---
AWSTemplateFormatVersion: 2010-09-09
Description: "This template creates lambda function required to configure 2 ADCs in HA pair across Availability Zones"
Parameters:
  PrimaryInstanceID:
    Description: Primary ADC Instance ID
    Type: String
  PrimaryManagementPrivateIP:
    Description: Primary Management Private IP
    Type: String
  ManagementSecurityGroupID:
    Type: String
  PrimaryManagementPrivateSubnetID:
    Type: AWS::EC2::Subnet::Id
    Description: >-
      Private Subnet ID of an existing subnet dedicated for Primary Management ENI.
  SecondaryManagementPrivateSubnetID:
    Type: AWS::EC2::Subnet::Id
    Description: >-
      Private Subnet ID of an existing subnet dedicated for Secondary Management ENI.
  QSS3BucketName:
    AllowedPattern: "^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$"
    ConstraintDescription: >-
      Quick Start bucket name can include numbers, lowercase letters, uppercase
      letters, and hyphens (-). It cannot start or end with a hyphen (-).
    Description: >-
      S3 bucket name for the Quick Start assets. This bucket name can include
      numbers, lowercase letters, uppercase letters, and hyphens (-), but should
      not start or end with a hyphen. You can specify your own bucket if you copy
      all of the assets and submodules into it, if you want to override the
      Quick Start behavior for your specific implementation.
    Type: String
  QSS3KeyPrefix:
    AllowedPattern: "^[0-9a-zA-Z-/]*/$"
    ConstraintDescription: >-
      Quick Start key prefix can include numbers, lowercase letters, uppercase
      letters, hyphens (-), and forward slash (/).
    Default: quickstart-citrix-adc-waf/
    Description: >-
      [Note] The QSS3KeyPrefix should have to end with forward slash (/).
      S3 key prefix for the Quick Start assets. Quick Start key prefix can
      include numbers, lowercase letters, uppercase letters, hyphens (-), and
      forward slash (/).
    Type: String
Resources:
  WAFRole:
    Type: AWS::IAM::Role
    Properties:
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName} LambdaRole
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - "sts:AssumeRole"
      Policies:
        - PolicyName: lambdalogtocloudwatch
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - "logs:CreateLogGroup"
                  - "logs:CreateLogStream"
                  - "logs:PutLogEvents"
                  - "logs:CreateExportTask"
                  - "logs:DescribeExportTask"
                Resource: "arn:aws:logs:*:*:*"
        - PolicyName: lambdaallowreadec2
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Action:
                  - "ec2:DescribeInstances"
                  - "ec2:DescribeNetworkInterfaces"
                  - "ec2:DescribeSubnets"
                  - "ec2:DescribeVpcs"
                  - "ec2:DescribeAvailabilityZones"
                  - "ec2:DescribeInstanceStatus"
                Resource: "*"
                Effect: Allow
        - PolicyName: lambdaallowvpcaccessexecution
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Action:
                  - "ec2:CreateNetworkInterface"
                  - "ec2:DeleteNetworkInterface"
                  - "ec2:AttachNetworkInterface"
                  - "ec2:DetachNetworkInterface"
                  - "ec2:ModifyNetworkInterfaceAttribute"
                  - "ec2:ResetNetworkInterfaceAttribute"
                Resource: "*"
                Effect: Allow
  ConfigureWAFFunction:
    Type: AWS::Lambda::Function
    Properties:
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName} LambdaFunction
      Code:
        S3Bucket: !Ref QSS3BucketName
        S3Key: !Sub ${QSS3KeyPrefix}functions/packages/waf/lambda-waf.zip
      Handler: lambda_waf.lambda_handler
      Runtime: python3.6
      Timeout: 900
      Role: !GetAtt WAFRole.Arn
      VpcConfig:
        SubnetIds:
          - !Ref PrimaryManagementPrivateSubnetID
          - !Ref SecondaryManagementPrivateSubnetID
        SecurityGroupIds:
          - !Ref ManagementSecurityGroupID
  ConfigureLambda:
    Type: Custom::LambdaWAF
    Properties:
      ServiceToken: !GetAtt ConfigureWAFFunction.Arn
      PrimaryADCInstanceID: !Ref PrimaryInstanceID
      PrimaryADCPrivateNSIP: !Ref PrimaryManagementPrivateIP