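AWSTemplateFormatVersion: 2010-09-09
Description: >-
  One EC2 instance acting as the local ("left") end of an IPsec site-to-site
  tunnel to a fixed remote peer ("right"). The instance is bootstrapped at first
  boot from a setup script downloaded out of S3 and handed the tunnel parameters.

Parameters:
  KeyName:
    Description: Name of an existing EC2 KeyPair to enable SSH access to the instance
    Type: 'AWS::EC2::KeyPair::KeyName'
    ConstraintDescription: must be the name of an existing EC2 KeyPair.
  InstanceType:
    Description: IpsecVPN EC2 instance type
    Type: String
    Default: t2.micro
    # Must stay in step with the AWSInstanceType2Arch mapping below (c5.large
    # was mapped but not selectable).
    AllowedValues:
      - t2.micro
      - c4.large
      - c5.large
    ConstraintDescription: must be a valid EC2 instance type.
  VpcId:
    Type: 'AWS::EC2::VPC::Id'
    Description: VpcId of your existing Virtual Private Cloud (VPC)
    ConstraintDescription: must be the VPC Id of an existing Virtual Private Cloud.
  SubnetId:
    Type: 'AWS::EC2::Subnet::Id'
    Description: SubnetId of an existing public subnet in your Virtual Private Cloud (VPC)
    ConstraintDescription: must be an existing public subnet in the selected Virtual Private Cloud.
  SSHLocation:
    Description: >-
      IPv4 CIDR allowed to reach the gateway over SSH (tcp/22). The default keeps
      the original world-open rule for compatibility; narrow it to an admin range.
    Type: String
    Default: 0.0.0.0/0
    AllowedPattern: '^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$'
    ConstraintDescription: must be an IPv4 CIDR of the form x.x.x.x/x.
  PSK:
    Description: >-
      IKE pre-shared key shared with the remote peer. It is delivered through
      UserData, so it is readable from the instance metadata service and by any
      principal allowed ec2:DescribeInstanceAttribute on the instance; if the
      setup script can read it from SSM Parameter Store or Secrets Manager, pass
      a reference instead of the key itself.
    Type: String
    NoEcho: true  # keep the key out of DescribeStacks, console and event output
    # Allow-list excludes quotes, backslash, $, backtick and whitespace so the
    # value can be single-quoted verbatim on the command line in UserData.
    AllowedPattern: '^[A-Za-z0-9!@#%^&*()_+=.,:;?~/-]{16,128}$'
    ConstraintDescription: >-
      16-128 characters from A-Z a-z 0-9 ! @ # % ^ & * ( ) _ + = . , : ; ? ~ / -
      (no quotes, backslash, $, backtick or whitespace).
  RightPublicIp:
    Type: String
    Description: Peering public ip address
    # Also what the IKE/ESP ingress rules are pinned to, so it must be a single IPv4 address.
    AllowedPattern: '^(\d{1,3}\.){3}\d{1,3}$'
    ConstraintDescription: must be an IPv4 address of the form x.x.x.x.
  LeftSubnet:
    Type: String
    Description: Local (AWS-side) subnet announced over the tunnel, as an IPv4 CIDR
    AllowedPattern: '^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$'
    ConstraintDescription: must be an IPv4 CIDR of the form x.x.x.x/x.
  RightSubnet:
    Type: String
    Description: Remote subnet reachable through the tunnel, as an IPv4 CIDR (also used as a security-group source)
    AllowedPattern: '^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$'
    ConstraintDescription: must be an IPv4 CIDR of the form x.x.x.x/x.
  VpnSetupSha256:
    Description: >-
      Expected SHA-256 (hex) of vpnsetup.sh. When non-empty the downloaded script
      is verified before it is executed; leave empty to skip verification (not
      recommended - the script runs as root).
    Type: String
    Default: ''
    AllowedPattern: '^([0-9a-fA-F]{64})?$'
    ConstraintDescription: must be empty or a 64-character hex SHA-256 digest.

Mappings:
  AWSInstanceType2Arch:
    t2.micro:
      Arch: HVM64
    c4.large:
      Arch: HVM64
    c5.large:
      Arch: HVM64
  AWSRegionMap:
    cn-north-1: # Beijing (China)
      HVM64: ami-03ae67ee227d997be
      AWSARN: aws-cn
      DownloadS3Region: cn-northwest-1
      S3Domain: amazonaws.com.cn
    cn-northwest-1: # Ningxia (China)
      HVM64: ami-00d2f9d34d345da04
      AWSARN: aws-cn
      DownloadS3Region: cn-northwest-1
      S3Domain: amazonaws.com.cn

Resources:
  SecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      VpcId: !Ref VpcId
      GroupDescription: IPsec gateway - IKE/ESP from the peer, SSH from SSHLocation, all traffic from the remote subnet
      SecurityGroupIngress:
        # Kept from the original: anything sourced from the remote subnet. The
        # group filters the outer (ESP) packet, so this rule presumably only
        # matters for un-tunnelled traffic from that range - confirm before relying on it.
        - IpProtocol: '-1'
          FromPort: '-1'
          ToPort: '-1'
          CidrIp: !Ref RightSubnet
        # ESP (IP protocol 50): only the configured peer may speak IPsec to us.
        - IpProtocol: '50'
          FromPort: '-1'
          ToPort: '-1'
          CidrIp: !Sub '${RightPublicIp}/32'
        # IKE (udp/500) and NAT-T (udp/4500), likewise pinned to the peer.
        - IpProtocol: udp
          FromPort: '500'
          ToPort: '500'
          CidrIp: !Sub '${RightPublicIp}/32'
        - IpProtocol: udp
          FromPort: '4500'
          ToPort: '4500'
          CidrIp: !Sub '${RightPublicIp}/32'
        # ICMP is deliberately left open: "fragmentation needed" messages used for
        # path-MTU discovery across the tunnel come from intermediate routers, not
        # from the peer address.
        - IpProtocol: icmp
          FromPort: '-1'
          ToPort: '-1'
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: '22'
          ToPort: '22'
          CidrIp: !Ref SSHLocation

  IpsecEIP:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc

  # Without this association the EIP was allocated but never attached: the
  # instance came up on an auto-assigned public address while the setup script
  # was told the (unused) EIP was its own.
  IpsecEIPAssociation:
    Type: AWS::EC2::EIPAssociation
    Properties:
      AllocationId: !GetAtt IpsecEIP.AllocationId
      InstanceId: !Ref EC2Instance

  EC2Instance:
    Type: 'AWS::EC2::Instance'
    Properties:
      ImageId: !FindInMap
        - AWSRegionMap
        - !Ref 'AWS::Region'
        - !FindInMap
          - AWSInstanceType2Arch
          - !Ref InstanceType
          - Arch
      InstanceType: !Ref InstanceType
      KeyName: !Ref KeyName
      # A VPN gateway forwards packets not addressed to itself; EC2 would
      # otherwise drop them.
      SourceDestCheck: 'false'
      Tags:
        - Key: Name
          Value: IpsecInstance
      NetworkInterfaces:
        - AssociatePublicIpAddress: 'true'
          DeviceIndex: '0'
          GroupSet:
            - !Ref SecurityGroup
          SubnetId: !Ref SubnetId
      # Bootstrap: fetch the setup script, optionally verify it, run it with the
      # tunnel parameters. Every ${...} below is expanded by Fn::Sub at deploy
      # time, not by the shell; the AllowedPatterns above keep the values free of
      # quote and shell-metacharacters so single-quoting them is sufficient.
      UserData:
        Fn::Base64: !Sub
          - |
            #!/bin/bash -e
            # No -x: a command trace would copy the PSK into /var/log/cloud-init-output.log.
            wget -q -O /root/vpnsetup.sh 'https://ipsecvpn.s3.${Region}.${Domain}/vpnsetup.sh'
            if [ -n '${VpnSetupSha256}' ]; then
              echo '${VpnSetupSha256}  /root/vpnsetup.sh' | sha256sum -c -
            fi
            /bin/bash /root/vpnsetup.sh '${PSK}' '${LeftPublicIp}' '${RightPublicIp}' '${LeftSubnet}' '${RightSubnet}'
          - PSK: !Ref PSK
            LeftPublicIp: !Ref IpsecEIP
            RightPublicIp: !Ref RightPublicIp
            LeftSubnet: !Ref LeftSubnet
            RightSubnet: !Ref RightSubnet
            VpnSetupSha256: !Ref VpnSetupSha256
            # Same URL the original hard-coded for both mapped regions; now
            # driven by the mapping so a new region only needs a mapping entry.
            Region: !FindInMap [AWSRegionMap, !Ref 'AWS::Region', DownloadS3Region]
            Domain: !FindInMap [AWSRegionMap, !Ref 'AWS::Region', S3Domain]

Outputs:
  VpnPublicIp:
    Description: Elastic IP of the IPsec gateway - configure this as the peer address on the remote side
    Value: !Ref IpsecEIP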