Last active
January 9, 2021 05:05
-
-
Save miyamoto-daisuke/7149842 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
{ | |
"AWSTemplateFormatVersion": "2010-09-09", | |
"Description": "VPC knowhow template", | |
"Parameters": { | |
"KeyName": { | |
"Description": "Name of an existing EC2 KeyPair to enable SSH access to the instances", | |
"Type": "String", | |
"MinLength": "1", | |
"MaxLength": "64", | |
"AllowedPattern": "[-_ a-zA-Z0-9]*", | |
"ConstraintDescription": "can contain only alphanumeric characters, spaces, dashes and underscores." | |
}, | |
"SSHFrom" : { | |
"Description" : "Lockdown SSH access to the bastion host (default can be accessed from anywhere)", | |
"Type" : "String", | |
"MinLength": "9", | |
"MaxLength": "18", | |
"Default" : "0.0.0.0/0", | |
"AllowedPattern" : "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})", | |
"ConstraintDescription" : "must be a valid CIDR range of the form x.x.x.x/x." | |
}, | |
"DBUsername": { | |
"Default": "admin", | |
"Description" : "The database admin account username", | |
"Type": "String", | |
"MinLength": "1", | |
"MaxLength": "16", | |
"AllowedPattern" : "[a-zA-Z][a-zA-Z0-9]*", | |
"ConstraintDescription" : "must begin with a letter and contain only alphanumeric characters." | |
}, | |
"DBPassword" : { | |
"Description" : "Password of RDS master password", | |
"Type" : "String", | |
"NoEcho": "true", | |
"MinLength": "4" | |
}, | |
"HostedZone" : { | |
"Description" : "The DNS name of an existing Amazon Route 53 hosted zone", | |
"Type" : "String" | |
} | |
}, | |
"Mappings": { | |
"AWSNATAMI": { | |
"us-east-1": { "AMI": "ami-c6699baf" }, | |
"us-west-2": { "AMI": "ami-52ff7262" }, | |
"us-west-1": { "AMI": "ami-3bcc9e7e" }, | |
"eu-west-1": { "AMI": "ami-0b5b6c7f" }, | |
"ap-southeast-1": { "AMI": "ami-02eb9350" }, | |
"ap-southeast-2": { "AMI": "ami-ab990e91" }, | |
"ap-northeast-1": { "AMI": "ami-14d86d15" }, | |
"sa-east-1": { "AMI": "ami-0439e619" } | |
}, | |
"AWSAmazonLinuxAMI": { | |
"us-east-1": { "name":"Virginia", "201303": "ami-3275ee5b", "201309": "ami-35792c5c" }, | |
"us-west-2": { "name":"Oregon", "201303": "ami-ecbe2adc", "201309": "ami-d03ea1e0" }, | |
"us-west-1": { "name":"California", "201303": "ami-66d1fc23", "201309": "ami-687b4f2d" }, | |
"eu-west-1": { "name":"Ireland", "201303": "ami-44939930", "201309": "ami-149f7863" }, | |
"ap-southeast-1": { "name":"Singapole", "201303": "ami-aa9ed2f8", "201309": "ami-14f2b946" }, | |
"ap-southeast-2": { "name":"Sydney", "201303": "ami-363eaf0c", "201309": "ami-a148d59b" }, | |
"ap-northeast-1": { "name":"Tokyo", "201303": "ami-173fbf16", "201309": "ami-3561fe34" }, | |
"sa-east-1": { "name":"SaoPaulo", "201303": "ami-dd6bb0c0", "201309": "ami-9f6ec982" } | |
}, | |
"AZ": { | |
"us-east-1": { "primary": "us-east-1b", "secondary": "us-east-1c" }, | |
"us-west-2": { "primary": "us-west-2a", "secondary": "us-west-2b" }, | |
"us-west-1": { "primary": "us-west-1a", "secondary": "us-west-1b" }, | |
"eu-west-1": { "primary": "eu-west-1a", "secondary": "eu-west-1b" }, | |
"ap-southeast-1": { "primary": "ap-southeast-1a", "secondary": "ap-southeast-1b" }, | |
"ap-southeast-2": { "primary": "ap-southeast-2a", "secondary": "ap-southeast-2b" }, | |
"ap-northeast-1": { "primary": "ap-northeast-1a", "secondary": "ap-northeast-1c" }, | |
"sa-east-1": { "primary": "sa-east-1a", "secondary": "sa-east-1b" } | |
}, | |
"StackConfig" : { | |
"VPC" : { "CIDR" : "10.0.0.0/16" }, | |
"FrontendSubnet1" : { "CIDR" : "10.0.0.0/24" }, | |
"FrontendSubnet2" : { "CIDR" : "10.0.1.0/24" }, | |
"ApplicationSubnet1": { "CIDR" : "10.0.2.0/24" }, | |
"ApplicationSubnet2": { "CIDR" : "10.0.3.0/24" }, | |
"DatastoreSubnet1" : { "CIDR" : "10.0.4.0/24" }, | |
"DatastoreSubnet2" : { "CIDR" : "10.0.5.0/24" }, | |
"NATServer" : { "InstanceType" : "t1.micro" }, | |
"BastionServer" : { "InstanceType" : "t1.micro" }, | |
"ApplicationServer" : { "InstanceType" : "t1.micro" }, | |
"DBServer" : { "InstanceType" : "db.t1.micro", "AllocatedStorage" : "5", "DBName" : "mydb" } | |
} | |
}, | |
"Resources": { | |
"PowerUserRole" : { | |
"Type" : "AWS::IAM::Role", | |
"Properties" : { | |
"AssumeRolePolicyDocument" : { | |
"Statement": [ { | |
"Effect": "Allow", | |
"Principal": { | |
"Service": [ "ec2.amazonaws.com" ] | |
}, | |
"Action": [ "sts:AssumeRole" ] | |
} ] | |
}, | |
"Path" : "/", | |
"Policies" :[ { | |
"PolicyName" : "PowerUserPolicy", | |
"PolicyDocument" : { | |
"Statement": [ { | |
"Sid": "PowerUserStmt", | |
"Effect": "Allow", | |
"NotAction": "iam:*", | |
"Resource": "*" | |
} ] | |
} | |
}] | |
} | |
}, | |
"PowerUserProfile" : { | |
"Type" : "AWS::IAM::InstanceProfile", | |
"Properties" : { | |
"Path": "/", | |
"Roles" : [ { "Ref" : "PowerUserRole" } ] | |
} | |
}, | |
"VPC" : { | |
"Type" : "AWS::EC2::VPC", | |
"Properties" : { | |
"CidrBlock" : { "Fn::FindInMap" : [ "StackConfig", "VPC", "CIDR" ]}, | |
"InstanceTenancy" : "default", | |
"Tags" : [ | |
{"Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } }, | |
{"Key" : "Network", "Value" : "Public" } | |
] | |
} | |
}, | |
"InternetGateway" : { | |
"Type" : "AWS::EC2::InternetGateway", | |
"Properties" : { | |
"Tags" : [ | |
{"Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } }, | |
{"Key" : "Network", "Value" : "Public" } | |
] | |
} | |
}, | |
"AttachGateway" : { | |
"Type" : "AWS::EC2::VPCGatewayAttachment", | |
"Properties" : { | |
"VpcId" : {"Ref" : "VPC"}, | |
"InternetGatewayId" : {"Ref" : "InternetGateway"} | |
} | |
}, | |
"PublicRouteTable" : { | |
"Type" : "AWS::EC2::RouteTable", | |
"DependsOn" : "AttachGateway", | |
"Properties" : { | |
"VpcId" : { "Ref" : "VPC" }, | |
"Tags" : [ | |
{"Key" : "Application", "Value" : { "Ref" : "AWS::StackId"} }, | |
{"Key" : "Network", "Value" : "Public" } | |
] | |
} | |
}, | |
"ProtectedRouteTable" : { | |
"Type" : "AWS::EC2::RouteTable", | |
"DependsOn" : "AttachGateway", | |
"Properties" : { | |
"VpcId" : {"Ref" : "VPC"}, | |
"Tags" : [ | |
{"Key" : "Application", "Value" : { "Ref" : "AWS::StackId"} }, | |
{"Key" : "Network", "Value" : "Protected" } | |
] | |
} | |
}, | |
"PublicRoute" : { | |
"Type" : "AWS::EC2::Route", | |
"DependsOn" : "AttachGateway", | |
"Properties" : { | |
"RouteTableId" : { "Ref" : "PublicRouteTable" }, | |
"DestinationCidrBlock" : "0.0.0.0/0", | |
"GatewayId" : { "Ref" : "InternetGateway" } | |
} | |
}, | |
"ProtectedRoute": { | |
"Type": "AWS::EC2::Route", | |
"DependsOn" : "AttachGateway", | |
"Properties": { | |
"RouteTableId": { "Ref": "ProtectedRouteTable" }, | |
"DestinationCidrBlock": "0.0.0.0/0", | |
"InstanceId": { "Ref": "NATInstance" } | |
} | |
}, | |
"FrontendSubnet1": { | |
"Type": "AWS::EC2::Subnet", | |
"DependsOn" : "AttachGateway", | |
"Properties": { | |
"VpcId": { "Ref": "VPC" }, | |
"AvailabilityZone": { "Fn::FindInMap": [ "AZ", { "Ref": "AWS::Region" }, "primary" ]}, | |
"CidrBlock": { "Fn::FindInMap" : [ "StackConfig", "FrontendSubnet1", "CIDR" ]}, | |
"Tags" : [ | |
{"Key" : "Application", "Value" : { "Ref" : "AWS::StackId"} }, | |
{"Key" : "Network", "Value" : "Public" } | |
] | |
} | |
}, | |
"FrontendSubnet2": { | |
"Type": "AWS::EC2::Subnet", | |
"DependsOn" : "AttachGateway", | |
"Properties": { | |
"VpcId": { "Ref": "VPC" }, | |
"AvailabilityZone": { "Fn::FindInMap": [ "AZ", { "Ref": "AWS::Region" }, "secondary" ]}, | |
"CidrBlock": { "Fn::FindInMap" : [ "StackConfig", "FrontendSubnet2", "CIDR" ]}, | |
"Tags" : [ | |
{"Key" : "Application", "Value" : { "Ref" : "AWS::StackId"} }, | |
{"Key" : "Network", "Value" : "Public" } | |
] | |
} | |
}, | |
"ApplicationSubnet1" : { | |
"Type" : "AWS::EC2::Subnet", | |
"DependsOn" : "AttachGateway", | |
"Properties" : { | |
"VpcId" : {"Ref" : "VPC"}, | |
"CidrBlock" : { "Fn::FindInMap" : [ "StackConfig", "ApplicationSubnet1", "CIDR" ]}, | |
"AvailabilityZone" : { "Fn::FindInMap": [ "AZ", { "Ref": "AWS::Region" }, "primary" ]}, | |
"Tags" : [ | |
{"Key" : "Application", "Value" : { "Ref" : "AWS::StackId"} }, | |
{"Key" : "Network", "Value" : "Protected" } | |
] | |
} | |
}, | |
"ApplicationSubnet2" : { | |
"Type" : "AWS::EC2::Subnet", | |
"DependsOn" : "AttachGateway", | |
"Properties" : { | |
"VpcId" : {"Ref" : "VPC"}, | |
"CidrBlock" : { "Fn::FindInMap" : [ "StackConfig", "ApplicationSubnet2", "CIDR" ]}, | |
"AvailabilityZone" : { "Fn::FindInMap": [ "AZ", { "Ref": "AWS::Region" }, "secondary" ]}, | |
"Tags" : [ | |
{"Key" : "Application", "Value" : { "Ref" : "AWS::StackId"} }, | |
{"Key" : "Network", "Value" : "Protected" } | |
] | |
} | |
}, | |
"DatastoreSubnet1" : { | |
"Type" : "AWS::EC2::Subnet", | |
"DependsOn" : "AttachGateway", | |
"Properties" : { | |
"VpcId" : { "Ref" : "VPC" }, | |
"CidrBlock" : { "Fn::FindInMap" : [ "StackConfig", "DatastoreSubnet1", "CIDR" ]}, | |
"AvailabilityZone" : { "Fn::FindInMap": [ "AZ", { "Ref": "AWS::Region" }, "primary" ]}, | |
"Tags" : [ | |
{"Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } }, | |
{"Key" : "Network", "Value" : "Protected" } | |
] | |
} | |
}, | |
"DatastoreSubnet2" : { | |
"Type" : "AWS::EC2::Subnet", | |
"DependsOn" : "AttachGateway", | |
"Properties" : { | |
"VpcId" : { "Ref" : "VPC" }, | |
"CidrBlock" : { "Fn::FindInMap" : [ "StackConfig", "DatastoreSubnet2", "CIDR" ]}, | |
"AvailabilityZone" : { "Fn::FindInMap": [ "AZ", { "Ref": "AWS::Region" }, "secondary" ]}, | |
"Tags" : [ | |
{"Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } }, | |
{"Key" : "Network", "Value" : "Protected" } | |
] | |
} | |
}, | |
"FrontendSubnet1RouteTableAssociation" : { | |
"Type" : "AWS::EC2::SubnetRouteTableAssociation", | |
"Properties" : { | |
"SubnetId" : { "Ref" : "FrontendSubnet1" }, | |
"RouteTableId" : { "Ref" : "PublicRouteTable" } | |
} | |
}, | |
"FrontendSubnet2RouteTableAssociation" : { | |
"Type" : "AWS::EC2::SubnetRouteTableAssociation", | |
"Properties" : { | |
"SubnetId" : { "Ref" : "FrontendSubnet2" }, | |
"RouteTableId" : { "Ref" : "PublicRouteTable" } | |
} | |
}, | |
"ApplicationSubnet1RouteTableAssociation" : { | |
"Type" : "AWS::EC2::SubnetRouteTableAssociation", | |
"Properties" : { | |
"SubnetId" : { "Ref" : "ApplicationSubnet1" }, | |
"RouteTableId" : { "Ref" : "ProtectedRouteTable" } | |
} | |
}, | |
"ApplicationSubnet2RouteTableAssociation" : { | |
"Type" : "AWS::EC2::SubnetRouteTableAssociation", | |
"Properties" : { | |
"SubnetId" : { "Ref" : "ApplicationSubnet2" }, | |
"RouteTableId" : { "Ref" : "ProtectedRouteTable" } | |
} | |
}, | |
"DatastoreSubnet1RouteTableAssociation" : { | |
"Type" : "AWS::EC2::SubnetRouteTableAssociation", | |
"Properties" : { | |
"SubnetId" : { "Ref" : "DatastoreSubnet1" }, | |
"RouteTableId" : { "Ref" : "ProtectedRouteTable" } | |
} | |
}, | |
"DatastoreSubnet2RouteTableAssociation" : { | |
"Type" : "AWS::EC2::SubnetRouteTableAssociation", | |
"Properties" : { | |
"SubnetId" : { "Ref" : "DatastoreSubnet2" }, | |
"RouteTableId" : { "Ref" : "ProtectedRouteTable" } | |
} | |
}, | |
"VPCDefaultSecurityGroup" : { | |
"Type" : "AWS::EC2::SecurityGroup", | |
"Properties" : { | |
"VpcId" : { "Ref" : "VPC" }, | |
"GroupDescription" : "Allow all communications in VPC", | |
"SecurityGroupIngress" : [ | |
{ "IpProtocol" : "tcp", "FromPort" : "0", "ToPort" : "65535", "CidrIp" : { "Fn::FindInMap" : [ "StackConfig", "VPC", "CIDR" ]} }, | |
{ "IpProtocol" : "udp", "FromPort" : "0", "ToPort" : "65535", "CidrIp" : { "Fn::FindInMap" : [ "StackConfig", "VPC", "CIDR" ]} }, | |
{ "IpProtocol" : "icmp", "FromPort" : "-1", "ToPort" : "-1", "CidrIp" : { "Fn::FindInMap" : [ "StackConfig", "VPC", "CIDR" ]} } | |
] | |
} | |
}, | |
"SSHSecurityGroup" : { | |
"Type" : "AWS::EC2::SecurityGroup", | |
"Properties" : { | |
"VpcId" : { "Ref" : "VPC" }, | |
"GroupDescription" : "Enable SSH access via port 22", | |
"SecurityGroupIngress" : [ | |
{ "IpProtocol" : "tcp", "FromPort" : "22", "ToPort" : "22", "CidrIp" : { "Ref" : "SSHFrom" }} | |
] | |
} | |
}, | |
"NATSecurityGroup" : { | |
"Type" : "AWS::EC2::SecurityGroup", | |
"Properties" : { | |
"VpcId" : { "Ref" : "VPC" }, | |
"GroupDescription" : "Marker security group for NAT." | |
} | |
}, | |
"PublicWebSecurityGroup" : { | |
"Type" : "AWS::EC2::SecurityGroup", | |
"Properties" : { | |
"VpcId" : { "Ref" : "VPC" }, | |
"GroupDescription" : "Public Security Group with HTTP access on port 443 from the internet", | |
"SecurityGroupIngress" : [ | |
{ "IpProtocol" : "tcp", "FromPort" : "80", "ToPort" : "80", "CidrIp" : "0.0.0.0/0" }, | |
{ "IpProtocol" : "tcp", "FromPort" : "443", "ToPort" : "443", "CidrIp" : "0.0.0.0/0" } | |
] | |
} | |
}, | |
"ApplicationSecurityGroup" : { | |
"Type" : "AWS::EC2::SecurityGroup", | |
"Properties" : { | |
"VpcId" : {"Ref" : "VPC"}, | |
"GroupDescription" : "Marker security group for Application server." | |
} | |
}, | |
"MySQLSecurityGroup" : { | |
"Type" : "AWS::EC2::SecurityGroup", | |
"Properties" : { | |
"VpcId" : {"Ref" : "VPC"}, | |
"GroupDescription" : "Marker security group for MySQL server." | |
} | |
}, | |
"NATDNSRecord" : { | |
"Type" : "AWS::Route53::RecordSet", | |
"Properties" : { | |
"HostedZoneName" : { "Fn::Join" : [ "", [{"Ref" : "HostedZone"}, "." ]]}, | |
"Comment" : "A record for the NAT instance.", | |
"Name" : { "Fn::Join" : [ "", ["nat.", {"Ref" : "HostedZone"}, "." ]]}, | |
"Type" : "A", | |
"TTL" : "300", | |
"ResourceRecords" : [ | |
{"Ref" :"NATInstanceEIP"} | |
] | |
} | |
}, | |
"NATLocalDNSRecord" : { | |
"Type" : "AWS::Route53::RecordSet", | |
"Properties" : { | |
"HostedZoneName" : { "Fn::Join" : [ "", [{"Ref" : "HostedZone"}, "." ]]}, | |
"Comment" : "A record for the private IP address of NAT instance.", | |
"Name" : { "Fn::Join" : [ "", ["nat.local.", {"Ref" : "HostedZone"}, "." ]]}, | |
"Type" : "A", | |
"TTL" : "300", | |
"ResourceRecords" : [ | |
{ "Fn::GetAtt" : [ "NATInstance", "PrivateIp" ] } | |
] | |
} | |
}, | |
"NATInstanceEIP": { | |
"Type": "AWS::EC2::EIP", | |
"DependsOn" : "AttachGateway", | |
"Properties": { | |
"Domain": "vpc", | |
"InstanceId": { "Ref": "NATInstance" } | |
} | |
}, | |
"NATInstance": { | |
"Type": "AWS::EC2::Instance", | |
"Properties": { | |
"InstanceType": { "Fn::FindInMap" : [ "StackConfig", "NATServer", "InstanceType" ]}, | |
"KeyName": { "Ref": "KeyName" }, | |
"SubnetId": { "Ref" : "FrontendSubnet1" }, | |
"SourceDestCheck": "false", | |
"ImageId": { "Fn::FindInMap": [ "AWSNATAMI", { "Ref": "AWS::Region" }, "AMI" ]}, | |
"IamInstanceProfile": { "Ref" : "PowerUserProfile" }, | |
"SecurityGroupIds" : [ | |
{ "Ref" : "NATSecurityGroup" }, | |
{ "Ref" : "VPCDefaultSecurityGroup" } | |
], | |
"Tags": [ | |
{ "Key": "Name", "Value": "NAT" } | |
] | |
} | |
}, | |
"BastionDNSRecord" : { | |
"Type" : "AWS::Route53::RecordSet", | |
"Properties" : { | |
"HostedZoneName" : { "Fn::Join" : [ "", [{"Ref" : "HostedZone"}, "." ]]}, | |
"Comment" : "A record for the Bastion instance.", | |
"Name" : { "Fn::Join" : [ "", ["bastion.", {"Ref" : "HostedZone"}, "." ]]}, | |
"Type" : "A", | |
"TTL" : "300", | |
"ResourceRecords" : [ | |
{"Ref" :"BastionInstanceEIP"} | |
] | |
} | |
}, | |
"BastionLocalDNSRecord" : { | |
"Type" : "AWS::Route53::RecordSet", | |
"Properties" : { | |
"HostedZoneName" : { "Fn::Join" : [ "", [{"Ref" : "HostedZone"}, "." ]]}, | |
"Comment" : "A record for the private IP address of Bastion instance.", | |
"Name" : { "Fn::Join" : [ "", ["bastion.local.", {"Ref" : "HostedZone"}, "." ]]}, | |
"Type" : "A", | |
"TTL" : "300", | |
"ResourceRecords" : [ | |
{ "Fn::GetAtt" : [ "BastionInstance", "PrivateIp" ] } | |
] | |
} | |
}, | |
"BastionInstanceEIP": { | |
"Type": "AWS::EC2::EIP", | |
"DependsOn" : "AttachGateway", | |
"Properties": { | |
"Domain": "vpc", | |
"InstanceId": { "Ref": "BastionInstance" } | |
} | |
}, | |
"BastionInstance": { | |
"Type": "AWS::EC2::Instance", | |
"Properties": { | |
"InstanceType": { "Fn::FindInMap" : [ "StackConfig", "BastionServer", "InstanceType" ]}, | |
"KeyName": { "Ref": "KeyName" }, | |
"SubnetId": { "Ref" : "FrontendSubnet1" }, | |
"ImageId": { "Fn::FindInMap": [ "AWSAmazonLinuxAMI", { "Ref": "AWS::Region" }, "201309" ]}, | |
"IamInstanceProfile": { "Ref" : "PowerUserProfile" }, | |
"SecurityGroupIds" : [ | |
{ "Ref" : "SSHSecurityGroup" }, | |
{ "Ref" : "VPCDefaultSecurityGroup" } | |
], | |
"Tags": [ | |
{ "Key": "Name", "Value": "Bastion" } | |
] | |
} | |
}, | |
"LoadBalancerDNSRecord" : { | |
"Type" : "AWS::Route53::RecordSetGroup", | |
"Properties" : { | |
"HostedZoneName" : { "Fn::Join" : [ "", [{"Ref" : "HostedZone"}, "." ]]}, | |
"Comment" : "Zone apex alias targeted to LoadBalancer.", | |
"RecordSets" : [ | |
{ | |
"Name" : { "Fn::Join" : [ "", [{"Ref" : "HostedZone"}, "." ]]}, | |
"Type" : "A", | |
"AliasTarget" : { | |
"HostedZoneId" : { "Fn::GetAtt" : ["ElasticLoadBalancer", "CanonicalHostedZoneNameID"] }, | |
"DNSName" : { "Fn::GetAtt" : ["ElasticLoadBalancer","CanonicalHostedZoneName"] } | |
} | |
} | |
] | |
} | |
}, | |
"ElasticLoadBalancer" : { | |
"Type" : "AWS::ElasticLoadBalancing::LoadBalancer", | |
"DependsOn" : "AttachGateway", | |
"Properties" : { | |
"Subnets" : [ | |
{ "Ref" : "FrontendSubnet1" }, | |
{ "Ref" : "FrontendSubnet2" } | |
], | |
"Listeners" : [ | |
{ "LoadBalancerPort" : "80", "InstancePort" : "80", "Protocol" : "HTTP" } | |
], | |
"HealthCheck" : { | |
"Target" : "HTTP:80/index.html", | |
"HealthyThreshold" : "2", | |
"UnhealthyThreshold" : "2", | |
"Interval" : "6", | |
"Timeout" : "5" | |
}, | |
"SecurityGroups" : [ | |
{ "Ref" : "PublicWebSecurityGroup" } | |
] | |
} | |
}, | |
"ApplicationFleet" : { | |
"Type" : "AWS::AutoScaling::AutoScalingGroup", | |
"DependsOn" : "ProtectedRoute", | |
"UpdatePolicy" : { | |
"AutoScalingRollingUpdate" : { | |
"MaxBatchSize" : "1", | |
"MinInstancesInService" : "1", | |
"PauseTime" : "PT2M30S" | |
} | |
}, | |
"Properties" : { | |
"AvailabilityZones" : [ | |
{ "Fn::GetAtt" : [ "ApplicationSubnet1", "AvailabilityZone" ] }, | |
{ "Fn::GetAtt" : [ "ApplicationSubnet2", "AvailabilityZone" ] } | |
], | |
"VPCZoneIdentifier" : [ | |
{ "Ref" : "ApplicationSubnet1" }, | |
{ "Ref" : "ApplicationSubnet2" } | |
], | |
"LaunchConfigurationName" : { "Ref" : "ApplicationServerLaunchConfig" }, | |
"MinSize" : "2", | |
"MaxSize" : "2", | |
"DesiredCapacity" : "2", | |
"LoadBalancerNames" : [ { "Ref" : "ElasticLoadBalancer" } ], | |
"Tags" : [ | |
{ "Key" : "Name", "Value" : "Application", "PropagateAtLaunch" : "true" } | |
] | |
} | |
}, | |
"ApplicationServerLaunchConfig" : { | |
"Type" : "AWS::AutoScaling::LaunchConfiguration", | |
"Properties" : { | |
"InstanceType": { "Fn::FindInMap" : [ "StackConfig", "ApplicationServer", "InstanceType" ]}, | |
"KeyName": { "Ref" : "KeyName" }, | |
"ImageId": { "Fn::FindInMap": [ "AWSAmazonLinuxAMI", { "Ref": "AWS::Region" }, "201309" ]}, | |
"SecurityGroups": [ | |
{ "Ref" : "VPCDefaultSecurityGroup" }, | |
{ "Ref" : "ApplicationSecurityGroup" } | |
], | |
"IamInstanceProfile": { "Ref" : "PowerUserProfile" }, | |
"InstanceMonitoring" : "false", | |
"UserData" : { "Fn::Base64" : { "Fn::Join" : ["", [ | |
"#! /bin/bash -v\n", | |
"yum update -y\n", | |
"# Install packages\n", | |
"/opt/aws/bin/cfn-init -s ", { "Ref" : "AWS::StackId" }, " -r ApplicationServerLaunchConfig ", | |
" --region ", { "Ref" : "AWS::Region" }, " || error_exit 'Failed to run cfn-init'\n" | |
]]}} | |
}, | |
"Metadata" : { | |
"AWS::CloudFormation::Init" : { | |
"config" : { | |
"packages" : { | |
"yum" : { | |
"httpd" : [], | |
"mysql55" : [] | |
} | |
}, | |
"files" : { | |
"/var/www/html/index.html" : { | |
"content" : "<html><head><title>Hello</title></head><body>Hello, world!</body></html>", | |
"mode" : "000644", | |
"owner" : "apache", | |
"group" : "apache" | |
} | |
}, | |
"services" : { | |
"sysvinit" : { | |
"httpd" : { "enabled" : "true", "ensureRunning" : "true" } | |
} | |
} | |
} | |
} | |
} | |
}, | |
"DatabaseDNSRecord" : { | |
"Type" : "AWS::Route53::RecordSet", | |
"Properties" : { | |
"HostedZoneName" : { "Fn::Join" : [ "", [{"Ref" : "HostedZone"}, "." ]]}, | |
"Comment" : "CNAME for the database.", | |
"Name" : { "Fn::Join" : [ "", ["rds.local.", {"Ref" : "HostedZone"}, "." ]]}, | |
"Type" : "CNAME", | |
"TTL" : "300", | |
"ResourceRecords" : [ | |
{ "Fn::GetAtt" : [ "DBInstance", "Endpoint.Address" ] } | |
] | |
} | |
}, | |
"DBParamGroup" : { | |
"Type": "AWS::RDS::DBParameterGroup", | |
"Properties" : { | |
"Description" : "Default parameter group for Portnoy", | |
"Family" : "MySQL5.6", | |
"Parameters" : { | |
"character_set_database" : "utf8mb4", | |
"character_set_client" : "utf8mb4", | |
"character_set_connection" : "utf8mb4", | |
"character_set_results" : "utf8mb4", | |
"character_set_server" : "utf8mb4", | |
"skip-character-set-client-handshake" : "TRUE" | |
} | |
} | |
}, | |
"DBSubnetGroup" : { | |
"Type" : "AWS::RDS::DBSubnetGroup", | |
"Properties" : { | |
"DBSubnetGroupDescription" : "Database subnets for RDS", | |
"SubnetIds" : [ | |
{ "Ref": "DatastoreSubnet1" }, | |
{ "Ref": "DatastoreSubnet2" } | |
] | |
} | |
}, | |
"DBInstance" : { | |
"Type" : "AWS::RDS::DBInstance", | |
"DeletionPolicy" : "Snapshot", | |
"Properties" : { | |
"DBInstanceClass" : { "Fn::FindInMap" : [ "StackConfig", "DBServer", "InstanceType" ]}, | |
"AllocatedStorage" : { "Fn::FindInMap" : [ "StackConfig", "DBServer", "AllocatedStorage" ]}, | |
"Engine" : "MySQL", | |
"MultiAZ" : "true", | |
"EngineVersion" : "5.6.13", | |
"MasterUsername" : {"Ref":"DBUsername"}, | |
"MasterUserPassword" : {"Ref":"DBPassword"}, | |
"DBName" : { "Fn::FindInMap" : [ "StackConfig", "DBServer", "DBName" ]}, | |
"BackupRetentionPeriod" : "35", | |
"DBParameterGroupName" : {"Ref":"DBParamGroup"}, | |
"DBSubnetGroupName" : {"Ref":"DBSubnetGroup"}, | |
"PreferredBackupWindow": "19:00-19:30", | |
"PreferredMaintenanceWindow": "sat:20:00-sat:20:30", | |
"VPCSecurityGroups" : [ | |
{ "Ref" : "VPCDefaultSecurityGroup" }, | |
{ "Ref" : "MySQLSecurityGroup" } | |
] | |
} | |
} | |
}, | |
"Outputs": { | |
"JdbcConnectionString": { | |
"Value": { "Fn::Join": [ "", [ | |
"jdbc:mysql://", | |
{ "Ref": "DatabaseDNSRecord" }, ":", | |
{ "Fn::GetAtt": [ "DBInstance", "Endpoint.Port" ] }, "/", | |
{ "Fn::FindInMap" : [ "StackConfig", "DBServer", "DBName" ]} | |
]]}, | |
"Description": "-" | |
}, | |
"SSHToBackendServer": { | |
"Value": { "Fn::Join":["", [ | |
"ssh -i /path/to/", { "Ref": "KeyName" }, ".pem", | |
" -oProxyCommand='ssh -i /path/to/", { "Ref": "KeyName" }, ".pem -W %h:%p ec2-user@", {"Ref" : "BastionDNSRecord"}, "'", | |
" ec2-user@<private-ip>" | |
]]}, | |
"Description": "SSH command to connect to the backend servers" | |
} | |
} | |
} |
あ、"VPCSecurityGroups" と "DBSecurityGroups" を併用することは出来ず、"VPCDefaultSecurityGroup" が使えないから "AWS::EC2::SecurityGroup" にしてるんですね。
…ここにコメント頂いても、メールで通知とか無いんですね。気付かずにすみません。
お考えの通りです。DBSecurityGroupは古い概念で、今はEC2 SecurityGroupに統合されつつあります。
参考にさせていただきます。
ありがとうございます。
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
参考にさせて頂きました!ありがとうございます。
気になったので、よかったら教えてください。
"MySQLSecurityGroup" の type が、"AWS::RDS::DBSecurityGroup" ではなく、"AWS::EC2::SecurityGroup" なのはどうしてでしょうか?