Creating a VPC endpoint only when SSM is needed, via CloudFormation, and deleting it automatically with EventBridge Scheduler

Creating the VPC and security groups

AWSTemplateFormatVersion: '2010-09-09'
Description: AWS CloudFormation template to create VPC, subnets, and security groups.

Resources:
  # VPC
  MyVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: MyVPC

  # Subnet
  MyPrivateSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      CidrBlock: 10.0.1.0/24
      VpcId: !Ref MyVPC
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: MyPrivateSubnet

  # Security Group for General Use
  GeneralUseSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group for general use
      VpcId: !Ref MyVPC
      SecurityGroupIngress: []
      Tags:
        - Key: Name
          Value: GeneralUseSG

  # Security Group for SSM Endpoint
  SSMEndpointSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group for SSM endpoint
      VpcId: !Ref MyVPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 10.0.1.0/24
      Tags:
        - Key: Name
          Value: SSMEndpointSG

Outputs:
  VPCId:
    Description: The VPC ID
    Value: !Ref MyVPC
    Export:
      Name: VPCId

  PrivateSubnetId:
    Description: The Private Subnet ID
    Value: !Ref MyPrivateSubnet
    Export:
      Name: PrivateSubnetId

  GeneralUseSGId:
    Description: The Security Group ID for general use
    Value: !Ref GeneralUseSG
    Export:
      Name: GeneralUseSGId

  SSMEndpointSGId:
    Description: The Security Group ID for SSM Endpoint
    Value: !Ref SSMEndpointSG
    Export:
      Name: SSMEndpointSGId

Creating the AmazonSSMManagedInstanceCore role

AWSTemplateFormatVersion: "2010-09-09"
Description: AmazonSSMManagedInstanceCore IAM Role
Resources:
  Role:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - 
            Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
      Path: /
Outputs:
  # Attach this role to instances through an AWS::IAM::InstanceProfile
  InstanceCoreRoleARN:
    Value: !GetAtt Role.Arn
    Export:
      Name: AmazonSSMManagedInstanceCoreIAMRole

Creating the EventBridge Scheduler role

AWSTemplateFormatVersion: "2010-09-09"
Description: EventBridge Scheduler IAM Role
Resources:
  Role:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          -
            Effect: "Allow"
            Principal:
              Service:
                - scheduler.amazonaws.com
            Action:
              - "sts:AssumeRole"
      ManagedPolicyArns:
        # PowerUserAccess is far broader than the single DeleteStack call this role makes
        - 'arn:aws:iam::aws:policy/PowerUserAccess'
      Path: "/"

Outputs:
  DeleteSchedulerRoleARN:
    Value: !GetAtt Role.Arn
    Export:
      Name: DeleteSchedulerRoleARN
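PowerUserAccess grants far more than the schedule needs. The template below is an added example, not the original post's, of the same role with a least-privilege inline policy: it may delete only the named stack, plus the resource-level actions CloudFormation issues with the caller's credentials when it tears that stack down (the VPC endpoints and, in the merged variant, the schedule itself). The TargetStackName parameter and the exact action list are my assumptions; the trust-policy condition limits who can assume the role to schedules in this account.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Least-privilege EventBridge Scheduler role for deleting one endpoint stack (added example)
Parameters:
  TargetStackName:
    Type: String
    Description: Name of the endpoint stack that the schedule is allowed to delete (assumed parameter)
Resources:
  Role:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: scheduler.amazonaws.com
            Action: sts:AssumeRole
            # Confused-deputy guard: only schedules in this account may assume the role
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
      Policies:
        - PolicyName: DeleteEndpointStackOnly
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # The only CloudFormation call the schedule makes, scoped to one stack name
              - Sid: DeleteOnlyTheNamedStack
                Effect: Allow
                Action: cloudformation:DeleteStack
                Resource: !Sub "arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${TargetStackName}/*"
              # Without a stack service role, CloudFormation removes resources with this role's
              # credentials, so it needs delete rights on the resource types the stack contains
              - Sid: DeleteVpcEndpointsInTheStack
                Effect: Allow
                Action: ec2:DeleteVpcEndpoints
                Resource: !Sub "arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:vpc-endpoint/*"
              - Sid: DescribeEndpointsWhileStabilizing
                Effect: Allow
                Action: ec2:DescribeVpcEndpoints
                Resource: "*"
              # Needed only when the schedule lives in the same stack (merged template)
              - Sid: DeleteTheScheduleItself
                Effect: Allow
                Action:
                  - scheduler:DeleteSchedule
                  - scheduler:GetSchedule
                Resource: !Sub "arn:aws:scheduler:${AWS::Region}:${AWS::AccountId}:schedule/default/*"
      Path: "/"
Outputs:
  DeleteSchedulerRoleARN:
    Value: !GetAtt Role.Arn
    Export:
      Name: DeleteSchedulerRoleARN
```

Deletion still fails if another stack imports the endpoint stack's exports, so drop or stop importing them before the scheduled time.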

Creating the endpoints

AWSTemplateFormatVersion: '2010-09-09'
Description: AWS CloudFormation template to create SSM, EC2 messages, and SSM messages endpoints.

Parameters:
  VPCId:
    Type: String
    Description: The ID of the VPC
  PrivateSubnetId:
    Type: String
    Description: The ID of the private subnet
  SSMEndpointSGId:
    Type: String
    Description: The ID of the security group for SSM endpoint

Resources:
  # SSM Endpoint
  SSMEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ssm'
      VpcId: !Ref VPCId
      SubnetIds:
        - !Ref PrivateSubnetId
      SecurityGroupIds:
        - !Ref SSMEndpointSGId

  # EC2 Messages Endpoint
  EC2MessagesEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ec2messages'
      VpcId: !Ref VPCId
      SubnetIds:
        - !Ref PrivateSubnetId
      SecurityGroupIds:
        - !Ref SSMEndpointSGId

  # SSM Messages Endpoint
  SSMMessagesEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ssmmessages'
      VpcId: !Ref VPCId
      SubnetIds:
        - !Ref PrivateSubnetId
      SecurityGroupIds:
        - !Ref SSMEndpointSGId

Outputs:
  SSMEndpointId:
    Description: The SSM Endpoint ID
    Value: !Ref SSMEndpoint
    Export:
      Name: SSMEndpointId

  EC2MessagesEndpointId:
    Description: The EC2 Messages Endpoint ID
    Value: !Ref EC2MessagesEndpoint
    Export:
      Name: EC2MessagesEndpointId

  SSMMessagesEndpointId:
    Description: The SSM Messages Endpoint ID
    Value: !Ref SSMMessagesEndpoint
    Export:
      Name: SSMMessagesEndpointId

Timed deletion

Parameters:
  Hour:
    Description: Please type Delete Hour.
    Type: String
    Default: "13"
  Minute:
    Description: Please type Delete Minute.
    Type: String
    Default: "00"
  
Resources:
  EventSchedule:
    Type: AWS::Scheduler::Schedule
    Properties:
      Description: 'Delete Schedule'
      # Fires every day at Hour:Minute JST; the first run deletes this stack, and the schedule with it
      ScheduleExpression: !Sub "cron(${Minute} ${Hour} ? * * *)"
      ScheduleExpressionTimezone: "Asia/Tokyo"
      FlexibleTimeWindow:
        Mode: 'OFF'
      State: ENABLED
      Target:
        Arn: "arn:aws:scheduler:::aws-sdk:cloudformation:deleteStack"
        Input: !Sub "{ \"StackName\": \"${AWS::StackName}\" }"
        RoleArn: !ImportValue DeleteSchedulerRoleARN

Remaining test: merging the VPC endpoint template with the EventBridge one
↓ The version below showed errors but went through

AWSTemplateFormatVersion: '2010-09-09'
Description: AWS CloudFormation template to create SSM, EC2 messages, and SSM messages endpoints.

Parameters:
  VPCId:
    Type: String
    Description: The ID of the VPC
  PrivateSubnetId:
    Type: String
    Description: The ID of the private subnet
  SSMEndpointSGId:
    Type: String
    Description: The ID of the security group for SSM endpoint
  # Enter the time at which the stack should be deleted
  Hour:
    Description: Please type Delete Hour.
    Type: String
    Default: "13"
  Minute:
    Description: Please type Delete Minute.
    Type: String
    Default: "00"

Resources:
  # SSM Endpoint
  SSMEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ssm'
      VpcId: !Ref VPCId
      SubnetIds:
        - !Ref PrivateSubnetId
      SecurityGroupIds:
        - !Ref SSMEndpointSGId

  # EC2 Messages Endpoint
  EC2MessagesEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ec2messages'
      VpcId: !Ref VPCId
      SubnetIds:
        - !Ref PrivateSubnetId
      SecurityGroupIds:
        - !Ref SSMEndpointSGId

  # SSM Messages Endpoint
  SSMMessagesEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ssmmessages'
      VpcId: !Ref VPCId
      SubnetIds:
        - !Ref PrivateSubnetId
      SecurityGroupIds:
        - !Ref SSMEndpointSGId
  # Timed deletion
  EventSchedule:
    Type: AWS::Scheduler::Schedule
    Properties:
      Description: 'Delete Schedule'
      ScheduleExpression: !Sub "cron(${Minute} ${Hour} ? * * *)"
      ScheduleExpressionTimezone: "Asia/Tokyo"
      FlexibleTimeWindow:
        Mode: 'OFF'
      State: ENABLED
      Target:
        Arn: "arn:aws:scheduler:::aws-sdk:cloudformation:deleteStack"
        Input: !Sub "{ \"StackName\": \"${AWS::StackName}\" }"
        RoleArn: !ImportValue DeleteSchedulerRoleARN


Outputs:
  SSMEndpointId:
    Description: The SSM Endpoint ID
    Value: !Ref SSMEndpoint
    Export:
      Name: SSMEndpointId

  EC2MessagesEndpointId:
    Description: The EC2 Messages Endpoint ID
    Value: !Ref EC2MessagesEndpoint
    Export:
      Name: EC2MessagesEndpointId

  SSMMessagesEndpointId:
    Description: The SSM Messages Endpoint ID
    Value: !Ref SSMMessagesEndpoint
    Export:
      Name: SSMMessagesEndpointId
