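# Quoted so generic YAML parsers keep the version as a string instead of a date.
AWSTemplateFormatVersion: "2010-09-09"

# Private Amazon Linux EC2 instance in an isolated VPC (no internet gateway),
# managed through SSM Session Manager via VPC interface endpoints.

Parameters:
  # EnvironmentName:
  #   Type: String
  #   Default: test-environment

  # Chooses the address plan from Mappings only; the deployment region itself
  # comes from where the stack is created (AWS::Region).
  SelectRegion:
    Type: String
    Default: TokyoRegion
    AllowedValues:
      - TokyoRegion
      - OsakaRegion

  # Name of an existing EC2 key pair. AWS-specific parameter types are validated
  # against the account when the stack is created, so an empty default ("")
  # fails validation before any resource is built; the value is therefore
  # required here. With Session Manager a key pair is usually unnecessary and
  # could be made optional (Type: String + a Condition and AWS::NoValue).
  KeyPair:
    Type: AWS::EC2::KeyPair::KeyName

  # Resolved from SSM Parameter Store at deploy time, so the AMI id is never
  # hard-coded in the template.
  LinuxLatestAmi:
    Type: AWS::SSM::Parameter::Value<String>
    Default: "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2"

  InstanceType:
    Type: String
    Default: "t2.micro"
    AllowedValues:
      - t2.nano
      - t2.micro
      - t2.small
      - t2.medium
      - t2.large
      - t2.xlarge
      - t2.2xlarge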
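Mappings:
  # Address plan keyed by the SelectRegion parameter. The subnet CIDR must be a
  # proper sub-range of the VPC CIDR: the original /24-style prefix written as
  # /16 (10.0.1.0/16) either consumes the entire VPC or is rejected as a
  # malformed CIDR, so the subnets are /24.
  TokyoRegion:
    VPC:
      VPCCidrBlock: 10.0.0.0/16
    Subnet:
      PrivateSubnet: 10.0.1.0/24
  OsakaRegion:
    VPC:
      VPCCidrBlock: 192.168.0.0/16
    Subnet:
      PrivateSubnet: 192.168.1.0/24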
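Resources:
  # Isolated VPC: no internet gateway or NAT is defined, so the instance can
  # only reach AWS services through the interface endpoints below.
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: !FindInMap [!Ref SelectRegion, VPC, VPCCidrBlock]
      # Both DNS settings must be enabled for PrivateDnsEnabled on the
      # interface endpoints to resolve the regional SSM hostnames privately.
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-${SelectRegion}-VPC"

  Subnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: !FindInMap [!Ref SelectRegion, Subnet, PrivateSubnet]
      # Private subnet: no public IP is assigned at launch.
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-${SelectRegion}-Subnet"

  EC2Linux:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref LinuxLatestAmi
      InstanceType: !Ref InstanceType
      # !Ref on an InstanceProfile yields its name, which is what this expects.
      IamInstanceProfile: !Ref InstanceProfile
      KeyName: !Ref KeyPair
      SubnetId: !Ref Subnet
      SecurityGroupIds:
        - !GetAtt EC2LinuxSecurityGroup.GroupId
      # NOTE(review): requiring IMDSv2 (MetadataOptions.HttpTokens: required) is
      # not a property of AWS::EC2::Instance; it needs a LaunchTemplate.
      # Consider adding one, and BlockDeviceMappings with Encrypted: true.
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-${SelectRegion}-EC2Linux"

  EC2LinuxSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      # GroupDescription is kept as-is: changing it replaces the security group.
      GroupDescription: SGlinux
      VpcId: !Ref VPC
      # No inbound rules at all (access is via Session Manager only).
      # Outbound is left open; with no internet gateway the only reachable
      # destinations are inside the VPC, including the interface endpoints.
      SecurityGroupEgress:
        - IpProtocol: "-1"
          CidrIp: 0.0.0.0/0
          Description: All outbound (VPC-internal only; no IGW/NAT exists)
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-${SelectRegion}-EC2LinuxSecurityGroup"

  # Instance role for SSM. AmazonSSMManagedInstanceCore is the policy AWS
  # recommends for Session Manager; it replaces the broader, legacy
  # AmazonEC2RoleforSSM (which also granted S3 and CloudWatch Logs access the
  # instance does not need here). Add a scoped policy if session logging to
  # S3/CloudWatch is later required.
  EC2Role:
    Type: AWS::IAM::Role
    Properties:
      Path: /
      # Fixed name: the stack cannot be deployed twice in one account/region
      # without changing it, and IAM limits role names to 64 characters.
      RoleName: !Sub "${AWS::StackName}-EC2Role"
      AssumeRolePolicyDocument:
        # Quoted so the policy version is not parsed as a YAML date.
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      MaxSessionDuration: 3600
      ManagedPolicyArns:
        # AWS::Partition keeps the ARN valid outside the commercial partition.
        - !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore"

  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: /
      Roles:
        - !Ref EC2Role

  # --------------------------------------------------------------------------------------------
  # SSM interface endpoints
  # --------------------------------------------------------------------------------------------

  # Security group attached to the endpoint ENIs. Inbound HTTPS is limited to
  # the VPC CIDR instead of 0.0.0.0/0: the ENIs live inside the VPC, so only
  # VPC-internal sources (the instance) should ever reach them.
  SSMSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      # GroupDescription is kept as-is: changing it replaces the security group.
      GroupDescription: SGlinux
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: !FindInMap [!Ref SelectRegion, VPC, VPCCidrBlock]
          Description: HTTPS from inside the VPC to the SSM endpoints
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-${SelectRegion}-SSMSecurityGroup"

  # Session Manager needs all three endpoints: ssm, ec2messages, ssmmessages.
  # ------------------------------------------------------------#
  # ssm endpoint
  # ------------------------------------------------------------#
  ssmEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      ServiceName: !Sub "com.amazonaws.${AWS::Region}.ssm"
      SubnetIds:
        - !Ref Subnet
      VpcId: !Ref VPC
      VpcEndpointType: Interface
      SecurityGroupIds:
        - !Ref SSMSecurityGroup
      PrivateDnsEnabled: true
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-${SelectRegion}-ssmEndpoint"

  # ------------------------------------------------------------#
  # ec2messages endpoint
  # ------------------------------------------------------------#
  EC2MessageEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      ServiceName: !Sub "com.amazonaws.${AWS::Region}.ec2messages"
      SubnetIds:
        - !Ref Subnet
      VpcId: !Ref VPC
      VpcEndpointType: Interface
      SecurityGroupIds:
        - !Ref SSMSecurityGroup
      PrivateDnsEnabled: true
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-${SelectRegion}-EC2MessageEndpoint"

  # ------------------------------------------------------------#
  # ssmmessages endpoint
  # ------------------------------------------------------------#
  ssmmessagesEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      ServiceName: !Sub "com.amazonaws.${AWS::Region}.ssmmessages"
      SubnetIds:
        - !Ref Subnet
      VpcId: !Ref VPC
      VpcEndpointType: Interface
      SecurityGroupIds:
        - !Ref SSMSecurityGroup
      PrivateDnsEnabled: true
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-${SelectRegion}-ssmmessagesEndpoint"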