AWSTemplateFormatVersion: '2010-09-09' Description: "This templates sets up an Ignition cluster in a new AWS VPC (qs-ign00lbf6)" Metadata: LICENSE: Apache License Version 2.0 cfn-lint: config: ignore_checks: - E9101 - W9002 - W9003 AWS::CloudFormation::Interface: ParameterGroups: - Label: default: Network configuration Parameters: - KeyPairName - AvailabilityZones - WebAccessCIDR - Label: default: Client VPN configuration Parameters: - EnableClientVPN - Label: default: Database configuration Parameters: - DBName - DBAutoMinorVersionUpgrade - DBBackupRetentionPeriod - DBEngineVersion - DBInstanceClass - DBMasterUsername - DBMasterUserPassword - DBMasterUserPassword2 - DBPort - DBMultiAZ - DBAllocatedStorageEncrypted - DBExportLogToCloudwatch - EnableEventSubscription - NotificationList - Label: default: Ignition configuration Parameters: - LicenseAgreement - IgnitionDomainName - IgnitionInstanceType - IgnitionRootUsername - IgnitionRootPassword - IgnitionRootPassword2 - Label: default: Partner Solution configuration Parameters: - QSS3BucketName - QSS3BucketRegion - QSS3KeyPrefix ParameterLabels: AvailabilityZones: default: Availability Zones EnableClientVPN: default: Enable client VPN DBEngineVersion: default: Database engine version DBName: default: Database name DBAllocatedStorageEncrypted: default: Enable database encryption DBExportLogToCloudwatch: default: Export database logs to Amazon CloudWatch DBAutoMinorVersionUpgrade: default: Automatic minor database version upgrades DBBackupRetentionPeriod: default: Database backup retention period DBInstanceClass: default: Database instance class DBMasterUsername: default: Database administrator username DBMasterUserPassword: default: Database administrator password DBMasterUserPassword2: default: Database administrator password (verification) DBPort: default: Database port DBMultiAZ: default: Multi-AZ deployment QSS3BucketName: default: Partner Solution S3 bucket name QSS3BucketRegion: default: Partner Solution S3 bucket Region QSS3KeyPrefix: default: Partner Solution S3 key prefix EnableEventSubscription: default: Enable event subscription NotificationList: default: Amazon SNS notification email KeyPairName: default: Key name WebAccessCIDR: default: Web access CIDR LicenseAgreement: default: Inductive Automation Software License Agreement IgnitionDomainName: default: Ignition domain name IgnitionInstanceType: default: Ignition instance type IgnitionRootUsername: default: Ignition root account username IgnitionRootPassword: default: Ignition root account password IgnitionRootPassword2: default: Ignition root account password (verification) Parameters: AvailabilityZones: Description: >- List of Availability Zones to use for the subnets in the VPC. Only two Availability Zones are used for this deployment, and the logical order of your selections is preserved. Type: 'List' KeyPairName: ConstraintDescription: Must be the name of an existing EC2 key pair. Description: A public/private key pair, which allows you to connect securely to your instance after it launches. Type: "AWS::EC2::KeyPair::KeyName" WebAccessCIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(0|1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form "x.x.x.x/x". Description: CIDR block to allow web access to the load balancer. Type: String QSS3BucketName: AllowedPattern: ^[0-9a-z]+([0-9a-z-\.]*[0-9a-z])*$ ConstraintDescription: >- The S3 bucket name can include numbers, lowercase letters, and hyphens (-), but it cannot start or end with a hyphen. Default: aws-quickstart Description: >- Name of the S3 bucket for your copy of the deployment assets. Keep the default name unless you are customizing the template. Changing the name updates code references to point to a new location. MinLength: 3 MaxLength: 63 Type: String QSS3BucketRegion: Default: us-east-1 Description: >- AWS Region where the S3 bucket (QSS3BucketName) is hosted. Keep the default Region unless you are customizing the template. Changing the Region updates code references to point to a new location. When using your own bucket, specify the Region. Type: String QSS3KeyPrefix: AllowedPattern: ^([0-9a-zA-Z!-_\.\*'\(\)/]+/)*$ ConstraintDescription: >- The S3 key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), underscores (_), periods (.), asterisks (*), single quotes ('), open parenthesis ((), close parenthesis ()), and forward slashes (/). End the prefix with a forward slash. Default: quickstart-inductive-automation-ignition/ Description: >- S3 key prefix that is used to simulate a folder for your copy of the deployment assets. Keep the default prefix unless you are customizing the template. Changing the prefix updates code references to point to a new location. Type: String EnableClientVPN: AllowedValues: - "true" - "false" Default: "true" Description: Choose "false" if you don't want to deploy the optional AWS Client VPN stack. Type: String DBAllocatedStorageEncrypted: Default: "true" AllowedValues: - "true" - "false" Description: Choose "false" if you don't want to encrypt the database. Type: String DBExportLogToCloudwatch: Default: "true" AllowedValues: - "true" - "false" Description: Choose "false" if you don't want to export database logs to Amazon CloudWatch. Type: String DBAutoMinorVersionUpgrade: AllowedValues: - "true" - "false" Default: "false" Description: Choose "true" to enable automatic minor database version upgrades. Type: String DBBackupRetentionPeriod: Default: "35" Description: Number of days to retain automatic database snapshots. Type: String DBEngineVersion: Description: Database engine version. Type: String Default: 14.5 AllowedValues: - 11.17 - 12.12 - 13.8 - 14.5 DBInstanceClass: AllowedPattern: "db\\.[a-z0-9]*\\.[a-z0-9]*" ConstraintDescription: "Must select a valid database instance type." Default: db.r5.large Description: Name of the class that determines the computation and memory capacity of the database instance. Type: String DBMasterUserPassword: AllowedPattern: "(?=^.{6,255}$)((?=.*\\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*" ConstraintDescription: "Minimum 8 characters." Description: Database administrator account password. MaxLength: "64" MinLength: "8" NoEcho: "True" Type: String DBMasterUserPassword2: AllowedPattern: >- ^(?=^.{8,255}$)(?=.*[a-z])(?=.*[A-Z])(?=.*\d)((?=.*[^A-Za-z0-9])(?!.*[@/"'])).*$ ConstraintDescription: >- Must have a minimum of 8 characters. Must include 1 uppercase letter, 1 lowercase letter, 1 number, and 1 symbol (not including / @ " '). Description: Verify the database administrator account password. MaxLength: "64" MinLength: "8" NoEcho: "True" Type: String DBMasterUsername: AllowedPattern: "[a-zA-Z][a-zA-Z0-9]*" ConstraintDescription: "Must begin with a letter and contain only alphanumeric characters." Default: pgadmin Description: Database administrator account user name. MaxLength: "16" MinLength: "1" Type: String DBPort: Default: 5432 Description: Database instance listener port. Type: Number ConstraintDescription: Must be in the range 1150–65535. MinValue: 1150 MaxValue: 65535 DBMultiAZ: AllowedValues: - "true" - "false" Default: "true" Description: Choose "false" if you don't want the database instance deployed to multiple Availability Zones for high availability. Type: String DBName: AllowedPattern: "[a-zA-Z][a-zA-Z0-9]*" Default: 'AuroraPostgresDB' Description: Amazon Aurora database name. MaxLength: "64" MinLength: "5" Type: String EnableEventSubscription: AllowedValues: - "true" - "false" Default: "true" Description: Choose "false" if you don't want to enable SNS topic subscription. Type: String NotificationList: Type: String Description: Email address to subscribe to the SNS topic, to receive CloudWatch alarm and Amazon RDS event notifications. AllowedPattern: '^(([^<>()\[\]\\.,;:\s@"]+(\.[^<>()\[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$' ConstraintDescription: provide a valid email address. LicenseAgreement: Description: I have read and accept the terms of the Inductive Automation Software License Agreement (https://inductiveautomation.com/ignition/license). Type: String Default: '-' AllowedValues: - I agree - '-' ConstraintDescription: You must choose "I agree" to complete the deployment. IgnitionDomainName: Description: Public domain name to generate a load balancer SSL certificate. Type: String IgnitionInstanceType: AllowedValues: - t2.nano - t2.micro - t2.small - t2.medium - t2.large - t2.xlarge - t2.2xlarge - t3.nano - t3.micro - t3.small - t3.medium - t3.large - t3.xlarge - t3.2xlarge - m5.large - m5.xlarge - m5.2xlarge - m5.4xlarge ConstraintDescription: You must choose a valid instance type. Default: m5.large Description: Amazon EC2 instance type for Ignition instances. Type: String IgnitionRootUsername: Default: admin Description: Ignition root account user name. Type: String IgnitionRootPassword: AllowedPattern: >- ^(?=^.{8,255}$)(?=.*[a-z])(?=.*[A-Z])(?=.*\d)((?=.*[^A-Za-z0-9])(?!.*[@/"'])).*$ ConstraintDescription: >- Must have a minimum of 8 characters. Must include 1 uppercase letter, 1 lowercase letter, 1 number, and 1 symbol (not including / @ " '). Description: Ignition root account password. MaxLength: 64 MinLength: 8 NoEcho: True Type: String IgnitionRootPassword2: AllowedPattern: >- ^(?=^.{8,255}$)(?=.*[a-z])(?=.*[A-Z])(?=.*\d)((?=.*[^A-Za-z0-9])(?!.*[@/"'])).*$ ConstraintDescription: >- Must have a minimum of 8 characters. Must include 1 uppercase letter, 1 lowercase letter, 1 number, and 1 symbol (not including / @ " '). Description: Verify the Ignition root account password. MaxLength: 64 MinLength: 8 NoEcho: True Type: String Rules: LicenseAgreementRule: Assertions: - Assert: Fn::Contains: - - I agree - Ref: LicenseAgreement AssertDescription: User must agree to the terms of the license agreement. DBPasswordRule: Assertions: - Assert: Fn::Equals: - Ref: DBMasterUserPassword - Ref: DBMasterUserPassword2 AssertDescription: Database master user passwords do not match. IgnitionRootPasswordRule: Assertions: - Assert: Fn::Equals: - Ref: IgnitionRootPassword - Ref: IgnitionRootPassword2 AssertDescription: Ignition root user passwords do not match. Conditions: EnableClientVPNAccess: !Equals - !Ref EnableClientVPN - "true" UseDatabaseEncryption: !Equals - !Ref DBAllocatedStorageEncrypted - "true" UsingDefaultBucket: !Equals [!Ref QSS3BucketName, 'aws-quickstart'] Resources: ServerCertificateARN: Type: AWS::SSM::Parameter Condition: EnableClientVPNAccess Properties: Name: !Sub /${AWS::StackName}/clientvpncerts/serverarn Description: Parameter to hold the server certificate ARN Type: String Value: '-' ClientCertificateARN: Type: AWS::SSM::Parameter Condition: EnableClientVPNAccess Properties: Name: !Sub /${AWS::StackName}/clientvpncerts/clientarn Description: Parameter to hold the client certificate ARN Type: String Value: '-' CACert: Type: AWS::SSM::Parameter Condition: EnableClientVPNAccess Properties: Name: !Sub /${AWS::StackName}/clientvpncerts/cacert Description: Parameter to hold the generated CA certificate Type: String Value: '-' ClientKey: Type: AWS::SSM::Parameter Condition: EnableClientVPNAccess Properties: Name: !Sub /${AWS::StackName}/clientvpncerts/clientkey Description: Parameter to hold the generated client key Type: String Value: '-' ClientCert: Type: AWS::SSM::Parameter Condition: EnableClientVPNAccess Properties: Name: !Sub /${AWS::StackName}/clientvpncerts/clientcert Description: Parameter to hold the generated client certificate Type: String Value: '-' VPCStack: Type: 'AWS::CloudFormation::Stack' Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-aws-vpc/templates/aws-vpc.template.yaml' - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: AvailabilityZones: !Join - ',' - !Ref AvailabilityZones NumberOfAZs: '2' PrivateSubnet1ACIDR: 10.0.0.0/19 PrivateSubnet2ACIDR: 10.0.32.0/19 PublicSubnet1CIDR: 10.0.128.0/20 PublicSubnet2CIDR: 10.0.144.0/20 VPCCIDR: 10.0.0.0/16 IgnitionStack: Type: 'AWS::CloudFormation::Stack' DependsOn: VPCStack Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/ignition-cluster.template.yaml' - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: ParentStackName: !Ref 'AWS::StackName' KeyPairName: !Ref KeyPairName VPCID: !GetAtt - VPCStack - Outputs.VPCID PrivateSubnet1ID: Fn::GetAtt: - VPCStack - Outputs.PrivateSubnet1AID PrivateSubnet2ID: Fn::GetAtt: - VPCStack - Outputs.PrivateSubnet2AID PublicSubnet1ID: Fn::GetAtt: - VPCStack - Outputs.PublicSubnet1ID PublicSubnet2ID: Fn::GetAtt: - VPCStack - Outputs.PublicSubnet2ID VPCCIDR: !GetAtt - VPCStack - Outputs.VPCCIDR WebAccessCIDR: !Ref WebAccessCIDR BackendPrimaryPrivateIPAddress: 10.0.0.10 BackendBackupPrivateIPAddress: 10.0.32.10 Frontend1PrivateIPAddress: 10.0.0.11 Frontend2PrivateIPAddress: 10.0.32.11 GenerateClientVPNCerts: !Ref EnableClientVPN DBName: !Ref DBName DBAutoMinorVersionUpgrade: !Ref DBAutoMinorVersionUpgrade DBAllocatedStorageEncrypted: !Ref DBAllocatedStorageEncrypted DBExportLogToCloudwatch: !Ref DBExportLogToCloudwatch DBBackupRetentionPeriod: !Ref DBBackupRetentionPeriod DBEngineVersion: !Ref DBEngineVersion DBInstanceClass: !Ref DBInstanceClass DBMasterUsername: !Ref DBMasterUsername DBMasterUserPassword: !Ref DBMasterUserPassword DBMasterUserPassword2: !Ref DBMasterUserPassword2 DBPort: !Ref DBPort DBMultiAZ: !Ref DBMultiAZ EnableEventSubscription: !Ref EnableEventSubscription NotificationList: !Ref NotificationList QSS3BucketName: !Ref QSS3BucketName QSS3BucketRegion: !Ref QSS3BucketRegion QSS3KeyPrefix: !Ref QSS3KeyPrefix LicenseAgreement: !Ref LicenseAgreement IgnitionDomainName: !Ref IgnitionDomainName IgnitionInstanceType: !Ref IgnitionInstanceType IgnitionRootUsername: !Ref IgnitionRootUsername IgnitionRootPassword: !Ref IgnitionRootPassword IgnitionRootPassword2: !Ref IgnitionRootPassword2 ClientVPNStack: Condition: EnableClientVPNAccess DependsOn: IgnitionStack Type: 'AWS::CloudFormation::Stack' Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/ignition-vpn.template.yaml' - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: VPCID: !GetAtt - VPCStack - Outputs.VPCID VPCCIDR: !GetAtt - VPCStack - Outputs.VPCCIDR PrivateSubnet1ID: !GetAtt - VPCStack - Outputs.PrivateSubnet1AID PrivateSubnet2ID: !GetAtt - VPCStack - Outputs.PrivateSubnet2AID ClientSubnetCIDR: 10.192.0.0/22 ServerCertificateARN: !GetAtt ServerCertificateARN.Value ClientCertificateARN: !GetAtt ClientCertificateARN.Value Outputs: DBName: Description: Amazon Aurora database name. Value: !Ref DBName DBMasterUsername: Description: "Amazon Aurora database administrator username." Value: !GetAtt IgnitionStack.Outputs.DBMasterUsername RDSEndPointAddress: Description: "Amazon Aurora write endpoint." Value: !GetAtt IgnitionStack.Outputs.RDSEndPointAddress RDSReadEndPointAddress: Description: "Amazon Aurora read endpoint." Value: !GetAtt IgnitionStack.Outputs.RDSReadEndPointAddress RDSEndPointPort: Description: "Amazon Aurora port." Value: !GetAtt IgnitionStack.Outputs.RDSEndPointPort RDSEndPoints: Description: "Full Amazon Aurora write endpoint." Value: !GetAtt IgnitionStack.Outputs.RDSEndPoints RDSEncryptionKey: Condition: UseDatabaseEncryption Description: Alias of the encryption key created for Amazon RDS. Value: !GetAtt IgnitionStack.Outputs.RDSEncryptionKey IgnitionBackendPrimaryPrivateDnsName: Description: Private DNS name for the Ignition EC2 instance. Value: !GetAtt IgnitionStack.Outputs.IgnitionBackendPrimaryPrivateDnsName IgnitionBackendPrimaryPrivateIP: Description: Private IP address for the Ignition EC2 instance. Value: !GetAtt IgnitionStack.Outputs.IgnitionBackendPrimaryPrivateIP IgnitionBackendBackupPrivateDnsName: Description: Private DNS name for the Ignition EC2 instance. Value: !GetAtt IgnitionStack.Outputs.IgnitionBackendBackupPrivateDnsName IgnitionBackendBackupPrivateIP: Description: Private IP address for the Ignition EC2 instance. Value: !GetAtt IgnitionStack.Outputs.IgnitionBackendBackupPrivateIP IgnitionFrontend1PrivateDnsName: Description: Private DNS name for the Ignition EC2 instance. Value: !GetAtt IgnitionStack.Outputs.IgnitionFrontend1PrivateDnsName IgnitionFrontend1PrivateIP: Description: Private IP address for the Ignition EC2 instance. Value: !GetAtt IgnitionStack.Outputs.IgnitionFrontend1PrivateIP IgnitionFrontend2PrivateDnsName: Description: Private DNS name for the Ignition EC2 instance. Value: !GetAtt IgnitionStack.Outputs.IgnitionFrontend2PrivateDnsName IgnitionFrontend2PrivateIP: Description: Private IP address for the Ignition EC2 instance. Value: !GetAtt IgnitionStack.Outputs.IgnitionFrontend2PrivateIP IgnitionDomainName: Description: Ignition domain name. Value: !GetAtt IgnitionStack.Outputs.IgnitionDomainName IgnitionLoadBalancerARecord: Description: Load balancer A record. Value: !GetAtt IgnitionStack.Outputs.IgnitionLoadBalancerARecord