1. はじめに
- 作成するリソース概要
sample.json
"Resources": {
"VPC": {
"Type": "AWS::EC2::VPC",
"InternetGateway": {
"Type": "AWS::EC2::InternetGateway",
"VPCGatewayAttachment": {
"Type": "AWS::EC2::VPCGatewayAttachment",
"SecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"LogsLogGroupCloudTrail": {
"Type": "AWS::Logs::LogGroup",
"Route53HostedZoneInternal": {
"Type": "AWS::Route53::HostedZone",
"DHCPOptions": {
"Type": "AWS::EC2::DHCPOptions",
"VPCDHCPOptionsAssociation": {
"Type": "AWS::EC2::VPCDHCPOptionsAssociation",
"SNSTopicCrit": {
"Type": "AWS::SNS::Topic",
"SNSTopicWarn": {
"Type": "AWS::SNS::Topic",
"SNSTopicInfo": {
"Type": "AWS::SNS::Topic",
"S3BucketCloudTrail": {
"Type": "AWS::S3::Bucket",
"S3BucketPolicyCloudTrail": {
"Type": "AWS::S3::BucketPolicy",
"IAMRoleCloudTrailCloudWatchLogs": {
"Type": "AWS::IAM::Role",
"IAMRoleEC2CloudWatchLogs": {
"Type": "AWS::IAM::Role",
"IAMInstanceProfileIAMRoleEC2CloudWatchLogs": {
"Type": "AWS::IAM::InstanceProfile",
"CloudTrail": {
"Type": "AWS::CloudTrail::Trail",
"IAMRoleOpsWorksEC2": {
"Type": "AWS::IAM::Role",
"IAMInstanceProfileOpsWorksEC2": {
"Type": "AWS::IAM::InstanceProfile",
"IAMRoleOpsWorksService": {
"Type": "AWS::IAM::Role",
"RouteTable": {
"Type": "AWS::EC2::RouteTable",
"Route": {
"Type": "AWS::EC2::Route",
"Subnet": {
"Type": "AWS::EC2::Subnet",
"SubnetRouteTableAssociation": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"OpsWorksStack": {
"Type": "AWS::OpsWorks::Stack",
"OpsWorksLayer": {
"Type": "AWS::OpsWorks::Layer",
"Properties": {
"CustomRecipes": {
"Setup": [
"bashrc::default",
"basic-package-install::default",
"cloudwatchlogs-install::default",
"disable-ipv6::default",
"etc_logrotateconf::default",
"etc_profile-history_prompt::default",
"etc_ssh_sshdconfig-security::default",
"etc_sysconfig_ntpd::default",
"etc_yumconf-keepcache::default",
"iptables_off::default",
"lang::default",
"monit-basicsetting::default",
"monit-install::default",
"postfix::default",
"rsyslog::default",
"sysstat::default",
"system-scripts::default",
"timezone::default"
}
"OpsWorksInstance" : {
"Type": "AWS::OpsWorks::Instance",
- 使用上の注意は、こちら
2. 制限
- AWS::OpsWorks::Layer (OpsWorksLayer) Shortname: only lower-case a-z, 0-9, and the characters - or _ are allowed
3. テンプレート
sample.json
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "sample.json",
"Parameters": {
"AccountCodeName": {
"Description": "AWS Account Code name",
"Type": "String",
"ConstraintDescription": "Enter the AWS account code name."
},
"GitSSHKey": {
"Description": "Replace the newlines in the SSH key with commas.",
"Type": "CommaDelimitedList",
"NoEcho": "true"
}
},
"Resources": {
"VPC": {
"Type": "AWS::EC2::VPC",
"Properties": {
"EnableDnsSupport": "true",
"EnableDnsHostnames": "true",
"CidrBlock": "10.1.0.0/16",
"Tags": [
{
"Key": "Name",
"Value": "demo"
}
]
}
},
"InternetGateway": {
"Type": "AWS::EC2::InternetGateway",
"Properties": {
"Tags": [
{
"Key": "Name",
"Value": "demo"
}
]
}
},
"VPCGatewayAttachment": {
"Type": "AWS::EC2::VPCGatewayAttachment",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"InternetGatewayId": {
"Ref": "InternetGateway"
}
}
},
"SecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "demo",
"VpcId": {
"Ref": "VPC"
},
"Tags": [
{
"Key": "Name",
"Value": "demo"
}
],
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"CidrIp": "10.1.0.0/16",
"FromPort": "22",
"ToPort": "22"
},
{
"IpProtocol": "tcp",
"CidrIp": "xxx.xxx.xxx.xxx/32",
"FromPort": "22",
"ToPort": "22"
}
]
}
},
"LogsLogGroupCloudTrail": {
"Type": "AWS::Logs::LogGroup",
"Properties": {
"RetentionInDays": 7
}
},
"Route53HostedZoneInternal": {
"Type": "AWS::Route53::HostedZone",
"Properties": {
"HostedZoneConfig": {
"Comment": "Internal DNS"
},
"Name": {
"Fn::Join": [
"",
[
{
"Ref": "AccountCodeName"
},
".local"
]
]
},
"VPCs": [
{
"VPCId": {
"Ref": "VPC"
},
"VPCRegion": "ap-northeast-1"
}
]
}
},
"DHCPOptions": {
"Type": "AWS::EC2::DHCPOptions",
"Properties": {
"DomainName": {
"Fn::Join": [
"",
[
"ap-northeast-1.compute.internal ",
{
"Ref": "AccountCodeName"
},
".local"
]
]
},
"DomainNameServers": [
"AmazonProvidedDNS"
],
"Tags": [
{
"Key": "Name",
"Value": {
"Ref": "AccountCodeName"
}
}
]
}
},
"VPCDHCPOptionsAssociation": {
"Type": "AWS::EC2::VPCDHCPOptionsAssociation",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"DhcpOptionsId": {
"Ref": "DHCPOptions"
}
}
},
"SNSTopicCrit": {
"Type": "AWS::SNS::Topic",
"Properties": {
"Subscription": [
{
"Endpoint": "xxx@xxx.xx",
"Protocol": "email"
}
],
"TopicName": {
"Fn::Join": [
"-",
[
{
"Ref": "AccountCodeName"
},
"crit"
]
]
},
"DisplayName": {
"Ref": "AccountCodeName"
}
}
},
"SNSTopicWarn": {
"Type": "AWS::SNS::Topic",
"Properties": {
"Subscription": [
{
"Endpoint": "xxx@xxx.xx",
"Protocol": "email"
}
],
"TopicName": {
"Fn::Join": [
"-",
[
{
"Ref": "AccountCodeName"
},
"warn"
]
]
},
"DisplayName": {
"Ref": "AccountCodeName"
}
}
},
"SNSTopicInfo": {
"Type": "AWS::SNS::Topic",
"Properties": {
"Subscription": [
{
"Endpoint": "xxx@xxx.xx",
"Protocol": "email"
}
],
"TopicName": {
"Fn::Join": [
"-",
[
{
"Ref": "AccountCodeName"
},
"info"
]
]
},
"DisplayName": {
"Ref": "AccountCodeName"
}
}
},
"S3BucketCloudTrail": {
"DeletionPolicy": "Retain",
"Type": "AWS::S3::Bucket",
"Properties": {
"BucketName": {
"Fn::Join": [
"",
[
{
"Ref": "AccountCodeName"
},
"-cloudtrail-logs"
]
]
}
}
},
"S3BucketPolicyCloudTrail": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"Bucket": {
"Ref": "S3BucketCloudTrail"
},
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSCloudTrailAclCheck",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:s3:::",
{
"Ref": "S3BucketCloudTrail"
}
]
]
}
},
{
"Sid": "AWSCloudTrailWrite",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:s3:::",
{
"Ref": "S3BucketCloudTrail"
},
"/AWSLogs/",
{
"Ref": "AWS::AccountId"
},
"/*"
]
]
},
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
}
]
}
}
},
"IAMRoleCloudTrailCloudWatchLogs": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"cloudtrail.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Path": "/",
"RoleName": "CloudTrail_CloudWatchLogs",
"Policies": [
{
"PolicyName": "CloudTrail_CloudWatchLogs",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
{
"Fn::GetAtt": [
"LogsLogGroupCloudTrail",
"Arn"
]
}
]
}
]
}
}
]
}
},
"IAMRoleEC2CloudWatchLogs": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"ec2.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Path": "/",
"RoleName": "EC2_CloudWatchLogs",
"Policies": [
{
"PolicyName": "EC2_CloudWatchLogs",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:DescribeLogStreams"
],
"Resource": [
"arn:aws:logs:*:*:*"
]
}
]
}
}
]
}
},
"IAMInstanceProfileIAMRoleEC2CloudWatchLogs": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Path": "/",
"Roles": [
{
"Ref": "IAMRoleEC2CloudWatchLogs"
}
]
}
},
"CloudTrail": {
"Type": "AWS::CloudTrail::Trail",
"Properties": {
"CloudWatchLogsLogGroupArn": {
"Fn::GetAtt": [
"LogsLogGroupCloudTrail",
"Arn"
]
},
"CloudWatchLogsRoleArn": {
"Fn::GetAtt": [
"IAMRoleCloudTrailCloudWatchLogs",
"Arn"
]
},
"IncludeGlobalServiceEvents": true,
"IsLogging": true,
"IsMultiRegionTrail": true,
"S3BucketName": {
"Ref": "S3BucketCloudTrail"
}
}
},
"IAMRoleOpsWorksEC2": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2008-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
},
"Path": "/",
"RoleName": "OpsWorks_EC2"
}
},
"IAMInstanceProfileOpsWorksEC2": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Path": "/",
"Roles": [
{
"Ref": "IAMRoleOpsWorksEC2"
}
]
}
},
"IAMRoleOpsWorksService": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2008-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "opsworks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
},
"Path": "/",
"RoleName": "OpsWorks_Service",
"Policies": [
{
"PolicyName": "OpsWorks_Service",
"PolicyDocument": {
"Statement": [
{
"Action": [
"ec2:*",
"iam:PassRole",
"cloudwatch:GetMetricStatistics",
"cloudwatch:DescribeAlarms",
"ecs:*",
"elasticloadbalancing:*",
"rds:*"
],
"Effect": "Allow",
"Resource": [
"*"
]
}
]
}
}
]
}
},
"RouteTable": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"Tags": [
{
"Key": "Name",
"Value": "demo"
}
]
}
},
"Route": {
"Type": "AWS::EC2::Route",
"Properties": {
"RouteTableId": {
"Ref": "RouteTable"
},
"DestinationCidrBlock": "0.0.0.0/0",
"GatewayId": {
"Ref": "InternetGateway"
}
}
},
"Subnet": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"AvailabilityZone": "ap-northeast-1a",
"CidrBlock": "10.1.0.0/24",
"Tags": [
{
"Key": "Name",
"Value": "demo"
}
]
}
},
"SubnetRouteTableAssociation": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"SubnetId": {
"Ref": "Subnet"
},
"RouteTableId": {
"Ref": "RouteTable"
}
}
},
"OpsWorksStack": {
"Type": "AWS::OpsWorks::Stack",
"Properties": {
"Name": "ami",
"ConfigurationManager": {
"Name": "Chef",
"Version": "12"
},
"UseCustomCookbooks": "true",
"CustomCookbooksSource": {
"Type": "git",
"Url": "git@github.com:tonishy/awsec2-settings.git",
"Revision": "master",
"SshKey": {
"Fn::Join": [
"\n",
{
"Ref": "GitSSHKey"
}
]
}
},
"VpcId": {
"Ref": "VPC"
},
"DefaultSubnetId": {
"Ref": "Subnet"
},
"DefaultInstanceProfileArn": {
"Fn::GetAtt": [
"IAMInstanceProfileOpsWorksEC2",
"Arn"
]
},
"ServiceRoleArn": {
"Fn::GetAtt": [
"IAMRoleOpsWorksService",
"Arn"
]
},
"DefaultOs": "Amazon Linux 2016.03",
"DefaultRootDeviceType": "ebs",
"DefaultSshKeyName": "aws-tonishy",
"HostnameTheme": "Layer_Dependent",
"UseOpsworksSecurityGroups": "false"
}
},
"OpsWorksLayer": {
"Type": "AWS::OpsWorks::Layer",
"Properties": {
"Type": "custom",
"Name": "demo",
"Shortname": "demo",
"StackId": {
"Ref": "OpsWorksStack"
},
"EnableAutoHealing": "true",
"CustomRecipes": {
"Setup": [
"bashrc::default",
"basic-package-install::default",
"cloudwatchlogs-install::default",
"disable-ipv6::default",
"etc_logrotateconf::default",
"etc_profile-history_prompt::default",
"etc_ssh_sshdconfig-security::default",
"etc_sysconfig_ntpd::default",
"etc_yumconf-keepcache::default",
"iptables_off::default",
"lang::default",
"monit-basicsetting::default",
"monit-install::default",
"postfix::default",
"rsyslog::default",
"sysstat::default",
"system-scripts::default",
"timezone::default"
]
},
"AutoAssignPublicIps": "true",
"AutoAssignElasticIps": "false",
"CustomSecurityGroupIds": [
{"Ref": "SecurityGroup"}
],
"CustomInstanceProfileArn": {
"Fn::GetAtt": [
"IAMInstanceProfileIAMRoleEC2CloudWatchLogs",
"Arn"
]
}
}
},
"OpsWorksInstance" : {
"Type": "AWS::OpsWorks::Instance",
"Properties": {
"StackId" : {"Ref": "OpsWorksStack"},
"LayerIds" : [ {"Ref": "OpsWorksLayer"}],
"InstanceType" : "t2.micro"
}
}
},
"Outputs": {
"VPC": {
"Description": "Name:demo",
"Value": {
"Ref": "VPC"
}
},
"InternetGateway": {
"Description": "Name:demo",
"Value": {
"Ref": "InternetGateway"
}
},
"VPCGatewayAttachment": {
"Value": {
"Ref": "VPCGatewayAttachment"
}
},
"SecurityGroup": {
"Description": "Name:demo",
"Value": {
"Ref": "SecurityGroup"
}
},
"LogsLogGroupCloudTrail": {
"Description": "Name:demo",
"Value": {
"Fn::GetAtt": [
"LogsLogGroupCloudTrail",
"Arn"
]
}
},
"Route53HostedZoneInternal": {
"Description": "Internal DNS",
"Value": {
"Ref": "Route53HostedZoneInternal"
}
},
"VPCDHCPOptionsAssociation": {
"Value": {
"Ref": "VPCDHCPOptionsAssociation"
}
},
"SNSTopicCrit": {
"Value": {
"Fn::GetAtt": [
"SNSTopicCrit",
"TopicName"
]
}
},
"SNSTopicWarn": {
"Value": {
"Fn::GetAtt": [
"SNSTopicWarn",
"TopicName"
]
}
},
"SNSTopicInfo": {
"Value": {
"Fn::GetAtt": [
"SNSTopicInfo",
"TopicName"
]
}
},
"S3BucketCloudTrail": {
"Value": {
"Ref": "S3BucketCloudTrail"
}
},
"S3BucketPolicyCloudTrail": {
"Value": {
"Ref": "S3BucketPolicyCloudTrail"
}
},
"IAMRoleCloudTrailCloudWatchLogs": {
"Value": {
"Ref": "IAMRoleCloudTrailCloudWatchLogs"
}
},
"IAMRoleEC2CloudWatchLogs": {
"Description": "Name:template",
"Value": {
"Ref": "IAMRoleEC2CloudWatchLogs"
}
},
"IAMInstanceProfileIAMRoleEC2CloudWatchLogs": {
"Description": "Name:template",
"Value": {
"Fn::GetAtt": [
"IAMInstanceProfileIAMRoleEC2CloudWatchLogs",
"Arn"
]
}
},
"CloudTrail": {
"Value": {
"Ref": "CloudTrail"
}
},
"IAMRoleOpsWorksEC2": {
"Value": {
"Fn::GetAtt": [
"IAMRoleOpsWorksEC2",
"Arn"
]
}
},
"IAMInstanceProfileOpsWorksEC2": {
"Value": {
"Fn::GetAtt": [
"IAMInstanceProfileOpsWorksEC2",
"Arn"
]
}
},
"IAMRoleOpsWorksService": {
"Value": {
"Fn::GetAtt": [
"IAMRoleOpsWorksService",
"Arn"
]
}
},
"RouteTable": {
"Description": "public",
"Value": {
"Ref": "RouteTable"
}
},
"Route": {
"Value": {
"Ref": "Route"
}
},
"Subnet": {
"Value": {
"Ref": "Subnet"
}
},
"SubnetRouteTableAssociation": {
"Value": {
"Ref": "SubnetRouteTableAssociation"
}
},
"OpsWorksStack": {
"Description": "Name:ami",
"Value": {
"Ref": "OpsWorksStack"
}
},
"OpsWorksLayer": {
"Description": "Name:ami",
"Value": {
"Ref": "OpsWorksLayer"
}
},
"OpsWorksInstance" : {
"Description" : "Name:ami",
"Value" : { "Ref" : "OpsWorksInstance" }
}
}
}