admin-ansible-ec2.yaml
---

Ansible Admin EC2 CloudFormation Deployment

This CloudFormation template deploys a single EC2 instance with its own security group and IAM instance role. That role has administrator rights in this account (it allows every action on every resource), so be sure to remove this stack as soon as you are finished.

AWSTemplateFormatVersion: '2010-09-09'

Parameters

These are the input parameters for this template. All of these parameters must be supplied for this template to be deployed.

Parameters:

HostName to be used in tagging the EC2 instance.

  HostName:
    Type: String
    Description: Enter the name of the host or service, ie 'account-foundation-deployer', etc.
    Default: account-foundation-deployer

SSH Key Pair to be used on the application EC2 instances for emergency administrative access.

  KeyName:
    Description: Amazon EC2 Key Pair
    Type: AWS::EC2::KeyPair::KeyName

VPCID is the ID of the VPC where this template will be deployed, InstanceSubnet is the subnet inside that VPC for the instance, and ClientIP is the address that will be allowed to SSH to the instance (it is used as a /32 in the security group).

  VPCID:
    Description: Target VPC
    Type: AWS::EC2::VPC::Id
  InstanceSubnet:
    Description: Private Subnet
    Type: AWS::EC2::Subnet::Id
  ClientIP:
    Description: Your IP Address
    Type: String

Tags

  TagOwner:
    Description: Name of the Owner of this resource (Full Name)
    Type: String
  TagNetid:
    Description: UA NetID of responsible person
    Type: String
  TagProjectName:
    Description: Name of the Project this is for, or JIRA ticket for more info
    Type: String

Metadata

Metadata is mostly for organizing and presenting the Parameters in a better way when launching this template from the CloudFormation console in the AWS web UI.

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Instance Settings
        Parameters:
          - HostName
          - KeyName
          - VPCID
          - InstanceSubnet
          - ClientIP
      - Label:
          default: Tags
        Parameters:
          - TagOwner
          - TagNetid
          - TagProjectName
    ParameterLabels: {}

Resources

These are the resources deployed by the template: the EC2 instance, its security group, and the IAM role and instance profile it runs with.

Resources:

EC2 Instance

Deploys the EC2 instance with some tags.

  Ec2Instance:
    Type: AWS::EC2::Instance

A CreationPolicy prevents this resource's creation from completing until it receives one success signal from cfn-signal within 20 minutes; a failure signal or no signal at all rolls the stack back.

    CreationPolicy:
      ResourceSignal:
        Count: 1
        Timeout: PT20M
    Properties:
      ImageId: ami-7172b611
      KeyName: !Ref KeyName
      InstanceType: t2.micro
      AvailabilityZone: us-west-2a
      IamInstanceProfile: !Ref InstanceProfile
      NetworkInterfaces:
        - AssociatePublicIpAddress: 'true'
          DeviceIndex: '0'
          SubnetId: !Ref InstanceSubnet
          GroupSet:
            - !Ref InstanceSecurityGroup
      UserData:
        Fn::Base64: !Sub
          - |
            #!/bin/bash -e
            # Basic Updates
            sudo yum update -y
            sudo yum install -y git vim telnet

            # Try to install Zabbix Agent
            ZabbixParam=$(aws ssm get-parameters --region ${AWS::Region} --names "ZabbixAPIUsername" --with-decryption --query 'Parameters[0].Value' --output text)
            if [ "$ZabbixParam" = "__aws_host_remover" ]; then
              wget https://s3-us-west-2.amazonaws.com/ua-uits-ecs-public/zabbix/zabbix-agent-install.zip
              unzip zabbix-agent-install.zip
              cd zabbix
              ./install_zabbix_agent.sh "${ZabbixHostname}" "${ZabbixMetadata}"
            fi

            # Install Amazon SSM
            curl https://amazon-ssm-${AWS::Region}.s3.amazonaws.com/latest/linux_amd64/amazon-ssm-agent.rpm -o /tmp/amazon-ssm-agent.rpm
            yum install -y /tmp/amazon-ssm-agent.rpm

            # Install Ansible Components
            sudo easy_install pip
            sudo yum install -y python-paramiko
            sudo pip install ansible==2.0.0
            sudo pip install -U boto

            # Make sure the AWS cli is up to date
            sudo pip install awscli --upgrade

            # Check out the service-catalog project.
            # The script runs with -e, so a failing clone would abort it before
            # cfn-signal runs; capture the exit status instead so the failure is
            # reported to CloudFormation rather than left to the 20 minute timeout.
            git_success=0
            git clone https://bitbucket.org/ua-ecs/service-catalog.git /home/ec2-user/service-catalog || git_success=$?
            if [ "$git_success" -eq 0 ]; then
              chown -R ec2-user /home/ec2-user/service-catalog/
            fi

            # Signal CloudFormation with the result of the checkout
            /opt/aws/bin/cfn-signal -e $git_success --stack ${AWS::StackName} --region ${AWS::Region} --resource Ec2Instance
          - { ZabbixHostname: !Sub "${HostName}.${AWS::AccountId}.aws", ZabbixMetadata: "aws-server" }
      Tags:
        - Key: Name
          Value: !Ref HostName
        - Key: owner
          Value: !Ref TagOwner
        - Key: netid
          Value: !Ref TagNetid
        - Key: projectname
          Value: !Ref TagProjectName
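The UserData script above is wrapped in !Sub, so every `${Name}` in it is a CloudFormation variable, not a shell one: `${AWS::Region}` and `${ZabbixHostname}` are replaced before the instance ever boots, while the script's own shell variables are written without braces (`$ZabbixParam`, `$git_success`) precisely so that !Sub leaves them alone. A braced shell variable such as `${HOME}` would make the template fail validation unless written with the `${!HOME}` escape. The following added example, which is not part of the template, implements that substitution rule as a small Python helper (`fn_sub` and `unresolved_variables` are hypothetical names; the pseudo-parameter values and the script excerpt are constructed) so the behaviour can be checked locally before a template is submitted.

```python
import re

# Constructed values standing in for the pseudo-parameters CloudFormation supplies.
PSEUDO_PARAMETERS = {
    "AWS::Region": "us-west-2",
    "AWS::AccountId": "123456789012",
    "AWS::StackName": "admin-ansible-ec2",
}

# ${...} is the only token Fn::Sub rewrites; a bare $var or $(cmd) is passed through.
SUB_VAR = re.compile(r"\$\{([^}]+)\}")


def fn_sub(template_text, variables=None, pseudo=PSEUDO_PARAMETERS):
    """Resolve ${Var} references the way Fn::Sub does (hypothetical helper, not an AWS API).

    Lookup order: the variable map given as the second !Sub argument, then
    pseudo-parameters. ${!Name} is the escape and becomes a literal ${Name}.
    An unknown name raises, mirroring CloudFormation rejecting the template.
    """
    variables = variables or {}

    def resolve(match):
        name = match.group(1)
        if name.startswith("!"):
            return "${" + name[1:] + "}"
        if name in variables:
            return variables[name]
        if name in pseudo:
            return pseudo[name]
        raise ValueError(f"unresolved Fn::Sub variable: {name}")

    return SUB_VAR.sub(resolve, template_text)


def unresolved_variables(template_text, variables=None, pseudo=PSEUDO_PARAMETERS):
    """Names that fn_sub would fail on, e.g. a shell variable accidentally written with braces."""
    variables = variables or {}
    return [n for n in SUB_VAR.findall(template_text)
            if not n.startswith("!") and n not in variables and n not in pseudo]


# Constructed excerpt in the same shape as the template's UserData script.
USER_DATA_TEMPLATE = """#!/bin/bash -e
ZabbixParam=$(aws ssm get-parameters --region ${AWS::Region} --names "ZabbixAPIUsername" --output text)
./install_zabbix_agent.sh "${ZabbixHostname}" "${ZabbixMetadata}"
echo "home is ${!HOME}"
/opt/aws/bin/cfn-signal -e $git_success --stack ${AWS::StackName} --region ${AWS::Region} --resource Ec2Instance
"""


def render_user_data(host_name="account-foundation-deployer"):
    """Render the excerpt with the same nested !Sub variable map the template uses."""
    variables = {
        "ZabbixHostname": fn_sub("${HostName}.${AWS::AccountId}.aws", {"HostName": host_name}),
        "ZabbixMetadata": "aws-server",
    }
    return fn_sub(USER_DATA_TEMPLATE, variables)


if __name__ == "__main__":
    print(render_user_data())
    # A braced shell variable is the classic mistake: it is reported, the bare form is not.
    print(unresolved_variables("echo ${git_success}; cfn-signal -e $git_success"))
```

Running it prints the rendered script with the region, account id and stack name filled in, `${!HOME}` turned back into `${HOME}`, and `$git_success` untouched; the last line prints `['git_success']`, which is the error CloudFormation would raise if the script had used the braced form.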

Instance Security Group

Security group for the EC2 instance. It allows SSH (TCP 22) into the instance only from the single address given in the ClientIP parameter; nothing else is opened inbound.

  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow ssh to client host
      VpcId: !Ref VPCID
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: '22'
          ToPort: '22'
          CidrIp: !Sub "${ClientIP}/32"
      Tags:
        - Key: Name
          Value: !Sub "${HostName} Security Group"
        - Key: owner
          Value: !Ref TagOwner
        - Key: netid
          Value: !Ref TagNetid
        - Key: projectname
          Value: !Ref TagProjectName

Instance Role

This is the IAM role that will be attached to the EC2 instance through the instance profile below. Its inline policy allows every action on every resource (Action "*", Resource "*"), which is full administrator access to the account, so be careful!

  InstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: "/"
      Policies:
        - PolicyName: !Sub "${HostName}-adminPolicy"
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: Stmt1452033379000
                Effect: Allow
                Action:
                  - "*"
                Resource:
                  - "*"
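Two things in this template deserve a check before every deployment: the security group's ingress (the previous section) must stay pinned to one address rather than drifting to 0.0.0.0/0 when someone "just wants it to work", and the wildcard Allow statement in this role should be flagged wherever it appears. The ClientIP parameter is also a plain String with no AllowedPattern, so a mistyped value is only rejected when stack creation fails on the CidrIp, not at submission time. The following added example, which is not part of the template, is a small Python audit over a constructed JSON excerpt of the same resources (CloudFormation accepts JSON as well as YAML, and JSON needs no extra library); the function names are hypothetical, and the excerpt includes one deliberately open security group so both a pass and a finding are visible.

```python
import json
import re

# Constructed excerpt in CloudFormation's JSON form: a condensed copy of the
# template's resources plus one deliberately open security group.
TEMPLATE_JSON = r'''
{
  "Parameters": {
    "ClientIP": {"Type": "String", "Description": "Your IP Address"}
  },
  "Resources": {
    "InstanceSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": "22", "ToPort": "22",
         "CidrIp": {"Fn::Sub": "${ClientIP}/32"}}]}
    },
    "OpenSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": "22", "ToPort": "22", "CidrIp": "0.0.0.0/0"}]}
    },
    "InstanceRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {"Policies": [
        {"PolicyName": "adminPolicy",
         "PolicyDocument": {"Version": "2012-10-17", "Statement": [
           {"Sid": "Stmt1452033379000", "Effect": "Allow", "Action": ["*"], "Resource": ["*"]}]}}]}
    }
  }
}
'''

IAM_TYPES = ("AWS::IAM::Role", "AWS::IAM::Policy", "AWS::IAM::ManagedPolicy",
             "AWS::IAM::User", "AWS::IAM::Group")
# Plain parameter names only; pseudo-parameters contain "::" and are skipped on purpose.
SUB_REF = re.compile(r"\$\{([A-Za-z0-9]+)\}")


def load_template(text=TEMPLATE_JSON):
    return json.loads(text)


def as_list(value):
    """IAM allows a bare string where a list is expected; normalise to a list."""
    return value if isinstance(value, list) else [value]


def security_group_rules(template):
    for name, res in template["Resources"].items():
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
                yield name, rule


def wildcard_iam_statements(template):
    """(resource, Sid) for every Allow statement granting every action on every resource."""
    findings = []
    for name, res in template["Resources"].items():
        if res.get("Type") not in IAM_TYPES:
            continue
        props = res.get("Properties", {})
        docs = [p["PolicyDocument"] for p in props.get("Policies", [])]
        if "PolicyDocument" in props:
            docs.append(props["PolicyDocument"])
        for doc in docs:
            for stmt in as_list(doc.get("Statement", [])):
                if (stmt.get("Effect") == "Allow"
                        and "*" in as_list(stmt.get("Action", []))
                        and "*" in as_list(stmt.get("Resource", []))):
                    findings.append((name, stmt.get("Sid", "<no Sid>")))
    return findings


def open_ingress_rules(template):
    """(group, protocol, from, to) for rules reachable from the whole internet."""
    findings = []
    for name, rule in security_group_rules(template):
        cidr = rule.get("CidrIp", rule.get("CidrIpv6"))
        if cidr in ("0.0.0.0/0", "::/0"):
            findings.append((name, rule.get("IpProtocol"),
                             str(rule.get("FromPort")), str(rule.get("ToPort"))))
    return findings


def unconstrained_cidr_parameters(template):
    """String parameters spliced into a CidrIp (via Ref or Fn::Sub) with no AllowedPattern."""
    params = template.get("Parameters", {})
    hits = set()
    for _, rule in security_group_rules(template):
        cidr = rule.get("CidrIp")
        names = []
        if isinstance(cidr, dict) and "Ref" in cidr:
            names = [cidr["Ref"]]
        elif isinstance(cidr, dict) and "Fn::Sub" in cidr:
            sub = cidr["Fn::Sub"]
            names = SUB_REF.findall(sub[0] if isinstance(sub, list) else sub)
        for n in names:
            p = params.get(n)
            if p and p.get("Type") == "String" and "AllowedPattern" not in p:
                hits.add(n)
    return sorted(hits)


if __name__ == "__main__":
    t = load_template()
    print("wildcard IAM:", wildcard_iam_statements(t))
    print("open ingress:", open_ingress_rules(t))
    print("unconstrained CIDR params:", unconstrained_cidr_parameters(t))
```

On the excerpt it reports the role's `Stmt1452033379000`, the open group's port 22 rule, and `ClientIP`; the page's own group passes the ingress check because its CidrIp is built from the parameter. Adding an `AllowedPattern` for a dotted-quad address (and a `ConstraintDescription`) to the ClientIP parameter clears the last finding and moves the failure from stack creation to template submission.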

Instance Profile

  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: "/"
      Roles:
        - !Ref InstanceRole

Outputs

Output values that can be viewed from the AWS CloudFormation console.

Outputs:
  InstancePrivateIP:
    Description: The Private IP address of the instance
    Value: !GetAtt Ec2Instance.PrivateIp
  InstancePublicIP:
    Description: The Public IP address of the instance
    Value: !GetAtt Ec2Instance.PublicIp
  InstanceID:
    Description: The Instance ID
    Value: !Ref Ec2Instance