---
AWSTemplateFormatVersion: 2010-09-09
Description: Provides networking configuration for a standard management VPC (qs-1nb14cqcg)
Metadata:
Stack:
Value: 2
VersionDate:
Value: 20160510
Identifier:
Value: template-vpc-management
Input:
Description: CIDR blocks, VPC names, KeyName, EC2 instance size
Output:
Description: Outputs ID of all deployed resources
AWS::CloudFormation::Interface:
ParameterGroups:
- Label:
default: Region Config
Parameters:
- pRegionAZ1Name
- pRegionAZ2Name
- Label:
default: Management VPC Configuration
Parameters:
- pManagementVPCName
- pManagementCIDR
- pManagementDMZSubnetACIDR
- pManagementDMZSubnetBCIDR
- pManagementDMZSubnetPublicIP
- pVPCTenancy
- Label:
default: AWS Quick Start Configuration
Parameters:
- QSS3BucketName
- QSS3KeyPrefix
- Label:
default: Optional Components - Bastion
Parameters:
- pCreateBastionHost
- pEC2KeyPairBastion
- pBastionInstanceType
- pBastionAmi
- pBastionSSHCIDR
ParameterLabels:
pManagementVPCName:
default: Name of Management VPC to create
pManagementCIDR:
default: CIDR block of Management VPC
pManagementDMZSubnetACIDR:
default: CIDR block of Management DMZ SubnetA
pManagementDMZSubnetBCIDR:
default: CIDR block of Management DMZ SubnetB
pManagementDMZSubnetPublicIP:
default: Configure DMZ Subnet(s) for public ip.
pVPCTenancy:
default: Instance tenancy
QSS3BucketName:
default: Quick Start S3 Bucket Name
QSS3KeyPrefix:
default: Quick Start S3 Key Prefix
pCreateBastionHost:
default: Create Bastion Host
pEC2KeyPairBastion:
default: Bastion KeyPair
pBastionInstanceType:
default: Bastion Instance Type
pBastionAmi:
default: Bastion AMI
pBastionSSHCIDR:
default: Bastion SSH CIDR
Parameters:
pCreateBastionHost:
Description: Should a Bastion host be created inside the DMZ Subnet(s)?
Type: String
Default: true
AllowedValues:
- true
- false
pManagementDMZSubnetPublicIP:
Description: Should Public IPs be auto-assigned to instances launched in the DMZ subnet(s)?
Type: String
Default: false
AllowedValues:
- true
- false
pProductionVPC:
Description: Production VPC to peer with (optional)
Type: String
Default: ''
pProductionCIDR:
Description: CIDR of Production VPC
Type: String
Default: ''
pRouteTableProdPrivate:
Description: Route Table ID for Prod VPC Private
Type: String
Default: ''
pRouteTableProdPublic:
Description: Route Table ID for Prod VPC Public
Type: String
Default: ''
pRegionAZ1Name:
Description: Availability Zone 1 Name in Region
Type: String
Default: us-east-1b
pRegionAZ2Name:
Description: Availability Zone 2 Name in Region
Type: String
Default: us-west-1c
pEC2KeyPairBastion:
Description: Name of existing EC2 key pair for BASTION hosts
Type: String
Default: ''
pBastionInstanceType:
Description: Bastion EC2 instance type
Type: String
Default: m3.large
pManagementVPCName:
Description: Management VPC Name
Type: String
Default: Management VPC
pManagementCIDR:
Description: CIDR block for Management VPC
Type: String
Default: 10.10.0.0/16
pManagementDMZSubnetACIDR:
Description: CIDR block for Management AZ-1a subnet
Type: String
Default: 10.10.10.0/24
pManagementDMZSubnetBCIDR:
Description: CIDR block for Management AZ-1b subnet
Type: String
Default: 10.10.20.0/24
pManagementPrivateSubnetACIDR:
Description: CIDR block for Management AZ-1a subnet
Type: String
Default: 10.10.10.0/24
pManagementPrivateSubnetBCIDR:
Description: CIDR block for Management AZ-1b subnet
Type: String
Default: 10.10.20.0/24
pVPCTenancy:
Description: Instance tenancy behavior for this VPC
Type: String
Default: default
AllowedValues:
- default
- dedicated
pBastionSSHCIDR:
Type: String
Default: 0.0.0.0/0
Description: The CIDR Allowed SSH access to the bastion host
pBastionAmi:
Description: AMI to use for bastion host
Type: String
Default: ''
pEC2KeyPair:
Description: Name of existing EC2 key pair for production hosts
Type: String
Default: ''
pEnvironment:
Description: Environment (development, test, or production)
Type: String
Default: development
pSupportsNatGateway:
Description: Specifies whether this region supports NAT Gateway (this value is
determined by the main stack if it is invoked from there)
Type: String
Default: true
pNatInstanceType:
Description: Instance type to use for the NAT intstance if the region does not
support NAT Gateway (this value is determined by the main stack if it is invoked
from there)
Type: String
Default: ''
pNatAmi:
Description: AMI to use for the NAT intstance if the region does not support NAT
Gateway (this value is determined by the main stack if it is invoked from there)
Type: String
Default: ''
pFlowLogGroup:
Description: Log Group for capturing VPC Flow Logs
Type: String
Default: ''
QSS3BucketName:
AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z\-\.]*[0-9a-zA-Z])*$
ConstraintDescription: Quick Start bucket name can include numbers, lowercase
letters, uppercase letters, periods (.), and hyphens (-). It cannot start or
end with a hyphen (-).
Default: aws-quickstart
Description: S3 bucket name for the Quick Start assets. Quick Start bucket name
can include numbers, lowercase letters, uppercase letters, periods (.), and
hyphens (-). It cannot start or end with a hyphen (-).
Type: String
QSS3KeyPrefix:
AllowedPattern: ^[0-9a-zA-Z-/]*$
ConstraintDescription: Quick Start key prefix can include numbers, lowercase letters,
uppercase letters, hyphens (-), and forward slash (/).
Default: quickstart-compliance-nist/
Description: S3 key prefix for the Quick Start assets. Quick Start key prefix
can include numbers, lowercase letters, uppercase letters, hyphens (-), and
orward slash (/).
Type: String
Conditions:
cGovCloudCondition:
!Equals
- !Ref AWS::Region
- us-gov-west-1
cCreateBastionHost:
!Equals
- true
- !Ref pCreateBastionHost
cCreatePeeringProduction:
!Not
- !Equals
- ''
- !Ref pProductionVPC
cNeedNatInstance:
!Equals
- false
- !Ref pSupportsNatGateway
cSupportsNatGateway:
!Equals
- true
- !Ref pSupportsNatGateway
cEnableFlowLogs:
!Not
- !Equals
- !Ref pFlowLogGroup
- ''
cManagementSubnetDefaultRoute:
!Equals
- true
- !Ref pManagementDMZSubnetPublicIP
Resources:
rVPCManagement:
Type: AWS::EC2::VPC
Properties:
CidrBlock: !Ref pManagementCIDR
InstanceTenancy: !Ref pVPCTenancy
EnableDnsSupport: true
EnableDnsHostnames: true
Tags:
- Key: Name
Value: !Ref pManagementVPCName
rNatInstanceTemplate:
Type: AWS::CloudFormation::Stack
Condition: cNeedNatInstance
Properties:
TemplateURL:
!Sub
- https://${QSS3BucketName}.${QSS3Region}.amazonaws.com/${QSS3KeyPrefix}submodules/quickstart-compliance-common/templates/nat-instance.template
- QSS3Region:
!If
- cGovCloudCondition
- s3-us-gov-west-1
- s3
TimeoutInMinutes: 20
Parameters:
pDMZSubnetA: !Ref rManagementDMZSubnetA
pSecurityGroupSSHFromVpc: !Ref rSecurityGroupSSHFromMgmt
pSecurityGroupVpcNat: !Ref rSecurityGroupVpcNat
pNatInstanceType: !Ref pNatInstanceType
pNatAmi: !Ref pNatAmi
pEC2KeyPair: !Ref pEC2KeyPair
pVpcId: !Ref rVPCManagement
pVpcName: !Ref pManagementVPCName
pRouteTablePrivateA: !Ref rRouteTableMgmtPrivate
pRouteTablePrivateB: ''
pEipNatAllocationId: !GetAtt rEIPProdNAT.AllocationId
rSecurityGroupVpcNat:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Allow NAT from Management VPC
VpcId: !Ref rVPCManagement
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: !Ref pManagementCIDR
- IpProtocol: tcp
FromPort: 443
ToPort: 443
CidrIp: !Ref pManagementCIDR
Tags:
- Key: Name
Value: sg-web-access-ports-from-production
- Key: Environment
Value: !Ref pEnvironment
rManagementDMZSubnetA:
Type: AWS::EC2::Subnet
Properties:
CidrBlock: !Ref pManagementDMZSubnetACIDR
AvailabilityZone: !Ref pRegionAZ1Name
MapPublicIpOnLaunch: !Ref pManagementDMZSubnetPublicIP
VpcId: !Ref rVPCManagement
Tags:
- Key: Name
Value: Management DMZ Subnet A
rManagementDMZSubnetB:
Type: AWS::EC2::Subnet
Properties:
CidrBlock: !Ref pManagementDMZSubnetBCIDR
AvailabilityZone: !Ref pRegionAZ2Name
MapPublicIpOnLaunch: !Ref pManagementDMZSubnetPublicIP
VpcId: !Ref rVPCManagement
Tags:
- Key: Name
Value: Management DMZ Subnet B
rManagementPrivateSubnetA:
Type: AWS::EC2::Subnet
Properties:
CidrBlock: !Ref pManagementPrivateSubnetACIDR
AvailabilityZone: !Ref pRegionAZ1Name
VpcId: !Ref rVPCManagement
Tags:
- Key: Name
Value: Management Private Subnet A
rManagementPrivateSubnetB:
Type: AWS::EC2::Subnet
Properties:
CidrBlock: !Ref pManagementPrivateSubnetBCIDR
AvailabilityZone: !Ref pRegionAZ2Name
VpcId: !Ref rVPCManagement
Tags:
- Key: Name
Value: Management Private Subnet B
rIGWManagement:
Type: AWS::EC2::InternetGateway
Properties:
Tags:
- Key: Name
Value: igw-management
rRouteTableMgmtPrivate:
Type: AWS::EC2::RouteTable
Properties:
VpcId: !Ref rVPCManagement
Tags:
- Key: Name
Value: Management Private Route
rRouteTableMgmtDMZ:
Type: AWS::EC2::RouteTable
Properties:
VpcId: !Ref rVPCManagement
Tags:
- Key: Name
Value: Management DMZ Route
rRouteMgmtIGW:
DependsOn:
- rGWAttachmentMgmtIGW
Type: AWS::EC2::Route
Properties:
RouteTableId: !Ref rRouteTableMgmtDMZ
GatewayId: !Ref rIGWManagement
DestinationCidrBlock: 0.0.0.0/0
rRouteAssocMgmtDMZA:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId: !Ref rRouteTableMgmtDMZ
SubnetId: !Ref rManagementDMZSubnetA
rRouteAssocMgmtDMZB:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId: !Ref rRouteTableMgmtDMZ
SubnetId: !Ref rManagementDMZSubnetB
rRouteAssocMgmtPrivA:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId: !Ref rRouteTableMgmtPrivate
SubnetId: !Ref rManagementPrivateSubnetA
rRouteAssocMgmtPrivB:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId: !Ref rRouteTableMgmtPrivate
SubnetId: !Ref rManagementPrivateSubnetB
rENIProductionBastion:
Condition: cCreateBastionHost
Type: AWS::EC2::NetworkInterface
Properties:
SubnetId: !Ref rManagementDMZSubnetA
GroupSet:
- !Ref rSecurityGroupBastion
Description: Interface for Bastion device
Tags:
- Key: Network
Value: MgmtBastionDevice
rMgmtBastionInstance:
Type: AWS::EC2::Instance
Condition: cCreateBastionHost
Properties:
InstanceType: !Ref pBastionInstanceType
KeyName: !Ref pEC2KeyPairBastion
Tags:
- Key: Name
Value: Bastion Server
ImageId: !Ref pBastionAmi
NetworkInterfaces:
- NetworkInterfaceId: !Ref rENIProductionBastion
DeviceIndex: 0
UserData: !Base64 |
#!/bin/bash
yum update -y
rEIPProdBastion:
Type: AWS::EC2::EIP
Condition: cCreateBastionHost
Properties:
Domain: vpc
AssociaterEIPProdBastion:
Type: AWS::EC2::EIPAssociation
Condition: cCreateBastionHost
DependsOn:
- rMgmtBastionInstance
Properties:
AllocationId: !GetAtt rEIPProdBastion.AllocationId
NetworkInterfaceId: !Ref rENIProductionBastion
rEIPManagementNAT:
Type: AWS::EC2::EIP
Properties:
Domain: vpc
rSecurityGroupSSHFromMgmt:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Enable SSH access via port 22
VpcId: !Ref rVPCManagement
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: !Ref pManagementCIDR
Tags:
- Key: Name
Value: sg-ssh-access-from-management
- Key: Environment
Value: !Ref pEnvironment
rManagementNATInstanceInterface:
Type: AWS::EC2::NetworkInterface
Properties:
SubnetId: !Ref rManagementDMZSubnetA
GroupSet:
- !Ref rSecurityGroupSSHFromMgmt
- !Ref rSecurityGroupVpcNat
Description: Interface for Nat device
Tags:
- Key: Network
Value: rManagementNATInstanceInterface
AssociaterEIPManagementNAT:
Type: AWS::EC2::EIPAssociation
Properties:
AllocationId: !GetAtt rEIPManagementNAT.AllocationId
NetworkInterfaceId: !Ref rManagementNATInstanceInterface
rEIPProdNAT:
Type: AWS::EC2::EIP
Properties:
Domain: vpc
rNATGateway:
Type: AWS::EC2::NatGateway
Condition: cSupportsNatGateway
DependsOn: rIGWManagement
Properties:
AllocationId: !GetAtt rEIPProdNAT.AllocationId
SubnetId: !Ref rManagementDMZSubnetA
rGWAttachmentMgmtIGW:
Type: AWS::EC2::VPCGatewayAttachment
Properties:
VpcId: !Ref rVPCManagement
InternetGatewayId: !Ref rIGWManagement
rSecurityGroupBastion:
Type: AWS::EC2::SecurityGroup
Condition: cCreateBastionHost
Properties:
GroupDescription: SG for Bastion Instances
VpcId: !Ref rVPCManagement
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: !Ref pBastionSSHCIDR
SecurityGroupEgress:
- IpProtocol: tcp
FromPort: 1
ToPort: 65535
CidrIp: 0.0.0.0/0
Tags:
- Key: Name
Value: sg-ssh-access-from-bastion
- Key: Environment
Value: !Ref pEnvironment
rPeeringConnectionProduction:
Type: AWS::EC2::VPCPeeringConnection
Condition: cCreatePeeringProduction
Properties:
PeerVpcId: !Ref pProductionVPC
VpcId: !Ref rVPCManagement
Tags:
- Key: Name
Value: vpc-peer-production-management
- Key: Environment
Value: !Ref pEnvironment
rRouteMgmtProdPrivate:
Condition: cCreatePeeringProduction
Type: AWS::EC2::Route
Properties:
RouteTableId: !Ref rRouteTableMgmtPrivate
VpcPeeringConnectionId: !Ref rPeeringConnectionProduction
DestinationCidrBlock: !Ref pProductionCIDR
rRouteMgmtNGW:
Condition: cSupportsNatGateway
Type: AWS::EC2::Route
Properties:
RouteTableId: !Ref rRouteTableMgmtPrivate
DestinationCidrBlock: 0.0.0.0/0
NatGatewayId: !Ref rNATGateway
rRouteProdMgmt:
Condition: cCreatePeeringProduction
Type: AWS::EC2::Route
Properties:
RouteTableId: !Ref pRouteTableProdPrivate
VpcPeeringConnectionId: !Ref rPeeringConnectionProduction
DestinationCidrBlock: !Ref pManagementCIDR
rRouteProdMgmtPublic:
Condition: cCreatePeeringProduction
Type: AWS::EC2::Route
Properties:
RouteTableId: !Ref pRouteTableProdPublic
VpcPeeringConnectionId: !Ref rPeeringConnectionProduction
DestinationCidrBlock: !Ref pManagementCIDR
rRouteMgmtProdDMZ:
Condition: cCreatePeeringProduction
Type: AWS::EC2::Route
Properties:
RouteTableId: !Ref rRouteTableMgmtDMZ
VpcPeeringConnectionId: !Ref rPeeringConnectionProduction
DestinationCidrBlock: !Ref pProductionCIDR
rManagementVpcFlowLogsServiceRole:
Condition: cEnableFlowLogs
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Sid: AllowFlowLogs
Effect: Allow
Principal:
Service: vpc-flow-logs.amazonaws.com
Action: sts:AssumeRole
Path: /
Policies:
- PolicyName: cloudwatchlogsrole
PolicyDocument:
Version: 2012-10-17
Statement:
- Action:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
- logs:DescribeLogGroups
- logs:DescribeLogStreams
Effect: Allow
Resource: '*'
rManagementVpcFlowLog:
Condition: cEnableFlowLogs
Type: AWS::EC2::FlowLog
Properties:
DeliverLogsPermissionArn: !GetAtt rManagementVpcFlowLogsServiceRole.Arn
LogGroupName: !Ref pFlowLogGroup
ResourceId: !Ref rVPCManagement
ResourceType: VPC
TrafficType: ALL
rManagementVpcFlowLogStream:
Condition: cEnableFlowLogs
Type: AWS::Logs::LogStream
Properties:
LogGroupName: !Ref pFlowLogGroup
Outputs:
rVPCManagement:
Value: !Ref rVPCManagement
rBastionInstanceIP:
Condition: cCreateBastionHost
Value:
!If
- cCreateBastionHost
- !Ref rEIPProdBastion
- ''
rManagementDMZSubnetA:
Value: !Ref rManagementDMZSubnetA
rManagementDMZSubnetB:
Value: !Ref rManagementDMZSubnetB
rManagementPrivateSubnetA:
Value: !Ref rManagementPrivateSubnetA
rManagementPrivateSubnetB:
Value: !Ref rManagementPrivateSubnetB
rRouteTableMgmtPrivate:
Value: !Ref rRouteTableMgmtPrivate
rRouteTableMgmtDMZ:
Value: !Ref rRouteTableMgmtDMZ
rSecurityGroupVpcNat:
Value: !Ref rSecurityGroupVpcNat
rEIPManagementNAT:
Value: !Ref rEIPProdNAT
rSecurityGroupSSHFromMgmt:
Value: !Ref rSecurityGroupSSHFromMgmt
...