elasticsearch_basic.yaml
---

ElasticSearch CloudFormation Deployment

This CloudFormation template builds a basic ElasticSearch domain, reachable only inside a VPC, with a Cognito user pool and identity pool for Kibana authentication.

AWSTemplateFormatVersion: '2010-09-09'
Description: ElasticSearch Basic

Parameters

These are the input parameters for this template. All of these parameters must be supplied for this template to be deployed.

Parameters:
  ServiceName:
    Description: "Name of this ElasticSearch Domain (Must be lowercase, no underscores: [a-z][a-z0-9-]+ )"
    Type: String
    Default: "elasticsearch"
    AllowedPattern: "[a-z][a-z0-9-]+"
  CognitoName:
    Description: "Name of the Cognito Pools (Underscores, no dashes: [a-z][a-z0-9_]+ )"
    Type: String
    Default: "elasticsearch"
    AllowedPattern: "[a-z][a-z0-9_]+"
  ElasticSearchVersion:
    Description: ElasticSearch Engine Version
    Type: String
    Default: "6.2"
  InstanceType:
    Description: ElasticSearch Instance Type
    Type: String
    Default: "t2.small.elasticsearch"
    AllowedValues:
      - "t2.small.elasticsearch"
      - "t2.medium.elasticsearch"
      - "m4.large.elasticsearch"

VPC the ElasticSearch Domain will belong to

  VPCID:
    Description: Target VPC
    Type: AWS::EC2::VPC::Id
    Default: "vpc-2b1ea94c"

The VPC Subnet IDs for the ElasticSearch Domain.

  ElasticSearchSubnets:
    Description: Subnet Group Members
    Type: AWS::EC2::Subnet::Id
    Default: "subnet-6288662b"
  TagService:
    Description: Refers to the application (Uaccess Learning, Uaccess Employee, Uaccess Student)
    Type: String
    Default: "UITS Data Center Services"
  TagEnvironment:
    Description: Type of environment that is using this resource, such as 'dev', 'tst', 'prd'.
    Type: String
    Default: "dev"
  TagContactNetid:
    Description: NetID of person most familiar with resource
    Type: String
    Default: "fischerm"
  TagAccountNumber:
    Description: Identifies the financial system account number
    Type: String
    Default: "1192660"
  TagTicketNumber:
    Description: Jira Ticket Number
    Type: String
    Default: "CLOUD-627"

Metadata

Metadata is mostly for organizing and presenting Parameters in a better way when using CloudFormation in the AWS Web UI.

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Service Settings
        Parameters:
          - ServiceName
          - CognitoName
          - ElasticSearchVersion
          - InstanceType
      - Label:
          default: VPC Settings
        Parameters:
          - VPCID
          - ElasticSearchSubnets
      - Label:
          default: Tags
        # Only parameters declared in the Parameters section may be listed here.
        Parameters:
          - TagService
          - TagEnvironment
          - TagContactNetid
          - TagAccountNumber
          - TagTicketNumber

Resources

These are all of the actual AWS resources created for this application.

Resources:

ElasticSearch Domain

This is the ElasticSearch domain itself

  ElasticSearchDomain:
    Type: "AWS::Elasticsearch::Domain"
    Properties:
      DomainName: !Ref ServiceName
      ElasticsearchVersion: !Ref ElasticSearchVersion
      # Only the Cognito "authenticated" role may call the domain; there is no
      # anonymous principal in this policy.
      AccessPolicies:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:role/${CognitoAllowedRole}"
            Action: es:*
            # The resource ARN must match the region the stack is deployed in;
            # a hard-coded region silently denies access elsewhere.
            Resource: !Sub "arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/${ServiceName}/*"
      AdvancedOptions:
        rest.action.multi.allow_explicit_index: "true"
      EBSOptions:
        EBSEnabled: true
        Iops: 0
        VolumeSize: 20
        VolumeType: standard
      ElasticsearchClusterConfig:
        InstanceCount: 3
        InstanceType: !Ref InstanceType
      SnapshotOptions:
        AutomatedSnapshotStartHour: '0'
      VPCOptions:
        SubnetIds:
          - !Ref ElasticSearchSubnets
        SecurityGroupIds:
          - !Ref ElasticSearchSecurityGroup
      Tags:
        - Key: "Name"
          Value: !Ref "ServiceName"
        - Key: service
          Value: !Ref TagService
        - Key: environment
          Value: !Ref TagEnvironment
        - Key: contactnetid
          Value: !Ref TagContactNetid
        - Key: accountnumber
          Value: !Ref TagAccountNumber
        - Key: ticketnumber
          Value: !Ref TagTicketNumber

  ElasticSearchSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: !Sub "${ServiceName} Security Group"
      VpcId: !Ref VPCID
      SecurityGroupIngress:
        # 0.0.0.0/0 admits any source that can route into the VPC (peered VPCs,
        # VPN, Direct Connect); restrict to the VPC CIDR or a client security
        # group where possible.
        - FromPort: '443'
          IpProtocol: tcp
          ToPort: '443'
          CidrIp: 0.0.0.0/0

  CognitoAllowedRole:
    Type: AWS::IAM::Role
    Properties:
      Path: /
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Federated: cognito-identity.amazonaws.com
            Action: sts:AssumeRoleWithWebIdentity
            Condition:
              StringEquals:
                cognito-identity.amazonaws.com:aud: !Ref CognitoIdentityPool
              ForAnyValue:StringLike:
                cognito-identity.amazonaws.com:amr: authenticated
      Policies:
        - PolicyName: !Sub "${ServiceName}-cognitoESAllow-role"
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                # cognito-identity:* on "*" is broader than Kibana sign-in needs.
                Action:
                  - mobileanalytics:PutEvents
                  - cognito-sync:*
                  - cognito-identity:*
                Resource:
                  - "*"

  CognitoDenyRole:
    Type: AWS::IAM::Role
    Properties:
      Path: /
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Federated: cognito-identity.amazonaws.com
            Action: sts:AssumeRoleWithWebIdentity
            Condition:
              StringEquals:
                cognito-identity.amazonaws.com:aud: !Ref CognitoIdentityPool
              ForAnyValue:StringLike:
                cognito-identity.amazonaws.com:amr: unauthenticated
      Policies:
        - PolicyName: !Sub "${ServiceName}-cognitoESDeny-role"
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - mobileanalytics:PutEvents
                  - cognito-sync:*
                Resource:
                  - "*"

  CognitoIdentityPool:
    Type: "AWS::Cognito::IdentityPool"
    Properties:
      IdentityPoolName: !Sub "${CognitoName}_UA_Shibboleth_IdP"
      # This needs to initially be true. ElasticSearch will set this to false
      # once it has registered itself.
      AllowUnauthenticatedIdentities: true
      DeveloperProviderName: "arizona.edu"
      CognitoIdentityProviders:
        - ClientId: !Ref CognitoElasticSearchAppClient
          ProviderName: !Sub "cognito-idp.${AWS::Region}.amazonaws.com/${CognitoUserPool}"
      SamlProviderARNs:
        - !Sub "arn:aws:iam::${AWS::AccountId}:saml-provider/UA_Shibboleth_IdP"

  CognitoIdentityAllowRoleAttachment:
    Type: "AWS::Cognito::IdentityPoolRoleAttachment"
    Properties:
      IdentityPoolId: !Ref CognitoIdentityPool
      Roles:
        authenticated: !GetAtt CognitoAllowedRole.Arn
        unauthenticated: !GetAtt CognitoDenyRole.Arn

  CognitoUserPool:
    Type: "AWS::Cognito::UserPool"
    Properties:
      UserPoolName: !Sub "${CognitoName}-userpool"
      AdminCreateUserConfig:
        AllowAdminCreateUserOnly: true
      UserPoolTags:
        Name: !Ref "ServiceName"
        service: !Ref TagService
        environment: !Ref TagEnvironment
        contactnetid: !Ref TagContactNetid
        accountnumber: !Ref TagAccountNumber
        ticketnumber: !Ref TagTicketNumber

  CognitoElasticSearchAppClient:
    Type: "AWS::Cognito::UserPoolClient"
    Properties:
      ClientName: !Sub "${CognitoName}-appclient"
      UserPoolId: !Ref CognitoUserPool
      GenerateSecret: 'true'
      RefreshTokenValidity: 30
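As an added example that is not part of this template: a small audit function that flags the settings a reviewer would question in the resources above (the 0.0.0.0/0 security group ingress, wildcard IAM actions on `*`, unauthenticated identities on the identity pool, and an ElasticSearch access policy open to any principal, which this template does not have). It assumes the template's Resources section has already been loaded into a Python dict; the sample below is constructed inline with intrinsic functions replaced by plain strings.

```python
def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wildcard_action(actions):
    # "*" or "service:*" grants every action of that service.
    return any(a == "*" or a.endswith(":*") for a in _as_list(actions))

def audit(resources):
    """Return one finding string per risky setting found in a Resources map."""
    findings = []
    for name, res in resources.items():
        rtype, props = res.get("Type", ""), res.get("Properties", {})
        if rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                if rule.get("CidrIp") in ("0.0.0.0/0", "::/0"):
                    findings.append(f"{name}: port {rule.get('FromPort')} open to {rule['CidrIp']}")
        elif rtype == "AWS::IAM::Role":
            for pol in props.get("Policies", []):
                for st in pol["PolicyDocument"].get("Statement", []):
                    if (st.get("Effect") == "Allow" and _wildcard_action(st.get("Action", []))
                            and "*" in _as_list(st.get("Resource", []))):
                        findings.append(f"{name}: policy {pol['PolicyName']} allows wildcard actions on *")
        elif rtype == "AWS::Cognito::IdentityPool":
            if props.get("AllowUnauthenticatedIdentities") is True:
                findings.append(f"{name}: unauthenticated identities enabled")
        elif rtype == "AWS::Elasticsearch::Domain":
            for st in props.get("AccessPolicies", {}).get("Statement", []):
                if st.get("Effect") == "Allow" and st.get("Principal") in ("*", {"AWS": "*"}):
                    findings.append(f"{name}: access policy allows any principal")
    return findings

# Constructed sample mirroring this template's resources; intrinsic functions are
# replaced by plain strings (and a placeholder account id) since only the checked keys matter.
SAMPLE_RESOURCES = {
    "ElasticSearchSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "SecurityGroupIngress": [{"FromPort": "443", "ToPort": "443", "IpProtocol": "tcp", "CidrIp": "0.0.0.0/0"}]}},
    "CognitoAllowedRole": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [{
        "PolicyName": "cognitoESAllow-role", "PolicyDocument": {"Statement": [{"Effect": "Allow",
            "Action": ["mobileanalytics:PutEvents", "cognito-sync:*", "cognito-identity:*"], "Resource": ["*"]}]}}]}},
    "CognitoIdentityPool": {"Type": "AWS::Cognito::IdentityPool", "Properties": {"AllowUnauthenticatedIdentities": True}},
    "ElasticSearchDomain": {"Type": "AWS::Elasticsearch::Domain", "Properties": {"AccessPolicies": {"Statement": [{
        "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/CognitoAllowedRole"}, "Action": "es:*"}]}}},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_RESOURCES):
        print(finding)
```

Run against the sample it reports three findings (security group, allowed role, identity pool) and nothing for the domain, whose access policy is scoped to a single role.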

Outputs

Output values that can be viewed from the AWS CloudFormation console.

Outputs:
  DomainEndpoint:
    Value: !GetAtt ElasticSearchDomain.DomainEndpoint
  KibanaEndpoint:
    Value:
      Fn::Sub:
        - "https://${DomainEndpoint}/_plugin/kibana/"
        - DomainEndpoint: !GetAtt ElasticSearchDomain.DomainEndpoint