JFrog-Cloud-Installers/Amazon/artifactory7/v7273/submodules/quickstart-linux-bastion/templates/linux-bastion.template

AWSTemplateFormatVersion: 2010-09-09
Description: LinuxBastion+VPC Jul,30,2020 (qs-1qup6ra99) (Please do not remove)
Metadata:
  QuickStartDocumentation:
    EntrypointName: Launch into an existing VPC
    Order: 2
  LICENSE: Apache License, Version 2.0
  'AWS::CloudFormation::Interface':
    ParameterGroups:
      - Label:
          default: Network configuration
        Parameters:
          - VPCID
          - PublicSubnet1ID
          - PublicSubnet2ID
          - RemoteAccessCIDR
      - Label:
          default: Amazon EC2 configuration
        Parameters:
          - KeyPairName
          - BastionAMIOS
          - BastionInstanceType
          - RootVolumeSize
      - Label:
          default: Linux bastion configuration
        Parameters:
          - NumBastionHosts
          - BastionHostName
          - BastionTenancy
          - EnableBanner
          - BastionBanner
          - EnableTCPForwarding
          - EnableX11Forwarding
      - Label:
          default: Alternative configurations
        Parameters:
          - AlternativeInitializationScript
          - OSImageOverride
          - AlternativeIAMRole
          - EnvironmentVariables
      - Label:
          default: AWS Quick Start configuration
        Parameters:
          - QSS3BucketName
          - QSS3KeyPrefix
          - QSS3BucketRegion
    ParameterLabels:
      AlternativeIAMRole:
        default: Alternative IAM role
      AlternativeInitializationScript:
        default: Alternative initialization script
      BastionAMIOS:
        default: Bastion AMI operating system
      BastionHostName:
        default: Bastion host Name
      BastionTenancy:
        default: Bastion tenancy
      BastionBanner:
        default: Banner text
      QSS3BucketRegion:
        default: Quick Start S3 bucket region
      BastionInstanceType:
        default: Bastion instance type
      EnableBanner:
        default: Bastion banner
      EnableTCPForwarding:
        default: TCP forwarding
      EnableX11Forwarding:
        default: X11 forwarding
      EnvironmentVariables:
        default: Environment variables
      KeyPairName:
        default: Key pair name
      NumBastionHosts:
        default: Number of bastion hosts
      OSImageOverride:
        default: Operating system override
      PublicSubnet1ID:
        default: Public subnet 1 ID
      PublicSubnet2ID:
        default: Public subnet 2 ID
      QSS3BucketName:
        default: Quick Start S3 bucket name
      QSS3KeyPrefix:
        default: Quick Start S3 key prefix
      RemoteAccessCIDR:
        default: Allowed bastion external access CIDR
      VPCID:
        default: VPC ID
      RootVolumeSize:
        default: Root volume size
  cfn-lint: { config: { ignore_checks: [E9007] } }
Parameters:
  BastionAMIOS:
    AllowedValues:
      - Amazon-Linux2-HVM
      - Amazon-Linux2-HVM-ARM
      - CentOS-7-HVM
      - Ubuntu-Server-20.04-LTS-HVM
      - SUSE-SLES-15-HVM
    Default: Amazon-Linux2-HVM
    Description: The Linux distribution for the AMI to be used for the bastion instances.
    Type: String
  BastionHostName:
    Default: 'LinuxBastion'
    Description: The value used for the name tag of the bastion host.
    Type: String
  BastionBanner:
    Default: ""
    Description: Banner text to display upon login.
    Type: String
  BastionTenancy:
    Description: Bastion VPC tenancy (dedicated or default).
    Type: String
    Default: default
    AllowedValues:
      - dedicated
      - default
  BastionInstanceType:
    AllowedValues:
      - t2.nano
      - t2.micro
      - t2.small
      - t2.medium
      - t2.large
      - t3.micro
      - t3.small
      - t3.medium
      - t3.large
      - t3.xlarge
      - t3.2xlarge
      - t4g.nano
      - t4g.micro
      - t4g.small
      - t4g.medium
      - t4g.large
      - t4g.xlarge
      - t4g.2xlarge
      - m4.large
      - m4.xlarge
      - m4.2xlarge
      - m4.4xlarge
    Default: t2.micro
    Description: Amazon EC2 instance type for the bastion instances.
    Type: String
  EnableBanner:
    AllowedValues:
      - 'true'
      - 'false'
    Default: 'false'
    Description: Choose *true* to display a banner when connecting via SSH to the bastion.
    Type: String
  EnableTCPForwarding:
    Type: String
    Description: To enable TCP forwarding, choose *true*.
    Default: 'false'
    AllowedValues:
      - 'true'
      - 'false'
  EnableX11Forwarding:
    Type: String
    Description: To enable X11 forwarding, choose *true*.
    Default: 'false'
    AllowedValues:
      - 'true'
      - 'false'
  KeyPairName:
    Description: Name of an existing public/private key pair. If you do not have one in this AWS Region,
      please create it before continuing.
    Type: 'AWS::EC2::KeyPair::KeyName'
  NumBastionHosts:
    AllowedValues:
      - '1'
      - '2'
      - '3'
      - '4'
    Default: '1'
    Description: The number of bastion hosts to create. The maximum number is four.
    Type: String
  PublicSubnet1ID:
    Description: ID of the public subnet 1 that you want to provision the first bastion into (e.g., subnet-a0246dcd).
    Type: 'AWS::EC2::Subnet::Id'
  PublicSubnet2ID:
    Description: ID of the public subnet 2 that you want to provision the second bastion into (e.g., subnet-e3246d8e).
    Type: 'AWS::EC2::Subnet::Id'
  QSS3BucketName:
    AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$
    ConstraintDescription: The Quick Start bucket name can include numbers, lowercase
      letters, uppercase letters, and hyphens (-). It cannot start or end with a 
      hyphen (-).
    Default: aws-quickstart
    Description: Name of the S3 bucket for your copy of the Quick Start assets. 
      Keep the default name unless you are customizing the template. 
      Changing the name updates code references to point to a new Quick 
      Start location. This name can include numbers, lowercase letters, 
      uppercase letters, and hyphens, but do not start or end with a hyphen (-). 
      See https://aws-quickstart.github.io/option1.html.
    Type: String
  QSS3BucketRegion:
    Default: 'us-east-1'
    Description: The AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. When using your own bucket, you must specify this value.
    Type: String
  QSS3KeyPrefix:
    AllowedPattern: ^([0-9a-zA-Z-.]+/)*$
    ConstraintDescription: The Quick Start S3 key prefix can include numbers, lowercase letters,
      uppercase letters, hyphens (-), and forward slashes (/).
    Default: quickstart-linux-bastion/
    Description: S3 key prefix that is used to simulate a directory for your copy of the 
      Quick Start assets. Keep the default prefix unless you are customizing 
      the template. Changing this prefix updates code references to point to 
      a new Quick Start location. This prefix can include numbers, lowercase 
      letters, uppercase letters, hyphens (-), and forward slashes (/). End with a forward slash. 
      See https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMetadata.html 
      and https://aws-quickstart.github.io/option1.html.
    Type: String
  RemoteAccessCIDR:
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/x
    Description: Allowed CIDR block for external SSH access to the bastions.
    Type: String
  VPCID:
    Description: ID of the VPC (e.g., vpc-0343606e).
    Type: 'AWS::EC2::VPC::Id'
  AlternativeInitializationScript:
    AllowedPattern: ^https.*|^$
    ConstraintDescription: URL must begin with https.
    Description: An alternative initialization script to run during setup.
    Default: ''
    Type: String
  OSImageOverride:
    Description: The Region-specific image to use for the instance.
    Type: String
    Default: ''
  AlternativeIAMRole:
    Description: An existing IAM role name to attach to the bastion. If left blank,
      a new role will be created.
    Default: ''
    Type: String
  EnvironmentVariables:
    Description: A comma-separated list of environment variables for use in
      bootstrapping. Variables must be in the format `key=value`. `Value` cannot
      contain commas.
    Type: String
    Default: ''
  RootVolumeSize:
    Description: The size in GB for the root EBS volume.
    Type: Number
    Default: '10'
Rules:
  SubnetsInVPC:
    Assertions:
      - Assert:
          'Fn::EachMemberIn':
            - 'Fn::ValueOfAll':
                - 'AWS::EC2::Subnet::Id'
                - VpcId
            - 'Fn::RefAll': 'AWS::EC2::VPC::Id'
        AssertDescription: All subnets must exist in the VPC.
  ArmInstance:
    Assertions:
      - Assert: !Contains
          - - t4g.nano
            - t4g.medium
            - t4g.large
            - t4g.micro
            - t4g.small
            - t4g.2xlarge
            - t4g.xlarge
          - !Ref 'BastionInstanceType'
        AssertDescription: This instance type must use BastionAMIOS type of Amazon-Linux2-HVM-ARM.
    RuleCondition: !Equals
      - !Ref BastionAMIOS
      - Amazon-Linux2-HVM-ARM
Mappings:
  AWSAMIRegionMap:
    af-south-1:
      AMZNLINUX2: ami-0936d2754993c364e
      AMZNLINUX2ARM: ami-01d326fa7db123542
      US2004HVM: ami-022666956ad401a16
      CENTOS7HVM: ami-0a2be7731769e6cc1
#      SLES15HVM: ami-EXAMPLE
    ap-northeast-1:
      AMZNLINUX2: ami-0ca38c7440de1749a
      AMZNLINUX2ARM: ami-005322a6d5cecfe58
      US2004HVM: ami-015f1a68ce825a8d2
      CENTOS7HVM: ami-06a46da680048c8ae
      SLES15HVM: ami-056ac8ad44e6a7e1f
    ap-northeast-2:
      AMZNLINUX2: ami-0f2c95e9fe3f8f80e
      AMZNLINUX2ARM: ami-01b0796a552129792
      US2004HVM: ami-0be9734c9e68b99f4
      CENTOS7HVM: ami-06e83aceba2cb0907
      SLES15HVM: ami-0f81fff879bafe6b8
    ap-northeast-3:
      AMZNLINUX2: ami-06e9ad0943b200859
      AMZNLINUX2ARM: ami-02415340f44a47b93
      US2004HVM: ami-01cb3e73f8ef13fdc
      CENTOS7HVM: ami-02d6b455335e3af14
      SLES15HVM: ami-0d8518dd12d11dfc2
    ap-south-1:
      AMZNLINUX2: ami-010aff33ed5991201
      AMZNLINUX2ARM: ami-01ad94fdf8150776c
      US2004HVM: ami-00aaac1f2ef4ce965
      CENTOS7HVM: ami-026f33d38b6410e30
      SLES15HVM: ami-01be89269d32f2a16
    ap-southeast-1:
      AMZNLINUX2: ami-02f26adf094f51167
      AMZNLINUX2ARM: ami-006eccfc9e6f597af
      US2004HVM: ami-0012ffabeb7413479
      CENTOS7HVM: ami-07f65177cb990d65b
      SLES15HVM: ami-070356c21596ddc67
    ap-southeast-2:
      AMZNLINUX2: ami-0186908e2fdeea8f3
      AMZNLINUX2ARM: ami-00719b70b31680d14
      US2004HVM: ami-03ec1fe05b3849c74
      CENTOS7HVM: ami-0b2045146eb00b617
      SLES15HVM: ami-0c4245381c67efb39
    ca-central-1:
      AMZNLINUX2: ami-0101734ab73bd9e15
      AMZNLINUX2ARM: ami-039750f0a88733fff
      US2004HVM: ami-04c56d394d31cdeac
      CENTOS7HVM: ami-04a25c39dc7a8aebb
      SLES15HVM: ami-0c97d9b588207dad6
    eu-central-1:
      AMZNLINUX2: ami-043097594a7df80ec
      AMZNLINUX2ARM: ami-000cbb96a79217336
      US2004HVM: ami-0980c5102b5ef10cc
      CENTOS7HVM: ami-0e8286b71b81c3cc1
      SLES15HVM: ami-05dfd265ea534a3e9
    me-south-1:
      AMZNLINUX2: ami-0880769bc15eeec4f
      AMZNLINUX2ARM: ami-001dc219c441b922d
      US2004HVM: ami-03cc0b5db8321f2e5
      CENTOS7HVM: ami-011c71a894b10f35b
      SLES15HVM: ami-0252c6d3a59c7473b
    ap-east-1:
      AMZNLINUX2: ami-0aca22cb23f122f27
      AMZNLINUX2ARM: ami-01f5cec80321bd86e
      US2004HVM: ami-0c7e5903bee96ef81
      CENTOS7HVM: ami-0e5c29e6c87a9644f
      SLES15HVM: ami-0ad6e15bcbb2dbe38
    eu-north-1:
      AMZNLINUX2: ami-050fdc53cf6ba8f7f
      AMZNLINUX2ARM: ami-00a8ac2b5311cd613
      US2004HVM: ami-0663a4867a210287a
      CENTOS7HVM: ami-05788af9005ef9a93
      SLES15HVM: ami-0741fa1a008af40ad
    eu-south-1:
      AMZNLINUX2: ami-0f447354763f0eaac
      AMZNLINUX2ARM: ami-011d4067dedd119f5
      US2004HVM: ami-035e213233577516f
      CENTOS7HVM: ami-03014b98e9665115a
      SLES15HVM: ami-051cbea0e7660063d
    eu-west-1:
      AMZNLINUX2: ami-063d4ab14480ac177
      AMZNLINUX2ARM: ami-00552336fb4b81164
      US2004HVM: ami-0213344887e47003a
      CENTOS7HVM: ami-0b850cf02cc00fdc8
      SLES15HVM: ami-0a58a1b152ba55f1d
    eu-west-2:
      AMZNLINUX2: ami-06dc09bb8854cbde3
      AMZNLINUX2ARM: ami-03144ab666315a8a3
      US2004HVM: ami-0add0a5a0cf9afc6c
      CENTOS7HVM: ami-09e5afc68eed60ef4
      SLES15HVM: ami-01497522185aaa4ee
    eu-west-3:
      AMZNLINUX2: ami-0b3e57ee3b63dd76b
      AMZNLINUX2ARM: ami-009b1ed4d1f59029a
      US2004HVM: ami-01019e7343a5f361d
      CENTOS7HVM: ami-0cb72d2e599cffbf9
      SLES15HVM: ami-0f238bd4c6fdbefb0
    sa-east-1:
      AMZNLINUX2: ami-05373777d08895384
      AMZNLINUX2ARM: ami-0092271c8131fcde7
      US2004HVM: ami-0312c74c38dc7bae6
      CENTOS7HVM: ami-0b30f38d939dd4b54
      SLES15HVM: ami-0772af912976aa692
    us-east-1:
      AMZNLINUX2: ami-0d5eff06f840b45e9
      AMZNLINUX2ARM: ami-002cc39e7bf021a77
      US2004HVM: ami-0db6c6238a40c0681
      CENTOS7HVM: ami-0affd4508a5d2481b
      SLES15HVM: ami-0b1764f3d7d2e2316
    us-gov-west-1:
      AMZNLINUX2: ami-0bbf3595bb2fb39ec
      AMZNLINUX2ARM: ami-6bd0e80a
      SLES15HVM: ami-57c0ba36
    us-gov-east-1:
      AMZNLINUX2: ami-0cc17d57bec8c6017
      AMZNLINUX2ARM: ami-4a31d93b
      SLES15HVM: ami-05e4bedfad53425e9
    us-east-2:
      AMZNLINUX2: ami-077e31c4939f6a2f3
      AMZNLINUX2ARM: ami-0029d4ab5707ce922
      US2004HVM: ami-03b6c8bd55e00d5ed
      CENTOS7HVM: ami-01e36b7901e884a10
      SLES15HVM: ami-05ea824317ffc0c20
    us-west-1:
      AMZNLINUX2: ami-04468e03c37242e1e
      AMZNLINUX2ARM: ami-00872c48515f06ba0
      US2004HVM: ami-0f5868930cb63c89c
      CENTOS7HVM: ami-098f55b4287a885ba
      SLES15HVM: ami-00e34a7624e5a7107
    us-west-2:
      AMZNLINUX2: ami-0cf6f5c8a62fa5da6
      AMZNLINUX2ARM: ami-0043879194eb2ad40
      US2004HVM: ami-038a0ccaaedae6406
      CENTOS7HVM: ami-0bc06212a56393ee1
      SLES15HVM: ami-0f1e3b3fb0fec0361
    cn-north-1:
      AMZNLINUX2: ami-0c52e2685c7218558
      AMZNLINUX2ARM: ami-088cc0c104292da9c
      CENTOS7HVM: ami-08c16f7e830c0e393
      SLES15HVM: ami-021392849b6221a81
    cn-northwest-1:
      AMZNLINUX2: ami-05b9b6d6acf8ae9b6
      AMZNLINUX2ARM: ami-0b5c6ceb80eb57861
      CENTOS7HVM: ami-0f21aa96a61df8c44
      SLES15HVM: ami-00e1de3ee6d0d28ea
  LinuxAMINameMap:
    Amazon-Linux2-HVM:
      Code: AMZNLINUX2
      OS: Amazon
    Amazon-Linux2-HVM-ARM:
      Code: AMZNLINUX2ARM
      OS: Amazon
    CentOS-7-HVM:
      Code: CENTOS7HVM
      OS: CentOS
    Ubuntu-Server-18.04-LTS-HVM:
      Code: US1804HVM
      OS: Ubuntu
    Ubuntu-Server-20.04-LTS-HVM:
      Code: US2004HVM
      OS: Ubuntu
    SUSE-SLES-15-HVM:
      Code: SLES15HVM
      OS: SLES
Conditions:
  2BastionCondition: !Or
    - !Equals
      - !Ref NumBastionHosts
      - '2'
    - !Condition 3BastionCondition
    - !Condition 4BastionCondition
  3BastionCondition: !Or
    - !Equals
      - !Ref NumBastionHosts
      - '3'
    - !Condition 4BastionCondition
  4BastionCondition: !Equals
    - !Ref NumBastionHosts
    - '4'
  UseAlternativeInitialization: !Not
    - !Equals
      - !Ref AlternativeInitializationScript
      - ''
  CreateIAMRole: !Equals
    - !Ref AlternativeIAMRole
    - ''
  UseOSImageOverride: !Not
    - !Equals
      - !Ref OSImageOverride
      - ''
  UsingDefaultBucket: !Equals
    - !Ref QSS3BucketName
    - 'aws-quickstart'
  DefaultBanner: !Equals [!Ref BastionBanner, ""]
Resources:
  BastionMainLogGroup:
    Type: 'AWS::Logs::LogGroup'
  SSHMetricFilter:
    Type: 'AWS::Logs::MetricFilter'
    Properties:
      LogGroupName: !Ref BastionMainLogGroup
      FilterPattern: ON FROM USER PWD
      MetricTransformations:
        - MetricName: SSHCommandCount
          MetricValue: '1'
          MetricNamespace: !Sub "AWSQuickStart/${AWS::StackName}"
  BastionHostRole:
    Condition: CreateIAMRole
    Type: 'AWS::IAM::Role'
    Properties:
      Path: /
      AssumeRolePolicyDocument:
        Statement:
          - Action:
              - 'sts:AssumeRole'
            Principal:
              Service:
                - !Sub 'ec2.${AWS::URLSuffix}'
            Effect: Allow
        Version: 2012-10-17
      ManagedPolicyArns:
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore'
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/CloudWatchAgentServerPolicy'
  BastionHostPolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: BastionPolicy
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Action:
              - 's3:GetObject'
            Resource: !Sub
              - arn:${AWS::Partition}:s3:::${S3Bucket}/${QSS3KeyPrefix}*
              - S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
            Effect: Allow
          - Action:
              - 'logs:CreateLogStream'
              - 'logs:GetLogEvents'
              - 'logs:PutLogEvents'
              - 'logs:DescribeLogGroups'
              - 'logs:DescribeLogStreams'
              - 'logs:PutRetentionPolicy'
              - 'logs:PutMetricFilter'
              - 'logs:CreateLogGroup'
            Resource: !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:${BastionMainLogGroup}:*"
            Effect: Allow
          - Action:
              - 'ec2:DescribeAddresses'
            Resource: '*'
            Effect: Allow
          - Effect: Allow
            Action:
              - 'ec2:AssociateAddress'
            Resource: '*'
            Condition:
              StringEquals:
                ec2:ResourceTag/aws:cloudformation:stack-id: !Ref AWS::StackId
      Roles:
        - !If
          - CreateIAMRole
          - !Ref BastionHostRole
          - !Ref AlternativeIAMRole
  BastionHostProfile:
    DependsOn: BastionHostPolicy
    Type: 'AWS::IAM::InstanceProfile'
    Properties:
      Roles:
        - !If
          - CreateIAMRole
          - !Ref BastionHostRole
          - !Ref AlternativeIAMRole
      Path: /
  EIP1:
    Type: 'AWS::EC2::EIP'
    Properties:
      Domain: vpc
  EIP2:
    Type: 'AWS::EC2::EIP'
    Condition: 2BastionCondition
    Properties:
      Domain: vpc
  EIP3:
    Type: 'AWS::EC2::EIP'
    Condition: 3BastionCondition
    Properties:
      Domain: vpc
  EIP4:
    Type: 'AWS::EC2::EIP'
    Condition: 4BastionCondition
    Properties:
      Domain: vpc
  BastionAutoScalingGroup:
    Type: 'AWS::AutoScaling::AutoScalingGroup'
    Properties:
      LaunchConfigurationName: !Ref BastionLaunchConfiguration
      VPCZoneIdentifier:
        - !Ref PublicSubnet1ID
        - !Ref PublicSubnet2ID
      MinSize: !Ref NumBastionHosts
      MaxSize: !Ref NumBastionHosts
      Cooldown: '900'
      DesiredCapacity: !Ref NumBastionHosts
      Tags:
        - Key: Name
          Value: !Ref BastionHostName
          PropagateAtLaunch: true
    CreationPolicy:
      ResourceSignal:
        Count: !Ref NumBastionHosts
        Timeout: PT60M
      AutoScalingCreationPolicy:
        MinSuccessfulInstancesPercent: 100
    UpdatePolicy:
      AutoScalingReplacingUpdate:
        WillReplace: true
  BastionLaunchConfiguration:
    Type: 'AWS::AutoScaling::LaunchConfiguration'
    Metadata:
      'AWS::CloudFormation::Authentication':
        S3AccessCreds:
          type: S3
          roleName: !If
            - CreateIAMRole
            - !Ref BastionHostRole
            - !Ref AlternativeIAMRole
          buckets:
            - !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
      'AWS::CloudFormation::Init':
        config:
          files:
            /tmp/auditd.rules:
              mode: '000550'
              owner: root
              group: root
              content: |
                -a exit,always -F arch=b64 -S execve
                -a exit,always -F arch=b32 -S execve
            /tmp/auditing_configure.sh:
              source: !Sub
                - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}scripts/auditing_configure.sh
                - S3Bucket: !If
                    - UsingDefaultBucket
                    - !Sub 'aws-quickstart-${AWS::Region}'
                    - !Ref 'QSS3BucketName'
                  S3Region: !If
                    - UsingDefaultBucket
                    - !Ref 'AWS::Region'
                    - !Ref 'QSS3BucketRegion'
              mode: '000550'
              owner: root
              group: root
              authentication: S3AccessCreds
            /tmp/bastion_bootstrap.sh:
              source: !If
                - UseAlternativeInitialization
                - !Ref AlternativeInitializationScript
                - !Sub
                  - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}scripts/bastion_bootstrap.sh
                  - S3Bucket: !If
                      - UsingDefaultBucket
                      - !Sub 'aws-quickstart-${AWS::Region}'
                      - !Ref 'QSS3BucketName'
                    S3Region: !If
                      - UsingDefaultBucket
                      - !Ref 'AWS::Region'
                      - !Ref 'QSS3BucketRegion'
              mode: '000550'
              owner: root
              group: root
              authentication: S3AccessCreds
          commands:
            a-add_auditd_rules:
              cwd: '/tmp/'
              env:
                BASTION_OS: !FindInMap [LinuxAMINameMap, !Ref BastionAMIOS, OS]
              command: "./auditing_configure.sh"
              # command:
              #   - !If [ ]
              #   - "cat /tmp/auditd.rules >> /etc/audit/rules.d/audit.rules && service auditd restart"
            b-bootstrap:
              cwd: '/tmp/'
              env:
                REGION: !Sub ${AWS::Region}
                URL_SUFFIX: !Sub ${AWS::URLSuffix}
                BANNER_REGION: !If [ UsingDefaultBucket, !Ref 'AWS::Region', !Ref 'QSS3BucketRegion' ]
              command: !Sub
                - "./bastion_bootstrap.sh --banner ${BannerUrl} --enable ${EnableBanner} --tcp-forwarding ${EnableTCPForwarding} --x11-forwarding ${EnableX11Forwarding}"
                - BannerUrl: !If
                  - DefaultBanner
                  - !Sub
                    - s3://${S3Bucket}/${QSS3KeyPrefix}scripts/banner_message.txt
                    - S3Bucket: !If [ UsingDefaultBucket, !Sub 'aws-quickstart-${AWS::Region}', !Ref 'QSS3BucketName' ]
                  - !Ref BastionBanner
    Properties:
      AssociatePublicIpAddress: true
      PlacementTenancy: !Ref BastionTenancy
      KeyName: !Ref KeyPairName
      IamInstanceProfile: !Ref BastionHostProfile
      ImageId: !If
        - UseOSImageOverride
        - !Ref OSImageOverride
        - !FindInMap
          - AWSAMIRegionMap
          - !Ref 'AWS::Region'
          - !FindInMap
            - LinuxAMINameMap
            - !Ref BastionAMIOS
            - Code
      SecurityGroups:
        - !Ref BastionSecurityGroup
      InstanceType: !Ref BastionInstanceType
      BlockDeviceMappings:
        - DeviceName: /dev/xvda
          Ebs:
            VolumeSize: !Ref RootVolumeSize
            VolumeType: gp2
            Encrypted: true
            DeleteOnTermination: true
      UserData:
        Fn::Base64: !Sub
          - |
            #!/bin/bash
            set -x
            for e in $(echo "${EnvironmentVariables}" | tr ',' ' '); do
              export $e
              echo "$e" >> /root/.bashrc
            done
            export PATH=$PATH:/usr/local/bin
            #cfn signaling functions
            yum install git -y || apt-get install -y git || zypper -n install git

            function cfn_fail
            {
              cfn-signal -e 1 --stack ${AWS::StackName} --region ${AWS::Region} --resource BastionAutoScalingGroup
              exit 1
            }

            function cfn_success
            {
              cfn-signal -e 0 --stack ${AWS::StackName} --region ${AWS::Region} --resource BastionAutoScalingGroup
              exit 0
            }

            until git clone https://github.com/aws-quickstart/quickstart-linux-utilities.git ; do echo "Retrying"; done
            cd /quickstart-linux-utilities;
            source quickstart-cfn-tools.source;
            qs_update-os || qs_err;
            qs_bootstrap_pip || qs_err " pip bootstrap failed ";
            qs_aws-cfn-bootstrap || qs_err " cfn bootstrap failed ";

            EIP_LIST="${EIP1},${EIP2},${EIP3},${EIP4}"
            CLOUDWATCHGROUP=${BastionMainLogGroup}
            cfn-init -v --stack '${AWS::StackName}' --resource BastionLaunchConfiguration --region ${AWS::Region} || cfn_fail
            [ $(qs_status) == 0 ] && cfn_success || cfn_fail
          - EIP2:
              !If
              - 2BastionCondition
              - !Ref EIP2
              - 'Null'
            EIP3:
              !If
              - 3BastionCondition
              - !Ref EIP3
              - 'Null'
            EIP4:
              !If
              - 4BastionCondition
              - !Ref EIP4
              - 'Null'
  BastionSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: Enables SSH Access to Bastion Hosts
      VpcId: !Ref VPCID
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref RemoteAccessCIDR
        - IpProtocol: icmp
          FromPort: -1
          ToPort: -1
          CidrIp: !Ref RemoteAccessCIDR
Outputs:
  BastionAutoScalingGroup:
    Description: Auto Scaling group reference ID.
    Value: !Ref BastionAutoScalingGroup
    Export:
      Name: !Sub '${AWS::StackName}-BastionAutoScalingGroup'
  EIP1:
    Description: Elastic IP 1 for bastion.
    Value: !Ref EIP1
    Export:
      Name: !Sub '${AWS::StackName}-EIP1'
  EIP2:
    Condition: 2BastionCondition
    Description: Elastic IP 2 for bastion.
    Value: !Ref EIP2
    Export:
      Name: !Sub '${AWS::StackName}-EIP2'
  EIP3:
    Condition: 3BastionCondition
    Description: Elastic IP 3 for bastion.
    Value: !Ref EIP3
    Export:
      Name: !Sub '${AWS::StackName}-EIP3'
  EIP4:
    Condition: 4BastionCondition
    Description: Elastic IP 4 for bastion.
    Value: !Ref EIP4
    Export:
      Name: !Sub '${AWS::StackName}-EIP4'
  CloudWatchLogs:
    Description: CloudWatch Logs GroupName. Your SSH logs will be stored here.
    Value: !Ref BastionMainLogGroup
    Export:
      Name: !Sub '${AWS::StackName}-CloudWatchLogs'
  BastionSecurityGroupID:
    Description: Bastion security group ID.
    Value: !Ref BastionSecurityGroup
    Export:
      Name: !Sub '${AWS::StackName}-BastionSecurityGroupID'
  BastionHostRole:
    Description: Bastion IAM role name.
    Value: !If
      - CreateIAMRole
      - !Ref BastionHostRole
      - !Ref AlternativeIAMRole
    Export:
      Name: !Sub '${AWS::StackName}-BastionHostRole'
  Postdeployment:
    Description: See the deployment guide for post-deployment steps.
    Value: https://aws.amazon.com/quickstart/?quickstart-all.sort-by=item.additionalFields.sortDate&quickstart-all.sort-order=desc&awsm.page-quickstart-all=5