Projects/zed-lake/zed-iac/cloudformation/zed_stack.yaml

AWSTemplateFormatVersion: '2010-09-09'
Description: 'CloudFormation stack for deploying a Zed Lake.'

Metadata:
  'AWS::CloudFormation::Interface':
    ParameterGroups:
      - Label:
          default: 'Networking Configuration'
        Parameters:
          - VpcCidr
          - SubnetCidr
      - Label:
          default: 'EC2 Configuration'
        Parameters:
          - InstanceType
          - AmiId
      - Label:
          default: 'User Data'
        Parameters:
          - CloudConfig
      - Label:
          default: 'Unique Suffix'
        Parameters:
          - UniqueSuffix


Parameters:
  VpcCidr:
    Type: String
    Default: 10.0.0.0/16
    Description: CIDR block for the VPC.
  SubnetCidr:
    Type: String
    Default: 10.0.1.0/24
    Description: CIDR block for the subnet.
  InstanceType:
    Type: String
    Default: t3.small
    Description: EC2 instance type.
  AmiId:
    Type: AWS::EC2::Image::Id
    Description: The ID of the AMI to use for the EC2 instance (e.g., latest Amazon Linux 2 or Ubuntu).
  CloudConfig:
    Type: String
    Description: Base64-encoded cloud-config script for EC2 user data, which will handle SSH key injection.
  UniqueSuffix:
    Type: String
    Description: User supplied unique alphanumeric suffix for resource uniqueness.


Resources:
# Networking
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: !Ref VpcCidr
      EnableDnsSupport: 'true'
      EnableDnsHostnames: 'true'
      Tags:
        - Key: use_case
          Value: zed_lake

  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: use_case
          Value: zed_lake

  AttachGateway:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref InternetGateway

  PublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: !Ref SubnetCidr
      MapPublicIpOnLaunch: 'true'
      AvailabilityZone: !Select [ 0, !GetAZs ]
      Tags:
        - Key: use_case
          Value: zed_lake

  RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: use_case
          Value: zed_lake

  RouteToInternet:
    Type: AWS::EC2::Route
    DependsOn: AttachGateway
    Properties:
      RouteTableId: !Ref RouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway

  SubnetRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet
      RouteTableId: !Ref RouteTable

  EC2SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId: !Ref VPC
      GroupDescription: Enable SSH (22) and Zed Lake (9867) access from my IP.
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: x.x.x.x/32
          Description: SSH from my IP

        - IpProtocol: tcp
          FromPort: 9867
          ToPort: 9867
          CidrIp: x.x.x.x/32
          Description: Zed Lake access from my IP
      Tags:
        - Key: use_case
          Value: zed_lake

# S3 Bucket Creation
  ZedLakeBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub 'zed-lake-${UniqueSuffix}'
      VersioningConfiguration:
        Status: Enabled
      Tags:
        - Key: use_case
          Value: zed_lake

# Identity creation
  ZedLakeInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref ZedLakeEC2Role

  ZedLakeEC2Role:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /
      Policies:
        - PolicyName: !Sub 'zed-lake-access-${UniqueSuffix}'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - s3:GetObject
                  - s3:ListBucket
                  - s3:GetBucketLocation
                Resource:
                  - !GetAtt ZedLakeBucket.Arn
                  - !Sub '${ZedLakeBucket.Arn}/*'
              - Effect: Allow
                Action:
                  - s3:ListAllMyBuckets
                Resource: '*'

  ZedLakeUploader:
    Type: AWS::IAM::User
    Properties:
      UserName: !Sub 'zed-lake-uploader-${UniqueSuffix}'
      Tags:
        - Key: use_case
          Value: zed_lake

  ZedLakeUploaderPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: !Sub 'zed-lake-uploader-${UniqueSuffix}'
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - s3:PutObject
              - s3:GetObject
              - s3:ListBucket
              - s3:DeleteObject
            Resource:
              - !GetAtt ZedLakeBucket.Arn
              - !Sub '${ZedLakeBucket.Arn}/*'
      Users:
        - !Ref ZedLakeUploader

  ZedLakeUploaderAccessKey:
    Type: AWS::IAM::AccessKey
    Properties:
      UserName: !Ref ZedLakeUploader
      Status: Active

  ZedLakeUploaderCreds:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: !Sub '/zed-lake/zed-lake-uploader-${UniqueSuffix}'
      Description: Credentials for the S3 Uploader IAM User.
      SecretString: !Sub |
        {
          "ACCESS_KEY": "${ZedLakeUploaderAccessKey}",
          "SECRET_KEY": "${ZedLakeUploaderAccessKey.SecretAccessKey}"
        }

# EC2 Creation
  EC2Instance:
    Type: AWS::EC2::Instance
    DependsOn:
      - AttachGateway
    Properties:
      ImageId: !Ref AmiId
      InstanceType: !Ref InstanceType
      SubnetId: !Ref PublicSubnet
      SecurityGroupIds:
        - !Ref EC2SecurityGroup
      IamInstanceProfile: !Ref ZedLakeInstanceProfile
      UserData: !Ref CloudConfig
      Tags:
        - Key: use_case
          Value: zed_lake

Outputs:
  VPCId:
    Description: The ID of the newly created VPC
    Value: !Ref VPC
  PublicSubnetId:
    Description: The ID of the public subnet
    Value: !Ref PublicSubnet
  EC2PublicIP:
    Description: Public IP address of the EC2 instance
    Value: !GetAtt EC2Instance.PublicIp
  ZedLakeBucket:
    Description: S3 bucket for data upload
    Value: !Ref ZedLakeBucket
  ZedLakeUploader:
    Description: Zed Lake IAM user to upload to the Zed Lake bucket
    Value: !Ref ZedLakeUploader
  ZedLakeUploaderCreds:
    Description: Secret ARN for ZedLakeUpload identity.
    Value: !Ref ZedLakeUploaderCreds