{ "AWSTemplateFormatVersion": "2010-09-09", "Description": "Create AlertLogic Cloud Insight security scan appliance infrastructure inside a VPC. The artifacts created are: Route Table using the provided Internet Gateway as default route, Subnet inside the VPC using a user specified CIDR, a Network ACL attached to the Subnet giving it full access for all ingress traffic. Also a Security Group, a Launch Configuration for the security appliances that uses the Security Group and an Autoscaling Group that uses the Launch Configuration and the created Subnet.", "Parameters": { "AccountId": { "Description": "Enter your AlertLogic account ID.", "Type": "String", "AllowedPattern": "^[1-9][0-9]*$", "ConstraintDescription": "must be a valid AlertLogic account ID" }, "DeploymentId": { "Description": "Enter your AlertLogic deployment ID.", "Type": "String", "AllowedPattern": "^[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}$", "ConstraintDescription": "must be a valid UUID" }, "VpcId": { "Description": "Select a target VPC to deploy security infrastructure.", "Type": "AWS::EC2::VPC::Id", "ConstraintDescription": "must be a valid VPC ID" }, "VpcCidr": { "Description": "Enter CIDR of the selected VPC", "Type": "String", "AllowedPattern": "^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}/[0-9]{1,2}$", "ConstraintDescription": "must be a valid CIDR" }, "InternetGatewayId": { "Description": "Enter the internet gateway ID attached to the selected VPC.", "Type": "String", "AllowedPattern": "^igw-[a-f0-9]+$", "ConstraintDescription": "must be a valid internet gateway ID" }, "SubnetId": { "Description": "Select the target subnet ID (keep empty to create a new security subnet).", "Type": "String", "Default": "", "AllowedPattern": "(^subnet-[a-f0-9]+$){0,1}", "ConstraintDescription": "must be a valid subnet ID or empty" }, "SubnetCidr": { "Description": "Enter CIDR to assign to a new security subnet (ignored if an existing subnet is selected).", "Type": "String", "AllowedPattern": "(^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}/[0-9]{1,2}$){0,1}", "ConstraintDescription": "must be a valid CIDR" }, "AssignPublicIp": { "Type": "String", "Description": "Enable to assign public IP addresses to security appliances", "Default": "true", "AllowedValues": [ "true", "false" ] }, "InstanceType": { "Description": "Select the instance type to launch security appliances", "Type": "String", "Default": "c5.large", "AllowedValues": [ "t3.medium", "t3.large", "m4.large", "m4.xlarge", "m5.large", "m5.xlarge", "c4.large", "c4.xlarge", "c5.large", "c5.xlarge" ], "ConstraintDescription": "must be a valid EC2 instance type" }, "NumAppliances": { "Description": "Enter a desired number of security appliances", "Type": "Number", "Default": "1", "MaxValue": "10", "ConstraintDescription": "must be an integer between 1 and 10" }, "DatacenterLocation": { "Description": "Select AlertLogic data center location", "Type": "String", "Default": "US", "AllowedValues": [ "US", "UK", "Integration" ], "ConstraintDescription": "must be a valid AlertLogic data center location" } }, "Metadata": { "AWS::CloudFormation::Interface": { "ParameterGroups": [ { "Label": { "default": "Alert Logic configuration" }, "Parameters": [ "AccountId", "DeploymentId", "DatacenterLocation" ] }, { "Label": { "default": "Network configuration" }, "Parameters": [ "VpcId", "VpcCidr", "SubnetId", "SubnetCidr", "InternetGatewayId" ] }, { "Label": { "default": "Scan appliances configuration" }, "Parameters": [ "InstanceType", "NumAppliances", "AssignPublicIp" ] } ], "ParameterLabels": { "AccountId": { "default": "Alert Logic Account ID" }, "DeploymentId": { "default": "Alert Logic Deployment ID" }, "DatacenterLocation": { "default": "Alert Logic DC location" }, "VpcId": { "default": "Target VPC" }, "VpcCidr": { "default": "Target VPC CIDR" }, "SubnetId": { "default": "Target Subnet" }, "SubnetCidr": { "default": "Target Subnet CIDR" }, "InternetGatewayId": { "default": "Internet gateway ID" }, "InstanceType": { "default": "AWS instance type" }, "NumAppliances": { "default": "Number of instances to deploy" }, "AssignPublicIp": { "default": "Assign Public IP" } } } }, "Conditions": { "CreateSecuritySubnet": { "Fn::Equals": [ "", { "Ref": "SubnetId" } ] }, "AssignPublicIp": { "Fn::Equals": [ "true", { "Ref": "AssignPublicIp" } ] } }, "Mappings": { "Internal": { "Tags": { "Version": "v1.0.23" } }, "RegionSettings": { "af-south-1": { "ImageId": "ami-0a4979950cb37691e" }, "ap-east-1": { "ImageId": "ami-0a8bff24b3e55224b" }, "ap-northeast-1": { "ImageId": "ami-0e9664a9fcbf01220" }, "ap-northeast-2": { "ImageId": "ami-0c0adcc9d3bf64cad" }, "ap-northeast-3": { "ImageId": "ami-0ede4174a29f36f71" }, "ap-south-1": { "ImageId": "ami-0f4fb35dea6c310c1" }, "ap-southeast-1": { "ImageId": "ami-07c7a65a21c3ccd58" }, "ap-southeast-2": { "ImageId": "ami-0b324b4d4cc6753cb" }, "ap-southeast-3": { "ImageId": "ami-02c13c56c0e9d8c99" }, "ap-southeast-4": { "ImageId": "ami-095d6d1a718ca6098" }, "ca-central-1": { "ImageId": "ami-08c790ee5bad56836" }, "eu-central-1": { "ImageId": "ami-01fd7c1b7f4d969b4" }, "eu-central-2": { "ImageId": "ami-0c77ad1e182233176" }, "eu-north-1": { "ImageId": "ami-06847c2a54fab56cc" }, "eu-south-1": { "ImageId": "ami-02e8d8010af7072ac" }, "eu-south-2": { "ImageId": "ami-06f2f18633c07ac3d" }, "eu-west-1": { "ImageId": "ami-0c5f94fee8ca0e911" }, "eu-west-2": { "ImageId": "ami-06d203499484c5431" }, "eu-west-3": { "ImageId": "ami-0338227e0ab6ac5d1" }, "il-central-1": { "ImageId": "ami-070a2f6a25338b498" }, "me-central-1": { "ImageId": "ami-08203a5cc0a9e44d1" }, "me-south-1": { "ImageId": "ami-00716048f6f598b95" }, "sa-east-1": { "ImageId": "ami-0256e6e7d007627d0" }, "us-east-1": { "ImageId": "ami-02e38d2e4fdf655ad" }, "us-east-2": { "ImageId": "ami-062df8079ee0fb7f0" }, "us-west-1": { "ImageId": "ami-0183a32d7abcc1ec5" }, "us-west-2": { "ImageId": "ami-05cb3bacd3020afe6" } }, "Vaporators": { "US": { "host": "agentapi.cloudinsight.alertlogic.com", "port": "443" }, "UK": { "host": "agentapi.cloudinsight.alertlogic.co.uk", "port": "443" }, "Integration": { "host": "agentapi.product.dev.alertlogic.com", "port": "443" } } }, "Resources": { "AutoScalingGroup": { "Type": "AWS::AutoScaling::AutoScalingGroup", "Properties": { "AutoScalingGroupName": { "Fn::Join": [ "", [ "AlertLogic Security Autoscaling Group ", { "Ref": "AccountId" }, "/", { "Ref": "DeploymentId" }, "/", { "Ref": "VpcId" } ] ] }, "AvailabilityZones": [], "VPCZoneIdentifier": { "Fn::If": [ "CreateSecuritySubnet", [ { "Ref": "Subnet" } ], [ { "Ref": "SubnetId" } ] ] }, "LaunchConfigurationName": { "Ref": "LaunchConfiguration" }, "MinSize": { "Ref": "NumAppliances" }, "MaxSize": { "Ref": "NumAppliances" }, "DesiredCapacity": { "Ref": "NumAppliances" }, "Tags": [ { "Key": "Name", "Value": "AlertLogic Security Appliance", "PropagateAtLaunch": "true" }, { "Key": "AlertLogic-AccountID", "Value": { "Ref": "AccountId" }, "PropagateAtLaunch": "true" }, { "Key": "AlertLogic-EnvironmentID", "Value": { "Ref": "DeploymentId" }, "PropagateAtLaunch": "true" }, { "Key": "AlertLogic", "Value": "Security", "PropagateAtLaunch": "true" }, { "Key": "AlertLogic Scan Manual Mode Template Version", "Value": { "Fn::FindInMap": [ "Internal", "Tags", "Version" ] }, "PropagateAtLaunch": "true" } ] } }, "LaunchConfiguration": { "Type": "AWS::AutoScaling::LaunchConfiguration", "Properties": { "LaunchConfigurationName": { "Fn::Join": [ "", [ "AlertLogic Security Launch Configuration ", { "Ref": "AccountId" }, "/", { "Ref": "DeploymentId" }, "/", { "Ref": "VpcId" } ] ] }, "ImageId": { "Fn::FindInMap": [ "RegionSettings", { "Ref": "AWS::Region" }, "ImageId" ] }, "SecurityGroups": [ { "Ref": "SecurityGroup" } ], "InstanceType": { "Ref": "InstanceType" }, "AssociatePublicIpAddress": { "Fn::If": [ "AssignPublicIp", "true", "false" ] }, "UserData": { "Fn::Base64": { "Fn::Sub": [ "{\n \"vaporator_host\": \"${VaporatorHost}\",\n \"vaporator_port\": ${VaporatorPort},\n \"account_id\": \"${AccountId}\",\n \"environment_id\": \"${DeploymentId}\"\n}", { "VaporatorHost": { "Fn::FindInMap": [ "Vaporators", { "Ref": "DatacenterLocation" }, "host" ] }, "VaporatorPort": { "Fn::FindInMap": [ "Vaporators", { "Ref": "DatacenterLocation" }, "port" ] }, "AccountId": { "Ref": "AccountId" }, "DeploymentId": { "Ref": "DeploymentId" } } ] } } } }, "SecurityGroup": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "VpcId": { "Ref": "VpcId" }, "GroupName": { "Fn::Join": [ "", [ "AlertLogic Security Group ", { "Ref": "AccountId" }, "/", { "Ref": "DeploymentId" }, "/", { "Ref": "VpcId" } ] ] }, "GroupDescription": "AlertLogic Security Group", "SecurityGroupEgress": [ { "IpProtocol": "tcp", "FromPort": "53", "ToPort": "53", "CidrIp": "0.0.0.0/0" }, { "IpProtocol": "tcp", "FromPort": "443", "ToPort": "443", "CidrIp": "0.0.0.0/0" }, { "IpProtocol": "udp", "FromPort": "53", "ToPort": "53", "CidrIp": "0.0.0.0/0" }, { "IpProtocol": "-1", "FromPort": "0", "ToPort": "0", "CidrIp": { "Ref": "VpcCidr" } } ], "Tags": [ { "Key": "Name", "Value": { "Fn::Join": [ "", [ "AlertLogic Security Group ", { "Ref": "AccountId" }, "/", { "Ref": "DeploymentId" }, "/", { "Ref": "VpcId" } ] ] } }, { "Key": "AlertLogic-AccountID", "Value": { "Ref": "AccountId" } }, { "Key": "AlertLogic-EnvironmentID", "Value": { "Ref": "DeploymentId" } }, { "Key": "AlertLogic", "Value": "Security" }, { "Key": "AlertLogic Scan Manual Mode Template Version", "Value": { "Fn::FindInMap": [ "Internal", "Tags", "Version" ] } } ] } }, "NetworkAcl": { "Type": "AWS::EC2::NetworkAcl", "Condition": "CreateSecuritySubnet", "Properties": { "VpcId": { "Ref": "VpcId" }, "Tags": [ { "Key": "Name", "Value": { "Fn::Join": [ "", [ "AlertLogic Security Network ACL ", { "Ref": "AccountId" }, "/", { "Ref": "DeploymentId" }, "/", { "Ref": "VpcId" } ] ] } }, { "Key": "AlertLogic-AccountID", "Value": { "Ref": "AccountId" } }, { "Key": "AlertLogic-EnvironmentID", "Value": { "Ref": "DeploymentId" } }, { "Key": "AlertLogic", "Value": "Security" }, { "Key": "AlertLogic Scan Manual Mode Template Version", "Value": { "Fn::FindInMap": [ "Internal", "Tags", "Version" ] } } ] } }, "NetworkAclEntryIngress": { "Type": "AWS::EC2::NetworkAclEntry", "Condition": "CreateSecuritySubnet", "Properties": { "NetworkAclId": { "Ref": "NetworkAcl" }, "RuleNumber": "100", "Protocol": "-1", "RuleAction": "allow", "Egress": "false", "CidrBlock": "0.0.0.0/0" } }, "NetworkAclEntryEgress": { "Type": "AWS::EC2::NetworkAclEntry", "Condition": "CreateSecuritySubnet", "Properties": { "NetworkAclId": { "Ref": "NetworkAcl" }, "RuleNumber": "100", "Protocol": "-1", "RuleAction": "allow", "Egress": "true", "CidrBlock": "0.0.0.0/0" } }, "SubnetNetworkAclAssociation": { "Type": "AWS::EC2::SubnetNetworkAclAssociation", "Condition": "CreateSecuritySubnet", "Properties": { "SubnetId": { "Fn::If": [ "CreateSecuritySubnet", { "Ref": "Subnet" }, { "Ref": "SubnetId" } ] }, "NetworkAclId": { "Ref": "NetworkAcl" } } }, "Subnet": { "Type": "AWS::EC2::Subnet", "Condition": "CreateSecuritySubnet", "Properties": { "VpcId": { "Ref": "VpcId" }, "CidrBlock": { "Ref": "SubnetCidr" }, "Tags": [ { "Key": "Name", "Value": { "Fn::Join": [ "", [ "AlertLogic Security Subnet ", { "Ref": "AccountId" }, "/", { "Ref": "DeploymentId" }, "/", { "Ref": "VpcId" } ] ] } }, { "Key": "AlertLogic-AccountID", "Value": { "Ref": "AccountId" } }, { "Key": "AlertLogic-EnvironmentID", "Value": { "Ref": "DeploymentId" } }, { "Key": "AlertLogic", "Value": "Security" }, { "Key": "AlertLogic Scan Manual Mode Template Version", "Value": { "Fn::FindInMap": [ "Internal", "Tags", "Version" ] } } ] } }, "RouteTable": { "Type": "AWS::EC2::RouteTable", "Condition": "CreateSecuritySubnet", "Properties": { "VpcId": { "Ref": "VpcId" }, "Tags": [ { "Key": "Name", "Value": { "Fn::Join": [ "", [ "AlertLogic Security Route Table ", { "Ref": "AccountId" }, "/", { "Ref": "DeploymentId" }, "/", { "Ref": "VpcId" } ] ] } }, { "Key": "AlertLogic-AccountID", "Value": { "Ref": "AccountId" } }, { "Key": "AlertLogic-EnvironmentID", "Value": { "Ref": "DeploymentId" } }, { "Key": "AlertLogic", "Value": "Security" }, { "Key": "AlertLogic Scan Manual Mode Template Version", "Value": { "Fn::FindInMap": [ "Internal", "Tags", "Version" ] } } ] } }, "Route": { "Type": "AWS::EC2::Route", "Condition": "CreateSecuritySubnet", "Properties": { "RouteTableId": { "Ref": "RouteTable" }, "DestinationCidrBlock": "0.0.0.0/0", "GatewayId": { "Ref": "InternetGatewayId" } } }, "SubnetRouteTableAssociation": { "Type": "AWS::EC2::SubnetRouteTableAssociation", "Condition": "CreateSecuritySubnet", "Properties": { "SubnetId": { "Fn::If": [ "CreateSecuritySubnet", { "Ref": "Subnet" }, { "Ref": "SubnetId" } ] }, "RouteTableId": { "Ref": "RouteTable" } } } }, "Outputs": { "AccountId": { "Description": "AlertLogic account ID", "Value": { "Ref": "AccountId" } }, "DeploymentId": { "Description": "AlertLogic deployment ID", "Value": { "Ref": "DeploymentId" } }, "VpcId": { "Description": "ID of the protected VPC", "Value": { "Ref": "VpcId" } }, "InternetGatewayId": { "Description": "ID of the internet gateway attached to the protected VPC", "Value": { "Ref": "InternetGatewayId" } }, "NumAppliances": { "Description": "The number of created security appliances", "Value": { "Ref": "NumAppliances" } }, "RouteTableId": { "Description": "ID of the route table created for the security subnet", "Value": { "Fn::If": [ "CreateSecuritySubnet", { "Ref": "RouteTable" }, "" ] } }, "SubnetId": { "Description": "ID of the security subnet", "Value": { "Fn::If": [ "CreateSecuritySubnet", { "Ref": "Subnet" }, { "Ref": "SubnetId" } ] } }, "SecurityGroupId": { "Description": "ID of the security group assigned to the security appliances", "Value": { "Fn::GetAtt": [ "SecurityGroup", "GroupId" ] } }, "VaporatorHost": { "Description": "A vaporator host name for the selected AlertLogic data center", "Value": { "Fn::FindInMap": [ "Vaporators", { "Ref": "DatacenterLocation" }, "host" ] } }, "VaporatorPort": { "Description": "A vaporator port for the selected AlertLogic data center", "Value": { "Fn::FindInMap": [ "Vaporators", { "Ref": "DatacenterLocation" }, "port" ] } } } }