AWSTemplateFormatVersion: "2010-09-09" Description: "JFrog SaaS log collector on AWS Partner Solution in existing VPC (qs-1t6cde8lg)" Metadata: cfn-lint: config: ignore_checks: - E9101 - W9006 ignore_reasons: - E9101: "'master' is part of the product naming conventions for now" QuickStartDocumentation: EntrypointName: "Parameters for launching into an existing VPC" Order: "1" AWS::CloudFormation::Interface: ParameterGroups: - Label: default: Security configuration Parameters: - KeyPairName - RemoteAccessCidr - Label: default: Network configuration Parameters: - VpcId - VpcCidr - PublicSubnetId - PrivateSubnetId # - PrivateSubnetCidr - Label: default: Bastion configuration Parameters: - ProvisionBastionHost - BastionInstanceType - BastionOs - BastionRootVolumeSize - BastionEnableTcpForwarding - NumBastionHosts - BastionEnableX11Forwarding - Label: default: Amazon EC2 configuration Parameters: - VolumeSize - InstanceType - Label: default: Jfrog SaaS instance configuration Parameters: - JpdUrl - JpdUserName - JpdAdminTokenSecretName - Label: default: Splunk configuration Parameters: # - SplunkEnabled - SplunkHECHost - SplunkHECPort - SplunkHECTokenSecretName - SplunkHECSSLInsecure - Label: default: AWS Partner Solution configuration (INTERNAL SETTINGS. DO NOT MODIFY.) Parameters: - QsS3BucketName - QsS3KeyPrefix - QsS3BucketRegion ParameterLabels: KeyPairName: default: SSH key name VpcId: default: VPC ID VpcCidr: default: VPC CIDR PublicSubnetId: default: Public subnet ID PrivateSubnetId: default: Private subnet ID # PrivateSubnetCidr: # default: Private subnet CIDR RemoteAccessCidr: default: Remote access CIDR ProvisionBastionHost: default: Bastion instance BastionInstanceType: default: Bastion instance type BastionRootVolumeSize: default: Bastion root volume size BastionEnableTcpForwarding: default: Bastion enable TCP forwarding BastionEnableX11Forwarding: default: Bastion enable X11 forwarding BastionOs: default: Bastion operating system NumBastionHosts: default: Number of bastion instances VolumeSize: default: EBS root volume size InstanceType: default: EC2 instance type JpdUrl: default: JFrog SaaS instance URL JpdUserName: default: JFrog admin user name JpdAdminTokenSecretName: default: JFrog admin token for AWS Secrets Manager # SplunkEnabled: # default: Is Splunk Enabled SplunkHECHost: default: Splunk HEC host name SplunkHECPort: default: Splunk HEC port SplunkHECTokenSecretName: default: Splunk HEC token for AWS Secrets Manager SplunkHECSSLInsecure: default: Splunk HEC SSL insecure connection QsS3BucketName: default: Partner Solution S3 bucket name (Do not modify) QsS3KeyPrefix: default: Partner Solution S3 key prefix (Do not modify) QsS3BucketRegion: default: Partner Solution S3 bucket Region (Do not modify) Parameters: KeyPairName: Description: Name of the key pair you created in your preferred Region. Key pairs allow you to connect securely to your instance after it launches. Type: AWS::EC2::KeyPair::KeyName VpcId: Description: ID of your existing VPC (e.g., vpc-0343606e). Type: "AWS::EC2::VPC::Id" VpcCidr: Description: CIDR block for the VPC. AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. Default: 10.0.0.0/16 Type: String PublicSubnetId: Description: ID of the public subnet of your existing VPC (e.g., subnet-z0376dab). Type: "AWS::EC2::Subnet::Id" PrivateSubnetId: Description: ID of the private subnet of your existing VPC (e.g., subnet-a0246dcd). Type: "AWS::EC2::Subnet::Id" # PrivateSubnetCidr: # Description: CIDR of the private subnet of your existing VPC (e.g., 10.0.0.0/19). # AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ # ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 # Default: 10.0.0.0/19 # Type: String RemoteAccessCidr: Description: Remote CIDR range that allows you to connect to the bastion instance by using SSH. Set this value to a trusted IP range. For example, you might want to grant specific ranges inside your corporate network SSH access. AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/x. Type: String ProvisionBastionHost: Description: Choose Disabled to skip creating a bastion instance. However, due to the Artifactory nodes being created in private subnets, the default setting of Enabled is recommended. AllowedValues: - "Enabled" - "Disabled" Default: "Enabled" Type: String BastionInstanceType: Description: Size of the bastion instances. AllowedValues: - t3.nano - t3.micro - t3.small - t3.medium - t3.large - m5.large - m5.xlarge - m5.2xlarge - m5.4xlarge Default: "t3.micro" Type: String BastionRootVolumeSize: Description: Size of the root volume on the bastion instances. Default: 10 Type: Number BastionEnableTcpForwarding: Description: Choose whether to enable TCPForwarding via the bootstrapping of the bastion instance. AllowedValues: - "true" - "false" Default: "true" Type: String BastionEnableX11Forwarding: Description: Choose true to enable X11 via the bootstrapping of the bastion host. Setting this value to true will enable X Windows over SSH. X11 forwarding can be useful, but it is also a security risk, so keeping the default setting of false is recommended. AllowedValues: - "true" - "false" Default: "false" Type: String BastionOs: Description: Linux distribution for the Amazon Machine Image (AMI) used for the bastion instances. AllowedValues: - "Amazon-Linux2-HVM" - "CentOS-7-HVM" - "Ubuntu-Server-20.04-LTS-HVM" - "SUSE-SLES-15-HVM" Default: "Amazon-Linux2-HVM" Type: String NumBastionHosts: Description: Number of bastion instances to create. AllowedValues: - "1" - "2" - "3" - "4" Default: "1" Type: String VolumeSize: Description: Size in gigabytes of the available storage (minimum 10GB). The Parter Solution creates Amazon Elastic Block Store (Amazon EBS) volumes of this size. Default: 50 Type: Number InstanceType: Description: EC2 type for the JFrog SaaS log instances. AllowedValues: - m5.large - m5.xlarge - m5.2xlarge - m5.4xlarge - m5.8xlarge - m5.12xlarge - m5.16xlarge - m5.24xlarge - m5.metal - m5d.large - m5d.xlarge - m5d.2xlarge - m5d.4xlarge - m5d.8xlarge - m5d.12xlarge - m5d.16xlarge - m5d.24xlarge - m5d.metal - m5a.large - m5a.xlarge - m5a.2xlarge - m5a.4xlarge - m5a.8xlarge - m5a.12xlarge - m5a.16xlarge - m5a.24xlarge - m6g.xlarge ConstraintDescription: Must contain valid instance type. Default: m5.xlarge Type: String JpdUrl: Description: JFrog SaaS instance URL. Type: String JpdUserName: Description: JFrog admin user name. Default: admin Type: String JpdAdminTokenSecretName: Description: JFrog admin token for AWS Secrets Manager. Type: String # SplunkEnabled: # Description: Is Splunk Enabled # AllowedValues: # - "true" # - "false" # Default: "true" # Type: String SplunkHECHost: Description: Splunk HEC host name. Type: String SplunkHECPort: Description: Splunk HEC port. Type: String SplunkHECTokenSecretName: Description: Splunk HEC token for AWS Secrets Manager. Type: String SplunkHECSSLInsecure: Description: Splunk HEC SSL insecure connection. AllowedValues: - "true" - "false" Default: "false" Type: String QsS3BucketName: Description: Name of the S3 bucket for your copy of the deployment assets. Keep the default name unless you are customizing the template. Changing the name updates code references to point to a new location. AllowedPattern: ^[0-9a-z]+([0-9a-z-]*[0-9a-z])*$ ConstraintDescription: The S3 bucket name can include numbers, lowercase letters, and hyphens (-), but it cannot start or end with a hyphen. Default: aws-quickstart Type: String QsS3KeyPrefix: Description: S3 key prefix that is used to simulate a folder for your copy of the deployment assets. Keep the default prefix unless you are customizing the template. Changing the prefix updates code references to point to a new location. Type: String AllowedPattern: ^[0-9a-zA-Z-/]*$ ConstraintDescription: The S3 key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), underscores (_), periods (.), asterisks (*), single quotes ('), open parenthesis ((), close parenthesis ()), and forward slashes (/). End the prefix with a forward slash. Default: quickstart-jfrog-artifactory/ QsS3BucketRegion: Default: "us-east-1" Description: AWS Region where the S3 bucket (QSS3BucketName) is hosted. Keep the default Region unless you are customizing the template. Changing the Region updates code references to point to a new location. When using your own bucket, specify the Region. Type: String Conditions: EnableBastion: !Equals [!Ref "ProvisionBastionHost", "Enabled"] UsingDefaultBucket: !Equals [!Ref QsS3BucketName, "aws-quickstart"] Resources: BastionRole: Condition: EnableBastion Type: "AWS::IAM::Role" Metadata: cfn-lint: config: ignore_checks: - EIAMPolicyWildcardResource ignore_reasons: EIAMPolicyWildcardResource: EC2 ec2:Describe* , ec2:AssociateAddress API actions do not support resource-level permission Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: ec2.amazonaws.com Action: sts:AssumeRole Policies: - PolicyName: QSBucketAccess PolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Action: s3:GetObject Resource: !Sub "arn:${AWS::Partition}:s3:::${QsS3BucketName}/*" - Effect: Allow Action: - logs:CreateLogStream - logs:GetLogEvents - logs:PutLogEvents - logs:DescribeLogGroups - logs:DescribeLogStreams - logs:PutRetentionPolicy - logs:PutMetricFilter - logs:CreateLogGroup Resource: !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:*:*" - Effect: Allow Action: - ec2:AssociateAddress - ec2:DescribeAddresses Resource: "*" BastionStack: Condition: EnableBastion Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QsS3KeyPrefix}submodules/quickstart-linux-bastion/templates/linux-bastion.template - S3Bucket: !If [ UsingDefaultBucket, !Sub "${QsS3BucketName}-${AWS::Region}", !Ref "QsS3BucketName", ] S3Region: !If [ UsingDefaultBucket, !Ref "AWS::Region", !Ref "QsS3BucketRegion", ] Parameters: VPCID: !Ref VpcId PublicSubnet1ID: !Ref PublicSubnetId PublicSubnet2ID: !Ref PublicSubnetId KeyPairName: !Ref KeyPairName QSS3BucketName: !Ref QsS3BucketName QSS3KeyPrefix: !Sub "${QsS3KeyPrefix}submodules/quickstart-linux-bastion/" QSS3BucketRegion: !Ref QsS3BucketRegion RemoteAccessCIDR: !Ref RemoteAccessCidr BastionInstanceType: !Ref BastionInstanceType RootVolumeSize: !Ref BastionRootVolumeSize BastionAMIOS: !Ref BastionOs EnableTCPForwarding: !Ref BastionEnableTcpForwarding EnableX11Forwarding: !Ref BastionEnableX11Forwarding AlternativeIAMRole: !Ref BastionRole NumBastionHosts: !Ref NumBastionHosts JfrogSaasLogCollectorStack: Condition: EnableBastion Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QsS3KeyPrefix}templates/jfrog-saas-log-collector-ec2-instance.template.yaml - S3Bucket: !If [ UsingDefaultBucket, !Sub "${QsS3BucketName}-${AWS::Region}", !Ref "QsS3BucketName", ] S3Region: !If [ UsingDefaultBucket, !Ref "AWS::Region", !Ref "QsS3BucketRegion", ] Parameters: KeyPairName: !Ref KeyPairName VpcId: !Ref VpcId VpcCidr: !Ref VpcCidr PrivateSubnetId: !Ref PrivateSubnetId # PublicSubnetId: !Ref PublicSubnetId # RemoteAccessCidr: !Ref RemoteAccessCidr VolumeSize: !Ref VolumeSize InstanceType: !Ref InstanceType JpdUrl: !Ref JpdUrl JpdUserName: !Ref JpdUserName JpdAdminTokenSecretName: !Ref JpdAdminTokenSecretName SplunkHECHost: !Ref SplunkHECHost SplunkHECPort: !Ref SplunkHECPort SplunkHECTokenSecretName: !Ref SplunkHECTokenSecretName SplunkHECSSLInsecure: !Ref SplunkHECSSLInsecure QsS3Uri: !Sub - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QsS3KeyPrefix} - S3Bucket: !If - UsingDefaultBucket - !Sub "aws-quickstart-${AWS::Region}" - !Ref "QsS3BucketName" S3Region: !If - UsingDefaultBucket - !Ref "AWS::Region" - !Ref "QsS3BucketRegion" QsS3BucketName: !Ref QsS3BucketName QsS3KeyPrefix: !Ref QsS3KeyPrefix Outputs: BastionIp: Value: !If - EnableBastion - !GetAtt BastionStack.Outputs.EIP1 - ""