apply to fullpas

cyberark · Aug 4, 2024 · 7c4ff01 · 7c4ff01
1 parent 0240616
commit 7c4ff01
Showing 1 changed file with 59 additions and 117 deletions.
diff --git a/aws/Full-PAS-Deployment.yaml b/aws/Full-PAS-Deployment.yaml
@@ -797,73 +797,40 @@ Resources:
           - !Ref VaultAmi
           - !Ref VaultCustomAmi
       InstanceType: !Ref 'VaultInstanceType'
-      UserData: !Base64
-        Fn::Sub: |-
-          <script>
-          cfn-init.exe -v -s ${AWS::StackId} -r VaultMachine --configsets ascending --region ${AWS::Region}
-          </script>
+      UserData:
+        Fn::Base64: !Sub
+          - |
+            <powershell>
+            $UserDataParams = @{
+              "IsPrimaryOrDR"             = "Primary"
+              "VaultFilesBucket"          = "${VaultFilesBucket}"
+              "LicenseFileKey"            = "${LicenseFile}"
+              "RecoveryPublicKey"         = "${RecoveryPublicKey}"
+              "Region"                    = "${AWS::Region}"
+              "LogGroup"                  = "${LogGroup}"
+              "UserDataLogStream"         = "${UserDataLogStream}"
+              "VaultInitLogStream"        = "${VaultInitLogStream}"
+              "VaultPostInstallLogStream" = "${VaultPostInstallLogStream}"
+              "SSMMasterPassParameterID"  = "${StoreMasterPassword.SsmId}"
+              "SSMAdminPassParameterID"   = "${StoreAdminPassword.SsmId}"
+              "SSMDRPassParameterID"      = "${StoreDRPassword.SsmId}"
+              "SSMSecretParameterID"      = "${SecretSsmId}"
+              "VaultInstancesRole"        = "${VaultInstancesRole}"
+              "VaultHostname"             = "${VaultHostname}"
+              "StackName"                 = "${AWS::StackName}"
+            }
+
+            C:\CyberArk\Deployment\UserDataScript.ps1 @UserDataParams
+            </powershell>
+          - SecretSsmId: !If
+              - SecretProvided
+              - !GetAtt StoreSecret.SsmId
+              - ''
       KeyName: !Ref 'KeyName'
       IamInstanceProfile: !Ref 'VaultInstancesProfile'
-    Metadata:
-      AWS::CloudFormation::Init:
-        configSets:
-          ascending:
-            - configSSMAndServerAndTagKMS
-            - configServices
-            - configSignal
-        configSSMAndServerAndTagKMS:
-          services:
-            windows:
-              AmazonSSMAgent:
-                enabled: true
-                ensureRunning: true
-                files:
-                  - C:\Program Files\Amazon\SSM\Plugins\awsCloudWatch\AWS.EC2.Windows.CloudWatch.json
-          commands:
-            1-configcw:
-              command: !Sub >
-                powershell.exe -File C:\CyberArk\Deployment\CloudWatch.ps1 -LogGroup ${LogGroup} -CfnInitLogStream ${VaultCfnInitLogStream} -VaultInitLogStream ${VaultInitLogStream} -VaultPostInstallLogStream ${VaultPostInstallLogStream} -Region ${AWS::Region}
-              waitAfterCompletion: 10
-            2-restartSSM:
-              command: powershell.exe -Command "Restart-Service AmazonSSMAgent"
-              waitAfterCompletion: 60
-            3-addDNSSuffix:
-              command: powershell.exe -Command "Set-DnsClientGlobalSetting -SuffixSearchList ((Get-DnsClientGlobalSetting).SuffixSearchList += 'pas.local')"
-        configServices:
-          commands:
-            1-download:
-              command: !Sub >
-                powershell.exe -File C:\CyberArk\Deployment\VaultInit.ps1 -VaultFilesBucket ${VaultFilesBucket} -LicenseFileKey ${LicenseFile} -RecoveryPublicKey ${RecoveryPublicKey} -Region ${AWS::Region}
-              waitAfterCompletion: 0
-            2-postInstallWithDR:
-              command: !Sub
-              - >-
-                powershell.exe -File C:\CyberArk\Deployment\VaultPostInstall.ps1 -IsPrimaryOrDR "Primary" -SSMMasterPassParameterID
-                ${StoreMasterPassword.SsmId} -SSMAdminPassParameterID ${StoreAdminPassword.SsmId} -SSMDRPassParameterID ${StoreDRPassword.SsmId}
-                -LicensePath "C:\CyberArk\Deployment\vaultLicense.xml" -RecoveryPublicKeyPath "C:\CyberArk\Deployment\recoveryPublic.key"
-                -Region ${AWS::Region} ${Secret}
-              - Secret: !If
-                  - SecretEmpty
-                  - ''
-                  - !Sub '-SSMSecretParameterID ${StoreSecret.SsmId}'
-              waitAfterCompletion: 0
-            3-changeKMSTag:
-              command: !Sub >
-                powershell.exe -File C:\CyberArk\Deployment\VaultTagKMS.ps1 -Role ${VaultInstancesRole} -Region ${AWS::Region}
-              waitAfterCompletion: 0
-            4-ChangeHostname:
-              command: !Sub >
-                powershell.exe -Command Rename-Computer -NewName ${VaultHostname} -Force -Restart
-              waitAfterCompletion: forever
-        configSignal:
-          commands:
-            0-signalCompletion:
-              command: !Sub >
-                "C:\Program Files\Amazon\cfn-bootstrap\cfn-signal.exe" -e %ERRORLEVEL% --stack ${AWS::StackId} --resource VaultMachine --region ${AWS::Region}
-              waitAfterCompletion: 0
     CreationPolicy:
       ResourceSignal:
-        Timeout: PT20M
+        Timeout: PT10M
     DeletionPolicy: Retain
   VaultDRMachine:
     Type: AWS::EC2::Instance
@@ -888,61 +855,35 @@ Resources:
           - !Ref VaultAmi
           - !Ref VaultCustomAmi
       InstanceType: !Ref 'VaultInstanceType'
-      UserData: !Base64
-        Fn::Sub: |-
-          <script>
-          cfn-init.exe -v -s ${AWS::StackId} -r VaultDRMachine --configsets ascending --region ${AWS::Region}
-          </script>
+      UserData:
+        Fn::Base64: !Sub
+          - |
+            <powershell>
+            $UserDataParams = @{
+              "IsPrimaryOrDR"             = "DR"
+              "Region"                    = "${AWS::Region}"
+              "LogGroup"                  = "${LogGroup}"
+              "UserDataLogStream"         = "${UserDataLogStream}"
+              "VaultInitLogStream"        = "${VaultInitLogStream}"
+              "VaultPostInstallLogStream" = "${VaultPostInstallLogStream}"
+              "SSMDRPassParameterID"      = "${StoreDRPassword.SsmId}"
+              "SSMSecretParameterID"      = "${SecretSsmId}"
+              "VaultPrivateIP"            = "${VaultPrivateIP}"
+              "VaultInstancesRole"        = "${VaultDRInstancesProfile}"
+              "VaultHostname"             = "${VaultHostname}"
+              "StackName"                 = "${AWS::StackName}"
+            }
+            C:\CyberArk\Deployment\UserDataScript.ps1 @UserDataParams
+            </powershell>
+          - SecretSsmId: !If
+              - SecretProvided
+              - !GetAtt StoreSecret.SsmId
+              - ''
       KeyName: !Ref 'KeyName'
       IamInstanceProfile: !Ref 'VaultDRInstancesProfile'
-    Metadata:
-      AWS::CloudFormation::Init:
-        configSets:
-          ascending:
-            - configSSMAndHostnameAndTagKMS
-            - configServices
-            - configSignal
-        configSSMAndHostnameAndTagKMS:
-          services:
-            windows:
-              AmazonSSMAgent:
-                enabled: true
-                ensureRunning: true
-                files:
-                  - C:\Program Files\Amazon\SSM\Plugins\awsCloudWatch\AWS.EC2.Windows.CloudWatch.json
-          commands:
-            1-configCloudWatch:
-              command: !Sub >
-                powershell.exe -File C:\CyberArk\Deployment\CloudWatch.ps1 -LogGroup ${LogGroup} -CfnInitLogStream ${VaultDRCfnInitLogStream} -VaultInitLogStream ${VaultDRInitLogStream} -VaultPostInstallLogStream ${VaultDRPostInstallLogStream} -Region ${AWS::Region}
-              waitAfterCompletion: 10
-            2-restartSSM:
-              command: powershell.exe -Command "Restart-Service AmazonSSMAgent"
-              waitAfterCompletion: 0
-            3-addDNSSuffix:
-              command: powershell.exe -Command "Set-DnsClientGlobalSetting -SuffixSearchList ((Get-DnsClientGlobalSetting).SuffixSearchList += 'pas.local')"
-        configServices:
-          commands:
-            1-postInstall:
-              command: !Sub >
-                powershell.exe -File C:\CyberArk\Deployment\VaultPostInstall.ps1 -SSMDRPassParameterID ${StoreDRPassword.SsmId} -IsPrimaryOrDR "DR" -PrimaryVaultIP ${VaultMachine.PrivateIp} -LicensePath "C:\CyberArk\Deployment\vaultLicense.xml" -Region ${AWS::Region} -SSMSecretParameterID ${StoreSecret.SsmId}
-              waitAfterCompletion: 0
-            2-changeKMSTag:
-              command: !Sub >
-                powershell.exe -File C:\CyberArk\Deployment\VaultTagKMS.ps1 -Role ${VaultDRInstancesRole} -Region ${AWS::Region}
-              waitAfterCompletion: 0
-            3-ChangeHostname:
-              command: !Sub >
-                powershell.exe -Command Rename-Computer -NewName ${VaultHostname}-dr -Force -Restart
-              waitAfterCompletion: forever
-        configSignal:
-          commands:
-            0-signalCompletion:
-              command: !Sub >
-                "C:\Program Files\Amazon\cfn-bootstrap\cfn-signal.exe" -e %ERRORLEVEL% --stack ${AWS::StackId} --resource VaultDRMachine --region ${AWS::Region}
-              waitAfterCompletion: 0
     CreationPolicy:
       ResourceSignal:
-        Timeout: PT20M
+        Timeout: PT10M
     DeletionPolicy: Retain
     DependsOn:
       - VaultMachine
@@ -1947,9 +1888,10 @@ Metadata:
       PTAInstanceSubnetId:
         default: PTA Instance Subnet Id
 Conditions:
-  SecretEmpty: !Equals
-    - ''
-    - !Ref Secret
+  SecretProvided: !Not
+    - !Equals
+      - ''
+      - !Ref Secret
   VaultCustomImageEmpty: !Equals
     - ''
     - !Ref VaultCustomAmi