AWSTemplateFormatVersion: 2010-09-09 Description: This AWS CloudFormation template deploys an environment – VPC, bastion, and target hosts – with Okta Advanced Server Access (qs-1rm280cig) Metadata: LICENSE: Apache License, Version 2.0 QuickStartDocumentation: EntrypointName: "Parameters for deploying Okta ASA into a new VPC" Order: "1" AWS::CloudFormation::Interface: ParameterGroups: - Label: default: Network configuration Parameters: - AvailabilityZones - VPCCIDR - PrivateSubnet1CIDR - PrivateSubnet2CIDR - PublicSubnet1CIDR - PublicSubnet2CIDR - RemoteAccessCIDR - VPCTenancy - Label: default: Amazon EC2 configuration Parameters: - KeyPairName - EC2AMIOS - EC2InstanceType - Label: default: Linux bastion configuration Parameters: - NumEC2Hosts - BastionHostName - TargetHostName - EC2Tenancy - EnableBanner - EC2Banner - EnableTCPForwarding - EnableX11Forwarding - Label: default: AWS Quick Start configuration Parameters: - QSS3BucketName - QSS3KeyPrefix - QSS3BucketRegion - Label: default: "Okta Advanced Server Access parameters" Parameters: - EnrollmentToken ParameterLabels: AvailabilityZones: default: Availability Zones EC2AMIOS: default: Bastion AMI operating system BastionHostName: default: Bastion host name TargetHostName: default: Target host name EC2Tenancy: default: Bastion tenancy EC2Banner: default: Banner text EC2InstanceType: default: Bastion instance type QSS3BucketRegion: default: Quick Start S3 bucket Region EnableBanner: default: Bastion banner EnableTCPForwarding: default: TCP forwarding EnableX11Forwarding: default: X11 forwarding KeyPairName: default: Key pair name NumEC2Hosts: default: Number of bastion hosts PrivateSubnet1CIDR: default: Private subnet 1 CIDR PrivateSubnet2CIDR: default: Private subnet 2 CIDR PublicSubnet1CIDR: default: Public subnet 1 CIDR PublicSubnet2CIDR: default: Public subnet 2 CIDR VPCTenancy: default: VPC tenancy QSS3BucketName: default: Quick Start S3 bucket name QSS3KeyPrefix: default: Quick Start S3 key prefix RemoteAccessCIDR: default: Allowed bastion external access CIDR VPCCIDR: default: VPC CIDR EnrollmentToken: default: Okta Advanced Server Access enrollment token cfn-lint: { config: { ignore_checks: [E9007] } } Parameters: AvailabilityZones: Description: 'Availability Zones to use for the subnets in the VPC. The logical order is preserved. This deployment uses 2 Availability Zones.' Type: 'List' EC2AMIOS: AllowedValues: - Ubuntu-Server-20.04-LTS-HVM - CentOS-7-HVM - SUSE-SLES-15-HVM - Amazon-Linux2-HVM Default: Amazon-Linux2-HVM Description: Linux distribution for the AMI to be used for the bastion instances. Type: String BastionHostName: Default: 'LinuxBastion' Description: Value used for the name tag of the bastion host. Type: String TargetHostName: Default: 'LinuxTarget' Description: Value used for the name tag of the target host. Type: String EC2Banner: Default: "" Description: Banner text to display upon login. Type: String EC2Tenancy: Description: 'VPC tenancy to launch the bastion in. To change from "default," choose "dedicated."' Type: String Default: default AllowedValues: - dedicated - default EC2InstanceType: Description: Amazon EC2 instance type for the bastion instances. Type: String Default: t2.micro AllowedValues: - t2.nano - t2.micro - t2.small - t2.medium - t2.large - t3.micro - t3.small - t3.medium - t3.large - t3.xlarge - t3.2xlarge - m3.large - m3.xlarge - m3.2xlarge - m4.large - m4.xlarge - m4.2xlarge - m4.4xlarge EnableBanner: AllowedValues: - 'true' - 'false' Default: 'false' Description: To display a banner when connecting to the bastion using SSH, choose "true." Type: String EnableTCPForwarding: Type: String Description: With TCP forwarding on a Linux bastion host, you can set up direct connections from outside of the VPC to services running in private subnets by routing the traffic through the bastion host. To disable TCP forwarding, choose "false." Default: 'true' AllowedValues: - 'true' - 'false' EnableX11Forwarding: Type: String Description: With X11 forwarding on a Linux bastion host, you can establish management connections to Linux instances using GUIs (as opposed to text-based SSH connections). To disable X11 forwarding, choose "false." Default: 'true' AllowedValues: - 'true' - 'false' KeyPairName: Description: Name of an existing public/private key pair. You use this name to securely connect to your instance after it launches. If you do not have one in this AWS Region, create one before continuing. # TODO: Rename this label to a backup key Type: 'AWS::EC2::KeyPair::KeyName' NumEC2Hosts: AllowedValues: - '1' - '2' - '3' - '4' Default: '1' Description: Number of bastion hosts to create. The maximum number is 4. Type: String PrivateSubnet1CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.0.0/19 Description: CIDR block for private subnet 1 located in Availability Zone 1. Type: String PrivateSubnet2CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.32.0/19 Description: CIDR block for private subnet 2 located in Availability Zone 2. Type: String PublicSubnet1CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.128.0/20 Description: CIDR block for the public DMZ subnet 1 located in Availability Zone 1. Type: String PublicSubnet2CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.144.0/20 Description: CIDR block for the public DMZ subnet 2 located in Availability Zone 2. Type: String VPCTenancy: AllowedValues: - default - dedicated Default: default Description: Allowed tenancy of instances launched into the VPC. Type: String QSS3BucketName: AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$ ConstraintDescription: The Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Default: aws-quickstart Description: Name of the S3 bucket for your copy of the Quick Start assets. Keep the default name unless you are customizing the template. Changing the name updates code references to point to a new Quick Start location. This name can include numbers, lowercase letters, uppercase letters, and hyphens, but do not start or end with a hyphen (-). See https://aws-quickstart.github.io/option1.html. Type: String QSS3KeyPrefix: AllowedPattern: ^([0-9a-zA-Z-.]+/)*$ ConstraintDescription: The Quick Start S3 key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slashes (/). The prefix should end with a forward slash (/). Default: quickstart-okta-asa/ Description: S3 key prefix that is used to simulate a directory for your copy of the Quick Start assets. Keep the default prefix unless you are customizing the template. Changing this prefix updates code references to point to a new Quick Start location. This prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slashes (/). End with a forward slash. See https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMetadata.html and https://aws-quickstart.github.io/option1.html. Type: String QSS3BucketRegion: Default: 'us-east-1' Description: 'AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. Keep the default Region unless you are customizing the template. Changing this Region updates code references to point to a new Quick Start location. When using your own bucket, specify the Region. See https://aws-quickstart.github.io/option1.html.' Type: String RemoteAccessCIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/x Description: Allowed CIDR block for external SSH access to the bastions. Type: String VPCCIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.0.0/16 Description: CIDR block for the VPC. Type: String EnrollmentToken: Type: String Description: Okta Advanced Server Access enrollment token. MinLength: 24 ConstraintDescription: Must contain a valid ASA enrollment token. Conditions: UsingDefaultBucket: !Equals [!Ref QSS3BucketName, 'aws-quickstart'] Resources: VPCStack: Type: 'AWS::CloudFormation::Stack' Properties: TemplateURL: !Sub - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-aws-vpc/templates/aws-vpc.template.yaml - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: AvailabilityZones: !Join - ',' - !Ref AvailabilityZones KeyPairName: !Ref KeyPairName NumberOfAZs: '2' PrivateSubnet1ACIDR: !Ref PrivateSubnet1CIDR PrivateSubnet2ACIDR: !Ref PrivateSubnet2CIDR PublicSubnet1CIDR: !Ref PublicSubnet1CIDR PublicSubnet2CIDR: !Ref PublicSubnet2CIDR VPCCIDR: !Ref VPCCIDR VPCTenancy: !Ref VPCTenancy BastionStack: Type: 'AWS::CloudFormation::Stack' Properties: TemplateURL: !Sub - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/okta-asa-bastion.template.yaml - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: EC2AMIOS: !Ref EC2AMIOS BastionHostName: !Ref BastionHostName EC2Banner: !Ref EC2Banner EC2InstanceType: !Ref EC2InstanceType EC2Tenancy: !Ref EC2Tenancy EnableBanner: !Ref EnableBanner EnableTCPForwarding: !Ref EnableTCPForwarding EnableX11Forwarding: !Ref EnableX11Forwarding KeyPairName: !Ref KeyPairName NumEC2Hosts: !Ref NumEC2Hosts PublicSubnet1ID: !GetAtt - VPCStack - Outputs.PublicSubnet1ID PublicSubnet2ID: !GetAtt - VPCStack - Outputs.PublicSubnet2ID QSS3BucketRegion: !Ref QSS3BucketRegion QSS3BucketName: !Ref QSS3BucketName QSS3KeyPrefix: !Ref QSS3KeyPrefix RemoteAccessCIDR: !Ref RemoteAccessCIDR VPCID: !GetAtt - VPCStack - Outputs.VPCID EnrollmentToken: !Ref EnrollmentToken TargetStack: Type: 'AWS::CloudFormation::Stack' Properties: TemplateURL: !Sub - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/okta-asa-target.template.yaml - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: BastionSecurityGroupID: !GetAtt 'BastionStack.Outputs.BastionSecurityGroupID' EC2AMIOS: !Ref EC2AMIOS BastionHostName: !Ref BastionHostName TargetHostName: !Ref TargetHostName EC2Banner: !Ref EC2Banner EC2InstanceType: !Ref EC2InstanceType EC2Tenancy: !Ref EC2Tenancy EnableBanner: !Ref EnableBanner EnableTCPForwarding: !Ref EnableTCPForwarding EnableX11Forwarding: !Ref EnableX11Forwarding KeyPairName: !Ref KeyPairName NumEC2Hosts: !Ref NumEC2Hosts PrivateSubnet1ID: !GetAtt 'VPCStack.Outputs.PrivateSubnet1AID' PrivateSubnet2ID: !GetAtt 'VPCStack.Outputs.PrivateSubnet2AID' QSS3BucketRegion: !Ref QSS3BucketRegion QSS3BucketName: !Ref QSS3BucketName QSS3KeyPrefix: !Ref QSS3KeyPrefix VPCID: !GetAtt 'VPCStack.Outputs.VPCID' EnrollmentToken: !Ref EnrollmentToken Outputs: TargetAutoScalingGroup: Value: !GetAtt 'TargetStack.Outputs.TargetAutoScalingGroup' Description: Target Auto Scaling Group Reference ID BastionAutoScalingGroup: Value: !GetAtt 'BastionStack.Outputs.BastionAutoScalingGroup' Description: Bastion Auto Scaling Group Reference ID Postdeployment: Description: To test your deployment, see the procedure in the deployment guide. Value: https://fwd.aws/3EYzN