aws-sample-cf/control-tower-client-vpc.yaml
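# Baseline network for a Control Tower client account: one VPC, two public and
# four private subnets spread over two Availability Zones, an Internet Gateway
# for the public tier, and VPC Flow Logs delivered to CloudWatch Logs. The VPC,
# route tables and subnets are exported for downstream stacks.
AWSTemplateFormatVersion: '2010-09-09'
Description: This stack creates the underlying infrastructure for the Control Tower Client Account
Metadata:
  # Console parameter grouping. Per the AWS::CloudFormation::Interface schema
  # both the group Label and each ParameterLabel are objects with a `default`
  # key; a bare string here is not honoured by the console.
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: VPC and Subnet CIDR configuration
        Parameters:
          - VPCCIDR
          - PublicSubnet1ACIDR
          - PublicSubnet1BCIDR
          - PrivateSubnet1ACIDR
          - PrivateSubnet1BCIDR
          - PrivateSubnet2ACIDR
          - PrivateSubnet2BCIDR
    ParameterLabels:
      VPCCIDR:
        default: VPC CIDR
      PublicSubnet1ACIDR:
        default: Public subnet 1A CIDR
      PublicSubnet1BCIDR:
        default: Public subnet 1B CIDR
      PrivateSubnet1ACIDR:
        default: Private subnet 1A CIDR
      PrivateSubnet1BCIDR:
        default: Private subnet 1B CIDR
      PrivateSubnet2ACIDR:
        default: Private subnet 2A CIDR
      PrivateSubnet2BCIDR:
        default: Private subnet 2B CIDR
# Every CIDR parameter carries the same AllowedPattern so a malformed value is
# rejected at stack creation instead of failing mid-deployment and rolling back.
# Defaults carve the /16 into non-overlapping /20s; suffix A = AZ index 0,
# suffix B = AZ index 1. CloudFormation YAML does not support anchors, so the
# pattern is repeated per parameter.
Parameters:
  VPCCIDR:
    Type: String
    Default: 172.16.0.0/16
    Description: CIDR block for the Primary VPC
    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/0-32
  PublicSubnet1ACIDR:
    Type: String
    Default: 172.16.16.0/20
    Description: CIDR block for public subnet 1A located in Availability Zone 1
    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/0-32
  PublicSubnet1BCIDR:
    Type: String
    Default: 172.16.32.0/20
    Description: CIDR block for public subnet 1B located in Availability Zone 2
    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/0-32
  PrivateSubnet1ACIDR:
    Type: String
    Default: 172.16.48.0/20
    Description: CIDR block for private subnet 1A located in Availability Zone 1
    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/0-32
  PrivateSubnet1BCIDR:
    Type: String
    Default: 172.16.64.0/20
    Description: CIDR block for private subnet 1B located in Availability Zone 2
    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/0-32
  PrivateSubnet2ACIDR:
    Type: String
    Default: 172.16.80.0/20
    Description: CIDR block for private subnet 2A located in Availability Zone 1
    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/0-32
  PrivateSubnet2BCIDR:
    Type: String
    Default: 172.16.96.0/20
    Description: CIDR block for private subnet 2B located in Availability Zone 2
    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/0-32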
Resources:
  # ---------------------------------------------------------------------------
  # VPC and subnets. "A" subnets land in the first AZ of the region, "B"
  # subnets in the second (Fn::GetAZs with an empty string means the current
  # region, the same as Ref AWS::Region).
  # ---------------------------------------------------------------------------
  PrimaryVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: !Ref VPCCIDR
      Tags:
        - { Key: Name, Value: PrimaryVPC }

  PublicSubnet1A:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref PrimaryVPC
      CidrBlock: !Ref PublicSubnet1ACIDR
      AvailabilityZone: !Select [0, !GetAZs '']
      Tags:
        - { Key: Name, Value: PublicSubnet1A }

  PublicSubnet1B:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref PrimaryVPC
      CidrBlock: !Ref PublicSubnet1BCIDR
      AvailabilityZone: !Select [1, !GetAZs '']
      Tags:
        - { Key: Name, Value: PublicSubnet1B }

  PrivateSubnet1A:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref PrimaryVPC
      CidrBlock: !Ref PrivateSubnet1ACIDR
      AvailabilityZone: !Select [0, !GetAZs '']
      Tags:
        - { Key: Name, Value: PrivateSubnet1A }

  PrivateSubnet1B:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref PrimaryVPC
      CidrBlock: !Ref PrivateSubnet1BCIDR
      AvailabilityZone: !Select [1, !GetAZs '']
      Tags:
        - { Key: Name, Value: PrivateSubnet1B }

  PrivateSubnet2A:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref PrimaryVPC
      CidrBlock: !Ref PrivateSubnet2ACIDR
      AvailabilityZone: !Select [0, !GetAZs '']
      Tags:
        - { Key: Name, Value: PrivateSubnet2A }

  PrivateSubnet2B:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref PrimaryVPC
      CidrBlock: !Ref PrivateSubnet2BCIDR
      AvailabilityZone: !Select [1, !GetAZs '']
      Tags:
        - { Key: Name, Value: PrivateSubnet2B }

  # ---------------------------------------------------------------------------
  # Routing. One shared public route table; one private route table per AZ
  # (A = both "A" subnets, B = both "B" subnets). The private tables carry no
  # routes here, so private subnets have no path out of the VPC until another
  # stack adds one (e.g. via the exported route table ids).
  # ---------------------------------------------------------------------------
  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref PrimaryVPC
      Tags:
        - { Key: Name, Value: PublicRouteTable }

  PublicSubnetRouteTableAssociationA:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PublicRouteTable
      SubnetId: !Ref PublicSubnet1A

  PublicSubnetRouteTableAssociationB:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PublicRouteTable
      SubnetId: !Ref PublicSubnet1B

  PrivateRouteTableA:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref PrimaryVPC
      Tags:
        - { Key: Name, Value: PrivateRouteTableA }

  PrivateRouteTableB:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref PrimaryVPC
      Tags:
        - { Key: Name, Value: PrivateRouteTableB }

  PrivateRouteTableAssociation1A:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PrivateRouteTableA
      SubnetId: !Ref PrivateSubnet1A

  PrivateRouteTableAssociation1B:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PrivateRouteTableB
      SubnetId: !Ref PrivateSubnet1B

  PrivateRouteTableAssociation2A:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PrivateRouteTableA
      SubnetId: !Ref PrivateSubnet2A

  PrivateRouteTableAssociation2B:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PrivateRouteTableB
      SubnetId: !Ref PrivateSubnet2B

  # ---------------------------------------------------------------------------
  # Internet egress for the public tier only.
  # NOTE(review): the gateway, its attachment and the default route are
  # DeletionPolicy: Retain while PrimaryVPC is not. On stack deletion the
  # retained attachment presumably keeps the VPC from being deleted
  # (DependencyViolation) — confirm this is the intended teardown behaviour.
  # ---------------------------------------------------------------------------
  InternetGateway:
    Type: AWS::EC2::InternetGateway
    DeletionPolicy: Retain
    Properties:
      Tags:
        - { Key: Network, Value: Public }
        - { Key: Name, Value: InternetGateway }

  VPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    DeletionPolicy: Retain
    Properties:
      VpcId: !Ref PrimaryVPC
      InternetGatewayId: !Ref InternetGateway

  PublicSubnetRoute:
    Type: AWS::EC2::Route
    # A route to an IGW fails unless the gateway is already attached to the VPC;
    # the Ref on InternetGateway alone does not order this.
    DependsOn: VPCGatewayAttachment
    DeletionPolicy: Retain
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway

  # ---------------------------------------------------------------------------
  # VPC Flow Logs (all traffic) to CloudWatch Logs, 90-day retention.
  # ---------------------------------------------------------------------------
  IAMServiceRoleVPCFlowLogs:
    Type: AWS::IAM::Role
    # NOTE(review): a fixed RoleName means only one instance of this stack can
    # exist per account and deployment needs CAPABILITY_NAMED_IAM.
    Properties:
      RoleName: IAMServiceRoleVPCFlowLogs
      Path: /
      # Only the VPC Flow Logs service may assume this role.
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - vpc-flow-logs.amazonaws.com
            Action:
              - sts:AssumeRole
      Policies:
        - PolicyName: aws-iamservicerole-vpcflowlogs-policy
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              # NOTE(review): Resource '*' grants write access to every log
              # group in the account; since the destination group is created in
              # this template, the stream/put actions could be scoped to
              # VPCFlowLogLogGroup's ARN — verify before tightening.
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                  - logs:DescribeLogGroups
                  - logs:DescribeLogStreams
                Resource: '*'

  VPCFlowLogLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub ${AWS::AccountId}-FlowLog
      RetentionInDays: 90

  VPCFlowLog:
    Type: AWS::EC2::FlowLog
    DependsOn: PrimaryVPC
    Properties:
      ResourceType: VPC
      ResourceId: !Ref PrimaryVPC
      TrafficType: ALL
      # Ref on a LogGroup yields its name, which is what FlowLog expects here.
      LogGroupName: !Ref VPCFlowLogLogGroup
      DeliverLogsPermissionArn: !GetAtt IAMServiceRoleVPCFlowLogs.Arn

  # NOTE(review): no LogStreamName is given, so this creates a stream with a
  # generated name; the flow log itself presumably writes to its own per-ENI
  # streams, so this resource may be unused — confirm before relying on it.
  VPCFlowLogStream:
    Type: AWS::Logs::LogStream
    Properties:
      LogGroupName: !Ref VPCFlowLogLogGroup
# Cross-stack exports. Export names are account/region-unique and consumed by
# other stacks through Fn::ImportValue, so they must not be renamed.
Outputs:
  oVPCClient:
    Value: !Ref PrimaryVPC
    Export: { Name: oVPCClient }

  # Route table ids, so other stacks can add routes (e.g. NAT or TGW) without
  # owning the tables.
  oPublicSubnetRouteTable:
    Value: !Ref PublicRouteTable
    Export: { Name: oPublicSubnetRouteTable }
  oPrivateSubnetRouteTableA:
    Value: !Ref PrivateRouteTableA
    Export: { Name: oPrivateSubnetRouteTableA }
  oPrivateSubnetRouteTableB:
    Value: !Ref PrivateRouteTableB
    Export: { Name: oPrivateSubnetRouteTableB }

  # Subnet ids.
  oPublicSubnet1A:
    Value: !Ref PublicSubnet1A
    Export: { Name: oPublicSubnet1A }
  oPublicSubnet1B:
    Value: !Ref PublicSubnet1B
    Export: { Name: oPublicSubnet1B }
  oPrivateSubnet1A:
    Value: !Ref PrivateSubnet1A
    Export: { Name: oPrivateSubnet1A }
  oPrivateSubnet1B:
    Value: !Ref PrivateSubnet1B
    Export: { Name: oPrivateSubnet1B }
  oPrivateSubnet2A:
    Value: !Ref PrivateSubnet2A
    Export: { Name: oPrivateSubnet2A }
  oPrivateSubnet2B:
    Value: !Ref PrivateSubnet2B
    Export: { Name: oPrivateSubnet2B }