AWSTemplateFormatVersion: 2010-09-09 Description: Configures an ELB and SSL Certificate (qs-1sflpub4e) Metadata: cfn-lint: config: ignore_checks: - W9002 - W9003 - W9006 Parameters: AWSHostedZoneID: Description: DNS Zone ID to contain the cluster's DNS entry (blank = no DNS) Type: String AWSPublicFQDN: Description: Website will be reachable at this address (blank = no DNS) Type: String LogBucket: Description: Bucket to write logs to Type: String PublicSubnetIds: Type: List Description: Public subnets in your VPC QSS3BucketName: AllowedPattern: "^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$" ConstraintDescription: Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Default: aws-quickstart Description: S3 bucket name for the Quick Start assets. This string can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Type: String QSS3BucketRegion: Default: 'us-east-1' Description: 'The AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. When using your own bucket, you must specify this value.' Type: String QSS3KeyPrefix: AllowedPattern: "^[0-9a-zA-Z-/]*$" ConstraintDescription: Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/). Default: quickstart-hitrust-csf/ Description: S3 key prefix for the Quick Start assets. Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/). Type: String QSTagKey: Type: String Description: Tag key to identify resources from this Quick Start QSTagValue: Type: String Description: Tag value to identify resources from this Quick Start SourceCIDR: AllowedPattern: "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$" ConstraintDescription: Must be a valid IP CIDR range of the form x.x.x.x/x. Description: IP address/range to allow access from Type: String SSLCertificateARN: Type: String Default: "" Description: The Amazon Resource Name for the existing SSL cert you wish to use; empty for none VpcCidr: AllowedPattern: "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$" ConstraintDescription: Must be a valid IP CIDR range of the form x.x.x.x/x. Type: String Description: VPC CIDR VpcId: Type: AWS::EC2::VPC::Id Description: Amazon VPC ID Mappings: Defaults: Elb: HealthCheckGracePeriod: 300 LogLocation: hitrust-qs-elb-logs Conditions: NoSSLCertificate: !Equals [ '', !Ref SSLCertificateARN ] UsingDefaultBucket: !Equals [!Ref QSS3BucketName, 'aws-quickstart'] Resources: ConfigureSSLStack: Type: AWS::CloudFormation::Stack Condition: NoSSLCertificate Properties: TemplateURL: !Sub - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/ssl-acm.template - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: QSS3BucketName: !Ref QSS3BucketName QSS3BucketRegion: !Ref QSS3BucketRegion QSS3KeyPrefix: !Ref QSS3KeyPrefix QSTagKey: !Ref QSTagKey QSTagValue: !Ref QSTagValue DomainName: !Ref AWSPublicFQDN HostedZoneID: !Ref AWSHostedZoneID LogBucket: !Ref LogBucket Tags: - Key: QSTagKey Value: QSTagValue Elb: Type: AWS::ElasticLoadBalancingV2::LoadBalancer Properties: LoadBalancerAttributes: - Key: access_logs.s3.enabled Value: 'true' - Key: access_logs.s3.bucket Value: !Ref LogBucket - Key: access_logs.s3.prefix Value: !FindInMap [ Defaults, Elb, LogLocation ] Scheme: internet-facing SecurityGroups: - !Ref ElbSecurityGroup Subnets: !Ref PublicSubnetIds Tags: - Key: !Ref QSTagKey Value: !Ref QSTagValue Type: application ElbSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: ELB Security Group for HITRUST CSF Quick Start SecurityGroupEgress: - IpProtocol: tcp FromPort: 443 ToPort: 443 CidrIp: !Ref VpcCidr SecurityGroupIngress: - IpProtocol: tcp FromPort: 443 ToPort: 443 CidrIp: !Ref SourceCIDR Tags: - Key: !Ref QSTagKey Value: !Ref QSTagValue VpcId: !Ref VpcId ElbListenerHTTPS: Type: AWS::ElasticLoadBalancingV2::Listener Properties: Certificates: - CertificateArn: !If [ NoSSLCertificate, !GetAtt ConfigureSSLStack.Outputs.ACMCertificate, !Ref SSLCertificateARN ] DefaultActions: - Type: forward TargetGroupArn: !Ref ElbTargetGroupHTTPS LoadBalancerArn: !Ref Elb Port: 443 Protocol: HTTPS ElbTargetGroupHTTPS: Type: AWS::ElasticLoadBalancingV2::TargetGroup Properties: HealthCheckIntervalSeconds: 30 HealthCheckTimeoutSeconds: 5 HealthyThresholdCount: 2 UnhealthyThresholdCount: 5 HealthCheckPath: "/landing.html" Port: 443 Protocol: HTTPS Tags: - Key: !Ref QSTagKey Value: !Ref QSTagValue VpcId: !Ref VpcId RecordAlias: Type: AWS::Route53::RecordSet Properties: AliasTarget: DNSName: !GetAtt Elb.DNSName HostedZoneId: !GetAtt Elb.CanonicalHostedZoneID HostedZoneId: !Ref AWSHostedZoneID Name: !Ref AWSPublicFQDN Type: A Outputs: ElbTargetGroupHTTPS: Value: !Ref ElbTargetGroupHTTPS Description: ELB Target Group ElbDns: Value: !GetAtt Elb.DNSName Description: ELB DNS Name ElbSecurityGroup: Value: !Ref ElbSecurityGroup Description: The ID of the security group for the load balancer RecordSet: Value: !Ref RecordAlias Description: Domain Name of the Record Set