Launch EC2 instance with CloudFormation

[khashf]

AWS CloudFormation to create an ec2 instance that has read permission to the existing s3 instance(s)

Small notes:
I accidentally branched out from a non-master branch and so pushed 2 unrelated files. The 2nd commit of this branch/PR fixes this issue. (Sorry Mike)

Upon:
Suggested by @DingoEatingFuzz in a discussion on PR #48
Requested by @MikeTheCanuck at assignment #61

[DingoEatingFuzz]

The existing policy is slightly different and limited to only one bucket:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::hacko-data-archive/*"
            ]
        }
    ]
}

[khashf]

Thanks, @DingoEatingFuzz . Yes, I was aware of this. I wasn't sure which bucket to select so I left it a wildcard for easier testing. Patches incoming in a few mins

[khashf]

@DingoEatingFuzz : Updated.
Is it ok if I limit the allowed actions to the 2 following ones?

Action: 
   - "s3:GetObject"
   - "s3:ListBucket"

[DingoEatingFuzz]

Potentially. Depends on whether or not the box will also be writing back to the bucket. I defer to @MikeTheCanuck

[MikeTheCanuck]

For now let's just leave it as read-only, but be prepared to generate a similar policy for whatever strategy we happen to use for backups. I'm conflicted on whether backups would be appropriate to write to the hacko-data-archive bucket, otherwise no reason I can think of to open it for writes.

[MikeTheCanuck]

On Thursday I believe we discussed moving this template (and any others like it) under a parent folder called cloudformation. Otherwise I'm assuming this will work, though we don't have a decent place to test these things.

Next question is, how much of create-ec2-machine-database.sh does this replace? It appears to me that if we were to use this template on a completely new VPC, and then run create-ec2-machine-database.sh in that VPC, we'd end up with two machines.

Is it possible, or even practical, to have this template run first, then run a modified/reduced version of the script, to get the same result as we get with the script today?

[khashf]

@MikeTheCanuck These CloudFormation templates can replace create-ec2-machine-database.sh completely. Thus, there is no need to modify the sh version script to get the same result - it's already the same. Further, anything the create-ec2-machine-database.sh or related scripts can accomplish, these CloudFormation templates can also accomplish the same (and in an even more concise and maintainable way)

[MikeTheCanuck]

1. There's a lot of hard-coded parameters in here that could well inherit from what we have defined in hackoregon-aws-infrastructure, including

• AvailabilityZone
• SubnetId
• SecurityGroupId
• DBInstance > ImageId
• DBInstance > AvailabilityZone
• DBInstance > SubnetId

2. the InstanceType is now out of date - that's now a t2.large

3. I'm pretty sure we don't want to use create-stack to instantiate this as part of the larger ECS infrastructure - I imagine there's some kind of update-stack that would work better for us.

4. I am about 70% sure that many of the hard-coded values buried in the Resources > DBInstance section would be better off as items in the Parameters section, that are then just pulled in by !Ref in the Resources > DBInstance section.