admin-terraform.yaml
---

Ansible Admin EC2 CloudFormation Deployment

This CloudFormation template deploys a single EC2 instance with its own security group and IAM instance profile. The instance role grants full administrative rights in this account (Action "*" on Resource "*"), and anyone who can SSH to the instance, or run code on it and reach the instance metadata service, can use those credentials. Delete the stack as soon as you are finished with it.

AWSTemplateFormatVersion: '2010-09-09'

Parameters

These are the input parameters for this template. Parameters without a Default must be supplied when the stack is created; the others may be left at their defaults.

Parameters:

HostName to be used in tagging the EC2 instance.

  HostName:
    Type: String
    Description: Enter the name of the host or service, e.g. 'account-foundation-deployer'.
    Default: account-foundation-deployer

Instance Type

  InstanceType:
    Description: EC2 Instance Type
    Type: String
    AllowedValues: [t2.micro, t2.small, t2.medium]
    Default: t2.micro

SSH Key Pair to be used on the EC2 instance for emergency administrative access. Whoever holds the private key for this pair can log in and use the instance's admin credentials.

  KeyName:
    Description: Amazon EC2 Key Pair
    Type: AWS::EC2::KeyPair::KeyName

VPCID is the ID of the VPC where this template will be deployed. InstanceSubnet must belong to that VPC, and AvailabilityZone must be the zone of that subnet: the instance resource sets both, and a mismatch fails the launch. ClientIP is a single IPv4 address; the security group below appends /32 to it, so only that one address may SSH in.

  VPCID:
    Description: Target VPC
    Type: AWS::EC2::VPC::Id
  InstanceSubnet:
    Description: Private Subnet
    Type: AWS::EC2::Subnet::Id
  AvailabilityZone:
    Description: Availability Zone of Selected Subnet. MUST MATCH!
    Type: AWS::EC2::AvailabilityZone::Name
  ClientIP:
    Description: Your IP Address
    Type: String

Tags

The following tags are applied to all resources created by this template.

  ServiceTag:
    Type: String
    Description: Exact name of the Service as defined in the service catalog.
  EnvironmentTag:
    Type: String
    Description: Used to distinguish between development, test, production, etc. environment types.
    AllowedValues: [dev, tst, prd, trn, stg, cfg, sup, rpt]
    Default: dev
  ContactNetidTag:
    Type: String
    Description: Used to identify the netid of the person most familiar with the usage of the resource.
  AccountNumberTag:
    Type: String
    Description: Identifies the financial system account number.
  TicketNumberTag:
    Type: String
    Description: Used to identify the Jira, Cherwell, or other ticketing system ticket number to link to more information about the need for the resource.

Metadata

Metadata here only groups and labels the Parameters when the template is launched from the CloudFormation console; it has no effect on the resources that are created.

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Instance Settings
        Parameters:
          - HostName
          - InstanceType
          - KeyName
          - VPCID
          - InstanceSubnet
          - AvailabilityZone
          - ClientIP
      - Label:
          default: Tags
        Parameters:
          - ServiceTag
          - EnvironmentTag
          - ContactNetidTag
          - AccountNumberTag
          - TicketNumberTag
    ParameterLabels:
      ServiceTag:
        default: "Service Name:"
      EnvironmentTag:
        default: 'Environment Type:'
      ContactNetidTag:
        default: 'Contact NetID:'
      AccountNumberTag:
        default: 'Financial Account Number:'
      TicketNumberTag:
        default: 'Ticket Number:'

Mappings

Mappings:

Map of Amazon Linux 2016.09.1 AMI IDs by region, looked up with !FindInMap [AMIforRegion, !Ref "AWS::Region", "64"]. Only the three regions below are covered; creating the stack in any other region fails at the lookup. The IDs are pinned to an old release, so update them to a current AMI before use: the yum update in UserData patches packages at boot but does not replace the base image.

  AMIforRegion:
    us-east-1:
      "64": "ami-9be6f38c"
    us-west-2:
      "64": "ami-1e299d7e"
    us-gov-west-1:
      "64": "ami-ffa61d9e"

Resources

These are the resources created by the template: the EC2 instance, its security group, and the IAM role and instance profile it runs under.

Resources:

EC2 Instance

Deploys the EC2 instance with the tags above. It is given a public IP (AssociatePublicIpAddress), so whatever the parameter label says, the subnet needs a route to an internet gateway for the SSH rule and for the downloads in UserData to work. UserData runs as root at first boot and is wrapped in !Sub, so ${AWS::Region} is substituted by CloudFormation, while shell variables such as TERRAFORM_VERSION must be written ${!TERRAFORM_VERSION} to be passed through to the script unchanged; an unescaped ${TERRAFORM_VERSION} is rejected as an unresolved reference when the stack is created.

  Ec2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !FindInMap [AMIforRegion, !Ref "AWS::Region", "64"]
      KeyName: !Ref KeyName
      InstanceType: !Ref InstanceType
      AvailabilityZone: !Ref AvailabilityZone
      IamInstanceProfile: !Ref InstanceProfile
      NetworkInterfaces:
        - AssociatePublicIpAddress: 'true'
          DeviceIndex: '0'
          SubnetId: !Ref InstanceSubnet
          GroupSet:
            - !Ref InstanceSecurityGroup
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash
          # Basic Updates
          sudo yum update -y
          sudo yum install -y git vim telnet

          # Install Amazon SSM
          curl https://amazon-ssm-${AWS::Region}.s3.amazonaws.com/latest/linux_amd64/amazon-ssm-agent.rpm -o /tmp/amazon-ssm-agent.rpm
          sudo yum install -y /tmp/amazon-ssm-agent.rpm

          # Make sure the AWS cli is up to date
          sudo pip install awscli --upgrade

          # Install Terraform
          # ${!...} is the Fn::Sub escape: CloudFormation emits a literal ${...}
          # so the shell, not CloudFormation, expands TERRAFORM_VERSION.
          TERRAFORM_VERSION=0.8.7
          wget https://releases.hashicorp.com/terraform/${!TERRAFORM_VERSION}/terraform_${!TERRAFORM_VERSION}_linux_amd64.zip
          unzip terraform_${!TERRAFORM_VERSION}_linux_amd64.zip
          sudo mv terraform /usr/local/bin/
      Tags:
        - Key: Name
          Value: !Ref HostName
        - Key: service
          Value: !Ref ServiceTag
        - Key: environment
          Value: !Ref EnvironmentTag
        - Key: contactnetid
          Value: !Ref ContactNetidTag
        - Key: accountnumber
          Value: !Ref AccountNumberTag
        - Key: ticketnumber
          Value: !Ref TicketNumberTag
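The Terraform download above is installed with no integrity check: whatever the release server (or anything between it and the instance) returns is moved onto the PATH and later run with the instance's administrator credentials. The bootstrap fragment below is an added example, not code from the original template, that fetches HashiCorp's published SHA256SUMS file for the release and refuses to install a zip whose digest does not match it. The function names verify_release and install_terraform and the INSTALL_TERRAFORM switch are my own; the file layout under https://releases.hashicorp.com/terraform/<version>/ (terraform_<version>_linux_amd64.zip and terraform_<version>_SHA256SUMS) is HashiCorp's. It still trusts TLS to releases.hashicorp.com for the checksum list itself; verifying the accompanying SHA256SUMS.sig against HashiCorp's published GPG key would close that gap and is not shown here.

```shell
#!/bin/bash
# Added example (not from the original template): install Terraform only after
# verifying the release zip against HashiCorp's published SHA256SUMS.
# If pasted into a CloudFormation !Sub block, write ${!VAR} for every shell variable.
set -eu

TERRAFORM_VERSION="${TERRAFORM_VERSION:-0.8.7}"
RELEASE_BASE="https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}"
ZIP="terraform_${TERRAFORM_VERSION}_linux_amd64.zip"
SUMS="terraform_${TERRAFORM_VERSION}_SHA256SUMS"

# verify_release ZIP SUMS
# Succeeds only if SUMS has an entry for ZIP's file name and the sha256 of ZIP
# equals that entry. A missing entry is a failure, not a pass: an attacker who
# can drop a file from the list must not get a free install.
verify_release() {
  local zip="$1" sums="$2" expected actual
  expected=$(awk -v f="$(basename "$zip")" '$2 == f { print $1 }' "$sums")
  if [ -z "$expected" ]; then
    echo "verify_release: no entry for $(basename "$zip") in $sums" >&2
    return 1
  fi
  actual=$(sha256sum "$zip" | awk '{ print $1 }')
  if [ "$expected" != "$actual" ]; then
    echo "verify_release: digest mismatch for $zip" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
  fi
  return 0
}

# Download the zip and the checksum list into a scratch directory, verify,
# then install the binary with fixed permissions. curl -f makes an HTTP error
# a failure instead of a saved error page.
install_terraform() {
  local work
  work=$(mktemp -d)
  cd "$work"
  curl -fsSLO "${RELEASE_BASE}/${ZIP}"
  curl -fsSLO "${RELEASE_BASE}/${SUMS}"
  verify_release "$ZIP" "$SUMS"
  unzip -o "$ZIP" terraform
  install -m 0755 terraform /usr/local/bin/terraform
  cd / && rm -rf "$work"
}

# Only download when explicitly asked, so the functions can be sourced and
# exercised against local files without network access.
if [ "${INSTALL_TERRAFORM:-no}" = "yes" ]; then
  install_terraform
fi
```

Run it as `INSTALL_TERRAFORM=yes bash bootstrap.sh` from UserData. Because verify_release fails closed, a missing checksum entry, a truncated download, or a swapped archive all abort the boot script before anything lands on the PATH, which is the behaviour you want on a host that holds admin credentials.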

Instance Security Group

Security group for the EC2 instance. The only ingress rule is TCP 22 from ClientIP/32; egress is left at the default allow-all, which the downloads in UserData rely on.

  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow ssh to client host
      VpcId: !Ref VPCID
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: '22'
          ToPort: '22'
          CidrIp: !Sub "${ClientIP}/32"
      Tags:
        - Key: Name
          Value: !Sub "${HostName} Security Group"
        - Key: service
          Value: !Ref ServiceTag
        - Key: environment
          Value: !Ref EnvironmentTag
        - Key: contactnetid
          Value: !Ref ContactNetidTag
        - Key: accountnumber
          Value: !Ref AccountNumberTag
        - Key: ticketnumber
          Value: !Ref TicketNumberTag

Instance Role

This is the IAM role the EC2 instance runs under. Its inline policy allows every action on every resource, which makes the instance a full account administrator, and the role's temporary credentials are available to any process on the instance through the instance metadata service. Nothing in the template limits when or from where those credentials can be used, so keep the stack short-lived and delete it as soon as the deployment work is done.

  InstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: "/"
      Policies:
        - PolicyName: !Sub "${HostName}-adminPolicy"
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: Stmt1452033379000
                Effect: Allow
                Action:
                  - "*"
                Resource:
                  - "*"
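One way to bound the exposure if the stack is forgotten, as an added example that is not part of the original template: add an expiry parameter and put an aws:CurrentTime condition on the admin statement. IAM evaluates the condition on every API call, so once the deadline passes the role's permissions stop matching, including for credentials already fetched from the metadata service. The parameter name AdminExpiresAt and the statement Sid are my own choices; the trust policy is unchanged from the template.

```yaml
# Added example: time-boxed replacement for InstanceRole, plus the extra
# parameter it needs (AdminExpiresAt is an assumed name, not from the template).
Parameters:
  AdminExpiresAt:
    Type: String
    Description: UTC time after which the admin policy stops matching, e.g. 2017-03-01T00:00:00Z
    AllowedPattern: '^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$'
    ConstraintDescription: must be an ISO 8601 UTC timestamp ending in Z

Resources:
  InstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: "/"
      Policies:
        - PolicyName: !Sub "${HostName}-adminPolicy"
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: TimeBoxedAdmin
                Effect: Allow
                Action: "*"
                Resource: "*"
                Condition:
                  DateLessThan:
                    aws:CurrentTime: !Ref AdminExpiresAt
```

This limits what the credentials are good for; it does not terminate the instance, close the SSH rule, or stop the instance from costing money, so it complements deleting the stack rather than replacing it. Pick an expiry a few hours out, not days.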

Instance Profile

  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: "/"
      Roles:
        - !Ref InstanceRole

Outputs

Output values that can be viewed from the AWS CloudFormation console.

Outputs:
  InstancePrivateIP:
    Description: The Private IP address of the instance
    Value: !GetAtt Ec2Instance.PrivateIp
  InstancePublicIP:
    Description: The Public IP address of the instance
    Value: !GetAtt Ec2Instance.PublicIp
  InstanceID:
    Description: The Instance ID
    Value: !Ref Ec2Instance