#* #* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. #* SPDX-License-Identifier: MIT-0 #* #* Permission is hereby granted, free of charge, to any person obtaining a copy of this #* software and associated documentation files (the "Software"), to deal in the Software #* without restriction, including without limitation the rights to use, copy, modify, #* merge, publish, distribute, sublicense, and/or sell copies of the Software, and to #* permit persons to whom the Software is furnished to do so. #* #* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, #* INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A #* PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT #* HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION #* OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE #* SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. #* #------------------------------------------------------------------------------ # # Template: ssm-workshop-resources-episode-05.yaml # Purpose: CloudFormation template to deploy test instances episode 05. # # #------------------------------------------------------------------------------ AWSTemplateFormatVersion: '2010-09-09' Description: AWS CloudFormation template to launch test instances for the Systems Manager workshop. #----------------------------------------------------------- # Parameters #----------------------------------------------------------- Parameters : LatestAmazonLinuxAmiId : # Use public Systems Manager Parameter Type : 'AWS::SSM::Parameter::Value' Default: '/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2' Resources: #------------------------------------------------- # IAM role and instance profile to enable Systems Manager registration on EC2 instances #------------------------------------------------- ManagedInstanceRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: - ec2.amazonaws.com Action: sts:AssumeRole ManagedPolicyArns: - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore Path: "/" RoleName: !Join [ '-', ['AmazonSSMManagedInstanceCore', !Ref 'AWS::Region'] ] ManagedInstanceProfile: Type: AWS::IAM::InstanceProfile Properties: Path: "/" Roles: - !Ref ManagedInstanceRole InstanceProfileName: !Sub 'ManagedInstanceProfile-${AWS::Region}' #------------------------------------------------- # VPC and required resources to enable network connectivity to AWS Systems Manager #------------------------------------------------- VPC: Type: 'AWS::EC2::VPC' Properties: CidrBlock: 10.0.0.0/16 EnableDnsSupport: true EnableDnsHostnames: true InstanceTenancy: default Tags: - Key: Name Value: SSM-Workshop-CF InternetGateway: Type: 'AWS::EC2::InternetGateway' Properties: Tags: - Key: Name Value: SSM-Workshop-CF VPCGatewayAttachment: Type: 'AWS::EC2::VPCGatewayAttachment' Properties: VpcId: !Ref VPC InternetGatewayId: !Ref InternetGateway SubnetPublic: Type: 'AWS::EC2::Subnet' Properties: AvailabilityZone: !Select [0, !GetAZs ''] CidrBlock: 10.0.0.0/20 MapPublicIpOnLaunch: true VpcId: !Ref VPC Tags: - Key: Name Value: SSM-Workshop-CF RouteTablePublic: Type: 'AWS::EC2::RouteTable' Properties: VpcId: !Ref VPC Tags: - Key: Name Value: SSM-Workshop-CF RouteTableAssociationPublic: Type: 'AWS::EC2::SubnetRouteTableAssociation' Properties: SubnetId: !Ref SubnetPublic RouteTableId: !Ref RouteTablePublic RouteTablePublicInternetRoute: Type: 'AWS::EC2::Route' DependsOn: VPCGatewayAttachment Properties: RouteTableId: !Ref RouteTablePublic DestinationCidrBlock: '0.0.0.0/0' GatewayId: !Ref InternetGateway NetworkAclPublic: Type: 'AWS::EC2::NetworkAcl' Properties: VpcId: !Ref VPC Tags: - Key: Name Value: SSM-Workshop-CF SubnetNetworkAclAssociationPublic: Type: 'AWS::EC2::SubnetNetworkAclAssociation' Properties: SubnetId: !Ref SubnetPublic NetworkAclId: !Ref NetworkAclPublic NetworkAclEntryInPublicAllowAll: Type: 'AWS::EC2::NetworkAclEntry' Properties: NetworkAclId: !Ref NetworkAclPublic RuleNumber: 100 Protocol: -1 RuleAction: allow Egress: false CidrBlock: '0.0.0.0/0' NetworkAclEntryOutPublicAllowAll: Type: 'AWS::EC2::NetworkAclEntry' Properties: NetworkAclId: !Ref NetworkAclPublic RuleNumber: 100 Protocol: -1 RuleAction: allow Egress: true CidrBlock: '0.0.0.0/0' InstanceSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: "Security Group for SSM Workshop test instances" GroupName: SSM-Workshop-CF SecurityGroupEgress: - IpProtocol: -1 FromPort: 0 ToPort: 65535 CidrIp: 0.0.0.0/0 Tags: - Key: Name Value: SSM-Workshop-CF VpcId: !Ref VPC #------------------------------------------------- # One Amazon Linux 2 EC2 instances using the latest AMI for Amazon Linux 2 #------------------------------------------------- LinuxEc2InstanceOne: Type: AWS::EC2::Instance Properties: InstanceType: t2.micro ImageId: !Ref LatestAmazonLinuxAmiId Monitoring: true NetworkInterfaces: - AssociatePublicIpAddress: "true" DeviceIndex: "0" GroupSet: - Ref: "InstanceSecurityGroup" SubnetId: Ref: "SubnetPublic" IamInstanceProfile: !Sub 'ManagedInstanceProfile-${AWS::Region}' Tags: - Key: Name Value: SampleApp #------------------------------------------------- # CloudWatch Alarm for CPU usage on the test instance #------------------------------------------------- CPUCloudWatchAlarm: Type: AWS::CloudWatch::Alarm Properties: AlarmDescription: Monitor for CPU usage on SampleApp instance. AlarmName: !Join [ '-', [!Ref LinuxEc2InstanceOne, 'CPU-Spike'] ] ActionsEnabled: true AlarmActions: - !Join [ '', ['arn:aws:ssm-incidents::', !Ref 'AWS::AccountId', ':response-plan/sampleapp-performance-issues-response-plan'] ] ComparisonOperator: GreaterThanThreshold DatapointsToAlarm: 1 EvaluationPeriods: 1 MetricName: CPUUtilization Namespace: AWS/EC2 Statistic: Average Period: 60 Threshold: 60 Dimensions: - Name: InstanceId Value: !Ref LinuxEc2InstanceOne #------------------------------------------------- # IAM role for the EventBridge rule #------------------------------------------------- EventBridgeRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: - events.amazonaws.com Action: sts:AssumeRole Path: "/" RoleName: !Join [ '-', ['EventBridgeIncidentManagerRole', !Ref 'AWS::Region'] ] Policies: - PolicyName: startIncidentPermissions PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - ssm-incidents:StartIncident Resource: - !Join [ '', ['arn:aws:ssm-incidents::', !Ref 'AWS::AccountId', ':response-plan/*'] ] #------------------------------------------------- # EventBridge rule to monitor alarm state change #------------------------------------------------- EventBridgeMonitorAlarm: Type: AWS::Events::Rule Properties: Description: Test EventBridge rule to monitor CloudWatch alarm state changes EventPattern: source: - aws.cloudwatch detail-type: - CloudWatch Alarm State Change resources: - !GetAtt CPUCloudWatchAlarm.Arn detail: state: value: - ALARM Name: sampleAppAlarmRule RoleArn: !GetAtt EventBridgeRole.Arn State: DISABLED Targets: - Id: TestName Arn: !Join [ '', ['arn:aws:ssm-incidents::', !Ref 'AWS::AccountId', ':response-plan/sampleapp-performance-issues-response-plan'] ] RoleArn: !GetAtt EventBridgeRole.Arn