-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
a1562ac
commit 907e426
Showing
1 changed file
with
329 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,329 @@ | ||
| AWSTemplateFormatVersion: 2010-09-09 | ||
| Description: UID 2.0 CloudFormation template | ||
| Parameters: | ||
| APIToken: | ||
| Description: UID2 API Token | ||
| Type: String | ||
| NoEcho: true | ||
| CoreBaseURL: | ||
| Description: UID2 CoreBaseURL | ||
| Type: String | ||
| NoEcho: true | ||
| OptoutBaseURL: | ||
| Description: OptoutBaseURL | ||
| Type: String | ||
| NoEcho: true | ||
| DeployToEnvironment: | ||
| Description: Environment to deploy to prod/integ | ||
| Type: String | ||
| Default: prod | ||
| AllowedValues: | ||
| - prod | ||
| - integ | ||
| TrustNetworkCidr: | ||
| Description: The IP address range that can be used to SSH and HTTPS to the EC2 instances | ||
| Type: String | ||
| MinLength: '9' | ||
| MaxLength: '18' | ||
| Default: 10.0.0.0/8 | ||
| AllowedPattern: '(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})' | ||
| ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x. | ||
| InstanceType: | ||
| Description: EC2 instance type. Minimum 4 vCPUs needed. | ||
| Type: String | ||
| Default: m5.2xlarge | ||
| AllowedValues: | ||
| - m5.2xlarge | ||
| - m5.4xlarge | ||
| - m5a.2xlarge | ||
| - m5a.4xlarge | ||
| - m5n.2xlarge | ||
| - m5n.4xlarge | ||
| - m6i.2xlarge | ||
| - m6i.4xlarge | ||
| - r6i.2xlarge | ||
| - r6i.4xlarge | ||
| ConstraintDescription: must be a valid EC2 instance type. | ||
| RootVolumeSize: | ||
| Description: Instance root volume size | ||
| Type: Number | ||
| Default: 15 | ||
| VpcId: | ||
| Type: String | ||
| Description: VPC ID of your existing Virtual Private Cloud (VPC) | ||
| Default: '' | ||
| ConstraintDescription: must be the VPC ID of an existing Virtual Private Cloud. | ||
| VpcSubnet1: | ||
| Description: AZ1 Subnet ID from an existing VPC | ||
| Type: String | ||
| Default: '' | ||
| VpcSubnet2: | ||
| Description: AZ2 Subnet ID from an existing VPC | ||
| Type: String | ||
| Default: '' | ||
| SSHKeyName: | ||
| Description: Name of an existing EC2 KeyPair to enable SSH access to the instance | ||
| Type: 'AWS::EC2::KeyPair::KeyName' | ||
| ConstraintDescription: must be the name of an existing EC2 KeyPair. | ||
| Metadata: | ||
| 'AWS::CloudFormation::Interface': | ||
| ParameterGroups: | ||
| - Label: | ||
| default: Application Configuration | ||
| Parameters: | ||
| - APIToken | ||
| - DeployToEnvironment | ||
| - CoreBaseURL | ||
| - OptoutBaseURL | ||
| - Label: | ||
| default: Instance Configuration | ||
| Parameters: | ||
| - InstanceType | ||
| - RootVolumeSize | ||
| - SSHKeyName | ||
| - Label: | ||
| default: Infrastructure Configuration | ||
| Parameters: | ||
| - TrustNetworkCidr | ||
| - VpcId | ||
| - VpcSubnet1 | ||
| - VpcSubnet2 | ||
| - NewVpcCidr | ||
| - Subnet1Cidr | ||
| - Subnet2Cidr | ||
| ParameterLabels: | ||
| APIToken: | ||
| default: OPERATOR_KEY provided by UID2 Administrator. | ||
| CoreBaseURL: | ||
| default: CoreBaseURL provided by UID2 Administrator. | ||
| OptoutBaseURL: | ||
| default: CoreBaseURL provided by UID2 Administrator. | ||
| DeployToEnvironment: | ||
| default: UID2 environment to deploy to. Prod - production; Integ - integration test. | ||
| InstanceType: | ||
| default: Instance Type for EC2. Minimum 4 vCPUs needed. M5, M5a, M5n, M6i and R6i Instance types are tested. Choose 2xlarge or 4xlarge. | ||
| SSHKeyName: | ||
| default: Key Name for SSH to EC2 (required) | ||
| RootVolumeSize: | ||
| default: Instance root Volume size, enter in GB | ||
| TrustNetworkCidr: | ||
| default: Trusted Network CIDR (required) | ||
| VpcId: | ||
| default: Existing VPC ID (required) | ||
| VpcSubnet: | ||
| default: Existing Subnet ID (required) | ||
| CustomizeEnclaceResource: | ||
| default: Enclave resource configuration auto calculated or manual | ||
| EnclavememoryinMB: | ||
| default: If choose to false for CustomizeEnclaceResource, enter memory for Enclave in MB | ||
| EnclaveCPUCount: | ||
| default: If choose to false for CustomizeEnclaceResource, enter CPU count for Enclave | ||
| Mappings: | ||
| RegionMap: | ||
| us-east-1: | ||
| AMI: ami-xxxxxxxxxxxxxxxxx | ||
| us-east-2: | ||
| AMI: ami-xxxxxxxxxxxxxxxxx | ||
| us-west-1: | ||
| AMI: ami-xxxxxxxxxxxxxxxxx | ||
| us-west-2: | ||
| AMI: ami-xxxxxxxxxxxxxxxxx | ||
| eu-central-1: | ||
| AMI: ami-xxxxxxxxxxxxxxxxx | ||
| eu-west-1: | ||
| AMI: ami-xxxxxxxxxxxxxxxxx | ||
| eu-west-2: | ||
| AMI: ami-xxxxxxxxxxxxxxxxx | ||
| eu-west-3: | ||
| AMI: ami-xxxxxxxxxxxxxxxxx | ||
| eu-south-1: | ||
| AMI: ami-xxxxxxxxxxxxxxxxx | ||
| eu-north-1: | ||
| AMI: ami-xxxxxxxxxxxxxxxxx | ||
| me-south-1: | ||
| AMI: ami-xxxxxxxxxxxxxxxxx | ||
| ap-east-1: | ||
| AMI: ami-xxxxxxxxxxxxxxxxx | ||
| ap-south-1: | ||
| AMI: ami-xxxxxxxxxxxxxxxxx | ||
| ap-northeast-1: | ||
| AMI: ami-xxxxxxxxxxxxxxxxx | ||
| ap-northeast-2: | ||
| AMI: ami-xxxxxxxxxxxxxxxxx | ||
| ap-southeast-1: | ||
| AMI: ami-xxxxxxxxxxxxxxxxx | ||
| ap-southeast-2: | ||
| AMI: ami-xxxxxxxxxxxxxxxxx | ||
| sa-east-1: | ||
| AMI: ami-xxxxxxxxxxxxxxxxx | ||
| ca-central-1: | ||
| AMI: ami-xxxxxxxxxxxxxxxxx | ||
| af-south-1: | ||
| AMI: ami-xxxxxxxxxxxxxxxxx | ||
| Resources: | ||
| KMSKey: | ||
| Type: AWS::KMS::Key | ||
| Properties: | ||
| Description: Key for Secret Encryption | ||
| EnableKeyRotation: true | ||
| KeyPolicy: | ||
| Version: 2012-10-17 | ||
| Id: key-default-1 | ||
| Statement: | ||
| - Sid: Enable IAM User Permissions | ||
| Effect: Allow | ||
| Principal: | ||
| AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root' | ||
| Action: 'kms:*' | ||
| Resource: '*' | ||
| - Effect: Allow | ||
| Principal: | ||
| AWS: | ||
| - !GetAtt WorkerRole.Arn | ||
| Action: | ||
| - 'kms:Decrypt*' | ||
| - 'kms:GenerateDataKey*' | ||
| - 'kms:Describe*' | ||
| Resource: '*' | ||
| SSMKEYAlias: | ||
| Type: AWS::KMS::Alias | ||
| Properties: | ||
| AliasName: !Sub 'alias/uid-secret-${AWS::StackName}' | ||
| TargetKeyId: !Ref KMSKey | ||
| TokenSecret: | ||
| Type: AWS::SecretsManager::Secret | ||
| Properties: | ||
| Description: UID2 Token | ||
| KmsKeyId: !GetAtt KMSKey.Arn | ||
| Name: !Sub 'uid2-config-stack-${AWS::StackName}' | ||
| SecretString: !Sub '{ | ||
| "api_token":"${APIToken}", | ||
| "service_instances":6, | ||
| "enclave_cpu_count":6, | ||
| "enclave_memory_mb":24576, | ||
| "environment":"${DeployToEnvironment}", | ||
| "core_base_url": "${CoreBaseURL}", | ||
| "optout_base_url": "${OptoutBaseURL}" | ||
| }' | ||
| WorkerRole: | ||
| Type: 'AWS::IAM::Role' | ||
| Properties: | ||
| AssumeRolePolicyDocument: | ||
| Version: 2012-10-17 | ||
| Statement: | ||
| - Effect: Allow | ||
| Principal: | ||
| Service: | ||
| - ec2.amazonaws.com | ||
| Action: | ||
| - 'sts:AssumeRole' | ||
| Path: / | ||
| Policies: | ||
| - PolicyName: kms-secret-access | ||
| PolicyDocument: | ||
| Statement: | ||
| - Effect: Allow | ||
| Action: | ||
| - 'kms:Decrypt*' | ||
| - 'kms:GenerateDataKey*' | ||
| - 'kms:Describe*' | ||
| Resource: !Sub 'arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/uid-secret-${AWS::StackName}' | ||
| - Effect: Allow | ||
| Action: 'secretsmanager:GetSecretValue' | ||
| Resource: !Sub 'arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:uid2-config-stack-${AWS::StackName}*' | ||
| ManagedPolicyArns: | ||
| - 'arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy' | ||
| WorkerInstanceProfile: | ||
| Type: 'AWS::IAM::InstanceProfile' | ||
| Properties: | ||
| Path: / | ||
| Roles: | ||
| - !Ref WorkerRole | ||
| SecurityGroup: | ||
| Type: 'AWS::EC2::SecurityGroup' | ||
| Properties: | ||
| GroupDescription: UID2 EC2 Security Group | ||
| SecurityGroupIngress: | ||
| - IpProtocol: tcp | ||
| FromPort: '22' | ||
| ToPort: '22' | ||
| CidrIp: !Ref TrustNetworkCidr | ||
| Description: "Allow Inbound SSH" | ||
| - IpProtocol: tcp | ||
| FromPort: '80' | ||
| ToPort: '80' | ||
| CidrIp: !Ref TrustNetworkCidr | ||
| Description: "Allow Inbound HTTP" | ||
| - IpProtocol: tcp | ||
| FromPort: '9080' | ||
| ToPort: '9080' | ||
| CidrIp: !Ref TrustNetworkCidr | ||
| Description: "Prometheus metrics" | ||
| SecurityGroupEgress: | ||
| - IpProtocol: tcp | ||
| FromPort: '443' | ||
| ToPort: '443' | ||
| CidrIp: 0.0.0.0/0 | ||
| Description: "Allow Outbound HTTPS" | ||
| - IpProtocol: udp | ||
| FromPort: '53' | ||
| ToPort: '53' | ||
| CidrIp: 0.0.0.0/0 | ||
| Description: "Allow Outbound DNS" | ||
| VpcId: !Ref VpcId | ||
| LaunchTemplate: | ||
| Type: AWS::EC2::LaunchTemplate | ||
| Properties: | ||
| LaunchTemplateData: | ||
| BlockDeviceMappings: | ||
| - DeviceName: /dev/xvda | ||
| Ebs: | ||
| Encrypted: true | ||
| VolumeSize: !Ref RootVolumeSize | ||
| VolumeType: gp3 | ||
| IamInstanceProfile: | ||
| Name: !Ref WorkerInstanceProfile | ||
| ImageId: !FindInMap [RegionMap, !Ref 'AWS::Region', AMI] | ||
| InstanceType: !Ref InstanceType | ||
| EnclaveOptions: | ||
| Enabled: true | ||
| KeyName: !Ref SSHKeyName | ||
| SecurityGroupIds: | ||
| - !Ref SecurityGroup | ||
| UserData: !Base64 | ||
| Fn::Sub: | | ||
| #!/bin/bash -ex | ||
| export UID2_CONFIG_SECRET_KEY="uid2-config-stack-${AWS::StackName}" | ||
| sudo yum update -y --security | ||
| while ! nc -z localhost 80;do sleep 10;done | ||
| /opt/aws/bin/cfn-signal -e 0 --stack ${AWS::StackName} --resource AutoScalingGroup --region ${AWS::Region} | ||
| AutoScalingGroup: | ||
| Type: AWS::AutoScaling::AutoScalingGroup | ||
| DependsOn: | ||
| - TokenSecret | ||
| - SSMKEYAlias | ||
| Properties: | ||
| LaunchTemplate: | ||
| LaunchTemplateId: !Ref LaunchTemplate | ||
| Version: !GetAtt LaunchTemplate.LatestVersionNumber | ||
| MetricsCollection: | ||
| - Granularity: 1Minute | ||
| Metrics: | ||
| - GroupTotalInstances | ||
| MaxSize: 1 | ||
| MinSize: 1 | ||
| VPCZoneIdentifier: | ||
| - !Ref VpcSubnet1 | ||
| - !Ref VpcSubnet2 | ||
| Tags: | ||
| - Key: Name | ||
| Value: 'UID2 Instance' | ||
| PropagateAtLaunch: true | ||
| CreationPolicy: | ||
| ResourceSignal: | ||
| Count: 1 | ||
| Timeout: PT10M | ||
| UpdatePolicy: | ||
| AutoScalingRollingUpdate: | ||
| PauseTime: PT10M | ||
| WaitOnResourceSignals: true |