diff --git a/scripts/aws/input.yml b/scripts/aws/input.yml
deleted file mode 100644
index a833abf..0000000
--- a/scripts/aws/input.yml
+++ /dev/null
@@ -1,329 +0,0 @@ -AWSTemplateFormatVersion: 2010-09-09 -Description: UID 2.0 CloudFormation template -Parameters: - APIToken: - Description: UID2 API Token - Type: String - NoEcho: true - CoreBaseURL: - Description: UID2 CoreBaseURL - Type: String - NoEcho: true - OptoutBaseURL: - Description: OptoutBaseURL - Type: String - NoEcho: true - DeployToEnvironment: - Description: Environment to deploy to prod/integ - Type: String - Default: prod - AllowedValues: - - prod - - integ - TrustNetworkCidr: - Description: The IP address range that can be used to SSH and HTTPS to the EC2 instances - Type: String - MinLength: '9' - MaxLength: '18' - Default: 10.0.0.0/8 - AllowedPattern: '(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})' - ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x. - InstanceType: - Description: EC2 instance type. Minimum 4 vCPUs needed. - Type: String - Default: m5.2xlarge - AllowedValues: - - m5.2xlarge - - m5.4xlarge - - m5a.2xlarge - - m5a.4xlarge - - m5n.2xlarge - - m5n.4xlarge - - m6i.2xlarge - - m6i.4xlarge - - r6i.2xlarge - - r6i.4xlarge - ConstraintDescription: must be a valid EC2 instance type. - RootVolumeSize: - Description: Instance root volume size - Type: Number - Default: 15 - VpcId: - Type: String - Description: VPC ID of your existing Virtual Private Cloud (VPC) - Default: '' - ConstraintDescription: must be the VPC ID of an existing Virtual Private Cloud. - VpcSubnet1: - Description: AZ1 Subnet ID from an existing VPC - Type: String - Default: '' - VpcSubnet2: - Description: AZ2 Subnet ID from an existing VPC - Type: String - Default: '' - SSHKeyName: - Description: Name of an existing EC2 KeyPair to enable SSH access to the instance - Type: 'AWS::EC2::KeyPair::KeyName' - ConstraintDescription: must be the name of an existing EC2 KeyPair. 
-Metadata: - 'AWS::CloudFormation::Interface': - ParameterGroups: - - Label: - default: Application Configuration - Parameters: - - APIToken - - DeployToEnvironment - - CoreBaseURL - - OptoutBaseURL - - Label: - default: Instance Configuration - Parameters: - - InstanceType - - RootVolumeSize - - SSHKeyName - - Label: - default: Infrastructure Configuration - Parameters: - - TrustNetworkCidr - - VpcId - - VpcSubnet1 - - VpcSubnet2 - - NewVpcCidr - - Subnet1Cidr - - Subnet2Cidr - ParameterLabels: - APIToken: - default: OPERATOR_KEY provided by UID2 Administrator. - CoreBaseURL: - default: CoreBaseURL provided by UID2 Administrator. - OptoutBaseURL: - default: CoreBaseURL provided by UID2 Administrator. - DeployToEnvironment: - default: UID2 environment to deploy to. Prod - production; Integ - integration test. - InstanceType: - default: Instance Type for EC2. Minimum 4 vCPUs needed. M5, M5a, M5n, M6i and R6i Instance types are tested. Choose 2xlarge or 4xlarge. - SSHKeyName: - default: Key Name for SSH to EC2 (required) - RootVolumeSize: - default: Instance root Volume size, enter in GB - TrustNetworkCidr: - default: Trusted Network CIDR (required) - VpcId: - default: Existing VPC ID (required) - VpcSubnet: - default: Existing Subnet ID (required) - CustomizeEnclaceResource: - default: Enclave resource configuration auto calculated or manual - EnclavememoryinMB: - default: If choose to false for CustomizeEnclaceResource, enter memory for Enclave in MB - EnclaveCPUCount: - default: If choose to false for CustomizeEnclaceResource, enter CPU count for Enclave -Mappings: - RegionMap: - us-east-1: - AMI: ami-xxxxxxxxxxxxxxxxx - us-east-2: - AMI: ami-xxxxxxxxxxxxxxxxx - us-west-1: - AMI: ami-xxxxxxxxxxxxxxxxx - us-west-2: - AMI: ami-xxxxxxxxxxxxxxxxx - eu-central-1: - AMI: ami-xxxxxxxxxxxxxxxxx - eu-west-1: - AMI: ami-xxxxxxxxxxxxxxxxx - eu-west-2: - AMI: ami-xxxxxxxxxxxxxxxxx - eu-west-3: - AMI: ami-xxxxxxxxxxxxxxxxx - eu-south-1: - AMI: ami-xxxxxxxxxxxxxxxxx - 
eu-north-1: - AMI: ami-xxxxxxxxxxxxxxxxx - me-south-1: - AMI: ami-xxxxxxxxxxxxxxxxx - ap-east-1: - AMI: ami-xxxxxxxxxxxxxxxxx - ap-south-1: - AMI: ami-xxxxxxxxxxxxxxxxx - ap-northeast-1: - AMI: ami-xxxxxxxxxxxxxxxxx - ap-northeast-2: - AMI: ami-xxxxxxxxxxxxxxxxx - ap-southeast-1: - AMI: ami-xxxxxxxxxxxxxxxxx - ap-southeast-2: - AMI: ami-xxxxxxxxxxxxxxxxx - sa-east-1: - AMI: ami-xxxxxxxxxxxxxxxxx - ca-central-1: - AMI: ami-xxxxxxxxxxxxxxxxx - af-south-1: - AMI: ami-xxxxxxxxxxxxxxxxx -Resources: - KMSKey: - Type: AWS::KMS::Key - Properties: - Description: Key for Secret Encryption - EnableKeyRotation: true - KeyPolicy: - Version: 2012-10-17 - Id: key-default-1 - Statement: - - Sid: Enable IAM User Permissions - Effect: Allow - Principal: - AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root' - Action: 'kms:*' - Resource: '*' - - Effect: Allow - Principal: - AWS: - - !GetAtt WorkerRole.Arn - Action: - - 'kms:Decrypt*' - - 'kms:GenerateDataKey*' - - 'kms:Describe*' - Resource: '*' - SSMKEYAlias: - Type: AWS::KMS::Alias - Properties: - AliasName: !Sub 'alias/uid-secret-${AWS::StackName}' - TargetKeyId: !Ref KMSKey - TokenSecret: - Type: AWS::SecretsManager::Secret - Properties: - Description: UID2 Token - KmsKeyId: !GetAtt KMSKey.Arn - Name: !Sub 'uid2-config-stack-${AWS::StackName}' - SecretString: !Sub '{ - "api_token":"${APIToken}", - "service_instances":6, - "enclave_cpu_count":6, - "enclave_memory_mb":24576, - "environment":"${DeployToEnvironment}", - "core_base_url": "${CoreBaseURL}", - "optout_base_url": "${OptoutBaseURL}" - }' - WorkerRole: - Type: 'AWS::IAM::Role' - Properties: - AssumeRolePolicyDocument: - Version: 2012-10-17 - Statement: - - Effect: Allow - Principal: - Service: - - ec2.amazonaws.com - Action: - - 'sts:AssumeRole' - Path: / - Policies: - - PolicyName: kms-secret-access - PolicyDocument: - Statement: - - Effect: Allow - Action: - - 'kms:Decrypt*' - - 'kms:GenerateDataKey*' - - 'kms:Describe*' - Resource: !Sub 
'arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/uid-secret-${AWS::StackName}' - - Effect: Allow - Action: 'secretsmanager:GetSecretValue' - Resource: !Sub 'arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:uid2-config-stack-${AWS::StackName}*' - ManagedPolicyArns: - - 'arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy' - WorkerInstanceProfile: - Type: 'AWS::IAM::InstanceProfile' - Properties: - Path: / - Roles: - - !Ref WorkerRole - SecurityGroup: - Type: 'AWS::EC2::SecurityGroup' - Properties: - GroupDescription: UID2 EC2 Security Group - SecurityGroupIngress: - - IpProtocol: tcp - FromPort: '22' - ToPort: '22' - CidrIp: !Ref TrustNetworkCidr - Description: "Allow Inbound SSH" - - IpProtocol: tcp - FromPort: '80' - ToPort: '80' - CidrIp: !Ref TrustNetworkCidr - Description: "Allow Inbound HTTP" - - IpProtocol: tcp - FromPort: '9080' - ToPort: '9080' - CidrIp: !Ref TrustNetworkCidr - Description: "Prometheus metrics" - SecurityGroupEgress: - - IpProtocol: tcp - FromPort: '443' - ToPort: '443' - CidrIp: 0.0.0.0/0 - Description: "Allow Outbound HTTPS" - - IpProtocol: udp - FromPort: '53' - ToPort: '53' - CidrIp: 0.0.0.0/0 - Description: "Allow Outbound DNS" - VpcId: !Ref VpcId - LaunchTemplate: - Type: AWS::EC2::LaunchTemplate - Properties: - LaunchTemplateData: - BlockDeviceMappings: - - DeviceName: /dev/xvda - Ebs: - Encrypted: true - VolumeSize: !Ref RootVolumeSize - VolumeType: gp3 - IamInstanceProfile: - Name: !Ref WorkerInstanceProfile - ImageId: !FindInMap [RegionMap, !Ref 'AWS::Region', AMI] - InstanceType: !Ref InstanceType - EnclaveOptions: - Enabled: true - KeyName: !Ref SSHKeyName - SecurityGroupIds: - - !Ref SecurityGroup - UserData: !Base64 - Fn::Sub: | - #!/bin/bash -ex - export UID2_CONFIG_SECRET_KEY="uid2-config-stack-${AWS::StackName}" - sudo yum update -y --security - while ! 
nc -z localhost 80;do sleep 10;done - /opt/aws/bin/cfn-signal -e 0 --stack ${AWS::StackName} --resource AutoScalingGroup --region ${AWS::Region} - AutoScalingGroup: - Type: AWS::AutoScaling::AutoScalingGroup - DependsOn: - - TokenSecret - - SSMKEYAlias - Properties: - LaunchTemplate: - LaunchTemplateId: !Ref LaunchTemplate - Version: !GetAtt LaunchTemplate.LatestVersionNumber - MetricsCollection: - - Granularity: 1Minute - Metrics: - - GroupTotalInstances - MaxSize: 1 - MinSize: 1 - VPCZoneIdentifier: - - !Ref VpcSubnet1 - - !Ref VpcSubnet2 - Tags: - - Key: Name - Value: 'UID2 Instance' - PropagateAtLaunch: true - CreationPolicy: - ResourceSignal: - Count: 1 - Timeout: PT10M - UpdatePolicy: - AutoScalingRollingUpdate: - PauseTime: PT10M - WaitOnResourceSignals: true