avalanche-ops 0.6.8

avalanche-ops spec
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322

---
AWSTemplateFormatVersion: "2010-09-09"
Description: "VPC"

# takes about 6-minute

# https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/parameters-section-structure.html
Parameters:
  Id:
    Type: String
    Description: Unique identifier, prefix for all resources created below.

  VpcCidr:
    Type: String
    Default: 10.0.0.0/16
    AllowedPattern: '((\d{1,3})\.){3}\d{1,3}/\d{1,2}'
    Description: IP range (CIDR notation) for VPC, must be a valid (RFC 1918) CIDR range (from 10.0.0.0 to 10.0.255.255)

  PublicSubnetCidr1:
    Type: String
    Default: 10.0.64.0/19
    AllowedPattern: '((\d{1,3})\.){3}\d{1,3}/\d{1,2}'
    Description: CIDR block for public subnet 1 within the VPC (from 10.0.64.0 to 10.0.95.255)

  PublicSubnetCidr2:
    Type: String
    Default: 10.0.128.0/19
    AllowedPattern: '((\d{1,3})\.){3}\d{1,3}/\d{1,2}'
    Description: CIDR block for public subnet 2 within the VPC (from 10.0.128.0 to 10.0.159.255)

  PublicSubnetCidr3:
    Type: String
    Default: 10.0.192.0/19
    AllowedPattern: '((\d{1,3})\.){3}\d{1,3}/\d{1,2}'
    Description: CIDR block for public subnet 2 within the VPC (from 10.0.192.0 to 10.0.223.255)

  # limit this to your IP
  SshPortIngressIpv4Range:
    Type: String
    Default: 0.0.0.0/0
    AllowedPattern: '((\d{1,3})\.){3}\d{1,3}/\d{1,2}'
    Description: IP range for SSH inbound traffic

  # limit this to your IP
  HttpPortIngressIpv4Range:
    Type: String
    Default: 0.0.0.0/0
    AllowedPattern: '((\d{1,3})\.){3}\d{1,3}/\d{1,2}'
    Description: IP range for HTTP inbound traffic

  HttpPort:
    Type: Number
    Default: 9650
    Description: HTTP port

  StakingPortIngressIpv4Range:
    Type: String
    Default: 0.0.0.0/0
    AllowedPattern: '((\d{1,3})\.){3}\d{1,3}/\d{1,2}'
    Description: IP range for SSH/HTTP inbound traffic

  StakingPort:
    Type: Number
    Default: 9651
    Description: HTTP port

Conditions:
  Has2Azs:
    Fn::Or:
      - Fn::Equals:
          - { Ref: "AWS::Region" }
          - ap-south-1
      - Fn::Equals:
          - { Ref: "AWS::Region" }
          - ap-northeast-2
      - Fn::Equals:
          - { Ref: "AWS::Region" }
          - ca-central-1
      - Fn::Equals:
          - { Ref: "AWS::Region" }
          - cn-north-1
      - Fn::Equals:
          - { Ref: "AWS::Region" }
          - sa-east-1
      - Fn::Equals:
          - { Ref: "AWS::Region" }
          - us-west-1

  HasMoreThan2Azs:
    Fn::Not:
      - Condition: Has2Azs

Resources:
  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: !Join ["-", [!Ref Id, "igw"]]

  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: !Ref VpcCidr
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: !Join ["-", [!Ref Id, "vpc"]]

  VPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    DependsOn:
      - VPC
      - InternetGateway
    Properties:
      InternetGatewayId: !Ref InternetGateway
      VpcId: !Ref VPC

  # The instances must be in a subnet with outbound internet access.
  # Can be a public subnet with an auto-assigned public ipv4 address.
  # Or it can be a private subnet with a NAT Gateway.
  PublicSubnet1:
    Type: AWS::EC2::Subnet
    DependsOn:
      - VPC
      - VPCGatewayAttachment
    Metadata:
      Comment: Public Subnet 1
    Properties:
      AvailabilityZone: !Select [0, !GetAZs ]
      CidrBlock: !Ref PublicSubnetCidr1
      MapPublicIpOnLaunch: true
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Join ["-", [!Ref Id, "public-subnet-1"]]
        - Key: Network
          Value: Public

  PublicSubnet2:
    Type: AWS::EC2::Subnet
    DependsOn:
      - VPC
      - VPCGatewayAttachment
    Metadata:
      Comment: Public Subnet 2
    Properties:
      AvailabilityZone: !Select [1, !GetAZs ]
      CidrBlock: !Ref PublicSubnetCidr2
      MapPublicIpOnLaunch: true
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Join ["-", [!Ref Id, "public-subnet-2"]]
        - Key: Network
          Value: Public

  PublicSubnet3:
    Condition: HasMoreThan2Azs
    Type: AWS::EC2::Subnet
    DependsOn:
      - VPC
      - VPCGatewayAttachment
    Metadata:
      Comment: Public Subnet 3
    Properties:
      AvailabilityZone: !Select [2, !GetAZs ]
      CidrBlock: !Ref PublicSubnetCidr3
      MapPublicIpOnLaunch: true
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Join ["-", [!Ref Id, "public-subnet-3"]]
        - Key: Network
          Value: Public

  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    DependsOn:
      - VPC
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Join ["-", [!Ref Id, "public-round-table"]]
        - Key: Network
          Value: Public

  PublicRoute:
    Type: AWS::EC2::Route
    DependsOn:
      - VPC
      - VPCGatewayAttachment
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway

  PublicSubnet1RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    DependsOn:
      - VPC
      - VPCGatewayAttachment
      - PublicSubnet1
    Properties:
      SubnetId: !Ref PublicSubnet1
      RouteTableId: !Ref PublicRouteTable

  PublicSubnet2RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    DependsOn:
      - VPC
      - VPCGatewayAttachment
      - PublicSubnet2
    Properties:
      SubnetId: !Ref PublicSubnet2
      RouteTableId: !Ref PublicRouteTable

  PublicSubnet3RouteTableAssociation:
    Condition: HasMoreThan2Azs
    Type: AWS::EC2::SubnetRouteTableAssociation
    DependsOn:
      - VPC
      - VPCGatewayAttachment
      - PublicSubnet3
    Properties:
      SubnetId: !Ref PublicSubnet3
      RouteTableId: !Ref PublicRouteTable

  # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html
  SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    DependsOn:
      - VPC
      - VPCGatewayAttachment
    Properties:
      GroupName: !Join ["-", [!Ref Id, "security-group"]]
      GroupDescription: Secured communication
      VpcId: !Ref VPC

  # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group-ingress.html
  SshIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref SecurityGroup
      IpProtocol: tcp
      FromPort: 22
      ToPort: 22
      CidrIp: !Ref SshPortIngressIpv4Range

  HttpIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref SecurityGroup
      IpProtocol: tcp
      FromPort: !Ref HttpPort
      ToPort: !Ref HttpPort
      CidrIp: !Ref HttpPortIngressIpv4Range

  StakingIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref SecurityGroup
      IpProtocol: tcp
      FromPort: !Ref StakingPort
      ToPort: !Ref StakingPort
      CidrIp: !Ref StakingPortIngressIpv4Range

  # allow all outbound traffic
  Egress:
    Type: AWS::EC2::SecurityGroupEgress
    Properties:
      GroupId: !Ref SecurityGroup
      IpProtocol: "-1"
      FromPort: "1"
      ToPort: "65535"
      CidrIp: "0.0.0.0/0"

Outputs:
  VpcId:
    Description: VPC ID
    Value: !Ref VPC

  SecurityGroupId:
    Description: Security group ID
    Value: !Ref SecurityGroup

  PublicSubnetIds:
    Description: All public subnet IDs in the VPC
    Value:
      Fn::If:
        - HasMoreThan2Azs
        - !Join [
            ",",
            [!Ref PublicSubnet1, !Ref PublicSubnet2, !Ref PublicSubnet3],
          ]
        - !Join [",", [!Ref PublicSubnet1, !Ref PublicSubnet2]]

  PublicSubnetId1Az:
    Description: AZ.
    Value:
      Fn::Select:
        - 0
        - Fn::GetAZs: ""

  PublicSubnetId2Az:
    Description: AZ.
    Value:
      Fn::Select:
        - 1
        - Fn::GetAZs: ""

  PublicSubnetId3Az:
    Description: AZ.
    Value:
      Fn::If:
        - HasMoreThan2Azs
        - Fn::Select:
            - 2
            - Fn::GetAZs: ""
        - ""