AWS EC2 instance based on Amazon Linux 2 with a fixed public IP address (Elastic IP), auto recovery, alerting, IAM user SSH access, following an mutable infrastructure approach (root volume is reused in case of auto recovery).
Install Node.js and npm first!
npm i @cfn-modules/ec2-instance-amazon-linux2 --- AWSTemplateFormatVersion: '2010-09-09' Description: 'cfn-modules example' Resources: Instance: Type: 'AWS::CloudFormation::Stack' Properties: Parameters: VpcModule: !GetAtt 'Vpc.Outputs.StackName' # required AlertingModule: !GetAtt 'Alerting.Outputs.StackName' # optional BastionModule: !GetAtt 'Bastion.Outputs.StackName' # optional HostedZoneModule: !GetAtt 'HostedZone.Outputs.StackName' # optional KeyName: '' # optional IAMUserSSHAccess: 'false' # optional SystemsManagerAccess: 'true' # optional InstanceType: 't2.micro' # optional Name: 'test' # optional AZChar: 'A' # optional SubnetReach: 'Public' # optional LogGroupRetentionInDays: '14' # optional SubDomainNameWithDot: 'test.' # optional UserData: '' # optional IngressTcpPort1: '' # optional IngressTcpClientSgModule1: '' # optional IngressTcpPort2: '' # optional IngressTcpClientSgModule2: '' # optional IngressTcpPort3: '' # optional IngressTcpClientSgModule3: '' # optional ClientSgModule1: '' # optional ClientSgModule2: '' # optional ClientSgModule3: '' # optional FileSystemModule1: '' # optional VolumeModule1: '' # optional AmazonLinux2Version: '2.0.20180622.1' # set this to the latest available version! ManagedPolicyArns: '' # optional TemplateURL: './node_modules/@cfn-modules/ec2-instance-amazon-linux2/module.yml' | Name | Description | Default | Required? | Allowed values |
|---|---|---|---|---|
| VpcModule | Stack name of vpc module | yes | ||
| AlertingModule | Stack name of alerting module | no | ||
| BastionModule | Stack name of module implementing Bastion | no | ||
| HostedZoneModule | Stack name of module implementing HostedZone | no | ||
| KeyName | Key name of the Linux user ec2-user to establish a SSH connection to the EC2 instance (update requires replacement of root volume = data loss!) | no | ||
| IAMUserSSHAccess | Synchronize public keys of IAM users to enable personalized SSH access (https://github.com/widdix/aws-ec2-ssh)? | false | no | [true, false] |
| SystemsManagerAccess | Enable AWS Systems Manager agent and authorization | true | no | [true, false] |
| InstanceType | The instance type for the EC2 instance | t2.micro | no | |
| Name | The name for the EC2 instance | auto generated value | no | |
| AZChar | Availability zone char (update requires replacement of root volume = data loss!) | A | no | [A, B, C] |
| SubnetReach | Subnet reach (update requires replacement of root volume = data loss!) | Public | no | [Public, Private] |
| LogGroupRetentionInDays | Specifies the number of days you want to retain log events | 14 | no | [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653] |
| SubDomainNameWithDot | Name that is used to create the DNS entry with trailing dot, e.g. §{SubDomainNameWithDot}§{HostedZoneName}. Leave blank for naked (or apex and bare) domain. Requires HostedZoneModule parameter! | test. | no | |
| UserData | Bash script executed on first instance launch | no | ||
| IngressTcpPort1 | Port allowing ingress TCP traffic | no | ||
| IngressTcpClientSgModule1 | Stack name of client-sg module that is required to access IngressTcpPort1 (if you leave this blank, IngressTcpPort1 is open to the world 0.0.0.0/0) | no | ||
| IngressTcpPort2 | Port allowing ingress TCP traffic | no | ||
| IngressTcpClientSgModule2 | Stack name of client-sg module that is required to access IngressTcpPort2 (if you leave this blank, IngressTcpPort2 is open to the world 0.0.0.0/0) | no | ||
| IngressTcpPort3 | Port allowing ingress TCP traffic | no | ||
| IngressTcpClientSgModule3 | Stack name of client-sg module that is required to access IngressTcpPort3 (if you leave this blank, IngressTcpPort3 is open to the world 0.0.0.0/0) | no | ||
| ClientSgModule1 | Stack name of client-sg module to mark traffic from EC2 instance | no | ||
| ClientSgModule2 | Stack name of client-sg module to mark traffic from EC2 instance | no | ||
| ClientSgModule3 | Stack name of client-sg module to mark traffic from EC2 instance | no | ||
| FileSystemModule1 | Stack name of efs-file-system module mounted to /mnt/efs1/ (update is not supported) | no | ||
| VolumeModule1 | Stack name of ebs-volume mounted to /mnt/volume1/ (update is not supported) | no | ||
| AmazonLinux2Version | Version of Amazon Linux 2 (update requires replacement of root volume = data loss!) | 2.0.20180622.1 | no | ['2.0.20190508', '2.0.20181114', '2.0.20180622.1'] |
| ManagedPolicyArns | Comma-delimited list of IAM managed policy ARNs to attach to the instance's IAM role | no |
- Highly available: EC2 instances only live in a single AZ by design
- Scalable: EC2 instances capacity (CPU, RAM, network, ...) is limited by design
- Secure: Root volume is not encrypted at-rest (not possible unless the AMI is encrypted)
- Secure: Root volume it not backed up
- Monitoring: Network In+Out is not monitored according to capacity of instance type
- If
SystemsManagerAccessis set totrue, we no longer attach the AWS managed policyAmazonEC2RoleforSSMfor security reasons. Instead we only allow the SSM agent to communicate with the backend and we enable Session Manager. If you need more permissions, checkout our SSM example.