CloudFormationをとりあえず実行してみたい人のためのチュートリアル

#はじめに
この記事はLIFULL Advent Calendar2018その２の22日目の記事です。
AWSでインフラ構築をしたことはあるけど、CloudFormationという単語はなんとなく避けておりました。
ですが、意を決して取り組んでみると思いの外簡単・便利だったので、とりあえず言葉だけ知っていて試してみたいと思っている方向けに、簡単に実行できるチュートリアルを作りました。
※テンプレートの説明は反響があれば別記事で書こうと思います。

#CloudFormationで構築する環境
今回、CloudFormation（CFNと略すらしいです）を使って構築するインフラ構成は下図のようなシンプルなものにしました。

#準備
まず、AWSをcliで実行するためのインストールを行います。

$ sudo easy_install pip
$ sudo pip install awscli
$ aws --version

次に、AWSコンソール上でアクセスキーを発行し、下記の通り登録を行います。

$ aws configure --profile cfn
AWS Access Key ID [None]: 発行したアクセスキー
AWS Secret Access Key [None]: 発行したシークレットアクセスキー
Default region name [None]: ap-northeast-1
Default output format [None]:

また、インスタンスを作成する際に必要なキーペアをsampleという名前で作成してダウンロードしておきます。

#実行手順
テンプレートファイルは、ページ下部のものをコピーしてください。（行数がすごいですが殆どサブネット関連の定義の繰り返しだったりします）
下記のコマンドでローカルからcfnを実行します。
※file://のパスはテンプレートを配置した場所によって異なります

$ ls -al
total 24
-rw-r--r--  1 shodak  shodak  10170 12 22 17:59 sample-template.yml
$ aws cloudformation create-stack --stack-name sample --template-body file://sample-template.yml --profile cfn

下記のリンクから実際にスタックが実行されているところが見れると思います。
https://ap-northeast-1.console.aws.amazon.com/cloudformation/home?region=ap-northeast-1#/stacks

構成図の通りにできているかと思います。
試しにbastionサーバーとapplicationサーバーにsshログインしてみます。
※面倒なので.ssh/configに下記の設定を追加しました。

~/.ssh/config

Host sample-bastion
  User ec2-user
  HostName 18.182.92.135
  Port 22
  Identityfile ~/.ssh/sample.pem

Host sample-application
  User ec2-user
  HostName 172.31.254.253
  Port 22
  Identityfile ~/.ssh/sample.pem
  ProxyCommand ssh -W %h:%p sample-bastion

$ mv Downloads/sample.pem ~/.ssh/
# 鍵の権限変更を忘れずに
$ chmod 400 ~/.ssh/sample.pem
$ ssh sample-bastion

       __|  __|_  )
       _|  (     /   Amazon Linux 2 AMI
      ___|\___|___|

https://aws.amazon.com/amazon-linux-2/
15 package(s) needed for security, out of 16 available
Run "sudo yum update" to apply all updates.
[ec2-user@ip-172-31-0-65 ~]$

bastionサーバーにログインできたので、applicationサーバーも試します。

$ ssh sample-application

       __|  __|_  )
       _|  (     /   Amazon Linux 2 AMI
      ___|\___|___|

https://aws.amazon.com/amazon-linux-2/
[ec2-user@ip-172-31-254-103 ~]$ curl http://google.com
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>

applicationサーバーにもログインでき、外部にも疎通していることが確認できました。
一通り確認したらstackを削除しましょう。
stackを削除することで、cloudformationによって生成されたリソースが全て削除されるため、お試しで環境を作りたい時に撤収が捗ります。

#今回実行したサンプルテンプレート

sample-template.yml

AWSTemplateFormatVersion: 2010-09-09
Description: Sample-template
Resources:
  VpcTemplate:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 172.31.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true
      InstanceTenancy: default
      Tags:
        - Key: Name
          Value: sample
  BastionEIP:
    Type: AWS::EC2::EIP
    Properties:
      InstanceId:
        Ref: BastionInstance
      Domain:
        Ref: VpcTemplate
  NatGatewayEIP:
    Type: AWS::EC2::EIP
    Properties:
      Domain:
        Ref: VpcTemplate
  IGW:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: sample-igw
  NatGateway:
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId:
        Fn::GetAtt:
        - NatGatewayEIP
        - AllocationId
      SubnetId:
        Ref: PublicSubnet1a
      Tags:
        - Key: Name
          Value: sample-nat-gateway
  VpcIgwAttach:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId:
        Ref: VpcTemplate
      InternetGatewayId:
        Ref: IGW
  PublicSubnet1a:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId:
        Ref: VpcTemplate
      CidrBlock: 172.31.0.0/24
      AvailabilityZone: ap-northeast-1a
      Tags:
        - Key: Name
          Value: public-subnet-1a
  PublicSubnet1c:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId:
        Ref: VpcTemplate
      CidrBlock: 172.31.1.0/24
      AvailabilityZone: ap-northeast-1c
      Tags:
        - Key: Name
          Value: public-subnet-1c
  PrivateSubnet1a:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId:
        Ref: VpcTemplate
      CidrBlock: 172.31.254.0/24
      AvailabilityZone: ap-northeast-1a
      Tags:
        - Key: Name
          Value: private-subnet-1a
  PublicSubnetRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId:
        Ref: VpcTemplate
      Tags:
        - Key: Name
          Value: public-igw
  PrivateSubnetRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId:
        Ref: VpcTemplate
      Tags:
        - Key: Name
          Value: private-nat
  PublicSubnetRouteTableAssociationA:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId:
        Ref: PublicSubnet1a
      RouteTableId:
        Ref: PublicSubnetRouteTable
  PublicSubnetRouteTableAssociationC:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId:
        Ref: PublicSubnet1c
      RouteTableId:
        Ref: PublicSubnetRouteTable
  PrivateSubnetRouteTableAssociationA:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId:
        Ref: PrivateSubnet1a
      RouteTableId:
        Ref: PrivateSubnetRouteTable
  RouteTableIGWAssociation:
    Type: AWS::EC2::Route
    Properties:
      DestinationCidrBlock: 0.0.0.0/0
      RouteTableId:
        Ref: PublicSubnetRouteTable
      GatewayId:
        Ref: IGW
  RouteTableNatGatewayAssociation:
    Type: AWS::EC2::Route
    Properties:
      DestinationCidrBlock: 0.0.0.0/0
      RouteTableId:
        Ref: PrivateSubnetRouteTable
      NatGatewayId:
        Ref: NatGateway
  AclPublic:
    Type: AWS::EC2::NetworkAcl
    Properties:
      VpcId:
        Ref: VpcTemplate
      Tags:
        - Key: Name
          Value: public
  AclPrivate:
    Type: AWS::EC2::NetworkAcl
    Properties:
      VpcId:
        Ref: VpcTemplate
      Tags:
        - Key: Name
          Value: private
  AclPublicInSsh:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      CidrBlock: 0.0.0.0/0
      Egress: false
      Protocol: 6
      PortRange:
        From: 22
        To: 22
      RuleAction: allow
      RuleNumber: 100
      NetworkAclId:
        Ref: AclPublic
  AclPublicInHttp:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      CidrBlock: 0.0.0.0/0
      Egress: false
      Protocol: 6
      PortRange:
        From: 80
        To: 80
      RuleAction: allow
      RuleNumber: 200
      NetworkAclId:
        Ref: AclPublic
  AclPublicInHttps:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      CidrBlock: 0.0.0.0/0
      Egress: false
      Protocol: 6
      PortRange:
        From: 443
        To: 443
      RuleAction: allow
      RuleNumber: 300
      NetworkAclId:
        Ref: AclPublic
  AclPublicEphemeralIn:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      CidrBlock: 0.0.0.0/0
      Egress: false
      Protocol: 6
      PortRange:
        From: 1024
        To: 65535
      RuleAction: allow
      RuleNumber: 400
      NetworkAclId:
        Ref: AclPublic
  AclPublicIn:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      CidrBlock: 172.31.0.0/23
      Egress: false
      Protocol: -1
      RuleAction: allow
      RuleNumber: 500
      NetworkAclId:
        Ref: AclPublic
  AclPublicOutSsh:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      CidrBlock: 0.0.0.0/0
      Egress: true
      Protocol: 6
      PortRange:
        From: 22
        To: 22
      RuleAction: allow
      RuleNumber: 100
      NetworkAclId:
        Ref: AclPublic
  AclPublicOutHttp:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      CidrBlock: 0.0.0.0/0
      Egress: true
      Protocol: 6
      PortRange:
        From: 80
        To: 80
      RuleAction: allow
      RuleNumber: 200
      NetworkAclId:
        Ref: AclPublic
  AclPublicOutHttps:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      CidrBlock: 0.0.0.0/0
      Egress: true
      Protocol: 6
      PortRange:
        From: 443
        To: 443
      RuleAction: allow
      RuleNumber: 300
      NetworkAclId:
        Ref: AclPublic
  AclPublicEphemeralOut:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      CidrBlock: 0.0.0.0/0
      Egress: true
      Protocol: 6
      PortRange:
        From: 1024
        To: 65535
      RuleAction: allow
      RuleNumber: 400
      NetworkAclId:
        Ref: AclPublic
  AclPublicOut:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      CidrBlock: 172.31.0.0/23
      Egress: true
      Protocol: -1
      RuleAction: allow
      RuleNumber: 500
      NetworkAclId:
        Ref: AclPublic
  AclPrivateInSsh:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      CidrBlock: 172.31.0.0/23
      Egress: false
      Protocol: 6
      PortRange:
        From: 22
        To: 22
      RuleAction: allow
      RuleNumber: 100
      NetworkAclId:
        Ref: AclPrivate
  AclPrivateInHttp:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      CidrBlock: 172.31.0.0/23
      Egress: false
      Protocol: 6
      PortRange:
        From: 80
        To: 80
      RuleAction: allow
      RuleNumber: 200
      NetworkAclId:
        Ref: AclPrivate
  AclPrivateInHttps:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      CidrBlock: 172.31.0.0/23
      Egress: false
      Protocol: 6
      PortRange:
        From: 443
        To: 443
      RuleAction: allow
      RuleNumber: 300
      NetworkAclId:
        Ref: AclPrivate
  AclPrivateEphemeralIn:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      CidrBlock: 0.0.0.0/0
      Egress: false
      Protocol: 6
      PortRange:
        From: 1024
        To: 65535
      RuleAction: allow
      RuleNumber: 400
      NetworkAclId:
        Ref: AclPrivate
  AclPrivateOutHttp:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      CidrBlock: 0.0.0.0/0
      Egress: true
      Protocol: 6
      PortRange:
        From: 80
        To: 80
      RuleAction: allow
      RuleNumber: 200
      NetworkAclId:
        Ref: AclPrivate
  AclPrivateOutHttps:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      CidrBlock: 0.0.0.0/0
      Egress: true
      Protocol: 6
      PortRange:
        From: 443
        To: 443
      RuleAction: allow
      RuleNumber: 300
      NetworkAclId:
        Ref: AclPrivate
  AclPrivateEphemeralOut:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      CidrBlock: 0.0.0.0/0
      Egress: true
      Protocol: 6
      PortRange:
        From: 1024
        To: 65535
      RuleAction: allow
      RuleNumber: 400
      NetworkAclId:
        Ref: AclPrivate
  PublicSubnet1aAclAssociation:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      SubnetId:
        Ref: PublicSubnet1a
      NetworkAclId:
        Ref: AclPublic
  PublicSubnet1cAclAssociation:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      SubnetId:
        Ref: PublicSubnet1c
      NetworkAclId:
        Ref: AclPublic
  PrivateSubnetAclAssociation:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      SubnetId:
        Ref: PrivateSubnet1a
      NetworkAclId:
        Ref: AclPrivate
  BastionSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId:
        Ref: VpcTemplate
      GroupDescription: SG for Bastion
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
      Tags:
        - Key: Name
          Value: bastion-sg
  ApplicationSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId:
        Ref: VpcTemplate
      GroupDescription: SG for Application
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          SourceSecurityGroupId:
            Ref: BastionSecurityGroup
      Tags:
        - Key: Name
          Value: bastion-sg
  BastionInstance:
    Type: AWS::EC2::Instance
    Properties:
      LaunchTemplate:
        LaunchTemplateId:
          Ref: BastionInstanceLaunchTemplate
        Version:
          Fn::GetAtt: 'BastionInstanceLaunchTemplate.LatestVersionNumber'
      SubnetId:
        Ref: PublicSubnet1a
      Tags:
        - Key: Name
          Value: bastion
  ApplicationInstance:
    Type: AWS::EC2::Instance
    Properties:
      LaunchTemplate:
        LaunchTemplateId:
          Ref: ApplicationInstanceLaunchTemplate
        Version:
          Fn::GetAtt: 'ApplicationInstanceLaunchTemplate.LatestVersionNumber'
      SubnetId:
        Ref: PrivateSubnet1a
      Tags:
        - Key: Name
          Value: application
  BastionInstanceLaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateData:
        SecurityGroupIds:
          - Ref: BastionSecurityGroup
        InstanceInitiatedShutdownBehavior: stop
        KeyName: sample
        ImageId: ami-0a2de1c3b415889d2
        Monitoring:
          Enabled: false
        CreditSpecification:
          CpuCredits: standard
        InstanceType: t2.micro
        BlockDeviceMappings:
          - DeviceName: /dev/xvda
            Ebs:
              VolumeSize: 8
              VolumeType: gp2
              DeleteOnTermination: true
  ApplicationInstanceLaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateData:
        SecurityGroupIds:
          - Ref: ApplicationSecurityGroup
        InstanceInitiatedShutdownBehavior: stop
        KeyName: sample
        ImageId: ami-0a2de1c3b415889d2
        Monitoring:
          Enabled: false
        CreditSpecification:
          CpuCredits: standard
        InstanceType: t2.micro
        BlockDeviceMappings:
          - DeviceName: /dev/xvda
            Ebs:
              VolumeSize: 8
              VolumeType: gp2
              DeleteOnTermination: true

#最後に
cfnで何かのリソースを定義したい時は、公式のリファレンスをみつつ、具体例が欲しいところはググって調べています。
sampleのテンプレートではパラメータを活用していなかったり、NACLの定義のところが冗長だったりするので、もっと簡潔にかけるようにこれから努力したいと思います。