--- AWSTemplateFormatVersion: 2010-09-09 Description: Creates the Amazon FSx File Gateway environment for the FSx File Gateway workshop. Metadata: Authors: Description: Darryl Osborne (darrylo@amazon.com) AWS::CloudFormation::Interface: ParameterGroups: - Label: default: VPC Environment Parameters: - VpcCidr - AvailabilityZones - PeerRegion - PeerVpc - PeerVpcCidr - DnsIpAddresses - Label: default: Gateway Environment Parameters: - GatewayInstanceType - KeyPair - LatestSgwAmiId ParameterLabels: AvailabilityZones: default: Availability Zones DnsIpAddresses: default: DNS Ip Addresses GatewayInstanceType: default: Instance type KeyPair: default: Key pair LatestSgwAmiId: default: Latest Storage Gateway AMI (do not change) PeerRegion: default: Peer region PeerVpc: default: Peer VPC Id PeerVpcCidr: default: Peer VPC CIDR VpcCidr: default: VPC CIDR Parameters: AvailabilityZones: Description: Select one Availability Zones. One public subnet will be created in the AZ. Type: AWS::EC2::AvailabilityZone::Name DnsIpAddresses: Description: Enter the two Ip addresses of the DNS servers from Region 0 (e.g. 10.0.0.7, 10.0.0.23) Type: String GatewayInstanceType: AllowedValues: - m5.2xlarge Default: m5.2xlarge Type: String KeyPair: Type: AWS::EC2::KeyPair::KeyName LatestSgwAmiId: Type: 'AWS::SSM::Parameter::Value' Default: '/aws/service/storagegateway/ami/FILE_FSX_SMB/latest' PeerRegion: AllowedValues: - us-east-1 - us-east-2 - us-west-1 - us-west-2 - af-south-1 - ap-east-1 - ap-south-1 - ap-northeast-2 - ap-southeast-1 - ap-southeast-2 - ap-northeast-1 - ca-central-1 - eu-central-1 - eu-west-1 - eu-west-2 - eu-west-3 - eu-south-1 - eu-north-1 - me-south-1 - sa-east-1 Description: Enter the region of the peered VPC Type: String PeerVpc: Description: Enter the VPC Id of the peered VPC Type: String PeerVpcCidr: AllowedValues: - 10.0.0.0/16 - 172.31.0.0/16 - 192.168.0.0/16 Default: 10.0.0.0/16 Description: Enter the private IPv4 CIDR of the peered VPC Type: String VpcCidr: AllowedValues: - 10.0.0.0/16 - 172.31.0.0/16 - 192.168.0.0/16 Default: 172.31.0.0/16 Description: Select the private IPv4 CIDR for the VPC. Type: String Resources: AttachInternetGateway: Type: AWS::EC2::VPCGatewayAttachment Properties: InternetGatewayId: !Ref InternetGateway VpcId: !Ref Vpc DhcpOptions: Type: AWS::EC2::DHCPOptions Properties: DomainName: example.com DomainNameServers: - !Ref DnsIpAddresses DhcpOptionsAssociation: Type: AWS::EC2::VPCDHCPOptionsAssociation Properties: DhcpOptionsId: !Ref DhcpOptions VpcId: !Ref Vpc InternetGateway: Type: AWS::EC2::InternetGateway Properties: Tags: - Key: Name Value: !Join [ '', [ 'VPC IGW | ', !Ref 'AWS::StackName' ] ] PublicRoute: Type: AWS::EC2::Route Properties: RouteTableId: !Ref PublicRouteTable DestinationCidrBlock: 0.0.0.0/0 GatewayId: !Ref InternetGateway PublicRouteTable: Type: AWS::EC2::RouteTable Properties: Tags: - Key: Name Value: !Join [ '', [ 'Public Route Table | ', !Ref 'AWS::StackName' ] ] - Key: Network Value: Public VpcId: !Ref Vpc PublicRouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: SubnetId: !Ref PublicSubnet RouteTableId: !Ref PublicRouteTable PublicSubnet: Type: AWS::EC2::Subnet Properties: AvailabilityZone: !Ref AvailabilityZones CidrBlock: !Select [ 1, !Cidr [ !GetAtt Vpc.CidrBlock, 2, 4 ] ] MapPublicIpOnLaunch: true Tags: - Key: Name Value: !Join [ '', [ 'Public Subnet | ', !Ref 'AWS::StackName' ] ] - Key: SubnetType Value: Public VpcId: !Ref Vpc PeeringPublicRoute: Type: 'AWS::EC2::Route' Properties: DestinationCidrBlock: !Ref PeerVpcCidr RouteTableId: !Ref PublicRouteTable VpcPeeringConnectionId: !Ref VpcPeeringConnection Vpc: Type: AWS::EC2::VPC Properties: CidrBlock: !Ref VpcCidr EnableDnsHostnames: true EnableDnsSupport: true Tags: - Key: Name Value: !Join [ '', [ 'VPC | ', !Ref 'AWS::StackName' ] ] VpcPeeringConnection: Type: AWS::EC2::VPCPeeringConnection Properties: VpcId: !Ref Vpc PeerVpcId: !Ref PeerVpc PeerRegion: !Ref PeerRegion GatewaySecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Security group for Amazon FSx File Gateway SecurityGroupIngress: - IpProtocol: tcp FromPort: 80 ToPort: 80 CidrIp: 0.0.0.0/0 - IpProtocol: tcp FromPort: 22 ToPort: 22 CidrIp: 0.0.0.0/0 - IpProtocol: tcp FromPort: 445 ToPort: 445 SourceSecurityGroupId: !Ref WindowsSecurityGroup - IpProtocol: -1 CidrIp: !Ref PeerVpcCidr Tags: - Key: Name Value: "Gateway security group" VpcId: !Ref Vpc WindowsSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Security group for Windows Instance SecurityGroupIngress: - IpProtocol: tcp FromPort: 3389 ToPort: 3389 CidrIp: 0.0.0.0/0 - IpProtocol: -1 CidrIp: !Ref PeerVpcCidr Tags: - Key: Name Value: "Windows Instance security group" VpcId: !Ref Vpc GatewayInstance: Type: AWS::EC2::Instance Properties: BlockDeviceMappings: - DeviceName: /dev/sdb Ebs: DeleteOnTermination: true VolumeSize: 150 VolumeType: gp3 IamInstanceProfile: !Ref GatewayInstanceProfile ImageId: !Ref LatestSgwAmiId InstanceType: !Ref GatewayInstanceType KeyName: !Ref KeyPair Monitoring: true SecurityGroupIds: - !Ref GatewaySecurityGroup SubnetId: !Ref PublicSubnet Tags: - Key: Name Value: FSx Workshop Gateway Instance GatewayInstanceProfile: Type: AWS::IAM::InstanceProfile Properties: Path: '/' Roles: - !Ref GatewayInstanceRole GatewayInstanceRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - ec2.amazonaws.com Action: - sts:AssumeRole ManagedPolicyArns: - arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM Outputs: VpcId: Value: !Ref Vpc VpcCidr: Value: !Ref VpcCidr GatewayPublicIp: Value: !GetAtt GatewayInstance.PublicIp