AWS Auto Scaling Group running a single EC2 instance based on Amazon Linux 2 with a fixed public IP address (Elastic IP), alerting, IAM user SSH access, following an immutable infrastructure approach (root volume can be replaced at any time)
## Install

> Install Node.js and npm first!

```
npm i @cfn-modules/asg-singleton-amazon-linux2
```
## Usage

```yaml
---
AWSTemplateFormatVersion: '2010-09-09'
Description: 'cfn-modules example'
Resources:
  Asg:
    Type: 'AWS::CloudFormation::Stack'
    Properties:
      Parameters:
        VpcModule: !GetAtt 'Vpc.Outputs.StackName' # required
        AlertingModule: !GetAtt 'Alerting.Outputs.StackName' # optional
        BastionModule: !GetAtt 'Bastion.Outputs.StackName' # optional
        HostedZoneModule: !GetAtt 'HostedZone.Outputs.StackName' # optional
        KeyName: '' # optional
        IAMUserSSHAccess: false # optional
        SystemsManagerAccess: true # optional
        InstanceType: 't2.micro' # optional
        Name: 'test' # optional
        AZChar: 'A' # optional
        SubnetReach: 'Public' # optional
        LogGroupRetentionInDays: 14 # optional
        SubDomainNameWithDot: 'test.' # optional
        UserData: '' # optional
        IngressTcpPort1: '' # optional
        IngressTcpClientSgModule1: '' # optional
        IngressTcpPort2: '' # optional
        IngressTcpClientSgModule2: '' # optional
        IngressTcpPort3: '' # optional
        IngressTcpClientSgModule3: '' # optional
        ClientSgModule1: '' # optional
        ClientSgModule2: '' # optional
        ClientSgModule3: '' # optional
        FileSystemModule1: '' # optional
        AmazonLinux2Version: '2.0.20180622.1' # set this to the latest available version!
        ManagedPolicyArns: '' # optional
      TemplateURL: './node_modules/@cfn-modules/asg-singleton-amazon-linux2/module.yml'
```
## Related modules

* ec2-instance-amazon-linux
* ec2-instance-amazon-linux2
## Parameters

| Name | Description | Default | Required? | Allowed values |
|---|---|---|---|---|
| VpcModule | Stack name of vpc module | | yes | |
| AlertingModule | Stack name of alerting module | | no | |
| BastionModule | Stack name of module implementing Bastion | | no | |
| HostedZoneModule | Stack name of module implementing HostedZone | | no | |
| KeyName | Key name of the Linux user ec2-user to establish a SSH connection to the EC2 instance | | no | |
| IAMUserSSHAccess | Synchronize public keys of IAM users to enable personalized SSH access (https://github.com/widdix/aws-ec2-ssh)? | false | no | [true, false] |
| SystemsManagerAccess | Enable AWS Systems Manager agent and authorization | true | no | [true, false] |
| InstanceType | The instance type for the EC2 instance | t2.micro | no | |
| Name | The name for the EC2 instance | auto generated value | no | |
| AZChar | Availability zone char | A | no | [A, B, C] |
| SubnetReach | Subnet reach | Public | no | [Public, Private] |
| LogGroupRetentionInDays | Specifies the number of days you want to retain log events | 14 | no | [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653] |
| SubDomainNameWithDot | Name that is used to create the DNS entry with trailing dot, e.g. ${SubDomainNameWithDot}${HostedZoneName}. Leave blank for naked (or apex and bare) domain. Requires HostedZoneModule parameter! | test. | no | |
| UserData | Bash script executed on first instance launch | | no | |
| IngressTcpPort1 | Port allowing ingress TCP traffic | | no | |
| IngressTcpClientSgModule1 | Stack name of client-sg module that is required to access IngressTcpPort1 (if you leave this blank, IngressTcpPort1 is open to the world 0.0.0.0/0) | | no | |
| IngressTcpPort2 | Port allowing ingress TCP traffic | | no | |
| IngressTcpClientSgModule2 | Stack name of client-sg module that is required to access IngressTcpPort2 (if you leave this blank, IngressTcpPort2 is open to the world 0.0.0.0/0) | | no | |
| IngressTcpPort3 | Port allowing ingress TCP traffic | | no | |
| IngressTcpClientSgModule3 | Stack name of client-sg module that is required to access IngressTcpPort3 (if you leave this blank, IngressTcpPort3 is open to the world 0.0.0.0/0) | | no | |
| ClientSgModule1 | Stack name of client-sg module to mark traffic from EC2 instance | | no | |
| ClientSgModule2 | Stack name of client-sg module to mark traffic from EC2 instance | | no | |
| ClientSgModule3 | Stack name of client-sg module to mark traffic from EC2 instance | | no | |
| FileSystemModule1 | Stack name of efs-file-system module mounted to /mnt/efs1 | | no | |
| AmazonLinux2Version | Version of Amazon Linux 2 | 2.0.20180622.1 | no | ['2.0.20190508', '2.0.20181114', '2.0.20180622.1'] |
| ManagedPolicyArns | Comma-delimited list of IAM managed policy ARNs to attach to the instance's IAM role | | no | |
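The parameter table encodes a few rules that are easy to get wrong in a real template: an `IngressTcpPortN` without its `IngressTcpClientSgModuleN` is open to 0.0.0.0/0, `SubDomainNameWithDot` needs `HostedZoneModule`, and `AmazonLinux2Version` should be the latest allowed value. The following pre-deployment lint is an added example, not part of the cfn-modules project; the stack names and sample parameter values in it are constructed.

```python
# Added example (not cfn-modules code): lint the Parameters block of an
# asg-singleton-amazon-linux2 stack against the rules in the parameter table.
ALLOWED_AL2_VERSIONS = ['2.0.20190508', '2.0.20181114', '2.0.20180622.1']  # newest first
LATEST_AL2_VERSION = ALLOWED_AL2_VERSIONS[0]


def lint_asg_parameters(params):
    """Return a list of findings for a Parameters dict; an empty list means clean."""
    findings = []
    if not params.get('VpcModule'):
        findings.append('VpcModule is required')

    # An ingress port without a client-sg module is reachable from 0.0.0.0/0.
    for n in (1, 2, 3):
        port = str(params.get('IngressTcpPort%d' % n, ''))
        client_sg = params.get('IngressTcpClientSgModule%d' % n, '')
        if port and not client_sg:
            findings.append('IngressTcpPort%d=%s is open to the world (0.0.0.0/0); '
                            'set IngressTcpClientSgModule%d' % (n, port, n))
        if client_sg and not port:
            findings.append('IngressTcpClientSgModule%d is set but IngressTcpPort%d is blank' % (n, n))

    # The usage example asks for the latest AMI version; older allowed values still deploy.
    version = params.get('AmazonLinux2Version', '2.0.20180622.1')
    if version not in ALLOWED_AL2_VERSIONS:
        findings.append('AmazonLinux2Version %s is not an allowed value' % version)
    elif version != LATEST_AL2_VERSION:
        findings.append('AmazonLinux2Version %s is outdated; latest is %s' % (version, LATEST_AL2_VERSION))

    # A DNS entry is only created when HostedZoneModule is given.
    if params.get('SubDomainNameWithDot') and not params.get('HostedZoneModule'):
        findings.append('SubDomainNameWithDot needs HostedZoneModule to create a DNS record')

    # Without Session Manager, a key pair or synced IAM keys there is no interactive access path.
    if (params.get('SystemsManagerAccess', True) is False
            and not params.get('KeyName') and params.get('IAMUserSSHAccess', False) is not True):
        findings.append('no access path: SystemsManagerAccess is false and no SSH access is configured')
    return findings


# Constructed sample: port 443 opened without a client-sg module, older AMI version.
SAMPLE_PARAMS = {
    'VpcModule': 'vpc-stack',
    'AlertingModule': 'alerting-stack',
    'IngressTcpPort1': 443,
    'IngressTcpClientSgModule1': '',
    'AmazonLinux2Version': '2.0.20180622.1',
    'SystemsManagerAccess': True,
}

if __name__ == '__main__':
    for finding in lint_asg_parameters(SAMPLE_PARAMS):
        print('WARN', finding)
```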
## Limitations

* Highly available: A single EC2 instance is running at a time (it will be automatically replaced in case of failure)
* Scalable: EC2 instance capacity (CPU, RAM, network, ...) is limited by design
* Secure: Root volume is not encrypted at rest (not possible unless the AMI is encrypted)
* Secure: Root volume is not backed up
* Monitoring: Network In+Out is not monitored according to the capacity of the instance type
* If SystemsManagerAccess is set to true, we no longer attach the AWS managed policy `AmazonEC2RoleforSSM` for security reasons. Instead we only allow the SSM agent to communicate with the backend and we enable Session Manager. If you need more permissions, check out our SSM example.