AWSTemplateFormatVersion: 2010-09-09
Description: Deploy a Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, an external ALB/NLB, and optionally a Security Management Server and a web server Auto Scaling Group. (qs-1ofn34qmm)
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
- Label:
default: General Settings
Parameters:
- VPC
- KeyName
- EnableVolumeEncryption
- VolumeSize
- VolumeType
- EnableInstanceConnect
- TerminationProtection
- AllowUploadDownload
- ProvisionTag
- LoadBalancersType
- ALBProtocol
- NLBProtocol
- Certificate
- ServicePort
- AdminEmail
- ResourcesTagName
- Label:
default: Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration
Parameters:
- GatewaysSubnets
- GatewayInstanceType
- GatewaysMinSize
- GatewaysMaxSize
- GatewayVersion
- GatewayPasswordHash
- GatewaySICKey
- CloudWatch
- Label:
default: Check Point CloudGuard IaaS Security Management Server Configuration
Parameters:
- ManagementDeploy
- ManagementInstanceType
- ManagementVersion
- ManagementPasswordHash
- ManagementPermissions
- ManagementPredefinedRole
- GatewaysPolicy
- GatewaysBlades
- AdminCIDR
- GatewaysAddresses
- Label:
default: Web Servers Auto Scaling Group Configuration
Parameters:
- ServersDeploy
- ServersSubnets
- ServerInstanceType
- ServerAMI
ParameterLabels:
VPC:
default: VPC
KeyName:
default: Key name
EnableVolumeEncryption:
default: Enable environment volume encryption
VolumeSize:
default: Root volume size (GB)
VolumeType:
default: Volume Type
EnableInstanceConnect:
default: Enable AWS Instance Connect
TerminationProtection:
default: Termination Protection
AllowUploadDownload:
default: Allow upload & download
ProvisionTag:
default: Auto Provision tag
LoadBalancersType:
default: Load Balancers
ALBProtocol:
default: ALB Protocol
NLBProtocol:
default: NLB Protocol
Certificate:
default: HTTPS certificate
ServicePort:
default: Custom service port
AdminEmail:
default: Email address
ResourcesTagName:
default: Resources prefix tag
GatewaysSubnets:
default: Gateways subnets
GatewayInstanceType:
default: Gateways instance type
GatewaysMinSize:
default: Minimum group size
GatewaysMaxSize:
default: Maximum group size
GatewayVersion:
default: Gateways version & license
GatewayPasswordHash:
default: Gateways Password hash
GatewaySICKey:
default: Gateways SIC key
CloudWatch:
default: CloudWatch metrics
ManagementDeploy:
default: Deploy Management Server
ManagementInstanceType:
default: Management instance type
ManagementVersion:
default: Management version & license
ManagementPasswordHash:
default: Management password hash
ManagementPermissions:
default: IAM role
ManagementPredefinedRole:
default: Existing IAM role name
GatewaysPolicy:
default: Security Policy
GatewaysBlades:
default: Default Blades
AdminCIDR:
default: Administrator addresses
GatewaysAddresses:
default: Gateways addresses
ServersDeploy:
default: Deploy servers
ServersSubnets:
default: Subnet IDs
ServerInstanceType:
default: Servers instance type
ServerAMI:
default: AMI ID
Parameters:
VPC:
Description: Select an existing VPC.
Type: AWS::EC2::VPC::Id
MinLength: 1
ConstraintDescription: You must select a VPC.
KeyName:
Description: The EC2 Key Pair to allow SSH access to the instances created by this stack.
Type: AWS::EC2::KeyPair::KeyName
MinLength: 1
ConstraintDescription: Must be the name of an existing EC2 KeyPair.
EnableVolumeEncryption:
Description: Encrypt Environment instances volume with default AWS KMS key.
Type: String
Default: true
AllowedValues:
- true
- false
VolumeSize:
Type: Number
Default: 100
MinValue: 100
VolumeType:
Description: General Purpose SSD Volume Type
Type: String
Default: gp3
AllowedValues:
- gp3
- gp2
EnableInstanceConnect:
Description: Enable SSH connection over AWS web console.
Type: String
Default: false
AllowedValues:
- true
- false
TerminationProtection:
Description: Prevents an instance from accidental termination.
Type: String
Default: false
AllowedValues:
- true
- false
AllowUploadDownload:
Description: Automatically download updates and share statistical data for product improvement purpose.
Type: String
Default: true
AllowedValues:
- true
- false
ProvisionTag:
Description: The tag is used by the Security Management Server to automatically provision the Security Gateways. Must be up to 12 alphanumeric characters and unique for each Quick Start deployment.
Type: String
Default: quickstart
AllowedPattern: '^[a-zA-Z0-9-]{1,12}$'
ConstraintDescription: The tag must be up to 12 alphanumeric character.
LoadBalancersType:
Description: Use Network Load Balancer if you wish to preserve the source IP address and Application Load Balancer if you wish to use content based routing.
Default: Network Load Balancer
Type: String
AllowedValues:
- Network Load Balancer
- Application Load Balancer
ALBProtocol:
Description: The protocol to use on the Application Load Balancer. If Network Load Balancer was selected this section will be ignored.
Type: String
Default: HTTP
AllowedValues:
- HTTP
- HTTPS
NLBProtocol:
Description: The protocol to use on the Network Load Balancer. If Application Load Balancer was selected this section will be ignored.
Type: String
Default: TCP
AllowedValues:
- TCP
- TLS
- UDP
- TCP_UDP
Certificate:
Description: Amazon Resource Name (ARN) of an HTTPS Certificate, ignored if the selected protocol is HTTP.
Type: String
AllowedPattern: '^(arn:[\w+=/,.@-]+:[\w+=/,.@-]+:[\w+=/,.@-]*:[0-9]+:[\w+=,.@-]+(/[\w+=,.@-]+)*)?$'
ConstraintDescription: 'Must be a valid Amazon Resource Name (ARN), for example: arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012.'
ServicePort:
Description: 'The external Load Balancer listens to this port. Leave this field blank to use default ports: 80 for HTTP and 443 for HTTPS.'
Type: String
AllowedPattern: '^([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])?$'
ConstraintDescription: Custom service port must be a number between 0 and 65535.
AdminEmail:
Description: Notifications about scaling events will be sent to this email address. (optional)
Type: String
Default: ''
AllowedPattern: '^(([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?))?$'
ConstraintDescription: Must be a valid email address.
ResourcesTagName:
Description: The name tag of the resources. (optional)
Type: String
Default: ''
GatewaysSubnets:
Description: Select at least 2 public subnets in the VPC. If you choose to deploy a Security Management Server it will be deployed in the first subnet.
Type: List<AWS::EC2::Subnet::Id>
AllowedPattern: '.+'
GatewayInstanceType:
Description: The EC2 instance type for the Security Gateways.
Type: String
Default: c5.xlarge
AllowedValues:
- c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.18xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.12xlarge
- m6i.24xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.12xlarge
- c6i.24xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.12xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.12xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.12xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.12xlarge
- r5n.24xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.12xlarge
- m6a.24xlarge
ConstraintDescription: Must be a valid EC2 instance type
GatewaysMinSize:
Description: The minimal number of Security Gateways.
Type: Number
Default: 2
MinValue: 1
GatewaysMaxSize:
Description: The maximal number of Security Gateways.
Type: Number
Default: 10
MinValue: 1
GatewayVersion:
Description: The version and license to install on the Security Gateways.
Type: String
Default: R81.10-BYOL
AllowedValues:
- R80.40-BYOL
- R80.40-PAYG-NGTP
- R80.40-PAYG-NGTX
- R81-BYOL
- R81-PAYG-NGTP
- R81-PAYG-NGTX
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
GatewayPasswordHash:
Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional)
Type: String
Default: ''
AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
NoEcho: true
GatewaySICKey:
Description: The Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters.
Type: String
AllowedPattern: '^[a-zA-Z0-9]{8,}$'
ConstraintDescription: Secure Internal Communication activation key should contain only alpha numeric characters and be at least 8 characters long.
NoEcho: true
CloudWatch:
Description: Report Check Point specific CloudWatch metrics.
Type: String
Default: false
AllowedValues:
- true
- false
ManagementDeploy:
Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section.
Type: String
Default: true
AllowedValues:
- true
- false
ManagementInstanceType:
Description: The EC2 instance type of the Security Management Server.
Type: String
Default: m5.xlarge
AllowedValues:
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.18xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.12xlarge
- m6i.24xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.12xlarge
- c6i.24xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.12xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.12xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.12xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.12xlarge
- r5n.24xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.12xlarge
- m6a.24xlarge
ConstraintDescription: Must be a valid EC2 instance type
ManagementVersion:
Description: The license to install on the Security Management Server.
Type: String
Default: R81.10-BYOL
AllowedValues:
- R81-BYOL
- R81-PAYG
- R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG
ManagementPasswordHash:
Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional)
Type: String
Default: ''
AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
NoEcho: true
ManagementPermissions:
Description: IAM role to attach to the instance profile.
Type: String
Default: Create with read-write permissions
AllowedValues:
- None (configure later)
- Use existing (specify an existing IAM role name)
- Create with assume role permissions (specify an STS role ARN)
- Create with read permissions
- Create with read-write permissions
ManagementPredefinedRole:
Description: A predefined IAM role to attach to the instance profile. Ignored if IAM role is not set to 'Use existing'.
Type: String
Default: ''
GatewaysPolicy:
Description: The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group.
Type: String
Default: Standard
MinLength: 1
GatewaysBlades:
Description: Turn on the Intrusion Prevention System, Application Control, Anti-Virus and Anti-Bot Blades (additional Blades can be manually turned on later).
Type: String
Default: true
AllowedValues:
- true
- false
AdminCIDR:
Description: Allow web, SSH, and graphical clients only from this network to communicate with the Security Management Server.
Type: String
AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
GatewaysAddresses:
Description: Allow gateways only from this network to communicate with the Security Management Server.
Type: String
AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
ServersDeploy:
Description: Select 'true' to deploy web servers and an internal Application Load Balancer. If you select 'false' the other parameters of this section will be ignored.
Type: String
Default: false
AllowedValues:
- true
- false
ServersSubnets:
Description: Provide at least 2 private subnet IDs in the chosen VPC, separated by commas (e.g. subnet-0d72417c,subnet-1f61306f,subnet-1061d06f).
Type: List<AWS::EC2::Subnet::Id>
AllowedPattern: '.+'
ServerInstanceType:
Description: The EC2 instance type for the web servers.
Type: String
Default: t3.micro
AllowedValues:
- t3.nano
- t3.micro
- t3.small
- t3.medium
- t3.large
- t3.xlarge
- t3.2xlarge
ConstraintDescription: Must be a valid EC2 instance type.
ServerAMI:
Description: The Amazon Machine Image ID of a preconfigured web server (e.g. ami-0dc7dc63).
Type: String
AllowedPattern: '^(ami-(([0-9a-f]{8})|([0-9a-f]{17})))?$'
ConstraintDescription: Amazon Machine Image ID must be in the form ami-xxxxxxxx or ami-xxxxxxxxxxxxxxxxx.
Conditions:
VolumeEncryption: !Equals [!Ref EnableVolumeEncryption, true]
DeployManagement: !Equals [!Ref ManagementDeploy, true]
DeployServers: !Equals [!Ref ServersDeploy, true]
ALB: !Equals [!Ref LoadBalancersType, Application Load Balancer]
NLB: !Not [!Condition ALB]
EncryptedProtocol: !Or
- !And [!Condition ALB, !Equals [ALBProtocol, HTTPS]]
- !And [!Condition NLB, !Equals [NLBProtocol, TLS]]
ProvidedPort: !Not [!Equals [!Ref ServicePort, '']]
ProvidedResourcesTag: !Not [!Equals [!Ref ResourcesTagName, '']]
Resources:
ExternalALBSecurityGroup:
Type: AWS::EC2::SecurityGroup
Condition: ALB
Properties:
GroupDescription: External ALB security group.
VpcId: !Ref VPC
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: !If [ProvidedPort, !Ref ServicePort, !If [EncryptedProtocol, 443, 80]]
ToPort: !If [ProvidedPort, !Ref ServicePort, !If [EncryptedProtocol, 443, 80]]
CidrIp: 0.0.0.0/0
Tags:
- Key: Name
Value:
!Join
- _
- - !If [ ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName' ]
- Exter_ALB_SecurityGroup
ExternalLoadBalancer:
Type: AWS::ElasticLoadBalancingV2::LoadBalancer
Properties:
Type: !If [ALB, application, network]
Scheme: internet-facing
Subnets: !Ref GatewaysSubnets
SecurityGroups:
- !If [ALB, !GetAtt ExternalALBSecurityGroup.GroupId, !Ref 'AWS::NoValue']
Tags:
- Key: Name
Value:
!Join
- _
- - !If [ ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName' ]
- Exter
- !If [ALB, "ALB", "NLB"]
ExternalLBTargetGroup:
Type: AWS::ElasticLoadBalancingV2::TargetGroup
Properties:
VpcId: !Ref VPC
Protocol: !If [ALB, !Ref ALBProtocol, !Ref NLBProtocol]
Port: !If [EncryptedProtocol, 9443, 9080]
Tags:
- Key: Name
Value:
!Join
- _
- - !If [ ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName' ]
- Exter
- !If [ALB, "ALB", "NLB"]
- TargetGroup
ExternalLBListener:
Type: AWS::ElasticLoadBalancingV2::Listener
DependsOn: [ExternalLoadBalancer, ExternalLBTargetGroup]
Properties:
DefaultActions:
- Type: forward
TargetGroupArn: !Ref ExternalLBTargetGroup
LoadBalancerArn: !Ref ExternalLoadBalancer
Protocol: !If [ALB, !Ref ALBProtocol, !Ref NLBProtocol]
Port: !If [ProvidedPort, !Ref ServicePort, !If [EncryptedProtocol, 443, 80]]
SecurityGatewaysStack:
Type: AWS::CloudFormation::Stack
Properties:
TemplateURL: https://s3.amazonaws.com/cgi-cfts/autoscale/autoscale.yaml
Parameters:
VPC: !Ref VPC
GatewaysSubnets: !Join [',', !Ref GatewaysSubnets]
GatewayName: !Sub '${ResourcesTagName}-security-gateway'
GatewayInstanceType: !Ref GatewayInstanceType
KeyName: !Ref KeyName
EnableVolumeEncryption: !Ref EnableVolumeEncryption
VolumeSize: !Ref VolumeSize
VolumeType: !Ref VolumeType
EnableInstanceConnect: !Ref EnableInstanceConnect
GatewaysMinSize: !Ref GatewaysMinSize
GatewaysMaxSize: !Ref GatewaysMaxSize
AdminEmail: !Ref AdminEmail
GatewaysTargetGroups: !Ref ExternalLBTargetGroup
GatewayVersion: !Ref GatewayVersion
GatewayPasswordHash: !Ref GatewayPasswordHash
GatewaySICKey: !Ref GatewaySICKey
AllowUploadDownload: !Ref AllowUploadDownload
CloudWatch: !Ref CloudWatch
GatewayBootstrapScript: !Join
- ';'
- - 'echo -e "\nStarting Bootstrap script\n"'
- 'echo "Adding quickstart identifier to cloud-version"'
- 'template="autoscale_qs"'
- 'cv_path="/etc/cloud-version"'
- 'if test -f ${cv_path}; then sed -i ''/template_name/c\template_name: ''"${template}"'''' /etc/cloud-version; fi'
- 'cv_json_path="/etc/cloud-version.json"'
- 'cv_json_path_tmp="/etc/cloud-version-tmp.json"'
- 'if test -f ${cv_json_path}; then cat ${cv_json_path} | jq ''.template_name = "''"${template}"''"'' > ${cv_json_path_tmp}; mv ${cv_json_path_tmp} ${cv_json_path}; fi'
- 'echo -e "\nFinished Bootstrap script\n"'
ManagementServer: !Sub '${ProvisionTag}-management'
ConfigurationTemplate: !Sub '${ProvisionTag}-template'
ManagementStack:
Type: AWS::CloudFormation::Stack
Condition: DeployManagement
Properties:
TemplateURL: https://s3.amazonaws.com/cgi-cfts/management/management.yaml
Parameters:
VPC: !Ref VPC
ManagementSubnet: !Select [0, !Ref GatewaysSubnets]
ManagementName: !Sub '${ResourcesTagName}-management'
ManagementInstanceType: !Ref ManagementInstanceType
VolumeSize: !Ref VolumeSize
VolumeType: !Ref VolumeType
KeyName: !Ref KeyName
VolumeEncryption: !If [VolumeEncryption, alias/aws/ebs, '']
EnableInstanceConnect: !Ref EnableInstanceConnect
TerminationProtection: !Ref TerminationProtection
ManagementVersion: !Ref ManagementVersion
ManagementPasswordHash: !Ref ManagementPasswordHash
ManagementPermissions: !Ref ManagementPermissions
ManagementPredefinedRole: !Ref ManagementPredefinedRole
AllowUploadDownload: !Ref AllowUploadDownload
AdminCIDR: !Ref AdminCIDR
GatewaysAddresses: !Ref GatewaysAddresses
ManagementBootstrapScript: !Join
- ';'
- - 'echo -e "\nStarting Bootstrap script\n"'
- 'echo "Setting up bootstrap parameters"'
- !Sub 'tag=${ProvisionTag} ; policy=${GatewaysPolicy} ; region=${AWS::Region} ; blades=${GatewaysBlades}'
- !Sub ['version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}]
- !Join ['', ['sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ' | base64 -d)"']]
- 'echo "Adding quickstart identifier to cloud-version"'
- 'template="management_qs"'
- 'cv_path="/etc/cloud-version"'
- 'if test -f ${cv_path}; then sed -i ''/template_name/c\template_name: ''"${template}"'''' /etc/cloud-version; fi'
- 'cv_json_path="/etc/cloud-version.json"'
- 'cv_json_path_tmp="/etc/cloud-version-tmp.json"'
- 'if test -f ${cv_json_path}; then cat ${cv_json_path} | jq ''.template_name = "''"${template}"''"'' > ${cv_json_path_tmp}; mv ${cv_json_path_tmp} ${cv_json_path}; fi'
- 'template="${tag}-template"'
- 'echo "Creating CME configuration"'
- 'autoprov_cfg -f init AWS -mn "${tag}-management" -tn "${template}" -cn "${tag}-controller" -po "${policy}" -otp "${sic}" -r "${region}" -ver "${version}" -iam'
- '${blades} && autoprov_cfg -f set template -tn "${template}" -ips -appi -av -ab'
- 'echo -e "\nFinished Bootstrap script\n"'
InternalSecurityGroup:
Type: AWS::EC2::SecurityGroup
Condition: DeployServers
Properties:
GroupDescription: Internal security group.
VpcId: !Ref VPC
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: !If [EncryptedProtocol, 443, 80]
ToPort: !If [EncryptedProtocol, 443, 80]
SourceSecurityGroupId: !GetAtt SecurityGatewaysStack.Outputs.SecurityGroup
- IpProtocol: icmp
FromPort: -1
ToPort: -1
SourceSecurityGroupId: !GetAtt SecurityGatewaysStack.Outputs.SecurityGroup
Tags:
- Key: Name
Value:
!Join
- _
- - !If [ ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName' ]
- Inter_SecurityGroup
InternalLBTargetGroup:
Type: AWS::ElasticLoadBalancingV2::TargetGroup
Condition: DeployServers
Properties:
VpcId: !Ref VPC
Protocol: !If [ALB, !Ref ALBProtocol, !Ref NLBProtocol]
Port: !If [EncryptedProtocol, 443, 80]
Tags:
- Key: Name
Value:
!Join
- _
- - !If [ ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName' ]
- Inter
- !If [ALB, "ALB", "NLB"]
- TargetGroup
InternalLoadBalancer:
Type: AWS::ElasticLoadBalancingV2::LoadBalancer
Condition: DeployServers
Properties:
Type: !If [ALB, application, network]
Scheme: internal
Subnets: !Ref ServersSubnets
SecurityGroups:
- !If [ALB, !GetAtt InternalSecurityGroup.GroupId, !Ref 'AWS::NoValue']
Tags:
- Key: x-chkp-management
Value: !Sub '${ProvisionTag}-management'
- Key: x-chkp-template
Value: !Sub '${ProvisionTag}-template'
- Key: Name
Value:
!Join
- _
- - !If [ ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName' ]
- Inter
- !If [ ALB, "ALB", "NLB" ]
InternalLBListener:
Type: AWS::ElasticLoadBalancingV2::Listener
Condition: DeployServers
DependsOn: [InternalLoadBalancer, InternalLBTargetGroup]
Properties:
DefaultActions:
- Type: forward
TargetGroupArn: !Ref InternalLBTargetGroup
LoadBalancerArn: !Ref InternalLoadBalancer
Protocol: !If [ALB, !Ref ALBProtocol, !Ref NLBProtocol]
Port: !If [EncryptedProtocol, 443, 80]
Certificates:
- CertificateArn: !If [EncryptedProtocol, !Ref Certificate, !Ref 'AWS::NoValue']
ServersStack:
Type: AWS::CloudFormation::Stack
Condition: DeployServers
DependsOn: [InternalLBTargetGroup, InternalSecurityGroup]
Properties:
TemplateURL: https://s3.amazonaws.com/cgi-cfts/autoscale/custom-autoscale.yaml
Parameters:
VPC: !Ref VPC
ServersSubnets: !Join [',', !Ref ServersSubnets]
ServerAMI: !Ref ServerAMI
ServerName: !Sub '${ResourcesTagName}-server'
ServerInstanceType: !Ref ServerInstanceType
KeyName: !Ref KeyName
ServersMinSize: !Ref GatewaysMinSize
ServersMaxSize: !Ref GatewaysMaxSize
AdminEmail: !Ref AdminEmail
ServersTargetGroups: !Ref InternalLBTargetGroup
SourceSecurityGroup: !If [NLB, !Ref 'AWS::NoValue', !Ref InternalSecurityGroup]
Outputs:
InternalPort:
Description: The internal Load Balancer should listen to this port.
Value: !If [EncryptedProtocol, 443, 80]
ManagementName:
Description: The name that represents the Security Management Server.
Value: !Sub '${ProvisionTag}-management'
ConfigurationTemplateName:
Description: The name that represents the configuration template. Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name.
Value: !Sub '${ProvisionTag}-template'
ControllerName:
Description: The name that represents the controller. Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name.
Value: !Sub '${ProvisionTag}-controller'
LBURL:
Description: The URL of the external Load Balancer.
Value: !GetAtt ExternalLoadBalancer.DNSName