AWS CloudFormation templates for provisioning EC2 instances, an RDS SQL Server database, and related networking resources.
| File | Description |
|---|---|
| `electric-flow-dev.yml` | EC2 + RDS (SQL Server Express) stack for an Electric Flow installation |
| `test-dev.yml` | Single Amazon Linux 2 EC2 instance for general testing |
| `ubuntu-prod.yml` | Ubuntu 22.04 LTS EC2 instance for automation workloads |
Before deploying you need:

- AWS CLI installed and configured with appropriate credentials and permissions
- An existing VPC with at least one private subnet
- An EC2 key pair for SSH access
- A Route 53 hosted zone (required for `electric-flow-dev.yml` only)
- Permissions to create IAM roles and instance profiles (`CAPABILITY_NAMED_IAM`)
Deploy with the AWS CLI:

```bash
aws cloudformation deploy \
  --template-file <template>.yml \
  --stack-name <stack-name> \
  --parameter-overrides \
    VpcId=vpc-xxxxxxxx \
    PrivateSubnetId1=subnet-xxxxxxxx \
    EC2KeyName=my-key \
    CBCidrIp=10.0.0.0/8 \
    Owner=my-team \
  --capabilities CAPABILITY_NAMED_IAM
```

Alternatively, upload the template file directly through the CloudFormation Console and fill in the parameters when prompted.
Parameters common to all templates:

| Parameter | Required | Description |
|---|---|---|
| `VpcId` | Yes | ID of the existing VPC |
| `PrivateSubnetId1` | Yes | Private subnet for the EC2 instance |
| `InstanceType` | No | EC2 instance type (default: t3.micro / t3.large) |
| `EC2AMI` | No | AMI resolved automatically per-region via SSM; override only if needed |
| `EC2KeyName` | Yes | Name of an existing EC2 key pair |
| `CBCidrIp` | Yes | CIDR block allowed to reach the instance (e.g. 10.0.0.0/8) |
| `EC2Name` | No | Name tag for the EC2 instance |
| `Environment` | No | dev, staging, or prod (used for tagging) |
| `Owner` | Yes | Team or individual owner (used for tagging) |
| `Project` | No | Project name (used for tagging) |
`electric-flow-dev.yml` additionally takes the following parameters:

| Parameter | Required | Description |
|---|---|---|
| `PrivateSubnetId2` | Yes | Second private subnet for the RDS subnet group |
| `HZId` | Yes | Route 53 hosted zone ID |
| `EC2DNSName` | Yes | DNS name for the EC2 instance (e.g. app.example.com) |
| `DBIdentifier` | Yes | RDS instance identifier |
| `DBMasterPassword` | Yes | RDS master password; 8–41 chars, input is hidden (NoEcho) |
| `DBDNSName` | Yes | DNS name for the RDS endpoint (e.g. db.example.com) |
| `DBName` | No | Initial database name (default: eflowdb) |
| `DBInstanceClass` | No | RDS instance class (default: db.t3.medium) |
| `DBAllocatedStorage` | No | Storage in GB, 20–1000 (default: 20) |
| `DBEngineVersion` | No | SQL Server Express version (default: 15.00) |
| `DBBackupRetentionPeriod` | No | Backup retention in days, 0–35 (default: 7) |
| `DBMultiAZ` | No | Enable Multi-AZ deployment (default: false) |
All templates use SSM Parameter Store to resolve the latest AMI automatically, so they work in any AWS region without modification:
| Template | SSM Path |
|---|---|
| `electric-flow-dev.yml`, `test-dev.yml` | `/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2` |
| `ubuntu-prod.yml` | `/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id` |
To pin to a specific AMI, pass the AMI ID as the EC2AMI parameter at deploy time.
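As an added illustration (not a fragment of these templates), the following shows one way to declare an `EC2AMI` parameter that resolves the latest Amazon Linux 2 AMI from SSM when left empty and accepts an explicit AMI ID as an override. The `UseLatestAmi` condition and the `Instance` resource name are mine; `PrivateSubnetId1` is assumed to be declared as in the parameter table above.

```yaml
Parameters:
  # Leave empty to resolve the latest Amazon Linux 2 AMI from SSM at deploy
  # time; pass an AMI ID (ami-...) to pin a specific image instead.
  EC2AMI:
    Type: String
    Default: ''
    AllowedPattern: '^(ami-[0-9a-f]+)?$'
    Description: Optional AMI ID override; empty means resolve from SSM

Conditions:
  UseLatestAmi: !Equals [!Ref EC2AMI, '']

Resources:
  Instance:
    Type: AWS::EC2::Instance
    Properties:
      # The dynamic reference is resolved by CloudFormation in the deploying
      # region, so the template needs no region-to-AMI mapping.
      ImageId: !If
        - UseLatestAmi
        - '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}'
        - !Ref EC2AMI
      InstanceType: t3.micro
      SubnetId: !Ref PrivateSubnetId1   # declared elsewhere in the template
```

Because the SSM path is evaluated at every deploy, an update of an unpinned stack can pick up a newer AMI and replace the instance; pin `EC2AMI` when that is not acceptable.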
Each template creates an IAM role and instance profile attached to the EC2 instance with two AWS-managed policies:

- `AmazonSSMManagedInstanceCore` enables SSM Session Manager for shell access without opening port 22 or maintaining a bastion host
- `CloudWatchAgentServerPolicy` allows the CloudWatch agent to publish metrics and logs

If your security posture does not require SSH, you can remove the port 22 ingress rule (which is scoped to `CBCidrIp`) or tighten `CBCidrIp` to 127.0.0.1/32, and rely entirely on Session Manager.
The RDS instance in `electric-flow-dev.yml`:

- Engine: SQL Server Express (`sqlserver-ex`) with `license-included`
- Storage encryption is enabled by default
- 7-day automated backup retention is configured
- The instance is not publicly accessible
- On stack deletion the default policy is `Snapshot`; a final snapshot is taken before the instance is removed
- The master password is passed via the `DBMasterPassword` parameter (`NoEcho: true`). Store it securely (e.g. AWS Secrets Manager) after deployment.
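As an added example (not the project's own template code), this fragment shows how the controls described in the IAM and RDS sections fit together in a CloudFormation template: an instance role carrying only the two managed policies, a port-22 rule scoped to `CBCidrIp`, a database security group that admits port 1433 solely from the instance's security group, and an RDS instance that is encrypted, non-public, backed up for 7 days, and snapshotted on deletion. The resource names (`EC2Role`, `EC2InstanceProfile`, `EC2SecurityGroup`, `DBSecurityGroup`, `DBSubnetGroup`, `Database`) are mine; `VpcId`, `PrivateSubnetId1` and `PrivateSubnetId2` are assumed to be declared as in the parameter tables.

```yaml
Parameters:
  CBCidrIp:
    Type: String
    Description: CIDR block allowed to reach the EC2 instance (e.g. 10.0.0.0/8)
    # Shape check only; it does not stop 0.0.0.0/0, so still pick a tight range.
    AllowedPattern: '^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$'
  DBMasterPassword:
    Type: String
    NoEcho: true            # hidden in the console and in DescribeStacks output
    MinLength: 8
    MaxLength: 41

Resources:
  # Instance role: Session Manager and CloudWatch agent permissions only.
  EC2Role:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: ec2.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
        - arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy
  EC2InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles: [!Ref EC2Role]

  # Instance SG: SSH only from CBCidrIp. Delete this ingress entry (or set
  # CBCidrIp to 127.0.0.1/32) to rely on Session Manager alone.
  EC2SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: EC2 instance access
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref CBCidrIp

  # DB SG: port 1433 reachable only from the instance SG, never from a CIDR.
  DBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: SQL Server access from the EC2 instance only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 1433
          ToPort: 1433
          SourceSecurityGroupId: !Ref EC2SecurityGroup

  DBSubnetGroup:
    Type: AWS::RDS::DBSubnetGroup
    Properties:
      DBSubnetGroupDescription: Private subnets for RDS
      SubnetIds: [!Ref PrivateSubnetId1, !Ref PrivateSubnetId2]

  Database:
    Type: AWS::RDS::DBInstance
    DeletionPolicy: Snapshot        # final snapshot before removal on stack delete
    UpdateReplacePolicy: Snapshot   # same protection if an update forces replacement
    Properties:
      Engine: sqlserver-ex
      LicenseModel: license-included
      EngineVersion: '15.00'
      DBInstanceClass: db.t3.medium
      AllocatedStorage: '20'
      StorageEncrypted: true
      PubliclyAccessible: false
      BackupRetentionPeriod: 7
      MasterUsername: admin
      MasterUserPassword: !Ref DBMasterPassword
      DBSubnetGroupName: !Ref DBSubnetGroup
      VPCSecurityGroups: [!Ref DBSecurityGroup]
```

Session Manager needs no inbound rule at all, only outbound reachability from the instance to the SSM endpoints, so removing the port-22 entry leaves `EC2SecurityGroup` with no ingress. Keeping `DBSecurityGroup` keyed to `SourceSecurityGroupId` rather than a CIDR means the database stays unreachable even from other hosts in the same subnet.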
Lint templates locally before deploying:

```bash
# Install cfn-lint
pip install cfn-lint

# Lint all templates
cfn-lint electric-flow-dev.yml
cfn-lint test-dev.yml
cfn-lint ubuntu-prod.yml
```

Security notes:

- No credentials, AMI IDs, CIDR blocks, or account-specific values are hardcoded in any template. All environment-specific values are supplied as parameters.
- Security group ingress is restricted to `CBCidrIp`; use the tightest CIDR that covers your access requirements.
- The RDS instance is placed in a private subnet with no public accessibility.
- RDS ingress is limited to port 1433 from the EC2 security group only.