AWSTemplateFormatVersion: 2010-09-09 Description: 'HashiCorp Consul + VPC Aug,28,2019 (qs-1qup6ra81)' Metadata: QuickStartDocumentation: EntrypointName: "Launch into a new VPC" LICENSE: 'Apache License, Version 2.0' 'AWS::CloudFormation::Interface': ParameterGroups: - Label: default: 'VPC network configuration' Parameters: - AvailabilityZones - VPCCIDR - PrivateSubnet1CIDR - PrivateSubnet2CIDR - PrivateSubnet3CIDR - PublicSubnet1CIDR - PublicSubnet2CIDR - PublicSubnet3CIDR - AccessCIDR - Label: default: Consul setup Parameters: - ConsulInstanceType - ConsulVersion - ConsulTemplateVersion - ConsulServerNodes - ConsulClientNodes - KeyPairName - EnablegRPC - Label: default: "DNS and SSL configuration" Parameters: - LoadBalancerFQDN - HostedZoneID - SSLCertificateArn - Label: default: AWS Quick Start configuration Parameters: - QSS3BucketName - QSS3KeyPrefix - QSS3BucketRegion ParameterLabels: AccessCIDR: default: Permitted IP range AvailabilityZones: default: Availability Zones KeyPairName: default: Key name PrivateSubnet1CIDR: default: Private Subnet 1 CIDR PrivateSubnet2CIDR: default: Private Subnet 2 CIDR PrivateSubnet3CIDR: default: Private Subnet 3 CIDR PublicSubnet1CIDR: default: Public Subnet 1 CIDR PublicSubnet2CIDR: default: Public Subnet 2 CIDR PublicSubnet3CIDR: default: Public Subnet 3 CIDR QSS3BucketName: default: Quick Start S3 bucket name QSS3KeyPrefix: default: Quick Start S3 key prefix QSS3BucketRegion: default: Quick Start S3 bucket Region VPCCIDR: default: VPC CIDR SSLCertificateArn: default: SSL certificate ARN HostedZoneID: default: Route 53 hosted zone ID LoadBalancerFQDN: default: Load Balancer FQDN ConsulInstanceType: default: Consul cluster node instance type ConsulVersion: default: Consul version ConsulTemplateVersion: default: Consul template version ConsulServerNodes: default: Number of Consul server nodes ConsulClientNodes: default: Number of Consul client nodes EnablegRPC: default: Enable gRPC Parameters: AvailabilityZones: Description: >- List of Availability Zones to use for the subnets in the VPC. Note: The logical order is preserved. (3 Three Availability ZonesAZs are used for this deployment.) Type: 'List' AccessCIDR: AllowedPattern: >- ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ Description: >- The CIDR IP range that is permitted to access Consul. Note: a value of 0.0.0.0/0 will allow access from ANY ip address Type: String ConsulVersion: Type: String Description: The version of Consul to be created. AllowedValues: - '1.7.0' - '1.12.0' Default: '1.12.0' ConsulTemplateVersion: Type: String Description: The version of Consul template to be used. AllowedValues: - '0.24.0' - '0.29.0' Default: '0.29.0' ConsulServerNodes: Type: String Description: The number of Consul server nodes that will be created. You can choose 3, 5, or 7 nodes. AllowedValues: - '3' - '5' - '7' Default: '3' ConsulClientNodes: Type: String Description: The number of Consul client nodes that will be created. Default: '0' ConsulInstanceType: Type: String Default: m5.large Description: The EC2 instance type for the Consul instances. AllowedValues: - t2.micro - t2.small - t2.medium - t2.large - m5.large - m5.xlarge - m4.xlarge - m4.large - m4.xlarge - m3.medium - m3.large - m3.xlarge - m3.2xlarge - c4.large - c4.xlarge - c4.2xlarge - c4.4xlarge - c4.8xlarge - c3.large - c3.xlarge - c3.2xlarge - c3.4xlarge - c3.8xlarge - r3.large - r3.xlarge - r3.2xlarge - r3.4xlarge - r3.8xlarge - i2.xlarge - i2.2xlarge - i2.4xlarge - i2.8xlarge ConstraintDescription: Choose an instance type. m3.medium or larger recommended. KeyPairName: Description: >- Public/private key pairs allow you to securely connect to your instance after it launches Type: 'AWS::EC2::KeyPair::KeyName' #MinLength: 1 PrivateSubnet1CIDR: AllowedPattern: >- ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ Default: 10.0.0.0/19 Description: CIDR block for private subnet 1 located in Availability Zone 1. Type: String PrivateSubnet2CIDR: AllowedPattern: >- ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ Default: 10.0.32.0/19 Description: CIDR block for private subnet 2 located in Availability Zone 2. Type: String PrivateSubnet3CIDR: AllowedPattern: >- ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ Default: 10.0.64.0/19 Description: CIDR block for private subnet 3 located in Availability Zone 3. Type: String PublicSubnet1CIDR: AllowedPattern: >- ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ Default: 10.0.128.0/20 Description: CIDR block for the public DMZ subnet 1 located in Availability Zone 1 Type: String PublicSubnet2CIDR: AllowedPattern: >- ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ Default: 10.0.144.0/20 Description: CIDR block for the public DMZ subnet 2 located in Availability Zone 2 Type: String PublicSubnet3CIDR: AllowedPattern: >- ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ Default: 10.0.160.0/20 Description: CIDR block for the public DMZ subnet 3 located in Availability Zone 3 Type: String QSS3BucketName: AllowedPattern: '^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$' ConstraintDescription: >- Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Default: aws-quickstart Description: >- S3 bucket name for the Quick Start assets. Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Type: String QSS3BucketRegion: Default: 'us-east-1' Description: "Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. If you use your own bucket, specify the applicable Region." Type: String QSS3KeyPrefix: AllowedPattern: '^[0-9a-zA-Z-/]*$' ConstraintDescription: >- Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/). Default: quickstart-hashicorp-consul/ Description: >- S3 key prefix for the Quick Start assets. Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/). Type: String VPCCIDR: AllowedPattern: >- ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ Default: 10.0.0.0/16 Description: CIDR block for the VPC Type: String SSLCertificateArn: Description: The Amazon resource Name(ARN) of the SSL certificate to use for the load balancer. Use 'SSLCertificateArn' if you are not using 'LoadBalancerFQDN' and 'HostedZoneID'. Type: String Default: '' HostedZoneID: Description: Route 53 Hosted Zone ID of the domain name. Used in conjunction with 'LoadBalancerFQDN'. Type: String MaxLength: 32 Default: '' LoadBalancerFQDN: Description: The fully qualified domain name for the load balancer. Use with 'HostedZoneID' if you are NOT using SSL. Type: String Default: '' EnablegRPC: Description: Enable gRPC on the Consul server cluster. Type: String Default: "false" AllowedValues: - "true" - "false" Conditions: UsingDefaultBucket: !Equals [!Ref QSS3BucketName, 'aws-quickstart'] GovCloudCondition: !Equals - !Ref AWS::Region - us-gov-west-1 SetupRoute53: !And - !Not - !Equals - !Ref 'HostedZoneID' - '' - !Not - !Equals - !Ref 'LoadBalancerFQDN' - '' # Rules: # DomainNamePresentWithHostedID: # Assertions: # - Assert: !Or # - !Equals [!Ref HostedZoneID, ''] # - !Not [!Equals [!Ref LoadBalancerFQDN, '']] # AssertDescription: "Please specify a 'Domain Name' if you specify 'Route 53 Hosted Zone ID'" # GenerateOrProvideSSL: # Assertions: # - Assert: !Or # - !Not [!Equals [!Ref SSLCertificateArn, '']] # - !And # - !Not [!Equals [!Ref HostedZoneID, '']] # - !Not [!Equals [!Ref LoadBalancerFQDN, '']] # - !And # - !Not [!Equals [!Ref LoadBalancerFQDN, '']] # - !Equals [!Ref SSLCertificateArn, ''] # AssertDescription: "Using an SSL certificate is enforced. A CertificateArn or a HostedZoneID and LoadBalancerFQDN must be provided." # ProvideSSHKey: # Assertions: # - Assert: !Not [!Equals [ !Ref KeyPairName, '']] # AssertDescription: "KeyPairName must be provided." Resources: VPCStack: Properties: Parameters: AvailabilityZones: Fn::Join: - "," - Ref: AvailabilityZones KeyPairName: Ref: KeyPairName NumberOfAZs: '3' PrivateSubnet1ACIDR: Ref: PrivateSubnet1CIDR PrivateSubnet2ACIDR: Ref: PrivateSubnet2CIDR PrivateSubnet3ACIDR: Ref: PrivateSubnet3CIDR PublicSubnet1CIDR: Ref: PublicSubnet1CIDR PublicSubnet2CIDR: Ref: PublicSubnet2CIDR PublicSubnet3CIDR: Ref: PublicSubnet3CIDR VPCCIDR: Ref: VPCCIDR TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-aws-vpc/templates/aws-vpc.template' - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Type: AWS::CloudFormation::Stack BastionStack: Type: 'AWS::CloudFormation::Stack' Properties: TemplateURL: !Sub >- https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}submodules/quickstart-linux-bastion/templates/linux-bastion.template Parameters: BastionAMIOS: Ubuntu-Server-20.04-LTS-HVM BastionInstanceType: 't3.medium' KeyPairName: !Ref KeyPairName PublicSubnet1ID: !GetAtt - VPCStack - Outputs.PublicSubnet1ID PublicSubnet2ID: !GetAtt - VPCStack - Outputs.PublicSubnet2ID QSS3BucketName: !Ref QSS3BucketName QSS3KeyPrefix: !Sub '${QSS3KeyPrefix}submodules/quickstart-linux-bastion/' RemoteAccessCIDR: !Ref AccessCIDR VPCID: !GetAtt - VPCStack - Outputs.VPCID HashiCorpConsulStack: Type: 'AWS::CloudFormation::Stack' Properties: TemplateURL: !Sub >- https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}templates/quickstart-hashicorp-consul.template Parameters: BastionSecurityGroupID: !GetAtt - BastionStack - Outputs.BastionSecurityGroupID PrivateSubnet1ID: !GetAtt - VPCStack - Outputs.PrivateSubnet1AID PrivateSubnet2ID: !GetAtt - VPCStack - Outputs.PrivateSubnet2AID PrivateSubnet3ID: !GetAtt - VPCStack - Outputs.PrivateSubnet3AID PublicSubnet1ID: !GetAtt - VPCStack - Outputs.PublicSubnet1ID PublicSubnet2ID: !GetAtt - VPCStack - Outputs.PublicSubnet2ID PublicSubnet3ID: !GetAtt - VPCStack - Outputs.PublicSubnet3ID VPCID: !GetAtt - VPCStack - Outputs.VPCID VPCCIDR: !Ref VPCCIDR ConsulVersion: !Ref ConsulVersion ConsulTemplateVersion: !Ref ConsulTemplateVersion ConsulServerNodes: !Ref ConsulServerNodes ConsulClientNodes: !Ref ConsulClientNodes ConsulInstanceType: !Ref ConsulInstanceType EnablegRPC: !Ref EnablegRPC KeyPair: !Ref KeyPairName ConsulEc2RetryTagKey: "quickstart-consul-cluster" ConsulEc2RetryTagValue: "consul-member-node" QSS3BucketName: !Ref QSS3BucketName QSS3KeyPrefix: !Ref QSS3KeyPrefix SSLCertificateArn: !Ref SSLCertificateArn HostedZoneID: !Ref HostedZoneID LoadBalancerFQDN: !Ref LoadBalancerFQDN Outputs: ConsulEc2RetryTagKey: Value: !GetAtt "HashiCorpConsulStack.Outputs.ConsulEc2RetryTagKey" Description: The EC2 instance tag key to filter on when joining to other Consul nodes. ConsulEc2RetryTagValue: Value: !GetAtt "HashiCorpConsulStack.Outputs.ConsulEc2RetryTagValue" Description: The EC2 instance tag value to filter on when joining to other Consul nodes. ConsulServerELB: Description: The public URL of your Consul Load Balancer. Create a CNAME record pointing at this Load Balancer. Value: !GetAtt "HashiCorpConsulStack.Outputs.ConsulServerELB" ConsulServerFQDN: Condition: SetupRoute53 Description: The public CNAME pointing to your Consul Load Balancer. Value: !GetAtt "HashiCorpConsulStack.Outputs.ConsulServerFQDN"