AWSTemplateFormatVersion: 2010-09-09
Description: Deploy a Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, an external ALB/NLB, and optionally a Security Management Server and a web server Auto Scaling Group. (qs-1ofn34qmm)
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: General Settings
        Parameters:
          - VPC
          - KeyName
          - EnableVolumeEncryption
          - VolumeSize
          - VolumeType
          - EnableInstanceConnect
          - TerminationProtection
          - AllowUploadDownload
          - ProvisionTag
          - LoadBalancersType
          - ALBProtocol
          - NLBProtocol
          - Certificate
          - ServicePort
          - AdminEmail
          - ResourcesTagName
      - Label:
          default: Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration
        Parameters:
          - GatewaysSubnets
          - GatewayInstanceType
          - GatewaysMinSize
          - GatewaysMaxSize
          - GatewayVersion
          - GatewayPasswordHash
          - GatewaySICKey
          - CloudWatch
      - Label:
          default: Check Point CloudGuard IaaS Security Management Server Configuration
        Parameters:
          - ManagementDeploy
          - ManagementInstanceType
          - ManagementVersion
          - ManagementPasswordHash
          - ManagementPermissions
          - ManagementPredefinedRole
          - GatewaysPolicy
          - GatewaysBlades
          - AdminCIDR
          - GatewaysAddresses
      - Label:
          default: Web Servers Auto Scaling Group Configuration
        Parameters:
          - ServersDeploy
          - ServersSubnets
          - ServerInstanceType
          - ServerAMI
    ParameterLabels:
      VPC:
        default: VPC
      KeyName:
        default: Key name
      EnableVolumeEncryption:
        default: Enable environment volume encryption
      VolumeSize:
        default: Root volume size (GB)
      VolumeType:
        default: Volume Type
      EnableInstanceConnect:
        default: Enable AWS Instance Connect
      TerminationProtection:
        default: Termination Protection
      AllowUploadDownload:
        default: Allow upload & download
      ProvisionTag:
        default: Auto Provision tag
      LoadBalancersType:
        default: Load Balancers
      ALBProtocol:
        default: ALB Protocol
      NLBProtocol:
        default: NLB Protocol
      Certificate:
        default: HTTPS certificate
      ServicePort:
        default: Custom service port
      AdminEmail:
        default: Email address
      ResourcesTagName:
        default: Resources prefix tag
      GatewaysSubnets:
        default: Gateways subnets
      GatewayInstanceType:
        default: Gateways instance type
      GatewaysMinSize:
        default: Minimum group size
      GatewaysMaxSize:
        default: Maximum group size
      GatewayVersion:
        default: Gateways version & license
      GatewayPasswordHash:
        default: Gateways Password hash
      GatewaySICKey:
        default: Gateways SIC key
      CloudWatch:
        default: CloudWatch metrics
      ManagementDeploy:
        default: Deploy Management Server
      ManagementInstanceType:
        default: Management instance type
      ManagementVersion:
        default: Management version & license
      ManagementPasswordHash:
        default: Management password hash
      ManagementPermissions:
        default: IAM role
      ManagementPredefinedRole:
        default: Existing IAM role name
      GatewaysPolicy:
        default: Security Policy
      GatewaysBlades:
        default: Default Blades
      AdminCIDR:
        default: Administrator addresses
      GatewaysAddresses:
        default: Gateways addresses
      ServersDeploy:
        default: Deploy servers
      ServersSubnets:
        default: Subnet IDs
      ServerInstanceType:
        default: Servers instance type
      ServerAMI:
        default: AMI ID
Parameters:
  VPC:
    Description: Select an existing VPC.
    Type: AWS::EC2::VPC::Id
    MinLength: 1
    ConstraintDescription: You must select a VPC.
  KeyName:
    Description: The EC2 Key Pair to allow SSH access to the instances created by this stack.
    Type: AWS::EC2::KeyPair::KeyName
    MinLength: 1
    ConstraintDescription: Must be the name of an existing EC2 KeyPair.
  EnableVolumeEncryption:
    Description: Encrypt Environment instances volume with default AWS KMS key.
    Type: String
    Default: true
    AllowedValues:
      - true
      - false
  VolumeSize:
    Type: Number
    Default: 100
    MinValue: 100
  VolumeType:
    Description: General Purpose SSD Volume Type
    Type: String
    Default: gp3
    AllowedValues:
      - gp3
      - gp2
  EnableInstanceConnect:
    Description: Enable SSH connection over AWS web console.
    Type: String
    Default: false
    AllowedValues:
      - true
      - false
  TerminationProtection:
    Description: Prevents an instance from accidental termination.
    Type: String
    Default: false
    AllowedValues:
      - true
      - false
  AllowUploadDownload:
    Description: Automatically download updates and share statistical data for product improvement purpose.
    Type: String
    Default: true
    AllowedValues:
      - true
      - false
  ProvisionTag:
    Description: The tag is used by the Security Management Server to automatically provision the Security Gateways. Must be up to 12 alphanumeric characters and unique for each Quick Start deployment.
    Type: String
    Default: quickstart
    AllowedPattern: '^[a-zA-Z0-9-]{1,12}$'
    ConstraintDescription: The tag must be up to 12 alphanumeric character.
  LoadBalancersType:
    Description: Use Network Load Balancer if you wish to preserve the source IP address and Application Load Balancer if you wish to use content based routing.
    Default: Network Load Balancer
    Type: String
    AllowedValues:
      - Network Load Balancer
      - Application Load Balancer
  ALBProtocol:
    Description: The protocol to use on the Application Load Balancer. If Network Load Balancer was selected this section will be ignored.
    Type: String
    Default: HTTP
    AllowedValues:
      - HTTP
      - HTTPS
  NLBProtocol:
    Description: The protocol to use on the Network Load Balancer. If Application Load Balancer was selected this section will be ignored.
    Type: String
    Default: TCP
    AllowedValues:
      - TCP
      - TLS
      - UDP
      - TCP_UDP
  Certificate:
    Description: Amazon Resource Name (ARN) of an HTTPS Certificate, ignored if the selected protocol is HTTP.
    Type: String
    AllowedPattern: '^(arn:[\w+=/,.@-]+:[\w+=/,.@-]+:[\w+=/,.@-]*:[0-9]+:[\w+=,.@-]+(/[\w+=,.@-]+)*)?$'
    ConstraintDescription: 'Must be a valid Amazon Resource Name (ARN), for example: arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012.'
  ServicePort:
    Description: 'The external Load Balancer listens to this port. Leave this field blank to use default ports: 80 for HTTP and 443 for HTTPS.'
    Type: String
    AllowedPattern: '^([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])?$'
    ConstraintDescription: Custom service port must be a number between 0 and 65535.
  AdminEmail:
    Description: Notifications about scaling events will be sent to this email address. (optional)
    Type: String
    Default: ''
    AllowedPattern: '^(([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?))?$'
    ConstraintDescription: Must be a valid email address.
  ResourcesTagName:
    Description: The name tag of the resources. (optional)
    Type: String
    Default: ''
  GatewaysSubnets:
    Description: Select at least 2 public subnets in the VPC. If you choose to deploy a Security Management Server it will be deployed in the first subnet.
    Type: List<AWS::EC2::Subnet::Id>
    AllowedPattern: '.+'
  GatewayInstanceType:
    Description: The EC2 instance type for the Security Gateways.
    Type: String
    Default: c5.xlarge
    AllowedValues:
      - c4.large
      - c4.xlarge
      - c5.large
      - c5.xlarge
      - c5.2xlarge
      - c5.4xlarge
      - c5.9xlarge
      - c5.18xlarge
      - c5n.large
      - c5n.xlarge
      - c5n.2xlarge
      - c5n.4xlarge
      - c5n.9xlarge
      - c5n.18xlarge
      - m5.large
      - m5.xlarge
      - m5.2xlarge
      - m5.4xlarge
      - m5.8xlarge
      - m5.12xlarge
      - m6i.large
      - m6i.xlarge
      - m6i.2xlarge
      - m6i.4xlarge
      - m6i.12xlarge
      - m6i.24xlarge
      - c6i.large
      - c6i.xlarge
      - c6i.2xlarge
      - c6i.4xlarge
      - c6i.12xlarge
      - c6i.24xlarge
      - r5.large
      - r5.xlarge
      - r5.2xlarge
      - r5.4xlarge
      - r5.12xlarge
      - r5.24xlarge
      - r5a.large
      - r5a.xlarge
      - r5a.2xlarge
      - r5a.4xlarge
      - r5a.12xlarge
      - r5a.24xlarge
      - r5b.large
      - r5b.xlarge
      - r5b.2xlarge
      - r5b.4xlarge
      - r5b.12xlarge
      - r5b.24xlarge
      - r5n.large
      - r5n.xlarge
      - r5n.2xlarge
      - r5n.4xlarge
      - r5n.12xlarge
      - r5n.24xlarge
      - m6a.large
      - m6a.xlarge
      - m6a.2xlarge
      - m6a.4xlarge
      - m6a.12xlarge
      - m6a.24xlarge
    ConstraintDescription: Must be a valid EC2 instance type
  GatewaysMinSize:
    Description: The minimal number of Security Gateways.
    Type: Number
    Default: 2
    MinValue: 1
  GatewaysMaxSize:
    Description: The maximal number of Security Gateways.
    Type: Number
    Default: 10
    MinValue: 1
  GatewayVersion:
    Description: The version and license to install on the Security Gateways.
    Type: String
    Default: R81.10-BYOL
    AllowedValues:
      - R80.40-BYOL
      - R80.40-PAYG-NGTP
      - R80.40-PAYG-NGTX
      - R81-BYOL
      - R81-PAYG-NGTP
      - R81-PAYG-NGTX
      - R81.10-BYOL
      - R81.10-PAYG-NGTP
      - R81.10-PAYG-NGTX
      - R81.20-BYOL
      - R81.20-PAYG-NGTP
      - R81.20-PAYG-NGTX
  GatewayPasswordHash:
    Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional)
    Type: String
    Default: ''
    AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
    NoEcho: true
  GatewaySICKey:
    Description: The Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters.
    Type: String
    AllowedPattern: '^[a-zA-Z0-9]{8,}$'
    ConstraintDescription: Secure Internal Communication activation key should contain only alpha numeric characters and be at least 8 characters long.
    NoEcho: true
  CloudWatch:
    Description: Report Check Point specific CloudWatch metrics.
    Type: String
    Default: false
    AllowedValues:
      - true
      - false
  ManagementDeploy:
    Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section.
    Type: String
    Default: true
    AllowedValues:
      - true
      - false
  ManagementInstanceType:
    Description: The EC2 instance type of the Security Management Server.
    Type: String
    Default: m5.xlarge
    AllowedValues:
      - c5.large
      - c5.xlarge
      - c5.2xlarge
      - c5.4xlarge
      - c5.9xlarge
      - c5.18xlarge
      - c5n.large
      - c5n.xlarge
      - c5n.2xlarge
      - c5n.4xlarge
      - c5n.9xlarge
      - c5n.18xlarge
      - m5.large
      - m5.xlarge
      - m5.2xlarge
      - m5.4xlarge
      - m5.8xlarge
      - m5.12xlarge
      - m5.24xlarge
      - m6i.large
      - m6i.xlarge
      - m6i.2xlarge
      - m6i.4xlarge
      - m6i.12xlarge
      - m6i.24xlarge
      - c6i.large
      - c6i.xlarge
      - c6i.2xlarge
      - c6i.4xlarge
      - c6i.12xlarge
      - c6i.24xlarge
      - r5.large
      - r5.xlarge
      - r5.2xlarge
      - r5.4xlarge
      - r5.12xlarge
      - r5.24xlarge
      - r5a.large
      - r5a.xlarge
      - r5a.2xlarge
      - r5a.4xlarge
      - r5a.12xlarge
      - r5a.24xlarge
      - r5b.large
      - r5b.xlarge
      - r5b.2xlarge
      - r5b.4xlarge
      - r5b.12xlarge
      - r5b.24xlarge
      - r5n.large
      - r5n.xlarge
      - r5n.2xlarge
      - r5n.4xlarge
      - r5n.12xlarge
      - r5n.24xlarge
      - m6a.large
      - m6a.xlarge
      - m6a.2xlarge
      - m6a.4xlarge
      - m6a.12xlarge
      - m6a.24xlarge
    ConstraintDescription: Must be a valid EC2 instance type
  ManagementVersion:
    Description: The license to install on the Security Management Server.
    Type: String
    Default: R81.10-BYOL
    AllowedValues:
      - R81-BYOL
      - R81-PAYG
      - R81.10-BYOL
      - R81.10-PAYG
      - R81.20-BYOL
      - R81.20-PAYG
  ManagementPasswordHash:
    Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional)
    Type: String
    Default: ''
    AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
    NoEcho: true
  ManagementPermissions:
    Description: IAM role to attach to the instance profile.
    Type: String
    Default: Create with read-write permissions
    AllowedValues:
      - None (configure later)
      - Use existing (specify an existing IAM role name)
      - Create with assume role permissions (specify an STS role ARN)
      - Create with read permissions
      - Create with read-write permissions
  ManagementPredefinedRole:
    Description: A predefined IAM role to attach to the instance profile. Ignored if IAM role is not set to 'Use existing'.
    Type: String
    Default: ''
  GatewaysPolicy:
    Description: The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group.
    Type: String
    Default: Standard
    MinLength: 1
  GatewaysBlades:
    Description: Turn on the Intrusion Prevention System, Application Control, Anti-Virus and Anti-Bot Blades (additional Blades can be manually turned on later).
    Type: String
    Default: true
    AllowedValues:
      - true
      - false
  AdminCIDR:
    Description: Allow web, SSH, and graphical clients only from this network to communicate with the Security Management Server.
    Type: String
    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
  GatewaysAddresses:
    Description: Allow gateways only from this network to communicate with the Security Management Server.
    Type: String
    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
  ServersDeploy:
    Description: Select 'true' to deploy web servers and an internal Application Load Balancer. If you select 'false' the other parameters of this section will be ignored.
    Type: String
    Default: false
    AllowedValues:
      - true
      - false
  ServersSubnets:
    Description: Provide at least 2 private subnet IDs in the chosen VPC, separated by commas (e.g. subnet-0d72417c,subnet-1f61306f,subnet-1061d06f).
    Type: List<AWS::EC2::Subnet::Id>
    AllowedPattern: '.+'
  ServerInstanceType:
    Description: The EC2 instance type for the web servers.
    Type: String
    Default: t3.micro
    AllowedValues:
      - t3.nano
      - t3.micro
      - t3.small
      - t3.medium
      - t3.large
      - t3.xlarge
      - t3.2xlarge
    ConstraintDescription: Must be a valid EC2 instance type.
  ServerAMI:
    Description: The Amazon Machine Image ID of a preconfigured web server (e.g. ami-0dc7dc63).
    Type: String
    AllowedPattern: '^(ami-(([0-9a-f]{8})|([0-9a-f]{17})))?$'
    ConstraintDescription: Amazon Machine Image ID must be in the form ami-xxxxxxxx or ami-xxxxxxxxxxxxxxxxx.
Conditions:
  VolumeEncryption: !Equals [!Ref EnableVolumeEncryption, true]
  DeployManagement: !Equals [!Ref ManagementDeploy, true]
  DeployServers: !Equals [!Ref ServersDeploy, true]
  ALB: !Equals [!Ref LoadBalancersType, Application Load Balancer]
  NLB: !Not [!Condition ALB]
  EncryptedProtocol: !Or
    - !And [!Condition ALB, !Equals [ALBProtocol, HTTPS]]
    - !And [!Condition NLB, !Equals [NLBProtocol, TLS]]
  ProvidedPort: !Not [!Equals [!Ref ServicePort, '']]
  ProvidedResourcesTag: !Not [!Equals [!Ref ResourcesTagName, '']]
Resources:
  ExternalALBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Condition: ALB
    Properties:
      GroupDescription: External ALB security group.
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: !If [ProvidedPort, !Ref ServicePort, !If [EncryptedProtocol, 443, 80]]
          ToPort: !If [ProvidedPort, !Ref ServicePort, !If [EncryptedProtocol, 443, 80]]
          CidrIp: 0.0.0.0/0
      Tags:
        - Key: Name
          Value:
            !Join
            - _
            - - !If [ ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName' ]
              - Exter_ALB_SecurityGroup
  ExternalLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: !If [ALB, application, network]
      Scheme: internet-facing
      Subnets: !Ref GatewaysSubnets
      SecurityGroups:
        - !If [ALB, !GetAtt ExternalALBSecurityGroup.GroupId, !Ref 'AWS::NoValue']
      Tags:
        - Key: Name
          Value:
            !Join
            - _
            - - !If [ ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName' ]
              - Exter
              - !If [ALB, "ALB", "NLB"]
  ExternalLBTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VPC
      Protocol: !If [ALB, !Ref ALBProtocol, !Ref NLBProtocol]
      Port: !If [EncryptedProtocol, 9443, 9080]
      Tags:
        - Key: Name
          Value:
            !Join
            - _
            - - !If [ ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName' ]
              - Exter
              - !If [ALB, "ALB", "NLB"]
              - TargetGroup
  ExternalLBListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    DependsOn: [ExternalLoadBalancer, ExternalLBTargetGroup]
    Properties:
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref ExternalLBTargetGroup
      LoadBalancerArn: !Ref ExternalLoadBalancer
      Protocol: !If [ALB, !Ref ALBProtocol, !Ref NLBProtocol]
      Port: !If [ProvidedPort, !Ref ServicePort, !If [EncryptedProtocol, 443, 80]]
  SecurityGatewaysStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: https://s3.amazonaws.com/cgi-cfts/autoscale/autoscale.yaml
      Parameters:
        VPC: !Ref VPC
        GatewaysSubnets: !Join [',', !Ref GatewaysSubnets]
        GatewayName: !Sub '${ResourcesTagName}-security-gateway'
        GatewayInstanceType: !Ref GatewayInstanceType
        KeyName: !Ref KeyName
        EnableVolumeEncryption: !Ref EnableVolumeEncryption
        VolumeSize: !Ref VolumeSize
        VolumeType: !Ref VolumeType
        EnableInstanceConnect: !Ref EnableInstanceConnect
        GatewaysMinSize: !Ref GatewaysMinSize
        GatewaysMaxSize: !Ref GatewaysMaxSize
        AdminEmail: !Ref AdminEmail
        GatewaysTargetGroups: !Ref ExternalLBTargetGroup
        GatewayVersion: !Ref GatewayVersion
        GatewayPasswordHash: !Ref GatewayPasswordHash
        GatewaySICKey: !Ref GatewaySICKey
        AllowUploadDownload: !Ref AllowUploadDownload
        CloudWatch: !Ref CloudWatch
        GatewayBootstrapScript: !Join
          - ';'
          - - 'echo -e "\nStarting Bootstrap script\n"'
            - 'echo "Adding quickstart identifier to cloud-version"'
            - 'template="autoscale_qs"'
            - 'cv_path="/etc/cloud-version"'
            - 'if test -f ${cv_path}; then sed -i ''/template_name/c\template_name: ''"${template}"'''' /etc/cloud-version; fi'
            - 'cv_json_path="/etc/cloud-version.json"'
            - 'cv_json_path_tmp="/etc/cloud-version-tmp.json"'
            - 'if test -f ${cv_json_path}; then cat ${cv_json_path} | jq ''.template_name = "''"${template}"''"'' > ${cv_json_path_tmp}; mv ${cv_json_path_tmp} ${cv_json_path}; fi'
            - 'echo -e "\nFinished Bootstrap script\n"'
        ManagementServer: !Sub '${ProvisionTag}-management'
        ConfigurationTemplate: !Sub '${ProvisionTag}-template'
  ManagementStack:
    Type: AWS::CloudFormation::Stack
    Condition: DeployManagement
    Properties:
      TemplateURL: https://s3.amazonaws.com/cgi-cfts/management/management.yaml
      Parameters:
        VPC: !Ref VPC
        ManagementSubnet: !Select [0, !Ref GatewaysSubnets]
        ManagementName: !Sub '${ResourcesTagName}-management'
        ManagementInstanceType: !Ref ManagementInstanceType
        VolumeSize: !Ref VolumeSize
        VolumeType: !Ref VolumeType
        KeyName: !Ref KeyName
        VolumeEncryption: !If [VolumeEncryption, alias/aws/ebs, '']
        EnableInstanceConnect: !Ref EnableInstanceConnect
        TerminationProtection: !Ref TerminationProtection
        ManagementVersion: !Ref ManagementVersion
        ManagementPasswordHash: !Ref ManagementPasswordHash
        ManagementPermissions: !Ref ManagementPermissions
        ManagementPredefinedRole: !Ref ManagementPredefinedRole
        AllowUploadDownload: !Ref AllowUploadDownload
        AdminCIDR: !Ref AdminCIDR
        GatewaysAddresses: !Ref GatewaysAddresses
        ManagementBootstrapScript: !Join
          - ';'
          - - 'echo -e "\nStarting Bootstrap script\n"'
            - 'echo "Setting up bootstrap parameters"'
            - !Sub 'tag=${ProvisionTag} ; policy=${GatewaysPolicy} ; region=${AWS::Region} ; blades=${GatewaysBlades}'
            - !Sub ['version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}]
            - !Join ['', ['sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ' | base64 -d)"']]
            - 'echo "Adding quickstart identifier to cloud-version"'
            - 'template="management_qs"'
            - 'cv_path="/etc/cloud-version"'
            - 'if test -f ${cv_path}; then sed -i ''/template_name/c\template_name: ''"${template}"'''' /etc/cloud-version; fi'
            - 'cv_json_path="/etc/cloud-version.json"'
            - 'cv_json_path_tmp="/etc/cloud-version-tmp.json"'
            - 'if test -f ${cv_json_path}; then cat ${cv_json_path} | jq ''.template_name = "''"${template}"''"'' > ${cv_json_path_tmp}; mv ${cv_json_path_tmp} ${cv_json_path}; fi'
            - 'template="${tag}-template"'
            - 'echo "Creating CME configuration"'
            - 'autoprov_cfg -f init AWS -mn "${tag}-management" -tn "${template}" -cn "${tag}-controller" -po "${policy}" -otp "${sic}" -r "${region}" -ver "${version}" -iam'
            - '${blades} && autoprov_cfg -f set template -tn "${template}" -ips -appi -av -ab'
            - 'echo -e "\nFinished Bootstrap script\n"'
  InternalSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Condition: DeployServers
    Properties:
      GroupDescription: Internal security group.
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: !If [EncryptedProtocol, 443, 80]
          ToPort: !If [EncryptedProtocol, 443, 80]
          SourceSecurityGroupId: !GetAtt SecurityGatewaysStack.Outputs.SecurityGroup
        - IpProtocol: icmp
          FromPort: -1
          ToPort: -1
          SourceSecurityGroupId: !GetAtt SecurityGatewaysStack.Outputs.SecurityGroup
      Tags:
        - Key: Name
          Value:
            !Join
            - _
            - - !If [ ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName' ]
              - Inter_SecurityGroup
  InternalLBTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Condition: DeployServers
    Properties:
      VpcId: !Ref VPC
      Protocol: !If [ALB, !Ref ALBProtocol, !Ref NLBProtocol]
      Port: !If [EncryptedProtocol, 443, 80]
      Tags:
        - Key: Name
          Value:
            !Join
            - _
            - - !If [ ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName' ]
              - Inter
              - !If [ALB, "ALB", "NLB"]
              - TargetGroup
  InternalLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Condition: DeployServers
    Properties:
      Type: !If [ALB, application, network]
      Scheme: internal
      Subnets: !Ref ServersSubnets
      SecurityGroups:
        - !If [ALB, !GetAtt InternalSecurityGroup.GroupId, !Ref 'AWS::NoValue']
      Tags:
        - Key: x-chkp-management
          Value: !Sub '${ProvisionTag}-management'
        - Key: x-chkp-template
          Value: !Sub '${ProvisionTag}-template'
        - Key: Name
          Value:
            !Join
            - _
            - - !If [ ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName' ]
              - Inter
              - !If [ ALB, "ALB", "NLB" ]
  InternalLBListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Condition: DeployServers
    DependsOn: [InternalLoadBalancer, InternalLBTargetGroup]
    Properties:
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref InternalLBTargetGroup
      LoadBalancerArn: !Ref InternalLoadBalancer
      Protocol: !If [ALB, !Ref ALBProtocol, !Ref NLBProtocol]
      Port: !If [EncryptedProtocol, 443, 80]
      Certificates:
        - CertificateArn: !If [EncryptedProtocol, !Ref Certificate, !Ref 'AWS::NoValue']
  ServersStack:
    Type: AWS::CloudFormation::Stack
    Condition: DeployServers
    DependsOn: [InternalLBTargetGroup, InternalSecurityGroup]
    Properties:
      TemplateURL: https://s3.amazonaws.com/cgi-cfts/autoscale/custom-autoscale.yaml
      Parameters:
        VPC: !Ref VPC
        ServersSubnets: !Join [',', !Ref ServersSubnets]
        ServerAMI: !Ref ServerAMI
        ServerName: !Sub '${ResourcesTagName}-server'
        ServerInstanceType: !Ref ServerInstanceType
        KeyName: !Ref KeyName
        ServersMinSize: !Ref GatewaysMinSize
        ServersMaxSize: !Ref GatewaysMaxSize
        AdminEmail: !Ref AdminEmail
        ServersTargetGroups: !Ref InternalLBTargetGroup
        SourceSecurityGroup: !If [NLB, !Ref 'AWS::NoValue', !Ref InternalSecurityGroup]
Outputs:
  InternalPort:
    Description: The internal Load Balancer should listen to this port.
    Value: !If [EncryptedProtocol, 443, 80]
  ManagementName:
    Description: The name that represents the Security Management Server.
    Value: !Sub '${ProvisionTag}-management'
  ConfigurationTemplateName:
    Description: The name that represents the configuration template. Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name.
    Value: !Sub '${ProvisionTag}-template'
  ControllerName:
    Description: The name that represents the controller. Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name.
    Value: !Sub '${ProvisionTag}-controller'
  LBURL:
    Description: The URL of the external Load Balancer.
    Value: !GetAtt ExternalLoadBalancer.DNSName