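AWSTemplateFormatVersion: "2010-09-09"
Description: Global accelerator to TCP proxy in any region
Parameters:
  CIDR:
    # Used for both the VPC and its single public subnet (see Resources).
    Description: Subnet IP range
    Type: String
    Default: 10.0.0.0/28
  ClientIP:
    # Expanded to ${ClientIP}/32 in the client security group and network ACL
    # entry; the pattern rejects anything that is not a bare IPv4 address at
    # parameter validation instead of when those resources are created.
    Description: Client IP
    Type: String
    AllowedPattern: '^(\d{1,3}\.){3}\d{1,3}$'
    ConstraintDescription: must be a single IPv4 address without a prefix length
  InstanceType:
    Description: EC2 instance type
    Type: String
    Default: t2.micro
  ProxyPort:
    # Exposed on the accelerator listener and health-checked on the instance.
    Description: Proxy port
    Type: Number
    MinValue: 1
    MaxValue: 65535
  ProxyStatsPassword:
    # NoEcho masks the value in the console and in DescribeStacks parameter
    # listings; it does NOT mask the Outputs section or resource Metadata,
    # both of which reference this value elsewhere in the template.
    Description: Password to log in proxy stats
    Type: String
    NoEcho: true
  ProxyStatsPort:
    Description: Proxy Stats port
    Type: Number
    Default: 8404
    MinValue: 1
    MaxValue: 65535
  ProxyStatsUsername:
    Description: Username to log in proxy stats
    Type: String
    Default: admin
  ServerDomain:
    # Upstream that haproxy forwards to; resolved by haproxy at startup.
    Description: Server domain
    Type: String
  ServerPort:
    Description: Server port
    Type: Number
    MinValue: 1
    MaxValue: 65535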
Mappings:
  # Region -> Ubuntu 20.04 LTS AMI id, selected with !FindInMap on AWS::Region
  # by the Instance resource. This is a static snapshot: the ids do not follow
  # Canonical's image refreshes (an AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
  # parameter would), and a region missing from this table cannot deploy the stack.
  AMI:
    ap-northeast-1:
      Ubuntu2004LTS: ami-02a56e430b32bc0ba
    ap-northeast-2:
      Ubuntu2004LTS: ami-0cceb8e71553d73f0
    ap-northeast-3:
      Ubuntu2004LTS: ami-0c2a318a1451b5e04
    ap-south-1:
      Ubuntu2004LTS: ami-01ad2fc4607cc742e
    ap-southeast-1:
      Ubuntu2004LTS: ami-072466d111bc68d81
    ap-southeast-2:
      Ubuntu2004LTS: ami-0606a3915440b2b72
    ca-central-1:
      Ubuntu2004LTS: ami-07e39d7bd85085b96
    eu-central-1:
      Ubuntu2004LTS: ami-0afc0414aefc9eaa7
    eu-north-1:
      Ubuntu2004LTS: ami-0aacae1c06b3c30a0
    eu-west-1:
      Ubuntu2004LTS: ami-0c1aea1d6f3bdd76b
    eu-west-2:
      Ubuntu2004LTS: ami-00f314baca4922fe3
    eu-west-3:
      Ubuntu2004LTS: ami-021a18be6333356c7
    sa-east-1:
      Ubuntu2004LTS: ami-0a62c6929da4659cb
    us-east-1:
      Ubuntu2004LTS: ami-089b5711e63812c2a
    us-east-2:
      Ubuntu2004LTS: ami-0ac4906b9504bec77
    us-west-1:
      Ubuntu2004LTS: ami-04b8a53b12fd66ba7
    us-west-2:
      Ubuntu2004LTS: ami-0f6970790b38613ef
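Resources:
  # ---- Networking: one public subnet covering the whole VPC CIDR ----------
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: !Ref CIDR
      Tags:
        - Key: Application
          Value: !Ref AWS::StackName
        - Key: Name
          Value: !Sub ${AWS::StackName}-VPC
  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Application
          Value: !Ref AWS::StackName
        - Key: Name
          Value: !Sub ${AWS::StackName}-InternetGateway
  VPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref InternetGateway
  PublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      # Same CIDR as the VPC: there is exactly one subnet, and it is public.
      CidrBlock: !Ref CIDR
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Application
          Value: !Ref AWS::StackName
        - Key: Name
          Value: !Sub ${AWS::StackName}-PublicSubnet
  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Application
          Value: !Ref AWS::StackName
        - Key: Name
          Value: !Sub ${AWS::StackName}-PublicRouteTable
  PublicRoute:
    Type: AWS::EC2::Route
    # A route to the gateway is only valid once the gateway is attached.
    DependsOn: VPCGatewayAttachment
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
  PublicSubnetRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet
      RouteTableId: !Ref PublicRouteTable

  # ---- Network ACL --------------------------------------------------------
  # NACLs are stateless, so rule 200 must admit inbound 1024-65535 from
  # anywhere for return traffic. With the default ProxyStatsPort (8404) in that
  # range, rule 100 is not what limits the stats port to ClientIP: the
  # ClientSecurityGroup below is. Treat the ACL as coarse defence in depth only.
  PublicNetworkAcl:
    Type: AWS::EC2::NetworkAcl
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Application
          Value: !Ref AWS::StackName
        - Key: Name
          Value: !Sub ${AWS::StackName}-PublicNetworkAcl
  InboundClientStatsNetworkAclEntry:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref PublicNetworkAcl
      RuleNumber: 100
      Protocol: 6
      Egress: false
      RuleAction: allow
      PortRange:
        From: !Ref ProxyStatsPort
        To: !Ref ProxyStatsPort
      CidrBlock: !Sub ${ClientIP}/32
  InboundClientProxyNetworkAclEntry:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref PublicNetworkAcl
      RuleNumber: 110
      Protocol: 6
      Egress: false
      RuleAction: allow
      PortRange:
        From: !Ref ProxyPort
        To: !Ref ProxyPort
      # Any source; narrowing to health checkers and ClientIP is done in the
      # security groups.
      CidrBlock: 0.0.0.0/0
  InboundEphemeralPortsNetworkAclEntry:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref PublicNetworkAcl
      RuleNumber: 200
      Protocol: 6
      Egress: false
      RuleAction: allow
      PortRange:
        From: 1024
        To: 65535
      CidrBlock: 0.0.0.0/0
  OutboundPublicNetworkAclEntry:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref PublicNetworkAcl
      RuleNumber: 100
      Protocol: -1
      Egress: true
      RuleAction: allow
      PortRange:
        From: 0
        To: 65535
      CidrBlock: 0.0.0.0/0
  PublicSubnetNetworkAclAssociation:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      SubnetId: !Ref PublicSubnet
      NetworkAclId: !Ref PublicNetworkAcl

  # ---- Instance identity --------------------------------------------------
  # No security group opens port 22, so Systems Manager (granted by this
  # managed policy) is the only administrative path to the instance.
  InstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      InstanceProfileName: !Sub ${AWS::StackName}-InstanceProfile
      Roles:
        - !Ref InstanceRole

  # ---- Security groups ----------------------------------------------------
  # Static snapshot of the Route 53 health checker ranges (service
  # ROUTE53_HEALTHCHECKS in AWS ip-ranges.json). Global Accelerator health
  # checks against the EC2 endpoint are expected to originate from these
  # ranges -- confirm against current AWS documentation, and refresh the list
  # when AWS publishes changes; a stale list shows up as a failing endpoint.
  # The port matches GlobalAcceleratorEndpoint.HealthCheckPort.
  Route53HealthCheckersSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: !Sub ${AWS::StackName}-Route53HealthCheckersSecurityGroup
      GroupDescription: Route53 health checker IPs
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - Description: GLOBAL
          IpProtocol: tcp
          FromPort: !Ref ProxyPort
          ToPort: !Ref ProxyPort
          CidrIp: 15.177.0.0/18
        - Description: cn-north-1
          IpProtocol: tcp
          FromPort: !Ref ProxyPort
          ToPort: !Ref ProxyPort
          CidrIp: 52.80.197.0/25
        - Description: cn-north-1
          IpProtocol: tcp
          FromPort: !Ref ProxyPort
          ToPort: !Ref ProxyPort
          CidrIp: 52.80.197.128/25
        - Description: cn-north-1
          IpProtocol: tcp
          FromPort: !Ref ProxyPort
          ToPort: !Ref ProxyPort
          CidrIp: 52.80.198.0/25
        - Description: cn-northwest-1
          IpProtocol: tcp
          FromPort: !Ref ProxyPort
          ToPort: !Ref ProxyPort
          CidrIp: 52.83.34.128/25
        - Description: cn-northwest-1
          IpProtocol: tcp
          FromPort: !Ref ProxyPort
          ToPort: !Ref ProxyPort
          CidrIp: 52.83.35.0/25
        - Description: cn-northwest-1
          IpProtocol: tcp
          FromPort: !Ref ProxyPort
          ToPort: !Ref ProxyPort
          CidrIp: 52.83.35.128/25
        - Description: ap-northeast-1
          IpProtocol: tcp
          FromPort: !Ref ProxyPort
          ToPort: !Ref ProxyPort
          CidrIp: 54.248.220.0/26
        - Description: ap-northeast-1
          IpProtocol: tcp
          FromPort: !Ref ProxyPort
          ToPort: !Ref ProxyPort
          CidrIp: 54.250.253.192/26
        - Description: ap-southeast-1
          IpProtocol: tcp
          FromPort: !Ref ProxyPort
          ToPort: !Ref ProxyPort
          CidrIp: 54.251.31.128/26
        - Description: ap-southeast-1
          IpProtocol: tcp
          FromPort: !Ref ProxyPort
          ToPort: !Ref ProxyPort
          CidrIp: 54.255.254.192/26
        - Description: ap-southeast-2
          IpProtocol: tcp
          FromPort: !Ref ProxyPort
          ToPort: !Ref ProxyPort
          CidrIp: 54.252.254.192/26
        - Description: ap-southeast-2
          IpProtocol: tcp
          FromPort: !Ref ProxyPort
          ToPort: !Ref ProxyPort
          CidrIp: 54.252.79.128/26
        - Description: eu-west-1
          IpProtocol: tcp
          FromPort: !Ref ProxyPort
          ToPort: !Ref ProxyPort
          CidrIp: 176.34.159.192/26
        - Description: eu-west-1
          IpProtocol: tcp
          FromPort: !Ref ProxyPort
          ToPort: !Ref ProxyPort
          CidrIp: 54.228.16.0/26
        - Description: sa-east-1
          IpProtocol: tcp
          FromPort: !Ref ProxyPort
          ToPort: !Ref ProxyPort
          CidrIp: 177.71.207.128/26
        - Description: sa-east-1
          IpProtocol: tcp
          FromPort: !Ref ProxyPort
          ToPort: !Ref ProxyPort
          CidrIp: 54.232.40.64/26
        - Description: us-east-1
          IpProtocol: tcp
          FromPort: !Ref ProxyPort
          ToPort: !Ref ProxyPort
          CidrIp: 107.23.255.0/26
        - Description: us-east-1
          IpProtocol: tcp
          FromPort: !Ref ProxyPort
          ToPort: !Ref ProxyPort
          CidrIp: 54.243.31.192/26
        - Description: us-west-1
          IpProtocol: tcp
          FromPort: !Ref ProxyPort
          ToPort: !Ref ProxyPort
          CidrIp: 54.183.255.128/26
        - Description: us-west-1
          IpProtocol: tcp
          FromPort: !Ref ProxyPort
          ToPort: !Ref ProxyPort
          CidrIp: 54.241.32.64/26
        - Description: us-west-2
          IpProtocol: tcp
          FromPort: !Ref ProxyPort
          ToPort: !Ref ProxyPort
          CidrIp: 54.244.52.192/26
        - Description: us-west-2
          IpProtocol: tcp
          FromPort: !Ref ProxyPort
          ToPort: !Ref ProxyPort
          CidrIp: 54.245.168.0/26
      Tags:
        - Key: Application
          Value: !Ref AWS::StackName
        - Key: Name
          Value: !Sub ${AWS::StackName}-Route53HealthCheckersSecurityGroup
  # Only ClientIP may reach the proxy and the stats page. NOTE(review): this
  # filter is meaningful only if the accelerator delivers packets to the
  # instance with the original client source address (client IP preservation
  # for the EC2 endpoint) -- confirm the endpoint setting.
  ClientSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: !Sub ${AWS::StackName}-ClientSecurityGroup
      GroupDescription: Client IP
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - Description: Proxy
          IpProtocol: tcp
          FromPort: !Ref ProxyPort
          ToPort: !Ref ProxyPort
          CidrIp: !Sub ${ClientIP}/32
        - Description: Stats
          IpProtocol: tcp
          FromPort: !Ref ProxyStatsPort
          ToPort: !Ref ProxyStatsPort
          CidrIp: !Sub ${ClientIP}/32

  # ---- Proxy instance -----------------------------------------------------
  Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !FindInMap [ AMI, !Ref AWS::Region, Ubuntu2004LTS ]
      InstanceType: !Ref InstanceType
      IamInstanceProfile: !Ref InstanceProfile
      SubnetId: !Ref PublicSubnet
      SecurityGroupIds:
        - !GetAtt ClientSecurityGroup.GroupId
        - !GetAtt Route53HealthCheckersSecurityGroup.GroupId
      # Bootstraps the cfn helpers, runs cfn-init (see Metadata) and reports
      # the result to the CreationPolicy below. The script carries no secrets,
      # so the -x trace in cloud-init's log is harmless.
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash -xe
          apt-get --yes update
          apt-get --yes upgrade
          # Fetched over HTTPS but not verified against a published checksum.
          wget https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-py3-latest.tar.gz
          mkdir -p /opt/aws/bin
          python3 -m easy_install --script-dir /opt/aws/bin aws-cfn-bootstrap-py3-latest.tar.gz
          # Capture cfn-init's status instead of letting -e abort the script:
          # a failed cfn-init must still reach cfn-signal, otherwise the stack
          # only fails once the CreationPolicy timeout expires.
          rc=0
          /opt/aws/bin/cfn-init --verbose --region ${AWS::Region} --stack ${AWS::StackName} --resource Instance || rc=$?
          /opt/aws/bin/cfn-signal --exit-code $rc --region ${AWS::Region} --stack ${AWS::StackName} --resource Instance
      Tags:
        - Key: Application
          Value: !Ref AWS::StackName
        - Key: Name
          Value: !Sub ${AWS::StackName}-Instance
    # Stack creation blocks until one cfn-signal arrives or 15 minutes pass.
    CreationPolicy:
      ResourceSignal:
        Count: 1
        Timeout: PT15M
    Metadata:
      AWS::CloudFormation::Init:
        config:
          # cfn-init writes "files" before it runs "commands", so haproxy.cfg
          # already exists when the haproxy package installs; the dpkg options
          # make it keep that file rather than the packaged default.
          commands:
            01_enable_cfn_hup:
              command: systemctl enable cfn-hup.service
            02_start_cfn_hup:
              command: systemctl start cfn-hup.service
            03_install_haproxy:
              # --force-yes was dropped: it is deprecated and, on older apt
              # releases, also waived package authentication. --yes plus the
              # Dpkg::Options are sufficient for a non-interactive install.
              command: apt-get --yes -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" install haproxy
          files:
            /etc/cfn/cfn-hup.conf:
              # Only [main] is configured and no hook files are written, so
              # cfn-hup polls but never re-applies changed Metadata on update.
              content: !Sub |
                [main]
                stack=${AWS::StackId}
                region=${AWS::Region}
                interval=1
              mode: '000400'
              owner: root
              group: root
            /lib/systemd/system/cfn-hup.service:
              content: !Sub |
                [Unit]
                Description=cfn-hup daemon
                [Service]
                Type=simple
                ExecStart=/opt/aws/bin/cfn-hup
                Restart=always
                [Install]
                WantedBy=multi-user.target
            /etc/haproxy/haproxy.cfg:
              # Holds the stats credentials in clear text, so it is written
              # root-only instead of cfn-init's 0644 default. systemd starts
              # haproxy as root, which reads the file before the user/group
              # switch in "global" -- TODO confirm reload still works with this
              # mode on the target haproxy package.
              content: !Sub |
                global
                  log stdout format raw local0 info
                  # Drop root after startup; without these haproxy keeps running as root.
                  user haproxy
                  group haproxy
                defaults
                  mode tcp
                  timeout client 10s
                  timeout connect 5s
                  timeout server 10s
                  log global
                # Stats page: HTTP basic auth over plain HTTP, reachable from
                # ClientIP only (ClientSecurityGroup) via the accelerator.
                frontend stats
                  mode http
                  bind *:${ProxyStatsPort}
                  stats auth ${ProxyStatsUsername}:${ProxyStatsPassword}
                  stats enable
                  stats uri /
                  stats refresh 10s
                frontend my_frontend
                  bind :${ProxyPort}
                  default_backend my_backend
                backend my_backend
                  server my_server ${ServerDomain}:${ServerPort} check
              mode: '000600'
              owner: root
              group: root

  # ---- Global Accelerator -------------------------------------------------
  GlobalAccelerator:
    Type: AWS::GlobalAccelerator::Accelerator
    Properties:
      Name: !Sub ${AWS::StackName}-GlobalAccelerator
      Tags:
        - Key: Application
          Value: !Ref AWS::StackName
        - Key: Name
          Value: !Sub ${AWS::StackName}-GlobalAccelerator
  # Both the proxy port and the stats port are published on the accelerator's
  # public DNS name; the stats port is filtered only at the instance.
  GlobalAcceleratorListener:
    Type: AWS::GlobalAccelerator::Listener
    Properties:
      AcceleratorArn: !Ref GlobalAccelerator
      Protocol: TCP
      PortRanges:
        - FromPort: !Ref ProxyPort
          ToPort: !Ref ProxyPort
        - FromPort: !Ref ProxyStatsPort
          ToPort: !Ref ProxyStatsPort
  GlobalAcceleratorEndpoint:
    Type: AWS::GlobalAccelerator::EndpointGroup
    Properties:
      ListenerArn: !Ref GlobalAcceleratorListener
      EndpointGroupRegion: !Ref AWS::Region
      EndpointConfigurations:
        - EndpointId: !Ref Instance
      # TCP connect check on the proxy port, admitted by the health checker
      # security group above.
      HealthCheckProtocol: TCP
      HealthCheckPort: !Ref ProxyPort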
Outputs:
  # Connection details. Everything here is readable by any principal allowed
  # cloudformation:DescribeStacks; Outputs are never masked by NoEcho.
  Proxy:
    Description: Domain:Port to proxy
    Value: !Sub ${GlobalAccelerator.DnsName}:${ProxyPort}
  ProxyStats:
    Description: Domain:Port to proxy stats
    Value: !Sub ${GlobalAccelerator.DnsName}:${ProxyStatsPort}
  ProxyStatsUsername:
    Description: Username to log in proxy stats
    Value: !Ref ProxyStatsUsername
  ProxyStatsPassword:
    # Echoes a secret into stack outputs; consider removing this output and
    # distributing the password out of band instead.
    Description: Password to log in proxy stats
    Value: !Ref ProxyStatsPassword
  ProxyInstanceId:
    Description: InstanceId of the newly created EC2 instance
    Value: !Ref Instance