
Cleans Up Some Old Unused Modules

They're in git. No reason to keep them around. Plus they're getting in
my way.
Fred Damstra [afs macbook] 3 роки тому
батько
коміт
f053dd1911
70 змінених файлів з 0 додано та 5689 видалено
  1. 0 102
      base/_archive/cisco_vpn/files/userdata.tpl
  2. 0 147
      base/_archive/cisco_vpn/main.tf
  3. 0 20
      base/_archive/cisco_vpn/outputs.tf
  4. 0 4
      base/_archive/cisco_vpn/quickstart-cisco-asav-ravpn/.gitignore
  5. 0 4
      base/_archive/cisco_vpn/quickstart-cisco-asav-ravpn/.gitmodules
  6. 0 24
      base/_archive/cisco_vpn/quickstart-cisco-asav-ravpn/.taskcat.yml
  7. 0 6
      base/_archive/cisco_vpn/quickstart-cisco-asav-ravpn/CHANGELOG.XDR.md
  8. 0 201
      base/_archive/cisco_vpn/quickstart-cisco-asav-ravpn/LICENSE.txt
  9. 0 7
      base/_archive/cisco_vpn/quickstart-cisco-asav-ravpn/NOTICE.txt
  10. 0 7
      base/_archive/cisco_vpn/quickstart-cisco-asav-ravpn/README.XDR.md
  11. 0 37
      base/_archive/cisco_vpn/quickstart-cisco-asav-ravpn/README.md
  12. 0 2
      base/_archive/cisco_vpn/quickstart-cisco-asav-ravpn/SOURCE
  13. BIN
      base/_archive/cisco_vpn/quickstart-cisco-asav-ravpn/functions/packages/lambda.zip
  14. 0 49
      base/_archive/cisco_vpn/quickstart-cisco-asav-ravpn/functions/source/lambda_function.py
  15. 0 314
      base/_archive/cisco_vpn/quickstart-cisco-asav-ravpn/templates/copy-lambdas.yaml
  16. 0 110
      base/_archive/cisco_vpn/quickstart-cisco-asav-ravpn/templates/quickstart-cisco-asav-ravpn-common.yaml
  17. 0 468
      base/_archive/cisco_vpn/quickstart-cisco-asav-ravpn/templates/quickstart-cisco-asav-ravpn-instance.yaml
  18. 0 879
      base/_archive/cisco_vpn/quickstart-cisco-asav-ravpn/templates/quickstart-cisco-asav-ravpn-main.yaml
  19. 0 710
      base/_archive/cisco_vpn/quickstart-cisco-asav-ravpn/templates/quickstart-cisco-asav-ravpn-tgw.yaml
  20. 0 58
      base/_archive/cisco_vpn/security-groups.tf
  21. 0 41
      base/_archive/cisco_vpn/vars.tf
  22. 0 3
      base/interconnects/README.md
  23. 0 1
      base/interconnects/amis.tf
  24. 0 32
      base/interconnects/cloud-init.tf
  25. 0 59
      base/interconnects/cloud-init/cloud-init.tpl
  26. 0 258
      base/interconnects/cloud-init/cloud-init.tpl.toomuch
  27. 0 148
      base/interconnects/main.tf
  28. 0 29
      base/interconnects/outputs.tf
  29. 0 61
      base/interconnects/security-groups.tf
  30. 0 28
      base/interconnects/vars.tf
  31. 0 1
      base/openvpn/amis.tf
  32. 0 35
      base/openvpn/certificate.tf
  33. 0 80
      base/openvpn/cloud-init/cloud-init.tpl
  34. 0 159
      base/openvpn/elb.tf
  35. 0 173
      base/openvpn/main.tf
  36. 0 11
      base/openvpn/outputs.tf
  37. 0 121
      base/openvpn/security-groups.tf
  38. 0 51
      base/openvpn/vars.tf
  39. 0 3
      base/palo_alto/bootstrap/README.md
  40. 0 20
      base/palo_alto/bootstrap/init-cfg.txt.tmpl
  41. 0 10
      base/palo_alto/bootstrap/locals.tf
  42. 0 129
      base/palo_alto/bootstrap/main.tf
  43. 0 2
      base/palo_alto/bootstrap/outputs.tf
  44. 0 20
      base/palo_alto/bootstrap/vars.tf
  45. 0 3
      base/palo_alto/firewall_nodes/README.md
  46. 0 42
      base/palo_alto/firewall_nodes/ami.tf
  47. 0 132
      base/palo_alto/firewall_nodes/main.tf
  48. 0 20
      base/palo_alto/firewall_nodes/outputs.tf
  49. 0 57
      base/palo_alto/firewall_nodes/vars.tf
  50. 0 3
      base/palo_alto/panorama/README.md
  51. 0 28
      base/palo_alto/panorama/ami.tf
  52. 0 72
      base/palo_alto/panorama/main.tf
  53. 0 12
      base/palo_alto/panorama/outputs.tf
  54. 0 56
      base/palo_alto/panorama/vars.tf
  55. 0 50
      base/qualys_connector_role/main.tf
  56. 0 3
      base/qualys_connector_role/outputs.tf
  57. 0 13
      base/qualys_connector_role/variables.tf
  58. 0 5
      base/qualys_iam_baseaccount/README.md
  59. 0 30
      base/qualys_iam_baseaccount/main.tf
  60. 0 7
      base/qualys_iam_baseaccount/outputs.tf
  61. 0 8
      base/qualys_iam_baseaccount/variables.tf
  62. 0 128
      base/qualys_scanners/ec2.tf
  63. 0 49
      base/qualys_scanners/security-groups.tf
  64. 0 50
      base/qualys_scanners/vars.tf
  65. 0 5
      base/security_vpc/README.md
  66. 0 30
      base/security_vpc/ebs-kms-key.tf
  67. 0 93
      base/security_vpc/main.tf
  68. 0 64
      base/security_vpc/outputs.tf
  69. 0 82
      base/security_vpc/security-groups.tf
  70. 0 23
      base/security_vpc/vars.tf

+ 0 - 102
base/_archive/cisco_vpn/files/userdata.tpl

@@ -1,102 +0,0 @@
-|
-! ASA Version
-hostname ${hostname}
-!
-ip local pool VPN-POOL ${VPNPoolFrom1}-${VPNPoolTo1} mask ${VPNPoolMask1}
-!access-list split standard permit $ {VPCPOOL} $ {VPCMASK}
-!access-list split standard permit $ {OnPremPool} $ {OnPremMask} 
-! FIPS
-! See https://csrc.nist.rip/groups/STM/cmvp/documents/140-1/140sp/140sp2653.pdf
-!crashinfo console disable
-!fips enable
-!no service password-recovery
-!config-register 0x10011
-!ssl server-version tlsv1-only
-!ssl client-version tlsv1-only
-!ssh version 2
-!
-service-type remote-access
-!
-interface management0/0
-  nameif management
-  management-only
-  security-level 100
-  no ip address 
-  shut
-int tengi 0/0
-  nameif outside
-  security-level 0
-  ip address dhcp setroute
-  no shut
-int tengi 0/1
-  nameif inside
-  security-level 100
-  ip address dhcp
-  no shut 
-!
-!
-webvpn
-enable outside
-!anyconnect image disk0:/anyconnect-macos-4.8.02045-webdeploy-k9.pkg 1
-anyconnect enable
-tunnel-group-list enable
-group-policy LAB internal
-group-policy LAB attributes
-vpn-tunnel-protocol ssl-client ssl-clientless
-address-pools value VPN-POOL
-!split-tunnel-policy tunnelspecified
-!split-tunnel-network-list value split
-dynamic-access-policy-record DfltAccessPolicy
-username admin nopassword privilege 15
-tunnel-group LAB type remote-access
-tunnel-group LAB general-attributes
-default-group-policy LAB
-address-pool VPN-POOL
-tunnel-group LAB webvpn-attributes
-group-alias LAB-VPN enable
-!
-dns domain-lookup inside
-dns server-group DefaultDNS
-name-server ${dns1}
-name-server ${dns2}
-!
-same-security-traffic permit inter-interface
-same-security-traffic permit intra-interface
-!
-route inside 10.0.0.0 255.0.0.0 ${PrivateSubnet1GW}
-!
-policy-map global_policy
-class inspection_default
-  inspect icmp
-!
-access-list 101 extended permit ip any any 
-access-group 101 in interface outside
-access-group 101 in interface inside
-!
-object network NET-${PrivateSubnet1CIDR}
-subnet ${PrivateSubnet1Pool} ${PrivateSubnet1Mask}
-nat (inside,outside) dynamic interface
-!
-crypto key generate rsa modulus 2048
-ssh 0 0 inside
-ssh 0 0 outside
-!ssh 0 0 management
-ssh timeout 30
-aaa authentication ssh console LOCAL
-username admin nopassword privilege 15
-username admin attributes
-username ${VPNUser} attributes
-username ${VPNUser} password ${VPNPassword} privilege 15
-service-type admin
-!
-name 129.6.15.28 time-a.nist.gov
-name 129.6.15.29 time-b.nist.gov
-name 129.6.15.30 time-c.nist.gov
-ntp server 169.254.169.123
-ntp server time-c.nist.gov
-ntp server time-b.nist.gov
-ntp server time-a.nist.gov
-icmp permit any outside
-icmp permit any inside
-!icmp permit any management
-!

+ 0 - 147
base/_archive/cisco_vpn/main.tf

@@ -1,147 +0,0 @@
-data "aws_security_group" "typical-host" {
-  name   = "typical-host"
-  vpc_id = var.vpc_id
-}
-
-# Use the default EBS key
-data "aws_kms_key" "ebs-key" {
-  key_id = "alias/ebs_root_encrypt_decrypt"
-}
-
-data "aws_subnet" "private_subnet" {
-  id = var.private_subnets[0]
-}
-
-resource "random_password" "password" {
-  keepers = {
-    "version" : 1 # increment to change the password
-    # n.b. you could add other stuff to make this change automatically, e.g.
-    # "instance_type": var.instance_type
-    # Would then change this password every time the instance type changes.
-  }
-  length      = 32
-  special     = false
-  min_lower   = 1
-  min_numeric = 1
-  min_upper   = 1
-  min_special = 0
-  #override_special = "~!%^()-_+"
-}
-
-resource "aws_network_interface" "management" {
-  subnet_id       = var.private_subnets[0]
-  security_groups = [data.aws_security_group.typical-host.id, aws_security_group.inside.id]
-  description     = var.instance_name
-  tags            = merge(var.standard_tags, var.tags, { Name = var.instance_name })
-}
-
-resource "aws_network_interface" "outside" {
-  subnet_id       = var.public_subnets[0]
-  security_groups = [data.aws_security_group.typical-host.id, aws_security_group.outside.id]
-  description     = var.instance_name
-  tags            = merge(var.standard_tags, var.tags, { Name = var.instance_name })
-}
-
-resource "aws_network_interface" "inside" {
-  subnet_id       = var.private_subnets[0]
-  security_groups = [data.aws_security_group.typical-host.id, aws_security_group.inside.id]
-  description     = var.instance_name
-  tags            = merge(var.standard_tags, var.tags, { Name = var.instance_name })
-}
-
-resource "aws_eip" "outside" {
-  vpc  = true
-  tags = merge(var.standard_tags, var.tags, { Name = var.instance_name })
-}
-
-resource "aws_eip_association" "outside" {
-  network_interface_id = aws_network_interface.outside.id
-  allocation_id        = aws_eip.outside.id
-}
-
-resource "aws_instance" "instance" {
-  #availability_zone = var.azs[count.index % 2]
-  tenancy                              = "default"
-  ebs_optimized                        = true
-  disable_api_termination              = var.instance_termination_protection
-  instance_initiated_shutdown_behavior = "stop"
-  instance_type                        = var.instance_type
-  key_name                             = "msoc-build"
-  monitoring                           = false
-  iam_instance_profile                 = "msoc-default-instance-profile"
-
-  ami = "ami-04fe5af2dfd9c9d5e" # not quite sure how to determine other than to launch one
-  # Owner: 
-  # AMI Alias: /aws/service/marketplace/prod-bm2yu6zogql5s/9.15.1.15
-  # Product Code: 80uds1joqwlz35hw1lx5h1bcc
-  # Release Notes: https://www.cisco.com/c/en/us/support/security/asa-firepower-services/products-release-notes-list.html
-  #
-  # We need to ignore ebs_block_device changes, because if the AMI changes, so does the snapshot_id.
-  # If they add a feature to block more specific changes (eg `ebs_block_devices[*].snapshot_id`), then
-  # that could be removed.
-  lifecycle { ignore_changes = [ami, key_name, user_data, ebs_block_device] }
-
-  network_interface {
-    network_interface_id = aws_network_interface.management.id
-    device_index         = 0
-  }
-
-  network_interface {
-    network_interface_id = aws_network_interface.outside.id
-    device_index         = 1
-  }
-
-  network_interface {
-    network_interface_id = aws_network_interface.inside.id
-    device_index         = 2
-  }
-
-  user_data = templatefile("${path.module}/files/userdata.tpl",
-    {
-      "hostname"           = var.instance_name,
-      "VPNPoolFrom1"       = "172.16.32.15",
-      "VPNPoolTo1"         = "172.16.32.200",
-      "VPNPoolMask1"       = "255.255.255.0",
-      "VPNUser"            = "admin",
-      "VPNPassword"        = random_password.password.result,
-      "dns1"               = var.dns_servers[0],
-      "dns2"               = var.dns_servers[1],
-      "PrivateSubnet1CIDR" = data.aws_subnet.private_subnet.cidr_block
-      "PrivateSubnet1GW"   = cidrhost(data.aws_subnet.private_subnet.cidr_block, 1),
-      "PrivateSubnet1Pool" = cidrhost(data.aws_subnet.private_subnet.cidr_block, 0),
-      "PrivateSubnet1Mask" = cidrnetmask(data.aws_subnet.private_subnet.cidr_block)
-      #"PrivateSubnet1CIDR" = var.private_cidr[0],
-      #"PrivateSubnet1GW" = cidrhost(var.private_cidr[0], 1),
-      #"PrivateSubnet1Pool" = cidrhost(var.private_cidr[0], 0),
-      #"PrivateSubnet1Mask" = cidrnetmask(var.private_cidr[0])
-    }
-  )
-
-  tags        = merge(var.standard_tags, var.tags, var.instance_tags, { Name = var.instance_name })
-  volume_tags = merge(var.standard_tags, var.tags, { Name = var.instance_name })
-}
-
-module "private_dns_record" {
-  source = "../../submodules/dns/private_A_record"
-
-  name            = var.instance_name
-  ip_addresses    = [aws_network_interface.management.private_ip]
-  dns_info        = var.dns_info
-  reverse_enabled = true
-
-  providers = {
-    aws.c2 = aws.c2
-  }
-}
-
-module "public_dns_record" {
-  source = "../../submodules/dns/public_A_record"
-
-  name         = var.instance_name
-  ip_addresses = [aws_eip.outside.public_ip]
-  dns_info     = var.dns_info
-
-  providers = {
-    aws.mdr-common-services-commercial = aws.mdr-common-services-commercial
-  }
-}

+ 0 - 20
base/_archive/cisco_vpn/outputs.tf

@@ -1,20 +0,0 @@
-output "admin_password" {
-  value     = random_password.password.result
-  sensitive = true # To get this output, request it specifically with `terragrunt output db_password`
-}
-
-output "management" {
-  value = aws_network_interface.management.private_ip
-}
-
-output "inside" {
-  value = aws_network_interface.inside.private_ip
-}
-
-output "outside" {
-  value = aws_network_interface.outside.private_ip
-}
-
-output "public" {
-  value = aws_eip.outside.public_ip
-}

+ 0 - 4
base/_archive/cisco_vpn/quickstart-cisco-asav-ravpn/.gitignore

@@ -1,4 +0,0 @@
-.taskcat
-taskcat_outputs/
-taskcat_outputs/index.html
-cfn-lint.txt

+ 0 - 4
base/_archive/cisco_vpn/quickstart-cisco-asav-ravpn/.gitmodules

@@ -1,4 +0,0 @@
-[submodule "submodules/quickstart-aws-vpc"]
-	path = submodules/quickstart-aws-vpc
-	url = git@github.com:aws-quickstart/quickstart-aws-vpc.git
-	branch = main

+ 0 - 24
base/_archive/cisco_vpn/quickstart-cisco-asav-ravpn/.taskcat.yml

@@ -1,24 +0,0 @@
-project:
-  name: quickstart-cisco-asav-ravpn
-  regions:
-   - us-east-1
-  package_lambda: false
-tests:
-  2AZ-test:
-    template: ./templates/quickstart-cisco-asav-ravpn-main.yaml
-    # s3_bucket: maq-cisco-ravpn-quickstart
-    parameters:
-      NumberOfAZs: 2
-      NumberOfASAv: 2
-      KeyPair: sshvans
-      AvailabilityZones: $[taskcat_getaz_2] #to be used with 1 or 2 ASAv
-      #AvailabilityZones: $[taskcat_getaz_3] #to be used with 3 ASAv
-      # AvailabilityZones: $[taskcat_getaz_4] #to be used with 4 ASAv
-      QSS3BucketName: $[taskcat_autobucket]
-      QSS3BucketRegion: $[taskcat_current_region]
-      VPNUser: muffadal
-      VPNPassword: "" # provide your own password
-      OnPremFirewallPublicIP: 4.4.4.4
-      OnPremCIDR: 192.168.128.0/24
-      DnsName: example4.com
-      SSHLockDownCIDR: 0.0.0.0/0

+ 0 - 6
base/_archive/cisco_vpn/quickstart-cisco-asav-ravpn/CHANGELOG.XDR.md

@@ -1,6 +0,0 @@
-Original source: https://github.com/aws-quickstart/quickstart-cisco-asav-ravpn
-
-With lots of changes because the original is intended to do ... just about everything, from create a VPC to standing up a route 53 zone to adding a transit gateway. Way more than we want.
-
-* Added this file
-

+ 0 - 201
base/_archive/cisco_vpn/quickstart-cisco-asav-ravpn/LICENSE.txt

@@ -1,201 +0,0 @@
-                                 Apache License
-                           Version 2.0, January 2004
-                        http://www.apache.org/licenses/
-
-   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
-   1. Definitions.
-
-      "License" shall mean the terms and conditions for use, reproduction,
-      and distribution as defined by Sections 1 through 9 of this document.
-
-      "Licensor" shall mean the copyright owner or entity authorized by
-      the copyright owner that is granting the License.
-
-      "Legal Entity" shall mean the union of the acting entity and all
-      other entities that control, are controlled by, or are under common
-      control with that entity. For the purposes of this definition,
-      "control" means (i) the power, direct or indirect, to cause the
-      direction or management of such entity, whether by contract or
-      otherwise, or (ii) ownership of fifty percent (50%) or more of the
-      outstanding shares, or (iii) beneficial ownership of such entity.
-
-      "You" (or "Your") shall mean an individual or Legal Entity
-      exercising permissions granted by this License.
-
-      "Source" form shall mean the preferred form for making modifications,
-      including but not limited to software source code, documentation
-      source, and configuration files.
-
-      "Object" form shall mean any form resulting from mechanical
-      transformation or translation of a Source form, including but
-      not limited to compiled object code, generated documentation,
-      and conversions to other media types.
-
-      "Work" shall mean the work of authorship, whether in Source or
-      Object form, made available under the License, as indicated by a
-      copyright notice that is included in or attached to the work
-      (an example is provided in the Appendix below).
-
-      "Derivative Works" shall mean any work, whether in Source or Object
-      form, that is based on (or derived from) the Work and for which the
-      editorial revisions, annotations, elaborations, or other modifications
-      represent, as a whole, an original work of authorship. For the purposes
-      of this License, Derivative Works shall not include works that remain
-      separable from, or merely link (or bind by name) to the interfaces of,
-      the Work and Derivative Works thereof.
-
-      "Contribution" shall mean any work of authorship, including
-      the original version of the Work and any modifications or additions
-      to that Work or Derivative Works thereof, that is intentionally
-      submitted to Licensor for inclusion in the Work by the copyright owner
-      or by an individual or Legal Entity authorized to submit on behalf of
-      the copyright owner. For the purposes of this definition, "submitted"
-      means any form of electronic, verbal, or written communication sent
-      to the Licensor or its representatives, including but not limited to
-      communication on electronic mailing lists, source code control systems,
-      and issue tracking systems that are managed by, or on behalf of, the
-      Licensor for the purpose of discussing and improving the Work, but
-      excluding communication that is conspicuously marked or otherwise
-      designated in writing by the copyright owner as "Not a Contribution."
-
-      "Contributor" shall mean Licensor and any individual or Legal Entity
-      on behalf of whom a Contribution has been received by Licensor and
-      subsequently incorporated within the Work.
-
-   2. Grant of Copyright License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      copyright license to reproduce, prepare Derivative Works of,
-      publicly display, publicly perform, sublicense, and distribute the
-      Work and such Derivative Works in Source or Object form.
-
-   3. Grant of Patent License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      (except as stated in this section) patent license to make, have made,
-      use, offer to sell, sell, import, and otherwise transfer the Work,
-      where such license applies only to those patent claims licensable
-      by such Contributor that are necessarily infringed by their
-      Contribution(s) alone or by combination of their Contribution(s)
-      with the Work to which such Contribution(s) was submitted. If You
-      institute patent litigation against any entity (including a
-      cross-claim or counterclaim in a lawsuit) alleging that the Work
-      or a Contribution incorporated within the Work constitutes direct
-      or contributory patent infringement, then any patent licenses
-      granted to You under this License for that Work shall terminate
-      as of the date such litigation is filed.
-
-   4. Redistribution. You may reproduce and distribute copies of the
-      Work or Derivative Works thereof in any medium, with or without
-      modifications, and in Source or Object form, provided that You
-      meet the following conditions:
-
-      (a) You must give any other recipients of the Work or
-          Derivative Works a copy of this License; and
-
-      (b) You must cause any modified files to carry prominent notices
-          stating that You changed the files; and
-
-      (c) You must retain, in the Source form of any Derivative Works
-          that You distribute, all copyright, patent, trademark, and
-          attribution notices from the Source form of the Work,
-          excluding those notices that do not pertain to any part of
-          the Derivative Works; and
-
-      (d) If the Work includes a "NOTICE" text file as part of its
-          distribution, then any Derivative Works that You distribute must
-          include a readable copy of the attribution notices contained
-          within such NOTICE file, excluding those notices that do not
-          pertain to any part of the Derivative Works, in at least one
-          of the following places: within a NOTICE text file distributed
-          as part of the Derivative Works; within the Source form or
-          documentation, if provided along with the Derivative Works; or,
-          within a display generated by the Derivative Works, if and
-          wherever such third-party notices normally appear. The contents
-          of the NOTICE file are for informational purposes only and
-          do not modify the License. You may add Your own attribution
-          notices within Derivative Works that You distribute, alongside
-          or as an addendum to the NOTICE text from the Work, provided
-          that such additional attribution notices cannot be construed
-          as modifying the License.
-
-      You may add Your own copyright statement to Your modifications and
-      may provide additional or different license terms and conditions
-      for use, reproduction, or distribution of Your modifications, or
-      for any such Derivative Works as a whole, provided Your use,
-      reproduction, and distribution of the Work otherwise complies with
-      the conditions stated in this License.
-
-   5. Submission of Contributions. Unless You explicitly state otherwise,
-      any Contribution intentionally submitted for inclusion in the Work
-      by You to the Licensor shall be under the terms and conditions of
-      this License, without any additional terms or conditions.
-      Notwithstanding the above, nothing herein shall supersede or modify
-      the terms of any separate license agreement you may have executed
-      with Licensor regarding such Contributions.
-
-   6. Trademarks. This License does not grant permission to use the trade
-      names, trademarks, service marks, or product names of the Licensor,
-      except as required for reasonable and customary use in describing the
-      origin of the Work and reproducing the content of the NOTICE file.
-
-   7. Disclaimer of Warranty. Unless required by applicable law or
-      agreed to in writing, Licensor provides the Work (and each
-      Contributor provides its Contributions) on an "AS IS" BASIS,
-      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-      implied, including, without limitation, any warranties or conditions
-      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
-      PARTICULAR PURPOSE. You are solely responsible for determining the
-      appropriateness of using or redistributing the Work and assume any
-      risks associated with Your exercise of permissions under this License.
-
-   8. Limitation of Liability. In no event and under no legal theory,
-      whether in tort (including negligence), contract, or otherwise,
-      unless required by applicable law (such as deliberate and grossly
-      negligent acts) or agreed to in writing, shall any Contributor be
-      liable to You for damages, including any direct, indirect, special,
-      incidental, or consequential damages of any character arising as a
-      result of this License or out of the use or inability to use the
-      Work (including but not limited to damages for loss of goodwill,
-      work stoppage, computer failure or malfunction, or any and all
-      other commercial damages or losses), even if such Contributor
-      has been advised of the possibility of such damages.
-
-   9. Accepting Warranty or Additional Liability. While redistributing
-      the Work or Derivative Works thereof, You may choose to offer,
-      and charge a fee for, acceptance of support, warranty, indemnity,
-      or other liability obligations and/or rights consistent with this
-      License. However, in accepting such obligations, You may act only
-      on Your own behalf and on Your sole responsibility, not on behalf
-      of any other Contributor, and only if You agree to indemnify,
-      defend, and hold each Contributor harmless for any liability
-      incurred by, or claims asserted against, such Contributor by reason
-      of your accepting any such warranty or additional liability.
-
-   END OF TERMS AND CONDITIONS
-
-   APPENDIX: How to apply the Apache License to your work.
-
-      To apply the Apache License to your work, attach the following
-      boilerplate notice, with the fields enclosed by brackets "{}"
-      replaced with your own identifying information. (Don't include
-      the brackets!)  The text should be enclosed in the appropriate
-      comment syntax for the file format. We also recommend that a
-      file or class name and description of purpose be included on the
-      same "printed page" as the copyright notice for easier
-      identification within third-party archives.
-
-   Copyright {yyyy} {name of copyright owner}
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.

+ 0 - 7
base/_archive/cisco_vpn/quickstart-cisco-asav-ravpn/NOTICE.txt

@@ -1,7 +0,0 @@
-Copyright 2016 Amazon.com, Inc. or its affiliates. All Rights Reserved.
-
-Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at
-
-    http://aws.amazon.com/apache2.0/
-
-or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

+ 0 - 7
base/_archive/cisco_vpn/quickstart-cisco-asav-ravpn/README.XDR.md

@@ -1,7 +0,0 @@
-# What this is
-
-This is the source for the cloudformation template from Cisco for the Cisco ASAv Remote Access VPN.
-
-Unfortunately, it does far more than we need.. It sets up VPCs, transit gateways, direct connect VPNs, etc...
-
-Kept here for reference.

+ 0 - 37
base/_archive/cisco_vpn/quickstart-cisco-asav-ravpn/README.md

@@ -1,37 +0,0 @@
-# quickstart-cisco-asav-ravpn
-## Cisco Systems on the AWS Cloud
-
-This Quick Start reference deployment guide provides step-by-step instructions for deploying a scalable Cisco Remote Access Virtual Private Network (RA-VPN) on the AWS Cloud. This Quick Start is for users who want to deploy or learn about Cisco AnyConnect RA-VPN services on Cisco Adaptive Security Virtual Appliance (ASAv) firewalls using the AWS Cloud architecture.
-
-### Cisco scalable RA-VPN on AWS
-As companies address the ever-increasing demand for secure remote connectivity, the need for a stable and scalable RA-VPN has increased. For many organizations, investing in additional hardware appliances to scale up a network’s infrastructure may not meet timeline objectives and available budgets. But, cloud-based architectures provide computing environments that are highly scalable and flexible in terms of both costs and resources.
-
-**Note:** This deployment can be integrated with both multi-factor authentication (MFA) and authentication, authorization, and accounting (AAA), such as Cisco Duo. For more information, see Duo MFA on AWS.
-
-Please know that we may share who uses AWS Quick Starts with the AWS Partner that collaborated with AWS on the content of the Quick Start.
-
-### Cost and licenses
-You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using the Quick Start.
-
-The AWS CloudFormation template for this Quick Start includes configuration parameters that you can customize. Some of these settings, such as instance type, affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you use. Prices are subject to change.
-
-This Quick Start requires an RA-VPN license from Cisco. The Cisco ASAv virtual firewall provides the following licensing options:
-
-- **Option 1:** Use AWS pay-as-you-go licensing, which is based on hourly billing. This is the default option for this Quick Start.
-- **Option 2:** Use Amazon’s Bring Your Own License (BYOL) model in conjunction with Cisco’s Smart Licensing.
-
-To use this Quick Start in a production environment, see [Cisco Adaptive Security Virtual Appliance (ASAv) — Standard Package](https://aws.amazon.com/marketplace/pp/Cisco-Systems-Inc-Cisco-Adaptive-Security-Virtual-/B00WH2LGM0). Ensure that you subscribe to the image using the correct Region. If you want to use option 2, you must use the correct Amazon Machine Image (AMI). For more information, see how to [Deploy the ASAv on the AWS Cloud](https://www.cisco.com/c/en/us/td/docs/security/asa/asa913/asav/getting-started/asav-913-gsg/asav_aws.html).
-
-**Note:** If you don’t have your own license, the ASAv uses a trial license with reduced capacity. It provides 90 days of free usage and up to two AnyConnect VPN sessions within a nonproduction environment where firewall throughput is limited to 100 Kbps. To upgrade to a production license, see the [Cisco documentation](https://www.cisco.com/c/en/us/td/docs/security/asa/asa913/configuration/general/asa-913-general-config/intro-license-smart.html#task_03242D29B58D4DB9B95F4F844973CE2E).
-
-This Quick Start requires a subscription to the Amazon Machine Image (AMI) for Cisco RA VPN, which is available from [AWS Marketplace](https://aws.amazon.com/marketplace/pp/Cisco-Systems-Inc-Cisco-Adaptive-Security-Virtual-/B00WH2LGM0). Additional pricing, terms, and conditions may apply. For more information, see the [deployment guide](https://fwd.aws/Ebm5R).
-
-### Architecture
-Deploying this Quick Start with **default parameters** builds the following environment in a specific account and Region in the AWS Cloud.
-![quickstart-sumo-logic-security-integrations](https://d0.awsstatic.com/partner-network/QuickStart/datasheets/cisco-asav-ravpn-architecture-diagram.png)
-
-For architectural details, best practices, step-by-step instructions, and customization options, see the [deployment guide](https://fwd.aws/Ebm5R).
-
-To post feedback, submit feature ideas, or report bugs, use the **Issues** section of this GitHub repo.
-
-If you want to submit code for this Quick Start, see the [AWS Quick Start Contributor's Guide](https://aws-quickstart.github.io/).

+ 0 - 2
base/_archive/cisco_vpn/quickstart-cisco-asav-ravpn/SOURCE

@@ -1,2 +0,0 @@
-origin	https://github.com/aws-quickstart/quickstart-cisco-asav-ravpn.git (fetch)
-origin	https://github.com/aws-quickstart/quickstart-cisco-asav-ravpn.git (push)

BIN
base/_archive/cisco_vpn/quickstart-cisco-asav-ravpn/functions/packages/lambda.zip


+ 0 - 49
base/_archive/cisco_vpn/quickstart-cisco-asav-ravpn/functions/source/lambda_function.py

@@ -1,49 +0,0 @@
-import json
-import logging
-import boto3
-import cfnresponse
-
-logger = logging.getLogger()
-logger.setLevel(logging.INFO)
-
-def get_vpn_attachment_ids(vpn_id, stackName):
-    try:
-      myDict = {}
-      client = boto3.client('ec2')
-      vpn = client.describe_vpn_connections(VpnConnectionIds=[vpn_id])['VpnConnections']
-      tgw = client.describe_transit_gateway_attachments()['TransitGatewayAttachments']
-      rtb = client.describe_transit_gateway_route_tables()["TransitGatewayRouteTables"]
-      logger.info(vpn)
-      for index in range(len(vpn)):
-        mylist = []
-        for vgwTelemetry in vpn[index]['VgwTelemetry']:
-          mylist.append(vgwTelemetry['OutsideIpAddress'])
-        myDict['vpn'+str(index)+'OutsideIps']=mylist
-      #Get vpn tgw attachment ids
-      for dictionary in tgw:
-        if dictionary["ResourceId"] == vpn_id:
-          myDict["vpn1_tgw_attachment_id"] = dictionary['TransitGatewayAttachmentId']
-      #Get rtb ids
-      for dictionary in rtb:
-        if dictionary["Tags"]:
-          for tagsdictionary in dictionary["Tags"]:
-            if stackName+"-Securityrtb" in tagsdictionary['Value']:
-              myDict["security_tgw_rtb_id"] = dictionary['TransitGatewayRouteTableId']
-    except Exception as e:
-      logger.info('get vpn tgw attachment id failure: {}'.format(e))
-
-    return myDict
-
-def lambda_handler(event, context):
-    logger.info('got event {}'.format(event))
-    responseData = {}
-    
-    if event['RequestType'] == 'Create':
-      responseData = get_vpn_attachment_ids(event['ResourceProperties']['vpn_id'],event['ResourceProperties']['stackName'])
-    
-    else: # delete / update
-      rs = event['PhysicalResourceId'] 
-      responseData['TransitGatewayAttributes'] = rs
-    
-    logger.info('responseData {}'.format(responseData))
-    cfnresponse.send(event, context, cfnresponse.SUCCESS, responseData)

+ 0 - 314
base/_archive/cisco_vpn/quickstart-cisco-asav-ravpn/templates/copy-lambdas.yaml

@@ -1,314 +0,0 @@
-AWSTemplateFormatVersion: '2010-09-09'
-Description: This template creates an S3 bucket in the same region where the stack is launched and copy the Lambda functions code from original bucket to the new bucket. (qs-1qp7e9tkk)
-Parameters:
-  QSS3BucketName:
-    AllowedPattern: "^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$"
-    ConstraintDescription: S3 bucket name can include numbers, lowercase letters,uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).
-    Default: ravpn-quickstart-test
-    Description: Alphanumeric string which identifies the S3 bucket name for the QuickStart assets. It's the bucket to store the copy of the Quick Start assets if you decided to customize or extend them for your own use.
-    Type: String
-  QSS3KeyPrefix:
-    AllowedPattern: "^[0-9a-zA-Z-/._]*$"
-    ConstraintDescription: S3 key prefix can include numbers, lowercase letters, uppercaseletters, hyphens (-), and forward slash (/).
-    Default: quickstart-cisco-asav-ravpn/
-    Description: Alphanumeric string which identifies the S3 key prefix used to simulate a folder for your copy of the Quick Start assets if you decided to customize or extend them for your own use.
-    Type: String
-Resources:
-  CopyObjects:
-    Properties:
-      ServiceToken:
-        Fn::GetAtt:
-        - CopyObjectsFunction
-        - Arn
-      DestBucket:
-        Ref: LambdaZipsBucket
-      Objects:
-      - functions/packages/lambda.zip
-      SourceBucket:
-        Ref: QSS3BucketName
-      Prefix:
-        Ref: QSS3KeyPrefix
-    Type: AWS::CloudFormation::CustomResource
-  CopyObjectsFunction:
-    Properties:
-      Code:
-        ZipFile:
-          Fn::Join:
-          - "\n"
-          - - import json
-            - import logging
-            - import threading
-            - import boto3
-            - import cfnresponse
-            - ''
-            - ''
-            - 'def copy_objects(source_bucket, dest_bucket, prefix, objects):'
-            - "    s3 = boto3.client('s3')"
-            - "    for o in objects:"
-            - "        key = prefix + o"
-            - "        copy_source = {"
-            - "            'Bucket': source_bucket,"
-            - "            'Key': key"
-            - "        }"
-            - "        s3.copy_object(CopySource=copy_source, Bucket=dest_bucket,
-              Key=key)"
-            - ''
-            - ''
-            - 'def delete_objects(bucket):'
-            - "    client = boto3.client('s3')"
-            - '    print(("Collecting data from" + bucket))'
-            - "    paginator = client.get_paginator('list_object_versions')"
-            - "    result = paginator.paginate(Bucket=bucket)"
-            - "    objects = []"
-            - "    for page in result:"
-            - "        try:"
-            - "            for k in page['Versions']:"
-            - "                objects.append({'Key':k['Key'],'VersionId': k['VersionId']})"
-            - "            try:"
-            - "                for k in page['DeleteMarkers']:"
-            - "                    version = k['VersionId']"
-            - "                    key = k['Key']"
-            - "                    objects.append({'Key': key,'VersionId': version})"
-            - "            except:"
-            - "                pass"
-            - '            print("deleting objects")'
-            - "            client.delete_objects(Bucket=bucket,     Delete={'Objects':
-              objects})"
-            - "           # objects = []"
-            - "        except:"
-            - "            pass"
-            - '    print("bucket already empty")'
-            - ''
-            - ''
-            - ''
-            - 'def timeout(event, context):'
-            - "    logging.error('Execution is about to time out, sending failure
-              response to CloudFormation')"
-            - "    cfnresponse.send(event, context, cfnresponse.FAILED, {}, None)"
-            - ''
-            - ''
-            - 'def handler(event, context):'
-            - "    # make sure we send a failure to CloudFormation if the function
-              is going to timeout"
-            - "    timer = threading.Timer((context.get_remaining_time_in_millis()
-              / 1000.00) - 0.5, timeout, args=[event, context])"
-            - "    timer.start()"
-            - ''
-            - "    print(('Received event: %s' % json.dumps(event)))"
-            - "    status = cfnresponse.SUCCESS"
-            - "    try:"
-            - "        source_bucket = event['ResourceProperties']['SourceBucket']"
-            - "        dest_bucket = event['ResourceProperties']['DestBucket']"
-            - "        prefix = event['ResourceProperties']['Prefix']"
-            - "        objects = event['ResourceProperties']['Objects']"
-            - "        if event['RequestType'] == 'Delete':"
-            - "            delete_objects(dest_bucket)"
-            - "        else:"
-            - "            copy_objects(source_bucket, dest_bucket, prefix, objects)"
-            - "    except Exception as e:"
-            - "        logging.error('Exception: %s' % e, exc_info=True)"
-            - "        status = cfnresponse.FAILED"
-            - "    finally:"
-            - "        timer.cancel()"
-            - "        cfnresponse.send(event, context, status, {}, None)"
-            - ''
-      Description: Copies objects from a source S3 bucket to a destination S3 bucket
-      Handler: index.handler
-      Role:
-        Fn::GetAtt:
-        - CopyObjectsRole
-        - Arn
-      Runtime: python3.7
-      Timeout: 240
-    Type: AWS::Lambda::Function
-  CopyObjectsRole:
-    Properties:
-      AssumeRolePolicyDocument:
-        Statement:
-        - Action: sts:AssumeRole
-          Effect: Allow
-          Principal:
-            Service: lambda.amazonaws.com
-        Version: '2012-10-17'
-      ManagedPolicyArns:
-      - !Sub arn:${AWS::Partition}:iam::${AWS::Partition}:policy/service-role/AWSLambdaBasicExecutionRole
-      Path: "/"
-      Policies:
-      - PolicyDocument:
-          Statement:
-          - Action:
-            - s3:GetObject
-            Effect: Allow
-            Resource:
-            - Fn::Sub: arn:${AWS::Partition}:s3:::${QSS3BucketName}/${QSS3KeyPrefix}*
-          - Action:
-            - s3:PutObject
-            - s3:DeleteObject
-            - s3:GetObject
-            - s3:ListBucket
-            - s3:ListBucketVersions
-            - s3:DeleteObjectVersion
-            - s3:GetObjectVersion
-            - s3:GetBucketVersioning
-            Effect: Allow
-            Resource:
-            - Fn::Sub: arn:${AWS::Partition}:s3:::${LambdaZipsBucket}/${QSS3KeyPrefix}*
-            - Fn::Sub: arn:${AWS::Partition}:s3:::${LambdaZipsBucket}
-          Version: '2012-10-17'
-        PolicyName: object-copier
-    Type: AWS::IAM::Role
-  LambdaZipsBucket:
-    Properties:
-      Tags: []
-      VersioningConfiguration:
-        Status: Enabled
-    Type: AWS::S3::Bucket
-  CleanUpS3Bucket:
-    Properties:
-      DestBucket:
-        Ref: LambdaZipsBucket
-      ServiceToken:
-        Fn::GetAtt:
-        - CleanUpS3BucketFunction
-        - Arn
-    Type: AWS::CloudFormation::CustomResource
-  CleanUpS3BucketFunction:
-    Properties:
-      Code:
-        ZipFile:
-          Fn::Join:
-          - "\n"
-          - - import json
-            - import logging
-            - import threading
-            - import boto3
-            - import cfnresponse
-            - client = boto3.client('s3')
-            - ''
-            - ''
-            - 'def delete_NonVersionedobjects(bucket):'
-            - '    print(("Collecting data from" + bucket))'
-            - "    paginator =     client.get_paginator('list_objects_v2')"
-            - "    result = paginator.paginate(Bucket=bucket)"
-            - "    objects = []"
-            - "    for page in result:"
-            - "        try:"
-            - "            for k in page['Contents']:"
-            - "                objects.append({'Key': k['Key']})"
-            - '                print("deleting objects")'
-            - "                client.delete_objects(Bucket=bucket, Delete={'Objects':
-              objects})"
-            - "                objects = []"
-            - "        except:"
-            - "            pass"
-            - '            print("bucket is already empty")'
-            - ''
-            - 'def delete_versionedobjects(bucket):'
-            - '    print(("Collecting data from" + bucket))'
-            - "    paginator = client.get_paginator('list_object_versions')"
-            - "    result = paginator.paginate(Bucket=bucket)"
-            - "    objects = []"
-            - "    for page in result:"
-            - "        try:"
-            - "            for k in page['Versions']:"
-            - "                objects.append({'Key':k['Key'],'VersionId': k['VersionId']})"
-            - "            try:"
-            - "                for k in page['DeleteMarkers']:"
-            - "                    version = k['VersionId']"
-            - "                    key = k['Key']"
-            - "                    objects.append({'Key': key,'VersionId': version})"
-            - "            except:"
-            - "                pass"
-            - '            print("deleting objects")'
-            - "            client.delete_objects(Bucket=bucket, Delete={'Objects':
-              objects})"
-            - "           # objects = []"
-            - "        except:"
-            - "            pass"
-            - '    print("bucket already empty")'
-            - ''
-            - ''
-            - ''
-            - 'def timeout(event, context):'
-            - "    logging.error('Execution is about to time out, sending failure
-              response to CloudFormation')"
-            - "    cfnresponse.send(event, context, cfnresponse.FAILED, {}, None)"
-            - ''
-            - ''
-            - 'def handler(event, context):'
-            - "    # make sure we send a failure to CloudFormation if the function
-              is going to timeout"
-            - "    timer = threading.Timer((context.get_remaining_time_in_millis()
-              / 1000.00) - 0.5, timeout, args=[event, context])"
-            - "    timer.start()"
-            - ''
-            - "    print(('Received event: %s' % json.dumps(event)))"
-            - "    status = cfnresponse.SUCCESS"
-            - "    try:"
-            - "        dest_bucket = event['ResourceProperties']['DestBucket']"
-            - "        if event['RequestType'] == 'Delete':"
-            - "            CheckifVersioned = client.get_bucket_versioning(Bucket=dest_bucket)"
-            - "            print(CheckifVersioned)"
-            - "            if 'Status' in CheckifVersioned:"
-            - "                print(CheckifVersioned['Status'])"
-            - '                print ("This is a versioned Bucket")'
-            - "                delete_versionedobjects(dest_bucket)"
-            - "            else:"
-            - '                print("This is not a versioned bucket")'
-            - "                delete_NonVersionedobjects(dest_bucket)"
-            - "        else:"
-            - '            print("Nothing to do")'
-            - "    except Exception as e:"
-            - "        logging.error('Exception: %s' % e, exc_info=True)"
-            - "        status = cfnresponse.FAILED"
-            - "    finally:"
-            - "        timer.cancel()"
-            - "        cfnresponse.send(event, context, status, {}, None)"
-            - ''
-      Description: Empty the S3 Bucket
-      Handler: index.handler
-      Role:
-        Fn::GetAtt:
-        - S3CleanUpRole
-        - Arn
-      Runtime: python3.7
-      Timeout: 240
-    Type: AWS::Lambda::Function
-  S3CleanUpRole:
-    Properties:
-      AssumeRolePolicyDocument:
-        Statement:
-        - Action: sts:AssumeRole
-          Effect: Allow
-          Principal:
-            Service: lambda.amazonaws.com
-        Version: '2012-10-17'
-      ManagedPolicyArns:
-      - !Sub arn:${AWS::Partition}:iam::${AWS::Partition}:policy/service-role/AWSLambdaBasicExecutionRole
-      Path: "/"
-      Policies:
-      - PolicyDocument:
-          Statement:
-          - Action:
-            - s3:PutObject
-            - s3:DeleteObject
-            - s3:GetObject
-            - s3:ListBucket
-            - s3:ListBucketVersions
-            - s3:DeleteObjectVersion
-            - s3:GetObjectVersion
-            - s3:GetBucketVersioning
-            Effect: Allow
-            Resource:
-            - Fn::GetAtt:
-              - LambdaZipsBucket
-              - Arn
-            - Fn::Sub: arn:${AWS::Partition}:s3:::*
-          Version: '2012-10-17'
-        PolicyName: Empty-bucket
-    Type: AWS::IAM::Role
-Outputs:
-  LambdaZipsBucket:
-    Description: S3 Bucket for the Lambda Function Code
-    Value:
-      Ref: LambdaZipsBucket

+ 0 - 110
base/_archive/cisco_vpn/quickstart-cisco-asav-ravpn/templates/quickstart-cisco-asav-ravpn-common.yaml

@@ -1,110 +0,0 @@
-AWSTemplateFormatVersion: 2010-09-09
-Description: >-
-  Cisco Systems - Creates hostedzone, Mgmt route table, and SG. (qs-1qp7e9tna)
-Metadata:
-  ParameterLabels:
-    VPCID:
-      default: VPC ID
-    DnsName:
-      default: Dns name
-    SSHLockDownCIDR:
-      default: SSH Lockdown CIDR
-Parameters:
-  DnsName:
-    Type: String
-    Description: DNS name of PublicHostedZone
-  VPCID:
-    Type: AWS::EC2::VPC::Id
-    Description: Select VPC which ASAv will be deployed in
-  SSHLockDownCIDR:
-    AllowedPattern: >-
-      ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|1[6-9]|2[0-8]))$
-    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/0-28
-    Description: CIDR block for locking down the SSH access on the outside interface
-    Type: String
-  
-Resources:
-  PublicHostedZone: 
-    Type: "AWS::Route53::HostedZone"
-    Properties: 
-      HostedZoneConfig: 
-        Comment: 'Hosted zone'
-      Name: !Ref DnsName
-      HostedZoneTags: 
-        - 
-          Key: 'Name'
-          Value: 'ASAvHostedZone'
-  MgmtRouteTable:
-    Type: AWS::EC2::RouteTable
-    Properties:
-      VpcId: !Ref VPCID
-      Tags:
-        - Key: Name
-          Value: MGMT subnet Route Table
-  ASAvInstanceSGMGMT:
-    Type: AWS::EC2::SecurityGroup
-    Properties:
-        GroupDescription: Security Group for ASAv Instances
-        VpcId: !Ref VPCID
-        Tags:
-        - Key: Name
-          Value: "ASAvSecurityGroup"
-        SecurityGroupIngress:
-        - IpProtocol: "TCP"
-          FromPort: 443
-          ToPort: 443
-          CidrIp: 0.0.0.0/0
-        - IpProtocol: "TCP"
-          FromPort: 22
-          ToPort: 22
-          CidrIp: 0.0.0.0/0
-        - IpProtocol: "TCP"
-          FromPort: 80
-          ToPort: 80
-          CidrIp: 0.0.0.0/0
-  ASAvInstanceSGINSIDE:
-    Type: AWS::EC2::SecurityGroup
-    Properties:
-        GroupDescription: Security Group for ASAv Instances
-        VpcId: !Ref VPCID
-        Tags:
-        - Key: Name
-          Value: "ASAvSecurityGroup"
-        SecurityGroupIngress:
-        - IpProtocol: "-1"
-          FromPort: 0
-          ToPort: 65535
-          CidrIp: 0.0.0.0/0
-  ASAvInstanceSGOUTSIDE:
-    Type: AWS::EC2::SecurityGroup
-    Properties:
-        GroupDescription: Security Group for ASAv Instances
-        VpcId: !Ref VPCID
-        Tags:
-        - Key: Name
-          Value: "ASAvSecurityGroup"
-        SecurityGroupIngress:
-        - IpProtocol: "TCP"
-          FromPort: 443
-          ToPort: 443
-          CidrIp: 0.0.0.0/0
-        - IpProtocol: "UDP"
-          FromPort: 443
-          ToPort: 443
-          CidrIp: 0.0.0.0/0
-        - IpProtocol: "TCP"
-          FromPort: 22
-          ToPort: 22
-          CidrIp: !Ref SSHLockDownCIDR
-
-Outputs:
-  PublicHostedZone:
-    Value: !Ref 'PublicHostedZone'
-  MgmtRouteTable:
-    Value: !Ref 'MgmtRouteTable'
-  ASAvInstanceSGMGMT:
-    Value: !Ref 'ASAvInstanceSGMGMT'
-  ASAvInstanceSGOUTSIDE:
-    Value: !Ref 'ASAvInstanceSGOUTSIDE'
-  ASAvInstanceSGINSIDE:
-    Value: !Ref 'ASAvInstanceSGINSIDE'

+ 0 - 468
base/_archive/cisco_vpn/quickstart-cisco-asav-ravpn/templates/quickstart-cisco-asav-ravpn-instance.yaml

@@ -1,468 +0,0 @@
-AWSTemplateFormatVersion: 2010-09-09
-Description: >-
-  Cisco Systems - Creates the necessary policies, roles, security group and
-  launches Cisco ASAv Instance(s). (qs-1qp7e9tnh)
-Metadata:
-  ParameterLabels:
-    InstanceTypeParam:
-      default: ASAv instance type
-    KeyPair:
-      default: keypair name
-    MgmtSubnet1CIDR:
-      default: Mgmt subnet 1
-    PrivateSubnet1ID:
-      default: Private subnet 1
-    PublicSubnet1ID:
-      default: Public subnet 1
-    VPCID:
-      default: VPC ID
-    DnsName:
-      default: Dns name
-    ASAv1HostName:
-      default: ASAv1 Hostname
-    VPNPoolFrom1:
-      default: VPN Pool Start
-    VPNPoolTo1:
-      default: VPN Pool Finish
-    VPNPoolCIDRMask1:
-      default: NETMASK of VPN Pool
-    VPCCIDRMASK:
-      default: netmask of VPCCIDR
-    VPCPOOL:
-      default: pool of VPC
-    VPNUser:
-      default: VPN User
-    VPNPassword:
-      default: VPN Password
-    OnPremCIDRMask:
-      default: onprem network MASK
-    OnPremPool:
-      default: onprem pool
-    PrivateSubnet1GW:
-      default: private subnet GW
-    PrivateSubnet1CIDR:
-      default: private subnet CIDR format
-    PrivateSubnet1Pool:
-      default: Private subnet pool
-    PrivateSubnet1CIDRMask:
-      default: Private subnet mask
-    PublicHostedZone:
-      default: Private hosted zone Id
-    MgmtRouteTable:
-      default: Management route table Id
-    ASAvInstanceSGMGMT:
-      default: ASAv Instance Management Security group Id
-    ASAvInstanceSGOUTSIDE:
-      default: ASAv Instance Outside Security group Id
-    ASAvInstanceSGINSIDE:
-      default: ASAv Instance Inside Security group Id
-Parameters:
-  InstanceTypeParam:
-    Type: String
-    Default: c5.large
-    AllowedValues:
-      - m4.large
-      - m4.xlarge
-      - m4.2xlarge
-      - c3.large
-      - c3.xlarge
-      - c3.2xlarge
-      - c4.large
-      - c4.xlarge
-      - c4.2xlarge
-      - c5.large
-      - c5.xlarge
-      - c5.2xlarge
-    Description: Select an instance size for the ASAv.
-  KeyPair:
-    Type: AWS::EC2::KeyPair::KeyName
-    Description: ASAv instances will launch with this keypair
-  VPCID:
-    Type: AWS::EC2::VPC::Id
-    Description: Select VPC which ASAv will be deployed in
-  VPNUser:
-    Type: String
-    Description: Test VPN Username
-  VPNPassword:
-    Type: String
-    Description: Test VPN Password
-    NoEcho: true
-  MgmtSubnet1CIDR:
-    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
-    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
-    Description: CIDR block for Mgmt subnet 1 in Availability Zone 1
-    Type: String
-  PrivateSubnet1ID:
-    Type: AWS::EC2::Subnet::Id
-    Description: Private Subnet 1 ID
-  PublicSubnet1ID:
-    Type: AWS::EC2::Subnet::Id
-    Description: Public Subnet 1 ID
-  DnsName:
-    Type: String
-    Description: DNS name of PublicHostedZone
-  ASAv1HostName:
-    Type: String
-    Description: ASAv1 Hostname
-  VPNPoolFrom1:
-    Type: String
-    Description: VPN Pool Start
-  VPNPoolTo1:
-    Type: String
-    Description: VPN Pool Finish
-  VPNPoolCIDRMask1:
-    Type: String
-    Description: NETMASK of VPN CIDR Pool
-  VPCCIDRMASK:
-    Type: String
-    Description: netmask of VPC
-  VPCPOOL:
-    Type: String
-    Description: pool of VPC
-  OnPremCIDRMask:
-    Type: String
-    Description: onprem network MASK
-  OnPremPool:
-    Type: String
-    Description: onprem pool
-  PrivateSubnet1GW:
-    Type: String
-    Description: private subnet GW
-  PrivateSubnet1CIDR:
-    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
-    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
-    Description: CIDR block for the On-prem network
-    Type: String
-  PrivateSubnet1Pool:
-    Type: String
-    Description: Private subnet pool
-  PrivateSubnet1CIDRMask:
-    Type: String
-    Description: Private subnet mask
-
-  PublicHostedZone:
-    Type: String
-    Description: Resource ID of the Public Hosted Zone
-  MgmtRouteTable:
-    Type: String
-    Description: Resource ID of the Management Route Table
-  ASAvInstanceSGMGMT:
-    Type: String
-    Description: Security Group ID for Management instance
-  ASAvInstanceSGOUTSIDE:
-    Type: String
-    Description: Security Group ID for Outside instance
-  ASAvInstanceSGINSIDE:
-    Type: String
-    Description: Security Group ID for Inside instance
-  InstanceIdentifier:
-    Type: Number
-    Description: RAVPN Instance No.
-Mappings:
-  AWSAMIRegionMap:
-    eu-north-1: 
-      HVM64: ami-005e678f521ec99d0
-    ap-south-1: 
-      HVM64: ami-024dc7bfa98b41ec6
-    eu-west-3: 
-      HVM64: ami-06c7b0231eb402d16
-    eu-west-2: 
-      HVM64: ami-0bec420a926af5be6
-    eu-west-1: 
-      HVM64: ami-09cc7f08a29818836
-    ap-northeast-2: 
-      HVM64: ami-08d0dad22fc46b6d9
-    ap-northeast-1: 
-      HVM64: ami-09bdeeb4666c0bb9d
-    sa-east-1: 
-      HVM64: ami-08e47d7858321f80c
-    ca-central-1: 
-      HVM64: ami-07f9b49973a350949
-    ap-southeast-1: 
-      HVM64: ami-0e397151d9d5c4e82
-    ap-southeast-2: 
-      HVM64: ami-07781517dd89226fb
-    eu-central-1: 
-      HVM64: ami-000b858ff24a0d33f
-    us-east-1: 
-      HVM64: ami-0408c1a8f87e2e0d4
-    us-east-2: 
-      HVM64: ami-06554acf8888fbe0d
-    us-west-1: 
-      HVM64: ami-0312fb96da1e1fe74
-    us-west-2: 
-      HVM64: ami-00a1cfa66bfdcfe76
-  CIDRtoSubnetmask:
-    '16':
-      mask: '255.255.0.0'
-    '17':
-      mask: '255.255.128.0'
-    '18':
-      mask: '255.255.192.0'
-    '19':
-      mask: '255.255.224.0'
-    '20':
-      mask: '255.255.240.0'
-    '21':
-      mask: '255.255.248.0'
-    '22':
-      mask: '255.255.252.0'
-    '23':
-      mask: '255.255.254.0'
-    '24':
-      mask: '255.255.255.0'
-    '25':
-      mask: '255.255.255.128'
-    '26':
-      mask: '255.255.255.192'
-    '27':
-      mask: '255.255.255.224'
-    '28':
-      mask: '255.255.255.240'
-Resources:
-  ASAvDNSRecord:
-    Type: AWS::Route53::RecordSet
-    Properties:
-      HostedZoneId: !Ref PublicHostedZone
-      Name: !Join
-        - '.'
-        - - 'vpn'
-          - !Ref DnsName
-      TTL: 5
-      Type: A
-      HealthCheckId: !Ref R53HealthCheck
-      SetIdentifier: !Sub 'Frontend-${InstanceIdentifier}'
-      Weight: 4
-      ResourceRecords:
-      - !Ref outsideIP
-  R53HealthCheck: 
-    Type: 'AWS::Route53::HealthCheck'
-    Properties: 
-      HealthCheckConfig: 
-        IPAddress: !Ref outsideIP
-        Port: 443
-        Type: HTTPS_STR_MATCH
-        ResourcePath: '/'
-        RequestInterval: 30
-        FailureThreshold: 5
-        MeasureLatency: true
-        SearchString: '+CSCOE+'
-      HealthCheckTags: 
-        - 
-          Key: Name
-          Value: ASAvHealthcheck
-  MgmtSubnet1:
-    Type: AWS::EC2::Subnet
-    Properties:
-      VpcId: !Ref VPCID
-      CidrBlock: !Ref 'MgmtSubnet1CIDR'
-      AvailabilityZone: 
-        Fn::Select: 
-          - !Ref InstanceIdentifier
-          - Fn::GetAZs: ""
-      Tags:
-        - Key: Name
-          Value: !Sub 'Mgmt subnet ${InstanceIdentifier}'
-  MGMTRouteTableAssociation:
-    Type: AWS::EC2::SubnetRouteTableAssociation
-    Properties:
-      SubnetId: !Ref 'MgmtSubnet1'
-      RouteTableId: !Ref 'MgmtRouteTable'
-  outsideIP:
-      Type: AWS::EC2::EIP
-      Properties:
-        Domain: vpc        
-  associateOutsideIP:
-      Type: AWS::EC2::EIPAssociation
-      Properties:
-        AllocationId: !GetAtt outsideIP.AllocationId 
-        NetworkInterfaceId: !Ref outsideENI
-  mgmtENI:
-      Type: AWS::EC2::NetworkInterface
-      Properties:
-         Tags:
-         - Key: Name
-           Value: MgmtEni
-         Description: A nice description.
-         SourceDestCheck: false
-         GroupSet:
-         - !Ref 'ASAvInstanceSGMGMT'
-         SubnetId: !Ref MgmtSubnet1
-  outsideENI:
-      Type: AWS::EC2::NetworkInterface
-      Properties:
-         Tags:
-         - Key: Name
-           Value: OutsideEni
-         Description: A nice description.
-         SourceDestCheck: false
-         GroupSet:
-         - !Ref 'ASAvInstanceSGOUTSIDE'
-         SubnetId: !Ref PublicSubnet1ID
-  InsideENI:
-      Type: AWS::EC2::NetworkInterface
-      Properties:
-         Tags:
-         - Key: Name
-           Value: InsideEni
-         Description: A nice description.
-         SourceDestCheck: false
-         GroupSet:
-         - !Ref 'ASAvInstanceSGINSIDE'
-         SubnetId: !Ref PrivateSubnet1ID
-  ASAvInstance:
-    Type: 'AWS::EC2::Instance'
-    Properties:
-      Tags:
-        - Key: Name
-          Value: !Ref ASAv1HostName
-      InstanceType: !Ref InstanceTypeParam
-      KeyName: !Ref KeyPair
-      ImageId: !FindInMap 
-        - AWSAMIRegionMap
-        - !Ref 'AWS::Region'
-        - HVM64
-      NetworkInterfaces:
-       - NetworkInterfaceId: !Ref 'mgmtENI'
-         DeviceIndex: '0'
-       - NetworkInterfaceId: !Ref 'outsideENI'
-         DeviceIndex: '1'
-       - NetworkInterfaceId: !Ref 'InsideENI'
-         DeviceIndex: '2'
-      UserData:
-        Fn::Base64: !Sub  
-        - |
-          ! ASA Version
-          hostname ${ASAv1HostName}
-          !
-          ip local pool VPN-POOL ${VPNPoolFrom1}-${VPNPoolTo1} mask ${VPNPoolMask1}
-          access-list split standard permit ${VPCPOOL} ${VPCMASK}
-          access-list split standard permit ${OnPremPool} ${OnPremMask} 
-          !
-          username ${VPNUser} password ${VPNPassword}
-          username ${VPNUser} attributes
-          service-type remote-access
-          !
-          int tengi 0/0
-          nameif outside
-          security-level 0
-          ip address dhcp setroute
-          no shut
-          int tengi 0/1
-          nameif inside
-          security-level 100
-          ip address dhcp
-          no shut 
-          interface management0/0
-          nameif management
-          security-level 100
-          ip address dhcp
-          no shut
-          !
-          !
-          webvpn
-          enable outside
-          anyconnect image disk0:/anyconnect-macos-4.8.02045-webdeploy-k9.pkg 1
-          anyconnect enable
-          tunnel-group-list enable
-          group-policy LAB internal
-          group-policy LAB attributes
-          vpn-tunnel-protocol ssl-client ssl-clientless
-          address-pools value VPN-POOL
-          split-tunnel-policy tunnelspecified
-          split-tunnel-network-list value split
-          dynamic-access-policy-record DfltAccessPolicy
-          username admin nopassword privilege 15
-          tunnel-group LAB type remote-access
-          tunnel-group LAB general-attributes
-          default-group-policy LAB
-          address-pool VPN-POOL
-          tunnel-group LAB webvpn-attributes
-          group-alias LAB-VPN enable
-          !
-          dns domain-lookup outside
-          dns server-group DefaultDNS
-          name-server 208.67.222.222
-          name-server 208.67.220.220
-          !
-          same-security-traffic permit inter-interface
-          same-security-traffic permit intra-interface
-          !
-          route inside ${OnPremPool} ${OnPremMask} ${PrivateSubnet1GW}
-          !
-          policy-map global_policy
-          class inspection_default
-            inspect icmp
-          !
-          access-list 101 extended permit ip any any 
-          access-group 101 in interface outside
-          access-group 101 in interface inside
-          !
-          object network NET-${PrivateSubnet1CIDR}
-          subnet ${PrivateSubnet1Pool} ${PrivateSubnet1Mask}
-          nat (inside,outside) dynamic interface
-          !
-          crypto key generate rsa modulus 2048
-          ssh 0 0 inside
-          ssh 0 0 outside
-          ssh 0 0 management
-          ssh timeout 30
-          aaa authentication ssh console LOCAL
-          username admin nopassword privilege 15
-          username admin attributes
-          service-type admin
-          !
-          name 129.6.15.28 time-a.nist.gov
-          name 129.6.15.29 time-b.nist.gov
-          name 129.6.15.30 time-c.nist.gov
-          ntp server time-c.nist.gov
-          ntp server time-b.nist.gov
-          ntp server time-a.nist.gov
-          icmp permit any outside
-          icmp permit any inside
-          icmp permit any management
-          !
-        - VPCMASK: !FindInMap
-          - CIDRtoSubnetmask
-          - !Ref VPCCIDRMASK
-          - mask
-          VPNPoolMask1: !FindInMap
-          - CIDRtoSubnetmask
-          - !Ref VPNPoolCIDRMask1
-          - mask
-          OnPremMask: !FindInMap
-          - CIDRtoSubnetmask
-          - !Ref OnPremCIDRMask
-          - mask
-          PrivateSubnet1Mask: !FindInMap
-          - CIDRtoSubnetmask
-          - !Ref PrivateSubnet1CIDRMask
-          - mask  
-Outputs:
-  AccountId:
-    Description: Amazon Account ID
-    Value: !Ref 'AWS::AccountId'
-  MgmtSubnet1CIDR:
-    Description: Mgmt subnet CIDR
-    Value: !Ref 'MgmtSubnet1CIDR'
-  MgmtSubnet1ID:
-    Description: Mgmt subnet ID
-    Value: !Ref 'MgmtSubnet1'
-  InsideENI:
-    Description: ASAv Instance Inside Network Interface ID
-    Value: !Ref 'InsideENI'
-  ASAv1MGMTIP:
-    Description: ASAv Instance Management IP
-    Value: !GetAtt mgmtENI.PrimaryPrivateIpAddress
-  ASAv1PublicIP:
-    Description: ASAv Instance Public IP
-    Value: !Ref outsideIP
-  VPNPoolFrom1:
-    Description: ASAv Instance VPN Pool From
-    Value: !Ref VPNPoolFrom1
-  VPNPoolTo1:
-    Description: ASAv Instance VPN Pool To
-    Value: !Ref VPNPoolTo1
-  VPNPoolCIDRMask1:
-    Description: ASAv Instance VPN Pool Mask
-    Value: !Ref VPNPoolCIDRMask1

+ 0 - 879
base/_archive/cisco_vpn/quickstart-cisco-asav-ravpn/templates/quickstart-cisco-asav-ravpn-main.yaml

@@ -1,879 +0,0 @@
-AWSTemplateFormatVersion: 2010-09-09
-Description: >-
-  Cisco Systems - Main Stack - Creates VPC and the necessary policies, roles,
-  security group and launches the Cisco ASAv RAVPN instances. **WARNING** You
-  will be billed for the AWS resources used if you create a stack from this
-  template. (qs-1qp7e9tnp)
-Metadata:
-  'AWS::CloudFormation::Interface':
-    ParameterGroups:
-      - Label:
-          default: Availability Zone Configuration
-        Parameters:
-          - AvailabilityZones
-          - NumberOfAZs
-      - Label:
-          default: VPC Network Configuration
-        Parameters:
-          - VPCCIDR
-          - PublicSubnet1CIDR
-          - PublicSubnet2CIDR
-          - PublicSubnet3CIDR
-          - PublicSubnet4CIDR
-          - PrivateSubnet1CIDR
-          - PrivateSubnet2CIDR
-          - PrivateSubnet3CIDR        
-          - PrivateSubnet4CIDR       
-      - Label:
-          default: ASAv Configuration
-        Parameters:
-          - NumberOfASAv
-          - ASAv1HostName
-          - ASAv2HostName
-          - ASAv3HostName
-          - ASAv4HostName
-          - DnsName
-          - InstanceTypeParam
-          - KeyPair
-          - VPNUser
-          - VPNPassword
-          - SSHLockDownCIDR
-          - MgmtSubnet1CIDR
-          - MgmtSubnet2CIDR
-          - MgmtSubnet3CIDR
-          - MgmtSubnet4CIDR
-          - VPNPoolCIDR1
-          - VPNPoolCIDR2
-          - VPNPoolCIDR3
-          - VPNPoolCIDR4
-      - Label:
-          default: AWS Transit Gateway configuration
-        Parameters:
-          - TGWSubnet1CIDR
-          - TGWSubnet2CIDR
-          - TGWSubnet3CIDR
-          - TGWSubnet4CIDR
-          - AmazonSideAsn
-      - Label:
-          default: On-Premises Gateway Configuration
-        Parameters:
-          - OnPremFirewallPublicIP
-          - OnPremFirewallASN
-          - PreSharedKeyForVPNAttachment
-          - VPNTunnelCIDRs
-          - OnPremCIDR
-      - Label:
-          default: AWS Quick Start Configuration
-        Parameters:
-          - QSS3BucketName
-          - QSS3BucketRegion
-          - QSS3KeyPrefix
-    ParameterLabels: 
-      AvailabilityZones:
-        default: Availability Zones
-      NumberOfAZs:
-        default: Number of Availability Zones 
-      VPCCIDR:
-        default: VPC CIDR
-      PublicSubnet1CIDR:
-        default: Public subnet 1 CIDR
-      PublicSubnet2CIDR:
-        default: Public subnet 2 CIDR
-      PublicSubnet3CIDR:
-        default: Public subnet 3 CIDR
-      PublicSubnet4CIDR:
-        default: Public subnet 4 CIDR
-      PrivateSubnet1CIDR:
-        default: Private subnet 1 CIDR
-      PrivateSubnet2CIDR:
-        default: Private subnet 2 CIDR
-      PrivateSubnet3CIDR:
-        default: Private subnet 3 CIDR
-      PrivateSubnet4CIDR:
-        default: Private subnet 4 CIDR
-      NumberOfASAv:
-        default: Number of ASAv instances
-      ASAv1HostName:
-        default: ASAv1 hostname
-      ASAv2HostName:
-        default: ASAv2 hostname
-      ASAv3HostName:
-        default: ASAv3 hostname
-      ASAv4HostName:
-        default: ASAv4 hostname
-      DnsName:
-        default: DNS name
-      InstanceTypeParam:
-        default: Instance type of ASAv
-      VPNUser:
-        default: VPN user
-      VPNPassword:
-        default: VPN password
-      KeyPair:
-        default: ASAv instance key pair
-      SSHLockDownCIDR:
-        default: SSH lockdown CIDR
-      MgmtSubnet1CIDR:
-        default: Management subnet 1 CIDR
-      MgmtSubnet2CIDR:
-        default: Management subnet 2 CIDR
-      MgmtSubnet3CIDR:
-        default: Management subnet 3 CIDR
-      MgmtSubnet4CIDR:
-        default: Management subnet 4 CIDR
-      VPNPoolCIDR1:
-        default: VPN pool for ASAv1
-      VPNPoolCIDR2:
-        default: VPN pool for ASAv2
-      VPNPoolCIDR3:
-        default: VPN pool for ASAv3
-      VPNPoolCIDR4:
-        default: VPN pool for ASAv4
-      QSS3BucketName:
-        default: Quick Start S3 bucket name
-      QSS3BucketRegion:
-        default: Quick Start S3 bucket region
-      QSS3KeyPrefix:
-        default: Quick Start S3 key prefix
-      TGWSubnet1CIDR:
-        default: TGW subnet 1 CIDR
-      TGWSubnet2CIDR:
-        default: TGW subnet 2 CIDR
-      TGWSubnet3CIDR:
-        default: TGW subnet 3 CIDR
-      TGWSubnet4CIDR:
-        default: TGW subnet 4 CIDR
-      AmazonSideAsn: 
-        default: ASN for TGW S2S VPN attachment
-      OnPremFirewallPublicIP:
-        default: Public IP for customer on-premises gateway
-      OnPremFirewallASN:
-        default: ASN for customer gateway
-      PreSharedKeyForVPNAttachment:
-        default: Pre shared key for VPN attachement
-      VPNTunnelCIDRs:
-        default: On-premises gateway to TGW S2S VPN tunnel CIDR blocks
-      OnPremCIDR:
-        default: On-premises network CIDR
-Parameters:
-  AvailabilityZones:
-    Description: >-
-      List of Availability Zones to use for the subnets in the VPC. Note: The
-      logical order is preserved and up to 4 Availability Zoness are used for 
-      this deployment.
-    Type: 'List<AWS::EC2::AvailabilityZone::Name>'
-  NumberOfAZs:
-    AllowedValues:
-      - '1'
-      - '2'
-      - '3'
-      - '4'
-    Default: '2'
-    Description: >-
-      Number of Availability Zones to use in the VPC. This must match the number
-      of selections in the list of Availability Zones.
-    Type: String
-  VPCCIDR:
-    AllowedPattern: >-
-      ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
-    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
-    Default: 10.0.0.0/16
-    Description: CIDR block for the VPC.
-    Type: String
-  PublicSubnet1CIDR:
-    AllowedPattern: >-
-      ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
-    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
-    Default: 10.0.0.0/21
-    Description: CIDR block for public subnet 1 located in Availability Zone 1, for ASAv1.
-    Type: String
-  PublicSubnet2CIDR:
-    AllowedPattern: >-
-      ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
-    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
-    Default: 10.0.8.0/21
-    Description: CIDR block for public subnet 2 located in Availability Zone 2, for ASAv2.
-    Type: String
-  PublicSubnet3CIDR:
-    AllowedPattern: >-
-      ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
-    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
-    Default: 10.0.16.0/21
-    Description: CIDR block for public subnet 3 located in Availability Zone 3, for ASAv3.
-    Type: String
-  PublicSubnet4CIDR:
-    AllowedPattern: >-
-      ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
-    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
-    Default: 10.0.24.0/21
-    Description: CIDR block for public subnet 4 located in Availability Zone 4, for ASAv4.
-    Type: String
-  PrivateSubnet1CIDR:
-    AllowedPattern: >-
-      ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
-    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
-    Default: 10.0.32.0/21
-    Description: CIDR block for private subnet 1 located in Availability Zone 1, for ASAv1.
-    Type: String
-  PrivateSubnet2CIDR:
-    AllowedPattern: >-
-      ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
-    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
-    Default: 10.0.40.0/21
-    Description: CIDR block for private subnet 2 located in Availability Zone 2, for ASAv2.
-    Type: String
-  PrivateSubnet3CIDR:
-    AllowedPattern: >-
-      ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
-    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
-    Default: 10.0.48.0/21
-    Description: CIDR block for private subnet 3 located in Availability Zone 3, for ASAv3.
-    Type: String
-  PrivateSubnet4CIDR:
-    AllowedPattern: >-
-      ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
-    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
-    Default: 10.0.56.0/21
-    Description: CIDR block for private subnet 4 located in Availability Zone 4, for ASAv4.
-    Type: String
-  NumberOfASAv:
-    AllowedValues:
-      - '1'
-      - '2'
-      - '3'
-      - '4'
-    Default: '2'
-    Description: >-
-      Number of ASAv instances to be initiated.
-    Type: String  
-  ASAv1HostName:
-    Type: String
-    Default: ASAv01RAVPN
-    Description: Enter ASAv1 hostname.
-  ASAv2HostName:
-    Type: String
-    Default: ASAv02RAVPN
-    Description: Enter ASAv2 hostname.
-  ASAv3HostName:
-    Type: String
-    Default: ASAv03RAVPN
-    Description: Enter ASAv3 hostname.
-  ASAv4HostName:
-    Type: String
-    Default: ASAv04RAVPN
-    Description: Enter ASAv4 hostname.
-  DnsName:
-    Type: String
-    Description: Domain name of PublicHostedZone registered in Route53. This is the domain name behind which the ASAv firewall instances will be load balanced.
-    Default: example.com
-  InstanceTypeParam:
-    Type: String
-    Default: c5.large
-    AllowedValues:
-      - m4.large
-      - m4.xlarge
-      - m4.2xlarge
-      - c3.large
-      - c3.xlarge
-      - c3.2xlarge
-      - c4.large
-      - c4.xlarge
-      - c4.2xlarge
-      - c5.large
-      - c5.xlarge
-      - c5.2xlarge
-    Description: Select an instance type for the ASAv instances.
-  VPNUser:
-    Type: String
-    Description: Test VPN username.
-  VPNPassword:
-    NoEcho: true
-    Type: String
-    Description: Test VPN password.
-  KeyPair:
-    Type: AWS::EC2::KeyPair::KeyName
-    Description: ASAv instances will launch with this key pair.
-  SSHLockDownCIDR:
-    AllowedPattern: >-
-      ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|1[6-9]|2[0-8]))$
-    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/0-28
-    Description: CIDR block for locking down SSH access on the outside interface.
-    Type: String
-  MgmtSubnet1CIDR:
-    AllowedPattern: >-
-      ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
-    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
-    Default: 10.0.64.0/21
-    Description: CIDR block for management subnet 1 located in Availability Zone 1, for ASAv1.
-    Type: String
-  MgmtSubnet2CIDR:
-    AllowedPattern: >-
-      ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
-    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
-    Default: 10.0.72.0/21
-    Description: CIDR block for management subnet 2 located in Availability Zone 2, for ASAv2.
-    Type: String
-  MgmtSubnet3CIDR:
-    AllowedPattern: >-
-      ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
-    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
-    Default: 10.0.80.0/21
-    Description: CIDR block for management subnet 3 located in Availability Zone 3, for ASAv3.
-    Type: String
-  MgmtSubnet4CIDR:
-    AllowedPattern: >-
-      ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
-    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
-    Default: 10.0.88.0/21
-    Description: CIDR block for management subnet 4 located in Availability Zone 4, for ASAv4.
-    Type: String
-  VPNPoolCIDR1:
-    AllowedPattern: >-
-      ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(19))$
-    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/19
-    Default: 172.16.0.0/19
-    Description: This is a /19 CIDR block for a ghost VPN pool for ASAv1. VPN clients connecting in will be assigned an IP from this subnet. This subnet should not overlap with the on-premises CIDR or VPC CIDR blocks. You can use the default value.
-    Type: String
-  VPNPoolCIDR2:
-    AllowedPattern: >-
-      ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(19))$
-    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/19
-    Default: 172.16.32.0/19
-    Description: This is a /19 CIDR block for a ghost VPN pool for ASAv2. VPN clients connecting in will be assigned an IP from this subnet. This subnet should not overlap with the on-premises CIDR or VPC CIDR blocks. You can use the default value.
-    Type: String
-  VPNPoolCIDR3:
-    AllowedPattern: >-
-      ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(19))$
-    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/19
-    Default: 172.16.64.0/19
-    Description: This is a /19 CIDR block for a ghost VPN pool for ASAv3. VPN clients connecting in will be assigned an IP from this subnet. This subnet should not overlap with the on-premises CIDR or VPC CIDR blocks. You can use the default value.
-    Type: String
-  VPNPoolCIDR4:
-    AllowedPattern: >-
-      ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(19))$
-    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/19
-    Default: 172.16.96.0/19
-    Description: This is a /19 CIDR block for a ghost VPN pool for ASAv4. VPN clients connecting in will be assigned an IP from this subnet. This subnet should not overlap with the on-premises CIDR or VPC CIDR blocks. You can use the default value.
-    Type: String
-  QSS3BucketName:
-    AllowedPattern: '^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$'
-    ConstraintDescription: >-
-      Quick Start bucket name can include numbers, lowercase letters, uppercase
-      letters, and hyphens (-). It cannot start or end with a hyphen (-).
-    Default: aws-quickstart
-    Description: >-
-      S3 bucket name for the Quick Start assets. Quick Start bucket name can
-      include numbers, lowercase letters, uppercase letters, and hyphens (-). It
-      cannot start or end with a hyphen (-).
-    Type: String
-  QSS3BucketRegion:
-    Default: us-east-1
-    Description: >-
-      The AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted.
-      When using your own bucket, you must specify this value.
-    Type: String
-  QSS3KeyPrefix:
-    AllowedPattern: '^[0-9a-zA-Z-/]*$'
-    ConstraintDescription: >-
-      Quick Start key prefix can include numbers, lowercase letters, uppercase
-      letters, hyphens (-), and forward slash (/).
-    Default: quickstart-cisco-asav-ravpn/
-    Description: >-
-      S3 key prefix for the Quick Start assets. Quick Start key prefix can
-      include numbers, lowercase letters, uppercase letters, hyphens (-), and
-      forward slash (/).
-    Type: String
-  TGWSubnet1CIDR:
-    AllowedPattern: >-
-      ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
-    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
-    Default: 10.0.96.0/21
-    Description: CIDR block for AWS Transit Gateway subnet 1 located in Availability Zone 1.
-    Type: String
-  TGWSubnet2CIDR:
-    AllowedPattern: >-
-      ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
-    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
-    Default: 10.0.104.0/21
-    Description: CIDR block for AWS Transit Gateway subnet 2 located in Availability Zone 2.
-    Type: String
-  TGWSubnet3CIDR:
-    AllowedPattern: >-
-      ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
-    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
-    Default: 10.0.112.0/21
-    Description: CIDR block for AWS Transit Gateway subnet 3 located in Availability Zone 3.
-    Type: String
-  TGWSubnet4CIDR:
-    AllowedPattern: >-
-      ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
-    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
-    Default: 10.0.120.0/21
-    Description: CIDR block for AWS Transit Gateway subnet 4 located in Availability Zone 4.
-    Type: String
-  AmazonSideAsn:
-    Description: A private Autonomous System Number (ASN) for the Amazon side of a BGP session. The range is 64512 to 65534 for 16-bit ASNs and 4200000000 to 4294967294 for 32-bit ASNs.
-    Type: String
-    Default: 64513
-  OnPremFirewallPublicIP:
-    Description: Specify the public IP address of the on-premises gateway.
-    Type: String
-  OnPremFirewallASN:
-    Description: Specify the BGP ASN of the on-premises gateway.
-    Type: String
-    Default: 65001
-  PreSharedKeyForVPNAttachment:
-    Description: Specify the pre shared key of the customer gateway. Must be 15 characters in length and cannot start with zero (0).
-    NoEcho: true
-    Type: String
-    Default: casav1234567891
-    MinLength: 15
-    MaxLength: 15
-  OnPremCIDR:
-    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
-    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
-    Description: CIDR block for the on-premises network.
-    Type: String
-  VPNTunnelCIDRs:
-    Description: Specify the tunnel inside CIDR blocks for the on-premises firewall. You can use the default pre-filled CIDR blocks as well.
-    Type: CommaDelimitedList
-    Default: "169.254.6.0/30, 169.254.7.0/30"
-Conditions:
-  UsingDefaultBucket: !Equals 
-    - !Ref QSS3BucketName
-    - aws-quickstart
-  3SubnetCondition: !Or
-    - !Equals
-      - !Ref 'NumberOfAZs'
-      - '3'
-    - !Condition 4SubnetCondition
-  4SubnetCondition: !Equals
-    - !Ref 'NumberOfAZs'
-    - '4'
-  1ASAvCondition: !Or
-    - !Equals
-      - !Ref 'NumberOfASAv'
-      - '1'
-    - !Condition '2ASAvCondition'
-  2ASAvCondition: !Or
-    - !Equals
-      - !Ref 'NumberOfASAv'
-      - '2'
-    - !Condition '3ASAvCondition'
-  3ASAvCondition: !Or
-    - !Equals
-      - !Ref 'NumberOfASAv'
-      - '3'
-    - !Condition '4ASAvCondition'
-  4ASAvCondition: !Equals
-    - !Ref 'NumberOfASAv'
-    - '4'
-Resources:
-  VPCStack:
-    Type: 'AWS::CloudFormation::Stack'
-    Properties:
-      TemplateURL: !Sub 
-        - >-
-          https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-aws-vpc/templates/aws-vpc.template.yaml
-        - S3Region: !If 
-            - UsingDefaultBucket
-            - !Ref 'AWS::Region'
-            - !Ref QSS3BucketRegion
-          S3Bucket: !If 
-            - UsingDefaultBucket
-            - !Sub '${QSS3BucketName}-${AWS::Region}'
-            - !Ref QSS3BucketName
-      Parameters:
-        AvailabilityZones: !Join 
-          - ','
-          - !Ref AvailabilityZones
-        NumberOfAZs: !Ref NumberOfAZs
-        VPCCIDR: !Ref VPCCIDR
-        PrivateSubnet1ACIDR: !Ref PrivateSubnet1CIDR
-        PrivateSubnet2ACIDR: !Ref PrivateSubnet2CIDR
-        PrivateSubnet3ACIDR: !Ref PrivateSubnet3CIDR
-        PrivateSubnet4ACIDR: !Ref PrivateSubnet4CIDR
-        PublicSubnet1CIDR: !Ref PublicSubnet1CIDR
-        PublicSubnet2CIDR: !Ref PublicSubnet2CIDR
-        PublicSubnet3CIDR: !Ref PublicSubnet3CIDR
-        PublicSubnet4CIDR: !Ref PublicSubnet4CIDR
-  TGWStack:
-    Type: 'AWS::CloudFormation::Stack'
-    Properties:
-      TemplateURL: !Sub
-        - >-
-          https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/quickstart-cisco-asav-ravpn-tgw.yaml
-        - S3Region: !If 
-            - UsingDefaultBucket
-            - !Ref 'AWS::Region'
-            - !Ref QSS3BucketRegion
-          S3Bucket: !If 
-            - UsingDefaultBucket
-            - !Sub '${QSS3BucketName}-${AWS::Region}'
-            - !Ref QSS3BucketName
-      Parameters:
-        AvailabilityZones: !Join 
-          - ','
-          - !Ref AvailabilityZones
-        NumberOfAZs: !Ref NumberOfAZs
-        NumberOfASAv: !Ref NumberOfASAv
-        VPCID: !GetAtt 'VPCStack.Outputs.VPCID'
-        NetworkInterfaceId1ASAv1: !If [1ASAvCondition, !GetAtt 'ASAvStack1.Outputs.InsideENI', !Ref "AWS::NoValue"]
-        NetworkInterfaceId1ASAv2: !If [2ASAvCondition, !GetAtt 'ASAvStack1.Outputs.InsideENI', !Ref "AWS::NoValue"]
-        NetworkInterfaceId2ASAv2: !If [2ASAvCondition, !GetAtt 'ASAvStack2.Outputs.InsideENI', !Ref "AWS::NoValue"]
-        NetworkInterfaceId1ASAv3: !If [3ASAvCondition, !GetAtt 'ASAvStack1.Outputs.InsideENI', !Ref "AWS::NoValue"]
-        NetworkInterfaceId2ASAv3: !If [3ASAvCondition, !GetAtt 'ASAvStack2.Outputs.InsideENI', !Ref "AWS::NoValue"]
-        NetworkInterfaceId3ASAv3: !If [3ASAvCondition, !GetAtt 'ASAvStack3.Outputs.InsideENI', !Ref "AWS::NoValue"]
-        NetworkInterfaceId1ASAv4: !If [4ASAvCondition, !GetAtt 'ASAvStack1.Outputs.InsideENI', !Ref "AWS::NoValue"]
-        NetworkInterfaceId2ASAv4: !If [4ASAvCondition, !GetAtt 'ASAvStack2.Outputs.InsideENI', !Ref "AWS::NoValue"]
-        NetworkInterfaceId3ASAv4: !If [4ASAvCondition, !GetAtt 'ASAvStack3.Outputs.InsideENI', !Ref "AWS::NoValue"]
-        NetworkInterfaceId4ASAv4: !If [4ASAvCondition, !GetAtt 'ASAvStack4.Outputs.InsideENI', !Ref "AWS::NoValue"]
-        PrivateSubnet1ARouteTable: !GetAtt 'VPCStack.Outputs.PrivateSubnet1ARouteTable'
-        PrivateSubnet2ARouteTable: !GetAtt 'VPCStack.Outputs.PrivateSubnet2ARouteTable'
-        PrivateSubnet3ARouteTable: !If [3SubnetCondition, !GetAtt 'VPCStack.Outputs.PrivateSubnet3ARouteTable', !Ref "AWS::NoValue"]
-        PrivateSubnet4ARouteTable: !If [4SubnetCondition, !GetAtt 'VPCStack.Outputs.PrivateSubnet4ARouteTable', !Ref "AWS::NoValue"]
-        VPNPoolCIDR1: !Ref VPNPoolCIDR1
-        VPNPoolCIDR2: !Ref VPNPoolCIDR2
-        VPNPoolCIDR3: !Ref VPNPoolCIDR3
-        VPNPoolCIDR4: !Ref VPNPoolCIDR4
-        TGWSubnet1CIDR: !Ref TGWSubnet1CIDR
-        TGWSubnet2CIDR: !Ref TGWSubnet2CIDR
-        TGWSubnet3CIDR: !Ref TGWSubnet3CIDR
-        TGWSubnet4CIDR: !Ref TGWSubnet4CIDR
-        OnPremFirewallPublicIP: !Ref OnPremFirewallPublicIP
-        OnPremFirewallASN: !Ref OnPremFirewallASN
-        PreSharedKeyForVPNAttachment: !Ref PreSharedKeyForVPNAttachment
-        VPNTunnelCIDRs: !Join
-        - ","
-        - !Ref VPNTunnelCIDRs
-        AmazonSideAsn: !Ref AmazonSideAsn
-        OnPremCIDR: !Ref OnPremCIDR
-        QSS3BucketName: !Ref QSS3BucketName
-        QSS3KeyPrefix: !Ref QSS3KeyPrefix
-        QSS3BucketRegion: !Ref QSS3BucketRegion
-  CommonResourcesStack:
-    Type: 'AWS::CloudFormation::Stack'
-    Properties:
-      TemplateURL: !Sub 
-        - >-
-          https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/quickstart-cisco-asav-ravpn-common.yaml
-        - S3Region: !If 
-            - UsingDefaultBucket
-            - !Ref 'AWS::Region'
-            - !Ref QSS3BucketRegion
-          S3Bucket: !If 
-            - UsingDefaultBucket
-            - !Sub '${QSS3BucketName}-${AWS::Region}'
-            - !Ref QSS3BucketName
-      Parameters:
-        DnsName: !Ref DnsName
-        VPCID: !GetAtt 'VPCStack.Outputs.VPCID'
-        SSHLockDownCIDR: !Ref SSHLockDownCIDR
-  ASAvStack1:
-    Condition: 1ASAvCondition
-    Type: 'AWS::CloudFormation::Stack'
-    Properties:
-      TemplateURL: !Sub 
-        - >-
-          https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/quickstart-cisco-asav-ravpn-instance.yaml
-        - S3Region: !If 
-            - UsingDefaultBucket
-            - !Ref 'AWS::Region'
-            - !Ref QSS3BucketRegion
-          S3Bucket: !If 
-            - UsingDefaultBucket
-            - !Sub '${QSS3BucketName}-${AWS::Region}'
-            - !Ref QSS3BucketName
-      Parameters:
-        InstanceTypeParam: !Ref InstanceTypeParam
-        KeyPair: !Ref KeyPair
-        VPCID: !GetAtt 'VPCStack.Outputs.VPCID'
-        VPNUser: !Ref VPNUser
-        VPNPassword: !Ref VPNPassword
-        PrivateSubnet1ID: !GetAtt 'VPCStack.Outputs.PrivateSubnet1AID'
-        PublicSubnet1ID:  !GetAtt 'VPCStack.Outputs.PublicSubnet1ID'
-        MgmtSubnet1CIDR: !Ref MgmtSubnet1CIDR
-        ASAv1HostName: !Ref ASAv1HostName
-        DnsName: !Ref DnsName
-        VPNPoolFrom1: !Sub
-        - ${a}.${b}.0.1
-        - a: !Select [0, !Split ['.', !Select [0, !Split [ "/" , !Ref VPNPoolCIDR1 ]]]]
-          b: !Select [1, !Split ['.', !Select [0, !Split [ "/" , !Ref VPNPoolCIDR1 ]]]]
-        VPNPoolTo1: !Sub
-        - ${a}.${b}.31.254
-        - a: !Select [0, !Split ['.', !Select [0, !Split [ "/" , !Ref VPNPoolCIDR1 ]]]]
-          b: !Select [1, !Split ['.', !Select [0, !Split [ "/" , !Ref VPNPoolCIDR1 ]]]]
-        VPNPoolCIDRMask1: !Select [1, !Split [ "/" , !Ref VPNPoolCIDR1 ]] 
-        VPCCIDRMASK: !Select [1, !Split [ "/" , !Ref VPCCIDR ]] 
-        VPCPOOL: !Select [0, !Split ["/", !Ref VPCCIDR]]
-        OnPremCIDRMask: !Select [1, !Split [ "/" , !Ref OnPremCIDR ]] 
-        OnPremPool: !Select [0, !Split ["/", !Ref OnPremCIDR]]
-        PrivateSubnet1GW: !Sub
-        - ${a}.${b}.${c}.1
-        - a: !Select [0, !Split ['.', !Select [0, !Split [ "/" , !Ref PrivateSubnet1CIDR ]]]]
-          b: !Select [1, !Split ['.', !Select [0, !Split [ "/" , !Ref PrivateSubnet1CIDR ]]]]
-          c: !Select [2, !Split ['.', !Select [0, !Split [ "/" , !Ref PrivateSubnet1CIDR ]]]]
-        PrivateSubnet1CIDR: !Ref PrivateSubnet1CIDR
-        PrivateSubnet1Pool: !Select [0, !Split ["/", !Ref PrivateSubnet1CIDR]]
-        PrivateSubnet1CIDRMask: !Select [1, !Split [ "/" , !Ref PrivateSubnet1CIDR ]]
-        PublicHostedZone: !GetAtt 'CommonResourcesStack.Outputs.PublicHostedZone'
-        MgmtRouteTable: !GetAtt 'CommonResourcesStack.Outputs.MgmtRouteTable'
-        ASAvInstanceSGMGMT: !GetAtt 'CommonResourcesStack.Outputs.ASAvInstanceSGMGMT'
-        ASAvInstanceSGOUTSIDE: !GetAtt 'CommonResourcesStack.Outputs.ASAvInstanceSGOUTSIDE'
-        ASAvInstanceSGINSIDE: !GetAtt 'CommonResourcesStack.Outputs.ASAvInstanceSGINSIDE'
-        InstanceIdentifier: 0
-
-  ASAvStack2:
-    Condition: 2ASAvCondition
-    Type: 'AWS::CloudFormation::Stack'
-    Properties:
-      TemplateURL: !Sub 
-        - >-
-          https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/quickstart-cisco-asav-ravpn-instance.yaml
-        - S3Region: !If 
-            - UsingDefaultBucket
-            - !Ref 'AWS::Region'
-            - !Ref QSS3BucketRegion
-          S3Bucket: !If 
-            - UsingDefaultBucket
-            - !Sub '${QSS3BucketName}-${AWS::Region}'
-            - !Ref QSS3BucketName
-      Parameters:
-        InstanceTypeParam: !Ref InstanceTypeParam
-        KeyPair: !Ref KeyPair
-        VPCID: !GetAtt 'VPCStack.Outputs.VPCID'
-        VPNUser: !Ref VPNUser
-        VPNPassword: !Ref VPNPassword
-        PrivateSubnet1ID: !GetAtt 'VPCStack.Outputs.PrivateSubnet2AID'
-        PublicSubnet1ID:  !GetAtt 'VPCStack.Outputs.PublicSubnet2ID'
-        MgmtSubnet1CIDR: !Ref MgmtSubnet2CIDR
-        ASAv1HostName: !Ref ASAv2HostName
-        DnsName: !Ref DnsName
-        VPNPoolFrom1: !Sub
-        - ${a}.${b}.32.1
-        - a: !Select [0, !Split ['.', !Select [0, !Split [ "/" , !Ref VPNPoolCIDR2 ]]]]
-          b: !Select [1, !Split ['.', !Select [0, !Split [ "/" , !Ref VPNPoolCIDR2 ]]]]
-        VPNPoolTo1: !Sub
-        - ${a}.${b}.63.254
-        - a: !Select [0, !Split ['.', !Select [0, !Split [ "/" , !Ref VPNPoolCIDR2 ]]]]
-          b: !Select [1, !Split ['.', !Select [0, !Split [ "/" , !Ref VPNPoolCIDR2 ]]]]
-        VPNPoolCIDRMask1: !Select [1, !Split [ "/" , !Ref VPNPoolCIDR2 ]] 
-        VPCCIDRMASK: !Select [1, !Split [ "/" , !Ref VPCCIDR ]] 
-        VPCPOOL: !Select [0, !Split ["/", !Ref VPCCIDR]]
-        OnPremCIDRMask: !Select [1, !Split [ "/" , !Ref OnPremCIDR ]] 
-        OnPremPool: !Select [0, !Split ["/", !Ref OnPremCIDR]]
-        PrivateSubnet1GW: !Sub
-        - ${a}.${b}.${c}.1
-        - a: !Select [0, !Split ['.', !Select [0, !Split [ "/" , !Ref PrivateSubnet2CIDR ]]]]
-          b: !Select [1, !Split ['.', !Select [0, !Split [ "/" , !Ref PrivateSubnet2CIDR ]]]]
-          c: !Select [2, !Split ['.', !Select [0, !Split [ "/" , !Ref PrivateSubnet2CIDR ]]]]
-        PrivateSubnet1CIDR: !Ref PrivateSubnet2CIDR
-        PrivateSubnet1Pool: !Select [0, !Split ["/", !Ref PrivateSubnet2CIDR]]
-        PrivateSubnet1CIDRMask: !Select [1, !Split [ "/" , !Ref PrivateSubnet2CIDR ]]
-        PublicHostedZone: !GetAtt 'CommonResourcesStack.Outputs.PublicHostedZone'
-        MgmtRouteTable: !GetAtt 'CommonResourcesStack.Outputs.MgmtRouteTable'
-        ASAvInstanceSGMGMT: !GetAtt 'CommonResourcesStack.Outputs.ASAvInstanceSGMGMT'
-        ASAvInstanceSGOUTSIDE: !GetAtt 'CommonResourcesStack.Outputs.ASAvInstanceSGOUTSIDE'
-        ASAvInstanceSGINSIDE: !GetAtt 'CommonResourcesStack.Outputs.ASAvInstanceSGINSIDE'
-        InstanceIdentifier: 1
-
-  ASAvStack3:
-    Condition: 3ASAvCondition
-    Type: 'AWS::CloudFormation::Stack'
-    Properties:
-      TemplateURL: !Sub 
-        - >-
-          https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/quickstart-cisco-asav-ravpn-instance.yaml
-        - S3Region: !If 
-            - UsingDefaultBucket
-            - !Ref 'AWS::Region'
-            - !Ref QSS3BucketRegion
-          S3Bucket: !If 
-            - UsingDefaultBucket
-            - !Sub '${QSS3BucketName}-${AWS::Region}'
-            - !Ref QSS3BucketName
-      Parameters:
-        InstanceTypeParam: !Ref InstanceTypeParam
-        KeyPair: !Ref KeyPair
-        VPCID: !GetAtt 'VPCStack.Outputs.VPCID'
-        VPNUser: !Ref VPNUser
-        VPNPassword: !Ref VPNPassword
-        PrivateSubnet1ID: !GetAtt 'VPCStack.Outputs.PrivateSubnet3AID'
-        PublicSubnet1ID:  !GetAtt 'VPCStack.Outputs.PublicSubnet3ID'
-        MgmtSubnet1CIDR: !Ref MgmtSubnet3CIDR
-        ASAv1HostName: !Ref ASAv3HostName
-        DnsName: !Ref DnsName
-        VPNPoolFrom1: !Sub
-        - ${a}.${b}.64.1
-        - a: !Select [0, !Split ['.', !Select [0, !Split [ "/" , !Ref VPNPoolCIDR3 ]]]]
-          b: !Select [1, !Split ['.', !Select [0, !Split [ "/" , !Ref VPNPoolCIDR3 ]]]]
-        VPNPoolTo1: !Sub
-        - ${a}.${b}.95.254
-        - a: !Select [0, !Split ['.', !Select [0, !Split [ "/" , !Ref VPNPoolCIDR3 ]]]]
-          b: !Select [1, !Split ['.', !Select [0, !Split [ "/" , !Ref VPNPoolCIDR3 ]]]]
-        VPNPoolCIDRMask1: !Select [1, !Split [ "/" , !Ref VPNPoolCIDR3 ]] 
-        VPCCIDRMASK: !Select [1, !Split [ "/" , !Ref VPCCIDR ]] 
-        VPCPOOL: !Select [0, !Split ["/", !Ref VPCCIDR]]
-        OnPremCIDRMask: !Select [1, !Split [ "/" , !Ref OnPremCIDR ]] 
-        OnPremPool: !Select [0, !Split ["/", !Ref OnPremCIDR]]
-        PrivateSubnet1GW: !Sub
-        - ${a}.${b}.${c}.1
-        - a: !Select [0, !Split ['.', !Select [0, !Split [ "/" , !Ref PrivateSubnet3CIDR ]]]]
-          b: !Select [1, !Split ['.', !Select [0, !Split [ "/" , !Ref PrivateSubnet3CIDR ]]]]
-          c: !Select [2, !Split ['.', !Select [0, !Split [ "/" , !Ref PrivateSubnet3CIDR ]]]]
-        PrivateSubnet1CIDR: !Ref PrivateSubnet3CIDR
-        PrivateSubnet1Pool: !Select [0, !Split ["/", !Ref PrivateSubnet3CIDR]]
-        PrivateSubnet1CIDRMask: !Select [1, !Split [ "/" , !Ref PrivateSubnet3CIDR ]]
-        PublicHostedZone: !GetAtt 'CommonResourcesStack.Outputs.PublicHostedZone'
-        MgmtRouteTable: !GetAtt 'CommonResourcesStack.Outputs.MgmtRouteTable'
-        ASAvInstanceSGMGMT: !GetAtt 'CommonResourcesStack.Outputs.ASAvInstanceSGMGMT'
-        ASAvInstanceSGOUTSIDE: !GetAtt 'CommonResourcesStack.Outputs.ASAvInstanceSGOUTSIDE'
-        ASAvInstanceSGINSIDE: !GetAtt 'CommonResourcesStack.Outputs.ASAvInstanceSGINSIDE'
-        InstanceIdentifier: 2
-
-  ASAvStack4:
-    Condition: 4ASAvCondition
-    Type: 'AWS::CloudFormation::Stack'
-    Properties:
-      TemplateURL: !Sub 
-        - >-
-          https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/quickstart-cisco-asav-ravpn-instance.yaml
-        - S3Region: !If 
-            - UsingDefaultBucket
-            - !Ref 'AWS::Region'
-            - !Ref QSS3BucketRegion
-          S3Bucket: !If 
-            - UsingDefaultBucket
-            - !Sub '${QSS3BucketName}-${AWS::Region}'
-            - !Ref QSS3BucketName
-      Parameters:
-        InstanceTypeParam: !Ref InstanceTypeParam
-        KeyPair: !Ref KeyPair
-        VPCID: !GetAtt 'VPCStack.Outputs.VPCID'
-        VPNUser: !Ref VPNUser
-        VPNPassword: !Ref VPNPassword
-        PrivateSubnet1ID: !GetAtt 'VPCStack.Outputs.PrivateSubnet4AID'
-        PublicSubnet1ID:  !GetAtt 'VPCStack.Outputs.PublicSubnet4ID'
-        MgmtSubnet1CIDR: !Ref MgmtSubnet4CIDR
-        ASAv1HostName: !Ref ASAv4HostName
-        DnsName: !Ref DnsName
-        VPNPoolFrom1: !Sub
-        - ${a}.${b}.96.1
-        - a: !Select [0, !Split ['.', !Select [0, !Split [ "/" , !Ref VPNPoolCIDR4 ]]]]
-          b: !Select [1, !Split ['.', !Select [0, !Split [ "/" , !Ref VPNPoolCIDR4 ]]]]
-        VPNPoolTo1: !Sub
-        - ${a}.${b}.127.254
-        - a: !Select [0, !Split ['.', !Select [0, !Split [ "/" , !Ref VPNPoolCIDR4 ]]]]
-          b: !Select [1, !Split ['.', !Select [0, !Split [ "/" , !Ref VPNPoolCIDR4 ]]]]
-        VPNPoolCIDRMask1: !Select [1, !Split [ "/" , !Ref VPNPoolCIDR4 ]] 
-        VPCCIDRMASK: !Select [1, !Split [ "/" , !Ref VPCCIDR ]] 
-        VPCPOOL: !Select [0, !Split ["/", !Ref VPCCIDR]]
-        OnPremCIDRMask: !Select [1, !Split [ "/" , !Ref OnPremCIDR ]] 
-        OnPremPool: !Select [0, !Split ["/", !Ref OnPremCIDR]]
-        PrivateSubnet1GW: !Sub
-        - ${a}.${b}.${c}.1
-        - a: !Select [0, !Split ['.', !Select [0, !Split [ "/" , !Ref PrivateSubnet4CIDR ]]]]
-          b: !Select [1, !Split ['.', !Select [0, !Split [ "/" , !Ref PrivateSubnet4CIDR ]]]]
-          c: !Select [2, !Split ['.', !Select [0, !Split [ "/" , !Ref PrivateSubnet4CIDR ]]]]
-        PrivateSubnet1CIDR: !Ref PrivateSubnet4CIDR
-        PrivateSubnet1Pool: !Select [0, !Split ["/", !Ref PrivateSubnet4CIDR]]
-        PrivateSubnet1CIDRMask: !Select [1, !Split [ "/" , !Ref PrivateSubnet4CIDR ]]
-        PublicHostedZone: !GetAtt 'CommonResourcesStack.Outputs.PublicHostedZone'
-        MgmtRouteTable: !GetAtt 'CommonResourcesStack.Outputs.MgmtRouteTable'
-        ASAvInstanceSGMGMT: !GetAtt 'CommonResourcesStack.Outputs.ASAvInstanceSGMGMT'
-        ASAvInstanceSGOUTSIDE: !GetAtt 'CommonResourcesStack.Outputs.ASAvInstanceSGOUTSIDE'
-        ASAvInstanceSGINSIDE: !GetAtt 'CommonResourcesStack.Outputs.ASAvInstanceSGINSIDE'
-        InstanceIdentifier: 3
-
-Outputs:
-  AccountId:
-    Description: Amazon Account ID
-    Value: !Ref 'AWS::AccountId'
-#------------------------------- ASAvStack1-----------------  
-  ASAv1MGMTIPStack1:
-    Condition: 1ASAvCondition
-    Description: ASAv Instance 1 Management IP
-    Value: !GetAtt ASAvStack1.Outputs.ASAv1MGMTIP
-  ASAv1PublicIPStack1:
-    Condition: 1ASAvCondition  
-    Description: ASAv Instance 1 Public IP
-    Value: !GetAtt ASAvStack1.Outputs.ASAv1PublicIP
-  VPNPoolFrom1Stack1:
-    Condition: 1ASAvCondition  
-    Description: ASAv Instance 1 VPN Pool From
-    Value: !GetAtt ASAvStack1.Outputs.VPNPoolFrom1
-  VPNPoolTo1Stack1:
-    Condition: 1ASAvCondition  
-    Description: ASAv Instance 1 VPN Pool To
-    Value: !GetAtt ASAvStack1.Outputs.VPNPoolTo1
-  VPNPoolMask1Stack1:
-    Condition: 1ASAvCondition  
-    Description: ASAv Instance 1 VPN Pool Mask
-    Value: !GetAtt ASAvStack1.Outputs.VPNPoolCIDRMask1
-#------------------------------- ASAvStack2-----------------
-  ASAv2MGMTIPStack2:
-    Condition: 2ASAvCondition
-    Description: ASAv Instance 2 Management IP
-    Value: !GetAtt ASAvStack2.Outputs.ASAv1MGMTIP
-  ASAv2PublicIPStack2:
-    Condition: 2ASAvCondition  
-    Description: ASAv Instance 2 Public IP
-    Value: !GetAtt ASAvStack2.Outputs.ASAv1PublicIP
-  VPNPoolFrom2Stack2:
-    Condition: 2ASAvCondition  
-    Description: ASAv Instance 2 VPN Pool From
-    Value: !GetAtt ASAvStack2.Outputs.VPNPoolFrom1
-  VPNPoolTo2Stack2:
-    Condition: 2ASAvCondition  
-    Description: ASAv Instance 2 VPN Pool To
-    Value: !GetAtt ASAvStack2.Outputs.VPNPoolTo1
-  VPNPoolMask2Stack2:
-    Condition: 2ASAvCondition  
-    Description: ASAv Instance 2 VPN Pool Mask
-    Value: !GetAtt ASAvStack2.Outputs.VPNPoolCIDRMask1
-#------------------------------- ASAvStack3-----------------
-  ASAv3MGMTIPStack3:
-    Condition: 3ASAvCondition
-    Description: ASAv Instance 3 Management IP
-    Value: !GetAtt ASAvStack3.Outputs.ASAv1MGMTIP
-  ASAv3PublicIPStack3:
-    Condition: 3ASAvCondition  
-    Description: ASAv Instance 3 Public IP
-    Value: !GetAtt ASAvStack3.Outputs.ASAv1PublicIP
-  VPNPoolFrom3Stack3:
-    Condition: 3ASAvCondition  
-    Description: ASAv Instance 3 VPN Pool From
-    Value: !GetAtt ASAvStack3.Outputs.VPNPoolFrom1
-  VPNPoolTo3Stack3:
-    Condition: 3ASAvCondition  
-    Description: ASAv Instance 3 VPN Pool To
-    Value: !GetAtt ASAvStack3.Outputs.VPNPoolTo1
-  VPNPoolMask3Stack3:
-    Condition: 3ASAvCondition  
-    Description: ASAv Instance 3 VPN Pool Mask
-    Value: !GetAtt ASAvStack3.Outputs.VPNPoolCIDRMask1
-#------------------------------- ASAvStack4-----------------
-  ASAv4MGMTIPStack4:
-    Condition: 4ASAvCondition
-    Description: ASAv Instance 4 Management IP
-    Value: !GetAtt ASAvStack4.Outputs.ASAv1MGMTIP
-  ASAv4PublicIPStack4:
-    Condition: 4ASAvCondition  
-    Description: ASAv Instance 4 Public IP
-    Value: !GetAtt ASAvStack4.Outputs.ASAv1PublicIP
-  VPNPoolFrom4Stack4:
-    Condition: 4ASAvCondition  
-    Description: ASAv Instance 4 VPN Pool From
-    Value: !GetAtt ASAvStack4.Outputs.VPNPoolFrom1
-  VPNPoolTo4Stack4:
-    Condition: 4ASAvCondition  
-    Description: ASAv Instance 4 VPN Pool To
-    Value: !GetAtt ASAvStack4.Outputs.VPNPoolTo1
-  VPNPoolMask4Stack4:
-    Condition: 4ASAvCondition  
-    Description: ASAv Instance 4 VPN Pool Mask
-    Value: !GetAtt ASAvStack4.Outputs.VPNPoolCIDRMask1
-#--------------------------------------------------------------
-  VPNTunnelOutsideIPs:
-    Description: VPN Tunnel Outside IP
-    Value: !GetAtt TGWStack.Outputs.VPNTunnelOutsideIPs

+ 0 - 710
base/_archive/cisco_vpn/quickstart-cisco-asav-ravpn/templates/quickstart-cisco-asav-ravpn-tgw.yaml

@@ -1,710 +0,0 @@
-AWSTemplateFormatVersion: 2010-09-09
-Description: The template creates the TGW resource to connect on-premises firewall with cloud (qs-1qp7e9toe)
-Parameters:
-  PrivateSubnet1ARouteTable:
-    Type: String
-    Description: Public Subnet 1 Route Table ID
-  PrivateSubnet2ARouteTable:
-    Type: String
-    Description: Public Subnet 2 Route Table ID
-  PrivateSubnet3ARouteTable:
-    Type: String
-    Default: 'null'
-    Description: Public Subnet 3 Route Table ID
-  PrivateSubnet4ARouteTable:
-    Type: String
-    Default: 'null'
-    Description: Public Subnet 4 Route Table ID
-  OnPremFirewallPublicIP:
-    Description: Specify the Public IP of the on-premises ASAv/router
-    Type: String
-  OnPremFirewallASN:
-    Description: Specify the BGP ASN of the on-premisis ASAv/router
-    Type: String
-  PreSharedKeyForVPNAttachment:
-    Description: Specify the PreSharedKey of vEdgeCloud1. Must be 15 characters in length and cannot start with zero (0).
-    Type: String
-  AmazonSideAsn:
-    Description: A private Autonomous System Number (ASN) for the Amazon side of a BGP session. The range is 64512 to 65534 for 16-bit ASNs and 4200000000 to 4294967294 for 32-bit ASNs.
-    Type: String
-  VPNTunnelCIDRs:
-    Description: Specify the Tunnel InsideCIDRs for the on-premises firewall. You can use the default pre-filled CIDRs as well.
-    Type: CommaDelimitedList
-  VPCID:
-    Type: AWS::EC2::VPC::Id
-    Description: Select VPC which for VPC Attachment
-  TGWSubnet1CIDR:
-    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
-    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
-    Description: CIDR block for TGW subnet 1 located in Availability Zone 1
-    Type: String
-  TGWSubnet2CIDR:
-    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
-    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
-    Description: CIDR block for TGW subnet 2 located in Availability Zone 1
-    Type: String
-  TGWSubnet3CIDR:
-    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
-    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
-    Description: CIDR block for TGW subnet 3 located in Availability Zone 1
-    Type: String
-  TGWSubnet4CIDR:
-    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
-    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
-    Description: CIDR block for TGW subnet 4 located in Availability Zone 1
-    Type: String
-  VPNPoolCIDR1:
-    Description: CIDR block for the VPN pool 1
-    Type: String
-  VPNPoolCIDR2:
-    Description: CIDR block for the VPN pool 2
-    Type: String
-  VPNPoolCIDR3:
-    Description: CIDR block for the VPN pool 3
-    Type: String
-  VPNPoolCIDR4:
-    Description: CIDR block for the VPN pool 4
-    Type: String
-  OnPremCIDR:
-    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
-    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
-    Description: CIDR block for the On-prem network
-    Type: String
-  AvailabilityZones:
-    Description: >-
-      List of Availability Zones to use for the subnets in the VPC. Note: The
-      logical order is preserved and only 2 AZs are used for this deployment.
-    Type: 'List<AWS::EC2::AvailabilityZone::Name>'
-  NumberOfAZs:
-    Description: >-
-      Number of Availability Zones to use in the VPC. This must match your
-      selections in the list of Availability Zones parameter.
-    Type: String
-  NumberOfASAv:
-    Description: >-
-      Number of ASAv Instances to be initiated.
-    Type: String  
-  NetworkInterfaceId1ASAv1:
-    Type: String
-    Default: 'null'
-    Description: NetworkInterfaceId of ASAv1 for 1 ASAv deployment
-  NetworkInterfaceId1ASAv2:
-    Type: String
-    Default: 'null'
-    Description: NetworkInterfaceId of ASAv1 for 2 ASAv deployment
-  NetworkInterfaceId2ASAv2:
-    Type: String
-    Default: 'null'
-    Description: NetworkInterfaceId of ASAv2 for 2 ASAv deployment
-  NetworkInterfaceId1ASAv3:
-    Type: String
-    Default: 'null'
-    Description: NetworkInterfaceId of ASAv1 for 3 ASAv deployment
-  NetworkInterfaceId2ASAv3:
-    Type: String
-    Default: 'null'
-    Description: NetworkInterfaceId of ASAv2 for 3 ASAv deployment
-  NetworkInterfaceId3ASAv3:
-    Type: String
-    Default: 'null'
-    Description: NetworkInterfaceId of ASAv3 for 3 ASAv deployment
-  NetworkInterfaceId1ASAv4:
-    Type: String
-    Default: 'null'
-    Description: NetworkInterfaceId of ASAv1 for 4 ASAv deployment
-  NetworkInterfaceId2ASAv4:
-    Type: String
-    Default: 'null'
-    Description: NetworkInterfaceId of ASAv2 for 4 ASAv deployment
-  NetworkInterfaceId3ASAv4:
-    Type: String
-    Default: 'null'
-    Description: NetworkInterfaceId of ASAv3 for 4 ASAv deployment
-  NetworkInterfaceId4ASAv4:
-    Type: String
-    Default: 'null'
-    Description: NetworkInterfaceId of ASAv4 for 4 ASAv deployment
-  QSS3BucketName:
-    AllowedPattern: "^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$"
-    ConstraintDescription: >-
-      Quick Start bucket name can include numbers, lowercase letters, uppercase
-      letters, and hyphens (-). It cannot start or end with a hyphen (-).
-    Description: >-
-      S3 bucket name for the Quick Start assets. Quick Start bucket name can
-      include numbers, lowercase letters, uppercase letters, and hyphens (-). It
-      cannot start or end with a hyphen (-).
-    Type: String
-  QSS3KeyPrefix:
-    AllowedPattern: "^[0-9a-zA-Z-/]*$"
-    ConstraintDescription: >-
-      Quick Start key prefix can include numbers, lowercase letters, uppercase
-      letters, hyphens (-), and forward slash (/).
-    Description: >-
-      S3 key prefix for the Quick Start assets. Quick Start key prefix can
-      include numbers, lowercase letters, uppercase letters, hyphens (-), and
-      forward slash (/).
-    Type: String
-  QSS3BucketRegion:
-    Description: >-
-      The AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted.
-      When using your own bucket, you must specify this value.
-    Type: String
-Conditions:
-  UsingDefaultBucket: !Equals 
-    - !Ref QSS3BucketName
-    - aws-quickstart
-  1AZCondition: !Equals
-    - !Ref 'NumberOfAZs'
-    - '1'
-  2AZCondition: !Equals
-    - !Ref 'NumberOfAZs'
-    - '2'
-  3AZCondition: !Equals
-    - !Ref 'NumberOfAZs'
-    - '3'
-  4AZCondition: !Equals
-    - !Ref 'NumberOfAZs'
-    - '4'
-  #Subnet conditions to specifically handle TGW Subnet Resource constraints
-  1SubnetCondition: !Or
-    - !Equals
-      - !Ref 'NumberOfAZs'
-      - '1'
-    - !Condition 2SubnetCondition
-    - !Condition 3SubnetCondition
-    - !Condition 4SubnetCondition
-  2SubnetCondition: !Or
-    - !Equals
-      - !Ref 'NumberOfAZs'
-      - '2'
-    - !Condition 3SubnetCondition
-    - !Condition 4SubnetCondition
-  3SubnetCondition: !Or
-    - !Equals
-      - !Ref 'NumberOfAZs'
-      - '3'
-    - !Condition 4SubnetCondition
-  4SubnetCondition: !Equals
-    - !Ref 'NumberOfAZs'
-    - '4'
-  1ASAvCondition: !Equals
-    - !Ref 'NumberOfASAv'
-    - '1'
-  2ASAvCondition: !Equals
-    - !Ref 'NumberOfASAv'
-    - '2'
-  3ASAvCondition: !Equals
-    - !Ref 'NumberOfASAv'
-    - '3'
-  4ASAvCondition: !Equals
-    - !Ref 'NumberOfASAv'
-    - '4'
-Resources:
-#------------------ TGW Subnets and Routes -------------------------------------------
-  TGWSubnet1:
-    Type: AWS::EC2::Subnet
-    Properties:
-      VpcId: !Ref 'VPCID'
-      CidrBlock: !Ref 'TGWSubnet1CIDR'
-      AvailabilityZone: !Select
-        - '0'
-        - !Ref 'AvailabilityZones'
-      Tags:
-        - Key: Name
-          Value: TGW subnet 1
-  TGWSubnet2:
-    Condition: 2SubnetCondition
-    Type: AWS::EC2::Subnet
-    Properties:
-      VpcId: !Ref 'VPCID'
-      CidrBlock: !Ref 'TGWSubnet2CIDR'
-      AvailabilityZone: !Select
-        - '1'
-        - !Ref 'AvailabilityZones'
-      Tags:
-        - Key: Name
-          Value: TGW subnet 2
-  TGWSubnet3:
-    Condition: 3SubnetCondition
-    Type: AWS::EC2::Subnet
-    Properties:
-      VpcId: !Ref 'VPCID'
-      CidrBlock: !Ref 'TGWSubnet3CIDR'
-      AvailabilityZone: !Select
-        - '2'
-        - !Ref 'AvailabilityZones'
-      Tags:
-        - Key: Name
-          Value: TGW subnet 3
-  TGWSubnet4:
-    Condition: 4AZCondition
-    Type: AWS::EC2::Subnet
-    Properties:
-      VpcId: !Ref 'VPCID'
-      CidrBlock: !Ref 'TGWSubnet4CIDR'
-      AvailabilityZone: !Select
-        - '3'
-        - !Ref 'AvailabilityZones'
-      Tags:
-        - Key: Name
-          Value: TGW subnet 4
-  TGWSubnetRouteTable:
-    Type: AWS::EC2::RouteTable
-    Properties:
-      VpcId: !Ref 'VPCID'
-      Tags:
-        - Key: Name
-          Value: TGW subnets route table
-  TGWSubnet1Route:
-    Condition: 1ASAvCondition
-    Type: AWS::EC2::Route
-    Properties:
-      RouteTableId: !Ref 'TGWSubnetRouteTable'
-      DestinationCidrBlock: !Ref VPNPoolCIDR1
-      NetworkInterfaceId: !Ref NetworkInterfaceId1ASAv1
-  TGWSubnet1Route2ASAv:
-    Condition: 2ASAvCondition
-    Type: AWS::EC2::Route
-    Properties:
-      RouteTableId: !Ref 'TGWSubnetRouteTable'
-      DestinationCidrBlock: !Ref VPNPoolCIDR1
-      NetworkInterfaceId: !Ref NetworkInterfaceId1ASAv2
-  TGWSubnet1Route3ASAv:
-    Condition: 3ASAvCondition
-    Type: AWS::EC2::Route
-    Properties:
-      RouteTableId: !Ref 'TGWSubnetRouteTable'
-      DestinationCidrBlock: !Ref VPNPoolCIDR1
-      NetworkInterfaceId: !Ref NetworkInterfaceId1ASAv3
-  TGWSubnet1Route4ASAv:
-    Condition: 4ASAvCondition
-    Type: AWS::EC2::Route
-    Properties:
-      RouteTableId: !Ref 'TGWSubnetRouteTable'
-      DestinationCidrBlock: !Ref VPNPoolCIDR1
-      NetworkInterfaceId: !Ref NetworkInterfaceId1ASAv4 
-  TGWSubnet1AZRouteTableAssociation:
-    Type: AWS::EC2::SubnetRouteTableAssociation
-    Properties:
-      SubnetId: !Ref 'TGWSubnet1'
-      RouteTableId: !Ref 'TGWSubnetRouteTable'
-  TGWSubnet2Route:
-    Condition: 2ASAvCondition
-    Type: AWS::EC2::Route
-    Properties:
-      RouteTableId: !Ref 'TGWSubnetRouteTable'
-      DestinationCidrBlock: !Ref VPNPoolCIDR2
-      NetworkInterfaceId: !Ref NetworkInterfaceId2ASAv2
-  TGWSubnet2Route3ASAv:
-    Condition: 3ASAvCondition
-    Type: AWS::EC2::Route
-    Properties:
-      RouteTableId: !Ref 'TGWSubnetRouteTable'
-      DestinationCidrBlock: !Ref VPNPoolCIDR2
-      NetworkInterfaceId: !Ref NetworkInterfaceId2ASAv3
-  TGWSubnet2Route4ASAv:
-    Condition: 4ASAvCondition
-    Type: AWS::EC2::Route
-    Properties:
-      RouteTableId: !Ref 'TGWSubnetRouteTable'
-      DestinationCidrBlock: !Ref VPNPoolCIDR2
-      NetworkInterfaceId: !Ref NetworkInterfaceId2ASAv4
-  TGWSubnet2AZRouteTableAssociation:
-    Condition: 2SubnetCondition
-    Type: AWS::EC2::SubnetRouteTableAssociation
-    Properties:
-      SubnetId: !Ref 'TGWSubnet2'
-      RouteTableId: !Ref 'TGWSubnetRouteTable'
-  TGWSubnet3Route:
-    Condition: 3ASAvCondition
-    Type: AWS::EC2::Route
-    Properties:
-      RouteTableId: !Ref 'TGWSubnetRouteTable'
-      DestinationCidrBlock: !Ref VPNPoolCIDR3
-      NetworkInterfaceId: !Ref NetworkInterfaceId3ASAv3
-  TGWSubnet3Route4ASAv:
-    Condition: 4ASAvCondition
-    Type: AWS::EC2::Route
-    Properties:
-      RouteTableId: !Ref 'TGWSubnetRouteTable'
-      DestinationCidrBlock: !Ref VPNPoolCIDR3
-      NetworkInterfaceId: !Ref NetworkInterfaceId3ASAv4
-  TGWSubnet3AZRouteTableAssociation:
-    Condition: 3SubnetCondition
-    Type: AWS::EC2::SubnetRouteTableAssociation
-    Properties:
-      SubnetId: !Ref 'TGWSubnet3'
-      RouteTableId: !Ref 'TGWSubnetRouteTable'
-  TGWSubnet4Route:
-    Condition: 4ASAvCondition
-    Type: AWS::EC2::Route
-    Properties:
-      RouteTableId: !Ref 'TGWSubnetRouteTable'
-      DestinationCidrBlock: !Ref VPNPoolCIDR4
-      NetworkInterfaceId: !Ref NetworkInterfaceId4ASAv4
-  TGWSubnet4AZRouteTableAssociation:
-    Condition: 4SubnetCondition
-    Type: AWS::EC2::SubnetRouteTableAssociation
-    Properties:
-      SubnetId: !Ref 'TGWSubnet4'
-      RouteTableId: !Ref 'TGWSubnetRouteTable'
-#------------------ Transit Gateway -------------------------------------------
-  TransitGateway:
-    Type: "AWS::EC2::TransitGateway"
-    Properties:
-      AmazonSideAsn: !Ref AmazonSideAsn
-      AutoAcceptSharedAttachments: enable
-      DefaultRouteTableAssociation: disable
-      DefaultRouteTablePropagation: disable
-      Description: A transit gateway connect onpremsised with AWS 
-      Tags: 
-      - Key: Name
-        Value: !Sub ${AWS::StackName}-TGW
-#------------------ Copy lambda stack into local S3 bucket ------------------------------------------------
-  CopyLambdaStack:
-    Type: AWS::CloudFormation::Stack
-    Properties:
-      #TemplateURL: !Sub "https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}templates/copy-lambdas.yaml"
-      TemplateURL: !Sub 
-        - >-
-          https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/copy-lambdas.yaml
-        - S3Region: !If 
-            - UsingDefaultBucket
-            - !Ref 'AWS::Region'
-            - !Ref QSS3BucketRegion
-          S3Bucket: !If 
-            - UsingDefaultBucket
-            - !Sub '${QSS3BucketName}-${AWS::Region}'
-            - !Ref QSS3BucketName
-      Parameters:
-        QSS3BucketName: !Ref QSS3BucketName
-        QSS3KeyPrefix: !Ref QSS3KeyPrefix
-##------------------ Custom Resource lambda to get the various TGW properties needed -------------------------------------------
-  LambdaBasicExecutionRole:
-    Type: AWS::IAM::Role
-    Properties:
-      AssumeRolePolicyDocument:
-        Statement:
-        - Effect: Allow
-          Principal:
-            Service: lambda.amazonaws.com
-          Action: sts:AssumeRole
-          Condition: {}
-      Path: /
-      Policies:
-        - PolicyName: !Sub ${AWS::StackName}-tgwDescribe
-          PolicyDocument:
-            Version: 2012-10-17
-            Statement:
-              - Effect: Allow
-                Action:
-                  - logs:CreateLogGroup
-                  - logs:CreateLogStream
-                  - logs:PutLogEvents
-                Resource: !Sub arn:${AWS::Partition}:logs:*:*:*
-              - Effect: Allow
-                Action:
-                  - ec2:DescribeVpnConnections
-                  - ec2:DescribeTransitGatewayRouteTables
-                  - ec2:DescribeTransitGatewayAttachments
-                Resource: "*"
-  TransitGatewayProperties:
-    Type: Custom::TransitGatewayProperty
-    Properties:
-      ServiceToken: !GetAtt 'TransitGatewayLambda.Arn'
-      vpn_id: !Ref VPNAttachment
-      stackName: !Ref "AWS::StackName"
-  TransitGatewayLambda:
-    Type: AWS::Lambda::Function
-    Properties:
-      Handler: getTgwProperties/lambda_function.lambda_handler
-      Timeout: 60
-      Role: !GetAtt 'LambdaBasicExecutionRole.Arn'
-      Runtime: python3.6
-      Code:
-        S3Bucket: !GetAtt 'CopyLambdaStack.Outputs.LambdaZipsBucket'
-        S3Key: !Sub "${QSS3KeyPrefix}functions/packages/lambda.zip"
-      MemorySize: 3008
-#------------------ TGW Route Tables and Routes -------------------------------------------
-  TransitGatewaySecurityRouteTable:
-    Type: "AWS::EC2::TransitGatewayRouteTable"
-    Properties:
-      Tags: 
-      - Key: Name
-        Value: !Sub ${AWS::StackName}-Securityrtb
-      TransitGatewayId: !Ref TransitGateway
-  TransitGatewayVPNRoute:
-    Type: AWS::EC2::TransitGatewayRoute
-    Properties: 
-      DestinationCidrBlock: !Ref OnPremCIDR
-      TransitGatewayAttachmentId: !GetAtt TransitGatewayProperties.vpn1_tgw_attachment_id
-      TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable
-  TransitGatewayVPNPoolRoute1:
-    Condition: 1ASAvCondition
-    Type: AWS::EC2::TransitGatewayRoute
-    Properties: 
-      DestinationCidrBlock: !Ref VPNPoolCIDR1
-      TransitGatewayAttachmentId: !Ref VPCAttachment1AZ
-      TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable
-  TransitGatewayVPNPoolRoute2a:
-    Condition: 2ASAvCondition
-    Type: AWS::EC2::TransitGatewayRoute
-    Properties: 
-      DestinationCidrBlock: !Ref VPNPoolCIDR1
-      TransitGatewayAttachmentId: !Ref VPCAttachment2AZ
-      TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable
-  TransitGatewayVPNPoolRoute2b:
-    Condition: 2ASAvCondition
-    Type: AWS::EC2::TransitGatewayRoute
-    Properties: 
-      DestinationCidrBlock: !Ref VPNPoolCIDR2
-      TransitGatewayAttachmentId: !Ref VPCAttachment2AZ
-      TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable
-  TransitGatewayVPNPoolRoute3a:
-    Condition: 3ASAvCondition
-    Type: AWS::EC2::TransitGatewayRoute
-    Properties: 
-      DestinationCidrBlock: !Ref VPNPoolCIDR1
-      TransitGatewayAttachmentId: !Ref VPCAttachment3AZ
-      TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable
-  TransitGatewayVPNPoolRoute3b:
-    Condition: 3ASAvCondition
-    Type: AWS::EC2::TransitGatewayRoute
-    Properties: 
-      DestinationCidrBlock: !Ref VPNPoolCIDR2
-      TransitGatewayAttachmentId: !Ref VPCAttachment3AZ
-      TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable
-  TransitGatewayVPNPoolRoute3c:
-    Condition: 3ASAvCondition
-    Type: AWS::EC2::TransitGatewayRoute
-    Properties: 
-      DestinationCidrBlock: !Ref VPNPoolCIDR3
-      TransitGatewayAttachmentId: !Ref VPCAttachment3AZ
-      TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable
-  TransitGatewayVPNPoolRoute4a:
-    Condition: 4ASAvCondition
-    Type: AWS::EC2::TransitGatewayRoute
-    Properties: 
-      DestinationCidrBlock: !Ref VPNPoolCIDR1
-      TransitGatewayAttachmentId: !Ref VPCAttachment4AZ
-      TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable
-  TransitGatewayVPNPoolRoute4b:
-    Condition: 4ASAvCondition
-    Type: AWS::EC2::TransitGatewayRoute
-    Properties: 
-      DestinationCidrBlock: !Ref VPNPoolCIDR2
-      TransitGatewayAttachmentId: !Ref VPCAttachment4AZ
-      TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable
-  TransitGatewayVPNPoolRoute4c:
-    Condition: 4ASAvCondition
-    Type: AWS::EC2::TransitGatewayRoute
-    Properties: 
-      DestinationCidrBlock: !Ref VPNPoolCIDR3
-      TransitGatewayAttachmentId: !Ref VPCAttachment4AZ
-      TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable
-  TransitGatewayVPNPoolRoute4d:
-    Condition: 4ASAvCondition
-    Type: AWS::EC2::TransitGatewayRoute
-    Properties: 
-      DestinationCidrBlock: !Ref VPNPoolCIDR4
-      TransitGatewayAttachmentId: !Ref VPCAttachment4AZ
-      TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable
-  TransitGatewaySpokeRouteTable:
-    Type: "AWS::EC2::TransitGatewayRouteTable"
-    Properties:
-      Tags: 
-      - Key: Name
-        Value: !Sub ${AWS::StackName}-Spokertb
-      TransitGatewayId: !Ref TransitGateway
-#------------------ TGW VPN attachment -------------------------------------------
-  CustomerGateway: 
-    Type: AWS::EC2::CustomerGateway
-    Properties: 
-      Type: ipsec.1
-      BgpAsn: !Ref OnPremFirewallASN
-      IpAddress: !Ref OnPremFirewallPublicIP
-      Tags:
-      - Key: Name
-        Value: !Sub "${AWS::StackName}-On-Premgateway"
-  VPNAttachment:
-    Type: AWS::EC2::VPNConnection
-    Properties: 
-      CustomerGatewayId: !Ref CustomerGateway
-      TransitGatewayId: !Ref TransitGateway
-      Type: ipsec.1
-      VpnTunnelOptionsSpecifications: 
-        - PreSharedKey: !Ref PreSharedKeyForVPNAttachment
-          TunnelInsideCidr: !Select [0, !Ref VPNTunnelCIDRs] 
-        - PreSharedKey: !Ref PreSharedKeyForVPNAttachment
-          TunnelInsideCidr: !Select [1, !Ref VPNTunnelCIDRs]
-      Tags:
-      - Key: Name
-        Value: !Sub "${AWS::StackName}-VPNAttachment"
-#------------------ TGW VPC attachments -------------------------------------------
-  VPCAttachment1AZ:
-    Condition: 1AZCondition
-    Type: AWS::EC2::TransitGatewayAttachment
-    Properties: 
-      SubnetIds: 
-        - !Ref TGWSubnet1
-      Tags:
-      - Key: Name
-        Value: !Sub "${AWS::StackName}-VPCAttachment"
-      TransitGatewayId: !Ref TransitGateway
-      VpcId: !Ref VPCID
-  VPCAttachment2AZ:
-    Condition: 2AZCondition
-    Type: AWS::EC2::TransitGatewayAttachment
-    Properties: 
-      SubnetIds: 
-        - !Ref TGWSubnet1
-        - !Ref TGWSubnet2
-      Tags:
-      - Key: Name
-        Value: !Sub "${AWS::StackName}-VPCAttachment"
-      TransitGatewayId: !Ref TransitGateway
-      VpcId: !Ref VPCID
-  VPCAttachment3AZ:
-    Condition: 3AZCondition
-    Type: AWS::EC2::TransitGatewayAttachment
-    Properties: 
-      SubnetIds: 
-        - !Ref TGWSubnet1
-        - !Ref TGWSubnet2
-        - !Ref TGWSubnet3
-      Tags:
-      - Key: Name
-        Value: !Sub "${AWS::StackName}-VPCAttachment"
-      TransitGatewayId: !Ref TransitGateway
-      VpcId: !Ref VPCID
-  VPCAttachment4AZ:
-    Condition: 4AZCondition
-    Type: AWS::EC2::TransitGatewayAttachment
-    Properties: 
-      SubnetIds: 
-        - !Ref TGWSubnet1
-        - !Ref TGWSubnet2
-        - !Ref TGWSubnet3
-        - !Ref TGWSubnet4
-      Tags:
-      - Key: Name
-        Value: !Sub "${AWS::StackName}-VPCAttachment"
-      TransitGatewayId: !Ref TransitGateway
-      VpcId: !Ref VPCID
-#------------------ TGW route table associations -------------------------------------------
-  CustomerGatewayTransitGatewayAssociation:
-    Type: "AWS::EC2::TransitGatewayRouteTableAssociation"
-    Properties:
-      TransitGatewayAttachmentId: !GetAtt TransitGatewayProperties.vpn1_tgw_attachment_id
-      TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable
-  #The VPC association works
-  VPCTransitGatewayAssociation1AZ:
-    Condition: 1AZCondition
-    Type: "AWS::EC2::TransitGatewayRouteTableAssociation"
-    Properties:
-      TransitGatewayAttachmentId: !Ref VPCAttachment1AZ
-      TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable
-  VPCTransitGatewayAssociation2AZ:
-    Condition: 2AZCondition
-    Type: "AWS::EC2::TransitGatewayRouteTableAssociation"
-    Properties:
-      TransitGatewayAttachmentId: !Ref VPCAttachment2AZ
-      TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable
-  VPCTransitGatewayAssociation3AZ:
-    Condition: 3AZCondition
-    Type: "AWS::EC2::TransitGatewayRouteTableAssociation"
-    Properties:
-      TransitGatewayAttachmentId: !Ref VPCAttachment3AZ
-      TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable
-  VPCTransitGatewayAssociation4AZ:
-    Condition: 4AZCondition
-    Type: "AWS::EC2::TransitGatewayRouteTableAssociation"
-    Properties:
-      TransitGatewayAttachmentId: !Ref VPCAttachment4AZ
-      TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable
-#------------------ TGW route table propagations -------------------------------------------
-  EdgeRouteTablePropagation1AZ:
-    Condition: 1AZCondition
-    Type: "AWS::EC2::TransitGatewayRouteTablePropagation"
-    Properties:
-      TransitGatewayAttachmentId: !Ref VPCAttachment1AZ
-      TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable
-  EdgeRouteTablePropagation2AZ:
-    Condition: 2AZCondition
-    Type: "AWS::EC2::TransitGatewayRouteTablePropagation"
-    Properties:
-      TransitGatewayAttachmentId: !Ref VPCAttachment2AZ
-      TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable
-  EdgeRouteTablePropagation3AZ:
-    Condition: 3AZCondition
-    Type: "AWS::EC2::TransitGatewayRouteTablePropagation"
-    Properties:
-      TransitGatewayAttachmentId: !Ref VPCAttachment3AZ
-      TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable
-  EdgeRouteTablePropagation4AZ:
-    Condition: 4AZCondition
-    Type: "AWS::EC2::TransitGatewayRouteTablePropagation"
-    Properties:
-      TransitGatewayAttachmentId: !Ref VPCAttachment4AZ
-      TransitGatewayRouteTableId: !Ref TransitGatewaySecurityRouteTable
-  RouteTableEntryPrivate1:
-    Type: AWS::EC2::Route
-    DependsOn: TransitGatewayVPNRoute
-    Properties: 
-      DestinationCidrBlock: !Ref OnPremCIDR
-      RouteTableId: !Ref PrivateSubnet1ARouteTable
-      TransitGatewayId: !Ref TransitGateway
-  RouteTableEntryPrivate2:
-    Condition: 2SubnetCondition
-    Type: AWS::EC2::Route
-    DependsOn: TransitGatewayVPNRoute
-    #DependsOn: VPCAttachment2AZ
-    Properties: 
-      DestinationCidrBlock: !Ref OnPremCIDR
-      RouteTableId: !Ref PrivateSubnet2ARouteTable
-      TransitGatewayId: !Ref TransitGateway
-  RouteTableEntryPrivate3:
-    Condition: 3SubnetCondition
-    DependsOn: TransitGatewayVPNRoute
-    #DependsOn: VPCAttachment3AZ
-    Type: AWS::EC2::Route
-    Properties: 
-      DestinationCidrBlock: !Ref OnPremCIDR
-      RouteTableId: !Ref PrivateSubnet3ARouteTable
-      TransitGatewayId: !Ref TransitGateway
-  RouteTableEntryPrivate4:
-    Condition: 4SubnetCondition
-    Type: AWS::EC2::Route
-    DependsOn: TransitGatewayVPNRoute
-    #DependsOn: VPCAttachment4AZ
-    Properties: 
-      DestinationCidrBlock: !Ref OnPremCIDR
-      RouteTableId: !Ref PrivateSubnet4ARouteTable
-      TransitGatewayId: !Ref TransitGateway
-Outputs:
-  TransitGateway:
-    Value: !Ref TransitGateway
-    Export: 
-      Name: !Sub ${AWS::StackName}-TransitGateway
-  AmazonSideAsn:
-    Description: "Amazon side ASN for the BGP session"
-    Value: !Ref AmazonSideAsn
-  VPNTunnelInsideCIDRs:
-    Description: "VPN  Tunnel CIDRs"
-    Value: !Join
-      - ','
-      - !Ref VPNTunnelCIDRs
-    Export: 
-      Name: !Sub ${AWS::StackName}-VPNTunnelInsideCIDRs
-  VPNTunnelOutsideIPs:
-    Description: "VPN Tunnel Outside IP"
-    Value: !Join
-      - ','
-      - !GetAtt TransitGatewayProperties.vpn0OutsideIps
-    Export: 
-      Name: !Sub ${AWS::StackName}-VPNTunnelOutsideIPs
-  VPNPreSharedKey:
-    Description: "VPN IPsec PreSharedKey"
-    Value: !Ref PreSharedKeyForVPNAttachment
-    Export: 
-      Name: !Sub ${AWS::StackName}-PreSharedKey

+ 0 - 58
base/_archive/cisco_vpn/security-groups.tf

@@ -1,58 +0,0 @@
-resource "aws_security_group" "outside" {
-  name_prefix = "${var.instance_name}_outside"
-  description = "Security Group for the AWS VPN"
-  vpc_id      = var.vpc_id
-  tags        = merge(var.standard_tags, var.tags)
-}
-
-resource "aws_security_group_rule" "vpn-in-443-tcp" {
-  type              = "ingress"
-  from_port         = 443
-  to_port           = 443
-  protocol          = "tcp"
-  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr
-  security_group_id = aws_security_group.outside.id
-}
-
-resource "aws_security_group_rule" "vpn-in-443-udp" {
-  type              = "ingress"
-  from_port         = 443
-  to_port           = 443
-  protocol          = "udp"
-  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr
-  security_group_id = aws_security_group.outside.id
-}
-
-resource "aws_security_group_rule" "vpn-in-1194-tcp" {
-  type              = "ingress"
-  from_port         = 1194
-  to_port           = 1194
-  protocol          = "tcp"
-  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr
-  security_group_id = aws_security_group.outside.id
-}
-
-resource "aws_security_group_rule" "vpn-in-1194-udp" {
-  type              = "ingress"
-  from_port         = 1194
-  to_port           = 1194
-  protocol          = "udp"
-  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr
-  security_group_id = aws_security_group.outside.id
-}
-
-resource "aws_security_group_rule" "vpn-out" {
-  type              = "egress"
-  from_port         = -1
-  to_port           = -1
-  protocol          = -1
-  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
-  security_group_id = aws_security_group.outside.id
-}
-
-resource "aws_security_group" "inside" {
-  name_prefix = "${var.instance_name}_inside"
-  description = "Security Group for the AWS VPN"
-  vpc_id      = var.vpc_id
-  tags        = merge(var.standard_tags, var.tags)
-}

+ 0 - 41
base/_archive/cisco_vpn/vars.tf

@@ -1,41 +0,0 @@
-variable "instance_name" {
-  type        = string
-  description = "Instance Name"
-  default     = "cisco-vpn"
-}
-
-variable "tags" {
-  description = "Tags to add to the resource (in addition to global standard tags)"
-  type        = map(any)
-  default     = {}
-}
-
-#variable "private_cidr" {
-#  description = "The cidr of the private side subnet"
-#  type = list(string)
-#}
-
-variable "instance_type" {
-  type    = string
-  default = "c5.large"
-}
-
-variable "instance_tags" {
-  type    = map(any)
-  default = {}
-}
-
-variable "azs" { type = list(string) }
-variable "private_subnets" { type = list(string) }
-variable "public_subnets" { type = list(string) }
-variable "vpc_id" { type = string }
-variable "cidr_map" { type = map(any) }
-variable "dns_info" { type = map(any) }
-variable "dns_servers" { type = list(string) }
-variable "standard_tags" { type = map(any) }
-variable "environment" { type = string }
-variable "aws_region" { type = string }
-variable "aws_partition" { type = string }
-variable "aws_partition_alias" { type = string }
-variable "common_services_account" { type = string }
-variable "instance_termination_protection" { type = bool }

+ 0 - 3
base/interconnects/README.md

@@ -1,3 +0,0 @@
-# xdr interconnect instances
-
-Builds and configures the instances that connect govcloud and commercial.

+ 0 - 1
base/interconnects/amis.tf

@@ -1 +0,0 @@
-../amis.tf

+ 0 - 32
base/interconnects/cloud-init.tf

@@ -1,32 +0,0 @@
-# Render a multi-part cloud-init config making use of the part
-# above, and other source files
-data "template_cloudinit_config" "cloud-init" {
-  count         = var.interconnects_count
-  gzip          = true
-  base64_encode = true
-
-  # Main cloud-config configuration file.
-  part {
-    filename     = "init.cfg"
-    content_type = "text/cloud-config"
-    content = templatefile("${path.module}/cloud-init/cloud-init.tpl",
-      {
-        hostname            = "interconnect-${count.index}"
-        fqdn                = "interconnect-${count.index}.${var.dns_info["private"]["zone"]}"
-        saltmaster          = "salt-master.${var.dns_public["name"]}"
-        environment         = var.environment
-        aws_partition       = var.aws_partition
-        aws_partition_alias = var.aws_partition_alias
-        aws_region          = var.aws_region
-        interconnect_id     = count.index
-        vpc_cidr            = var.security_vpc_cidr
-      }
-    )
-  }
-
-  # Additional parts as needed
-  #part {
-  #  content_type = "text/x-shellscript"
-  #  content      = "ffbaz"
-  #}
-}

+ 0 - 59
base/interconnects/cloud-init/cloud-init.tpl

@@ -1,59 +0,0 @@
-#cloud-config
-preserve_hostname: false
-hostname: ${hostname}
-salt-master: ${saltmaster}
-fqdn: ${fqdn}
-
-write_files:
-- content: |
-    ${fqdn}
-  path: /etc/salt/minion_id
-- content: |
-    master: ${saltmaster}
-  path: /etc/salt/minion
-- content: |
-    grains:
-      environment: ${ environment }
-      aws_partition: ${ aws_partition }
-      aws_partition_alias: ${ aws_partition_alias }
-      interconnect_id: ${ interconnect_id }
-      vpc_cidr: ${ vpc_cidr }
-      aws_region: ${ aws_region }
-  path: /etc/salt/minion.d/cloud_init_grains.conf
-
-yum_repos:
-  epel-release:
-    baseurl: http://download.fedoraproject.org/pub/epel/7/$basearch
-    enabled: false
-    failovermethod: priority
-    gpgcheck: true
-    gpgkey: http://download.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7
-    name: Extra Packages for Enterprise Linux 7 - Release
-
-packages:
- - vim
-
-package_update: true # Always patch
-
-growpart:
-  mode: auto
-  devices: [ '/', '/var', '/var/log', '/var/log/audit', '/var/tmp', '/tmp', '/home' ]
-  ignore_growroot_disabled: false
-
-runcmd:
- - /bin/systemctl restart salt-minion 
- - /bin/systemctl enable salt-minion
- - /bin/systemctl start amazon-ssm-agent
- - /bin/systemctl enable amazon-ssm-agent
- - /usr/sbin/aide --update --verbose=0
- - /bin/cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
-
-# Either final message or power state, but probably not both
-final_message: "The system is up after $UPTIME seconds"
-#power_state:
-#  delay: "+30"
-#  mode: reboot
-#  message: "System configured after $UPTIME seconds"
-#  timeout: 300
-#  condition: true
-

+ 0 - 258
base/interconnects/cloud-init/cloud-init.tpl.toomuch

@@ -1,258 +0,0 @@
-#cloud-config
-preserve_hostname: false
-hostname: ${hostname}
-fqdn: ${fqdn}
-
-# A lot of this could be done via salt. But for simplicity, i'm presently keeping it out.
-
-yum_repos:
-  epel-release:
-    baseurl: http://download.fedoraproject.org/pub/epel/7/$basearch
-    enabled: true
-    failovermethod: priority
-    gpgcheck: true
-    gpgkey: http://download.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7
-    name: Extra Packages for Enterprise Linux 7 - Release
-
-packages:
- - strongswan
- - quagga
- - ntp
- - vim
-
-package_update: true # Always patch
-
-growpart:
-  mode: auto
-  devices: [ '/' ]
-  ignore_growroot_disabled: false
-
-write_files:
-  - path: /etc/strongswan/strongswan.conf
-    content: |
-      # strongswan.conf - strongSwan configuration file
-      #
-      # Refer to the strongswan.conf(5) manpage for details
-      #
-      # Configuration changes should be made in the included files
-      charon {
-        plugins {
-          include strongswan.d/charon/*.conf
-        }
-        load_modular = yes
-        filelog {
-          charon {
-            path = /var/log/charon.log
-            time_format = %b %e %T
-            ike_name = yes
-            append = yes
-          }
-        }
-      }
-    owner: root
-    group: root
-    permissions: '0600'
-  - path: /etc/strongswan/ipsec.conf
-    content: |
-      conn %default
-        leftauth=psk
-        rightauth=psk
-        ike=aes256-sha256-modp2048s256,aes128-sha1-modp1024!
-        ikelifetime=28800s
-        aggressive=no
-        esp=aes128-sha256-modp2048s256,aes128-sha1-modp1024!
-        lifetime=3600s
-        type=tunnel
-        dpddelay=10s
-        dpdtimeout=30s
-        keyexchange=ikev1
-        rekey=yes
-        reauth=no
-        dpdaction=restart
-        closeaction=restart
-        left=%defaultroute
-        leftsubnet=0.0.0.0/0,::/0
-        rightsubnet=0.0.0.0/0,::/0
-        leftupdown=/etc/strongswan/ipsec-vti.sh
-        installpolicy=yes
-        compress=no
-        mobike=no
-      conn AWS-VPC-TUNNEL-1
-        left=%any
-        right=TODO-pTunnel1VgwOutsideIpAddress
-        auto=start
-        mark=100
-      conn AWS-VPC-TUNNEL-2
-        left=%any
-        right=TODO-pTunnel2VgwOutsideIpAddress
-        auto=start
-        mark=200
-    owner: root
-    group: root
-    permissions: '0600'
-  - path: /etc/strongswan/ipsec-vti.sh
-    content: |
-      #!/bin/bash
-      
-      #@ /etc/strongswan/ipsec-vti.sh (Centos) or /etc/strongswan.d/ipsec-vti.sh (Ubuntu)
-      
-      # AWS VPC Hardware VPN Strongswan updown Script
-      
-      # Usage Instructions:
-      # Add "install_routes = no" to /etc/strongswan/strongswan.d/charon.conf or /etc/strongswan.d/charon.conf
-      # Add "install_virtual_ip = no" to /etc/strongswan/strongswan.d/charon.conf or /etc/strongswan.d/charon.conf
-      # For Ubuntu: Add "leftupdown=/etc/strongswan.d/ipsec-vti.sh" to /etc/ipsec.conf
-      # For RHEL/Centos: Add "leftupdown=/etc/strongswan/ipsec-vti.sh" to /etc/strongswan/ipsec.conf
-      # For RHEL/Centos 6 and below: git clone git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/iproute2.git && cd iproute2 && make && cp ./ip/ip /usr/local/sbin/ip
-      
-      # Adjust the below according to the Generic Gateway Configuration file provided to you by AWS.
-      # Sample: http://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/GenericConfig.html
-      
-      IP=$(which ip)
-      IPTABLES=$(which iptables)
-      
-      PLUTO_MARK_OUT_ARR=($${!PLUTO_MARK_OUT//// })
-      PLUTO_MARK_IN_ARR=($${!PLUTO_MARK_IN//// })
-      case "$PLUTO_CONNECTION" in
-        AWS-VPC-TUNNEL-1)
-          VTI_INTERFACE=vti1
-          VTI_LOCALADDR=TODO_pTunnel1CgwInsideCidr
-          VTI_REMOTEADDR=TODO_pTunnel1VgwInsideCidr
-          ;;
-        AWS-VPC-TUNNEL-2)
-          VTI_INTERFACE=vti2
-          VTI_LOCALADDR=TODO_pTunnel2CgwInsideCidr
-          VTI_REMOTEADDR=TODO_pTunnel2VgwInsideCidr
-          ;;
-      esac
-      
-      case "$${!PLUTO_VERB}" in
-          up-client)
-              #$IP tunnel add $${!VTI_INTERFACE} mode vti local $${!PLUTO_ME} remote $${!PLUTO_PEER} okey $${!PLUTO_MARK_OUT_ARR[0]} ikey $${!PLUTO_MARK_IN_ARR[0]}
-              $IP link add $${!VTI_INTERFACE} type vti local $${!PLUTO_ME} remote $${!PLUTO_PEER} okey $${!PLUTO_MARK_OUT_ARR[0]} ikey $${!PLUTO_MARK_IN_ARR[0]}
-              sysctl -w net.ipv4.conf.$${!VTI_INTERFACE}.disable_policy=1
-              sysctl -w net.ipv4.conf.$${!VTI_INTERFACE}.rp_filter=2 || sysctl -w net.ipv4.conf.$${!VTI_INTERFACE}.rp_filter=0
-              $IP addr add $${!VTI_LOCALADDR} remote $${!VTI_REMOTEADDR} dev $${!VTI_INTERFACE}
-              $IP link set $${!VTI_INTERFACE} up mtu 1436
-              $IPTABLES -t mangle -I FORWARD -o $${!VTI_INTERFACE} -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-              $IPTABLES -t mangle -I INPUT -p esp -s $${!PLUTO_PEER} -d $${!PLUTO_ME} -j MARK --set-xmark $${!PLUTO_MARK_IN}
-              $IP route flush table 220
-              #/etc/init.d/bgpd reload || /etc/init.d/quagga force-reload bgpd
-              ;;
-          down-client)
-              #$IP tunnel del $${!VTI_INTERFACE}
-              $IP link del $${!VTI_INTERFACE}
-              $IPTABLES -t mangle -D FORWARD -o $${!VTI_INTERFACE} -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-              $IPTABLES -t mangle -D INPUT -p esp -s $${!PLUTO_PEER} -d $${!PLUTO_ME} -j MARK --set-xmark $${!PLUTO_MARK_IN}
-              ;;
-      esac
-    mode: '000700'
-    owner: root
-    group: root
-  - path: /etc/strongswan/ipsec.secrets
-    content: |
-      TODO_pTunnel1VgwOutsideIpAddress : PSK "TODO_pTunnel1Psk"
-      TODO_pTunnel2VgwOutsideIpAddress : PSK "TODO_Tunnel2Psk"
-    mode: '000600'
-    owner: root
-    group: root
-  - path: /etc/quagga/zebra.conf
-    content: |
-      hostname {HOSTNAME}
-      password zebra
-      enable password zebra
-      !
-      log file /var/log/quagga/zebra.log
-      !
-      ! Configure interfaces
-      interface lo
-      ! Change preferred source ip address of received routes
-      route-map RM_SET_SRC permit 10
-        set src {PRIVATE_IP}
-      ip protocol bgp route-map RM_SET_SRC
-      !
-      line vty
-    mode: '000644'
-    owner: root
-    group: root
-  - path: /etc/quagga/bgpd.conf
-    content: |
-      hostname bgpd
-      password zebra
-      enable password zebra
-      !
-      log file /var/log/quagga/bgpd.log
-      !
-      debug bgp events
-      debug bgp filters
-      debug bgp fsm
-      debug bgp keepalives
-      debug bgp updates
-      !
-      router bgp TODO_pLocalBgpAsn
-        bgp router-id {PRIVATE_IP} 
-        network TODO_pVpcCidr
-        neighbor TODO_pTunnel1BgpNeighborIpAddress} remote-as TODO_pTunnel1BgpAsn}
-        neighbor TODO_pTunnel2BgpNeighborIpAddress} remote-as TODO_pTunnel2BgpAsn}
-        neighbor TODO_pTunnel2BgpNeighborIpAddress} route-map RM_LOWER_PRIORITY out
-      !
-      route-map RM_LOWER_PRIORITY permit 10
-        set as-path prepend TODO_pLocalBgpAsn} TODO_pLocalBgpAsn} TODO_pLocalBgpAsn}
-      !
-      line vty
-    mode: '000644'
-    owner: root
-    group: root
-  - path: /etc/sysctl.conf
-    content: |
-      # sysctl settings are defined through files in
-      # /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
-      #
-      # Vendors settings live in /usr/lib/sysctl.d/.
-      # To override a whole file, create a new file with the same in
-      # /etc/sysctl.d/ and put new settings there. To override
-      # only specific settings, add a file with a lexically later
-      # name in /etc/sysctl.d/ and put new settings there.
-      #
-      # For more information, see sysctl.conf(5) and sysctl.d(5).
-      
-      net.ipv4.ip_forward = 1
-      net.ipv4.conf.all.send_redirects = 0
-      net.ipv4.conf.default.send_redirects = 0
-      net.ipv4.tcp_max_syn_backlog = 1280
-      net.ipv4.icmp_echo_ignore_broadcasts = 1
-      net.ipv4.conf.all.accept_source_route = 0
-      net.ipv4.conf.all.accept_redirects = 0
-      net.ipv4.conf.all.secure_redirects = 0
-      net.ipv4.conf.all.log_martians = 1
-      net.ipv4.conf.default.accept_source_route = 0
-      net.ipv4.conf.default.accept_redirects = 0
-      net.ipv4.conf.default.secure_redirects = 0
-      net.ipv4.icmp_echo_ignore_broadcasts = 1
-      net.ipv4.icmp_ignore_bogus_error_responses = 1
-      net.ipv4.tcp_syncookies = 1
-      net.ipv4.conf.all.rp_filter = 1
-      net.ipv4.conf.default.rp_filter = 1
-      net.ipv4.tcp_mtu_probing = 1
-    mode: '000600'
-    owner: root
-    group: root
-
-runcmd:
- - echo "${fqdn}" > /etc/salt/minion_id
- - /bin/systemctl restart salt-minion 
- - /bin/systemctl enable salt-minion
- - /bin/systemctl start amazon-ssm-agent
- - /bin/systemctl enable amazon-ssm-agent
- - /usr/sbin/aide --update --verbose=0
- - /bin/cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
-
-# Since we reboot, either final message or power state, but probably not both
-#final_message: "The system is up after $UPTIME seconds"
-#power_state:
-#  delay: "+30"
-#  mode: reboot
-#  message: "System configured after $UPTIME seconds"
-#  timeout: 300
-#  condition: true
-

+ 0 - 148
base/interconnects/main.tf

@@ -1,148 +0,0 @@
-resource "aws_placement_group" "interconnects" {
-  # Distribute them
-  name     = "interconnects"
-  strategy = "spread"
-}
-
-data "aws_security_group" "aws_endpoints_sg" {
-  name   = "aws_endpoints"
-  vpc_id = var.security_vpc
-}
-
-module "typical_host_security_group" {
-  source = "../../submodules/security_group/typical_host"
-
-  vpc_id           = var.security_vpc
-  cidr_map         = var.cidr_map
-  tags             = merge(var.standard_tags, var.tags)
-  aws_region       = var.aws_region
-  aws_partition    = var.aws_partition
-  aws_endpoints_sg = data.aws_security_group.aws_endpoints_sg.id
-}
-
-resource "aws_network_interface" "interconnects" {
-  count             = var.interconnects_count
-  subnet_id         = var.subnet_id_map["untrusted"][count.index % 2]
-  security_groups   = [module.typical_host_security_group.id, aws_security_group.interconnects_sg.id]
-  source_dest_check = false
-  private_ips_count = 0
-  description       = "XDR Interconnect ${count.index}"
-  tags = {
-    Name = "interconnect-${count.index}"
-  }
-}
-
-resource "aws_eip" "interconnects" {
-  count = var.interconnects_count
-  vpc   = true
-  tags = {
-    Name = "interconnect-${count.index}"
-  }
-}
-
-resource "aws_eip_association" "interconnects" {
-  count                = var.interconnects_count
-  network_interface_id = aws_network_interface.interconnects[count.index].id
-  allocation_id        = aws_eip.interconnects[count.index].id
-}
-
-resource "aws_instance" "interconnects" {
-  count                                = var.interconnects_count
-  availability_zone                    = var.azs[count.index % 2]
-  placement_group                      = aws_placement_group.interconnects.id
-  tenancy                              = "default"
-  ebs_optimized                        = true
-  disable_api_termination              = var.instance_termination_protection
-  instance_initiated_shutdown_behavior = "stop"
-  instance_type                        = var.interconnects_instance_type
-  key_name                             = var.interconnects_key_name
-  monitoring                           = false
-
-  ami = data.aws_ami.minion.id
-  lifecycle { ignore_changes = [ami, key_name, user_data] }
-
-  tags = merge(
-    var.standard_tags,
-    var.tags,
-    {
-      Name = "interconnect-${count.index}"
-    }
-  )
-  volume_tags = merge(
-    var.standard_tags,
-    var.tags,
-    {
-      Name = "interconnect-${count.index}"
-    }
-  )
-
-  root_block_device {
-    volume_type = "gp2"
-    #volume_size = "60"
-    delete_on_termination = true
-  }
-
-  network_interface {
-    device_index         = 0
-    network_interface_id = aws_network_interface.interconnects[count.index].id
-  }
-
-  user_data            = data.template_cloudinit_config.cloud-init[count.index].rendered
-  iam_instance_profile = "msoc-default-instance-profile"
-
-  #lifecycle {
-  # This might allow us to update/replace easier?
-  #create_before_destroy = true
-  #}
-}
-
-# DNS Records don't support count yet! Time to migrate to 0.13 beta!
-# Seriously, though, if we change the count, we will have to change
-# this module, _if_ we want DNS entries.
-module "private_dns_record_0" {
-  source = "../../submodules/dns/private_A_record"
-
-  name         = "interconnect-0"
-  ip_addresses = [aws_instance.interconnects[0].private_ip]
-  dns_info     = var.dns_info
-
-  providers = {
-    aws.c2 = aws.c2
-  }
-}
-
-module "private_dns_record_1" {
-  source = "../../submodules/dns/private_A_record"
-
-  name         = "interconnect-1"
-  ip_addresses = [aws_instance.interconnects[1].private_ip]
-  dns_info     = var.dns_info
-
-  providers = {
-    aws.c2 = aws.c2
-  }
-}
-
-module "public_dns_record_0" {
-  source = "../../submodules/dns/public_A_record"
-
-  name         = "interconnect-0"
-  ip_addresses = [aws_eip.interconnects[0].public_ip]
-  dns_info     = var.dns_info
-
-  providers = {
-    aws.mdr-common-services-commercial = aws.mdr-common-services-commercial
-  }
-}
-
-module "public_dns_record_1" {
-  source = "../../submodules/dns/public_A_record"
-
-  name         = "interconnect-1"
-  ip_addresses = [aws_eip.interconnects[1].public_ip]
-  dns_info     = var.dns_info
-
-  providers = {
-    aws.mdr-common-services-commercial = aws.mdr-common-services-commercial
-  }
-}

+ 0 - 29
base/interconnects/outputs.tf

@@ -1,29 +0,0 @@
-output "instance_ids" {
-  value = aws_instance.interconnects[*].id
-}
-
-#output "private_ips" {
-#    value = aws_network_interface.interconnects[*].private_ips
-#}
-
-output "private_ips" {
-  # We only want the first one
-  value = [for i in aws_network_interface.interconnects[*].private_ips : tolist(i)[0]]
-}
-
-output "public_ips" {
-  value = aws_eip.interconnects[*].public_ip
-}
-
-output "private_dns" {
-  value = merge(module.private_dns_record_0.forward, module.private_dns_record_1.forward)
-}
-
-output "private_dns_reverse" {
-  value = merge(module.private_dns_record_0.reverse, module.private_dns_record_1.reverse)
-}
-
-output "public_dns" {
-  value = merge(module.public_dns_record_0.forward, module.public_dns_record_1.forward)
-}
-

+ 0 - 61
base/interconnects/security-groups.tf

@@ -1,61 +0,0 @@
-resource "aws_security_group" "interconnects_sg" {
-  name        = "interconnects_sg"
-  description = "Security Rules Specific to XDR interconnects"
-  vpc_id      = var.security_vpc
-
-  tags = merge(var.standard_tags, var.tags)
-}
-
-resource "aws_security_group_rule" "trusted_ssh" {
-  type              = "ingress"
-  from_port         = 22
-  to_port           = 22
-  protocol          = "tcp"
-  cidr_blocks       = var.trusted_ips
-  security_group_id = aws_security_group.interconnects_sg.id
-}
-
-resource "aws_security_group_rule" "bgp_ingress" {
-  type              = "ingress"
-  from_port         = 179
-  to_port           = 179
-  protocol          = "tcp"
-  cidr_blocks       = [var.security_vpc_cidr]
-  security_group_id = aws_security_group.interconnects_sg.id
-}
-
-resource "aws_security_group_rule" "ipsec_l2tp_ingress" {
-  type              = "ingress"
-  from_port         = 1701
-  to_port           = 1701
-  protocol          = "udp"
-  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr
-  security_group_id = aws_security_group.interconnects_sg.id
-}
-
-resource "aws_security_group_rule" "ipsec_ike_ingress" {
-  type              = "ingress"
-  from_port         = 500
-  to_port           = 500
-  protocol          = "udp"
-  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr
-  security_group_id = aws_security_group.interconnects_sg.id
-}
-
-resource "aws_security_group_rule" "ipsec_ike_nat_t_ingress" {
-  type              = "ingress"
-  from_port         = 4500
-  to_port           = 4500
-  protocol          = "udp"
-  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr
-  security_group_id = aws_security_group.interconnects_sg.id
-}
-
-resource "aws_security_group_rule" "ipsec_egress" {
-  type              = "egress"
-  from_port         = 0 # all ports
-  to_port           = 0 # all ports
-  protocol          = "all"
-  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
-  security_group_id = aws_security_group.interconnects_sg.id
-}

+ 0 - 28
base/interconnects/vars.tf

@@ -1,28 +0,0 @@
-variable "security_vpc" { type = string }
-variable "azs" { type = list(any) }
-variable "subnet_id_map" { type = map(any) }
-variable "tags" { type = map(any) }
-
-variable "interconnects_instance_type" { type = string }
-variable "interconnects_key_name" { type = string }
-variable "interconnects_count" { type = number }
-
-# Required for DNS module
-variable "dns_info" { type = map(any) }
-
-variable "cidr_map" { type = map(any) }
-variable "instance_termination_protection" { type = bool }
-variable "standard_tags" { type = map(any) }
-variable "aws_marketplace_ubuntu_owner_id" { type = string }
-variable "environment" { type = string }
-variable "trusted_ips" { type = list(any) }
-variable "aws_region" { type = string }
-variable "aws_partition" { type = string }
-variable "aws_partition_alias" { type = string }
-variable "aws_account_id" { type = string }
-variable "security_vpc_cidr" { type = string }
-variable "common_services_account" { type = string }
-
-# Legacy dns, remove this
-variable "dns_public" { type = map(any) }
-variable "dns_private" { type = map(any) }

+ 0 - 1
base/openvpn/amis.tf

@@ -1 +0,0 @@
-../amis.tf

+ 0 - 35
base/openvpn/certificate.tf

@@ -1,35 +0,0 @@
-#Certificate 
-resource "aws_acm_certificate" "cert" {
-  domain_name       = "${var.instance_name}.${var.dns_info["public"]["zone"]}"
-  validation_method = "DNS"
-
-  lifecycle {
-    create_before_destroy = true
-  }
-
-  tags = merge(var.standard_tags, var.tags)
-}
-
-resource "aws_acm_certificate_validation" "cert" {
-  certificate_arn         = aws_acm_certificate.cert.arn
-  validation_record_fqdns = [for record in aws_route53_record.cert_validation : record.fqdn]
-}
-
-resource "aws_route53_record" "cert_validation" {
-  provider = aws.mdr-common-services-commercial
-
-  for_each = {
-    for dvo in aws_acm_certificate.cert.domain_validation_options : dvo.domain_name => {
-      name   = dvo.resource_record_name
-      record = dvo.resource_record_value
-      type   = dvo.resource_record_type
-    }
-  }
-
-  allow_overwrite = true
-  name            = each.value.name
-  records         = [each.value.record]
-  ttl             = 60
-  type            = each.value.type
-  zone_id         = var.dns_info["public"]["zone_id"]
-}

+ 0 - 80
base/openvpn/cloud-init/cloud-init.tpl

@@ -1,80 +0,0 @@
-#cloud-config
-preserve_hostname: false
-hostname: ${hostname}
-salt-master: ${salt_master}
-fqdn: ${fqdn}
-
-# Write files happens early
-write_files:
-- content: |
-    proxy=http://${proxy}:80
-  path: /etc/yum.conf
-  append: true
-- content: |
-    proxy_host: ${proxy}
-    proxy_port: 80
-  path: /etc/salt/minion.d/proxy.conf
-- content: |
-    [global]
-    proxy=${proxy}
-  path: /etc/pip.conf
-- content: |
-    export HTTPS_PROXY=http://${proxy}:80
-    export HTTP_PROXY=http://${proxy}:80
-    export NO_PROXY=localhost,127.0.0.1,169.254.169.254,pvt.xdrtest.accenturefederalcyber.com,pvt.xdr.accenturefederalcyber.com,reposerver.msoc.defpoint.local,jenkins.msoc.defpoint.local,pod1search-splunk-sh.msoc.defpoint.local,s3.amazonaws.com,ssm.${ aws_region }.amazonaws.com,ec2messages.${ aws_region }.amazonaws.com,ec2.${ aws_region }.amazonaws.com,ssmmessages.${ aws_region }.amazonaws.com,iratemoses.mdr.defpoint.com,jira.mdr.defpoint.com,reposerver.pvt.xdr.accenturefederalcyber.com,jenkins.pvt.xdr.accenturefederalcyber.com,pod1search-splunk-sh.pvt.xdr.accenturefederalcyber.com,reposerver.pvt.xdrtest.accenturefederalcyber.com,jenkins.pvt.xdrtest.accenturefederalcyber.com,pod1search-splunk-sh.pvt.xdrtest.accenturefederalcyber.com,iratemoses.xdr.accenturefederalcyber.com,jira.xdr.accenturefederalcyber.com,iratemoses.xdrtest.accenturefederalcyber.com,jira.xdrtest.accenturefederalcyber.com
-    export https_proxy=$HTTPS_PROXY
-    export http_proxy=$HTTP_PROXY
-    export no_proxy=$NO_PROXY
-  path: /etc/profile.d/proxy.sh
-- content: |
-    ${fqdn}
-  path: /etc/salt/minion_id
-- content: |
-    master: ${salt_master}
-  path: /etc/salt/minion
-- content: |
-    grains:
-      environment: ${ environment }
-      aws_partition: ${ aws_partition }
-      aws_partition_alias: ${ aws_partition_alias }
-      aws_region: ${ aws_region }
-  path: /etc/salt/minion.d/cloud_init_grains.conf
-
-#yum_repos:
-#  epel-release:
-#    baseurl: http://download.fedoraproject.org/pub/epel/7/$basearch
-#    enabled: false
-#    failovermethod: priority
-#    gpgcheck: true
-#    gpgkey: http://download.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7
-#    name: Extra Packages for Enterprise Linux 7 - Release
-
-packages:
- - vim
-
-package_update: true # Always patch
-
-growpart:
-  mode: auto
-  devices: [ '/', '/var', '/var/log', '/var/log/audit', '/var/tmp', '/tmp', '/home' ]
-  ignore_growroot_disabled: false
-
-runcmd:
- - /bin/systemctl restart salt-minion
- - /bin/systemctl enable salt-minion
- - /bin/systemctl start amazon-ssm-agent
- - /bin/systemctl enable amazon-ssm-agent
- - /usr/sbin/aide --update --verbose=0
- - /bin/cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
- # For openvpn only:
- #- /usr/bin/sed -i s/noexec,//g /etc/fstab
- - setenforce 0
-
-# Either final message or power state, but probably not both
-final_message: "The system is up after $UPTIME seconds"
-#power_state:
-#  delay: "+30"
-#  mode: reboot
-#  message: "System configured after $UPTIME seconds"
-#  timeout: 300
-#  condition: true

+ 0 - 159
base/openvpn/elb.tf

@@ -1,159 +0,0 @@
-resource "aws_lb" "openvpn-nlb" {
-  name               = "${var.instance_name}-nlb"
-  internal           = false #tfsec:ignore:aws-elb-alb-not-public:exp:2022-08-01
-  load_balancer_type = "network"
-  # Not supported for NLB
-  #security_groups    = [aws_security_group.openvpn-nlb-sg.id]
-  # Note, changing subnets results in recreation of the resource
-  subnets                          = var.public_subnets
-  enable_cross_zone_load_balancing = true
-
-  access_logs {
-    bucket  = "xdr-elb-${var.environment}"
-    enabled = true
-  }
-
-  tags = merge(var.standard_tags, var.tags)
-}
-
-#########################
-# Listeners
-resource "aws_lb_listener" "openvpn-nlb-listener-https" {
-  load_balancer_arn = aws_lb.openvpn-nlb.arn
-  port              = "443"
-  protocol          = "TLS"
-  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2020-10" # PFS, TLS1.2, and GCM; most "restrictive" policy
-  certificate_arn   = aws_acm_certificate.cert.arn
-
-  default_action {
-    type             = "forward"
-    target_group_arn = aws_lb_target_group.openvpn-nlb-target-https.arn
-  }
-}
-
-# Only alb's can redirect
-#resource "aws_lb_listener" "openvpn-nlb-listener-http" {
-#  load_balancer_arn = aws_lb.openvpn-nlb.arn
-#  port              = "80"
-#  protocol          = "HTTP"
-#
-#  default_action {
-#    type             = "redirect"
-#
-#    redirect {
-#      port        = "443"
-#      protocol    = "HTTPS"
-#      status_code = "HTTP_301"
-#    }
-#  }
-#}
-
-resource "aws_lb_listener" "openvpn-nlb-listener-openvpn" {
-  load_balancer_arn = aws_lb.openvpn-nlb.arn
-  port              = "1194"
-  protocol          = "UDP"
-
-  default_action {
-    type             = "forward"
-    target_group_arn = aws_lb_target_group.openvpn-nlb-target-openvpn.arn
-  }
-}
-
-
-#########################
-# Targets
-resource "aws_lb_target_group" "openvpn-nlb-target-https" {
-  name        = "${var.instance_name}-nlb-target-https"
-  port        = 443
-  protocol    = "TLS"
-  target_type = "instance"
-  vpc_id      = var.vpc_id
-  tags        = merge(var.standard_tags, var.tags)
-}
-
-resource "aws_lb_target_group_attachment" "openvpn-nlb-target-https-instance" {
-  target_group_arn = aws_lb_target_group.openvpn-nlb-target-https.arn
-  target_id        = aws_instance.instance.id
-  port             = 443
-}
-
-resource "aws_lb_target_group" "openvpn-nlb-target-openvpn" {
-  name        = "${var.instance_name}-nlb-target-openvpn"
-  port        = 1194
-  protocol    = "UDP"
-  target_type = "instance"
-  vpc_id      = var.vpc_id
-  tags        = merge(var.standard_tags, var.tags)
-}
-
-resource "aws_lb_target_group_attachment" "openvpn-nlb-target-openvpn-instance" {
-  target_group_arn = aws_lb_target_group.openvpn-nlb-target-openvpn.arn
-  target_id        = aws_instance.instance.id
-  port             = 1194
-}
-
-
-#########################
-# Security Group for NLB
-# 
-# From tf: 
-# Error: error creating network Load Balancer: InvalidConfigurationRequest: Security groups are not supported for load balancers with type 'network'
-#resource "aws_security_group" "openvpn-nlb-sg" {
-#  name = "openvpn_nlb_sg"
-#  description = "Security Group for the OpenVPN NLB"
-#  vpc_id = var.vpc_id
-#  tags = merge(var.standard_tags, var.tags)
-#}
-#
-#resource "aws_security_group_rule" "openvpn-nlb-in" {
-#  type              = "ingress"
-#  from_port         = 1194
-#  to_port           = 1194
-#  protocol          = "udp"
-#  cidr_blocks       = [ "0.0.0.0/0" ]
-#  security_group_id = aws_security_group.openvpn-nlb-sg.id
-#}
-#
-#resource "aws_security_group_rule" "openvpn-nlb-https-in" {
-#  type              = "ingress"
-#  from_port         = 443
-#  to_port           = 443
-#  protocol          = "tcp"
-#  cidr_blocks       = [ "0.0.0.0/0" ]
-#  security_group_id = aws_security_group.openvpn-nlb-sg.id
-#}
-#
-#resource "aws_security_group_rule" "openvpn-nlb-out" {
-#  type              = "egress"
-#  from_port         = 1194
-#  to_port           = 1194
-#  protocol          = "udp"
-#  # Maybe should limit to the local vpc, but I don't readily have that cidr available
-#  cidr_blocks       = [ "10.0.0.0/8" ]
-#  security_group_id = aws_security_group.openvpn-nlb-sg.id
-#}
-#
-#resource "aws_security_group_rule" "openvpn-nlb-https-out" {
-#  type              = "egress"
-#  from_port         = 443
-#  to_port           = 443
-#  protocol          = "tcp"
-#  # Maybe should limit to the local vpc, but I don't readily have that cidr available
-#  cidr_blocks       = [ "10.0.0.0/8" ]
-#  security_group_id = aws_security_group.openvpn-nlb-sg.id
-#}
-
-#########################
-# DNS Entry
-module "public_dns_record" {
-  source = "../../submodules/dns/public_ALIAS_record"
-
-  name            = var.instance_name
-  target_dns_name = aws_lb.openvpn-nlb.dns_name
-  target_zone_id  = aws_lb.openvpn-nlb.zone_id
-  dns_info        = var.dns_info
-
-  providers = {
-    aws.mdr-common-services-commercial = aws.mdr-common-services-commercial
-  }
-}

+ 0 - 173
base/openvpn/main.tf

@@ -1,173 +0,0 @@
-# Some instance variables
-locals {
-  ami_selection = "minion" # master, minion, ...
-}
-
-# Rather than pass in the aws security group, we just look it up. This will
-# probably be useful other places, as well.
-data "aws_security_group" "typical-host" {
-  name   = "typical-host"
-  vpc_id = var.vpc_id
-}
-
-# Use the default EBS key
-data "aws_kms_key" "ebs-key" {
-  key_id = "alias/ebs_root_encrypt_decrypt"
-}
-
-resource "aws_network_interface" "instance" {
-  subnet_id       = var.subnets[0]
-  security_groups = [data.aws_security_group.typical-host.id, aws_security_group.openvpn_security_group.id]
-  description     = var.instance_name
-  tags            = merge(var.standard_tags, var.tags, { Name = var.instance_name })
-}
-
-resource "aws_instance" "instance" {
-  #availability_zone = var.azs[count.index % 2]
-  tenancy                              = "default"
-  ebs_optimized                        = true
-  disable_api_termination              = var.instance_termination_protection
-  instance_initiated_shutdown_behavior = "stop"
-  instance_type                        = var.instance_type
-  key_name                             = "msoc-build"
-  monitoring                           = false
-  iam_instance_profile                 = "msoc-default-instance-profile"
-
-  ami = local.ami_map[local.ami_selection]
-  # We need to ignore ebs_block_device changes, because if the AMI changes, so does the snapshot_id.
-  # If they add a feature to block more specific changes (eg `ebs_block_devices[*].snapshot_id`), then
-  # that could be removed.
-  lifecycle { ignore_changes = [ami, key_name, user_data, ebs_block_device] }
-
-  # These device definitions are optional, but added for clarity.
-  root_block_device {
-    volume_type = "gp2"
-    #volume_size = "60"
-    delete_on_termination = true
-    encrypted             = true
-    kms_key_id            = data.aws_kms_key.ebs-key.arn
-  }
-
-  ebs_block_device {
-    # swap
-    device_name           = "/dev/xvdm"
-    volume_size           = 48
-    delete_on_termination = true
-    encrypted             = true
-    kms_key_id            = data.aws_kms_key.ebs-key.arn
-    # Snapshot IDs need to be grabbed from the ami, or it will replace every time. It's ugly.
-    # This may prompt replacement when the AMI is updated.
-    # See:
-    #   https://github.com/hashicorp/terraform/issues/19958
-    #   https://github.com/terraform-providers/terraform-provider-aws/issues/13118
-    snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdm"].ebs.snapshot_id
-  }
-  ebs_block_device {
-    # /home
-    device_name = "/dev/xvdn"
-    # volume_size = xx
-    delete_on_termination = true
-    encrypted             = true
-    kms_key_id            = data.aws_kms_key.ebs-key.arn
-    snapshot_id           = local.block_device_mappings[local.ami_selection]["/dev/xvdn"].ebs.snapshot_id
-
-  }
-  ebs_block_device {
-    # /var
-    device_name = "/dev/xvdo"
-    # volume_size = xx
-    delete_on_termination = true
-    encrypted             = true
-    kms_key_id            = data.aws_kms_key.ebs-key.arn
-    snapshot_id           = local.block_device_mappings[local.ami_selection]["/dev/xvdo"].ebs.snapshot_id
-  }
-  ebs_block_device {
-    # /var/tmp
-    device_name = "/dev/xvdp"
-    # volume_size = xx
-    delete_on_termination = true
-    encrypted             = true
-    kms_key_id            = data.aws_kms_key.ebs-key.arn
-    snapshot_id           = local.block_device_mappings[local.ami_selection]["/dev/xvdp"].ebs.snapshot_id
-  }
-  ebs_block_device {
-    # /var/log
-    device_name = "/dev/xvdq"
-    # volume_size = xx
-    delete_on_termination = true
-    encrypted             = true
-    kms_key_id            = data.aws_kms_key.ebs-key.arn
-    snapshot_id           = local.block_device_mappings[local.ami_selection]["/dev/xvdq"].ebs.snapshot_id
-  }
-  ebs_block_device {
-    # /var/log/audit
-    device_name = "/dev/xvdr"
-    # volume_size = xx
-    delete_on_termination = true
-    encrypted             = true
-    kms_key_id            = data.aws_kms_key.ebs-key.arn
-    snapshot_id           = local.block_device_mappings[local.ami_selection]["/dev/xvdr"].ebs.snapshot_id
-  }
-  ebs_block_device {
-    # /tmp
-    device_name = "/dev/xvds"
-    # volume_size = xx
-    delete_on_termination = true
-    encrypted             = true
-    kms_key_id            = data.aws_kms_key.ebs-key.arn
-    snapshot_id           = local.block_device_mappings[local.ami_selection]["/dev/xvds"].ebs.snapshot_id
-  }
-
-  network_interface {
-    device_index         = 0
-    network_interface_id = aws_network_interface.instance.id
-  }
-
-  user_data   = data.template_cloudinit_config.cloud-init.rendered
-  tags        = merge(var.standard_tags, var.tags, { Name = var.instance_name })
-  volume_tags = merge(var.standard_tags, var.tags, { Name = var.instance_name })
-}
-
-module "private_dns_record" {
-  source = "../../submodules/dns/private_A_record"
-
-  name            = var.instance_name
-  ip_addresses    = [aws_instance.instance.private_ip]
-  dns_info        = var.dns_info
-  reverse_enabled = var.reverse_enabled
-
-  providers = {
-    aws.c2 = aws.c2
-  }
-}
-
-# Render a multi-part cloud-init config making use of the part
-# above, and other source files
-data "template_cloudinit_config" "cloud-init" {
-  gzip          = true
-  base64_encode = true
-
-  # Main cloud-config configuration file.
-  part {
-    filename     = "init.cfg"
-    content_type = "text/cloud-config"
-    content = templatefile("${path.module}/cloud-init/cloud-init.tpl",
-      {
-        hostname            = var.instance_name
-        fqdn                = "${var.instance_name}.${var.dns_info["private"]["zone"]}"
-        environment         = var.environment
-        salt_master         = var.salt_master
-        proxy               = var.proxy
-        aws_partition       = var.aws_partition
-        aws_partition_alias = var.aws_partition_alias
-        aws_region          = var.aws_region
-      }
-    )
-  }
-
-  # Additional parts as needed
-  #part {
-  #  content_type = "text/x-shellscript"
-  #  content      = "ffbaz"
-  #}
-}

+ 0 - 11
base/openvpn/outputs.tf

@@ -1,11 +0,0 @@
-output "instance_arn" {
-  value = aws_instance.instance.arn
-}
-
-output "public-name" {
-  value = aws_lb.openvpn-nlb.dns_name
-}
-
-output "instance_private_ip" {
-  value = aws_instance.instance.private_ip
-}

+ 0 - 121
base/openvpn/security-groups.tf

@@ -1,121 +0,0 @@
-resource "aws_security_group" "openvpn_security_group" {
-  name_prefix = "${var.instance_name}_security_group"
-  description = "Security Group for OpenVPN Instance(s)"
-  vpc_id      = var.vpc_id
-  tags        = merge(var.standard_tags, var.tags)
-}
-
-resource "aws_security_group_rule" "openvpn-in" {
-  type      = "ingress"
-  from_port = 1194
-  to_port   = 1194
-  protocol  = "udp"
-  # NOTE: For NLBs, the source IP is the public IP, so the security group must allow public access.
-  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr:exp:2022-08-01
-  security_group_id = aws_security_group.openvpn_security_group.id
-}
-
-resource "aws_security_group_rule" "openvpn-https-in" {
-  type      = "ingress"
-  from_port = 443
-  to_port   = 443
-  protocol  = "tcp"
-  # NOTE: For NLBs, the source IP is the public IP, so the security group must allow public access.
-  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr:exp:2022-08-01
-  security_group_id = aws_security_group.openvpn_security_group.id
-}
-
-resource "aws_security_group_rule" "openvpn-permissive-out" {
-  # We allow all outbound for openvpn
-  type              = "egress"
-  from_port         = -1
-  to_port           = -1
-  protocol          = "all"
-  cidr_blocks       = ["10.0.0.0/8"]
-  security_group_id = aws_security_group.openvpn_security_group.id
-}
-
-# We have specific egress rules, as well, but the list may be incomplete.
-resource "aws_security_group_rule" "openvpn-splunk-out" {
-  type              = "egress"
-  from_port         = 8000
-  to_port           = 8000
-  protocol          = "tcp"
-  cidr_blocks       = ["10.0.0.0/8"]
-  security_group_id = aws_security_group.openvpn_security_group.id
-}
-
-resource "aws_security_group_rule" "openvpn-https-out" {
-  type              = "egress"
-  from_port         = 443
-  to_port           = 443
-  protocol          = "tcp"
-  cidr_blocks       = ["10.0.0.0/8"]
-  security_group_id = aws_security_group.openvpn_security_group.id
-}
-
-resource "aws_security_group_rule" "openvpn-https-alt-out" {
-  type              = "egress"
-  from_port         = 8443
-  to_port           = 8443
-  protocol          = "tcp"
-  cidr_blocks       = ["10.0.0.0/8"]
-  security_group_id = aws_security_group.openvpn_security_group.id
-}
-
-resource "aws_security_group_rule" "openvpn-phantom-out" {
-  type              = "egress"
-  from_port         = 8888
-  to_port           = 8888
-  protocol          = "tcp"
-  cidr_blocks       = ["10.0.0.0/8"]
-  security_group_id = aws_security_group.openvpn_security_group.id
-}
-
-resource "aws_security_group_rule" "openvpn-github-ssh-out" {
-  type              = "egress"
-  from_port         = 122
-  to_port           = 122
-  protocol          = "tcp"
-  cidr_blocks       = ["10.0.0.0/8"]
-  security_group_id = aws_security_group.openvpn_security_group.id
-}
-
-resource "aws_security_group_rule" "openvpn-ssh-out" {
-  type              = "egress"
-  from_port         = 22
-  to_port           = 22
-  protocol          = "tcp"
-  cidr_blocks       = ["10.0.0.0/8"]
-  security_group_id = aws_security_group.openvpn_security_group.id
-}
-
-resource "aws_security_group_rule" "openvpn-nessus-out" {
-  type              = "egress"
-  from_port         = 8834
-  to_port           = 8835
-  protocol          = "tcp"
-  cidr_blocks       = toset(concat(var.cidr_map["vpc-scanners"], var.cidr_map["vpc-private-services"]))
-  security_group_id = aws_security_group.openvpn_security_group.id
-  description       = "Access to Nessus"
-}
-
-resource "aws_security_group_rule" "openvpn-license-server-out" {
-  # Needed for license server check-in.  Seems to be stable IP.
-  type              = "egress"
-  from_port         = 443
-  to_port           = 443
-  protocol          = "tcp"
-  cidr_blocks       = ["54.183.149.72/32"]
-  security_group_id = aws_security_group.openvpn_security_group.id
-}
-
-resource "aws_security_group_rule" "openvpn-ldap-out" {
-  type      = "egress"
-  from_port = 636
-  to_port   = 636
-  protocol  = "tcp"
-  # Yes this has to be 0.0.0.0/0 because our SSL ldap server is provided by OKTA behind a NLB in AWS with non static IP
-  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
-  security_group_id = aws_security_group.openvpn_security_group.id
-}

+ 0 - 51
base/openvpn/vars.tf

@@ -1,51 +0,0 @@
-variable "instance_name" {
-  description = "Hostname, DNS entry, etc."
-  type        = string
-}
-
-variable "azs" {
-  type = list(string)
-}
-
-variable "subnets" {
-  type = list(string)
-}
-
-variable "public_subnets" {
-  type = list(string)
-}
-
-variable "vpc_id" {
-  type = string
-}
-
-variable "tags" {
-  description = "Tags to add to the resource (in addition to global standard tags)"
-  type        = map(any)
-  default     = {}
-}
-
-variable "instance_type" {
-  type    = string
-  default = "t3a.micro"
-}
-
-variable "reverse_enabled" {
-  description = "Whether to create the reverse DNS entry."
-  type        = bool
-  default     = true
-}
-
-variable "trusted_ips" { type = list(string) }
-variable "proxy" { type = string }
-variable "salt_master" { type = string }
-
-variable "cidr_map" { type = map(any) }
-variable "dns_info" { type = map(any) }
-variable "standard_tags" { type = map(any) }
-variable "environment" { type = string }
-variable "aws_region" { type = string }
-variable "aws_partition" { type = string }
-variable "aws_partition_alias" { type = string }
-variable "common_services_account" { type = string }
-variable "instance_termination_protection" { type = bool }

+ 0 - 3
base/palo_alto/bootstrap/README.md

@@ -1,3 +0,0 @@
-# palo_alto_bootstrap
-
-Creates S3 buckets (one per device) for provisioning the palo alto firewall nodes.

+ 0 - 20
base/palo_alto/bootstrap/init-cfg.txt.tmpl

@@ -1,20 +0,0 @@
-type=dhcp-client
-ip-address=
-default-gateway=
-netmask=
-ipv6-address=
-ipv6-default-gateway=
-hostname=${hostname}
-vm-auth-key=${authkey}
-panorama-server=${panorama_primary}
-panorama-server-2=${panorama_secondary}
-tplname=${tplname}
-dgname=${dgname}
-dns-primary=169.254.169.253
-dns-secondary=8.8.8.8
-op-command-modes=${op-command-modes}
-op-cmd-dpdk-pkt-io=
-dhcp-send-hostname=yes
-dhcp-send-client-id=yes
-dhcp-accept-server-hostname=no
-dhcp-accept-server-domain=no

+ 0 - 10
base/palo_alto/bootstrap/locals.tf

@@ -1,10 +0,0 @@
-locals {
-  file_list = fileset("${path.root}/files", "**/[^.]*")
-  bootstrap_dirs = [
-    "config/",
-    "content/",
-    "software/",
-    "license/",
-    "plugins/"
-  ]
-}

+ 0 - 129
base/palo_alto/bootstrap/main.tf

@@ -1,129 +0,0 @@
-#tfsec:ignore:aws-s3-block-public-acls tfsec:ignore:aws-s3-block-public-policy tfsec:ignore:aws-s3-ignore-public-acls
-#tfsec:ignore:aws-s3-no-public-buckets Certificate CRLs need to be publicly accessible
-resource "aws_s3_bucket" "bucket" {
-  count = var.palo_alto_count
-
-  bucket = "xdr-palo-alto-bootstrap-${count.index}"
-}
-
-resource "aws_s3_bucket_acl" "s3_acl_bucket" {
-  bucket = aws_s3_bucket.bucket.id
-  acl    = "private"
-}
-
-locals {
-  # Bootstrap process requires that folders exist, so we must create them in each bucket. This looks complicated,
-  # but it's just doing a foreach bucket: foreach directory: ...
-  bucket_folder_map = { for p in setproduct(range(var.palo_alto_count), local.bootstrap_dirs) : "${p[0]}/${p[1]}" => {
-    num    = p[0]
-    folder = p[1]
-    }
-  }
-}
-
-resource "aws_s3_bucket_object" "bootstrap_dirs" {
-  for_each = local.bucket_folder_map
-
-  bucket  = aws_s3_bucket.bucket[each.value["num"]].id
-  key     = each.value["folder"]
-  content = "/dev/null"
-}
-
-resource "aws_s3_bucket_object" "init_cfg" {
-  count  = var.palo_alto_count
-  bucket = aws_s3_bucket.bucket[count.index].id
-  key    = "config/init-cfg.txt"
-  content = templatefile("${path.module}/init-cfg.txt.tmpl",
-    {
-      "hostname"           = "xdr_palo_${var.aws_partition_alias}_${var.environment}_${count.index}"
-      "authkey"            = var.palo_alto_auth_keys[count.index]
-      "tplname"            = "XDR-Interconnect-Stack-${count.index}"
-      "dgname"             = "XDR-Interconnects"
-      "op-command-modes"   = "jumbo-frame, mgmt-interface-swap"
-      "panorama_primary"   = var.panorama_servers[0]
-      "panorama_secondary" = var.panorama_servers[1]
-    }
-  )
-}
-
-# No bootstrap configuration, as we're registered to panorama
-# resource "aws_s3_bucket_object" "bootstrap_xml" {
-#  count = var.palo_alto_count
-#  bucket = aws_s3_bucket.bucket[count.index].id
-#  key    = "config/bootstrap.xml"
-#  content = templatefile("${path.module}/bootstrap.xml.tmpl",
-#    {
-#      index = count.index
-#    }
-#  )
-#}
-
-resource "aws_s3_bucket_object" "authcodes" {
-  count   = var.palo_alto_count
-  bucket  = aws_s3_bucket.bucket[count.index].id
-  key     = "license/authcodes"
-  content = <<EOF
-${var.palo_alto_license_keys[count.index]}
-EOF
-}
-
-resource "aws_iam_role" "bootstrap_role" {
-  count = var.palo_alto_count
-  name  = "palo_alto_bootstrap_${count.index}"
-  path  = "/instance/"
-
-  assume_role_policy = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Principal": {
-      "Service": "ec2.amazonaws.com"
-    },
-      "Action": "sts:AssumeRole"
-    }
-  ]
-}
-EOF
-}
-
-resource "aws_iam_role_policy" "bootstrap_policy" {
-  count = var.palo_alto_count
-  name  = "palo_alto_bootstrap_${count.index}"
-  role  = aws_iam_role.bootstrap_role[count.index].id
-
-  policy = <<EOF
-{
-  "Version" : "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Action": "s3:ListBucket",
-      "Resource": "arn:${var.aws_partition}:s3:::${aws_s3_bucket.bucket[count.index].bucket}"
-    },
-    {
-    "Effect": "Allow",
-    "Action": "s3:GetObject",
-    "Resource": "arn:${var.aws_partition}:s3:::${aws_s3_bucket.bucket[count.index].bucket}/*"
-    }
-  ]
-}
-EOF
-}
-
-resource "aws_iam_instance_profile" "bootstrap" {
-  count = var.palo_alto_count
-  name  = "palo_alto_bootstrap_${count.index}"
-  role  = aws_iam_role.bootstrap_role[count.index].name
-  path  = "/instance/"
-}
-
-//AWS Provider outdated arguments <4.4.0
-/*resource "aws_s3_bucket" "bucket" {
-  count = var.palo_alto_count
-
-  bucket = "xdr-palo-alto-bootstrap-${count.index}"
-  acl    = "private"
-}
-*/

+ 0 - 2
base/palo_alto/bootstrap/outputs.tf

@@ -1,2 +0,0 @@
-output "bucket_ids" { value = aws_s3_bucket.bucket[*].id }
-output "instance_profile_names" { value = aws_iam_instance_profile.bootstrap[*].name }

+ 0 - 20
base/palo_alto/bootstrap/vars.tf

@@ -1,20 +0,0 @@
-variable "tags" {
-  description = "Tags to add to the resource (in addition to global standard tags)"
-  type        = map(any)
-  default     = {}
-}
-
-variable "palo_alto_count" { type = number }
-variable "palo_alto_auth_keys" { type = list(any) }
-variable "palo_alto_license_keys" { type = list(any) }
-variable "aws_partition" { type = string }
-variable "panorama_servers" { type = list(any) }
-
-# ----------------------------------
-# Below this line are variables inherited from higher levels, so they
-# do not need to be explicitly passed to this module.
-variable "standard_tags" { type = map(any) }
-variable "inside_domain" { type = string }
-variable "aws_region" { type = string }
-variable "environment" { type = string }
-variable "aws_partition_alias" { type = string }

+ 0 - 3
base/palo_alto/firewall_nodes/README.md

@@ -1,3 +0,0 @@
-# Firewall Nodes
-
-Creates firewall nodes spread across the AZs/subnets provided.

+ 0 - 42
base/palo_alto/firewall_nodes/ami.tf

@@ -1,42 +0,0 @@
-# I'd much rather do a find_ami here.
-variable "pavm_byol_ami_id" {
-  default = {
-    us-east-1     = "ami-06962643040d7363f"
-    us-gov-east-1 = "ami-0f0d54de4d1212aae" # 9.1.3
-    #us-gov-east-1 = "ami-a6dd31d7" # 9.1.2
-    us-gov-west-1 = "ami-019045558d9d46abe"
-
-    # The below are old and suspect
-    ap-south-1     = "ami-5c187233",
-    eu-west-1      = "ami-73971600",
-    ap-southeast-1 = "ami-0c60aa6f",
-    ap-southeast-2 = "ami-f9c4e79a",
-    ap-northeast-2 = "ami-fa08c194",
-    eu-central-1   = "ami-74e5041b",
-    ap-northeast-1 = "ami-e44b5a8a",
-    us-west-1      = "ami-acd7aacc",
-    sa-east-1      = "ami-1d860971",
-    us-west-2      = "ami-e7be4b87"
-  }
-}
-
-# From their examples:
-# data "aws_ami" "panos_firewall_ami" {
-#  most_recent = "${var.fw_version == "latest" ? true : false}"
-#  owners      = ["679593333241"]
-#
-#  filter {
-#    name   = "name"
-#    values = ["PA-VM-AWS-${replace(var.fw_version, "/latest/", "")}*"]
-#  }
-#
-#  filter {
-#    name   = "product-code.type"
-#    values = ["marketplace"]
-#  }
-#
-#  filter {
-#    name   = "product-code"
-#    values = ["${lookup(var.bundles, var.fw_bundle)}"]
-#  }
-#}

+ 0 - 132
base/palo_alto/firewall_nodes/main.tf

@@ -1,132 +0,0 @@
-resource "aws_network_interface" "FWManagementNetworkInterface" {
-  count             = var.palo_alto_count
-  subnet_id         = var.subnet_id_map["management"][count.index % 2]
-  security_groups   = var.management_security_group_ids
-  source_dest_check = false
-  private_ips_count = 0
-  private_ips       = [cidrhost(var.subnet_cidr_map["management"][count.index % 2], 10 + (count.index % 2))]
-  description       = "Palo Alto XDR Interconnect ${count.index} management interface"
-  tags = {
-    Name = "xdr-interconnect-${count.index}_management_interface"
-  }
-}
-
-resource "aws_network_interface" "FWPublicNetworkInterface" {
-  count             = var.palo_alto_count
-  subnet_id         = var.subnet_id_map["untrusted"][count.index % 2]
-  security_groups   = var.untrusted_security_group_ids
-  source_dest_check = false
-  private_ips_count = 0
-  private_ips       = [cidrhost(var.subnet_cidr_map["untrusted"][count.index % 2], 10 + (count.index % 2))]
-  description       = "Palo Alto XDR Interconnect ${count.index} untrusted interface"
-  tags = {
-    Name = "xdr-interconnect-${count.index}_untrusted_interface"
-  }
-}
-
-resource "aws_network_interface" "FWPrivateNetworkInterface" {
-  count             = var.palo_alto_count
-  subnet_id         = var.subnet_id_map["private"][count.index % 2]
-  security_groups   = var.untrusted_security_group_ids
-  source_dest_check = false
-  private_ips_count = 0
-  private_ips       = [cidrhost(var.subnet_cidr_map["private"][count.index % 2], 10 + (count.index % 2))]
-  description       = "Palo Alto XDR Interconnect ${count.index} private interface"
-  tags = {
-    Name = "xdr-interconnect-${count.index}_private_interface"
-  }
-}
-
-resource "aws_network_interface" "FWTGWNetworkInterface" {
-  count             = var.palo_alto_count
-  subnet_id         = var.subnet_id_map["tgw_standalone"][count.index % 2]
-  security_groups   = var.untrusted_security_group_ids
-  source_dest_check = false
-  private_ips_count = 0
-  private_ips       = [cidrhost(var.subnet_cidr_map["tgw_standalone"][count.index % 2], 10 + (count.index % 2))]
-  description       = "Palo Alto XDR Interconnect ${count.index} tgw interface"
-  tags = {
-    Name = "xdr-interconnect-${count.index}_tgw_interface"
-  }
-}
-
-resource "aws_eip" "untrusted_eip" {
-  count = var.palo_alto_count
-  vpc   = true
-}
-
-resource "aws_eip" "management_eip" {
-  count = var.palo_alto_count
-  vpc   = true
-}
-
-resource "aws_eip_association" "FWEIPManagementAssociation" {
-  count                = var.palo_alto_count
-  network_interface_id = aws_network_interface.FWManagementNetworkInterface[count.index].id
-  allocation_id        = aws_eip.management_eip[count.index].id
-}
-
-resource "aws_eip_association" "FWEIPPublicAssociation" {
-  count                = var.palo_alto_count
-  network_interface_id = aws_network_interface.FWPublicNetworkInterface[count.index].id
-  allocation_id        = aws_eip.untrusted_eip[count.index].id
-}
-
-resource "aws_placement_group" "palo_group" {
-  name     = "Palo Alto Placement Group"
-  strategy = "spread"
-}
-
-resource "aws_instance" "palo" {
-  count                                = var.palo_alto_count
-  ami                                  = lookup(var.pavm_byol_ami_id, var.aws_region)
-  availability_zone                    = var.azs[count.index % 2]
-  placement_group                      = aws_placement_group.palo_group.id
-  tenancy                              = "default"
-  ebs_optimized                        = true
-  disable_api_termination              = var.instance_termination_protection
-  instance_initiated_shutdown_behavior = "stop"
-  instance_type                        = var.palo_alto_instance_type
-  key_name                             = var.palo_alto_key_name
-  monitoring                           = false
-  #subnet_id = var.subnet_id_map["untrusted"][count.index % 2]
-  #associate_public_ip_address = true # causes a recreate on apply if you set this!
-  #private_ip = cidrhost(var.subnet_cidr_map["untrusted"][count.index % 2], 10 + (count.index % 2))
-  #source_dest_check = false
-
-  tags = merge(
-    var.standard_tags,
-    var.tags,
-    { Name = "xdr-interconnect-${count.index}" }
-  )
-
-  root_block_device {
-    volume_type           = "gp2"
-    volume_size           = "60"
-    delete_on_termination = true
-  }
-
-  network_interface {
-    device_index         = 0
-    network_interface_id = aws_network_interface.FWPublicNetworkInterface[count.index].id
-  }
-
-  network_interface {
-    device_index         = 1
-    network_interface_id = aws_network_interface.FWManagementNetworkInterface[count.index].id
-  }
-
-  network_interface {
-    device_index         = 2
-    network_interface_id = aws_network_interface.FWPrivateNetworkInterface[count.index].id
-  }
-
-  network_interface {
-    device_index         = 3
-    network_interface_id = aws_network_interface.FWTGWNetworkInterface[count.index].id
-  }
-
-  user_data = base64encode("vmseries-bootstrap-aws-s3bucket=${var.bucket_ids[count.index]}")
-
-  iam_instance_profile = var.instance_profile_names[count.index]
-}

+ 0 - 20
base/palo_alto/firewall_nodes/outputs.tf

@@ -1,20 +0,0 @@
-# Output data from PA
-output "instance_ids" {
-  value = aws_instance.palo[*].id
-}
-
-output "untrusted_ips_private" {
-  value = aws_instance.palo[*].private_ip
-}
-
-output "untrusted_ips" {
-  value = aws_eip.untrusted_eip[*].public_ip
-}
-
-output "management_ips_private" {
-  value = aws_eip.management_eip[*].private_ip
-}
-
-output "management_ips" {
-  value = aws_eip.management_eip[*].public_ip
-}

+ 0 - 57
base/palo_alto/firewall_nodes/vars.tf

@@ -1,57 +0,0 @@
-variable "azs" {
-  description = "List of AZs for the palo altos"
-  type        = list(any)
-}
-
-variable "management_security_group_ids" {
-  description = "List of security groups for PA interfaces."
-  type        = list(any)
-}
-
-variable "untrusted_security_group_ids" {
-  description = "List of security groups for PA interfaces."
-  type        = list(any)
-}
-
-variable "palo_alto_count" {
-  description = "How many to create, should be divisible by 2 for production"
-  type        = number
-  default     = 2
-}
-
-variable "tags" {
-  description = "Tags to add to the resource (in addition to global standard tags)"
-  type        = map(any)
-  default     = {}
-}
-
-variable "palo_alto_instance_type" { type = string }
-variable "palo_alto_key_name" { type = string }
-variable "instance_termination_protection" { type = bool }
-variable "subnet_id_map" { type = map(any) }
-variable "subnet_cidr_map" { type = map(any) }
-variable "bucket_ids" { type = list(any) }
-variable "instance_profile_names" { type = list(any) }
-
-# ----------------------------------
-# Below this line are variables inherited from higher levels, so they
-# do not need to be explicitly passed to this module.
-variable "standard_tags" {
-  type = map(any)
-}
-
-variable "inside_domain" {
-  type = string
-}
-
-variable "aws_region" {
-  type = string
-}
-
-variable "environment" {
-  type = string
-}
-
-variable "aws_partition_alias" {
-  type = string
-}

+ 0 - 3
base/palo_alto/panorama/README.md

@@ -1,3 +0,0 @@
-# Panorama
-
-Creates panorama nodes spread across the AZs.

+ 0 - 28
base/palo_alto/panorama/ami.tf

@@ -1,28 +0,0 @@
-# I'd much rather do a find_ami here.
-variable "panorama_ami" {
-  default = {
-    us-east-1     = "ami-0d223a3ed251da3a0"
-    us-gov-east-1 = "ami-12cc2063"
-  }
-}
-
-# From their examples:
-# data "aws_ami" "panos_firewall_ami" {
-#  most_recent = "${var.fw_version == "latest" ? true : false}"
-#  owners      = ["679593333241"]
-#
-#  filter {
-#    name   = "name"
-#    values = ["PA-VM-AWS-${replace(var.fw_version, "/latest/", "")}*"]
-#  }
-#
-#  filter {
-#    name   = "product-code.type"
-#    values = ["marketplace"]
-#  }
-#
-#  filter {
-#    name   = "product-code"
-#    values = ["${lookup(var.bundles, var.fw_bundle)}"]
-#  }
-#}

+ 0 - 72
base/palo_alto/panorama/main.tf

@@ -1,72 +0,0 @@
-# Panorama
-resource "aws_placement_group" "panorama_group" {
-  name     = "Panorama Placement Group"
-  strategy = "spread"
-}
-
-resource "aws_instance" "panorama" {
-  count                                = var.panorama_count
-  ami                                  = lookup(var.panorama_ami, var.aws_region)
-  availability_zone                    = var.azs[count.index % 2]
-  placement_group                      = aws_placement_group.panorama_group.id
-  tenancy                              = "default"
-  ebs_optimized                        = true
-  disable_api_termination              = var.instance_termination_protection
-  instance_initiated_shutdown_behavior = "stop"
-  instance_type                        = var.panorama_instance_type
-  key_name                             = var.panorama_key_name
-  monitoring                           = false
-  vpc_security_group_ids               = var.panorama_security_group_ids
-  subnet_id                            = var.subnet_id_map["management"][count.index % 2]
-  #associate_public_ip_address = true # causes a recreate on apply if you set this!
-  private_ip        = cidrhost(var.subnet_cidr_map["management"][count.index % 2], 5 + (count.index % 2))
-  source_dest_check = true
-
-  tags = merge(
-    var.standard_tags,
-    var.tags,
-    { Name = "xdr-panorama-${count.index}" }
-  )
-
-  root_block_device {
-    volume_type           = "gp2"
-    volume_size           = "81"
-    delete_on_termination = true
-    encrypted             = true
-    kms_key_id            = var.ebs_key
-  }
-
-  # The provisioner doesn't do anything
-  #connection {
-  #  type = "ssh"
-  #  user = "admin"
-  #  private_key = file("~/.ssh/id_rsa") # Use your private key
-  #  host = aws_eip.management_eip[count.index].public_ip
-  #} 
-  #
-  #provisioner "remote-exec" {
-  #  # Used by a provisioner
-  #
-  #  inline = [
-  #    "set mgt-config users admin password",
-  #    "testme",
-  #    "testme",
-  #    "commit"
-  #  ]
-  #  on_failure = continue
-  #}
-}
-
-# EIP for Management Interface, declared separately so they're easier to preserve
-resource "aws_eip" "management_eip" {
-  count = var.panorama_count
-  vpc   = true
-}
-
-resource "aws_eip_association" "eip_assoc" {
-  count              = var.panorama_count
-  instance_id        = aws_instance.panorama[count.index].id
-  allocation_id      = aws_eip.management_eip[count.index].id
-  private_ip_address = cidrhost(var.subnet_cidr_map["management"][count.index % 2], 5 + (count.index % 2))
-}
-

+ 0 - 12
base/palo_alto/panorama/outputs.tf

@@ -1,12 +0,0 @@
-# Output data from PA
-output "instance_ids" {
-  value = aws_instance.panorama[*].id
-}
-
-output "management_private_ips" {
-  value = aws_instance.panorama[*].private_ip
-}
-
-output "management_ips" {
-  value = aws_eip.management_eip[*].public_ip
-}

+ 0 - 56
base/palo_alto/panorama/vars.tf

@@ -1,56 +0,0 @@
-variable "azs" {
-  description = "List of AZs for the devices"
-  type        = list(any)
-}
-
-variable "panorama_security_group_ids" {
-  description = "List of security groups for interfaces."
-  type        = list(any)
-}
-
-
-variable "ebs_key" {
-  description = "Key with which to encrypt the panorama ebs"
-  type        = string
-}
-
-variable "tags" {
-  description = "Tags to add to the resource (in addition to global standard tags)"
-  type        = map(any)
-  default     = {}
-}
-
-variable "panorama_count" {
-  description = "How many to create, should be divisible by 2 for production"
-  type        = number
-  default     = 2
-}
-
-variable "panorama_instance_type" { type = string }
-variable "panorama_key_name" { type = string }
-variable "instance_termination_protection" { type = bool }
-variable "subnet_id_map" { type = map(any) }
-variable "subnet_cidr_map" { type = map(any) }
-
-# ----------------------------------
-# Below this line are variables inherited from higher levels, so they
-# do not need to be explicitly passed to this module.
-variable "standard_tags" {
-  type = map(any)
-}
-
-variable "inside_domain" {
-  type = string
-}
-
-variable "aws_region" {
-  type = string
-}
-
-variable "environment" {
-  type = string
-}
-
-variable "aws_partition_alias" {
-  type = string
-}

+ 0 - 50
base/qualys_connector_role/main.tf

@@ -1,50 +0,0 @@
-data "aws_partition" "current" {}
-
-data "aws_iam_policy_document" "qualys_assume_role_policy" {
-  statement {
-    effect = "Allow"
-    principals {
-      type = "AWS"
-      identifiers = [
-        "arn:${data.aws_partition.current.partition}:iam::${var.common_services_account}:user/service_accounts/qualys"
-      ]
-    }
-    actions = [
-      "sts:AssumeRole"
-    ]
-
-    condition {
-      test     = "StringEquals"
-      variable = "sts:ExternalId"
-      values = [
-        var.qualys_connector_externalid
-      ]
-    }
-  }
-}
-
-data "aws_iam_policy_document" "qualys_role_policy" {
-  statement {
-    effect = "Allow"
-    actions = [
-      "ec2:DescribeInstances",
-      "ec2:DescribeAddresses",
-      "ec2:DescribeImages"
-    ]
-    resources = ["*"]
-  }
-}
-
-resource "aws_iam_role" "qualys" {
-  name               = "QualysConnectorRole"
-  assume_role_policy = data.aws_iam_policy_document.qualys_assume_role_policy.json
-  description        = "Qualys Connector for EC2 instance enumeration"
-  tags               = var.tags
-}
-
-resource "aws_iam_role_policy" "qualys" {
-  role   = aws_iam_role.qualys.id
-  name   = "QualysEC2Connector"
-  policy = data.aws_iam_policy_document.qualys_role_policy.json
-
-}

+ 0 - 3
base/qualys_connector_role/outputs.tf

@@ -1,3 +0,0 @@
-output "qualys_role_arn" {
-  value = aws_iam_role.qualys.arn
-}

+ 0 - 13
base/qualys_connector_role/variables.tf

@@ -1,13 +0,0 @@
-variable "qualys_connector_externalid" {
-  description = "External ID from Qualys Connector"
-  type        = string
-}
-
-variable "common_services_account" {
-  type = string
-}
-
-variable "tags" {
-  type    = map(any)
-  default = {}
-}

+ 0 - 5
base/qualys_iam_baseaccount/README.md

@@ -1,5 +0,0 @@
-# qualys_iam_baseaccount - makes a qualys "base account"
-
-Qualys has this concept of a "base account" that is effectively
-an IAM account.  This makes an IAM user with keys for qualys to
-use ...

+ 0 - 30
base/qualys_iam_baseaccount/main.tf

@@ -1,30 +0,0 @@
-data "aws_partition" "this" {}
-
-resource "aws_iam_user" "this" {
-  name          = "qualys"
-  path          = "/service_accounts/"
-  tags          = var.tags
-  force_destroy = true
-}
-
-resource "aws_iam_access_key" "this" {
-  user    = aws_iam_user.this.name
-  pgp_key = var.pgp_key
-}
-
-resource "aws_iam_user_policy" "assume_role" {
-  name   = "assume_role"
-  user   = aws_iam_user.this.name
-  policy = data.aws_iam_policy_document.assume_role.json
-}
-
-data "aws_iam_policy_document" "assume_role" {
-  statement {
-    effect  = "Allow"
-    actions = ["sts:AssumeRole"]
-    resources = [
-      "arn:${data.aws_partition.this.partition}:iam::*:role/QualysConnectorRole",
-      "arn:${data.aws_partition.this.partition}:iam::*:role/Role_For_QualysEC2Connector",
-    ]
-  }
-}

+ 0 - 7
base/qualys_iam_baseaccount/outputs.tf

@@ -1,7 +0,0 @@
-output "key_id" {
-  value = aws_iam_access_key.this.id
-}
-
-output "secret" {
-  value = aws_iam_access_key.this.encrypted_secret
-}

+ 0 - 8
base/qualys_iam_baseaccount/variables.tf

@@ -1,8 +0,0 @@
-variable "tags" {
-  type    = map(any)
-  default = {}
-}
-
-variable "pgp_key" {
-  type = string
-}

+ 0 - 128
base/qualys_scanners/ec2.tf

@@ -1,128 +0,0 @@
-data "aws_ami" "preauthorized" {
-
-  most_recent = true
-  owners      = ["aws-marketplace"]
-
-  filter {
-    name   = "product-code"
-    values = ["1mp9h4zd2ze4biqif5schqeyu"]
-  }
-  filter {
-    name   = "name"
-    values = ["qVSA*"]
-  }
-}
-
-data "aws_ami" "standard" {
-
-  most_recent = true
-  owners      = ["aws-marketplace"]
-
-  filter {
-    name   = "product-code"
-    values = ["9hnn1m0a6jb7k2r1n9itk3jxu"]
-  }
-  filter {
-    name   = "name"
-    values = ["qVSA*"]
-  }
-}
-
-# Use the default EBS key
-data "aws_kms_key" "ebs-key" {
-  key_id = "alias/ebs_root_encrypt_decrypt"
-}
-
-resource "aws_instance" "qualys_scanner_preauthorized" {
-
-  count         = var.create_preauthorized_scanner == true ? 1 : 0
-  ami           = data.aws_ami.preauthorized.id
-  instance_type = "t3.medium"
-  subnet_id     = var.subnets[0]
-
-  user_data = base64encode("PERSCODE=${var.personalization_codes["preauthorized"]}%{if var.proxy != ""}\nPROXY_URL=${var.proxy}:80%{endif}")
-  key_name  = "msoc-build"
-
-  ebs_optimized = true
-  vpc_security_group_ids = [
-    module.qualys_scanner_sg.security_group_id
-  ]
-
-  credit_specification {
-    cpu_credits = "unlimited"
-  }
-
-  tags        = merge(var.standard_tags, var.tags, { "Name" : "qualys-scanner-preauthorized" })
-  volume_tags = merge(var.standard_tags, var.tags, { "Name" : "qualys-scanner-preauthorized" })
-  root_block_device {
-    volume_size = 100
-    volume_type = "gp2"
-    encrypted   = true
-    kms_key_id  = data.aws_kms_key.ebs-key.arn
-  }
-  lifecycle {
-    ignore_changes = [ami]
-  }
-}
-
-resource "aws_instance" "qualys_scanner_standard" {
-
-  count         = var.create_standard_scanner == true ? 1 : 0
-  ami           = data.aws_ami.standard.id
-  instance_type = "t3.medium"
-  subnet_id     = var.subnets[0]
-  key_name      = "msoc-build"
-
-  user_data = base64encode("PERSCODE=${var.personalization_codes["standard"]}%{if var.proxy != ""}\nPROXY_URL=${var.proxy}:80%{endif}")
-
-  ebs_optimized = true
-  vpc_security_group_ids = [
-    module.qualys_scanner_sg.security_group_id
-  ]
-
-  credit_specification {
-    cpu_credits = "unlimited"
-  }
-
-  tags        = merge(var.standard_tags, var.tags, { "Name" : "qualys-scanner-standard" })
-  volume_tags = merge(var.standard_tags, var.tags, { "Name" : "qualys-scanner-standard" })
-  root_block_device {
-    volume_size = 100
-    volume_type = "gp2"
-    encrypted   = true
-    kms_key_id  = data.aws_kms_key.ebs-key.arn
-  }
-
-  lifecycle {
-    ignore_changes = [ami]
-  }
-}
-
-module "private_dns_record_preauthorized" {
-  source = "../../submodules/dns/private_A_record"
-  count  = var.create_preauthorized_scanner == true ? 1 : 0
-
-  name            = "qualys-preauthorized"
-  ip_addresses    = [aws_instance.qualys_scanner_preauthorized[count.index].private_ip]
-  dns_info        = var.dns_info
-  reverse_enabled = var.reverse_enabled
-
-  providers = {
-    aws.c2 = aws.c2
-  }
-}
-
-module "private_dns_record_standard" {
-  source = "../../submodules/dns/private_A_record"
-
-  count = var.create_standard_scanner == true ? 1 : 0
-
-  name            = "qualys-standard"
-  ip_addresses    = [aws_instance.qualys_scanner_standard[count.index].private_ip]
-  dns_info        = var.dns_info
-  reverse_enabled = var.reverse_enabled
-
-  providers = {
-    aws.c2 = aws.c2
-  }
-}

+ 0 - 49
base/qualys_scanners/security-groups.tf

@@ -1,49 +0,0 @@
-# Several of these security groups will have customer IPs listed in them to allow
-# POP systems to access our services.
-#
-
-locals {
-
-  # Qualys known CIDRs for scanners to call back to home
-  # (in lieu of using the proxy at least for now)
-  qualys_mgmt_cidrs = [
-    "64.39.96.0/24"
-  ]
-
-}
-
-module "qualys_scanner_sg" {
-  use_name_prefix = false
-  source          = "terraform-aws-modules/security-group/aws"
-  version         = "~> 3"
-  name            = "qualys-scanner"
-  tags            = merge(var.standard_tags, var.tags)
-  vpc_id          = var.vpc_id
-
-  egress_with_cidr_blocks = [
-    #{
-    #  from_port   = 443
-    #  to_port     = 443
-    #  protocol    = "TCP"
-    #  description = "Qualys Management Plane"
-    #  cidr_blocks = join(",",local.qualys_mgmt_cidrs)
-    #},
-    {
-      from_port   = -1
-      to_port     = -1
-      protocol    = "ALL"
-      description = "Outbound for scanning things"
-      cidr_blocks = "10.0.0.0/8"
-    }
-  ]
-
-  ingress_with_cidr_blocks = [
-    {
-      from_port   = -1
-      to_port     = -1
-      protocol    = "ICMP"
-      description = "Permit all ICMP"
-      cidr_blocks = "10.0.0.0/8"
-    }
-  ]
-}

+ 0 - 50
base/qualys_scanners/vars.tf

@@ -1,50 +0,0 @@
-variable "create_preauthorized_scanner" {
-  description = "Flag for creating pre-authed scanner instance"
-  type        = bool
-  default     = true
-}
-
-variable "create_standard_scanner" {
-  description = "Flag for creating standard scanner instance"
-  type        = bool
-  default     = true
-}
-
-variable "personalization_codes" {
-  description = "Magic values from qualys authorizing the scanners"
-  type        = map(any)
-  default     = {}
-}
-
-variable "subnets" {
-  type = list(string)
-}
-
-variable "vpc_id" {
-  type = string
-}
-
-variable "proxy" {
-  type    = string
-  default = ""
-}
-
-variable "tags" {
-  description = "Tags to add to the resource (in addition to global standard tags)"
-  type        = map(any)
-  default     = {}
-}
-
-variable "reverse_enabled" {
-  description = "Whether to create the reverse DNS entry."
-  type        = bool
-  default     = true
-}
-
-
-variable "dns_info" { type = map(any) }
-
-variable "standard_tags" { type = map(any) }
-variable "environment" { type = string }
-variable "aws_region" { type = string }
-variable "aws_partition" { type = string }

+ 0 - 5
base/security_vpc/README.md

@@ -1,5 +0,0 @@
-# Security VPCs for Palo firewalls
-
-Creates a VPC for the PA firewalls, consisting of two AZs, each with a public and a management VPC. In the interest of keeping security VPCs clean, this has a fewer VPC endpoints. The Palo Altos should not need them.
-
-These VPCs are NOT connected to the transit gateways. Instead, the Palo Alto creates a VPN connection to the TGW.

+ 0 - 30
base/security_vpc/ebs-kms-key.tf

@@ -1,30 +0,0 @@
-module "kms_security" {
-  source = "../../submodules/kms/ebs-key"
-
-  name              = "kms_security"
-  alias             = "alias/kms_security"
-  description       = "Used for encrypting security things such as the interconnects ebs drives."
-  tags              = merge(var.standard_tags, var.tags)
-  key_admin_arns    = []
-  key_user_arns     = []
-  key_attacher_arns = []
-  standard_tags     = var.standard_tags
-  aws_account_id    = var.aws_account_id
-  aws_partition     = var.aws_partition
-  is_legacy         = var.is_legacy
-}
-
-#module "kms_palo" {
-#  source = "../../../submodules/kms/ebs-key"
-#
-#  name = "palo_alto_ebs"
-#  alias = "alias/palo_alto_ebs"
-#  description = "Used for encrypting palo alto and panorama images."
-#  tags = merge(var.standard_tags, var.tags)
-#  key_admin_arns = [ ]
-#  key_user_arns = [ ]
-#  key_attacher_arns =  [ ]
-#  standard_tags = var.standard_tags
-#  aws_account_id = var.aws_account_id
-#  aws_partition = var.aws_partition
-#}

+ 0 - 93
base/security_vpc/main.tf

@@ -1,93 +0,0 @@
-locals {
-  azs = slice(data.aws_availability_zones.available.names, 0, 2)
-  subnets = [
-    cidrsubnet(var.vpc_info["cidr"], 3, 0),
-    cidrsubnet(var.vpc_info["cidr"], 3, 1),
-    cidrsubnet(var.vpc_info["cidr"], 3, 2),
-    cidrsubnet(var.vpc_info["cidr"], 3, 3),
-    cidrsubnet(var.vpc_info["cidr"], 3, 4),
-    cidrsubnet(var.vpc_info["cidr"], 3, 5),
-    cidrsubnet(var.vpc_info["cidr"], 3, 6),
-    cidrsubnet(var.vpc_info["cidr"], 3, 7),
-  ]
-  vpc_name = "${var.vpc_info["name"]}-${var.account_name}"
-}
-
-data "aws_availability_zones" "available" {
-  state = "available"
-}
-
-module "vpc" {
-  source  = "terraform-aws-modules/vpc/aws"
-  version = "~> v2.70"
-  name    = local.vpc_name
-  cidr    = var.vpc_info["cidr"]
-
-  azs = local.azs
-
-  # 2 private and 2 public here, but 2 more of each will be created after in the same azs
-  private_subnets = [
-    local.subnets[0],
-    local.subnets[1],
-  ]
-  private_subnet_tags = merge(var.standard_tags, var.tags, { "Purpose" = var.vpc_info["purpose"] })
-
-  public_subnets = [
-    local.subnets[4],
-    local.subnets[5]
-  ]
-  public_subnet_tags = merge(var.standard_tags, var.tags, { "Purpose" = var.vpc_info["purpose"] })
-
-  enable_nat_gateway       = false
-  enable_vpn_gateway       = false
-  enable_dns_hostnames     = true
-  enable_s3_endpoint       = true
-  enable_dynamodb_endpoint = false
-  enable_sts_endpoint      = false
-  enable_kms_endpoint      = false
-  enable_dhcp_options      = true
-
-  enable_ec2_endpoint             = true # PA likes a local ec2 endpoint
-  ec2_endpoint_security_group_ids = [module.aws_endpoints_sg.security_group_id]
-
-  dhcp_options_domain_name = var.dns_info["private"]["zone"]
-
-  tags = merge(var.standard_tags, var.tags, { "Purpose" = var.vpc_info["purpose"] })
-}
-
-resource "aws_flow_log" "flowlogs" {
-  iam_role_arn    = "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/aws_services/flowlogs"
-  log_destination = "arn:${var.aws_partition}:logs:${var.aws_region}:${var.aws_account_id}:log-group:vpc_flow_logs"
-
-  traffic_type = "REJECT" # ALL is very noisy, and CIS only requires rejects.
-  vpc_id       = module.vpc.vpc_id
-  tags         = merge(var.standard_tags, var.tags, { "Purpose" = var.vpc_info["purpose"] })
-}
-
-resource "aws_subnet" "mgmt" {
-  count             = 2
-  depends_on        = [module.vpc]
-  vpc_id            = module.vpc.vpc_id
-  cidr_block        = local.subnets[6 + count.index]
-  availability_zone = local.azs[count.index]
-
-  tags = merge(var.standard_tags, var.tags, { "Purpose" = var.vpc_info["purpose"] })
-}
-
-resource "aws_route_table_association" "mgmt-to-internet" {
-  count          = 2
-  depends_on     = [aws_subnet.mgmt, module.vpc]
-  subnet_id      = aws_subnet.mgmt[count.index].id
-  route_table_id = module.vpc.public_route_table_ids[0] # only 1 public route table
-}
-
-resource "aws_subnet" "standalone_tgw" {
-  # A standalone private subnet that could be connected to the tgw
-  count             = 2
-  depends_on        = [module.vpc]
-  vpc_id            = module.vpc.vpc_id
-  cidr_block        = local.subnets[2 + count.index]
-  availability_zone = local.azs[count.index]
-
-  tags = merge(var.standard_tags, var.tags, { "Purpose" = var.vpc_info["purpose"] })
-}

+ 0 - 64
base/security_vpc/outputs.tf

@@ -1,64 +0,0 @@
-output "vpc_id" {
-  value = module.vpc.vpc_id
-}
-
-output "public_subnets" {
-  value = concat(
-    module.vpc.public_subnets,
-    aws_subnet.mgmt[*].id
-  )
-}
-
-output "private_subnets" {
-  value = concat(
-    module.vpc.private_subnets,
-    aws_subnet.standalone_tgw[*].id
-  )
-}
-
-output "subnet_id_map" {
-  value = {
-    "untrusted"      = module.vpc.public_subnets,
-    "management"     = aws_subnet.mgmt[*].id,
-    "private"        = module.vpc.private_subnets,
-    "tgw_standalone" = aws_subnet.standalone_tgw[*].id
-  }
-}
-
-output "subnet_cidr_map" {
-  value = {
-    "untrusted"      = module.vpc.public_subnets_cidr_blocks,
-    "management"     = aws_subnet.mgmt[*].cidr_block,
-    "private"        = module.vpc.private_subnets_cidr_blocks,
-    "tgw_standalone" = aws_subnet.standalone_tgw[*].cidr_block,
-  }
-}
-
-output "security_groups" {
-  value = {
-    allow_all          = module.allow_all_sg.security_group_id
-    allow_all_outbound = module.allow_all_outbound_sg.security_group_id
-    allow_trusted      = module.allow_trusted_sg.security_group_id
-    allow_all_intravpc = module.allow_all_intravpc.security_group_id
-  }
-}
-
-output "private_route_tables" {
-  value = module.vpc.private_route_table_ids
-}
-
-output "public_route_tables" {
-  value = module.vpc.public_route_table_ids
-}
-
-output "azs" {
-  value = module.vpc.azs
-}
-
-output "kms_security_arn" {
-  value = module.kms_security.key_arn
-}
-
-#output kms_palo_key_arn {
-#  value = module.kms_palo.key_arn
-#}

+ 0 - 82
base/security_vpc/security-groups.tf

@@ -1,82 +0,0 @@
-# Several of these security groups will have customer IPs listed in them to allow
-# POP systems to access our services.
-#
-
-locals {
-}
-
-module "aws_endpoints_sg" {
-  use_name_prefix = false
-  source          = "terraform-aws-modules/security-group/aws"
-  version         = "= 4.0.0"
-  name            = "aws_endpoints"
-  tags            = merge(var.standard_tags, var.tags)
-  vpc_id          = module.vpc.vpc_id
-
-  ingress_cidr_blocks     = [module.vpc.vpc_cidr_block]
-  egress_cidr_blocks      = [module.vpc.vpc_cidr_block]
-  egress_ipv6_cidr_blocks = []
-
-  egress_rules  = ["all-all"]
-  ingress_rules = ["all-all"]
-}
-
-module "allow_all_sg" {
-  use_name_prefix = false
-  source          = "terraform-aws-modules/security-group/aws"
-  version         = "= 4.0.0"
-  name            = "allow-all"
-  tags            = merge(var.standard_tags, var.tags)
-  vpc_id          = module.vpc.vpc_id
-
-  ingress_cidr_blocks = ["0.0.0.0/0"]
-  egress_cidr_blocks  = ["0.0.0.0/0"]
-  ingress_rules       = ["all-all"]
-  egress_rules        = ["all-all"]
-}
-
-module "allow_all_outbound_sg" {
-  use_name_prefix = false
-  source          = "terraform-aws-modules/security-group/aws"
-  version         = "= 4.0.0"
-  name            = "allow-all-outbound"
-  tags            = merge(var.standard_tags, var.tags)
-  vpc_id          = module.vpc.vpc_id
-
-  egress_rules = ["all-all"]
-}
-
-module "allow_trusted_sg" {
-  use_name_prefix = false
-  source          = "terraform-aws-modules/security-group/aws"
-  version         = "= 4.0.0"
-  name            = "allow_trusted"
-  tags            = merge(var.standard_tags, var.tags)
-  vpc_id          = module.vpc.vpc_id
-
-  egress_rules        = ["all-all"]
-  ingress_rules       = ["http-80-tcp", "https-443-tcp", "ssh-tcp", "all-icmp"]
-  ingress_cidr_blocks = concat(var.trusted_ips, [module.vpc.vpc_cidr_block])
-}
-
-module "allow_all_intravpc" {
-  use_name_prefix = false
-  source          = "terraform-aws-modules/security-group/aws"
-  version         = "= 4.0.0"
-  name            = "allow_all_intravpc"
-  tags            = merge(var.standard_tags, var.tags)
-  vpc_id          = module.vpc.vpc_id
-
-  egress_rules        = ["all-all"]
-  ingress_rules       = ["all-all"]
-  ingress_cidr_blocks = [module.vpc.vpc_cidr_block]
-}
-
-# CIS 4.3 - Default security group should restrict all traffic
-#
-# This resource is special, and clears out existing rules. See:
-# See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group
-resource "aws_default_security_group" "default" {
-  vpc_id = module.vpc.vpc_id
-  tags   = merge(var.standard_tags, var.tags)
-}

+ 0 - 23
base/security_vpc/vars.tf

@@ -1,23 +0,0 @@
-variable "tags" {
-  description = "Tags to add to the resource (in addition to global standard tags)"
-  type        = map(any)
-  default     = {}
-}
-
-#variable "palo_alto_instance_type" { type = string }
-#variable "palo_alto_key_name" { type = string }
-
-# ----------------------------------
-# Below this line are variables inherited from higher levels, so they
-# do not need to be explicitly passed to this module.
-variable "vpc_info" { type = map(any) }
-variable "is_legacy" { type = bool }
-variable "standard_tags" { type = map(any) }
-variable "dns_info" { type = map(any) }
-variable "aws_account_id" { type = string }
-variable "aws_region" { type = string }
-variable "environment" { type = string }
-variable "account_name" { type = string }
-variable "aws_partition" { type = string }
-variable "aws_partition_alias" { type = string }
-variable "trusted_ips" { type = list(any) }