AWSTemplateFormatVersion: '2010-09-09' Description: Template for IBM Cloud Pak for Security deployment into an existing VPC. **WARNING** This template creates EC2 instances and related resources. You will be billed for the AWS resources used if you create a stack from this template. (qs-1r9m3n6hu) Metadata: QuickStartDocumentation: EntrypointName: 'Launch IBM Cloud Pak for Security into an existing VPC on AWS' Order: '2' cfn-lint: config: ignore_checks: - W2001 - W9006 - E9101 - E9010 AWSAMIRegionMap: Filters: RHEL79HVM: name: RHEL-7.9_HVM-20??????-x86_64-0-Hourly2-GP2 owner-id: '309956199498' architecture: x86_64 virtualization-type: hvm AWS::CloudFormation::Interface: ParameterGroups: - Label: default: Availability Zone configuration Parameters: - NumberOfAZs - AvailabilityZones - Label: default: Network configuration Parameters: - VPCID - VPCCIDR - PrivateSubnet1ID - PrivateSubnet2ID - PrivateSubnet3ID - PublicSubnet1ID - PublicSubnet2ID - PublicSubnet3ID - BootNodeAccessCIDR - Label: default: DNS configuration Parameters: - DomainName - Label: default: Amazon EC2 configuration Parameters: - KeyPairName - Label: default: Red Hat subscription information Parameters: - RedhatPullSecret - Label: default: Red Hat OpenShift hosts configuration Parameters: - NumberOfMaster - NumberOfCompute - MasterInstanceType - ComputeInstanceType - ClusterName - Label: default: IBM Cloud Pak for Security configuration Parameters: - LicenseAgreement - CP4SVersion - Namespace - AdminUser - RepositoryPassword - CP4SDeploymentLogsBucketName - Label: default: (Optional) IBM Cloud Pak for Security configuration Parameters: - CP4SFQDN - DomainCertificate - DomainCertificateKey - CustomCaFile - StorageClass - BackupStorageClass - BackupStorageSize - ImagePullPolicy - DeployDRC - DeployRiskManager - DeployThreatInvestigator - SOAREntitlement - Label: default: AWS Quick Start configuration Parameters: - QSS3BucketName - QSS3BucketRegion - QSS3KeyPrefix ParameterLabels: NumberOfAZs: default: Number of Availability Zones AvailabilityZones: default: Availability Zones VPCID: default: VPC ID VPCCIDR: default: VPC CIDR PrivateSubnet1ID: default: Private subnet 1 ID PrivateSubnet2ID: default: Private subnet 2 ID PrivateSubnet3ID: default: Private subnet 3 ID PublicSubnet1ID: default: Public subnet 1 ID PublicSubnet2ID: default: Public subnet 2 ID PublicSubnet3ID: default: Public subnet 3 ID BootNodeAccessCIDR: default: Boot node external access CIDR DomainName: default: Domain name KeyPairName: default: Key pair name RedhatPullSecret: default: Red Hat OpenShift pull secret NumberOfMaster: default: Number of master nodes NumberOfCompute: default: Number of compute nodes MasterInstanceType: default: Master node instance type ComputeInstanceType: default: Compute node instance type ClusterName: default: Cluster name LicenseAgreement: default: License agreement CP4SVersion: default: IBM Cloud Pak for Security version Namespace: default: Red Hat OpenShift project AdminUser: default: CP4S admin user RepositoryPassword: default: Repository password CP4SDeploymentLogsBucketName: default: Output S3 Bucket Name CP4SFQDN: default: CP4S FQDN DomainCertificate: default: TLS certificate DomainCertificateKey: default: TLS key CustomCaFile: default: Custom TLS certificate StorageClass: default: Storage class BackupStorageClass: default: Backup storage class BackupStorageSize: default: Backup storage size ImagePullPolicy: default: Image pull policy DeployDRC: default: IBM Security Detection and Response Center Deployment DeployRiskManager: default: IBM Security Risk Manager Deployment DeployThreatInvestigator: default: IBM Security Threat Investigator Deployment SOAREntitlement: default: SOAR Entitlement QSS3BucketName: default: Quick Start S3 Bucket Name QSS3BucketRegion: default: Quick Start S3 Bucket Region QSS3KeyPrefix: default: Quick Start S3 Key Prefix Parameters: NumberOfAZs: AllowedValues: - '1' - '3' Default: '3' Description: >- The number of Availability Zones used for the deployment. Some Regions might be limited to two Availability Zones. For a single IBM Cloud Pak for Security cluster to be highly available, three Availability Zones are required to avoid a single point of failure when using three nodes. With fewer than three Availability Zones, one of the zones will have more master nodes. Type: String AvailabilityZones: Description: The list of Availability Zones to use for the subnets in the VPC. The Quick Start uses one or three Availability Zones and preserves the logical order that you specify. Type: List VPCID: Description: The ID of your existing VPC for deployment. Type: AWS::EC2::VPC::Id VPCCIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. Default: 10.0.0.0/16 Description: The CIDR block of the existing VPC. Type: String PrivateSubnet1ID: Description: The ID of the private subnet in Availability Zone 1 for the workload (e.g., subnet-a0246dcd). Type: String PrivateSubnet2ID: Description: The ID of the private subnet in Availability Zone 2 for the workload (e.g., subnet-b1f432cd). Type: String PrivateSubnet3ID: Description: The ID of the private subnet in Availability Zone 3 for the workload (e.g., subnet-m1fka1cl). Type: String PublicSubnet1ID: Description: The ID of the public subnet in Availability Zone 1 for the Elastic Load Balancing (ELB) load balancer (e.g., subnet-9bc642ac). Type: String PublicSubnet2ID: Description: The ID of the public subnet in Availability Zone 2 for the Elastic Load Balancing (ELB) load balancer (e.g., subnet-e3246d8e). Type: String PublicSubnet3ID: Description: The ID of the public subnet in Availability Zone 3 for the Elastic Load Balancing (ELB) load balancer (e.g., subnet-g724ae8n). Type: String BootNodeAccessCIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/x. Description: The CIDR IP range that is permitted to access the boot node instance. Set this value to a trusted IP range. The value `0.0.0.0/0` permits access to all IP addresses. Additional values can be added post-deployment from the Amazon EC2 console. Type: String DomainName: AllowedPattern: ^(\S+)$ ConstraintDescription: Must contain a valid base domain. Description: Amazon Route 53 base domain configured for your Red Hat OpenShift Container Platform cluster. Must be a valid base domain (e.g., example.com). Type: String KeyPairName: Description: Name of an existing public/private key pair, which allows you to securely connect to your instance after it launches. If you do not have one in this AWS Region, please create it before continuing. Type: AWS::EC2::KeyPair::KeyName RedhatPullSecret: AllowedPattern: ^s3:\/\/+[0-9a-z-.\/]*$ ConstraintDescription: Must contain a valid S3 URI path of Red Hat OpenShift Installer Provisioned Infrastructure pull secret (e.g., s3://my-bucket/path/to/pull-secret). Description: S3 URI path of OpenShift Installer Provisioned Infrastructure pull secret (e.g., s3://my-bucket/path/to/pull-secret). Type: String NumberOfMaster: AllowedValues: - 3 Default: 3 Description: The desired capacity for the Red Hat Openshift Container Platform master node instances. The required number of master nodes is 3. Type: Number NumberOfCompute: ConstraintDescription: The minimum number of compute nodes must be 4. Default: 4 Description: 'The desired capacity for the Red Hat Openshift Container Platform compute node instances. The minimum value required is 4 nodes. Note: If the number of compute node instances exceeds your Red Hat entitlement limits or AWS instance limits, the stack will fail. Choose a number that is within your limits.' Type: Number MinValue: 4 MasterInstanceType: AllowedValues: - m5.xlarge ConstraintDescription: Must contain a valid instance type. Instance must have 4 cores CPU, 16 GB RAM and 120 GB storage. Default: m5.xlarge Description: The EC2 instance type for the Red Hat Openshift Container Platform master node instances. Instance must have 4 cores CPU, 16 GB RAM and 120 GB storage. Type: String ComputeInstanceType: AllowedValues: - m5.2xlarge ConstraintDescription: Must contain a valid instance type. Instance must have 8 cores CPU, 32 GB RAM and 120 GB storage. Default: m5.2xlarge Description: The EC2 instance type for the Red Hat Openshift Container Platform compute node instances. Instance must have 8 cores CPU, 32 GB RAM and 120 GB storage. Type: String ClusterName: AllowedPattern: ^[0-9a-z-.]*$ ConstraintDescription: Must contain valid cluster name. The name must start with a letter, can contain letters, numbers, periods (.), and hyphen (-). Description: Name of your Red Hat Openshift Container Platform cluster. The name must start with a letter, can contain letters, numbers, periods (.), and hyphen (-). Use a name that is unique across Regions. Type: String LicenseAgreement: AllowedValues: - 'I agree' - '-' ConstraintDescription: Agree to the license terms for IBM Cloud Pak for Security. Default: '-' Description: By accepting the license agreement (https://ibm.biz/BdPrag), you confirm that you read the license and accept the terms for IBM Cloud Pak for Security. Type: String CP4SVersion: AllowedValues: - '1.9' - '1.10' Default: '1.10' Description: The version of IBM Cloud Pak for Security to be deployed. Type: String Namespace: AllowedPattern: ^([0-9a-z]*(?- The Red hat Openshift Container Platform project that will be created for deploying IBM Cloud Pak for Security. The namespace must contain only lowercase alphanumeric characters, must start and end with an alphanumeric character. It must be a dedicated namespace for IBM Cloud Pak for Security. Must not be default, kube-*, or openshift-*. The namespace is created automatically if it does not exist. Type: String AdminUser: AllowedPattern: ^(\S+)$ ConstraintDescription: Must contain a CP4S admin username. Specify a short name or an email ID for the administrator username. Admin username must have minimum 3 characters and maximum 32 characters. Description: The Admin user who will be given administrative privileges in the IBM Cloud Pak for Security default account. Specify a short name or an email ID for the administrator username. MaxLength: 32 MinLength: 3 Type: String RepositoryPassword: AllowedPattern: ^(\S+)$ ConstraintDescription: Must contain password to access IBM Entitled Registry. Description: The password to access IBM Entitled Registry. Type: String NoEcho: 'true' CP4SDeploymentLogsBucketName: AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$ ConstraintDescription: The IBM Cloud Pak for Security deployment logs bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-) and must be between 3 (min) and 63 (max) characters long. It cannot start or end with a hyphen (-). Description: >- The name of the S3 bucket where IBM Cloud Pak for Security deployment logs are to be exported. This S3 bucket will be created during the stack creation process. The deployment logs provide a record of the boot strap scripting actions and are useful for problem determination if the deployment fails in some way. This name can include numbers, lowercase letters, uppercase letters, and hyphens, but do not start or end with a hyphen (-). Bucket names must be between 3 (min) and 63 (max) characters long. MaxLength: 63 MinLength: 3 Type: String CP4SFQDN: Default: '' Description: >- The fully qualified domain name (FQDN) created for IBM Cloud Pak for Security. When the domain is not specified, it will be generated as cp4s.. For more information on the IBM Cloud Pak for Security FQDN requirements, see https://ibm.biz/BdPrSe. Type: String DomainCertificate: AllowedPattern: ^(|s3:\/\/+[0-9a-z-.\/]*)$ ConstraintDescription: Must be a valid S3 URI path of the domain certificate file that is associated with the IBM Cloud Pak for Security domain (e.g., s3://my-bucket/path/to/cert). Default: '' Description: >- S3 URI path of the domain certificate file that is associated with the IBM Cloud Pak for Security domain (e.g., s3://my-bucket/path/to/cert). Update only if you specified your own FQDN for IBM Cloud Pak for Security. If the domain is not specified, the Red Hat OpenShift cluster certificates are used. For more information on TLS certificate, see https://ibm.biz/BdPrSe. Type: String DomainCertificateKey: AllowedPattern: ^(|s3:\/\/+[0-9a-z-.\/]*)$ ConstraintDescription: Must be a valid S3 URI path of the domain certificate key file that is associated with the IBM Cloud Pak for Security domain (e.g., s3://my-bucket/path/to/key). Default: '' Description: >- S3 URI path of the domain certificate key file that is associated with the IBM Cloud Pak for Security domain (e.g., s3://my-bucket/path/to/key). Update only if you specified your own FQDN for IBM Cloud Pak for Security. If the domain is not specified, the Red Hat OpenShift cluster certificates are used. For more information on TLS key, see https://ibm.biz/BdPrSe. Type: String CustomCaFile: AllowedPattern: ^(|s3:\/\/+[0-9a-z-.\/]*)$ ConstraintDescription: Must be a valid S3 URI path of the custom ca certificate file that is associated with the IBM Cloud Pak for Security domain (e.g., s3://my-bucket/path/to/custom-ca-cert). Default: '' Description: >- S3 URI path of the custom ca certificate file that is associated with the IBM Cloud Pak for Security domain (e.g., s3://my-bucket/path/to/custom-ca-cert). Update only if you are using a custom or self-signed certificate. For more information on custom TLS certificate, see https://ibm.biz/BdPrSe. Type: String StorageClass: Default: '' Description: >- The provisioned block or file storage class to be used for creating all the PVCs required by IBM Cloud Pak for Security. When it is not specified, the default storage class will be used. The storage class cannot be modified after installation. For more details on Storage class, see https://ibm.biz/BdPrSp. Type: String BackupStorageClass: Default: '' Description: Storage class used for creating the backup PVC. If this value is not set, IBM Cloud Pak for Security will use the same value set in 'Storage class' parameter. For more details on Backup storage class, see https://ibm.biz/BdPrSp. Type: String BackupStorageSize: AllowedPattern: ^(([0-9]+[G]i)|)$ ConstraintDescription: Must be 500Gi or higher. Default: '' Description: Override the default backup storage PVC size. Default value is 500Gi. Update only if you need the storage size for the backup and restore pod to be greater than 500 Gi. Type: String ImagePullPolicy: AllowedValues: - 'Always' - 'IfNotPresent' Default: 'IfNotPresent' Description: The pull policy for the images. When Red Hat OpenShift creates containers, it uses the ImagePullPolicy to determine whether to pull the container image from the registry before starting the container. Type: String DeployDRC: AllowedValues: - 'true' - 'false' Default: 'true' Description: Choose false to skip deployment of IBM Security Detection and Response Center (Beta). For more details on IBM Security Detection Response Center, see https://ibm.biz/BdPrSg. Type: String DeployRiskManager: AllowedValues: - 'true' - 'false' Default: 'true' Description: Choose false to skip deployment of IBM Security Risk Manager. For more details on IBM Security Risk Manager, see https://ibm.biz/BdPrSh. Type: String DeployThreatInvestigator: AllowedValues: - 'true' - 'false' Default: 'true' Description: Choose false to skip deployment of IBM Security Threat Investigator. For more details on IBM Threat Investigator, see https://ibm.biz/BdPrSV. Type: String SOAREntitlement: AllowedPattern: ^(|s3:\/\/+[0-9a-z-.\/]*)$ ConstraintDescription: Must be a valid S3 URI path of SOAR Entitlement for installing Orchestration & Automation license in IBM Cloud Pak for Security (e.g., s3://my-bucket/path/to/license-key). Default: '' Description: S3 URI path of SOAR Entitlement for installing Orchestration & Automation license in IBM Cloud Pak for Security (e.g., s3://my-bucket/path/to/license-key). Type: String QSS3BucketName: AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$ ConstraintDescription: The Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-) and must be between 3 (min) and 63 (max) characters long. It cannot start or end with a hyphen (-). Default: aws-quickstart Description: >- Name of the S3 bucket for your copy of the Quick Start assets. Do not change the default value unless you are customizing the deployment. Changing the name updates code references to point to a new Quick Start location. This name can include numbers, lowercase letters, uppercase letters, and hyphens, but do not start or end with a hyphen (-). Bucket names must be between 3 (min) and 63 (max) characters long. To know how you can customize the deployment, see https://aws-quickstart.github.io/option1.html MaxLength: 63 MinLength: 3 Type: String QSS3BucketRegion: Default: 'us-east-1' Description: The AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. Do not change the default value unless you are customizing the deployment. To know how you can customize the deployment, see https://aws-quickstart.github.io/option1.html Type: String QSS3KeyPrefix: AllowedPattern: ^([0-9a-zA-Z-.]+/)*$ ConstraintDescription: The Quick Start S3 key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slashes (/). Default: quickstart-ibm-cloud-pak-for-security/ Description: >- S3 key prefix that is used to simulate a directory for your copy of the Quick Start assets. Do not change the default value unless you are customizing the deployment. Changing this prefix updates code references to point to a new Quick Start location. This prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slashes (/). Must end with a forward slash, see https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMetadata.html. To know how you can customize the deployment, see https://aws-quickstart.github.io/option1.html. Type: String Rules: AdminUserRule: Assertions: - Assert: Fn::Not : [{"Fn::Equals" : [{"Ref" : "AdminUser"}, "admin"]}] AssertDescription: Value cannot be 'admin'. LicenseAgreementRule: Assertions: - Assert: Fn::Contains: - - I agree - Ref: LicenseAgreement AssertDescription: User must agree to the terms of the license agreement. SubnetsInVPC: Assertions: - Assert: !EachMemberIn - !ValueOfAll - AWS::EC2::Subnet::Id - VpcId - !RefAll 'AWS::EC2::VPC::Id' AssertDescription: All subnets must be in the VPC. Mappings: AWSAMIRegionMap: ap-northeast-1: RHEL79HVM: ami-00e3b125d72527ff6 COREOS: ami-0159c3da631f7abc9 ap-northeast-2: RHEL79HVM: ami-0f878d6caa1fa98f0 COREOS: ami-0a327101bd17fedc3 ap-northeast-3: RHEL79HVM: ami-00fa73edc900249b0 COREOS: ami-0ebee5ee43e099c1c ap-south-1: RHEL79HVM: ami-024685afee5678595 COREOS: ami-098ad850383af01cd ap-southeast-1: RHEL79HVM: ami-057fd2d861be8fb5e COREOS: ami-01daae022c7079463 ap-southeast-2: RHEL79HVM: ami-0343583dce592b33a COREOS: ami-0e3b15e8c8d955ea3 ca-central-1: RHEL79HVM: ami-02cc622b97f7e8d45 COREOS: ami-01fdade42c3c0b36c eu-central-1: RHEL79HVM: ami-0f0fc6bdd397422dd COREOS: ami-058c9c7fb624c24c2 eu-north-1: RHEL79HVM: ami-0b844bbd294a8e075 COREOS: ami-0235e319ee2d2a254 eu-west-1: RHEL79HVM: ami-002d3240b69a0ef4e COREOS: ami-0c923d97a016b88a9 eu-west-2: RHEL79HVM: ami-045151e990cd5bf35 COREOS: ami-04efa9f4f523f3600 eu-west-3: RHEL79HVM: ami-025295ed8743be8fd COREOS: ami-0104cfaccbca0477b sa-east-1: RHEL79HVM: ami-08d0639f173f8d91c COREOS: ami-046028ce60bec4564 us-east-1: RHEL79HVM: ami-0051b1b2c5a166c8c COREOS: ami-0128a46f170d44990 us-east-2: RHEL79HVM: ami-0c1c3220d0b1716d2 COREOS: ami-00abed14c6d086cc3 us-west-1: RHEL79HVM: ami-05ca2e876e4d5669a COREOS: ami-0a8732fa044a3ee12 us-west-2: RHEL79HVM: ami-068fd644a9270e323 COREOS: ami-0309beb7e5184ff83 Conditions: UsingDefaultBucket: !Equals [!Ref QSS3BucketName, 'aws-quickstart'] Resources: CP4SIAMUser: Type: 'AWS::IAM::User' Properties: ManagedPolicyArns: - !Sub arn:${AWS::Partition}:iam::aws:policy/AdministratorAccess CP4SIAMUserAccessKey: Type: 'AWS::IAM::AccessKey' Properties: UserName: !Ref CP4SIAMUser CP4SSecret: Type: "AWS::SecretsManager::Secret" Properties: SecretString: !Sub '{"repositoryPassword":"${RepositoryPassword}"}' OpenshiftSecret: Type: "AWS::SecretsManager::Secret" Properties: SecretString: '{ "ocpPassword": null }' LambdaExecutionRole: Type: AWS::IAM::Role Metadata: cfn-lint: config: ignore_checks: - EIAMPolicyWildcardResource ignore_reasons: - EIAMPolicyWildcardResource: "Wildcard resource for SendCommand action allowed by design" Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: lambda.amazonaws.com Action: sts:AssumeRole ManagedPolicyArns: - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore' - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonSSMDirectoryServiceAccess' - !Sub 'arn:${AWS::Partition}:iam::aws:policy/CloudWatchAgentServerPolicy' Path: / Policies: - PolicyName: lambda-cleanUpLambda PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - ssm:SendCommand Resource: "*" - Effect: Allow Action: - ssm:PutParameter - ssm:GetParameter - ssm:DeleteParameter Resource: - !Sub arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/* - Effect: Allow Action: - logs:FilterLogEvents Resource: - !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:* BootNodeIamRole: Type: AWS::IAM::Role Metadata: cfn-lint: config: ignore_checks: - EIAMPolicyActionWildcard - EIAMPolicyWildcardResource ignore_reasons: - EIAMPolicyActionWildcard: "Describe* actions permitted by design" - EIAMPolicyWildcardResource: "Wildcard resource allowed by design" Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: - "ec2.amazonaws.com" Action: - "sts:AssumeRole" Path: "/" ManagedPolicyArns: - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore' - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonSSMDirectoryServiceAccess' - !Sub 'arn:${AWS::Partition}:iam::aws:policy/CloudWatchAgentServerPolicy' - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AWSCloudFormationReadOnlyAccess' Policies: - PolicyName: bootnode-policy PolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Action: "ec2:Describe*" Resource: "*" - Effect: "Allow" Action: "ec2:AttachVolume" Resource: "*" - Effect: "Allow" Action: "ec2:DetachVolume" Resource: "*" - Effect: "Allow" Action: "s3:GetObject" Resource: !Sub - arn:${AWS::Partition}:s3:::${S3Bucket}/${QSS3KeyPrefix}* - S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}', !Ref QSS3BucketName] - Effect: "Allow" Action: - "secretsmanager:GetSecretValue" - "secretsmanager:UpdateSecret" Resource: - !Ref CP4SSecret - !Ref AWSCredentialSecret - !Ref OpenshiftSecret - Effect: "Allow" Action: "s3:ListBucket" Resource: !Sub arn:${AWS::Partition}:s3:::${CP4SDeploymentLogsBucketName} - Effect: "Allow" Action: "s3:PutObject" Resource: !Sub arn:${AWS::Partition}:s3:::${CP4SDeploymentLogsBucketName}/* - Effect: Allow Action: - ssm:SendCommand - ssm:PutParameter - ssm:GetParameter Resource: - '*' OpenShiftURL: Type: AWS::SSM::Parameter Properties: Name: !Sub "${AWS::StackName}-OpenShiftURL" Type: String Value: "PlaceHolder" CP4SURL: Type: AWS::SSM::Parameter Properties: Name: !Sub "${AWS::StackName}-CP4SURL" Type: String Value: "PlaceHolder" BootnodeInstanceProfile: Type: "AWS::IAM::InstanceProfile" Properties: Path: "/" Roles: - Ref: "BootNodeIamRole" BootnodeSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Cluster Bootnode Security Group SecurityGroupIngress: - IpProtocol: tcp FromPort: 22 ToPort: 22 CidrIp: !Ref BootNodeAccessCIDR SecurityGroupEgress: - IpProtocol: "-1" CidrIp: 0.0.0.0/0 VpcId: !Ref VPCID AWSCredentialSecret: Type: "AWS::SecretsManager::Secret" Properties: SecretString: !Sub - '{"aws_secret_access_key":"${CP4SIAMUserAccessKey}, "aws_access_key_id":"${CP4SIAMUserSecret}"}' - {CP4SIAMUserAccessKey: !Ref CP4SIAMUserAccessKey, CP4SIAMUserSecret: !GetAtt [CP4SIAMUserAccessKey, SecretAccessKey]} BootnodeInstance: Type: AWS::EC2::Instance Metadata: AWS::CloudFormation::Init: configSets: Required: - StackPropertiesFile StackPropertiesFile: files: /root/mystack.props: content: !Sub | AWS_REGION=${AWS::Region} AWS_STACKID="${AWS::StackId}" AWS_STACKNAME="${AWS::StackName}" /root/.aws/config: content: !Sub | [default] region=${AWS::Region} /root/.aws/credentials: content: !Sub - | [default] aws_access_key_id=${CP4SIAMUserAccessKey} aws_secret_access_key=${CP4SIAMUserSecret} - CP4SIAMUserAccessKey: !Ref CP4SIAMUserAccessKey CP4SIAMUserSecret: !GetAtt [CP4SIAMUserAccessKey, SecretAccessKey] Properties: KeyName: !Ref 'KeyPairName' ImageId: !FindInMap [AWSAMIRegionMap, !Ref "AWS::Region", RHEL79HVM] BlockDeviceMappings: - DeviceName: /dev/sda1 Ebs: VolumeSize: 500 VolumeType: gp2 IamInstanceProfile: !Ref BootnodeInstanceProfile Tags: - Key: Name Value: BootNode InstanceType: i3.large NetworkInterfaces: - GroupSet: - !Ref BootnodeSecurityGroup AssociatePublicIpAddress: true DeviceIndex: '0' DeleteOnTermination: true SubnetId: !Ref PublicSubnet1ID UserData: Fn::Base64: !Sub - | #!/bin/bash -x yum install -y git yum install -y wget yum install -y unzip yum install -y python3 yum install -y jq git clone https://github.com/aws-quickstart/quickstart-linux-utilities.git #file to set up system-wide environment variables touch /etc/profile.d/cp4s_install.sh echo "export P=/quickstart-linux-utilities/quickstart-cfn-tools.source" >> /etc/profile.d/cp4s_install.sh #load the environment variables into the current shell session source /etc/profile.d/cp4s_install.sh source $P qs_bootstrap_pip || qs_err " pip bootstrap failed " qs_aws-cfn-bootstrap || qs_err " cfn bootstrap failed " pip install awscli &> /var/log/userdata.awscli_install.log || qs_err " awscli install failed " /usr/bin/cfn-init -v --stack ${AWS::StackName} --resource BootnodeInstance --configsets Required --region ${AWS::Region} # Signal the status from cfn-init /usr/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource BootnodeInstance --region ${AWS::Region} echo -e "export CP4S_QS_S3URI=s3://${QSS3BucketName}/${QSS3KeyPrefix}\nexport DOMAIN_CERTIFICATE_S3URI=${DomainCertificate}\nexport DOMAIN_CERTIFICATE_KEY_S3URI=${DomainCertificateKey}\nexport CUSTOM_CA_FILE_S3URI=${CustomCaFile}\nexport SOAR_ENTITLEMENT=${SOAREntitlement}\nexport AWS_REGION=${AWS::Region}\nexport AWS_STACKID=${AWS::StackId}\nexport AWS_STACKNAME=${AWS::StackName}\nexport AMI_ID='${AMI_ID}'\nexport CP4S_SECRET='${CP4SSecret}'\nexport OCP_SECRET='${OpenshiftSecret}'\nexport ICP4SInstallationCompletedURL='${ICP4SInstallationCompletedHandle}'" >> /etc/profile.d/cp4s_install.sh source /etc/profile.d/cp4s_install.sh mkdir -p /quickstart mkdir -p /ibm chmod -R 755 /ibm aws s3 cp ${!CP4S_QS_S3URI}scripts/bootstrap.sh /quickstart/ chmod +x /quickstart/bootstrap.sh ./quickstart/bootstrap.sh - AMI_ID: !FindInMap [AWSAMIRegionMap, !Ref "AWS::Region", COREOS] CleanUpLambda: Type: AWS::Lambda::Function Properties: Code: ZipFile: | import boto3 import json import cfnresponse import os import traceback import time def handler(event, context): responseData = {} try: print("event_obj:",json.dumps(event)) print(event['RequestType']) if event['RequestType'] == 'Delete': print("Run unsubscribe script") ssm = boto3.client('ssm',region_name=os.environ['Region']) instanceID = os.environ['BootNode'] stackname = os.environ['StackName'] print(instanceID) response = ssm.send_command(Targets=[{"Key":"instanceids","Values":[instanceID]}], DocumentName="AWS-RunShellScript", Parameters={"commands":["/ibm/destroy.sh %s" %(stackname)], "executionTimeout":["1200"], "workingDirectory":["/ibm"]}, Comment="Execute script in uninstall openshift", TimeoutSeconds=120) print(response) current_status = "WAIT" final_status = "READY" parameterName = stackname+"_CleanupStatus" response = ssm.put_parameter(Name=parameterName, Description="Waiting for CleanupStatus to be READY", Value=current_status, Type='String', Overwrite=True) print(response) while(current_status!=final_status): time.sleep(30) response = ssm.get_parameter(Name=parameterName) parameter = response.get('Parameter') current_status = parameter.get('Value') print(current_status) ssm.delete_parameter(Name=parameterName) except Exception as e: print(e) traceback.print_exc() cfnresponse.send(event, context, cfnresponse.SUCCESS, {}, '') Environment: Variables: Region: !Ref AWS::Region BootNode: !Ref BootnodeInstance StackName: !Ref AWS::StackName Handler: index.handler Role: !GetAtt 'LambdaExecutionRole.Arn' Runtime: python3.7 Timeout: 600 Cleanup: Type: Custom::Cleanup Properties: DependsOn: BootnodeInstance ServiceToken: !GetAtt 'CleanUpLambda.Arn' ICP4SInstallationCompletedHandle: Type: AWS::CloudFormation::WaitConditionHandle ICP4SInstallationCompleted: Type: AWS::CloudFormation::WaitCondition Properties: Count: 1 Handle: !Ref ICP4SInstallationCompletedHandle Timeout: '30000' Outputs: BootnodePublicIp: Description: Boot node public IP address. Value: !GetAtt BootnodeInstance.PublicIp CP4SAdminUser: Description: IBM Cloud Pak for Security initial user. Value: !Ref AdminUser CP4SWebClientURL: Description: IBM Cloud Pak for Security platform URL. Value: !GetAtt CP4SURL.Value OpenShiftWebConsoleURL: Description: Red Hat OpenShift Container platform web console URL. Value: !GetAtt OpenShiftURL.Value