From bb34ac2cdd06fcb5abf4537e98da303a87dfd4c8 Mon Sep 17 00:00:00 2001
From: Thomas Manson
Date: Tue, 11 Jun 2024 12:00:53 +1000
Subject: [PATCH 1/2] Added machine type and egress rule
---
scripts/aws/UID_CloudFormation.template.yml | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/scripts/aws/UID_CloudFormation.template.yml b/scripts/aws/UID_CloudFormation.template.yml
index 3fca4d373..ea3f90145 100644
--- a/scripts/aws/UID_CloudFormation.template.yml
+++ b/scripts/aws/UID_CloudFormation.template.yml
@@ -31,6 +31,10 @@ Parameters: - m5a.4xlarge - m5n.2xlarge - m5n.4xlarge + - m6i.2xlarge + - m6i.4xlarge + - r6i.2xlarge + - r6i.4xlarge ConstraintDescription: must be a valid EC2 instance type. RootVolumeSize: Description: Instance root volume size
@@ -83,7 +87,7 @@ Metadata: DeployToEnvironment: default: UID2 environment to deploy to. Prod - production; Integ - integration test. InstanceType: - default: Instance Type for EC2. Minimum 4 vCPUs needed. M5, M5a, M5n Instance types are tested. Choose 2xlarge or 4xlarge. + default: Instance Type for EC2. Minimum 4 vCPUs needed. M5, M5a, M5n, M6i and R6i Instance types are tested. Choose 2xlarge or 4xlarge. SSHKeyName: default: Key Name for SSH to EC2 (required) RootVolumeSize:
@@ -245,6 +249,11 @@ Resources: ToPort: '443' CidrIp: 0.0.0.0/0 Description: "Allow Outbound HTTPS" + - IpProtocol: udp FromPort: '53' ToPort: '53' CidrIp: 0.0.0.0/0 Description: "Allow Outbound DNS" VpcId: !Ref VpcId LaunchTemplate: Type: AWS::EC2::LaunchTemplate
From c89806758fcde6a40974d1f6714e2bf61f4cde6d Mon Sep 17 00:00:00 2001
From: Thomas Manson
Date: Tue, 11 Jun 2024 13:27:32 +1000
Subject: [PATCH 2/2] Updated EUID template
---
scripts/aws/EUID_CloudFormation.template.yml | 11 ++++++++++-
scripts/aws/UID_CloudFormation.template.yml | 20 ++++++++++----------
2 files changed, 20 insertions(+), 11 deletions(-)
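Review bot: The four AllowedValues added after `- m5n.4xlarge` feed the `InstanceType` that the launch template later in this file uses together with `EnclaveOptions: Enabled: true` (visible in hunk `@@ -269,11 +269,11 @@` of the second patch), so every listed type must be Nitro Enclaves-capable; m6i and r6i at these sizes presumably are, but that should be confirmed against the enclave-supported instance list rather than assumed from the M5 entries. The unchanged `ConstraintDescription: must be a valid EC2 instance type.` also understates the real constraint, which is membership in this curated list; consider `ConstraintDescription: must be one of the listed enclave-capable EC2 instance types.`. The Parameters block that owns this list begins before the hunk. The identical hunk in scripts/aws/EUID_CloudFormation.template.yml in the second patch has the same points.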
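Review bot: The new egress entry after `Description: "Allow Outbound HTTPS"` opens UDP/53 to `0.0.0.0/0`, which lets the instance reach any resolver on the Internet rather than only the one it needs, and broad DNS egress is a channel worth keeping narrow when reviewing outbound rules. If the intent is the VPC's Amazon-provided resolver, then as far as I recall the VPC documentation security-group rules are not applied to that resolver traffic at all, so this entry only matters for external resolvers and should then name them, e.g. `CidrIp: <RESOLVER_CIDR>` (placeholder for the intended resolver range). If external resolvers are intended, the rule is also incomplete: DNS answers that are truncated over UDP are retried over TCP/53, which this entry does not permit, so either add a matching `IpProtocol: tcp` entry or state in the Description why UDP alone suffices. The SecurityGroup resource that owns this egress list begins before the hunk, and the second patch adds the same entry to scripts/aws/EUID_CloudFormation.template.yml (hunk `@@ -217,6 +221,11 @@`), where the same points apply.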
diff --git a/scripts/aws/EUID_CloudFormation.template.yml b/scripts/aws/EUID_CloudFormation.template.yml
index 1eeb2f5c5..bc4e2f8cc 100644
--- a/scripts/aws/EUID_CloudFormation.template.yml
+++ b/scripts/aws/EUID_CloudFormation.template.yml
@@ -31,6 +31,10 @@ Parameters: - m5a.4xlarge - m5n.2xlarge - m5n.4xlarge + - m6i.2xlarge + - m6i.4xlarge + - r6i.2xlarge + - r6i.4xlarge ConstraintDescription: must be a valid EC2 instance type. RootVolumeSize: Description: Instance root volume size
@@ -83,7 +87,7 @@ Metadata: DeployToEnvironment: default: EUID environment to deploy to. Prod - production; Integ - integration test. InstanceType: - default: Instance Type for EC2. Minimum 4 vCPUs needed. M5, M5a, M5n Instance types are tested. Choose 2xlarge or 4xlarge. + default: Instance Type for EC2. Minimum 4 vCPUs needed. M5, M5a, M5n, M6i and R6i Instance types are tested. Choose 2xlarge or 4xlarge. SSHKeyName: default: Key Name for SSH to EC2 (required) RootVolumeSize:
@@ -217,6 +221,11 @@ Resources: ToPort: '443' CidrIp: 0.0.0.0/0 Description: "Allow Outbound HTTPS" + - IpProtocol: udp FromPort: '53' ToPort: '53' CidrIp: 0.0.0.0/0 Description: "Allow Outbound DNS" VpcId: !Ref VpcId LaunchTemplate: Type: AWS::EC2::LaunchTemplate
diff --git a/scripts/aws/UID_CloudFormation.template.yml b/scripts/aws/UID_CloudFormation.template.yml
index ea3f90145..985d1560a 100644
--- a/scripts/aws/UID_CloudFormation.template.yml
+++ b/scripts/aws/UID_CloudFormation.template.yml
@@ -149,7 +149,7 @@ Mappings: Resources: KMSKey: Type: AWS::KMS::Key - Properties: + Properties: Description: Key for Secret Encryption EnableKeyRotation: true KeyPolicy:
@@ -173,12 +173,12 @@ Resources: Resource: '*' SSMKEYAlias: Type: AWS::KMS::Alias - Properties: + Properties: AliasName: !Sub 'alias/uid-secret-${AWS::StackName}' TargetKeyId: !Ref KMSKey TokenSecret: Type: AWS::SecretsManager::Secret - Properties: + Properties: Description: UID2 Token KmsKeyId: !GetAtt KMSKey.Arn Name: !Sub 'uid2-config-stack-${AWS::StackName}'
@@ -215,7 +215,7 @@ Resources: - Effect: Allow Action: 'secretsmanager:GetSecretValue' Resource: !Sub 'arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:uid2-config-stack-${AWS::StackName}*' - ManagedPolicyArns: + ManagedPolicyArns: - 'arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy' WorkerInstanceProfile: Type: 'AWS::IAM::InstanceProfile'
@@ -269,11 +269,11 @@ Resources: Name: !Ref WorkerInstanceProfile ImageId: !FindInMap [RegionMap, !Ref 'AWS::Region', AMI] InstanceType: !Ref InstanceType - EnclaveOptions: + EnclaveOptions: Enabled: true KeyName: !Ref SSHKeyName SecurityGroupIds: - - !Ref SecurityGroup + - !Ref SecurityGroup UserData: !Base64 Fn::Sub: | #!/bin/bash -ex
@@ -291,12 +291,12 @@ Resources: LaunchTemplateId: !Ref LaunchTemplate Version: !GetAtt LaunchTemplate.LatestVersionNumber MetricsCollection: - - Granularity: 1Minute - Metrics: - - GroupTotalInstances + - Granularity: 1Minute + Metrics: + - GroupTotalInstances MaxSize: 1 MinSize: 1 - VPCZoneIdentifier: + VPCZoneIdentifier: - !Ref VpcSubnet1 - !Ref VpcSubnet2 Tags: