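AWSTemplateFormatVersion: "2010-09-09"
Description: vRX Redundant IPsec Template

# ------------------------------------------------------------#
# Parameter grouping (console layout only, no effect on resources)
# ------------------------------------------------------------#
Metadata:
  "AWS::CloudFormation::Interface":
    ParameterGroups:
      - Label:
          default: "Network"
        Parameters:
          - VPCAddressClass
          - ManagementCidr
      - Label:
          default: "EC2"
        Parameters:
          - KeyPair
          - InstanceType
      - Label:
          default: "S3"
        Parameters:
          - S3BucketName
      - Label:
          default: "vRX"
        Parameters:
          - LicenseUserName
          - LicensePassword
          - FirstLineIn1stLicenseFile
          - SecondLineIn1stLicenseFile
          - FirstLineIn2ndLicenseFile
          - SecondLineIn2ndLicenseFile
          - Networkaddress
          - IPsecIkeRemoteName
          - PreSharedKey
    ParameterLabels:
      VPCAddressClass:
        default: "VPC Network Address Class"
      ManagementCidr:
        default: "SSH Management Source CIDR"
      KeyPair:
        default: "EC2 Key Pair"
      InstanceType:
        default: "EC2 Instance Type"
      S3BucketName:
        default: "S3 Bucket Name"
      LicenseUserName:
        default: "License User Name"
      LicensePassword:
        default: "License Password"
      FirstLineIn1stLicenseFile:
        default: "vRX1 Basic License"
      SecondLineIn1stLicenseFile:
        default: "vRX1 Option License"
      FirstLineIn2ndLicenseFile:
        default: "vRX2 Basic License"
      SecondLineIn2ndLicenseFile:
        default: "vRX2 Option License"
      Networkaddress:
        default: "Network Address"
      IPsecIkeRemoteName:
        default: "IPsec Ike Remote Name"
      PreSharedKey:
        default: "Pre-Shared Key"

# ------------------------------------------------------------#
# Input parameters
# ------------------------------------------------------------#
Parameters:
  VPCAddressClass:
    Type: String
    Description: "Select network-address Class for VPC (ClassA:10.0.0.0/16, ClassB:172.16.0.0/16, ClassC:192.168.0.0/16)"
    Default: ClassB
    AllowedValues:
      - ClassA
      - ClassB
      - ClassC

  # Source range allowed to reach the vRX SSH service (tcp/22) on the public
  # (LAN2) interfaces. The default keeps the previous world-open behaviour so
  # existing stacks are unaffected; narrow it to the operator's address range
  # for any real deployment. IKE (udp/500, udp/4500) is intentionally not
  # covered by this parameter because the tunnel accepts any peer address.
  ManagementCidr:
    Type: String
    Description: "Source CIDR allowed to SSH (tcp/22) to the vRX public interfaces (default 0.0.0.0/0 = anywhere; narrow to your admin range)"
    Default: "0.0.0.0/0"
    MinLength: 9
    MaxLength: 18
    AllowedPattern: '(([1-9]?[0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])[\.]){3}([1-9]?[0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])/([0-9]|[1-2][0-9]|3[0-2])'
    ConstraintDescription: "Must be a valid IP CIDR range of the form x.x.x.x/x"

  KeyPair:
    Description: "Select SSH key-pair to vRX"
    Type: AWS::EC2::KeyPair::KeyName
    MinLength: 1
    ConstraintDescription: "Select the SSH key-pair to vRX"

  InstanceType:
    Description: "Select EC2 Instance Type supported by vRX"
    Type: String
    Default: t3.medium
    AllowedValues:
      - t3.medium
      - c5.large
      - c5.xlarge
    ConstraintDescription: "Must be a valid EC2 instance type"

  S3BucketName:
    Description: "Copy S3 Bucket Name for Lambda script files and paste here"
    Type: String

  LicenseUserName:
    Description: "Copy User ID of vRX license and paste here"
    Type: String

  # NoEcho hides the value in the console and DescribeStacks output only; it is
  # still embedded in clear text in the instance user data below.
  LicensePassword:
    Description: "Copy Password of vRX license and paste here"
    NoEcho: true
    Type: String

  FirstLineIn1stLicenseFile:
    Description: "Copy First line in 1st license file and paste here"
    Type: String

  SecondLineIn1stLicenseFile:
    Description: "Copy Second line in 1st license file and paste here"
    Type: String

  FirstLineIn2ndLicenseFile:
    Description: "Copy First line in 2nd license file and paste here"
    Type: String

  SecondLineIn2ndLicenseFile:
    Description: "Copy Second line in 2nd license file and paste here"
    Type: String

  # LAN range behind the physical Yamaha router; routed into the tunnel on the
  # vRX and into the internal route table via the active vRX's LAN1 ENI.
  Networkaddress:
    Type: String
    Description: "Physical Yamaha router LAN network-address (xxx.xxx.xxx.xxx/xx)"
    MinLength: 9
    MaxLength: 18
    Default: "192.168.100.0/24"
    AllowedPattern: '(([1-9]?[0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])[\.]){3}([1-9]?[0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])/([1-9]|[1-2][0-9]|3[0-2])'
    ConstraintDescription: "Must be a valid IP CIDR range of the form x.x.x.x/x"

  IPsecIkeRemoteName:
    Description: "Must be same as Physical Yamaha router's parameter (Check command: ipsec_ike_remote_name NAME)"
    MinLength: 1
    Type: String

  # Same caveat as LicensePassword: NoEcho does not keep this out of user data.
  PreSharedKey:
    Description: "Must be same as Physical Yamaha router's parameter (Check command: ipsec_ike_pre-shared-key KEY)"
    NoEcho: true
    Type: String

# ------------------------------------------------------------#
# Mappings: per address class, the VPC/subnet CIDRs and the fixed vRX
# interface addresses (x.x.N.254 in each subnet)
# ------------------------------------------------------------#
Mappings:
  ClassMap:
    ClassA:
      VPCCidrBlock: 10.0.0.0/16
      AZ1PrivateSubnetCidrBlock: 10.0.1.0/24
      AZ1PublicSubnetCidrBlock: 10.0.2.0/24
      AZ2PrivateSubnetCidrBlock: 10.0.3.0/24
      AZ2PublicSubnetCidrBlock: 10.0.4.0/24
      InternalSubnetCidrBlock: 10.0.5.0/24
      AZ1PrivateSubnetVRXIPAddr: 10.0.1.254
      AZ1PublicSubnetVRXIPAddr: 10.0.2.254
      AZ2PrivateSubnetVRXIPAddr: 10.0.3.254
      AZ2PublicSubnetVRXIPAddr: 10.0.4.254
    ClassB:
      VPCCidrBlock: 172.16.0.0/16
      AZ1PrivateSubnetCidrBlock: 172.16.1.0/24
      AZ1PublicSubnetCidrBlock: 172.16.2.0/24
      AZ2PrivateSubnetCidrBlock: 172.16.3.0/24
      AZ2PublicSubnetCidrBlock: 172.16.4.0/24
      InternalSubnetCidrBlock: 172.16.5.0/24
      AZ1PrivateSubnetVRXIPAddr: 172.16.1.254
      AZ1PublicSubnetVRXIPAddr: 172.16.2.254
      AZ2PrivateSubnetVRXIPAddr: 172.16.3.254
      AZ2PublicSubnetVRXIPAddr: 172.16.4.254
    ClassC:
      VPCCidrBlock: 192.168.0.0/16
      AZ1PrivateSubnetCidrBlock: 192.168.1.0/24
      AZ1PublicSubnetCidrBlock: 192.168.2.0/24
      AZ2PrivateSubnetCidrBlock: 192.168.3.0/24
      AZ2PublicSubnetCidrBlock: 192.168.4.0/24
      InternalSubnetCidrBlock: 192.168.5.0/24
      AZ1PrivateSubnetVRXIPAddr: 192.168.1.254
      AZ1PublicSubnetVRXIPAddr: 192.168.2.254
      AZ2PrivateSubnetVRXIPAddr: 192.168.3.254
      AZ2PublicSubnetVRXIPAddr: 192.168.4.254

Resources:
  # ------------------------------------------------------------#
  # VPC
  # ------------------------------------------------------------#
  # VPC
  VPC:
    Type: "AWS::EC2::VPC"
    Properties:
      CidrBlock: !FindInMap [ ClassMap, !Ref VPCAddressClass, VPCCidrBlock ]
      EnableDnsSupport: "true"
      EnableDnsHostnames: "true"
      InstanceTenancy: default
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-vpc"

  # Internet gateway
  InternetGateway:
    Type: "AWS::EC2::InternetGateway"
    Properties:
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-internet-gw"

  # Attach the internet gateway to the VPC
  InternetGatewayAttachment:
    Type: "AWS::EC2::VPCGatewayAttachment"
    Properties:
      InternetGatewayId: !Ref InternetGateway
      VpcId: !Ref VPC

  # ------------------------------------------------------------#
  # Subnets
  # ------------------------------------------------------------#
  # AZ1 private subnet (vRX LAN1 side)
  AZ1PrivateSubnet:
    Type: "AWS::EC2::Subnet"
    Properties:
      AvailabilityZone: !Select
        - 0
        - Fn::GetAZs: !Ref AWS::Region
      CidrBlock: !FindInMap [ ClassMap, !Ref VPCAddressClass, AZ1PrivateSubnetCidrBlock ]
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-az1-private-subnet"

  # AZ1 public subnet (vRX LAN2 side, internet facing)
  AZ1PublicSubnet:
    Type: "AWS::EC2::Subnet"
    Properties:
      AvailabilityZone: !Select
        - 0
        - Fn::GetAZs: !Ref AWS::Region
      CidrBlock: !FindInMap [ ClassMap, !Ref VPCAddressClass, AZ1PublicSubnetCidrBlock ]
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-az1-public-subnet"

  # AZ2 private subnet (vRX LAN1 side)
  AZ2PrivateSubnet:
    Type: "AWS::EC2::Subnet"
    Properties:
      AvailabilityZone: !Select
        - 1
        - Fn::GetAZs: !Ref AWS::Region
      CidrBlock: !FindInMap [ ClassMap, !Ref VPCAddressClass, AZ2PrivateSubnetCidrBlock ]
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-az2-private-subnet"

  # AZ2 public subnet (vRX LAN2 side, internet facing)
  AZ2PublicSubnet:
    Type: "AWS::EC2::Subnet"
    Properties:
      AvailabilityZone: !Select
        - 1
        - Fn::GetAZs: !Ref AWS::Region
      CidrBlock: !FindInMap [ ClassMap, !Ref VPCAddressClass, AZ2PublicSubnetCidrBlock ]
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-az2-public-subnet"

  # Internal subnet whose route table points the on-premises range at the
  # active vRX. Uses the third AZ returned by GetAZs, so stack creation fails
  # in a region that exposes fewer than three AZs.
  InternalSubnet:
    Type: "AWS::EC2::Subnet"
    Properties:
      AvailabilityZone: !Select
        - 2
        - Fn::GetAZs: !Ref AWS::Region
      CidrBlock: !FindInMap [ ClassMap, !Ref VPCAddressClass, InternalSubnetCidrBlock ]
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-internal-subnet"

  # ------------------------------------------------------------#
  # Route tables
  # ------------------------------------------------------------#
  # Route table for the AZ1 private subnet
  RouteTableAZ1PrivateSubnet:
    Type: "AWS::EC2::RouteTable"
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-az1-private-subnet-route-table"

  # Route table for the AZ1 public subnet
  RouteTableAZ1PublicSubnet:
    Type: "AWS::EC2::RouteTable"
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-az1-public-subnet-route-table"

  # Route table for the AZ2 private subnet
  RouteTableAZ2PrivateSubnet:
    Type: "AWS::EC2::RouteTable"
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-az2-private-subnet-route-table"

  # Route table for the AZ2 public subnet
  RouteTableAZ2PublicSubnet:
    Type: "AWS::EC2::RouteTable"
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-az2-public-subnet-route-table"

  # Route table for the internal subnet (the one the Lambda rewrites on failover)
  RouteTableInternalSubnet:
    Type: "AWS::EC2::RouteTable"
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-internal-subnet-route-table"

  # ------------------------------------------------------------#
  # Routes
  # ------------------------------------------------------------#
  # Default route for the AZ1 public subnet via the internet gateway
  Lan2Route:
    Type: "AWS::EC2::Route"
    Properties:
      RouteTableId: !Ref RouteTableAZ1PublicSubnet
      DestinationCidrBlock: "0.0.0.0/0"
      GatewayId: !Ref InternetGateway
    DependsOn: InternetGatewayAttachment

  # Default route for the AZ2 public subnet via the internet gateway
  Lan4Route:
    Type: "AWS::EC2::Route"
    Properties:
      RouteTableId: !Ref RouteTableAZ2PublicSubnet
      DestinationCidrBlock: "0.0.0.0/0"
      GatewayId: !Ref InternetGateway
    DependsOn: InternetGatewayAttachment

  # On-premises range via the AZ1 vRX LAN1 ENI; the route switcher Lambda
  # replaces the target with the AZ2 ENI when AZ1 is unreachable.
  Lan5Route:
    Type: "AWS::EC2::Route"
    Properties:
      RouteTableId: !Ref RouteTableInternalSubnet
      DestinationCidrBlock: !Ref Networkaddress
      NetworkInterfaceId: !Ref NetworkInterfaceVRXAZ1Lan1
    DependsOn: NetworkInterfaceVRXAZ1Lan1

  # ------------------------------------------------------------#
  # Route table associations
  # ------------------------------------------------------------#
  # AZ1 private subnet
  RouteTableAZ1PrivateSubnetAssociation:
    Type: "AWS::EC2::SubnetRouteTableAssociation"
    Properties:
      SubnetId: !Ref AZ1PrivateSubnet
      RouteTableId: !Ref RouteTableAZ1PrivateSubnet

  # AZ1 public subnet
  RouteTableAZ1PublicSubnetAssociation:
    Type: "AWS::EC2::SubnetRouteTableAssociation"
    Properties:
      SubnetId: !Ref AZ1PublicSubnet
      RouteTableId: !Ref RouteTableAZ1PublicSubnet

  # AZ2 private subnet
  RouteTableAZ2PrivateSubnetAssociation:
    Type: "AWS::EC2::SubnetRouteTableAssociation"
    Properties:
      SubnetId: !Ref AZ2PrivateSubnet
      RouteTableId: !Ref RouteTableAZ2PrivateSubnet

  # AZ2 public subnet
  RouteTableAZ2PublicSubnetAssociation:
    Type: "AWS::EC2::SubnetRouteTableAssociation"
    Properties:
      SubnetId: !Ref AZ2PublicSubnet
      RouteTableId: !Ref RouteTableAZ2PublicSubnet

  # Internal subnet
  RouteTableInternalSubnetAssociation:
    Type: "AWS::EC2::SubnetRouteTableAssociation"
    Properties:
      SubnetId: !Ref InternalSubnet
      RouteTableId: !Ref RouteTableInternalSubnet

  # ------------------------------------------------------------#
  # EC2
  # ------------------------------------------------------------#
  # vRX instance in AZ1.
  # ImageId is a placeholder and must be replaced with the vRX AMI ID for the
  # target region before the stack can be created.
  # The user data below contains the license password and the IPsec pre-shared
  # key in clear text; user data is readable by any principal allowed
  # ec2:DescribeInstanceAttribute on the instance, and "save" persists the
  # values in the router configuration. Prefer delivering these from a secret
  # store at boot if the vRX image supports it, and restrict who can read
  # instance attributes.
  EC2VRXAZ1:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-xxxxxxxxxxxxxxxxx
      InstanceType: !Ref InstanceType
      KeyName: !Ref KeyPair
      NetworkInterfaces:
        - NetworkInterfaceId: !Ref NetworkInterfaceVRXAZ1Lan1
          DeviceIndex: 0
        - NetworkInterfaceId: !Ref NetworkInterfaceVRXAZ1Lan2
          DeviceIndex: 1
      # Boot-time router configuration. Notes:
      # - the ESP proposal (aes-cbc / sha-hmac) and the remote name must match
      #   the physical router's settings;
      # - "ipsec ike remote address 1 any" accepts the peer from any address,
      #   which is why udp/500 and udp/4500 stay world-reachable in the
      #   public security groups;
      # - "snmpv2c host any" permits SNMP v2c from any reachable host; scope it
      #   to the monitoring host if SNMP is actually used;
      # - tcp/22 is masqueraded from the EIP to the LAN1 address, so SSH
      #   exposure is governed by ManagementCidr on the public security group.
      UserData:
        Fn::Base64: !Sub
          - |
            vrx user ${licuser} ${licpass}
            import vrx license key ${lic1} y
            import vrx license key ${lic2} y
            ip route ${NetworkaddressRange} gateway tunnel 1
            ip lan2 nat descriptor 1
            tunnel select 1
            ipsec tunnel 1
            ipsec sa policy 1 1 esp aes-cbc sha-hmac
            ipsec ike keepalive use 1 on heartbeat
            ipsec ike local address 1 ${vrxip}
            ipsec ike nat-traversal 1 on
            ipsec ike pre-shared-key 1 text ${pskey}
            ipsec ike remote address 1 any
            ipsec ike remote name 1 ${gname} key-id
            tunnel select none
            tunnel enable 1
            nat descriptor type 1 masquerade
            nat descriptor masquerade static 1 1 ${vrxip} udp 500
            nat descriptor masquerade static 1 2 ${vrxip} udp 4500
            nat descriptor masquerade static 1 3 ${vrxip} tcp 22
            ipsec auto refresh on
            snmpv2c host any
            save
          - licuser: !Ref LicenseUserName
            licpass: !Ref LicensePassword
            lic1: !Ref FirstLineIn1stLicenseFile
            lic2: !Ref SecondLineIn1stLicenseFile
            NetworkaddressRange: !Ref Networkaddress
            pskey: !Ref PreSharedKey
            gname: !Ref IPsecIkeRemoteName
            vrxip: !FindInMap [ ClassMap, !Ref VPCAddressClass, AZ1PrivateSubnetVRXIPAddr ]
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-vrx-az1"
    DependsOn:
      - NetworkInterfaceVRXAZ1Lan1
      - NetworkInterfaceVRXAZ1Lan2

  # vRX instance in AZ2; same configuration as AZ1 with the second license and
  # the AZ2 LAN1 address. The same user-data secret caveats apply.
  EC2VRXAZ2:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-xxxxxxxxxxxxxxxxx
      InstanceType: !Ref InstanceType
      KeyName: !Ref KeyPair
      NetworkInterfaces:
        - NetworkInterfaceId: !Ref NetworkInterfaceVRXAZ2Lan1
          DeviceIndex: 0
        - NetworkInterfaceId: !Ref NetworkInterfaceVRXAZ2Lan2
          DeviceIndex: 1
      UserData:
        Fn::Base64: !Sub
          - |
            vrx user ${licuser} ${licpass}
            import vrx license key ${lic1} y
            import vrx license key ${lic2} y
            ip route ${NetworkaddressRange} gateway tunnel 1
            ip lan2 nat descriptor 1
            tunnel select 1
            ipsec tunnel 1
            ipsec sa policy 1 1 esp aes-cbc sha-hmac
            ipsec ike keepalive use 1 on heartbeat
            ipsec ike local address 1 ${vrxip}
            ipsec ike nat-traversal 1 on
            ipsec ike pre-shared-key 1 text ${pskey}
            ipsec ike remote address 1 any
            ipsec ike remote name 1 ${gname} key-id
            tunnel select none
            tunnel enable 1
            nat descriptor type 1 masquerade
            nat descriptor masquerade static 1 1 ${vrxip} udp 500
            nat descriptor masquerade static 1 2 ${vrxip} udp 4500
            nat descriptor masquerade static 1 3 ${vrxip} tcp 22
            ipsec auto refresh on
            snmpv2c host any
            save
          - licuser: !Ref LicenseUserName
            licpass: !Ref LicensePassword
            lic1: !Ref FirstLineIn2ndLicenseFile
            lic2: !Ref SecondLineIn2ndLicenseFile
            NetworkaddressRange: !Ref Networkaddress
            pskey: !Ref PreSharedKey
            gname: !Ref IPsecIkeRemoteName
            vrxip: !FindInMap [ ClassMap, !Ref VPCAddressClass, AZ2PrivateSubnetVRXIPAddr ]
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-vrx-az2"
    DependsOn:
      - NetworkInterfaceVRXAZ2Lan1
      - NetworkInterfaceVRXAZ2Lan2

  # ------------------------------------------------------------#
  # Network interfaces
  # SourceDestCheck is disabled because the vRX forwards traffic that is not
  # addressed to its own interface.
  # ------------------------------------------------------------#
  # LAN1 interface for the AZ1 vRX
  NetworkInterfaceVRXAZ1Lan1:
    Type: AWS::EC2::NetworkInterface
    Properties:
      SourceDestCheck: 'false'
      GroupSet:
        - !Ref SecurityGroupAZ1PrivateSubnet
      SubnetId: !Ref AZ1PrivateSubnet
      PrivateIpAddress: !FindInMap [ ClassMap, !Ref VPCAddressClass, AZ1PrivateSubnetVRXIPAddr ]

  # LAN2 interface for the AZ1 vRX
  NetworkInterfaceVRXAZ1Lan2:
    Type: AWS::EC2::NetworkInterface
    Properties:
      SourceDestCheck: 'false'
      GroupSet:
        - !Ref SecurityGroupAZ1PublicSubnet
      SubnetId: !Ref AZ1PublicSubnet
      PrivateIpAddress: !FindInMap [ ClassMap, !Ref VPCAddressClass, AZ1PublicSubnetVRXIPAddr ]

  # LAN1 interface for the AZ2 vRX
  NetworkInterfaceVRXAZ2Lan1:
    Type: AWS::EC2::NetworkInterface
    Properties:
      SourceDestCheck: 'false'
      GroupSet:
        - !Ref SecurityGroupAZ2PrivateSubnet
      SubnetId: !Ref AZ2PrivateSubnet
      PrivateIpAddress: !FindInMap [ ClassMap, !Ref VPCAddressClass, AZ2PrivateSubnetVRXIPAddr ]

  # LAN2 interface for the AZ2 vRX
  NetworkInterfaceVRXAZ2Lan2:
    Type: AWS::EC2::NetworkInterface
    Properties:
      SourceDestCheck: 'false'
      GroupSet:
        - !Ref SecurityGroupAZ2PublicSubnet
      SubnetId: !Ref AZ2PublicSubnet
      PrivateIpAddress: !FindInMap [ ClassMap, !Ref VPCAddressClass, AZ2PublicSubnetVRXIPAddr ]

  # ------------------------------------------------------------#
  # Security groups
  # ------------------------------------------------------------#
  # AZ1 private (LAN1) side: any protocol from inside the VPC
  SecurityGroupAZ1PrivateSubnet:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: !Sub ${AWS::StackName}-az1-private-subnet-sg
      GroupDescription: !Sub ${AWS::StackName}-az1-private-subnet-sg
      SecurityGroupIngress:
        - IpProtocol: -1
          CidrIp: !FindInMap [ ClassMap, !Ref VPCAddressClass, VPCCidrBlock ]
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-az1-private-subnet-sg"
      VpcId: !Ref VPC

  # AZ1 public (LAN2) side: SSH from the management range only; IKE and
  # NAT-T from anywhere because the remote peer address is not pinned.
  SecurityGroupAZ1PublicSubnet:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: !Sub ${AWS::StackName}-az1-public-subnet-sg
      GroupDescription: !Sub ${AWS::StackName}-az1-public-subnet-sg
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref ManagementCidr
        - IpProtocol: udp
          FromPort: 500
          ToPort: 500
          CidrIp: 0.0.0.0/0
        - IpProtocol: udp
          FromPort: 4500
          ToPort: 4500
          CidrIp: 0.0.0.0/0
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-az1-public-subnet-sg"
      VpcId: !Ref VPC

  # AZ2 private (LAN1) side: any protocol from inside the VPC
  SecurityGroupAZ2PrivateSubnet:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: !Sub ${AWS::StackName}-az2-private-subnet-sg
      GroupDescription: !Sub ${AWS::StackName}-az2-private-subnet-sg
      SecurityGroupIngress:
        - IpProtocol: -1
          CidrIp: !FindInMap [ ClassMap, !Ref VPCAddressClass, VPCCidrBlock ]
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-az2-private-subnet-sg"
      VpcId: !Ref VPC

  # AZ2 public (LAN2) side: same policy as AZ1
  SecurityGroupAZ2PublicSubnet:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: !Sub ${AWS::StackName}-az2-public-subnet-sg
      GroupDescription: !Sub ${AWS::StackName}-az2-public-subnet-sg
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref ManagementCidr
        - IpProtocol: udp
          FromPort: 500
          ToPort: 500
          CidrIp: 0.0.0.0/0
        - IpProtocol: udp
          FromPort: 4500
          ToPort: 4500
          CidrIp: 0.0.0.0/0
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-az2-public-subnet-sg"
      VpcId: !Ref VPC

  # Internal subnet: any protocol from the VPC and from the on-premises range
  SecurityGroupInternalSubnet:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: !Sub ${AWS::StackName}-internal-subnet-sg
      GroupDescription: !Sub ${AWS::StackName}-internal-subnet-sg
      SecurityGroupIngress:
        - IpProtocol: -1
          CidrIp: !FindInMap [ ClassMap, !Ref VPCAddressClass, VPCCidrBlock ]
        - IpProtocol: -1
          CidrIp: !Ref Networkaddress
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-internal-subnet-sg"
      VpcId: !Ref VPC

  # ------------------------------------------------------------#
  # Elastic IPs
  # ------------------------------------------------------------#
  # One EIP per vRX LAN2 interface. Domain takes the literal value "vpc"
  # (the documented setting for VPC-scoped addresses), not a VPC ID.
  ElasticIP1:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc

  ElasticIP2:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc

  # ElasticIP1 -> AZ1 vRX LAN2
  AssociateElasticIp1:
    Type: AWS::EC2::EIPAssociation
    Properties:
      AllocationId: !GetAtt ElasticIP1.AllocationId
      NetworkInterfaceId: !Ref NetworkInterfaceVRXAZ1Lan2

  # ElasticIP2 -> AZ2 vRX LAN2
  AssociateElasticIp2:
    Type: AWS::EC2::EIPAssociation
    Properties:
      AllocationId: !GetAtt ElasticIP2.AllocationId
      NetworkInterfaceId: !Ref NetworkInterfaceVRXAZ2Lan2

  # ------------------------------------------------------------#
  # Lambda function (route switcher)
  # ------------------------------------------------------------#
  # Security group attached to the Lambda ENIs. The ingress rule is kept from
  # the original template but a Lambda ENI only initiates connections, so the
  # rule could be dropped without affecting the function.
  LambdaSecuritygroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: !Sub ${AWS::StackName}-lambda-sg
      GroupDescription: !Sub ${AWS::StackName}-lambda-sg
      SecurityGroupIngress:
        - IpProtocol: -1
          CidrIp: !FindInMap [ ClassMap, !Ref VPCAddressClass, VPCCidrBlock ]
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-lambda-sg
      VpcId: !Ref VPC

  # Route switcher. Its code (vrx-ec2-route-switcher.zip in S3BucketName) is
  # not part of this template; the environment tells it which ENI is primary,
  # which is standby, and which route table / destination to rewrite.
  # Runtime python3.9 is an older Lambda runtime; check the deprecation
  # schedule before relying on it for new stacks.
  VPCRouteSwitcher:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        S3Bucket: !Ref S3BucketName
        S3Key: vrx-ec2-route-switcher.zip
      Description: VPCRouteSwitcher
      FunctionName: !Sub ${AWS::StackName}-vpc-route-switcher
      Role:
        Fn::GetAtt: [ VPCRouteSwitcherRole, Arn ]
      Runtime: python3.9
      Timeout: 30
      VpcConfig:
        SecurityGroupIds:
          - !Ref LambdaSecuritygroup
        SubnetIds:
          - !Ref AZ1PrivateSubnet
          - !Ref AZ2PrivateSubnet
      Handler: lambda_function.lambda_handler
      Environment:
        Variables:
          MASTER_IP: !FindInMap [ ClassMap, !Ref VPCAddressClass, AZ1PrivateSubnetVRXIPAddr ]
          MASTER_ENI: !Ref NetworkInterfaceVRXAZ1Lan1
          SLAVE_ENI: !Ref NetworkInterfaceVRXAZ2Lan1
          ROUTE_TABLE: !Ref RouteTableInternalSubnet
          TARGET_CIDR: !Ref Networkaddress

  # Execution role for the route switcher. ec2:ReplaceRoute is scoped to the
  # single route table the function is given (ROUTE_TABLE above) instead of
  # every route table in every account/region.
  VPCRouteSwitcherRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: 'Allow'
            Principal:
              Service:
                - 'lambda.amazonaws.com'
            Action:
              - 'sts:AssumeRole'
      Policies:
        - PolicyName: YamahaEC2ReplaceRoute
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: VisualEditor0
                Effect: Allow
                Action:
                  - ec2:ReplaceRoute
                Resource: !Sub arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:route-table/${RouteTableInternalSubnet}
      ManagedPolicyArns:
        - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole

  # ------------------------------------------------------------#
  # CloudWatch Events
  # ------------------------------------------------------------#
  # Invoke the route switcher every minute
  ScheduleEvent:
    Type: AWS::Events::Rule
    Properties:
      Description: "ScheduleEvent"
      ScheduleExpression: "rate(1 minute)"
      State: ENABLED
      Targets:
        - Arn: !GetAtt VPCRouteSwitcher.Arn
          Id: ScheduleEvent1Target

  # Allow only this rule (SourceArn) to invoke the function
  LambdaEventPermission:
    Type: "AWS::Lambda::Permission"
    Properties:
      Action: "lambda:InvokeFunction"
      FunctionName: !GetAtt VPCRouteSwitcher.Arn
      Principal: "events.amazonaws.com"
      SourceArn: !GetAtt ScheduleEvent.Arn

  # ------------------------------------------------------------#
  # VPC endpoint (EC2 API reachable from the private subnets without a NAT)
  # ------------------------------------------------------------#
  YamahaFunctionEC2EndPoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      SubnetIds:
        - !Ref AZ1PrivateSubnet
        - !Ref AZ2PrivateSubnet
      # Derived from the stack's region rather than hard-coded to
      # ap-northeast-1, so the template deploys in other regions.
      ServiceName: !Sub com.amazonaws.${AWS::Region}.ec2
      VpcEndpointType: Interface
      VpcId: !Ref VPC
      PrivateDnsEnabled: true
      SecurityGroupIds:
        - !Ref EndPointSecuritygroup

  # An interface endpoint only serves HTTPS, so ingress is limited to tcp/443
  # from the VPC.
  EndPointSecuritygroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: !Sub ${AWS::StackName}-endpoint-sg
      GroupDescription: !Sub ${AWS::StackName}-endpoint-sg
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: !FindInMap [ ClassMap, !Ref VPCAddressClass, VPCCidrBlock ]
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-endpoint-sg
      VpcId: !Ref VPC

# ------------------------------------------------------------#
# Outputs
# ------------------------------------------------------------#
Outputs:
  # VPC
  VPC:
    Value: !Ref VPC
    Export:
      Name: !Sub "${AWS::StackName}-vpc"
  VPCCidr:
    Value: !FindInMap [ ClassMap, !Ref VPCAddressClass, VPCCidrBlock ]
    Export:
      Name: !Sub "${AWS::StackName}-vpc-cidr"

  # Subnets
  AZ1PrivateSubnetCidr:
    Value: !FindInMap [ ClassMap, !Ref VPCAddressClass, AZ1PrivateSubnetCidrBlock ]
    Export:
      Name: !Sub "${AWS::StackName}-az1-private-subnet-cidr"
  AZ1PublicSubnetCidr:
    Value: !FindInMap [ ClassMap, !Ref VPCAddressClass, AZ1PublicSubnetCidrBlock ]
    Export:
      Name: !Sub "${AWS::StackName}-az1-public-subnet-cidr"
  AZ2PrivateSubnetCidr:
    Value: !FindInMap [ ClassMap, !Ref VPCAddressClass, AZ2PrivateSubnetCidrBlock ]
    Export:
      Name: !Sub "${AWS::StackName}-az2-private-subnet-cidr"
  AZ2PublicSubnetCidr:
    Value: !FindInMap [ ClassMap, !Ref VPCAddressClass, AZ2PublicSubnetCidrBlock ]
    Export:
      Name: !Sub "${AWS::StackName}-az2-public-subnet-cidr"
  InternalSubnetCidr:
    Value: !FindInMap [ ClassMap, !Ref VPCAddressClass, InternalSubnetCidrBlock ]
    Export:
      Name: !Sub "${AWS::StackName}-internal-subnet-cidr"

  # EC2 / vRX addresses
  VRXAZ1Lan1IP:
    Value: !FindInMap [ ClassMap, !Ref VPCAddressClass, AZ1PrivateSubnetVRXIPAddr ]
    Export:
      Name: !Sub "${AWS::StackName}-vrx-az1-lan1-ip"
  VRXAZ1Lan2IP:
    Value: !FindInMap [ ClassMap, !Ref VPCAddressClass, AZ1PublicSubnetVRXIPAddr ]
    Export:
      Name: !Sub "${AWS::StackName}-vrx-az1-lan2-ip"
  VRXAZ2Lan1IP:
    Value: !FindInMap [ ClassMap, !Ref VPCAddressClass, AZ2PrivateSubnetVRXIPAddr ]
    Export:
      Name: !Sub "${AWS::StackName}-vrx-az2-lan1-ip"
  VRXAZ2Lan2IP:
    Value: !FindInMap [ ClassMap, !Ref VPCAddressClass, AZ2PublicSubnetVRXIPAddr ]
    Export:
      Name: !Sub "${AWS::StackName}-vrx-az2-lan2-ip"
  VRXAZ1ElasticIP:
    Value: !Ref ElasticIP1
    Export:
      Name: !Sub "${AWS::StackName}-vrx-az1-elasticip"
  VRXAZ2ElasticIP:
    Value: !Ref ElasticIP2
    Export:
      Name: !Sub "${AWS::StackName}-vrx-az2-elasticip"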