dw_server.yaml
---
# This template will build out a base Windows 2016 system for Docuware.
# This is just the base system; everything else will need to be built out on top of it.

AWSTemplateFormatVersion: '2010-09-09'
Description: CloudFormation Template for a Docuware Server.

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Environment Information
        Parameters:
          - Env
          - InstanceType
          - KeyPair
      - Label:
          default: EBS Volume Information
        Parameters:
          - RootVolumeSize
          - SqlVolumeSize
          - FileStoreVolumeSize
      - Label:
          default: Misc
        Parameters:
          - AppS3ResourceBucket
          - SSLCertARN
          - VPCStackName
          - WindowsAmiParamStore
      - Label:
          default: Tags
        Parameters:
          - TagContactNetID
          - TagEnvironment
          - TagService
          - TagAccountNumber
          - TagSubAccountNumber
          - TagTicketNumber

Parameters:
  # The volume sizes are declared as Number with MinValue/MaxValue so that the
  # bounds stated in the descriptions are actually enforced at stack creation.
  RootVolumeSize:
    Description: Volume size (GiB) for the root EBS volume (min 100, max 16384).
    Type: Number
    Default: 500
    MinValue: 100
    MaxValue: 16384
    ConstraintDescription: Value must be a number between 100 and 16384.
  FileStoreVolumeSize:
    Description: Volume size (GiB) for the file store EBS volume (min 100, max 10485760).
    Type: Number
    Default: 6000
    MinValue: 100
    MaxValue: 10485760
    ConstraintDescription: Value must be a number between 100 and 10485760.
  SqlVolumeSize:
    Description: Volume size (GiB) for the SQL EBS volume (min 100, max 16384).
    Type: Number
    Default: 500
    MinValue: 100
    MaxValue: 16384
    ConstraintDescription: Value must be a number between 100 and 16384.
  VPCStackName:
    Description: CF stack name of the VPC stack whose exports (VPC id, private subnet) are imported below.
    Type: String
    Default: ua-uits-docuware-vpc
  SSLCertARN:
    Description: Application SSL Certificate ARN
    Type: String
    Default: arn:aws:acm:us-west-2:112168075136:certificate/e49212f3-5e5f-471c-b70f-db61b9407347
  AppS3ResourceBucket:
    Description: S3 Bucket containing /security and /classes folders. Just the bucket name, not a full ARN.
    Type: String
    Default: dw-sql-backups
  InstanceType:
    Description: Instance type to use for the EC2 instance.
    Type: String
    Default: m5.8xlarge
  KeyPair:
    Description: EC2 key pair used to retrieve the Windows administrator password.
    Type: String
    Default: docuware-keypair
  WindowsAmiParamStore:
    Description: SSM Parameter Store key for retrieving the latest Windows 2016 AMI.
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-windows-latest/Windows_Server-2016-English-Full-Base
  Env:
    Description: Environment - prd, tst, dev, etc.
    Type: String
    Default: prd

  # Required Tags
  TagService:
    Description: Name of the service associated with this resource (as listed in the service catalog).
    Type: String
    Default: Docuware
  TagContactNetID:
    Description: NetID of the primary technical resource.
    Type: String
    Default: mhirst
  TagTicketNumber:
    Description: Resource identifier
    Type: String
    Default: DW-258
  TagAccountNumber:
    Description: Docuware account number paying for the resource.
    Type: String
    Default: 1192623
  TagSubAccountNumber:
    Description: Docuware sub account number
    Type: String
    Default: 11AWS
  TagEnvironment:
    Description: Environment type.
    Type: String
    Default: prd

Resources:
  # Instance Role
  # This is the IAM role that will be applied to the OpsWorks EC2 Instances.
  # Any AWS-specific permissions that the node might need should be defined here.
  EnvInstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: "/"
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM
      Policies:
        # Access to the S3 Bucket which holds additional files
        - PolicyName: !Sub "dw-${Env}-s3policy"
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: Stmt1452033379000
                Effect: Allow
                Action:
                  - s3:GetObject
                  - s3:ListBucket
                # s3:ListBucket is evaluated against the bucket ARN and s3:GetObject
                # against object ARNs, so both resource forms are required; with only
                # "bucket/*" the ListBucket grant never matches.
                Resource:
                  - !Sub "arn:aws:s3:::${AppS3ResourceBucket}"
                  - !Sub "arn:aws:s3:::${AppS3ResourceBucket}/*"

  # IAM Instance Profile.
  IAMInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: /
      Roles:
        - !Ref EnvInstanceRole

  Ec2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref WindowsAmiParamStore
      InstanceType: !Ref InstanceType
      IamInstanceProfile: !Ref IAMInstanceProfile
      KeyName: !Ref KeyPair
      NetworkInterfaces:
        - DeviceIndex: 0
          GroupSet:
            - !Ref InstanceSecurityGroup
          SubnetId:
            Fn::ImportValue: !Sub "${VPCStackName}-private-subnet-a"
      # All three volumes are encrypted with the account's default EBS key.
      # Note that the data volumes are deleted together with the instance.
      BlockDeviceMappings:
        - DeviceName: /dev/sda1
          Ebs:
            DeleteOnTermination: true
            VolumeSize: !Ref RootVolumeSize
            VolumeType: gp3
            Encrypted: true
        - DeviceName: xvdd
          Ebs:
            DeleteOnTermination: true
            VolumeSize: !Ref FileStoreVolumeSize
            VolumeType: gp3
            Encrypted: true
        - DeviceName: xvde
          Ebs:
            DeleteOnTermination: true
            VolumeSize: !Ref SqlVolumeSize
            VolumeType: gp3
            Encrypted: true
      Tags:
        - Key: Name
          Value: Docuware-Windows-Server
        - Key: environment
          Value: !Ref TagEnvironment
        - Key: contactnetid
          Value: !Ref TagContactNetID
        - Key: ticketnumber
          Value: !Ref TagTicketNumber
        - Key: accountnumber
          Value: !Ref TagAccountNumber
        - Key: service
          Value: !Ref TagService

  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: RDP Security Group
      VpcId:
        Fn::ImportValue: !Sub "${VPCStackName}-vpcid"
      SecurityGroupIngress:
        - IpProtocol: "tcp"
          FromPort: "443"
          ToPort: "443"
          CidrIp: "10.138.0.0/17"
          Description: "Mosaic VPN"
        ##### RDP only through mosaic VPN. #####
        - IpProtocol: "tcp"
          FromPort: "3389"
          ToPort: "3389"
          CidrIp: "10.138.0.0/17"
          Description: "RDP through Mosaic VPN"
        ##### Below is the main campus network + VPN. ####
        # This should cover most of campus except for some remote offices which are added separately
        - IpProtocol: "tcp"
          FromPort: "443"
          ToPort: "443"
          CidrIp: "10.0.0.0/8"
          Description: "main campus network + VPN"
        - IpProtocol: "tcp"
          FromPort: "443"
          ToPort: "443"
          CidrIp: "172.16.0.0/12"
          Description: "main campus network + VPN"
        - IpProtocol: "tcp"
          FromPort: "443"
          ToPort: "443"
          CidrIp: "150.135.0.0/16"
          Description: "main campus network + VPN"
        - IpProtocol: "tcp"
          FromPort: "443"
          ToPort: "443"
          CidrIp: "128.196.0.0/16"
          Description: "main campus network + VPN"
        - IpProtocol: "tcp"
          FromPort: "443"
          ToPort: "443"
          CidrIp: "208.68.28.0/22"
          Description: "COM Phoenix"
        ##### Main Campus VPN range #####
        - IpProtocol: "tcp"
          FromPort: "443"
          ToPort: "443"
          CidrIp: "10.138.64.0/20"
          Description: "UASSL General/All UA VPN Group"
        ###### Control-m access ######
        - IpProtocol: "tcp"
          FromPort: "22"
          ToPort: "22"
          CidrIp: "10.220.176.128/25"
          Description: "Control-M Test agents"
        - IpProtocol: "tcp"
          FromPort: "22"
          ToPort: "22"
          CidrIp: "10.220.177.0/25"
          Description: "Control-M Test agents"
        - IpProtocol: "tcp"
          FromPort: "22"
          ToPort: "22"
          CidrIp: "10.221.119.0/25"
          Description: "Control-M Prod agents"
        - IpProtocol: "tcp"
          FromPort: "22"
          ToPort: "22"
          CidrIp: "10.221.118.128/25"
          Description: "Control-M Prod agents"
        - IpProtocol: "tcp"
          FromPort: "22"
          ToPort: "22"
          CidrIp: "10.138.129.128/26"
          Description: "UAIR VPN"
        - IpProtocol: "tcp"
          FromPort: "22"
          ToPort: "22"
          CidrIp: "10.220.161.81/32"
          Description: "UAIR aws-ds-tst"
        - IpProtocol: "tcp"
          FromPort: "22"
          ToPort: "22"
          CidrIp: "10.220.183.186/32"
          Description: "UAIR aws-ds-prd"
      Tags:
        - Key: Name
          Value: Docuware-Windows-SG
        - Key: environment
          Value: !Ref TagEnvironment
        - Key: contactnetid
          Value: !Ref TagContactNetID
        - Key: ticketnumber
          Value: !Ref TagTicketNumber
        - Key: accountnumber
          Value: !Ref TagAccountNumber
        - Key: service
          Value: !Ref TagService
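The template relies on three controls that are easy to regress in a later edit: every EBS volume stays encrypted, RDP and SSH are reachable only from the VPN and campus private ranges rather than from the internet, and the instance role's s3:ListBucket grant names the bucket ARN itself (IAM evaluates ListBucket against the bucket, so a grant on "bucket/*" alone never matches). The following linter is an added example, not part of dw_server.yaml or of the Docuware project; it assumes the template has been converted to JSON form (for instance with cfn-flip) so that the standard library can load it, and the SAMPLE_TEMPLATE it checks is a constructed cut-down copy of the template's structure with two deliberate defects. The function names (lint_template, check_ingress and the rest) are mine.

```python
"""Lint a CloudFormation template (JSON form) for the controls dw_server.yaml depends on."""
import ipaddress
import json

ADMIN_PORTS = {22, 3389}  # SSH and RDP
# Address space the template's VPN/campus ingress rules live in (RFC 1918).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample mirroring dw_server.yaml: an unencrypted volume, a world-open
# RDP rule without a Description, SSH from a non-private range (203.0.113.0/24 is a
# documentation range), and ListBucket granted only on object ARNs.
SAMPLE_TEMPLATE = json.loads(r'''{"Resources": {
  "EnvInstanceRole": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [
    {"PolicyName": "dw-prd-s3policy", "PolicyDocument": {"Statement": [
      {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
       "Resource": {"Fn::Sub": "arn:aws:s3:::${AppS3ResourceBucket}/*"}}]}}]}},
  "Ec2Instance": {"Type": "AWS::EC2::Instance", "Properties": {"BlockDeviceMappings": [
    {"DeviceName": "/dev/sda1", "Ebs": {"VolumeType": "gp3", "Encrypted": true}},
    {"DeviceName": "xvdd", "Ebs": {"VolumeType": "gp3"}}]}},
  "InstanceSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
    {"IpProtocol": "tcp", "FromPort": "443", "ToPort": "443", "CidrIp": "10.138.0.0/17", "Description": "Mosaic VPN"},
    {"IpProtocol": "tcp", "FromPort": "3389", "ToPort": "3389", "CidrIp": "10.138.0.0/17", "Description": "RDP through Mosaic VPN"},
    {"IpProtocol": "tcp", "FromPort": "3389", "ToPort": "3389", "CidrIp": "0.0.0.0/0"},
    {"IpProtocol": "tcp", "FromPort": "22", "ToPort": "22", "CidrIp": "203.0.113.0/24", "Description": "agents"}]}}}}''')


def _resources(template, rtype):
    """Yield (logical name, Properties) for every resource of the given type."""
    return [(name, res.get("Properties", {}))
            for name, res in template.get("Resources", {}).items() if res.get("Type") == rtype]


def check_ebs_encryption(template):
    """Every block device mapping must set Ebs.Encrypted: true."""
    findings = []
    for name, props in _resources(template, "AWS::EC2::Instance"):
        for mapping in props.get("BlockDeviceMappings", []):
            if not mapping.get("Ebs", {}).get("Encrypted", False):
                findings.append(f"{name}: volume {mapping.get('DeviceName')} is not encrypted")
    return findings


def _is_rfc1918(net):
    return any(net.version == r.version and net.subnet_of(r) for r in RFC1918)


def check_ingress(template):
    """No world-open rules, admin ports only from RFC 1918 space, every rule described."""
    findings = []
    for name, props in _resources(template, "AWS::EC2::SecurityGroup"):
        for rule in props.get("SecurityGroupIngress", []):
            cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
            if cidr is None:  # source is another security group or a prefix list
                continue
            net = ipaddress.ip_network(cidr, strict=False)
            lo, hi = int(rule["FromPort"]), int(rule["ToPort"])  # CloudFormation accepts strings
            label = f"{name}: {cidr} -> {lo}-{hi}"
            if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0
                findings.append(f"{label} is open to the world")
            elif any(lo <= p <= hi for p in ADMIN_PORTS) and not _is_rfc1918(net):
                findings.append(f"{label} exposes an admin port outside RFC1918 space")
            if not rule.get("Description"):
                findings.append(f"{label} has no Description")
    return findings


def _arn_text(resource):
    """Return the ARN string of a literal or Fn::Sub resource entry."""
    if isinstance(resource, dict):
        sub = resource.get("Fn::Sub", "")
        return sub if isinstance(sub, str) else (sub[0] if sub else "")
    return resource


def check_listbucket_scope(template):
    """s3:ListBucket only works when some Resource is the bucket ARN (no trailing /*)."""
    findings = []
    for name, props in _resources(template, "AWS::IAM::Role"):
        for policy in props.get("Policies", []):
            for stmt in policy.get("PolicyDocument", {}).get("Statement", []):
                actions = stmt.get("Action", [])
                actions = [actions] if isinstance(actions, str) else actions
                if stmt.get("Effect") != "Allow" or "s3:ListBucket" not in actions:
                    continue
                resources = stmt.get("Resource", [])
                resources = resources if isinstance(resources, list) else [resources]
                if not any(not _arn_text(r).endswith("/*") for r in resources):
                    findings.append(f"{name}/{policy.get('PolicyName')}: s3:ListBucket is granted "
                                    "only on object ARNs (bucket/*); add the bucket ARN")
    return findings


def lint_template(template):
    return check_ebs_encryption(template) + check_ingress(template) + check_listbucket_scope(template)


if __name__ == "__main__":
    for finding in lint_template(SAMPLE_TEMPLATE):
        print(finding)
```

Run against the real template after `cfn-flip dw_server.yaml > dw_server.json` and `json.load`, the same three checks apply unchanged; rules whose source is another security group or a managed prefix list are skipped rather than flagged, so extend check_ingress if those are in use.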