#jinja2: lstrip_blocks: "True"
|
---
|
AWSTemplateFormatVersion: "2010-09-09"
|
Mappings:
|
RegionMapping: {{ aws_ami_region_mapping | to_json }}
|
|
Resources:
|
Vpc:
|
Type: "AWS::EC2::VPC"
|
Properties:
|
CidrBlock: "{{ aws_vpc_cidr }}"
|
EnableDnsSupport: true
|
EnableDnsHostnames: true
|
Tags:
|
- Key: Name
|
Value: "{{ aws_vpc_name }}"
|
- Key: Hostlication
|
Value:
|
Ref: "AWS::StackId"
|
|
VpcInternetGateway:
|
Type: "AWS::EC2::InternetGateway"
|
|
VpcRouteTable:
|
Type: "AWS::EC2::RouteTable"
|
Properties:
|
VpcId:
|
Ref: Vpc
|
|
VPCRouteInternetGateway:
|
DependsOn: VpcGA
|
Type: "AWS::EC2::Route"
|
Properties:
|
GatewayId:
|
Ref: VpcInternetGateway
|
DestinationCidrBlock: "0.0.0.0/0"
|
RouteTableId:
|
Ref: VpcRouteTable
|
|
VpcGA:
|
Type: "AWS::EC2::VPCGatewayAttachment"
|
Properties:
|
InternetGatewayId:
|
Ref: VpcInternetGateway
|
VpcId:
|
Ref: Vpc
|
|
PublicSubnet:
|
Type: "AWS::EC2::Subnet"
|
DependsOn:
|
- Vpc
|
Properties:
|
{% if aws_availability_zone is defined %}
|
AvailabilityZone: {{ aws_availability_zone }}
|
{% endif %}
|
|
CidrBlock: "{{ aws_public_subnet_cidr }}"
|
Tags:
|
- Key: Name
|
Value: "{{project_tag}}"
|
- Key: Hostlication
|
Value:
|
Ref: "AWS::StackId"
|
MapPublicIpOnLaunch: true
|
VpcId:
|
Ref: Vpc
|
|
PublicSubnetRTA:
|
Type: "AWS::EC2::SubnetRouteTableAssociation"
|
Properties:
|
RouteTableId:
|
Ref: VpcRouteTable
|
SubnetId:
|
Ref: PublicSubnet
|
|
{% for security_group in security_groups|list %}
|
{{security_group['name']}}:
|
Type: "AWS::EC2::SecurityGroup"
|
Properties:
|
GroupDescription: Host
|
VpcId:
|
Ref: Vpc
|
Tags:
|
- Key: Name
|
Value: "{{security_group['name']}}"
|
{% endfor %}
|
|
{% for security_group in security_groups|list %}
|
{% for rule in security_group.rules %}
|
{{security_group['name']}}{{rule['name']}}:
|
Type: "AWS::EC2::SecurityGroup{{rule['rule_type']}}"
|
Properties:
|
GroupId:
|
Fn::GetAtt:
|
- "{{security_group['name']}}"
|
- GroupId
|
IpProtocol: {{rule['protocol']}}
|
FromPort: {{rule['from_port']}}
|
ToPort: {{rule['to_port']}}
|
{% if rule['cidr'] is defined %}
|
CidrIp: "{{rule['cidr']}}"
|
{% endif %}
|
|
{% if rule['from_group'] is defined %}
|
SourceSecurityGroupId:
|
Fn::GetAtt:
|
- "{{rule['from_group']}}"
|
- GroupId
|
{% endif %}
|
{% endfor %}
|
{% endfor %}
|
|
DnsZonePrivate:
|
Type: "AWS::Route53::HostedZone"
|
Properties:
|
Name: "{{ aws_dns_zone_private }}"
|
VPCs:
|
- VPCId:
|
Ref: Vpc
|
VPCRegion:
|
Ref: "AWS::Region"
|
HostedZoneConfig:
|
Comment: "{{ aws_comment }}"
|
|
|
DnsZonePublic:
|
Type: "AWS::Route53::HostedZone"
|
Properties:
|
Name: "{{ aws_dns_zone_public }}"
|
HostedZoneConfig:
|
Comment: "{{ aws_comment }}"
|
|
DnsPublicDelegation:
|
Type: "AWS::Route53::RecordSetGroup"
|
DependsOn:
|
- DnsZonePublic
|
Properties:
|
{% if HostedZoneId is defined %}
|
HostedZoneId: "{{ HostedZoneId }}"
|
{% else %}
|
HostedZoneName: "{{ aws_dns_zone_root }}"
|
{% endif %}
|
RecordSets:
|
- Name: "{{ aws_dns_zone_public }}"
|
Type: NS
|
TTL: {{ aws_dns_ttl_public }}
|
ResourceRecords:
|
"Fn::GetAtt":
|
- DnsZonePublic
|
- NameServers
|
|
|
{% for instance in instances %}
|
{% if instance['dns_loadbalancer'] | d(false) | bool
|
and not instance['unique'] | d(false) | bool %}
|
{{instance['name']}}DnsLoadBalancer:
|
Type: "AWS::Route53::RecordSetGroup"
|
DependsOn:
|
{% for c in range(1, (instance['count']|int)+1) %}
|
- {{instance['name']}}{{c}}
|
{% if instance['public_dns'] %}
|
- {{instance['name']}}{{c}}EIP
|
{% endif %}
|
{% endfor %}
|
Properties:
|
HostedZoneId:
|
Ref: DnsZonePublic
|
RecordSets:
|
- Name: "{{instance['name']}}.{{aws_dns_zone_public_prefix|d('')}}{{ aws_dns_zone_public }}"
|
Type: A
|
TTL: {{ aws_dns_ttl_public }}
|
ResourceRecords:
|
{% for c in range(1,(instance['count'] |int)+1) %}
|
- "Fn::GetAtt":
|
- {{instance['name']}}{{c}}
|
- PublicIp
|
{% endfor %}
|
{% endif %}
|
|
{% for c in range(1,(instance['count'] |int)+1) %}
|
{{instance['name']}}{{loop.index}}:
|
Type: "AWS::EC2::Instance"
|
Properties:
|
{% if custom_image is defined %}
|
ImageId: {{ custom_image.image_id }}
|
{% else %}
|
ImageId:
|
Fn::FindInMap:
|
- RegionMapping
|
- Ref: AWS::Region
|
- {{ instance.image | default(aws_default_image) }}
|
{% endif %}
|
InstanceType: "{{instance['flavor'][cloud_provider]}}"
|
KeyName: "{{instance.key_name | default(key_name)}}"
|
{% if instance['UserData'] is defined %}
|
{{instance['UserData']}}
|
{% endif %}
|
|
{% if instance['security_groups'] is defined %}
|
SecurityGroupIds:
|
{% for sg in instance.security_groups %}
|
- Ref: {{ sg }}
|
{% endfor %}
|
{% else %}
|
SecurityGroupIds:
|
- Ref: DefaultSG
|
{% endif %}
|
SubnetId:
|
Ref: PublicSubnet
|
Tags:
|
{% if instance['unique'] | d(false) | bool %}
|
- Key: Name
|
Value: {{instance['name']}}
|
- Key: internaldns
|
Value: {{instance['name']}}.{{aws_dns_zone_private_chomped}}
|
- Key: publicname
|
Value: {{instance['name']}}.{{aws_dns_zone_public_prefix|d('')}}{{subdomain_base }}
|
{% else %}
|
- Key: Name
|
Value: {{instance['name']}}{{loop.index}}
|
- Key: internaldns
|
Value: {{instance['name']}}{{loop.index}}.{{aws_dns_zone_private_chomped}}
|
- Key: publicname
|
Value: {{instance['name']}}{{loop.index}}.{{aws_dns_zone_public_prefix|d('')}}{{ subdomain_base}}
|
{% endif %}
|
- Key: "owner"
|
Value: "{{ email | default('unknownuser') }}"
|
- Key: "Project"
|
Value: "{{project_tag}}"
|
- Key: "{{project_tag}}"
|
Value: "{{ instance['name'] }}"
|
{% for tag in instance['tags'] %}
|
- Key: {{tag['key']}}
|
Value: {{tag['value']}}
|
{% endfor %}
|
BlockDeviceMappings:
|
{% if '/dev/sda1' not in instance.volumes|d([])|json_query('[].device_name')
|
and '/dev/sda1' not in instance.volumes|d([])|json_query('[].name')
|
%}
|
- DeviceName: "/dev/sda1"
|
Ebs:
|
VolumeSize: "{{ instance['rootfs_size'] | default(aws_default_rootfs_size) }}"
|
VolumeType: "{{ aws_default_volume_type }}"
|
{% endif %}
|
{% for vol in instance.volumes|default([]) if vol.enable|d(true) %}
|
- DeviceName: "{{ vol.name | default(vol.device_name) }}"
|
Ebs:
|
{% if cloud_provider in vol and 'type' in vol.ec2 %}
|
VolumeType: "{{ vol[cloud_provider].type }}"
|
{% else %}
|
VolumeType: "{{ aws_default_volume_type }}"
|
{% endif %}
|
VolumeSize: "{{ vol.size }}"
|
{% endfor %}
|
|
{{instance['name']}}{{loop.index}}InternalDns:
|
Type: "AWS::Route53::RecordSetGroup"
|
Properties:
|
HostedZoneId:
|
Ref: DnsZonePrivate
|
RecordSets:
|
{% if instance['unique'] | d(false) | bool %}
|
- Name: "{{instance['name']}}.{{aws_dns_zone_private}}"
|
{% else %}
|
- Name: "{{instance['name']}}{{loop.index}}.{{aws_dns_zone_private}}"
|
{% endif %}
|
Type: A
|
TTL: {{ aws_dns_ttl_private }}
|
ResourceRecords:
|
- "Fn::GetAtt":
|
- {{instance['name']}}{{loop.index}}
|
- PrivateIp
|
|
{% if instance['public_dns'] %}
|
{{instance['name']}}{{loop.index}}EIP:
|
Type: "AWS::EC2::EIP"
|
DependsOn:
|
- VpcGA
|
Properties:
|
InstanceId:
|
Ref: {{instance['name']}}{{loop.index}}
|
|
{{instance['name']}}{{loop.index}}PublicDns:
|
Type: "AWS::Route53::RecordSetGroup"
|
DependsOn:
|
- {{instance['name']}}{{loop.index}}EIP
|
Properties:
|
{% if secondary_stack is defined %}
|
HostedZoneName: "{{ aws_dns_zone_public }}"
|
{% else %}
|
HostedZoneId:
|
Ref: DnsZonePublic
|
{% endif %}
|
RecordSets:
|
{% if instance['unique'] | d(false) | bool %}
|
- Name: "{{instance['name']}}.{{aws_dns_zone_public_prefix|d('')}}{{ aws_dns_zone_public }}"
|
{% else %}
|
- Name: "{{instance['name']}}{{loop.index}}.{{aws_dns_zone_public_prefix|d('')}}{{ aws_dns_zone_public }}"
|
{% endif %}
|
Type: A
|
TTL: {{ aws_dns_ttl_public }}
|
ResourceRecords:
|
- "Fn::GetAtt":
|
- {{instance['name']}}{{loop.index}}
|
- PublicIp
|
{% endif %}
|
{% endfor %}
|
{% endfor %}
|
|
|
Route53User:
|
Type: AWS::IAM::User
|
Properties:
|
Policies:
|
- PolicyName: Route53Access
|
PolicyDocument:
|
Statement:
|
- Effect: Allow
|
Action: route53:GetHostedZone
|
Resource: arn:aws:route53:::change/*
|
|
- Effect: Allow
|
Action: route53:ListHostedZones
|
Resource: "*"
|
|
- Effect: Allow
|
Action:
|
- route53:ChangeResourceRecordSets
|
- route53:ListResourceRecordSets
|
- route53:GetHostedZone
|
Resource:
|
Fn::Join:
|
- ""
|
- - "arn:aws:route53:::hostedzone/"
|
- Ref: DnsZonePublic
|
|
- Effect: Allow
|
Action: route53:GetChange
|
Resource: arn:aws:route53:::change/*
|
|
Route53UserAccessKey:
|
DependsOn: Route53User
|
Type: AWS::IAM::AccessKey
|
Properties:
|
UserName:
|
Ref: Route53User
|
|
|
Outputs:
|
Route53internalzoneOutput:
|
Description: The ID of the internal route 53 zone
|
Value:
|
Ref: DnsZonePrivate
|
Route53User:
|
Value:
|
Ref: Route53User
|
Description: IAM User for Route53 (Let's Encrypt)
|
Route53UserAccessKey:
|
Value:
|
Ref: Route53UserAccessKey
|
Description: IAM User for Route53 (Let's Encrypt)
|
Route53UserSecretAccessKey:
|
Value:
|
Fn::GetAtt:
|
- Route53UserAccessKey
|
- SecretAccessKey
|
Description: IAM User for Route53 (Let's Encrypt)
|