AWSTemplateFormatVersion: 2010-09-09 Description: >- This template creates a single AZ, subnet VPC infrastructure with managed NAT gateway in the public subnet for the Availability Zone. **WARNING** This template creates AWS resources. You will be billed for the AWS resources used if you create a stack from this template. (qs-1qnnspaap) Metadata: LICENSE: Apache License, Version 2.0 QuickStartDocumentation: EntrypointName: Launch a new VPC AWS::CloudFormation::Interface: ParameterGroups: - Label: default: Availability Zone configuration Parameters: - AvailabilityZone - Label: default: Network configuration Parameters: - VPCCIDR - PublicSubnetCIDR ParameterLabels: AvailabilityZone: default: Availability Zone VPCCIDR: default: VPC CIDR Parameters: AvailabilityZone: Type: AWS::EC2::AvailabilityZone::Name Description: >- Availability Zone to use for the subnets in the VPC. The specified logical order is preserved. PrivateSubnetCIDR: Type: String Description: >- CIDR block for private subnet located in the Availability Zone. AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: >- CIDR block parameter must be in the form x.x.x.x/16-28. Default: 10.0.0.0/19 PublicSubnetCIDR: Type: String Description: >- CIDR block for the public DMZ subnet 1 located in Availability Zone 1. AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: >- CIDR block parameter must be in the form x.x.x.x/16-28. Default: 10.0.128.0/20 VPCCIDR: Type: String Description: CIDR block for the VPC. AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: >- CIDR block parameter must be in the form x.x.x.x/16-28. Default: 10.0.0.0/16 Conditions: NVirginiaRegionCondition: !Equals [!Ref AWS::Region, us-east-1] Resources: DHCPOptions: Type: AWS::EC2::DHCPOptions Properties: DomainName: !If [NVirginiaRegionCondition, ec2.internal, !Sub '${AWS::Region}.compute.internal'] DomainNameServers: - AmazonProvidedDNS Tags: - Key: Name Value: !Sub ${AWS::StackName} stack DHCPOptions - Key: StackName Value: !Ref AWS::StackName VPC: Type: AWS::EC2::VPC Properties: CidrBlock: !Ref VPCCIDR InstanceTenancy: default EnableDnsSupport: true EnableDnsHostnames: true Tags: - Key: Name Value: !Ref AWS::StackName VPCDHCPOptionsAssociation: Type: AWS::EC2::VPCDHCPOptionsAssociation Properties: VpcId: !Ref VPC DhcpOptionsId: !Ref DHCPOptions InternetGateway: Type: AWS::EC2::InternetGateway Properties: Tags: - Key: Name Value: !Ref AWS::StackName VPCGatewayAttachment: Type: AWS::EC2::VPCGatewayAttachment Properties: VpcId: !Ref VPC InternetGatewayId: !Ref InternetGateway PrivateSubnet: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC CidrBlock: !Ref PrivateSubnetCIDR AvailabilityZone: !Ref AvailabilityZone Tags: - Key: Name Value: Private subnet PublicSubnet: Type: AWS::EC2::Subnet Metadata: cfn_nag: rules_to_suppress: - id: W33 reason: >- (W33) EC2 Subnet should not have MapPublicIpOnLaunch set to true. Properties: VpcId: !Ref VPC CidrBlock: !Ref PublicSubnetCIDR AvailabilityZone: !Ref AvailabilityZone Tags: - Key: Name Value: Public subnet MapPublicIpOnLaunch: true PrivateSubnetRouteTable: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref VPC Tags: - Key: Name Value: Private subnet A - Key: Network Value: Private PrivateSubnetRoute: Type: AWS::EC2::Route Properties: RouteTableId: !Ref PrivateSubnetRouteTable DestinationCidrBlock: 0.0.0.0/0 NatGatewayId: !Ref NATGateway PrivateSubnetRouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: SubnetId: !Ref PrivateSubnet RouteTableId: !Ref PrivateSubnetRouteTable PublicSubnetRouteTable: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref VPC Tags: - Key: Name Value: Public Subnets - Key: Network Value: Public PublicSubnetRoute: DependsOn: VPCGatewayAttachment Type: AWS::EC2::Route Properties: RouteTableId: !Ref PublicSubnetRouteTable DestinationCidrBlock: 0.0.0.0/0 GatewayId: !Ref InternetGateway PublicSubnetRouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: SubnetId: !Ref PublicSubnet RouteTableId: !Ref PublicSubnetRouteTable NATEIP: DependsOn: VPCGatewayAttachment Type: AWS::EC2::EIP Properties: Domain: vpc Tags: - Key: Name Value: NATEIP NATGateway: DependsOn: VPCGatewayAttachment Type: AWS::EC2::NatGateway Properties: AllocationId: !GetAtt NATEIP.AllocationId SubnetId: !Ref PublicSubnet Tags: - Key: Name Value: NATGateway S3VPCEndpoint: Type: AWS::EC2::VPCEndpoint Metadata: cfn-lint: config: ignore_checks: - EIAMPolicyActionWildcard - EPolicyWildcardPrincipal ignore_reasons: EIAMPolicyActionWildcard: >- This is based on AWS documentation- filtering via bucket policy is generally preferred. EIAMPolicyWildcardResource: >- This is based on AWS documentation- filtering via bucket policy is generally preferred. Properties: PolicyDocument: Version: 2012-10-17 Statement: - Action: '*' Effect: Allow Resource: '*' Principal: '*' RouteTableIds: - !Ref PrivateSubnetRouteTable ServiceName: !Sub com.amazonaws.${AWS::Region}.s3 VpcId: !Ref VPC Outputs: NATEIP: Description: NAT IP address. Value: !Ref NATEIP Export: Name: !Sub ${AWS::StackName}-NATEIP NATGatewayID: Description: NATGateway ID. Value: !Ref NATGateway Export: Name: !Sub ${AWS::StackName}-NATGateway PrivateSubnetCIDR: Description: Private subnet CIDR in the Availability Zone. Value: !Ref PrivateSubnetCIDR Export: Name: !Sub ${AWS::StackName}-PrivateSubnetCIDR PrivateSubnetID: Description: Private subnet ID in the Availability Zone. Value: !Ref PrivateSubnet Export: Name: !Sub ${AWS::StackName}-PrivateSubnetID PrivateSubnetRouteTable: Description: Private subnet route table. Value: !Ref PrivateSubnetRouteTable Export: Name: !Sub ${AWS::StackName}-PrivateSubnetRouteTable PublicSubnetCIDR: Description: Public subnet CIDR in the Availability Zone. Value: !Ref PublicSubnetCIDR Export: Name: !Sub ${AWS::StackName}-PublicSubnetCIDR PublicSubnetID: Description: Public subnet ID in the Availability Zone. Value: !Ref PublicSubnet Export: Name: !Sub ${AWS::StackName}-PublicSubnetID PublicSubnetRouteTable: Description: Public subnet route table. Value: !Ref PublicSubnetRouteTable Export: Name: !Sub ${AWS::StackName}-PublicSubnetRouteTable S3VPCEndpoint: Description: S3 VPC Endpoint. Value: !Ref S3VPCEndpoint Export: Name: !Sub ${AWS::StackName}-S3VPCEndpoint VPCCIDR: Description: VPC CIDR. Value: !Ref VPCCIDR Export: Name: !Sub ${AWS::StackName}-VPCCIDR VPCID: Description: VPC ID. Value: !Ref VPC Export: Name: !Sub ${AWS::StackName}-VPCID