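AWSTemplateFormatVersion: "2010-09-09"
# Version 1.0 - Initial version
Description: Template to create the client ec2s. Version 1.0
Metadata:
  # Console-only presentation: the groups and labels below control how the
  # parameters are displayed; they have no effect on the resources created.
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: "Network Configuration"
        Parameters:
          - VPCId
          - SubnetId
          - Environment
      - Label:
          default: "EC2 Configuration"
        Parameters:
          - EC2Options
          # EC2Ami is only consulted when EC2Options is "Restore"; it is
          # grouped here so it is not hidden under "Other parameters".
          - EC2Ami
          - EC2OS
          - EC2Size
      - Label:
          default: "Additional Configuration"
        Parameters:
          - UserData
          - Schedule
      - Label:
          default: "EBS Volumes"
        Parameters:
          - EC2RootVolumeSize
          - EBSVolume1Mount
          - EBSVolume1Size
          - EBSVolume2Mount
          - EBSVolume2Size
      - Label:
          default: "Tags"
        Parameters:
          - ISEDProjectId
          - CostCentre
    # "(*)" marks parameters the operator must fill in or confirm.
    ParameterLabels:
      VPCId:
        default: "(*) The vpc ID to launch the instance into."
      SubnetId:
        default: "(*) The subnet ID to launch the instance into."
      # This parameter drives the EC2 Create/Restore choice, not an RDS one.
      EC2Options:
        default: "(*) EC2 Options. Create or Restore instance"
      EC2Ami:
        default: "AMI ID to restore from (used only when EC2 Options is Restore)"
      EC2OS:
        default: "(*) The instance OS"
      EC2Size:
        default: "(*) The instance type."
      Environment:
        default: "(*) Environment."
      UserData:
        default: "The user data to make available to the instance."
      Schedule:
        default: "(*) EC2 Schedule"
      EC2RootVolumeSize:
        default: "(*) Root Volume Size in GB"
      EBSVolume1Size:
        default: "EBS Volume 1 Size in GB"
      EBSVolume2Size:
        default: "EBS Volume 2 Size in GB"
      # The volume stacks are created only when a mount point is given
      # (see the IsVolume1/IsVolume2 conditions), so blank means "no volume".
      EBSVolume1Mount:
        default: "EBS Volume 1 mount point (Leave blank if not attaching this volume)"
      EBSVolume2Mount:
        default: "EBS Volume 2 mount point (Leave blank if not attaching this volume)"
      ISEDProjectId:
        default: "(*) Project Id Cost Tag"
      CostCentre:
        default: "(*) Cost Centre Cost Tag"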
Mappings:
  # Fallback AMI lookup. The EC2 resource resolves its ImageId through the
  # SSM "latest AMI" parameters first and only falls back to this map for OS
  # values that have no SSM entry, so only the Ubuntu row is populated.
  AmiMap:
    Ubuntu-Server-18.04-LTS:
      # Pinned image id: it never picks up newer builds, and AMI ids are
      # region-specific, so this entry only resolves in the region it was
      # published for.
      ImageId: "ami-0d0eaed20348a3389"
    Linux:
      ImageId: ""
    Windows-2016:
      ImageId: ""
    Windows-2019:
      ImageId: ""
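Parameters:
  # ===== Network Section =====
  VPCId:
    Type: AWS::EC2::VPC::Id
  SubnetId:
    Type: AWS::EC2::Subnet::Id
  Environment:
    Type: String
    Default: dev
    AllowedValues:
      - dev
      - uat
      - qa
      - prod
  # ===== EC2 Section =====
  EC2Options:
    Type: String
    Default: Create
    AllowedValues:
      - Create
      - Restore
  EC2OS:
    Type: String
    Default: Linux
    # These literals are compared verbatim by the IsLinux/IsWindows*
    # conditions and used as AmiMap keys; keep the spelling identical there.
    AllowedValues:
      - Linux
      - Windows-2016
      - Windows-2019
      - Ubuntu-Server-18.04-LTS
  EC2Size:
    Type: String
    Default: t3.small
    AllowedValues:
      - t3.small
      - t3.medium
      - t3.large
      - t3.xlarge
      # NOTE(review): r5.small and r5.medium are not sizes offered in the
      # r5 family; selecting them fails at launch. Kept so existing stacks
      # keep validating - confirm before removing.
      - r5.small
      - r5.medium
      - r5.large
      - r5.xlarge
      - r5.2xlarge
      - m5.large
  # ===== Additional Configuration Section =====
  UserData:
    Type: String
    # Optional: the HasUserData condition treats "" as "no user data", so
    # an explicit empty default lets the parameter be omitted entirely.
    Default: ""
  Schedule:
    Type: String
    # "<Always On>" is the sentinel the IsSchedule condition compares against.
    Default: "<Always On>"
    AllowedValues:
      - "<Always On>"
      - end-of-week-shutdown
      - mon-6am-fri-6pm
      - office-hours
      - 24-7
  # ===== EBS Volume Section =====
  EC2RootVolumeSize:
    # Number rather than String so non-numeric input is rejected at
    # parameter validation instead of at instance launch.
    Type: Number
    Default: 8
  # Volume 1/2 are optional: IsVolume1/IsVolume2 only create the nested
  # volume stacks when the mount point is non-empty.
  EBSVolume1Size:
    Type: String
    Default: ""
  EBSVolume1Mount:
    Type: String
    Default: ""
  EBSVolume2Size:
    Type: String
    Default: ""
  EBSVolume2Mount:
    Type: String
    Default: ""
  # ===== Tags Section =====
  ISEDProjectId:
    Type: String
    Default: cops-aws
  CostCentre:
    Type: String
    Default: cio-rdad
  # ===== Other =====
  EC2Ami:
    Type: String
    Description: Specify if restoring from Ami, otherwise leave blank
    Default: ""
    # Empty, or a well-formed AMI id. Only consulted when EC2Options is
    # "Restore"; a Restore with an empty id yields an empty ImageId and fails
    # at launch.
    AllowedPattern: "^(ami-[0-9a-f]{8,17})?$"
    ConstraintDescription: Must be empty or an AMI id of the form ami-xxxxxxxx
  # The Latest*AmiId parameters resolve through SSM public parameters at
  # deploy time, so a fresh stack always gets the current image.
  LatestLinuxAmiId:
    Type: "AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>"
    Description: Reference to the latest Amazon Linux 2 AMI
    Default: "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2"
  LatestWindows2016AmiId:
    Type: "AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>"
    Description: Reference to the latest Windows Server 2016 AMI
    Default: "/aws/service/ami-windows-latest/Windows_Server-2016-English-Full-Base"
  LatestWindows2019AmiId:
    Type: "AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>"
    Description: Reference to the latest Windows Server 2019 AMI
    Default: "/aws/service/ami-windows-latest/Windows_Server-2019-English-Full-Base"
  S3Templates:
    # Name of an SSM parameter holding the base URL of the nested templates.
    # The EBS stacks join this value with "ebs.yaml" without a separator, so
    # the stored value must end with a trailing "/".
    Type: AWS::SSM::Parameter::Value<String>
    Default: S3Templates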
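Conditions:
  IsProd: !Equals [ !Ref Environment, prod ]
  IsWindows: !Or
    - !Equals [ !Ref EC2OS, Windows-2016 ]
    - !Equals [ !Ref EC2OS, Windows-2019 ]
  IsWindows2016: !Equals [ !Ref EC2OS, Windows-2016 ]
  IsWindows2019: !Equals [ !Ref EC2OS, Windows-2019 ]
  # The Ubuntu literal must match the EC2OS AllowedValue exactly
  # ("Ubuntu-Server-18.04-LTS"). The previous spaced spelling never matched,
  # which left Ubuntu instances without the SSH ingress rule below.
  IsLinux: !Or
    - !Equals [ !Ref EC2OS, Linux ]
    - !Equals [ !Ref EC2OS, Ubuntu-Server-18.04-LTS ]
  IsAWSLinux: !Equals [ !Ref EC2OS, Linux ]
  IsEC2Restore: !Equals [ !Ref EC2Options, "Restore" ]
  IsSchedule: !Not [ !Equals [ !Ref Schedule, "<Always On>" ] ]
  # Optional EBS volumes are requested by supplying a mount point.
  IsVolume1: !Not [ !Equals [ !Ref EBSVolume1Mount, "" ] ]
  IsVolume2: !Not [ !Equals [ !Ref EBSVolume2Mount, "" ] ]
  HasUserData: !Not [ !Equals [ !Ref UserData, "" ] ]
Resources:
  SecurityGroupEC2:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "EC2 Security Group"
      # "GroupName"s need to be unique. Defining one as below means we can't
      # have two EC2s for the same ISEDProjectId. Let AWS generate a GroupName
      # instead. We can differentiate them via the "Name" tag below
      # GroupName: !Join ['-', ["secg-ec2", !Ref "AWS::AccountId", !Ref ISEDProjectId ] ]
      VpcId: !Ref VPCId
      Tags:
        - Key: Name
          Value: !Join ['-', ["sg-ec2", !Ref "AWS::AccountId", !Ref ISEDProjectId ] ]
        - Key: ised-cost-centre
          Value: !Ref CostCentre
        - Key: ised-project-id
          Value: !Ref ISEDProjectId
        - Key: ised-environment
          Value: !Ref Environment
  # Open SSH Port (Linux and Ubuntu only).
  # NOTE(review): the admin source range is hard-coded here and on the RDP
  # rule; a CIDR parameter defaulting to 100.96.192.0/24 would let each
  # environment narrow it without editing the template.
  Ingress1:
    Type: AWS::EC2::SecurityGroupIngress
    Condition: IsLinux
    Properties:
      GroupId: !Ref SecurityGroupEC2
      IpProtocol: tcp
      FromPort: 22
      ToPort: 22
      CidrIp: 100.96.192.0/24
  # Open RDP Port (Windows only).
  IngressRDP:
    Type: AWS::EC2::SecurityGroupIngress
    Condition: IsWindows
    Properties:
      GroupId: !Ref SecurityGroupEC2
      IpProtocol: tcp
      FromPort: 3389
      ToPort: 3389
      CidrIp: 100.96.192.0/24
  # Allow all outbound traffic. A security group created without an inline
  # SecurityGroupEgress already allows all outbound, so this resource mostly
  # makes that intent explicit rather than changing it.
  Egress1:
    Type: AWS::EC2::SecurityGroupEgress
    Properties:
      GroupId: !Ref SecurityGroupEC2
      IpProtocol: -1
      CidrIp: 0.0.0.0/0
  EC2:
    Type: AWS::EC2::Instance
    Properties:
      DisableApiTermination: false
      # Instance profile is imported from another stack's export; this
      # template does not define the permissions it grants.
      IamInstanceProfile:
        Fn::ImportValue: ManagedInstanceProfile
      InstanceInitiatedShutdownBehavior: stop
      EbsOptimized: true
      # If restoring an EC2, use the provided AMI. Otherwise use the latest AMI
      # for the OS type chosen; AmiMap is only reached for OS values with no
      # SSM "latest" parameter (currently Ubuntu).
      ImageId: !If
        - IsEC2Restore
        - !Ref EC2Ami
        - !If
          - IsWindows2016
          - !Ref LatestWindows2016AmiId
          - !If
            - IsWindows2019
            - !Ref LatestWindows2019AmiId
            - !If
              - IsAWSLinux
              - !Ref LatestLinuxAmiId
              - !FindInMap [AmiMap, !Ref EC2OS, ImageId]
      InstanceType: !Ref EC2Size
      # Assumes an EC2 key pair named after the project id already exists in
      # this account/region; the template does not create it.
      KeyName: !Ref ISEDProjectId
      Monitoring: false
      # NOTE(review): EC2 expects UserData base64-encoded. The parameter is
      # passed through unchanged, so callers must supply it already encoded,
      # or this value should be wrapped in Fn::Base64 - confirm with callers.
      UserData: !If [ HasUserData, !Ref UserData, !Ref "AWS::NoValue" ]
      # NOTE(review): IMDSv2 is not enforced for this instance; enforcing it
      # needs a launch template's MetadataOptions (HttpTokens: required) or an
      # account-level default - confirm which the project relies on.
      BlockDeviceMappings:
        # The root device name must match the AMI: Amazon Linux 2 exposes
        # /dev/xvda, while Ubuntu and Windows AMIs use /dev/sda1. Keyed on
        # IsAWSLinux rather than IsLinux so Ubuntu keeps /dev/sda1 now that
        # IsLinux matches it too (it previously fell through by accident).
        - DeviceName: !If [ IsAWSLinux, "/dev/xvda", "/dev/sda1" ]
          Ebs:
            DeleteOnTermination: true
            VolumeSize: !Ref EC2RootVolumeSize
            # NOTE(review): no Encrypted/KmsKeyId is set, so the root volume
            # is unencrypted unless the account enforces EBS default
            # encryption.
      NetworkInterfaces:
        - DeleteOnTermination: true
          DeviceIndex: 0
          GroupSet: [ !Ref SecurityGroupEC2 ]
          SubnetId: !Ref SubnetId
      Tags:
        - Key: Name
          Value: !Join ['-', ["ec2", !Ref "AWS::AccountId", !Ref ISEDProjectId, !Ref "Environment" ] ]
        - Key: ised-cost-centre
          Value: !Ref CostCentre
        - Key: ised-project-id
          Value: !Ref ISEDProjectId
        - Key: ised-environment
          Value: !Ref Environment
        - Key: ised-backup
          Value: !If [ IsProd, backup-prod, backup-dev ]
        # Patch Group selects the patch baseline by environment and OS family.
        - Key: Patch Group
          Value: !If
            - IsProd
            - !If
              - IsWindows
              - prod-windows
              - prod-linux2
            - !If
              - IsWindows
              - dev-windows
              - dev-linux2
        # The schedule tag is only emitted when a schedule other than
        # "<Always On>" was chosen.
        - !If
          - IsSchedule
          - Key: ised-schedule
            Value: !Ref Schedule
          - !Ref AWS::NoValue
  # Optional data volumes, each created by the nested ebs.yaml template.
  # TemplateURL joins S3Templates and "ebs.yaml" with no separator, so the
  # S3Templates value must end with "/". DependsOn is redundant with the
  # !Ref EC2 / !GetAtt EC2 references but harmless.
  EBSVolume1:
    Type: AWS::CloudFormation::Stack
    DependsOn: EC2
    Condition: IsVolume1
    Properties:
      TemplateURL: !Join [ '', [!Ref S3Templates, "ebs.yaml" ]]
      Parameters:
        EC2Id: !Ref EC2
        EBSVolumeSize: !Ref EBSVolume1Size
        EBSVolumeMount: !Ref EBSVolume1Mount
        AvailabilityZone: !GetAtt EC2.AvailabilityZone
        Environment: !Ref Environment
        # ===== Tags =====
        ISEDProjectId: !Ref ISEDProjectId
        CostCentre: !Ref CostCentre
  EBSVolume2:
    Type: AWS::CloudFormation::Stack
    DependsOn: EC2
    Condition: IsVolume2
    Properties:
      TemplateURL: !Join [ '', [!Ref S3Templates, "ebs.yaml" ]]
      Parameters:
        EC2Id: !Ref EC2
        EBSVolumeSize: !Ref EBSVolume2Size
        EBSVolumeMount: !Ref EBSVolume2Mount
        AvailabilityZone: !GetAtt EC2.AvailabilityZone
        Environment: !Ref Environment
        # ===== Tags =====
        ISEDProjectId: !Ref ISEDProjectId
        CostCentre: !Ref CostCentre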
Outputs:
  # Values other stacks or operators need to reach the instance.
  InstanceId:
    Description: Id of the EC2 instance created by this stack
    Value: !Ref EC2
  EC2SecurityGroup:
    Description: Security group attached to the instance
    Value: !Ref SecurityGroupEC2
  EC2PrivateIp:
    Description: Private IPv4 address of the instance
    Value: !GetAtt EC2.PrivateIp