--- AWSTemplateFormatVersion: 2010-09-09 ###################################### ## Stack Description ###################################### Description: >- This template creates an HVR Bastion host environment in a specified VPC public subnet. The Bastion Host is based on the HVR 5.7 BYOL Marketplace Image. This will allow you to open the HVR GUI from the Bastion Host - connecting to the HVR HUB in the private subnet. **WARNING** This template creates EC2 instance a Network Load Balancer and related resources. You will be billed for the AWS resources used if you create a stack from this template.(qs-1roo3sq6e) ###################################### ## Stack Metadata ###################################### Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: default: End User License Agreement (EULA) - HVR CDC Parameters: - AcceptedEULA - Label: default: "VPC network configuration" Parameters: - VPCID - VPCCIDR - PublicSubnet1 - PublicSubnet2 - RemoteAccessCIDR - Label: default: "HVR EC2 Configuration" Parameters: - HVRInstanceTypeBastion - KeyName - Label: default: Tag identifiers Parameters: - TagEnvironment - Label: default: Public key for HVR communication Parameters: - HVRPubKeyBase64 ParameterLabels: AcceptedEULA: default: Accepted EULA from AWS Marketplace VPCID: default: VPCID ID VPCCIDR: default: CIDR Block for the VPC PublicSubnet1: default: Public subnet 1 ID PublicSubnet2: default: Public subnet 2 ID HVRInstanceTypeBastion: default: HVR EC2 instance type for HVR Bastion Host RemoteAccessCIDR: default: Allowed CIDR to Bastion Host KeyName: default: Key pair name TagEnvironment: default: Environment Tag HVRPubKeyBase64: default: HVR Public Key (base64) License: Apache-2.0 ###################################### ## Parameters ###################################### Parameters: AcceptedEULA: AllowedValues: - "yes" - "no" Default: "yes" Description: >- PLEASE READ THE HVR SOFTWARE LICENSE AGREEMENT (https://www.hvr-software.com/license-agreement/) CAREFULLY BEFORE USING THE SOFTWARE. The HVR stack can be created only if you have already accepted the EULA. To accept the EULA, see https://aws.amazon.com/marketplace/pp/B077YM8HPW. Type: String VPCID: Type: AWS::EC2::VPC::Id Description: The ID of the existing VPC that contains the subnets. VPCCIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.0.0/16 Description: CIDR block for the VPC Type: String PublicSubnet1: Type: AWS::EC2::Subnet::Id Description: Select the first public subnet in your selected VPC. HVR will initially run here. PublicSubnet2: Type: AWS::EC2::Subnet::Id Description: Select the second public subnet in a second availibility zone in your selected VPC. HVR will run here in the event of a failure in the first AZ. HVRInstanceTypeBastion: Description: General Purpose EC2 instance Type: String Default: t3.medium AllowedValues: [ t3.medium, t3.large, c5.large, ] ConstraintDescription: Must be a valid EC2 instance type. TagEnvironment: Type: String AllowedValues: - dev - test - qa - prod Description: Designates the environment stage of the associated AWS resource. Default: "dev" RemoteAccessCIDR: AllowedPattern: "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$" ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/x Description: The CIDR address from which you will connect to the Bastion Host. Type: String KeyName: Description: Name of an existing EC2 KeyPair to enable SSH access to the instance Type: AWS::EC2::KeyPair::KeyName ConstraintDescription: must be the name of an existing EC2 KeyPair. # The HVR Public key to allow secure communication. This is set as a parameter, and will be obtained from the HVR Stack output # The HVRPubKeyBase64 value must be a Base64 encoded public key - see the HVRStack HVRPubKeyBase64: Description: | Specify HVR public key certificate (to be entered as a base64 string) to be used for secure HVR communication with the HVR Hub The default location is /opt/hvr/hvr_home/lib/cert and the file name used in this example is qshvr.pub_cert. A method to get this string from your public certificate, is using the base64 utility, example: "cat qshvr.pub_cert \| base64" The Quickstart does provide a sample default set of private/public keys (see hvrhub stack template) - this should be changed for production systems. Type: String NoEcho: true Default: | LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM5RENDQWR5Z0F3SUJBd0lCQURBTkJna3Fo a2lHOXcwQkFRc0ZBREFvTVFzd0NRWURWUVFHRXdKT1RERVoKTUJjR0ExVUVBd3dRU0ZaU0lFVjRZ VzF3YkdVZ1MyVjVjekFlRncweU1ERXlNekV3TURVek1qSmFGdzAwTURFeQpNall3TURVek1qSmFN Q2d4Q3pBSkJnTlZCQVlUQWs1TU1Sa3dGd1lEVlFRRERCQklWbElnUlhoaGJYQnNaU0JMClpYbHpN SUlCSURBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVEwQU1JSUJDQUtDQVFFQXB4Q1hVUFN6cUJlVys5 ZFoKbkFTNndQRXJPWVZSYkxhRStleTZUTW84bWUzTldzY044aW1TQktjYnViVFA2ajFUNEd1VzhS QVlaK3pJZGh4TQpRZmswYzRqMUR0NElPRll5UURIOFdHLzlxU3Rmc1psNjJOV2FwNXhDNWxFU0Mx MmQ1dkRqOUp3LzRlV29oU3J4CnBsY3EveVh6SWNoVWdyaWkxbExKSlFEMHUyTWxDQmN3ZjVVQkIv ZWFHa1U4SGZLMHU3MHhWcmtOYnJqYTRweSsKZFNJOS85VnFMWnpRNWZ1aGNhb1Q0WU9WbGpaUUpq UTN1clpaTVVtUnRybWl1SEVpdGtqa3NTeXNkZDdaODI1LwpoNWI3bkMzdlJ0VTExVnk3N3VtT0FB d2htbXJ3bitXb2JqZ0ZyenlvYWVwOVphV1dZY09mMTFKYUlnYk1WdUY1CklKTEUxd0lCQTZNck1D a3dKd1lKWUlaSUFZYjRRZ0VOQkJvV0dFZGxibVZ5WVhSbFpDQmllU0JJVmxJZ05TNDMKTGpBdk9E QU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFhckVVYjNxeUcya0dYM1VMNXJHSlo3eW1kTktUMTls eQpLWnBLeWVCMjcvU1hPWVg3RDBITWNESlhlSk9vaGkvcmRBdGR2dXBiU3ZLK1dqSVR6amlSZ0Nw em05ZmNyTlFyCi81RzdONVdKSDJOK3I4cStuZGNaVnhZTytBaHA0djBkVXdDcGlUeVI1dUhWZ1g1 VlpWSyttSFZjTllxalgxaG4KTUVqeW1yUVRwUHdWeEpSY2FKaE9peC9wcThadStmZzRqQ3FrNC9D OTQzMjVPQnZ0ZEhXMkZ6UGZ4TERPM1pUSgpmVE5pTnV0VEM1MDMxZEc0SEJGWGtWdnAxenk3bDRx U2ZVWG1YR0dSMkNETlhYaDVHeVJpWlpFQUlpSHBoR21LClMyUHZlREJPN1B1RDdCcWpqK1BkcE5x UFdzVTN5M3dabHZhcjBkT3NKYWZXSmlYb2x0ay9wZz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0t LS0K ###################################### ## Condition definitions ###################################### Conditions: IsAcceptedEULA: !Equals - !Ref AcceptedEULA - "yes" ###################################### ## Mapping definitions ###################################### Mappings: RegionMap: eu-north-1: AMI: ami-09c028d029aa47c59 ap-south-1: AMI: ami-05b45cb4d48b27c2c eu-west-3: AMI: ami-0d5190aced2bf17ec eu-west-2: AMI: ami-04cf781936ce8f63d eu-west-1: AMI: ami-0e8d392b3ddf9659b ap-northeast-3: AMI: ami-0e7913085a4c9b509 ap-northeast-2: AMI: ami-0c0bae7a0dd8a5098 ap-northeast-1: AMI: ami-07d5ef58b1dbfdbeb sa-east-1: AMI: ami-02654fc04ad5454e5 ca-central-1: AMI: ami-049d7a3dfd3295ac1 ap-southeast-1: AMI: ami-0a23712d215e8963d ap-southeast-2: AMI: ami-01e9fcbbfa56e4c60 eu-central-1: AMI: ami-0a302ce05f1f03bc5 us-east-1: AMI: ami-05ceb67c8f00b6ae4 us-east-2: AMI: ami-0ed20b612db8061af us-west-1: AMI: ami-02dbdb6715defb628 us-west-2: AMI: ami-0ed596901365f3378 ###################################### ## Declaration of stack resources ###################################### Resources: ## ------------------------------------------------------------ # ## Create S3 Bucket to store NLB Access Logs ## - explicit block public access ## ------------------------------------------------------------ # NLBAccessLogsBucket: Type: AWS::S3::Bucket DeletionPolicy: Retain UpdateReplacePolicy: Retain Properties: PublicAccessBlockConfiguration: BlockPublicAcls: true BlockPublicPolicy: true IgnorePublicAcls: true RestrictPublicBuckets: true BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: SSEAlgorithm: 'aws:kms' ## ------------------------------------------------------------ # ## Create S3 Bucket Policy (NLB Access Logs) ## ------------------------------------------------------------ # NLBAccessLogsBucketPolicy: Type: AWS::S3::BucketPolicy Properties: PolicyDocument: Id: NLBAccessLogsBucketPolicy Version: 2012-10-17 Statement: - Sid: "AWSLogDeliveryWrite" Effect: Allow Principal: Service: "delivery.logs.amazonaws.com" Action: 's3:PutObject' Resource: !Join - '' - - 'arn:aws:s3:::' - !Ref NLBAccessLogsBucket - /AWSLogs/ - !Ref AWS::AccountId - /* - Sid: "AWSLogDeliveryAclCheck" Effect: Allow Principal: Service: "delivery.logs.amazonaws.com" Action: 's3:GetBucketAcl' Resource: !Join - '' - - 'arn:aws:s3:::' - !Ref NLBAccessLogsBucket Bucket: !Ref NLBAccessLogsBucket ## ------------------------------------------------------------ # ## Create Security Group for the HVR Bastion EC2 Instances ## - Allow SSH, and Webdesktop via Bastion host to Hub ## - Allow HVR port on internal subnet for communication with agents ## - Allow EFS Port for Mount ## ------------------------------------------------------------ # HVRSecurityGroupBastion: Condition: IsAcceptedEULA Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Security Group for the HVR Bastion Host VpcId: Ref: VPCID Tags: - Key: Name Value: !Sub hvr-bastion-SG-${TagEnvironment} - Key: EnvironmentStage Value: !Sub ${TagEnvironment} SecurityGroupIngress: ## Allow SSH - IpProtocol: tcp FromPort: 22 ToPort: 22 CidrIp: !Ref RemoteAccessCIDR Description: Allow SSH ## Allow Webdesktop - IpProtocol: tcp FromPort: 8080 ToPort: 8080 CidrIp: !Ref RemoteAccessCIDR Description: Allow port 8080 for HTTPS to HVR Webdesktop ## Allow ICMP - IpProtocol: icmp FromPort: -1 ToPort: -1 CidrIp: !Ref RemoteAccessCIDR SecurityGroupEgress: ## Allow TCP outbound to VPC CIDR Range - IpProtocol: tcp FromPort: 22 ToPort: 22 CidrIp: !Ref VPCCIDR Description: Allow outbound TCP access port 22 in VPC ## Allow TCP outbound to VPC CIDR Range - IpProtocol: tcp FromPort: 8080 ToPort: 8080 CidrIp: !Ref VPCCIDR Description: Allow outbound TCP access port 8080 in VPC - IpProtocol: tcp FromPort: 4343 ToPort: 4343 CidrIp: !Ref VPCCIDR Description: Allow outbound HVR Port Access in VPC ## Allow HTTPS Outbound - IpProtocol: tcp FromPort: 443 ToPort: 443 CidrIp: 0.0.0.0/0 Description: Allow outbound HTTPS ## ------------------------------------------------------------ # ## Create the Auto Scaling Group for the HVR Bastion Host ## - 1 EC2 Instance running at a time ## ------------------------------------------------------------ # HvrBastionAutoScalingGroup: Condition: IsAcceptedEULA Type: "AWS::AutoScaling::AutoScalingGroup" Properties: AutoScalingGroupName: !Sub hvr-bastion-ASG-${TagEnvironment} LaunchTemplate: LaunchTemplateId: !Ref HvrBastionLaunchTemplate Version: !GetAtt HvrBastionLaunchTemplate.LatestVersionNumber VPCZoneIdentifier: - !Ref PublicSubnet1 - !Ref PublicSubnet2 MinSize: "1" MaxSize: "1" Cooldown: "300" DesiredCapacity: "1" Tags: - Key: Name Value: !Sub HVRBastion-${TagEnvironment} PropagateAtLaunch: true - Key: EnvironmentStage Value: !Sub ${TagEnvironment} PropagateAtLaunch: true TargetGroupARNs: - !Ref HVRBastionNLBTargetGroup22 - !Ref HVRBastionNLBTargetGroup8080 CreationPolicy: ResourceSignal: Count: 1 Timeout: PT20M AutoScalingCreationPolicy: MinSuccessfulInstancesPercent: 100 UpdatePolicy: AutoScalingReplacingUpdate: WillReplace: true ## ------------------------------------------------------------ # ## Create the Launch Template for the HVR Bastion EC2 Instances ## ------------------------------------------------------------ # HvrBastionLaunchTemplate: Condition: IsAcceptedEULA Type: AWS::EC2::LaunchTemplate Properties: LaunchTemplateName: !Sub hvr-bastion-LT-${TagEnvironment} LaunchTemplateData: KeyName: !Ref KeyName ImageId: Fn::FindInMap: - RegionMap - Ref: AWS::Region - AMI SecurityGroupIds: - !Ref HVRSecurityGroupBastion InstanceType: !Ref HVRInstanceTypeBastion UserData: Fn::Base64: !Sub | #!/bin/bash -x systemctl stop hvr.socket systemctl disable hvr.socket echo "${HVRPubKeyBase64}" | sed 's/\ //g' | base64 -d > /opt/hvr/hvr_home/lib/cert/hvrqs.pub_cert chown hvr:hvr /opt/hvr/hvr_home/lib/cert/hvrqs.* chmod 600 /opt/hvr/hvr_home/lib/cert/hvrqs.* function cfn_fail { /opt/aws/bin/cfn-signal -e 1 --stack ${AWS::StackName} --region ${AWS::Region} --resource HvrBastionAutoScalingGroup exit 1 } function cfn_success { /opt/aws/bin/cfn-signal -e 0 --stack ${AWS::StackName} --region ${AWS::Region} --resource HvrBastionAutoScalingGroup exit 0 } # just run cfn-signal cfn_success || cfn_fail ## ------------------------------------------------------------ # ## Create the Network Load Balancer for the HVR Hub ## ------------------------------------------------------------ # HVRBastionNLB: Condition: IsAcceptedEULA Type: AWS::ElasticLoadBalancingV2::LoadBalancer Properties: Scheme: internet-facing LoadBalancerAttributes: - Key: access_logs.s3.enabled Value: "true" - Key: access_logs.s3.bucket Value: !Ref NLBAccessLogsBucket Subnets: - Ref: PublicSubnet1 - Ref: PublicSubnet2 Type: network Tags: - Key: Name Value: !Sub hvr-bastion-nlb-${TagEnvironment} - Key: EnvironmentStage Value: !Sub ${TagEnvironment} ## ------------------------------------------------------------ # ## Create the Load Balancer Target Group for the Bastion Host port 22 ## ------------------------------------------------------------ # HVRBastionNLBTargetGroup22: Condition: IsAcceptedEULA DependsOn: HVRBastionNLB Type: AWS::ElasticLoadBalancingV2::TargetGroup Properties: Name: !Sub hvr-bastion-nlbTG-22-${TagEnvironment} TargetType: instance Port: 22 Protocol: TCP VpcId: !Ref VPCID TargetGroupAttributes: - Key: deregistration_delay.timeout_seconds Value: "60" Tags: - Key: Name Value: !Sub hvr-bastion-nlb-target-port22-${TagEnvironment} - Key: EnvironmentStage Value: !Sub ${TagEnvironment} ## ------------------------------------------------------------ # ## Create the Load Balancer Target Group for the Bastion Host port 8080 ## ------------------------------------------------------------ # HVRBastionNLBTargetGroup8080: Condition: IsAcceptedEULA DependsOn: HVRBastionNLB Type: AWS::ElasticLoadBalancingV2::TargetGroup Properties: Name: !Sub hvr-bastion-nlbTG-8080-${TagEnvironment} TargetType: instance Port: 8080 Protocol: TCP VpcId: !Ref VPCID TargetGroupAttributes: - Key: deregistration_delay.timeout_seconds Value: "60" Tags: - Key: Name Value: !Sub hvr-bastion-nlb-target-port8080-${TagEnvironment} - Key: EnvironmentStage Value: !Sub ${TagEnvironment} ## ------------------------------------------------------------ # ## Create the Network Load Balancer Listener for the HVR Hub ## ------------------------------------------------------------ # HVRBastionNLBListener22: Condition: IsAcceptedEULA Type: AWS::ElasticLoadBalancingV2::Listener Properties: DefaultActions: - Type: forward TargetGroupArn: !Ref HVRBastionNLBTargetGroup22 LoadBalancerArn: !Ref HVRBastionNLB Port: 22 Protocol: TCP HVRBastionNLBListener8080: Condition: IsAcceptedEULA Type: AWS::ElasticLoadBalancingV2::Listener Properties: DefaultActions: - Type: forward TargetGroupArn: !Ref HVRBastionNLBTargetGroup8080 LoadBalancerArn: !Ref HVRBastionNLB Port: 8080 Protocol: TCP ###################################### ## Define stack output values ###################################### Outputs: HVRBastionNLBDns: Condition: IsAcceptedEULA Description: HVR Bastion Host Access Point (Load Balancer DNS) Value: !GetAtt HVRBastionNLB.DNSName HVRBastionNLBAccessLogsBucket: Condition: IsAcceptedEULA Description: HVR Bastion Host NLB Access Logs Location Value: !Ref NLBAccessLogsBucket