AWSTemplateFormatVersion: 2010-09-09 Description: >- AWS CloudFormation template for deploying Linux bastion hosts in an auto-scaling group in a new VPC. (qs-1qup6ra9p) Metadata: QuickStartDocumentation: EntrypointName: Launch into a new VPC Order: 1 LICENSE: Apache License, Version 2.0 AWS::CloudFormation::Interface: ParameterGroups: - Label: default: Network configuration Parameters: - AvailabilityZones - VPCCIDR - PrivateSubnet1CIDR - PrivateSubnet2CIDR - PublicSubnet1CIDR - PublicSubnet2CIDR - RemoteAccessCIDR - VPCTenancy - Label: default: IAM configuration Parameters: - RolePath - PermissionsBoundaryArn - Label: default: Amazon EC2 configuration Parameters: - KeyPairName - BastionAMIOS - BastionInstanceType - RootVolumeSize - Label: default: Linux bastion configuration Parameters: - NumBastionHosts - OndemandPercentage - BastionHostName - BastionTenancy - EnableBanner - BastionBanner - EnableTCPForwarding - EnableX11Forwarding - EC2MetadataPutResponseHopLimit - EC2MetadataHttpTokens - Label: default: Alternative configurations Parameters: - AlternativeInitializationScript - OSImageOverride - AlternativeIAMRole - EnvironmentVariables - Label: default: AWS Quick Start configuration Parameters: - QSS3BucketName - QSS3KeyPrefix - QSS3BucketRegion ParameterLabels: AlternativeIAMRole: default: Alternative IAM role AlternativeInitializationScript: default: Alternative initialization script URL AvailabilityZones: default: Availability Zones BastionAMIOS: default: Bastion AMI operating system BastionHostName: default: Bastion host name BastionTenancy: default: Bastion tenancy BastionBanner: default: SSH banner content file URL BastionInstanceType: default: Bastion instance type EnableBanner: default: Bastion banner EnableTCPForwarding: default: TCP forwarding EnableX11Forwarding: default: X11 forwarding EnvironmentVariables: default: Environment variables KeyPairName: default: Key pair name NumBastionHosts: default: Number of bastion hosts OndemandPercentage: default: On-demand percentage OSImageOverride: default: Operating system override PrivateSubnet1CIDR: default: Private subnet 1 CIDR PrivateSubnet2CIDR: default: Private subnet 2 CIDR PublicSubnet1CIDR: default: Public subnet 1 CIDR PublicSubnet2CIDR: default: Public subnet 2 CIDR VPCTenancy: default: VPC tenancy QSS3BucketName: default: Quick Start S3 bucket name QSS3BucketRegion: default: Quick Start S3 bucket Region QSS3KeyPrefix: default: Quick Start S3 key prefix RemoteAccessCIDR: default: Allowed bastion external access CIDR VPCCIDR: default: VPC CIDR RootVolumeSize: default: Root volume size PermissionsBoundaryArn: default: Permissions boundary ARN RolePath: default: Role path EC2MetadataPutResponseHopLimit: default: Amazon EC2 metadata put response hop limit EC2MetadataHttpTokens: default: Amazon EC2 metadata HTTP tokens Parameters: AvailabilityZones: Type: List Description: List of Availability Zones to use for the subnets in the VPC. BastionAMIOS: Type: String Description: The Linux distribution for the AMI to be used for the bastion host instances. AllowedValues: - Amazon-Linux2-HVM - Amazon-Linux2-HVM-ARM - Amazon-Linux2022 - Amazon-Linux2022-ARM - Ubuntu-Server-20.04-LTS-HVM - Ubuntu-Server-22.04-LTS-HVM - Ubuntu-Server-22.04-LTS-HVM-ARM Default: Amazon-Linux2-HVM BastionHostName: Type: String Description: The value used for the name tag of the bastion host. Default: LinuxBastion BastionBanner: Type: String Description: >- Amazon S3 object URL for the text file with the content to display upon SSH login. The bastion host must have permission to download the file from the S3 bucket. AllowedPattern: ^(s3:\/\/[0-9a-z]+([0-9a-z-]*[0-9a-z])*/.+)?$ ConstraintDescription: >- Must be either a valid Amazon S3 object URL (example: s3://bucket/key/file.txt) or empty. Default: '' BastionTenancy: Type: String Description: Bastion VPC tenancy (dedicated or default). AllowedValues: [dedicated, default] Default: default BastionInstanceType: Type: String Description: Amazon EC2 instance type for the bastion instances. Default: t3.micro EnableBanner: Type: String Description: Choose "true" to display a banner when connecting to the bastion using SSH. AllowedValues: ['true', 'false'] Default: 'false' EnableTCPForwarding: Type: String Description: Choose "true" to enable TCP forwarding. AllowedValues: ['true', 'false'] Default: 'false' EnableX11Forwarding: Type: String Description: Choose "true" to enable X11 forwarding. AllowedValues: ['true', 'false'] Default: 'false' KeyPairName: Type: String Description: Name of an existing public/private key pair, which allows you to securely connect to your instance after it launches. If left empty, AWS Systems Manager Session Manager can still be used to connect to the instance. Default: '' NumBastionHosts: Type: String Description: The number of bastion hosts to create. The maximum number is four. AllowedValues: [1, 2, 3, 4] Default: 1 OndemandPercentage: Type: Number Description: >- Percentage of on-demand instances versus spot instances. With the default of 100, the ratio will be 100% on-demand instances and 0% spot instances. Default: 100 PrivateSubnet1CIDR: Type: String Description: CIDR block for private subnet 1, located in Availability Zone 1. AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.0.0/19 PrivateSubnet2CIDR: Type: String Description: CIDR block for private subnet 2, located in Availability Zone 2. AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.32.0/19 PublicSubnet1CIDR: Type: String Description: CIDR block for the public DMZ subnet 1, located in Availability Zone 1. AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.128.0/20 PublicSubnet2CIDR: Type: String Description: CIDR block for the public DMZ subnet 2, located in Availability Zone 2. AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.144.0/20 VPCTenancy: Type: String Description: The allowed tenancy of instances launched into the VPC. AllowedValues: [default, dedicated] Default: default EC2MetadataPutResponseHopLimit: Type: String Description: >- The desired HTTP PUT response hop limit for instance metadata requests. The larger the number, the further instance metadata requests can travel. Default: 2 EC2MetadataHttpTokens: Type: String Description: >- If set to "optional" instances will be able to use their IAM instance profile. If set to "required" amd "EC2MetadataPutResponseHopLimit" is set to 1, instances will not be able to access the IAM role. If set to "required" amd "EC2MetadataPutResponseHopLimit" is set greater than 1 instances must send a signed token header with any instance metadata retrieval requests. AllowedValues: [optional, required] Default: required QSS3BucketName: Type: String Description: Name of the S3 bucket for your copy of the Quick Start assets. Keep the default name unless you are customizing the template. Changing the name updates code references to point to a new Quick Start location. This name can include numbers, lowercase letters, and hyphens, but do not start or end with a hyphen (-). See https://aws-quickstart.github.io/option1.html. MinLength: 3 MaxLength: 63 AllowedPattern: ^[0-9a-z]+([0-9a-z-]*[0-9a-z])*$ ConstraintDescription: The Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Default: aws-quickstart QSS3KeyPrefix: Type: String Description: S3 key prefix that is used to simulate a directory for your copy of the Quick Start assets. Keep the default prefix unless you are customizing the template. Changing this prefix updates code references to point to a new Quick Start location. This prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slashes (/). End with a forward slash. See https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMetadata.html and https://aws-quickstart.github.io/option1.html. AllowedPattern: ^([0-9a-zA-Z-.]+/)*$ ConstraintDescription: The Quick Start S3 key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slashes (/). Default: quickstart-linux-bastion/ QSS3BucketRegion: Type: String Description: >- AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. Keep the default Region unless you are customizing the template. Changing this Region updates code references to point to a new Quick Start location. When using your own bucket, specify the Region. See https://aws-quickstart.github.io/option1.html. Default: us-east-1 RemoteAccessCIDR: Type: String Description: >- Allowed CIDR block or prefix list for external SSH access to the bastions. AllowedPattern: ^disabled-onlyssmaccess$|^pl-([0-9a-f]{8}|[0-9a-f]{17})$|^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ ConstraintDescription: CIDR block parameter must be disabled-onlyssmaccess or in the format "x.x.x.x/x". Default: disabled-onlyssmaccess VPCCIDR: Type: String Description: CIDR block for the VPC. AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the format "x.x.x.x/16-28". Default: 10.0.0.0/16 AlternativeInitializationScript: Type: String Description: >- HTTPS format Amazon S3 object URL for your custom initialization script to run during setup. The bastion host must have permission to download the file from the S3 bucket. AllowedPattern: ^https.*|^$ ConstraintDescription: >- Must be either a valid Amazon S3 object URL (example: https://bucket/key/file.txt) or empty. Default: '' OSImageOverride: Type: String Description: The Region-specific image to use for the instance. Default: '' AlternativeIAMRole: Type: String Description: An existing IAM role name to attach to the bastion. If left blank, a new role will be created. Default: '' EnvironmentVariables: Type: String Description: A comma-separated list of environment variables for use in bootstrapping. Variables must be in the format "key=value". "Value" cannot contain commas. Default: '' RootVolumeSize: Type: Number Description: The size in GB for the root EBS volume. Default: 10 PermissionsBoundaryArn: Type: String Description: Will be attached to all created IAM roles to satisfy security requirements. Default: '' RolePath: Type: String Description: Will be attached to all created IAM roles to satisfy security requirements. Default: '' Conditions: NeedsEip: !Not [!Equals [!Ref RemoteAccessCIDR, disabled-onlyssmaccess]] UsingDefaultBucket: !Equals [!Ref QSS3BucketName, aws-quickstart] Resources: VPCStack: Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-aws-vpc/templates/aws-vpc.template.yaml - S3Bucket: !If [UsingDefaultBucket, !Sub 'aws-quickstart-${AWS::Region}', !Ref QSS3BucketName] S3Region: !If [UsingDefaultBucket, !Ref AWS::Region, !Ref QSS3BucketRegion] Parameters: AvailabilityZones: !Join [',', !Ref AvailabilityZones] NumberOfAZs: 2 PrivateSubnet1ACIDR: !Ref PrivateSubnet1CIDR PrivateSubnet2ACIDR: !Ref PrivateSubnet2CIDR PublicSubnet1CIDR: !Ref PublicSubnet1CIDR PublicSubnet2CIDR: !Ref PublicSubnet2CIDR VPCCIDR: !Ref VPCCIDR VPCTenancy: !Ref VPCTenancy BastionStack: Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/linux-bastion-entrypoint-existing-vpc.template.yaml - S3Bucket: !If [UsingDefaultBucket, !Sub 'aws-quickstart-${AWS::Region}', !Ref QSS3BucketName] S3Region: !If [UsingDefaultBucket, !Ref AWS::Region, !Ref QSS3BucketRegion] Parameters: BastionAMIOS: !Ref BastionAMIOS BastionHostName: !Ref BastionHostName BastionBanner: !Ref BastionBanner BastionInstanceType: !Ref BastionInstanceType BastionTenancy: !Ref BastionTenancy EnableBanner: !Ref EnableBanner EnableTCPForwarding: !Ref EnableTCPForwarding EnableX11Forwarding: !Ref EnableX11Forwarding KeyPairName: !Ref KeyPairName NumBastionHosts: !Ref NumBastionHosts OndemandPercentage: !Ref OndemandPercentage PublicSubnet1ID: !If [NeedsEip, !GetAtt VPCStack.Outputs.PublicSubnet1ID, !GetAtt VPCStack.Outputs.PrivateSubnet1AID] PublicSubnet2ID: !If [NeedsEip, !GetAtt VPCStack.Outputs.PublicSubnet2ID, !GetAtt VPCStack.Outputs.PrivateSubnet2AID] QSS3BucketRegion: !Ref QSS3BucketRegion QSS3BucketName: !Ref QSS3BucketName QSS3KeyPrefix: !Ref QSS3KeyPrefix RemoteAccessCIDR: !Ref RemoteAccessCIDR VPCID: !GetAtt VPCStack.Outputs.VPCID AlternativeInitializationScript: !Ref AlternativeInitializationScript AlternativeIAMRole: !Ref AlternativeIAMRole OSImageOverride: !Ref OSImageOverride EnvironmentVariables: !Ref EnvironmentVariables RootVolumeSize: !Ref RootVolumeSize PermissionsBoundaryArn: !Ref PermissionsBoundaryArn RolePath: !Ref RolePath EC2MetadataPutResponseHopLimit: !Ref EC2MetadataPutResponseHopLimit EC2MetadataHttpTokens: !Ref EC2MetadataHttpTokens Outputs: Postdeployment: Description: See the deployment guide for post-deployment steps. Value: https://fwd.aws/YqpXk?