-
Notifications
You must be signed in to change notification settings - Fork 0
/
aws-systemmanager-update.yml
288 lines (266 loc) · 10.7 KB
/
aws-systemmanager-update.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
Description: Creates API Gateway as well as other required resources
Parameters:
CodeRepoBucket:
Type: String
Description: Code Repository S3 Bucket Name
LambdaFunctionFileName:
Type: String
Description: Name of Lambda Function Zip File
InstanceType:
Type: String
Default: t2.medium
Description: Windows Instance Size
AllowedValues:
- t2.micro
- t2.medium
LatestAMiId:
Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
Default: /aws/service/ami-windows-latest/Windows_Server-2016-English-Full-Base
KeyName:
Description: Name of an existing EC2 KeyPair to enable SSH access to the web server
Type: String
MinLength: 1
MaxLength: 255
#AllowedPattern: '[\\x20-\\x7E]*'
#ConstraintDescription: 'Can contain only ASCII characters.'
# DevTopic:
# Type: String
# Description: Dev SNS Topic
Resources:
# Create Windows Instane that will be used for calling SSM Commands on
WindowsTestInstance:
Type: AWS::EC2::Instance
Properties:
ImageId: !Ref LatestAMiId
KeyName:
Ref: "KeyName"
InstanceType: !Ref InstanceType
IamInstanceProfile: !Ref EC2InstanceProfile
SecurityGroups:
- !Ref Ec2SecurityGroup
UserData:
Fn::Base64: !Sub |
<powershell>
Set-ExecutionPolicy Unrestricted -Force
New-Item -ItemType directory -Path 'C:\temp'
# Install IIS and Web Management Tools.
Import-Module ServerManager
install-windowsfeature web-server, web-webserver -IncludeAllSubFeature
install-windowsfeature web-mgmt-tools
Start-Sleep -Second 30
# Create new directory and download PS script for updating webpage
New-Item C:\Scripts -ItemType directory
# Create powershell script file
Add-Content -Path 'C:\Scripts\updateWebPage.ps1' -Value "param ([string]`$DisplayText)
# Create Index.html file
`$file = 'C:\inetpub\wwwroot\index.html'
'<html>' > `$file
'<h1>' >> `$file
#Replace existing Heading with the text provided
`$DisplayText >> `$file
'</h1>' >> `$file
'</html>' >> `$file"
C:\Scripts\updateWebPage.ps1 'Hello World, Whats up Yo!!!'
#Signal to CF to confirm we have updated the instance
cfn-signal --stack ${AWS::StackName} --resource WindowsTestInstance --region ${AWS::Region}
</powershell>
CreationPolicy:
ResourceSignal:
Timeout : PT15M
# Create Instance Profile
EC2InstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Roles:
- !Ref EC2InstnaceRole
InstanceProfileName: 'DefaultEC2InstanceProfile'
# Security group for our instnace
Ec2SecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Default Group with no Access
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
# Create Initial API Gateway, resource and deployment stage
APIGatewayRestApi:
Type: AWS::ApiGateway::RestApi
Properties:
Name: !Sub '${AWS::StackName}-RestApi'
EndpointConfiguration:
Types:
- REGIONAL
GatewayProxyResource:
Type: AWS::ApiGateway::Resource
Properties:
ParentId: !GetAtt APIGatewayRestApi.RootResourceId
RestApiId: !Ref APIGatewayRestApi
PathPart: 'UpdateServer'
ApiAnyMethod:
Type: AWS::ApiGateway::Method
Properties:
ApiKeyRequired: "true"
RestApiId: !Ref APIGatewayRestApi
ResourceId: !Ref GatewayProxyResource
HttpMethod: POST
AuthorizationType: NONE
# RequestParameters:
# method.request.path.proxy: true
MethodResponses:
- StatusCode: 200
ResponseModels: { "application/json": "Empty" }
Integration:
Type: "AWS"
IntegrationHttpMethod: "POST"
PassthroughBehavior: "WHEN_NO_TEMPLATES"
Uri:
Fn::Join:
- ""
-
- "arn:aws:apigateway:"
- !Ref AWS::Region
- ":lambda:path/2015-03-31/functions/"
- !GetAtt ServerUpdateLambdaFunction.Arn
- "/invocations"
IntegrationResponses:
- StatusCode: 200
RequestTemplates:
"application/json": "## See http://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-mapping-template-reference.html\n## This template will pass through all parameters including path, querystring, header, stage variables, and context through to the integration endpoint via the body/payload\n#set($allParams = $input.params())\n{\n\"body-json\" : $input.json('$'),\n\"params\" : {\n#foreach($type in $allParams.keySet())\n #set($params = $allParams.get($type))\n\"$type\" : {\n #foreach($paramName in $params.keySet())\n \"$paramName\" : \"$util.escapeJavaScript($params.get($paramName))\"\n #if($foreach.hasNext),#end\n #end\n}\n #if($foreach.hasNext),#end\n#end\n},\n\"stage-variables\" : {\n#foreach($key in $stageVariables.keySet())\n\"$key\" : \"$util.escapeJavaScript($stageVariables.get($key))\"\n #if($foreach.hasNext),#end\n#end\n},\n\"context\" : {\n \"account-id\" : \"$context.identity.accountId\",\n \"api-id\" : \"$context.apiId\",\n \"api-key\" : \"$context.identity.apiKey\",\n \"authorizer-principal-id\" : \"$context.authorizer.principalId\",\n \"caller\" : \"$context.identity.caller\",\n \"cognito-authentication-provider\" : \"$context.identity.cognitoAuthenticationProvider\",\n \"cognito-authentication-type\" : \"$context.identity.cognitoAuthenticationType\",\n \"cognito-identity-id\" : \"$context.identity.cognitoIdentityId\",\n \"cognito-identity-pool-id\" : \"$context.identity.cognitoIdentityPoolId\",\n \"http-method\" : \"$context.httpMethod\",\n \"stage\" : \"$context.stage\",\n \"source-ip\" : \"$context.identity.sourceIp\",\n \"user\" : \"$context.identity.user\",\n \"user-agent\" : \"$context.identity.userAgent\",\n \"user-arn\" : \"$context.identity.userArn\",\n \"request-id\" : \"$context.requestId\",\n \"resource-id\" : \"$context.resourceId\",\n \"resource-path\" : \"$context.resourcePath\"\n }\n}\n"
ApiDeployment:
Type: AWS::ApiGateway::Deployment
DependsOn:
- ApiAnyMethod
Properties:
RestApiId: !Ref APIGatewayRestApi
#Create API Key to secure our API Gateway Deployment
ApiStageKey:
Type: AWS::ApiGateway::ApiKey
DependsOn:
- ProdApiStage
Properties:
Name: "ProdStageKey"
Description: "Prod Stage API Key"
Enabled: "true"
StageKeys:
- RestApiId: !Ref APIGatewayRestApi
StageName: !Ref ProdApiStage
#Createa a API usage plan associate with API and the stage
ApiUsagePlan:
Type: AWS::ApiGateway::UsagePlan
Properties:
ApiStages:
- ApiId: !Ref APIGatewayRestApi
Stage: !Ref ProdApiStage
Description: Usage Plan for our API
Quota:
Limit: 5000
Period: MONTH
Throttle:
BurstLimit: 200
RateLimit: 100
UsagePlanName: Plan_API
#Create a usage plan api key
ApiusagePlanKey:
Type: AWS::ApiGateway::UsagePlanKey
Properties :
KeyId: !Ref ApiStageKey
KeyType: API_KEY
UsagePlanId: !Ref ApiUsagePlan
ProdApiStage:
Type: AWS::ApiGateway::Stage
Properties:
RestApiId: !Ref APIGatewayRestApi
StageName: prod
DeploymentId: !Ref ApiDeployment
# Variables:
# promptALB: '{{resolve:ssm:PROMPT_ALB_DNS:1}}'
#Outputs for the script
ServerUpdateLambdaFunction:
Type: AWS::Lambda::Function
Properties:
Code:
S3Bucket: !Ref CodeRepoBucket
S3Key: !Ref LambdaFunctionFileName
Handler: "index.handler"
Role: !GetAtt LambdaFunctionRole.Arn
Runtime: nodejs8.10
Timeout: 25
Environment:
Variables:
ENV1: !Sub '{"instanceid": "${WindowsTestInstance}", "scriptlocation": "C:\\scripts\\updateWebPage.ps1"}'
# TracingConfig:
# Mode: Active
# Create Lambda Function Role to be Assumed by our Lambda
LambdaFunctionRole:
Type: "AWS::IAM::Role"
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Principal:
Service:
- "lambda.amazonaws.com"
Action:
- "sts:AssumeRole"
Path: /
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
Policies:
- PolicyName: ssmacces-for-lambda
PolicyDocument:
Statement:
- Effect: Allow
Action:
- 'ssm:sendCommand'
- 'ssm:Get*'
- 'ssm:List*'
Resource:
- !Sub 'arn:aws:ec2:*:*:instance/${WindowsTestInstance}'
- 'arn:aws:ssm:*:*:document/*'
# Create EC2 Instnace role so that it can update SSM
EC2InstnaceRole:
Type: "AWS::IAM::Role"
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Principal:
Service:
- "ec2.amazonaws.com"
Action:
- "sts:AssumeRole"
Path: /
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM
Policies:
- PolicyName: access-s3-code-repo
PolicyDocument:
Statement:
- Effect: Allow
Action:
- 's3:GetObject'
- 's3:ListBucket'
Resource:
- !Sub 'arn:aws:s3:::${CodeRepoBucket}'
- !Sub 'arn:aws:s3:::${CodeRepoBucket}/*'
# Create Lambda Invoke Permission for our API Gateway
LambdaInvokePermission:
Type: "AWS::Lambda::Permission"
Properties:
FunctionName: !GetAtt ServerUpdateLambdaFunction.Arn
Action: 'lambda:InvokeFunction'
Principal: 'apigateway.amazonaws.com'
SourceAccount: !Ref AWS::AccountId
SourceArn: !Sub 'arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${APIGatewayRestApi}/*/POST/UpdateServer'
# 'arn:aws:apigateway:${AWS::Region}:${AWS::AccountId}:/restapis/${APIGatewayRestApi}/stages/${ProdApiStage}'
Outputs:
APIGatewayURL:
Description: Returns API Gateway URL
Value: !Sub 'https://${APIGatewayRestApi}.execute-api.${AWS::Region}.amazonaws.com/prod/UpdateServer'
EC2InstanceIP:
Description: Returns Public IP Address of the instance
Value: !GetAtt WindowsTestInstance.PublicIp