--- AWSTemplateFormatVersion: 2010-09-09 Description: 'QS(0011) - v5.67: Quick Start that deploys Trend Micro Deep Security into an existing VPC with a Multi-AZ PostgreSQL RDS instance **WARNING** This template uses images from the AWS Marketplace and an active subscription is required - Please see the Quick Start documentation for more details. You will be billed for the AWS resources used if you create a stack from this template. (qs-1ngr590k4)' Metadata: cfn-lint: config: ignore_checks: [W8001,W1001] ignore_reasons: W1001:'The DSM console should be output whether the PerHostSupportedRegion is true or false' W8001:'Conditions are referenced by other template' AWS::CloudFormation::Interface: ParameterGroups: - Label: default: Deep Security Manager Configuration Parameters: - DeepSecurityAdminName - DeepSecurityAdminPass - AWSKeyPairName - ProtectedInstances - Label: default: Network Configuration Parameters: - AWSVPC - DeepSecuritySubnet - DatabaseSubnet1 - DatabaseSubnet2 - Label: default: AWS Quick Start Configuration Parameters: - QSS3BucketName - QSS3BucketRegion - QSS3KeyPrefix ParameterLabels: AWSKeyPairName: default: EC2 Key Pair for SSH access AWSVPC: default: VPC for Deep Security Components DeepSecuritySubnet: default: Public Subnet for Deep Security Managers DeepSecurityAdminName: default: Administrator username for Deep Security DeepSecurityAdminPass: default: Administrator password for Deep Security DatabaseSubnet1: default: Primary private subnet for RDS DatabaseSubnet2: default: Secondary private subnet for RDS ProtectedInstances: default: Number of instances you expect to protect with Deep Security Agents QSS3BucketName: default: Quick Start S3 Bucket Name QSS3BucketRegion: default: Quick Start S3 bucket region QSS3KeyPrefix: default: Quick Start S3 Key Prefix Parameters: AWSKeyPairName: Description: Select an existing key pair to use for connecting to your Deep Security Manager Instance. Type: AWS::EC2::KeyPair::KeyName ConstraintDescription: Select an existing EC2 Key Pair. AWSVPC: Description: Select an existing VPC to deploy Deep Security Manager. Type: AWS::EC2::VPC::Id AllowedPattern: '[-_a-zA-Z0-9]*' DatabaseSubnet1: Description: Select a private subnet for the RDS database. Must be a private subnet contained in the VPC chosen above. Type: AWS::EC2::Subnet::Id ConstraintDescription: RDS Subnet Groups must be comprised of 2 subnets in seperate availability zones within the specified VPC for deploying this template DatabaseSubnet2: Description: Select a second private subnet for the RDS database. Must be a private subnet contained in the VPC chosen above. Type: AWS::EC2::Subnet::Id ConstraintDescription: RDS Subnet Groups must be comprised of 2 subnets in seperate availability zones within the specified VPC for deploying this template DeepSecuritySubnet: Description: Select an existing Subnet for Deep Security Manager. Must be a public subnet contained in the VPC chosen above. Type: AWS::EC2::Subnet::Id AllowedPattern: '[-_a-zA-Z0-9]*' ConstraintDescription: Subnet ID must exist in the chosen VPC DeepSecurityAdminName: Default: admin Description: The Deep Security Manager administrator username for Web Console Access. Type: String MinLength: 1 MaxLength: 16 AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*' ConstraintDescription: Must begin with a letter and contain only alphanumeric characters. Min length 1, max length 16 DeepSecurityAdminPass: NoEcho: true Description: The Deep Security Manager administrator password. Must be 8-41 characters long and can only contain alphanumeric characters or the following special characters !^*-_+ Type: String MinLength: 8 MaxLength: 41 AllowedPattern: '[a-zA-Z0-9!^*\-_+]*' ConstraintDescription: Can only contain alphanumeric characters or the following special characters !^*-_+ Min length 8, max length 41 ProtectedInstances: Description: Select how many instances would you like to protect. Type: String AllowedValues: - 1-100 - 101-500 - 501-1000 - 1001-2000 QSS3BucketName: AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$ ConstraintDescription: Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Default: aws-quickstart Description: S3 bucket name for the Quick Start assets. Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Type: String QSS3BucketRegion: Default: 'us-east-1' Description: 'The AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. When using your own bucket, you must specify this value.' Type: String QSS3KeyPrefix: AllowedPattern: ^[0-9a-zA-Z-/]*$ ConstraintDescription: Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/). Default: quickstart-trendmicro-deepsecurity/ Description: S3 key prefix for the Quick Start assets. Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/). Type: String Mappings: DSMSIZE: us-east-1: '1': m5.xlarge '2': m5.xlarge '3': m5.xlarge '4': m5.xlarge us-west-1: '1': m5.xlarge '2': m5.xlarge '3': m5.xlarge '4': m5.xlarge us-west-2: '1': m5.xlarge '2': m5.xlarge '3': m5.xlarge '4': m5.xlarge eu-west-1: '1': m5.xlarge '2': m5.xlarge '3': m5.xlarge '4': m5.xlarge eu-central-1: '1': m5.xlarge '2': m5.xlarge '3': m5.xlarge '4': m5.xlarge sa-east-1: '1': m5.xlarge '2': m5.xlarge '3': m5.xlarge '4': m5.xlarge ap-northeast-1: '1': m5.xlarge '2': m5.xlarge '3': m5.xlarge '4': m5.xlarge ap-southeast-1: '1': m5.xlarge '2': m5.xlarge '3': m5.xlarge '4': m5.xlarge ap-southeast-2: '1': m5.xlarge '2': m5.xlarge '3': m5.xlarge '4': m5.xlarge ap-northeast-2: '1': m5.xlarge '2': m5.xlarge '3': m5.xlarge '4': m5.xlarge ap-southeast-3: '1': m5.xlarge '2': m5.xlarge '3': m5.xlarge '4': m5.xlarge ap-northeast-3: '1': m5.xlarge '2': m5.xlarge '3': m5.xlarge '4': m5.xlarge us-east-2: '1': m5.xlarge '2': m5.xlarge '3': m5.xlarge '4': m5.xlarge ca-central-1: '1': m5.xlarge '2': m5.xlarge '3': m5.xlarge '4': m5.xlarge ap-south-1: '1': m5.xlarge '2': m5.xlarge '3': m5.xlarge '4': m5.xlarge eu-north-1: '1': m5.xlarge '2': m5.xlarge '3': m5.xlarge '4': m5.xlarge eu-west-2: '1': m5.xlarge '2': m5.xlarge '3': m5.xlarge '4': m5.xlarge eu-west-3: '1': m5.xlarge '2': m5.xlarge '3': m5.xlarge '4': m5.xlarge eu-south-1: '1': m5.large '2': m5.large '3': m5.xlarge '4': m5.xlarge us-gov-west-1: '1': m5.xlarge '2': m5.xlarge '3': m5.xlarge '4': m5.xlarge me-south-1: '1': m5.xlarge '2': m5.xlarge '3': m5.xlarge '4': m5.xlarge us-gov-east-1: '1': m5.xlarge '2': m5.xlarge '3': m5.xlarge '4': m5.xlarge RDSStorageSize: 1-100: Size: '50' 101-500: Size: '150' 501-1000: Size: '200' 1001-2000: Size: '300' RDSInstanceSize: us-east-1: '1': db.m5.large '2': db.m5.large '3': db.m5.xlarge '4': db.m5.xlarge us-east-2: '1': db.m5.large '2': db.m5.large '3': db.m5.xlarge '4': db.m5.xlarge us-west-1: '1': db.m5.large '2': db.m5.large '3': db.m5.xlarge '4': db.m5.xlarge us-west-2: '1': db.m5.large '2': db.m5.large '3': db.m5.xlarge '4': db.m5.xlarge ca-central-1: '1': db.m5.large '2': db.m5.large '3': db.m5.xlarge '4': db.m5.xlarge ap-south-1: '1': db.m5.large '2': db.m5.large '3': db.m5.xlarge '4': db.m5.xlarge ap-northeast-2: '1': db.m5.large '2': db.m5.large '3': db.m5.xlarge '4': db.m5.xlarge ap-southeast-1: '1': db.m5.large '2': db.m5.large '3': db.m5.xlarge '4': db.m5.xlarge ap-southeast-2: '1': db.m5.large '2': db.m5.large '3': db.m5.xlarge '4': db.m5.xlarge ap-northeast-1: '1': db.m5.large '2': db.m5.large '3': db.m5.xlarge '4': db.m5.xlarge ap-northeast-3: '1': db.m5.large '2': db.m5.large '3': db.m5.xlarge '4': db.m5.xlarge ap-southeast-3: '1': db.m5.large '2': db.m5.large '3': db.m5.xlarge '4': db.m5.xlarge eu-north-1: '1': db.m5.large '2': db.m5.large '3': db.m5.xlarge '4': db.m5.xlarge eu-central-1: '1': db.m5.large '2': db.m5.large '3': db.m5.xlarge '4': db.m5.xlarge eu-west-1: '1': db.m5.large '2': db.m5.large '3': db.m5.xlarge '4': db.m5.xlarge eu-west-2: '1': db.m5.large '2': db.m5.large '3': db.m5.xlarge '4': db.m5.xlarge sa-east-1: '1': db.m5.large '2': db.m5.large '3': db.m5.xlarge '4': db.m5.xlarge eu-west-3: '1': db.m5.large '2': db.m5.large '3': db.m5.xlarge '4': db.m5.xlarge eu-south-1: '1': db.m5.large '2': db.m5.large '3': db.m5.xlarge '4': db.m5.xlarge us-gov-west-1: '1': db.m4.large '2': db.m4.large '3': db.m4.xlarge '4': db.m4.xlarge me-south-1: '1': db.m5.large '2': db.m5.large '3': db.m5.xlarge '4': db.m5.xlarge us-gov-east-1: '1': db.r4.large '2': db.r4.large '3': db.r4.xlarge '4': db.r4.xlarge DeploymentSize: 1-100: Size: '1' 101-500: Size: '2' 501-1000: Size: '3' 1001-2000: Size: '4' Resources: MainMP: Type: AWS::CloudFormation::Stack Condition: PerHostSupportedRegion Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/marketplace/main-mp.template.yaml' - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: AWSIKeyPairName: !Ref AWSKeyPairName AWSIVPC: !Ref AWSVPC DSISubnetID: !Ref DeepSecuritySubnet DBIRDSInstanceSize: !FindInMap - RDSInstanceSize - !Ref AWS::Region - !FindInMap - DeploymentSize - !Ref ProtectedInstances - Size DBIStorageAllocation: !FindInMap - RDSStorageSize - !Ref ProtectedInstances - Size DBPBackupDays: '5' DBPCreateDbInstance: 'Yes' DBICAdminName: dsmadmin DBICAdminPassword: !Ref DeepSecurityAdminPass DBPEngine: PostgreSQL DBPEndpoint: '' DBPName: dsm DSCAdminName: !Ref DeepSecurityAdminName DSCAdminPassword: !Ref DeepSecurityAdminPass DSIMultiNode: '2' DSIPLicenseKey: XX-XXXX-XXXXX-XXXXX-XXXXX-XXXXX-XXXXX DSIPHeartbeatPort: '4120' DSIPGUIPort: '443' DSIPInstanceType: !FindInMap - DSMSIZE - !Ref AWS::Region - !FindInMap - DeploymentSize - !Ref ProtectedInstances - Size DBISubnet1: !Ref DatabaseSubnet1 DBISubnet2: !Ref DatabaseSubnet2 DSIPLicense: PerHost DBPMultiAZ: 'true' QSS3BucketName: !Ref QSS3BucketName QSS3BucketRegion: !Ref QSS3BucketRegion QSS3KeyPrefix: !Ref QSS3KeyPrefix Conditions: UsingDefaultBucket: !Equals [!Ref QSS3BucketName, 'aws-quickstart'] PerHostSupportedRegion: !Not - !Equals - !Ref AWS::Region - match-all-regions GovCloudCondition: !Or - !Equals - !Ref AWS::Region - us-gov-west-1 - !Equals - !Ref AWS::Region - us-gov-east-1 Outputs: DeepSecurityConsole: Value: !GetAtt MainMP.Outputs.DeepSecurityConsole ...