cloudmason 0.0.1 → 1.0.1

package/commands/helpers/stacks/asg.yaml

@@ -1,224 +1,420 @@
-AWSTemplateFormatVersion: '2010-09-09'
-Description: ASG Cloudformation Template
-
-
-Parameters:
-  InstanceRootDomain:
-    Type: AWS::Route53::HostedZone::Id
-    Description: Hosted Zone
-  InstanceDomain:
-    Type: String
-    Description: Full domain/subdomain name to associate with the ALB
-  ACMDomainCert:
-    Type: String
-    Description: ARN of AWS ACM Certificate
-  VpcId:
-    Type: AWS::EC2::VPC::Id
-    Description: Org VPC
-  InstanceSubnets:
-    Type: List<AWS::EC2::Subnet::Id>
-    Description: Subnets to deploy in
-  MaxEc2Instances:
-    Type: Number
-    Description: Max number of Ec2 instances
-  AmiId:
-    Type: AWS::EC2::Image::Id
-    Description: Max number of Ec2 instances
-  
-
-Resources:
-# ALB
-  AppALB:
-    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
-    Properties:
-      Scheme: internet-facing
-      Type: application
-      IpAddressType: ipv4
-      SecurityGroups: 
-        - !GetAtt AppALBSecurityGroup.GroupId
-      Subnets: !Ref InstanceSubnets
-  AppALBHTTPSListener:
-    Type: AWS::ElasticLoadBalancingV2::Listener
-    Properties:
-      Certificates:
-        - CertificateArn: !Ref ACMDomainCert
-      DefaultActions:
-        - Type: forward
-          ForwardConfig:
-            TargetGroups:
-              - TargetGroupArn: !Ref AppALBTargetGroup
-                Weight: 999
-            TargetGroupStickinessConfig:
-              DurationSeconds: 900
-              Enabled: false
-      LoadBalancerArn: !Ref AppALB
-      Port: 443
-      Protocol: HTTPS
-  AppALBHTTPRedirectListener:
-    Type: AWS::ElasticLoadBalancingV2::Listener
-    Properties:
-      DefaultActions:
-        - RedirectConfig:
-            Port: "443"
-            Protocol: HTTPS
-            StatusCode: HTTP_301
-          Type: redirect
-      LoadBalancerArn: !Ref AppALB
-      Port: 80
-      Protocol: HTTP
-  AppALBSecurityGroup:
-    Type: AWS::EC2::SecurityGroup
-    Properties:
-      VpcId: !Ref VpcId
-      GroupDescription: Allow http to client host
-      SecurityGroupIngress:
-        - IpProtocol: tcp
-          FromPort: 80
-          ToPort: 80
-          CidrIp: 0.0.0.0/0
-        - IpProtocol: tcp
-          FromPort: 443
-          ToPort: 443
-          CidrIp: 0.0.0.0/0
-  AppALBSecurityGroupEgress:
-    Type: AWS::EC2::SecurityGroupEgress
-    Properties:
-      GroupId: !Ref AppALBSecurityGroup
-      Description: Allow ALB to communicate with Ec2
-      IpProtocol: tcp
-      FromPort: 8080
-      ToPort: 8080
-      DestinationSecurityGroupId: !Ref AppEc2SecurityGroup
-  AppALBRouteRecord:
-    Type: AWS::Route53::RecordSet
-    Properties:
-      Type: A
-      Name: !Ref InstanceDomain
-      AliasTarget:
-        DNSName: !GetAtt AppALB.DNSName
-        EvaluateTargetHealth: true
-        HostedZoneId: !GetAtt AppALB.CanonicalHostedZoneID
-      HostedZoneId: !Ref InstanceRootDomain 
-      Region: !Ref AWS::Region
-      SetIdentifier: !Ref AWS::Region
-# Autoscaling Group
-  AppASG:
-    Type: AWS::AutoScaling::AutoScalingGroup
-    Properties:
-      AvailabilityZones:
-        Fn::GetAZs: ""
-      DesiredCapacity: '1'
-      MinSize: '1'
-      MaxSize: !Ref MaxEc2Instances
-      TargetGroupARNs: 
-        - !Ref AppALBTargetGroup
-      LaunchTemplate:
-        LaunchTemplateId: !Ref AppEc2LaunchTemplate
-        Version: !GetAtt AppEc2LaunchTemplate.LatestVersionNumber
-  AppALBTargetGroup:
-    Type: AWS::ElasticLoadBalancingV2::TargetGroup
-    Properties:
-      HealthCheckIntervalSeconds: 30
-      HealthCheckPath: /
-      HealthCheckTimeoutSeconds: 5
-      HealthyThresholdCount: 3
-      Matcher:
-        HttpCode: 200,300,302
-      Port: 8080
-      Protocol: HTTP
-      TargetType: instance
-      UnhealthyThresholdCount: 2
-      VpcId: !Ref VpcId
-  ASGCPUPolicy:
-    Type: AWS::AutoScaling::ScalingPolicy
-    Properties:
-      AutoScalingGroupName: !Ref AppASG
-      PolicyType: TargetTrackingScaling
-      TargetTrackingConfiguration:
-        PredefinedMetricSpecification:
-          PredefinedMetricType: ASGAverageCPUUtilization
-        TargetValue: '70'
-  AppEc2LaunchTemplate:
-    Type: AWS::EC2::LaunchTemplate
-    Properties:
-      LaunchTemplateName: !Sub '${AWS::StackName}_LaunchTemplate'
-      LaunchTemplateData:
-        IamInstanceProfile:
-          Name:
-            Ref: AppEc2Profile
-        UserData: {{user_data}}
-        ImageId: !Ref AmiId
-        DisableApiTermination: "true"
-        InstanceType: t2.small
-        SecurityGroupIds: 
-          - !Ref AppEc2SecurityGroup
-  AppEc2SecurityGroup:
-    Type: AWS::EC2::SecurityGroup
-    Properties:
-      VpcId: !Ref VpcId
-      GroupDescription: Allow http to client host
-      SecurityGroupEgress:
-        - IpProtocol: "-1"
-          CidrIp: 0.0.0.0/0
-  AppEc2SecurityGroupIngress:
-    Type: AWS::EC2::SecurityGroupIngress
-    Properties:
-      GroupId: !Ref AppEc2SecurityGroup
-      Description: Allow 8080 from ALB
-      IpProtocol: "-1"
-      SourceSecurityGroupId: !Ref AppALBSecurityGroup
-# S3 App Bucket
-  AppBucket:
-    Type: AWS::S3::Bucket
-    Properties:
-      BucketName: !Ref InstanceDomain
-      VersioningConfiguration:
-        Status: Enabled
-  AppBucketPolicy:
-    Type: AWS::S3::BucketPolicy
-    Properties: 
-      Bucket: !Ref AppBucket
-      PolicyDocument:
-        Version: '2012-10-17'
-        Statement:
-          - Effect: Allow
-            Principal:
-              AWS:
-                - !GetAtt AppEc2Role.Arn
-            Action:
-              - 's3:GetObject'
-            Resource: 
-              - !Sub arn:aws:s3:::${AppBucket}
-              - !Sub arn:aws:s3:::${AppBucket}/*
-# IAM
-  AppEc2Role:
-    Type: 'AWS::IAM::Role'
-    Properties:
-      AssumeRolePolicyDocument:
-        Version: "2012-10-17"
-        Statement:
-          - Effect: Allow
-            Principal:
-              Service:
-                - ec2.amazonaws.com
-            Action:
-              - 'sts:AssumeRole'
-      Path: !Sub '/apps/${AWS::StackName}/'
-      Policies:
-        - PolicyName: root
-          PolicyDocument:
-            Version: "2012-10-17"
-            Statement:
-              - Effect: Allow
-                Action:
-                  - s3:GetObject
-                  - s3:ListBucket
-                Resource:
-                  - !Sub arn:aws:s3:::${AppBucket}
-                  - !Sub arn:aws:s3:::${AppBucket}/*
-  AppEc2Profile:
-    Type: AWS::IAM::InstanceProfile
-    Properties:
-      Path: !Sub '/apps/${AWS::StackName}/'
-      Roles: 
-        - !Ref AppEc2Role
+AWSTemplateFormatVersion: '2010-09-09'
+Description: ASG Cloudformation Template
+
+
+Parameters:
+  InstanceRootDomain:
+    Type: AWS::Route53::HostedZone::Id
+    Description: Hosted Zone
+  InstanceDomain:
+    Type: String
+    Description: Full domain/subdomain name to associate with the ALB
+    AllowedPattern: ^(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$
+  VpcId:
+    Type: AWS::EC2::VPC::Id
+    Description: Org VPC
+  InstanceSubnets:
+    Type: List<AWS::EC2::Subnet::Id>
+    Description: Subnets to deploy in
+  MaxEc2Instances:
+    Type: Number
+    Description: Max number of Ec2 instances
+    Default: 2
+  EC2InstanceType:
+    Type: String
+    Description: EC2 Instance Type
+    Default: t2.small
+  AdminEmail:
+    Type: String
+    Description: Email for the first admin user
+  AmiId:
+    Type: AWS::EC2::Image::Id
+    Description: Max number of Ec2 instances
+  AppVersion:
+    Type: String
+    Description: Major.minor.build
+  InstanceEnvironment:
+    Type: String
+    Description: Instance enviroment (prod,dev). Setting prod will enable advanced security features.
+  
+
+Resources:
+# ACM Domain
+  ACMDomainCert:
+    Type: 'AWS::CertificateManager::Certificate'
+    Properties:
+      DomainName: !Ref InstanceDomain
+      ValidationMethod: DNS
+      DomainValidationOptions:
+        - DomainName: !Ref InstanceDomain
+          HostedZoneId: !Ref InstanceRootDomain
+# ALB
+  AppALB:
+    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
+    Properties:
+      Scheme: internet-facing
+      Type: application
+      IpAddressType: ipv4
+      SecurityGroups: 
+        - !GetAtt AppALBSecurityGroup.GroupId
+      Subnets: !Ref InstanceSubnets
+  AppALBHTTPSListener:
+    Type: AWS::ElasticLoadBalancingV2::Listener
+    Properties:
+      Certificates:
+        - CertificateArn: !Ref ACMDomainCert
+      DefaultActions:
+        - Type: authenticate-cognito
+          Order: 1
+          AuthenticateCognitoConfig:
+            UserPoolArn: !GetAtt CognitoUserPool.Arn
+            UserPoolClientId: !Ref CognitoUserPoolClient
+            # UserPoolDomain: !Sub '${CognitoUserPool}.auth.${AWS::Region}.amazoncognito.com'
+            # UserPoolDomain: !Ref CognitoUserPoolDomain
+            UserPoolDomain: !Ref CognitoUserPoolDomain
+            OnUnauthenticatedRequest:   "authenticate"
+        - Type: forward
+          Order: 2
+          ForwardConfig:
+            TargetGroups:
+              - TargetGroupArn: !Ref AppALBTargetGroup
+                Weight: 999
+            TargetGroupStickinessConfig:
+              DurationSeconds: 900
+              Enabled: false
+      LoadBalancerArn: !Ref AppALB
+      Port: 443
+      Protocol: HTTPS
+  AppALBHTTPRedirectListener:
+    Type: AWS::ElasticLoadBalancingV2::Listener
+    Properties:
+      DefaultActions:
+        - RedirectConfig:
+            Port: "443"
+            Protocol: HTTPS
+            StatusCode: HTTP_301
+          Type: redirect
+      LoadBalancerArn: !Ref AppALB
+      Port: 80
+      Protocol: HTTP
+  AppALBSecurityGroup:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      VpcId: !Ref VpcId
+      GroupDescription: Allow http to client host
+      SecurityGroupIngress:
+        - IpProtocol: tcp
+          FromPort: 80
+          ToPort: 80
+          CidrIp: 0.0.0.0/0
+        - IpProtocol: tcp
+          FromPort: 443
+          ToPort: 443
+          CidrIp: 0.0.0.0/0
+      SecurityGroupEgress:
+        - IpProtocol: tcp
+          FromPort: 443
+          ToPort: 443
+          CidrIp: 0.0.0.0/0
+  AppALBSecurityGroupEgress:
+    Type: AWS::EC2::SecurityGroupEgress
+    Properties:
+      GroupId: !Ref AppALBSecurityGroup
+      Description: Allow ALB to communicate with Ec2
+      IpProtocol: tcp
+      FromPort: 8080
+      ToPort: 8080
+      DestinationSecurityGroupId: !Ref AppEc2SecurityGroup
+  AppALBRouteRecord:
+    Type: AWS::Route53::RecordSet
+    Properties:
+      Type: A
+      Name: !Ref InstanceDomain
+      AliasTarget:
+        DNSName: !GetAtt AppALB.DNSName
+        EvaluateTargetHealth: true
+        HostedZoneId: !GetAtt AppALB.CanonicalHostedZoneID
+      HostedZoneId: !Ref InstanceRootDomain 
+      Region: !Ref AWS::Region
+      SetIdentifier: !Ref AWS::Region
+# Autoscaling Group
+  AppASG:
+    Type: AWS::AutoScaling::AutoScalingGroup
+    UpdatePolicy:
+      AutoScalingReplacingUpdate:
+        WillReplace: true
+    Properties:
+      AvailabilityZones:
+        Fn::GetAZs: ""
+      DesiredCapacity: '1'
+      MinSize: '1'
+      MaxSize: !Ref MaxEc2Instances
+      TargetGroupARNs: 
+        - !Ref AppALBTargetGroup
+      LaunchTemplate:
+        LaunchTemplateId: !Ref AppEc2LaunchTemplate
+        Version: !GetAtt AppEc2LaunchTemplate.LatestVersionNumber
+  AppALBTargetGroup:
+    Type: AWS::ElasticLoadBalancingV2::TargetGroup
+    Properties:
+      HealthCheckIntervalSeconds: 30
+      HealthCheckPath: /
+      HealthCheckTimeoutSeconds: 5
+      HealthyThresholdCount: 3
+      Matcher:
+        HttpCode: 200,300,302
+      Port: 8080
+      Protocol: HTTP
+      TargetType: instance
+      UnhealthyThresholdCount: 2
+      VpcId: !Ref VpcId
+  ASGCPUPolicy:
+    Type: AWS::AutoScaling::ScalingPolicy
+    Properties:
+      AutoScalingGroupName: !Ref AppASG
+      PolicyType: TargetTrackingScaling
+      TargetTrackingConfiguration:
+        PredefinedMetricSpecification:
+          PredefinedMetricType: ASGAverageCPUUtilization
+        TargetValue: '70'
+  AppEc2LaunchTemplate:
+    Type: AWS::EC2::LaunchTemplate
+    Properties:
+      LaunchTemplateName: !Sub '${AWS::StackName}_LaunchTemplate'
+      LaunchTemplateData:
+        IamInstanceProfile:
+          Name:
+            Ref: AppEc2Profile
+        UserData:
+          Fn::Base64: 
+            !Sub |
+              #!/bin/bash
+              echo "Running user data"
+              cd /home/ec2-user/app
+              echo "${AWS::Region},${AWS::StackName},${InstanceEnvironment}" > mason.txt
+              chmod +x start.sh
+              source start.sh
+        ImageId: !Ref AmiId
+        DisableApiTermination: "true"
+        InstanceType: !Ref EC2InstanceType
+        SecurityGroupIds: 
+          - !Ref AppEc2SecurityGroup
+  AppEc2SecurityGroup:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      VpcId: !Ref VpcId
+      GroupDescription: Allow http to client host
+      SecurityGroupEgress:
+        - IpProtocol: "-1"
+          CidrIp: 0.0.0.0/0
+  AppEc2SecurityGroupIngress:
+    Type: AWS::EC2::SecurityGroupIngress
+    Properties:
+      GroupId: !Ref AppEc2SecurityGroup
+      Description: Allow 8080 from ALB
+      IpProtocol: "-1"
+      SourceSecurityGroupId: !Ref AppALBSecurityGroup
+# DynamoDB Table
+  DynamoDBTable:
+    Type: AWS::DynamoDB::Table
+    Properties:
+      BillingMode: PAY_PER_REQUEST
+      AttributeDefinitions:
+        - AttributeName: pk
+          AttributeType: S
+        - AttributeName: sk
+          AttributeType: S
+      KeySchema:
+        - AttributeName: pk
+          KeyType: HASH
+        - AttributeName: sk
+          KeyType: RANGE
+# S3 App Bucket
+  AppBucket:
+    Type: AWS::S3::Bucket
+    Properties:
+      # BucketName: !Ref InstanceDomain
+      VersioningConfiguration:
+        Status: Enabled
+  AppBucketPolicy:
+    Type: AWS::S3::BucketPolicy
+    Properties: 
+      Bucket: !Ref AppBucket
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Principal:
+              AWS:
+                - !GetAtt AppEc2Role.Arn
+            Action:
+              - 's3:GetObject'
+            Resource: 
+              - !Sub arn:aws:s3:::${AppBucket}
+              - !Sub arn:aws:s3:::${AppBucket}/*
+# Cognito
+  CognitoUserPool:
+    Type: AWS::Cognito::UserPool
+    Properties:
+      AdminCreateUserConfig:
+        AllowAdminCreateUserOnly: True
+      AutoVerifiedAttributes:
+        - email
+      EmailConfiguration:
+        EmailSendingAccount: COGNITO_DEFAULT
+      UsernameAttributes:
+        - email
+      Policies:
+        PasswordPolicy:
+          MinimumLength: 8
+          RequireLowercase: True
+          RequireNumbers: True
+          RequireSymbols: True
+          RequireUppercase: True    
+  CognitoUserPoolClient:
+    Type: AWS::Cognito::UserPoolClient
+    Properties:
+      AllowedOAuthFlows: 
+        - code
+      AllowedOAuthScopes: 
+        - openid
+      AllowedOAuthFlowsUserPoolClient: True
+      UserPoolId: !Ref CognitoUserPool
+      GenerateSecret: true
+      CallbackURLs:
+        - !Sub 'https://${InstanceDomain}/oauth2/idpresponse'
+      SupportedIdentityProviders:
+        - COGNITO
+  CognitoIdentityPool:
+    Type: AWS::Cognito::IdentityPool
+    Properties:
+      AllowUnauthenticatedIdentities: false
+      CognitoIdentityProviders:
+        - ClientId: !Ref CognitoUserPoolClient
+          ProviderName: !GetAtt CognitoUserPool.ProviderName
+  CognitoUserPoolDomain:
+    Type: AWS::Cognito::UserPoolDomain
+    DependsOn: AppALBRouteRecord
+    Properties:
+      Domain: !Sub
+        - 'auth-${StackId}'
+        - StackId: !Select [2, !Split ['/', !Ref AWS::StackId]]
+      UserPoolId: !Ref CognitoUserPool
+  CognitoUsrAdminGroup:
+    Type: AWS::Cognito::UserPoolGroup
+    Properties:
+      GroupName: user-admin
+      UserPoolId: !Ref CognitoUserPool
+      Description: "Admin group for managing users and permissions"
+  CognitoUserAdmin:
+    Type: AWS::Cognito::UserPoolUser
+    Properties:
+      DesiredDeliveryMediums:
+        - EMAIL
+      UserPoolId: !Ref CognitoUserPool
+      Username: !Ref AdminEmail
+  CognitoUserAdminGroupAttachment:
+    Type: AWS::Cognito::UserPoolUserToGroupAttachment
+    Properties:
+      GroupName: !Ref CognitoUsrAdminGroup
+      UserPoolId: !Ref CognitoUserPool
+      Username: !Ref AdminEmail
+# IAM
+  AppEc2Role:
+    Type: 'AWS::IAM::Role'
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service:
+                - ec2.amazonaws.com
+            Action:
+              - 'sts:AssumeRole'
+      Path: !Sub '/apps/${AWS::StackName}/'
+      Policies:
+        - PolicyName: root
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Effect: Allow
+                Action: 'ssm:GetParametersByPath'
+                Resource: !Sub 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${AWS::StackName}*'
+                # Resource: '*'
+              - Effect: Allow
+                Action: 'ssm:GetParameters'
+                # Resource: '*'
+                Resource: !Sub 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${AWS::StackName}*'
+              - Effect: Allow
+                Action: 'ssm:GetParameter'
+                # Resource: '*'
+                Resource: !Sub 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${AWS::StackName}*'
+              - Effect: Allow
+                Action:
+                  - s3:GetObject
+                  - s3:GetObjectAttributes
+                  - s3:ListBucket
+                  - s3:ListBucketVersions
+                  - s3:PutObject
+                  - s3:DeleteObject
+                  - s3:DeleteObjectVersion
+                Resource:
+                  - !Sub arn:aws:s3:::${AppBucket}
+                  - !Sub arn:aws:s3:::${AppBucket}/*
+              - Effect: Allow
+                Action:
+                  - dynamodb:BatchGetItem
+                  - dynamodb:BatchWriteItem
+                  - dynamodb:DeleteItem
+                  - dynamodb:GetItem
+                  - dynamodb:GetRecords
+                  - dynamodb:PutItem
+                  - dynamodb:Query
+                  - dynamodb:Scan
+                  - dynamodb:UpdateItem
+                Resource:
+                  - !GetAtt DynamoDBTable.Arn
+  AppEc2Profile:
+    Type: AWS::IAM::InstanceProfile
+    Properties:
+      Path: !Sub '/apps/${AWS::StackName}/'
+      Roles: 
+        - !Ref AppEc2Role
+# Params
+  ParamRegion:
+    Type: 'AWS::SSM::Parameter'
+    Properties:
+      Name: !Sub '/${AWS::StackName}/region'
+      Type: 'String'
+      Value: !Sub '${AWS::Region}'
+  ParamS3BUcket:
+    Type: 'AWS::SSM::Parameter'
+    Properties:
+      Name: !Sub '/${AWS::StackName}/s3Bucket'
+      Type: 'String'
+      Value: !Ref AppBucket
+  ParamUserPoolId:
+    Type: 'AWS::SSM::Parameter'
+    Properties:
+      Name: !Sub '/${AWS::StackName}/userpoolid'
+      Type: 'String'
+      Value: !Ref CognitoUserPool
+  ParamDDTable:
+    Type: 'AWS::SSM::Parameter'
+    Properties:
+      Name: !Sub '/${AWS::StackName}/ddbtable'
+      Type: 'String'
+      Value: !Ref DynamoDBTable
+  ParamVersion:
+    Type: 'AWS::SSM::Parameter'
+    Properties:
+      Name: !Sub '/${AWS::StackName}/version'
+      Type: 'String'
+      Value: !Ref AppVersion
+  ParamEnvironment:
+    Type: 'AWS::SSM::Parameter'
+    Properties:
+      Name: !Sub '/${AWS::StackName}/env'
+      Type: 'String'
+      Value: !Ref InstanceEnvironment