Create the VPC and security groups
AWSTemplateFormatVersion: '2010-09-09'
Description: AWS CloudFormation template to create VPC, subnets, and security groups.
Resources:
  # VPC
  MyVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      # Both DNS settings must be on for the private DNS names of the VPC endpoints to resolve inside the VPC
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: MyVPC
  # Subnet (private: no public IPs, and none of these templates defines an internet gateway or NAT)
  MyPrivateSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      CidrBlock: 10.0.1.0/24
      VpcId: !Ref MyVPC
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: MyPrivateSubnet
  # Security Group for General Use (attached to the instances)
  GeneralUseSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group for general use
      VpcId: !Ref MyVPC
      # No inbound rules at all: a Session Manager session is an outbound connection opened by the SSM Agent
      SecurityGroupIngress: []
      Tags:
        - Key: Name
          Value: GeneralUseSG
  # Security Group for SSM Endpoint
  SSMEndpointSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group for SSM endpoint
      VpcId: !Ref MyVPC
      SecurityGroupIngress:
        # HTTPS from the private subnet only. Referencing GeneralUseSG with SourceSecurityGroupId
        # instead of CidrIp would tie access to the instances rather than to the address range.
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 10.0.1.0/24
      Tags:
        - Key: Name
          Value: SSMEndpointSG
Outputs:
  VPCId:
    Description: The VPC ID
    Value: !Ref MyVPC
    Export:
      Name: VPCId
  PrivateSubnetId:
    Description: The Private Subnet ID
    Value: !Ref MyPrivateSubnet
    Export:
      Name: PrivateSubnetId
  GeneralUseSGId:
    Description: The Security Group ID for general use
    Value: !Ref GeneralUseSG
    Export:
      Name: GeneralUseSGId
  SSMEndpointSGId:
    Description: The Security Group ID for SSM Endpoint
    Value: !Ref SSMEndpointSG
    Export:
      Name: SSMEndpointSGId
Create the core role (instance role for the SSM Agent)
AWSTemplateFormatVersion: "2010-09-09"
Description: AmazonSSMManagedInstanceCore IAM Role
Resources:
  Role:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      ManagedPolicyArns:
        # Minimum permissions for the SSM Agent (Session Manager, Run Command, inventory); no S3 or CloudWatch logging rights
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
      Path: /
  # An EC2 instance cannot be given a role directly; it needs an instance profile that wraps the role
  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: /
      Roles:
        - !Ref Role
Outputs:
  SSMInstanceRoleARN:
    Value: !GetAtt Role.Arn
    Export:
      Name: AmazonSSMManagedInstanceCoreIAMRole
  SSMInstanceProfileName:
    Value: !Ref InstanceProfile
    Export:
      Name: AmazonSSMManagedInstanceCoreInstanceProfile
Create the EventBridge Scheduler role
AWSTemplateFormatVersion: "2010-09-09"
Description: EventBridge Scheduler IAM Role
Resources:
  Role:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - scheduler.amazonaws.com
            Action:
              - "sts:AssumeRole"
      ManagedPolicyArns:
        # PowerUserAccess is far broader than what the schedule needs, which is cloudformation:DeleteStack
        # plus delete rights on the resources of that stack (CloudFormation deletes them with the caller's permissions)
        - 'arn:aws:iam::aws:policy/PowerUserAccess'
      Path: "/"
Outputs:
  DeleteSchedulerRoleARN:
    Value: !GetAtt Role.Arn
    Export:
      Name: DeleteSchedulerRoleARN
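Added example, not from the original page: the same scheduler role with an inline policy instead of PowerUserAccess, scoped to what the delete schedule actually does. The StackNamePrefix parameter, the aws:SourceAccount condition and the list of resource-level delete actions are assumptions of this example. CloudFormation deletes a stack's resources using the calling role's own permissions, so the second statement has to cover every resource type in the stack being deleted (here the VPC endpoints and the schedule itself, with the Describe/Get calls CloudFormation uses to poll deletion); re-check it whenever the stack grows, and look for AccessDenied events in CloudTrail if a deletion hangs.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: EventBridge Scheduler IAM Role scoped to deleting the timed stacks (added example)
Parameters:
  StackNamePrefix:
    Type: String
    Default: ssm-lab
    Description: Only stacks whose name starts with this prefix may be deleted (assumed naming convention)
Resources:
  Role:
    Type: AWS::IAM::Role
    Properties:
      Path: /
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: scheduler.amazonaws.com
            Action: sts:AssumeRole
            # Confused-deputy guard: only schedules created in this account can assume the role
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
      Policies:
        - PolicyName: DeleteTimedStack
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: DeleteOnlyMatchingStacks
                Effect: Allow
                Action: cloudformation:DeleteStack
                Resource: !Sub arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${StackNamePrefix}*/*
              # Assumed set for the endpoint + schedule stack on this page.
              # DescribeVpcEndpoints has no resource-level scoping, hence Resource "*".
              - Sid: DeleteStackResources
                Effect: Allow
                Action:
                  - ec2:DeleteVpcEndpoints
                  - ec2:DescribeVpcEndpoints
                  - scheduler:DeleteSchedule
                  - scheduler:GetSchedule
                Resource: "*"
Outputs:
  DeleteSchedulerRoleARN:
    Value: !GetAtt Role.Arn
    Export:
      Name: DeleteSchedulerRoleARN
```

Because the export name is the same, the schedule template's `!ImportValue DeleteSchedulerRoleARN` works unchanged; the stacks that are meant to self-delete must then be named with the chosen prefix.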
Create the endpoints
AWSTemplateFormatVersion: '2010-09-09'
Description: AWS CloudFormation template to create SSM, EC2 messages, and SSM messages endpoints.
Parameters:
  VPCId:
    Type: String
    Description: The ID of the VPC
  PrivateSubnetId:
    Type: String
    Description: The ID of the private subnet
  SSMEndpointSGId:
    Type: String
    Description: The ID of the security group for SSM endpoint
Resources:
  # SSM Endpoint
  # All three are interface endpoints (the default VpcEndpointType is Gateway, which these services do not support).
  # PrivateDnsEnabled makes ssm.<region>.amazonaws.com etc. resolve to the endpoint ENIs, which is what lets the
  # SSM Agent in a subnet with no NAT or internet gateway reach the service at all.
  SSMEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ssm'
      VpcEndpointType: Interface
      PrivateDnsEnabled: true
      VpcId: !Ref VPCId
      SubnetIds:
        - !Ref PrivateSubnetId
      SecurityGroupIds:
        - !Ref SSMEndpointSGId
  # EC2 Messages Endpoint
  EC2MessagesEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ec2messages'
      VpcEndpointType: Interface
      PrivateDnsEnabled: true
      VpcId: !Ref VPCId
      SubnetIds:
        - !Ref PrivateSubnetId
      SecurityGroupIds:
        - !Ref SSMEndpointSGId
  # SSM Messages Endpoint (Session Manager data channel)
  SSMMessagesEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ssmmessages'
      VpcEndpointType: Interface
      PrivateDnsEnabled: true
      VpcId: !Ref VPCId
      SubnetIds:
        - !Ref PrivateSubnetId
      SecurityGroupIds:
        - !Ref SSMEndpointSGId
Outputs:
  SSMEndpointId:
    Description: The SSM Endpoint ID
    Value: !Ref SSMEndpoint
    Export:
      Name: SSMEndpointId
  EC2MessagesEndpointId:
    Description: The EC2 Messages Endpoint ID
    Value: !Ref EC2MessagesEndpoint
    Export:
      Name: EC2MessagesEndpointId
  SSMMessagesEndpointId:
    Description: The SSM Messages Endpoint ID
    Value: !Ref SSMMessagesEndpoint
    Export:
      Name: SSMMessagesEndpointId
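Added example, not from the original page: an instance template that consumes the exports above (PrivateSubnetId, GeneralUseSGId, AmazonSSMManagedInstanceCoreIAMRole) to launch a host that has no public IP, no key pair and no inbound rule, and is reachable only through Session Manager over the three endpoints. The AMI lookup via the public SSM parameter, the instance type and the instance profile built here are assumptions of this example; the role name is derived from the exported ARN (arn:aws:iam::<account>:role/<name>) because AWS::IAM::InstanceProfile takes role names, not ARNs.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Private EC2 instance reachable only through SSM Session Manager (added example)
Parameters:
  # Assumption: resolve the latest Amazon Linux 2023 AMI from the public SSM parameter
  LatestAmiId:
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-x86_64
  InstanceType:
    Type: String
    Default: t3.micro
Resources:
  # Wrap the exported role in an instance profile; the role name is the part after "role/" in the ARN
  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Select
          - 1
          - !Split
            - "/"
            - !ImportValue AmazonSSMManagedInstanceCoreIAMRole
  PrivateInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref LatestAmiId
      InstanceType: !Ref InstanceType
      IamInstanceProfile: !Ref InstanceProfile
      SubnetId: !ImportValue PrivateSubnetId
      SecurityGroupIds:
        - !ImportValue GeneralUseSGId
      # No KeyName: there is no SSH path; Session Manager is the only way in
      MetadataOptions:
        HttpEndpoint: enabled
        HttpTokens: required   # IMDSv2 only, so the role credentials cannot be read with a plain GET
      Tags:
        - Key: Name
          Value: PrivateSSMInstance
Outputs:
  InstanceId:
    Value: !Ref PrivateInstance
```

Once the instance shows up in `aws ssm describe-instance-information`, `aws ssm start-session --target <instance-id>` opens a shell without any inbound network path; if it never appears, the usual causes are the endpoints lacking private DNS, the endpoint security group not admitting 443 from the subnet, or the instance profile missing.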
Timed deletion feature
Parameters:
  Hour:
    Description: Please type Delete Hour.
    Type: String
    Default: "13"
  Minute:
    Description: Please type Delete Minute.
    Type: String
    Default: "00"
Resources:
  EventSchedule:
    Type: AWS::Scheduler::Schedule
    Properties:
      Description: 'Delete Schedule'
      # Fields: minute hour day-of-month month day-of-week year; runs every day at Hour:Minute
      ScheduleExpression: !Sub "cron(${Minute} ${Hour} ? * * *)"
      ScheduleExpressionTimezone: "Asia/Tokyo"
      FlexibleTimeWindow:
        Mode: 'OFF'   # quoted: unquoted OFF would be read as a YAML boolean
      State: ENABLED
      Target:
        # Universal SDK target: calls CloudFormation DeleteStack on the stack this schedule lives in,
        # so the schedule removes itself together with everything else in the stack
        Arn: "arn:aws:scheduler:::aws-sdk:cloudformation:deleteStack"
        Input: !Sub "{ \"StackName\": \"${AWS::StackName}\" }"
        RoleArn: !ImportValue DeleteSchedulerRoleARN
Remaining test: merging the VPC endpoints and the EventBridge schedule
↓ The one that showed an error but went through
AWSTemplateFormatVersion: '2010-09-09'
Description: AWS CloudFormation template to create SSM, EC2 messages, and SSM messages endpoints.
Parameters:
  VPCId:
    Type: String
    Description: The ID of the VPC
  PrivateSubnetId:
    Type: String
    Description: The ID of the private subnet
  SSMEndpointSGId:
    Type: String
    Description: The ID of the security group for SSM endpoint
  # Enter the time at which the stack should delete itself
  Hour:
    Description: Please type Delete Hour.
    Type: String
    Default: "13"
  Minute:
    Description: Please type Delete Minute.
    Type: String
    Default: "00"
Resources:
  # SSM Endpoint
  # Interface endpoints with private DNS, so the SSM Agent resolves the service names to the endpoint ENIs
  SSMEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ssm'
      VpcEndpointType: Interface
      PrivateDnsEnabled: true
      VpcId: !Ref VPCId
      SubnetIds:
        - !Ref PrivateSubnetId
      SecurityGroupIds:
        - !Ref SSMEndpointSGId
  # EC2 Messages Endpoint
  EC2MessagesEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ec2messages'
      VpcEndpointType: Interface
      PrivateDnsEnabled: true
      VpcId: !Ref VPCId
      SubnetIds:
        - !Ref PrivateSubnetId
      SecurityGroupIds:
        - !Ref SSMEndpointSGId
  # SSM Messages Endpoint
  SSMMessagesEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ssmmessages'
      VpcEndpointType: Interface
      PrivateDnsEnabled: true
      VpcId: !Ref VPCId
      SubnetIds:
        - !Ref PrivateSubnetId
      SecurityGroupIds:
        - !Ref SSMEndpointSGId
  # Timed deletion
  EventSchedule:
    Type: AWS::Scheduler::Schedule
    Properties:
      Description: 'Delete Schedule'
      ScheduleExpression: !Sub "cron(${Minute} ${Hour} ? * * *)"
      ScheduleExpressionTimezone: "Asia/Tokyo"
      FlexibleTimeWindow:
        Mode: 'OFF'
      State: ENABLED
      Target:
        # Deletes this stack (endpoints and schedule). DeleteStack fails while another stack
        # still imports one of the Outputs below, so dependents must be deleted first.
        Arn: "arn:aws:scheduler:::aws-sdk:cloudformation:deleteStack"
        Input: !Sub "{ \"StackName\": \"${AWS::StackName}\" }"
        RoleArn: !ImportValue DeleteSchedulerRoleARN
Outputs:
  SSMEndpointId:
    Description: The SSM Endpoint ID
    Value: !Ref SSMEndpoint
    Export:
      Name: SSMEndpointId
  EC2MessagesEndpointId:
    Description: The EC2 Messages Endpoint ID
    Value: !Ref EC2MessagesEndpoint
    Export:
      Name: EC2MessagesEndpointId
  SSMMessagesEndpointId:
    Description: The SSM Messages Endpoint ID
    Value: !Ref SSMMessagesEndpoint
    Export:
      Name: SSMMessagesEndpointId