# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 AWSTemplateFormatVersion: 2010-09-09 Description: >- alphafold-cfn-network.yaml: Creates a VPC with 1 private and 1 public subnet Parameters: StackAvailabilityZone: Description: Availability zone to deploy stack resources Type: "AWS::EC2::AvailabilityZone::Name" ApplicationName: Description: Name of the application, if applicable Type: String Default: "Unknown" ################################################## # Network Configuration ################################################## Resources: VPC: Type: "AWS::EC2::VPC" Properties: EnableDnsSupport: "true" EnableDnsHostnames: "true" CidrBlock: "10.0.0.0/16" Tags: - Key: Application Value: !Ref ApplicationName - Key: Network Value: Public - Key: StackId Value: !Ref AWS::StackId VPCFlowLogRole: Type: "AWS::IAM::Role" Properties: Description: "Required service policies to support running Alphafold on AWS Batch" AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Principal: Service: - vpc-flow-logs.amazonaws.com Action: - "sts:AssumeRole" Policies: - PolicyName: VPCFlowLogPolicy PolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents - logs:DescribeLogGroups - logs:DescribeLogStreams Resource: !Sub arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:vpc-flow-log/* Tags: - Key: Application Value: !Ref ApplicationName - Key: StackId Value: !Ref AWS::StackId VPCFlowLogsGroup: Type: AWS::Logs::LogGroup Properties: KmsKeyId: !GetAtt EncryptionKey.Arn RetentionInDays: 120 Tags: - Key: StackId Value: !Ref AWS::StackId VPCFlowLog: Type: "AWS::EC2::FlowLog" Properties: DeliverLogsPermissionArn: !GetAtt VPCFlowLogRole.Arn LogGroupName: !Ref VPCFlowLogsGroup ResourceId: !Ref VPC ResourceType: VPC Tags: - Key: Application Value: !Ref ApplicationName - Key: StackId Value: !Ref AWS::StackId TrafficType: ALL PublicSubnet0: Type: "AWS::EC2::Subnet" Properties: VpcId: !Ref VPC AvailabilityZone: !Ref StackAvailabilityZone CidrBlock: Fn::Select: - 0 - Fn::Cidr: [!GetAtt VPC.CidrBlock, 6, 8] Tags: - Key: Application Value: !Ref ApplicationName - Key: Network Value: Public - Key: StackId Value: !Ref AWS::StackId PrivateSubnet0: Type: "AWS::EC2::Subnet" Properties: VpcId: Ref: VPC AvailabilityZone: !Ref StackAvailabilityZone MapPublicIpOnLaunch: false CidrBlock: Fn::Select: - 3 - Fn::Cidr: [!GetAtt VPC.CidrBlock, 6, 8] Tags: - Key: Application Value: !Ref ApplicationName - Key: Network Value: Private - Key: StackId Value: !Ref AWS::StackId InternetGateway: Type: "AWS::EC2::InternetGateway" Properties: Tags: - Key: Application Value: !Ref ApplicationName - Key: Network Value: Public - Key: StackId Value: !Ref AWS::StackId GatewayToInternet: Type: "AWS::EC2::VPCGatewayAttachment" Properties: VpcId: Ref: VPC InternetGatewayId: Ref: InternetGateway PublicRouteTable: Type: "AWS::EC2::RouteTable" Properties: VpcId: Ref: VPC Tags: - Key: Application Value: !Ref ApplicationName - Key: Network Value: Public - Key: StackId Value: !Ref AWS::StackId PublicRoute: Type: "AWS::EC2::Route" DependsOn: GatewayToInternet Properties: RouteTableId: Ref: PublicRouteTable DestinationCidrBlock: 0.0.0.0/0 GatewayId: Ref: InternetGateway PublicSubnetRouteTableAssociation0: Type: "AWS::EC2::SubnetRouteTableAssociation" Properties: SubnetId: Ref: PublicSubnet0 RouteTableId: Ref: PublicRouteTable ElasticIP0: Type: "AWS::EC2::EIP" Properties: Domain: vpc Tags: - Key: Application Value: !Ref ApplicationName - Key: StackId Value: !Ref AWS::StackId NATGateway0: Type: "AWS::EC2::NatGateway" Properties: AllocationId: "Fn::GetAtt": - ElasticIP0 - AllocationId SubnetId: Ref: PublicSubnet0 Tags: - Key: Application Value: !Ref ApplicationName - Key: StackId Value: !Ref AWS::StackId PrivateRouteTable0: Type: "AWS::EC2::RouteTable" Properties: VpcId: Ref: VPC Tags: - Key: Application Value: !Ref ApplicationName - Key: StackId Value: !Ref AWS::StackId PrivateRouteToInternet0: Type: "AWS::EC2::Route" Properties: RouteTableId: Ref: PrivateRouteTable0 DestinationCidrBlock: 0.0.0.0/0 NatGatewayId: Ref: NATGateway0 PrivateSubnetRouteTableAssociation0: Type: "AWS::EC2::SubnetRouteTableAssociation" Properties: SubnetId: Ref: PrivateSubnet0 RouteTableId: Ref: PrivateRouteTable0 EncryptionKey: Type: "AWS::KMS::Key" Properties: EnableKeyRotation: true KeyPolicy: Version: 2012-10-17 Id: key-default-1 Statement: - Sid: Enable IAM User Permissions Effect: Allow Principal: AWS: Fn::Join: [":", ["arn:aws:iam:", !Ref "AWS::AccountId", "root"]] Action: [ "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*", "kms:TagResource", "kms:UntagResource", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion", ] Resource: "*" - Sid: Enable CloudWatch Logs Encryption Effect: Allow Principal: Service: "logs.amazonaws.com" Action: [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey", ] Resource: "*" Tags: - Key: Application Value: !Ref ApplicationName - Key: StackId Value: !Ref AWS::StackId S3Endpoint: Type: "AWS::EC2::VPCEndpoint" Properties: RouteTableIds: - !Ref PublicRouteTable - !Ref PrivateRouteTable0 ServiceName: !Sub "com.amazonaws.${AWS::Region}.s3" VpcId: !Ref VPC Outputs: VPC: Description: A reference to the created VPC Value: !Ref VPC PrivateSubnet: Description: The private subnet Value: Ref: PrivateSubnet0 DefaultSecurityGroup: Description: ID of the default security group Value: !GetAtt VPC.DefaultSecurityGroup