diff --git a/scripts/aws/input.yml b/scripts/aws/input.yml new file mode 100644 index 0000000..a833abf --- /dev/null +++ b/scripts/aws/input.yml @@ -0,0 +1,329 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: UID 2.0 CloudFormation template +Parameters: + APIToken: + Description: UID2 API Token + Type: String + NoEcho: true + CoreBaseURL: + Description: UID2 CoreBaseURL + Type: String + NoEcho: true + OptoutBaseURL: + Description: OptoutBaseURL + Type: String + NoEcho: true + DeployToEnvironment: + Description: Environment to deploy to prod/integ + Type: String + Default: prod + AllowedValues: + - prod + - integ + TrustNetworkCidr: + Description: The IP address range that can be used to SSH and HTTPS to the EC2 instances + Type: String + MinLength: '9' + MaxLength: '18' + Default: 10.0.0.0/8 + AllowedPattern: '(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})' + ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x. + InstanceType: + Description: EC2 instance type. Minimum 4 vCPUs needed. + Type: String + Default: m5.2xlarge + AllowedValues: + - m5.2xlarge + - m5.4xlarge + - m5a.2xlarge + - m5a.4xlarge + - m5n.2xlarge + - m5n.4xlarge + - m6i.2xlarge + - m6i.4xlarge + - r6i.2xlarge + - r6i.4xlarge + ConstraintDescription: must be a valid EC2 instance type. + RootVolumeSize: + Description: Instance root volume size + Type: Number + Default: 15 + VpcId: + Type: String + Description: VPC ID of your existing Virtual Private Cloud (VPC) + Default: '' + ConstraintDescription: must be the VPC ID of an existing Virtual Private Cloud. + VpcSubnet1: + Description: AZ1 Subnet ID from an existing VPC + Type: String + Default: '' + VpcSubnet2: + Description: AZ2 Subnet ID from an existing VPC + Type: String + Default: '' + SSHKeyName: + Description: Name of an existing EC2 KeyPair to enable SSH access to the instance + Type: 'AWS::EC2::KeyPair::KeyName' + ConstraintDescription: must be the name of an existing EC2 KeyPair. +Metadata: + 'AWS::CloudFormation::Interface': + ParameterGroups: + - Label: + default: Application Configuration + Parameters: + - APIToken + - DeployToEnvironment + - CoreBaseURL + - OptoutBaseURL + - Label: + default: Instance Configuration + Parameters: + - InstanceType + - RootVolumeSize + - SSHKeyName + - Label: + default: Infrastructure Configuration + Parameters: + - TrustNetworkCidr + - VpcId + - VpcSubnet1 + - VpcSubnet2 + - NewVpcCidr + - Subnet1Cidr + - Subnet2Cidr + ParameterLabels: + APIToken: + default: OPERATOR_KEY provided by UID2 Administrator. + CoreBaseURL: + default: CoreBaseURL provided by UID2 Administrator. + OptoutBaseURL: + default: CoreBaseURL provided by UID2 Administrator. + DeployToEnvironment: + default: UID2 environment to deploy to. Prod - production; Integ - integration test. + InstanceType: + default: Instance Type for EC2. Minimum 4 vCPUs needed. M5, M5a, M5n, M6i and R6i Instance types are tested. Choose 2xlarge or 4xlarge. + SSHKeyName: + default: Key Name for SSH to EC2 (required) + RootVolumeSize: + default: Instance root Volume size, enter in GB + TrustNetworkCidr: + default: Trusted Network CIDR (required) + VpcId: + default: Existing VPC ID (required) + VpcSubnet: + default: Existing Subnet ID (required) + CustomizeEnclaceResource: + default: Enclave resource configuration auto calculated or manual + EnclavememoryinMB: + default: If choose to false for CustomizeEnclaceResource, enter memory for Enclave in MB + EnclaveCPUCount: + default: If choose to false for CustomizeEnclaceResource, enter CPU count for Enclave +Mappings: + RegionMap: + us-east-1: + AMI: ami-xxxxxxxxxxxxxxxxx + us-east-2: + AMI: ami-xxxxxxxxxxxxxxxxx + us-west-1: + AMI: ami-xxxxxxxxxxxxxxxxx + us-west-2: + AMI: ami-xxxxxxxxxxxxxxxxx + eu-central-1: + AMI: ami-xxxxxxxxxxxxxxxxx + eu-west-1: + AMI: ami-xxxxxxxxxxxxxxxxx + eu-west-2: + AMI: ami-xxxxxxxxxxxxxxxxx + eu-west-3: + AMI: ami-xxxxxxxxxxxxxxxxx + eu-south-1: + AMI: ami-xxxxxxxxxxxxxxxxx + eu-north-1: + AMI: ami-xxxxxxxxxxxxxxxxx + me-south-1: + AMI: ami-xxxxxxxxxxxxxxxxx + ap-east-1: + AMI: ami-xxxxxxxxxxxxxxxxx + ap-south-1: + AMI: ami-xxxxxxxxxxxxxxxxx + ap-northeast-1: + AMI: ami-xxxxxxxxxxxxxxxxx + ap-northeast-2: + AMI: ami-xxxxxxxxxxxxxxxxx + ap-southeast-1: + AMI: ami-xxxxxxxxxxxxxxxxx + ap-southeast-2: + AMI: ami-xxxxxxxxxxxxxxxxx + sa-east-1: + AMI: ami-xxxxxxxxxxxxxxxxx + ca-central-1: + AMI: ami-xxxxxxxxxxxxxxxxx + af-south-1: + AMI: ami-xxxxxxxxxxxxxxxxx +Resources: + KMSKey: + Type: AWS::KMS::Key + Properties: + Description: Key for Secret Encryption + EnableKeyRotation: true + KeyPolicy: + Version: 2012-10-17 + Id: key-default-1 + Statement: + - Sid: Enable IAM User Permissions + Effect: Allow + Principal: + AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root' + Action: 'kms:*' + Resource: '*' + - Effect: Allow + Principal: + AWS: + - !GetAtt WorkerRole.Arn + Action: + - 'kms:Decrypt*' + - 'kms:GenerateDataKey*' + - 'kms:Describe*' + Resource: '*' + SSMKEYAlias: + Type: AWS::KMS::Alias + Properties: + AliasName: !Sub 'alias/uid-secret-${AWS::StackName}' + TargetKeyId: !Ref KMSKey + TokenSecret: + Type: AWS::SecretsManager::Secret + Properties: + Description: UID2 Token + KmsKeyId: !GetAtt KMSKey.Arn + Name: !Sub 'uid2-config-stack-${AWS::StackName}' + SecretString: !Sub '{ + "api_token":"${APIToken}", + "service_instances":6, + "enclave_cpu_count":6, + "enclave_memory_mb":24576, + "environment":"${DeployToEnvironment}", + "core_base_url": "${CoreBaseURL}", + "optout_base_url": "${OptoutBaseURL}" + }' + WorkerRole: + Type: 'AWS::IAM::Role' + Properties: + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Principal: + Service: + - ec2.amazonaws.com + Action: + - 'sts:AssumeRole' + Path: / + Policies: + - PolicyName: kms-secret-access + PolicyDocument: + Statement: + - Effect: Allow + Action: + - 'kms:Decrypt*' + - 'kms:GenerateDataKey*' + - 'kms:Describe*' + Resource: !Sub 'arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/uid-secret-${AWS::StackName}' + - Effect: Allow + Action: 'secretsmanager:GetSecretValue' + Resource: !Sub 'arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:uid2-config-stack-${AWS::StackName}*' + ManagedPolicyArns: + - 'arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy' + WorkerInstanceProfile: + Type: 'AWS::IAM::InstanceProfile' + Properties: + Path: / + Roles: + - !Ref WorkerRole + SecurityGroup: + Type: 'AWS::EC2::SecurityGroup' + Properties: + GroupDescription: UID2 EC2 Security Group + SecurityGroupIngress: + - IpProtocol: tcp + FromPort: '22' + ToPort: '22' + CidrIp: !Ref TrustNetworkCidr + Description: "Allow Inbound SSH" + - IpProtocol: tcp + FromPort: '80' + ToPort: '80' + CidrIp: !Ref TrustNetworkCidr + Description: "Allow Inbound HTTP" + - IpProtocol: tcp + FromPort: '9080' + ToPort: '9080' + CidrIp: !Ref TrustNetworkCidr + Description: "Prometheus metrics" + SecurityGroupEgress: + - IpProtocol: tcp + FromPort: '443' + ToPort: '443' + CidrIp: 0.0.0.0/0 + Description: "Allow Outbound HTTPS" + - IpProtocol: udp + FromPort: '53' + ToPort: '53' + CidrIp: 0.0.0.0/0 + Description: "Allow Outbound DNS" + VpcId: !Ref VpcId + LaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + BlockDeviceMappings: + - DeviceName: /dev/xvda + Ebs: + Encrypted: true + VolumeSize: !Ref RootVolumeSize + VolumeType: gp3 + IamInstanceProfile: + Name: !Ref WorkerInstanceProfile + ImageId: !FindInMap [RegionMap, !Ref 'AWS::Region', AMI] + InstanceType: !Ref InstanceType + EnclaveOptions: + Enabled: true + KeyName: !Ref SSHKeyName + SecurityGroupIds: + - !Ref SecurityGroup + UserData: !Base64 + Fn::Sub: | + #!/bin/bash -ex + export UID2_CONFIG_SECRET_KEY="uid2-config-stack-${AWS::StackName}" + sudo yum update -y --security + while ! nc -z localhost 80;do sleep 10;done + /opt/aws/bin/cfn-signal -e 0 --stack ${AWS::StackName} --resource AutoScalingGroup --region ${AWS::Region} + AutoScalingGroup: + Type: AWS::AutoScaling::AutoScalingGroup + DependsOn: + - TokenSecret + - SSMKEYAlias + Properties: + LaunchTemplate: + LaunchTemplateId: !Ref LaunchTemplate + Version: !GetAtt LaunchTemplate.LatestVersionNumber + MetricsCollection: + - Granularity: 1Minute + Metrics: + - GroupTotalInstances + MaxSize: 1 + MinSize: 1 + VPCZoneIdentifier: + - !Ref VpcSubnet1 + - !Ref VpcSubnet2 + Tags: + - Key: Name + Value: 'UID2 Instance' + PropagateAtLaunch: true + CreationPolicy: + ResourceSignal: + Count: 1 + Timeout: PT10M + UpdatePolicy: + AutoScalingRollingUpdate: + PauseTime: PT10M + WaitOnResourceSignals: true