# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: MIT-0 AWSTemplateFormatVersion: "2010-09-09" Description: Route53 Hosted Zones Sync - Serverless Architecture & Private Hosted Zone Parameters: LatestAmiId: Type: "AWS::SSM::Parameter::Value" Default: "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2" CidrBlock: Type: String Default: "10.128.0.0/16" Resources: # ---------- VPC RESOURCES ---------- # VPC resource VPC: Type: AWS::EC2::VPC Properties: CidrBlock: !Ref CidrBlock EnableDnsSupport: true EnableDnsHostnames: true Tags: - Key: Name Value: !Join - "-" - - "vpc" - !Ref AWS::Region # Subnets VPCSubnetWorkload: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC CidrBlock: !Select [0, !Cidr [!GetAtt VPC.CidrBlock, 6, 8]] AvailabilityZone: !Select - 0 - !GetAZs Ref: "AWS::Region" MapPublicIpOnLaunch: false Tags: - Key: Name Value: !Join - "-" - - "workload-subnet" - !Ref AWS::Region VPCSubnetEndpoints: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC CidrBlock: !Select [1, !Cidr [!GetAtt VPC.CidrBlock, 6, 8]] AvailabilityZone: !Select - 0 - !GetAZs Ref: "AWS::Region" MapPublicIpOnLaunch: false Tags: - Key: Name Value: !Join - "-" - - "endpoints-subnet" - !Ref AWS::Region # Route Tables VPCRouteTableWorkload: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref VPC Tags: - Key: Name Value: !Join - "-" - - "workload-rt" - !Ref AWS::Region VPCWorkloadSubnetRouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: RouteTableId: !Ref VPCRouteTableWorkload SubnetId: !Ref VPCSubnetWorkload VPCRouteTableEndpoints: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref VPC Tags: - Key: Name Value: !Join - "-" - - "endpoints-rt" - !Ref AWS::Region VPCEndpointsSubnetRouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: RouteTableId: !Ref VPCRouteTableEndpoints SubnetId: !Ref VPCSubnetEndpoints # Security Groups (Instance and VPC endpoint) VPCInstanceSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Production VPC - Instance Security Group VpcId: !Ref VPC SecurityGroupIngress: - Description: Allowing any traffic IpProtocol: -1 FromPort: -1 ToPort: -1 CidrIp: !Ref CidrBlock VPCEndpointsSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Production VPC - Endpoints Security Group VpcId: !Ref VPC SecurityGroupIngress: - Description: Allowing HTTPS IpProtocol: tcp FromPort: 443 ToPort: 443 SourceSecurityGroupId: !Ref VPCInstanceSecurityGroup # EC2 Instances EC2Instance: Type: AWS::EC2::Instance Properties: InstanceType: t3.micro SecurityGroupIds: - !Ref VPCInstanceSecurityGroup SubnetId: !Ref VPCSubnetWorkload ImageId: !Ref LatestAmiId IamInstanceProfile: !Ref EC2SSMInstanceProfileWorkloads Tags: - Key: Name Value: !Join - "-" - - "instance" - !Ref AWS::Region # SSM Endpoints SSMVPCEndpoint: Type: AWS::EC2::VPCEndpoint Properties: ServiceName: !Sub com.amazonaws.${AWS::Region}.ssm VpcId: !Ref VPC SubnetIds: - !Ref VPCSubnetEndpoints SecurityGroupIds: - !Ref VPCEndpointsSecurityGroup VpcEndpointType: Interface PrivateDnsEnabled: True SSMMessagesVPCEndpoint: Type: AWS::EC2::VPCEndpoint Properties: ServiceName: !Sub com.amazonaws.${AWS::Region}.ssmmessages VpcId: !Ref VPC SubnetIds: - !Ref VPCSubnetEndpoints SecurityGroupIds: - !Ref VPCEndpointsSecurityGroup VpcEndpointType: Interface PrivateDnsEnabled: True EC2MessagesVPCEndpoint: Type: AWS::EC2::VPCEndpoint Properties: ServiceName: !Sub com.amazonaws.${AWS::Region}.ec2messages VpcId: !Ref VPC SubnetIds: - !Ref VPCSubnetEndpoints SecurityGroupIds: - !Ref VPCEndpointsSecurityGroup VpcEndpointType: Interface PrivateDnsEnabled: True # EC2 Instance Role (SSM access) EC2SSMIAMRoleWorkloads: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - ec2.amazonaws.com Action: - sts:AssumeRole ManagedPolicyArns: - !Sub arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore Path: / EC2SSMInstanceProfileWorkloads: Type: AWS::IAM::InstanceProfile Properties: Path: / Roles: - !Ref EC2SSMIAMRoleWorkloads Outputs: VpcId: Value: !Ref VPC Description: VPC ID