Permalink
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
247 lines (223 sloc) 5.57 KB
AWSTemplateFormatVersion: 2010-09-09
Description: "Fargate for serverless bastion"
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
- Label:
default: SSH Configuration
Parameters:
- Password
Parameters:
Password:
Description: SSH password
Type: String
Mappings:
SubnetConfig:
VPC:
CIDR: 10.0.0.0/16
Public1:
CIDR: 10.0.10.0/24
Public2:
CIDR: 10.0.20.0/24
Resources:
VPC:
Type: AWS::EC2::VPC
Properties:
EnableDnsSupport: true
EnableDnsHostnames: true
CidrBlock:
Fn::FindInMap:
- SubnetConfig
- VPC
- CIDR
Tags:
- Key: Application
Value: !Ref AWS::StackName
InternetGateway:
Type: AWS::EC2::InternetGateway
DependsOn: VPC
Properties:
Tags:
- Key: Application
Value: !Ref AWS::StackName
AttachGateway:
Type: AWS::EC2::VPCGatewayAttachment
Properties:
VpcId: !Ref VPC
InternetGatewayId: !Ref InternetGateway
PublicSubnet1:
Type: AWS::EC2::Subnet
DependsOn: AttachGateway
Properties:
VpcId: !Ref VPC
MapPublicIpOnLaunch: true
AvailabilityZone:
Fn::Select:
- 0
- Fn::GetAZs: ""
CidrBlock:
Fn::FindInMap:
- SubnetConfig
- Public1
- CIDR
Tags:
- Key: Name
Value: "Public Subnet 1"
- Key: Application
Value: !Ref AWS::StackName
PublicSubnet2:
Type: AWS::EC2::Subnet
DependsOn: AttachGateway
Properties:
VpcId: !Ref VPC
MapPublicIpOnLaunch: true
AvailabilityZone:
Fn::Select:
- 1
- Fn::GetAZs: ""
CidrBlock:
Fn::FindInMap:
- SubnetConfig
- Public2
- CIDR
Tags:
- Key: Name
Value: "Public Subnet 2"
- Key: Application
Value: !Ref AWS::StackName
PublicRouteTable:
Type: AWS::EC2::RouteTable
DependsOn:
- VPC
- AttachGateway
Properties:
VpcId: !Ref VPC
Tags:
- Key: Name
Value: Public
- Key: Application
Value: !Ref AWS::StackName
PublicRoute:
Type: AWS::EC2::Route
DependsOn: AttachGateway
Properties:
RouteTableId: !Ref PublicRouteTable
DestinationCidrBlock: 0.0.0.0/0
GatewayId: !Ref InternetGateway
PublicSubnet1RouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
DependsOn: AttachGateway
Properties:
SubnetId: !Ref PublicSubnet1
RouteTableId: !Ref PublicRouteTable
PublicSubnet2RouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
DependsOn: AttachGateway
Properties:
SubnetId: !Ref PublicSubnet2
RouteTableId: !Ref PublicRouteTable
SecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: SecurityGroup for Bastion host
VpcId: !Ref VPC
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: "0.0.0.0/0"
Tags:
- Key: Name
Value: sg-for-bastion
CloudWatchLogsGroup:
Type: AWS::Logs::LogGroup
Properties:
RetentionInDays: 1
BastionCluster:
Type: AWS::ECS::Cluster
Properties:
ClusterName: !Ref AWS::StackName
ExecutionRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Service: ecs-tasks.amazonaws.com
Action: sts:AssumeRole
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
Path: /
TaskRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Service: ecs-tasks.amazonaws.com
Action: sts:AssumeRole
Policies:
- PolicyName: deny-all
PolicyDocument:
Statement:
- Effect: Deny
Action: "*"
Resource: "*"
Path: /
BastionTask:
Type: AWS::ECS::TaskDefinition
Properties:
Family: !Ref AWS::StackName
NetworkMode: awsvpc
RequiresCompatibilities:
- FARGATE
TaskRoleArn: !Ref TaskRole
ExecutionRoleArn: !Ref ExecutionRole
Cpu: 256
Memory: 512
ContainerDefinitions:
- Name: bastion
Image: pottava/fargate-shell:1.0
Command:
- "-d"
PortMappings:
- ContainerPort: 22
HostPort: 22
Environment:
- Name: SSH_PASSWORD
Value: !Ref Password
LogConfiguration:
LogDriver: awslogs
Options:
awslogs-group: !Ref CloudWatchLogsGroup
awslogs-region: !Ref AWS::Region
awslogs-stream-prefix: bastion
Essential: true
BastionService:
Type: AWS::ECS::Service
Properties:
LaunchType: FARGATE
Cluster: !Ref BastionCluster
DesiredCount: 1
TaskDefinition: !Ref BastionTask
NetworkConfiguration:
AwsvpcConfiguration:
AssignPublicIp: ENABLED
Subnets:
- !Ref PublicSubnet1
- !Ref PublicSubnet2
SecurityGroups:
- !Ref SecurityGroup
Outputs:
PublicSubnet1:
Value: !Ref PublicSubnet1
PublicSubnet2:
Value: !Ref PublicSubnet2
SecurityGroup:
Value: !Ref SecurityGroup
Cluster:
Value: !Ref BastionCluster