--- AWSTemplateFormatVersion: '2010-09-09' Description: 'CAT Baseline Layer7 HTTPS Load Balancer' Parameters: Name: Type: String Default: 'Baseline' Subnets: Type: List Default: 'subnet-bb2dbaf0,subnet-5a579807' Vpc: Type: AWS::EC2::VPC::Id Default: vpc-16cd5b6e Scheme: Type: String Default: internal AllowedValues: - internal - internet-facing TestParam: Type: String Default: TCP Type: Type: String AllowedValues: ['application', 'network'] Default: application Description: ALB type SecurityGroups: Type: CommaDelimitedList Description: Security group(s) for ALB Default: '' Conditions: TestCond: !Equals ['a', 'a'] IsTypeNetwork: !Equals [!Ref Type, 'network'] Resources: LoadBalancer: Type: "AWS::ElasticLoadBalancingV2::LoadBalancer" Properties: # access_logs.s3.enabled - [Application Load Balancers] Indicates whether access logs stored in Amazon S3 are enabled. The value is true or false. # access_logs.s3.bucket - [Application Load Balancers] The name of the S3 bucket for the access logs. This attribute is required if access logs in Amazon S3 are enabled. The bucket must exist in the same region as the load balancer and have a bucket policy that grants Elastic Load Balancing permission to write to the bucket. # access_logs.s3.prefix - [Application Load Balancers] The prefix for the location in the S3 bucket. If you don't specify a prefix, the access logs are stored in the root of the bucket. # deletion_protection.enabled - Indicates whether deletion protection is enabled. The value is true or false. # idle_timeout.timeout_seconds - [Application Load Balancers] The idle timeout value, in seconds. The valid range is 1-4000. The default is 60 seconds. LoadBalancerAttributes: - Key: access_logs.s3.enabled Value: false # - Key: access_logs.s3.bucket # Value: # - Key: access_logs.s3.prefix # Value: - Key: deletion_protection.enabled Value: false - Key: idle_timeout.timeout_seconds Value: 60 Name: !Ref Name # application, network Type: network # internet-facing, internal Scheme: !Ref Scheme Subnets: !Ref Subnets SecurityGroups: - !Ref AlbSecurityGroup Tags: - Key: Name Value: !Ref Name AlbSecurityGroup: Type: "AWS::EC2::SecurityGroup" Properties: GroupDescription: !Sub "Frontend SG for ${Name}" SecurityGroupIngress: - Description: Default Allow rule for Public ALB CidrIp: 0.0.0.0/0 IpProtocol: tcp FromPort: 443 ToPort: 443 VpcId: !Ref Vpc BackendSecurityGroup: Type: "AWS::EC2::SecurityGroup" Properties: # GroupName: String GroupDescription: !Sub "Backend SG for ${Name}" SecurityGroupIngress: - Description: Default HTTP allow rule from LoadBalancer SourceSecurityGroupId: !Ref AlbSecurityGroup IpProtocol: tcp FromPort: 80 ToPort: 80 - Description: Default HTTPS allow rule from LoadBalancer SourceSecurityGroupId: !Ref AlbSecurityGroup IpProtocol: tcp FromPort: 443 ToPort: 443 VpcId: !Ref Vpc Listener: Type: AWS::ElasticLoadBalancingV2::Listener Properties: DefaultActions: - TargetGroupArn: !Ref HttpTargetGroup Type: forward LoadBalancerArn: !Ref LoadBalancer Port: 443 Protocol: HTTPS Listener1: Type: AWS::ElasticLoadBalancingV2::Listener Properties: DefaultActions: - TargetGroupArn: !Ref HttpTargetGroup Type: forward LoadBalancerArn: !Ref LoadBalancer Port: 443 Protocol: BadProtocol HttpTargetGroup: Type: AWS::ElasticLoadBalancingV2::TargetGroup Properties: HealthCheckTimeoutSeconds: 1 Port: 80 Protocol: HTTP VpcId: !Ref Vpc WafAclAssociation: Type: "AWS::WAFRegional::WebACLAssociation" Properties: ResourceArn: !Ref LoadBalancer # Default WebAcl Created with OWASP Quick Start WebACLId: 45704a84-b53c-44d9-ad50-56cc79e8ea37 ElasticLoadBalancer: Type: AWS::ElasticLoadBalancing::LoadBalancer Properties: SecurityGroups: Ref: SecurityGroups Scheme: internet-facing AvailabilityZones: Fn::GetAZs: '' Listeners: - InstancePort: '4' InstanceProtocol: !If [TestCond, TCP, SSL] LoadBalancerPort: '4' Protocol: [test] - InstancePort: '5' InstanceProtocol: !If [TestCond, TCP, SSL] LoadBalancerPort: '5' Protocol: ererere - InstancePort: '4' InstanceProtocol: !If [TestCond, TCP, SSL] LoadBalancerPort: '4' Protocol: {"arbKey": ""} - InstancePort: '4' InstanceProtocol: !If [TestCond, TCP, SSL] LoadBalancerPort: '4' Protocol: {"arbKey": "", "moreArb": ""} - LoadBalancerPort: '80' InstancePort: '80' Protocol: TCP InstanceProtocol: TCP - LoadBalancerPort: '443' InstancePort: '443' Protocol: HTTPS PolicyNames: - MySSLNegotiationPolicy - MyAppCookieStickinessPolicy Policies: - PolicyName: MySSLNegotiationPolicy PolicyType: SSLNegotiationPolicyType Attributes: - Name: Protocol-TLSv1 Value: 'true' - Name: Protocol-SSLv2 Value: 'true' - Name: Protocol-SSLv3 Value: 'false' - Name: DHE-RSA-AES256-SHA Value: 'true' - PolicyName: MyAppCookieStickinessPolicy PolicyType: AppCookieStickinessPolicyType Attributes: - Name: CookieName Value: MyCookie - PolicyName: MyPublicKeyPolicy PolicyType: PublicKeyPolicyType Attributes: - Name: PublicKey Value: Fn::Join: - "\n" - - MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDh/51Aohx5VrpmlfGHZCzciMBa - fkHve+MQYYJcxmNUKMdsWnz9WtVfKxxWUU7Cfor4lorYmENGCG8FWqCoLDMFs7pN - yGEtpsrlKhzZWtgY1d7eGrUrBil03bI90E2KW0j4qAwGYAC8xixOkNClicojeEz4 - f4rr3sUf+ZBSsuMEuwIDAQAB - PolicyName: MyBackendServerAuthenticationPolicy PolicyType: BackendServerAuthenticationPolicyType Attributes: - Name: PublicKeyPolicyName Value: MyPublicKeyPolicy InstancePorts: - '443' - PolicyName: EnableProxyProtocol PolicyType: ProxyProtocolPolicyType Attributes: - Name: ProxyProtocol Value: 'true' InstancePorts: - '80' ElasticLoadBalancerConditions: Type: AWS::ElasticLoadBalancingV2::LoadBalancer Properties: Scheme: internet-facing SecurityGroups: !If - IsTypeNetwork - !Ref SecurityGroups - !Ref 'AWS::NoValue' Subnets: - subnet-123456 Type: !If - IsTypeNetwork - network - application LoadBalancerAttributes: - Key: load_balancing.cross_zone.enabled Value: 'true' Outputs: Arn: Value: !Ref LoadBalancer DNSName: Value: !GetAtt LoadBalancer.DNSName CanonicalHostedZoneID: Value: !GetAtt LoadBalancer.CanonicalHostedZoneID LoadBalancerFullName: Value: !GetAtt LoadBalancer.LoadBalancerFullName LoadBalancerName: Value: !GetAtt LoadBalancer.LoadBalancerName SecurityGroups: Value: !Join [',' , !GetAtt LoadBalancer.SecurityGroups]