AWSTemplateFormatVersion: '2010-09-09' Description: >- This template creates a VPC infrastructure for a multi-AZ, multi-tier deployment of a Windows based Application infrastructure. It deploys a managed Microsoft AD Directory Service into private subnets in separate Availability Zones inside a VPC, as well as Remote Desktop Gateway instances and managed NAT gateways into the public subnet for each Availability Zone. The default Domain Administrator user is 'admin'. For adding members to the domain, ensure that they are launched into the domain member security group created by this template and then configure them to use the AD instances fixed private IP addresses as the DNS server. **WARNING** This template creates Amazon EC2 Windows instance and related resources. You will be billed for the AWS resources used if you create a stack from this template. (qs-1rtnidq31) Metadata: cfn-lint: config: ignore_checks: - W9006 - W9901 - E9902 QuickStartDocumentation: EntrypointName: Parameters for deploying AWS Managed Microsoft AD into a new VPC Order: '5' AWS::CloudFormation::Interface: ParameterGroups: - Label: default: Network configuration Parameters: - AvailabilityZones - NumberOfAZs - VPCCIDR - DHCPOptionSet - PrivateSubnet1CIDR - PrivateSubnet2CIDR - PrivateSubnet3CIDR - PublicSubnet1CIDR - PublicSubnet2CIDR - PublicSubnet3CIDR - Label: default: Amazon EC2 configuration Parameters: - KeyPairName - Label: default: Microsoft Active Directory configuration Parameters: - DomainDNSName - DomainNetBIOSName - DomainAdminPassword - NonWindowsDomainJoin - ADEdition - SetupAppInsightsMonitoring - Label: default: Microsoft Windows Server management instance Parameters: - MgmtServer - MgmtServerInstanceType - MgmtDataDriveSizeGiB - MgmtServerNetBIOSName - MgmtServerEnableAdvancedAudtingandMetrics - Label: default: Microsoft Active Directory Certificate Services configuration Parameters: - PKI - PKIEnableAdvancedAudtingandMetrics - CaServerInstanceType - CaDataDriveSizeGiB - OrCaServerNetBIOSName - EntCaServerNetBIOSName - CaKeyLength - CaHashAlgorithm - OrCaValidityPeriodUnits - CaValidityPeriodUnits - UseS3ForCRL - S3CRLBucketName - Label: default: Microsoft Remote Desktop Gateway Configuration Parameters: - NumberOfRDGWHosts - RDGWInstanceType - RDGWCIDR - Label: default: AWS Quick Start configuration Parameters: - QSS3BucketName - QSS3BucketRegion - QSS3KeyPrefix ParameterLabels: ADEdition: default: AWS Managed Microsoft AD Edition AvailabilityZones: default: Availability Zones CaDataDriveSizeGiB: default: CA Data Drive Size CaHashAlgorithm: default: CA Hash Algorithm CaKeyLength: default: CA Key Length CaServerInstanceType: default: CA Instance Type CaValidityPeriodUnits: default: Enterprise Root or Subordinate CA Certificate Validity Period in Years DHCPOptionSet: default: Create a DHCP Options set DomainAdminPassword: default: Admin Account Password DomainDNSName: default: Domain DNS Name DomainNetBIOSName: default: Domain NetBIOS Name EntCaServerNetBIOSName: default: Enterprise Root or Subordinate CA NetBIOS Name KeyPairName: default: Key Pair Name MgmtDataDriveSizeGiB: default: Data Drive Size MgmtServer: default: Deploy Management Server MgmtServerEnableAdvancedAudtingandMetrics: default: Advanced Auditing and Metrics for Management Instance MgmtServerInstanceType: default: Management Server Instance Type MgmtServerNetBIOSName: default: Management Server NetBIOS Name NonWindowsDomainJoin: default: Whether to create an AD user with minimum permissions that can be used by non-Windows instances to join the domain NumberOfAZs: default: Number of Availability Zones NumberOfRDGWHosts: default: Number of RDGW Hosts OrCaServerNetBIOSName: default: Offline Root CA NetBIOS Name (Only Used For Two Tier PKI) OrCaValidityPeriodUnits: default: Offline Root CA Certificate Validity Period in Years (Only Used For Two Tier PKI) PKI: default: Deploy PKI Infrastructure PKIEnableAdvancedAudtingandMetrics: default: Advanced Auditing and Metrics for PKI Instance(s) PrivateSubnet1CIDR: default: Private Subnet 1 CIDR PrivateSubnet2CIDR: default: Private Subnet 2 CIDR PrivateSubnet3CIDR: default: (Optional) Private Subnet 3 CIDR PublicSubnet1CIDR: default: Public Subnet 1 CIDR PublicSubnet2CIDR: default: Public Subnet 2 CIDR PublicSubnet3CIDR: default: (Optional) Public Subnet 3 CIDR QSS3BucketName: default: Quick Start S3 bucket name QSS3BucketRegion: default: Quick Start S3 bucket region QSS3KeyPrefix: default: Quick Start S3 key prefix RDGWCIDR: default: Allowed Remote Desktop Gateway External Access CIDR RDGWInstanceType: default: Remote Desktop Gateway Instance Type SetupAppInsightsMonitoring: default: Setup Application Insights monitoring S3CRLBucketName: default: CA CRL S3 Bucket Name UseS3ForCRL: default: Use S3 for CA CRL Location VPCCIDR: default: VPC CIDR Parameters: ADEdition: AllowedValues: - Standard - Enterprise Default: Enterprise Description: The AWS Managed Microsoft AD Edition you wish to deploy Type: String AvailabilityZones: Description: 'List of Availability Zones to use for the subnets in the VPC. Note: The logical order is preserved and only 2 AZs are used for this deployment' Type: List CaDataDriveSizeGiB: Default: '2' Description: Size of the data drive in GiB for the CA instance(s) Type: Number MinValue: '2' MaxValue: '16384' CaHashAlgorithm: AllowedValues: - SHA256 - SHA384 - SHA512 Default: SHA256 Description: CA(s) Hash Algorithm for Signing Certificates Type: String CaKeyLength: AllowedValues: - '2048' - '4096' Default: '2048' Description: CA(s) Cryptographic Provider Key Length Type: String CaServerInstanceType: AllowedValues: - t3.small - t3.medium - t3.large - t3.xlarge - t3.2xlarge - m5.large - m5.xlarge - m5.2xlarge - m5.4xlarge Default: t3.medium Description: Amazon EC2 instance type for the CA instance(s) Type: String CaValidityPeriodUnits: Default: '5' Description: Validity Period in Years Type: Number MinValue: '1' DHCPOptionSet: AllowedValues: - 'Yes' - 'No' Default: 'Yes' Description: Do you want to create and apply a new DHCP Options Set Type: String DomainAdminPassword: AllowedPattern: '(?=^.{8,32}$)((?=.*\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*' Description: Password for the Admin user account. Must be at least 8 characters containing letters, numbers and symbols MaxLength: '32' MinLength: '8' NoEcho: 'true' Type: String DomainDNSName: AllowedPattern: '^([a-zA-Z0-9]+[\.\-])+([a-zA-Z0-9])+$' Default: example.com Description: Fully qualified domain name (FQDN) of the forest root domain e.g. example.com MaxLength: '64' MinLength: '2' Type: String DomainNetBIOSName: AllowedPattern: '^[a-zA-Z0-9]+$' Default: example Description: NetBIOS name of the domain (upto 15 characters) for users of earlier versions of Windows e.g. EXAMPLE MaxLength: '15' MinLength: '1' Type: String EntCaServerNetBIOSName: AllowedPattern: '^[a-zA-Z0-9]+$' Default: ENTCA1 Description: NetBIOS name of the Enterprise Root or Subordinate CA server (up to 15 characters) MaxLength: '15' MinLength: '1' Type: String KeyPairName: Description: Public/private key pairs allow you to securely connect to your instance after it launches Type: AWS::EC2::KeyPair::KeyName MgmtDataDriveSizeGiB: Default: '2' Description: Size of the Managment Server Data Drive in GiB MinValue: '1' MaxValue: '16384' Type: Number MgmtServer: AllowedValues: - 'true' - 'false' Default: 'false' Description: Do you want to deploy a Management Server Type: String MgmtServerEnableAdvancedAudtingandMetrics: Description: Enable advanced auditing and metrics and upload them to CloudWatch using the Amazon Kinesis Agent for Microsoft Windows AllowedValues: - 'true' - 'false' Type: String Default: 'false' MgmtServerInstanceType: AllowedValues: - t3.medium - t3.large - t3.xlarge - t3.2xlarge - m5.large - m5.xlarge - m5.2xlarge - m5.4xlarge Default: t3.medium Description: Amazon EC2 instance type for the Management Server Type: String MgmtServerNetBIOSName: AllowedPattern: '^[a-zA-Z0-9]+$' Default: MGMT1 Description: NetBIOS name of the Management Server server (up to 15 characters) MaxLength: '15' MinLength: '1' Type: String NonWindowsDomainJoin: AllowedValues: - 'true' - 'false' Default: 'false' Description: | Do you want to create an AD User with minimal permissions allowing non-Windows instances to join the domain? The username and password will be stored in Secrets Manager and a policy to access the secret will be created. Type: String NumberOfAZs: AllowedValues: - '2' - '3' Default: '2' Description: Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter Type: String NumberOfRDGWHosts: AllowedValues: - '0' - '1' - '2' - '3' - '4' Default: '0' Description: Enter the number of Remote Desktop Gateway instances to create Type: String OrCaServerNetBIOSName: AllowedPattern: '^[a-zA-Z0-9]+$' Default: ORCA1 Description: NetBIOS name of the Offline Root CA server (Only Used For Two Tier PKI) (up to 15 characters) MaxLength: '15' MinLength: '1' Type: String OrCaValidityPeriodUnits: Default: '10' Description: Validity Period in Years (Only Used For Two Tier PKI) MinValue: '1' Type: Number PKI: AllowedValues: - One-Tier - Two-Tier - 'No' Default: 'No' Description: Deploy Two Tier (Offline Root with Subordinate Enterprise CA) or One Tier (Enterprise Root CA) PKI Infrastructure Type: String PKIEnableAdvancedAudtingandMetrics: AllowedValues: - 'true' - 'false' Default: 'false' Description: Enable advanced auditing and metrics and upload them to CloudWatch using the Amazon Kinesis Agent for Microsoft Windows Type: String PrivateSubnet1CIDR: AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.0.0/19 Description: CIDR block for private subnet 1 located in Availability Zone 1 Type: String PrivateSubnet2CIDR: AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.32.0/19 Description: CIDR block for private subnet 2 located in Availability Zone 2 Type: String PrivateSubnet3CIDR: AllowedPattern: '^$|^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' Default: 10.0.64.0/19 Description: CIDR block for private subnet 3 located in Availability Zone 3 Type: String PublicSubnet1CIDR: AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.128.0/20 Description: CIDR Block for the public subnet 1 located in Availability Zone 1 Type: String PublicSubnet2CIDR: AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.144.0/20 Description: CIDR Block for the public subnet 2 located in Availability Zone 2 Type: String PublicSubnet3CIDR: AllowedPattern: '^$|^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' Default: 10.0.64.0/19 Description: CIDR Block for the public subnet 3 located in Availability Zone 3 Type: String QSS3BucketName: AllowedPattern: '^[a-z0-9]+[a-z0-9\.\-]*[a-z0-9]+$' ConstraintDescription: Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-) Default: aws-quickstart Description: S3 bucket name for the Quick Start assets. Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-) Type: String QSS3BucketRegion: AllowedPattern: '^[a-z]+\-[a-z\-]+\-[0-9]{1}$' Default: us-east-1 Description: The AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. When using your own bucket, you must specify this value Type: String QSS3KeyPrefix: AllowedPattern: '^[a-zA-Z0-9\-\/]+$' ConstraintDescription: Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/) Default: quickstart-microsoft-activedirectory/ Description: S3 key prefix for the Quick Start assets. Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/) Type: String RDGWCIDR: AllowedPattern: '^$|^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/x Default: 10.0.0.0/16 Description: Allowed CIDR Block for external access to the Remote Desktop Gateways Type: String RDGWInstanceType: AllowedValues: - t2.small - t2.medium - t2.large - t3.micro - t3.small - t3.medium - t3.large - t3.xlarge - t3.2xlarge - t3a.micro - t3a.small - t3a.medium - t3a.large - t3a.xlarge - t3a.2xlarge - m5.large - m5.xlarge - m5.2xlarge - m5.4xlarge - m5a.large - m5a.xlarge - m5a.2xlarge Default: t3.large Description: Amazon EC2 instance type for the Remote Desktop Gateway instances Type: String SetupAppInsightsMonitoring: AllowedValues: - 'true' - 'false' ConstraintDescription: Can include either true or false. Default: 'false' Description: Setup Application Insights monitoring for Active Directory resources. This parameter can include either true or false. Type: String S3CRLBucketName: AllowedPattern: '^[a-z0-9]+[a-z0-9\.\-]*[a-z0-9]+$' Default: examplebucket Description: S3 bucket name for CA CRL(s) storage. Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-) Type: String UseS3ForCRL: AllowedValues: - 'Yes' - 'No' Default: 'No' Description: Store CA CRL(s) in an S3 bucket Type: String VPCCIDR: AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.0.0/16 Description: CIDR Block for the VPC Type: String Conditions: AppInsightsEnabled: !Equals [!Ref SetupAppInsightsMonitoring, true] IncludeRDGW: !Not [!Equals [!Ref NumberOfRDGWHosts, '0']] IsTwoAz: !Equals [!Ref NumberOfAZs, '2'] UsingDefaultBucket: !Equals [!Ref QSS3BucketName, 'aws-quickstart'] Rules: NonWindowsDomainJoin: RuleCondition: !Equals [!Ref NonWindowsDomainJoin, 'true'] Assertions: - AssertDescription: To enable creation of an AD user for non-Windows Domain joins, you need to create a Management Server Instance Assert: !Equals [!Ref MgmtServer, 'true'] S3CRLBucketNameValidation: RuleCondition: !And - !Equals [!Ref UseS3ForCRL, 'Yes'] - !Not [!Equals [!Ref PKI, 'No']] Assertions: - AssertDescription: CRL BucketName cannot must be valid BucketName Assert: !Not [!Equals [!Ref S3CRLBucketName, 'examplebucket']] ValidateRdgw: RuleCondition: !Not - !Equals - !Ref NumberOfRDGWHosts - '0' Assertions: - Assert: !Not - !Equals - !Ref RDGWCIDR - '' AssertDescription: if condition IncludeRDGW is true, then RDGWCIDR cannot be left empty Resources: VPCStack: Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-aws-vpc/templates/aws-vpc.template.yaml' - S3Region: !If [UsingDefaultBucket, !Ref AWS::Region, !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: AvailabilityZones: !Join [',', !Ref AvailabilityZones] NumberOfAZs: !If [IsTwoAz, '2', '3'] PrivateSubnet1ACIDR: !Ref PrivateSubnet1CIDR PrivateSubnet2ACIDR: !Ref PrivateSubnet2CIDR PrivateSubnet3ACIDR: !If [IsTwoAz, !Ref AWS::NoValue, !Ref PrivateSubnet3CIDR] PublicSubnet1CIDR: !Ref PublicSubnet1CIDR PublicSubnet2CIDR: !Ref PublicSubnet2CIDR PublicSubnet3CIDR: !If [IsTwoAz, !Ref AWS::NoValue, !Ref PublicSubnet3CIDR] VPCCIDR: !Ref VPCCIDR ADStack: Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/ad-3.template.yaml' - S3Region: !If [UsingDefaultBucket, !Ref AWS::Region, !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: ADEdition: !Ref ADEdition CaDataDriveSizeGiB: !Ref CaDataDriveSizeGiB CaHashAlgorithm: !Ref CaHashAlgorithm CaKeyLength: !Ref CaKeyLength CaServerInstanceType: !Ref CaServerInstanceType CaValidityPeriodUnits: !Ref CaValidityPeriodUnits DHCPOptionSet: !Ref DHCPOptionSet DomainAdminPassword: !Ref DomainAdminPassword DomainDNSName: !Ref DomainDNSName DomainNetBIOSName: !Ref DomainNetBIOSName EntCaServerNetBIOSName: !Ref EntCaServerNetBIOSName KeyPairName: !Ref KeyPairName MgmtDataDriveSizeGiB: !Ref MgmtDataDriveSizeGiB MgmtServer: !Ref MgmtServer MgmtServerEnableAdvancedAudtingandMetrics: !Ref MgmtServerEnableAdvancedAudtingandMetrics MgmtServerInstanceType: !Ref MgmtServerInstanceType MgmtServerNetBIOSName: !Ref MgmtServerNetBIOSName NonWindowsDomainJoin: !Ref NonWindowsDomainJoin OrCaServerNetBIOSName: !Ref OrCaServerNetBIOSName OrCaValidityPeriodUnits: !Ref OrCaValidityPeriodUnits PKI: !Ref PKI PKIEnableAdvancedAudtingandMetrics: !Ref PKIEnableAdvancedAudtingandMetrics PrivateSubnet1ID: !GetAtt VPCStack.Outputs.PrivateSubnet1AID PrivateSubnet2ID: !GetAtt VPCStack.Outputs.PrivateSubnet2AID QSS3BucketName: !Ref QSS3BucketName QSS3BucketRegion: !Ref QSS3BucketRegion QSS3KeyPrefix: !Ref QSS3KeyPrefix SetupAppInsightsMonitoring: !Ref SetupAppInsightsMonitoring S3CRLBucketName: !Ref S3CRLBucketName UseS3ForCRL: !Ref UseS3ForCRL VPCCIDR: !Ref VPCCIDR VPCID: !GetAtt VPCStack.Outputs.VPCID RDGWStack: Condition: IncludeRDGW Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-microsoft-rdgateway/templates/rdgw-domain.template' - S3Region: !If [UsingDefaultBucket, !Ref AWS::Region, !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: DomainAdminPassword: !Ref DomainAdminPassword DomainAdminUser: admin DomainDNSName: !Ref DomainDNSName DomainMemberSGID: !GetAtt ADStack.Outputs.DomainMemberSGID DomainNetBIOSName: !Ref DomainNetBIOSName KeyPairName: !Ref KeyPairName NumberOfRDGWHosts: !Ref NumberOfRDGWHosts PublicSubnet1ID: !GetAtt VPCStack.Outputs.PublicSubnet1ID PublicSubnet2ID: !GetAtt VPCStack.Outputs.PublicSubnet2ID QSS3BucketName: !Ref QSS3BucketName QSS3BucketRegion: !Ref QSS3BucketRegion QSS3KeyPrefix: !Sub ${QSS3KeyPrefix}submodules/quickstart-microsoft-rdgateway/ RDGWCIDR: !Ref RDGWCIDR RDGWInstanceType: !Ref RDGWInstanceType VPCID: !GetAtt VPCStack.Outputs.VPCID