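---
AWSTemplateFormatVersion: "2010-09-09"
Description: This AWS CloudFormation Template creates the necessary resources for the data protection workshops

# Resources fall into three groups: networking (VPC, two public subnets, NACLs),
# the Lambda origin with its IAM role/policy, and the ALB that fronts the Lambda.
# The ALB target group and listener are created later from Boto, not here.
Resources:
  # One VPC; both subnets below are public (route to the IGW, public IPs on launch).
  SystemVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsHostnames: true
      EnableDnsSupport: true
      Tags:
        - Key: workshop
          Value: acm-private-ca

  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: acm-private-ca

  GatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      InternetGatewayId: !Ref InternetGateway
      VpcId: !Ref SystemVPC

  RouteTable:
    DependsOn:
      - SystemVPC
    Type: AWS::EC2::RouteTable
    Properties:
      Tags:
        - Key: Name
          Value: acm-private-ca
      VpcId: !Ref SystemVPC

  # Default route to the internet; must wait for the IGW to be attached.
  PublicRoute:
    DependsOn:
      - RouteTable
      - GatewayAttachment
    Type: AWS::EC2::Route
    Properties:
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
      RouteTableId: !Ref RouteTable

  # Two subnets in two different AZs: an internet-facing ALB needs at least two AZs.
  Subnet:
    Type: AWS::EC2::Subnet
    Properties:
      CidrBlock: 10.0.0.0/24
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: acm-private-ca
      VpcId: !Ref SystemVPC
      AvailabilityZone: !Select [0, !GetAZs ""]

  SubnetAssoc:
    DependsOn:
      - Subnet
      - RouteTable
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTable
      SubnetId: !Ref Subnet

  SubnetTwo:
    Type: AWS::EC2::Subnet
    Properties:
      CidrBlock: 10.0.128.0/24
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: acm-private-ca
      VpcId: !Ref SystemVPC
      AvailabilityZone: !Select [1, !GetAZs ""]

  SubnetTwoAssoc:
    DependsOn:
      - SubnetTwo
      - RouteTable
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTable
      SubnetId: !Ref SubnetTwo

  # Network ACL for the public subnets. Both entries allow everything
  # (protocol -1, all ports, 0.0.0.0/0); the security group below is the
  # effective network control for the ALB.
  PublicNACL:
    Type: AWS::EC2::NetworkAcl
    Properties:
      VpcId: !Ref SystemVPC
      Tags:
        - Key: Network
          Value: Public

  InboundPublicNACLEntry:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref PublicNACL
      RuleNumber: 100
      Protocol: -1
      RuleAction: allow
      Egress: false
      CidrBlock: 0.0.0.0/0
      PortRange:
        From: 0
        To: 65535

  OutboundPublicNACLEntry:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref PublicNACL
      RuleNumber: 100
      Protocol: -1
      RuleAction: allow
      Egress: true
      CidrBlock: 0.0.0.0/0
      PortRange:
        From: 0
        To: 65535

  SubnetNACLAssociation:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      SubnetId: !Ref Subnet
      NetworkAclId: !Ref PublicNACL

  SubnetTwoNACLAssociation:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      SubnetId: !Ref SubnetTwo
      NetworkAclId: !Ref PublicNACL

  # Create the lambda function used for the origin behind the ALB.
  # NOTE(review): the fixed FunctionName means only one copy of this stack can
  # exist per account/region; the Boto side of the workshop presumably looks the
  # function up by this name, so it is kept as-is.
  LambdaOrigin:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: builders-lambda-origin-one
      # Inline ZipFile code is written to index.py, hence the "index." prefix.
      Handler: index.lambda_handler
      Role: !GetAtt LambdaOriginRole.Arn
      # python2.7 is a retired Lambda runtime and new functions can no longer
      # be created with it, which makes the stack fail to deploy. The handler
      # below uses no 2.x-only constructs, so a current Python 3 runtime works.
      Runtime: python3.12
      Tags:
        - Key: workshop
          Value: acm-private-ca
      Code:
        ZipFile: |
          from __future__ import print_function

          # This is the lambda origin behind the application load balancer.
          # It returns a static HTML page in the ALB-target response format
          # (statusCode/statusDescription/isBase64Encoded/headers/body).
          def lambda_handler(event, context):
              response = {
                  "statusCode": 200,
                  "statusDescription": "200 OK",
                  "isBase64Encoded": False,
                  "headers": {
                      "Content-Type": "text/html; charset=utf-8"
                  }
              }
              response['body'] = """
          Hello World!

          Hello World!

          """
              return response

  # We will use admin privileges for now and make it least privilege as we learn.
  # NOTE(review): the fixed RoleName makes the role account-global, so a second
  # stack in any region of the same account will collide on it.
  LambdaOriginRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: acmcalblambdaoriginrole
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole

  # NOTE(review): Action "*" on Resource "*" gives the Lambda role full access to
  # the account. The handler above makes no AWS API calls, so outside the
  # workshop this can be reduced to the basic execution (CloudWatch Logs)
  # permissions — confirm nothing in the Boto steps relies on the wildcard.
  LambdaOriginPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: acm-alb-lambdaorigin-policy
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: "*"
            Resource: "*"
      Roles:
        - !Ref LambdaOriginRole

  # Only HTTPS from anywhere reaches the internet-facing ALB; no plain HTTP.
  ALBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: ALB Security Group
      VpcId: !Ref SystemVPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0

  # Creating a ALB in CF - Target group and listener will be created in Boto.
  # The VPC default security group is attached in addition to ALBSecurityGroup.
  ApplicationLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Scheme: internet-facing
      Name: acm-pca-usecase-6-alb
      SecurityGroups:
        - !Ref ALBSecurityGroup
        - !GetAtt SystemVPC.DefaultSecurityGroup
      Subnets:
        - !Ref Subnet
        - !Ref SubnetTwo
      Tags:
        - Key: workshop
          Value: acm-private-ca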