Description: Create a variable number of EC2 instance resources. Parameters: CustomIdentifier: Type: String FortiWebInstanceImage: Type: String FortiWebInstanceType: Type: String FortiWebInstancesCount: Type: Number FortiWebHAGroupName: Type: String FortiWebHAGroupID: Type: Number FortiWebHAOverride: Type: String FortiWebHAMode: Type: String FortiWebAdminPassword: Type: String NoEcho: true HAS3BucketName: Type: String HAS3KeyPrefix: Type: String FortiWebHACfName: Type: String FwbHASecurityGroup: Type: 'AWS::EC2::SecurityGroup::Id' PublicSubnet1: Type: 'AWS::EC2::Subnet::Id' PublicSubnet2: Type: 'AWS::EC2::Subnet::Id' PrivateSubnet1: Type: 'AWS::EC2::Subnet::Id' PrivateSubnet2: Type: 'AWS::EC2::Subnet::Id' # PrivateSubnet3: # Type: 'AWS::EC2::Subnet::Id' # PrivateSubnet4: # Type: 'AWS::EC2::Subnet::Id' KeyPairName: Type: 'AWS::EC2::KeyPair::KeyName' FwbEIPIP: Type: String FwbEIPId: Type: String ELBHTTPTargetGroup: Type: String Mappings: SourceCode: General: S3Bucket: "%%BUCKET_NAME%%" KeyPrefix: "%%SOLUTION_NAME%%/%%VERSION%%" App: ShortName: "FortiWebHAWAF" FullName: "FortiWeb HA WAF Solution" AWSAMIRegionMap: AMI: FWBPAYG611: FortiWeb-AWS-6.1.1_OnDemand_Release cn-north-1: FWBBYOL634: ami-0018086f102a145a9 cn-northwest-1: FWBBYOL634: ami-007a8377ccfed6e36 Resources: EC2Instances: Type: 'Custom::EC2Instances' Properties: ServiceToken: !GetAtt - EC2InstancesFunction - Arn ImageId: !FindInMap - AWSAMIRegionMap - !Ref 'AWS::Region' - !Ref FortiWebInstanceImage FortiWebInstanceImage: !Ref FortiWebInstanceImage InstanceType: !Ref FortiWebInstanceType FortiWebInstancesCount: !Ref FortiWebInstancesCount FortiWebHAMode: !Ref FortiWebHAMode FortiWebHAGroupName: !Ref FortiWebHAGroupName FortiWebHAGroupID: !Ref FortiWebHAGroupID FortiWebHAOverride: !Ref FortiWebHAOverride FortiWebHACfName: !Ref FortiWebHACfName KeyName: !Ref KeyPairName FwbHASecurityGroup: !Ref FwbHASecurityGroup FortiWebAdminPassword: !Base64 Ref: FortiWebAdminPassword HAS3BucketName: !Ref HAS3BucketName HAS3KeyPrefix: !Ref HAS3KeyPrefix CustomIdentifier: !Ref CustomIdentifier PublicSubnet: - !Ref PublicSubnet1 - !Ref PublicSubnet2 IamFwbInstanceRoleArn: !GetAtt - IamInstanceProfileFwb - Arn IamInstanceProfileFwb: !Ref IamInstanceProfileFwb FwbEIPIP: !Ref FwbEIPIP FwbEIPId: !Ref FwbEIPId TargetGroupsHttp: !Ref ELBHTTPTargetGroup EC2InstancesFunction: Type: 'AWS::Lambda::Function' Metadata: cfn_nag: rules_to_suppress: - id: W58 reason: "Need not require permission to write CloudWatch Logs" Properties: Handler: index.handler Role: !GetAtt - IamInstanceRoleFwb - Arn Code: S3Bucket: !Join [ "-", [ !FindInMap ["SourceCode", "General", "S3Bucket"], Ref: "AWS::Region", ], ] S3Key: !Join [ "/", [ !FindInMap ["SourceCode", "General", "KeyPrefix"], "lambda/lambda-alb.zip", ], ] Runtime: python2.7 Timeout: 300 IamInstanceRoleFwb: Type: 'AWS::IAM::Role' Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - lambda.amazonaws.com - ec2.amazonaws.com.cn Action: - 'sts:AssumeRole' Path: / ManagedPolicyArns: - 'arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole' - 'arn:aws-cn:iam::aws:policy/AmazonEC2FullAccess' - 'arn:aws-cn:iam::aws:policy/AmazonS3ReadOnlyAccess' Policies: - PolicyName: EC2Policy PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - 'iam:PassRole' - 'iam:GetRole' Resource: !Sub 'arn:aws-cn:iam::${AWS::AccountId}:role/*' # - Effect: Allow # Action: # - 'logs:CreateLogGroup' # - 'logs.CreateLog' # Resource: 'arn:aws-cn:logs:*' - Effect: Allow Action: - 's3:GetObject' Resource: !Sub - 'arn:aws-cn:s3:::${HAS3BucketName}/${HAS3KeyPrefix}*' - HAS3BucketName: !Ref HAS3BucketName HAS3KeyPrefix: !Ref HAS3KeyPrefix IamInstanceProfileFwb: Type: 'AWS::IAM::InstanceProfile' Properties: Roles: - !Ref IamInstanceRoleFwb Outputs: InstancesId: Description: Instances list Value: !Join - ',' - !GetAtt - EC2Instances - InstancesId