AWSTemplateFormatVersion: '2010-09-09' Description: >- This template configures Duo RADIUS servers for use in directory service MFA (can be used for AWS SSO, WorkSpaces, and other SAML service providers). It deploys a new VPC and AWS managed Active Directory environment. (qs-1s5bn1dk6) Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: default: Duo account settings Parameters: - DuoIntegrationKey - DuoSecretKey - DuoApiHostName - Label: default: Network configuration Parameters: - AvailabilityZones - VPCCIDR - PublicSubnet1CIDR - PublicSubnet2CIDR - PrivateSubnet1CIDR - PrivateSubnet2CIDR - Label: default: Amazon EC2 configuration Parameters: - KeyPairName - Label: default: Active Directory configuration Parameters: - DomainDNSName - DomainNetBIOSName - DomainAdminPassword - Label: default: Directory Sync (optional) Parameters: - AdSync - adReadOnlyUser - adReadOnlyPassword - DirectoryIntegrationKey - DirectorySecretKey - Label: default: Fargate Deployment Configuration Parameters: - FargateDeployment - AdminArn - EcrRepoName - EcrImageRetention - EcrCronExpression - CodeCommitRepoName - CodeCommitBranchName - NotificationEmail - DuoMaxCapacity - Label: default: Quick Start configuration Parameters: - QSS3BucketName - QSS3BucketRegion - QSS3KeyPrefix ParameterLabels: EcrCronExpression: default: ECR Rebuild Cron DuoMaxCapacity: default: Duo Maximum Tasks AvailabilityZones: default: Availability Zones DomainAdminPassword: default: Domain admin password DomainDNSName: default: Domain DNS name DomainNetBIOSName: default: Domain NetBIOS name DuoIntegrationKey: default: Duo integration key DuoSecretKey: default: Duo secret key DuoApiHostName: default: Duo hostname KeyPairName: default: Key pair name PrivateSubnet1CIDR: default: Private subnet 1 CIDR PrivateSubnet2CIDR: default: Private subnet 2 CIDR PublicSubnet1CIDR: default: Public subnet 1 CIDR PublicSubnet2CIDR: default: Public subnet 2 CIDR QSS3BucketName: default: Quick Start S3 bucket name QSS3BucketRegion: default: Quick Start S3 bucket region QSS3KeyPrefix: default: Quick Start S3 key prefix RadiusProxyServerCount: default: RADIUS servers RadiusPortNumber: default: RADIUS port number DuoFailMode: default: Duo fail mode VPCCIDR: default: VPC CIDR AdSync: default: Sync AD adReadOnlyUser: default: AD Read Only User adReadOnlyPassword: default: AD Read Only Password DirectoryIntegrationKey: default: Duo Directory integration key DirectorySecretKey: default: Duo Directory secret key FargateDeployment: default: Use Fargate AdminArn: default: KMS Admin Role EcrRepoName: default: ECR Repo Name EcrImageRetention: default: ECR Retention Period CodeCommitRepoName: default: CodeCommit Repo Name CodeCommitBranchName: default: CodeCommit Branch Name NotificationEmail: default: Duo Administrator Email Parameters: AvailabilityZones: Description: >- List of Availability Zones to use for the subnets in the VPC. Note: The logical order is preserved and 2 zones must be provided Type: List DomainAdminPassword: AllowedPattern: (?=^.{6,255}$)((?=.*\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.* Description: Password for the domain admin user. Must be at least 8 characters containing letters, numbers, and symbols. MaxLength: '32' MinLength: '8' NoEcho: 'true' Type: String DomainDNSName: AllowedPattern: '[a-zA-Z0-9\-]+\..+' Default: example.com Description: Fully qualified domain name (FQDN) of the forest root domain. MaxLength: '255' MinLength: '2' Type: String DomainNetBIOSName: AllowedPattern: '[a-zA-Z0-9\-]+' Default: example Description: NetBIOS name of the domain (up to 15 characters) for users of earlier versions of Windows. MaxLength: '15' MinLength: '1' Type: String DuoIntegrationKey: Type: String Description: Integration key retrieved from Duo RADIUS application configuration DuoSecretKey: Type: String NoEcho: true Description: Secret key retrieved from Duo RADIUS application configuration DuoApiHostName: Type: String Description: API host name retrieved from Duo RADIUS application configuration AllowedPattern: ^api\-[a-zA-Z0-9]*.duosecurity.com$ ConstraintDescription: API hostname must match pattern api-12345678.duosecurity.com KeyPairName: Description: Public/private key pairs allow you to securely connect to your instance after it launches. Type: AWS::EC2::KeyPair::KeyName PrivateSubnet1CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ Default: 10.0.0.0/19 Description: CIDR block for private subnet 1 located in Availability Zone 1. Type: String PrivateSubnet2CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ Default: 10.0.32.0/19 Description: CIDR block for private subnet 2 located in Availability Zone 2. Type: String PublicSubnet1CIDR: Default: 10.0.128.0/20 Description: CIDR block for the public subnet 2 located in Availability Zone 2. Type: String PublicSubnet2CIDR: Default: 10.0.144.0/20 Description: CIDR block for the optional public subnet 3 located in Availability Zone 3. Type: String QSS3BucketName: AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$ ConstraintDescription: Can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Default: aws-quickstart Description: S3 bucket name for the Quick Start assets. This name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Type: String QSS3BucketRegion: Default: 'us-east-1' Description: 'The AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. When using your own bucket, you must specify this value.' Type: String QSS3KeyPrefix: AllowedPattern: ^[0-9a-zA-Z-/]*$ ConstraintDescription: Can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/). Default: quickstart-duo-mfa/ Description: S3 key prefix for the Quick Start assets. This prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/). Type: String RadiusProxyServerCount: Type: Number AllowedValues: - 1 - 2 - 3 - 4 Default: 2 Description: The number of RADIUS proxy servers to create. RadiusPortNumber: Type: String Description: Port on which to listen for incoming RADIUS access requests Default: 1812 DuoFailMode: Type: String Description: Once primary authentication succeeds, Safe mode allows authentication attempts, if the Duo service cannot be contacted. Secure mode rejects authentication attempts, if the Duo service cannot be contacted. AllowedValues: - "safe" - "secure" Default: "safe" VPCCIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.0.0/16 Description: CIDR block for the VPC. Type: String AdSync: Type: String Description: Choose whether AD sync is required or not Default: 'yes' AllowedValues: - 'yes' - 'no' adReadOnlyUser: Type: String Description: > AD UserName with Read-Only to the Directory for Duo Directory Sync configuration Default: '' adReadOnlyPassword: Type: String NoEcho: true Description: > AD UserName Password with Read-Only to the Directory for Duo Directory Sync configuration Default: '' DirectoryIntegrationKey: Type: String Description: > Integration key retrieved from Duo Directory Sync configuration Default: '' DirectorySecretKey: Type: String NoEcho: true Description: > Secret key retrieved from Duo Directory Sync configuration Default: '' FargateDeployment: Type: String Description: Choose whether AD sync is required or not Default: 'yes' AllowedValues: - 'yes' - 'no' AdminArn: Type: String Description: IAM Arn that will have admin rights to the KMS key. If left empty, KMS Key Policy will not have an admin role to administer it. Default: '' EcrRepoName: Type: String Description: Duo Authentication Proxy ECR repo name Default: duo-authproxy AllowedPattern: "(?:[a-z0-9]+(?:[._-][a-z0-9]+)*/)*[a-z0-9]+(?:[._-][a-z0-9]+)*" MinLength: 2 MaxLength: 256 EcrImageRetention: Type: Number Description: Number of days to retain the ECR image ConstraintDescription: 'Must be in the range [30-600].' MinValue: 30 MaxValue: 600 CodeCommitRepoName: Type: String Description: CodeCommit Repo Name which will manage all the code base Default: duo-authproxy AllowedPattern: "^[0-9a-zA-Z-/]*$" CodeCommitBranchName: Type: String Description: CodeCommit Branch name where all the code base is located. This will act as a trigger to CodePipeline. Default: ecr AllowedPattern: "^[0-9a-zA-Z-/]*$" NotificationEmail: Type: String Description: Email of Duo Administrators to notify when pipeline fails or update to Directory fails AllowedPattern: '^(([^<>()\[\]\\.,;:\s@"]+(\.[^<>()\[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$' ConstraintDescription: Provide a valid email address. DuoMaxCapacity: Type: String Description: > Maximum number of tasks that can be launched by ECS Application AutoScaling Default: 4 AllowedValues: - 4 - 5 - 6 - 7 - 8 - 9 - 10 EcrCronExpression: Type: String Description: Cron expression trigger at 0000 UTC every Saturday based on https://docs.aws.amazon.com/eventbridge/latest/userguide/scheduled-events.html Default: '0 0 ? * SAT *' Conditions: UsingDefaultBucket: !Equals [!Ref QSS3BucketName, 'aws-quickstart'] UseFargate: !Equals [!Ref FargateDeployment, 'yes'] Resources: VPCStack: Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-aws-vpc/templates/aws-vpc.template.yaml' - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: AvailabilityZones: !Join - ',' - !Ref 'AvailabilityZones' NumberOfAZs: '2' PrivateSubnet1ACIDR: !Ref 'PrivateSubnet1CIDR' PrivateSubnet2ACIDR: !Ref 'PrivateSubnet2CIDR' PublicSubnet1CIDR: !Ref 'PublicSubnet1CIDR' PublicSubnet2CIDR: !Ref 'PublicSubnet2CIDR' VPCCIDR: !Ref 'VPCCIDR' ADStack: Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-microsoft-activedirectory/templates/ad-3.template' - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: DomainAdminPassword: !Ref 'DomainAdminPassword' DomainDNSName: !Ref 'DomainDNSName' DomainNetBIOSName: !Ref 'DomainNetBIOSName' KeyPairName: !Ref 'KeyPairName' PrivateSubnet1CIDR: !Ref 'PrivateSubnet1CIDR' PrivateSubnet1ID: !GetAtt 'VPCStack.Outputs.PrivateSubnet1AID' PrivateSubnet2CIDR: !Ref 'PrivateSubnet2CIDR' PrivateSubnet2ID: !GetAtt 'VPCStack.Outputs.PrivateSubnet2AID' PublicSubnet1CIDR: !Ref 'PublicSubnet1CIDR' PublicSubnet2CIDR: !Ref 'PublicSubnet2CIDR' QSS3BucketName: !Ref 'QSS3BucketName' QSS3BucketRegion: !Ref QSS3BucketRegion QSS3KeyPrefix: !Sub '${QSS3KeyPrefix}submodules/quickstart-microsoft-activedirectory/' VPCCIDR: !Ref 'VPCCIDR' VPCID: !GetAtt 'VPCStack.Outputs.VPCID' DuoStack: Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/quickstart-duo-mfa.yaml' - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: DuoIntegrationKey: !Ref 'DuoIntegrationKey' DuoSecretKey: !Ref 'DuoSecretKey' DuoApiHostName: !Ref 'DuoApiHostName' DirectoryServiceId: !GetAtt 'ADStack.Outputs.DirectoryID' RadiusProxyServerCount: !Ref 'RadiusProxyServerCount' RadiusPortNumber: !Ref 'RadiusPortNumber' DuoFailMode: !Ref 'DuoFailMode' QSS3BucketName: !Ref 'QSS3BucketName' QSS3BucketRegion: !Ref QSS3BucketRegion QSS3KeyPrefix: !Ref 'QSS3KeyPrefix' DuoFargateStack: Condition: UseFargate Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/DuoAuthProxyFargate.template.yaml' - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: DuoIntegrationKey: !Ref 'DuoIntegrationKey' DuoSecretKey: !Ref 'DuoSecretKey' DuoApiHostName: !Ref 'DuoApiHostName' DirectoryServiceId: !GetAtt 'ADStack.Outputs.DirectoryID' RadiusProxyServerCount: !Ref 'RadiusProxyServerCount' RadiusPortNumber: !Ref 'RadiusPortNumber' DuoFailMode: !Ref 'DuoFailMode' AdSync: !Ref AdSync adReadOnlyUser: !Ref adReadOnlyUser adReadOnlyPassword: !Ref adReadOnlyPassword DirectoryIntegrationKey: !Ref DirectoryIntegrationKey DirectorySecretKey: !Ref DirectorySecretKey NotificationEmail: !Ref NotificationEmail QSS3BucketName: !Ref 'QSS3BucketName' QSS3BucketRegion: !Ref QSS3BucketRegion QSS3KeyPrefix: !Ref 'QSS3KeyPrefix' EcrCronExpression: !Ref EcrCronExpression AdminArn: !Ref AdminArn EcrRepoName: !Ref EcrRepoName EcrImageRetention: !Ref EcrImageRetention CodeCommitRepoName: !Ref CodeCommitRepoName CodeCommitBranchName: !Ref CodeCommitBranchName DuoMaxCapacity: !Ref DuoMaxCapacity