AWSTemplateFormatVersion: "2010-09-09"
Description: This AWS CloudFormation Template creates the necessary resources for the data protection workshops
Parameters:
ResourceName:
Type: String
Default: builders
Description: Prefix for resources created in this session.
InstanceType:
Type: String
Default: t2.medium
AllowedValues:
- t2.small
- t2.medium
- t3.small
- t3.medium
Description: Pick an instance type for the Cloud9 environment
# This IAM user will be used for all login and development
Resources:
SystemVPC:
Type: AWS::EC2::VPC
Properties:
CidrBlock: 10.0.0.0/16
EnableDnsHostnames: true
EnableDnsSupport: true
Tags:
- Key: workshop
Value: iot-usecase
InternetGateway:
Type: AWS::EC2::InternetGateway
Properties:
Tags:
- Key: Name
Value: iot-usecase
GatewayAttachment:
Type: AWS::EC2::VPCGatewayAttachment
Properties:
InternetGatewayId:
Ref: InternetGateway
VpcId: !Ref SystemVPC
RouteTable:
DependsOn:
- SystemVPC
Type: AWS::EC2::RouteTable
Properties:
Tags:
- Key: Name
Value: iot-usecase
VpcId: !Ref SystemVPC
PublicRoute:
DependsOn:
- RouteTable
- GatewayAttachment
Type: AWS::EC2::Route
Properties:
DestinationCidrBlock: 0.0.0.0/0
GatewayId: !Ref InternetGateway
RouteTableId: !Ref RouteTable
Subnet:
Type: AWS::EC2::Subnet
Properties:
CidrBlock: 10.0.0.0/24
MapPublicIpOnLaunch: true
Tags:
- Key: Name
Value: iot-usecase
VpcId: !Ref SystemVPC
AvailabilityZone:
Fn::Select:
- 0
- Fn::GetAZs: ""
SubnetAssoc:
DependsOn:
- Subnet
- RouteTable
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId: !Ref RouteTable
SubnetId: !Ref Subnet
# SubnetTwo:
# Type: AWS::EC2::Subnet
# Properties:
# CidrBlock: 10.0.128.0/24
# MapPublicIpOnLaunch: true
# Tags:
# - Key: Name
# Value: iot-usecase
# VpcId: !Ref SystemVPC
# AvailabilityZone:
# Fn::Select:
# - 1
# - Fn::GetAZs: ""
# SubnetTwoAssoc:
# DependsOn:
# - SubnetTwo
# - RouteTable
# Type: AWS::EC2::SubnetRouteTableAssociation
# Properties:
# RouteTableId: !Ref RouteTable
# SubnetId: !Ref SubnetTwo
PublicNACL:
Type: AWS::EC2::NetworkAcl
Properties:
VpcId: !Ref SystemVPC
Tags:
-
Key: Network
Value: Public
InboundPublicNACLEntry:
Type: AWS::EC2::NetworkAclEntry
Properties:
NetworkAclId: !Ref PublicNACL
RuleNumber: 100
Protocol: -1
RuleAction: allow
Egress: false
CidrBlock: '0.0.0.0/0'
PortRange:
From: 0
To: 65535
OutboundPublicNACLEntry:
Type: AWS::EC2::NetworkAclEntry
Properties:
NetworkAclId: !Ref PublicNACL
RuleNumber: 100
Protocol: -1
RuleAction: allow
Egress: true
CidrBlock: 0.0.0.0/0
PortRange:
From: 0
To: 65535
SubnetNACLAssociation:
Type: AWS::EC2::SubnetNetworkAclAssociation
Properties:
SubnetId: !Ref Subnet
NetworkAclId: !Ref PublicNACL
# SubnetTwoNACLAssociation:
# Type: AWS::EC2::SubnetNetworkAclAssociation
# Properties:
# SubnetId: !Ref SubnetTwo
# NetworkAclId: !Ref PublicNACL
cryptocloud9env:
Type : AWS::Cloud9::EnvironmentEC2
Properties:
# OwnerArn for event engine module
# OwnerArn: !Sub 'arn:aws:sts::${AWS::AccountId}:assumed-role/TeamRole/MasterKey'
# OwnerArn for testing in AWS account
# OwnerArn: !Sub 'arn:aws:sts::${AWS::AccountId}:user/eventengine'
Description: "IOT usecase Cloud9 environment"
AutomaticStopTimeMinutes: 60
InstanceType: !Ref InstanceType
Name: "IOT usecase environment"
SubnetId: !Ref Subnet
Repositories:
- PathComponent: /data-protection
RepositoryUrl: https://github.com/aws-samples/data-protection
# We will use admin privileges for now and make it least privilege as we learn
cryptocloudninerole:
Type : AWS::IAM::Role
Properties:
RoleName: 'iotbuildercloudninerole'
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Principal:
Service:
- "ec2.amazonaws.com"
- "cloud9.amazonaws.com"
Action:
- "sts:AssumeRole"
# Policy for a user trying out modules on a Cloud9 environment
cryptocloudninepolicy:
Type : AWS::IAM::Policy
Properties:
PolicyName : 'iotbuilder-cloudnine-policy'
PolicyDocument :
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Action: "*"
Resource: "*"
Roles:
- !Ref cryptocloudninerole
S3Bucket:
DeletionPolicy: Delete
Type: 'AWS::S3::Bucket'
Properties:
BucketName:
!Join
- "-"
- - "certificate-holder"
- !Ref "AWS::AccountId"
# # Create the lambda function used for the origin behind the ALB
# LambdaOrigin:
# Type : AWS::Lambda::Function
# Properties:
# FunctionName: 'builders-lambda-origin-one'
# Handler: "index.lambda_handler"
# Role: !GetAtt LambdaOriginRole.Arn
# Runtime: 'python2.7'
# Tags:
# - Key: workshop
# Value: acm-private-ca
# Code:
# ZipFile: |
# from __future__ import print_function
# # This is the lambda origin behing the application load balancer
# def lambda_handler(event, context):
# response = {
# "statusCode": 200,
# "statusDescription": "200 OK",
# "isBase64Encoded": False,
# "headers": {
# "Content-Type": "text/html; charset=utf-8"
# }
# }
# response['body'] = """
#
# Hello World!
#
#
#
# Hello World!
#
# """
# return response
# # We will use admin privileges for now and make it least privilege as we learn
# LambdaOriginRole:
# Type : AWS::IAM::Role
# Properties:
# RoleName: 'acmcalblambdaoriginrole'
# AssumeRolePolicyDocument:
# Version: "2012-10-17"
# Statement:
# -
# Effect: "Allow"
# Principal:
# Service:
# - "lambda.amazonaws.com"
# Action:
# - "sts:AssumeRole"
# # We will use admin privileges for now and make it least privilege as we learn
# LambdaOriginPolicy:
# Type : AWS::IAM::Policy
# Properties:
# PolicyName : 'acm-alb-lambdaorigin-policy'
# PolicyDocument :
# Version: "2012-10-17"
# Statement:
# -
# Effect: "Allow"
# Action: "*"
# Resource: "*"
# Roles:
# - !Ref LambdaOriginRole
# ALBSecurityGroup:
# Type: 'AWS::EC2::SecurityGroup'
# Properties:
# GroupDescription: 'ALB Security Group'
# VpcId: !Ref SystemVPC
# SecurityGroupIngress:
# - IpProtocol: tcp
# ToPort: 443
# FromPort: 443
# CidrIp: 0.0.0.0/0
# # Creating a ALB in CF - Target group and listener will be createdin Boto
# ApplicationLoadBalancer:
# Type: 'AWS::ElasticLoadBalancingV2::LoadBalancer'
# Properties:
# Scheme: internet-facing
# "Name" : "acm-pca-usecase-7-alb"
# SecurityGroups:
# - !Ref ALBSecurityGroup
# - !GetAtt SystemVPC.DefaultSecurityGroup
# Subnets:
# - Ref: Subnet
# - Ref: SubnetTwo
# Tags:
# - Key: workshop
# Value: acm-private-ca