cloudformation/ec2imagebuilderpipeline.yaml

# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
AWSTemplateFormatVersion: 2010-09-09
Description: Automated Image Builder for ec2 instances

Parameters:
  BuildInstanceType:
    Type: CommaDelimitedList
    Default: "t3.xlarge"
    Description: Instance Type
  S3AnsibleBucket:
    Type: String
    Description: Enter bucketname that contains ansible playbooks
    Default: ec2-compliance-dev-123456789
  S3BucketPrefix:
    Type: String
    Description: Enter bucket prefix
    Default: ec2
  PlaybookFileName:
    Type: String
    Description: Enter playbook filename
    Default: playbook.yml

Resources:

  ImageBuilderLogBucket:
    Type: AWS::S3::Bucket
  InstanceRole:
    Type: AWS::IAM::Role
    Metadata:
      Comment: Role to be used by instance during image build.
    Properties:
      ManagedPolicyArns:
        - Fn::Sub: arn:${AWS::Partition}:iam::aws:policy/AWSImageBuilderFullAccess
        - Fn::Sub: arn:${AWS::Partition}:iam::aws:policy/EC2InstanceProfileForImageBuilder
        - Fn::Sub: arn:${AWS::Partition}:iam::aws:policy/AmazonS3ReadOnlyAccess
        - Fn::Sub: arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore
        - Fn::Sub: arn:${AWS::Partition}:iam::aws:policy/CloudWatchAgentServerPolicy
      AssumeRolePolicyDocument:
        Statement:
          - Action:
              - sts:AssumeRole
            Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
        Version: "2012-10-17"
      Path: /executionServiceEC2Role/
  InstanceRoleLoggingPolicy:
    Type: AWS::IAM::Policy
    Metadata:
      Comment: Allows the instance to save log files to an S3 bucket.
    Properties:
      PolicyName: ImageBuilderLogBucketPolicy
      Roles:
        - Ref: InstanceRole
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Action:
              - s3:PutObject
            Effect: Allow
            Resource:
              - Fn::Sub:
                  - arn:${AWS::Partition}:s3:::${BUCKET}/*
                  - BUCKET:
                      Ref: ImageBuilderLogBucket
  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: /executionServiceEC2Role/
      Roles:
        - Ref: InstanceRole
  Amazon2ImageInfrastructureConfiguration:
    Type: AWS::ImageBuilder::InfrastructureConfiguration
    Properties:
      Name: Amazon2-Infrastructure-Configuration
      Description: Standard Intrastructure Configuration
      InstanceProfileName:
        Ref: InstanceProfile
      InstanceTypes:
        Ref: BuildInstanceType
      Logging:
        S3Logs:
          S3BucketName:
            Ref: ImageBuilderLogBucket
          S3KeyPrefix: !Join [ "-", [ 'imagebuilder', !Ref "AWS::StackName" ] ]
  InstallAnsibleComponent:
    Type: AWS::ImageBuilder::Component
    Properties:
      Name: Ansible
      Version: 0.0.1
      Description: Install Ansible Playbook
      ChangeDescription: First version
      Platform: Linux
      Data: !Sub |
        name: ‘CIS Hardening using Ansbile on Amazon Linux 2’
        description: ‘CIS Hardening Level 1 using Ansible.’
        schemaVersion: 1.0
        phases:
          - name: build
            steps:
              - name: InstallAnsible
                action: ExecuteBash
                inputs:
                  commands:
                  - sudo amazon-linux-extras install -y ansible2
                  - sudo yum install selinux-policy selinux-policy-targeted policycoreutils-python -y
              - name: DownloadPlaybook
                action: S3Download
                inputs:
                  - source: s3://${S3AnsibleBucket}/${S3BucketPrefix}/*
                    destination: /tmp/
              - name: InvokeAnsible
                action: ExecuteBash
                inputs:
                  commands:
                  - ansible-playbook /tmp/${PlaybookFileName}
  Amazon2AnsibleImageRecipe:
    Type: AWS::ImageBuilder::ImageRecipe
    Properties:
      Name: Ansible
      Version: 0.0.1
      ParentImage:
        Fn::Sub: arn:${AWS::Partition}:imagebuilder:${AWS::Region}:aws:image/amazon-linux-2-x86/x.x.x
      Components:
        - ComponentArn: 
            Fn::Sub: arn:aws:imagebuilder:${AWS::Region}:aws:component/amazon-cloudwatch-agent-linux/1.0.0
        - ComponentArn: 
            Fn::Sub: arn:aws:imagebuilder:${AWS::Region}:aws:component/reboot-linux/1.0.0
        - ComponentArn:
            Ref: InstallAnsibleComponent
  AnsibleDistributionConfiguration:
    Type: 'AWS::ImageBuilder::DistributionConfiguration'
    Properties:
      Name: Ansible-Distribution
      Description: 'Local region distribution'
      Distributions:
        - Region: 
            Fn::Sub: ${AWS::Region}
          AmiDistributionConfiguration:
            Name: 'ansible {{ imagebuilder:buildDate }}'
            Description: 'Ansible'
            AmiTags:
              AmiTagKey: 'ami-tag-key'
  AnsibleImagePipeline:
    Type: 'AWS::ImageBuilder::ImagePipeline'
    Properties:
      Name: 'CISHardenedAMI'
      Description: 'CIS Hardened image using Ansible'
      ImageRecipeArn: !Ref Amazon2AnsibleImageRecipe
      InfrastructureConfigurationArn: !Ref Amazon2ImageInfrastructureConfiguration
      DistributionConfigurationArn: !Ref AnsibleDistributionConfiguration
      Status: 'ENABLED'