mhan8796/cloudformation
CloudFormation Templates

AWS CloudFormation templates for provisioning EC2 instances, an RDS SQL Server database, and related networking resources.

Templates

  • electric-flow-dev.yml: EC2 + RDS (SQL Server Express) stack for an Electric Flow installation
  • test-dev.yml: Single Amazon Linux 2 EC2 instance for general testing
  • ubuntu-prod.yml: Ubuntu 22.04 LTS EC2 instance for automation workloads

Prerequisites

  • AWS CLI installed and configured with appropriate credentials and permissions
  • An existing VPC with at least one private subnet
  • An EC2 key pair for SSH access
  • A Route 53 hosted zone (required for electric-flow-dev.yml only)
  • Permissions to create IAM roles and instance profiles (CAPABILITY_NAMED_IAM)

Usage

Deploy via AWS CLI

aws cloudformation deploy \
  --template-file <template>.yml \
  --stack-name <stack-name> \
  --parameter-overrides \
    VpcId=vpc-xxxxxxxx \
    PrivateSubnetId1=subnet-xxxxxxxx \
    EC2KeyName=my-key \
    CBCidrIp=10.0.0.0/8 \
    Owner=my-team \
  --capabilities CAPABILITY_NAMED_IAM

Deploy via AWS Console

Upload the template file directly through the CloudFormation Console and fill in the parameters when prompted.

Parameters

Common (all templates)

  • VpcId (required): ID of the existing VPC
  • PrivateSubnetId1 (required): Private subnet for the EC2 instance
  • InstanceType (optional): EC2 instance type (default: t3.micro / t3.large)
  • EC2AMI (optional): AMI resolved automatically per region via SSM; override only if needed
  • EC2KeyName (required): Name of an existing EC2 key pair
  • CBCidrIp (required): CIDR block allowed to reach the instance (e.g. 10.0.0.0/8)
  • EC2Name (optional): Name tag for the EC2 instance
  • Environment (optional): dev, staging, or prod (used for tagging)
  • Owner (required): Team or individual owner (used for tagging)
  • Project (optional): Project name (used for tagging)

electric-flow-dev.yml additional parameters

  • PrivateSubnetId2 (required): Second private subnet for the RDS subnet group
  • HZId (required): Route 53 hosted zone ID
  • EC2DNSName (required): DNS name for the EC2 instance (e.g. app.example.com)
  • DBIdentifier (required): RDS instance identifier
  • DBMasterPassword (required): RDS master password, 8–41 chars; input is hidden (NoEcho)
  • DBDNSName (required): DNS name for the RDS endpoint (e.g. db.example.com)
  • DBName (optional): Initial database name (default: eflowdb)
  • DBInstanceClass (optional): RDS instance class (default: db.t3.medium)
  • DBAllocatedStorage (optional): Storage in GB, 20–1000 (default: 20)
  • DBEngineVersion (optional): SQL Server Express version (default: 15.00)
  • DBBackupRetentionPeriod (optional): Backup retention in days, 0–35 (default: 7)
  • DBMultiAZ (optional): Enable Multi-AZ deployment (default: false)

AMI Resolution

All templates use SSM Parameter Store to resolve the latest AMI automatically, so they work in any AWS region without modification:

  • electric-flow-dev.yml, test-dev.yml: /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2
  • ubuntu-prod.yml: /aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id

To pin to a specific AMI, pass the AMI ID as the EC2AMI parameter at deploy time.
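An added illustration (not code from this repository, whose exact implementation is not shown here) of one way to express the SSM-resolved default together with the optional EC2AMI override: the parameter defaults to empty and a condition selects either the supplied ID or the Amazon Linux 2 SSM path listed above, resolved in the deploying region. PrivateSubnetId1 is the parameter named above; the resource names are assumptions.

```yaml
Parameters:
  EC2AMI:
    Type: String
    Default: ""
    # Accept either nothing (use SSM) or a well-formed AMI ID; anything
    # else is rejected at template validation rather than at launch.
    AllowedPattern: "^(ami-[0-9a-f]{8,17})?$"
    Description: Optional AMI ID override. Leave empty to resolve via SSM.
  PrivateSubnetId1:
    Type: AWS::EC2::Subnet::Id

Conditions:
  UseCustomAmi: !Not [!Equals [!Ref EC2AMI, ""]]

Resources:
  Instance:
    Type: AWS::EC2::Instance
    Properties:
      # The dynamic reference is resolved in the deploying region on every
      # create or update, so the template needs no per-region AMI map.
      ImageId: !If
        - UseCustomAmi
        - !Ref EC2AMI
        - "{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}"
      InstanceType: t3.micro
      SubnetId: !Ref PrivateSubnetId1
```

Because the SSM value is re-resolved on every stack update, an unrelated update can replace the instance with a newer AMI (ImageId changes force replacement); pinning EC2AMI avoids that.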

IAM & SSM Session Manager

Each template creates an IAM role and instance profile attached to the EC2 instance with two AWS-managed policies:

  • AmazonSSMManagedInstanceCore — enables SSM Session Manager for shell access without opening port 22 or maintaining a bastion host
  • CloudWatchAgentServerPolicy — allows the CloudWatch agent to publish metrics and logs

If your security posture does not require SSH, you can drop the port 22 ingress rule from the security group or tighten CBCidrIp to 127.0.0.1/32 and rely entirely on Session Manager.
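As an added example (not the repository's own template text), a role and instance profile carrying the two managed policies named above, with a fixed RoleName (which is what makes the deploy require CAPABILITY_NAMED_IAM) and an instance security group that has no inbound rule at all, since Session Manager only needs outbound HTTPS. VpcId, PrivateSubnetId1 and EC2AMI are the parameters listed above; the resource names are assumptions.

```yaml
Resources:
  InstanceRole:
    Type: AWS::IAM::Role
    Properties:
      # A fixed RoleName is why the deploy needs CAPABILITY_NAMED_IAM.
      RoleName: !Sub ${AWS::StackName}-instance-role
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - !Sub arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore
        - !Sub arn:${AWS::Partition}:iam::aws:policy/CloudWatchAgentServerPolicy

  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref InstanceRole

  # The SSM agent opens the session as an outbound HTTPS connection,
  # so no inbound rule (and no port 22) is needed for shell access.
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: No inbound access; shell via SSM Session Manager
      VpcId: !Ref VpcId
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
          Description: HTTPS to the SSM, EC2 Messages and CloudWatch endpoints

  Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref EC2AMI
      InstanceType: t3.micro
      SubnetId: !Ref PrivateSubnetId1
      IamInstanceProfile: !Ref InstanceProfile
      SecurityGroupIds:
        - !Ref InstanceSecurityGroup
```

In a private subnet the 443 egress must actually reach the service through a NAT gateway or VPC interface endpoints for ssm, ssmmessages and ec2messages, otherwise the instance never registers with Session Manager.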

RDS Notes (electric-flow-dev.yml)

  • Engine: SQL Server Express (sqlserver-ex) with the license-included license model
  • Storage encryption is enabled by default
  • 7-day automated backup retention is configured
  • The instance is not publicly accessible
  • On stack deletion the default policy is Snapshot — a final snapshot is taken before the instance is removed
  • The master password is passed via the DBMasterPassword parameter (NoEcho: true). Store it securely (e.g. AWS Secrets Manager) after deployment.

Validation

Lint templates locally before deploying:

# Install cfn-lint
pip install cfn-lint

# Lint all templates
cfn-lint electric-flow-dev.yml
cfn-lint test-dev.yml
cfn-lint ubuntu-prod.yml

Security Notes

  • No credentials, AMI IDs, CIDR blocks, or account-specific values are hardcoded in any template. All environment-specific values are supplied as parameters.
  • Security group ingress is restricted to CBCidrIp — use the tightest CIDR that covers your access requirements.
  • The RDS instance is placed in a private subnet with no public accessibility.
  • RDS ingress is limited to port 1433 from the EC2 security group only.

About

contains some cloudformation samples