mirror of
https://github.com/trailofbits/algo.git
synced 2025-04-19 07:37:10 +02:00
4464be8259
If new instance_market_type config.cfg variable specifies 'spot' instead of 'on-demand' then the stack.yml creates a LaunchTemplate resource using spot option. The create EC2 Instance command uses that LaunchTemplate.
221 lines
5.2 KiB
YAML
221 lines
5.2 KiB
YAML
---
|
|
AWSTemplateFormatVersion: '2010-09-09'
|
|
Description: 'Algo VPN stack'
|
|
Parameters:
|
|
InstanceTypeParameter:
|
|
Type: String
|
|
Default: t2.micro
|
|
PublicSSHKeyParameter:
|
|
Type: String
|
|
ImageIdParameter:
|
|
Type: String
|
|
WireGuardPort:
|
|
Type: String
|
|
UseThisElasticIP:
|
|
Type: String
|
|
Default: ''
|
|
EbsEncrypted:
|
|
Type: String
|
|
UserData:
|
|
Type: String
|
|
SshPort:
|
|
Type: String
|
|
InstanceMarketTypeParameter:
|
|
Description: Launch a Spot instance or standard on-demand instance
|
|
Type: String
|
|
Default: on-demand
|
|
AllowedValues:
|
|
- spot
|
|
- on-demand
|
|
Conditions:
|
|
AllocateNewEIP: !Equals [!Ref UseThisElasticIP, '']
|
|
AssociateExistingEIP: !Not [!Equals [!Ref UseThisElasticIP, '']]
|
|
InstanceIsSpot: !Equals [spot, !Ref InstanceMarketTypeParameter]
|
|
Resources:
|
|
VPC:
|
|
Type: AWS::EC2::VPC
|
|
Properties:
|
|
CidrBlock: 172.16.0.0/16
|
|
EnableDnsSupport: true
|
|
EnableDnsHostnames: true
|
|
InstanceTenancy: default
|
|
Tags:
|
|
- Key: Name
|
|
Value: !Ref AWS::StackName
|
|
|
|
VPCIPv6:
|
|
Type: AWS::EC2::VPCCidrBlock
|
|
Properties:
|
|
AmazonProvidedIpv6CidrBlock: true
|
|
VpcId: !Ref VPC
|
|
|
|
InternetGateway:
|
|
Type: AWS::EC2::InternetGateway
|
|
Properties:
|
|
Tags:
|
|
- Key: Name
|
|
Value: !Ref AWS::StackName
|
|
|
|
Subnet:
|
|
Type: AWS::EC2::Subnet
|
|
Properties:
|
|
CidrBlock: 172.16.254.0/23
|
|
MapPublicIpOnLaunch: false
|
|
VpcId: !Ref VPC
|
|
Tags:
|
|
- Key: Name
|
|
Value: !Ref AWS::StackName
|
|
|
|
VPCGatewayAttachment:
|
|
Type: AWS::EC2::VPCGatewayAttachment
|
|
Properties:
|
|
VpcId: !Ref VPC
|
|
InternetGatewayId: !Ref InternetGateway
|
|
|
|
RouteTable:
|
|
Type: AWS::EC2::RouteTable
|
|
Properties:
|
|
VpcId: !Ref VPC
|
|
Tags:
|
|
- Key: Name
|
|
Value: !Ref AWS::StackName
|
|
|
|
Route:
|
|
Type: AWS::EC2::Route
|
|
DependsOn:
|
|
- InternetGateway
|
|
- RouteTable
|
|
- VPCGatewayAttachment
|
|
Properties:
|
|
RouteTableId: !Ref RouteTable
|
|
DestinationCidrBlock: 0.0.0.0/0
|
|
GatewayId: !Ref InternetGateway
|
|
|
|
RouteIPv6:
|
|
Type: AWS::EC2::Route
|
|
DependsOn:
|
|
- InternetGateway
|
|
- RouteTable
|
|
- VPCGatewayAttachment
|
|
Properties:
|
|
RouteTableId: !Ref RouteTable
|
|
DestinationIpv6CidrBlock: "::/0"
|
|
GatewayId: !Ref InternetGateway
|
|
|
|
SubnetIPv6:
|
|
Type: AWS::EC2::SubnetCidrBlock
|
|
DependsOn:
|
|
- RouteIPv6
|
|
- VPC
|
|
- VPCIPv6
|
|
Properties:
|
|
Ipv6CidrBlock:
|
|
"Fn::Join":
|
|
- ""
|
|
- - !Select [0, !Split [ "::", !Select [0, !GetAtt VPC.Ipv6CidrBlocks] ]]
|
|
- "::dead:beef/64"
|
|
SubnetId: !Ref Subnet
|
|
|
|
RouteSubnet:
|
|
Type: "AWS::EC2::SubnetRouteTableAssociation"
|
|
DependsOn:
|
|
- RouteTable
|
|
- Subnet
|
|
- Route
|
|
Properties:
|
|
RouteTableId: !Ref RouteTable
|
|
SubnetId: !Ref Subnet
|
|
|
|
InstanceSecurityGroup:
|
|
Type: AWS::EC2::SecurityGroup
|
|
DependsOn:
|
|
- Subnet
|
|
Properties:
|
|
VpcId: !Ref VPC
|
|
GroupDescription: Enable SSH and IPsec
|
|
SecurityGroupIngress:
|
|
- IpProtocol: tcp
|
|
FromPort: !Ref SshPort
|
|
ToPort: !Ref SshPort
|
|
CidrIp: 0.0.0.0/0
|
|
- IpProtocol: udp
|
|
FromPort: '500'
|
|
ToPort: '500'
|
|
CidrIp: 0.0.0.0/0
|
|
- IpProtocol: udp
|
|
FromPort: '4500'
|
|
ToPort: '4500'
|
|
CidrIp: 0.0.0.0/0
|
|
- IpProtocol: udp
|
|
FromPort: !Ref WireGuardPort
|
|
ToPort: !Ref WireGuardPort
|
|
CidrIp: 0.0.0.0/0
|
|
Tags:
|
|
- Key: Name
|
|
Value: !Ref AWS::StackName
|
|
|
|
EC2LaunchTemplate:
|
|
Type: AWS::EC2::LaunchTemplate
|
|
Condition: InstanceIsSpot # Only create this template if requested
|
|
Properties: # a spot instance_market_type in config.cfg
|
|
LaunchTemplateName: !Ref AWS::StackName
|
|
LaunchTemplateData:
|
|
InstanceMarketOptions:
|
|
MarketType: spot
|
|
|
|
EC2Instance:
|
|
Type: AWS::EC2::Instance
|
|
DependsOn:
|
|
- SubnetIPv6
|
|
- Subnet
|
|
- InstanceSecurityGroup
|
|
Properties:
|
|
InstanceType:
|
|
Ref: InstanceTypeParameter
|
|
BlockDeviceMappings:
|
|
- DeviceName: /dev/sda1
|
|
Ebs:
|
|
DeleteOnTermination: true
|
|
VolumeSize: 8
|
|
Encrypted: !Ref EbsEncrypted
|
|
InstanceInitiatedShutdownBehavior: terminate
|
|
SecurityGroupIds:
|
|
- Ref: InstanceSecurityGroup
|
|
ImageId:
|
|
Ref: ImageIdParameter
|
|
SubnetId: !Ref Subnet
|
|
Ipv6AddressCount: 1
|
|
UserData: !Ref UserData
|
|
LaunchTemplate:
|
|
!If # Only if Conditions created "EC2LaunchTemplate"
|
|
- InstanceIsSpot
|
|
-
|
|
LaunchTemplateId:
|
|
!Ref EC2LaunchTemplate
|
|
Version: 1
|
|
- !Ref AWS::NoValue # Else this LaunchTemplate not set
|
|
Tags:
|
|
- Key: Name
|
|
Value: !Ref AWS::StackName
|
|
|
|
ElasticIP:
|
|
Type: AWS::EC2::EIP
|
|
Condition: AllocateNewEIP
|
|
Properties:
|
|
Domain: vpc
|
|
InstanceId: !Ref EC2Instance
|
|
DependsOn:
|
|
- EC2Instance
|
|
- VPCGatewayAttachment
|
|
|
|
ElasticIPAssociation:
|
|
Type: AWS::EC2::EIPAssociation
|
|
Condition: AssociateExistingEIP
|
|
Properties:
|
|
AllocationId: !Ref UseThisElasticIP
|
|
InstanceId: !Ref EC2Instance
|
|
|
|
|
|
Outputs:
|
|
ElasticIP:
|
|
Value: !GetAtt [EC2Instance, PublicIp]
|