uar-datamig-sbx.yaml

uar-datamig-sbx CloudFormation Deployment

This CloudFormation template deploys a data migration sandbox: an EC2 instance with an IAM instance role and profile, a security group that permits SSH from the VPN only, an ingress rule that lets the instance reach the database security group on port 1521, and a private Route 53 record for the host.

AWSTemplateFormatVersion: '2010-09-09'
Description: CloudFormation Data Migration SBX

Parameters

These are the input parameters for this template. All of these parameters must be supplied for this template to be deployed.

Parameters:

HostName to be used in tagging the EC2 instance.

  HostName:
    Type: String
    Description: Enter the name of the host or service, e.g. 'ps-deployer'.
    Default: "dm-deployer"

SSH Key Pair to be used on the application EC2 instances for emergency administrative access.

  KeyName:
    Description: Amazon EC2 Key Pair
    Type: AWS::EC2::KeyPair::KeyName
    Default: "uar-development-keypair"

Availability Zone; it must match the private subnet imported below (admin-tech-nonprod-vpc-private-subnet-a).

  AvailabilityZone:
    Description: Availability Zone of Selected Subnet
    Type: AWS::EC2::AvailabilityZone::Name
    Default: "us-west-2a"

Hosted Zone Name for the Route 53 entry, plus the AMI lookup for the instance.

  HostedZoneName:
    Description: Hosted Zone Name for the Route 53 record
    Type: String
    Default: "uar-nonprod-aws.arizona.edu"
  # Resolved at deploy time from the public SSM parameter, so the
  # instance always launches from the current Amazon Linux 2 AMI.
  ImageId:
    Description: Latest Amazon Linux 2 AMI
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2

Deployer ARN and database security group

  # Not referenced by any resource in this template.
  FdnDeployerARN:
    Description: The ARN of the CloudFormation deployer role for this AWS account.
    Type: String
    Default: "arn:aws:iam::545994247412:role/fdn-CloudFormationAdminDeployer"
  # Existing security group on the database; this template adds an ingress rule to it.
  DBSecurityGroup:
    Description: Database Security Group
    Type: String
    Default: "sg-0b2c7c5cd6b05bf5e"

Tags

The following parameters supply the tag values applied to the resources created by this template.

  ServiceTag:
    Type: String
    Description: Exact name of the Service as defined in the service catalog.
    Default: "UAccess Research"
  EnvironmentTag:
    Type: String
    Description: Used to distinguish between development, test, production, etc. environment types.
    AllowedValues: [dev, tst, prd, trn, stg, cfg, sup, rpt]
    Default: "dev"
  ContactNetIdTag:
    Type: String
    Description: Used to identify the netid of the person most familiar with the usage of the resource.
    Default: "fimbresrc"
  AccountNumberTag:
    Type: String
    Description: Identifies the financial system account number.
    Default: "1192622"
  SubAccountTag:
    Description: Identifies the financial system subaccount number
    Type: String
    Default: "12AWS"
  TicketNumberTag:
    Type: String
    Description: Used to identify the Jira, Cherwell, or other ticketing system ticket number to link to more information about the need for the resource.
    Default: "UARSaaS-158"
  CreatedByTag:
    Type: String
    Description: Created by Tag
    Default: "fimbresrc"
  ResourceFunctionTag:
    Type: String
    Description: Resource function Tag
    Default: "uar-datamig-sbx"
  ResourceGroupNameTag:
    Type: String
    Description: Resource group name Tag
    Default: "uar-datamig-sbx"

Resources

These are all of the resources deployed by this template.

Resources:

Instance Role

This is the IAM role attached to the EC2 instance. Its AmazonS3FullAccess managed policy grants read and write access to every S3 bucket in the account, so the instance, and anyone who can SSH to it, inherits that access; scope it down to the buckets the migration actually needs where possible.

  InstanceRole:
    Type: AWS::IAM::Role
    Properties:
      # Only the EC2 service may assume this role (via the instance profile below).
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: "/"
      # AmazonS3FullAccess covers every bucket in the account, not just the migration data.
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/AmazonS3FullAccess"
        - "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess"

Instance Profile

  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: "/"
      Roles:
        - !Ref InstanceRole

EC2 Instance

Deploys the EC2 instance in the private subnet with no public IP, an encrypted root volume, and the standard tags. The UserData script installs tooling (git, Python 3.8, AWS CLI v2) and then signals CloudFormation that bootstrapping has finished.

  Ec2Instance:
    Type: AWS::EC2::Instance
    # Make stack creation wait for the cfn-signal sent at the end of UserData;
    # without a CreationPolicy the signal is accepted but has no effect.
    CreationPolicy:
      ResourceSignal:
        Timeout: PT15M
    Properties:
      ImageId: !Ref ImageId
      KeyName: !Ref KeyName
      InstanceType: t2.small
      AvailabilityZone: !Ref AvailabilityZone
      IamInstanceProfile: !Ref InstanceProfile
      BlockDeviceMappings:
        - DeviceName: "/dev/xvda"
          Ebs:
            VolumeSize: "100"
            VolumeType: "gp2"
            Encrypted: "true"
      NetworkInterfaces:
        - AssociatePublicIpAddress: "false"
          DeviceIndex: "0"
          SubnetId: !ImportValue admin-tech-nonprod-vpc-private-subnet-a
          GroupSet:
            - !Ref InstanceSecurityGroup
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash
          yum update -y
          yum install -y git vim telnet wget zip unzip
          # Enable repo to install python 3.8 for data migration work
          amazon-linux-extras enable python3.8
          yum install -y python3.8
          # Install AWS CLI v2 from the official installer
          curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
          unzip awscliv2.zip
          ./aws/install
          # Send cfn-signal that our stack creation is complete
          yum install aws-cfn-bootstrap -y
          /opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource Ec2Instance --region ${AWS::Region}
      Tags:
        - Key: Name
          Value: !Ref HostName
        - Key: service
          Value: !Ref ServiceTag
        - Key: environment
          Value: !Ref EnvironmentTag
        - Key: contactnetid
          Value: !Ref ContactNetIdTag
        - Key: accountnumber
          Value: !Ref AccountNumberTag
        - Key: subaccount
          Value: !Ref SubAccountTag
        - Key: ticketnumber
          Value: !Ref TicketNumberTag
        - Key: createdby
          Value: !Ref CreatedByTag
        - Key: resourcegroupnametag
          Value: !Ref ResourceGroupNameTag

Instance Security Group

Security group for the EC2 instance. It allows SSH to the instance only from the Mosaic VPN range (10.138.0.0/17); the instance has no public IP, so there is no other path in. The two resources that follow open the database security group to this instance on port 1521 and create the Route 53 A record.

  InstanceSecurityGroup:
    Type: "AWS::EC2::SecurityGroup"
    Properties:
      GroupDescription: "Allow ssh to uar-datamig-sbx"
      VpcId: !ImportValue admin-tech-nonprod-vpc-vpcid
      SecurityGroupIngress:
        - IpProtocol: "tcp"
          FromPort: "22"
          ToPort: "22"
          CidrIp: "10.138.0.0/17"
          Description: "Mosaic VPN"
      Tags:
        - Key: "Name"
          Value: !Sub "${HostName} Security Group"

  # Use to add the Instance SG to the DB SG
  # This is needed to have the app servers connect to the DB
  AppInstToDB1521:
    Type: "AWS::EC2::SecurityGroupIngress"
    Properties:
      GroupId: !Ref DBSecurityGroup
      IpProtocol: "tcp"
      FromPort: "1521"
      ToPort: "1521"
      SourceSecurityGroupId: !Ref InstanceSecurityGroup
      Description: "App Instance security adding to DB SG"

  # DNS Record for EC2 Instance
  DeployerDnsRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneName: !Sub "${HostedZoneName}."
      Name: !Sub "${HostName}.${HostedZoneName}."
      Type: A
      TTL: '900'
      ResourceRecords:
        - !GetAtt Ec2Instance.PrivateIp

Outputs:
  InstancePrivateIP:
    Description: The Private IP address of the instance
    Value: !GetAtt Ec2Instance.PrivateIp
  InstanceID:
    Description: The Instance ID
    Value: !Ref Ec2Instance