--- AWSTemplateFormatVersion: 2010-09-09 Description: 'v5.67: Deploys Elastic Load Balancers and Security Groups for Deep Security (qs-1ngr590je). Manager.' Metadata: cfn-lint: config: ignore_checks: [W3005,W8001] ignore_reasons: W8001:'Conditions are referenced by other template' W3005:'DSM needs to depend on resource ELBSG to make sure the stack will create not fail' Parameters: AWSIVPC: Description: Existing VPC to deploy Deep Security Manager Type: AWS::EC2::VPC::Id AllowedPattern: '[-_a-zA-Z0-9]*' DSIPHeartbeatPort: Description: The heartbeat port used by Deep Security Agents and appliances to communicate with the Deep Security Manager. Type: Number MinValue: 0 MaxValue: 65535 Default: '4120' ConstraintDescription: Must be a valid TCP port. DSIPGUIPort: Description: The Deep Security Manager application and GUI port. Type: Number MinValue: 0 MaxValue: 65535 Default: '4119' ConstraintDescription: Must be a valid TCP port. DSISubnetID: Description: Existing Subnet for Deep Security Manager. Must be a public subnet contained the in VPC chosen above. Type: String MinLength: '1' MaxLength: '255' AllowedPattern: '[-_a-zA-Z0-9]*' ConstraintDescription: Subnet ID must exist in the chosen VPC DSELBPosture: Description: Use internal or internet-facing ELB Type: String AllowedValues: - Internet-facing - Internal Default: Internet-facing QSS3BucketName: AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$ ConstraintDescription: Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Default: aws-quickstart Description: S3 bucket name for the Quick Start assets. Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Type: String QSS3BucketRegion: Default: 'us-east-1' Description: 'The AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. When using your own bucket, you must specify this value.' Type: String QSS3KeyPrefix: AllowedPattern: ^[0-9a-zA-Z-/]*$ ConstraintDescription: Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/). Default: quickstart-trendmicro-deepsecurity/ Description: S3 key prefix for the Quick Start assets. Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/). Type: String Resources: ELBSG: Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/common/security-groups/ds-elb-sg.template.yaml' - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: AWSIVPC: !Ref AWSIVPC DSIPGUIPort: !Ref DSIPGUIPort DSIPHeartbeatPort: !Ref DSIPHeartbeatPort DSMELB: Type: AWS::ElasticLoadBalancing::LoadBalancer DependsOn: ELBSG Properties: Subnets: - !Ref DSISubnetID SecurityGroups: - !GetAtt - ELBSG - Outputs.ELBSG Scheme: !If - InternetFacingELB - internet-facing - internal Listeners: - LoadBalancerPort: !Ref DSIPHeartbeatPort InstancePort: !Ref DSIPHeartbeatPort Protocol: TCP - LoadBalancerPort: '4122' InstancePort: '4122' Protocol: TCP HealthCheck: Target: !Join - '' - - 'HTTPS:' - !Ref DSIPGUIPort - /rest/status/manager/ping HealthyThreshold: '3' UnhealthyThreshold: '5' Interval: '30' Timeout: '5' ConnectionSettings: IdleTimeout: 600 Conditions: UsingDefaultBucket: !Equals [!Ref QSS3BucketName, 'aws-quickstart'] InternetFacingELB: !Equals - !Ref DSELBPosture - Internet-facing GovCloudCondition: !Or - !Equals - !Ref AWS::Region - us-gov-west-1 - !Equals - !Ref AWS::Region - us-gov-east-1 Outputs: ELBFQDN: Value: !GetAtt DSMELB.DNSName ELBSourceSecurityGroup: Value: !GetAtt ELBSG.Outputs.ELBSG ELSBSourceSecurityGroupOnwerID: Value: !GetAtt DSMELB.SourceSecurityGroup.OwnerAlias DSIELB: Value: !Ref DSMELB ELBCanonicalHostedZoneNameID: Value: !GetAtt DSMELB.CanonicalHostedZoneNameID ELBDNSName: Value: !GetAtt DSMELB.DNSName ...