---
AWSTemplateFormatVersion: 2010-09-09
Description: Atlassian Crowd Data Center (qs-1r0baofad)
Metadata:
  QuickStartDocumentation:
    EntrypointName: "Launch into an existing VPC"
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Crowd setup
        Parameters:
          - CrowdVersion
      - Label:
          default: Cluster nodes
        Parameters:
          - CloudWatchIntegration
          - ClusterNodeInstanceType
          - ClusterNodeMax
          - ClusterNodeMin
          - ClusterNodeVolumeSize
          - DeploymentAutomationRepository
          - DeploymentAutomationBranch
          - DeploymentAutomationPlaybook
          - DeploymentAutomationCustomParams
          - DeploymentAutomationKeyName
      - Label:
          default: Database
        Parameters:
          - DBInstanceClass
          - DBEngineVersion
          - DBIops
          - DBMasterUserPassword
          - DBMultiAZ
          - DBPassword
          - DBStorage
          - DBStorageEncrypted
          - DBStorageType
      - Label:
          default: Bastion host utilization
        Parameters:
          - BastionHostRequired
          - KeyPairName
      - Label:
          default: Networking
        Parameters:
          - InternetFacingLoadBalancer
          - CidrBlock
          - SSLCertificateARN
      - Label:
          default: DNS
        Parameters:
          - CustomDnsName
          - HostedZone
      - Label:
          default: Application Tuning
        Parameters:
          - TomcatContextPath
          - CatalinaOpts
          - JvmHeapOverride
          - MailEnabled
          - TomcatAcceptCount
          - TomcatConnectionTimeout
          - TomcatDefaultConnectorPort
          - TomcatEnableLookups
          - TomcatMaxThreads
          - TomcatMinSpareThreads
          - TomcatProtocol
          - TomcatRedirectPort
      - Label:
          default: AWS Quick Start configuration
        Parameters:
          - QSS3BucketName
          - QSS3BucketRegion
          - QSS3KeyPrefix
          - ExportPrefix
    ParameterLabels:
      CatalinaOpts:
        default: Catalina options
      CidrBlock:
        default: Permitted IP range
      CloudWatchIntegration:
        default: Enable CloudWatch integration
      ClusterNodeMax:
        default: Maximum number of cluster nodes
      ClusterNodeMin:
        default: Minimum number of cluster nodes
      ClusterNodeInstanceType:
        default: Cluster node instance type
      ClusterNodeVolumeSize:
        default: Cluster node instance volume size
      CustomDnsName:
        default: Existing DNS name
      DBEngineVersion:
        default: Database engine version
      DBInstanceClass:
        default: Database instance class
      DBIops:
        default: RDS Provisioned IOPS
      DBMasterUserPassword:
        default: Master (admin) password *
      DBMultiAZ:
        default: Enable RDS Multi-AZ deployment
      DBPassword:
        default: Application user database password *
      DBStorage:
        default: Database storage
      DBStorageEncrypted:
        default: Database encryption
      DBStorageType:
        default: Database storage type
      DeploymentAutomationRepository:
        default: Deployment automation Git repository URL
      DeploymentAutomationBranch:
        default: Deployment automation branch
      DeploymentAutomationPlaybook:
        default: The Ansible playbook to invoke to initialize the instance
      DeploymentAutomationKeyName:
        default: SSH key name to use with the repository
      DeploymentAutomationCustomParams:
        default: Custom command-line parameters for Ansible
      ExportPrefix:
        default: ASI identifier
      HostedZone:
        default: Route 53 hosted zone
      InternetFacingLoadBalancer:
        default: Make instance internet facing
      CrowdVersion:
        default: Version *
      JvmHeapOverride:
        default: JVM heap size override
      BastionHostRequired:
        default: Use bastion host
      KeyPairName:
        default: SSH key pair name
      MailEnabled:
        default: Enable app to process email
      SSLCertificateARN:
        default: SSL certificate ARN
      TomcatAcceptCount:
        default: Tomcat accept count
      TomcatConnectionTimeout:
        default: Tomcat connection timeout
      TomcatContextPath:
        default: Tomcat context path
      TomcatDefaultConnectorPort:
        default: Tomcat default connector port
      TomcatEnableLookups:
        default: Tomcat enable DNS lookups
      TomcatMaxThreads:
        default: Tomcat maximum threads
      TomcatMinSpareThreads:
        default: Tomcat minimum spare threads
      TomcatProtocol:
        default: Tomcat protocol
      TomcatRedirectPort:
        default: Tomcat redirect port
      QSS3BucketName:
        default: Quick Start S3 bucket name
      QSS3BucketRegion:
        default: Quick Start S3 bucket Region
      QSS3KeyPrefix:
        default: Quick Start S3 key prefix

Parameters:
  CatalinaOpts:
    Default: ''
    Description: Pass in any additional JVM options to tune Catalina.
    Type: String
  CidrBlock:
    AllowedPattern: '(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})'
    ConstraintDescription: Must be a valid IP CIDR range of the form x.x.x.x/x.
    Description: CIDR block allowed to access the Atlassian product. Set this to a trusted IP range. To allow public access, use '0.0.0.0/0'.
    Type: String
    MinLength: 9
    MaxLength: 18
  CloudWatchIntegration:
    Default: "Metrics and Logs"
    Type: String
    Description: "Enables CloudWatch metrics with or without log gathering. If cost is an issue, you can disable this setting."
    AllowedValues: ["Off", "Metrics Only", "Metrics and Logs"]
    ConstraintDescription: "Must be 'Off', 'Metrics Only', or 'Metrics and Logs'"
  ClusterNodeInstanceType:
    Default: c5.xlarge
    AllowedValues:
      - c4.large
      - c4.xlarge
      - c4.2xlarge
      - c4.4xlarge
      - c4.8xlarge
      - c5.large
      - c5.xlarge
      - c5.2xlarge
      - c5.4xlarge
      - c5.9xlarge
      - c5.18xlarge
      - c5d.large
      - c5d.xlarge
      - c5d.2xlarge
      - c5d.4xlarge
      - c5d.9xlarge
      - c5d.18xlarge
      - d2.xlarge
      - d2.2xlarge
      - d2.4xlarge
      - d2.8xlarge
      - h1.2xlarge
      - h1.4xlarge
      - h1.8xlarge
      - h1.16xlarge
      - i3.large
      - i3.xlarge
      - i3.2xlarge
      - i3.4xlarge
      - i3.8xlarge
      - i3.16xlarge
      - i3.metal
      - m4.large
      - m4.xlarge
      - m4.2xlarge
      - m4.4xlarge
      - m4.10xlarge
      - m4.16xlarge
      - m5.large
      - m5.xlarge
      - m5.2xlarge
      - m5.4xlarge
      - m5.12xlarge
      - m5.24xlarge
      - m5d.large
      - m5d.xlarge
      - m5d.2xlarge
      - m5d.4xlarge
      - m5d.12xlarge
      - m5d.24xlarge
      - r4.large
      - r4.xlarge
      - r4.2xlarge
      - r4.4xlarge
      - r4.8xlarge
      - r4.16xlarge
      - r5.large
      - r5.xlarge
      - r5.2xlarge
      - r5.4xlarge
      - r5.12xlarge
      - r5.24xlarge
      - r5d.large
      - r5d.xlarge
      - r5d.2xlarge
      - r5d.4xlarge
      - r5d.12xlarge
      - r5d.24xlarge
      - t2.medium
      - t2.large
      - t2.xlarge
      - t2.2xlarge
      - t3.medium
      - t3.large
      - t3.xlarge
      - t3.2xlarge
      - x1.16xlarge
      - x1.32xlarge
      - x1e.xlarge
      - x1e.2xlarge
      - x1e.4xlarge
      - x1e.8xlarge
      - x1e.16xlarge
      - x1e.32xlarge
      - z1d.large
      - z1d.xlarge
      - z1d.2xlarge
      - z1d.3xlarge
      - z1d.6xlarge
      - z1d.12xlarge
    ConstraintDescription: Must be an Amazon EC2 instance type from the selection list.
    Description: Instance type for the cluster application nodes.
    Type: String
  ClusterNodeMax:
    Description: Maximum number of nodes in the cluster.
    Default: 1
    Type: Number
  ClusterNodeMin:
    Default: 1
    Description: Set to 1 for a new deployment. Can be updated post launch.
    Type: Number
  ClusterNodeVolumeSize:
    Default: 50
    Description: Size of the cluster node root volume in GB. Allow roughly four times the size of the application indexes.
    Type: Number
  CustomDnsName:
    Default: ""
    Description: 'Use a custom existing DNS name for your Crowd Data Center instance. This takes precedence over the hosted zone. You must own the domain and configure it to point to the load balancer.'
    Type: String
  DBEngineVersion:
    Default: 10
    AllowedValues:
      - 9
      - 10
      - 11
      - 12
    Description: "The database engine version to use. A suitable minor version is installed for your chosen engine. Make sure that the installed Crowd version supports the database engine selected. (Warning: Amazon RDS for PostgreSQL 9.6 will reach end of life on January 31st, 2022. Deployments after this date should not be made using this version. If you wish to upgrade to a major version from 9 see: https://confluence.atlassian.com/x/1IRlQQ)"
    Type: String
  DBInstanceClass:
    Default: db.m5.large
    AllowedValues:
      - db.m5.large
      - db.m5.xlarge
      - db.m5.2xlarge
      - db.m5.4xlarge
      - db.m5.12xlarge
      - db.m5.24xlarge
      - db.r5.large
      - db.r5.xlarge
      - db.r5.2xlarge
      - db.r5.4xlarge
      - db.r5.12xlarge
      - db.r5.24xlarge
      - db.r4.large
      - db.r4.xlarge
      - db.r4.2xlarge
      - db.r4.4xlarge
      - db.r4.8xlarge
      - db.r4.16xlarge
      - db.m4.large
      - db.m4.xlarge
      - db.m4.2xlarge
      - db.m4.4xlarge
      - db.m4.10xlarge
      - db.m4.16xlarge
      - db.t3.medium
      - db.t3.large
      - db.t3.xlarge
      - db.t3.2xlarge
      - db.t2.medium
      - db.t2.large
      - db.t2.xlarge
      - db.t2.2xlarge
    ConstraintDescription: Must be a valid Amazon RDS instance class from the selection list.
    Description: Amazon RDS instance type.
    Type: String
  DBIops:
    Default: 1000
    ConstraintDescription: 'Must be in the range 1000 - 30000.'
    Description: 'Must be in the range of 1000 - 30000 and a multiple of 1000. This value is used only with Provisioned IOPS. The ratio of IOPS per allocated storage must be between 3.00 and 10.00.'
    MaxValue: 30000
    MinValue: 1000
    Type: Number
  DBMasterUserPassword:
    AllowedPattern: >-
      ^(?=^.{8,255}$)(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9])(?!.*[@/"']).*$
    ConstraintDescription: >-
      Must be at least eight characters and include one uppercase, one lowercase, one number, and one of the following symbols: ! # $ { * : [ = , ] - _ + % &
    Description: "Password for the master ('postgres') account. Must be at least eight characters and include one uppercase, one lowercase, one number, and one of the following symbols: ! # $ { * : [ = , ] - _ + % &"
    NoEcho: True
    MaxLength: 128
    MinLength: 8
    Type: String
  DBMultiAZ:
    Description: Whether to provision a Multi-AZ Amazon RDS instance.
    Default: "true"
    AllowedValues:
      - "true"
      - "false"
    ConstraintDescription: Must be 'true' or 'false'.
    Type: String
  DBPassword:
    AllowedPattern: >-
      ^(?=^.{8,255}$)(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?!.*[\[\]\{\}]).*$
    ConstraintDescription: >-
      Must be at least eight characters and include at least one uppercase letter, one lowercase letter and one number. Any symbol may be used except: [ ] { }
    Description: "Must be at least eight characters and include at least one uppercase letter, one lowercase letter and one number. Any symbol may be used except: [ ] { }."
    MinLength: 8
    MaxLength: 128
    NoEcho: true
    Type: String
  DBStorage:
    Default: 200
    Description: Database allocated storage size, in gigabytes (GB). If you choose Provisioned IOPS, storage should be between 100 and 6144 GB.
    Type: Number
  DBStorageEncrypted:
    Default: "false"
    AllowedValues:
      - "true"
      - "false"
    Description: Whether or not to encrypt the database storage at rest.
    Type: String
  DBStorageType:
    Default: General Purpose (SSD)
    AllowedValues:
      - General Purpose (SSD)
      - Provisioned IOPS
    ConstraintDescription: Must be 'General Purpose (SSD)' or 'Provisioned IOPS'.
    Description: Database storage type.
    Type: String
  DeploymentAutomationRepository:
    Default: "https://bitbucket.org/atlassian/dc-deployments-automation.git"
    Type: String
    Description: The deployment automation repository to use for per-node initialization. Leave the default value unless you have customizations.
  DeploymentAutomationBranch:
    Default: "master"
    Type: String
    Description: The deployment automation repository branch to pull from.
  DeploymentAutomationPlaybook:
    Default: "aws_crowd_dc_node.yml"
    Type: String
    Description: The Ansible playbook to invoke to initialize the Crowd node on first start.
  DeploymentAutomationCustomParams:
    Default: ""
    Type: String
    Description: (Optional) Additional command-line options for the `ansible-playbook` command. See https://bitbucket.org/atlassian/dc-deployments-automation/src/master/README.md for more information about overriding parameters.
  DeploymentAutomationKeyName:
    Default: ""
    Type: String
    Description: (Optional) Name of the AWS Systems Manager Parameter Store parameter that holds the SSH private key for this repository. Store it as a SecureString; the node reads it with decryption at first boot.
  ExportPrefix:
    Default: 'ATL-'
    Description: Each Atlassian Standard Infrastructure (ASI) uses a unique identifier. If you have multiple ASIs within the same AWS Region, use this field to specify where to deploy Crowd.
    Type: String
  HostedZone:
    Default: ''
    ConstraintDescription: Must be the name of an existing Amazon Route 53 hosted zone.
    Description: The domain name of the Amazon Route 53 private hosted zone in which to create CNAMEs.
    Type: String
  InternetFacingLoadBalancer:
    Default: "true"
    AllowedValues: ["true", "false"]
    ConstraintDescription: Must be 'true' or 'false'.
    Description: Controls whether the load balancer should be visible to the internet (true) or only within the VPC (false).
    Type: String
  CrowdVersion:
    Default: 4.0.0
    AllowedPattern: '(\d+\.\d+\.\d+(-?.*))|(latest)'
    ConstraintDescription: Must be a valid version number or 'latest' (for example, 4.0.0 for Crowd Software).
    Description: The version of Crowd Software to install. Find valid versions on the Crowd Release Notes page (https://confluence.atlassian.com/x/tgkD).
    Type: String
  JvmHeapOverride:
    Default: ''
    Description: Override the default amount of memory to allocate to the JVM for your instance type. Set size in MB or GB (e.g. 1024 MB or 1 GB).
    Type: String
  BastionHostRequired:
    Default: "true"
    AllowedValues:
      - "true"
      - "false"
    Description: Whether to grant access to Crowd's Amazon EC2 instances through the ASI's bastion host (if it exists). If 'true', remember to provide an EC2 key pair. If your ASI does not have a bastion host, set the value to 'false'.
    Type: String
  KeyPairName:
    ConstraintDescription: Must be the name of an existing EC2 Key Pair. Note the supplied value must not include the file extension.
    Description: Name of an existing EC2 key pair (without file extension) used to access the bastion host over SSH.
    Type: String
    Default: ''
  MailEnabled:
    AllowedValues:
      - "true"
      - "false"
    ConstraintDescription: Must be 'true' or 'false'.
    Default: "true"
    Description: Enable mail processing and sending.
    Type: String
  SSLCertificateARN:
    Default: ''
    Description: "Amazon Resource Name (ARN) of your SSL certificate. Providing this value automatically enables HTTPS on the product and load balancer, configured to use the corresponding certificate. If you want to use a certificate that you generated outside of Amazon, first import it to AWS Certificate Manager (ACM). After a successful import, you'll receive the ARN. If you want to create a certificate with ACM, you will receive the ARN after it's successfully created."
    MinLength: 0
    MaxLength: 90
    Type: String
  TomcatAcceptCount:
    Default: 10
    Description: The maximum queue length for incoming connection requests when all possible request processing threads are in use.
    Type: Number
  TomcatConnectionTimeout:
    Default: 20000
    Description: The number of milliseconds this connector will wait, after accepting a connection, for the request URI line to be presented.
    Type: Number
  TomcatContextPath:
    Default: ''
    AllowedPattern: '^(\/[A-Za-z_\-0-9\.]+)?$'
    Description: The context path of this web application, which is matched against the beginning of each request URI to select the appropriate web application for processing. If used, must include the leading '/'.
    Type: String
  TomcatDefaultConnectorPort:
    Default: 8080
    Description: The port on which to serve the application.
    Type: Number
  TomcatEnableLookups:
    Default: "false"
    AllowedValues:
      - "true"
      - "false"
    Description: Set to true if you want calls to request.getRemoteHost() to perform DNS lookups to return the actual host name of the remote client.
    Type: String
  TomcatMaxThreads:
    Default: 200
    Description: The maximum number of request processing threads to be created by this connector, which determines the maximum number of simultaneous requests that can be handled.
    Type: Number
  TomcatMinSpareThreads:
    Default: 10
    Description: The minimum number of threads always running.
    Type: Number
  TomcatProtocol:
    Default: 'HTTP/1.1'
    Description: Sets the protocol to handle incoming traffic.
    Type: String
  TomcatRedirectPort:
    Default: 8443
    Description: The port to which Catalina redirects a request that arrives on a non-SSL connector but requires an SSL URI.
    Type: Number
  QSS3BucketName:
    Default: 'aws-quickstart'
    AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$
    ConstraintDescription: Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).
    Description: S3 bucket name for the Quick Start assets. Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).
    Type: String
  QSS3BucketRegion:
    Default: 'us-east-1'
    AllowedValues:
      - us-east-1
      - us-east-2
      - us-west-1
      - us-west-2
      - ca-central-1
      - eu-west-1
      - eu-central-1
      - eu-west-2
      - eu-west-3
      - eu-north-1
      - ap-northeast-1
      - ap-northeast-2
      - ap-southeast-1
      - ap-southeast-2
      - ap-south-1
      - sa-east-1
      - us-gov-west-1
      - us-gov-east-1
    Description: The AWS Region where the Quick Start S3 bucket is hosted. By default, this is set to us-east-1. Do not update the value unless using a custom Quick Start S3 bucket.
    Type: String
  QSS3KeyPrefix:
    Default: 'quickstart-atlassian-crowd/'
    AllowedPattern: ^[0-9a-zA-Z-/]*$
    ConstraintDescription: Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/).
    Description: S3 key prefix for the Quick Start assets. Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/).
    Type: String

Conditions:
  DisableMail: !Not [!Equals [!Ref MailEnabled, true]]
  EnableCloudWatch: !Not [!Equals [!Ref CloudWatchIntegration, 'Off']]
  EnableCloudWatchLogs: !Equals [!Ref CloudWatchIntegration, 'Metrics and Logs']
  DoSSL: !Not [!Equals [!Ref SSLCertificateARN, '']]
  KeyProvided: !Not [!Equals [!Ref KeyPairName, '']]
  OverrideHeap: !Not [!Equals [!Ref JvmHeapOverride, '']]
  UseContextPath: !Not [!Equals [!Ref TomcatContextPath, '']]
  UseCustomDnsName: !Not [!Equals [!Ref CustomDnsName, '']]
  UseDatabaseEncryption: !Equals [!Ref DBStorageEncrypted, true]
  UseHostedZone: !Not [!Equals [!Ref HostedZone, '']]
  UsePublicIp: !Equals [!Ref InternetFacingLoadBalancer, 'true']
  UsingDefaultBucket: !Equals [!Ref QSS3BucketName, 'aws-quickstart']
  UseBastionHost: !And
    - !Equals [!Ref BastionHostRequired, true]
    - !Condition KeyProvided

Mappings:
  AWSInstanceType2Arch:
    c4.large: {Arch: HVM64, Jvmheap: 2304m}
    c4.xlarge: {Arch: HVM64, Jvmheap: 4608m}
    c4.2xlarge: {Arch: HVM64, Jvmheap: 12288m}
    c4.4xlarge: {Arch: HVM64, Jvmheap: 12288m}
    c4.8xlarge: {Arch: HVM64, Jvmheap: 12288m}
    c5.large: {Arch: HVM64, Jvmheap: 2048m}
    c5.xlarge: {Arch: HVM64, Jvmheap: 5120m}
    c5.2xlarge: {Arch: HVM64, Jvmheap: 12288m}
    c5.4xlarge: {Arch: HVM64, Jvmheap: 12288m}
    c5.9xlarge: {Arch: HVM64, Jvmheap: 12288m}
    c5.18xlarge: {Arch: HVM64, Jvmheap: 12288m}
    c5d.large: {Arch: HVM64, Jvmheap: 2048m}
    c5d.xlarge: {Arch: HVM64, Jvmheap: 5120m}
    c5d.2xlarge: {Arch: HVM64, Jvmheap: 12288m}
    c5d.4xlarge: {Arch: HVM64, Jvmheap: 12288m}
    c5d.9xlarge: {Arch: HVM64, Jvmheap: 12288m}
    c5d.18xlarge: {Arch: HVM64, Jvmheap: 12288m}
    d2.xlarge: {Arch: HVM64, Jvmheap: 12288m}
    d2.2xlarge: {Arch: HVM64, Jvmheap: 12288m}
    d2.4xlarge: {Arch: HVM64, Jvmheap: 12288m}
    d2.8xlarge: {Arch: HVM64, Jvmheap: 12288m}
    h1.2xlarge: {Arch: HVM64, Jvmheap: 12288m}
    h1.4xlarge: {Arch: HVM64, Jvmheap: 12288m}
    h1.8xlarge: {Arch: HVM64, Jvmheap: 12288m}
    h1.16xlarge: {Arch: HVM64, Jvmheap: 12288m}
    i3.large: {Arch: HVM64, Jvmheap: 12288m}
    i3.xlarge: {Arch: HVM64, Jvmheap: 12288m}
    i3.2xlarge: {Arch: HVM64, Jvmheap: 12288m}
    i3.4xlarge: {Arch: HVM64, Jvmheap: 12288m}
    i3.8xlarge: {Arch: HVM64, Jvmheap: 12288m}
    i3.16xlarge: {Arch: HVM64, Jvmheap: 12288m}
    i3.metal: {Arch: HVM64, Jvmheap: 12288m}
    m4.large: {Arch: HVM64, Jvmheap: 5120m}
    m4.xlarge: {Arch: HVM64, Jvmheap: 12288m}
    m4.2xlarge: {Arch: HVM64, Jvmheap: 12288m}
    m4.4xlarge: {Arch: HVM64, Jvmheap: 12288m}
    m4.10xlarge: {Arch: HVM64, Jvmheap: 12288m}
    m4.16xlarge: {Arch: HVM64, Jvmheap: 12288m}
    m5.large: {Arch: HVM64, Jvmheap: 5120m}
    m5.xlarge: {Arch: HVM64, Jvmheap: 12288m}
    m5.2xlarge: {Arch: HVM64, Jvmheap: 12288m}
    m5.4xlarge: {Arch: HVM64, Jvmheap: 12288m}
    m5.12xlarge: {Arch: HVM64, Jvmheap: 12288m}
    m5.24xlarge: {Arch: HVM64, Jvmheap: 12288m}
    m5d.large: {Arch: HVM64, Jvmheap: 5120m}
    m5d.xlarge: {Arch: HVM64, Jvmheap: 12288m}
    m5d.2xlarge: {Arch: HVM64, Jvmheap: 12288m}
    m5d.4xlarge: {Arch: HVM64, Jvmheap: 12288m}
    m5d.12xlarge: {Arch: HVM64, Jvmheap: 12288m}
    m5d.24xlarge: {Arch: HVM64, Jvmheap: 12288m}
    r4.large: {Arch: HVM64, Jvmheap: 12288m}
    r4.xlarge: {Arch: HVM64, Jvmheap: 12288m}
    r4.2xlarge: {Arch: HVM64, Jvmheap: 12288m}
    r4.4xlarge: {Arch: HVM64, Jvmheap: 12288m}
    r4.8xlarge: {Arch: HVM64, Jvmheap: 12288m}
    r4.16xlarge: {Arch: HVM64, Jvmheap: 12288m}
    r5.large: {Arch: HVM64, Jvmheap: 12288m}
    r5.xlarge: {Arch: HVM64, Jvmheap: 12288m}
    r5.2xlarge: {Arch: HVM64, Jvmheap: 12288m}
    r5.4xlarge: {Arch: HVM64, Jvmheap: 12288m}
    r5.12xlarge: {Arch: HVM64, Jvmheap: 12288m}
    r5.24xlarge: {Arch: HVM64, Jvmheap: 12288m}
    r5d.large: {Arch: HVM64, Jvmheap: 12288m}
    r5d.xlarge: {Arch: HVM64, Jvmheap: 12288m}
    r5d.2xlarge: {Arch: HVM64, Jvmheap: 12288m}
    r5d.4xlarge: {Arch: HVM64, Jvmheap: 12288m}
    r5d.12xlarge: {Arch: HVM64, Jvmheap: 12288m}
    r5d.24xlarge: {Arch: HVM64, Jvmheap: 12288m}
    t2.medium: {Arch: HVM64, Jvmheap: 2048m}
    t2.large: {Arch: HVM64, Jvmheap: 5120m}
    t2.xlarge: {Arch: HVM64, Jvmheap: 12288m}
    t2.2xlarge: {Arch: HVM64, Jvmheap: 12288m}
    t3.medium: {Arch: HVM64, Jvmheap: 2048m}
    t3.large: {Arch: HVM64, Jvmheap: 5120m}
    t3.xlarge: {Arch: HVM64, Jvmheap: 12288m}
    t3.2xlarge: {Arch: HVM64, Jvmheap: 12288m}
    x1.16xlarge: {Arch: HVM64, Jvmheap: 12288m}
    x1.32xlarge: {Arch: HVM64, Jvmheap: 12288m}
    x1e.xlarge: {Arch: HVM64, Jvmheap: 12288m}
    x1e.2xlarge: {Arch: HVM64, Jvmheap: 12288m}
    x1e.4xlarge: {Arch: HVM64, Jvmheap: 12288m}
    x1e.8xlarge: {Arch: HVM64, Jvmheap: 12288m}
    x1e.16xlarge: {Arch: HVM64, Jvmheap: 12288m}
    x1e.32xlarge: {Arch: HVM64, Jvmheap: 12288m}
    z1d.large: {Arch: HVM64, Jvmheap: 12288m}
    z1d.xlarge: {Arch: HVM64, Jvmheap: 12288m}
    z1d.2xlarge: {Arch: HVM64, Jvmheap: 12288m}
    z1d.3xlarge: {Arch: HVM64, Jvmheap: 12288m}
    z1d.6xlarge: {Arch: HVM64, Jvmheap: 12288m}
    z1d.12xlarge: {Arch: HVM64, Jvmheap: 12288m}
  AWSRegionArch2AMI:
    ap-northeast-1: {HVM64: ami-08d56ac42e2d4a08b}
    ap-northeast-2: {HVM64: ami-0eb7a369386789460}
    ap-south-1: {HVM64: ami-0dafa01c8100180f8}
    ap-southeast-1: {HVM64: ami-04fc979a55e14b094}
    ap-southeast-2: {HVM64: ami-042c4533fa25c105a}
    ca-central-1: {HVM64: ami-040d8c460f4fc4a9f}
    eu-central-1: {HVM64: ami-00e232b942edaf8f9}
    eu-north-1: {HVM64: ami-0e3f1570eb0a9bc7f}
    eu-west-1: {HVM64: ami-09d5dd12541e69077}
    eu-west-2: {HVM64: ami-098a393b6fa6e700b}
    eu-west-3: {HVM64: ami-05cb6b584fc3c8ac8}
    sa-east-1: {HVM64: ami-088911543b10876a4}
    us-east-1: {HVM64: ami-038b3df3312ddf25d}
    us-east-2: {HVM64: ami-07b1d7739c91ed3fc}
    us-west-1: {HVM64: ami-0729cd65c1a99b0c9}
    us-west-2: {HVM64: ami-090bc08d7ae1f3881}
    us-gov-west-1: {HVM64: ami-0bbf3595bb2fb39ec}
    us-gov-east-1: {HVM64: ami-0cc17d57bec8c6017}

Resources:
  ClusterNodeRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: [ec2.amazonaws.com]
            Action: ['sts:AssumeRole']
      ManagedPolicyArns:
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore'
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/CloudWatchAgentServerPolicy'
      Path: /
      Policies:
        - PolicyName: CrowdClusterNodePolicy
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action: ec2:CreateTags
                Resource:
                  - !Sub "arn:${AWS::Partition}:ec2:*:${AWS::AccountId}:instance/*"
                  - !Sub "arn:${AWS::Partition}:ec2:*:${AWS::AccountId}:vpc/*"
              - Effect: Allow
                Action:
                  - autoscaling:CreateOrUpdateTags
                  - route53:ListResourceRecordSets
                Resource:
                  - !Sub "arn:${AWS::Partition}:route53:::hostedzone/*"
                  - !Sub "arn:${AWS::Partition}:autoscaling:*:${AWS::AccountId}:autoScalingGroup:*:autoScalingGroupName/*"
              - Effect: Allow
                Action:
                  - ec2:DescribeInstances
                  - ec2:DescribeTags
                  - autoscaling:DescribeTags
                  - route53:ListHostedZones
                Resource: "*"
              # Record changes are allowed in every hosted zone of the account, not only the one named in HostedZone.
              - Effect: Allow
                Action: route53:ChangeResourceRecordSets
                Resource:
                  - !Sub "arn:${AWS::Partition}:route53:::hostedzone/*"
                  - !Sub "arn:${AWS::Partition}:route53:::change/*"
                  - !Sub "arn:${AWS::Partition}:route53:::healthcheck/*"
                  - !Sub "arn:${AWS::Partition}:route53:::delegationset/*"
        - PolicyName: SSMParameterPutAccess
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Action:
                  - 'ssm:PutParameter'
                Effect: Allow
                Resource: !Sub "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${AWS::StackName}/pinned-ansible-sha"
  ClusterNodeInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: /
      Roles: [!Ref ClusterNodeRole]

  # Crowd node config
  ClusterNodeGroup:
    Type: AWS::AutoScaling::AutoScalingGroup
    CreationPolicy:
      ResourceSignal:
        Count: !Ref ClusterNodeMin
        Timeout: PT15M
    Properties:
      DesiredCapacity: !Ref ClusterNodeMin
      LaunchConfigurationName: !Ref ClusterNodeLaunchConfig
      MaxSize: !Ref ClusterNodeMax
      MinSize: !Ref ClusterNodeMin
      TargetGroupARNs: [!Ref MainTargetGroup]
      VPCZoneIdentifier: !Split
        - ","
        - Fn::ImportValue: !Sub "${ExportPrefix}PriNets"
      Tags:
        - Key: Name
          Value: !Sub ["${StackName} Crowd Node", {StackName: !Ref 'AWS::StackName'}]
          PropagateAtLaunch: true
        - Key: Cluster
          Value: !Ref AWS::StackName
          PropagateAtLaunch: true
        # NOTE: The leading COMMIT/TIMESTAMP are used to locate the position to update; see scripts/update-tags.py
        - Key: "atl:quickstart:commit-id"
          Value: "COMMIT: 628de71add242e3c3a3f5e018fb0cf74093e157c"
          PropagateAtLaunch: true
        - Key: "atl:quickstart:timestamp"
          Value: "TIMESTAMP: 2022-03-14T21:36:02Z"
          PropagateAtLaunch: true

  ClusterNodeLaunchConfig:
    Type: AWS::AutoScaling::LaunchConfiguration
    DependsOn:
      - EFSMountAz1
      - EFSMountAz2
      - AnsibleRepoPinSHA
    Metadata:
      Comment: ''
      AWS::CloudFormation::Init:
        config:
          files:
            # Node environment file. It carries the RDS master and application passwords in clear text,
            # which is why it is root-owned with mode 0640.
            /etc/atl:
              mode: "000640"
              owner: root
              group: root
              content:
                'Fn::Join':
                  - "\n"
                  - - "ATL_PRODUCT_FAMILY=crowd"
                    - "ATL_DB_DRIVER=org.postgresql.Driver"
                    - "ATL_JDBC_DB_NAME=crowd"
                    - "ATL_JDBC_USER=atlcrowd"
                    - "ATL_JVM_OPTS='-XX:+ExplicitGCInvokesConcurrent -XX:ReservedCodeCacheSize=512M'"
                    - "ATL_APP_DATA_MOUNT_ENABLED=false"
                    - "ATL_ENABLED_PRODUCTS=Crowd"
                    - "ATL_ENABLED_SHARED_HOMES="
                    - "ATL_NGINX_ENABLED=false"
                    - "ATL_POSTGRES_ENABLED=false"
                    - "ATL_RELEASE_S3_BUCKET=atlassian-software"
                    - "ATL_RELEASE_S3_PATH=releases"
                    - "ATL_SSL_SELF_CERT_ENABLED=false"
                    - ""
                    - !Sub ["ATL_PRODUCT_VERSION=${ProductVersion}", ProductVersion: !Ref CrowdVersion]
                    - !Sub ["ATL_EFS_ID=${ElasticFileSystem}", ElasticFileSystem: !Ref ElasticFileSystem]
                    - !If [DoSSL, "ATL_SSL_PROXY=true", !Ref "AWS::NoValue"]
                    - !Sub ["ATL_AWS_STACK_NAME=${StackName}", StackName: !Ref "AWS::StackName"]
                    - !Sub ["ATL_CATALINA_OPTS=\"${CatalinaOpts} ${MailOpts}\"", { CatalinaOpts: !Ref CatalinaOpts, MailOpts: !If [DisableMail, '-Datlassian.mail.senddisabled=true -Datlassian.mail.fetchdisabled=true -Datlassian.mail.popdisabled=true', ''] }]
                    - !Sub ["ATL_DB_HOST=${DBEndpointAddress}", DBEndpointAddress: !GetAtt DB.Outputs.RDSEndPointAddress]
                    - !Sub ["ATL_DB_ROOT_PASSWORD='${DBMasterUserPassword}'", DBMasterUserPassword: !Ref DBMasterUserPassword]
                    - !Sub ["ATL_DB_PORT=${DBEndpointPort}", DBEndpointPort: !GetAtt DB.Outputs.RDSEndPointPort]
                    - !Sub ["ATL_HOSTEDZONE=${HostedZone}", HostedZone: !Ref HostedZone]
                    - !Sub ["ATL_JDBC_PASSWORD='${DBPassword}'", DBPassword: !Ref DBPassword]
                    - !Sub ["ATL_JDBC_URL=jdbc:postgresql://${DBEndpointAddress}:${DBEndpointPort}/crowd?targetServerType=master", { DBEndpointAddress: !GetAtt DB.Outputs.RDSEndPointAddress, DBEndpointPort: !GetAtt DB.Outputs.RDSEndPointPort }]
                    - !Sub ["ATL_JVM_HEAP=${AtlJvmHeap}", AtlJvmHeap: !If [OverrideHeap, !Ref 'JvmHeapOverride', !FindInMap [AWSInstanceType2Arch, !Ref ClusterNodeInstanceType, Jvmheap]]]
                    - !Sub ["ATL_PROXY_NAME=${AtlProxyName}", AtlProxyName: !If [UseCustomDnsName, !Ref CustomDnsName, !If [UseHostedZone, !Ref LoadBalancerCname, !GetAtt LoadBalancer.DNSName]]]
                    - !Sub ["ATL_TOMCAT_ACCEPTCOUNT=${TomcatAcceptCount}", TomcatAcceptCount: !Ref TomcatAcceptCount]
                    - !Sub ["ATL_TOMCAT_CONNECTIONTIMEOUT=${TomcatConnectionTimeout}", TomcatConnectionTimeout: !Ref TomcatConnectionTimeout]
                    - !Sub ["ATL_TOMCAT_CONTEXTPATH=${TomcatContextPath}", TomcatContextPath: !Ref TomcatContextPath]
                    - !Sub ["ATL_TOMCAT_DEFAULTCONNECTORPORT=${TomcatDefaultConnectorPort}", TomcatDefaultConnectorPort: !Ref TomcatDefaultConnectorPort]
                    - !Sub ["ATL_TOMCAT_ENABLELOOKUPS=${TomcatEnableLookups}", TomcatEnableLookups: !Ref TomcatEnableLookups]
                    - !Sub ["ATL_TOMCAT_MAXTHREADS=${TomcatMaxThreads}", TomcatMaxThreads: !Ref TomcatMaxThreads]
                    - !Sub ["ATL_TOMCAT_MINSPARETHREADS=${TomcatMinSpareThreads}", TomcatMinSpareThreads: !Ref TomcatMinSpareThreads]
                    - !Sub ["ATL_TOMCAT_PROTOCOL=${TomcatProtocol}", TomcatProtocol: !Ref TomcatProtocol]
                    - !Sub ["ATL_TOMCAT_PROXYPORT=${TomcatProxyPort}", TomcatProxyPort: !If [DoSSL, 443, 80]]
                    - !Sub ["ATL_TOMCAT_REDIRECTPORT=${TomcatRedirectPort}", TomcatRedirectPort: !Ref TomcatRedirectPort]
                    - !Sub ["ATL_TOMCAT_SCHEME=${TomcatScheme}", TomcatScheme: !If [DoSSL, https, http]]
                    - !Sub ["ATL_TOMCAT_SECURE=${TomcatSecure}", TomcatSecure: !If [DoSSL, true, false]]
                    - !Sub ["ATL_DEPLOYMENT_REPOSITORY=${DeployRepository}", DeployRepository: !Ref DeploymentAutomationRepository]
                    - !Sub ["ATL_DEPLOYMENT_REPOSITORY_BRANCH=${DeployRepositoryBranch}", DeployRepositoryBranch: !Ref DeploymentAutomationBranch]
                    - !Sub ["ATL_DEPLOYMENT_REPOSITORY_PLAYBOOK=${DeployRepositoryPlaybook}", DeployRepositoryPlaybook: !Ref DeploymentAutomationPlaybook]
                    - !Sub ["ATL_DEPLOYMENT_REPOSITORY_KEYNAME=${DeployRepositoryKeyName}", DeployRepositoryKeyName: !Ref DeploymentAutomationKeyName]
                    - !Sub ["ATL_DEPLOYMENT_REPOSITORY_CUSTOM_PARAMS='${DeployRepositoryCustomParams}'", DeployRepositoryCustomParams: !Ref DeploymentAutomationCustomParams]
                    - !Sub ["ATL_AWS_ENABLE_CLOUDWATCH=${EnableCW}", EnableCW: !If [EnableCloudWatch, true, false]]
                    - !Sub ["ATL_AWS_ENABLE_CLOUDWATCH_LOGS=${EnableCWLogs}", EnableCWLogs: !If [EnableCloudWatchLogs, true, false]]
            /opt/atlassian/bin/clone_deployment_repo:
              content: !Sub |
                #!/bin/bash
                key_location=/root/.ssh/deployment_repo_key
                key_name="${DeploymentAutomationKeyName}"
                ssm_pin=/${AWS::StackName}/pinned-ansible-sha

                yum install -y git awscli jq

                if [[ ! -z "$key_name" ]]; then
                    # Fetch the repository deploy key from SSM Parameter Store (decrypted) and install it for root
                    key_val=$(aws --region=${AWS::Region} ssm get-parameters --names "$key_name" --with-decryption | jq --raw-output '.Parameters[0].Value')
                    echo -e "$key_val" > "$key_location"
                    chmod 600 "$key_location"
                    export GIT_SSH_COMMAND="ssh -o IdentitiesOnly=yes -o StrictHostKeyChecking=no -i $key_location"
                else
                    export GIT_SSH_COMMAND="ssh -o IdentitiesOnly=yes -o StrictHostKeyChecking=no"
                fi
                # NOTE: host key verification is disabled for the clone (StrictHostKeyChecking=no). Once recorded, the
                # commit pin below is what fixes the code that later nodes check out; the first node trusts whatever HEAD it is served.

                ### Ansible repo pinning ###
                pinned_commit_id=$(aws --region=${AWS::Region} ssm get-parameters --names "$ssm_pin" | jq --raw-output '.Parameters[0].Value')
                git clone "${DeploymentAutomationRepository}" -b "${DeploymentAutomationBranch}" /opt/atlassian/dc-deployments-automation/
                cd /opt/atlassian/dc-deployments-automation/
                if [[ "$pinned_commit_id" == "latest" || -z "$pinned_commit_id" ]]; then
                    head_id=$(git rev-parse HEAD)
                    echo "SSM param [$ssm_pin] has been set to 'latest' - Using the HEAD SHA [$head_id] to build cluster [${AWS::StackName}]"
                    echo "Updating SSM param [$ssm_pin] with current HEAD SHA: [$head_id]"
                    aws --region=${AWS::Region} ssm put-parameter --name "$ssm_pin" --value "$head_id" --overwrite --type String
                else
                    echo "Ansible repo has been pinned, checking out commit: [$pinned_commit_id]"
                    git checkout -b "pinned-ansible-sha-$pinned_commit_id" "$pinned_commit_id"
                fi
              mode: "000750"
              owner: root
              group: root
          # ignoreErrors lets cfn-init (and therefore cfn-signal) report success even if the clone or the playbook
          # fails; a node that comes up without Crowd should be checked against /var/log/ansible-bootstrap.log.
          commands:
            070_create_atl_dir:
              test: "test ! -d /opt/atlassian/"
              command: mkdir -p /opt/atlassian
              ignoreErrors: false
            071_install_packages:
              command: yum install -y git python-virtualenv
              ignoreErrors: true
            072_clone_atl_scripts:
              test: "test ! -d /opt/atlassian/dc-deployments-automation/"
              command: /opt/atlassian/bin/clone_deployment_repo
              ignoreErrors: true
            080_run_atl_init_node:
              command: !Sub |
                cd /opt/atlassian/dc-deployments-automation/ && ./bin/install-ansible && ./bin/ansible-with-atl-env inv/aws_node_local ${DeploymentAutomationPlaybook} >> /var/log/ansible-bootstrap.log 2>&1
              ignoreErrors: true
    Properties:
      AssociatePublicIpAddress: false
      BlockDeviceMappings:
        - DeviceName: /dev/xvda
          Ebs:
            VolumeSize: !Ref ClusterNodeVolumeSize
        - DeviceName: /dev/xvdf
          NoDevice: true
      KeyName: !If
        - KeyProvided
        - !Ref KeyPairName
        - Ref: AWS::NoValue
      IamInstanceProfile: !Ref ClusterNodeInstanceProfile
      ImageId: !FindInMap
        - AWSRegionArch2AMI
        - !Ref AWS::Region
        - !FindInMap
          - AWSInstanceType2Arch
          - !Ref ClusterNodeInstanceType
          - Arch
      InstanceType: !Ref ClusterNodeInstanceType
      SecurityGroups: [!Ref SecurityGroup]
      UserData:
        Fn::Base64: !Join
          - ""
          - - "#!/bin/bash -xe\n"
            - "yum update -y aws-cfn-bootstrap\n"
            - !Sub ["/opt/aws/bin/cfn-init -v --stack ${StackName}", {StackName: !Ref "AWS::StackName"}]
            - !Sub [" --resource ClusterNodeLaunchConfig --region ${Region}\n", {Region: !Ref "AWS::Region"}]
            - !Sub ["/opt/aws/bin/cfn-signal -e $? --stack ${StackName}", {StackName: !Ref "AWS::StackName"}]
            - !Sub [" --resource ClusterNodeGroup --region ${Region}", {Region: !Ref "AWS::Region"}]

  # Elastic file system
  ElasticFileSystem:
    Type: AWS::EFS::FileSystem
    Properties:
      BackupPolicy:
        Status: ENABLED
      FileSystemTags:
        - Key: Name
          Value: !Join [' ', [!Ref 'AWS::StackName', 'cluster shared-files']]
        - Key: Application
          Value: !Ref AWS::StackId
        # NOTE: The leading COMMIT/TIMESTAMP are used to locate the position to update; see scripts/update-tags.py
        - Key: "atl:quickstart:commit-id"
          Value: "COMMIT: 628de71add242e3c3a3f5e018fb0cf74093e157c"
        - Key: "atl:quickstart:timestamp"
          Value: "TIMESTAMP: 2022-03-14T21:36:02Z"
  EFSMountAz1:
    Type: AWS::EFS::MountTarget
    Properties:
      FileSystemId: !Ref ElasticFileSystem
      SecurityGroups: [!Ref SecurityGroup]
      SubnetId: !Select
        - 0
        - !Split
          - ","
          - Fn::ImportValue: !Sub "${ExportPrefix}PriNets"
  EFSMountAz2:
    Type: AWS::EFS::MountTarget
    Properties:
      FileSystemId: !Ref ElasticFileSystem
      SecurityGroups: [!Ref SecurityGroup]
      SubnetId: !Select
        - 1
        - !Split
          - ","
          - Fn::ImportValue: !Sub "${ExportPrefix}PriNets"
  EFSCname:
    Type: AWS::Route53::RecordSet
    Condition: UseHostedZone
    Properties:
      HostedZoneName: !Ref HostedZone
      Comment: Route53 cname for the efs
      Name: !If [ UseHostedZone, !Join ['.', [!Ref 'AWS::StackName', 'efs', !Ref 'HostedZone']], '']
      Type: CNAME
      TTL: 900
      ResourceRecords:
        - !Join ['.', [!Ref ElasticFileSystem, 'efs', !Ref 'AWS::Region', 'amazonaws.com.']]

  # Database
  DB:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: !Sub
        - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-atlassian-services/templates/quickstart-database-for-atlassian-services.yaml
        - S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
          S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion]
      Parameters:
        DatabaseImplementation: "PostgreSQL"
        DBEngineVersion: !Ref DBEngineVersion
        DBAllocatedStorage: !Ref DBStorage
        DBAutoMinorVersionUpgrade: "true"
        DBBackupRetentionPeriod: "1"
        DBInstanceClass: !Ref DBInstanceClass
        DBIops: !Ref DBIops
        DBMasterUserPassword: !Ref DBMasterUserPassword
        DBMultiAZ: !Ref DBMultiAZ
        DBSecurityGroup: !Ref SecurityGroup
        DBStorageEncrypted: !Ref DBStorageEncrypted
        DBStorageType: !Ref DBStorageType
        ExportPrefix: !Ref ExportPrefix
        QSS3BucketName: !Ref QSS3BucketName
        QSS3BucketRegion: !Ref QSS3BucketRegion
        QSS3KeyPrefix: !Ref QSS3KeyPrefix
  DBCname:
    Condition: UseHostedZone
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneName: !Ref HostedZone
      Comment: Route53 cname for the RDS
      Name: !Join ['.', [!Ref 'AWS::StackName', 'db', !Ref 'HostedZone']]
      Type: CNAME
      TTL: 900
      ResourceRecords:
        - !GetAtt DB.Outputs.RDSEndPointAddress

  # Loadbalancer
  LoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      LoadBalancerAttributes:
        - Key: idle_timeout.timeout_seconds
          Value: '3600'
      Scheme: !If [UsePublicIp, 'internet-facing', 'internal']
      SecurityGroups: [!Ref SecurityGroup]
      Subnets: !Split
        - ","
        - Fn::ImportValue: !Sub "${ExportPrefix}PubNets"
      Tags:
        - Key: Name
          Value: !Sub ["${StackName}-LoadBalancer", StackName: !Ref 'AWS::StackName']
        - Key: Cluster
          Value: !Ref AWS::StackName
        # NOTE: The leading COMMIT/TIMESTAMP are used to locate the position to update; see scripts/update-tags.py
        - Key: "atl:quickstart:commit-id"
          Value: "COMMIT: 628de71add242e3c3a3f5e018fb0cf74093e157c"
        - Key: "atl:quickstart:timestamp"
          Value: "TIMESTAMP: 2022-03-14T21:36:02Z"
  LoadBalancerHTTPListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      DefaultActions:
        - !If
          - DoSSL
          - Type: redirect
            RedirectConfig:
              Protocol: HTTPS
              Port: '443'
              Host: '#{host}'
              Path: '/#{path}'
              Query: '#{query}'
              StatusCode: HTTP_301
          - Type: forward
            TargetGroupArn: !Ref MainTargetGroup
      LoadBalancerArn: !Ref LoadBalancer
      Port: 80
      Protocol: HTTP
  LoadBalancerHTTPSListener:
    Condition: DoSSL
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      Certificates:
        - CertificateArn: !Ref SSLCertificateARN
DefaultActions: - Type: forward TargetGroupArn: !Ref MainTargetGroup LoadBalancerArn: !Ref LoadBalancer Port: 443 Protocol: HTTPS SslPolicy: "ELBSecurityPolicy-TLS-1-2-Ext-2018-06" MainTargetGroup: Type: AWS::ElasticLoadBalancingV2::TargetGroup Properties: Port: !Ref TomcatDefaultConnectorPort Protocol: HTTP VpcId: Fn::ImportValue: !Sub "${ExportPrefix}VPCID" HealthCheckIntervalSeconds: 20 HealthCheckTimeoutSeconds: 10 HealthyThresholdCount: 2 Matcher: HttpCode: '200' HealthCheckPath: !If [UseContextPath, !Join ['', [!Ref 'TomcatContextPath', '/status']], '/status'] HealthCheckPort: !Ref TomcatDefaultConnectorPort HealthCheckProtocol: HTTP TargetGroupAttributes: - Key: stickiness.enabled Value: 'true' - Key: stickiness.type Value: lb_cookie - Key: deregistration_delay.timeout_seconds Value: '30' Tags: - Key: Name Value: MainTargetGroup - Key: Cluster Value: !Ref AWS::StackName # NOTE: The leading COMMIT/TIMESTAMP are used to locate the position to update; see scripts/update-tags.py - Key: "atl:quickstart:commit-id" Value: "COMMIT: 628de71add242e3c3a3f5e018fb0cf74093e157c" - Key: "atl:quickstart:timestamp" Value: "TIMESTAMP: 2022-03-14T21:36:02Z" DependsOn: - LoadBalancer LoadBalancerCname: Condition: UseHostedZone Type: AWS::Route53::RecordSet Properties: HostedZoneName: !Ref HostedZone Comment: Route53 cname for the ALB Name: !Join ['.', [!Ref "AWS::StackName", !Ref 'HostedZone']] Type: CNAME TTL: 900 ResourceRecords: - !GetAtt LoadBalancer.DNSName SecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Security group allowing SSH and HTTP/HTTPS access SecurityGroupIngress: - IpProtocol: tcp FromPort: 22 ToPort: 22 CidrIp: !Ref CidrBlock - !If - UseBastionHost - IpProtocol: tcp FromPort: 22 ToPort: 22 CidrIp: !Sub - "${BastionIp}/32" - BastionIp: Fn::ImportValue: !Sub '${ExportPrefix}BastionPrivIp' - Ref: AWS::NoValue - IpProtocol: tcp FromPort: 80 ToPort: 80 CidrIp: !Ref CidrBlock - IpProtocol: tcp FromPort: 443 ToPort: 443 CidrIp: !Ref 
CidrBlock - IpProtocol: tcp FromPort: 80 ToPort: 80 CidrIp: !Sub - "${NAT1IP}/32" - NAT1IP: Fn::ImportValue: !Sub '${ExportPrefix}NAT1EIP' - IpProtocol: tcp FromPort: 80 ToPort: 80 CidrIp: !Sub - "${NAT2IP}/32" - NAT2IP: Fn::ImportValue: !Sub '${ExportPrefix}NAT2EIP' - IpProtocol: tcp FromPort: 443 ToPort: 443 CidrIp: !Sub - "${NAT1IP}/32" - NAT1IP: Fn::ImportValue: !Sub '${ExportPrefix}NAT1EIP' - IpProtocol: tcp FromPort: 443 ToPort: 443 CidrIp: !Sub - "${NAT2IP}/32" - NAT2IP: Fn::ImportValue: !Sub '${ExportPrefix}NAT2EIP' Tags: - Key: Name Value: !Join [' ', [!Ref "AWS::StackName", 'sg']] # NOTE: The leading COMMIT/TIMESTAMP are used to locate the position to update; see scripts/update-tags.py - Key: "atl:quickstart:commit-id" Value: "COMMIT: 628de71add242e3c3a3f5e018fb0cf74093e157c" - Key: "atl:quickstart:timestamp" Value: "TIMESTAMP: 2022-03-14T21:36:02Z" VpcId: Fn::ImportValue: !Sub "${ExportPrefix}VPCID" SecurityGroupIngress: Type: AWS::EC2::SecurityGroupIngress Properties: GroupId: !Ref SecurityGroup IpProtocol: '-1' FromPort: -1 ToPort: -1 SourceSecurityGroupId: !Ref SecurityGroup EncryptionKey: Condition: UseDatabaseEncryption DeletionPolicy: Retain UpdateReplacePolicy: Retain Type: AWS::KMS::Key Properties: KeyPolicy: Version: 2012-10-17 Id: !Sub "${AWS::StackName}" Statement: - Effect: Allow Principal: AWS: - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:root" Action: - kms:CreateAlias - kms:CreateGrant - kms:CreateKey - kms:DeleteAlias - kms:DeleteImportedKeyMaterial - kms:DescribeKey - kms:DisableKey - kms:DisableKeyRotation - kms:EnableKey - kms:EnableKeyRotation - kms:GetKeyPolicy - kms:GetKeyRotationStatus - kms:GetParametersForImport - kms:GetPublicKey - kms:PutKeyPolicy Resource: '*' Tags: - Key: Name Value: !Sub ["${StackName} Encryption Key", {StackName: !Ref 'AWS::StackName'}] # NOTE: The leading COMMIT/TIMESTAMP are used to locate the position to update; see scripts/update-tags.py - Key: "atl:quickstart:commit-id" Value: "COMMIT: 
628de71add242e3c3a3f5e018fb0cf74093e157c" - Key: "atl:quickstart:timestamp" Value: "TIMESTAMP: 2022-03-14T21:36:02Z" EnableKeyRotation: true EncryptionKeyAlias: Condition: UseDatabaseEncryption Type: AWS::KMS::Alias Properties: AliasName: !Sub "alias/${AWS::StackName}" TargetKeyId: !Ref EncryptionKey AnsibleRepoPinSHA: Type: AWS::SSM::Parameter Properties: Description: "The dc-deployments-automation commit SHA that all nodes in the cluster will use" Name: !Sub "/${AWS::StackName}/pinned-ansible-sha" Type: String AllowedPattern: '^(latest)|([0-9a-f]{5,40})$' Value: "latest" # Optional: Cloudwatch dashboard to be created when CloudWatch is enabled CloudWatchDashboard: DependsOn: - DB Condition: EnableCloudWatch Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-atlassian-services/templates/quickstart-cloudwatch-dashboard.yaml - S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] Parameters: ProductStackName: !Sub "${AWS::StackName}" ProductFamilyName: "crowd" AsgToMonitor: !Ref ClusterNodeGroup Outputs: ServiceURL: Description: The URL to access this Atlassian service. Value: !If - UseCustomDnsName - !Sub - "${HTTP}://${CustomDNSName}${ContextPath}" - HTTP: !If [DoSSL, 'https', 'http'] CustomDNSName: !Ref CustomDnsName ContextPath: !Ref TomcatContextPath - !If - UseHostedZone - !Sub - "${HTTP}://${LBCName}${ContextPath}" - HTTP: !If [DoSSL, 'https', 'http'] LBCName: !Ref LoadBalancerCname ContextPath: !Ref TomcatContextPath - !Sub - "${HTTP}://${LoadBalancerDNSName}${ContextPath}" - HTTP: !If [DoSSL, 'https', 'http'] LoadBalancerDNSName: !GetAtt LoadBalancer.DNSName ContextPath: !Ref TomcatContextPath LoadBalancerURL: Description: The load balancer URL. 
Value: !Sub - "${HTTP}://${LoadBalancerDNSName}" - HTTP: !If [DoSSL, 'https', 'http'] LoadBalancerDNSName: !GetAtt LoadBalancer.DNSName SGname: Description: The name of the security group. Value: !Ref SecurityGroup Export: { Name: !Join ['', [!Ref 'AWS::StackName', '-SGname']] } DBEndpointAddress: Description: The database connection string. Value: !GetAtt DB.Outputs.RDSEndPointAddress DBEncryptionKey: Condition: UseDatabaseEncryption Description: The alias of the encryption key created for Amazon RDS. Value: !Ref EncryptionKeyAlias EFSCname: Description: The CNAME of the Amazon Elastic File System (Amazon EFS). Value: !If - UseHostedZone - !Ref EFSCname - !Ref ElasticFileSystem Export: { Name: !Join ['', [!Ref 'AWS::StackName', '-EFSCname']] } CloudWatchDashboardURL: Description: CloudWatch monitoring dashboard URL. Value: !GetAtt CloudWatchDashboard.Outputs.Dashboard Condition: EnableCloudWatch DBTemplateURL: Description: The URL used to source the database template. Value: !Sub - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-atlassian-services/templates/quickstart-database-for-atlassian-services.yaml - S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] CloudWatchDashboardTemplateURL: Description: The URL used to source the CloudWatch template. Value: !Sub - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-atlassian-services/templates/quickstart-cloudwatch-dashboard.yaml - S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion]