AWSTemplateFormatVersion: "2010-09-09" Parameters: AvailabilityZones: Type: List VPCCidr: Type: String AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 PublicSubnet1Cidr: Type: String AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 PublicSubnet2Cidr: Type: String AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 VPCName: Type: String Resources: VPC: Type: AWS::EC2::VPC Properties: CidrBlock: !Ref VPCCidr EnableDnsHostnames: true EnableDnsSupport: true InstanceTenancy: default Tags: - Key: Name Value: !Ref VPCName VPCPublicSubnet1: Type: AWS::EC2::Subnet Properties: CidrBlock: !Ref PublicSubnet1Cidr VpcId: !Ref VPC AvailabilityZone: !Select [0, !Ref AvailabilityZones] MapPublicIpOnLaunch: true Tags: - Key: Name Value: PublicSubnet1 - Key: subnet-type Value: Public VPCPublicSubnet1RouteTable: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref VPC Tags: - Key: Name Value: PublicSubnet1 VPCPublicSubnet1RouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: RouteTableId: !Ref VPCPublicSubnet1RouteTable SubnetId: !Ref VPCPublicSubnet1 VPCPublicSubnet1DefaultRoute: Type: AWS::EC2::Route DependsOn: - VPCGW Properties: RouteTableId: !Ref VPCPublicSubnet1RouteTable DestinationCidrBlock: 0.0.0.0/0 GatewayId: !Ref VPCIGW VPCPublicSubnet2: Type: AWS::EC2::Subnet Properties: CidrBlock: !Ref PublicSubnet2Cidr VpcId: !Ref VPC AvailabilityZone: !Select [1, !Ref AvailabilityZones] MapPublicIpOnLaunch: true Tags: - Key: Name Value: PublicSubnet2 - Key: subnet-type Value: Public VPCPublicSubnet2RouteTable: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref VPC Tags: - Key: Name Value: PublicSubnet2 VPCPublicSubnet2RouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: RouteTableId: !Ref VPCPublicSubnet2RouteTable SubnetId: !Ref VPCPublicSubnet2 VPCPublicSubnet2DefaultRoute: Type: AWS::EC2::Route DependsOn: - VPCGW Properties: RouteTableId: !Ref VPCPublicSubnet2RouteTable DestinationCidrBlock: 0.0.0.0/0 GatewayId: !Ref VPCIGW VPCIGW: Type: AWS::EC2::InternetGateway Properties: Tags: - Key: Name Value: VPCIGW VPCGW: Type: AWS::EC2::VPCGatewayAttachment Properties: VpcId: !Ref VPC InternetGatewayId: !Ref VPCIGW # -- Create FlowLogs and CloudWatch Logs Group including Service Role policy. -- # VpcFlowLogsRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Sid: AllowFlowLogs Effect: Allow Principal: Service: vpc-flow-logs.amazonaws.com Action: sts:AssumeRole Path: / Policies: - PolicyName: cloudwatchlogsrole PolicyDocument: Version: "2012-10-17" Statement: - Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents - logs:DescribeLogGroups - logs:DescribeLogStreams Effect: Allow Resource: '*' VpcFlowLogGroup: Type: AWS::Logs::LogGroup Properties: RetentionInDays: 90 VpcFlowLog: Type: AWS::EC2::FlowLog Properties: DeliverLogsPermissionArn: !GetAtt VpcFlowLogsRole.Arn LogGroupName: !Ref VpcFlowLogGroup ResourceId: !Ref VPC ResourceType: VPC TrafficType: ALL Outputs: VpcID: Value: !Ref VPC PublicSubnets: Value: !Join - ',' - - !Ref VPCPublicSubnet1 - !Ref VPCPublicSubnet2 VPCPublicSubnet1RouteTable: Value: !Ref VPCPublicSubnet1RouteTable VPCPublicSubnet2RouteTable: Value: !Ref VPCPublicSubnet2RouteTable