AWSTemplateFormatVersion: 2010-09-09
Description: Cribl LogStream+VPC QuickStart Deployment x86_64 (qs-1skh1tk51)
Metadata:
  QuickStartDocumentation:
    EntrypointName: Deploy into a new VPC with VPC Flow Logs enabled
    Order: 3
  LICENSE: Apache License, Version 2.0
  'AWS::CloudFormation::Interface':
    ParameterGroups:
      - Label:
          default: Network configuration
        Parameters:
          - AvailabilityZones
          - VPCCIDR
          - PublicSubnet1CIDR
          - PublicSubnet2CIDR
          - PrivateSubnet1CIDR
          - PrivateSubnet2CIDR
          - VPCTenancy
      - Label:
          default: Amazon EC2 configuration
        Parameters:
          - instanceType
          - webAccessCidr
      - Label:
          default: Flow Logs Parameters
        Parameters:
          - ExternalLogBucket
          - LogFilePrefix
          - TrafficType
      - Label:
          default: AWS Quick Start configuration
        Parameters:
          - QSS3BucketName
          - QSS3KeyPrefix
          - QSS3BucketRegion
    ParameterLabels:
      AvailabilityZones:
        default: Availability Zones
      PublicSubnet1CIDR:
        default: Public subnet 1 CIDR
      PublicSubnet2CIDR:
        default: Public subnet 2 CIDR
      PrivateSubnet1CIDR:
        default: Private subnet 1 CIDR
      PrivateSubnet2CIDR:
        default: Private subnet 2 CIDR
      VPCTenancy:
        default: VPC tenancy
      VPCCIDR:
        default: VPC CIDR
      instanceType:
        default: EC2 instance type
      QSS3BucketName:
        default: Quick Start S3 bucket name
      QSS3KeyPrefix:
        default: Quick Start S3 key prefix
  cfn-lint: { config: { ignore_checks: [E9007] } }
Parameters:
  AvailabilityZones:
    Description: List of Availability Zones to use for the subnets in the VPC.
    Type: 'List<AWS::EC2::AvailabilityZone::Name>'
  instanceType:
    Description: EC2 instance type to provision the LogStream instance. If none specified, c5.xlarge is used.
    Type: String
    Default: c5.xlarge
    AllowedValues:
      - c5.large
      - c5.xlarge
      - c5d.large
      - c5d.xlarge
      - c5a.large
      - c5a.xlarge
      - c5ad.large
      - c5ad.xlarge
    ConstraintDescription: Must contain valid instance type
  PrivateSubnet1CIDR:
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
    Default: 10.0.0.0/19
    Description: CIDR block for private subnet 1, located in Availability Zone 1.
    Type: String
  PrivateSubnet2CIDR:
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
    Default: 10.0.32.0/19
    Description: CIDR block for private subnet 2, located in Availability Zone 2.
    Type: String
  PublicSubnet1CIDR:
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
    Default: 10.0.128.0/20
    Description: CIDR block for the public DMZ subnet 1, located in Availability Zone 1.
    Type: String
  PublicSubnet2CIDR:
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
    Default: 10.0.144.0/20
    Description: CIDR block for the public DMZ subnet 2, located in Availability Zone 2.
    Type: String
  VPCTenancy:
    AllowedValues:
      - default
      - dedicated
    Default: default
    Description: The allowed tenancy of instances launched into the VPC.
    Type: String
  QSS3BucketName:
    AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$
    ConstraintDescription: The Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).
    Default: aws-quickstart
    Description: Name of the S3 bucket for your copy of the Quick Start assets. Keep the default name unless you are customizing the template. Changing the name updates code references to point to a new Quick Start location. This name can include numbers, lowercase letters, uppercase letters, and hyphens, but do not start or end with a hyphen (-). See https://aws-quickstart.github.io/option1.html.
    Type: String
  QSS3BucketRegion:
    Default: 'us-east-1'
    Description: 'AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. Keep the default Region unless you are customizing the template. Changing this Region updates code references to point to a new Quick Start location. When using your own bucket, specify the Region. See https://aws-quickstart.github.io/option1.html.'
    Type: String
  QSS3KeyPrefix:
    AllowedPattern: ^([0-9a-zA-Z-.]+/)*$
    ConstraintDescription: The Quick Start S3 key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slashes (/).
    Default: quickstart-cribl-logstream/
    Description: S3 key prefix that is used to simulate a directory for your copy of the Quick Start assets. Keep the default prefix unless you are customizing the template. Changing this prefix updates code references to point to a new Quick Start location. This prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slashes (/). End with a forward slash. See https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMetadata.html and https://aws-quickstart.github.io/option1.html.
    Type: String
  webAccessCidr:
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/x
    Description: "REQUIRED: The CIDR IP range permitted to access the LogStream web console. Set this to a trusted IP range; 0.0.0.0/0 exposes the console to the entire internet, and the instance is launched into the public subnets."
    Type: String
    # Deliberately no Default: the parameter is marked REQUIRED, and a default of
    # 0.0.0.0/0 would silently open the console security group to the world.
  VPCCIDR:
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
    Default: 10.0.0.0/16
    Description: CIDR block for the VPC.
    Type: String
  ExternalLogBucket:
    Description: >-
      (Optional) The name of an S3 bucket where you want to store flow logs.
      If you leave this empty, an Amazon S3 bucket is created for you.
    Type: String
    Default: ''
  LogFilePrefix:
    Description: (Optional) The log file prefix.
    Type: String
    Default: ''
  TrafficType:
    Description: The type of traffic to log.
    Type: String
    Default: ALL
    AllowedValues:
      - ACCEPT
      - REJECT
      - ALL
  SQS:
    Description: Name of the SQS for VPC Flow Logs.
    Type: String
    Default: cribl-sqs-vpc
Conditions:
  InternalBucket: !Equals
    - !Ref ExternalLogBucket
    - ''
  ExternalBucket: !Not
    - !Equals
      - !Ref ExternalLogBucket
      - ''
  HasLogFilePrefix: !Not
    - !Equals
      - !Ref LogFilePrefix
      - ''
  UsingDefaultBucket: !Equals
    - !Ref QSS3BucketName
    - 'aws-quickstart'
Resources:
  VPCStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: !Sub
        - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-aws-vpc/templates/aws-vpc.template.yaml
        - S3Bucket: !If
            - UsingDefaultBucket
            - !Sub 'aws-quickstart-${AWS::Region}'
            - !Ref 'QSS3BucketName'
          S3Region: !If
            - UsingDefaultBucket
            - !Ref 'AWS::Region'
            - !Ref 'QSS3BucketRegion'
      Parameters:
        AvailabilityZones: !Join
          - ','
          - !Ref AvailabilityZones
        NumberOfAZs: '2'
        PrivateSubnet1ACIDR: !Ref PrivateSubnet1CIDR
        PrivateSubnet2ACIDR: !Ref PrivateSubnet2CIDR
        PublicSubnet1CIDR: !Ref PublicSubnet1CIDR
        PublicSubnet2CIDR: !Ref PublicSubnet2CIDR
        VPCCIDR: !Ref VPCCIDR
        VPCTenancy: !Ref VPCTenancy
  CriblQueue:
    Type: 'AWS::SQS::Queue'
    Properties:
      QueueName: !Ref SQS
  CriblQueuePolicy:
    Type: 'AWS::SQS::QueuePolicy'
    Properties:
      PolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: s3.amazonaws.com
            Action:
              - 'SQS:SendMessage'
            Resource: !GetAtt CriblQueue.Arn
            # aws:SourceAccount keeps a bucket in another account from using the
            # S3 service principal to push events into this queue (confused deputy).
            Condition:
              StringEquals:
                'aws:SourceAccount':
                  - !Ref "AWS::AccountId"
      # Queues takes queue URLs. !Ref on an AWS::SQS::Queue returns the URL;
      # !Ref on the SQS parameter would only return the name string.
      Queues:
        - !Ref CriblQueue
  LogBucket:
    Condition: InternalBucket
    Type: 'AWS::S3::Bucket'
    # The queue policy must exist before S3 validates the notification target.
    DependsOn: CriblQueuePolicy
    Properties:
      NotificationConfiguration:
        QueueConfigurations:
          - Event: 's3:ObjectCreated:Put'
            Queue: !GetAtt CriblQueue.Arn
  LogBucketPolicy:
    Condition: InternalBucket
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket: !Ref LogBucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # Log delivery is scoped to the AWSLogs/<account>/ path under the
          # optional prefix and must hand ownership of each object to the bucket owner.
          - Sid: AWSLogDeliveryWrite
            Effect: Allow
            Principal:
              Service: delivery.logs.amazonaws.com
            Action: 's3:PutObject'
            Resource: !If
              - HasLogFilePrefix
              - !Sub '${LogBucket.Arn}/${LogFilePrefix}/AWSLogs/${AWS::AccountId}/*'
              - !Sub '${LogBucket.Arn}/AWSLogs/${AWS::AccountId}/*'
            Condition:
              StringEquals:
                's3:x-amz-acl': bucket-owner-full-control
          - Sid: AWSLogDeliveryAclCheck
            Effect: Allow
            Principal:
              Service: delivery.logs.amazonaws.com
            Action: 's3:GetBucketAcl'
            Resource: !GetAtt LogBucket.Arn
          - Sid: AllowSSLRequestsOnly
            Effect: Deny
            Principal: '*'
            Action: 's3:*'
            Resource:
              - !GetAtt LogBucket.Arn
              - !Sub '${LogBucket.Arn}/*'
            Condition:
              Bool:
                'aws:SecureTransport': false
  FlowLogInternalBucket:
    Condition: InternalBucket
    # Create the flow log only after the explicit bucket policy is in place;
    # otherwise the Flow Logs service attaches its own policy first and the
    # CloudFormation-managed policy later replaces it.
    DependsOn: LogBucketPolicy
    Type: 'AWS::EC2::FlowLog'
    Properties:
      LogDestination: !If
        - HasLogFilePrefix
        - !Sub '${LogBucket.Arn}/${LogFilePrefix}/'
        - !GetAtt LogBucket.Arn
      LogDestinationType: s3
      ResourceId: !GetAtt VPCStack.Outputs.VPCID
      ResourceType: VPC
      TrafficType: !Ref TrafficType
  FlowLogExternalBucket:
    Condition: ExternalBucket
    # No DependsOn here: LogBucketPolicy only exists under InternalBucket. The
    # external bucket must already carry a policy granting
    # delivery.logs.amazonaws.com s3:PutObject and s3:GetBucketAcl (see
    # LogBucketPolicy above); this template does not create one for it.
    Type: 'AWS::EC2::FlowLog'
    Properties:
      LogDestination: !If
        - HasLogFilePrefix
        - !Sub 'arn:aws:s3:::${ExternalLogBucket}/${LogFilePrefix}/'
        - !Sub 'arn:aws:s3:::${ExternalLogBucket}'
      LogDestinationType: s3
      ResourceId: !GetAtt VPCStack.Outputs.VPCID
      ResourceType: VPC
      TrafficType: !Ref TrafficType
  EmptyBucketLambda:
    Condition: InternalBucket
    Type: 'AWS::CloudFormation::Stack'
    Properties:
      TemplateURL: !Sub
        - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/aws_lambda_emptybucket.template.yaml
        - S3Bucket: !If
            - UsingDefaultBucket
            - !Sub '${QSS3BucketName}-${AWS::Region}'
            - !Ref 'QSS3BucketName'
          S3Region: !If
            - UsingDefaultBucket
            - !Ref 'AWS::Region'
            - !Ref 'QSS3BucketRegion'
      Parameters:
        BucketArn2Empty: !GetAtt LogBucket.Arn
        Bucket2Empty: !Ref LogBucket
  CriblDeploy:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: !Sub
        - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/cribl-single-x86.workload.template.yaml
        - S3Bucket: !If
            - UsingDefaultBucket
            - !Sub '${QSS3BucketName}-${AWS::Region}'
            - !Ref 'QSS3BucketName'
          S3Region: !If
            - UsingDefaultBucket
            - !Ref 'AWS::Region'
            - !Ref 'QSS3BucketRegion'
      Parameters:
        webAccessCidr: !Ref webAccessCidr
        vpcId: !GetAtt VPCStack.Outputs.VPCID
        # The LogStream instance lands in the public subnets, so webAccessCidr is
        # the only control between the internet and the web console.
        subnetIds: !Join
          - ','
          - - !GetAtt VPCStack.Outputs.PublicSubnet1ID
            - !GetAtt VPCStack.Outputs.PublicSubnet2ID
        instanceType: !Ref instanceType
Outputs:
  Postdeployment:
    Description: See the deployment guide for postdeployment steps.
    Value: https://fwd.aws/e6Jk3?
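The LogBucketPolicy resource above is the part of this template that decides whether flow-log delivery works at all and whether anyone else can write into the log bucket. The following Python is an added example, not code from the Quick Start or from Cribl: it builds the same three statements the template declares (prefix-scoped delivery write requiring bucket-owner-full-control, the ACL check, and the TLS-only deny), then runs a minimal IAM-style evaluator over constructed requests to show which deliveries the policy accepts and rejects. It goes beyond the template in two ways: it normalizes a LogFilePrefix with leading or trailing slashes (the template's `${LogBucket.Arn}/${LogFilePrefix}/AWSLogs/...` would otherwise produce `//` in the resource ARN), and it adds the `aws:SourceAccount` / `aws:SourceArn` conditions AWS recommends on flow-log bucket policies, which the template omits. Bucket name, account ID and region are constructed sample values; `evaluate` is a deliberately small subset of IAM logic (Deny wins, then any matching Allow), not the real evaluator.

```python
"""Build and check the S3 bucket policy a VPC Flow Log S3 destination needs.

Added example modelled on the template's LogBucketPolicy; not Cribl/AWS code.
"""
from __future__ import annotations

import fnmatch
import json

DELIVERY_PRINCIPAL = "delivery.logs.amazonaws.com"


def normalize_prefix(prefix: str) -> str:
    """Strip surrounding slashes so '<bucket>/<prefix>/AWSLogs' never contains '//'."""
    return prefix.strip("/")


def flow_log_bucket_policy(bucket: str, account_id: str, region: str, prefix: str = "") -> dict:
    """Return the bucket policy for flow-log delivery into <bucket>/<prefix>/AWSLogs/<account>/."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    p = normalize_prefix(prefix)
    object_arn = f"{bucket_arn}/{p + '/' if p else ''}AWSLogs/{account_id}/*"
    # Confused-deputy guard (addition beyond the template): only flow logs from this
    # account and region may use the delivery principal against this bucket.
    source_guard = {
        "StringEquals": {"aws:SourceAccount": account_id},
        "ArnLike": {"aws:SourceArn": f"arn:aws:logs:{region}:{account_id}:*"},
    }
    write_conditions = {
        "StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control", "aws:SourceAccount": account_id},
        "ArnLike": source_guard["ArnLike"],
    }
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AWSLogDeliveryWrite", "Effect": "Allow",
             "Principal": {"Service": DELIVERY_PRINCIPAL}, "Action": "s3:PutObject",
             "Resource": object_arn, "Condition": write_conditions},
            {"Sid": "AWSLogDeliveryAclCheck", "Effect": "Allow",
             "Principal": {"Service": DELIVERY_PRINCIPAL}, "Action": "s3:GetBucketAcl",
             "Resource": bucket_arn, "Condition": source_guard},
            {"Sid": "AllowSSLRequestsOnly", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": [bucket_arn, f"{bucket_arn}/*"],
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        ],
    }


def delivery_context(account_id: str, region: str, acl: str = "bucket-owner-full-control",
                     secure: bool = True) -> dict:
    """Request context the Flow Logs service would present on a delivery PutObject (constructed)."""
    return {
        "s3:x-amz-acl": acl,
        "aws:SourceAccount": account_id,
        "aws:SourceArn": f"arn:aws:logs:{region}:{account_id}:*",
        "aws:SecureTransport": "true" if secure else "false",
    }


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _conditions_match(cond: dict, ctx: dict) -> bool:
    """Evaluate the three condition operators the policy uses; missing keys fail the check."""
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            expected = [str(x) for x in _as_list(expected)]
            if op == "StringEquals" and str(actual) not in expected:
                return False
            if op == "ArnLike" and not any(fnmatch.fnmatchcase(str(actual), e) for e in expected):
                return False
            if op == "Bool" and str(actual).lower() not in [e.lower() for e in expected]:
                return False
    return True


def evaluate(policy: dict, principal_service: str, action: str, resource: str, ctx: dict) -> bool:
    """Minimal IAM-style evaluation: an applicable explicit Deny wins, else any applicable Allow grants."""
    allowed = False
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        principal = st["Principal"]
        if principal != "*" and principal_service not in _as_list(principal.get("Service", [])):
            continue
        if not _conditions_match(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    policy = flow_log_bucket_policy("cribl-flow-logs", "123456789012", "us-east-1", "vpc/")
    print(json.dumps(policy, indent=2))
    key = "arn:aws:s3:::cribl-flow-logs/vpc/AWSLogs/123456789012/vpcflowlogs/us-east-1/2024/01/01/a.log.gz"
    ctx = delivery_context("123456789012", "us-east-1")
    print("delivery allowed:", evaluate(policy, DELIVERY_PRINCIPAL, "s3:PutObject", key, ctx))
```

Run it as a script to print the generated policy and the evaluation of a sample delivery; the checks worth keeping in a pre-deployment test are that a write outside the prefix-scoped `AWSLogs/<account>/` path, a write without `bucket-owner-full-control`, a write claiming another source account, and any non-TLS request are all refused while the legitimate delivery is allowed.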