Parameters: ProjectName: Type: String Description: Project name to link stacks Default: am-multi-account VpcCIDR: Description: Please enter the IP range (CIDR notation) for this VPC Type: String Default: 10.193.0.0/16 PublicSubnet1CIDR: Description: Please enter the IP range (CIDR notation) for the public subnet in the first Availability Zone Type: String Default: 10.193.10.0/24 PublicSubnet2CIDR: Description: Please enter the IP range (CIDR notation) for the public subnet in the second Availability Zone Type: String Default: 10.193.11.0/24 PrivateSubnet1CIDR: Description: Please enter the IP range (CIDR notation) for the private subnet in the first Availability Zone Type: String Default: 10.193.20.0/24 PrivateSubnet2CIDR: Description: Please enter the IP range (CIDR notation) for the private subnet in the second Availability Zone Type: String Default: 10.193.21.0/24 FrontendAccountId: Type: String PeerVPCId: Type: String PeerRoleArn: Type: String Resources: VPC: Type: AWS::EC2::VPC Properties: CidrBlock: !Ref VpcCIDR EnableDnsSupport: true EnableDnsHostnames: true Tags: - Key: Name Value: !Ref ProjectName InternetGateway: Type: AWS::EC2::InternetGateway Properties: Tags: - Key: Name Value: !Ref ProjectName InternetGatewayAttachment: Type: AWS::EC2::VPCGatewayAttachment Properties: InternetGatewayId: !Ref InternetGateway VpcId: !Ref VPC PublicSubnet1: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC AvailabilityZone: !Select [ 0, !GetAZs '' ] CidrBlock: !Ref PublicSubnet1CIDR MapPublicIpOnLaunch: true Tags: - Key: Name Value: !Sub ${ProjectName} Public Subnet (AZ1) PublicSubnet2: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC AvailabilityZone: !Select [ 1, !GetAZs '' ] CidrBlock: !Ref PublicSubnet2CIDR MapPublicIpOnLaunch: true Tags: - Key: Name Value: !Sub ${ProjectName} Public Subnet (AZ2) PrivateSubnet1: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC AvailabilityZone: !Select [ 0, !GetAZs '' ] CidrBlock: !Ref PrivateSubnet1CIDR MapPublicIpOnLaunch: false Tags: - Key: Name Value: !Sub ${ProjectName} Private Subnet (AZ1) PrivateSubnet2: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC AvailabilityZone: !Select [ 1, !GetAZs '' ] CidrBlock: !Ref PrivateSubnet2CIDR MapPublicIpOnLaunch: false Tags: - Key: Name Value: !Sub ${ProjectName} Private Subnet (AZ2) NatGateway1EIP: Type: AWS::EC2::EIP DependsOn: InternetGatewayAttachment Properties: Domain: vpc NatGateway2EIP: Type: AWS::EC2::EIP DependsOn: InternetGatewayAttachment Properties: Domain: vpc NatGateway1: Type: AWS::EC2::NatGateway Properties: AllocationId: !GetAtt NatGateway1EIP.AllocationId SubnetId: !Ref PublicSubnet1 NatGateway2: Type: AWS::EC2::NatGateway Properties: AllocationId: !GetAtt NatGateway2EIP.AllocationId SubnetId: !Ref PublicSubnet2 PublicRouteTable: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref VPC Tags: - Key: Name Value: !Sub ${ProjectName} Public Routes DefaultPublicRoute: Type: AWS::EC2::Route DependsOn: InternetGatewayAttachment Properties: RouteTableId: !Ref PublicRouteTable DestinationCidrBlock: 0.0.0.0/0 GatewayId: !Ref InternetGateway PublicSubnet1RouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: RouteTableId: !Ref PublicRouteTable SubnetId: !Ref PublicSubnet1 PublicSubnet2RouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: RouteTableId: !Ref PublicRouteTable SubnetId: !Ref PublicSubnet2 PrivateRouteTable1: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref VPC Tags: - Key: Name Value: !Sub ${ProjectName} Private Routes (AZ1) DefaultPrivateRoute1: Type: AWS::EC2::Route Properties: RouteTableId: !Ref PrivateRouteTable1 DestinationCidrBlock: 0.0.0.0/0 NatGatewayId: !Ref NatGateway1 PrivateSubnet1RouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: RouteTableId: !Ref PrivateRouteTable1 SubnetId: !Ref PrivateSubnet1 PrivateRouteTable2: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref VPC Tags: - Key: Name Value: !Sub ${ProjectName} Private Routes (AZ2) DefaultPrivateRoute2: Type: AWS::EC2::Route Properties: RouteTableId: !Ref PrivateRouteTable2 DestinationCidrBlock: 0.0.0.0/0 NatGatewayId: !Ref NatGateway2 PrivateSubnet2RouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: RouteTableId: !Ref PrivateRouteTable2 SubnetId: !Ref PrivateSubnet2 NodesSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Allow traffic from frontend EKS GroupName: frontend-eks-rules SecurityGroupIngress: - IpProtocol: "-1" CidrIp: "10.192.0.0/16" VpcId: !Ref VPC VPCPeeringConnection: Type: 'AWS::EC2::VPCPeeringConnection' Properties: VpcId: !Ref VPC PeerVpcId: !Ref PeerVPCId PeerOwnerId: !Ref FrontendAccountId PeerRoleArn: !Ref PeerRoleArn NodesSDPolicy: Type: AWS::IAM::ManagedPolicy Properties: PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: ['appmesh-preview:*'] Resource: '*' - Effect: Allow Action: ['servicediscovery:CreateService'] Resource: '*' - Effect: Allow Action: ['servicediscovery:DeleteService'] Resource: '*' - Effect: Allow Action: ['servicediscovery:GetService'] Resource: '*' - Effect: Allow Action: ['servicediscovery:GetInstance'] Resource: '*' - Effect: Allow Action: ['servicediscovery:RegisterInstance'] Resource: '*' - Effect: Allow Action: ['servicediscovery:DeregisterInstance'] Resource: '*' - Effect: Allow Action: ['servicediscovery:ListInstances'] Resource: '*' - Effect: Allow Action: ['servicediscovery:ListNamespaces'] Resource: '*' - Effect: Allow Action: ['servicediscovery:ListServices'] Resource: '*' - Effect: Allow Action: ['servicediscovery:GetOperation'] Resource: '*' - Effect: Allow Action: ['servicediscovery:GetInstancesHealthStatus'] Resource: '*' - Effect: Allow Action: ['servicediscovery:UpdateInstanceCustomHealthStatus'] Resource: '*' - Effect: Allow Action: ['route53:GetHealthCheck'] Resource: '*' - Effect: Allow Action: ['route53:CreateHealthCheck'] Resource: '*' - Effect: Allow Action: ['route53:UpdateHealthCheck'] Resource: '*' - Effect: Allow Action: ['route53:ChangeResourceRecordSets'] Resource: '*' - Effect: Allow Action: ['route53:DeleteHealthCheck'] Resource: '*' AppServerServiceDiscoveryNamespace: Type: AWS::ServiceDiscovery::HttpNamespace Properties: Name: !Sub '${ProjectName}.local' Outputs: VPC: Description: A reference to the created VPC Value: !Ref VPC Export: Name: !Sub '${ProjectName}:VPC' PublicSubnets: Description: A list of the public subnets Value: !Join [ ",", [ !Ref PublicSubnet1, !Ref PublicSubnet2 ]] PrivateSubnets: Description: A list of the private subnets Value: !Join [ ",", [ !Ref PrivateSubnet1, !Ref PrivateSubnet2 ]] PublicSubnet1: Description: A reference to the public subnet in the 1st Availability Zone Value: !Ref PublicSubnet1 Export: Name: !Sub '${ProjectName}:PublicSubnet1' PublicSubnet2: Description: A reference to the public subnet in the 2nd Availability Zone Value: !Ref PublicSubnet2 Export: Name: !Sub '${ProjectName}:PublicSubnet2' PrivateSubnet1: Description: A reference to the private subnet in the 1st Availability Zone Value: !Ref PrivateSubnet1 Export: Name: !Sub '${ProjectName}:PrivateSubnet1' PrivateSubnet2: Description: A reference to the private subnet in the 2nd Availability Zone Value: !Ref PrivateSubnet2 Export: Name: !Sub '${ProjectName}:PrivateSubnet2' PrivateRouteTable1: Value: !Ref PrivateRouteTable1 Export: Name: !Sub '${ProjectName}:PrivateRouteTable1' PrivateRouteTable2: Value: !Ref PrivateRouteTable2 Export: Name: !Sub '${ProjectName}:PrivateRouteTable2' VPCPeeringConnectionId: Value: !Ref VPCPeeringConnection Export: Name: !Sub '${ProjectName}:VPCPeeringConnectionId' NodesSecurityGroup: Value: !Ref NodesSecurityGroup Export: Name: !Sub '${ProjectName}:NodesSecurityGroup' NodesSDPolicy: Description: IAM Policy that will be added to the EKS nodes Value: !Ref NodesSDPolicy Export: Name: !Sub '${ProjectName}:NodesSDPolicy' AppServerServiceDiscoveryNamespace: Description: A SDS namespace that will be used by appserver Value: !Ref AppServerServiceDiscoveryNamespace Export: Name: !Sub '${ProjectName}:AppServerServiceDiscoveryNamespace'