diff --git a/README.md b/README.md index 8240f420a..5c9560b0e 100644 --- a/README.md +++ b/README.md 
@@ -1,37 +1,6 @@ # Free Templates for AWS CloudFormation -Using our Infrastructure as Code templates will help you to bootstrap common setups on Amazon Web Services (AWS) within minutes. Our templates are exclusively designed for AWS CloudFormation, the Infrastructure as Code services on AWS. -## Benefits -* Speed up development and migration: reuse our CloudFormation templates to create complex environments for common use cases with ease. -* Rely on high quality infrastructure templates: peer-reviewed by an expert (certified AWS solutions architect Professional) and verified with automated tests. -* All templates are production-ready. If no other limitations are documented, they are: - * Highly available: no single point of failure - * Scalable: increase or decrease the number of instances based on load - * Frictionless deployment: deliver new versions of your application automatically without downtime - * Secure: using the latest operating systems and software components, follow the least privilege principle in all areas - * Operations: provide tools like logging, monitoring and alerting to recognize and debug problems -* Premium Support available: Get help in case of small and big emergencies and submit feature request. - -## Templates -We are offering the following templates: - -* [Elastic Compute Cloud (EC2)](./ec2/) -* [EC2 Container Service (ECS)](./ecs/) -* [Jenkins ](./jenkins/) -* [Operations](./operations/) -* [Security](./security/) -* [Static website](./static-website/) -* [Virtual Private Cloud (VPC)](./vpc/) -* [WordPress](./wordpress/) - -We are interested in your requirements. [Please use the following survey to upvote and add templates you are impatiently waiting for](https://docs.google.com/forms/d/e/1FAIpQLSerhIuMuCWrHai639FoUOt8ffmMqWr0PWzLhCn3VN29VUi8TA/viewform?usp=send_form) - -## Releases -We host all versions starting with version 3.1.0 on the `widdix-aws-cf-templates-releases-eu-west-1` S3 bucket. 
-The file `vpc/vpc-2azs.yaml` becomes the S3 key `v3.1.0/vpc/vpc-2azs.yaml`. -The latest version can also be found at `latest/vpc/vpc-2azs.yaml`. - -The current master branch (work in progress) is hosted on the `widdix-aws-cf-templates` S3 bucket. +Find the documentation here: http://templates.cloudonaut.io/en/stable/ ## License All templates are published under Apache License Version 2.0. diff --git a/docs/ec2.md b/docs/ec2.md new file mode 100644 index 000000000..df0013d66 --- /dev/null +++ b/docs/ec2.md 
@@ -0,0 +1,24 @@ +# EC2 with auto-recovery +This template describes an EC2 instance with auto-recovery. If the instance fails it will be replaced automatically. All data stored on EBS volumes will still be available. The public and private IP address won't change. Auto-recovery does only work inside of a single availability zone (AZ). + +![Architecture](./img/ec2-auto-recovery.png) + +## Installation Guide +1. This templates depends on one of our [`vpc-*azs.yaml`](../vpc/) templates. [![Launch Stack](./img/launch-stack.png)](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=vpc-2azs&templateURL=https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/__VERSION__/vpc/vpc-2azs.yaml) +1. [![Launch Stack](./img/launch-stack.png)](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=ec2-auto-recovery&templateURL=https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/__VERSION__/ec2/ec2-auto-recovery.yaml) +1. Click **Next** to proceed with the next step of the wizard. +1. Specify a name and all parameters for the stack. +1. Click **Next** to proceed with the next step of the wizard. +1. Click **Next** to skip the **Options** step of the wizard. +1. Check the **I acknowledge that this template might cause AWS CloudFormation to create IAM resources.** checkbox. +1. Click **Create** to start the creation of the stack. +1. Wait until the stack reaches the state **CREATE_COMPLETE** +1. Grab the public `IPAddress` of the EC2 instance from the **Outputs** tab of your stack. + +## Dependencies +* `vpc/vpc-*azs.yaml` (**required**) +* `vpc/vpc-ssh-bastion.yaml` (recommended) +* `operations/alert.yaml` (recommended) + +## Limitations +* The EC2 instance only runs in a single AZ. In case of an AZ outage the instance will be unavailable. diff --git a/docs/ecs.md b/docs/ecs.md new file mode 100644 index 000000000..af440190c --- /dev/null +++ b/docs/ecs.md 
@@ -0,0 +1,79 @@ +[EC2 Container Service (ECS)](https://aws.amazon.com/ecs/) is a highly scalable, fast, container management service that makes it easy to run, stop, and manage Docker containers on a cluster of Amazon EC2 instances. To run an application on ECS you need the following components: + +* Docker image published to [Docker Hub](https://hub.docker.com/) or [EC2 Container Registry (ECR)](https://aws.amazon.com/ecr/) +* ECS cluster +* ECS service + +We provide you templates for the ECS cluster and the service. You need to publish the Docker image. + +# ECS cluster +This template describes a fault tolerant and scalable ECS cluster on AWS. The cluster scales the underlying EC2 instances based on memory and CPU reservation. In case of a scale down, the instance drains all containers before it is terminated. + +![Architecture](./img/ecs-cluster.png) + +## Installation Guide +1. This templates depends on our [`vpc-*azs.yaml`](../vpc/) template. [![Launch Stack](./img/launch-stack.png)](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=vpc-2azs&templateURL=https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/__VERSION__/vpc/vpc-2azs.yaml) +1. [![Launch Stack](./img/launch-stack.png)](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=ecs-cluster&templateURL=https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/__VERSION__/ecs/cluster.yaml) +1. Click **Next** to proceed with the next step of the wizard. +1. Specify a name and all parameters for the stack. +1. Click **Next** to proceed with the next step of the wizard. +1. Click **Next** to skip the **Options** step of the wizard. +1. Check the **I acknowledge that this template might cause AWS CloudFormation to create IAM resources.** checkbox. +1. Click **Create** to start the creation of the stack. +1. 
Wait until the stack reaches the state **CREATE_COMPLETE** + +## Dependencies +* `vpc/vpc-*azs.yaml` (**required**) +* `vpc/vpc-ssh-bastion.yaml` (recommended) +* `security/auth-proxy-*.yaml` +* `operations/alert.yaml` (recommended) + +# ECS service +This template describes a fault tolerant and scalable ECS service on AWS. The service scales based on CPU utilization. + +> The image needs to expose port 80 or the `AWS::ECS::TaskDefinition` needs to be adjusted! + +We provide two service templates: +* `service-cluster-alb.yaml` uses the cluster's load balancer and path and/or host based routing. +* `service-dedicated-alb.yaml` includes a dedicated load balancer (ALB). + +## Using the cluster's load balancer and path and/or host based routing +This template describes a fault tolerant and scalable ECS service that uses the cluster's load balancer and path and/or host based routing. + +![Architecture](./img/ecs-service-cluster-alb.png) + +### Installation Guide +1. This templates depends on our [`cluster.yaml`](../ecs/) template. [![Launch Stack](./img/launch-stack.png)](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=ecs-cluster&templateURL=https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/__VERSION__ecs/cluster.yaml) +1. [![Launch Stack](./img/launch-stack.png)](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=ecs-service&templateURL=https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/__VERSION__ecs/service-cluster-alb.yaml) +1. Click **Next** to proceed with the next step of the wizard. +1. Specify a name and all parameters for the stack. +1. Click **Next** to proceed with the next step of the wizard. +1. Click **Next** to skip the **Options** step of the wizard. +1. Check the **I acknowledge that this template might cause AWS CloudFormation to create IAM resources.** checkbox. +1. Click **Create** to start the creation of the stack. +1. 
Wait until the stack reaches the state **CREATE_COMPLETE** + +### Dependencies +* `ecs/cluster.yaml` (**required**) +* `operations/alert.yaml` (recommended) + +## Using a dedicated load balancer for the service +This template describes a fault tolerant and scalable ECS service that uses a dedicated load balancer for the service. + +![Architecture](./img/ecs-service-dedicated-alb.png) + +### Installation Guide +1. This templates depends on our [`cluster.yaml`](../ecs/) template. [![Launch Stack](./img/launch-stack.png)](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=ecs-cluster&templateURL=https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/__VERSION__ecs/cluster.yaml) +1. [![Launch Stack](./img/launch-stack.png)](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=ecs-service&templateURL=https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/__VERSION__ecs/service-dedicated-alb.yaml) +1. Click **Next** to proceed with the next step of the wizard. +1. Specify a name and all parameters for the stack. +1. Click **Next** to proceed with the next step of the wizard. +1. Click **Next** to skip the **Options** step of the wizard. +1. Check the **I acknowledge that this template might cause AWS CloudFormation to create IAM resources.** checkbox. +1. Click **Create** to start the creation of the stack. +1. Wait until the stack reaches the state **CREATE_COMPLETE** + +### Dependencies +* `vpc/vpc-*azs.yaml` (**required**) +* `ecs/cluster.yaml` (**required**) +* `operations/alert.yaml` (recommended) diff --git a/ec2/ec2-auto-recovery.png b/docs/img/ec2-auto-recovery.png similarity index 100% rename from ec2/ec2-auto-recovery.png rename to docs/img/ec2-auto-recovery.png diff --git a/ecs/cluster.png b/docs/img/ecs-cluster.png similarity index 100% rename from ecs/cluster.png rename to docs/img/ecs-cluster.png 
diff --git a/ecs/service-cluster-alb.png b/docs/img/ecs-service-cluster-alb.png similarity index 100% rename from ecs/service-cluster-alb.png rename to docs/img/ecs-service-cluster-alb.png diff --git a/ecs/service-dedicated-alb.png b/docs/img/ecs-service-dedicated-alb.png similarity index 100% rename from ecs/service-dedicated-alb.png rename to docs/img/ecs-service-dedicated-alb.png diff --git a/jenkins/demo.gif b/docs/img/jenkins-demo.gif similarity index 100% rename from jenkins/demo.gif rename to docs/img/jenkins-demo.gif diff --git a/jenkins/jenkins2-ha-agents.png b/docs/img/jenkins2-ha-agents.png similarity index 100% rename from jenkins/jenkins2-ha-agents.png rename to docs/img/jenkins2-ha-agents.png diff --git a/jenkins/jenkins2-ha.png b/docs/img/jenkins2-ha.png similarity index 100% rename from jenkins/jenkins2-ha.png rename to docs/img/jenkins2-ha.png diff --git a/docs/img/launch-stack.png b/docs/img/launch-stack.png new file mode 100644 index 000000000..7c0b53b6f Binary files /dev/null and b/docs/img/launch-stack.png differ diff --git a/operations/alert.png b/docs/img/operations-alert.png similarity index 100% rename from operations/alert.png rename to docs/img/operations-alert.png diff --git a/security/auth-proxy-ha-github-orga.png b/docs/img/security-auth-proxy-ha-github-orga.png similarity index 100% rename from security/auth-proxy-ha-github-orga.png rename to docs/img/security-auth-proxy-ha-github-orga.png diff --git a/static-website/static-website.png b/docs/img/static-website.png similarity index 100% rename from static-website/static-website.png rename to docs/img/static-website.png diff --git a/vpc/vpc-2azs.png b/docs/img/vpc-2azs.png similarity index 100% rename from vpc/vpc-2azs.png rename to docs/img/vpc-2azs.png diff --git a/vpc/vpc-3azs.png b/docs/img/vpc-3azs.png similarity index 100% rename from vpc/vpc-3azs.png rename to docs/img/vpc-3azs.png 
diff --git a/vpc/vpc-endpoint-s3.png b/docs/img/vpc-endpoint-s3.png similarity index 100% rename from vpc/vpc-endpoint-s3.png rename to docs/img/vpc-endpoint-s3.png diff --git a/vpc/vpc-nat-gateway.png b/docs/img/vpc-nat-gateway.png similarity index 100% rename from vpc/vpc-nat-gateway.png rename to docs/img/vpc-nat-gateway.png diff --git a/vpc/vpc-nat-instance.png b/docs/img/vpc-nat-instance.png similarity index 100% rename from vpc/vpc-nat-instance.png rename to docs/img/vpc-nat-instance.png diff --git a/vpc/vpc-ssh-bastion.png b/docs/img/vpc-ssh-bastion.png similarity index 100% rename from vpc/vpc-ssh-bastion.png rename to docs/img/vpc-ssh-bastion.png diff --git a/wordpress/wordpress-ha.png b/docs/img/wordpress-ha.png similarity index 100% rename from wordpress/wordpress-ha.png rename to docs/img/wordpress-ha.png diff --git a/docs/index.md b/docs/index.md new file mode 100644 index 000000000..aa3b010fb --- /dev/null +++ b/docs/index.md 
@@ -0,0 +1,45 @@ +Your source for free [AWS CloudFormation](https://aws.amazon.com/cloudformation/) templates. Bootstrap high quality AWS infrastructure within minutes. + +# Why Free AWS CloudFormation Templates + +* Speed up development and migration: reuse our templates to create complex environments for common use cases with ease. +* Rely on high quality infrastructure templates: peer-reviewed by an expert (certified AWS solutions architect Professional) and verified with automated tests. +* All templates are production-ready. If no other limitations are documented, they are: + * Highly available: no single point of failure + * Scalable: increase or decrease the number of instances based on load + * Frictionless deployment: deliver new versions of your application automatically without downtime + * Secure: using the latest operating systems and software components, follow the least privilege principle in all areas + * Operations: provide tools like logging, monitoring and alerting to recognize and debug problems +* Premium Support available: Get help in case of small and big emergencies and submit feature request. + +# Infrastructure Templates +Choose from our template catalog: + +* [Elastic Compute Cloud (EC2)](./ec2/) +* [EC2 Container Service (ECS)](./ecs/) +* [Jenkins ](./jenkins/) +* [Operations](./operations/) +* [Security](./security/) +* [Static website](./static-website/) +* [Virtual Private Cloud (VPC)](./vpc/) +* [WordPress](./wordpress/) + +We are interested in your requirements. [Please use the following survey to upvote and add templates you are impatiently waiting for](https://docs.google.com/forms/d/e/1FAIpQLSerhIuMuCWrHai639FoUOt8ffmMqWr0PWzLhCn3VN29VUi8TA/viewform?usp=send_form) + +# How does CloudFormation works + +CloudFormation turns a template (JSON or YAML) into a stack. You can apply updated to an existing stack with an updated template an CloudFormation will figure out what needs to be changed. 
+ +**Never make manual changes to infrastructure managed by CloudFormation!** + +# License +All templates are published under Apache License Version 2.0. + +# Premium Support +We offer Premium Support for our CloudFormation templates: setting up environments based on our templates, adopting templates to specific use cases, resolving issues in production environments. [Hire us!](https://widdix.net/) + +# Feedback +We are looking forward to your feedback. Mail to [hello@widdix.de](mailto:hello@widdix.de). + +# About +A [cloudonaut.io](https://cloudonaut.io/templates-for-aws-cloudformation/) project. Engineered by [widdix](https://widdix.net). diff --git a/docs/jenkins.md b/docs/jenkins.md new file mode 100644 index 000000000..68eebb60f --- /dev/null +++ b/docs/jenkins.md 
@@ -0,0 +1,53 @@ +![Demo](./img/jenkins-demo.gif) + +# Jenkins 2.0: highly available master +This template describes a Jenkins master in a highly available manner. If the master instance fails it will be replaced automatically. All data stored on EFS where it is replicated across AZs and the file system can grow without a limit. The Jenkins master sits behind a load balancer to provide a fixed endpoint. Logs from the operating system and Jenkins are pushed to CloudWatch Logs. + +![Architecture](./img/jenkins2-ha.png) + +## Installation Guide +1. This templates depends on one of our [`vpc-*azs.yaml`](../vpc/) templates. [![Launch Stack](./img/launch-stack.png)](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=vpc-2azs&templateURL=https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/__VERSION__vpc/vpc-2azs.yaml) +1. [![Launch Stack](./img/launch-stack.png)](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=jenkins2-ha&templateURL=https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/__VERSION__jenkins/jenkins2-ha.yaml) +1. Click **Next** to proceed with the next step of the wizard. +1. Specify a name and all parameters for the stack. +1. Click **Next** to proceed with the next step of the wizard. +1. Click **Next** to skip the **Options** step of the wizard. +1. Check the **I acknowledge that this template might cause AWS CloudFormation to create IAM resources.** checkbox. +1. Click **Create** to start the creation of the stack. +1. Wait until the stack reaches the state **CREATE_COMPLETE** +1. Grab the `URL` of the Jenkins master from the **Outputs** tab of your stack. + +## Dependencies +* `vpc/vpc-*azs.yaml` (**required**) +* `vpc/vpc-ssh-bastion.yaml` (recommended) +* `security/auth-proxy-*.yaml` +* `operations/alert.yaml` (recommended) + +## Limitations +* Jenkins will only run in two Availability Zones, even if your VPC stack has more. 
+ +# Jenkins 2.0: highly available master and dynamic agents +This template describes a Jenkins master in a highly available manner. If the master instance fails it will be replaced automatically. All data stored on EFS where it is replicated across AZs and the file system can grow without a limit. The Jenkins master sits behind a load balancer to provide a fixed endpoint. A dynamic pool of agents will execute builds. If the build queue grows new agents are provisioned. Of the build queue is empty agents are taken offline (only if they have no build running). System and Jenkins logs are pushed to CloudWatch Logs. + +![Architecture](./img/jenkins2-ha-agents.png) + +## Installation Guide +1. This templates depends on one of our [`vpc-*azs.yaml`](../vpc/) templates. [![Launch Stack](./img/launch-stack.png)](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=vpc-2azs&templateURL=https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/__VERSION__vpc/vpc-2azs.yaml) +1. [![Launch Stack](./img/launch-stack.png)](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=jenkins2-ha-agents&templateURL=https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/__VERSION__jenkins/jenkins2-ha-agents.yaml) +1. Click **Next** to proceed with the next step of the wizard. +1. Specify a name and all parameters for the stack. +1. Click **Next** to proceed with the next step of the wizard. +1. Click **Next** to skip the **Options** step of the wizard. +1. Check the **I acknowledge that this template might cause AWS CloudFormation to create IAM resources.** checkbox. +1. Click **Create** to start the creation of the stack. +1. Wait until the stack reaches the state **CREATE_COMPLETE** +1. Grab the `URL` of the Jenkins master from the **Outputs** tab of your stack. 
+ +## Dependencies +* `vpc/vpc-*azs.yaml` (**required**) +* `vpc/vpc-ssh-bastion.yaml` (recommended) +* `security/auth-proxy-*.yaml` +* `operations/alert.yaml` (recommended) + +## Limitations +* Jenkins will only run in two Availability Zones, even if your VPC stack has more. diff --git a/docs/operations.md b/docs/operations.md new file mode 100644 index 000000000..b4afc7c01 --- /dev/null +++ b/docs/operations.md @@ -0,0 +1,17 @@ +# Alert topic +This template describes a SNS topic that can be used by many other templates to receive alerts. You can add one or multiple subscribers to this topic and they will all receive the same alerts. Supported transports are: +* Email +* HTTP endpoint +* HTTPS endpoint (can be used by [marbot](https://marbot.io/)) + +![Architecture](./img/operations-alert.png) + +## Installation Guide +1. [![Launch Stack](./img/launch-stack.png)](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=operations-alert&templateURL=https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/__VERSION__operations/alert.yaml) +1. Click **Next** to proceed with the next step of the wizard. +1. Specify a name and all parameters for the stack. +1. Click **Next** to proceed with the next step of the wizard. +1. Click **Next** to skip the **Options** step of the wizard. +1. Check the **I acknowledge that this template might cause AWS CloudFormation to create IAM resources.** checkbox. +1. Click **Create** to start the creation of the stack. +1. Wait until the stack reaches the state **CREATE_COMPLETE** diff --git a/docs/security.md b/docs/security.md new file mode 100644 index 000000000..83e8ff071 --- /dev/null +++ b/docs/security.md 
@@ -0,0 +1,170 @@ +# S3 VirusScan +This template creates a Antivirus cluster for S3 buckets. You can connect as many buckets as you like by using [S3 Event Notifications](http://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html). The template has it's own repository: [aws-s3-virusscan](https://github.com/widdix/aws-s3-virusscan) + +## Features + +* Uses ClamAV to scan newly added files on S3 buckets +* Updates ClamAV database every 3 hours automatically +* Scales EC2 instance workers to distribute workload +* Publishes a message to SNS in case of a finding +* Can optionally delete compromised files automatically +* Logs to CloudWatch Logs + +## Installation Guide +Visit the template's repository for installation instructions: [aws-s3-virusscan](https://github.com/widdix/aws-s3-virusscan) + +# Account Password Policy +This template creates an account password policy for your IAM users. You can: + +* set IAM user passwords to be valid for only the specified number of days. +* prevent IAM users from reusing a specified number of previous passwords. +* specify the minimum number of characters allowed in an IAM user password. +* require that IAM user passwords contain at least one lowercase character from the ISO basic Latin alphabet (a to z). +* require that IAM user passwords contain at least one uppercase character from the ISO basic Latin alphabet (A to Z). +* require that IAM user passwords contain at least one numeric character (0 to 9). +* require that IAM user passwords contain at least one nonalphanumeric character. +* permit all IAM users in your account to use the IAM console to change their own passwords. +* prevent IAM users from choosing a new password after their current password has expired. + +Or just use the suggested defaults. + +## Installation Guide +1. 
[![Launch Stack](./img/launch-stack.png)](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=security-account-password-policy&templateURL=https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/__VERSION__security/account-password-policy.yaml) +1. Click **Next** to proceed with the next step of the wizard. +1. Specify a name and all parameters for the stack. +1. Click **Next** to proceed with the next step of the wizard. +1. Click **Next** to skip the **Options** step of the wizard. +1. Check the **I acknowledge that this template might cause AWS CloudFormation to create IAM resources.** checkbox. +1. Click **Create** to start the creation of the stack. +1. Wait until the stack reaches the state **CREATE_COMPLETE** + +# Authentication Proxy using your GitHub Organization +This template describes a **highly available** authentication proxy that forwards request to a upstream http(s) endpoint if the user is authenticated against your GitHub Organization. + +![Architecture](./img/security-auth-proxy-ha-github-orga.png) + +## Installation Guide +1. This templates depends on one of our [`vpc-*azs.yaml`](../vpc/) templates. [![Launch Stack](./img/launch-stack.png)](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=vpc-2azs&templateURL=https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/__VERSION__vpc/vpc-2azs.yaml) +1. [![Launch Stack](./img/launch-stack.png)](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=security-auth-proxy-ha-github-orga&templateURL=https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/__VERSION__security/auth-proxy-ha-github-orga.yaml) +1. Click **Next** to proceed with the next step of the wizard. +1. Specify a name and all parameters for the stack. +1. Click **Next** to proceed with the next step of the wizard. +1. Click **Next** to skip the **Options** step of the wizard. +1. 
Check the **I acknowledge that this template might cause AWS CloudFormation to create IAM resources.** checkbox. +1. Click **Create** to start the creation of the stack. +1. Wait until the stack reaches the state **CREATE_COMPLETE** + +## Dependencies +* `vpc/vpc-*azs.yaml` (**required**) +* `vpc/vpc-ssh-bastion.yaml` (recommended) +* `operations/alert.yaml` (recommended) + +## Limitations +* By default, only one EC2 instance is managed by the ASG. In case of an outage the instance will be replaced within 5 minutes. You can change this in the ASG configuration! + +# CloudTrail across all regions +This template enables CloudTrail to records AWS API calls across all regions in your AWS account. API calls are archived in S3 and also pushed CloudWatch Logs. If new API calls are available in S3 a SNS topic is notified. + +## Installation Guide +1. [![Launch Stack](./img/launch-stack.png)](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=security-cloudtrail&templateURL=https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/__VERSION__security/cloudtrail.yaml) +1. Click **Next** to proceed with the next step of the wizard. +1. Specify a name and all parameters for the stack. +1. Click **Next** to proceed with the next step of the wizard. +1. Click **Next** to skip the **Options** step of the wizard. +1. Check the **I acknowledge that this template might cause AWS CloudFormation to create IAM resources.** checkbox. +1. Click **Create** to start the creation of the stack. +1. 
Wait until the stack reaches the state **CREATE_COMPLETE** + +If you want to use an external S3 bucket, the bucket needs to have the following S3 bucket policy: + +``` +{ + "Version": "2012-10-17", + "Statement": [{ + "Sid": "AWSCloudTrailAclCheck", + "Effect": "Allow", + "Principal": { + "Service": "cloudtrail.amazonaws.com" + }, + "Action": "s3:GetBucketAcl", + "Resource": "arn:aws:s3:::$ExternalTrailBucket" + }, { + "Sid": "AWSCloudTrailWrite", + "Effect": "Allow", + "Principal": { + "Service": "cloudtrail.amazonaws.com" + }, + "Action": "s3:PutObject", + "Resource": [ + "arn:aws:s3:::$ExternalTrailBucket/AWSLogs/$AccountId[0]/*", + "arn:aws:s3:::$ExternalTrailBucket/AWSLogs/$AccountId[1]/*", + "arn:aws:s3:::$ExternalTrailBucket/AWSLogs/$AccountId[2]/*" + ], + "Condition": { + "StringEquals": { + "s3:x-amz-acl": "bucket-owner-full-control" + } + } + }] +} + +``` + +Replace `$ExternalTrailBucket` with the name of your bucket, and add a row for every account you want to write from `$AccountId[*]`. + +# AWS Config setup +This template enables AWS Config to deliver a AWS resource inventory to S3. Allowing you to keep track of infrastructure changes for compliance and debugging of your cloud infrastructure. + +## Installation Guide +1. [![Launch Stack](./img/launch-stack.png)](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=security-config&templateURL=https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/__VERSION__security/config.yaml) +1. Click **Next** to proceed with the next step of the wizard. +1. Specify a name and all parameters for the stack. +1. Click **Next** to proceed with the next step of the wizard. +1. Click **Next** to skip the **Options** step of the wizard. +1. Check the **I acknowledge that this template might cause AWS CloudFormation to create IAM resources.** checkbox. +1. Click **Create** to start the creation of the stack. +1. 
Wait until the stack reaches the state **CREATE_COMPLETE** + +If you want to use an external S3 bucket, the bucket needs to have the following S3 bucket policy: + +``` +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AWSConfigBucketPermissionsCheck", + "Effect": "Allow", + "Principal": { + "Service": [ + "config.amazonaws.com" + ] + }, + "Action": "s3:GetBucketAcl", + "Resource": "arn:aws:s3:::$ExternalTrailBucket" + }, + { + "Sid": " AWSConfigBucketDelivery", + "Effect": "Allow", + "Principal": { + "Service": [ + "config.amazonaws.com" + ] + }, + "Action": "s3:PutObject", + "Resource": [ + "arn:aws:s3:::$ExternalConfigBucket/AWSLogs/$AccountId[0]/Config/*", + "arn:aws:s3:::$ExternalConfigBucket/AWSLogs/$AccountId[0]/Config/*", + "arn:aws:s3:::$ExternalConfigBucket/AWSLogs/$AccountId[2]/Config/*" + ], + "Condition": { + "StringEquals": { + "s3:x-amz-acl": "bucket-owner-full-control" + } + } + } + ] +} + +``` + +Replace `$ExternalTrailBucket` with the name of your bucket, and add a row for every account you want to write from `$AccountId[*]`. diff --git a/docs/static-website.md b/docs/static-website.md new file mode 100644 index 000000000..e0f4add55 --- /dev/null +++ b/docs/static-website.md 
@@ -0,0 +1,14 @@ +# Static website with CDN +This template describes the infrastructure for hosting a static website over HTTPS behind a CDN. + +![Architecture](./img/static-website.png) + +## Installation Guide +1. [![Launch Stack](./img/launch-stack.png)](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=static-website&templateURL=https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/__VERSION__static-website/static-website.yaml) +1. Click **Next** to proceed with the next step of the wizard. +1. Specify a name and all parameters for the stack. +1. Click **Next** to proceed with the next step of the wizard. +1. Click **Next** to skip the **Options** step of the wizard. +1. Check the **I acknowledge that this template might cause AWS CloudFormation to create IAM resources.** checkbox. +1. Click **Create** to start the creation of the stack. +1. Wait until the stack reaches the state **CREATE_COMPLETE** diff --git a/docs/vpc.md b/docs/vpc.md new file mode 100644 index 000000000..59bc4a33b --- /dev/null +++ b/docs/vpc.md 
@@ -0,0 +1,129 @@ +A VPC is a virtual network inside AWS where you can isolate your setup using private IP addresses. A VPC consists of several subnets. Each subnet is bound to an Availability Zone. A **public** subnet has a direct route to the Internet. As long as your EC2 instances have an public IP they can communicate (in and out) with the Internet. A **private** subnet does not have a route to the Internet. Instances in private subnets can not be accessed from the public Internet. If you want to access the Internet from a private subnet you need to create a NAT gateway/instance. You can deploy a bastion host/instance to reduce the attack surface of internal applications. + +# VPC with private and public subnets in two Availability Zones +This template describes a VPC with two private and two public subnets. + +![Architecture](./img/vpc-2azs.png) + +## Installation Guide +1. [![Launch Stack](./img/launch-stack.png)](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=vpc-2azs&templateURL=https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/__VERSION__vpc/vpc-2azs.yaml) +1. Click **Next** to proceed with the next step of the wizard. +1. Specify a name and all parameters for the stack. +1. Click **Next** to proceed with the next step of the wizard. +1. Click **Next** to skip the **Options** step of the wizard. +1. Click **Create** to start the creation of the stack. +1. Wait until the stack reaches the state **CREATE_COMPLETE** + +If you have an existing VPC you can wrap it into our required form using a legacy VPC wrapper: [![Launch Stack](./img/launch-stack.png)](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=vpc-2azs&templateURL=https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/__VERSION__vpc/vpc-2azs-legacy.yaml) + +# VPC with private and public subnets in three Availability Zones +This template describes a VPC with three private and three public subnets. 
+ +![Architecture](./img/vpc-3azs.png) + +## Installation Guide +1. [![Launch Stack](./img/launch-stack.png)](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=vpc-3azs&templateURL=https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/__VERSION__vpc/vpc-3azs.yaml) +1. Click **Next** to proceed with the next step of the wizard. +1. Specify a name and all parameters for the stack. +1. Click **Next** to proceed with the next step of the wizard. +1. Click **Next** to skip the **Options** step of the wizard. +1. Click **Create** to start the creation of the stack. +1. Wait until the stack reaches the state **CREATE_COMPLETE** + +If you have an existing VPC you can wrap it into our required form using a legacy VPC wrapper: [![Launch Stack](./img/launch-stack.png)](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=vpc-3azs&templateURL=https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/__VERSION__vpc/vpc-3azs-legacy.yaml) + +# VPC with private and public subnets in four Availability Zones +This template describes a VPC with four private and four public subnets. + +## Installation Guide +1. [![Launch Stack](./img/launch-stack.png)](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=vpc-4azs&templateURL=https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/__VERSION__vpc/vpc-4azs.yaml) +1. Click **Next** to proceed with the next step of the wizard. +1. Specify a name and all parameters for the stack. +1. Click **Next** to proceed with the next step of the wizard. +1. Click **Next** to skip the **Options** step of the wizard. +1. Click **Create** to start the creation of the stack. +1. 
Wait until the stack reaches the state **CREATE_COMPLETE** + +If you have an existing VPC you can wrap it into our required form using a legacy VPC wrapper: [![Launch Stack](./img/launch-stack.png)](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=vpc-4azs&templateURL=https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/__VERSION__vpc/vpc-4azs-legacy.yaml) + +# NAT Gateway +This template describes a NAT Gateway that forwards HTTP, HTTPS and NTP traffic from private subnets to the Internet. + +![Architecture](./img/vpc-nat-gateway.png) + +## Installation Guide +1. This templates depends on one of our `vpc-*azs.yaml` templates. [![Launch Stack](./img/launch-stack.png)](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=vpc-2azs&templateURL=https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/__VERSION__vpc/vpc-2azs.yaml) +1. [![Launch Stack](./img/launch-stack.png)](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=vpc-nat-gateway&templateURL=https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/__VERSION__vpc/vpc-nat-gateway.yaml) +1. Click **Next** to proceed with the next step of the wizard. +1. Specify a name and all parameters for the stack. +1. Click **Next** to proceed with the next step of the wizard. +1. Click **Next** to skip the **Options** step of the wizard. +1. Click **Create** to start the creation of the stack. +1. Wait until the stack reaches the state **CREATE_COMPLETE** + +## Dependencies +* `vpc/vpc-*azs.yaml` (**required**) + +## Limitations +* The NAT Gateway is a single point of failure because it runs only in one Subnet (and therefore in one Availability Zone): https://github.com/widdix/aws-cf-templates/issues/65 + +# NAT instance +This template describes a **highly available** Network Address Translation (NAT) instance that forwards HTTP, HTTPS and NTP traffic from private subnets to the Internet. 
+ +![Architecture](./img/vpc-nat-instance.png) +## Installation Guide +1. This templates depends on one of our `vpc-*azs.yaml` templates. [![Launch Stack](./img/launch-stack.png)](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=vpc-2azs&templateURL=https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/__VERSION__vpc/vpc-2azs.yaml) +1. [![Launch Stack](./img/launch-stack.png)](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=vpc-nat-instance&templateURL=https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/__VERSION__vpc/vpc-nat-instance.yaml) +1. Click **Next** to proceed with the next step of the wizard. +1. Specify a name and all parameters for the stack. +1. Click **Next** to proceed with the next step of the wizard. +1. Click **Next** to skip the **Options** step of the wizard. +1. Check the **I acknowledge that this template might cause AWS CloudFormation to create IAM resources.** checkbox. +1. Click **Create** to start the creation of the stack. +1. Wait until the stack reaches the state **CREATE_COMPLETE** + +## Dependencies +* `vpc/vpc-*azs.yaml` (**required**) +* `vpc/vpc-ssh-bastion.yaml` (recommended) +* `operations/alert.yaml` (recommended) + +## Limitations +* Only one EC2 instance is managed by the ASG. In case of an outage the instance will be replaced within 5 minutes. + +# SSH bastion host/instance +This template describes a **highly available** SSH bastion host/instance. SSH Port 22 is open to the world. You can enable the default ec2-user access protected by the referenced EC2 KeyPair. You can also enable personalized SSH access by using the IAM users and their configured public keys. Use `ssh -A user@ip` to enable forwarding of the authentication agent connection when connection to the bastion host. +**Users are not able to sudo on the bastion host/instance! That's very important for security. Why? 
SSH places a SSH_AUTH_SOCK file into the /tmp directoy only accessible by the user. If you have root you could use any of those files and jump to other machines as another user!** + +![Architecture](./img/vpc-ssh-bastion.png) +## Installation Guide +1. This templates depends on one of our `vpc-*azs.yaml` templates. [![Launch Stack](./img/launch-stack.png)](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=vpc-2azs&templateURL=https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/__VERSION__vpc/vpc-2azs.yaml) +1. [![Launch Stack](./img/launch-stack.png)](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=vpc-ssh-bastion&templateURL=https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/__VERSION__vpc/vpc-ssh-bastion.yaml) +1. Click **Next** to proceed with the next step of the wizard. +1. Specify a name and all parameters for the stack. +1. Click **Next** to proceed with the next step of the wizard. +1. Click **Next** to skip the **Options** step of the wizard. +1. Check the **I acknowledge that this template might cause AWS CloudFormation to create IAM resources.** checkbox. +1. Click **Create** to start the creation of the stack. +1. Wait until the stack reaches the state **CREATE_COMPLETE** + +## Dependencies +* `vpc/vpc-*azs.yaml` (**required**) +* `operations/alert.yaml` (recommended) + +## Limitations +* Only one EC2 instance is managed by the ASG. In case of an outage the instance will be replaced within 5 minutes. + +# VPC Endpoint to S3 +This template describes a VPC endpoint to securely route traffic within a VPC for private instances to access S3 without the need of a NAT Gateway, NAT instance, or public internet. Refer to [AWS VPC endpoint](http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html) documentation if this is necessary for your stack. 
By default, access to all S3 actions and buckets is allowed, but may be constrained with a policy document. + +![Architecture](./img/vpc-endpoint-s3.png) +## Installation Guide +1. This templates depends on one of our `vpc-*azs.yaml` templates. [Launch Stack](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=vpc-2azs&templateURL=https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/__VERSION__vpc/vpc-2azs.yaml) +1. [Launch Stack](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=vpc-endpoint-s3&templateURL=https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/__VERSION__vpc/vpc-endpoint-s3.yaml) for this VPC endpoint to S3. +1. Click **Next** to proceed with the next step of the wizard. +1. Specify a name and all parameters for the stack. +1. Click **Next** to proceed with the next step of the wizard. +1. Click **Next** to skip the **Options** step of the wizard. +1. Check the **I acknowledge that this template might cause AWS CloudFormation to create IAM resources.** checkbox. +1. Click **Create** to start the creation of the stack. +1. Wait until the stack reaches the state **CREATE_COMPLETE** diff --git a/docs/wordpress.md b/docs/wordpress.md new file mode 100644 index 000000000..5f54253a7 --- /dev/null +++ b/docs/wordpress.md 
@@ -0,0 +1,44 @@ +# WordPress: fault tolerant and scalable +Use this CloudFormation template to create a fault tolerant and scalable WordPress environment on AWS. + +## Features +* HTTPS only +* CDN caching static files +* Scalable file storage +* Fault tolerance due to multi-AZ setup + +## Services +This template combines the following services: +* CloudFront: CDN for dynamic and static content +* ELB: load balancer forwarding requests to EC2 instances and terminating SSL +* EC2: virtual machines running the web servers +* EFS: storage for WordPress files (WordPress core, plugins, themes, user uploads, ...) +* RDS: MySQL database + +![Architecture](./img/wordpress-ha.png) + +## Installation Guide +1. This templates depends on our [`vpc-*azs.yaml`](../vpc/) template. [![Launch Stack](./img/launch-stack.png)](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=vpc-2azs&templateURL=https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/__VERSION__vpc/vpc-2azs.yaml) +1. Create an ACM certificate for your domain name within the region you want to launch your stack in. Copy the ARN of the certificate. This is for the ELB. +1. Create another ACM certificate for your domain in region `us-east-1`. Copy the ARN of the certificate. This is for CloudFront (note: [CloudFront only supports ACM certificates in us-east-1](https://docs.aws.amazon.com/acm/latest/userguide/acm-services.html)) +1. [![Launch Stack](./img/launch-stack.png)](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=wordpress-ha&templateURL=https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/__VERSION__wordpress/wordpress-ha.yaml) +1. Click **Next** to proceed with the next step of the wizard. +1. Specify a name and all parameters for the stack. +1. Click **Next** to proceed with the next step of the wizard. +1. Click **Next** to skip the **Options** step of the wizard. +1. 
Check the **I acknowledge that this template might cause AWS CloudFormation to create IAM resources.** checkbox. +1. Click **Create** to start the creation of the stack. +1. Wait until the stack reaches the state **CREATE_COMPLETE** +1. Grab the `URL` of the WordPress environment from the **Outputs** tab of your stack. + +## Dependencies +* `vpc/vpc-*azs.yaml` (**required**) +* `vpc/vpc-ssh-bastion.yaml` (recommended) +* `security/auth-proxy-*.yaml` +* `operations/alert.yaml` (recommended) + +## Limitations +* WordPress will only run in two Availability Zones, even if your VPC stack has more. +* PHP files are cached for 300 seconds on the web servers. +* Static files `wp-includes` and `wp-content` are cached for 15 minutes on the CDN. +* Pre-defined auto-scaling might not be able to cover your requirements and needs load and performance testing. diff --git a/ec2/DEV.md b/ec2/DEV.md deleted file mode 100644 index c51b7cea3..000000000 --- a/ec2/DEV.md +++ /dev/null @@ -1,9 +0,0 @@ -# Developer notes - -## RegionMap -To update the region map execute the following lines in your terminal: - -``` -$ regions=$(aws ec2 describe-regions --query "Regions[].RegionName" --output text) -$ for region in $regions; do ami=$(aws --region $region ec2 describe-images --filters "Name=name,Values=amzn-ami-hvm-2017.03.0.20170417-x86_64-gp2" --query "Images[0].ImageId" --output "text"); printf "'$region':\n AMI: '$ami'\n"; done -``` diff --git a/ec2/README.md b/ec2/README.md index cda3267f7..bf343a818 100644 --- a/ec2/README.md +++ b/ec2/README.md 
@@ -1,29 +1,19 @@ # EC2 Templates for AWS CloudFormation -## EC2 with auto-recovery -This template describes an EC2 instance with auto-recovery. If the instance fails it will be replaced automatically. All data stored on EBS volumes will still be available. The public and private IP address won't change. Auto-recovery does only work inside of a single availability zone (AZ). - -![Architecture](./ec2-auto-recovery.png?raw=true "Architecture") - -### Installation Guide -1. This templates depends on one of our [`vpc-*azs.yaml`](../vpc/) templates. Launch Stack -1. Launch Stack -1. Click **Next** to proceed with the next step of the wizard. -1. Specify a name and all parameters for the stack. -1. Click **Next** to proceed with the next step of the wizard. -1. Click **Next** to skip the **Options** step of the wizard. -1. Check the **I acknowledge that this template might cause AWS CloudFormation to create IAM resources.** checkbox. -1. Click **Create** to start the creation of the stack. -1. Wait until the stack reaches the state **CREATE_COMPLETE** -1. Grab the public `IPAddress` of the EC2 instance from the **Outputs** tab of your stack. - -### Dependencies -* `vpc/vpc-*azs.yaml` (**required**) -* `vpc/vpc-ssh-bastion.yaml` (recommended) -* `operations/alert.yaml` (recommended) - -### Limitations -* The EC2 instance only runs in a single AZ. In case of an AZ outage the instance will be unavailable. 
+Find the documentation here: http://templates.cloudonaut.io/en/stable/ec2/ + +## Developer notes + +### RegionMap +To update the region map execute the following lines in your terminal: + +``` +$ regions=$(aws ec2 describe-regions --query "Regions[].RegionName" --output text) +$ for region in $regions; do ami=$(aws --region $region ec2 describe-images --filters "Name=name,Values=amzn-ami-hvm-2017.03.0.20170417-x86_64-gp2" --query "Images[0].ImageId" --output "text"); printf "'$region':\n AMI: '$ami'\n"; done +``` + +## License +All templates are published under Apache License Version 2.0. ## Premium Support We offer Premium Support for our CloudFormation templates: setting up environments based on our templates, adopting templates to specific use cases, resolving issues in production environments. [Hire us!](https://widdix.net/) diff --git a/ecs/DEV.md b/ecs/DEV.md deleted file mode 100644 index 4757803a1..000000000 --- a/ecs/DEV.md +++ /dev/null @@ -1,9 +0,0 @@ -# Developer notes - -## ECS RegionMap -To update the region map execute the following lines in your terminal: - -``` -$ regions=$(aws ec2 describe-regions --query "Regions[].RegionName" --output text) -$ for region in $regions; do ami=$(aws --region $region ec2 describe-images --filters "Name=name,Values=amzn-ami-2016.09.g-amazon-ecs-optimized" --query "Images[0].ImageId" --output "text"); printf "'$region':\n ECSAMI: '$ami'\n"; done -``` diff --git a/ecs/README.md b/ecs/README.md index edda549e1..96ec4ccfb 100644 --- a/ecs/README.md +++ b/ecs/README.md 
@@ -1,84 +1,19 @@ # ECS Templates for AWS CloudFormation -[EC2 Container Service (ECS)](https://aws.amazon.com/ecs/) is a highly scalable, fast, container management service that makes it easy to run, stop, and manage Docker containers on a cluster of Amazon EC2 instances. To run an application on ECS you need the following components: +Find the documentation here: http://templates.cloudonaut.io/en/stable/ecs/ -* Docker image published to [Docker Hub](https://hub.docker.com/) or [EC2 Container Registry (ECR)](https://aws.amazon.com/ecr/) -* ECS cluster -* ECS service +## Developer notes -We provide you templates for the ECS cluster and the service. You need to publish the Docker image. +### ECS RegionMap +To update the region map execute the following lines in your terminal: -## ECS cluster -This template describes a fault tolerant and scalable ECS cluster on AWS. The cluster scales the underlying EC2 instances based on memory and CPU reservation. In case of a scale down, the instance drains all containers before it is terminated. +``` +$ regions=$(aws ec2 describe-regions --query "Regions[].RegionName" --output text) +$ for region in $regions; do ami=$(aws --region $region ec2 describe-images --filters "Name=name,Values=amzn-ami-2016.09.g-amazon-ecs-optimized" --query "Images[0].ImageId" --output "text"); printf "'$region':\n ECSAMI: '$ami'\n"; done +``` -![Architecture](./cluster.png?raw=true "Architecture") - -### Installation Guide -1. This templates depends on our [`vpc-*azs.yaml`](../vpc/) template. Launch Stack -1. Launch Stack -1. Click **Next** to proceed with the next step of the wizard. -1. Specify a name and all parameters for the stack. -1. Click **Next** to proceed with the next step of the wizard. -1. Click **Next** to skip the **Options** step of the wizard. -1. Check the **I acknowledge that this template might cause AWS CloudFormation to create IAM resources.** checkbox. -1. Click **Create** to start the creation of the stack. -1. 
Wait until the stack reaches the state **CREATE_COMPLETE** - -### Dependencies -* `vpc/vpc-*azs.yaml` (**required**) -* `vpc/vpc-ssh-bastion.yaml` (recommended) -* `security/auth-proxy-*.yaml` -* `operations/alert.yaml` (recommended) - -## ECS service -This template describes a fault tolerant and scalable ECS service on AWS. The service scales based on CPU utilization. - -> The image needs to expose port 80 or the `AWS::ECS::TaskDefinition` needs to be adjusted! - -We provide two service templates: -* `service-cluster-alb.yaml` uses the cluster's load balancer and path and/or host based routing. -* `service-dedicated-alb.yaml` includes a dedicated load balancer (ALB). - -### Using the cluster's load balancer and path and/or host based routing -This template describes a fault tolerant and scalable ECS service that uses the cluster's load balancer and path and/or host based routing. - -![Architecture](./service-cluster-alb.png?raw=true "Architecture") - -#### Installation Guide -1. This templates depends on our [`cluster.yaml`](../ecs/) template. Launch Stack -1. Launch Stack -1. Click **Next** to proceed with the next step of the wizard. -1. Specify a name and all parameters for the stack. -1. Click **Next** to proceed with the next step of the wizard. -1. Click **Next** to skip the **Options** step of the wizard. -1. Check the **I acknowledge that this template might cause AWS CloudFormation to create IAM resources.** checkbox. -1. Click **Create** to start the creation of the stack. -1. Wait until the stack reaches the state **CREATE_COMPLETE** - -#### Dependencies -* `ecs/cluster.yaml` (**required**) -* `operations/alert.yaml` (recommended) - -### Using a dedicated load balancer for the service -This template describes a fault tolerant and scalable ECS service that uses a dedicated load balancer for the service. - -![Architecture](./service-dedicated-alb.png?raw=true "Architecture") - -#### Installation Guide -1. 
This templates depends on our [`cluster.yaml`](../ecs/) template. Launch Stack -1. Launch Stack -1. Click **Next** to proceed with the next step of the wizard. -1. Specify a name and all parameters for the stack. -1. Click **Next** to proceed with the next step of the wizard. -1. Click **Next** to skip the **Options** step of the wizard. -1. Check the **I acknowledge that this template might cause AWS CloudFormation to create IAM resources.** checkbox. -1. Click **Create** to start the creation of the stack. -1. Wait until the stack reaches the state **CREATE_COMPLETE** - -#### Dependencies -* `vpc/vpc-*azs.yaml` (**required**) -* `ecs/cluster.yaml` (**required**) -* `operations/alert.yaml` (recommended) +## License +All templates are published under Apache License Version 2.0. ## Premium Support We offer Premium Support for our CloudFormation templates: setting up environments based on our templates, adopting templates to specific use cases, resolving issues in production environments. [Hire us!](https://widdix.net/) diff --git a/jenkins/DEV.md b/jenkins/DEV.md deleted file mode 100644 index c51b7cea3..000000000 --- a/jenkins/DEV.md +++ /dev/null @@ -1,9 +0,0 @@ -# Developer notes - -## RegionMap -To update the region map execute the following lines in your terminal: - -``` -$ regions=$(aws ec2 describe-regions --query "Regions[].RegionName" --output text) -$ for region in $regions; do ami=$(aws --region $region ec2 describe-images --filters "Name=name,Values=amzn-ami-hvm-2017.03.0.20170417-x86_64-gp2" --query "Images[0].ImageId" --output "text"); printf "'$region':\n AMI: '$ami'\n"; done -``` diff --git a/jenkins/README.md b/jenkins/README.md index b40b77727..fb3ff8623 100644 --- a/jenkins/README.md +++ b/jenkins/README.md 
@@ -1,58 +1,19 @@ # Jenkins Templates for AWS CloudFormation -![Demo](./demo.gif?raw=true "Demo") +Find the documentation here: http://templates.cloudonaut.io/en/stable/jenkins/ -## Jenkins 2.0: highly available master -This template describes a Jenkins master in a highly available manner. If the master instance fails it will be replaced automatically. All data stored on EFS where it is replicated across AZs and the file system can grow without a limit. The Jenkins master sits behind a load balancer to provide a fixed endpoint. Logs from the operating system and Jenkins are pushed to CloudWatch Logs. +## Developer notes -![Architecture](./jenkins2-ha.png?raw=true "Architecture") +### RegionMap +To update the region map execute the following lines in your terminal: -### Installation Guide -1. This templates depends on one of our [`vpc-*azs.yaml`](../vpc/) templates. Launch Stack -1. Launch Stack -1. Click **Next** to proceed with the next step of the wizard. -1. Specify a name and all parameters for the stack. -1. Click **Next** to proceed with the next step of the wizard. -1. Click **Next** to skip the **Options** step of the wizard. -1. Check the **I acknowledge that this template might cause AWS CloudFormation to create IAM resources.** checkbox. -1. Click **Create** to start the creation of the stack. -1. Wait until the stack reaches the state **CREATE_COMPLETE** -1. Grab the `URL` of the Jenkins master from the **Outputs** tab of your stack. 
+``` +$ regions=$(aws ec2 describe-regions --query "Regions[].RegionName" --output text) +$ for region in $regions; do ami=$(aws --region $region ec2 describe-images --filters "Name=name,Values=amzn-ami-hvm-2017.03.0.20170417-x86_64-gp2" --query "Images[0].ImageId" --output "text"); printf "'$region':\n AMI: '$ami'\n"; done +``` -### Dependencies -* `vpc/vpc-*azs.yaml` (**required**) -* `vpc/vpc-ssh-bastion.yaml` (recommended) -* `security/auth-proxy-*.yaml` -* `operations/alert.yaml` (recommended) - -## Limitations -* Jenkins will only run in two Availability Zones, even if your VPC stack has more. - -## Jenkins 2.0: highly available master and dynamic agents -This template describes a Jenkins master in a highly available manner. If the master instance fails it will be replaced automatically. All data stored on EFS where it is replicated across AZs and the file system can grow without a limit. The Jenkins master sits behind a load balancer to provide a fixed endpoint. A dynamic pool of agents will execute builds. If the build queue grows new agents are provisioned. Of the build queue is empty agents are taken offline (only if they have no build running). System and Jenkins logs are pushed to CloudWatch Logs. - -![Architecture](./jenkins2-ha-agents.png?raw=true "Architecture") - -### Installation Guide -1. This templates depends on one of our [`vpc-*azs.yaml`](../vpc/) templates. Launch Stack -1. Launch Stack -1. Click **Next** to proceed with the next step of the wizard. -1. Specify a name and all parameters for the stack. -1. Click **Next** to proceed with the next step of the wizard. -1. Click **Next** to skip the **Options** step of the wizard. -1. Check the **I acknowledge that this template might cause AWS CloudFormation to create IAM resources.** checkbox. -1. Click **Create** to start the creation of the stack. -1. Wait until the stack reaches the state **CREATE_COMPLETE** -1. Grab the `URL` of the Jenkins master from the **Outputs** tab of your stack. 
- -### Dependencies -* `vpc/vpc-*azs.yaml` (**required**) -* `vpc/vpc-ssh-bastion.yaml` (recommended) -* `security/auth-proxy-*.yaml` -* `operations/alert.yaml` (recommended) - -## Limitations -* Jenkins will only run in two Availability Zones, even if your VPC stack has more. +## License +All templates are published under Apache License Version 2.0. ## Premium Support We offer Premium Support for our CloudFormation templates: setting up environments based on our templates, adopting templates to specific use cases, resolving issues in production environments. [Hire us!](https://widdix.net/) diff --git a/operations/README.md b/operations/README.md index e8e223123..b3ea385de 100644 --- a/operations/README.md +++ b/operations/README.md 
@@ -1,22 +1,9 @@ # Operations Templates for AWS CloudFormation -## Alert topic -This template describes a SNS topic that can be used by many other templates to receive alerts. You can add one or multiple subscribers to this topic and they will all receive the same alerts. Supported transports are: -* Email -* HTTP endpoint -* HTTPS endpoint (can be used by [marbot](https://marbot.io/)) +Find the documentation here: http://templates.cloudonaut.io/en/stable/operations/ -![Architecture](./alert.png?raw=true "Architecture") - -### Installation Guide -1. Launch Stack -1. Click **Next** to proceed with the next step of the wizard. -1. Specify a name and all parameters for the stack. -1. Click **Next** to proceed with the next step of the wizard. -1. Click **Next** to skip the **Options** step of the wizard. -1. Check the **I acknowledge that this template might cause AWS CloudFormation to create IAM resources.** checkbox. -1. Click **Create** to start the creation of the stack. -1. Wait until the stack reaches the state **CREATE_COMPLETE** +## License +All templates are published under Apache License Version 2.0. ## Premium Support We offer Premium Support for our CloudFormation templates: setting up environments based on our templates, adopting templates to specific use cases, resolving issues in production environments. [Hire us!](https://widdix.net/) diff --git a/security/DEV.md b/security/DEV.md deleted file mode 100644 index c51b7cea3..000000000 --- a/security/DEV.md +++ /dev/null @@ -1,9 +0,0 @@ -# Developer notes - -## RegionMap -To update the region map execute the following lines in your terminal: - -``` -$ regions=$(aws ec2 describe-regions --query "Regions[].RegionName" --output text) -$ for region in $regions; do ami=$(aws --region $region ec2 describe-images --filters "Name=name,Values=amzn-ami-hvm-2017.03.0.20170417-x86_64-gp2" --query "Images[0].ImageId" --output "text"); printf "'$region':\n AMI: '$ami'\n"; done -``` 
diff --git a/security/README.md b/security/README.md index 1093af3e9..fa1d6ee48 100644 --- a/security/README.md +++ b/security/README.md 
@@ -1,177 +1,19 @@ # Security Templates for AWS CloudFormation -## S3 VirusScan -This template creates a Antivirus cluster for S3 buckets. You can connect as many buckets as you like by using [S3 Event Notifications](http://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html). The template has it's own repository: [aws-s3-virusscan](https://github.com/widdix/aws-s3-virusscan) +Find the documentation here: http://templates.cloudonaut.io/en/stable/security/ -### Features +## Developer notes -* Uses ClamAV to scan newly added files on S3 buckets -* Updates ClamAV database every 3 hours automatically -* Scales EC2 instance workers to distribute workload -* Publishes a message to SNS in case of a finding -* Can optionally delete compromised files automatically -* Logs to CloudWatch Logs - -### Installation Guide -Visit the template's repository for installation instructions: [aws-s3-virusscan](https://github.com/widdix/aws-s3-virusscan) - -## Account Password Policy -This template creates an account password policy for your IAM users. You can: - -* set IAM user passwords to be valid for only the specified number of days. -* prevent IAM users from reusing a specified number of previous passwords. -* specify the minimum number of characters allowed in an IAM user password. -* require that IAM user passwords contain at least one lowercase character from the ISO basic Latin alphabet (a to z). -* require that IAM user passwords contain at least one uppercase character from the ISO basic Latin alphabet (A to Z). -* require that IAM user passwords contain at least one numeric character (0 to 9). -* require that IAM user passwords contain at least one nonalphanumeric character. -* permit all IAM users in your account to use the IAM console to change their own passwords. -* prevent IAM users from choosing a new password after their current password has expired. - -Or just use the suggested defaults. - -### Installation Guide -1. Launch Stack -1. 
Click **Next** to proceed with the next step of the wizard. -1. Specify a name and all parameters for the stack. -1. Click **Next** to proceed with the next step of the wizard. -1. Click **Next** to skip the **Options** step of the wizard. -1. Check the **I acknowledge that this template might cause AWS CloudFormation to create IAM resources.** checkbox. -1. Click **Create** to start the creation of the stack. -1. Wait until the stack reaches the state **CREATE_COMPLETE** - -## Authentication Proxy using your GitHub Organization -This template describes a **highly available** authentication proxy that forwards request to a upstream http(s) endpoint if the user is authenticated against your GitHub Organization. - -![Architecture](./auth-proxy-ha-github-orga.png?raw=true "Architecture") - -### Installation Guide -1. This templates depends on one of our [`vpc-*azs.yaml`](../vpc/) templates. Launch Stack -1. Launch Stack -1. Click **Next** to proceed with the next step of the wizard. -1. Specify a name and all parameters for the stack. -1. Click **Next** to proceed with the next step of the wizard. -1. Click **Next** to skip the **Options** step of the wizard. -1. Check the **I acknowledge that this template might cause AWS CloudFormation to create IAM resources.** checkbox. -1. Click **Create** to start the creation of the stack. -1. Wait until the stack reaches the state **CREATE_COMPLETE** - -### Dependencies -* `vpc/vpc-*azs.yaml` (**required**) -* `vpc/vpc-ssh-bastion.yaml` (recommended) -* `operations/alert.yaml` (recommended) - -### Limitations -* By default, only one EC2 instance is managed by the ASG. In case of an outage the instance will be replaced within 5 minutes. You can change this in the ASG configuration! - -## CloudTrail across all regions -This template enables CloudTrail to records AWS API calls across all regions in your AWS account. API calls are archived in S3 and also pushed CloudWatch Logs. 
If new API calls are available in S3 a SNS topic is notified. - -### Installation Guide -1. Launch Stack -1. Click **Next** to proceed with the next step of the wizard. -1. Specify a name and all parameters for the stack. -1. Click **Next** to proceed with the next step of the wizard. -1. Click **Next** to skip the **Options** step of the wizard. -1. Check the **I acknowledge that this template might cause AWS CloudFormation to create IAM resources.** checkbox. -1. Click **Create** to start the creation of the stack. -1. Wait until the stack reaches the state **CREATE_COMPLETE** - -If you want to use an external S3 bucket, the bucket needs to have the following S3 bucket policy: - -``` -{ - "Version": "2012-10-17", - "Statement": [{ - "Sid": "AWSCloudTrailAclCheck", - "Effect": "Allow", - "Principal": { - "Service": "cloudtrail.amazonaws.com" - }, - "Action": "s3:GetBucketAcl", - "Resource": "arn:aws:s3:::$ExternalTrailBucket" - }, { - "Sid": "AWSCloudTrailWrite", - "Effect": "Allow", - "Principal": { - "Service": "cloudtrail.amazonaws.com" - }, - "Action": "s3:PutObject", - "Resource": [ - "arn:aws:s3:::$ExternalTrailBucket/AWSLogs/$AccountId[0]/*", - "arn:aws:s3:::$ExternalTrailBucket/AWSLogs/$AccountId[1]/*", - "arn:aws:s3:::$ExternalTrailBucket/AWSLogs/$AccountId[2]/*" - ], - "Condition": { - "StringEquals": { - "s3:x-amz-acl": "bucket-owner-full-control" - } - } - }] -} +### RegionMap +To update the region map execute the following lines in your terminal: ``` - -Replace `$ExternalTrailBucket` with the name of your bucket, and add a row for every account you want to write from `$AccountId[*]`. - -## AWS Config setup -This template enables AWS Config to deliver a AWS resource inventory to S3. Allowing you to keep track of infrastructure changes for compliance and debugging of your cloud infrastructure. - -### Installation Guide -1. Launch Stack -1. Click **Next** to proceed with the next step of the wizard. -1. Specify a name and all parameters for the stack. 
-1. Click **Next** to proceed with the next step of the wizard. -1. Click **Next** to skip the **Options** step of the wizard. -1. Check the **I acknowledge that this template might cause AWS CloudFormation to create IAM resources.** checkbox. -1. Click **Create** to start the creation of the stack. -1. Wait until the stack reaches the state **CREATE_COMPLETE** -## Support needed? -We offer support for our CloudFormation templates: setting up environments based on our templates, adopting templates to specific use cases, resolving issues in production environments. - -If you want to use an external S3 bucket, the bucket needs to have the following S3 bucket policy: - -``` -{ - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "AWSConfigBucketPermissionsCheck", - "Effect": "Allow", - "Principal": { - "Service": [ - "config.amazonaws.com" - ] - }, - "Action": "s3:GetBucketAcl", - "Resource": "arn:aws:s3:::$ExternalTrailBucket" - }, - { - "Sid": " AWSConfigBucketDelivery", - "Effect": "Allow", - "Principal": { - "Service": [ - "config.amazonaws.com" - ] - }, - "Action": "s3:PutObject", - "Resource": [ - "arn:aws:s3:::$ExternalTrailBucket/AWSLogs/$AccountId[0]/Config/*", - "arn:aws:s3:::$ExternalTrailBucket/AWSLogs/$AccountId[0]/Config/*", - "arn:aws:s3:::$ExternalTrailBucket/AWSLogs/$AccountId[2]/Config/*" - ], - "Condition": { - "StringEquals": { - "s3:x-amz-acl": "bucket-owner-full-control" - } - } - } - ] -} - +$ regions=$(aws ec2 describe-regions --query "Regions[].RegionName" --output text) +$ for region in $regions; do ami=$(aws --region $region ec2 describe-images --filters "Name=name,Values=amzn-ami-hvm-2017.03.0.20170417-x86_64-gp2" --query "Images[0].ImageId" --output "text"); printf "'$region':\n AMI: '$ami'\n"; done ``` -Replace `$ExternalTrailBucket` with the name of your bucket, and add a row for every account you want to write from `$AccountId[*]`. +## License +All templates are published under Apache License Version 2.0. 
## Premium Support We offer Premium Support for our CloudFormation templates: setting up environments based on our templates, adopting templates to specific use cases, resolving issues in production environments. [Hire us!](https://widdix.net/) diff --git a/setup.py b/setup.py new file mode 100644 index 000000000..1ddb001d3 --- /dev/null +++ b/setup.py @@ -0,0 +1,16 @@ +from setuptools import setup +from setuptools.command.install import install +import os + +# only needed for readthedocs.io + +class PreProcess(install): + def run(self): + install.run(self) + print("sed -i \"s/__VERSION__/" + os.environ['READTHEDOCS_VERSION'] + "/g\" docs/*.md") + os.system("sed -i \"s/__VERSION__/" + os.environ['READTHEDOCS_VERSION'] + "/g\" docs/*.md") + +setup( + name="docs", + cmdclass={'install': PreProcess}, +) diff --git a/static-website/README.md b/static-website/README.md index f29dfa1be..5fbfb7218 100644 --- a/static-website/README.md +++ b/static-website/README.md 
@@ -1,19 +1,9 @@ # Static Website Templates for AWS CloudFormation -## Static website with CDN -This template describes the infrastructure for hosting a static website over HTTPS behind a CDN. +Find the documentation here: http://templates.cloudonaut.io/en/stable/static-website/ -![Architecture](./static-website.png?raw=true "Architecture") - -### Installation Guide -1. Launch Stack -1. Click **Next** to proceed with the next step of the wizard. -1. Specify a name and all parameters for the stack. -1. Click **Next** to proceed with the next step of the wizard. -1. Click **Next** to skip the **Options** step of the wizard. -1. Check the **I acknowledge that this template might cause AWS CloudFormation to create IAM resources.** checkbox. -1. Click **Create** to start the creation of the stack. -1. Wait until the stack reaches the state **CREATE_COMPLETE** +## License +All templates are published under Apache License Version 2.0. ## Premium Support We offer Premium Support for our CloudFormation templates: setting up environments based on our templates, adopting templates to specific use cases, resolving issues in production environments. [Hire us!](https://widdix.net/) diff --git a/vpc/DEV.md b/vpc/DEV.md deleted file mode 100644 index 17f770cbf..000000000 --- a/vpc/DEV.md +++ /dev/null 
@@ -1,17 +0,0 @@ -# Developer notes - -## RegionMap -To update the region map execute the following lines in your terminal: - -``` -$ regions=$(aws ec2 describe-regions --query "Regions[].RegionName" --output text) -$ for region in $regions; do ami=$(aws --region $region ec2 describe-images --filters "Name=name,Values=amzn-ami-hvm-2017.03.0.20170417-x86_64-gp2" --query "Images[0].ImageId" --output "text"); printf "'$region':\n AMI: '$ami'\n"; done -``` - -## NAT RegionMap -To update the region map execute the following lines in your terminal: - -``` -$ regions=$(aws ec2 describe-regions --query "Regions[].RegionName" --output text) -$ for region in $regions; do ami=$(aws --region $region ec2 describe-images --filters "Name=name,Values=amzn-ami-vpc-nat-hvm-2017.03.0.20170417-x86_64-ebs" --query "Images[0].ImageId" --output "text"); printf "'$region':\n NATAMI: '$ami'\n"; done -``` diff --git a/vpc/README.md b/vpc/README.md index 739130ea9..08ca3f93e 100644 --- a/vpc/README.md +++ b/vpc/README.md 
@@ -1,133 +1,27 @@ # VPC Templates for AWS CloudFormation -A VPC is a virtual network inside AWS where you can isolate your setup using private IP addresses. A VPC consists of several subnets. Each subnet is bound to an Availability Zone. A **public** subnet has a direct route to the Internet. As long as your EC2 instances have an public IP they can communicate (in and out) with the Internet. A **private** subnet does not have a route to the Internet. Instances in private subnets can not be accessed from the public Internet. If you want to access the Internet from a private subnet you need to create a NAT gateway/instance. You can deploy a bastion host/instance to reduce the attack surface of internal applications. +Find the documentation here: http://templates.cloudonaut.io/en/stable/vpc/ -## VPC with private and public subnets in two Availability Zones -This template describes a VPC with two private and two public subnets. +## Developer notes -![Architecture](./vpc-2azs.png?raw=true "Architecture") +### RegionMap +To update the region map execute the following lines in your terminal: -### Installation Guide -1. Launch Stack -1. Click **Next** to proceed with the next step of the wizard. -1. Specify a name and all parameters for the stack. -1. Click **Next** to proceed with the next step of the wizard. -1. Click **Next** to skip the **Options** step of the wizard. -1. Click **Create** to start the creation of the stack. -1. 
Wait until the stack reaches the state **CREATE_COMPLETE** +``` +$ regions=$(aws ec2 describe-regions --query "Regions[].RegionName" --output text) +$ for region in $regions; do ami=$(aws --region $region ec2 describe-images --filters "Name=name,Values=amzn-ami-hvm-2017.03.0.20170417-x86_64-gp2" --query "Images[0].ImageId" --output "text"); printf "'$region':\n AMI: '$ami'\n"; done +``` -If you have an existing VPC you can wrap it into our required form using a legacy VPC wrapper: Launch Stack +### NAT RegionMap +To update the region map execute the following lines in your terminal: -## VPC with private and public subnets in three Availability Zones -This template describes a VPC with three private and three public subnets. +``` +$ regions=$(aws ec2 describe-regions --query "Regions[].RegionName" --output text) +$ for region in $regions; do ami=$(aws --region $region ec2 describe-images --filters "Name=name,Values=amzn-ami-vpc-nat-hvm-2017.03.0.20170417-x86_64-ebs" --query "Images[0].ImageId" --output "text"); printf "'$region':\n NATAMI: '$ami'\n"; done +``` -![Architecture](./vpc-3azs.png?raw=true "Architecture") - -### Installation Guide -1. Launch Stack -1. Click **Next** to proceed with the next step of the wizard. -1. Specify a name and all parameters for the stack. -1. Click **Next** to proceed with the next step of the wizard. -1. Click **Next** to skip the **Options** step of the wizard. -1. Click **Create** to start the creation of the stack. -1. Wait until the stack reaches the state **CREATE_COMPLETE** - -If you have an existing VPC you can wrap it into our required form using a legacy VPC wrapper: Launch Stack - -## VPC with private and public subnets in four Availability Zones -This template describes a VPC with four private and four public subnets. - -### Installation Guide -1. Launch Stack -1. Click **Next** to proceed with the next step of the wizard. -1. Specify a name and all parameters for the stack. -1. 
Click **Next** to proceed with the next step of the wizard. -1. Click **Next** to skip the **Options** step of the wizard. -1. Click **Create** to start the creation of the stack. -1. Wait until the stack reaches the state **CREATE_COMPLETE** - -If you have an existing VPC you can wrap it into our required form using a legacy VPC wrapper: Launch Stack - -## NAT Gateway -This template describes a NAT Gateway that forwards HTTP, HTTPS and NTP traffic from private subnets to the Internet. - -![Architecture](./vpc-nat-gateway.png?raw=true "Architecture") - -### Installation Guide -1. This templates depends on one of our `vpc-*azs.yaml` templates. Launch Stack -1. Launch Stack -1. Click **Next** to proceed with the next step of the wizard. -1. Specify a name and all parameters for the stack. -1. Click **Next** to proceed with the next step of the wizard. -1. Click **Next** to skip the **Options** step of the wizard. -1. Click **Create** to start the creation of the stack. -1. Wait until the stack reaches the state **CREATE_COMPLETE** - -### Dependencies -* `vpc/vpc-*azs.yaml` (**required**) - -## Limitations -* The NAT Gateway is a single point of failure because it runs only in one Subnet (and therefore in one Availability Zone): https://github.com/widdix/aws-cf-templates/issues/65 - -## NAT instance -This template describes a **highly available** Network Address Translation (NAT) instance that forwards HTTP, HTTPS and NTP traffic from private subnets to the Internet. - -![Architecture](./vpc-nat-instance.png?raw=true "Architecture") -### Installation Guide -1. This templates depends on one of our `vpc-*azs.yaml` templates. Launch Stack -1. Launch Stack -1. Click **Next** to proceed with the next step of the wizard. -1. Specify a name and all parameters for the stack. -1. Click **Next** to proceed with the next step of the wizard. -1. Click **Next** to skip the **Options** step of the wizard. -1. 
Check the **I acknowledge that this template might cause AWS CloudFormation to create IAM resources.** checkbox. -1. Click **Create** to start the creation of the stack. -1. Wait until the stack reaches the state **CREATE_COMPLETE** - -### Dependencies -* `vpc/vpc-*azs.yaml` (**required**) -* `vpc/vpc-ssh-bastion.yaml` (recommended) -* `operations/alert.yaml` (recommended) - -### Limitations -* Only one EC2 instance is managed by the ASG. In case of an outage the instance will be replaced within 5 minutes. - -## SSH bastion host/instance -This template describes a **highly available** SSH bastion host/instance. SSH Port 22 is open to the world. You can enable the default ec2-user access protected by the referenced EC2 KeyPair. You can also enable personalized SSH access by using the IAM users and their configured public keys. Use `ssh -A user@ip` to enable forwarding of the authentication agent connection when connection to the bastion host. -**Users are not able to sudo on the bastion host/instance! That's very important for security. Why? SSH places a SSH_AUTH_SOCK file into the /tmp directoy only accessible by the user. If you have root you could use any of those files and jump to other machines as another user!** - -![Architecture](./vpc-ssh-bastion.png?raw=true "Architecture") -### Installation Guide -1. This templates depends on one of our `vpc-*azs.yaml` templates. Launch Stack -1. Launch Stack -1. Click **Next** to proceed with the next step of the wizard. -1. Specify a name and all parameters for the stack. -1. Click **Next** to proceed with the next step of the wizard. -1. Click **Next** to skip the **Options** step of the wizard. -1. Check the **I acknowledge that this template might cause AWS CloudFormation to create IAM resources.** checkbox. -1. Click **Create** to start the creation of the stack. -1. 
Wait until the stack reaches the state **CREATE_COMPLETE** - -### Dependencies -* `vpc/vpc-*azs.yaml` (**required**) -* `operations/alert.yaml` (recommended) - -### Limitations -* Only one EC2 instance is managed by the ASG. In case of an outage the instance will be replaced within 5 minutes. - -## VPC Endpoint to S3 -This template describes a VPC endpoint to securely route traffic within a VPC for private instances to access S3 without the need of a NAT Gateway, NAT instance, or public internet. Refer to [AWS VPC endpoint](http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html) documentation if this is necessary for your stack. By default, access to all S3 actions and buckets is allowed, but may be constrained with a policy document. - -1. This templates depends on one of our `vpc-*azs.yaml` templates. [Launch Stack](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=vpc-2azs&templateURL=https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates/vpc/vpc-2azs.yaml) -1. [Launch Stack](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=vpc-endpoint-s3&templateURL=https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates/vpc/vpc-endpoint-s3.yaml) for this VPC endpoint to S3. -1. Click **Next** to proceed with the next step of the wizard. -1. Specify a name and all parameters for the stack. -1. Click **Next** to proceed with the next step of the wizard. -1. Click **Next** to skip the **Options** step of the wizard. -1. Check the **I acknowledge that this template might cause AWS CloudFormation to create IAM resources.** checkbox. -1. Click **Create** to start the creation of the stack. -1. Wait until the stack reaches the state **CREATE_COMPLETE** -![Architecture](./vpc-endpoint-s3.png?raw=true "Architecture") +## License +All templates are published under Apache License Version 2.0. 
## Premium Support We offer Premium Support for our CloudFormation templates: setting up environments based on our templates, adopting templates to specific use cases, resolving issues in production environments. [Hire us!](https://widdix.net/) diff --git a/wordpress/DEV.md b/wordpress/DEV.md deleted file mode 100644 index c51b7cea3..000000000 --- a/wordpress/DEV.md +++ /dev/null @@ -1,9 +0,0 @@ -# Developer notes - -## RegionMap -To update the region map execute the following lines in your terminal: - -``` -$ regions=$(aws ec2 describe-regions --query "Regions[].RegionName" --output text) -$ for region in $regions; do ami=$(aws --region $region ec2 describe-images --filters "Name=name,Values=amzn-ami-hvm-2017.03.0.20170417-x86_64-gp2" --query "Images[0].ImageId" --output "text"); printf "'$region':\n AMI: '$ami'\n"; done -``` diff --git a/wordpress/README.md b/wordpress/README.md index 664c37872..fe2584aaf 100644 --- a/wordpress/README.md +++ b/wordpress/README.md 
@@ -1,49 +1,19 @@ # WordPress Templates for AWS CloudFormation -## WordPress: fault tolerant and scalable -Use this CloudFormation template to create a fault tolerant and scalable WordPress environment on AWS. - -### Features -* HTTPS only -* CDN caching static files -* Scalable file storage -* Fault tolerance due to multi-AZ setup - -### Services -This template combines the following services: -* CloudFront: CDN for dynamic and static content -* ELB: load balancer forwarding requests to EC2 instances and terminating SSL -* EC2: virtual machines running the web servers -* EFS: storage for WordPress files (WordPress core, plugins, themes, user uploads, ...) -* RDS: MySQL database - -![Architecture](./wordpress-ha.png?raw=true "Architecture") - -## Installation Guide -1. This templates depends on our [`vpc-*azs.yaml`](../vpc/) template. Launch Stack -1. Create an ACM certificate for your domain name within the region you want to launch your stack in. Copy the ARN of the certificate. This is for the ELB. -1. Create another ACM certificate for your domain in region `us-east-1`. Copy the ARN of the certificate. This is for CloudFront (note: [CloudFront only supports ACM certificates in us-east-1](https://docs.aws.amazon.com/acm/latest/userguide/acm-services.html)) -1. Launch Stack -1. Click **Next** to proceed with the next step of the wizard. -1. Specify a name and all parameters for the stack. -1. Click **Next** to proceed with the next step of the wizard. -1. Click **Next** to skip the **Options** step of the wizard. -1. Check the **I acknowledge that this template might cause AWS CloudFormation to create IAM resources.** checkbox. -1. Click **Create** to start the creation of the stack. -1. Wait until the stack reaches the state **CREATE_COMPLETE** -1. Grab the `URL` of the WordPress environment from the **Outputs** tab of your stack. 
- -## Dependencies -* `vpc/vpc-*azs.yaml` (**required**) -* `vpc/vpc-ssh-bastion.yaml` (recommended) -* `security/auth-proxy-*.yaml` -* `operations/alert.yaml` (recommended) - -## Limitations -* WordPress will only run in two Availability Zones, even if your VPC stack has more. -* PHP files are cached for 300 seconds on the web servers. -* Static files `wp-includes` and `wp-content` are cached for 15 minutes on the CDN. -* Pre-defined auto-scaling might not be able to cover your requirements and needs load and performance testing. +Find the documentation here: http://templates.cloudonaut.io/en/stable/wordpress/ + +## Developer notes + +### RegionMap +To update the region map execute the following lines in your terminal: + +``` +$ regions=$(aws ec2 describe-regions --query "Regions[].RegionName" --output text) +$ for region in $regions; do ami=$(aws --region $region ec2 describe-images --filters "Name=name,Values=amzn-ami-hvm-2017.03.0.20170417-x86_64-gp2" --query "Images[0].ImageId" --output "text"); printf "'$region':\n AMI: '$ami'\n"; done +``` + +## License +All templates are published under Apache License Version 2.0. ## Premium Support We offer Premium Support for our CloudFormation templates: setting up environments based on our templates, adopting templates to specific use cases, resolving issues in production environments. [Hire us!](https://widdix.net/)
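Review bot: the `### RegionMap` one-liner added to the security README filters AMIs by name only (`--filters "Name=name,Values=amzn-ami-hvm-2017.03.0.20170417-x86_64-gp2" --query "Images[0].ImageId"`) with no `--owners` restriction. Any AWS account can publish a public AMI under an arbitrary name, so `Images[0]` can resolve to a third-party image that is then pasted into the template's region map and booted as the authentication proxy in every region. Add `--owners amazon` to the `describe-images` call (and treat more than one match as an error instead of silently taking the first) so only the Amazon-published image is ever picked up.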
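Review bot: `PreProcess.run` in setup.py builds a shell command by string concatenation (`os.system("sed -i \"s/__VERSION__/" + os.environ['READTHEDOCS_VERSION'] + "/g\" docs/*.md")`), so the environment variable is interpolated unescaped into both the shell command line and the sed expression. A version string containing `/` (a branch name such as `feature/x`) breaks the sed expression, shell metacharacters in it would be executed with the privileges of the build, the return code of `os.system` is ignored so a failed substitution still yields a successful install, and `os.environ['READTHEDOCS_VERSION']` raises a bare KeyError on every local `pip install .` even though the comment says the hook is only needed for readthedocs. Do the replacement in Python instead: read `READTHEDOCS_VERSION` with `os.environ.get` and skip the step (or fail with a clear message) when it is unset, iterate `glob.glob('docs/*.md')`, and rewrite each file with `str.replace('__VERSION__', version)`. If sed must stay, pass an argument list to `subprocess.run([...], check=True)` and escape the version for the sed pattern rather than going through `os.system`.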
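Review bot: the replacement pointer in static-website/README.md, `Find the documentation here: http://templates.cloudonaut.io/en/stable/static-website/`, is a plain-http link, and the vpc and wordpress READMEs use the same scheme. Those docs are now the only place readers get the Launch Stack URLs and bucket policies that were removed from the READMEs, so the pointer should be `https://` if the docs host serves TLS, so the instructions cannot be altered in transit. Also keep a one-line description of the template (the removed "hosting a static website over HTTPS behind a CDN" sentence) so the README says what the template is for and not just where the docs live.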
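Review bot: the vpc/README.md hunk removes three security-relevant statements that had no other home in the repository: the bastion warning that "Users are not able to sudo on the bastion host/instance" because root could reuse other users' `SSH_AUTH_SOCK` sockets in /tmp to jump to other machines, the NAT Gateway limitation that it "is a single point of failure because it runs only in one Subnet" (with the issue link), and the VPC endpoint note that "access to all S3 actions and buckets is allowed" by default. Confirm the linked docs carry all three, or keep a short Limitations section here; otherwise operators reading the repo lose the rationale for the no-sudo design and the single-AZ risk. Separately, the new `### NAT RegionMap` one-liner has the same missing `--owners amazon` restriction as the other `describe-images` commands in this patch.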
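Review bot: the `### RegionMap` block added to wordpress/README.md is the third verbatim copy of the same `describe-images` one-liner in this patch (security and vpc get the same text), each hard-coding the AMI name `amzn-ami-hvm-2017.03.0.20170417-x86_64-gp2`; the next AMI bump has to be made in three places and the copies will drift. Move it to a single script at the repository root (a `scripts/` location is a suggestion, not something the patch defines) that takes the AMI name as an argument and prints the YAML mapping, and have the READMEs point at that. The removed installation steps also carried the one non-obvious prerequisite for this template, the second ACM certificate in `us-east-1` for CloudFront ("CloudFront only supports ACM certificates in us-east-1"), and the Limitations list (two Availability Zones only, 300-second PHP cache, 15-minute CDN cache); verify the external docs keep them, since a certificate from any other region cannot be attached to the distribution.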