--- AWSTemplateFormatVersion: "2010-09-09" Description: (qs-1s6abjf8q) Metadata: QuickStartDocumentation: EntrypointName: "Parameters for deploying AMMOS SmallSat Toolkit" 'AWS::CloudFormation::Interface': ParameterGroups: - Label: default: AIT configuration Parameters: - ProjectName - FQDN - SSLCertificateArn - HostedZoneID - AITInstanceType - KeyPairName - CloudWatchLogsRetentionPeriod - Label: default: IAM configuration Parameters: - RolePath - PermissionsBoundaryArn - DeployIam - Label: default: Network configuration Parameters: - AvailabilityZones - VPCCIDR - PrivateSubnet1CIDR - PrivateSubnet2CIDR - PrivateSubnet3CIDR - PublicSubnet1CIDR - PublicSubnet2CIDR - PublicSubnet3CIDR - RemoteAccessCIDR - VpcId - PublicSubnet1ID - PublicSubnet2ID - PrivateSubnet1AID - PrivateSubnet2AID - PrivateSubnet3AID - AccessSgID - Label: default: AWS Quick Start configuration Parameters: - QSS3BucketName - QSS3KeyPrefix - QSS3BucketRegion ParameterLabels: AITInstanceType: default: AIT instance type AvailabilityZones: default: Availability Zones CloudWatchLogsRetentionPeriod: default: CloudWatch Logs retention period FQDN: default: Fully qualified domain name HostedZoneID: default: Hosted-zone ID KeyPairName: default: Key-pair name PermissionsBoundaryArn: default: Permissions boundary ARN ProjectName: default: Project name RemoteAccessCIDR: default: Remote access CIDR RolePath: default: Role path DeployIam: default: Deploy IAM Roles on my behalf SSLCertificateArn: default: SSL certificate ARN VPCCIDR: default: VPC CIDR PrivateSubnet1CIDR: default: Private subnet 1 CIDR PrivateSubnet2CIDR: default: Private subnet 2 CIDR PrivateSubnet3CIDR: default: Private subnet 3 CIDR PublicSubnet1CIDR: default: Public subnet 1 CIDR PublicSubnet2CIDR: default: Public subnet 2 CIDR PublicSubnet3CIDR: default: Public subnet 3 CIDR QSS3BucketName: default: Quick Start S3 bucket name QSS3KeyPrefix: default: Quick Start S3 key prefix QSS3BucketRegion: default: Quick Start S3 bucket Region VpcId: default: ID for VPC in an existing VPC PublicSubnet1ID: default: ID for public subnet 1 in an existing VPC PublicSubnet2ID: default: ID for public subnet 2 in an existing VPC PrivateSubnet1AID: default: ID for private subnet 1 in an existing VPC PrivateSubnet2AID: default: ID for private subnet 2 in an existing VPC PrivateSubnet3AID: default: ID for private subnet 3 in an existing VPC AccessSgID: default: ID of preconfigured security group in an existing VPC Parameters: AITInstanceType: Description: Instance type to be used for AIT. See deployment guide for recommendations. Type: String Default: m5.large CloudWatchLogsRetentionPeriod: Description: Number of days to retain log events in CloudWatch Logs log groups. Increasing this number results in higher log-storage costs. Type: Number Default: 30 KeyPairName: Description: Name of the key pair that you will use to connect securely to your instance after it launches. Type: AWS::EC2::KeyPair::KeyName ConstraintDescription: Must be the name of an existing key pair. VPCCIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.0.0/16 Description: CIDR block for the VPC. Type: String PublicSubnet1CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.32.0/24 Description: CIDR block used for the public subnet located in Availability Zone 1. Type: String PublicSubnet2CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.64.0/24 Description: CIDR block used for the public subnet located in Availability Zone 2. Type: String PublicSubnet3CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.70.0/24 Description: CIDR block used for the public subnet located in Availability Zone 3. Type: String PrivateSubnet1CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.128.0/24 Description: CIDR block used for the private subnet located in Availability Zone 1. Type: String PrivateSubnet2CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.192.0/24 Description: CIDR block used for the private subnet located in Availability Zone 2. Type: String PrivateSubnet3CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.200.0/24 Description: CIDR block used for the private subnet located in Availability Zone 3. Type: String AvailabilityZones: Description: Availability Zones to use for the subnets in the VPC. This deployment uses three Availability Zones, and the logical order of your selections is preserved. Type: List QSS3BucketName: AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$ ConstraintDescription: Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Default: aws-quickstart Description: Name of the S3 bucket for your copy of the Quick Start assets. Keep the default name unless you are customizing the template. Changing the name updates code references to point to a new Quick Start location. This name can include numbers, lowercase letters, uppercase letters, and hyphens, but do not start or end with a hyphen (-). See https://aws-quickstart.github.io/option1.html. Type: String QSS3BucketRegion: Default: 'us-east-1' Description: 'AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. Keep the default Region unless you are customizing the template. Changing this Region updates code references to point to a new Quick Start location. When using your own bucket, specify the Region. See https://aws-quickstart.github.io/option1.html.' Type: String QSS3KeyPrefix: AllowedPattern: ^[0-9a-zA-Z-/]*$ ConstraintDescription: The Quick Start S3 key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slashes (/). The prefix should end with a forward slash (/). Default: quickstart-ammos-smallsat-toolkit/ Description: S3 key prefix that is used to simulate a directory for your copy of the Quick Start assets. Keep the default prefix unless you are customizing the template. Changing this prefix updates code references to point to a new Quick Start location. This prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slashes (/). End with a forward slash. See https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMetadata.html and https://aws-quickstart.github.io/option1.html. Type: String RemoteAccessCIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/x Description: CIDR IP range that is permitted to access the instances. Set this value to a trusted IP range. Type: String SSLCertificateArn: Description: (Optional) Amazon Resource Name of the SSL certificate to use for the load balancer. Use SSLCertificateArn if you are not using FQDN and HostedZoneID. Type: String Default: '' HostedZoneID: Description: (Optional) ID of the Route 53 hosted-zone domain. If you fill in both FQDN and HostedZoneID, this deployment generates an ACM certificate. Type: String MaxLength: 32 Default: '' FQDN: Description: URL to use for the project-resources root. Type: String PermissionsBoundaryArn: Description: (Optional) Amazon Resource Name of a managed policy in your account to be used as the permissions boundary. This ARN will be attached to all IAM roles created to satisfy your organization's security requirements. If you keep this blank, this attribute is not set. For more information, see https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html. Type: String Default: '' RolePath: Description: (Optional) Path that will be attached to all IAM roles created to satisfy your organization's security requirements. If you keep this blank, this attribute is not set. For more information, see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-friendly-names. Type: String Default: '' ProjectName: Description: Name of your project. Please use lowercase alphanumeric characters and hypens (-) only. Type: String AllowedPattern: ^[0-9a-z-]*$ ConstraintDescription: The ProjectName can include numbers, lowercase letters, and hyphens (-). VpcId: Description: (Optional) If you're deploying into an existing VPC, fill in the VPC ID. Type: String Default: '' PublicSubnet1ID: Description: (Optional) If you're deploying into an existing VPC, fill in the ID of the public subnet in Availability Zone 1. Type: String Default: '' PublicSubnet2ID: Description: (Optional) If you're deploying into an existing VPC, fill in the ID of the public subnet in Availability Zone 2. Type: String Default: '' PrivateSubnet1AID: Description: (Optional) If you're deploying into an existing VPC, fill in the ID of the private subnet in Availability Zone 1. Type: String Default: '' PrivateSubnet2AID: Description: (Optional) If you're deploying into an existing VPC, fill in the ID of the private subnet in Availability Zone 2. Type: String Default: '' PrivateSubnet3AID: Description: (Optional) If you're deploying into an existing VPC, fill in the ID of the private subnet in Availability Zone 3. Type: String Default: '' AccessSgID: Description: (Optional) If you're deploying into an existing VPC, fill in the ID of the preconfigured security group to control access to the Application Load Balancer. Type: String Default: '' DeployIam: Description: Allow the QuickStart to deploy the required IAM Roles on your behalf. Otherwise, you will need to pre-deploy these IAM resources before launching the QuickStart; see the Deployment Guide for more details Type: String Default: 'true' AllowedValues: - 'true' - 'false' Rules: DomainNamePresentWithHostedID: Assertions: - Assert: !Or - !Equals [!Ref HostedZoneID, ''] - !Not [!Equals [!Ref FQDN, '']] AssertDescription: "Please specify a 'Domain Name' if you specify 'Route 53 Hosted Zone ID'" GenerateOrProvideSSL: Assertions: - Assert: !Or - !Not [!Equals [!Ref SSLCertificateArn, '']] - !And - !Not [!Equals [!Ref HostedZoneID, '']] - !Not [!Equals [!Ref FQDN, '']] AssertDescription: "Using an SSL certificate is enforced. A CertificateArn or a HostedZoneID and FQDN must be provided." Conditions: DeployIam: !Equals [!Ref DeployIam, 'true'] InspectIam: !Not [Condition: DeployIam] GenerateSSL: !And - !Equals [!Ref SSLCertificateArn, ''] - !Not [!Equals [!Ref FQDN, '']] UsingDefaultBucket: !Equals [!Ref QSS3BucketName, 'aws-quickstart'] DeployVpc: !Equals [!Ref VpcId, ''] Resources: # AmmosConfigStack: # Type: AWS::CloudFormation::Stack # Properties: # TemplateURL: !Sub # - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/ammos-config.template.yaml' # - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] # S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] # Parameters: # QSS3BucketName: !Ref QSS3BucketName # QSS3KeyPrefix: !Ref QSS3KeyPrefix # QSS3BucketRegion: !Ref QSS3BucketRegion # ProjectName: !Ref ProjectName # RolePath: !Ref RolePath # PermissionsBoundaryArn: !Ref PermissionsBoundaryArn # --- RoleChecker: Type: AWS::Lambda::Function Condition: InspectIam Properties: Description: Check the account for required IAM Roles so that they may be omitted from the QuickStart deployment if already present FunctionName: !Sub ${ProjectName}-RoleChecker Handler: role_checker.lambda_handler MemorySize: 128 Role: Fn::ImportValue: !Sub ${ProjectName}-DeploymentHelperRoleArn Runtime: python3.8 Code: S3Bucket: !If - UsingDefaultBucket - !Sub '${QSS3BucketName}-${AWS::Region}' - !Ref QSS3BucketName S3Key: !Sub '${QSS3KeyPrefix}functions/packages/RoleChecker/lambda.zip' RoleArns: Type: AWS::CloudFormation::CustomResource Condition: InspectIam Properties: ServiceToken: !GetAtt RoleChecker.Arn RoleNames: - !Sub ${ProjectName}-AitServerRole - !Sub ${ProjectName}-EditorServerRole - !Sub ${ProjectName}-LoggingLambdaRole - !Sub ${ProjectName}-CognitoInspectRole - !Sub ${ProjectName}-BastionHostRole IamStack: Type: AWS::CloudFormation::Stack Condition: DeployIam Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/ast-iam-roles.template.yaml' - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: ProjectName: !Ref ProjectName PermissionsBoundaryArn: !Ref PermissionsBoundaryArn RolePath: !Ref RolePath QSS3BucketName: !Ref QSS3BucketName QSS3KeyPrefix: !Ref QSS3KeyPrefix VPCStack: Condition: DeployVpc Type: AWS::CloudFormation::Stack Properties: TemplateURL: Fn::Sub: - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-aws-vpc/templates/aws-vpc.template.yaml' - S3Region: !If - UsingDefaultBucket - !Ref AWS::Region - !Ref QSS3BucketRegion S3Bucket: !If - UsingDefaultBucket - !Sub '${QSS3BucketName}-${AWS::Region}' - !Ref QSS3BucketName Parameters: AvailabilityZones: !Join [',', !Ref 'AvailabilityZones'] NumberOfAZs: '3' VPCCIDR: !Ref VPCCIDR PrivateSubnet1ACIDR: !Ref PrivateSubnet1CIDR PrivateSubnet2ACIDR: !Ref PrivateSubnet2CIDR PrivateSubnet3ACIDR: !Ref PrivateSubnet3CIDR PublicSubnet1CIDR: !Ref PublicSubnet1CIDR PublicSubnet2CIDR: !Ref PublicSubnet2CIDR PublicSubnet3CIDR: !Ref PublicSubnet3CIDR BastionStack: # DependsOn: CFNEndpoint Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-linux-bastion/templates/linux-bastion.template' - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: BastionAMIOS: 'Amazon-Linux2-HVM' KeyPairName: !Ref 'KeyPairName' BastionHostName: !Sub "${ProjectName}/LinuxBastion" PublicSubnet1ID: !If [DeployVpc, !GetAtt VPCStack.Outputs.PublicSubnet1ID, !Ref PublicSubnet1ID] PublicSubnet2ID: !If [DeployVpc, !GetAtt VPCStack.Outputs.PublicSubnet2ID, !Ref PublicSubnet2ID] QSS3BucketName: !Ref QSS3BucketName QSS3KeyPrefix: !Sub "${QSS3KeyPrefix}submodules/quickstart-linux-bastion/" QSS3BucketRegion: !Ref QSS3BucketRegion RemoteAccessCIDR: !Ref RemoteAccessCIDR VPCID: !If [DeployVpc, !GetAtt VPCStack.Outputs.VPCID, !Ref VpcId] AlternativeIAMRole: !If [DeployIam, !GetAtt IamStack.Outputs.BastionHostRoleName, !GetAtt RoleArns.BastionHostRoleName] PermissionsBoundaryArn: !Ref PermissionsBoundaryArn RolePath: !Ref RolePath AmmosCognitoStack: # DependsOn: CFNEndpoint Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/ammos-cubs-cognito.template.yaml' - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: QSS3BucketName: !Ref QSS3BucketName QSS3KeyPrefix: !Ref QSS3KeyPrefix ProjectName: !Ref ProjectName IamRoleArn: !If [DeployIam, !GetAtt IamStack.Outputs.CognitoInspectRoleArn, !GetAtt RoleArns.CognitoInspectRoleArn] AmmosCubsALBStack: # DependsOn: CFNEndpoint Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/ammos-cubs-alb.template.yaml' - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: ProjectName: !Ref ProjectName VPCID: !If [DeployVpc, !GetAtt VPCStack.Outputs.VPCID, !Ref VpcId] PublicSubnetIds: Fn::Join: - ',' - - !If [DeployVpc, !GetAtt VPCStack.Outputs.PublicSubnet1ID, !Ref PublicSubnet1ID] - !If [DeployVpc, !GetAtt VPCStack.Outputs.PublicSubnet2ID, !Ref PublicSubnet2ID] FQDN: !Ref FQDN HostedZoneID: !Ref HostedZoneID SSLCertificateArn: !If [GenerateSSL, !GetAtt ConfigureSSLStack.Outputs.ACMCertificate, !Ref SSLCertificateArn] CognitoInspectFunctionArn: !GetAtt AmmosCognitoStack.Outputs.CognitoInspectFunctionArn CognitoUserPoolID: !GetAtt AmmosCognitoStack.Outputs.CognitoUserPoolId AccessSgID: !If [DeployVpc, '', !Ref AccessSgID] AmmosCubsLoggingStack: # DependsOn: CFNEndpoint Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/ammos-cubs-logging.template.yaml' - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: ProjectName: !Ref ProjectName CloudWatchLogsRetentionPeriod: !Ref CloudWatchLogsRetentionPeriod IamRoleArn: !If [DeployIam, !GetAtt IamStack.Outputs.LoggingLambdaRoleArn, !GetAtt RoleArns.LoggingLambdaRoleArn] VPCID: !If [DeployVpc, !GetAtt VPCStack.Outputs.VPCID, !Ref VpcId] PrivateSubnet1ID: !If [DeployVpc, !GetAtt VPCStack.Outputs.PrivateSubnet1AID, !Ref PrivateSubnet1AID] PrivateSubnet2ID: !If [DeployVpc, !GetAtt VPCStack.Outputs.PrivateSubnet2AID, !Ref PrivateSubnet2AID] PrivateSubnet3ID: !If [DeployVpc, !GetAtt VPCStack.Outputs.PrivateSubnet3AID, !Ref PrivateSubnet3AID] QSS3BucketName: !Ref QSS3BucketName QSS3KeyPrefix: !Ref QSS3KeyPrefix AmmosCubsEditorStack: # DependsOn: CFNEndpoint Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/ammos-cubs-editor.template.yaml' - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: ProjectName: !Ref ProjectName ConfigBucketName: Fn::ImportValue: !Sub "${ProjectName}-ConfigBucketName" ALBHttpsListenerArn: !GetAtt AmmosCubsALBStack.Outputs.HttpsListenerArn ALBSecurityGroupID: !GetAtt AmmosCubsALBStack.Outputs.AlbSecurityGroupId CognitoClientID: !GetAtt AmmosCubsALBStack.Outputs.CognitoClientId CognitoClientSecret: !GetAtt AmmosCubsALBStack.Outputs.CognitoClientSecret CognitoDomainName: !GetAtt AmmosCognitoStack.Outputs.CognitoDomainName CognitoProviderUrl: !GetAtt AmmosCognitoStack.Outputs.CognitoUserPoolProviderUrl FQDN: !Ref FQDN KeyPairName: !Ref KeyPairName PrivateSubnetIds: Fn::Join: - ',' - - !If [DeployVpc, !GetAtt VPCStack.Outputs.PrivateSubnet1AID, !Ref PrivateSubnet1AID] - !If [DeployVpc, !GetAtt VPCStack.Outputs.PrivateSubnet2AID, !Ref PrivateSubnet2AID] IamRoleName: !If [DeployIam, !GetAtt IamStack.Outputs.EditorServerRoleName, !GetAtt RoleArns.EditorServerRoleName] VPCID: !If [DeployVpc, !GetAtt VPCStack.Outputs.VPCID, !Ref VpcId] AmmosCubsAITStack: Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/ammos-cubs-ait.template.yaml' - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: ProjectName: !Ref ProjectName ConfigBucketName: Fn::ImportValue: !Sub "${ProjectName}-ConfigBucketName" FQDN: !Ref FQDN PrivateSubnetIds: Fn::Join: - ',' - - !If [DeployVpc, !GetAtt VPCStack.Outputs.PrivateSubnet1AID, !Ref PrivateSubnet1AID] - !If [DeployVpc, !GetAtt VPCStack.Outputs.PrivateSubnet2AID, !Ref PrivateSubnet2AID] VPCID: !If [DeployVpc, !GetAtt VPCStack.Outputs.VPCID, !Ref VpcId] InstanceType: !Ref AITInstanceType KeyPairName: !Ref KeyPairName IamRoleName: !If [DeployIam, !GetAtt IamStack.Outputs.AitServerRoleName, !GetAtt RoleArns.AitServerRoleName] CognitoDomainName: !GetAtt AmmosCognitoStack.Outputs.CognitoDomainName ALBSecurityGroupID: !GetAtt AmmosCubsALBStack.Outputs.AlbSecurityGroupId CognitoClientID: !GetAtt AmmosCubsALBStack.Outputs.CognitoClientId CognitoClientSecret: !GetAtt AmmosCubsALBStack.Outputs.CognitoClientSecret CognitoProviderUrl: !GetAtt AmmosCognitoStack.Outputs.CognitoUserPoolProviderUrl ALBHttpsListenerArn: !GetAtt AmmosCubsALBStack.Outputs.HttpsListenerArn ListenerCertificateArn: !If - GenerateSSL - !GetAtt ConfigureSSLStack.Outputs.ACMCertificate - !Ref SSLCertificateArn ALBArn: !GetAtt AmmosCubsALBStack.Outputs.AlbArn ConfigureSSLStack: # DependsOn: CFNEndpoint Condition: GenerateSSL Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - "https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-aws-acm-certificate/templates/quickstart-aws-acm-certificate.template.yml" - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: QSS3BucketName: !Ref QSS3BucketName QSS3BucketRegion: !Ref QSS3BucketRegion QSS3KeyPrefix: !Sub "${QSS3KeyPrefix}submodules/quickstart-aws-acm-certificate/" DomainName: !Ref FQDN HostedZoneID: !Ref HostedZoneID CFNEndpointSG: Type: AWS::EC2::SecurityGroup Condition: DeployVpc Properties: GroupDescription: Manage access to VPC Endpoint for CFN resources SecurityGroupIngress: - IpProtocol: '-1' FromPort: -1 ToPort: -1 CidrIp: !If [DeployVpc, !GetAtt VPCStack.Outputs.VPCCIDR, !Ref VPCCIDR] VpcId: !If [DeployVpc, !GetAtt VPCStack.Outputs.VPCID, !Ref VpcId] CFNEndpoint: Type: AWS::EC2::VPCEndpoint Condition: DeployVpc Properties: VpcId: !If [DeployVpc, !GetAtt VPCStack.Outputs.VPCID, !Ref VpcId] ServiceName: !Sub "com.amazonaws.${AWS::Region}.cloudformation" VpcEndpointType: "Interface" PrivateDnsEnabled: true SubnetIds: - !If [DeployVpc, !GetAtt VPCStack.Outputs.PrivateSubnet1AID, !Ref PrivateSubnet1AID] - !If [DeployVpc, !GetAtt VPCStack.Outputs.PrivateSubnet2AID, !Ref PrivateSubnet2AID] - !If [DeployVpc, !GetAtt VPCStack.Outputs.PrivateSubnet3AID, !Ref PrivateSubnet3AID] SecurityGroupIds: - !Ref CFNEndpointSG