AWS VPC CloudFormation template

Tommaso Doninelli - 26 Nov 2018


VPC Stack

This simple CloudFormation template can be used, with the great CFTPL, to bootstrap an AWS VPC.

Stuff to note:

  • IP addresses are enclosed in triple curly braces ({{{ }}}) so that the / is not escaped by cftpl

---
AWSTemplateFormatVersion: '2010-09-09'
Description: Default VPC
Metadata:
  aws:
    region: eu-central-1
    capabilities: CAPABILITY_IAM
    isTemplate: true
    template:
      name: "test-tdw-vpc"
      vpc:
        cidr: 172.21.0.0/16
        region: eu-central-1
        subnets:
          - id: 1
            zone: eu-central-1a
            cidr: 172.21.10.0/24
          - id: 2
            zone: eu-central-1b
            cidr: 172.21.11.0/24
          - id: 3
            zone: eu-central-1c
            cidr: 172.21.12.0/24


Resources:
  DefaultVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: {{{vpc.cidr}}}
      InstanceTenancy: default
      EnableDnsSupport: true
      EnableDnsHostnames: true

  #{{#vpc.subnets}}
  Subnet{{id}}:
    Type: AWS::EC2::Subnet
    Properties:
      CidrBlock: {{{cidr}}}
      AvailabilityZone: {{zone}}
      VpcId: !Ref DefaultVPC
  #{{/vpc.subnets}}

  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: stage
          Value: mah
  DHPCOptionsDev:
    Type: AWS::EC2::DHCPOptions
    Properties:
      DomainName: {{vpc.region}}.compute.internal
      DomainNameServers: [AmazonProvidedDNS]
  RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref DefaultVPC

  #{{#vpc.subnets}}
  subnetacl{{id}}:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      NetworkAclId: !Ref NetworkACL
      SubnetId: !Ref Subnet{{id}}
  #{{/vpc.subnets}}

  gw1:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref DefaultVPC
      InternetGatewayId: !Ref InternetGateway
  route1:
    Type: AWS::EC2::Route
    DependsOn: gw1
    Properties:
      DestinationCidrBlock: 0.0.0.0/0
      RouteTableId: !Ref RouteTable
      GatewayId: !Ref InternetGateway
  dchpassoc1:
    Type: AWS::EC2::VPCDHCPOptionsAssociation
    Properties:
      VpcId: !Ref DefaultVPC
      DhcpOptionsId: !Ref DHPCOptionsDev

  #{{#vpc.subnets}}
  rtbsubnet{{id}}:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTable
      SubnetId: !Ref Subnet{{id}}
  #{{/vpc.subnets}}


  ##############
  # NetworkACL #
  ##############
  NetworkACL:
    Type: AWS::EC2::NetworkAcl
    Properties:
      VpcId: !Ref DefaultVPC
  ACLIngressRandom:
    Type: AWS::EC2::NetworkAclEntry
    Metadata:
      Note: Allows all inbound TCP traffic (protocol 6 is TCP only)
    Properties:
      CidrBlock: 0.0.0.0/0
      Egress: 'false'
      Protocol: '6'
      RuleAction: allow
      RuleNumber: '60'
      PortRange:
        From: '0'
        To: '65535'
      NetworkAclId:
        Ref: NetworkACL
  ACLOutboundAny:
    Type: AWS::EC2::NetworkAclEntry
    Metadata:
      Note: Allows all outbound TCP traffic (protocol 6 is TCP only)
    Properties:
      CidrBlock: 0.0.0.0/0
      Egress: 'true'
      Protocol: '6'
      RuleAction: allow
      RuleNumber: '50'
      PortRange:
        From: '0'
        To: '65535'
      NetworkAclId:
        Ref: NetworkACL

  ##################
  # Security Group #
  ##################
  ManagementSgroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Default rules that lock down everything not really required
      VpcId:
        Ref: DefaultVPC
  ManagementSgroupSSH:
    Type: AWS::EC2::SecurityGroupIngress
    Metadata:
      Note: Allows SSH from a specific host only
    Properties:
      GroupId: !Ref ManagementSgroup
      IpProtocol: tcp
      FromPort: 22
      ToPort: 22
      CidrIp: 1.2.3.4/32


Outputs:
  #{{#vpc.subnets}}
  OutputSubnet{{id}}:
    Description: Subnet {{zone}}
    Value: !Ref Subnet{{id}}
    Export:
      Name: !Join [":", [!Ref "AWS::StackName", "subnet-{{zone}}"]]
  #{{/vpc.subnets}}
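To see what cftpl's mustache pass does with the Metadata block above, here is a small added Python example (not part of this post or of cftpl) that implements just the three tag forms the template uses: {{var}} with HTML escaping, {{{var}}} verbatim, and {{#list}}...{{/list}} sections. The escape table is an assumption modelled on mustache.js, which is exactly where the / of a CIDR would turn into &#x2F; if the triple braces were forgotten.

```python
import re

# Escape table assumed to match mustache.js; "/" is in it, hence {{{ }}} for CIDRs.
ESCAPES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;",
           "'": "&#39;", "/": "&#x2F;", "`": "&#x60;", "=": "&#x3D;"}
# group 1: {{{name}}}; groups 2 and 3: {{#name}}, {{/name}} or {{name}}
TAG = re.compile(r"\{\{\{\s*([\w.]+)\s*\}\}\}|\{\{\s*([#/]?)\s*([\w.]+)\s*\}\}")

def lookup(stack, name):  # resolve a dotted name such as vpc.cidr, innermost first
    for ctx in reversed(stack):
        for part in name.split("."):
            ctx = ctx.get(part) if isinstance(ctx, dict) else None
        if ctx is not None:
            return ctx
    return ""

def render(template, stack):  # stack: list of contexts, outermost first
    out, pos = [], 0
    while (m := TAG.search(template, pos)) is not None:
        out.append(template[pos:m.start()])
        if m.group(1):                                  # {{{var}}}: verbatim
            out.append(str(lookup(stack, m.group(1))))
            pos = m.end()
        elif m.group(2) == "#":                         # {{#list}} ... {{/list}}
            name = m.group(3)
            end = re.compile(r"\{\{\s*/\s*%s\s*\}\}" % re.escape(name)).search(template, m.end())
            items = lookup(stack, name)
            items = items if isinstance(items, list) else ([items] if items else [])
            out.extend(render(template[m.end():end.start()], stack + [it]) for it in items)
            pos = end.end()
        else:                                           # {{var}}: HTML-escaped
            out.append("".join(ESCAPES.get(c, c) for c in str(lookup(stack, m.group(3)))))
            pos = m.end()
    return "".join(out) + template[pos:]

# Constructed from the Metadata.template block of the template above.
SPEC = {"vpc": {"cidr": "172.21.0.0/16", "region": "eu-central-1", "subnets": [
    {"id": 1, "zone": "eu-central-1a", "cidr": "172.21.10.0/24"},
    {"id": 2, "zone": "eu-central-1b", "cidr": "172.21.11.0/24"},
    {"id": 3, "zone": "eu-central-1c", "cidr": "172.21.12.0/24"}]}}
SUBNETS = """  #{{#vpc.subnets}}
  Subnet{{id}}:
    Properties:
      CidrBlock: {{{cidr}}}
      AvailabilityZone: {{zone}}
  #{{/vpc.subnets}}"""

if __name__ == "__main__":
    print(render("CidrBlock: {{vpc.cidr}}", [SPEC]))  # 172.21.0.0&#x2F;16: the escaping bug
    print(render(SUBNETS, [SPEC]))                     # three Subnet resources, CIDRs intact
```

Rendering the real template is the same call with the full Metadata.template dictionary as the single context.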
  

CEO @ Hakuna Cloud

10 years as CTO, former Software Engineer at Amazon AWS, Cloud Solution Architect with projects in the US, Europe and the United Arab Emirates.

"I am a DevOps and automation advocate; you can test, deploy, analyze and improve even your grandma's recipes."