--- AWSTemplateFormatVersion: 2010-09-09 Description: Launches a Titian Mosaic application server and database with Biotech Blueprint parameter store defaults. (qs-1pjap3ssl) Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: default: Titian configuration Parameters: - pDNSName - Label: default: Network configuration Parameters: - pVpcId - pDmzSubnetA - pDmzSubnetB - pAppSubnetA - pAppSubnetB - pDBSubnetA - pDBSubnetB - pDnsHostedZoneID - pDnsHostedZoneApexDomain - pLoadBalancerType - pSecurityGroupForWebAccess - pWebAccessCIDR - Label: default: Amazon EC2 configuration Parameters: - pEC2KeyPair - pAppServerInstanceType - Label: default: Amazon RDS configuration Parameters: - pDBName - pDBTimezone - pDBUsername - pDBPassword - pDBInstanceType - pDBAllocatedStorage - pDBEngine - pDBEngineLicenseModel - pDBMultiAZ ParameterLabels: pAppServerInstanceType: default: App server instance type pAppSubnetA: default: Application subnet A pAppSubnetB: default: Application subnet B pDBAllocatedStorage: default: Database storage capacity pDBEngine: default: Database engine pDBEngineLicenseModel: default: Database license model pDBInstanceType: default: Database instance type pDBMultiAZ: default: Multi-AZ Amazon RDS pDBTimezone: default: Database time zone pDBName: default: Database name pDBPassword: default: Database password pDBSubnetA: default: Database subnet A pDBSubnetB: default: Database subnet B pDBUsername: default: Database user/owner pDmzSubnetA: default: Public subnet A pDmzSubnetB: default: Public subnet B pDnsHostedZoneApexDomain: default: Internal DNS apex domain pDnsHostedZoneID: default: Internal DNS hosted zone ID pDNSName: default: Mosaic server DNS name pEC2KeyPair: default: Key pair for mosaic server pLoadBalancerType: default: Load balancer type pSecurityGroupForWebAccess: default: Web access security group pVpcId: default: VPC for deployment pWebAccessCIDR: default: Web access CIDR Parameters: pDBTimezone: Description: The time zone to set the Mosaic FreezerManagement database to. Type: String AllowedValues: - Africa/Cairo - Africa/Casablanca - Africa/Harare - Africa/Lagos - Africa/Luanda - Africa/Monrovia - Africa/Nairobi - Africa/Tripoli - Africa/Windhoek - America/Araguaina - America/Argentina/Buenos_Aires - America/Asuncion - America/Bogota - America/Caracas - America/Chicago - America/Chihuahua - America/Cuiaba - America/Denver - America/Detroit - America/Fortaleza - America/Godthab - America/Guatemala - America/Halifax - America/Lima - America/Los_Angeles - America/Manaus - America/Matamoros - America/Mexico_City - America/Monterrey - America/Montevideo - America/New_York - America/Phoenix - America/Santiago - America/Sao_Paulo - America/Tijuana - America/Toronto - Asia/Amman - Asia/Ashgabat - Asia/Baghdad - Asia/Baku - Asia/Bangkok - Asia/Beirut - Asia/Calcutta - Asia/Damascus - Asia/Dhaka - Asia/Hong_Kong - Asia/Irkutsk - Asia/Jakarta - Asia/Jerusalem - Asia/Kabul - Asia/Karachi - Asia/Kathmandu - Asia/Kolkata - Asia/Krasnoyarsk - Asia/Magadan - Asia/Manila - Asia/Muscat - Asia/Novosibirsk - Asia/Rangoon - Asia/Riyadh - Asia/Seoul - Asia/Shanghai - Asia/Singapore - Asia/Taipei - Asia/Tehran - Asia/Tokyo - Asia/Ulaanbaatar - Asia/Vladivostok - Asia/Yakutsk - Asia/Yerevan - Atlantic/Azores - Atlantic/Cape_Verde - Australia/Adelaide - Australia/Brisbane - Australia/Darwin - Australia/Eucla - Australia/Hobart - Australia/Lord_Howe - Australia/Perth - Australia/Sydney - Brazil/DeNoronha - Brazil/East - Canada/Newfoundland - Canada/Saskatchewan - Europe/Amsterdam - Europe/Athens - Europe/Berlin - Europe/Dublin - Europe/Helsinki - Europe/Kaliningrad - Europe/London - Europe/Madrid - Europe/Moscow - Europe/Paris - Europe/Prague - Europe/Rome - Europe/Sarajevo - Pacific/Apia - Pacific/Auckland - Pacific/Chatham - Pacific/Fiji - Pacific/Guam - Pacific/Honolulu - Pacific/Kiritimati - Pacific/Marquesas - Pacific/Samoa - Pacific/Tongatapu - Pacific/Wake - US/Alaska - US/Central - US/East-Indiana - US/Eastern - US/Pacific pAppServerInstanceType: Description: The EC2 instance type for the Mosaic application server. Type: String Default: t2.large AllowedValues: - t2.medium - t2.large - t2.xlarge - m5.large - m5.xlarge - m5.2xlarge - m4.large - m4.xlarge - m4.2xlarge pAppSubnetA: Description: The ID of the first application subnet in your existing VPC for setting up the Mosaic application server. Type: 'AWS::SSM::Parameter::Value' Default: /BB/Networking/VPC/Research/Subnet/App/A pAppSubnetB: Description: The ID of the second application subnet in your existing VPC for setting up the Mosaic application server. Type: 'AWS::SSM::Parameter::Value' Default: /BB/Networking/VPC/Research/Subnet/App/B pDBEngine: Description: The Oracle Database version of the Mosaic FreezerManagement database. We recommend that you keep the default setting. Type: String Default: oracle-se2 AllowedValues: - oracle-se2 - oracle-ee pDBEngineLicenseModel: Description: The license model for the Oracle Database. The two options are license-included and bring your own license (BYOL). AllowedValues: - license-included - bring-your-own-license Type: String Default: license-included pDBAllocatedStorage: Description: The storage size of the Mosaic FreezerManagement database, in GiB. Type: String Default: 50 pDBInstanceType: Description: The database instance class for the Mosaic FreezerManagement database. Type: String Default: db.t3.large AllowedValues: - db.t3.medium - db.t3.large - db.t3.xlarge - db.t3.2xlarge - db.r4.large - db.r4.xlarge - db.r4.2xlarge - db.m4.large - db.m4.xlarge - db.m4.2xlarge pDBMultiAZ: Description: Set this parameter to true if you want to deploy the database in a Multi-AZ configuration. If true, Amazon RDS automatically creates a primary DB instance and synchronously replicates the datat to a standby DB instance in a different Availability Zone for high availability. For more information, see the Amazon RDS documentation. Type: String AllowedValues: - "true" - "false" Default: "false" pDBName: Description: The name of the Mosaic FreezerManagement database. This string has a maximum length of 8 characters. Type: String MaxLength: 8 Default: mosaic pDBPassword: Description: The password for the Mosaic FreezerManagement database owner. Type: String NoEcho: true pDBSubnetA: Description: The ID of the first database subnet in your existing VPC for setting up the Mosaic FreezerManagement database. Type: 'AWS::SSM::Parameter::Value' Default: /BB/Networking/VPC/Research/Subnet/DB/A pDBSubnetB: Description: The ID of the second database subnet in your existing VPC for setting up the Mosaic FreezerManagement database. Type: 'AWS::SSM::Parameter::Value' Default: /BB/Networking/VPC/Research/Subnet/DB/B pDBUsername: Description: The user name of the Mosaic FreezerManagement database owner. Type: String Default: mosaicowner pDmzSubnetA: Description: The ID of the first public subnet in your existing VPC to be used by the ALB (e.g., subnet-a0246dcd). Type: 'AWS::SSM::Parameter::Value' Default: /BB/Networking/VPC/Research/Subnet/DMZ/A pDmzSubnetB: Description: The ID of the second public subnet in your existing VPC to be used by the ALB (e.g., subnet-a0246dcd). Type: 'AWS::SSM::Parameter::Value' Default: /BB/Networking/VPC/Research/Subnet/DMZ/B pDnsHostedZoneApexDomain: Description: (Optional) The domain name associated with your DNS hosted zone ID. Leave this parameter blank if you deployed the Biotech Blueprint – Core Quick Start. Type: 'AWS::SSM::Parameter::Value' Default: /BB/QuickStart/DNS/DnsHostedZoneApexDomain pDnsHostedZoneID: Description: (Optional) The internal DNS hosted zone ID. Leave the default value if you deployed the Biotech Blueprint – Core Quick Start, which creates a private hosted zone for you. Type: 'AWS::SSM::Parameter::Value' Default: /BB/QuickStart/DNS/HostedZoneId pDNSName: Description: The internal DNS CNAME to be used for the Mosaic server. Leave the default if you are unsure of what this does. Type: String Default: mosaic pEC2KeyPair: Description: A public/private key pair, which allows you to connect securely to the Mosaic application server. Type: AWS::EC2::KeyPair::KeyName pLoadBalancerType: Description: The type (internet-facing or internal) of the load balancer. If you keep the default setting, the load balancer will be internet addressable and you don’t need VPN. If you choose internal, you must connect to your VPN solution after deployment, so that your DHCP options use the VPC DNS server in the VPC that your hosted zone is attached to. Default: internet-facing Type: String AllowedValues: - internet-facing - internal pSecurityGroupForWebAccess: Description: The security group ID for web access. Type: 'AWS::SSM::Parameter::Value' Default: /BB/Networking/VPC/Research/InformaticsAccessSG pVpcId: Description: The ID of your existing VPC (e.g., vpc-0343606e) to use for the Mosaic deployment. Type: 'AWS::SSM::Parameter::Value' Default: /BB/Networking/VPC/Research pWebAccessCIDR: Description: The CIDR IP range that’s allowed web access. This is used only if you don’t specify a security group for the previous parameter. Type: String Default: "10.0.0.0/16" Mappings: AWSAMIRegionMap: us-east-1: mAppServerAMI: ami-0359f842ee5349d55 us-west-2: mAppServerAMI: ami-0669355b1258963d1 eu-west-1: mAppServerAMI: ami-04d2535efb54356e9 Conditions: cDNSRecord: !Not [ !Or [ !Equals [!Ref pDnsHostedZoneID, ""] , !Equals [!Ref pDnsHostedZoneApexDomain, ""] ] ] cWebAccessSG: !Not [ !Equals [ !Ref pSecurityGroupForWebAccess, "" ] ] cNoWebAccessSG: !Equals [ !Ref pSecurityGroupForWebAccess, "" ] Resources: # If a hosted zone is specified, create a DNS Record rDNSRecord: Type: AWS::Route53::RecordSet Condition: cDNSRecord Properties: HostedZoneId: !Ref pDnsHostedZoneID Comment: Internal DNS CNAME for Titian Mosaic. Name: !Sub ${pDNSName}.${pDnsHostedZoneApexDomain} Type: CNAME TTL: 60 ResourceRecords: - !GetAtt rApplicationLoadBalancer.DNSName rALBCertificate: Type: "AWS::CertificateManager::Certificate" Condition: cDNSRecord Properties: DomainName: !Sub ${pDNSName}.${pDnsHostedZoneApexDomain} DomainValidationOptions: - DomainName: !Sub ${pDNSName}.${pDnsHostedZoneApexDomain} ValidationDomain: !Ref pDnsHostedZoneApexDomain ### ### Security Groups ### rSecurityGroupAppServers: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Allow access to Titian Mosasic App Servers. VpcId: !Ref pVpcId Tags: - Key: Name Value: sg-titian-mosaic-appserver rSecurityGroupAppServersIngressHttp: Type: AWS::EC2::SecurityGroupIngress Properties: GroupId: !Ref rSecurityGroupAppServers IpProtocol: tcp FromPort: 80 ToPort: 80 SourceSecurityGroupId: !Ref rSecurityGroupAlbs rSecurityGroupAppServersIngressHttps: Type: AWS::EC2::SecurityGroupIngress Properties: GroupId: !Ref rSecurityGroupAppServers IpProtocol: tcp FromPort: 443 ToPort: 443 SourceSecurityGroupId: !Ref rSecurityGroupAlbs rSecurityGroupAlbWithSG: Type: AWS::EC2::SecurityGroup Condition: cWebAccessSG Properties: GroupDescription: Allow access to Titian Mosaic ALBs. Open to SG. VpcId: !Ref pVpcId SecurityGroupIngress: - IpProtocol: tcp FromPort: 80 ToPort: 80 SourceSecurityGroupId: !Ref pSecurityGroupForWebAccess - IpProtocol: tcp FromPort: 443 ToPort: 443 SourceSecurityGroupId: !Ref pSecurityGroupForWebAccess Tags: - Key: Name Value: sg-titian-mosaic-access-ports-to-alb-bysg rSecurityGroupAlbNoSG: Type: AWS::EC2::SecurityGroup Condition: cNoWebAccessSG Properties: GroupDescription: Allow access to Titian Mosaic ALB. Open to CIDR. VpcId: !Ref pVpcId SecurityGroupIngress: - IpProtocol: tcp FromPort: 80 ToPort: 80 CidrIp: !Ref pWebAccessCIDR - IpProtocol: tcp FromPort: 443 ToPort: 443 CidrIp: !Ref pWebAccessCIDR Tags: - Key: Name Value: sg-titian-mosaic-access-ports-to-alb-bycidr rSecurityGroupAlbs: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Allow access to Titian Mosaic ALBs. VpcId: !Ref pVpcId Tags: - Key: Name Value: sg-titian-mosaic-alb rSecurityGroupDB: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Allow access to Titian Mosaic DB to Titian App Server or other integration points VpcId: !Ref pVpcId SecurityGroupIngress: - IpProtocol: tcp FromPort: 1521 ToPort: 1521 SourceSecurityGroupId: !Ref rSecurityGroupAppServers ### ### Application Load Balancer ### rApplicationLoadBalancer: Type: AWS::ElasticLoadBalancingV2::LoadBalancer Properties: Scheme: !Ref pLoadBalancerType SecurityGroups: - !Ref rSecurityGroupAlbs - !If [ cWebAccessSG, !Ref rSecurityGroupAlbWithSG, !Ref rSecurityGroupAlbNoSG ] Subnets: - !Ref pDmzSubnetA - !Ref pDmzSubnetB Tags: - Key: Name Value: "Titian Mosiac ALB" Type: application rLoadBalancerListenerHTTP: Type: AWS::ElasticLoadBalancingV2::Listener Properties: LoadBalancerArn: !Ref rApplicationLoadBalancer Port: 80 Protocol: HTTP DefaultActions: - Type: forward TargetGroupArn: !Ref rLoadBalancerTargetGroupHTTP rLoadBalancerListenerHTTPS: Type: AWS::ElasticLoadBalancingV2::Listener Condition: cDNSRecord Properties: Certificates: - CertificateArn: !Ref rALBCertificate LoadBalancerArn: !Ref rApplicationLoadBalancer Port: 443 Protocol: HTTPS DefaultActions: - Type: forward TargetGroupArn: !Ref rLoadBalancerTargetGroupHTTPS rLoadBalancerTargetGroupHTTP: Type: AWS::ElasticLoadBalancingV2::TargetGroup Properties: VpcId: !Ref pVpcId Port: 80 HealthCheckIntervalSeconds: 180 HealthCheckTimeoutSeconds: 30 HealthyThresholdCount: 2 HealthCheckPort: 80 UnhealthyThresholdCount: 10 Protocol: HTTP Matcher: HttpCode: '200,401,302' rLoadBalancerTargetGroupHTTPS: Type: AWS::ElasticLoadBalancingV2::TargetGroup Properties: VpcId: !Ref pVpcId Port: 443 HealthCheckIntervalSeconds: 180 HealthCheckTimeoutSeconds: 30 HealthyThresholdCount: 2 HealthCheckPort: 443 UnhealthyThresholdCount: 10 Protocol: HTTPS Matcher: HttpCode: '200,401,302' ### ### Auto Scaling Group ### rAutoScalingGroupApp: Type: AWS::AutoScaling::AutoScalingGroup DependsOn: rAutoScalingConfigApp Properties: AutoScalingGroupName: !Sub Titian-Mosaic-ASG-${AWS::StackName} TargetGroupARNs: - !Ref rLoadBalancerTargetGroupHTTPS - !Ref rLoadBalancerTargetGroupHTTP VPCZoneIdentifier: - !Ref pAppSubnetA - !Ref pAppSubnetB LaunchConfigurationName: !Ref rAutoScalingConfigApp MinSize: 1 MaxSize: 1 HealthCheckType: ELB HealthCheckGracePeriod: 900 Tags: - Key: Name Value: "Titian Mosaic AppServer" PropagateAtLaunch: true rAutoScalingConfigApp: Type: AWS::AutoScaling::LaunchConfiguration DependsOn: - rDBInstance Properties: ImageId: !FindInMap [ AWSAMIRegionMap, !Ref "AWS::Region", mAppServerAMI ] InstanceType: !Ref pAppServerInstanceType KeyName: !Ref pEC2KeyPair SecurityGroups: - !Ref rSecurityGroupAppServers UserData: Fn::Base64: !Sub | mkdir c:\cfn\installer mkdir c:\cfn\logs Invoke-WebRequest -OutFile c:\cfn\installer\aws-cfn-bootstrap-win64-latest.msi https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-win64-latest.msi msiexec.exe /i c:\cfn\installer\aws-cfn-bootstrap-win64-latest.msi /QN /L*V "C:\cfn\logs\cfn-bootstrap-install.log" & "C:\\Program Files\\Titian Software\\Bootstrap\\Main\\bootstrap-mosaic.cmd" ${rDBInstance.Endpoint.Address} ${pDBName} ${pDBUsername} ${pDBPassword} ${pDNSName} Administrator & "C:\\Program Files\\Amazon\\cfn-bootstrap\\cfn-signal.exe" -e $lastexitcode "${rAppServerInitWaitHandle}" true ### ### Wait Handle ### rAppServerInitWaitHandle: Type: AWS::CloudFormation::WaitConditionHandle Properties: {} rAppServerInitWaitCondition: Type: AWS::CloudFormation::WaitCondition DependsOn: rAutoScalingGroupApp Properties: Handle: !Ref rAppServerInitWaitHandle Timeout: '1800' ### ### RDS Instance ### rDBOptionGroup: Type: AWS::RDS::OptionGroup Properties: OptionGroupDescription : "Timezone option config for Titian database." EngineName: !Ref pDBEngine MajorEngineVersion: "19" OptionConfigurations: - OptionName: Timezone OptionSettings: - Name: TIME_ZONE Value: !Ref pDBTimezone rDBInstance: Type: AWS::RDS::DBInstance DependsOn: rSecurityGroupDB Properties: DBSubnetGroupName: !Ref rDBSubnetGroup VPCSecurityGroups: - !Ref rSecurityGroupDB StorageType: gp2 MultiAZ: !Ref pDBMultiAZ AllocatedStorage: !Ref pDBAllocatedStorage DBInstanceIdentifier: "titian-mosaic-db" PubliclyAccessible: false OptionGroupName: !Ref rDBOptionGroup DBName: !Ref pDBName DBInstanceClass: !Ref pDBInstanceType MasterUsername: !Ref pDBUsername MasterUserPassword: !Ref pDBPassword LicenseModel: !Ref pDBEngineLicenseModel Engine: !Ref pDBEngine Tags: - Key: Name Value: Titian Mosaic DB rDBSubnetGroup: Type: AWS::RDS::DBSubnetGroup Properties: DBSubnetGroupDescription: Subnet group for Titian DB instances SubnetIds: - !Ref pDBSubnetA - !Ref pDBSubnetB Tags: - Key: Name Value: Titian Mosaic DB Subnet Group Outputs: oLoadBalancerDNS: Description: DNS of Load Balancer to access Titian Mosaic Value: !GetAtt rApplicationLoadBalancer.DNSName oInternalDNSUrl: Condition: cDNSRecord Description: URL to Load Balancer to access Titian Mosaic Value: !Sub http://mosaic.${pDnsHostedZoneApexDomain}