
VPCの実験用CloudFormationテンプレート

簡単なVPC実験用CloudFormationテンプレート。

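# Quoted: a bare 2010-09-09 is read as a timestamp by YAML 1.1 loaders
# (CloudFormation tolerates it, generic tooling such as yamllint does not).
AWSTemplateFormatVersion: "2010-09-09"
Description: "Lab VPC: one internet-routed route table, two subnets, an HTTPS security group and an instance role for SSM Session Manager."
Resources:
  # VPC
  # NOTE(review): 172.0.0.0/16 is not RFC 1918 private space (10/8, 172.16/12,
  # 192.168/16); it overlaps publicly routed addresses, which become unreachable
  # from inside the VPC. Left as authored; 172.16.0.0/16 or 10.0.0.0/16 avoids that.
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 172.0.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true
      InstanceTenancy: default

  # Internet Gateway
  IGW1:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: stack
          Value: test

  AttachGateway:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref IGW1

  # Route Table
  publicRT:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: stack
          Value: test

  publicRoute:
    Type: AWS::EC2::Route
    # A route via an internet gateway can only be created after the gateway is
    # attached to the VPC. !Ref IGW1 orders publicRoute after IGW1 but not after
    # AttachGateway, so without this the route intermittently fails on create.
    DependsOn: AttachGateway
    Properties:
      RouteTableId: !Ref publicRT
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref IGW1

  # Subnets
  # Subnet1 is the internet-routed subnet (see Subnet1RT). With
  # MapPublicIpOnLaunch false and no NAT gateway or SSM VPC endpoints in this
  # template, an instance here only reaches the SSM endpoints if it is given a
  # public IP at launch or an Elastic IP.
  Subnet1:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 172.0.0.0/24
      MapPublicIpOnLaunch: false

  # Subnet2 has no route table association, so it stays on the VPC's main
  # route table and has no internet route — presumably the "private" subnet
  # of the experiment.
  Subnet2:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 172.0.1.0/24
      MapPublicIpOnLaunch: false

  Subnet1RT:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref Subnet1
      RouteTableId: !Ref publicRT

  # Security Group
  # Inbound 443 is open to every IPv4 address. Session Manager needs only the
  # outbound 443 rule (to the ssm/ssmmessages endpoints) and no inbound rule,
  # so the ingress entry can be removed or narrowed if the host is only ever
  # reached through SSM. Egress is deliberately limited to TCP 443.
  SG1:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow https to client host
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0

  # IAM Role for SSM access
  # Trust policy lets EC2 assume the role; the inline policy carries only the
  # instance-side actions Session Manager needs. The ssmmessages actions do not
  # support resource-level restrictions, so Resource '*' is expected here.
  SSMRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /
      Policies:
        - PolicyName: ssmAccess
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - ssm:UpdateInstanceInformation
                  - ssmmessages:CreateControlChannel
                  - ssmmessages:CreateDataChannel
                  - ssmmessages:OpenControlChannel
                  - ssmmessages:OpenDataChannel
                Resource: "*"

  # Instance profile wrapping the role so it can be attached to an EC2 instance.
  SSMInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: /
      Roles:
        - !Ref SSMRole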