--- AWSTemplateFormatVersion: 2010-09-09 Description: This main template creates a VPC infrastructure for a multi-AZ, multi-tier deployment of SIOS Protection Suite for Linux on AWS EC2. It deploys a VPC with bastions and the SIOS Protection Suite for Linux solution. **WARNING** This template creates EC2 instances and related resources. You will be billed for the AWS resources used if you create a stack from this template. SIOS Protection Suite for Linux is licensed separately. Please contact SIOS at support@us.sios.com or visit https://us.sios.com/demo-request/ for demo licenses. (qs-1oqirsqja) Metadata: QuickStartDocumentation: EntrypointName: Parameters for deploying into a new VPC Order: "1" cfn-lint: config: ignore_checks: - W9006 - W9901 AWS::CloudFormation::Interface: ParameterGroups: - Label: default: VPC and bastion host configuration Parameters: - AvailabilityZones - RemoteAccessCIDR - KeyPairName - BastionAMIOS - BastionInstanceType - NumBastionHosts - VPCCIDR - PrivateSubnet1CIDR - PrivateSubnet2CIDR - PublicSubnet1CIDR - PublicSubnet2CIDR - Label: default: SIOS Protection Suite instance configuration Parameters: - SPSLInstanceNamePrefix - SPSLInstanceType - HomeVolumeType - HomeSize - HomeIops - HomeDeleteOnTermination - MirrorVolumeType - MirrorSize - MirrorIops - MirrorDeleteOnTermination - NewRootPassword - SIOSAMIType - Node1PrivateIP - Node2PrivateIP - WindowsJumpboxInstanceType - Label: default: AWS Quick Start configuration Parameters: - QSS3BucketName - QSS3BucketRegion - QSS3KeyPrefix ParameterLabels: RemoteAccessCIDR: default: Allowed bastion host external access CIDR AvailabilityZones: default: Availability zones BastionAMIOS: default: Bastion host AMI operating system BastionInstanceType: default: Bastion host instance type NumBastionHosts: default: Number of bastion hosts. VPCCIDR: default: Global CIDR block for entire VPC PrivateSubnet1CIDR: default: CIDR block for private subnet 1A PrivateSubnet2CIDR: default: CIDR block for private subnet 2A PublicSubnet1CIDR: default: CIDR block for public subnet 1 PublicSubnet2CIDR: default: CIDR block for public subnet 2 SPSLInstanceNamePrefix: default: SIOS Protection Suite instance name SPSLInstanceType: default: SIOS Protection Suite instance type HomeDeleteOnTermination: default: Delete home on termination HomeIops: default: Home directory IOPS HomeVolumeType: default: Home directory volume type HomeSize: default: Home directory size MirrorDeleteOnTermination: default: Delete mirror on termination MirrorIops: default: Mirror directory IOPS MirrorVolumeType: default: Mirror directory volume type MirrorSize: default: Mirror directory size Node1PrivateIP: default: Node 1 private IP address Node2PrivateIP: default: Node 2 private IP address KeyPairName: default: Key pair name NewRootPassword: default: New root password SIOSAMIType: default: SIOS AMI license type WindowsJumpboxInstanceType: default: Optional Windows jump server instance type QSS3BucketName: default: Quick Start S3 bucket name QSS3BucketRegion: default: Quick Start S3 bucket Region QSS3KeyPrefix: default: Quick Start S3 key prefix Parameters: RemoteAccessCIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/x. Description: CIDR IP range that is permitted to access the SIOS Protection Suite server through the bastion host. We recommend that you set this value to a trusted IP range. Type: String AvailabilityZones: Description: Availability Zones to use for the subnets in the VPC. Two Availability Zones are used for this deployment. Type: List BastionAMIOS: AllowedValues: - Amazon-Linux2-HVM - CentOS-7-HVM - Ubuntu-Server-20.04-LTS-HVM - SUSE-SLES-15-HVM Default: Amazon-Linux2-HVM Description: Linux distribution for the AMI to be used for the bastion host instances. Type: String BastionInstanceType: AllowedValues: - t2.nano - t2.micro - t2.small - t2.medium - t2.large - m3.large - m3.xlarge - m3.2xlarge - m4.large - m4.xlarge - m4.2xlarge - m4.4xlarge Default: t2.micro Description: Amazon EC2 instance type for the bastion instances. Type: String WindowsJumpboxInstanceType: AllowedValues: - None - t2.nano - t2.micro - t2.small - t2.medium - t2.large - m3.large - m3.xlarge - m3.2xlarge - m4.large - m4.xlarge - m4.2xlarge - m4.4xlarge Default: None Description: Amazon EC2 instance type for an optional Windows jump box. Type: String VPCCIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/x. Description: Global CIDR IP range for entire VPC. Default: 10.0.0.0/16 Type: String PrivateSubnet1CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/x. Description: CIDR IP range for the private subnet, located in Availability Zone 1. Default: 10.0.0.0/19 Type: String PrivateSubnet2CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/x. Description: CIDR IP range for the private subnet, located in Availability Zone 2. Default: 10.0.32.0/19 Type: String PublicSubnet1CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/x. Description: CIDR IP range for the public subnet, located in Availability Zone 1. Default: 10.0.128.0/20 Type: String PublicSubnet2CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/x. Description: CIDR IP range for the public subnet, located in Availability Zone 2. Default: 10.0.144.0/20 Type: String SPSLInstanceType: Description: Amazon EC2 instance type for the SIOS Protection Suite servers. Type: String Default: t2.medium AllowedValues: - t2.medium - t2.large - t2.xlarge - t2.2xlarge - m3.medium - m3.large - m3.xlarge - m3.2xlarge - m4.large - m4.xlarge - m4.2xlarge - m4.4xlarge - m4.10xlarge - m4.16xlarge - m5.large - m5.xlarge - m5.2xlarge - m5.4xlarge - m5.12xlarge - m5.24xlarge - c3.large - c3.xlarge - c3.2xlarge - c3.4xlarge - c3.8xlarge - c4.large - c4.xlarge - c4.2xlarge - c4.4xlarge - c4.8xlarge - x1.16xlarge - x1.32xlarge - x1e.xlarge - x1e.2xlarge - x1e.4xlarge - x1e.8xlarge - x1e.16xlarge - x1e.32xlarge - r3.large - r3.xlarge - r3.2xlarge - r3.4xlarge - r3.8xlarge - r4.large - r4.xlarge - r4.2xlarge - r4.4xlarge - r4.8xlarge - r4.16xlarge - p2.xlarge - p2.8xlarge - p2.16xlarge - p3.2xlarge - p3.8xlarge - p3.16xlarge - g2.2xlarge - g2.8xlarge - g3.4xlarge - g3.8xlarge - g3.16xlarge - h1.2xlarge - h1.4xlarge - h1.8xlarge - h1.16xlarge - i2.xlarge - i2.2xlarge - i2.4xlarge - i2.8xlarge - i3.large - i3.xlarge - i3.2xlarge - i3.4xlarge - i3.8xlarge - i3.16xlarge - d2.xlarge - d2.2xlarge - d2.4xlarge - d2.8xlarge ConstraintDescription: Must be a valid EC2 instance type. HomeDeleteOnTermination: Description: Delete home directory volume when the SIOS Protection Suite server instance is terminated. Keep the default setting of `true` to delete the home directory when the instance is terminated. If `true`, you must back up your data before terminating your instance. Choose `false` to keep the home directory volume upon termination. Type: String Default: "true" AllowedValues: ["true", "false"] ConstraintDescription: Must be 'true' or 'false'. HomeIops: Description: IOPS for the home directory. This value is used only when the Home volume type parameter is set to `Provisioned IOPS`. Allowed range is 100–20000. The ratio of IOPS to volume size must be 50 or less. For example, if you set this parameter to 5000 IOPS, the home directory size must be at least 100 GiB. Type: Number Default: 1000 MinValue: 100 MaxValue: 20000 ConstraintDescription: Must be in the range 100–20000. HomeSize: Description: Storage size for the home directory, in GiB. Allowed range is 100–16384. Type: Number Default: 100 MinValue: 100 MaxValue: 16384 ConstraintDescription: Must be in the range 100–16384. HomeVolumeType: Description: Volume type for the home directory. Type: String Default: General Purpose (SSD) AllowedValues: ["General Purpose (SSD)", "Provisioned IOPS"] ConstraintDescription: Must be `General Purpose (SSD)` or `Provisioned IOPS`. MirrorDeleteOnTermination: Description: Delete the replicated volume when the SIOS Protection Suite server instance is terminated. Keep the default setting of `true` to delete the home directory when the instance is terminated. If `true`, you must back up your data before terminating your instance. Choose `false` to keep the replicated volume upon termination. Type: String Default: "true" AllowedValues: ["true", "false"] ConstraintDescription: Must be 'true' or 'false'. MirrorIops: Description: IOPS for the mirror volume. This value is used only when the Mirror volume type parameter is set to Provisioned IOPS. Allowed range is 100–20000. The ratio of IOPS to volume size must be 50 or less. For example, if you set this parameter to 5000 IOPS, the home directory size must be at least 100 GiB. Type: Number Default: 1000 MinValue: 100 MaxValue: 20000 ConstraintDescription: Must be in the range 100–20000. MirrorSize: Description: Storage size for the replicated volume, in GiB. Allowed range is 100–16384. Type: Number Default: 100 MinValue: 100 MaxValue: 16384 ConstraintDescription: Must be in the range 100–16384. MirrorVolumeType: Description: Volume type for the replicated data directory. Type: String Default: "General Purpose (SSD)" AllowedValues: ["General Purpose (SSD)", "Provisioned IOPS"] ConstraintDescription: Must be 'General Purpose (SSD)' or 'Provisioned IOPS'. Node1PrivateIP: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$ ConstraintDescription: IPv4 address parameter must be in the form x.x.x.x Description: Primary private IP for the cluster node located in Availability Zone 1. Default: 10.0.0.100 Type: String Node2PrivateIP: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$ ConstraintDescription: IPv4 address parameter must be in the form x.x.x.x Description: Primary private IP for the cluster node located in Availability Zone 2. Default: 10.0.32.100 Type: String KeyPairName: Description: Public/private key pair, which allows you to connect securely to your instance after it launches. When you created an AWS account, this is the key pair you created in your preferred Region. Type: AWS::EC2::KeyPair::KeyName NumBastionHosts: AllowedValues: - "1" - "2" - "3" - "4" Default: "1" Description: Enter the number of bastion hosts to create. Type: "String" NewRootPassword: Description: Password for predefined admin user used to administer SIOS Protection Suite (8–16 characters). Type: String MinLength: 8 MaxLength: 16 NoEcho: true SIOSAMIType: Description: SIOS Protection Suite AMI license model to use for cluster nodes. Type: String Default: PAYG AllowedValues: - BYOL - PAYG SPSLInstanceNamePrefix: Description: Name prefix for the SIOS Protection Suite servers. Type: String Default: SPSL QSS3BucketName: AllowedPattern: '^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$' ConstraintDescription: Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Default: aws-quickstart Description: Name of the S3 bucket for your copy of the Quick Start assets. Keep the default name unless you are customizing the template. Changing the name updates code references to point to a new Quick Start location. This name can include numbers, lowercase letters, uppercase letters, and hyphens, but do not start or end with a hyphen (-). See https://aws-quickstart.github.io/option1.html. Type: String QSS3BucketRegion: Default: 'us-east-1' Description: 'AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. Keep the default Region unless you are customizing the template. Changing this Region updates code references to point to a new Quick Start location. When using your own bucket, specify the Region. See https://aws-quickstart.github.io/option1.html.' Type: String QSS3KeyPrefix: AllowedPattern: '^[0-9a-zA-Z-/]*$' ConstraintDescription: Quick Start S3 key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slashes (/). The prefix should end with a forward slash (/). Default: quickstart-sios-protection-suite/ Description: S3 key prefix that is used to simulate a directory for your copy of the Quick Start assets. Keep the default prefix unless you are customizing the template. Changing this prefix updates code references to point to a new Quick Start location. This prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slashes (/). End with a forward slash. See https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMetadata.html and https://aws-quickstart.github.io/option1.html. Type: String Conditions: UsingDefaultBucket: !Equals [!Ref QSS3BucketName, 'aws-quickstart'] Resources: VPCStack: Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-aws-vpc/templates/aws-vpc.template.yaml' - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: AvailabilityZones: Fn::Join: - ',' - Ref: AvailabilityZones NumberOfAZs: '2' PrivateSubnet1ACIDR: Ref: PrivateSubnet1CIDR PrivateSubnet2ACIDR: Ref: PrivateSubnet2CIDR PublicSubnet1CIDR: Ref: PublicSubnet1CIDR PublicSubnet2CIDR: Ref: PublicSubnet2CIDR VPCCIDR: Ref: VPCCIDR BastionStack: Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-linux-bastion/templates/linux-bastion-entrypoint-existing-vpc.template.yaml' - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: BastionAMIOS: Ref: BastionAMIOS BastionInstanceType: Ref: BastionInstanceType EnableBanner: true EnableTCPForwarding: true EnableX11Forwarding: true KeyPairName: Ref: KeyPairName NumBastionHosts: Ref: NumBastionHosts PublicSubnet1ID: Fn::GetAtt: - VPCStack - Outputs.PublicSubnet1ID PublicSubnet2ID: Fn::GetAtt: - VPCStack - Outputs.PublicSubnet2ID QSS3BucketName: Ref: QSS3BucketName QSS3BucketRegion: Ref: QSS3BucketRegion QSS3KeyPrefix: Fn::Sub: ${QSS3KeyPrefix}submodules/quickstart-linux-bastion/ RemoteAccessCIDR: Ref: RemoteAccessCIDR VPCID: Fn::GetAtt: - VPCStack - Outputs.VPCID SPSStack: Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/sios-protection-suite.template.yaml' - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: RemoteAccessSecurityGroupID: Fn::GetAtt: - BastionStack - Outputs.BastionSecurityGroupID RemoteAccessCIDR: Ref: RemoteAccessCIDR SPSLInstanceNamePrefix: Ref: SPSLInstanceNamePrefix SPSLInstanceType: Ref: SPSLInstanceType KeyPairName: Ref: KeyPairName NewRootPassword: Ref: NewRootPassword SIOSAMIType: Ref: SIOSAMIType VPCID: Fn::GetAtt: - VPCStack - Outputs.VPCID PrivateSubnet1ID: Fn::GetAtt: - VPCStack - Outputs.PrivateSubnet1AID PrivateSubnet1CIDR: Ref: PrivateSubnet1CIDR Node1PrivateIP: Ref: Node1PrivateIP Node2PrivateIP: Ref: Node2PrivateIP PrivateSubnet2ID: Fn::GetAtt: - VPCStack - Outputs.PrivateSubnet2AID PrivateSubnet2CIDR: Ref: PrivateSubnet2CIDR PublicSubnet1ID: Fn::GetAtt: - VPCStack - Outputs.PublicSubnet1ID HomeVolumeType: Ref: HomeVolumeType HomeIops: Ref: HomeIops HomeSize: Ref: HomeSize HomeDeleteOnTermination: Ref: HomeDeleteOnTermination MirrorVolumeType: Ref: MirrorVolumeType MirrorIops: Ref: MirrorIops MirrorSize: Ref: MirrorSize MirrorDeleteOnTermination: Ref: MirrorDeleteOnTermination WindowsJumpboxInstanceType: Ref: WindowsJumpboxInstanceType LatestWindowsAmiId: /aws/service/ami-windows-latest/Windows_Server-2019-English-Full-Base QSS3BucketName: Ref: QSS3BucketName QSS3BucketRegion: Ref: QSS3BucketRegion QSS3KeyPrefix: Ref: QSS3KeyPrefix Outputs: Postdeployment: Description: See the deployment guide for post-deployment steps. Value: https://aws.amazon.com/quickstart/?quickstart-all.sort-by=item.additionalFields.sortDate&quickstart-all.sort-order=desc&awsm.page-quickstart-all=5