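AWSTemplateFormatVersion: 2010-09-09
# Rapticore Standard deployment.
#
# Creates a dedicated VPC with one public subnet, an EC2 instance carrying the
# Rapticore server role, and a Cognito identity pool that is seeded with an
# identity for an Azure tenant through an existing, caller-supplied Lambda
# function (used as a CloudFormation custom resource).
#
# Behaviour-preserving clean-up of a collapsed template, plus three optional
# parameters (AmiId, WebIngressCidr, ServiceIngressCidr). Their defaults equal
# the previously hard-coded values, so existing deployments are unchanged;
# operators can now narrow the security-group ingress without editing the
# template.

Parameters:
  EC2InstanceType:
    Description: Rapticore Server EC2 instance type
    Type: String
    Default: t3.large
    ConstraintDescription: must be a valid EC2 instance type.
    AllowedValues:
      - t3.medium
      - t3.large
      - t3.2xlarge
      - c3.large
      - c3.xlarge
      - c3.2xlarge
      - c3.4xlarge
      - c4.large
      - c4.xlarge
      - c4.2xlarge
      - c4.4xlarge
      - c5.large
      - c5.xlarge
      - c5.2xlarge
      - c5.4xlarge
      - c5a.large
      - c5a.xlarge
      - c5a.2xlarge
      - c5a.4xlarge

  Domain:
    Description: 'The domain name of your Rapticore instance.'
    Type: String
    ConstraintDescription: must be a valid domain name i.e., domain.ore.rapticore.cloud

  AzureIdentityLambdaArn:
    Description: 'ARN of existing Lambda function to use for Custom Resource to create identity for azure tenant in identity pool'
    Type: String

  AmiId:
    # AMI IDs are region-specific: the default only resolves in the region the
    # image was published to. Stack creation fails early (parameter validation)
    # rather than at instance launch when it is used elsewhere.
    Description: AMI for the Rapticore server. Override when deploying outside the region the default AMI was published to.
    Type: AWS::EC2::Image::Id
    Default: ami-09ca9451840476dc8

  WebIngressCidr:
    # Default keeps the original world-open rules for 80/443. Narrow this when
    # the web interface is only meant to be reachable from known networks.
    Description: Source IPv4 CIDR allowed to reach the server on TCP 80 and 443.
    Type: String
    Default: 0.0.0.0/0
    AllowedPattern: '^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$'
    ConstraintDescription: must be an IPv4 CIDR block, e.g. 203.0.113.0/24

  ServiceIngressCidr:
    # Default keeps the original world-open rule for 6100. The template does
    # not say what listens on 6100; confirm with the server documentation
    # before deciding whether it needs to be reachable from the Internet at all.
    Description: Source IPv4 CIDR allowed to reach the server on TCP 6100.
    Type: String
    Default: 0.0.0.0/0
    AllowedPattern: '^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$'
    ConstraintDescription: must be an IPv4 CIDR block, e.g. 203.0.113.0/24

Resources:
  #####
  # Network resources
  #####
  VPC:
    Type: 'AWS::EC2::VPC'
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsHostnames: true
      EnableDnsSupport: true
      Tags:
        - Key: Name
          Value: Rapticore VPC

  InternetGateway:
    Type: 'AWS::EC2::InternetGateway'
    DependsOn: VPC

  AttachGateway:
    Type: 'AWS::EC2::VPCGatewayAttachment'
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref InternetGateway

  # Single public subnet in the first AZ of the region; the instance gets a
  # public IP at launch.
  PublicSubnet1:
    Type: 'AWS::EC2::Subnet'
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.1.0/24
      MapPublicIpOnLaunch: true
      AvailabilityZone: !Select
        - '0'
        - Fn::GetAZs: !Ref 'AWS::Region'
      Tags:
        - Key: Name
          Value: Public Subnet 1

  PublicRouteTable:
    Type: 'AWS::EC2::RouteTable'
    DependsOn:
      - AttachGateway
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: Public Route Table

  # Default route to the Internet; DependsOn ensures the gateway is attached
  # before the route is created.
  PublicRoute:
    Type: 'AWS::EC2::Route'
    DependsOn:
      - VPC
      - AttachGateway
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway

  PublicSubnet1RouteTableAssociation:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      SubnetId: !Ref PublicSubnet1
      RouteTableId: !Ref PublicRouteTable

  # Ingress only; egress is the AWS default (all traffic allowed).
  RapticoreSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: Enable HTTP access
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: Rapticore-Standard-Security-Group
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: !Ref WebIngressCidr
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: !Ref WebIngressCidr
        - IpProtocol: tcp
          FromPort: 6100
          ToPort: 6100
          CidrIp: !Ref ServiceIngressCidr

  #####
  # EC2 resources
  #####
  # Instance role for the Rapticore server. Fixed RoleName means only one
  # stack from this template can exist per account.
  EC2InstanceProfileRoleForRapticore:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - "ec2.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      Description: 'Rapticore Standard EC2 IAM Role Deployment'
      Policies:
        # Read-only IAM/EC2 discovery, plus permission to assume any role named
        # rapticore* in any account. The trust policy of each target role is
        # what actually limits which accounts this instance can reach.
        - PolicyDocument:
            Statement:
              - Action:
                  - iam:ListRole*
                  - ec2:DescribeRegions
                  - iam:GetRole*
                Effect: Allow
                Resource: '*'
                Sid: AllowIamEc2ReadyOnly
              - Action: sts:AssumeRole
                Effect: Allow
                Resource: 'arn:aws:iam::*:role/rapticore*'
                Sid: EC2AssumeRole
          PolicyName: RapticoreEc2Policy
        # Access to one fixed external queue (region and account are part of
        # the ARN, independent of where this stack is deployed).
        - PolicyDocument:
            Statement:
              - Action:
                  - sqs:ChangeMessageVisibility
                  - sqs:DeleteMessage
                  - sqs:GetQueueAttributes
                  - sqs:GetQueueUrl
                  - sqs:ListDeadLetterSourceQueues
                  - sqs:ListQueueTags
                  - sqs:ListQueues
                  - sqs:ReceiveMessage
                  - sqs:SendMessage
                Effect: Allow
                Resource: arn:aws:sqs:us-west-2:343027753149:real-time-threat-alert-trigger
                Sid: AllowRapticoreRealtimeAlert
          PolicyName: RapticoreRealTimeAlertPolicy
        # Scoped to the identity pool created below.
        - PolicyDocument:
            Statement:
              - Action: 'cognito-identity:GetOpenIdTokenForDeveloperIdentity'
                Effect: Allow
                Resource: !Sub 'arn:aws:cognito-identity:${AWS::Region}:${AWS::AccountId}:identitypool/${AzureWorkloadIdentityPool}'
                Sid: AllowCognitoOpenIdToken
          PolicyName: CognitoOpenIdTokenPolicy
      RoleName: 'RapticoreStandardEc2IAMRole'

  EC2InstanceProfileForRapticore:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref EC2InstanceProfileRoleForRapticore

  # NOTE(review): the template leaves instance metadata at the EC2 default;
  # consider MetadataOptions with HttpTokens: required (IMDSv2) once the server
  # software is confirmed to support it.
  EC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      IamInstanceProfile: !Ref EC2InstanceProfileForRapticore
      ImageId: !Ref AmiId
      InstanceType: !Ref EC2InstanceType
      SecurityGroupIds:
        - !Ref RapticoreSecurityGroup
      SubnetId: !Ref PublicSubnet1
      Tags:
        - Key: Name
          Value: !Join ['', [!Ref Domain, 'Rapticore-standard']]

  #####
  # Azure Workload Identity Resources
  #####
  # Pool and developer provider names are derived from the first label of
  # Domain (e.g. "domain" for domain.ore.rapticore.cloud).
  AzureWorkloadIdentityPool:
    Type: AWS::Cognito::IdentityPool
    Properties:
      IdentityPoolName: !Join
        - ''
        - - 'azure_workload_identity_pool_'
          - !Select [0, !Split ['.', !Ref Domain]]
      AllowUnauthenticatedIdentities: false
      DeveloperProviderName: !Join
        - ''
        - - 'azure_workload_identity_'
          - !Select [0, !Split ['.', !Ref Domain]]

  # Lets CloudFormation in this account invoke the caller-supplied Lambda.
  # SourceAccount stops CloudFormation in other accounts from using the grant.
  LambdaPermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: 'lambda:InvokeFunction'
      FunctionName: !Ref AzureIdentityLambdaArn
      Principal: 'cloudformation.amazonaws.com'
      SourceAccount: !Ref 'AWS::AccountId'

  # Custom Resource that uses the existing Lambda function. The stack trusts
  # whatever ARN is passed in AzureIdentityLambdaArn; the function code is not
  # part of this template.
  GetOpenIdTokenCustomResource:
    Type: Custom::GetOpenIdToken
    DependsOn:
      - LambdaPermission
    Properties:
      ServiceToken: !Ref AzureIdentityLambdaArn
      IdentityPoolId: !Ref AzureWorkloadIdentityPool
      #####
      # Login Key should be same as developer provider name
      #####
      LoginKey: !Join
        - ''
        - - 'azure_workload_identity_'
          - !Select [0, !Split ['.', !Ref Domain]]
      LoginValue: !Select [0, !Split ['.', !Ref Domain]]

Outputs:
  RapticoreStandardURL:
    Value: !Join ['', ['https://', !GetAtt EC2Instance.PublicDnsName]]
    Description: Rapticore Standard URL

  # Fixed export name: one stack per account and region.
  RapticoreStandardInstanceId:
    Description: Instance ID of the launched EC2 instance
    Value: !Ref EC2Instance
    Export:
      Name: 'RapticoreStandardInstanceId'

  AzureWorkloadIdentityPoolId:
    Description: The ID of the Cognito Identity Pool for Azure workload identity
    Value: !Ref AzureWorkloadIdentityPool

  # IdentityId is whatever the custom-resource Lambda returns in its Data.
  CreatedIdentityId:
    Description: The ID of the created identity in the identity pool
    Value:
      Fn::GetAtt:
        - GetOpenIdTokenCustomResource
        - IdentityId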