Version 7 (widdix#178)

[Security] jenkins/* - Update Jenkins to 2.121.2 [Security] wordpress/* - Update WordPress to 4.9.6 [New Template] vpc/vpc-vpn-bastion - VPN bastion host [Improvement] static-website/static-website - use Lambda@Edge for redirects and Origin Access Identity [Improvement] * - Migrate to Amazon Linux 2 [Improvement] * - Added SSM support [Improvement] * - Using zone templates instead of zone ids and support for APEX domains [Improvement] wordpress/* - Tune php settings
jcruzcruz · Jul 19, 2018 · 3562fa5 · 3562fa5
1 parent 8b8e3f1
commit 3562fa5
Show file tree

Hide file tree

Showing 64 changed files with 2,705 additions and 918 deletions.
diff --git a/README.md b/README.md
@@ -1,11 +1,22 @@
 [![Build Status](https://travis-ci.org/widdix/aws-cf-templates.svg?branch=master)](https://travis-ci.org/widdix/aws-cf-templates)
 
 # Free Templates for AWS CloudFormation
-
 Find the documentation for the **latest stable release** here: http://templates.cloudonaut.io/en/stable/
 
 Find the documentation for the **unstable master branch** here: http://templates.cloudonaut.io/en/latest/
 
+## Related projects
+
+### widdix CLI
+widdix, a CLI tool to manage Free Templates for AWS CloudFormation.
+
+Learn more: https://github.com/widdix/aws-cf-templates-cli
+
+### cfn-modules
+Easy-going CloudFormation: Modular, production ready, open source.
+
+Learn more: https://github.com/cfn-modules/docs
+
 ## License
 All templates are published under Apache License Version 2.0.
 

diff --git a/docs/cli.md b/docs/cli.md
@@ -0,0 +1,150 @@
+# widdix CLI
+
+`widdix`, a CLI tool to manage Free Templates for AWS CloudFormation hosted on [GitHub](https://github.com/widdix/aws-cf-templates-cli).
+
+> The widdix CLI is compatible with templates >= v6.13.0
+
+## Install
+
+Download the latest binary for your operating system: https://github.com/widdix/aws-cf-templates-cli/releases
+
+### MacOS
+
+```
+chmod 755 widdix-macos
+mv widdix-macos /usr/local/bin/widdix
+widdix -v
+```
+
+### Linux
+
+```
+chmod 755 widdix-linux
+mv widdix-linux /usr/local/bin/widdix
+widdix -v
+```
+
+### Windows
+
+TODO
+
+## AWS Authorization & Authentication (IAM)
+
+### --env
+
+If you append the `--env` parameter, the following environment variables are used: `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`
+
+### --profile=<name>
+
+If you append the `--profile=<name>` parameter, the profile is loaded from ` ~/.aws/credentials` (MFA is supported).
+
+### --all-profiles
+
+If you append the `--all-profiles` parameter, all profiles from ` ~/.aws/credentials` are loaded (MFA is supported).
+
+### default
+
+If nothing is specified, the [AWS SDK for Node.js default behavior](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/setting-credentials-node.html) applies.
+
+## Available Commands
+
+### List
+
+To list all your stacks in an AWS account, run:
+
+```
+widdix list
+```
+
+A sample output looks like this:
+
+```
+-----------------------------------------------------------------------------------------------------------------------------------------
+| Stack Account | Stack Region | Stack Name              | Template ID                        | Template Version       | Template Drift |
+-----------------------------------------------------------------------------------------------------------------------------------------
+| 123456789123  | eu-west-1    | operations-alert        | operations/alert                   | 6.14.0                 | false          |
+| 123456789123  | eu-west-1    | jenkins-vpc-auth-proxy  | security/auth-proxy-ha-github-orga | 6.14.0                 | false          |
+| 123456789123  | eu-west-1    | jenkins-ha-agents       | jenkins/jenkins2-ha-agents         | 6.13.0 (latest 6.14.0) | false          |
+| 123456789123  | eu-west-1    | jenkins-vpc-ssh-bastion | vpc/vpc-ssh-bastion                | 6.14.0                 | false          |
+| 123456789123  | eu-west-1    | jenkins-vpc-2azs        | vpc/vpc-2azs                       | 6.14.0                 | false          |
+-----------------------------------------------------------------------------------------------------------------------------------------
+```
+
+To filter a AWS single region, run:
+
+```
+widdix list --region=us-east-1
+```
+
+#### Columns
+
+| Column           | Description                                                                            |
+| ---------------- | -------------------------------------------------------------------------------------- |
+| Stack Account    | AWS account alias or ID.                                                               |
+| Stack Region     | AWS region, like `us-east-1`.                                                          |
+| Stack Name       | Name of AWS CloudFormation stack.                                                      |
+| Template ID      | Template id, like `vpc/vpc-2azs`.                                                      |
+| Template Version | Current version of the template. If an update is available it is added in parentheses. |
+| Template Drift   | If you modified the template drift is detected.                                        |
+
+### Graph
+
+![Graph](graph.png)
+
+To generate a graph in [DOT](https://graphviz.gitlab.io/_pages/doc/info/lang.html) format of your stacks in an AWS account, run:
+
+```
+widdix graph
+```
+
+To filter a single AWS region, run:
+
+```
+widdix graph --region=us-east-1
+```
+
+Do visualize the graph in a png file, pipe stdout to `dot`:
+
+```
+widdix graph | dot -Tpng > graph.png
+```
+
+If you don't have `dot` installed, you can also use Docker:
+
+```
+widdix graph | docker run -i robhaswell/dot-docker -Tpng > graph.png
+```
+
+### Update
+
+If a new version of the template is released, you can update your existing stacks. To update all stacks in interactive mode, run:
+
+```
+widdix update
+```
+
+The update behaves as follows:
+
+1. If no updates are available, an error is thrown.
+1. If template drift is detected we do not recommend to update! You have to confirm this potentially destructive action by typing `yes`.
+1. Planed changes (using AWS CloudFormation change sets) that are necessary to migrate to the new version are displayed. 
+1. You have to confirm the changes by typing `yes`.
+1. Changes are applied and CloudWatch events are streamed to your screen.
+
+You can filter AWS CloudFormation stacks based on region and/or AWS CloudFormation stack name like this:
+
+```
+widdix update --region=us-east-1 --stack-name=vpc
+```
+
+## Config
+
+### Proxy
+
+The `HTTPS_PROXY` environment variable is used if set.
+
+## Debug
+
+If something goes wrong, a log file (`widdix.log`) is written to the current working directory.
+
+If you append the `--debug` parameter the log will be more verbose.
diff --git a/docs/ec2.md b/docs/ec2.md
@@ -1,5 +1,7 @@
 <iframe src="https://ghbtns.com/github-btn.html?user=widdix&repo=aws-cf-templates&type=star&count=true&size=large" frameborder="0" scrolling="0" width="160px" height="30px"></iframe>
 
+> **New**: Manage Free Templates for AWS CloudFormation with the [widdix CLI](../cli/)
+
 # EC2 with auto-recovery
 This template describes an EC2 instance with auto-recovery. If the instance fails it will be replaced automatically. All data stored on EBS volumes will still be available. The public and private IP address won't change. Auto-recovery does only work inside of a single availability zone (AZ).
 
@@ -19,7 +21,7 @@ This template describes an EC2 instance with auto-recovery. If the instance fail
 
 ## Dependencies
 * `vpc/vpc-*azs.yaml` (**required**)
-* `vpc/vpc-ssh-bastion.yaml` (recommended)
+* `vpc/vpc-*-bastion.yaml` (recommended)
 * `operations/alert.yaml` (recommended)
 
 ## Limitations

diff --git a/docs/ecs.md b/docs/ecs.md
@@ -1,5 +1,7 @@
 <iframe src="https://ghbtns.com/github-btn.html?user=widdix&repo=aws-cf-templates&type=star&count=true&size=large" frameborder="0" scrolling="0" width="160px" height="30px"></iframe>
 
+> **New**: Manage Free Templates for AWS CloudFormation with the [widdix CLI](../cli/)
+
 [EC2 Container Service (ECS)](https://aws.amazon.com/ecs/) is a highly scalable, fast, container management service that makes it easy to run, stop, and manage Docker containers on a cluster of Amazon EC2 instances. To run an application on ECS you need the following components:
 
 * Docker image published to [Docker Hub](https://hub.docker.com/) or [EC2 Container Registry (ECR)](https://aws.amazon.com/ecr/)
@@ -26,7 +28,7 @@ This template describes a fault tolerant and scalable ECS cluster on AWS. The cl
 
 ## Dependencies
 * `vpc/vpc-*azs.yaml` (**required**)
-* `vpc/vpc-ssh-bastion.yaml` (recommended)
+* `vpc/vpc-*-bastion.yaml` (recommended)
 * `security/auth-proxy-*.yaml`
 * `operations/alert.yaml` (recommended)
 

diff --git a/docs/img/static-website.png b/docs/img/static-website.png
diff --git a/docs/img/vpc-vpn-bastion-macos.png b/docs/img/vpc-vpn-bastion-macos.png
diff --git a/docs/img/vpc-vpn-bastion-windows1.png b/docs/img/vpc-vpn-bastion-windows1.png
diff --git a/docs/img/vpc-vpn-bastion-windows2.png b/docs/img/vpc-vpn-bastion-windows2.png
diff --git a/docs/index.md b/docs/index.md
@@ -14,6 +14,14 @@ Your source for free [AWS CloudFormation](https://aws.amazon.com/cloudformation/
     * Operations friendly: provide tools like logging, monitoring and alerting to recognize and debug problems
 * Premium Support available: Get help in case of small and big emergencies and submit a feature request.
 
+# Related projects
+
+## widdix CLI
+[widdix, a CLI tool to manage Free Templates for AWS CloudFormation](./cli/).
+
+## cfn-modules
+[Easy-going CloudFormation](https://github.com/cfn-modules/docs): Modular, production ready, open source.
+
 # Infrastructure Templates
 Choose from our template catalog:
 

diff --git a/docs/jenkins.md b/docs/jenkins.md
@@ -1,5 +1,7 @@
 <iframe src="https://ghbtns.com/github-btn.html?user=widdix&repo=aws-cf-templates&type=star&count=true&size=large" frameborder="0" scrolling="0" width="160px" height="30px"></iframe>
 
+> **New**: Manage Free Templates for AWS CloudFormation with the [widdix CLI](../cli/)
+
 ![Demo](./img/jenkins-demo.gif)
 
 # Jenkins 2.0: highly available master
@@ -21,7 +23,7 @@ This template describes a Jenkins master in a highly available manner. If the ma
 
 ## Dependencies
 * `vpc/vpc-*azs.yaml` (**required**)
-* `vpc/vpc-ssh-bastion.yaml` (recommended)
+* `vpc/vpc-*-bastion.yaml` (recommended)
 * `security/auth-proxy-*.yaml`
 * `operations/alert.yaml` (recommended)
 
@@ -48,10 +50,11 @@ This template describes a Jenkins master in a highly available manner. If the ma
 
 ## Dependencies
 * `vpc/vpc-*azs.yaml` (**required**)
-* `vpc/vpc-ssh-bastion.yaml` (recommended)
+* `vpc/vpc-*-bastion.yaml` (recommended)
 * `security/auth-proxy-*.yaml`
 * `operations/alert.yaml` (recommended)
 
 ## Limitations
 * Jenkins will only run in two Availability Zones, even if your VPC stack has more.
+* Stack updates only work if no agents are running. Scale to zero agents before you update the stack!
 * No backup
diff --git a/docs/migrate-v4.md b/docs/migrate-v4.md
@@ -1,5 +1,7 @@
 <iframe src="https://ghbtns.com/github-btn.html?user=widdix&repo=aws-cf-templates&type=star&count=true&size=large" frameborder="0" scrolling="0" width="160px" height="30px"></iframe>
 
+> **New**: Manage Free Templates for AWS CloudFormation with the [widdix CLI](../cli/)
+
 # Migrate from v3 to v4
 
 There is a breaking change in the VPC layout going from v3 to v4. This change enables HA NAT Gateway/Instance (https://github.com/widdix/aws-cf-templates/issues/65). Updating your VPC will cause connectivity interruptions to the Internet in `SubnetBPrivate`, `SubnetCPrivate`, and `SubnetDPrivate` until you created new NAT Gateway/Instance for each `SubnetZone` in step 3b.

diff --git a/docs/migrate-v5.md b/docs/migrate-v5.md
@@ -1,5 +1,7 @@
 <iframe src="https://ghbtns.com/github-btn.html?user=widdix&repo=aws-cf-templates&type=star&count=true&size=large" frameborder="0" scrolling="0" width="160px" height="30px"></iframe>
 
+> **New**: Manage Free Templates for AWS CloudFormation with the [widdix CLI](../cli/)
+
 # Migrate from v4 to v5
 
 There are two smaller breaking changes:

diff --git a/docs/migrate-v6.md b/docs/migrate-v6.md
@@ -1,5 +1,7 @@
 <iframe src="https://ghbtns.com/github-btn.html?user=widdix&repo=aws-cf-templates&type=star&count=true&size=large" frameborder="0" scrolling="0" width="160px" height="30px"></iframe>
 
+> **New**: Manage Free Templates for AWS CloudFormation with the [widdix CLI](../cli/)
+
 # Migrate from v5 to v6
 
 There is one smaller breaking change that affects mostly all templates: The optional parameter `NewRelicLicenseKey` was removed.

diff --git a/docs/migrate-v7.md b/docs/migrate-v7.md
@@ -0,0 +1,56 @@
+<iframe src="https://ghbtns.com/github-btn.html?user=widdix&repo=aws-cf-templates&type=star&count=true&size=large" frameborder="0" scrolling="0" width="160px" height="30px"></iframe>
+
+> **New**: Manage Free Templates for AWS CloudFormation with the [widdix CLI](../cli/)
+
+# Migrate from v6 to v7
+
+## ec2/ec2-auto-recovery, security/auth-proxy-ha-github-orga, vpc/vpc-ssh-bastion
+
+1. Amazon Linux is updated to Amazon Linux 2.
+2. The parameter `SubDomainName` was renamed to `SubDomainNameWithDot` and now expects that your name end with a dot. E.g., if the value of `SubDomainName` is `ssh.`, set `SubDomainNameWithDot` to `ssh.`.
+3. `SystemsManagerAccess` will be enabled by default.
+
+## ecs/service-cluster-alb, ecs/service-dedicated-alb, vpc/vpc-nat-instance
+
+1. The parameter `SubDomainName` was renamed to `SubDomainNameWithDot` and now expects that your name end with a dot. E.g., if the value of `SubDomainName` is `ssh.`, set `SubDomainNameWithDot` to `ssh.`.
+
+## jenkins/jenkins-*
+
+1. Amazon Linux is updated to Amazon Linux 2.
+2. The parameter `SubDomainName` was renamed to `SubDomainNameWithDot` and now expects that your name end with a dot. E.g., if the value of `SubDomainName` is `ssh.`, set `SubDomainNameWithDot` to `ssh.`.
+3. `SystemsManagerAccess` will be enabled by default.
+4. The parameter `JenkinsVersion` was removed to make updates possible.
+
+## static-website/static-website
+
+The new static website makes use of Lambda@Edge.
+
+1. For each `static-website/static-website` stack, you have to create an additional stack in `us-east-1` based on the new `static-website/lambdaedge-index-document.yaml` template. [Learn more](../static-website/)
+2. If you are using the `RedirectDomainName` parameter in `static-website/static-website`, update the stack with the new template version and remove the `RedirectDomainName` parameter value. After the stack is updated (usually takes 15-30 mins because of CloudFront!), continue with the next step.
+3. The optional parameter `LambdaEdgeSubdirectoriesVersionArn` was added. The value should be the `LambdaVersionArn` output of the `static-website/lambdaedge-index-document` stack.
+4. The `DefaultRootObject` parameter was added but is only used if `LambdaEdgeSubdirectoriesVersionArn` is not set. Usually you will set this to something like `index.html` which is the default as well.
+5. The following parameters have been removed:
+    1. `DomainName` is replaced by `SubDomainNameWithDot` and now expects that your name end with a dot. E.g., if the value of `SubDomainName` is `ssh.`, set `SubDomainNameWithDot` to `ssh.`.
+    2. `RedirectDomainName` is replaced by `EnableRedirectSubDomainName` and `RedirectSubDomainNameWithDot`. If you want to have a second domain to redirect to the primary domain, enable `EnableRedirectSubDomainName` and provide the `RedirectSubDomainNameWithDot` as well.
+    3. `HostedZoneId` is replaced by `ParentZoneStack`
+
+## vpc/vpc-*azs-legacy
+
+1. The parameter `CidrBlock` was added and will replace `ClassB` in v8. E.g., if the value of `CidrBlock` is `100`, set `CidrBlock` to `10.100.0.0/16`.
+
+## vpc/vpc-ssh-bastion
+
+1. Before you can update stacks based on `vpc/vpc-ssh-bastion` you have to set all `ParentSSHBastionStack` parameters of other stacks to an empty value, update the bastion host stack, and then set the `ParentSSHBastionStack` parameter values back to the previous value.
+
+## wordpress/wordpress-ha*
+
+1. Amazon Linux is updated to Amazon Linux 2.
+2. The parameter `DomainName` was renamed to `SubDomainNameWithDot` and `ParentZoneStack` is now required (was optional before). E.g., if the value of `DomainName` is `www.widdix.de`, set `SubDomainNameWithDot` to `www.` and the `ParentZoneStack` should have the `Name` parameter set to `widdix.de`.
+3. The parameter `SubDomainName` is replaced by `SubDomainNameWithDot`. E.g., if the value of `SubDomainName` is `ssh.`, set `SubDomainNameWithDot` to `ssh.`.
+4. The parameter `DBMasterUserPassword` was added (was hard coded to `wordpress` before).
+5. `SystemsManagerAccess` will be enabled by default.
+6. The parameter `BlogVersion` was removed to make updates possible.
+
+# Deprecation warnings
+
+* vpc/vpc-*azs-legacy: Paramater `ClassB` and output `ClassB` will be removed in the next version (v8).
diff --git a/docs/operations.md b/docs/operations.md
@@ -1,5 +1,7 @@
 <iframe src="https://ghbtns.com/github-btn.html?user=widdix&repo=aws-cf-templates&type=star&count=true&size=large" frameborder="0" scrolling="0" width="160px" height="30px"></iframe>
 
+> **New**: Manage Free Templates for AWS CloudFormation with the [widdix CLI](../cli/)
+
 # Alert topic
 This template describes a SNS topic that can be used by many other templates to receive alerts. You can add one or multiple subscribers to this topic and they will all receive the same alerts. Supported transports are:
 * Email

diff --git a/docs/security.md b/docs/security.md
@@ -1,5 +1,7 @@
 <iframe src="https://ghbtns.com/github-btn.html?user=widdix&repo=aws-cf-templates&type=star&count=true&size=large" frameborder="0" scrolling="0" width="160px" height="30px"></iframe>
 
+> **New**: Manage Free Templates for AWS CloudFormation with the [widdix CLI](../cli/)
+
 # S3 VirusScan
 This template creates a Antivirus cluster for S3 buckets. You can connect as many buckets as you like by using [S3 Event Notifications](http://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html). The template has it's own repository: [aws-s3-virusscan](https://github.com/widdix/aws-s3-virusscan)
 
@@ -58,7 +60,7 @@ This template describes a **highly available** authentication proxy that forward
 
 ## Dependencies
 * `vpc/vpc-*azs.yaml` (**required**)
-* `vpc/vpc-ssh-bastion.yaml` (recommended)
+* `vpc/vpc-*-bastion.yaml` (recommended)
 * `operations/alert.yaml` (recommended)
 
 ## Limitations