へっぽこエンジニアの覚え書き

主に、バッチとTeraTermマクロのことについて書きます。

CloudFormationでSSMしたい

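# Quoted so YAML 1.1 loaders (PyYAML and similar) keep the value as a string
# instead of turning it into a date object; CloudFormation accepts both forms.
AWSTemplateFormatVersion: "2010-09-09"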
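Parameters:
#  EnvironmentName:
#    Type: String
#    Default: test-environment
  # Picks the address plan from the Mappings section. This does not choose the
  # deployment region itself (that is AWS::Region); it only drives CIDRs and names.
  SelectRegion:
    Type: String
    Default: TokyoRegion
    AllowedValues:
      - TokyoRegion
      - OsakaRegion
  # NOTE(review): "" is not the name of an existing key pair, so stack creation
  # fails unless a real key pair is supplied. Session Manager does not need one,
  # so making this optional (a Condition plus !If on KeyName) is worth considering.
  KeyPair:
    Type: AWS::EC2::KeyPair::KeyName
    Default: ""
  # Resolved by CloudFormation from the public SSM parameter store when the
  # stack is created or updated, so the current Amazon Linux 2 AMI is used.
  LinuxLatestAmi:
    Type: AWS::SSM::Parameter::Value<String>
    Default: "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2"
  InstanceType:
    Type: String
    # Block style instead of one long flow list, for line length and diffability.
    AllowedValues:
      - t2.nano
      - t2.micro
      - t2.small
      - t2.medium
      - t2.large
      - t2.xlarge
      - t2.2xlarge
    Default: t2.micro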

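# Per-region address plan. A subnet must be a proper sub-range of its VPC: the
# previous values gave the subnet a /16 as well, which is the entire VPC range and
# a non-canonical block (host bits set in 10.0.1.0/16), so the subnets are /24 here.
Mappings:
  TokyoRegion:
    VPC:
      VPCCidrBlock: 10.0.0.0/16
    Subnet:
      PrivateSubnet: 10.0.1.0/24
  OsakaRegion:
    VPC:
      VPCCidrBlock: 192.168.0.0/16
    Subnet:
      PrivateSubnet: 192.168.1.0/24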

Resources:
  # VPC whose CIDR is taken from the Mappings entry selected by SelectRegion.
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock:
        Fn::FindInMap:
          - Ref: SelectRegion
          - VPC
          - VPCCidrBlock
      # Both DNS settings are required for PrivateDnsEnabled on the interface
      # endpoints defined further down.
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value:
            Fn::Sub: "${AWS::StackName}-${SelectRegion}-VPC"
  Subnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: !FindInMap [ !Ref SelectRegion, Subnet, PrivateSubnet ]
      #GIPは取得しない
      MapPublicIpOnLaunch: 'False'
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-${SelectRegion}-Subnet"
  EC2Linux:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref LinuxLatestAmi
      InstanceType: !Ref InstanceType
      IamInstanceProfile: !Ref InstanceProfile
      KeyName: !Ref KeyPair
      SubnetId: !Ref Subnet
      SecurityGroupIds:
        -  !GetAtt EC2LinuxSecurityGroup.GroupId
      Tags:
      - Key: Name
        Value: !Sub "${AWS::StackName}-${SelectRegion}-EC2Linux"
  EC2LinuxSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: SGlinux
      VpcId: !Ref VPC
      #インバウンドルールは設定しない。アウトバウンドルールは全て許可する。
      SecurityGroupEgress:
      - IpProtocol: -1
        CidrIp: 0.0.0.0/0
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-${SelectRegion}-EC2LinuxSecurityGroup"
  
  EC2Role:
    Type: AWS::IAM::Role
    Properties:
      Path: /
      RoleName: !Sub ${AWS::StackName}-EC2Role
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      MaxSessionDuration: 3600
      ManagedPolicyArns: 
        - arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM

  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: /
      Roles:
        - !Ref EC2Role

# --------------------------------------------------------------------------------------------
# for SSM setting Zone
# --------------------------------------------------------------------------------------------
  SSMSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: SGlinux
      VpcId: !Ref VPC
      #SSM用のセキュリティグループ
      SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: '443'
        ToPort: '443'
        CidrIp: 0.0.0.0/0
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-${SelectRegion}-SSMSecurityGroup"

# ------------------------------------------------------------#
# Create ssm End Point
# ------------------------------------------------------------#
  ssmEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      ServiceName: !Sub "com.amazonaws.${AWS::Region}.ssm"
      SubnetIds: 
        - !Ref Subnet
      VpcId: !Ref VPC
      VpcEndpointType: Interface
      SecurityGroupIds:
        - !Ref SSMSecurityGroup
      PrivateDnsEnabled: true
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-${SelectRegion}-ssmEndpoint"
  # ------------------------------------------------------------#
  # Create EC2Message End Point
  # ------------------------------------------------------------#
  EC2MessageEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      ServiceName: !Sub "com.amazonaws.${AWS::Region}.ec2messages"
      SubnetIds: 
        - !Ref Subnet
      VpcId: !Ref VPC
      VpcEndpointType: Interface
      SecurityGroupIds:
        - !Ref SSMSecurityGroup
      PrivateDnsEnabled: true
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-${SelectRegion}-EC2MessageEndpoint"
  # ------------------------------------------------------------#
  # Create ssmmessages End Point
  # ------------------------------------------------------------#
  ssmmessagesEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      ServiceName: !Sub "com.amazonaws.${AWS::Region}.ssmmessages"
      SubnetIds: 
        - !Ref Subnet
      VpcId: !Ref VPC
      VpcEndpointType: Interface
      SecurityGroupIds:
        - !Ref SSMSecurityGroup
      PrivateDnsEnabled: true
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-${SelectRegion}-ssmmessagesEndpoint"