

userdata call for cpm
pelegor committed Sep 6, 2024
1 parent 00695cc commit ec372e5
Showing 2 changed files with 45 additions and 187 deletions.
94 changes: 21 additions & 73 deletions aws/Full-PAS-Deployment.yaml
Expand Up @@ -915,7 +915,6 @@ Resources:
"VaultAdminUser" = "Administrator"
"SSMAdminPassParameterID" = "${StoreAdminPassword.SsmId}"
"VaultPrivateIP" = "${VaultIpAddress}"
"ComponentInstancesRole" = "${ComponentInstancesRole}"
"ComponentHostname" = "${PVWAHostname}"
"StackName" = "${AWS::StackName}"
}
Expand Down Expand Up @@ -944,82 +943,31 @@ Resources:
- !Ref CPMAmi
- !Ref CPMCustomAmi
InstanceType: !Ref CPMInstanceType
UserData: !Base64
'Fn::Sub': >-
<script>
cfn-init.exe -v -s ${AWS::StackId} -r CPMMachine --configsets ascending --region ${AWS::Region}
</script>
UserData:
Fn::Base64: !Sub
- |
<powershell>
$UserDataParams = @{
"Region" = "${AWS::Region}"
"LogGroup" = "${LogGroup}"
"UserDataLogStream" = "${CPMUserDataLogStream}"
"CPMConfigurationsLogStream" = "${CPMConfigurationsLogStream}"
"CPMRegistrationLogStream" = "${CPMRegistrationLogStream}"
"CPMSetLocalServiceLogStream" = "${CPMSetLocalServiceLogStream}"
"VaultAdminUser" = "Administrator"
"SSMAdminPassParameterID" = "${StoreAdminPassword.SsmId}"
"VaultPrivateIP" = "${VaultIpAddress}"
"ComponentHostname" = "${CPMHostname}"
"StackName" = "${AWS::StackName}"
}
C:\CyberArk\Deployment\UserDataScript.ps1 @UserDataParams
</powershell>
- VaultIpAddress: !Sub '${VaultMachine.PrivateIp},${VaultDRMachine.PrivateIp}'
KeyName: !Ref KeyName
IamInstanceProfile: !Ref ComponentInstanceProfile
Metadata:
'AWS::CloudFormation::Init':
configSets:
ascending:
- configSSMAndHostname
- configServices
- configSignal
configSSMAndHostname:
services:
windows:
AmazonSSMAgent:
enabled: true
ensureRunning: true
files:
- C:\Program Files\Amazon\SSM\Plugins\awsCloudWatch\AWS.EC2.Windows.CloudWatch.json
commands:
1-cloudwatch:
command: !Sub >
powershell.exe -File C:\CyberArk\Deployment\CloudWatch.ps1
-LogGroup ${LogGroup} -CPMCfnInitLogStream
${CPMCfnInitLogStream} -CPMConfiguration ${CPMConfigurationsLog}
-CPMRegistration ${CPMRegistrationLog} -CPMSetLocalService
${CPMSetLocalServiceLog} -Region ${AWS::Region}
2-restartSSM:
command: powershell.exe -Command "Restart-Service AmazonSSMAgent"
waitAfterCompletion: 60
ignoreErrors: true
3-addDNSSuffix:
command: powershell.exe -Command "Set-DnsClientGlobalSetting -SuffixSearchList ((Get-DnsClientGlobalSetting).SuffixSearchList += 'pas.local')"
configServices:
commands:
1-configuration:
command: !Sub
- >-
powershell.exe -File
C:\CyberArk\Deployment\CPMConfiguration.ps1 -VaultIpAddress
${VaultIpAddress} -VaultAdminUser Administrator -VaultPort 1858
- VaultIpAddress: !Sub '${VaultMachine.PrivateIp},${VaultDRMachine.PrivateIp}'
waitAfterCompletion: 0
2-registration:
command: !Sub >
powershell.exe -File C:\CyberArk\Deployment\CPMRegistration.ps1
-VaultAdminUser Administrator -SSMAdminPassParameterID ${StoreAdminPassword.SsmId}
waitAfterCompletion: 0
3-configureCPMService:
command: powershell.exe -File C:\CyberArk\Deployment\Set-LocalService.ps1 -Username "PasswordManagerUser" -Services "CyberArk Central Policy Manager Scanner"
waitAfterCompletion: 0
4-configureCPMService:
command: powershell.exe -File C:\CyberArk\Deployment\Set-LocalService.ps1 -Username "PasswordManagerUser" -Services "CyberArk Password Manager"
waitAfterCompletion: 0
5-CPMserviceConfig:
command: sc config "CyberArk Password Manager" start=auto
waitAfterCompletion: 0
6-CPMSserviceConfig:
command: sc config "CyberArk Central Policy Manager Scanner" start=auto
waitAfterCompletion: 0
7-ChangeHostname:
command: !Sub >
powershell.exe -Command Rename-Computer -NewName ${CPMHostname} -Force -Restart
waitAfterCompletion: forever
configSignal:
commands:
0-signalCompletion:
command: !Sub >
"C:\Program Files\Amazon\cfn-bootstrap\cfn-signal.exe" -e %ERRORLEVEL% --stack ${AWS::StackId} --resource CPMMachine --region ${AWS::Region}
waitAfterCompletion: 0
CreationPolicy:
ResourceSignal:
Timeout: PT25M
Timeout: PT10M
DeletionPolicy: Retain
DependsOn:
- PVWAMachine
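Review bot: The removed `AWS::CloudFormation::Init` metadata carried the `0-signalCompletion` step that ran cfn-signal.exe for CPMMachine, but `CreationPolicy.ResourceSignal` is kept, so unless `C:\CyberArk\Deployment\UserDataScript.ps1` (not part of this commit) signals the resource itself, the stack will now wait out the timeout and roll back. The two Timeout lines suggest the wait was also cut from PT25M to PT10M; the old flow included a `Rename-Computer ... -Restart` step with `waitAfterCompletion: forever`, so ten minutes should be checked against the script's measured end-to-end time including that reboot. A comment above `UserData:` would make the contract explicit, e.g. `# UserDataScript.ps1 must call cfn-signal.exe for CPMMachine; CreationPolicy.ResourceSignal below waits on it`. The same applies to the CPMMachine section in aws/PAS-Component-Single-Deployment.yaml in this commit.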
138 changes: 24 additions & 114 deletions aws/PAS-Component-Single-Deployment.yaml
Expand Up @@ -396,7 +396,6 @@ Resources:
"VaultAdminUser" = "${VaultAdminUser}"
"SSMAdminPassParameterID" = "${StoreAdminPassword.SsmId}"
"VaultPrivateIP" = "${VaultIpAddress}"
"ComponentInstancesRole" = "${ComponentInstancesRole}"
"ComponentHostname" = "${ComponentHostname}"
"StackName" = "${AWS::StackName}"
}
Expand Down Expand Up @@ -427,124 +426,35 @@ Resources:
- !Ref CPMAmi
- !Ref ComponentCustomAmi
InstanceType: !Ref ComponentInstanceType
UserData: !Base64
'Fn::Sub': >-
<script>

cfn-init.exe -v -s ${AWS::StackId} -r CPMMachine --configsets
ascending --region ${AWS::Region}

</script>
UserData:
Fn::Base64: !Sub
- |
<powershell>
$UserDataParams = @{
"Region" = "${AWS::Region}"
"LogGroup" = "${LogGroup}"
"UserDataLogStream" = "${CPMUserDataLogStream}"
"CPMConfigurationsLogStream" = "${CPMConfigurationsLogStream}"
"CPMRegistrationLogStream" = "${CPMRegistrationLogStream}"
"CPMSetLocalServiceLogStream" = "${CPMSetLocalServiceLogStream}"
"VaultAdminUser" = "${VaultAdminUser}"
"SSMAdminPassParameterID" = "${StoreAdminPassword.SsmId}"
"VaultPrivateIP" = "${VaultIpAddress}"
"ComponentHostname" = "${ComponentHostname}"
"StackName" = "${AWS::StackName}"
}
C:\CyberArk\Deployment\UserDataScript.ps1 @UserDataParams
</powershell>
- VaultIpAddress: !If
- DRValueEmpty
- !Sub '${VaultPrivateIP}'
- !Sub '${VaultPrivateIP},${DRPrivateIP}'
KeyName: !Ref KeyName
IamInstanceProfile: !Ref ComponentInstanceProfile
Metadata:
'AWS::CloudFormation::Init':
configSets:
ascending:
- configSSMAndHostname
- configServices
- configSignal
configSSMAndHostname:
services:
windows:
AmazonSSMAgent:
enabled: true
ensureRunning: true
files:
- >-
C:\Program
Files\Amazon\SSM\Plugins\awsCloudWatch\AWS.EC2.Windows.CloudWatch.json
commands:
1-cloudwatch:
command: !Sub >
powershell.exe -File C:\CyberArk\Deployment\CloudWatch.ps1
-LogGroup ${LogGroup} -CPMCfnInitLogStream
${CPMCfnInitLogStream} -CPMConfiguration
${CPMConfigurationsLog} -CPMRegistration ${CPMRegistrationLog}
-CPMSetLocalService ${CPMSetLocalServiceLog} -Region
${AWS::Region}
2-downloadLatestSSM:
command: >
powershell.exe -Command
[Net.ServicePointManager]::SecurityProtocol =
[Net.SecurityProtocolType]::Tls12; Invoke-WebRequest
"https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/windows_amd64/AmazonSSMAgentSetup.exe"
-OutFile "$env:USERPROFILE\Desktop\SSMAgent_latest.exe"
-UseBasicParsing
waitAfterCompletion: 0
ignoreErrors: true
3-updateLatestSSM:
command: >
powershell.exe -Command Start-Process -FilePath
$env:USERPROFILE\Desktop\SSMAgent_latest.exe -ArgumentList "/S"
-Wait
waitAfterCompletion: 0
ignoreErrors: true
4-removeLatestSSM:
command: >
powershell.exe -Command rm -Force
$env:USERPROFILE\Desktop\SSMAgent_latest.exe
waitAfterCompletion: 0
ignoreErrors: true
5-restartSSM:
command: powershell.exe -Command "Restart-Service AmazonSSMAgent"
waitAfterCompletion: 60
ignoreErrors: true
6-addDNSSuffix:
command: powershell.exe -Command "Set-DnsClientGlobalSetting -SuffixSearchList ((Get-DnsClientGlobalSetting).SuffixSearchList += 'pas.local')"
configServices:
commands:
1-configuration:
command: !Sub
- >-
powershell.exe -File
C:\CyberArk\Deployment\CPMConfiguration.ps1 -VaultIpAddress
${VaultIpAddress} -VaultAdminUser ${VaultAdminUser} -VaultPort
1858
- VaultIpAddress: !If
- DRValueEmpty
- !Sub '${VaultPrivateIP}'
- !Sub '${VaultPrivateIP},${DRPrivateIP}'
waitAfterCompletion: 0
2-registration:
command: !Sub >
powershell.exe -File C:\CyberArk\Deployment\CPMRegistration.ps1
-VaultAdminUser ${VaultAdminUser} -SSMAdminPassParameterID
${StoreAdminPassword.SsmId}
waitAfterCompletion: 0
3-configureCPMService:
command: >
powershell.exe -File C:\CyberArk\Deployment\Set-LocalService.ps1
-Username "PasswordManagerUser" -Services "CyberArk Central
Policy Manager Scanner"
waitAfterCompletion: 0
4-configureCPMService:
command: >-
powershell.exe -File C:\CyberArk\Deployment\Set-LocalService.ps1
-Username "PasswordManagerUser" -Services "CyberArk Password
Manager"
waitAfterCompletion: 0
5-CPMserviceConfig:
command: sc config "CyberArk Password Manager" start=auto
waitAfterCompletion: 0
6-CPMSserviceConfig:
command: sc config "CyberArk Central Policy Manager Scanner" start=auto
waitAfterCompletion: 0
7-ChangeHostname:
command: !Sub >
powershell.exe -Command Rename-Computer -NewName
${ComponentHostname} -Force -Restart
waitAfterCompletion: forever
configSignal:
commands:
0-signalCompletion:
command: !Sub >
"C:\Program Files\Amazon\cfn-bootstrap\cfn-signal.exe" -e %ERRORLEVEL% --stack ${AWS::StackId} --resource CPMMachine --region ${AWS::Region}
waitAfterCompletion: 0
Condition: CreateCPMCondition
CreationPolicy:
ResourceSignal:
Timeout: PT25M
Timeout: PT10M
DeletionPolicy: Retain
PSMMachine:
Type: AWS::EC2::Instance
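Review bot: The new `<powershell>` block interpolates stack parameters (`${VaultAdminUser}`, `${ComponentHostname}`) into PowerShell double-quoted literals, where a value containing `"` or `$(` would terminate the literal or be expanded before `UserDataScript.ps1` runs; the removed cfn-init commands passed the same values as bare arguments and had a similar exposure, so this is a good moment to close it. Either switch the hashtable values to single-quoted PowerShell literals, e.g. `"VaultAdminUser" = '${VaultAdminUser}'` (the `${}` is resolved by Fn::Sub before PowerShell sees it), or constrain those parameters with an `AllowedPattern` in the Parameters section, which is outside this hunk. Passing `${StoreAdminPassword.SsmId}` rather than the password itself is the right choice, since user data is retrievable from the instance and the console. The CPMMachine resource definition starts before the first line of this hunk.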
