AWSTemplateFormatVersion: '2010-09-09' Description: This template creates Amazon FSx for Windows File Server into private subnets in separate Availability Zones inside a VPC and uses AWS Directory Service for Microsoft Active Directory. **WARNING** This template creates Amazon EC2 Windows instance and related resources. You will be billed for the AWS resources used if you create a stack from this template. (qs-1qdmcdqji) Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: default: Network configuration Parameters: - AvailabilityZones - NumberOfAZs - VPCCIDR - PrivateSubnet1CIDR - PrivateSubnet2CIDR - PrivateSubnet3CIDR - PublicSubnet1CIDR - PublicSubnet2CIDR - PublicSubnet3CIDR - Label: default: Microsoft Active Directory configuration Parameters: - DomainDNSName - DomainNetBIOSName - DomainAdminPassword - ADScenarioType - Label: default: Active Directory on Amazon EC2 options Parameters: - ADServer1InstanceType - ADServer1NetBIOSName - ADServer1PrivateIP - ADServer2InstanceType - ADServer2NetBIOSName - ADServer2PrivateIP - DomainAdminUser - KeyPairName - Label: default: FSx for Windows File Server configuration Parameters: - BackupRetention - DailyBackupTime - StorageCapacity - ThroughputCapacity - FSxEncryptionKey - FSxExistingKeyID - FSxAllowedCIDR - WeeklyMaintenanceTime - Label: default: RD Gateway configuration Parameters: - DeployRDGW - RDGWInstanceType - NumberOfRDGWHosts - RDGWCIDR - Label: default: AWS Quick Start configuration Parameters: - QSS3BucketName - QSS3BucketRegion - QSS3KeyPrefix ParameterLabels: ADServer1InstanceType: default: Domain controller 1 instance type ADServer1NetBIOSName: default: Domain controller 1 NetBIOS name ADServer1PrivateIP: default: Domain controller 1 private IP address ADServer2InstanceType: default: Domain controller 2 instance type ADServer2NetBIOSName: default: Domain controller 2 NetBIOS name ADServer2PrivateIP: default: Domain controller 2 private IP address AvailabilityZones: default: Availability Zones ADScenarioType: default: Type of Active Directory deployment BackupRetention: default: Automated backup retention DeployRDGW: default: Deploy RD Gateway DailyBackupTime: default: Daily backup start time DomainAdminPassword: default: Domain admin password DomainAdminUser: default: Domain admin user name DomainDNSName: default: Domain DNS name DomainNetBIOSName: default: Domain NetBIOS name KeyPairName: default: Key pair name FSxEncryptionKey: default: Type of AWS KMS key used by Amazon FSx FSxExistingKeyID: default: AWS KMS key ID FSxAllowedCIDR: default: CIDR ranged allowed to connect to FSx file system NumberOfAZs: default: Number of Availability Zones NumberOfRDGWHosts: default: Number of RD Gateway hosts StorageCapacity: default: Storage size ThroughputCapacity: default: Throughput capacity of Amazon FSx file system PrivateSubnet1CIDR: default: Private subnet 1 CIDR PrivateSubnet2CIDR: default: Private subnet 2 CIDR PrivateSubnet3CIDR: default: (Optional) Private subnet 3 CIDR PublicSubnet1CIDR: default: Public subnet 1 CIDR PublicSubnet2CIDR: default: Public subnet 2 CIDR PublicSubnet3CIDR: default: (Optional) Public subnet 3 CIDR RDGWInstanceType: default: RD Gateway instance type RDGWCIDR: default: Allowed RD Gateway external access CIDR QSS3BucketName: default: Quick Start S3 bucket name QSS3BucketRegion: default: Quick Start S3 bucket region QSS3KeyPrefix: default: Quick Start S3 key prefix VPCCIDR: default: VPC CIDR WeeklyMaintenanceTime: default: Weekly maintenance start time Parameters: ADServer1InstanceType: AllowedValues: - t2.large - t3.large - m4.large - m4.xlarge - m4.2xlarge - m4.4xlarge - m5.large - m5.xlarge - m5.2xlarge - m5.4xlarge Default: m5.xlarge Description: Specify the EC2 instance type for the first Active Directory instance. Type: String ADServer1NetBIOSName: AllowedPattern: '[a-zA-Z0-9\-]+' Default: DC1 Description: Specify the NetBIOS name of the first Active Directory server (up to 15 characters). MaxLength: '15' MinLength: '1' Type: String ADServer1PrivateIP: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$ Default: 10.0.0.10 Description: Specify the fixed private IP address for the first Active Directory server located in Availability Zone 1. Type: String ADServer2InstanceType: AllowedValues: - t2.large - t3.large - m4.large - m4.xlarge - m4.2xlarge - m4.4xlarge - m5.large - m5.xlarge - m5.2xlarge - m5.4xlarge Default: m5.xlarge Description: Specify the EC2 instance type for the second Active Directory instance. Type: String ADServer2NetBIOSName: AllowedPattern: '[a-zA-Z0-9\-]+' Default: DC2 Description: Specify the NetBIOS name of the second Active Directory server (up to 15 characters). MaxLength: '15' MinLength: '1' Type: String ADServer2PrivateIP: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$ Default: 10.0.32.10 Description: Specify the fixed private IP address for the second Active Directory server located in Availability Zone 2. Type: String AvailabilityZones: Description: 'Choose the Availability Zones to use for the subnets in the VPC. The default is two, but you can choose up to three Availability Zones.' Type: List ADScenarioType: AllowedValues: - AWS Managed Microsoft AD(Enterprise Edition) - AWS Managed Microsoft AD(Standard Edition) - Microsoft AD on Amazon EC2 Default: AWS Managed Microsoft AD(Enterprise Edition) Description: 'Select the type of Active Directory Domain Services (Active Directory DS) deployment to use: AWS Managed Microsoft AD (Enterprise or Standard edition) or self-managed Active Directory on EC2 instances.' Type: String BackupRetention: Description: Specify the number of days to retain automatic backups. Setting this value to 0 disables the creation of automatic backups. The maximum retention period for backups is 35 days. Default: 7 Type: Number DeployRDGW: Description: Deploy Remote Desktop Gateway Type: String AllowedValues: - 'Yes' - 'No' Default: 'Yes' DailyBackupTime: Description: Specify the preferred time to take daily automatic backups, formatted HH:MM in the UTC time zone. Default: '01:00' Type: String DomainAdminUser: AllowedPattern: '[a-zA-Z0-9]*' Default: Admin Description: Specify the user name for the account that will be added as Domain Administrator. This is separate from the default "Administrator" account MaxLength: '25' MinLength: '5' Type: String DomainAdminPassword: AllowedPattern: (?=^.{6,255}$)((?=.*\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.* Description: Specify the password for the domain admin user. Must be at least 8 characters and contain letters, numbers, and symbols. MaxLength: '32' MinLength: '8' NoEcho: 'true' Type: String DomainDNSName: AllowedPattern: '[a-zA-Z0-9\-]+\..+' Default: example.com Description: Specify the fully qualified domain name (FQDN) of the forest root domain. MaxLength: '255' MinLength: '2' Type: String DomainNetBIOSName: AllowedPattern: '[a-zA-Z0-9\-]+' Default: example Description: Specify the NetBIOS name of the domain (up to 15 characters) for users of earlier versions of Windows. MaxLength: '15' MinLength: '1' Type: String StorageCapacity: Default: 32 Description: Specify the storage capacity of the file system being created, in gigabytes. Valid values are 32 GiB - 65,536 GiB. Consider choosing a higher value for greater capacity. Type: Number ThroughputCapacity: Default: 8 Description: Specify the throughput of the Amazon FSx file system. Valid values are 8 - 2048. Consider choosing a higher value for better performance. Type: Number FSxEncryptionKey: AllowedValues: - 'Default' - 'GenerateKey' - 'UseKey' Description: Use the default AWS Key Management Service (AWS KMS) key for Amazon FSx, choose GenerateKey to create a key, or choose UseKey to use an existing key for encryption at rest on the Amazon FSx for Windows File Server file system. Default: 'Default' Type: String FSxExistingKeyID: Description: If you chose the option to use an existing key, you must specify the AWS KMS key ID that you want to use. Default: '' Type: String FSxAllowedCIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.0.0/16 Description: Specify the CIDR block that is allowed access to FSx for Windows File Server Type: String NumberOfAZs: AllowedValues: - '2' - '3' Default: '2' Description: Specify the number of Availability Zones to use in the VPC. This must match your selections in the Availability Zones parameter. Type: String NumberOfRDGWHosts: AllowedValues: - '1' - '2' - '3' - '4' Default: '1' Description: Enter the number of Remote Desktop Gateway hosts to create. Type: String KeyPairName: Description: Enter the public/private key pair, which allows you to securely connect to your instance after it launches. Type: AWS::EC2::KeyPair::KeyName PrivateSubnet1CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.0.0/19 Description: Specify the CIDR block for private subnet 1 located in Availability Zone 1. Type: String PrivateSubnet2CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.32.0/19 Description: Specify the CIDR block for private subnet 2 located in Availability Zone 2. Type: String PrivateSubnet3CIDR: Default: '' Description: Specify the CIDR block for private subnet 3 located in Availability Zone 3. Type: String PublicSubnet1CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.128.0/20 Description: Specify the CIDR block for the public subnet 1 located in Availability Zone 1. Type: String PublicSubnet2CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.144.0/20 Description: Specify the CIDR block for the public subnet 2 located in Availability Zone 2. Type: String PublicSubnet3CIDR: Default: '' Description: Specify the CIDR block for the public subnet 3 located in Availability Zone 3. Type: String RDGWInstanceType: Description: Specify the EC2 instance type for the RD Gateway instances. Type: String Default: t2.large AllowedValues: - t2.small - t2.medium - t2.large - m5.large - m5.xlarge - m5.2xlarge - m5.4xlarge RDGWCIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ Description: Specify the allowed CIDR block that can access the RD Gateway instances. Type: String QSS3BucketName: AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$ ConstraintDescription: Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Default: aws-quickstart Description: Specify the S3 bucket name for the Quick Start assets. Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Type: String QSS3BucketRegion: Default: 'us-east-1' Description: 'The AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. When using your own bucket, you must specify this value.' Type: String QSS3KeyPrefix: AllowedPattern: ^[0-9a-zA-Z-/]*$ ConstraintDescription: Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/). Default: quickstart-fsx-windows-file-server/ Description: Specify the S3 key prefix for the Quick Start assets. Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/). Type: String VPCCIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.0.0/16 Description: Specify the CIDR block for the VPC. Type: String WeeklyMaintenanceTime: Description: Specify the preferred start time to perform weekly maintenance, formatted d:HH:MM in the UTC time zone Default: '7:02:00' Type: String Conditions: UseSelfManagedAD: !Equals - !Ref 'ADScenarioType' - Microsoft AD on Amazon EC2 UseEnterpriseEdition: !Equals - !Ref 'ADScenarioType' - AWS Managed Microsoft AD(Enterprise Edition) IsThreeAz: !Equals - !Ref 'NumberOfAZs' - '3' HasKey: !Equals - 'UseKey' - !Ref 'FSxEncryptionKey' GovCloudCondition: !Equals - !Ref 'AWS::Region' - us-gov-west-1 UsingDefaultBucket: !Equals [!Ref QSS3BucketName, 'aws-quickstart'] CreateRDGW: !Equals [!Ref DeployRDGW, 'Yes'] Resources: VPCStack: Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-aws-vpc/templates/aws-vpc.template.yaml' - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: AvailabilityZones: !Join - ',' - !Ref 'AvailabilityZones' NumberOfAZs: !Ref 'NumberOfAZs' PrivateSubnet1ACIDR: !Ref 'PrivateSubnet1CIDR' PrivateSubnet2ACIDR: !Ref 'PrivateSubnet2CIDR' PrivateSubnet3ACIDR: !If - IsThreeAz - !Ref 'PrivateSubnet3CIDR' - !Ref 'AWS::NoValue' PublicSubnet1CIDR: !Ref 'PublicSubnet1CIDR' PublicSubnet2CIDR: !Ref 'PublicSubnet2CIDR' PublicSubnet3CIDR: !If - IsThreeAz - !Ref 'PublicSubnet3CIDR' - !Ref 'AWS::NoValue' VPCCIDR: !Ref 'VPCCIDR' ADStack: Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-microsoft-activedirectory/templates/${QSADTemplate} - S3Region: !If - UsingDefaultBucket - !Ref AWS::Region - !Ref QSS3BucketRegion S3Bucket: !If - UsingDefaultBucket - !Sub '${QSS3BucketName}-${AWS::Region}' - !Ref QSS3BucketName QSADTemplate: !If - UseSelfManagedAD - ad-1.template - ad-3.template Parameters: !If - UseSelfManagedAD - ADServer1InstanceType: !Ref 'ADServer1InstanceType' ADServer1NetBIOSName: !Ref 'ADServer1NetBIOSName' ADServer1PrivateIP: !Ref 'ADServer1PrivateIP' ADServer2InstanceType: !Ref 'ADServer2InstanceType' ADServer2NetBIOSName: !Ref 'ADServer2NetBIOSName' ADServer2PrivateIP: !Ref 'ADServer2PrivateIP' DomainAdminPassword: !Ref 'DomainAdminPassword' DomainAdminUser: !Ref 'DomainAdminUser' DomainDNSName: !Ref 'DomainDNSName' DomainNetBIOSName: !Ref 'DomainNetBIOSName' KeyPairName: !Ref 'KeyPairName' PrivateSubnet1ID: !GetAtt 'VPCStack.Outputs.PrivateSubnet1AID' PrivateSubnet2ID: !GetAtt 'VPCStack.Outputs.PrivateSubnet2AID' QSS3BucketName: !Ref 'QSS3BucketName' QSS3BucketRegion: !Ref 'QSS3BucketRegion' QSS3KeyPrefix: !Sub '${QSS3KeyPrefix}submodules/quickstart-microsoft-activedirectory/' VPCCIDR: !Ref 'VPCCIDR' VPCID: !GetAtt 'VPCStack.Outputs.VPCID' - ADEdition: !If - UseEnterpriseEdition - 'Enterprise' - 'Standard' DomainAdminPassword: !Ref 'DomainAdminPassword' DomainDNSName: !Ref 'DomainDNSName' DomainNetBIOSName: !Ref 'DomainNetBIOSName' KeyPairName: !Ref 'KeyPairName' PrivateSubnet1ID: !GetAtt 'VPCStack.Outputs.PrivateSubnet1AID' PrivateSubnet2ID: !GetAtt 'VPCStack.Outputs.PrivateSubnet2AID' QSS3BucketName: !Ref 'QSS3BucketName' QSS3BucketRegion: !Ref 'QSS3BucketRegion' QSS3KeyPrefix: !Sub '${QSS3KeyPrefix}submodules/quickstart-microsoft-activedirectory/' VPCCIDR: !Ref 'VPCCIDR' VPCID: !GetAtt 'VPCStack.Outputs.VPCID' FSxStack: Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/fsx-windows.yaml' - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: !If - UseSelfManagedAD - DNSIP1: !Ref 'ADServer1PrivateIP' DNSIP2: !Ref 'ADServer2PrivateIP' DomainDNSName: !Ref 'DomainDNSName' FSxUserSecretsArn: !GetAtt 'ADStack.Outputs.ADSecretsArn' DomainMembersSG: !GetAtt 'ADStack.Outputs.DomainMemberSGID' PrivateSubnet1ID: !GetAtt 'VPCStack.Outputs.PrivateSubnet1AID' PrivateSubnet2ID: !GetAtt 'VPCStack.Outputs.PrivateSubnet2AID' BackupRetention: !Ref 'BackupRetention' DailyBackupTime: !Ref 'DailyBackupTime' StorageCapacity: !Ref 'StorageCapacity' ThroughputCapacity: !Ref 'ThroughputCapacity' FSxEncryptionKey: !Ref 'FSxEncryptionKey' FSxExistingKeyID: !If - HasKey - !Ref FSxExistingKeyID - !Ref 'AWS::NoValue' FSxAllowedCIDR: !Ref 'FSxAllowedCIDR' VPCID: !GetAtt 'VPCStack.Outputs.VPCID' WeeklyMaintenanceTime: !Ref 'WeeklyMaintenanceTime' - ActiveDirectoryId: !GetAtt 'ADStack.Outputs.DirectoryID' DomainMembersSG: !GetAtt 'ADStack.Outputs.DomainMemberSGID' PrivateSubnet1ID: !GetAtt 'VPCStack.Outputs.PrivateSubnet1AID' PrivateSubnet2ID: !GetAtt 'VPCStack.Outputs.PrivateSubnet2AID' BackupRetention: !Ref 'BackupRetention' DailyBackupTime: !Ref 'DailyBackupTime' StorageCapacity: !Ref 'StorageCapacity' ThroughputCapacity: !Ref 'ThroughputCapacity' FSxEncryptionKey: !Ref 'FSxEncryptionKey' FSxExistingKeyID: !If - HasKey - !Ref 'FSxExistingKeyID' - !Ref 'AWS::NoValue' FSxAllowedCIDR: !Ref 'FSxAllowedCIDR' VPCID: !GetAtt 'VPCStack.Outputs.VPCID' WeeklyMaintenanceTime: !Ref 'WeeklyMaintenanceTime' RDGWStack: Type: AWS::CloudFormation::Stack Condition: CreateRDGW Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-microsoft-rdgateway/templates/rdgw-domain.template' - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: DomainAdminPassword: !Ref 'DomainAdminPassword' DomainAdminUser: !Ref 'DomainAdminUser' DomainDNSName: !Ref 'DomainDNSName' DomainMemberSGID: !GetAtt 'ADStack.Outputs.DomainMemberSGID' DomainNetBIOSName: !Ref 'DomainNetBIOSName' KeyPairName: !Ref 'KeyPairName' NumberOfRDGWHosts: !Ref 'NumberOfRDGWHosts' PublicSubnet1ID: !GetAtt 'VPCStack.Outputs.PublicSubnet1ID' PublicSubnet2ID: !GetAtt 'VPCStack.Outputs.PublicSubnet2ID' QSS3BucketName: !Ref 'QSS3BucketName' QSS3BucketRegion: !Ref 'QSS3BucketRegion' QSS3KeyPrefix: !Sub '${QSS3KeyPrefix}submodules/quickstart-microsoft-rdgateway/' RDGWInstanceType: !Ref 'RDGWInstanceType' RDGWCIDR: !Ref 'RDGWCIDR' VPCID: !GetAtt 'VPCStack.Outputs.VPCID'