AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  EUC SSM - VPC Endpoints Setup. This stack creates/updates VPC endpoints for
  S3/SSM/API-Gateway within the shared VPC

Parameters:
  paVPCId:
    Description: Target VPC for API Gateway VPC Endpoint
    Type: String
    Default: "vpc-"
  pbSubnetIds:
    Description: Comma separated list of Subnet IDs for VPC Endpoint Interfaces in the Target VPC
    Type: String
    Default: "subnet-,subnet-"
  pcCIDR:
    Description: Target VPC CIDR range
    Type: String
    Default: ""

Resources:
  # Security group on the ENIs of the API Gateway (execute-api) interface endpoint.
  # Ingress is limited to HTTPS from the VPC CIDR. Security groups are stateful, so
  # the wide egress rule below is not required for the endpoint to answer clients.
  EUCSSMVPCEpSGRoupAPI:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: sgroup-euc-apig-vpcendpoint
      GroupDescription: This security group will permit access to the VPC Endpoint for API Gateway
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 0
          ToPort: 65535
          CidrIp: 0.0.0.0/0
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp:
            Ref: pcCIDR
      VpcId:
        Ref: paVPCId

  # Interface endpoint for execute-api. With PrivateDnsEnabled the public
  # execute-api hostname resolves to the endpoint ENIs inside the VPC, so
  # callers need no configuration change; private REST APIs reference this
  # endpoint ID (exported below) in their endpoint configuration/policy.
  EUCVPCEndpointAPI:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId:
        Ref: paVPCId
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.execute-api'
      VpcEndpointType: Interface
      PrivateDnsEnabled: true
      SubnetIds:
        Fn::Split:
          - ","
          - Ref: pbSubnetIds
      SecurityGroupIds:
        - Ref: EUCSSMVPCEpSGRoupAPI

  # Shared security group for the SSM and SSM Messages endpoints (same rules as above).
  EUCSSMVPCEpSGRoupSSM:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: sgroup-euc-ssm-vpcendpoint
      GroupDescription: This security group will permit access to the VPC Endpoints for SSM
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 0
          ToPort: 65535
          CidrIp: 0.0.0.0/0
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp:
            Ref: pcCIDR
      VpcId:
        Ref: paVPCId

  # ssm + ssmmessages are what Session Manager needs from private subnets;
  # other SSM Agent features (Run Command, inventory) also use ec2messages,
  # which this stack does not create.
  EUCVPCEndpointSSM:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId:
        Ref: paVPCId
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ssm'
      VpcEndpointType: Interface
      PrivateDnsEnabled: true
      SubnetIds:
        Fn::Split:
          - ","
          - Ref: pbSubnetIds
      SecurityGroupIds:
        - Ref: EUCSSMVPCEpSGRoupSSM

  EUCVPCEndpointSSMm:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId:
        Ref: paVPCId
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ssmmessages'
      VpcEndpointType: Interface
      PrivateDnsEnabled: true
      SubnetIds:
        Fn::Split:
          - ","
          - Ref: pbSubnetIds
      SecurityGroupIds:
        - Ref: EUCSSMVPCEpSGRoupSSM

  EUCSSMVPCEpSGRoupS3:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: sgroup-euc-s3-vpcendpoint
      GroupDescription: This security group will permit access to the VPC Endpoints for S3
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 0
          ToPort: 65535
          CidrIp: 0.0.0.0/0
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp:
            Ref: pcCIDR
      VpcId:
        Ref: paVPCId

  # S3 is deployed here as an interface endpoint (not the free gateway type) so
  # that it has an ENI, a security group and an endpoint ID usable in bucket
  # policies. No PrivateDnsEnabled is set, so clients must address the
  # endpoint-specific DNS names rather than the regional S3 hostname.
  EUCVPCEndpointS3:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId:
        Ref: paVPCId
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.s3'
      VpcEndpointType: Interface
      SubnetIds:
        Fn::Split:
          - ","
          - Ref: pbSubnetIds
      SecurityGroupIds:
        - Ref: EUCSSMVPCEpSGRoupS3

Outputs:
  oEucAPIEPId:
    Value:
      Ref: EUCVPCEndpointAPI
    Description: This VPC Endpoint ID is referenced by the API Gateway
    Export:
      Name: EUCVPCEndpointAPI
  # Consumed by the inventory bucket's policy (typically an aws:SourceVpce
  # condition) so that only traffic arriving through this endpoint is allowed.
  oEucS3EPId:
    Value:
      Ref: EUCVPCEndpointS3
    Description: This VPC Endpoint ID is used to grant access to the S3 inventory bucket
    Export:
      Name: EUCVPCS3EndpointId
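Every interface endpoint in the stack above gets a security group whose only ingress is tcp/443 from the VPC CIDR, while its egress is open on all ports. The following lint is an added example written for this page, not part of the stack or of any AWS tooling: it loads a CloudFormation template (handling the `!Ref`/`!Sub` short-form tags that plain YAML loaders reject), flags security groups with all-port egress to a public CIDR, and confirms that each interface endpoint is protected by a group that limits ingress to HTTPS from a non-public range. It assumes PyYAML is installed; the embedded template is a constructed, cut-down copy of the page's pattern with one deliberately open security group so that both checks fire.

```python
"""Offline lint for the security-group posture of interface VPC endpoints.

Added example, not part of the original template. Two checks:
  1. security groups whose egress is open on every port to 0.0.0.0/0 or ::/0
     (an endpoint ENI never needs this; security groups are stateful), and
  2. interface endpoints with no attached security group limiting ingress to
     tcp/443 from a non-public CIDR. A {"Ref": param} CIDR is resolved to the
     parameter's Default when one is set, so a default of 0.0.0.0/0 is caught.
Requires PyYAML.
"""
import yaml


class CfnLoader(yaml.SafeLoader):
    """SafeLoader that keeps CloudFormation short-form tags as {tag: value} dicts."""


def _cfn_tag(loader, tag_suffix, node):
    # !Ref x -> {"Ref": "x"}; !Sub 's' -> {"Sub": "s"}; !GetAtt [a, b] -> {"GetAtt": [a, b]}
    if isinstance(node, yaml.ScalarNode):
        return {tag_suffix: loader.construct_scalar(node)}
    if isinstance(node, yaml.SequenceNode):
        return {tag_suffix: loader.construct_sequence(node)}
    return {tag_suffix: loader.construct_mapping(node)}


CfnLoader.add_multi_constructor("!", _cfn_tag)

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}
HTTPS = (443, "443")


def _resolve(value, params):
    """Turn a Ref to a parameter into its Default (if set); leave other intrinsics opaque."""
    if isinstance(value, dict):
        if "Ref" in value:
            default = params.get(value["Ref"], {}).get("Default")
            return default if default else "!Ref " + value["Ref"]
        return "<intrinsic>"  # Fn::Sub etc. are not evaluated here
    return value


def _logical_id(sg_ref):
    """Logical ID behind a SecurityGroupIds entry given as Ref/!Ref, or the raw string."""
    return sg_ref["Ref"] if isinstance(sg_ref, dict) else sg_ref


def _is_all_ports(rule):
    return rule.get("IpProtocol") in (-1, "-1") or (
        rule.get("FromPort") in (0, "0") and rule.get("ToPort") in (65535, "65535"))


def _is_private_https(rule, params):
    cidr = _resolve(rule.get("CidrIp", rule.get("CidrIpv6")), params)
    return (rule.get("IpProtocol") == "tcp" and rule.get("FromPort") in HTTPS
            and rule.get("ToPort") in HTTPS and cidr not in PUBLIC_CIDRS)


def lint_template(text):
    """Return a list of finding strings; an empty list means the template passed."""
    tpl = yaml.load(text, Loader=CfnLoader)
    params = tpl.get("Parameters", {})
    resources = tpl.get("Resources", {})
    sgs = {n: r for n, r in resources.items() if r.get("Type") == "AWS::EC2::SecurityGroup"}
    findings = []

    for name, sg in sgs.items():
        for rule in sg.get("Properties", {}).get("SecurityGroupEgress", []):
            cidr = _resolve(rule.get("CidrIp", rule.get("CidrIpv6")), params)
            if cidr in PUBLIC_CIDRS and _is_all_ports(rule):
                findings.append(f"{name}: egress open on all ports to {cidr}")

    for name, res in resources.items():
        props = res.get("Properties", {})
        if res.get("Type") != "AWS::EC2::VPCEndpoint" or props.get("VpcEndpointType") != "Interface":
            continue  # gateway endpoints have no ENI and no security group
        attached = [_logical_id(sg) for sg in props.get("SecurityGroupIds", [])]
        rules = [r for sg in attached
                 for r in sgs.get(sg, {}).get("Properties", {}).get("SecurityGroupIngress", [])]
        if not any(_is_private_https(r, params) for r in rules):
            findings.append(f"{name}: no security group limits ingress to tcp/443 from a private CIDR")
    return findings


# Constructed sample mirroring the page's pattern; OpenSG is deliberately wrong.
SAMPLE = """
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  pcCIDR: {Type: String, Default: 10.20.0.0/16}
Resources:
  EndpointSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTPS from the VPC only
      VpcId: !Ref paVPCId
      SecurityGroupEgress:
        - {IpProtocol: tcp, FromPort: 0, ToPort: 65535, CidrIp: 0.0.0.0/0}
      SecurityGroupIngress:
        - {IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: !Ref pcCIDR}
  OpenSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTPS from anywhere (bad)
      VpcId: !Ref paVPCId
      SecurityGroupIngress:
        - {IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: 0.0.0.0/0}
  SsmEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref paVPCId
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ssm'
      VpcEndpointType: Interface
      SecurityGroupIds: [!Ref EndpointSG]
  S3Endpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref paVPCId
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.s3'
      VpcEndpointType: Interface
      SecurityGroupIds: [!Ref OpenSG]
"""

if __name__ == "__main__":
    for line in lint_template(SAMPLE):
        print(line)
```

Run it against the real template with `lint_template(open("template.yaml").read())`; with the page's defaults `pcCIDR` is empty, so the ingress check reports the unresolved `!Ref pcCIDR` as non-public and passes, which is the right call for a value supplied at deploy time.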