AWSTemplateFormatVersion: '2010-09-09' Description: This template creates Amazon FSx for Windows File Server into private subnets in separate Availability Zones inside a VPC and uses AWS Directory Service for Microsoft Active Directory or Self-Managed Active directory. **WARNING** This template creates Amazon resources. You will be billed for the AWS resources used if you create a stack from this template. (qs-1qdmcdqlc) Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: default: Network configuration Parameters: - PrivateSubnet1ID - PrivateSubnet2ID - VPCID - Label: default: FSx for Windows File Server configuration Parameters: - BackupRetention - DailyBackupTime - StorageCapacity - ThroughputCapacity - DomainMembersSG - FSxAllowedCIDR - FSxEncryptionKey - FSxExistingKeyID - WeeklyMaintenanceTime - Label: default: AWS Managed Microsoft AD settings for Amazon FSx Parameters: - ActiveDirectoryId - Label: default: Self-managed Active Directory settings for Amazon FSx Parameters: - DNSIP1 - DNSIP2 - DomainDNSName - FSxUserSecretsArn - OrgUnitDN - FileSystemAdminGroup ParameterLabels: ActiveDirectoryId: default: AWS Managed Microsoft AD ID BackupRetention: default: Automated backup retention DailyBackupTime: default: Daily backup start time DNSIP1: default: IP address of DNS server DNSIP2: default: IP address of DNS server DomainDNSName: default: FQDN of your self-managed directory OrgUnitDN: default: (Optional) Organizational unit distinguished name FSxUserSecretsArn: default: AWS Secrets Manager secret ARN or name FileSystemAdminGroup: default: (Optional) Domain group name FSxEncryptionKey: default: Type of AWS KMS key used by FSx FSxExistingKeyID: default: AWS KMS key ID DomainMembersSG: default: Domain member security group ID PrivateSubnet1ID: default: Private subnet 1 ID PrivateSubnet2ID: default: Private subnet 2 ID StorageCapacity: default: Storage size ThroughputCapacity: default: Throughput capacity of Amazon FSx file system FSxAllowedCIDR: default: CIDR range allowed to connect to Amazon FSx file system VPCID: default: VPC ID WeeklyMaintenanceTime: default: Weekly maintenance start time Parameters: ActiveDirectoryId: Description: Enter the ID of the AWS Managed Microsoft AD. If you are using self-managed Active Directory, leave this blank. Default: '' Type: String BackupRetention: Description: Specify the number of days to retain automatic backups. Setting this value to 0 disables the creation of automatic backups. The maximum retention period for backups is 35 days. Default: 7 Type: Number DailyBackupTime: Description: Specify the preferred time to take daily automatic backups, formatted HH:MM in the UTC time zone. Default: '01:00' Type: String DNSIP1: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$ Description: Specify the first DNS IP address needed for the self-managed Active Directory scenario (e.g., 10.0.0.1). If using AWS Managed Microsoft AD, leave this blank. Default: '10.0.0.10' Type: String DNSIP2: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$ Description: Specify the second DNS IP address needed for the self-managed Active Directory scenario (e.g., 10.0.0.1). If using AWS Managed Microsoft AD, leave this blank. Default: '10.0.32.10' Type: String DomainDNSName: AllowedPattern: '[a-zA-Z0-9\-]+\..+' Description: Specify the fully qualified domain name (FQDN) of your self-managed directory. Domain name must not be in the Single Label Domain (SLD) format. This is required if you are using self-managed Active Directory. If using AWS Managed Microsoft AD, leave this blank. Default: example.com Type: String FSxEncryptionKey: AllowedValues: - 'Default' - 'GenerateKey' - 'UseKey' Description: Use the default AWS Key Management Service (AWS KMS) key for Amazon FSx, choose GenerateKey to create a key, or choose UseKey to use an existing key for encryption at rest on the Amazon FSx for Windows file system. Default: 'Default' Type: String FSxExistingKeyID: Description: If you chose the option to use an existing key, you must specify the KMS Key ID you want to use. Default: '' Type: String OrgUnitDN: Description: Specify the organizational unit (OU) distinguished name (DN) in your domain in which you want your file system to be joined (e.g., 'OU=FileSystems,DC=corp,DC=example,DC=com'). Default: '' Type: String FSxUserSecretsArn: Description: Specify the Amazon Resource Name (ARN) or secret name of the secret in AWS Secrets Manager for Amazon FSx to join your AD domain. Default: '' Type: String FileSystemAdminGroup: Description: Specify the domain group to which you want to delegate authority to perform administrative actions on your file system. If you don’t specify this group, Amazon FSx delegates this authority to the Domain Admins group in your AD domain by default. Default: '' Type: String DomainMembersSG: Description: Specify the ID of the security group that can exchange information with the domain controllers. Type: String PrivateSubnet1ID: Description: Choose the ID of the private subnet 1 in Availability Zone 1 (e.g., subnet-a0246dcd). Type: AWS::EC2::Subnet::Id PrivateSubnet2ID: Description: Choose the ID of the private subnet 2 in Availability Zone 2 (e.g., subnet-a0246dcd). Type: AWS::EC2::Subnet::Id StorageCapacity: Default: 32 Description: Specify the storage capacity of the file system being created, in gibibytes. Valid values are 32 GiB - 65,536 GiB. Consider choosing a higher value for greater capacity. Type: Number ThroughputCapacity: Default: 8 Description: Specify the throughput of the Amazon FSx file system. Valid values are 8 - 2048. Consider choosing a higher value for better performance. Type: Number FSxAllowedCIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Description: Specify the CIDR block that is allowed access to FSx for Windows File Server. Type: String VPCID: Description: Choose the ID of the VPC (e.g., vpc-0343606e). Type: AWS::EC2::VPC::Id WeeklyMaintenanceTime: Description: Specify the preferred start time to perform weekly maintenance, formatted d:HH:MM in the UTC time zone Default: '7:02:00' Type: String Conditions: UseAWSDirectoryService: !Not - !Equals - '' - !Ref 'ActiveDirectoryId' HasGroup: !Not - !Equals - '' - !Ref 'FileSystemAdminGroup' HasOU: !Not - !Equals - '' - !Ref 'OrgUnitDN' HasKey: !Equals - 'UseKey' - !Ref 'FSxEncryptionKey' CreateKey: !Equals - 'GenerateKey' - !Ref 'FSxEncryptionKey' UseNonDefault: !Not - !Equals - 'Default' - !Ref 'FSxEncryptionKey' Resources: FSxKMSKey: Condition: CreateKey DeletionPolicy: Retain UpdateReplacePolicy: Retain Type: AWS::KMS::Key Properties: KeyPolicy: Version: 2012-10-17 Id: !Ref AWS::StackName Statement: - Effect: Allow Principal: AWS: - !Sub 'arn:aws:iam::${AWS::AccountId}:root' Action: 'kms:*' Resource: '*' - Effect: Allow Principal: AWS: '*' Action: - 'kms:Encrypt' - 'kms:Decrypt' - 'kms:ReEncrypt*' - 'kms:GenerateDataKey*' - 'kms:CreateGrant' - 'kms:ListGrants' - 'kms:DescribeKey' Resource: '*' Condition: StringEquals: kms:ViaService: !Sub 'fsx.${AWS::Region}.amazonaws.com' kms:CallerAccount: !Sub '${AWS::AccountId}' Tags: - Key: Name Value: !Ref AWS::StackName FSxKeyAlias: Condition: CreateKey Type: AWS::KMS::Alias Properties: AliasName: !Sub "alias/${AWS::StackName}" TargetKeyId: !Ref FSxKMSKey FSxSecurityGroup: Type: 'AWS::EC2::SecurityGroup' Properties: VpcId: !Ref VPCID GroupDescription: Security Group for FSx for Windows File Storage Access SecurityGroupIngress: - IpProtocol: tcp FromPort: 53 ToPort: 53 CidrIp: !Ref FSxAllowedCIDR - IpProtocol: udp FromPort: 53 ToPort: 53 CidrIp: !Ref FSxAllowedCIDR - IpProtocol: tcp FromPort: 88 ToPort: 88 CidrIp: !Ref FSxAllowedCIDR - IpProtocol: udp FromPort: 88 ToPort: 88 CidrIp: !Ref FSxAllowedCIDR - IpProtocol: udp FromPort: 123 ToPort: 123 CidrIp: !Ref FSxAllowedCIDR - IpProtocol: tcp FromPort: 135 ToPort: 135 CidrIp: !Ref FSxAllowedCIDR - IpProtocol: udp FromPort: 389 ToPort: 389 CidrIp: !Ref FSxAllowedCIDR - IpProtocol: tcp FromPort: 389 ToPort: 389 CidrIp: !Ref FSxAllowedCIDR - IpProtocol: udp FromPort: 445 ToPort: 445 CidrIp: !Ref FSxAllowedCIDR - IpProtocol: tcp FromPort: 445 ToPort: 445 CidrIp: !Ref FSxAllowedCIDR - IpProtocol: udp FromPort: 464 ToPort: 464 CidrIp: !Ref FSxAllowedCIDR - IpProtocol: tcp FromPort: 464 ToPort: 464 CidrIp: !Ref FSxAllowedCIDR - IpProtocol: tcp FromPort: 636 ToPort: 636 CidrIp: !Ref FSxAllowedCIDR - IpProtocol: tcp FromPort: 3268 ToPort: 3268 CidrIp: !Ref FSxAllowedCIDR - IpProtocol: tcp FromPort: 3269 ToPort: 3269 CidrIp: !Ref FSxAllowedCIDR - IpProtocol: tcp FromPort: 5985 ToPort: 5985 CidrIp: !Ref FSxAllowedCIDR - IpProtocol: tcp FromPort: 9389 ToPort: 9389 CidrIp: !Ref FSxAllowedCIDR - IpProtocol: tcp FromPort: 49152 ToPort: 65535 CidrIp: !Ref FSxAllowedCIDR WindowsFSx: Type: 'AWS::FSx::FileSystem' Properties: FileSystemType: WINDOWS KmsKeyId: !If - UseNonDefault - !If - HasKey - !Ref 'FSxExistingKeyID' - !Ref 'FSxKMSKey' - !Ref 'AWS::NoValue' StorageCapacity: !Ref 'StorageCapacity' SubnetIds: - !Ref 'PrivateSubnet1ID' - !Ref 'PrivateSubnet2ID' SecurityGroupIds: - !Ref 'DomainMembersSG' - !Ref 'FSxSecurityGroup' Tags: - Key: Name Value: QSWINFSx WindowsConfiguration: !If - UseAWSDirectoryService - ActiveDirectoryId: !Ref 'ActiveDirectoryId' WeeklyMaintenanceStartTime: !Ref 'WeeklyMaintenanceTime' DailyAutomaticBackupStartTime: !Ref 'DailyBackupTime' AutomaticBackupRetentionDays: !Ref 'BackupRetention' DeploymentType: MULTI_AZ_1 PreferredSubnetId: !Ref 'PrivateSubnet1ID' ThroughputCapacity: !Ref 'ThroughputCapacity' - WeeklyMaintenanceStartTime: !Ref 'WeeklyMaintenanceTime' DailyAutomaticBackupStartTime: !Ref 'DailyBackupTime' AutomaticBackupRetentionDays: !Ref 'BackupRetention' DeploymentType: MULTI_AZ_1 PreferredSubnetId: !Ref 'PrivateSubnet1ID' ThroughputCapacity: !Ref 'ThroughputCapacity' SelfManagedActiveDirectoryConfiguration: DnsIps: - !Ref DNSIP1 - !Ref DNSIP2 DomainName: !Ref DomainDNSName FileSystemAdministratorsGroup: !If - HasGroup - !Ref 'FileSystemAdminGroup' - !Ref 'AWS::NoValue' OrganizationalUnitDistinguishedName: !If - HasOU - !Ref 'OrgUnitDN' - !Ref 'AWS::NoValue' UserName: !Join - '' - - '{{resolve:secretsmanager:' - !Ref FSxUserSecretsArn - ':SecretString:username}}' Password: !Join - '' - - '{{resolve:secretsmanager:' - !Ref FSxUserSecretsArn - ':SecretString:password}}' Outputs: FSxFileSystemID: Description: File System ID for FSx for Windows File Server Value: !Ref 'WindowsFSx' WindowsFSxSGID: Value: !Ref 'FSxSecurityGroup' Description: FSx for Windows File Server Security Group ID