--- AWSTemplateFormatVersion: 2010-09-09 Description: SASKV5 VPC + Bastion Parameters: TemplateBucket: Type: String Default: awslabs-startup-kit-templates-deploy-v5 Description: The template bucket for the CloudFormation templates AvailabilityZone1: Description: The first availability zone in the region Type: AWS::EC2::AvailabilityZone::Name ConstraintDescription: Must be a valid availability zone AvailabilityZone2: Description: The second availability zone in the region Type: AWS::EC2::AvailabilityZone::Name ConstraintDescription: Must be a valid availability zone SSHFrom: Description: Limit SSH access to bastion hosts to a CIDR IP block Type: String MinLength: 9 MaxLength: 18 Default: 0.0.0.0/0 ELBIngressPort: Description: The ELB ingress port used by security groups Type: Number MinValue: 0 MaxValue: 65535 ConstraintDescription: TCP ports must be between 0 - 65535 Default: 80 AppIngressPort: Description: The application ingress port used by security groups Type: Number MinValue: 0 MaxValue: 65535 ConstraintDescription: TCP ports must be between 0 - 65535 Default: 80 KeyName: Description: EC2 key pair name for bastion host SSH access Type: AWS::EC2::KeyPair::KeyName LogRetentionInDays: Description: Number of days you would like your CloudWatch Logs to be retained Type: Number Default: 90 # For more information on the google-authenticator PAM module, see: https://github.com/google/google-authenticator-libpam MFA: Description: Set to true to install MFA using the google-authenticator PAM module on your bastion host Type: String ConstraintDescription: Value must be true or false Default: false AllowedValues: - true - false EnvironmentName: Type: String Description: Environment name - dev or prod Default: dev AllowedValues: - dev - prod ConstraintDescription: Specify either dev or prod Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: default: Environment Parameters: - EnvironmentName - Label: default: Region Availability Zones Parameters: - AvailabilityZone1 - AvailabilityZone2 - Label: default: Ingress Ports Parameters: - ELBIngressPort - AppIngressPort - Label: default: Bastion Parameters: - KeyName - LogRetentionInDays - MFA - SSHFrom ParameterLabels: AvailabilityZone1: default: Availability Zone 1 AvailabilityZone2: default: Availability Zone 2 ELBIngressPort: default: Load Balancer Port AppIngressPort: default: Application Port SSHFrom: default: Bastion SSH Whitelist TemplateBucket: default: CloudFormation Bucket EnvironmentName: default: Environment KeyName: default: EC2 Key Pair LogRetentionInDays: default: Log Retention MFA: default: Multi-Factor SSHFrom: default: SSH Whitelist Conditions: IsProd: !Equals [ !Ref EnvironmentName, prod ] Resources: VpcStack: Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub https://s3.amazonaws.com/${TemplateBucket}/templates/vpc.cfn.yml Parameters: AvailabilityZone1: !Ref AvailabilityZone1 AvailabilityZone2: !Ref AvailabilityZone2 SSHFrom: !Ref SSHFrom ELBIngressPort: !Ref ELBIngressPort AppIngressPort: !Ref AppIngressPort SingleNatGateway: !If [ IsProd, false, true ] BastionStack: Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub https://s3.amazonaws.com/${TemplateBucket}/templates/bastion.cfn.yml Parameters: NetworkStackName: !GetAtt VpcStack.Outputs.Name KeyName: !Ref KeyName LogRetentionInDays: !Ref LogRetentionInDays MFA: !Ref MFA DependsOn: VpcStack Outputs: VpcStackName: Value: !GetAtt VpcStack.Outputs.Name Export: Name: !Sub ${AWS::StackName}-VpcStackName BastionStackName: Value: !GetAtt BastionStack.Outputs.Name Export: Name: !Sub ${AWS::StackName}-BastionStackName