--- AWSTemplateFormatVersion: 2010-09-09 Description: "AWS VPC + Bastion Host + Aurora MySql, Do Not Remove Apache License Version 2.0 (qs-1r51947bu) Jun,15,2019" Metadata: LICENSE: Apache License Version 2.0 cfn-lint: config: ignore_checks: - W9006 - E9101 ############################################################################### # Parameter groups ############################################################################### AWS::CloudFormation::Interface: ParameterGroups: - Label: default: Network configuration Parameters: - AvailabilityZones - VPCCIDR - PrivateSubnet1CIDR - PrivateSubnet2CIDR - PublicSubnet1CIDR - PublicSubnet2CIDR - Label: default: Linux Bastion Host configuration Parameters: - EnableBastion - KeyPairName - RemoteAccessCIDR - EnableTCPForwarding - Label: default: Database General configuration Parameters: - DBEngineVersion - DBInstanceClass - ServerlessMinCapacity - ServerlessMaxCapacity - DBPort - DBName - DBMasterUsername - ManageMasterUserPassword - DBMasterUserPassword - DBMultiAZ - DBAutoMinorVersionUpgrade - DBBackupRetentionPeriod - EnableIAMDBAuth - DBBackTrack - Label: default: Database Storage configuration Parameters: - DBStorageEncrypted - StorageType - Label: default: Database Monitoring configuration Parameters: - DBExportLogToCloudwatch - EnablePerformanceInsights - PerformanceInsightsRetentionPeriod - EnableEnhancedMonitoring - MonitoringInterval - EnableEventSubscription - NotificationList - Label: default: Database tags (optional) Parameters: - EnvironmentStage - Application - ApplicationVersion - ProjectCostCenter - Confidentiality - Compliance - Label: default: Quick Start configuration Parameters: - QSS3BucketName - QSS3BucketRegion - QSS3KeyPrefix ############################################################################### # Parameter labels ############################################################################### ParameterLabels: #VPC stack related parameter labels AvailabilityZones: default: Availability Zones PrivateSubnet1CIDR: default: Private subnet 1 CIDR PrivateSubnet2CIDR: default: Private subnet 2 CIDR PublicSubnet1CIDR: default: Public subnet 1 CIDR PublicSubnet2CIDR: default: Public subnet 2 CIDR VPCCIDR: default: VPC CIDR #Bastion host related parameter labels EnableBastion: default: Create bastion stack EnableTCPForwarding: default: Enable TCP Forwarding KeyPairName: default: Key Name RemoteAccessCIDR: default: Permitted IP range #Quickstart related parameter labels QSS3BucketName: default: Quick Start S3 bucket name QSS3BucketRegion: default: Quick Start S3 bucket region QSS3KeyPrefix: default: Quick Start S3 key prefix #Aurora related parameter labels Application: default: Application name ApplicationVersion: default: Application version Compliance: default: Compliance classifier Confidentiality: default: Confidentiality classifier DBAutoMinorVersionUpgrade: default: Database auto minor version upgrade DBBackTrack: default: Backtrack window DBBackupRetentionPeriod: default: Database backup retention period DBEngineVersion: default: Database Engine Version DBExportLogToCloudwatch: default: Export database logs to CloudWatch DBInstanceClass: default: Database instance class DBMasterUsername: default: Database master username DBMasterUserPassword: default: Database master password DBMultiAZ: default: Aurora Multi-AZ DB Instance deployment DBName: default: Database name DBPort: default: Database port DBStorageEncrypted: default: Database encryption enabled EnableEnhancedMonitoring: default: Enable Enhanced Monitoring EnableEventSubscription: default: Enable Event Subscription EnableIAMDBAuth: default: Enable IAM Database Authentication EnablePerformanceInsights: default: Enable RDS Performance Insights EnvironmentStage: default: Environment stage ManageMasterUserPassword: default: Manage DB master user password with AWS Secrets Manager MonitoringInterval: default: Enhanced monitoring interval NotificationList: default: SNS notification email PerformanceInsightsRetentionPeriod: default: Number of days to retain Performance Insights data ProjectCostCenter: default: Project cost center ServerlessMinCapacity: default: Minimum ACUs ServerlessMaxCapacity: default: Maximum ACUs StorageType: default: Aurora Storage Type ############################################################################### # Parameters ############################################################################### Parameters: #VPC stack related parameters AvailabilityZones: Description: >- List of Availability Zones to use for the subnets in the VPC. Only two Availability Zones are used for this deployment, and the logical order of your selections is preserved. Type: List PrivateSubnet1CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: "CIDR block parameter must be in the form x.x.x.x/16-28" Default: 10.0.0.0/19 Description: "CIDR block for private subnet 1 located in Availability Zone 1." Type: String PrivateSubnet2CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: "CIDR block parameter must be in the form x.x.x.x/16-28" Default: 10.0.32.0/19 Description: "CIDR block for private subnet 2 located in Availability Zone 2." Type: String PublicSubnet1CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: "CIDR block parameter must be in the form x.x.x.x/16-28" Default: 10.0.96.0/20 Description: "CIDR block for the public subnet 1 located in Availability Zone 1." Type: String PublicSubnet2CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: "CIDR block parameter must be in the form x.x.x.x/16-28" Default: 10.0.128.0/20 Description: "CIDR block for the public subnet 2 located in Availability Zone 2." Type: String VPCCIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: "CIDR block parameter must be in the form x.x.x.x/16-28" Default: 10.0.0.0/16 Description: "CIDR block for the VPC." Type: String #Bastion host related parameters EnableBastion: AllowedValues: - "true" - "false" Default: "true" Description: "If 'true', a bastion stack will be created." Type: String EnableTCPForwarding: Type: String Description: "Enable/Disable TCP Forwarding for the bastion host." Default: "false" AllowedValues: - "true" - "false" KeyPairName: ConstraintDescription: "Name of an existing EC2 key pair." Description: "Name of an existing public/private key pair, for connecting to the bastion host." Type: AWS::EC2::KeyPair::KeyName RemoteAccessCIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ ConstraintDescription: "CIDR block parameter must be in the form x.x.x.x/x" Description: "Allowed CIDR block for external SSH access to the bastion host." Default: 10.0.0.0/16 Type: String #Quickstart related parameters QSS3BucketName: AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$ ConstraintDescription: "Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-)." Default: aws-quickstart Description: "S3 bucket name for the Quick Start assets. Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-)." Type: String QSS3BucketRegion: Default: us-east-1 Description: "The AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. When using your own bucket, you must specify this value." Type: String QSS3KeyPrefix: AllowedPattern: ^[0-9a-zA-Z-/]*$ ConstraintDescription: "Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/)." Default: quickstart-amazon-aurora-mysql/ Description: "S3 key prefix for the Quick Start assets. Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/)." Type: String #Aurora related parameters Application: Type: String Default: "" Description: "[Optional] Name of the application for the associated AWS resource." ApplicationVersion: Type: String Description: "[Optional] Version of the application." Default: "" Compliance: Type: String Default: "" Description: "[Optional] Compliance level for the AWS resource." AllowedValues: - hipaa - sox - fips - other - "" Confidentiality: Type: String Default: "" Description: "[Optional] Confidentiality classification of the data that is associated with the AWS resource." AllowedValues: - public - private - confidential - pii/phi - none - "" DBStorageEncrypted: Default: "true" AllowedValues: - "true" - "false" Description: "To disable database encryption, choose 'false'." Type: String DBAutoMinorVersionUpgrade: AllowedValues: - "true" - "false" Default: "false" Description: "Select 'true' to set up auto minor version upgrade." Type: String DBBackTrack: Description: "The target backtrack window, in seconds. To disable backtracking, set this value to 0." Type: Number Default: 0 MinValue: 0 MaxValue: 259200 DBBackupRetentionPeriod: Default: 35 Description: "The number of days for which automatic database snapshots are retained." Type: Number MinValue: 0 MaxValue: 35 DBEngineVersion: Description: >- Select Database Engine Version. Aurora Serverless v2 with Aurora MySQL is supported for versions 3.02.0 and higher. Aurora I/O-Optimized configuration is available in Aurora MySQL version 3.03.1 and higher. For supported engines and Region availability for Aurora Serverless v2 with Aurora MySQL, refer https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Concepts.Aurora_Fea_Regions_DB-eng.Feature.ServerlessV2.html Type: String Default: Aurora-MySQL-3.03.1-MySQL8.0.23 AllowedValues: - Aurora-MySQL5.7-2.07.9 - Aurora-MySQL5.7-2.11.1 - Aurora-MySQL5.7-2.11.2 - Aurora-MySQL5.7-2.11.3 - Aurora-MySQL-3.01.0-MySQL8.0.23 - Aurora-MySQL-3.01.1-MySQL8.0.23 - Aurora-MySQL-3.02.0-MySQL8.0.23 - Aurora-MySQL-3.02.1-MySQL8.0.23 - Aurora-MySQL-3.02.2-MySQL8.0.23 - Aurora-MySQL-3.02.3-MySQL8.0.23 - Aurora-MySQL-3.03.0-MySQL8.0.23 - Aurora-MySQL-3.03.1-MySQL8.0.23 DBExportLogToCloudwatch: Default: '' Description: "Specify the comma-delimited list of database logs (error, slowquery, audit, general) to export to CloudWatch Logs." Type: CommaDelimitedList DBInstanceClass: Default: db.r6g.2xlarge Description: "The database instance type. Please see supported instance types for the MySQL version selected https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Concepts.DBInstanceClass.html#Concepts.DBInstanceClass.SupportAurora" Type: String AllowedValues: - db.r5.12xlarge - db.r5.16xlarge - db.r5.24xlarge - db.r5.2xlarge - db.r5.4xlarge - db.r5.8xlarge - db.r5.large - db.r5.xlarge - db.r6g.12xlarge - db.r6g.16xlarge - db.r6g.2xlarge - db.r6g.4xlarge - db.r6g.8xlarge - db.r6g.large - db.r6g.xlarge - db.r6i.12xlarge - db.r6i.16xlarge - db.r6i.24xlarge - db.r6i.2xlarge - db.r6i.32xlarge - db.r6i.4xlarge - db.r6i.8xlarge - db.r6i.large - db.r6i.xlarge - db.r7g.12xlarge - db.r7g.16xlarge - db.r7g.2xlarge - db.r7g.4xlarge - db.r7g.8xlarge - db.r7g.large - db.r7g.xlarge - db.serverless - db.t3.large - db.t3.medium - db.t3.small - db.t4g.large - db.t4g.medium - db.x2g.12xlarge - db.x2g.16xlarge - db.x2g.2xlarge - db.x2g.4xlarge - db.x2g.8xlarge - db.x2g.large - db.x2g.xlarge DBMasterUsername: AllowedPattern: "[a-zA-Z][a-zA-Z0-9]*" ConstraintDescription: "Must begin with a letter and contain only alphanumeric characters." Default: admin Description: "The database master username." MaxLength: "16" MinLength: "1" Type: String DBMasterUserPassword: AllowedPattern: ^(?=^.{8,255}$)(?=.*[a-z])(?=.*[A-Z])(?=.*\d)((?=.*[^A-Za-z0-9])(?!.*[@/"'])).*$ ConstraintDescription: Min 8 chars. Must include 1 uppercase, 1 lowercase, 1 number, 1 (non / @ " ') symbol Default: Gjht56Ft$ Description: "The database master user password. Required if _Manage DB master user password with AWS Secrets Manager_ option is set to 'false'." MaxLength: "64" MinLength: "8" NoEcho: "True" Type: String DBMultiAZ: AllowedValues: - "true" - "false" Default: "true" Description: "Select 'true' to deploy a read-replica." Type: String DBName: AllowedPattern: "[a-zA-Z0-9]*" Description: "Name of the initial Aurora MySQL database to create." MaxLength: "64" MinLength: "0" Default: sampleapp Type: String DBPort: Default: 3306 Description: "The port the instance will listen for connections on." Type: Number ConstraintDescription: "Must be in the range [1150-65535]." MinValue: 1150 MaxValue: 65535 EnableEnhancedMonitoring: AllowedValues: - "true" - "false" Default: "true" Description: "Set to 'true' to enable Enahanced Monitoring." Type: String EnableEventSubscription: AllowedValues: - "true" - "false" Default: "true" Description: "Enables event subscription to Notification List." Type: String EnableIAMDBAuth: AllowedValues: - "true" - "false" Default: "true" Description: "Enables IAM Database Authentication." Type: String EnablePerformanceInsights: AllowedValues: - "true" - "false" Default: "true" Description: "Enables RDS Performance Insights." Type: String EnvironmentStage: Type: String Description: "[Optional] Environment stage of the associated AWS resource." AllowedValues: - dev - test - pre-prod - prod - none Default: none ManageMasterUserPassword: AllowedValues: - "true" - "false" Default: "true" Description: "Set to 'true' to manage the master user password with AWS Secrets Manager." Type: String MonitoringInterval: Default: 10 Description: "The interval, in seconds, between points when Enhanced Monitoring metrics are collected for the database." Type: Number AllowedValues: - 1 - 5 - 10 - 15 - 30 - 60 ConstraintDescription: "Valid values are 0, 1, 5, 10, 15, 30, 60 seconds." NotificationList: Type: String Default: db-ops@domain.com Description: "The email notification used to configure an SNS topic for sending CloudWatch alarm and RDS event notifications." AllowedPattern: ^(([^<>()\[\]\\.,;:\s@"]+(\.[^<>()\[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$ ConstraintDescription: "Provide a valid email address." PerformanceInsightsRetentionPeriod: Default: 7 Description: "The number of days for which automatic database snapshots are retained. Specify days based on (month * 31), where month is a number of months from 1-23" Type: Number MinValue: 7 MaxValue: 713 ProjectCostCenter: Type: String Default: "" Description: "[Optional] Designates the cost center associated with the project of the given AWS resource." ServerlessMinCapacity: Default: 8 Description: >- Required if "db.serverless" is chosen as the database instance class. Specify maximum Aurora Serverless v2 Capacity Units (ACUs) in the range of 1 to 128 in increments of 0.5. 1 ACU provides 2 GiB of memory and corresponding compute and networking. Type: String AllowedPattern: ([0-9]?(\.(0|5))?|[1-8][0-9](\.(0|5))?|9[0-9]|1[01][0-9](\.(0|5))?|12[0-7](\.(0|5))?|128) ConstraintDescription: "Only values from 0.5 to 128, in increments of 0.5" ServerlessMaxCapacity: Default: 64 Description: >- Required if "db.serverless" is chosen as the database instance class. Specify maximum Aurora Serverless v2 Capacity Units (ACUs) in the range of 1 to 128 in increments of 0.5. 1 ACU provides 2 GiB of memory and corresponding compute and networking. Type: String AllowedPattern: ([1-9]?(\.(0|5))?|[1-8][0-9](\.(0|5))?|9[0-9]|1[01][0-9](\.(0|5))?|12[0-7](\.(0|5))?|128) ConstraintDescription: "Only values from 1 to 128, in increments of 0.5" StorageType: Type: String Description: >- Designates the storage type to associate with the Aurora DB cluster. Choose aurora-iopt1 for Aurora I/O Optimized storage. For details refer https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Overview.StorageReliability.html#aurora-storage-type AllowedValues: - aurora - aurora-iopt1 Default: aurora ############################################################################### # Conditions ############################################################################### Conditions: EnableBastionAccess: !Equals - !Ref EnableBastion - "true" UsingDefaultBucket: !Equals [!Ref QSS3BucketName, 'aws-quickstart'] ############################################################################### # Resources ############################################################################### Resources: VPCStack: Type: 'AWS::CloudFormation::Stack' Properties: TemplateURL: Fn::Sub: - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-aws-vpc/templates/aws-vpc.template.yaml' - S3Region: !If - UsingDefaultBucket - !Ref AWS::Region - !Ref QSS3BucketRegion S3Bucket: !If - UsingDefaultBucket - !Sub '${QSS3BucketName}-${AWS::Region}' - !Ref QSS3BucketName Parameters: AvailabilityZones: !Join - ',' - !Ref AvailabilityZones NumberOfAZs: '2' PrivateSubnet1ACIDR: !Ref PrivateSubnet1CIDR PrivateSubnet2ACIDR: !Ref PrivateSubnet2CIDR PublicSubnet1CIDR: !Ref PublicSubnet1CIDR PublicSubnet2CIDR: !Ref PublicSubnet2CIDR VPCCIDR: !Ref VPCCIDR BastionStack: Condition: EnableBastionAccess Type: 'AWS::CloudFormation::Stack' Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-linux-bastion/templates/linux-bastion-entrypoint-existing-vpc.template.yaml' - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: KeyPairName: !Ref KeyPairName PublicSubnet1ID: !GetAtt - VPCStack - Outputs.PublicSubnet1ID PublicSubnet2ID: !GetAtt - VPCStack - Outputs.PublicSubnet2ID EnableTCPForwarding: !Ref EnableTCPForwarding RemoteAccessCIDR: !Ref RemoteAccessCIDR VPCID: !GetAtt - VPCStack - Outputs.VPCID QSS3BucketName: !Ref QSS3BucketName QSS3BucketRegion: !Ref QSS3BucketRegion QSS3KeyPrefix: !Sub ${QSS3KeyPrefix}submodules/quickstart-linux-bastion/ AMSNS: Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/aurora_mysql.template.yaml' - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: #Database Network configuration VPCID: Fn::GetAtt: - VPCStack - Outputs.VPCID Subnet1ID: Fn::GetAtt: - VPCStack - Outputs.PrivateSubnet1AID Subnet2ID: Fn::GetAtt: - VPCStack - Outputs.PrivateSubnet2AID DBAccessCIDR: !Ref VPCCIDR #Database General configuration DBEngineVersion: !Ref DBEngineVersion DBInstanceClass: !Ref DBInstanceClass ServerlessMinCapacity: !Ref ServerlessMinCapacity ServerlessMaxCapacity: !Ref ServerlessMaxCapacity DBPort: !Ref DBPort DBName: !Ref DBName DBMasterUsername: !Ref DBMasterUsername ManageMasterUserPassword: !Ref ManageMasterUserPassword DBMasterUserPassword: !Ref DBMasterUserPassword DBMultiAZ: !Ref DBMultiAZ DBAutoMinorVersionUpgrade: !Ref DBAutoMinorVersionUpgrade DBBackupRetentionPeriod: !Ref DBBackupRetentionPeriod EnableIAMDBAuth: !Ref EnableIAMDBAuth DBBackTrack: !Ref DBBackTrack #Database Storage configuration DBStorageEncrypted: !Ref DBStorageEncrypted StorageType: !Ref StorageType #Database Monitoring configuration DBExportLogToCloudwatch: !Join - ',' - !Ref DBExportLogToCloudwatch EnablePerformanceInsights: !Ref EnablePerformanceInsights PerformanceInsightsRetentionPeriod: !Ref PerformanceInsightsRetentionPeriod EnableEnhancedMonitoring: !Ref EnableEnhancedMonitoring MonitoringInterval: !Ref MonitoringInterval EnableEventSubscription: !Ref EnableEventSubscription NotificationList: !Ref NotificationList #Database tags (optional) EnvironmentStage: !Ref EnvironmentStage Application: !Ref Application ApplicationVersion: !Ref ApplicationVersion ProjectCostCenter: !Ref ProjectCostCenter Confidentiality: !Ref Confidentiality Compliance: !Ref Compliance