basic_ec2.yaml
---

FinMod EC2 Template

This CloudFormation template creates an EC2 instance that mounts an EFS volume.

AWSTemplateFormatVersion: '2010-09-09' Description: Basic EC2 instance that allows for SSH access and mounts an EFS volume.

Metadata

Metadata is mostly for organizing and presenting Parameters in a better way when using CloudFormation in the AWS Web UI.

Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: default: Application Information Parameters: - EFSStackName - MountPath - S3Bucket - Label: default: Instance Settings Parameters: - InstanceType - AmazonLinuxAmi - VPCStackName - EC2Subnet - KeyName - Label: default: Tags Parameters: - TagService - TagEnvironment - TagCreatedBy - TagContactNetId - TagAccountNumber - TagSubAccount - TagTicketNumber - TagResourceFunction ParameterLabels: InstanceType: default: 'EC2 Instance Type:' AmazonLinuxAmi: default: 'Amazon Linux 2 AMI:' KeyName: default: 'SSH Key Pair Name'

Parameters

These are the input parameters for this template. All of these parameters must be supplied for this template to be deployed.

Parameters: EFSStackName: Description: "Name of the EFS CloudFormation Stack for the EFS volume we are mounting" Type: String MinLength: '2' Default: "financials-saas-efs" MountPath: Description: "Path the user will see as the root directory of the mounted EFS volume." Type: String Default: "/finmod-shared-efs" S3FileBucket: Description: 'The name of the S3 bucket with developer resources' Type: String MinLength: 1 Default: finmod-developer-resources InstanceType: Description: "EC2 instance type" Type: String Default: m6a.large AmazonLinuxAmi: Description: "Amazon Linux 2 Latest AMI ID" Type : AWS::SSM::Parameter::Value<String> Default: /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2 AllowedValues: - /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2 VPCStackName: Description: "Name of the VPC CloudFormation Stack" Type: String Default: ua-uits-financials-saas-nonprod-vpc EC2Subnet: Description: "Select the private subnet to use for this instance" Type: AWS::EC2::Subnet::Id MinLength: 1 KeyName: Description: "Amazon EC2 Key Pair for SSH access" Type: AWS::EC2::KeyPair::KeyName Default: finmod-development TagService: Description: "Service name (from the service catalog) that is utilizing this resource" Type: String Default: "Financials Modernization Integration" TagEnvironment: Description: "Type of environment that is using this resource, such as 'dev', 'tst', 'prd'." Type: String TagCreatedBy: Description: "NetID of the user that created this resource" Type: String TagContactNetId: Description: "NetID of the person to contact for information about this resource" Type: String TagAccountNumber: Description: "Financial system account number for the service utilizing this resource" Type: String Default: "1192801" TagSubAccount: Description: "Financial system subaccount number for the service utilizing this resource" Type: String Default: "INTGR" TagTicketNumber: Description: "Ticket number that this resource is for" Type: String TagResourceFunction: Description: "Human-readable description of what function this resource is providing" Type: String Default: "Instance for developers"

Resources

This is the EC2 instance deployed by the template.

Resources:

EC2 Instance

Deploys the Boomi Atom EC2 instance with some tags.

Ec2Instance: Type: AWS::EC2::Instance Properties: ImageId: !Ref AmazonLinuxAmi KeyName: !Ref KeyName InstanceType: !Ref InstanceType IamInstanceProfile: !Ref EnvInstanceProfile BlockDeviceMappings: - DeviceName: /dev/xvda Ebs: VolumeType: gp3 VolumeSize: '100' DeleteOnTermination: 'true' Encrypted: 'false' SecurityGroupIds: - !Ref InstanceSecurityGroup - Fn::ImportValue: !Sub "${EFSStackName}-target-sg" SubnetId: !Ref EC2Subnet Tags: - Key: service Value: !Ref TagService - Key: environment Value: !Ref TagEnvironment - Key: createdby Value: !Ref TagCreatedBy - Key: contactnetid Value: !Ref TagContactNetId - Key: accountnumber Value: !Ref TagAccountNumber - Key: ticketnumber Value: !Ref TagTicketNumber - Key: resourcefunction Value: !Ref TagResourceFunction UserData: Fn::Base64: !Sub - | #!/bin/bash

Basic Updates

yum update -y

Install developer tools

yum install -y git vim

Install JDK 17 (https://docs.aws.amazon.com/corretto/latest/corretto-17-ug/amazon-linux-install.html)

yum install -y java-17-amazon-corretto-devel

Install Maven 3.9.2 (downloaded from https://dlcdn.apache.org/maven/maven-3/3.9.2/binaries/apache-maven-3.9.2-bin.tar.gz)

cd /opt aws s3 cp s3://${S3FileBucket}/apache-maven-3.9.2-bin.tar.gz . tar -xzf apache-maven-3.9.2-bin.tar.gz ln -s /opt/apache-maven-3.9.2 /opt/maven aws s3 cp s3://${S3FileBucket}/set-maven-env-vars.sh /etc/profile.d chmod 744 /etc/profile.d/set-maven-env-vars.sh source /etc/profile.d/set-maven-env-vars.sh

Install ojdbc .jar file into maven repo cd /opt aws s3 cp s3://${S3FileBucket}/ojdbc8-12.2.0.1.jar . mvn install:install-file -Dfile=./ojdbc8-12.2.0.1.jar -DgroupId=com.oracle -DartifactId=ojdbc8 -Dversion=12.2.0.1 -Dpackaging=jar -DgeneratePom=true

Set the Time Zone

sed -i 's/ZONE="UTC"/ZONE="America\/Phoenix"/' /etc/sysconfig/clock ln -sf /usr/share/zoneinfo/America/Phoenix /etc/localtime

Create directory and mount EFS volume

mkdir ${MountPath} mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2 "${efsid}.efs.${AWS::Region}.amazonaws.com:/" ${MountPath} - efsid: Fn::ImportValue: !Sub "${EFSStackName}-fs-id"

Instance Security Group

Security group for the EC2 instance, that allows you to SSH into the instance

InstanceSecurityGroup: Type: "AWS::EC2::SecurityGroup" Properties: GroupDescription: !Sub "${AWS::StackName} EC2 Security Group" VpcId: Fn::ImportValue: !Sub "${VPCStackName}-vpcid" SecurityGroupIngress: - IpProtocol: "tcp" FromPort: "22" ToPort: "22" CidrIp: "10.138.0.0/17" Description: "Allow SSH when logged into Mosaic VPN" Tags: - Key: service Value: !Ref TagService - Key: environment Value: !Ref TagEnvironment - Key: name Value: Boomi Atom Security Group - Key: createdby Value: !Ref TagCreatedBy - Key: contactnetid Value: !Ref TagContactNetId - Key: accountnumber Value: !Ref TagAccountNumber - Key: ticketnumber Value: !Ref TagTicketNumber - Key: resourcefunction Value: !Ref TagResourceFunction

Instance Role

This is the IAM role that will be applied to the EC2 Instance. Any AWS specific permissions that the node might need should be defined here.

EnvInstanceRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: - ec2.amazonaws.com - ssm.amazonaws.com Action: - sts:AssumeRole Path: "/" ManagedPolicyArns: - arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM Policies: - PolicyName: "S3Read" PolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Action: - "s3:GetObject" Resource: !Join ["", ["arn:aws:s3:::", !Ref S3FileBucket, "/*"]]

Instance Profile

This is just a little construct to connect a set of roles together into a profile. The profile is referenced by the EC2 Instance.

EnvInstanceProfile: Type: AWS::IAM::InstanceProfile Properties: Path: "/" Roles: - !Ref EnvInstanceRole

Outputs

Output values that can be viewed from the AWS CloudFormation console.

Outputs: InstanceID: Description: "The Instance ID" Value: !Ref "Ec2Instance" InstanceSecurityGroup: Description: "This instances's security group, which was added as a new inbound rule for the shared mounted EFS volume." Value: !Ref "InstanceSecurityGroup" Export: Name: !Sub "${AWS::StackName}-instance-sg" InstancePrivateIP: Description: "The private IP address of the instance" Value: !GetAtt Ec2Instance.PrivateIp InstancePrivateDNSName: Description: "The private DNS name of the instance" Value: !GetAtt Ec2Instance.PrivateDnsName