AWS Auto Scaling Group running a single EC2 instance based on Amazon Linux 2 with a fixed public IP address (Elastic IP), alerting, IAM user SSH access, following an immutable infrastructure approach (root volume can be replaced at any time).
Install Node.js and npm first!
```bash
npm i @cfn-modules/asg-singleton-amazon-linux2
```

```yaml
---
AWSTemplateFormatVersion: '2010-09-09'
Description: 'cfn-modules example'
Resources:
  Asg:
    Type: 'AWS::CloudFormation::Stack'
    Properties:
      Parameters:
        VpcModule: !GetAtt 'Vpc.Outputs.StackName' # required
        AlertingModule: !GetAtt 'Alerting.Outputs.StackName' # optional
        BastionModule: !GetAtt 'Bastion.Outputs.StackName' # optional
        HostedZoneModule: !GetAtt 'HostedZone.Outputs.StackName' # optional
        KeyName: '' # optional
        IAMUserSSHAccess: false # optional
        SystemsManagerAccess: true # optional
        InstanceType: 't2.micro' # optional
        Name: 'test' # optional
        AZChar: 'A' # optional
        SubnetReach: 'Public' # optional
        LogGroupRetentionInDays: 14 # optional
        SubDomainNameWithDot: 'test.' # optional
        UserData: '' # optional
        IngressTcpPort1: '' # optional
        IngressTcpClientSgModule1: '' # optional
        IngressTcpPort2: '' # optional
        IngressTcpClientSgModule2: '' # optional
        IngressTcpPort3: '' # optional
        IngressTcpClientSgModule3: '' # optional
        ClientSgModule1: '' # optional
        ClientSgModule2: '' # optional
        ClientSgModule3: '' # optional
        FileSystemModule1: '' # optional
        AmazonLinux2Version: '2.0.20180622.1' # set this to the latest available version!
        ManagedPolicyArns: '' # optional
      TemplateURL: './node_modules/@cfn-modules/asg-singleton-amazon-linux2/module.yml'
```

| Name | Description | Default | Required? | Allowed values |
|---|---|---|---|---|
| VpcModule | Stack name of vpc module | | yes | |
| AlertingModule | Stack name of alerting module | | no | |
| BastionModule | Stack name of module implementing Bastion | | no | |
| HostedZoneModule | Stack name of module implementing HostedZone | | no | |
| KeyName | Key name of the Linux user ec2-user to establish an SSH connection to the EC2 instance | | no | |
| IAMUserSSHAccess | Synchronize public keys of IAM users to enable personalized SSH access (https://github.com/widdix/aws-ec2-ssh)? | false | no | [true, false] |
| SystemsManagerAccess | Enable AWS Systems Manager agent and authorization | true | no | [true, false] |
| InstanceType | The instance type for the EC2 instance | t2.micro | no | |
| Name | The name for the EC2 instance | auto generated value | no | |
| AZChar | Availability zone char | A | no | [A, B, C] |
| SubnetReach | Subnet reach | Public | no | [Public, Private] |
| LogGroupRetentionInDays | Specifies the number of days you want to retain log events | 14 | no | [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653] |
| SubDomainNameWithDot | Name that is used to create the DNS entry with trailing dot, e.g. ${SubDomainNameWithDot}${HostedZoneName}. Leave blank for naked (or apex and bare) domain. Requires HostedZoneModule parameter! | test. | no | |
| UserData | Bash script executed on first instance launch | | no | |
| IngressTcpPort1 | Port allowing ingress TCP traffic | | no | |
| IngressTcpClientSgModule1 | Stack name of client-sg module that is required to access IngressTcpPort1 (if you leave this blank, IngressTcpPort1 is open to the world 0.0.0.0/0) | | no | |
| IngressTcpPort2 | Port allowing ingress TCP traffic | | no | |
| IngressTcpClientSgModule2 | Stack name of client-sg module that is required to access IngressTcpPort2 (if you leave this blank, IngressTcpPort2 is open to the world 0.0.0.0/0) | | no | |
| IngressTcpPort3 | Port allowing ingress TCP traffic | | no | |
| IngressTcpClientSgModule3 | Stack name of client-sg module that is required to access IngressTcpPort3 (if you leave this blank, IngressTcpPort3 is open to the world 0.0.0.0/0) | | no | |
| ClientSgModule1 | Stack name of client-sg module to mark traffic from EC2 instance | | no | |
| ClientSgModule2 | Stack name of client-sg module to mark traffic from EC2 instance | | no | |
| ClientSgModule3 | Stack name of client-sg module to mark traffic from EC2 instance | | no | |
| FileSystemModule1 | Stack name of efs-file-system module mounted to /mnt/efs1 | | no | |
| AmazonLinux2Version | Version of Amazon Linux 2 | 2.0.20180622.1 | no | ['2.0.20190508', '2.0.20181114', '2.0.20180622.1'] |
| ManagedPolicyArns | Comma-delimited list of IAM managed policy ARNs to attach to the instance's IAM role | | no | |
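As an added pre-deployment check (not part of the cfn-modules project), the following script walks a Parameters block for this module, given as a plain Python dict rather than parsed from the YAML, and flags the settings from the table above that widen exposure or leave the instance unreachable: an IngressTcpPortN with a blank IngressTcpClientSgModuleN (open to 0.0.0.0/0), an AmazonLinux2Version older than the newest allowed value, and no login path at all. The sample parameter set at the bottom is constructed.

```python
# Allowed values as listed in the module's parameter table.
ALLOWED_AL2_VERSIONS = ("2.0.20190508", "2.0.20181114", "2.0.20180622.1")

def _blank(value):
    """The example template passes '' for unset optional parameters; treat it as unset."""
    return value is None or str(value).strip() == ""

def newest_al2_version(versions=ALLOWED_AL2_VERSIONS):
    """Versions look like 2.0.YYYYMMDD[.patch]; the newest has the largest date part."""
    return max(versions, key=lambda v: v.split(".")[2])

def check_parameters(params):
    """Return a list of findings (strings) for a module Parameters dict."""
    findings = []
    # An IngressTcpPortN without IngressTcpClientSgModuleN is open to 0.0.0.0/0.
    for n in (1, 2, 3):
        port = params.get(f"IngressTcpPort{n}")
        sg = params.get(f"IngressTcpClientSgModule{n}")
        if not _blank(port) and _blank(sg):
            findings.append(f"IngressTcpPort{n}={port} is open to 0.0.0.0/0 "
                            f"(IngressTcpClientSgModule{n} is blank)")
        elif _blank(port) and not _blank(sg):
            findings.append(f"IngressTcpClientSgModule{n} is set but IngressTcpPort{n} "
                            "is blank, so no ingress rule is created")
    # The template comment asks for the latest available AMI version.
    version = params.get("AmazonLinux2Version", "2.0.20180622.1")
    if version not in ALLOWED_AL2_VERSIONS:
        findings.append(f"AmazonLinux2Version {version} is not an allowed value")
    elif version != newest_al2_version():
        findings.append(f"AmazonLinux2Version {version} is older than {newest_al2_version()}")
    # With SSM, key-based SSH and IAM-user SSH all off, nothing can log in.
    if (params.get("SystemsManagerAccess", True) is False
            and _blank(params.get("KeyName"))
            and params.get("IAMUserSSHAccess", False) is not True):
        findings.append("no login path: SystemsManagerAccess false, KeyName blank, "
                        "IAMUserSSHAccess false")
    return findings

# Constructed sample: SSH open world-wide, HTTPS restricted to a client-sg module.
SAMPLE_PARAMS = {
    "VpcModule": "vpc-stack", "SystemsManagerAccess": True,
    "IngressTcpPort1": 22, "IngressTcpClientSgModule1": "",
    "IngressTcpPort2": 443, "IngressTcpClientSgModule2": "client-sg-stack",
    "AmazonLinux2Version": "2.0.20180622.1",
}

if __name__ == "__main__":
    for finding in check_parameters(SAMPLE_PARAMS):
        print("WARN:", finding)
```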
- Highly available: A single EC2 instance is running at a time (will be automatically replaced in case of failure)
- Scalable: The capacity of a single EC2 instance (CPU, RAM, network, ...) is limited by design
- Secure: Root volume is not encrypted at-rest (not possible unless the AMI is encrypted)
- Secure: Root volume is not backed up
- Monitoring: Network In+Out is not monitored relative to the capacity of the instance type
- If `SystemsManagerAccess` is set to `true`, we no longer attach the AWS managed policy `AmazonEC2RoleforSSM` for security reasons. Instead we only allow the SSM agent to communicate with the backend and we enable Session Manager. If you need more permissions, check out our SSM example.