2.medium"
    UserData: !Base64
      Fn::Join:
        - ""
        - - "#!/bin/bash -xe\n"
          - "yum update -y aws-cfn-bootstrap\n"
          - "/opt/aws/bin/cfn-init -v "
          - " --stack "
          - !Ref "AWS::StackName"
          - " --resource LaunchConfig "
          - " --region "
          - !Ref "AWS::Region"
          - "\n"
          - "/opt/aws/bin/cfn-signal -e $? "
          - " --stack "
          - !Ref "AWS::StackName"
          - " --resource WebServerGroup "
          - " --region "
          - !Ref "AWS::Region"
          - "\n"
InstanceSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    VpcId: <your vpc id>
    GroupDescription: Enable SSH access and HTTP from the load balancer only
    SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: "22"
        ToPort: "22"
        CidrIp: 172.16.0.0/12
      # Port 8200 is reachable only from the ELB security group, never from the internet
      - IpProtocol: tcp
        FromPort: "8200"
        ToPort: "8200"
        SourceSecurityGroupId: !Ref "ElbSecurityGroup"
InstanceProfileRole:
  Type: AWS::IAM::InstanceProfile
  Properties:
    Path: /
    Roles:
      - !Ref "InstanceRole"
InstanceRole:
  Type: AWS::IAM::Role
  Properties:
    ManagedPolicyArns:
      - !Ref "InstancePolicyVault"
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Action:
            - sts:AssumeRole
          Effect: Allow
          Principal:
            Service:
              - ec2.amazonaws.com
InstancePolicyVault:
  Type: AWS::IAM::ManagedPolicy
  Properties:
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Action:
            - kms:Encrypt
            - kms:Decrypt
            - kms:ReEncrypt*
            - kms:GenerateDataKey*
            - kms:DescribeKey
            - dynamodb:DescribeLimits
            - dynamodb:DescribeTimeToLive
            - dynamodb:ListTagsOfResource
            - dynamodb:DescribeReservedCapacityOfferings
            - dynamodb:DescribeReservedCapacity
            - dynamodb:ListTables
            - dynamodb:BatchGetItem
            - dynamodb:BatchWriteItem
            - dynamodb:CreateTable
            - dynamodb:DeleteItem
            - dynamodb:GetItem
            - dynamodb:GetRecords
            - dynamodb:PutItem
            - dynamodb:Query
            - dynamodb:UpdateItem
            - dynamodb:Scan
            - dynamodb:DescribeTable
          # Scoped to exactly the two resources Vault needs; account-wide
          # actions such as dynamodb:ListTables ignore a table ARN and would
          # need a separate "*" statement if Vault actually calls them.
          Resource:
            - !GetAtt "EncryptionKey.Arn" # Encryption key for Vault seal
            - !GetAtt "VaultDB.Arn" # DynamoDB table to run Vault in HA mode
        - Effect: Allow
          Action:
            - "sts:AssumeRole"
          # "*" lets the instance attempt to assume any role that trusts it;
          # narrow this to the specific role ARNs Vault's AWS backends use.
          Resource: "*"
    Description: Allows Vault nodes to use the seal KMS key and the DynamoDB HA backend
EncryptionKey:
  Type: AWS::KMS::Key
  Properties:
    EnableKeyRotation: true
    KeyPolicy:
      Version: "2012-10-17"
      Id: kms
      Statement:
        - Sid: Allow administration of the key
          Effect: Allow
          Principal:
            AWS: <principal>
          Action:
            - <kms actions>
          Resource: <resource>
EncryptionKeyAlias:
  Type: AWS::KMS::Alias
  Properties:
    TargetKeyId: !Ref "EncryptionKey"
    AliasName: <alias name> # must begin with "alias/"
VaultDB:
  Type: AWS::DynamoDB::Table
  Properties:
    # Path (hash) + Key (range) is the schema Vault's DynamoDB storage backend expects
    AttributeDefinitions:
      - AttributeName: "Path"
        AttributeType: "S"
      - AttributeName: "Key"
        AttributeType: "S"
    KeySchema:
      - AttributeName: "Path"
        KeyType: "HASH"
      - AttributeName: "Key"
        KeyType: "RANGE"
    ProvisionedThroughput:
      ReadCapacityUnits: 5
      WriteCapacityUnits: 5
```
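The `vaultConfig` command above hands the DynamoDB table name and the KMS key id to `/usr/local/bin/create-vault-config.sh`, which the gist does not include. The following is an added, illustrative stand-in for such a script (not the gist author's code): it writes a `vault.hcl` that uses the DynamoDB HA storage backend and the AWS KMS auto-unseal, matching the resources the template creates. It assumes TLS is terminated at the ELB (the health check targets `HTTP:8200`), so the listener has `tls_disable` set; the region and node address are taken as parameters here, whereas a real script would read them from instance metadata. The table name, key id and address in the usage call are constructed sample values.

```shell
#!/bin/bash
# Added example: generates a Vault server configuration from the values the
# CloudFormation "vaultConfig" command passes in. Not the gist's own script.
#
# Usage: write_vault_config <dynamodb-table> <kms-key-id> <aws-region> <node-ip> <output-file>
write_vault_config() {
    wvc_table="$1"; wvc_key_id="$2"; wvc_region="$3"; wvc_node_ip="$4"; wvc_out="$5"

    # Every argument is required; refuse to write a half-formed config.
    [ -n "$wvc_table" ] && [ -n "$wvc_key_id" ] && [ -n "$wvc_region" ] \
        && [ -n "$wvc_node_ip" ] && [ -n "$wvc_out" ] || return 1

    # Unquoted heredoc so the ${...} values are substituted at generation time.
    cat > "$wvc_out" <<EOF
# Vault server configuration generated from CloudFormation values (example)
listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = "true"   # HTTPS is terminated at the ELB; 8200 is reachable only from the ELB SG
}

storage "dynamodb" {
  ha_enabled = "true"
  region     = "${wvc_region}"
  table      = "${wvc_table}"
}

seal "awskms" {
  region     = "${wvc_region}"
  kms_key_id = "${wvc_key_id}"
}

# Address other cluster members and the ELB use to reach this node
api_addr = "http://${wvc_node_ip}:8200"
EOF
    # Config contains no secrets, but keep it readable by root only, like cfn-hup.conf
    chmod 0400 "$wvc_out"
}

# Returns 0 if the generated file contains the expected storage table, 1 otherwise.
config_uses_table() {
    grep -q "table      = \"$2\"" "$1"
}

# Example invocation with constructed sample values (an EC2 bootstrap would
# pass "$1" "$2" from cfn-init plus values read from instance metadata):
if [ "${BASH_SOURCE[0]}" = "$0" ] && [ "$#" -eq 5 ]; then
    write_vault_config "$1" "$2" "$3" "$4" "$5"
fi
```

Run it as `create-vault-config-example.sh vault-ha-table 1234abcd-12ab-34cd-56ef-1234567890ab us-east-1 10.0.1.5 /etc/vault.d/vault.hcl`; with `ha_enabled` set and the standby nodes returning 429 on `/v1/sys/health`, the ELB health check in the template routes only to the active node.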