├── .gitignore
├── images
│   └── nomad.png
├── functions
│   └── packages
│       └── ACMCert
│           └── lambda.zip
├── scripts
│   ├── scripts_userdata.sh
│   ├── awslogs-config-file
│   └── webjob.nomad
├── .gitmodules
├── README.md
├── NOTICE.txt
├── ci
│   ├── config.yml
│   ├── taskcat.yml
│   └── quickstart-hashicorp-nomad.json
├── .taskcat.yml
├── templates
│   ├── acm-cert-r53-record.template.yaml
│   ├── quickstart-hashicorp-nomad-testing.template.yaml
│   ├── copy-lambdas.template.yaml
│   ├── quickstart-hashicorp-nomad-master.template.yaml
│   ├── quickstart-hashicorp-nomad-cluster.template.yaml
│   ├── quickstart-hashicorp-consul-servers.template.yaml
│   ├── quickstart-hashicorp-nomad-clients.template.yaml
│   └── quickstart-hashicorp-nomad-servers.template.yaml
└── LICENSE.txt

/.gitignore:
--------------------------------------------------------------------------------
.DS_Store
# Per-developer taskcat overrides (real KeyPairName / HostedZoneID values that
# replace the placeholders in .taskcat.yml) must never be committed.
.taskcat_overrides.yml
taskcat_outputs
templates/reference

--------------------------------------------------------------------------------
/images/nomad.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-quickstart/quickstart-hashicorp-nomad/HEAD/images/nomad.png
--------------------------------------------------------------------------------
/functions/packages/ACMCert/lambda.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-quickstart/quickstart-hashicorp-nomad/HEAD/functions/packages/ACMCert/lambda.zip
--------------------------------------------------------------------------------
/scripts/scripts_userdata.sh:
--------------------------------------------------------------------------------
# UserData and/or scripts are kept here for source-control history only. CloudFormation templates must always fetch them from the 'quickstart-reference' S3 bucket, never from this repository, so what is reviewed here is only what runs on an instance if the bucket copy is kept in sync with this file.
--------------------------------------------------------------------------------
/scripts/awslogs-config-file:
--------------------------------------------------------------------------------
[general]
state_file = /var/awslogs/state/agent-state

[/var/log/syslog]
# TODO: set `file` to the log that should be shipped. While it is commented out
# this stream has no source, so nothing reaches the Nomad-Audit-Logs group; the
# Vault path below is almost certainly a leftover from another Quick Start.
#file = /var/log/vault_audit.logstatus
log_group_name = Nomad-Audit-Logs
log_stream_name = {instance_id}
datetime_format = %b %d %H:%M:%S
--------------------------------------------------------------------------------
/.gitmodules:
--------------------------------------------------------------------------------
# The superproject's tree pins each submodule to a commit; `branch` only steers
# `git submodule update --remote`, so a checkout does not silently track HEAD.
[submodule "submodules/quickstart-linux-bastion"]
	path = submodules/quickstart-linux-bastion
	url = https://github.com/aws-quickstart/quickstart-linux-bastion.git
	branch = main
[submodule "submodules/quickstart-aws-vpc"]
	path = submodules/quickstart-aws-vpc
	url = https://github.com/aws-quickstart/quickstart-aws-vpc.git
	branch = heads/main
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# quickstart-hashicorp-nomad
## Deprecation Notice

:x: This repository is subject to deprecation in Q4 2024. For more details, [please review this announcement](https://github.com/aws-ia/.announcements/issues/1).

## This repository has been deprecated in favor of https://github.com/aws-ia/cfn-ps-hashicorp-nomad.
***We will archive this repository and keep it publicly available until May 1, 2024.***
--------------------------------------------------------------------------------
/NOTICE.txt:
--------------------------------------------------------------------------------
Copyright 2016-2017 Amazon.com, Inc. or its affiliates. All Rights Reserved.

Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with the License.
A copy of the License is located at 4 | 5 | http://aws.amazon.com/apache2.0/ 6 | 7 | or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. 8 | -------------------------------------------------------------------------------- /ci/config.yml: -------------------------------------------------------------------------------- 1 | global: 2 | marketplace-ami: false 3 | owner: quickstart-eng@amazon.com 4 | qsname: quickstart-hashicorp-nomad 5 | regions: 6 | - ap-northeast-1 7 | - ap-northeast-2 8 | - ap-south-1 9 | - ap-southeast-1 10 | - ap-southeast-2 11 | - ca-central-1 12 | - eu-central-1 13 | - eu-west-1 14 | - sa-east-1 15 | - us-east-1 16 | - us-east-2 17 | - us-west-1 18 | - us-west-2 19 | reporting: true 20 | tests: 21 | nomad: 22 | parameter_input: quickstart-hashicorp-nomad.json 23 | template_file: quickstart-hashicorp-nomad-master.template 24 | regions: 25 | - us-east-1 26 | -------------------------------------------------------------------------------- /ci/taskcat.yml: -------------------------------------------------------------------------------- 1 | global: 2 | marketplace-ami: false 3 | owner: quickstart-eng@amazon.com 4 | qsname: quickstart-hashicorp-nomad 5 | regions: 6 | - ap-northeast-1 7 | - ap-northeast-2 8 | - ap-south-1 9 | - ap-southeast-1 10 | - ap-southeast-2 11 | - ca-central-1 12 | - eu-central-1 13 | - eu-west-1 14 | - sa-east-1 15 | - us-east-1 16 | - us-east-2 17 | - us-west-1 18 | - us-west-2 19 | reporting: true 20 | tests: 21 | nomad: 22 | parameter_input: quickstart-hashicorp-nomad.json 23 | template_file: quickstart-hashicorp-nomad-master.template 24 | regions: 25 | - us-east-1 26 | -------------------------------------------------------------------------------- /ci/quickstart-hashicorp-nomad.json: 
--------------------------------------------------------------------------------
[
  {
    "ParameterKey": "AccessCIDR",
    "ParameterValue": "0.0.0.0/0"
  },
  {
    "ParameterKey": "AvailabilityZones",
    "ParameterValue": "$[taskcat_genaz_3]"
  },
  {
    "ParameterKey": "KeyPairName",
    "ParameterValue": "tonynv"
  },
  {
    "ParameterKey": "QSS3BucketName",
    "ParameterValue": "$[taskcat_autobucket]"
  },
  {
    "ParameterKey": "QSS3KeyPrefix",
    "ParameterValue": "quickstart-hashicorp-nomad/"
  },
  {
    "ParameterKey": "VPCCIDR",
    "ParameterValue": "10.0.0.0/16"
  }
]
--------------------------------------------------------------------------------
/scripts/webjob.nomad:
--------------------------------------------------------------------------------
# Sample service job used to smoke-test the cluster: one nginx container on a
# client node, health-checked over HTTP.
job "webjob" {
  # Placeholder; presumably substituted with the real datacenter name at
  # deploy time (see the scripts directory) — confirm before submitting.
  datacenters = ["__DC__"]
  type = "service"
  update {
    stagger = "30s"
    max_parallel = 1
  }
  group "webs" {
    count = 1
    task "frontend" {
      driver = "docker"
      config {
        # NOTE(review): "latest" is a mutable tag, so every reschedule may pull
        # different bytes than were reviewed. Pin a version and digest
        # (nginx:<version>@sha256:...) for reproducible, auditable deployments.
        image = "nginx:latest"
      }
      service {
        port = "http"
        check {
          type = "http"
          path = "/"
          interval = "10s"
          timeout = "5s"
        }
      }
      resources {
        cpu = 500
        memory = 128
        # Older job syntax: network sits under resources here; newer Nomad
        # releases expect it at group level — check the target version.
        network {
          mbits = 100
          # Static host port 80: only one allocation per node can hold it, and
          # reachability is decided by the client nodes' security group, not
          # by this job.
          port "http" {
            static = 80
          }
        }
      }
    }
  }
}
--------------------------------------------------------------------------------
/.taskcat.yml:
--------------------------------------------------------------------------------
project:
  name: quickstart-hashicorp-nomad
  owner: quickstart-eng@amazon.com
  # taskcat does not build the Lambda package; the prebuilt
  # functions/packages/ACMCert/lambda.zip committed to git is what gets
  # uploaded and executed. No source for it is present in this tree, so its
  # contents cannot be reviewed here — verify it before trusting it.
  package_lambda: false
  s3_regional_buckets: false
  regions:
    - us-west-2
    - us-east-1
    - us-east-2
    - ap-south-1
    - eu-west-1
    - eu-north-1
    - eu-central-1
    - eu-west-3
    - eu-west-2
    - ap-southeast-1
    - ap-northeast-1
    - ap-southeast-2
    - ap-northeast-2
    - sa-east-1

tests:
  nomad:
    parameters:
      # Test-harness values. 0.0.0.0/0 opens the test stacks' access CIDR to
      # the whole internet for the duration of every CI run; KeyPairName is a
      # personal key-pair name and HostedZoneID is a placeholder. Real values
      # belong in the git-ignored .taskcat_overrides.yml.
      AccessCIDR: 0.0.0.0/0
      AvailabilityZones: $[taskcat_genaz_3]
      NomadClientNodeCount: '3'
      NomadServerNodeCount: '3'
      HostedZoneID: overrides
      KeyPairName: tonynv
      LoadBalancerFQDN: dummy.dns.name.com
      QSS3BucketName: $[taskcat_autobucket]
      QSS3KeyPrefix: quickstart-hashicorp-nomad/
      SSLCertificateArn: ''
    regions:
      - us-west-2
      - us-east-1
      - us-east-2
      - ap-south-1
      - eu-west-1
      - eu-north-1
      - eu-central-1
      - eu-west-3
      - eu-west-2
      - ap-southeast-1
      - ap-northeast-1
      - ap-southeast-2
      - ap-northeast-2
      - sa-east-1
    template: templates/quickstart-hashicorp-nomad-master.template.yaml


--------------------------------------------------------------------------------
/templates/acm-cert-r53-record.template.yaml:
--------------------------------------------------------------------------------
AWSTemplateFormatVersion: '2010-09-09'
Description: (qs-1nae6brn2) Creates R53 records and ACM Certificate.
# Issues the cluster's TLS certificate. With a hosted zone the certificate is
# DNS-validated by a Lambda-backed custom resource; with only a domain name an
# e-mail-validated AWS::CertificateManager::Certificate is created instead.
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: DNS Configuration
        Parameters:
          - DomainName
          - HostedZoneID
      - Label:
          default: AWS Quick Start Configuration
        Parameters:
          - LambdaZipsBucketName
          - QSS3KeyPrefix
    ParameterLabels:
      LambdaZipsBucketName:
        default: Lambda Zips S3 Bucket Name
      QSS3KeyPrefix:
        default: Quick Start S3 Key Prefix
      DomainName:
        default: Domain Name
      HostedZoneID:
        default: Route 53 Hosted Zone ID
Parameters:
  LambdaZipsBucketName:
    # Unlike QSS3KeyPrefix below, nothing enforces the format the description
    # promises; the value is only used as the S3Bucket of the Lambda code.
    Default: ''
    Description: >-
      S3 bucket name for the Quick Start assets. This string can include
      numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot
      start or end with a hyphen (-).
    Type: String
  QSS3KeyPrefix:
    AllowedPattern: ^[0-9a-zA-Z-/._]*$
    ConstraintDescription: >-
      S3 key prefix can include numbers, lowercase letters, uppercase letters,
      hyphens (-), and forward slash (/).
    Default: ''
    Description: >-
      Alphanumeric string which identifies the S3 key prefix used to simulate a
      folder for your copy of the Quick Start assets if you decided to customize
      or extend them for your own use.
    Type: String
  HostedZoneID:
    # Interpolated into the Route 53 resource ARN of the Lambda role below. An
    # AllowedPattern (zone IDs are upper-case alphanumerics) would reject stray
    # values before they reach IAM.
    Description: >-
      OPTIONAL: Route 53 Hosted Zone ID to use. If left blank, Route 53 will not
      be configured and DNS must be setup manually. If you specify this, you
      must also specify DomainName
    Type: String
    MaxLength: '32'
    Default: ''
  DomainName:
    Description: >-
      OPTIONAL: Domain Name configured for the cluster. If left blank, DNS must
      be configured manually, and an existing certificate must be used.
    Type: String
    Default: ''
Conditions:
  # Both a zone and a domain: automated DNS validation via the Lambda.
  SetupRoute53:
    !And
    - !Not [!Equals [!Ref HostedZoneID, '']]
    - !Not [!Equals [!Ref DomainName, '']]

  # Domain only: fall back to ACM e-mail validation.
  UseEmailForACMValidation:
    !And
    - !Equals [!Ref HostedZoneID, '']
    - !Not [!Equals [!Ref DomainName, '']]

Resources:
  # Execution role for the certificate Lambda. Route 53 writes are scoped to
  # the single hosted zone supplied by the caller — keep it that way; a
  # wildcard here would let the function rewrite any zone in the account.
  ACMCertificateRole:
    Condition: SetupRoute53
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Path: /
      Policies:
        - PolicyName: lambda-acm
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Any certificate in this account/region, including DeleteCertificate;
              # presumably needed for cleanup on stack delete — a tag condition
              # would narrow it, confirm against lambda.zip.
              - Effect: Allow
                Action:
                  - acm:RequestCertificate
                  - acm:DescribeCertificate
                  - acm:DeleteCertificate
                Resource:
                  - !Sub
                    arn:${AWS::Partition}:acm:${AWS::Region}:${AWS::AccountId}:certificate/*
              - Effect: Allow
                Action:
                  - route53:ChangeResourceRecordSets
                Resource:
                  - !Sub arn:${AWS::Partition}:route53:::hostedzone/${HostedZoneID}
              # Presumably lets the function read its own log group; the
              # wildcard also matches any other function whose name contains
              # "ACMCertificateLambda" — confirm it is actually used.
              - Effect: Allow
                Action:
                  - logs:FilterLogEvents
                Resource:
                  - !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/*ACMCertificateLambda*
  ACMCertificateLambda:
    Condition: SetupRoute53
    Type: AWS::Lambda::Function
    Properties:
      Description:
        Creates and verifies an ACM certificate using DNS validation and route53
      Handler: lambda_function.handler
      # NOTE(review): Lambda has deprecated python3.8, so it no longer receives
      # runtime security patches and new deployments are rejected once the
      # runtime is blocked. Move to a supported Python runtime after checking
      # that lambda.zip runs on it.
      Runtime: python3.8
      Role: !GetAtt ACMCertificateRole.Arn
      # 15 minutes, the Lambda maximum; DNS validation can take a while.
      Timeout: 900
      # Code is referenced by bucket name and key only — no S3ObjectVersion or
      # code-signing config — so whoever can write that key controls what runs
      # under ACMCertificateRole. Pin the object version or verify the zip
      # after the copy-lambdas step.
      Code:
        S3Bucket:
          Ref: LambdaZipsBucketName
        S3Key: !Sub ${QSS3KeyPrefix}functions/packages/ACMCert/lambda.zip
  # Certificate covers the apex and a wildcard for every subdomain.
  ACMCertificateDNS:
    Condition: SetupRoute53
    Type: AWS::CloudFormation::CustomResource
    Properties:
      ServiceToken: !GetAtt ACMCertificateLambda.Arn
      HostedZoneId: !Ref HostedZoneID
      HostNames:
        - !Ref DomainName
        - !Sub "*.${DomainName}"
  # E-mail validation: ACM mails the domain's registered contacts and the
  # stack stays in progress until a human approves, so this path is not
  # suitable for unattended pipelines.
  ACMCertificateEmail:
    Condition: UseEmailForACMValidation
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName:
        Ref: DomainName
      SubjectAlternativeNames:
        - !Sub "*.${DomainName}"
      DomainValidationOptions:
        - DomainName: !Ref DomainName
          ValidationDomain: !Ref DomainName
Outputs:
  # Empty (AWS::NoValue) when neither condition holds; the caller must then
  # supply its own certificate ARN.
  ACMCertificate:
    Description: ARN of the ACM-Generated SSL Certificate
    Value: !If
      - SetupRoute53
      - !GetAtt ACMCertificateDNS.Arn
      - !If
        - UseEmailForACMValidation
        - !Ref ACMCertificateEmail
        - !Ref AWS::NoValue
--------------------------------------------------------------------------------
/templates/quickstart-hashicorp-nomad-testing.template.yaml:
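--------------------------------------------------------------------------------
AWSTemplateFormatVersion: 2010-09-09
Description: 'Creates a VPC and BastionHost sufficient to test the cluster stack
  against to minimize teardown and recreation of otherwise stable resources. (qs-1nae6brn2)'
# Test scaffolding only: a three-AZ VPC plus a Linux bastion, both from the
# pinned Quick Start submodules, so the cluster stack can be iterated on
# without rebuilding the network each time.
Metadata:
  LintSpellExclude:
    - datacenter
    - xxxxxxxx
  SentenceCaseExclude:
    - Nomad
    - Consul

  QuickStartDocumentation:
    EntrypointName: "Launch into a new VPC"
  LICENSE: 'Apache License, Version 2.0'
  'AWS::CloudFormation::Interface':
    ParameterGroups:
      - Label:
          default: "VPC network configuration"
        Parameters:
          - AvailabilityZones
          - VPCCIDR
          - PrivateSubnet1CIDR
          - PrivateSubnet2CIDR
          - PrivateSubnet3CIDR
          - PublicSubnet1CIDR
          - PublicSubnet2CIDR
          - PublicSubnet3CIDR
      - Label:
          default: "Access configuration"
        Parameters:
          - AccessCIDR
          - KeyPairName
      - Label:
          default: "AWS Quick Start configuration"
        Parameters:
          - QSS3BucketName
          - QSS3KeyPrefix
    ParameterLabels:
      AccessCIDR:
        default: Permitted IP range
      AvailabilityZones:
        default: Availability Zones
      KeyPairName:
        default: Key name
      PrivateSubnet1CIDR:
        default: Private Subnet 1 CIDR
      PrivateSubnet2CIDR:
        default: Private Subnet 2 CIDR
      PrivateSubnet3CIDR:
        default: Private Subnet 3 CIDR
      PublicSubnet1CIDR:
        default: Public Subnet 1 CIDR
      PublicSubnet2CIDR:
        default: Public Subnet 2 CIDR
      PublicSubnet3CIDR:
        default: Public Subnet 3 CIDR
      QSS3BucketName:
        default: Quick Start S3 bucket name
      QSS3KeyPrefix:
        default: Quick Start S3 key prefix
      VPCCIDR:
        default: VPC CIDR

Parameters:
  AvailabilityZones:
    Description: >-
      List of Availability Zones to use for the subnets in the VPC.
      Note: the logical order is preserved; three Availability
      Zones (AZs) are used for this deployment.
    # Typed list of AZ names (the item type had been lost in extraction; a bare
    # 'List' is not a valid CloudFormation parameter type). The VPC stack below
    # joins it with commas and is told NumberOfAZs: '3'.
    Type: 'List<AWS::EC2::AvailabilityZone::Name>'
  AccessCIDR:
    # Deliberately no default: the caller must choose. The value is passed
    # straight through as the bastion's RemoteAccessCIDR, so 0.0.0.0/0 (as in
    # the CI parameter files) exposes the bastion's remote access to the whole
    # internet for the life of the stack.
    AllowedPattern: >-
      ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$
    Description: >-
      The CIDR IP range that is permitted to access Nomad. Note: a value of
      0.0.0.0/0 will allow access from ANY IP address.
    Type: String
  KeyPairName:
    Description: >-
      Public/private key pairs allow you to securely connect to your instance
      after it launches.
    # The AWS-specific type is validated at stack creation, so an unknown key
    # pair is rejected without a MinLength (which is a String-only constraint).
    Type: 'AWS::EC2::KeyPair::KeyName'
    #MinLength: 1
  PrivateSubnet1CIDR:
    AllowedPattern: >-
      ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$
    Default: 10.0.0.0/19
    Description: CIDR block for private subnet 1 located in Availability Zone 1.
    Type: String
  PrivateSubnet2CIDR:
    AllowedPattern: >-
      ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$
    Default: 10.0.32.0/19
    Description: CIDR block for private subnet 2 located in Availability Zone 2.
    Type: String
  PrivateSubnet3CIDR:
    AllowedPattern: >-
      ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$
    Default: 10.0.64.0/19
    Description: CIDR block for private subnet 3 located in Availability Zone 3.
    Type: String
  PublicSubnet1CIDR:
    AllowedPattern: >-
      ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$
    Default: 10.0.128.0/20
    Description: CIDR block for the public DMZ subnet 1 located in Availability Zone 1.
    Type: String
  PublicSubnet2CIDR:
    AllowedPattern: >-
      ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$
    Default: 10.0.144.0/20
    Description: CIDR block for the public DMZ subnet 2 located in Availability Zone 2.
    Type: String
  PublicSubnet3CIDR:
    AllowedPattern: >-
      ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$
    Default: 10.0.160.0/20
    Description: CIDR block for the public DMZ subnet 3 located in Availability Zone 3.
    Type: String
  QSS3BucketName:
    # The nested VPC and bastion templates are fetched over HTTPS from whatever
    # bucket this names, with no integrity check beyond TLS: anyone who can
    # write that bucket controls the network and the bastion. Keep the default
    # unless you have copied and reviewed the assets yourself.
    AllowedPattern: '^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$'
    ConstraintDescription: >-
      Quick Start bucket name can include numbers, lowercase letters, uppercase
      letters, and hyphens (-). It cannot start or end with a hyphen (-).
    Default: aws-quickstart
    Description: >-
      S3 bucket name for the Quick Start assets. Quick Start bucket name can
      include numbers, lowercase letters, uppercase letters, and hyphens (-). It
      cannot start or end with a hyphen (-).
    Type: String
  QSS3KeyPrefix:
    # Concatenated directly into the TemplateURLs below, so it must end with
    # '/' (the pattern allows, but does not require, one).
    AllowedPattern: '^[0-9a-zA-Z-/]*$'
    ConstraintDescription: >-
      Quick Start key prefix can include numbers, lowercase letters, uppercase
      letters, hyphens (-), and forward slash (/).
    Default: quickstart-hashicorp-nomad/
    Description: >-
      S3 key prefix for the Quick Start assets. Quick Start key prefix can
      include numbers, lowercase letters, uppercase letters, hyphens (-), and
      forward slash (/).
    Type: String
  VPCCIDR:
    AllowedPattern: >-
      ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$
    Default: 10.0.0.0/16
    Description: CIDR block for the VPC.
    Type: String


Resources:
  # Three-AZ VPC from the pinned quickstart-aws-vpc submodule.
  VPCStack:
    Type: 'AWS::CloudFormation::Stack'
    Properties:
      TemplateURL: !Sub >-
        https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}submodules/quickstart-aws-vpc/templates/aws-vpc.template.yaml
      Parameters:
        AvailabilityZones: !Join [",", !Ref AvailabilityZones ]
        NumberOfAZs: '3'
        PrivateSubnet1ACIDR: !Ref PrivateSubnet1CIDR
        PrivateSubnet2ACIDR: !Ref PrivateSubnet2CIDR
        PrivateSubnet3ACIDR: !Ref PrivateSubnet3CIDR
        PublicSubnet1CIDR: !Ref PublicSubnet1CIDR
        PublicSubnet2CIDR: !Ref PublicSubnet2CIDR
        PublicSubnet3CIDR: !Ref PublicSubnet3CIDR
        VPCCIDR: !Ref VPCCIDR

  # Bastion in the public subnets; it is the only intended entry point into
  # the private subnets, reachable from AccessCIDR with KeyPairName.
  BastionStack:
    Type: 'AWS::CloudFormation::Stack'
    Properties:
      TemplateURL: !Sub >-
        https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}submodules/quickstart-linux-bastion/templates/linux-bastion.template
      Parameters:
        # NOTE(review): Ubuntu 20.04 LTS is past its standard-support window;
        # check the bastion submodule's AllowedValues for a newer OS before
        # launching anything that will live longer than a test run.
        BastionAMIOS: Ubuntu-Server-20.04-LTS-HVM
        BastionInstanceType: 't3.medium'
        KeyPairName: !Ref KeyPairName
        PublicSubnet1ID: !GetAtt VPCStack.Outputs.PublicSubnet1ID
        PublicSubnet2ID: !GetAtt VPCStack.Outputs.PublicSubnet2ID
        QSS3BucketName: !Ref QSS3BucketName
        QSS3KeyPrefix: !Sub '${QSS3KeyPrefix}submodules/quickstart-linux-bastion/'
        RemoteAccessCIDR: !Ref AccessCIDR
        VPCID: !GetAtt VPCStack.Outputs.VPCID

Outputs:
  PrivateSubnet1ACIDR:
    Value: !Ref PrivateSubnet1CIDR
  PrivateSubnet2ACIDR:
    Value: !Ref PrivateSubnet2CIDR
  PrivateSubnet3ACIDR:
    Value: !Ref PrivateSubnet3CIDR
  PublicSubnet1CIDR:
    Value: !Ref PublicSubnet1CIDR
  PublicSubnet2CIDR:
    Value: !Ref PublicSubnet2CIDR
  PublicSubnet3CIDR:
    Value: !Ref PublicSubnet3CIDR
  VPCCIDR:
    Value: !Ref VPCCIDR
  VPCID:
    Value: !GetAtt VPCStack.Outputs.VPCID
  # Presumably consumed by the cluster stack as the only permitted SSH source
  # for the Nomad nodes — confirm against the cluster template.
  BastionSecurityGroupID:
    Value: !GetAtt BastionStack.Outputs.BastionSecurityGroupID
--------------------------------------------------------------------------------
/LICENSE.txt:
--------------------------------------------------------------------------------
                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/

   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

   1. Definitions.

      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.

      "Licensor" shall mean the copyright owner or entity authorized by
      the copyright owner that is granting the License.

      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.

      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.

      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.

      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.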
34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. 
Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "{}" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright {yyyy} {name of copyright owner} 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | 203 | -------------------------------------------------------------------------------- /templates/copy-lambdas.template.yaml: -------------------------------------------------------------------------------- 1 | AWSTemplateFormatVersion: '2010-09-09' 2 | Description: >- 3 | This template creates an S3 bucket in the same region where the stack is 4 | launched and copy the Lambda functions code from original bucket to the new 5 | bucket. (qs-1nae6brn2) 6 | Metadata: 7 | 'AWS::CloudFormation::Interface': 8 | ParameterGroups: 9 | - Label: {default: "AWS Quick Start configuration"} 10 | Parameters: 11 | - QSS3BucketName 12 | - QSS3KeyPrefix 13 | ParameterLabels: 14 | QSS3BucketName: 15 | default: Quick Start S3 bucket name 16 | QSS3KeyPrefix: 17 | default: Quick Start S3 key prefix 18 | Parameters: 19 | QSS3BucketName: 20 | AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$ 21 | ConstraintDescription: >- 22 | S3 bucket name can include numbers, lowercase letters, uppercase letters, 23 | and hyphens (-). It cannot start or end with a hyphen (-). 
24 | Default: aws-quickstart 25 | Description: >- 26 | Alphanumeric string which identifies the S3 bucket name for the Quick 27 | Start assets. It's the bucket to store the copy of the Quick Start assets 28 | if you decided to customize or extend them for your own use. 29 | Type: String 30 | QSS3KeyPrefix: 31 | AllowedPattern: ^[0-9a-zA-Z-/._]*$ 32 | ConstraintDescription: >- 33 | S3 key prefix can include numbers, lowercase letters, uppercase letters, 34 | hyphens (-), and forward slash (/). 35 | Default: quickstart-codepipeline-bluegreen-deployment/ 36 | Description: >- 37 | Alphanumeric string which identifies the S3 key prefix used to simulate a 38 | folder for your copy of the Quick Start assets if you decided to customize 39 | or extend them for your own use. 40 | Type: String 41 | Resources: 42 | CopyObjects: 43 | Properties: 44 | ServiceToken: !GetAtt CopyObjectsFunction.Arn 45 | DestBucket: 46 | Ref: LambdaZipsBucket 47 | Objects: 48 | - functions/packages/ACMCert/lambda.zip 49 | SourceBucket: !Ref QSS3BucketName 50 | Prefix: !Ref QSS3KeyPrefix 51 | Type: AWS::CloudFormation::CustomResource 52 | CopyObjectsFunction: 53 | Properties: 54 | Code: 55 | ZipFile: | 56 | import json 57 | import logging 58 | import threading 59 | import boto3 60 | import cfnresponse 61 | 62 | def copy_objects(source_bucket, dest_bucket, prefix, objects): 63 | s3 = boto3.client('s3') 64 | for o in objects: 65 | key = prefix + o 66 | copy_source = { 67 | 'Bucket': source_bucket, 68 | 'Key': key 69 | } 70 | s3.copy_object(CopySource=copy_source, Bucket=dest_bucket, Key=key) 71 | 72 | def delete_objects(bucket): 73 | client = boto3.client('s3') 74 | print("Collecting data from" + bucket) 75 | paginator = client.get_paginator('list_object_versions') 76 | result = paginator.paginate(Bucket=bucket) 77 | objects = [] 78 | for page in result: 79 | try: 80 | for k in page['Versions']: 81 | objects.append({'Key':k['Key'],'VersionId': k['VersionId']}) 82 | try: 83 | for k in 
page['DeleteMarkers']: 84 | version = k['VersionId'] 85 | key = k['Key'] 86 | objects.append({'Key': key,'VersionId': version}) 87 | except: 88 | pass 89 | print("deleting objects") 90 | client.delete_objects(Bucket=bucket, Delete={'Objects': objects}) 91 | # objects = [] 92 | except: 93 | pass 94 | print("bucket already empty") 95 | 96 | def timeout(event, context): 97 | logging.error('Execution is about to time out, sending failure response to CloudFormation') 98 | cfnresponse.send(event, context, cfnresponse.FAILED, {}, None) 99 | 100 | def handler(event, context): 101 | # make sure we send a failure to CloudFormation if the function is going to timeout 102 | timer = threading.Timer((context.get_remaining_time_in_millis() / 1000.00) - 0.5, timeout, args=[event, context]) 103 | timer.start() 104 | 105 | print('Received event: %s' % json.dumps(event)) 106 | status = cfnresponse.SUCCESS 107 | try: 108 | source_bucket = event['ResourceProperties']['SourceBucket'] 109 | dest_bucket = event['ResourceProperties']['DestBucket'] 110 | prefix = event['ResourceProperties']['Prefix'] 111 | objects = event['ResourceProperties']['Objects'] 112 | if event['RequestType'] == 'Delete': 113 | delete_objects(dest_bucket) 114 | else: 115 | copy_objects(source_bucket, dest_bucket, prefix, objects) 116 | except Exception as e: 117 | logging.error('Exception: %s' % e, exc_info=True) 118 | status = cfnresponse.FAILED 119 | finally: 120 | timer.cancel() 121 | cfnresponse.send(event, context, status, {}, None) 122 | Description: Copies objects from a source S3 bucket to a destination S3 bucket 123 | Handler: index.handler 124 | Role: !GetAtt CopyObjectsRole.Arn 125 | Runtime: python3.8 126 | Timeout: 240 127 | Type: AWS::Lambda::Function 128 | CopyObjectsRole: 129 | Properties: 130 | AssumeRolePolicyDocument: 131 | Statement: 132 | - Action: sts:AssumeRole 133 | Effect: Allow 134 | Principal: 135 | Service: lambda.amazonaws.com 136 | Version: '2012-10-17' 137 | ManagedPolicyArns: 138 | - 
!Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole 139 | Path: / 140 | Policies: 141 | - PolicyDocument: 142 | Statement: 143 | - Action: 144 | - s3:GetObject 145 | Effect: Allow 146 | Resource: 147 | - !Sub arn:${AWS::Partition}:s3:::${QSS3BucketName}/${QSS3KeyPrefix}* 148 | - Action: 149 | - s3:PutObject 150 | - s3:DeleteObject 151 | - s3:GetObject 152 | - s3:ListBucket 153 | - s3:ListBucketVersions 154 | - s3:DeleteObjectVersion 155 | - s3:GetObjectVersion 156 | - s3:GetBucketVersioning 157 | Effect: Allow 158 | Resource: 159 | - !Sub arn:${AWS::Partition}:s3:::${LambdaZipsBucket}/${QSS3KeyPrefix}* 160 | - !Sub arn:${AWS::Partition}:s3:::${LambdaZipsBucket} 161 | Version: '2012-10-17' 162 | PolicyName: object-copier 163 | Type: AWS::IAM::Role 164 | LambdaZipsBucket: 165 | Properties: 166 | Tags: [] 167 | BucketEncryption: 168 | ServerSideEncryptionConfiguration: 169 | - ServerSideEncryptionByDefault: 170 | SSEAlgorithm: AES256 171 | PublicAccessBlockConfiguration: 172 | BlockPublicAcls: true 173 | BlockPublicPolicy: true 174 | IgnorePublicAcls: true 175 | RestrictPublicBuckets: true 176 | VersioningConfiguration: 177 | Status: Enabled 178 | Type: AWS::S3::Bucket 179 | CleanUpS3Bucket: 180 | Properties: 181 | DestBucket: 182 | Ref: LambdaZipsBucket 183 | ServiceToken: !GetAtt CleanUpS3BucketFunction.Arn 184 | Type: AWS::CloudFormation::CustomResource 185 | CleanUpS3BucketFunction: 186 | Properties: 187 | Code: 188 | ZipFile: | 189 | import json 190 | import logging 191 | import threading 192 | import boto3 193 | import cfnresponse 194 | client = boto3.client('s3') 195 | 196 | def delete_NonVersionedobjects(bucket): 197 | print("Collecting data from" + bucket) 198 | paginator = client.get_paginator('list_objects_v2') 199 | result = paginator.paginate(Bucket=bucket) 200 | objects = [] 201 | for page in result: 202 | try: 203 | for k in page['Contents']: 204 | objects.append({'Key': k['Key']}) 205 | print("deleting objects") 206 | 
client.delete_objects(Bucket=bucket, Delete={'Objects': objects}) 207 | objects = [] 208 | except: 209 | pass 210 | print("bucket is already empty") 211 | 212 | def delete_versionedobjects(bucket): 213 | print("Collecting data from" + bucket) 214 | paginator = client.get_paginator('list_object_versions') 215 | result = paginator.paginate(Bucket=bucket) 216 | objects = [] 217 | for page in result: 218 | try: 219 | for k in page['Versions']: 220 | objects.append({'Key':k['Key'],'VersionId': k['VersionId']}) 221 | try: 222 | for k in page['DeleteMarkers']: 223 | version = k['VersionId'] 224 | key = k['Key'] 225 | objects.append({'Key': key,'VersionId': version}) 226 | except: 227 | pass 228 | print("deleting objects") 229 | client.delete_objects(Bucket=bucket, Delete={'Objects': objects}) 230 | # objects = [] 231 | except: 232 | pass 233 | print("bucket already empty") 234 | 235 | def timeout(event, context): 236 | logging.error('Execution is about to time out, sending failure response to CloudFormation') 237 | cfnresponse.send(event, context, cfnresponse.FAILED, {}, None) 238 | 239 | def handler(event, context): 240 | # make sure we send a failure to CloudFormation if the function is going to timeout 241 | timer = threading.Timer((context.get_remaining_time_in_millis() / 1000.00) - 0.5, timeout, args=[event, context]) 242 | timer.start() 243 | 244 | print('Received event: %s' % json.dumps(event)) 245 | status = cfnresponse.SUCCESS 246 | try: 247 | dest_bucket = event['ResourceProperties']['DestBucket'] 248 | if event['RequestType'] == 'Delete': 249 | CheckifVersioned = client.get_bucket_versioning(Bucket=dest_bucket) 250 | print (CheckifVersioned) 251 | if 'Status' in CheckifVersioned: 252 | print (CheckifVersioned['Status']) 253 | print ("This is a versioned Bucket") 254 | delete_versionedobjects(dest_bucket) 255 | else: 256 | print ("This is not a versioned bucket") 257 | delete_NonVersionedobjects(dest_bucket) 258 | else: 259 | print("Nothing to do") 260 | except 
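Exception as e:
                logging.error('Exception: %s' % e, exc_info=True)
                status = cfnresponse.FAILED
            finally:
                # Always stop the watchdog timer and answer CloudFormation exactly once;
                # a missing response leaves the stack operation hanging until it times out.
                timer.cancel()
                cfnresponse.send(event, context, status, {}, None)
      Description: Empty the S3 Bucket
      Handler: index.handler
      Role: !GetAtt S3CleanUpRole.Arn
      Runtime: python3.8
      Timeout: 240
    Type: AWS::Lambda::Function
  # Execution role for CleanUpS3BucketFunction. The function only ever operates on
  # DestBucket, which the CleanUpS3Bucket custom resource wires to LambdaZipsBucket,
  # so the policy is scoped to that bucket and its objects and to the S3 calls the
  # code actually makes (list_objects_v2, list_object_versions, get_bucket_versioning,
  # delete_objects).
  S3CleanUpRole:
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
        Version: '2012-10-17'
      ManagedPolicyArns:
        - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Path: /
      Policies:
        - PolicyDocument:
            Statement:
              # Bucket-level actions: plain and versioned listing, plus reading the
              # versioning status that selects the delete path.
              - Action:
                  - s3:ListBucket
                  - s3:ListBucketVersions
                  - s3:GetBucketVersioning
                Effect: Allow
                Resource:
                  - !GetAtt LambdaZipsBucket.Arn
              # Object-level actions: delete current objects, specific versions and
              # delete markers. This statement previously also granted
              # s3:PutObject/s3:GetObject/s3:GetObjectVersion (never used by the
              # function) and used Resource arn:${AWS::Partition}:s3:::*, which let
              # the role delete objects in every bucket in the account.
              - Action:
                  - s3:DeleteObject
                  - s3:DeleteObjectVersion
                Effect: Allow
                Resource:
                  - !Sub '${LambdaZipsBucket.Arn}/*'
            Version: '2012-10-17'
          PolicyName: Empty-bucket
    Type: AWS::IAM::Role
Outputs:
  LambdaZipsBucket:
    Description: S3 Bucket for the Lambda Function Code
    Value:
      Ref: LambdaZipsBucket

-------------------------------------------------------------------------------- /templates/quickstart-hashicorp-nomad-master.template.yaml: --------------------------------------------------------------------------------
AWSTemplateFormatVersion: 2010-09-09
Description: 'HashiCorp Nomad + VPC Aug,28,2019 (qs-1nae6brn2)'
Metadata:
  LintSpellExclude:
    - datacenter
    - xxxxxxxx
  SentenceCaseExclude:
    - Nomad
    - Consul
  QuickStartDocumentation:
    EntrypointName: "Launch into a new VPC"
  LICENSE: 'Apache License, Version 2.0'
  'AWS::CloudFormation::Interface':
    ParameterGroups:
      -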
Label: 16 | default: "VPC network configuration" 17 | Parameters: 18 | - AvailabilityZones 19 | - VPCCIDR 20 | - PrivateSubnet1CIDR 21 | - PrivateSubnet2CIDR 22 | - PrivateSubnet3CIDR 23 | - PublicSubnet1CIDR 24 | - PublicSubnet2CIDR 25 | - PublicSubnet3CIDR 26 | - Label: 27 | default: "Access configuration" 28 | Parameters: 29 | - AccessCIDR 30 | - KeyPairName 31 | - Label: 32 | default: "Consul cluster configuration" 33 | Parameters: 34 | - CreateConsulCluster 35 | - ConsulServerInstanceType 36 | - ConsulServerNodeCount 37 | - EnableConsulServiceMesh 38 | - Label: 39 | default: "Nomad cluster setup" 40 | Parameters: 41 | - NomadServerInstanceType 42 | - NomadServerNodeCount 43 | - NomadClientInstanceType 44 | - NomadClientNodeCount 45 | - Label: 46 | default: "DNS and SSL configuration" 47 | Parameters: 48 | - LoadBalancerFQDN 49 | - HostedZoneID 50 | - SSLCertificateArn 51 | - Label: 52 | default: "AWS Quick Start configuration" 53 | Parameters: 54 | - QSS3BucketName 55 | - QSS3KeyPrefix 56 | ParameterLabels: 57 | AccessCIDR: 58 | default: Permitted IP range 59 | AvailabilityZones: 60 | default: Availability Zones 61 | KeyPairName: 62 | default: Key name 63 | PrivateSubnet1CIDR: 64 | default: Private Subnet 1 CIDR 65 | PrivateSubnet2CIDR: 66 | default: Private Subnet 2 CIDR 67 | PrivateSubnet3CIDR: 68 | default: Private Subnet 3 CIDR 69 | PublicSubnet1CIDR: 70 | default: Public Subnet 1 CIDR 71 | PublicSubnet2CIDR: 72 | default: Public Subnet 2 CIDR 73 | PublicSubnet3CIDR: 74 | default: Public Subnet 3 CIDR 75 | QSS3BucketName: 76 | default: Quick Start S3 bucket name 77 | QSS3KeyPrefix: 78 | default: Quick Start S3 key prefix 79 | VPCCIDR: 80 | default: VPC CIDR 81 | SSLCertificateArn: 82 | default: SSL certificate ARN 83 | HostedZoneID: 84 | default: Route 53 hosted zone ID 85 | LoadBalancerFQDN: 86 | default: Load balancer FQDN 87 | CreateConsulCluster: 88 | default: Create Consul cluster 89 | ConsulServerInstanceType: 90 | default: Consul server node 
instance type 91 | ConsulServerNodeCount: 92 | default: Number of Consul server nodes 93 | NomadServerInstanceType: 94 | default: Nomad server node instance type 95 | NomadServerNodeCount: 96 | default: Number of Nomad server nodes 97 | NomadClientInstanceType: 98 | default: Nomad client node instance type 99 | NomadClientNodeCount: 100 | default: Number of Nomad client nodes 101 | EnableConsulServiceMesh: 102 | default: Enable Consul service mesh 103 | 104 | Parameters: 105 | AvailabilityZones: 106 | Description: >- 107 | List of Availability Zones to use for the subnets in the VPC. 108 | Note: the logical order is preserved; three Availability 109 | Zones (AZs) are used for this deployment. 110 | Type: 'List' 111 | AccessCIDR: 112 | AllowedPattern: >- 113 | ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ 114 | Description: >- 115 | The CIDR IP range that is permitted to reach the bastion host used to administer the Nomad cluster (this template passes it to the bastion stack as RemoteAccessCIDR). Note: a value of 116 | 0.0.0.0/0 will allow access from ANY IP address and is not recommended; restrict it to the address range you administer from. 117 | Type: String 118 | CreateConsulCluster: 119 | Description: Create a Consul cluster to support this Nomad cluster. 120 | Type: String 121 | Default: "true" 122 | AllowedValues: 123 | - "true" 124 | - "false" 125 | ConsulServerNodeCount: 126 | Type: String 127 | Description: The number of Consul server nodes that will be created. You can choose 1, 3, 5, or 7 nodes, leave empty for none. 128 | AllowedValues: 129 | - "" 130 | - "1" 131 | - "3" 132 | - "5" 133 | - "7" 134 | Default: "3" 135 | ConsulServerInstanceType: 136 | Type: String 137 | Description: The EC2 instance type for the Consul instances.
138 | AllowedValues: 139 | - t2.micro 140 | - t2.small 141 | - t2.medium 142 | - t2.large 143 | - t3.micro 144 | - t3.small 145 | - t3.medium 146 | - t3.large 147 | - m5.large 148 | - m5.xlarge 149 | - m5.2xlarge 150 | - m4.large 151 | - m4.xlarge 152 | - m3.medium 153 | - m3.large 154 | - m3.xlarge 155 | - m3.2xlarge 156 | - c4.large 157 | - c4.xlarge 158 | - c4.2xlarge 159 | - c4.4xlarge 160 | - c4.8xlarge 161 | - c3.large 162 | - c3.xlarge 163 | - c3.2xlarge 164 | - c3.4xlarge 165 | - c3.8xlarge 166 | - r3.large 167 | - r3.xlarge 168 | - r3.2xlarge 169 | - r3.4xlarge 170 | - r3.8xlarge 171 | - i2.xlarge 172 | - i2.2xlarge 173 | - i2.4xlarge 174 | - i2.8xlarge 175 | ConstraintDescription: Choose an instance type. 176 | Default: m5.large 177 | EnableConsulServiceMesh: 178 | Description: Enable Consul service mesh for the Nomad cluster. 179 | Type: String 180 | Default: "true" 181 | AllowedValues: 182 | - "true" 183 | - "false" 184 | NomadServerInstanceType: 185 | Type: String 186 | Default: m5.large 187 | Description: The EC2 instance type for the Nomad instances. 188 | AllowedValues: 189 | - t2.micro 190 | - t2.small 191 | - t2.medium 192 | - t2.large 193 | - t3.micro 194 | - t3.small 195 | - t3.medium 196 | - t3.large 197 | - m5.large 198 | - m5.xlarge 199 | - m4.xlarge 200 | - m4.large 201 | - m4.xlarge 202 | - m3.medium 203 | - m3.large 204 | - m3.xlarge 205 | - m3.2xlarge 206 | - c4.large 207 | - c4.xlarge 208 | - c4.2xlarge 209 | - c4.4xlarge 210 | - c4.8xlarge 211 | - c3.large 212 | - c3.xlarge 213 | - c3.2xlarge 214 | - c3.4xlarge 215 | - c3.8xlarge 216 | - r3.large 217 | - r3.xlarge 218 | - r3.2xlarge 219 | - r3.4xlarge 220 | - r3.8xlarge 221 | - i2.xlarge 222 | - i2.2xlarge 223 | - i2.4xlarge 224 | - i2.8xlarge 225 | ConstraintDescription: Choose an instance type. m3.medium or larger recommended. 226 | NomadServerNodeCount: 227 | Type: String 228 | Description: The number of Nomad server nodes that will be created. You can choose 3, 5, or 7 nodes. 
229 | AllowedValues: 230 | - "1" 231 | - "3" 232 | - "5" 233 | - "7" 234 | Default: "3" 235 | NomadClientInstanceType: 236 | Type: String 237 | Default: m5.large 238 | Description: The EC2 instance type for the Nomad instances. 239 | AllowedValues: 240 | - t2.micro 241 | - t2.small 242 | - t2.medium 243 | - t2.large 244 | - t3.micro 245 | - t3.small 246 | - t3.medium 247 | - t3.large 248 | - m5.large 249 | - m5.xlarge 250 | - m4.xlarge 251 | - m4.large 252 | - m4.xlarge 253 | - m3.medium 254 | - m3.large 255 | - m3.xlarge 256 | - m3.2xlarge 257 | - c4.large 258 | - c4.xlarge 259 | - c4.2xlarge 260 | - c4.4xlarge 261 | - c4.8xlarge 262 | - c3.large 263 | - c3.xlarge 264 | - c3.2xlarge 265 | - c3.4xlarge 266 | - c3.8xlarge 267 | - r3.large 268 | - r3.xlarge 269 | - r3.2xlarge 270 | - r3.4xlarge 271 | - r3.8xlarge 272 | - i2.xlarge 273 | - i2.2xlarge 274 | - i2.4xlarge 275 | - i2.8xlarge 276 | ConstraintDescription: Choose an instance type. m3.medium or larger recommended. 277 | NomadClientNodeCount: 278 | Type: String 279 | Description: The number of Nomad client nodes that will be created. 280 | Default: "3" 281 | KeyPairName: 282 | Description: >- 283 | Public/private key pairs allow you to securely connect to your instance 284 | after it launches. 285 | Type: 'AWS::EC2::KeyPair::KeyName' 286 | #MinLength: 1 287 | PrivateSubnet1CIDR: 288 | AllowedPattern: >- 289 | ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ 290 | Default: 10.0.0.0/19 291 | Description: CIDR block for private subnet 1 located in Availability Zone 1. 292 | Type: String 293 | PrivateSubnet2CIDR: 294 | AllowedPattern: >- 295 | ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ 296 | Default: 10.0.32.0/19 297 | Description: CIDR block for private subnet 2 located in Availability Zone 2. 
298 | Type: String 299 | PrivateSubnet3CIDR: 300 | AllowedPattern: >- 301 | ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ 302 | Default: 10.0.64.0/19 303 | Description: CIDR block for private subnet 3 located in Availability Zone 3. 304 | Type: String 305 | PublicSubnet1CIDR: 306 | AllowedPattern: >- 307 | ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ 308 | Default: 10.0.128.0/20 309 | Description: CIDR block for the public DMZ subnet 1 located in Availability Zone 1. 310 | Type: String 311 | PublicSubnet2CIDR: 312 | AllowedPattern: >- 313 | ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ 314 | Default: 10.0.144.0/20 315 | Description: CIDR block for the public DMZ subnet 2 located in Availability Zone 2. 316 | Type: String 317 | PublicSubnet3CIDR: 318 | AllowedPattern: >- 319 | ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ 320 | Default: 10.0.160.0/20 321 | Description: CIDR block for the public DMZ subnet 3 located in Availability Zone 3. 322 | Type: String 323 | QSS3BucketName: 324 | AllowedPattern: '^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$' 325 | ConstraintDescription: >- 326 | Quick Start bucket name can include numbers, lowercase letters, uppercase 327 | letters, and hyphens (-). It cannot start or end with a hyphen (-). 328 | Default: aws-quickstart 329 | Description: >- 330 | S3 bucket name for the Quick Start assets. Quick Start bucket name can 331 | include numbers, lowercase letters, uppercase letters, and hyphens (-). It 332 | cannot start or end with a hyphen (-). 
333 | Type: String 334 | QSS3KeyPrefix: 335 | AllowedPattern: '^[0-9a-zA-Z-/]*$' 336 | ConstraintDescription: >- 337 | Quick Start key prefix can include numbers, lowercase letters, uppercase 338 | letters, hyphens (-), and forward slash (/). 339 | Default: quickstart-hashicorp-nomad/ 340 | Description: >- 341 | S3 key prefix for the Quick Start assets. Quick Start key prefix can 342 | include numbers, lowercase letters, uppercase letters, hyphens (-), and 343 | forward slash (/). 344 | Type: String 345 | VPCCIDR: 346 | AllowedPattern: >- 347 | ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ 348 | Default: 10.0.0.0/16 349 | Description: CIDR block for the VPC. 350 | Type: String 351 | SSLCertificateArn: 352 | Description: The Amazon resource name (ARN) of the SSL certificate to use for the load balancer. Use 'SSLCertificateArn' if you are not using 'LoadBalancerFQDN' and 'HostedZoneID'. 353 | Type: String 354 | Default: '' 355 | HostedZoneID: 356 | Description: Route 53 Hosted Zone ID of the domain name. Used in conjunction with 'LoadBalancerFQDN'. 357 | Type: String 358 | MaxLength: 32 359 | Default: '' 360 | LoadBalancerFQDN: 361 | Description: The fully qualified domain name for the load balancer. Use together with 'HostedZoneID' when you are not supplying your own 'SSLCertificateArn'; the two options are alternatives, so set one or the other, not both.
362 | Type: String 363 | Default: '' 364 | 365 | Conditions: 366 | # GovCloudCondition: !Equals [!Ref AWS::Region, "us-gov-west-1" ] 367 | SetupRoute53: !And 368 | - !Not [!Equals [!Ref HostedZoneID, '']] 369 | - !Not [!Equals [!Ref 'LoadBalancerFQDN', '']] 370 | DeployConsul: !Equals [!Ref 'CreateConsulCluster', 'true'] 371 | 372 | Resources: 373 | VPCStack: 374 | Type: 'AWS::CloudFormation::Stack' 375 | Properties: 376 | TemplateURL: !Sub >- 377 | https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}submodules/quickstart-aws-vpc/templates/aws-vpc.template.yaml 378 | Parameters: 379 | AvailabilityZones: !Join [",", !Ref AvailabilityZones ] 380 | NumberOfAZs: '3' 381 | PrivateSubnet1ACIDR: !Ref PrivateSubnet1CIDR 382 | PrivateSubnet2ACIDR: !Ref PrivateSubnet2CIDR 383 | PrivateSubnet3ACIDR: !Ref PrivateSubnet3CIDR 384 | PublicSubnet1CIDR: !Ref PublicSubnet1CIDR 385 | PublicSubnet2CIDR: !Ref PublicSubnet2CIDR 386 | PublicSubnet3CIDR: !Ref PublicSubnet3CIDR 387 | VPCCIDR: !Ref VPCCIDR 388 | 389 | BastionStack: 390 | Type: 'AWS::CloudFormation::Stack' 391 | Properties: 392 | TemplateURL: !Sub >- 393 | https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}submodules/quickstart-linux-bastion/templates/linux-bastion.template 394 | Parameters: 395 | BastionAMIOS: Ubuntu-Server-20.04-LTS-HVM 396 | BastionInstanceType: 't3.medium' 397 | KeyPairName: !Ref KeyPairName 398 | PublicSubnet1ID: !GetAtt VPCStack.Outputs.PublicSubnet1ID 399 | PublicSubnet2ID: !GetAtt VPCStack.Outputs.PublicSubnet2ID 400 | QSS3BucketName: !Ref QSS3BucketName 401 | QSS3KeyPrefix: !Sub '${QSS3KeyPrefix}submodules/quickstart-linux-bastion/' 402 | RemoteAccessCIDR: !Ref AccessCIDR 403 | VPCID: !GetAtt VPCStack.Outputs.VPCID 404 | 405 | HashiCorpNomadClusterStack: 406 | Type: 'AWS::CloudFormation::Stack' 407 | Properties: 408 | TemplateURL: !Sub >- 409 | https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}templates/quickstart-hashicorp-nomad-cluster.template.yaml 410 | 411 | Parameters: 
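BastionSecurityGroupID: !GetAtt BastionStack.Outputs.BastionSecurityGroupID
        PrivateSubnet1ID: !GetAtt VPCStack.Outputs.PrivateSubnet1AID
        PrivateSubnet2ID: !GetAtt VPCStack.Outputs.PrivateSubnet2AID
        PrivateSubnet3ID: !GetAtt VPCStack.Outputs.PrivateSubnet3AID
        PublicSubnet1ID: !GetAtt VPCStack.Outputs.PublicSubnet1ID
        PublicSubnet2ID: !GetAtt VPCStack.Outputs.PublicSubnet2ID
        PublicSubnet3ID: !GetAtt VPCStack.Outputs.PublicSubnet3ID
        VPCID: !GetAtt VPCStack.Outputs.VPCID
        VPCCIDR: !Ref VPCCIDR
        KeyPairName: !Ref KeyPairName
        CreateConsulCluster: !Ref CreateConsulCluster
        ConsulServerInstanceType: !Ref ConsulServerInstanceType
        ConsulServerNodeCount: !Ref ConsulServerNodeCount
        # Forward the service-mesh flag only when a Consul cluster is being deployed.
        # The "omit" branch must be `!Ref AWS::NoValue`: a bare `AWS::NoValue` is not
        # the pseudo parameter but the literal string "AWS::NoValue", which would be
        # handed to the nested stack as the parameter value.
        EnableConsulServiceMesh: !If [DeployConsul, !Ref EnableConsulServiceMesh, !Ref AWS::NoValue]
        NomadServerInstanceType: !Ref NomadServerInstanceType
        NomadServerNodeCount: !Ref NomadServerNodeCount
        NomadClientInstanceType: !Ref NomadClientInstanceType
        NomadClientNodeCount: !Ref NomadClientNodeCount
        QSS3BucketName: !Ref QSS3BucketName
        QSS3KeyPrefix: !Ref QSS3KeyPrefix
        SSLCertificateArn: !Ref SSLCertificateArn
        HostedZoneID: !Ref HostedZoneID
        LoadBalancerFQDN: !Ref LoadBalancerFQDN

Outputs:

  NomadServerALB:
    Description:
      The public URL of your Nomad Load Balancer. Create a CNAME record pointing
      at this Load Balancer.
    Value: !GetAtt HashiCorpNomadClusterStack.Outputs.NomadServerALB

  ConsulServerALB:
    Condition: DeployConsul
    Description:
      The public URL of your Consul Load Balancer. Create a CNAME record pointing
      at this Load Balancer.
    Value: !GetAtt HashiCorpNomadClusterStack.Outputs.ConsulServerALB

  NomadServerFQDN:
    Condition: SetupRoute53
    Description: The public CNAME pointing to your Nomad Load Balancer.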
454 | Value: !GetAtt HashiCorpNomadClusterStack.Outputs.NomadServerFQDN 455 | -------------------------------------------------------------------------------- /templates/quickstart-hashicorp-nomad-cluster.template.yaml: -------------------------------------------------------------------------------- 1 | AWSTemplateFormatVersion: 2010-09-09 2 | Description: "HashiCorp Nomad (Please do not remove) Aug,28,2019 (qs-1nae6brn2)" 3 | Metadata: 4 | LintSpellExclude: 5 | - datacenter 6 | - xxxxxxxx 7 | SentenceCaseExclude: 8 | - Nomad 9 | - Consul 10 | QuickStartDocumentation: 11 | EntrypointName: "Launch into an existing VPC" 12 | LICENSE: "Apache License, Version 2.0" 13 | 'AWS::CloudFormation::Interface': 14 | ParameterGroups: 15 | - Label: {default: "VPC network configuration"} 16 | Parameters: 17 | - VPCID 18 | - VPCCIDR 19 | - PrivateSubnet1ID 20 | - PrivateSubnet2ID 21 | - PrivateSubnet3ID 22 | - PublicSubnet1ID 23 | - PublicSubnet2ID 24 | - PublicSubnet3ID 25 | - Label: {default: "Bastion and SSH access"} 26 | Parameters: 27 | - KeyPairName 28 | - BastionSecurityGroupID 29 | - Label: {default: "Consul cluster setup"} 30 | Parameters: 31 | - CreateConsulCluster 32 | - ConsulServerInstanceType 33 | - ConsulServerNodeCount 34 | # - ConsulServerAMIOS 35 | - ConsulEc2RetryTagKey 36 | - ConsulEc2RetryTagValue 37 | - ConsulDatacenter 38 | - Label: {default: "Nomad cluster setup"} 39 | Parameters: 40 | - NomadServerInstanceType 41 | - NomadServerNodeCount 42 | # - NomadServerAMIOS 43 | - NomadClientInstanceType 44 | - NomadClientNodeCount 45 | # - NomadClientAMIOS 46 | - NomadEc2RetryTagKey 47 | - NomadEc2RetryTagValue 48 | - NomadDatacenter 49 | - EnableConsulServiceMesh 50 | - EnableRawExecDriver 51 | - Label: {default: "DNS and SSL configuration"} 52 | Parameters: 53 | - LoadBalancerFQDN 54 | - HostedZoneID 55 | - SSLCertificateArn 56 | - Label: {default: "AWS Quick Start configuration"} 57 | Parameters: 58 | - QSS3BucketName 59 | - QSS3KeyPrefix 60 | ParameterLabels: 61 
| PrivateSubnet1ID: 62 | default: Private Subnet 1 ID 63 | PrivateSubnet2ID: 64 | default: Private Subnet 2 ID 65 | PrivateSubnet3ID: 66 | default: Private Subnet 3 ID 67 | PublicSubnet1ID: 68 | default: Public Subnet 1 ID 69 | PublicSubnet2ID: 70 | default: Public Subnet 2 ID 71 | PublicSubnet3ID: 72 | default: Public Subnet 3 ID 73 | VPCID: 74 | default: VPC ID 75 | VPCCIDR: 76 | default: VPC CIDR block 77 | 78 | KeyPairName: 79 | default: Key name 80 | BastionSecurityGroupID: 81 | default: Bastion host security group ID 82 | 83 | CreateConsulCluster: 84 | default: Deploy a Consul cluster for this Nomad cluster 85 | ConsulServerInstanceType: 86 | default: Consul server node instance type 87 | ConsulServerNodeCount: 88 | default: Number of Consul server nodes 89 | # ConsulServerAMIOS: 90 | # default: Operating system for Nomad server nodes 91 | ConsulEc2RetryTagKey: 92 | default: Tag key for Consul cluster nodes 93 | ConsulEc2RetryTagValue: 94 | default: Tag value for Consul cluster nodes 95 | ConsulDatacenter: 96 | default: "Consul Config: datacenter" 97 | 98 | NomadServerInstanceType: 99 | default: Nomad server node instance type 100 | NomadServerNodeCount: 101 | default: Number of Nomad server nodes 102 | # NomadServerAMIOS: 103 | # default: Operating system for Nomad server nodes 104 | NomadClientInstanceType: 105 | default: Nomad client node instance type 106 | NomadClientNodeCount: 107 | default: Number of Nomad client nodes 108 | # NomadClientAMIOS: 109 | # default: Operating system for Nomad client nodes 110 | NomadEc2RetryTagKey: 111 | default: Tag key for Nomad cluster nodes 112 | NomadEc2RetryTagValue: 113 | default: Tag value for Nomad cluster nodes 114 | NomadDatacenter: 115 | default: "Nomad Config: datacenter" 116 | EnableConsulServiceMesh: 117 | default: Enable Consul service mesh for Nomad cluster 118 | EnableRawExecDriver: 119 | default: Enable raw_exec driver on Nomad clients. 
120 | 121 | 122 | SSLCertificateArn: 123 | default: SSL certificate ARN 124 | HostedZoneID: 125 | default: Route 53 hosted zone ID 126 | LoadBalancerFQDN: 127 | default: Load balancer FQDN 128 | 129 | QSS3BucketName: 130 | default: Quick Start S3 bucket name 131 | QSS3KeyPrefix: 132 | default: Quick Start S3 key prefix 133 | 134 | Parameters: 135 | PrivateSubnet1ID: 136 | Description: "ID of the private subnet 1 in Availability Zone 1 (e.g., subnet-0bfd0f545bb088d9d)." 137 | Type: "AWS::EC2::Subnet::Id" 138 | 139 | PrivateSubnet2ID: 140 | Description: "ID of the private subnet 2 in Availability Zone 2 (e.g., subnet-0bfd0f545bb088d9d)." 141 | Type: "AWS::EC2::Subnet::Id" 142 | 143 | PrivateSubnet3ID: 144 | Description: "ID of the private subnet 3 in Availability Zone 3 (e.g., subnet-0bfd0f545bb088d9d)." 145 | Type: "AWS::EC2::Subnet::Id" 146 | 147 | PublicSubnet1ID: 148 | Description: "ID of the public subnet 1 in Availability Zone 1 (e.g., subnet-0bfd0f545bb088d9d)." 149 | Type: "AWS::EC2::Subnet::Id" 150 | 151 | PublicSubnet2ID: 152 | Description: "ID of the public subnet 2 in Availability Zone 2 (e.g., subnet-0bfd0f545bb088d9d)." 153 | Type: "AWS::EC2::Subnet::Id" 154 | 155 | PublicSubnet3ID: 156 | Description: "ID of the public subnet 3 in Availability Zone 3 (e.g., subnet-0bfd0f545bb088d9d)." 157 | Type: "AWS::EC2::Subnet::Id" 158 | 159 | QSS3BucketName: 160 | AllowedPattern: "^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$" 161 | ConstraintDescription: >- 162 | Quick Start bucket name can include numbers, lowercase letters, uppercase 163 | letters, and hyphens (-). It cannot start or end with a hyphen (-). 164 | Default: "aws-quickstart" 165 | Description: >- 166 | S3 bucket name for the Quick Start assets. Quick Start bucket name can 167 | include numbers, lowercase letters, uppercase letters, and hyphens (-). It 168 | cannot start or end with a hyphen (-). 
169 | Type: String 170 | 171 | QSS3KeyPrefix: 172 | AllowedPattern: "^[0-9a-zA-Z-/]*$" 173 | ConstraintDescription: >- 174 | Quick Start key prefix can include numbers, lowercase letters, uppercase 175 | letters, hyphens (-), and forward slash (/). 176 | Default: "quickstart-hashicorp-nomad/" 177 | Description: >- 178 | S3 key prefix for the Quick Start assets. Quick Start key prefix can 179 | include numbers, lowercase letters, uppercase letters, hyphens (-), and 180 | forward slash (/). 181 | Type: String 182 | 183 | VPCID: 184 | Description: VPC ID. 185 | Type: "AWS::EC2::VPC::Id" 186 | 187 | VPCCIDR: 188 | AllowedPattern: >- 189 | ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ 190 | Description: CIDR block for the VPC. 191 | Type: String 192 | 193 | BastionSecurityGroupID: 194 | Description: ID of the bastion host security group to enable SSH connections (e.g., sg-7f16e910). 195 | Type: "AWS::EC2::SecurityGroup::Id" 196 | 197 | KeyPairName: 198 | Description: Name of an existing EC2 KeyPair to enable SSH access to the instances. 199 | Type: "AWS::EC2::KeyPair::KeyName" 200 | # MinLength: 1 201 | ConstraintDescription: Must be the name of an existing EC2 KeyPair. 202 | 203 | 204 | CreateConsulCluster: 205 | Description: Enable Consul service mesh on the Nomad server cluster. 206 | Type: String 207 | Default: "false" 208 | AllowedValues: 209 | - "true" 210 | - "false" 211 | 212 | ConsulServerInstanceType: 213 | Type: String 214 | Description: The EC2 instance type for the Consul instances. 
215 | AllowedValues: 216 | - t2.micro 217 | - t2.small 218 | - t2.medium 219 | - t2.large 220 | - t3.micro 221 | - t3.small 222 | - t3.medium 223 | - t3.large 224 | - m5.large 225 | - m5.xlarge 226 | - m5.2xlarge 227 | - m4.large 228 | - m4.xlarge 229 | - m3.medium 230 | - m3.large 231 | - m3.xlarge 232 | - m3.2xlarge 233 | - c4.large 234 | - c4.xlarge 235 | - c4.2xlarge 236 | - c4.4xlarge 237 | - c4.8xlarge 238 | - c3.large 239 | - c3.xlarge 240 | - c3.2xlarge 241 | - c3.4xlarge 242 | - c3.8xlarge 243 | - r3.large 244 | - r3.xlarge 245 | - r3.2xlarge 246 | - r3.4xlarge 247 | - r3.8xlarge 248 | - i2.xlarge 249 | - i2.2xlarge 250 | - i2.4xlarge 251 | - i2.8xlarge 252 | ConstraintDescription: Choose an instance type. 253 | Default: m5.large 254 | 255 | ConsulServerNodeCount: 256 | Type: String 257 | Description: The number of Consul server nodes that will be created. You can choose 3, 5, or 7 nodes. 258 | AllowedValues: 259 | - "" 260 | - "1" 261 | - "3" 262 | - "5" 263 | - "7" 264 | Default: "3" 265 | 266 | ConsulEc2RetryTagKey: 267 | Description: 'The EC2 instance tag key to filter on when joining to other Consul nodes.' 268 | Type: String 269 | Default: "quickstart-nomad-cluster" 270 | ConstraintDescription: 'Must match EC2 Tag Name requirements.' 271 | 272 | ConsulEc2RetryTagValue: 273 | Description: 'The EC2 instance tag value to filter on when joining to other Consul nodes.' 274 | Type: String 275 | Default: "consul-server-node" 276 | ConstraintDescription: 'Must match EC2 Tag Name requirements.' 277 | 278 | ConsulDatacenter: 279 | Description: 'The "datacenter" value to supply to the Consul configuration.' 280 | Type: String 281 | Default: "dc1" 282 | ConstraintDescription: Must be DNS-compatible name. 
283 | 284 | # ConsulServerAMIOS: 285 | # AllowedValues: 286 | # - Amazon-Linux2-HVM 287 | # - Amazon-Linux2-HVM-ARM 288 | # - CentOS-7-HVM 289 | # - Ubuntu-Server-20.04-LTS-HVM 290 | # - SUSE-SLES-15-HVM 291 | # Default: Ubuntu-Server-20.04-LTS-HVM 292 | # Description: The Linux distribution for the AMI to be used for the Consul server instances. 293 | # Type: String 294 | 295 | NomadServerInstanceType: 296 | Type: String 297 | Description: The EC2 instance type for the Nomad instances. 298 | AllowedValues: 299 | - t2.micro 300 | - t2.small 301 | - t2.medium 302 | - t2.large 303 | - t3.micro 304 | - t3.small 305 | - t3.medium 306 | - t3.large 307 | - m5.large 308 | - m5.xlarge 309 | - m5.2xlarge 310 | - m4.large 311 | - m4.xlarge 312 | - m3.medium 313 | - m3.large 314 | - m3.xlarge 315 | - m3.2xlarge 316 | - c4.large 317 | - c4.xlarge 318 | - c4.2xlarge 319 | - c4.4xlarge 320 | - c4.8xlarge 321 | - c3.large 322 | - c3.xlarge 323 | - c3.2xlarge 324 | - c3.4xlarge 325 | - c3.8xlarge 326 | - r3.large 327 | - r3.xlarge 328 | - r3.2xlarge 329 | - r3.4xlarge 330 | - r3.8xlarge 331 | - i2.xlarge 332 | - i2.2xlarge 333 | - i2.4xlarge 334 | - i2.8xlarge 335 | ConstraintDescription: Choose an instance type. 336 | Default: m5.large 337 | 338 | NomadServerNodeCount: 339 | Type: String 340 | Description: The number of Nomad server nodes that will be created. You can choose 3, 5, or 7 nodes. 341 | AllowedValues: 342 | - "1" 343 | - "3" 344 | - "5" 345 | - "7" 346 | Default: "3" 347 | 348 | # NomadServerAMIOS: 349 | # AllowedValues: 350 | # - Amazon-Linux2-HVM 351 | # - Amazon-Linux2-HVM-ARM 352 | # - CentOS-7-HVM 353 | # - Ubuntu-Server-20.04-LTS-HVM 354 | # - SUSE-SLES-15-HVM 355 | # Default: Ubuntu-Server-20.04-LTS-HVM 356 | # Description: The Linux distribution for the AMI to be used for the Nomad server instances. 357 | # Type: String 358 | 359 | NomadClientInstanceType: 360 | Type: String 361 | Description: The EC2 instance type for the Nomad instances. 
362 | AllowedValues: 363 | - t2.micro 364 | - t2.small 365 | - t2.medium 366 | - t2.large 367 | - t3.micro 368 | - t3.small 369 | - t3.medium 370 | - t3.large 371 | - m5.large 372 | - m5.xlarge 373 | - m5.2xlarge 374 | - m4.large 375 | - m4.xlarge 376 | - m3.medium 377 | - m3.large 378 | - m3.xlarge 379 | - m3.2xlarge 380 | - c4.large 381 | - c4.xlarge 382 | - c4.2xlarge 383 | - c4.4xlarge 384 | - c4.8xlarge 385 | - c3.large 386 | - c3.xlarge 387 | - c3.2xlarge 388 | - c3.4xlarge 389 | - c3.8xlarge 390 | - r3.large 391 | - r3.xlarge 392 | - r3.2xlarge 393 | - r3.4xlarge 394 | - r3.8xlarge 395 | - i2.xlarge 396 | - i2.2xlarge 397 | - i2.4xlarge 398 | - i2.8xlarge 399 | ConstraintDescription: Choose an instance type. 400 | Default: m5.large 401 | 402 | NomadClientNodeCount: 403 | Type: String 404 | Description: The number of Nomad client nodes that will be created. 405 | Default: "1" 406 | 407 | # NomadClientAMIOS: 408 | # AllowedValues: 409 | # - Amazon-Linux2-HVM 410 | # - Amazon-Linux2-HVM-ARM 411 | # - CentOS-7-HVM 412 | # - Ubuntu-Server-20.04-LTS-HVM 413 | # - SUSE-SLES-15-HVM 414 | # Default: Ubuntu-Server-20.04-LTS-HVM 415 | # Description: The Linux distribution for the AMI to be used for the Nomad client instances. 416 | # Type: String 417 | NomadEc2RetryTagKey: 418 | Description: 419 | The EC2 instance tag key to filter on when joining to other Nomad 420 | nodes. 421 | Type: String 422 | Default: "quickstart-nomad-cluster" 423 | ConstraintDescription: Must match EC2 Tag Name requirements. 424 | 425 | NomadEc2RetryTagValue: 426 | Description: 427 | The EC2 instance tag value to filter on when joining to other Nomad 428 | nodes. 429 | Type: String 430 | Default: "nomad-member-node" 431 | ConstraintDescription: Must match EC2 Tag Name requirements. 432 | 433 | NomadDatacenter: 434 | Description: 'The "datacenter" value to supply to the Nomad configuration.' 435 | Type: String 436 | Default: "dc1" 437 | ConstraintDescription: 'Must be DNS-compatible name.' 
438 | EnableRawExecDriver: 439 | Description: Enable the raw_exec task driver on the Nomad clients. 440 | Type: String 441 | Default: "false" 442 | AllowedValues: 443 | - "true" 444 | - "false" 445 | 446 | EnableConsulServiceMesh: 447 | Description: Enable Consul service mesh in the Nomad cluster. 448 | Type: String 449 | Default: "true" 450 | AllowedValues: 451 | - "true" 452 | - "false" 453 | 454 | SSLCertificateArn: 455 | Description: The Amazon resource name (ARN) of the SSL certificate to use for the load balancer. Use 'SSLCertificateArn' if you are not using 'LoadBalancerFQDN' and 'HostedZoneID'. 456 | Type: String 457 | Default: '' 458 | 459 | HostedZoneID: 460 | Description: Route 53 Hosted Zone ID of the domain name. Used in conjunction with 'LoadBalancerFQDN'. 461 | Type: String 462 | MaxLength: 32 463 | Default: '' 464 | 465 | LoadBalancerFQDN: 466 | Description: The fully qualified domain name for the nomad load balancer. Use with 'HostedZoneID' if you are not using SSL. 467 | Type: String 468 | Default: '' 469 | 470 | Conditions: 471 | # GovCloudCondition: !Equals [!Ref AWS::Region, "us-gov-west-1"] 472 | GenerateSSL: !And 473 | - !Equals [!Ref SSLCertificateArn, ''] 474 | - !Not [!Equals [!Ref LoadBalancerFQDN, '']] 475 | SetupRoute53: !And 476 | - !Not 477 | - !Equals [!Ref HostedZoneID, ''] 478 | - !Not 479 | - !Equals [!Ref LoadBalancerFQDN, ''] 480 | DeployConsul: !Equals [!Ref 'CreateConsulCluster', 'true'] 481 | 482 | Resources: 483 | ConsulSecGroup: 484 | Type: 'AWS::EC2::SecurityGroup' 485 | Condition: DeployConsul 486 | Properties: 487 | GroupDescription: 'Enables SSH access.' 
488 | VpcId: !Ref 'VPCID' 489 | SecurityGroupIngress: 490 | - IpProtocol: tcp 491 | FromPort: 22 492 | ToPort: 22 493 | SourceSecurityGroupId: !Ref BastionSecurityGroupID 494 | - IpProtocol: tcp 495 | FromPort: 0 496 | ToPort: 65535 497 | CidrIp: !Ref VPCCIDR 498 | Tags: 499 | - Key: Name 500 | Value: !Sub "${AWS::StackName}-ConsulSecGroup" 501 | 502 | ConsulServers: 503 | Type: 'AWS::CloudFormation::Stack' 504 | Condition: DeployConsul 505 | Properties: 506 | TemplateURL: !Sub >- 507 | https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}templates/quickstart-hashicorp-consul-servers.template.yaml 508 | Parameters: 509 | PrivateSubnet1ID: !Ref 'PrivateSubnet1ID' 510 | PrivateSubnet2ID: !Ref 'PrivateSubnet2ID' 511 | PrivateSubnet3ID: !Ref 'PrivateSubnet3ID' 512 | PublicSubnet1ID: !Ref 'PublicSubnet1ID' 513 | PublicSubnet2ID: !Ref 'PublicSubnet2ID' 514 | PublicSubnet3ID: !Ref 'PublicSubnet3ID' 515 | VPCID: !Ref 'VPCID' 516 | KeyPairName: !Ref 'KeyPairName' 517 | ConsulServerInstanceType: !Ref 'ConsulServerInstanceType' 518 | ConsulServerNodeCount: !Ref 'ConsulServerNodeCount' 519 | ConsulServerSecurityGroup: !Ref 'ConsulSecGroup' 520 | EnableConsulServiceMesh: !Ref 'EnableConsulServiceMesh' 521 | ConsulEc2RetryTagKey: !Ref 'ConsulEc2RetryTagKey' 522 | ConsulEc2RetryTagValue: !Ref 'ConsulEc2RetryTagValue' 523 | ConsulDatacenter: !Ref 'ConsulDatacenter' 524 | QSS3BucketName: !Ref 'QSS3BucketName' 525 | QSS3KeyPrefix: !Ref 'QSS3KeyPrefix' 526 | SSLCertificateId: !If 527 | - GenerateSSL 528 | - !GetAtt 'ConfigureSSLStack.Outputs.ACMCertificate' 529 | - !Ref 'SSLCertificateArn' 530 | 531 | NomadSecGroup: 532 | Type: "AWS::EC2::SecurityGroup" 533 | Properties: 534 | GroupDescription: Enables SSH access. 
535 | VpcId: !Ref VPCID 536 | SecurityGroupIngress: 537 | - IpProtocol: tcp 538 | FromPort: 22 539 | ToPort: 22 540 | SourceSecurityGroupId: !Ref BastionSecurityGroupID 541 | - IpProtocol: tcp 542 | FromPort: 0 543 | ToPort: 65535 544 | CidrIp: !Ref VPCCIDR 545 | Tags: 546 | - Key: Name 547 | Value: !Sub "${AWS::StackName}-NomadSecGroup" 548 | 549 | NomadServers: 550 | Type: 'AWS::CloudFormation::Stack' 551 | Properties: 552 | TemplateURL: !Sub >- 553 | https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}templates/quickstart-hashicorp-nomad-servers.template.yaml 554 | Parameters: 555 | PrivateSubnet1ID: !Ref 'PrivateSubnet1ID' 556 | PrivateSubnet2ID: !Ref 'PrivateSubnet2ID' 557 | PrivateSubnet3ID: !Ref 'PrivateSubnet3ID' 558 | PublicSubnet1ID: !Ref 'PublicSubnet1ID' 559 | PublicSubnet2ID: !Ref 'PublicSubnet2ID' 560 | PublicSubnet3ID: !Ref 'PublicSubnet3ID' 561 | VPCID: !Ref 'VPCID' 562 | NomadServerInstanceType: !Ref 'NomadServerInstanceType' 563 | NomadServerNodeCount: !Ref 'NomadServerNodeCount' 564 | NomadServerSecurityGroup: !Ref 'NomadSecGroup' 565 | KeyPairName: !Ref 'KeyPairName' 566 | ConsulEc2RetryTagKey: !If [DeployConsul, !Ref 'ConsulEc2RetryTagKey', ''] 567 | ConsulEc2RetryTagValue: !If [DeployConsul, !Ref 'ConsulEc2RetryTagValue', ''] 568 | ConsulDatacenter: !If [DeployConsul, !Ref 'ConsulDatacenter', ''] 569 | EnableConsulServiceMesh: !If [DeployConsul, !Ref 'EnableConsulServiceMesh', 'false'] 570 | NomadEc2RetryTagKey: !Ref 'NomadEc2RetryTagKey' 571 | NomadEc2RetryTagValue: !Ref 'NomadEc2RetryTagValue' 572 | NomadDatacenter: !Ref 'NomadDatacenter' 573 | QSS3BucketName: !Ref 'QSS3BucketName' 574 | QSS3KeyPrefix: !Ref 'QSS3KeyPrefix' 575 | SSLCertificateId: !If 576 | - GenerateSSL 577 | - !GetAtt 'ConfigureSSLStack.Outputs.ACMCertificate' 578 | - !Ref 'SSLCertificateArn' 579 | 580 | NomadClients: 581 | Type: 'AWS::CloudFormation::Stack' 582 | DependsOn: NomadServers 583 | Properties: 584 | TemplateURL: !Sub >- 585 | 
https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}templates/quickstart-hashicorp-nomad-clients.template.yaml 586 | Parameters: 587 | PrivateSubnet1ID: !Ref 'PrivateSubnet1ID' 588 | PrivateSubnet2ID: !Ref 'PrivateSubnet2ID' 589 | PrivateSubnet3ID: !Ref 'PrivateSubnet3ID' 590 | NomadClientInstanceType: !Ref 'NomadClientInstanceType' 591 | NomadClientNodeCount: !Ref 'NomadClientNodeCount' 592 | NomadClientSecurityGroup: !Ref 'NomadSecGroup' 593 | ConsulEc2RetryTagKey: !If [DeployConsul, !Ref 'ConsulEc2RetryTagKey', ''] 594 | ConsulEc2RetryTagValue: !If [DeployConsul, !Ref 'ConsulEc2RetryTagValue', ''] 595 | EnableConsulServiceMesh: !If [DeployConsul, !Ref 'EnableConsulServiceMesh', 'false'] 596 | ConsulDatacenter: !If [DeployConsul, !Ref 'ConsulDatacenter', ''] 597 | NomadDatacenter: !Ref 'NomadDatacenter' 598 | EnableRawExec: !Ref 'EnableRawExecDriver' 599 | KeyPairName: !Ref 'KeyPairName' 600 | NomadEc2RetryTagKey: !Ref 'NomadEc2RetryTagKey' 601 | NomadEc2RetryTagValue: !Ref 'NomadEc2RetryTagValue' 602 | QSS3BucketName: !Ref 'QSS3BucketName' 603 | QSS3KeyPrefix: !Ref 'QSS3KeyPrefix' 604 | 605 | LoadBalancerFQDNRecord: 606 | Condition: SetupRoute53 607 | Type: AWS::Route53::RecordSet 608 | Properties: 609 | Type: A 610 | Name: !Ref 'LoadBalancerFQDN' 611 | AliasTarget: 612 | HostedZoneId: !GetAtt 'NomadServers.Outputs.NomadALBCanonicalHostedZoneID' 613 | DNSName: !GetAtt 'NomadServers.Outputs.NomadALBDNSName' 614 | HostedZoneId: !Ref 'HostedZoneID' 615 | 616 | CopyLambdaStack: 617 | Condition: GenerateSSL 618 | Type: AWS::CloudFormation::Stack 619 | Properties: 620 | TemplateURL: !Sub "https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}templates/copy-lambdas.template.yaml" 621 | Parameters: 622 | QSS3BucketName: !Ref QSS3BucketName 623 | QSS3KeyPrefix: !Ref QSS3KeyPrefix 624 | 625 | ConfigureSSLStack: 626 | Condition: GenerateSSL 627 | Type: AWS::CloudFormation::Stack 628 | Properties: 629 | TemplateURL: !Sub 
"https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}templates/acm-cert-r53-record.template.yaml" 630 | Parameters: 631 | LambdaZipsBucketName: !GetAtt 'CopyLambdaStack.Outputs.LambdaZipsBucket' 632 | QSS3KeyPrefix: !Ref QSS3KeyPrefix 633 | DomainName: !Ref LoadBalancerFQDN 634 | HostedZoneID: !Ref HostedZoneID 635 | 636 | Outputs: 637 | NomadServerALB: 638 | Description: 639 | The public URL of your Nomad Load Balancer. Create a CNAME record pointing 640 | at this Load Balancer. 641 | Value: !Sub 'https://${NomadServers.Outputs.NomadALBDNSName}' 642 | 643 | ConsulServerALB: 644 | Condition: DeployConsul 645 | Description: 646 | The public URL of your Consul Load Balancer. Create a CNAME record pointing 647 | at this Load Balancer. 648 | Value: !Sub 'https://${ConsulServers.Outputs.ConsulALBDNSName}' 649 | 650 | NomadServerFQDN: 651 | Condition: SetupRoute53 652 | Description: The public CNAME pointing to your Nomad Load Balancer. 653 | Value: !Sub 'https://${LoadBalancerFQDN}' 654 | 655 | ConsulServerASG: 656 | Condition: DeployConsul 657 | Description: 'The AutoScaling Group for your Consul Servers.' 658 | Value: !GetAtt 'ConsulServers.Outputs.ConsulServerASG' 659 | 660 | NomadServerASG: 661 | Description: 'The AutoScaling Group for your Nomad Servers.' 662 | Value: !GetAtt 'NomadServers.Outputs.NomadServerASG' 663 | 664 | NomadClientASG: 665 | Description: 'The AutoScaling Group for your Nomad Clients.' 
666 | Value: !GetAtt 'NomadClients.Outputs.NomadClientASG' 667 | -------------------------------------------------------------------------------- /templates/quickstart-hashicorp-consul-servers.template.yaml: -------------------------------------------------------------------------------- 1 | AWSTemplateFormatVersion: '2010-09-09' 2 | Description: "HashiCorp Consul (Please do not remove) Aug,28,2019 (qs-1nae6brn2)" 3 | Metadata: 4 | LintSpellExclude: 5 | - datacenter 6 | - xxxxxxxx 7 | SentenceCaseExclude: 8 | - Nomad 9 | - Consul 10 | QuickStartDocumentation: 11 | EntrypointName: "Launch into an existing VPC" 12 | LICENSE: "Apache License, Version 2.0" 13 | 'AWS::CloudFormation::Interface': 14 | ParameterGroups: 15 | - Label: {default: "VPC network configuration"} 16 | Parameters: 17 | - PrivateSubnet1ID 18 | - PrivateSubnet2ID 19 | - PrivateSubnet3ID 20 | - PublicSubnet1ID 21 | - PublicSubnet2ID 22 | - PublicSubnet3ID 23 | - VPCID 24 | - Label: {default: "Consul cluster ALB configuration"} 25 | Parameters: 26 | - SSLCertificateId 27 | - Label: {default: "Consul cluster setup"} 28 | Parameters: 29 | - ConsulServerSecurityGroup 30 | - ConsulServerInstanceType 31 | - ConsulServerNodeCount 32 | - ConsulServerAMIOS 33 | - KeyPairName 34 | - ConsulEc2RetryTagKey 35 | - ConsulEc2RetryTagValue 36 | - ConsulDatacenter 37 | - EnableConsulServiceMesh 38 | - Label: {default: "AWS Quick Start configuration"} 39 | Parameters: 40 | - QSS3BucketName 41 | - QSS3KeyPrefix 42 | ParameterLabels: 43 | KeyPairName: 44 | default: Key name 45 | PrivateSubnet1ID: 46 | default: Private Subnet 1 ID 47 | PrivateSubnet2ID: 48 | default: Private Subnet 2 ID 49 | PrivateSubnet3ID: 50 | default: Private Subnet 3 ID 51 | PublicSubnet1ID: 52 | default: Public Subnet 1 ID 53 | PublicSubnet2ID: 54 | default: Public Subnet 2 ID 55 | PublicSubnet3ID: 56 | default: Public Subnet 3 ID 57 | QSS3BucketName: 58 | default: Quick Start S3 bucket name 59 | QSS3KeyPrefix: 60 | default: Quick Start S3 key 
          prefix
      VPCID:
        default: VPC ID
      SSLCertificateId:
        default: SSL certificate ARN or reference
      EnableConsulServiceMesh:
        default: Enable Consul service mesh for Consul cluster
      ConsulServerInstanceType:
        default: Consul server node instance type
      ConsulServerNodeCount:
        default: Number of Consul server nodes
      ConsulServerAMIOS:
        default: Operating system for Consul server nodes
      ConsulEc2RetryTagKey:
        default: Tag key for Consul cluster nodes
      ConsulEc2RetryTagValue:
        default: Tag value for Consul cluster nodes
      ConsulServerSecurityGroup:
        default: Consul Server security group ID
      ConsulDatacenter:
        default: The datacenter name to use for the Consul cluster configuration

# Parameters of the nested Consul server template. It is normally launched by
# the Nomad cluster template, which passes everything except ConsulServerAMIOS.
Parameters:
  # VPC network configuration
  PrivateSubnet1ID:
    Description: "ID of the private subnet 1 in Availability Zone 1 (e.g., subnet-00000000)."
    Type: "AWS::EC2::Subnet::Id"
  PrivateSubnet2ID:
    Description: "ID of the private subnet 2 in Availability Zone 2 (e.g., subnet-00000000)."
    Type: "AWS::EC2::Subnet::Id"
  PrivateSubnet3ID:
    Description: "ID of the private subnet 3 in Availability Zone 3 (e.g., subnet-00000000)."
    Type: "AWS::EC2::Subnet::Id"
  PublicSubnet1ID:
    Description: "ID of the public subnet 1 in Availability Zone 1 (e.g., subnet-00000000)."
    Type: "AWS::EC2::Subnet::Id"
  PublicSubnet2ID:
    Description: "ID of the public subnet 2 in Availability Zone 2 (e.g., subnet-00000000)."
    Type: "AWS::EC2::Subnet::Id"
  PublicSubnet3ID:
    Description: "ID of the public subnet 3 in Availability Zone 3 (e.g., subnet-00000000)."
    Type: "AWS::EC2::Subnet::Id"
  VPCID:
    Description: VPC ID.
    Type: "AWS::EC2::VPC::Id"

  # Consul cluster ALB configuration
  # No validation: the HTTPS listener below requires a certificate, so an
  # empty value (which the parent passes when it has neither an ARN nor an
  # FQDN) fails at listener creation rather than at validation.
  SSLCertificateId:
    Description: 'The SSL certificate to use for the Consul server ALB.'
    Type: 'String'

  # Consul cluster setup
  # -- Consul Instance Configuration --
  # NOTE(review): description says "client nodes" but this group is attached
  # to the Consul *server* launch configuration. The parent passes a group
  # that allows all TCP ports from the VPC CIDR.
  ConsulServerSecurityGroup:
    Description: 'The security group to apply to client nodes at startup (e.g., sg-7f16e910).'
    Type: 'AWS::EC2::SecurityGroup::Id'
  # NOTE(review): no t4g (Graviton) types are listed, yet the ArmInstanceServer
  # rule below only accepts t4g types when ConsulServerAMIOS is the ARM AMI, so
  # the ARM option can never pass validation with this list.
  ConsulServerInstanceType:
    Type: String
    Description: The EC2 instance type for the Consul instances.
    AllowedValues:
      - t2.micro
      - t2.small
      - t2.medium
      - t2.large
      - t3.micro
      - t3.small
      - t3.medium
      - t3.large
      - m5.large
      - m5.xlarge
      - m5.2xlarge
      - m4.large
      - m4.xlarge
      - m3.medium
      - m3.large
      - m3.xlarge
      - m3.2xlarge
      - c4.large
      - c4.xlarge
      - c4.2xlarge
      - c4.4xlarge
      - c4.8xlarge
      - c3.large
      - c3.xlarge
      - c3.2xlarge
      - c3.4xlarge
      - c3.8xlarge
      - r3.large
      - r3.xlarge
      - r3.2xlarge
      - r3.4xlarge
      - r3.8xlarge
      - i2.xlarge
      - i2.2xlarge
      - i2.4xlarge
      - i2.8xlarge
    ConstraintDescription: Choose an instance type.
    Default: m5.large
  # "" is not accepted here although the parent template allows it; "1" is a
  # single Raft voter with no fault tolerance.
  ConsulServerNodeCount:
    Type: String
    Description: The number of Consul server nodes that will be created. You can choose 3, 5, or 7 nodes.
    AllowedValues:
      - "1"
      - "3"
      - "5"
      - "7"
    Default: "3"
  # The parent template never passes this, so the default applies when
  # launched from there. Not every AMI code exists in every region of
  # AWSAMIRegionMap (GovCloud and China lack US2004HVM and CENTOS7HVM).
  ConsulServerAMIOS:
    AllowedValues:
      - Amazon-Linux2-HVM
      - Amazon-Linux2-HVM-ARM
      - CentOS-7-HVM
      - Ubuntu-Server-20.04-LTS-HVM
      - SUSE-SLES-15-HVM
    Default: Ubuntu-Server-20.04-LTS-HVM
    Description: The Linux distribution for the AMI to be used for the Consul server instances.
    Type: String
  KeyPairName:
    Description: Name of an existing EC2 KeyPair to enable SSH access to the instances.
    Type: "AWS::EC2::KeyPair::KeyName"
    # MinLength: 1
    ConstraintDescription: Must be the name of an existing EC2 KeyPair.
  # -- Consul Application Configuration --
  # Cloud auto-join tag; propagated to the ASG instances below. Any instance
  # the retry-join lookup can see with this key/value is a join candidate.
  ConsulEc2RetryTagKey:
    Description:
      The EC2 instance tag key to filter on when joining to other Consul
      nodes.
    Type: String
    Default: "quickstart-consul-cluster"
    ConstraintDescription: Must match EC2 Tag Name requirements.
  ConsulEc2RetryTagValue:
    Description:
      The EC2 instance tag value to filter on when joining to other Consul
      nodes.
    Type: String
    Default: "consul-member-node"
    ConstraintDescription: Must match EC2 Tag Name requirements.
  ConsulDatacenter:
    Description:
      The datacenter name to use for the Consul cluster configuration.
    Type: String
    Default: "dc1"
    ConstraintDescription: Must be DNS-compatible.
  # Selects the cs-consul-service-mesh configset (gRPCCondition).
  EnableConsulServiceMesh:
    Description: Enable Consul service mesh on the Consul server cluster.
    Type: String
    Default: "true"
    AllowedValues:
      - "true"
      - "false"

  # AWS Quick Start configuration
  # Bootstrap assets are fetched by name from this bucket; see the parent
  # template for the supply-chain implications of overriding it.
  QSS3BucketName:
    AllowedPattern: "^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$"
    ConstraintDescription: >-
      Quick Start bucket name can include numbers, lowercase letters, uppercase
      letters, and hyphens (-). It cannot start or end with a hyphen (-).
    Default: "aws-quickstart"
    Description: >-
      S3 bucket name for the Quick Start assets. Quick Start bucket name can
      include numbers, lowercase letters, uppercase letters, and hyphens (-). It
      cannot start or end with a hyphen (-).
    Type: String
  QSS3KeyPrefix:
    AllowedPattern: "^[0-9a-zA-Z-/]*$"
    ConstraintDescription: >-
      Quick Start key prefix can include numbers, lowercase letters, uppercase
      letters, hyphens (-), and forward slash (/).
    Default: "quickstart-hashicorp-consul/"
    Description: >-
      S3 key prefix for the Quick Start assets.
Quick Start key prefix can 231 | include numbers, lowercase letters, uppercase letters, hyphens (-), and 232 | forward slash (/). 233 | Type: String 234 | 235 | Rules: 236 | ## This rule is broken for some reason? 237 | # SubnetsInVPC: 238 | # Assertions: 239 | # - Assert: 240 | # 'Fn::EachMemberIn': 241 | # - 'Fn::ValueOfAll': 242 | # - 'AWS::EC2::Subnet::Id' 243 | # - VpcId 244 | # - 'Fn::RefAll': 'AWS::EC2::VPC::Id' 245 | # AssertDescription: All subnets must exist in the VPC. 246 | ArmInstanceServer: 247 | RuleCondition: !Equals ["Amazon-Linux2-HVM-ARM", !Ref ConsulServerAMIOS] 248 | Assertions: 249 | - Assert: !Contains 250 | - - t4g.nano 251 | - t4g.medium 252 | - t4g.large 253 | - t4g.micro 254 | - t4g.small 255 | - t4g.2xlarge 256 | - t4g.xlarge 257 | - !Ref 'ConsulServerInstanceType' 258 | AssertDescription: This instance type must use ConsulServerInstanceType type of Amazon-Linux2-HVM-ARM. 259 | 260 | Mappings: 261 | RegionELBAccountId: 262 | ap-east-1: 263 | AccountId: "754344448648" 264 | ap-northeast-1: 265 | AccountId: "582318560864" 266 | ap-northeast-2: 267 | AccountId: "600734575887" 268 | ap-northeast-3: 269 | AccountId: "383597477331" 270 | ap-southeast-1: 271 | AccountId: "114774131450" 272 | ap-southeast-2: 273 | AccountId: "783225319266" 274 | ap-south-1: 275 | AccountId: "718504428378" 276 | me-south-1: 277 | AccountId: "076674570225" 278 | ca-central-1: 279 | AccountId: "985666609251" 280 | eu-central-1: 281 | AccountId: "054676820928" 282 | eu-north-1: 283 | AccountId: "897822967062" 284 | eu-west-1: 285 | AccountId: "156460612806" 286 | eu-west-2: 287 | AccountId: "652711504416" 288 | eu-west-3: 289 | AccountId: "009996457667" 290 | sa-east-1: 291 | AccountId: "507241528517" 292 | us-east-1: 293 | AccountId: "127311923021" 294 | us-east-2: 295 | AccountId: "033677994240" 296 | us-west-1: 297 | AccountId: "027434742980" 298 | us-west-2: 299 | AccountId: "797873946194" 300 | 301 | AWSAMIRegionMap: 302 | af-south-1: 303 | AMZNLINUX2: 
ami-0936d2754993c364e 304 | AMZNLINUX2ARM: ami-01d326fa7db123542 305 | US2004HVM: ami-022666956ad401a16 306 | CENTOS7HVM: ami-0a2be7731769e6cc1 307 | # SLES15HVM: ami-EXAMPLE 308 | ap-northeast-1: 309 | AMZNLINUX2: ami-0b276ad63ba2d6009 310 | AMZNLINUX2ARM: ami-012d44a21cdc6962e 311 | US2004HVM: ami-0b0ccc06abc611fa0 312 | CENTOS7HVM: ami-06a46da680048c8ae 313 | SLES15HVM: ami-056ac8ad44e6a7e1f 314 | ap-northeast-2: 315 | AMZNLINUX2: ami-0b827f3319f7447c6 316 | AMZNLINUX2ARM: ami-065bbf792e2f70fd9 317 | US2004HVM: ami-0f49ee52a88cc2435 318 | CENTOS7HVM: ami-06e83aceba2cb0907 319 | SLES15HVM: ami-0f81fff879bafe6b8 320 | ap-northeast-3: 321 | AMZNLINUX2: ami-07420201371095f81 322 | AMZNLINUX2ARM: ami-01a34fdc39c8106e0 323 | US2004HVM: ami-01ae085ceefba2dbf 324 | CENTOS7HVM: ami-02d6b455335e3af14 325 | SLES15HVM: ami-0d8518dd12d11dfc2 326 | ap-south-1: 327 | AMZNLINUX2: ami-00bf4ae5a7909786c 328 | AMZNLINUX2ARM: ami-059d1007dcf297b22 329 | US2004HVM: ami-0443fb07ed652c341 330 | CENTOS7HVM: ami-026f33d38b6410e30 331 | SLES15HVM: ami-01be89269d32f2a16 332 | ap-southeast-1: 333 | AMZNLINUX2: ami-0e5182fad1edfaa68 334 | AMZNLINUX2ARM: ami-0390917f7df0de28c 335 | US2004HVM: ami-0f0b17182b1d50c14 336 | CENTOS7HVM: ami-07f65177cb990d65b 337 | SLES15HVM: ami-070356c21596ddc67 338 | ap-southeast-2: 339 | AMZNLINUX2: ami-0c9fe0dec6325a30c 340 | AMZNLINUX2ARM: ami-03b50165937737652 341 | US2004HVM: ami-04b1878ebf78f7370 342 | CENTOS7HVM: ami-0b2045146eb00b617 343 | SLES15HVM: ami-0c4245381c67efb39 344 | ca-central-1: 345 | AMZNLINUX2: ami-0db72f413fc1ddb2a 346 | AMZNLINUX2ARM: ami-0858cdfa55eb68636 347 | US2004HVM: ami-04673916e7c7aa985 348 | CENTOS7HVM: ami-04a25c39dc7a8aebb 349 | SLES15HVM: ami-0c97d9b588207dad6 350 | eu-central-1: 351 | AMZNLINUX2: ami-00f22f6155d6d92c5 352 | AMZNLINUX2ARM: ami-0d1745d072234b13f 353 | US2004HVM: ami-05e1e66d082e56118 354 | CENTOS7HVM: ami-0e8286b71b81c3cc1 355 | SLES15HVM: ami-05dfd265ea534a3e9 356 | me-south-1: 357 | AMZNLINUX2: 
ami-0880769bc15eeec4f 358 | AMZNLINUX2ARM: ami-001dc219c441b922d 359 | US2004HVM: ami-03cc0b5db8321f2e5 360 | CENTOS7HVM: ami-011c71a894b10f35b 361 | SLES15HVM: ami-0252c6d3a59c7473b 362 | ap-east-1: 363 | AMZNLINUX2: ami-0aca22cb23f122f27 364 | AMZNLINUX2ARM: ami-01f5cec80321bd86e 365 | US2004HVM: ami-0c7e5903bee96ef81 366 | CENTOS7HVM: ami-0e5c29e6c87a9644f 367 | SLES15HVM: ami-0ad6e15bcbb2dbe38 368 | eu-north-1: 369 | AMZNLINUX2: ami-00517306b63c4628c 370 | AMZNLINUX2ARM: ami-00ac6cda13789bb30 371 | US2004HVM: ami-00888f2a5f9be4390 372 | CENTOS7HVM: ami-05788af9005ef9a93 373 | SLES15HVM: ami-0741fa1a008af40ad 374 | eu-south-1: 375 | AMZNLINUX2: ami-0f447354763f0eaac 376 | AMZNLINUX2ARM: ami-011d4067dedd119f5 377 | US2004HVM: ami-035e213233577516f 378 | CENTOS7HVM: ami-03014b98e9665115a 379 | SLES15HVM: ami-051cbea0e7660063d 380 | eu-west-1: 381 | AMZNLINUX2: ami-058b1b7fe545997ae 382 | AMZNLINUX2ARM: ami-0f7de803d86d96283 383 | US2004HVM: ami-0298c9e0d2c86b0ed 384 | CENTOS7HVM: ami-0b850cf02cc00fdc8 385 | SLES15HVM: ami-0a58a1b152ba55f1d 386 | eu-west-2: 387 | AMZNLINUX2: ami-03ac5a9b225e99b02 388 | AMZNLINUX2ARM: ami-0c11e20ede9c2bac5 389 | US2004HVM: ami-0230a6736b38ae83e 390 | CENTOS7HVM: ami-09e5afc68eed60ef4 391 | SLES15HVM: ami-01497522185aaa4ee 392 | eu-west-3: 393 | AMZNLINUX2: ami-062fdd189639d3e93 394 | AMZNLINUX2ARM: ami-0e95ca4242883dbf3 395 | US2004HVM: ami-06d3fffafe8d48b35 396 | CENTOS7HVM: ami-0cb72d2e599cffbf9 397 | SLES15HVM: ami-0f238bd4c6fdbefb0 398 | sa-east-1: 399 | AMZNLINUX2: ami-05e809fbeee38dd5e 400 | AMZNLINUX2ARM: ami-06302d3edd8e2b804 401 | US2004HVM: ami-04e56ee48b28650b3 402 | CENTOS7HVM: ami-0b30f38d939dd4b54 403 | SLES15HVM: ami-0772af912976aa692 404 | us-east-1: 405 | AMZNLINUX2: ami-0dc2d3e4c0f9ebd18 406 | AMZNLINUX2ARM: ami-008a8487adc2b32ec 407 | US2004HVM: ami-019212a8baeffb0fa 408 | CENTOS7HVM: ami-0affd4508a5d2481b 409 | SLES15HVM: ami-0b1764f3d7d2e2316 410 | us-gov-west-1: 411 | AMZNLINUX2: ami-0bbf3595bb2fb39ec 412 | 
AMZNLINUX2ARM: ami-6bd0e80a 413 | SLES15HVM: ami-57c0ba36 414 | us-gov-east-1: 415 | AMZNLINUX2: ami-0cc17d57bec8c6017 416 | AMZNLINUX2ARM: ami-4a31d93b 417 | SLES15HVM: ami-05e4bedfad53425e9 418 | us-east-2: 419 | AMZNLINUX2: ami-0233c2d874b811deb 420 | AMZNLINUX2ARM: ami-02de934ca4f3289e0 421 | US2004HVM: ami-0117d177e96a8481c 422 | CENTOS7HVM: ami-01e36b7901e884a10 423 | SLES15HVM: ami-05ea824317ffc0c20 424 | us-west-1: 425 | AMZNLINUX2: ami-0ed05376b59b90e46 426 | AMZNLINUX2ARM: ami-09027338004f91eb5 427 | US2004HVM: ami-0b08e71a81ba4200f 428 | CENTOS7HVM: ami-098f55b4287a885ba 429 | SLES15HVM: ami-00e34a7624e5a7107 430 | us-west-2: 431 | AMZNLINUX2: ami-0dc8f589abe99f538 432 | AMZNLINUX2ARM: ami-01ee617c4327490d3 433 | US2004HVM: ami-02868af3c3df4b3aa 434 | CENTOS7HVM: ami-0bc06212a56393ee1 435 | SLES15HVM: ami-0f1e3b3fb0fec0361 436 | cn-north-1: 437 | AMZNLINUX2: ami-0c52e2685c7218558 438 | AMZNLINUX2ARM: ami-088cc0c104292da9c 439 | CENTOS7HVM: ami-08c16f7e830c0e393 440 | SLES15HVM: ami-021392849b6221a81 441 | cn-northwest-1: 442 | AMZNLINUX2: ami-05b9b6d6acf8ae9b6 443 | AMZNLINUX2ARM: ami-0b5c6ceb80eb57861 444 | CENTOS7HVM: ami-0f21aa96a61df8c44 445 | SLES15HVM: ami-00e1de3ee6d0d28ea 446 | 447 | LinuxAMINameMap: 448 | Amazon-Linux2-HVM: 449 | Code: AMZNLINUX2 450 | OS: Amazon 451 | Amazon-Linux2-HVM-ARM: 452 | Code: AMZNLINUX2ARM 453 | OS: Amazon 454 | CentOS-7-HVM: 455 | Code: CENTOS7HVM 456 | OS: CentOS 457 | Ubuntu-Server-18.04-LTS-HVM: 458 | Code: US1804HVM 459 | OS: Ubuntu 460 | Ubuntu-Server-20.04-LTS-HVM: 461 | Code: US2004HVM 462 | OS: Ubuntu 463 | SUSE-SLES-15-HVM: 464 | Code: SLES15HVM 465 | OS: SLES 466 | 467 | Conditions: 468 | gRPCCondition: !Equals [!Ref EnableConsulServiceMesh, "true"] 469 | GovCloudCondition: !Equals [!Ref AWS::Region, "us-gov-west-1"] 470 | 471 | Resources: 472 | ConsulServerASG: 473 | Type: "AWS::AutoScaling::AutoScalingGroup" 474 | Properties: 475 | LaunchConfigurationName: !Ref ConsulServerLC 476 | MinSize: !Ref 
ConsulServerNodeCount 477 | MaxSize: !Ref ConsulServerNodeCount 478 | DesiredCapacity: !Ref ConsulServerNodeCount 479 | TargetGroupARNs: 480 | - !Ref ConsulServerTargetGroup 481 | HealthCheckType: "ELB" 482 | HealthCheckGracePeriod: "120" 483 | VPCZoneIdentifier: 484 | - !Ref PrivateSubnet1ID 485 | - !Ref PrivateSubnet2ID 486 | - !Ref PrivateSubnet3ID 487 | Tags: 488 | - Key: Name 489 | Value: !Sub "${AWS::StackName}-Consul-Server" 490 | PropagateAtLaunch: true 491 | - Key: !Ref ConsulEc2RetryTagKey 492 | Value: !Ref ConsulEc2RetryTagValue 493 | PropagateAtLaunch: true 494 | CreationPolicy: 495 | ResourceSignal: 496 | Count: !Ref ConsulServerNodeCount 497 | Timeout: PT20M 498 | 499 | ConsulServerTargetGroup: 500 | Type: AWS::ElasticLoadBalancingV2::TargetGroup 501 | Properties: 502 | HealthCheckEnabled: true 503 | HealthCheckIntervalSeconds: 30 504 | HealthCheckPath: /v1/status/leader 505 | HealthCheckPort: 8500 506 | HealthCheckProtocol: "HTTP" 507 | HealthCheckTimeoutSeconds: 5 508 | HealthyThresholdCount: !Ref ConsulServerNodeCount 509 | IpAddressType: ipv4 510 | Port: 8500 511 | Protocol: "HTTP" 512 | TargetGroupAttributes: 513 | - Key: stickiness.enabled 514 | Value: true 515 | - Key: stickiness.type 516 | Value: lb_cookie 517 | # default of one day stickiness 518 | # - Key: stickiness.lb_cookie.duration_seconds 519 | # Value: 86400 520 | VpcId: !Ref VPCID 521 | 522 | ConsulServerALB: 523 | Type: AWS::ElasticLoadBalancingV2::LoadBalancer 524 | Properties: 525 | Type: application 526 | IpAddressType: ipv4 527 | Scheme: internet-facing 528 | SecurityGroups: 529 | - !Ref ConsulServerALBSecGroup 530 | Subnets: 531 | - !Ref PublicSubnet1ID 532 | - !Ref PublicSubnet2ID 533 | - !Ref PublicSubnet3ID 534 | LoadBalancerAttributes: 535 | - Key: access_logs.s3.enabled 536 | Value: true 537 | - Key: access_logs.s3.bucket 538 | Value: !Ref ConsulServerLogsBucket 539 | - Key: access_logs.s3.prefix 540 | Value: ConsulALBLogs 541 | - Key: idle_timeout.timeout_seconds 542 | 
Value: 360 543 | 544 | ConsulServerALBListener: 545 | Type: "AWS::ElasticLoadBalancingV2::Listener" 546 | Properties: 547 | DefaultActions: 548 | - Type: "forward" 549 | ForwardConfig: 550 | TargetGroups: 551 | - TargetGroupArn: !Ref ConsulServerTargetGroup 552 | LoadBalancerArn: !Ref ConsulServerALB 553 | Port: 443 554 | Protocol: "HTTPS" 555 | Certificates: 556 | - CertificateArn: !Ref SSLCertificateId 557 | 558 | ConsulServerLogsBucket: 559 | Type: AWS::S3::Bucket 560 | DeletionPolicy: Retain 561 | UpdateReplacePolicy: Retain 562 | 563 | ConsulServerLogsBucketPolicy: 564 | Type: AWS::S3::BucketPolicy 565 | Properties: 566 | Bucket: !Ref ConsulServerLogsBucket 567 | PolicyDocument: 568 | Version: 2012-10-17 569 | Statement: 570 | - Sid: ConsulQSGALBAccessLogs 571 | Action: 572 | - "s3:PutObject" 573 | Effect: Allow 574 | Resource: 575 | !Sub "arn:${AWS::Partition}:s3:::${ConsulServerLogsBucket}/ConsulALBLogs/*" 576 | Principal: 577 | AWS: !Sub 578 | - "arn:${AWS::Partition}:iam::${RegionELBAccountId}:root" 579 | - RegionELBAccountId: !FindInMap 580 | - RegionELBAccountId 581 | - !Ref "AWS::Region" 582 | - AccountId 583 | 584 | ConsulServerALBSecGroup: 585 | Type: AWS::EC2::SecurityGroup 586 | Properties: 587 | GroupDescription: Enables ALB Access to cluster instances. 
588 | VpcId: !Ref VPCID 589 | SecurityGroupIngress: 590 | # This is for the ALB 591 | - IpProtocol: tcp 592 | FromPort: 443 593 | ToPort: 443 594 | CidrIp: 0.0.0.0/0 595 | SecurityGroupEgress: 596 | - IpProtocol: "-1" 597 | CidrIp: 0.0.0.0/0 598 | Tags: 599 | - Key: Name 600 | Value: !Sub "${AWS::StackName}-ConsulServerALBSecGroup" 601 | 602 | ConsulServerLC: 603 | Type: AWS::AutoScaling::LaunchConfiguration 604 | Metadata: 605 | cfn-lint: 606 | config: 607 | ignore_checks: 608 | - E9101 #ignore warning about kill for Linux related command 609 | AWS::CloudFormation::Init: 610 | configSets: 611 | _base: 612 | - install_and_enable_cfn_hup 613 | - disable_motd 614 | - create_consul_group_user_dir 615 | - fetch_consul 616 | - fetch_vault 617 | - fetch_consul_template 618 | - setup_coredns 619 | 620 | _consul: 621 | - consul_install 622 | 623 | cs-consul-service-mesh: 624 | - ConfigSet: _base 625 | - enable_consul_service_mesh 626 | - ConfigSet: _consul 627 | 628 | cs_consul: 629 | - ConfigSet: _base 630 | - ConfigSet: _consul 631 | 632 | install_and_enable_cfn_hup: 633 | files: 634 | /etc/cfn/cfn-hup.conf: 635 | content: !Sub | 636 | [main] 637 | stack=${AWS::StackId} 638 | region=${AWS::Region} 639 | mode: "000400" 640 | owner: root 641 | group: root 642 | /etc/cfn/hooks.d/cfn-auto-reloader.conf: 643 | content: !Sub 644 | "[cfn-auto-reloader-hook] 645 | 646 | triggers=post.update 647 | 648 | path=Resources.ConsulServerLC.Metadata.AWS::CloudFormation::Init 649 | 650 | action=/usr/local/bin/cfn-init -v 651 | --stack ${AWS::StackName} 652 | --resource ConsulServerLC 653 | --configsets cs_install 654 | --region ${AWS::Region} 655 | 656 | runas=root" 657 | /lib/systemd/system/cfn-hup.service: 658 | content: | 659 | [Unit] 660 | Description=cfn-hup daemon 661 | 662 | [Service] 663 | Type=simple 664 | ExecStart=/usr/local/bin/cfn-hup 665 | Restart=always 666 | 667 | [Install] 668 | WantedBy=multi-user.target 669 | commands: 670 | 01enable_cfn_hup: 671 | command: systemctl 
enable cfn-hup.service 672 | 02start_cfn_hup: 673 | command: systemctl start cfn-hup.service 674 | 675 | disable_motd: 676 | files: 677 | /home/ubuntu/.hushlogin: 678 | content: | 679 | # disable motd 680 | user: ubuntu 681 | group: ubuntu 682 | mode: "000400" 683 | 684 | create_consul_group_user_dir: 685 | users: 686 | consul: 687 | homeDir: /srv/consul 688 | commands: 689 | 01_create_data_dir: 690 | command: mkdir -p /opt/consul/data 691 | 02_change_owner_to_consul: 692 | command: chown -R consul:consul /opt/consul/data 693 | 03_create_config_dir: 694 | command: mkdir -p /opt/consul/config 695 | 04_create_config_dir: 696 | command: chown -R root:consul /opt/consul/config 697 | 698 | fetch_consul: 699 | sources: 700 | /usr/bin/: https://releases.hashicorp.com/consul/1.11.4/consul_1.11.4_linux_amd64.zip 701 | 702 | fetch_vault: 703 | sources: 704 | /usr/bin/: https://releases.hashicorp.com/vault/1.9.4/vault_1.9.4_linux_amd64.zip 705 | 706 | fetch_consul_template: 707 | sources: 708 | /usr/bin/: https://releases.hashicorp.com/consul-template/0.28.0/consul-template_0.28.0_linux_amd64.zip 709 | 710 | enable_consul_service_mesh: 711 | files: 712 | /opt/consul/config/ports.hcl: 713 | content: | 714 | ports { 715 | grpc = 8502 716 | } 717 | connect { 718 | enabled = true 719 | } 720 | owner: root 721 | group: consul 722 | 723 | consul_install: 724 | files: 725 | /opt/consul/config/consul.hcl: 726 | content: !Sub | 727 | data_dir = "/opt/consul/data" 728 | client_addr = "0.0.0.0" 729 | bind_addr = "{{{InterfaceTemplate}}}" 730 | datacenter = "${ConsulDatacenter}" 731 | log_level = "WARN" 732 | ui_config { 733 | enabled = true 734 | } 735 | telemetry { 736 | disable_compat_1.9 = true 737 | } 738 | context: 739 | InterfaceTemplate: '{{ GetDefaultInterfaces | include \"type\" \"ipv4\" | attr \"address\" }}' 740 | owner: root 741 | group: consul 742 | /opt/consul/config/server.hcl: 743 | content: !Sub | 744 | server = true 745 | bootstrap_expect = ${ConsulServerNodeCount} 746 
| retry_join = ["provider=aws region=${AWS::Region} tag_key=${ConsulEc2RetryTagKey} tag_value=${ConsulEc2RetryTagValue}"] 747 | owner: root 748 | group: consul 749 | /etc/systemd/system/consul.service: 750 | content: | 751 | [Unit] 752 | Description="HashiCorp Consul - A service mesh solution" 753 | Documentation=https://www.consul.io/ 754 | Requires=network-online.target 755 | After=network-online.target 756 | ConditionFileNotEmpty=/opt/consul/config/consul.hcl 757 | ConditionFileNotEmpty=/opt/consul/config/server.hcl 758 | 759 | [Service] 760 | Type=notify 761 | EnvironmentFile=-/opt/consul/config/consul.env 762 | User=consul 763 | Group=consul 764 | ExecStart=/usr/bin/consul agent -config-dir=/opt/consul/config 765 | ExecReload=/bin/kill --signal HUP $MAINPID 766 | KillMode=process 767 | KillSignal=SIGTERM 768 | Restart=on-failure 769 | LimitNOFILE=65536 770 | 771 | [Install] 772 | WantedBy=multi-user.target 773 | owner: root 774 | group: consul 775 | commands: 776 | 00_fill_consul_config_nodename: 777 | command: echo "node_name = \"$(curl -s http://169.254.169.254/latest/meta-data/instance-id)\"" > /opt/consul/config/nodename.hcl 778 | 01_change_data_dir_owner: 779 | command: chown -R consul:consul /opt/consul/data 780 | 02_change_config_dir_owner: 781 | command: chown -R root:consul /opt/consul/config 782 | 03_chmod_config_dir: 783 | command: chmod 755 /opt/consul/config 784 | 04_chmod_config_files: 785 | command: chmod 644 /opt/consul/config/*.hcl 786 | 05_reload_systemd: 787 | command: systemctl daemon-reload 788 | 06_enable_consul: 789 | command: systemctl enable consul 790 | 07_start_consul: 791 | command: systemctl start consul 792 | 793 | setup_dnsmasq: 794 | files: 795 | /etc/dnsmasq.d/consul: 796 | content: | 797 | server=/consul/127.0.0.1#8600 798 | listen-address=127.0.0.1 799 | bind-interfaces 800 | /usr/local/etc/dnsmasq.conf: 801 | content: | 802 | no-resolv 803 | packages: 804 | apt: 805 | dnsmasq-base: [] 806 | dnsmasq: [] 807 | jq: [] 808 | 
commands: 809 | 01_start_dnsmasq: 810 | command: service dnsmasq restart 811 | 812 | setup_coredns: 813 | users: 814 | coredns: 815 | homeDir: /srv/coredns 816 | sources: 817 | /usr/bin: https://github.com/coredns/coredns/releases/download/v1.8.4/coredns_1.8.4_linux_amd64.tgz 818 | files: 819 | /etc/systemd/system/coredns.service: 820 | content: | 821 | [Unit] 822 | Description=CoreDNS DNS server 823 | Documentation=https://coredns.io 824 | After=network.target 825 | 826 | [Service] 827 | PermissionsStartOnly=true 828 | LimitNOFILE=1048576 829 | LimitNPROC=512 830 | CapabilityBoundingSet=CAP_NET_BIND_SERVICE 831 | AmbientCapabilities=CAP_NET_BIND_SERVICE 832 | NoNewPrivileges=true 833 | User=coredns 834 | WorkingDirectory=~ 835 | ExecStart=/usr/bin/coredns -conf=/etc/coredns/Corefile 836 | ExecReload=/bin/kill -SIGUSR1 $MAINPID 837 | Restart=on-failure 838 | 839 | [Install] 840 | WantedBy=multi-user.target 841 | /etc/coredns/Corefile: 842 | content: | 843 | . { 844 | forward . /run/systemd/resolve/resolv.conf 845 | } 846 | consul { 847 | forward . 
dns://127.0.0.1:8600 848 | } 849 | user: root 850 | group: root 851 | mode: "000644" 852 | /etc/resolv.conf: 853 | content: | 854 | nameserver 127.0.0.1 855 | options edns0 trust-ad 856 | search ec2.internal 857 | user: root 858 | group: root 859 | mode: "000644" 860 | commands: 861 | 00_make_homedir: 862 | command: mkdir -p /srv/coredns 863 | 01_change_owner: 864 | command: chown -R coredns:coredns /srv/coredns 865 | 02_reload_systemd: 866 | command: systemctl daemon-reload 867 | 03_disable_resolved_DNSStubListener: 868 | command: echo "DNSStubListener=no" >> /etc/systemd/resolved.conf 869 | 04_restart_resolved: 870 | command: systemctl restart systemd-resolved.service 871 | 05_start_service: 872 | command: systemctl start coredns 873 | 06_enable_service: 874 | command: systemctl enable coredns 875 | 876 | 877 | Properties: 878 | InstanceType: !Ref ConsulServerInstanceType 879 | AssociatePublicIpAddress: false 880 | SecurityGroups: 881 | - !Ref ConsulServerSecurityGroup 882 | KeyName: !Ref KeyPairName 883 | ImageId: !FindInMap 884 | - AWSAMIRegionMap 885 | - !Ref 'AWS::Region' 886 | - !FindInMap [LinuxAMINameMap, !Ref ConsulServerAMIOS, Code] 887 | IamInstanceProfile: !Ref ConsulServerProfile 888 | UserData: 889 | Fn::Base64: !Sub 890 | - | 891 | #!/bin/bash -x 892 | #CFN Functions 893 | function cfn_fail 894 | { 895 | cfn-signal -e 1 --stack ${AWS::StackName} --region ${AWS::Region} --resource ConsulServerASG 896 | exit 1 897 | } 898 | function cfn_success 899 | { 900 | cfn-signal -e 0 --stack ${AWS::StackName} --region ${AWS::Region} --resource ConsulServerASG 901 | exit 0 902 | } 903 | S3URI=https://${QSS3BucketName}.${S3Region}.amazonaws.com/${QSS3KeyPrefix} 904 | apt-get -y update 905 | # Install git 906 | apt-get install -y git jq 907 | #Load Linux utils 908 | until git clone https://github.com/aws-quickstart/quickstart-linux-utilities.git ; do echo "Retrying"; done 909 | cd /quickstart-linux-utilities && source quickstart-cfn-tools.source 910 | # Prep 
operating systems 911 | qs_update-os || qs_err 912 | qs_bootstrap_pip || qs_err 913 | qs_aws-cfn-bootstrap || qs_err 914 | #cfn-init 915 | echo "Executing config-sets" 916 | cfn-init -v --stack ${AWS::StackName} --resource ConsulServerLC --configsets ${ConfigSet} --region ${AWS::Region} || (cfn_fail || (journalctl -b --no-pager -u consul && cat /opt/consul/config/server.json)) 917 | # Signal cfn-init (final check) 918 | [ $(qs_status) == 0 ] && cfn_success || cfn_fail 919 | - ConfigSet: !If [gRPCCondition, cs-consul-service-mesh, cs-consul] 920 | S3Region: !If [GovCloudCondition, s3-us-gov-west-1, s3] 921 | 922 | ConsulServerRole: 923 | Type: AWS::IAM::Role 924 | Properties: 925 | AssumeRolePolicyDocument: 926 | Statement: 927 | - Action: "sts:AssumeRole" 928 | Principal: 929 | Service: ec2.amazonaws.com 930 | Effect: Allow 931 | Sid: "" 932 | Policies: 933 | - PolicyDocument: 934 | Version: 2012-10-17 935 | Statement: 936 | - Action: 937 | - "s3:GetObject" 938 | Resource: !Sub "arn:${AWS::Partition}:s3:::${QSS3BucketName}/${QSS3KeyPrefix}*" 939 | Effect: Allow 940 | PolicyName: AuthenticatedS3GetObjects 941 | 942 | ConsulServerPolicy: 943 | Type: AWS::IAM::Policy 944 | Properties: 945 | PolicyName: consul-server 946 | PolicyDocument: 947 | Statement: 948 | - Effect: Allow 949 | Action: 950 | - "ec2:DescribeInstances" 951 | Resource: "*" 952 | Roles: 953 | - !Ref ConsulServerRole 954 | 955 | ConsulServerProfile: 956 | Type: AWS::IAM::InstanceProfile 957 | Properties: 958 | Path: / 959 | Roles: 960 | - !Ref ConsulServerRole 961 | 962 | Outputs: 963 | ConsulEc2RetryTagKey: 964 | Value: !Ref ConsulEc2RetryTagKey 965 | Description: 966 | The EC2 instance tag key to filter on when joining to Consul server nodes. 967 | 968 | ConsulEc2RetryTagValue: 969 | Value: !Ref ConsulEc2RetryTagValue 970 | Description: 971 | The EC2 instance tag value to filter on when joining to Consul server nodes. 
972 | 973 | ConsulServerSecurityGroup: 974 | Value: !Ref ConsulServerSecurityGroup 975 | Description: 976 | The security group ID of the Consul servers. 977 | 978 | ConsulServerASG: 979 | Value: !Ref ConsulServerASG 980 | Description: 'The Consul server autoscaling group.' 981 | 982 | ConsulServerLogsBucket: 983 | Value: !Ref ConsulServerLogsBucket 984 | Description: 985 | The S3 bucket name for the Consul server logs. 986 | 987 | ConsulALBDNSName: 988 | Value: !GetAtt ConsulServerALB.DNSName 989 | Description: 990 | The DNS name of the Consul server ALB. 991 | 992 | ConsulALBCanonicalHostedZoneID: 993 | Value: !GetAtt ConsulServerALB.CanonicalHostedZoneID 994 | Description: 995 | The CanonicalHostedZoneId of the Consul server ALB. 996 | -------------------------------------------------------------------------------- /templates/quickstart-hashicorp-nomad-clients.template.yaml: -------------------------------------------------------------------------------- 1 | AWSTemplateFormatVersion: '2010-09-09' 2 | Description: "HashiCorp Nomad Client ASG(Please do not remove) Aug,28,2019 (qs-1nae6brn2)" 3 | Metadata: 4 | LintSpellExclude: 5 | - datacenter 6 | - xxxxxxxx 7 | - plugin 8 | SentenceCaseExclude: 9 | - Nomad 10 | - Consul 11 | QuickStartDocumentation: 12 | EntrypointName: "Launch into an existing VPC" 13 | LICENSE: "Apache License, Version 2.0" 14 | 'AWS::CloudFormation::Interface': 15 | ParameterGroups: 16 | - Label: {default: "VPC network configuration"} 17 | Parameters: 18 | - PrivateSubnet1ID 19 | - PrivateSubnet2ID 20 | - PrivateSubnet3ID 21 | - Label: {default: "Nomad client setup"} 22 | Parameters: 23 | - NomadClientSecurityGroup 24 | - NomadClientInstanceType 25 | - NomadClientNodeCount 26 | - NomadClientAMIOS 27 | - KeyPairName 28 | - NomadEc2RetryTagKey 29 | - NomadEc2RetryTagValue 30 | - NomadDatacenter 31 | - EnableRawExec 32 | - Label: {default: "Consul agent configuration"} 33 | Parameters: 34 | - ConsulEc2RetryTagKey 35 | - ConsulEc2RetryTagValue 36 | 
- ConsulDatacenter 37 | - EnableConsulServiceMesh 38 | - Label: {default: "AWS Quick Start configuration"} 39 | Parameters: 40 | - QSS3BucketName 41 | - QSS3KeyPrefix 42 | ParameterLabels: 43 | KeyPairName: 44 | default: Key name 45 | PrivateSubnet1ID: 46 | default: Private Subnet 1 ID 47 | PrivateSubnet2ID: 48 | default: Private Subnet 2 ID 49 | PrivateSubnet3ID: 50 | default: Private Subnet 3 ID 51 | 52 | NomadClientSecurityGroup: 53 | default: Nomad client node security group ID 54 | NomadClientInstanceType: 55 | default: Nomad client node instance type 56 | NomadClientNodeCount: 57 | default: Number of Nomad client nodes 58 | NomadClientAMIOS: 59 | default: Operating system for Nomad client nodes 60 | NomadEc2RetryTagKey: 61 | default: Tag key for Nomad cluster nodes 62 | NomadEc2RetryTagValue: 63 | default: Tag value for Nomad cluster nodes 64 | NomadDatacenter: 65 | default: "Nomad Config: datacenter" 66 | EnableRawExec: 67 | default: Enable raw_exec plugin on Nomad clients 68 | 69 | ConsulEc2RetryTagKey: 70 | default: Tag key for Consul server nodes 71 | ConsulEc2RetryTagValue: 72 | default: Tag value for Consul server nodes 73 | ConsulDatacenter: 74 | default: "Consul Config: datacenter" 75 | EnableConsulServiceMesh: 76 | default: Enable Consul service mesh for Nomad cluster 77 | 78 | QSS3BucketName: 79 | default: Quick Start S3 bucket name 80 | QSS3KeyPrefix: 81 | default: Quick Start S3 key prefix 82 | 83 | Parameters: 84 | # VPC network configuration 85 | PrivateSubnet1ID: 86 | Description: "ID of the private subnet 1 in Availability Zone 1 (e.g., subnet-xxxxxxxx)." 87 | Type: "AWS::EC2::Subnet::Id" 88 | PrivateSubnet2ID: 89 | Description: "ID of the private subnet 2 in Availability Zone 2 (e.g., subnet-xxxxxxxx)." 90 | Type: "AWS::EC2::Subnet::Id" 91 | PrivateSubnet3ID: 92 | Description: "ID of the private subnet 3 in Availability Zone 3 (e.g., subnet-xxxxxxxx)." 
93 | Type: "AWS::EC2::Subnet::Id" 94 | 95 | # Nomad cluster setup 96 | # -- Nomad Instance Configuration -- 97 | NomadClientSecurityGroup: 98 | Description: The security group to apply to client nodes at startup (e.g., sg-7f16e910). 99 | Type: "AWS::EC2::SecurityGroup::Id" 100 | NomadClientInstanceType: 101 | Type: String 102 | Description: The EC2 instance type for the Nomad instances. 103 | AllowedValues: 104 | - t2.micro 105 | - t2.small 106 | - t2.medium 107 | - t2.large 108 | - t3.micro 109 | - t3.small 110 | - t3.medium 111 | - t3.large 112 | - m5.large 113 | - m5.xlarge 114 | - m5.2xlarge 115 | - m4.large 116 | - m4.xlarge 117 | - m3.medium 118 | - m3.large 119 | - m3.xlarge 120 | - m3.2xlarge 121 | - c4.large 122 | - c4.xlarge 123 | - c4.2xlarge 124 | - c4.4xlarge 125 | - c4.8xlarge 126 | - c3.large 127 | - c3.xlarge 128 | - c3.2xlarge 129 | - c3.4xlarge 130 | - c3.8xlarge 131 | - r3.large 132 | - r3.xlarge 133 | - r3.2xlarge 134 | - r3.4xlarge 135 | - r3.8xlarge 136 | - i2.xlarge 137 | - i2.2xlarge 138 | - i2.4xlarge 139 | - i2.8xlarge 140 | ConstraintDescription: Choose an instance type. 141 | Default: m5.large 142 | NomadClientNodeCount: 143 | Type: String 144 | Description: The number of Nomad client nodes that will be created. You can choose 3, 5, or 7 nodes. 145 | Default: "3" 146 | NomadClientAMIOS: 147 | AllowedValues: 148 | - Amazon-Linux2-HVM 149 | - Amazon-Linux2-HVM-ARM 150 | - CentOS-7-HVM 151 | - Ubuntu-Server-20.04-LTS-HVM 152 | - SUSE-SLES-15-HVM 153 | Default: Ubuntu-Server-20.04-LTS-HVM 154 | Description: The Linux distribution for the AMI to be used for the Nomad client instances. 155 | Type: String 156 | KeyPairName: 157 | Description: Name of an existing EC2 KeyPair to enable SSH access to the instances. 158 | Type: "AWS::EC2::KeyPair::KeyName" 159 | # MinLength: 1 160 | ConstraintDescription: Must be the name of an existing EC2 KeyPair. 
161 | # -- Nomad Application Configuration -- 162 | NomadEc2RetryTagKey: 163 | Description: 164 | The EC2 instance tag key to filter on when joining to other Nomad 165 | nodes. 166 | Type: String 167 | Default: "quickstart-nomad-cluster" 168 | ConstraintDescription: Must match EC2 Tag Name requirements. 169 | NomadEc2RetryTagValue: 170 | Description: 171 | The EC2 instance tag value to filter on when joining to other Nomad 172 | nodes. 173 | Type: String 174 | Default: "nomad-member-node" 175 | ConstraintDescription: Must match EC2 Tag Name requirements. 176 | NomadDatacenter: 177 | Description: 178 | The datacenter name to use for the Nomad cluster configuration. 179 | Type: String 180 | Default: "dc1" 181 | ConstraintDescription: Must be DNS-compatible. 182 | EnableRawExec: 183 | Description: Enable the raw_exec task driver on the Nomad clients. 184 | Type: String 185 | Default: "false" 186 | AllowedValues: 187 | - "true" 188 | - "false" 189 | 190 | # Consul agent configuration 191 | ConsulEc2RetryTagKey: 192 | Description: 193 | The EC2 instance tag key to filter on when joining a Consul cluster. 194 | Type: String 195 | Default: "" 196 | ConstraintDescription: Must match EC2 Tag Name requirements. 197 | ConsulEc2RetryTagValue: 198 | Description: 199 | The EC2 instance tag value to filter on when joining a Consul cluster. 200 | Type: String 201 | Default: "" 202 | ConstraintDescription: Must match EC2 Tag Name requirements. 203 | ConsulDatacenter: 204 | Description: 205 | The datacenter name to use for the Consul cluster configuration. 206 | Type: String 207 | Default: "dc1" 208 | ConstraintDescription: Must be DNS-compatible. 209 | EnableConsulServiceMesh: 210 | Description: Enable Consul service mesh on the Nomad clients. 
211 | Type: String 212 | Default: "false" 213 | AllowedValues: 214 | - "true" 215 | - "false" 216 | 217 | # AWS Quick Start configuration 218 | QSS3BucketName: 219 | AllowedPattern: "^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$" 220 | ConstraintDescription: >- 221 | Quick Start bucket name can include numbers, lowercase letters, uppercase 222 | letters, and hyphens (-). It cannot start or end with a hyphen (-). 223 | Default: "aws-quickstart" 224 | Description: >- 225 | S3 bucket name for the Quick Start assets. Quick Start bucket name can 226 | include numbers, lowercase letters, uppercase letters, and hyphens (-). It 227 | cannot start or end with a hyphen (-). 228 | Type: String 229 | QSS3KeyPrefix: 230 | AllowedPattern: "^[0-9a-zA-Z-/]*$" 231 | ConstraintDescription: >- 232 | Quick Start key prefix can include numbers, lowercase letters, uppercase 233 | letters, hyphens (-), and forward slash (/). 234 | Default: "quickstart-hashicorp-nomad/" 235 | Description: >- 236 | S3 key prefix for the Quick Start assets. Quick Start key prefix can 237 | include numbers, lowercase letters, uppercase letters, hyphens (-), and 238 | forward slash (/). 239 | Type: String 240 | 241 | Rules: 242 | ArmInstanceClient: 243 | RuleCondition: !Equals ["Amazon-Linux2-HVM-ARM", !Ref NomadClientAMIOS] 244 | Assertions: 245 | - Assert: !Contains 246 | - - t4g.nano 247 | - t4g.medium 248 | - t4g.large 249 | - t4g.micro 250 | - t4g.small 251 | - t4g.2xlarge 252 | - t4g.xlarge 253 | - !Ref 'NomadClientInstanceType' 254 | AssertDescription: When NomadClientAMIOS is Amazon-Linux2-HVM-ARM, NomadClientInstanceType must be one of the t4g instance types. 
255 | 256 | Mappings: 257 | RegionELBAccountId: 258 | ap-east-1: 259 | AccountId: "754344448648" 260 | ap-northeast-1: 261 | AccountId: "582318560864" 262 | ap-northeast-2: 263 | AccountId: "600734575887" 264 | ap-northeast-3: 265 | AccountId: "383597477331" 266 | ap-southeast-1: 267 | AccountId: "114774131450" 268 | ap-southeast-2: 269 | AccountId: "783225319266" 270 | ap-south-1: 271 | AccountId: "718504428378" 272 | me-south-1: 273 | AccountId: "076674570225" 274 | ca-central-1: 275 | AccountId: "985666609251" 276 | eu-central-1: 277 | AccountId: "054676820928" 278 | eu-north-1: 279 | AccountId: "897822967062" 280 | eu-west-1: 281 | AccountId: "156460612806" 282 | eu-west-2: 283 | AccountId: "652711504416" 284 | eu-west-3: 285 | AccountId: "009996457667" 286 | sa-east-1: 287 | AccountId: "507241528517" 288 | us-east-1: 289 | AccountId: "127311923021" 290 | us-east-2: 291 | AccountId: "033677994240" 292 | us-west-1: 293 | AccountId: "027434742980" 294 | us-west-2: 295 | AccountId: "797873946194" 296 | 297 | AWSAMIRegionMap: 298 | af-south-1: 299 | AMZNLINUX2: ami-0936d2754993c364e 300 | AMZNLINUX2ARM: ami-01d326fa7db123542 301 | US2004HVM: ami-022666956ad401a16 302 | CENTOS7HVM: ami-0a2be7731769e6cc1 303 | # SLES15HVM: ami-EXAMPLE 304 | ap-northeast-1: 305 | AMZNLINUX2: ami-0b276ad63ba2d6009 306 | AMZNLINUX2ARM: ami-012d44a21cdc6962e 307 | US2004HVM: ami-0b0ccc06abc611fa0 308 | CENTOS7HVM: ami-06a46da680048c8ae 309 | SLES15HVM: ami-056ac8ad44e6a7e1f 310 | ap-northeast-2: 311 | AMZNLINUX2: ami-0b827f3319f7447c6 312 | AMZNLINUX2ARM: ami-065bbf792e2f70fd9 313 | US2004HVM: ami-0f49ee52a88cc2435 314 | CENTOS7HVM: ami-06e83aceba2cb0907 315 | SLES15HVM: ami-0f81fff879bafe6b8 316 | ap-northeast-3: 317 | AMZNLINUX2: ami-07420201371095f81 318 | AMZNLINUX2ARM: ami-01a34fdc39c8106e0 319 | US2004HVM: ami-01ae085ceefba2dbf 320 | CENTOS7HVM: ami-02d6b455335e3af14 321 | SLES15HVM: ami-0d8518dd12d11dfc2 322 | ap-south-1: 323 | AMZNLINUX2: ami-00bf4ae5a7909786c 324 | 
AMZNLINUX2ARM: ami-059d1007dcf297b22 325 | US2004HVM: ami-0443fb07ed652c341 326 | CENTOS7HVM: ami-026f33d38b6410e30 327 | SLES15HVM: ami-01be89269d32f2a16 328 | ap-southeast-1: 329 | AMZNLINUX2: ami-0e5182fad1edfaa68 330 | AMZNLINUX2ARM: ami-0390917f7df0de28c 331 | US2004HVM: ami-0f0b17182b1d50c14 332 | CENTOS7HVM: ami-07f65177cb990d65b 333 | SLES15HVM: ami-070356c21596ddc67 334 | ap-southeast-2: 335 | AMZNLINUX2: ami-0c9fe0dec6325a30c 336 | AMZNLINUX2ARM: ami-03b50165937737652 337 | US2004HVM: ami-04b1878ebf78f7370 338 | CENTOS7HVM: ami-0b2045146eb00b617 339 | SLES15HVM: ami-0c4245381c67efb39 340 | ca-central-1: 341 | AMZNLINUX2: ami-0db72f413fc1ddb2a 342 | AMZNLINUX2ARM: ami-0858cdfa55eb68636 343 | US2004HVM: ami-04673916e7c7aa985 344 | CENTOS7HVM: ami-04a25c39dc7a8aebb 345 | SLES15HVM: ami-0c97d9b588207dad6 346 | eu-central-1: 347 | AMZNLINUX2: ami-00f22f6155d6d92c5 348 | AMZNLINUX2ARM: ami-0d1745d072234b13f 349 | US2004HVM: ami-05e1e66d082e56118 350 | CENTOS7HVM: ami-0e8286b71b81c3cc1 351 | SLES15HVM: ami-05dfd265ea534a3e9 352 | me-south-1: 353 | AMZNLINUX2: ami-0880769bc15eeec4f 354 | AMZNLINUX2ARM: ami-001dc219c441b922d 355 | US2004HVM: ami-03cc0b5db8321f2e5 356 | CENTOS7HVM: ami-011c71a894b10f35b 357 | SLES15HVM: ami-0252c6d3a59c7473b 358 | ap-east-1: 359 | AMZNLINUX2: ami-0aca22cb23f122f27 360 | AMZNLINUX2ARM: ami-01f5cec80321bd86e 361 | US2004HVM: ami-0c7e5903bee96ef81 362 | CENTOS7HVM: ami-0e5c29e6c87a9644f 363 | SLES15HVM: ami-0ad6e15bcbb2dbe38 364 | eu-north-1: 365 | AMZNLINUX2: ami-00517306b63c4628c 366 | AMZNLINUX2ARM: ami-00ac6cda13789bb30 367 | US2004HVM: ami-00888f2a5f9be4390 368 | CENTOS7HVM: ami-05788af9005ef9a93 369 | SLES15HVM: ami-0741fa1a008af40ad 370 | eu-south-1: 371 | AMZNLINUX2: ami-0f447354763f0eaac 372 | AMZNLINUX2ARM: ami-011d4067dedd119f5 373 | US2004HVM: ami-035e213233577516f 374 | CENTOS7HVM: ami-03014b98e9665115a 375 | SLES15HVM: ami-051cbea0e7660063d 376 | eu-west-1: 377 | AMZNLINUX2: ami-058b1b7fe545997ae 378 | AMZNLINUX2ARM: 
ami-0f7de803d86d96283 379 | US2004HVM: ami-0298c9e0d2c86b0ed 380 | CENTOS7HVM: ami-0b850cf02cc00fdc8 381 | SLES15HVM: ami-0a58a1b152ba55f1d 382 | eu-west-2: 383 | AMZNLINUX2: ami-03ac5a9b225e99b02 384 | AMZNLINUX2ARM: ami-0c11e20ede9c2bac5 385 | US2004HVM: ami-0230a6736b38ae83e 386 | CENTOS7HVM: ami-09e5afc68eed60ef4 387 | SLES15HVM: ami-01497522185aaa4ee 388 | eu-west-3: 389 | AMZNLINUX2: ami-062fdd189639d3e93 390 | AMZNLINUX2ARM: ami-0e95ca4242883dbf3 391 | US2004HVM: ami-06d3fffafe8d48b35 392 | CENTOS7HVM: ami-0cb72d2e599cffbf9 393 | SLES15HVM: ami-0f238bd4c6fdbefb0 394 | sa-east-1: 395 | AMZNLINUX2: ami-05e809fbeee38dd5e 396 | AMZNLINUX2ARM: ami-06302d3edd8e2b804 397 | US2004HVM: ami-04e56ee48b28650b3 398 | CENTOS7HVM: ami-0b30f38d939dd4b54 399 | SLES15HVM: ami-0772af912976aa692 400 | us-east-1: 401 | AMZNLINUX2: ami-0dc2d3e4c0f9ebd18 402 | AMZNLINUX2ARM: ami-008a8487adc2b32ec 403 | US2004HVM: ami-019212a8baeffb0fa 404 | CENTOS7HVM: ami-0affd4508a5d2481b 405 | SLES15HVM: ami-0b1764f3d7d2e2316 406 | us-gov-west-1: 407 | AMZNLINUX2: ami-0bbf3595bb2fb39ec 408 | AMZNLINUX2ARM: ami-6bd0e80a 409 | SLES15HVM: ami-57c0ba36 410 | us-gov-east-1: 411 | AMZNLINUX2: ami-0cc17d57bec8c6017 412 | AMZNLINUX2ARM: ami-4a31d93b 413 | SLES15HVM: ami-05e4bedfad53425e9 414 | us-east-2: 415 | AMZNLINUX2: ami-0233c2d874b811deb 416 | AMZNLINUX2ARM: ami-02de934ca4f3289e0 417 | US2004HVM: ami-0117d177e96a8481c 418 | CENTOS7HVM: ami-01e36b7901e884a10 419 | SLES15HVM: ami-05ea824317ffc0c20 420 | us-west-1: 421 | AMZNLINUX2: ami-0ed05376b59b90e46 422 | AMZNLINUX2ARM: ami-09027338004f91eb5 423 | US2004HVM: ami-0b08e71a81ba4200f 424 | CENTOS7HVM: ami-098f55b4287a885ba 425 | SLES15HVM: ami-00e34a7624e5a7107 426 | us-west-2: 427 | AMZNLINUX2: ami-0dc8f589abe99f538 428 | AMZNLINUX2ARM: ami-01ee617c4327490d3 429 | US2004HVM: ami-02868af3c3df4b3aa 430 | CENTOS7HVM: ami-0bc06212a56393ee1 431 | SLES15HVM: ami-0f1e3b3fb0fec0361 432 | cn-north-1: 433 | AMZNLINUX2: ami-0c52e2685c7218558 434 | 
AMZNLINUX2ARM: ami-088cc0c104292da9c 435 | CENTOS7HVM: ami-08c16f7e830c0e393 436 | SLES15HVM: ami-021392849b6221a81 437 | cn-northwest-1: 438 | AMZNLINUX2: ami-05b9b6d6acf8ae9b6 439 | AMZNLINUX2ARM: ami-0b5c6ceb80eb57861 440 | CENTOS7HVM: ami-0f21aa96a61df8c44 441 | SLES15HVM: ami-00e1de3ee6d0d28ea 442 | 443 | LinuxAMINameMap: 444 | Amazon-Linux2-HVM: 445 | Code: AMZNLINUX2 446 | OS: Amazon 447 | Amazon-Linux2-HVM-ARM: 448 | Code: AMZNLINUX2ARM 449 | OS: Amazon 450 | CentOS-7-HVM: 451 | Code: CENTOS7HVM 452 | OS: CentOS 453 | Ubuntu-Server-18.04-LTS-HVM: 454 | Code: US1804HVM 455 | OS: Ubuntu 456 | Ubuntu-Server-20.04-LTS-HVM: 457 | Code: US2004HVM 458 | OS: Ubuntu 459 | SUSE-SLES-15-HVM: 460 | Code: SLES15HVM 461 | OS: SLES 462 | 463 | Conditions: 464 | GovCloudCondition: !Equals [!Ref AWS::Region, "us-gov-west-1"] 465 | ConfigureConsul: !And 466 | - !Not [!Equals [!Ref ConsulEc2RetryTagKey, ""]] 467 | - !Not [!Equals [!Ref ConsulEc2RetryTagValue, ""]] 468 | ConfigureConsulServiceMesh: !And 469 | - !Not [!Equals [!Ref ConsulEc2RetryTagKey, ""]] 470 | - !Not [!Equals [!Ref ConsulEc2RetryTagValue, ""]] 471 | - !Equals [!Ref EnableConsulServiceMesh, "true"] 472 | ConfigureRawExec: !Equals [!Ref EnableRawExec, "true"] 473 | 474 | Resources: 475 | NomadClientASG: 476 | Type: "AWS::AutoScaling::AutoScalingGroup" 477 | Properties: 478 | LaunchConfigurationName: !Ref NomadClientLC 479 | MinSize: !Ref NomadClientNodeCount 480 | MaxSize: !Ref NomadClientNodeCount 481 | DesiredCapacity: !Ref NomadClientNodeCount 482 | VPCZoneIdentifier: 483 | - !Ref PrivateSubnet1ID 484 | - !Ref PrivateSubnet2ID 485 | - !Ref PrivateSubnet3ID 486 | Tags: 487 | - Key: Name 488 | Value: !Sub "${AWS::StackName}-Nomad-Client" 489 | PropagateAtLaunch: true 490 | CreationPolicy: 491 | ResourceSignal: 492 | Count: !Ref NomadClientNodeCount 493 | Timeout: PT20M 494 | 495 | NomadClientLC: 496 | Type: AWS::AutoScaling::LaunchConfiguration 497 | Metadata: 498 | cfn-lint: 499 | config: 500 | 
ignore_checks: 501 | - E9101 #ignore warning about kill for Linux related command 502 | AWS::CloudFormation::Init: 503 | configSets: 504 | _base: 505 | - install_and_enable_cfn_hup 506 | - disable_motd 507 | - fetch_nomad 508 | - fetch_consul 509 | - fetch_vault 510 | - fetch_consul_template 511 | _consul: 512 | - consul_install 513 | - setup_coredns 514 | _nomad_client: 515 | - create_nomad_group_user_dir 516 | - fetch_cni_plugins 517 | - install_docker 518 | - nomad_install 519 | cs-nomad: 520 | - ConfigSet: _base 521 | - ConfigSet: _nomad_client 522 | cs-nomad-consul: 523 | - ConfigSet: _base 524 | - create_consul_group_user_dir 525 | - ConfigSet: _consul 526 | - ConfigSet: _nomad_client 527 | cs-nomad-consul-service-mesh: 528 | - ConfigSet: _base 529 | - create_consul_group_user_dir 530 | - enable_consul_service_mesh 531 | - ConfigSet: _consul 532 | - ConfigSet: _nomad_client 533 | cs-enable-rawexec: 534 | - enable_raw_exec 535 | 536 | install_and_enable_cfn_hup: 537 | files: 538 | /etc/cfn/cfn-hup.conf: 539 | content: !Sub | 540 | [main] 541 | stack=${AWS::StackId} 542 | region=${AWS::Region} 543 | mode: "000400" 544 | owner: root 545 | group: root 546 | /etc/cfn/hooks.d/cfn-auto-reloader.conf: 547 | content: !Sub 548 | "[cfn-auto-reloader-hook] 549 | 550 | triggers=post.update 551 | 552 | path=Resources.NomadClientLC.Metadata.AWS::CloudFormation::Init 553 | 554 | action=/usr/local/bin/cfn-init -v 555 | --stack ${AWS::StackName} 556 | --resource NomadClientLC 557 | --configsets cs_install 558 | --region ${AWS::Region} 559 | 560 | runas=root" 561 | /lib/systemd/system/cfn-hup.service: 562 | content: | 563 | [Unit] 564 | Description=cfn-hup daemon 565 | 566 | [Service] 567 | Type=simple 568 | ExecStart=/usr/local/bin/cfn-hup 569 | Restart=always 570 | 571 | [Install] 572 | WantedBy=multi-user.target 573 | commands: 574 | 01enable_cfn_hup: 575 | command: systemctl enable cfn-hup.service 576 | 02start_cfn_hup: 577 | command: systemctl start cfn-hup.service 578 | 
579 | disable_motd: 580 | files: 581 | /home/ubuntu/.hushlogin: 582 | content: | 583 | # disable motd 584 | user: ubuntu 585 | group: ubuntu 586 | mode: "000400" 587 | 588 | create_nomad_group_user_dir: 589 | users: 590 | nomad: 591 | homeDir: /srv/nomad 592 | commands: 593 | 01_create_data_dir: 594 | command: mkdir -p /opt/nomad/data 595 | 02_set_data_dir_permissions: 596 | command: chown -R nomad:nomad /opt/nomad/data 597 | 03_create_config_dir: 598 | command: mkdir -p /opt/nomad/config 599 | 04_set_config_dir_permissions: 600 | command: chown -R root:nomad /opt/nomad/config 601 | 602 | create_consul_group_user_dir: 603 | users: 604 | consul: 605 | homeDir: /srv/consul 606 | commands: 607 | 01_create_data_dir: 608 | command: mkdir -p /opt/consul/data 609 | 02_set_data_dir_permissions: 610 | command: chown -R consul:consul /opt/consul/data 611 | 03_create_config_dir: 612 | command: mkdir -p /opt/consul/config 613 | 04_set_config_dir_permissions: 614 | command: chown -R root:consul /opt/consul/config 615 | 616 | fetch_nomad: 617 | sources: 618 | /usr/bin/: https://releases.hashicorp.com/nomad/1.2.6/nomad_1.2.6_linux_amd64.zip 619 | 620 | fetch_consul: 621 | sources: 622 | /usr/bin/: https://releases.hashicorp.com/consul/1.11.4/consul_1.11.4_linux_amd64.zip 623 | 624 | fetch_vault: 625 | sources: 626 | /usr/bin/: https://releases.hashicorp.com/vault/1.9.4/vault_1.9.4_linux_amd64.zip 627 | 628 | fetch_consul_template: 629 | sources: 630 | /usr/bin/: https://releases.hashicorp.com/consul-template/0.28.0/consul-template_0.28.0_linux_amd64.zip 631 | 632 | nomad_install: 633 | files: 634 | /opt/nomad/config/nomad.hcl: 635 | content: !Sub | 636 | bind_addr = "0.0.0.0" 637 | data_dir = "/opt/nomad/data" 638 | datacenter = "${NomadDatacenter}" 639 | log_level = "WARN" 640 | advertise { 641 | http = "{{{InterfaceTemplate}}}" 642 | rpc = "{{{InterfaceTemplate}}}" 643 | serf = "{{{InterfaceTemplate}}}" 644 | } 645 | context: 646 | InterfaceTemplate: '{{ GetDefaultInterfaces | 
include \"type\" \"ipv4\" | attr \"address\" }}' 647 | user: root 648 | group: nomad 649 | /opt/nomad/config/client.hcl: 650 | content: !Sub | 651 | client { 652 | enabled = true 653 | 654 | server_join { 655 | retry_join = ["provider=aws region=${AWS::Region} tag_key=${NomadEc2RetryTagKey} tag_value=${NomadEc2RetryTagValue}"] 656 | } 657 | } 658 | user: root 659 | group: nomad 660 | /etc/systemd/system/nomad.service: 661 | content: | 662 | [Unit] 663 | Description=HashiCorp Nomad 664 | Documentation=https://nomadproject.io/docs/ 665 | Wants=network-online.target 666 | After=network-online.target 667 | ConditionFileNotEmpty=/opt/nomad/config/nomad.hcl 668 | ConditionFileNotEmpty=/opt/nomad/config/client.hcl 669 | 670 | # Start Consul before Nomad to avoid Nomad logging that Consul 671 | # is unavailable at startup. 672 | {{maybe_comment_consul}}Wants=consul.service 673 | {{maybe_comment_consul}}After=consul.service 674 | 675 | [Service] 676 | Type=simple 677 | User=root 678 | Group=root 679 | EnvironmentFile=-/opt/nomad/config/nomad.env 680 | ExecReload=/bin/kill -HUP $MAINPID 681 | ExecStart=/usr/bin/nomad agent -config /opt/nomad/config 682 | 683 | KillMode=process 684 | KillSignal=SIGINT 685 | LimitNOFILE=65536 686 | LimitNPROC=infinity 687 | Restart=on-failure 688 | TimeoutSec=300s 689 | RestartSec=2 690 | 691 | ## Configure unit start rate limiting. Units which are started more than 692 | ## *burst* times within an *interval* time span are not permitted to start any 693 | ## more. Use `StartLimitIntervalSec` or `StartLimitInterval` (depending on 694 | ## systemd version) to configure the checking interval and `StartLimitBurst` 695 | ## to configure how many starts per interval are allowed. The values in the 696 | ## commented lines are defaults. 
697 | # StartLimitBurst = 5 698 | 699 | ## StartLimitIntervalSec is used for systemd versions >= 230 700 | # StartLimitIntervalSec = 10s 701 | 702 | ## StartLimitInterval is used for systemd versions < 230 703 | # StartLimitInterval = 10s 704 | 705 | TasksMax=infinity 706 | OOMScoreAdjust=-1000 707 | 708 | [Install] 709 | WantedBy=multi-user.target 710 | context: 711 | maybe_comment_consul: !If [ConfigureConsul, "", "#"] 712 | commands: 713 | 00_fill_nomad_config_nodename: 714 | command: echo "name = \"$(curl -s http://169.254.169.254/latest/meta-data/instance-id)\"" > /opt/nomad/config/nodename.hcl 715 | 01_change_data_dir_owner: 716 | command: chown -R root:root /opt/nomad/data 717 | 02_change_config_dir_owner: 718 | command: chown -R root:nomad /opt/nomad/config 719 | 03_chmod_config_dir: 720 | command: chmod 755 /opt/nomad/config 721 | 04_chmod_config_files: 722 | command: chmod 644 /opt/nomad/config/*.hcl 723 | 05_reload_systemd: 724 | command: systemctl daemon-reload 725 | 06_enable_service: 726 | command: systemctl enable nomad 727 | 07_start_service: 728 | command: systemctl start nomad 729 | 730 | enable_consul_service_mesh: 731 | files: 732 | /opt/consul/config/connect.hcl: 733 | content: | 734 | ports { 735 | grpc = 8502 736 | } 737 | connect { 738 | enabled = true 739 | } 740 | owner: root 741 | group: consul 742 | 743 | consul_install: 744 | files: 745 | /opt/consul/config/consul.hcl: 746 | content: !Sub | 747 | data_dir = "/opt/consul/data" 748 | client_addr = "0.0.0.0" 749 | bind_addr = "{{{InterfaceTemplate}}}" 750 | datacenter = "${ConsulDatacenter}" 751 | log_level = "WARN" 752 | ui_config { 753 | enabled = true 754 | } 755 | telemetry { 756 | disable_compat_1.9 = true 757 | } 758 | context: 759 | InterfaceTemplate: '{{ GetDefaultInterfaces | include \"type\" \"ipv4\" | attr \"address\" }}' 760 | owner: root 761 | group: consul 762 | /opt/consul/config/client.hcl: 763 | content: !Sub | 764 | retry_join = ["provider=aws region=${AWS::Region} 
tag_key=${ConsulEc2RetryTagKey} tag_value=${ConsulEc2RetryTagValue}"] 765 | owner: root 766 | group: consul 767 | /etc/systemd/system/consul.service: 768 | content: | 769 | [Unit] 770 | Description="HashiCorp Consul - A service mesh solution" 771 | Documentation=https://www.consul.io/ 772 | Requires=network-online.target 773 | After=network-online.target 774 | ConditionFileNotEmpty=/opt/consul/config/consul.hcl 775 | ConditionFileNotEmpty=/opt/consul/config/client.hcl 776 | 777 | [Service] 778 | Type=notify 779 | EnvironmentFile=-/opt/consul/config/consul.env 780 | User=consul 781 | Group=consul 782 | ExecStart=/usr/bin/consul agent -config-dir=/opt/consul/config 783 | ExecReload=/bin/kill --signal HUP $MAINPID 784 | KillMode=process 785 | KillSignal=SIGTERM 786 | Restart=on-failure 787 | LimitNOFILE=65536 788 | 789 | [Install] 790 | WantedBy=multi-user.target 791 | owner: root 792 | group: root 793 | commands: 794 | 00_fill_consul_config_nodename: 795 | command: echo "node_name = \"$(curl -s http://169.254.169.254/latest/meta-data/instance-id)\"" > /opt/consul/config/nodename.hcl 796 | 01_change_data_dir_owner: 797 | command: chown -R consul:consul /opt/consul/data 798 | 02_change_config_dir_owner: 799 | command: chown -R root:consul /opt/consul/config 800 | 03_chmod_config_dir: 801 | command: chmod 755 /opt/consul/config 802 | 04_chmod_config_files: 803 | command: chmod 644 /opt/consul/config/*.hcl 804 | 05_reload_systemd: 805 | command: systemctl daemon-reload 806 | 06_enable_consul: 807 | command: systemctl enable consul 808 | 07_start_consul: 809 | command: systemctl start consul 810 | 811 | setup_dnsmasq: 812 | files: 813 | /etc/dnsmasq.d/consul: 814 | content: | 815 | server=/consul/127.0.0.1#8600 816 | listen-address=127.0.0.1 817 | bind-interfaces 818 | /usr/local/etc/dnsmasq.conf: 819 | content: | 820 | no-resolv 821 | packages: 822 | apt: 823 | dnsmasq-base: [] 824 | dnsmasq: [] 825 | jq: [] 826 | commands: 827 | 01_start_dnsmasq: 828 | command: service 
dnsmasq restart 829 | 830 | setup_coredns: 831 | users: 832 | coredns: 833 | homeDir: /srv/coredns 834 | sources: 835 | /usr/bin: https://github.com/coredns/coredns/releases/download/v1.8.4/coredns_1.8.4_linux_amd64.tgz 836 | files: 837 | /etc/systemd/system/coredns.service: 838 | content: | 839 | [Unit] 840 | Description=CoreDNS DNS server 841 | Documentation=https://coredns.io 842 | After=network.target 843 | 844 | [Service] 845 | PermissionsStartOnly=true 846 | LimitNOFILE=1048576 847 | LimitNPROC=512 848 | CapabilityBoundingSet=CAP_NET_BIND_SERVICE 849 | AmbientCapabilities=CAP_NET_BIND_SERVICE 850 | NoNewPrivileges=true 851 | User=coredns 852 | WorkingDirectory=~ 853 | ExecStart=/usr/bin/coredns -conf=/etc/coredns/Corefile 854 | ExecReload=/bin/kill -SIGUSR1 $MAINPID 855 | Restart=on-failure 856 | 857 | [Install] 858 | WantedBy=multi-user.target 859 | /etc/coredns/Corefile: 860 | content: | 861 | . { 862 | forward . /run/systemd/resolve/resolv.conf 863 | } 864 | consul { 865 | forward . 
dns://127.0.0.1:8600 866 | } 867 | user: root 868 | group: root 869 | mode: "000644" 870 | /etc/resolv.conf: 871 | content: | 872 | nameserver 127.0.0.1 873 | options edns0 trust-ad 874 | search ec2.internal 875 | user: root 876 | group: root 877 | mode: "000644" 878 | commands: 879 | 00_make_homedir: 880 | command: mkdir -p /srv/coredns 881 | 01_change_owner: 882 | command: chown -R coredns:coredns /srv/coredns 883 | 02_reload_systemd: 884 | command: systemctl daemon-reload 885 | 03_disable_resolved_DNSStubListener: 886 | command: echo "DNSStubListener=no" >> /etc/systemd/resolved.conf 887 | 04_restart_resolved: 888 | command: systemctl restart systemd-resolved.service 889 | 05_start_service: 890 | command: systemctl start coredns 891 | 06_enable_service: 892 | command: systemctl enable coredns 893 | 894 | install_docker: 895 | packages: 896 | apt: 897 | docker.io: [] 898 | 899 | fetch_cni_plugins: 900 | sources: 901 | /opt/cni/bin/: https://github.com/containernetworking/plugins/releases/download/v0.9.1/cni-plugins-linux-amd64-v0.9.1.tgz 902 | 903 | enable_raw_exec: 904 | files: 905 | /opt/nomad/config/raw_exec.hcl: 906 | content: | 907 | plugin "raw_exec" { 908 | config { 909 | enabled = true 910 | } 911 | } 912 | user: root 913 | group: nomad 914 | mode: "000644" 915 | 916 | Properties: 917 | InstanceType: !Ref NomadClientInstanceType 918 | AssociatePublicIpAddress: false 919 | SecurityGroups: 920 | - !Ref NomadClientSecurityGroup 921 | KeyName: !Ref KeyPairName 922 | ImageId: !FindInMap 923 | - AWSAMIRegionMap 924 | - !Ref 'AWS::Region' 925 | - !FindInMap [LinuxAMINameMap, !Ref NomadClientAMIOS, Code] 926 | IamInstanceProfile: !Ref NomadClientProfile 927 | UserData: 928 | Fn::Base64: !Sub 929 | - | 930 | #!/bin/bash -x 931 | #CFN Functions 932 | function cfn_fail 933 | { 934 | cfn-signal -e 1 --stack ${AWS::StackName} --region ${AWS::Region} --resource NomadClientASG 935 | } 936 | function cfn_success 937 | { 938 | cfn-signal -e 0 --stack ${AWS::StackName} 
--region ${AWS::Region} --resource NomadClientASG 939 | exit 0 940 | } 941 | function cfn_fail_log 942 | { 943 | journalctl -b --no-pager -u nomad 944 | for I in /opt/nomad/config/*.hcl 945 | do 946 | echo "## $I" 947 | echo ""; echo '```' 948 | cat $I 949 | echo ""; echo '```'; echo "" 950 | done 951 | systemctl status nomad.service 952 | } 953 | S3URI=https://${QSS3BucketName}.${S3Region}.amazonaws.com/${QSS3KeyPrefix} 954 | apt-get -y update 955 | # Install git 956 | apt-get install -y git jq 957 | #Load Linux utils 958 | until git clone https://github.com/aws-quickstart/quickstart-linux-utilities.git ; do echo "Retrying"; done 959 | cd /quickstart-linux-utilities && source quickstart-cfn-tools.source 960 | # Prep operating systems 961 | qs_update-os || qs_err 962 | qs_bootstrap_pip || qs_err 963 | qs_aws-cfn-bootstrap || qs_err 964 | #cfn-init 965 | echo "Executing config-sets" 966 | cfn-init -v --stack ${AWS::StackName} --resource NomadClientLC --configsets ${ConfigSets} --region ${AWS::Region} 967 | STATUS=$? 
968 | echo signal cfn success/failure 969 | [ $STATUS == 0 ] || cfn_fail 970 | echo log info on failure 971 | [ $STATUS == 0 ] || cfn_fail_log 972 | 973 | # Signal cfn-init (final check) 974 | [ $(qs_status) == 0 ] && cfn_success || cfn_fail 975 | - ConfigSets: !Join 976 | - '' 977 | - - !If 978 | - ConfigureConsulServiceMesh 979 | - cs-nomad-consul-service-mesh 980 | - !If 981 | - ConfigureConsul 982 | - cs-nomad-consul 983 | - cs-nomad 984 | - !If [ConfigureRawExec, ',cs-enable-rawexec', ''] 985 | S3Region: !If [GovCloudCondition, s3-us-gov-west-1, s3] 986 | 987 | NomadClientRole: 988 | Type: AWS::IAM::Role 989 | Properties: 990 | AssumeRolePolicyDocument: 991 | Statement: 992 | - Action: "sts:AssumeRole" 993 | Principal: 994 | Service: ec2.amazonaws.com 995 | Effect: Allow 996 | Sid: "" 997 | Policies: 998 | - PolicyDocument: 999 | Version: 2012-10-17 1000 | Statement: 1001 | - Action: 1002 | - "s3:GetObject" 1003 | Resource: !Sub "arn:${AWS::Partition}:s3:::${QSS3BucketName}/${QSS3KeyPrefix}*" 1004 | Effect: Allow 1005 | PolicyName: AuthenticatedS3GetObjects 1006 | 1007 | NomadClientPolicy: 1008 | Type: AWS::IAM::Policy 1009 | Properties: 1010 | PolicyName: nomad-client 1011 | PolicyDocument: 1012 | Statement: 1013 | - Effect: Allow 1014 | Action: "ec2:DescribeInstances" 1015 | Resource: "*" 1016 | Roles: 1017 | - !Ref NomadClientRole 1018 | 1019 | NomadClientProfile: 1020 | Type: AWS::IAM::InstanceProfile 1021 | Properties: 1022 | Path: / 1023 | Roles: 1024 | - !Ref NomadClientRole 1025 | 1026 | NomadClientLogsBucket: 1027 | Type: AWS::S3::Bucket 1028 | DeletionPolicy: Retain 1029 | UpdateReplacePolicy: Retain 1030 | 1031 | NomadClientLogsBucketPolicy: 1032 | Type: AWS::S3::BucketPolicy 1033 | Properties: 1034 | Bucket: !Ref NomadClientLogsBucket 1035 | PolicyDocument: 1036 | Version: 2012-10-17 1037 | Statement: 1038 | - Sid: NomadQSGALBAccessLogs 1039 | Action: 1040 | - "s3:PutObject" 1041 | Effect: Allow 1042 | Resource: !Sub 
"arn:${AWS::Partition}:s3:::${NomadClientLogsBucket}/NomadALBLogs/*" 1043 | Principal: 1044 | AWS: !Sub 1045 | - "arn:${AWS::Partition}:iam::${RegionELBAccountId}:root" 1046 | - RegionELBAccountId: !FindInMap 1047 | - RegionELBAccountId 1048 | - !Ref "AWS::Region" 1049 | - AccountId 1050 | 1051 | Outputs: 1052 | NomadEc2RetryTagKey: 1053 | Value: !Ref NomadEc2RetryTagKey 1054 | Description: 1055 | The EC2 instance tag key to filter on when joining to other Nomad nodes. 1056 | 1057 | NomadEc2RetryTagValue: 1058 | Value: !Ref NomadEc2RetryTagValue 1059 | Description: 1060 | The EC2 instance tag value to filter on when joining to other Nomad nodes. 1061 | 1062 | NomadClientASG: 1063 | Value: !Ref NomadClientASG 1064 | Description: 'The Nomad client autoscaling group.' 1065 | 1066 | 1067 | NomadClientLogsBucket: 1068 | Value: !Ref NomadClientLogsBucket 1069 | Description: 'The S3 Bucket created for Nomad client logs.' 1070 | -------------------------------------------------------------------------------- /templates/quickstart-hashicorp-nomad-servers.template.yaml: -------------------------------------------------------------------------------- 1 | AWSTemplateFormatVersion: 2010-09-09 2 | Description: "HashiCorp Nomad (Please do not remove) Aug,28,2019 (qs-1nae6brn2)" 3 | Metadata: 4 | LintSpellExclude: 5 | - datacenter 6 | - xxxxxxxx 7 | SentenceCaseExclude: 8 | - Nomad 9 | - Consul 10 | QuickStartDocumentation: 11 | EntrypointName: "Launch into an existing VPC" 12 | LICENSE: "Apache License, Version 2.0" 13 | 'AWS::CloudFormation::Interface': 14 | ParameterGroups: 15 | - Label: {default: "VPC network configuration"} 16 | Parameters: 17 | - PrivateSubnet1ID 18 | - PrivateSubnet2ID 19 | - PrivateSubnet3ID 20 | - PublicSubnet1ID 21 | - PublicSubnet2ID 22 | - PublicSubnet3ID 23 | - VPCID 24 | - Label: {default: "Nomad cluster ALB configuration"} 25 | Parameters: 26 | - SSLCertificateId 27 | - Label: {default: "Nomad cluster setup"} 28 | Parameters: 29 | - 
NomadServerSecurityGroup 30 | - NomadServerInstanceType 31 | - NomadServerNodeCount 32 | - NomadServerAMIOS 33 | - KeyPairName 34 | 35 | - NomadEc2RetryTagKey 36 | - NomadEc2RetryTagValue 37 | - NomadDatacenter 38 | - Label: {default: "Consul agent configuration"} 39 | Parameters: 40 | - ConsulEc2RetryTagKey 41 | - ConsulEc2RetryTagValue 42 | - ConsulDatacenter 43 | - EnableConsulServiceMesh 44 | - Label: {default: "AWS Quick Start configuration"} 45 | Parameters: 46 | - QSS3BucketName 47 | - QSS3KeyPrefix 48 | ParameterLabels: 49 | # VPC network configuration 50 | PrivateSubnet1ID: 51 | default: Private Subnet 1 ID 52 | PrivateSubnet2ID: 53 | default: Private Subnet 2 ID 54 | PrivateSubnet3ID: 55 | default: Private Subnet 3 ID 56 | PublicSubnet1ID: 57 | default: Public Subnet 1 ID 58 | PublicSubnet2ID: 59 | default: Public Subnet 2 ID 60 | PublicSubnet3ID: 61 | default: Public Subnet 3 ID 62 | VPCID: 63 | default: VPC ID 64 | 65 | # Nomad cluster ALB configuration 66 | SSLCertificateId: 67 | default: SSL certificate ID 68 | 69 | # Nomad cluster setup 70 | # -- Nomad Instance Configuration -- 71 | NomadServerSecurityGroup: 72 | default: Nomad Server security group ID 73 | NomadServerInstanceType: 74 | default: Nomad server node instance type 75 | NomadServerNodeCount: 76 | default: Number of Nomad server nodes 77 | NomadServerAMIOS: 78 | default: Operating system for Nomad server nodes 79 | KeyPairName: 80 | default: Key name 81 | 82 | # -- Nomad Application Configuration -- 83 | NomadEc2RetryTagKey: 84 | default: Tag key for Nomad cluster nodes 85 | NomadEc2RetryTagValue: 86 | default: Tag value for Nomad cluster nodes 87 | NomadDatacenter: 88 | default: "Nomad Config: datacenter" 89 | 90 | # Consul agent configuration 91 | ConsulEc2RetryTagKey: 92 | default: Tag key for Consul server nodes 93 | ConsulEc2RetryTagValue: 94 | default: Tag value for Consul server nodes 95 | ConsulDatacenter: 96 | default: "Consul Config: datacenter" 97 | EnableConsulServiceMesh: 98 | 
default: Enable Consul service mesh for Nomad cluster 99 | 100 | # AWS Quick Start configuration 101 | QSS3BucketName: 102 | default: Quick Start S3 bucket name 103 | QSS3KeyPrefix: 104 | default: Quick Start S3 key prefix 105 | 106 | Parameters: 107 | # VPC network configuration 108 | PrivateSubnet1ID: 109 | Description: "ID of the private subnet 1 in Availability Zone 1 (e.g., subnet-xxxxxxxx)." 110 | Type: "AWS::EC2::Subnet::Id" 111 | PrivateSubnet2ID: 112 | Description: "ID of the private subnet 2 in Availability Zone 2 (e.g., subnet-xxxxxxxx)." 113 | Type: "AWS::EC2::Subnet::Id" 114 | PrivateSubnet3ID: 115 | Description: "ID of the private subnet 3 in Availability Zone 3 (e.g., subnet-xxxxxxxx)." 116 | Type: "AWS::EC2::Subnet::Id" 117 | PublicSubnet1ID: 118 | Description: "ID of the public subnet 1 in Availability Zone 1 (e.g., subnet-xxxxxxxx)." 119 | Type: "AWS::EC2::Subnet::Id" 120 | PublicSubnet2ID: 121 | Description: "ID of the public subnet 2 in Availability Zone 2 (e.g., subnet-xxxxxxxx)." 122 | Type: "AWS::EC2::Subnet::Id" 123 | PublicSubnet3ID: 124 | Description: "ID of the public subnet 3 in Availability Zone 3 (e.g., subnet-xxxxxxxx)." 125 | Type: "AWS::EC2::Subnet::Id" 126 | VPCID: 127 | Description: VPC ID. 128 | Type: "AWS::EC2::VPC::Id" 129 | 130 | # Nomad cluster ALB configuration 131 | SSLCertificateId: 132 | Description: 'The SSL certificate to use for the Nomad server instances.' 133 | Type: 'String' 134 | 135 | # Nomad cluster setup 136 | # -- Nomad Instance Configuration -- 137 | NomadServerSecurityGroup: 138 | Description: 'The security group to apply to client nodes at startup (e.g., sg-7f16e910).' 139 | Type: 'AWS::EC2::SecurityGroup::Id' 140 | NomadServerInstanceType: 141 | Type: String 142 | Description: The EC2 instance type for the Nomad instances. 
143 | AllowedValues: 144 | - t2.micro 145 | - t2.small 146 | - t2.medium 147 | - t2.large 148 | - t3.micro 149 | - t3.small 150 | - t3.medium 151 | - t3.large 152 | - m5.large 153 | - m5.xlarge 154 | - m5.2xlarge 155 | - m4.large 156 | - m4.xlarge 157 | - m3.medium 158 | - m3.large 159 | - m3.xlarge 160 | - m3.2xlarge 161 | - c4.large 162 | - c4.xlarge 163 | - c4.2xlarge 164 | - c4.4xlarge 165 | - c4.8xlarge 166 | - c3.large 167 | - c3.xlarge 168 | - c3.2xlarge 169 | - c3.4xlarge 170 | - c3.8xlarge 171 | - r3.large 172 | - r3.xlarge 173 | - r3.2xlarge 174 | - r3.4xlarge 175 | - r3.8xlarge 176 | - i2.xlarge 177 | - i2.2xlarge 178 | - i2.4xlarge 179 | - i2.8xlarge 180 | ConstraintDescription: Choose an instance type. 181 | Default: m5.large 182 | NomadServerNodeCount: 183 | Type: String 184 | Description: The number of Nomad server nodes that will be created. You can choose 3, 5, or 7 nodes. 185 | AllowedValues: 186 | - "1" 187 | - "3" 188 | - "5" 189 | - "7" 190 | Default: "3" 191 | NomadServerAMIOS: 192 | AllowedValues: 193 | - Amazon-Linux2-HVM 194 | - Amazon-Linux2-HVM-ARM 195 | - CentOS-7-HVM 196 | - Ubuntu-Server-20.04-LTS-HVM 197 | - SUSE-SLES-15-HVM 198 | Default: Ubuntu-Server-20.04-LTS-HVM 199 | Description: The Linux distribution for the AMI to be used for the Nomad server instances. 200 | Type: String 201 | KeyPairName: 202 | Description: Name of an existing EC2 KeyPair to enable SSH access to the instances. 203 | Type: "AWS::EC2::KeyPair::KeyName" 204 | # MinLength: 1 205 | ConstraintDescription: Must be the name of an existing EC2 KeyPair. 206 | # -- Nomad Application Configuration -- 207 | NomadEc2RetryTagKey: 208 | Description: 209 | The EC2 instance tag key to filter on when joining to other Nomad 210 | nodes. 211 | Type: String 212 | Default: "quickstart-nomad-cluster" 213 | ConstraintDescription: Must match EC2 Tag Name requirements. 
214 | NomadEc2RetryTagValue: 215 | Description: 216 | The EC2 instance tag value to filter on when joining to other Nomad 217 | nodes. 218 | Type: String 219 | Default: "nomad-member-node" 220 | ConstraintDescription: Must match EC2 Tag Name requirements. 221 | NomadDatacenter: 222 | Description: 223 | The datacenter name to use for the Nomad cluster configuration. 224 | Type: String 225 | Default: "dc1" 226 | ConstraintDescription: Must be DNS-compatible. 227 | 228 | # Consul agent configuration 229 | ConsulEc2RetryTagKey: 230 | Description: 231 | The EC2 instance tag key to filter on when joining a Consul cluster. 232 | Type: String 233 | Default: "" 234 | ConstraintDescription: Must match EC2 Tag Name requirements. 235 | ConsulEc2RetryTagValue: 236 | Description: 237 | The EC2 instance tag key to filter on when joining a Consul cluster. 238 | Type: String 239 | Default: "" 240 | ConstraintDescription: Must match EC2 Tag Name requirements. 241 | ConsulDatacenter: 242 | Description: 243 | The datacenter name to use for the Consul cluster configuration. 244 | Type: String 245 | Default: "dc1" 246 | ConstraintDescription: Must be DNS-compatible. 247 | EnableConsulServiceMesh: 248 | Description: Enable Consul service mesh on the Nomad clients. 249 | Type: String 250 | Default: "false" 251 | AllowedValues: 252 | - "true" 253 | - "false" 254 | 255 | # AWS Quick Start configuration 256 | QSS3BucketName: 257 | AllowedPattern: "^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$" 258 | ConstraintDescription: >- 259 | Quick Start bucket name can include numbers, lowercase letters, uppercase 260 | letters, and hyphens (-). It cannot start or end with a hyphen (-). 261 | Default: "aws-quickstart" 262 | Description: >- 263 | S3 bucket name for the Quick Start assets. Quick Start bucket name can 264 | include numbers, lowercase letters, uppercase letters, and hyphens (-). It 265 | cannot start or end with a hyphen (-). 
266 | Type: String 267 | QSS3KeyPrefix: 268 | AllowedPattern: "^[0-9a-zA-Z-/]*$" 269 | ConstraintDescription: >- 270 | Quick Start key prefix can include numbers, lowercase letters, uppercase 271 | letters, hyphens (-), and forward slash (/). 272 | Default: "quickstart-hashicorp-nomad/" 273 | Description: >- 274 | S3 key prefix for the Quick Start assets. Quick Start key prefix can 275 | include numbers, lowercase letters, uppercase letters, hyphens (-), and 276 | forward slash (/). 277 | Type: String 278 | 279 | Rules: 280 | ArmInstanceServer: 281 | RuleCondition: !Equals ["Amazon-Linux2-HVM-ARM", !Ref NomadServerAMIOS] 282 | Assertions: 283 | - Assert: !Contains 284 | - - t4g.nano 285 | - t4g.medium 286 | - t4g.large 287 | - t4g.micro 288 | - t4g.small 289 | - t4g.2xlarge 290 | - t4g.xlarge 291 | - !Ref 'NomadServerInstanceType' 292 | AssertDescription: This instance type must use NomadServerInstanceType type of Amazon-Linux2-HVM-ARM. 293 | 294 | Mappings: 295 | RegionELBAccountId: 296 | ap-east-1: 297 | AccountId: "754344448648" 298 | ap-northeast-1: 299 | AccountId: "582318560864" 300 | ap-northeast-2: 301 | AccountId: "600734575887" 302 | ap-northeast-3: 303 | AccountId: "383597477331" 304 | ap-southeast-1: 305 | AccountId: "114774131450" 306 | ap-southeast-2: 307 | AccountId: "783225319266" 308 | ap-south-1: 309 | AccountId: "718504428378" 310 | me-south-1: 311 | AccountId: "076674570225" 312 | ca-central-1: 313 | AccountId: "985666609251" 314 | eu-central-1: 315 | AccountId: "054676820928" 316 | eu-north-1: 317 | AccountId: "897822967062" 318 | eu-west-1: 319 | AccountId: "156460612806" 320 | eu-west-2: 321 | AccountId: "652711504416" 322 | eu-west-3: 323 | AccountId: "009996457667" 324 | sa-east-1: 325 | AccountId: "507241528517" 326 | us-east-1: 327 | AccountId: "127311923021" 328 | us-east-2: 329 | AccountId: "033677994240" 330 | us-west-1: 331 | AccountId: "027434742980" 332 | us-west-2: 333 | AccountId: "797873946194" 334 | 335 | AWSAMIRegionMap: 336 | 
af-south-1: 337 | AMZNLINUX2: ami-0936d2754993c364e 338 | AMZNLINUX2ARM: ami-01d326fa7db123542 339 | US2004HVM: ami-022666956ad401a16 340 | CENTOS7HVM: ami-0a2be7731769e6cc1 341 | # SLES15HVM: ami-EXAMPLE 342 | ap-northeast-1: 343 | AMZNLINUX2: ami-0b276ad63ba2d6009 344 | AMZNLINUX2ARM: ami-012d44a21cdc6962e 345 | US2004HVM: ami-0b0ccc06abc611fa0 346 | CENTOS7HVM: ami-06a46da680048c8ae 347 | SLES15HVM: ami-056ac8ad44e6a7e1f 348 | ap-northeast-2: 349 | AMZNLINUX2: ami-0b827f3319f7447c6 350 | AMZNLINUX2ARM: ami-065bbf792e2f70fd9 351 | US2004HVM: ami-0f49ee52a88cc2435 352 | CENTOS7HVM: ami-06e83aceba2cb0907 353 | SLES15HVM: ami-0f81fff879bafe6b8 354 | ap-northeast-3: 355 | AMZNLINUX2: ami-07420201371095f81 356 | AMZNLINUX2ARM: ami-01a34fdc39c8106e0 357 | US2004HVM: ami-01ae085ceefba2dbf 358 | CENTOS7HVM: ami-02d6b455335e3af14 359 | SLES15HVM: ami-0d8518dd12d11dfc2 360 | ap-south-1: 361 | AMZNLINUX2: ami-00bf4ae5a7909786c 362 | AMZNLINUX2ARM: ami-059d1007dcf297b22 363 | US2004HVM: ami-0443fb07ed652c341 364 | CENTOS7HVM: ami-026f33d38b6410e30 365 | SLES15HVM: ami-01be89269d32f2a16 366 | ap-southeast-1: 367 | AMZNLINUX2: ami-0e5182fad1edfaa68 368 | AMZNLINUX2ARM: ami-0390917f7df0de28c 369 | US2004HVM: ami-0f0b17182b1d50c14 370 | CENTOS7HVM: ami-07f65177cb990d65b 371 | SLES15HVM: ami-070356c21596ddc67 372 | ap-southeast-2: 373 | AMZNLINUX2: ami-0c9fe0dec6325a30c 374 | AMZNLINUX2ARM: ami-03b50165937737652 375 | US2004HVM: ami-04b1878ebf78f7370 376 | CENTOS7HVM: ami-0b2045146eb00b617 377 | SLES15HVM: ami-0c4245381c67efb39 378 | ca-central-1: 379 | AMZNLINUX2: ami-0db72f413fc1ddb2a 380 | AMZNLINUX2ARM: ami-0858cdfa55eb68636 381 | US2004HVM: ami-04673916e7c7aa985 382 | CENTOS7HVM: ami-04a25c39dc7a8aebb 383 | SLES15HVM: ami-0c97d9b588207dad6 384 | eu-central-1: 385 | AMZNLINUX2: ami-00f22f6155d6d92c5 386 | AMZNLINUX2ARM: ami-0d1745d072234b13f 387 | US2004HVM: ami-05e1e66d082e56118 388 | CENTOS7HVM: ami-0e8286b71b81c3cc1 389 | SLES15HVM: ami-05dfd265ea534a3e9 390 | me-south-1: 
391 | AMZNLINUX2: ami-0880769bc15eeec4f 392 | AMZNLINUX2ARM: ami-001dc219c441b922d 393 | US2004HVM: ami-03cc0b5db8321f2e5 394 | CENTOS7HVM: ami-011c71a894b10f35b 395 | SLES15HVM: ami-0252c6d3a59c7473b 396 | ap-east-1: 397 | AMZNLINUX2: ami-0aca22cb23f122f27 398 | AMZNLINUX2ARM: ami-01f5cec80321bd86e 399 | US2004HVM: ami-0c7e5903bee96ef81 400 | CENTOS7HVM: ami-0e5c29e6c87a9644f 401 | SLES15HVM: ami-0ad6e15bcbb2dbe38 402 | eu-north-1: 403 | AMZNLINUX2: ami-00517306b63c4628c 404 | AMZNLINUX2ARM: ami-00ac6cda13789bb30 405 | US2004HVM: ami-00888f2a5f9be4390 406 | CENTOS7HVM: ami-05788af9005ef9a93 407 | SLES15HVM: ami-0741fa1a008af40ad 408 | eu-south-1: 409 | AMZNLINUX2: ami-0f447354763f0eaac 410 | AMZNLINUX2ARM: ami-011d4067dedd119f5 411 | US2004HVM: ami-035e213233577516f 412 | CENTOS7HVM: ami-03014b98e9665115a 413 | SLES15HVM: ami-051cbea0e7660063d 414 | eu-west-1: 415 | AMZNLINUX2: ami-058b1b7fe545997ae 416 | AMZNLINUX2ARM: ami-0f7de803d86d96283 417 | US2004HVM: ami-0298c9e0d2c86b0ed 418 | CENTOS7HVM: ami-0b850cf02cc00fdc8 419 | SLES15HVM: ami-0a58a1b152ba55f1d 420 | eu-west-2: 421 | AMZNLINUX2: ami-03ac5a9b225e99b02 422 | AMZNLINUX2ARM: ami-0c11e20ede9c2bac5 423 | US2004HVM: ami-0230a6736b38ae83e 424 | CENTOS7HVM: ami-09e5afc68eed60ef4 425 | SLES15HVM: ami-01497522185aaa4ee 426 | eu-west-3: 427 | AMZNLINUX2: ami-062fdd189639d3e93 428 | AMZNLINUX2ARM: ami-0e95ca4242883dbf3 429 | US2004HVM: ami-06d3fffafe8d48b35 430 | CENTOS7HVM: ami-0cb72d2e599cffbf9 431 | SLES15HVM: ami-0f238bd4c6fdbefb0 432 | sa-east-1: 433 | AMZNLINUX2: ami-05e809fbeee38dd5e 434 | AMZNLINUX2ARM: ami-06302d3edd8e2b804 435 | US2004HVM: ami-04e56ee48b28650b3 436 | CENTOS7HVM: ami-0b30f38d939dd4b54 437 | SLES15HVM: ami-0772af912976aa692 438 | us-east-1: 439 | AMZNLINUX2: ami-0dc2d3e4c0f9ebd18 440 | AMZNLINUX2ARM: ami-008a8487adc2b32ec 441 | US2004HVM: ami-019212a8baeffb0fa 442 | CENTOS7HVM: ami-0affd4508a5d2481b 443 | SLES15HVM: ami-0b1764f3d7d2e2316 444 | us-gov-west-1: 445 | AMZNLINUX2: 
ami-0bbf3595bb2fb39ec 446 | AMZNLINUX2ARM: ami-6bd0e80a 447 | SLES15HVM: ami-57c0ba36 448 | us-gov-east-1: 449 | AMZNLINUX2: ami-0cc17d57bec8c6017 450 | AMZNLINUX2ARM: ami-4a31d93b 451 | SLES15HVM: ami-05e4bedfad53425e9 452 | us-east-2: 453 | AMZNLINUX2: ami-0233c2d874b811deb 454 | AMZNLINUX2ARM: ami-02de934ca4f3289e0 455 | US2004HVM: ami-0117d177e96a8481c 456 | CENTOS7HVM: ami-01e36b7901e884a10 457 | SLES15HVM: ami-05ea824317ffc0c20 458 | us-west-1: 459 | AMZNLINUX2: ami-0ed05376b59b90e46 460 | AMZNLINUX2ARM: ami-09027338004f91eb5 461 | US2004HVM: ami-0b08e71a81ba4200f 462 | CENTOS7HVM: ami-098f55b4287a885ba 463 | SLES15HVM: ami-00e34a7624e5a7107 464 | us-west-2: 465 | AMZNLINUX2: ami-0dc8f589abe99f538 466 | AMZNLINUX2ARM: ami-01ee617c4327490d3 467 | US2004HVM: ami-02868af3c3df4b3aa 468 | CENTOS7HVM: ami-0bc06212a56393ee1 469 | SLES15HVM: ami-0f1e3b3fb0fec0361 470 | cn-north-1: 471 | AMZNLINUX2: ami-0c52e2685c7218558 472 | AMZNLINUX2ARM: ami-088cc0c104292da9c 473 | CENTOS7HVM: ami-08c16f7e830c0e393 474 | SLES15HVM: ami-021392849b6221a81 475 | cn-northwest-1: 476 | AMZNLINUX2: ami-05b9b6d6acf8ae9b6 477 | AMZNLINUX2ARM: ami-0b5c6ceb80eb57861 478 | CENTOS7HVM: ami-0f21aa96a61df8c44 479 | SLES15HVM: ami-00e1de3ee6d0d28ea 480 | 481 | LinuxAMINameMap: 482 | Amazon-Linux2-HVM: 483 | Code: AMZNLINUX2 484 | OS: Amazon 485 | Amazon-Linux2-HVM-ARM: 486 | Code: AMZNLINUX2ARM 487 | OS: Amazon 488 | CentOS-7-HVM: 489 | Code: CENTOS7HVM 490 | OS: CentOS 491 | Ubuntu-Server-18.04-LTS-HVM: 492 | Code: US1804HVM 493 | OS: Ubuntu 494 | Ubuntu-Server-20.04-LTS-HVM: 495 | Code: US2004HVM 496 | OS: Ubuntu 497 | SUSE-SLES-15-HVM: 498 | Code: SLES15HVM 499 | OS: SLES 500 | 501 | Conditions: 502 | GovCloudCondition: !Equals [!Ref AWS::Region, 'us-gov-west-1'] 503 | ConfigureConsul: !And 504 | - !Not [!Equals [!Ref 'ConsulEc2RetryTagKey', '']] 505 | - !Not [!Equals [!Ref 'ConsulEc2RetryTagValue', '']] 506 | ConfigureConsulServiceMesh: !And 507 | - !Not [!Equals [!Ref 
'ConsulEc2RetryTagKey', '']] 508 | - !Not [!Equals [!Ref 'ConsulEc2RetryTagValue', '']] 509 | - !Equals [!Ref 'EnableConsulServiceMesh', 'true'] 510 | 511 | Resources: 512 | NomadServerASG: 513 | Type: "AWS::AutoScaling::AutoScalingGroup" 514 | Properties: 515 | LaunchConfigurationName: !Ref NomadServerLC 516 | MinSize: !Ref NomadServerNodeCount 517 | MaxSize: !Ref NomadServerNodeCount 518 | DesiredCapacity: !Ref NomadServerNodeCount 519 | TargetGroupARNs: 520 | - !Ref NomadServerTargetGroup 521 | HealthCheckType: "ELB" 522 | HealthCheckGracePeriod: "120" 523 | VPCZoneIdentifier: 524 | - !Ref PrivateSubnet1ID 525 | - !Ref PrivateSubnet2ID 526 | - !Ref PrivateSubnet3ID 527 | Tags: 528 | - Key: Name 529 | Value: !Sub "${AWS::StackName}-Nomad-Server" 530 | PropagateAtLaunch: true 531 | - Key: !Ref NomadEc2RetryTagKey 532 | Value: !Ref NomadEc2RetryTagValue 533 | PropagateAtLaunch: true 534 | CreationPolicy: 535 | ResourceSignal: 536 | Count: !Ref NomadServerNodeCount 537 | Timeout: PT20M 538 | 539 | NomadServerTargetGroup: 540 | Type: AWS::ElasticLoadBalancingV2::TargetGroup 541 | Properties: 542 | HealthCheckEnabled: true 543 | HealthCheckIntervalSeconds: 30 544 | HealthCheckPath: /v1/status/leader 545 | HealthCheckPort: 4646 546 | HealthCheckProtocol: "HTTP" 547 | HealthCheckTimeoutSeconds: 5 548 | HealthyThresholdCount: !Ref NomadServerNodeCount 549 | IpAddressType: ipv4 550 | Port: 4646 551 | Protocol: "HTTP" 552 | TargetGroupAttributes: 553 | - Key: stickiness.enabled 554 | Value: true 555 | - Key: stickiness.type 556 | Value: lb_cookie 557 | # default of one day stickiness 558 | # - Key: stickiness.lb_cookie.duration_seconds 559 | # Value: 86400 560 | VpcId: !Ref VPCID 561 | 562 | NomadServerALB: 563 | Type: AWS::ElasticLoadBalancingV2::LoadBalancer 564 | Properties: 565 | Type: application 566 | IpAddressType: ipv4 567 | Scheme: internet-facing 568 | SecurityGroups: 569 | - !Ref NomadServerALBSecGroup 570 | Subnets: 571 | - !Ref PublicSubnet1ID 572 | - !Ref 
PublicSubnet2ID 573 | - !Ref PublicSubnet3ID 574 | LoadBalancerAttributes: 575 | - Key: access_logs.s3.enabled 576 | Value: true 577 | - Key: access_logs.s3.bucket 578 | Value: !Ref NomadServerLogsBucket 579 | - Key: access_logs.s3.prefix 580 | Value: NomadALBLogs 581 | - Key: idle_timeout.timeout_seconds 582 | Value: 360 583 | 584 | NomadServerALBListener: 585 | Type: "AWS::ElasticLoadBalancingV2::Listener" 586 | Properties: 587 | DefaultActions: 588 | - Type: "forward" 589 | ForwardConfig: 590 | TargetGroups: 591 | - TargetGroupArn: !Ref NomadServerTargetGroup 592 | LoadBalancerArn: !Ref NomadServerALB 593 | Port: 443 594 | Protocol: "HTTPS" 595 | Certificates: 596 | - CertificateArn: !Ref SSLCertificateId 597 | 598 | NomadServerLogsBucket: 599 | Type: AWS::S3::Bucket 600 | DeletionPolicy: Retain 601 | UpdateReplacePolicy: Retain 602 | 603 | NomadServerLogsBucketPolicy: 604 | Type: AWS::S3::BucketPolicy 605 | Properties: 606 | Bucket: !Ref NomadServerLogsBucket 607 | PolicyDocument: 608 | Version: 2012-10-17 609 | Statement: 610 | - Sid: NomadQSGALBAccessLogs 611 | Action: 612 | - "s3:PutObject" 613 | Effect: Allow 614 | Resource: !Sub "arn:${AWS::Partition}:s3:::${NomadServerLogsBucket}/NomadALBLogs/*" 615 | Principal: 616 | AWS: !Sub 617 | - "arn:${AWS::Partition}:iam::${RegionELBAccountId}:root" 618 | - RegionELBAccountId: !FindInMap 619 | - RegionELBAccountId 620 | - !Ref "AWS::Region" 621 | - AccountId 622 | 623 | NomadServerALBSecGroup: 624 | Type: AWS::EC2::SecurityGroup 625 | Properties: 626 | GroupDescription: Enables ALB Access to cluster instances. 
627 | VpcId: !Ref VPCID 628 | SecurityGroupIngress: 629 | # This is for the ALB 630 | - IpProtocol: tcp 631 | FromPort: 443 632 | ToPort: 443 633 | CidrIp: 0.0.0.0/0 634 | SecurityGroupEgress: 635 | - IpProtocol: "-1" 636 | CidrIp: 0.0.0.0/0 637 | Tags: 638 | - Key: Name 639 | Value: !Sub "${AWS::StackName}-NomadServerALBSecGroup" 640 | 641 | NomadServerLC: 642 | Type: AWS::AutoScaling::LaunchConfiguration 643 | Metadata: 644 | cfn-lint: 645 | config: 646 | ignore_checks: 647 | - E9101 #ignore warning about kill for Linux related command 648 | AWS::CloudFormation::Init: 649 | configSets: 650 | _base: 651 | - install_and_enable_cfn_hup 652 | - disable_motd 653 | - fetch_nomad 654 | - fetch_consul 655 | - fetch_vault 656 | - fetch_consul_template 657 | _consul: 658 | - consul_install 659 | - setup_coredns 660 | _nomad: 661 | - create_nomad_group_user_dir 662 | - nomad_install 663 | cs-nomad: 664 | - ConfigSet: _base 665 | - ConfigSet: _nomad 666 | cs-nomad-consul: 667 | - ConfigSet: _base 668 | - create_consul_group_user_dir 669 | - ConfigSet: _consul 670 | - ConfigSet: _nomad 671 | cs-nomad-consul-service-mesh: 672 | - ConfigSet: _base 673 | - create_consul_group_user_dir 674 | - enable_consul_service_mesh 675 | - ConfigSet: _consul 676 | - ConfigSet: _nomad 677 | 678 | install_and_enable_cfn_hup: 679 | files: 680 | /etc/cfn/cfn-hup.conf: 681 | content: !Sub | 682 | [main] 683 | stack=${AWS::StackId} 684 | region=${AWS::Region} 685 | mode: "000400" 686 | owner: root 687 | group: root 688 | /etc/cfn/hooks.d/cfn-auto-reloader.conf: 689 | content: !Sub 690 | "[cfn-auto-reloader-hook] 691 | 692 | triggers=post.update 693 | 694 | path=Resources.NomadServerLC.Metadata.AWS::CloudFormation::Init 695 | 696 | action=/usr/local/bin/cfn-init -v 697 | --stack ${AWS::StackName} 698 | --resource NomadServerLC 699 | --configsets cs_install 700 | --region ${AWS::Region} 701 | 702 | runas=root" 703 | /lib/systemd/system/cfn-hup.service: 704 | content: | 705 | [Unit] 706 | 
Description=cfn-hup daemon 707 | 708 | [Service] 709 | Type=simple 710 | ExecStart=/usr/local/bin/cfn-hup 711 | Restart=always 712 | 713 | [Install] 714 | WantedBy=multi-user.target 715 | commands: 716 | 01enable_cfn_hup: 717 | command: systemctl enable cfn-hup.service 718 | 02start_cfn_hup: 719 | command: systemctl start cfn-hup.service 720 | 721 | disable_motd: 722 | files: 723 | /home/ubuntu/.hushlogin: 724 | content: | 725 | # disable motd 726 | user: ubuntu 727 | group: ubuntu 728 | mode: "000400" 729 | 730 | create_nomad_group_user_dir: 731 | users: 732 | nomad: 733 | homeDir: /srv/nomad 734 | commands: 735 | 01_create_data_dir: 736 | command: mkdir -p /opt/nomad/data 737 | 02_set_data_dir_permissions: 738 | command: chown -R nomad:nomad /opt/nomad/data 739 | 03_create_config_dir: 740 | command: mkdir -p /opt/nomad/config 741 | 04_set_config_dir_permissions: 742 | command: chown -R root:nomad /opt/nomad/config 743 | 744 | create_consul_group_user_dir: 745 | users: 746 | consul: 747 | homeDir: /srv/consul 748 | commands: 749 | 01_create_data_dir: 750 | command: mkdir -p /opt/consul/data 751 | 02_set_data_dir_permissions: 752 | command: chown -R consul:consul /opt/consul/data 753 | 03_create_config_dir: 754 | command: mkdir -p /opt/consul/config 755 | 04_set_config_dir_permissions: 756 | command: chown -R root:consul /opt/consul/config 757 | 758 | fetch_nomad: 759 | sources: 760 | /usr/bin/: https://releases.hashicorp.com/nomad/1.2.6/nomad_1.2.6_linux_amd64.zip 761 | 762 | fetch_consul: 763 | sources: 764 | /usr/bin/: https://releases.hashicorp.com/consul/1.11.4/consul_1.11.4_linux_amd64.zip 765 | 766 | fetch_vault: 767 | sources: 768 | /usr/bin/: https://releases.hashicorp.com/vault/1.9.4/vault_1.9.4_linux_amd64.zip 769 | 770 | fetch_consul_template: 771 | sources: 772 | /usr/bin/: https://releases.hashicorp.com/consul-template/0.28.0/consul-template_0.28.0_linux_amd64.zip 773 | 774 | nomad_install: 775 | files: 776 | /opt/nomad/config/nomad.hcl: 777 | 
content: !Sub | 778 | bind_addr = "0.0.0.0" 779 | data_dir = "/opt/nomad/data" 780 | datacenter = "${NomadDatacenter}" 781 | log_level = "WARN" 782 | advertise { 783 | http = "{{{InterfaceTemplate}}}" 784 | rpc = "{{{InterfaceTemplate}}}" 785 | serf = "{{{InterfaceTemplate}}}" 786 | } 787 | context: 788 | InterfaceTemplate: '{{ GetDefaultInterfaces | include \"type\" \"ipv4\" | attr \"address\" }}' 789 | mode: "000644" 790 | /opt/nomad/config/server.hcl: 791 | content: !Sub | 792 | server { 793 | enabled = true 794 | bootstrap_expect = ${NomadServerNodeCount} 795 | raft_protocol = 3 796 | server_join { 797 | retry_join = ["provider=aws region=${AWS::Region} tag_key=${NomadEc2RetryTagKey} tag_value=${NomadEc2RetryTagValue}"] 798 | } 799 | } 800 | mode: "000644" 801 | /etc/systemd/system/nomad.service: 802 | content: | 803 | [Unit] 804 | Description=Hashicorp Nomad 805 | Documentation=https://nomadproject.io/docs/ 806 | Wants=network-online.target 807 | After=network-online.target 808 | ConditionFileNotEmpty=/opt/nomad/config/nomad.hcl 809 | ConditionFileNotEmpty=/opt/nomad/config/server.hcl 810 | 811 | # When using Nomad with Consul it is not necessary to start Consul first. These 812 | # lines start Consul before Nomad as an optimization to avoid Nomad logging 813 | # that Consul is unavailable at startup. 814 | {{maybe_comment_consul}}Wants=consul.service 815 | {{maybe_comment_consul}}After=consul.service 816 | 817 | [Service] 818 | Type=simple 819 | User=nomad 820 | Group=nomad 821 | EnvironmentFile=-/opt/nomad/config/nomad.env 822 | ExecReload=/bin/kill -HUP $MAINPID 823 | ExecStart=/usr/bin/nomad agent -config /opt/nomad/config 824 | 825 | KillMode=process 826 | KillSignal=SIGINT 827 | LimitNOFILE=65536 828 | LimitNPROC=infinity 829 | Restart=on-failure 830 | TimeoutSec=300s 831 | RestartSec=2 832 | 833 | ## Configure unit start rate limiting. 
Units which are started more than 834 | ## *burst* times within an *interval* time span are not permitted to start any 835 | ## more. Use `StartLimitIntervalSec` or `StartLimitInterval` (depending on 836 | ## systemd version) to configure the checking interval and `StartLimitBurst` 837 | ## to configure how many starts per interval are allowed. The values in the 838 | ## commented lines are defaults. 839 | # StartLimitBurst = 5 840 | 841 | ## StartLimitIntervalSec is used for systemd versions >= 230 842 | # StartLimitIntervalSec = 10s 843 | 844 | ## StartLimitInterval is used for systemd versions < 230 845 | # StartLimitInterval = 10s 846 | 847 | TasksMax=infinity 848 | OOMScoreAdjust=-1000 849 | 850 | [Install] 851 | WantedBy=multi-user.target 852 | context: 853 | maybe_comment_consul: !If [ConfigureConsul, "", "#"] 854 | mode: "000644" 855 | commands: 856 | 00_fill_nomad_config_nodename: 857 | command: echo "name = \"$(curl -s http://169.254.169.254/latest/meta-data/instance-id)\"" > /opt/nomad/config/nodename.hcl 858 | 01_change_data_dir_owner: 859 | command: chown -R nomad:nomad /opt/nomad/data 860 | 02_change_config_dir_owner: 861 | command: chown -R root:nomad /opt/nomad/config 862 | 03_chmod_config_dir: 863 | command: chmod 755 /opt/nomad/config 864 | 04_chmod_config_files: 865 | command: chmod 644 /opt/nomad/config/*.hcl 866 | 05_reload_systemd: 867 | command: systemctl daemon-reload 868 | 06_enable_service: 869 | command: systemctl enable nomad 870 | 07_start_service: 871 | command: systemctl start nomad 872 | 873 | enable_consul_service_mesh: 874 | files: 875 | /opt/consul/config/connect.hcl: 876 | content: | 877 | ports { 878 | grpc = 8502 879 | } 880 | connect { 881 | enabled = true 882 | } 883 | owner: root 884 | group: consul 885 | mode: 000644 886 | 887 | consul_install: 888 | files: 889 | /opt/consul/config/consul.hcl: 890 | content: !Sub | 891 | data_dir = "/opt/consul/data" 892 | client_addr = "0.0.0.0" 893 | bind_addr = "{{{InterfaceTemplate}}}" 
894 | datacenter = "${ConsulDatacenter}" 895 | log_level = "WARN" 896 | ui_config { 897 | enabled = true 898 | } 899 | telemetry { 900 | disable_compat_1.9 = true 901 | } 902 | context: 903 | InterfaceTemplate: '{{ GetDefaultInterfaces | include \"type\" \"ipv4\" | attr \"address\" }}' 904 | owner: root 905 | group: consul 906 | mode: "000644" 907 | /opt/consul/config/client.hcl: 908 | content: !Sub | 909 | retry_join = ["provider=aws region=${AWS::Region} tag_key=${ConsulEc2RetryTagKey} tag_value=${ConsulEc2RetryTagValue}"] 910 | owner: root 911 | group: consul 912 | mode: "000644" 913 | /etc/systemd/system/consul.service: 914 | content: | 915 | [Unit] 916 | Description="HashiCorp Consul - A service mesh solution" 917 | Documentation=https://www.consul.io/ 918 | Requires=network-online.target 919 | After=network-online.target 920 | ConditionFileNotEmpty=/opt/consul/config/consul.hcl 921 | ConditionFileNotEmpty=/opt/consul/config/client.hcl 922 | 923 | [Service] 924 | Type=notify 925 | EnvironmentFile=-/opt/consul/config/consul.env 926 | User=consul 927 | Group=consul 928 | ExecStart=/usr/bin/consul agent -config-dir=/opt/consul/config 929 | ExecReload=/bin/kill --signal HUP $MAINPID 930 | KillMode=process 931 | KillSignal=SIGTERM 932 | Restart=on-failure 933 | LimitNOFILE=65536 934 | 935 | [Install] 936 | WantedBy=multi-user.target 937 | owner: root 938 | group: root 939 | mode: "000644" 940 | commands: 941 | 00_fill_consul_config_nodename: 942 | command: echo "node_name = \"$(curl -s http://169.254.169.254/latest/meta-data/instance-id)\"" > /opt/consul/config/nodename.hcl 943 | 01_change_data_dir_owner: 944 | command: chown -R consul:consul /opt/consul/data 945 | 02_change_config_dir_owner: 946 | command: chown -R root:consul /opt/consul/config 947 | 03_chmod_config_dir: 948 | command: chmod 755 /opt/consul/config 949 | 04_chmod_config_files: 950 | command: chmod 644 /opt/consul/config/*.hcl 951 | 05_reload_systemd: 952 | command: systemctl daemon-reload 953 | 
06_enable_consul: 954 | command: systemctl enable consul 955 | 07_start_consul: 956 | command: systemctl start consul 957 | 958 | setup_dnsmasq: 959 | files: 960 | /etc/dnsmasq.d/consul: 961 | content: | 962 | server=/consul/127.0.0.1#8600 963 | listen-address=127.0.0.1 964 | bind-interfaces 965 | /usr/local/etc/dnsmasq.conf: 966 | content: | 967 | no-resolv 968 | packages: 969 | apt: 970 | dnsmasq-base: [] 971 | dnsmasq: [] 972 | jq: [] 973 | commands: 974 | 01_start_dnsmasq: 975 | command: service dnsmasq restart 976 | 977 | setup_coredns: 978 | users: 979 | coredns: 980 | homeDir: /srv/coredns 981 | sources: 982 | /usr/bin: https://github.com/coredns/coredns/releases/download/v1.8.4/coredns_1.8.4_linux_amd64.tgz 983 | files: 984 | /etc/systemd/system/coredns.service: 985 | content: | 986 | [Unit] 987 | Description=CoreDNS DNS server 988 | Documentation=https://coredns.io 989 | After=network.target 990 | 991 | [Service] 992 | PermissionsStartOnly=true 993 | LimitNOFILE=1048576 994 | LimitNPROC=512 995 | CapabilityBoundingSet=CAP_NET_BIND_SERVICE 996 | AmbientCapabilities=CAP_NET_BIND_SERVICE 997 | NoNewPrivileges=true 998 | User=coredns 999 | WorkingDirectory=~ 1000 | ExecStart=/usr/bin/coredns -conf=/etc/coredns/Corefile 1001 | ExecReload=/bin/kill -SIGUSR1 $MAINPID 1002 | Restart=on-failure 1003 | 1004 | [Install] 1005 | WantedBy=multi-user.target 1006 | /etc/coredns/Corefile: 1007 | content: | 1008 | . { 1009 | forward . /run/systemd/resolve/resolv.conf 1010 | } 1011 | consul { 1012 | forward . 
dns://127.0.0.1:8600 1013 | } 1014 | user: root 1015 | group: root 1016 | mode: "000644" 1017 | /etc/resolv.conf: 1018 | content: | 1019 | nameserver 127.0.0.1 1020 | options edns0 trust-ad 1021 | search ec2.internal 1022 | user: root 1023 | group: root 1024 | mode: "000644" 1025 | commands: 1026 | 00_make_homedir: 1027 | command: mkdir -p /srv/coredns 1028 | 01_change_owner: 1029 | command: chown -R coredns:coredns /srv/coredns 1030 | 02_reload_systemd: 1031 | command: systemctl daemon-reload 1032 | 03_disable_resolved_DNSStubListener: 1033 | command: echo "DNSStubListener=no" >> /etc/systemd/resolved.conf 1034 | 04_restart_resolved: 1035 | command: systemctl restart systemd-resolved.service 1036 | 05_start_service: 1037 | command: systemctl start coredns 1038 | 06_enable_service: 1039 | command: systemctl enable coredns 1040 | 1041 | 1042 | Properties: 1043 | InstanceType: !Ref NomadServerInstanceType 1044 | AssociatePublicIpAddress: false 1045 | SecurityGroups: 1046 | - !Ref NomadServerSecurityGroup 1047 | KeyName: !Ref KeyPairName 1048 | ImageId: !FindInMap 1049 | - AWSAMIRegionMap 1050 | - !Ref 'AWS::Region' 1051 | - !FindInMap [LinuxAMINameMap, !Ref NomadServerAMIOS, Code] 1052 | IamInstanceProfile: !Ref NomadServerProfile 1053 | UserData: 1054 | Fn::Base64: !Sub 1055 | - | 1056 | #!/bin/bash -x 1057 | #CFN Functions 1058 | function cfn_fail 1059 | { 1060 | cfn-signal -e 1 --stack ${AWS::StackName} --region ${AWS::Region} --resource NomadServerASG 1061 | } 1062 | function cfn_success 1063 | { 1064 | cfn-signal -e 0 --stack ${AWS::StackName} --region ${AWS::Region} --resource NomadServerASG 1065 | exit 0 1066 | } 1067 | function cfn_fail_log 1068 | { 1069 | journalctl -b --no-pager -u nomad 1070 | for I in /opt/nomad/config/*.hcl 1071 | do 1072 | echo "## $I" 1073 | echo ""; echo '```' 1074 | cat $I 1075 | echo ""; echo '```'; echo "" 1076 | done 1077 | systemctl status nomad.service 1078 | } 1079 | 
S3URI=https://${QSS3BucketName}.${S3Region}.amazonaws.com/${QSS3KeyPrefix} 1080 | apt-get -y update 1081 | # Install git 1082 | apt-get install -y git jq 1083 | #Load Linux utils 1084 | until git clone https://github.com/aws-quickstart/quickstart-linux-utilities.git ; do echo "Retrying"; done 1085 | cd /quickstart-linux-utilities && source quickstart-cfn-tools.source 1086 | # Prep operating systems 1087 | qs_update-os || qs_err 1088 | qs_bootstrap_pip || qs_err 1089 | qs_aws-cfn-bootstrap || qs_err 1090 | #cfn-init 1091 | echo "Executing config-sets" 1092 | cfn-init -v --stack ${AWS::StackName} --resource NomadServerLC --configsets ${ConfigSet} --region ${AWS::Region} 1093 | STATUS=$? 1094 | echo signal cfn success/failure 1095 | [ $STATUS == 0 ] || cfn_fail 1096 | echo log info on failure 1097 | [ $STATUS == 0 ] || cfn_fail_log 1098 | 1099 | # Signal cfn-init (final check) 1100 | [ $(qs_status) == 0 ] && cfn_success || cfn_fail 1101 | - ConfigSet: !If 1102 | - ConfigureConsulServiceMesh 1103 | - cs-nomad-consul-service-mesh 1104 | - !If 1105 | - ConfigureConsul 1106 | - cs-nomad-consul 1107 | - cs-nomad 1108 | S3Region: !If [GovCloudCondition, s3-us-gov-west-1, s3] 1109 | 1110 | NomadServerRole: 1111 | Type: AWS::IAM::Role 1112 | Properties: 1113 | AssumeRolePolicyDocument: 1114 | Statement: 1115 | - Action: "sts:AssumeRole" 1116 | Principal: 1117 | Service: ec2.amazonaws.com 1118 | Effect: Allow 1119 | Sid: "" 1120 | Policies: 1121 | - PolicyDocument: 1122 | Version: 2012-10-17 1123 | Statement: 1124 | - Action: 1125 | - "s3:GetObject" 1126 | Resource: !Sub "arn:${AWS::Partition}:s3:::${QSS3BucketName}/${QSS3KeyPrefix}*" 1127 | Effect: Allow 1128 | PolicyName: AuthenticatedS3GetObjects 1129 | 1130 | NomadServerPolicy: 1131 | Type: AWS::IAM::Policy 1132 | Properties: 1133 | PolicyName: nomad-server 1134 | PolicyDocument: 1135 | Statement: 1136 | - Effect: Allow 1137 | Action: 1138 | - "ec2:DescribeInstances" 1139 | Resource: "*" 1140 | Roles: 1141 | - !Ref 
NomadServerRole 1142 | 1143 | NomadServerProfile: 1144 | Type: AWS::IAM::InstanceProfile 1145 | Properties: 1146 | Path: / 1147 | Roles: 1148 | - !Ref NomadServerRole 1149 | 1150 | Outputs: 1151 | NomadEc2RetryTagKey: 1152 | Value: !Ref NomadEc2RetryTagKey 1153 | Description: 1154 | The EC2 instance tag key to filter on when joining to other Nomad nodes. 1155 | 1156 | NomadEc2RetryTagValue: 1157 | Value: !Ref NomadEc2RetryTagValue 1158 | Description: 1159 | The EC2 instance tag value to filter on when joining to other Nomad nodes. 1160 | 1161 | NomadServerASG: 1162 | Value: !Ref NomadServerASG 1163 | Description: 'The Nomad server autoscaling group.' 1164 | 1165 | NomadServerLogsBucket: 1166 | Value: !Ref NomadServerLogsBucket 1167 | Description: 1168 | The S3 Bucket created for Nomad server logs. 1169 | 1170 | NomadALBCanonicalHostedZoneID: 1171 | Value: !GetAtt NomadServerALB.CanonicalHostedZoneID 1172 | Description: 1173 | The name of the hosted zone for the Nomad server ALB. 1174 | 1175 | NomadALBDNSName: 1176 | Value: !GetAtt NomadServerALB.DNSName 1177 | Description: 1178 | The DNS name of the Nomad server ALB. 1179 | --------------------------------------------------------------------------------