README
cfn-modules: AWS EC2 instance (Amazon Linux 2)
AWS EC2 instance based on Amazon Linux 2 with a fixed public IP address (Elastic IP), auto recovery, alerting, IAM user SSH access, following an mutable infrastructure approach (root volume is reused in case of auto recovery).
Install
Install Node.js and npm first!
npm i @cfn-modules/ec2-instance-amazon-linux2
Usage
---
AWSTemplateFormatVersion: '2010-09-09'
Description: 'cfn-modules example'
Resources:
Instance:
Type: 'AWS::CloudFormation::Stack'
Properties:
Parameters:
VpcModule: !GetAtt 'Vpc.Outputs.StackName' # required
AlertingModule: !GetAtt 'Alerting.Outputs.StackName' # optional
BastionModule: !GetAtt 'Bastion.Outputs.StackName' # optional
HostedZoneModule: !GetAtt 'HostedZone.Outputs.StackName' # optional
KeyName: '' # optional
IAMUserSSHAccess: 'false' # optional
SystemsManagerAccess: 'true' # optional
InstanceType: 't2.micro' # optional
Name: 'test' # optional
AZChar: 'A' # optional
SubnetReach: 'Public' # optional
LogGroupRetentionInDays: '14' # optional
SubDomainNameWithDot: 'test.' # optional
UserData: '' # optional
IngressTcpPort1: '' # optional
IngressTcpClientSgModule1: '' # optional
IngressTcpPort2: '' # optional
IngressTcpClientSgModule2: '' # optional
IngressTcpPort3: '' # optional
IngressTcpClientSgModule3: '' # optional
ClientSgModule1: '' # optional
ClientSgModule2: '' # optional
ClientSgModule3: '' # optional
FileSystemModule1: '' # optional
VolumeModule1: '' # optional
AmazonLinux2Version: '2.0.20180622.1' # set this to the latest available version!
ManagedPolicyArns: '' # optional
TemplateURL: './node_modules/@cfn-modules/ec2-instance-amazon-linux2/module.yml'
Examples
Related modules
Parameters
Name | Description | Default | Required? | Allowed values |
---|---|---|---|---|
VpcModule | Stack name of vpc module | yes | ||
AlertingModule | Stack name of alerting module | no | ||
BastionModule | Stack name of module implementing Bastion | no | ||
HostedZoneModule | Stack name of module implementing HostedZone | no | ||
KeyName | Key name of the Linux user ec2-user to establish a SSH connection to the EC2 instance (update requires replacement of root volume = data loss!) | no | ||
IAMUserSSHAccess | Synchronize public keys of IAM users to enable personalized SSH access (https://github.com/widdix/aws-ec2-ssh)? | false | no | [true, false] |
SystemsManagerAccess | Enable AWS Systems Manager agent and authorization | true | no | [true, false] |
InstanceType | The instance type for the EC2 instance | t2.micro | no | |
Name | The name for the EC2 instance | auto generated value | no | |
AZChar | Availability zone char (update requires replacement of root volume = data loss!) | A | no | [A, B, C] |
SubnetReach | Subnet reach (update requires replacement of root volume = data loss!) | Public | no | [Public, Private] |
LogGroupRetentionInDays | Specifies the number of days you want to retain log events | 14 | no | [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653] |
SubDomainNameWithDot | Name that is used to create the DNS entry with trailing dot, e.g. §{SubDomainNameWithDot}§{HostedZoneName}. Leave blank for naked (or apex and bare) domain. Requires HostedZoneModule parameter! | test. | no | |
UserData | Bash script executed on first instance launch | no | ||
IngressTcpPort1 | Port allowing ingress TCP traffic | no | ||
IngressTcpClientSgModule1 | Stack name of client-sg module that is required to access IngressTcpPort1 (if you leave this blank, IngressTcpPort1 is open to the world 0.0.0.0/0) | no | ||
IngressTcpPort2 | Port allowing ingress TCP traffic | no | ||
IngressTcpClientSgModule2 | Stack name of client-sg module that is required to access IngressTcpPort2 (if you leave this blank, IngressTcpPort2 is open to the world 0.0.0.0/0) | no | ||
IngressTcpPort3 | Port allowing ingress TCP traffic | no | ||
IngressTcpClientSgModule3 | Stack name of client-sg module that is required to access IngressTcpPort3 (if you leave this blank, IngressTcpPort3 is open to the world 0.0.0.0/0) | no | ||
ClientSgModule1 | Stack name of client-sg module to mark traffic from EC2 instance | no | ||
ClientSgModule2 | Stack name of client-sg module to mark traffic from EC2 instance | no | ||
ClientSgModule3 | Stack name of client-sg module to mark traffic from EC2 instance | no | ||
FileSystemModule1 | Stack name of efs-file-system module mounted to /mnt/efs1/ (update is not supported) | no | ||
VolumeModule1 | Stack name of ebs-volume mounted to /mnt/volume1/ (update is not supported) | no | ||
AmazonLinux2Version | Version of Amazon Linux 2 (update requires replacement of root volume = data loss!) | 2.0.20180622.1 | no | ['2.0.20190508', '2.0.20181114', '2.0.20180622.1'] |
ManagedPolicyArns | Comma-delimited list of IAM managed policy ARNs to attach to the instance's IAM role | no |
Limitations
- Highly available: EC2 instances only live in a single AZ by design
- Scalable: EC2 instances capacity (CPU, RAM, network, ...) is limited by design
- Secure: Root volume is not encrypted at-rest (not possible unless the AMI is encrypted)
- Secure: Root volume it not backed up
- Monitoring: Network In+Out is not monitored according to capacity of instance type
Migration Guides
Migrate to v2
- If
SystemsManagerAccess
is set totrue
, we no longer attach the AWS managed policyAmazonEC2RoleforSSM
for security reasons. Instead we only allow the SSM agent to communicate with the backend and we enable Session Manager. If you need more permissions, checkout our SSM example.