- {
- "AWSTemplateFormatVersion": "2010-09-09",
- "Description": "AWS CloudFormation template that creates a NAT jumpbox to expose a VPC only Databases or service",
- "Parameters": {
- "KeyName": {
- "Description": "Name of an existing EC2 KeyPair to enable SSH access to the instance",
- "Type": "AWS::EC2::KeyPair::KeyName",
- "MinLength": "1",
- "ConstraintDescription": "Can contain only ASCII characters."
- },
- "InstanceType": {
- "Description": "The EC2 instance class",
- "Type": "String",
- "Default": "t2.micro",
- "AllowedValues": [
- "t2.micro",
- "t2.small",
- "t2.medium",
- "m3.medium",
- "m3.large",
- "m3.xlarge",
- "m3.2xlarge",
- "c3.large",
- "c3.xlarge",
- "c3.2xlarge",
- "c3.4xlarge",
- "c3.8xlarge",
- "r3.large",
- "r3.xlarge",
- "r3.2xlarge",
- "r3.4xlarge",
- "r3.8xlarge",
- "i2.xlarge",
- "i2.2xlarge",
- "i2.4xlarge",
- "i2.8xlarge",
- "hi1.4xlarge",
- "hs1.8xlarge",
- "cr1.8xlarge",
- "cc2.8xlarge"
- ],
- "ConstraintDescription": "Must be a valid EC2 instance type"
- },
- "Subnet": {
- "Type": "AWS::EC2::Subnet::Id",
- "Description": "Subnet that has access to your Database"
- },
- "SourceAddress": {
- "Description": "The source range you want to allow access from: example 0.0.0.0/0",
- "Type": "String",
- "MinLength": "9",
- "MaxLength": "18",
- "Default": "0.0.0.0/0",
- "AllowedPattern": "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})",
- "ConstraintDescription": "Must be a valid IP CIDR range of the form x.x.x.x/x"
- },
- "DestinationAddress": {
- "Description": "Internal service/ Database destination IP address: example 172.1.24.23",
- "Type": "String",
- "MinLength": "6",
- "MaxLength": "100",
- "Default": "0.0.0.0",
- "ConstraintDescription": "Must be a valid /32 IP or DNS address"
- },
- "SourcePort": {
- "Description": "The port the service must listen on: example 3306",
- "Type": "String",
- "MinLength": "1",
- "MaxLength": "6",
- "Default": "3306",
- "AllowedPattern": "(\\d{0,9})",
- "ConstraintDescription": "Must be a valid port: example 3306"
- },
- "DestinationPort": {
- "Description": "The remote port the service is listening on: example 3306",
- "Type": "String",
- "MinLength": "1",
- "MaxLength": "6",
- "Default": "3306",
- "AllowedPattern": "(\\d{0,9})",
- "ConstraintDescription": "Must be a valid port: example 3306"
- }
- },
- "Mappings": {
- "AWSInstanceType2Arch": {
- "t2.micro": {
- "Arch": "HVM64"
- },
- "t2.small": {
- "Arch": "HVM64"
- },
- "t2.medium": {
- "Arch": "HVM64"
- },
- "m3.medium": {
- "Arch": "HVM64"
- },
- "m3.large": {
- "Arch": "HVM64"
- },
- "m3.xlarge": {
- "Arch": "HVM64"
- },
- "m3.2xlarge": {
- "Arch": "HVM64"
- },
- "c3.large": {
- "Arch": "HVM64"
- },
- "c3.xlarge": {
- "Arch": "HVM64"
- },
- "c3.2xlarge": {
- "Arch": "HVM64"
- },
- "c3.4xlarge": {
- "Arch": "HVM64"
- },
- "c3.8xlarge": {
- "Arch": "HVM64"
- },
- "r3.large": {
- "Arch": "HVM64"
- },
- "r3.xlarge": {
- "Arch": "HVM64"
- },
- "r3.2xlarge": {
- "Arch": "HVM64"
- },
- "r3.4xlarge": {
- "Arch": "HVM64"
- },
- "r3.8xlarge": {
- "Arch": "HVM64"
- },
- "i2.xlarge": {
- "Arch": "HVM64"
- },
- "i2.2xlarge": {
- "Arch": "HVM64"
- },
- "i2.4xlarge": {
- "Arch": "HVM64"
- },
- "i2.8xlarge": {
- "Arch": "HVM64"
- },
- "hi1.4xlarge": {
- "Arch": "HVM64"
- },
- "hs1.8xlarge": {
- "Arch": "HVM64"
- },
- "cr1.8xlarge": {
- "Arch": "HVM64"
- },
- "cc2.8xlarge": {
- "Arch": "HVM64"
- }
- },
- "AWSRegionArch2AMI": {
- "us-east-1": {
- "HVM64": "ami-22ce4934"
- },
- "us-east-2": {
- "HVM64": "ami-7bfcd81e"
- },
- "us-west-1": {
- "HVM64": "ami-9e247efe"
- },
- "us-west-2": {
- "HVM64": "ami-8ca83fec"
- },
- "ca-central-1": {
- "HVM64": "ami-8601bce2"
- },
- "eu-west-1": {
- "HVM64": "ami-e5083683"
- },
- "eu-west-2": {
- "HVM64": "ami-11130775"
- },
- "eu-central-1": {
- "HVM64": "ami-5b06d634"
- },
- "ap-southeast-1": {
- "HVM64": "ami-a2bc03c1"
- },
- "ap-southeast-2": {
- "HVM64": "ami-8bf2fde8"
- },
- "ap-northeast-2": {
- "HVM64": "ami-8369baed"
- },
- "ap-northeast-1": {
- "HVM64": "ami-859bbfe2"
- },
- "ap-south-1": {
- "HVM64": "ami-815625ee"
- },
- "sa-east-1": {
- "HVM64": "ami-a97013c5"
- }
- }
- },
- "Resources": {
- "NatVPCHost": {
- "Type": "AWS::EC2::Instance",
- "Metadata": {
- "AWS::CloudFormation::Init": {
- "config": {
- "packages": {
- "yum": {
- "compat-iptables": [],
- "httpd": [],
- "tcping": [],
- "joe": []
- }
- },
- "files": {
- "/var/spool/cron/root": {
- "content": {
- "Fn::Join": [
- "",
- [
- "* * * * * /root/natrefresh.sh\n"
- ]
- ]
- },
- "mode": "000600",
- "owner": "root",
- "group": "root"
- },
- "/root/natcfn.version": {
- "content": {
- "Fn::Join": [
- "",
- [
- "2017-04-15 v1.2a\n"
- ]
- ]
- },
- "mode": "000600",
- "owner": "root",
- "group": "root"
- },
- "/root/natrefresh.sh": {
- "content": {
- "Fn::Join": [
- "",
- [
- "#!/bin/bash\n",
- "PATH=\"$PATH:/sbin:/bin:/usr/sbin:/usr/bin:/opt/aws/bin\"\n",
- "DESTINATION=`cat /root/destination.dns | grep DestinationAddress | awk '{printf $2\"\\n\" }'`\n",
- "SOURCE=`cat /root/destination.dns | grep SourceAddress | awk '{printf $2\"\\n\" }'`\n",
- "DESTINATIONPORT=`cat /root/destination.dns | grep DestinationPort | awk '{printf $2\"\\n\" }'`\n",
- "SOURCEPORT=`cat /root/destination.dns | grep SourcePort | awk '{printf $2\"\\n\" }'`\n",
- "STATUS=\"/var/www/html/index.html\"\n",
- "lookup()\n",
- "{\n",
- "export HOSTR=`host $DESTINATION | awk '{ printf $4 \"\\n\"}' | grep \"\\.\"`\n",
- "[ -z $HOSTR ] && HOSTR=\"$DESTINATION\"\n",
- "}\n",
- "refreshcheck()\n",
- "{\n",
- "INIT=`grep -q \"$HOSTR\" /etc/sysconfig/iptables`\n",
- "echo $INIT | grep -q MASQUERADE || refresh\n",
- "}\n",
- "clearnat()\n",
- "{\n",
- "iptables -F\n",
- "iptables -X\n",
- "iptables -t nat -F\n",
- "iptables -t nat -X\n",
- "iptables -t mangle -F\n",
- "iptables -t mangle -X\n",
- "iptables -P INPUT ACCEPT\n",
- "iptables -P FORWARD ACCEPT\n",
- "iptables -P OUTPUT ACCEPT\n",
- "rm -f /etc/sysconfig/iptables\n",
- "}\n",
- "recreatenat()\n",
- "{\n",
- "iptables --table nat --append POSTROUTING --source $SOURCE --destination $DESTINATION --jump MASQUERADE\n",
- "iptables --table nat --append PREROUTING --protocol tcp --dport $SOURCEPORT --jump DNAT --to-destination $HOSTR:$DESTINATIONPORT\n",
- "/sbin/service iptables save\n",
- "}\n",
- "refresh()\n",
- "{\n",
- "clearnat\n",
- "recreatenat\n",
- "}\n",
- "status()\n",
- "{\n",
- "rm -f $STATUS\n",
- "VERSION=`cat /root/natcfn.version`\n",
- "tcping -t 1 -q $HOSTR $DESTINATIONPORT && echo \"<center><h1><b><u>Status</b></u></h1></br></br><h1><font color=\"black\">Connection to $HOSTR port $DESTINATIONPORT successfull</h1></font>\" >> $STATUS\n",
- "tcping -t 1 -q $HOSTR $DESTINATIONPORT || echo \"<center><h1><b><u>Status</b></u></h1></br></br><h1><font color=\"red\">Unable to connect to $HOSTR on port $DESTINATIONPORT</h1></font>\" >> $STATUS\n",
- "echo \"</br></br> \" >> $STATUS\n",
- "echo \"<align=right>Version $VERSION\" >> $STATUS\n",
- "echo \"</align>\" >> $STATUS\n",
- "}\n",
- "lookup\n",
- "grep -q \".com\" /root/destination.dns && refreshcheck\n",
- "[ -f /etc/sysconfig/iptables ] || refreshcheck\n",
- "status\n"
- ]
- ]
- },
- "mode": "000500",
- "owner": "root",
- "group": "root"
- },
- "/root/destination.dns": {
- "content": {
- "Fn::Join": [
- "",
- [
- "DestinationAddress ",
- {
- "Ref": "DestinationAddress"
- },
- "\n",
- "SourceAddress ",
- {
- "Ref": "SourceAddress"
- },
- "\n",
- "DestinationPort ",
- {
- "Ref": "DestinationPort"
- },
- "\n",
- "SourcePort ",
- {
- "Ref": "SourcePort"
- },
- "\n"
- ]
- ]
- },
- "mode": "000600",
- "owner": "root",
- "group": "root"
- }
- }
- }
- }
- },
- "Properties": {
- "ImageId": {
- "Fn::FindInMap": [
- "AWSRegionArch2AMI",
- {
- "Ref": "AWS::Region"
- },
- {
- "Fn::FindInMap": [
- "AWSInstanceType2Arch",
- {
- "Ref": "InstanceType"
- },
- "Arch"
- ]
- }
- ]
- },
- "InstanceType": {
- "Ref": "InstanceType"
- },
- "SecurityGroupIds": [
- {
- "Fn::GetAtt": [
- "NatVPCSecurityGroup",
- "GroupId"
- ]
- }
- ],
- "KeyName": {
- "Ref": "KeyName"
- },
- "SubnetId": {
- "Ref": "Subnet"
- },
- "UserData": {
- "Fn::Base64": {
- "Fn::Join": [
- "",
- [
- "#!/bin/bash\n",
- "# Helper function\n",
- "function error_exit \n",
- "{\n",
- " /opt/aws/bin/cfn-signal -e 1 -r \"$1\" '",
- {
- "Ref": "WaitHandle"
- },
- "'\n",
- " exit 1\n",
- "}\n",
- "yum-config-manager --enable epel\n",
- "sed -i 's/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/g' /etc/sysctl.conf\n",
- "# Install the files and packages from the metadata\n",
- "/opt/aws/bin/cfn-init -v ",
- " --stack ",
- {
- "Ref": "AWS::StackName"
- },
- " --resource NatVPCHost ",
- " --region ",
- {
- "Ref": "AWS::Region"
- },
- "\n",
- "yum update -y\n",
- "/opt/aws/bin/cfn-signal -e 0 -r \"cfn-int setup complete\" '",
- {
- "Ref": "WaitHandle"
- },
- "'\n",
- "/root/natrefresh.sh\n",
- "chkconfig httpd on\n",
- "service httpd start\n",
- "reboot\n"
- ]
- ]
- }
- }
- }
- },
- "NatVPCSecurityGroup": {
- "Type": "AWS::EC2::SecurityGroup",
- "Properties": {
- "GroupDescription": "Enable incoming access on the NAT instance",
- "SecurityGroupIngress": [
- {
- "IpProtocol": "tcp",
- "FromPort": {
- "Ref": "SourcePort"
- },
- "ToPort": {
- "Ref": "SourcePort"
- },
- "CidrIp": {
- "Ref": "SourceAddress"
- }
- }
- ]
- }
- },
- "WaitCondition": {
- "Type": "AWS::CloudFormation::WaitCondition",
- "Properties": {
- "Handle": {
- "Ref": "WaitHandle"
- },
- "Timeout": "1200"
- }
- },
- "WaitHandle": {
- "Type": "AWS::CloudFormation::WaitConditionHandle"
- }
- },
- "Outputs": {
- "Endpoint": {
- "Description": "",
- "Value": {
- "Fn::Join": [
- "",
- [
- {
- "Fn::GetAtt": [
- "NatVPCHost",
- "PublicDnsName"
- ]
- },
- " port ",
- {
- "Ref": "SourcePort"
- }
- ]
- ]
- }
- }
- }
- }