LoginSignup
0
0

More than 1 year has passed since last update.

NATGatewayを自動作成・削除

Last updated at Posted at 2022-07-10

とりあえずできたので書き出し
そのうち図を書き足します

概要

平日の業務時間中だけサーバを使いたい。さらにNATゲートウェイも使わないので止めたい。
という貧乏な人コスト意識の高い方向けテンプレート

このテンプレートは

NATGWとSSM DocumentとEventBridgeを作るもの
NATGW: テンプレートの起動パラメータによって、作成・削除ができる
SSM Document: このテンプレートで作成したCFn Stackの更新(NATの作成削除を実行)できる
EventBridge: スケジュールでSSM Documentを実行する

起動パラメータ

  • NATGW 作成フラグ
  • メール通知送信先アドレス
  • NATGWを配置するパブリックサブネット
  • NATGWを経路にするプライベートサブネットのルートテーブル

作成するリソース

リソース 内容
NatGateway フラグtrueの時のみ作成
EIP フラグtrueの時のみ作成:NAT Gateway用EIP
Route フラグtrueの時のみ作成:NAT Gatewayのルート
IAM::Role SSM Document用のIAMロール
SNS::Topic SSM Automationで使用、終了通知用
SSM::Document SSM Document
IAM::Role EventBridge用のIAMロール
Events::Rule 起動用スケジュール
Events::Rule 終了用スケジュール
←(ここをクリックすると展開) CFnテンプレ全体はこちら


詳細

1,パラメータ

Parameters:
  CreateNAT:
    Type: String
    AllowedValues: [true, false]
  MailTo:
    Type: String
  PublicSubnetID:
      Type: String
  PrivateRouteTableID:
      Type: String
Conditions:
  isCreateNAT: !Equals [!Ref CreateNAT, "true"]

2,NAT Gateway

  NAT:
    Type: AWS::EC2::NatGateway
    Condition: isCreateNAT
    Properties:
      AllocationId: !GetAtt 
        - NatGatewayEIP
        - AllocationId
      SubnetId: !Ref PublicSubnetID
  NatGatewayEIP:
    Type: AWS::EC2::EIP
    Condition: isCreateNAT
    Properties:
      Domain: vpc
  PrivateRouteNAT:
    Type: AWS::EC2::Route
    Condition: isCreateNAT
    Properties:
      RouteTableId: !Ref PrivateRouteTableID
      NatGatewayId: !Ref NAT
      DestinationCidrBlock: "0.0.0.0/0"

3,SSM Document

3-1, Role

  AutomationAssumeRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub 'Role-automation-${AWS::StackName}'
      Path: "/"
      AssumeRolePolicyDocument:
        Statement:
        - Effect: Allow
          Action: sts:AssumeRole
          Principal:
            Service: 
              - ssm.amazonaws.com
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole
      Policies:
        - PolicyName: inline
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - cloudformation:UpdateStack
                  - sns:Publish
                  - ec2:*
                  - tag:GetResources
                Resource: 
                  - "*"
              - Effect: Allow
                Action: ssm:StartAutomationExecution
                Resource: 
                  - !Sub arn:aws:ssm:${AWS::Region}::automation-definition/AWS-StartEC2Instance:$DEFAULT
                  - !Sub arn:aws:ssm:${AWS::Region}::automation-definition/AWS-StopEC2Instance:$DEFAULT
              - Effect: Allow
                Action: iam:PassRole
                Resource:
                - !Sub "arn:aws:iam::${AWS::AccountId}:role/Role-automation-${AWS::StackName}"
                Condition:
                  StringLikeIfExists:
                    iam:PassedToService: ssm.amazonaws.com


3-2, SNS Topic

  SNSTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: !Sub "SampleTopic-${AWS::StackName}"
      Subscription:
        - Endpoint: !Ref MailTo
          Protocol: email

3-3, SSM Document

  SSMDocumentStartStopResorces:
    Type: AWS::SSM::Document
    Properties:
      DocumentFormat: YAML
      DocumentType: Automation
      Content:
        schemaVersion: "0.3"  
        description: CovProject Remove NATGateway and Start/Stop EC2 Instances(byTag)
        assumeRole: !GetAtt AutomationAssumeRole.Arn
        parameters:
          createFlg:
            type: String
            default: "ture"
            description: true is Create NAT and Start EC2Instance / false is Remove NAT and Stop EC2Instance  
            allowedValues:
              - "true"
              - "false"
        mainSteps: 
          - name: UpdateCFnStack
            action: aws:executeAwsApi
            inputs:
              Service: cloudformation
              Api: update_stack
              StackName: !Ref AWS::StackName
              UsePreviousTemplate: true
              Parameters:
                - ParameterKey: CreateNAT
                  ParameterValue: "{{ createFlg }}"
                - ParameterKey: MailTo
                  UsePreviousValue: True
                - ParameterKey: PublicSubnetID
                  UsePreviousValue: True
                - ParameterKey: PrivateRouteTableID
                  UsePreviousValue: True
              Capabilities:
                - CAPABILITY_NAMED_IAM
            outputs:
              - Name: stackId
                Selector: $.StackId
                Type: String
          - name: WaitCFnStack
            action: aws:waitForAwsResourceProperty
            timeoutSeconds: 300
            inputs:
              Service: cloudformation
              Api: DescribeStacks
              StackName: "{{ UpdateCFnStack.stackId }}"
              PropertySelector: Stacks[0].StackStatus
              DesiredValues:
                - UPDATE_COMPLETE
          - name: CheckIsStart
            action: aws:branch
            inputs:
              Choices:
              - NextStep: StopEC2
                Variable: "{{ createFlg }}"
                StringEquals: "false"
          - name: StartEC2
            action: aws:executeAwsApi
            inputs:
              Service: ssm
              Api: StartAutomationExecution
              DocumentName: AWS-StartEC2Instance
              TargetParameterName: "InstanceId"
              Targets:
                -
                  Key: tag:AutoStop
                  Values: 
                    - 'true'
          - name: StartCompletionNotice
            action: aws:executeAwsApi
            inputs:
              Service: sns
              Api: Publish
              TopicArn: !Ref SNSTopic
              Message: 'Message'
              Subject: 'subject Start'
            isEnd: true
          - name: StopEC2
            action: aws:executeAwsApi
            inputs:
              Service: ssm
              Api: StartAutomationExecution
              DocumentName: AWS-StopEC2Instance
              TargetParameterName: "InstanceId"
              Targets:
                -
                  Key: tag:AutoStop
                  Values: 
                    - 'true'
          - name: StopCompletionNotice
            action: aws:executeAwsApi
            inputs:
              Service: sns
              Api: Publish
              TopicArn: !Ref SNSTopic
              Message: 'Message'
              Subject: 'subject Stop'
            isEnd: true


4,EventBridge

4-1, Role

  EventBridgeRole:    
    Type: AWS::IAM::Role
    Properties: 
      RoleName: !Sub 'Role-events-${AWS::StackName}'
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - "events.amazonaws.com"
            Action: sts:AssumeRole
      Path: /
      Policies:
        - PolicyName: StopEc2Role_policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: ssm:StartAutomationExecution
                Resource: !Sub "arn:aws:ssm:ap-northeast-1:${AWS::AccountId}:automation-definition/${SSMDocumentStartStopResorces}:$DEFAULT"

4-2, EventBridge

  EventRuleEc2Start:
    Type: AWS::Events::Rule
    Properties:
      Name: !Sub "${AWS::StackName}StartRule"
      Description: !Sub "${AWS::StackName} Start."
      ScheduleExpression: "cron(00 23 ? * SUN-THU *)"
      State: ENABLED
      Targets:
        - Arn: !Sub "arn:aws:ssm:ap-northeast-1:${AWS::AccountId}:automation-definition/${SSMDocumentStartStopResorces}:$DEFAULT"
          Id: TargetStartCov
          RoleArn: !GetAtt EventBridgeRole.Arn
          Input: "{\"createFlg\":[\"true\"]}"
  EventRuleEc2Stop:
    Type: AWS::Events::Rule
    Properties:
      Name: !Sub "${AWS::StackName}StopRule"
      Description: !Sub "${AWS::StackName} Stop."
      ScheduleExpression: "cron(00 11 ? * MON-FRI *)"
      State: ENABLED
      Targets:
        - Arn: !Sub "arn:aws:ssm:ap-northeast-1:${AWS::AccountId}:automation-definition/${SSMDocumentStartStopResorces}:$DEFAULT"
          Id: TargetStopCov
          RoleArn: !GetAtt EventBridgeRole.Arn
          Input: "{\"createFlg\":[\"false\"]}"
0
0
0

Register as a new user and use Qiita more conveniently

  1. You get articles that match your needs
  2. You can efficiently read back useful information
  3. You can use dark theme
What you can do with signing up
0
0