--- AWSTemplateFormatVersion: '2010-09-09' Description: This template creates a VPC infrastructure for Oracle Simphony Application deployment on AWS. This template creates VPC, 2 Private Subnets, All required Security Groups, VPC End points for S3 bucket and Monitoring, Data lifecycle Manager for instance backup, Instance Profile for S3 and monitoring access. Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: default: VPC Configuration Parameters: - UserSpecifiedVPCId - Subnet1ID - Subnet2ID - Label: default: Network Configuration Parameters: - VpcCIDR - Subnet1CIDR - Subnet2CIDR - Label: default: Backup Configuration Parameters: - DLMCrossRegionCopy ParameterLabels: UserSpecifiedVPCId: default: The VPC where to deploy simphony in Subnet1ID: default: The first private subnet Subnet2ID: default: A second private subnet VpcCIDR: default: VPC CIDR Subnet1CIDR: default: Private subnet 1 CIDR Subnet2CIDR: default: Private subnet 2 CIDR DLMCrossRegionCopy: default: DLM Cross Region Name Mappings: RegionMap: us-east-1: "S3ManagedPrefixListID" : "pl-63a5400a" ap-northeast-1: "S3ManagedPrefixListID" : "pl-61a54008" ap-northeast-2: "S3ManagedPrefixListID" : "pl-78a54011" ap-south-1: "S3ManagedPrefixListID" : "pl-78a54011" ap-southeast-1: "S3ManagedPrefixListID" : "pl-6fa54006" ap-southeast-2: "S3ManagedPrefixListID" : "pl-6ca54005" ca-central-1: "S3ManagedPrefixListID" : "pl-7da54014" eu-central-1: "S3ManagedPrefixListID" : "pl-6ea54007" eu-north-1: "S3ManagedPrefixListID" : "pl-c3aa4faa" eu-west-1: "S3ManagedPrefixListID" : "pl-6da54004" eu-west-2: "S3ManagedPrefixListID" : "pl-7ca54015" eu-west-3: "S3ManagedPrefixListID" : "pl-23ad484a" sa-east-1: "S3ManagedPrefixListID" : "pl-6aa54003" us-east-2: "S3ManagedPrefixListID" : "pl-7ba54012" us-west-1: "S3ManagedPrefixListID" : "pl-6ba54002" us-west-2: "S3ManagedPrefixListID" : "pl-68a54001" Parameters: VpcCIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.10.0.0/24 Description: CIDR block for VPC Type: String UserSpecifiedVPCId: Type: String Default: '' Subnet1ID: Type: String Default: '' Subnet2ID: Type: String Default: '' Subnet1CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.10.0.0/25 Description: CIDR block for subnet1 Type: String Subnet2CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.10.0.128/25 Description: CIDR block for subnet2 Type: String DLMCrossRegionCopy: Description: DLM for cross region copy Type: String Default: us-east-2 Conditions: CreateVPC: !Equals [!Ref UserSpecifiedVPCId, ""] Resources: VPC: Type: AWS::EC2::VPC Condition: CreateVPC Properties: CidrBlock: !Ref VpcCIDR EnableDnsHostnames: true EnableDnsSupport: true Tags: - Key: Name Value: !Ref 'AWS::StackName' PrivateSubnet1: Type: AWS::EC2::Subnet Condition: CreateVPC Properties: AvailabilityZone: !Select - 0 - Fn::GetAZs: !Ref 'AWS::Region' CidrBlock: !Ref Subnet1CIDR MapPublicIpOnLaunch: false VpcId: Ref: VPC PrivateSubnet2: Type: AWS::EC2::Subnet Condition: CreateVPC Properties: AvailabilityZone: !Select - 1 - Fn::GetAZs: !Ref 'AWS::Region' CidrBlock: !Ref Subnet2CIDR MapPublicIpOnLaunch: false VpcId: Ref: VPC SGBase: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Base Security Group for xcenter VpcId: !If [CreateVPC, !Ref VPC, !Ref UserSpecifiedVPCId] SecurityGroupIngress: - IpProtocol: TCP FromPort: 22 ToPort: 22 CidrIp: 0.0.0.0/0 Description: "ssh to ec2 instance" - IpProtocol: TCP FromPort: 8140 ToPort: 8140 CidrIp: 0.0.0.0/0 Description: "puppet master & agent communication port" - IpProtocol: TCP FromPort: 8080 ToPort: 8088 CidrIp: 0.0.0.0/0 Description: "Simphony applications port" - IpProtocol: TCP FromPort: 1433 ToPort: 1433 CidrIp: 0.0.0.0/0 Description: "SQL Server" - IpProtocol: TCP FromPort: 1522 ToPort: 1522 CidrIp: 0.0.0.0/0 Description: "Oracle DB" - IpProtocol: ICMP FromPort: 8 ToPort: -1 CidrIp: 0.0.0.0/0 Description: "Ping to verify connectivity" - IpProtocol: TCP FromPort: 2 ToPort: 3 CidrIp: 0.0.0.0/0 Description: "Simphony applications port" - IpProtocol: TCP FromPort: 1194 ToPort: 1194 CidrIp: 0.0.0.0/0 Description: "Simphony applications port" SecurityGroupEgress: - IpProtocol: TCP FromPort: 3128 ToPort: 3128 CidrIp: 0.0.0.0/0 Description: "Proxy server" - IpProtocol: TCP FromPort: 8080 ToPort: 8088 CidrIp: 0.0.0.0/0 Description: "Simphony applications port" - IpProtocol: TCP FromPort: 1433 ToPort: 1433 CidrIp: 0.0.0.0/0 Description: "SQL Server" - IpProtocol: TCP FromPort: 1522 ToPort: 1522 CidrIp: 0.0.0.0/0 Description: "Oracle DB" - IpProtocol: TCP FromPort: 2 ToPort: 3 CidrIp: 0.0.0.0/0 Description: "Simphony applications port" - IpProtocol: TCP FromPort: 1194 ToPort: 1194 CidrIp: 0.0.0.0/0 Description: "Simphony applications port" SGBaseIngress1: Type: 'AWS::EC2::SecurityGroupIngress' Properties: GroupId: !Ref SGBase IpProtocol: TCP FromPort: 1521 ToPort: 1521 SourceSecurityGroupId: !GetAtt SGBase.GroupId SGBaseIngress2: Type: 'AWS::EC2::SecurityGroupIngress' Properties: GroupId: !Ref SGBase IpProtocol: TCP FromPort: 61613 ToPort: 61616 SourceSecurityGroupId: !GetAtt SGBase.GroupId SGBaseEgress1: Type: 'AWS::EC2::SecurityGroupEgress' Properties: GroupId: !Ref SGBase IpProtocol: TCP FromPort: 1521 ToPort: 1521 DestinationSecurityGroupId: !GetAtt SGBase.GroupId SGBaseEgress2: Type: 'AWS::EC2::SecurityGroupEgress' Properties: GroupId: !Ref SGBase IpProtocol: "-1" FromPort: -1 ToPort: -1 DestinationSecurityGroupId: !GetAtt SGBase.GroupId SGBaseEgress3: Type: 'AWS::EC2::SecurityGroupEgress' Properties: GroupId: !Ref SGBase IpProtocol: "-1" FromPort: -1 ToPort: -1 DestinationPrefixListId : !FindInMap [RegionMap, !Ref "AWS::Region", S3ManagedPrefixListID] SGBaseEgress4: Type: 'AWS::EC2::SecurityGroupEgress' Properties: GroupId: !Ref SGBase IpProtocol: TCP FromPort: 61613 ToPort: 61616 DestinationSecurityGroupId: !GetAtt SGBase.GroupId SimphonyMonitoringVPCEndpoint: Type: AWS::EC2::VPCEndpoint Properties: PolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Action: [ "*" ] Resource: "*" Principal: "*" PrivateDnsEnabled: true SecurityGroupIds: - !GetAtt SGBase.GroupId ServiceName: !Sub com.amazonaws.${AWS::Region}.monitoring SubnetIds: - !If [CreateVPC, !Ref PrivateSubnet1, !Ref Subnet1ID] - !If [CreateVPC, !Ref PrivateSubnet2, !Ref Subnet2ID] VpcEndpointType: "Interface" VpcId: !If [CreateVPC, !Ref VPC, !Ref UserSpecifiedVPCId] SimphonyS3VPCEndpoint: Type: AWS::EC2::VPCEndpoint Properties: PolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Action: [ "*" ] Resource: "*" Principal: "*" PrivateDnsEnabled: false ServiceName: !Sub com.amazonaws.${AWS::Region}.s3 VpcEndpointType: "Gateway" VpcId: !If [CreateVPC, !Ref VPC, !Ref UserSpecifiedVPCId] SimphonyManagedPolicy: Type: AWS::IAM::ManagedPolicy Properties: ManagedPolicyName: Simphony_DLM Description: "Policy for Simphony backup Lifecycle Management" Path: "/" PolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Action: [ "ec2:CreateSnapshot", "ec2:CreateSnapshots", "ec2:DeleteSnapshot", "ec2:DescribeInstances", "ec2:DescribeVolumes", "ec2:DescribeSnapshots", "ec2:EnableFastSnapshotRestores", "ec2:DescribeFastSnapshotRestores", "ec2:DisableFastSnapshotRestores", "ec2:CopySnapshot" ] Resource: "*" - Effect: "Allow" Action: "ec2:CreateTags" Resource: "arn:aws:ec2:*::snapshot/*" SimphonyLifecycleRole: Type: 'AWS::IAM::Role' Properties: ManagedPolicyArns: [ !Ref SimphonyManagedPolicy ] AssumeRolePolicyDocument: Statement: - Action: - 'sts:AssumeRole' Effect: Allow Principal: Service: - "dlm.amazonaws.com" Path: / RoleName: Simphony_DLM SimphonyLifecyclePolicy: Type: "AWS::DLM::LifecyclePolicy" Properties: Description: "Simphony backup life cycle policy" State: "ENABLED" ExecutionRoleArn: !GetAtt - SimphonyLifecycleRole - Arn PolicyDetails: ResourceTypes: - "INSTANCE" TargetTags: - Key: "LCM_TAG" Value: "SIM" Schedules: - Name: "Daily Snapshots" TagsToAdd: - Key: "type" Value: "DailySnapshot" CreateRule: Interval: 24 IntervalUnit: "HOURS" Times: - "12:00" CrossRegionCopyRules: - CopyTags: true Encrypted: true RetainRule: Interval: 1 IntervalUnit: "DAYS" TargetRegion: Ref: DLMCrossRegionCopy RetainRule: Count: 3 CopyTags: false SimphonyS3Policy: Type: AWS::IAM::ManagedPolicy Properties: ManagedPolicyName: simphony_s3_policy Description: "Policy for Simphony S3 access" Path: "/" PolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Action: [ "s3:*" ] Resource: "*" SimphonyCloudWatchPolicy: Type: AWS::IAM::ManagedPolicy Properties: ManagedPolicyName: simphony_cloudwatch_policy Description: "Policy for Simphony cloud watch access" Path: "/" PolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Action: [ "cloudwatch:PutMetricData", "ec2:DescribeTags", "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics" ] Resource: "*" SimphonyEC2InstanceRole: Type: 'AWS::IAM::Role' Properties: ManagedPolicyArns: [ !Ref SimphonyS3Policy, !Ref SimphonyCloudWatchPolicy ] AssumeRolePolicyDocument: Statement: - Action: - 'sts:AssumeRole' Effect: Allow Principal: Service: - "ec2.amazonaws.com" Path: / RoleName: simphony_instance_role SimphonyProfile: Type: "AWS::IAM::InstanceProfile" Properties: InstanceProfileName: simphony_instance_profile Path: "/" Roles: - Ref: SimphonyEC2InstanceRole Outputs: SimphonyVpcID: Value: !If [CreateVPC, !Ref VPC, !Ref UserSpecifiedVPCId] Description: VPC ID Export: Name: !Sub '${AWS::StackName}-SimphonyVPCID' SimphonySubnet1ID: Value: !If [CreateVPC, !Ref PrivateSubnet1, !Ref Subnet1ID] Description: Private Subnet 1 ID Export: Name: !Sub '${AWS::StackName}-SimphonyPrivateSubnet1ID' SimphonySubnet2ID: Value: !If [CreateVPC, !Ref PrivateSubnet2, !Ref Subnet2ID] Description: Private Subnet 2 ID Export: Name: !Sub '${AWS::StackName}-SimphonyPrivateSubnet2ID' SimphonySecurityGroup: Value: !Ref 'SGBase' Description: Security Group ID Export: Name: !Sub '${AWS::StackName}-SimphonySecurityGroupID' SimphonyInstanceProfile: Value: !Ref 'SimphonyProfile' Description: Simphony Instance Profile ID Export: Name: !Sub '${AWS::StackName}-SimphonyInstanceProfile'