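# Date-like scalars are quoted so generic YAML 1.1 loaders (PyYAML-based
# tooling) keep them as strings instead of retyping them to dates.
AWSTemplateFormatVersion: "2010-09-09"
Description: This AWS CloudFormation template deploys a bastion host enrolled with Okta Advanced Server Access (qs-1rm280cl1)
Metadata:
  LICENSE: Apache License, Version 2.0
  QuickStartDocumentation:
    EntrypointName: Parameters for deploying Okta ASA into an existing VPC
    Order: "2"
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Network configuration
        Parameters:
          - VPCID
          - PublicSubnet1ID
          - PublicSubnet2ID
          - RemoteAccessCIDR
      - Label:
          default: Amazon EC2 configuration
        Parameters:
          - KeyPairName
          - EC2AMIOS
          - EC2InstanceType
          - RootVolumeSize
      - Label:
          default: Linux bastion configuration
        Parameters:
          - NumEC2Hosts
          - BastionHostName
          - EC2Tenancy
          - EnableBanner
          - EC2Banner
          - EnableTCPForwarding
          - EnableX11Forwarding
      - Label:
          default: Alternative configurations
        Parameters:
          - AlternativeInitializationScript
          - OSImageOverride
          - AlternativeIAMRole
          - EnvironmentVariables
      - Label:
          default: AWS Quick Start configuration
        Parameters:
          - QSS3BucketName
          - QSS3KeyPrefix
          - QSS3BucketRegion
      - Label:
          default: Okta Advanced Server Access parameters
        Parameters:
          - EnrollmentToken
    ParameterLabels:
      AlternativeIAMRole:
        default: Alternative IAM role
      AlternativeInitializationScript:
        default: Alternative initialization script
      EC2AMIOS:
        default: Bastion AMI operating system
      BastionHostName:
        default: Bastion host name
      EC2Tenancy:
        default: Bastion tenancy
      EC2Banner:
        default: Banner text
      QSS3BucketRegion:
        default: Quick Start S3 bucket Region
      EC2InstanceType:
        default: Bastion instance type
      EnableBanner:
        default: Bastion banner
      EnableTCPForwarding:
        default: TCP forwarding
      EnableX11Forwarding:
        default: X11 forwarding
      EnvironmentVariables:
        default: Environment variables
      KeyPairName:
        default: Key pair name
      NumEC2Hosts:
        default: Number of bastion hosts
      OSImageOverride:
        default: Operating-system image override
      PublicSubnet1ID:
        default: Public subnet 1 ID
      PublicSubnet2ID:
        default: Public subnet 2 ID
      QSS3BucketName:
        default: Quick Start S3 bucket name
      QSS3KeyPrefix:
        default: Quick Start S3 key prefix
      RemoteAccessCIDR:
        default: Allowed bastion external access CIDR
      VPCID:
        default: VPC ID
      RootVolumeSize:
        default: Root volume size
      EnrollmentToken:
        default: Okta Advanced Server Access enrollment token
  cfn-lint:
    config:
      ignore_checks:
        - E9007
Parameters:
  EC2AMIOS:
    AllowedValues:
      - Ubuntu-Server-20.04-LTS-HVM
      - CentOS-7-HVM
      - SUSE-SLES-15-HVM
      - Amazon-Linux2-HVM
    Default: Amazon-Linux2-HVM
    Description: Linux distribution for the AMI to be used for the bastion instances.
    Type: String
  BastionHostName:
    Default: LinuxBastion
    Description: Value used for the name tag of the bastion host.
    Type: String
  EC2Banner:
    Default: ""
    Description: Banner text to display upon login.
    Type: String
  EC2Tenancy:
    Description: VPC tenancy to launch the bastion in. To change from "default," choose "dedicated."
    Type: String
    Default: default
    AllowedValues:
      - dedicated
      - default
  EC2InstanceType:
    AllowedValues:
      - t2.nano
      - t2.micro
      - t2.small
      - t2.medium
      - t2.large
      - t3.micro
      - t3.small
      - t3.medium
      - t3.large
      - t3.xlarge
      - t3.2xlarge
      - m4.large
      - m4.xlarge
      - m4.2xlarge
      - m4.4xlarge
    Default: t2.micro
    Description: Amazon EC2 instance type for the bastion instances.
    Type: String
  EnableBanner:
    AllowedValues:
      - "true"
      - "false"
    Default: "false"
    Description: To display a banner when connecting to the bastion using SSH, choose "true."
    Type: String
  # TCP forwarding is on by default; the bastion can then relay arbitrary
  # TCP connections from RemoteAccessCIDR into private subnets.
  EnableTCPForwarding:
    Type: String
    Description:
      With TCP forwarding on a Linux bastion host, you can set up direct connections from outside of the VPC to services running in private subnets by routing the traffic through the bastion
      host. To disable TCP forwarding, choose "false."
    Default: "true"
    AllowedValues:
      - "true"
      - "false"
  EnableX11Forwarding:
    Type: String
    Description:
      With X11 forwarding on a Linux bastion host, you can establish management connections to Linux instances using GUIs (as opposed to text-based SSH connections). To disable X11 forwarding,
      choose "false."
    Default: "true"
    AllowedValues:
      - "true"
      - "false"
  KeyPairName:
    Description: Name of an existing public/private key pair. You use this name to securely connect to your instance after it launches. If you do not have one in this AWS Region, create one before continuing.
    Type: AWS::EC2::KeyPair::KeyName
  NumEC2Hosts:
    AllowedValues:
      - "1"
      - "2"
      - "3"
      - "4"
    Default: "1"
    Description: Number of bastion hosts to create. The maximum number is four.
    Type: String
  PublicSubnet1ID:
    Description: ID of the public subnet 1 that you want to provision the first bastion into (e.g., subnet-a0246dcd).
    Type: AWS::EC2::Subnet::Id
  PublicSubnet2ID:
    Description: ID of the public subnet 2 that you want to provision the second bastion into (e.g., subnet-e3246d8e).
    Type: AWS::EC2::Subnet::Id
  QSS3BucketName:
    AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$
    ConstraintDescription: The Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).
    Default: aws-ia
    Description:
      Name of the S3 bucket for your copy of the Quick Start assets. Keep the default name unless you are customizing the template. Changing the name updates code references to point to a new
      Quick Start location. This name can include numbers, lowercase letters, uppercase letters, and hyphens, but do not start or end with a hyphen (-). See https://aws-quickstart.github.io/option1.html.
    Type: String
  QSS3BucketRegion:
    Default: us-east-1
    Description:
      AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. Keep the default Region unless you are customizing the template. Changing this Region updates code references to point
      to a new Quick Start location. When using your own bucket, specify the Region. See https://aws-quickstart.github.io/option1.html.
    Type: String
  QSS3KeyPrefix:
    AllowedPattern: ^([0-9a-zA-Z-.]+/)*$
    ConstraintDescription: The Quick Start S3 key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slashes (/). The prefix should end with a forward slash (/).
    Default: cfn-ps-okta-asa/
    Description:
      S3 key prefix that is used to simulate a directory for your copy of the Quick Start assets. Keep the default prefix unless you are customizing the template. Changing this prefix updates
      code references to point to a new Quick Start location. This prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slashes (/). End with a forward slash. See https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMetadata.html
      and https://aws-quickstart.github.io/option1.html.
    Type: String
  # The pattern accepts any valid IPv4 CIDR, including 0.0.0.0/0; there is
  # no template-level guard against opening SSH to the whole Internet.
  RemoteAccessCIDR:
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/x
    Description: Allowed CIDR block for external SSH access to the bastions.
    Type: String
  VPCID:
    Description: ID of the VPC (e.g., vpc-0343606e).
    Type: AWS::EC2::VPC::Id
  # When set, this URL replaces the Quick Start bootstrap script and is
  # executed as root on the bastion (see /tmp/bastion_bootstrap.sh below).
  AlternativeInitializationScript:
    AllowedPattern: ^http.*|^$
    ConstraintDescription: URL must begin with http
    Description: Alternative initialization script to run during setup.
    Default: ""
    Type: String
  OSImageOverride:
    Description: Region-specific image to use for the instance.
    Type: String
    Default: ""
  AlternativeIAMRole:
    Description: Existing IAM role name to attach to the bastion. If kept blank, a new role will be created.
    Default: ""
    Type: String
  EnvironmentVariables:
    Description: Comma-separated list of environment variables for use in bootstrapping. Variables must be in the format KEY=VALUE. VALUE cannot contain commas.
    Type: String
    Default: ""
  RootVolumeSize:
    Description: Size in GB for the root EBS volume.
    Type: Number
    Default: "10"
  # The enrollment token is a credential. NoEcho masks it in the console,
  # DescribeStacks output, change sets and stack events.
  EnrollmentToken:
    Type: String
    NoEcho: true
    Description: Okta Advanced Server Access enrollment token.
    MinLength: 24
    ConstraintDescription: Must contain a valid ASA enrollment token.
Rules:
  SubnetsInVPC:
    Assertions:
      - Assert:
          Fn::EachMemberIn:
            - Fn::ValueOfAll:
                - AWS::EC2::Subnet::Id
                - VpcId
            - Fn::RefAll: AWS::EC2::VPC::Id
        AssertDescription: All subnets must exist in the VPC.
Mappings:
  # Not every Region lists every OS code (e.g. af-south-1 has no SLES15HVM,
  # us-gov-* and cn-* have no US2004HVM). Selecting such a combination fails
  # at deploy time in Fn::FindInMap unless OSImageOverride is set.
  AWSAMIRegionMap:
    af-south-1:
      AMZNLINUX2: ami-0bb140f2ff1df29fc
      US2004HVM: ami-012b8921f84acdd04
      CENTOS7HVM: ami-0a2be7731769e6cc1
    ap-northeast-1:
      AMZNLINUX2: ami-00f045aed21a55240
      US2004HVM: ami-0f2322bff98877761
      CENTOS7HVM: ami-06a46da680048c8ae
      SLES15HVM: ami-056ac8ad44e6a7e1f
    ap-northeast-2:
      AMZNLINUX2: ami-03461b78fdba0ff9d
      US2004HVM: ami-0cd95d39e3d87eb40
      CENTOS7HVM: ami-06e83aceba2cb0907
      SLES15HVM: ami-0f81fff879bafe6b8
    ap-south-1:
      AMZNLINUX2: ami-08f63db601b82ff5f
      US2004HVM: ami-07ab71173dc8c331e
      CENTOS7HVM: ami-026f33d38b6410e30
      SLES15HVM: ami-01be89269d32f2a16
    ap-southeast-1:
      AMZNLINUX2: ami-0d728fd4e52be968f
      US2004HVM: ami-086d2d413b385037d
      CENTOS7HVM: ami-07f65177cb990d65b
      SLES15HVM: ami-070356c21596ddc67
    ap-southeast-2:
      AMZNLINUX2: ami-09f765d333a8ebb4b
      US2004HVM: ami-061c4c77197bf567a
      CENTOS7HVM: ami-0b2045146eb00b617
      SLES15HVM: ami-0c4245381c67efb39
    ca-central-1:
      AMZNLINUX2: ami-0fca0f98dc87d39df
      US2004HVM: ami-0d4ae853aceec6074
      CENTOS7HVM: ami-04a25c39dc7a8aebb
      SLES15HVM: ami-0c97d9b588207dad6
    eu-central-1:
      AMZNLINUX2: ami-0bd39c806c2335b95
      US2004HVM: ami-0be656e75e69af1a9
      CENTOS7HVM: ami-0e8286b71b81c3cc1
      SLES15HVM: ami-05dfd265ea534a3e9
    me-south-1:
      AMZNLINUX2: ami-0b38d62acce7fb76a
      US2004HVM: ami-0147ed463d9315c94
      CENTOS7HVM: ami-011c71a894b10f35b
      SLES15HVM: ami-0252c6d3a59c7473b
    ap-east-1:
      AMZNLINUX2: ami-7284c903
      US2004HVM: ami-34cf8245
      CENTOS7HVM: ami-0e5c29e6c87a9644f
      SLES15HVM: ami-0ad6e15bcbb2dbe38
    eu-north-1:
      AMZNLINUX2: ami-02511cb3673b49e04
      US2004HVM: ami-0faf140cd5302841b
      CENTOS7HVM: ami-05788af9005ef9a93
      SLES15HVM: ami-0741fa1a008af40ad
    eu-south-1:
      AMZNLINUX2: ami-08a2aed6e0a6f9c7d
      US2004HVM: ami-01eec6bdfa20f008e
      CENTOS7HVM: ami-0a84267606bcea16b
      SLES15HVM: ami-051cbea0e7660063d
    eu-west-1:
      AMZNLINUX2: ami-0ce1e3f77cd41957e
      US2004HVM: ami-055958ae2f796344b
      CENTOS7HVM: ami-0b850cf02cc00fdc8
      SLES15HVM: ami-0a58a1b152ba55f1d
    eu-west-2:
      AMZNLINUX2: ami-08b993f76f42c3e2f
      US2004HVM: ami-09c4a4b013e66b291
      CENTOS7HVM: ami-09e5afc68eed60ef4
      SLES15HVM: ami-01497522185aaa4ee
    eu-west-3:
      AMZNLINUX2: ami-0e9c91a3fc56a0376
      US2004HVM: ami-0b14b90c53fdbb103
      CENTOS7HVM: ami-0cb72d2e599cffbf9
      SLES15HVM: ami-0f238bd4c6fdbefb0
    sa-east-1:
      AMZNLINUX2: ami-0096398577720a4a3
      US2004HVM: ami-0f1aecac8376e25fe
      CENTOS7HVM: ami-0b30f38d939dd4b54
      SLES15HVM: ami-0772af912976aa692
    us-east-1:
      AMZNLINUX2: ami-04d29b6f966df1537
      US2004HVM: ami-0be3f0371736d5394
      CENTOS7HVM: ami-0affd4508a5d2481b
      SLES15HVM: ami-0b1764f3d7d2e2316
    us-gov-west-1:
      AMZNLINUX2: ami-cb2a11aa
      SLES15HVM: ami-57c0ba36
    us-gov-east-1:
      AMZNLINUX2: ami-c2e209b3
      SLES15HVM: ami-05e4bedfad53425e9
    us-east-2:
      AMZNLINUX2: ami-09558250a3419e7d0
      US2004HVM: ami-0b289b3e97908e84e
      CENTOS7HVM: ami-01e36b7901e884a10
      SLES15HVM: ami-05ea824317ffc0c20
    us-west-1:
      AMZNLINUX2: ami-08d9a394ac1c2994c
      US2004HVM: ami-05ddb1bcba9ace858
      CENTOS7HVM: ami-098f55b4287a885ba
      SLES15HVM: ami-00e34a7624e5a7107
    us-west-2:
      AMZNLINUX2: ami-0e472933a1395e172
      US2004HVM: ami-0c007ac192ba0744b
      CENTOS7HVM: ami-0bc06212a56393ee1
      SLES15HVM: ami-0f1e3b3fb0fec0361
    cn-north-1:
      AMZNLINUX2: ami-0cf913cef98c31648
      CENTOS7HVM: ami-08c16f7e830c0e393
      SLES15HVM: ami-021392849b6221a81
    cn-northwest-1:
      AMZNLINUX2: ami-0a12cb9cd7fea53e7
      CENTOS7HVM: ami-0f21aa96a61df8c44
      SLES15HVM: ami-00e1de3ee6d0d28ea
  # Maps the EC2AMIOS parameter value to the AWSAMIRegionMap code and the OS
  # family name passed to the bootstrap scripts as BASTION_OS.
  LinuxAMINameMap:
    Amazon-Linux2-HVM:
      Code: AMZNLINUX2
      OS: Amazon
    CentOS-7-HVM:
      Code: CENTOS7HVM
      OS: CentOS
    # Not selectable: absent from EC2AMIOS AllowedValues and US1804HVM has no
    # AWSAMIRegionMap entry. Kept so existing references do not break.
    Ubuntu-Server-18.04-LTS-HVM:
      Code: US1804HVM
      OS: Ubuntu
    Ubuntu-Server-20.04-LTS-HVM:
      Code: US2004HVM
      OS: Ubuntu
    SUSE-SLES-15-HVM:
      Code: SLES15HVM
      OS: SLES
Conditions:
  # N-BastionCondition is true when at least N hosts were requested.
  2BastionCondition:
    Fn::Or:
      - Fn::Equals:
          - Ref: NumEC2Hosts
          - "2"
      - Condition: 3BastionCondition
      - Condition: 4BastionCondition
  3BastionCondition:
    Fn::Or:
      - Fn::Equals:
          - Ref: NumEC2Hosts
          - "3"
      - Condition: 4BastionCondition
  4BastionCondition:
    Fn::Equals:
      - Ref: NumEC2Hosts
      - "4"
  UseAlternativeInitialization:
    Fn::Not:
      - Fn::Equals:
          - Ref: AlternativeInitializationScript
          - ""
  CreateIAMRole:
    Fn::Equals:
      - Ref: AlternativeIAMRole
      - ""
  UseOSImageOverride:
    Fn::Not:
      - Fn::Equals:
          - Ref: OSImageOverride
          - ""
  UsingDefaultBucket:
    Fn::Equals:
      - Ref: QSS3BucketName
      - aws-ia
  DefaultBanner:
    Fn::Equals:
      - Ref: EC2Banner
      - ""
Resources:
  # Receives the SSH command log shipped from the bastion.
  # NOTE(review): no RetentionInDays is set, so these logs are kept
  # indefinitely; confirm that matches the intended retention policy.
  BastionMainLogGroup:
    Type: AWS::Logs::LogGroup
  # Counts SSH command log events for a per-stack CloudWatch metric.
  SSHMetricFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName:
        Ref: BastionMainLogGroup
      FilterPattern: ON FROM USER PWD
      MetricTransformations:
        - MetricName: SSHCommandCount
          MetricValue: "1"
          MetricNamespace:
            Fn::Sub: AWSQuickStart/${AWS::StackName}
  # Created only when AlternativeIAMRole is blank (CreateIAMRole).
  BastionHostRole:
    Condition: CreateIAMRole
    Type: AWS::IAM::Role
    Properties:
      Path: /
      AssumeRolePolicyDocument:
        Statement:
          - Action:
              - sts:AssumeRole
            Principal:
              Service:
                - Fn::Sub: ec2.${AWS::URLSuffix}
            Effect: Allow
        Version: "2012-10-17"
      ManagedPolicyArns:
        - Fn::Sub: arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore
        - Fn::Sub: arn:${AWS::Partition}:iam::aws:policy/CloudWatchAgentServerPolicy
  # Inline policy attached to whichever role the bastion runs under
  # (the created one or AlternativeIAMRole).
  BastionHostPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: BastionPolicy
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Read-only access to the Quick Start assets under QSS3KeyPrefix.
          - Action:
              - s3:GetObject
            Resource:
              Fn::Sub:
                - arn:${AWS::Partition}:s3:::${S3Bucket}/${QSS3KeyPrefix}*
                - S3Bucket:
                    Fn::If:
                      - UsingDefaultBucket
                      - Fn::Sub: ${QSS3BucketName}-${AWS::Region}
                      - Ref: QSS3BucketName
            Effect: Allow
          # Scoped to the stack's own log group.
          - Action:
              - logs:CreateLogStream
              - logs:GetLogEvents
              - logs:PutLogEvents
              - logs:DescribeLogGroups
              - logs:DescribeLogStreams
              - logs:PutRetentionPolicy
              - logs:PutMetricFilter
              - logs:CreateLogGroup
            Resource:
              Fn::Sub: arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:${BastionMainLogGroup}:*
            Effect: Allow
          # Wildcard resource: the bootstrap attaches one of the stack's EIPs
          # to itself, and ec2:AssociateAddress/DescribeAddresses cannot be
          # narrowed to the EIPs alone here (see cfn-lint ignore below).
          - Action:
              - ec2:AssociateAddress
              - ec2:DescribeAddresses
            Resource: "*"
            Effect: Allow
      Roles:
        - Fn::If:
            - CreateIAMRole
            - Ref: BastionHostRole
            - Ref: AlternativeIAMRole
    Metadata:
      cfn-lint:
        config:
          ignore_checks:
            - EIAMPolicyWildcardResource
          ignore_reasons:
            - EIAMPolicyWildcardResource: Intent assumed for initial migration.
  BastionHostProfile:
    DependsOn: BastionHostPolicy
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - Fn::If:
            - CreateIAMRole
            - Ref: BastionHostRole
            - Ref: AlternativeIAMRole
      Path: /
  # One Elastic IP per requested bastion host; EIP2-4 are conditional.
  EIP1:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc
  EIP2:
    Type: AWS::EC2::EIP
    Condition: 2BastionCondition
    Properties:
      Domain: vpc
  EIP3:
    Type: AWS::EC2::EIP
    Condition: 3BastionCondition
    Properties:
      Domain: vpc
  EIP4:
    Type: AWS::EC2::EIP
    Condition: 4BastionCondition
    Properties:
      Domain: vpc
  # Min = Max = Desired = NumEC2Hosts, so the group replaces failed hosts
  # but never scales. Stack creation waits for every instance to signal.
  BastionAutoScalingGroup:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      LaunchConfigurationName:
        Ref: BastionLaunchConfiguration
      VPCZoneIdentifier:
        - Ref: PublicSubnet1ID
        - Ref: PublicSubnet2ID
      MinSize:
        Ref: NumEC2Hosts
      MaxSize:
        Ref: NumEC2Hosts
      Cooldown: "900"
      DesiredCapacity:
        Ref: NumEC2Hosts
      Tags:
        - Key: Name
          Value:
            Ref: BastionHostName
          PropagateAtLaunch: true
    CreationPolicy:
      ResourceSignal:
        Count:
          Ref: NumEC2Hosts
        Timeout: PT60M
      AutoScalingCreationPolicy:
        MinSuccessfulInstancesPercent: 100
    UpdatePolicy:
      AutoScalingReplacingUpdate:
        WillReplace: true
  BastionLaunchConfiguration:
    Type: AWS::AutoScaling::LaunchConfiguration
    Metadata:
      # cfn-init fetches the scripts below from the Quick Start bucket using
      # the instance role (S3AccessCreds); they run as root.
      AWS::CloudFormation::Authentication:
        S3AccessCreds:
          type: S3
          roleName:
            Fn::If:
              - CreateIAMRole
              - Ref: BastionHostRole
              - Ref: AlternativeIAMRole
          buckets:
            - Fn::If:
                - UsingDefaultBucket
                - Fn::Sub: ${QSS3BucketName}-${AWS::Region}
                - Ref: QSS3BucketName
      AWS::CloudFormation::Init:
        config:
          files:
            /tmp/install_asa_bastion.sh:
              source:
                Fn::Sub:
                  - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}scripts/install_asa_bastion.sh
                  - S3Region:
                      Fn::If:
                        - UsingDefaultBucket
                        - Ref: AWS::Region
                        - Ref: QSS3BucketRegion
                    S3Bucket:
                      Fn::If:
                        - UsingDefaultBucket
                        - Fn::Sub: ${QSS3BucketName}-${AWS::Region}
                        - Ref: QSS3BucketName
              mode: "000550"
              owner: root
              group: root
              authentication: S3AccessCreds
            # auditd rules: record every execve (64- and 32-bit syscall ABIs).
            /tmp/auditd.rules:
              mode: "000550"
              owner: root
              group: root
              content: "-a exit,always -F arch=b64 -S execve\n-a exit,always -F arch=b32 -S execve\n"
            /tmp/auditing_configure.sh:
              source:
                Fn::Sub:
                  - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}scripts/auditing_configure.sh
                  - S3Region:
                      Fn::If:
                        - UsingDefaultBucket
                        - Ref: AWS::Region
                        - Ref: QSS3BucketRegion
                    S3Bucket:
                      Fn::If:
                        - UsingDefaultBucket
                        - Fn::Sub: ${QSS3BucketName}-${AWS::Region}
                        - Ref: QSS3BucketName
              mode: "000550"
              owner: root
              group: root
              authentication: S3AccessCreds
            # Replaced wholesale by AlternativeInitializationScript when set;
            # that URL is only pattern-checked to start with "http".
            /tmp/bastion_bootstrap.sh:
              source:
                Fn::If:
                  - UseAlternativeInitialization
                  - Ref: AlternativeInitializationScript
                  - Fn::Sub:
                      - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}scripts/bastion_bootstrap.sh
                      - S3Region:
                          Fn::If:
                            - UsingDefaultBucket
                            - Ref: AWS::Region
                            - Ref: QSS3BucketRegion
                        S3Bucket:
                          Fn::If:
                            - UsingDefaultBucket
                            - Fn::Sub: ${QSS3BucketName}-${AWS::Region}
                            - Ref: QSS3BucketName
              mode: "000550"
              owner: root
              group: root
              authentication: S3AccessCreds
          # Commands run in key order: auditd rules, bastion bootstrap, ASA enrollment.
          commands:
            a-add_auditd_rules:
              cwd: /tmp/
              env:
                BASTION_OS:
                  Fn::FindInMap:
                    - LinuxAMINameMap
                    - Ref: EC2AMIOS
                    - OS
              command: ./auditing_configure.sh
            b-bootstrap:
              cwd: /tmp/
              env:
                REGION:
                  Fn::Sub: ${AWS::Region}
                URL_SUFFIX:
                  Fn::Sub: ${AWS::URLSuffix}
                BANNER_REGION:
                  Fn::If:
                    - UsingDefaultBucket
                    - Ref: AWS::Region
                    - Ref: QSS3BucketRegion
              command:
                Fn::Sub:
                  - ./bastion_bootstrap.sh --banner ${BannerUrl} --enable ${EnableBanner} --tcp-forwarding ${EnableTCPForwarding} --x11-forwarding ${EnableX11Forwarding}
                  - BannerUrl:
                      Fn::If:
                        - DefaultBanner
                        - Fn::Sub:
                            - s3://${S3Bucket}/${QSS3KeyPrefix}scripts/banner_message.txt
                            - S3Bucket:
                                Fn::If:
                                  - UsingDefaultBucket
                                  - Fn::Sub: ${QSS3BucketName}-${AWS::Region}
                                  - Ref: QSS3BucketName
                        - Ref: EC2Banner
            # NOTE(review): the enrollment token reaches the installer via the
            # process environment rather than argv; confirm install_asa_bastion.sh
            # does not echo it into cfn-init-cmd.log.
            c-install_asa:
              cwd: /tmp/
              env:
                BASTION_OS:
                  Fn::FindInMap:
                    - LinuxAMINameMap
                    - Ref: EC2AMIOS
                    - OS
                ENROLLMENT_TOKEN:
                  Ref: EnrollmentToken
                BASTION_HOSTNAME:
                  Ref: BastionHostName
              command: ./install_asa_bastion.sh
    Properties:
      AssociatePublicIpAddress: true
      PlacementTenancy:
        Ref: EC2Tenancy
      KeyName:
        Ref: KeyPairName
      IamInstanceProfile:
        Ref: BastionHostProfile
      ImageId:
        Fn::If:
          - UseOSImageOverride
          - Ref: OSImageOverride
          - Fn::FindInMap:
              - AWSAMIRegionMap
              - Ref: AWS::Region
              - Fn::FindInMap:
                  - LinuxAMINameMap
                  - Ref: EC2AMIOS
                  - Code
      SecurityGroups:
        - Ref: BastionSecurityGroup
      InstanceType:
        Ref: EC2InstanceType
      BlockDeviceMappings:
        - DeviceName: /dev/xvda
          Ebs:
            VolumeSize:
              Ref: RootVolumeSize
            VolumeType: gp2
            Encrypted: true
            DeleteOnTermination: true
      # NOTE(review): the user-data clones quickstart-linux-utilities from its
      # default branch (unpinned) and sources it; pinning a tag or commit
      # would make the bootstrap reproducible. Unrequested EIP slots are
      # substituted with the literal string "Null" so EIP_LIST always has
      # four fields.
      UserData:
        Fn::Base64:
          Fn::Sub:
            - "#!/bin/bash\nset -x\nfor e in $(echo \"${EnvironmentVariables}\" | tr ',' ' '); do\n export $e\ndone\nexport PATH=$PATH:/usr/local/bin\n#cfn signaling functions\nyum install git -y || apt-get\
              \ install -y git || zypper -n install git\n\nfunction cfn_fail\n{\n cfn-signal -e 1 --stack ${AWS::StackName} --region ${AWS::Region} --resource BastionAutoScalingGroup\n exit 1\n}\n\nfunction\
              \ cfn_success\n{\n cfn-signal -e 0 --stack ${AWS::StackName} --region ${AWS::Region} --resource BastionAutoScalingGroup\n exit 0\n}\n\nuntil git clone https://github.com/aws-quickstart/quickstart-linux-utilities.git\
              \ ; do echo \"Retrying\"; done\ncd /quickstart-linux-utilities;\nsource quickstart-cfn-tools.source;\nqs_update-os || qs_err;\nqs_bootstrap_pip || qs_err \" pip bootstrap failed \";\nqs_aws-cfn-bootstrap\
              \ || qs_err \" cfn bootstrap failed \";\n\nEIP_LIST=\"${EIP1},${EIP2},${EIP3},${EIP4}\"\nCLOUDWATCHGROUP=${BastionMainLogGroup}\ncfn-init -v --stack '${AWS::StackName}' --resource BastionLaunchConfiguration\
              \ --region ${AWS::Region} || cfn_fail\n[ $(qs_status) == 0 ] && cfn_success || cfn_fail\n"
            - EIP2:
                Fn::If:
                  - 2BastionCondition
                  - Ref: EIP2
                  - "Null"
              EIP3:
                Fn::If:
                  - 3BastionCondition
                  - Ref: EIP3
                  - "Null"
              EIP4:
                Fn::If:
                  - 4BastionCondition
                  - Ref: EIP4
                  - "Null"
  # Inbound SSH and ICMP only from RemoteAccessCIDR. No SecurityGroupEgress
  # is declared, so the CloudFormation default (allow all outbound) applies.
  BastionSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Enables SSH Access to Bastion Hosts
      VpcId:
        Ref: VPCID
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp:
            Ref: RemoteAccessCIDR
        - IpProtocol: icmp
          FromPort: -1
          ToPort: -1
          CidrIp:
            Ref: RemoteAccessCIDR
Outputs:
  BastionAutoScalingGroup:
    Description: Auto Scaling Group Reference ID
    Value:
      Ref: BastionAutoScalingGroup
    Export:
      Name:
        Fn::Sub: ${AWS::StackName}-BastionAutoScalingGroup
  EIP1:
    Description: Elastic IP 1 for Bastion
    Value:
      Ref: EIP1
    Export:
      Name:
        Fn::Sub: ${AWS::StackName}-EIP1
  EIP2:
    Condition: 2BastionCondition
    Description: Elastic IP 2 for Bastion
    Value:
      Ref: EIP2
    Export:
      Name:
        Fn::Sub: ${AWS::StackName}-EIP2
  EIP3:
    Condition: 3BastionCondition
    Description: Elastic IP 3 for Bastion
    Value:
      Ref: EIP3
    Export:
      Name:
        Fn::Sub: ${AWS::StackName}-EIP3
  EIP4:
    Condition: 4BastionCondition
    Description: Elastic IP 4 for Bastion
    Value:
      Ref: EIP4
    Export:
      Name:
        Fn::Sub: ${AWS::StackName}-EIP4
  CloudWatchLogs:
    Description: CloudWatch Logs GroupName. Your SSH logs will be stored here.
    Value:
      Ref: BastionMainLogGroup
    Export:
      Name:
        Fn::Sub: ${AWS::StackName}-CloudWatchLogs
  BastionSecurityGroupID:
    Description: Bastion Security Group ID
    Value:
      Ref: BastionSecurityGroup
    Export:
      Name:
        Fn::Sub: ${AWS::StackName}-BastionSecurityGroupID
  BastionHostRole:
    Description: Bastion IAM role name
    Value:
      Fn::If:
        - CreateIAMRole
        - Ref: BastionHostRole
        - Ref: AlternativeIAMRole
    Export:
      Name:
        Fn::Sub: ${AWS::StackName}-BastionHostRole
  Postdeployment:
    Description: To test your deployment, see the procedure in the deployment guide.
    Value: https://fwd.aws/3EYzN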