Checking in code for rt 7.17.4 version

This commit is contained in:
Vinay Aggarwal
2021-04-01 21:15:28 -07:00
parent 00b1196e1b
commit c0dc59a972
318 changed files with 31530 additions and 0 deletions


@@ -0,0 +1,3 @@
.DS_Store
taskcat_outputs/*
packages/


@@ -0,0 +1,4 @@
[submodule "submodules/quickstart-aws-vpc"]
path = submodules/quickstart-aws-vpc
url = https://github.com/aws-quickstart/quickstart-aws-vpc.git
branch = main


@@ -0,0 +1,94 @@
project:
name: quickstart-linux-bastion
owner: quickstart-eng@amazon.com
lambda_source_path: functions/source
lambda_zip_path: packages
s3_regional_buckets: true
regions:
- ap-northeast-1
- ap-northeast-2
- ap-south-1
- ap-southeast-1
- ap-southeast-2
- ap-east-1
- ca-central-1
- eu-central-1
- eu-west-1
- eu-west-2
- eu-west-3
- me-south-1
- sa-east-1
- us-east-1
- us-east-2
- us-west-1
- us-west-2
- us-gov-east-1
- us-gov-west-1
template: templates/linux-bastion-master.template
parameters:
AvailabilityZones: $[taskcat_getaz_2]
BastionInstanceType: t3.medium
KeyPairName: $[taskcat_getkeypair]
PrivateSubnet1CIDR: 10.0.0.0/19
PrivateSubnet2CIDR: 10.0.32.0/19
PublicSubnet1CIDR: 10.0.128.0/20
PublicSubnet2CIDR: 10.0.144.0/20
QSS3BucketName: $[taskcat_autobucket]
RemoteAccessCIDR: 10.0.0.0/16
VPCCIDR: 10.0.0.0/16
QSS3BucketRegion: $[taskcat_current_region]
tests:
amznlinux2hvm:
parameters:
BastionAMIOS: Amazon-Linux2-HVM
regions:
- ap-northeast-1
- ap-northeast-2
- ap-south-1
- ap-southeast-1
- ap-southeast-2
- ca-central-1
- eu-central-1
- eu-north-1
- eu-west-1
- eu-west-2
- eu-west-3
- sa-east-1
- us-east-1
- us-east-2
- us-west-1
- us-west-2
- cn-north-1
- cn-northwest-1
- us-gov-east-1
- us-gov-west-1
centos7hvm:
parameters:
BastionAMIOS: CentOS-7-HVM
regions:
- ap-south-1
- ca-central-1
- eu-central-1
- eu-north-1
- eu-west-1
- us-east-1
sles15hvm:
parameters:
BastionAMIOS: SUSE-SLES-15-HVM
regions:
- ap-south-1
- ca-central-1
- eu-central-1
- eu-north-1
- eu-west-1
- us-east-1
us2004hvm:
parameters:
BastionAMIOS: Ubuntu-Server-20.04-LTS-HVM
regions:
- ap-south-1
- ca-central-1
- eu-central-1
- eu-north-1
- eu-west-1
- us-east-1


@@ -0,0 +1,202 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "{}"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright {yyyy} {name of copyright owner}
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.


@@ -0,0 +1,7 @@
Copyright 2016-2016 Amazon.com, Inc. or its affiliates. All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at
http://aws.amazon.com/apache2.0/
or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.


@@ -0,0 +1,16 @@
# quickstart-linux-bastion
This Quick Start adds Linux bastion functionality to your AWS Cloud environment. It deploys Linux bastion hosts that provide secure access to your Linux instances in public or private subnets. Use this Quick Start as a building block for your Linux-based deployments on AWS. You can choose to create a new VPC environment for your Linux bastion hosts or deploy them into your existing VPC environment. After you deploy the Quick Start, you can add other AWS services, infrastructure components, and software layers to complete your test or production Linux environment on the AWS Cloud.
![Quick Start Linux Bastion Design Architecture](https://docs.aws.amazon.com/quickstart/latest/linux-bastion/images/linux-bastion-hosts-on-aws-architecture.png )
Deployment steps:
1. Sign up for an AWS account at https://aws.amazon.com, select a region, and create a key pair.
2. In the AWS CloudFormation console, launch one of the following templates to build a new stack:
* /templates/linux-bastion-master.template (to deploy bastion hosts into a new VPC)
* /templates/linux-bastion.template (to deploy bastion hosts into your existing VPC)
3. Add AWS services and other applications.
The Quick Start provides parameters that you can set to customize your deployment. For architectural details, best practices, step-by-step instructions, and customization options, see the [deployment guide](https://fwd.aws/R9NRw).


@@ -0,0 +1,32 @@
#!/bin/bash
function install_stuff_ubuntu(){
apt-get -y install auditd
}
function add_the_rules(){
cat /tmp/auditd.rules >> /etc/audit/rules.d/audit.rules
rm /tmp/auditd.rules
}
function restart_services(){
case "${BASTION_OS}" in
Amazon)
/usr/sbin/service auditd restart
;;
CentOS|SUSE)
/sbin/service auditd restart
;;
Ubuntu)
service auditd restart
;;
esac
}
case "${BASTION_OS}" in
Ubuntu)
install_stuff_ubuntu
;;
esac
add_the_rules
restart_services
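Review bot: `add_the_rules` appends `/tmp/auditd.rules` to `/etc/audit/rules.d/audit.rules` without checking that the staged file exists, and the script sets no `set -e`, so a missing or unreadable file makes `cat` and `rm` fail, `restart_services` reloads auditd with unchanged rules, and the script still exits 0. Because `/tmp` is world-writable, whatever stages that file (not part of this section) should write it root-owned with a restrictive mode, and this function should refuse anything else before the `cat`, e.g. `[[ -f /tmp/auditd.rules && -O /tmp/auditd.rules ]] || { echo 'auditd.rules missing or not owned by root' >&2; exit 1; }`. Note also that `install_stuff_ubuntu` is the only branch that installs auditd; the Amazon, CentOS and SUSE paths assume it is already present, which deserves a comment above `restart_services` such as `# auditd is expected to be preinstalled on Amazon Linux, CentOS and SLES images`.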


@@ -0,0 +1,12 @@
###############################################################################
# ___ ______ ___ _ _ ____ _ _ #
# / \ \ / / ___| / _ \ _ _(_) ___| | __ / ___|| |_ __ _ _ __| |_ #
# / _ \ \ /\ / /\___ \ | | | | | | | |/ __| |/ / \___ \| __/ _` | '__| __| #
# / ___ \ V V / ___) | | |_| | |_| | | (__| < ___) | || (_| | | | |_ #
# /_/ \_\_/\_/ |____/ \__\_\\__,_|_|\___|_|\_\ |____/ \__\__,_|_| \__| #
#-----------------------------------------------------------------------------#
# Authorized access only! #
# Disconnect IMMEDIATELY if you are not an authorized user!!! #
# All actions will be monitored and recorded. #
###############################################################################


@@ -0,0 +1,380 @@
#!/bin/bash -e
# Bastion Bootstrapping
# authors: tonynv@amazon.com, sancard@amazon.com, ianhill@amazon.com
# NOTE: This requires GNU getopt. On Mac OS X and FreeBSD you must install GNU getopt and mod the checkos function so that it's supported
# Configuration
PROGRAM='Linux Bastion'
##################################### Functions Definitions
function checkos () {
platform='unknown'
unamestr=`uname`
if [[ "${unamestr}" == 'Linux' ]]; then
platform='linux'
else
echo "[WARNING] This script is not supported on MacOS or FreeBSD"
exit 1
fi
echo "${FUNCNAME[0]} Ended"
}
function setup_environment_variables() {
REGION=$(curl -sq http://169.254.169.254/latest/meta-data/placement/availability-zone/)
#ex: us-east-1a => us-east-1
REGION=${REGION: :-1}
ETH0_MAC=$(/sbin/ip link show dev eth0 | /bin/egrep -o -i 'link/ether\ ([0-9a-z]{2}:){5}[0-9a-z]{2}' | /bin/sed -e 's,link/ether\ ,,g')
_userdata_file="/var/lib/cloud/instance/user-data.txt"
INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id)
EIP_LIST=$(grep EIP_LIST ${_userdata_file} | sed -e 's/EIP_LIST=//g' -e 's/\"//g')
LOCAL_IP_ADDRESS=$(curl -sq 169.254.169.254/latest/meta-data/network/interfaces/macs/${ETH0_MAC}/local-ipv4s/)
CWG=$(grep CLOUDWATCHGROUP ${_userdata_file} | sed 's/CLOUDWATCHGROUP=//g')
export REGION ETH0_MAC EIP_LIST CWG LOCAL_IP_ADDRESS INSTANCE_ID
}
function verify_dependencies(){
if [[ "a$(which aws)" == "a" ]]; then
pip install awscli
fi
echo "${FUNCNAME[0]} Ended"
}
function usage() {
echo "$0 <usage>"
echo " "
echo "options:"
echo -e "--help \t Show options for this script"
echo -e "--banner \t Enable or Disable Bastion Message"
echo -e "--enable \t SSH Banner"
echo -e "--tcp-forwarding \t Enable or Disable TCP Forwarding"
echo -e "--x11-forwarding \t Enable or Disable X11 Forwarding"
}
function chkstatus () {
if [[ $? -eq 0 ]]
then
echo "Script [PASS]"
else
echo "Script [FAILED]" >&2
exit 1
fi
}
function osrelease () {
OS=`cat /etc/os-release | grep '^NAME=' | tr -d \" | sed 's/\n//g' | sed 's/NAME=//g'`
if [[ "${OS}" == "Ubuntu" ]]; then
echo "Ubuntu"
elif [[ "${OS}" == "Amazon Linux AMI" ]] || [[ "${OS}" == "Amazon Linux" ]]; then
echo "AMZN"
elif [[ "${OS}" == "CentOS Linux" ]]; then
echo "CentOS"
elif [[ "${OS}" == "SLES" ]]; then
echo "SLES"
else
echo "Operating System Not Found"
fi
echo "${FUNCNAME[0]} Ended" >> /var/log/cfn-init.log
}
function setup_logs () {
echo "${FUNCNAME[0]} Started"
URL_SUFFIX="${URL_SUFFIX:-amazonaws.com}"
if [[ "${release}" == "SLES" ]]; then
curl "https://amazoncloudwatch-agent-${REGION}.s3.${REGION}.${URL_SUFFIX}/suse/amd64/latest/amazon-cloudwatch-agent.rpm" -O
zypper install --allow-unsigned-rpm -y ./amazon-cloudwatch-agent.rpm
rm ./amazon-cloudwatch-agent.rpm
elif [[ "${release}" == "CentOS" ]]; then
curl "https://amazoncloudwatch-agent-${REGION}.s3.${REGION}.${URL_SUFFIX}/centos/amd64/latest/amazon-cloudwatch-agent.rpm" -O
rpm -U ./amazon-cloudwatch-agent.rpm
rm ./amazon-cloudwatch-agent.rpm
elif [[ "${release}" == "Ubuntu" ]]; then
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
curl "https://amazoncloudwatch-agent-${REGION}.s3.${REGION}.${URL_SUFFIX}/ubuntu/amd64/latest/amazon-cloudwatch-agent.deb" -O
dpkg -i -E ./amazon-cloudwatch-agent.deb
rm ./amazon-cloudwatch-agent.deb
elif [[ "${release}" == "AMZN" ]]; then
curl "https://amazoncloudwatch-agent-${REGION}.s3.${REGION}.${URL_SUFFIX}/amazon_linux/amd64/latest/amazon-cloudwatch-agent.rpm" -O
rpm -U ./amazon-cloudwatch-agent.rpm
rm ./amazon-cloudwatch-agent.rpm
fi
cat <<EOF >> /opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json
{
"logs": {
"force_flush_interval": 5,
"logs_collected": {
"files": {
"collect_list": [
{
"file_path": "/var/log/auditd/auditd.log",
"log_group_name": "${CWG}",
"log_stream_name": "{instance_id}",
"timestamp_format": "%Y-%m-%d %H:%M:%S",
"timezone": "UTC"
}
]
}
}
}
}
EOF
if [ -x /bin/systemctl ] || [ -x /usr/bin/systemctl ]; then
systemctl enable amazon-cloudwatch-agent.service
systemctl restart amazon-cloudwatch-agent.service
else
start amazon-cloudwatch-agent
fi
}
function setup_os () {
echo "${FUNCNAME[0]} Started"
echo "Defaults env_keep += \"SSH_CLIENT\"" >> /etc/sudoers
if [[ "${release}" == "Ubuntu" ]]; then
user_group="ubuntu"
elif [[ "${release}" == "CentOS" ]]; then
user_group="centos"
elif [[ "${release}" == "SLES" ]]; then
user_group="users"
else
user_group="ec2-user"
fi
if [[ "${release}" == "CentOS" ]]; then
/sbin/restorecon -v /etc/ssh/sshd_config
systemctl restart sshd
fi
if [[ "${release}" == "SLES" ]]; then
echo "0 0 * * * zypper patch --non-interactive" > ~/mycron
elif [[ "${release}" == "Ubuntu" ]]; then
apt-get install -y unattended-upgrades
echo "0 0 * * * unattended-upgrades -d" > ~/mycron
else
echo "0 0 * * * yum -y update --security" > ~/mycron
fi
crontab ~/mycron
rm ~/mycron
echo "${FUNCNAME[0]} Ended"
}
function request_eip() {
# Is the already-assigned Public IP an elastic IP?
_query_assigned_public_ip
set +e
_determine_eip_assc_status ${PUBLIC_IP_ADDRESS}
set -e
if [[ ${_eip_associated} -eq 0 ]]; then
echo "The Public IP address associated with eth0 (${PUBLIC_IP_ADDRESS}) is already an Elastic IP. Not proceeding further."
exit 1
fi
EIP_ARRAY=(${EIP_LIST//,/ })
_eip_assigned_count=0
for eip in "${EIP_ARRAY[@]}"; do
if [[ "${eip}" == "Null" ]]; then
echo "Detected a NULL Value, moving on."
continue
fi
# Determine if the EIP has already been assigned.
set +e
_determine_eip_assc_status ${eip}
set -e
if [[ ${_eip_associated} -eq 0 ]]; then
echo "Elastic IP [${eip}] already has an association. Moving on."
let _eip_assigned_count+=1
if [[ "${_eip_assigned_count}" -eq "${#EIP_ARRAY[@]}" ]]; then
echo "All of the stack EIPs have been assigned (${_eip_assigned_count}/${#EIP_ARRAY[@]}). I can't assign anything else. Exiting."
exit 1
fi
continue
fi
_determine_eip_allocation ${eip}
# Attempt to assign EIP to the ENI.
set +e
aws ec2 associate-address --instance-id ${INSTANCE_ID} --allocation-id ${eip_allocation} --region ${REGION}
rc=$?
set -e
if [[ ${rc} -ne 0 ]]; then
let _eip_assigned_count+=1
continue
else
echo "The newly-assigned EIP is ${eip}. It is mapped under EIP Allocation ${eip_allocation}"
break
fi
done
echo "${FUNCNAME[0]} Ended"
}
function _query_assigned_public_ip() {
# Note: ETH0 Only.
# - Does not distinguish between EIP and Standard IP. Need to cross-ref later.
echo "Querying the assigned public IP"
PUBLIC_IP_ADDRESS=$(curl -sq 169.254.169.254/latest/meta-data/public-ipv4/${ETH0_MAC}/public-ipv4s/)
}
function _determine_eip_assc_status(){
# Is the provided EIP associated?
# Also determines if an IP is an EIP.
# 0 => true
# 1 => false
echo "Determining EIP Association Status for [${1}]"
set +e
aws ec2 describe-addresses --public-ips ${1} --output text --region ${REGION} 2>/dev/null | grep -o -i eipassoc -q
rc=$?
set -e
if [[ ${rc} -eq 1 ]]; then
_eip_associated=1
else
_eip_associated=0
fi
}
function _determine_eip_allocation(){
echo "Determining EIP Allocation for [${1}]"
resource_id_length=$(aws ec2 describe-addresses --public-ips ${1} --output text --region ${REGION} | head -n 1 | awk {'print $2'} | sed 's/.*eipalloc-//')
if [[ "${#resource_id_length}" -eq 17 ]]; then
eip_allocation=$(aws ec2 describe-addresses --public-ips ${1} --output text --region ${REGION}| egrep 'eipalloc-([a-z0-9]{17})' -o)
else
eip_allocation=$(aws ec2 describe-addresses --public-ips ${1} --output text --region ${REGION}| egrep 'eipalloc-([a-z0-9]{8})' -o)
fi
}
function prevent_process_snooping() {
# Prevent bastion host users from viewing processes owned by other users.
mount -o remount,rw,hidepid=2 /proc
awk '!/proc/' /etc/fstab > temp && mv temp /etc/fstab
echo "proc /proc proc defaults,hidepid=2 0 0" >> /etc/fstab
echo "${FUNCNAME[0]} Ended"
}
##################################### End Function Definitions
# Call checkos to ensure platform is Linux
checkos
# Verify dependencies are installed.
verify_dependencies
# Assuming it is, setup environment variables.
setup_environment_variables
## set an initial value
SSH_BANNER="LINUX BASTION"
# Read the options from cli input
TEMP=`getopt -o h --longoptions help,banner:,enable:,tcp-forwarding:,x11-forwarding: -n $0 -- "$@"`
eval set -- "${TEMP}"
if [[ $# == 1 ]] ; then echo "No input provided! type ($0 --help) to see usage help" >&2 ; exit 1 ; fi
# extract options and their arguments into variables.
while true; do
case "$1" in
-h | --help)
usage
exit 1
;;
--banner)
BANNER_PATH="$2";
shift 2
;;
--enable)
ENABLE="$2";
shift 2
;;
--tcp-forwarding)
TCP_FORWARDING="$2";
shift 2
;;
--x11-forwarding)
X11_FORWARDING="$2";
shift 2
;;
--)
break
;;
*)
break
;;
esac
done
# BANNER CONFIGURATION
BANNER_FILE="/etc/ssh_banner"
if [[ ${ENABLE} == "true" ]];then
if [[ -z ${BANNER_PATH} ]];then
echo "BANNER_PATH is null skipping ..."
else
echo "BANNER_PATH = ${BANNER_PATH}"
echo "Creating Banner in ${BANNER_FILE}"
aws s3 cp "${BANNER_PATH}" "${BANNER_FILE}" --region ${BANNER_REGION}
if [[ -e ${BANNER_FILE} ]] ;then
echo "[INFO] Installing banner ... "
echo -e "\n Banner ${BANNER_FILE}" >>/etc/ssh/sshd_config
else
echo "[INFO] banner file is not accessible skipping ..."
exit 1;
fi
fi
else
echo "Banner message is not enabled!"
fi
#Enable/Disable TCP forwarding
TCP_FORWARDING=`echo "${TCP_FORWARDING}" | sed 's/\\n//g'`
#Enable/Disable X11 forwarding
X11_FORWARDING=`echo "${X11_FORWARDING}" | sed 's/\\n//g'`
echo "Value of TCP_FORWARDING - ${TCP_FORWARDING}"
echo "Value of X11_FORWARDING - ${X11_FORWARDING}"
if [[ ${TCP_FORWARDING} == "false" ]];then
awk '!/AllowTcpForwarding/' /etc/ssh/sshd_config > temp && mv temp /etc/ssh/sshd_config
echo "AllowTcpForwarding no" >> /etc/ssh/sshd_config
fi
if [[ ${X11_FORWARDING} == "false" ]];then
awk '!/X11Forwarding/' /etc/ssh/sshd_config > temp && mv temp /etc/ssh/sshd_config
echo "X11Forwarding no" >> /etc/ssh/sshd_config
fi
release=$(osrelease)
if [[ "${release}" == "Operating System Not Found" ]]; then
echo "[ERROR] Unsupported Linux Bastion OS"
exit 1
else
setup_os
setup_logs
fi
prevent_process_snooping
request_eip
echo "Bootstrap complete."
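Review bot: The sshd_config edits in the main body (the `Banner` append, and the `AllowTcpForwarding no` / `X11Forwarding no` rewrites) only reach the running daemon on CentOS, because the `systemctl restart sshd` in `setup_os` sits inside the `release == CentOS` branch; on Amazon Linux, Ubuntu and SLES the forwarding restrictions stay inactive until something outside this script restarts sshd, so the restart should run for every release after the edits, e.g. `systemctl restart sshd 2>/dev/null || systemctl restart ssh` (Ubuntu names the unit `ssh`), guarded by the same `systemctl` existence test already used in `setup_logs`. The metadata lookups in `setup_environment_variables` and `_query_assigned_public_ip` are unauthenticated IMDSv1 `curl` calls; on a host that is deliberately exposed to remote users, fetch an IMDSv2 token first (`TOKEN=$(curl -sX PUT http://169.254.169.254/latest/api/token -H 'X-aws-ec2-metadata-token-ttl-seconds: 60')`) and send it as `X-aws-ec2-metadata-token`, so the instance can later be launched with IMDSv2 required. `setup_logs` installs the CloudWatch agent with `zypper install --allow-unsigned-rpm` and plain `rpm -U` / `dpkg -i` of a freshly downloaded package with no signature verification; importing the agent's publisher key and checking the package before install keeps the bootstrap from trusting whatever the download returns. `BANNER_REGION`, used in the `aws s3 cp` of the banner block, is never assigned in this file and is not a `getopt` option, so unless the caller exports it the copy runs with an empty `--region` and, under `bash -e`, aborts the bootstrap. Appending `Defaults env_keep += "SSH_CLIENT"` straight to `/etc/sudoers` in `setup_os` bypasses `visudo` syntax checking and duplicates the line on every run; a drop-in under `/etc/sudoers.d/` validated with `visudo -cf` is the safer form.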


@@ -0,0 +1,299 @@
AWSTemplateFormatVersion: 2010-09-09
Description: LinuxBastion+VPC Jul,30,2020 (qs-1qup6ra9p) (Please do not remove)
Metadata:
LICENSE: Apache License, Version 2.0
'AWS::CloudFormation::Interface':
ParameterGroups:
- Label:
default: Network configuration
Parameters:
- AvailabilityZones
- VPCCIDR
- PrivateSubnet1CIDR
- PrivateSubnet2CIDR
- PublicSubnet1CIDR
- PublicSubnet2CIDR
- RemoteAccessCIDR
- VPCTenancy
- Label:
default: Amazon EC2 configuration
Parameters:
- KeyPairName
- BastionAMIOS
- BastionInstanceType
- Label:
default: Linux bastion configuration
Parameters:
- NumBastionHosts
- BastionHostName
- BastionTenancy
- EnableBanner
- BastionBanner
- EnableTCPForwarding
- EnableX11Forwarding
- Label:
default: AWS Quick Start configuration
Parameters:
- QSS3BucketName
- QSS3KeyPrefix
- QSS3BucketRegion
ParameterLabels:
AvailabilityZones:
default: Availability Zones
BastionAMIOS:
default: Bastion AMI operating system
BastionHostName:
default: Bastion Host Name
BastionTenancy:
default: Bastion tenancy
BastionBanner:
default: Banner text
BastionInstanceType:
default: Bastion instance type
QSS3BucketRegion:
default: Quick Start S3 bucket region
EnableBanner:
default: Bastion banner
EnableTCPForwarding:
default: TCP forwarding
EnableX11Forwarding:
default: X11 forwarding
KeyPairName:
default: Key pair name
NumBastionHosts:
default: Number of bastion hosts
PrivateSubnet1CIDR:
default: Private subnet 1 CIDR
PrivateSubnet2CIDR:
default: Private subnet 2 CIDR
PublicSubnet1CIDR:
default: Public subnet 1 CIDR
PublicSubnet2CIDR:
default: Public subnet 2 CIDR
VPCTenancy:
default: VPC tenancy
QSS3BucketName:
default: Quick Start S3 bucket name
QSS3KeyPrefix:
default: Quick Start S3 key prefix
RemoteAccessCIDR:
default: Allowed bastion external access CIDR
VPCCIDR:
default: VPC CIDR
cfn-lint: { config: { ignore_checks: [E9007] } }
Parameters:
AvailabilityZones:
Description: 'List of Availability Zones to use for the subnets in the VPC. Note: ( The logical order is preserved and only 2 AZs are used for this deployment.'
Type: 'List<AWS::EC2::AvailabilityZone::Name>'
BastionAMIOS:
AllowedValues:
- Amazon-Linux2-HVM
- CentOS-7-HVM
- Ubuntu-Server-20.04-LTS-HVM
- SUSE-SLES-15-HVM
Default: Amazon-Linux2-HVM
Description: The Linux distribution for the AMI to be used for the bastion instances.
Type: String
BastionHostName:
Default: 'LinuxBastion'
Description: The value used for the name tag of the bastion host
Type: String
BastionBanner:
Default: ""
Description: Banner text to display upon login.
Type: String
BastionTenancy:
Description: 'VPC tenancy to launch the bastion in. Options: ''dedicated'' or ''default'''
Type: String
Default: default
AllowedValues:
- dedicated
- default
BastionInstanceType:
Description: Amazon EC2 instance type for the bastion instances.
Type: String
Default: t2.micro
AllowedValues:
- t2.nano
- t2.micro
- t2.small
- t2.medium
- t2.large
- t3.micro
- t3.small
- t3.medium
- t3.large
- t3.xlarge
- t3.2xlarge
- m3.large
- m3.xlarge
- m3.2xlarge
- m4.large
- m4.xlarge
- m4.2xlarge
- m4.4xlarge
EnableBanner:
AllowedValues:
- 'true'
- 'false'
Default: 'false'
Description: To include a banner to be displayed when connecting via SSH to the
bastion, choose true.
Type: String
EnableTCPForwarding:
Type: String
Description: To enable TCP forwarding, choose true.
Default: 'false'
AllowedValues:
- 'true'
- 'false'
EnableX11Forwarding:
Type: String
Description: To enable X11 forwarding, choose true.
Default: 'false'
AllowedValues:
- 'true'
- 'false'
KeyPairName:
Description: Name of an existing public/private key pair, which allows you to securely connect to your instance
after it launches.
Type: 'AWS::EC2::KeyPair::KeyName'
NumBastionHosts:
AllowedValues:
- '1'
- '2'
- '3'
- '4'
Default: '1'
Description: The number of bastion hosts to create. The maximum number is four.
Type: String
PrivateSubnet1CIDR:
AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
Default: 10.0.0.0/19
Description: CIDR block for private subnet 1 located in Availability Zone 1.
Type: String
PrivateSubnet2CIDR:
AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
Default: 10.0.32.0/19
Description: CIDR block for private subnet 2 located in Availability Zone 2.
Type: String
PublicSubnet1CIDR:
AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
Default: 10.0.128.0/20
Description: CIDR Block for the public DMZ subnet 1 located in Availability Zone 1.
Type: String
PublicSubnet2CIDR:
AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
Default: 10.0.144.0/20
Description: CIDR Block for the public DMZ subnet 2 located in Availability Zone 2.
Type: String
VPCTenancy:
AllowedValues:
- default
- dedicated
Default: default
Description: The allowed tenancy of instances launched into the VPC.
Type: String
QSS3BucketName:
AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$
ConstraintDescription: Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).
Default: aws-quickstart
Description: S3 bucket name for the Quick Start assets. Quick Start bucket name can
include numbers, lowercase letters, uppercase letters, and hyphens (-). It
cannot start or end with a hyphen (-).
Type: String
QSS3KeyPrefix:
AllowedPattern: ^([0-9a-zA-Z-.]+/)*$
ConstraintDescription: Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), dots (.) and forward slash (/). The prefix should end with a forward slash (/).
Default: quickstart-linux-bastion/
Description: S3 key prefix for the Quick Start assets. Quick Start key prefix can
include numbers, lowercase letters, uppercase letters, hyphens (-), dots
(.) and forward slash (/) and it should end with a forward slash (/).
Type: String
QSS3BucketRegion:
Default: 'us-east-1'
Description: The AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. When using your own bucket, you must specify this value.
Type: String
RemoteAccessCIDR:
AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$
ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/x
Description: Allowed CIDR block for external SSH access to the bastions
Type: String
VPCCIDR:
AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
Default: 10.0.0.0/16
Description: CIDR Block for the VPC.
Type: String
Conditions:
UsingDefaultBucket: !Equals
- !Ref QSS3BucketName
- 'aws-quickstart'
Resources:
VPCStack:
Type: 'AWS::CloudFormation::Stack'
Properties:
TemplateURL: !Sub
- https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-aws-vpc/templates/aws-vpc.template
- S3Bucket: !If
- UsingDefaultBucket
- !Sub 'aws-quickstart-${AWS::Region}'
- !Ref 'QSS3BucketName'
S3Region: !If
- UsingDefaultBucket
- !Ref 'AWS::Region'
- !Ref 'QSS3BucketRegion'
Parameters:
AvailabilityZones: !Join
- ','
- !Ref AvailabilityZones
KeyPairName: !Ref KeyPairName
NumberOfAZs: '2'
PrivateSubnet1ACIDR: !Ref PrivateSubnet1CIDR
PrivateSubnet2ACIDR: !Ref PrivateSubnet2CIDR
PublicSubnet1CIDR: !Ref PublicSubnet1CIDR
PublicSubnet2CIDR: !Ref PublicSubnet2CIDR
VPCCIDR: !Ref VPCCIDR
VPCTenancy: !Ref VPCTenancy
BastionStack:
Type: 'AWS::CloudFormation::Stack'
Properties:
TemplateURL: !Sub
- https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/linux-bastion.template
- S3Bucket: !If
- UsingDefaultBucket
- !Sub 'aws-quickstart-${AWS::Region}'
- !Ref 'QSS3BucketName'
S3Region: !If
- UsingDefaultBucket
- !Ref 'AWS::Region'
- !Ref 'QSS3BucketRegion'
Parameters:
BastionAMIOS: !Ref BastionAMIOS
BastionHostName: !Ref BastionHostName
BastionBanner: !Ref BastionBanner
BastionInstanceType: !Ref BastionInstanceType
BastionTenancy: !Ref BastionTenancy
EnableBanner: !Ref EnableBanner
EnableTCPForwarding: !Ref EnableTCPForwarding
EnableX11Forwarding: !Ref EnableX11Forwarding
KeyPairName: !Ref KeyPairName
NumBastionHosts: !Ref NumBastionHosts
PublicSubnet1ID: !GetAtt
- VPCStack
- Outputs.PublicSubnet1ID
PublicSubnet2ID: !GetAtt
- VPCStack
- Outputs.PublicSubnet2ID
QSS3BucketRegion: !Ref QSS3BucketRegion
QSS3BucketName: !Ref QSS3BucketName
QSS3KeyPrefix: !Ref QSS3KeyPrefix
RemoteAccessCIDR: !Ref RemoteAccessCIDR
VPCID: !GetAtt
- VPCStack
- Outputs.VPCID
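Review bot: `RemoteAccessCIDR` has no `Default` and its `AllowedPattern` accepts any prefix length down to `/0`, so an operator can open the bastion's SSH access to `0.0.0.0/0` with no hint from the template; consider saying so in the `Description`, e.g. `Allowed CIDR block for external SSH access to the bastions. Restrict this to your own source range; 0.0.0.0/0 exposes SSH to the entire internet.` The parameter is only passed through to `BastionStack` here, and the security group that consumes it is not in this file section. Separately, the `AvailabilityZones` description carries a stray `(` before `The logical order`, which should be removed.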


@@ -0,0 +1,725 @@
AWSTemplateFormatVersion: 2010-09-09
Description: LinuxBastion+VPC Jul,30,2020 (qs-1qup6ra99) (Please do not remove)
Metadata:
LICENSE: Apache License, Version 2.0
'AWS::CloudFormation::Interface':
ParameterGroups:
- Label:
default: Network configuration
Parameters:
- VPCID
- PublicSubnet1ID
- PublicSubnet2ID
- RemoteAccessCIDR
- Label:
default: Amazon EC2 configuration
Parameters:
- KeyPairName
- BastionAMIOS
- BastionInstanceType
- RootVolumeSize
- Label:
default: Linux bastion configuration
Parameters:
- NumBastionHosts
- BastionHostName
- BastionTenancy
- EnableBanner
- BastionBanner
- EnableTCPForwarding
- EnableX11Forwarding
- Label:
default: Alternative configurations
Parameters:
- AlternativeInitializationScript
- OSImageOverride
- AlternativeIAMRole
- EnvironmentVariables
- Label:
default: AWS Quick Start configuration
Parameters:
- QSS3BucketName
- QSS3KeyPrefix
- QSS3BucketRegion
ParameterLabels:
AlternativeIAMRole:
default: Alternative IAM role
AlternativeInitializationScript:
default: Alternative initialization script
BastionAMIOS:
default: Bastion AMI operating system
BastionHostName:
default: Bastion Host Name
BastionTenancy:
default: Bastion tenancy
BastionBanner:
default: Banner text
QSS3BucketRegion:
default: Quick Start S3 bucket region
BastionInstanceType:
default: Bastion instance type
EnableBanner:
default: Bastion banner
EnableTCPForwarding:
default: TCP forwarding
EnableX11Forwarding:
default: X11 forwarding
EnvironmentVariables:
default: Environment variables
KeyPairName:
default: Key pair name
NumBastionHosts:
default: Number of bastion hosts
OSImageOverride:
default: Operating system override
PublicSubnet1ID:
default: Public subnet 1 ID
PublicSubnet2ID:
default: Public subnet 2 ID
QSS3BucketName:
default: Quick Start S3 bucket name
QSS3KeyPrefix:
default: Quick Start S3 key prefix
RemoteAccessCIDR:
default: Allowed bastion external access CIDR
VPCID:
default: VPC ID
RootVolumeSize:
default: Root volume size
cfn-lint: { config: { ignore_checks: [E9007] } }
Parameters:
BastionAMIOS:
AllowedValues:
- Amazon-Linux2-HVM
- CentOS-7-HVM
- Ubuntu-Server-20.04-LTS-HVM
- SUSE-SLES-15-HVM
Default: Amazon-Linux2-HVM
Description: The Linux distribution for the AMI to be used for the bastion instances.
Type: String
BastionHostName:
Default: 'LinuxBastion'
Description: The value used for the name tag of the bastion host
Type: String
BastionBanner:
Default: ""
Description: Banner text to display upon login.
Type: String
BastionTenancy:
Description: 'VPC tenancy to launch the bastion in. Options: ''dedicated'' or ''default'''
Type: String
Default: default
AllowedValues:
- dedicated
- default
BastionInstanceType:
AllowedValues:
- t2.nano
- t2.micro
- t2.small
- t2.medium
- t2.large
- t3.micro
- t3.small
- t3.medium
- t3.large
- t3.xlarge
- t3.2xlarge
- m4.large
- m4.xlarge
- m4.2xlarge
- m4.4xlarge
Default: t2.micro
Description: Amazon EC2 instance type for the bastion instances.
Type: String
EnableBanner:
AllowedValues:
- 'true'
- 'false'
Default: 'false'
Description: To include a banner to be displayed when connecting via SSH to the
bastion, choose true.
Type: String
EnableTCPForwarding:
Type: String
Description: To enable TCP forwarding, choose true.
Default: 'false'
AllowedValues:
- 'true'
- 'false'
EnableX11Forwarding:
Type: String
Description: To enable X11 forwarding, choose true.
Default: 'false'
AllowedValues:
- 'true'
- 'false'
KeyPairName:
Description: Name of an existing public/private key pair. If you do not have one in this AWS Region,
please create it before continuing.
Type: 'AWS::EC2::KeyPair::KeyName'
NumBastionHosts:
AllowedValues:
- '1'
- '2'
- '3'
- '4'
Default: '1'
Description: The number of bastion hosts to create. The maximum number is four.
Type: String
PublicSubnet1ID:
Description: ID of the public subnet 1 that you want to provision the first bastion
into (e.g., subnet-a0246dcd).
Type: 'AWS::EC2::Subnet::Id'
PublicSubnet2ID:
Description: ID of the public subnet 2 that you want to provision the second bastion into
(e.g., subnet-e3246d8e).
Type: 'AWS::EC2::Subnet::Id'
QSS3BucketName:
AllowedPattern: '^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$'
ConstraintDescription: Quick Start bucket name can include numbers, lowercase letters, uppercase
letters, and hyphens (-). It cannot start or end with a hyphen (-).
Default: aws-quickstart
Description: S3 bucket name for the Quick Start assets. Quick Start bucket name can
include numbers, lowercase letters, uppercase letters, and hyphens (-). It
cannot start or end with a hyphen (-).
Type: String
QSS3BucketRegion:
Default: 'us-east-1'
Description: The AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. When using your own bucket, you must specify this value.
Type: String
QSS3KeyPrefix:
AllowedPattern: '^([0-9a-zA-Z-.]+/)*$'
ConstraintDescription: Quick Start key prefix can include numbers, lowercase letters, uppercase
letters, hyphens (-), dots (.) and forward slash (/). The prefix should
end with a forward slash (/).
Default: quickstart-linux-bastion/
Description: S3 key prefix for the Quick Start assets. Quick Start key prefix can
include numbers, lowercase letters, uppercase letters, hyphens (-), dots
(.) and forward slash (/) and it should end with a forward slash (/).
Type: String
RemoteAccessCIDR:
AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$
ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/x
Description: Allowed CIDR block for external SSH access to the bastions.
Type: String
VPCID:
Description: 'ID of the VPC (e.g., vpc-0343606e).'
Type: 'AWS::EC2::VPC::Id'
AlternativeInitializationScript:
AllowedPattern: ^http.*|^$
ConstraintDescription: URL must begin with http
Description: An alternative initialization script to run during setup.
Default: ''
Type: String
OSImageOverride:
Description: The Region-specific image to use for the instance.
Type: String
Default: ''
AlternativeIAMRole:
Description: An existing IAM Role name to attach to the bastion. If left blank,
a new role will be created.
Default: ''
Type: String
EnvironmentVariables:
Description: A comma-separated list of environment variables for use in
bootstrapping. Variables must be in the format KEY=VALUE. VALUE cannot
contain commas.
Type: String
Default: ''
RootVolumeSize:
Description: The size in GB for the root EBS volume.
Type: Number
Default: '10'
Rules:
SubnetsInVPC:
Assertions:
- Assert:
'Fn::EachMemberIn':
- 'Fn::ValueOfAll':
- 'AWS::EC2::Subnet::Id'
- VpcId
- 'Fn::RefAll': 'AWS::EC2::VPC::Id'
AssertDescription: All subnets must exist in the VPC
Mappings:
AWSAMIRegionMap:
ap-northeast-1:
AMZNLINUX2: ami-0cc75a8978fbbc969
US2004HVM: ami-0461b11e2fad8c14a
CENTOS7HVM: ami-06a46da680048c8ae
SLES15HVM: ami-056ac8ad44e6a7e1f
ap-northeast-2:
AMZNLINUX2: ami-0bd7691bf6470fe9c
US2004HVM: ami-0dbad3c7f731477cb
CENTOS7HVM: ami-06e83aceba2cb0907
SLES15HVM: ami-0f81fff879bafe6b8
ap-south-1:
AMZNLINUX2: ami-0ebc1ac48dfd14136
US2004HVM: ami-0ebd654017556e025
CENTOS7HVM: ami-026f33d38b6410e30
SLES15HVM: ami-01be89269d32f2a16
ap-southeast-1:
AMZNLINUX2: ami-0cd31be676780afa7
US2004HVM: ami-0ba1d1f3433cd4c68
CENTOS7HVM: ami-07f65177cb990d65b
SLES15HVM: ami-070356c21596ddc67
ap-southeast-2:
AMZNLINUX2: ami-0ded330691a314693
US2004HVM: ami-02be36619a83e9a16
CENTOS7HVM: ami-0b2045146eb00b617
SLES15HVM: ami-0c4245381c67efb39
ca-central-1:
AMZNLINUX2: ami-013d1df4bcea6ba95
US2004HVM: ami-071c33c681c9d4a00
CENTOS7HVM: ami-04a25c39dc7a8aebb
SLES15HVM: ami-0c97d9b588207dad6
eu-central-1:
AMZNLINUX2: ami-0c115dbd34c69a004
US2004HVM: ami-0c2b1c303a2e4cb49
CENTOS7HVM: ami-0e8286b71b81c3cc1
SLES15HVM: ami-05dfd265ea534a3e9
me-south-1:
AMZNLINUX2: ami-01f41d49c363da2ad
US2004HVM: ami-07f9fe3f7a8c82448
CENTOS7HVM: ami-011c71a894b10f35b
SLES15HVM: ami-0252c6d3a59c7473b
ap-east-1:
AMZNLINUX2: ami-47317236
US2004HVM: ami-545b1825
CENTOS7HVM: ami-0e5c29e6c87a9644f
SLES15HVM: ami-0ad6e15bcbb2dbe38
eu-north-1:
AMZNLINUX2: ami-039609244d2810a6b
US2004HVM: ami-08baf9e3c347b7092
CENTOS7HVM: ami-05788af9005ef9a93
SLES15HVM: ami-0741fa1a008af40ad
eu-west-1:
AMZNLINUX2: ami-07d9160fa81ccffb5
US2004HVM: ami-0f1d11c92a9467c07
CENTOS7HVM: ami-0b850cf02cc00fdc8
SLES15HVM: ami-0a58a1b152ba55f1d
eu-west-2:
AMZNLINUX2: ami-0a13d44dccf1f5cf6
US2004HVM: ami-082335b69bcfdb15b
CENTOS7HVM: ami-09e5afc68eed60ef4
SLES15HVM: ami-01497522185aaa4ee
eu-west-3:
AMZNLINUX2: ami-093fa4c538885becf
US2004HVM: ami-00f6fb16625871821
CENTOS7HVM: ami-0cb72d2e599cffbf9
SLES15HVM: ami-0f238bd4c6fdbefb0
sa-east-1:
AMZNLINUX2: ami-018ccfb6b4745882a
US2004HVM: ami-083aa2af86ff2bd11
CENTOS7HVM: ami-0b30f38d939dd4b54
SLES15HVM: ami-0772af912976aa692
us-east-1:
AMZNLINUX2: ami-02354e95b39ca8dec
US2004HVM: ami-0758470213bdd23b1
CENTOS7HVM: ami-0affd4508a5d2481b
SLES15HVM: ami-0b1764f3d7d2e2316
us-gov-west-1:
AMZNLINUX2: ami-74c4f215
SLES15HVM: ami-57c0ba36
us-gov-east-1:
AMZNLINUX2: ami-30e00c41
SLES15HVM: ami-05e4bedfad53425e9
us-east-2:
AMZNLINUX2: ami-07c8bc5c1ce9598c3
US2004HVM: ami-07fb7bd53bacdfc16
CENTOS7HVM: ami-01e36b7901e884a10
SLES15HVM: ami-05ea824317ffc0c20
us-west-1:
AMZNLINUX2: ami-05655c267c89566dd
US2004HVM: ami-0cd230f950c3de5d8
CENTOS7HVM: ami-098f55b4287a885ba
SLES15HVM: ami-00e34a7624e5a7107
us-west-2:
AMZNLINUX2: ami-0873b46c45c11058d
US2004HVM: ami-056cb9ae6e2df09e8
CENTOS7HVM: ami-0bc06212a56393ee1
SLES15HVM: ami-0f1e3b3fb0fec0361
cn-north-1:
AMZNLINUX2: ami-010e92a33d9d1fc40
CENTOS7HVM: ami-0e02aaefeb74c3373
SLES15HVM: ami-021392849b6221a81
cn-northwest-1:
AMZNLINUX2: ami-0959f8e18a2aac0fb
CENTOS7HVM: ami-07183a7702633260b
SLES15HVM: ami-00e1de3ee6d0d28ea
LinuxAMINameMap:
Amazon-Linux2-HVM:
Code: AMZNLINUX2
OS: Amazon
CentOS-7-HVM:
Code: CENTOS7HVM
OS: CentOS
Ubuntu-Server-18.04-LTS-HVM:
Code: US1804HVM
OS: Ubuntu
Ubuntu-Server-20.04-LTS-HVM:
Code: US2004HVM
OS: Ubuntu
SUSE-SLES-15-HVM:
Code: SLES15HVM
OS: SLES
Conditions:
2BastionCondition: !Or
- !Equals
- !Ref NumBastionHosts
- '2'
- !Condition 3BastionCondition
- !Condition 4BastionCondition
3BastionCondition: !Or
- !Equals
- !Ref NumBastionHosts
- '3'
- !Condition 4BastionCondition
4BastionCondition: !Equals
- !Ref NumBastionHosts
- '4'
UseAlternativeInitialization: !Not
- !Equals
- !Ref AlternativeInitializationScript
- ''
CreateIAMRole: !Equals
- !Ref AlternativeIAMRole
- ''
UseOSImageOverride: !Not
- !Equals
- !Ref OSImageOverride
- ''
UsingDefaultBucket: !Equals
- !Ref QSS3BucketName
- 'aws-quickstart'
DefaultBanner: !Equals [!Ref BastionBanner, ""]
Resources:
BastionMainLogGroup:
Type: 'AWS::Logs::LogGroup'
SSHMetricFilter:
Type: 'AWS::Logs::MetricFilter'
Properties:
LogGroupName: !Ref BastionMainLogGroup
FilterPattern: ON FROM USER PWD
MetricTransformations:
- MetricName: SSHCommandCount
MetricValue: '1'
MetricNamespace: !Sub "AWSQuickStart/${AWS::StackName}"
BastionHostRole:
Condition: CreateIAMRole
Type: 'AWS::IAM::Role'
Properties:
Path: /
AssumeRolePolicyDocument:
Statement:
- Action:
- 'sts:AssumeRole'
Principal:
Service:
- !Sub 'ec2.${AWS::URLSuffix}'
Effect: Allow
Version: 2012-10-17
ManagedPolicyArns:
- !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore'
- !Sub 'arn:${AWS::Partition}:iam::aws:policy/CloudWatchAgentServerPolicy'
BastionHostPolicy:
Type: 'AWS::IAM::Policy'
Properties:
PolicyName: BastionPolicy
PolicyDocument:
Version: 2012-10-17
Statement:
- Action:
- 's3:GetObject'
Resource: !Sub
- arn:${AWS::Partition}:s3:::${S3Bucket}/${QSS3KeyPrefix}*
- S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
Effect: Allow
- Action:
- 'logs:CreateLogStream'
- 'logs:GetLogEvents'
- 'logs:PutLogEvents'
- 'logs:DescribeLogGroups'
- 'logs:DescribeLogStreams'
- 'logs:PutRetentionPolicy'
- 'logs:PutMetricFilter'
- 'logs:CreateLogGroup'
Resource: !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:${BastionMainLogGroup}:*"
Effect: Allow
- Action:
- 'ec2:AssociateAddress'
- 'ec2:DescribeAddresses'
Resource: '*'
Effect: Allow
Roles:
- !If
- CreateIAMRole
- !Ref BastionHostRole
- !Ref AlternativeIAMRole
BastionHostProfile:
DependsOn: BastionHostPolicy
Type: 'AWS::IAM::InstanceProfile'
Properties:
Roles:
- !If
- CreateIAMRole
- !Ref BastionHostRole
- !Ref AlternativeIAMRole
Path: /
EIP1:
Type: 'AWS::EC2::EIP'
Properties:
Domain: vpc
EIP2:
Type: 'AWS::EC2::EIP'
Condition: 2BastionCondition
Properties:
Domain: vpc
EIP3:
Type: 'AWS::EC2::EIP'
Condition: 3BastionCondition
Properties:
Domain: vpc
EIP4:
Type: 'AWS::EC2::EIP'
Condition: 4BastionCondition
Properties:
Domain: vpc
BastionAutoScalingGroup:
Type: 'AWS::AutoScaling::AutoScalingGroup'
Properties:
LaunchConfigurationName: !Ref BastionLaunchConfiguration
VPCZoneIdentifier:
- !Ref PublicSubnet1ID
- !Ref PublicSubnet2ID
MinSize: !Ref NumBastionHosts
MaxSize: !Ref NumBastionHosts
Cooldown: '900'
DesiredCapacity: !Ref NumBastionHosts
Tags:
- Key: Name
Value: !Ref BastionHostName
PropagateAtLaunch: true
CreationPolicy:
ResourceSignal:
Count: !Ref NumBastionHosts
Timeout: PT60M
AutoScalingCreationPolicy:
MinSuccessfulInstancesPercent: 100
UpdatePolicy:
AutoScalingReplacingUpdate:
WillReplace: true
BastionLaunchConfiguration:
Type: 'AWS::AutoScaling::LaunchConfiguration'
Metadata:
'AWS::CloudFormation::Authentication':
S3AccessCreds:
type: S3
roleName: !If
- CreateIAMRole
- !Ref BastionHostRole
- !Ref AlternativeIAMRole
buckets:
- !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
'AWS::CloudFormation::Init':
config:
files:
/tmp/auditd.rules:
mode: '000550'
owner: root
group: root
content: |
-a exit,always -F arch=b64 -S execve
-a exit,always -F arch=b32 -S execve
/tmp/auditing_configure.sh:
source: !Sub
- https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}scripts/auditing_configure.sh
- S3Bucket: !If
- UsingDefaultBucket
- !Sub 'aws-quickstart-${AWS::Region}'
- !Ref 'QSS3BucketName'
S3Region: !If
- UsingDefaultBucket
- !Ref 'AWS::Region'
- !Ref 'QSS3BucketRegion'
mode: '000550'
owner: root
group: root
authentication: S3AccessCreds
/tmp/bastion_bootstrap.sh:
source: !If
- UseAlternativeInitialization
- !Ref AlternativeInitializationScript
- !Sub
- https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}scripts/bastion_bootstrap.sh
- S3Bucket: !If
- UsingDefaultBucket
- !Sub 'aws-quickstart-${AWS::Region}'
- !Ref 'QSS3BucketName'
S3Region: !If
- UsingDefaultBucket
- !Ref 'AWS::Region'
- !Ref 'QSS3BucketRegion'
mode: '000550'
owner: root
group: root
authentication: S3AccessCreds
commands:
a-add_auditd_rules:
cwd: '/tmp/'
env:
BASTION_OS: !FindInMap [LinuxAMINameMap, !Ref BastionAMIOS, OS]
command: "./auditing_configure.sh"
# command:
# - !If [ ]
# - "cat /tmp/auditd.rules >> /etc/audit/rules.d/audit.rules && service auditd restart"
b-bootstrap:
cwd: '/tmp/'
env:
REGION: !Sub ${AWS::Region}
URL_SUFFIX: !Sub ${AWS::URLSuffix}
BANNER_REGION: !If [ UsingDefaultBucket, !Ref 'AWS::Region', !Ref 'QSS3BucketRegion' ]
command: !Sub
- "./bastion_bootstrap.sh --banner ${BannerUrl} --enable ${EnableBanner} --tcp-forwarding ${EnableTCPForwarding} --x11-forwarding ${EnableX11Forwarding}"
- BannerUrl: !If
- DefaultBanner
- !Sub
- s3://${S3Bucket}/${QSS3KeyPrefix}scripts/banner_message.txt
- S3Bucket: !If [ UsingDefaultBucket, !Sub 'aws-quickstart-${AWS::Region}', !Ref 'QSS3BucketName' ]
- !Ref BastionBanner
Properties:
AssociatePublicIpAddress: true
PlacementTenancy: !Ref BastionTenancy
KeyName: !Ref KeyPairName
IamInstanceProfile: !Ref BastionHostProfile
ImageId: !If
- UseOSImageOverride
- !Ref OSImageOverride
- !FindInMap
- AWSAMIRegionMap
- !Ref 'AWS::Region'
- !FindInMap
- LinuxAMINameMap
- !Ref BastionAMIOS
- Code
SecurityGroups:
- !Ref BastionSecurityGroup
InstanceType: !Ref BastionInstanceType
BlockDeviceMappings:
- DeviceName: /dev/xvda
Ebs:
VolumeSize: !Ref RootVolumeSize
VolumeType: gp2
Encrypted: true
DeleteOnTermination: true
UserData:
Fn::Base64: !Sub
- |
#!/bin/bash
set -x
for e in $(echo "${EnvironmentVariables}" | tr ',' ' '); do
export $e
done
export PATH=$PATH:/usr/local/bin
#cfn signaling functions
yum install git -y || apt-get install -y git || zypper -n install git
function cfn_fail
{
cfn-signal -e 1 --stack ${AWS::StackName} --region ${AWS::Region} --resource BastionAutoScalingGroup
exit 1
}
function cfn_success
{
cfn-signal -e 0 --stack ${AWS::StackName} --region ${AWS::Region} --resource BastionAutoScalingGroup
exit 0
}
until git clone https://github.com/aws-quickstart/quickstart-linux-utilities.git ; do echo "Retrying"; done
cd /quickstart-linux-utilities;
source quickstart-cfn-tools.source;
qs_update-os || qs_err;
qs_bootstrap_pip || qs_err " pip bootstrap failed ";
qs_aws-cfn-bootstrap || qs_err " cfn bootstrap failed ";
EIP_LIST="${EIP1},${EIP2},${EIP3},${EIP4}"
CLOUDWATCHGROUP=${BastionMainLogGroup}
cfn-init -v --stack '${AWS::StackName}' --resource BastionLaunchConfiguration --region ${AWS::Region} || cfn_fail
[ $(qs_status) == 0 ] && cfn_success || cfn_fail
- EIP2:
!If
- 2BastionCondition
- !Ref EIP2
- 'Null'
EIP3:
!If
- 3BastionCondition
- !Ref EIP3
- 'Null'
EIP4:
!If
- 4BastionCondition
- !Ref EIP4
- 'Null'
BastionSecurityGroup:
Type: 'AWS::EC2::SecurityGroup'
Properties:
GroupDescription: Enables SSH Access to Bastion Hosts
VpcId: !Ref VPCID
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: !Ref RemoteAccessCIDR
- IpProtocol: icmp
FromPort: -1
ToPort: -1
CidrIp: !Ref RemoteAccessCIDR
Outputs:
BastionAutoScalingGroup:
Description: Auto Scaling Group Reference ID
Value: !Ref BastionAutoScalingGroup
Export:
Name: !Sub '${AWS::StackName}-BastionAutoScalingGroup'
EIP1:
Description: Elastic IP 1 for Bastion
Value: !Ref EIP1
Export:
Name: !Sub '${AWS::StackName}-EIP1'
EIP2:
Condition: 2BastionCondition
Description: Elastic IP 2 for Bastion
Value: !Ref EIP2
Export:
Name: !Sub '${AWS::StackName}-EIP2'
EIP3:
Condition: 3BastionCondition
Description: Elastic IP 3 for Bastion
Value: !Ref EIP3
Export:
Name: !Sub '${AWS::StackName}-EIP3'
EIP4:
Condition: 4BastionCondition
Description: Elastic IP 4 for Bastion
Value: !Ref EIP4
Export:
Name: !Sub '${AWS::StackName}-EIP4'
CloudWatchLogs:
Description: CloudWatch Logs GroupName. Your SSH logs will be stored here.
Value: !Ref BastionMainLogGroup
Export:
Name: !Sub '${AWS::StackName}-CloudWatchLogs'
BastionSecurityGroupID:
Description: Bastion Security Group ID
Value: !Ref BastionSecurityGroup
Export:
Name: !Sub '${AWS::StackName}-BastionSecurityGroupID'
BastionHostRole:
Description: Bastion IAM Role name
Value: !If
- CreateIAMRole
- !Ref BastionHostRole
- !Ref AlternativeIAMRole
Export:
Name: !Sub '${AWS::StackName}-BastionHostRole'
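Review bot: The `git clone https://github.com/aws-quickstart/quickstart-linux-utilities.git` line in the launch configuration's UserData pulls the helper repository's default branch with no commit pin or integrity check, then `source`s quickstart-cfn-tools.source and runs `qs_update-os`, `qs_bootstrap_pip` and `qs_aws-cfn-bootstrap` before cfn-init, so every bastion launch (including Auto Scaling replacements) executes whatever that branch holds at that moment, as root. Pin it to a reviewed revision right after the clone, e.g. `git -C /quickstart-linux-utilities checkout <reviewed commit SHA>` (or pass `--branch <tag>` to the clone), and keep the pinned revision in a comment so it is bumped deliberately; the S3-hosted scripts cannot serve as the pinned source here because cfn-init itself appears to be installed by the cloned helper (`qs_aws-cfn-bootstrap`). Relatedly, the AlternativeInitializationScript parameter's `AllowedPattern: ^http.*|^$` admits plain `http://` URLs, and cfn-init writes that file root-owned with mode 0550 and the b-bootstrap command executes it, so a replacement bootstrap script may be fetched over cleartext; tighten it to `AllowedPattern: ^https://.*|^$` and `ConstraintDescription: URL must begin with https`. The template's own scripts (auditing_configure.sh, bastion_bootstrap.sh) go through the S3AccessCreds role and are not affected by either point.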