[...]
Resources:
  FortiVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock:
        Ref: VPCNet
      Tags:
        - Key: Name
          Value:
            Ref: VPCName

  FortiVPCFrontNet:
    Type: AWS::EC2::Subnet
    Properties:
      CidrBlock:
        Ref: VPCSubnetFront
      MapPublicIpOnLaunch: true
      VpcId:
        Ref: FortiVPC

  FortiVPCBackNet:
    Type: AWS::EC2::Subnet
    Properties:
      CidrBlock:
        Ref: VPCSubnetBack
      MapPublicIpOnLaunch: false
      AvailabilityZone: !GetAtt FortiVPCFrontNet.AvailabilityZone
      VpcId:
        Ref: FortiVPC

  FortiSecGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Group for FG
      GroupName: fg
      SecurityGroupEgress:
        - IpProtocol: -1
          CidrIp: 0.0.0.0/0
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 0
          ToPort: 65535
          CidrIp: 0.0.0.0/0
        - IpProtocol: udp
          FromPort: 0
          ToPort: 65535
          CidrIp: 0.0.0.0/0
      VpcId:
        Ref: FortiVPC

  InstanceProfile:
    Properties:
      Path: /
      Roles:
        - Ref: InstanceRole
    Type: AWS::IAM::InstanceProfile
  InstanceRole:
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action:
              - sts:AssumeRole
            Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
        Version: 2012-10-17
      Path: /
      Policies:
        - PolicyDocument:
            Statement:
              - Action:
                  - ec2:Describe*
                  - ec2:AssociateAddress
                  - ec2:AssignPrivateIpAddresses
                  - ec2:UnassignPrivateIpAddresses
                  - ec2:ReplaceRoute
                  - s3:GetObject
                Effect: Allow
                Resource: '*'
            Version: 2012-10-17
          PolicyName: ApplicationPolicy
    Type: AWS::IAM::Role