diff --git a/cfngoat.yaml b/cfngoat.yaml
index 2310f870..05fdf32d 100644
--- a/cfngoat.yaml
+++ b/cfngoat.yaml
@@ -43,6 +43,8 @@ Resources:
Tags:
- Key: Name
Value: !Sub "${AWS::AccountId}-${CompanyName}-${Environment}-ec2"
+ - Key: yor_trace
+ Value: c47225c9-bf84-4bed-9adb-cb6d80eecee2
UserData:
Fn::Base64: |
#!/bin/bash
@@ -54,7 +56,6 @@ Resources:
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMAAAKEY
export AWS_DEFAULT_REGION=us-west-2
echo "

Deployed via CloudFormation

" | sudo tee /var/www/html/index.html
-
WebHostStorage:
# Unencrypted Volume
Type: AWS::EC2::Volume
@@ -68,9 +69,10 @@ Resources:
Tags:
- Key: Name
Value: !Sub "${AWS::AccountId}-${CompanyName}-${Environment}-ebs"
+ - Key: yor_trace
+ Value: bd629558-220b-4ef6-8538-5a10d1db3964
### CFN Does not Support Volume Snapshot
-
EBSAttachment:
Type: AWS::EC2::VolumeAttachment
Properties:
@@ -98,7 +100,9 @@ Resources:
FromPort: 0
ToPort: 0
CidrIp: 0.0.0.0/0
-
+ Tags:
+ - Key: yor_trace
+ Value: f2b31b7c-8c22-4517-b3a5-87f40d223c4d
WebVPC:
Type: AWS::EC2::VPC
Properties:
@@ -108,7 +112,8 @@ Resources:
Tags:
- Key: Name
Value: !Sub "${AWS::AccountId}-${CompanyName}-${Environment}-vpc"
-
+ - Key: yor_trace
+ Value: a60f0d2b-e051-4069-a917-096b06d84a95
WebSubnet:
Type: AWS::EC2::Subnet
Properties:
@@ -122,7 +127,8 @@ Resources:
Tags:
- Key: Name
Value: !Sub "${AWS::AccountId}-${CompanyName}-${Environment}-subnet"
-
+ - Key: yor_trace
+ Value: 573f2a1e-4f9e-4b3e-878d-a6e2e675fe30
WebSubnet2:
Type: AWS::EC2::Subnet
Properties:
@@ -136,20 +142,21 @@ Resources:
Tags:
- Key: Name
Value: !Sub "${AWS::AccountId}-${CompanyName}-${Environment}-subnet2"
-
+ - Key: yor_trace
+ Value: 516b5515-04c6-40f5-96f2-ef01841c27a1
WebIGW:
Type: AWS::EC2::InternetGateway
Properties:
Tags:
- Key: Name
Value: !Sub "${AWS::AccountId}-${CompanyName}-${Environment}-igw"
-
+ - Key: yor_trace
+ Value: ba5209c1-d43e-4f51-a6c8-c37244cfd27d
InternetGatewayAttachment:
Type: AWS::EC2::VPCGatewayAttachment
Properties:
InternetGatewayId: !Ref WebIGW
VpcId: !Ref WebVPC
-
WebRTB:
Type: AWS::EC2::RouteTable
Properties:
@@ -157,7 +164,8 @@ Resources:
Tags:
- Key: Name
Value: !Sub "${AWS::AccountId}-${CompanyName}-${Environment}-rtb"
-
+ - Key: yor_trace
+ Value: a7e6c048-1a4c-44ef-a782-a5eaeea10e2b
WebDefaultPublicRoute:
Type: AWS::EC2::Route
DependsOn:
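Review bot: The lone `-` line after `| sudo tee /var/www/html/index.html` deletes the blank separator between the preceding instance's UserData block and `WebHostStorage`, a whitespace change that has nothing to do with the `yor_trace` tagging this commit is about. The same separator deletions recur in most later cfngoat.yaml hunks (`-68`, `-136`, `-166`, `-206`, `-220`, `-246`, `-273`, `-368`, `-406`, `-545`, `-586`, `-601`, `-835`), which inflates the diff and removes the visual break between top-level resources. Keep one blank line between resource definitions, or land the whitespace cleanup as its own commit so the tag additions can be reviewed on their own.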
@@ -166,19 +174,16 @@ Resources:
RouteTableId: !Ref WebRTB
DestinationCidrBlock: 0.0.0.0/0
GatewayId: !Ref WebIGW
-
RTBAssoc:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
SubnetId: !Ref WebSubnet
RouteTableId: !Ref WebRTB
-
RTBAssoc2:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
SubnetId: !Ref WebSubnet2
RouteTableId: !Ref WebRTB
-
WebENI:
Type: AWS::EC2::NetworkInterface
Properties:
@@ -188,7 +193,8 @@ Resources:
Tags:
- Key: Name
Value: !Sub "${AWS::AccountId}-${CompanyName}-${Environment}-primary_network_interface"
-
+ - Key: yor_trace
+ Value: 40da8a60-3a34-4d9f-8465-a318225e5659
VpcFlowLogs:
Type: AWS::EC2::FlowLog
Properties:
@@ -197,7 +203,9 @@ Resources:
LogDestination: !GetAtt FlowBucket.Arn
LogDestinationType: s3
TrafficType: ALL
-
+ Tags:
+ - Key: yor_trace
+ Value: fb9e6d7f-37bb-4910-a267-b593dda84698
FlowBucket:
Type: AWS::S3::Bucket
DeletionPolicy: Delete
@@ -206,11 +214,12 @@ Resources:
Tags:
- Key: Name
Value: !Sub "${AWS::AccountId}-${CompanyName}-${Environment}-flowlogs"
+ - Key: yor_trace
+ Value: c617a7d1-371f-47bb-a1a5-c529670a81ca
#############
### IAM ###
#############
-
User:
Type: AWS::IAM::User
Properties:
@@ -220,12 +229,12 @@ Resources:
Value: !Sub "${AWS::AccountId}-${CompanyName}-${Environment}-user"
- Key: Environment
Value: !Sub "${AWS::AccountId}-${CompanyName}-${Environment}"
-
+ - Key: yor_trace
+ Value: 686436e9-8b66-4110-a9d6-a56667e57068
AccessKey:
Type: AWS::IAM::AccessKey
Properties:
UserName: !Ref User
-
UserPolicy:
Type: AWS::IAM::Policy
Properties:
@@ -246,7 +255,6 @@ Resources:
#############
### KMS ###
#############
-
LogsKey:
# Key does not have rotation enabled
Type: AWS::KMS::Key
@@ -263,7 +271,9 @@ Resources:
AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
Action: kms:*
Resource: '*'
-
+ Tags:
+ - Key: yor_trace
+ Value: 9eddb142-15df-4c15-b787-b8bb671305b7
LogsKeyAlias:
Type: AWS::KMS::Alias
Properties:
@@ -273,7 +283,6 @@ Resources:
################
### DB App ###
################
-
DefaultDB:
Type: AWS::RDS::DBInstance
DeletionPolicy: Delete
@@ -302,7 +311,8 @@ Resources:
Value: !Sub "${AWS::AccountId}-${CompanyName}-${Environment}-rds"
- Key: Environment
Value: !Sub "${AWS::AccountId}-${CompanyName}-${Environment}"
-
+ - Key: yor_trace
+ Value: e192157e-caf9-4a01-9c23-21bfaca49d8d
DefaultDBOptionGroup:
Type: AWS::RDS::OptionGroup
Properties:
@@ -315,7 +325,8 @@ Resources:
Value: !Sub "og-${AWS::AccountId}-${CompanyName}-${Environment}"
- Key: Environment
Value: !Sub "${AWS::AccountId}-${CompanyName}-${Environment}"
-
+ - Key: yor_trace
+ Value: 542b758b-01e8-489e-834e-88d27fd972e3
DefaultDBParameterGroup:
Type: AWS::RDS::DBParameterGroup
Properties:
@@ -329,7 +340,8 @@ Resources:
Value: !Sub "${AWS::AccountId}-${CompanyName}-${Environment}-pg"
- Key: Environment
Value: !Sub "${AWS::AccountId}-${CompanyName}-${Environment}"
-
+ - Key: yor_trace
+ Value: d2067d38-e857-4d23-b8a7-fcb614423da0
DefaultSubnetGroup:
Type: AWS::RDS::DBSubnetGroup
Properties:
@@ -343,7 +355,8 @@ Resources:
Value: !Sub "sg-${AWS::AccountId}-${CompanyName}-${Environment}"
- Key: Environment
Value: !Sub "${AWS::AccountId}-${CompanyName}-${Environment}"
-
+ - Key: yor_trace
+ Value: 05b5d45a-f19a-4632-8345-0da43ebc7af1
DefaultSG:
Type: AWS::EC2::SecurityGroup
Properties:
@@ -360,7 +373,8 @@ Resources:
Value: !Sub "${AWS::AccountId}-${CompanyName}-${Environment}-rds-sg"
- Key: Environment
Value: !Sub "${AWS::AccountId}-${CompanyName}-${Environment}"
-
+ - Key: yor_trace
+ Value: aa0f98bc-9e66-4af1-99ee-8ecd47015e57
EC2Profile:
Type: AWS::IAM::InstanceProfile
Properties:
@@ -368,7 +382,6 @@ Resources:
Path: "/"
Roles:
- !Ref EC2Role
-
EC2Role:
Type: AWS::IAM::Role
Properties:
@@ -389,7 +402,8 @@ Resources:
Value: !Sub "${AWS::AccountId}-${CompanyName}-${Environment}-role"
- Key: Environment
Value: !Sub "${AWS::AccountId}-${CompanyName}-${Environment}"
-
+ - Key: yor_trace
+ Value: 80dea3d1-023b-456d-acde-cae62d7a0c3c
EC2Policy:
Type: AWS::IAM::Policy
Properties:
@@ -406,8 +420,6 @@ Resources:
Resource: "*"
Roles:
- !Ref EC2Role
-
-
DBAppInstance:
# EC2 have plain text secrets in user data
Type: AWS::EC2::Instance
@@ -425,6 +437,8 @@ Resources:
Tags:
- Key: Name
Value: !Sub "${AWS::AccountId}-${CompanyName}-${Environment}-dbapp"
+ - Key: yor_trace
+ Value: d32fb7e0-4c70-462d-be87-cb2b0984c948
UserData:
Fn::Base64: !Sub |
#!/bin/bash
@@ -545,7 +559,6 @@ Resources:
################
### Lambda ###
################
-
IAM4Lambda:
Type: "AWS::IAM::Role"
Properties:
@@ -566,7 +579,8 @@ Resources:
Value: !Sub "${AWS::AccountId}-${CompanyName}-${Environment}-analysis-lambda"
- Key: Environment
Value: !Sub "${AWS::AccountId}-${CompanyName}-${Environment}"
-
+ - Key: yor_trace
+ Value: 52f3e84c-33b3-4120-a28b-200189d92e8e
AnalysisLambda:
Type: AWS::Lambda::Function
Properties:
@@ -586,11 +600,12 @@ Resources:
Value: !Sub "${AWS::AccountId}-${CompanyName}-${Environment}-analysis"
- Key: Environment
Value: !Sub "${AWS::AccountId}-${CompanyName}-${Environment}"
+ - Key: yor_trace
+ Value: 96d4f72c-8d89-4571-92d6-7f5913d8e6d5
############
### S3 ###
############
-
DataBucket:
# Public, not encrypted, no access logs, no versioning
Type: AWS::S3::Bucket
@@ -601,9 +616,10 @@ Resources:
Tags:
- Key: Name
Value: !Sub "${AWS::AccountId}-${CompanyName}-${Environment}-data"
+ - Key: yor_trace
+ Value: acb7e85e-1288-4eed-a32d-7058184b97af
### TODO - Custom Upload of insecure document
-
FinancialsBucket:
# not encrypted, no access logs, no versioning
Type: AWS::S3::Bucket
@@ -614,7 +630,8 @@ Resources:
Tags:
- Key: Name
Value: !Sub "${AWS::AccountId}-${CompanyName}-${Environment}-financials"
-
+ - Key: yor_trace
+ Value: eb605c8e-aad7-472f-8f90-59d80039cfb0
OperationsBucket:
# not encrypted, no access logs
Type: AWS::S3::Bucket
@@ -627,7 +644,8 @@ Resources:
Tags:
- Key: Name
Value: !Sub "${AWS::AccountId}-${CompanyName}-${Environment}-operations"
-
+ - Key: yor_trace
+ Value: 6f86402d-9bec-481f-af3c-9aaccfa0b264
DataScienceBucket:
# not encrypted
Type: AWS::S3::Bucket
@@ -643,7 +661,8 @@ Resources:
Tags:
- Key: Name
Value: !Sub "${AWS::AccountId}-${CompanyName}-${Environment}-data-science"
-
+ - Key: yor_trace
+ Value: 3952f182-2909-4e20-88d5-73de11304d91
LogsBucket:
# not encrypted
Type: AWS::S3::Bucket
@@ -661,6 +680,8 @@ Resources:
Tags:
- Key: Name
Value: !Sub "${AWS::AccountId}-${CompanyName}-${Environment}-logs"
+ - Key: yor_trace
+ Value: 925b9bf9-fb57-4b86-9270-66d2c427ad0f
########################
### Clean S3 Buckets ###
@@ -697,7 +718,8 @@ Resources:
Value: !Sub "${AWS::AccountId}-${CompanyName}-${Environment}-cleanup-role"
- Key: Environment
Value: !Sub "${AWS::AccountId}-${CompanyName}-${Environment}"
-
+ - Key: yor_trace
+ Value: 179b6064-662f-4d30-8a1b-15e047516d00
CleanBucketFunction:
Type: "AWS::Lambda::Function"
DependsOn:
@@ -835,37 +857,34 @@ Resources:
request.write(responseBody);
request.end();
}
-
+ Tags:
+ - Key: yor_trace
+ Value: 78bd9067-d813-4d5c-a228-e746e70b9214
CleanFlowBucketOnDelete:
Type: Custom::cleanupflowbucket
Properties:
ServiceToken: !GetAtt CleanBucketFunction.Arn
BucketName: !Ref FlowBucket
-
CleanDataBucketOnDelete:
Type: Custom::cleanupdatabucket
Properties:
ServiceToken: !GetAtt CleanBucketFunction.Arn
BucketName: !Ref DataBucket
-
CleanFinancialsBucketOnDelete:
Type: Custom::cleanupfinancialsbucket
Properties:
ServiceToken: !GetAtt CleanBucketFunction.Arn
BucketName: !Ref FinancialsBucket
-
CleanOperationsBucketOnDelete:
Type: Custom::cleanupoperationsbucket
Properties:
ServiceToken: !GetAtt CleanBucketFunction.Arn
BucketName: !Ref OperationsBucket
-
CleanDataScienceBucketOnDelete:
Type: Custom::cleanupdatasciencebucket
Properties:
ServiceToken: !GetAtt CleanBucketFunction.Arn
BucketName: !Ref DataScienceBucket
-
CleanLogsBucketOnDelete:
Type: Custom::cleanuplogsbucket
Properties:
diff --git a/eks.yaml b/eks.yaml
index 6003fc25..bb2022e8 100644
--- a/eks.yaml
+++ b/eks.yaml
@@ -56,6 +56,9 @@ Resources:
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
- arn:aws:iam::aws:policy/AmazonEKSServicePolicy
+ Tags:
+ - Key: yor_trace
+ Value: d5d3c309-15ef-4142-950a-f8d753350698
VPC:
Type: AWS::EC2::VPC
Properties:
@@ -65,12 +68,16 @@ Resources:
Tags:
- Key: Name
Value: !Sub '${AWS::StackName}-VPC'
+ - Key: yor_trace
+ Value: f20f57c8-8f7f-4399-9f49-e7d81f676233
InternetGateway:
Type: "AWS::EC2::InternetGateway"
Properties:
Tags:
- Key: Name
Value: !Sub '${AWS::StackName}-Internet Gateway'
+ - Key: yor_trace
+ Value: b253fcf3-66d9-4218-8b14-7e4be35514cc
VPCGatewayAttachment:
Type: "AWS::EC2::VPCGatewayAttachment"
Properties:
@@ -85,6 +92,8 @@ Resources:
Value: Public Subnets
- Key: Network
Value: Public
+ - Key: yor_trace
+ Value: decce50a-82c5-4019-8493-b0a0af7cd3a4
PrivateRouteTable01:
Type: AWS::EC2::RouteTable
Properties:
@@ -94,6 +103,8 @@ Resources:
Value: Private Subnet AZ1
- Key: Network
Value: Private01
+ - Key: yor_trace
+ Value: 1823e2ba-5c7c-4153-89d8-81c13b65f5da
PrivateRouteTable02:
Type: AWS::EC2::RouteTable
Properties:
@@ -103,6 +114,8 @@ Resources:
Value: Private Subnet AZ2
- Key: Network
Value: Private02
+ - Key: yor_trace
+ Value: 5e392fe3-8167-4338-af7f-9c930a1bb681
PublicRoute:
DependsOn:
- VPCGatewayAttachment
@@ -141,6 +154,8 @@ Resources:
Tags:
- Key: Name
Value: !Sub '${AWS::StackName}-NatGatewayAZ1'
+ - Key: yor_trace
+ Value: c069a0f5-5226-4123-92cf-729dc0df25d8
NatGateway02:
DependsOn:
- NatGatewayEIP2
@@ -153,18 +168,26 @@ Resources:
Tags:
- Key: Name
Value: !Sub '${AWS::StackName}-NatGatewayAZ2'
+ - Key: yor_trace
+ Value: 482ef480-a15c-467f-a374-c693b0b5b27b
NatGatewayEIP1:
DependsOn:
- VPCGatewayAttachment
Type: 'AWS::EC2::EIP'
Properties:
Domain: vpc
+ Tags:
+ - Key: yor_trace
+ Value: d3e82396-ba71-4425-bd3c-a2e23d32e131
NatGatewayEIP2:
DependsOn:
- VPCGatewayAttachment
Type: 'AWS::EC2::EIP'
Properties:
Domain: vpc
+ Tags:
+ - Key: yor_trace
+ Value: 46420d38-50cf-4938-9d12-efd38bda0b43
PublicSubnet01:
Type: AWS::EC2::Subnet
Metadata:
@@ -182,6 +205,8 @@ Resources:
Tags:
- Key: Name
Value: !Sub "${AWS::StackName}-PublicSubnet01"
+ - Key: yor_trace
+ Value: a9fb392d-59f9-4962-8363-53a0e7eebc74
PublicSubnet02:
Type: AWS::EC2::Subnet
Metadata:
@@ -199,6 +224,8 @@ Resources:
Tags:
- Key: Name
Value: !Sub "${AWS::StackName}-PublicSubnet02"
+ - Key: yor_trace
+ Value: 5bc442fd-775d-4297-9037-115d46ca7f1f
PrivateSubnet01:
Type: AWS::EC2::Subnet
Metadata:
@@ -218,6 +245,8 @@ Resources:
Value: !Sub "${AWS::StackName}-PrivateSubnet01"
- Key: "kubernetes.io/role/internal-elb"
Value: "1"
+ - Key: yor_trace
+ Value: 4cbb6b6e-46e2-492b-8252-56b356529140
PrivateSubnet02:
Type: AWS::EC2::Subnet
Metadata:
@@ -237,6 +266,8 @@ Resources:
Value: !Sub "${AWS::StackName}-PrivateSubnet02"
- Key: "kubernetes.io/role/internal-elb"
Value: "1"
+ - Key: yor_trace
+ Value: 505e36fe-346a-473e-82df-51fdbd3735ab
PublicSubnet01RouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
@@ -262,6 +293,9 @@ Resources:
Properties:
GroupDescription: Cluster communication with worker nodes
VpcId: !Ref VPC
+ Tags:
+ - Key: yor_trace
+ Value: 8f0216d9-5045-4b6e-a256-4327c3ccdee7
EKSCluster:
Type: AWS::EKS::Cluster
Properties:
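Review bot: Nothing in this hunk, or in any other hunk of eks.yaml or cfngoat.yaml, documents what the `yor_trace` tag added after `VpcId: !Ref VPC` means, so a later maintainer has no way to know its UUID value is tool-managed rather than something to hand-edit or copy to a new resource. The key name suggests the tags were generated by Yor, in which case each value is the identifier that ties the deployed resource back to its definition in the template for inventory and finding attribution. A short comment above the template's `Resources` section (outside this hunk) would make that explicit, e.g. `# yor_trace tags are generated by Yor and map each deployed resource back to its definition here; do not edit or reuse their values by hand`.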