adding zed-lake project

2025-10-13 20:30:00 +00:00
parent e9467a170e
commit 1891145e03
5 changed files with 721 additions and 1 deletions
--- a/zed-lake/zed-iac/cloudformation/zed-instance-create
+++ b/zed-lake/zed-iac/cloudformation/zed-instance-create
@@ -0,0 +1,12 @@
+aws cloudformation create-stack \
+    --stack-name zed-lake-$(uuidgen) \
+    --template-body file://zed_stack.yaml \
+    --parameters \
+        ParameterKey=AmiId,ParameterValue=ami-0abcde123456 \
+        ParameterKey=CloudConfig,ParameterValue="$(cat ../../zed-lake.yaml | base64 -w 0)" \
+        ParameterKey=UniqueSuffix,ParameterValue=$(tr -dc 'a-z0-9' < /dev/urandom | head -c 10) \
+    --capabilities CAPABILITY_NAMED_IAM
+
+aws cloudformation describe-stacks \
+    --stack-name my-zed-lake-stack-<unique-id> \
+    --query 'Stacks[0].Outputs'
--- a/zed-lake/zed-iac/cloudformation/zed_stack.yaml
+++ b/zed-lake/zed-iac/cloudformation/zed_stack.yaml
@@ -0,0 +1,259 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: 'CloudFormation stack for deploying a Zed Lake.'
+
+Metadata:
+  'AWS::CloudFormation::Interface':
+    ParameterGroups:
+      - Label:
+          default: 'Networking Configuration'
+        Parameters:
+          - VpcCidr
+          - SubnetCidr
+      - Label:
+          default: 'EC2 Configuration'
+        Parameters:
+          - InstanceType
+          - AmiId
+      - Label:
+          default: 'User Data'
+        Parameters:
+          - CloudConfig
+      - Label:
+          default: 'Unique Suffix'
+        Parameters:
+          - UniqueSuffix
+
+
+Parameters:
+  VpcCidr:
+    Type: String
+    Default: 10.0.0.0/16
+    Description: CIDR block for the VPC.
+  SubnetCidr:
+    Type: String
+    Default: 10.0.1.0/24
+    Description: CIDR block for the subnet.
+  InstanceType:
+    Type: String
+    Default: t3.small
+    Description: EC2 instance type.
+  AmiId:
+    Type: AWS::EC2::Image::Id
+    Description: The ID of the AMI to use for the EC2 instance (e.g., latest Amazon Linux 2 or Ubuntu).
+  CloudConfig:
+    Type: String
+    Description: Base64-encoded cloud-config script for EC2 user data, which will handle SSH key injection.
+  UniqueSuffix:
+    Type: String
+    Description: User supplied unique alphanumeric suffix for resource uniqueness.
+
+
+Resources:
+# Networking
+  VPC:
+    Type: AWS::EC2::VPC
+    Properties:
+      CidrBlock: !Ref VpcCidr
+      EnableDnsSupport: 'true'
+      EnableDnsHostnames: 'true'
+      Tags:
+        - Key: use_case
+          Value: zed_lake
+
+  InternetGateway:
+    Type: AWS::EC2::InternetGateway
+    Properties:
+      Tags:
+        - Key: use_case
+          Value: zed_lake
+
+  AttachGateway:
+    Type: AWS::EC2::VPCGatewayAttachment
+    Properties:
+      VpcId: !Ref VPC
+      InternetGatewayId: !Ref InternetGateway
+
+  PublicSubnet:
+    Type: AWS::EC2::Subnet
+    Properties:
+      VpcId: !Ref VPC
+      CidrBlock: !Ref SubnetCidr
+      MapPublicIpOnLaunch: 'true'
+      AvailabilityZone: !Select [ 0, !GetAZs ]
+      Tags:
+        - Key: use_case
+          Value: zed_lake
+
+  RouteTable:
+    Type: AWS::EC2::RouteTable
+    Properties:
+      VpcId: !Ref VPC
+      Tags:
+        - Key: use_case
+          Value: zed_lake
+
+  RouteToInternet:
+    Type: AWS::EC2::Route
+    DependsOn: AttachGateway
+    Properties:
+      RouteTableId: !Ref RouteTable
+      DestinationCidrBlock: 0.0.0.0/0
+      GatewayId: !Ref InternetGateway
+
+  SubnetRouteTableAssociation:
+    Type: AWS::EC2::SubnetRouteTableAssociation
+    Properties:
+      SubnetId: !Ref PublicSubnet
+      RouteTableId: !Ref RouteTable
+
+  EC2SecurityGroup:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      VpcId: !Ref VPC
+      GroupDescription: Enable SSH (22) and Zed Lake (9867) access from my IP.
+      SecurityGroupIngress:
+        - IpProtocol: tcp
+          FromPort: 22
+          ToPort: 22
+          CidrIp: x.x.x.x/32
+          Description: SSH from my IP
+
+        - IpProtocol: tcp
+          FromPort: 9867
+          ToPort: 9867
+          CidrIp: x.x.x.x/32
+          Description: Zed Lake access from my IP
+      Tags:
+        - Key: use_case
+          Value: zed_lake
+
+# S3 Bucket Creation
+  ZedLakeBucket:
+    Type: AWS::S3::Bucket
+    Properties:
+      BucketName: !Sub 'zed-lake-${UniqueSuffix}'
+      VersioningConfiguration:
+        Status: Enabled
+      Tags:
+        - Key: use_case
+          Value: zed_lake
+
+# Identity creation
+  ZedLakeInstanceProfile:
+    Type: AWS::IAM::InstanceProfile
+    Properties:
+      Roles:
+        - !Ref ZedLakeEC2Role
+
+  ZedLakeEC2Role:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service:
+                - ec2.amazonaws.com
+            Action:
+              - sts:AssumeRole
+      Path: /
+      Policies:
+        - PolicyName: !Sub 'zed-lake-access-${UniqueSuffix}'
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Effect: Allow
+                Action:
+                  - s3:GetObject
+                  - s3:ListBucket
+                  - s3:GetBucketLocation
+                Resource:
+                  - !GetAtt ZedLakeBucket.Arn
+                  - !Sub '${ZedLakeBucket.Arn}/*'
+              - Effect: Allow
+                Action:
+                  - s3:ListAllMyBuckets
+                Resource: '*'
+
+  ZedLakeUploader:
+    Type: AWS::IAM::User
+    Properties:
+      UserName: !Sub 'zed-lake-uploader-${UniqueSuffix}'
+      Tags:
+        - Key: use_case
+          Value: zed_lake
+
+  ZedLakeUploaderPolicy:
+    Type: AWS::IAM::Policy
+    Properties:
+      PolicyName: !Sub 'zed-lake-uploader-${UniqueSuffix}'
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Action:
+              - s3:PutObject
+              - s3:GetObject
+              - s3:ListBucket
+              - s3:DeleteObject
+            Resource:
+              - !GetAtt ZedLakeBucket.Arn
+              - !Sub '${ZedLakeBucket.Arn}/*'
+      Users:
+        - !Ref ZedLakeUploader
+
+  ZedLakeUploaderAccessKey:
+    Type: AWS::IAM::AccessKey
+    Properties:
+      UserName: !Ref ZedLakeUploader
+      Status: Active
+
+  ZedLakeUploaderCreds:
+    Type: AWS::SecretsManager::Secret
+    Properties:
+      Name: !Sub '/zed-lake/zed-lake-uploader-${UniqueSuffix}'
+      Description: Credentials for the S3 Uploader IAM User.
+      SecretString: !Sub |
+        {
+          "ACCESS_KEY": "${ZedLakeUploaderAccessKey}",
+          "SECRET_KEY": "${ZedLakeUploaderAccessKey.SecretAccessKey}"
+        }
+
+# EC2 Creation
+  EC2Instance:
+    Type: AWS::EC2::Instance
+    DependsOn:
+      - AttachGateway
+    Properties:
+      ImageId: !Ref AmiId
+      InstanceType: !Ref InstanceType
+      SubnetId: !Ref PublicSubnet
+      SecurityGroupIds:
+        - !Ref EC2SecurityGroup
+      IamInstanceProfile: !Ref ZedLakeInstanceProfile
+      UserData: !Ref CloudConfig
+      Tags:
+        - Key: use_case
+          Value: zed_lake
+
+Outputs:
+  VPCId:
+    Description: The ID of the newly created VPC
+    Value: !Ref VPC
+  PublicSubnetId:
+    Description: The ID of the public subnet
+    Value: !Ref PublicSubnet
+  EC2PublicIP:
+    Description: Public IP address of the EC2 instance
+    Value: !GetAtt EC2Instance.PublicIp
+  ZedLakeBucket:
+    Description: S3 bucket for data upload
+    Value: !Ref ZedLakeBucket
+  ZedLakeUploader:
+    Description: Zed Lake IAM user to upload to the Zed Lake bucket
+    Value: !Ref ZedLakeUploader
+  ZedLakeUploaderCreds:
+    Description: Secret ARN for ZedLakeUpload identity.
+    Value: !Ref ZedLakeUploaderCreds
+