--- AWSTemplateFormatVersion: 2010-09-09 Description: Provides nesting for required stacks to deploy a baseline architecure to support Korean ISMS-P compliance. (qs-1r6f0fd9j) Metadata: QuickStartDocumentation: EntrypointName: "Parameters for launching into a new VPC" Order: 1 AWS::CloudFormation::Interface: ParameterGroups: - Label: default: Network configuration Parameters: - AvailabilityZoneA - AvailabilityZoneB - Label: default: ISMS configuration Parameters: - EC2KeyPairBastion - EC2KeyPair - DBUsername - BastionCIDR - EnableGuardDuty - Label: default: AWS Quick Start configuration Parameters: - QSS3BucketName - QSS3BucketRegion - QSS3KeyPrefix ParameterLabels: AvailabilityZoneA: default: The first Availability Zone AvailabilityZoneB: default: The second Availability Zone BastionCIDR: default: CIDR for accessing bastion host QSS3BucketName: default: Quick Start S3 bucket name QSS3BucketRegion: default: Quick Start S3 bucket Region QSS3KeyPrefix: default: Quick Start S3 key prefix EC2KeyPairBastion: default: Key pair name for bastion host EC2KeyPair: default: Key pair name for production instances EnableGuardDuty: default: Enable Amazon GuardDuty DBUsername: default: Database user name CloudWatchLogsGroupName: default: Amazon CloudWatch log group name for AWS CloudTrail Parameters: EC2KeyPairBastion: Description: The SSH key pair in your account to use for the bastion host login. This is one of the keys that you created in the pre-deployment steps. Type: AWS::EC2::KeyPair::KeyName EC2KeyPair: Description: The SSH key pair in your account to use for all other EC2 instance logins. This is one of the keys that you created in the pre-deployment steps. logins Type: AWS::EC2::KeyPair::KeyName BastionCIDR: AllowedPattern: "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$" ConstraintDescription: "CIDR block parameter must be in the form x.x.x.x/x." Description: "Allowed CIDR block for external access (use VPC CIDR)." Type: String Default: 0.0.0.0/0 AvailabilityZoneA: Description: The name of Availability Zone 1. Type: AWS::EC2::AvailabilityZone::Name AvailabilityZoneB: Description: The name of Availability Zone 2. Name must be different from the name of the first Availability Zone. Type: AWS::EC2::AvailabilityZone::Name QSS3BucketName: AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-.]*[0-9a-zA-Z])*$ ConstraintDescription: The Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Default: aws-quickstart Description: Name of the S3 bucket for your copy of the Quick Start assets. Keep the default name unless you are customizing the template. Changing the name updates code references to point to a new Quick Start location. This name can include numbers, lowercase letters, uppercase letters, and hyphens, but do not start or end with a hyphen (-). See https://aws-quickstart.github.io/option1.html. Type: String QSS3BucketRegion: Default: 'us-east-1' Description: 'AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. Keep the default Region unless you are customizing the template. Changing this Region updates code references to point to a new Quick Start location. When using your own bucket, specify the Region. See https://aws-quickstart.github.io/option1.html.' Type: String QSS3KeyPrefix: AllowedPattern: ^[0-9a-zA-Z-/]*$ ConstraintDescription: The Quick Start S3 key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/). Default: quickstart-korea-isms-p/ Description: S3 key prefix that is used to simulate a directory for your copy of the Quick Start assets. Keep the default prefix unless you are customizing the template. Changing this prefix updates code references to point to a new Quick Start location. This prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slashes (/). See https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMetadata.html and https://aws-quickstart.github.io/option1.html. Type: String DBUsername: Default: 'admin' Description: User name for connecting to the database instance. Type: String NotificationList: Type: String Default: 'db-ops@domain.com' Description: The email notification used to configure an SNS topic for sending CloudWatch alarm and RDS event notifications. AllowedPattern: '^(([^<>()\[\]\\.,;:\s@"]+(\.[^<>()\[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$' ConstraintDescription: Provide a valid email address. EnableGuardDuty: Type: String Default: enable AllowedValues: [ enable, disable ] Description: Enable GuardDuty, if it is currently diabled in your account. CloudWatchLogsGroupName: Type: String Default: 'CloudTrail/K-ISMS-Logs' Description: CloudWatch log group name for CloudTrail. LatestAmiId: Type: 'AWS::SSM::Parameter::Value' Default: '/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2' Conditions: UsingDefaultBucket: !Equals [!Ref QSS3BucketName, 'aws-quickstart'] Resources: SecBaselineTemplate: Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/security_baseline.template.yaml - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] TimeoutInMinutes: 20 Parameters: QSS3BucketName: !Ref QSS3BucketName QSS3BucketRegion: !Ref QSS3BucketRegion QSS3KeyPrefix: !Ref QSS3KeyPrefix EnableGuardDuty: !Ref EnableGuardDuty CloudWatchLogsGroupName: !Ref CloudWatchLogsGroupName ProductionVpcTemplate: Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-compliance-common/templates/vpc-production.template - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] TimeoutInMinutes: 20 Parameters: pRegionAZ1Name: !Ref AvailabilityZoneA pRegionAZ2Name: !Ref AvailabilityZoneB pProductionVPCName: Production VPC pBastionSSHCIDR: !Ref BastionCIDR pDMZSubnetACIDR: 10.100.10.0/24 pDMZSubnetBCIDR: 10.100.20.0/24 pManagementCIDR: 10.10.0.0/16 pAppPrivateSubnetACIDR: 10.100.96.0/21 pAppPrivateSubnetBCIDR: 10.100.119.0/21 pDBPrivateSubnetACIDR: 10.100.194.0/21 pDBPrivateSubnetBCIDR: 10.100.212.0/21 QSS3BucketName: !Ref QSS3BucketName QSS3BucketRegion: !Ref QSS3BucketRegion QSS3KeyPrefix: !Sub ${QSS3KeyPrefix}submodules/quickstart-compliance-common/ ManagementVpcTemplate: Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-compliance-common/templates/vpc-management.template - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] TimeoutInMinutes: 20 Parameters: pProductionVPC: !GetAtt - ProductionVpcTemplate - Outputs.rVPCProduction pRouteTableProdPrivate: !GetAtt - ProductionVpcTemplate - Outputs.rRouteTableProdPrivate pRouteTableProdPrivateB: !GetAtt - ProductionVpcTemplate - Outputs.rRouteTableProdPrivateB pRouteTableProdPublic: !GetAtt - ProductionVpcTemplate - Outputs.rRouteTableProdPublic pProductionCIDR: 10.100.0.0/16 pBastionSSHCIDR: !Ref BastionCIDR pManagementCIDR: 10.10.0.0/16 pManagementDMZSubnetACIDR: 10.10.1.0/24 pManagementDMZSubnetBCIDR: 10.10.2.0/24 pManagementPrivateSubnetACIDR: 10.10.20.0/24 pManagementPrivateSubnetBCIDR: 10.10.30.0/24 pManagementVPCName: Management VPC pEC2KeyPairBastion: !Ref EC2KeyPairBastion pEC2KeyPair: !Ref EC2KeyPair pBastionAmi: !Ref LatestAmiId pRegionAZ1Name: !Ref AvailabilityZoneA pRegionAZ2Name: !Ref AvailabilityZoneB pBastionInstanceType: t3.small QSS3BucketName: !Ref QSS3BucketName QSS3BucketRegion: !Ref QSS3BucketRegion QSS3KeyPrefix: !Sub ${QSS3KeyPrefix}submodules/quickstart-compliance-common/ DatabaseTemplate: Type: 'AWS::CloudFormation::Stack' Properties: TemplateURL: !Sub - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-amazon-aurora-mysql/templates/aurora_mysql.template.yaml - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: Subnet1ID: !GetAtt - ProductionVpcTemplate - Outputs.rAppPrivateSubnetA Subnet2ID: !GetAtt - ProductionVpcTemplate - Outputs.rAppPrivateSubnetB VPCID: !GetAtt - ProductionVpcTemplate - Outputs.rVPCProduction DBEngineVersion: 'Aurora-MySQL5.7-2.09.0' DBAccessCIDR: 10.100.0.0/16 DBName: examplewordpress DBMasterUsername: !Ref DBUsername DBMasterUserPassword: "DontUse12**ThisOne" RotateDBPassword: 'true' DBAutoMinorVersionUpgrade: 'true' NotificationList: !Ref NotificationList QSS3BucketName: aws-quickstart QSS3BucketRegion: !Ref QSS3BucketRegion QSS3KeyPrefix: quickstart-amazon-aurora-mysql/ ApplicationTemplate: Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/application-ssl.template.yaml' - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] TimeoutInMinutes: 30 Parameters: AvailabilityZoneA: !Ref AvailabilityZoneA AvailabilityZoneB: !Ref AvailabilityZoneB EC2KeyPair: !Ref EC2KeyPair ProductionCIDR: 10.100.0.0/16 ManagementCIDR: 10.10.0.0/16 ProductionVPC: !GetAtt ProductionVpcTemplate.Outputs.rVPCProduction DMZSubnetA: !GetAtt ProductionVpcTemplate.Outputs.rDMZSubnetA DMZSubnetB: !GetAtt ProductionVpcTemplate.Outputs.rDMZSubnetB AppPrivateSubnetA: !GetAtt ProductionVpcTemplate.Outputs.rAppPrivateSubnetA AppPrivateSubnetB: !GetAtt ProductionVpcTemplate.Outputs.rAppPrivateSubnetB QSS3BucketName: !Ref QSS3BucketName QSS3BucketRegion: !Ref QSS3BucketRegion QSS3KeyPrefix: !Ref QSS3KeyPrefix DBHost: !GetAtt DatabaseTemplate.Outputs.AuroraClusterEndpoint DBName: examplewordpress DBUser: !Ref DBUsername SecretKeyName: !GetAtt DatabaseTemplate.Outputs.AuroraMasterUserSecret Outputs: TemplateType: Value: Standard multi-tier web application TemplateVersion: Value: 1.0 BastionIP: Description: Use this IP via SSH to connect to bastion instance Value: !GetAtt - ManagementVpcTemplate - Outputs.rBastionInstanceIP LandingPageURL: Value: !GetAtt - ApplicationTemplate - Outputs.LandingPageURL WebsiteURL: Value: !GetAtt - ApplicationTemplate - Outputs.WebsiteURL