├── CODE_OF_CONDUCT.md
├── CONTRIBUTING.md
├── LICENSE
├── README.md
├── components
│   └── component.yml
├── java
│   ├── Dockerfile
│   ├── README.md
│   ├── pom.xml
│   └── src
│       └── main
│           └── java
│               └── com
│                   └── example
│                       └── aws
│                           └── containerdemo
│                               ├── App.java
│                               ├── HttpServerHandler.java
│                               └── HttpServerInitializer.java
├── parameters
│   ├── docker-image-builder-params.json
│   ├── kms-params.json
│   ├── s3-iam-config.json
│   └── vpc-params.json
└── templates
    ├── docker-image-builder.yml
    ├── kms.yml
    ├── s3-iam-config.yml
    └── vpc.yml

/CODE_OF_CONDUCT.md:
--------------------------------------------------------------------------------
## Code of Conduct
This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct).
For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact
opensource-codeofconduct@amazon.com with any additional questions or comments.

--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
# Contributing Guidelines

Thank you for your interest in contributing to our project. Whether it's a bug report, new feature, correction, or additional
documentation, we greatly value feedback and contributions from our community.

Please read through this document before submitting any issues or pull requests to ensure we have all the necessary
information to effectively respond to your bug report or contribution.


## Reporting Bugs/Feature Requests

We welcome you to use the GitHub issue tracker to report bugs or suggest features.

When filing an issue, please check existing open, or recently closed, issues to make sure somebody else hasn't already
reported the issue. Please try to include as much information as you can. Details like these are incredibly useful:

* A reproducible test case or series of steps
* The version of our code being used
* Any modifications you've made relevant to the bug
* Anything unusual about your environment or deployment


## Contributing via Pull Requests
Contributions via pull requests are much appreciated. Before sending us a pull request, please ensure that:

1. You are working against the latest source on the *main* branch.
2. You check existing open, and recently merged, pull requests to make sure someone else hasn't addressed the problem already.
3. You open an issue to discuss any significant work - we would hate for your time to be wasted.

To send us a pull request, please:

1. Fork the repository.
2. Modify the source; please focus on the specific change you are contributing. If you also reformat all the code, it will be hard for us to focus on your change.
3. Ensure local tests pass.
4. Commit to your fork using clear commit messages.
5. Send us a pull request, answering any default questions in the pull request interface.
6. Pay attention to any automated CI failures reported in the pull request, and stay involved in the conversation.

GitHub provides additional documentation on [forking a repository](https://help.github.com/articles/fork-a-repo/) and
[creating a pull request](https://help.github.com/articles/creating-a-pull-request/).


## Finding contributions to work on
Looking at the existing issues is a great way to find something to contribute to. As our projects, by default, use the default GitHub issue labels (enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any 'help wanted' issues is a great place to start.


## Code of Conduct
This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct).
For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact
opensource-codeofconduct@amazon.com with any additional questions or comments.


## Security issue notifications
If you discover a potential security issue in this project, we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/). Please do **not** create a public GitHub issue.


## Licensing

See the [LICENSE](LICENSE) file for our project's licensing. We will ask you to confirm the licensing of your contribution.

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.

Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
the Software, and to permit persons to whom the Software is furnished to do so.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Build and Deploy Docker Images to AWS using EC2 Image Builder
In this project, we walk through the process of building a Docker image and deploying it to Amazon ECR, share some security best practices, and demonstrate deploying a Docker image to Amazon Elastic Container Service (Amazon ECS). Additionally, we dive deep into building Docker images following modern principles. The project we create in this post addresses a use case in which an organization needs an automated workflow for building, distributing, and deploying Docker images. With Image Builder, we build and deploy Docker images, and we test locally the image that our Image Builder pipeline has created.

## Motivation
A common scenario you may face is how to build Docker images that can be utilized throughout your organization. You may already have existing processes that you’re looking to modernize. You may be looking for a streamlined, managed approach so you can reduce the overhead of operating your own workflows. Additionally, if you’re new to containers, you may be seeking an end-to-end process you can use to deploy containerized workloads. In either case, there is a need for a modern, streamlined approach to centralize the configuration and distribution of Docker images. This post demonstrates how to build a secure end-to-end workflow for building secure Docker images.


## Tech/framework used
For this post, we use the following services:

- **EC2 Image Builder:** Image Builder is a fully managed AWS service that makes it easy to automate the creation, management, and deployment of customized, secure, and up-to-date server images that are pre-installed and pre-configured with software and settings to meet specific IT standards.

- **Amazon ECR:** Amazon ECR is an AWS managed container image registry service that is secure, scalable, and reliable.

- **CodeCommit:** AWS CodeCommit is a fully managed source control service that hosts secure Git-based repositories.

- **AWS KMS:** AWS Key Management Service (AWS KMS) is a fully managed service for creating and managing cryptographic keys. These keys are natively integrated with most AWS services. You use a KMS key in this post to encrypt resources.

- **Amazon S3:** Amazon Simple Storage Service (Amazon S3) is an object storage service utilized for storing and encrypting data. We use Amazon S3 to store our configuration files.

- **AWS CloudFormation:** AWS CloudFormation allows you to use domain-specific languages or simple text files to model and provision, in an automated and secure manner, all the resources needed for your applications across all Regions and accounts. You can deploy AWS resources in a safe, repeatable manner, and automate the provisioning of infrastructure.


## Features
You use the following CloudFormation templates to deploy several resources:

- **vpc.yml:** Contains all the core networking configuration. It deploys the VPC, two private subnets, two public subnets, and the route tables. The private subnets utilize a NAT gateway to communicate with the internet. The public subnets have full outbound access through the internet gateway.

- **kms.yml:** Contains the AWS Key Management Service (AWS KMS) configuration that we use for encrypting resources. The KMS key policy is also configured in this template.

- **s3-iam-config.yml:** Contains the S3 bucket and IAM roles we use with our Image Builder pipeline.

- **docker-image-builder.yml:** Contains the configuration for the Image Builder pipeline that we use to build Docker images.


## How to use?

To deploy this project, follow the step-by-step instructions found here: https://aws.amazon.com/blogs/devops/build-and-deploy-docker-images-to-aws-using-ec2-image-builder/

## Security

See [CONTRIBUTING](CONTRIBUTING.md#security-issue-notifications) for more information.

## License

This library is licensed under the MIT-0 License. See the LICENSE file.

--------------------------------------------------------------------------------
/components/component.yml:
--------------------------------------------------------------------------------
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0
name: 'Component file'
description: 'This is a sample component showing the different phases of the file.'
schemaVersion: 1.0
phases:
  - name: build
    steps:
      - name: BuildDebug
        action: ExecuteBash
        inputs:
          commands:
            - sudo echo "BuildDebug section"

  - name: validate
    steps:
      - name: ValidateDebug
        action: ExecuteBash
        inputs:
          commands:
            - sudo echo "ValidateDebug section"

  - name: test
    steps:
      - name: TestDebug
        action: ExecuteBash
        inputs:
          commands:
            - sudo echo "TestDebug section"

--------------------------------------------------------------------------------
/java/Dockerfile:
--------------------------------------------------------------------------------
# Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
# Permission is hereby granted, free of charge, to any person obtaining a copy of this
# software and associated documentation files (the "Software"), to deal in the Software
# without restriction, including without limitation the rights to use, copy, modify,
# merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
# permit persons to whom the Software is furnished to do so.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
# INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
# PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

# Declared before the first FROM so every stage can re-declare and use it.
ARG GIT_REPO_DIR=DemoRepo

# Stage 1: clone the application source from CodeCommit. The credential helper
# uses the build host's AWS credentials (the Image Builder instance profile),
# so no Git credentials are baked into any layer.
FROM amazon/aws-cli:latest AS fetcher
ARG GIT_URL=https://git-codecommit.us-east-1.amazonaws.com/v1/repos/DemoRepo

RUN yum install -y git
RUN mkdir -p /home/demo && \
    cd /home/demo && \
    git config --global credential.helper '!aws codecommit credential-helper $@' && \
    git config --global credential.UseHttpPath true && \
    git clone ${GIT_URL}


# Stage 2: build a trimmed JRE with jlink and package the application with Maven.
# The base image is pinned by digest so the build is reproducible.
FROM alpine:3.13.0@sha256:d0710affa17fad5f466a70159cc458227bd25d4afb39514ef662ead3e6c99515 AS builder
ENV JAVA_HOME /opt/jdk
ENV PATH $JAVA_HOME/bin:$PATH
ARG GIT_REPO_DIR

# Corretto is fetched over HTTPS, but the "latest" archive is unpinned and no checksum is verified.
ADD https://corretto.aws/downloads/latest/amazon-corretto-15-x64-alpine-jdk.tar.gz $JAVA_HOME/amazon-corretto-15-x64-alpine-jdk.tar.gz

RUN tar --extract --file $JAVA_HOME/amazon-corretto-15-x64-alpine-jdk.tar.gz --directory "$JAVA_HOME" --strip-components 1; \
    rm $JAVA_HOME/amazon-corretto-15-x64-alpine-jdk.tar.gz;

# Only the modules the Netty server needs go into the runtime image.
RUN ["jlink", "--compress=2", \
     "--module-path", "/opt/jdk/jmods/", \
     "--add-modules", "java.base,java.logging", \
     "--no-header-files", "--no-man-pages", \
     "--output", "/netty-runtime"]

RUN apk update && \
    apk add maven && \
    rm -rf /var/cache/apk/*

RUN mkdir -p /home/demo && \
    cd /home/demo

COPY --from=fetcher /home/demo/${GIT_REPO_DIR} /home/demo/${GIT_REPO_DIR}

RUN cd /home/demo/${GIT_REPO_DIR}/java && \
    mvn clean package

# Stage 3: minimal runtime image. Only the jlink runtime and the shaded jar are
# copied in, and the process runs as a dedicated non-root user.
FROM alpine:3.13.0@sha256:d0710affa17fad5f466a70159cc458227bd25d4afb39514ef662ead3e6c99515
ENV PATH=$PATH:/opt/jdk/bin
ARG GIT_REPO_DIR

RUN addgroup -S demogroup && \
    adduser -S demouser -G demogroup

USER demouser

COPY --from=builder /netty-runtime /opt/jdk
COPY --from=builder /home/demo/${GIT_REPO_DIR}/java/target/netty-example-1.0-SNAPSHOT.jar /opt/app/
EXPOSE 8090
ENTRYPOINT ["java", "-showversion", "-jar", "/opt/app/netty-example-1.0-SNAPSHOT.jar"]

--------------------------------------------------------------------------------
/java/README.md:
--------------------------------------------------------------------------------

### Notes:
```
Reference: https://github.com/aws/aws-lambda-java-libs/blob/master/aws-lambda-java-runtime-interface-client/README.md
Replace with the final aws sample repo information.
```

#### Build Java Docker Image
**RUN:**
```
docker build -t java_0.2 -f java/Dockerfile .
```

#### Run Java Docker Image default Capabilities
**RUN:**
```
# java_0.2 is the tag given in the build step above
docker run -d -p 8090:8090 --name java_hello_world java_0.2
```

--------------------------------------------------------------------------------
/java/pom.xml:
--------------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
Permission is hereby granted, free of charge, to any person obtaining a copy of this
software and associated documentation files (the "Software"), to deal in the Software
without restriction, including without limitation the rights to use, copy, modify,
merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <groupId>com.example.aws.containerdemo</groupId>
  <artifactId>netty-example</artifactId>
  <version>1.0-SNAPSHOT</version>

  <properties>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
    <maven.compiler.source>1.8</maven.compiler.source>
    <maven.compiler.target>1.8</maven.compiler.target>
    <netty.version>4.1.65.Final</netty.version>
  </properties>

  <dependencies>
    <dependency>
      <groupId>io.netty</groupId>
      <artifactId>netty-all</artifactId>
      <version>${netty.version}</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <!-- Produces the single runnable jar that the Dockerfile copies into the runtime image. -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-shade-plugin</artifactId>
        <executions>
          <execution>
            <phase>package</phase>
            <goals>
              <goal>shade</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-jar-plugin</artifactId>
        <configuration>
          <archive>
            <manifest>
              <mainClass>com.example.aws.containerdemo.App</mainClass>
            </manifest>
          </archive>
        </configuration>
      </plugin>
    </plugins>
  </build>
</project>

--------------------------------------------------------------------------------
/java/src/main/java/com/example/aws/containerdemo/App.java:
--------------------------------------------------------------------------------
/*
Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
Permission is hereby granted, free of charge, to any person obtaining a copy of this
software and associated documentation files (the "Software"), to deal in the Software
without restriction, including without limitation the rights to use, copy, modify,
merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*/

package com.example.aws.containerdemo;

import io.netty.bootstrap.ServerBootstrap;
import io.netty.channel.Channel;
import io.netty.channel.EventLoopGroup;
import io.netty.channel.nio.NioEventLoopGroup;
import io.netty.channel.socket.nio.NioServerSocketChannel;
import io.netty.handler.logging.LogLevel;
import io.netty.handler.logging.LoggingHandler;
import io.netty.channel.ChannelOption;
import io.netty.channel.ChannelFuture;

public class App {

    private static final int HTTP_PORT = 8090;

    public void run() throws Exception {

        // Create the multithreaded event loops for the server
        EventLoopGroup bossGroup = new NioEventLoopGroup();
        EventLoopGroup workerGroup = new NioEventLoopGroup();

        try {
            // A helper class that simplifies server configuration
            ServerBootstrap httpBootstrap = new ServerBootstrap();

            // Configure the server
            httpBootstrap.group(bossGroup, workerGroup)
                .channel(NioServerSocketChannel.class)
                .childHandler(new HttpServerInitializer()) // <-- Our handler created here
                .option(ChannelOption.SO_BACKLOG, 128)
                .childOption(ChannelOption.SO_KEEPALIVE, true);

            // Bind and start to accept incoming connections.
            ChannelFuture httpChannel = httpBootstrap.bind(HTTP_PORT).sync();

            // Wait until server socket is closed
            httpChannel.channel().closeFuture().sync();
        }
        finally {
            workerGroup.shutdownGracefully();
            bossGroup.shutdownGracefully();
        }
    }

    public static void main(String[] args) throws Exception {
        new App().run();
    }

}

--------------------------------------------------------------------------------
/java/src/main/java/com/example/aws/containerdemo/HttpServerHandler.java:
--------------------------------------------------------------------------------
/*
Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
Permission is hereby granted, free of charge, to any person obtaining a copy of this
software and associated documentation files (the "Software"), to deal in the Software
without restriction, including without limitation the rights to use, copy, modify,
merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*/

package com.example.aws.containerdemo;

import io.netty.buffer.ByteBuf;
import io.netty.buffer.Unpooled;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.SimpleChannelInboundHandler;
import io.netty.handler.codec.http.*;
import io.netty.util.CharsetUtil;

// The type parameter is required: without it channelRead0(ctx, FullHttpRequest)
// would not override the abstract method and the class would not compile.
public class HttpServerHandler extends SimpleChannelInboundHandler<FullHttpRequest> {

    @Override
    protected void channelRead0(ChannelHandlerContext ctx, FullHttpRequest msg) throws Exception {
        // A FullHttpRequest always implements LastHttpContent, so this check always passes.
        if (msg instanceof LastHttpContent) {
            ByteBuf content = Unpooled.copiedBuffer("Hello World!", CharsetUtil.UTF_8);
            FullHttpResponse response = new DefaultFullHttpResponse(HttpVersion.HTTP_1_1, HttpResponseStatus.OK, content);
            response.headers().set(HttpHeaderNames.CONTENT_TYPE, "text/html");
            response.headers().set(HttpHeaderNames.CONTENT_LENGTH, content.readableBytes());
            ctx.write(response);
            ctx.flush();
        }
    }
}

--------------------------------------------------------------------------------
/java/src/main/java/com/example/aws/containerdemo/HttpServerInitializer.java:
--------------------------------------------------------------------------------
/*
Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
Permission is hereby granted, free of charge, to any person obtaining a copy of this
software and associated documentation files (the "Software"), to deal in the Software
without restriction, including without limitation the rights to use, copy, modify,
merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*/

package com.example.aws.containerdemo;

import io.netty.channel.Channel;
import io.netty.channel.ChannelInitializer;
import io.netty.channel.ChannelPipeline;
import io.netty.handler.codec.http.HttpObjectAggregator;
import io.netty.handler.codec.http.HttpServerCodec;

public class HttpServerInitializer extends ChannelInitializer<Channel> {

    @Override
    protected void initChannel(Channel ch) throws Exception {
        ChannelPipeline pipeline = ch.pipeline();

        // Decode/encode HTTP, then aggregate message parts into one FullHttpRequest.
        // Integer.MAX_VALUE places no bound on how much request body is buffered in
        // memory per connection; a service exposed beyond a demo should size this
        // limit to the largest payload it expects.
        pipeline.addLast(new HttpServerCodec());
        pipeline.addLast(new HttpObjectAggregator(Integer.MAX_VALUE));
        pipeline.addLast(new HttpServerHandler());
    }
}

--------------------------------------------------------------------------------
/parameters/docker-image-builder-params.json:
--------------------------------------------------------------------------------
[
  {
    "ParameterKey": "Environment",
    "ParameterValue": "dev"
  },
  {
    "ParameterKey": "ImageBuilderBucketName",
    "ParameterValue": ""
  },
  {
    "ParameterKey": "NetworkStackName",
    "ParameterValue": "vpc-config"
  },
  {
    "ParameterKey": "KMSStackName",
    "ParameterValue": "kms-config"
  },
  {
    "ParameterKey": "S3ConfigStackName",
    "ParameterValue": "s3-iam-config"
  },
  {
    "ParameterKey": "ImageBuilderECRName",
    "ParameterValue": "demo-java-ib"
  }
]

--------------------------------------------------------------------------------
/parameters/kms-params.json:
--------------------------------------------------------------------------------
[
  {
    "ParameterKey": "KeyName",
    "ParameterValue": "DemoKey"
  },
  {
    "ParameterKey": "UserARN",
    "ParameterValue": "arn:aws:iam:::root"
  }
]

--------------------------------------------------------------------------------
/parameters/s3-iam-config.json:
--------------------------------------------------------------------------------
[
  {
    "ParameterKey" : "Environment",
    "ParameterValue" : "dev"
  },
  {
    "ParameterKey": "NetworkStackName",
    "ParameterValue" : "vpc-config"
  },
  {
    "ParameterKey" : "DemoConfigS3BucketName",
    "ParameterValue" : ""
  },
  {
    "ParameterKey" : "KMSStackName",
    "ParameterValue" : "kms-config"
  }
]

--------------------------------------------------------------------------------
/parameters/vpc-params.json:
--------------------------------------------------------------------------------
[
  {
    "ParameterKey" : "VPCCIDR",
    "ParameterValue" : "10.0.0.0/16"
  },
  {
    "ParameterKey" : "Environment",
    "ParameterValue" : "dev"
  },
  {
    "ParameterKey" : "AvailabilityZones",
    "ParameterValue" : "us-east-1a, us-east-1c"
  },
  {
    "ParameterKey" : "PublicSubnet1ACIDR",
    "ParameterValue" : "10.0.1.0/24"
  },
  {
    "ParameterKey" : "PublicSubnet2ACIDR",
    "ParameterValue" : "10.0.2.0/24"
  },
  {
    "ParameterKey" : "PrivateSubnet2Z1CIDR",
    "ParameterValue" : "10.0.3.0/24"
  },
  {
    "ParameterKey" : "PrivateSubnet2Z2CIDR",
    "ParameterValue" : "10.0.4.0/24"
  }
]

--------------------------------------------------------------------------------
/templates/docker-image-builder.yml:
--------------------------------------------------------------------------------
# Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
# Permission is hereby granted, free of charge, to any person obtaining a copy of this
# software and associated documentation files (the "Software"), to deal in the Software
# without restriction, including without limitation the rights to use, copy, modify,
# merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
# permit persons to whom the Software is furnished to do so.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
# INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
# PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

AWSTemplateFormatVersion: "2010-09-09"
Description: 'This template will deploy a sample EC2 ImageBuilder pipeline that will generate a Docker container'

Parameters:
  Environment:
    Type: String
    Description: >-
      The values allowed for demo
    AllowedValues:
      - 'dev'
      - 'sandbox'
    Default: sandbox

  ImageBuilderBucketName:
    Type: String
    Description: 'Enter the Name of the bucket where ImageBuilder Config lives'
    Default: 'demo1284149381'

  NetworkStackName:
    Description: 'Stack name which has all of the VPC configuration'
    Type: String
    Default: 'vpc-config'

  KMSStackName:
    Type: String
    Description: 'Stack name which has all of the KMS configuration'
    Default: 'kms-config'

  S3ConfigStackName:
    Type: String
    Description: 'Stack name which has all of the Nginx S3 configuration'
    Default: 's3-iam-config'

  ImageBuilderECRName:
    Type: String
    Description: 'Image Builder Elastic container registry.'
    Default: 'demo-java-ib000'

Resources:
  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      InstanceProfileName: !Sub '${AWS::StackName}-EC2ImageBuilder-Profile'
      Path: /
      Roles:
        - Fn::ImportValue: !Sub "${S3ConfigStackName}-Image-Builder-Role-Name"

  ImageBuilderSG:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: 'Linux EC2 Security Group'
      SecurityGroupIngress:
        - IpProtocol: tcp
          CidrIp: 0.0.0.0/0
          FromPort: 443
          ToPort: 443
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 0
          ToPort: 65535
          CidrIp: 0.0.0.0/0
      VpcId:
        Fn::ImportValue: !Sub "${NetworkStackName}-VPCID"

  ImageBuilderRepository:
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: !Ref ImageBuilderECRName

  ImageBuilderSNSTopic:
    Type: AWS::SNS::Topic
    Properties:
      KmsMasterKeyId:
        Fn::ImportValue: !Sub "${KMSStackName}-KeyId"
      TopicName: "ContainerImageBuilderTopic"

  Component:
    Type: AWS::ImageBuilder::Component
    Properties:
      Name: !Sub '${AWS::StackName}-Docker-Component'
      Platform: Linux
      Version: 1.0.3
      Description: 'This component is a required object.'
      ChangeDescription: 'Initial Version'
      KmsKeyId:
        Fn::ImportValue: !Sub "${KMSStackName}-KMS-ARN"
      Tags:
        build: helloworld
      Uri: !Sub 's3://${ImageBuilderBucketName}/component.yml'

  ContainerRecipe:
    Type: 'AWS::ImageBuilder::ContainerRecipe'
    DependsOn: ImageBuilderRepository
    Properties:
      Name: !Sub '${AWS::StackName}-Container-Recipe'
      Version: '1.0.3'
      ParentImage: 'amazonlinux:latest'
      Description: 'This recipe will create a container from an Alpine base and Java.'
      ContainerType: 'DOCKER'
      Components:
        - ComponentArn: !Ref Component
      TargetRepository:
        Service: 'ECR'
        RepositoryName: !Ref ImageBuilderRepository
      DockerfileTemplateUri: !Sub s3://${ImageBuilderBucketName}/Dockerfile
      # WorkingDirectory: "/app/DemoRepo/java"
      KmsKeyId:
        Fn::ImportValue: !Sub "${KMSStackName}-KMS-ARN"
      Tags:
        build: 'docker-java-container'

  Infrastructure:
    Type: AWS::ImageBuilder::InfrastructureConfiguration
    Properties:
      Name: !Sub '${AWS::StackName}-LinuxCis-Infrastructure'
      Description: 'This infrastructure configuration will launch into our custom ImageBuilder VPC'
      InstanceProfileName: !Ref InstanceProfile
      SecurityGroupIds:
        - !Ref ImageBuilderSG
      SubnetId:
        Fn::ImportValue: !Sub "${NetworkStackName}-PublicSubnet1AID"
      TerminateInstanceOnFailure: false
      SnsTopicArn: !Ref ImageBuilderSNSTopic
      InstanceTypes:
        - t3.medium
        - t3.large
      Logging:
        S3Logs:
          S3BucketName: !Ref ImageBuilderBucketName
          S3KeyPrefix: 'imagebuilder'

  ContainerDistribution:
    Type: AWS::ImageBuilder::DistributionConfiguration
    Properties:
      Name: !Sub '${AWS::StackName}-Container-Distribution'
      Description: 'This distribution configuration will deploy the demo Container to the current region'
      Distributions:
        - Region: !Ref 'AWS::Region'
          ContainerDistributionConfiguration:
            Description: 'This distribution configuration will upload the demo Container Image to a Repository'
            TargetRepository:
              Service: ECR
              RepositoryName: !Ref ImageBuilderRepository
      Tags:
        DistributionConfigurationDemoType: 'docker-java-container'
        DistributionConfigurationTest: 'latest'

  Pipeline:
    Type: AWS::ImageBuilder::ImagePipeline
    Properties:
      Name: !Sub '${AWS::StackName}-docker-java-container'
      Description: 'Deploys a sample Docker java container image to current region'
      Status: ENABLED
      ContainerRecipeArn: !Ref ContainerRecipe
      InfrastructureConfigurationArn: !Ref Infrastructure
      DistributionConfigurationArn: !Ref ContainerDistribution
      ImageTestsConfiguration:
        ImageTestsEnabled: false
        TimeoutMinutes: 60
      # Schedule:
      #   ScheduleExpression: 'cron(0 0 * * ? *)' # every day at 12:00am UTC
      #   PipelineExecutionStartCondition: 'EXPRESSION_MATCH_ONLY'

  ImageBuilderSSMParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Name: /demo/imagebuilderarn
      Type: String
      Value: !Ref Pipeline
      Description: SSM Parameter for the Image Builder Pipeline ARN.

  ImageVersionSSMParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Name: /demo/image/version
      Type: String
      Value: '1.0.0'
      Description: SSM Parameter for the Docker Image Version.

Outputs:

  ImageBuilderPipelinearn:
    Description: Image Builder Pipeline Arn
    Value: !Ref Pipeline
    Export:
      Name: !Sub '${AWS::StackName}-IB-Pipeline-Arn'

  ImageBuilderRepositoryName:
    Description: Image Builder ECR Repository Name
    Value: !Ref ImageBuilderRepository
    Export:
      Name: !Sub '${AWS::StackName}-ECR-Name'

  ImageBuilderRepository:
    Description: Image Builder ECR Repository Arn
    Value: !GetAtt ImageBuilderRepository.Arn
    Export:
      Name: !Sub '${AWS::StackName}-ECR-Arn'

--------------------------------------------------------------------------------
/templates/kms.yml:
--------------------------------------------------------------------------------
# Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
# Permission is hereby granted, free of charge, to any person obtaining a copy of this
# software and associated documentation files (the "Software"), to deal in the Software
# without restriction, including without limitation the rights to use, copy, modify,
# merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
# permit persons to whom the Software is furnished to do so.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
# INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
# PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

AWSTemplateFormatVersion: '2010-09-09'
Description: >
  This template deploys a KMS customer managed CMK for AWS services. We also
  configure the KMS key policy and grant our deployment roles permission to
  use the key.

Parameters:
  # Not referenced by any resource below; kept for compatibility with existing parameter files.
  Service:
    Type: String
    Description: 'Which AWS service is allowed to use this CMK?'
    Default: ALL_SERVICES

  KeyName:
    Type: String
    Description: 'Name of the KMS Key'

  UserARN:
    Type: CommaDelimitedList
    Description: 'ARN of User Role for this particular Key access. Provide comma delimited values for multiple roles.'

Resources:
  KMSKey:
    Type: 'AWS::KMS::Key'
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: F19
            reason: "Suppressing requirement for logging warning for testing purposes"
    Properties:
      # In a key policy, Resource '*' always means this key itself.
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          - Sid: Allow cloudtrail use of the key
            Effect: Allow
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Action:
              - "kms:Encrypt"
              - "kms:Decrypt"
              - "kms:GenerateDataKey*"
              - "kms:DescribeKey"
            Resource: '*'
          # Log delivery only needs the data-plane actions granted to CloudTrail
          # above; the key-management actions in this statement (PutKeyPolicy,
          # ScheduleKeyDeletion, CreateKey, ...) are broader than the service requires.
          - Sid: Allow NLB use of the key
            Effect: Allow
            Principal:
              Service: "delivery.logs.amazonaws.com"
            Action:
              - "kms:EnableKeyRotation"
              - "kms:EnableKey"
              - "kms:Decrypt"
              - "kms:ListKeyPolicies"
              - "kms:PutKeyPolicy"
              - "kms:GetKeyPolicy"
              - "kms:DisableKey"
              - "kms:GenerateDataKeyPair"
              - "kms:DisableKeyRotation"
              - "kms:RetireGrant"
              - "kms:UpdateAlias"
              - "kms:ListKeys"
              - "kms:Encrypt"
              - "kms:GetKeyRotationStatus"
              - "kms:ScheduleKeyDeletion"
              - "kms:ListAliases"
              - "kms:RevokeGrant"
              - "kms:GenerateDataKey"
              - "kms:CreateAlias"
              - "kms:DescribeKey"
              - "kms:CreateKey"
              - "kms:DeleteAlias"
              - "kms:CreateGrant"
            Resource: '*'
          - Sid: Allow Management Roles use of the key
            Effect: Allow
            Principal:
              AWS: !Ref UserARN
            Action:
              - "kms:*"
            Resource: '*'

  KMSKeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: !Sub 'alias/${KeyName}'
      TargetKeyId:
        Ref: KMSKey

Outputs:
  KMSKeyARN:
    Description: KMS Key ARN
    Value: !GetAtt KMSKey.Arn
    Export:
      Name:
        Fn::Sub: "${AWS::StackName}-KMS-ARN"

  KeyId:
    Description: 'Key id.'
    Value: !Ref KMSKey
    Export:
      Name: !Sub '${AWS::StackName}-KeyId'
--------------------------------------------------------------------------------
/templates/s3-iam-config.yml:
--------------------------------------------------------------------------------
# Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
# Permission is hereby granted, free of charge, to any person obtaining a copy of this
# software and associated documentation files (the "Software"), to deal in the Software
# without restriction, including without limitation the rights to use, copy, modify,
# merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
# permit persons to whom the Software is furnished to do so.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
# INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
# PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

AWSTemplateFormatVersion: 2010-09-09
Description: >-
  This template creates the roles utilized for setting up the
  Docker Image Builder Pipeline.

Parameters:

  Environment:
    AllowedValues:
      - 'dev'
      - 'sandbox'
    Type: String
    Description: 'Set environment in which the VPC will be created'
    Default: sandbox

  DemoConfigS3BucketName:
    Type: String

  EC2ImageBuilderRoleName:
    Type: String
    Default: EC2ImageBuilderRole

  NetworkStackName:
    Type: String
    Description: Stack name which has all of the VPC configuration

  KMSStackName:
    Type: String
    Description: Stack name which has all of the KMS configuration

Resources:

  # S3 Bucket where Nginx Config and Image Builder Config will live
  S3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Ref DemoConfigS3BucketName
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
              KMSMasterKeyID:
                Fn::ImportValue: !Sub "${KMSStackName}-KeyId"
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        IgnorePublicAcls: true
        BlockPublicPolicy: true
        RestrictPublicBuckets: true

  ImageBuilderIamRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref EC2ImageBuilderRoleName
      Description: 'This role will grant EC2 ImageBuilder minimum necessary permissions to allow pipelines to execute'
      MaxSessionDuration: 3600  # in seconds
      Path: /
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
                - ssm.amazonaws.com
                - imagebuilder.amazonaws.com
              # The account root principal lets any IAM identity in this account that
              # holds sts:AssumeRole take this role, not only the services listed above.
              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
            Action:
              - sts:AssumeRole
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/EC2InstanceProfileForImageBuilder'
        - 'arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore'
      Policies:
        - PolicyName: GrantS3Read
          PolicyDocument:
            Statement:
              - Sid: GrantS3Read
                Effect: Allow
                Action:
                  - s3:List*
                  - s3:Get*
                  - s3:Put*
                # The trailing wildcard covers the bucket and its objects (and any other
                # bucket whose name starts with this bucket's name).
                Resource: !Sub 'arn:aws:s3:::${S3Bucket}*'
        - PolicyName: ListsAndDescribes
          PolicyDocument:
            Statement:
              - Sid: DescribesLists
                Effect: Allow
                Resource: '*'
                Action:
                  - ec2:DescribeImages
                  - codecommit:GitPush
                  - codecommit:GitPull
        - PolicyName: DecryptKms
          PolicyDocument:
            Statement:
              - Sid: DecryptKms
                Effect: Allow
                Action:
                  - kms:Decrypt
                  - kms:Encrypt
                  - kms:GenerateDataKey*
                  - ec2:DescribeImages
                  - ssm:PutParameter
                # Resource '*' covers every key and parameter in the account; the pipeline
                # only needs the key exported by the KMS stack and the /demo/* parameters.
                Resource: '*'
        - PolicyName: GrantSsm
          PolicyDocument:
            Statement:
              - Sid: GrantSsm
                Effect: Allow
                Action:
                  - ssm:SendCommand
                Resource:
                  - !Sub 'arn:aws:ssm:${AWS::Region}::document/AmazonInspector-ManageAWSAgent'
                  - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:*/*'
        - PolicyName: Ec2Tags
          PolicyDocument:
            Statement:
              - Sid: TagOnCreate
                Effect: Allow
                Action:
                  - ec2:CreateTags
                  - ec2:RunInstances
                Resource: !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:*/*'
        - PolicyName: ImageBuilderPermissions
          PolicyDocument:
            Statement:
              - Sid: ImageBuilderPermissions
                Effect: Allow
                Action:
                  - imagebuilder:GetContainerRecipe
                  - ecr:GetAuthorizationToken
                Resource: '*'
        - PolicyName: ManageRepositoryContents
          PolicyDocument:
            Statement:
              - Sid: ManageRepositoryContents
                Effect: Allow
                Action:
                  - ecr:BatchCheckLayerAvailability
                  - ecr:GetDownloadUrlForLayer
                  - ecr:GetRepositoryPolicy
                  - ecr:DescribeRepositories
                  - ecr:ListImages
                  - ecr:DescribeImages
                  - ecr:BatchGetImage
                  - ecr:InitiateLayerUpload
                  - ecr:UploadLayerPart
                  - ecr:CompleteLayerUpload
                  - ecr:PutImage
                Resource: !Sub 'arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:*/*'
        - PolicyName: RegisterContainerInstance
          PolicyDocument:
            Statement:
              - Sid: RegisterContainerInstance
                Effect: Allow
                Action:
                  - ecs:RegisterContainerInstance
                  - ecs:CreateCluster
                  - ec2:DescribeTags
                  - ecs:DeregisterContainerInstance
                  - ecs:DiscoverPollEndpoint
                  - ecs:Poll
                  - ecs:StartTelemetrySession
                  - ecs:UpdateContainerInstancesState
                  - ecs:Submit*
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource:
                  - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:*/*'
                  - !Sub 'arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:*/*'

  DemoRepo:
    Type: AWS::CodeCommit::Repository
    Properties:
      RepositoryName: DemoRepo
      RepositoryDescription: 'This is a repository for the docker image builder pipeline.'

Outputs:

  DemoRepo:
    Description: CodeCommit repository ARN
    Value: !GetAtt DemoRepo.Arn
    Export:
      Name: !Sub "${AWS::StackName}-Demo-Repo-Name"

  ImageBuilderRoleArn:
    Value: !GetAtt ImageBuilderIamRole.Arn
    Export:
      Name: !Sub "${AWS::StackName}-Image-Builder-Role-ARN"

  ImageBuilderRoleName:
    Value: !Ref ImageBuilderIamRole
    Export:
      Name: !Sub "${AWS::StackName}-Image-Builder-Role-Name"

  S3BucketArn:
    Description: S3 Bucket ARN
    Value: !GetAtt S3Bucket.Arn
    Export:
      Name:
        Fn::Sub: "${AWS::StackName}-Bucket-ARN"

  S3BucketName:
    Description: S3 Bucket Name
    Value: !Ref S3Bucket
    Export:
      Name:
        Fn::Sub: "${AWS::StackName}-Bucket-Name"
--------------------------------------------------------------------------------
/templates/vpc.yml:
--------------------------------------------------------------------------------
# Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
# Permission is hereby granted, free of charge, to any person obtaining a copy of this
# software and associated documentation files (the "Software"), to deal in the Software
# without restriction, including without limitation the rights to use, copy, modify,
# merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
# permit persons to whom the Software is furnished to do so.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
# INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
# PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

AWSTemplateFormatVersion: 2010-09-09
Description: >-
  This template creates a Multi-AZ (two Availability Zones), multi-subnet VPC infrastructure and
  associates the specified CIDR block with the newly created VPC.
  **WARNING** This template creates AWS resources. You will be billed for the AWS resources used if you
  create a stack from this template.

Metadata:
  'AWS::CloudFormation::Interface':
    ParameterGroups:
      - Label:
          default: Availability Zone Configuration
        # Specify the Availability Zones and how many should be used for the subnets
        Parameters:
          - AvailabilityZones
      - Label:
          default: Network Configuration
        # Specify VPC, Public and Private Subnets
        Parameters:
          - VPCCIDR
          - Environment
          - PublicSubnet1ACIDR
          - PublicSubnet2ACIDR
          - PrivateSubnet2Z1CIDR
          - PrivateSubnet2Z2CIDR
    # Parameter Labels
    ParameterLabels:
      AvailabilityZones:
        default: Availability Zones
      PrivateSubnet2Z1CIDR:
        default: Private subnet 1 AZ 1 CIDR
      PrivateSubnet2Z2CIDR:
        default: Private subnet 2 AZ 2 CIDR
      PublicSubnet1ACIDR:
        default: Public subnet 1A CIDR
      PublicSubnet2ACIDR:
        default: Public subnet 2A CIDR
      Environment:
        default: Environment for the VPC
      VPCCIDR:
        default: VPC CIDR

# This section outlines the allowed, default and types of values for each parameter.
Parameters:
  AvailabilityZones:
    Description: >-
      Please specify two (2) or three (3, optional) Availability Zones which will be used by the subnets in the VPC. Note: The
      logical order is preserved.
    Type: 'List<AWS::EC2::AvailabilityZone::Name>'
    Default: us-east-1a,us-east-1c

  # The environment name is used as the prefix for resource Name tags
  Environment:
    Description: >-
      Set environment in which the VPC will be created.
    Type: String

  # The CIDR pattern requires four dotted octets and a prefix length, e.g. 10.0.10.0/25
  PrivateSubnet2Z1CIDR:
    AllowedPattern: >-
      ^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/xx
    Default: 10.0.10.0/25
    Description: CIDR block for Private subnet 1 AZ 1 located in Availability Zone 1
    Type: String

  PrivateSubnet2Z2CIDR:
    AllowedPattern: >-
      ^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/xx
    Default: 10.0.32.0/24
    Description: CIDR block for Private subnet 2 AZ 2 located in Availability Zone 2
    Type: String

  PublicSubnet1ACIDR:
    AllowedPattern: >-
      ^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/xx
    Default: 10.0.128.0/25
    Description: CIDR block for the public DMZ subnet 1A located in Availability Zone 1
    Type: String

  PublicSubnet2ACIDR:
    AllowedPattern: >-
      ^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/xx
    Default: 10.0.144.0/25
    Description: CIDR block for the public DMZ subnet 2A located in Availability Zone 2
    Type: String

  VPCCIDR:
    AllowedPattern: >-
      ^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/xx
    Description: CIDR block for the VPC
    Type: String

# This section outlines the AWS resources that will be created as a result of running
# this CloudFormation stack.
Resources:
  # VPC
  VPC:
    Type: 'AWS::EC2::VPC'
    Properties:
      CidrBlock: !Ref VPCCIDR
      EnableDnsSupport: 'true'
      EnableDnsHostnames: 'true'
      Tags:
        - Key: Name
          Value: !Join [ "-", [ !Ref Environment, !Ref 'AWS::Region' ] ]

  # Internet Gateway
  InternetGateway:
    Type: 'AWS::EC2::InternetGateway'
    Properties:
      Tags:
        - Key: Name
          Value: !Join [ "-", [ !Ref Environment, igw ] ]
        - Key: Network
          Value: Public

  # Attach the Internet Gateway to the VPC
  VPCGWGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref InternetGateway

  # NAT Gateway in the first public subnet; the private subnets' default route points here
  NAT:
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt EIP.AllocationId
      SubnetId:
        Ref: PublicSubnet1A

  EIP:
    Type: AWS::EC2::EIP
    # A VPC-scoped EIP can only be allocated once the Internet Gateway is attached
    DependsOn: VPCGWGatewayAttachment
    Properties:
      Domain: vpc

  Route:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateSubnetRouteTable1
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId:
        Ref: NAT

  # All the subnet resources DependsOn the VPC so that no subnet is created before
  # the VPC and its CIDR block exist. This avoids the race/synchronization situation
  # where the creation of a subnet requiring that resource occurs before the resource is created.
  PublicSubnet1A:
    Type: 'AWS::EC2::Subnet'
    DependsOn:
      - VPC
    Properties:
      VpcId: !Ref VPC
      CidrBlock: !Ref PublicSubnet1ACIDR
      AvailabilityZone: !Select
        - '0'
        - !Ref AvailabilityZones
      Tags:
        - Key: Name
          Value: !Join [ "-", [ !Ref Environment, public, subnet1 ] ]
        - Key: Network
          Value: Public
      MapPublicIpOnLaunch: true

  PublicSubnet2A:
    Type: 'AWS::EC2::Subnet'
    DependsOn:
      - VPC
    Properties:
      VpcId: !Ref VPC
      CidrBlock: !Ref PublicSubnet2ACIDR
      AvailabilityZone: !Select
        - '1'
        - !Ref AvailabilityZones
      Tags:
        - Key: Name
          Value: !Join [ "-", [ !Ref Environment, public, subnet2 ] ]
        - Key: Network
          Value: Public
      MapPublicIpOnLaunch: true

  PrivateSubnet2Z1:
    Type: 'AWS::EC2::Subnet'
    DependsOn:
      - VPC
    Properties:
      VpcId: !Ref VPC
      CidrBlock: !Ref PrivateSubnet2Z1CIDR
      AvailabilityZone: !Select
        - '0'
        - !Ref AvailabilityZones
      Tags:
        - Key: Name
          Value: !Join [ "-", [ !Ref Environment, private, subnet1 ] ]
        - Key: Network
          Value: Private

  PrivateSubnet2Z2:
    Type: 'AWS::EC2::Subnet'
    DependsOn:
      - VPC
    Properties:
      VpcId: !Ref VPC
      CidrBlock: !Ref PrivateSubnet2Z2CIDR
      AvailabilityZone: !Select
        - '1'
        - !Ref AvailabilityZones
      Tags:
        - Key: Name
          Value: !Join [ "-", [ !Ref Environment, private, subnet2 ] ]
        - Key: Network
          Value: Private

  PrivateSubnetRouteTable1:
    Type: 'AWS::EC2::RouteTable'
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Join [ "-", [ !Ref Environment, private, routetable ] ]
        - Key: Network
          Value: Private

  PrivateSubnet2Z1RouteTableAssociation:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      SubnetId: !Ref PrivateSubnet2Z1
      RouteTableId: !Ref PrivateSubnetRouteTable1

  PrivateSubnet2Z2RouteTableAssociation:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      SubnetId: !Ref PrivateSubnet2Z2
      RouteTableId: !Ref PrivateSubnetRouteTable1

  PublicSubnetRouteTable1:
    Type: 'AWS::EC2::RouteTable'
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Join [ "-", [ !Ref Environment, public, routetable ] ]
        - Key: Network
          Value: Public

  PublicSubnetRoute1:
    DependsOn: VPCGWGatewayAttachment
    Type: 'AWS::EC2::Route'
    Properties:
      RouteTableId: !Ref PublicSubnetRouteTable1
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway

  PublicSubnet1ARouteTableAssociation:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      SubnetId: !Ref PublicSubnet1A
      RouteTableId: !Ref PublicSubnetRouteTable1

  PublicSubnet2ARouteTableAssociation:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      SubnetId: !Ref PublicSubnet2A
      RouteTableId: !Ref PublicSubnetRouteTable1

  # Security Groups
  # No ingress rules are defined here, so instances in these groups accept no
  # inbound traffic until rules are added by the stacks that use them.
  PublicSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security Group for Public Instances
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Join [ "-", [ sample, !Ref Environment, public, sg ] ]

  PrivateSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security Group for Private Instances
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Join [ "-", [ sample, !Ref Environment, private, sg ] ]

  # Network Access Lists
  # Both NACLs below allow all traffic in both directions; filtering is left to
  # the security groups.
  PublicNetworkAcl:
    Type: AWS::EC2::NetworkAcl
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Join [ "-", [ !Ref Environment, public, nacl ] ]

  PublicNetworkAclIngressEntry:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId:
        Ref: PublicNetworkAcl
      RuleNumber: '100'
      Protocol: "-1"
      RuleAction: allow
      CidrBlock: 0.0.0.0/0

  PublicNetworkAclEgressEntry:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId:
        Ref: PublicNetworkAcl
      RuleNumber: '100'
      Protocol: "-1"
      RuleAction: allow
      Egress: 'true'
      CidrBlock: 0.0.0.0/0

  PublicSubnet1ANACLAssociation:
    Type: 'AWS::EC2::SubnetNetworkAclAssociation'
    Properties:
      SubnetId: !Ref PublicSubnet1A
      NetworkAclId: !Ref PublicNetworkAcl

  PublicSubnet2ANACLAssociation:
    Type: 'AWS::EC2::SubnetNetworkAclAssociation'
    Properties:
      SubnetId: !Ref PublicSubnet2A
      NetworkAclId: !Ref PublicNetworkAcl

  PrivateNetworkAcl:
    Type: AWS::EC2::NetworkAcl
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Join [ "-", [ !Ref Environment, private, nacl ] ]

  PrivateNetworkAclIngressEntry:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId:
        Ref: PrivateNetworkAcl
      RuleNumber: '100'
      Protocol: "-1"
      RuleAction: allow
      CidrBlock: 0.0.0.0/0

  PrivateNetworkAclEgressEntry:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId:
        Ref: PrivateNetworkAcl
      RuleNumber: '100'
      Protocol: "-1"
      RuleAction: allow
      Egress: 'true'
      CidrBlock: 0.0.0.0/0

  PrivateSubnet2Z1NACLAssociation:
    Type: 'AWS::EC2::SubnetNetworkAclAssociation'
    Properties:
      SubnetId: !Ref PrivateSubnet2Z1
      NetworkAclId: !Ref PrivateNetworkAcl

  PrivateSubnet2Z2NACLAssociation:
    Type: 'AWS::EC2::SubnetNetworkAclAssociation'
    Properties:
      SubnetId: !Ref PrivateSubnet2Z2
      NetworkAclId: !Ref PrivateNetworkAcl

# This represents the outputs from running the CloudFormation stack, which typically
# correspond to the AWS resources being consumed by other stacks.
Outputs:
  PrivateSubnet2Z1CIDR:
    Description: Private subnet 1 AZ 1 CIDR in Availability Zone 1
    Value: !Ref PrivateSubnet2Z1CIDR
    Export:
      Name: !Sub '${AWS::StackName}-PrivateSubnet2Z1CIDR'
  PrivateSubnet2Z1ID:
    Description: Private subnet 1 AZ 1 ID in Availability Zone 1
    Value: !Ref PrivateSubnet2Z1
    Export:
      Name: !Sub '${AWS::StackName}-PrivateSubnet2Z1ID'
  PrivateSubnet2Z2CIDR:
    Description: Private subnet 2 AZ 2 CIDR in Availability Zone 2
    Value: !Ref PrivateSubnet2Z2CIDR
    Export:
      Name: !Sub '${AWS::StackName}-PrivateSubnet2Z2CIDR'
  PrivateSubnet2Z2ID:
    Description: Private subnet 2 AZ 2 ID in Availability Zone 2
    Value: !Ref PrivateSubnet2Z2
    Export:
      Name: !Sub '${AWS::StackName}-PrivateSubnet2Z2ID'
  PublicSubnet1ACIDR:
    Description: Public subnet 1A CIDR in Availability Zone 1
    Value: !Ref PublicSubnet1ACIDR
    Export:
      Name: !Sub '${AWS::StackName}-PublicSubnet1ACIDR'
  PublicSubnet1AID:
    Description: Public subnet 1A ID in Availability Zone 1
    Value: !Ref PublicSubnet1A
    Export:
      Name: !Sub '${AWS::StackName}-PublicSubnet1AID'
  PublicSubnet2ACIDR:
    Description: Public subnet 2A CIDR in Availability Zone 2
    Value: !Ref PublicSubnet2ACIDR
    Export:
      Name: !Sub '${AWS::StackName}-PublicSubnet2ACIDR'
  PublicSubnet2AID:
    Description: Public subnet 2A ID in Availability Zone 2
    Value: !Ref PublicSubnet2A
    Export:
      Name: !Sub '${AWS::StackName}-PublicSubnet2AID'
  PrivateSubnetRouteTable1:
    Value: !Ref PrivateSubnetRouteTable1
    Description: Private subnet route table
    Export:
      Name: !Sub '${AWS::StackName}-PrivateSubnetRouteTable1'
  PublicSubnetRouteTable1:
    Value: !Ref PublicSubnetRouteTable1
    Description: Public subnet route table
    Export:
      Name: !Sub '${AWS::StackName}-PublicSubnetRouteTable1'
  VPCCIDR:
    Value: !Ref VPCCIDR
    Description: VPC CIDR
    Export:
      Name: !Sub '${AWS::StackName}-VPCCIDR'
  VPCID:
    Value: !Ref VPC
    Description: VPC ID
    Export:
      Name: !Sub '${AWS::StackName}-VPCID'
--------------------------------------------------------------------------------
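The key policy in templates/kms.yml grants the delivery.logs.amazonaws.com service principal key-administration actions, and the DecryptKms inline policy in templates/s3-iam-config.yml grants write actions on Resource '*'. The script below is an added review aid, not part of the repository: it transcribes those statements into Python (the delivery.logs statement abridged to a few of its actions, the UserARN parameter replaced by a placeholder) and reports both kinds of over-grant, treating Resource '*' in a key policy as "this key" rather than as a finding.

```python
"""Least-privilege review of the policy documents in templates/kms.yml and
templates/s3-iam-config.yml (added example, not part of the repository)."""

# KMS actions a log-delivery service principal needs to write encrypted logs;
# anything beyond these is key administration.
KMS_DATA_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey", "kms:GenerateDataKey*", "kms:DescribeKey"}

# Action verbs that only read state; any other verb on Resource '*' in an
# identity policy is reported so it can be scoped to a specific ARN.
READ_ONLY_PREFIXES = ("Describe", "List", "Get", "BatchGet", "BatchCheck")


def _as_list(value):
    """IAM allows a scalar or a list for Action, Resource and Principal values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_read_only(action):
    _service, _, verb = action.partition(":")
    return bool(verb) and verb.startswith(READ_ONLY_PREFIXES)


def audit_key_policy(policy):
    """Flag Allow statements giving an AWS *service* principal more than data-plane
    access. In a key policy Resource '*' means this key, so only the actions matter."""
    findings = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if "Service" not in principal:
            continue  # IAM principals (the UserARN roles) are key administrators by design
        extra = sorted(set(_as_list(stmt.get("Action"))) - KMS_DATA_ACTIONS)
        if extra:
            services = ", ".join(_as_list(principal["Service"]))
            findings.append(f"{stmt.get('Sid', '<no Sid>')}: service principal "
                            f"{services} holds key-administration actions {extra}")
    return findings


def audit_identity_policy(name, doc):
    """Flag Allow statements that grant non-read actions on Resource '*'."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource")):
            continue
        writes = sorted(a for a in _as_list(stmt.get("Action")) if not _is_read_only(a))
        if writes:
            findings.append(f"{name}/{stmt.get('Sid', '<no Sid>')}: "
                            f"non-read actions {writes} on Resource '*'")
    return findings


# Constructed inputs transcribed from the templates on this page: the
# delivery.logs.amazonaws.com statement is abridged to a few of its actions and
# the UserARN parameter is replaced by a placeholder.
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Allow cloudtrail use of the key", "Effect": "Allow",
     "Principal": {"Service": "cloudtrail.amazonaws.com"}, "Resource": "*",
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"]},
    {"Sid": "Allow NLB use of the key", "Effect": "Allow",
     "Principal": {"Service": "delivery.logs.amazonaws.com"}, "Resource": "*",
     "Action": ["kms:PutKeyPolicy", "kms:ScheduleKeyDeletion", "kms:CreateKey",
                "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey", "kms:DescribeKey"]},
    {"Sid": "Allow Management Roles use of the key", "Effect": "Allow",
     "Principal": {"AWS": "<UserARN placeholder>"}, "Action": ["kms:*"], "Resource": "*"},
]}

ROLE_POLICIES = {
    "DecryptKms": {"Statement": [{"Sid": "DecryptKms", "Effect": "Allow", "Resource": "*",
        "Action": ["kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey*",
                   "ec2:DescribeImages", "ssm:PutParameter"]}]},
    "ImageBuilderPermissions": {"Statement": [{"Sid": "ImageBuilderPermissions",
        "Effect": "Allow", "Resource": "*",
        "Action": ["imagebuilder:GetContainerRecipe", "ecr:GetAuthorizationToken"]}]},
}


def audit_templates():
    """Run both audits over the transcribed policies and group findings per template."""
    role_findings = []
    for name, doc in ROLE_POLICIES.items():
        role_findings.extend(audit_identity_policy(name, doc))
    return {"kms.yml": audit_key_policy(KEY_POLICY), "s3-iam-config.yml": role_findings}


if __name__ == "__main__":
    for template, findings in audit_templates().items():
        print(template, "->", findings or "no findings")
```

The read-only prefix list is a heuristic: it deliberately treats kms:Decrypt on every key in the account as something to scope down, while ecr:GetAuthorizationToken, which AWS only supports on Resource '*', passes.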