├── .gitignore ├── .metadata ├── .taskcat.yml ├── CODEOWNERS ├── LICENSE.txt ├── NOTICE.txt ├── README.md ├── cfn-module └── .rpdk-config ├── manifests └── app-manager │ └── app-manager-manifest.yaml └── templates └── aws-vpc.template.yaml /.gitignore: -------------------------------------------------------------------------------- 1 | # TaskCat 2 | taskcat_outputs/ 3 | .taskcat/ 4 | .taskcat_overrides.yml 5 | functions/packages/ 6 | *.zip 7 | 8 | # cfn module build 9 | cfn-module/*.zip 10 | cfn-module/*.json 11 | cfn-module/fragments/ 12 | cfn-module/rpdk.log 13 | 14 | # Docs 15 | docs/ 16 | index.html 17 | prod_example.html 18 | 19 | # macOS 20 | .DS_Store 21 | 22 | # IDE workspace settings 23 | .vscode/ 24 | .idea/ 25 | -------------------------------------------------------------------------------- /.metadata: -------------------------------------------------------------------------------- 1 | language_type: cloudformation 2 | -------------------------------------------------------------------------------- /.taskcat.yml: -------------------------------------------------------------------------------- 1 | project: 2 | name: quickstart-aws-vpc 3 | owner: quickstart@amazon.com 4 | package_lambda: false 5 | template: templates/aws-vpc.template.yaml 6 | regions: 7 | - af-south-1 8 | - ap-east-1 9 | - ap-northeast-1 10 | - ap-northeast-2 11 | - ap-northeast-3 12 | - ap-south-1 13 | - ap-southeast-1 14 | - ap-southeast-2 15 | - ap-southeast-3 16 | - ca-central-1 17 | - eu-central-1 18 | - eu-north-1 19 | - eu-south-1 20 | - eu-west-1 21 | - eu-west-2 22 | - eu-west-3 23 | - me-south-1 24 | - sa-east-1 25 | - us-east-1 26 | - us-east-2 27 | - us-west-1 28 | - us-west-2 29 | - us-gov-east-1 30 | - us-gov-west-1 31 | - cn-north-1 32 | - cn-northwest-1 33 | tests: 34 | vpc-complete-all-possible-regions: 35 | parameters: 36 | AvailabilityZones: $[taskcat_getaz_2] 37 | CreateAdditionalPrivateSubnets: 'true' 38 | CreatePrivateSubnets: 'true' 39 | NumberOfAZs: '2' 40 | 
vpc-defaults-all-possible-regions: 41 | parameters: 42 | AvailabilityZones: $[taskcat_getaz_2] 43 | CreateAdditionalPrivateSubnets: 'false' 44 | CreatePrivateSubnets: 'true' 45 | NumberOfAZs: '2' 46 | vpc-public-all-possible-regions: 47 | parameters: 48 | AvailabilityZones: $[taskcat_getaz_2] 49 | CreateAdditionalPrivateSubnets: 'false' 50 | CreateNATGateways: 'false' 51 | CreatePrivateSubnets: 'false' 52 | NumberOfAZs: '2' 53 | vpc-private-all-possible-regions: 54 | parameters: 55 | AvailabilityZones: $[taskcat_getaz_2] 56 | CreateAdditionalPrivateSubnets: 'false' 57 | CreatePublicSubnets: 'false' 58 | CreateNATGateways: 'false' 59 | NumberOfAZs: '2' 60 | 3az-complete-all-possible-regions: 61 | parameters: 62 | AvailabilityZones: $[taskcat_getaz_3] 63 | CreateAdditionalPrivateSubnets: 'true' 64 | CreatePrivateSubnets: 'true' 65 | NumberOfAZs: '3' 66 | regions: 67 | - af-south-1 68 | - ap-east-1 69 | - ap-northeast-1 70 | - ap-northeast-2 71 | - ap-northeast-3 72 | - ap-south-1 73 | - ap-southeast-1 74 | - ap-southeast-2 75 | - ap-southeast-3 76 | - ca-central-1 77 | - eu-central-1 78 | - eu-north-1 79 | - eu-south-1 80 | - eu-west-1 81 | - eu-west-2 82 | - eu-west-3 83 | - me-south-1 84 | - sa-east-1 85 | - us-east-1 86 | - us-east-2 87 | # https://aws.amazon.com/about-aws/global-infrastructure/regions_az/ 88 | # *New customers can access two Availability Zones in US West (Northern California). 
89 | # - us-west-1 90 | - us-west-2 91 | - us-gov-east-1 92 | - us-gov-west-1 93 | - cn-north-1 94 | - cn-northwest-1 95 | 4az-complete-all-possible-regions: 96 | parameters: 97 | AvailabilityZones: $[taskcat_getaz_4] 98 | CreateAdditionalPrivateSubnets: 'true' 99 | CreatePrivateSubnets: 'true' 100 | NumberOfAZs: '4' 101 | regions: 102 | # 20220816 - apne1-az3 is currently unavailable 103 | # - ap-northeast-1 104 | - ap-northeast-2 105 | - us-east-1 106 | - us-west-2 107 | 4az-public-all-possible-regions: 108 | parameters: 109 | AvailabilityZones: $[taskcat_getaz_4] 110 | CreateAdditionalPrivateSubnets: 'false' 111 | CreateNATGateways: 'false' 112 | CreatePrivateSubnets: 'false' 113 | NumberOfAZs: '4' 114 | regions: 115 | # 20220816 - apne1-az3 is currently unavailable 116 | # - ap-northeast-1 117 | - ap-northeast-2 118 | - us-east-1 119 | - us-west-2 120 | -------------------------------------------------------------------------------- /CODEOWNERS: -------------------------------------------------------------------------------- 1 | * @tlindsay42 @aws-quickstart/aws_quickstart_team 2 | -------------------------------------------------------------------------------- /LICENSE.txt: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. 
For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 
47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. 
Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "{}" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright {yyyy} {name of copyright owner} 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /NOTICE.txt: -------------------------------------------------------------------------------- 1 | Copyright 2016-2022 Amazon.com, Inc. or its affiliates. All Rights Reserved. 2 | 3 | Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at 4 | 5 | http://aws.amazon.com/apache2.0/ 6 | 7 | or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. 8 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # quickstart-aws-vpc 2 | ## Deprecation Notice 3 | 4 | :x: This repository is subject to deprecation in Q4 2024. 
For more details, [please review this announcement](https://github.com/aws-ia/.announcements/issues/1). 5 | 6 | ## This repository has been deprecated in favor of https://github.com/aws-ia/cfn-ps-aws-vpc. 7 | ***We will archive this repository and keep it publicly available until May 1, 2024.*** 8 | -------------------------------------------------------------------------------- /cfn-module/.rpdk-config: -------------------------------------------------------------------------------- 1 | { 2 | "artifact_type": "MODULE", 3 | "typeName": "AWSQS::VPC::VPCQS::MODULE", 4 | "settings": {} 5 | } 6 | -------------------------------------------------------------------------------- /manifests/app-manager/app-manager-manifest.yaml: -------------------------------------------------------------------------------- 1 | ssm_app_manager: 2 | should_upload: true 3 | documents_list: 4 | - document_name: AWSQuickStarts-AWS-VPC 5 | template_name: aws-vpc.template.yaml 6 | -------------------------------------------------------------------------------- /templates/aws-vpc.template.yaml: -------------------------------------------------------------------------------- 1 | AWSTemplateFormatVersion: 2010-09-09 2 | Description: >- 3 | This template creates a Multi-AZ, multisubnet VPC infrastructure with 4 | managed NAT gateways in the public subnet for each Availability Zone. You can 5 | also create additional private subnets with dedicated custom network access 6 | control lists (ACLs). If you deploy the Quick Start in an AWS Region that doesn't 7 | support NAT gateways, NAT instances are deployed instead. 8 | **WARNING** This template creates AWS resources. You will be billed for the 9 | AWS resources used if you create a stack from this template. 
(qs-1qnnspaap) 10 | Metadata: 11 | LICENSE: Apache License, Version 2.0 12 | QuickStartDocumentation: 13 | EntrypointName: Launch a new VPC 14 | AWS::CloudFormation::Interface: 15 | ParameterGroups: 16 | - Label: 17 | default: Availability Zone configuration 18 | Parameters: 19 | - AvailabilityZones 20 | - NumberOfAZs 21 | - Label: 22 | default: Network configuration 23 | Parameters: 24 | - VPCCIDR 25 | - CreatePublicSubnets 26 | - PublicSubnet1CIDR 27 | - PublicSubnet2CIDR 28 | - PublicSubnet3CIDR 29 | - PublicSubnet4CIDR 30 | - PublicSubnetTag1 31 | - PublicSubnetTag2 32 | - PublicSubnetTag3 33 | - CreatePrivateSubnets 34 | - CreateNATGateways 35 | - PrivateSubnet1ACIDR 36 | - PrivateSubnet2ACIDR 37 | - PrivateSubnet3ACIDR 38 | - PrivateSubnet4ACIDR 39 | - PrivateSubnetATag1 40 | - PrivateSubnetATag2 41 | - PrivateSubnetATag3 42 | - CreateAdditionalPrivateSubnets 43 | - PrivateSubnet1BCIDR 44 | - PrivateSubnet2BCIDR 45 | - PrivateSubnet3BCIDR 46 | - PrivateSubnet4BCIDR 47 | - PrivateSubnetBTag1 48 | - PrivateSubnetBTag2 49 | - PrivateSubnetBTag3 50 | - VPCTenancy 51 | - Label: 52 | default: VPC Flow Logs configuration 53 | Parameters: 54 | - CreateVPCFlowLogsToCloudWatch 55 | - VPCFlowLogsLogFormat 56 | - VPCFlowLogsLogGroupRetention 57 | - VPCFlowLogsMaxAggregationInterval 58 | - VPCFlowLogsTrafficType 59 | - VPCFlowLogsCloudWatchKMSKey 60 | ParameterLabels: 61 | AvailabilityZones: 62 | default: Availability Zones 63 | CreateAdditionalPrivateSubnets: 64 | default: Create additional private subnets 65 | CreateNATGateways: 66 | default: Create NAT gateways 67 | CreatePrivateSubnets: 68 | default: Create private subnets 69 | CreatePublicSubnets: 70 | default: Create public subnets 71 | CreateVPCFlowLogsToCloudWatch: 72 | default: Create VPC flow logs (CloudWatch) 73 | NumberOfAZs: 74 | default: Number of Availability Zones 75 | PrivateSubnet1ACIDR: 76 | default: Private subnet 1A CIDR 77 | PrivateSubnet1BCIDR: 78 | default: Private subnet 1B with dedicated network 
ACL CIDR 79 | PrivateSubnet2ACIDR: 80 | default: Private subnet 2A CIDR 81 | PrivateSubnet2BCIDR: 82 | default: Private subnet 2B with dedicated network ACL CIDR 83 | PrivateSubnet3ACIDR: 84 | default: Private subnet 3A CIDR 85 | PrivateSubnet3BCIDR: 86 | default: Private subnet 3B with dedicated network ACL CIDR 87 | PrivateSubnet4ACIDR: 88 | default: Private subnet 4A CIDR 89 | PrivateSubnet4BCIDR: 90 | default: Private subnet 4B with dedicated network ACL CIDR 91 | PrivateSubnetATag1: 92 | default: Tag pair 1 for private A subnets 93 | PrivateSubnetATag2: 94 | default: Tag pair 2 for private A subnets 95 | PrivateSubnetATag3: 96 | default: Tag pair 3 for private A subnets 97 | PrivateSubnetBTag1: 98 | default: Tag pair 1 for private B subnets 99 | PrivateSubnetBTag2: 100 | default: Tag pair 2 for private B subnets 101 | PrivateSubnetBTag3: 102 | default: Tag pair 3 for private B subnets 103 | PublicSubnet1CIDR: 104 | default: Public subnet 1 CIDR 105 | PublicSubnet2CIDR: 106 | default: Public subnet 2 CIDR 107 | PublicSubnet3CIDR: 108 | default: Public subnet 3 CIDR 109 | PublicSubnet4CIDR: 110 | default: Public subnet 4 CIDR 111 | PublicSubnetTag1: 112 | default: Tag pair 1 for public subnets 113 | PublicSubnetTag2: 114 | default: Tag pair 2 for public subnets 115 | PublicSubnetTag3: 116 | default: Tag pair 3 for public subnets 117 | VPCCIDR: 118 | default: VPC CIDR 119 | VPCFlowLogsCloudWatchKMSKey: 120 | default: CloudWatch Logs KMS key for VPC flow logs 121 | VPCFlowLogsLogFormat: 122 | default: VPC flow logs - log format 123 | VPCFlowLogsLogGroupRetention: 124 | default: VPC flow logs - log group retention 125 | VPCFlowLogsMaxAggregationInterval: 126 | default: VPC flow logs - max aggregation interval 127 | VPCFlowLogsTrafficType: 128 | default: VPC flow logs - traffic type 129 | VPCTenancy: 130 | default: VPC tenancy 131 | Parameters: 132 | AvailabilityZones: 133 | Type: List 134 | Description: >- 135 | Availability Zones to use for the subnets in the VPC. 
The 136 | specified logical order is preserved. 137 | CreateAdditionalPrivateSubnets: 138 | Type: String 139 | Description: >- 140 | Choose true to create additional private subnets with dedicated network ACLs in each Availability 141 | Zone. If false, the CIDR parameters for those subnets will be ignored. If 142 | true, the CreatePrivateSubnets parameter must also be 143 | true to have any effect. 144 | AllowedValues: 145 | - 'true' 146 | - 'false' 147 | Default: 'false' 148 | CreateNATGateways: 149 | Type: String 150 | Description: >- 151 | Choose false when creating only private subnets. If true, both 152 | CreatePublicSubnets and CreatePrivateSubnets must also be true. 153 | AllowedValues: 154 | - 'true' 155 | - 'false' 156 | Default: 'true' 157 | CreatePublicSubnets: 158 | Type: String 159 | Description: >- 160 | Choose false to create only private subnets. If false, 161 | CreatePrivateSubnets must be true, and the CIDR parameters for all public 162 | subnets will be ignored. 163 | AllowedValues: 164 | - 'true' 165 | - 'false' 166 | Default: 'true' 167 | CreatePrivateSubnets: 168 | Type: String 169 | Description: >- 170 | Choose false to create only public subnets. If false, the CIDR parameters 171 | for all private subnets will be ignored. 172 | AllowedValues: 173 | - 'true' 174 | - 'false' 175 | Default: 'true' 176 | CreateVPCFlowLogsToCloudWatch: 177 | Type: String 178 | Description: >- 179 | Choose true to create VPC flow logs for the VPC and publish them to 180 | CloudWatch. If false, VPC flow logs will not be created. 181 | AllowedValues: 182 | - 'true' 183 | - 'false' 184 | Default: 'false' 185 | NumberOfAZs: 186 | Type: String 187 | Description: >- 188 | Number of Availability Zones to use in the VPC. This must match your 189 | selections in the AvailabilityZones parameter. 
190 | AllowedValues: 191 | - '2' 192 | - '3' 193 | - '4' 194 | Default: '2' 195 | PrivateSubnet1ACIDR: 196 | Type: String 197 | Description: >- 198 | CIDR block for private subnet 1A located in Availability Zone 1. 199 | AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ 200 | ConstraintDescription: >- 201 | CIDR block parameter must be in the form x.x.x.x/16-28. 202 | Default: 10.0.0.0/19 203 | PrivateSubnet1BCIDR: 204 | Type: String 205 | Description: >- 206 | CIDR block for private subnet 1B with dedicated network ACL located in 207 | Availability Zone 1. 208 | AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ 209 | ConstraintDescription: >- 210 | CIDR block parameter must be in the form x.x.x.x/16-28. 211 | Default: 10.0.192.0/21 212 | PrivateSubnet2ACIDR: 213 | Type: String 214 | Description: >- 215 | CIDR block for private subnet 2A located in Availability Zone 2. 216 | AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ 217 | ConstraintDescription: >- 218 | CIDR block parameter must be in the form x.x.x.x/16-28. 219 | Default: 10.0.32.0/19 220 | PrivateSubnet2BCIDR: 221 | Type: String 222 | Description: >- 223 | CIDR block for private subnet 2B with dedicated network ACL located in 224 | Availability Zone 2. 225 | AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ 226 | ConstraintDescription: >- 227 | CIDR block parameter must be in the form x.x.x.x/16-28. 228 | Default: 10.0.200.0/21 229 | PrivateSubnet3ACIDR: 230 | Type: String 231 | Description: >- 232 | CIDR block for private subnet 3A located in Availability Zone 3. 
233 | AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ 234 | ConstraintDescription: >- 235 | CIDR block parameter must be in the form x.x.x.x/16-28. 236 | Default: 10.0.64.0/19 237 | PrivateSubnet3BCIDR: 238 | Type: String 239 | Description: >- 240 | CIDR block for private subnet 3B with dedicated network ACL located 241 | in Availability Zone 3. 242 | AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ 243 | ConstraintDescription: >- 244 | CIDR block parameter must be in the form x.x.x.x/16-28. 245 | Default: 10.0.208.0/21 246 | PrivateSubnet4ACIDR: 247 | Type: String 248 | Description: >- 249 | CIDR block for private subnet 4A located in Availability Zone 4. 250 | AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ 251 | ConstraintDescription: >- 252 | CIDR block parameter must be in the form x.x.x.x/16-28. 253 | Default: 10.0.96.0/19 254 | PrivateSubnet4BCIDR: 255 | Type: String 256 | Description: >- 257 | CIDR block for private subnet 4B with dedicated network ACL located in 258 | Availability Zone 4. 259 | AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ 260 | ConstraintDescription: >- 261 | CIDR block parameter must be in the form x.x.x.x/16-28. 262 | Default: 10.0.216.0/21 263 | PrivateSubnetATag1: 264 | Type: String 265 | Description: >- 266 | (Optional) Tag to add to private subnets A, in format 'key=value'. 267 | AllowedPattern: ^([a-zA-Z0-9+\-._:/@]+=[a-zA-Z0-9+\-.,_:/@ *\\"'\[\]\{\}]*)?$ 268 | ConstraintDescription: >- 269 | Tags must be in format 'key=value'. Keys can contain only 270 | [a-zA-Z0-9+\-._:/@]. Values can contain 271 | [a-zA-Z0-9+\-._:/@ *\\"'\[\]\{\}]. 
272 | Default: Network=Private 273 | PrivateSubnetATag2: 274 | Type: String 275 | Description: >- 276 | (Optional) Tag to add to private subnets A, in format 'key=value'. 277 | AllowedPattern: ^([a-zA-Z0-9+\-._:/@]+=[a-zA-Z0-9+\-.,_:/@ *\\"'\[\]\{\}]*)?$ 278 | ConstraintDescription: >- 279 | Tags must be in format 'key=value'. Keys can contain only 280 | [a-zA-Z0-9+\-._:/@]. Values can contain 281 | [a-zA-Z0-9+\-._:/@ *\\"'\[\]\{\}]. 282 | Default: '' 283 | PrivateSubnetATag3: 284 | Type: String 285 | Description: >- 286 | (Optional) Tag to add to private subnets A, in format 'key=value'. 287 | AllowedPattern: ^([a-zA-Z0-9+\-._:/@]+=[a-zA-Z0-9+\-.,_:/@ *\\"'\[\]\{\}]*)?$ 288 | ConstraintDescription: >- 289 | Tags must be in format 'key=value'. Keys can contain only 290 | [a-zA-Z0-9+\-._:/@]. Values can contain 291 | [a-zA-Z0-9+\-._:/@ *\\"'\[\]\{\}]. 292 | Default: '' 293 | PrivateSubnetBTag1: 294 | Type: String 295 | Description: >- 296 | (Optional) Tag to add to private subnets B, in format 'key=value'. 297 | AllowedPattern: ^([a-zA-Z0-9+\-._:/@]+=[a-zA-Z0-9+\-.,_:/@ *\\"'\[\]\{\}]*)?$ 298 | ConstraintDescription: >- 299 | Tags must be in format 'key=value'. Keys can contain only 300 | [a-zA-Z0-9+\-._:/@]. Values can contain 301 | [a-zA-Z0-9+\-._:/@ *\\"'\[\]\{\}]. 302 | Default: Network=Private 303 | PrivateSubnetBTag2: 304 | Type: String 305 | Description: >- 306 | (Optional) Tag to add to private subnets B, in format 'key=value'. 307 | AllowedPattern: ^([a-zA-Z0-9+\-._:/@]+=[a-zA-Z0-9+\-.,_:/@ *\\"'\[\]\{\}]*)?$ 308 | ConstraintDescription: >- 309 | Tags must be in format 'key=value'. Keys can contain only 310 | [a-zA-Z0-9+\-._:/@]. Values can contain 311 | [a-zA-Z0-9+\-._:/@ *\\"'\[\]\{\}]. 312 | Default: '' 313 | PrivateSubnetBTag3: 314 | Type: String 315 | Description: >- 316 | (Optional) Tag to add to private subnets B, in format 'key=value'. 
317 | AllowedPattern: ^([a-zA-Z0-9+\-._:/@]+=[a-zA-Z0-9+\-.,_:/@ *\\"'\[\]\{\}]*)?$ 318 | ConstraintDescription: >- 319 | Tags must be in format 'key=value'. Keys can contain only 320 | [a-zA-Z0-9+\-._:/@]. Values can contain 321 | [a-zA-Z0-9+\-._:/@ *\\"'\[\]\{\}]. 322 | Default: '' 323 | PublicSubnet1CIDR: 324 | Type: String 325 | Description: >- 326 | CIDR block for the public DMZ subnet 1 located in Availability Zone 1. 327 | AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ 328 | ConstraintDescription: >- 329 | CIDR block parameter must be in the form x.x.x.x/16-28. 330 | Default: 10.0.128.0/20 331 | PublicSubnet2CIDR: 332 | Type: String 333 | Description: >- 334 | CIDR block for the public DMZ subnet 2 located in Availability Zone 2. 335 | AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ 336 | ConstraintDescription: >- 337 | CIDR block parameter must be in the form x.x.x.x/16-28. 338 | Default: 10.0.144.0/20 339 | PublicSubnet3CIDR: 340 | Type: String 341 | Description: >- 342 | CIDR block for the public DMZ subnet 3 located in Availability Zone 3. 343 | AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ 344 | ConstraintDescription: >- 345 | CIDR block parameter must be in the form x.x.x.x/16-28. 346 | Default: 10.0.160.0/20 347 | PublicSubnet4CIDR: 348 | Type: String 349 | Description: >- 350 | CIDR block for the public DMZ subnet 4 located in Availability Zone 4. 351 | AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ 352 | ConstraintDescription: >- 353 | CIDR block parameter must be in the form x.x.x.x/16-28. 
354 | Default: 10.0.176.0/20 355 | PublicSubnetTag1: 356 | Type: String 357 | Description: >- 358 | (Optional) Tag to add to public subnets, in format 'key=value'. 359 | AllowedPattern: ^([a-zA-Z0-9+\-._:/@]+=[a-zA-Z0-9+\-.,_:/@ *\\"'\[\]\{\}]*)?$ 360 | ConstraintDescription: >- 361 | Tags must be in format 'key=value'. Keys can contain only 362 | [a-zA-Z0-9+\-._:/@]. Values can contain 363 | [a-zA-Z0-9+\-._:/@ *\\"'\[\]\{\}]. 364 | Default: Network=Public 365 | PublicSubnetTag2: 366 | Type: String 367 | Description: >- 368 | (Optional) Tag to add to public subnets, in format 'key=value'. 369 | AllowedPattern: ^([a-zA-Z0-9+\-._:/@]+=[a-zA-Z0-9+\-.,_:/@ *\\"'\[\]\{\}]*)?$ 370 | ConstraintDescription: >- 371 | Tags must be in format 'key=value'. Keys can contain only 372 | [a-zA-Z0-9+\-._:/@]. Values can contain 373 | [a-zA-Z0-9+\-._:/@ *\\"'\[\]\{\}]. 374 | Default: '' 375 | PublicSubnetTag3: 376 | Type: String 377 | Description: >- 378 | (Optional) Tag to add to public subnets, in format 'key=value'. 379 | AllowedPattern: ^([a-zA-Z0-9+\-._:/@]+=[a-zA-Z0-9+\-.,_:/@ *\\"'\[\]\{\}]*)?$ 380 | ConstraintDescription: >- 381 | Tags must be in format 'key=value'. Keys can contain only 382 | [a-zA-Z0-9+\-._:/@]. Values can contain 383 | [a-zA-Z0-9+\-._:/@ *\\"'\[\]\{\}]. 384 | Default: '' 385 | VPCCIDR: 386 | Type: String 387 | Description: CIDR block for the VPC. 388 | AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ 389 | ConstraintDescription: >- 390 | CIDR block parameter must be in the form x.x.x.x/16-28. 391 | Default: 10.0.0.0/16 392 | VPCFlowLogsCloudWatchKMSKey: 393 | Type: String 394 | Description: >- 395 | (Optional) KMS key ARN to use for encrypting the VPC flow logs data. If 396 | empty, encryption is enabled with CloudWatch Logs managing the 397 | server-side encryption keys. 
# NOTE(review): the pattern below accepts key ARNs in the aws and aws-cn partitions only;
# a GovCloud (aws-us-gov) key ARN fails validation on purpose — see ConstraintDescription.
    AllowedPattern: ^$|^arn:aws(-cn)?:kms:[a-z0-9-]+:\d{12}:key\/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$
    ConstraintDescription: >-
      Invalid KMS ARN or attempting to use in GovCloud. The AWS::Logs::LogGroup
      CloudFormation resource does not yet support the KmsKeyId property in
      GovCloud. Key ARN example:
      'arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'.
    # Empty string = no customer-managed key; per the Description, CloudWatch Logs then manages the keys.
    Default: ''
  VPCFlowLogsLogFormat:
    Type: String
    Description: >-
      The fields to include in the flow log record, in the order in which they
      should appear. Specify the fields using the ${field-id} format, separated
      by spaces. The default format is used as the default value.
    # One or more ${field-id} tokens separated by single spaces, with no leading or trailing space.
    AllowedPattern: ^(\$\{[a-z-]+\})$|^((\$\{[a-z-]+\} )*\$\{[a-z-]+\})$
    # Folded scalar (>-): the two lines are joined with one space, so ${log-status} is the last field.
    Default: >-
      ${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${start} ${end} ${action}
      ${log-status}
  VPCFlowLogsLogGroupRetention:
    Type: String
    Description: Number of days to retain the VPC flow logs in CloudWatch.
    # Days; must be one of the listed values.
    AllowedValues: [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653]
    Default: 14
  VPCFlowLogsMaxAggregationInterval:
    Type: String
    Description: >-
      The maximum interval of time during which a flow of packets is captured
      and aggregated into a flow log record. You can specify 60 seconds (1
      minute) or 600 seconds (10 minutes).
    # Seconds.
    AllowedValues:
      - 60
      - 600
    Default: 600
  VPCFlowLogsTrafficType:
    Type: String
    Description: >-
      The type of traffic to log. You can log traffic that the resource accepts
      or rejects, or all traffic.
    AllowedValues:
      - ACCEPT
      - ALL
      - REJECT
    # With the default only rejected flows are recorded; accepted traffic is not
    # logged unless ALL (or ACCEPT) is chosen, which matters for investigations
    # that need to see what was allowed, not only what was blocked.
    Default: REJECT
  VPCTenancy:
    Type: String
    Description: The allowed tenancy of instances launched into the VPC.
443 | AllowedValues: 444 | - default 445 | - dedicated 446 | Default: default 447 | Rules: 448 | NAT: 449 | RuleCondition: !Equals [!Ref CreateNATGateways, 'true'] 450 | Assertions: 451 | - Assert: !And 452 | - !Equals [!Ref CreatePrivateSubnets, 'true'] 453 | - !Equals [!Ref CreatePublicSubnets, 'true'] 454 | AssertDescription: >- 455 | To enable NAT gateways, both CreatePrivateSubnets and 456 | CreatePublicSubnets must be set to 'true'. 457 | Subnets: 458 | Assertions: 459 | - Assert: !Or 460 | - !Equals [!Ref CreatePrivateSubnets, 'true'] 461 | - !Equals [!Ref CreatePublicSubnets, 'true'] 462 | AssertDescription: >- 463 | At least one of CreatePublicSubnets or CreatePrivateSubnets must be 464 | set to 'true'. 465 | Conditions: 466 | 3AZCondition: !Or 467 | - !Equals [!Ref NumberOfAZs, '3'] 468 | - !Condition 4AZCondition 469 | 4AZCondition: !Equals [!Ref NumberOfAZs, '4'] 470 | AdditionalPrivateSubnetsCondition: !And 471 | - !Equals [!Ref CreatePrivateSubnets, 'true'] 472 | - !Equals [!Ref CreateAdditionalPrivateSubnets, 'true'] 473 | AdditionalPrivateSubnets&3AZCondition: !And 474 | - !Condition AdditionalPrivateSubnetsCondition 475 | - !Condition 3AZCondition 476 | AdditionalPrivateSubnets&4AZCondition: !And 477 | - !Condition AdditionalPrivateSubnetsCondition 478 | - !Condition 4AZCondition 479 | AdditionalPrivateSubnets&PublicSubnets&NatGatewaysCondition: !And 480 | - !Condition AdditionalPrivateSubnetsCondition 481 | - !Condition PublicSubnetsCondition 482 | - !Condition NATGatewaysCondition 483 | AdditionalPrivateSubnets&PublicSubnets&NatGateways&3AZCondition: !And 484 | - !Condition AdditionalPrivateSubnets&3AZCondition 485 | - !Condition PublicSubnetsCondition 486 | - !Condition NATGatewaysCondition 487 | AdditionalPrivateSubnets&PublicSubnets&NatGateways&4AZCondition: !And 488 | - !Condition AdditionalPrivateSubnets&4AZCondition 489 | - !Condition PublicSubnetsCondition 490 | - !Condition NATGatewaysCondition 491 | NATGatewaysCondition: !Equals [!Ref 
CreateNATGateways, 'true'] 492 | NATGateways&PublicSubnets&PrivateSubnetsCondition: !And 493 | - !Condition NATGatewaysCondition 494 | - !Condition PublicSubnetsCondition 495 | - !Condition PrivateSubnetsCondition 496 | NATGateways&PublicSubnets&PrivateSubnets&3AZCondition: !And 497 | - !Condition NATGatewaysCondition 498 | - !Condition PublicSubnetsCondition 499 | - !Condition PrivateSubnetsCondition 500 | - !Condition 3AZCondition 501 | NATGateways&PublicSubnets&PrivateSubnets&4AZCondition: !And 502 | - !Condition NATGatewaysCondition 503 | - !Condition PublicSubnetsCondition 504 | - !Condition PrivateSubnetsCondition 505 | - !Condition 4AZCondition 506 | NVirginiaRegionCondition: !Equals [!Ref AWS::Region, us-east-1] 507 | PrivateSubnetsCondition: !Equals [!Ref CreatePrivateSubnets, 'true'] 508 | PrivateSubnets&3AZCondition: !And 509 | - !Condition PrivateSubnetsCondition 510 | - !Condition 3AZCondition 511 | PrivateSubnets&4AZCondition: !And 512 | - !Condition PrivateSubnetsCondition 513 | - !Condition 4AZCondition 514 | PublicSubnetsCondition: !Equals [!Ref CreatePublicSubnets, 'true'] 515 | PublicSubnets&3AZCondition: !And 516 | - !Condition PublicSubnetsCondition 517 | - !Condition 3AZCondition 518 | PublicSubnets&4AZCondition: !And 519 | - !Condition PublicSubnetsCondition 520 | - !Condition 4AZCondition 521 | PrivateSubnetATag1Condition: !Not [!Equals [!Ref PrivateSubnetATag1, '']] 522 | PrivateSubnetATag2Condition: !Not [!Equals [!Ref PrivateSubnetATag2, '']] 523 | PrivateSubnetATag3Condition: !Not [!Equals [!Ref PrivateSubnetATag3, '']] 524 | PrivateSubnetBTag1Condition: !Not [!Equals [!Ref PrivateSubnetBTag1, '']] 525 | PrivateSubnetBTag2Condition: !Not [!Equals [!Ref PrivateSubnetBTag2, '']] 526 | PrivateSubnetBTag3Condition: !Not [!Equals [!Ref PrivateSubnetBTag3, '']] 527 | PublicSubnetTag1Condition: !Not [!Equals [!Ref PublicSubnetTag1, '']] 528 | PublicSubnetTag2Condition: !Not [!Equals [!Ref PublicSubnetTag2, '']] 529 | PublicSubnetTag3Condition: 
!Not [!Equals [!Ref PublicSubnetTag3, '']] 530 | VPCFlowLogsCloudWatchKMSKeyCondition: !Not [!Equals [!Ref VPCFlowLogsCloudWatchKMSKey, '']] 531 | VPCFlowLogsToCloudWatchCondition: !Equals [!Ref CreateVPCFlowLogsToCloudWatch, 'true'] 532 | Resources: 533 | DHCPOptions: 534 | Type: AWS::EC2::DHCPOptions 535 | Properties: 536 | DomainName: !If [NVirginiaRegionCondition, ec2.internal, !Sub '${AWS::Region}.compute.internal'] 537 | DomainNameServers: 538 | - AmazonProvidedDNS 539 | Tags: 540 | - Key: Name 541 | Value: !Sub ${AWS::StackName} stack DHCPOptions 542 | - Key: StackName 543 | Value: !Ref AWS::StackName 544 | VPC: 545 | Type: AWS::EC2::VPC 546 | Properties: 547 | CidrBlock: !Ref VPCCIDR 548 | InstanceTenancy: !Ref VPCTenancy 549 | EnableDnsSupport: true 550 | EnableDnsHostnames: true 551 | Tags: 552 | - Key: Name 553 | Value: !Ref AWS::StackName 554 | VPCDHCPOptionsAssociation: 555 | Type: AWS::EC2::VPCDHCPOptionsAssociation 556 | Properties: 557 | VpcId: !Ref VPC 558 | DhcpOptionsId: !Ref DHCPOptions 559 | InternetGateway: 560 | Condition: PublicSubnetsCondition 561 | Type: AWS::EC2::InternetGateway 562 | Properties: 563 | Tags: 564 | - Key: Name 565 | Value: !Ref AWS::StackName 566 | VPCGatewayAttachment: 567 | Condition: PublicSubnetsCondition 568 | Type: AWS::EC2::VPCGatewayAttachment 569 | Properties: 570 | VpcId: !Ref VPC 571 | InternetGatewayId: !Ref InternetGateway 572 | PrivateSubnet1A: 573 | Condition: PrivateSubnetsCondition 574 | Type: AWS::EC2::Subnet 575 | Properties: 576 | VpcId: !Ref VPC 577 | CidrBlock: !Ref PrivateSubnet1ACIDR 578 | AvailabilityZone: !Select [0, !Ref AvailabilityZones] 579 | Tags: 580 | - Key: Name 581 | Value: Private subnet 1A 582 | - !If 583 | - PrivateSubnetATag1Condition 584 | - Key: !Select [0, !Split ['=', !Ref PrivateSubnetATag1]] 585 | Value: !Select [1, !Split ['=', !Ref PrivateSubnetATag1]] 586 | - !Ref AWS::NoValue 587 | - !If 588 | - PrivateSubnetATag2Condition 589 | - Key: !Select [0, !Split ['=', !Ref 
PrivateSubnetATag2]] 590 | Value: !Select [1, !Split ['=', !Ref PrivateSubnetATag2]] 591 | - !Ref AWS::NoValue 592 | - !If 593 | - PrivateSubnetATag3Condition 594 | - Key: !Select [0, !Split ['=', !Ref PrivateSubnetATag3]] 595 | Value: !Select [1, !Split ['=', !Ref PrivateSubnetATag3]] 596 | - !Ref AWS::NoValue 597 | PrivateSubnet1B: 598 | Condition: AdditionalPrivateSubnetsCondition 599 | Type: AWS::EC2::Subnet 600 | Properties: 601 | VpcId: !Ref VPC 602 | CidrBlock: !Ref PrivateSubnet1BCIDR 603 | AvailabilityZone: !Select [0, !Ref AvailabilityZones] 604 | Tags: 605 | - Key: Name 606 | Value: Private subnet 1B 607 | - !If 608 | - PrivateSubnetBTag1Condition 609 | - Key: !Select [0, !Split ['=', !Ref PrivateSubnetBTag1]] 610 | Value: !Select [1, !Split ['=', !Ref PrivateSubnetBTag1]] 611 | - !Ref AWS::NoValue 612 | - !If 613 | - PrivateSubnetBTag2Condition 614 | - Key: !Select [0, !Split ['=', !Ref PrivateSubnetBTag2]] 615 | Value: !Select [1, !Split ['=', !Ref PrivateSubnetBTag2]] 616 | - !Ref AWS::NoValue 617 | - !If 618 | - PrivateSubnetBTag3Condition 619 | - Key: !Select [0, !Split ['=', !Ref PrivateSubnetBTag3]] 620 | Value: !Select [1, !Split ['=', !Ref PrivateSubnetBTag3]] 621 | - !Ref AWS::NoValue 622 | PrivateSubnet2A: 623 | Condition: PrivateSubnetsCondition 624 | Type: AWS::EC2::Subnet 625 | Properties: 626 | VpcId: !Ref VPC 627 | CidrBlock: !Ref PrivateSubnet2ACIDR 628 | AvailabilityZone: !Select [1, !Ref AvailabilityZones] 629 | Tags: 630 | - Key: Name 631 | Value: Private subnet 2A 632 | - !If 633 | - PrivateSubnetATag1Condition 634 | - Key: !Select [0, !Split ['=', !Ref PrivateSubnetATag1]] 635 | Value: !Select [1, !Split ['=', !Ref PrivateSubnetATag1]] 636 | - !Ref AWS::NoValue 637 | - !If 638 | - PrivateSubnetATag2Condition 639 | - Key: !Select [0, !Split ['=', !Ref PrivateSubnetATag2]] 640 | Value: !Select [1, !Split ['=', !Ref PrivateSubnetATag2]] 641 | - !Ref AWS::NoValue 642 | - !If 643 | - PrivateSubnetATag3Condition 644 | - Key: !Select [0, 
!Split ['=', !Ref PrivateSubnetATag3]] 645 | Value: !Select [1, !Split ['=', !Ref PrivateSubnetATag3]] 646 | - !Ref AWS::NoValue 647 | PrivateSubnet2B: 648 | Condition: AdditionalPrivateSubnetsCondition 649 | Type: AWS::EC2::Subnet 650 | Properties: 651 | VpcId: !Ref VPC 652 | CidrBlock: !Ref PrivateSubnet2BCIDR 653 | AvailabilityZone: !Select [1, !Ref AvailabilityZones] 654 | Tags: 655 | - Key: Name 656 | Value: Private subnet 2B 657 | - !If 658 | - PrivateSubnetBTag1Condition 659 | - Key: !Select [0, !Split ['=', !Ref PrivateSubnetBTag1]] 660 | Value: !Select [1, !Split ['=', !Ref PrivateSubnetBTag1]] 661 | - !Ref AWS::NoValue 662 | - !If 663 | - PrivateSubnetBTag2Condition 664 | - Key: !Select [0, !Split ['=', !Ref PrivateSubnetBTag2]] 665 | Value: !Select [1, !Split ['=', !Ref PrivateSubnetBTag2]] 666 | - !Ref AWS::NoValue 667 | - !If 668 | - PrivateSubnetBTag3Condition 669 | - Key: !Select [0, !Split ['=', !Ref PrivateSubnetBTag3]] 670 | Value: !Select [1, !Split ['=', !Ref PrivateSubnetBTag3]] 671 | - !Ref AWS::NoValue 672 | PrivateSubnet3A: 673 | Condition: PrivateSubnets&3AZCondition 674 | Type: AWS::EC2::Subnet 675 | Properties: 676 | VpcId: !Ref VPC 677 | CidrBlock: !Ref PrivateSubnet3ACIDR 678 | AvailabilityZone: !Select [2, !Ref AvailabilityZones] 679 | Tags: 680 | - Key: Name 681 | Value: Private subnet 3A 682 | - !If 683 | - PrivateSubnetATag1Condition 684 | - Key: !Select [0, !Split ['=', !Ref PrivateSubnetATag1]] 685 | Value: !Select [1, !Split ['=', !Ref PrivateSubnetATag1]] 686 | - !Ref AWS::NoValue 687 | - !If 688 | - PrivateSubnetATag2Condition 689 | - Key: !Select [0, !Split ['=', !Ref PrivateSubnetATag2]] 690 | Value: !Select [1, !Split ['=', !Ref PrivateSubnetATag2]] 691 | - !Ref AWS::NoValue 692 | - !If 693 | - PrivateSubnetATag3Condition 694 | - Key: !Select [0, !Split ['=', !Ref PrivateSubnetATag3]] 695 | Value: !Select [1, !Split ['=', !Ref PrivateSubnetATag3]] 696 | - !Ref AWS::NoValue 697 | PrivateSubnet3B: 698 | Condition: 
AdditionalPrivateSubnets&3AZCondition 699 | Type: AWS::EC2::Subnet 700 | Properties: 701 | VpcId: !Ref VPC 702 | CidrBlock: !Ref PrivateSubnet3BCIDR 703 | AvailabilityZone: !Select [2, !Ref AvailabilityZones] 704 | Tags: 705 | - Key: Name 706 | Value: Private subnet 3B 707 | - !If 708 | - PrivateSubnetBTag1Condition 709 | - Key: !Select [0, !Split ['=', !Ref PrivateSubnetBTag1]] 710 | Value: !Select [1, !Split ['=', !Ref PrivateSubnetBTag1]] 711 | - !Ref AWS::NoValue 712 | - !If 713 | - PrivateSubnetBTag2Condition 714 | - Key: !Select [0, !Split ['=', !Ref PrivateSubnetBTag2]] 715 | Value: !Select [1, !Split ['=', !Ref PrivateSubnetBTag2]] 716 | - !Ref AWS::NoValue 717 | - !If 718 | - PrivateSubnetBTag3Condition 719 | - Key: !Select [0, !Split ['=', !Ref PrivateSubnetBTag3]] 720 | Value: !Select [1, !Split ['=', !Ref PrivateSubnetBTag3]] 721 | - !Ref AWS::NoValue 722 | PrivateSubnet4A: 723 | Condition: PrivateSubnets&4AZCondition 724 | Type: AWS::EC2::Subnet 725 | Properties: 726 | VpcId: !Ref VPC 727 | CidrBlock: !Ref PrivateSubnet4ACIDR 728 | AvailabilityZone: !Select [3, !Ref AvailabilityZones] 729 | Tags: 730 | - Key: Name 731 | Value: Private subnet 4A 732 | - !If 733 | - PrivateSubnetATag1Condition 734 | - Key: !Select [0, !Split ['=', !Ref PrivateSubnetATag1]] 735 | Value: !Select [1, !Split ['=', !Ref PrivateSubnetATag1]] 736 | - !Ref AWS::NoValue 737 | - !If 738 | - PrivateSubnetATag2Condition 739 | - Key: !Select [0, !Split ['=', !Ref PrivateSubnetATag2]] 740 | Value: !Select [1, !Split ['=', !Ref PrivateSubnetATag2]] 741 | - !Ref AWS::NoValue 742 | - !If 743 | - PrivateSubnetATag3Condition 744 | - Key: !Select [0, !Split ['=', !Ref PrivateSubnetATag3]] 745 | Value: !Select [1, !Split ['=', !Ref PrivateSubnetATag3]] 746 | - !Ref AWS::NoValue 747 | PrivateSubnet4B: 748 | Condition: AdditionalPrivateSubnets&4AZCondition 749 | Type: AWS::EC2::Subnet 750 | Properties: 751 | VpcId: !Ref VPC 752 | CidrBlock: !Ref PrivateSubnet4BCIDR 753 | AvailabilityZone: 
!Select [3, !Ref AvailabilityZones] 754 | Tags: 755 | - Key: Name 756 | Value: Private subnet 4B 757 | - !If 758 | - PrivateSubnetBTag1Condition 759 | - Key: !Select [0, !Split ['=', !Ref PrivateSubnetBTag1]] 760 | Value: !Select [1, !Split ['=', !Ref PrivateSubnetBTag1]] 761 | - !Ref AWS::NoValue 762 | - !If 763 | - PrivateSubnetBTag2Condition 764 | - Key: !Select [0, !Split ['=', !Ref PrivateSubnetBTag2]] 765 | Value: !Select [1, !Split ['=', !Ref PrivateSubnetBTag2]] 766 | - !Ref AWS::NoValue 767 | - !If 768 | - PrivateSubnetBTag3Condition 769 | - Key: !Select [0, !Split ['=', !Ref PrivateSubnetBTag3]] 770 | Value: !Select [1, !Split ['=', !Ref PrivateSubnetBTag3]] 771 | - !Ref AWS::NoValue 772 | PublicSubnet1: 773 | Condition: PublicSubnetsCondition 774 | Type: AWS::EC2::Subnet 775 | Metadata: 776 | cfn_nag: 777 | rules_to_suppress: 778 | - id: W33 779 | reason: >- 780 | (W33) EC2 Subnet should not have MapPublicIpOnLaunch set to true. 781 | Properties: 782 | VpcId: !Ref VPC 783 | CidrBlock: !Ref PublicSubnet1CIDR 784 | AvailabilityZone: !Select [0, !Ref AvailabilityZones] 785 | Tags: 786 | - Key: Name 787 | Value: Public subnet 1 788 | - !If 789 | - PublicSubnetTag1Condition 790 | - Key: !Select [0, !Split ['=', !Ref PublicSubnetTag1]] 791 | Value: !Select [1, !Split ['=', !Ref PublicSubnetTag1]] 792 | - !Ref AWS::NoValue 793 | - !If 794 | - PublicSubnetTag2Condition 795 | - Key: !Select [0, !Split ['=', !Ref PublicSubnetTag2]] 796 | Value: !Select [1, !Split ['=', !Ref PublicSubnetTag2]] 797 | - !Ref AWS::NoValue 798 | - !If 799 | - PublicSubnetTag3Condition 800 | - Key: !Select [0, !Split ['=', !Ref PublicSubnetTag3]] 801 | Value: !Select [1, !Split ['=', !Ref PublicSubnetTag3]] 802 | - !Ref AWS::NoValue 803 | MapPublicIpOnLaunch: true 804 | PublicSubnet2: 805 | Condition: PublicSubnetsCondition 806 | Type: AWS::EC2::Subnet 807 | Metadata: 808 | cfn_nag: 809 | rules_to_suppress: 810 | - id: W33 811 | reason: >- 812 | (W33) EC2 Subnet should not have 
MapPublicIpOnLaunch set to true. 813 | Properties: 814 | VpcId: !Ref VPC 815 | CidrBlock: !Ref PublicSubnet2CIDR 816 | AvailabilityZone: !Select [1, !Ref AvailabilityZones] 817 | Tags: 818 | - Key: Name 819 | Value: Public subnet 2 820 | - !If 821 | - PublicSubnetTag1Condition 822 | - Key: !Select [0, !Split ['=', !Ref PublicSubnetTag1]] 823 | Value: !Select [1, !Split ['=', !Ref PublicSubnetTag1]] 824 | - !Ref AWS::NoValue 825 | - !If 826 | - PublicSubnetTag2Condition 827 | - Key: !Select [0, !Split ['=', !Ref PublicSubnetTag2]] 828 | Value: !Select [1, !Split ['=', !Ref PublicSubnetTag2]] 829 | - !Ref AWS::NoValue 830 | - !If 831 | - PublicSubnetTag3Condition 832 | - Key: !Select [0, !Split ['=', !Ref PublicSubnetTag3]] 833 | Value: !Select [1, !Split ['=', !Ref PublicSubnetTag3]] 834 | - !Ref AWS::NoValue 835 | MapPublicIpOnLaunch: true 836 | PublicSubnet3: 837 | Condition: PublicSubnets&3AZCondition 838 | Type: AWS::EC2::Subnet 839 | Metadata: 840 | cfn_nag: 841 | rules_to_suppress: 842 | - id: W33 843 | reason: >- 844 | (W33) EC2 Subnet should not have MapPublicIpOnLaunch set to true. 
845 | Properties: 846 | VpcId: !Ref VPC 847 | CidrBlock: !Ref PublicSubnet3CIDR 848 | AvailabilityZone: !Select [2, !Ref AvailabilityZones] 849 | Tags: 850 | - Key: Name 851 | Value: Public subnet 3 852 | - !If 853 | - PublicSubnetTag1Condition 854 | - Key: !Select [0, !Split ['=', !Ref PublicSubnetTag1]] 855 | Value: !Select [1, !Split ['=', !Ref PublicSubnetTag1]] 856 | - !Ref AWS::NoValue 857 | - !If 858 | - PublicSubnetTag2Condition 859 | - Key: !Select [0, !Split ['=', !Ref PublicSubnetTag2]] 860 | Value: !Select [1, !Split ['=', !Ref PublicSubnetTag2]] 861 | - !Ref AWS::NoValue 862 | - !If 863 | - PublicSubnetTag3Condition 864 | - Key: !Select [0, !Split ['=', !Ref PublicSubnetTag3]] 865 | Value: !Select [1, !Split ['=', !Ref PublicSubnetTag3]] 866 | - !Ref AWS::NoValue 867 | MapPublicIpOnLaunch: true 868 | PublicSubnet4: 869 | Condition: PublicSubnets&4AZCondition 870 | Type: AWS::EC2::Subnet 871 | Metadata: 872 | cfn_nag: 873 | rules_to_suppress: 874 | - id: W33 875 | reason: >- 876 | (W33) EC2 Subnet should not have MapPublicIpOnLaunch set to true. 
877 | Properties: 878 | VpcId: !Ref VPC 879 | CidrBlock: !Ref PublicSubnet4CIDR 880 | AvailabilityZone: !Select [3, !Ref AvailabilityZones] 881 | Tags: 882 | - Key: Name 883 | Value: Public subnet 4 884 | - !If 885 | - PublicSubnetTag1Condition 886 | - Key: !Select [0, !Split ['=', !Ref PublicSubnetTag1]] 887 | Value: !Select [1, !Split ['=', !Ref PublicSubnetTag1]] 888 | - !Ref AWS::NoValue 889 | - !If 890 | - PublicSubnetTag2Condition 891 | - Key: !Select [0, !Split ['=', !Ref PublicSubnetTag2]] 892 | Value: !Select [1, !Split ['=', !Ref PublicSubnetTag2]] 893 | - !Ref AWS::NoValue 894 | - !If 895 | - PublicSubnetTag3Condition 896 | - Key: !Select [0, !Split ['=', !Ref PublicSubnetTag3]] 897 | Value: !Select [1, !Split ['=', !Ref PublicSubnetTag3]] 898 | - !Ref AWS::NoValue 899 | MapPublicIpOnLaunch: true 900 | PrivateSubnet1ARouteTable: 901 | Condition: PrivateSubnetsCondition 902 | Type: AWS::EC2::RouteTable 903 | Properties: 904 | VpcId: !Ref VPC 905 | Tags: 906 | - Key: Name 907 | Value: Private subnet 1A 908 | - Key: Network 909 | Value: Private 910 | PrivateSubnet1ARoute: 911 | Condition: NATGateways&PublicSubnets&PrivateSubnetsCondition 912 | Type: AWS::EC2::Route 913 | Properties: 914 | RouteTableId: !Ref PrivateSubnet1ARouteTable 915 | DestinationCidrBlock: 0.0.0.0/0 916 | NatGatewayId: !Ref NATGateway1 917 | PrivateSubnet1ARouteTableAssociation: 918 | Condition: PrivateSubnetsCondition 919 | Type: AWS::EC2::SubnetRouteTableAssociation 920 | Properties: 921 | SubnetId: !Ref PrivateSubnet1A 922 | RouteTableId: !Ref PrivateSubnet1ARouteTable 923 | PrivateSubnet2ARouteTable: 924 | Condition: PrivateSubnetsCondition 925 | Type: AWS::EC2::RouteTable 926 | Properties: 927 | VpcId: !Ref VPC 928 | Tags: 929 | - Key: Name 930 | Value: Private subnet 2A 931 | - Key: Network 932 | Value: Private 933 | PrivateSubnet2ARoute: 934 | Condition: NATGateways&PublicSubnets&PrivateSubnetsCondition 935 | Type: AWS::EC2::Route 936 | Properties: 937 | RouteTableId: !Ref 
PrivateSubnet2ARouteTable 938 | DestinationCidrBlock: 0.0.0.0/0 939 | NatGatewayId: !Ref NATGateway2 940 | PrivateSubnet2ARouteTableAssociation: 941 | Condition: PrivateSubnetsCondition 942 | Type: AWS::EC2::SubnetRouteTableAssociation 943 | Properties: 944 | SubnetId: !Ref PrivateSubnet2A 945 | RouteTableId: !Ref PrivateSubnet2ARouteTable 946 | PrivateSubnet3ARouteTable: 947 | Condition: PrivateSubnets&3AZCondition 948 | Type: AWS::EC2::RouteTable 949 | Properties: 950 | VpcId: !Ref VPC 951 | Tags: 952 | - Key: Name 953 | Value: Private subnet 3A 954 | - Key: Network 955 | Value: Private 956 | PrivateSubnet3ARoute: 957 | Condition: NATGateways&PublicSubnets&PrivateSubnets&3AZCondition 958 | Type: AWS::EC2::Route 959 | Properties: 960 | RouteTableId: !Ref PrivateSubnet3ARouteTable 961 | DestinationCidrBlock: 0.0.0.0/0 962 | NatGatewayId: !Ref NATGateway3 963 | PrivateSubnet3ARouteTableAssociation: 964 | Condition: PrivateSubnets&3AZCondition 965 | Type: AWS::EC2::SubnetRouteTableAssociation 966 | Properties: 967 | SubnetId: !Ref PrivateSubnet3A 968 | RouteTableId: !Ref PrivateSubnet3ARouteTable 969 | PrivateSubnet4ARouteTable: 970 | Condition: PrivateSubnets&4AZCondition 971 | Type: AWS::EC2::RouteTable 972 | Properties: 973 | VpcId: !Ref VPC 974 | Tags: 975 | - Key: Name 976 | Value: Private subnet 4A 977 | - Key: Network 978 | Value: Private 979 | PrivateSubnet4ARoute: 980 | Condition: NATGateways&PublicSubnets&PrivateSubnets&4AZCondition 981 | Type: AWS::EC2::Route 982 | Properties: 983 | RouteTableId: !Ref PrivateSubnet4ARouteTable 984 | DestinationCidrBlock: 0.0.0.0/0 985 | NatGatewayId: !Ref NATGateway4 986 | PrivateSubnet4ARouteTableAssociation: 987 | Condition: PrivateSubnets&4AZCondition 988 | Type: AWS::EC2::SubnetRouteTableAssociation 989 | Properties: 990 | SubnetId: !Ref PrivateSubnet4A 991 | RouteTableId: !Ref PrivateSubnet4ARouteTable 992 | PrivateSubnet1BRouteTable: 993 | Condition: AdditionalPrivateSubnetsCondition 994 | Type: AWS::EC2::RouteTable 
# NOTE(review): PrivateSubnet1BNetworkAcl below ships with a single allow-all rule in each
# direction (Protocol -1, CidrBlock 0.0.0.0/0), so the "NACL Protected" tag describes intent
# rather than current filtering; narrow both entries to the protocols/ports the workload needs.
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: Private subnet 1B
        - Key: Network
          Value: Private
  # Default route for subnet 1B through NATGateway1; only created when additional private
  # subnets, public subnets and NAT gateways are all enabled (see Condition).
  PrivateSubnet1BRoute:
    Condition: AdditionalPrivateSubnets&PublicSubnets&NatGatewaysCondition
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateSubnet1BRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NATGateway1
  PrivateSubnet1BRouteTableAssociation:
    Condition: AdditionalPrivateSubnetsCondition
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnet1B
      RouteTableId: !Ref PrivateSubnet1BRouteTable
  # Dedicated network ACL for subnet 1B; the NetworkAclEntry resources below attach its rules.
  PrivateSubnet1BNetworkAcl:
    Condition: AdditionalPrivateSubnetsCondition
    Type: AWS::EC2::NetworkAcl
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: NACL Protected subnet 1
        - Key: Network
          Value: NACL Protected
  PrivateSubnet1BNetworkAclEntryInbound:
    Condition: AdditionalPrivateSubnetsCondition
    Type: AWS::EC2::NetworkAclEntry
    # cfn_nag W66 is suppressed, not resolved: the entry still allows every protocol.
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W66
            reason: >-
              (W66) To avoid opening all ports for allow rules, EC2 NetworkACL
              entry protocol should be either 6 for TCP, 17 for UDP,
              1 for ICMP, or 58 for ICMPv6 (which must include an IPv6 CIDR
              block, ICMP type, and code).
    Properties:
      CidrBlock: 0.0.0.0/0      # any source
      Egress: false             # inbound rule
      NetworkAclId: !Ref PrivateSubnet1BNetworkAcl
      Protocol: -1              # -1 = all protocols (and therefore all ports)
      RuleAction: allow
      RuleNumber: 100
  PrivateSubnet1BNetworkAclEntryOutbound:
    Condition: AdditionalPrivateSubnetsCondition
    Type: AWS::EC2::NetworkAclEntry
    # Same suppression as the inbound entry; see the note at the top of this section.
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W66
            reason: >-
              (W66) To avoid opening all ports for allow rules, EC2 NetworkACL
              entry protocol should be either 6 for TCP, 17 for UDP,
              1 for ICMP, or 58 for ICMPv6 (which must include an IPv6 CIDR
              block, ICMP type, and code).
    Properties:
      CidrBlock: 0.0.0.0/0      # any destination
      Egress: true              # outbound rule
      NetworkAclId: !Ref PrivateSubnet1BNetworkAcl
      Protocol: -1              # -1 = all protocols
      RuleAction: allow
      RuleNumber: 100
  PrivateSubnet1BNetworkAclAssociation:
    Condition: AdditionalPrivateSubnetsCondition
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      SubnetId: !Ref PrivateSubnet1B
      NetworkAclId: !Ref PrivateSubnet1BNetworkAcl
  PrivateSubnet2BRouteTable:
    Condition: AdditionalPrivateSubnetsCondition
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: Private subnet 2B
        - Key: Network
          Value: Private
  # Same shape as PrivateSubnet1BRoute, for AZ 2 via NATGateway2.
  PrivateSubnet2BRoute:
    Condition: AdditionalPrivateSubnets&PublicSubnets&NatGatewaysCondition
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateSubnet2BRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NATGateway2
  PrivateSubnet2BRouteTableAssociation:
    Condition: AdditionalPrivateSubnetsCondition
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnet2B
      RouteTableId: !Ref PrivateSubnet2BRouteTable
  PrivateSubnet2BNetworkAcl:
    Condition: AdditionalPrivateSubnetsCondition
1094 | Type: AWS::EC2::NetworkAcl 1095 | Properties: 1096 | VpcId: !Ref VPC 1097 | Tags: 1098 | - Key: Name 1099 | Value: NACL Protected subnet 2 1100 | - Key: Network 1101 | Value: NACL Protected 1102 | PrivateSubnet2BNetworkAclEntryInbound: 1103 | Condition: AdditionalPrivateSubnetsCondition 1104 | Type: AWS::EC2::NetworkAclEntry 1105 | Metadata: 1106 | cfn_nag: 1107 | rules_to_suppress: 1108 | - id: W66 1109 | reason: >- 1110 | (W66) To avoid opening all ports for allow rules, EC2 NetworkACL 1111 | entry protocol should be either 6 for TCP, 17 for UDP, 1112 | 1 for ICMP, or 58 for ICMPv6 (which must include an IPv6 CIDR 1113 | block, ICMP type, and code). 1114 | Properties: 1115 | CidrBlock: 0.0.0.0/0 1116 | Egress: false 1117 | NetworkAclId: !Ref PrivateSubnet2BNetworkAcl 1118 | Protocol: -1 1119 | RuleAction: allow 1120 | RuleNumber: 100 1121 | PrivateSubnet2BNetworkAclEntryOutbound: 1122 | Condition: AdditionalPrivateSubnetsCondition 1123 | Type: AWS::EC2::NetworkAclEntry 1124 | Metadata: 1125 | cfn_nag: 1126 | rules_to_suppress: 1127 | - id: W66 1128 | reason: >- 1129 | (W66) To avoid opening all ports for allow rules, EC2 NetworkACL 1130 | entry protocol should be either 6 for TCP, 17 for UDP, 1131 | 1 for ICMP, or 58 for ICMPv6 (which must include an IPv6 CIDR 1132 | block, ICMP type, and code). 
1133 | Properties: 1134 | CidrBlock: 0.0.0.0/0 1135 | Egress: true 1136 | NetworkAclId: !Ref PrivateSubnet2BNetworkAcl 1137 | Protocol: -1 1138 | RuleAction: allow 1139 | RuleNumber: 100 1140 | PrivateSubnet2BNetworkAclAssociation: 1141 | Condition: AdditionalPrivateSubnetsCondition 1142 | Type: AWS::EC2::SubnetNetworkAclAssociation 1143 | Properties: 1144 | SubnetId: !Ref PrivateSubnet2B 1145 | NetworkAclId: !Ref PrivateSubnet2BNetworkAcl 1146 | PrivateSubnet3BRouteTable: 1147 | Condition: AdditionalPrivateSubnets&3AZCondition 1148 | Type: AWS::EC2::RouteTable 1149 | Properties: 1150 | VpcId: !Ref VPC 1151 | Tags: 1152 | - Key: Name 1153 | Value: Private subnet 3B 1154 | - Key: Network 1155 | Value: Private 1156 | PrivateSubnet3BRoute: 1157 | Condition: AdditionalPrivateSubnets&PublicSubnets&NatGateways&3AZCondition 1158 | Type: AWS::EC2::Route 1159 | Properties: 1160 | RouteTableId: !Ref PrivateSubnet3BRouteTable 1161 | DestinationCidrBlock: 0.0.0.0/0 1162 | NatGatewayId: !Ref NATGateway3 1163 | PrivateSubnet3BRouteTableAssociation: 1164 | Condition: AdditionalPrivateSubnets&3AZCondition 1165 | Type: AWS::EC2::SubnetRouteTableAssociation 1166 | Properties: 1167 | SubnetId: !Ref PrivateSubnet3B 1168 | RouteTableId: !Ref PrivateSubnet3BRouteTable 1169 | PrivateSubnet3BNetworkAcl: 1170 | Condition: AdditionalPrivateSubnets&3AZCondition 1171 | Type: AWS::EC2::NetworkAcl 1172 | Properties: 1173 | VpcId: !Ref VPC 1174 | Tags: 1175 | - Key: Name 1176 | Value: NACL Protected subnet 3 1177 | - Key: Network 1178 | Value: NACL Protected 1179 | PrivateSubnet3BNetworkAclEntryInbound: 1180 | Condition: AdditionalPrivateSubnets&3AZCondition 1181 | Type: AWS::EC2::NetworkAclEntry 1182 | Metadata: 1183 | cfn_nag: 1184 | rules_to_suppress: 1185 | - id: W66 1186 | reason: >- 1187 | (W66) To avoid opening all ports for allow rules, EC2 NetworkACL 1188 | entry protocol should be either 6 for TCP, 17 for UDP, 1189 | 1 for ICMP, or 58 for ICMPv6 (which must include an IPv6 CIDR 1190 | 
block, ICMP type, and code). 1191 | Properties: 1192 | CidrBlock: 0.0.0.0/0 1193 | Egress: false 1194 | NetworkAclId: !Ref PrivateSubnet3BNetworkAcl 1195 | Protocol: -1 1196 | RuleAction: allow 1197 | RuleNumber: 100 1198 | PrivateSubnet3BNetworkAclEntryOutbound: 1199 | Condition: AdditionalPrivateSubnets&3AZCondition 1200 | Type: AWS::EC2::NetworkAclEntry 1201 | Metadata: 1202 | cfn_nag: 1203 | rules_to_suppress: 1204 | - id: W66 1205 | reason: >- 1206 | (W66) To avoid opening all ports for allow rules, EC2 NetworkACL 1207 | entry protocol should be either 6 for TCP, 17 for UDP, 1208 | 1 for ICMP, or 58 for ICMPv6 (which must include an IPv6 CIDR 1209 | block, ICMP type, and code). 1210 | Properties: 1211 | CidrBlock: 0.0.0.0/0 1212 | Egress: true 1213 | NetworkAclId: !Ref PrivateSubnet3BNetworkAcl 1214 | Protocol: -1 1215 | RuleAction: allow 1216 | RuleNumber: 100 1217 | PrivateSubnet3BNetworkAclAssociation: 1218 | Condition: AdditionalPrivateSubnets&3AZCondition 1219 | Type: AWS::EC2::SubnetNetworkAclAssociation 1220 | Properties: 1221 | SubnetId: !Ref PrivateSubnet3B 1222 | NetworkAclId: !Ref PrivateSubnet3BNetworkAcl 1223 | PrivateSubnet4BRouteTable: 1224 | Condition: AdditionalPrivateSubnets&4AZCondition 1225 | Type: AWS::EC2::RouteTable 1226 | Properties: 1227 | VpcId: !Ref VPC 1228 | Tags: 1229 | - Key: Name 1230 | Value: Private subnet 4B 1231 | - Key: Network 1232 | Value: Private 1233 | PrivateSubnet4BRoute: 1234 | Condition: AdditionalPrivateSubnets&PublicSubnets&NatGateways&4AZCondition 1235 | Type: AWS::EC2::Route 1236 | Properties: 1237 | RouteTableId: !Ref PrivateSubnet4BRouteTable 1238 | DestinationCidrBlock: 0.0.0.0/0 1239 | NatGatewayId: !Ref NATGateway4 1240 | PrivateSubnet4BRouteTableAssociation: 1241 | Condition: AdditionalPrivateSubnets&4AZCondition 1242 | Type: AWS::EC2::SubnetRouteTableAssociation 1243 | Properties: 1244 | SubnetId: !Ref PrivateSubnet4B 1245 | RouteTableId: !Ref PrivateSubnet4BRouteTable 1246 | PrivateSubnet4BNetworkAcl: 
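# NOTE(review): the "PrivateSubnet4BNetworkAcl:" header line precedes this excerpt.
    Condition: AdditionalPrivateSubnets&4AZCondition
    Type: AWS::EC2::NetworkAcl
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: NACL Protected subnet 4
        - Key: Network
          Value: NACL Protected
  # Allow-all inbound/outbound entries (Protocol -1, 0.0.0.0/0): the NACL is an
  # attachment point for operator-supplied rules, not a filter as shipped.
  PrivateSubnet4BNetworkAclEntryInbound:
    Condition: AdditionalPrivateSubnets&4AZCondition
    Type: AWS::EC2::NetworkAclEntry
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W66
            # NOTE(review): reason restates rule W66; the actual justification is
            # that the NACL is intentionally permissive and tightened per workload.
            reason: >-
              (W66) To avoid opening all ports for allow rules, EC2 NetworkACL
              entry protocol should be either 6 for TCP, 17 for UDP,
              1 for ICMP, or 58 for ICMPv6 (which must include an IPv6 CIDR
              block, ICMP type, and code).
    Properties:
      CidrBlock: 0.0.0.0/0
      Egress: false
      NetworkAclId: !Ref PrivateSubnet4BNetworkAcl
      Protocol: -1
      RuleAction: allow
      RuleNumber: 100
  PrivateSubnet4BNetworkAclEntryOutbound:
    Condition: AdditionalPrivateSubnets&4AZCondition
    Type: AWS::EC2::NetworkAclEntry
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W66
            reason: >-
              (W66) To avoid opening all ports for allow rules, EC2 NetworkACL
              entry protocol should be either 6 for TCP, 17 for UDP,
              1 for ICMP, or 58 for ICMPv6 (which must include an IPv6 CIDR
              block, ICMP type, and code).
    Properties:
      CidrBlock: 0.0.0.0/0
      Egress: true
      NetworkAclId: !Ref PrivateSubnet4BNetworkAcl
      Protocol: -1
      RuleAction: allow
      RuleNumber: 100
  PrivateSubnet4BNetworkAclAssociation:
    Condition: AdditionalPrivateSubnets&4AZCondition
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      SubnetId: !Ref PrivateSubnet4B
      NetworkAclId: !Ref PrivateSubnet4BNetworkAcl
  # One shared route table for all public subnets; its default route goes to the IGW.
  PublicSubnetRouteTable:
    Condition: PublicSubnetsCondition
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: Public Subnets
        - Key: Network
          Value: Public
  PublicSubnetRoute:
    Condition: PublicSubnetsCondition
    # The IGW must be attached before a route can reference it.
    DependsOn: VPCGatewayAttachment
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PublicSubnetRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
  PublicSubnet1RouteTableAssociation:
    Condition: PublicSubnetsCondition
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet1
      RouteTableId: !Ref PublicSubnetRouteTable
  PublicSubnet2RouteTableAssociation:
    Condition: PublicSubnetsCondition
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet2
      RouteTableId: !Ref PublicSubnetRouteTable
  PublicSubnet3RouteTableAssociation:
    Condition: PublicSubnets&3AZCondition
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet3
      RouteTableId: !Ref PublicSubnetRouteTable
  PublicSubnet4RouteTableAssociation:
    Condition: PublicSubnets&4AZCondition
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet4
      RouteTableId: !Ref PublicSubnetRouteTable
  # Elastic IPs for the per-AZ NAT gateways. Each one depends on the IGW
  # attachment so that allocation is not attempted before the VPC has an
  # internet gateway; NAT3EIP previously lacked this and was the odd one out.
  NAT1EIP:
    Condition: NATGateways&PublicSubnets&PrivateSubnetsCondition
    DependsOn: VPCGatewayAttachment
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc
      Tags:
        - Key: Name
          Value: NAT1EIP
  NAT2EIP:
    Condition: NATGateways&PublicSubnets&PrivateSubnetsCondition
    DependsOn: VPCGatewayAttachment
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc
      Tags:
        - Key: Name
          Value: NAT2EIP
  NAT3EIP:
    Condition: NATGateways&PublicSubnets&PrivateSubnets&3AZCondition
    DependsOn: VPCGatewayAttachment
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc
      Tags:
        - Key: Name
          Value: NAT3EIP
  NAT4EIP:
    Condition: NATGateways&PublicSubnets&PrivateSubnets&4AZCondition
    DependsOn: VPCGatewayAttachment
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc
      Tags:
        - Key: Name
          Value: NAT4EIP
  # One NAT gateway per public subnet/AZ; the private "A"/"B" subnets in the
  # same AZ default-route through it, so these EIPs are the egress source
  # addresses downstream allow-lists will see.
  NATGateway1:
    Condition: NATGateways&PublicSubnets&PrivateSubnetsCondition
    DependsOn: VPCGatewayAttachment
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt NAT1EIP.AllocationId
      SubnetId: !Ref PublicSubnet1
      Tags:
        - Key: Name
          Value: NATGateway1
  NATGateway2:
    Condition: NATGateways&PublicSubnets&PrivateSubnetsCondition
    DependsOn: VPCGatewayAttachment
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt NAT2EIP.AllocationId
      SubnetId: !Ref PublicSubnet2
      Tags:
        - Key: Name
          Value: NATGateway2
  NATGateway3:
    Condition: NATGateways&PublicSubnets&PrivateSubnets&3AZCondition
    DependsOn: VPCGatewayAttachment
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt NAT3EIP.AllocationId
      SubnetId: !Ref PublicSubnet3
      Tags:
        - Key: Name
          Value: NATGateway3
  NATGateway4:
    Condition: NATGateways&PublicSubnets&PrivateSubnets&4AZCondition
    DependsOn: VPCGatewayAttachment
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt NAT4EIP.AllocationId
      SubnetId: !Ref PublicSubnet4
      Tags:
        - Key: Name
          Value: NATGateway4
  # Gateway endpoint so private subnets reach S3 without traversing the NAT.
  # SECURITY NOTE(review): the endpoint policy is fully open (Action/Resource/
  # Principal all '*'). Bucket policies control access to *your* buckets, but an
  # open endpoint policy also lets a compromised host in a private subnet push
  # data to any bucket in any account, i.e. it is an exfiltration path that
  # bucket policies cannot close. Deployers who need that closed should restrict
  # the policy (e.g. an aws:ResourceOrgID / aws:PrincipalOrgID condition), bearing
  # in mind that AWS-owned buckets such as OS package repositories are accessed
  # anonymously and would need an explicit carve-out. Not changed here because it
  # would alter the template's contract for existing consumers.
  S3VPCEndpoint:
    Condition: PrivateSubnetsCondition
    Type: AWS::EC2::VPCEndpoint
    Metadata:
      cfn-lint:
        config:
          # Previously ignore_checks and ignore_reasons named different rules
          # (EPolicyWildcardPrincipal vs. EIAMPolicyWildcardResource); all three
          # wildcards in the policy below trip a rule, so list all three in both.
          ignore_checks:
            - EIAMPolicyActionWildcard
            - EIAMPolicyWildcardResource
            - EPolicyWildcardPrincipal
          ignore_reasons:
            EIAMPolicyActionWildcard: >-
              This is based on AWS documentation- filtering via bucket policy
              is generally preferred.
            EIAMPolicyWildcardResource: >-
              This is based on AWS documentation- filtering via bucket policy
              is generally preferred.
            EPolicyWildcardPrincipal: >-
              This is based on AWS documentation- filtering via bucket policy
              is generally preferred.
    Properties:
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Action: '*'
            Effect: Allow
            Resource: '*'
            Principal: '*'
      # Attach to every private route table that exists for the chosen AZ count.
      RouteTableIds:
        - !Ref PrivateSubnet1ARouteTable
        - !Ref PrivateSubnet2ARouteTable
        - !If [PrivateSubnets&3AZCondition, !Ref PrivateSubnet3ARouteTable, !Ref AWS::NoValue]
        - !If [PrivateSubnets&4AZCondition, !Ref PrivateSubnet4ARouteTable, !Ref AWS::NoValue]
        - !If [AdditionalPrivateSubnetsCondition, !Ref PrivateSubnet1BRouteTable, !Ref AWS::NoValue]
        - !If [AdditionalPrivateSubnetsCondition, !Ref PrivateSubnet2BRouteTable, !Ref AWS::NoValue]
        - !If [AdditionalPrivateSubnets&3AZCondition, !Ref PrivateSubnet3BRouteTable, !Ref AWS::NoValue]
        - !If [AdditionalPrivateSubnets&4AZCondition, !Ref PrivateSubnet4BRouteTable, !Ref AWS::NoValue]
      ServiceName: !Sub com.amazonaws.${AWS::Region}.s3
      VpcId: !Ref VPC
  # IAM role the VPC Flow Logs service assumes to write to the log group below.
  VPCFlowLogsRole:
    Condition: VPCFlowLogsToCloudWatchCondition
    Type: AWS::IAM::Role
    Properties:
      Description: Rights to publish VPC flow logs to CloudWatch Logs.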
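# NOTE(review): these are the remaining Properties of VPCFlowLogsRole, whose
# header and Description precede this excerpt.
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            Principal:
              Service:
                - vpc-flow-logs.amazonaws.com
            # Confused-deputy guard: without these conditions any flow log in any
            # account could name this role as DeliverLogsPermissionArn and write
            # into our log group. Restrict assumption to flow logs created in
            # this account and region.
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
              ArnLike:
                aws:SourceArn: !Sub arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:vpc-flow-log/*
      Path: /
      Policies:
        - PolicyName: CloudWatchLogGroup
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Sid: CloudWatchLogs
                Effect: Allow
                Action:
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                  - logs:DescribeLogGroups
                  - logs:DescribeLogStreams
                # Scoped to this template's log group only (no logs:CreateLogGroup,
                # since the group is created below). The LogGroup Arn attribute
                # carries a trailing ":*", which is what lets stream-level
                # actions match — presumably; verify if delivery fails.
                Resource: !GetAtt VPCFlowLogsLogGroup.Arn
  VPCFlowLogsLogGroup:
    Condition: VPCFlowLogsToCloudWatchCondition
    Type: AWS::Logs::LogGroup
    Properties:
      # Retention is operator-chosen; flow logs are evidence, keep them long enough for IR.
      RetentionInDays: !Ref VPCFlowLogsLogGroupRetention
      # Optional CMK. NOTE(review): the key's policy must permit the CloudWatch
      # Logs service principal for this region; that policy is not visible here.
      KmsKeyId: !If
        - VPCFlowLogsCloudWatchKMSKeyCondition
        - !Ref VPCFlowLogsCloudWatchKMSKey
        - !Ref AWS::NoValue
  VPCFlowLogsToCloudWatch:
    Condition: VPCFlowLogsToCloudWatchCondition
    Type: AWS::EC2::FlowLog
    Properties:
      LogDestinationType: cloud-watch-logs
      LogGroupName: !Ref VPCFlowLogsLogGroup
      DeliverLogsPermissionArn: !GetAtt VPCFlowLogsRole.Arn
      LogFormat: !Ref VPCFlowLogsLogFormat
      MaxAggregationInterval: !Ref VPCFlowLogsMaxAggregationInterval
      # Captures the whole VPC, not individual subnets/ENIs.
      ResourceId: !Ref VPC
      ResourceType: VPC
      # ACCEPT, REJECT or ALL per parameter; REJECT-only loses visibility of
      # successful lateral movement.
      TrafficType: !Ref VPCFlowLogsTrafficType
      Tags:
        - Key: Name
          Value: VPC Flow Logs CloudWatch
Outputs:
  # NAT EIPs are the source addresses private-subnet egress will present to
  # the internet; consumers typically export these for downstream allow-lists.
  NAT1EIP:
    Condition: NATGateways&PublicSubnets&PrivateSubnetsCondition
    Description: NAT 1 IP address.
    Value: !Ref NAT1EIP
    Export:
      Name: !Sub ${AWS::StackName}-NAT1EIP
  NAT2EIP:
    Condition: NATGateways&PublicSubnets&PrivateSubnetsCondition
    Description: NAT 2 IP address.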
# NOTE(review): the NAT2EIP output's Condition and Description lines precede
# this excerpt. All outputs below are exported under "<StackName>-<Name>" for
# cross-stack consumption; each is conditional on the same condition as the
# resource it exposes.
    Value: !Ref NAT2EIP
    Export:
      Name: !Sub ${AWS::StackName}-NAT2EIP
  NAT3EIP:
    Condition: NATGateways&PublicSubnets&PrivateSubnets&3AZCondition
    Description: NAT 3 IP address.
    Value: !Ref NAT3EIP
    Export:
      Name: !Sub ${AWS::StackName}-NAT3EIP
  NAT4EIP:
    Condition: NATGateways&PublicSubnets&PrivateSubnets&4AZCondition
    Description: NAT 4 IP address.
    Value: !Ref NAT4EIP
    Export:
      Name: !Sub ${AWS::StackName}-NAT4EIP
  NATGateway1ID:
    Condition: NATGateways&PublicSubnets&PrivateSubnetsCondition
    Description: NATGateway 1 ID.
    Value: !Ref NATGateway1
    Export:
      Name: !Sub ${AWS::StackName}-NATGateway1
  NATGateway2ID:
    Condition: NATGateways&PublicSubnets&PrivateSubnetsCondition
    Description: NATGateway 2 ID.
    Value: !Ref NATGateway2
    Export:
      Name: !Sub ${AWS::StackName}-NATGateway2
  NATGateway3ID:
    Condition: NATGateways&PublicSubnets&PrivateSubnets&3AZCondition
    Description: NATGateway 3 ID.
    Value: !Ref NATGateway3
    Export:
      Name: !Sub ${AWS::StackName}-NATGateway3
  NATGateway4ID:
    Condition: NATGateways&PublicSubnets&PrivateSubnets&4AZCondition
    Description: NATGateway 4 ID.
    Value: !Ref NATGateway4
    Export:
      Name: !Sub ${AWS::StackName}-NATGateway4
  # Private "A" subnets: CIDR (the parameter value), subnet ID and route table.
  PrivateSubnet1ACIDR:
    Condition: PrivateSubnetsCondition
    Description: Private subnet 1A CIDR in Availability Zone 1.
    Value: !Ref PrivateSubnet1ACIDR
    Export:
      Name: !Sub ${AWS::StackName}-PrivateSubnet1ACIDR
  PrivateSubnet1AID:
    Condition: PrivateSubnetsCondition
    Description: Private subnet 1A ID in Availability Zone 1.
    Value: !Ref PrivateSubnet1A
    Export:
      Name: !Sub ${AWS::StackName}-PrivateSubnet1AID
  PrivateSubnet1ARouteTable:
    Condition: PrivateSubnetsCondition
    Description: Private subnet 1A route table.
    Value: !Ref PrivateSubnet1ARouteTable
    Export:
      Name: !Sub ${AWS::StackName}-PrivateSubnet1ARouteTable
  # Private "B" subnets exist only when additional private subnets are enabled.
  PrivateSubnet1BCIDR:
    Condition: AdditionalPrivateSubnetsCondition
    Description: Private subnet 1B CIDR in Availability Zone 1.
    Value: !Ref PrivateSubnet1BCIDR
    Export:
      Name: !Sub ${AWS::StackName}-PrivateSubnet1BCIDR
  PrivateSubnet1BID:
    Condition: AdditionalPrivateSubnetsCondition
    Description: Private subnet 1B ID in Availability Zone 1.
    Value: !Ref PrivateSubnet1B
    Export:
      Name: !Sub ${AWS::StackName}-PrivateSubnet1BID
  PrivateSubnet1BRouteTable:
    Condition: AdditionalPrivateSubnetsCondition
    Description: Private subnet 1B route table.
    Value: !Ref PrivateSubnet1BRouteTable
    Export:
      Name: !Sub ${AWS::StackName}-PrivateSubnet1BRouteTable
  PrivateSubnet2ACIDR:
    Condition: PrivateSubnetsCondition
    Description: Private subnet 2A CIDR in Availability Zone 2.
    Value: !Ref PrivateSubnet2ACIDR
    Export:
      Name: !Sub ${AWS::StackName}-PrivateSubnet2ACIDR
  PrivateSubnet2AID:
    Condition: PrivateSubnetsCondition
    Description: Private subnet 2A ID in Availability Zone 2.
    Value: !Ref PrivateSubnet2A
    Export:
      Name: !Sub ${AWS::StackName}-PrivateSubnet2AID
  PrivateSubnet2ARouteTable:
    Condition: PrivateSubnetsCondition
    Value: !Ref PrivateSubnet2ARouteTable
    Description: Private subnet 2A route table.
    Export:
      Name: !Sub ${AWS::StackName}-PrivateSubnet2ARouteTable
  PrivateSubnet2BCIDR:
    Condition: AdditionalPrivateSubnetsCondition
    Description: Private subnet 2B CIDR in Availability Zone 2.
    Value: !Ref PrivateSubnet2BCIDR
    Export:
      Name: !Sub ${AWS::StackName}-PrivateSubnet2BCIDR
  PrivateSubnet2BID:
    Condition: AdditionalPrivateSubnetsCondition
    Description: Private subnet 2B ID in Availability Zone 2.
    Value: !Ref PrivateSubnet2B
    Export:
      Name: !Sub ${AWS::StackName}-PrivateSubnet2BID
  PrivateSubnet2BRouteTable:
    Condition: AdditionalPrivateSubnetsCondition
    Description: Private subnet 2B route table.
    Value: !Ref PrivateSubnet2BRouteTable
    Export:
      Name: !Sub ${AWS::StackName}-PrivateSubnet2BRouteTable
  # Third and fourth AZ outputs are gated on the corresponding AZ-count conditions.
  PrivateSubnet3ACIDR:
    Condition: PrivateSubnets&3AZCondition
    Description: Private subnet 3A CIDR in Availability Zone 3.
    Value: !Ref PrivateSubnet3ACIDR
    Export:
      Name: !Sub ${AWS::StackName}-PrivateSubnet3ACIDR
  PrivateSubnet3AID:
    Condition: PrivateSubnets&3AZCondition
    Description: Private subnet 3A ID in Availability Zone 3.
    Value: !Ref PrivateSubnet3A
    Export:
      Name: !Sub ${AWS::StackName}-PrivateSubnet3AID
  PrivateSubnet3ARouteTable:
    Condition: PrivateSubnets&3AZCondition
    Description: Private subnet 3A route table.
    Value: !Ref PrivateSubnet3ARouteTable
    Export:
      Name: !Sub ${AWS::StackName}-PrivateSubnet3ARouteTable
  PrivateSubnet3BCIDR:
    Condition: AdditionalPrivateSubnets&3AZCondition
    Description: Private subnet 3B CIDR in Availability Zone 3.
    Value: !Ref PrivateSubnet3BCIDR
    Export:
      Name: !Sub ${AWS::StackName}-PrivateSubnet3BCIDR
  PrivateSubnet3BID:
    Condition: AdditionalPrivateSubnets&3AZCondition
    Description: Private subnet 3B ID in Availability Zone 3.
    Value: !Ref PrivateSubnet3B
    Export:
      Name: !Sub ${AWS::StackName}-PrivateSubnet3BID
  PrivateSubnet3BRouteTable:
    Condition: AdditionalPrivateSubnets&3AZCondition
    Description: Private subnet 3B route table.
    Value: !Ref PrivateSubnet3BRouteTable
    Export:
      Name: !Sub ${AWS::StackName}-PrivateSubnet3BRouteTable
  PrivateSubnet4ACIDR:
    Condition: PrivateSubnets&4AZCondition
    Description: Private subnet 4A CIDR in Availability Zone 4.
    Value: !Ref PrivateSubnet4ACIDR
    Export:
      Name: !Sub ${AWS::StackName}-PrivateSubnet4ACIDR
  PrivateSubnet4AID:
    Condition: PrivateSubnets&4AZCondition
    Description: Private subnet 4A ID in Availability Zone 4.
    Value: !Ref PrivateSubnet4A
    Export:
      Name: !Sub ${AWS::StackName}-PrivateSubnet4AID
  PrivateSubnet4ARouteTable:
    Condition: PrivateSubnets&4AZCondition
    Description: Private subnet 4A route table.
    Value: !Ref PrivateSubnet4ARouteTable
    Export:
      Name: !Sub ${AWS::StackName}-PrivateSubnet4ARouteTable
  PrivateSubnet4BCIDR:
    Condition: AdditionalPrivateSubnets&4AZCondition
    Description: Private subnet 4B CIDR in Availability Zone 4.
    Value: !Ref PrivateSubnet4BCIDR
    Export:
      Name: !Sub ${AWS::StackName}-PrivateSubnet4BCIDR
  PrivateSubnet4BID:
    Condition: AdditionalPrivateSubnets&4AZCondition
    Description: Private subnet 4B ID in Availability Zone 4.
    Value: !Ref PrivateSubnet4B
    Export:
      Name: !Sub ${AWS::StackName}-PrivateSubnet4BID
  PrivateSubnet4BRouteTable:
    Condition: AdditionalPrivateSubnets&4AZCondition
    Description: Private subnet 4B route table.
    Value: !Ref PrivateSubnet4BRouteTable
    Export:
      Name: !Sub ${AWS::StackName}-PrivateSubnet4BRouteTable
  # Public subnets share one route table (PublicSubnetRouteTable, exported below).
  PublicSubnet1CIDR:
    Condition: PublicSubnetsCondition
    Description: Public subnet 1 CIDR in Availability Zone 1.
    Value: !Ref PublicSubnet1CIDR
    Export:
      Name: !Sub ${AWS::StackName}-PublicSubnet1CIDR
  PublicSubnet1ID:
    Condition: PublicSubnetsCondition
    Description: Public subnet 1 ID in Availability Zone 1.
    Value: !Ref PublicSubnet1
    Export:
      Name: !Sub ${AWS::StackName}-PublicSubnet1ID
  PublicSubnet2CIDR:
    Condition: PublicSubnetsCondition
    Description: Public subnet 2 CIDR in Availability Zone 2.
    Value: !Ref PublicSubnet2CIDR
    Export:
      Name: !Sub ${AWS::StackName}-PublicSubnet2CIDR
  PublicSubnet2ID:
    Condition: PublicSubnetsCondition
    Description: Public subnet 2 ID in Availability Zone 2.
    Value: !Ref PublicSubnet2
    Export:
      Name: !Sub ${AWS::StackName}-PublicSubnet2ID
  PublicSubnet3CIDR:
    Condition: PublicSubnets&3AZCondition
    Description: Public subnet 3 CIDR in Availability Zone 3.
    Value: !Ref PublicSubnet3CIDR
    Export:
      Name: !Sub ${AWS::StackName}-PublicSubnet3CIDR
  PublicSubnet3ID:
    Condition: PublicSubnets&3AZCondition
    Description: Public subnet 3 ID in Availability Zone 3.
    Value: !Ref PublicSubnet3
    Export:
      Name: !Sub ${AWS::StackName}-PublicSubnet3ID
  PublicSubnet4CIDR:
    Condition: PublicSubnets&4AZCondition
    Description: Public subnet 4 CIDR in Availability Zone 4.
    Value: !Ref PublicSubnet4CIDR
    Export:
      Name: !Sub ${AWS::StackName}-PublicSubnet4CIDR
  PublicSubnet4ID:
    Condition: PublicSubnets&4AZCondition
    Description: Public subnet 4 ID in Availability Zone 4.
    Value: !Ref PublicSubnet4
    Export:
      Name: !Sub ${AWS::StackName}-PublicSubnet4ID
  PublicSubnetRouteTable:
    Condition: PublicSubnetsCondition
    Description: Public subnet route table.
    Value: !Ref PublicSubnetRouteTable
    Export:
      Name: !Sub ${AWS::StackName}-PublicSubnetRouteTable
  # Endpoint ID is exported so dependent stacks can reference it (e.g. in
  # bucket policies keyed on aws:sourceVpce).
  S3VPCEndpoint:
    Condition: PrivateSubnetsCondition
    Description: S3 VPC Endpoint.
    Value: !Ref S3VPCEndpoint
    Export:
      Name: !Sub ${AWS::StackName}-S3VPCEndpoint
  VPCCIDR:
    Description: VPC CIDR.
    Value: !Ref VPCCIDR
    Export:
      Name: !Sub ${AWS::StackName}-VPCCIDR
  VPCID:
    Description: VPC ID.
    Value: !Ref VPC
    Export:
      Name: !Sub ${AWS::StackName}-VPCID