AWSTemplateFormatVersion: '2010-09-09' Description: >- This template creates a Microsoft one-tier or two-tier PKI infrastructure. **WARNING** This template creates Amazon EC2 Windows instances and related resources. You will be billed for the AWS resources used if you create a stack from this template. (qs-1qpclo7fi) Metadata: cfn-lint: config: ignore_checks: - W9006 QuickStartDocumentation: EntrypointName: "Parameters for deploying into an existing VPC" AWS::CloudFormation::Interface: ParameterGroups: - Label: default: Network Configuration Parameters: - VPCCIDR - VPCID - CaServerSubnet - DomainMembersSG - Label: default: Amazon EC2 Configuration Parameters: - OrCaServerInstanceType - OrCaDataDriveSizeGiB - EntCaServerInstanceType - EntCaDataDriveSizeGiB - KeyPairName - AMI - Label: default: Microsoft Active Directory Domain Services Configuration Parameters: - DirectoryType - DomainDNSName - DomainNetBIOSName - DomainController1IP - DomainController2IP - AdministratorSecret - Label: default: Microsoft Active Directory Certificate Services Configuration Parameters: - CADeploymentType - OrCaServerNetBIOSName - EntCaServerNetBIOSName - CaKeyLength - CaHashAlgorithm - OrCaValidityPeriodUnits - CaValidityPeriodUnits - UseS3ForCRL - S3CRLBucketName - EnableAdvancedAudtingandMetrics - Label: default: AWS Quick Start configuration Parameters: - QSS3BucketName - QSS3BucketRegion - QSS3KeyPrefix ParameterLabels: AMI: default: SSM Parameter Value for latest AMI ID AdministratorSecret: default: Secret ARN Containing CA Install Credentials CADeploymentType: default: CA Deployment Type CaHashAlgorithm: default: CA Hash Algorithm CaKeyLength: default: CA Key Length CaServerSubnet: default: CA(s) Subnet ID CaValidityPeriodUnits: default: Enterprise Root or Subordinate CA Certificate Validity Period in Years DirectoryType: default: Active Directory Domain Services Type DomainController1IP: default: IP used for DNS (Must be accessible) DomainController2IP: default: IP used for DNS (Must be accessible) DomainDNSName: default: Domain FQDN DNS Name DomainMembersSG: default: Domain Members Security Group ID DomainNetBIOSName: default: Domain NetBIOS Name EnableAdvancedAudtingandMetrics: default: Advanced Auditing and Metrics EntCaDataDriveSizeGiB: default: Enterprise Root or Subordinate CA Data Drive Size EntCaServerInstanceType: default: Enterprise Root or Subordinate CA Instance Type EntCaServerNetBIOSName: default: Enterprise Root or Subordinate CA NetBIOS Name KeyPairName: default: Key Pair Name OrCaDataDriveSizeGiB: default: Offline Root CA Data Drive Size (Only Used For Two Tier PKI) OrCaServerInstanceType: default: Offline Root CA Instance Type (Only Used For Two Tier PKI) OrCaServerNetBIOSName: default: Offline Root CA NetBIOS Name (Only Used For Two Tier PKI) OrCaValidityPeriodUnits: default: Offline Root CA Certificate Validity Period in Years (Only Used For Two Tier PKI) QSS3BucketName: default: Quick Start S3 bucket name QSS3BucketRegion: default: Quick Start S3 bucket Region QSS3KeyPrefix: default: Quick Start S3 key prefix S3CRLBucketName: default: CA CRL S3 Bucket Name UseS3ForCRL: default: Use S3 for CA CRL Location VPCCIDR: default: VPC CIDR VPCID: default: VPC ID Parameters: AMI: Default: /aws/service/ami-windows-latest/Windows_Server-2022-English-Full-Base Description: CA(s) SSM Parameter Value to grab the latest AMI ID Type: String AdministratorSecret: Description: ARN for the CA Install Credentials Secret used to to install the CA (Must be a member of Enterpise Admins or AWS Delegated Enterprise Certificate Authority Administrators) Type: String CADeploymentType: AllowedValues: - One-Tier - Two-Tier Default: Two-Tier Description: Deploy Two Tier (Offline Root with Subordinate Enterprise CA) or One Tier (Enterprise Root CA) PKI Infrastructure Type: String CaHashAlgorithm: AllowedValues: - SHA256 - SHA384 - SHA512 Default: SHA256 Description: CA(s) Hash Algorithm for Signing Certificates Type: String CaKeyLength: AllowedValues: - '2048' - '4096' Default: '2048' Description: CA(s) Cryptographic Provider Key Length Type: String CaServerSubnet: Description: ID of the CA(s) subnet (e.g., subnet-a0246dcd) Type: AWS::EC2::Subnet::Id CaValidityPeriodUnits: Default: '5' Description: Validity Period in Years Type: String DirectoryType: AllowedValues: - AWSManaged - SelfManaged Description: Type of Active Directory the CA(s) will be integrated with, AWS Managed Microsoft AD or Self Managed AD Type: String DomainController1IP: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$ Description: IP of DNS server that can resolve domain (Must be accessible) Type: String DomainController2IP: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$ Description: IP of DNS server that can resolve domain (Must be accessible) Type: String DomainDNSName: AllowedPattern: '[a-zA-Z0-9\-]+\..+' Description: Fully qualified domain name (FQDN) of the forest root domain e.g. example.com MaxLength: '255' MinLength: '2' Type: String DomainMembersSG: Description: Security Group ID for Domain Members Security Group. Type: AWS::EC2::SecurityGroup::Id DomainNetBIOSName: AllowedPattern: '[a-zA-Z0-9\-]+' Description: NetBIOS name of the domain (up to 15 characters) for users of earlier versions of Windows e.g. EXAMPLE MaxLength: '15' MinLength: '1' Type: String EnableAdvancedAudtingandMetrics: AllowedValues: - 'true' - 'false' Default: 'false' Description: Enable advanced auditing and metrics and upload them to CloudWatch using the Amazon Kinesis Agent for Microsoft Windows Type: String EntCaDataDriveSizeGiB: Default: '2' Description: Size of the Data Drive in GiB for the Enterprise Root or Subordinate CA Type: Number EntCaServerInstanceType: AllowedValues: - t3.small - t3.medium - t3.large - t3.xlarge - t3.2xlarge - m5.large - m5.xlarge - m5.2xlarge - m5.4xlarge Default: t3.medium Description: Amazon EC2 instance type for the Enterprise Root or Subordinate CA instance Type: String EntCaServerNetBIOSName: AllowedPattern: '[a-zA-Z0-9\-]+' Default: ENTCA1 Description: NetBIOS name of the Enterprise Root or Subordinate CA server (up to 15 characters) MaxLength: '15' MinLength: '1' Type: String KeyPairName: Description: Name of the key pair that you will use to securely connect to your EC2 instance after it launches. Type: AWS::EC2::KeyPair::KeyName OrCaDataDriveSizeGiB: Default: '2' Description: Size of the Data Drive in GiB for the Offline Root CA (Only Used For Two Tier PKI) Type: Number OrCaServerInstanceType: AllowedValues: - t3.small - t3.medium - t3.large - t3.xlarge - t3.2xlarge - m5.large - m5.xlarge - m5.2xlarge - m5.4xlarge Default: t3.medium Description: Amazon EC2 instance type for the Offline Root CA instance (Only Used For Two Tier PKI) Type: String OrCaServerNetBIOSName: AllowedPattern: '[a-zA-Z0-9\-]+' Default: ORCA1 Description: NetBIOS name of the Offline Root CA server (Only Used For Two Tier PKI) (up to 15 characters) MaxLength: '15' MinLength: '1' Type: String OrCaValidityPeriodUnits: Default: '10' Description: Validity Period in Years (Only Used For Two Tier PKI) Type: String QSS3BucketName: AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$ ConstraintDescription: Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Default: aws-quickstart Description: S3 bucket name for the Quick Start assets. Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Type: String QSS3BucketRegion: Default: us-east-1 Description: The AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. When using your own bucket, you must specify this value Type: String QSS3KeyPrefix: AllowedPattern: ^[0-9a-zA-Z-/]*$ ConstraintDescription: Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/) Default: quickstart-microsoft-pki/ Description: S3 key prefix for the Quick Start assets. Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/) Type: String S3CRLBucketName: AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$ Default: examplebucket Description: S3 bucket name for CA CRL(s) storage. Bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-) Type: String UseS3ForCRL: AllowedValues: - 'Yes' - 'No' Default: 'No' Description: Store CA CRL(s) in an S3 bucket Type: String VPCCIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.0.0/16 Description: CIDR Block for the VPC Type: String VPCID: Description: ID of the VPC (e.g., vpc-0343606e) Type: AWS::EC2::VPC::Id Rules: SubnetsInVPC: Assertions: - Assert: !EachMemberIn - !ValueOfAll - AWS::EC2::Subnet::Id - VpcId - !RefAll 'AWS::EC2::VPC::Id' AssertDescription: All subnets must in the VPC S3CRLBucketNameValidation: RuleCondition: !Equals - !Ref UseS3ForCRL - 'Yes' Assertions: - AssertDescription: CRL BucketName cannot must be valid BucketName Assert: !Not [!Equals [!Ref S3CRLBucketName, 'examplebucket']] Conditions: UsingDefaultBucket: !Equals [!Ref QSS3BucketName, 'aws-quickstart'] ShouldCreateOneTierPkiResource: !Equals [!Ref CADeploymentType, 'One-Tier'] ShouldCreateTwoTierPkiResource: !Equals [!Ref CADeploymentType, 'Two-Tier'] Resources: OneTierCAStack: Type: AWS::CloudFormation::Stack Condition: ShouldCreateOneTierPkiResource Properties: TemplateURL: Fn::Sub: - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/one-tier.template' - S3Region: !If - UsingDefaultBucket - !Ref AWS::Region - !Ref QSS3BucketRegion S3Bucket: !If - UsingDefaultBucket - !Sub '${QSS3BucketName}-${AWS::Region}' - !Ref QSS3BucketName Parameters: AdministratorSecret: !Ref AdministratorSecret AMI: !Ref AMI DirectoryType: !Ref DirectoryType DomainController1IP: !Ref DomainController1IP DomainController2IP: !Ref DomainController2IP DomainMembersSG: !Ref DomainMembersSG DomainDNSName: !Ref DomainDNSName DomainNetBIOSName: !Ref DomainNetBIOSName EnableAdvancedAudtingandMetrics: !Ref EnableAdvancedAudtingandMetrics EntCaDataDriveSizeGiB: !Ref EntCaDataDriveSizeGiB EntCaHashAlgorithm: !Ref CaHashAlgorithm EntCaKeyLength: !Ref CaKeyLength EntCaServerInstanceType: !Ref EntCaServerInstanceType EntCaServerNetBIOSName: !Ref EntCaServerNetBIOSName EntCaServerSubnet: !Ref CaServerSubnet EntCaValidityPeriodUnits: !Ref CaValidityPeriodUnits KeyPairName: !Ref KeyPairName QSS3BucketName: !Ref QSS3BucketName QSS3BucketRegion: !Ref QSS3BucketRegion QSS3KeyPrefix: !Ref QSS3KeyPrefix S3CRLBucketName: !Ref S3CRLBucketName UseS3ForCRL: !Ref UseS3ForCRL VPCCIDR: !Ref VPCCIDR VPCID: !Ref VPCID TwoTierCAStack: Type: AWS::CloudFormation::Stack Condition: ShouldCreateTwoTierPkiResource Properties: TemplateURL: Fn::Sub: - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/two-tier.template' - S3Region: !If - UsingDefaultBucket - !Ref AWS::Region - !Ref QSS3BucketRegion S3Bucket: !If - UsingDefaultBucket - !Sub '${QSS3BucketName}-${AWS::Region}' - !Ref QSS3BucketName Parameters: VPCCIDR: !Ref VPCCIDR VPCID: !Ref VPCID OrCaServerSubnet: !Ref CaServerSubnet SubCaServerSubnet: !Ref CaServerSubnet DomainMembersSG: !Ref DomainMembersSG OrCaServerInstanceType: !Ref OrCaServerInstanceType OrCaDataDriveSizeGiB: !Ref OrCaDataDriveSizeGiB SubCaServerInstanceType: !Ref EntCaServerInstanceType SubCaDataDriveSizeGiB: !Ref EntCaDataDriveSizeGiB EnableAdvancedAudtingandMetrics: !Ref EnableAdvancedAudtingandMetrics KeyPairName: !Ref KeyPairName AMI: !Ref AMI DomainDNSName: !Ref DomainDNSName DomainNetBIOSName: !Ref DomainNetBIOSName DomainController1IP: !Ref DomainController1IP DomainController2IP: !Ref DomainController2IP AdministratorSecret: !Ref AdministratorSecret DirectoryType: !Ref DirectoryType OrCaServerNetBIOSName: !Ref OrCaServerNetBIOSName SubCaServerNetBIOSName: !Ref EntCaServerNetBIOSName OrCaKeyLength: !Ref CaKeyLength SubCaKeyLength: !Ref CaKeyLength OrCaHashAlgorithm: !Ref CaHashAlgorithm SubCaHashAlgorithm: !Ref CaHashAlgorithm OrCaValidityPeriodUnits: !Ref OrCaValidityPeriodUnits SubCaValidityPeriodUnits: !Ref CaValidityPeriodUnits UseS3ForCRL: !Ref UseS3ForCRL S3CRLBucketName: !Ref S3CRLBucketName QSS3BucketName: !Ref QSS3BucketName QSS3BucketRegion: !Ref QSS3BucketRegion QSS3KeyPrefix: !Ref QSS3KeyPrefix