1,008 changes: 1,008 additions & 0 deletions e2b-setup-env-existing-vpc.yml


281 changes: 257 additions & 24 deletions e2b-setup-env.yml
Expand Up @@ -17,6 +17,7 @@ Metadata:
- PublicSubnet2Block
- PrivateSubnet1Block
- PrivateSubnet2Block
- PublicAccess
- Label:
default: Security Configuration
Parameters:
Expand Down Expand Up @@ -49,7 +50,7 @@ Metadata:
# Parameters - Input values required for the E2B infrastructure deployment
# ===================================================================================================
Parameters:
# Architecture Configuration - Choose CPU architecture
# E2B Environment Configuration
Environment:
Description: "E2B Environment"
Type: String
Expand Down Expand Up @@ -101,6 +102,14 @@ Parameters:
Default: 10.0.48.0/20
Description: CIDR block for private subnet in Availability Zone 2 (provides 4,096 IP addresses for internal resources)

PublicAccess:
Type: String
Description: Specify whether public or private access to E2B
AllowedValues:
- Public
- Private
Default: Public

# Bastion Configuration - Settings for the deployment and management server
KeyName:
Description: EC2 Key Pair name for SSH access to the bastion host (deployment server)
Expand Down Expand Up @@ -378,9 +387,245 @@ Resources:
Action:
- sts:AssumeRole
ManagedPolicyArns:
- arn:aws:iam::aws:policy/PowerUserAccess
- arn:aws:iam::aws:policy/IAMFullAccess
Description: IAM role granting EC2 instances permissions to manage E2B infrastructure resources
- arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
Policies:
- PolicyName: E2BDeploymentPolicy
PolicyDocument:
Version: "2012-10-17"
Statement:
- Sid: S3Access
Effect: Allow
Action:
- s3:CreateBucket
- s3:DeleteBucket
- s3:GetObject
- s3:PutObject
- s3:DeleteObject
- s3:ListBucket
- s3:GetBucketLocation
- s3:GetBucketVersioning
- s3:PutBucketVersioning
- s3:PutBucketPolicy
- s3:GetBucketPolicy
- s3:PutBucketTagging
- s3:GetBucketTagging
- s3:PutEncryptionConfiguration
- s3:GetEncryptionConfiguration
- s3:PutBucketPublicAccessBlock
- s3:GetBucketPublicAccessBlock
- s3:GetBucketAcl
- s3:PutBucketAcl
- s3:GetBucketCors
- s3:PutBucketCors
- s3:GetBucketWebsite
- s3:PutBucketWebsite
- s3:GetAccelerateConfiguration
- s3:PutAccelerateConfiguration
- s3:GetBucketRequestPayment
- s3:PutBucketRequestPayment
- s3:GetBucketLogging
- s3:PutBucketLogging
- s3:GetLifecycleConfiguration
- s3:PutLifecycleConfiguration
- s3:GetReplicationConfiguration
- s3:PutReplicationConfiguration
- s3:GetBucketObjectLockConfiguration
- s3:PutBucketObjectLockConfiguration
- s3:GetObjectTagging
- s3:PutObjectTagging
Resource:
- "arn:aws:s3:::*e2b*"
- "arn:aws:s3:::*e2b*/*"
- "arn:aws:s3:::terraform-*"
- "arn:aws:s3:::terraform-*/*"
- "arn:aws:s3:::software-*"
- "arn:aws:s3:::software-*/*"
- Sid: SecretsManagerAccess
Effect: Allow
Action:
- secretsmanager:CreateSecret
- secretsmanager:GetSecretValue
- secretsmanager:PutSecretValue
- secretsmanager:DeleteSecret
- secretsmanager:DescribeSecret
- secretsmanager:GetResourcePolicy
- secretsmanager:TagResource
- secretsmanager:UntagResource
- secretsmanager:UpdateSecret
Resource: !Sub "arn:aws:secretsmanager:*:${AWS::AccountId}:secret:*e2b*"
- Sid: EC2PackerAccess
Effect: Allow
Action:
- ec2:AttachVolume
- ec2:AuthorizeSecurityGroupIngress
- ec2:AuthorizeSecurityGroupEgress
- ec2:CopyImage
- ec2:CreateImage
- ec2:CreateKeypair
- ec2:CreateSecurityGroup
- ec2:CreateSnapshot
- ec2:CreateTags
- ec2:CreateVolume
- ec2:CreateLaunchTemplate
- ec2:CreateLaunchTemplateVersion
- ec2:CreateNetworkInterface
- ec2:DeleteKeyPair
- ec2:DeleteSecurityGroup
- ec2:DeleteSnapshot
- ec2:DeleteVolume
- ec2:DeleteLaunchTemplate
- ec2:DeleteNetworkInterface
- ec2:DeregisterImage
- ec2:DescribeImageAttribute
- ec2:DescribeImages
- ec2:DescribeInstances
- ec2:DescribeInstanceStatus
- ec2:DescribeRegions
- ec2:DescribeSecurityGroups
- ec2:DescribeSnapshots
- ec2:DescribeSubnets
- ec2:DescribeTags
- ec2:DescribeVolumes
- ec2:DescribeLaunchTemplates
- ec2:DescribeLaunchTemplateVersions
- ec2:DescribeVpcs
- ec2:DescribeAvailabilityZones
- ec2:DescribeKeyPairs
- ec2:DescribeNetworkInterfaces
- ec2:DetachVolume
- ec2:GetPasswordData
- ec2:ModifyImageAttribute
- ec2:ModifyInstanceAttribute
- ec2:ModifySnapshotAttribute
- ec2:ModifyLaunchTemplate
- ec2:RegisterImage
- ec2:RunInstances
- ec2:StopInstances
- ec2:TerminateInstances
- ec2:RevokeSecurityGroupIngress
- ec2:RevokeSecurityGroupEgress
Resource: "*"
- Sid: AutoScalingAndELB
Effect: Allow
Action:
- autoscaling:*
- elasticloadbalancing:*
Resource: "*"
- Sid: ECRAccess
Effect: Allow
Action:
- ecr:GetAuthorizationToken
- ecr:BatchCheckLayerAvailability
- ecr:GetDownloadUrlForLayer
- ecr:BatchGetImage
- ecr:PutImage
- ecr:InitiateLayerUpload
- ecr:UploadLayerPart
- ecr:CompleteLayerUpload
- ecr:CreateRepository
- ecr:DeleteRepository
- ecr:DescribeRepositories
- ecr:ListImages
- ecr:DescribeImages
- ecr:TagResource
Resource:
- "*"
- !Sub "arn:aws:ecr:*:${AWS::AccountId}:repository/e2b-*"
- Sid: IAMAccess
Effect: Allow
Action:
- iam:CreateRole
- iam:DeleteRole
- iam:GetRole
- iam:ListRoles
- iam:UpdateRole
- iam:TagRole
- iam:UntagRole
- iam:CreateInstanceProfile
- iam:DeleteInstanceProfile
- iam:GetInstanceProfile
- iam:ListInstanceProfiles
- iam:ListInstanceProfilesForRole
- iam:AddRoleToInstanceProfile
- iam:RemoveRoleFromInstanceProfile
- iam:CreatePolicy
- iam:DeletePolicy
- iam:GetPolicy
- iam:GetPolicyVersion
- iam:ListPolicies
- iam:ListPolicyVersions
- iam:ListAttachedRolePolicies
- iam:AttachRolePolicy
- iam:DetachRolePolicy
- iam:PutRolePolicy
- iam:GetRolePolicy
- iam:DeleteRolePolicy
- iam:ListRolePolicies
- iam:TagPolicy
- iam:UntagPolicy
Resource:
- !Sub "arn:aws:iam::${AWS::AccountId}:role/*e2b*"
- !Sub "arn:aws:iam::${AWS::AccountId}:instance-profile/*e2b*"
- !Sub "arn:aws:iam::${AWS::AccountId}:policy/*e2b*"
- Sid: IAMAttachAWSManagedPolicy
Effect: Allow
Action:
- iam:AttachRolePolicy
- iam:DetachRolePolicy
Resource: !Sub "arn:aws:iam::${AWS::AccountId}:role/*e2b*"
Condition:
ArnEquals:
iam:PolicyARN:
- arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
- arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy
- arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
- arn:aws:iam::aws:policy/AmazonEC2FullAccess
- arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess
- arn:aws:iam::aws:policy/AmazonS3FullAccess
- arn:aws:iam::aws:policy/SecretsManagerReadWrite
- arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role
- Sid: IAMPassRole
Effect: Allow
Action:
- iam:PassRole
Resource: !Sub "arn:aws:iam::${AWS::AccountId}:role/*e2b*"
Condition:
StringEquals:
iam:PassedToService:
- ec2.amazonaws.com
- ecs-tasks.amazonaws.com
- Sid: LogsAndMonitoring
Effect: Allow
Action:
- logs:*
- cloudwatch:*
Resource: "*"
- Sid: ElastiCacheAccess
Effect: Allow
Action:
- elasticache:DescribeCacheClusters
- elasticache:DescribeServerlessCaches
Resource: "*"
- Sid: CloudFormation
Effect: Allow
Action:
- cloudformation:DescribeStacks
- cloudformation:ListStacks
Resource: "*"
- Sid: SSMAccess
Effect: Allow
Action:
- ssm:GetParameter*
- ssm:PutParameter
- ssm:DeleteParameter
- ssm:DescribeParameters
Resource: !Sub "arn:aws:ssm:*:${AWS::AccountId}:parameter/*e2b*"
- Sid: STSAccess
Effect: Allow
Action:
- sts:GetCallerIdentity
Resource: "*"
Description: IAM role with complete permissions for E2B infrastructure deployment including Packer and Terraform

EC2InstanceProfile:
Type: AWS::IAM::InstanceProfile
Expand Down Expand Up @@ -550,7 +795,7 @@ Resources:
Properties:
InstanceType: !If
- IsX64
- c7i.xlarge
- c6i.xlarge
- c7g.xlarge
KeyName: !Ref KeyName
IamInstanceProfile: !Ref EC2InstanceProfile
Expand Down Expand Up @@ -697,25 +942,6 @@ Resources:
# Outputs - Values exported after stack creation for reference by other stacks
# ===================================================================================================
Outputs:
# Availability Zone outputs
CFNAZ1:
Description: First Availability Zone used for high availability deployment
Value: !Select
- "0"
- !GetAZs
Ref: AWS::Region
Export:
Name: CFNAZ1

CFNAZ2:
Description: Second Availability Zone used for high availability deployment
Value: !Select
- "1"
- !GetAZs
Ref: AWS::Region
Export:
Name: CFNAZ2

# Database outputs
DBEndpoint:
Description: Aurora PostgreSQL database connection endpoint address
Expand Down Expand Up @@ -745,6 +971,13 @@ Outputs:
Export:
Name: CFNVPCCIDR

# Public Access Configuration
CFNPUBLICACCESS:
Description: Public or Private access configuration
Value: !Ref PublicAccess
Export:
Name: CFNPUBLICACCESS

# Subnet outputs
CFNPRIVATESUBNET1:
Description: Private Subnet ID in first availability zone for secure resources
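Review bot: The `ArnEquals` allow-list on `iam:PolicyARN` in the IAMAttachAWSManagedPolicy statement never constrains anything, because the IAMAccess statement above it already grants `iam:AttachRolePolicy` and `iam:DetachRolePolicy` on the same `role/*e2b*` resources with no condition and Allow statements are additive; removing those two actions from IAMAccess makes the conditioned statement the only grant. The same shadowing appears in ECRAccess, where `Resource` lists `"*"` next to the scoped `repository/e2b-*` ARN, so the scope is a no-op — only `ecr:GetAuthorizationToken` needs `"*"`, and it can be split into its own statement as below. Even after those two fixes, `iam:CreateRole` plus `iam:PutRolePolicy` on `role/*e2b*` plus `iam:PassRole` to `ec2.amazonaws.com` still lets this role define arbitrary inline permissions on a role it then hands to an instance, so the trailing `Description` should say the role is deployment-scoped rather than least-privilege, or a permissions boundary should be attached. The role's `AssumeRolePolicyDocument` starts above the hunk.
```yaml
# … unchanged: S3Access, SecretsManagerAccess, EC2PackerAccess, AutoScalingAndELB …
- Sid: ECRAuthToken
  Effect: Allow
  Action:
    - ecr:GetAuthorizationToken
  Resource: "*"
- Sid: ECRAccess
  Effect: Allow
  Action:
    - ecr:BatchCheckLayerAvailability
    # … unchanged: the remaining ecr:* actions from the original list …
    - ecr:TagResource
  Resource: !Sub "arn:aws:ecr:*:${AWS::AccountId}:repository/e2b-*"
# … unchanged: IAMAccess (with iam:AttachRolePolicy / iam:DetachRolePolicy removed), IAMAttachAWSManagedPolicy, IAMPassRole, … …
```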
8 changes: 8 additions & 0 deletions infra-iac/init.sh
Expand Up @@ -34,6 +34,14 @@ setup_environment() {
REGION=$(aws configure get region)
echo "AWSREGION=$REGION" >> /opt/config.properties


SUBNET1=$(grep "^CFNPRIVATESUBNET1=" /opt/config.properties | cut -d= -f2)
SUBNET2=$(grep "^CFNPRIVATESUBNET2=" /opt/config.properties | cut -d= -f2)
AZ1=$(aws ec2 describe-subnets --subnet-ids $SUBNET1 --query 'Subnets[*].[AvailabilityZone]' --output text)
AZ2=$(aws ec2 describe-subnets --subnet-ids $SUBNET2 --query 'Subnets[*].[AvailabilityZone]' --output text)
echo "CFNAZ1=$AZ1" >> /opt/config.properties
echo "CFNAZ2=$AZ2" >> /opt/config.properties

# Verification output
echo "=== Exported Variables ==="
cat /opt/config.properties
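Review bot: The two `aws ec2 describe-subnets` calls expand `$SUBNET1` and `$SUBNET2` unquoted and unchecked, so if the `grep` for `CFNPRIVATESUBNET1`/`CFNPRIVATESUBNET2` finds nothing the command runs with an empty `--subnet-ids` value and `CFNAZ1=`/`CFNAZ2=` are appended to /opt/config.properties as empty values; the later `cat` shows this but nothing fails. Quote the expansions and fail early, e.g. after the first assignment add `[ -n "$SUBNET1" ] || { echo "CFNPRIVATESUBNET1 missing from /opt/config.properties" >&2; return 1; }` and the same for `SUBNET2`, then use `--subnet-ids "$SUBNET1"`. The extra blank line added above the block duplicates the one already there. `setup_environment` starts above the hunk and continues below it.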
2 changes: 2 additions & 0 deletions infra-iac/packer/main.pkr.hcl
Expand Up @@ -12,6 +12,8 @@ source "amazon-ebs" "orch" {
ami_name = "e2b-ubuntu-ami-${formatdate("YYYY-MM-DD-hh-mm-ss", timestamp())}"
instance_type = var.architecture == "x86_64" ? "t3.xlarge" : "t4g.xlarge"
region = var.aws_region
vpc_id = var.vpc_id
subnet_id = var.subnet_id

source_ami_filter {
filters = {
6 changes: 5 additions & 1 deletion infra-iac/packer/packer.sh
Expand Up @@ -50,4 +50,8 @@ sleep 10

echo "Starting Packer build with architecture: ${ARCHITECTURE}"

packer build -only=amazon-ebs.orch -var "aws_region=${AWS_REGION}" -var "architecture=${ARCHITECTURE}" .
VPC_ID=$(grep "^CFNVPCID=" "$CONFIG_FILE" | cut -d'=' -f2)
SUBNET_ID=$(grep "^CFNPRIVATESUBNET1=" "$CONFIG_FILE" | cut -d'=' -f2)
echo "Using VPC: ${VPC_ID}"
echo "Using Subnet: ${SUBNET_ID}"
packer build -only=amazon-ebs.orch -var "aws_region=${AWS_REGION}" -var "architecture=${ARCHITECTURE}" -var "vpc_id=${VPC_ID}" -var "subnet_id=${SUBNET_ID}" .
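Review bot: `VPC_ID` and `SUBNET_ID` are read from `$CONFIG_FILE` with no check that the keys exist, so a missing `CFNVPCID` or `CFNPRIVATESUBNET1` line passes `-var "vpc_id="` and `-var "subnet_id="` to Packer; whether the plugin then falls back to a default VPC or errors is not visible here, but either way the two `echo` lines print empty values without stopping the build. Guard both before the `packer build` line with `: "${VPC_ID:?CFNVPCID not found in ${CONFIG_FILE}}"` and `: "${SUBNET_ID:?CFNPRIVATESUBNET1 not found in ${CONFIG_FILE}}"`. The same `grep "^KEY=" | cut -d= -f2` pattern is repeated in infra-iac/init.sh with different quoting; a small shared `cfg_get KEY` helper would keep the two in step. `CONFIG_FILE` is assigned above the hunk.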
10 changes: 10 additions & 0 deletions infra-iac/packer/variables.pkr.hcl
Expand Up @@ -36,6 +36,16 @@ variable "image_family" {
default = "e2b-orch"
}

variable "vpc_id" {
type = string
default = ""
}

variable "subnet_id" {
type = string
default = ""
}

variable "consul_version" {
type = string
default = "1.16.2"
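Review bot: The new `vpc_id` and `subnet_id` variables carry no `description` and default to `""`, so omitting them is silent rather than an error, unlike the value-bearing defaults on the neighbouring `image_family` and `consul_version`. Add `description = "VPC the build instance is launched in (CFNVPCID from config.properties)"` and `description = "Subnet for the build instance (CFNPRIVATESUBNET1 from config.properties)"`, and consider dropping the empty defaults so that a build without them is refused up front instead of being launched with whatever the plugin treats an empty string as.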