Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
308 lines (308 sloc) 9.94 KB
AWSTemplateFormatVersion: "2010-09-09"
Description: "Redshift stack for Redshift/Kinesis Demo."
Parameters:
DatabaseName:
Description: The name of the first database to be created when the cluster is
created
Type: String
Default: dev
AllowedPattern: "([a-z]|[0-9])+"
ClusterType:
Description: The type of cluster
Type: String
Default: single-node
AllowedValues:
- single-node
- multi-node
NumberOfNodes:
Description: The number of compute nodes in the cluster. For multi-node clusters,
the NumberOfNodes parameter must be greater than 1
Type: Number
Default: "1"
NodeType:
Description: The type of node to be provisioned
Type: String
Default: dc2.large
AllowedValues:
- dc2.large
- dc2.8xlarge
- ra3.16xlarge
MasterUsername:
Description: The user name that is associated with the master user account for
the cluster that is being created
Type: String
AllowedPattern: "([a-z])([a-z]|[0-9])*"
MasterUserPassword:
Description: The password that is associated with the master user account for
the cluster that is being created.
Type: String
NoEcho: "true"
InboundTraffic:
Description: Allow inbound traffic to the cluster from this CIDR range.
Type: String
MinLength: "9"
MaxLength: "18"
AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})"
ConstraintDescription: must be a valid CIDR range of the form x.x.x.x/x.
FirehoseCidr:
Description: Allow inbound traffic to the cluster from the Kinesis Firehose CIDR in us-east-1.
Type: String
Default: "52.70.63.192/27"
MinLength: "9"
MaxLength: "18"
AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})"
ConstraintDescription: must be a valid CIDR range of the form x.x.x.x/x.
QuickSightCidr:
Description: Allow inbound traffic to the cluster from QuickSight CIDR in us-east-1.
Type: String
Default: "52.23.63.224/27"
MinLength: "9"
MaxLength: "18"
AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})"
ConstraintDescription: must be a valid CIDR range of the form x.x.x.x/x.
PortNumber:
Description: The port number on which the cluster accepts incoming connections.
Type: Number
Default: "5439"
Conditions:
IsMultiNodeCluster:
Fn::Equals:
- Ref: ClusterType
- multi-node
Resources:
RedshiftCluster:
Type: AWS::Redshift::Cluster
DependsOn:
- AttachGateway
- ClusterPermissionsRole
- LogBucket
Properties:
ClusterType: !Ref ClusterType
NumberOfNodes:
Fn::If:
- IsMultiNodeCluster
- Ref: NumberOfNodes
- Ref: AWS::NoValue
NodeType: !Ref NodeType
DBName: !Ref DatabaseName
MasterUsername: !Ref MasterUsername
MasterUserPassword: !Ref MasterUserPassword
ClusterParameterGroupName: !Ref RedshiftClusterParameterGroup
VpcSecurityGroupIds:
- Ref: SecurityGroup
ClusterSubnetGroupName: !Ref RedshiftClusterSubnetGroup
PubliclyAccessible: "true"
Port: !Ref PortNumber
IamRoles:
- !GetAtt ClusterPermissionsRole.Arn
LoggingProperties:
BucketName: !Ref LogBucket
S3KeyPrefix: "redshiftlogs"
RedshiftClusterParameterGroup:
Type: AWS::Redshift::ClusterParameterGroup
Properties:
Description: Cluster parameter group
ParameterGroupFamily: redshift-1.0
Parameters:
- ParameterName: enable_user_activity_logging
ParameterValue: "true"
RedshiftClusterSubnetGroup:
Type: AWS::Redshift::ClusterSubnetGroup
Properties:
Description: Cluster subnet group
SubnetIds:
- Ref: PublicSubnet
VPC:
Type: AWS::EC2::VPC
Properties:
CidrBlock: 10.0.0.0/16
PublicSubnet:
Type: AWS::EC2::Subnet
Properties:
CidrBlock: 10.0.0.0/24
VpcId: !Ref VPC
SecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Security group
SecurityGroupIngress:
- CidrIp: !Ref InboundTraffic
FromPort: !Ref PortNumber
ToPort: !Ref PortNumber
IpProtocol: tcp
Description: External access (your IP address)
- CidrIp: !Ref FirehoseCidr
FromPort: !Ref PortNumber
ToPort: !Ref PortNumber
IpProtocol: tcp
Description: Kinesis Firehose access (us-east-1)
- CidrIp: !Ref QuickSightCidr
FromPort: !Ref PortNumber
ToPort: !Ref PortNumber
IpProtocol: tcp
Description: QuickSight access (us-east-1)
VpcId: !Ref VPC
MyInternetGateway:
Type: AWS::EC2::InternetGateway
AttachGateway:
Type: AWS::EC2::VPCGatewayAttachment
Properties:
VpcId: !Ref VPC
InternetGatewayId: !Ref MyInternetGateway
PublicRouteTable:
Type: AWS::EC2::RouteTable
Properties:
VpcId: !Ref VPC
PublicRoute:
Type: AWS::EC2::Route
DependsOn: AttachGateway
Properties:
RouteTableId: !Ref PublicRouteTable
DestinationCidrBlock: 0.0.0.0/0
GatewayId: !Ref MyInternetGateway
PublicSubnetRouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
SubnetId: !Ref PublicSubnet
RouteTableId: !Ref PublicRouteTable
ClusterPermissionsRole:
Type: AWS::IAM::Role
Properties:
RoleName: ClusterPermissionsRole
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service:
- redshift.amazonaws.com
Action:
- sts:AssumeRole
Policies:
- PolicyName: ClusterPermissionsPolicy
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- redshift:DescribeClusters
Resource: "*"
- Effect: Allow
Action:
- redshift:ModifyClusterIamRoles
- redshift:CreateCluster
Resource: "arn:aws:redshift:*"
- Effect: Allow
Action:
- "s3:*"
Resource:
- !GetAtt DataBucket.Arn
- !Join [ "/", [ !GetAtt DataBucket.Arn, "*" ] ]
# - Effect: Allow
# Action:
# - iam:PassRole
# Resource: !GetAtt LogPermissionsRole.Arn
# - Effect: Allow
# Action:
# - "s3:*"
# ManagedPolicyArns:
# - arn:aws:iam::aws:policy/AmazonS3FullAccess
LogPermissionsRole:
Type: AWS::IAM::Role
Properties:
RoleName: LogPermissionsRole
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
AWS: arn:aws:iam::193672423079:user/logs
Action:
- sts:AssumeRole
Policies:
- PolicyName: LogPermissionsPolicy
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- "s3:*"
Resource:
- !GetAtt LogBucket.Arn
- !Join [ "/", [ !GetAtt LogBucket.Arn, "*" ] ]
Path: /
LogBucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref LogBucket
PolicyDocument:
Statement:
- Effect: Allow
Action:
- "s3:*"
Resource:
- !GetAtt LogBucket.Arn
- !Join [ "/", [ !GetAtt LogBucket.Arn, "*" ] ]
Principal:
AWS: arn:aws:iam::193672423079:user/logs
DataBucket:
Type: AWS::S3::Bucket
Properties:
VersioningConfiguration:
Status: Suspended
LogBucket:
Type: AWS::S3::Bucket
Properties:
VersioningConfiguration:
Status: Suspended
Outputs:
ClusterEndpoint:
Description: Cluster endpoint
Value: !Sub "${RedshiftCluster.Endpoint.Address}:${RedshiftCluster.Endpoint.Port}"
ClusterJDBCURL:
Description: Cluster endpoint
Value: !Sub "jdbc:redshift://${RedshiftCluster.Endpoint.Address}:${RedshiftCluster.Endpoint.Port}/dev"
Export:
Name: !Join [ "-", [ !Ref "AWS::StackName", "ClusterJDBCURL" ] ]
ClusterName:
Description: Name of cluster
Value: !Ref RedshiftCluster
ParameterGroupName:
Description: Name of parameter group
Value: !Ref RedshiftClusterParameterGroup
RedshiftClusterSubnetGroupName:
Description: Name of cluster subnet group
Value: !Ref RedshiftClusterSubnetGroup
RedshiftClusterSecurityGroupName:
Description: Name of cluster security group
Value: !Ref SecurityGroup
MasterUsername:
Description: The user name that is associated with the master user account for
the cluster that is being created
Value: !Ref MasterUsername
Export:
Name: !Join [ "-", [ !Ref "AWS::StackName", "MasterUsername" ] ]
MasterUserPassword:
Description: The password that is associated with the master user account for
the cluster that is being created.
Value: !Ref MasterUserPassword
Export:
Name: !Join [ "-", [ !Ref "AWS::StackName", "MasterUserPassword" ] ]
DataBucket:
Description: The bucket from which files are loaded into Redshift.
Value: !Ref DataBucket
Export:
Name: !Join [ "-", [ !Ref "AWS::StackName", "DataBucket" ] ]
DataBucketArn:
Description: The bucket from which files are loaded into Redshift.
Value: !GetAtt DataBucket.Arn
Export:
Name: !Join [ "-", [ !Ref "AWS::StackName", "DataBucketArn" ] ]
LogBucket:
Description: The bucket from which Redshift logs are sent to.
Value: !Ref LogBucket
Export:
Name: !Join [ "-", [ !Ref "AWS::StackName", "LogBucket" ] ]
LogBucketArn:
Description: The bucket from which Redshift logs are sent to.
Value: !GetAtt LogBucket.Arn
Export:
Name: !Join [ "-", [ !Ref "AWS::StackName", "LogBucketArn" ] ]
You can’t perform that action at this time.