[#_parameters_table]
.Availability Zone configuration
[width="100%",cols="2,1,3",options="header",]
|===
|Parameter label (name) |Default value|Description
|Number of Availability Zones (`NumberOfAZs`)|`3`|The number of Availability Zones used for the deployment. Some Regions might be limited to two Availability Zones. For a single IBM Cloud Pak for Security cluster to be highly available, three Availability Zones are required to avoid a single point of failure when using three nodes. With fewer than three Availability Zones, one of the zones will have more master nodes.
|Availability Zones (`AvailabilityZones`)|`**__Requires input__**`|The list of Availability Zones to use for the subnets in the VPC. The Quick Start uses one or three Availability Zones and preserves the logical order that you specify.
|===

.Network configuration
[width="100%",cols="2,1,3",options="header",]
|===
|Parameter label (name) |Default value|Description
|VPC CIDR (`VPCCIDR`)|`10.0.0.0/16`|CIDR block for the VPC
|Private subnet 1 CIDR (`PrivateSubnet1CIDR`)|`10.0.0.0/19`|The CIDR block for the private subnet located in Availability Zone 1.
|Private subnet 2 CIDR (`PrivateSubnet2CIDR`)|`10.0.32.0/19`|The CIDR block for the private subnet located in Availability Zone 2.
|Private subnet 3 CIDR (`PrivateSubnet3CIDR`)|`10.0.64.0/19`|The CIDR block for the private subnet located in Availability Zone 3.
|Public subnet 1 CIDR (`PublicSubnet1CIDR`)|`10.0.128.0/20`|The CIDR block for the public subnet located in Availability Zone 1.
|Public subnet 2 CIDR (`PublicSubnet2CIDR`)|`10.0.144.0/20`|The CIDR block for the public subnet located in Availability Zone 2.
|Public subnet 3 CIDR (`PublicSubnet3CIDR`)|`10.0.160.0/20`|The CIDR block for the public subnet located in Availability Zone 3.
|Boot node external access CIDR (`BootNodeAccessCIDR`)|`**__Requires input__**`|The CIDR IP range that is permitted to access the boot node instance. Set this value to a trusted IP range. The value `0.0.0.0/0` permits access to all IP addresses. Additional values can be added post-deployment from the Amazon EC2 console.
|===

[#_domain_name_parameter]
.DNS configuration
[width="100%",cols="2,1,3",options="header",]
|===
|Parameter label (name) |Default value|Description
|Domain name (`DomainName`)|`**__Requires input__**`|Amazon Route 53 base domain configured for your Red Hat OpenShift Container Platform cluster. Must be a valid base domain (e.g., example.com). If you do not have a domain name, see the AWS documentation on how to register a new domain https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-register.html[here^].
|===

.Amazon EC2 configuration
[width="100%",cols="2,1,3",options="header",]
|===
|Parameter label (name) |Default value|Description
|Key pair name (`KeyPairName`)|`**__Requires input__**`|The name of an existing public/private key pair, which allows you to securely connect to your instance after it launches. If you do not have one in this AWS Region, please create it before continuing. See AWS documentation on how to create a key pair using Amazon EC2 https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html#having-ec2-create-your-key-pair[here^].
|===

.Red Hat subscription information
[width="100%",cols="2,1,3",options="header",]
|===
|Parameter label (name) |Default value|Description
|Red Hat OpenShift pull secret (`RedhatPullSecret`)|`**__Requires input__**`|S3 URI path of Red Hat OpenShift Installer Provisioned Infrastructure pull secret (e.g., s3://my-bucket/path/to/pull-secret). You can get your Red Hat pull secret from https://cloud.redhat.com/openshift/install/aws/installer-provisioned[here^].
|===

[#_cluster_name_parameter]
.Red Hat OpenShift hosts configuration
[width="100%",cols="2,1,3",options="header",]
|===
|Parameter label (name) |Default value|Description
|Number of master nodes (`NumberOfMaster`)|`3`|The desired capacity for the Red Hat Openshift Container Platform master node instances. The required number of master nodes is 3.
|Number of compute nodes (`NumberOfCompute`)|`4`|The desired capacity for the Red Hat Openshift Container Platform compute node instances. The minimum value required is 4 nodes. Note: If the number of compute node instances exceeds your Red Hat entitlement limits or AWS instance limits, the stack will fail. Choose a number that is within your limits.
|Master instance type (`MasterInstanceType`)|`m5.xlarge`|The EC2 instance type for the Red Hat Openshift Container Platform master node instances. Instance must have 4 cores CPU, 16 GB RAM and 120 GB storage.
|Compute node instance type (`ComputeInstanceType`)|`m5.2xlarge`|The EC2 instance type for the Red Hat Openshift Container Platform compute node instances. Instance must have 8 cores CPU, 32 GB RAM and 120 GB storage.
|Cluster name (`ClusterName`)|`**__Requires input__**`|Name of your Red Hat Openshift Container Platform cluster. The name must start with a letter, can contain letters, numbers, periods (.), and hyphen (-). Use a name that is unique across Regions.
|===

[#_icp4s_parameters]
.IBM Cloud Pak for Security configuration
[width="100%",cols="2,1,3",options="header",]
|===
|Parameter label (name) |Default value|Description
|License agreement (`LicenseAgreement`)|`-`|By accepting the https://ibm.biz/BdfWw8[License Agreement^], you confirm that you read the license and accept the terms for IBM Cloud Pak for Security.
|IBM Cloud Pak for Security version (`CP4SVersion`)|`1.9`|The version of IBM Cloud Pak for Security to be deployed. Currently only version 1.9 is available through AWS Quick Start.
|Red Hat OpenShift project (`Namespace`)|`cp4s`|The Red hat Openshift Container Platform project that will be created for deploying IBM Cloud Pak for Security. The namespace must contain only lowercase alphanumeric characters, must start and end with an alphanumeric character. It must be a dedicated namespace for IBM Cloud Pak for Security. Must not be default, kube-, or openshift-. The namespace is created automatically if it does not exist.
|CP4S admin user (`AdminUser`)|`**__Requires input__**`|The Admin user who will be given administrative privileges in the IBM Cloud Pak for Security default account. Specify a short name or an email ID for the administrator username. See more details on the {partner-product-name} Admin user https://ibm.biz/BdfWNz[here^].
|Repository password (`RepositoryPassword`)|`**__Requires input__**`|The password to access IBM Entitled Registry. You can acquire your IBM entitlement key from https://myibm.ibm.com/products-services/containerlibrary[here^].
|Output S3 bucket name (`CP4SDeploymentLogsBucketName`)|`**__Requires input__**`|The name of the S3 bucket where IBM Cloud Pak for Security deployment logs are to be exported. This S3 bucket will be created during the stack creation process. The deployment logs provide a record of the boot strap scripting actions and are useful for problem determination if the deployment fails in some way. This name can include numbers, lowercase letters, uppercase letters, and hyphens, but do not start or end with a hyphen (-). Bucket names must be between 3 (min) and 63 (max) characters long.
|===

[#_icp4s_optional_parameters]
.(Optional) IBM Cloud Pak for Security configuration
[width="100%",cols="2,1,3",options="header",]
|===
|Parameter label (name) |Default value|Description
|CP4S FQDN (`CP4SFQDN`)|`**__Blank string__**`|The fully qualified domain name (FQDN) created for IBM Cloud Pak for Security. When the domain is not specified, it will be generated as cp4s.<cluster_ingress_subdomain>. For more details on the {partner-product-name} FQDN requirements, see https://ibm.biz/BdfWNR[here^].
|TLS certificate (`DomainCertificate`)|`**__Blank string__**`|S3 URI path of the domain certificate file that is associated with the IBM Cloud Pak for Security domain (e.g., s3://my-bucket/path/to/cert). Update only if you specified your own FQDN for IBM Cloud Pak for Security. If the domain is not specified, the Red Hat OpenShift cluster certificates are used. For more details on TLS certificate, see https://ibm.biz/BdfWNR[here^].
|TLS key (`DomainCertificateKey`)|`**__Blank string__**`|S3 URI path of the domain certificate key file that is associated with the IBM Cloud Pak for Security domain (e.g., s3://my-bucket/path/to/key). Update only if you specified your own FQDN for IBM Cloud Pak for Security. If the domain is not specified, the Red Hat OpenShift cluster certificates are used. For more details on TLS key, see https://ibm.biz/BdfWNR[here^].
|Custom TLS certificate (`CustomCaFile`)|`**__Blank string__**`|S3 URI path of the custom ca certificate file that is associated with the IBM Cloud Pak for Security domain (e.g., s3://my-bucket/path/to/custom-ca-cert). Update only if you are using a custom or self-signed certificate. For more details on custom TLS certificate, see https://ibm.biz/BdfWNR[here^].
|Storage class (`StorageClass`)|`**__Blank string__**`|The provisioned block or file storage class to be used for creating all the PVCs required by IBM Cloud Pak for Security. When it is not specified, the default storage class will be used. The storage class cannot be modified after installation. For more details on Storage class, see https://ibm.biz/BdfWN2[here^].
|Backup storage class (`BackupStorageClass`)|`**__Blank string__**`|Storage class used for creating the backup PVC. If this value is not set, IBM Cloud Pak for Security will use the same value set in StorageClass parameter. For more details on Backup storage class, see https://ibm.biz/BdfWN2[here^].
|Backup storage size (`BackupStorageSize`)|`**__Blank string__**`|Override the default backup storage PVC size. Default value is 500Gi. Update only if you need the storage size for the backup and restore pod to be greater than 500 Gi.
|Image pull policy (`ImagePullPolicy`)|`IfNotPresent`|The pull policy for the images. When Red Hat OpenShift creates containers, it uses the ImagePullPolicy to determine whether to pull the container image from the registry before starting the container.
|IBM Security Detection and Response Center Deployment (`DeployDRC`)|`True`|Choose false to skip deployment of IBM Security Detection and Response Center (Beta). For more details on IBM Security Detection and Response Center, see https://www.ibm.com/docs/en/SSTDPP_1.9/docs/drc/c_DRC_intro.html[here^].
|IBM Security Risk Manager Deployment (`DeployRiskManager`)|`True`|Choose false to skip deployment of IBM Security Risk Manager. For more details on IBM Security Risk Manager, see https://www.ibm.com/docs/en/SSTDPP_1.9/datariskmanager/welcome.html[here^].
|IBM Security Threat Investigator Deployment (`DeployThreatInvestigator`)|`True`|Choose false to skip deployment of IBM Security Threat Investigator. For more details on IBM Security Threat Investigator, see https://www.ibm.com/docs/en/SSTDPP_1.9/investigator/investigator_intro.html[here^].
|SOAR entitlement (`SOAREntitlement`)|`**__Blank string__**`|S3 URI path of SOAR entitlement for installing Orchestration & Automation license in IBM Cloud Pak for Security (e.g., s3://my-bucket/path/to/license-key). To know how to acquire your SOAR entitlement, see {partner-product-name} https://www.ibm.com/docs/en/cloud-paks/cp-security/1.9?topic=planning-licensing-entitlement[here^].
|===

.AWS Quick Start configuration
[width="100%",cols="2,1,3",options="header",]
|===
|Parameter label (name) |Default value|Description
|Quick Start S3 bucket name (`QSS3BucketName`)|`aws-quickstart`|Name of the S3 bucket for your copy of the Quick Start assets. Do not change the default value unless you are customizing the deployment. Changing the name updates code references to point to a new Quick Start location. This name can include numbers, lowercase letters, uppercase letters, and hyphens, but do not start or end with a hyphen (-). Bucket names must be between 3 (min) and 63 (max) characters long. To know how you can customize the deployment, see https://aws-quickstart.github.io/option1.html[here^].
|Quick Start S3 bucket Region (`QSS3BucketRegion`)|`us-east-1`|The AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. Do not change the default value unless you are customizing the deployment. To know how you can customize the deployment, see https://aws-quickstart.github.io/option1.html[here^].
|Quick Start S3 key prefix (`QSS3KeyPrefix`)|`quickstart-ibm-cloud-pak-for-security/`|S3 key prefix that is used to simulate a directory for your copy of the Quick Start assets. Do not change the default value unless you are customizing the deployment. Changing this prefix updates code references to point to a new Quick Start location. This prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slashes (/). Must end with a forward slash, see https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMetadata.html[here^]. To know how you can customize the deployment, see https://aws-quickstart.github.io/option1.html[here^].
|===