AWSTemplateFormatVersion: '2010-09-09'
Description: AWS CloudFormation template to create VPC, subnets, SG.
Resources:
  # VPC
  MyVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true   # both DNS flags are required for private DNS on the interface endpoints
      Tags:
        - Key: Name
          Value: MyVPC
  # Subnet (private: no public IPs on launch, no internet gateway route)
  MyPrivateSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      CidrBlock: 10.0.1.0/24
      VpcId: !Ref MyVPC
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: MyPrivateSubnet
  # Security Group for General Use
  GeneralUseSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group for general use
      VpcId: !Ref MyVPC
      SecurityGroupIngress: []   # no inbound rules: nothing reaches instances in this SG until a rule is added
      Tags:
        - Key: Name
          Value: GeneralUseSG
Outputs:
  VPCId:
    Description: The VPC ID
    Value: !Ref MyVPC
    Export:
      Name: VPCId
  PrivateSubnetId:
    Description: The Private Subnet ID
    Value: !Ref MyPrivateSubnet
    Export:
      Name: PrivateSubnetId
Create the VPC.
Create the SG for EC2.
Export VPCId and PrivateSubnetId via Outputs.
AWSTemplateFormatVersion: '2010-09-09'
Description: AWS CloudFormation template to create SSM, EC2 messages, and SSM messages endpoints.
Parameters:
  # Enter the time (Asia/Tokyo) at which this stack should delete itself
  Hour:
    Description: Please type Delete Hour.
    Type: String
    Default: "13"
  Minute:
    Description: Please type Delete Minute.
    Type: String
    Default: "00"
Resources:
  # Security Group for SSM Endpoint
  # Only HTTPS from the private subnet; the endpoints never need to be reachable from anywhere else
  SSMEndpointSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group for SSM endpoint
      VpcId: !ImportValue VPCId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 10.0.1.0/24
      Tags:
        - Key: Name
          Value: SSMEndpointSG
  # SSM Endpoint (service names are pinned to ap-northeast-1; ${AWS::Region} would make them portable)
  SSMEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      ServiceName: !Sub 'com.amazonaws.ap-northeast-1.ssm'
      VpcId: !ImportValue VPCId
      VpcEndpointType: Interface
      SubnetIds:
        - !ImportValue PrivateSubnetId
      SecurityGroupIds:
        - !Ref SSMEndpointSG
      PrivateDnsEnabled: true
  # EC2 Messages Endpoint
  EC2MessagesEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      ServiceName: !Sub 'com.amazonaws.ap-northeast-1.ec2messages'
      VpcEndpointType: Interface
      VpcId: !ImportValue VPCId
      SubnetIds:
        - !ImportValue PrivateSubnetId
      SecurityGroupIds:
        - !Ref SSMEndpointSG
      PrivateDnsEnabled: true
  # SSM Messages Endpoint
  SSMMessagesEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      ServiceName: !Sub 'com.amazonaws.ap-northeast-1.ssmmessages'
      VpcEndpointType: Interface
      VpcId: !ImportValue VPCId
      SubnetIds:
        - !ImportValue PrivateSubnetId
      SecurityGroupIds:
        - !Ref SSMEndpointSG
      PrivateDnsEnabled: true
  # Timed deletion: EventBridge Scheduler calls CloudFormation DeleteStack on this stack once a day
  EventSchedule:
    Type: AWS::Scheduler::Schedule
    Properties:
      Description: 'Delete Schedule'
      ScheduleExpression: !Sub "cron(${Minute} ${Hour} ? * * *)"
      ScheduleExpressionTimezone: "Asia/Tokyo"
      FlexibleTimeWindow:
        Mode: 'OFF'
      State: ENABLED
      Target:
        # Universal target: the CloudFormation DeleteStack API, invoked with the scheduler role below
        Arn: "arn:aws:scheduler:::aws-sdk:cloudformation:deleteStack"
        Input: !Sub "{ \"StackName\": \"${AWS::StackName}\" }"
        RoleArn: !ImportValue DeleteSchedulerRoleARN
Create the SSM endpoints together with a timed-deletion rule.
The deletion time is configurable (within 24 hours).
Deleting them every day saves money!!
AWSTemplateFormatVersion: '2010-09-09'
Description: Create IAM Role and Instance Profile for EC2 to use with Systems Manager.
# Will not become COMPLETE until it is attached to an instance.
Resources:
  # IAM role
  MySSMRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        # AWS managed policy with only the permissions the SSM agent needs
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
  # Instance profile
  MyInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref MySSMRole
Outputs:
  InstanceProfileName:
    Description: Instance Profile Name
    Value: !Ref MyInstanceProfile
    Export:
      Name: InstanceProfileName
  IAMRoleName:
    Description: IAM Role Name
    Value: !Ref MySSMRole
    Export:
      Name: IAMRoleName
Trap: the SSM role cannot be attached to EC2 unless an instance profile is set up and exported in Outputs.
Whether this can be merged with the other role creation.
AWSTemplateFormatVersion: '2010-09-09'
Description: Create an IAM Role with minimal permissions for creating VPC Endpoints.
Resources:
  # IAM role (assumed by CloudFormation itself as a service role)
  VPCEndpointRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudformation.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: MinimalVPCEndpointPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - ec2:CreateVpcEndpoint
                  - ec2:DeleteVpcEndpoints
                  - ec2:DescribeVpcEndpoints
                  - ec2:ModifyVpcEndpoint
                  - ec2:DescribeVpcEndpointServices
                Resource: '*'
Outputs:
  VPCEndpointRoleArn:
    Description: ARN of the IAM Role for creating VPC Endpoints
    Value: !GetAtt VPCEndpointRole.Arn
    Export:
      Name: VPCEndpointRoleArn
Role for CFn.
AWSTemplateFormatVersion: "2010-09-09"
Description: EventBridge Scheduler IAM Role
Resources:
  Role:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          -
            Effect: "Allow"
            Principal:
              Service:
                - scheduler.amazonaws.com
            Action:
              - "sts:AssumeRole"
      ManagedPolicyArns:
        # PowerUserAccess is far broader than the scheduled DeleteStack call needs;
        # least privilege would be cloudformation:DeleteStack on the endpoint stack
        # plus the delete permissions for the resources in it
        - 'arn:aws:iam::aws:policy/PowerUserAccess'
      Path: "/"
Outputs:
  DeleteSchedulerRoleARN:
    Value: !GetAtt Role.Arn
    Export:
      Name: DeleteSchedulerRoleARN
Merged all the IAM roles.
Question: the Core role stays in the creating state; doesn't this keep incurring charges?
→ $7 per day
Fixing this in code looks difficult.
Tedious, but create it manually?
Go as far as creating the EC2 instance too?
Resources:
  # Least-privilege role for creating endpoints via CFn
  VPCEndpointRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudformation.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: MinimalVPCEndpointPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - ec2:CreateVpcEndpoint
                  - ec2:DeleteVpcEndpoints
                  - ec2:DescribeVpcEndpoints
                  - ec2:ModifyVpcEndpoint
                  - ec2:DescribeVpcEndpointServices
                Resource: '*'
  # Will not become COMPLETE until it is attached to an instance.
  # Role attached to the EC2 instance that gets created
  MySSMRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
  # Instance profile
  MyInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref MySSMRole
  # Role used by EventBridge Scheduler to delete resources automatically
  DeleteSchedulerRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          -
            Effect: "Allow"
            Principal:
              Service:
                - scheduler.amazonaws.com
            Action:
              - "sts:AssumeRole"
      ManagedPolicyArns:
        # Broad managed policy; a scoped DeleteStack policy would be least privilege
        - 'arn:aws:iam::aws:policy/PowerUserAccess'
      Path: "/"
Outputs:
  # Automatic resource deletion
  DeleteSchedulerRoleARN:
    Value: !GetAtt DeleteSchedulerRole.Arn
    Export:
      Name: DeleteSchedulerRoleARN
  # For EC2
  InstanceProfileName:
    Description: Instance Profile Name
    Value: !Ref MyInstanceProfile
    Export:
      Name: InstanceProfileName
  IAMRoleName:
    Description: IAM Role Name
    Value: !Ref MySSMRole
    Export:
      Name: IAMRoleName
  # For CFn
  VPCEndpointRoleArn:
    Description: ARN of the IAM Role for creating VPC Endpoints
    Value: !GetAtt VPCEndpointRole.Arn
    Export:
      Name: VPCEndpointRoleArn
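The three stacks above are wired together only through Export names and !ImportValue references, so the deployment order (network and IAM first, endpoints last), the delete order (an export still in use blocks deletion of its owner), and any import that nothing exports are easy to get wrong. The following is an added example, not code from the original page: a small Python check that reads trimmed, constructed stand-ins for the page's stacks (only the Export, !ImportValue and ManagedPolicyArns parts are kept), derives the deploy order with a topological sort, reports dangling imports, and flags broad managed policies such as PowerUserAccess on the scheduler role. It uses regular expressions rather than a YAML parser so it runs without PyYAML or the CloudFormation custom tags.

```python
import re

# Constructed, trimmed stand-ins for the page's three stacks: only the parts that
# matter for cross-stack wiring are kept. These are not the page's full templates.
STACKS = {
    "network": """
Outputs:
  VPCId:
    Value: !Ref MyVPC
    Export:
      Name: VPCId
  PrivateSubnetId:
    Value: !Ref MyPrivateSubnet
    Export:
      Name: PrivateSubnetId
""",
    "iam": """
Resources:
  DeleteSchedulerRole:
    Properties:
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/PowerUserAccess'
Outputs:
  DeleteSchedulerRoleARN:
    Value: !GetAtt DeleteSchedulerRole.Arn
    Export:
      Name: DeleteSchedulerRoleARN
""",
    "ssm-endpoints": """
Resources:
  SSMEndpointSG:
    Properties:
      VpcId: !ImportValue VPCId
  SSMEndpoint:
    Properties:
      SubnetIds:
        - !ImportValue PrivateSubnetId
  EventSchedule:
    Properties:
      Target:
        RoleArn: !ImportValue DeleteSchedulerRoleARN
""",
}

EXPORT_RE = re.compile(r"Export:\s+Name:\s*(\S+)")
IMPORT_RE = re.compile(r"!ImportValue\s+(\S+)")
POLICY_RE = re.compile(r"arn:aws:iam::aws:policy/[\w+=,.@/-]+")
# Managed policies that grant far more than a scheduled DeleteStack call needs.
BROAD_POLICIES = {"arn:aws:iam::aws:policy/PowerUserAccess",
                  "arn:aws:iam::aws:policy/AdministratorAccess"}


def exports_of(template):
    return set(EXPORT_RE.findall(template))


def imports_of(template):
    return set(IMPORT_RE.findall(template))


def broad_managed_policies(template):
    """Managed policy ARNs in the template that are on the broad list, sorted."""
    return sorted(p for p in POLICY_RE.findall(template) if p in BROAD_POLICIES)


def analyse(stacks):
    """Return (deploy_order, missing): stack names ordered so every !ImportValue is
    satisfied by an earlier stack (delete in reverse), and {stack: {imports that
    no stack exports}}. Raises ValueError on a cyclic dependency."""
    producers = {}
    for name, text in stacks.items():
        for exp in exports_of(text):
            producers.setdefault(exp, name)
    deps = {name: set() for name in stacks}
    missing = {}
    for name, text in stacks.items():
        for imp in imports_of(text):
            if imp in producers and producers[imp] != name:
                deps[name].add(producers[imp])
            elif imp not in producers:
                missing.setdefault(name, set()).add(imp)
    # Kahn's algorithm; sorted() keeps the order deterministic.
    indeg = {n: len(d) for n, d in deps.items()}
    ready = sorted(n for n, k in indeg.items() if k == 0)
    order = []
    while ready:
        n = ready.pop(0)
        order.append(n)
        for m in sorted(deps):
            if n in deps[m]:
                indeg[m] -= 1
                if indeg[m] == 0:
                    ready.append(m)
    if len(order) != len(stacks):
        raise ValueError("cyclic dependency between stacks")
    return order, missing


if __name__ == "__main__":
    order, missing = analyse(STACKS)
    print("deploy order:", " -> ".join(order), "| dangling imports:", missing or "none")
    for name, text in STACKS.items():
        print(name, "broad managed policies:", broad_managed_policies(text))
```

Run it before `aws cloudformation deploy`: the deploy order it prints is the order the stacks must be created in, the reverse is the only order in which they can be deleted, and a non-empty dangling-imports map means a stack would fail with "No export named ..." at create time. The broad-policy check is the place to add any other ARN your environment treats as too permissive for an automation role.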