【AWS】CloudFormation ~ VPC ~

■ Introduction

At work, I needed a VPC Endpoint for ECR.
So I am creating the VPC with CloudFormation.

Table of contents

【1】API
 1) AWS::EC2::VPC
 2) AWS::EC2::Subnet
 3) AWS::EC2::VPCEndpoint
【2】Notes on use
 1) VPC Endpoint Tags are not supported in CloudFormation
【3】Samples
 1) VPC
 2) VPC Endpoint

【1】API

1)AWS::EC2::VPC

* Create a VPC

https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpc.html

Type: AWS::EC2::VPC
Properties:
  CidrBlock: String
  EnableDnsHostnames: Boolean
  EnableDnsSupport: Boolean
  InstanceTenancy: String
  Ipv4IpamPoolId: String
  Ipv4NetmaskLength: Integer
  Tags: 
    - Tag

2)AWS::EC2::Subnet

* Create a Subnet

https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-subnet.html

Type: AWS::EC2::Subnet
Properties:
  AssignIpv6AddressOnCreation: Boolean
  AvailabilityZone: String
  AvailabilityZoneId: String
  CidrBlock: String
  EnableDns64: Boolean
  Ipv4IpamPoolId: String
  Ipv4NetmaskLength: Integer
  Ipv6CidrBlock: String
  Ipv6CidrBlocks: 
    - String
  Ipv6IpamPoolId: String
  Ipv6Native: Boolean
  Ipv6NetmaskLength: Integer
  MapPublicIpOnLaunch: Boolean
  OutpostArn: String
  PrivateDnsNameOptionsOnLaunch: 
    PrivateDnsNameOptionsOnLaunch
  Tags: 
    - Tag
  VpcId: String

3)AWS::EC2::VPCEndpoint

* Create a VPC Endpoint
 => Tags are not supported (see 【2】Notes on use, item 1)

https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpcendpoint.html

Type: AWS::EC2::VPCEndpoint
Properties:
  PolicyDocument: Json
  PrivateDnsEnabled: Boolean
  RouteTableIds: 
    - String
  SecurityGroupIds: 
    - String
  ServiceName: String
  SubnetIds: 
    - String
  VpcEndpointType: String
  VpcId: String

【2】Notes on use

1) VPC Endpoint Tags are not supported in CloudFormation

* As the property list under "3) AWS::EC2::VPCEndpoint" shows,
 Tags are not supported (at least as of 2024/03/03).
 => I tried forcing it anyway, but it produced an error.
 => So a Name cannot be attached...
 => Apparently tagging was added to VPC endpoints as an afterthought around May 2019 (see below).

https://aws.amazon.com/jp/about-aws/whats-new/2019/05/amazon-vpc-endpoints-now-support-tagging-for-gateway-endpoints-interface-endpoints-and-endpoint-services/

【3】Samples

1)VPC

Parameters:
  VpcCidr:
    Type: String
    Default: "10.0.0.0/16"
Resources:
  DemoVpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: !Ref VpcCidr
      EnableDnsSupport: true
      EnableDnsHostnames: true
      InstanceTenancy: default
      Tags:
        - Key: Name
          Value: demo-vpc

2)VPC Endpoint

https://docs.aws.amazon.com/ja_jp/AmazonECR/latest/userguide/vpc-endpoints.html

Parameters:
  # Declared here so the !Ref lines below resolve; the original fragment left them out
  InterfaceSubnetId:
    Type: AWS::EC2::Subnet::Id
  InterfaceSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id
Resources:
  # com.amazonaws.region.ecr.api
  EcrApiEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      # Endpoint policy as a YAML mapping (any principal, any action, any resource)
      PolicyDocument:
        Version: "2012-10-17"    # quoted so YAML keeps it as a string, not a date
        Statement:
          - Effect: Allow
            Principal: '*'
            Action:
              - '*'
            Resource:
              - '*'
      ServiceName: !Sub "com.amazonaws.${AWS::Region}.ecr.api"
      VpcEndpointType: Interface
      PrivateDnsEnabled: true
      # Values exported (Outputs/Export) by another stack
      VpcId: !ImportValue your-vpc-id
      SubnetIds:
        - !ImportValue your-subnet-id-a
        - !ImportValue your-subnet-id-b
      SecurityGroupIds:
        - !Ref InterfaceSecurityGroupId
  # com.amazonaws.region.ecr.dkr
  EcrDkrEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      # The same policy written as a JSON string
      PolicyDocument: '
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": "*",
              "Resource": "*",
              "Principal": "*"
            }
          ]
        }
        '
      ServiceName: !Sub "com.amazonaws.${AWS::Region}.ecr.dkr"
      SubnetIds:
        - !Ref InterfaceSubnetId
      VpcId: !Ref DemoVpc          # the VPC resource from sample 1)
      VpcEndpointType: Interface
      SecurityGroupIds:
        - !Ref InterfaceSecurityGroupId
      PrivateDnsEnabled: true
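The endpoint policies in sample 2) allow any principal any action on any resource. As an added example (not from the original post), the ecr.dkr endpoint below carries a pull-only policy limited to repositories owned by the calling account, plus a security group that admits only HTTPS from inside the VPC; the parameter names VpcId, VpcCidr and PrivateSubnetId are assumptions.

```yaml
Parameters:
  VpcId:                       # assumed: the VPC the endpoint lives in
    Type: AWS::EC2::VPC::Id
  VpcCidr:                     # assumed: its CIDR, as in sample 1)
    Type: String
    Default: "10.0.0.0/16"
  PrivateSubnetId:             # assumed: a private subnet in that VPC
    Type: AWS::EC2::Subnet::Id
Resources:
  # Only HTTPS from inside the VPC may reach the endpoint network interfaces
  EndpointSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTPS from the VPC to the ECR interface endpoint
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: !Ref VpcCidr
  EcrDkrEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      ServiceName: !Sub "com.amazonaws.${AWS::Region}.ecr.dkr"
      VpcEndpointType: Interface
      PrivateDnsEnabled: true
      VpcId: !Ref VpcId
      SubnetIds:
        - !Ref PrivateSubnetId
      SecurityGroupIds:
        - !Ref EndpointSecurityGroup
      # Endpoint policy: pull only, and only repositories owned by this account.
      # Principal stays "*" and is narrowed by the aws:PrincipalAccount condition.
      PolicyDocument:
        Version: "2012-10-17"    # quoted so YAML keeps it as a string, not a date
        Statement:
          - Sid: PullFromOwnAccountOnly
            Effect: Allow
            Principal: "*"
            Action:
              - ecr:BatchGetImage
              - ecr:GetDownloadUrlForLayer
              - ecr:BatchCheckLayerAvailability
            Resource: !Sub "arn:${AWS::Partition}:ecr:${AWS::Region}:${AWS::AccountId}:repository/*"
            Condition:
              StringEquals:
                aws:PrincipalAccount: !Ref AWS::AccountId
```

Image layers are served from S3, so a pull through this endpoint also needs an S3 gateway endpoint in the same VPC, as the ECR documentation linked above describes. No Tags are set because, per 【2】, CloudFormation rejected them on this resource type at the time of writing.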

Related articles

CloudFormation ~ Basic knowledge ~
https://dk521123.hatenablog.com/entry/2024/02/10/231900
CloudFormation ~ Introduction ~
https://dk521123.hatenablog.com/entry/2021/10/26/224812
CloudFormation ~ Basics ~
https://dk521123.hatenablog.com/entry/2021/12/01/170326
CloudFormation ~ Development environment ~
https://dk521123.hatenablog.com/entry/2022/05/22/000000
CloudFormation ~ Intrinsic functions ~
https://dk521123.hatenablog.com/entry/2021/12/04/202519
CloudFormation ~ Conditionals ~
https://dk521123.hatenablog.com/entry/2022/07/02/214543
CloudFormation ~ Pseudo parameters ~
https://dk521123.hatenablog.com/entry/2021/12/05/134313
CloudFormation ~ DeletionPolicy attribute ~
https://dk521123.hatenablog.com/entry/2021/12/27/211328
CloudFormation ~ Handling credentials ~
https://dk521123.hatenablog.com/entry/2021/12/28/224501
CloudFormation ~ Parameters ~
https://dk521123.hatenablog.com/entry/2024/02/29/220042
CloudFormation ~ Outputs ~
https://dk521123.hatenablog.com/entry/2024/04/04/112146
CloudFormation ~ S3 ~
https://dk521123.hatenablog.com/entry/2022/05/25/220037
CloudFormation ~ KMS ~
https://dk521123.hatenablog.com/entry/2022/05/26/112627
CloudFormation ~ IAM ~
https://dk521123.hatenablog.com/entry/2022/05/27/100820
CloudFormation ~ EC2 ~
https://dk521123.hatenablog.com/entry/2024/02/11/010935
Building Github/CodePipeline/CodeBuild with CloudFormation
https://dk521123.hatenablog.com/entry/2021/12/26/155956
Troubleshooting CloudFormation
https://dk521123.hatenablog.com/entry/2022/05/30/191507
Error "Unresolved resource dependencies" shown when referencing a variable in CloudFormation
https://dk521123.hatenablog.com/entry/2024/02/27/211050
Shell ~ Introduction ~
https://dk521123.hatenablog.com/entry/2014/10/23/005406
Shell ~ Shebang
https://dk521123.hatenablog.com/entry/2024/02/02/000000
Heredoc ~ Writing multi-line text to a file ~
https://dk521123.hatenablog.com/entry/2016/05/13/231535