AWSTemplateFormatVersion: '2010-09-09' Description: 'Template for IBM Security Guardium Insights deployment into an existing VPC. *WARNING* This template creates EC2 instances and related resources. You will be billed for the AWS resources used if you create a stack from this template. (qs-1t8abe2qp)' Metadata: QuickStartDocumentation: EntrypointName: 'Launch IBM Security Guardium Insights into an existing VPC on AWS' Order: '2' cfn-lint: config: ignore_checks: - W2001 - W9006 - E9101 - E9010 AWSAMIRegionMap: Filters: RHEL79HVM: name: RHEL-7.9_HVM-20??????-x86_64-0-Hourly2-GP2 owner-id: '309956199498' architecture: x86_64 virtualization-type: hvm AWS::CloudFormation::Interface: ParameterGroups: - Label: default: Availability Zone configuration Parameters: - NumberOfAZs - AvailabilityZones - Label: default: Network configuration Parameters: - VPCID - VPCCIDR - PrivateSubnet1ID - PublicSubnet1ID - BootNodeAccessCIDR - Label: default: DNS configuration Parameters: - DomainName - Label: default: Amazon EC2 configuration Parameters: - KeyPairName - Label: default: Red Hat OpenShift hosts configuration Parameters: - GIProductionSize - NumberOfMaster - NumberOfGINodes - NumberOfDb2DataNodes - MasterInstanceType - GINodeInstanceType - Db2DataNodeInstanceType - ClusterName - Label: default: Red Hat subscription information Parameters: - RedhatPullSecret - Label: default: Storage Configuration Parameters: - StorageType - NumberOfOCS - OCSInstanceType - Label: default: IBM Security Guardium Insights configuration Parameters: - LicenseAgreement - LicenseType - GIVersion - AdminUsername - AdminPassword - Namespace - RepositoryPassword - HostName - IngressKeyFile - IngressCertFile - IngressCAFile - StorageClassRWO - StorageClassRWX - GIDeploymentLogsBucketName - Label: default: AWS Quick Start configuration Parameters: - QSS3BucketName - QSS3BucketRegion - QSS3KeyPrefix ParameterLabels: NumberOfAZs: default: Number of Availability Zones AvailabilityZones: default: Availability Zones VPCID: default: VPC ID VPCCIDR: default: VPC CIDR PrivateSubnet1ID: default: Private subnet 1 ID PublicSubnet1ID: default: Public subnet 1 ID BootNodeAccessCIDR: default: Boot node external access CIDR DomainName: default: Domain name KeyPairName: default: Key pair name GIProductionSize: default: IBM Security Guardium Insights production size NumberOfMaster: default: Number of control plane nodes NumberOfGINodes: default: Number of Guardium Insights nodes NumberOfDb2DataNodes: default: Number of Db2 data nodes MasterInstanceType: default: Master node instance type GINodeInstanceType: default: Guardium Insights node instance type Db2DataNodeInstanceType: default: Db2 data node instance type ClusterName: default: Cluster name RedhatPullSecret: default: Red Hat OpenShift pull secret StorageType: default: Cluster storage type NumberOfOCS: default: Number of OCS nodes OCSInstanceType: default: OCS instance type LicenseAgreement: default: License agreement LicenseType: default: License type GIVersion: default: IBM Security Guardium Insights version Namespace: default: IBM Security Guardium Insights namespace AdminUsername: default: Administrator username AdminPassword: default: Administrator password RepositoryPassword: default: Repository password HostName: default: IBM Security Guardium Insights host name IngressKeyFile: default: TLS certificate IngressCertFile: default: TLS key IngressCAFile: default: Custom TLS certificate StorageClassRWO: default: Storage classes read-write-only (RWO) for IBM Security Guardium Insights StorageClassRWX: default: Storage classes read-write-many (RWX) for IBM Security Guardium Insights GIDeploymentLogsBucketName: default: Output S3 bucket name QSS3BucketName: default: Quick Start S3 bucket name QSS3BucketRegion: default: Quick Start S3 bucket Region QSS3KeyPrefix: default: Quick Start S3 key prefix Parameters: NumberOfAZs: AllowedValues: - '1' Default: '1' Description: >- The number of Availability Zone used for the deployment of IBM Security Guardium Insights. Type: String AvailabilityZones: Description: The list of Availability Zones to use for the subnet in the VPC. The Quick Start uses one Availability Zone. Type: List VPCID: Description: The ID of your existing VPC for deployment. Type: AWS::EC2::VPC::Id VPCCIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block notation must follow the format "x.x.x.x/16–28". Default: '10.0.0.0/16' Description: CIDR block for existing VPC. Type: String PrivateSubnet1ID: Description: The ID of the private subnet in Availability Zone 1 for the workload (for example, "subnet-a0246dcd"). Type: String PublicSubnet1ID: Description: The ID of the public subnet in Availability Zone 1 for the Elastic Load Balancing (ELB) load balancer (for example, "subnet-9bc642ac"). Type: String BootNodeAccessCIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ ConstraintDescription: CIDR block notation must follow the format "x.x.x.x/x". Description: CIDR IP range that is permitted to access the boot node instance. Set this value to a trusted IP range. The value "0.0.0.0/0" permits access to all IP addresses. Additional values can be added from the Amazon EC2 console after deployment. Type: String DomainName: AllowedPattern: ^(\S+)$ ConstraintDescription: Must contain a valid base domain. Description: Amazon Route 53 base domain configured for your Red Hat OpenShift Container Platform cluster. Must be a valid base domain (for example, "example.com"). Type: String KeyPairName: Description: Name of an existing public/private key pair, which allows you to securely connect to your instance after it launches. If you do not have a key pair in this AWS Region, create one before continuing. Type: AWS::EC2::KeyPair::KeyName GIProductionSize: AllowedValues: - xsmall - small - med - large - xlarge Default: small Description: >- Size of your IBM Security Guardium Insights production. Type: String NumberOfMaster: AllowedValues: - 3 Default: 3 Description: Desired number of control plane node instances. Type: Number NumberOfGINodes: AllowedValues: - 2 - 3 - 4 - 5 Default: 3 Description: >- Desired number of Guardium Insights node instances. Choose "2" if the Guardium Insights production size is extra small. Choose "3" if the production size is small. Choose "4" if the production size is medium. Choose "5" if the production size is large. Note: If the number of compute node instances exceeds your Red Hat entitlement limits or AWS instance limits, the stack will fail. Choose a number that is within your limits. Type: Number NumberOfDb2DataNodes: AllowedValues: - 1 - 2 - 3 - 5 Default: 2 Description: >- Desired number of IBM Db2 data node instances. Choose "1" if the Guardium Insights production size is extra small. Choose "2" if the production size is small. Choose "3" if the production size is medium or large. Note: If the number of compute node instances exceeds your Red Hat entitlement limits or AWS instance limits, the stack will fail. Choose a number that is within your limits. Type: Number MasterInstanceType: AllowedValues: - m5.2xlarge Default: m5.2xlarge Description: EC2 instance type for the Red Hat OpenShift Container Platform control plane node instances. Instance must have 8 cores CPU, 16 GB RAM, and 120 GB storage. Type: String GINodeInstanceType: AllowedValues: - m5.4xlarge - m5.8xlarge Default: m5.4xlarge Description: >- EC2 instance type for the Guardium Insights node instances. Choose "m5.4xlarge" (16 cores CPU, 64 GB RAM, 120 GB storage) if the Guardium Insights production size is small, medium or large. Choose "m5.8xlarge" (32 cores CPU, 128 GB RAM, 120 GB storage) if the production size is extra small. Type: String Db2DataNodeInstanceType: AllowedValues: - m5.4xlarge - m5.8xlarge - m5.16xlarge Default: m5.4xlarge Description: >- EC2 instance type for the Db2 data node instances. Choose "m5.4xlarge" (16 cores CPU, 64 GB RAM, 120 GB storage) if the Guardium Insights production size is small. Choose "m5.8xlarge" (32 cores CPU, 128 GB RAM, 120 GB storage) if the production size is extra small or medium. Choose "m5.16xlarge" (64 cores CPU, 256 GB RAM, 120 GB storage) if the production size is large. Type: String ClusterName: AllowedPattern: ^[0-9a-z-.]*$ ConstraintDescription: Must contain valid cluster name. The name must start with a letter, and can contain letters, numbers, periods (.), and hyphen (-). Description: Red Hat OpenShift Container Platform cluster name. The name must start with a letter and can contain letters, numbers, periods (.), and hyphens (-). Use a name that is unique across Regions. Type: String RedhatPullSecret: AllowedPattern: ^s3:\/\/+[0-9a-z-.\/]*$ ConstraintDescription: Must contain a valid S3 URI path of Red Hat OpenShift Installer Provisioned Infrastructure pull secret (for example, "s3://my-bucket/path/to/pull-secret"). Description: S3 URI path of Red Hat OpenShift Installer Provisioned Infrastructure pull secret (for example, "s3://my-bucket/path/to/pull-secret"). Type: String StorageType: AllowedValues: - 'OCS' Default: 'OCS' Description: Openshift Container Storage (OCS) as default Storage class. Type: String NumberOfOCS: AllowedValues: - 3 - 5 Default: 3 Description: >- Desired number of OpenShift container storage node instances. Choose "3" for an extra small or small Guardium Insights production deployment. Choose "5" for a medium or large production deployment. Type: Number OCSInstanceType: AllowedValues: - m5.4xlarge ConstraintDescription: Must contain a valid instance type. Instance must have 8 cores CPU, 16 GB RAM, and 120 GB storage. Default: m5.4xlarge Description: The EC2 instance type for the OpenShift Container Storage instances. Type: String LicenseAgreement: AllowedValues: - 'I agree' - '-' ConstraintDescription: You must agree to the license terms for IBM Security Guardium Insights to continue. Default: '-' Description: Choose "I agree" to confirm that you have read the IBM Security Guardium Insights license and accept the terms. Type: String LicenseType: AllowedValues: - 'L-GBLK-CDVHGZ (IBM Security Guardium Package (Software))' - 'L-TESX-C86NC4 (IBM Security Guardium Insights for IBM Cloud Pak for Security (Gen 3))' - 'L-TESX-C86NPQ (IBM Security Guardium Insights for IBM Cloud Pak for Security)' Default: 'L-GBLK-CDVHGZ (IBM Security Guardium Package (Software))' Description: IBM Security Guardium Insights license types, confirm entitled part name in IBM-provided Proof of Entitlement. Type: String GIVersion: AllowedValues: - '3.2.3' - '3.2.4' Default: '3.2.4' Description: Version of IBM Security Guardium Insights to be deployed. Type: String Namespace: ConstraintDescription: IBM Security Guardium Insights namespace must be 3–10 characters in length. Description: The OpenShift project where IBM Security Guardium Insights is deployed. MaxLength: 10 MinLength: 3 Type: String RepositoryPassword: AllowedPattern: ^(\S+)$ ConstraintDescription: A IBM Entitled Registry password is required. Description: IBM Entitled Registry password. Type: String NoEcho: 'true' AdminUsername: Default: 'gi-admin' ConstraintDescription: The administrator username must be 3-32 characters in length. Description: User with administrator privileges in IBM Security Guardium Insights. The administrator username must be 3–32 characters in length. MaxLength: 32 MinLength: 3 Type: String AdminPassword: Default: '' Description: >- (Optional) Password for accessing the IBM Security Guardium Insights platform. If no password is provided, the default password generated during deployment can be retrieved from "GIAdminSecret" resource. Type: String NoEcho: 'true' HostName: Default: '' Description: Host name for the IBM Security Guardium Insights application. Type: String IngressKeyFile: AllowedPattern: ^(|s3:\/\/+[0-9a-z-.\/]*)$ ConstraintDescription: Must be a valid S3 URI path of the TLS certificate file that is associated with the IBM Security Guardium Insights application domain (for example, "s3://my-bucket/path/to/cert"). Default: '' Description: (Optional) S3 URI path of the TLS certificate file that is associated with the IBM Security Guardium Insights application domain (for example, "s3://my-bucket/path/to/cert"). Type: String IngressCertFile: AllowedPattern: ^(|s3:\/\/+[0-9a-z-.\/]*)$ ConstraintDescription: Must be a valid S3 URI path of the TLS key file that is associated with the IBM Security Guardium Insights application domain (for example, "s3://my-bucket/path/to/cert"). Default: '' Description: (Optional) S3 URI path of the TLS key file that is associated with the IBM Security Guardium Insights application domain (for example, "s3://my-bucket/path/to/cert"). Type: String IngressCAFile: AllowedPattern: ^(|s3:\/\/+[0-9a-z-.\/]*)$ ConstraintDescription: Must be a valid S3 URI path of the custom TLS certificate file that is associated with the IBM Security Guardium Insights application domain (for example, "s3://my-bucket/path/to/cert"). Default: '' Description: (Optional) S3 URI path of the custom TLS certificate file that is associated with the IBM Security Guardium Insights application domain (for example, "s3://my-bucket/path/to/cert"). Type: String StorageClassRWO: AllowedValues: - 'gp2' Default: 'gp2' Description: Read-write-only (RWO) storage class for using IBM Security Guardium Insights. Type: String StorageClassRWX: AllowedValues: - 'ocs-storagecluster-cephfs' Default: 'ocs-storagecluster-cephfs' Description: Read-write-many (RWX) storage class for using IBM Security Guardium Insights. Type: String GIDeploymentLogsBucketName: AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$ ConstraintDescription: S3 bucket name must be 3–63 characters. It can include numbers, lowercase letters, and hyphens (-), but cannot start or end with a hyphen (-). Description: >- Name of the S3 bucket for IBM Security Guardium Insights deployment logs. This S3 bucket is created with the stack. Deployment logs contain a record of bootstrap scripting actions and are useful for troubleshooting failed deployments. S3 bucket name must be 3–63 characters. It can include numbers, lowercase letters, uppercase letters, and hyphens (-), but cannot start or end with a hyphen (-). MaxLength: 63 MinLength: 3 Type: String QSS3BucketName: AllowedPattern: '[0-9a-z-]*$' ConstraintDescription: S3 bucket name must be 3–63 characters. It can include numbers, lowercase letters, and hyphens (-), but cannot start or end with a hyphen (-). Description: >- Name of the S3 bucket for your copy of the deployment assets. Keep the default name unless you are customizing the template. Changing the name updates code references to point to a new location. MaxLength: 63 MinLength: 3 Default: 'aws-quickstart' Type: String QSS3BucketRegion: Default: 'us-east-1' Description: 'AWS Region where the S3 bucket (QSS3BucketName) is hosted. Keep the default Region unless you are customizing the template. Changing the Region updates code references to point to a new location. When using your own bucket, specify the Region.' Type: String QSS3KeyPrefix: AllowedPattern: '^[0-9a-zA-Z-/]*$' ConstraintDescription: The S3 key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slashes (/). End the prefix with a forward slash. Default: quickstart-ibm-security-guardium-insights/ Description: S3 key prefix that is used to simulate a folder for your copy of the deployment assets. Keep the default prefix unless you are customizing the template. Changing the prefix updates code references to point to a new location. Type: String Rules: AdminUsernameRule: Assertions: - Assert: Fn::Not : [{"Fn::Equals" : [{"Ref" : "AdminUsername"}, "admin"]}] AssertDescription: Value cannot be 'admin'. LicenseAgreementRule: Assertions: - Assert: Fn::Contains: - - I agree - Ref: LicenseAgreement AssertDescription: User must agree to the terms of the license agreement. SubnetsInVPC: Assertions: - Assert: !EachMemberIn - !ValueOfAll - AWS::EC2::Subnet::Id - VpcId - !RefAll 'AWS::EC2::VPC::Id' AssertDescription: All subnets must be in the VPC. XsmallProductionSizeRule: RuleCondition: Fn::Equals : [{"Ref" : "GIProductionSize"}, "xsmall"] Assertions: - Assert: Fn::Equals : [{"Ref" : "NumberOfGINodes"}, "2"] AssertDescription: Number of Guardium Insights nodes must be 2 for xsmall production size. - Assert: Fn::Equals : [{"Ref" : "NumberOfDb2DataNodes"}, "1"] AssertDescription: Number of Db2 data nodes must be 1 for xsmall production size. - Assert: Fn::Equals : [{"Ref" : "GINodeInstanceType"}, "m5.8xlarge"] AssertDescription: Guardium Insights node instance type must be 'm5.8xlarge' for xsmall production size. - Assert: Fn::Equals : [{"Ref" : "Db2DataNodeInstanceType"}, "m5.8xlarge"] AssertDescription: Db2 data node instance type must be 'm5.8xlarge' for xsmall production size. - Assert: Fn::Equals : [{"Ref" : "NumberOfOCS"}, "3"] AssertDescription: Number of OCS nodes must be 3 for xsmall production size. SmallProductionSizeRule: RuleCondition: Fn::Equals : [{"Ref" : "GIProductionSize"}, "small"] Assertions: - Assert: Fn::Equals : [{"Ref" : "NumberOfGINodes"}, "3"] AssertDescription: Number of Guardium Insights nodes must be 3 for small production size. - Assert: Fn::Equals : [{"Ref" : "NumberOfDb2DataNodes"}, "2"] AssertDescription: Number of Db2 data nodes must be 2 for small production size. - Assert: Fn::Equals : [{"Ref" : "GINodeInstanceType"}, "m5.4xlarge"] AssertDescription: Guardium Insights node instance type must be 'm5.4xlarge' for small production size. - Assert: Fn::Equals : [{"Ref" : "Db2DataNodeInstanceType"}, "m5.4xlarge"] AssertDescription: Db2 data node instance type must be 'm5.4xlarge' for small production size. - Assert: Fn::Equals : [{"Ref" : "NumberOfOCS"}, "3"] AssertDescription: Number of OCS nodes must be 3 for small production size. MediumProductionSizeRule: RuleCondition: Fn::Equals : [{"Ref" : "GIProductionSize"}, "med"] Assertions: - Assert: Fn::Equals : [{"Ref" : "NumberOfGINodes"}, "4"] AssertDescription: Number of Guardium Insights nodes must be 4 for med production size. - Assert: Fn::Equals : [{"Ref" : "NumberOfDb2DataNodes"}, "3"] AssertDescription: Number of Db2 data nodes must be 3 for med production size. - Assert: Fn::Equals : [{"Ref" : "GINodeInstanceType"}, "m5.4xlarge"] AssertDescription: Guardium Insights node instance type must be 'm5.4xlarge' for med production size. - Assert: Fn::Equals : [{"Ref" : "Db2DataNodeInstanceType"}, "m5.8xlarge"] AssertDescription: Db2 data node instance type must be 'm5.8xlarge' for med production size. - Assert: Fn::Equals : [{"Ref" : "NumberOfOCS"}, "5"] AssertDescription: Number of OCS nodes must be 5 for med production size. LargeProductionSizeRule: RuleCondition: Fn::Equals : [{"Ref" : "GIProductionSize"}, "large"] Assertions: - Assert: Fn::Equals : [{"Ref" : "NumberOfGINodes"}, "5"] AssertDescription: Number of Guardium Insights nodes must be 5 for large production size. - Assert: Fn::Equals : [{"Ref" : "NumberOfDb2DataNodes"}, "3"] AssertDescription: Number of Db2 data nodes must be 3 for large production size. - Assert: Fn::Equals : [{"Ref" : "GINodeInstanceType"}, "m5.4xlarge"] AssertDescription: Guardium Insights node instance type must be 'm5.4xlarge' for large production size. - Assert: Fn::Equals : [{"Ref" : "Db2DataNodeInstanceType"}, "m5.16xlarge"] AssertDescription: Db2 data node instance type must be 'm5.16xlarge' for large production size. - Assert: Fn::Equals : [{"Ref" : "NumberOfOCS"}, "5"] AssertDescription: Number of OCS nodes must be 5 for large production size. XLargeProductionSizeRule: RuleCondition: Fn::Equals: [{ "Ref": "GIProductionSize" }, "xlarge"] Assertions: - Assert: Fn::Equals: [{ "Ref": "NumberOfGINodes" }, "5"] AssertDescription: Number of Guardium Insights nodes must be 5 for xlarge production size. - Assert: Fn::Equals: [{ "Ref": "NumberOfDb2DataNodes" }, "5"] AssertDescription: Number of Db2 data nodes must be 5 for xlarge production size. - Assert: Fn::Equals: [{ "Ref": "GINodeInstanceType" }, "m5.4xlarge"] AssertDescription: Guardium Insights node instance type must be 'm5.4xlarge' for xlarge production size. - Assert: Fn::Equals: [{ "Ref": "Db2DataNodeInstanceType" }, "m5.16xlarge"] AssertDescription: Db2 data node instance type must be 'm5.16xlarge' for xlarge production size. - Assert: Fn::Equals: [{ "Ref": "NumberOfOCS" }, "3"] AssertDescription: Number of OCS nodes must be 3 for xlarge production size. Mappings: AWSAMIRegionMap: ap-northeast-1: RHEL79HVM: ami-0073b6113281aa32e COREOS: ami-021e9f89e696e1d97 ap-northeast-2: RHEL79HVM: ami-04adf7ab262061270 COREOS: ami-02cc61557cf74d503 ap-northeast-3: RHEL79HVM: ami-0ea15419fc3544d6a COREOS: ami-058e08a0b401c73a4 ap-south-1: RHEL79HVM: ami-01dd6bbea8d062bf3 COREOS: ami-015a1f7b7ee92e58a ap-southeast-1: RHEL79HVM: ami-0ee6bfca4452064bc COREOS: ami-0124892edfd2f7e40 ap-southeast-2: RHEL79HVM: ami-0bf7d72cc0b127581 COREOS: ami-03710422fdfe57137 ca-central-1: RHEL79HVM: ami-0f1c453d5ca1059f0 COREOS: ami-091fb0c6997a904b6 eu-central-1: RHEL79HVM: ami-0a62e33b5dcf31c85 COREOS: ami-0ee576f17174d481b eu-north-1: RHEL79HVM: ami-0a32f8cdd314cf493 COREOS: ami-06746cb8416c35a5d eu-west-1: RHEL79HVM: ami-06211bde2f9c725e5 COREOS: ami-079eb028a24ce6d4a eu-west-2: RHEL79HVM: ami-0a8aebd46fb700315 COREOS: ami-0ef085042484cec5f eu-west-3: RHEL79HVM: ami-07185297899bb7755 COREOS: ami-04586e3357c6ea2c6 sa-east-1: RHEL79HVM: ami-08acb85e5164523d7 COREOS: ami-037d98ac73652fac8 us-east-1: RHEL79HVM: ami-09b40379115c82c17 COREOS: ami-0e6075c4736ca2c44 us-east-2: RHEL79HVM: ami-0bb2449c2217cb9b0 COREOS: ami-0b31da9d291c8b166 us-west-1: RHEL79HVM: ami-085733fd69e77a079 COREOS: ami-044a2582d07898b95 us-west-2: RHEL79HVM: ami-027da4fca766221c9 COREOS: ami-0c47fbbc8defcf370 Conditions: UsingDefaultBucket: !Equals [!Ref QSS3BucketName, 'aws-quickstart'] Resources: GIIAMUser: Type: 'AWS::IAM::User' Properties: ManagedPolicyArns: - !Sub arn:${AWS::Partition}:iam::aws:policy/AdministratorAccess GIIAMUserAccessKey: Type: 'AWS::IAM::AccessKey' Properties: UserName: !Ref GIIAMUser GISecret: Type: "AWS::SecretsManager::Secret" Properties: SecretString: !Sub '{"repositoryPassword":"${RepositoryPassword}", "adminPassword":"${AdminPassword}"}' OpenShiftSecret: Type: "AWS::SecretsManager::Secret" Properties: SecretString: '{"ocpPassword": null}' GIAdminSecret: Type: "AWS::SecretsManager::Secret" Properties: SecretString: '{"adminPassword": null}' LambdaExecutionRole: Type: AWS::IAM::Role Metadata: cfn-lint: config: ignore_checks: - EIAMPolicyWildcardResource ignore_reasons: - EIAMPolicyWildcardResource: "Wildcard resource for SendCommand action allowed by design" Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: lambda.amazonaws.com Action: sts:AssumeRole ManagedPolicyArns: - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore' - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonSSMDirectoryServiceAccess' - !Sub 'arn:${AWS::Partition}:iam::aws:policy/CloudWatchAgentServerPolicy' Path: / Policies: - PolicyName: lambda-cleanUpLambda PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - ssm:SendCommand Resource: "*" - Effect: Allow Action: - ssm:PutParameter - ssm:GetParameter - ssm:DeleteParameter Resource: - !Sub arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/* - Effect: Allow Action: - logs:FilterLogEvents Resource: - !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:* BootNodeIamRole: Type: AWS::IAM::Role Metadata: cfn-lint: config: ignore_checks: - EIAMPolicyActionWildcard - EIAMPolicyWildcardResource ignore_reasons: - EIAMPolicyActionWildcard: "Describe* actions permitted by design" - EIAMPolicyWildcardResource: "Wildcard resource allowed by design" Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: - "ec2.amazonaws.com" Action: - "sts:AssumeRole" Path: "/" ManagedPolicyArns: - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore' - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonSSMDirectoryServiceAccess' - !Sub 'arn:${AWS::Partition}:iam::aws:policy/CloudWatchAgentServerPolicy' - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AWSCloudFormationReadOnlyAccess' Policies: - PolicyName: bootnode-policy PolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Action: "ec2:Describe*" Resource: "*" - Effect: "Allow" Action: "ec2:AttachVolume" Resource: "*" - Effect: "Allow" Action: "ec2:DetachVolume" Resource: "*" - Effect: "Allow" Action: "s3:GetObject" Resource: !Sub - arn:${AWS::Partition}:s3:::${S3Bucket}/${QSS3KeyPrefix}* - S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}', !Ref QSS3BucketName] - Effect: "Allow" Action: - "secretsmanager:GetSecretValue" - "secretsmanager:UpdateSecret" Resource: - !Ref GISecret - !Ref AWSCredentialSecret - !Ref OpenShiftSecret - !Ref GIAdminSecret - Effect: "Allow" Action: "s3:ListBucket" Resource: !Sub arn:${AWS::Partition}:s3:::${GIDeploymentLogsBucketName} - Effect: "Allow" Action: "s3:PutObject" Resource: !Sub arn:${AWS::Partition}:s3:::${GIDeploymentLogsBucketName}/* - Effect: Allow Action: - ssm:SendCommand - ssm:PutParameter - ssm:GetParameter Resource: - '*' OpenShiftURL: Type: AWS::SSM::Parameter Properties: Name: !Sub "${AWS::StackName}-OpenShiftURL" Type: String Value: "PlaceHolder" GuaridumInsightsURL: Type: AWS::SSM::Parameter Properties: Name: !Sub "${AWS::StackName}-GuaridumInsightsURL" Type: String Value: "PlaceHolder" AdminUser: Type: AWS::SSM::Parameter Properties: Name: !Sub "${AWS::StackName}-AdminUser" Type: String Value: "PlaceHolder" BootnodeInstanceProfile: Type: "AWS::IAM::InstanceProfile" Properties: Path: "/" Roles: - Ref: "BootNodeIamRole" BootnodeSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Cluster Bootnode Security Group SecurityGroupIngress: - IpProtocol: tcp FromPort: 22 ToPort: 22 CidrIp: !Ref BootNodeAccessCIDR SecurityGroupEgress: - IpProtocol: "-1" CidrIp: 0.0.0.0/0 VpcId: !Ref VPCID AWSCredentialSecret: Type: "AWS::SecretsManager::Secret" Properties: SecretString: !Sub - '{"aws_secret_access_key":"${GIIAMUserAccessKey}, "aws_access_key_id":"${GIIAMUserSecret}"}' - {GIIAMUserAccessKey: !Ref GIIAMUserAccessKey, GIIAMUserSecret: !GetAtt [GIIAMUserAccessKey, SecretAccessKey]} BootnodeInstance: Type: AWS::EC2::Instance Metadata: AWS::CloudFormation::Init: configSets: Required: - StackPropertiesFile StackPropertiesFile: files: /root/mystack.props: content: !Sub | AWS_REGION=${AWS::Region} AWS_STACKID="${AWS::StackId}" AWS_STACKNAME="${AWS::StackName}" /root/.aws/config: content: !Sub | [default] region=${AWS::Region} /root/.aws/credentials: content: !Sub - | [default] aws_access_key_id=${GIIAMUserAccessKey} aws_secret_access_key=${GIIAMUserSecret} - GIIAMUserAccessKey: !Ref GIIAMUserAccessKey GIIAMUserSecret: !GetAtt [GIIAMUserAccessKey, SecretAccessKey] Properties: KeyName: !Ref 'KeyPairName' ImageId: !FindInMap [AWSAMIRegionMap, !Ref "AWS::Region", RHEL79HVM] BlockDeviceMappings: - DeviceName: /dev/sda1 Ebs: VolumeSize: 500 VolumeType: gp2 IamInstanceProfile: !Ref BootnodeInstanceProfile Tags: - Key: Name Value: BootNode InstanceType: i3.large NetworkInterfaces: - GroupSet: - !Ref BootnodeSecurityGroup AssociatePublicIpAddress: true DeviceIndex: '0' DeleteOnTermination: true SubnetId: !Ref PublicSubnet1ID UserData: Fn::Base64: !Sub - | #!/bin/bash -x yum install -y git yum install -y wget yum install -y unzip yum install -y python3 yum install -y jq git clone https://github.com/aws-quickstart/quickstart-linux-utilities.git #file to set up system-wide environment variables touch /etc/profile.d/gi_install.sh echo "export P=/quickstart-linux-utilities/quickstart-cfn-tools.source" >> /etc/profile.d/gi_install.sh #load the environment variables into the current shell session source /etc/profile.d/gi_install.sh source $P qs_bootstrap_pip || qs_err " pip bootstrap failed " qs_aws-cfn-bootstrap || qs_err " cfn bootstrap failed " pip3 install awscli &> /var/log/userdata.awscli_install.log || qs_err " awscli install failed " /usr/bin/cfn-init -v --stack ${AWS::StackName} --resource BootnodeInstance --configsets Required --region ${AWS::Region} # Signal the status from cfn-init /usr/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource BootnodeInstance --region ${AWS::Region} echo -e "export GI_QS_S3URI=s3://${QSS3BucketName}/${QSS3KeyPrefix}\nexport INGRESS_KEYFILE_S3URI=${IngressKeyFile}\nexport INGRESS_CERTFILE_S3URI=${IngressCertFile}\nexport INGRESS_CAFILE_S3URI=${IngressCAFile}\nexport AWS_REGION=${AWS::Region}\nexport AWS_STACKID=${AWS::StackId}\nexport AWS_STACKNAME=${AWS::StackName}\nexport AMI_ID='${AMI_ID}'\nexport GI_SECRET='${GISecret}'\nexport OCP_SECRET='${OpenShiftSecret}'\nexport GI_ADMIN_SECRET='${GIAdminSecret}'\nexport GIInstallationCompletedURL='${GIInstallationCompletedHandle}'" >> /etc/profile.d/gi_install.sh source /etc/profile.d/gi_install.sh mkdir -p /quickstart mkdir -p /ibm chmod -R 755 /ibm aws s3 cp ${!GI_QS_S3URI}scripts/bootstrap.sh /quickstart/ chmod +x /quickstart/bootstrap.sh ./quickstart/bootstrap.sh - AMI_ID: !FindInMap [AWSAMIRegionMap, !Ref "AWS::Region", COREOS] CleanUpLambda: Type: AWS::Lambda::Function Properties: Code: ZipFile: | import boto3 import json import cfnresponse import os import traceback import time def handler(event, context): responseData = {} try: print("event_obj:",json.dumps(event)) print(event['RequestType']) if event['RequestType'] == 'Delete': print("Run unsubscribe script") ssm = boto3.client('ssm',region_name=os.environ['Region']) instanceID = os.environ['BootNode'] stackname = os.environ['StackName'] print(instanceID) response = ssm.send_command(Targets=[{"Key":"instanceids","Values":[instanceID]}], DocumentName="AWS-RunShellScript", Parameters={"commands":["/ibm/destroy.sh %s" %(stackname)], "executionTimeout":["1200"], "workingDirectory":["/ibm"]}, Comment="Execute script in uninstall openshift", TimeoutSeconds=120) print(response) current_status = "WAIT" final_status = "READY" parameterName = stackname+"_CleanupStatus" response = ssm.put_parameter(Name=parameterName, Description="Waiting for CleanupStatus to be READY", Value=current_status, Type='String', Overwrite=True) print(response) while(current_status!=final_status): time.sleep(30) response = ssm.get_parameter(Name=parameterName) parameter = response.get('Parameter') current_status = parameter.get('Value') print(current_status) ssm.delete_parameter(Name=parameterName) except Exception as e: print(e) traceback.print_exc() cfnresponse.send(event, context, cfnresponse.SUCCESS, {}, '') Environment: Variables: Region: !Ref AWS::Region BootNode: !Ref BootnodeInstance StackName: !Ref AWS::StackName Handler: index.handler Role: !GetAtt 'LambdaExecutionRole.Arn' Runtime: python3.7 Timeout: 600 Cleanup: Type: Custom::Cleanup Properties: DependsOn: BootnodeInstance ServiceToken: !GetAtt 'CleanUpLambda.Arn' GIInstallationCompletedHandle: Type: AWS::CloudFormation::WaitConditionHandle GIInstallationCompleted: Type: AWS::CloudFormation::WaitCondition Properties: Count: 1 Handle: !Ref GIInstallationCompletedHandle Timeout: '30000' Outputs: BootnodePublicIp: Description: Boot node public IP address. Value: !GetAtt BootnodeInstance.PublicIp AdminUsername: Description: The username to access the IBM Security Guardium Insights platform. Value: !GetAtt AdminUser.Value OpenShiftWebConsoleURL: Description: Red Hat OpenShift Container platform web console URL. Value: !GetAtt OpenShiftURL.Value GIWebClientURL: Description: IBM Security Guardium Insights platform URL. Value: !GetAtt GuaridumInsightsURL.Value Postdeployment: Description: See the deployment guide for postdeployment steps. Value: https://fwd.aws/4zzGq?