

# Isolated VPC used by the Amazon S3 Find and Forget solution.
# SAM template: the Transform line makes Globals.Function below apply to every
# AWS::Serverless::Function declared in this file.
AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Description: Amazon S3 Find and Forget VPC (uksb-1qjminsd5)
Globals:
  Function:
    # NOTE(review): python3.9 is an older Lambda runtime; check the Lambda
    # runtime deprecation schedule before deploying, and bump it together with
    # the CommonLayers layers, which must be built for the same runtime.
    Runtime: python3.9
    Timeout: 30
    # Layers shared by every function in this template (see Parameters).
    Layers: !Ref CommonLayers
Parameters:
  # Optional VPC Flow Logs destination. BOTH FlowLogsGroup and FlowLogsRoleArn
  # must be non-empty for the FlowLog resource to be created (see the
  # EnableFlowLogs condition); setting only one of them silently disables flow
  # logging rather than failing the deployment, so double-check both values.
  FlowLogsGroup:
    Type: String
    Default: ""
  FlowLogsRoleArn:
    Type: String
    Default: ""
  # Within this template the value is only used as an on/off switch for the
  # KMS interface endpoint (WithKMS condition); the individual ARNs are not
  # referenced here.
  KMSKeyArns:
    Description: Comma-delimited list of KMS Key Id Arns used for Client-side Encryption. Leave list empty if data is not encrypted with CSE-KMS
    Type: String
    Default: ""
  # One block per AZ. Only the first two are used in regions mapped as having
  # two AZs (see Mappings). NOTE(review): CommaDelimitedList parameters cannot
  # carry an AllowedPattern, so these blocks are not validated up front; they
  # must lie inside VpcIpBlock and not overlap, or subnet creation fails.
  PrivateSubnetIpBlocks:
    Description: Comma-delimited list of CIDR blocks for the private subnets
    Type: CommaDelimitedList
    Default: "10.0.0.0/22,10.0.4.0/22,10.0.8.0/22"
  # Dotted-quad CIDR with a /16 to /28 prefix (AWS VPC limits). Also used as the
  # source range of the security group's HTTPS ingress rule.
  VpcIpBlock:
    Description: CIDR block for the VPC
    Type: String
    Default: 10.0.0.0/16
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
  # Required (no default): Lambda layer ARNs applied via Globals.Function.
  CommonLayers:
    Type: CommaDelimitedList
Mappings:
  # Whether the region has at least three AZs for this template's purposes;
  # drives the HasThreeAZs condition and therefore the third subnet/route table.
  # NOTE(review): deploying in a region absent from this map fails at
  # FindInMap, and the per-region values need re-checking as AWS adds AZs.
  Regions:
    ap-northeast-1:
      HasThreeAZs: true
    ap-northeast-2:
      HasThreeAZs: true
    ap-south-1:
      HasThreeAZs: true
    ap-southeast-1:
      HasThreeAZs: true
    ap-southeast-2:
      HasThreeAZs: true
    ca-central-1:
      HasThreeAZs: true
    eu-central-1:
      HasThreeAZs: true
    eu-north-1:
      HasThreeAZs: true
    eu-west-1:
      HasThreeAZs: true
    eu-west-2:
      HasThreeAZs: true
    eu-west-3:
      HasThreeAZs: true
    sa-east-1:
      HasThreeAZs: true
    us-east-1:
      HasThreeAZs: true
    us-east-2:
      HasThreeAZs: true
    us-west-1:
      HasThreeAZs: false
    us-west-2:
      HasThreeAZs: true
    cn-north-1:
      HasThreeAZs: true
Conditions:
  # Third AZ resources (subnet, route table, associations) exist only here.
  HasThreeAZs: !Equals [!FindInMap [Regions, !Ref "AWS::Region", HasThreeAZs], true]
  # Flow logs require both the log group and the delivery role; a partial
  # configuration is treated as "off" rather than rejected.
  EnableFlowLogs: !And
    - !Not [!Equals [!Ref FlowLogsGroup, ""]]
    - !Not [!Equals [!Ref FlowLogsRoleArn, ""]]
  # Creates the KMS interface endpoint when CSE-KMS keys are in use.
  WithKMS: !Not [!Equals [!Ref KMSKeyArns, ""]]
  # China partition detection by region-name prefix ("cn-*"); switches the
  # interface endpoints to the custom-resource subnet/service lookup.
  # NOTE(review): KMSEndpointSubnets is gated on this alone, while KMSEndpoint
  # is gated on WithKMS; a combined condition (WithKMS AND ChinaRegion) would
  # avoid invoking the custom resource when no KMS endpoint is created.
  ChinaRegion: !Equals [!Select [0, !Split ["-", !Ref "AWS::Region"]], "cn"]
Resources:
  # Isolated VPC: this template defines no internet gateway, NAT gateway,
  # virtual private gateway or peering, so the private subnets have only the
  # local route plus the S3/DynamoDB gateway endpoints. Every other AWS service
  # the solution needs is reached through an interface endpoint declared below.
  # The absence of an internet route, not the permissive NACL, is what keeps
  # workload traffic inside AWS.
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      # Both DNS settings are needed for PrivateDnsEnabled interface endpoints
      # to take over the public service hostnames inside the VPC.
      EnableDnsSupport: true
      EnableDnsHostnames: true
      CidrBlock: !Ref VpcIpBlock
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName} VPC
  # VPC-wide flow logs for accepted and rejected traffic. Created only when both
  # FlowLogsGroup and FlowLogsRoleArn are supplied; the delivery role and log
  # group are managed outside this template.
  FlowLog:
    Type: AWS::EC2::FlowLog
    Condition: EnableFlowLogs
    Properties:
      DeliverLogsPermissionArn: !Ref FlowLogsRoleArn
      LogGroupName: !Ref FlowLogsGroup
      ResourceId: !Ref VPC
      ResourceType: VPC
      TrafficType: ALL
  # Network ACL for the private subnets: a single allow-all entry in each
  # direction. NACLs are stateless, and the S3/DynamoDB gateway endpoints answer
  # from AWS public address ranges rather than the VPC CIDR, so inbound return
  # traffic from 0.0.0.0/0 has to be permitted for those endpoints to work.
  # Per-flow filtering is therefore left to the stateful SecurityGroup below.
  PrivateNetworkAcl:
    Type: AWS::EC2::NetworkAcl
    Properties:
      VpcId: !Ref VPC
  PrivateNetworkAclEntryInAllowVPC:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref PrivateNetworkAcl
      RuleNumber: 99
      Protocol: -1
      RuleAction: allow
      Egress: false
      CidrBlock: 0.0.0.0/0
  PrivateNetworkAclEntryOutAllowVPC:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref PrivateNetworkAcl
      RuleNumber: 99
      Protocol: -1
      RuleAction: allow
      Egress: true
      CidrBlock: 0.0.0.0/0
  # One route table per subnet. No routes are added here; the only non-local
  # entries are the prefix-list routes that the S3Endpoint and DynamoEndpoint
  # gateway endpoints install into these tables.
  PrivateRouteTable1:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
  PrivateRouteTable2:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
  PrivateRouteTable3:
    Type: AWS::EC2::RouteTable
    Condition: HasThreeAZs
    Properties:
      VpcId: !Ref VPC
  PrivateRouteTableAssociation1:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnet1
      RouteTableId: !Ref PrivateRouteTable1
  PrivateRouteTableAssociation2:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnet2
      RouteTableId: !Ref PrivateRouteTable2
  PrivateRouteTableAssociation3:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Condition: HasThreeAZs
    Properties:
      SubnetId: !Ref PrivateSubnet3
      RouteTableId: !Ref PrivateRouteTable3
  # Private subnets, one per AZ in the order returned by GetAZs. No
  # MapPublicIpOnLaunch, so instances/ENIs never receive public addresses.
  PrivateSubnet1:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: !Select [0, !Ref PrivateSubnetIpBlocks]
      AvailabilityZone: !Select [0, !GetAZs '']
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName} Private Subnet 1
  PrivateSubnet2:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: !Select [1, !Ref PrivateSubnetIpBlocks]
      AvailabilityZone: !Select [1, !GetAZs '']
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName} Private Subnet 2
  PrivateSubnet3:
    Type: AWS::EC2::Subnet
    Condition: HasThreeAZs
    Properties:
      VpcId: !Ref VPC
      CidrBlock: !Select [2, !Ref PrivateSubnetIpBlocks]
      AvailabilityZone: !Select [2, !GetAZs '']
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName} Private Subnet 3
  # Explicit NACL associations so the subnets use PrivateNetworkAcl rather
  # than the VPC's default NACL.
  PrivateSubnetNetworkAclAssociation1:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      SubnetId: !Ref PrivateSubnet1
      NetworkAclId: !Ref PrivateNetworkAcl
  PrivateSubnetNetworkAclAssociation2:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      SubnetId: !Ref PrivateSubnet2
      NetworkAclId: !Ref PrivateNetworkAcl
  PrivateSubnetNetworkAclAssociation3:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Condition: HasThreeAZs
    Properties:
      SubnetId: !Ref PrivateSubnet3
      NetworkAclId: !Ref PrivateNetworkAcl
  # Single security group attached to every interface endpoint in this template
  # and exported (Outputs.SecurityGroup) for the consuming stack. Only TCP/443
  # is open in either direction.
  SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: !Ref AWS::StackName
      VpcId: !Ref VPC
      SecurityGroupEgress:
        # 0.0.0.0/0 rather than the VPC CIDR because the S3/DynamoDB gateway
        # endpoints are reached via AWS public prefix lists. With no internet
        # route in the VPC this cannot reach the internet, but it could be
        # tightened to VpcIpBlock plus the managed S3/DynamoDB prefix lists
        # (DestinationPrefixListId) if those IDs are made available here.
        - IpProtocol: tcp
          Description: Egress Rule for VPC Endpoints
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
      SecurityGroupIngress:
        # Endpoint ENIs accept HTTPS from any address in the VPC.
        # NOTE(review): if the consuming stack attaches this same group to its
        # compute, a self-referencing rule (a separate
        # AWS::EC2::SecurityGroupIngress with SourceSecurityGroupId, to avoid a
        # circular reference) would be tighter than the whole CIDR.
        - IpProtocol: tcp
          Description: Ingress Rule
          FromPort: 443
          ToPort: 443
          CidrIp: !Ref VpcIpBlock
  # Custom-resource Lambda used in China regions to find which of the private
  # subnets sit in an AZ where a given endpoint service is offered. Handler
  # source lives in ../backend/lambdas/custom_resources (outside this file).
  # IAM is read-only; the two ec2:Describe* actions do not support
  # resource-level permissions, so Resource '*' is the minimum grant.
  GetEndpointSubnetFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: get_vpce_subnets.handler
      CodeUri: ../backend/lambdas/custom_resources/
      Description: Custom Lambda resource for the Amazon S3 Find and Forget Cloudformation Stack
      Policies:
        - Statement:
            - Effect: Allow
              Action:
                - ec2:DescribeSubnets
                - ec2:DescribeVpcEndpointServices
              Resource: '*'
  # Endpoints
  # Interface endpoints all use PrivateDnsEnabled so the SDK's default service
  # hostnames resolve to the endpoint ENIs without any client configuration.
  # None of the endpoints sets a PolicyDocument, so each uses the default
  # full-access endpoint policy; the IAM policies of the callers are the only
  # restriction on what can be reached through them.
  # China pattern: the Custom::Setup resource receives the desired ServiceName,
  # SubnetIds and VpcEndpointType; the !If branches then assume the handler
  # returns a ServiceName attribute and sets the physical ID to a comma-joined
  # list of usable subnet IDs (verify against get_vpce_subnets.handler). The
  # GetAtt in the unselected !If branch is fine: the resource is only created
  # when ChinaRegion is true, and that is the branch that references it.
  CloudWatchEndpointSubnets:
    Type: Custom::Setup
    Condition: ChinaRegion
    Properties:
      ServiceToken: !GetAtt GetEndpointSubnetFunction.Arn
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.monitoring'
      SubnetIds:
        - !Ref PrivateSubnet1
        - !Ref PrivateSubnet2
        - !If [HasThreeAZs, !Ref PrivateSubnet3, !Ref 'AWS::NoValue']
      VpcEndpointType: Interface
  CloudWatchEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      PrivateDnsEnabled: true
      SecurityGroupIds: [!Ref SecurityGroup]
      ServiceName: !If
        - ChinaRegion
        - !GetAtt CloudWatchEndpointSubnets.ServiceName
        - !Sub 'com.amazonaws.${AWS::Region}.monitoring'
      SubnetIds: !If
        - ChinaRegion
        - !Split [',', !Ref CloudWatchEndpointSubnets]
        - - !Ref PrivateSubnet1
          - !Ref PrivateSubnet2
          - !If [HasThreeAZs, !Ref PrivateSubnet3, !Ref 'AWS::NoValue']
      VpcEndpointType: Interface
      VpcId: !Ref VPC
  # Same pattern as CloudWatchEndpointSubnets / CloudWatchEndpoint.
  CloudWatchLogsEndpointSubnets:
    Type: Custom::Setup
    Condition: ChinaRegion
    Properties:
      ServiceToken: !GetAtt GetEndpointSubnetFunction.Arn
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.logs'
      SubnetIds:
        - !Ref PrivateSubnet1
        - !Ref PrivateSubnet2
        - !If [HasThreeAZs, !Ref PrivateSubnet3, !Ref 'AWS::NoValue']
      VpcEndpointType: Interface
  CloudWatchLogsEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      PrivateDnsEnabled: true
      SecurityGroupIds: [!Ref SecurityGroup]
      ServiceName: !If
        - ChinaRegion
        - !GetAtt CloudWatchLogsEndpointSubnets.ServiceName
        - !Sub 'com.amazonaws.${AWS::Region}.logs'
      SubnetIds: !If
        - ChinaRegion
        - !Split [',', !Ref CloudWatchLogsEndpointSubnets]
        - - !Ref PrivateSubnet1
          - !Ref PrivateSubnet2
          - !If [HasThreeAZs, !Ref PrivateSubnet3, !Ref 'AWS::NoValue']
      VpcEndpointType: Interface
      VpcId: !Ref VPC
  # ECR needs both the registry (ecr.dkr) and API (ecr.api) endpoints for
  # image pulls; image layers themselves come through the S3 gateway endpoint.
  ECREndpointSubnets:
    Type: Custom::Setup
    Condition: ChinaRegion
    Properties:
      ServiceToken: !GetAtt GetEndpointSubnetFunction.Arn
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ecr.dkr'
      SubnetIds:
        - !Ref PrivateSubnet1
        - !Ref PrivateSubnet2
        - !If [HasThreeAZs, !Ref PrivateSubnet3, !Ref 'AWS::NoValue']
      VpcEndpointType: Interface
  ECREndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      PrivateDnsEnabled: true
      SecurityGroupIds: [!Ref SecurityGroup]
      ServiceName: !If
        - ChinaRegion
        - !GetAtt ECREndpointSubnets.ServiceName
        - !Sub 'com.amazonaws.${AWS::Region}.ecr.dkr'
      SubnetIds: !If
        - ChinaRegion
        - !Split [',', !Ref ECREndpointSubnets]
        - - !Ref PrivateSubnet1
          - !Ref PrivateSubnet2
          - !If [HasThreeAZs, !Ref PrivateSubnet3, !Ref 'AWS::NoValue']
      VpcEndpointType: Interface
      VpcId: !Ref VPC
  ECRAPIEndpointSubnets:
    Type: Custom::Setup
    Condition: ChinaRegion
    Properties:
      ServiceToken: !GetAtt GetEndpointSubnetFunction.Arn
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ecr.api'
      SubnetIds:
        - !Ref PrivateSubnet1
        - !Ref PrivateSubnet2
        - !If [HasThreeAZs, !Ref PrivateSubnet3, !Ref 'AWS::NoValue']
      VpcEndpointType: Interface
  ECRAPIEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      PrivateDnsEnabled: true
      SecurityGroupIds: [!Ref SecurityGroup]
      ServiceName: !If
        - ChinaRegion
        - !GetAtt ECRAPIEndpointSubnets.ServiceName
        - !Sub 'com.amazonaws.${AWS::Region}.ecr.api'
      SubnetIds: !If
        - ChinaRegion
        - !Split [',', !Ref ECRAPIEndpointSubnets]
        - - !Ref PrivateSubnet1
          - !Ref PrivateSubnet2
          - !If [HasThreeAZs, !Ref PrivateSubnet3, !Ref 'AWS::NoValue']
      VpcEndpointType: Interface
      VpcId: !Ref VPC
  # Gateway endpoint for S3 (route-table based, no ENI, no security group).
  # NOTE(review): with no PolicyDocument this endpoint allows access to any S3
  # bucket, including buckets in other accounts; a policy scoped to the buckets
  # this solution reads and writes would close that exfiltration path.
  S3Endpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      RouteTableIds:
        - !Ref PrivateRouteTable1
        - !Ref PrivateRouteTable2
        - !If [HasThreeAZs, !Ref PrivateRouteTable3, !Ref 'AWS::NoValue']
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.s3'
      VpcId: !Ref VPC
  SQSEndpointSubnets:
    Type: Custom::Setup
    Condition: ChinaRegion
    Properties:
      ServiceToken: !GetAtt GetEndpointSubnetFunction.Arn
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.sqs'
      SubnetIds:
        - !Ref PrivateSubnet1
        - !Ref PrivateSubnet2
        - !If [HasThreeAZs, !Ref PrivateSubnet3, !Ref 'AWS::NoValue']
      VpcEndpointType: Interface
  SQSEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      PrivateDnsEnabled: true
      SecurityGroupIds: [!Ref SecurityGroup]
      ServiceName: !If
        - ChinaRegion
        - !GetAtt SQSEndpointSubnets.ServiceName
        - !Sub 'com.amazonaws.${AWS::Region}.sqs'
      SubnetIds: !If
        - ChinaRegion
        - !Split [',', !Ref SQSEndpointSubnets]
        - - !Ref PrivateSubnet1
          - !Ref PrivateSubnet2
          - !If [HasThreeAZs, !Ref PrivateSubnet3, !Ref 'AWS::NoValue']
      VpcEndpointType: Interface
      VpcId: !Ref VPC
  # Gateway endpoint for DynamoDB; same default (unrestricted) endpoint policy
  # caveat as S3Endpoint.
  DynamoEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      RouteTableIds:
        - !Ref PrivateRouteTable1
        - !Ref PrivateRouteTable2
        - !If [HasThreeAZs, !Ref PrivateRouteTable3, !Ref 'AWS::NoValue']
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.dynamodb'
      VpcId: !Ref VPC
  STSEndpointSubnets:
    Type: Custom::Setup
    Condition: ChinaRegion
    Properties:
      ServiceToken: !GetAtt GetEndpointSubnetFunction.Arn
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.sts'
      SubnetIds:
        - !Ref PrivateSubnet1
        - !Ref PrivateSubnet2
        - !If [HasThreeAZs, !Ref PrivateSubnet3, !Ref 'AWS::NoValue']
      VpcEndpointType: Interface
  STSEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      PrivateDnsEnabled: true
      SecurityGroupIds: [!Ref SecurityGroup]
      ServiceName: !If
        - ChinaRegion
        - !GetAtt STSEndpointSubnets.ServiceName
        - !Sub 'com.amazonaws.${AWS::Region}.sts'
      SubnetIds: !If
        - ChinaRegion
        - !Split [',', !Ref STSEndpointSubnets]
        - - !Ref PrivateSubnet1
          - !Ref PrivateSubnet2
          - !If [HasThreeAZs, !Ref PrivateSubnet3, !Ref 'AWS::NoValue']
      VpcEndpointType: Interface
      VpcId: !Ref VPC
  # NOTE(review): gated on ChinaRegion only, whereas KMSEndpoint below is gated
  # on WithKMS, so in a China region this custom resource runs even when no KMS
  # endpoint is created. A combined (WithKMS AND ChinaRegion) condition would
  # avoid the needless invocation.
  KMSEndpointSubnets:
    Type: Custom::Setup
    Condition: ChinaRegion
    Properties:
      ServiceToken: !GetAtt GetEndpointSubnetFunction.Arn
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.kms'
      SubnetIds:
        - !Ref PrivateSubnet1
        - !Ref PrivateSubnet2
        - !If [HasThreeAZs, !Ref PrivateSubnet3, !Ref 'AWS::NoValue']
      VpcEndpointType: Interface
  # Only created when KMSKeyArns is non-empty (CSE-KMS in use); without it KMS
  # calls from the isolated subnets would have no path to the service.
  KMSEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Condition: WithKMS
    Properties:
      PrivateDnsEnabled: true
      SecurityGroupIds: [!Ref SecurityGroup]
      ServiceName: !If
        - ChinaRegion
        - !GetAtt KMSEndpointSubnets.ServiceName
        - !Sub 'com.amazonaws.${AWS::Region}.kms'
      SubnetIds: !If
        - ChinaRegion
        - !Split [',', !Ref KMSEndpointSubnets]
        - - !Ref PrivateSubnet1
          - !Ref PrivateSubnet2
          - !If [HasThreeAZs, !Ref PrivateSubnet3, !Ref 'AWS::NoValue']
      VpcEndpointType: Interface
      VpcId: !Ref VPC
Outputs:
  # Comma-joined private subnet IDs (two or three, per HasThreeAZs); presumably
  # consumed by the parent stack as a CommaDelimitedList.
  Subnets:
    Value: !If
      - HasThreeAZs
      - !Sub ${PrivateSubnet1},${PrivateSubnet2},${PrivateSubnet3}
      - !Sub ${PrivateSubnet1},${PrivateSubnet2}
  # The shared HTTPS-only endpoint security group (see SecurityGroup). Whatever
  # the consumer attaches it to inherits its 443-only egress.
  SecurityGroup:
    Value: !Ref SecurityGroup
Metadata:
  # Console parameter grouping only; no effect on deployment. KMSKeyArns and
  # CommonLayers are not listed here and so appear ungrouped in the console.
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: "Network Configuration"
        Parameters:
          - VpcIpBlock
          - PrivateSubnetIpBlocks
      - Label:
          default: "Optional Logging Configuration"
        Parameters:
          - FlowLogsGroup
          - FlowLogsRoleArn