AWSTemplateFormatVersion: 2010-09-09 Parameters: VpcId: Type: AWS::EC2::VPC::Id Description: VpcId of your existing Virtual Private Cloud (VPC) ConstraintDescription: must be the VPC Id of an existing Virtual Private Cloud. SubnetId: Type: AWS::EC2::Subnet::Id Description: SubnetId of an existing public subnet (for the primary network) in selected Virtual Private Cloud (VPC) ConstraintDescription: must be an existing public subnet in the selected Virtual Private Cloud. EC2InstanceType: Description: Rapticore Server EC2 instance type Type: String Default: t3.large ConstraintDescription: must be a valid EC2 instance type. AllowedValues: [t3.medium, t3.large, t3.2xlarge, c3.large, c3.xlarge, c3.2xlarge, c3.4xlarge, c4.large, c4.xlarge, c4.2xlarge, c4.4xlarge, c5.large, c5.xlarge, c5.2xlarge, c5.4xlarge, c5a.large, c5a.xlarge, c5a.2xlarge, c5a.4xlarge] Domain: Description: 'The domain name of your Rapticore instance.' Type: String ConstraintDescription: must be a valid domain name i.e., domain.ore.rapticore.cloud AzureIdentityLambdaArn: Description: 'ARN of existing Lambda function to use for Custom Resource to create identity for azure tenant in identity pool' Type: String Resources: ##### # Network resources ##### RapticoreSecurityGroup: Type: 'AWS::EC2::SecurityGroup' Properties: GroupDescription: Enable HTTP access VpcId: !Ref VpcId Tags: - Key: Name Value: Rapticore-Standard-Security-Group SecurityGroupIngress: - IpProtocol: tcp FromPort: 80 ToPort: 80 CidrIp: 0.0.0.0/0 - IpProtocol: tcp FromPort: 443 ToPort: 443 CidrIp: 0.0.0.0/0 - IpProtocol: tcp FromPort: 6100 ToPort: 6100 CidrIp: 0.0.0.0/0 ##### # EC2 resources ##### EC2InstanceProfileRoleForRapticore: Type: "AWS::IAM::Role" Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: - "ec2.amazonaws.com" Action: - "sts:AssumeRole" Description: !Sub 'Rapticore Standard EC2 IAM Role Deployment' Policies: - PolicyDocument: Statement: - Action: - iam:ListRole* - ec2:DescribeRegions - iam:GetRole* Effect: Allow Resource: '*' Sid: AllowIamEc2ReadyOnly - Action: sts:AssumeRole Effect: Allow Resource: 'arn:aws:iam::*:role/rapticore*' Sid: EC2AssumeRole PolicyName: RapticoreEc2Policy - PolicyDocument: Statement: - Action: - sqs:ChangeMessageVisibility - sqs:DeleteMessage - sqs:GetQueueAttributes - sqs:GetQueueUrl - sqs:ListDeadLetterSourceQueues - sqs:ListQueueTags - sqs:ListQueues - sqs:ReceiveMessage - sqs:SendMessage Effect: Allow Resource: arn:aws:sqs:us-west-2:343027753149:real-time-threat-alert-trigger Sid: AllowRapticoreRealtimeAlert PolicyName: RapticoreRealTimeAlertPolicy - PolicyDocument: Statement: - Action: 'cognito-identity:GetOpenIdTokenForDeveloperIdentity' Effect: Allow Resource: !Sub 'arn:aws:cognito-identity:${AWS::Region}:${AWS::AccountId}:identitypool/${AzureWorkloadIdentityPool}' Sid: AllowCognitoOpenIdToken PolicyName: CognitoOpenIdTokenPolicy RoleName: !Join [ "", [ 'RapticoreStandardEc2IAMRole', !Select [0, !Split [., !Ref Domain ]] ] ] EC2InstanceProfileForRapticore: Type: AWS::IAM::InstanceProfile Properties: Roles: - !Ref EC2InstanceProfileRoleForRapticore EC2Instance: Type: AWS::EC2::Instance Properties: IamInstanceProfile: !Ref EC2InstanceProfileForRapticore ImageId: ami-09ca9451840476dc8 InstanceType: !Ref EC2InstanceType SecurityGroupIds: - !Ref RapticoreSecurityGroup SubnetId: !Ref SubnetId Tags: - Key: Name Value: !Join [ "", [!Ref Domain, 'Rapticore-standard' ] ] ##### # Azure Workload Identity Resources ##### AzureWorkloadIdentityPool: Type: AWS::Cognito::IdentityPool Properties: IdentityPoolName: !Join - '' - - 'azure_workload_identity_pool_' - !Select [ 0, !Split [ '.', !Ref Domain ] ] AllowUnauthenticatedIdentities: false DeveloperProviderName: !Join - '' - - 'azure_workload_identity_' - !Select [ 0, !Split [ '.', !Ref Domain ] ] LambdaPermission: Type: AWS::Lambda::Permission Properties: Action: 'lambda:InvokeFunction' FunctionName: !Ref AzureIdentityLambdaArn Principal: 'cloudformation.amazonaws.com' SourceAccount: !Ref 'AWS::AccountId' # Custom Resource that uses the existing Lambda function GetOpenIdTokenCustomResource: Type: Custom::GetOpenIdToken DependsOn: - LambdaPermission Properties: ServiceToken: !Ref AzureIdentityLambdaArn IdentityPoolId: !Ref AzureWorkloadIdentityPool ##### # Login Key should be same as developer provider name ##### LoginKey: !Join - '' - - 'azure_workload_identity_' - !Select [ 0, !Split [ '.', !Ref Domain ] ] LoginValue: !Select [ 0, !Split [ '.', !Ref Domain ] ] Outputs: RapticoreStandardURL: Value: !Join [ "", [ "https://", !GetAtt EC2Instance.PublicDnsName ] ] Description: Rapticore Standard URL RapticoreStandardInstanceId: Description: Instance ID of the launched EC2 instance Value: !Ref EC2Instance Export: Name: !Join [ "", [ "RapticoreStandardInstanceId-", !Select [0, !Split [., !Ref Domain ]] ] ] # Azure-related outputs AzureWorkloadIdentityPoolId: Description: The ID of the Cognito Identity Pool for Azure workload identity Value: !Ref AzureWorkloadIdentityPool CreatedIdentityId: Description: The ID of the created identity in the identity pool Value: Fn::GetAtt: - GetOpenIdTokenCustomResource - IdentityId