Skip to content

Commit

Permalink
Merge pull request #1 from cloud/uva-vpc-examples
Browse files Browse the repository at this point in the history 
Uva vpc examples
  • Loading branch information
@sjeanes
sjeanes authored Oct 3, 2019
2 parents ac497e7 + 965a63b commit 048c2a6
Show file tree
Hide file tree
Showing 3 changed files with 371 additions and 0 deletions.
27 changes: 27 additions & 0 deletions GuardDutyMasterExecutionRole.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
AWSTemplateFormatVersion: 2010-09-09
Description: Configure the GuardDutyMasterExecutionRole to allow GuardDuty enabling script Assume Role into target accounts from the Guard Duty Master account.

Parameters:
AdministratorAccountId:
Type: String
Description: AWS Account ID of the administrator account (the account in which StackSet will be created).
MaxLength: 12
MinLength: 12

Resources:
ExecutionRole:
Type: AWS::IAM::Role
Properties:
RoleName: GuardDutyMasterExecutionRole
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
AWS:
- !Ref AdministratorAccountId
Action:
- sts:AssumeRole
Path: /
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AmazonGuardDutyFullAccess
17 changes: 17 additions & 0 deletions README.md
View file
Original file line number Diff line number Diff line change
@@ -1,2 +1,19 @@
# sample-cf
A sample AWS CloudFormation template

## control-tower-client-vpc.yaml
Example of VPC template to replace default VPC created by Control Tower. This is
loosely based on the VPC template used by the Landing Zones solution. It creates
one public and two private subnets, each divided between two AZs, as well as an
Internet Gateway for the public subnet and a VPC Flow Log. Actual VPC CIDR
assignment and subnet IPs are parameterized. This is intended for use as a StackSet
to deploy to multiple client accounts, wherein each client account gets a different
parameter set to define it's VPC IP range.

## GuardDutyMasterExecutionRole.yml
For deployment into all accounts that will run GuardDuty and report findings back
to the Master account. This can be deployed via StackSets from the Master (assuming
you have the necessary StackSet execution roles created on Master and client accounts).
This allows the GuardyDuty setup script to assume role into the client accounts through
the Master account in order to enable GuardDuty in the clients and accept the
invitation from the Master.
327 changes: 327 additions & 0 deletions control-tower-client-vpc.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,327 @@
AWSTemplateFormatVersion: 2010-09-09

Description: This stack creates the underlying infrastructure for the Control Tower Client Account

Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
- Label: VPC and Subnet CIDR configuration
Parameters:
- VPCCIDR
- PublicSubnet1ACIDR
- PublicSubnet1BCIDR
- PrivateSubnet1ACIDR
- PrivateSubnet1BCIDR
- PrivateSubnet2ACIDR
- PrivateSubnet2BCIDR
ParameterLabels:
VPCCIDR: VPC CIDR
PublicSubnet1ACIDR: Public subnet 1A CIDR
PublicSubnet1BCIDR: Public subnet 1A CIDR
PrivateSubnet1ACIDR: Private subnet 1A CIDR
PrivateSubnet1BCIDR: Private subnet 1B CIDR
PrivateSubnet2ACIDR: Private subnet 2A CIDR
PrivateSubnet2BCIDR: Private subnet 2B CIDR

Parameters:
VPCCIDR:
Default: 172.16.0.0/16
Description: CIDR block for the Primary VPC
Type: String
PublicSubnet1ACIDR:
Default: 172.16.16.0/20
Description: CIDR block for public subnet 1A located in Availability Zone 1
Type: String
PublicSubnet1BCIDR:
Default: 172.16.32.0/20
Description: CIDR block for public subnet 1A located in Availability Zone 2
Type: String
PrivateSubnet1ACIDR:
Default: 172.16.48.0/20
Description: CIDR block for private subnet 1A located in Availability Zone 1
Type: String
PrivateSubnet1BCIDR:
Default: 172.16.64.0/20
Description: CIDR block for private subnet 1B located in Availability Zone 2
Type: String
PrivateSubnet2ACIDR:
Default: 172.16.80.0/20
Description: CIDR block for private subnet 2A located in Availability Zone 1
Type: String
PrivateSubnet2BCIDR:
Default: 172.16.96.0/20
Description: CIDR block for private subnet 2B located in Availability Zone 2
Type: String

Resources:
PrimaryVPC:
Type: 'AWS::EC2::VPC'
Properties:
CidrBlock: !Ref VPCCIDR
Tags:
- Key: Name
Value: PrimaryVPC

PublicSubnet1A:
Type: 'AWS::EC2::Subnet'
Properties:
VpcId: !Ref PrimaryVPC
CidrBlock: !Ref PublicSubnet1ACIDR
AvailabilityZone: !Select
- '0'
- !GetAZs
Ref: 'AWS::Region'
Tags:
- Key: Name
Value: PublicSubnet1A

PublicSubnet1B:
Type: 'AWS::EC2::Subnet'
Properties:
VpcId: !Ref PrimaryVPC
CidrBlock: !Ref PublicSubnet1BCIDR
AvailabilityZone: !Select
- '1'
- !GetAZs
Ref: 'AWS::Region'
Tags:
- Key: Name
Value: PublicSubnet1B

PrivateSubnet1A:
Type: 'AWS::EC2::Subnet'
Properties:
VpcId: !Ref PrimaryVPC
CidrBlock: !Ref PrivateSubnet1ACIDR
AvailabilityZone: !Select
- '0'
- !GetAZs
Ref: 'AWS::Region'
Tags:
- Key: Name
Value: PrivateSubnet1A

PrivateSubnet1B:
Type: 'AWS::EC2::Subnet'
Properties:
VpcId: !Ref PrimaryVPC
CidrBlock: !Ref PrivateSubnet1BCIDR
AvailabilityZone: !Select
- '1'
- !GetAZs
Ref: 'AWS::Region'
Tags:
- Key: Name
Value: PrivateSubnet1B

PrivateSubnet2A:
Type: 'AWS::EC2::Subnet'
Properties:
VpcId: !Ref PrimaryVPC
CidrBlock: !Ref PrivateSubnet2ACIDR
AvailabilityZone: !Select
- '0'
- !GetAZs
Ref: 'AWS::Region'
Tags:
- Key: Name
Value: PrivateSubnet2A

PrivateSubnet2B:
Type: 'AWS::EC2::Subnet'
Properties:
VpcId: !Ref PrimaryVPC
CidrBlock: !Ref PrivateSubnet2BCIDR
AvailabilityZone: !Select
- '1'
- !GetAZs
Ref: 'AWS::Region'
Tags:
- Key: Name
Value: PrivateSubnet2B

PublicRouteTable:
Type: 'AWS::EC2::RouteTable'
Properties:
VpcId: !Ref PrimaryVPC
Tags:
- Key: Name
Value: PublicRouteTable

PublicSubnetRouteTableAssociationA:
Type: 'AWS::EC2::SubnetRouteTableAssociation'
Properties:
RouteTableId: !Ref PublicRouteTable
SubnetId: !Ref PublicSubnet1A

PublicSubnetRouteTableAssociationB:
Type: 'AWS::EC2::SubnetRouteTableAssociation'
Properties:
RouteTableId: !Ref PublicRouteTable
SubnetId: !Ref PublicSubnet1B

PrivateRouteTableA:
Type: 'AWS::EC2::RouteTable'
Properties:
VpcId: !Ref PrimaryVPC
Tags:
- Key: Name
Value: PrivateRouteTableA

PrivateRouteTableB:
Type: 'AWS::EC2::RouteTable'
Properties:
VpcId: !Ref PrimaryVPC
Tags:
- Key: Name
Value: PrivateRouteTableB

PrivateRouteTableAssociation1A:
Type: 'AWS::EC2::SubnetRouteTableAssociation'
Properties:
RouteTableId: !Ref PrivateRouteTableA
SubnetId: !Ref PrivateSubnet1A

PrivateRouteTableAssociation1B:
Type: 'AWS::EC2::SubnetRouteTableAssociation'
Properties:
RouteTableId: !Ref PrivateRouteTableB
SubnetId: !Ref PrivateSubnet1B

PrivateRouteTableAssociation2A:
Type: 'AWS::EC2::SubnetRouteTableAssociation'
Properties:
RouteTableId: !Ref PrivateRouteTableA
SubnetId: !Ref PrivateSubnet2A

PrivateRouteTableAssociation2B:
Type: 'AWS::EC2::SubnetRouteTableAssociation'
Properties:
RouteTableId: !Ref PrivateRouteTableB
SubnetId: !Ref PrivateSubnet2B

InternetGateway:
Type: AWS::EC2::InternetGateway
DeletionPolicy: Retain
Properties:
Tags:
- Key: Network
Value: Public
- Key: Name
Value: InternetGateway

VPCGatewayAttachment:
Type: AWS::EC2::VPCGatewayAttachment
DeletionPolicy: Retain
Properties:
VpcId: !Ref PrimaryVPC
InternetGatewayId: !Ref InternetGateway

PublicSubnetRoute:
DependsOn: VPCGatewayAttachment
DeletionPolicy: Retain
Type: AWS::EC2::Route
Properties:
RouteTableId: !Ref PublicRouteTable
DestinationCidrBlock: 0.0.0.0/0
GatewayId: !Ref InternetGateway

IAMServiceRoleVPCFlowLogs:
Type: 'AWS::IAM::Role'
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- vpc-flow-logs.amazonaws.com
Action:
- 'sts:AssumeRole'
Path: /
RoleName: IAMServiceRoleVPCFlowLogs
Policies:
- PolicyName: aws-iamservicerole-vpcflowlogs-policy
PolicyDocument:
Version: 2012-10-17
Statement:
- Action:
- 'logs:CreateLogGroup'
- 'logs:CreateLogStream'
- 'logs:PutLogEvents'
- 'logs:DescribeLogGroups'
- 'logs:DescribeLogStreams'
Resource: '*'
Effect: Allow

VPCFlowLogLogGroup:
Type: AWS::Logs::LogGroup
Properties:
LogGroupName: !Sub ${AWS::AccountId}-FlowLog
RetentionInDays: 90

VPCFlowLog:
DependsOn: PrimaryVPC
Type: AWS::EC2::FlowLog
Properties:
DeliverLogsPermissionArn: !GetAtt IAMServiceRoleVPCFlowLogs.Arn
LogGroupName: !Ref VPCFlowLogLogGroup
ResourceId: !Ref PrimaryVPC
ResourceType: VPC
TrafficType: ALL

VPCFlowLogStream:
Type: AWS::Logs::LogStream
Properties:
LogGroupName: !Ref VPCFlowLogLogGroup

Outputs:
oVPCClient:
Value: !Ref PrimaryVPC
Export:
Name: oVPCClient

oPublicSubnetRouteTable:
Value: !Ref PublicRouteTable
Export:
Name: oPublicSubnetRouteTable

oPrivateSubnetRouteTableA:
Value: !Ref PrivateRouteTableA
Export:
Name: oPrivateSubnetRouteTableA

oPrivateSubnetRouteTableB:
Value: !Ref PrivateRouteTableB
Export:
Name: oPrivateSubnetRouteTableB

oPublicSubnet1A:
Value: !Ref PublicSubnet1A
Export:
Name: oPublicSubnet1A

oPublicSubnet1B:
Value: !Ref PublicSubnet1B
Export:
Name: oPublicSubnet1B

oPrivateSubnet1A:
Value: !Ref PrivateSubnet1A
Export:
Name: oPrivateSubnet1A

oPrivateSubnet1B:
Value: !Ref PrivateSubnet1B
Export:
Name: oPrivateSubnet1B

oPrivateSubnet2A:
Value: !Ref PrivateSubnet2A
Export:
Name: oPrivateSubnet2A

oPrivateSubnet2B:
Value: !Ref PrivateSubnet2B
Export:
Name: oPrivateSubnet2B

0 comments on commit 048c2a6

Please sign in to comment.