Description: > This template deploys a VPC, with a pair of public and private subnets spread across two Availability Zones. It deploys an internet gateway, with a default route on the public subnets. It deploys a pair of NAT gateways (one in each AZ), and default routes for them in the private subnets. Please note, you will be billed for the AWS resources used if you create a stack from this template. Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: MIT-0 Parameters: EnvironmentName: Description: An environment name that is prefixed to resource names Type: String Default: devsecops-cicd VpcCIDR: Description: Please enter the IP range (CIDR notation) for this VPC Type: String Default: 10.192.0.0/16 PublicSubnet1CIDR: Description: Please enter the IP range (CIDR notation) for the public subnet in the first Availability Zone Type: String Default: 10.192.10.0/24 PublicSubnet2CIDR: Description: Please enter the IP range (CIDR notation) for the public subnet in the second Availability Zone Type: String Default: 10.192.11.0/24 AppSubnet1CIDR: Description: Please enter the IP range (CIDR notation) for the private subnet in the first Availability Zone Type: String Default: 10.192.20.0/24 EBInstanceType: Type: String Description: "Specify instance type" Default: t2.small S3BucketName: Type: String Description: "Bucket Name for configuration for ElasticBeanStalk application" Default: dsop-bucket-1234567890 EBSolutionStack: Type: String Description: "Elastic Beanstalk solution stack name" Default: "64bit Amazon Linux 2 v3.2.5 running Corretto 11" Resources: EBServiceRole: Type: 'AWS::IAM::Role' Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: - elasticbeanstalk.amazonaws.com Action: - 'sts:AssumeRole' Condition: StringEquals: 'sts:ExternalId': 'elasticbeanstalk' Path: / ManagedPolicyArns: - arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkEnhancedHealth - arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkService RoleName: !Sub 'eb-service-role-${AWS::StackName}' EBEC2Role: Type: 'AWS::IAM::Role' Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: - ec2.amazonaws.com Action: - 'sts:AssumeRole' Path: / ManagedPolicyArns: - arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier - arn:aws:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker - arn:aws:iam::aws:policy/AWSElasticBeanstalkWorkerTier RoleName: !Sub 'eb-ec2-role-${AWS::StackName}' EBEC2InstanceProfile: Type: "AWS::IAM::InstanceProfile" Properties: Path: "/" Roles: - Ref: "EBEC2Role" #### VPC creation. subnets, NAT's, internetgateway, Route tables, security groups VPC: Type: AWS::EC2::VPC Properties: CidrBlock: !Ref VpcCIDR EnableDnsSupport: true EnableDnsHostnames: true Tags: - Key: Name Value: !Ref EnvironmentName InternetGateway: Type: AWS::EC2::InternetGateway Properties: Tags: - Key: Name Value: !Ref EnvironmentName InternetGatewayAttachment: Type: AWS::EC2::VPCGatewayAttachment Properties: InternetGatewayId: !Ref InternetGateway VpcId: !Ref VPC PublicSubnet1: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC AvailabilityZone: !Select [ 0, !GetAZs '' ] CidrBlock: !Ref PublicSubnet1CIDR MapPublicIpOnLaunch: true Tags: - Key: Name Value: !Sub ${EnvironmentName} Public Subnet (AZ1) PublicSubnet2: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC AvailabilityZone: !Select [ 1, !GetAZs '' ] CidrBlock: !Ref PublicSubnet2CIDR MapPublicIpOnLaunch: true Tags: - Key: Name Value: !Sub ${EnvironmentName} Public Subnet (AZ2) AppSubnet1: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC AvailabilityZone: !Select [ 0, !GetAZs '' ] CidrBlock: !Ref AppSubnet1CIDR MapPublicIpOnLaunch: false Tags: - Key: Name Value: !Sub ${EnvironmentName} App Subnet (AZ1) NatGateway1EIP: Type: AWS::EC2::EIP DependsOn: InternetGatewayAttachment Properties: Domain: vpc NatGateway1: Type: AWS::EC2::NatGateway Properties: AllocationId: !GetAtt NatGateway1EIP.AllocationId SubnetId: !Ref PublicSubnet1 NatGateway2EIP: Type: AWS::EC2::EIP DependsOn: InternetGatewayAttachment Properties: Domain: vpc NatGateway2: Type: AWS::EC2::NatGateway Properties: AllocationId: !GetAtt NatGateway2EIP.AllocationId SubnetId: !Ref PublicSubnet2 PublicRouteTable: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref VPC Tags: - Key: Name Value: !Sub ${EnvironmentName} Public Routes DefaultPublicRoute: Type: AWS::EC2::Route DependsOn: InternetGatewayAttachment Properties: RouteTableId: !Ref PublicRouteTable DestinationCidrBlock: 0.0.0.0/0 GatewayId: !Ref InternetGateway PublicSubnet1RouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: RouteTableId: !Ref PublicRouteTable SubnetId: !Ref PublicSubnet1 PublicSubnet2RouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: RouteTableId: !Ref PublicRouteTable SubnetId: !Ref PublicSubnet2 ###App subnet Natgateway and Route Table association PrivateRouteTable1: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref VPC Tags: - Key: Name Value: !Sub ${EnvironmentName} Private Routes (AZ1) DefaultPrivateRoute1: Type: AWS::EC2::Route Properties: RouteTableId: !Ref PrivateRouteTable1 DestinationCidrBlock: 0.0.0.0/0 NatGatewayId: !Ref NatGateway1 AppSubnet1RouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: RouteTableId: !Ref PrivateRouteTable1 SubnetId: !Ref AppSubnet1 ##Security groups ELBSecurityGroup: Type: 'AWS::EC2::SecurityGroup' Properties: GroupDescription: Open loadbalancer for access SecurityGroupIngress: - IpProtocol: tcp Description: allow port 80 access FromPort: 80 ToPort: 80 CidrIp: 0.0.0.0/0 - IpProtocol: tcp Description: allow port 443 access FromPort: 443 ToPort: 443 CidrIp: 0.0.0.0/0 SecurityGroupEgress: - CidrIp: 0.0.0.0/0 Description: Allow all outbound traffic by default from Load Balancer IpProtocol: "-1" VpcId: !Ref VPC WebSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Enable HTTP access via user defined port VpcId: !Ref VPC SecurityGroupIngress: - SourceSecurityGroupId: !Ref ELBSecurityGroup Description: allow port 80 access FromPort: 80 IpProtocol: tcp ToPort: 80 SecurityGroupEgress: - CidrIp: 0.0.0.0/0 Description: Allow all outbound traffic by default from Instance IpProtocol: "-1" MyApplication: Type: AWS::ElasticBeanstalk::Application Properties: Description: AWS Elastic Beanstalk Sample Application MyApplicationVersion: Type: AWS::ElasticBeanstalk::ApplicationVersion Properties: ApplicationName: !Ref MyApplication Description: Sample Application Version SourceBundle: S3Bucket: !Ref S3BucketName S3Key: corretto.zip ConfigurationTemplate: Type: AWS::ElasticBeanstalk::ConfigurationTemplate DependsOn: [ 'EBServiceRole', 'EBEC2Role' ] Properties: ApplicationName: !Ref MyApplication Description: AWS ElasticBeanstalk Sample Configuration Template SolutionStackName: !Ref EBSolutionStack OptionSettings: - Namespace: 'aws:elasticbeanstalk:environment' OptionName: ServiceRole Value: !Ref EBServiceRole - Namespace: 'aws:autoscaling:launchconfiguration' OptionName: IamInstanceProfile Value: !Ref EBEC2InstanceProfile - Namespace: aws:elasticbeanstalk:environment OptionName: EnvironmentType Value: LoadBalanced - Namespace: aws:autoscaling:asg OptionName: MinSize Value: "1" - Namespace: aws:autoscaling:asg OptionName: MaxSize Value: "1" - Namespace: aws:autoscaling:trigger OptionName: MeasureName Value: CPUUtilization - Namespace: aws:autoscaling:trigger OptionName: MeasureName Value: CPUUtilization - Namespace: aws:autoscaling:launchconfiguration OptionName: SecurityGroups Value: !Ref WebSecurityGroup - Namespace: "aws:elasticbeanstalk:environment" OptionName: LoadBalancerType Value: application - Namespace: "aws:elbv2:loadbalancer" OptionName: SecurityGroups Value: !Ref ELBSecurityGroup - Namespace : "aws:elasticbeanstalk:environment:process:default" OptionName : HealthCheckPath Value : "/" - Namespace: "aws:elbv2:loadbalancer" OptionName: IdleTimeout Value : '1800' - Namespace: "aws:elbv2:listener:default" OptionName: Protocol Value : "HTTP" - Namespace: "aws:elbv2:listener:default" OptionName: ListenerEnabled Value : "true" - Namespace : "aws:elasticbeanstalk:command" OptionName: "DeploymentPolicy" Value : "AllAtOnce" #####launch configuration - Namespace: "aws:autoscaling:launchconfiguration" OptionName: InstanceType Value: !Ref EBInstanceType ### vpc configuration - Namespace: "aws:ec2:vpc" OptionName: VPCId Value: !Ref VPC - Namespace: "aws:ec2:vpc" OptionName: Subnets Value: !Join [ ',', [!Ref AppSubnet1] ] - Namespace: "aws:ec2:vpc" OptionName: ELBScheme Value: public - Namespace: "aws:ec2:vpc" OptionName: ELBSubnets Value: !Join [ ',', [!Ref PublicSubnet1, !Ref PublicSubnet2] ] MyEnvironment: Type: AWS::ElasticBeanstalk::Environment #DependsOn: DBInstance Properties: Description: AWS ElasticBeanstalk Sample Environment ApplicationName: !Ref MyApplication TemplateName: !Ref ConfigurationTemplate VersionLabel: !Ref MyApplicationVersion Outputs: VPC: Description: A reference to the created VPC Value: !Ref VPC PublicSubnets: Description: A list of the public subnets Value: !Join [ ",", [ !Ref PublicSubnet1, !Ref PublicSubnet2 ]] PrivateSubnets: Description: A list of the private subnets Value: !Join [ ",", [ !Ref AppSubnet1]] PublicSubnet1: Description: A reference to the public subnet in the 1st Availability Zone Value: !Ref PublicSubnet1 PublicSubnet2: Description: A reference to the public subnet in the 2nd Availability Zone Value: !Ref PublicSubnet2 AppSubnet1: Description: A reference to the private subnet in the 1st Availability Zone Value: !Ref AppSubnet1 WebSecurityGroup: Description: Web Security group Value: !Ref WebSecurityGroup EBApplication: Description: Elastic Beanstalk MyApplication Value: !Ref MyApplication EBEnvironment: Description: Elastic Beanstalk Environment Value: !Ref MyEnvironment EBEndPointURL: Description: Elastic Beanstalk EndpointURL Value: !GetAtt MyEnvironment.EndpointURL