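---
AWSTemplateFormatVersion: '2010-09-09'
Description: 'CloudFormation stack for deploying a Zed Lake.'

# Console-only grouping of the parameters below; has no effect on deployment.
Metadata:
  'AWS::CloudFormation::Interface':
    ParameterGroups:
      - Label:
          default: 'Networking Configuration'
        Parameters:
          - VpcCidr
          - SubnetCidr
          - AllowedIngressCidr
      - Label:
          default: 'EC2 Configuration'
        Parameters:
          - InstanceType
          - AmiId
      - Label:
          default: 'User Data'
        Parameters:
          - CloudConfig
      - Label:
          default: 'Unique Suffix'
        Parameters:
          - UniqueSuffix

Parameters:
  VpcCidr:
    Type: String
    Default: 10.0.0.0/16
    Description: CIDR block for the VPC.
  SubnetCidr:
    Type: String
    Default: 10.0.1.0/24
    Description: CIDR block for the subnet.
  # Replaces the literal 'x.x.x.x/32' placeholder previously hard-coded in the
  # security group, which is not a valid CIDR and makes stack creation fail at
  # the EC2 API. Deliberately no Default: an open (0.0.0.0/0) default would
  # expose SSH and the lake port to the whole internet.
  AllowedIngressCidr:
    Type: String
    Description: IPv4 CIDR (typically your public IP as a.b.c.d/32) allowed to reach SSH (22) and the Zed Lake port (9867).
    AllowedPattern: '^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$'
    ConstraintDescription: Must be an IPv4 CIDR block such as 203.0.113.10/32.
  InstanceType:
    Type: String
    Default: t3.small
    Description: EC2 instance type.
  AmiId:
    Type: AWS::EC2::Image::Id
    Description: The ID of the AMI to use for the EC2 instance (e.g., latest Amazon Linux 2 or Ubuntu).
  # Passed straight through to UserData, so the caller must base64-encode it
  # (no Fn::Base64 is applied below).
  CloudConfig:
    Type: String
    Description: Base64-encoded cloud-config script for EC2 user data, which will handle SSH key injection.
  UniqueSuffix:
    Type: String
    Description: User supplied unique alphanumeric suffix for resource uniqueness.
    # Lowercase only: the suffix is embedded in the S3 bucket name, and bucket
    # names must be lowercase. Validating here fails fast instead of at bucket
    # creation.
    AllowedPattern: '^[a-z0-9]+$'
    ConstraintDescription: Must contain only lowercase letters and digits.

Resources:
  # ---- Networking -----------------------------------------------------------
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: !Ref VpcCidr
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: use_case
          Value: zed_lake

  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: use_case
          Value: zed_lake

  AttachGateway:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref InternetGateway

  # Single public subnet in the first AZ of the region; instances launched in
  # it get a public IP automatically.
  PublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: !Ref SubnetCidr
      MapPublicIpOnLaunch: true
      AvailabilityZone: !Select [0, !GetAZs '']
      Tags:
        - Key: use_case
          Value: zed_lake

  RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: use_case
          Value: zed_lake

  # Default route to the internet; DependsOn is required because a route via
  # an IGW cannot be created before the IGW is attached to the VPC.
  RouteToInternet:
    Type: AWS::EC2::Route
    DependsOn: AttachGateway
    Properties:
      RouteTableId: !Ref RouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway

  SubnetRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet
      RouteTableId: !Ref RouteTable

  # Only two inbound ports, both restricted to AllowedIngressCidr. Egress is
  # left at the EC2 default (allow all); tighten it if the instance only needs
  # S3 and package repositories.
  EC2SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId: !Ref VPC
      GroupDescription: Enable SSH (22) and Zed Lake (9867) access from my IP.
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref AllowedIngressCidr
          Description: SSH from my IP
        - IpProtocol: tcp
          FromPort: 9867
          ToPort: 9867
          CidrIp: !Ref AllowedIngressCidr
          Description: Zed Lake access from my IP
      Tags:
        - Key: use_case
          Value: zed_lake

  # ---- S3 Bucket Creation ---------------------------------------------------
  ZedLakeBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub 'zed-lake-${UniqueSuffix}'
      VersioningConfiguration:
        Status: Enabled
      # Hardening: refuse any public ACL or bucket policy, and encrypt objects
      # at rest with SSE-S3. Neither changes what the role or uploader user
      # below can do.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      Tags:
        - Key: use_case
          Value: zed_lake

  # ---- Identity creation ----------------------------------------------------
  ZedLakeInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref ZedLakeEC2Role

  # Read-only access to the lake bucket for the EC2 instance. The instance
  # never holds static keys; it obtains temporary credentials via the profile.
  ZedLakeEC2Role:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /
      Policies:
        - PolicyName: !Sub 'zed-lake-access-${UniqueSuffix}'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - s3:GetObject
                  - s3:ListBucket
                  - s3:GetBucketLocation
                Resource:
                  - !GetAtt ZedLakeBucket.Arn
                  - !Sub '${ZedLakeBucket.Arn}/*'
              # s3:ListAllMyBuckets is account-wide by nature and cannot be
              # scoped to one bucket; it only reveals bucket names.
              - Effect: Allow
                Action:
                  - s3:ListAllMyBuckets
                Resource: '*'

  # IAM user for out-of-band uploads. This is a long-lived static credential;
  # prefer a role assumed by the uploading party if that is an option.
  ZedLakeUploader:
    Type: AWS::IAM::User
    Properties:
      UserName: !Sub 'zed-lake-uploader-${UniqueSuffix}'
      Tags:
        - Key: use_case
          Value: zed_lake

  # Read/write (including delete) on the lake bucket only.
  ZedLakeUploaderPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: !Sub 'zed-lake-uploader-${UniqueSuffix}'
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - s3:PutObject
              - s3:GetObject
              - s3:ListBucket
              - s3:DeleteObject
            Resource:
              - !GetAtt ZedLakeBucket.Arn
              - !Sub '${ZedLakeBucket.Arn}/*'
      Users:
        - !Ref ZedLakeUploader

  ZedLakeUploaderAccessKey:
    Type: AWS::IAM::AccessKey
    Properties:
      UserName: !Ref ZedLakeUploader
      Status: Active

  # The secret access key is materialised only here, never in Outputs. No
  # rotation is configured; rotate by replacing ZedLakeUploaderAccessKey
  # (which regenerates this secret's value).
  ZedLakeUploaderCreds:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: !Sub '/zed-lake/zed-lake-uploader-${UniqueSuffix}'
      Description: Credentials for the S3 Uploader IAM User.
      SecretString: !Sub |
        { "ACCESS_KEY": "${ZedLakeUploaderAccessKey}", "SECRET_KEY": "${ZedLakeUploaderAccessKey.SecretAccessKey}" }

  # ---- EC2 Creation ---------------------------------------------------------
  EC2Instance:
    Type: AWS::EC2::Instance
    DependsOn:
      - AttachGateway
    Properties:
      ImageId: !Ref AmiId
      InstanceType: !Ref InstanceType
      SubnetId: !Ref PublicSubnet
      SecurityGroupIds:
        - !Ref EC2SecurityGroup
      IamInstanceProfile: !Ref ZedLakeInstanceProfile
      # CloudConfig is expected to already be base64-encoded (see parameter).
      UserData: !Ref CloudConfig
      # NOTE(review): IMDSv2 is not enforced here, so unless the account-level
      # default already requires it, the role credentials are reachable over
      # IMDSv1 from any process on the host. Consider launching through an
      # AWS::EC2::LaunchTemplate whose MetadataOptions set HttpTokens to
      # required.
      Tags:
        - Key: use_case
          Value: zed_lake

Outputs:
  VPCId:
    Description: The ID of the newly created VPC
    Value: !Ref VPC
  PublicSubnetId:
    Description: The ID of the public subnet
    Value: !Ref PublicSubnet
  EC2PublicIP:
    Description: Public IP address of the EC2 instance
    Value: !GetAtt EC2Instance.PublicIp
  ZedLakeBucket:
    Description: S3 bucket for data upload
    Value: !Ref ZedLakeBucket
  ZedLakeUploader:
    Description: Zed Lake IAM user to upload to the Zed Lake bucket
    Value: !Ref ZedLakeUploader
  # Only the secret's ARN is exported; the key material stays in Secrets Manager.
  ZedLakeUploaderCreds:
    Description: Secret ARN for the ZedLakeUploader identity.
    Value: !Ref ZedLakeUploaderCreds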