Same as lean version, but with NAT Gateway and Bastion host
{ | |
"AWSTemplateFormatVersion": "2010-09-09", | |
"Description": "VPC across 3 AZs with public/private subnets, a single NAT Gateway and an SSH bastion host", | |
"Parameters": { | |
"EnvName": { | |
"Type": "String", | |
"Default": "Dev", | |
"AllowedValues": [ | |
"Dev", "Test", "Prod" | |
], | |
"Description": "Select the environment name" | |
}, | |
"TargetAZs": { | |
"Description": "AZs to create Subnets for. Hardcoded to 3 currently; supply exactly 3 distinct AZs or the STACK WILL FAIL.", | |
"Type": "List<AWS::EC2::AvailabilityZone::Name>" | |
}, | |
"BastionKeyName": { | |
"Description": "Name of an existing EC2 KeyPair to enable SSH access to the bastion host", | |
"Type": "AWS::EC2::KeyPair::KeyName", | |
"ConstraintDescription": "must be the name of an existing EC2 KeyPair." | |
}, | |
"BastionInstanceType": { | |
"Description": "Bastion Host EC2 instance type", | |
"Type": "String", | |
"Default": "t2.micro", | |
"AllowedValues": [ | |
"t1.micro", "t2.nano", "t2.micro", "t2.small", "t2.medium", "t2.large", "m1.small", "m1.medium", "m1.large", | |
"m1.xlarge", "m2.xlarge", "m2.2xlarge", "m2.4xlarge", "m3.medium", "m3.large", "m3.xlarge", "m3.2xlarge", | |
"m4.large", "m4.xlarge", "m4.2xlarge", "m4.4xlarge", "m4.10xlarge", "c1.medium", "c1.xlarge", "c3.large", | |
"c3.xlarge", "c3.2xlarge", "c3.4xlarge", "c3.8xlarge", "c4.large", "c4.xlarge", "c4.2xlarge", "c4.4xlarge", | |
"c4.8xlarge", "g2.2xlarge", "g2.8xlarge", "r3.large", "r3.xlarge", "r3.2xlarge", "r3.4xlarge", "r3.8xlarge", | |
"i2.xlarge", "i2.2xlarge", "i2.4xlarge", "i2.8xlarge", "d2.xlarge", "d2.2xlarge", "d2.4xlarge", "d2.8xlarge", | |
"hi1.4xlarge", "hs1.8xlarge", "cr1.8xlarge", "cc2.8xlarge", "cg1.4xlarge" | |
], | |
"ConstraintDescription": "must be a valid EC2 instance type." | |
}, | |
"BastionSSHLocation": { | |
"Description": "CIDR range allowed to SSH (tcp/22) to the bastion host. The default 0.0.0.0/0 exposes port 22 to the whole internet - override it with your own address range before deploying, especially for Prod.", | |
"Type": "String", | |
"MinLength": "9", | |
"MaxLength": "18", | |
"Default": "0.0.0.0/0", | |
"AllowedPattern": "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})", | |
"ConstraintDescription": "must be an IPv4 CIDR range of the form x.x.x.x/x (the pattern checks only the shape, not that each octet is 0-255 or the prefix is 0-32)." | |
} | |
}, | |
"Mappings": { | |
"SubnetConfig": { | |
"VPC": { | |
"CIDR": "10.0.0.0/16" | |
}, "AZ1-Public": { | |
"CIDR": "10.0.32.0/20" | |
}, "AZ1-Private": { | |
"CIDR": "10.0.0.0/19" | |
}, "AZ2-Public": { | |
"CIDR": "10.0.96.0/20" | |
}, "AZ2-Private": { | |
"CIDR": "10.0.64.0/19" | |
}, "AZ3-Public": { | |
"CIDR": "10.0.160.0/20" | |
}, "AZ3-Private": { | |
"CIDR": "10.0.128.0/19" | |
} | |
}, | |
"AWSInstanceType2Arch": { | |
"t1.micro": {"Arch": "PV64"}, | |
"t2.nano": {"Arch": "HVM64"}, | |
"t2.micro": {"Arch": "HVM64"}, | |
"t2.small": {"Arch": "HVM64"}, | |
"t2.medium": {"Arch": "HVM64"}, | |
"t2.large": {"Arch": "HVM64"}, | |
"m1.small": {"Arch": "PV64"}, | |
"m1.medium": {"Arch": "PV64"}, | |
"m1.large": {"Arch": "PV64"}, | |
"m1.xlarge": {"Arch": "PV64"}, | |
"m2.xlarge": {"Arch": "PV64"}, | |
"m2.2xlarge": {"Arch": "PV64"}, | |
"m2.4xlarge": {"Arch": "PV64"}, | |
"m3.medium": {"Arch": "HVM64"}, | |
"m3.large": {"Arch": "HVM64"}, | |
"m3.xlarge": {"Arch": "HVM64"}, | |
"m3.2xlarge": {"Arch": "HVM64"}, | |
"m4.large": {"Arch": "HVM64"}, | |
"m4.xlarge": {"Arch": "HVM64"}, | |
"m4.2xlarge": {"Arch": "HVM64"}, | |
"m4.4xlarge": {"Arch": "HVM64"}, | |
"m4.10xlarge": {"Arch": "HVM64"}, | |
"c1.medium": {"Arch": "PV64"}, | |
"c1.xlarge": {"Arch": "PV64"}, | |
"c3.large": {"Arch": "HVM64"}, | |
"c3.xlarge": {"Arch": "HVM64"}, | |
"c3.2xlarge": {"Arch": "HVM64"}, | |
"c3.4xlarge": {"Arch": "HVM64"}, | |
"c3.8xlarge": {"Arch": "HVM64"}, | |
"c4.large": {"Arch": "HVM64"}, | |
"c4.xlarge": {"Arch": "HVM64"}, | |
"c4.2xlarge": {"Arch": "HVM64"}, | |
"c4.4xlarge": {"Arch": "HVM64"}, | |
"c4.8xlarge": {"Arch": "HVM64"}, | |
"g2.2xlarge": {"Arch": "HVMG2"}, | |
"g2.8xlarge": {"Arch": "HVMG2"}, | |
"r3.large": {"Arch": "HVM64"}, | |
"r3.xlarge": {"Arch": "HVM64"}, | |
"r3.2xlarge": {"Arch": "HVM64"}, | |
"r3.4xlarge": {"Arch": "HVM64"}, | |
"r3.8xlarge": {"Arch": "HVM64"}, | |
"i2.xlarge": {"Arch": "HVM64"}, | |
"i2.2xlarge": {"Arch": "HVM64"}, | |
"i2.4xlarge": {"Arch": "HVM64"}, | |
"i2.8xlarge": {"Arch": "HVM64"}, | |
"d2.xlarge": {"Arch": "HVM64"}, | |
"d2.2xlarge": {"Arch": "HVM64"}, | |
"d2.4xlarge": {"Arch": "HVM64"}, | |
"d2.8xlarge": {"Arch": "HVM64"}, | |
"hi1.4xlarge": {"Arch": "HVM64"}, | |
"hs1.8xlarge": {"Arch": "HVM64"}, | |
"cr1.8xlarge": {"Arch": "HVM64"}, | |
"cc2.8xlarge": {"Arch": "HVM64"} | |
}, | |
"AWSRegionArch2AMI": { | |
"us-east-1": {"PV64": "ami-5fb8c835", "HVM64": "ami-60b6c60a", "HVMG2": "ami-e998ea83"}, | |
"us-west-2": {"PV64": "ami-d93622b8", "HVM64": "ami-f0091d91", "HVMG2": "ami-315f4850"}, | |
"us-west-1": {"PV64": "ami-56ea8636", "HVM64": "ami-d5ea86b5", "HVMG2": "ami-943956f4"}, | |
"eu-west-1": {"PV64": "ami-95e33ce6", "HVM64": "ami-bff32ccc", "HVMG2": "ami-83fd23f0"}, | |
"eu-central-1": {"PV64": "ami-794a5915", "HVM64": "ami-bc5b48d0", "HVMG2": "ami-ba1a09d6"}, | |
"ap-northeast-1": {"PV64": "ami-393c1957", "HVM64": "ami-383c1956", "HVMG2": "ami-08e5c166"}, | |
"ap-northeast-2": {"PV64": "NOT_SUPPORTED", "HVM64": "ami-249b554a", "HVMG2": "NOT_SUPPORTED"}, | |
"ap-southeast-1": {"PV64": "ami-34bd7a57", "HVM64": "ami-c9b572aa", "HVMG2": "ami-5a15d239"}, | |
"ap-southeast-2": {"PV64": "ami-ced887ad", "HVM64": "ami-48d38c2b", "HVMG2": "ami-0c1a446f"}, | |
"sa-east-1": {"PV64": "ami-7d15ad11", "HVM64": "ami-6817af04", "HVMG2": "NOT_SUPPORTED"}, | |
"cn-north-1": {"PV64": "ami-18ac6575", "HVM64": "ami-43a36a2e", "HVMG2": "NOT_SUPPORTED"} | |
} | |
}, | |
"Resources": { | |
"VPC": { | |
"Type": "AWS::EC2::VPC", | |
"Properties": { | |
"CidrBlock": {"Fn::FindInMap": ["SubnetConfig", "VPC", "CIDR"]}, | |
"InstanceTenancy": "default", | |
"EnableDnsSupport": "true", | |
"EnableDnsHostnames": "false", | |
"Tags": [ | |
{ | |
"Key": "Name", "Value": {"Fn::Join": ["", [{"Ref": "EnvName"}, "_VPC"]]} | |
} | |
] | |
} | |
}, | |
"SubnetAz1Public": { | |
"Type": "AWS::EC2::Subnet", "Properties": { | |
"CidrBlock": { | |
"Fn::FindInMap": ["SubnetConfig", "AZ1-Public", "CIDR"] | |
}, | |
"AvailabilityZone": { | |
"Fn::Select": ["0", {"Ref": "TargetAZs"}] | |
}, | |
"VpcId": {"Ref": "VPC"}, | |
"Tags": [ | |
{ | |
"Key": "Name", | |
"Value": { | |
"Fn::Join": [ | |
"", [{"Ref": "EnvName"}, "-", {"Fn::Select": ["0", {"Ref": "TargetAZs"}]}, "-public"] | |
] | |
} | |
} | |
] | |
} | |
}, | |
"SubnetAz1Private": { | |
"Type": "AWS::EC2::Subnet", "Properties": { | |
"CidrBlock": {"Fn::FindInMap": ["SubnetConfig", "AZ1-Private", "CIDR"]}, | |
"AvailabilityZone": {"Fn::Select": ["0", {"Ref": "TargetAZs"}]}, "VpcId": {"Ref": "VPC"}, | |
"Tags": [ | |
{ | |
"Key": "Name", | |
"Value": { | |
"Fn::Join": [ | |
"", [{"Ref": "EnvName"}, "-", {"Fn::Select": ["0", {"Ref": "TargetAZs"}]}, "-private"] | |
] | |
} | |
} | |
] | |
} | |
}, | |
"SubnetAz2Public": { | |
"Type": "AWS::EC2::Subnet", | |
"Properties": { | |
"CidrBlock": {"Fn::FindInMap": ["SubnetConfig", "AZ2-Public", "CIDR"]}, | |
"AvailabilityZone": {"Fn::Select": ["1", {"Ref": "TargetAZs"}]}, "VpcId": {"Ref": "VPC"}, | |
"Tags": [ | |
{ | |
"Key": "Name", | |
"Value": { | |
"Fn::Join": [ | |
"", [{"Ref": "EnvName"}, "-", {"Fn::Select": ["1", {"Ref": "TargetAZs"}]}, "-public"] | |
] | |
} | |
} | |
] | |
} | |
}, | |
"SubnetAz2Private": { | |
"Type": "AWS::EC2::Subnet", | |
"Properties": { | |
"CidrBlock": {"Fn::FindInMap": ["SubnetConfig", "AZ2-Private", "CIDR"]}, | |
"AvailabilityZone": {"Fn::Select": ["1", {"Ref": "TargetAZs"}]}, "VpcId": {"Ref": "VPC"}, | |
"Tags": [ | |
{ | |
"Key": "Name", | |
"Value": { | |
"Fn::Join": [ | |
"", [{"Ref": "EnvName"}, "-", {"Fn::Select": ["1", {"Ref": "TargetAZs"}]}, "-private"] | |
] | |
} | |
} | |
] | |
} | |
}, | |
"SubnetAz3Public": { | |
"Type": "AWS::EC2::Subnet", | |
"Properties": { | |
"CidrBlock": {"Fn::FindInMap": ["SubnetConfig", "AZ3-Public", "CIDR"]}, | |
"AvailabilityZone": {"Fn::Select": ["2", {"Ref": "TargetAZs"}]}, "VpcId": {"Ref": "VPC"}, | |
"Tags": [ | |
{ | |
"Key": "Name", | |
"Value": { | |
"Fn::Join": [ | |
"", [{"Ref": "EnvName"}, "-", {"Fn::Select": ["2", {"Ref": "TargetAZs"}]}, "-public"] | |
] | |
} | |
} | |
] | |
} | |
}, | |
"SubnetAz3Private": { | |
"Type": "AWS::EC2::Subnet", | |
"Properties": { | |
"CidrBlock": {"Fn::FindInMap": ["SubnetConfig", "AZ3-Private", "CIDR"]}, | |
"AvailabilityZone": {"Fn::Select": ["2", {"Ref": "TargetAZs"}]}, "VpcId": {"Ref": "VPC"}, | |
"Tags": [ | |
{ | |
"Key": "Name", | |
"Value": { | |
"Fn::Join": [ | |
"", [{"Ref": "EnvName"}, "-", {"Fn::Select": ["2", {"Ref": "TargetAZs"}]}, "-private"] | |
] | |
} | |
} | |
] | |
} | |
}, | |
"InternetGateway": { | |
"Type": "AWS::EC2::InternetGateway", | |
"Properties": { | |
"Tags": [ | |
{ | |
"Key": "Name", "Value": "Dev-Internet_Gateway" | |
} | |
] | |
} | |
}, | |
"RouteTableInternal": { | |
"Type": "AWS::EC2::RouteTable", | |
"Properties": { | |
"VpcId": {"Ref": "VPC"}, | |
"Tags": [ | |
{ | |
"Key": "Name", "Value": "Dev-Internal-RouteTable" | |
} | |
] | |
} | |
}, | |
"RouteTablePublic": { | |
"Type": "AWS::EC2::RouteTable", | |
"Properties": { | |
"VpcId": {"Ref": "VPC"}, | |
"Tags": [ | |
{ | |
"Key": "Name", "Value": "Dev-Public-RouteTable" | |
} | |
] | |
} | |
}, | |
"GwAttachmentInternetGateway": { | |
"Type": "AWS::EC2::VPCGatewayAttachment", | |
"Properties": { | |
"VpcId": {"Ref": "VPC"}, | |
"InternetGatewayId": {"Ref": "InternetGateway"} | |
} | |
}, "RouteTableAssocAz1Private": { | |
"Type": "AWS::EC2::SubnetRouteTableAssociation", | |
"Properties": { | |
"RouteTableId": {"Ref": "RouteTableInternal"}, | |
"SubnetId": {"Ref": "SubnetAz1Private"} | |
} | |
}, | |
"RouteTableAssocAz3Private": { | |
"Type": "AWS::EC2::SubnetRouteTableAssociation", | |
"Properties": { | |
"RouteTableId": {"Ref": "RouteTableInternal"}, | |
"SubnetId": {"Ref": "SubnetAz3Private"} | |
} | |
}, | |
"RouteTableAssocAz2Private": { | |
"Type": "AWS::EC2::SubnetRouteTableAssociation", | |
"Properties": { | |
"RouteTableId": {"Ref": "RouteTableInternal"}, | |
"SubnetId": {"Ref": "SubnetAz2Private"} | |
} | |
}, | |
"RouteTableAssocAz1Public": { | |
"Type": "AWS::EC2::SubnetRouteTableAssociation", | |
"Properties": { | |
"RouteTableId": {"Ref": "RouteTablePublic"}, | |
"SubnetId": {"Ref": "SubnetAz1Public"} | |
} | |
}, | |
"RouteTableAssocAz3Public": { | |
"Type": "AWS::EC2::SubnetRouteTableAssociation", | |
"Properties": { | |
"RouteTableId": {"Ref": "RouteTablePublic"}, | |
"SubnetId": {"Ref": "SubnetAz3Public"} | |
} | |
}, | |
"RouteTableAssocAz2Public": { | |
"Type": "AWS::EC2::SubnetRouteTableAssociation", | |
"Properties": { | |
"RouteTableId": {"Ref": "RouteTablePublic"}, | |
"SubnetId": {"Ref": "SubnetAz2Public"} | |
} | |
}, | |
"RouteTablePublicRoute1": { | |
"Type": "AWS::EC2::Route", | |
"Properties": { | |
"DestinationCidrBlock": "0.0.0.0/0", | |
"RouteTableId": {"Ref": "RouteTablePublic"}, | |
"GatewayId": {"Ref": "InternetGateway"} | |
}, | |
"DependsOn": "GwAttachmentInternetGateway" | |
}, | |
"NatGatewayElasticIP": { | |
"DependsOn": "GwAttachmentInternetGateway", | |
"Type": "AWS::EC2::EIP", | |
"Properties": { | |
"Domain": "vpc" | |
} | |
}, | |
"NatGateway": { | |
"DependsOn": "GwAttachmentInternetGateway", | |
"Type": "AWS::EC2::NatGateway", | |
"Properties": { | |
"AllocationId": {"Fn::GetAtt": ["NatGatewayElasticIP", "AllocationId"]}, | |
"SubnetId": {"Ref": "SubnetAz1Public"} | |
} | |
}, | |
"NatGatewayRoute": { | |
"Type": "AWS::EC2::Route", | |
"Properties": { | |
"RouteTableId": {"Ref": "RouteTableInternal"}, | |
"DestinationCidrBlock": "0.0.0.0/0", | |
"NatGatewayId": {"Ref": "NatGateway"} | |
} | |
}, | |
"BastionIPAddress": { | |
"Type": "AWS::EC2::EIP", | |
"DependsOn": "GwAttachmentInternetGateway", | |
"Properties": { | |
"Domain": "vpc", | |
"InstanceId": {"Ref": "BastionHost"} | |
} | |
}, | |
"BastionHost": { | |
"Type": "AWS::EC2::Instance", | |
"Properties": { | |
"InstanceType": {"Ref": "BastionInstanceType"}, | |
"KeyName": {"Ref": "BastionKeyName"}, | |
"SubnetId": {"Ref": "SubnetAz1Public"}, | |
"ImageId": { | |
"Fn::FindInMap": [ | |
"AWSRegionArch2AMI", {"Ref": "AWS::Region"}, | |
{"Fn::FindInMap": ["AWSInstanceType2Arch", {"Ref": "BastionInstanceType"}, "Arch"]} | |
] | |
}, | |
"SecurityGroupIds": [{"Ref": "BastionSecurityGroup"}], | |
"Tags": [ | |
{ | |
"Key": "Name", "Value": {"Fn::Join": ["", [{"Ref": "EnvName"}, "_VPC_BastionHost"]]} | |
} | |
] | |
} | |
}, | |
"BastionSecurityGroup": { | |
"Type": "AWS::EC2::SecurityGroup", | |
"Properties": { | |
"GroupDescription": "Bastion host SG: SSH (tcp/22) ingress only from BastionSSHLocation; egress restricted to tcp/22 into the three private subnets", | |
"VpcId": {"Ref": "VPC"}, | |
"SecurityGroupIngress": [ | |
{"IpProtocol": "tcp", "FromPort": "22", "ToPort": "22", "CidrIp": {"Ref": "BastionSSHLocation"}} | |
], | |
"SecurityGroupEgress": [ | |
{ | |
"IpProtocol": "tcp", "FromPort": "22", "ToPort": "22", | |
"CidrIp": {"Fn::FindInMap": ["SubnetConfig", "AZ1-Private", "CIDR"]} | |
}, | |
{ | |
"IpProtocol": "tcp", "FromPort": "22", "ToPort": "22", | |
"CidrIp": {"Fn::FindInMap": ["SubnetConfig", "AZ2-Private", "CIDR"]} | |
}, | |
{ | |
"IpProtocol": "tcp", "FromPort": "22", "ToPort": "22", | |
"CidrIp": {"Fn::FindInMap": ["SubnetConfig", "AZ3-Private", "CIDR"]} | |
} | |
], | |
"Tags": [ | |
{ | |
"Key": "Name", "Value": {"Fn::Join": ["", [{"Ref": "EnvName"}, "_VPC_BastionHost_SG"]]} | |
} | |
] | |
} | |
}, | |
"SshAccessSecurityGroup": { | |
"Type": "AWS::EC2::SecurityGroup", | |
"Properties": { | |
"GroupDescription": "Attach this SG to instances in the private subnets to allow SSH (tcp/22) only from members of the bastion security group", | |
"VpcId": {"Ref": "VPC"}, | |
"SecurityGroupIngress": [ | |
{ | |
"IpProtocol": "tcp", "FromPort": "22", "ToPort": "22", | |
"SourceSecurityGroupId": {"Ref": "BastionSecurityGroup"} | |
} | |
], | |
"Tags": [ | |
{ | |
"Key": "Name", "Value": {"Fn::Join": ["", [{"Ref": "EnvName"}, "_VPC_AllowBastionSshConnect"]]} | |
} | |
] | |
} | |
} | |
} | |
} |