AWSTemplateFormatVersion: "2010-09-09"
Description: This AWS CloudFormation Template creates the necessary resources for the data protection workshops
Parameters:
ResourceName:
Type: String
Default: builders
Description: Prefix for resources created in this session.
InstanceType:
Type: String
Default: t2.medium
AllowedValues:
- t2.small
- t2.medium
- t3.small
- t3.medium
Description: Pick an instance type for the Cloud9 environment
# This IAM user will be used for all login and development
Resources:
SystemVPC:
Type: AWS::EC2::VPC
Properties:
CidrBlock: 10.0.0.0/16
EnableDnsHostnames: true
EnableDnsSupport: true
Tags:
- Key: workshop
Value: acm-private-ca
InternetGateway:
Type: AWS::EC2::InternetGateway
Properties:
Tags:
- Key: Name
Value: acm-private-ca
GatewayAttachment:
Type: AWS::EC2::VPCGatewayAttachment
Properties:
InternetGatewayId:
Ref: InternetGateway
VpcId: !Ref SystemVPC
RouteTable:
DependsOn:
- SystemVPC
Type: AWS::EC2::RouteTable
Properties:
Tags:
- Key: Name
Value: acm-private-ca
VpcId: !Ref SystemVPC
PublicRoute:
DependsOn:
- RouteTable
- GatewayAttachment
Type: AWS::EC2::Route
Properties:
DestinationCidrBlock: 0.0.0.0/0
GatewayId: !Ref InternetGateway
RouteTableId: !Ref RouteTable
Subnet:
Type: AWS::EC2::Subnet
Properties:
CidrBlock: 10.0.0.0/24
MapPublicIpOnLaunch: true
Tags:
- Key: Name
Value: acm-private-ca
VpcId: !Ref SystemVPC
AvailabilityZone:
Fn::Select:
- 0
- Fn::GetAZs: ""
SubnetAssoc:
DependsOn:
- Subnet
- RouteTable
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId: !Ref RouteTable
SubnetId: !Ref Subnet
SubnetTwo:
Type: AWS::EC2::Subnet
Properties:
CidrBlock: 10.0.128.0/24
MapPublicIpOnLaunch: true
Tags:
- Key: Name
Value: acm-private-ca
VpcId: !Ref SystemVPC
AvailabilityZone:
Fn::Select:
- 1
- Fn::GetAZs: ""
SubnetTwoAssoc:
DependsOn:
- SubnetTwo
- RouteTable
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId: !Ref RouteTable
SubnetId: !Ref SubnetTwo
PublicNACL:
Type: AWS::EC2::NetworkAcl
Properties:
VpcId: !Ref SystemVPC
Tags:
-
Key: Network
Value: Public
InboundPublicNACLEntry:
Type: AWS::EC2::NetworkAclEntry
Properties:
NetworkAclId: !Ref PublicNACL
RuleNumber: 100
Protocol: -1
RuleAction: allow
Egress: false
CidrBlock: '0.0.0.0/0'
PortRange:
From: 0
To: 65535
OutboundPublicNACLEntry:
Type: AWS::EC2::NetworkAclEntry
Properties:
NetworkAclId: !Ref PublicNACL
RuleNumber: 100
Protocol: -1
RuleAction: allow
Egress: true
CidrBlock: 0.0.0.0/0
PortRange:
From: 0
To: 65535
SubnetNACLAssociation:
Type: AWS::EC2::SubnetNetworkAclAssociation
Properties:
SubnetId: !Ref Subnet
NetworkAclId: !Ref PublicNACL
SubnetTwoNACLAssociation:
Type: AWS::EC2::SubnetNetworkAclAssociation
Properties:
SubnetId: !Ref SubnetTwo
NetworkAclId: !Ref PublicNACL
cryptocloud9env:
Type : AWS::Cloud9::EnvironmentEC2
Properties:
# OwnerArn for event engine module
# OwnerArn: !Sub 'arn:aws:sts::${AWS::AccountId}:assumed-role/TeamRole/MasterKey'
# OwnerArn for testing in AWS account
# OwnerArn: !Sub 'arn:aws:sts::${AWS::AccountId}:user/eventengine'
Description: "Cloud9 environment for the crypto builders python modules"
AutomaticStopTimeMinutes: 60
InstanceType: !Ref InstanceType
Name: "workshop-environment"
SubnetId: !Ref Subnet
Repositories:
- PathComponent: /data-protection
RepositoryUrl: https://github.com/aws-samples/data-protection
# We will use admin privileges for now and make it least privilege as we learn
cryptocloudninerole:
Type : AWS::IAM::Role
Properties:
RoleName: 'cryptobuildercloudninerole'
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Principal:
Service:
- "ec2.amazonaws.com"
- "cloud9.amazonaws.com"
Action:
- "sts:AssumeRole"
# Policy for a user trying out modules on a Cloud9 environment
cryptocloudninepolicy:
Type : AWS::IAM::Policy
Properties:
PolicyName : 'cryptobuilder-cloudnine-policy'
PolicyDocument :
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Action: "*"
Resource: "*"
Roles:
- !Ref cryptocloudninerole
# Create the lambda function used for the origin behind the ALB
LambdaOrigin:
Type : AWS::Lambda::Function
Properties:
FunctionName: 'builders-lambda-origin-one'
Handler: "index.lambda_handler"
Role: !GetAtt LambdaOriginRole.Arn
Runtime: 'python2.7'
Tags:
- Key: workshop
Value: acm-private-ca
Code:
ZipFile: |
from __future__ import print_function
# This is the lambda origin behing the application load balancer
def lambda_handler(event, context):
response = {
"statusCode": 200,
"statusDescription": "200 OK",
"isBase64Encoded": False,
"headers": {
"Content-Type": "text/html; charset=utf-8"
}
}
response['body'] = """
Hello World!
Hello World!
"""
return response
# We will use admin privileges for now and make it least privilege as we learn
LambdaOriginRole:
Type : AWS::IAM::Role
Properties:
RoleName: 'acmcalblambdaoriginrole'
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Principal:
Service:
- "lambda.amazonaws.com"
Action:
- "sts:AssumeRole"
# We will use admin privileges for now and make it least privilege as we learn
LambdaOriginPolicy:
Type : AWS::IAM::Policy
Properties:
PolicyName : 'acm-alb-lambdaorigin-policy'
PolicyDocument :
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Action: "*"
Resource: "*"
Roles:
- !Ref LambdaOriginRole
ALBSecurityGroup:
Type: 'AWS::EC2::SecurityGroup'
Properties:
GroupDescription: 'ALB Security Group'
VpcId: !Ref SystemVPC
SecurityGroupIngress:
- IpProtocol: tcp
ToPort: 443
FromPort: 443
CidrIp: 0.0.0.0/0
# Creating a ALB in CF - Target group and listener will be createdin Boto
ApplicationLoadBalancer:
Type: 'AWS::ElasticLoadBalancingV2::LoadBalancer'
Properties:
Scheme: internet-facing
"Name" : "acm-pca-usecase-7-alb"
SecurityGroups:
- !Ref ALBSecurityGroup
- !GetAtt SystemVPC.DefaultSecurityGroup
Subnets:
- Ref: Subnet
- Ref: SubnetTwo
Tags:
- Key: workshop
Value: acm-private-ca