--- AWSTemplateFormatVersion: 2010-09-09 Description: "This template sets up Discngine 3decision infrastructure. (qs-1snm79fb4)." Metadata: QuickStartDocumentation: EntrypointName: "Launch into an existing EKS cluster" LintSpellExclude: - Discngine - 3decision AWS::CloudFormation::Interface: ParameterGroups: - Label: default: Basic configuration Parameters: - EKSClusterName - VPCID - ConfigureEKS - NodeGroupArn - NodeSecurityGroup - Label: default: Discngine 3decision network configuration Parameters: - DomainName - MainSubdomain - ApiSubdomain - HelpSubdomain - HostedZoneId - CertificateArn - LoadBalancerType - LoadBalancerClass - Label: default : Discngine 3decision database configuration Parameters: - DBSnapshotIdentifier - DBInstanceIdentifier - DBName - DBSubnets - DBInstanceClass - DBMultiZone - Label: default: Discngine 3decision kube configuration Parameters: - TNamespace - JWTSecretName - Label: default: Discngine 3decision authentication configuration Parameters: - AzureClientId - AzureTenant - AzureSecret - AzureRedirectUri - OktaClientId - OktaSecret - OktaDomain - OktaServerId - OktaRedirectUri - Label: default: AWS Quick Start configuration Parameters: - QSS3BucketName - QSS3BucketRegion - QSS3KeyPrefix ParameterLabels: EKSClusterName: default: Name of EKS Cluster VPCID: default: ID of the VPC QSS3BucketName: default: Quick Start S3 bucket name QSS3BucketRegion: default: Quick Start S3 bucket region QSS3KeyPrefix: default: Quick Start S3 key prefix DBSnapshotIdentifier: default: Identifier of the database snapshot DBInstanceIdentifier: default: Identifier of the database DBName: default: Name of the database DBSubnets: default: Subnets in the db subnet group DBInstanceClass: default: Instance type of the database DBMultiZone: default: Whether the DB is highly available TNamespace: default: 3decision Helm chart namespace JWTSecretName: default: Secret Name ConfigureEKS: default: Boolean determining whether to configure EKS HostedZoneId: default: Route 53 hosted zone Id DomainName: default: Domain name used for load balancing MainSubdomain: default: Subdomain name for app landing page ApiSubdomain: default: Subdomain of the api HelpSubdomain: default: Subdomain of the help page CertificateArn: default: Arn of a certificate LoadBalancerType: default: Type of loadbalancer created LoadBalancerClass: default: Loadbalancer class AzureClientId: default: Azure app client id AzureSecret: default: Azure app secret AzureTenant: default: Azure tenant AzureRedirectUri: default: Azure app redirect uri OktaClientId: default: Okta app client id OktaSecret: default: Okta app secret OktaDomain: default: Okta domain OktaServerId: default: Okta server id OktaRedirectUri: default: Okta app redirect uri NodeGroupArn: default: Arn of the default node group NodeSecurityGroup: default: Security group of the default node group Parameters: EKSClusterName: Description: "Required: The name of the EKS cluster in which the stacks will be deployed" Type: String VPCID: Type: String Description: "Required: The id of the VPC in which the EKS cluster is deployed" QSS3BucketName: AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$ ConstraintDescription: Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Default: aws-quickstart Description: S3 bucket name for the Quick Start assets. This string can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Type: String QSS3BucketRegion: Default: 'eu-central-1' Description: "The AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. When using your own bucket, you must specify this value." Type: String QSS3KeyPrefix: AllowedPattern: ^[0-9a-zA-Z-/]*$ ConstraintDescription: Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/). Default: quickstart-discngine-3decision/ Description: S3 key prefix for the Quick Start assets. Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/). Type: String DBSnapshotIdentifier: Default: "" Description: "Optionnal: the snapshot arn used for the database. If left empty, the default snapshot will be used. But if you wish to have an encrypted database, you will have to copy the public snapshot locally and select encryption and use that arn" Type: String DBInstanceIdentifier: Default: db3dec Description: "Optional: The database instance name. This defaults to db3dec." Type: String MinLength: '1' MaxLength: '8' AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*' ConstraintDescription: must begin with a letter and contain only alphanumeric characters. DBName: Default: ORCL Description: "Optional: The name given to the RDS Oracle database. This defaults to ORCL." Type: String MinLength: '1' MaxLength: '8' AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*' ConstraintDescription: must begin with a letter and contain only alphanumeric characters. DBSubnets: Description: 'Required: Subnets to use for the creation of the db subnet group. These need to be the same subnets as the ones containing your eks nodes' Type: CommaDelimitedList DBInstanceClass: AllowedValues: - db.t3.medium - db.t3.large - db.t3.xlarge - db.t3.2xlarge - db.m5.large - db.m5.xlarge - db.m5.2xlarge - db.m5.4xlarge Default: db.t3.xlarge Description: Amazon RDS instance type for the Oracle Database instance. We recommend t3.xlarge for production use as a lower shape will be rather slow. Type: String DBMultiZone: Description: High Availability (Multi-AZ) for Oracle RDS. More informtion is available here - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.MultiAZ.html Type: String AllowedValues: [ 'true', 'false' ] Default: 'true' TNamespace: Default: tdecision Description: "Optional: The name of the kubernetes namespace in which the 3decision helm chart will be deployed. This will default to tdecision if not given. The namespace will be created if it doesn't already exists." Type: String JWTSecretName: Default: "3dec-JWT-ssh" Description: "Name of the secret created in secrets manager that will contain an ssh key fed to the application." Type: String ConfigureEKS: Description: "Optionnal: Set to true to create EKS quickstart specific resources for your EKS cluster" Default: 'false' Type: String AllowedValues: ['true', 'false'] NodeGroupArn: Type: String Description: "Required: Arn of the default NodeGroup used" NodeSecurityGroup: Description: "Required: Id of the EKS SecurityGroup in which we will add the RDS ingress" Type: String HostedZoneId: Default: "" Description: "Optional: Creates dns records for the given route 53 hosted zone if given." Type: String DomainName: Description: "Required: Root domain name used for load balancer rules This is only the root domain name not the fqdn, eg: example.com" Type: String MainSubdomain: Default: "3decision" Description: "Required: Name used for the main app subdomain" Type: String ApiSubdomain: Default: "3decision-api" Description: "Required: Name used for the api subdomain" Type: String HelpSubdomain: Default: "3decision-help" Description: "Required: Name used for the help subdomain" Type: String CertificateArn: Default: "" Description: "Optional: Arn of a certificate of the associated domain you want added to the load balancer" Type: String LoadBalancerType: AllowedValues: - internet-facing - internal Default: "internal" Description: "Type of loadbalancer created. This can either be equal to internet-facing for public loadbalancer or internal for private loadbalancers" Type: String LoadBalancerClass: AllowedValues: - alb - nginx Default: "alb" Description: "Type of loadbalancer created. This will create an application loadBalancer by default and should generally not be changed. By selecting nginx you will have a classic load balancer with a self signed certificate." Type: String AzureClientId: Type: String Default: "" Description: "Optional: Will enable azure authentication if set. Client id of azure app" AzureTenant: Type: String Default: "" Description: "Conditional: Should be given if azure client id variable is set. Tenant id of the azure app" AzureSecret: Type: String Default: "" Description: "Conditional: Should be given if azure client id variable is set. Secret of the azure app" AzureRedirectUri: Type: String Default: "" Description: "Conditional: Should be given if azure client id variable is set. This is the redirect_uri set in the azure app, by default should be https://./auth/azure/callback" OktaClientId: Type: String Default: "" Description: "Optional: Will enable okta authentication if set. Client ID of the okta app" OktaSecret: Type: String Default: "" Description: "Conditional: Should be given if okta client id variable is set. Secret of the okta app" OktaDomain: Type: String Default: "" Description: "Conditional: Should be given if okta client id variable is set. Domain of the okta environment" OktaServerId: Type: String Default: "" Description: "Conditional: Should be given if okta client id variable is set. Server Id of the okta environment" OktaRedirectUri: Type: String Default: "" Description: "Conditional: Should be given if okta client id variable is set. This is the redirect_uri set in the okta app, by default should be https://./auth/okta/callback" Rules: DiscngineSupportedRegionRule: Assertions: - Assert: Fn::Contains: - - us-east-1 - eu-central-1 - !Ref AWS::Region AssertDescription: The Quick Start is supported only in us-east-1 and eu-central-1 AWS Regions. Please contact Discngine to request support for other Regions. Mappings: Config: Prefix: { Value: 'eks-quickstart' } Conditions: UsingDefaultBucket: !Equals [!Ref QSS3BucketName, 'aws-quickstart'] ConfigureEKS: !Equals ['true', !Ref ConfigureEKS] ConfigureDNS: !Not [ !Equals [ "", !Ref HostedZoneId ] ] UseDBSnapshotIdentifier: !Not [ !Equals ["", !Ref DBSnapshotIdentifier ] ] Resources: EKSCluster: Type: AWS::CloudFormation::Stack Condition: ConfigureEKS UpdateReplacePolicy: Delete DeletionPolicy: Delete Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-amazon-eks/templates/amazon-eks-entrypoint-existing-cluster.template.yaml' - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: VPCID: !Ref VPCID KubeClusterName: !Ref EKSClusterName QSS3BucketName: !Ref QSS3BucketName QSS3BucketRegion: !Ref QSS3BucketRegion QSS3KeyPrefix: !Ref QSS3KeyPrefix JWTStack: Type: AWS::CloudFormation::Stack UpdateReplacePolicy: Delete DeletionPolicy: Delete Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/discngine-3decision-jwt.template.yaml' - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: QSS3BucketName: !Ref QSS3BucketName QSS3KeyPrefix: !Ref QSS3KeyPrefix SecretName: !Ref JWTSecretName EBSStack: Type: AWS::CloudFormation::Stack UpdateReplacePolicy: Delete DeletionPolicy: Delete Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/discngine-3decision-ebs.template.yaml' - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] RDSStack: Type: AWS::CloudFormation::Stack UpdateReplacePolicy: Delete DeletionPolicy: Delete Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/discngine-3decision-oracle.template.yaml' - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: DBInstanceIdentifier: !Ref DBInstanceIdentifier DBName: !Ref DBName DBSubnets: !Join [ ",", !Ref DBSubnets ] DBInstanceClass: !Ref DBInstanceClass VpcId: !Ref VPCID NodeSecurityGroupId: !Ref NodeSecurityGroup DBMultiZone: !Ref DBMultiZone DBSnapshotIdentifier: !If [UseDBSnapshotIdentifier, !Ref DBSnapshotIdentifier, !Sub "arn:aws:rds:${AWS::Region}:751149478800:snapshot:db3dec2022-1"] EKSServiceCidr: Type: Custom::CliQuery UpdateReplacePolicy: Delete DeletionPolicy: Delete Properties: ServiceToken: !Sub ['arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${Prefix}-ResourceReader', {Prefix: !FindInMap [Config, Prefix, Value]}] AwsCliCommand: !Sub "eks describe-cluster --name ${EKSClusterName} --query 'cluster.kubernetesNetworkConfig.{serviceIpv4Cidr: serviceIpv4Cidr}'" IdField: 'serviceIpv4Cidr' 3decisionSecretStack: Type: AWS::CloudFormation::Stack UpdateReplacePolicy: Delete DeletionPolicy: Delete Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/discngine-3decision-secret.template.yaml' - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: Subnets: !Join - ',' - !Ref DBSubnets DatabaseName: !GetAtt RDSStack.Outputs.DbInstanceName VpcId: !Ref VPCID DBSecurityGroup: !GetAtt RDSStack.Outputs.DBSecurityGroup NodeGroupArn: !Ref NodeGroupArn 3decisionBucketStack: Type: AWS::CloudFormation::Stack UpdateReplacePolicy: Delete DeletionPolicy: Delete Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/discngine-3decision-bucket.template.yaml' - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: VPCID: !Ref VPCID NodeGroupArn: !Ref NodeGroupArn 3decisionKubeStack: Type: AWS::CloudFormation::Stack DependsOn: JWTStack UpdateReplacePolicy: Delete DeletionPolicy: Delete Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/discngine-3decision-kube.template.yaml' - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: TNamespace: !Ref TNamespace JWTPrivateKey: !Sub '{{resolve:secretsmanager:${JWTSecretName}:SecretString:private_key}}' JWTPublicKey: !Sub '{{resolve:secretsmanager:${JWTSecretName}:SecretString:public_key}}' EKSClusterName: !Ref EKSClusterName DataPubVolumeID: !GetAtt EBSStack.Outputs.DataPubVolumeID DBConnectionString: !GetAtt RDSStack.Outputs.PrimaryConnectionString DomainName: !Ref DomainName CertificateArn: !Ref CertificateArn HostString: !GetAtt RDSStack.Outputs.PrimaryHostString DBName: !GetAtt RDSStack.Outputs.PrimaryDBName LoadBalancerType: !Ref LoadBalancerType LoadBalancerClass: !Ref LoadBalancerClass AzureClientId: !Ref AzureClientId AzureTenant: !Ref AzureTenant AzureSecret: !Ref AzureSecret AzureRedirectUri: !Ref AzureRedirectUri OktaClientId: !Ref OktaClientId OktaSecret: !Ref OktaSecret OktaDomain: !Ref OktaDomain OktaServerId: !Ref OktaServerId OktaRedirectUri: !Ref OktaRedirectUri MainSubdomain: !Ref MainSubdomain ApiSubdomain: !Ref ApiSubdomain HelpSubdomain: !Ref HelpSubdomain EKSServiceCidr: !Ref EKSServiceCidr SecretRoleArn: !GetAtt 3decisionSecretStack.Outputs.RoleArn 3decisionDNSStack: Type: AWS::CloudFormation::Stack Condition: ConfigureDNS DependsOn: 3decisionKubeStack UpdateReplacePolicy: Delete DeletionPolicy: Delete Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/discngine-3decision-dns.template.yaml' - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: HostedZoneId: !Ref HostedZoneId DomainName: !Ref DomainName MainSubdomain: !Ref MainSubdomain ApiSubdomain: !Ref ApiSubdomain HelpSubdomain: !Ref HelpSubdomain