AWSTemplateFormatVersion: '2010-09-09' Description: 'AWS CloudFormation Template: XQ Server running on Linux (qs-xxxxxx)' Parameters: PublicSubnetId: Description: The public subnet to use Type: AWS::EC2::Subnet::Id PublicSubnet1CIDR: Description: CIDR Block for the Public DMZ Subnet located in AZ2 Type: String KeyPairName: ConstraintDescription: must be the name of an existing EC2 KeyPair. Description: Name of an existing EC2 KeyPair to enable SSH access to the instances Type: AWS::EC2::KeyPair::KeyName InstanceType: Description: Amazon EC2 instance type Type: String SGID: Description: The ID of the security group Type: String # XQ Gateway QuantumEndpoint: Description: URL for Quantum service endpoint Type: String ValidationEndpoint: Description: URL for Validation service endpoint Type: String SubscriptionEndpoint: Description: URL for Subscription service endpoint Type: String ManageEndpoint: Description: URL for Management service endpoint Type: String XqApiKey: Description: General API key generated from https://manage.xqmsg.com/applications Type: String DashboardApiKey: Description: Dashboard API key generated from https://manage.xqmsg.com/applications Type: String TeamId: Description: XQ Team ID associated with Gateway Type: String GatewayConfigId: Description: ID from the Gateway configuration page Type: String TrustedRangeKey: Description: The gateway config secure key from the dashboard Type: String HeartBeatInterval: Description: Number of seconds between each client-server heartbeat Type: String MonitorSocket: Description: The port number that the monitor application will listen to for UDP updates from the gateway Type: String GatewaySocket: Description: The port number that the gateway will listen to for UDP requests for the monitor Type: String Mappings: AWSAMIRegionMap: AMI: XQSG: Amazon Linux 2.0.20220316.0 x86_64 us-east-1: XQSG: ami-0022f774911c1d690 us-east-2: XQSG: ami-0fa49cc9dc8d62c84 us-west-1: XQSG: ami-02541b8af977f6cdd us-west-2: XQSG: ami-0ca285d4c2cda3300 DefaultConfiguration: MachineConfiguration: SystemVolumeSize: 20 CentosVersion: XQSG Resources: XqsgRole: Type: "AWS::IAM::Role" Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: - "ec2.amazonaws.com" Action: - "sts:AssumeRole" Path: "/" XqsgPolicy: Type: "AWS::IAM::Policy" Properties: PolicyName: !Sub '${AWS::StackName}-limited-access' PolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Resource: [ !Sub "arn:${AWS::Partition}:ec2:*:*:instance/*", !Sub "arn:${AWS::Partition}:ec2:*:*:elastic-ip/*" ] Action: [ "ec2:AssociateAddress", "ec2:DisassociateAddress" ] Roles: - Ref: "XqsgRole" XqsgInstanceProfile: Type: "AWS::IAM::InstanceProfile" Properties: Path: "/" Roles: - Ref: "XqsgRole" EIP: Type: AWS::EC2::EIP Properties: # InstanceId: !Ref 'XQServer' Domain: 'vpc' LaunchConfiguration: Type: 'AWS::AutoScaling::LaunchConfiguration' Metadata: AWS::CloudFormation::Init: config: packages: yum: awscli: [] Properties: SecurityGroups: - !Ref 'SGID' InstanceType: !Ref 'InstanceType' IamInstanceProfile: !Ref XqsgInstanceProfile ImageId: !FindInMap - AWSAMIRegionMap - !Ref 'AWS::Region' - !FindInMap - DefaultConfiguration - MachineConfiguration - CentosVersion BlockDeviceMappings: - DeviceName: /dev/sda1 Ebs: VolumeType: gp2 VolumeSize: !FindInMap - DefaultConfiguration - MachineConfiguration - SystemVolumeSize EbsOptimized: true KeyName: !Ref 'KeyPairName' UserData: Fn::Base64: !Sub | #!/bin/bash # Call Init # /opt/aws/bin/cfn-init --stack ${AWS::StackName} --resource XQServer --region ${AWS::Region} # Update all packages yum update -y yum clean all # Install dependencies and unpack gateway software yum install -y openssl11 curl curl-devel cmake3 gcc gcc-c++ kernel-devel libpcap-devel openssl11-devel nmap awscli mkdir -p /usr/local/xq/ wget https://xqmsg.com/download/xqsg-v2-rhel.tar -P /usr/local/xq/ tar -xvf /usr/local/xq/xqsg-v2-rhel.tar -C /usr/local/xq/ rm -rf /usr/local/xq/xqsg-v2-rhel.tar # Associate elastic IP with instance instanceid=`curl http://169.254.169.254/latest/meta-data/instance-id` aws ec2 associate-address --instance-id $instanceid --allocation-id ${EIP.AllocationId} --allow-reassociation --region ${AWS::Region} # Get instance metadata localip=`curl http://169.254.169.254/latest/meta-data/local-ipv4` publicip=`curl http://169.254.169.254/latest/meta-data/public-ipv4` gw=`awk -F"." '{print $1"."$2"."$3".1"}'<<<$localip` sftpe=`nmap -n -sn -T5 ${PublicSubnet1CIDR} --exclude $localip,$gw -oG - | awk '/Up$/{print $2}'` # Setup systemd for xqsg service echo "[Unit]" > /etc/systemd/system/xqmon.service echo "Description = XQ Secure Gateway Monitor" >> /etc/systemd/system/xqmon.service echo "After = network.target" >> /etc/systemd/system/xqmon.service echo "" >> /etc/systemd/system/xqmon.service echo "[Service]" >> /etc/systemd/system/xqmon.service echo "ExecStart = /usr/local/xq/xqsg/xqmon -c /usr/local/xq/xqsg/xq.ini -r /usr/local/xq/xqsg/routing.json -g /usr/local/xq/xqsg/xqsg" >> /etc/systemd/system/xqmon.service echo "Restart = always" >> /etc/systemd/system/xqmon.service echo "" >> /etc/systemd/system/xqmon.service echo "[Install]" >> /etc/systemd/system/xqmon.service echo "WantedBy = multi-user.target" >> /etc/systemd/system/xqmon.service echo "" >> /etc/systemd/system/xqmon.service # /usr/local/xq/xqsg/xq.ini echo "; XQ configuration file." > /usr/local/xq/xqsg/xq.ini echo "" >> /usr/local/xq/xqsg/xq.ini echo "[Connections]" >> /usr/local/xq/xqsg/xq.ini echo "Quantum = ${QuantumEndpoint}" >> /usr/local/xq/xqsg/xq.ini echo "Val = ${ValidationEndpoint}" >> /usr/local/xq/xqsg/xq.ini echo "Sub = ${SubscriptionEndpoint}" >> /usr/local/xq/xqsg/xq.ini echo "Saas = ${ManageEndpoint}" >> /usr/local/xq/xqsg/xq.ini echo "" >> /usr/local/xq/xqsg/xq.ini echo "[ApiKeys]" >> /usr/local/xq/xqsg/xq.ini echo "XQ=${XqApiKey}" >> /usr/local/xq/xqsg/xq.ini echo "Dashboard=${DashboardApiKey}" >> /usr/local/xq/xqsg/xq.ini echo "" >> /usr/local/xq/xqsg/xq.ini echo "[Monitor]" >> /usr/local/xq/xqsg/xq.ini echo "Team=${TeamId}" >> /usr/local/xq/xqsg/xq.ini echo "Gateway=${GatewayConfigId}" >> /usr/local/xq/xqsg/xq.ini echo "Interval=${HeartBeatInterval}" >> /usr/local/xq/xqsg/xq.ini echo "MonitorSock=${MonitorSocket}" >> /usr/local/xq/xqsg/xq.ini echo "GatewaySock=${GatewaySocket}" >> /usr/local/xq/xqsg/xq.ini echo "Key=${TrustedRangeKey}" >> /usr/local/xq/xqsg/xq.ini # start XQSG systemctl enable xqmon.service systemctl start xqmon.service # Signal the status from cfn-init # /opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource XQServer --region ${AWS::Region} AutoScalingGroup: Type: 'AWS::AutoScaling::AutoScalingGroup' Properties: DesiredCapacity: '1' HealthCheckType: EC2 LaunchConfigurationName: !Ref LaunchConfiguration MaxSize: '1' MetricsCollection: - Granularity: 1Minute Metrics: - GroupMinSize - GroupMaxSize MinSize: '0' Tags: - Key: Name PropagateAtLaunch: true Value: !Sub '${AWS::StackName}-cfn-XQ-server-linux' # TargetGroupARNs: # - !Ref TargetGroupARN VPCZoneIdentifier: - !Ref 'PublicSubnetId' Outputs: ElasticIP: Description: Elastic IP attached to the XQ Server Value: !Ref EIP