{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Parameters": {
        "VpcCidr": {
            "Type": "String",
            "Description": "Specify an IPv4 CIDR block (or IP address range) for your VPC. The CIDR block size must be between /16 and /28.",
            "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$",
            "ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/16-28",
            "Default": "10.0.0.0/16"
        },
        "PrivateSubnet1Cidr": {
            "Type": "String",
            "Description": "Specify an IPv4 CIDR block (or IP address range) for your first private subnet. The CIDR block must be within the IP range of the VPC and have a size between /16 and /28.",
            "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$",
            "ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/16-28",
            "Default": "10.0.128.0/20"
        },
        "PrivateSubnet2Cidr": {
            "Type": "String",
            "Description": "Specify an IPv4 CIDR block (or IP address range) for your second private subnet. The CIDR block must be within the IP range of the VPC, must not overlap with the first private subnet, and must have a size between /16 and /28.",
            "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$",
            "ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/16-28",
            "Default": "10.0.144.0/20"
        },
        "PublicSubnet1Cidr": {
            "Type": "String",
            "Description": "Specify an IPv4 CIDR block (or IP address range) for your public subnet. The CIDR block must be within the IP range of the VPC, must not overlap with either private subnet, and must have a size between /16 and /28.",
            "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$",
            "ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/16-28",
            "Default": "10.0.0.0/20"
        },
        "SourceCidr": {
            "Type": "String",
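            "Description": "Specify the IPv4 CIDR block (or IP address range) of your source. This is the IP range from which you make RDP connections to the EC2 instance. If left blank, RDP access to the EC2 instance is not configured. Use the narrowest range you can (for example a single /32 address): the allowed pattern accepts any prefix from /0 to /32, and the range you enter is allowed on TCP port 3389 by the public network ACL.",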
            "AllowedPattern": "(^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|1[0-9]|2[0-9]|3[0-2]))$||^$)",
            "ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/0-32",
            "Default": ""
        },
        "EnableRDPAccessToPrivateVPC": {
            "Type": "String",
            "Description": "Specify whether to open RDP access to private subnets from within the VPC",
            "AllowedValues": [
                "Yes",
                "No"
            ],
            "Default": "No"
        },
        "HighAvailabilityConfiguration": {
            "Type": "String",
            "Description": "Specify whether to set up prerequisites in a Single-AZ or Multi-AZ configuration for RDS Custom instances",
            "AllowedValues": [
                "Multi-AZ",
                "Single-AZ"
            ],
            "Default": "Multi-AZ"
        }
    },
    "Metadata": {
        "AWS::CloudFormation::Interface": {
            "ParameterGroups": [{
                    "Label": {
                        "default": "Availability Configuration for RDS Custom SQL Server"
                    },
                    "Parameters": ["HighAvailabilityConfiguration"]
                },
                {
                    "Label": {
                        "default": "Network Configuration for RDS Custom SQL Server"
                    },
                    "Parameters": ["VpcCidr", "PrivateSubnet1Cidr", "PrivateSubnet2Cidr", "PublicSubnet1Cidr"]
                },
                {
                    "Label": {
                        "default": "RDP Access Configuration for RDS Custom SQL Server"
                    },
                    "Parameters": ["SourceCidr", "EnableRDPAccessToPrivateVPC"]
                }
            ],
            "ParameterLabels": {
                "VpcCidr": {
                    "default": "IPv4 CIDR block for VPC"
                },
                "PrivateSubnet1Cidr": {
                    "default": "IPv4 CIDR block for 1 of 2 private subnets"
                },
                "PrivateSubnet2Cidr": {
                    "default": "IPv4 CIDR block for 2 of 2 private subnets"
                },
                "PublicSubnet1Cidr": {
                    "default": "IPv4 CIDR block for public subnet"
                },
                "SourceCidr": {
                    "default": "IPv4 CIDR block of your source"
                },
                "EnableRDPAccessToPrivateVPC": {
                    "default": "Set up RDP access to the RDS Custom SQL Server instance (private subnets)?"
                },
                "HighAvailabilityConfiguration": {
                    "default": "Select an availability configuration for prerequisites setup"
                }

            }
        }
    },
    "Mappings": {
        "S3VPCEndpointRegionalPrefixLists": {
            "af-south-1": {
                "prefixlistid": "pl-a3ac49ca",
                "prefixlistname": "com.amazonaws.af-south-1.s3"
            },
            "ap-east-1": {
                "prefixlistid": "pl-64a5400d",
                "prefixlistname": "com.amazonaws.ap-east-1.s3"
            },
            "ap-northeast-1": {
                "prefixlistid": "pl-61a54008",
                "prefixlistname": "com.amazonaws.ap-northeast-1.s3"
            },
            "ap-northeast-2": {
                "prefixlistid": "pl-78a54011",
                "prefixlistname": "com.amazonaws.ap-northeast-2.s3"
            },
            "ap-northeast-3": {
                "prefixlistid": "pl-a4a540cd",
                "prefixlistname": "com.amazonaws.ap-northeast-3.s3"
            },
            "ap-south-1": {
                "prefixlistid": "pl-78a54011",
                "prefixlistname": "com.amazonaws.ap-south-1.s3"
            },
            "ap-southeast-1": {
                "prefixlistid": "pl-6fa54006",
                "prefixlistname": "com.amazonaws.ap-southeast-1.s3"
            },
            "ap-southeast-2": {
                "prefixlistid": "pl-6ca54005",
                "prefixlistname": "com.amazonaws.ap-southeast-2.s3"
            },
            "ap-southeast-4": {
                "prefixlistid": "pl-d0a84db9",
                "prefixlistname": "com.amazonaws.ap-southeast-4.s3"
            },
            "ca-central-1": {
                "prefixlistid": "pl-7da54014",
                "prefixlistname": "com.amazonaws.ca-central-1.s3"
            },
            "cn-north-1": {
                "prefixlistid": "pl-62a5400b",
                "prefixlistname": "com.amazonaws.cn-north-1.s3"
            },
            "cn-northwest-1": {
                "prefixlistid": "pl-79a54010",
                "prefixlistname": "com.amazonaws.cn-northwest-1.s3"
            },
            "eu-central-1": {
                "prefixlistid": "pl-6ea54007",
                "prefixlistname": "com.amazonaws.eu-central-1.s3"
            },
            "eu-central-2": {
                "prefixlistid": "pl-9fa045f6",
                "prefixlistname": "com.amazonaws.eu-central-2.s3"
            },
            "eu-north-1": {
                "prefixlistid": "pl-c3aa4faa",
                "prefixlistname": "com.amazonaws.eu-north-1.s3"
            },
            "eu-south-1": {
                "prefixlistid": "pl-daaa4fb3",
                "prefixlistname": "com.amazonaws.eu-south-1.s3"
            },
            "eu-west-1": {
                "prefixlistid": "pl-6da54004",
                "prefixlistname": "com.amazonaws.eu-west-1.s3"
            },
            "eu-west-2": {
                "prefixlistid": "pl-7ca54015",
                "prefixlistname": "com.amazonaws.eu-west-2.s3"
            },
            "eu-west-3": {
                "prefixlistid": "pl-23ad484a",
                "prefixlistname": "com.amazonaws.eu-west-3.s3"
            },
            "me-central-1": {
                "prefixlistid": "pl-1fbc5976",
                "prefixlistname": "com.amazonaws.me-central-1.s3"
            },
            "me-south-1": {
                "prefixlistid": "pl-85a045ec",
                "prefixlistname": "com.amazonaws.me-south-1.s3"
            },
            "sa-east-1": {
                "prefixlistid": "pl-6aa54003",
                "prefixlistname": "com.amazonaws.sa-east-1.s3"
            },
            "us-east-1": {
                "prefixlistid": "pl-63a5400a",
                "prefixlistname": "com.amazonaws.us-east-1.s3"
            },
            "us-east-2": {
                "prefixlistid": "pl-7ba54012",
                "prefixlistname": "com.amazonaws.us-east-2.s3"
            },
            "us-west-1": {
                "prefixlistid": "pl-6ba54002",
                "prefixlistname": "com.amazonaws.us-west-1.s3"
            },
            "us-west-2": {
                "prefixlistid": "pl-68a54001",
                "prefixlistname": "com.amazonaws.us-west-2.s3"
            }
        }
    },
    "Conditions": {
        "NVirginiaRegionCondition": {
            "Fn::Equals": [{
                    "Ref": "AWS::Region"
                },
                "us-east-1"
            ]
        },
        "ConfigureSourceCondition": {
            "Fn::Not": [{
                "Fn::Equals": [{
                        "Ref": "SourceCidr"
                    },
                    ""
                ]
            }]
        },
        "CreatePrivateSubnetRDPRulesCondition": {
            "Fn::Equals": [{
                    "Ref": "EnableRDPAccessToPrivateVPC"
                },
                "Yes"
            ]
        },
        "CreateMultiAzConfigurationCondition": {
            "Fn::Equals": [{
                    "Ref": "HighAvailabilityConfiguration"
                },
                "Multi-AZ"
            ]
        }
    },
    "Resources": {
        "RDSCustomKMSKey": {
            "Type": "AWS::KMS::Key",
            "Properties": {
                "Description": "KMS Key to encrypt RDS Custom Instances",
                "Enabled": true,
                "EnableKeyRotation": true,
                "PendingWindowInDays": 30,
                "KeyPolicy": {
                    "Version": "2012-10-17",
                    "Id": "key-default-1",
                    "Statement": [{
                        "Sid": "Enable IAM User Permissions",
                        "Effect": "Allow",
                        "Principal": {
                            "AWS": {
                                "Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:root"
                            }
                        },
                        "Action": "kms:*",
                        "Resource": "*"
                    }]
                },
                "KeySpec": "SYMMETRIC_DEFAULT",
                "KeyUsage": "ENCRYPT_DECRYPT",
                "MultiRegion": false
            }
        },
        "RDSCustomKMSKeyAlias": {
            "Type": "AWS::KMS::Alias",
            "Properties": {
                "AliasName": {
                    "Fn::Sub": "alias/${AWS::StackName}-kms-key"
                },
                "TargetKeyId": {
                    "Ref": "RDSCustomKMSKey"
                }
            },
            "DependsOn": "RDSCustomKMSKey"
        },
        "RDSCustomSQLServerInstanceServiceRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "RoleName": {
                    "Fn::Sub": "AWSRDSCustom-${AWS::StackName}-${AWS::Region}"
                },
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Action": "sts:AssumeRole",
                        "Effect": "Allow",
                        "Principal": {
                            "Service": "ec2.amazonaws.com"
                        }
                    }]
                },
                "Path": "/",
                "ManagedPolicyArns": [
                    "arn:aws:iam::aws:policy/AmazonRDSCustomInstanceProfileRolePolicy"
                ]
            },
            "DependsOn": "RDSCustomKMSKey"
        },
        "RDSCustomSQLServerInstanceProfile": {
            "Type": "AWS::IAM::InstanceProfile",
            "Properties": {
                "InstanceProfileName": {
                    "Fn::Sub": "AWSRDSCustom-${AWS::StackName}-${AWS::Region}"
                },
                "Path": "/",
                "Roles": [{
                    "Ref": "RDSCustomSQLServerInstanceServiceRole"
                }]
            },
            "DependsOn": "RDSCustomSQLServerInstanceServiceRole"
        },
        "VPC": {
            "Type": "AWS::EC2::VPC",
            "Properties": {
                "CidrBlock": {
                    "Ref": "VpcCidr"
                },
                "InstanceTenancy": "default",
                "EnableDnsSupport": "true",
                "EnableDnsHostnames": "true",
                "Tags": [{
                    "Key": "Name",
                    "Value": {
                        "Fn::Sub": "${AWS::StackName}-vpc"
                    }
                }]
            }
        },
        "DHCPOptions": {
            "Type": "AWS::EC2::DHCPOptions",
            "Properties": {
                "DomainName": {
                    "Fn::If": [
                        "NVirginiaRegionCondition",
                        "ec2.internal",
                        {
                            "Fn::Join": [
                                "",
                                [{
                                        "Ref": "AWS::Region"
                                    },
                                    ".compute.internal"
                                ]
                            ]
                        }
                    ]
                },
                "DomainNameServers": [
                    "AmazonProvidedDNS"
                ],
                "Tags": [{
                    "Key": "Name",
                    "Value": {
                        "Fn::Sub": "${AWS::StackName}-dhcp"
                    }
                }]
            }
        },
        "VPCDHCPOptionsAssociation": {
            "Type": "AWS::EC2::VPCDHCPOptionsAssociation",
            "Properties": {
                "VpcId": {
                    "Ref": "VPC"
                },
                "DhcpOptionsId": {
                    "Ref": "DHCPOptions"
                }
            },
            "DependsOn": "DHCPOptions"
        },
        "PrivateSubnet1": {
            "Type": "AWS::EC2::Subnet",
            "Properties": {
                "VpcId": {
                    "Ref": "VPC"
                },
                "CidrBlock": {
                    "Ref": "PrivateSubnet1Cidr"
                },
                "AvailabilityZone": {
                    "Fn::Select": ["0", {
                        "Fn::GetAZs": {
                            "Ref": "AWS::Region"
                        }
                    }]
                },
                "MapPublicIpOnLaunch": false,
                "Tags": [{
                    "Key": "Name",
                    "Value": {
                        "Fn::Sub": "${AWS::StackName}-private-subnet-1"
                    }
                }]
            },
            "DependsOn": "VPC"
        },
        "PrivateSubnet2": {
            "Type": "AWS::EC2::Subnet",
            "Properties": {
                "VpcId": {
                    "Ref": "VPC"
                },
                "CidrBlock": {
                    "Ref": "PrivateSubnet2Cidr"
                },
                "AvailabilityZone": {
                    "Fn::Select": ["1", {
                        "Fn::GetAZs": {
                            "Ref": "AWS::Region"
                        }
                    }]
                },
                "MapPublicIpOnLaunch": false,
                "Tags": [{
                    "Key": "Name",
                    "Value": {
                        "Fn::Sub": "${AWS::StackName}-private-subent-2"
                    }
                }]
            },
            "DependsOn": "VPC"
        },
        "PublicSubnet1": {
            "Type": "AWS::EC2::Subnet",
            "Properties": {
                "VpcId": {
                    "Ref": "VPC"
                },
                "CidrBlock": {
                    "Ref": "PublicSubnet1Cidr"
                },
                "AvailabilityZone": {
                    "Fn::Select": ["0", {
                        "Fn::GetAZs": {
                            "Ref": "AWS::Region"
                        }
                    }]
                },
                "MapPublicIpOnLaunch": false,
                "Tags": [{
                    "Key": "Name",
                    "Value": {
                        "Fn::Sub": "${AWS::StackName}-public-subnet-1"
                    }
                }]
            },
            "DependsOn": "VPC"
        },
        "InternetGateway": {
            "Type": "AWS::EC2::InternetGateway",
            "Properties": {
                "Tags": [{
                    "Key": "Name",
                    "Value": {
                        "Fn::Sub": "${AWS::StackName}-igw"
                    }
                }]
            }
        },
        "InternetGatewayVPCAttachment": {
            "Type": "AWS::EC2::VPCGatewayAttachment",
            "Properties": {
                "VpcId": {
                    "Ref": "VPC"
                },
                "InternetGatewayId": {
                    "Ref": "InternetGateway"
                }
            },
            "DependsOn": ["VPC", "InternetGateway"]
        },
        "PrivateRouteTable": {
            "Type": "AWS::EC2::RouteTable",
            "Properties": {
                "VpcId": {
                    "Ref": "VPC"
                },
                "Tags": [{
                    "Key": "Name",
                    "Value": {
                        "Fn::Sub": "${AWS::StackName}-private-route-table"
                    }
                }]
            },
            "DependsOn": "VPC"
        },
        "PublicRouteTable": {
            "Type": "AWS::EC2::RouteTable",
            "Properties": {
                "VpcId": {
                    "Ref": "VPC"
                },
                "Tags": [{
                    "Key": "Name",
                    "Value": {
                        "Fn::Sub": "${AWS::StackName}-public-route-table"
                    }
                }]
            },
            "DependsOn": "VPC"
        },
        "PrivateRouteTableSubent1Association": {
            "Type": "AWS::EC2::SubnetRouteTableAssociation",
            "Properties": {
                "SubnetId": {
                    "Ref": "PrivateSubnet1"
                },
                "RouteTableId": {
                    "Ref": "PrivateRouteTable"
                }
            },
            "DependsOn": ["PrivateSubnet1", "PrivateRouteTable"]
        },
        "PrivateRouteTableSubent2Association": {
            "Type": "AWS::EC2::SubnetRouteTableAssociation",
            "Properties": {
                "SubnetId": {
                    "Ref": "PrivateSubnet2"
                },
                "RouteTableId": {
                    "Ref": "PrivateRouteTable"
                }
            },
            "DependsOn": ["PrivateSubnet2", "PrivateRouteTable"]
        },
        "PublicRouteTableSubent1Association": {
            "Type": "AWS::EC2::SubnetRouteTableAssociation",
            "Properties": {
                "SubnetId": {
                    "Ref": "PublicSubnet1"
                },
                "RouteTableId": {
                    "Ref": "PublicRouteTable"
                }
            },
            "DependsOn": ["PublicSubnet1", "PublicRouteTable"]
        },
        "InternetGatewayRoute": {
            "Type": "AWS::EC2::Route",
            "Properties": {
                "RouteTableId": {
                    "Ref": "PublicRouteTable"
                },
                "DestinationCidrBlock": "0.0.0.0/0",
                "GatewayId": {
                    "Ref": "InternetGateway"
                }
            },
            "DependsOn": ["InternetGateway", "PublicRouteTable"]
        },
        "PrivateNetworkACL": {
            "Type": "AWS::EC2::NetworkAcl",
            "Properties": {
                "VpcId": {
                    "Ref": "VPC"
                },
                "Tags": [{
                    "Key": "Name",
                    "Value": {
                        "Fn::Sub": "${AWS::StackName}-private-network-acl"
                    }
                }]
            },
            "DependsOn": "VPC"
        },
        "PublicNetworkACL": {
            "Type": "AWS::EC2::NetworkAcl",
            "Properties": {
                "VpcId": {
                    "Ref": "VPC"
                },
                "Tags": [{
                    "Key": "Name",
                    "Value": {
                        "Fn::Sub": "${AWS::StackName}-public-network-acl"
                    }
                }]
            },
            "DependsOn": "VPC"
        },
        "PrivateNetworkACLHttpsInboundRule": {
            "Type": "AWS::EC2::NetworkAclEntry",
            "Properties": {
                "NetworkAclId": {
                    "Ref": "PrivateNetworkACL"
                },
                "RuleNumber": 10,
                "Protocol": 6,
                "RuleAction": "allow",
                "CidrBlock": "0.0.0.0/0",
                "PortRange": {
                    "From": 32768,
                    "To": 65535
                }
            },
            "DependsOn": "PrivateNetworkACL"
        },
        "PrivateNetworkACLHttpsOutboundRule": {
            "Type": "AWS::EC2::NetworkAclEntry",
            "Properties": {
                "NetworkAclId": {
                    "Ref": "PrivateNetworkACL"
                },
                "RuleNumber": 10,
                "Protocol": 6,
                "Egress": true,
                "RuleAction": "allow",
                "CidrBlock": "0.0.0.0/0",
                "PortRange": {
                    "From": 443,
                    "To": 443
                }
            },
            "DependsOn": "PrivateNetworkACL"
        },
        "PrivateNetworkACLDenyAllInboundRule": {
            "Type": "AWS::EC2::NetworkAclEntry",
            "Properties": {
                "NetworkAclId": {
                    "Ref": "PrivateNetworkACL"
                },
                "RuleNumber": 100,
                "Protocol": -1,
                "RuleAction": "deny",
                "CidrBlock": "0.0.0.0/0"
            },
            "DependsOn": "PrivateNetworkACL"
        },
        "PrivateNetworkACLDenyAllOutboundRule": {
            "Type": "AWS::EC2::NetworkAclEntry",
            "Properties": {
                "NetworkAclId": {
                    "Ref": "PrivateNetworkACL"
                },
                "RuleNumber": 100,
                "Protocol": -1,
                "Egress": true,
                "RuleAction": "deny",
                "CidrBlock": "0.0.0.0/0"
            },
            "DependsOn": "PrivateNetworkACL"
        },
        "PrivateNetworkACLDbPortInboundRule": {
            "Type": "AWS::EC2::NetworkAclEntry",
            "Properties": {
                "NetworkAclId": {
                    "Ref": "PrivateNetworkACL"
                },
                "RuleNumber": 15,
                "Protocol": 6,
                "RuleAction": "allow",
                "CidrBlock": {
                    "Ref": "PublicSubnet1Cidr"
                },
                "PortRange": {
                    "From": 1433,
                    "To": 1433
                }
            },
            "DependsOn": "PrivateNetworkACL"
        },
        "PrivateNetworkACLDbPortOutboundRule": {
            "Type": "AWS::EC2::NetworkAclEntry",
            "Properties": {
                "NetworkAclId": {
                    "Ref": "PrivateNetworkACL"
                },
                "RuleNumber": 15,
                "Protocol": 6,
                "Egress": true,
                "RuleAction": "allow",
                "CidrBlock": {
                    "Ref": "PublicSubnet1Cidr"
                },
                "PortRange": {
                    "From": 32768,
                    "To": 65535
                }
            },
            "DependsOn": "PrivateNetworkACL"
        },
        "PrivateNetworkACLRDPInboundRule": {
            "Type": "AWS::EC2::NetworkAclEntry",
            "Condition": "CreatePrivateSubnetRDPRulesCondition",
            "Properties": {
                "NetworkAclId": {
                    "Ref": "PrivateNetworkACL"
                },
                "RuleNumber": 17,
                "Protocol": 6,
                "RuleAction": "allow",
                "CidrBlock": {
                    "Ref": "PublicSubnet1Cidr"
                },
                "PortRange": {
                    "From": 3389,
                    "To": 3389
                }
            },
            "DependsOn": "PrivateNetworkACL"
        },
        "PrivateNetworkACLRDPOutboundRule": {
            "Type": "AWS::EC2::NetworkAclEntry",
            "Condition": "CreatePrivateSubnetRDPRulesCondition",
            "Properties": {
                "NetworkAclId": {
                    "Ref": "PrivateNetworkACL"
                },
                "RuleNumber": 17,
                "Protocol": 6,
                "Egress": true,
                "RuleAction": "allow",
                "CidrBlock": {
                    "Ref": "PublicSubnet1Cidr"
                },
                "PortRange": {
                    "From": 1024,
                    "To": 65535
                }
            },
            "DependsOn": "PrivateNetworkACL"
        },
        "PrivateNetworkACLMAZInboundRule1": {
            "Condition": "CreateMultiAzConfigurationCondition",
            "Type": "AWS::EC2::NetworkAclEntry",
            "Properties": {
                "NetworkAclId": {
                    "Ref": "PrivateNetworkACL"
                },
                "RuleNumber": 18,
                "Protocol": 6,
                "RuleAction": "allow",
                "CidrBlock": {
                    "Ref": "PrivateSubnet1Cidr"
                },
                "PortRange": {
                    "From": 0,
                    "To": 65535
                }
            },
            "DependsOn": "PrivateNetworkACL"
        },
        "PrivateNetworkACLMAZInboundRule2": {
            "Condition": "CreateMultiAzConfigurationCondition",
            "Type": "AWS::EC2::NetworkAclEntry",
            "Properties": {
                "NetworkAclId": {
                    "Ref": "PrivateNetworkACL"
                },
                "RuleNumber": 19,
                "Protocol": 6,
                "RuleAction": "allow",
                "CidrBlock": {
                    "Ref": "PrivateSubnet2Cidr"
                },
                "PortRange": {
                    "From": 0,
                    "To": 65535
                }
            },
            "DependsOn": "PrivateNetworkACL"
        },
        "PrivateNetworkACLMAZOutboundRule1": {
            "Condition": "CreateMultiAzConfigurationCondition",
            "Type": "AWS::EC2::NetworkAclEntry",
            "Properties": {
                "NetworkAclId": {
                    "Ref": "PrivateNetworkACL"
                },
                "RuleNumber": 18,
                "Protocol": 6,
                "Egress": true,
                "RuleAction": "allow",
                "CidrBlock": {
                    "Ref": "PrivateSubnet1Cidr"
                },
                "PortRange": {
                    "From": 0,
                    "To": 65535
                }
            },
            "DependsOn": "PrivateNetworkACL"
        },
        "PrivateNetworkACLMAZOutboundRule2": {
            "Condition": "CreateMultiAzConfigurationCondition",
            "Type": "AWS::EC2::NetworkAclEntry",
            "Properties": {
                "NetworkAclId": {
                    "Ref": "PrivateNetworkACL"
                },
                "RuleNumber": 19,
                "Protocol": 6,
                "Egress": true,
                "RuleAction": "allow",
                "CidrBlock": {
                    "Ref": "PrivateSubnet2Cidr"
                },
                "PortRange": {
                    "From": 0,
                    "To": 65535
                }
            },
            "DependsOn": "PrivateNetworkACL"
        },
        "PublicNetworkACLDbPortInboundRule": {
            "Type": "AWS::EC2::NetworkAclEntry",
            "Properties": {
                "NetworkAclId": {
                    "Ref": "PublicNetworkACL"
                },
                "RuleNumber": 10,
                "Protocol": 6,
                "RuleAction": "allow",
                "CidrBlock": {
                    "Ref": "VpcCidr"
                },
                "PortRange": {
                    "From": 32768,
                    "To": 65535
                }
            },
            "DependsOn": "PublicNetworkACL"
        },
        "PublicNetworkACLRDPInboundRule": {
            "Type": "AWS::EC2::NetworkAclEntry",
            "Condition": "ConfigureSourceCondition",
            "Properties": {
                "NetworkAclId": {
                    "Ref": "PublicNetworkACL"
                },
                "RuleNumber": 15,
                "Protocol": 6,
                "RuleAction": "allow",
                "CidrBlock": {
                    "Ref": "SourceCidr"
                },
                "PortRange": {
                    "From": 3389,
                    "To": 3389
                }
            },
            "DependsOn": "PublicNetworkACL"
        },
        "PublicNetworkACLRDPInboundRule2": {
            "Type": "AWS::EC2::NetworkAclEntry",
            "Condition": "CreatePrivateSubnetRDPRulesCondition",
            "Properties": {
                "NetworkAclId": {
                    "Ref": "PublicNetworkACL"
                },
                "RuleNumber": 17,
                "Protocol": 6,
                "RuleAction": "allow",
                "CidrBlock": {
                    "Ref": "VpcCidr"
                },
                "PortRange": {
                    "From": 1024,
                    "To": 65535
                }
            },
            "DependsOn": "PublicNetworkACL"
        },
        "PublicNetworkACLDbPortOutboundRule": {
            "Type": "AWS::EC2::NetworkAclEntry",
            "Properties": {
                "NetworkAclId": {
                    "Ref": "PublicNetworkACL"
                },
                "RuleNumber": 10,
                "Protocol": 6,
                "Egress": true,
                "RuleAction": "allow",
                "CidrBlock": {
                    "Ref": "VpcCidr"
                },
                "PortRange": {
                    "From": 1433,
                    "To": 1433
                }
            },
            "DependsOn": "PublicNetworkACL"
        },
        "PublicNetworkACLRDPOutboundRule": {
            "Type": "AWS::EC2::NetworkAclEntry",
            "Condition": "ConfigureSourceCondition",
            "Properties": {
                "NetworkAclId": {
                    "Ref": "PublicNetworkACL"
                },
                "RuleNumber": 15,
                "Protocol": 6,
                "Egress": true,
                "RuleAction": "allow",
                "CidrBlock": {
                    "Ref": "SourceCidr"
                },
                "PortRange": {
                    "From": 1024,
                    "To": 65535
                }
            },
            "DependsOn": "PublicNetworkACL"
        },
        "PublicNetworkACLRDPOutboundRule2": {
            "Type": "AWS::EC2::NetworkAclEntry",
            "Condition": "CreatePrivateSubnetRDPRulesCondition",
            "Properties": {
                "NetworkAclId": {
                    "Ref": "PublicNetworkACL"
                },
                "RuleNumber": 17,
                "Protocol": 6,
                "Egress": true,
                "RuleAction": "allow",
                "CidrBlock": {
                    "Ref": "VpcCidr"
                },
                "PortRange": {
                    "From": 3389,
                    "To": 3389
                }
            },
            "DependsOn": "PublicNetworkACL"
        },
        "PublicNetworkACLDenyAllInboundRule": {
            "Type": "AWS::EC2::NetworkAclEntry",
            "Properties": {
                "NetworkAclId": {
                    "Ref": "PublicNetworkACL"
                },
                "RuleNumber": 20,
                "Protocol": -1,
                "RuleAction": "deny",
                "CidrBlock": "0.0.0.0/0"
            },
            "DependsOn": "PublicNetworkACL"
        },
        "PublicNetworkACLDenyAllOutboundRule": {
            "Type": "AWS::EC2::NetworkAclEntry",
            "Properties": {
                "NetworkAclId": {
                    "Ref": "PublicNetworkACL"
                },
                "RuleNumber": 20,
                "Protocol": -1,
                "Egress": true,
                "RuleAction": "deny",
                "CidrBlock": "0.0.0.0/0"
            },
            "DependsOn": "PublicNetworkACL"
        },
        "PrivateNetworkAclSubent1Association": {
            "Type": "AWS::EC2::SubnetNetworkAclAssociation",
            "Properties": {
                "SubnetId": {
                    "Ref": "PrivateSubnet1"
                },
                "NetworkAclId": {
                    "Ref": "PrivateNetworkACL"
                }
            },
            "DependsOn": ["PrivateSubnet1", "PrivateNetworkACL"]
        },
        "PrivateNetworkAclSubent2Association": {
            "Type": "AWS::EC2::SubnetNetworkAclAssociation",
            "Properties": {
                "SubnetId": {
                    "Ref": "PrivateSubnet2"
                },
                "NetworkAclId": {
                    "Ref": "PrivateNetworkACL"
                }
            },
            "DependsOn": ["PrivateSubnet2", "PrivateNetworkACL"]
        },
        "PublicNetworkAclSubent1Association": {
            "Type": "AWS::EC2::SubnetNetworkAclAssociation",
            "Properties": {
                "SubnetId": {
                    "Ref": "PublicSubnet1"
                },
                "NetworkAclId": {
                    "Ref": "PublicNetworkACL"
                }
            },
            "DependsOn": ["PublicSubnet1", "PublicNetworkACL"]
        },
        "EC2InstanceSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupName": {
                    "Fn::Sub": "${AWS::StackName}-ec2-instance-sg"
                },
                "GroupDescription": "Security group attached to EC2 Instance",
                "VpcId": {
                    "Ref": "VPC"
                }
            },
            "DependsOn": "VPC"
        },
        "RDSCustomSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupName": {
                    "Fn::Sub": "${AWS::StackName}-rds-custom-instance-sg"
                },
                "GroupDescription": "Security group attached to RDS Custom DB Instance",
                "VpcId": {
                    "Ref": "VPC"
                }
            },
            "DependsOn": "VPC"
        },
        "VPCEndpointSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupName": {
                    "Fn::Sub": "${AWS::StackName}-vpc-endpoint-sg"
                },
                "GroupDescription": "Security group attached to VPC Endpoints",
                "VpcId": {
                    "Ref": "VPC"
                }
            },
            "DependsOn": "VPC"
        },
        "VPCEndpointSecurityGroupIngress": {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {
                "GroupId": {
                    "Ref": "VPCEndpointSecurityGroup"
                },
                "IpProtocol": "tcp",
                "FromPort": 443,
                "ToPort": 443,
                "SourceSecurityGroupId": {
                    "Fn::GetAtt": [
                        "RDSCustomSecurityGroup",
                        "GroupId"
                    ]
                }
            },
            "DependsOn": ["VPCEndpointSecurityGroup", "RDSCustomSecurityGroup"]
        },
        "VPCEndpointSecurityGroupEgress": {
            "Type": "AWS::EC2::SecurityGroupEgress",
            "Properties": {
                "GroupId": {
                    "Ref": "VPCEndpointSecurityGroup"
                },
                "IpProtocol": "tcp",
                "FromPort": 443,
                "ToPort": 443,
                "CidrIp": {
                    "Ref": "VpcCidr"
                }
            },
            "DependsOn": ["VPCEndpointSecurityGroup"]
        },
        "RDSCustomSecurityGroupVpceEgress": {
            "Type": "AWS::EC2::SecurityGroupEgress",
            "Properties": {
                "IpProtocol": "tcp",
                "FromPort": 443,
                "ToPort": 443,
                "DestinationSecurityGroupId": {
                    "Fn::GetAtt": [
                        "VPCEndpointSecurityGroup",
                        "GroupId"
                    ]
                },
                "GroupId": {
                    "Ref": "RDSCustomSecurityGroup"
                }
            },
            "DependsOn": ["RDSCustomSecurityGroup", "VPCEndpointSecurityGroup"]
        },
        "RDSCustomSecurityGroupS3Egress": {
            "Type": "AWS::EC2::SecurityGroupEgress",
            "Properties": {
                "IpProtocol": "tcp",
                "FromPort": 443,
                "ToPort": 443,
                "DestinationPrefixListId": {
                    "Fn::FindInMap": [
                        "S3VPCEndpointRegionalPrefixLists",
                        {
                            "Ref": "AWS::Region"
                        },
                        "prefixlistid"
                    ]
                },
                "GroupId": {
                    "Ref": "RDSCustomSecurityGroup"
                }
            },
            "DependsOn": "RDSCustomSecurityGroup"
        },
        "RDSCustomSecurityGroupDbPortIngress": {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {
                "GroupId": {
                    "Ref": "RDSCustomSecurityGroup"
                },
                "IpProtocol": "tcp",
                "FromPort": 1433,
                "ToPort": 1433,
                "SourceSecurityGroupId": {
                    "Fn::GetAtt": [
                        "EC2InstanceSecurityGroup",
                        "GroupId"
                    ]
                }
            },
            "DependsOn": ["EC2InstanceSecurityGroup", "RDSCustomSecurityGroup"]
        },
        "RDSCustomSecurityGroupRDPPortIngress": {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Condition": "CreatePrivateSubnetRDPRulesCondition",
            "Properties": {
                "GroupId": {
                    "Ref": "RDSCustomSecurityGroup"
                },
                "IpProtocol": "tcp",
                "FromPort": 3389,
                "ToPort": 3389,
                "SourceSecurityGroupId": {
                    "Fn::GetAtt": [
                        "EC2InstanceSecurityGroup",
                        "GroupId"
                    ]
                }
            },
            "DependsOn": ["EC2InstanceSecurityGroup", "RDSCustomSecurityGroup"]
        },
        "RDSCustomSecurityGroupMAZIngress": {
            "Condition": "CreateMultiAzConfigurationCondition",
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {
                "GroupId": {
                    "Ref": "RDSCustomSecurityGroup"
                },
                "IpProtocol": "tcp",
                "FromPort": 1120,
                "ToPort": 1120,
                "SourceSecurityGroupId": {
                    "Fn::GetAtt": [
                        "RDSCustomSecurityGroup",
                        "GroupId"
                    ]
                }
            },
            "DependsOn": ["RDSCustomSecurityGroup"]
        },
        "RDSCustomSecurityGroupMAZEgress": {
            "Condition": "CreateMultiAzConfigurationCondition",
            "Type": "AWS::EC2::SecurityGroupEgress",
            "Properties": {
                "GroupId": {
                    "Ref": "RDSCustomSecurityGroup"
                },
                "IpProtocol": "tcp",
                "FromPort": 1120,
                "ToPort": 1120,
                "DestinationSecurityGroupId": {
                    "Fn::GetAtt": [
                        "RDSCustomSecurityGroup",
                        "GroupId"
                    ]
                }
            },
            "DependsOn": ["RDSCustomSecurityGroup"]
        },
        "EC2InstanceSecurityGroupRDSCustomEgress": {
            "Type": "AWS::EC2::SecurityGroupEgress",
            "Properties": {
                "IpProtocol": "tcp",
                "FromPort": 1433,
                "ToPort": 1433,
                "DestinationSecurityGroupId": {
                    "Fn::GetAtt": [
                        "RDSCustomSecurityGroup",
                        "GroupId"
                    ]
                },
                "GroupId": {
                    "Ref": "EC2InstanceSecurityGroup"
                }
            },
            "DependsOn": ["EC2InstanceSecurityGroup", "RDSCustomSecurityGroup"]
        },
        "EC2InstanceSecurityGroupRDPPortEgress": {
            "Type": "AWS::EC2::SecurityGroupEgress",
            "Condition": "CreatePrivateSubnetRDPRulesCondition",
            "Properties": {
                "IpProtocol": "tcp",
                "FromPort": 3389,
                "ToPort": 3389,
                "DestinationSecurityGroupId": {
                    "Fn::GetAtt": [
                        "RDSCustomSecurityGroup",
                        "GroupId"
                    ]
                },
                "GroupId": {
                    "Ref": "EC2InstanceSecurityGroup"
                }
            },
            "DependsOn": ["EC2InstanceSecurityGroup", "RDSCustomSecurityGroup"]
        },
        "EC2InstanceSecurityGroupRDPIngress": {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Condition": "ConfigureSourceCondition",
            "Properties": {
                "GroupId": {
                    "Ref": "EC2InstanceSecurityGroup"
                },
                "IpProtocol": "tcp",
                "FromPort": 3389,
                "ToPort": 3389,
                "CidrIp": {
                    "Ref": "SourceCidr"
                }
            },
            "DependsOn": ["EC2InstanceSecurityGroup"]
        },
        "DBSubnetGroup": {
            "Type": "AWS::RDS::DBSubnetGroup",
            "Properties": {
                "DBSubnetGroupName": {
                    "Fn::Sub": "${AWS::StackName}-db-subnet-group"
                },
                "DBSubnetGroupDescription": "RDS Custom Private Network",
                "SubnetIds": [{
                        "Ref": "PrivateSubnet1"
                    },
                    {
                        "Ref": "PrivateSubnet2"
                    }
                ]
            },
            "DependsOn": ["PrivateSubnet1", "PrivateSubnet2"]
        },
        "vpceS3": {
            "Type": "AWS::EC2::VPCEndpoint",
            "Properties": {
                "RouteTableIds": [{
                    "Ref": "PrivateRouteTable"
                }],
                "ServiceName": {
                    "Fn::Sub": "com.amazonaws.${AWS::Region}.s3"
                },
                "VpcId": {
                    "Ref": "VPC"
                }
            },
            "DependsOn": ["PrivateRouteTable"]
        },
        "vpceEC2": {
            "Type": "AWS::EC2::VPCEndpoint",
            "Properties": {
                "VpcEndpointType": "Interface",
                "PrivateDnsEnabled": true,
                "SecurityGroupIds": [{
                    "Ref": "VPCEndpointSecurityGroup"
                }],
                "SubnetIds": [{
                        "Ref": "PrivateSubnet1"
                    },
                    {
                        "Ref": "PrivateSubnet2"
                    }
                ],
                "ServiceName": {
                    "Fn::Sub": "com.amazonaws.${AWS::Region}.ec2"
                },
                "VpcId": {
                    "Ref": "VPC"
                }
            },
            "DependsOn": ["PrivateSubnet1", "PrivateSubnet2", "VPCEndpointSecurityGroup"]
        },
        "vpceEC2Messages": {
            "Type": "AWS::EC2::VPCEndpoint",
            "Properties": {
                "VpcEndpointType": "Interface",
                "PrivateDnsEnabled": true,
                "SecurityGroupIds": [{
                    "Ref": "VPCEndpointSecurityGroup"
                }],
                "SubnetIds": [{
                        "Ref": "PrivateSubnet1"
                    },
                    {
                        "Ref": "PrivateSubnet2"
                    }
                ],
                "ServiceName": {
                    "Fn::Sub": "com.amazonaws.${AWS::Region}.ec2messages"
                },
                "VpcId": {
                    "Ref": "VPC"
                }
            },
            "DependsOn": ["PrivateSubnet1", "PrivateSubnet2", "VPCEndpointSecurityGroup"]
        },
        "vpceMonitoring": {
            "Type": "AWS::EC2::VPCEndpoint",
            "Properties": {
                "VpcEndpointType": "Interface",
                "PrivateDnsEnabled": true,
                "SecurityGroupIds": [{
                    "Ref": "VPCEndpointSecurityGroup"
                }],
                "SubnetIds": [{
                        "Ref": "PrivateSubnet1"
                    },
                    {
                        "Ref": "PrivateSubnet2"
                    }
                ],
                "ServiceName": {
                    "Fn::Sub": "com.amazonaws.${AWS::Region}.monitoring"
                },
                "VpcId": {
                    "Ref": "VPC"
                }
            },
            "DependsOn": ["PrivateSubnet1", "PrivateSubnet2", "VPCEndpointSecurityGroup"]
        },
        "vpceSSM": {
            "Type": "AWS::EC2::VPCEndpoint",
            "Properties": {
                "VpcEndpointType": "Interface",
                "PrivateDnsEnabled": true,
                "SecurityGroupIds": [{
                    "Ref": "VPCEndpointSecurityGroup"
                }],
                "SubnetIds": [{
                        "Ref": "PrivateSubnet1"
                    },
                    {
                        "Ref": "PrivateSubnet2"
                    }
                ],
                "ServiceName": {
                    "Fn::Sub": "com.amazonaws.${AWS::Region}.ssm"
                },
                "VpcId": {
                    "Ref": "VPC"
                }
            },
            "DependsOn": ["PrivateSubnet1", "PrivateSubnet2", "VPCEndpointSecurityGroup"]
        },
        "vpceSSMMessages": {
            "Type": "AWS::EC2::VPCEndpoint",
            "Properties": {
                "VpcEndpointType": "Interface",
                "PrivateDnsEnabled": true,
                "SecurityGroupIds": [{
                    "Ref": "VPCEndpointSecurityGroup"
                }],
                "SubnetIds": [{
                        "Ref": "PrivateSubnet1"
                    },
                    {
                        "Ref": "PrivateSubnet2"
                    }
                ],
                "ServiceName": {
                    "Fn::Sub": "com.amazonaws.${AWS::Region}.ssmmessages"
                },
                "VpcId": {
                    "Ref": "VPC"
                }
            },
            "DependsOn": ["PrivateSubnet1", "PrivateSubnet2", "VPCEndpointSecurityGroup"]
        },
        "vpceLogs": {
            "Type": "AWS::EC2::VPCEndpoint",
            "Properties": {
                "VpcEndpointType": "Interface",
                "PrivateDnsEnabled": true,
                "SecurityGroupIds": [{
                    "Ref": "VPCEndpointSecurityGroup"
                }],
                "SubnetIds": [{
                        "Ref": "PrivateSubnet1"
                    },
                    {
                        "Ref": "PrivateSubnet2"
                    }
                ],
                "ServiceName": {
                    "Fn::Sub": "com.amazonaws.${AWS::Region}.logs"
                },
                "VpcId": {
                    "Ref": "VPC"
                }
            },
            "DependsOn": ["PrivateSubnet1", "PrivateSubnet2", "VPCEndpointSecurityGroup"]
        },
        "vpceEvents": {
            "Type": "AWS::EC2::VPCEndpoint",
            "Properties": {
                "VpcEndpointType": "Interface",
                "PrivateDnsEnabled": true,
                "SecurityGroupIds": [{
                    "Ref": "VPCEndpointSecurityGroup"
                }],
                "SubnetIds": [{
                        "Ref": "PrivateSubnet1"
                    },
                    {
                        "Ref": "PrivateSubnet2"
                    }
                ],
                "ServiceName": {
                    "Fn::Sub": "com.amazonaws.${AWS::Region}.events"
                },
                "VpcId": {
                    "Ref": "VPC"
                }
            },
            "DependsOn": ["PrivateSubnet1", "PrivateSubnet2", "VPCEndpointSecurityGroup"]
        },
        "vpceSecretsManager": {
            "Type": "AWS::EC2::VPCEndpoint",
            "Properties": {
                "VpcEndpointType": "Interface",
                "PrivateDnsEnabled": true,
                "SecurityGroupIds": [{
                    "Ref": "VPCEndpointSecurityGroup"
                }],
                "SubnetIds": [{
                        "Ref": "PrivateSubnet1"
                    },
                    {
                        "Ref": "PrivateSubnet2"
                    }
                ],
                "ServiceName": {
                    "Fn::Sub": "com.amazonaws.${AWS::Region}.secretsmanager"
                },
                "VpcId": {
                    "Ref": "VPC"
                }
            },
            "DependsOn": ["PrivateSubnet1", "PrivateSubnet2", "VPCEndpointSecurityGroup"]
        },
        "vpceSQS": {
            "Type": "AWS::EC2::VPCEndpoint",
            "Condition": "CreateMultiAzConfigurationCondition",
            "Properties": {
                "VpcEndpointType": "Interface",
                "PrivateDnsEnabled": true,
                "SecurityGroupIds": [{
                    "Ref": "VPCEndpointSecurityGroup"
                }],
                "SubnetIds": [{
                        "Ref": "PrivateSubnet1"
                    },
                    {
                        "Ref": "PrivateSubnet2"
                    }
                ],
                "ServiceName": {
                    "Fn::Sub": "com.amazonaws.${AWS::Region}.sqs"
                },
                "VpcId": {
                    "Ref": "VPC"
                }
            },
            "DependsOn": ["PrivateSubnet1", "PrivateSubnet2", "VPCEndpointSecurityGroup"]
        }
    },
    "Outputs": {
        "RDSCustomDBSubnetGroup": {
            "Description": "DB subnet group to specify when creating an RDS Custom instance, using the parameter --db-subnet-group-name.",
            "Value": {
                "Ref": "DBSubnetGroup"
            },
            "Export": {
                "Name": {
                    "Fn::Sub": "${AWS::StackName}-SubnetID"
                }
            }
        },
        "VPC": {
            "Description": "VPC for which the DB subnet group is created.",
            "Value": {
                "Fn::Sub": [
                    "${VPCId} [Name: ${VPCName}]",
                    {
                        "VPCId": {
                            "Ref": "VPC"
                        },
                        "VPCName": {
                            "Fn::Sub": "${AWS::StackName}-vpc"
                        }
                    }
                ]
            },
            "Export": {
                "Name": {
                    "Fn::Sub": "${AWS::StackName}-VPCID"
                }
            }
        },
        "EC2InstancePublicSubnet": {
            "Description": "Public subnet in which to create the EC2 instance used to connect to the RDS Custom instance.",
            "Value": {
                "Fn::Sub": [
                    "${SubnetId} [Name: ${SubnetName}]",
                    {
                        "SubnetId": {
                            "Ref": "PublicSubnet1"
                        },
                        "SubnetName": {
                            "Fn::Sub": "${AWS::StackName}-public-subnet-1"
                        }
                    }
                ]
            }
        },
        "RDSCustomSecurityGroup": {
            "Description": "Security group to attach to the RDS Custom instance when creating it, using the parameter --vpc-security-group-ids.",
            "Value": {
                "Fn::GetAtt": ["RDSCustomSecurityGroup", "GroupId"]
            },
            "Export": {
                "Name": {
                    "Fn::Sub": "${AWS::StackName}-RDSCustomSecurityGroup"
                }
            }
        },
        "EC2InstanceSecurityGroup": {
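            "Description": "Security group to attach to the EC2 instance that is used to connect to the RDS Custom instance. Inbound RDP (TCP 3389) to this group is allowed from the SourceCidr parameter when ConfigureSourceCondition is met.",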
            "Value": {
                "Fn::Sub": [
                    "${SGId} [Name: ${SGName}]",
                    {
                        "SGId": {
                            "Ref": "EC2InstanceSecurityGroup"
                        },
                        "SGName": {
                            "Fn::Sub": "${AWS::StackName}-ec2-instance-sg"
                        }
                    }
                ]
            }
        },
        "RDSCustomIAMInstanceProfile": {
            "Description": "IAM instance profile to specify when creating an RDS Custom instance, using the parameter --custom-iam-instance-profile.",
            "Value": {
                "Ref": "RDSCustomSQLServerInstanceProfile"
            },
            "Export": {
                "Name": {
                    "Fn::Sub": "${AWS::StackName}-RDSCustomIAMInstanceProfile"
                }
            }
        },
        "RDSCustomKMSKey": {
            "Description": "KMS key used to encrypt data managed by the RDS Custom instance; specify it when creating the instance, using the parameter --kms-key-id.",
            "Value": {
                "Fn::GetAtt": ["RDSCustomKMSKey", "Arn"]
            },
            "Export": {
                "Name": {
                    "Fn::Sub": "${AWS::StackName}-RDSCustomKMSKey"
                }
            }
        }
    }
}