AWSTemplateFormatVersion: '2010-09-09' Description: >- This template deploys a Microsoft one-tier or two-tier PKI infrastructure deploying a VPC, Active Directory, and PKI CloudFormation stacks. **WARNING** This template creates Amazon EC2 Windows instances and related resources. You will be billed for the AWS resources used if you create a stack from this template. (qs-1qtre0g7j) Metadata: cfn-lint: config: ignore_checks: - W9006 AWS::CloudFormation::Interface: ParameterGroups: - Label: default: Network Configuration Parameters: - AvailabilityZones - VPCCIDR - PrivateSubnet1CIDR - PrivateSubnet2CIDR - PublicSubnet1CIDR - PublicSubnet2CIDR - Label: default: Amazon EC2 Configuration Parameters: - KeyPairName - Label: default: Microsoft Active Directory Domain Services Configuration Parameters: - DomainDNSName - DomainNetBIOSName - ADServer1PrivateIP - ADServer2PrivateIP - DomainAdminPassword - Label: default: Microsoft Active Directory Certificate Services Configuration Parameters: - CADeploymentType - OrCaServerInstanceType - OrCaDataDriveSizeGiB - EntCaServerInstanceType - EntCaDataDriveSizeGiB - OrCaServerNetBIOSName - EntCaServerNetBIOSName - CaKeyLength - CaHashAlgorithm - OrCaValidityPeriodUnits - CaValidityPeriodUnits - UseS3ForCRL - S3CRLBucketName - EnableAdvancedAudtingandMetrics - Label: default: Microsoft Remote Desktop Gateway Configuration Parameters: - NumberOfRDGWHosts - RDGWInstanceType - RDGWCIDR - Label: default: AWS Quick Start Configuration Parameters: - QSS3BucketName - QSS3BucketRegion - QSS3KeyPrefix ParameterLabels: ADServer1PrivateIP: default: Domain Controller 1 Private IP Address ADServer2PrivateIP: default: Domain Controller 2 Private IP Address AvailabilityZones: default: Availability Zones CADeploymentType: default: Deploy PKI Infrastructure CaHashAlgorithm: default: CA Hash Algorithm CaKeyLength: default: CA Key Length CaValidityPeriodUnits: default: Enterprise Root or Subordinate CA Certificate Validity Period in Years DomainAdminPassword: default: Alternate Domain Admin Password DomainDNSName: default: Domain DNS Name DomainNetBIOSName: default: Domain NetBIOS namNamee EnableAdvancedAudtingandMetrics: default: Advanced Auditing and Metrics EntCaDataDriveSizeGiB: default: Enterprise Root or Subordinate CA Data Drive Size EntCaServerInstanceType: default: Enterprise Root or Subordinate CA Instance Type EntCaServerNetBIOSName: default: Enterprise Root or Subordinate CA NetBIOS Name KeyPairName: default: Key Pair Name NumberOfRDGWHosts: default: Number of RDGW Hosts OrCaDataDriveSizeGiB: default: Offline Root CA Data Drive Size (Only Used For Two Tier PKI) OrCaServerInstanceType: default: Offline Root CA Instance Type (Only Used For Two Tier PKI) OrCaServerNetBIOSName: default: Offline Root CA NetBIOS Name (Only Used For Two Tier PKI) OrCaValidityPeriodUnits: default: Offline Root CA Certificate Validity Period in Years (Only Used For Two Tier PKI) PrivateSubnet1CIDR: default: Private subnet 1 CIDR PrivateSubnet2CIDR: default: Private subnet 2 CIDR PublicSubnet1CIDR: default: Public subnet 1 CIDR PublicSubnet2CIDR: default: Public subnet 2 CIDR QSS3BucketName: default: Quick Start S3 Bucket Name QSS3BucketRegion: default: Quick Start S3 Bucket Region QSS3KeyPrefix: default: Quick Start S3 Key Prefix RDGWCIDR: default: Allowed Remote Desktop Gateway External Access CIDR RDGWInstanceType: default: RD Gateway Server Instance Type S3CRLBucketName: default: CA CRL S3 Bucket Name UseS3ForCRL: default: Use S3 for CA CRL Location VPCCIDR: default: VPC CIDR Parameters: ADServer1PrivateIP: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$ Default: 10.0.0.10 Description: Fixed private IP for the first Active Directory Domain Controller located in Availability Zone 1 Type: String ADServer2PrivateIP: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$ Default: 10.0.32.10 Description: Fixed private IP for the second Active Directory Domain Controller located in Availability Zone 2 Type: String AvailabilityZones: Description: 'List of Availability Zones to use for the subnets in the VPC. Note: The logical order is preserved and only 2 AZs are used for this deployment' Type: List CADeploymentType: AllowedValues: - One-Tier - Two-Tier Default: Two-Tier Description: Deploy Two Tier (Offline Root with Subordinate Enterprise CA) or One Tier (Enterprise Root CA) PKI Infrastructure Type: String CaHashAlgorithm: AllowedValues: - SHA256 - SHA384 - SHA512 Default: SHA256 Description: CA Hash Algorithm for Signing Certificates Type: String CaKeyLength: AllowedValues: - '2048' - '4096' Default: '2048' Description: CA Cryptographic Provider Key Length Type: String CaValidityPeriodUnits: Default: '5' Description: Store CA CRL(s) in an S3 bucket Type: String DomainAdminPassword: AllowedPattern: (?=^.{6,255}$)((?=.*\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.* Description: User name for the account that will be added as a Domain Administrator. This is separate from the default "Administrator" account MaxLength: '32' MinLength: '8' NoEcho: 'true' Type: String DomainDNSName: AllowedPattern: '[a-zA-Z0-9\-]+\..+' Default: example.com Description: Fully qualified domain name (FQDN) of the forest root domain e.g. example.com MaxLength: '25' MinLength: '2' Type: String DomainNetBIOSName: AllowedPattern: '[a-zA-Z0-9]+' Default: example Description: NetBIOS name of the domain (up to 15 characters) for users of earlier versions of Windows e.g. EXAMPLE MaxLength: '15' MinLength: '1' Type: String EnableAdvancedAudtingandMetrics: AllowedValues: - 'true' - 'false' Default: 'false' Description: Enable advanced auditing and metrics and upload them to CloudWatch using the Amazon Kinesis Agent for Microsoft Windows Type: String EntCaDataDriveSizeGiB: Default: '2' Description: Size of the Data Drive in GiB for the Enterprise Root or Subordinate CA Type: Number EntCaServerInstanceType: AllowedValues: - t3.small - t3.medium - t3.large - t3.xlarge - t3.2xlarge - m5.large - m5.xlarge - m5.2xlarge - m5.4xlarge Default: t3.medium Description: Amazon EC2 instance type for the Enterprise Root or Subordinate CA instance Type: String EntCaServerNetBIOSName: AllowedPattern: '[a-zA-Z0-9\-]+' Default: ENTCA1 Description: NetBIOS name of the Enterprise Root or Subordinate CA server (up to 15 characters) MaxLength: '15' MinLength: '1' Type: String KeyPairName: Description: Name of the key pair that you will use to securely connect to your EC2 instance after it launches Type: AWS::EC2::KeyPair::KeyName NumberOfRDGWHosts: AllowedValues: - '0' - '1' - '2' - '3' - '4' Default: '0' Description: Enter the number of Remote Desktop Gateway instances to create Type: String OrCaDataDriveSizeGiB: Default: '2' Description: Size of the Data Drive in GiB for the Offline Root CA (Only Used For Two Tier PKI) Type: Number OrCaServerInstanceType: AllowedValues: - t3.small - t3.medium - t3.large - t3.xlarge - t3.2xlarge - m5.large - m5.xlarge - m5.2xlarge - m5.4xlarge Default: t3.medium Description: Amazon EC2 instance type for the Offline Root CA instance (Only Used For Two Tier PKI) Type: String OrCaServerNetBIOSName: AllowedPattern: '[a-zA-Z0-9\-]+' Default: ORCA1 Description: NetBIOS name of the Offline Root CA server (Only Used For Two Tier PKI) (up to 15 characters) MaxLength: '15' MinLength: '1' Type: String OrCaValidityPeriodUnits: Default: '10' Description: Validity Period in Years (Only Used For Two Tier PKI) Type: String PrivateSubnet1CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ Default: 10.0.0.0/19 Description: CIDR block for private subnet 1 located in Availability Zone 1 Type: String PrivateSubnet2CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ Default: 10.0.32.0/19 Description: CIDR block for private subnet 2 located in Availability Zone 2 Type: String PublicSubnet1CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ Default: 10.0.64.0/20 Description: CIDR Block for the public subnet 1 located in Availability Zone 1 Type: String PublicSubnet2CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ Default: 10.0.96.0/20 Description: CIDR Block for the public subnet 2 located in Availability Zone 2 Type: String QSS3BucketName: AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$ ConstraintDescription: Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Default: aws-quickstart Description: S3 bucket name for the Quick Start assets. Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Type: String QSS3BucketRegion: Default: us-east-1 Description: The AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. When using your own bucket, you must specify this value Type: String QSS3KeyPrefix: AllowedPattern: ^[0-9a-zA-Z-/]*$ ConstraintDescription: Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/) Default: quickstart-microsoft-pki/ Description: S3 key prefix for the Quick Start assets. Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/) Type: String RDGWCIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/x Default: 10.0.0.0/16 Description: Allowed CIDR Block for external access to the Remote Desktop Gateways Type: String RDGWInstanceType: AllowedValues: - t2.small - t2.medium - t2.large - t3.small - t3.medium - t3.large - m5.large - m5.xlarge - m5.2xlarge - m5.4xlarge Default: t3.large Description: Amazon EC2 instance type for the Remote Desktop Gateway instances Type: String S3CRLBucketName: AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$ Default: examplebucket Description: S3 bucket name for CA CRL(s) storage. Bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-) Type: String UseS3ForCRL: AllowedValues: - 'Yes' - 'No' Default: 'No' Description: Use S3 for CA(s) CRL location Type: String VPCCIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.0.0/16 Description: CIDR block for the VPC. Type: String Rules: S3CRLBucketNameValidation: RuleCondition: !Equals - !Ref UseS3ForCRL - 'Yes' Assertions: - AssertDescription: CRL BucketName cannot must be valid BucketName Assert: !Not [!Equals [!Ref S3CRLBucketName, 'examplebucket']] Conditions: UsingDefaultBucket: !Equals [!Ref QSS3BucketName, 'aws-quickstart'] IncludeRDGW: !Not - !Equals - !Ref NumberOfRDGWHosts - '0' Resources: VPCStack: Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-aws-vpc/templates/aws-vpc.template.yaml' - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: AvailabilityZones: !Join - ',' - !Ref AvailabilityZones NumberOfAZs: '2' PrivateSubnet1ACIDR: !Ref PrivateSubnet1CIDR PrivateSubnet2ACIDR: !Ref PrivateSubnet2CIDR PublicSubnet1CIDR: !Ref PublicSubnet1CIDR PublicSubnet2CIDR: !Ref PublicSubnet2CIDR VPCCIDR: !Ref VPCCIDR ADStack: Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-microsoft-activedirectory/templates/ad-1.template' - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: ADServer1PrivateIP: !Ref ADServer1PrivateIP ADServer2PrivateIP: !Ref ADServer2PrivateIP DomainAdminPassword: !Ref DomainAdminPassword DomainDNSName: !Ref DomainDNSName DomainNetBIOSName: !Ref DomainNetBIOSName KeyPairName: !Ref KeyPairName PrivateSubnet1ID: !GetAtt VPCStack.Outputs.PrivateSubnet1AID PrivateSubnet2ID: !GetAtt VPCStack.Outputs.PrivateSubnet2AID QSS3BucketName: !Ref QSS3BucketName QSS3BucketRegion: !Ref QSS3BucketRegion QSS3KeyPrefix: quickstart-microsoft-activedirectory/ VPCCIDR: !GetAtt VPCStack.Outputs.VPCCIDR VPCID: !GetAtt VPCStack.Outputs.VPCID RDGWStack: Condition: IncludeRDGW Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-microsoft-rdgateway/templates/rdgw-domain.template' - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: DomainAdminPassword: !Ref DomainAdminPassword DomainAdminUser: Admin DomainDNSName: !Ref DomainDNSName DomainMemberSGID: !GetAtt ADStack.Outputs.DomainMemberSGID DomainNetBIOSName: !Ref DomainNetBIOSName KeyPairName: !Ref KeyPairName NumberOfRDGWHosts: !Ref NumberOfRDGWHosts PublicSubnet1ID: !GetAtt VPCStack.Outputs.PublicSubnet1ID PublicSubnet2ID: !GetAtt VPCStack.Outputs.PublicSubnet2ID QSS3BucketName: !Ref QSS3BucketName QSS3BucketRegion: !Ref QSS3BucketRegion QSS3KeyPrefix: quickstart-microsoft-rdgateway/ RDGWInstanceType: !Ref RDGWInstanceType RDGWCIDR: !Ref RDGWCIDR VPCID: !GetAtt VPCStack.Outputs.VPCID PKIStack: Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/microsoft-pki.template.yaml' - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: AdministratorSecret: !GetAtt ADStack.Outputs.ADSecretsArn CADeploymentType: !Ref CADeploymentType CaHashAlgorithm: !Ref CaHashAlgorithm CaKeyLength: !Ref CaKeyLength CaServerSubnet: !GetAtt VPCStack.Outputs.PrivateSubnet1AID CaValidityPeriodUnits: !Ref CaValidityPeriodUnits DirectoryType: SelfManaged DomainController1IP: !Ref ADServer1PrivateIP DomainController2IP: !Ref ADServer2PrivateIP DomainDNSName: !Ref DomainDNSName DomainMembersSG: !GetAtt ADStack.Outputs.DomainMemberSGID DomainNetBIOSName: !Ref DomainNetBIOSName EnableAdvancedAudtingandMetrics: !Ref EnableAdvancedAudtingandMetrics EntCaDataDriveSizeGiB: !Ref EntCaDataDriveSizeGiB EntCaServerInstanceType: !Ref EntCaServerInstanceType EntCaServerNetBIOSName: !Ref EntCaServerNetBIOSName KeyPairName: !Ref KeyPairName OrCaDataDriveSizeGiB: !Ref OrCaDataDriveSizeGiB OrCaServerInstanceType: !Ref OrCaServerInstanceType OrCaServerNetBIOSName: !Ref OrCaServerNetBIOSName OrCaValidityPeriodUnits: !Ref OrCaValidityPeriodUnits QSS3BucketName: !Ref QSS3BucketName QSS3BucketRegion: !Ref QSS3BucketRegion QSS3KeyPrefix: !Ref QSS3KeyPrefix S3CRLBucketName: !Ref S3CRLBucketName UseS3ForCRL: !Ref UseS3ForCRL VPCCIDR: !GetAtt VPCStack.Outputs.VPCCIDR VPCID: !GetAtt VPCStack.Outputs.VPCID