Skip to content

Commit

Permalink
Merge pull request #2 from subhamay-bhattacharyya/feature/SB-0001-ini…
Browse files Browse the repository at this point in the history 
…tial-release

Merge feature/SB-0001-initial-release with main
  • Loading branch information
@bsubhamay
bsubhamay authored Jan 9, 2025
2 parents 6c658ee + 118ec81 commit 802cf0c
Show file tree
Hide file tree
Showing 15 changed files with 1,945 additions and 2 deletions.
100 changes: 100 additions & 0 deletions .github/workflows/validate-upload-cfn-tmpl.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,100 @@
# This is a basic workflow to help you get started with Actions
name: Validate and upload CFN Templates to S3

on:
workflow_dispatch:
push:
branches:
- main
- 'feature**'
paths-ignore:
- '**/README.md'
- '**/.github/workflows/**.yaml'
- '**/CHANGELOG.md'
- '**/LICENSE'
- '**/VERSION'
- '.gitignore'

permissions:
id-token: write # This is required for aws oidc connection
contents: write # This is required for actions/checkout
pull-requests: write # This is required for gh bot to comment PR
issues: write # This is required for gh bot to comment issues

jobs:
start:
uses: subhamay-bhattacharyya/gh-action-reusable-aws-cfn-wf/.github/workflows/setup-repository.yaml@main
with:
deploy-reviewer-test: ${{ vars.ACTION_APPROVER_1}}
deploy-reviewer-prod: ${{ vars.ACTION_APPROVER_1 }}
pr-approver: ${{ vars.PR_APPROVER }}
test-env: false
prod-env: false
secrets:
git-token: ${{ secrets.GIT_TOKEN }}

validate-cfn-templates:
if: github.event_name == 'push' && startsWith(github.ref, 'refs/heads/feature')
needs: start
uses: subhamay-bhattacharyya/gh-action-reusable-aws-cfn-wf/.github/workflows/cfn-validate.yaml@main
with:
issue-number: ${{ github.run_id }}

checkov-scan:
if: github.event_name == 'push' && startsWith(github.ref, 'refs/heads/feature')
needs: validate-cfn-templates
uses: subhamay-bhattacharyya/gh-action-reusable-aws-cfn-wf/.github/workflows/checkov-scan.yaml@main

release:
if: github.event_name == 'push' && startsWith(github.ref, 'refs/heads/feature')
needs: checkov-scan
uses: subhamay-bhattacharyya/gh-action-reusable-aws-cfn-wf/.github/workflows/release.yaml@main

create-pr:
if: success()
needs: release
uses: subhamay-bhattacharyya/gh-action-reusable-aws-cfn-wf/.github/workflows/create-pr.yaml@main
secrets:
git-token: ${{ secrets.GIT_TOKEN }}

upload-to-s3:
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
needs: [start]
uses: subhamay-bhattacharyya/gh-action-reusable-aws-cfn-wf/.github/workflows/cfn-templ-s3-upload.yaml@main
with:
aws-region: ${{ vars.AWS_REGION }}
aws-role-arn: ${{ vars.DEVL_AWS_ROLE_ARN }}
aws-cfn-template-bucket: ${{ vars.CFN_TEMPLATE_S3_BUCKET }}
kms-key-arn: ${{ vars.CFN_TEMPLATES_S3_KMS_KEY_ID }}
# name: "Upload CFN Templates to S3"
# runs-on: ubuntu-latest
# defaults:
# run:
# shell: bash
# working-directory: .

# steps:
# # Checkout the repository code
# - name: Checkout code
# id: git-checkout
# uses: actions/checkout@v4

# # Configure AWS credentials
# - name: Configure AWS credentials from AWS account
# id: aws-config
# uses: aws-actions/[email protected]
# with:
# role-to-assume: ${{ vars.DEVL_AWS_ROLE_ARN }}
# aws-region: ${{ vars.AWS_REGION }}
# role-session-name: github-aws-cfn-oidc

# # Upload the stack templates to S3
# - name: Upload the stack templates to S3
# run: |
# aws s3 sync ${{ github.workspace }}/cfn-templates/ s3://${{ vars.CFN_TEMPLATES_S3_BUCKET }} --sse "aws:kms" \
# --sse-kms-key-id ${{ vars.CFN_TEMPLATES_S3_KMS_KEY_ID }} --storage-class GLACIER_IR --exclude ".gitignore" \
# --exclude ".github/workflows/*.yaml" \
# --exclude "*.md" \
# --exclude "CODEOWNERS" \
# --exclude "LICENSE" \
# --exclude "VERSION"
1 change: 1 addition & 0 deletions .gitignore
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
.DS_Store
15 changes: 15 additions & 0 deletions CHANGELOG.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
#### Change Log

START-LATEST
[1.0.0] - 2025-01-01
##### Added
- Initial release of the CloudFormation Nested Stack Repository
- Stack template to create VPC with specified CIDR block.
- Stack template to create SNS Topic.
- Stack template to create SNS Subscription.
- Stack template to create Internet Gateway and attach it to the VPC.
- Stack template to create Subnet within the specified VPC.
- Stack template to create Network ACL and associate it with the specified subnet.
- Stack template to create Security Group within the specified VPC.
- Stack template to create Security Group Ingress Rule for the specified Security Group.
END-LATEST
2 changes: 2 additions & 0 deletions CODEOWNERS
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
# Owners for all files in the repository
* @bsubhamay
22 changes: 22 additions & 0 deletions LICENSE
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@

MIT License

Copyright (c) 2024

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
229 changes: 227 additions & 2 deletions README.md
View file
Original file line number Diff line number Diff line change
@@ -1,2 +1,227 @@
# aws-cfn-nested-stacks
🔳 🛫 AWS CloudFormation nested stack templates library. ☁️ Use Codespaces ☁️
![](https://img.shields.io/github/commit-activity/t/subhamay-bhattacharyya/aws-cfn-nested-stacks) ![](https://img.shields.io/github/last-commit/subhamay-bhattacharyya/aws-cfn-nested-stacks) ![](https://img.shields.io/github/release-date/subhamay-bhattacharyya/aws-cfn-nested-stacks) ![](https://img.shields.io/github/repo-size/subhamay-bhattacharyya/aws-cfn-nested-stacks) ![](https://img.shields.io/github/directory-file-count/subhamay-bhattacharyya/aws-cfn-nested-stacks) ![](https://img.shields.io/github/issues/subhamay-bhattacharyya/aws-cfn-nested-stacks) ![](https://img.shields.io/github/languages/top/subhamay-bhattacharyya/aws-cfn-nested-stacks) ![](https://img.shields.io/github/commit-activity/m/subhamay-bhattacharyya/aws-cfn-nested-stacks) ![](https://img.shields.io/endpoint?url=https://gist.githubusercontent.com/bsubhamay/53535fe14b2a34adf2c58da3d4bc958b/raw/aws-cfn-nested-stacks.json?)

AWS CloudFormation nested stack templates.

## Overview

This repository contains AWS CloudFormation templates for creating nested stacks. These templates help in managing and deploying AWS resources in a structured and reusable manner.

## The CICD Pipeline
```mermaid
flowchart LR
%% Nodes
A("Setup Repository"):::green
B("Validate Template"):::yellow
C("Run Checkov Scan"):::purple
D("Create Release"):::blue
E("Create Pull Request"):::orange
F("Upload the templates to S3 Bucket"):::pink
%% Edges
A --> B --> C --> D --> E
A --> |Merge Pull Request|F
%% Styling
classDef green fill:#B2DFDB,stroke:#00897B,stroke-width:2px;
classDef orange fill:#FFE0B2,stroke:#FB8C00,stroke-width:2px;
classDef blue fill:#BBDEFB,stroke:#1976D2,stroke-width:2px;
classDef yellow fill:#FFF9C4,stroke:#FBC02D,stroke-width:2px;
classDef pink fill:#F8BBD0,stroke:#C2185B,stroke-width:2px;
classDef purple fill:#E1BEE7,stroke:#8E24AA,stroke-width:2px;
```
## Templates

### VPC
#### VPC Template

The VPC template ([vpc/vpc.yaml](vpc/vpc.yaml)) creates a Virtual Private Cloud (VPC) with optional IPv6 CIDR block support. It includes parameters for project name, environment, GitHub attributes, and VPC configuration.

##### Parameters

- **ProjectName**: The Project name to be used as a resource tag value. Must be 5-30 characters long and contain only lowercase alphabets.
- **Environment**: The Environment name to be used as a resource tag value. Allowed values are "devl", "test", "prod".
- **GitHubRef**: GitHub Ref name to be used as a resource tag value. Can contain alphanumeric characters, slashes, underscores, and hyphens.
- **GitHubURL**: GitHub URL to be used as a resource tag value. Must start with 'https://github.com/' and can contain alphanumeric characters, dots, underscores, and hyphens.
- **GitHubWFRunNumber**: The Workflow run number to be used as a resource tag value.
- **GitHubSHA**: The SHA value of the last commit to be used as a resource tag value. Must be a 40-character hexadecimal string.
- **GitHubRepository**: The GitHub Repository name to be used as a resource tag value. Must be 10-30 characters long, contain lowercase letters, numbers, dashes, and start with a letter.
- **CiBuild**: CI Build of the feature branch to be appended to a resource name.
- **VPCCidrBlock**: VPC CIDR Block. Must be in the form x.x.x.x/x.
- **EnableIPV6Cidr**: Boolean to enable IPv6 CIDR.

##### Resources

- **VPC**: Creates an AWS VPC with specified CIDR block, DNS support, and tags.
- **IPv6CidrBlock**: Adds an IPv6 CIDR block to the VPC if IPv6 is enabled.

##### Outputs

- **VpcId**: The ID of the created VPC.
- **VpcCidrBlock**: The CIDR block of the VPC.
- **VpcCidrBlockAssociations**: The CIDR block associations of the VPC.
- **VpcDefaultNetworkAcl**: The default network ACL of the VPC.
- **VpcDefaultSecurityGroup**: The default security group of the VPC.
- **VpcIpv6CidrBlocks**: The IPv6 CIDR blocks of the VPC if IPv6 is enabled.

#### Internet Gateway Template

The Internet Gateway template ([igw/igw.yaml](igw/igw.yaml)) creates an Internet Gateway and attaches it to the VPC. It includes parameters for project name, environment, and VPC ID.

##### Parameters

- **ProjectName**: The Project name to be used as a resource tag value. Must be 5-30 characters long and contain only lowercase alphabets.
- **Environment**: The Environment name to be used as a resource tag value. Allowed values are "devl", "test", "prod".
- **VpcId**: The ID of the VPC to which the Internet Gateway will be attached. Must be in the form 'vpc-' followed by alphanumeric characters.

##### Resources

- **InternetGateway**: Creates an Internet Gateway and attaches it to the specified VPC.

##### Outputs

- **InternetGatewayId**: The ID of the created Internet Gateway.

#### Subnet Template

The Subnet template ([subnet/subnet.yaml](subnet/subnet.yaml)) creates a Subnet within the specified VPC. It includes parameters for project name, environment, VPC ID, and subnet configuration.

##### Parameters

- **ProjectName**: The Project name to be used as a resource tag value. Must be 5-30 characters long and contain only lowercase alphabets.
- **Environment**: The Environment name to be used as a resource tag value. Allowed values are "devl", "test", "prod".
- **VpcId**: The ID of the VPC in which to create the subnet. Must be in the form 'vpc-' followed by alphanumeric characters.
- **SubnetCidrBlock**: The CIDR block for the subnet. Must be in the form x.x.x.x/x.
- **NetworkAclId**: The ID of the Network ACL to associate with the subnet. Must be in the form 'acl-' followed by alphanumeric characters.
- **SubnetSequence**: The sequence number of the subnet. Must be between 0 and 6.
- **InternetGatewayId**: The ID of the attached Internet Gateway. Must be in the form 'igw-' followed by alphanumeric characters.

##### Resources

- **Subnet**: Creates a subnet within the specified VPC.
- **RouteTable**: Creates a route table and associates it with the subnet.
- **NetworkAcl**: Associates the specified Network ACL with the subnet.

##### Outputs

- **SubnetId**: The ID of the created subnet.
- **RouteTableId**: The ID of the created route table.
- **NetworkAclId**: The ID of the associated Network ACL.

##### Network ACL Template

The Network ACL template ([nacl/nacl.yaml](nacl/nacl.yaml)) creates a Network ACL and associates it with the specified subnet. It includes parameters for project name, environment, VPC ID, and subnet ID.

##### Parameters

- **ProjectName**: The Project name to be used as a resource tag value. Must be 5-30 characters long and contain only lowercase alphabets.
- **Environment**: The Environment name to be used as a resource tag value. Allowed values are "devl", "test", "prod".
- **VpcId**: The ID of the VPC in which to create the Network ACL. Must be in the form 'vpc-' followed by alphanumeric characters.
- **SubnetId**: The ID of the subnet to associate with the Network ACL. Must be in the form 'subnet-' followed by alphanumeric characters.

##### Resources

- **NetworkAcl**: Creates a Network ACL within the specified VPC.
- **NetworkAclAssociation**: Associates the Network ACL with the specified subnet.

##### Outputs

- **NetworkAclId**: The ID of the created Network ACL.
- **NetworkAclAssociationId**: The ID of the Network ACL association.

#### Security Group Template

The Security Group template ([sg/sg.yaml](sg/sg.yaml)) creates a Security Group within the specified VPC. It includes parameters for project name, environment, VPC ID, and security group configuration.

##### Parameters

- **ProjectName**: The Project name to be used as a resource tag value. Must be 5-30 characters long and contain only lowercase alphabets.
- **Environment**: The Environment name to be used as a resource tag value. Allowed values are "devl", "test", "prod".
- **VpcId**: The ID of the VPC in which to create the Security Group. Must be in the form 'vpc-' followed by alphanumeric characters.
- **SecurityGroupBaseName**: The Security Group base name to be used as a resource name. Can contain alphanumeric characters, hyphens, and underscores.
- **SecurityGroupDescription**: The Security Group description to be used as a resource tag value. Can contain alphanumeric characters, spaces, hyphens, underscores, and punctuation.

##### Resources

- **SecurityGroup**: Creates a Security Group within the specified VPC.

##### Outputs

- **SecurityGroupId**: The ID of the created Security Group.

#### Security Group Ingress Rule Template

The Security Group Ingress Rule template ([sg-rule-ingress/sg-rule-ingress.yaml](sg-rule-ingress/sg-rule-ingress.yaml)) creates ingress rules for the specified Security Group. It includes parameters for project name, environment, Security Group ID, and ingress rule configuration.

##### Parameters

- **ProjectName**: The Project name to be used as a resource tag value. Must be 5-30 characters long and contain only lowercase alphabets.
- **Environment**: The Environment name to be used as a resource tag value. Allowed values are "devl", "test", "prod".
- **SecurityGroupId**: The ID of the Security Group to which the ingress rules will be added. Must be in the form 'sg-' followed by alphanumeric characters.
- **IPProtocol**: The IP protocol for the ingress rule (e.g., tcp, udp, icmp).
- **FromPort**: The starting port for the ingress rule.
- **ToPort**: The ending port for the ingress rule.
- **CidrIp**: The IPv4 CIDR block for the ingress rule.
- **CidrIpv6**: The IPv6 CIDR block for the ingress rule.
- **SourceSecurityGroupId**: The ID of the source Security Group for the ingress rule.
- **RuleDescription**: The description of the ingress rule.

##### Resources

- **SecurityGroupIngress**: Creates ingress rules for the specified Security Group.

##### Outputs

- **SecurityGroupIngressRuleId**: The ID of the created Security Group ingress rule.

### Application Integration

#### SNS Topic Template

The SNS Topic template ([sns/sns-topic.yaml](sns/sns-topic.yaml)) creates an SNS Topic with optional KMS encryption. It includes parameters for project name, environment, GitHub attributes, and SNS configuration.

##### Parameters

- **ProjectName**: The Project name to be used as a resource tag value. Must be 5-30 characters long and contain only lowercase alphabets.
- **Environment**: The Environment name to be used as a resource tag value. Allowed values are "devl", "test", "prod".
- **GitHubRef**: GitHub Ref name to be used as a resource tag value. Can contain alphanumeric characters, slashes, underscores, and hyphens.
- **GitHubURL**: GitHub URL to be used as a resource tag value. Must start with 'https://github.com/' and can contain alphanumeric characters, dots, underscores, and hyphens.
- **GitHubWFRunNumber**: The Workflow run number to be used as a resource tag value.
- **GitHubSHA**: The SHA value of the last commit to be used as a resource tag value. Must be a 40-character hexadecimal string.
- **GitHubRepository**: The GitHub Repository name to be used as a resource tag value. Must be 10-30 characters long, contain lowercase letters, numbers, dashes, and start with a letter.
- **CiBuild**: CI Build of the feature branch to be appended to a resource name.
- **KmsMasterKeyAlias**: The KMS master key alias to be used for server-side encryption.
- **TopicBaseName**: The base name of the SNS topic. The topic name will be created by appending the environment and region.
- **TopicDisplayName**: The SNS topic display name.

##### Resources

- **SNSTopic**: Creates an SNS Topic with the specified properties and tags.

##### Outputs

- **SNSTopicArn**: The Arn of the SNS Topic.

#### SNS Subscription Template

The SNS Subscription template ([sns/sns-subscription.yaml](sns/sns-subscription.yaml)) creates SNS Topic subscriptions for Email, SQS, Lambda, and HTTPS endpoints. It includes parameters for SNS topic ARN, email address, SQS queue ARN, Lambda function ARN, and HTTP endpoint.

##### Parameters

- **SNSTopicArn**: The ARN of the SNS Topic.
- **EmailAddress**: The email address to subscribe to the SNS topic.
- **SqsQueueArn**: The ARN of the SQS Queue to subscribe to the SNS topic.
- **LambdaFunctionArn**: The ARN of the Lambda function to subscribe to the SNS topic.
- **HttpEndpoint**: The HTTP endpoint to subscribe to the SNS topic.

##### Resources

- **EmailSubscription**: Creates an SNS subscription for the provided email address.
- **SqsSubscription**: Creates an SNS subscription for the provided SQS queue.
- **LambdaSubscription**: Creates an SNS subscription for the provided Lambda function.
- **HttpsSubscription**: Creates an SNS subscription for the provided HTTP endpoint with a delivery policy.

##### Outputs

- **EmailSubscriptionArn**: The ARN of the SNS Topic Email subscription.
- **SqsSubscriptionArn**: The ARN of the SNS Topic SQS subscription.
- **LambdaSubscriptionArn**: The ARN of the SNS Topic Lambda function subscription.
- **HttpsSubscriptionArn**: The ARN of the SNS Topic HTTP endpoint subscription.
10 changes: 10 additions & 0 deletions VERSION
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
#### Version: 1.0.0
Initial release of the CloudFormation nested stack templates
Version: 1.0.0
Author: Subhamay Bhattacharyya
Created: 02-Jan-2025
Updated: 03-Jan-2025
Description: This repositoy contains the CloudFormation nested stack templates.

## Features
- This repository contains the CloudFormation nested stack templates.
Loading

0 comments on commit 802cf0c

Please sign in to comment.