labview.yaml
--- AWSTemplateFormatVersion: "2010-09-09" Description: "CloudFormation Template for NILabView-Jaws."

Author: Tommy Maynard; Last Edit: 08/16/2017 Editor: Jaime Cantu; Last Edit: 08/09/2017

Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: Default: "UITS Cloud Tagging Policy" Parameters: - Service - Name - Environment - CreatedBy - NetID - AccountNumber - TicketNumber - SLANumber Parameters: ##### Parameters. VpcId: Description: Enter the Virtual Private Cloud (VPC). Type: AWS::EC2::VPC::Id SubnetID: Description: Select the Subnet ID. Type: AWS::EC2::Subnet::Id S3BucketName: Description: Enter the Name of the S3 bucket. Type: String Default: ua-uits-windows Service: # service Type: String Description: Cloud based National Instruments LabVIEW and Freedom Scientific JAWS Screen Reader server #Enter the service name defined in the service catalog (https://it.arizona.edu/services), or if there is no entry, use the name preferred by the application owner. Default: Software Licensing Services Name: # Name Type: String Description: NiLabView-Jaws Environment: # environment Type: String Description: "Select the environment type: dev, tst, rpt, trn, or prd." Default: tst AllowedValues: - dev - tst - rpt - trn - prd CreatedBy: # createdby Type: String Description: Enter the UA NetID of the user, or the service name that is creating these resources. Default: cantuj NetID: # contactnetid Type: String Description: Enter the UA NetID to contact about this CloudFormation template. Default: cantuj KeyName: Type: AWS::EC2::KeyPair::KeyName Description: "Enter a Key Pair" Default: JCM-key AccountNumber: # accountnumber Type: String Description: Enter the account number to identify the financial system account number. Default: '2433648' TicketNumber: # ticketnumber Type: String Description: (Optional) Enter a corresponding ticket number for Jira, Cherwell, or other ticketing system to link to more information. Default: CLOUD-82 SLANumber: # slanumber Type: String Description: (Optional) Enter a matching SLA number assigned by the financial services team. Default: None

ResourceFunction: # resourcefunction This is a per resource tag; therefore, it must be manually set within the CloudFormation document on per resource basis.

Resources: ##### Identity and Access Management (IAM).

IAM Role.

IAMNILabVIEWRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Principal: Service: - ec2.amazonaws.com Action: - sts:AssumeRole Path: /

IAM Instance Profile.

IAMNILabVIEWInstanceProfile: Type: AWS::IAM::InstanceProfile Properties: Path: / Roles: - !Ref IAMNILabVIEWRole

IAM Policy.

IAMNILabVIEWPolicy: Type: AWS::IAM::Policy Properties: PolicyName: IAMPolicyName PolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Action: - s3:ListBucket - s3:GetBucketLocation Resource: - !Sub arn:aws:s3:::${S3BucketName} - Effect: Allow Action: - s3:GetObjectMetaData - s3:GetObject - s3:PutObject - s3:ListMultipartUploadParts - s3:AbortMultipartUpload Resource: - !Sub arn:aws:s3:::${S3BucketName}/* Roles: - !Ref IAMNILabVIEWRole #IAM SSM Decrypt Policy. IAMNILabVIEWDecryptKMSPolicy: Type: AWS::IAM::Policy Properties: PolicyName: NiLabVIEWPolicyForDomainJoining PolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Action: - ssm:GetParameters Resource: "*" - Effect: Allow Action: - kms:Decrypt Resource: - !Sub arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/fd558dae-ff89-4807-b8d7-4b2a726f65a2 Roles: - !Ref IAMNILabVIEWRole

EC2 Instance.

NILabVIEWJAWS: Type: AWS::EC2::Instance Properties: BlockDeviceMappings: - DeviceName: /dev/sda1 Ebs: VolumeType: gp2 DeleteOnTermination: true VolumeSize: "40" ImageId: ami-09f47d69 InstanceType: t2.micro IamInstanceProfile: !Ref IAMNILabVIEWInstanceProfile KeyName: !Ref KeyName NetworkInterfaces: - AssociatePublicIpAddress: false DeviceIndex: "0" SubnetId: !Ref SubnetID GroupSet: - !Ref NILabVIEWJAWSSG - !Ref NILabVIEWSG - !Ref JAWSSG Tags: - Key: service Value: !Ref Service - Key: Name Value: !Ref Name - Key: environment Value: !Ref Environment - Key: createdby Value: !Ref CreatedBy - Key: contactnetid Value: !Ref NetID - Key: accountnumber Value: !Ref AccountNumber - Key: ticketnumber Value: !Ref TicketNumber - Key: slanumber Value: !Ref SLANumber UserData: Fn::Base64: !Sub | <powershell> Function Set-SystemForRestart { Param ( [string]$CreatePassFile, [switch]$EnableUserData, [switch]$Restart ) If ($CreatePassFile) {

Create pass file.

[System.Void](New-Item -Path "$env:SystemDrive\passfile$CreatePassFile.txt" -ItemType File) } If ($EnableUserData) {

Enable UserData for next service restart.

$Path = "$env:ProgramFiles\Amazon\Ec2ConfigService\Settings\config.xml" [xml]$ConfigXml = Get-Content -Path $Path ($ConfigXml.Ec2ConfigurationSettings.Plugins.Plugin | Where-Object -Property Name -eq 'Ec2HandleUserData').State = 'Enabled' $ConfigXml.Save($Path) } If ($Restart) {

Restart computer.

Restart-Computer -Force } } If (-Not(Test-Path -Path "$env:SystemDrive\passfile01.txt")) {

Download PowerShell Module(s) from S3.

$Params = @{ BucketName = 'ua-uits-windows' Keyprefix = 'WindowsPowerShell/Modules/NILabVIEW/' Folder = "$env:ProgramFiles\WindowsPowerShell\Modules" } Read-S3Object @Params | Out-Null

Invoke Set-UitsTimeZone function.

Set-UitsTimeZone -Verbose -Log Start-Sleep -Seconds 60 # otherwise it won't finish the install before reboot.

Invoke Set-SystemForRestart function.

Set-SystemForRestart -CreatePassFile '01' -EnableUserData -Restart } ElseIf (-Not(Test-Path -Path "$env:SystemDrive\passfile02.txt")) {

Download programs from S3.

$Params = @{ BucketName = 'ua-uits-windows' Keyprefix = 'Software/NILabVIEW/' Folder = 'C:\support\' } Read-S3Object @Params | Out-Null

Install NILabVIEW.

Set-Location -Path 'C:\support\NI31' .\setup.exe /q /AcceptLicenses yes /log "NILVInstall.log" /installcache:enable /disableNotificationCheck Start-Sleep -Seconds 260 # otherwise it won't finish the install before reboot.

Invoke Set-SystemForRestart function.

Set-SystemForRestart -CreatePassFile '02' -EnableUserData -Restart } ElseIf (-Not(Test-Path -Path "$env:SystemDrive\passfile03.txt")) {

Install JAWS.

Set-Location -Path C:\support\jaws\ .\J16.0.4468enu-x64.exe /type silent Start-Sleep -Seconds 300 # otherwise it won't finish the install before reboot.

Invoke Set-SystemForRestart function.

Set-SystemForRestart -CreatePassFile '03' -EnableUserData -Restart } ElseIf (-Not(Test-Path -Path "$env:SystemDrive\passfile04.txt")) {

Download PowerShell Module from S3 to the admin desktop to run a script as Admin to install the Jaws's' LM server modules.

$Params = @{ BucketName = 'ua-uits-windows' Keyprefix = 'Software/NILabVIEW/RUNME/' Folder = "$env:SystemDrive\Users\Administrator\Desktop" } Read-S3Object @Params | Out-Null Start-Sleep -Seconds 60 # otherwise it might not finish the download.

Invoke Set-SystemForRestart function.

Set-SystemForRestart -CreatePassFile '04' -EnableUserData -Restart } ElseIf (-Not(Test-Path -Path "$env:SystemDrive\passfile05.txt")) { #Join the CatNet Domain. $joinDomainDomainName = 'catnet.arizona.edu' $joinDomainDNofOU = 'OU=UITSTest,OU=Servers,OU=Enterprise,DC=catnet,DC=arizona,DC=edu' $joinDomainComputerName = 'NILABVIEW' $joinDomainParamNameUser = 'CatnetUserJoiner' #it has to be in cred store as catnet\username to be valid creds. User name alone won't work' $joinDomainParamNamePassword = 'NiLabCatnetJoinPwd'

Retrieve/decrypt credentials from SSM Parameter Store for user with delegated rights to create/delete computer objects in domain.

$joinDomainUser = (Get-SSMParameterValue -Name $joinDomainParamNameUser).Parameters.Value # changed in ssm as domain\user otherwise it won't work since it acts as a local account' $joinDomainPassword = (Get-SSMParameterValue -Name $joinDomainParamNamePassword -WithDecryption $True).Parameters.Value | ConvertTo-SecureString -AsPlainText -Force $joinDomainCred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $joinDomainUser, $joinDomainPassword

Join to the domain and restart.

Add-Computer -DomainName $joinDomainDomainName -NewName $joinDomainComputerName -Credential $joinDomainCred -OUPath $joinDomainDNofOU -Force Start-Sleep -Seconds 30 # otherwise it might not finish the task before restart.

Invoke Set-SystemForRestart function.

Set-SystemForRestart -CreatePassFile '05' -Restart } </powershell> ##### Security Groups:NI LabVIEW and JAWS RDP. NILabVIEWJAWSSG: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: TerminalHost Security Group VpcId: !Ref VpcId SecurityGroupIngress: - IpProtocol: tcp FromPort: "3389" ToPort: "3389" CidrIp: 150.135.112.64/27 # InfraDev VPN. - IpProtocol: tcp FromPort: "3389" ToPort: "3389" CidrIp: 128.196.135.64/26 # UITS Windows/Systems. Tags: - Key: service Value: !Ref Service - Key: Name Value: !Ref Name - Key: environment Value: !Ref Environment - Key: createdby Value: !Ref CreatedBy - Key: contactnetid Value: !Ref NetID - Key: accountnumber Value: !Ref AccountNumber - Key: ticketnumber Value: !Ref TicketNumber - Key: slanumber Value: !Ref SLANumber

Security Group: NI LabVIEW.

NILabVIEWSG: Type: "AWS::EC2::SecurityGroup" Properties: GroupDescription: "NI LabVIEW Security Group" VpcId: !Ref VpcId SecurityGroupIngress:

Port 10050

- IpProtocol: tcp FromPort: "10050" ToPort: "10050" CidrIp: 10.64.0.0/10 # Private space. - IpProtocol: tcp FromPort: "10050" ToPort: "10050" CidrIp: 10.128.0.0/9 # Private space. - IpProtocol: tcp FromPort: "10050" ToPort: "10050" CidrIp: 128.196.0.0/16 # Public space. - IpProtocol: tcp FromPort: "10050" ToPort: "10050" CidrIp: 150.135.0.0/16 # Public space. - IpProtocol: tcp FromPort: "10050" ToPort: "10050"

Port 3157

- IpProtocol: tcp FromPort: "3157" ToPort: "3157" CidrIp: 10.64.0.0/10 # Private space. - IpProtocol: tcp FromPort: "3157" ToPort: "3157" CidrIp: 10.128.0.0/9 # Private space. - IpProtocol: tcp FromPort: "3157" ToPort: "3157" CidrIp: 128.196.0.0/16 # Public space. - IpProtocol: tcp FromPort: "3157" ToPort: "3157" CidrIp: 150.135.0.0/16 # Public space. - IpProtocol: tcp FromPort: "3157" ToPort: "3157"

Port 27000

- IpProtocol: tcp FromPort: "27000" ToPort: "27000" CidrIp: 10.64.0.0/10 # Private space. - IpProtocol: tcp FromPort: "27000" ToPort: "27000" CidrIp: 10.128.0.0/9 # Private space. - IpProtocol: tcp FromPort: "27000" ToPort: "27000" CidrIp: 128.196.0.0/16 # Public space. - IpProtocol: tcp FromPort: "27000" ToPort: "27000" CidrIp: 150.135.0.0/16 # Public space. - IpProtocol: tcp FromPort: "27000" ToPort: "27000" Tags: - Key: service Value: !Ref Service - Key: Name Value: !Ref Name - Key: environment Value: !Ref Environment - Key: createdby Value: !Ref CreatedBy - Key: contactnetid Value: !Ref NetID - Key: accountnumber Value: !Ref AccountNumber - Key: ticketnumber Value: !Ref TicketNumber - Key: slanumber Value: !Ref SLANumber

Security Group: JAWS.

JAWSSG: Type: "AWS::EC2::SecurityGroup" Properties: GroupDescription: "JAWS Security Group" VpcId: !Ref VpcId SecurityGroupIngress:

Port 5093

- IpProtocol: udp FromPort: "5093" ToPort: "5093" CidrIp: 10.64.0.0/10 # Private space. - IpProtocol: udp FromPort: "5093" ToPort: "5093" CidrIp: 10.128.0.0/9 # Private space. - IpProtocol: udp FromPort: "5093" ToPort: "5093" CidrIp: 128.196.0.0/16 # Public space. - IpProtocol: udp FromPort: "5093" ToPort: "5093" CidrIp: 150.135.0.0/16 # Public space. - IpProtocol: udp FromPort: "5093" ToPort: "5093" Tags: - Key: service Value: !Ref Service - Key: Name Value: !Ref Name - Key: environment Value: !Ref Environment - Key: createdby Value: !Ref CreatedBy - Key: contactnetid Value: !Ref NetID - Key: accountnumber Value: !Ref AccountNumber - Key: ticketnumber Value: !Ref TicketNumber - Key: slanumber Value: !Ref SLANumber Outputs: ##### IP Addresses. TerminalHostPrivateIp: Description: NILabVIEWJAWS Private IP Address Value: !GetAtt NILabVIEWJAWS.PrivateIp