Description: 'AWS VPC + bastion host + Amazon Redshift Aug,19,2019 (qs-1psnj8ejo)' Metadata: LICENSE: Apache License Version 2.0 AWS::CloudFormation::Interface: ParameterGroups: - Label: default: VPC network configuration Parameters: - AvailabilityZones - VPCCIDR - PrivateSubnet1CIDR - PrivateSubnet2CIDR - PublicSubnet1CIDR - PublicSubnet2CIDR - RemoteAccessCIDR - Label: default: Amazon Redshift configuration Parameters: - NodeType - NumberOfNodes - RedshiftClusterPort - DatabaseName - MasterUsername - MasterUserPassword - NotificationList - MakeRedshiftPubliclyAccessible - ConcurrencyScaling - Label: default: Amazon Redshift advanced configuration Parameters: - EnableLoggingToS3 - MaxConcurrentCluster - EncryptionAtRest - kmskey - SnapshotIdentifier - SnapshotAccountNumber - Maintenancewindow - S3BucketForRedshiftIAMRole - GlueCatalogDatabase - Label: default: Tag identifiers Parameters: - TagEnvironment - TagName - TagProjectCostCenter - TagConfidentiality - TagCompliance - Label: default: Linux Bastion configuration Parameters: - EnableBastion - KeyPairName - BastionInstanceType - BastionTenancy - EnableBanner - BastionBanner - EnableTCPForwarding - EnableX11Forwarding - AlternativeInitializationScript - Label: default: AWS Quick Start configuration Parameters: - QSS3BucketName - QSS3BucketRegion - QSS3KeyPrefix ParameterLabels: DatabaseName: default: Redshift database name RedshiftClusterPort: default: Redshift cluster port NodeType: default: Node type for Redshift cluster NumberOfNodes: default: Number of nodes in Redshift cluster MasterUsername: default: Redshift master user name MasterUserPassword: default: Redshift master user password NotificationList: default: SNS Notification Email EnableLoggingToS3: default: Enable Redshift logging to S3 MaxConcurrentCluster: default: Max. number of concurrent clusters ConcurrencyScaling: default: Concurrency Scaling EncryptionAtRest: default: Encryption at rest kmskey: default: KMS key ID SnapshotIdentifier: default: Redshift snapshot identifier SnapshotAccountNumber: default: AWS account-ID of the Redshift Snapshot S3BucketForRedshiftIAMRole: default: Amazon S3 bucket for Redshift IAM role GlueCatalogDatabase: default: Glue catalog database name Maintenancewindow: default: Maintenance window EnableBastion: default: Do you want to create bastion stack? BastionTenancy: default: Bastion tenancy BastionBanner: default: Bastion banner BastionInstanceType: default: Bastion instance type EnableBanner: default: Enable banner EnableTCPForwarding: default: Enable TCP forwarding EnableX11Forwarding: default: Enable X11 forwarding KeyPairName: default: Key pair name RemoteAccessCIDR: default: Allowed external access CIDR AlternativeInitializationScript: default: Custom Bootstrap Script QSS3BucketName: default: Quick Start S3 Bucket Name QSS3BucketRegion: default: Quick Start S3 bucket region QSS3KeyPrefix: default: Quick Start S3 Key Prefix TagEnvironment: default: Environment TagName: default: Unique friendly name TagCompliance: default: Compliance classifier TagConfidentiality: default: Confidentiality classifier TagProjectCostCenter: default: Project cost center VPCCIDR: default: VPC CIDR AvailabilityZones: default: Availability Zones PrivateSubnet1CIDR: default: Private subnet 1 CIDR PrivateSubnet2CIDR: default: Private subnet 2 CIDR PublicSubnet1CIDR: default: Public subnet 1 CIDR PublicSubnet2CIDR: default: Public subnet 2 CIDR MakeRedshiftPubliclyAccessible: default: Make Redshift publicly accessible Parameters: AvailabilityZones: Description: >- List of Availability Zones to use for the subnets in the VPC. Only two Availability Zones are used for this deployment, and the logical order of your selections is preserved. Type: 'List' VPCCIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.0.0/16 Description: CIDR block for the VPC. Type: String PrivateSubnet1CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.0.0/19 Description: CIDR block for private subnet 1 located in Availability Zone 1. Type: String PrivateSubnet2CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.32.0/19 Description: CIDR block for private subnet 2 located in Availability Zone 2. Type: String PublicSubnet1CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.128.0/20 Description: CIDR block for the public subnet 1 located in Availability Zone 1. Type: String PublicSubnet2CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.144.0/20 Description: CIDR block for the public subnet 2 located in Availability Zone 2. Type: String NotificationList: Type: String Description: The email notification list that is used to configure an SNS topic for sending CloudWatch alarm and event notifications. AllowedPattern: '^(([^<>()\[\]\\.,;:\s@"]+(\.[^<>()\[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$' ConstraintDescription: provide a valid email address. Default: 'ops@company.com' BastionBanner: Default: https://aws-quickstart.s3.amazonaws.com/quickstart-linux-bastion/scripts/banner_message.txt Description: The banner text to display upon login. Use the default value or provide theS3 location for the file containing banner text. Type: String BastionTenancy: Description: 'VPC tenancy in which the bastion host will be launched. Options: dedicated or default' Type: String Default: default AllowedValues: - dedicated - default BastionInstanceType: AllowedValues: - t2.nano - t2.micro - t2.small - t2.medium - t2.large - m4.large - m4.xlarge - m4.2xlarge - m4.4xlarge Default: t2.micro Description: Amazon EC2 instance type for the bastion instance. t2 instance types are not supported for dedicated VPC tenancy. Type: String EnableBanner: AllowedValues: - 'true' - 'false' Default: 'true' Description: To include a banner to be displayed when connecting via SSH to the bastion, set this parameter to true. Type: String EnableTCPForwarding: Type: String Description: Enables/disables TCP forwarding Default: 'false' AllowedValues: - 'true' - 'false' EnableX11Forwarding: Type: String Description: Enables/disables X11 forwarding. Default: 'false' AllowedValues: - 'true' - 'false' KeyPairName: Description: A public/private key pair, which allows you to connect securely to your instance after it launches. This is the key pair you created in your preferred AWS Region; see the Technical requirements section. If you do not have one in this AWS Region, create it before continuing. Type: 'AWS::EC2::KeyPair::KeyName' RemoteAccessCIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/x Description: Allowed CIDR block in the format x.x.x.x/x for external SSH access to the bastion host. Type: String AlternativeInitializationScript: AllowedPattern: ^http.*|^$ ConstraintDescription: URL must begin with http Description: Optional. Specify custom bootstrap script AWS S3 location to run during bastion host setup Default: '' Type: String QSS3BucketName: AllowedPattern: '^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$' ConstraintDescription: 'Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).' Default: aws-quickstart Description: 'S3 bucket name for the Quick Start assets. Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).' Type: String QSS3BucketRegion: Default: 'us-east-1' Description: 'The AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. When using your own bucket, you must specify this value.' Type: String QSS3KeyPrefix: AllowedPattern: '^[0-9a-zA-Z-/]*$' ConstraintDescription: 'Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/).' Default: quickstart-amazon-redshift/ Description: 'S3 key prefix for the Quick Start assets. Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/).' Type: String EnableBastion: AllowedValues: - 'true' - 'false' Default: 'true' Description: Enables or disables creation of a bastion stack. If true, a bastion stack will be created. Type: String MakeRedshiftPubliclyAccessible: AllowedValues: - 'true' - 'false' Default: 'false' Description: Specifies whether Amazon Redshift will be publicly accessible. Type: String DatabaseName: Description: The name of the first database to be created when the cluster is created. Type: String Default: rsdev01 AllowedPattern: '([a-z]|[0-9])+' RedshiftClusterPort: Description: The port number on which the cluster accepts incoming connections. Type: Number Default: '8200' NumberOfNodes: Description: The number of compute nodes in the cluster. For multi-node clusters, the NumberOfNodes parameter must be greater than 1 Type: Number Default: '2' NodeType: Description: The type of node to be provisioned. Type: String Default: dc2.large AllowedValues: - dc2.large - dc2.8xlarge - ra3.4xlarge - ra3.16xlarge - ds2.xlarge - ds2.8xlarge MasterUsername: Description: The user name that is associated with the master user account for the cluster that is being created. Type: String Default: rsadmin AllowedPattern: '([a-z])([a-z]|[0-9])*' ConstraintDescription: must start with a-z and contain only a-z or 0-9. MasterUserPassword: Description: >- The password that is associated with the master user account for the cluster that is being created. Must have at least 8 characters and no more than 64 characters, and must include 1 uppercase letter, 1 lowercase letter, 1 number, and 1 symbol (excluding / @ \" '). NoEcho: true Type: String MinLength: '8' MaxLength: '64' AllowedPattern: '(?=^.{6,255}$)((?=.*\\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*' ConstraintDescription: >- Enter alphanumeric password for the master user. The password must contain 8 to 64 printable ASCII characters, excluding: /, ", \'', \ and @. It must contain one uppercase letter, one lowercase letter, and one number. Maintenancewindow: Description: The maintenance window for the Redshift cluster. Type: String Default: 'sat:05:00-sat:05:30' MaxConcurrentCluster: Description: The maximum number of concurrency scaling Redshift clusters. Type: String Default: '1' ConcurrencyScaling: Description: When the number of queries routed to a queue exceeds the queue's configured concurrency, eligible queries go to the scaling cluster. Default: 'auto' Type: String AllowedValues: - 'auto' - 'off' EncryptionAtRest: Description: Enables or disables encryption at rest of the Redshift database. Type: String Default: 'false' AllowedValues: - 'true' - 'false' ConstraintDescription: must be true or false. kmskey: Description: The existing KMS key ID for encrypting Redshift database at-rest. Type: String Default: '' SnapshotIdentifier: Description: The Redshift snapshot identifier. Leave this blank for a new cluster. Enter the snapshot identifier, only if you want to restore from a snapshot. Default: '' Type: String SnapshotAccountNumber: Description: The AWS account number where the Redshift snapshot was created. Leave this blank, if the snapshot was created in the current AWS account. Default: '' Type: String EnableLoggingToS3: Default: 'false' Type: String AllowedValues: - 'true' - 'false' Description: Enables or disables logging to an S3 bucket. To enable logging, select True. S3BucketForRedshiftIAMRole: Type: String Description: The existing Amazon S3 bucket. An IAM role will be created and associated to the Redshift cluster with GET and LIST access to this bucket. Default: '' GlueCatalogDatabase: Type: String Description: The name of your Glue Data Catalog database. AllowedPattern: '([ \t\n\x0B\f\r])*|([a-z])([\-]|[a-z]|[\-]|[0-9])*' Default: '' ConstraintDescription: must start with a-z and contain only a-z or 0-9 or hyphen (-). TagName: Type: String Description: The unique friendly name as required by your company’s tagging strategy document, and which will be added to the environment tag. Default: 'rs-quickstart' TagEnvironment: Type: String AllowedValues: - dev - test - pre-prod - prod - none Default: none Description: The environment tag that is used to designate the environment stage of the associated AWS resource. TagProjectCostCenter: Type: String Description: The cost center associated with the project of the given AWS resource. Default: '0000' TagConfidentiality: Type: String Description: The confidentiality classification of the data that is associated with the resource. AllowedValues: - public - private - confidential - pii/phi Default: 'private' TagCompliance: Type: String Description: The compliance level for the AWS resource. AllowedValues: - hipaa - sox - fips - other Default: 'other' Conditions: UsingDefaultBucket: !Equals [!Ref QSS3BucketName, 'aws-quickstart'] EnableBastionAccess: !Equals - !Ref EnableBastion - 'true' RedshiftPubliclyAccessible: !Equals - !Ref 'MakeRedshiftPubliclyAccessible' - 'true' Resources: VPCStack: Type: 'AWS::CloudFormation::Stack' Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-aws-vpc/templates/aws-vpc.template.yaml' - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [ UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName, ] Parameters: AvailabilityZones: !Join - ',' - !Ref AvailabilityZones NumberOfAZs: '2' PrivateSubnet1ACIDR: !Ref PrivateSubnet1CIDR PrivateSubnet2ACIDR: !Ref PrivateSubnet2CIDR PublicSubnet1CIDR: !Ref PublicSubnet1CIDR PublicSubnet2CIDR: !Ref PublicSubnet2CIDR VPCCIDR: !Ref VPCCIDR BastionStack: Condition: EnableBastionAccess Type: 'AWS::CloudFormation::Stack' Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-linux-bastion/templates/linux-bastion.template' - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [ UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName, ] Parameters: KeyPairName: !Ref KeyPairName BastionBanner: !Ref BastionBanner EnableBanner: !Ref EnableBanner BastionTenancy: !Ref BastionTenancy BastionInstanceType: !Ref BastionInstanceType AlternativeInitializationScript: !Ref AlternativeInitializationScript EnableX11Forwarding: !Ref EnableX11Forwarding PublicSubnet1ID: !GetAtt - VPCStack - Outputs.PublicSubnet1ID PublicSubnet2ID: !GetAtt - VPCStack - Outputs.PublicSubnet2ID EnableTCPForwarding: !Ref EnableTCPForwarding RemoteAccessCIDR: !Ref RemoteAccessCIDR VPCID: !GetAtt - VPCStack - Outputs.VPCID QSS3BucketName: !Ref QSS3BucketName QSS3BucketRegion: !Ref QSS3BucketRegion QSS3KeyPrefix: !Sub ${QSS3KeyPrefix}submodules/quickstart-linux-bastion/ RedshiftStack: Type: 'AWS::CloudFormation::Stack' Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/redshift.template.yaml' - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [ UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName, ] Parameters: VPCID: !GetAtt - VPCStack - Outputs.VPCID RemoteAccessCIDR: !If - RedshiftPubliclyAccessible - !Ref RemoteAccessCIDR - !Ref VPCCIDR PubliclyAccessible: !If - RedshiftPubliclyAccessible - 'true' - 'false' Subnet1ID: !If - RedshiftPubliclyAccessible - Fn::GetAtt: - VPCStack - Outputs.PublicSubnet1ID - Fn::GetAtt: - VPCStack - Outputs.PrivateSubnet1AID Subnet2ID: !If - RedshiftPubliclyAccessible - Fn::GetAtt: - VPCStack - Outputs.PublicSubnet2ID - Fn::GetAtt: - VPCStack - Outputs.PrivateSubnet2AID DatabaseName: !Ref DatabaseName RedshiftClusterPort: !Ref RedshiftClusterPort NumberOfNodes: !Ref NumberOfNodes NodeType: !Ref NodeType MasterUsername: !Ref MasterUsername MasterUserPassword: !Ref MasterUserPassword Maintenancewindow: !Ref Maintenancewindow MaxConcurrentCluster: !Ref MaxConcurrentCluster ConcurrencyScaling: !Ref ConcurrencyScaling EncryptionAtRest: !Ref EncryptionAtRest kmskey: !Ref kmskey SnapshotIdentifier: !Ref SnapshotIdentifier SnapshotAccountNumber: !Ref SnapshotAccountNumber NotificationList: !Ref NotificationList EnableLoggingToS3: !Ref EnableLoggingToS3 S3BucketForRedshiftIAMRole: !Ref S3BucketForRedshiftIAMRole GlueCatalogDatabase: !Ref GlueCatalogDatabase QSS3BucketName: !Ref QSS3BucketName QSS3BucketRegion: !Ref QSS3BucketRegion QSS3KeyPrefix: !Ref QSS3KeyPrefix TagConfidentiality: !Ref TagConfidentiality TagName: !Ref TagName TagEnvironment: !Ref TagEnvironment TagProjectCostCenter: !Ref TagProjectCostCenter TagCompliance: !Ref TagCompliance Outputs: RedshiftClusterEndpoint: Description: Redshift Cluster endpoint Value: Fn::GetAtt: - RedshiftStack - Outputs.RedshiftClusterEndpoint PSQLCommandLine: Description: Name of the Redshift Database Value: Fn::GetAtt: - RedshiftStack - Outputs.PSQLCommandLine