template.yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  Example architecture to deploy the application in AWS.
  Assumes a us-east-1 AMI.
  SAM template that creates an EC2 instance, an internal ALB with a target group on port 5001,
  and security groups that allow access over port 5001.
  You will need to restrict access to the ALB to specific IP ranges in ALBSecurityGroup.
  Don't run this application publicly unless you are generous with your API bill.
Parameters:
  CertificateArn:
    Type: String
    Description: The ARN of the certificate to attach to the ALB listener.
  VPCId:
    Type: AWS::EC2::VPC::Id
    Description: The VPC ID where the resources will be deployed.
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
    Description: The list of Subnet IDs for the ALB.
  KeyPairName:
    Type: AWS::EC2::KeyPair::KeyName
    Description: The name of the EC2 KeyPair to allow SSH access to the instance.
  S3BucketName:
    Type: String
    Description: The name of the S3 bucket to which the instance will have read access.
Resources:
  EC2InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security Group for EC2 instance
      VpcId: !Ref VPCId
      SecurityGroupIngress:
        # Application port, reachable only from the ALB's security group.
        - IpProtocol: tcp
          FromPort: 5001
          ToPort: 5001
          SourceSecurityGroupId: !Ref ALBSecurityGroup
        # Allows all protocols and ports from this CIDR (the default-VPC range).
        # If the VPC uses this range, this rule supersedes the port-5001 rule above
        # and also exposes SSH (port 22) to every host in the VPC; narrow it before use.
        - IpProtocol: '-1'
          CidrIp: 172.31.0.0/16
  ExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: BedrockInvokeModelPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Resource "*" permits invoking any Bedrock model; it can be scoped
              # to the foundation-model ARN(s) the application actually uses.
              - Sid: "InvokeModel"
                Effect: "Allow"
                Action:
                  - "bedrock:InvokeModel"
                Resource: "*"
              - Sid: "InvokeModelWithResponseStream"
                Effect: "Allow"
                Action:
                  - "bedrock:InvokeModelWithResponseStream"
                Resource: "*"
        - PolicyName: S3BucketReadOnlyPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Read-only access scoped to the one bucket (ListBucket needs the bucket ARN,
              # GetObject needs the object ARNs).
              - Sid: "S3BucketRead"
                Effect: "Allow"
                Action:
                  - "s3:GetObject"
                  - "s3:ListBucket"
                Resource:
                  - !Sub "arn:aws:s3:::${S3BucketName}"
                  - !Sub "arn:aws:s3:::${S3BucketName}/*"
  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref ExecutionRole
  EC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      # Hard-coded AMI ID; valid only in us-east-1 (see Description).
      ImageId: ami-0fc5d935ebf8bc3bc
      IamInstanceProfile: !Ref InstanceProfile
      InstanceType: t3.small
      KeyName: !Ref KeyPairName
      SecurityGroupIds:
        - !Ref EC2InstanceSecurityGroup
      SubnetId: !Select [0, !Ref SubnetIds]
  ALBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security Group for ALB
      VpcId: !Ref VPCId
      SecurityGroupIngress:
        # Allows all protocols and ports from this CIDR. Restrict to tcp/443 from the
        # client ranges that should reach the ALB.
        - IpProtocol: '-1'
          CidrIp: 172.31.0.0/16
  LoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Subnets: !Ref SubnetIds
      # Internal scheme: the ALB gets private addresses and is not reachable from the internet.
      Scheme: internal
      SecurityGroups:
        - !Ref ALBSecurityGroup
  Listener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref TargetGroup
      LoadBalancerArn: !Ref LoadBalancer
      Port: 443
      Protocol: HTTPS
      Certificates:
        - CertificateArn: !Ref CertificateArn
  TargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      # TLS terminates at the ALB; ALB-to-instance traffic is plain HTTP inside the VPC.
      Port: 5001
      Protocol: HTTP
      VpcId: !Ref VPCId
      HealthCheckProtocol: HTTP
      HealthCheckPort: '5001'
      HealthCheckPath: '/'
Outputs:
  EC2InstanceId:
    Description: The Instance ID of the EC2 instance
    Value: !Ref EC2Instance
  LoadBalancerDNSName:
    Description: The DNS name of the ALB
    Value: !GetAtt LoadBalancer.DNSName
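The following is an added review check, not part of the original template or its project. It lints the two security groups and the instance role for the issues a reviewer would raise on this template: all-traffic ingress rules, rules shadowed by an all-traffic CIDR rule, and Allow statements on Resource "*". It operates on the template already parsed into Python dicts (for a real file, load it with PyYAML using a loader that accepts the !Ref/!Sub/!Select tags, which is not shown here); TEMPLATE is a constructed subset of the page's resources with intrinsic functions resolved to plain strings, HARDENED is a constructed corrected variant, and the VPC CIDR (172.31.0.0/16, the default-VPC range) and the admin range 10.20.0.0/24 are assumptions.

```python
"""Static checks for the security groups and IAM role in a CloudFormation/SAM template.

Added example (not the project's code). TEMPLATE mirrors the page's resources with
!Ref/!Sub resolved to strings; HARDENED is a constructed corrected variant.
"""
from ipaddress import ip_network

SG = "AWS::EC2::SecurityGroup"

# Constructed from the page: the weak configuration.
TEMPLATE = {"Resources": {
    "EC2InstanceSecurityGroup": {"Type": SG, "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 5001, "ToPort": 5001,
         "SourceSecurityGroupId": "ALBSecurityGroup"},
        {"IpProtocol": "-1", "CidrIp": "172.31.0.0/16"}]}},
    "ALBSecurityGroup": {"Type": SG, "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "-1", "CidrIp": "172.31.0.0/16"}]}},
    "ExecutionRole": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [
        {"PolicyName": "BedrockInvokeModelPolicy", "PolicyDocument": {"Statement": [
            {"Sid": "InvokeModel", "Effect": "Allow",
             "Action": ["bedrock:InvokeModel"], "Resource": "*"},
            {"Sid": "InvokeModelWithResponseStream", "Effect": "Allow",
             "Action": ["bedrock:InvokeModelWithResponseStream"], "Resource": "*"}]}},
        {"PolicyName": "S3BucketReadOnlyPolicy", "PolicyDocument": {"Statement": [
            {"Sid": "S3BucketRead", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:ListBucket"],
             "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]}},
    ]}},
}}

# Constructed corrected variant: ALB reachable only on tcp/443 from an assumed admin
# range inside the VPC; the instance only on tcp/5001 from the ALB's group.
HARDENED = {"Resources": {
    "ALBSecurityGroup": {"Type": SG, "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "10.20.0.0/24"}]}},
    "EC2InstanceSecurityGroup": {"Type": SG, "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 5001, "ToPort": 5001,
         "SourceSecurityGroupId": "ALBSecurityGroup"}]}},
}}


def _as_list(value):
    """IAM allows Action/Resource as a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_security_groups(template, vpc_cidr="172.31.0.0/16"):
    """Return (resource, message) findings for over-broad or shadowed ingress rules.

    vpc_cidr is the VPC's address range (the template only carries a VPC ID), used to
    decide whether an all-traffic CIDR rule already covers in-VPC sources.
    """
    vpc = ip_network(vpc_cidr)
    findings = []
    for name, res in template["Resources"].items():
        if res.get("Type") != SG:
            continue
        rules = res.get("Properties", {}).get("SecurityGroupIngress", [])
        open_cidrs = []  # CIDRs from which all protocols/ports are allowed
        for rule in rules:
            src = rule.get("CidrIp") or rule.get("CidrIpv6") or rule.get("SourceSecurityGroupId")
            if rule.get("CidrIp") and ip_network(rule["CidrIp"]).prefixlen == 0:
                findings.append((name, f"ingress from the whole internet ({src})"))
            if str(rule.get("IpProtocol")) == "-1":
                findings.append((name, f"all protocols and ports open from {src}"))
                if rule.get("CidrIp"):
                    open_cidrs.append(ip_network(rule["CidrIp"]))
        # A port-scoped rule whose source is another security group (so the traffic
        # originates inside the VPC) is redundant once an all-traffic CIDR rule on the
        # same group covers the VPC range.
        for rule in rules:
            if str(rule.get("IpProtocol")) != "-1" and rule.get("SourceSecurityGroupId"):
                for net in open_cidrs:
                    if vpc.subnet_of(net):
                        findings.append((name, f"{rule['IpProtocol']} {rule.get('FromPort')}-"
                                         f"{rule.get('ToPort')} from {rule['SourceSecurityGroupId']} "
                                         f"is shadowed by all-traffic rule for {net}"))
    return findings


def lint_iam_policies(template):
    """Flag Allow statements that use Resource '*' or a wildcard action."""
    findings = []
    for name, res in template["Resources"].items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        for policy in res.get("Properties", {}).get("Policies", []):
            for stmt in policy["PolicyDocument"].get("Statement", []):
                if stmt.get("Effect") != "Allow":
                    continue
                label = f"{policy['PolicyName']}/{stmt.get('Sid')}"
                actions = _as_list(stmt.get("Action", []))
                if "*" in _as_list(stmt.get("Resource", [])):
                    findings.append((name, f"{label}: {', '.join(actions)} on Resource '*'"))
                if any(a == "*" or a.endswith(":*") for a in actions):
                    findings.append((name, f"{label}: wildcard action"))
    return findings


if __name__ == "__main__":
    for finding in lint_security_groups(TEMPLATE) + lint_iam_policies(TEMPLATE):
        print("%-26s %s" % finding)
    print("hardened variant findings:", lint_security_groups(HARDENED))
```

Against the page's template the check reports both all-traffic rules, that the port-5001 rule on the instance group is shadowed by the 172.31.0.0/16 rule (so the ALB-only intent is not enforced), and the two Bedrock statements on Resource "*"; the hardened variant produces no findings. Bedrock's InvokeModel actions support resource-level permissions, so those statements can be scoped to the foundation-model ARN(s) the application actually calls rather than "*".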