diff --git a/.github/workflows/build-test.yml b/.github/workflows/build-test.yml
index ae5b2bf..fc794dc 100644
--- a/.github/workflows/build-test.yml
+++ b/.github/workflows/build-test.yml
@@ -12,6 +12,14 @@ jobs:
timeout-minutes: 50
steps:
+ - name: Extract branch name for non PR
+ if: github.event_name != 'pull_request'
+ shell: bash
+ run: echo "BRANCH_NAME=$(echo ${GITHUB_REF#refs/heads/} | tr _. - )" >> $GITHUB_ENV
+ id: extract_branch
+ - name: Extract branch name for PR
+ if: github.event_name == 'pull_request'
+ run: echo "BRANCH_NAME=$(echo ${GITHUB_HEAD_REF} | tr _. -)" >> $GITHUB_ENV
- name: Set env
run: |
echo "AWS_DEFAULT_REGION=eu-west-2" >> $GITHUB_ENV
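Review bot: The value written to `BRANCH_NAME` by the two new `run:` lines is later used as an S3 key prefix and inside a `sed` expression delimited by `@`, but `tr _. -` only rewrites underscores and dots, so a branch such as `feature/x` or one containing `@` produces a nested prefix or a broken `sed` command, and on fork pull requests `GITHUB_HEAD_REF` is chosen by the PR author. A whitelist translation with quoted expansions keeps the value a single safe token: `run: echo "BRANCH_NAME=$(echo "${GITHUB_REF#refs/heads/}" | tr -c 'A-Za-z0-9\n' -)" >> "$GITHUB_ENV"` (and the same with `GITHUB_HEAD_REF` for the PR step). The two steps are also inconsistent: `id: extract_branch` is set only on the non-PR step and is referenced nowhere in the hunk, and the PR step lacks the `shell: bash` the first step declares. The same pair of steps is duplicated verbatim in the new build-vpc-test.yml and needs the same fix.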
@@ -54,7 +62,8 @@ jobs:
export BUCKETREGION=`aws s3api get-bucket-location --bucket ${{ env.TEST_S3_BUCKET }} | grep LocationConstraint | awk -F' ' '{print $NF}' | tr -d '"'`
sed -i "s@SolaceStackRegionNAME@${AWS_DEFAULT_REGION}@g" ci/solace-aws-ha-3az-prod-test.json
sed -i "s@SolaceBucketRegionNAME@${BUCKETREGION}@g" ci/solace-aws-ha-3az-prod-test.json
- aws s3 sync . s3://${{ env.TEST_S3_BUCKET }}/solace/eventbroker/latest --acl public-read
+ sed -i "s@SolaceBranchNAME@${{ env.BRANCH_NAME }}@g" ci/solace-aws-ha-3az-prod-test.json
+ aws s3 sync . s3://${{ env.TEST_S3_BUCKET }}/solace/eventbroker/${{ env.BRANCH_NAME }} --acl public-read
- name: Test with production deployment option (create public subnet)
run: |
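Review bot: The new `aws s3 sync . s3://…/solace/eventbroker/${{ env.BRANCH_NAME }} --acl public-read` creates a public-read prefix per branch on every push, and nothing in the workflow ever removes it, so the test bucket accumulates world-readable copies of every branch's working tree indefinitely. Assuming the checkout step leaves `.git/` in place, the sync presumably also uploads repository history and the `ci/*.json` parameter files; adding `--exclude '.git/*'` to the sync and a bucket lifecycle rule (or a cleanup step keyed on `BRANCH_NAME`) would bound the exposure. The `sed` on the preceding line interpolates `BRANCH_NAME` between `@` delimiters, so it depends on the branch name having been sanitized upstream. The enclosing `run:` block starts before this hunk.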
diff --git a/.github/workflows/build-vpc-test.yml b/.github/workflows/build-vpc-test.yml
new file mode 100644
index 0000000..3c5d5be
--- /dev/null
+++ b/.github/workflows/build-vpc-test.yml
@@ -0,0 +1,160 @@
+name: build-private-vpc
+
+# Controls when the action will run.
+on:
+ #pull_request_target:
+
+ push:
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ timeout-minutes: 50
+
+ steps:
+ - name: Extract branch name for non PR
+ if: github.event_name != 'pull_request'
+ shell: bash
+ run: echo "BRANCH_NAME=$(echo ${GITHUB_REF#refs/heads/} | tr _. - )" >> $GITHUB_ENV
+ id: extract_branch
+ - name: Extract branch name for PR
+ if: github.event_name == 'pull_request'
+ run: echo "BRANCH_NAME=$(echo ${GITHUB_HEAD_REF} | tr _. -)" >> $GITHUB_ENV
+ - name: Set env
+ run: |
+ echo "AWS_DEFAULT_REGION=eu-west-1" >> $GITHUB_ENV
+ echo "TEST_S3_BUCKET=solace-cf-quickstart-ghtest" >> $GITHUB_ENV
+ TESTSTACKPREFIX=T$(echo $(date +%s) | rev)
+ echo "TESTSTACKPREFIX=$TESTSTACKPREFIX" >> $GITHUB_ENV
+ echo "TESTSTACKNAME=$TESTSTACKPREFIX-sol-aws-ghtest" >> $GITHUB_ENV
+ echo "TESTSTACK_VPCNAME=$TESTSTACKPREFIX-vpc-sol-aws-ghtest" >> $GITHUB_ENV
+
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ - name: Recourse submodules
+ run: |
+ sed -i 's/git@github.com:/https:\/\/github.com\//' .gitmodules; cat .gitmodules
+ git submodule sync
+ git submodule init
+ git submodule update
+
+ - name: Configure AWS credentials from Test account
+ uses: aws-actions/configure-aws-credentials@v1
+ with:
+ aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ aws-region: ${{ env.AWS_DEFAULT_REGION }}
+
+ - name: Lint yaml templates
+ run: |
+ sudo apt-get update -y; sudo apt-get install -y yamllint
+ aws cloudformation validate-template --template-body file://templates/solace-master.template
+ aws cloudformation validate-template --template-body file://templates/solace.template
+ aws cloudformation validate-template --template-body file://templates/nodecreate.template
+ aws s3 mb s3://${{ env.TEST_S3_BUCKET }} || echo "s3 bucket already existed"
+
+ - name: Copy test artifacts to test S3 bucket
+ run: |
+ MESSAGEBROKERNODEINSTANCETYPE=t2.medium
+ sed -i "s@SolaceDockerImageParameterValue@solace/solace-pubsub-standard:latest@g" ci/solace-aws-ha-3az-private-vpc-prod-test.json
+ sed -i "s@EventBrokerNodeInstanceTypeParameterValue@${MESSAGEBROKERNODEINSTANCETYPE}@g" ci/solace-aws-ha-3az-private-vpc-prod-test.json
+ aws s3 mb s3://${{ env.TEST_S3_BUCKET }} || echo "s3 bucket already existed"
+ export BUCKETREGION=`aws s3api get-bucket-location --bucket ${{ env.TEST_S3_BUCKET }} | grep LocationConstraint | awk -F' ' '{print $NF}' | tr -d '"'`
+ sed -i "s@SolaceStackRegionNAME@${AWS_DEFAULT_REGION}@g" ci/solace-aws-private-vpc-test.json
+ sed -i "s@SolaceBucketRegionNAME@${BUCKETREGION}@g" ci/solace-aws-ha-3az-private-vpc-prod-test.json
+ sed -i "s@SolaceBucketRegionNAME@${BUCKETREGION}@g" ci/solace-aws-private-vpc-test.json
+ sed -i "s@SolaceBranchNAME@${{ env.BRANCH_NAME }}@g" ci/solace-aws-ha-3az-private-vpc-prod-test.json
+ sed -i "s@SolaceBranchNAME@${{ env.BRANCH_NAME }}@g" ci/solace-aws-private-vpc-test.json
+ aws s3 sync . s3://${{ env.TEST_S3_BUCKET }}/solace/eventbroker/${{ env.BRANCH_NAME }} --acl public-read
+
+ - name: Test with production deployment option (create public subnet)
+ run: |
+ aws cloudformation create-stack --stack-name $TESTSTACK_VPCNAME --template-body file://templates/setup_sample_new_vpc.template --parameters file://ci/solace-aws-private-vpc-test.json --on-failure ROLLBACK --capabilities CAPABILITY_NAMED_IAM
+ echo "Waiting for stack create complete"
+ sleep 30; aws cloudformation describe-stacks --stack-name $TESTSTACK_VPCNAME
+ until aws cloudformation describe-stacks --stack-name $TESTSTACK_VPCNAME | grep -m 1 -E 'CREATE_COMPLETE'; do
+ sleep 10
+ if aws cloudformation describe-stacks --stack-name $TESTSTACK_VPCNAME | grep -m 1 -E 'ROLLBACK_IN_PROGRESS'; then
+ aws cloudformation describe-stack-events --stack-name $TESTSTACK_VPCNAME
+ aws cloudformation describe-stacks --stack-name $TESTSTACK_VPCNAME
+ exit 1
+ fi
+ sleep 10
+ done
+ aws cloudformation describe-stack-events --stack-name $TESTSTACK_VPCNAME
+ aws cloudformation describe-stacks --stack-name $TESTSTACK_VPCNAME --query "Stacks[0].Outputs"
+ echo "Pausing to get the VPC ready"; sleep 10
+ export private_vpc_conf="$(aws cloudformation describe-stacks --stack-name $TESTSTACK_VPCNAME --query Stacks[0].Outputs)"; echo $private_vpc_conf
+ echo "VPC set up complete"
+ sed -i "s@VPCIDParam@$(echo $private_vpc_conf | jq '.[] | select(.OutputKey == "VPCID").OutputValue' | tr -d '"')@g" ci/solace-aws-ha-3az-private-vpc-prod-test.json
+ sed -i "s@VPCSecurityGroupIDParam@$(echo $private_vpc_conf | jq '.[] | select(.OutputKey == "VPCSecurityGroupID").OutputValue' | tr -d '"')@g" ci/solace-aws-ha-3az-private-vpc-prod-test.json
+ sed -i "s@SolaceStackPublicSubnetID1A@$(echo $private_vpc_conf | jq '.[] | select(.OutputKey == "PublicSubnet1ID").OutputValue' | tr -d '"')@g" ci/solace-aws-ha-3az-private-vpc-prod-test.json
+ sed -i "s@SolaceStackPublicSubnetID2B@$(echo $private_vpc_conf | jq '.[] | select(.OutputKey == "PublicSubnet2ID").OutputValue' | tr -d '"')@g" ci/solace-aws-ha-3az-private-vpc-prod-test.json
+ sed -i "s@SolaceStackPrivateSubnetID1A@$(echo $private_vpc_conf | jq '.[] | select(.OutputKey == "PrivateSubnet1ID").OutputValue' | tr -d '"')@g" ci/solace-aws-ha-3az-private-vpc-prod-test.json
+ sed -i "s@SolaceStackPrivateSubnetID2B@$(echo $private_vpc_conf | jq '.[] | select(.OutputKey == "PrivateSubnet2ID").OutputValue' | tr -d '"')@g" ci/solace-aws-ha-3az-private-vpc-prod-test.json
+ sed -i "s@SolaceStackPrivateSubnetID3C@$(echo $private_vpc_conf | jq '.[] | select(.OutputKey == "PrivateSubnet3ID").OutputValue' | tr -d '"')@g" ci/solace-aws-ha-3az-private-vpc-prod-test.json
+ echo "BASTION_HOST=$(echo $private_vpc_conf | jq '.[] | select(.OutputKey == "EIP1").OutputValue' | tr -d '"')" >> $GITHUB_ENV
+ aws cloudformation create-stack --stack-name $TESTSTACKNAME --template-body file://templates/solace.template --parameters file://ci//solace-aws-ha-3az-private-vpc-prod-test.json --on-failure ROLLBACK --capabilities CAPABILITY_NAMED_IAM
+ echo "Waiting for stack create complete"
+ sleep 30; aws cloudformation describe-stacks --stack-name $TESTSTACKNAME
+ until aws cloudformation describe-stacks --stack-name $TESTSTACKNAME | grep -m 1 -E 'CREATE_COMPLETE'; do
+ sleep 10
+ if aws cloudformation describe-stacks --stack-name $TESTSTACKNAME | grep -m 1 -E 'ROLLBACK_IN_PROGRESS'; then
+ aws cloudformation describe-stack-events --stack-name $TESTSTACKNAME
+ aws cloudformation describe-stacks --stack-name $TESTSTACKNAME
+ exit 1
+ fi
+ sleep 10
+ done
+ aws cloudformation describe-stack-events --stack-name $TESTSTACKNAME
+ aws cloudformation describe-stacks --stack-name $TESTSTACKNAME
+ echo "Pausing to get the ELB ready"; sleep 10
+ export url="$(aws elbv2 describe-load-balancers | grep DNSName | grep `echo $TESTSTACKPREFIX | head -c4` | awk -F '"' '{print $4}')"; echo $url
+ echo "BROKER_ELB=$(echo $url)" >> $GITHUB_ENV
+
+ - name: Validate PubSub deployment
+ uses: appleboy/ssh-action@v0.1.0
+ with:
+ timeout: 5m
+ command_timeout: 10m
+ host: ${{ env.BASTION_HOST }}
+ username: "ec2-user"
+ key: ${{ secrets.CI_KEY }}
+ script: |
+ echo "Validating Broker Setup with LB ${{ env.BROKER_ELB }}";
+ until curl http://${{ env.BROKER_ELB }}:8080; do sleep 10; done;
+ curl -O https://sftp.solace.com/download/SDKPERF_C_LINUX64;
+ tar -xvf SDKPERF_C_LINUX64;
+ sleep 120;
+ curl -sS -u admin:admin http://${{ env.BROKER_ELB }}:8080/SEMP -d "";
+ curl -sS -u admin:admin http://${{ env.BROKER_ELB }}:8080/SEMP -d "";
+ if [[ -z `curl -sS -u admin:admin http://${{ env.BROKER_ELB }}:8080/SEMP -d "" | grep "Up"` ]] ; then echo "config-sync not up!"; exit 1; fi;
+ pubSubTools/sdkperf_c -cip=${{ env.BROKER_ELB }} -mn=100000 -mr=0 -ptl=t1 -stl=t1 | grep "Total Messages"
+ echo "Validation completed.";
+
+
+ - name: Delete test deployment (Cleanup)
+ if: ${{ always() }}
+ run: |
+ aws cloudformation delete-stack --stack-name $TESTSTACKNAME || echo "Couldn't delete stack $TESTSTACKNAME"
+ echo "Waiting for stack delete complete"
+ stackid="$(aws cloudformation describe-stacks --stack-name $TESTSTACKNAME | grep StackId | awk -F '"' '{print $4}')"
+ if [ -n "$stackid" ]; then until aws cloudformation describe-stacks --stack-name $stackid | grep -m 1 "DELETE_COMPLETE"; do sleep 10; done; fi
+
+ aws cloudformation delete-stack --stack-name $TESTSTACK_VPCNAME || echo "Couldn't delete stack $TESTSTACK_VPCNAME"
+ echo "Waiting for stack delete complete"
+ vpcStackid="$(aws cloudformation describe-stacks --stack-name $TESTSTACK_VPCNAME | grep StackId | awk -F '"' '{print $4}')"
+ if [ -n "$vpcStackid" ]; then until aws cloudformation describe-stacks --stack-name $vpcStackid | grep -m 1 "DELETE_COMPLETE"; do sleep 10; done; fi
+
+ - name: Update QuickStart S3 on success for SolaceProducts
+ if: ${{ success() }} && github.event_name == 'push'
+ run: |
+ if [ ${{ github.ref }} == 'refs/heads/master' ] && [ ${{ github.repository_owner }} == 'SolaceProducts' ] ; then
+ aws s3 sync . s3://solace-products/pubsubplus-aws-ha-quickstart/latest --acl public-read
+ fi
+
+ - name: Delete all unattached volumes (Cleanup)
+ if: ${{ always() }}
+ run: |
+ for volume in `aws ec2 describe-volumes --filter "Name=status,Values=available" --query "Volumes[*].{ID:VolumeId}" --region $AWS_DEFAULT_REGION | grep ID | awk -F '"' '{print $4}'`; do aws ec2 delete-volume --volume-id $volume --region $AWS_DEFAULT_REGION; done
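Review bot: The cleanup step on the last line deletes every `available` EBS volume in the region of the test account, not just volumes left behind by `$TESTSTACKNAME`, so any unattached volume in that account is destroyed on each run. Narrow the filter to this run's resources, e.g. `--filter "Name=status,Values=available" "Name=tag:aws:cloudformation:stack-name,Values=$TESTSTACKNAME"` if the stack's volumes carry the CloudFormation stack tag (volumes created via block-device mappings may not — confirm against the template), or tag the volumes explicitly and filter on that. The publish step's `if: ${{ success() }} && github.event_name == 'push'` wraps only part of the expression in `${{ }}`; I believe GitHub then treats the remainder as literal text and the condition is effectively always true, leaving only the inner `[ … == 'refs/heads/master' ]` test as the guard — write it as `if: success() && github.event_name == 'push'`. The `Lint yaml templates` step installs `yamllint` but never invokes it, so the templates are only run through `validate-template`. The `until … CREATE_COMPLETE` loops only react to `ROLLBACK_IN_PROGRESS`; a stack that reaches `ROLLBACK_COMPLETE` between two polls spins until the job's 50-minute timeout, so match `ROLLBACK_COMPLETE|CREATE_FAILED` as well.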
diff --git a/README.md b/README.md
index 1cabe43..d4cc5b1 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,8 @@
# Install and Configure Solace PubSub+ Software Event Broker in an HA Tuple using AWS Cloud Formation
-This project is a best practice template intended for development and demo purposes. The tested and recommended Solace PubSub+ Software Event Broker version is 9.12.
+This project is a best practice template intended for development and demo purposes. The tested and recommended Solace PubSub+ Software Event Broker version is 9.13.
+It is important to note that for earlier versions of Solace PubSub+ Software Event Broker, it is recommended that you use v3.1.0 of the quickstart.
This document provides a quick getting started guide to install a Solace PubSub+ software event broker deployment in Amazon Web Services cloud computing platform.
@@ -12,11 +13,15 @@ This Quick Start template installs Solace PubSub+ Software Event Broker in fault
To learn more about event broker redundancy see the [Redundancy Documentation](https://docs.solace.com/Features/SW-Broker-Redundancy-and-Fault-Tolerance.htm ). If you are not familiar with Solace PubSub+ or high-availability configurations it is recommended that you review this document.
+Alternatively this Quick Start can create event brokers in an environment suitable for Proof-of-Concept testing where loss of an AWS Availability Zone will not cause loss of access to mission critical data.
+
![alt text](/images/Solace-AWS-HA-PoC-2AZ.png "Proof of Concept Environment for Solace PubSub+ Software Event Broker")
-Alternatively this Quick Start can create event brokers in an environment suitable for Proof-of-Concept testing where loss of an AWS Availability Zone will not cause loss of access to mission critical data.
+There is another option where the Solace PubSub+ Software Event Broker is deployed in private VPC with internal facing network load balancer (LB).
+This options ensures the broker services are not exposed externally and only accessible in the private VPC selected during deployment.
+
+![alt text](/images/Solace-AWS-HA-Prod-Private-VPC-3AZ.png "Proof of Concept Environment for Solace PubSub+ Software Event Broker with Internally Facing Broker Services")
-To learn more about connectivity to the HA redundancy group see the AWS [VPC Gateway Documentation](http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Internet_Gateway.html ).
# Minimum Resource Requirements
@@ -63,7 +68,8 @@ The Docker image reference can be:
**Step 2**: Go to the AWS Cloud Formation service and launch the template. The following links are for your convenience and take you directly to the event broker templates.
-**Note:** Using `Launch Quick Start (for new VPC)` launches the AWS infrastructure stacks needed with the event broker stack on top (recommended). However, if you have previously launched this Quick Start within your target region and would like to re-deploy just the event broker stack on top of the existing AWS infrastructure stacks, you can use `Launch Quick Start (for existing VPC)`.
+**Note:** Using `Launch Quick Start (for new VPC)` launches the AWS infrastructure stacks needed with the event broker stack on top (recommended)[-see Launch Option 1 in the next section of this document](#launch-option-1-parameters-for-deploying-into-a-new-vpc). However, if you have already have a VPC or previously launched this Quick Start within your target region and would like to re-deploy just the event broker stack on top of the existing AWS infrastructure stacks, you can use `Launch Quick Start (for existing VPC)`.
+This approach of deployment of the PubSub+ Event Broker is associated with Launch [Option 2](#launch-option-2-parameters-for-deploying-into-an-existing-vpc-with-publicly-accessible-broker-services) and [3](#launch-option-3-parameters-for-deploying-into-an-existing-vpc-with-broker-services-accessible-internally-within-vpc-only).
@@ -97,7 +103,7 @@ The next screen will allow you to fill in the details for the selected launch op
-### Launch option 1: Parameters for deploying into a new VPC
+### Launch option 1: Parameters for deploying into a new VPC with publicly accessible broker services
| Parameter label (name) | Default | Description |
|----------------------------|-----------|--------------------------------------------------------------------|
@@ -126,17 +132,29 @@ The next screen will allow you to fill in the details for the selected launch op
| Quick Start S3 bucket region (QSS3BucketRegion) | us-east-1 | The AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. When using your own bucket, you must specify this value. |
| Quick Start S3 Key Prefix (QSS3KeyPrefix) | pubsubplus-aws-ha-quickstart/latest/ | Specifies the S3 folder for your copy of Quick Start assets. Change this parameter if you decide to customize or extend the Quick Start for your own use. |
-### Launch option 2: Parameters for deploying into an existing VPC
+### Launch option 2: Parameters for deploying into an existing VPC with publicly accessible broker services.
If you are deploying into an existing VPC, most of the parameters are the same as for the new VPC option with the following additions:
-| Parameter label (name) | Default | Description |
-|----------------------------|-----------|--------------------------------------------------------------------|
-| **Network Configuration** | | |
-| VPC ID (VPCID) | _Requires_ _input_ | Choose the ID of your existing VPC stack - for a value, refer to the `VPCID` in the "VPCStack"'s `Outputs` tab in the AWS CloudFormation view (e.g., vpc-0343606e). This VPC must exist with the proper configuration for PubSub+ cluster access. |
-| Public Subnet IDs (Public SubnetIDs) | _Requires_ _input_ | Choose public subnet IDs in your existing VPC from this list (e.g., subnet-4b8d329f,subnet-bd73afc8,subnet-a01106c2), matching your deployment architecture. |
-| Private Subnet IDs (PrivateSubnetIDs) | _Requires_ _input_ | Choose private subnet IDs in your existing VPC from this list (e.g., subnet-4b8d329f,subnet-bd73afc8,subnet-a01106c2), matching your deployment architecture. Note: This parameter is ignored if you set the Use private subnets parameter to false, however you must still provide at least one item from the list (any) to satisfy parameter validation. |
-| Security group allowed to access console SSH (SSHSecurityGroupID) | _Requires_ _input_ | The ID of the security group in your existing VPC that is allowed to access the console via SSH - for a value, refer to the `BastionSecurityGroupID` in the "BastionStack"'s `Outputs` tab in the AWS CloudFormation view (e.g., sg-7f16e910). Note: This parameter is ignored if you set the Use private subnets parameter to false. |
+| Parameter label (name) | Default | Description |
+|-------------------------------------------------------------------|--------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| **Network Configuration** | | |
+| VPC ID (VPCID) | _Requires_ _input_ | Choose the ID of your existing VPC stack - for a value, refer to the `VPCID` in the "VPCStack"'s `Outputs` tab in the AWS CloudFormation view (e.g., vpc-0343606e). This VPC must exist with the proper configuration for PubSub+ cluster access. |
+| VPC CIDR (VPC CIDR) | _0.0.0.0/0_ | Choose the VPC CIDR of your existing VPC stack - for a value, refer to the `VPCCIDR` in the "VPCStack"'s `Outputs` tab in the AWS CloudFormation view (e.g., 10.0.0.0/16). This VPC CIDR must match with the `VPCID` parameter for proper configuration for PubSub+ cluster access. This parameter is required to ensure the health port can only be accessed from the VPC address range as it is internal only |
+| Public Subnet IDs (Public SubnetIDs) | _Requires_ _input_ | Choose public subnet IDs in your existing VPC from this list (e.g., subnet-4b8d329f,subnet-bd73afc8,subnet-a01106c2), matching your deployment architecture. |
+| Private Subnet IDs (PrivateSubnetIDs) | _Requires_ _input_ | Choose private subnet IDs in your existing VPC from this list (e.g., subnet-4b8d329f,subnet-bd73afc8,subnet-a01106c2), matching your deployment architecture. Note: This parameter is ignored if you set the Use private subnets parameter to false, however you must still provide at least one item from the list (any) to satisfy parameter validation. |
+| Security group allowed to access console SSH (SSHSecurityGroupID) | _Requires_ _input_ | The ID of the security group in your existing VPC that is allowed to access the console via SSH - for a value, refer to the `BastionSecurityGroupID` in the "BastionStack"'s `Outputs` tab in the AWS CloudFormation view (e.g., sg-7f16e910). Note: This parameter is ignored if you set the Use private subnets parameter to false. |
+
+### Launch option 3: Parameters for deploying into an existing VPC with broker services accessible internally within VPC only.
+
+If you are deploying into an existing private VPC, then you will need the third deployment option. This allows broker nodes and services to only be accessed from within the private VPC. Both "VPC internal access only" and "Use private subnets" parameters needs to be set to `true` for the broker nodes and services to only be accessible internally within VPC. It uses most of the parameters from the first two options.
+
+| Parameter label (name) | Default | Description |
+|-------------------------------------------------------------------|--------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| **Network Configuration** | | |
+| VPC Internal access only (VPCAccessOnly) | false | Whether broker nodes and services are only exposed internally to the VPC. Only applicable if private subnets used. |
+| Use private subnets (UsePrivateSubnets) | true | Whether to deploy broker nodes into Private Subnets. Note: When this parameter and `VPCAccessOnly` are set to `true` it will ensure broker nodes are only accessible inside the VPC `VPCID` |
+
@@ -213,6 +231,14 @@ For data, the event broker cluster can be accessed through the ELB’s public DN
![alt text](/images/solace_tutorial.png "getting started publish/subscribe")
+# Updating or Upgrading the HA cluster
+
+It is important to note that, AWS HA quickstart will not be used to modify an existing deployment. That is, you can not update, one deployment configuration to another with the quickstart.
+You can not for instance migrate PubSub+ broker HA nodes in public VPC to a private VPC by running the AWS HA quickstart. You can also, not upgrade or downgrade docker images or other configurations after installation.
+It is strictly for installation and has no update workflow.
+
+
+
## Contributing
Please read [CONTRIBUTING.md](CONTRIBUTING.md) for details on our code of conduct, and the process for submitting pull requests to us.
diff --git a/ci/solace-aws-ha-3az-private-vpc-prod-test.json b/ci/solace-aws-ha-3az-private-vpc-prod-test.json
new file mode 100644
index 0000000..6325b32
--- /dev/null
+++ b/ci/solace-aws-ha-3az-private-vpc-prod-test.json
@@ -0,0 +1,78 @@
+[
+ {
+ "ParameterKey": "SolaceDockerImage",
+ "ParameterValue": "SolaceDockerImageParameterValue"
+ },
+ {
+ "ParameterKey": "AdminPassword",
+ "ParameterValue": "admin"
+ },
+ {
+ "ParameterKey": "ContainerLoggingFormat",
+ "ParameterValue": "graylog"
+ },
+ {
+ "ParameterKey": "NumberOfAZs",
+ "ParameterValue": "3"
+ },
+ {
+ "ParameterKey": "VPCID",
+ "ParameterValue": "VPCIDParam"
+ },
+ {
+ "ParameterKey": "VPCAccessOnly",
+ "ParameterValue": "true"
+ },
+ {
+ "ParameterKey": "UsePrivateSubnets",
+ "ParameterValue": "true"
+ },
+ {
+ "ParameterKey": "PublicSubnetIDs",
+ "ParameterValue": "SolaceStackPublicSubnetID1A"
+ },
+ {
+ "ParameterKey": "PrivateSubnetIDs",
+ "ParameterValue": "SolaceStackPrivateSubnetID1A,SolaceStackPrivateSubnetID2B,SolaceStackPrivateSubnetID3C"
+ },
+ {
+ "ParameterKey": "SSHSecurityGroupID",
+ "ParameterValue": "VPCSecurityGroupIDParam"
+ },
+ {
+ "ParameterKey": "BootDiskSize",
+ "ParameterValue": "24"
+ },
+ {
+ "ParameterKey": "WorkerNodeInstanceType",
+ "ParameterValue": "EventBrokerNodeInstanceTypeParameterValue"
+ },
+ {
+ "ParameterKey": "WorkerNodeStorage",
+ "ParameterValue": "20"
+ },
+ {
+ "ParameterKey": "MonitorNodeInstanceType",
+ "ParameterValue": "t2.small"
+ },
+ {
+ "ParameterKey": "KeyPairName",
+ "ParameterValue": "cikey"
+ },
+ {
+ "ParameterKey": "RemoteAccessCIDR",
+ "ParameterValue": "0.0.0.0/0"
+ },
+ {
+ "ParameterKey": "QSS3BucketName",
+ "ParameterValue": "solace-cf-quickstart-ghtest"
+ },
+ {
+ "ParameterKey": "QSS3BucketRegion",
+ "ParameterValue": "SolaceBucketRegionNAME"
+ },
+ {
+ "ParameterKey": "QSS3KeyPrefix",
+ "ParameterValue": "solace/eventbroker/SolaceBranchNAME/"
+ }
+]
diff --git a/ci/solace-aws-ha-3az-prod-test.json b/ci/solace-aws-ha-3az-prod-test.json
index 4c00839..d9e9a89 100644
--- a/ci/solace-aws-ha-3az-prod-test.json
+++ b/ci/solace-aws-ha-3az-prod-test.json
@@ -61,6 +61,6 @@
},
{
"ParameterKey": "QSS3KeyPrefix",
- "ParameterValue": "solace/eventbroker/latest/"
+ "ParameterValue": "solace/eventbroker/SolaceBranchNAME/"
}
]
diff --git a/ci/solace-aws-private-vpc-test.json b/ci/solace-aws-private-vpc-test.json
new file mode 100644
index 0000000..4c8fd4e
--- /dev/null
+++ b/ci/solace-aws-private-vpc-test.json
@@ -0,0 +1,34 @@
+[
+ {
+ "ParameterKey": "NumberOfAZs",
+ "ParameterValue": "3"
+ },
+ {
+ "ParameterKey": "AvailabilityZones",
+ "ParameterValue": "SolaceStackRegionNAMEa,SolaceStackRegionNAMEb,SolaceStackRegionNAMEc"
+ },
+ {
+ "ParameterKey": "CreatePrivateSubnets",
+ "ParameterValue": "true"
+ },
+ {
+ "ParameterKey": "KeyPairName",
+ "ParameterValue": "cikey"
+ },
+ {
+ "ParameterKey": "SSHAccessCIDR",
+ "ParameterValue": "0.0.0.0/0"
+ },
+ {
+ "ParameterKey": "QSS3BucketName",
+ "ParameterValue": "solace-cf-quickstart-ghtest"
+ },
+ {
+ "ParameterKey": "QSS3BucketRegion",
+ "ParameterValue": "SolaceBucketRegionNAME"
+ },
+ {
+ "ParameterKey": "QSS3KeyPrefix",
+ "ParameterValue": "solace/eventbroker/SolaceBranchNAME/"
+ }
+]
diff --git a/images/CloudWatch_logging.png b/images/CloudWatch_logging.png
index 8b4011f..a1f1f61 100644
Binary files a/images/CloudWatch_logging.png and b/images/CloudWatch_logging.png differ
diff --git a/images/Select-Template.png b/images/Select-Template.png
index 7d9a278..dda90df 100644
Binary files a/images/Select-Template.png and b/images/Select-Template.png differ
diff --git a/images/Solace-AWS-HA-PoC-2AZ.png b/images/Solace-AWS-HA-PoC-2AZ.png
index dd5317e..40005af 100644
Binary files a/images/Solace-AWS-HA-PoC-2AZ.png and b/images/Solace-AWS-HA-PoC-2AZ.png differ
diff --git a/images/Solace-AWS-HA-Prod-3AZ.png b/images/Solace-AWS-HA-Prod-3AZ.png
index 9297523..77a7336 100644
Binary files a/images/Solace-AWS-HA-Prod-3AZ.png and b/images/Solace-AWS-HA-Prod-3AZ.png differ
diff --git a/images/Solace-AWS-HA-Prod-Private-VPC-3AZ.png b/images/Solace-AWS-HA-Prod-Private-VPC-3AZ.png
new file mode 100644
index 0000000..631fd18
Binary files /dev/null and b/images/Solace-AWS-HA-Prod-Private-VPC-3AZ.png differ
diff --git a/images/capabilities.png b/images/capabilities.png
index 81c8b50..7aff613 100644
Binary files a/images/capabilities.png and b/images/capabilities.png differ
diff --git a/images/ec2-instance-details.png b/images/ec2-instance-details.png
index 5047c1c..c8a87a7 100644
Binary files a/images/ec2-instance-details.png and b/images/ec2-instance-details.png differ
diff --git a/images/elb-details.png b/images/elb-details.png
index 1574131..d1d2cfa 100644
Binary files a/images/elb-details.png and b/images/elb-details.png differ
diff --git a/images/specify-details.png b/images/specify-details.png
index c900a32..e89c5ca 100644
Binary files a/images/specify-details.png and b/images/specify-details.png differ
diff --git a/images/stacks-after-deploy-success.png b/images/stacks-after-deploy-success.png
index 9e04d48..95a04c2 100644
Binary files a/images/stacks-after-deploy-success.png and b/images/stacks-after-deploy-success.png differ
diff --git a/scripts/install-solace.sh b/scripts/install-solace.sh
index d0a4a57..f6a2a8a 100644
--- a/scripts/install-solace.sh
+++ b/scripts/install-solace.sh
@@ -184,17 +184,12 @@ chown -R 1000001 $(dirname ${admin_password_file})
chmod 700 $(dirname ${admin_password_file})
if [[ ${disk_size} == "0" ]]; then
- echo "`date` Using ephemeral volumes"
- #Create new volumes that the PubSub+ Message Broker container can use to consume and store data.
- docker volume create --name=jail
- docker volume create --name=var
- docker volume create --name=adb
- docker volume create --name=softAdb
- docker volume create --name=diagnostics
- docker volume create --name=internalSpool
- SPOOL_MOUNT="-v jail:/usr/sw/jail -v var:/usr/sw/var -v softAdb:/usr/sw/internalSpool/softAdb -v adb:/usr/sw/adb -v diagnostics:/var/lib/solace/diags -v internalSpool:/usr/sw/internalSpool"
+ echo "`date` Using ephemeral volume"
+ #Create new volume that the PubSub+ Message Broker container can use to consume and store data.
+ docker volume create --name=solace
+ SPOOL_MOUNT="-v solace:/var/lib/solace"
else
- echo "`date` Using persistent volumes"
+ echo "`date` Using persistent volume"
echo "`date` Create primary partition on new disk"
(
echo n # Add a new partition
@@ -210,16 +205,11 @@ else
echo "UUID=${UUID} /opt/pubsubplus xfs defaults 0 0" >> /etc/fstab
mkdir /opt/pubsubplus
mount -a
- mkdir /opt/pubsubplus/jail
- mkdir /opt/pubsubplus/var
- mkdir /opt/pubsubplus/adb
- mkdir /opt/pubsubplus/softAdb
- mkdir /opt/pubsubplus/diagnostics
- mkdir /opt/pubsubplus/internalSpool
+ mkdir /opt/pubsubplus/solace
chown 1000001 -R /opt/pubsubplus/
#chmod -R 777 /opt/pubsubplus
- SPOOL_MOUNT="-v /opt/pubsubplus/jail:/usr/sw/jail -v /opt/pubsubplus/var:/usr/sw/var -v /opt/pubsubplus/adb:/usr/sw/adb -v /opt/pubsubplus/softAdb:/usr/sw/internalSpool/softAdb -v /opt/pubsubplus/diagnostics:/var/lib/solace/diags -v /opt/pubsubplus/internalSpool:/usr/sw/internalSpool"
+ SPOOL_MOUNT="-v /opt/pubsubplus/solace:/var/lib/solace"
fi
############# From here execution path is different for nonHA and HA
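Review bot: The persistent-disk branch now creates and mounts a single directory, `/opt/pubsubplus/solace:/var/lib/solace`, where it previously created six (`jail`, `var`, `adb`, `softAdb`, `diagnostics`, `internalSpool`) mounted at separate container paths; a disk provisioned by an earlier version of this script therefore has none of its data under the new path, and nothing here detects or migrates that layout. Given the README's new statement that the quickstart has no update workflow, a comment above `mkdir /opt/pubsubplus/solace` such as `# Single storage root mounted at /var/lib/solace; disks created by earlier versions of this script used six subdirectories and are not migrated` would make the incompatibility explicit to anyone reusing a volume. `mkdir` without `-p` fails if the directory already exists, whereas `docker volume create --name=solace` in the ephemeral branch is idempotent; whether that matters depends on the script's error handling, which is outside this hunk. The same consolidation appears in the ephemeral-volume hunk above.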
diff --git a/templates/nodecreate.template b/templates/nodecreate.template
index dca1ff6..9a9e1e9 100644
--- a/templates/nodecreate.template
+++ b/templates/nodecreate.template
@@ -71,9 +71,16 @@ Parameters:
SubnetID:
Description: >-
Comma separated list of VPC subnet IDs for the cluster deployment (e.g. subnet-4b8d329f,subnet-bd73afc8);
- VPC must exist with proper configuration for Solacet cluster access (internal
+ VPC must exist with proper configuration for Solace cluster access (internal
and external) and the subnets must be in the same VPC as the security groups
Type: AWS::EC2::Subnet::Id
+ AssociatePublicIP:
+ AllowedValues:
+ - 'true'
+ - 'false'
+ Default: 'true'
+ Description: Whether to associate a public IP address to this instance
+ Type: String
NodeSecurityGroup:
Description: Comma separated list of security groups for the members of the cluster
(e.g. sg-7f16e910,sg-4be93ca2); The security groups must be in the same VPC
@@ -154,6 +161,8 @@ Mappings:
AMZNLINUXHVM: ami-050b8344d77081f4b
eu-west-3:
AMZNLINUXHVM: ami-053418e626d0549fc
+ eu-north-1:
+ AMZNLINUXHVM: ami-8c169ef2
sa-east-1:
AMZNLINUXHVM: ami-05b7dbc290217250d
us-east-1:
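Review bot: The new `eu-north-1` entry uses a short-format AMI ID (`ami-8c169ef2`) while every sibling visible in the mapping is a 17-character ID, which suggests it was copied from an older AMI list. Confirm it is a current Amazon Linux image in that region, since a stale mapping only fails at stack creation time.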
@@ -197,6 +206,9 @@ Conditions:
- 'io1'
UsingDefaultBucket: !Equals [!Ref QSS3BucketName, 'aws-quickstart']
NonHA: !Equals [!Ref NodeDesignation, 'event-broker-singlenode']
+ AssociatePublicIPCondition: !Equals
+ - !Ref 'AssociatePublicIP'
+ - 'true'
Resources:
CloudFormationLogs:
Type: AWS::Logs::LogGroup
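Review bot: `AssociatePublicIPCondition` is defined here and the `AssociatePublicIP` parameter is declared in the first hunk, but within this diff the condition is consumed only by the `PublicDNSName` output; no hunk touches `BrokerNodeInstance`'s network configuration (`AssociatePublicIpAddress` on its network interface), so unless that property is set elsewhere in the file the parameter documents intent without changing whether the instance actually gets a public address. If it is wired up outside the shown hunks, a comment on the parameter pointing to that use would help; otherwise the instance definition needs the same `!If [AssociatePublicIPCondition, true, false]`.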
@@ -632,6 +644,6 @@ Outputs:
Name: !Sub '${AWS::StackName}-PrivateDnsName'
PublicDNSName:
Description: Public DNS name of the created ec2 instance
- Value: !GetAtt BrokerNodeInstance.PublicDnsName
+ Value: !If [AssociatePublicIPCondition, !GetAtt BrokerNodeInstance.PublicDnsName, 'Public DNS name not available']
Export:
Name: !Sub '${AWS::StackName}-PublicDNSName'
diff --git a/templates/setup_sample_new_vpc.template b/templates/setup_sample_new_vpc.template
index 79d54ec..94d1d6f 100644
--- a/templates/setup_sample_new_vpc.template
+++ b/templates/setup_sample_new_vpc.template
@@ -113,6 +113,7 @@ Resources:
CreatePrivateSubnets: !Ref 'CreatePrivateSubnets'
KeyPairName: !Ref 'KeyPairName'
NumberOfAZs: !Ref 'NumberOfAZs'
+ VPCTenancy: "default"
BastionHostRole:
Type: 'AWS::IAM::Role'
Properties:
@@ -164,3 +165,45 @@ Resources:
QSS3KeyPrefix: !Sub ${QSS3KeyPrefix}submodules/quickstart-linux-bastion/
RemoteAccessCIDR: !Ref 'SSHAccessCIDR'
VPCID: !GetAtt 'VPCStack.Outputs.VPCID'
+ VPCSecurityGroup:
+ Type: AWS::EC2::SecurityGroup
+ Properties:
+ VpcId: !GetAtt 'VPCStack.Outputs.VPCID'
+ GroupDescription: Security Group
+ SecurityGroupIngress:
+ - IpProtocol: tcp
+ FromPort: 22
+ ToPort: 22
+ CidrIp: '0.0.0.0/0'
+ - IpProtocol: tcp
+ FromPort: 22
+ ToPort: 22
+ CidrIp: '0.0.0.0/0'
+Outputs:
+ VPCID:
+ Description: VPC ID
+ Value: !GetAtt 'VPCStack.Outputs.VPCID'
+ VPCCIDR:
+ Description: VPC CIDR
+ Value: !GetAtt 'VPCStack.Outputs.VPCCIDR'
+ PrivateSubnet1ID:
+ Description: Private VPC Subnet 1
+ Value: !GetAtt 'VPCStack.Outputs.PrivateSubnet1AID'
+ PrivateSubnet2ID:
+ Description: Private VPC Subnet 2
+ Value: !GetAtt 'VPCStack.Outputs.PrivateSubnet2AID'
+ PrivateSubnet3ID:
+ Description: Private VPC Subnet 3
+ Value: !GetAtt 'VPCStack.Outputs.PrivateSubnet3AID'
+ PublicSubnet1ID:
+ Description: Public VPC Subnet 1
+ Value: !GetAtt 'VPCStack.Outputs.PublicSubnet1ID'
+ PublicSubnet2ID:
+ Description: Public VPC Subnet 2
+ Value: !GetAtt 'VPCStack.Outputs.PublicSubnet2ID'
+ VPCSecurityGroupID:
+ Description: VPC Security Group
+ Value: !GetAtt 'VPCSecurityGroup.GroupId'
+ EIP1:
+ Description: Bastion Host EIP
+ Value: !GetAtt 'BastionStack.Outputs.EIP2'
\ No newline at end of file
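Review bot: VPCSecurityGroup opens TCP 22 with `CidrIp: '0.0.0.0/0'` although this same template already has an `SSHAccessCIDR` parameter (passed as `RemoteAccessCIDR` to the bastion stack three lines above), so the rule should read `CidrIp: !Ref 'SSHAccessCIDR'` rather than hard-coding world access. The two SecurityGroupIngress entries are byte-identical; as far as I know the EC2 API rejects a duplicate rule (InvalidPermission.Duplicate), so the second entry is at best redundant and may fail stack creation — drop it. The same duplicated, world-open port 22 block is repeated in the new templates/setup_sample_new_vpc_no_bastion.template, which has no CIDR parameter at all and would need one added. Separately, the output named `EIP1` reads `BastionStack.Outputs.EIP2`; either the attribute or the output name is wrong.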
diff --git a/templates/setup_sample_new_vpc_no_bastion.template b/templates/setup_sample_new_vpc_no_bastion.template
new file mode 100644
index 0000000..4f0c784
--- /dev/null
+++ b/templates/setup_sample_new_vpc_no_bastion.template
@@ -0,0 +1,146 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: >-
+ This template creates a new VPC infrastructure for PubSub+ high availability architecture.
+ **WARNING** This template creates Amazon EC2 instance and related resources. You
+ will be billed for the AWS resources used if you create a stack from this template.
+ (qs-1nju7g5qq)
+Metadata:
+ AWS::CloudFormation::Interface:
+ ParameterGroups:
+ - Label:
+ default: Network Configuration
+ Parameters:
+ - NumberOfAZs
+ - AvailabilityZones
+ - CreatePrivateSubnets
+ - KeyPairName
+ - Label:
+ default: AWS Quick Start Configuration
+ Parameters:
+ - QSS3BucketName
+ - QSS3BucketRegion
+ - QSS3KeyPrefix
+ ParameterLabels:
+ AvailabilityZones:
+ default: Availability Zones
+ NumberOfAZs:
+ default: Number of Availability Zones
+ KeyPairName:
+ default: Key Pair Name
+ CreatePrivateSubnets:
+ default: Create production ready environment
+ QSS3BucketName:
+ default: Quick Start S3 Bucket Name
+ QSS3BucketRegion:
+ default: Quick Start S3 bucket region
+ QSS3KeyPrefix:
+ default: Quick Start S3 Key Prefix
+Parameters:
+ AvailabilityZones:
+ Description: 'List of Availability Zones to use for the subnets in the VPC. Note:
+ The logical order is preserved. The number of zones to choose must be equal
+ to ''Number of Availability Zones'' previously specified'
+ Type: List
+ NumberOfAZs:
+ ConstraintDescription: Valid numbers are 3 or 2
+ Default: '3'
+ Description: Number of availability zones, based on availability in the target region, valid numbers are 3 or 2. 3 means each node in own AZ, 2 puts monitor and backup
+ in one AZ.
+ AllowedValues:
+ - '2'
+ - '3'
+ Type: Number
+ KeyPairName:
+ Description: Name of an existing EC2 key pair within the AWS region; all instances
+ will launch with this key pair
+ Type: AWS::EC2::KeyPair::KeyName
+ CreatePrivateSubnets:
+ AllowedValues:
+ - 'true'
+ - 'false'
+ Default: 'true'
+ Description: Whether to create and use Private Subnets with a fronting ELB
+ Type: String
+ QSS3BucketName:
+ AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$
+ ConstraintDescription: Quick Start bucket name can include numbers, lowercase
+ letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen
+ (-).
+ Default: solace-products
+ Description: S3 bucket name for the Quick Start assets. Quick Start bucket name
+ can include numbers, lowercase letters, uppercase letters, and hyphens (-).
+ It cannot start or end with a hyphen (-).
+ Type: String
+ QSS3BucketRegion:
+ Default: 'us-east-1'
+ Description: 'The AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. When using your own bucket, you must specify this value.'
+ Type: String
+ QSS3KeyPrefix:
+ AllowedPattern: ^[0-9a-zA-Z-/]*$
+ ConstraintDescription: Quick Start key prefix can include numbers, lowercase letters,
+ uppercase letters, hyphens (-), and forward slash (/).
+ Default: pubsubplus-aws-ha-quickstart/latest/
+ Description: S3 key prefix for the Quick Start assets. Quick Start key prefix
+ can include numbers, lowercase letters, uppercase letters, hyphens (-), and
+ forward slash (/).
+ Type: String
+Mappings: {}
+Conditions:
+ UsePrivateSubnets: !Equals
+ - !Ref 'CreatePrivateSubnets'
+ - 'true'
+ UsingDefaultBucket: !Equals [!Ref QSS3BucketName, 'aws-quickstart']
+Resources:
+ VPCStack:
+ Type: AWS::CloudFormation::Stack
+ Properties:
+ TemplateURL:
+ !Sub
+ - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-aws-vpc/templates/aws-vpc.template.yaml'
+ - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion]
+ S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
+ Parameters:
+ AvailabilityZones: !Join
+ - ','
+ - !Ref 'AvailabilityZones'
+ CreatePrivateSubnets: !Ref 'CreatePrivateSubnets'
+ NumberOfAZs: !Ref 'NumberOfAZs'
+ VPCSecurityGroup:
+ Type: AWS::EC2::SecurityGroup
+ Properties:
+ VpcId: !GetAtt 'VPCStack.Outputs.VPCID'
+ GroupDescription: Security Group
+ SecurityGroupIngress:
+ - IpProtocol: tcp
+ FromPort: 22
+ ToPort: 22
+ CidrIp: '0.0.0.0/0'
+ - IpProtocol: tcp
+ FromPort: 22
+ ToPort: 22
+ CidrIp: '0.0.0.0/0'
+Outputs:
+ VPCID:
+ Description: VPC ID
+ Value: !GetAtt 'VPCStack.Outputs.VPCID'
+ VPCCIDR:
+ Description: VPC CIDR
+ Value: !GetAtt 'VPCStack.Outputs.VPCCIDR'
+ PrivateSubnet1ID:
+ Description: Private VPC Subnet 1
+ Value: !GetAtt 'VPCStack.Outputs.PrivateSubnet1AID'
+ PrivateSubnet2ID:
+ Description: Private VPC Subnet 2
+ Value: !GetAtt 'VPCStack.Outputs.PrivateSubnet2AID'
+ PrivateSubnet3ID:
+ Description: Private VPC Subnet 3
+ Value: !GetAtt 'VPCStack.Outputs.PrivateSubnet3AID'
+ PublicSubnet1ID:
+ Description: Public VPC Subnet 1
+ Value: !GetAtt 'VPCStack.Outputs.PublicSubnet1ID'
+ PublicSubnet2ID:
+ Description: Public VPC Subnet 2
+ Value: !GetAtt 'VPCStack.Outputs.PublicSubnet2ID'
+ VPCSecurityGroupID:
+ Description: VPC Security Group
+ Value: !GetAtt 'VPCSecurityGroup.GroupId'
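Review bot: KeyPairName is declared under Parameters and listed in the Network Configuration parameter group, but nothing in this template references it — VPCStack passes only AvailabilityZones, CreatePrivateSubnets and NumberOfAZs, and the only other resource is VPCSecurityGroup — so users are forced to choose a key pair that has no effect; drop the parameter and its two Metadata entries, or pass it where it is needed. The header Description also says the template "creates Amazon EC2 instance and related resources", which looks copied from the bastion variant; the resources here are a VPC substack and a security group, so `This template creates a new VPC infrastructure (without a bastion host) for PubSub+ high availability architecture.` would be more accurate, keeping the EC2 billing sentence only if the VPC submodule itself launches instances.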
diff --git a/templates/solace-master.template b/templates/solace-master.template
index 0176431..4976d20 100644
--- a/templates/solace-master.template
+++ b/templates/solace-master.template
@@ -262,7 +262,6 @@ Resources:
AvailabilityZones: !Join
- ','
- !Ref 'AvailabilityZones'
- CreatePrivateSubnets: !Ref 'CreatePrivateSubnets'
NumberOfAZs: !Ref 'NumberOfAZs'
BastionHostRole:
Type: 'AWS::IAM::Role'
@@ -373,3 +372,4 @@ Resources:
- - !GetAtt 'VPCStack.Outputs.PublicSubnet1ID'
- !GetAtt 'VPCStack.Outputs.PublicSubnet2ID'
VPCID: !GetAtt 'VPCStack.Outputs.VPCID'
+ VPCCIDR: !GetAtt 'VPCStack.Outputs.VPCCIDR'
diff --git a/templates/solace.template b/templates/solace.template
index 7a52fb7..be3e6d7 100644
--- a/templates/solace.template
+++ b/templates/solace.template
@@ -20,6 +20,8 @@ Metadata:
default: Network Configuration
Parameters:
- VPCID
+ - VPCCIDR
+ - VPCAccessOnly
- NumberOfAZs
- UsePrivateSubnets
- PublicSubnetIDs
@@ -68,8 +70,12 @@ Metadata:
default: Security group allowed to access console SSH. Ignored if not using private subnets.
UsePrivateSubnets:
default: Use private subnets
+ VPCAccessOnly:
+ default: VPC internal access only
VPCID:
default: VPC ID
+ VPCCIDR:
+ default: VPC CIDR
PrivateSubnetIDs:
default: Private Subnet IDs
PublicSubnetIDs:
@@ -192,12 +198,19 @@ Parameters:
- 'true'
- 'false'
Default: 'true'
- Description: Whether to use Private Subnets with fronting Bastion Servers
+ Description: Whether to deploy broker nodes into Private Subnets.
+ Type: String
+ VPCAccessOnly:
+ AllowedValues:
+ - 'true'
+ - 'false'
+ Default: 'false'
+ Description: Whether broker nodes and services are only exposed internally to the VPC. Only applicable if private subnets used.
Type: String
RemoteAccessCIDR:
AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$
ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/x
- Description: Allowed CIDR block for external access to cluster nodes
+ Description: Allowed CIDR block for access to broker services
Type: String
MonitorNodeInstanceType:
AllowedValues:
@@ -224,11 +237,18 @@ Parameters:
PublicSubnetIDs:
Description: Comma separated list of VPC public subnet IDs for the cluster deployment
(e.g. subnet-4b8d329f,subnet-bd73afc8); VPC must exist with proper configuration
- for Solace cluster access
+ for Solace cluster access.
+ IGNORED if 'VPC access only' AND 'use private subnets' both true but even in this case must provide at least one item
Type: List
VPCID:
Description: ID of the VPC (e.g. vpc-0343606e)
Type: AWS::EC2::VPC::Id
+ VPCCIDR:
+ AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$
+ ConstraintDescription: Private VPC CIDR block parameter must be in the form x.x.x.x/x
+ Description: The CIDR block configured for the VPC
+ Default: '0.0.0.0/0'
+ Type: String
QSS3BucketName:
AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$
ConstraintDescription: Quick Start bucket name can include numbers, lowercase
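Review bot: VPCCIDR defaults to `'0.0.0.0/0'`, and because the port 5550 ingress rule in the @@ -464 hunk now reads `CidrIp: !Ref 'VPCCIDR'`, anyone launching solace.template directly (rather than through solace-master, which passes the VPC stack's CIDR) keeps that port open to every source with nothing in the parameter hinting at it. Either remove the `Default: '0.0.0.0/0'` line so the value must be supplied, or say so in the text, e.g. `Description: The CIDR block configured for the VPC; the default 0.0.0.0/0 leaves the port 5550 rule open to all sources`. The ConstraintDescription calls it a "Private VPC CIDR block" while the Description says "configured for the VPC"; use one phrasing.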
@@ -262,6 +282,9 @@ Conditions:
UsePrivateSubnetsCondition: !Equals
- !Ref 'UsePrivateSubnets'
- 'true'
+ VPCAccessOnlyCondition: !Equals
+ - !Ref 'VPCAccessOnly'
+ - 'true'
UsingDefaultBucket: !Equals [!Ref QSS3BucketName, 'aws-quickstart']
Resources:
EventBrokerPrimaryStack:
@@ -295,6 +318,7 @@ Resources:
QSS3BucketName: !Ref 'QSS3BucketName'
QSS3BucketRegion: !Ref 'QSS3BucketRegion'
QSS3KeyPrefix: !Ref 'QSS3KeyPrefix'
+ AssociatePublicIP: !If [VPCAccessOnlyCondition, 'false', 'true']
SubnetID: !Select
- 0
- !If
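Review bot: `AssociatePublicIP: !If [VPCAccessOnlyCondition, 'false', 'true']` disables the public IP whenever VPCAccessOnly is true, although the parameter's description in the @@ -192 hunk says it is only applicable when private subnets are used; with UsePrivateSubnets false and VPCAccessOnly true the brokers land in public subnets with no public IP and no load balancer (the ELB is conditional on UsePrivateSubnetsCondition), while the LoadBalancerDNS output still tells the user to "access EC2s through public addresses". A combined condition makes the template match its documentation: add `VPCInternalOnlyCondition: !And [!Condition VPCAccessOnlyCondition, !Condition UsePrivateSubnetsCondition]` under Conditions and use `AssociatePublicIP: !If [VPCInternalOnlyCondition, 'false', 'true']` here and in the identical lines of the @@ -332 and @@ -365 hunks. The enclosing EventBrokerPrimaryStack resource begins before this hunk.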
@@ -332,6 +356,7 @@ Resources:
QSS3BucketName: !Ref 'QSS3BucketName'
QSS3BucketRegion: !Ref 'QSS3BucketRegion'
QSS3KeyPrefix: !Ref 'QSS3KeyPrefix'
+ AssociatePublicIP: !If [VPCAccessOnlyCondition, 'false', 'true']
SubnetID: !Select
- 1
- !If
@@ -365,6 +390,7 @@ Resources:
QSS3BucketName: !Ref 'QSS3BucketName'
QSS3BucketRegion: !Ref 'QSS3BucketRegion'
QSS3KeyPrefix: !Ref 'QSS3KeyPrefix'
+ AssociatePublicIP: !If [VPCAccessOnlyCondition, 'false', 'true']
SubnetID: !Select
- !If [Use3AZs, 2, 1]
- !If [UsePrivateSubnetsCondition, !Ref PrivateSubnetIDs, !Ref PublicSubnetIDs]
@@ -464,7 +490,7 @@ Resources:
- IpProtocol: tcp
FromPort: 5550
ToPort: 5550
- CidrIp: '0.0.0.0/0'
+ CidrIp: !Ref 'VPCCIDR'
- IpProtocol: tcp
FromPort: 55555
ToPort: 55555
@@ -529,8 +555,8 @@ Resources:
- EventBrokerBackupStack
Condition: UsePrivateSubnetsCondition
Properties:
- Scheme: internet-facing
- Subnets: !Ref 'PublicSubnetIDs'
+ Scheme: !If [VPCAccessOnlyCondition, 'internal', 'internet-facing']
+ Subnets: !If [VPCAccessOnlyCondition, !Ref 'PrivateSubnetIDs', !Ref 'PublicSubnetIDs']
Type: network
Port55555NetworkLoadBalancerTargetGroup:
Type: AWS::ElasticLoadBalancingV2::TargetGroup
@@ -837,6 +863,6 @@ Outputs:
Name: !Sub '${AWS::StackName}-BrokerMemberNodesSecurityGroup'
LoadBalancerDNS:
Value: !If [UsePrivateSubnetsCondition, !GetAtt ELB.DNSName, 'No LB available, access EC2s through public addresses']
- Description: The DNS name for the load balancer for external access
+ Description: The DNS name for the load balancer to access broker services
Export:
Name: !Sub '${AWS::StackName}-LoadBalancerDNS'