# © Copyright 2018 Micro Focus or one of its affiliates
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
AWSTemplateFormatVersion: 2010-09-09
Description: >-
  "This template deploys a single Micro Focus Enterprise Server instance as
  defined in the Micro Focus Enterprise Server Reference Architecture.
  **WARNING** This template creates EC2 instances and related resources. You
  will be billed for the AWS resources used if you create a stack from this
  template. License: Apache 2.0 (Please do not remove) Sept,05,2018. Micro
  Focus Enterprise Server is licensed separately, please review the terms and
  conditions here (https://www.microfocus.com/about/legal/) for further
  details. (qs-1p6hinfje)"
Metadata:
  cfn-lint:
    config:
      ignore_checks:
        - E9101
        - W9004
        - W4002
  'AWS::CloudFormation::Interface':
    ParameterGroups:
      - Label:
          default: Software License Agreement
        Parameters:
          - LicenseAgreement
          - ESLicenseFilename
      - Label:
          default: Network Configuration
        Parameters:
          - AvailabilityZones
          - SubnetID
      - Label:
          default: Microsoft Active Directory Configuration
        Parameters:
          - DomainDNSName
          - DomainNetBIOSName
          - DomainMemberSGID
          - DomainAdminPassword
      - Label:
          default: Enterprise Server Configuration
        Parameters:
          - ESInstanceType
          - KeyPairName
          - RegionsPerInstance
          - AdditionalESStorageinGiB
          - MFDSServiceAccountName
          - MFDSServiceAccountPassword
          - ESInstanceName
          - ESClientAccessSGID
          - ESS3BucketName
          - ESS3BucketRegion
          - EMailNotificationTopic
          - ESCWLogGroup
      - Label:
          default: PAC Configuration
        Parameters:
          - PACDBMasterUserPassword
      - Label:
          default: Database Configuration
        Parameters:
          - ESDatabaseEndpointAddress
      - Label:
          default: Enterprise Server Demo Apps Configuration
        Parameters:
          - InstallFSDemoApp
          - InstallSQLDemoApp
          - InstallPACDemoApp
      - Label:
          default: AWS Quick Start Configuration
        Parameters:
          - QSS3BucketName
          - QSS3BucketRegion
          - QSS3KeyPrefix
    ParameterLabels:
      AdditionalESStorageinGiB:
        default: Additional Enterprise Server instance storage
      AvailabilityZones:
        default: Availability Zones
      DomainAdminPassword:
        default: Domain Admin account password
      DomainDNSName:
        default: Domain DNS name
      DomainNetBIOSName:
        default: Domain NetBIOS name
      DomainMemberSGID:
        default: Domain member Security Group ID
      EMailNotificationTopic:
        default: EMail Notification Topic
      ESClientAccessSGID:
        default: Enterprise Server Application (Client) Access Security Group ID
      ESCWLogGroup:
        default: Amazon CloudWatch Log Group
      ESDatabaseEndpointAddress:
        default: Enterprise Server Database Endpoint Address
      ESInstanceName:
        default: Name of the Enterprise Server EC2 instance
      ESInstanceType:
        default: Enterprise Server instance type
      ESLicenseFilename:
        default: Enterprise Server license filename
      ESS3BucketName:
        default: Enterprise Server S3 bucket name
      ESS3BucketRegion:
        default: Enterprise Server S3 bucket region
      InstallFSDemoApp:
        default: Install Fileshare Demo App
      InstallSQLDemoApp:
        default: Install SQLServer Demo App
      InstallPACDemoApp:
        default: Install PAC Demo App
      KeyPairName:
        default: Key pair name
      LicenseAgreement:
        default: License agreement
      MFDSServiceAccountName:
        default: Micro Focus Directory Server service domain account name
      MFDSServiceAccountPassword:
        default: Micro Focus Directory Server service account password
      PACDBMasterUserPassword:
        default: Database Master password
      SubnetID:
        default: Subnet ID
      QSS3BucketName:
        default: Quick Start S3 bucket name
      QSS3BucketRegion:
        default: Quick Start S3 bucket region
      QSS3KeyPrefix:
        default: Quick Start S3 key prefix
      RegionsPerInstance:
        default: Number of Enterprise Server regions per instance
Parameters:
  AdditionalESStorageinGiB:
    Type: Number
    Description: >-
      Additional EBS storage capacity in gibibytes (GiBs) added to each
      Enterprise Server instance. Enter 0-16384 GiB.
    MinValue: 0
    MaxValue: 16384
    Default: 100
  AvailabilityZones:
    Description: >-
      List of Availability Zones to use for the subnets in the VPC. Only two
      Availability Zones are used for this deployment, and the logical order of
      your selections is preserved.
    Type: 'List<AWS::EC2::AvailabilityZone::Name>'
  DomainAdminPassword:
    AllowedPattern: >-
      (?=^.{6,255}$)((?=.*\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*
    Description: >-
      The password for the domain Admin account. Must be at least 8 characters
      containing letters, numbers, and symbols.
    MaxLength: '32'
    MinLength: '8'
    NoEcho: true
    Type: String
  DomainDNSName:
    AllowedPattern: '[a-zA-Z0-9\-]+\..+'
    Default: example.com
    Description: >-
      The fully qualified domain name (FQDN), e.g., example.com. Must be 2-255
      characters.
    MaxLength: '255'
    MinLength: '2'
    Type: String
  DomainMemberSGID:
    Description: >-
      The ID of the Domain Member Security Group (e.g., sg-7f16e910).
    Type: 'AWS::EC2::SecurityGroup::Id'
  DomainNetBIOSName:
    AllowedPattern: '[a-zA-Z0-9\-]+'
    Default: example
    Description: >-
      The NetBIOS name of the domain (up to 15 characters) for users of earlier
      versions of Microsoft Windows, e.g., example.
    MaxLength: '15'
    Type: String
  EMailNotificationTopic:
    Type: String
    Default: ''
  ESClientAccessSGID:
    Type: 'AWS::EC2::SecurityGroup::Id'
    Description: >-
      Security Group ID for application ingress into the Enterprise Server
      instance (e.g., sg-1234abcd).
  ESCWLogGroup:
    Type: String
    Description: The logical ID of the Amazon CloudWatch Logs Log Group
  ESDatabaseEndpointAddress:
    Type: String
    Description: The connection endpoint for the database
    Default: ''
  ESInstanceName:
    Type: String
    Description: The name to assign to the Enterprise Server instance Windows Hostname
  ESInstanceType:
    AllowedValues:
      - c5.large
      - c5.xlarge
      - c5.2xlarge
      - c5.4xlarge
    Description: The type of Enterprise Server instance.
    Default: c5.large
    Type: String
  ESLicenseFilename:
    Description: >-
      Place the license file obtained from Micro Focus in the S3 bucket folder:
      s3://<ESS3BucketName>/license/
    Type: String
  ESS3BucketName:
    AllowedPattern: '^[a-z0-9][a-z0-9-.]*$'
    Description: >-
      The name of the existing S3 bucket used to store/retrieve objects
      specific to this stack. A system integrator extending this Quick Start
      should use this bucket to store or retrieve items needed. This string can
      include numbers, lowercase letters, uppercase letters, and hyphens (-). It
      cannot start or end with a hyphen (-).
    Type: String
  ESS3BucketRegion:
    Default: 'us-east-1'
    Description: 'The AWS Region where the Enterprise Server S3 bucket (ESS3BucketName) is hosted. When using your own bucket, you must specify this value.'
    Type: String
  InstallFSDemoApp:
    Type: String
    AllowedValues:
      - true
      - false
    Default: true
    Description: >-
      Choose 'false' if you don't want to install the Enterprise Server
      Fileshare demo app. Requires selection of the
      'Create-Remote-Fileshare-Server' Fileshare type.
  InstallSQLDemoApp:
    AllowedValues:
      - true
      - false
    Default: true
    Description: >-
      Choose 'false' if you don't want to install the Enterprise Server
      SQLServer demo app. Requires selection of the 'Create-RDS-Remote-Database'
      Database type.
    Type: String
  InstallPACDemoApp:
    Type: String
    AllowedValues:
      - true
      - false
    Default: true
    Description: >-
      Choose 'false' if you don't want to install the Enterprise Server PAC demo
      app.
  KeyPairName:
    Description: >-
      The name of an existing EC2 key pair. All instances will launch with this
      key pair.
    Type: 'AWS::EC2::KeyPair::KeyName'
  LicenseAgreement:
    Description: >-
      I have read and agree to the license terms for Micro Focus Enterprise
      Server
      (https://www.microfocus.com/documentation/enterprise-developer/ed-latest/ES-WIN/GUID-0562B3C9-2271-4CE8-AF64-93DE4940077F.html).
    Type: String
    Default: '-'
    AllowedValues:
      - I agree
      - '-'
    ConstraintDescription: must answer 'I agree'.
  MFDSServiceAccountName:
    Type: String
    AllowedPattern: '[a-zA-Z0-9]*'
    Default: 'MFDSServiceAccount'
    Description: >-
      The existing domain account name under which the service will run. If
      left as default, a domain account 'MFDSServiceAccount' is created. The
      name must be 5-25 characters.
    MaxLength: '25'
    MinLength: '5'
  MFDSServiceAccountPassword:
    Type: String
    AllowedPattern: >-
      (?=^.{6,255}$)((?=.*\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*
    Description: >-
      Enter a password for MFDSServiceAccount. Must be at least 8 characters
      containing letters, numbers, and symbols.
    MaxLength: '32'
    MinLength: '8'
    NoEcho: true
  PACDBMasterUserPassword:
    AllowedPattern: >-
      ^((?![\/"@])[^\x00-\x1F\x80-\x9F]){8,}$
    ConstraintDescription: >-
      Must be at least eight characters long, as in "mypassword". Can be any
      printable ASCII character except "/", """, or "@".
    Description: >-
      The password for the DB master user. Must be at least eight characters
      long, as in "mypassword". Can be any printable ASCII character except "/",
      """, or "@".
    Type: String
    NoEcho: true
  SubnetID:
    Description: 'The ID of a private subnet in an Availability Zone (e.g., subnet-a0246dcd).'
    Type: 'AWS::EC2::Subnet::Id'
  QSS3BucketName:
    AllowedPattern: '^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$'
    ConstraintDescription: >-
      Quick Start bucket name can include numbers, lowercase letters, uppercase
      letters, and hyphens (-). It cannot start or end with a hyphen (-).
    Default: aws-quickstart
    Description: >-
      S3 bucket name for the Quick Start assets. Quick Start bucket name can
      include numbers, lowercase letters, uppercase letters, and hyphens (-). It
      cannot start or end with a hyphen (-).
    Type: String
  QSS3BucketRegion:
    Default: 'us-east-1'
    Description: 'The AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. When using your own bucket, you must specify this value.'
    Type: String
  QSS3KeyPrefix:
    AllowedPattern: '^[0-9a-zA-Z-/]*$'
    ConstraintDescription: >-
      Quick Start key prefix can include numbers, lowercase letters, uppercase
      letters, hyphens (-), and forward slash (/).
    Default: quickstart-microfocus-amc-es/
    Description: >-
      S3 key prefix for the Quick Start assets. Quick Start key prefix can
      include numbers, lowercase letters, uppercase letters, hyphens (-), and
      forward slash (/).
    Type: String
  RegionsPerInstance:
    ConstraintDescription: Must be between 1 and 10 regions per instance.
    Description: >-
      The number of regions per Enterprise Server instance. Must be between 1
      and 10 regions per instance.
    Default: 1
    MaxValue: 10
    MinValue: 1
    Type: Number
Rules:
  KeyPairsNotEmpty:
    Assertions:
      - Assert: !Not
          - 'Fn::EachMemberEquals':
              - 'Fn::RefAll': 'AWS::EC2::KeyPair::KeyName'
              - ''
        AssertDescription: All key pair parameters must not be empty.
  LicenseAgreementRule:
    Assertions:
      - Assert:
          'Fn::Contains':
            - - I agree
            - !Ref LicenseAgreement
        AssertDescription: User must agree to the terms of the license agreement.
Mappings:
  AWSAMIRegionMap:
    AMI:
      MFES40AMI: ES_60_PU01
    ap-northeast-1:
      MFES40AMI: ami-0bae6d1d03ad5c38c
    ap-northeast-2:
      MFES40AMI: ami-080a4712b1e7350ed
    ap-south-1:
      MFES40AMI: ami-0f2b2823ac1d8f95d
    ap-southeast-1:
      MFES40AMI: ami-0065e05aaecced65a
    ap-southeast-2:
      MFES40AMI: ami-0de81adc57c6df12a
    ca-central-1:
      MFES40AMI: ami-0c4ea4d6fba07f0ee
    eu-central-1:
      MFES40AMI: ami-08dde1e820f9f5ef9
    eu-north-1:
      MFES40AMI: ami-0e2813f8efc423d3f
    eu-west-1:
      MFES40AMI: ami-0be7439f5e8e1c577
    eu-west-2:
      MFES40AMI: ami-001842da48968696d
    eu-west-3:
      MFES40AMI: ami-0c479b1af672abf62
    sa-east-1:
      MFES40AMI: ami-08d30d58645251f63
    us-east-1:
      MFES40AMI: ami-0f308ab79b6c2d1e8
    us-east-2:
      MFES40AMI: ami-0b0fcb621219073d3
    us-west-1:
      MFES40AMI: ami-01d36394b9ba7bc6b
    us-west-2:
      MFES40AMI: ami-0526b4845e872052b
Conditions:
  UsingDefaultBucket: !Equals [!Ref QSS3BucketName, 'aws-quickstart']
  GovCloudCondition: !Equals
    - !Ref 'AWS::Region'
    - us-gov-west-1
  HaveESlicenseFilename: !Not
    - !Equals
      - !Ref ESLicenseFilename
      - ''
  InstallingFSDemoApp: !Equals
    - !Ref InstallFSDemoApp
    - 'true'
  InstallingSQLDemoApp: !Equals
    - !Ref InstallSQLDemoApp
    - 'true'
  InstallingPACDemoApp: !Equals
    - !Ref InstallPACDemoApp
    - 'true'
  HaveDatabaseEnvironment: !Not
    - !Equals
      - !Ref ESDatabaseEndpointAddress
      - ''
  HaveEMailNotificationTopic: !Not
    - !Equals
      - !Ref EMailNotificationTopic
      - ''
Resources:
  ESInstanceRole:
    Type: 'AWS::IAM::Role'
    Metadata:
      cfn-lint:
        config:
          ignore_checks:
            - EIAMPolicyActionWildcard
          ignore_reasons:
            - EIAMPolicyActionWildcard: "Wildcard action for instance policy allowed by design"
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action:
              - 'sts:AssumeRole'
            Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
      Path: /
      ManagedPolicyArns:
        - !Sub arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore
        - !Sub arn:${AWS::Partition}:iam::aws:policy/AmazonSSMDirectoryServiceAccess
        - !Sub arn:${AWS::Partition}:iam::aws:policy/CloudWatchAgentServerPolicy
      Policies:
        - PolicyDocument:
            Statement:
              - Action:
                  - 's3:GetObject'
                Effect: Allow
                Resource:
                  - !Sub
                    - arn:${AWS::Partition}:s3:::${S3Bucket}
                    - S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
                  - !Sub
                    - arn:${AWS::Partition}:s3:::${S3Bucket}/${QSS3KeyPrefix}*
                    - S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
            Version: 2012-10-17
          PolicyName: aws-quick-start-s3-policy
        - PolicyDocument:
            Statement:
              # Full S3 access is scoped to the stack's own bucket only (see the
              # cfn-lint ignore reason above).
              - Action:
                  - 's3:*'
                Effect: Allow
                Resource:
                  - !Sub 'arn:${AWS::Partition}:s3:::${ESS3BucketName}'
                  - !Sub 'arn:${AWS::Partition}:s3:::${ESS3BucketName}/*'
              - Action:
                  - 'ds:Describe*'
                Effect: Allow
                Resource: '*'
          PolicyName: ESInstancePolicy
        - PolicyDocument:
            Statement:
              - Action:
                  - 'logs:Create*'
                  - 'logs:PutLogEvents'
                Effect: Allow
                Resource:
                  - !Sub 'arn:${AWS::Partition}:logs:*:*:log-group:${ESCWLogGroup}*'
          PolicyName: ESInstanceLogPolicy
  ESInstanceRoleProfile:
    Type: 'AWS::IAM::InstanceProfile'
    Properties:
      Path: /
      Roles:
        - !Ref ESInstanceRole
  LambdaExecutionRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      ManagedPolicyArns:
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
  CalcPrimaryDataVolumeStorageSizeFunction:
    Type: 'AWS::Lambda::Function'
    Properties:
      Handler: index.handler
      Role: !GetAtt LambdaExecutionRole.Arn
      Code:
        ZipFile: |
          var response = require('cfn-response');
          exports.handler = function(event, context) {
            var props = event.ResourceProperties;
            // Data volume size = regions * per-region overhead + additional storage (all in GiB)
            var result = (parseInt(props.RegionsPerInstance) * parseInt(props.RegionStorageOverheadInGiB)) + parseInt(props.AdditionalESStorageinGiB);
            response.send(event, context, response.SUCCESS, {Value: result});
          };
      Runtime: nodejs16.x
  ESPrimaryDataVolumeStorageSize:
    Type: 'Custom::CalcPrimaryDataVolumeStorageSizeFunction'
    Properties:
      ServiceToken: !GetAtt CalcPrimaryDataVolumeStorageSizeFunction.Arn
      RegionsPerInstance: !Ref RegionsPerInstance
      RegionStorageOverheadInGiB: 50
      AdditionalESStorageinGiB: !Ref AdditionalESStorageinGiB
      Value: 0
  ESPrimaryDataVolume:
    Type: 'AWS::EC2::Volume'
    Metadata:
      cfn-lint:
        config:
          ignore_checks:
            - EBSVolumeEncryption
          ignore_reasons:
            - EBSVolumeEncryption: "Ignore invalid check"
    Properties:
      VolumeType: gp2
      Encrypted: true
      Size: !GetAtt ESPrimaryDataVolumeStorageSize.Value
      AvailabilityZone: !Select
        - 0
        - !Ref AvailabilityZones
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-${ESInstanceName} Data Volume'
  ESInstance:
    Type: 'AWS::EC2::Instance'
    CreationPolicy:
      ResourceSignal:
        Count: 1
        Timeout: PT50M
    Metadata:
      'AWS::CloudFormation::Authentication':
        S3AccessCreds:
          type: S3
          roleName: !Ref ESInstanceRole
          buckets:
            - !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
            - !Ref ESS3BucketName
      'AWS::CloudFormation::Init':
        configSets:
          config:
            - 010-InstallTools
            - 020-ConfigureCWLogs
            - 030-InitPowerShell
            - 040-ConfigureEnterpriseServer
            - !If
              - HaveESlicenseFilename
              - 050-ApplyESLicenseFile
              - 000-NoOperation
            - 060-RenameAndJoinDomain
            - !If
              - HaveDatabaseEnvironment
              - 070-Setup-Database-Client-Environment
              - 000-NoOperation
            - !If
              - InstallingPACDemoApp
              - 080-Setup-PAC-Database-Environment
              - 000-NoOperation
            - !If
              - InstallingFSDemoApp
              - 090-InstallBankDemoFS
              - 000-NoOperation
            - !If
              - InstallingSQLDemoApp
              - 100-InstallBankDemoSQL
              - 000-NoOperation
            - !If
              - InstallingPACDemoApp
              - 110-InstallBankDemoPAC
              - 000-NoOperation
            - 120-ChangeMFDSServiceStartName
            - !If
              - InstallingFSDemoApp
              - 130-Start-BNKDMFS
              - 000-NoOperation
            - !If
              - InstallingSQLDemoApp
              - 140-Start-BNKDMSQL
              - 000-NoOperation
            - !If
              - InstallingPACDemoApp
              - 150-Start-BNKDM
              - 000-NoOperation
            - 160-Finalize
        000-NoOperation:
          commands:
            a-no-operation:
              command: echo "No-Operation" > nul
              waitAfterCompletion: '0'
        010-InstallTools:
          files:
            'c:\cfn\assets\AWSCLI64PY3.msi':
              source: 'https://s3.amazonaws.com/aws-cli/AWSCLI64PY3.msi'
            'c:\cfn\assets\GoogleChromeStandaloneEnterprise64.msi':
              source: >-
                https://dl.google.com/edgedl/chrome/install/GoogleChromeStandaloneEnterprise64.msi
          commands:
            a-install-aws-cli:
              command: 'start /wait c:\cfn\assets\AWSCLI64PY3.msi /quiet /passive /qn'
              waitAfterCompletion: '0'
            b-install-chrome:
              command: >-
                start /wait c:\cfn\assets\GoogleChromeStandaloneEnterprise64.msi /quiet /passive
              waitAfterCompletion: '0'
        # cfn-init-cmd.log records every command line cfn-init runs, including the
        # later commands that pass parameter values such as passwords as arguments,
        # so treat the CloudWatch log group as sensitive and restrict who can read it.
        020-ConfigureCWLogs:
          files:
            "C:\\ProgramData\\Amazon\\AmazonCloudWatchAgent\\amazon-cloudwatch-agent.json":
              content: !Sub |
                {
                  "logs": {
                    "logs_collected": {
                      "files": {
                        "collect_list": [
                          {
                            "file_path": "C:\\cfn\\log\\cfn-init.log",
                            "log_group_name": "${ESCWLogGroup}",
                            "log_stream_name": "ES/{instance_id}/cfn-init.log"
                          },
                          {
                            "file_path": "C:\\cfn\\log\\cfn-init-cmd.log",
                            "log_group_name": "${ESCWLogGroup}",
                            "log_stream_name": "ES/{instance_id}/cfn-init-cmd.log"
                          }
                        ]
                      }
                    }
                  }
                }
          commands:
            a-stop-cwagent:
              command: powershell -Command "C:\\'Program Files'\\Amazon\\AmazonCloudWatchAgent\\amazon-cloudwatch-agent-ctl.ps1 -a stop"
              waitAfterCompletion: '30'
            b-start-cwagent:
              command: powershell -Command "C:\\'Program Files'\\Amazon\\AmazonCloudWatchAgent\\amazon-cloudwatch-agent-ctl.ps1 -a fetch-config -m ec2 -c file:C:\\ProgramData\\Amazon\\AmazonCloudWatchAgent\\amazon-cloudwatch-agent.json -s"
              waitAfterCompletion: '30'
        030-InitPowerShell:
          files:
            'C:\cfn\scripts\Unzip-Archive.ps1':
              source: !Sub
                - >-
                  https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-microsoft-utilities/scripts/Unzip-Archive.ps1
                - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion]
                  S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
              authentication: S3AccessCreds
            'C:\cfn\modules\AWSQuickStart.zip':
              source: !Sub
                - >-
                  https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-microsoft-utilities/modules/AWSQuickStart.zip
                - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion]
                  S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
              authentication: S3AccessCreds
            'c:\cfn\cfn-hup.conf':
              content: !Sub |
                [main]
                stack=${AWS::StackName}
                region=${AWS::Region}
            'c:\cfn\hooks.d\cfn-auto-reloader.conf':
              content: !Sub |
                [cfn-auto-reloader-hook]
                triggers=post.update
                path=Resources.ESInstance.Metadata.AWS::CloudFormation::Init
                action=cfn-init.exe -v -c config -s ${AWS::StackId} --resource ESInstance --region ${AWS::Region}
            'c:\cfn\scripts\AddTo-SystemPath.ps1':
              source: !Sub
                - >-
                  https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}scripts/AddTo-SystemPath.ps1
                - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion]
                  S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
              authentication: S3AccessCreds
            'c:\cfn\scripts\Schedule-AD-PowershellTask.ps1':
              source: !Sub
                - >-
                  https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}scripts/Schedule-AD-PowershellTask.ps1
                - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion]
                  S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
              authentication: S3AccessCreds
            'C:\cfn\scripts\Join-Domain.ps1':
              source: !Sub
                - >-
                  https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-microsoft-utilities/scripts/Join-Domain.ps1
                - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion]
                  S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
              authentication: S3AccessCreds
            'C:\cfn\scripts\Rename-Computer.ps1':
              source: !Sub
                - >-
                  https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-microsoft-utilities/scripts/Rename-Computer.ps1
                - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion]
                  S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
              authentication: S3AccessCreds
          services:
            windows:
              cfn-hup:
                enabled: 'true'
                ensureRunning: 'true'
                files:
                  - 'c:\cfn\cfn-hup.conf'
                  - 'c:\cfn\hooks.d\cfn-auto-reloader.conf'
          commands:
            a-set-execution-policy:
              command: powershell.exe -Command "Set-ExecutionPolicy RemoteSigned" -Force
              waitAfterCompletion: '0'
            b-unpack-quickstart-module:
              command: powershell.exe -File C:\cfn\scripts\Unzip-Archive.ps1 -Source C:\cfn\modules\AWSQuickStart.zip -Destination C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
              waitAfterCompletion: '0'
            c-init-quickstart-module:
              command: !Sub powershell.exe -Command New-AWSQuickStartResourceSignal -Stack ${AWS::StackName} -Resource ESInstance -Region ${AWS::Region}
              waitAfterCompletion: '0'
        040-ConfigureEnterpriseServer:
          files:
            'c:\cfn\scripts\StartESRegion.ps1':
              source: !Sub
                - >-
                  https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}scripts/StartESRegion.ps1
                - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion]
                  S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
              authentication: S3AccessCreds
          commands:
            a-update-system-path:
              command: powershell.exe -File c:\cfn\scripts\AddTo-SystemPath.ps1 -PathToAdd "C:\Program Files (x86)\Micro Focus\Enterprise Server\bin"
              waitAfterCompletion: '0'
            # Host firewall rules below are only opened for the demo apps that are
            # actually installed (the 'test' runs the command only when it exits 0).
            b-configure-windows-firewall-es-admin-portal-rule:
              command: powershell.exe -Command New-NetFirewallRule -DisplayName 'Micro Focus Enterprise Server Admin Portal' -LocalPort 86 -Protocol tcp
              waitAfterCompletion: '0'
            c-configure-windows-firewall-fs-demoapp-tn3270-portal-rule:
              test: !Sub >-
                if /I "${InstallFSDemoApp}"=="true" (exit 0) else (exit 1)
              command: powershell.exe -Command New-NetFirewallRule -DisplayName 'FS Demo App TN3270 Ingress' -LocalPort 5555 -Protocol tcp
              waitAfterCompletion: '0'
            d-configure-windows-firewall-sql-demoapp-tn3270-portal-rule:
              test: !Sub >-
                if /I "${InstallSQLDemoApp}"=="true" (exit 0) else (exit 1)
              command: powershell.exe -Command New-NetFirewallRule -DisplayName 'SQLServer Demo App TN3270 Ingress' -LocalPort 5556 -Protocol tcp
              waitAfterCompletion: '0'
            e-configure-windows-firewall-pac-demoapp-tn3270-portal-rule:
              test: !Sub >-
                if /I "${InstallPACDemoApp}"=="true" (exit 0) else (exit 1)
              command: powershell.exe -Command New-NetFirewallRule -DisplayName 'PAC Demo App TN3270 Ingress' -LocalPort 5557 -Protocol tcp
              waitAfterCompletion: '0'
            f-configure-windows-firewall-fs-demoapp-esmac-portal-rule:
              test: !Sub >-
                if /I "${InstallFSDemoApp}"=="true" (exit 0) else (exit 1)
              command: powershell.exe -Command New-NetFirewallRule -DisplayName 'FS esmac Ingress' -LocalPort 5558 -Protocol tcp
              waitAfterCompletion: '0'
            g-configure-windows-firewall-sql-demoapp-esmac-portal-rule:
              test: !Sub >-
                if /I "${InstallSQLDemoApp}"=="true" (exit 0) else (exit 1)
              command: powershell.exe -Command New-NetFirewallRule -DisplayName 'SQLServer esmac Ingress' -LocalPort 5559 -Protocol tcp
              waitAfterCompletion: '0'
            h-configure-windows-firewall-pac-demoapp-esmac-portal-rule:
              test: !Sub >-
                if /I "${InstallPACDemoApp}"=="true" (exit 0) else (exit 1)
              command: powershell.exe -Command New-NetFirewallRule -DisplayName 'PAC esmac Ingress' -LocalPort 5560 -Protocol tcp
              waitAfterCompletion: '0'
            i-configure-windows-firewall-es-admin-portal-rule:
              command: powershell.exe -Command New-NetFirewallRule -DisplayName 'Micro Focus Enterprise Server Admin Portal' -LocalPort 86 -Protocol udp
              waitAfterCompletion: '0'
            j-configure-windows-firewall-es-escwa-portal-rule:
              command: powershell.exe -Command New-NetFirewallRule -DisplayName 'Micro Focus Enterprise Server ESCWA Portal' -LocalPort 10004 -Protocol tcp
              waitAfterCompletion: '0'
        050-ApplyESLicenseFile:
          files:
            'd:\esdir\Enterprise-Server.mflic':
              source: !Sub
                - >-
                  https://${ESS3BucketName}.s3.${S3Region}.${AWS::URLSuffix}/license/${ESLicenseFilename}
                - S3Region: !Ref ESS3BucketRegion
              authentication: S3AccessCreds
            'c:\cfn\scripts\MFDS-Listen-all.ps1':
              source: !Sub
                - >-
                  https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}scripts/MFDS-Listen-all.ps1
                - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion]
                  S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
              authentication: S3AccessCreds
          commands:
            a-install-license:
              cwd: 'C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel RMS License Manager\WinNT\'
              command: start /wait cesadmintool -term install -f d:\esdir\Enterprise-Server.mflic
              waitAfterCompletion: '0'
            b-set-MFDS-listen-all:
              command: powershell.exe -File C:\cfn\scripts\MFDS-Listen-all.ps1
              waitAfterCompletion: '0'
        060-RenameAndJoinDomain:
          commands:
            a-rename-computer:
              command: !Sub powershell.exe -File C:\cfn\scripts\Rename-Computer.ps1 -NewName ${ESInstanceName} -Restart
              waitAfterCompletion: forever
            b-join-domain-and-restart:
              command: !Sub powershell.exe -File C:\cfn\scripts\Join-Domain.ps1 -DomainName ${DomainDNSName} -UserName ${DomainNetBIOSName}\Admin -Password ${DomainAdminPassword}
              waitAfterCompletion: forever
            # Add 'Domain Users' to the local Remote Desktop Users group so they can RDP into this instance
            # Install A/D Management Tools
            c-add-domain-users-rdp-users-group:
              command: !Sub powershell -Command "&{ try { $ErrorActionPreference = 'Stop'; $GroupObj = [ADSI]'WinNT://localhost/Remote Desktop Users'; $GroupObj.Add('WinNT://${DomainNetBIOSName}/Domain Users'); Install-WindowsFeature -Name GPMC,RSAT-AD-PowerShell,RSAT-AD-AdminCenter,RSAT-ADDS-Tools,RSAT-DNS-Server; } catch { $_ | Write-AWSQuickStartException; } }"
              waitAfterCompletion: '0'
        070-Setup-Database-Client-Environment:
          files:
            # Download Microsoft® ODBC Driver 13.1 for SQL Server® - Windows, Linux, & macOS
            # https://www.microsoft.com/en-us/download/details.aspx?id=53339
            'c:\cfn\assets\msodbcsql.msi':
              source: https://download.microsoft.com/download/D/5/E/D5EEF288-A277-45C8-855B-8E2CB7E25B96/x64/msodbcsql.msi
            # Download Microsoft® Command Line Utilities 14.0.1000 for SQL Server®
            # https://www.microsoft.com/en-us/download/details.aspx?id=53591
            'c:\cfn\assets\MsSqlCmdLnUtils.msi':
              source: https://download.microsoft.com/download/C/8/8/C88C2E51-8D23-4301-9F4B-64C8E2F163C5/x64/MsSqlCmdLnUtils.msi
          commands:
            a-install-mssqlserver-odbcdriver:
              command: start /wait msiexec /quiet /passive /qn /i c:\cfn\assets\msodbcsql.msi IACCEPTMSODBCSQLLICENSETERMS=YES ADDLOCAL=ALL
              waitAfterCompletion: '0'
            b-install-MsSql-CmdLn-Utils:
              command: start /wait msiexec /quiet /passive /qn /i c:\cfn\assets\MsSqlCmdLnUtils.msi IACCEPTMSSQLCMDLNUTILSLICENSETERMS=YES
              waitAfterCompletion: '0'
            c-add-mssql-cmdln-utils-to-system-path:
              command: powershell.exe -File c:\cfn\scripts\AddTo-SystemPath.ps1 -PathToAdd "c:\Program Files\Microsoft SQL Server\Client SDK\ODBC\130\Tools\Binn"
              waitAfterCompletion: '0'
        080-Setup-PAC-Database-Environment:
          files:
            'c:\cfn\assets\psqlodbc1_11_x86.zip':
              source: http://ftp.postgresql.org/pub/odbc/versions/msi/psqlodbc_11_01_0000-x86.zip
            'c:\cfn\assets\psqlodbc1_11_x64.zip':
              source: http://ftp.postgresql.org/pub/odbc/versions/msi/psqlodbc_11_01_0000-x64.zip
          commands:
            a-Unzip-PsqlODBC-Driver-x86:
              command: powershell.exe -File C:\cfn\scripts\Unzip-Archive.ps1 -Source C:\cfn\assets\psqlodbc1_11_x86.zip -Destination C:\cfn\assets\psqlodbc_11_x86
              waitAfterCompletion: '0'
            b-Unzip-PsqlODBC-Driver-x64:
              command: powershell.exe -File C:\cfn\scripts\Unzip-Archive.ps1 -Source C:\cfn\assets\psqlodbc1_11_x64.zip -Destination C:\cfn\assets\psqlodbc_11_x64
              waitAfterCompletion: '0'
            c-install-PsqlODBC-Driver-x86:
              command: start /wait msiexec /quiet /passive /qn /i c:\cfn\assets\psqlodbc_11_x86\psqlodbc_x86.msi
              waitAfterCompletion: '0'
            d-install-PsqlODBC-Driver-x64:
              command: start /wait msiexec /quiet /passive /qn /i c:\cfn\assets\psqlodbc_11_x64\psqlodbc_x64.msi
              waitAfterCompletion: '0'
        090-InstallBankDemoFS:
          commands:
            a-import-region:
              cwd: C:\Program Files (x86)\Micro Focus\Enterprise Server\bin
              command: start /wait mfds /g 5 C:\BankDemo_FS\Repo\BNKDMFS.xml D
              waitAfterCompletion: '0'
        100-InstallBankDemoSQL:
          files:
            'c:\cfn\scripts\CreateDSN.ps1':
              content: |
                try {
                  # Create an ODBC DSN to the BankDemo database
                  Add-OdbcDsn `
                    -Name DBNASEDB `
                    -DriverName "ODBC Driver 13 for SQL Server" `
                    -DsnType "System" `
                    -Platform "32-bit" `
                    -SetPropertyValue @("Server=ESDatabase", "Trusted_Connection=Yes", "Database=BANKDEMO")
                } catch {
                  $_ | Write-AWSQuickStartException
                }
          commands:
            a-CreateDSN:
              command: powershell.exe -File c:\cfn\scripts\CreateDSN.ps1
              waitAfterCompletion: '0'
            b-import-region:
              cwd: C:\Program Files (x86)\Micro Focus\Enterprise Server\bin
              command: start /wait mfds /g 5 C:\BankDemo_SQL\BNKDMSQLRegionDefForImport\BNKDMSQL.xml D
              waitAfterCompletion: '0'
        110-InstallBankDemoPAC:
          files:
            'C:\cfn\scripts\deploy.bat':
              source: !Sub
                - >-
                  https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}scripts/deploy.bat
                - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion]
                  S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
              authentication: S3AccessCreds
            'C:\cfn\scripts\configure-and-import-pac-region.ps1':
              source: !Sub
                - >-
                  https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}scripts/configure-and-import-pac-region.ps1
                - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion]
                  S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
              authentication: S3AccessCreds
            'C:\cfn\scripts\Add-region-to-PAC.ps1':
              source: !Sub
                - >-
                  https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}scripts/Add-region-to-PAC.ps1
                - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion]
                  S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
              authentication: S3AccessCreds
            # The database password is substituted into this script at deploy time,
            # so the file on disk contains it in clear text.
            'c:\cfn\scripts\CreateDSN_PAC.ps1':
              content: !Sub |
                try {
                  # Create ODBC DSNs to the BankDemo PAC databases
                  Add-OdbcDsn `
                    -Name PG.VSAM `
                    -DriverName "PostgreSQL ANSI" `
                    -DsnType "System" `
                    -Platform "32-bit" `
                    -SetPropertyValue @("Server=ESPACDatabase", "UserName=esuser", 'Database=MicroFocus$SEE$Files$VSAM', "Password=${PACDBMasterUserPassword}")
                  Add-OdbcDsn `
                    -Name PG.POSTGRES `
                    -DriverName "PostgreSQL ANSI" `
                    -DsnType "System" `
                    -Platform "32-bit" `
                    -SetPropertyValue @("Server=ESPACDatabase", "UserName=esuser", "Database=postgres", "Password=${PACDBMasterUserPassword}")
                  Add-OdbcDsn `
                    -Name PG.REGION `
                    -DriverName "PostgreSQL ANSI" `
                    -DsnType "System" `
                    -Platform "32-bit" `
                    -SetPropertyValue @("Server=ESPACDatabase", "UserName=esuser", 'Database=MicroFocus$CAS$Region$DEMOPAC', "Password=${PACDBMasterUserPassword}")
                  Add-OdbcDsn `
                    -Name PG.CROSSREGION `
                    -DriverName "PostgreSQL ANSI" `
                    -DsnType "System" `
                    -Platform "32-bit" `
                    -SetPropertyValue @("Server=ESPACDatabase", "UserName=esuser", 'Database=MicroFocus$CAS$CrossRegion', "Password=${PACDBMasterUserPassword}")
                } catch {
                  $_ | Write-AWSQuickStartException
                }
          commands:
            a-CreateDSN:
              command: powershell.exe -File c:\cfn\scripts\CreateDSN_PAC.ps1
              waitAfterCompletion: '0'
            b-configure-and-import-region1:
              test: !Sub >-
                if /I "${ESInstanceName}"=="ESSERVER1" (exit 0) else (exit 1)
              cwd: C:\Program Files (x86)\Micro Focus\Enterprise Server\bin
              command: powershell.exe -File c:\cfn\scripts\configure-and-import-pac-region.ps1 -Regionname BNKDM
              waitAfterCompletion: '0'
            c-configure-and-import-region2:
              test: !Sub >-
                if /I "${ESInstanceName}"=="ESSERVER2" (exit 0) else (exit 1)
              cwd: C:\Program Files (x86)\Micro Focus\Enterprise Server\bin
              command: powershell.exe -File c:\cfn\scripts\configure-and-import-pac-region.ps1 -Regionname BNKDM2
            d-import-data-files:
              cwd: C:\Program Files (x86)\Micro Focus\Enterprise Server\bin
              test: !Sub >-
                if /I "${ESInstanceName}"=="ESSERVER1" (exit 0) else (exit 1)
              command: start /wait c:\cfn\scripts\deploy.bat
              waitAfterCompletion: '0'
            e-add-region-to-PAC:
              command: !Sub powershell.exe -File c:\cfn\scripts\Add-region-to-PAC.ps1 -ESInstanceName ${ESInstanceName}
              waitAfterCompletion: '0'
        120-ChangeMFDSServiceStartName:
          files:
            'c:\cfn\scripts\Configure-UserLogonPrivileges.ps1':
              source: !Sub
                - >-
                  https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}scripts/Configure-UserLogonPrivileges.ps1
                - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion]
                  S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
              authentication: S3AccessCreds
            'c:\cfn\scripts\Change-NTServiceStartName.ps1':
              source: !Sub
                - >-
                  https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}scripts/Change-NTServiceStartName.ps1
                - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion]
                  S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
              authentication: S3AccessCreds
            'C:\cfn\scripts\Configure-ESCWA.ps1':
              source: !Sub
                - >-
                  https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}scripts/Configure-ESCWA.ps1
                - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion]
                  S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
              authentication: S3AccessCreds
          commands:
            # Run the Directory Server service (MF_CCITCP2) as the dedicated domain
            # service account rather than LocalSystem: grant only the logon rights
            # and file permissions that account needs.
            a-grant-mfds-account-logon-as-a-service:
              command: !Sub powershell.exe -File c:\cfn\scripts\Configure-UserLogonPrivileges.ps1 -Username "${DomainNetBIOSName}\${MFDSServiceAccountName}" -PrivilegeName "SeServiceLogonRight" -Status Grant
              waitAfterCompletion: '0'
            b-grant-mfds-account-logon-as-batch-job:
              command: !Sub powershell.exe -File c:\cfn\scripts\Configure-UserLogonPrivileges.ps1 -Username "${DomainNetBIOSName}\${MFDSServiceAccountName}" -PrivilegeName "SeBatchLogonRight" -Status Grant
              waitAfterCompletion: '0'
            c-grant-mfds-account-permissions:
              cwd: C:\ProgramData
              command: !Sub icacls "C:\ProgramData\Micro Focus" /grant ${DomainNetBIOSName}\${MFDSServiceAccountName}:(OI)(CI)F /T
              waitAfterCompletion: '0'
            d-change-mfds-service-startname:
              command: !Sub powershell.exe -File c:\cfn\scripts\Change-NTServiceStartName.ps1 -ServiceName MF_CCITCP2 -StartName "${DomainNetBIOSName}\${MFDSServiceAccountName}" -StartPassword ${MFDSServiceAccountPassword}
              waitAfterCompletion: '0'
            e-configure-escwa:
              command: !Sub powershell.exe -File c:\cfn\scripts\Configure-ESCWA.ps1 -DomainNetBIOSName ${DomainNetBIOSName} -ServiceUser ${MFDSServiceAccountName} -ServicePassword ${MFDSServiceAccountPassword}
              waitAfterCompletion: '0'
            f-grant-ESDemouser-account-remote-logon:
              command: !Sub powershell.exe -File c:\cfn\scripts\Configure-UserLogonPrivileges.ps1 -Username "${DomainNetBIOSName}\ESDemoUser" -PrivilegeName "SeRemoteInteractiveLogonRight" -Status Grant
              waitAfterCompletion: '0'
        130-Start-BNKDMFS:
          commands:
            a-start-BNKDMFS-region:
              command: !Sub powershell.exe -File c:\cfn\scripts\Schedule-AD-PowershellTask.ps1 -TaskName startBNKDMFS -TaskArguments "-File c:\cfn\scripts\StartESRegion.ps1 -RegionName BNKDMFS" -DomainUserName "${DomainNetBIOSName}\${MFDSServiceAccountName}" -DomainUserPassword "${MFDSServiceAccountPassword}"
              waitAfterCompletion: '0'
        140-Start-BNKDMSQL:
          commands:
            a-start-BNKDMSQL-region:
              command: !Sub powershell.exe -File c:\cfn\scripts\Schedule-AD-PowershellTask.ps1 -TaskName startBNKDMSQL -TaskArguments "-File c:\cfn\scripts\StartESRegion.ps1 -RegionName BNKDMSQL" -DomainUserName "${DomainNetBIOSName}\${MFDSServiceAccountName}" -DomainUserPassword "${MFDSServiceAccountPassword}"
              waitAfterCompletion: '0'
        150-Start-BNKDM:
          files:
            'c:\cfn\scripts\StartESRegion-cold.ps1':
              source: !Sub
                - >-
https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}scripts/StartESRegion-cold.ps1 - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] authentication: S3AccessCreds commands: a-start-BNKDM-region: test: !Sub >- if /I "${ESInstanceName}"=="ESSERVER1" (exit 0) else (exit 1) command: !Sub powershell.exe -File c:\cfn\scripts\Schedule-AD-PowershellTask.ps1 -TaskName startBNKDM -TaskArguments "-File c:\cfn\scripts\StartESRegion-cold.ps1 -RegionName BNKDM" -DomainUserName "${DomainNetBIOSName}\${MFDSServiceAccountName}" -DomainUserPassword "${MFDSServiceAccountPassword}" waitAfterCompletion: '0' b-start-BNKDM2-region: test: !Sub >- if /I "${ESInstanceName}"=="ESSERVER2" (exit 0) else (exit 1) command: !Sub powershell.exe -File c:\cfn\scripts\Schedule-AD-PowershellTask.ps1 -TaskName startBNKDM -TaskArguments "-File c:\cfn\scripts\StartESRegion.ps1 -RegionName BNKDM2 -Delay yes" -DomainUserName "${DomainNetBIOSName}\${MFDSServiceAccountName}" -DomainUserPassword "${MFDSServiceAccountPassword}" waitAfterCompletion: '0' 160-Finalize: commands: a-finalize-init: command: powershell.exe -Command Write-AWSQuickStartStatus waitAfterCompletion: '0' Properties: AvailabilityZone: !Select - 0 - !Ref AvailabilityZones Volumes: - VolumeId: !Ref ESPrimaryDataVolume Device: xvdb SubnetId: !Ref SubnetID SecurityGroupIds: - !Ref DomainMemberSGID - !Ref ESClientAccessSGID IamInstanceProfile: !Ref ESInstanceRoleProfile KeyName: !Ref KeyPairName InstanceType: !Ref ESInstanceType ImageId: !FindInMap - AWSAMIRegionMap - !Ref 'AWS::Region' - MFES40AMI Tags: - Key: Name Value: !Sub '${AWS::StackName}-${ESInstanceName}' UserData: !Base64 'Fn::Sub': - | - QSS3Region: !If - GovCloudCondition - s3-us-gov-west-1 - s3 ESInstanceRecoveryAlarm: Type: 'AWS::CloudWatch::Alarm' Properties: AlarmDescription: !Sub | "${AWS::StackName} Stack instance auto-recovery 
alarm/trigger." Namespace: AWS/EC2 MetricName: StatusCheckFailed_System Statistic: Minimum Period: 60 EvaluationPeriods: 5 ComparisonOperator: GreaterThanThreshold Threshold: 0 AlarmActions: - !Sub 'arn:aws:automate:${AWS::Region}:ec2:recover' - !If - HaveEMailNotificationTopic - !Ref EMailNotificationTopic - !Ref 'AWS::NoValue' Dimensions: - Name: InstanceId Value: !Ref ESInstance Outputs: ESInstanceID: Description: The Enterprise Server EC2 Instance ID Value: !Ref ESInstance ESInstanceAZ: Description: >- The Availability Zone where the deployed Enterprise Server instance is launched. Value: !GetAtt ESInstance.AvailabilityZone ESInstancePrivateDnsName: Description: The private DNS name of the deployed Enterprise Server instance Value: !GetAtt ESInstance.PrivateDnsName ESInstancePrivateIp: Description: The private IP address of the deployed Enterprise Server instance Value: !GetAtt ESInstance.PrivateIp