AWS Amazon EC2 Template
This page shows how to write Terraform and CloudFormation for an Amazon EC2 launch template, and how to write them securely.
aws_launch_template (Terraform)
The launch template in Amazon EC2 can be configured in Terraform with the resource name aws_launch_template. The following sections describe 5 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "aws_launch_template" "noncompliantawstemplate1" { # Noncompliant {{Make sure that using public IP address is safe here.}}
#        ^^^^^^^^^^^^^^^^^^^^^
}
resource "aws_launch_template" "noncompliantawstemplate2" {
#        ^^^^^^^^^^^^^^^^^^^^^> {{Related template}}

resource "aws_launch_template" "nf_lt_standard" {
  name = "nextflow-launchtemplate-standard"
  tags = var.default_tags
  # ccdl-nextflow-base-v2.0 image
  image_id = "ami-01c08d4de548477df"
  block_device_mappings {

resource "aws_launch_template" "lt_basic" {
  image_id      = "fake_ami"
  instance_type = "t2.medium"
  block_device_mappings {
    device_name = "xvdf"

resource "aws_launch_template" "k3s_server" {
  name_prefix   = "k3s_server_tpl"
  image_id      = var.AMIS[var.AWS_REGION]
  instance_type = "t3.large"
  user_data     = data.template_cloudinit_config.k3s_server.rendered

resource "aws_launch_template" "bastion" {
  name          = "bastion-launch-template"
  image_id      = var.ami-bastion
  instance_type = var.instance_type
Parameters
- arn: optional, computed - string
- default_version: optional, computed - number
- description: optional - string
- disable_api_termination: optional - bool
- ebs_optimized: optional - string
- id: optional, computed - string
- image_id: optional - string
- instance_initiated_shutdown_behavior: optional - string
- instance_type: optional - string
- kernel_id: optional - string
- key_name: optional - string
- latest_version: optional, computed - number
- name: optional, computed - string
- name_prefix: optional - string
- ram_disk_id: optional - string
- security_group_names: optional - set of string
- tags: optional - map from string to string
- update_default_version: optional - bool
- user_data: optional - string
- vpc_security_group_ids: optional - set of string
- block_device_mappings: list block
  - device_name: optional - string
  - no_device: optional - string
  - virtual_name: optional - string
  - ebs: list block
    - delete_on_termination: optional - string
    - encrypted: optional - string
    - iops: optional, computed - number
    - kms_key_id: optional - string
    - snapshot_id: optional - string
    - throughput: optional, computed - number
    - volume_size: optional, computed - number
    - volume_type: optional, computed - string
- capacity_reservation_specification: list block
  - capacity_reservation_preference: optional - string
  - capacity_reservation_target: list block
    - capacity_reservation_id: optional - string
- cpu_options: list block
  - core_count: optional - number
  - threads_per_core: optional - number
- credit_specification: list block
  - cpu_credits: optional - string
- elastic_gpu_specifications: list block
  - type: required - string
- elastic_inference_accelerator: list block
  - type: required - string
- enclave_options: list block
  - enabled: optional - bool
- hibernation_options: list block
  - configured: required - bool
- iam_instance_profile: list block
- instance_market_options: list block
  - market_type: optional - string
  - spot_options: list block
    - block_duration_minutes: optional - number
    - instance_interruption_behavior: optional - string
    - max_price: optional - string
    - spot_instance_type: optional - string
    - valid_until: optional, computed - string
- license_specification: set block
  - license_configuration_arn: required - string
- metadata_options: list block
  - http_endpoint: optional, computed - string
  - http_put_response_hop_limit: optional, computed - number
  - http_tokens: optional, computed - string
- monitoring: list block
  - enabled: optional - bool
- network_interfaces: list block
  - associate_carrier_ip_address: optional - string
  - associate_public_ip_address: optional - string
  - delete_on_termination: optional - string
  - description: optional - string
  - device_index: optional - number
  - ipv4_address_count: optional - number
  - ipv4_addresses: optional - set of string
  - ipv6_address_count: optional - number
  - ipv6_addresses: optional - set of string
  - network_interface_id: optional - string
  - private_ip_address: optional - string
  - security_groups: optional - set of string
  - subnet_id: optional - string
- placement: list block
  - affinity: optional - string
  - availability_zone: optional - string
  - group_name: optional - string
  - host_id: optional - string
  - partition_number: optional - number
  - spread_domain: optional - string
  - tenancy: optional - string
- tag_specifications: list block
  - resource_type: optional - string
  - tags: optional - map from string to string
Explanation in Terraform Registry
Provides an EC2 launch template resource. Can be used to create instances or auto scaling groups.
Tips: Best Practices for the Other AWS Amazon EC2 Resources
In addition to aws_launch_template, AWS Amazon EC2 has other resources that should be configured with security in mind. The following are examples of those resources and the precautions to take.
aws_default_vpc
Ensure you avoid using the default VPC
It is better to define your own VPC and use it.
aws_network_acl_rule
Ensure your network ACL rule blocks unwanted inbound traffic
It is better to block unwanted inbound traffic.
aws_ebs_volume
Ensure you use a customer-managed key for EBS volume encryption
It is better to use a customer-managed key for EBS volume encryption. Customer-managed keys (CMKs) give you more control over the encryption.
aws_instance
Ensure you avoid storing AWS access keys in user data
It is better to avoid storing AWS access keys in user data. `aws_iam_instance_profile` could be used instead.
aws_security_group
Ensure your security group blocks unwanted inbound traffic
It is better to block unwanted inbound traffic.
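The parameter list above (metadata_options, block_device_mappings.ebs, network_interfaces, iam_instance_profile) and the tips just given come together in the following launch template. It is an added example, not one of the GitHub snippets on this page and not taken from any of the repositories the page references. The AMI ID, the subnet and security-group variables, the KMS key and the IAM role and profile names are all assumptions; replace them with your own values.

```hcl
# Added example: a launch template that avoids the weak settings flagged on this
# page (public IP, IMDSv1, unencrypted volumes, access keys in user_data).
# Every name, ID and variable here is an assumption, not a value from the page.

variable "ami_id"                { default = "ami-PLACEHOLDER" } # placeholder, not a real AMI
variable "private_subnet_id"     { type = string }               # private subnet (assumed)
variable "app_security_group_id" { type = string }               # app security group (assumed)

# Customer-managed key for volume encryption (the aws_ebs_volume tip).
resource "aws_kms_key" "ebs" {
  description         = "CMK for launch template volumes"
  enable_key_rotation = true
}

# Instance role and profile: credentials reach the instance through the
# instance profile instead of being pasted into user_data (the aws_instance tip).
resource "aws_iam_role" "instance" {
  name = "example-launch-template-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "ec2.amazonaws.com" }
    }]
  })
}

resource "aws_iam_instance_profile" "instance" {
  name = "example-launch-template-profile"
  role = aws_iam_role.instance.name
}

resource "aws_launch_template" "hardened" {
  name_prefix            = "hardened-"
  image_id               = var.ami_id
  instance_type          = "t3.medium"
  ebs_optimized          = true
  update_default_version = true

  iam_instance_profile {
    arn = aws_iam_instance_profile.instance.arn
  }

  # IMDSv2 only: session tokens are required, and a hop limit of 1 keeps the
  # metadata response from travelling past the instance itself.
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }

  monitoring {
    enabled = true
  }

  # Root volume encrypted with the CMK defined above.
  block_device_mappings {
    device_name = "/dev/xvda"
    ebs {
      volume_size           = 20
      volume_type           = "gp3"
      encrypted             = true
      kms_key_id            = aws_kms_key.ebs.arn
      delete_on_termination = true
    }
  }

  # No public IP (the setting the SonarSource snippet above flags as noncompliant);
  # the instance sits in a private subnet behind an explicit security group.
  network_interfaces {
    associate_public_ip_address = false
    delete_on_termination       = true
    subnet_id                   = var.private_subnet_id
    security_groups             = [var.app_security_group_id]
  }

  # user_data carries only a bootstrap script, never access keys.
  user_data = base64encode(<<-EOT
    #!/bin/bash
    echo "bootstrap complete" >> /var/log/bootstrap.log
  EOT
  )

  tag_specifications {
    resource_type = "instance"
    tags = {
      Name = "hardened-instance"
    }
  }
}
```

Because security_groups is set inside network_interfaces, the top-level vpc_security_group_ids attribute is left unset; the provider rejects a template that sets both. The role above carries no permissions policy, so attach only what the workload needs before launching from this template.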
AWS::EC2::LaunchTemplate (CloudFormation)
The LaunchTemplate in EC2 can be configured in CloudFormation with the resource name AWS::EC2::LaunchTemplate. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
Type: AWS::EC2::LaunchTemplate
Properties:
  LaunchTemplateName: MetadataOptionsNone
  LaunchTemplateData:
    DisableApiTermination: true
    ImageId: ami-04d5cc9b88example

Type: AWS::EC2::LaunchTemplate
Properties:
  LaunchTemplateName: MetadataOptionsNone
  LaunchTemplateData:
    DisableApiTermination: true
    ImageId: ami-04d5cc9b88example

Type: AWS::EC2::LaunchTemplate
Properties:
  LaunchTemplateName: IMDSv1Disabled
  LaunchTemplateData:
    DisableApiTermination: true
    ImageId: ami-04d5cc9b88example

Type: AWS::EC2::LaunchTemplate
Properties:
  LaunchTemplateName: MetadataOptionsNone
  LaunchTemplateData:
    DisableApiTermination: true
    ImageId: ami-04d5cc9b88example

Type: AWS::EC2::LaunchTemplate
Properties:
  LaunchTemplateName: IMDSv1Disabled
  LaunchTemplateData:
    DisableApiTermination: true
    ImageId: ami-04d5cc9b88example

"Type" : "AWS::EC2::LaunchTemplate",
"Properties" : {
  "LaunchTemplateData" : {
    "ImageId" : { "Fn::FindInMap" : [ "AmiMap", "ServerType01", "id" ] },
    "InstanceType" : { "Ref" : "InstanceTypeParam" },
    "KeyName" : { "Fn::FindInMap" : [ "KeyPair", "Key01", "key" ] },

  "Type": "AWS::EC2::LaunchTemplate"
},
"NonCompliantEC2LaunchTemplate1": {
  "Type": "AWS::EC2::LaunchTemplate",
  "Properties": {
    "LaunchTemplateData": {

"Type": "AWS::EC2::LaunchTemplate",
"Properties": {
  "LaunchTemplateData": {
    "ImageId": "ami-04169656fea786776"
  }
}

  "Type": "AWS::EC2::LaunchTemplate"
},
"NonCompliantEC2LaunchTemplate1": {
  "Type": "AWS::EC2::LaunchTemplate",
  "Properties": {
    "LaunchTemplateData": {

"Type": "AWS::EC2::LaunchTemplate",
"Properties": {
  "LaunchTemplateData": {
    "ImageId": "ami-04169656fea786776"
  }
}
Parameters
- LaunchTemplateName: optional - String
- LaunchTemplateData: optional - LaunchTemplateData
- TagSpecifications: optional - List of LaunchTemplateTagSpecification
Explanation in CloudFormation Registry
Specifies a launch template for an Amazon EC2 instance. A launch template contains the parameters to launch an instance. For more information, see Launch an instance from a launch template in the Amazon EC2 User Guide.
Frequently asked questions
What is AWS Amazon EC2 Template?
AWS Amazon EC2 Template is a resource of Amazon EC2 in Amazon Web Services. Its settings can be written in Terraform and CloudFormation.
Where can I find the example code for the AWS Amazon EC2 Template?
For Terraform, the SonarSource/sonar-iac, AlexsLemonade/alsf-scpca and gilyas/infracost source code examples are useful. See the Terraform Example section for further details.
For CloudFormation, the sprathod369/iac-example, melscoop-test/check and melscoop-test/check source code examples are useful. See the CloudFormation Example section for further details.