AWSTemplateFormatVersion: '2010-09-09' Description: The template creates the Security VPC that provides domain name whitelisting using Squid. Parameters: Domains: Description: The domains to whitelist Type: String Default: 'amazonaws.com' CidrBlock: Default: '10.0.0.0/16' Description: The CIDR Block for the VPC Type: String AZCount: Type: Number MinValue: 1 MaxValue: 2 Default: 1 Mappings: RegionMap: us-east-1: HVM64: ami-009d6802948d06e52 us-east-2: HVM64: ami-02e680c4540db351e us-west-1: HVM64: ami-011b6930a81cd6aaf us-west-2: HVM64: ami-01bbe152bf19d0289 ca-central-1: HVM64: ami-076b4adb3f90cd384 eu-west-1: HVM64: ami-09693313102a30b2c eu-west-2: HVM64: ami-0274e11dced17bb5b eu-west-3: HVM64: ami-051707cdba246187b eu-central-1: HVM64: ami-034fffcc6a0063961 ap-south-1: HVM64: ami-06bcd1131b2f55803 ap-northeast-1: HVM64: ami-0a2de1c3b415889d2 ap-northeast-2: HVM64: ami-0b4fdb56a00adb616 ap-southeast-1: HVM64: ami-0b84d2c53ad5250c2 ap-southeast-2: HVM64: ami-08589eca6dcc9b39c Conditions: TwoAZs: !Equals [ !Ref AZCount, 2 ] Resources: TransitGateway: Type: "AWS::EC2::TransitGateway" Properties: AmazonSideAsn: 64513 AutoAcceptSharedAttachments: enable Description: A transit gateway to support a centralized squid server Tags: - Key: Name Value: !Sub ${AWS::StackName} VPC: Type: AWS::EC2::VPC Properties: CidrBlock: !Ref CidrBlock Tags: - Key: Application Value: !Ref 'AWS::StackId' - Key: Name Value: !Sub SecurityVpc-${AWS::StackName} PublicSecurityVpcSubnet: Type: AWS::EC2::Subnet Properties: VpcId: !Ref 'VPC' CidrBlock: !Sub - ${a}.${b}.0.0/24 - a: !Select [0, !Split ['.', !Select [0, !Split [ "/" , !Ref CidrBlock ]]]] b: !Select [1, !Split ['.', !Select [0, !Split [ "/" , !Ref CidrBlock ]]]] AvailabilityZone: Fn::Select: - 0 - Fn::GetAZs: "" Tags: - Key: Application Value: !Ref 'AWS::StackId' - Key: Name Value: !Sub Public-SecurityVpc-${AWS::StackName} PublicSecurityVpcSubnet2: Type: AWS::EC2::Subnet Condition: TwoAZs Properties: VpcId: !Ref 'VPC' CidrBlock: !Sub - ${a}.${b}.1.0/24 - a: !Select [0, !Split ['.', !Select [0, !Split [ "/" , !Ref CidrBlock ]]]] b: !Select [1, !Split ['.', !Select [0, !Split [ "/" , !Ref CidrBlock ]]]] AvailabilityZone: Fn::Select: - 1 - Fn::GetAZs: "" Tags: - Key: Application Value: !Ref 'AWS::StackId' - Key: Name Value: !Sub Public-2-SecurityVpc-${AWS::StackName} PrivateSecurityVpcSubnet: Type: AWS::EC2::Subnet Properties: VpcId: !Ref 'VPC' CidrBlock: !Sub - ${a}.${b}.2.0/24 - a: !Select [0, !Split ['.', !Select [0, !Split [ "/" , !Ref CidrBlock ]]]] b: !Select [1, !Split ['.', !Select [0, !Split [ "/" , !Ref CidrBlock ]]]] AvailabilityZone: Fn::Select: - 0 - Fn::GetAZs: "" Tags: - Key: Application Value: !Ref 'AWS::StackId' - Key: Name Value: !Sub Private-SecurityVpc-${AWS::StackName} PrivateSecurityVpcSubnet2: Type: AWS::EC2::Subnet Condition: TwoAZs Properties: VpcId: !Ref 'VPC' CidrBlock: !Sub - ${a}.${b}.3.0/24 - a: !Select [0, !Split ['.', !Select [0, !Split [ "/" , !Ref CidrBlock ]]]] b: !Select [1, !Split ['.', !Select [0, !Split [ "/" , !Ref CidrBlock ]]]] AvailabilityZone: Fn::Select: - 1 - Fn::GetAZs: "" Tags: - Key: Application Value: !Ref 'AWS::StackId' - Key: Name Value: !Sub Private-2-SecurityVpc-${AWS::StackName} ProtectedSecurityVpcSubnet: Type: AWS::EC2::Subnet Properties: VpcId: !Ref 'VPC' CidrBlock: !Sub - ${a}.${b}.4.0/24 - a: !Select [0, !Split ['.', !Select [0, !Split [ "/" , !Ref CidrBlock ]]]] b: !Select [1, !Split ['.', !Select [0, !Split [ "/" , !Ref CidrBlock ]]]] AvailabilityZone: Fn::Select: - 0 - Fn::GetAZs: "" Tags: - Key: Application Value: !Ref 'AWS::StackId' - Key: Name Value: !Sub Protected-SecurityVpc1-${AWS::StackName} ProtectedSecurityVpcSubnet2: Type: AWS::EC2::Subnet Condition: TwoAZs Properties: VpcId: !Ref 'VPC' CidrBlock: !Sub - ${a}.${b}.5.0/24 - a: !Select [0, !Split ['.', !Select [0, !Split [ "/" , !Ref CidrBlock ]]]] b: !Select [1, !Split ['.', !Select [0, !Split [ "/" , !Ref CidrBlock ]]]] AvailabilityZone: Fn::Select: - 1 - Fn::GetAZs: "" Tags: - Key: Application Value: !Ref 'AWS::StackId' - Key: Name Value: !Sub Protected-SecurityVpc2-${AWS::StackName} InternetGateway: Type: AWS::EC2::InternetGateway Properties: Tags: - Key: Application Value: !Ref 'AWS::StackId' AttachGateway: Type: AWS::EC2::VPCGatewayAttachment Properties: VpcId: !Ref 'VPC' InternetGatewayId: !Ref 'InternetGateway' RouteTable: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref 'VPC' Tags: - Key: Application Value: !Ref 'AWS::StackId' - Key: Name Value: !Sub Public-SecurityVpc-${AWS::StackName} PrivateRouteTable: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref 'VPC' Tags: - Key: Application Value: !Ref 'AWS::StackId' - Key: Name Value: !Sub Private-SecurityVpc-${AWS::StackName} PrivateRouteTable2: Type: AWS::EC2::RouteTable Condition: TwoAZs Properties: VpcId: !Ref 'VPC' Tags: - Key: Application Value: !Ref 'AWS::StackId' - Key: Name Value: !Sub Private-2-SecurityVpc-${AWS::StackName} SquidRouteTable: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref 'VPC' Tags: - Key: Application Value: !Ref 'AWS::StackId' - Key: Name Value: !Sub Squid-SecurityVpc-${AWS::StackName} SquidRouteTable2: Type: AWS::EC2::RouteTable Condition: TwoAZs Properties: VpcId: !Ref 'VPC' Tags: - Key: Application Value: !Ref 'AWS::StackId' - Key: Name Value: !Sub Squid-2-SecurityVpc-${AWS::StackName} Route: Type: AWS::EC2::Route DependsOn: AttachGateway Properties: RouteTableId: !Ref 'RouteTable' DestinationCidrBlock: 0.0.0.0/0 GatewayId: !Ref 'InternetGateway' SubnetRouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: SubnetId: !Ref 'PublicSecurityVpcSubnet' RouteTableId: !Ref 'RouteTable' SubnetRouteTableAssociation2: Type: AWS::EC2::SubnetRouteTableAssociation Condition: TwoAZs Properties: SubnetId: !Ref 'PublicSecurityVpcSubnet2' RouteTableId: !Ref 'RouteTable' PrivateRoute: Type: AWS::EC2::Route DependsOn: AttachGateway Properties: RouteTableId: !Ref 'PrivateRouteTable' DestinationCidrBlock: 0.0.0.0/0 NatGatewayId: !Ref 'NATGateway' PrivateRoute2: Type: AWS::EC2::Route Condition: TwoAZs DependsOn: AttachGateway Properties: RouteTableId: !Ref 'PrivateRouteTable2' DestinationCidrBlock: 0.0.0.0/0 NatGatewayId: !Ref 'NATGateway2' SquidRoute: Type: AWS::EC2::Route DependsOn: AttachGateway Properties: RouteTableId: !Ref 'SquidRouteTable' DestinationCidrBlock: 0.0.0.0/0 NetworkInterfaceId: !Ref 'SquidENI' SquidRoute2: Type: AWS::EC2::Route Condition: TwoAZs DependsOn: AttachGateway Properties: RouteTableId: !Ref 'SquidRouteTable2' DestinationCidrBlock: 0.0.0.0/0 NetworkInterfaceId: !Ref 'SquidENI2' PrivateSubnetRouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: SubnetId: !Ref 'PrivateSecurityVpcSubnet' RouteTableId: !Ref 'PrivateRouteTable' PrivateSubnet2RouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Condition: TwoAZs Properties: SubnetId: !Ref 'PrivateSecurityVpcSubnet2' RouteTableId: !Ref 'PrivateRouteTable2' ProtectedSubnetRouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: SubnetId: !Ref 'ProtectedSecurityVpcSubnet' RouteTableId: !Ref 'SquidRouteTable' ProtectedSubnet2RouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Condition: TwoAZs Properties: SubnetId: !Ref 'ProtectedSecurityVpcSubnet2' RouteTableId: !Ref 'SquidRouteTable2' NetworkAcl: Type: AWS::EC2::NetworkAcl Properties: VpcId: !Ref 'VPC' Tags: - Key: Application Value: !Ref 'AWS::StackId' InboundHTTPNetworkAclEntry: Type: AWS::EC2::NetworkAclEntry Properties: NetworkAclId: !Ref 'NetworkAcl' RuleNumber: '100' Protocol: '-1' RuleAction: allow Egress: 'false' CidrBlock: 0.0.0.0/0 OutboundHTTPNetworkAclEntry: Type: AWS::EC2::NetworkAclEntry Properties: NetworkAclId: !Ref 'NetworkAcl' RuleNumber: '100' Protocol: '-1' RuleAction: allow Egress: 'true' CidrBlock: 0.0.0.0/0 PublicSecurityVpcSubnetNetworkAclAssociation: Type: AWS::EC2::SubnetNetworkAclAssociation Properties: SubnetId: !Ref 'PublicSecurityVpcSubnet' NetworkAclId: !Ref 'NetworkAcl' PublicSecurityVpcSubnet2NetworkAclAssociation: Type: AWS::EC2::SubnetNetworkAclAssociation Condition: TwoAZs Properties: SubnetId: !Ref 'PublicSecurityVpcSubnet2' NetworkAclId: !Ref 'NetworkAcl' PrivateSecurityVpcSubnetNetworkAclAssociation: Type: AWS::EC2::SubnetNetworkAclAssociation Properties: SubnetId: !Ref 'PrivateSecurityVpcSubnet' NetworkAclId: !Ref 'NetworkAcl' PrivateSecurityVpcSubnet2NetworkAclAssociation: Type: AWS::EC2::SubnetNetworkAclAssociation Condition: TwoAZs Properties: SubnetId: !Ref 'PrivateSecurityVpcSubnet2' NetworkAclId: !Ref 'NetworkAcl' ProtectedSecurityVpcSubnetNetworkAclAssociation: Type: AWS::EC2::SubnetNetworkAclAssociation Properties: SubnetId: !Ref 'ProtectedSecurityVpcSubnet' NetworkAclId: !Ref 'NetworkAcl' ProtectedSecurityVpcSubnet2NetworkAclAssociation: Type: AWS::EC2::SubnetNetworkAclAssociation Condition: TwoAZs Properties: SubnetId: !Ref 'ProtectedSecurityVpcSubnet2' NetworkAclId: !Ref 'NetworkAcl' IPAddress: Type: AWS::EC2::EIP DependsOn: AttachGateway Properties: Domain: vpc IPAddress2: Type: AWS::EC2::EIP Condition: TwoAZs DependsOn: AttachGateway Properties: Domain: vpc NATGateway: Type: AWS::EC2::NatGateway Properties: AllocationId: !GetAtt IPAddress.AllocationId SubnetId: !Ref PublicSecurityVpcSubnet Tags: - Key: Application Value: !Ref 'AWS::StackId' NATGateway2: Type: AWS::EC2::NatGateway Condition: TwoAZs Properties: AllocationId: !GetAtt IPAddress2.AllocationId SubnetId: !Ref PublicSecurityVpcSubnet2 Tags: - Key: Application Value: !Ref 'AWS::StackId' SquidENI: Type: AWS::EC2::NetworkInterface Properties: Description: String GroupSet: - !Ref 'SquidSecurityGroup' SourceDestCheck: false SubnetId: !Ref PrivateSecurityVpcSubnet SquidENI2: Type: AWS::EC2::NetworkInterface Condition: TwoAZs Properties: Description: String GroupSet: - !Ref 'SquidSecurityGroup' SourceDestCheck: false SubnetId: !Ref PrivateSecurityVpcSubnet2 SquidSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: VpcId: !Ref VPC GroupDescription: Enable SSH access via port 22 SecurityGroupIngress: - IpProtocol: tcp FromPort: '22' ToPort: '22' CidrIp: '0.0.0.0/0' - IpProtocol: tcp FromPort: '80' ToPort: '80' CidrIp: 0.0.0.0/0 - IpProtocol: tcp FromPort: '443' ToPort: '443' CidrIp: 0.0.0.0/0 - IpProtocol: -1 FromPort: -1 ToPort: -1 CidrIp: 10.0.0.0/8 Tags: - Key: Application Value: !Ref 'AWS::StackId' - Key: Name Value: !Sub SquidSecurityGroup-${AWS::StackName} SecurityVpcAttachment: Type: "AWS::EC2::TransitGatewayAttachment" Properties: SubnetIds: !If - TwoAZs - - !Ref 'ProtectedSecurityVpcSubnet' - !Ref 'ProtectedSecurityVpcSubnet2' - - !Ref 'ProtectedSecurityVpcSubnet' Tags: - Key: Name Value: !Sub SecurityVpc-${AWS::StackName} TransitGatewayId: !Ref TransitGateway VpcId: !Ref VPC SecurityTransitGatewayRouteTable: Type: "AWS::EC2::TransitGatewayRouteTable" Properties: Tags: - Key: Name Value: !Sub SecurityVpc-${AWS::StackName} TransitGatewayId: !Ref TransitGateway SpokeTransitGatewayRouteTable: Type: "AWS::EC2::TransitGatewayRouteTable" Properties: Tags: - Key: Name Value: !Sub SpokeVpc-${AWS::StackName} TransitGatewayId: !Ref TransitGateway SpokeDefaultTGWRoute: Type: "AWS::EC2::TransitGatewayRoute" Properties: DestinationCidrBlock: 0.0.0.0/0 TransitGatewayAttachmentId: !Ref SecurityVpcAttachment TransitGatewayRouteTableId: !Ref SpokeTransitGatewayRouteTable SecurityTransitGatewayRoutePropagation: Type: "AWS::EC2::TransitGatewayRouteTablePropagation" Properties: TransitGatewayAttachmentId: !Ref SecurityVpcAttachment TransitGatewayRouteTableId: !Ref SecurityTransitGatewayRouteTable SpokeTransitGatewayRoutePropagation: Type: "AWS::EC2::TransitGatewayRouteTablePropagation" Properties: TransitGatewayAttachmentId: !Ref SecurityVpcAttachment TransitGatewayRouteTableId: !Ref SpokeTransitGatewayRouteTable SecurityVpcTgwAssociation: Type: "AWS::EC2::TransitGatewayRouteTableAssociation" Properties: TransitGatewayAttachmentId: !Ref SecurityVpcAttachment TransitGatewayRouteTableId: !Ref SecurityTransitGatewayRouteTable SquidRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: ec2.amazonaws.com Action: sts:AssumeRole ManagedPolicyArns: - arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM SquidProfile: Type: "AWS::IAM::InstanceProfile" Properties: Roles: - !Ref SquidRole SquidRolePolicy: Type: AWS::IAM::ManagedPolicy Properties: PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - ec2:DetachNetworkInterface - ec2:DescribeNetworkInterfaces - ec2:AttachNetworkInterface Resource: - '*' Description: Role for the squid instance Roles: - !Ref 'SquidRole' SquidASG: Type: AWS::AutoScaling::AutoScalingGroup DependsOn: - PrivateSubnetRouteTableAssociation Properties: AutoScalingGroupName: !Sub SquidASG-${AWS::StackName} HealthCheckType: EC2 LaunchConfigurationName: !Ref SquidLC MaxSize: 1 DesiredCapacity: 1 MinSize: 1 Tags: - Key: Application Value: !Ref 'AWS::StackId' PropagateAtLaunch: true - Key: Name Value: !Sub Squid-AZ1-${AWS::StackName} PropagateAtLaunch: true VPCZoneIdentifier: - !Ref PrivateSecurityVpcSubnet SquidASG2: Type: AWS::AutoScaling::AutoScalingGroup Condition: TwoAZs DependsOn: - PrivateSubnetRouteTableAssociation Properties: AutoScalingGroupName: !Sub SquidASG-2-${AWS::StackName} HealthCheckType: EC2 LaunchConfigurationName: !Ref SquidLC MaxSize: 1 DesiredCapacity: 1 MinSize: 1 Tags: - Key: Application Value: !Ref 'AWS::StackId' PropagateAtLaunch: true - Key: Name Value: !Sub Squid-AZ2-${AWS::StackName} PropagateAtLaunch: true VPCZoneIdentifier: - !Ref PrivateSecurityVpcSubnet2 SquidLC: Type: AWS::AutoScaling::LaunchConfiguration Metadata: Comment: Install a transparent squid proxy AWS::CloudFormation::Init: configSets: Install: - Install Install: files: /etc/squid/update-domains.sh: content: | WHITELIST= SSLWHITELIST= for i in ${1//,/ } do SSLWHITELIST+="acl allowed_https_sites ssl::server_name .$i\n" WHITELIST+="acl allowed_http_sites dstdomain .$i\n" done sed -i "s/#acl allowed_http_sites dstdomain DOMAIN/$WHITELIST/" /etc/squid/squid.proxy.conf sed -i "s/#acl allowed_https_sites ssl::server_name DOMAIN/$SSLWHITELIST/" /etc/squid/squid.proxy.conf mode: '000755' owner: root group: root /etc/squid/attach-eni.sh: content: !Sub - | #!/bin/bash NEXT_WAIT_TIME=0 CURR_AZ=$(curl http://169.254.169.254/latest/meta-data/placement/availability-zone) AZ1="${AZ1}" AZ2="${AZ2}" echo "[$AZ1]" echo "[$AZ2]" echo "[$CURR_AZ]" if [ "$CURR_AZ" == "$AZ1" ]; then SQUID_ENI="${SquidENI}" echo "In AZ1...." else SQUID_ENI="${SquidENI2}" echo "In AZ2...." fi echo "[$CURR_AZ]" SQUID_ENI_STATUS=$(aws ec2 describe-network-interfaces --filter Name=network-interface-id,Values=$SQUID_ENI --region ${AWS::Region} --query NetworkInterfaces[0].Status --output text) if [ "$SQUID_ENI_STATUS" == "in-use" ]; then echo "ENI is in use" SQUID_ATTACHMENT_ID=$(aws ec2 describe-network-interfaces --filter Name=network-interface-id,Values=$SQUID_ENI --region ${AWS::Region} --query NetworkInterfaces[0].Attachment.AttachmentId --output text) aws ec2 detach-network-interface --attachment-id $SQUID_ATTACHMENT_ID --region ${AWS::Region} fi until [ "$SQUID_ENI_STATUS" == "available" ] || [ $NEXT_WAIT_TIME -eq 8 ]; do sleep $(( NEXT_WAIT_TIME++ )) SQUID_ENI_STATUS=$(aws ec2 describe-network-interfaces --filter Name=network-interface-id,Values=$SQUID_ENI --region ${AWS::Region} --query NetworkInterfaces[0].Status --output text) done INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id) aws ec2 attach-network-interface --network-interface-id $SQUID_ENI --instance-id $INSTANCE_ID --device-index 1 --region ${AWS::Region} - SquidENI: !Ref SquidENI SquidENI2: !If - TwoAZs - !Ref SquidENI2 - !Ref SquidENI AZ1: Fn::Select: - 0 - Fn::GetAZs: "" AZ2: Fn::Select: - 1 - Fn::GetAZs: "" mode: '000755' owner: root group: root /etc/squid/squid.proxy.conf: content: !Sub | visible_hostname squid #Handling HTTP requests http_port 3129 intercept #acl allowed_http_sites dstdomain DOMAIN http_access allow allowed_http_sites #Handling HTTPS requests https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept acl SSL_port port 443 http_access allow SSL_port #acl allowed_https_sites ssl::server_name DOMAIN acl step1 at_step SslBump1 acl step2 at_step SslBump2 acl step3 at_step SslBump3 ssl_bump peek step1 all ssl_bump peek step2 allowed_https_sites ssl_bump splice step3 allowed_https_sites ssl_bump terminate step2 all http_access deny all mode: '000644' owner: root group: root /etc/cfn/cfn-hup.conf: content: !Sub | [main] stack=${AWS::StackId} region=${AWS::Region} mode: '000400' owner: root group: root /etc/cfn/hooks.d/cfn-auto-reloader.conf: content: !Sub | [cfn-auto-reloader-hook] triggers=post.update path=Resources.SquidLC.Metadata.AWS::CloudFormation::Init action=/opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource SquidASG --region ${AWS::Region} runas=root mode: '000400' owner: root group: root services: sysvinit: cfn-hup: enabled: 'true' ensureRunning: 'true' files: - /etc/cfn/cfn-hup.conf - /etc/cfn/hooks.d/cfn-auto-reloader.conf Properties: ImageId: !FindInMap - RegionMap - !Ref 'AWS::Region' - HVM64 InstanceType: 't2.medium' IamInstanceProfile: !Ref 'SquidProfile' SecurityGroups: - !Ref 'SquidSecurityGroup' UserData: Fn::Base64: !Sub | #!/bin/bash yum update -y yum install -y squid yum install -y aws-cfn-bootstrap echo "Yum Install Complete" /opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --configsets Install --resource SquidLC --region ${AWS::Region} /etc/squid/attach-eni.sh mv /etc/squid/squid.conf /etc/squid/squid.orig.conf DOMAINS="$(echo -e '${Domains}' | tr -d '[:space:]')" /etc/squid/update-domains.sh "$DOMAINS" cat /etc/squid/squid.proxy.conf cp /etc/squid/squid.proxy.conf /etc/squid/squid.conf mkdir /etc/squid/ssl cd /etc/squid/ssl openssl genrsa -out squid.key 2048 openssl req -new -key squid.key -out squid.csr -subj "/C=XX/ST=XX/L=squid/O=squid/CN=squid" openssl x509 -req -days 3650 -in squid.csr -signkey squid.key -out squid.crt cat squid.key squid.crt | tee squid.pem iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3129 iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 3130 service iptables save service squid start # -e $? /opt/aws/bin/cfn-signal --stack ${AWS::StackName} --resource SquidLC --region ${AWS::Region} CreationPolicy: ResourceSignal: Count: 1 Timeout: PT15M Outputs: Name: Value: !Ref AWS::StackName TransitGateway: Value: !Ref TransitGateway Export: Name: !Sub ${AWS::StackName}-TransitGateway ImageId: Value: !FindInMap - RegionMap - !Ref 'AWS::Region' - HVM64 Export: Name: !Sub ${AWS::StackName}-ImageId TgwRouteTable: Value: !Ref SpokeTransitGatewayRouteTable Export: Name: !Sub ${AWS::StackName}-TgwRouteTable TgwSecurityVpcRouteTable: Value: !Ref SecurityTransitGatewayRouteTable Export: Name: !Sub ${AWS::StackName}-TgwSecurityVpcRouteTable SecurityVpc: Value: !Ref VPC Description: The VPC ID for the security VPC. Export: Name: !Sub ${AWS::StackName}-SecurityVpc SecurityPrivateRouteTable: Value: !Ref PrivateRouteTable Export: Name: !Sub ${AWS::StackName}-SecurityPrivateRouteTable SecurityProtectedRouteTable: Value: !Ref SquidRouteTable Export: Name: !Sub ${AWS::StackName}-SecurityProtectedRouteTable SecurityPrivateRouteTable2: Value: !If - TwoAZs - !Ref PrivateRouteTable2 - SingleAZ Export: Name: !Sub ${AWS::StackName}-SecurityPrivateRouteTable2 SecurityProtectedRouteTable2: Value: !If - TwoAZs - !Ref SquidRouteTable2 - SingleAZ Export: Name: !Sub ${AWS::StackName}-SecurityProtectedRouteTable2