AlistairCook

AWS NAT-RDS-Provisioning-Template

Jul 19th, 2017
  1. {
  2. "AWSTemplateFormatVersion": "2010-09-09",
  3. "Description": "AWS CloudFormation template that creates a NAT jumpbox exposing a VPC-only database or service: the instance DNATs inbound TCP on SourcePort (from SourceAddress) to DestinationAddress:DestinationPort via iptables, re-applied by a root cron job every minute. Review SourceAddress before deploying - the default is the whole internet.",
  4. "Parameters": {
  5. "KeyName": {
  6. "Description": "Name of an existing EC2 KeyPair to enable SSH access to the instance",
  7. "Type": "AWS::EC2::KeyPair::KeyName",
  8. "MinLength": "1",
  9. "ConstraintDescription": "Can contain only ASCII characters."
  10. },
  11. "InstanceType": {
  12. "Description": "The EC2 instance class",
  13. "Type": "String",
  14. "Default": "t2.micro",
  15. "AllowedValues": [
  16. "t2.micro",
  17. "t2.small",
  18. "t2.medium",
  19. "m3.medium",
  20. "m3.large",
  21. "m3.xlarge",
  22. "m3.2xlarge",
  23. "c3.large",
  24. "c3.xlarge",
  25. "c3.2xlarge",
  26. "c3.4xlarge",
  27. "c3.8xlarge",
  28. "r3.large",
  29. "r3.xlarge",
  30. "r3.2xlarge",
  31. "r3.4xlarge",
  32. "r3.8xlarge",
  33. "i2.xlarge",
  34. "i2.2xlarge",
  35. "i2.4xlarge",
  36. "i2.8xlarge",
  37. "hi1.4xlarge",
  38. "hs1.8xlarge",
  39. "cr1.8xlarge",
  40. "cc2.8xlarge"
  41. ],
  42. "ConstraintDescription": "Must be a valid EC2 instance type"
  43. },
  44. "Subnet": {
  45. "Type": "AWS::EC2::Subnet::Id",
  46. "Description": "Subnet that has access to your Database"
  47. },
  48. "SourceAddress": {
  49. "Description": "The source CIDR range allowed to reach the exposed port. This value becomes the CidrIp of the instance security group; the default 0.0.0.0/0 opens the database port to the entire internet, so restrict it to a known client range (for example an office or VPN egress /32).",
  50. "Type": "String",
  51. "MinLength": "9",
  52. "MaxLength": "18",
  53. "Default": "0.0.0.0/0",
  54. "AllowedPattern": "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})",
  55. "ConstraintDescription": "Must be a valid IP CIDR range of the form x.x.x.x/x"
  56. },
  57. "DestinationAddress": {
  58. "Description": "Internal service/database destination IP address or DNS name: example 172.1.24.23. Note that this value is written to /root/destination.dns and used unquoted by the root cron script in 'host' and 'iptables --destination' invocations; only the first whitespace-delimited token is read.",
  59. "Type": "String",
  60. "MinLength": "6",
  61. "MaxLength": "100",
  62. "Default": "0.0.0.0",
  63. "ConstraintDescription": "Must be a valid /32 IP or DNS address (not enforced by the template: no AllowedPattern is set, only a 6-100 character length check, so validate this input before deploying)"
  64. },
  65. "SourcePort": {
  66. "Description": "The port the NAT instance listens on, opened in its security group and DNATed to DestinationPort: example 3306",
  67. "Type": "String",
  68. "MinLength": "1",
  69. "MaxLength": "6",
  70. "Default": "3306",
  71. "AllowedPattern": "(\\d{0,9})",
  72. "ConstraintDescription": "Must be a valid TCP port (1-65535): example 3306. The AllowedPattern only checks for digits, so out-of-range values are rejected later by the security group, not by parameter validation."
  73. },
  74. "DestinationPort": {
  75. "Description": "The remote port the internal service is listening on; inbound connections on SourcePort are DNATed to DestinationAddress on this port: example 3306",
  76. "Type": "String",
  77. "MinLength": "1",
  78. "MaxLength": "6",
  79. "Default": "3306",
  80. "AllowedPattern": "(\\d{0,9})",
  81. "ConstraintDescription": "Must be a valid TCP port (1-65535): example 3306. The AllowedPattern only checks for digits and does not enforce the port range."
  82. }
  83. },
  84. "Mappings": {
  85. "AWSInstanceType2Arch": {
  86. "t2.micro": {
  87. "Arch": "HVM64"
  88. },
  89. "t2.small": {
  90. "Arch": "HVM64"
  91. },
  92. "t2.medium": {
  93. "Arch": "HVM64"
  94. },
  95. "m3.medium": {
  96. "Arch": "HVM64"
  97. },
  98. "m3.large": {
  99. "Arch": "HVM64"
  100. },
  101. "m3.xlarge": {
  102. "Arch": "HVM64"
  103. },
  104. "m3.2xlarge": {
  105. "Arch": "HVM64"
  106. },
  107. "c3.large": {
  108. "Arch": "HVM64"
  109. },
  110. "c3.xlarge": {
  111. "Arch": "HVM64"
  112. },
  113. "c3.2xlarge": {
  114. "Arch": "HVM64"
  115. },
  116. "c3.4xlarge": {
  117. "Arch": "HVM64"
  118. },
  119. "c3.8xlarge": {
  120. "Arch": "HVM64"
  121. },
  122. "r3.large": {
  123. "Arch": "HVM64"
  124. },
  125. "r3.xlarge": {
  126. "Arch": "HVM64"
  127. },
  128. "r3.2xlarge": {
  129. "Arch": "HVM64"
  130. },
  131. "r3.4xlarge": {
  132. "Arch": "HVM64"
  133. },
  134. "r3.8xlarge": {
  135. "Arch": "HVM64"
  136. },
  137. "i2.xlarge": {
  138. "Arch": "HVM64"
  139. },
  140. "i2.2xlarge": {
  141. "Arch": "HVM64"
  142. },
  143. "i2.4xlarge": {
  144. "Arch": "HVM64"
  145. },
  146. "i2.8xlarge": {
  147. "Arch": "HVM64"
  148. },
  149. "hi1.4xlarge": {
  150. "Arch": "HVM64"
  151. },
  152. "hs1.8xlarge": {
  153. "Arch": "HVM64"
  154. },
  155. "cr1.8xlarge": {
  156. "Arch": "HVM64"
  157. },
  158. "cc2.8xlarge": {
  159. "Arch": "HVM64"
  160. }
  161. },
  162. "AWSRegionArch2AMI": {
  163. "us-east-1": {
  164. "HVM64": "ami-22ce4934"
  165. },
  166. "us-east-2": {
  167. "HVM64": "ami-7bfcd81e"
  168. },
  169. "us-west-1": {
  170. "HVM64": "ami-9e247efe"
  171. },
  172. "us-west-2": {
  173. "HVM64": "ami-8ca83fec"
  174. },
  175. "ca-central-1": {
  176. "HVM64": "ami-8601bce2"
  177. },
  178. "eu-west-1": {
  179. "HVM64": "ami-e5083683"
  180. },
  181. "eu-west-2": {
  182. "HVM64": "ami-11130775"
  183. },
  184. "eu-central-1": {
  185. "HVM64": "ami-5b06d634"
  186. },
  187. "ap-southeast-1": {
  188. "HVM64": "ami-a2bc03c1"
  189. },
  190. "ap-southeast-2": {
  191. "HVM64": "ami-8bf2fde8"
  192. },
  193. "ap-northeast-2": {
  194. "HVM64": "ami-8369baed"
  195. },
  196. "ap-northeast-1": {
  197. "HVM64": "ami-859bbfe2"
  198. },
  199. "ap-south-1": {
  200. "HVM64": "ami-815625ee"
  201. },
  202. "sa-east-1": {
  203. "HVM64": "ami-a97013c5"
  204. }
  205. }
  206. },
  207. "Resources": {
  208. "NatVPCHost": {
  209. "Type": "AWS::EC2::Instance",
  210. "Metadata": {
  211. "AWS::CloudFormation::Init": {
  212. "config": {
  213. "packages": {
  214. "yum": {
  215. "compat-iptables": [],
  216. "httpd": [],
  217. "tcping": [],
  218. "joe": []
  219. }
  220. },
  221. "files": {
  222. "/var/spool/cron/root": {
  223. "content": {
  224. "Fn::Join": [
  225. "",
  226. [
  227. "* * * * * /root/natrefresh.sh\n"
  228. ]
  229. ]
  230. },
  231. "mode": "000600",
  232. "owner": "root",
  233. "group": "root"
  234. },
  235. "/root/natcfn.version": {
  236. "content": {
  237. "Fn::Join": [
  238. "",
  239. [
  240. "2017-04-15 v1.2a\n"
  241. ]
  242. ]
  243. },
  244. "mode": "000600",
  245. "owner": "root",
  246. "group": "root"
  247. },
  248. "/root/natrefresh.sh": {
  249. "content": {
  250. "Fn::Join": [
  251. "",
  252. [
  253. "#!/bin/bash\n",
  254. "PATH=\"$PATH:/sbin:/bin:/usr/sbin:/usr/bin:/opt/aws/bin\"\n",
  255. "DESTINATION=`cat /root/destination.dns | grep DestinationAddress | awk '{printf $2\"\\n\" }'`\n",
  256. "SOURCE=`cat /root/destination.dns | grep SourceAddress | awk '{printf $2\"\\n\" }'`\n",
  257. "DESTINATIONPORT=`cat /root/destination.dns | grep DestinationPort | awk '{printf $2\"\\n\" }'`\n",
  258. "SOURCEPORT=`cat /root/destination.dns | grep SourcePort | awk '{printf $2\"\\n\" }'`\n",
  259. "STATUS=\"/var/www/html/index.html\"\n",
  260. "lookup()\n",
  261. "{\n",
  262. "export HOSTR=`host $DESTINATION | awk '{ printf $4 \"\\n\"}' | grep \"\\.\"`\n",
  263. "[ -z $HOSTR ] && HOSTR=\"$DESTINATION\"\n",
  264. "}\n",
  265. "refreshcheck()\n",
  266. "{\n",
  267. "INIT=`grep -q \"$HOSTR\" /etc/sysconfig/iptables`\n",
  268. "echo $INIT | grep -q MASQUERADE || refresh\n",
  269. "}\n",
  270. "clearnat()\n",
  271. "{\n",
  272. "iptables -F\n",
  273. "iptables -X\n",
  274. "iptables -t nat -F\n",
  275. "iptables -t nat -X\n",
  276. "iptables -t mangle -F\n",
  277. "iptables -t mangle -X\n",
  278. "iptables -P INPUT ACCEPT\n",
  279. "iptables -P FORWARD ACCEPT\n",
  280. "iptables -P OUTPUT ACCEPT\n",
  281. "rm -f /etc/sysconfig/iptables\n",
  282. "}\n",
  283. "recreatenat()\n",
  284. "{\n",
  285. "iptables --table nat --append POSTROUTING --source $SOURCE --destination $DESTINATION --jump MASQUERADE\n",
  286. "iptables --table nat --append PREROUTING --protocol tcp --dport $SOURCEPORT --jump DNAT --to-destination $HOSTR:$DESTINATIONPORT\n",
  287. "/sbin/service iptables save\n",
  288. "}\n",
  289. "refresh()\n",
  290. "{\n",
  291. "clearnat\n",
  292. "recreatenat\n",
  293. "}\n",
  294. "status()\n",
  295. "{\n",
  296. "rm -f $STATUS\n",
  297. "VERSION=`cat /root/natcfn.version`\n",
  298. "tcping -t 1 -q $HOSTR $DESTINATIONPORT && echo \"<center><h1><b><u>Status</b></u></h1></br></br><h1><font color=\"black\">Connection to $HOSTR port $DESTINATIONPORT successfull</h1></font>\" >> $STATUS\n",
  299. "tcping -t 1 -q $HOSTR $DESTINATIONPORT || echo \"<center><h1><b><u>Status</b></u></h1></br></br><h1><font color=\"red\">Unable to connect to $HOSTR on port $DESTINATIONPORT</h1></font>\" >> $STATUS\n",
  300. "echo \"</br></br> \" >> $STATUS\n",
  301. "echo \"<align=right>Version $VERSION\" >> $STATUS\n",
  302. "echo \"</align>\" >> $STATUS\n",
  303. "}\n",
  304. "lookup\n",
  305. "grep -q \".com\" /root/destination.dns && refreshcheck\n",
  306. "[ -f /etc/sysconfig/iptables ] || refreshcheck\n",
  307. "status\n"
  308. ]
  309. ]
  310. },
  311. "mode": "000500",
  312. "owner": "root",
  313. "group": "root"
  314. },
  315. "/root/destination.dns": {
  316. "content": {
  317. "Fn::Join": [
  318. "",
  319. [
  320. "DestinationAddress ",
  321. {
  322. "Ref": "DestinationAddress"
  323. },
  324. "\n",
  325. "SourceAddress ",
  326. {
  327. "Ref": "SourceAddress"
  328. },
  329. "\n",
  330. "DestinationPort ",
  331. {
  332. "Ref": "DestinationPort"
  333. },
  334. "\n",
  335. "SourcePort ",
  336. {
  337. "Ref": "SourcePort"
  338. },
  339. "\n"
  340. ]
  341. ]
  342. },
  343. "mode": "000600",
  344. "owner": "root",
  345. "group": "root"
  346. }
  347. }
  348. }
  349. }
  350. },
  351. "Properties": {
  352. "ImageId": {
  353. "Fn::FindInMap": [
  354. "AWSRegionArch2AMI",
  355. {
  356. "Ref": "AWS::Region"
  357. },
  358. {
  359. "Fn::FindInMap": [
  360. "AWSInstanceType2Arch",
  361. {
  362. "Ref": "InstanceType"
  363. },
  364. "Arch"
  365. ]
  366. }
  367. ]
  368. },
  369. "InstanceType": {
  370. "Ref": "InstanceType"
  371. },
  372. "SecurityGroupIds": [
  373. {
  374. "Fn::GetAtt": [
  375. "NatVPCSecurityGroup",
  376. "GroupId"
  377. ]
  378. }
  379. ],
  380. "KeyName": {
  381. "Ref": "KeyName"
  382. },
  383. "SubnetId": {
  384. "Ref": "Subnet"
  385. },
  386. "UserData": {
  387. "Fn::Base64": {
  388. "Fn::Join": [
  389. "",
  390. [
  391. "#!/bin/bash\n",
  392. "# Helper function\n",
  393. "function error_exit \n",
  394. "{\n",
  395. " /opt/aws/bin/cfn-signal -e 1 -r \"$1\" '",
  396. {
  397. "Ref": "WaitHandle"
  398. },
  399. "'\n",
  400. " exit 1\n",
  401. "}\n",
  402. "yum-config-manager --enable epel\n",
  403. "sed -i 's/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/g' /etc/sysctl.conf\n",
  404. "# Install the files and packages from the metadata\n",
  405. "/opt/aws/bin/cfn-init -v ",
  406. " --stack ",
  407. {
  408. "Ref": "AWS::StackName"
  409. },
  410. " --resource NatVPCHost ",
  411. " --region ",
  412. {
  413. "Ref": "AWS::Region"
  414. },
  415. "\n",
  416. "yum update -y\n",
  417. "/opt/aws/bin/cfn-signal -e 0 -r \"cfn-int setup complete\" '",
  418. {
  419. "Ref": "WaitHandle"
  420. },
  421. "'\n",
  422. "/root/natrefresh.sh\n",
  423. "chkconfig httpd on\n",
  424. "service httpd start\n",
  425. "reboot\n"
  426. ]
  427. ]
  428. }
  429. }
  430. }
  431. },
  432. "NatVPCSecurityGroup": {
  433. "Type": "AWS::EC2::SecurityGroup",
  434. "Properties": {
  435. "GroupDescription": "Allow inbound TCP on SourcePort from SourceAddress to the NAT instance. This is the only ingress rule: SSH (22) for the KeyName key pair and the httpd status page (80) are not opened here and need a separate, tightly scoped rule if required.",
  436. "SecurityGroupIngress": [
  437. {
  438. "IpProtocol": "tcp",
  439. "FromPort": {
  440. "Ref": "SourcePort"
  441. },
  442. "ToPort": {
  443. "Ref": "SourcePort"
  444. },
  445. "CidrIp": {
  446. "Ref": "SourceAddress"
  447. }
  448. }
  449. ]
  450. }
  451. },
  452. "WaitCondition": {
  453. "Type": "AWS::CloudFormation::WaitCondition",
  454. "Properties": {
  455. "Handle": {
  456. "Ref": "WaitHandle"
  457. },
  458. "Timeout": "1200"
  459. }
  460. },
  461. "WaitHandle": {
  462. "Type": "AWS::CloudFormation::WaitConditionHandle"
  463. }
  464. },
  465. "Outputs": {
  466. "Endpoint": {
  467. "Description": "Public DNS name of the NAT instance and the externally reachable port that is forwarded to the internal service",
  468. "Value": {
  469. "Fn::Join": [
  470. "",
  471. [
  472. {
  473. "Fn::GetAtt": [
  474. "NatVPCHost",
  475. "PublicDnsName"
  476. ]
  477. },
  478. " port ",
  479. {
  480. "Ref": "SourcePort"
  481. }
  482. ]
  483. ]
  484. }
  485. }
  486. }
  487. }