AWSTemplateFormatVersion: 2010-09-09 Description: LinuxBastion+VPC Jul,30,2020 (qs-1qup6ra99) (Please do not remove) Metadata: QuickStartDocumentation: EntrypointName: Launch into an existing VPC Order: 2 LICENSE: Apache License, Version 2.0 'AWS::CloudFormation::Interface': ParameterGroups: - Label: default: Network configuration Parameters: - VPCID - PublicSubnet1ID - PublicSubnet2ID - RemoteAccessCIDR - Label: default: IAM configuration Parameters: - RolePath - PermissionsBoundaryArn - Label: default: Amazon EC2 configuration Parameters: - KeyPairName - BastionAMIOS - BastionInstanceType - RootVolumeSize - Label: default: Linux bastion configuration Parameters: - NumBastionHosts - BastionHostName - BastionTenancy - EnableBanner - BastionBanner - EnableTCPForwarding - EnableX11Forwarding - Label: default: Alternative configurations Parameters: - AlternativeInitializationScript - OSImageOverride - AlternativeIAMRole - EnvironmentVariables - Label: default: AWS Quick Start configuration Parameters: - QSS3BucketName - QSS3KeyPrefix - QSS3BucketRegion ParameterLabels: AlternativeIAMRole: default: Alternative IAM role AlternativeInitializationScript: default: Alternative initialization script BastionAMIOS: default: Bastion AMI operating system BastionHostName: default: Bastion host Name BastionTenancy: default: Bastion tenancy BastionBanner: default: Banner text QSS3BucketRegion: default: Quick Start S3 bucket region BastionInstanceType: default: Bastion instance type EnableBanner: default: Bastion banner EnableTCPForwarding: default: TCP forwarding EnableX11Forwarding: default: X11 forwarding EnvironmentVariables: default: Environment variables KeyPairName: default: Key pair name NumBastionHosts: default: Number of bastion hosts OSImageOverride: default: Operating system override PublicSubnet1ID: default: Public subnet 1 ID PublicSubnet2ID: default: Public subnet 2 ID QSS3BucketName: default: Quick Start S3 bucket name QSS3KeyPrefix: default: Quick Start S3 key prefix RemoteAccessCIDR: default: Allowed bastion external access CIDR VPCID: default: VPC ID RootVolumeSize: default: Root volume size PermissionsBoundaryArn: default: Permissions boundary ARN RolePath: default: Role path cfn-lint: { config: { ignore_checks: [E9007] } } Parameters: BastionAMIOS: AllowedValues: - Amazon-Linux2-HVM - Amazon-Linux2-HVM-ARM - CentOS-7-HVM - Ubuntu-Server-20.04-LTS-HVM - SUSE-SLES-15-HVM Default: Amazon-Linux2-HVM Description: The Linux distribution for the AMI to be used for the bastion instances. Type: String BastionHostName: Default: 'LinuxBastion' Description: The value used for the name tag of the bastion host. Type: String BastionBanner: Default: "" Description: Banner text to display upon login. Type: String BastionTenancy: Description: Bastion VPC tenancy (dedicated or default). Type: String Default: default AllowedValues: - dedicated - default BastionInstanceType: AllowedValues: - t2.nano - t2.micro - t2.small - t2.medium - t2.large - t3.micro - t3.small - t3.medium - t3.large - t3.xlarge - t3.2xlarge - t4g.nano - t4g.micro - t4g.small - t4g.medium - t4g.large - t4g.xlarge - t4g.2xlarge - m4.large - m4.xlarge - m4.2xlarge - m4.4xlarge Default: t2.micro Description: Amazon EC2 instance type for the bastion instances. Type: String EnableBanner: AllowedValues: - 'true' - 'false' Default: 'false' Description: Choose *true* to display a banner when connecting via SSH to the bastion. Type: String EnableTCPForwarding: Type: String Description: To enable TCP forwarding, choose *true*. Default: 'false' AllowedValues: - 'true' - 'false' EnableX11Forwarding: Type: String Description: To enable X11 forwarding, choose *true*. Default: 'false' AllowedValues: - 'true' - 'false' KeyPairName: Description: Name of an existing public/private key pair. If you do not have one in this AWS Region, please create it before continuing. Type: 'AWS::EC2::KeyPair::KeyName' NumBastionHosts: AllowedValues: - '1' - '2' - '3' - '4' Default: '1' Description: The number of bastion hosts to create. The maximum number is four. Type: String PublicSubnet1ID: Description: ID of the public subnet 1 that you want to provision the first bastion into (e.g., subnet-a0246dcd). Type: 'AWS::EC2::Subnet::Id' PublicSubnet2ID: Description: ID of the public subnet 2 that you want to provision the second bastion into (e.g., subnet-e3246d8e). Type: 'AWS::EC2::Subnet::Id' QSS3BucketName: AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$ ConstraintDescription: The Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Default: aws-quickstart Description: Name of the S3 bucket for your copy of the Quick Start assets. Keep the default name unless you are customizing the template. Changing the name updates code references to point to a new Quick Start location. This name can include numbers, lowercase letters, uppercase letters, and hyphens, but do not start or end with a hyphen (-). See https://aws-quickstart.github.io/option1.html. Type: String QSS3BucketRegion: Default: 'us-east-1' Description: The AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. When using your own bucket, you must specify this value. Type: String QSS3KeyPrefix: AllowedPattern: ^([0-9a-zA-Z-.]+/)*$ ConstraintDescription: The Quick Start S3 key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slashes (/). Default: quickstart-aerospike/ Description: S3 key prefix that is used to simulate a directory for your copy of the Quick Start assets. Keep the default prefix unless you are customizing the template. Changing this prefix updates code references to point to a new Quick Start location. This prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slashes (/). End with a forward slash. See https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMetadata.html and https://aws-quickstart.github.io/option1.html. Type: String RemoteAccessCIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/x Description: Allowed CIDR block for external SSH access to the bastions. Type: String VPCID: Description: ID of the VPC (e.g., vpc-0343606e). Type: 'AWS::EC2::VPC::Id' AlternativeInitializationScript: AllowedPattern: ^https.*|^$ ConstraintDescription: URL must begin with https. Description: An alternative initialization script to run during setup. Default: '' Type: String OSImageOverride: Description: The Region-specific image to use for the instance. Type: String Default: '' AlternativeIAMRole: Description: An existing IAM role name to attach to the bastion. If left blank, a new role will be created. Default: '' Type: String EnvironmentVariables: Description: A comma-separated list of environment variables for use in bootstrapping. Variables must be in the format `key=value`. `Value` cannot contain commas. Type: String Default: '' RootVolumeSize: Description: The size in GB for the root EBS volume. Type: Number Default: '10' PermissionsBoundaryArn: Description: Will be attached to all created IAM Roles to satisfy security requirements Type: String Default: '' RolePath: Description: Will be attached to all created IAM Roles to satisfy security requirements Type: String Default: '' AerospikeClusterAutoscalingGroup: Default: "" Description: Name of aerospike autoscaling group. Type: String Rules: SubnetsInVPC: Assertions: - Assert: 'Fn::EachMemberIn': - 'Fn::ValueOfAll': - 'AWS::EC2::Subnet::Id' - VpcId - 'Fn::RefAll': 'AWS::EC2::VPC::Id' AssertDescription: All subnets must exist in the VPC. ArmInstance: Assertions: - Assert: !Contains - - t4g.nano - t4g.medium - t4g.large - t4g.micro - t4g.small - t4g.2xlarge - t4g.xlarge - !Ref 'BastionInstanceType' AssertDescription: This instance type must use BastionAMIOS type of Amazon-Linux2-HVM-ARM. RuleCondition: !Equals - !Ref BastionAMIOS - Amazon-Linux2-HVM-ARM Mappings: AWSAMIRegionMap: af-south-1: AMZNLINUX2: ami-0936d2754993c364e AMZNLINUX2ARM: ami-01d326fa7db123542 US2004HVM: ami-022666956ad401a16 CENTOS7HVM: ami-0a2be7731769e6cc1 ap-northeast-1: AMZNLINUX2: ami-0f9a314ce79311c88 AMZNLINUX2ARM: ami-0d874cf52d89e1e4b US2004HVM: ami-098a3ed87d767edf9 CENTOS7HVM: ami-06a46da680048c8ae SLES15HVM: ami-056ac8ad44e6a7e1f ap-northeast-2: AMZNLINUX2: ami-0195322846474ddb9 AMZNLINUX2ARM: ami-06a997e23f0199d45 US2004HVM: ami-0f62054c960a1ed89 CENTOS7HVM: ami-06e83aceba2cb0907 SLES15HVM: ami-0f81fff879bafe6b8 ap-northeast-3: AMZNLINUX2: ami-0aaad057694fe2fe6 AMZNLINUX2ARM: ami-063f458e2f70f8951 US2004HVM: ami-027eb1b2453db16fd CENTOS7HVM: ami-02d6b455335e3af14 SLES15HVM: ami-0d8518dd12d11dfc2 ap-south-1: AMZNLINUX2: ami-08f3712c8ca5af75e AMZNLINUX2ARM: ami-0494f7473bf694265 US2004HVM: ami-03eb28f2d8e9e5448 CENTOS7HVM: ami-026f33d38b6410e30 SLES15HVM: ami-01be89269d32f2a16 ap-southeast-1: AMZNLINUX2: ami-08d3c6fdb83b512dc AMZNLINUX2ARM: ami-0b404894f3a1e6da0 US2004HVM: ami-04bdbc2d7a6c7c6dd CENTOS7HVM: ami-07f65177cb990d65b SLES15HVM: ami-070356c21596ddc67 ap-southeast-2: AMZNLINUX2: ami-0d06793241742e720 AMZNLINUX2ARM: ami-0c1c73154cfdcc852 US2004HVM: ami-0ca03d6e174a93774 CENTOS7HVM: ami-0b2045146eb00b617 SLES15HVM: ami-0c4245381c67efb39 ca-central-1: AMZNLINUX2: ami-0bb8b9131af2dcf58 AMZNLINUX2ARM: ami-045efbe545362bcfa US2004HVM: ami-02fffdf1e233d734c CENTOS7HVM: ami-04a25c39dc7a8aebb SLES15HVM: ami-0c97d9b588207dad6 eu-central-1: AMZNLINUX2: ami-05f5f4f906feab6a7 AMZNLINUX2ARM: ami-08b91e717872d4caf US2004HVM: ami-06acd502731e7718e CENTOS7HVM: ami-0e8286b71b81c3cc1 SLES15HVM: ami-05dfd265ea534a3e9 me-south-1: AMZNLINUX2: ami-0880769bc15eeec4f AMZNLINUX2ARM: ami-001dc219c441b922d US2004HVM: ami-03cc0b5db8321f2e5 CENTOS7HVM: ami-011c71a894b10f35b SLES15HVM: ami-0252c6d3a59c7473b ap-east-1: AMZNLINUX2: ami-0aca22cb23f122f27 AMZNLINUX2ARM: ami-01f5cec80321bd86e US2004HVM: ami-0c7e5903bee96ef81 CENTOS7HVM: ami-0e5c29e6c87a9644f SLES15HVM: ami-0ad6e15bcbb2dbe38 eu-north-1: AMZNLINUX2: ami-04e9e89793783442d AMZNLINUX2ARM: ami-06c417cf0d6b13d9c US2004HVM: ami-0d86b044a70ecfc6e CENTOS7HVM: ami-05788af9005ef9a93 SLES15HVM: ami-0741fa1a008af40ad eu-south-1: AMZNLINUX2: ami-0f447354763f0eaac AMZNLINUX2ARM: ami-011d4067dedd119f5 US2004HVM: ami-035e213233577516f CENTOS7HVM: ami-03014b98e9665115a SLES15HVM: ami-051cbea0e7660063d eu-west-1: AMZNLINUX2: ami-05489a3f80e532309 AMZNLINUX2ARM: ami-06055ab1b3dc70f03 US2004HVM: ami-0076b212fad243d9e CENTOS7HVM: ami-0b850cf02cc00fdc8 SLES15HVM: ami-0a58a1b152ba55f1d eu-west-2: AMZNLINUX2: ami-01bb5fb90f6e8dc9d AMZNLINUX2ARM: ami-08a5f51a19810bf69 US2004HVM: ami-0d0f12c129e9acd4f CENTOS7HVM: ami-09e5afc68eed60ef4 SLES15HVM: ami-01497522185aaa4ee eu-west-3: AMZNLINUX2: ami-0220e6e3ec3edb410 AMZNLINUX2ARM: ami-0958b74cb185c1beb US2004HVM: ami-06c781daa01c5c4d9 CENTOS7HVM: ami-0cb72d2e599cffbf9 SLES15HVM: ami-0f238bd4c6fdbefb0 sa-east-1: AMZNLINUX2: ami-00a928f066e0e354d AMZNLINUX2ARM: ami-04e03458901339bf1 US2004HVM: ami-09ee43e5c8d69b37e CENTOS7HVM: ami-0b30f38d939dd4b54 SLES15HVM: ami-0772af912976aa692 us-east-1: AMZNLINUX2: ami-06eecef118bbf9259 AMZNLINUX2ARM: ami-090230ed0c6b13c74 US2004HVM: ami-0708edb40a885c6ee CENTOS7HVM: ami-0affd4508a5d2481b SLES15HVM: ami-0b1764f3d7d2e2316 us-gov-west-1: AMZNLINUX2: ami-0281624483c624b77 AMZNLINUX2ARM: ami-08375cc8096939cac SLES15HVM: ami-57c0ba36 us-gov-east-1: AMZNLINUX2: ami-0860989603b7e0e11 AMZNLINUX2ARM: ami-07b3a284855ced8b2 SLES15HVM: ami-05e4bedfad53425e9 us-east-2: AMZNLINUX2: ami-0fe23c115c3ba9bac AMZNLINUX2ARM: ami-00b9738bf35b1d1de US2004HVM: ami-072e87c1b25ab0a8b CENTOS7HVM: ami-01e36b7901e884a10 SLES15HVM: ami-05ea824317ffc0c20 us-west-1: AMZNLINUX2: ami-088cd0732583ac947 AMZNLINUX2ARM: ami-0e48a188782d0412a US2004HVM: ami-0282af5c116b38803 CENTOS7HVM: ami-098f55b4287a885ba SLES15HVM: ami-00e34a7624e5a7107 us-west-2: AMZNLINUX2: ami-00af37d1144686454 AMZNLINUX2ARM: ami-0d3127dab514c6a1a US2004HVM: ami-0e623c4c77b6afcd1 CENTOS7HVM: ami-0bc06212a56393ee1 SLES15HVM: ami-0f1e3b3fb0fec0361 cn-north-1: AMZNLINUX2: ami-0b3a41626d881b1e8 AMZNLINUX2ARM: ami-0dce21d31b4d95cdf CENTOS7HVM: ami-08c16f7e830c0e393 SLES15HVM: ami-021392849b6221a81 cn-northwest-1: AMZNLINUX2: ami-093555c5cfc7bd553 AMZNLINUX2ARM: ami-098d8f81137f8fa0b CENTOS7HVM: ami-0f21aa96a61df8c44 SLES15HVM: ami-00e1de3ee6d0d28ea LinuxAMINameMap: Amazon-Linux2-HVM: Code: AMZNLINUX2 OS: Amazon Amazon-Linux2-HVM-ARM: Code: AMZNLINUX2ARM OS: Amazon CentOS-7-HVM: Code: CENTOS7HVM OS: CentOS Ubuntu-Server-18.04-LTS-HVM: Code: US1804HVM OS: Ubuntu Ubuntu-Server-20.04-LTS-HVM: Code: US2004HVM OS: Ubuntu SUSE-SLES-15-HVM: Code: SLES15HVM OS: SLES Conditions: RolePathProvided: !Not [!Equals ["", !Ref RolePath]] PermissionsBoundaryProvided: !Not [!Equals ["", !Ref PermissionsBoundaryArn]] 2BastionCondition: !Or - !Equals - !Ref NumBastionHosts - '2' - !Condition 3BastionCondition - !Condition 4BastionCondition 3BastionCondition: !Or - !Equals - !Ref NumBastionHosts - '3' - !Condition 4BastionCondition 4BastionCondition: !Equals - !Ref NumBastionHosts - '4' UseAlternativeInitialization: !Not - !Equals - !Ref AlternativeInitializationScript - '' CreateIAMRole: !Equals - !Ref AlternativeIAMRole - '' UseOSImageOverride: !Not - !Equals - !Ref OSImageOverride - '' UsingDefaultBucket: !Equals - !Ref QSS3BucketName - 'aws-quickstart' DefaultBanner: !Equals [!Ref BastionBanner, ""] Resources: BastionMainLogGroup: Type: 'AWS::Logs::LogGroup' SSHMetricFilter: Type: 'AWS::Logs::MetricFilter' Properties: LogGroupName: !Ref BastionMainLogGroup FilterPattern: ON FROM USER PWD MetricTransformations: - MetricName: SSHCommandCount MetricValue: '1' MetricNamespace: !Sub "AWSQuickStart/${AWS::StackName}" BastionHostRole: Condition: CreateIAMRole Type: 'AWS::IAM::Role' Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - ec2.amazonaws.com - autoscaling.amazonaws.com Action: - 'sts:AssumeRole' Path: / Policies: - PolicyName: MonitoringStackClusterPolicy PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - 'ec2:DescribeInstances' - 'ec2:DescribeVpcAttribute' Resource: '*' - PolicyName: MonitoringStackCloudWatchPolicy PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: 'cloudwatch:PutMetricData' Resource: '*' - PolicyName: root PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Resource: - !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:*' Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents - Effect: Allow Resource: - '*' Action: - ssm:DescribeSessions - ssm:GetConnectionStatus - ssm:DescribeInstanceInformation - Effect: Allow Resource: - '*' Action: - autoscaling:DescribeAutoScalingGroups - Effect: Allow Resource: - '*' Action: - autoscaling:DescribeAutoScalingGroups - autoscaling:DescribeAutoScalingInstances - autoscaling:DescribeLaunchConfigurations - Effect: Allow Action: - s3:GetObject Resource: !Sub "arn:aws:s3:::${QSS3BucketName}/*" - Effect: Allow Action: - ec2:DescribeInstances Resource: "*" - PolicyName: MonitoringStackAutoScalingPolicy PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - autoscaling:DescribeAutoScalingGroups Resource: '*' - Effect: Allow Action: - ec2:DescribeInstances - ec2:DescribeVpcAttribute Resource: "*" BastionHostPolicy: Type: 'AWS::IAM::Policy' Properties: PolicyName: BastionPolicy PolicyDocument: Version: 2012-10-17 Statement: - Action: - 's3:GetObject' Resource: !Sub - arn:${AWS::Partition}:s3:::${S3Bucket}/${QSS3KeyPrefix}* - S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Effect: Allow - Action: - 'logs:CreateLogStream' - 'logs:GetLogEvents' - 'logs:PutLogEvents' - 'logs:DescribeLogGroups' - 'logs:DescribeLogStreams' - 'logs:PutRetentionPolicy' - 'logs:PutMetricFilter' - 'logs:CreateLogGroup' Resource: !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:${BastionMainLogGroup}:*" Effect: Allow - Action: - 'ec2:DescribeAddresses' Resource: '*' Effect: Allow - Effect: Allow Action: - 'ec2:AssociateAddress' Resource: '*' Condition: StringEquals: ec2:ResourceTag/aws:cloudformation:stack-id: !Ref AWS::StackId Roles: - !If - CreateIAMRole - !Ref BastionHostRole - !Ref AlternativeIAMRole BastionHostProfile: DependsOn: BastionHostPolicy Type: 'AWS::IAM::InstanceProfile' Properties: Roles: - !If - CreateIAMRole - !Ref BastionHostRole - !Ref AlternativeIAMRole Path: / EIP1: Type: 'AWS::EC2::EIP' Properties: Domain: vpc EIP2: Type: 'AWS::EC2::EIP' Condition: 2BastionCondition Properties: Domain: vpc EIP3: Type: 'AWS::EC2::EIP' Condition: 3BastionCondition Properties: Domain: vpc EIP4: Type: 'AWS::EC2::EIP' Condition: 4BastionCondition Properties: Domain: vpc BastionAutoScalingGroup: Type: 'AWS::AutoScaling::AutoScalingGroup' Properties: LaunchConfigurationName: !Ref BastionLaunchConfiguration VPCZoneIdentifier: - !Ref PublicSubnet1ID - !Ref PublicSubnet2ID MinSize: !Ref NumBastionHosts MaxSize: !Ref NumBastionHosts Cooldown: '900' DesiredCapacity: !Ref NumBastionHosts Tags: - Key: Name Value: !Ref BastionHostName PropagateAtLaunch: true CreationPolicy: ResourceSignal: Count: !Ref NumBastionHosts Timeout: PT60M AutoScalingCreationPolicy: MinSuccessfulInstancesPercent: 100 UpdatePolicy: AutoScalingReplacingUpdate: WillReplace: true BastionLaunchConfiguration: Type: 'AWS::AutoScaling::LaunchConfiguration' Metadata: 'AWS::CloudFormation::Authentication': S3AccessCreds: type: S3 roleName: !If - CreateIAMRole - !Ref BastionHostRole - !Ref AlternativeIAMRole buckets: - !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] 'AWS::CloudFormation::Init': config: files: /tmp/auditd.rules: mode: '000550' owner: root group: root content: | -a exit,always -F arch=b64 -S execve -a exit,always -F arch=b32 -S execve /tmp/auditing_configure.sh: source: !Sub - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-linux-bastion/scripts/auditing_configure.sh - S3Bucket: !If - UsingDefaultBucket - !Sub 'aws-quickstart-${AWS::Region}' - !Ref 'QSS3BucketName' S3Region: !If - UsingDefaultBucket - !Ref 'AWS::Region' - !Ref 'QSS3BucketRegion' mode: '000550' owner: root group: root authentication: S3AccessCreds /tmp/bastion_bootstrap.sh: source: !If - UseAlternativeInitialization - !Ref AlternativeInitializationScript - !Sub - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-linux-bastion/scripts/bastion_bootstrap.sh - S3Bucket: !If - UsingDefaultBucket - !Sub 'aws-quickstart-${AWS::Region}' - !Ref 'QSS3BucketName' S3Region: !If - UsingDefaultBucket - !Ref 'AWS::Region' - !Ref 'QSS3BucketRegion' mode: '000550' owner: root group: root authentication: S3AccessCreds /tmp/aerospike_monitoring_stack_asbench_install.sh: content: !Sub - | #!/bin/bash # download monitoring stack binaries mkdir -p /home/ec2-user/monitoring_stack cd /home/ec2-user/monitoring_stack # Prometheus installation aws s3 cp s3://${S3Bucket}/${QSS3KeyPrefix}scripts/prometheus-2.30.3.linux-amd64.tar.gz . tar xvfz prometheus-*.tar.gz # Grafana installation wget https://dl.grafana.com/oss/release/grafana-8.2.1-1.x86_64.rpm sudo yum install -y grafana-8.2.1-1.x86_64.rpm sudo systemctl daemon-reload sudo systemctl start grafana-server sudo systemctl status grafana-server # asbench installation sudo yum install -y wget tar python3 gzip shadow-utils.x86_64 sudo wget -O aerospike-amazon_linux.tgz 'https://download.aerospike.com/download/tools/6.1.2/artifact/el7' sudo tar -xvzf aerospike-amazon_linux.tgz cd aerospike-tools* sudo ./asinstall > /dev/null 2>&1 & - REGION: !Sub "${AWS::Region}" S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] mode: '000744' owner: root group: root /tmp/create_sample_prometheus_config.sh: content: | #!/bin/bash # sample prometheus configuration, note aerospike_targets will be replaced by aerospike node IP:port PROMETHUS_CONFIG_TEMP_LOCATION=/home/ec2-user/monitoring_stack/prometheus-2.30.3.linux-amd64/prometheus.yml PROMETHUS_CONFIG=" global: scrape_interval: 15s evaluation_interval: 15s scrape_configs: - job_name: prometheus static_configs: - targets: ["localhost:9090"] - job_name: aerospike static_configs: - targets: aerospike_targets " echo -e "$PROMETHUS_CONFIG" > $PROMETHUS_CONFIG_TEMP_LOCATION mode: '000744' owner: root group: root /tmp/update_prometheus_configure.sh: content: !Sub - | #!/bin/bash export AWS_REGION=${AWS::Region} export ASG_NAME=${AerospikeClusterAutoscalingGroup} aws s3 cp s3://${S3Bucket}/${QSS3KeyPrefix}scripts/prometheus_configure.sh . chmod +x prometheus_configure.sh ./prometheus_configure.sh - REGION: !Sub "${AWS::Region}" S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] mode: '000755' owner: root group: root /tmp/grafana_configure.sh: content: !Sub - | #!/bin/bash aws s3 cp s3://${S3Bucket}/${QSS3KeyPrefix}scripts/grafana_configure.sh . chmod +x grafana_configure.sh ./grafana_configure.sh - REGION: !Sub "${AWS::Region}" S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] mode: '000755' owner: root group: root commands: a-add_auditd_rules: cwd: '/tmp/' env: BASTION_OS: !FindInMap [LinuxAMINameMap, !Ref BastionAMIOS, OS] command: "./auditing_configure.sh" # command: # - !If [ ] # - "cat /tmp/auditd.rules >> /etc/audit/rules.d/audit.rules && service auditd restart" b-bootstrap: cwd: '/tmp/' env: REGION: !Sub ${AWS::Region} URL_SUFFIX: !Sub ${AWS::URLSuffix} BANNER_REGION: !If [ UsingDefaultBucket, !Ref 'AWS::Region', !Ref 'QSS3BucketRegion' ] command: !Sub - "./bastion_bootstrap.sh --banner ${BannerUrl} --enable ${EnableBanner} --tcp-forwarding ${EnableTCPForwarding} --x11-forwarding ${EnableX11Forwarding}" - BannerUrl: !If - DefaultBanner - !Sub - s3://${S3Bucket}/${QSS3KeyPrefix}scripts/monitoring_banner.txt - S3Bucket: !If [ UsingDefaultBucket, !Sub 'aws-quickstart-${AWS::Region}', !Ref 'QSS3BucketName' ] - !Ref BastionBanner c-aerospike_monitoring: cwd: '/tmp/' command: "./aerospike_monitoring_stack_asbench_install.sh" d-create-prometheus_config: cwd: '/tmp/' env: REGION: !Sub ${AWS::Region} command: "./create_sample_prometheus_config.sh" e-update_prometheus_cluster: cwd: '/tmp/' command: "./update_prometheus_configure.sh" f-grafana_configure: cwd: '/tmp/' command: "./grafana_configure.sh" Properties: AssociatePublicIpAddress: true PlacementTenancy: !Ref BastionTenancy KeyName: !Ref KeyPairName IamInstanceProfile: !Ref BastionHostProfile ImageId: !If - UseOSImageOverride - !Ref OSImageOverride - !FindInMap - AWSAMIRegionMap - !Ref 'AWS::Region' - !FindInMap - LinuxAMINameMap - !Ref BastionAMIOS - Code SecurityGroups: - !Ref BastionSecurityGroup InstanceType: !Ref BastionInstanceType BlockDeviceMappings: - DeviceName: /dev/xvda Ebs: VolumeSize: !Ref RootVolumeSize VolumeType: gp2 Encrypted: true DeleteOnTermination: true UserData: Fn::Base64: !Sub - | #!/bin/bash set -x for e in $(echo "${EnvironmentVariables}" | tr ',' ' '); do export $e echo "$e" >> /root/.bashrc done export PATH=$PATH:/usr/local/bin #cfn signaling functions yum install git -y || apt-get install -y git || zypper -n install git function cfn_fail { cfn-signal -e 1 --stack ${AWS::StackName} --region ${AWS::Region} --resource BastionAutoScalingGroup exit 1 } function cfn_success { cfn-signal -e 0 --stack ${AWS::StackName} --region ${AWS::Region} --resource BastionAutoScalingGroup exit 0 } until git clone https://github.com/aws-quickstart/quickstart-linux-utilities.git ; do echo "Retrying"; done cd /quickstart-linux-utilities; source quickstart-cfn-tools.source; qs_update-os || qs_err; qs_bootstrap_pip || qs_err " pip bootstrap failed "; qs_aws-cfn-bootstrap || qs_err " cfn bootstrap failed "; EIP_LIST="${EIP1},${EIP2},${EIP3},${EIP4}" CLOUDWATCHGROUP=${BastionMainLogGroup} cfn-init -v --stack '${AWS::StackName}' --resource BastionLaunchConfiguration --region ${AWS::Region} || cfn_fail [ $(qs_status) == 0 ] && cfn_success || cfn_fail - EIP2: !If - 2BastionCondition - !Ref EIP2 - 'Null' EIP3: !If - 3BastionCondition - !Ref EIP3 - 'Null' EIP4: !If - 4BastionCondition - !Ref EIP4 - 'Null' BastionSecurityGroup: Type: 'AWS::EC2::SecurityGroup' Properties: GroupDescription: Enables SSH Access to Bastion Hosts VpcId: !Ref VPCID SecurityGroupIngress: - IpProtocol: tcp FromPort: 22 ToPort: 22 CidrIp: !Ref RemoteAccessCIDR - IpProtocol: icmp FromPort: -1 ToPort: -1 CidrIp: !Ref RemoteAccessCIDR - IpProtocol: tcp FromPort: 9090 ToPort: 9090 CidrIp: !Ref RemoteAccessCIDR - IpProtocol: tcp FromPort: 3000 ToPort: 3000 CidrIp: !Ref RemoteAccessCIDR - IpProtocol: tcp FromPort: 3100 ToPort: 3100 CidrIp: !Ref RemoteAccessCIDR Outputs: BastionAutoScalingGroup: Description: Auto Scaling group reference ID. Value: !Ref BastionAutoScalingGroup Export: Name: !Sub '${AWS::StackName}-BastionAutoScalingGroup' EIP1: Description: Elastic IP 1 for bastion. Value: !Ref EIP1 Export: Name: !Sub '${AWS::StackName}-EIP1' EIP2: Condition: 2BastionCondition Description: Elastic IP 2 for bastion. Value: !Ref EIP2 Export: Name: !Sub '${AWS::StackName}-EIP2' EIP3: Condition: 3BastionCondition Description: Elastic IP 3 for bastion. Value: !Ref EIP3 Export: Name: !Sub '${AWS::StackName}-EIP3' EIP4: Condition: 4BastionCondition Description: Elastic IP 4 for bastion. Value: !Ref EIP4 Export: Name: !Sub '${AWS::StackName}-EIP4' CloudWatchLogs: Description: CloudWatch Logs GroupName. Your SSH logs will be stored here. Value: !Ref BastionMainLogGroup Export: Name: !Sub '${AWS::StackName}-CloudWatchLogs' BastionSecurityGroupID: Description: Bastion security group ID. Value: !Ref BastionSecurityGroup Export: Name: !Sub '${AWS::StackName}-BastionSecurityGroupID' BastionHostRole: Description: Bastion IAM role name. Value: !If - CreateIAMRole - !Ref BastionHostRole - !Ref AlternativeIAMRole Export: Name: !Sub '${AWS::StackName}-BastionHostRole' Postdeployment: Description: See the deployment guide for post-deployment steps. Value: https://aws.amazon.com/quickstart/?quickstart-all.sort-by=item.additionalFields.sortDate&quickstart-all.sort-order=desc&awsm.page-quickstart-all=5