aws-shibboleth-idp-withvpc.yaml
---
AWSTemplateFormatVersion: 2010-09-09
Description: >
  This template utilizes AWS CodePipeline and AWS CodeBuild to build an
  automated continuous deployment pipeline to Amazon Elastic Container Service
  (Amazon ECS) using clusters powered by AWS Fargate or Amazon Elastic Compute
  Cloud (Amazon EC2). The container that is deployed is the Shibboleth IdP
  reference architecture.
  An Application Load Balancer is also provisioned as a front end service
  endpoint. HTTPS is enabled, so you must also populate the CertificateARN
  parameter with the ARN of the certificate that you wish to use on the load balancer.
  Use this template if you would like to provision a new VPC with your deployment.
  If you would like to use an existing VPC with this stack, please use the template
  aws-shibboleth-idp-vpc.yaml
Parameters:
  ShibbolethVersionTag:
    Type: String
    Default: latest
    Description: >
      The tag to use for the base tier/shib-idp docker image. Common options would be 'latest', 'latest5', or 'latest4'. Any valid tag from https://hub.docker.com/r/tier/shib-idp/tags should be valid.
  LaunchType:
    Type: String
    Default: Fargate
    AllowedValues:
      - Fargate
      - EC2
    Description: >
      The launch type for your service. Selecting EC2 will create an Auto
      Scaling group of t2.micro instances for your cluster. See
      https://docs.aws.amazon.com/AmazonECS/latest/developerguide/launch_types.html
      to learn more about launch types.
  TemplateBucket:
    Type: String
    Default: aws-shibboleth-reference-architecture
    # Every nested stack below, and the Lambda code used by the Secrets stack, is
    # fetched from this bucket. Whoever controls the bucket controls what is deployed.
    Description: >
      The S3 bucket from which to fetch the templates used by this stack.
      We recommend that you store your CloudFormation templates in your own S3 bucket
      instead of using the one provided with this reference architecture.
  TemplateFolder:
    Type: String
    Default: ''
    Description: >
      The optional path to a folder in the TemplateBucket that contains the CloudFormation templates. If not blank, it must end with a '/'.
  CodeCommitRepoName:
    Description: >
      Name of the CodeCommit repository to create. Please verify the pattern and maximum length.
    Type: String
    Default: 'shibboleth'
    MaxLength: 100
    AllowedPattern: '(^[A-Za-z0-9_\.-]+)'
    ConstraintDescription: >
      Must conform with the permitted CodeCommit repository name pattern.
  SealerKeyVersionCount:
    Type: Number
    Default: 10
    Description: The number of versions of the sealer key to support
  ParentDomain:
    Type: String
    Description: The base domain for the IdP such as 'example.com'
  FullyQualifiedDomainName:
    Type: String
    Description: The fully qualified domain name for the IdP such as 'sso.example.com'
  CertificateARN:
    Type: String
    Default: ''
    # The LoadBalancer stack below always creates the HTTPS listener
    # (CreateHTTPSListener: true), so this must not be left at the empty default.
    Description: >
      Specify the ARN of the SSL certificate to be used on the HTTPS listener
  VpcCIDR:
    Type: String
    Default: '10.215.0.0/16'
    # The CIDR patterns are syntactic only: they do not reject octets above 255
    # or host bits set in the prefix, and do not check that subnets fit inside the VPC.
    AllowedPattern: '((\d{1,3})\.){3}\d{1,3}/\d{1,2}'
    Description: >
      CIDR block of the VPC that will be created
  PublicSubnet1CIDR:
    Type: String
    Default: '10.215.1.0/24'
    AllowedPattern: '((\d{1,3})\.){3}\d{1,3}/\d{1,2}'
    Description: >
      CIDR block of public subnet 1
  PublicSubnet2CIDR:
    Type: String
    Default: '10.215.2.0/24'
    AllowedPattern: '((\d{1,3})\.){3}\d{1,3}/\d{1,2}'
    Description: >
      CIDR block of public subnet 2
  PrivateSubnet1CIDR:
    Type: String
    Default: '10.215.11.0/24'
    AllowedPattern: '((\d{1,3})\.){3}\d{1,3}/\d{1,2}'
    Description: >
      CIDR block of private subnet 1
  PrivateSubnet2CIDR:
    Type: String
    Default: '10.215.12.0/24'
    AllowedPattern: '((\d{1,3})\.){3}\d{1,3}/\d{1,2}'
    Description: >
      CIDR block of private subnet 2
  LDAPUrl:
    Type: String
    Default: ldaps://ad-ldap.example.com:636
    Description: >
      The URL of the LDAP server.
  LDAPBaseDN:
    Type: String
    Default: CN=Users,DC=example,DC=org
    Description: >
      The base DN of the LDAP server.
  LDAPReadOnlyUser:
    Type: String
    Default: [email protected]
    Description: >
      The username of a read-only user for connecting to the LDAP server.
  LDAPReadOnlyPassword:
    Type: String
    NoEcho: true
    # NoEcho masks the value in console and DescribeStacks output; the value is
    # still passed as a plain stack parameter to the Secrets nested stack below.
    Default: EnterYourPasswordHere
    Description: >
      The password of a read-only user for connecting to the LDAP server.
Metadata:
  AWS::CloudFormation::Interface:
    ParameterLabels:
      LaunchType:
        default: "Launch Type"
      CodeCommitRepoName:
        default: "CodeCommit Repository Name"
      TemplateBucket:
        default: "Template Bucket"
      TemplateFolder:
        default: "Template Folder"
      ParentDomain:
        default: "Base Domain"
      FullyQualifiedDomainName:
        default: "Fully Qualified Domain Name"
      CertificateARN:
        default: "Certificate ARN for HTTPS Listener"
      SealerKeyVersionCount:
        default: "Sealer Key Version Count"
      LDAPUrl:
        default: "LDAP server URL"
      LDAPBaseDN:
        default: "LDAP base DN"
      LDAPReadOnlyUser:
        default: "LDAP user"
      LDAPReadOnlyPassword:
        default: "LDAP password"
    ParameterGroups:
      - Label:
          default: IdP Domain Information
        Parameters:
          - ParentDomain
          - FullyQualifiedDomainName
      - Label:
          default: ECS Cluster Configuration
        Parameters:
          - LaunchType
      - Label:
          default: CloudFormation Stack Configuration
        Parameters:
          - TemplateBucket
          - TemplateFolder
      - Label:
          default: CodeCommit Configuration
        Parameters:
          - CodeCommitRepoName
      - Label:
          default: Elastic Load Balancer Configuration
        Parameters:
          - CertificateARN
      - Label:
          default: Shibboleth Configuration
        Parameters:
          - ShibbolethVersionTag
          - SealerKeyVersionCount
      - Label:
          default: VPC Settings
        Parameters:
          - VpcCIDR
          - PublicSubnet1CIDR
          - PublicSubnet2CIDR
          - PrivateSubnet1CIDR
          - PrivateSubnet2CIDR
      - Label:
          default: LDAP Settings
        Parameters:
          - LDAPUrl
          - LDAPBaseDN
          - LDAPReadOnlyUser
          - LDAPReadOnlyPassword
Resources:
  Secrets:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: !Sub "https://${TemplateBucket}.s3.amazonaws.com/${TemplateFolder}templates/secrets.yml"
      Parameters:
        Name: !Ref AWS::StackName
        LambdaBucket: !Ref TemplateBucket
        LambdaFolder: !Ref TemplateFolder
        SealerKeyVersionCount: !Ref SealerKeyVersionCount
        LDAPUrl: !Ref LDAPUrl
        LDAPBaseDN: !Ref LDAPBaseDN
        LDAPReadOnlyUser: !Ref LDAPReadOnlyUser
        LDAPReadOnlyPassword: !Ref LDAPReadOnlyPassword
  SecurityGroups:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: !Sub "https://${TemplateBucket}.s3.amazonaws.com/${TemplateFolder}templates/security-groups.yml"
      Parameters:
        Name: !Ref AWS::StackName
        LaunchType: !Ref LaunchType
        VpcId: !GetAtt VPC.Outputs.VpcId
  Cluster:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: !Sub "https://${TemplateBucket}.s3.amazonaws.com/${TemplateFolder}templates/ecs-cluster.yaml"
      Parameters:
        Name: !Ref AWS::StackName
        LaunchType: !Ref LaunchType
        SecurityGroup: !GetAtt SecurityGroups.Outputs.ECSSecurityGroup
        Subnets: !GetAtt VPC.Outputs.PrivateSubnets
        VpcId: !GetAtt VPC.Outputs.VpcId
  DeploymentPipeline:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: !Sub "https://${TemplateBucket}.s3.amazonaws.com/${TemplateFolder}templates/deployment-pipeline.yaml"
      Parameters:
        Name: !Ref AWS::StackName
        Cluster: !GetAtt Cluster.Outputs.ClusterName
        Service: !GetAtt Service.Outputs.Service
        CodeCommitRepoName: !Ref CodeCommitRepoName
        ParentDomain: !Ref ParentDomain
        FullyQualifiedDomainName: !Ref FullyQualifiedDomainName
        SecretsManagerSigningARN: !GetAtt Secrets.Outputs.SigningArn
        SecretsManagerBackchannelARN: !GetAtt Secrets.Outputs.BackchannelArn
        SecretsManagerEncryptionARN: !GetAtt Secrets.Outputs.EncryptionArn
        SecretsManagerLDAPSettingsARN: !GetAtt Secrets.Outputs.LDAPSettingsArn
        SecretsManagerSealerKeyARN: !GetAtt Secrets.Outputs.SealerKeyArn
        RepoSourceBucket: !Ref TemplateBucket
        RepoSourceFolder: !Ref TemplateFolder
        TaskRoleARN: !GetAtt Service.Outputs.TaskRoleARN
        TaskExecutionRoleARN: !GetAtt Service.Outputs.TaskExecutionRoleARN
  LoadBalancer:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: !Sub "https://${TemplateBucket}.s3.amazonaws.com/${TemplateFolder}templates/load-balancer.yaml"
      Parameters:
        LaunchType: !Ref LaunchType
        Subnets: !GetAtt VPC.Outputs.Subnets
        VpcId: !GetAtt VPC.Outputs.VpcId
        CreateHTTPSListener: true
        CertificateARN: !Ref CertificateARN
        LoadBalancerSecurityGroup: !GetAtt SecurityGroups.Outputs.LoadBalancerSecurityGroup
  VPC:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: !Sub "https://${TemplateBucket}.s3.amazonaws.com/${TemplateFolder}templates/vpc.yaml"
      Parameters:
        Name: !Ref AWS::StackName
        VpcCIDR: !Ref VpcCIDR
        PublicSubnet1CIDR: !Ref PublicSubnet1CIDR
        PublicSubnet2CIDR: !Ref PublicSubnet2CIDR
        PrivateSubnet1CIDR: !Ref PrivateSubnet1CIDR
        PrivateSubnet2CIDR: !Ref PrivateSubnet2CIDR
  Service:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: !Sub "https://${TemplateBucket}.s3.amazonaws.com/${TemplateFolder}templates/service.yaml"
      Parameters:
        Name: !Ref AWS::StackName
        Cluster: !GetAtt Cluster.Outputs.ClusterName
        # Starts at zero tasks; the pipeline scales the service up once an image has been built.
        DesiredCount: 0
        LaunchType: !Ref LaunchType
        TargetGroup: !GetAtt LoadBalancer.Outputs.TargetGroup
        SecurityGroup: !GetAtt SecurityGroups.Outputs.ECSSecurityGroup
        Subnets: !GetAtt VPC.Outputs.PrivateSubnets
        ContainerImageURI: !Sub ${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/${CodeCommitRepoName}
        SealerKeyArn: !GetAtt Secrets.Outputs.SealerKeyArn
Outputs:
  LoadBalancerCanonicalHostedZoneID:
    Description: The canonical hosted zone ID of the load balancer (for Route 53 alias records)
    Value: !GetAtt LoadBalancer.Outputs.CanonicalHostedZoneID
  LoadBalancerDNSName:
    Description: The value to point your fully qualified domain name's CNAME record at in your DNS provider
    Value: !GetAtt LoadBalancer.Outputs.DNSName
  ServiceUrl:
    Description: The URL of the IdP.
    Value: !Sub https://${FullyQualifiedDomainName}/idp/
  PipelineUrl:
    Description: The continuous deployment pipeline in the AWS Management Console.
    Value: !GetAtt DeploymentPipeline.Outputs.PipelineUrl
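The template's parameter constraints are purely syntactic: the CIDR `AllowedPattern` accepts values with octets above 255 or host bits set and says nothing about subnets fitting inside the VPC, `CertificateARN` defaults to `''` although the HTTPS listener is always created, `TemplateFolder` is documented as needing a trailing `/` but nothing enforces it, and the LDAP password ships with a placeholder default. The following pre-flight check is an added example written for this page, not code from the reference architecture. It validates a parameter set offline with the standard library and rebuilds the nested-stack `TemplateURL`s exactly as the template's `!Sub` expressions do, so you can confirm the objects exist in your own bucket before deploying. The `SAMPLE_PARAMS` values (bucket name, account number, certificate UUID, service account) are constructed placeholders, and the ACM ARN regex is this example's own approximation of the ARN format.

```python
"""Pre-flight validation for aws-shibboleth-idp-withvpc.yaml parameters.

Added example (not part of the reference architecture). Checks, offline, the
things CloudFormation's AllowedPattern/MaxLength constraints cannot express.
"""
import ipaddress
import re

# Constructed sample parameter set for this example; the bucket, account
# number, certificate UUID and service account are illustrative placeholders.
SAMPLE_PARAMS = {
    "TemplateBucket": "my-cfn-templates",
    "TemplateFolder": "shib/",
    "CodeCommitRepoName": "shibboleth",
    "ParentDomain": "example.com",
    "FullyQualifiedDomainName": "sso.example.com",
    "CertificateARN": ("arn:aws:acm:us-east-1:123456789012:certificate/"
                       "11111111-2222-3333-4444-555555555555"),
    "VpcCIDR": "10.215.0.0/16",
    "PublicSubnet1CIDR": "10.215.1.0/24",
    "PublicSubnet2CIDR": "10.215.2.0/24",
    "PrivateSubnet1CIDR": "10.215.11.0/24",
    "PrivateSubnet2CIDR": "10.215.12.0/24",
    "LDAPUrl": "ldaps://ad-ldap.example.com:636",
    "LDAPReadOnlyUser": "svc-shib@example.com",
    "LDAPReadOnlyPassword": "correct-horse-battery-staple",
}

SUBNET_KEYS = ("PublicSubnet1CIDR", "PublicSubnet2CIDR",
               "PrivateSubnet1CIDR", "PrivateSubnet2CIDR")
# Nested templates the parent template references, in order of appearance.
NESTED_TEMPLATES = ("secrets.yml", "security-groups.yml", "ecs-cluster.yaml",
                    "deployment-pipeline.yaml", "load-balancer.yaml",
                    "vpc.yaml", "service.yaml")
# Approximation of an ACM certificate ARN (assumption made by this example).
ACM_ARN_RE = re.compile(
    r"^arn:aws(?:-[a-z]+)?:acm:[a-z0-9-]+:\d{12}:certificate/[0-9a-f-]{36}$")
REPO_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,100}$")   # template pattern + MaxLength
PLACEHOLDER_PASSWORD = "EnterYourPasswordHere"            # template Default


def nested_template_urls(params):
    """Rebuild the TemplateURL values exactly as the parent template's !Sub does."""
    base = (f"https://{params['TemplateBucket']}.s3.amazonaws.com/"
            f"{params['TemplateFolder']}templates/")
    return [base + name for name in NESTED_TEMPLATES]


def validate_params(params):
    """Return a list of human-readable problems; an empty list means deployable."""
    problems = []

    # Network layout: real networks, subnets inside the VPC, no overlap.
    nets = {}
    for key in ("VpcCIDR",) + SUBNET_KEYS:
        try:
            # strict=True rejects host bits set (10.215.1.1/24); ip_network
            # rejects octets > 255. Both slip past the template's AllowedPattern.
            nets[key] = ipaddress.ip_network(params[key], strict=True)
        except ValueError as exc:
            problems.append(f"{key}: {exc}")
    vpc = nets.get("VpcCIDR")
    subnets = [k for k in SUBNET_KEYS if k in nets]
    if vpc is not None:
        for key in subnets:
            if nets[key].version != vpc.version or not nets[key].subnet_of(vpc):
                problems.append(f"{key} {nets[key]} is not inside VpcCIDR {vpc}")
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")

    # Load balancer: the HTTPS listener is always created, so '' cannot work.
    if not ACM_ARN_RE.match(params.get("CertificateARN", "")):
        problems.append("CertificateARN must be an ACM certificate ARN; "
                        "the HTTPS listener is always created")

    # Template and pipeline source.
    folder = params.get("TemplateFolder", "")
    if folder and not folder.endswith("/"):
        problems.append("TemplateFolder must end with '/' when set")
    if not REPO_NAME_RE.match(params.get("CodeCommitRepoName", "")):
        problems.append("CodeCommitRepoName violates the repository name pattern")

    # Directory connection: encrypted bind, real password.
    if not params.get("LDAPUrl", "").startswith("ldaps://"):
        problems.append("LDAPUrl should use ldaps:// so the bind password "
                        "is not sent in the clear")
    if params.get("LDAPReadOnlyPassword", "") in ("", PLACEHOLDER_PASSWORD):
        problems.append("LDAPReadOnlyPassword is empty or still the placeholder default")

    # Naming: the IdP host must sit under the base domain.
    parent = params.get("ParentDomain", "").rstrip(".").lower()
    fqdn = params.get("FullyQualifiedDomainName", "").rstrip(".").lower()
    if not parent or not (fqdn == parent or fqdn.endswith("." + parent)):
        problems.append("FullyQualifiedDomainName must be within ParentDomain")

    return problems


if __name__ == "__main__":
    for url in nested_template_urls(SAMPLE_PARAMS):
        print("nested template:", url)
    issues = validate_params(SAMPLE_PARAMS)
    print("OK" if not issues else "\n".join("PROBLEM: " + p for p in issues))
```

Run it against the parameter file you intend to pass to `aws cloudformation deploy`; with the constructed sample it reports no problems and prints the seven nested-template URLs. Each URL is something you should be able to fetch from a bucket you own, since the parent stack, the Secrets stack's Lambda code and the pipeline's source all come from `TemplateBucket`.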