# (c) 2019 Amazon Web Services, Inc. or its affiliates. All Rights Reserved. This AWS Content is provided subject to the terms of the AWS Customer
# Agreement available at https://aws.amazon.com/agreement/ or other written agreement between Customer and Amazon Web Services, Inc.
# Template header: format version plus a one-line description of the stack's
# purpose (the internal reference RCS-1463 is part of the description text).
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Deploys an AWS Lambda Function that performs a Transit Gateway Attachment
  and Route creation to a centralized AWS Transit Gateway (RCS-1463)
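# Console presentation only: groups and display labels for the parameters
# declared under Parameters. Every entry must match a declared parameter
# name exactly (fixed here: pInetVpdId -> pInetVpcId, 3Bucket -> S3Bucket;
# also corrected the "tempalte" typo in the second group label).
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: 'Parameter Settings'
        Parameters:
          - pVpcTag
          - pTransitGatewayId
          - pRoute
          - pSecVpcId
          - pInetVpcId
          - pSecTgwAttachSubnets
          - pInetTgwAttachSubnets
      - Label:
          default: 'S3 template and Lambda storage'
        Parameters:
          - S3Bucket
          - LambdaS3Key
    ParameterLabels:
      pVpcTag:
        default: VPC Tag
      pTransitGatewayId:
        default: Transit Gateway Id
      pRoute:
        default: Route Destination CIDR
      pSecVpcId:
        default: Security VPC Id
      pInetVpcId:
        default: Internet VPC Id
      pSecTgwAttachSubnets:
        default: List of TGW Attach Subnets for Security VPC
      pInetTgwAttachSubnets:
        default: List of TGW Attach Subnets for Internet VPC
      S3Bucket:
        default: S3 Bucket
      LambdaS3Key:
        default: S3 Key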
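# Stack inputs. The p* parameters are forwarded verbatim to the custom
# resource below; S3Bucket / LambdaS3Key select the code the Lambda runs,
# so they must point at a bucket and object the deploying account controls.
Parameters:
  pVpcTag:
    Description: VPC Tags that you would like to associate with the Transit Gateway (Comma Separated)
    Type: String
    Default: 'test-tag'
  pTransitGatewayId:
    Description: The ID of the Central Account Transit Gateway
    Type: String
  pRoute:
    Description: Destination Route for traffic to the Central Account Transit Gateway
    Type: String
    Default: '0.0.0.0/0'
  pSecVpcId:
    Description: Security VPC Id
    Type: String
  pInetVpcId:
    Description: Internet VPC Id
    Type: String
  pSecTgwAttachSubnets:
    Description: Select at least 2 TGW Attach Subnets for Security VPC
    Type: List<AWS::EC2::Subnet::Id>
    # NOTE(review): MinLength is documented for String parameters; whether it
    # enforces "at least 2" on a List type is unverified — confirm, or enforce
    # the minimum in the Lambda handler.
    MinLength: 2
  pInetTgwAttachSubnets:
    Description: Select at least 2 TGW Attach Subnets for Internet VPC
    Type: List<AWS::EC2::Subnet::Id>
    # NOTE(review): see pSecTgwAttachSubnets — same unverified MinLength on a List.
    MinLength: 2
  S3Bucket:
    Description: S3 Bucket for Transit Gateway Attachment Lambda Code
    Type: String
    # Bucket-name shape: alphanumerics with interior hyphens only.
    AllowedPattern: '^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$'
  LambdaS3Key:
    Description: The Key location of the Lambda zip for Transit Gateway Attachment.
    Type: String
    # Allowed object-key characters: alphanumerics plus [ \ ] . / ( ) ! : = ? # , @ + & ; { } $ _ -
    # The original pattern had "$-_", which is a character RANGE ($..0x5F) and
    # admitted e.g. % ' * < > ^; the hyphen is now last so it is literal.
    # Quoted so YAML keeps the backslashes exactly as the regex engine needs them.
    AllowedPattern: '^[a-zA-Z0-9\[\\\].\/()!:=?#,@+&;{}$_-]*$'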
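Resources:
  # Execution role assumed by the attachment Lambda.
  rGetVpcLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: '/'
      Policies:
        - PolicyName: TransitGatewayAttachments
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:*
              # NOTE(review): ec2:* on Resource "*" is far broader than creating a
              # TGW attachment and a route requires. Left unchanged because the
              # handler code is not in this template; once the ec2 calls it makes
              # are known, list those actions instead of the wildcard.
              - Effect: Allow
                Action:
                  - ec2:*
                  - iam:ListRoles
                  - iam:CreateServiceLinkedRole
                Resource: '*'

  # The Lambda that performs the attachment and route creation. Its code is
  # loaded from the S3 location given by the S3Bucket / LambdaS3Key parameters.
  rGetVpcLambda:
    Type: AWS::Lambda::Function
    DependsOn:
      - rGetVpcLambdaRole
    Properties:
      # Fixed name (no substitutions, so plain string instead of !Sub); a second
      # stack from this template in the same account/region will collide on it.
      FunctionName: TransitGatewayAttachmentsAndRoute
      Role: !GetAtt rGetVpcLambdaRole.Arn
      Description: Captures VPC metadata for Transit Gateway Attachments
      Handler: index.lambda_handler
      # NOTE(review): python3.8 is past Lambda end-of-support; move to a supported
      # runtime once the handler has been verified against it.
      Runtime: python3.8
      Timeout: 900
      Code:
        S3Bucket: !Ref S3Bucket
        S3Key: !Ref LambdaS3Key

  # Custom resource that invokes the Lambda at stack create/update/delete,
  # passing the stack parameters through as resource properties.
  rGetVpcLambdaCustomInvoke:
    Type: Custom::GetVPCLambdaInvoke
    DependsOn: rGetVpcLambda
    Properties:
      ServiceToken: !GetAtt rGetVpcLambda.Arn
      Vpc_Tags: !Ref pVpcTag
      Account: !Sub ${AWS::AccountId}
      Region: !Sub ${AWS::Region}
      CIDR: !Ref pRoute
      tgw_id: !Ref pTransitGatewayId
      sec_vpc_id: !Ref pSecVpcId
      inet_vpc_id: !Ref pInetVpcId
      sec_subnets: !Ref pSecTgwAttachSubnets
      inet_subnets: !Ref pInetTgwAttachSubnets

  # Lambda permission - event rule can trigger evaluation.
  # No AWS::Events::Rule is defined in this template, so the rule is expected to
  # come from elsewhere. SourceAccount restricts the grant to EventBridge rules
  # in this account; without it the service principal alone would allow rules
  # from any account to invoke the function (confused-deputy exposure).
  rLambdaPermission:
    Type: AWS::Lambda::Permission
    DependsOn: rGetVpcLambda
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !GetAtt rGetVpcLambda.Arn
      Principal: events.amazonaws.com
      SourceAccount: !Ref AWS::AccountId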