We Keep Coding

Fail to create AWS CloudFormation "Get Started" example stack

I am trying to learn CloudFormation and following the "Get Started" tutorial. But for some reason, I can't really finish the task of creating this example stack using the provided template in my AWS account.
During the test, I first got the error "No subnets found for the default VPC 'vpc-4f2acc28'. Please specify a subnet." and solved it by modifying the example template to add "SubnetId" in the Properties of "WebServer" under "Resource" section. Then I got the error "The parameter groupName cannot be used with the parameter subnet" and solved it by using "SecurityGroupIds" instead of "SecurityGroups".
And last, I got the error "Failed to receive 1 resource signal(s) within the specified duration". Since this error message doesn't give much information, I can't really figure out how to solve it.
This is just the basic tutorial and I guess many people have gone through it. Does anyone know what is the problem?
This is the template I am using(just small changes I mentioned above made on the original example template):
{
"AWSTemplateFormatVersion" : "2010-09-09",
"Description" : "AWS CloudFormation Sample Template WordPress_Single_Instance: WordPress is web software you can use to create a beautiful website or blog. This template installs WordPress with a local MySQL database for storage. It demonstrates using the AWS CloudFormation bootstrap scripts to deploy WordPress. **WARNING** This template creates an Amazon EC2 instance. You will be billed for the AWS resources used if you create a stack from this template.",
"Parameters" : {
"KeyName": {
"Description" : "Name of an existing EC2 KeyPair to enable SSH access to the instances",
"Type": "AWS::EC2::KeyPair::KeyName",
"ConstraintDescription" : "must be the name of an existing EC2 KeyPair."
},
"InstanceType" : {
"Description" : "WebServer EC2 instance type",
"Type" : "String",
"Default" : "t2.small",
"AllowedValues" : [ "t1.micro", "t2.nano", "t2.micro", "t2.small", "t2.medium", "t2.large", "m1.small", "m1.medium", "m1.large", "m1.xlarge", "m2.xlarge", "m2.2xlarge", "m2.4xlarge", "m3.medium", "m3.large", "m3.xlarge", "m3.2xlarge", "m4.large", "m4.xlarge", "m4.2xlarge", "m4.4xlarge", "m4.10xlarge", "c1.medium", "c1.xlarge", "c3.large", "c3.xlarge", "c3.2xlarge", "c3.4xlarge", "c3.8xlarge", "c4.large", "c4.xlarge", "c4.2xlarge", "c4.4xlarge", "c4.8xlarge", "g2.2xlarge", "g2.8xlarge", "r3.large", "r3.xlarge", "r3.2xlarge", "r3.4xlarge", "r3.8xlarge", "i2.xlarge", "i2.2xlarge", "i2.4xlarge", "i2.8xlarge", "d2.xlarge", "d2.2xlarge", "d2.4xlarge", "d2.8xlarge", "hi1.4xlarge", "hs1.8xlarge", "cr1.8xlarge", "cc2.8xlarge", "cg1.4xlarge"]
,
"ConstraintDescription" : "must be a valid EC2 instance type."
},
"SSHLocation": {
"Description": "The IP address range that can be used to SSH to the EC2 instances",
"Type": "String",
"MinLength": "9",
"MaxLength": "18",
"Default": "0.0.0.0/0",
"AllowedPattern": "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})",
"ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x."
},
"DBName" : {
"Default": "wordpressdb",
"Description" : "The WordPress database name",
"Type": "String",
"MinLength": "1",
"MaxLength": "64",
"AllowedPattern" : "[a-zA-Z][a-zA-Z0-9]*",
"ConstraintDescription" : "must begin with a letter and contain only alphanumeric characters."
},
"DBUser" : {
"NoEcho": "true",
"Description" : "The WordPress database admin account username",
"Type": "String",
"MinLength": "1",
"MaxLength": "16",
"AllowedPattern" : "[a-zA-Z][a-zA-Z0-9]*",
"ConstraintDescription" : "must begin with a letter and contain only alphanumeric characters."
},
"DBPassword" : {
"NoEcho": "true",
"Description" : "The WordPress database admin account password",
"Type": "String",
"MinLength": "8",
"MaxLength": "41",
"AllowedPattern" : "[a-zA-Z0-9]*",
"ConstraintDescription" : "must contain only alphanumeric characters."
},
"DBRootPassword" : {
"NoEcho": "true",
"Description" : "MySQL root password",
"Type": "String",
"MinLength": "8",
"MaxLength": "41",
"AllowedPattern" : "[a-zA-Z0-9]*",
"ConstraintDescription" : "must contain only alphanumeric characters."
}
},
"Mappings" : {
"AWSInstanceType2Arch" : {
"t1.micro" : { "Arch" : "PV64" },
"t2.nano" : { "Arch" : "HVM64" },
"t2.micro" : { "Arch" : "HVM64" },
"t2.small" : { "Arch" : "HVM64" },
"t2.medium" : { "Arch" : "HVM64" },
"t2.large" : { "Arch" : "HVM64" },
"m1.small" : { "Arch" : "PV64" },
"m1.medium" : { "Arch" : "PV64" },
"m1.large" : { "Arch" : "PV64" },
"m1.xlarge" : { "Arch" : "PV64" },
"m2.xlarge" : { "Arch" : "PV64" },
"m2.2xlarge" : { "Arch" : "PV64" },
"m2.4xlarge" : { "Arch" : "PV64" },
"m3.medium" : { "Arch" : "HVM64" },
"m3.large" : { "Arch" : "HVM64" },
"m3.xlarge" : { "Arch" : "HVM64" },
"m3.2xlarge" : { "Arch" : "HVM64" },
"m4.large" : { "Arch" : "HVM64" },
"m4.xlarge" : { "Arch" : "HVM64" },
"m4.2xlarge" : { "Arch" : "HVM64" },
"m4.4xlarge" : { "Arch" : "HVM64" },
"m4.10xlarge" : { "Arch" : "HVM64" },
"c1.medium" : { "Arch" : "PV64" },
"c1.xlarge" : { "Arch" : "PV64" },
"c3.large" : { "Arch" : "HVM64" },
"c3.xlarge" : { "Arch" : "HVM64" },
"c3.2xlarge" : { "Arch" : "HVM64" },
"c3.4xlarge" : { "Arch" : "HVM64" },
"c3.8xlarge" : { "Arch" : "HVM64" },
"c4.large" : { "Arch" : "HVM64" },
"c4.xlarge" : { "Arch" : "HVM64" },
"c4.2xlarge" : { "Arch" : "HVM64" },
"c4.4xlarge" : { "Arch" : "HVM64" },
"c4.8xlarge" : { "Arch" : "HVM64" },
"g2.2xlarge" : { "Arch" : "HVMG2" },
"g2.8xlarge" : { "Arch" : "HVMG2" },
"r3.large" : { "Arch" : "HVM64" },
"r3.xlarge" : { "Arch" : "HVM64" },
"r3.2xlarge" : { "Arch" : "HVM64" },
"r3.4xlarge" : { "Arch" : "HVM64" },
"r3.8xlarge" : { "Arch" : "HVM64" },
"i2.xlarge" : { "Arch" : "HVM64" },
"i2.2xlarge" : { "Arch" : "HVM64" },
"i2.4xlarge" : { "Arch" : "HVM64" },
"i2.8xlarge" : { "Arch" : "HVM64" },
"d2.xlarge" : { "Arch" : "HVM64" },
"d2.2xlarge" : { "Arch" : "HVM64" },
"d2.4xlarge" : { "Arch" : "HVM64" },
"d2.8xlarge" : { "Arch" : "HVM64" },
"hi1.4xlarge" : { "Arch" : "HVM64" },
"hs1.8xlarge" : { "Arch" : "HVM64" },
"cr1.8xlarge" : { "Arch" : "HVM64" },
"cc2.8xlarge" : { "Arch" : "HVM64" }
},
"AWSInstanceType2NATArch" : {
"t1.micro" : { "Arch" : "NATPV64" },
"t2.nano" : { "Arch" : "NATHVM64" },
"t2.micro" : { "Arch" : "NATHVM64" },
"t2.small" : { "Arch" : "NATHVM64" },
"t2.medium" : { "Arch" : "NATHVM64" },
"t2.large" : { "Arch" : "NATHVM64" },
"m1.small" : { "Arch" : "NATPV64" },
"m1.medium" : { "Arch" : "NATPV64" },
"m1.large" : { "Arch" : "NATPV64" },
"m1.xlarge" : { "Arch" : "NATPV64" },
"m2.xlarge" : { "Arch" : "NATPV64" },
"m2.2xlarge" : { "Arch" : "NATPV64" },
"m2.4xlarge" : { "Arch" : "NATPV64" },
"m3.medium" : { "Arch" : "NATHVM64" },
"m3.large" : { "Arch" : "NATHVM64" },
"m3.xlarge" : { "Arch" : "NATHVM64" },
"m3.2xlarge" : { "Arch" : "NATHVM64" },
"m4.large" : { "Arch" : "NATHVM64" },
"m4.xlarge" : { "Arch" : "NATHVM64" },
"m4.2xlarge" : { "Arch" : "NATHVM64" },
"m4.4xlarge" : { "Arch" : "NATHVM64" },
"m4.10xlarge" : { "Arch" : "NATHVM64" },
"c1.medium" : { "Arch" : "NATPV64" },
"c1.xlarge" : { "Arch" : "NATPV64" },
"c3.large" : { "Arch" : "NATHVM64" },
"c3.xlarge" : { "Arch" : "NATHVM64" },
"c3.2xlarge" : { "Arch" : "NATHVM64" },
"c3.4xlarge" : { "Arch" : "NATHVM64" },
"c3.8xlarge" : { "Arch" : "NATHVM64" },
"c4.large" : { "Arch" : "NATHVM64" },
"c4.xlarge" : { "Arch" : "NATHVM64" },
"c4.2xlarge" : { "Arch" : "NATHVM64" },
"c4.4xlarge" : { "Arch" : "NATHVM64" },
"c4.8xlarge" : { "Arch" : "NATHVM64" },
"g2.2xlarge" : { "Arch" : "NATHVMG2" },
"g2.8xlarge" : { "Arch" : "NATHVMG2" },
"r3.large" : { "Arch" : "NATHVM64" },
"r3.xlarge" : { "Arch" : "NATHVM64" },
"r3.2xlarge" : { "Arch" : "NATHVM64" },
"r3.4xlarge" : { "Arch" : "NATHVM64" },
"r3.8xlarge" : { "Arch" : "NATHVM64" },
"i2.xlarge" : { "Arch" : "NATHVM64" },
"i2.2xlarge" : { "Arch" : "NATHVM64" },
"i2.4xlarge" : { "Arch" : "NATHVM64" },
"i2.8xlarge" : { "Arch" : "NATHVM64" },
"d2.xlarge" : { "Arch" : "NATHVM64" },
"d2.2xlarge" : { "Arch" : "NATHVM64" },
"d2.4xlarge" : { "Arch" : "NATHVM64" },
"d2.8xlarge" : { "Arch" : "NATHVM64" },
"hi1.4xlarge" : { "Arch" : "NATHVM64" },
"hs1.8xlarge" : { "Arch" : "NATHVM64" },
"cr1.8xlarge" : { "Arch" : "NATHVM64" },
"cc2.8xlarge" : { "Arch" : "NATHVM64" }
}
,
"AWSRegionArch2AMI" : {
"us-east-1" : {"PV64" : "ami-2a69aa47", "HVM64" : "ami-97785bed", "HVMG2" : "ami-0a6e3770"},
"us-west-2" : {"PV64" : "ami-7f77b31f", "HVM64" : "ami-f2d3638a", "HVMG2" : "ami-ee15a196"},
"us-west-1" : {"PV64" : "ami-a2490dc2", "HVM64" : "ami-824c4ee2", "HVMG2" : "ami-0da4a46d"},
"eu-west-1" : {"PV64" : "ami-4cdd453f", "HVM64" : "ami-d834aba1", "HVMG2" : "ami-af8013d6"},
"eu-west-2" : {"PV64" : "NOT_SUPPORTED", "HVM64" : "ami-403e2524", "HVMG2" : "NOT_SUPPORTED"},
"eu-west-3" : {"PV64" : "NOT_SUPPORTED", "HVM64" : "ami-8ee056f3", "HVMG2" : "NOT_SUPPORTED"},
"eu-central-1" : {"PV64" : "ami-6527cf0a", "HVM64" : "ami-5652ce39", "HVMG2" : "ami-1d58ca72"},
"ap-northeast-1" : {"PV64" : "ami-3e42b65f", "HVM64" : "ami-ceafcba8", "HVMG2" : "ami-edfd658b"},
"ap-northeast-2" : {"PV64" : "NOT_SUPPORTED", "HVM64" : "ami-863090e8", "HVMG2" : "NOT_SUPPORTED"},
"ap-northeast-3" : {"PV64" : "NOT_SUPPORTED", "HVM64" : "ami-83444afe", "HVMG2" : "NOT_SUPPORTED"},
"ap-southeast-1" : {"PV64" : "ami-df9e4cbc", "HVM64" : "ami-68097514", "HVMG2" : "ami-c06013bc"},
"ap-southeast-2" : {"PV64" : "ami-63351d00", "HVM64" : "ami-942dd1f6", "HVMG2" : "ami-85ef12e7"},
"ap-south-1" : {"PV64" : "NOT_SUPPORTED", "HVM64" : "ami-531a4c3c", "HVMG2" : "ami-411e492e"},
"us-east-2" : {"PV64" : "NOT_SUPPORTED", "HVM64" : "ami-f63b1193", "HVMG2" : "NOT_SUPPORTED"},
"ca-central-1" : {"PV64" : "NOT_SUPPORTED", "HVM64" : "ami-a954d1cd", "HVMG2" : "NOT_SUPPORTED"},
"sa-east-1" : {"PV64" : "ami-1ad34676", "HVM64" : "ami-84175ae8", "HVMG2" : "NOT_SUPPORTED"},
"cn-north-1" : {"PV64" : "ami-77559f1a", "HVM64" : "ami-cb19c4a6", "HVMG2" : "NOT_SUPPORTED"},
"cn-northwest-1" : {"PV64" : "ami-80707be2", "HVM64" : "ami-3e60745c", "HVMG2" : "NOT_SUPPORTED"}
}
},
"Resources" : {
"WebServer": {
"Type" : "AWS::EC2::Instance",
"Metadata" : {
"AWS::CloudFormation::Init" : {
"configSets" : {
"wordpress_install" : ["install_cfn", "install_wordpress", "configure_wordpress" ]
},
"install_cfn" : {
"files": {
"/etc/cfn/cfn-hup.conf": {
"content": { "Fn::Join": [ "", [
"[main]\n",
"stack=", { "Ref": "AWS::StackId" }, "\n",
"region=", { "Ref": "AWS::Region" }, "\n"
]]},
"mode" : "000400",
"owner" : "root",
"group" : "root"
},
"/etc/cfn/hooks.d/cfn-auto-reloader.conf": {
"content": { "Fn::Join": [ "", [
"[cfn-auto-reloader-hook]\n",
"triggers=post.update\n",
"path=Resources.WebServer.Metadata.AWS::CloudFormation::Init\n",
"action=/opt/aws/bin/cfn-init -v ",
" --stack ", { "Ref" : "AWS::StackName" },
" --resource WebServer ",
" --configsets wordpress_install ",
" --region ", { "Ref" : "AWS::Region" }, "\n"
]]},
"mode" : "000400",
"owner" : "root",
"group" : "root"
}
},
"services" : {
"sysvinit" : {
"cfn-hup" : { "enabled" : "true", "ensureRunning" : "true",
"files" : ["/etc/cfn/cfn-hup.conf", "/etc/cfn/hooks.d/cfn-auto-reloader.conf"] }
}
}
},
"install_wordpress" : {
"packages" : {
"yum" : {
"php" : [],
"php-mysql" : [],
"mysql" : [],
"mysql-server" : [],
"mysql-devel" : [],
"mysql-libs" : [],
"httpd" : []
}
},
"sources" : {
"/var/www/html" : "http://wordpress.org/latest.tar.gz"
},
"files" : {
"/tmp/setup.mysql" : {
"content" : { "Fn::Join" : ["", [
"CREATE DATABASE ", { "Ref" : "DBName" }, ";\n",
"CREATE USER '", { "Ref" : "DBUser" }, "'#'localhost' IDENTIFIED BY '", { "Ref" : "DBPassword" }, "';\n",
"GRANT ALL ON ", { "Ref" : "DBName" }, ".* TO '", { "Ref" : "DBUser" }, "'#'localhost';\n",
"FLUSH PRIVILEGES;\n"
]]},
"mode" : "000400",
"owner" : "root",
"group" : "root"
},
"/tmp/create-wp-config" : {
"content" : { "Fn::Join" : [ "", [
"#!/bin/bash -xe\n",
"cp /var/www/html/wordpress/wp-config-sample.php /var/www/html/wordpress/wp-config.php\n",
"sed -i \"s/'database_name_here'/'",{ "Ref" : "DBName" }, "'/g\" wp-config.php\n",
"sed -i \"s/'username_here'/'",{ "Ref" : "DBUser" }, "'/g\" wp-config.php\n",
"sed -i \"s/'password_here'/'",{ "Ref" : "DBPassword" }, "'/g\" wp-config.php\n"
]]},
"mode" : "000500",
"owner" : "root",
"group" : "root"
}
},
"services" : {
"sysvinit" : {
"httpd" : { "enabled" : "true", "ensureRunning" : "true" },
"mysqld" : { "enabled" : "true", "ensureRunning" : "true" }
}
}
},
"configure_wordpress" : {
"commands" : {
"01_set_mysql_root_password" : {
"command" : { "Fn::Join" : ["", ["mysqladmin -u root password '", { "Ref" : "DBRootPassword" }, "'"]]},
"test" : { "Fn::Join" : ["", ["$(mysql ", { "Ref" : "DBName" }, " -u root --password='", { "Ref" : "DBRootPassword" }, "' >/dev/null 2>&1 </dev/null); (( $? != 0 ))"]]}
},
"02_create_database" : {
"command" : { "Fn::Join" : ["", ["mysql -u root --password='", { "Ref" : "DBRootPassword" }, "' < /tmp/setup.mysql"]]},
"test" : { "Fn::Join" : ["", ["$(mysql ", { "Ref" : "DBName" }, " -u root --password='", { "Ref" : "DBRootPassword" }, "' >/dev/null 2>&1 </dev/null); (( $? != 0 ))"]]}
},
"03_configure_wordpress" : {
"command" : "/tmp/create-wp-config",
"cwd" : "/var/www/html/wordpress"
}
}
}
}
},
"Properties": {
"ImageId" : { "Fn::FindInMap" : [ "AWSRegionArch2AMI", { "Ref" : "AWS::Region" },
{ "Fn::FindInMap" : [ "AWSInstanceType2Arch", { "Ref" : "InstanceType" }, "Arch" ] } ] },
"InstanceType" : { "Ref" : "InstanceType" },
"SubnetId": "subnet-3c0e8a5a",
"SecurityGroupIds" : ["sg-d04fe1a9"],
"KeyName" : { "Ref" : "KeyName" },
"UserData" : { "Fn::Base64" : { "Fn::Join" : ["", [
"#!/bin/bash -xe\n",
"yum update -y aws-cfn-bootstrap\n",
"/opt/aws/bin/cfn-init -v ",
" --stack ", { "Ref" : "AWS::StackName" },
" --resource WebServer ",
" --configsets wordpress_install ",
" --region ", { "Ref" : "AWS::Region" }, "\n",
"/opt/aws/bin/cfn-signal -e $? ",
" --stack ", { "Ref" : "AWS::StackName" },
" --resource WebServer ",
" --region ", { "Ref" : "AWS::Region" }, "\n"
]]}}
},
"CreationPolicy" : {
"ResourceSignal" : {
"Timeout" : "PT15M"
}
}
}
},
"Outputs" : {
"WebsiteURL" : {
"Value" : { "Fn::Join" : ["", ["http://", { "Fn::GetAtt" : [ "WebServer", "PublicDnsName" ]}, "/wordpress" ]]},
"Description" : "WordPress Website"
}
}
}

Your CloudFormation (CFN) stack is attempting to create an EC2 instance to run your Wordpress on, and there's a section in the template which instructs the CFN stack to wait for a signal from the newly created instance before proceeding.
"Failed to receive 1 resource signal(s) within the specified duration" indicates that your instance is failing to send the signal within the time limit. This can be because of a number of reasons.
Can you copy/paste or link to the CFN template you are using? Also, copy/paste your CFN stack's events log. It will give some additional information on what's happening.
Update:
Short answer:
It's more than likely your instance is failing to run through all of its startup scripts, which is preventing the signal back to the CFN stack. You'll need to SSH into your instance and inspect the logs to find out what's going on.
Instructions on where the logs are located can be found at Amazon's troubleshooting documentation.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/troubleshooting.html
Long answer:
So check out the following sections from your CFN template:
"UserData" : { "Fn::Base64" : { "Fn::Join" : ["", [
"#!/bin/bash -xe\n",
"yum update -y aws-cfn-bootstrap\n",
"/opt/aws/bin/cfn-init -v ",
" --stack ", { "Ref" : "AWS::StackName" },
" --resource WebServer ",
" --configsets wordpress_install ",
" --region ", { "Ref" : "AWS::Region" }, "\n",
"/opt/aws/bin/cfn-signal -e $? ",
" --stack ", { "Ref" : "AWS::StackName" },
" --resource WebServer ",
" --region ", { "Ref" : "AWS::Region" }, "\n"
]]}}
This section is a bash script that runs on the newly created instance after it first boots. It does the following:
Install/update aws-cfn-bootstrap. This is an AWS provided client that allows your instance to interact with the CFN template that created it.
"yum update -y aws-cfn-bootstrap\n",
Using the newly installed aws-cfn-bootstrap client, the instance looks at the CFN template and executes all of the tasks defined in the wordpress_install configset.
"/opt/aws/bin/cfn-init -v "
" --stack ", { "Ref" : "AWS::StackName" }
" --resource WebServer "
" --configsets wordpress_install "
" --region ", { "Ref" : "AWS::Region" }, "\n"
The configset is defined earlier in the template. A lot is going on here, so I can't explain it all. It'll be up to you to look at it and determine what it is doing.
"AWS::CloudFormation::Init" : {
"configSets" : {
"wordpress_install" : ["install_cfn", "install_wordpress", "configure_wordpress" ]
},
"install_cfn" : {
"files": {
"/etc/cfn/cfn-hup.conf": {
"content": { "Fn::Join": [ "", [
"[main]\n",
"stack=", { "Ref": "AWS::StackId" }, "\n",
"region=", { "Ref": "AWS::Region" }, "\n"
]]},
"mode" : "000400",
"owner" : "root",
"group" : "root"
},
"/etc/cfn/hooks.d/cfn-auto-reloader.conf": {
"content": { "Fn::Join": [ "", [
"[cfn-auto-reloader-hook]\n",
"triggers=post.update\n",
"path=Resources.WebServer.Metadata.AWS::CloudFormation::Init\n",
"action=/opt/aws/bin/cfn-init -v ",
" --stack ", { "Ref" : "AWS::StackName" },
" --resource WebServer ",
" --configsets wordpress_install ",
" --region ", { "Ref" : "AWS::Region" }, "\n"
]]},
"mode" : "000400",
"owner" : "root",
"group" : "root"
}
},
"services" : {
"sysvinit" : {
"cfn-hup" : { "enabled" : "true", "ensureRunning" : "true",
"files" : ["/etc/cfn/cfn-hup.conf", "/etc/cfn/hooks.d/cfn-auto-reloader.conf"] }
}
}
},
"install_wordpress" : {
"packages" : {
"yum" : {
"php" : [],
"php-mysql" : [],
"mysql" : [],
"mysql-server" : [],
"mysql-devel" : [],
"mysql-libs" : [],
"httpd" : []
}
},
"sources" : {
"/var/www/html" : "http://wordpress.org/latest.tar.gz"
},
"files" : {
"/tmp/setup.mysql" : {
"content" : { "Fn::Join" : ["", [
"CREATE DATABASE ", { "Ref" : "DBName" }, ";\n",
"CREATE USER '", { "Ref" : "DBUser" }, "'#'localhost' IDENTIFIED BY '", { "Ref" : "DBPassword" }, "';\n",
"GRANT ALL ON ", { "Ref" : "DBName" }, ".* TO '", { "Ref" : "DBUser" }, "'#'localhost';\n",
"FLUSH PRIVILEGES;\n"
]]},
"mode" : "000400",
"owner" : "root",
"group" : "root"
},
"/tmp/create-wp-config" : {
"content" : { "Fn::Join" : [ "", [
"#!/bin/bash -xe\n",
"cp /var/www/html/wordpress/wp-config-sample.php /var/www/html/wordpress/wp-config.php\n",
"sed -i \"s/'database_name_here'/'",{ "Ref" : "DBName" }, "'/g\" wp-config.php\n",
"sed -i \"s/'username_here'/'",{ "Ref" : "DBUser" }, "'/g\" wp-config.php\n",
"sed -i \"s/'password_here'/'",{ "Ref" : "DBPassword" }, "'/g\" wp-config.php\n"
]]},
"mode" : "000500",
"owner" : "root",
"group" : "root"
}
},
"services" : {
"sysvinit" : {
"httpd" : { "enabled" : "true", "ensureRunning" : "true" },
"mysqld" : { "enabled" : "true", "ensureRunning" : "true" }
}
}
},
"configure_wordpress" : {
"commands" : {
"01_set_mysql_root_password" : {
"command" : { "Fn::Join" : ["", ["mysqladmin -u root password '", { "Ref" : "DBRootPassword" }, "'"]]},
"test" : { "Fn::Join" : ["", ["$(mysql ", { "Ref" : "DBName" }, " -u root --password='", { "Ref" : "DBRootPassword" }, "' >/dev/null 2>&1 </dev/null); (( $? != 0 ))"]]}
},
"02_create_database" : {
"command" : { "Fn::Join" : ["", ["mysql -u root --password='", { "Ref" : "DBRootPassword" }, "' < /tmp/setup.mysql"]]},
"test" : { "Fn::Join" : ["", ["$(mysql ", { "Ref" : "DBName" }, " -u root --password='", { "Ref" : "DBRootPassword" }, "' >/dev/null 2>&1 </dev/null); (( $? != 0 ))"]]}
},
"03_configure_wordpress" : {
"command" : "/tmp/create-wp-config",
"cwd" : "/var/www/html/wordpress"
}
}
}
}
Lastly, the script signals the CFN stack to let it know that all tasks are complete and the CFN stack can then go to UPDATE_COMPLETE status.
"/opt/aws/bin/cfn-signal -e $? ",
" --stack ", { "Ref" : "AWS::StackName" },
" --resource WebServer ",
" --region ", { "Ref" : "AWS::Region" }, "\n"
Since your CFN stack is not receiving the signal after 15 minutes, your instance is failing somewhere in the series of tasks I listed above. It could be any number of things causing this, and the best way to find out what's wrong is to SSH into the instance and inspect the logs. AWS documentation explains where the logs are, as well as some other troubleshooting tips: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/troubleshooting.html
Lastly, when you build your CFN stack, be sure stack rollback is disabled, or else your instance will get auto-terminated when the signal fails and you won't have a chance to look at the logs.
Hope this helps! Good luck.

Security group sg-xxxxx and subnet subnet-xxxxx belong to different networks

I'm trying to automate the launch of my instances with a Cloudformation template.
When the stack is being created I get the following error :
Security group sg-xxxxx and subnet subnet-xxxxx belong to different networks.
This is my current template :
{
"Description": "AWS Cloudformation template to launch a Docker Swarm cluster of two nodes.",
"Resources" : {
"TwitterappVPC": {
"Type": "AWS::EC2::VPC",
"Properties" : {
"CidrBlock" : "10.0.0.0/16",
"EnableDnsSupport" : "true",
"EnableDnsHostnames" : "true",
"InstanceTenancy" : "dedicated"
}
},
"PublicSubnet" : {
"Type" : "AWS::EC2::Subnet",
"Properties" : {
"VpcId" : { "Ref" : "TwitterappVPC" },
"CidrBlock" : "10.0.0.0/16",
"AvailabilityZone": {
"Fn::Select" : [ "0", { "Fn::GetAZs" : "" } ]
}
}
},
"InternetGateway" : {
"Type" : "AWS::EC2::InternetGateway"
},
"AttachGateway" : {
"Type" : "AWS::EC2::VPCGatewayAttachment",
"Properties" : {
"VpcId" : { "Ref" : "TwitterappVPC" },
"InternetGatewayId" : { "Ref" : "InternetGateway" }
}
},
"TwitterappSecurityGroup" : {
"Type" : "AWS::EC2::SecurityGroup",
"Properties" : {
"GroupDescription" : "Enable all Swarm, Microservices and SSH traffic ports",
"SecurityGroupIngress" : [
{"IpProtocol" : "tcp", "FromPort" : "22", "ToPort" : "22", "CidrIp" : "0.0.0.0/0"},
{"IpProtocol" : "tcp", "FromPort" : "2377", "ToPort" : "2377", "CidrIp" : "0.0.0.0/0"},
{"IpProtocol" : "tcp", "FromPort" : "4789", "ToPort" : "4789", "CidrIp" : "0.0.0.0/0"},
{"IpProtocol" : "udp", "FromPort" : "4789", "ToPort" : "4789", "CidrIp" : "0.0.0.0/0"},
{"IpProtocol" : "tcp", "FromPort" : "7946", "ToPort" : "7946", "CidrIp" : "0.0.0.0/0"},
{"IpProtocol" : "udp", "FromPort" : "7946", "ToPort" : "7946", "CidrIp" : "0.0.0.0/0"},
{"IpProtocol" : "tcp", "FromPort" : "3306", "ToPort" : "3306", "CidrIp" : "0.0.0.0/0"},
{"IpProtocol" : "tcp", "FromPort" : "8080", "ToPort" : "8095", "CidrIp" : "0.0.0.0/0"}
],
"VpcId" : {"Ref" : "TwitterappVPC"}
}
},
"PublicRouteTable" : {
"Type" : "AWS::EC2::RouteTable",
"Properties" : {
"VpcId" : {"Ref" : "TwitterappVPC"}
}
},
"PublicRoute" : {
"Type" : "AWS::EC2::Route",
"DependsOn" : "AttachGateway",
"Properties" : {
"RouteTableId" : { "Ref" : "PublicRouteTable" },
"DestinationCidrBlock" : "0.0.0.0/0",
"GatewayId" : { "Ref" : "InternetGateway" }
}
},
"PublicSubnetRouteTableAssociation" : {
"Type" : "AWS::EC2::SubnetRouteTableAssociation",
"Properties" : {
"SubnetId" : { "Ref" : "PublicSubnet" },
"RouteTableId" : { "Ref" : "PublicRouteTable" }
}
},
"TwitterappMasterNode": {
"Type": "AWS::EC2::Instance",
"Properties": {
"AvailabilityZone": {
"Fn::Select" : [ "0", { "Fn::GetAZs" : "" } ]
},
"InstanceType": "t2.medium",
"KeyName": "keypair-xxxx",
"ImageId": "ami-ac442ac3",
"SecurityGroupIds": [{"Ref" : "TwitterappSecurityGroup"}]
}
}
}
}
Which led me to the following stackoverflow question
The suggested solution was to add some Network interface properties to the EC2 instance properties:
"NetworkInterfaces": [
{
"SubnetId": {"Ref": "PublicSubnet"},
"AssociatePublicIpAddress": "true",
"DeviceIndex": "0",
"GroupSet": [{ "Ref" : "TwitterappSecurityGroup" }]
}
]
This gave me the following error:
Network interfaces and an instance-level security groups may not be specified on the same request
What am I doing wrong?

Rather stupid of me...
The issue was fixed after removing
"SecurityGroupIds": [{"Ref" : "TwitterappSecurityGroup"}]
From the EC2-instance properties.
And adding the the networkinterfaces properties
"NetworkInterfaces": [
{
"SubnetId": {"Ref": "PublicSubnet"},
"AssociatePublicIpAddress": "true",
"DeviceIndex": "0",
"GroupSet": [{ "Ref" : "TwitterappSecurityGroup" }]
}
]

HoztedZone error on cloudformation

I´m using cloudformation to create a ecs container and add this new container into route53 hostzone.
But when I run this script I´m having problems with the HostedZone tags
Here The error
A client error (ValidationError) occurred when calling the CreateStack operation: Invalid template parameter property 'Properties'
Here the json
"Parameters" : {
"InstanceType" : {
"Description" : "Container Instance type",
"Type" : "String",
"Default" : "t2.medium",
"AllowedValues" : [ "t2.micro", "t2.small", "t2.medium", "m3.medium", "m3.large", "m3.xlarge", "m3.2xlarge" ],
"ConstraintDescription" : "must be a valid EC2 instance type."
},
"HostedZone" : {
"Type": "AWS::Route53::HostedZone",
"Properties": {
"HostedZoneConfig": {
"Comment": "My hosted zone for example.com"
},
"Name": "***.couchbase.com",
"VPCs": [
{
"VPCId": "*********",
"VPCRegion": "eu-west-1"
}
],
"HostedZoneTags": [
{
"Key": "Name",
"Value": "Couchbase DNS"
}
]
}
}
},
"Resources" : {
"ContainerInstance" : {
"Type": "AWS::EC2::Instance",
"Properties": {
"Tags": [{
"Key" : "Name",
"Value" : "Couchbase-1"
},
{
"Key" : "Type",
"Value" : "ECS-Couchbase"
}],
"IamInstanceProfile" : { "Ref" : "ECSIamInstanceProfile" },
"ImageId" : { "Fn::FindInMap" : [ "AWSRegionArch2AMI", { "Ref" : "AWS::Region" },
{ "Fn::FindInMap" : [ "AWSInstanceType2Arch", { "Ref" : "InstanceType" }, "Arch" ] } ] },
"InstanceType" : { "Ref" : "InstanceType" },
"SecurityGroups" : [ "ssh","default", "couchbase" ],
"KeyName" : { "Ref" : "KeyName" },
"UserData" : { "Fn::Base64" : { "Fn::Join" : ["", [
"#!/bin/bash -xe\n",
"echo ECS_CLUSTER=", { "Ref" : "ClusterName" },
" >> /etc/ecs/ecs.config\n"
]]}}
}
},
"CouchbaseDNSRecord" : {
"Type" : "AWS::Route53::RecordSet",
"Properties" : {
"HostedZoneName" : {
"Fn::Join" : [ "", [
{ "Ref" : "HostedZone" }, "."
] ]
},
"Comment" : "DNS name for my instance.",
"Name" : {
"Fn::Join" : [ "", [
{"Ref" : "ContainerInstance"}, ".",
{"Ref" : "AWS::Region"}, ".",
{"Ref" : "HostedZone"} ,"."
] ]
},
"Type" : "A",
"TTL" : "900",
"ResourceRecords" : [
{ "Fn::GetAtt" : [ "ContainerInstance", "PublicIp" ] }
]
}
},

The HostedZone should be inside the Resources section.
"Parameters" : {
"InstanceType" : {
...
}
},
"Resources" : {
"HostedZone" : {
...
},
"ContainerInstance" : {
...
},
...
}

All the resources you want to create using Cloudformation should be within the resources section. This gives a better anatomy of the template, http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-anatomy.html

AWS CloudFormation identify IP of another instance - circular dependency

I'm provisioning two instances with CloudFormation template. "MASTER" and "SLAVE".
At the userdata script I need to pass slave's private IP to master and master's IP to slave.
Here is my template:
{
"AWSTemplateFormatVersion" : "2010-09-09",
"Description" : "",
"Parameters" : {
},
"Resources" : {
"InstanceSecurityGroup" : {
"Type" : "AWS::EC2::SecurityGroup",
"Properties" : {
"GroupDescription" : "Default Ports",
"SecurityGroupIngress" : [
{ "IpProtocol" : "tcp", "FromPort" : "22", "ToPort" : "22", "CidrIp" : "0.0.0.0/0"}
]
}
},
"MASTER" : {
"Type" : "AWS::EC2::Instance",
"Properties" : {
"Tags":[{"Key":"Name", "Value":"MASTER"}],
"SecurityGroups" : [ { "Ref" : "InstanceSecurityGroup" } ],
"KeyName" : "mykey",
"ImageId" : "ami-a25415cb",
"InstanceType": "m1.large",
"UserData" : { "Fn::Base64" : { "Fn::Join" : ["", [
"#!/bin/bash -ex", "\n",
"wget https://s3.amazonaws.com/mybucket/bootstrap.sh","\n",
"ROLE=MASTER SLAVEIP=",?????," sh bootstrap.sh","\n"
] ] } }
}
},
"SLAVE" : {
"Type" : "AWS::EC2::Instance",
"Properties" : {
"Tags":[{"Key":"Name", "Value":"SLAVE"}],
"SecurityGroups" : [ { "Ref" : "InstanceSecurityGroup" } ],
"KeyName" : "mykey",
"ImageId" : "ami-a25415cb",
"InstanceType": "m1.large",
"UserData" : { "Fn::Base64" : { "Fn::Join" : ["", [
"#!/bin/bash -ex", "\n",
"wget https://s3.amazonaws.com/mybucket/bootstrap.sh","\n",
"ROLE=SLAVE MASTERIP=",?????," sh bootstrap.sh","\n"
] ] } }
}
},
},
"Outputs" : {
}
}
What would be right replacement for ????? if it's possible at all and if not - what alternative can I use?
UPD: found this: {"Fn::GetAtt": ["MASTER","PrivateIp"]}, it works fine on it's own, but fails with "Template validation error: Circular dependency between resources: [SLAVE, MASTER]" if I'm trying to do both master and slave IPs.

If you're using VPCs and Subnets, you can do this by creating an AWS::EC2::NetworkInterface for each instance. Then use { "Fn::GetAtt": [ "MyNetworkInterface", "PrimaryPrivateIpAddress" ] } in user data to reference the internal IP address of the network interface
You associate a network interface with an EC2 instance using the NetworkInterfaces property
...
"MasterNetInt" : {
"Type" : "AWS::EC2::NetworkInterface",
"Properties" : {
"SubnetId": { "Ref" : "MySubnet" }
}
},
"SlaveNetInt" : {
"Type" : "AWS::EC2::NetworkInterface",
"Properties" : {
"SubnetId": { "Ref" : "MySubnet" }
}
},
"Master" : {
"Type" : "AWS::EC2::Instance",
"Properties" : {
"SecurityGroups" : [ { "Ref" : "InstanceSecurityGroup" } ],
"KeyName" : "mykey",
"ImageId" : "ami-a25415cb",
"InstanceType": "m1.large",
"SubnetId": { "Ref" : "MySubnet" },
"NetworkInterfaces": [ { "Ref" : "MasterNetInt" } ],
"UserData": { "Fn::Base64" : { "Fn::Join" : ["", [
"#!/bin/bash -ex", "\n",
"wget https://s3.amazonaws.com/mybucket/bootstrap.sh","\n",
"ROLE=MASTER SLAVEIP=", { "Fn::GetAtt": [ "SlaveNetInt", "PrimaryPrivateIpAddress" ] }," sh bootstrap.sh","\n"
] ] } }
}
},
"Slave" : {
"Type" : "AWS::EC2::Instance",
"Properties" : {
"SecurityGroups" : [ { "Ref" : "InstanceSecurityGroup" } ],
"KeyName" : "mykey",
"ImageId" : "ami-a25415cb",
"InstanceType": "m1.large",
"SubnetId": { "Ref" : "MySubnet" },
"NetworkInterfaces": [ { "Ref" : "SlaveNetInt" } ],
"UserData" : { "Fn::Base64" : { "Fn::Join" : ["", [
"#!/bin/bash -ex", "\n",
"wget https://s3.amazonaws.com/mybucket/bootstrap.sh","\n",
"ROLE=SLAVE MASTERIP=", { "Fn::GetAtt": [ "MasterNetInt", "PrimaryPrivateIpAddress" ] }," sh bootstrap.sh","\n"
] ] } }
}
}
...
If you're unfamiliar with setting up a VPC and Subnets, read the following documentation: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario1.html
and reference these template examples: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/sample-templates-services-us-west-2.html#d0e113371
The basic requirements are:
AWS::EC2::VPC
AWS::EC2::InternetGateway
AWS::EC2::VPCGatewayAttachment
AWS::EC2::RouteTable
AWS::EC2::Route
AWS::EC2::Subnet
AWS::EC2::SubnetRouteTableAssociation
AWS::EC2::NetworkAcl
AWS::EC2::SubnetNetworkAclAssociation
AWS::EC2::NetworkAclEntry
AWS::EC2::NetworkInterface
AWS::EC2::Instance

How are my ENIs being created?

I have the below code but I don't see where an actual ENI is being created "AWS::EC2::NetworkInterface". I assume this is being done within the UserData section of the script after the "UTMLaunchConfiguration" runs. I'm still learning so I'm sure this isn't a terribly difficult config but I'm still learning how to read it.
{
"AWSTemplateFormatVersion" : "2010-09-09",
"Description" : "Sophos UTM HA template",
"Mappings" : {
"RegionMap" : {
"us-gov-west-1" : { "BYOL" : "ami-09f7972a", "AZ1" : "us-gov-west-1a", "AZ2" : "us-gov-west-1b", "EC2API" : "ec2.us-gov-west-1.amazonaws.com" }
}
},
"Parameters" : {
"01LicenseType": {
"Description": "Hourly or BYOL",
"Type" : "String",
"Default" : "Hourly",
"AllowedValues" : [ "Hourly", "BYOL" ]
},
"02InstanceType" : {
"Description" : "Amazon EC2 instance type",
"Type" : "String",
"Default" : "m3.medium",
"AllowedValues" : [ "t1.micro", "m1.small", "m3.medium", "m3.large", "m3.xlarge", "m3.2xlarge", "c3.large", "c3.xlarge", "c3.2xlarge", "c3.4xlarge", "c3.8xlarge"]
,
"ConstraintDescription" : "must be a valid EC2 instance type."
},
"03Hostname" : {
"Description" : "The hostname field can have a maximum of 64 characters. Hostname can only contain lower and uppercase letters, numbers, dots(.), dashes(-) and needs to begin with a letter or a number.",
"Type" : "String",
"MaxLength" : "64",
"AllowedPattern" : "^[0-9A-Za-z]{1}([A-Za-z0-9.-]*)$",
"ConstraintDescription" : "Invalid hostname. The hostname field can have a maximum of 64 characters. Hostname can only contain lower- and uppercase letters, numbers, dots(.), dashes(-) and needs to begin with a letter or a number."
},
"04City" : {
"Description" : "City",
"Type" : "String"
},
"05Country" : {
"Description" : "Country",
"Type" : "String",
"AllowedValues" : ["Andorra","United Arab Emirates","Afghanistan","Antigua and Barbuda","Anguilla","Albania","Armenia","Netherlands Antilles", "Angola", "Antarctica","Argentina","American Samoa","Austria","Australia","Aland Islands","Aruba","Azerbaidjan","Bosnia and Herzegovina", "Barbados", "Bangladesh", "Belgium","Burkina Faso","Bulgaria","Bahrain","Burundi","Benin","Saint Barthelemey","Bermuda","Brunei Darussalam", "Bolivia", "Brazil", "Bahamas", "Bhutan","Bouvet Island","Botswana","Belarus","Belize","Canada","Cocos Islands","Congo, Democratic Rebpulic of the","Central African Republic", "Congo","Switzerland","Ivory Coast","Cook Islands","Chile","Cameroon","China","Colombia","Costa Rica","Cuba","Cape Verde","Christmas Island", "Cyprus","Czech Republic","Germany","Djibouti","Denmark","Dominica","Dominican Republic", "Algeria", "Ecuador", "Estonia", "Egypt", "Western Sahara", "Eritrea","Spain","Ethiopia","Finland","Fiji","Falkland Islands","Micronesia","Faroe Islands","France","Gabon","Great Britain", "Grenada", "Georgia", "French Guyana", "Guernsey", "Ghana", "Gibraltar", "Greenland"," Gambia", "Guinea", "Guadeloupe","Equatorial Guinea","Greece","S. Georgia & S. Sandwich Isls.", "Guatemala","Guam (USA)","Guinea Bissau","Guyana","Hong Kong","Heard and McDonald Islands", "Honduras", "Croatia", "Haiti", "Hungary", "Indonesia","Ireland","Israel","Isle of Man","India","British Indian Ocean Territory", "Iraq", "Iran", "Iceland", "Italy", "Jersey", "Jamaica", "Jordan","Japan","Kenya","Kyrgyz Republic (Kyrgyzstan)","Cambodia, Kingdom of","Kiribati","Comoros","Saint Kitts & Nevis Anguilla","North Korea", "South Korea","Kuwait","Cayman Islands","Kazakhstan","Laos","Lebanon","Saint Lucia","Liechtenstein","Sri Lanka", "Liberia", "Lesotho", "Lithuania", "Luxembourg","Latvia","Libya","Morocco","Monaco","Moldavia","Montenegro","Saint Martin (French)","Madagascar", "Marshall Islands", "Macedonia", "Mali","Myanmar","Mongolia","Macau","Northern Mariana Islands","Martinique (French)","Mauritania", "Montserrat", "Malta", "Mauritius", "Maldives", "Malawi","Mexico","Malaysia","Mozambique","Namibia","New Caledonia (French)","Niger","Norfolk Island", "Nigeria", "Nicaragua", "Netherlands", "Norway","Nepal","Nauru","Niue","New Zealand","Oman","Panama","Peru","Polynesia (French)","Papua New Guinea", "Philippines", "Pakistan", "Poland","Saint Pierre and Miquelon","Pitcairn Island","Puerto Rico","Palestinian Territory (Occupied)","Portugal", "Palau", "Paraguay", "Qatar", "Reunion (French)","Romania","Serbia","Russian Federation","Rwanda","Saudi Arabia","Solomon Islands", "Seychelles", "Sudan", "Sweden", "Singapore","Saint Helena","Slovenia","Svalbard Jan Mayen Islands","Slovak Republic","Sierra Leone","San Marino", "Senegal", "Somalia", "Suriname", "Saint Tome and Principe","El Salvador","Syria","Swaziland","Turks and Caicos Islands","Chad","French Southern Territories", "Togo", "Thailand", "Tadjikistan", "Tokelau","Timor-Leste","Turkmenistan","Tunisia","Tonga","Turkey","Trinidad and Tobago", "Tuvalu", "Taiwan", "Tanzania", "Ukraine", "Uganda", "United Kingdom","USA Minor Outlying Islands","United States","Uruguay","Uzbekistan","Holy See (Vatican City State)","Saint Vincent & Grenadines", "Venezuela","Virgin Islands (British)","Virgin Islands (USA)","Vietnam","Vanuatu","Wallis and Futuna Islands", "Samoa", "Yemen", "Mayotte","South Africa","Zambia","Zimbabwe"]
},
"06Email": {
"Default": "",
"Description": "UTM admin email",
"Type": "String"
},
"07Organization" : {
"Description" : "Name of your Organization",
"Type" : "String"
},
"08AdminPassword" : {
"Description" : "UTM admin password",
"Type" : "String",
"NoEcho" : "True"
},
"09KeyName" : {
"Description" : "Name of an existing EC2 KeyPair to enable SSH access.",
"Type": "AWS::EC2::KeyPair::KeyName",
"Default" : ""
},
"10TrustedNetwork" : {
"Description" : "Trusted network. Only connections from this network are allowed to ports 22 and 8080. E.g 92.198.130.0/24",
"Type" : "String",
"Default" : "0.0.0.0/0"
},
"VPC" : {
"Description" : "VPC Id to deploy resources into",
"Type" : "String"
},
"Subnet1" : {
"Description" : "Public_Subnet_AZ1_Outside",
"Type" : "String"
},
"Subnet2" : {
"Description" : "Public_Subnet_AZ2_Outside",
"Type" : "String"
},
"ExistingS3Bucket" : {
"Description" : "Optional. The S3 Bucket to store and restore backups. If left empty a new bucket will be created automatically.",
"Type" : "String",
"Default": ""
},
"ExistingElasticIP" : {
"Description" : "Optional. The Elastic IP to assign in the UTM instance. If left empty a new Elastic IP will be allocated automatically.",
"Type" : "String",
"Default": ""
},
"LicensePool" : {
"Description" : "Optional. S3 bucket where the licenses are stored",
"Type" : "String",
"Default": ""
}
},
"Conditions" : {
"CreateS3Bucket" : { "Fn::Equals" : [{"Ref" : "ExistingS3Bucket"}, ""] },
"AllocateElasticIP" : { "Fn::Equals" : [{"Ref" : "ExistingElasticIP"}, ""] }
},
"Resources": {
"PublicNetworkAcl" : {
"Type" : "AWS::EC2::NetworkAcl",
"Properties" : {
"VpcId" : { "Ref" : "VPC" },
"Tags" : [
{"Key" : "Application", "Value" : { "Ref" : "AWS::StackId"} },
{"Key" : "Network", "Value" : "Public" }
]
}
},
"InboundHTTPPublicNetworkAclEntry" : {
"Type" : "AWS::EC2::NetworkAclEntry",
"Properties" : {
"NetworkAclId" : {"Ref" : "PublicNetworkAcl"},
"RuleNumber" : "100",
"Protocol" : "6",
"RuleAction" : "allow",
"Egress" : "false",
"CidrBlock" : "0.0.0.0/0",
"PortRange" : {"From" : "80", "To" : "80"}
}
},
"InboundDynamicPortsPublicNetworkAclEntry" : {
"Type" : "AWS::EC2::NetworkAclEntry",
"Properties" : {
"NetworkAclId" : {"Ref" : "PublicNetworkAcl"},
"RuleNumber" : "200",
"Protocol" : "6",
"RuleAction" : "allow",
"Egress" : "false",
"CidrBlock" : "0.0.0.0/0",
"PortRange" : {"From" : "1024", "To" : "65535"}
}
},
"InboundSSHPublicNetworkAclEntry" : {
"Type" : "AWS::EC2::NetworkAclEntry",
"Properties" : {
"NetworkAclId" : {"Ref" : "PublicNetworkAcl"},
"RuleNumber" : "300",
"Protocol" : "6",
"RuleAction" : "allow",
"Egress" : "false",
"CidrBlock" : "0.0.0.0/0",
"PortRange" : {"From" : "22", "To" : "22"}
}
},
"InboundRedUDPPublicNetworkAclEntry" : {
"Type" : "AWS::EC2::NetworkAclEntry",
"Properties" : {
"NetworkAclId" : {"Ref" : "PublicNetworkAcl"},
"RuleNumber" : "400",
"Protocol" : "17",
"RuleAction" : "allow",
"Egress" : "false",
"CidrBlock" : "0.0.0.0/0",
"PortRange" : {"From" : "3410", "To" : "3410"}
}
},
"OutboundSSHPublicNetworkAclEntry" : {
"Type" : "AWS::EC2::NetworkAclEntry",
"Properties" : {
"NetworkAclId" : {"Ref" : "PublicNetworkAcl"},
"RuleNumber" : "105",
"Protocol" : "6",
"RuleAction" : "allow",
"Egress" : "true",
"CidrBlock" : "0.0.0.0/0",
"PortRange" : {"From" : "22", "To" : "22"}
}
},
"OutboundHTTPPublicNetworkAclEntry" : {
"Type" : "AWS::EC2::NetworkAclEntry",
"Properties" : {
"NetworkAclId" : {"Ref" : "PublicNetworkAcl"},
"RuleNumber" : "205",
"Protocol" : "6",
"RuleAction" : "allow",
"Egress" : "true",
"CidrBlock" : "0.0.0.0/0",
"PortRange" : {"From" : "80", "To" : "80"}
}
},
"OutBoundDynamicPortPublicNetworkAclEntry" : {
"Type" : "AWS::EC2::NetworkAclEntry",
"Properties" : {
"NetworkAclId" : {"Ref" : "PublicNetworkAcl"},
"RuleNumber" : "305",
"Protocol" : "6",
"RuleAction" : "allow",
"Egress" : "true",
"CidrBlock" : "0.0.0.0/0",
"PortRange" : {"From" : "1024", "To" : "65535"}
}
},
"OutboundHTTPSPublicNetworkAclEntry" : {
"Type" : "AWS::EC2::NetworkAclEntry",
"Properties" : {
"NetworkAclId" : {"Ref" : "PublicNetworkAcl"},
"RuleNumber" : "405",
"Protocol" : "6",
"RuleAction" : "allow",
"Egress" : "true",
"CidrBlock" : "0.0.0.0/0",
"PortRange" : {"From" : "443", "To" : "443"}
}
},
"OutboundRedPublicNetworkAclEntry" : {
"Type" : "AWS::EC2::NetworkAclEntry",
"Properties" : {
"NetworkAclId" : {"Ref" : "PublicNetworkAcl"},
"RuleNumber" : "406",
"Protocol" : "6",
"RuleAction" : "allow",
"Egress" : "true",
"CidrBlock" : "0.0.0.0/0",
"PortRange" : {"From" : "3000", "To" : "3000"}
}
},
"OutboundRedUDPPublicNetworkAclEntry" : {
"Type" : "AWS::EC2::NetworkAclEntry",
"Properties" : {
"NetworkAclId" : {"Ref" : "PublicNetworkAcl"},
"RuleNumber" : "407",
"Protocol" : "17",
"RuleAction" : "allow",
"Egress" : "true",
"CidrBlock" : "0.0.0.0/0",
"PortRange" : {"From" : "3410", "To" : "3410"}
}
},
"IPAddress" : {
"Type" : "AWS::EC2::EIP",
"Condition": "AllocateElasticIP",
"Properties" : {
"Domain": "vpc"
}
},
"S3Bucket" : {
"Type" : "AWS::S3::Bucket",
"Condition" : "CreateS3Bucket",
"DeletionPolicy" : "Retain",
"Properties" : {
"LifecycleConfiguration" : {
"Rules" : [
{
"Prefix" : "confd_backup",
"ExpirationInDays" : "3",
"Status" : "Enabled"
},
{
"Prefix" : "postgres_basebackup",
"ExpirationInDays" : "3",
"Status" : "Enabled"
},
{
"Prefix" : "postgres_wal",
"ExpirationInDays" : "3",
"Status" : "Enabled"
}
]
}
}
},
"UTMRole" : {
"Type" : "AWS::IAM::Role",
"Properties" : {
"AssumeRolePolicyDocument" : {
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"Service": [ "ec2.amazonaws.com" ]
},
"Action": [ "sts:AssumeRole" ]
}]
},
"Path": "/",
"Policies": [{
"PolicyName" : "UTMPolicy",
"PolicyDocument" : {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "*"
},
{
"Effect": "Allow",
"NotAction": "iam:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "cloudformation:UpdateStack",
"Resource": "*"
}]
}
}]
}
},
"UTMInstanceProfile": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Path": "/",
"Roles": [{
"Ref": "UTMRole"
}]
}
},
"UTMSecurityGroup": {
"Type" : "AWS::EC2::SecurityGroup",
"Properties" : {
"GroupDescription" : "Identifying security group",
"VpcId" : { "Ref" : "VPC" }
}
},
"TrustedNetworkGroup": {
"Type" : "AWS::EC2::SecurityGroup",
"Properties" : {
"GroupDescription" : "Enable TCP access from trusted network",
"SecurityGroupIngress" : [ {
"IpProtocol" : "tcp",
"FromPort" : "0",
"ToPort" : "65535",
"CidrIp" : { "Ref" : "10TrustedNetwork"}
} ],
"VpcId" : { "Ref" : "VPC" }
}
},
"UntrustedGroup" : {
"Type" : "AWS::EC2::SecurityGroup",
"Properties" : {
"GroupDescription" : "Untrusted network restricted from accessing port 22 and 8080.",
"SecurityGroupIngress" : [
{
"IpProtocol" : "tcp",
"FromPort" : "12",
"ToPort" : "21",
"CidrIp" : "0.0.0.0/0"
},
{
"IpProtocol" : "tcp",
"FromPort" : "23",
"ToPort" : "8079",
"CidrIp" : "0.0.0.0/0"
},
{
"IpProtocol" : "tcp",
"FromPort" : "8081",
"ToPort" : "65535",
"CidrIp" : "0.0.0.0/0"
},
{
"IpProtocol" : "udp",
"FromPort" : "3410",
"ToPort" : "3410",
"CidrIp" : "0.0.0.0/0"
}
],
"VpcId" : { "Ref" : "VPC" }
}
},
"UTMScalingGroup": {
"Type" : "AWS::AutoScaling::AutoScalingGroup",
"UpdatePolicy" : {
"AutoScalingRollingUpdate" : {
"MinInstancesInService" : "1",
"MaxBatchSize" : "1",
"PauseTime" : "PT5M"
}
},
"Properties" : {
"DesiredCapacity" : "1",
"MaxSize" : "2",
"MinSize" : "1",
"TerminationPolicies" : [
"NewestInstance"
],
"VPCZoneIdentifier" : [
{ "Ref" : "Subnet1" },
{ "Ref" : "Subnet2" }
],
"LaunchConfigurationName" : {"Ref": "UTMLaunchConfiguration"},
"NotificationConfiguration" : {
"TopicARN" : { "Ref" : "UnhealthyTopic" },
"NotificationTypes" : [
"autoscaling:EC2_INSTANCE_LAUNCH",
"autoscaling:EC2_INSTANCE_LAUNCH_ERROR",
"autoscaling:EC2_INSTANCE_TERMINATE",
"autoscaling:EC2_INSTANCE_TERMINATE_ERROR"
]
},
"Tags" : [{
"Key" : "Name",
"Value" : "HA-UTM",
"PropagateAtLaunch" : "true"
}]
}
},
"UTMLaunchConfiguration": {
"Type" : "AWS::AutoScaling::LaunchConfiguration",
"Properties" : {
"AssociatePublicIpAddress" : true,
"IamInstanceProfile" : { "Ref" : "UTMInstanceProfile" },
"ImageId" : { "Fn::FindInMap" : [ "RegionMap", { "Ref" : "AWS::Region" }, {"Ref": "01LicenseType"} ]},
"InstanceType" : { "Ref" : "02InstanceType" },
"KeyName" : { "Ref" : "09KeyName" },
"BlockDeviceMappings" : [{
"DeviceName" : "/dev/sda",
"Ebs" : { "VolumeSize" : "100" }
}],
"SecurityGroups" : [
{ "Ref": "UTMSecurityGroup" },
{ "Ref": "TrustedNetworkGroup" },
{ "Ref": "UntrustedGroup" }
],
"UserData" : { "Fn::Base64" : { "Fn::Join" : [ "", [
"#!/bin/bash\n",
"echo AWS_REGION=",{ "Ref" : "AWS::Region" },">>/etc/environment\n",
"export AWS_REGION=",{ "Ref" : "AWS::Region" },"\n",
"echo EC2_URL=",{ "Fn::FindInMap" : [ "RegionMap", { "Ref" : "AWS::Region" }, "EC2API" ]},">>/etc/environment\n",
"export EC2_URL=",{ "Fn::FindInMap" : [ "RegionMap", { "Ref" : "AWS::Region" }, "EC2API" ]},"\n",
"date +'UserData start %c' > /tmp/user_data.log\n",
"echo 'version: \"0.1.0\"' >> /etc/cloud/user_data.yml\n",
"echo 'instance_role: \"ha_standalone\"' >> /etc/cloud/user_data.yml\n",
"echo 'deployment_type: \"ha_warm_standby\"' >> /etc/cloud/user_data.yml\n",
"echo 'license_pool: \"", { "Ref": "LicensePool" }, "\"' >> /etc/cloud/user_data.yml\n",
"cc=`/usr/local/bin/confd-client.plx country_name_to_code \"",{ "Ref": "05Country" },"\"`\n",
"echo \"{ hostname => '", { "Ref": "03Hostname" }, "', organization => '", { "Ref": "07Organization"}, "', city => '", { "Ref" : "04City" },"', country => '$cc', email => '", { "Ref": "06Email" }, "', password => '", { "Ref": "08AdminPassword" }, "' }\" > /var/confd/var/storage/setup.ph\n",
"/etc/init.d/confd restart\n",
"sleep 5\n",
"echo 'elastic_ip: \"",
{ "Fn::If" : [
"AllocateElasticIP",
{ "Ref" : "IPAddress" },
{ "Ref" : "ExistingElasticIP" }
]
},"\"' >> /etc/cloud/user_data.yml\n",
"echo 's3_bucket: \"",
{ "Fn::If" : [
"CreateS3Bucket",
{ "Ref" : "S3Bucket" },
{ "Ref" : "ExistingS3Bucket" }
]
},"\"' >> /etc/cloud/user_data.yml\n",
"echo 'stack_name: \"", { "Ref": "AWS::StackName"} ,"\"' >> /etc/cloud/user_data.yml\n",
"date +'UserData confd config start %c' >> /tmp/user_data.log\n",
"echo '{' > /tmp/user_data.config\n",
"echo '\"cloudwatch\" => { \"status\" => 1 },' >> /tmp/user_data.config\n",
"echo '\"confd\" => { \"backup\" => 1, \"backup_interval\" => 300, \"restore\" => 1, \"restore_done\" => 0 },' >> /tmp/user_data.config\n",
"echo '\"instance_role\" => \"ha_standalone\",' >> /tmp/user_data.config\n",
"echo '\"postgres\" => { \"archive_timeout\" => 300, \"backup\" => 1, \"base_backup_interval\" => 3600, \"restore\" => 1 },' >> /tmp/user_data.config\n",
"echo '\"syslog\" => { \"backup\" => 1, \"restore\" => 1, \"restore_period\" => 8 },' >> /tmp/user_data.config\n",
"echo '\"s3_bucket\" => \"",
{ "Fn::If" : [
"CreateS3Bucket",
{ "Ref" : "S3Bucket" },
{ "Ref" : "ExistingS3Bucket" }
]
},"\",' >> /tmp/user_data.config\n",
"echo '\"stack_name\" => \"", { "Ref": "AWS::StackName"},"\",' >> /tmp/user_data.config\n",
"echo '\"elastic_ip\" => \"",
{ "Fn::If" : [
"AllocateElasticIP",
{ "Ref" : "IPAddress" },
{ "Ref" : "ExistingElasticIP" }
]
}, "\",' >> /tmp/user_data.config\n",
"echo '\"trusted_network\" => \"", { "Ref": "10TrustedNetwork"},"\"' >> /tmp/user_data.config\n",
"echo '}' >> /tmp/user_data.config\n",
"/usr/local/bin/confd-client.plx -noquote -stdin set \\'ha\\' \\'aws\\' < /tmp/user_data.config >> /tmp/user_data.log\n",
"date +'UserData confd config end %c' >> /tmp/user_data.log\n",
"date +'UserData ha aws start %c' >> /tmp/user_data.log\n",
"/etc/init.d/ha_aws start\n",
"date +'UserData awslogs agent setup start %c' >> /tmp/user_data.log\n",
"/usr/local/bin/awslogs-agent-setup-v1.0.py -n -r ", { "Ref" : "AWS::Region" }, " -c /etc/cloud/awslogs.conf >> /tmp/user_data.log\n",
"date +'UserData awslogs agent setup end %c' >> /tmp/user_data.log\n",
"/usr/local/bin/confd-client.plx trigger ha_aws\n",
"exit 0\n"
] ] } }
}
},
"IngressTrafficMinimal": {
"Type": "AWS::CloudWatch::Alarm",
"Properties": {
"AlarmDescription": "Terminate if the incoming traffic is suspiciously low",
"MetricName": "NetworkIn",
"Namespace": "AWS/EC2",
"Statistic": "Sum",
"Period": "60",
"EvaluationPeriods": "2",
"Threshold": "100",
"AlarmActions": [ { "Ref": "UnhealthyTopic" } ],
"Dimensions": [{
"Name": "AutoScalingGroupName",
"Value": { "Ref": "UTMScalingGroup" }
}],
"ComparisonOperator": "LessThanThreshold"
}
},
"EgressTrafficMinimal": {
"Type": "AWS::CloudWatch::Alarm",
"Properties": {
"AlarmDescription": "Terminate if the outgoing traffic is suspiciously low",
"MetricName": "NetworkOut",
"Namespace": "AWS/EC2",
"Statistic": "Sum",
"Period": "60",
"EvaluationPeriods": "2",
"Threshold": "100",
"AlarmActions": [ { "Ref": "UnhealthyTopic" } ],
"Dimensions": [ {
"Name": "AutoScalingGroupName",
"Value": { "Ref": "UTMScalingGroup" }
}],
"ComparisonOperator": "LessThanThreshold"
}
},
"UnhealthyTopic": {
"Type": "AWS::SNS::Topic",
"Properties": {
"Subscription": [{
"Endpoint": { "Ref": "06Email" },
"Protocol": "email"
}]
}
}
},
"Outputs" : {
"PublicIPAddress" : {
"Value" : { "Ref" : "IPAddress" },
"Description" : "Use this IP to connect and to forward traffic to the UTM."
},
"ScalingGroup" : {
"Value" : { "Ref": "UTMScalingGroup" },
"Description" : "The HA Scaling group."
},
"S3Bucket" : {
"Value" : { "Ref": "S3Bucket" },
"Description" : "The S3 Bucket."
}
}
}

https://www.sophos.com/en-us/support/knowledgebase/122202.aspx
from the looks of it confd-client.plx does most of the magic (via the user_data.config that is builds as you've guessed in the user data portion).
The UTMRole has the permissions to basically bind the elastic ip to the instance.
as a side note, you cannot (easily) associate elastic IPs to autoscalling groups (because by their nature they are ephemeral). The autoscalling is basically associated with the LaunchConfig in the template.
also as a side note this is highly specific to the Sophos stuff and it's not how one would typically go about using Cloudformation on AWS.