--- AWSTemplateFormatVersion: "2010-09-09" Description: "This creates a VPC, Public Subnets and Private Subnets, EKS cluster, and sets up Discngine 3decision infrastructure. (qs-1snm79fes)." Metadata: QuickStartDocumentation: EntrypointName: "Launch into a new VPC" LintSpellExclude: - Discngine - 3decision - namespace AWS::CloudFormation::Interface: ParameterGroups: - Label: default: "Network configuration" Parameters: - VPCCIDR - PublicSubnet1CIDR - PublicSubnet2CIDR - PublicSubnet3CIDR - PrivateSubnet1CIDR - PrivateSubnet2CIDR - PrivateSubnet3CIDR - RemoteAccessCIDR - Label: default: Amazon EC2 configuration Parameters: - KeyPairName - Label: default: Amazon EKS configuration Parameters: - ConfigSetName - KubernetesVersion - NodeVolumeSize - NodeInstanceType - NumberOfNodes - AdditionalEKSAdminUserArn - AdditionalEKSAdminRoleArn - ProvisionBastionHost - CustomAmiId - NodeGroupName - Label: default: Discngine 3decision network configuration Parameters: - DomainName - MainSubdomain - ApiSubdomain - HelpSubdomain - HostedZoneId - CertificateArn - LoadBalancerType - LoadBalancerClass - Label: default : Discngine 3decision database configuration Parameters: - DBSnapshotIdentifier - DBInstanceIdentifier - DBName - DBInstanceClass - DBMultiZone - Label: default: Discngine 3decision kube configuration Parameters: - TNamespace - JWTSecretName - Label: default: Discngine 3decision authentication configuration Parameters: - AzureClientId - AzureTenant - AzureSecret - AzureRedirectUri - OktaClientId - OktaSecret - OktaDomain - OktaServerId - OktaRedirectUri - Label: default: AWS Quick Start configuration Parameters: - QSS3BucketName - QSS3BucketRegion - QSS3KeyPrefix - PerAccountSharedResources - PerRegionSharedResources ParameterLabels: KeyPairName: default: SSH key name PrivateSubnet1CIDR: default: Private subnet 1 CIDR PrivateSubnet2CIDR: default: Private subnet 2 CIDR PrivateSubnet3CIDR: default: Private subnet 3 CIDR PublicSubnet1CIDR: default: Public subnet 1 CIDR PublicSubnet2CIDR: default: Public subnet 2 CIDR PublicSubnet3CIDR: default: Public subnet 3 CIDR QSS3BucketName: default: Quick Start S3 bucket name QSS3BucketRegion: default: Quick Start S3 bucket region QSS3KeyPrefix: default: Quick Start S3 key prefix RemoteAccessCIDR: default: Allowed external access CIDR VPCCIDR: default: VPC CIDR PerAccountSharedResources: default: Per account shared resources PerRegionSharedResources: default: Per region shared resources NodeInstanceType: default: Node instance type NumberOfNodes: default: Number of nodes AdditionalEKSAdminUserArn: default: Additional EKS admin ARN (IAM user) AdditionalEKSAdminRoleArn: default: Additional EKS admin ARN (IAM role) ConfigSetName: default: Config set name KubernetesVersion: default: Kubernetes version CustomAmiId: default: Custom AMI Id NodeVolumeSize: default: Size of worker nodes volumes NodeGroupName: default: Name of the node group DBSnapshotIdentifier: default: Identifier of the database snapshot DBInstanceIdentifier: default: Identifier of the database DBName: default: Name of the database DBInstanceClass: default: Instance type of the database DBMultiZone: default: Whether the DB is highly available TNamespace: default: 3decision Helm chart namespace JWTSecretName: default: Secret Name HostedZoneId: default: Route 53 hosted zone Id DomainName: default: Domain name used for load balancing MainSubdomain: default: Subdomain name for app landing page ApiSubdomain: default: Subdomain of the api HelpSubdomain: default: Subdomain of the help page CertificateArn: default: Arn of a certificate LoadBalancerType: default: Type of loadbalancer created LoadBalancerClass: default: Loadbalancer class ProvisionBastionHost: default: Whether to provision a bastion host AzureClientId: default: Azure app client id AzureSecret: default: Azure app secret AzureTenant: default: Azure tenant AzureRedirectUri: default: Azure app redirect uri OktaClientId: default: Okta app client id OktaSecret: default: Okta app secret OktaDomain: default: Okta domain OktaServerId: default: Okta server id OktaRedirectUri: default: Okta app redirect uri Parameters: KeyPairName: Description: A public/private key pair, which allows you to connect securely to your instance after it launches. Type: AWS::EC2::KeyPair::KeyName ConstraintDescription: Must be the name of an existing Keyname NodeInstanceType: Type: String Default: t3.xlarge Description: EKS node instance type. We recommend using t3.xlarge as this is the minimal required node shape, but scaling is not noticeable by scaling this up. AllowedValues: - t3.xlarge - t3.2xlarge - m5.xlarge - m5.2xlarge - m5.4xlarge - m5.12xlarge - m5.24xlarge - c5.2xlarge - c5.4xlarge - c5.9xlarge - c5.18xlarge - i3.large - i3.xlarge - i3.2xlarge - i3.4xlarge - i3.8xlarge - i3.16xlarge - x1.16xlarge - x1.32xlarge - p3.2xlarge - p3.8xlarge - p3.16xlarge - r5.large - r5.xlarge - r5.2xlarge - r5.4xlarge - r5.12xlarge - r5.24xlarge - r5d.large - r5d.xlarge - r5d.2xlarge - r5d.4xlarge - r5d.12xlarge - r5d.24xlarge - z1d.large - z1d.xlarge - z1d.2xlarge - z1d.3xlarge - z1d.6xlarge - z1d.12xlarge VPCCIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.0.0/16 Description: The CIDR block for the VPC. Type: String PublicSubnet1CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.128.0/20 Description: The CIDR block used for the public subnet located in Availability Zone 1. Type: String PublicSubnet2CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.144.0/20 Description: The CIDR block used for the public subnet located in Availability Zone 2. Type: String PublicSubnet3CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.160.0/20 Description: The CIDR block for the public (DMZ) subnet 3 located in Availability Zone 3. Type: String PrivateSubnet1CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.0.0/19 Description: The CIDR block used for the private subnet located in Availability Zone 1. Type: String PrivateSubnet2CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.32.0/19 Description: The CIDR block used for the private subnet located in Availability Zone 2. Type: String PrivateSubnet3CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.64.0/19 Description: The CIDR block for private subnet 3 located in Availability Zone 3. Type: String QSS3BucketName: AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$ ConstraintDescription: Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Default: aws-quickstart Description: S3 bucket name for the Quick Start assets. This string can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Type: String QSS3BucketRegion: Default: 'eu-central-1' Description: "The AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. When using your own bucket, you must specify this value." Type: String QSS3KeyPrefix: AllowedPattern: ^[0-9a-zA-Z-/]*$ ConstraintDescription: Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/). Default: quickstart-discngine-3decision/ Description: S3 key prefix for the Quick Start assets. Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/). Type: String RemoteAccessCIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/x Description: The CIDR IP range that is permitted to access the bastion instance. This will have no effect if the bastion creation is set to false. Default: "127.0.0.1/32" Type: String ConfigSetName: Type: String Default: "dng-3decision" Description: "Required: SSM Name used to map advanced parameters to an EKS cluster." KubernetesVersion: # https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-release-calendar Type: String Description: Kubernetes control plane version. AllowedValues: ['1.22'] Default: '1.22' NodeVolumeSize: Type: String Default: 100 Description: "Required: Size of EBS volumes attached to worker nodes. Increase this size if your pods are getting evicted with a disk pressure annotation." CustomAmiId: Type: String Default: "" Description: "Optional: If an AMI ID is specified, it is used instead of the default EKS images for cluster nodes." NodeGroupName: Type: String Default: "Default" Description: "Optional: Name of the NodeGroup created in EKS. This should usually not be changed" PerAccountSharedResources: Type: String AllowedValues: ['AutoDetect', 'Yes', 'No'] Default: 'AutoDetect' Description: You can set "Yes" or "No" according to whether another EKS quickstart has been deployed in your account. Setting "AutoDetect" will check that for you. However, this option should not be used if you have SCPs blocking all access in certain regions as all cloudformation stacks will be listed in all regions. PerRegionSharedResources: Type: String AllowedValues: ['AutoDetect', 'Yes', 'No'] Default: 'AutoDetect' Description: You can set "Yes" or "No" according to whether another EKS quickstart has been deployed in your region. Setting "AutoDetect" will check that for you. NumberOfNodes: Default: 3 Description: The number of Amazon EKS node instances. The default is one for each of the three Availability Zones. Type: Number DBSnapshotIdentifier: Default: "" Description: "Optionnal: the snapshot arn used for the database. If left empty, the default snapshot will be used. But if you wish to have an encrypted database, you will have to copy the public snapshot locally and select encryption and use that arn" Type: String DBInstanceIdentifier: Default: db3dec Description: "Required: The database instance name. This defaults to db3dec." Type: String MinLength: '1' MaxLength: '8' AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*' ConstraintDescription: must begin with a letter and contain only alphanumeric characters. DBName: Default: ORCL Description: "Required: The name given to the RDS Oracle database. This defaults to ORCL." Type: String MinLength: '1' MaxLength: '8' AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*' ConstraintDescription: must begin with a letter and contain only alphanumeric characters. DBInstanceClass: AllowedValues: - db.t3.medium - db.t3.large - db.t3.xlarge - db.t3.2xlarge - db.m5.large - db.m5.xlarge - db.m5.2xlarge - db.m5.4xlarge Default: db.t3.xlarge Description: Amazon RDS instance type for the Oracle Database instance. We recommend t3.xlarge for production use as a lower shape will be rather slow. Type: String DBMultiZone: Description: High Availability (Multi-AZ) for Oracle RDS. More informtion is available here - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.MultiAZ.html Type: String AllowedValues: [ 'true', 'false' ] Default: 'false' TNamespace: Default: tdecision Description: "Required: The name of the kubernetes namespace in which the 3decision helm chart will be deployed. This will default to tdecision if not given. The namespace will be created if it doesn't already exists." Type: String JWTSecretName: Default: "3dec-JWT-ssh" Description: "Name of the secret created in secrets manager that will contain an ssh key fed to the application." Type: String AdditionalEKSAdminUserArn: Default: "" Description: "Optional: IAM user Amazon Resource Name (ARN) to be granted administrative access to the EKS cluster." Type: String AdditionalEKSAdminRoleArn: Default: "" Description: "Optional: IAM role Amazon Resource Name (ARN) to be granted administrative access to the EKS cluster." Type: String HostedZoneId: Default: "" Description: "Optional: Creates dns records for the given route 53 hosted zone if given." Type: String DomainName: Description: "Required: Root domain name used for load balancer rules This is only the root domain name not the fqdn, eg: example.com" Type: String MainSubdomain: Default: "3decision" Description: "Required: Name used for the main app subdomain" Type: String ApiSubdomain: Default: "3decision-api" Description: "Required: Name used for the api subdomain" Type: String HelpSubdomain: Default: "3decision-help" Description: "Required: Name used for the help subdomain" Type: String CertificateArn: Default: "" Description: "Optional: Arn of a certificate of the associated domain you want added to the load balancer" Type: String LoadBalancerType: AllowedValues: - internet-facing - internal Default: "internet-facing" Description: "Type of loadbalancer created. This can either be equal to internet-facing for public loadbalancer or internal for private loadbalancers" Type: String LoadBalancerClass: AllowedValues: - alb - nginx Default: "alb" Description: "Type of loadbalancer created. This will create an application loadBalancer by default and should generally not be changed. By selecting nginx you will have a classic load balancer with a self signed certificate." Type: String ProvisionBastionHost: Type: String AllowedValues: [ "Enabled", "Disabled" ] Default: "Disabled" Description: Choose "Enabled" to create a bastion host. This could be used to debug EKS nodes. AzureClientId: Type: String Default: "" Description: "Optional: Will enable azure authentication if set. Client id of azure app" AzureTenant: Type: String Default: "" Description: "Conditional: Should be given if azure client id variable is set. Tenant id of the azure app" AzureSecret: Type: String Default: "" Description: "Conditional: Should be given if azure client id variable is set. Secret of the azure app" AzureRedirectUri: Type: String Default: "" Description: "Conditional: Should be given if azure client id variable is set. This is the redirect_uri set in the azure app, by default should be https://./auth/azure/callback" OktaClientId: Type: String Default: "" Description: "Optional: Will enable okta authentication if set. Client ID of the okta app" OktaSecret: Type: String Default: "" Description: "Conditional: Should be given if okta client id variable is set. Secret of the okta app" OktaDomain: Type: String Default: "" Description: "Conditional: Should be given if okta client id variable is set. Domain of the okta environment" OktaServerId: Type: String Default: "" Description: "Conditional: Should be given if okta client id variable is set. Server Id of the okta environment" OktaRedirectUri: Type: String Default: "" Description: "Conditional: Should be given if okta client id variable is set. This is the redirect_uri set in the okta app, by default should be https://./auth/okta/callback" Rules: DiscngineSupportedRegionRule: Assertions: - Assert: Fn::Contains: - - us-east-1 - eu-central-1 - !Ref AWS::Region AssertDescription: The Quick Start is supported only in us-east-1 and eu-central-1 AWS Regions. Please contact Discngine to request support for other Regions. Conditions: UsingDefaultBucket: !Equals [!Ref QSS3BucketName, 'aws-quickstart'] Resources: VPCStack: Type: AWS::CloudFormation::Stack UpdateReplacePolicy: Delete DeletionPolicy: Delete Properties: TemplateURL: Fn::Sub: - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-aws-vpc/templates/aws-vpc.template.yaml' - S3Region: !If - UsingDefaultBucket - !Ref AWS::Region - !Ref QSS3BucketRegion S3Bucket: !If - UsingDefaultBucket - !Sub '${QSS3BucketName}-${AWS::Region}' - !Ref QSS3BucketName Parameters: AvailabilityZones: !Join [',', Fn::GetAZs: !Ref 'AWS::Region'] NumberOfAZs: '3' VPCCIDR: !Ref VPCCIDR PrivateSubnet1ACIDR: !Ref PrivateSubnet1CIDR PrivateSubnet2ACIDR: !Ref PrivateSubnet2CIDR PrivateSubnet3ACIDR: !Ref PrivateSubnet3CIDR PublicSubnet1CIDR: !Ref PublicSubnet1CIDR PublicSubnet2CIDR: !Ref PublicSubnet2CIDR PublicSubnet3CIDR: !Ref PublicSubnet3CIDR PrivateSubnetATag2: "kubernetes.io/role/internal-elb=" PublicSubnetTag2: "kubernetes.io/role/elb=" 3decisionEKSStack: Type: AWS::CloudFormation::Stack UpdateReplacePolicy: Delete DeletionPolicy: Delete Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/discngine-3decision-existing-vpc.template.yaml' - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: QSS3BucketName: !Ref QSS3BucketName QSS3BucketRegion: !Ref QSS3BucketRegion QSS3KeyPrefix: !Ref QSS3KeyPrefix VPCID: !GetAtt VPCStack.Outputs.VPCID PublicSubnet1ID: !GetAtt VPCStack.Outputs.PublicSubnet1ID PublicSubnet2ID: !GetAtt VPCStack.Outputs.PublicSubnet2ID PublicSubnet3ID: !GetAtt VPCStack.Outputs.PublicSubnet3ID PrivateSubnet1ID: !GetAtt VPCStack.Outputs.PrivateSubnet1AID PrivateSubnet2ID: !GetAtt VPCStack.Outputs.PrivateSubnet2AID PrivateSubnet3ID: !GetAtt VPCStack.Outputs.PrivateSubnet3AID DBInstanceIdentifier: !Ref DBInstanceIdentifier DBName: !Ref DBName DBInstanceClass: !Ref DBInstanceClass DBMultiZone: !Ref DBMultiZone TNamespace: !Ref TNamespace JWTSecretName: !Ref JWTSecretName HostedZoneId: !Ref HostedZoneId DomainName: !Ref DomainName CertificateArn: !Ref CertificateArn KeyPairName: !Ref KeyPairName NumberOfNodes: !Ref NumberOfNodes ConfigSetName: !Ref ConfigSetName KubernetesVersion: !Ref KubernetesVersion NodeInstanceType: !Ref NodeInstanceType RemoteAccessCIDR: !Ref RemoteAccessCIDR PerAccountSharedResources: !Ref PerAccountSharedResources PerRegionSharedResources: !Ref PerRegionSharedResources AdditionalEKSAdminUserArn: !Ref AdditionalEKSAdminUserArn AdditionalEKSAdminRoleArn: !Ref AdditionalEKSAdminRoleArn NodeVolumeSize: !Ref NodeVolumeSize LoadBalancerType: !Ref LoadBalancerType LoadBalancerClass: !Ref LoadBalancerClass ProvisionBastionHost: !Ref ProvisionBastionHost DBSnapshotIdentifier: !Ref DBSnapshotIdentifier CustomAmiId: !Ref CustomAmiId NodeGroupName: !Ref NodeGroupName AzureClientId: !Ref AzureClientId AzureTenant: !Ref AzureTenant AzureSecret: !Ref AzureSecret AzureRedirectUri: !Ref AzureRedirectUri OktaClientId: !Ref OktaClientId OktaSecret: !Ref OktaSecret OktaDomain: !Ref OktaDomain OktaServerId: !Ref OktaServerId OktaRedirectUri: !Ref OktaRedirectUri MainSubdomain: !Ref MainSubdomain ApiSubdomain: !Ref ApiSubdomain HelpSubdomain: !Ref HelpSubdomain