Parameters: VpcCidr: Type: String Default: 192.168.1.0/24 Description: CIDR of VPC (must be larger than /28) SubnetCidr: Type: String Default: 192.168.1.0/28 Description: CIDR of Subnet (must be larger than /28 and included in the vpcCidr) AL2AMIID: Type: AWS::SSM::Parameter::Value Default: /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2 Description: SSM Parameter path of the latest Amazon Linux 2 AMI Resources: BLEAFSICdkEnvVpcCAB2A9E0: Type: AWS::EC2::VPC Properties: CidrBlock: Ref: VpcCidr EnableDnsHostnames: true EnableDnsSupport: true InstanceTenancy: default Tags: - Key: Name Value: PrivateCdkEnvStack/BLEAFSICdkEnvVpc BLEAFSICdkEnvVpccdkprivateSubnet1SubnetB9DEBE47: Type: AWS::EC2::Subnet Properties: VpcId: Ref: BLEAFSICdkEnvVpcCAB2A9E0 AvailabilityZone: Fn::Select: - 0 - Fn::GetAZs: '' CidrBlock: Ref: SubnetCidr MapPublicIpOnLaunch: false Tags: - Key: aws-cdk:subnet-name Value: cdk-private - Key: aws-cdk:subnet-type Value: Isolated - Key: Name Value: PrivateCdkEnvStack/BLEAFSICdkEnvVpc/cdk-privateSubnet1 BLEAFSICdkEnvVpccdkprivateSubnet1RouteTableA365EE5E: Type: AWS::EC2::RouteTable Properties: VpcId: Ref: BLEAFSICdkEnvVpcCAB2A9E0 Tags: - Key: Name Value: PrivateCdkEnvStack/BLEAFSICdkEnvVpc/cdk-privateSubnet1 BLEAFSICdkEnvVpccdkprivateSubnet1RouteTableAssociation4484E348: Type: AWS::EC2::SubnetRouteTableAssociation Properties: RouteTableId: Ref: BLEAFSICdkEnvVpccdkprivateSubnet1RouteTableA365EE5E SubnetId: Ref: BLEAFSICdkEnvVpccdkprivateSubnet1SubnetB9DEBE47 BLEAFSICdkEnvVpcSsmEndpointForPrivate42415D22: Type: AWS::EC2::VPCEndpoint Properties: ServiceName: Fn::Join: - '' - - com.amazonaws. - Ref: AWS::Region - .ssm VpcId: Ref: BLEAFSICdkEnvVpcCAB2A9E0 PrivateDnsEnabled: true SecurityGroupIds: - Fn::GetAtt: - BLEAFSIVpcEndpointSg29588707 - GroupId SubnetIds: - Ref: BLEAFSICdkEnvVpccdkprivateSubnet1SubnetB9DEBE47 VpcEndpointType: Interface BLEAFSICdkEnvVpcSsmMessagesEndpointForPrivateCFC2C728: Type: AWS::EC2::VPCEndpoint Properties: ServiceName: Fn::Join: - '' - - com.amazonaws. - Ref: AWS::Region - .ssmmessages VpcId: Ref: BLEAFSICdkEnvVpcCAB2A9E0 PrivateDnsEnabled: true SecurityGroupIds: - Fn::GetAtt: - BLEAFSIVpcEndpointSg29588707 - GroupId SubnetIds: - Ref: BLEAFSICdkEnvVpccdkprivateSubnet1SubnetB9DEBE47 VpcEndpointType: Interface BLEAFSICdkEnvVpcEc2EndpointForPrivate550F8BA3: Type: AWS::EC2::VPCEndpoint Properties: ServiceName: Fn::Join: - '' - - com.amazonaws. - Ref: AWS::Region - .ec2 VpcId: Ref: BLEAFSICdkEnvVpcCAB2A9E0 PrivateDnsEnabled: true SecurityGroupIds: - Fn::GetAtt: - BLEAFSIVpcEndpointSg29588707 - GroupId SubnetIds: - Ref: BLEAFSICdkEnvVpccdkprivateSubnet1SubnetB9DEBE47 VpcEndpointType: Interface BLEAFSICdkEnvVpcEc2MessagesEndpointForPrivateC44CE188: Type: AWS::EC2::VPCEndpoint Properties: ServiceName: Fn::Join: - '' - - com.amazonaws. - Ref: AWS::Region - .ec2messages VpcId: Ref: BLEAFSICdkEnvVpcCAB2A9E0 PrivateDnsEnabled: true SecurityGroupIds: - Fn::GetAtt: - BLEAFSIVpcEndpointSg29588707 - GroupId SubnetIds: - Ref: BLEAFSICdkEnvVpccdkprivateSubnet1SubnetB9DEBE47 VpcEndpointType: Interface BLEAFSICdkEnvVpcCloudformationEndpointForPrivate1964F132: Type: AWS::EC2::VPCEndpoint Properties: ServiceName: Fn::Join: - '' - - com.amazonaws. - Ref: AWS::Region - .cloudformation VpcId: Ref: BLEAFSICdkEnvVpcCAB2A9E0 PrivateDnsEnabled: true SecurityGroupIds: - Fn::GetAtt: - BLEAFSIVpcEndpointSg29588707 - GroupId SubnetIds: - Ref: BLEAFSICdkEnvVpccdkprivateSubnet1SubnetB9DEBE47 VpcEndpointType: Interface BLEAFSICdkEnvVpcSTSEndpointForPrivate228549D1: Type: AWS::EC2::VPCEndpoint Properties: ServiceName: Fn::Join: - '' - - com.amazonaws. - Ref: AWS::Region - .sts VpcId: Ref: BLEAFSICdkEnvVpcCAB2A9E0 PrivateDnsEnabled: true SecurityGroupIds: - Fn::GetAtt: - BLEAFSIVpcEndpointSg29588707 - GroupId SubnetIds: - Ref: BLEAFSICdkEnvVpccdkprivateSubnet1SubnetB9DEBE47 VpcEndpointType: Interface BLEAFSICdkEnvVpcS3EndpointForPrivateF27895DB: Type: AWS::EC2::VPCEndpoint Properties: ServiceName: Fn::Join: - '' - - com.amazonaws. - Ref: AWS::Region - .s3 VpcId: Ref: BLEAFSICdkEnvVpcCAB2A9E0 RouteTableIds: - Ref: BLEAFSICdkEnvVpccdkprivateSubnet1RouteTableA365EE5E VpcEndpointType: Gateway BLEAFSICdkEnvInstanceSg17EEF39A: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: PrivateCdkEnvStack/BLEAFSICdkEnvInstanceSg SecurityGroupEgress: - CidrIp: 0.0.0.0/0 Description: Allow https traffic only FromPort: 443 ToPort: 443 IpProtocol: 'tcp' VpcId: Ref: BLEAFSICdkEnvVpcCAB2A9E0 BLEAFSIVpcEndpointSg29588707: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: PrivateCdkEnvStack/BLEAFSIVpcEndpointSg SecurityGroupEgress: - CidrIp: 0.0.0.0/0 Description: Allow https traffic only FromPort: 443 ToPort: 443 IpProtocol: 'tcp' VpcId: Ref: BLEAFSICdkEnvVpcCAB2A9E0 BLEAFSIVpcEndpointSgfromPrivateCdkEnvStackBLEAFSICdkEnvInstanceSgCA1A5DBD4437ADFDADD: Type: AWS::EC2::SecurityGroupIngress Properties: IpProtocol: tcp Description: VPC Endpoint Access FromPort: 443 ToPort: 443 GroupId: Fn::GetAtt: - BLEAFSIVpcEndpointSg29588707 - GroupId SourceSecurityGroupId: Fn::GetAtt: - BLEAFSICdkEnvInstanceSg17EEF39A - GroupId BLEAFSICdkSharedBucketAccessPolicy52ABA4FE: Type: AWS::IAM::ManagedPolicy Properties: PolicyDocument: Statement: - Action: s3:ListBucket Effect: Allow Resource: arn:aws:s3:::bleafsi-share - Action: s3:GetObject Effect: Allow Resource: arn:aws:s3:::bleafsi-share/* Version: '2012-10-17' Description: '' Path: / BLEAFSICdkExecRole2FD1DD02: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: Service: Fn::Join: - '' - - ec2. - Ref: AWS::URLSuffix Version: '2012-10-17' Description: EC2 instance role for cdk execution ManagedPolicyArns: - Ref: BLEAFSICdkSharedBucketAccessPolicy52ABA4FE - Fn::Join: - '' - - 'arn:' - Ref: AWS::Partition - :iam::aws:policy/AmazonSSMManagedInstanceCore BLEAFSICdkEnvInstanceInstanceProfile9EEF2E01: Type: AWS::IAM::InstanceProfile Properties: Roles: - Fn::Select: - 1 - Fn::Split: - / - Fn::Select: - 5 - Fn::Split: - ':' - Fn::GetAtt: - BLEAFSICdkExecRole2FD1DD02 - Arn BLEAFSICdkEnvInstance72D4CD20: Type: AWS::EC2::Instance CreationPolicy: ResourceSignal: Count: 1 Timeout: PT15M Properties: AvailabilityZone: Fn::Select: - 0 - Fn::GetAZs: '' IamInstanceProfile: Ref: BLEAFSICdkEnvInstanceInstanceProfile9EEF2E01 ImageId: Ref: AL2AMIID InstanceType: t3.medium SecurityGroupIds: - Fn::GetAtt: - BLEAFSICdkEnvInstanceSg17EEF39A - GroupId SubnetId: Ref: BLEAFSICdkEnvVpccdkprivateSubnet1SubnetB9DEBE47 BlockDeviceMappings: - DeviceName: '/dev/xvda' Ebs: VolumeType: 'gp3' VolumeSize: '8' Encrypted: 'true' Tags: - Key: Name Value: PrivateCdkEnvStack/BLEAFSICdkEnvInstance UserData: Fn::Base64: !Sub | #!/bin/bash whoami pwd cd /tmp aws s3api get-object --bucket bleafsi-share --key node-v16.15.0-linux-x64.tar.gz ./node-v16.15.0-linux-x64.tar.gz aws s3api get-object --bucket bleafsi-share --key awscli-exe-linux-x86_64.zip ./awscli-exe-linux-x86_64.zip tar xzvf node-v16.15.0-linux-x64.tar.gz -C /opt/ unzip awscli-exe-linux-x86_64.zip ./aws/install sudo tee /etc/profile.d/nodejs.sh << EOF #!/bin/bash export PATH=/opt/node-v16.15.0-linux-x64/bin:$PATH EOF source /etc/profile yum install git -y yum remove awscli -y aws --version if [[ $? == 0 ]]; then iawscli=true; else iawscli=false; fi npm -v if [[ $? == 0 ]]; then inpm=true; else inpm=false; fi if [[ "$iawscli" == true && "$inpm" == true ]]; then err=0; else err=1; fi /opt/aws/bin/cfn-signal -e $err --stack ${AWS::StackName} \ --resource BLEAFSICdkEnvInstance72D4CD20 --region ${AWS::Region} # VPC Flow Logs VpcFlowLogsE6FFDEF9: Type: AWS::Logs::LogGroup Properties: LogGroupName: /aws/vpc/flowlogs RetentionInDays: 731 UpdateReplacePolicy: Retain DeletionPolicy: Retain BLEAFSICdkEnvs3IAMRole3A51CC7C: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: Service: vpc-flow-logs.amazonaws.com Version: '2012-10-17' BLEAFSICdkEnvs3IAMRoleDefaultPolicyA7072C52: Type: AWS::IAM::Policy Properties: PolicyDocument: Statement: - Action: - logs:CreateLogStream - logs:PutLogEvents - logs:DescribeLogStreams Effect: Allow Resource: Fn::GetAtt: - VpcFlowLogsE6FFDEF9 - Arn - Action: iam:PassRole Effect: Allow Resource: Fn::GetAtt: - BLEAFSICdkEnvs3IAMRole3A51CC7C - Arn Version: '2012-10-17' PolicyName: BLEAFSICdkEnvs3IAMRoleDefaultPolicyA7072C52 Roles: - Ref: BLEAFSICdkEnvs3IAMRole3A51CC7C BLEAFSICdkEnvs3FlowLogCEDD55A6: Type: AWS::EC2::FlowLog Properties: ResourceId: Ref: BLEAFSICdkEnvVpcCAB2A9E0 ResourceType: VPC TrafficType: ALL DeliverLogsPermissionArn: Fn::GetAtt: - BLEAFSICdkEnvs3IAMRole3A51CC7C - Arn LogDestinationType: cloud-watch-logs LogGroupName: Ref: VpcFlowLogsE6FFDEF9 Tags: - Key: Name Value: CREATE-PRIVATE-ENV-ProxyEc2/BLEAFSICdkEnv Outputs: VpcId: Description: VPC ID Value: !Ref BLEAFSICdkEnvVpcCAB2A9E0 Export: Name: 'BLEAFSICDKPrivateEnv-VpcID' SubnetId: Description: Subnet ID Value: !Ref BLEAFSICdkEnvVpccdkprivateSubnet1SubnetB9DEBE47 Export: Name: 'BLEAFSICDKPrivateEnv-SubnetID' VpceSgId: Description: Security Group ID for VPC Endpoint Value: !Ref BLEAFSIVpcEndpointSg29588707 Export: Name: 'BLEAFSICDKPrivateEnv-VpceSgID' EC2RoleId: Description: IAM Role ID for CDK Instance Value: !Ref BLEAFSICdkExecRole2FD1DD02 Export: Name: 'BLEAFSICDKPrivateEnv-EC2RoleID'