AWSTemplateFormatVersion: "2010-09-09" Description: "JFrog Artifactory Quick Start Deployment (qs-1qpmmjh61)" Metadata: cfn-lint: config: ignore_checks: - W9002 - W9003 - W9004 - W9006 Parameters: VpcId: Type: AWS::EC2::VPC::Id VpcCidr: Description: CIDR block for the VPC AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.0.0/16 Type: String PrivateSubnet1Cidr: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.0.0/19 Type: String PrivateSubnet2Cidr: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.32.0/19 Type: String PrivateSubnet3Cidr: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.64.0/19 Type: String SubnetIds: Type: List DatabaseAllocatedStorage: Type: Number MultiAzDatabase: Type: String DatabaseUser: Type: String DatabasePassword: NoEcho: "true" Type: String XrayDatabaseUser: Type: String XrayDatabasePassword: NoEcho: "true" Type: String DatabaseInstance: Type: String DatabaseName: Type: String InstanceType: Default: m4.xlarge Type: String XrayEnabled: Default: "false" Type: String QSS3BucketName: Description: S3 bucket name for the Quick Start assets. This string can include numbers, lowercase letters, and hyphens (-). It cannot start or end with a hyphen (-). AllowedPattern: ^[0-9a-z]+([0-9a-z-]*[0-9a-z])*$ ConstraintDescription: Quick Start bucket name can include numbers, lowercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Default: aws-quickstart Type: String QSS3KeyPrefix: Description: S3 key prefix for the Quick Start assets. Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/). AllowedPattern: ^[0-9a-zA-Z-/]*$ ConstraintDescription: Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/). Default: quickstart-jfrog-artifactory-eks/ Type: String Conditions: UsingDefaultBucket: !Equals [!Ref QSS3BucketName, "aws-quickstart"] CreateXray: !Equals [!Ref XrayEnabled, "true"] Mappings: JavaOptionstoInstance: m4.large: Min: 4 Max: 4 DeploymentSize: xxSmall m4.xlarge: Min: 8 Max: 12 DeploymentSize: xSmall m4.2xlarge: Min: 16 Max: 24 DeploymentSize: Small m4.4xlarge: Min: 32 Max: 48 DeploymentSize: Medium m4.10xlarge: Min: 80 Max: 120 DeploymentSize: Large m4.16xlarge: Min: 128 Max: 192 DeploymentSize: xxLarge m5.large: Min: 4 Max: 4 DeploymentSize: xxSmall m5.xlarge: Min: 8 Max: 12 DeploymentSize: xSmall m5.2xlarge: Min: 16 Max: 24 DeploymentSize: Small m5.4xlarge: Min: 32 Max: 48 DeploymentSize: Medium m5.8xlarge: Min: 64 Max: 96 DeploymentSize: Large m5.12xlarge: Min: 96 Max: 144 DeploymentSize: xLarge m5.16xlarge: Min: 128 Max: 192 DeploymentSize: xxLarge m5.24xlarge: Min: 192 Max: 288 DeploymentSize: xxxLarge m5.metal: Min: 192 Max: 288 DeploymentSize: xxxLarge m5d.large: Min: 4 Max: 4 DeploymentSize: xxSmall m5d.xlarge: Min: 8 Max: 12 DeploymentSize: xSmall m5d.2xlarge: Min: 16 Max: 24 DeploymentSize: Small m5d.4xlarge: Min: 32 Max: 48 DeploymentSize: Medium m5d.8xlarge: Min: 64 Max: 96 DeploymentSize: Large m5d.12xlarge: Min: 96 Max: 144 DeploymentSize: xLarge m5d.16xlarge: Min: 128 Max: 192 DeploymentSize: xxLarge m5d.24xlarge: Min: 192 Max: 288 DeploymentSize: xxxLarge m5d.metal: Min: 192 Max: 288 DeploymentSize: xxxLarge m5a.large: Min: 4 Max: 4 DeploymentSize: xxSmall m5a.xlarge: Min: 8 Max: 12 DeploymentSize: xSmall m5a.2xlarge: Min: 16 Max: 24 DeploymentSize: Small m5a.4xlarge: Min: 32 Max: 48 DeploymentSize: Medium m5a.8xlarge: Min: 64 Max: 96 DeploymentSize: Large m5a.12xlarge: Min: 96 Max: 144 DeploymentSize: xLarge m5a.16xlarge: Min: 128 Max: 192 DeploymentSize: xxLarge m5a.24xlarge: Min: 192 Max: 288 DeploymentSize: xxxLarge m5ad.large: Min: 4 Max: 4 DeploymentSize: xxSmall m5ad.xlarge: Min: 8 Max: 12 DeploymentSize: xSmall m5ad.2xlarge: Min: 16 Max: 24 DeploymentSize: Small m5ad.4xlarge: Min: 32 Max: 48 DeploymentSize: Medium m5ad.12xlarge: Min: 96 Max: 144 DeploymentSize: xLarge m5ad.24xlarge: Min: 192 Max: 288 DeploymentSize: xxxLarge Resources: ArtifactoryDatabaseSubnetGroup: Type: AWS::RDS::DBSubnetGroup Properties: DBSubnetGroupDescription: Private Subnets available to the RDS Instance(s) SubnetIds: !Ref SubnetIds ArtifactoryDatabase: Type: AWS::RDS::DBInstance Properties: AllocatedStorage: !Ref DatabaseAllocatedStorage MultiAZ: !Ref MultiAzDatabase Engine: "Postgres" PubliclyAccessible: false EngineVersion: "11.14" MasterUsername: !Ref DatabaseUser MasterUserPassword: !Ref DatabasePassword DBInstanceClass: !Ref DatabaseInstance DBName: !Ref DatabaseName DBSubnetGroupName: !Ref ArtifactoryDatabaseSubnetGroup VPCSecurityGroups: - !Ref ArtifactoryDatabaseSG ArtifactoryDatabaseSG: Type: AWS::EC2::SecurityGroup Properties: Tags: - Key: Name Value: artifactory-rds-sg GroupDescription: SG for RDS Instance to allow communication from the Bastion and Artifactory servers. VpcId: !Ref VpcId SecurityGroupIngress: - IpProtocol: tcp FromPort: 22 ToPort: 22 CidrIp: !Ref VpcCidr - IpProtocol: tcp FromPort: 5432 ToPort: 5432 CidrIp: !Ref PrivateSubnet1Cidr - IpProtocol: tcp FromPort: 5432 ToPort: 5432 CidrIp: !Ref PrivateSubnet2Cidr - IpProtocol: tcp FromPort: 5432 ToPort: 5432 CidrIp: !Ref PrivateSubnet3Cidr SecurityGroupEgress: - IpProtocol: tcp FromPort: 22 ToPort: 22 CidrIp: 0.0.0.0/0 - IpProtocol: tcp FromPort: 80 ToPort: 80 CidrIp: 0.0.0.0/0 - IpProtocol: tcp FromPort: 443 ToPort: 443 CidrIp: 0.0.0.0/0 XrayLambdaSG: Type: AWS::EC2::SecurityGroup Condition: CreateXray Properties: Tags: - Key: Name Value: xray-lambda-sg GroupDescription: SG for Lambda to connect to RDS VpcId: !Ref VpcId SecurityGroupEgress: - IpProtocol: tcp FromPort: 5432 ToPort: 5432 CidrIp: !Ref PrivateSubnet1Cidr - IpProtocol: tcp FromPort: 5432 ToPort: 5432 CidrIp: !Ref PrivateSubnet2Cidr - IpProtocol: tcp FromPort: 5432 ToPort: 5432 CidrIp: !Ref PrivateSubnet3Cidr - IpProtocol: tcp FromPort: 80 ToPort: 80 CidrIp: 0.0.0.0/0 - IpProtocol: tcp FromPort: 443 ToPort: 443 CidrIp: 0.0.0.0/0 XrayLambdaRole: Type: AWS::IAM::Role Condition: CreateXray Properties: ManagedPolicyArns: - !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole" AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Action: - sts:AssumeRole Effect: Allow Principal: Service: - lambda.amazonaws.com XrayLambda: Type: "AWS::Lambda::Function" Condition: CreateXray Properties: Description: Creates Xray database. Handler: lambda_function.handler Runtime: python3.7 Role: !GetAtt "XrayLambdaRole.Arn" Code: S3Bucket: !If [ UsingDefaultBucket, !Sub "${QSS3BucketName}-${AWS::Region}", !Ref QSS3BucketName, ] S3Key: !Sub "${QSS3KeyPrefix}functions/packages/xray-db/lambda.zip" Timeout: 900 VpcConfig: SecurityGroupIds: - !Ref "XrayLambdaSG" SubnetIds: !Ref SubnetIds XrayDatabase: Type: "Custom::XrayDatabase" Condition: CreateXray Properties: ServiceToken: !GetAtt XrayLambda.Arn MasterDatabaseName: !Ref DatabaseName MasterDatabaseUser: !Ref DatabaseUser MasterDatabaseHost: !GetAtt ArtifactoryDatabase.Endpoint.Address MasterDatabasePassword: !Ref DatabasePassword XrayDatabaseUser: !Ref XrayDatabaseUser XrayDatabasePassword: !Ref XrayDatabasePassword ArtifactoryS3IAMUser: Type: AWS::IAM::User ArtifactoryIamAcessKey: Type: AWS::IAM::AccessKey Properties: UserName: !Ref ArtifactoryS3IAMUser ArtifactoryS3Bucket: Type: AWS::S3::Bucket Properties: AccessControl: Private BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: SSEAlgorithm: AES256 ArtifactoryS3IAMPolicy: Type: AWS::IAM::Policy Metadata: cfn-lint: config: ignore_checks: - EIAMPolicyActionWildcard ignore_reasons: EIAMPolicyActionWildcard: Cant list all the S3 permissions, due to size limits. s3 get*, put*, and list* not currently supported Properties: PolicyName: S3BucketPermissions PolicyDocument: Version: 2012-10-17 Statement: - Sid: S3BucketPermissions Effect: Allow Action: - s3:AbortMultipartUpload - s3:BypassGovernanceRetention - s3:CreateAccessPoint - s3:CreateAccessPointForObjectLambda - s3:CreateBucket - s3:CreateJob - s3:DeleteAccessPoint - s3:DeleteAccessPointForObjectLambda - s3:DeleteAccessPointPolicy - s3:DeleteAccessPointPolicyForObjectLambda - s3:DeleteBucket - s3:DeleteBucketOwnershipControls - s3:DeleteBucketPolicy - s3:DeleteBucketWebsite - s3:DeleteJobTagging - s3:DeleteObject - s3:DeleteObjectTagging - s3:DeleteObjectVersion - s3:DeleteObjectVersionTagging - s3:DeleteStorageLensConfiguration - s3:DeleteStorageLensConfigurationTagging - s3:DescribeJob - s3:Get* - s3:List* - s3:ObjectOwnerOverrideToBucketOwner - s3:Put* - s3:ReplicateDelete - s3:ReplicateObject - s3:ReplicateTags - s3:RestoreObject - s3:UpdateJobPriority - s3:UpdateJobStatus Resource: - Fn::Join: - "" - - !Sub "arn:${AWS::Partition}:s3:::" - !Ref ArtifactoryS3Bucket - Fn::Join: - "" - - !Sub "arn:${AWS::Partition}:s3:::" - !Ref ArtifactoryS3Bucket - "/*" Users: - !Ref ArtifactoryS3IAMUser Outputs: ArtifactoryIamAcessKey: Value: !Ref ArtifactoryIamAcessKey Description: IAM Access key for the S3 Bucket SecretAccessKey: Value: !GetAtt ArtifactoryIamAcessKey.SecretAccessKey Description: Secret Access key for S3 Bucket S3Bucket: Value: !Ref ArtifactoryS3Bucket Description: Actual S3 bucket created for Artifactory DatabaseDriver: Value: "org.postgresql.Driver" DatabasePlugin: Value: "postgresql-42.2.9.jar" DatabasePluginUrl: Value: "https://jdbc.postgresql.org/download/postgresql-42.2.9.jar" DatabaseType: Value: "postgresql" DatabaseHost: Value: !GetAtt ArtifactoryDatabase.Endpoint.Address DatabaseUrl: Value: !Sub - "jdbc:postgresql://${ArtifactoryDatabaseEndpointAddress}:5432/${DatabaseName}" - { ArtifactoryDatabaseEndpointAddress: !GetAtt ArtifactoryDatabase.Endpoint.Address, } XrayDatabaseUrl: Value: !Sub - "postgres://${ArtifactoryDatabaseEndpointAddress}:5432/xraydb?sslmode=disable" - ArtifactoryDatabaseEndpointAddress: !GetAtt ArtifactoryDatabase.Endpoint.Address JavaOpts: Value: !Sub - "-Xms${min}g -Xmx${max}g" - { min: !FindInMap [JavaOptionstoInstance, !Ref InstanceType, Min], max: !FindInMap [JavaOptionstoInstance, !Ref InstanceType, Max], } DeploymentSize: Value: !FindInMap [JavaOptionstoInstance, !Ref InstanceType, DeploymentSize]