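# Network baseline for a Control Tower client account: one VPC, two public and
# four private subnets spread over two Availability Zones, an Internet Gateway
# with a default route for the public subnets, and VPC Flow Logs delivered to a
# CloudWatch Logs group via a dedicated service role.
#
# The format version is quoted so that generic YAML 1.1 parsers (cfn-lint,
# PyYAML, editor tooling) keep it as a string instead of a date object.
AWSTemplateFormatVersion: '2010-09-09'
Description: This stack creates the underlying infrastructure for the Control Tower Client Account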
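# Console presentation only; no effect on the deployed resources.
# AWS::CloudFormation::Interface requires each Label and each ParameterLabels
# entry to be a mapping with a `default` key — a bare string is not rendered.
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: VPC and Subnet CIDR configuration
        Parameters:
          - VPCCIDR
          - PublicSubnet1ACIDR
          - PublicSubnet1BCIDR
          - PrivateSubnet1ACIDR
          - PrivateSubnet1BCIDR
          - PrivateSubnet2ACIDR
          - PrivateSubnet2BCIDR
    ParameterLabels:
      VPCCIDR:
        default: VPC CIDR
      PublicSubnet1ACIDR:
        default: Public subnet 1A CIDR
      # Was labelled "1A" — the label now matches the parameter it describes.
      PublicSubnet1BCIDR:
        default: Public subnet 1B CIDR
      PrivateSubnet1ACIDR:
        default: Private subnet 1A CIDR
      PrivateSubnet1BCIDR:
        default: Private subnet 1B CIDR
      PrivateSubnet2ACIDR:
        default: Private subnet 2A CIDR
      PrivateSubnet2BCIDR:
        default: Private subnet 2B CIDR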
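# CIDR inputs. Every value is validated as IPv4 CIDR notation at stack
# create/update time so that a typo fails fast in CloudFormation instead of
# surfacing later as an EC2 API error. The defaults below carve the /16 into
# non-overlapping /20 blocks; overlap between subnets is NOT checked here and
# is rejected by EC2 at subnet creation.
Parameters:
  VPCCIDR:
    Default: 172.16.0.0/16
    Description: CIDR block for the Primary VPC
    Type: String
    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
    ConstraintDescription: Must be a valid IPv4 CIDR block, e.g. 172.16.0.0/16
  PublicSubnet1ACIDR:
    Default: 172.16.16.0/20
    Description: CIDR block for public subnet 1A located in Availability Zone 1
    Type: String
    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
    ConstraintDescription: Must be a valid IPv4 CIDR block, e.g. 172.16.16.0/20
  PublicSubnet1BCIDR:
    Default: 172.16.32.0/20
    # Was described as "1A"; this parameter feeds PublicSubnet1B in AZ 2.
    Description: CIDR block for public subnet 1B located in Availability Zone 2
    Type: String
    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
    ConstraintDescription: Must be a valid IPv4 CIDR block, e.g. 172.16.32.0/20
  PrivateSubnet1ACIDR:
    Default: 172.16.48.0/20
    Description: CIDR block for private subnet 1A located in Availability Zone 1
    Type: String
    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
    ConstraintDescription: Must be a valid IPv4 CIDR block, e.g. 172.16.48.0/20
  PrivateSubnet1BCIDR:
    Default: 172.16.64.0/20
    Description: CIDR block for private subnet 1B located in Availability Zone 2
    Type: String
    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
    ConstraintDescription: Must be a valid IPv4 CIDR block, e.g. 172.16.64.0/20
  PrivateSubnet2ACIDR:
    Default: 172.16.80.0/20
    Description: CIDR block for private subnet 2A located in Availability Zone 1
    Type: String
    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
    ConstraintDescription: Must be a valid IPv4 CIDR block, e.g. 172.16.80.0/20
  PrivateSubnet2BCIDR:
    Default: 172.16.96.0/20
    Description: CIDR block for private subnet 2B located in Availability Zone 2
    Type: String
    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
    ConstraintDescription: Must be a valid IPv4 CIDR block, e.g. 172.16.96.0/20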
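Resources:
  # ---------------------------------------------------------------------------
  # VPC and subnets. "A" subnets land in the first AZ of the region, "B"
  # subnets in the second (via !Select on !GetAZs). DNS options are left at the
  # EC2 defaults, as in the original template.
  # ---------------------------------------------------------------------------
  PrimaryVPC:
    Type: 'AWS::EC2::VPC'
    Properties:
      CidrBlock: !Ref VPCCIDR
      Tags:
        - Key: Name
          Value: PrimaryVPC
  PublicSubnet1A:
    Type: 'AWS::EC2::Subnet'
    Properties:
      VpcId: !Ref PrimaryVPC
      CidrBlock: !Ref PublicSubnet1ACIDR
      AvailabilityZone: !Select
        - '0'
        - !GetAZs
          Ref: 'AWS::Region'
      Tags:
        - Key: Name
          Value: PublicSubnet1A
  PublicSubnet1B:
    Type: 'AWS::EC2::Subnet'
    Properties:
      VpcId: !Ref PrimaryVPC
      CidrBlock: !Ref PublicSubnet1BCIDR
      AvailabilityZone: !Select
        - '1'
        - !GetAZs
          Ref: 'AWS::Region'
      Tags:
        - Key: Name
          Value: PublicSubnet1B
  PrivateSubnet1A:
    Type: 'AWS::EC2::Subnet'
    Properties:
      VpcId: !Ref PrimaryVPC
      CidrBlock: !Ref PrivateSubnet1ACIDR
      AvailabilityZone: !Select
        - '0'
        - !GetAZs
          Ref: 'AWS::Region'
      Tags:
        - Key: Name
          Value: PrivateSubnet1A
  PrivateSubnet1B:
    Type: 'AWS::EC2::Subnet'
    Properties:
      VpcId: !Ref PrimaryVPC
      CidrBlock: !Ref PrivateSubnet1BCIDR
      AvailabilityZone: !Select
        - '1'
        - !GetAZs
          Ref: 'AWS::Region'
      Tags:
        - Key: Name
          Value: PrivateSubnet1B
  PrivateSubnet2A:
    Type: 'AWS::EC2::Subnet'
    Properties:
      VpcId: !Ref PrimaryVPC
      CidrBlock: !Ref PrivateSubnet2ACIDR
      AvailabilityZone: !Select
        - '0'
        - !GetAZs
          Ref: 'AWS::Region'
      Tags:
        - Key: Name
          Value: PrivateSubnet2A
  PrivateSubnet2B:
    Type: 'AWS::EC2::Subnet'
    Properties:
      VpcId: !Ref PrimaryVPC
      CidrBlock: !Ref PrivateSubnet2BCIDR
      AvailabilityZone: !Select
        - '1'
        - !GetAZs
          Ref: 'AWS::Region'
      Tags:
        - Key: Name
          Value: PrivateSubnet2B

  # ---------------------------------------------------------------------------
  # Routing. One shared public route table (default route to the IGW below);
  # one private route table per AZ. The private tables carry no routes in this
  # template, so private subnets have VPC-local reachability only until a
  # downstream stack (via the exported table IDs) adds NAT or TGW routes.
  # ---------------------------------------------------------------------------
  PublicRouteTable:
    Type: 'AWS::EC2::RouteTable'
    Properties:
      VpcId: !Ref PrimaryVPC
      Tags:
        - Key: Name
          Value: PublicRouteTable
  PublicSubnetRouteTableAssociationA:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      RouteTableId: !Ref PublicRouteTable
      SubnetId: !Ref PublicSubnet1A
  PublicSubnetRouteTableAssociationB:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      RouteTableId: !Ref PublicRouteTable
      SubnetId: !Ref PublicSubnet1B
  PrivateRouteTableA:
    Type: 'AWS::EC2::RouteTable'
    Properties:
      VpcId: !Ref PrimaryVPC
      Tags:
        - Key: Name
          Value: PrivateRouteTableA
  PrivateRouteTableB:
    Type: 'AWS::EC2::RouteTable'
    Properties:
      VpcId: !Ref PrimaryVPC
      Tags:
        - Key: Name
          Value: PrivateRouteTableB
  PrivateRouteTableAssociation1A:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      RouteTableId: !Ref PrivateRouteTableA
      SubnetId: !Ref PrivateSubnet1A
  PrivateRouteTableAssociation1B:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      RouteTableId: !Ref PrivateRouteTableB
      SubnetId: !Ref PrivateSubnet1B
  PrivateRouteTableAssociation2A:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      RouteTableId: !Ref PrivateRouteTableA
      SubnetId: !Ref PrivateSubnet2A
  PrivateRouteTableAssociation2B:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      RouteTableId: !Ref PrivateRouteTableB
      SubnetId: !Ref PrivateSubnet2B

  # ---------------------------------------------------------------------------
  # Internet egress for the public subnets. The IGW, its attachment and the
  # default route are retained on stack deletion (DeletionPolicy: Retain), so
  # tearing the stack down leaves them behind to be cleaned up by hand.
  # ---------------------------------------------------------------------------
  InternetGateway:
    Type: AWS::EC2::InternetGateway
    DeletionPolicy: Retain
    Properties:
      Tags:
        - Key: Network
          Value: Public
        - Key: Name
          Value: InternetGateway
  VPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    DeletionPolicy: Retain
    Properties:
      VpcId: !Ref PrimaryVPC
      InternetGatewayId: !Ref InternetGateway
  PublicSubnetRoute:
    # A route to an IGW fails if the gateway is not yet attached; the explicit
    # DependsOn orders creation correctly (a !Ref on the IGW alone does not).
    DependsOn: VPCGatewayAttachment
    DeletionPolicy: Retain
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway

  # ---------------------------------------------------------------------------
  # VPC Flow Logs -> CloudWatch Logs.
  # ---------------------------------------------------------------------------
  IAMServiceRoleVPCFlowLogs:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - vpc-flow-logs.amazonaws.com
            Action:
              - 'sts:AssumeRole'
            # Confused-deputy guard: the flow-logs service may only assume this
            # role on behalf of flow logs that belong to this account/region.
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
              ArnLike:
                aws:SourceArn: !Sub 'arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:vpc-flow-log/*'
      Path: /
      # Fixed role name: deploying requires CAPABILITY_NAMED_IAM and only one
      # instance of this stack can exist per account.
      RoleName: IAMServiceRoleVPCFlowLogs
      Policies:
        - PolicyName: aws-iamservicerole-vpcflowlogs-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Write access is limited to the log group created below. The
              # GetAtt ARN ends in ":*" and so covers the group's log streams;
              # the Sub form (no ":*") is the resource shape CreateLogGroup
              # matches against.
              - Effect: Allow
                Action:
                  - 'logs:CreateLogGroup'
                  - 'logs:CreateLogStream'
                  - 'logs:PutLogEvents'
                Resource:
                  - !GetAtt VPCFlowLogLogGroup.Arn
                  - !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:${VPCFlowLogLogGroup}'
              # Describe calls are left unscoped as in the original policy;
              # they are read-only list operations. NOTE(review):
              # DescribeLogStreams could likely be narrowed to the group ARN
              # too — confirm before tightening.
              - Effect: Allow
                Action:
                  - 'logs:DescribeLogGroups'
                  - 'logs:DescribeLogStreams'
                Resource: '*'
  VPCFlowLogLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub ${AWS::AccountId}-FlowLog
      # Retention is a cost/forensics trade-off; 90 days keeps a quarter of
      # network telemetry available for incident investigation.
      RetentionInDays: 90
  VPCFlowLog:
    # Redundant with the !Ref on ResourceId below, but kept for readability.
    DependsOn: PrimaryVPC
    Type: AWS::EC2::FlowLog
    Properties:
      DeliverLogsPermissionArn: !GetAtt IAMServiceRoleVPCFlowLogs.Arn
      LogGroupName: !Ref VPCFlowLogLogGroup
      ResourceId: !Ref PrimaryVPC
      ResourceType: VPC
      # Capture accepted AND rejected traffic; REJECT-only would miss
      # successful lateral movement.
      TrafficType: ALL
  VPCFlowLogStream:
    # No LogStreamName is given, so CloudFormation generates one. The flow-log
    # service writes to streams it creates itself (per network interface), so
    # this stream is not where flow records land.
    Type: AWS::Logs::LogStream
    Properties:
      LogGroupName: !Ref VPCFlowLogLogGroup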
# Cross-stack exports consumed by later stacks in the same account/region.
# Export names are fixed strings (not stack-name prefixed), so a second copy of
# this stack in the same region would fail on export-name collision; that is
# consistent with the single-instance design of the flow-log role above.
Outputs:
  oVPCClient:
    Description: ID of the primary VPC
    Export:
      Name: oVPCClient
    Value: !Ref PrimaryVPC
  oPublicSubnetRouteTable:
    Description: Route table shared by both public subnets
    Export:
      Name: oPublicSubnetRouteTable
    Value: !Ref PublicRouteTable
  oPrivateSubnetRouteTableA:
    Description: Route table for private subnets in Availability Zone 1
    Export:
      Name: oPrivateSubnetRouteTableA
    Value: !Ref PrivateRouteTableA
  oPrivateSubnetRouteTableB:
    Description: Route table for private subnets in Availability Zone 2
    Export:
      Name: oPrivateSubnetRouteTableB
    Value: !Ref PrivateRouteTableB
  oPublicSubnet1A:
    Description: Public subnet 1A (Availability Zone 1)
    Export:
      Name: oPublicSubnet1A
    Value: !Ref PublicSubnet1A
  oPublicSubnet1B:
    Description: Public subnet 1B (Availability Zone 2)
    Export:
      Name: oPublicSubnet1B
    Value: !Ref PublicSubnet1B
  oPrivateSubnet1A:
    Description: Private subnet 1A (Availability Zone 1)
    Export:
      Name: oPrivateSubnet1A
    Value: !Ref PrivateSubnet1A
  oPrivateSubnet1B:
    Description: Private subnet 1B (Availability Zone 2)
    Export:
      Name: oPrivateSubnet1B
    Value: !Ref PrivateSubnet1B
  oPrivateSubnet2A:
    Description: Private subnet 2A (Availability Zone 1)
    Export:
      Name: oPrivateSubnet2A
    Value: !Ref PrivateSubnet2A
  oPrivateSubnet2B:
    Description: Private subnet 2B (Availability Zone 2)
    Export:
      Name: oPrivateSubnet2B
    Value: !Ref PrivateSubnet2B