feat: App Stream vpc #523

Merged
Changes from 8 commits
Expand Up @@ -3,6 +3,11 @@ AWSTemplateFormatVersion: 2010-09-09
Description: Service-Workbench-on-AWS Research-Account

Parameters:
EnableAppStream:
Type: String
AllowedValues: [true, false]
Description: Onboard this account to support AppStream

Namespace:
Type: String
Description: An environment name that will be prefixed to resource names
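Review bot: EnableAppStream (lines 36-39) has AllowedValues but no Default, so every new deployment and every update of an existing research-account stack must now supply it explicitly; if that is intended, say so in the Description, otherwise add `Default: false` so already onboarded accounts keep the public-subnet layout without a parameter change. Also consider quoting the values (`AllowedValues: ['true', 'false']`), since the parameter is `Type: String` and the unquoted YAML booleans are coerced to strings anyway; quoting makes the comparison in the isAppStream condition unambiguous.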
Expand All @@ -28,12 +33,18 @@ Parameters:
Type: String
Description: The arn of workflowRunner role

# Generous subnet allocation of 8192 addresses (ie room for a few concurrent EMR clusters)
# ending at 10.0.31.255
VpcPublicSubnet1Cidr:
Description: Please enter the IP range (CIDR notation) for the public subnet in the 1st Availability Zone
# Generous subnet allocation of 4096 addresses (ie room for a few concurrent EMR clusters)
# Range from 10.0.32.0 to 10.0.47.255
Subnet1Cidr:
Description: Please enter the IP range (CIDR notation) for the first subnet
Type: String
Default: 10.0.40.0/20

# Range from 10.0.48.0 to 10.0.63.255
Subnet2Cidr:
Description: Please enter the IP range (CIDR notation) for the second subnet. This value is only used if AppStream is enabled. It's used for PrivateWorkspaceSubnet
Type: String
Default: 10.0.0.0/19
Default: 10.0.50.0/20

LaunchConstraintRolePrefix:
Description: Role name prefix to use when creating a launch constraint role in the on-boarded account
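Review bot: the new defaults do not match their own comments: the comment above Subnet1Cidr says the range is 10.0.32.0 to 10.0.47.255 (that is 10.0.32.0/20) but the default is `10.0.40.0/20`, and the comment above Subnet2Cidr says 10.0.48.0 to 10.0.63.255 (10.0.48.0/20) but the default is `10.0.50.0/20`. Neither default is aligned to a /20 boundary; use `10.0.32.0/20` and `10.0.48.0/20`, or fix the comments to describe the blocks actually intended. Also the Subnet1Cidr description ("the first subnet") should say that the value is used for PublicSubnet1 when AppStream is disabled and for PrivateAppStreamSubnet when it is enabled, the way the Subnet2Cidr description already explains its own use.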
Expand Down Expand Up @@ -61,8 +72,13 @@ Metadata:
default: Deployment Configuration
Parameters:
- VpcCidr
- VpcPublicSubnet1Cidr

- Subnet1Cidr
Conditions:
isAppStream: !Equals
- !Ref EnableAppStream
- true
isNotAppStream:
!Not [Condition: isAppStream]
Resources:
# A role used for launching environments using AWS Service Catalog
# This is the role that code (ApiHandlerLambda and WorkflowLoopRunnerLambda) in central account
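Review bot: the ParameterGroups list in Metadata (lines 72-76) only picks up Subnet1Cidr; EnableAppStream and Subnet2Cidr are new parameters and belong there too, so they show up under Deployment Configuration in the console instead of in an unlabelled group at the end. Minor: the blank line that separated the Metadata block from what follows was dropped when `Conditions:` was inserted; restore it for consistency with the rest of the template.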
Expand Down Expand Up @@ -325,30 +341,34 @@ Resources:

InternetGateway:
Type: AWS::EC2::InternetGateway
Condition: isNotAppStream
Properties:
Tags:
- Key: Name
Value: !Sub ${Namespace} igw

InternetGatewayAttachment:
Type: AWS::EC2::VPCGatewayAttachment
Condition: isNotAppStream
Properties:
InternetGatewayId: !Ref InternetGateway
VpcId: !Ref VPC

PublicSubnet1:
Type: AWS::EC2::Subnet
Condition: isNotAppStream
Properties:
VpcId: !Ref VPC
AvailabilityZone: !Select [0, !GetAZs ]
CidrBlock: !Ref VpcPublicSubnet1Cidr
CidrBlock: !Ref Subnet1Cidr
MapPublicIpOnLaunch: true
Tags:
- Key: Name
Value: !Sub ${Namespace} public subnet 1

PublicRouteTable:
Type: AWS::EC2::RouteTable
Condition: isNotAppStream
Properties:
VpcId: !Ref VPC
Tags:
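Review bot: with isNotAppStream on PublicSubnet1 and isAppStream on PrivateAppStreamSubnet, both subnets consume Subnet1Cidr in the same AZ, so the two branches are mutually exclusive and cannot collide; add a one-line comment next to the CidrBlock change on line 110 saying so, because a reader who sees `!Ref Subnet1Cidr` here and again in the AppStream block will otherwise suspect a duplicate CIDR allocation.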
Expand All @@ -357,6 +377,7 @@ Resources:

DefaultPublicRoute:
Type: AWS::EC2::Route
Condition: isNotAppStream
DependsOn: InternetGatewayAttachment
Properties:
RouteTableId: !Ref PublicRouteTable
Expand All @@ -365,6 +386,7 @@ Resources:

PublicSubnet1RouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Condition: isNotAppStream
Properties:
RouteTableId: !Ref PublicRouteTable
SubnetId: !Ref PublicSubnet1
Expand Down Expand Up @@ -408,6 +430,111 @@ Resources:
AliasName: !Join ['', ['alias/', Ref: Namespace, '-encryption-key']]
TargetKeyId: !Ref EncryptionKey

#------------AppStream Resources Below-------
PrivateAppStreamSubnet:
Type: AWS::EC2::Subnet
Condition: isAppStream
Properties:
VpcId: !Ref VPC
AvailabilityZone: !Select [ 0, !GetAZs '' ]
CidrBlock: !Ref Subnet1Cidr
MapPublicIpOnLaunch: false
Tags:
- Key: Name
Value: Private AppStream Subnet

PrivateWorkspaceSubnet:
Type: AWS::EC2::Subnet
Condition: isAppStream
Properties:
VpcId: !Ref VPC
AvailabilityZone: !Select [ 0, !GetAZs '' ]
CidrBlock: !Ref Subnet2Cidr
MapPublicIpOnLaunch: false
Tags:
- Key: Name
Value: Private Workspace Subnet

PrivateWorkspaceRouteTable:
Type: 'AWS::EC2::RouteTable'
Condition: isAppStream
Properties:
VpcId: !Ref VPC

WorkspaceSubnetAssociationRouteTable:
Type: 'AWS::EC2::SubnetRouteTableAssociation'
Condition: isAppStream
Properties:
SubnetId: !Ref PrivateWorkspaceSubnet
RouteTableId: !Ref PrivateWorkspaceRouteTable

# https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpcendpoint.html
S3Endpoint:
Type: 'AWS::EC2::VPCEndpoint'
Condition: isAppStream
Properties:
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal: '*'
Action:
- 's3:GetObject'
- 's3:ListBucket'
- 's3:ListAllMyBuckets'
Resource:
- '*'
RouteTableIds:
- !Ref PrivateWorkspaceRouteTable
VpcEndpointType: Gateway
ServiceName: !Sub 'com.amazonaws.${AWS::Region}.s3'
VpcId: !Ref VPC

KMSEndpoint:
Type: 'AWS::EC2::VPCEndpoint'
Condition: isAppStream
Properties:
SubnetIds:
- !Ref PrivateWorkspaceSubnet
PrivateDnsEnabled: true
VpcEndpointType: Interface
ServiceName: !Sub 'com.amazonaws.${AWS::Region}.kms'
VpcId: !Ref VPC

STSEndpoint:
Type: 'AWS::EC2::VPCEndpoint'
Condition: isAppStream
Properties:
SubnetIds:
- !Ref PrivateWorkspaceSubnet
VpcEndpointType: Interface
PrivateDnsEnabled: true
ServiceName: !Sub 'com.amazonaws.${AWS::Region}.sts'
VpcId: !Ref VPC

EC2Endpoint:
Type: 'AWS::EC2::VPCEndpoint'
Condition: isAppStream
Properties:
SubnetIds:
- !Ref PrivateWorkspaceSubnet
VpcEndpointType: Interface
PrivateDnsEnabled: true
ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ec2'
VpcId: !Ref VPC

# https://docs.aws.amazon.com/sagemaker/latest/dg/notebook-interface-endpoint.html
SagemakerNotebookEndpoint:
Type: 'AWS::EC2::VPCEndpoint'
Condition: isAppStream
Properties:
SubnetIds:
- !Ref PrivateAppStreamSubnet
VpcEndpointType: Interface
PrivateDnsEnabled: true
ServiceName: !Sub 'aws.sagemaker.${AWS::Region}.notebook'
VpcId: !Ref VPC

Outputs:
CrossAccountEnvMgmtRoleArn:
Description: The arn of the cross account role for environment management using AWS Service Catalog
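Review bot: the S3Endpoint PolicyDocument (lines 185-197) allows `Principal: '*'` on `Resource: '*'`, so any credentials present in the private workspace subnet, including ones belonging to a foreign account, can read any S3 bucket through the endpoint; scope Resource to the study and data buckets this account is meant to reach, or add a `Condition` on `aws:PrincipalOrgID` (or `aws:PrincipalAccount`) so only principals from this organisation can use it. The policy is also read-only (no s3:PutObject), so confirm before merging that no workspace needs to write results back to a study bucket. Two more things in this hunk: the four interface endpoints (KMSEndpoint, STSEndpoint, EC2Endpoint, SagemakerNotebookEndpoint) set no SecurityGroupIds and therefore fall back to the VPC default security group; give them an explicit group that allows TCP 443 from Subnet1Cidr and Subnet2Cidr only. And PrivateAppStreamSubnet gets no route table or association of its own, so it uses the VPC main route table and is not attached to the S3 gateway endpoint (RouteTableIds lists only PrivateWorkspaceRouteTable); if instances in that subnet need S3, add its route table to RouteTableIds, otherwise a comment saying the AppStream subnet intentionally has no S3 path would help.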
Expand All @@ -423,8 +550,20 @@ Outputs:

VpcPublicSubnet1:
Description: A reference to the public subnet in the 1st Availability Zone
Condition: isNotAppStream
Value: !Ref PublicSubnet1

PrivateAppStreamSubnet:
Description: AppStream subnet
Condition: isAppStream
Value: !Ref PrivateAppStreamSubnet

PrivateWorkspaceSubnet:
Description: Workspace subnet
Condition: isAppStream
Value: !Ref PrivateWorkspaceSubnet

EncryptionKeyArn:
Description: KMS Encryption Key Arn
Value: !GetAtt [EncryptionKey, Arn]
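Review bot: VpcPublicSubnet1 (line 254) is now conditional, so anything in the central account that reads this output by name will find it missing when EnableAppStream is true; make sure the consumer handles the absence (for example by checking for the PrivateWorkspaceSubnet output instead) rather than failing on a missing key. Also the Description values of the two new outputs ("AppStream subnet", "Workspace subnet") are terser than the rest of the Outputs block; something like "A reference to the private subnet used by the AppStream fleet" matches the existing style.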