{
 "Description": "(SO8025-proxy) - Centralized Logging with OpenSearch nginx-for-opensearch-stack Template. Template version v2.4.10",
 "Metadata": {
  "AWS::CloudFormation::Interface": {
   "ParameterGroups": [
    {
     "Label": {
      "default": "EC2 Information"
     },
     "Parameters": [
      "vpcId",
      "publicSubnetIds",
      "privateSubnetIds",
      "keyName",
      "nginxSecurityGroupId",
      "proxyInstanceType",
      "proxyInstanceNumber"
     ]
    },
    {
     "Label": {
      "default": "OpenSearch Information"
     },
     "Parameters": [
      "endpoint",
      "engineType",
      "cognitoEndpoint"
     ]
    },
    {
     "Label": {
      "default": "ELB Information"
     },
     "Parameters": [
      "elbSecurityGroupId",
      "elbDomain",
      "elbDomainCertificateArn",
      "elbAccessLogBucketName"
     ]
    }
   ],
   "ParameterLabels": {
    "vpcId": {
     "default": "VPCId"
    },
    "publicSubnetIds": {
     "default": "PublicSubnetIds"
    },
    "privateSubnetIds": {
     "default": "PrivateSubnetIds"
    },
    "nginxSecurityGroupId": {
     "default": "NginxSecurityGroupId"
    },
    "elbSecurityGroupId": {
     "default": "ELBSecurityGroupId"
    },
    "keyName": {
     "default": "KeyName"
    },
    "endpoint": {
     "default": "Endpoint"
    },
    "cognitoEndpoint": {
     "default": "CognitoEndpoint"
    },
    "elbDomainCertificateArn": {
     "default": "ELBDomainCertificateArn"
    },
    "elbDomain": {
     "default": "ELBDomain"
    },
    "elbAccessLogBucketName": {
     "default": "ELBAccessLogBucketName"
    },
    "engineType": {
     "default": "EngineType"
    },
    "proxyInstanceType": {
     "default": "ProxyInstanceType"
    },
    "proxyInstanceNumber": {
     "default": "ProxyInstanceNumber"
    }
   }
  },
  "cdk_nag": {
   "rules_to_suppress": [
    {
     "reason": "The 0.0.0.0/0 or ::/0 source for inbound access will be replaced in the future",
     "id": "AwsSolutions-EC23"
    }
   ]
  }
 },
 "Parameters": {
  "vpcId": {
   "Type": "AWS::EC2::VPC::Id",
   "Default": "",
   "Description": "The VPC to deploy the Nginx proxy resource. e.g. vpc-bef13dc7"
  },
  "publicSubnetIds": {
   "Type": "List<AWS::EC2::Subnet::Id>",
   "Default": "",
   "Description": "The public subnets where the ELB is deployed. Please select at least two public subnets. e.g. subnet-12345abc, subnet-54321cba"
  },
  "privateSubnetIds": {
   "Type": "List<AWS::EC2::Subnet::Id>",
   "Default": "",
   "Description": "The private subnets where Nginx instances are deployed. Please select at least two private subnets. e.g. subnet-12345abc, subnet-54321cba"
  },
  "nginxSecurityGroupId": {
   "Type": "AWS::EC2::SecurityGroup::Id",
   "Default": "",
   "Description": "The security group associated with the Nginx instances. The security group must allow access from the ELB security group"
  },
  "elbSecurityGroupId": {
   "Type": "AWS::EC2::SecurityGroup::Id",
   "Default": "",
   "Description": "The security group associated with the ELB. This template adds an inbound rule to it that allows TCP 443 from 0.0.0.0/0. e.g. sg-123456"
  },
  "keyName": {
   "Type": "AWS::EC2::KeyPair::KeyName",
   "Default": "",
   "Description": "The name of the EC2 key pair (PEM) for the Nginx instances"
  },
  "endpoint": {
   "Type": "String",
   "Default": "",
   "Description": "The OpenSearch endpoint, as a host name without https:// or a path. e.g. vpc-your_opensearch_domain_name-xcvgw6uu2o6zafsiefxubwuohe.us-east-1.es.amazonaws.com"
  },
  "cognitoEndpoint": {
   "Type": "String",
   "Default": "",
   "Description": "The Cognito User Pool endpoint of the OpenSearch domain, as a host name without https://. Leave empty if Cognito is not enabled. e.g. mydomain.auth.us-east-1.amazoncognito.com"
  },
  "elbDomainCertificateArn": {
   "Type": "String",
   "Default": "",
   "Description": "The ARN of the SSL certificate associated with the ELBDomain. The certificate must be created in AWS Certificate Manager (ACM)"
  },
  "elbDomain": {
   "Type": "String",
   "Default": "",
   "Description": "The custom domain name of the ELB. e.g. dashboard.example.com"
  },
  "elbAccessLogBucketName": {
   "Type": "String",
   "Default": "",
   "Description": "The Access Log Bucket Name for Proxy ELB"
  },
  "engineType": {
   "Type": "String",
   "Default": "OpenSearch",
   "AllowedValues": [
    "OpenSearch",
    "Elasticsearch"
   ],
   "Description": "The engine type of the OpenSearch domain. Select OpenSearch or Elasticsearch"
  },
  "proxyInstanceType": {
   "Type": "String",
   "Default": "t3.large",
   "AllowedValues": [
    "t3.nano",
    "t3.micro",
    "t3.small",
    "t3.large"
   ],
   "Description": "OpenSearch proxy instance type. e.g. t3.micro"
  },
  "proxyInstanceNumber": {
   "Type": "Number",
   "Default": 2,
   "Description": "Number of OpenSearch proxy instances. e.g. 1 to 4"
  },
  "SsmParameterValueawsserviceamiamazonlinuxlatestamzn2amihvmx8664gp2C96584B6F00A464EAD1953AFF4B05118Parameter": {
   "Type": "AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>",
   "Default": "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2"
  }
 },
 "Resources": {
  "NginxEC2SecurityGroupfromNginxForOpenSearchLoadBalancerSecurityGroupE634260B443F3EE2921": {
   "Type": "AWS::EC2::SecurityGroupIngress",
   "Properties": {
    "Description": "Load balancer to target",
    "FromPort": 443,
    "GroupId": {
     "Ref": "nginxSecurityGroupId"
    },
    "IpProtocol": "tcp",
    "SourceSecurityGroupId": {
     "Ref": "elbSecurityGroupId"
    },
    "ToPort": 443
   },
   "Metadata": {
    "aws:cdk:path": "NginxForOpenSearch/NginxEC2SecurityGroup/from NginxForOpenSearchLoadBalancerSecurityGroupE634260B:443",
    "guard": {
     "SuppressedRules": [
      "EC2_SECURITY_GROUP_INGRESS_OPEN_TO_WORLD_RULE",
      "SECURITY_GROUP_INGRESS_CIDR_NON_32_RULE"
     ]
    }
   }
  },
  "LoadBalancerSecurityGroupfrom000004430F986CB3": {
   "Type": "AWS::EC2::SecurityGroupIngress",
   "Properties": {
    "CidrIp": "0.0.0.0/0",
    "Description": "Allow from anyone on port 443",
    "FromPort": 443,
    "GroupId": {
     "Ref": "elbSecurityGroupId"
    },
    "IpProtocol": "tcp",
    "ToPort": 443
   },
   "Metadata": {
    "aws:cdk:path": "NginxForOpenSearch/LoadBalancerSecurityGroup/from 0.0.0.0_0:443",
    "guard": {
     "SuppressedRules": [
      "EC2_SECURITY_GROUP_INGRESS_OPEN_TO_WORLD_RULE",
      "SECURITY_GROUP_INGRESS_CIDR_NON_32_RULE"
     ]
    }
   }
  },
  "ec2Role38AB65C0": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ec2.amazonaws.com"
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "ManagedPolicyArns": [
     {
      "Fn::Join": [
       "",
       [
        "arn:",
        {
         "Ref": "AWS::Partition"
        },
        ":iam::aws:policy/AmazonSSMManagedInstanceCore"
       ]
      ]
     }
    ]
   },
   "Metadata": {
    "aws:cdk:path": "NginxForOpenSearch/ec2Role/Resource",
    "cdk_nag": {
     "rules_to_suppress": [
      {
       "reason": "For PVRE compliance",
       "id": "AwsSolutions-IAM4"
      }
     ]
    }
   }
  },
  "ec2RoleDefaultPolicyC400AE24": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": "cloudformation:SignalResource",
       "Effect": "Allow",
       "Resource": {
        "Ref": "AWS::StackId"
       }
      },
      {
       "Action": [
        "cloudformation:DescribeStackResource",
        "cloudformation:SignalResource"
       ],
       "Effect": "Allow",
       "Resource": {
        "Ref": "AWS::StackId"
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "ec2RoleDefaultPolicyC400AE24",
    "Roles": [
     {
      "Ref": "ec2Role38AB65C0"
     }
    ]
   },
   "Metadata": {
    "aws:cdk:path": "NginxForOpenSearch/ec2Role/DefaultPolicy/Resource"
   }
  },
  "NginxProxyEC2LaunchTemplateProfileAF1AB61A": {
   "Type": "AWS::IAM::InstanceProfile",
   "Properties": {
    "Roles": [
     {
      "Ref": "ec2Role38AB65C0"
     }
    ]
   },
   "Metadata": {
    "aws:cdk:path": "NginxForOpenSearch/NginxProxyEC2LaunchTemplate/Profile"
   }
  },
  "NginxProxyEC2LaunchTemplate7EF99E7D": {
   "Type": "AWS::EC2::LaunchTemplate",
   "Properties": {
    "LaunchTemplateData": {
     "BlockDeviceMappings": [
      {
       "DeviceName": "/dev/xvda",
       "Ebs": {
        "DeleteOnTermination": true,
        "Encrypted": true,
        "VolumeSize": 8,
        "VolumeType": "gp2"
       }
      }
     ],
     "IamInstanceProfile": {
      "Arn": {
       "Fn::GetAtt": [
        "NginxProxyEC2LaunchTemplateProfileAF1AB61A",
        "Arn"
       ]
      }
     },
     "ImageId": {
      "Ref": "SsmParameterValueawsserviceamiamazonlinuxlatestamzn2amihvmx8664gp2C96584B6F00A464EAD1953AFF4B05118Parameter"
     },
     "InstanceType": {
      "Ref": "proxyInstanceType"
     },
     "KeyName": {
      "Ref": "keyName"
     },
     "MetadataOptions": {
      "HttpTokens": "required"
     },
     "NetworkInterfaces": [
      {
       "DeviceIndex": 0,
       "AssociatePublicIpAddress": "false",
       "Groups": [
        {
         "Ref": "nginxSecurityGroupId"
        }
       ]
      }
     ],
     "TagSpecifications": [
      {
       "ResourceType": "instance",
       "Tags": [
        {
         "Key": "Name",
         "Value": "NginxForOpenSearch/NginxProxyEC2LaunchTemplate"
        }
       ]
      },
      {
       "ResourceType": "volume",
       "Tags": [
        {
         "Key": "Name",
         "Value": "NginxForOpenSearch/NginxProxyEC2LaunchTemplate"
        }
       ]
      }
     ],
     "UserData": {
      "Fn::Base64": {
       "Fn::Join": [
        "",
        [
         "#!/bin/bash\n# fingerprint: 91eb056fc6397fe0\n(\n  set +e\n  /opt/aws/bin/cfn-init -v --region ",
         {
          "Ref": "AWS::Region"
         },
         " --stack ",
         {
          "Ref": "AWS::StackName"
         },
         " --resource NginxProxyEC2ASG05E5AAD2 -c default\n  /opt/aws/bin/cfn-signal -e $? --region ",
         {
          "Ref": "AWS::Region"
         },
         " --stack ",
         {
          "Ref": "AWS::StackName"
         },
         " --resource NginxProxyEC2ASG05E5AAD2\n  cat /var/log/cfn-init.log >&2\n)\namazon-linux-extras install -y nginx1\nopenssl genrsa -out /etc/nginx/cert.key 2048\nopenssl req -config /etc/nginx/openssl.cnf -new -key /etc/nginx/cert.key -out /etc/nginx/cert.csr\nopenssl x509 -req -days 2048 -in /etc/nginx/cert.csr -signkey /etc/nginx/cert.key -out /etc/nginx/cert.crt\nTOKEN=`curl -X PUT -H \"X-aws-ec2-metadata-token-ttl-seconds: 21600\" \"http://169.254.169.254/latest/api/token\"`\nACCESS_TOKEN=`curl -H \"X-aws-ec2-metadata-token: $TOKEN\" -X PUT -H \"X-aws-ec2-metadata-token-ttl-seconds: 21600\" \"http://169.254.169.254/latest/api/token\"`\nmac_address=`curl -H \"X-aws-ec2-metadata-token: $ACCESS_TOKEN\" -v http://169.254.169.254/latest/meta-data/mac`\ncider_block=`curl -H \"X-aws-ec2-metadata-token: $ACCESS_TOKEN\" -v http://169.254.169.254/latest/meta-data/network/interfaces/macs/$mac_address/vpc-ipv4-cidr-block`\ncider_ip=`echo ${cider_block%/*}`\nfront_three=`echo ${cider_ip%.*}`\nlast_value=`echo ${cider_ip##*.}`\nvalue_add_two=`expr $last_value + 2`\ndns_address=$front_three.$value_add_two\nsed -i 's/$DNS_ADDRESS/'$dns_address'/' /etc/nginx/conf.d/default.conf\nsed -i 's/$ES_endpoint/",
         {
          "Ref": "endpoint"
         },
         "/' /etc/nginx/conf.d/default.conf\nsed -i 's/$cognito_host/",
         {
          "Fn::If": [
           "cognitoNotEnabled",
           {
            "Ref": "endpoint"
           },
           {
            "Ref": "cognitoEndpoint"
           }
          ]
         },
         "/' /etc/nginx/conf.d/default.conf\nsed -i 's/$SERVER_NAME/",
         {
          "Fn::If": [
           "customEndpointProvided",
           {
            "Fn::GetAtt": [
             "LoadBalancerBDB7C56B",
             "DNSName"
            ]
           },
           {
            "Ref": "elbDomain"
           }
          ]
         },
         "/' /etc/nginx/conf.d/default.conf\nsed -i 's/$ENGINE_URL/",
         {
          "Fn::If": [
           "openSearchEngineUsed",
           "_dashboards",
           "_plugin\\/kibana"
          ]
         },
         "/' /etc/nginx/conf.d/default.conf\nsed -i 's/$enable_internal/",
         {
          "Fn::If": [
           "cognitoNotEnabled",
           "internal;",
           ""
          ]
         },
         "/' /etc/nginx/conf.d/default.conf\nsed -i 's#/bin.*#service nginx reload >/dev/null 2>&1#' /etc/logrotate.d/nginx\nchmod a+x /etc/init.d/nginx\nchkconfig --add /etc/init.d/nginx\nchkconfig nginx on\n/etc/init.d/nginx start"
        ]
       ]
      }
     }
    },
    "TagSpecifications": [
     {
      "ResourceType": "launch-template",
      "Tags": [
       {
        "Key": "Name",
        "Value": "NginxForOpenSearch/NginxProxyEC2LaunchTemplate"
       }
      ]
     }
    ]
   },
   "DependsOn": [
    "ec2RoleDefaultPolicyC400AE24",
    "ec2Role38AB65C0"
   ],
   "Metadata": {
    "aws:cdk:path": "NginxForOpenSearch/NginxProxyEC2LaunchTemplate/Resource"
   }
  },
  "NginxProxyEC2ASG05E5AAD2": {
   "Type": "AWS::AutoScaling::AutoScalingGroup",
   "Properties": {
    "DesiredCapacity": {
     "Ref": "proxyInstanceNumber"
    },
    "HealthCheckGracePeriod": 300,
    "HealthCheckType": "ELB",
    "LaunchTemplate": {
     "LaunchTemplateId": {
      "Ref": "NginxProxyEC2LaunchTemplate7EF99E7D"
     },
     "Version": {
      "Fn::GetAtt": [
       "NginxProxyEC2LaunchTemplate7EF99E7D",
       "LatestVersionNumber"
      ]
     }
    },
    "MaxSize": "4",
    "MinSize": "0",
    "TargetGroupARNs": [
     {
      "Ref": "LoadBalancerListenerApplicationFleetGroup1419F3BD"
     }
    ],
    "VPCZoneIdentifier": {
     "Ref": "privateSubnetIds"
    }
   },
   "CreationPolicy": {
    "ResourceSignal": {
     "Count": 0
    }
   },
   "UpdatePolicy": {
    "AutoScalingScheduledAction": {
     "IgnoreUnmodifiedGroupSizeProperties": true
    }
   },
   "Metadata": {
    "aws:cdk:path": "NginxForOpenSearch/NginxProxyEC2/ASG",
    "cdk_nag": {
     "rules_to_suppress": [
      {
       "reason": "Will enable ASG notifications for all scaling events.",
       "id": "AwsSolutions-AS3"
      }
     ]
    },
    "AWS::CloudFormation::Init": {
     "configSets": {
      "default": [
       "config"
      ]
     },
     "config": {
      "files": {
       "/etc/nginx/conf.d/default.conf": {
        "content": "server {\n    listen 443 ssl;\n    server_name $SERVER_NAME;\n    resolver $DNS_ADDRESS [::1]:5353 valid=30s;\n    rewrite ^/$ https://$SERVER_NAME/$ENGINE_URL  redirect;\n    ssl_certificate /etc/nginx/cert.crt;\n    ssl_certificate_key /etc/nginx/cert.key;\n    ssl_session_cache builtin:1000 shared:SSL:10m;\n    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;\n    ssl_prefer_server_ciphers on;\n    set $es_endpoint $ES_endpoint;\n    set $cognito_endpoint $cognito_host;\n    location ^~ /$ENGINE_URL {\n        # Forward requests to Kibana\n        proxy_pass https://$es_endpoint;\n        # Handle redirects to Amazon Cognito\n        proxy_redirect https://$cognito_endpoint  https://$SERVER_NAME; \n        # Update cookie domain and path\n        proxy_cookie_domain $es_endpoint $SERVER_NAME;\n        # Response buffer settings\n        proxy_buffer_size 128k;\n        proxy_buffers 4 256k;\n        proxy_busy_buffers_size 256k;\n        # Ignore client disconnection\n        proxy_ignore_client_abort  on;\n    }\n    location ~ \\/(log|sign|error|fav|forgot|change|confirm|mfa|saml|oauth2) {\n        # Forward requests to Cognito\n        proxy_pass https://$cognito_endpoint; \n        # Handle redirects to Kibana\n        proxy_redirect https://$es_endpoint  https://$SERVER_NAME;\n        # Handle redirects to Amazon Cognito\n        proxy_redirect https://$cognito_endpoint  https://$SERVER_NAME; \n        # Update cookie domain\n        proxy_cookie_domain $cognito_endpoint $SERVER_NAME;\n        # Ignore client disconnection\n        proxy_ignore_client_abort  on;\n        # Default value is internal, for OpenSearch with Cognito, enable_internal value is empty.\n        $enable_internal\n    }\n}\n",
        "encoding": "plain",
        "mode": "000644",
        "owner": "root",
        "group": "root"
       },
       "/etc/nginx/openssl.cnf": {
        "content": "[ req ]\nprompt = no\ndistinguished_name = req_distinguished_name\n[ req_distinguished_name ]\nC = GB\nST = Test State\nL = Test Locality\nO = Org Name\nOU = Org Unit Name\nCN = Common Name\nemailAddress = test",
        "encoding": "plain",
        "mode": "000644",
        "owner": "root",
        "group": "root"
       },
       "/etc/init.d/nginx": {
        "content": "#!/bin/sh\n#\n# nginx - this script starts and stops the nginx daemon\n#\n# chkconfig:   - 85 15\n# description:  NGINX is an HTTP(S) server, HTTP(S) reverse \\\n#               proxy and IMAP/POP3 proxy server\n# processname: nginx\n# config:      /etc/nginx/nginx.conf\n# config:      /etc/sysconfig/nginx\n# pidfile:     /var/run/nginx.pid\n# Source function library.\n. /etc/rc.d/init.d/functions\n# Source networking configuration.\n. /etc/sysconfig/network\n# Check that networking is up.\n[ \"$NETWORKING\" = \"no\" ] && exit 0\nnginx=\"/sbin/nginx\"\nprog=$(basename $nginx)\nNGINX_CONF_FILE=\"/etc/nginx/conf.d/default.conf\"\n[ -f /etc/sysconfig/nginx ] && . /etc/sysconfig/nginx\nlockfile=/var/lock/subsys/nginx\nmake_dirs() {\n   # make required directories\n   user=`$nginx -V 2>&1 | grep \"configure arguments:\" | sed 's/[^*]*--user=\\([^ ]*\\).*/\\1/g' -`\n   if [ -z \"`grep $user /etc/passwd`\" ]; then\n       useradd -M -s /bin/nologin $user\n   fi\n   options=`$nginx -V 2>&1 | grep 'configure arguments:'`\n   for opt in $options; do\n       if [ `echo $opt | grep '.*-temp-path'` ]; then\n           value=`echo $opt | cut -d \"=\" -f 2`\n           if [ ! 
-d \"$value\" ]; then\n               # echo \"creating\" $value\n               mkdir -p $value && chown -R $user $value\n           fi\n       fi\n   done\n}\nstart() {\n    [ -x $nginx ] || exit 5\n    [ -f $NGINX_CONF_FILE ] || exit 6\n    make_dirs\n    echo -n $\"Starting $prog: \"\n    daemon $nginx -c $NGINX_CONF_FILE\n    retval=$?\n    echo\n    [ $retval -eq 0 ] && touch $lockfile\n    return $retval\n}\nstop() {\n    echo -n $\"Stopping $prog: \"\n    killproc $prog -QUIT\n    retval=$?\n    echo\n    [ $retval -eq 0 ] && rm -f $lockfile\n    return $retval\n}\nrestart() {\n    configtest || return $?\n    stop\n    sleep 1\n    start\n}\nreload() {\n    configtest || return $?\n    echo -n $\"Reloading $prog: \"\n    killproc $nginx -HUP\n    RETVAL=$?\n    echo\n}\nforce_reload() {\n    restart\n}\nconfigtest() {\n  $nginx -t -c $NGINX_CONF_FILE\n}\nrh_status() {\n    status $prog\n}\nrh_status_q() {\n    rh_status >/dev/null 2>&1\n}\ncase \"$1\" in\n    start)\n        rh_status_q && exit 0\n        $1\n        ;;\n    stop)\n        rh_status_q || exit 0\n        $1\n        ;;\n    restart|configtest)\n        $1\n        ;;\n    reload)\n        rh_status_q || exit 7\n        $1\n        ;;\n    force-reload)\n        force_reload\n        ;;\n    status)\n        rh_status\n        ;;\n    condrestart|try-restart)\n        rh_status_q || exit 0\n            ;;\n    *)\n        echo $\"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload|configtest}\"\n        exit 2\nesac",
        "encoding": "plain",
        "mode": "000644",
        "owner": "root",
        "group": "root"
       }
      }
     }
    }
   }
  },
  "LoadBalancerBDB7C56B": {
   "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
   "Properties": {
    "LoadBalancerAttributes": [
     {
      "Key": "deletion_protection.enabled",
      "Value": "false"
     },
     {
      "Key": "access_logs.s3.enabled",
      "Value": "true"
     },
     {
      "Key": "access_logs.s3.bucket",
      "Value": {
       "Ref": "elbAccessLogBucketName"
      }
     },
     {
      "Key": "access_logs.s3.prefix",
      "Value": "ELBLogs/opensearchproxy"
     }
    ],
    "Scheme": "internet-facing",
    "SecurityGroups": [
     {
      "Ref": "elbSecurityGroupId"
     }
    ],
    "Subnets": {
     "Ref": "publicSubnetIds"
    },
    "Type": "application"
   },
   "Metadata": {
    "aws:cdk:path": "NginxForOpenSearch/Load Balancer/Resource",
    "cdk_nag": {
     "rules_to_suppress": [
      {
       "reason": "Access logging is enabled for the ELB",
       "id": "AwsSolutions-ELB2"
      }
     ]
    }
   }
  },
  "LoadBalancerListenerF6F26679": {
   "Type": "AWS::ElasticLoadBalancingV2::Listener",
   "Properties": {
    "Certificates": [
     {
      "CertificateArn": {
       "Ref": "elbDomainCertificateArn"
      }
     }
    ],
    "DefaultActions": [
     {
      "TargetGroupArn": {
       "Ref": "LoadBalancerListenerApplicationFleetGroup1419F3BD"
      },
      "Type": "forward"
     }
    ],
    "LoadBalancerArn": {
     "Ref": "LoadBalancerBDB7C56B"
    },
    "Port": 443,
    "Protocol": "HTTPS",
    "SslPolicy": "ELBSecurityPolicy-TLS-1-2-2017-01"
   },
   "Metadata": {
    "aws:cdk:path": "NginxForOpenSearch/Load Balancer/Listener/Resource"
   }
  },
  "LoadBalancerListenerApplicationFleetGroup1419F3BD": {
   "Type": "AWS::ElasticLoadBalancingV2::TargetGroup",
   "Properties": {
    "HealthCheckEnabled": true,
    "HealthCheckPath": "/",
    "HealthCheckPort": "443",
    "HealthCheckProtocol": "HTTPS",
    "Matcher": {
     "HttpCode": "302"
    },
    "Port": 443,
    "Protocol": "HTTPS",
    "TargetGroupAttributes": [
     {
      "Key": "stickiness.enabled",
      "Value": "false"
     }
    ],
    "TargetType": "instance",
    "VpcId": {
     "Ref": "vpcId"
    }
   },
   "Metadata": {
    "aws:cdk:path": "NginxForOpenSearch/Load Balancer/Listener/ApplicationFleetGroup/Resource"
   }
  },
  "CDKMetadata": {
   "Type": "AWS::CDK::Metadata",
   "Properties": {
    "Analytics": "v2:deflate64:H4sIAAAAAAAA/11OzWrDMAx+lt5dLxj2AF0Oo1BYSHofqqNkah052HJLMXn3kXQr2U76/iR9RpvXQhcbuMWtbS9bRyedGwF7UWXHFQQYUDCoGqNPwaKCW/zMaI3OZccN2hRI7u/Bp3HPfcAY1QES268jDqMDwfnMX2VSBIPOtXeLuczKO7L35eUT7TkKsMUq+I4cTgqS+GjBEfc675L45kGW7/PGf21S6CAKWeehPYEDtsT91ei8G0dHFoQ8Hzy0b4uHYSm75uscRUH+yfzilX+E0KM8u6zoNM1C6bmlOTiTjyRjkkmxb1Gf48vVGG2MLjbnSLQNiYUG1PVjfgMBtUkTpAEAAA=="
   },
   "Metadata": {
    "aws:cdk:path": "NginxForOpenSearch/CDKMetadata/Default"
   },
   "Condition": "CDKMetadataAvailable"
  }
 },
 "Conditions": {
  "customEndpointProvided": {
   "Fn::Equals": [
    "",
    {
     "Ref": "elbDomain"
    }
   ]
  },
  "cognitoNotEnabled": {
   "Fn::Equals": [
    "",
    {
     "Ref": "cognitoEndpoint"
    }
   ]
  },
  "openSearchEngineUsed": {
   "Fn::Equals": [
    "OpenSearch",
    {
     "Ref": "engineType"
    }
   ]
  },
  "CDKMetadataAvailable": {
   "Fn::Or": [
    {
     "Fn::Or": [
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "af-south-1"
       ]
      },
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "ap-east-1"
       ]
      },
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "ap-northeast-1"
       ]
      },
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "ap-northeast-2"
       ]
      },
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "ap-northeast-3"
       ]
      },
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "ap-south-1"
       ]
      },
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "ap-south-2"
       ]
      },
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "ap-southeast-1"
       ]
      },
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "ap-southeast-2"
       ]
      },
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "ap-southeast-3"
       ]
      }
     ]
    },
    {
     "Fn::Or": [
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "ap-southeast-4"
       ]
      },
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "ca-central-1"
       ]
      },
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "ca-west-1"
       ]
      },
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "cn-north-1"
       ]
      },
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "cn-northwest-1"
       ]
      },
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "eu-central-1"
       ]
      },
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "eu-central-2"
       ]
      },
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "eu-north-1"
       ]
      },
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "eu-south-1"
       ]
      },
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "eu-south-2"
       ]
      }
     ]
    },
    {
     "Fn::Or": [
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "eu-west-1"
       ]
      },
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "eu-west-2"
       ]
      },
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "eu-west-3"
       ]
      },
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "il-central-1"
       ]
      },
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "me-central-1"
       ]
      },
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "me-south-1"
       ]
      },
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "sa-east-1"
       ]
      },
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "us-east-1"
       ]
      },
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "us-east-2"
       ]
      },
      {
       "Fn::Equals": [
        {
         "Ref": "AWS::Region"
        },
        "us-west-1"
       ]
      }
     ]
    },
    {
     "Fn::Equals": [
      {
       "Ref": "AWS::Region"
      },
      "us-west-2"
     ]
    }
   ]
  }
 },
 "Outputs": {
  "ALBCNAME": {
   "Description": "CNAME for ALB",
   "Value": {
    "Fn::GetAtt": [
     "LoadBalancerBDB7C56B",
     "DNSName"
    ]
   }
  }
 },
 "Rules": {}
}