# Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved. # Permission is hereby granted, free of charge, to any person obtaining a copy of this # software and associated documentation files (the "Software"), to deal in the Software # without restriction, including without limitation the rights to use, copy, modify, # merge, publish, distribute, sublicense, and/or sell copies of the Software, and to # permit persons to whom the Software is furnished to do so. # # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, # INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A # PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT # HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION # OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE # SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. AWSTemplateFormatVersion: 2010-09-09 Description: >- This template creates a Multi-AZ (two Availability Zones), multi-subnet VPC infrastructure and associates one Non RFC 1918 CIDR Block to the newly created VPC. **WARNING** This template creates AWS resources You will be billed for the AWS resources used if you create a stack from this template. Metadata: 'AWS::CloudFormation::Interface': ParameterGroups: - Label: default: Availability Zone Configuration # Specify the Availability Zones and how many should be used for the subnets Parameters: - AvailabilityZones - Label: default: Network Configuration # Specify VPC, Public, Private and Partner Subnets Parameters: - VPCCIDR - Environment - AvailabilityZones - PublicSubnet1ACIDR - PublicSubnet2ACIDR - PrivateSubnet2Z1CIDR - PrivateSubnet2Z2CIDR # Parameter Labels ParameterLabels: AvailabilityZones: default: Availability Zones PrivateSubnet2Z1CIDR: default: Private subnet 1 AZ 1 CIDR PrivateSubnet2Z2CIDR: default: Private subnet 2 AZ 2 CIDR PublicSubnet1ACIDR: default: Public subnet 1A CIDR PublicSubnet2ACIDR: default: Public subnet 2A CIDR Environment: default: Environment for the VPC VPCCIDR: default: VPC CIDR AmiId: default: AMI ID pointer in AWS Systems Manager Parameter Store InstanceType: default: Instance type to use to launch the Squid instances WhitelistDomains: default: List of whitelisted domains separated by a comma # This section outlines the allowed, default and types of values for each parameter. Parameters: AvailabilityZones: Description: >- Please specify two (2) or three (3 -optional) Availability Zones which will be used by the subnets in the VPC. Note: The logical order is preserved. Type: 'List' Default: us-east-1a,us-east-1c # The allowed list of environments that can be associated with the VPC creation Environment: Description: >- Set environment in which the VPC will be created. Type: String PrivateSubnet2Z1CIDR: AllowedPattern: >- ^(\d{1,2})?\.(\d{1,3})?\.(\d{1,3})?\.(\d{1,3})?\/(\d{1,3}|\d{1,3})?$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/xx Default: 10.0.10.0/25 Description: CIDR block for Private subnet 1 AZ 1 located in Availability Zone 1 Type: String PrivateSubnet2Z2CIDR: AllowedPattern: >- ^(\d{1,2})?\.(\d{1,3})?\.(\d{1,3})?\.(\d{1,3})?\/(\d{1,3}|\d{1,3})?$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/xx Default: 10.0.32.0/24 Description: CIDR block for Private subnet 2 AZ 2 located in Availability Zone 2 Type: String PublicSubnet1ACIDR: AllowedPattern: >- ^(\d{1,2})?\.(\d{1,3})?\.(\d{1,3})?\.(\d{1,3})?\/(\d{1,3}|\d{1,3})?$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/xx Default: 10.0.128.0/25 Description: CIDR block for the public DMZ subnet 1A located in Availability Zone 1 Type: String PublicSubnet2ACIDR: AllowedPattern: >- ^(\d{1,2})?\.(\d{1,3})?\.(\d{1,3})?\.(\d{1,3})?\/(\d{1,3}|\d{1,3})?$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/xx Default: 10.0.144.0/25 Description: CIDR block for the public DMZ subnet 2A located in Availability Zone 2 Type: String VPCCIDR: AllowedPattern: >- ^(\d{1,2})?\.(\d{1,3})?\.(\d{1,3})?\.(\d{1,3})?\/(\d{1,3}|\d{1,3})?$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/xx Description: CIDR block for the VPC Type: String # This section outlines the AWS resources that will be created as a result of running # this CloudFormation stack. Resources: # VPC VPC: Type: 'AWS::EC2::VPC' Properties: CidrBlock: !Ref VPCCIDR EnableDnsSupport: 'true' EnableDnsHostnames: 'true' Tags: - Key: Name Value: !Join [ "-", [ !Ref Environment, !Ref 'AWS::Region' ] ] # Internet Gateway InternetGateway: Type: 'AWS::EC2::InternetGateway' Properties: Tags: - Key: Name Value: !Join [ "-", [ !Ref Environment, igw ] ] - Key: Network Value: Public # Virtual Private Gateway VPCGWGatewayAttachment: Type: AWS::EC2::VPCGatewayAttachment Properties: VpcId: !Ref VPC InternetGatewayId: !Ref InternetGateway NAT: Type: AWS::EC2::NatGateway Properties: AllocationId: !GetAtt EIP.AllocationId SubnetId: Ref: PublicSubnet1A EIP: Type: AWS::EC2::EIP Properties: Domain: vpc Route: Type: AWS::EC2::Route Properties: RouteTableId: !Ref PrivateSubnetRouteTable1 DestinationCidrBlock: 0.0.0.0/0 NatGatewayId: Ref: NAT # All the subnet resources DependsOn the Non RFC 1918 VPC CIDR Block to be created. # This avoids the race/synchronization situation where the creation of # any subnet requiring that resource does not occur before that resource is created. PublicSubnet1A: Type: 'AWS::EC2::Subnet' DependsOn: - VPC Properties: VpcId: !Ref VPC CidrBlock: !Ref PublicSubnet1ACIDR AvailabilityZone: !Select - '0' - !Ref AvailabilityZones Tags: - Key: Name Value: !Join [ "-", [ !Ref Environment, public, subnet1 ] ] - Key: Network Value: Public MapPublicIpOnLaunch: true PublicSubnet2A: Type: 'AWS::EC2::Subnet' DependsOn: - VPC Properties: VpcId: !Ref VPC CidrBlock: !Ref PublicSubnet2ACIDR AvailabilityZone: !Select - '1' - !Ref AvailabilityZones Tags: - Key: Name Value: !Join [ "-", [ !Ref Environment, public, subnet2 ] ] - Key: Network Value: Public MapPublicIpOnLaunch: true PrivateSubnet2Z1: Type: 'AWS::EC2::Subnet' DependsOn: - VPC Properties: VpcId: !Ref VPC CidrBlock: !Ref PrivateSubnet2Z1CIDR AvailabilityZone: !Select - '0' - !Ref AvailabilityZones Tags: - Key: Name Value: !Join [ "-", [ !Ref Environment, private, subnet1 ] ] - Key: Network Value: Private PrivateSubnet2Z2: Type: 'AWS::EC2::Subnet' DependsOn: - VPC Properties: VpcId: !Ref VPC CidrBlock: !Ref PrivateSubnet2Z2CIDR AvailabilityZone: !Select - '1' - !Ref AvailabilityZones Tags: - Key: Name Value: !Join [ "-", [ !Ref Environment, private, subnet2 ] ] - Key: Network Value: Private PrivateSubnetRouteTable1: Type: 'AWS::EC2::RouteTable' Properties: VpcId: !Ref VPC Tags: - Key: Name Value: !Join [ "-", [ !Ref Environment, private, routetable ] ] - Key: Network Value: Private PrivateSubnet2Z1RouteTableAssociation: Type: 'AWS::EC2::SubnetRouteTableAssociation' Properties: SubnetId: !Ref PrivateSubnet2Z1 RouteTableId: !Ref PrivateSubnetRouteTable1 PrivateSubnet2Z2RouteTableAssociation: Type: 'AWS::EC2::SubnetRouteTableAssociation' Properties: SubnetId: !Ref PrivateSubnet2Z2 RouteTableId: !Ref PrivateSubnetRouteTable1 PublicSubnetRouteTable1: Type: 'AWS::EC2::RouteTable' Properties: VpcId: !Ref VPC Tags: - Key: Name Value: !Join [ "-", [ !Ref Environment, public, routetable ] ] - Key: Network Value: Public PublicSubnetRoute1: DependsOn: VPCGWGatewayAttachment Type: 'AWS::EC2::Route' Properties: RouteTableId: !Ref PublicSubnetRouteTable1 DestinationCidrBlock: 0.0.0.0/0 GatewayId: !Ref InternetGateway PublicSubnet1ARouteTableAssociation: Type: 'AWS::EC2::SubnetRouteTableAssociation' Properties: SubnetId: !Ref PublicSubnet1A RouteTableId: !Ref PublicSubnetRouteTable1 PublicSubnet2ARouteTableAssociation: Type: 'AWS::EC2::SubnetRouteTableAssociation' Properties: SubnetId: !Ref PublicSubnet2A RouteTableId: !Ref PublicSubnetRouteTable1 # Security Groups PublicSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Security Group for Public Instances VpcId: !Ref VPC Tags: - Key: Name Value: !Join [ "-", [ sample, !Ref Environment, public, sg ] ] PrivateSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Security Group for Private Instances VpcId: !Ref VPC Tags: - Key: Name Value: !Join [ "-", [ sample, !Ref Environment, private, sg ] ] # Network Access Lists PublicNetworkAcl: Type: AWS::EC2::NetworkAcl Properties: VpcId: !Ref VPC Tags: - Key: Name Value: !Join [ "-", [ !Ref Environment, public, nacl ] ] PublicNetworkAclIngressEntry: Type: AWS::EC2::NetworkAclEntry Properties: NetworkAclId: Ref: PublicNetworkAcl RuleNumber: '100' Protocol: "-1" RuleAction: allow CidrBlock: 0.0.0.0/0 PublicNetworkAclEgressEntry: Type: AWS::EC2::NetworkAclEntry Properties: NetworkAclId: Ref: PublicNetworkAcl RuleNumber: '100' Protocol: "-1" RuleAction: allow Egress: 'true' CidrBlock: 0.0.0.0/0 PublicSubnet1ANACLAssociation: Type: 'AWS::EC2::SubnetNetworkAclAssociation' Properties: SubnetId: !Ref PublicSubnet1A NetworkAclId: !Ref PublicNetworkAcl PublicSubnet2ANACLAssociation: Type: 'AWS::EC2::SubnetNetworkAclAssociation' Properties: SubnetId: !Ref PublicSubnet2A NetworkAclId: !Ref PublicNetworkAcl PrivateNetworkAcl: Type: AWS::EC2::NetworkAcl Properties: VpcId: !Ref VPC Tags: - Key: Name Value: !Join [ "-", [ !Ref Environment, private, nacl ] ] PrivateNetworkAclIngressEntry: Type: AWS::EC2::NetworkAclEntry Properties: NetworkAclId: Ref: PrivateNetworkAcl RuleNumber: '100' Protocol: "-1" RuleAction: allow CidrBlock: 0.0.0.0/0 PrivateNetworkAclEgressEntry: Type: AWS::EC2::NetworkAclEntry Properties: NetworkAclId: Ref: PrivateNetworkAcl RuleNumber: '100' Protocol: "-1" RuleAction: allow Egress: 'true' CidrBlock: 0.0.0.0/0 PrivateSubnet2Z1NACLAssociation: Type: 'AWS::EC2::SubnetNetworkAclAssociation' Properties: SubnetId: !Ref PrivateSubnet2Z1 NetworkAclId: !Ref PrivateNetworkAcl PrivateSubnet2Z2NACLAssociation: Type: 'AWS::EC2::SubnetNetworkAclAssociation' Properties: SubnetId: !Ref PrivateSubnet2Z2 NetworkAclId: !Ref PrivateNetworkAcl # This represents the outputs from from running the CloudFormation stack which typically # corresponds to the AWS resources being consumed. Outputs: PrivateSubnet2Z1CIDR: Description: Private subnet 1 AZ 1 CIDR in Availability Zone 1 Value: !Ref PrivateSubnet2Z1CIDR Export: Name: !Sub '${AWS::StackName}-PrivateSubnet2Z1CIDR' PrivateSubnet2Z1ID: Description: Private subnet 1 AZ 1 ID in Availability Zone 1 Value: !Ref PrivateSubnet2Z1 Export: Name: !Sub '${AWS::StackName}-PrivateSubnet2Z1ID' PrivateSubnet2Z1CIDR: Description: Private subnet 1 AZ 1 CIDR in Availability Zone 1 Value: !Ref PrivateSubnet2Z1CIDR Export: Name: !Sub '${AWS::StackName}-PrivateSubnet2Z1CIDR' PrivateSubnet2Z1ID: Description: Private subnet 1 AZ 1 ID in Availability Zone 1 Value: !Ref PrivateSubnet2Z1 Export: Name: !Sub '${AWS::StackName}-PrivateSubnet2Z1ID' PrivateSubnet2Z2CIDR: Description: Private subnet 1 AZ 1 CIDR in Availability Zone 1 Value: !Ref PrivateSubnet2Z2CIDR Export: Name: !Sub '${AWS::StackName}-PrivateSubnet2Z2CIDR' PrivateSubnet2Z2ID: Description: Private subnet 2 AZ 2 ID in Availability Zone 2 Value: !Ref PrivateSubnet2Z2 Export: Name: !Sub '${AWS::StackName}-PrivateSubnet2Z2ID' PublicSubnet1ACIDR: Description: Public subnet 1A CIDR in Availability Zone 1 Value: !Ref PublicSubnet1ACIDR Export: Name: !Sub '${AWS::StackName}-PublicSubnet1ACIDR' PublicSubnet1AID: Description: Public subnet 1A ID in Availability Zone 1 Value: !Ref PublicSubnet1A Export: Name: !Sub '${AWS::StackName}-PublicSubnet1AID' PublicSubnet2ACIDR: Description: Public subnet 2A CIDR in Availability Zone 2 Value: !Ref PublicSubnet2ACIDR Export: Name: !Sub '${AWS::StackName}-PublicSubnet2ACIDR' PublicSubnet2AID: Description: Public subnet 2A ID in Availability Zone 2 Value: !Ref PublicSubnet2A Export: Name: !Sub '${AWS::StackName}-PublicSubnet2AID' PrivateSubnetRouteTable1: Value: !Ref PrivateSubnetRouteTable1 Description: Private subnet route table Export: Name: !Sub '${AWS::StackName}-PrivateSubnetRouteTable1' PublicSubnetRouteTable1: Value: !Ref PublicSubnetRouteTable1 Description: Public subnet route table Export: Name: !Sub '${AWS::StackName}-PublicSubnetRouteTable1' VPCCIDR: Value: !Ref VPCCIDR Description: VPC CIDR Export: Name: !Sub '${AWS::StackName}-VPCCIDR' VPCID: Value: !Ref VPC Description: VPC ID Export: Name: !Sub '${AWS::StackName}-VPCID'