Cloud Creation CloudFormation Template
This post-onboarding CloudFormation template (CFT) creates subsequent clouds in your project and sets up PrivateLink during the process. The template below is annotated to explain what each section does and why the permissions are required.
caution
This CFT is only a sample and cannot be copied and run as-is: the `${...}` values are placeholders. When adding a new cloud to your organization, use the CFT provided in the console.
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Dremio Post Signup Cloud",
"Metadata": {
# Console presentation only: groups the two parameters under one heading and gives them display labels.
# Nothing here affects what the stack creates.
"AWS::CloudFormation::Interface": {
"ParameterGroups": [
{
"Label": {
"default": "Dremio Configuration"
},
"Parameters": [
"DremioEC2VPC",
"DremioEC2Subnets"
]
}
],
"ParameterLabels": {
"DremioEC2VPC": {
"default": "VPC"
},
"DremioEC2Subnets": {
"default": "Subnets"
}
}
}
},
"Parameters": {
# The only user-supplied inputs. Both are typed AWS parameters, so the console validates that the
# ids exist; the SubnetsInVPC rule below additionally checks that the subnets belong to the chosen VPC.
"DremioEC2VPC": {
"Type": "AWS::EC2::VPC::Id",
"Description": "(Required) Select the EC2 VPC to run Dremio."
},
"DremioEC2Subnets": {
"Type": "List<AWS::EC2::Subnet::Id>",
"Description": "(Required) Select the EC2 subnets to run Dremio. This should be one or more subnet ids from the selected VPC."
}
},
"Mappings": {
# Per-region lookup used by both custom resources (the SNS topic acting as ServiceToken) and by the
# VPC endpoint (the PrivateLink service name). The ${...!''} values are template placeholders, presumably
# filled in when the console generates the CFT. A stack launched in a region that is not listed here fails
# at creation, because Fn::FindInMap has no entry to resolve.
# NOTE(review): us-west-2 uses ${snsArn!''} while every other region uses a region-suffixed placeholder
# (e.g. ${snsArn_us_west_1!''}) - confirm this is intentional rather than a copy/paste slip.
"RegionMap": {
"us-east-1": {
"SNS": "${snsArn_us_east_1!''}",
"VPCEndpointServiceName": "${plServiceName_us_east_1!''}"
},
"us-east-2": {
"SNS": "${snsArn_us_east_2!''}",
"VPCEndpointServiceName": "${plServiceName_us_east_2!''}"
},
"us-west-1": {
"SNS": "${snsArn_us_west_1!''}",
"VPCEndpointServiceName": "${plServiceName_us_west_1!''}"
},
"us-west-2": {
"SNS": "${snsArn!''}",
"VPCEndpointServiceName": "${plServiceName_us_west_2!''}"
},
"eu-central-1": {
"SNS": "${snsArn_eu_central_1!''}",
"VPCEndpointServiceName": "${plServiceName_eu_central_1!''}"
},
"eu-west-1": {
"SNS": "${snsArn_eu_west_1!''}",
"VPCEndpointServiceName": "${plServiceName_eu_west_1!''}"
},
"eu-west-2": {
"SNS": "${snsArn_eu_west_2!''}",
"VPCEndpointServiceName": "${plServiceName_eu_west_2!''}"
},
"eu-west-3": {
"SNS": "${snsArn_eu_west_3!''}",
"VPCEndpointServiceName": "${plServiceName_eu_west_3!''}"
},
"ca-central-1": {
"SNS": "${snsArn_ca_central_1!''}",
"VPCEndpointServiceName": "${plServiceName_ca_central_1!''}"
}
}
},
"Rules": {
# Stack-creation guardrail: every selected subnet must belong to the selected VPC. The assertion is
# evaluated before any resource is created, so a mismatch fails fast instead of producing a half-built stack.
"SubnetsInVPC": {
"Assertions": [
{
"Assert": {
"Fn::EachMemberIn": [
{
"Fn::ValueOfAll": [
"AWS::EC2::Subnet::Id",
"VpcId"
]
},
{
"Fn::RefAll": "AWS::EC2::VPC::Id"
}
]
},
"AssertDescription": "The selected subnets must be in the VPC."
}
]
}
},
"Resources": {
"DremioCloudCFTBegin": {
# Custom resource whose ServiceToken is the Dremio-owned SNS topic for this region (from RegionMap).
# It sends the region, VPC id, subnet ids and SignupData to Dremio before anything else is created:
# the IAM role and both security groups declare DependsOn on this resource. The resource itself creates
# nothing in the account; as with any custom resource, the stack proceeds only once the handler responds.
"Type": "Custom::DremioCloudCFTBegin",
"Properties": {
"ServiceToken": {
"Fn::FindInMap": [
"RegionMap",
{
"Ref": "AWS::Region"
},
"SNS"
]
},
"Version": "1.0.0",
"Region": {
"Ref": "AWS::Region"
},
"VPC": {
"Ref": "DremioEC2VPC"
},
"Subnets": {
"Ref": "DremioEC2Subnets"
},
# Placeholder filled in by the console; ties this stack to the signing-up organization.
"SignupData": "${signupData}"
}
},
"DremioIAMCloudComputePolicyCreate": {
# Create-side permissions for the cross-account compute role. The pattern is: the resources Dremio
# owns (instances, volumes, fleets) must be tagged dremio_managed=true in the request, while the
# resources it only references while launching (subnets, security groups, images, ...) are unconditioned.
"Type": "AWS::IAM::Policy",
"DependsOn": [
"DremioIAMCloudComputeRole"
],
"Properties": {
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
# Require the "dremio_managed" tag for instances/volumes when creating instances
{
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:instance/*"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/dremio_managed": "true"
}
}
},
# Allow creating instances without the "dremio_managed" tag on resources other than instances/volumes.
{
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:*:*:launch-template/*",
"arn:aws:ec2:*:*:fleet/*",
"arn:aws:ec2:*::image/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:subnet/*",
"arn:aws:ec2:*:*:placement-group/*"
]
},
# Allow creating EC2 Fleets only when the fleet itself is tagged dremio_managed=true.
{
"Effect": "Allow",
"Action": "ec2:CreateFleet",
"Resource": "arn:aws:ec2:*:*:fleet/*",
"Condition": {
"StringEquals": {
"aws:RequestTag/dremio_managed": "true"
}
}
},
# Resources a fleet touches while launching.
# NOTE(review): unlike RunInstances above, instance/* here carries no aws:RequestTag condition, so
# instances launched through a fleet are not forced to carry dremio_managed at launch (and volume/*
# is absent) - confirm this is intended, since TerminateInstances in the delete policy is gated on that tag.
# NOTE(review): "arn:aws:ec2:*:*:image/*" here vs "arn:aws:ec2:*::image/*" above - AMI ARNs carry no
# account id, so the form above is the canonical one; the two statements should agree.
{
"Effect": "Allow",
"Action": "ec2:CreateFleet",
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:image/*",
"arn:aws:ec2:*:*:launch-template/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:placement-group/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:subnet/*"
]
},
# Launch template creation is not tag-conditioned; tag-on-create is allowed by the tagging policy and
# deletion is tag-gated by the delete policy.
{
"Effect": "Allow",
"Action": "ec2:CreateLaunchTemplate",
"Resource": "arn:aws:ec2:*:*:launch-template/*"
},
# Allow Dremio to create a placement group
{
"Effect": "Allow",
"Action": "ec2:CreatePlacementGroup",
"Resource": "arn:aws:ec2:*:*:placement-group/*"
}
]
},
"PolicyName": "dremio-cloud-compute-policy-create",
"Roles": [
{
"Ref": "DremioIAMCloudComputeRole"
}
]
}
},
"DremioIAMCloudComputePolicyTagging": {
# Every CreateTags grant below is conditioned on ec2:CreateAction, i.e. tags may only be applied as part
# of the creating call. The role cannot retag resources that already exist, which prevents pulling
# arbitrary pre-existing resources under the dremio_managed scope that the delete and describe policies key on.
"Type": "AWS::IAM::Policy",
"DependsOn": [
"DremioIAMCloudComputeRole"
],
"Properties": {
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
# Allow Dremio to create tags on instances/volumes only upon the initial creation of an instance
{
"Effect": "Allow",
"Action": "ec2:CreateTags",
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:volume/*"
],
"Condition": {
"StringEquals": {
"ec2:CreateAction": "RunInstances"
}
}
},
# Tags on launch templates only at CreateLaunchTemplate time.
{
"Effect": "Allow",
"Action": "ec2:CreateTags",
"Resource": "arn:aws:ec2:*:*:launch-template/*",
"Condition": {
"StringEquals": {
"ec2:CreateAction": "CreateLaunchTemplate"
}
}
},
# Tags on fleets only at CreateFleet time (the create policy requires dremio_managed=true on the fleet).
{
"Effect": "Allow",
"Action": "ec2:CreateTags",
"Resource": "arn:aws:ec2:*:*:fleet/*",
"Condition": {
"StringEquals": {
"ec2:CreateAction": "CreateFleet"
}
}
},
# Allow Dremio to create tags on placement groups (PG) upon the initial creation of a PG
{
"Effect": "Allow",
"Action": "ec2:CreateTags",
"Resource": "arn:aws:ec2:*:*:placement-group/*",
"Condition": {
"StringEquals": {
"ec2:CreateAction": "CreatePlacementGroup"
}
}
}
]
},
"PolicyName": "dremio-cloud-compute-policy-tagging",
"Roles": [
{
"Ref": "DremioIAMCloudComputeRole"
}
]
}
},
"DremioIAMCloudComputePolicyDelete": {
# Destructive actions are all gated on ec2:ResourceTag/dremio_managed=true, so within this template the
# role can only remove what was tagged at creation (see the tagging policy). No ec2:DeleteTags or
# volume-deletion permission is granted in this template.
"Type": "AWS::IAM::Policy",
"DependsOn": [
"DremioIAMCloudComputeRole"
],
"Properties": {
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
# Allow Dremio to terminate instances with the "dremio_managed" tag
{
"Effect": "Allow",
"Action": "ec2:TerminateInstances",
"Resource": "arn:aws:ec2:*:*:instance/*",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/dremio_managed": "true"
}
}
},
# Only allow Dremio to delete fleets with the "dremio_managed" tag
{
"Effect": "Allow",
"Action": "ec2:DeleteFleets",
"Resource": "arn:aws:ec2:*:*:fleet/*",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/dremio_managed": "true"
}
}
},
# Only allow Dremio to delete launch templates with the "dremio_managed" tag
{
"Effect": "Allow",
"Action": "ec2:DeleteLaunchTemplate",
"Resource": "arn:aws:ec2:*:*:launch-template/*",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/dremio_managed": "true"
}
}
},
# Only allow Dremio to delete placement groups with the "dremio_managed" tag
{
"Effect": "Allow",
"Action": "ec2:DeletePlacementGroup",
"Resource": "arn:aws:ec2:*:*:placement-group/*",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/dremio_managed": "true"
}
}
}
]
},
"PolicyName": "dremio-cloud-compute-policy-delete",
"Roles": [
{
"Ref": "DremioIAMCloudComputeRole"
}
]
}
},
"DremioIAMCloudComputePolicyDescribe": {
# Read-only enumeration permissions for the compute role.
"Type": "AWS::IAM::Policy",
"Metadata": {
"Comment": "Dremio enumerates resources related to the operation of Dremio Cloud."
},
"DependsOn": [
"DremioIAMCloudComputeRole"
],
"Properties": {
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
# DescribeFleets supports resource-level permissions, so it is narrowed to dremio_managed fleets.
{
"Effect": "Allow",
"Action": "ec2:DescribeFleets",
"Resource": "arn:aws:ec2:*:*:fleet/*",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/dremio_managed": "true"
}
}
},
# Allow Dremio to enumerate resources in the account
# "Resource": "*" is required here because most ec2:Describe* actions do not support resource-level
# restriction. This is read-only, but it exposes metadata for every instance, VPC, subnet, security
# group, network interface and volume in the account, not only dremio_managed ones.
{
"Effect": "Allow",
"Action": [
"ec2:DescribeImages",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeNetworkInterfaceAttribute",
"ec2:DescribePlacementGroups",
"ec2:DescribeSecurityGroups",
"ec2:DescribeVpcEndpoints",
"ec2:DescribeVolumes"
],
"Resource": "*"
}
]
},
"PolicyName": "dremio-cloud-compute-policy-describe",
"Roles": [
{
"Ref": "DremioIAMCloudComputeRole"
}
]
}
},
"DremioIAMCloudComputeRole": {
# The cross-account role Dremio assumes to manage compute in this account. Its permissions come from
# the four AWS::IAM::Policy resources above ("Policies" is deliberately empty); its ARN is handed to
# Dremio by DremioCloudCFTCompletion.
"Type": "AWS::IAM::Role",
"DependsOn": [
"DremioCloudCFTBegin"
],
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
# Trust policy: any principal in the Dremio account (":root") that Dremio's own IAM allows may
# assume this role, but only when it presents the sts:ExternalId below. The ExternalId is the standard
# confused-deputy mitigation for third-party cross-account access; it is an identifier, not a secret.
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::${crossRoleTrustAccountId}:root"
},
"Condition": {
"StringEquals": {
"sts:ExternalId": "${stsExternalId}"
}
},
"Action": [
"sts:AssumeRole"
]
}
]
},
# No PermissionsBoundary or MaxSessionDuration is set, so the role keeps the AWS defaults.
"Path": "/",
"Policies": []
}
},
"DremioEC2VPCEndpointSecurityGroup": {
# Security group attached to the PrivateLink interface endpoint. Its only ingress rule
# (DremioEC2VPCEndpointIngress) admits TCP 443 from the Dremio compute security group.
"Type": "AWS::EC2::SecurityGroup",
"DependsOn": [
"DremioCloudCFTBegin"
],
"Properties": {
"VpcId": {
"Ref": "DremioEC2VPC"
},
"GroupDescription": "Security group for Dremio VPC endpoint"
}
},
"DremioEC2VPCEndpointIngress": {
# Only members of DremioEC2SecurityGroup may reach the endpoint, and only on TCP 443; there is no
# CIDR-based ingress, so nothing else in the VPC can talk to the endpoint through this group.
"Type": "AWS::EC2::SecurityGroupIngress",
"DependsOn": [
"DremioEC2VPCEndpointSecurityGroup",
"DremioEC2SecurityGroup"
],
"Properties": {
"Description": "Security group ingress for Dremio VPC endpoint",
"GroupId": {
"Ref": "DremioEC2VPCEndpointSecurityGroup"
},
"IpProtocol": "tcp",
"FromPort": "443",
"ToPort": "443",
"SourceSecurityGroupId": {
"Ref": "DremioEC2SecurityGroup"
}
}
},
"DremioEC2SecurityGroupEgressVPCEndpoint": {
# Egress rule on the endpoint security group that permits traffic only to loopback - effectively
# "no outbound", which is all an interface endpoint needs since security groups are stateful.
# NOTE(review): a standalone AWS::EC2::SecurityGroupEgress resource does not remove the default
# allow-all egress rule CloudFormation adds when a group omits the SecurityGroupEgress property;
# verify the endpoint group's effective egress rules after deployment if that matters to your environment.
"Type": "AWS::EC2::SecurityGroupEgress",
"DependsOn": [
"DremioEC2SecurityGroup",
"DremioEC2VPCEndpointSecurityGroup"
],
"Properties": {
"Description": "Security group egress for Dremio VPC endpoint",
"GroupId": {
"Ref": "DremioEC2VPCEndpointSecurityGroup"
},
"IpProtocol": "-1",
"CidrIp": "127.0.0.1/32"
}
},
"DremioEC2VPCEndpoint": {
# Interface (PrivateLink) endpoint to Dremio's regional endpoint service, placed in the selected subnets.
# It is guarded by DremioEC2VPCEndpointSecurityGroup, so only the Dremio compute group reaches it on 443.
# Its id is reported to Dremio by DremioCloudCFTCompletion. PrivateDnsEnabled is not set, so the default applies.
"Type": "AWS::EC2::VPCEndpoint",
"DependsOn": [
"DremioEC2VPCEndpointSecurityGroup"
],
"Properties": {
"SecurityGroupIds": [
{
"Ref": "DremioEC2VPCEndpointSecurityGroup"
}
],
"ServiceName": {
"Fn::FindInMap": [
"RegionMap",
{
"Ref": "AWS::Region"
},
"VPCEndpointServiceName"
]
},
"SubnetIds": {
"Ref": "DremioEC2Subnets"
},
"VpcId": {
"Ref": "DremioEC2VPC"
},
"VpcEndpointType": "Interface"
}
},
"DremioEC2SecurityGroup": {
# Security group for the Dremio compute instances. Within this template its only ingress is the
# self-referencing TCP 45678 rule below; inbound from outside the group is not opened here.
"Type": "AWS::EC2::SecurityGroup",
"DependsOn": [
"DremioCloudCFTBegin"
],
"Metadata": {
"Comment": "Dremio utilizes this security group to connect to supported sources which vary in IP and port range."
},
"Properties": {
"VpcId": {
"Ref": "DremioEC2VPC"
},
"GroupDescription": "Security group for Dremio."
}
},
"DremioEC2SecurityGroupIngressSelf": {
# Intra-cluster traffic: members of the Dremio compute group may reach each other on TCP 45678 only.
"Type": "AWS::EC2::SecurityGroupIngress",
"DependsOn": [
"DremioEC2SecurityGroup"
],
"Properties": {
"Description": "Self ingress endpoint for Dremio EC2 Security Group",
"GroupId": {
"Ref": "DremioEC2SecurityGroup"
},
"IpProtocol": "tcp",
"FromPort": "45678",
"ToPort": "45678",
"SourceSecurityGroupId": {
"Ref": "DremioEC2SecurityGroup"
}
}
},
"DremioEC2SecurityGroupEgressAll": {
# Broadest rule in the template: every TCP port to any IPv4 destination, justified by the Metadata
# comment on DremioEC2SecurityGroup (data sources vary in IP and port). UDP and ICMP are not covered.
# If your environment requires restricted egress this is the rule to review, but any tightening must
# still allow TCP 443 toward the PrivateLink endpoint, which is reached from this group.
"Type": "AWS::EC2::SecurityGroupEgress",
"DependsOn": [
"DremioEC2SecurityGroup"
],
"Properties": {
"Description": "Egress endpoint for Dremio EC2 Security Group",
"GroupId": {
"Ref": "DremioEC2SecurityGroup"
},
"IpProtocol": "tcp",
"FromPort": "0",
"ToPort": "65535",
"CidrIp": "0.0.0.0/0"
}
},
"DremioCloudCFTCompletion": {
# Final custom resource (same Dremio SNS topic as DremioCloudCFTBegin). It hands Dremio the identifiers
# it needs to operate the cloud - the compute security group id, the cross-account role ARN and the VPC
# endpoint id - together with the same SignupData. The Ref/GetAtt references make it run after everything above.
"Type": "Custom::DremioCloudCFTCompletion",
"Properties": {
"ServiceToken": {
"Fn::FindInMap": [
"RegionMap",
{
"Ref": "AWS::Region"
},
"SNS"
]
},
"Version": "1.0.0",
"Region": {
"Ref": "AWS::Region"
},
"VPC": {
"Ref": "DremioEC2VPC"
},
"Subnets": {
"Ref": "DremioEC2Subnets"
},
"SecurityGroup": {
"Fn::GetAtt": [
"DremioEC2SecurityGroup",
"GroupId"
]
},
"SignupData": "${signupData}",
# The role ARN leaves the account here; this is expected, since Dremio must know which role to assume.
"CloudComputeRoleARN": {
"Fn::GetAtt": [
"DremioIAMCloudComputeRole",
"Arn"
]
},
"VpcEndpointId": {
"Ref": "DremioEC2VPCEndpoint"
}
}
}
}
}