--- AWSTemplateFormatVersion: 2010-09-09 Description: 'v5.67: Deploys Deep Security Manager to AWS. This template is designed to be nested in a stack, and requires several passed parameters to launch. **WARNING** This template creates Amazon EC2 instances and related resources. You will be billed for the AWS resources used if you create a stack from this template. (qs-1ngr590jo)' Metadata: cfn-lint: config: ignore_checks: [W2001,W4002,E9010] ignore_reasons: W2001:'Parameters are referenced by other template' W4002:'Using NoEcho parameters as the scripte input' E9010:'Definition is used by another template' Parameters: AWSIKeyPairName: Description: Existing key pair to use for connecting to your Deep Security Manager Instance Type: AWS::EC2::KeyPair::KeyName ConstraintDescription: Select an existing EC2 Key Pair. AWSIVPC: Description: Existing VPC to deploy Deep Security Manager Type: AWS::EC2::VPC::Id AllowedPattern: '[-_a-zA-Z0-9]*' DSCAdminName: Default: admin Description: The Deep Security Manager administrator account username for Web Console Access Type: String MinLength: 1 MaxLength: 16 AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*' ConstraintDescription: must begin with a letter and contain only alphanumeric characters. DSCAdminPassword: NoEcho: true Description: The Deep Security Manager administrator account password Type: String MinLength: 8 MaxLength: 41 AllowedPattern: '[a-zA-Z0-9!^*\-_+]*' ConstraintDescription: Can only contain alphanumeric characters or the following special characters !^*-_+ Min length 8, max length 41 DSIPLicenseKey: Description: Deep Security License key including dashes (e.g. AP-E9RM-99WHE-B5UR5-BV8YB-HVYM8-HYYVG) Type: String MinLength: 37 MaxLength: 37 AllowedPattern: '[A-Z0-9]{2}-[A-Z0-9]{4}-[A-Z0-9]{5}-[A-Z0-9]{5}-[A-Z0-9]{5}-[A-Z0-9]{5}-[A-Z0-9]{5}' ConstraintDescription: Key can only contain ASCII characters. Default: XX-XXXX-XXXXX-XXXXX-XXXXX-XXXXX-XXXXX DSIPHeartbeatPort: Description: The heartbeat port used by Deep Security Agents and appliances to communicate with the Deep Security Manager. Type: Number MinValue: 0 MaxValue: 65535 Default: '4120' ConstraintDescription: Must be a valid TCP port. DSIPGUIPort: Description: The Deep Security Manager application and GUI port. Type: Number MinValue: 0 MaxValue: 65535 Default: '4119' ConstraintDescription: Must be a valid TCP port. DSIPInstanceType: Description: Amazon EC2 instance type for the Deep Security Manager Node Instances Type: String Default: m5.large AllowedValues: - m4.large - m4.xlarge - m4.2xlarge - m4.4xlarge - m4.10xlarge - m5.large - m5.xlarge - m5.2xlarge - m5.4xlarge - m5.8xlarge - c3.xlarge - c3.2xlarge - c3.4xlarge - c3.8xlarge - c4.xlarge - c4.2xlarge - c4.4xlarge - c4.8xlarge - c5.4xlarge - c5.9xlarge - r3.large - r3.xlarge - r3.2xlarge - r3.4xlarge - r3.8xlarge - i2.xlarge - i2.2xlarge - i2.4xlarge - i2.8xlarge - g2.2xlarge - r4.large - r4.xlarge DBICAdminName: Default: dsadmin Description: Admin account username to be used for the database instance Type: String MinLength: 1 MaxLength: 16 AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*' ConstraintDescription: must begin with a letter and contain only alphanumeric characters. DBICAdminPassword: NoEcho: true Description: Password to be used for the database admin account Type: String MinLength: 8 MaxLength: 41 AllowedPattern: '[a-zA-Z0-9!^*\-_+]*' ConstraintDescription: Can only contain alphanumeric characters or the following special characters !^*-_+ Min length 8, max length 41 DBPName: Default: dsm Description: Name to be assigned to the database Type: String MinLength: 1 MaxLength: 64 AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*' ConstraintDescription: must begin with a letter and contain only alphanumeric characters. DBPRDSEndpoint: Default: RDS.FQDN.domain Description: FQDN or IP of RDS Endpoint Type: String MinLength: '1' MaxLength: '254' DSMSG: Type: AWS::EC2::SecurityGroup::Id DBPEngine: Default: Embedded Type: String AllowedValues: - Embedded - Oracle - SQL - PostgreSQL - AuroraPostgreSQL DSISubnetID: Description: Existing Subnet for Deep Security Manager. Must be a public subnet contained the in VPC chosen above. Type: AWS::EC2::Subnet::Id AllowedPattern: '[-_a-zA-Z0-9]*' ConstraintDescription: Subnet ID must exist in the chosen VPC DSMPMNode: Description: Select whether this is an additional node to be added to an existing Deep Security Manager Infrastructure Type: String AllowedValues: - 'Yes' - 'No' Default: 'No' DSIPLicense: Description: Choose License Model. If choosing BYOL you may enter the license below Type: String AllowedValues: - PerHost - BYOL CreateEIP: Description: Allocate an EIP and associate it with this Deep Security Manager Instance. Recommend set to true unless deploying behind an ELB Type: String AllowedValues: - 'True' - 'False' Default: 'True' DSIELB: Type: String Default: '' DSIELBFQDN: Type: String Default: '' DSM1CompleteWaitHandle: Type: String Default: '' DSELBPosture: Description: Use internal or internet-facing ELB Type: String AllowedValues: - Internet-facing - Internal Default: Internet-facing QSS3BucketName: AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$ ConstraintDescription: Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Default: aws-quickstart Description: S3 bucket name for the Quick Start assets. Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Type: String QSS3BucketRegion: Default: 'us-east-1' Description: 'The AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. When using your own bucket, you must specify this value.' Type: String QSS3KeyPrefix: AllowedPattern: ^[0-9a-zA-Z-/]*$ ConstraintDescription: Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/). Default: quickstart-trendmicro-deepsecurity/ Description: S3 key prefix for the Quick Start assets. Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/). Type: String DSCLicenseType: Type: String Default: Enterprise AllowedValues: - Enterprise - Network DSProxyUrl: Type: String Default: '' Mappings: DSMAMI: us-east-1: PerHost: ami-0b47cb4986393e47d BYOL: ami-0e9039d2bdfa29a59 us-east-2: PerHost: ami-06380def4cc307e23 BYOL: ami-0c3bc2af135c63996 us-west-1: PerHost: ami-09243f5ff516470ce BYOL: ami-0557fc36d3fbc88de us-west-2: PerHost: ami-03681f2d7f9e03129 BYOL: ami-03b48fc903cf64c01 ca-central-1: PerHost: ami-073e6ac5544f37805 BYOL: ami-08633b5565980d3df eu-central-1: PerHost: ami-0d40bd6cb6374e8dc BYOL: ami-0406821bc9de1c086 eu-west-1: PerHost: ami-02384bdf08e419ca8 BYOL: ami-052f75eb9a8988df9 eu-west-2: PerHost: ami-038237d5cc5485983 BYOL: ami-0175b3eac46269948 eu-west-3: PerHost: ami-0f3bc985a3e9aed01 BYOL: ami-083ca3bead6b6c955 ap-southeast-1: PerHost: ami-0ebdb5946cdad781c BYOL: ami-042c89116a3c7f471 ap-southeast-2: PerHost: ami-0f1126049179cb9c5 BYOL: ami-039a3bde773808d23 ap-southeast-3: PerHost: ami-094e4f04c1ed40362 BYOL: ami-0c56d73aca3e63c90 ap-south-1: PerHost: ami-0d22e86efec5f3237 BYOL: ami-0c961c4ad34b445cd ap-northeast-1: PerHost: ami-0dcf71cf77631d183 BYOL: ami-0f85ae65d3548a519 ap-northeast-2: PerHost: ami-0138a0bdc2ce996e5 BYOL: ami-04759f51bd04593c7 ap-northeast-3: PerHost: ami-0cd8d425602584bcb BYOL: ami-0b67db3acd356ee77 sa-east-1: PerHost: ami-075e9853df2f94580 BYOL: ami-0bea0c31740608b3b eu-north-1: PerHost: ami-0c8dd31439edd0035 BYOL: ami-038a616e2835b3020 me-south-1: PerHost: ami-0fff87eb5c9b36527 BYOL: ami-081d8694cf0eb11ff eu-south-1: PerHost: ami-0a48a09781d35e477 BYOL: ami-07988371b7e4dc492 us-gov-east-1: PerHost: ami-09a768f3e864df91a BYOL: ami-07fa4ff34e79b3989 us-gov-west-1: PerHost: ami-054b79186813ceb0f BYOL: ami-0bbaef1d5fb13d9f1 DSMSIZE: us-east-1: PerHost: m5.xlarge BYOL: m5.xlarge us-east-2: PerHost: m5.xlarge BYOL: m5.xlarge us-west-1: PerHost: m5.xlarge BYOL: m5.xlarge us-west-2: PerHost: m5.xlarge BYOL: m5.xlarge ca-central-1: PerHost: m5.xlarge BYOL: m5.xlarge ap-south-1: PerHost: m5.xlarge BYOL: m5.xlarge ap-northeast-2: PerHost: m5.xlarge BYOL: m5.xlarge ap-northeast-3: PerHost: m5.xlarge BYOL: m5.xlarge ap-southeast-1: PerHost: m5.xlarge BYOL: m5.xlarge ap-southeast-2: PerHost: m5.xlarge BYOL: m5.xlarge ap-southeast-3: PerHost: m5.xlarge BYOL: m5.xlarge ap-northeast-1: PerHost: m5.xlarge BYOL: m5.xlarge eu-north-1: PerHost: m5.xlarge BYOL: m5.xlarge eu-central-1: PerHost: m5.xlarge BYOL: m5.xlarge eu-west-1: PerHost: m5.xlarge BYOL: m5.xlarge eu-west-2: PerHost: m5.xlarge BYOL: m5.xlarge eu-west-3: PerHost: m5.xlarge BYOL: m5.xlarge eu-south-1: PerHost: m5.xlarge BYOL: m5.xlarge sa-east-1: PerHost: m5.xlarge BYOL: m5.xlarge us-gov-west-1: PerHost: m5.xlarge BYOL: m5.xlarge me-south-1: PerHost: m5.xlarge BYOL: m5.xlarge us-gov-east-1: PerHost: m5.xlarge BYOL: m5.xlarge DSMDBMap: SQL: DbTypeString: Microsoft SQL Server Oracle: DbTypeString: Oracle Embedded: DbTypeString: Embedded PostgreSQL: DbTypeString: PostgreSQL AuroraPostgreSQL: DbTypeString: PostgreSQL Resources: DSMRole: Type: AWS::IAM::Role Metadata: cfn-lint: config: ignore_checks: [EIAMPolicyWildcardResource] ignore_reasons: EIAMPolicyWildcardResource: 'Those actions of ec2, iam and elasticloadbalancing:DescribeLoadBalancers does not support resource-level permissions, it only supports the ”*” in the resource element.' Properties: AssumeRolePolicyDocument: Statement: - Effect: Allow Principal: Service: - ec2.amazonaws.com Action: - sts:AssumeRole ManagedPolicyArns: !If - UsePerHost - - arn:aws:iam::aws:policy/AWSMarketplaceMeteringFullAccess - !Ref AWS::NoValue Path: / Policies: - PolicyName: aws-quick-start-s3-policy PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - s3:GetObject Resource: !Sub - arn:${AWS::Partition}:s3:::${S3Bucket}/${QSS3KeyPrefix}* - S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] - !If - AddToELB - PolicyName: DeepSecurityManagerInstancePolicy PolicyDocument: Statement: - Effect: Allow Action: - ec2:DescribeLicenses - ec2:DescribeInstances - ec2:DescribeImages - ec2:DescribeRegions - ec2:DescribeVpcs - ec2:DescribeSubnets - ec2:DescribeTags - ec2:DescribeAvailabilityZones - ec2:DescribeSecurityGroups - iam:ListAccountAliases - elasticloadbalancing:DescribeLoadBalancers Resource: '*' - Effect: Allow Action: - elasticloadbalancing:RegisterInstancesWithLoadBalancer - elasticloadbalancing:CreateLoadBalancerListeners - elasticloadbalancing:CreateLoadBalancerPolicy - elasticloadbalancing:SetLoadBalancerPoliciesOfListener Resource: !Join - '' - - !If - GovCloudCondition - 'arn:aws-us-gov:elasticloadbalancing:' - 'arn:aws:elasticloadbalancing:' - !Ref AWS::Region - ':' - !Ref AWS::AccountId - :loadbalancer/ - !Ref DSIELB - Effect: Allow Action: - sts:AssumeRole Resource: !Join - '' - - !If - GovCloudCondition - 'arn:aws-us-gov:iam::' - 'arn:aws:iam::' - !Ref AWS::AccountId - :role/* - Effect: Allow Action: - iam:UploadServerCertificate - iam:GetServerCertificate Resource: !Join - '' - - !If - GovCloudCondition - 'arn:aws-us-gov:iam::' - 'arn:aws:iam::' - !Ref AWS::AccountId - :server-certificate/DeepSecurityElbCertificate- - !Ref AWS::StackName - PolicyName: DeepSecurityManagerInstancePolicy PolicyDocument: Statement: - Effect: Allow Action: - ec2:DescribeLicenses - ec2:DescribeImages - ec2:DescribeInstances - ec2:DescribeRegions - ec2:DescribeSubnets - ec2:DescribeTags - ec2:DescribeVpcs - iam:ListAccountAliases - ec2:DescribeAvailabilityZones - ec2:DescribeSecurityGroups - iam:ListAccountAliases Resource: '*' - Effect: Allow Action: - sts:AssumeRole Resource: !Join - '' - - !If - GovCloudCondition - 'arn:aws-us-gov:iam::' - 'arn:aws:iam::' - !Ref AWS::AccountId - :role/* DSMProfile: Type: AWS::IAM::InstanceProfile Properties: Path: / Roles: - !Ref DSMRole DSMLaunchTemplate: Type: AWS::EC2::LaunchTemplate Properties: LaunchTemplateData: MetadataOptions: HttpTokens: 'required' DSM: Type: AWS::EC2::Instance Metadata: AWS::CloudFormation::Authentication: S3AccessCreds: type: S3 roleName: !Ref DSMRole buckets: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] AWS::CloudFormation::Init: configSets: default: - setup - prepDSMInstall - installDSM - addCloudAccount - fixManagerHostObject doSqlSetup: - sqlSetup fixManagerLbSettings: - fixManagerLoadBalancerSettings fixManagerLocalLbAddress: - fixManagerLocalLoadBalancerHostsFile fixManagerHostObject: - fixManagerHostObject addDsmNode: - setup - prepDSMInstall - installDSM - fixManagerHostObject setupLocalELB: - addToELB - fixManagerLocalLoadBalancerHostsFile setupGlobalELB: - fixManagerLoadBalancerSettings setup: files: /etc/cfn/cfn-hup.conf: content: Fn::Sub: | [main] stack=${AWS::StackId} region=${AWS::Region} mode: '000400' owner: root group: root /etc/cfn/hooks.d/cfn-auto-reloader.conf: content: Fn::Sub: | [cfn-auto-reloader-hook] triggers=post.update path=Resources.DSM.Metadata.AWS::CloudFormation::Init action=/opt/aws/bin/cfn-init -v -c updateDSM --stack ${AWS::StackId} --resource DSM1 --region ${AWS::Region} runas=root services: sysvinit: cfn-hup: enabled: 'true' ensureRunning: 'true' files: - /etc/cfn/cfn-hup.conf - /etc/cfn/hooks.d/cfn-auto-reloader.conf prepDSMInstall: files: /etc/cfn/dsmConfiguration.properties: content: Fn::Sub: - | ${LicenseConfig} CredentialsScreen.Administrator.Username=${DSCAdminName} CredentialsScreen.Administrator.Password=${DSCAdminPassword} CredentialsScreen.UseStrongPasswords=False Dinstall4j.language=en DatabaseScreen.DatabaseType=${DBTypeConfig} DatabaseScreen.Hostname=${DBPRDSEndpoint} DatabaseScreen.DatabaseName=${DBPName} DatabaseScreen.Transport=TCP DatabaseScreen.Username=${DBICAdminName} DatabaseScreen.Password=${DBICAdminPassword} AddressAndPortsScreen.ManagerPort=${DSIPGUIPort} AddressAndPortsScreen.HeartbeatPort=${DSIPHeartbeatPort} ${NodeConfig} SecurityUpdateScreen.UpdateComponents=true SoftwareUpdateScreen.UpdateSoftware=True SmartProtectionNetworkScreen.EnableFeedback=false SmartProtectionNetworkScreen.IndustryType=blank RelayScreen.Install=True ${softwareUpdateScreenProxyConfig} ${securityUpdateScreenProxyConfig} Override.Automation=True Cloudformation.QSS3BucketName=${QSS3BucketName} Cloudformation.QSS3BucketRegion=${QSS3BucketRegion} Cloudformation.QSS3KeyPrefix=${QSS3KeyPrefix} - LicenseConfig: !If - AddAcAnswer - !If - NetworkOnlyLicense - Fn::Sub: LicenseScreen.License.1=${DSIPLicenseKey} - Fn::Sub: LicenseScreen.License.-1=${DSIPLicenseKey} - '' DBTypeConfig: !FindInMap - DSMDBMap - !Ref DBPEngine - DbTypeString NodeConfig: !If - IsFirstNode - AddressAndPortsScreen.NewNode=false - | AddressAndPortsScreen.NewNode=true UpgradeVerificationScreen.Overwrite=False softwareUpdateScreenProxyConfig: !If - UseProxy - Fn::Sub: - | SoftwareUpdateScreen.Proxy=True SoftwareUpdateScreen.ProxyType=HTTP SoftwareUpdateScreen.ProxyAddress=${softwareUpdateScreenProxyHost} SoftwareUpdateScreen.ProxyPort=${softwareUpdateScreenProxyPort} SoftwareUpdateScreen.ProxyAuthentication="False" SoftwareUpdateScreen.ProxyUsername="" SoftwareUpdateScreen.ProxyPassword="" - softwareUpdateScreenProxyHost: !Select - 0 - Fn::Split: - ":" - Fn::Sub: "${DSProxyUrl}" softwareUpdateScreenProxyPort: !Select - 1 - Fn::Split: - ":" - Fn::Sub: "${DSProxyUrl}" - '' securityUpdateScreenProxyConfig: !If - UseProxy - Fn::Sub: - | SecurityUpdateScreen.Proxy=True SecurityUpdateScreen.ProxyType=HTTP SecurityUpdateScreen.ProxyAddress=${securityUpdateScreenProxyHost} SecurityUpdateScreen.ProxyPort=${securityUpdateScreenProxyPort} SecurityUpdateScreen.ProxyAuthentication="False" SecurityUpdateScreen.ProxyUsername="" SecurityUpdateScreen.ProxyPassword="" - securityUpdateScreenProxyHost: !Select - 0 - Fn::Split: - ":" - Fn::Sub: "${DSProxyUrl}" securityUpdateScreenProxyPort: !Select - 1 - Fn::Split: - ":" - Fn::Sub: "${DSProxyUrl}" - '' owner: root mode: '000600' installDSM: commands: 0-sethostnameinprops: command: | TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 60"` managerAddress=`curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/local-ipv4/` echo "AddressAndPortsScreen.ManagerAddress=$managerAddress" >> /etc/cfn/dsmConfiguration.properties ignoreErrors: 'false' 1-install-DSM: command: cd /opt/trend/packages/dsm/default/; sh /opt/trend/packages/dsm/default/ManagerAWS.sh -q -console -varfile /etc/cfn/dsmConfiguration.properties >> /tmp/dsmInstallLog ignoreErrors: 'false' 6-install-xml_grep: command: yum -y install perl-XML-Twig addCloudAccount: files: /etc/cfn/set-aia-settings.sh: source: Fn::Sub: - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}scripts/set-aia-settings.sh - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] owner: root mode: '000700' authentication: S3AccessCreds /etc/cfn/end-mp-web-installer.sh: source: Fn::Sub: - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}scripts/end-mp-web-installer.sh - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] owner: root mode: '000700' authentication: S3AccessCreds /etc/cfn/add-aws-account-with-instance-role.sh: source: Fn::Sub: - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}scripts/add-aws-account-with-instance-role.sh - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] owner: root mode: '000700' authentication: S3AccessCreds commands: 5-check-service: command: Fn::Sub: until curl -vk https://127.0.0.1:${DSIPGUIPort}/rest/status/manager/current/ping; do echo "manager not started yet" >> /tmp/4-check-service; service dsm_s start >> /tmp/4-check-service;sleep 30; done 7-set-aia-settings: command: Fn::Sub: /etc/cfn/set-aia-settings.sh ${DSCAdminName} ${DSCAdminPassword} - ${DSIPGUIPort} >> /tmp/set-aia-settings.log 8-addCloudAccount: command: Fn::Sub: /etc/cfn/add-aws-account-with-instance-role.sh ${DSCAdminName} ${DSCAdminPassword} localhost ${DSIPGUIPort} ${AWS::Region} ignoreErrors: 'False' 10-endWebInstaller: command: /etc/cfn/end-mp-web-installer.sh sqlSetup: files: /etc/cfn/rhel-scripts/create-dsm-db.py: source: Fn::Sub: - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}scripts/create-dsm-db.py - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] owner: root mode: '000755' authentication: S3AccessCreds commands: 1-create-db: command: Fn::Sub: cd /etc/cfn/rhel-scripts; python create-dsm-db.py --user ${DBICAdminName} --pass ${DBICAdminPassword} --endpoint ${DBPRDSEndpoint} --dbname ${DBPName} ignoreErrors: 'false' addToELB: commands: 0-add-instance-to-elb: command: Fn::Sub: | TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 60"` aws elb register-instances-with-load-balancer --load-balancer ${DSIELB} --instances $(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/instance-id/) --region ${AWS::Region} ignoreErrors: 'false' fixManagerLoadBalancerSettings: files: /etc/cfn/create-console-listener.sh: source: Fn::Sub: - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}scripts/create-console-listener.sh - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] owner: root mode: '000700' authentication: S3AccessCreds /etc/cfn/set-lb-settings.sh: source: Fn::Sub: - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}scripts/set-lb-settings.sh - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] owner: root mode: '000700' authentication: S3AccessCreds commands: 1-setup-elb-listener: command: Fn::Sub: /etc/cfn/create-console-listener.sh ${DSIELB} ${DSIELBFQDN} ${DSIPGUIPort} ${AWS::StackName} 1 ${AWS::Region} >> /tmp/listener.log 4-set-load-balancer-settings: command: Fn::Sub: /etc/cfn/set-lb-settings.sh ${DSCAdminName} ${DSCAdminPassword} ${DSIELBFQDN} ${DSIPGUIPort} ${DSIPHeartbeatPort} >> /tmp/set-lb-settings.log fixManagerLocalLoadBalancerHostsFile: commands: 1-setHostsFileELB: command: Fn::Sub: | TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 60"` echo "$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/local-ipv4/) ${DSIELBFQDN}" >> /etc/hosts fixManagerHostObject: files: /etc/cfn/reactivate-manager.sh: source: Fn::Sub: - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}scripts/reactivate-manager.sh - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] owner: root mode: '000700' authentication: S3AccessCreds commands: 1-reactivate-manager.sh: command: Fn::Sub: /etc/cfn/reactivate-manager.sh >> /etc/cfn/reactivate-manager.log ${DSCAdminName} ${DSCAdminPassword} ${DSIPGUIPort} Properties: IamInstanceProfile: !Ref DSMProfile LaunchTemplate: LaunchTemplateId: !Ref DSMLaunchTemplate Version: '1' ImageId: !FindInMap - DSMAMI - !Ref AWS::Region - !Ref DSIPLicense InstanceType: !If - PPUNotSelected - !Ref DSIPInstanceType - !FindInMap - DSMSIZE - !Ref AWS::Region - !Ref DSIPLicense NetworkInterfaces: - DeviceIndex: '0' SubnetId: !Ref DSISubnetID AssociatePublicIpAddress: !If - InternetFacingELB - true - false GroupSet: - !Ref DSMSG Tags: - Key: Name Value: Deep Security Manager KeyName: !Ref AWSIKeyPairName UserData: !Base64 Fn::Sub: - | #!/bin/bash -x # cloud-init ${ProxyConfig} /opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource DSM --region ${AWS::Region}${ConfigSetOption1}${ConfigSetOption2}${ProxyOption1} /opt/aws/bin/cfn-signal ${CFNSignalOption}${ProxyOption2} - ProxyConfig: !If - UseProxy - Fn::Sub: | export HTTPS_PROXY="https://${DSProxyUrl}" export HTTP_PROXY="http://${DSProxyUrl}" export NO_PROXY="169.254.169.254,localhost,127.0.0.1" echo -e "proxy=http://${DSProxyUrl}" >> /etc/yum.conf - '' ConfigSetOption1: !If - SQLplusELB - ' -c doSqlSetup,default,setupLocalELB,setupGlobalELB' - !If - DoSQLSetup - ' -c doSqlSetup,default' - !If - IsFirstNodePlusELB - ' -c default,setupLocalELB,setupGlobalELB' - '' ConfigSetOption2: !If - AddNodePlusELB - ' -c fixManagerLocalLbAddress,addDsmNode,setupLocalELB' - !If - IsFirstNode - '' - ' -c addDsmNode' ProxyOption1: !If - UseProxy - Fn::Sub: ' --https-proxy https://${DSProxyUrl}' - '' CFNSignalOption: !If - WaitNotProvided - -e $? -r "Complete" - !Join - '' - - '-e $? -r "DSM Node configuration complete" ' - !Base64 Ref: DSM1CompleteWaitHandle ProxyOption2: !If - UseProxy - Fn::Sub: ' --https-proxy https://${DSProxyUrl}' - '' Conditions: UsingDefaultBucket: !Equals [!Ref QSS3BucketName, 'aws-quickstart'] DBTypeIsSQL: !Equals - !Ref DBPEngine - SQL IsFirstNode: !Equals - !Ref DSMPMNode - 'No' DoSQLSetup: !And - !Condition DBTypeIsSQL - !Condition IsFirstNode UseBYOL: !Equals - !Ref DSIPLicense - BYOL UsePerHost: !Equals - !Ref DSIPLicense - PerHost PPUNotSelected: !Or - !Condition UsePerHost - !Condition UseBYOL AddToELB: !Not - !Equals - !Ref DSIELB - '' WaitNotProvided: !Equals - DSM1CompleteWaitHandle - '' SQLplusELB: !And - !Condition AddToELB - !Condition DoSQLSetup AddNodePlusELB: !And - !Not - !Condition IsFirstNode - !Condition AddToELB KeyProvided: !Not - !Equals - !Ref DSIPLicenseKey - XX-XXXX-XXXXX-XXXXX-XXXXX-XXXXX-XXXXX IsFirstNodePlusELB: !And - !Condition IsFirstNode - !Condition AddToELB AddAcAnswer: !And - !Condition KeyProvided - !Condition PPUNotSelected InternetFacingELB: !Equals - !Ref DSELBPosture - Internet-facing NetworkOnlyLicense: !Equals - !Ref DSCLicenseType - Network UseProxy: !Not - !Equals - !Ref DSProxyUrl - '' GovCloudCondition: !Or - !Equals - !Ref AWS::Region - us-gov-west-1 - !Equals - !Ref AWS::Region - us-gov-east-1 Outputs: DSMFQDN: Value: !GetAtt DSM.PublicDnsName DSMURL: Value: Fn::Sub: https://${DSM.PublicDnsName}:${DSIPGUIPort} DSMInstanceId: Value: !Ref DSM ...