cfhl-component-simple-instance/simple-instance.cfndsl.rb at master · toshke/cfhl-component-simple-instance · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
CloudFormation do

  user_data = external_parameters.fetch(:user_data, 'echo "Hello World!!"')
  create_role = external_parameters.fetch(:create_role, false)
  name = external_parameters.fetch(:name, 'EC2Server')
  public_ip = external_parameters.fetch(:public_ip, false)
  device_mappings = external_parameters.fetch(:device_mappings, nil)

  Condition(:KeyGiven, FnNot(FnEquals(Ref(:KeyName), '')))
  Condition(:InstanceProfileGiven, FnNot(FnEquals(Ref(:InstanceProfile), ''))) unless create_role

  ingress_rules = []
  allow_incoming.each do |it|
    rule = { CidrIp: it['range'], IpProtocol: it.fetch('protocol', 'tcp') }
    if it['port'].to_s.include? '-'
      rule[:FromPort] = it['port'].split('-')[0].to_i
      rule[:ToPort] = it['port'].split('-')[1].to_i
    else
      rule[:FromPort] = it['port'].to_i
      rule[:ToPort] = it['port'].to_i
    end
    ingress_rules << rule
  end

  device_mappings = [
      {
          DeviceName: '/dev/xvda', Ebs:
          {
              Encrypted: true,
              KmsKeyId: 'alias/aws/ebs',
              VolumeSize: Ref(:RootVolumeSpace),
              DeleteOnTermination: true,
          }
      }
  ] if device_mappings.nil?
  begin
    IAM_Role(:Role) do
      Path '/'
      AssumeRolePolicyDocument service_assume_role_policy('ec2')
      ManagedPolicyArns managed_policies unless managed_policies.empty?
      Policies policies unless policies.empty?
    end

    IAM_InstanceProfile(:InstanceProfile) do
      Path '/'
      Roles [Ref(:Role)]
    end
  end if create_role


  EC2_Instance(:Instance) do
    ImageId Ref(:Ami)
    Tags [{ Key: 'Name', Value: Ref(:Name) }]
    InstanceType Ref(:InstanceType)
    KeyName FnIf(:KeyGiven, Ref(:KeyName), Ref('AWS::NoValue'))
    DisableApiTermination Ref(:TerminationProtection)
    BlockDeviceMappings device_mappings
    IamInstanceProfile FnIf(:InstanceProfileGiven, Ref(:InstanceProfile), Ref('AWS::NoValue')) unless create_role
    IamInstanceProfile Ref(:InstanceProfile) if create_role
    UserData FnBase64(FnSub(File.read "#{template_dir}/user_data.sh")) if File.exist? "#{template_dir}/user_data.sh"
    UserData FnBase64(FnSub((user_data))) unless user_data.nil?
    if public_ip
      NetworkInterfaces([{
          "AssociatePublicIpAddress": "true",
          "DeviceIndex": "0",
          "GroupSet": [Ref(:InstanceSecurityGroup)],
          "SubnetId": Ref(:SubnetId)
      }])
    else
      SecurityGroupIds [Ref(:InstanceSecurityGroup)]
      SubnetId Ref(:SubnetId)
    end
  end

  EC2_SecurityGroup(:InstanceSecurityGroup) do
    VpcId Ref('VpcId')
    GroupDescription "#{name} - ASG SG"
    SecurityGroupIngress ingress_rules unless ingress_rules.empty?
  end

  Output(:SecurityGroup) do
    Value(Ref(:InstanceSecurityGroup))
  end
  Output(:InstanceId) do
    Value(Ref(:Instance))
  end
end