AWSTemplateFormatVersion: '2010-09-09' Description: This template creates Amazon FSx for NetApp ONTAP file system into private subnets in separate Availability Zones inside a VPC *WARNING** This template creates Amazon resources. You will be billed for the AWS resources used if you create a stack from this template. Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: default: Network configuration Parameters: - Subnet1ID - Subnet2ID - myVpc - FSxONTAPRouteTable - Label: default: Configurations for FSx ONTAP File System Parameters: - FileSystemName - StorageCapacity - ThroughputCapacity - FSxAllowedCIDR - WeeklyMaintenanceTime - FsxAdminPassword - WeeklyMaintenanceTime - Label: default: Storage Virtual Machine configurations Parameters: - RootVolumeSecurityStyle - SvmAdminPassword ParameterLabels: myVpc: default: VPC ID Subnet1ID: default: Private Subent 1 ID Subnet2ID: default: Private Subent 2 ID FSxONTAPRouteTable: default: Route Table for FSxONTAP FileSystemName: default: Name of your File System StorageCapacity: default: Storage size ThroughputCapacity: default: Throughput capacity of Amazon FSx file system FSxAllowedCIDR: default: CIDR range allowed to connect to Amazon FSx file system WeeklyMaintenanceTime: default: Weekly Maintenance Time FsxAdminPassword: default: Admin password for managing FSx file system RootVolumeSecurityStyle: default: The security style of the root volume of the SVM SvmAdminPassword: default: Password for managing SVM in your FSxONTAP File System Parameters: FileSystemName: Description: Specify a name for your file system to make it easier to find and manage. Type: String myVpc: Description: Choose the VPC to which you want to deploy the FSxONTAP cluster Type: AWS::EC2::VPC::Id Subnet1ID: Description: Choose the first Subnet where FSxONTAP file system's network interface will be created Type: AWS::EC2::Subnet::Id Subnet2ID: Description: Choose the standby Subnet where FSxONTAP file system's network interface will be created Type: AWS::EC2::Subnet::Id FSxONTAPRouteTable: Description: Choose your preferred route table for FSxONTAP file system, please key in all the route tables that your compute nodes sit, separated by comma (no space) for multiple entries Type: String StorageCapacity: Default: 1024 Description: Specify the storage capacity of the file system being created, in gibibytes. Minimum 1024 GiB; Maximum 192 TiB. Type: Number FSxAllowedCIDR: #AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ #ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Description: Specify the CIDR block that is allowed access to FSx for Windows File Server. Type: String ThroughputCapacity: Description: Sets the throughput capacity for the file system that you're creating. Valid values are 512, 1024, and 2048 MBps. ConstraintDescription: Valid values are 512, 1024, and 2048 MBps. AllowedValues: [512, 1024, 2048] Type: Number WeeklyMaintenanceTime: Description: Specify the preferred start time to perform weekly maintenance, formatted d:HH:MM in the UTC time zone Default: '7:01:00' Type: String FsxAdminPassword: NoEcho: true Description: Password for this file system's “fsxadmin“ user, which you can use to access the ONTAP CLI or REST API. Type: String MinLength: 5 MaxLength: 40 AllowedPattern: ^[a-zA-Z0-9]*$ RootVolumeSecurityStyle: Description: The security style of the root volume of the SVM. Specify one of the following values, UNIX, NTFS or MIXED. Type: String Default: UNIX AllowedValues: ["UNIX", "NTFS", "MIXED"] SvmAdminPassword: NoEcho: true Description: The password to use when managing the SVM using the NetApp ONTAP CLI or REST API. If you do not specify a password, you can still use the file system's vsadmin user to manage the SVM. Type: String MinLength: 5 MaxLength: 40 AllowedPattern: ^[a-zA-Z0-9]*$ #EndpointIpAddressRange: #Description: Specifies the IP address range in which the endpoints to access your file system will be created. By default, Amazon FSx selects an unused IP address range for you from the 198.19.* range. Resources: # Uncomment the following section if you would like to create a new Route Table for the FSxONTAP file system #FSxONTAPRouteTable: #Type: AWS::EC2::RouteTable #Properties: #VpcId: !Ref myVpc FSxONTAPSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: VpcId: !Ref myVpc GroupDescription: Security Group for FSx for Windows File Storage Access SecurityGroupIngress: - IpProtocol: icmp FromPort: -1 ToPort: -1 CidrIp: !Ref FSxAllowedCIDR - IpProtocol: tcp FromPort: 22 ToPort: 22 CidrIp: !Ref FSxAllowedCIDR - IpProtocol: tcp FromPort: 111 ToPort: 111 CidrIp: !Ref FSxAllowedCIDR - IpProtocol: tcp FromPort: 135 ToPort: 135 CidrIp: !Ref FSxAllowedCIDR - IpProtocol: tcp FromPort: 139 ToPort: 139 CidrIp: !Ref FSxAllowedCIDR - IpProtocol: tcp FromPort: 161 ToPort: 161 CidrIp: !Ref FSxAllowedCIDR - IpProtocol: tcp FromPort: 162 ToPort: 162 CidrIp: !Ref FSxAllowedCIDR - IpProtocol: tcp FromPort: 443 ToPort: 443 CidrIp: !Ref FSxAllowedCIDR - IpProtocol: tcp FromPort: 445 ToPort: 445 CidrIp: !Ref FSxAllowedCIDR - IpProtocol: tcp FromPort: 635 ToPort: 635 CidrIp: !Ref FSxAllowedCIDR - IpProtocol: tcp FromPort: 749 ToPort: 749 CidrIp: !Ref FSxAllowedCIDR - IpProtocol: tcp FromPort: 2049 ToPort: 2049 CidrIp: !Ref FSxAllowedCIDR - IpProtocol: udp FromPort: 3260 ToPort: 3260 CidrIp: !Ref FSxAllowedCIDR - IpProtocol: tcp FromPort: 4045 ToPort: 4045 CidrIp: !Ref FSxAllowedCIDR - IpProtocol: tcp FromPort: 4046 ToPort: 4046 CidrIp: !Ref FSxAllowedCIDR - IpProtocol: tcp FromPort: 11104 ToPort: 11104 CidrIp: !Ref FSxAllowedCIDR - IpProtocol: tcp FromPort: 11105 ToPort: 11105 CidrIp: !Ref FSxAllowedCIDR - IpProtocol: udp FromPort: 111 ToPort: 111 CidrIp: !Ref FSxAllowedCIDR - IpProtocol: udp FromPort: 135 ToPort: 135 CidrIp: !Ref FSxAllowedCIDR - IpProtocol: udp FromPort: 137 ToPort: 137 CidrIp: !Ref FSxAllowedCIDR - IpProtocol: udp FromPort: 139 ToPort: 139 CidrIp: !Ref FSxAllowedCIDR - IpProtocol: udp FromPort: 161 ToPort: 161 CidrIp: !Ref FSxAllowedCIDR - IpProtocol: udp FromPort: 162 ToPort: 162 CidrIp: !Ref FSxAllowedCIDR - IpProtocol: udp FromPort: 635 ToPort: 635 CidrIp: !Ref FSxAllowedCIDR - IpProtocol: udp FromPort: 2049 ToPort: 2049 CidrIp: !Ref FSxAllowedCIDR - IpProtocol: udp FromPort: 4045 ToPort: 4045 CidrIp: !Ref FSxAllowedCIDR - IpProtocol: udp FromPort: 4046 ToPort: 4046 CidrIp: !Ref FSxAllowedCIDR - IpProtocol: udp FromPort: 4049 ToPort: 4049 CidrIp: !Ref FSxAllowedCIDR FSxONTAP: Type: AWS::FSx::FileSystem Properties: FileSystemType: ONTAP StorageCapacity: !Ref StorageCapacity StorageType: SSD SecurityGroupIds: - !GetAtt FSxONTAPSecurityGroup.GroupId SubnetIds: - !Ref Subnet1ID - !Ref Subnet2ID OntapConfiguration: AutomaticBackupRetentionDays: 3 DailyAutomaticBackupStartTime: "01:00" DeploymentType: MULTI_AZ_1 DiskIopsConfiguration: Mode: AUTOMATIC PreferredSubnetId: !Ref Subnet1ID RouteTableIds: !Split #- !GetAtt FSxONTAPRouteTable.RouteTableId - "," - !Ref FSxONTAPRouteTable ThroughputCapacity: !Ref ThroughputCapacity WeeklyMaintenanceStartTime: !Ref WeeklyMaintenanceTime FsxAdminPassword: !Ref FsxAdminPassword Tags: - Key: "Name" Value: "OntapFileSystem_MAZ" SVM1: Type: AWS::FSx::StorageVirtualMachine DependsOn: FSxONTAP Properties: FileSystemId: !Ref FSxONTAP Name: SVM1 RootVolumeSecurityStyle: !Ref RootVolumeSecurityStyle SvmAdminPassword: !Ref SvmAdminPassword ## Secret Manager SMFsxAdminPassword: Type: AWS::SecretsManager::Secret Properties: Description: FsxAdminPassword Name: !Sub "${AWS::StackName}-FsxAdminPassword" SecretString: !Sub '{"username":"fsxadmin","password":${FsxAdminPassword}}' Tags: - Key: "Name" Value: "OntapFileSystem_MAZ" SMSVMAdminPassword: Type: AWS::SecretsManager::Secret Properties: Description: SVMAdminPassword Name: !Sub "${AWS::StackName}-SVMAdminPassword" SecretString: !Sub '{"username":"vsadmin","password": ${SvmAdminPassword}}' Tags: - Key: "Name" Value: "OntapFileSystem_MAZ" ## Create IAM Role and Policy to be able to retrieve Secrets Manager SecretsManagerIAMPolicy: Type: AWS::IAM::ManagedPolicy Properties: ManagedPolicyName: 'TridentIAMPolicy' PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - 'secretsmanager:GetSecretValue' - 'secretsmanager:DescribeSecret' Resource: - !Ref SMFsxAdminPassword - !Ref SMSVMAdminPassword Outputs: FSxFileSystemID: Description: File System ID for FSx for NetAPP ONTAP Value: !Ref FSxONTAP SMFSxSecretManager: Description: Secret Manager ARN for FSx for NetAPP ONTAP Value: !Ref SMFsxAdminPassword SMSVMSecretManager: Description: Secret Manager ARN for FSx for NetAPP ONTAP Storage Virtual Machine (SVM) Value: !Ref SMSVMAdminPassword SecretsManagerIAMPolicyARN: Description: Trident IAM Policy ARN for Trident Backend Configuration IAM Role for Service Account Value: !Ref SecretsManagerIAMPolicy