AWSTemplateFormatVersion: '2010-09-09' Description: 'Deploys Active Directory Environment (qs-1s4u7q61n)' Metadata: cfn-lint: config: ignore_checks: - W9006 AWS::CloudFormation::Interface: ParameterGroups: - Label: default: Network Configuration Parameters: - VPCCIDR - VPCID - PrivateSubnet1CIDR - PrivateSubnet1ID - PrivateSubnet2CIDR - PrivateSubnet2ID - Label: default: Microsoft Active Directory Configuration Parameters: - DomainDNSName - DomainNetBIOSName - DomainAdminPassword - ADEdition ParameterLabels: DomainAdminPassword: default: Domain Admin Password DomainDNSName: default: Domain DNS Name DomainNetBIOSName: default: Domain NetBIOS Name ADEdition: default: AWS Microsoft AD edition PrivateSubnet1CIDR: default: Private Subnet 1 CIDR PrivateSubnet1ID: default: Private Subnet 1 ID PrivateSubnet2CIDR: default: Private Subnet 2 CIDR PrivateSubnet2ID: default: Private Subnet 2 ID VPCCIDR: default: VPC CIDR VPCID: default: VPC ID Parameters: DomainAdminPassword: Description: Password for the domain admin user. Must be at least 8 characters containing letters, numbers and symbols Type: String MinLength: '8' MaxLength: '32' AllowedPattern: (?=^.{6,255}$)((?=.*\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.* NoEcho: 'true' DomainDNSName: Description: Fully qualified domain name (FQDN) of the forest root domain e.g. example.com Type: String Default: example.com MinLength: '2' MaxLength: '25' AllowedPattern: '[a-zA-Z0-9\-]+\..+' DomainNetBIOSName: Description: NetBIOS name of the domain (upto 15 characters) for users of earlier versions of Windows e.g. EXAMPLE Type: String Default: example MinLength: '1' MaxLength: '15' AllowedPattern: '[a-zA-Z0-9\-]+' PrivateSubnet1CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.0.0/19 Description: CIDR block for private subnet 1 located in Availability Zone 1. Type: String PrivateSubnet1ID: Description: ID of the private subnet 1 in Availability Zone 1 (e.g., subnet-a0246dcd) Type: AWS::EC2::Subnet::Id PrivateSubnet2CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.32.0/19 Description: CIDR block for private subnet 2 located in Availability Zone 2. Type: String PrivateSubnet2ID: Description: ID of the private subnet 2 in Availability Zone 2 (e.g., subnet-a0246dcd) Type: AWS::EC2::Subnet::Id ADEdition: AllowedValues: - Standard - Enterprise Default: Standard Description: The AWS Microsoft AD edition. Valid values include Standard and Enterprise. Type: String VPCCIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.0.0/16 Description: CIDR Block for the VPC Type: String VPCID: Description: ID of the VPC (e.g., vpc-0343606e) Type: AWS::EC2::VPC::Id Resources: DHCPOptions: Type: AWS::EC2::DHCPOptions Properties: DomainName: !Ref 'DomainDNSName' DomainNameServers: !GetAtt 'MicrosoftAD.DnsIpAddresses' Tags: - Key: Domain Value: !Ref 'DomainDNSName' VPCDHCPOptionsAssociation: Type: AWS::EC2::VPCDHCPOptionsAssociation Properties: VpcId: !Ref 'VPCID' DhcpOptionsId: !Ref 'DHCPOptions' MicrosoftAD: Type: AWS::DirectoryService::MicrosoftAD Properties: Name: !Ref 'DomainDNSName' ShortName: !Ref 'DomainNetBIOSName' Edition: !Ref 'ADEdition' Password: !Ref 'DomainAdminPassword' VpcSettings: SubnetIds: - !Ref 'PrivateSubnet1ID' - !Ref 'PrivateSubnet2ID' VpcId: !Ref 'VPCID' DomainMemberSGID: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Domain Members VpcId: !Ref 'VPCID' SecurityGroupIngress: - IpProtocol: tcp FromPort: 5985 ToPort: 5985 CidrIp: !Ref 'PrivateSubnet1CIDR' - IpProtocol: tcp FromPort: 0 ToPort: 65535 CidrIp: !Ref 'VPCCIDR' - IpProtocol: tcp FromPort: 3389 ToPort: 3389 CidrIp: !Ref 'VPCCIDR' - IpProtocol: udp FromPort: 0 ToPort: 65535 CidrIp: !Ref 'VPCCIDR' - IpProtocol: '-1' CidrIp: !Ref 'VPCCIDR' - IpProtocol: tcp FromPort: 53 ToPort: 53 CidrIp: !Ref 'PrivateSubnet1CIDR' - IpProtocol: tcp FromPort: 445 ToPort: 445 CidrIp: !Ref 'PrivateSubnet1CIDR' - IpProtocol: udp FromPort: 53 ToPort: 53 CidrIp: !Ref 'PrivateSubnet1CIDR' - IpProtocol: tcp FromPort: 49152 ToPort: 65535 CidrIp: !Ref 'PrivateSubnet1CIDR' - IpProtocol: udp FromPort: 49152 ToPort: 65535 CidrIp: !Ref 'PrivateSubnet1CIDR' - IpProtocol: tcp FromPort: 5985 ToPort: 5985 CidrIp: !Ref 'PrivateSubnet2CIDR' - IpProtocol: tcp FromPort: 53 ToPort: 53 CidrIp: !Ref 'PrivateSubnet2CIDR' - IpProtocol: tcp FromPort: 445 ToPort: 445 CidrIp: !Ref 'PrivateSubnet2CIDR' - IpProtocol: udp FromPort: 53 ToPort: 53 CidrIp: !Ref 'PrivateSubnet2CIDR' - IpProtocol: tcp FromPort: 49152 ToPort: 65535 CidrIp: !Ref 'PrivateSubnet2CIDR' - IpProtocol: udp FromPort: 49152 ToPort: 65535 CidrIp: !Ref 'PrivateSubnet2CIDR' - IpProtocol: tcp FromPort: 3389 ToPort: 3389 CidrIp: !Ref 'PrivateSubnet1CIDR' - IpProtocol: tcp FromPort: 3389 ToPort: 3389 CidrIp: !Ref 'PrivateSubnet2CIDR' WorkerSG: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: 'Gridlink Helper Security Group ' VpcId: !Ref 'VPCID' SecurityGroupIngress: - IpProtocol: tcp FromPort: 5985 ToPort: 5985 CidrIp: !Ref 'PrivateSubnet1CIDR' - IpProtocol: tcp FromPort: 0 ToPort: 65535 CidrIp: !Ref 'VPCCIDR' - IpProtocol: udp FromPort: 0 ToPort: 65535 CidrIp: !Ref 'VPCCIDR' - IpProtocol: '-1' CidrIp: !Ref 'VPCCIDR' - IpProtocol: tcp FromPort: 53 ToPort: 53 CidrIp: !Ref 'PrivateSubnet1CIDR' - IpProtocol: udp FromPort: 53 ToPort: 53 CidrIp: !Ref 'PrivateSubnet1CIDR' - IpProtocol: udp FromPort: 49152 ToPort: 65535 CidrIp: !Ref 'PrivateSubnet1CIDR' - IpProtocol: tcp FromPort: 5985 ToPort: 5985 CidrIp: !Ref 'PrivateSubnet2CIDR' - IpProtocol: tcp FromPort: 53 ToPort: 53 CidrIp: !Ref 'PrivateSubnet2CIDR' - IpProtocol: udp FromPort: 53 ToPort: 53 CidrIp: !Ref 'PrivateSubnet2CIDR' - IpProtocol: tcp FromPort: 3389 ToPort: 3389 CidrIp: !Ref 'PrivateSubnet1CIDR' - IpProtocol: tcp FromPort: 3389 ToPort: 3389 CidrIp: !Ref 'PrivateSubnet2CIDR' - IpProtocol: tcp FromPort: 3389 ToPort: 3389 CidrIp: !Ref 'VPCCIDR' - IpProtocol: udp FromPort: 445 ToPort: 445 CidrIp: !Ref 'PrivateSubnet1CIDR' - IpProtocol: udp FromPort: 445 ToPort: 445 CidrIp: !Ref 'PrivateSubnet2CIDR' - IpProtocol: tcp FromPort: 445 ToPort: 445 CidrIp: !Ref 'PrivateSubnet1CIDR' - IpProtocol: tcp FromPort: 445 ToPort: 445 CidrIp: !Ref 'PrivateSubnet2CIDR' - IpProtocol: tcp FromPort: 135 ToPort: 137 CidrIp: !Ref 'PrivateSubnet1CIDR' - IpProtocol: tcp FromPort: 135 ToPort: 137 CidrIp: !Ref 'PrivateSubnet2CIDR' - IpProtocol: udp FromPort: 135 ToPort: 137 CidrIp: !Ref 'PrivateSubnet1CIDR' - IpProtocol: udp FromPort: 135 ToPort: 137 CidrIp: !Ref 'PrivateSubnet2CIDR' - IpProtocol: udp FromPort: 1433 ToPort: 1434 CidrIp: !Ref 'PrivateSubnet1CIDR' - IpProtocol: udp FromPort: 1433 ToPort: 1434 CidrIp: !Ref 'PrivateSubnet2CIDR' - IpProtocol: tcp FromPort: 1433 ToPort: 1434 CidrIp: !Ref 'PrivateSubnet1CIDR' - IpProtocol: tcp FromPort: 1433 ToPort: 1434 CidrIp: !Ref 'PrivateSubnet2CIDR' - IpProtocol: tcp FromPort: 2382 ToPort: 2383 CidrIp: !Ref 'PrivateSubnet1CIDR' - IpProtocol: tcp FromPort: 2382 ToPort: 2383 CidrIp: !Ref 'PrivateSubnet2CIDR' - IpProtocol: tcp FromPort: 4022 ToPort: 4022 CidrIp: !Ref 'PrivateSubnet1CIDR' - IpProtocol: tcp FromPort: 4022 ToPort: 4022 CidrIp: !Ref 'PrivateSubnet2CIDR' - IpProtocol: tcp FromPort: 7022 ToPort: 7022 CidrIp: !Ref 'PrivateSubnet1CIDR' - IpProtocol: tcp FromPort: 7022 ToPort: 7022 CidrIp: !Ref 'PrivateSubnet2CIDR' HeadNodeSGID: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: 'Head Node Security Group ' VpcId: !Ref 'VPCID' SecurityGroupIngress: - IpProtocol: udp FromPort: 1433 ToPort: 1434 CidrIp: !Ref 'PrivateSubnet1CIDR' - IpProtocol: udp FromPort: 1433 ToPort: 1434 CidrIp: !Ref 'PrivateSubnet2CIDR' - IpProtocol: tcp FromPort: 1433 ToPort: 1434 CidrIp: !Ref 'PrivateSubnet1CIDR' - IpProtocol: tcp FromPort: 1433 ToPort: 1434 CidrIp: !Ref 'PrivateSubnet2CIDR' - IpProtocol: tcp FromPort: 2382 ToPort: 2383 CidrIp: !Ref 'PrivateSubnet1CIDR' - IpProtocol: tcp FromPort: 2383 ToPort: 2383 CidrIp: !Ref 'PrivateSubnet2CIDR' - IpProtocol: tcp FromPort: 4022 ToPort: 4022 CidrIp: !Ref 'PrivateSubnet1CIDR' - IpProtocol: tcp FromPort: 4022 ToPort: 4022 CidrIp: !Ref 'PrivateSubnet2CIDR' - IpProtocol: tcp FromPort: 7022 ToPort: 7022 CidrIp: !Ref 'PrivateSubnet1CIDR' - IpProtocol: tcp FromPort: 7022 ToPort: 7022 CidrIp: !Ref 'PrivateSubnet2CIDR' Outputs: ADServer1PrivateIP: Value: !Select - '0' - !GetAtt 'MicrosoftAD.DnsIpAddresses' Description: AD Server 1 Private IP Address (this may vary based on Directory Service order of IP addresses) ADServer2PrivateIP: Value: !Select - '1' - !GetAtt 'MicrosoftAD.DnsIpAddresses' Description: AD Server 2 Private IP Address (this may vary based on Directory Service order of IP addresses) DomainAdminUser: Value: !Join - '' - - !Ref 'DomainNetBIOSName' - \admin Description: Domain administrator account DomainMemberSGID: Value: !Ref 'DomainMemberSGID' Description: Domain Member Security Group ID WorkerSGID: Value: !Ref 'WorkerSG' Description: Worker Security Group HeadNodeSGID: Value: !Ref 'HeadNodeSGID' Description: Head Node Security Group MicrosoftAD: Value: !Ref 'MicrosoftAD' Description: 'MicrosoftAD Directory ID '