templates/aws-refarch-drupal-03-bastion.yaml

---
AWSTemplateFormatVersion: 2010-09-09

Description: Reference Architecture to host Drupal on AWS - Creates bastion (desired:0; min:0; max:1) Auto Scaling group

Metadata:

  AWS::CloudFormation::Interface:
    ParameterGroups:
    - Label:
        default: AWS Parameters
      Parameters:
        - KeyName
        - BastionSecurityGroup
    ParameterLabels:
      BastionSecurityGroup:
        default: Bastion Security Group
      KeyName:
        default: Existing Key Pair
      PublicSubnet0:
        default: Public Subnet for AZ 0
      PublicSubnet1:
        default: Public Subnet for AZ 1
      PublicSubnet2:
        default: Public Subnet for AZ 2

Parameters:

  BastionSecurityGroup:
    Description: Select the bastion security group.
    Type: AWS::EC2::SecurityGroup::Id
  KeyName:
    AllowedPattern: ^([a-zA-Z0-9 @.`~!#$%^&*()_+,\\-])*$
    ConstraintDescription: Must be letters (upper or lower), numbers, and special characters.
    Description: Name of an EC2 KeyPair. Your bastion instances will launch with this KeyPair.
    Type: AWS::EC2::KeyPair::KeyName
  PublicSubnet0:
    Description: Select an existing public subnet for AZ 0.
    Type: AWS::EC2::Subnet::Id
  PublicSubnet1:
    Description: Select an existing public subnet for AZ 1.
    Type: AWS::EC2::Subnet::Id
  PublicSubnet2:
    Description: Select an existing public subnet for AZ 2.
    Type: AWS::EC2::Subnet::Id

Conditions:

  MoreThan2AZ:
    !Or [
      !Equals [ !Ref 'AWS::Region', us-east-1 ],
      !Equals [ !Ref 'AWS::Region', us-east-2 ],
      !Equals [ !Ref 'AWS::Region', us-west-2 ],
      !Equals [ !Ref 'AWS::Region', eu-west-1 ],
      !Equals [ !Ref 'AWS::Region', sa-east-1 ],
      !Equals [ !Ref 'AWS::Region', ap-northeast-1 ],
      !Equals [ !Ref 'AWS::Region', ap-southeast-2 ]
    ]

Mappings:

  RegionMap:
    ap-northeast-1:
      AMI: ami-56d4ad31
    ap-northeast-2:
      AMI: ami-dac312b4
    ap-south-1:
      AMI: ami-f9daac96
    ap-southeast-1:
      AMI: ami-dc9339bf
    ap-southeast-2:
      AMI: ami-1c47407f
    ca-central-1:
      AMI: ami-ebed508f
    eu-central-1:
      AMI: ami-af0fc0c0
    eu-west-1:
      AMI: ami-70edb016
    eu-west-2:
      AMI: ami-f1949e95
    sa-east-1:
      AMI: ami-80086dec
    us-east-1:
      AMI: ami-0b33d91d
    us-east-2:
      AMI: ami-c55673a0
    us-west-1:
      AMI: ami-165a0876
    us-west-2:
      AMI: ami-f173cc91

Resources:

  BastionAutoScalingGroup:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      Cooldown: 60
      HealthCheckGracePeriod: 120
      HealthCheckType: EC2
      LaunchConfigurationName: !Ref BastionLaunchConfiguration
      MaxSize: 1
      MinSize: 0
      Tags:
        - Key: Name
          Value: !Join [ '', [ 'Bastion / ', !Ref 'AWS::StackName' ] ]
          PropagateAtLaunch: true
      VPCZoneIdentifier:
        !If [
          MoreThan2AZ,
          [ !Ref PublicSubnet0, !Ref PublicSubnet1, !Ref PublicSubnet2 ],
          [ !Ref PublicSubnet0, !Ref PublicSubnet1 ]
        ]
  BastionLaunchConfiguration:
    Type: AWS::AutoScaling::LaunchConfiguration
    Properties:
      IamInstanceProfile: !Ref BastionInstanceProfile
      ImageId: !FindInMap [ RegionMap, !Ref 'AWS::Region', AMI ]
      InstanceMonitoring: true
      InstanceType: t2.large
      KeyName: !Ref KeyName
      SecurityGroups:
        - !Ref BastionSecurityGroup
  BastionInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: '/'
      Roles:
      - !Ref BastionInstanceRole
  BastionInstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
        - Effect: Allow
          Principal:
            Service:
            - ec2.amazonaws.com
          Action:
          - sts:AssumeRole
      Path: '/'
      Policies:
      - PolicyName: logs
        PolicyDocument:
          Version: 2012-10-17
          Statement:
          - Effect: Allow
            Action:
            - logs:CreateLogGroup
            - logs:CreateLogStream
            - logs:PutLogEvents
            - logs:DescribeLogStreams
            Resource:
            - arn:aws:logs:*:*:*