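---
# Parent template: creates the VPC and then a bastion host inside it as two
# nested stacks (see Resources), exposing one parameter surface for both.
# The version is quoted so YAML 1.1 loaders (PyYAML, cfn-lint) keep it as a
# string instead of parsing it as a date.
AWSTemplateFormatVersion: '2010-09-09'
Description: SASKV5 VPC + Bastion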
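Parameters:
  # Bucket the nested templates (templates/vpc.cfn.yml and
  # templates/bastion.cfn.yml) are fetched from. Whoever can write to this
  # bucket controls what this stack deploys, so point it at a bucket you own
  # when you fork these templates.
  TemplateBucket:
    Type: String
    Default: awslabs-startup-kit-templates-deploy-v5
    Description: The template bucket for the CloudFormation templates
  AvailabilityZone1:
    Description: The first availability zone in the region
    Type: AWS::EC2::AvailabilityZone::Name
    ConstraintDescription: Must be a valid availability zone
  AvailabilityZone2:
    Description: The second availability zone in the region
    Type: AWS::EC2::AvailabilityZone::Name
    ConstraintDescription: Must be a valid availability zone
  # The default leaves bastion SSH reachable from every IPv4 address; narrow
  # it to your office/VPN CIDR at deploy time. AllowedPattern rejects anything
  # that is not a dotted-quad IPv4 CIDR before the nested VPC stack sees it
  # (the default 0.0.0.0/0 satisfies the pattern, so existing deploys still
  # validate).
  SSHFrom:
    Description: Limit SSH access to bastion hosts to a CIDR IP block
    Type: String
    MinLength: 9
    MaxLength: 18
    Default: 0.0.0.0/0
    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])/([0-9]|[1-2][0-9]|3[0-2])$'
    ConstraintDescription: Must be a valid IPv4 CIDR block, e.g. 203.0.113.0/24
  ELBIngressPort:
    Description: The ELB ingress port used by security groups
    Type: Number
    MinValue: 0
    MaxValue: 65535
    ConstraintDescription: TCP ports must be between 0 - 65535
    Default: 80
  AppIngressPort:
    Description: The application ingress port used by security groups
    Type: Number
    MinValue: 0
    MaxValue: 65535
    ConstraintDescription: TCP ports must be between 0 - 65535
    Default: 80
  KeyName:
    Description: EC2 key pair name for bastion host SSH access
    Type: AWS::EC2::KeyPair::KeyName
  # NOTE(review): presumably passed straight through to the bastion stack's
  # log group; a value CloudWatch Logs does not accept as a retention period
  # would only surface when the nested stack is created — confirm in
  # bastion.cfn.yml.
  LogRetentionInDays:
    Description: Number of days you would like your CloudWatch Logs to be retained
    Type: Number
    Default: 90
  # For more information on the google-authenticator PAM module, see: https://github.com/google/google-authenticator-libpam
  # Quoted so YAML 1.1 loaders keep these as the strings "true"/"false" that
  # a String parameter expects, rather than turning them into booleans.
  MFA:
    Description: Set to true to install MFA using the google-authenticator PAM module on your bastion host
    Type: String
    ConstraintDescription: Value must be true or false
    Default: 'false'
    AllowedValues:
      - 'true'
      - 'false'
  # Selects the IsProd condition below; prod and dev differ only in how the
  # nested VPC stack is parameterised.
  EnvironmentName:
    Type: String
    Description: Environment name - dev or prod
    Default: dev
    AllowedValues:
      - dev
      - prod
    ConstraintDescription: Specify either dev or prod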
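Metadata:
  # Console-only presentation hints: how the parameters above are grouped and
  # labelled in the CloudFormation console. Nothing here changes what gets
  # deployed.
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Environment
        Parameters:
          - EnvironmentName
      - Label:
          default: Region Availability Zones
        Parameters:
          - AvailabilityZone1
          - AvailabilityZone2
      - Label:
          default: Ingress Ports
        Parameters:
          - ELBIngressPort
          - AppIngressPort
      - Label:
          default: Bastion
        Parameters:
          - KeyName
          - LogRetentionInDays
          - MFA
          - SSHFrom
    # Exactly one label per parameter: duplicate mapping keys are invalid
    # YAML, and most loaders silently keep only the last occurrence.
    ParameterLabels:
      AvailabilityZone1:
        default: Availability Zone 1
      AvailabilityZone2:
        default: Availability Zone 2
      ELBIngressPort:
        default: Load Balancer Port
      AppIngressPort:
        default: Application Port
      SSHFrom:
        default: SSH Whitelist
      TemplateBucket:
        default: CloudFormation Bucket
      EnvironmentName:
        default: Environment
      KeyName:
        default: EC2 Key Pair
      LogRetentionInDays:
        default: Log Retention
      MFA:
        default: Multi-Factor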
Conditions:
  # True only when EnvironmentName is prod; used in Resources to pick the
  # SingleNatGateway value handed to the nested VPC stack.
  IsProd: !Equals
    - !Ref EnvironmentName
    - prod
Resources:
  # Network layer: the two-AZ VPC described by the nested vpc.cfn.yml.
  # NOTE(review): the TemplateURL is a path-style URL on the global S3
  # endpoint; a bucket outside us-east-1 may need the regional host — confirm.
  VpcStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: !Sub 'https://s3.amazonaws.com/${TemplateBucket}/templates/vpc.cfn.yml'
      Parameters:
        AvailabilityZone1: !Ref AvailabilityZone1
        AvailabilityZone2: !Ref AvailabilityZone2
        SSHFrom: !Ref SSHFrom
        ELBIngressPort: !Ref ELBIngressPort
        AppIngressPort: !Ref AppIngressPort
        # dev shares one NAT gateway; prod does not. Presumably the VPC
        # template then provisions one gateway per AZ — confirm in vpc.cfn.yml.
        SingleNatGateway: !If
          - IsProd
          - false
          - true

  # Bastion host layer, created inside the VPC above. The !GetAtt on the
  # VpcStack output already orders the two stacks; DependsOn restates it
  # explicitly.
  BastionStack:
    Type: AWS::CloudFormation::Stack
    DependsOn: VpcStack
    Properties:
      TemplateURL: !Sub 'https://s3.amazonaws.com/${TemplateBucket}/templates/bastion.cfn.yml'
      Parameters:
        NetworkStackName: !GetAtt VpcStack.Outputs.Name
        KeyName: !Ref KeyName
        LogRetentionInDays: !Ref LogRetentionInDays
        MFA: !Ref MFA
Outputs:
  # Both nested stack names are exported under this stack's name so that
  # sibling stacks can import them with Fn::ImportValue.
  VpcStackName:
    Value: !GetAtt VpcStack.Outputs.Name
    Export:
      Name: !Sub '${AWS::StackName}-VpcStackName'

  BastionStackName:
    Value: !GetAtt BastionStack.Outputs.Name
    Export:
      Name: !Sub '${AWS::StackName}-BastionStackName'