├── docs
    ├── partner_editable
    │   ├── regions.adoc
    │   ├── specialized_knowledge.adoc
    │   ├── licenses.adoc
    │   ├── service_limits.adoc
    │   ├── overview_target_and_usage.adoc
    │   ├── _settings.adoc
    │   ├── product_description.adoc
    │   ├── faq_troubleshooting.adoc
    │   ├── pre-reqs.adoc
    │   ├── deployment_options.adoc
    │   ├── architecture.adoc
    │   ├── deploy_steps.adoc
    │   └── additional_info.adoc
    └── images
    │   ├── cfn_outputs.png
    │   ├── cluster-master-sfrf-met.png
    │   ├── indexer-clustering-menu.png
    │   ├── search-head-distributed-search-menu.png
    │   ├── splunk-enterprise-architecture-on-aws.png
    │   └── search-head-distributed-search-success.png
├── .gitmodules
├── NOTICE.txt
├── ci
    ├── taskcat.yml
    └── defaults.json
├── README.md
├── LICENSE.txt
├── templates
    ├── splunk-enterprise-master.template
    └── splunk-enterprise.template
└── scripts
    └── user_data.sh


/docs/partner_editable/regions.adoc:
--------------------------------------------------------------------------------
1 | - All AWS Regions 
2 | 


--------------------------------------------------------------------------------
/docs/images/cfn_outputs.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/splunk/quickstart-splunk-enterprise/HEAD/docs/images/cfn_outputs.png


--------------------------------------------------------------------------------
/docs/images/cluster-master-sfrf-met.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/splunk/quickstart-splunk-enterprise/HEAD/docs/images/cluster-master-sfrf-met.png


--------------------------------------------------------------------------------
/docs/images/indexer-clustering-menu.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/splunk/quickstart-splunk-enterprise/HEAD/docs/images/indexer-clustering-menu.png


--------------------------------------------------------------------------------
/docs/images/search-head-distributed-search-menu.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/splunk/quickstart-splunk-enterprise/HEAD/docs/images/search-head-distributed-search-menu.png


--------------------------------------------------------------------------------
/.gitmodules:
--------------------------------------------------------------------------------
1 | [submodule "submodules/quickstart-aws-vpc"]
2 | 	path = submodules/quickstart-aws-vpc
3 | 	url = ../../aws-quickstart/quickstart-aws-vpc.git 
4 | 	branch = master
5 | 


--------------------------------------------------------------------------------
/docs/images/splunk-enterprise-architecture-on-aws.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/splunk/quickstart-splunk-enterprise/HEAD/docs/images/splunk-enterprise-architecture-on-aws.png


--------------------------------------------------------------------------------
/docs/images/search-head-distributed-search-success.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/splunk/quickstart-splunk-enterprise/HEAD/docs/images/search-head-distributed-search-success.png


--------------------------------------------------------------------------------
/docs/partner_editable/specialized_knowledge.adoc:
--------------------------------------------------------------------------------
1 | // Describe or link to specific knowledge requirements; for example: “familiarity with basic concepts in the areas of networking, database operations, and data encryption” or “familiarity with <software>.”
2 | 
3 | This Quick Start assumes familiarity with basic concepts of networking and Linux system administration, as well as basic knowledge of {partner-product-name}
4 | 


--------------------------------------------------------------------------------
/docs/partner_editable/licenses.adoc:
--------------------------------------------------------------------------------
1 | This Quick Start requires a subscription to the Amazon Machine Image (AMI) for {partner-product-name}, which is available from AWS Marketplace. For subscription instructions, see step 2 under "Subscribe to the {partner-product-name} AMI" in the link:#_deployment_steps[deployment steps]. In addition, to fully utilize the Quick Start environment, a {partner-product-name} license is required.  If you do not have one, please contact sales@splunk.com
2 | 


--------------------------------------------------------------------------------
/docs/partner_editable/service_limits.adoc:
--------------------------------------------------------------------------------
 1 | // Replace the <n> in each row to specify the number of resources used in this deployment. Remove the rows for resources that aren’t used.
 2 | 
 3 | |===
 4 | |Resource |This deployment uses
 5 | 
 6 | // Space needed to maintain table headers
 7 | |VPCs |1
 8 | |AWS Identity and Access Management (IAM) security groups |2 or more
 9 | |IAM roles |2 or more
10 | |Auto Scaling groups |1
11 | |Classic Load Balancers |2
12 | |EC2 Instances |5 or more
13 | |EBS Volumes|5 or more
14 | |S3 Buckets |1
15 | |===
16 | 


--------------------------------------------------------------------------------
/NOTICE.txt:
--------------------------------------------------------------------------------
1 | Copyright 2016-2017 Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | 
3 | Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at
4 | 
5 |     http://aws.amazon.com/apache2.0/
6 | 
7 | or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
8 | 


--------------------------------------------------------------------------------
/docs/partner_editable/overview_target_and_usage.adoc:
--------------------------------------------------------------------------------
1 | This Quick Start provides architectural guidance and step-by-step instructions for a high availability deployment of {partner-product-name} on AWS.  The guide addresses common scalability, high-availability, and security considerations for your deployment.
2 | 
3 | This guide is intended for a variety of audiences, including IT infrastructure architects, administrators, and DevOps professionals who are planning to implement or extend their Splunk Enterprise deployments on the AWS Cloud.  It also provides direct links for viewing and launching AWS CloudFormation templates that assist with automating the deployment
4 | 


--------------------------------------------------------------------------------
/ci/taskcat.yml:
--------------------------------------------------------------------------------
 1 | global:
 2 |   marketplace-ami: true
 3 |   owner: quickstart@amazon.com
 4 |   qsname: quickstart-splunk-enterprise
 5 |   regions:
 6 |     - ap-northeast-1
 7 |     - ap-northeast-2
 8 |     - ap-south-1
 9 |     - ap-southeast-1
10 |     - ap-southeast-2
11 |     - ca-central-1
12 |     - eu-central-1
13 |     - eu-west-1
14 |     - eu-west-2
15 |     - sa-east-1
16 |     - us-east-1
17 |     - us-east-2
18 |     - us-west-1
19 |     - us-west-2
20 |   reporting: true
21 | tests:
22 |   splunk-enterprise:
23 |     parameter_input: defaults.json
24 |     template_file: splunk-enterprise-master.template
25 |     regions:
26 |     - us-west-1
27 |     - us-east-2
28 | 


--------------------------------------------------------------------------------
/docs/partner_editable/_settings.adoc:
--------------------------------------------------------------------------------
 1 | :quickstart-project-name: quickstart-splunk-enterprise
 2 | :partner-product-name: Splunk Enterprise
 3 | :partner-company-name: Splunk Inc.
 4 | :doc-month: March
 5 | :doc-year: 2021
 6 | :partner-contributors: Bill Bartlett, {partner-company-name}
 7 | :quickstart-contributors: Shivansh Singh, Amazon Web Services
 8 | :deployment_time: 25 minutes
 9 | :default_deployment_region: us-east-1
10 | // Uncomment these two attributes if you are leveraging
11 | // - an AWS Marketplace listing.
12 | // Additional content will be auto-generated based on these attributes.
13 | :marketplace_subscription:
14 | :marketplace_listing_url: https://aws.amazon.com/marketplace/pp/Splunk-Splunk-Enterprise/B00PUXWXNE
15 | 


--------------------------------------------------------------------------------
/docs/partner_editable/product_description.adoc:
--------------------------------------------------------------------------------
1 | This Quick Start deploys {partner-product-name} on the AWS Cloud
2 | 
3 | {partner-product-name} is the platform for turning data into doing. By monitoring and analyzing everything from customer clickstreams and transactions to security events and network activity, {partner-product-name} is a scalable and reliable data platform for investigating, monitoring, analyzing and acting on your data. With a full range of powerful search, analysis, alert, and visualization capabilities along with prepackaged content for many typical use cases, users can quickly discover and share insights.
4 | 
5 | For more details about the features and functionality of {partner-product-name}, see the https://docs.splunk.com/Documentation/Splunk[Splunk Enterprise documentation^].
6 | 
7 | 
8 | 


--------------------------------------------------------------------------------
/docs/partner_editable/faq_troubleshooting.adoc:
--------------------------------------------------------------------------------
1 | // Add any tips or answers to anticipated questions. This could include the following troubleshooting information. If you don’t have any other Q&A to add, change “FAQ” to “Troubleshooting.”
2 | 
3 | == FAQ
4 | *Q.* Why is my search factor and/or replication factor not being met?
5 | 
6 | *A.* The most common reason for this is the cluster replication or search factor is set higher than the minimum indexers in a site.  For example, if you create a 5 node cluster across two sites, you will have 3 indexers in site1, and 2 indexers in site2.  In this example, if you also configured RF and/or SF = 3, Splunk will not be able to meet the required replication or search factor.  (RF or SF = 3, but you only have 2 indexers in site2)  For further reading, this topic is outlined in https://docs.splunk.com/Documentation/Splunk/8.1.2/Indexer/Bucketreplicationissues#Multisite_cluster_does_not_meet_its_replication_or_search_factors[Splunk documentation^].
7 | 


--------------------------------------------------------------------------------
/docs/partner_editable/pre-reqs.adoc:
--------------------------------------------------------------------------------
 1 | // If no preperation is required, remove all content from here.
 2 | There are two important steps to verify prior to launching this Quick start:
 3 | 
 4 | * Ensure that the SmartStore bucket that is defined in the "SmartStoreBucketName" parameter *does not exist*.  This Quick Start will attempt to create that bucket with an appropriate bucket policy. If that bucket already exists, the Quick Start will fail.
 5 | * Upload a valid Splunk license to an S3 bucket owned by the user launching the Quick Start.  Take note of the bucket name as well as the path to the license file.  An example may look something like this:
 6 | ** Splunk license file is named "splunk.license" and uploaded to an S3 bucket called "my-s3-bucket" under the 'directory' called "license"
 7 | *** Parameter "SplunkLicenseBucket" should be configured to: my-s3-bucket
 8 | *** Parameter "SplunkLicensePath" should be configured to: license/splunk.license (note the lack of a leading "/" on the license path)
 9 | 
10 | 


--------------------------------------------------------------------------------
/ci/defaults.json:
--------------------------------------------------------------------------------
 1 | [
 2 |   {
 3 |     "ParameterKey": "AvailabilityZones",
 4 |     "ParameterValue": "$[taskcat_genaz_2]"
 5 |   },
 6 |   {
 7 |     "ParameterKey": "WebClientLocation",
 8 |     "ParameterValue": "72.21.196.66/32"
 9 |   },
10 |   {
11 |     "ParameterKey": "HECClientLocation",
12 |     "ParameterValue": "10.0.0.0/16"
13 |   },
14 |   {
15 |     "ParameterKey": "KeyName",
16 |     "ParameterValue": "$[taskcat_getkeypair]"
17 |   },
18 |   {
19 |     "ParameterKey": "SSHClientLocation",
20 |     "ParameterValue": "10.0.0.0/16"
21 |   },
22 |   {
23 |     "ParameterKey": "SplunkAdminPassword",
24 |     "ParameterValue": "$[taskcat_genpass_10]"
25 |   },
26 |   {
27 |     "ParameterKey": "SplunkClusterSecret",
28 |     "ParameterValue": "$[taskcat_genpass_10]"
29 |   },
30 |   {
31 |     "ParameterKey": "SplunkIndexerDiscoverySecret",
32 |     "ParameterValue": "$[taskcat_genpass_10]"
33 |   },
34 |   {
35 |     "ParameterKey": "QSS3BucketName",
36 |     "ParameterValue": "$[taskcat_autobucket]"
37 |   }
38 | ]
39 | 


--------------------------------------------------------------------------------
/docs/partner_editable/deployment_options.adoc:
--------------------------------------------------------------------------------
 1 | // There are generally two deployment options. If additional are required, add them here
 2 | 
 3 | This Quick Start provides two deployment options:
 4 | 
 5 | * *Deploy {partner-product-name} into a new VPC (end-to-end deployment)*. This option builds a new AWS environment consisting of the VPC, subnets, security groups, load balancers, and other infrastructure components. It then deploys {partner-product-name} into this new VPC.
 6 | 
 7 | * *Deploy {partner-product-name} into an existing VPC*. This option provisions {partner-product-name} in your existing AWS infrastructure.
 8 | 
 9 | The Quick Start provides separate templates for these options. It also lets you configure Classless Inter-Domain Routing (CIDR) blocks, instance types, and {partner-product-name} settings, as discussed later in this guide.
10 | 
11 | For further information about the dimensions of a Splunk Enterprise deployment, see the {partner-product-name} https://docs.splunk.com/Documentation/Splunk/latest/Capacity/DimensionsofaSplunkEnterprisedeployment[capacity planning manual^].  Finally, for additional information specific to an AWS deployment, see {partner-product-name} https://www.splunk.com/pdfs/technical-briefs/deploying-splunk-enterprise-on-amazon-web-services-technical-brief.pdf[AWS tech brief^] for instance sizing considerations.
12 | 


--------------------------------------------------------------------------------
/docs/partner_editable/architecture.adoc:
--------------------------------------------------------------------------------
 1 | Deploying this Quick Start for a new VPC with default parameters builds the following {partner-product-name} environment in the AWS Cloud.
 2 | [#architecture1]
 3 | .Quick Start architecture for {partner-product-name} on AWS
 4 | [link=images/splunk-enterprise-architecture-on-aws.png]
 5 | image::../images/splunk-enterprise-architecture-on-aws.png[Architecture,width=648,height=439]
 6 | 
 7 | As shown in figure 1, the Quick Start sets up the following:
 8 | 
 9 | * A VPC configured across two or three Availability Zones, depending on your selection. The Quick Start provisions one public subnet in each Availability Zone.
10 | * Two Elastic Load Balancing (ELB) load balancers: one to load-balance HTTP web traffic to the search head instances, and the other to load-balance HTTP event traffic destined for the Splunk HTTP Event Collector (HEC) across all indexer instances.
11 | * An IAM user with fine-grained permissions for access to AWS services necessary for the initial deployment process.
12 | * Appropriate security groups for each instance or function to restrict access to only necessary protocols and ports.
13 | * Amazon Simple Storage Service (Amazon S3) bucket for Splunk SmartStore usage.
14 | * In the public subnets, EC2 instances for {partner-product-name}, including the following:
15 | ** {partner-product-name} indexer cluster with the number of indexers you specify (3-10), distributed across the number of Availability Zones you specify (2 or 3). The Splunk receiver (splunktcp) and Splunk HEC are enabled across all indexers.
16 | ** Splunk search head(s), either stand-alone or in a 3-node cluster, based on your input during deployment. In the latter case, the search heads are distributed across the number of Availability Zones you specify.
17 | ** Splunk license server and indexer cluster master, co-located.
18 | ** Splunk search head deployer, where applicable.
19 | 
20 | 
21 | If you decide to deploy Splunk Enterprise into your existing VPC, please see link:#_deployment_options[deployment options] later in this guide.  The Quick Start assumes that the infrastructure components already exist, and deploys Splunk Enterprise into the environment you specify.
22 | 
23 | 
24 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Splunk Enterprise on AWS - Quick Start
 2 | 
 3 | Source code associated with [Splunk Enterprise AWS Quick Start](https://fwd.aws/r7QNJ)
 4 | 
 5 | ## Usage
 6 | 
 7 | Use these templates to deploy a highly available Splunk Enterprise environment across multiple AZs (2 or 3) in a given AWS region.
 8 | AZ-aware indexer clustering is enabled for horizontal scaling and to guarantee data is replicated in every AZ.
 9 | AZ-aware Search head clustering (3 nodes by default) can also be enabled for horizontal scaling and to guarantee data is available for search in every AZ.
10 | 
11 | View the accompanying [deployment guide](https://fwd.aws/bGBmy) for everything you need to get started. Refer to 'Deployment Steps' section for a step-by-step walkthrough on how to use these templates in AWS console.
12 | 
13 | ### Prerequisites
14 | 
15 | Before getting started with the template configuration, you will need to make your Splunk Enterprise license privately accessible for CloudFormation template deployment via S3 download.  The following steps will guide you through that process.   *(Note:  This step is required.  A non-trial Splunk Enterprise license is required to allow our template to configure the Splunk deployment.  If you don't already have a Splunk Enterprise license, you can obtain one by contacting sales@splunk.com.)*
16 | 
17 |  1. From the AWS Console, select "S3" under the "Storage" heading, or by simply typing "S3" into the search bar.
18 |  2. You can either select an existing private bucket to upload to, or create a new one. If you select an existing bucket, make sure its access policy does not grant public access. By default, all the S3 resources are private, so only the AWS account that created the resources can access them. For this exercise, I'm outlining how to create a new bucket.
19 |  3. Click "create bucket"
20 |  4. Name your bucket, and select your region.  In this example, I will use "bbartlett-splunk-config".  Your bucket name must be unique, and you should select the same region where you plan on deploying Splunk. <br><br> ![new bucket example](https://s3-us-west-2.amazonaws.com/splk-bbartlett/splunk_newbucket.png) <br><br>
21 |  5. Once you've created your bucket, select your new bucket from the list of buckets.
22 |  6. Click "Upload" on the upper left of the page
23 |  7. Click "Add Files"
24 |  8. Select your license file.
25 |  9. Click "Start Upload" on the lower right of the page.
26 |  10. Once the license has finished uploading, you'll need the bucket name and the filename to use with the CloudFormation template.
27 | 
28 | ## License
29 | 
30 | This project is licensed under Apache License 2.0 - see [LICENSE.txt](./LICENSE.txt) file for details
31 | 
32 | ## Help
33 | 
34 | If you have any problems or general questions, please file an issue in the parent repository:
35 | https://github.com/aws-quickstart/quickstart-splunk-enterprise/issues
36 | 
37 | 
38 | 


--------------------------------------------------------------------------------
/docs/partner_editable/deploy_steps.adoc:
--------------------------------------------------------------------------------
 1 | // We need to work around Step numbers here if we are going to potentially exclude the AMI subscription
 2 | === Sign in to your AWS account
 3 | 
 4 | . Sign in to your AWS account at https://aws.amazon.com with an AWS Identity and Access Management (IAM) user role that has the necessary permissions. For details, see link:#_planning_the_deployment[Planning the deployment] earlier in this guide.
 5 | . Make sure that your AWS account is configured correctly, as discussed in the link:#_technical_requirements[Technical requirements] section.
 6 | 
 7 | // Optional based on Marketplace listing. Not to be edited
 8 | ifdef::marketplace_subscription[]
 9 | === Subscribe to the {partner-product-name} AMI
10 | 
11 | This Quick Start requires a subscription to the Amazon Machine Image (AMI) for {partner-product-name} in AWS Marketplace.
12 | 
13 | . Sign in to your AWS account.
14 | . {marketplace_listing_url}[Open the page for the {partner-product-name} AMI in AWS Marketplace], and then choose *Continue to Subscribe*.
15 | . Review the terms and conditions for software usage, and then choose *Accept Terms*. +
16 |   A confirmation page loads, and an email confirmation is sent to the account owner. For detailed subscription instructions, see the https://aws.amazon.com/marketplace/help/200799470[AWS Marketplace documentation^].
17 | 
18 | . When the subscription process is complete, close AWS Marketplace without further action. *Do not* provision the software from AWS Marketplace, as the Quick Start deploys the AMI for you.
19 | endif::marketplace_subscription[]
20 | // \Not to be edited
21 | 
22 | === Launch the Quick Start
23 | 
24 | NOTE: You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using this Quick Start. For full details, see the pricing pages for each AWS service used by this Quick Start. Prices are subject to change.
25 | 
26 | . Sign in to your AWS account, and choose one of the following options to launch the AWS CloudFormation template. For help with choosing an option, see link:#_deployment_options[deployment options] earlier in this guide.
27 | 
28 | [cols=",]
29 | |===
30 | |https://fwd.aws/MNRVe[Deploy {partner-product-name} into a new VPC on AWS^]
31 | |https://fwd.aws/DD3gQ[Deploy {partner-product-name} into an existing VPC on AWS^]
32 | |===
33 | 
34 | WARNING: If you’re deploying {partner-product-name} into an existing VPC, make sure that your VPC has at least two subnets in different Availability Zones for the indexers and search head(s), and that the subnets aren’t shared. If you choose to deploy into three AZ, then your VPC will require at least three available AZ with three separate subnets.  This Quick Start doesn’t support https://docs.aws.amazon.com/vpc/latest/userguide/vpc-sharing.html[shared subnets^].
35 | 
36 | Each deployment takes about {deployment_time} to complete.
37 | 
38 | [start=2]
39 | . Check the AWS Region that’s displayed in the upper-right corner of the navigation bar, and change it if necessary. This Region is where {partner-product-name} will be deployed. The template is launched in the {default_deployment_region} Region by default.
40 | 
41 | [start=3]
42 | . On the *Create stack* page, keep the default setting for the template URL, and then choose *Next*.
43 | . On the *Specify stack details* page, change the stack name if needed. Review the parameters for the template. Provide values for the parameters that require input. For all other parameters, review the default settings and customize them as necessary.
44 | 
45 | // In the following tables, parameters are listed by category and described separately for the two deployment options:
46 | 
47 | // * Parameters for deploying {partner-product-name} into a new VPC
48 | 
49 | // * Parameters for deploying {partner-product-name} into an existing VPC
50 | 


--------------------------------------------------------------------------------
/docs/partner_editable/additional_info.adoc:
--------------------------------------------------------------------------------
 1 | // Add steps as necessary for accessing the software, post-configuration, and testing. Don’t include full usage instructions for your software, but add links to your product documentation for that information.
 2 | //Should any sections not be applicable, remove them
 3 | 
 4 | == Post deployment steps
 5 | // If steps are required to test the deployment, add them here. If not, remove the heading
 6 | 
 7 | After the Quick Start has successfully completed, you can log into your {partner-product-name} deployment from a web browser and verify configuration.
 8 | 
 9 | ==== Verify Distributed Search
10 | . Begin by logging into {partner-product-name} search head to verify all of the indexers are available for search. To log into the {partner-product-name} search head, navigate your browser to the URL shown in the CloudFormation Outputs labeled "SearchHeadURL" with the credentials of "admin" and the password configured with the "SplunkAdminPassword" parameter when launching the Quick Start.
11 | . Navigate to Settings -> 'Distributed search' menu item as shown below
12 | 
13 | image:../images/search-head-distributed-search-menu.png[distributed_search_menu,width=850,height=294,link="../docs/images/search-head-distributed-search-menu.png"]
14 | [start=3]
15 | . Click on "Search peers"
16 | 
17 | . A screen similar to the screenshot below indicates that distributed search in good standing. (This example was created with a 4 node indexer cluster.)
18 | 
19 | image:../images/search-head-distributed-search-success.png[distributed_search_success,width=850,height=202,link="../docs/images/search-head-distributed-search-success.png"]
20 | 
21 | ==== Verify Indexer Replication Status
22 | . Begin by logging into {partner-product-name} cluster master to verify all of the indexers are successfully replicating buckets across the cluster. To log into the {partner-product-name} cluster master, navigate your browser to the URL shown in the CloudFormation Outputs labeled "ClusterMasterURL" with the credentials of "admin" and the password configured with the "SplunkAdminPassword" parameter when launching the Quick Start.
23 | . Navigate to Settings -> 'Indexer clustering' menu item as shown below
24 | 
25 | image:../images/indexer-clustering-menu.png[indexer_clustering_menu,width=850,height=294,link="../docs/images/indexer-clustering-menu.png"]
26 | [start=3]
27 | . A screen similar to the screenshot below indicates that both the search factor and replication factor are in good standing. (This example was created with a 4 node indexer cluster across 2 AZ)
28 | .. _Please note that it will likely take a few minutes after the Quick Start has successfully launched before the buckets are replicated and this status window shows both search factor and replication factor being met. If there are errors for replication and/or search factor after 10 minutes, please see the link:#_faq[FAQ section] below._
29 | 
30 | image:../images/cluster-master-sfrf-met.png[indexer_clustering_success,width=850,height=202,link="../docs/images/cluster-master-sfrf-met.png"]
31 | 
32 | == Security
33 | // Provide post-deployment best practices for using the technology on AWS, including considerations such as migrating data, backups, ensuring high performance, high availability, etc. Link to software documentation for detailed information.
34 | 
35 | The {partner-product-name} Quick Start exposes three user-configurable security group access parameters: 'WebClientLocation', 'HECClientLocation', and 'SSHClientLocation'. Be sure that the 'SSHClientLocation' parameter is accessible only on tightly controlled authorized network ranges as this allows direct access to the instances.  The parameter 'WebClientLocation' allows connections to the {partner-product-name} web interfaces, while 'HECClientLocation' controls access to the load balancer in front of the {partner-product-name} HTTP Event Collector listener.
36 | 


--------------------------------------------------------------------------------
/LICENSE.txt:
--------------------------------------------------------------------------------
  1 |                                  Apache License
  2 |                            Version 2.0, January 2004
  3 |                         http://www.apache.org/licenses/
  4 | 
  5 |    TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
  6 | 
  7 |    1. Definitions.
  8 | 
  9 |       "License" shall mean the terms and conditions for use, reproduction,
 10 |       and distribution as defined by Sections 1 through 9 of this document.
 11 | 
 12 |       "Licensor" shall mean the copyright owner or entity authorized by
 13 |       the copyright owner that is granting the License.
 14 | 
 15 |       "Legal Entity" shall mean the union of the acting entity and all
 16 |       other entities that control, are controlled by, or are under common
 17 |       control with that entity. For the purposes of this definition,
 18 |       "control" means (i) the power, direct or indirect, to cause the
 19 |       direction or management of such entity, whether by contract or
 20 |       otherwise, or (ii) ownership of fifty percent (50%) or more of the
 21 |       outstanding shares, or (iii) beneficial ownership of such entity.
 22 | 
 23 |       "You" (or "Your") shall mean an individual or Legal Entity
 24 |       exercising permissions granted by this License.
 25 | 
 26 |       "Source" form shall mean the preferred form for making modifications,
 27 |       including but not limited to software source code, documentation
 28 |       source, and configuration files.
 29 | 
 30 |       "Object" form shall mean any form resulting from mechanical
 31 |       transformation or translation of a Source form, including but
 32 |       not limited to compiled object code, generated documentation,
 33 |       and conversions to other media types.
 34 | 
 35 |       "Work" shall mean the work of authorship, whether in Source or
 36 |       Object form, made available under the License, as indicated by a
 37 |       copyright notice that is included in or attached to the work
 38 |       (an example is provided in the Appendix below).
 39 | 
 40 |       "Derivative Works" shall mean any work, whether in Source or Object
 41 |       form, that is based on (or derived from) the Work and for which the
 42 |       editorial revisions, annotations, elaborations, or other modifications
 43 |       represent, as a whole, an original work of authorship. For the purposes
 44 |       of this License, Derivative Works shall not include works that remain
 45 |       separable from, or merely link (or bind by name) to the interfaces of,
 46 |       the Work and Derivative Works thereof.
 47 | 
 48 |       "Contribution" shall mean any work of authorship, including
 49 |       the original version of the Work and any modifications or additions
 50 |       to that Work or Derivative Works thereof, that is intentionally
 51 |       submitted to Licensor for inclusion in the Work by the copyright owner
 52 |       or by an individual or Legal Entity authorized to submit on behalf of
 53 |       the copyright owner. For the purposes of this definition, "submitted"
 54 |       means any form of electronic, verbal, or written communication sent
 55 |       to the Licensor or its representatives, including but not limited to
 56 |       communication on electronic mailing lists, source code control systems,
 57 |       and issue tracking systems that are managed by, or on behalf of, the
 58 |       Licensor for the purpose of discussing and improving the Work, but
 59 |       excluding communication that is conspicuously marked or otherwise
 60 |       designated in writing by the copyright owner as "Not a Contribution."
 61 | 
 62 |       "Contributor" shall mean Licensor and any individual or Legal Entity
 63 |       on behalf of whom a Contribution has been received by Licensor and
 64 |       subsequently incorporated within the Work.
 65 | 
 66 |    2. Grant of Copyright License. Subject to the terms and conditions of
 67 |       this License, each Contributor hereby grants to You a perpetual,
 68 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 69 |       copyright license to reproduce, prepare Derivative Works of,
 70 |       publicly display, publicly perform, sublicense, and distribute the
 71 |       Work and such Derivative Works in Source or Object form.
 72 | 
 73 |    3. Grant of Patent License. Subject to the terms and conditions of
 74 |       this License, each Contributor hereby grants to You a perpetual,
 75 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 76 |       (except as stated in this section) patent license to make, have made,
 77 |       use, offer to sell, sell, import, and otherwise transfer the Work,
 78 |       where such license applies only to those patent claims licensable
 79 |       by such Contributor that are necessarily infringed by their
 80 |       Contribution(s) alone or by combination of their Contribution(s)
 81 |       with the Work to which such Contribution(s) was submitted. If You
 82 |       institute patent litigation against any entity (including a
 83 |       cross-claim or counterclaim in a lawsuit) alleging that the Work
 84 |       or a Contribution incorporated within the Work constitutes direct
 85 |       or contributory patent infringement, then any patent licenses
 86 |       granted to You under this License for that Work shall terminate
 87 |       as of the date such litigation is filed.
 88 | 
 89 |    4. Redistribution. You may reproduce and distribute copies of the
 90 |       Work or Derivative Works thereof in any medium, with or without
 91 |       modifications, and in Source or Object form, provided that You
 92 |       meet the following conditions:
 93 | 
 94 |       (a) You must give any other recipients of the Work or
 95 |           Derivative Works a copy of this License; and
 96 | 
 97 |       (b) You must cause any modified files to carry prominent notices
 98 |           stating that You changed the files; and
 99 | 
100 |       (c) You must retain, in the Source form of any Derivative Works
101 |           that You distribute, all copyright, patent, trademark, and
102 |           attribution notices from the Source form of the Work,
103 |           excluding those notices that do not pertain to any part of
104 |           the Derivative Works; and
105 | 
106 |       (d) If the Work includes a "NOTICE" text file as part of its
107 |           distribution, then any Derivative Works that You distribute must
108 |           include a readable copy of the attribution notices contained
109 |           within such NOTICE file, excluding those notices that do not
110 |           pertain to any part of the Derivative Works, in at least one
111 |           of the following places: within a NOTICE text file distributed
112 |           as part of the Derivative Works; within the Source form or
113 |           documentation, if provided along with the Derivative Works; or,
114 |           within a display generated by the Derivative Works, if and
115 |           wherever such third-party notices normally appear. The contents
116 |           of the NOTICE file are for informational purposes only and
117 |           do not modify the License. You may add Your own attribution
118 |           notices within Derivative Works that You distribute, alongside
119 |           or as an addendum to the NOTICE text from the Work, provided
120 |           that such additional attribution notices cannot be construed
121 |           as modifying the License.
122 | 
123 |       You may add Your own copyright statement to Your modifications and
124 |       may provide additional or different license terms and conditions
125 |       for use, reproduction, or distribution of Your modifications, or
126 |       for any such Derivative Works as a whole, provided Your use,
127 |       reproduction, and distribution of the Work otherwise complies with
128 |       the conditions stated in this License.
129 | 
130 |    5. Submission of Contributions. Unless You explicitly state otherwise,
131 |       any Contribution intentionally submitted for inclusion in the Work
132 |       by You to the Licensor shall be under the terms and conditions of
133 |       this License, without any additional terms or conditions.
134 |       Notwithstanding the above, nothing herein shall supersede or modify
135 |       the terms of any separate license agreement you may have executed
136 |       with Licensor regarding such Contributions.
137 | 
138 |    6. Trademarks. This License does not grant permission to use the trade
139 |       names, trademarks, service marks, or product names of the Licensor,
140 |       except as required for reasonable and customary use in describing the
141 |       origin of the Work and reproducing the content of the NOTICE file.
142 | 
143 |    7. Disclaimer of Warranty. Unless required by applicable law or
144 |       agreed to in writing, Licensor provides the Work (and each
145 |       Contributor provides its Contributions) on an "AS IS" BASIS,
146 |       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
147 |       implied, including, without limitation, any warranties or conditions
148 |       of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
149 |       PARTICULAR PURPOSE. You are solely responsible for determining the
150 |       appropriateness of using or redistributing the Work and assume any
151 |       risks associated with Your exercise of permissions under this License.
152 | 
153 |    8. Limitation of Liability. In no event and under no legal theory,
154 |       whether in tort (including negligence), contract, or otherwise,
155 |       unless required by applicable law (such as deliberate and grossly
156 |       negligent acts) or agreed to in writing, shall any Contributor be
157 |       liable to You for damages, including any direct, indirect, special,
158 |       incidental, or consequential damages of any character arising as a
159 |       result of this License or out of the use or inability to use the
160 |       Work (including but not limited to damages for loss of goodwill,
161 |       work stoppage, computer failure or malfunction, or any and all
162 |       other commercial damages or losses), even if such Contributor
163 |       has been advised of the possibility of such damages.
164 | 
165 |    9. Accepting Warranty or Additional Liability. While redistributing
166 |       the Work or Derivative Works thereof, You may choose to offer,
167 |       and charge a fee for, acceptance of support, warranty, indemnity,
168 |       or other liability obligations and/or rights consistent with this
169 |       License. However, in accepting such obligations, You may act only
170 |       on Your own behalf and on Your sole responsibility, not on behalf
171 |       of any other Contributor, and only if You agree to indemnify,
172 |       defend, and hold each Contributor harmless for any liability
173 |       incurred by, or claims asserted against, such Contributor by reason
174 |       of your accepting any such warranty or additional liability.
175 | 
176 |    END OF TERMS AND CONDITIONS
177 | 
178 |    APPENDIX: How to apply the Apache License to your work.
179 | 
180 |       To apply the Apache License to your work, attach the following
181 |       boilerplate notice, with the fields enclosed by brackets "{}"
182 |       replaced with your own identifying information. (Don't include
183 |       the brackets!)  The text should be enclosed in the appropriate
184 |       comment syntax for the file format. We also recommend that a
185 |       file or class name and description of purpose be included on the
186 |       same "printed page" as the copyright notice for easier
187 |       identification within third-party archives.
188 | 
189 |    Copyright {yyyy} {name of copyright owner}
190 | 
191 |    Licensed under the Apache License, Version 2.0 (the "License");
192 |    you may not use this file except in compliance with the License.
193 |    You may obtain a copy of the License at
194 | 
195 |        http://www.apache.org/licenses/LICENSE-2.0
196 | 
197 |    Unless required by applicable law or agreed to in writing, software
198 |    distributed under the License is distributed on an "AS IS" BASIS,
199 |    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
200 |    See the License for the specific language governing permissions and
201 |    limitations under the License.
202 | 
203 | 


--------------------------------------------------------------------------------
/templates/splunk-enterprise-master.template:
--------------------------------------------------------------------------------
  1 | AWSTemplateFormatVersion: '2010-09-09'
  2 | Description: Splunk deployment with indexer clustering, search head (optional search head clustering), and cluster master/license server.
  3 | Parameters:
  4 |   AvailabilityZones:
  5 |     Description: List of Availability Zones to use for the subnets in the VPC (logical order preserved). This must match the Number of Availability Zones parameter value.
  6 |     Type: List<AWS::EC2::AvailabilityZone::Name>
  7 |   NumberOfAZs:
  8 |     AllowedValues:
  9 |       - '2'
 10 |       - '3'
 11 |     Default: '2'
 12 |     Description: Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter.
 13 |     Type: String
 14 |   WebClientLocation:
 15 |     AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$
 16 |     ConstraintDescription: Must be a valid IP range in x.x.x.x/x notation.  Use 0.0.0.0/0 for no restrictions.
 17 |     Description: 'The IP address range that is allowed to connect to the Splunk web interface. Note: a value of 0.0.0.0/0 will allow access from ANY ip address.'
 18 |     MaxLength: '19'
 19 |     MinLength: '9'
 20 |     Type: String
 21 |   HECClientLocation:
 22 |     AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$
 23 |     ConstraintDescription: Must be a valid IP range in x.x.x.x/x notation.  Use 0.0.0.0/0 for no restrictions.
 24 |     Description: 'The IP address range that is allowed to send data to Splunk HTTP Event Collector. Note: a value of 0.0.0.0/0 will allow access from ANY ip address.'
 25 |     MaxLength: '19'
 26 |     MinLength: '9'
 27 |     Type: String
 28 |   IndexerInstanceType:
 29 |     AllowedValues:
 30 |       - m5.4xlarge
 31 |       - m5.8xlarge
 32 |       - c5.4xlarge
 33 |       - c5.9xlarge
 34 |       - c5.18xlarge
 35 |       - i3.4xlarge
 36 |       - i3.8xlarge
 37 |       - i3en.3xlarge
 38 |       - i3en.6xlarge
 39 |       - i3en.12xlarge
 40 |     Description: EC2 instance type for Splunk Indexers
 41 |     ConstraintDescription: must be a valid EC2 instance type.
 42 |     Default: i3.4xlarge
 43 |     Type: String
 44 |   SearchHeadInstanceType:
 45 |     AllowedValues:
 46 |       - r5.4xlarge
 47 |       - r5.8xlarge
 48 |       - r5.16xlarge
 49 |       - c5.4xlarge
 50 |       - c5.9xlarge
 51 |       - m5.2xlarge
 52 |       - m5.4xlarge
 53 |       - m5.8xlarge
 54 |       - m5.12xlarge
 55 |     Description: EC2 instance type for Splunk Search Heads
 56 |     ConstraintDescription: must be a valid EC2 instance type.
 57 |     Default: c5.4xlarge
 58 |     Type: String
 59 |   KeyName:
 60 |     ConstraintDescription: Must be the name of an existing EC2 KeyPair.
 61 |     Description: Name of an existing EC2 KeyPair to enable SSH access to the instance
 62 |     Type: AWS::EC2::KeyPair::KeyName
 63 |   PublicSubnet1CIDR:
 64 |     AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$
 65 |     ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
 66 |     Default: 10.0.1.0/24
 67 |     Description: The address space that will be assigned to the first Splunk server subnet. (x.x.x.x/x notation)
 68 |     Type: String
 69 |   PublicSubnet2CIDR:
 70 |     AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$
 71 |     ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x
 72 |     Default: 10.0.2.0/24
 73 |     Description: The address space that will be assigned to the second Splunk server subnet. (x.x.x.x/x notation)
 74 |     Type: String
 75 |   PublicSubnet3CIDR:
 76 |     AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$
 77 |     ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
 78 |     Default: 10.0.3.0/24
 79 |     Description: The address space that will be assigned to the second Splunk server subnet. (x.x.x.x/x notation)
 80 |     Type: String
 81 |   QSS3BucketName:
 82 |     Description: S3 bucket name for the Quick Start assets.
 83 |     Default: ''
 84 |     Type: String
 85 |   QSS3KeyPrefix:
 86 |     Default: quickstart-splunk-enterprise/
 87 |     Description: S3 key prefix for the Quick Start assets.
 88 |     Type: String
 89 |   SHCEnabled:
 90 |     AllowedValues:
 91 |       - 'yes'
 92 |       - 'no'
 93 |     Default: 'no'
 94 |     Description: Do you want to build a Splunk search head cluster? yes or no
 95 |     Type: String
 96 |   SSHClientLocation:
 97 |     AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$
 98 |     ConstraintDescription: Must be a valid IP range in x.x.x.x/x notation.  Use 0.0.0.0/0 for no restrictions.
 99 |     Description: 'The IP address range that is allowed to SSH to the EC2 instances. Note: a value of 0.0.0.0/0 will allow access from ANY ip address'
100 |     MaxLength: '19'
101 |     MinLength: '9'
102 |     Type: String
103 |   SplunkAdminPassword:
104 |     AllowedPattern: (?=^.{6,255}$)((?=.*\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*
105 |     ConstraintDescription: Must be at least 8 characters containing letters, numbers and symbols.
106 |     Description: Admin password for Splunk. Must be at least 8 characters containing letters, numbers and symbols
107 |     MaxLength: '32'
108 |     MinLength: '6'
109 |     NoEcho: 'true'
110 |     Type: String
111 |   SplunkIndexerCount:
112 |     ConstraintDescription: must be a valid number, 4-10
113 |     Default: '4'
114 |     Description: How many Splunk indexers to launch.  [4-10]
115 |     MaxValue: '10'
116 |     MinValue: '4'
117 |     Type: Number
118 |   SplunkIndexerDiskSize:
119 |     ConstraintDescription: must be a valid number, 100-16000
120 |     Default: '334'
121 |     Description: The size of the attached EBS volume to the Splunk indexers.  (in GB)
122 |     MaxValue: '16000'
123 |     MinValue: '100'
124 |     Type: Number
125 |   SplunkSearchHeadDiskSize:
126 |     ConstraintDescription: must be a valid number, 100-16000
127 |     Default: '334'
128 |     Description: The size of the attached EBS volume to the Splunk search head(s).  (in GB)
129 |     MaxValue: '16000'
130 |     MinValue: '100'
131 |     Type: Number
132 |   SplunkLicenseBucket:
133 |     AllowedPattern: (?=^.{3,63}$)(?!xn--)([a-z0-9](?:[a-z0-9-]*)[a-z0-9])$
134 |     ConstraintDescription: 'Required for QuickStart to function and must be a valid s3 bucket'
135 |     Description: 'Name of private S3 bucket with licenses to be accessed via authenticated requests'
136 |     MinLength: '3'
137 |     MaxLength: '63'
138 |     Type: String
139 |   SplunkLicensePath:
140 |     ConstraintDescription: 'Required for QuickStart to function and must point to a valid Splunk license'
141 |     AllowedPattern: ([0-9]|[A-Z]|[a-z]|[\/\._-])+
142 |     Description: 'Path to license file in S3 Bucket, without leading /. (ex: license/splunk.license)'
143 |     MinLength: '2'
144 |     MaxLength: '128'
145 |     Type: String
146 |   SplunkReplicationFactor:
147 |     ConstraintDescription: must be a valid number, 2-4
148 |     Default: '2'
149 |     Description: How many copies of data should be stored in the Splunk Indexer Cluster
150 |     MaxValue: '4'
151 |     MinValue: '2'
152 |     Type: Number
153 |   SplunkSearchFactor:
154 |     ConstraintDescription: must be a valid number, 2-4
155 |     Default: '2'
156 |     Description: How many copies of data should be searchable in the Splunk indexer clusters
157 |     MaxValue: '4'
158 |     MinValue: '2'
159 |     Type: Number
160 |   SplunkClusterSecret:
161 |     AllowedPattern: (?=^.{6,255}$)((?=.*\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*
162 |     ConstraintDescription: Must be at least 8 characters containing letters, numbers and symbols.
163 |     Description: Shared cluster secret for Search Head and Indexer clusters. Must be at least 8 characters containing letters, numbers and symbols.
164 |     MaxLength: '32'
165 |     MinLength: '6'
166 |     NoEcho: 'true'
167 |     Type: String
168 |   SplunkIndexerDiscoverySecret:
169 |     AllowedPattern: (?=^.{6,255}$)((?=.*\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*
170 |     ConstraintDescription: Must be at least 8 characters containing letters, numbers and symbols.
171 |     Description: Security key used for communication between your forwarders and the cluster master. This value should also be used by forwarders in order to retrieve list of available peer nodes from cluster master. Must be at least 8 characters containing letters, numbers and symbols.
172 |     MaxLength: '32'
173 |     MinLength: '8'
174 |     NoEcho: 'true'
175 |     Type: String
176 |   VPCCIDR:
177 |     AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})
178 |     ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
179 |     Default: 10.0.0.0/16
180 |     Description: The address space that will be assigned to the entire VPC where Splunk will reside. (Recommend at least a /16)
181 |     MaxLength: '19'
182 |     MinLength: '9'
183 |     Type: String
184 |   SmartStoreBucketName:
185 |     Default: ''
186 |     Description: Name of bucket that will be created for SmartStore storage
187 |     Type: String
188 | Metadata:
189 |   QuickStartDocumentation:
190 |     EntrypointName: "Splunk QuickStart (New VPC)"
191 |   AWS::CloudFormation::Interface:
192 |     ParameterGroups:
193 |       - Label:
194 |           default: AWS Instance and Network Settings
195 |         Parameters:
196 |           - IndexerInstanceType
197 |           - SearchHeadInstanceType
198 |           - KeyName
199 |           - WebClientLocation
200 |           - HECClientLocation
201 |           - SSHClientLocation
202 |           - AvailabilityZones
203 |           - NumberOfAZs
204 |           - VPCCIDR
205 |           - PublicSubnet1CIDR
206 |           - PublicSubnet2CIDR
207 |           - PublicSubnet3CIDR
208 |       - Label:
209 |           default: Splunk Settings
210 |         Parameters:
211 |           - SplunkAdminPassword
212 |           - SplunkClusterSecret
213 |           - SplunkIndexerDiscoverySecret
214 |           - SplunkLicenseBucket
215 |           - SplunkLicensePath
216 |           - SplunkIndexerCount
217 |           - SplunkIndexerDiskSize
218 |           - SplunkSearchHeadDiskSize
219 |           - SplunkReplicationFactor
220 |           - SplunkSearchFactor
221 |           - SmartStoreBucketName
222 |           - SHCEnabled
223 |       - Label:
224 |           default: AWS Quick Start Configuration
225 |         Parameters:
226 |           - QSS3BucketName
227 |           - QSS3KeyPrefix
228 |     ParameterLabels:
229 |       AvailabilityZones:
230 |         default: Availability Zones
231 |       SplunkSearchHeadDiskSize:
232 |         default: Size (in GB) of Splunk search head disk
233 |       NumberOfAZs:
234 |         default: Number of Availability Zones
235 |       WebClientLocation:
236 |         default: Permitted CIDR for Splunk web interface
237 |       HECClientLocation:
238 |         default: Permitted CIDR for Splunk HTTP event collector input
239 |       IndexerInstanceType:
240 |         default: EC2 instance type for Splunk indexer
241 |       SearchHeadInstanceType:
242 |         default: EC2 instance type for Splunk search head
243 |       KeyName:
244 |         default: Key Name
245 |       PublicSubnet1CIDR:
246 |         default: Public Subnet 1 CIDR
247 |       PublicSubnet2CIDR:
248 |         default: Public Subnet 2 CIDR
249 |       PublicSubnet3CIDR:
250 |         default: Public Subnet 3 CIDR
251 |       QSS3BucketName:
252 |         default: QuickStart S3 Bucket Name
253 |       QSS3KeyPrefix:
254 |         default: QuickStart S3 Key Prefix
255 |       SHCEnabled:
256 |         default: Enable Search Head Cluster?
257 |       SSHClientLocation:
258 |         default: Permitted CIDR for ssh
259 |       SplunkAdminPassword:
260 |         default: Splunk Admin Password
261 |       SplunkIndexerCount:
262 |         default: No. of Splunk Indexers
263 |       SplunkIndexerDiskSize:
264 |         default: Indexer Disk Size
265 |       SplunkLicenseBucket:
266 |         default: Splunk License Bucket
267 |       SplunkLicensePath:
268 |         default: Splunk License S3 Bucket Path
269 |       SplunkReplicationFactor:
270 |         default: Index Cluster Replication Factor
271 |       SplunkSearchFactor:
272 |         default: Index Cluster Search Factor
273 |       SmartStoreBucketName:
274 |         default: Name of bucket that will be created for SmartStore storage
275 |       SplunkClusterSecret:
276 |         default: Shared Security Key for Cluster Nodes
277 |       SplunkIndexerDiscoverySecret:
278 |         default: Shared Security Key for Forwarders using Indexer Discovery
279 |       VPCCIDR:
280 |         default: VPC CIDR
281 | Conditions:
282 |   Create3AZ: !Equals
283 |     - !Ref 'NumberOfAZs'
284 |     - '3'
285 | Resources:
286 |   VPCStack:
287 |     Type: AWS::CloudFormation::Stack
288 |     Properties:
289 |       TemplateURL: !Sub 'https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}submodules/quickstart-aws-vpc/templates/aws-vpc.template.yaml'
290 |       Parameters:
291 |         AvailabilityZones: !Join
292 |           - ','
293 |           - !Ref 'AvailabilityZones'
294 |         CreatePrivateSubnets: 'false'
295 |         CreatePublicSubnets: 'true'
296 |         CreateNATGateways: 'false'
297 |         NumberOfAZs: !Ref 'NumberOfAZs'
298 |         PublicSubnet1CIDR: !Ref 'PublicSubnet1CIDR'
299 |         PublicSubnet2CIDR: !Ref 'PublicSubnet2CIDR'
300 |         PublicSubnet3CIDR: !Ref 'PublicSubnet3CIDR'
301 |         VPCCIDR: !Ref 'VPCCIDR'
302 |       TimeoutInMinutes: 15
303 |   SplunkStack:
304 |     Type: AWS::CloudFormation::Stack
305 |     Properties:
306 |       TemplateURL: !Sub 'https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}templates/splunk-enterprise.template'
307 |       Parameters:
308 |         VPCID: !GetAtt 'VPCStack.Outputs.VPCID'
309 |         VPCCIDR: !GetAtt 'VPCStack.Outputs.VPCCIDR'
310 |         PublicSubnet1ID: !GetAtt 'VPCStack.Outputs.PublicSubnet1ID'
311 |         PublicSubnet2ID: !GetAtt 'VPCStack.Outputs.PublicSubnet2ID'
312 |         PublicSubnet3ID: !If
313 |           - Create3AZ
314 |           - !GetAtt 'VPCStack.Outputs.PublicSubnet3ID'
315 |           - !GetAtt 'VPCStack.Outputs.PublicSubnet2ID'
316 |         NumberOfAZs: !Ref 'NumberOfAZs'
317 |         IndexerInstanceType: !Ref 'IndexerInstanceType'
318 |         SearchHeadInstanceType: !Ref 'SearchHeadInstanceType'
319 |         SplunkAdminPassword: !Ref 'SplunkAdminPassword'
320 |         SplunkClusterSecret: !Ref 'SplunkClusterSecret'
321 |         SplunkIndexerDiscoverySecret: !Ref 'SplunkIndexerDiscoverySecret'
322 |         SplunkLicenseBucket: !Ref 'SplunkLicenseBucket'
323 |         SplunkLicensePath: !Ref 'SplunkLicensePath'
324 |         KeyName: !Ref 'KeyName'
325 |         SSHClientLocation: !Ref 'SSHClientLocation'
326 |         HECClientLocation: !Ref 'HECClientLocation'
327 |         WebClientLocation: !Ref 'WebClientLocation'
328 |         SplunkIndexerCount: !Ref 'SplunkIndexerCount'
329 |         SHCEnabled: !Ref 'SHCEnabled'
330 |         SplunkIndexerDiskSize: !Ref 'SplunkIndexerDiskSize'
331 |         SmartStoreBucketName: !Ref 'SmartStoreBucketName'
332 |         SplunkReplicationFactor: !Ref 'SplunkReplicationFactor'
333 |       TimeoutInMinutes: 45
334 | Outputs:
335 |   SearchHeadURL:
336 |     Description: Splunk Enterprise - Search Head URL
337 |     Value: !GetAtt 'SplunkStack.Outputs.SearchHeadURL'
338 |   ClusterMasterURL:
339 |     Description: Splunk Enterprise - Cluster Master URL
340 |     Value: !GetAtt 'SplunkStack.Outputs.ClusterMasterURL'
341 |   ClusterMasterManagementURL:
342 |     Description: Splunk Enterprise - Cluster Master Management URL (required for Indexer Discovery)
343 |     Value: !GetAtt 'SplunkStack.Outputs.ClusterMasterManagementURL'
344 |   DeployerURL:
345 |     Description: Splunk Enterprise - Search Head Cluster Deployer URL
346 |     Value: !GetAtt 'SplunkStack.Outputs.DeployerURL'
347 |   HttpEventCollectorURL:
348 |     Description: HTTP Event Collector URL
349 |     Value: !GetAtt 'SplunkStack.Outputs.HttpEventCollectorURL'
350 |   HttpEventCollectorToken:
351 |     Description: HTTP Event Collector Token
352 |     Value: !GetAtt 'SplunkStack.Outputs.HttpEventCollectorToken'
353 | 


--------------------------------------------------------------------------------
/scripts/user_data.sh:
--------------------------------------------------------------------------------
  1 | #!/bin/bash -xe
  2 | 
  3 | #### start universal functions
  4 | function base
  5 | {
  6 | 
  7 |   # variables
  8 |   export LOCALIP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
  9 |   export INSTANCEID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id)
 10 |   export SPLUNK_USER=splunk
 11 |   export SPLUNK_BIN=/opt/splunk/bin/splunk
 12 |   export SPLUNK_HOME=/opt/splunk
 13 | 
 14 |   # make cloud-init output log readable by root only to protect sensitive parameter values
 15 |   chmod 600 /var/log/cloud-init-output.log
 16 | 
 17 |   #- The newer version of the Splunk AMI does not come with Splunk pre-installed.  Instead
 18 |   #- Splunk is installed via ansible as part of cloud-init.  The following code (starting at line 30) is
 19 |   #- needed to ensure these install scripts are ran prior to the remainder of the Cloudformation
 20 |   #- user scripts. Without doing this first, the Splunk installer is ran after CloudFormation's
 21 |   #- cloud-init scripts, leaving no Splunk install to configure.
 22 | 
 23 |   #- remove the cloud-init scripts from running
 24 |   rm -f /etc/cloud/cloud.cfg.d/20_install_splunk.cfg
 25 |   rm -f /var/lib/cloud/instance/scripts/runcmd
 26 | 
 27 |   # run the ansible code 
 28 |   (cd /opt/splunk-ansible && time sudo -u ec2-user -E -S bash -c "SPLUNK_BUILD_URL=/tmp/splunk.tgz SPLUNK_ENABLE_SERVICE=true  SPLUNK_PASSWORD=SPLUNK-$(wget -q -O - http://169.254.169.254/latest/meta-data/instance-id) ansible-playbook -i inventory/environ.py site.yml")
 29 | 
 30 |   #- as of 8.2.0, aws-cfn-bootstrap is no longer pre-installed on the AMI.
 31 |   #- install aws-cfn-bootstrap package
 32 |   yum -y install aws-cfn-bootstrap
 33 | 
 34 | 
 35 |   # setup auth with user-selected admin password
 36 |   mv $SPLUNK_HOME/etc/passwd $SPLUNK_HOME/etc/passwd.bak
 37 |   cat >> $SPLUNK_HOME/etc/system/local/user-seed.conf << end
 38 |   [user_info]
 39 |   USERNAME = admin
 40 |   PASSWORD = $ADMIN_PASSWORD
 41 | end
 42 | 
 43 |   sed -i '/guid/d' $SPLUNK_HOME/etc/instance.cfg
 44 |   touch $SPLUNK_HOME/etc/.ui_login
 45 | 
 46 |   # restart Splunk for admin password update
 47 |   $SPLUNK_BIN restart
 48 | }
 49 | 
 50 | function restart_signal
 51 | {
 52 | 
 53 |   # restart splunk
 54 |   $SPLUNK_BIN restart
 55 | 
 56 |   # communicate back to CloudFormation the status of the instance creation
 57 |   /opt/aws/bin/cfn-signal -e $? --stack $STACK_NAME --resource $RESOURCE --region $AWS_REGION
 58 | 
 59 |   # disable splunk user login
 60 |   usermod --expiredate 1 splunk
 61 | }
 62 | 
 63 | #### end universal config
 64 | 
 65 | #####
 66 | #### start role-specific functions
 67 | #####
 68 | 
 69 | ###
 70 | # setup nvme drives for i3 indexers
 71 | function nvme_setup
 72 | {
 73 |   # first, determine the instance type.
 74 |   ec2_type=$(curl -s http://169.254.169.254/latest/meta-data/instance-type)
 75 | 
 76 |   # this script is intended to run on i3* instance types.
 77 |   if [[ "$ec2_type" != *"i3"* ]]
 78 |   then
 79 |     return 0
 80 |   fi
 81 | 
 82 |   # find the attached nvme drives.  lsblk could work here, but utilizing the nvme-list utility due to
 83 |   # json formatting and simpler parsing.  install the nvme-cli and jq packages to accomplish this.
 84 |   yum -y install nvme-cli jq >/dev/null
 85 | 
 86 |   # save the nvme drive information to a temp file for parsing
 87 |   nvme list --output-format=json > /tmp/nvme_drive.json
 88 | 
 89 |   # declare the nvme device array
 90 |   declare -a nvme_devices
 91 |   unset nvme_devices
 92 | 
 93 |   for nvme_device in $(jq '.Devices[] | .DevicePath' /tmp/nvme_drive.json)
 94 |   do
 95 |     # test to ensure that the storage device is instance storage.  in testing, I have
 96 |     # seen EBS volues show as NVME.  this logic will ensure attached EBS devices are not
 97 |     # added to the nvme raid0
 98 |     nvme_model_type=$(jq -r '.Devices[] | select(.DevicePath=='$nvme_device') | .ModelNumber' /tmp/nvme_drive.json)
 99 |     if [[ $nvme_model_type = *"NVMe Instance Storage"* ]]
100 |     then
101 |       # unfortunate 'hack' here to remove the quotes from the device name.  without them, the jq lookup
102 |       # will fail in the previous step.  however, they need to be removed for the md raid creation later.
103 |       # additionally, since there needs to be a space between device names for the md create, convert
104 |       # quotes to spaces, and remove leading space.  this leaves "$nvme_device " (note trailing space)
105 |       # stored in the array.  this will allow for simply using the contents of the array as an argument for
106 |       # building the raid0 device
107 |       nvme_device=$(echo $nvme_device|sed 's/"/ /g'| sed 's/^ //g')
108 | 
109 |       # save device list in nvme_devices array
110 |       nvme_devices+=("$nvme_device")
111 |     else
112 |       # if the nvme model type is not instance storage, continue to the next iteration of the loop
113 |       continue
114 |     fi
115 |   done
116 | 
117 |   # name of the raid device to create
118 |   raid_device="/dev/md0"
119 | 
120 |   # mount point of the raid device
121 |   raid_mount="/opt/splunk"
122 | 
123 |   # make directory for mount point
124 |   mkdir -p $raid_mount
125 | 
126 |   # create the raid device
127 |   mdadm --create $raid_device --level=raid0 --raid-devices=${#nvme_devices[@]} ${nvme_devices[@]}
128 | 
129 |   # create filesystem on raid device
130 |   if [ ${#nvme_devices[@]} -eq 1 ]
131 |    then
132 |       discardOption=""
133 |     else
134 |       discardOption="-E nodiscard"
135 |   fi
136 | 
137 |   mkfs.ext4 -m 2 -F -F ${discardOption} $raid_device
138 | 
139 |   # add entry to fstab for mounting on reboot
140 |   echo "$raid_device $raid_mount auto defaults,nofail,noatime 0 2" >>/etc/fstab
141 | 
142 |   # mount device
143 |   mount $raid_device
144 | 
145 | }
146 | 
147 | ###
148 | # Splunk Cluster Master / License Master
149 | ###
150 | function splunk_cm
151 | {
152 |   # execute base install and configuration
153 |   base
154 | 
155 |   export RESOURCE="SplunkCM"
156 |   printf '%s\t%s\n' "$LOCALIP" 'splunklicense' >> /etc/hosts
157 |   hostname splunklicense
158 | 
159 |   #- for the CM, we can't reference CM_PRIVATEIP in the CloudFormation UserData like
160 |   #- we do in the other resources because the CM hasn't been created yet.  To keep the
161 |   #- syntax consistent across each resource in user_data.sh, export $CM_PRIVATEIP to
162 |   #- the CM's local ip address
163 |   export CM_PRIVATEIP=$LOCALIP
164 | 
165 |   # Install license from metadata.
166 |   if [ $INSTALL_LICENSE = 1 ]; then
167 |     mkdir -p $SPLUNK_HOME/etc/licenses/enterprise/
168 |     chown $SPLUNK_USER:$SPLUNK_USER $SPLUNK_HOME/etc/licenses/enterprise
169 |     /opt/aws/bin/cfn-init -v --stack $STACK_NAME --resource $RESOURCE --region $AWS_REGION
170 |   fi
171 | 
172 |   # Increase splunkweb connection timeout with splunkd
173 |   mkdir -p $SPLUNK_HOME/etc/apps/base-autogenerated/local
174 |   cat >>$SPLUNK_HOME/etc/apps/base-autogenerated/local/web.conf <<end
175 |   [settings]
176 |   splunkdConnectionTimeout = 300
177 | end
178 | 
179 |  # Forward to indexer cluster using indexer discovery\n",
180 |  cat >>$SPLUNK_HOME/etc/apps/base-autogenerated/local/outputs.conf <<end
181 |   # Turn off indexing
182 |   [indexAndForward]
183 |   index = false
184 | 
185 |   [tcpout]
186 |   defaultGroup = indexer_cluster_peers
187 |   forwardedindex.filter.disable = true
188 |   indexAndForward = false
189 | 
190 |   [tcpout:indexer_cluster_peers]
191 |   indexerDiscovery = cluster_master
192 | 
193 |   [indexer_discovery:cluster_master]
194 |   pass4SymmKey = $SYMMKEY
195 |   master_uri = https://127.0.0.1:8089
196 | end
197 | 
198 |   chown -R $SPLUNK_USER:$SPLUNK_USER $SPLUNK_HOME/etc/apps/base-autogenerated
199 |   $SPLUNK_BIN restart
200 |   # sleep 20 seconds to make sure Splunk has restarted before applying the configuration
201 |   sleep 20
202 | 
203 |   # log in to splunk to execute several commands without requiring -auth
204 |   sudo -u $SPLUNK_USER $SPLUNK_BIN login -auth admin:$ADMIN_PASSWORD
205 | 
206 |   # create the indexer cluster
207 |   sudo -u $SPLUNK_USER $SPLUNK_BIN edit cluster-config -mode master -multisite true \
208 |   -replication_factor $REPFACTOR -available_sites $SITELIST -site site1 \
209 |   -site_replication_factor origin:1,total:$REPFACTOR -site_search_factor \
210 |   origin:1,total:$SEARCHFACTOR -secret $SPLUNK_CLUSTER_SECRET -cluster_label SplunkIndexersASG
211 | 
212 | 
213 |   # Configure indexer discovery
214 |   cat >>$SPLUNK_HOME/etc/system/local/server.conf <<end
215 | 
216 |   [indexer_discovery]
217 |   pass4SymmKey = $SYMMKEY
218 |   indexerWeightByDiskCapacity = true
219 | end
220 |   chown $SPLUNK_USER:$SPLUNK_USER $SPLUNK_HOME/etc/system/local/server.conf
221 | 
222 |   # generate the config file and HEC token
223 |   sudo -u $SPLUNK_USER $SPLUNK_BIN http-event-collector enable \
224 |   -uri https://localhost:8089
225 | 
226 |   sudo -u $SPLUNK_USER $SPLUNK_BIN http-event-collector create default-token \
227 |   -uri https://localhost:8089 > /tmp/token
228 |   TOKEN=`sed -n 's/\\ttoken=//p' /tmp/token` && rm /tmp/token
229 | 
230 |   # place generated config into master-apps
231 |   mkdir -p $SPLUNK_HOME/etc/master-apps/peer-base-autogenerated/local
232 |   mv $SPLUNK_HOME/etc/apps/splunk_httpinput/local/inputs.conf $SPLUNK_HOME/etc/master-apps/peer-base-autogenerated/local
233 | 
234 |   # peer config 2: enable splunk tcp input
235 |   cat >>$SPLUNK_HOME/etc/master-apps/peer-base-autogenerated/local/inputs.conf <<end
236 |   [splunktcp://9997]
237 |   disabled=0
238 | end
239 | 
240 |   # Configure smartstore as a configuration in a bundle.
241 | 
242 |   mkdir -p $SPLUNK_HOME/etc/master-apps/_cluster/local/
243 |   touch $SPLUNK_HOME/etc/master-apps/_cluster/local/indexes.conf
244 | 
245 |   cat >>$SPLUNK_HOME/etc/master-apps/_cluster/local/indexes.conf <<end
246 |   [default]
247 |   repFactor = auto
248 |   remotePath = volume:remote_store/splunk_db/$_index_name
249 |   coldPath=$SPLUNK_DB/$_index_name/colddb
250 |   thawedPath=$SPLUNK_DB/$_index_name/thaweddb
251 | 
252 |   [volume:remote_store]
253 |   storageType = remote
254 | 
255 |   path = s3://$SMARTSTORE_BUCKET
256 |   remote.s3.encryption = sse-s3
257 | end
258 | 
259 |   chown $SPLUNK_USER:$SPLUNK_USER $SPLUNK_HOME/etc/master-apps/_cluster/local/indexes.conf
260 |   restart_signal
261 | 
262 |   # signal with the generated HEC to show on cloudformation outputs section
263 |   /opt/aws/bin/cfn-signal -e 0 -i token -d $TOKEN $SplunkCMWaitHandle
264 | 
265 | }
266 | 
267 | function splunk_indexer
268 | {
269 |   #- run through setting up nvme raid device.
270 |   #- if the indexer is not an i3, the function immediately exits and continues to base config as normal
271 |   nvme_setup
272 | 
273 |   #- execute base install and configuration
274 |   base
275 | 
276 |   export INSTANCE_MAC_ADDR=$(curl -s http://169.254.169.254/latest/meta-data/mac)
277 |   export INSTANCE_SUBNET_ID=$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/$INSTANCE_MAC_ADDR/subnet-id)
278 |   export RESOURCE="SplunkIndexerNodesASG"
279 | 
280 |   #- configure smartstore as if it were a bundle already pushed by the CM.
281 | 
282 |   mkdir -p $SPLUNK_HOME/etc/slave-apps/_cluster/local
283 |   touch $SPLUNK_HOME/etc/slave-apps/_cluster/local/indexes.conf
284 | 
285 |   cat >> $SPLUNK_HOME/etc/slave-apps/_cluster/local/indexes.conf << end
286 |   [default]
287 |   repFactor = auto
288 |   remotePath = volume:remote_store/splunk_db/$_index_name
289 |   coldPath=$SPLUNK_DB/$_index_name/colddb
290 |   thawedPath=$SPLUNK_DB/$_index_name/thaweddb
291 | end
292 | 
293 |   cat >>$SPLUNK_HOME/etc/slave-apps/_cluster/local/indexes.conf <<end
294 | 
295 |   [volume:remote_store]
296 |   storageType = remote
297 |   path = s3://$SMARTSTORE_BUCKET
298 |   remote.s3.encryption = sse-s3
299 | end
300 | 
301 |   chown -R splunk:splunk $SPLUNK_HOME/etc/slave-apps/_cluster/
302 |   $SPLUNK_BIN restart
303 | 
304 | 
305 |   # set splunk server name to local hostname.
306 |   sudo -u $SPLUNK_USER $SPLUNK_BIN set servername $HOSTNAME -auth admin:$ADMIN_PASSWORD
307 | 
308 |   # Increase splunkweb connection timeout with splunkd"
309 |   mkdir -p $SPLUNK_HOME/etc/apps/base-autogenerated/local
310 | 
311 |   cat >>$SPLUNK_HOME/etc/apps/base-autogenerated/local/web.conf <<end
312 |   [settings]
313 |   splunkdConnectionTimeout = 300
314 | end
315 |   # Configure some SHC parameters
316 |   cat >>$SPLUNK_HOME/etc/apps/base-autogenerated/local/server.conf <<end
317 |   [shclustering]
318 |   register_replication_address = $LOCALIP
319 | end
320 | 
321 |   # Configure instance as license slave
322 |   cat >>$SPLUNK_HOME/etc/system/local/server.conf <<end
323 |   [license]
324 |   master_uri = https://$CM_PRIVATEIP:8089
325 | end
326 | 
327 |   chown -R $SPLUNK_USER:$SPLUNK_USER $SPLUNK_HOME/etc/apps/base-autogenerated
328 | 
329 |   case $INSTANCE_SUBNET_ID in
330 |     "$SUBNET1_ID")
331 |       site=site1
332 |     ;;
333 |     "$SUBNET2_ID")
334 |       site=site2
335 |     ;;
336 |     "$SUBNET3_ID")
337 |       site=site3
338 |     ;;
339 |     *)
340 |       echo "Unexpected subnet id"
341 |       exit 1
342 |   esac
343 | 
344 | 
345 |   # sleep to ensure splunkd is up before modifying cluster config
346 |   sleep 10
347 | 
348 |   sudo -u $SPLUNK_USER $SPLUNK_BIN edit cluster-config -mode slave \
349 |     -site $site \
350 |     -manager_uri https://$CM_PRIVATEIP:8089 \
351 |     -auth admin:$ADMIN_PASSWORD \
352 |     -replication_port 9887 \
353 |     -secret $SPLUNK_CLUSTER_SECRET
354 | 
355 |   restart_signal
356 | }
357 | 
358 | function splunk_cluster_sh
359 | {
360 | 
361 |   # the splunk search head cluster in quickstart is pre-defined with 3 nodes.
362 |   # verify that the argument passed is 1, 2, or 3
363 | 
364 |   if [[ "$1" =~ ^[1-3]$ ]]
365 |   then
366 |       # execute base install and configuration
367 |       base
368 | 
369 |       # search head number is the argument passed.  1 = SH1, 2 = SH2, etc.
370 |       num=$1
371 | 
372 |       # if this is a 3AZ deployment, place the third search head in site3.
373 |       # if not, place the third search head in site1.
374 |       # in all cases searchhead1 is site1, and searchhead2 is site2
375 | 
376 |       if [ $THREEAZ -eq 0 ] && [ $num -eq 3 ]
377 |       then
378 |         sitenum="site1"
379 |       else
380 |         sitenum="site$num"
381 |       fi
382 | 
383 |       export RESOURCE="SplunkSHCMember$num"
384 | 
385 |       printf '%s\t%s\n' \"$LOCALIP\" \"splunksearch-$num\" >> /etc/hosts
386 |       hostname "splunksearch-$num"
387 | 
388 |       # set splunk servername
389 |       sudo -u $SPLUNK_USER $SPLUNK_BIN set servername SHC$num
390 | 
391 |       # Increase splunkweb connection timeout with splunkd
392 |       cat >$SPLUNK_HOME/etc/system/local/web.conf <<end
393 |       [settings]
394 |       splunkdConnectionTimeout = 300
395 | end
396 |       # Configure some SHC parameters
397 |       cat >>$SPLUNK_HOME/etc/system/local/server.conf <<end
398 |     [shclustering]
399 |     register_replication_address = $LOCALIP
400 | end
401 |       chown -R $SPLUNK_USER:$SPLUNK_USER $SPLUNK_HOME/etc/system/local
402 |       $SPLUNK_BIN restart
403 | 
404 |       #- sleep 20 seconds to make sure Splunk has restarted before applying the configuration
405 |       sleep 20
406 | 
407 |       #- log in to splunk to execute several commands without requiring -auth
408 |       sudo -u $SPLUNK_USER $SPLUNK_BIN login -auth admin:$ADMIN_PASSWORD
409 | 
410 |       sudo -u $SPLUNK_USER $SPLUNK_BIN edit licenser-localslave \
411 |       -master_uri https://$CM_PRIVATEIP:8089
412 | 
413 |       #- configure searchhead cluster
414 |       #echo "### setup splunk search head cluster"
415 |       #echo "### sudo -u $SPLUNK_USER $SPLUNK_BIN init shcluster-config -mgmt_uri https://$LOCALIP:8089 -replication_port 8090 -replication_factor $SH_REPLICATION_FACTOR -conf_deploy_fetch_url https://$SH_DEPLOYER_IP:8089 \ -shcluster_label SplunkSHC -secret $SPLUNK_CLUSTER_SECRET"
416 | 
417 |       sudo -u $SPLUNK_USER $SPLUNK_BIN init shcluster-config \
418 |       -auth admin:$ADMIN_PASSWORD \
419 |       -mgmt_uri https://$LOCALIP:8089 \
420 |       -replication_port 8090 \
421 |       -replication_factor $SH_REPLICATION_FACTOR \
422 |       -conf_deploy_fetch_url https://$SH_DEPLOYER_IP:8089 \
423 |       -shcluster_label SplunkSHC\
424 |       -secret $SPLUNK_CLUSTER_SECRET
425 | 
426 |       $SPLUNK_BIN restart
427 |       sleep 20
428 | 
429 |       #echo "### sudo -u $SPLUNK_USER $SPLUNK_BIN edit cluster-config -mode searchhead -site $sitenum -manager_uri https://$CM_PRIVATEIP:8089 -secret $SPLUNK_CLUSTER_SECRET"
430 | 
431 |       sudo -u $SPLUNK_USER $SPLUNK_BIN edit cluster-config \
432 |       -mode searchhead \
433 |       -site $sitenum \
434 |       -manager_uri https://$CM_PRIVATEIP:8089 \
435 |       -secret $SPLUNK_CLUSTER_SECRET \
436 |       -auth admin:$ADMIN_PASSWORD 
437 | 
438 |       # Bootstrap SHC captain
439 | 
440 |       # Since we need all three searchhead ip addresses in order to make a captain,
441 |       # and searchhead3 is the last to be created, it will be bootstrapped as the
442 |       # first searchhead cluster captain.
443 |       if [ $num -eq 3 ]
444 |       then
445 |         export SH3_IP=$LOCALIP
446 | 
447 |         #echo "### sudo -u $SPLUNK_USER $SPLUNK_BIN bootstrap shcluster-captain -servers_list https://$SH1_IP:8089,https://$SH2_IP:8089,https://$SH3_IP:8089"
448 | 
449 |         sudo -u $SPLUNK_USER $SPLUNK_BIN bootstrap shcluster-captain \
450 |         -servers_list https://$SH1_IP:8089,https://$SH2_IP:8089,https://$SH3_IP:8089 \
451 |         -auth admin:$ADMIN_PASSWORD
452 |       fi
453 |       restart_signal
454 |   else
455 |     echo "Incorrect value passed.  \"$1\" is not 1, 2, or 3."
456 |     # communicate back to CloudFormation the status of the instance creation
457 |     /opt/aws/bin/cfn-signal -e 1 --stack $STACK_NAME --resource $RESOURCE --region $AWS_REGION
458 |     exit 1
459 |   fi
460 | }
461 | 
462 | ###
463 | # Splunk Deployer
464 | ###
465 | function splunk_deployer
466 | {
467 |   # execute base install and configuration
468 |   base
469 | 
470 |   export RESOURCE="SplunkSHCDeployer"
471 |   printf "$LOCALIP \t splunk-shc-deployer\n" >> /etc/hosts
472 |   hostname splunk-shc-deployer
473 | 
474 |   # Increase splunkweb connection timeout with splunkd
475 |   mkdir -p $SPLUNK_HOME/etc/apps/base-autogenerated/local
476 |   cat >>$SPLUNK_HOME/etc/apps/base-autogenerated/local/web.conf <<end
477 | [settings]
478 | splunkdConnectionTimeout = 300
479 | end
480 | 
481 |   # Configure some SHC parameters
482 |   cat >>$SPLUNK_HOME/etc/apps/base-autogenerated/local/server.conf <<end
483 | [shclustering]
484 | pass4SymmKey = $SYMMKEY
485 | shcluster_label = SplunkSHC
486 | end
487 | 
488 |   # Forward to indexer cluster using indexer discovery
489 |   cat >>$SPLUNK_HOME/etc/apps/base-autogenerated/local/outputs.conf <<end
490 | # Turn off indexing on the search head
491 | [indexAndForward]
492 | index = false
493 | 
494 | [tcpout]
495 | defaultGroup = indexer_cluster_peers
496 | forwardedindex.filter.disable = true
497 | indexAndForward = false
498 | 
499 | [tcpout:indexer_cluster_peers]
500 | indexerDiscovery = cluster_master
501 | 
502 | [indexer_discovery:cluster_master]
503 | pass4SymmKey = $SYMMKEY
504 | master_uri = https://$CM_PRIVATEIP:8089
505 | end
506 | 
507 |   # update permissions
508 |   chown -R $SPLUNK_USER:$SPLUNK_USER $SPLUNK_HOME/etc/apps/base-autogenerated
509 | 
510 |   # Add base config for search head cluster members
511 |   mkdir -p $SPLUNK_HOME/etc/shcluster/apps/member-base-autogenerated/local
512 |   cat >>$SPLUNK_HOME/etc/shcluster/apps/member-base-autogenerated/local/outputs.conf <<end
513 | # Turn off indexing on the search head
514 | [indexAndForward]
515 | index = false
516 | 
517 | [tcpout]
518 | defaultGroup = indexer_cluster_peers
519 | forwardedindex.filter.disable = true
520 | indexAndForward = false
521 | 
522 | [tcpout:indexer_cluster_peers]
523 | indexerDiscovery = cluster_master
524 | 
525 | [indexer_discovery:cluster_master]
526 | pass4SymmKey = $SYMMKEY
527 | master_uri = https://$CM_PRIVATEIP:8089
528 | end
529 | 
530 |   #- set ownership
531 |   chown -R $SPLUNK_USER:$SPLUNK_USER $SPLUNK_HOME/etc/apps
532 | 
533 |   $SPLUNK_BIN restart
534 |   sleep 10
535 | 
536 |   sudo -u $SPLUNK_USER $SPLUNK_BIN edit licenser-localslave \
537 |   -master_uri https://$CM_PRIVATEIP:8089 \
538 |   -auth admin:$ADMIN_PASSWORD
539 | 
540 |   sudo -u $SPLUNK_USER $SPLUNK_BIN apply shcluster-bundle -action stage --answer-yes
541 | 
542 |   restart_signal
543 | }
544 | 
545 | ## splunk single search head
546 | function splunk_single_sh
547 | {
548 |   # execute base install and configuration
549 |   base
550 | 
551 |   export RESOURCE="SplunkSearchHeadInstance"
552 | 
553 |   # sleep 20 seconds to make sure Splunk has restarted before applying the configuration
554 |   sleep 20
555 | 
556 |   # add hostname to /etc/hosts and set hostname
557 |   printf "$LOCALIP \t splunksearch\n" >> /etc/hosts
558 |   hostname splunksearch
559 | 
560 |   # Increase splunkweb connection timeout with splunkd
561 |   mkdir -p $SPLUNK_HOME/etc/apps/base-autogenerated/local
562 |   cat >>$SPLUNK_HOME/etc/apps/base-autogenerated/local/web.conf <<end
563 |   [settings]
564 |   splunkdConnectionTimeout = 300
565 | end
566 | 
567 |   # Forward to indexer cluster using indexer discovery
568 |   cat >>$SPLUNK_HOME/etc/apps/base-autogenerated/local/outputs.conf <<end
569 |   # Turn off indexing on the search head
570 |   [indexAndForward]
571 |   index = false
572 | 
573 |   [tcpout]
574 |   defaultGroup = indexer_cluster_peers
575 |   forwardedindex.filter.disable = true
576 |   indexAndForward = false
577 |   [tcpout:indexer_cluster_peers]
578 |   indexerDiscovery = cluster_master
579 |   [indexer_discovery:cluster_master]
580 |   pass4SymmKey = $SYMMKEY
581 |   manager_uri = https://$CM_PRIVATEIP:8089
582 | end
583 | 
584 |   # update permissions
585 |   chown -R $SPLUNK_USER:$SPLUNK_USER $SPLUNK_HOME/etc/apps/base-autogenerated
586 | 
587 |   # setup license server communication
588 |   sudo -u $SPLUNK_USER $SPLUNK_BIN edit licenser-localslave -manager_uri https://$CM_PRIVATEIP:8089 -auth admin:$ADMIN_PASSWORD
589 | 
590 |   # configure communication to the splunk indexer cluster
591 |   sudo -u $SPLUNK_USER $SPLUNK_BIN edit cluster-config \
592 |   -secret $SPLUNK_CLUSTER_SECRET \
593 |   -mode searchhead \
594 |   -site site1 \
595 |   -manager_uri https://$CM_PRIVATEIP:8089 \
596 |   -auth admin:$ADMIN_PASSWORD
597 | 
598 |   # final restart and cfn signal
599 |   restart_signal
600 | }
601 | 
602 | case "$1" in
603 |   "single_sh")
604 |   splunk_single_sh
605 |   ;;
606 |   "cluster_sh")
607 |   splunk_cluster_sh $2
608 |   ;;
609 |   "indexer")
610 |   splunk_indexer
611 |   ;;
612 |   "cm")
613 |   splunk_cm
614 |   ;;
615 |   "deployer")
616 |   splunk_deployer
617 |   ;;
618 |   *)
619 |   echo "Usage:  $(basename -- "$0") [single_sh|cluster_sh|indexer|cm|deployer]";
620 |   echo "        Note: a single argument of integers 1,2, or 3 must be passed to cluster_sh to specify the specific search head cluster node."
621 |   exit 0
622 | esac
623 | 


--------------------------------------------------------------------------------
/templates/splunk-enterprise.template:
--------------------------------------------------------------------------------
   1 | AWSTemplateFormatVersion: '2010-09-09'
   2 | Description: 'Splunk deployment with indexer, search head clustering and cluster master. QS(5030)'
   3 | Parameters:
   4 |   WebClientLocation:
   5 |     AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$
   6 |     ConstraintDescription: 'Must be a valid IP range in x.x.x.x/x notation.  Use 0.0.0.0/0 for no restrictions.'
   7 |     Description: 'The IP address range that is allowed to connect to the Splunk web interface. Note: a value of 0.0.0.0/0 will allow access from ANY ip address'
   8 |     MaxLength: '19'
   9 |     MinLength: '9'
  10 |     Type: String
  11 |   HECClientLocation:
  12 |     AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$
  13 |     ConstraintDescription: 'Must be a valid IP range in x.x.x.x/x notation.  Use 0.0.0.0/0 for no restrictions.'
  14 |     Description: 'The IP address range that is allowed to send data to Splunk HTTP Event Collector. Note: a value of 0.0.0.0/0 will allow access from ANY ip address'
  15 |     MaxLength: '19'
  16 |     MinLength: '9'
  17 |     Type: String
  18 |   IndexerInstanceType:
  19 |     AllowedValues:
  20 |       - m5.4xlarge
  21 |       - m5.8xlarge
  22 |       - c5.4xlarge
  23 |       - c5.9xlarge
  24 |       - c5.18xlarge
  25 |       - i3.4xlarge
  26 |       - i3.8xlarge
  27 |       - i3en.3xlarge
  28 |       - i3en.6xlarge
  29 |       - i3en.12xlarge
  30 |     Description: 'EC2 instance type for Splunk Indexers'
  31 |     ConstraintDescription: 'Must be a valid EC2 instance type.'
  32 |     Default: i3.4xlarge
  33 |     Type: String
  34 |   SearchHeadInstanceType:
  35 |     AllowedValues:
  36 |       - r5.4xlarge
  37 |       - r5.8xlarge
  38 |       - r5.16xlarge
  39 |       - c5.4xlarge
  40 |       - c5.9xlarge
  41 |       - m5.2xlarge
  42 |       - m5.4xlarge
  43 |       - m5.8xlarge
  44 |       - m5.12xlarge
  45 |     Description: 'EC2 instance type for Splunk Search Heads'
  46 |     ConstraintDescription: 'Must be a valid EC2 instance type.'
  47 |     Default: c5.4xlarge
  48 |     Type: String
  49 |   KeyName:
  50 |     ConstraintDescription: 'Must be the name of an existing EC2 KeyPair.'
  51 |     Description: 'Name of an existing EC2 KeyPair to enable SSH access to the instance.'
  52 |     Type: AWS::EC2::KeyPair::KeyName
  53 |   NumberOfAZs:
  54 |     AllowedValues:
  55 |       - '2'
  56 |       - '3'
  57 |     Default: '2'
  58 |     Description: 'Number of Availability Zones to use in the VPC. This must match the number public subnet IDs entered as parameters.'
  59 |     Type: String
  60 |   PublicSubnet1ID:
  61 |     Description: 'ID of Splunk public subnet 1 in Availability Zone 1 (e.g., subnet-xxxxxxxx)'
  62 |     Type: AWS::EC2::Subnet::Id
  63 |   PublicSubnet2ID:
  64 |     Description: 'ID of Splunk public subnet 2 in Availability Zone 2 (e.g., subnet-xxxxxxxx)'
  65 |     Type: AWS::EC2::Subnet::Id
  66 |   PublicSubnet3ID:
  67 |     Description: 'ID of Splunk public subnet 3 in Availability Zone 3 (e.g., subnet-xxxxxxxx)'
  68 |     Type: AWS::EC2::Subnet::Id
  69 |   QSS3BucketName:
  70 |     Default: ''
  71 |     Description: 'S3 bucket name for the Quick Start assets.'
  72 |     Type: String
  73 |   QSS3KeyPrefix:
  74 |     Default: quickstart-splunk-enterprise/
  75 |     Description: 'S3 key prefix for the Quick Start assets.'
  76 |     Type: String
  77 |   SHCEnabled:
  78 |     AllowedValues:
  79 |       - 'yes'
  80 |       - 'no'
  81 |     Default: 'no'
  82 |     Description: 'Do you want to build a Splunk search head cluster?'
  83 |     Type: String
  84 |   SSHClientLocation:
  85 |     AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$
  86 |     ConstraintDescription: 'Must be a valid IP range in x.x.x.x/x notation.  Use 0.0.0.0/0 for no restrictions.'
  87 |     Description: 'The IP address range that is allowed to SSH to the EC2 instances. Note: a value of 0.0.0.0/0 will allow access from ANY ip address'
  88 |     MaxLength: '19'
  89 |     MinLength: '9'
  90 |     Type: String
  91 |   SplunkAdminPassword:
  92 |     AllowedPattern: (?=^.{6,255}$)((?=.*\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*
  93 |     ConstraintDescription: 'Must be at least 8 characters containing letters, numbers and symbols.'
  94 |     Description: 'Admin password for Splunk. Must be at least 8 characters containing letters, numbers and symbols.'
  95 |     MaxLength: '32'
  96 |     MinLength: '8'
  97 |     NoEcho: 'true'
  98 |     Type: String
  99 |   SplunkIndexerCount:
 100 |     ConstraintDescription: 'Must be a valid number, 4-10'
 101 |     Default: '4'
 102 |     Description: 'How many Splunk indexers to launch.  [4-10]'
 103 |     MaxValue: '10'
 104 |     MinValue: '4'
 105 |     Type: Number
 106 |   SplunkIndexerDiskSize:
 107 |     ConstraintDescription: 'Must be a valid number, 100-16000'
 108 |     Default: '334'
 109 |     Description: 'The size of the attached EBS volume to the Splunk indexers.  (in GB)'
 110 |     MaxValue: '16000'
 111 |     MinValue: '100'
 112 |     Type: Number
 113 |   SplunkSearchHeadDiskSize:
 114 |     ConstraintDescription: 'Must be a valid number, 100-16000'
 115 |     Default: '334'
 116 |     Description: 'The size of the attached EBS volume to the Splunk search head(s).  (in GB)'
 117 |     MaxValue: '16000'
 118 |     MinValue: '100'
 119 |     Type: Number
 120 |   SmartStoreBucketName:
 121 |     Default: ''
 122 |     Description: 'Name of S3 bucket to be created for SmartStore storage'
 123 |     Type: String
 124 |   SplunkLicenseBucket:
 125 |     ConstraintDescription: 'Required for QuickStart to function and must be a valid s3 bucket'
 126 |     AllowedPattern: (?=^.{3,63}$)(?!xn--)([a-z0-9](?:[a-z0-9-]*)[a-z0-9])$
 127 |     Description: 'Name of private S3 bucket with licenses to be accessed via authenticated requests'
 128 |     MinLength: '3'
 129 |     MaxLength: '63'
 130 |     Type: String
 131 |   SplunkLicensePath:
 132 |     ConstraintDescription: 'Required for QuickStart to function and must point to a valid Splunk license'
 133 |     AllowedPattern: ([0-9]|[A-Z]|[a-z]|[\/\._-])+
 134 |     Description: 'Path to license file in S3 Bucket (without leading /)'
 135 |     MinLength: '1'
 136 |     MaxLength: '128'
 137 |     Type: String
 138 |   SplunkReplicationFactor:
 139 |     ConstraintDescription: 'Must be a valid number, 2-6'
 140 |     Default: '2'
 141 |     Description: 'How many copies of data should be stored in the Splunk Indexer Cluster'
 142 |     MaxValue: '6'
 143 |     MinValue: '2'
 144 |     Type: Number
 145 |   SplunkSearchFactor:
 146 |     ConstraintDescription: 'Must be a valid number, 2-6'
 147 |     Default: '2'
 148 |     Description: 'How many copies of data should be searchable in the Splunk indexer clusters'
 149 |     MaxValue: '6'
 150 |     MinValue: '2'
 151 |     Type: Number
 152 |   SplunkClusterSecret:
 153 |     AllowedPattern: (?=^.{6,255}$)((?=.*\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*
 154 |     ConstraintDescription: 'Must be at least 8 characters containing letters, numbers and symbols.'
 155 |     Description: 'Shared cluster secret for Search Head and Indexer cluster nodes. Must be at least 8 characters containing letters, numbers and symbols.'
 156 |     MaxLength: '32'
 157 |     MinLength: '8'
 158 |     NoEcho: 'true'
 159 |     Type: String
 160 |   SplunkIndexerDiscoverySecret:
 161 |     AllowedPattern: (?=^.{6,255}$)((?=.*\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*
 162 |     ConstraintDescription: 'Must be at least 8 characters containing letters, numbers and symbols.'
 163 |     Description: 'Security key used for communication between your forwarders and the cluster master. This value should also be used by forwarders in order to retrieve list of available peer nodes from cluster master. Must be at least 8 characters containing letters, numbers and symbols.'
 164 |     MaxLength: '32'
 165 |     MinLength: '8'
 166 |     NoEcho: 'true'
 167 |     Type: String
 168 |   VPCCIDR:
 169 |     AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$
 170 |     ConstraintDescription: 'Must be a valid IP CIDR range of the form x.x.x.x/x.'
 171 |     Description: VPC CIDR Block (x.x.x.x/x notation)
 172 |     Type: String
 173 |   VPCID:
 174 |     Description: VPC ID
 175 |     Type: AWS::EC2::VPC::Id
 176 | Metadata:
 177 |   AWSAMIRegionMap:
 178 |     Filters:
 179 |       SPLUNKENTHVM:
 180 |         name: splunk_AMI*
 181 |         owner-alias: aws-marketplace
 182 |         product-code.type: marketplace
 183 |   QuickStartDocumentation:
 184 |     EntrypointName: "Splunk QuickStart (Existing VPC)"
 185 |   AWS::CloudFormation::Interface:
 186 |     ParameterGroups:
 187 |       - Label:
 188 |           default: AWS Instance and Network Settings
 189 |         Parameters:
 190 |           - IndexerInstanceType
 191 |           - SearchHeadInstanceType
 192 |           - KeyName
 193 |           - WebClientLocation
 194 |           - HECClientLocation
 195 |           - SSHClientLocation
 196 |           - VPCID
 197 |           - VPCCIDR
 198 |           - PublicSubnet1ID
 199 |           - PublicSubnet2ID
 200 |           - PublicSubnet3ID
 201 |           - NumberOfAZs
 202 |       - Label:
 203 |           default: Splunk Settings
 204 |         Parameters:
 205 |           - SplunkAdminPassword
 206 |           - SplunkClusterSecret
 207 |           - SplunkIndexerDiscoverySecret
 208 |           - SplunkLicenseBucket
 209 |           - SplunkLicensePath
 210 |           - SplunkIndexerCount
 211 |           - SplunkIndexerDiskSize
 212 |           - SplunkSearchHeadDiskSize
 213 |           - SplunkReplicationFactor
 214 |           - SplunkSearchFactor
 215 |           - SmartStoreBucketName
 216 |           - SHCEnabled
 217 |     ParameterLabels:
 218 |       WebClientLocation:
 219 |         default: Permitted CIDR for Splunk web interface
 220 |       HECClientLocation:
 221 |         default: Permitted CIDR for Splunk HTTP event collector input
 222 |       IndexerInstanceType:
 223 |         default: EC2 instance type for Splunk indexer
 224 |       SearchHeadInstanceType:
 225 |         default: EC2 instance type for Splunk search head
 226 |       KeyName:
 227 |         default: Key Name
 228 |       PublicSubnet1ID:
 229 |         default: Public Subnet 1 ID
 230 |       PublicSubnet2ID:
 231 |         default: Public Subnet 2 ID
 232 |       PublicSubnet3ID:
 233 |         default: Public Subnet 3 ID
 234 |       NumberOfAZs:
 235 |         default: Number of Availability Zones
 236 |       SHCEnabled:
 237 |         default: Enable Search Head Cluster?
 238 |       SSHClientLocation:
 239 |         default: Permitted CIDR for ssh
 240 |       SplunkAdminPassword:
 241 |         default: Splunk Admin Password
 242 |       SplunkIndexerCount:
 243 |         default: No. of Splunk Indexers
 244 |       SmartStoreBucketName:
 245 |         default: Name of bucket to be created for Smartstore storage
 246 |       SplunkIndexerDiskSize:
 247 |         default: Indexer Disk Size
 248 |       SplunkSearchHeadDiskSize:
 249 |         default: Search Head(s) Disk Size
 250 |       SplunkLicenseBucket:
 251 |         default: Splunk License Bucket
 252 |       SplunkLicensePath:
 253 |         default: Splunk License S3 Bucket Path
 254 |       SplunkReplicationFactor:
 255 |         default: Index Cluster Replication Factor
 256 |       SplunkSearchFactor:
 257 |         default: Index Cluster Search Factor
 258 |       SplunkClusterSecret:
 259 |         default: Shared Security Key for Cluster Nodes
 260 |       SplunkIndexerDiscoverySecret:
 261 |         default: Shared Security Key for Forwarders using Indexer Discovery
 262 |       VPCCIDR:
 263 |         default: VPC CIDR
 264 |       VPCID:
 265 |         default: VPC ID
 266 | Conditions:
 267 |   Create3AZ: !Equals
 268 |     - !Ref 'NumberOfAZs'
 269 |     - '3'
 270 |   CreateSingleSearchHead: !Equals
 271 |     - !Ref 'SHCEnabled'
 272 |     - 'no'
 273 |   CreateSHC: !Equals
 274 |     - !Ref 'SHCEnabled'
 275 |     - 'yes'
 276 |   ConfigureLicense: !And
 277 |     - !Not
 278 |       - !Equals
 279 |         - ''
 280 |         - !Ref 'SplunkLicenseBucket'
 281 |     - !Not
 282 |       - !Equals
 283 |         - ''
 284 |         - !Ref 'SplunkLicensePath'
 285 | Mappings:
 286 |   AWSAMIRegionMap:
 287 |     AMI:
 288 |       SPLUNKENTHVM: splunk_AMI_8.2.3.3_2021-12-18_00-53-30-7b65de6c-5006-4ca2-bd75-fdba95ae5d9d
 289 |     us-west-1:
 290 |       SPLUNKENTHVM: ami-09661ae18cb9aedb4
 291 |     us-west-2:
 292 |       SPLUNKENTHVM: ami-0c22deb9fc3c775d9
 293 |     us-east-1:
 294 |       SPLUNKENTHVM: ami-0582e6c6a47fc48c5
 295 |     us-east-2:
 296 |       SPLUNKENTHVM: ami-01021135eb4ce4d5d
 297 |     ap-south-1:
 298 |       SPLUNKENTHVM: ami-005110201be854c36
 299 |     ap-northeast-1:
 300 |       SPLUNKENTHVM: ami-0f652f101b96c37e9
 301 |     ap-northeast-2:
 302 |       SPLUNKENTHVM: ami-0673efcda653adfb5
 303 |     ap-southeast-1:
 304 |       SPLUNKENTHVM: ami-091a6c8fd0012281e
 305 |     ap-southeast-2:
 306 |       SPLUNKENTHVM: ami-0cdb50ab376ee7d58
 307 |     ca-central-1:
 308 |       SPLUNKENTHVM: ami-03c36e8753b649758
 309 |     eu-central-1:
 310 |       SPLUNKENTHVM: ami-00018e48dd37a4de3
 311 |     eu-west-1:
 312 |       SPLUNKENTHVM: ami-01495bcd527c0ff9d
 313 |     eu-west-2:
 314 |       SPLUNKENTHVM: ami-0b285d7712449bb17
 315 |     eu-west-3:
 316 |       SPLUNKENTHVM: ami-05f8860a4be3a2a86
 317 |     eu-north-1:
 318 |       SPLUNKENTHVM: ami-0a2d7f72e56037575
 319 |     sa-east-1:
 320 |       SPLUNKENTHVM: ami-08c43f4591f7fc7a6
 321 | 
 322 |   SplunkConfig:
 323 |     dedicated-instance-type:
 324 |       clusterMaster: c5.xlarge
 325 |       shclusterDeployer: c5.xlarge
 326 |     shcluster-replication-factor:
 327 |       num: '3'
 328 |     labels:
 329 |       cluster: IndexerCluster
 330 |       shcluster: SearchHeadCluster
 331 | 
 332 | Resources:
 333 |   SplunkSmartstoreBucket:
 334 |     Type: AWS::S3::Bucket
 335 |     Properties:
 336 |       BucketName: !Ref 'SmartStoreBucketName'
 337 |       BucketEncryption:
 338 |         ServerSideEncryptionConfiguration:
 339 |           - ServerSideEncryptionByDefault:
 340 |               SSEAlgorithm: AES256
 341 |     DeletionPolicy: Delete
 342 |   SmartStoreS3BucketRole:
 343 |     Type: AWS::IAM::Role
 344 |     Properties:
 345 |       AssumeRolePolicyDocument:
 346 |         Statement:
 347 |           - Effect: Allow
 348 |             Principal:
 349 |               Service:
 350 |                 - ec2.amazonaws.com
 351 |             Action:
 352 |               - sts:AssumeRole
 353 |       Path: /
 354 |   SmartStoreS3AccessInstanceProfile:
 355 |     Type: AWS::IAM::InstanceProfile
 356 |     Properties:
 357 |       Path: /
 358 |       Roles:
 359 |         - !Ref 'SmartStoreS3BucketRole'
 360 |   SmartStoreS3BucketPolicy:
 361 |     Type: AWS::IAM::Policy
 362 |     Properties:
 363 |       PolicyName: SmartStoreS3BucketPolicy
 364 |       PolicyDocument:
 365 |         Statement:
 366 |           - Action:
 367 |               - s3:ListBucket
 368 |             Effect: Allow
 369 |             Resource:
 370 |               - !Join
 371 |                 - ''
 372 |                 - - 'arn:aws:s3:::'
 373 |                   - !Ref 'SmartStoreBucketName'
 374 |           - Action:
 375 |               - s3:PutObject
 376 |               - s3:GetObject
 377 |               - s3:DeleteObject
 378 |               - s3:PutObjectAcl
 379 |             Effect: Allow
 380 |             Resource:
 381 |               - !Join
 382 |                 - ''
 383 |                 - - 'arn:aws:s3:::'
 384 |                   - !Ref 'SmartStoreBucketName'
 385 |                   - '/*'
 386 |       Roles:
 387 |         - !Ref 'SmartStoreS3BucketRole'
 388 |   SplunkSearchHeadSecurityGroup:
 389 |     Type: AWS::EC2::SecurityGroup
 390 |     Properties:
 391 |       VpcId: !Ref 'VPCID'
 392 |       GroupDescription: 'Enable port 8000 for Splunk web interface, port 8090 for SHC replication, and port 8191 for KV store replication'
 393 |       SecurityGroupIngress:
 394 |         - IpProtocol: tcp
 395 |           FromPort: 8000
 396 |           ToPort: 8000
 397 |           CidrIp: !Ref 'WebClientLocation'
 398 |         - IpProtocol: tcp
 399 |           FromPort: 8090
 400 |           ToPort: 8090
 401 |           CidrIp: !Ref 'VPCCIDR'
 402 |         - IpProtocol: tcp
 403 |           FromPort: 8191
 404 |           ToPort: 8191
 405 |           CidrIp: !Ref 'VPCCIDR'
 406 |       Tags:
 407 |         - Key: Application
 408 |           Value: !Ref 'AWS::StackId'
 409 |         - Key: Name
 410 |           Value: SplunkSearchHeadSecurityGroup
 411 |   SplunkIndexerSecurityGroup:
 412 |     Type: AWS::EC2::SecurityGroup
 413 |     Properties:
 414 |       VpcId: !Ref 'VPCID'
 415 |       GroupDescription: 'Enable port 9997 for splunktcp input, port 8088 for HEC input, port 514 for tcp/udp input, and port 9887 for data replication'
 416 |       SecurityGroupIngress:
 417 |         - IpProtocol: tcp
 418 |           FromPort: 9997
 419 |           ToPort: 9997
 420 |           CidrIp: !Ref 'VPCCIDR'
 421 |         - IpProtocol: tcp
 422 |           FromPort: 8088
 423 |           ToPort: 8088
 424 |           SourceSecurityGroupId: !Ref 'SplunkHttpEventCollectorLoadBalancerSecurityGroup'
 425 |         - IpProtocol: tcp
 426 |           FromPort: 514
 427 |           ToPort: 514
 428 |           CidrIp: !Ref 'VPCCIDR'
 429 |         - IpProtocol: udp
 430 |           FromPort: 514
 431 |           ToPort: 514
 432 |           CidrIp: !Ref 'VPCCIDR'
 433 |         - IpProtocol: tcp
 434 |           FromPort: 9887
 435 |           ToPort: 9887
 436 |           CidrIp: !Ref 'VPCCIDR'
 437 |       Tags:
 438 |         - Key: Application
 439 |           Value: !Ref 'AWS::StackId'
 440 |         - Key: Name
 441 |           Value: SplunkIndexerSecurityGroup
 442 |   SplunkSecurityGroup:
 443 |     Type: AWS::EC2::SecurityGroup
 444 |     Properties:
 445 |       VpcId: !Ref 'VPCID'
 446 |       GroupDescription: 'Enable administrative ports like restricted SSH and management port'
 447 |       SecurityGroupIngress:
 448 |         - IpProtocol: tcp
 449 |           FromPort: 22
 450 |           ToPort: 22
 451 |           CidrIp: !Ref 'SSHClientLocation'
 452 |         - IpProtocol: tcp
 453 |           FromPort: 8089
 454 |           ToPort: 8089
 455 |           CidrIp: !Ref 'VPCCIDR'
 456 |       Tags:
 457 |         - Key: Application
 458 |           Value: !Ref 'AWS::StackId'
 459 |         - Key: Name
 460 |           Value: SplunkSecurityGroup
 461 |   SplunkHttpEventCollectorLoadBalancerSecurityGroup:
 462 |     Type: AWS::EC2::SecurityGroup
 463 |     Properties:
 464 |       VpcId: !Ref 'VPCID'
 465 |       GroupDescription: 'Enable port 8088 on ELB for HEC input'
 466 |       SecurityGroupIngress:
 467 |         - IpProtocol: tcp
 468 |           FromPort: 8088
 469 |           ToPort: 8088
 470 |           CidrIp: !Ref 'HECClientLocation'
 471 |       Tags:
 472 |         - Key: Application
 473 |           Value: !Ref 'AWS::StackId'
 474 |         - Key: Name
 475 |           Value: SplunkHttpEventCollectorLoadBalancerSecurityGroup
 476 |   SplunkSearchHeadInstance:
 477 |     Type: AWS::EC2::Instance
 478 |     Condition: CreateSingleSearchHead
 479 |     CreationPolicy:
 480 |       ResourceSignal:
 481 |         Timeout: PT15M
 482 |     Properties:
 483 |       ImageId: !FindInMap
 484 |         - AWSAMIRegionMap
 485 |         - !Ref 'AWS::Region'
 486 |         - SPLUNKENTHVM
 487 |       InstanceType: !Ref 'SearchHeadInstanceType'
 488 |       KeyName: !Ref 'KeyName'
 489 |       Tags:
 490 |         - Key: Application
 491 |           Value: !Ref 'AWS::StackId'
 492 |         - Key: Role
 493 |           Value: splunk-search-head
 494 |         - Key: Name
 495 |           Value: search-head
 496 |       NetworkInterfaces:
 497 |         - GroupSet:
 498 |             - !Ref 'SplunkSecurityGroup'
 499 |             - !Ref 'SplunkSearchHeadSecurityGroup'
 500 |           AssociatePublicIpAddress: true
 501 |           DeviceIndex: '0'
 502 |           DeleteOnTermination: true
 503 |           SubnetId: !Ref 'PublicSubnet1ID'
 504 |       BlockDeviceMappings:
 505 |         - DeviceName: /dev/xvda
 506 |           Ebs:
 507 |             VolumeType: gp2
 508 |             VolumeSize: !Ref 'SplunkSearchHeadDiskSize'
 509 |       UserData:
 510 |         Fn::Base64:
 511 |           Fn::Sub:
 512 |             - |
 513 |               #!/bin/bash -xe
 514 |               export INSTALL_LICENSE="0"
 515 |               export SYMMKEY="${SplunkIndexerDiscoverySecret}"
 516 |               export ADMIN_PASSWORD="${SplunkAdminPassword}"
 517 |               export STACK_NAME="${AWS::StackName}"
 518 |               export AWS_REGION="${AWS::Region}"
 519 |               export SPLUNK_CLUSTER_SECRET="${SplunkClusterSecret}"
 520 |               export SplunkCMWaitHandle="${SplunkCMWaitHandle}"
 521 |               export S3_USERDATA="https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}scripts/user_data.sh"
 522 |               wget $S3_USERDATA -O /tmp/user_data.sh && chmod +x /tmp/user_data.sh
 523 |               export CM_PRIVATEIP="${SplunkCMIP}"
 524 |               /tmp/user_data.sh single_sh && rm -f /tmp/user_data.sh
 525 |             - SplunkCMIP: !GetAtt SplunkCM.PrivateIp
 526 |   SplunkCM:
 527 |     Type: AWS::EC2::Instance
 528 |     CreationPolicy:
 529 |       ResourceSignal:
 530 |         Timeout: PT15M
 531 |     Metadata:
 532 |       AWS::CloudFormation::Init: !If
 533 |         - ConfigureLicense
 534 |         - config:
 535 |             files:
 536 |               /opt/splunk/etc/licenses/enterprise/splunk.license:
 537 |                 source: !If
 538 |                   - ConfigureLicense
 539 |                   - !Join
 540 |                     - ''
 541 |                     - - https://
 542 |                       - !Ref 'SplunkLicenseBucket'
 543 |                       - .s3.amazonaws.com/
 544 |                       - !Ref 'SplunkLicensePath'
 545 |                   - !Ref 'AWS::NoValue'
 546 |                 mode: '000600'
 547 |                 owner: splunk
 548 |                 group: splunk
 549 |                 authentication: S3AccessCreds
 550 |         - !Ref 'AWS::NoValue'
 551 |       AWS::CloudFormation::Authentication: !If
 552 |         - ConfigureLicense
 553 |         - S3AccessCreds:
 554 |             type: S3
 555 |             accessKeyId: !Ref 'CfnKeys'
 556 |             secretKey: !GetAtt 'CfnKeys.SecretAccessKey'
 557 |             buckets:
 558 |               - !Ref 'SplunkLicenseBucket'
 559 |         - !Ref 'AWS::NoValue'
 560 |     Properties:
 561 |       BlockDeviceMappings:
 562 |         - DeviceName: /dev/xvda
 563 |           Ebs:
 564 |             VolumeType: gp2
 565 |             VolumeSize: 334
 566 |       NetworkInterfaces:
 567 |         - GroupSet:
 568 |             - !Ref 'SplunkSecurityGroup'
 569 |             - !Ref 'SplunkSearchHeadSecurityGroup'
 570 |           AssociatePublicIpAddress: true
 571 |           DeviceIndex: '0'
 572 |           DeleteOnTermination: true
 573 |           SubnetId: !Ref 'PublicSubnet1ID'
 574 |       ImageId: !FindInMap
 575 |         - AWSAMIRegionMap
 576 |         - !Ref 'AWS::Region'
 577 |         - SPLUNKENTHVM
 578 |       InstanceType: !FindInMap
 579 |         - SplunkConfig
 580 |         - dedicated-instance-type
 581 |         - clusterMaster
 582 |       KeyName: !Ref 'KeyName'
 583 |       Tags:
 584 |         - Key: Application
 585 |           Value: !Ref 'AWS::StackId'
 586 |         - Key: Role
 587 |           Value: cluster-master
 588 |         - Key: Name
 589 |           Value: cluster-master
 590 |       UserData:
 591 |        Fn::Base64:
 592 |         Fn::Sub:
 593 |           - |
 594 |             #!/bin/bash -xe
 595 |             export INSTALL_LICENSE="0"
 596 |             export SYMMKEY="${SplunkIndexerDiscoverySecret}"
 597 |             export ADMIN_PASSWORD="${SplunkAdminPassword}"
 598 |             export STACK_NAME="${AWS::StackName}"
 599 |             export AWS_REGION="${AWS::Region}"
 600 |             export SPLUNK_CLUSTER_SECRET="${SplunkClusterSecret}"
 601 |             export SMARTSTORE_BUCKET="${SmartStoreBucketName}"
 602 |             export SplunkCMWaitHandle="${SplunkCMWaitHandle}"
 603 |             export REPFACTOR="${SplunkReplicationFactor}"
 604 |             export SEARCHFACTOR="${SplunkSearchFactor}"
 605 |             export S3_USERDATA="https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}scripts/user_data.sh"
 606 |             export SITELIST="${Sitelist}"
 607 |             export INSTALL_LICENSE="${InstallLicense}"
 608 |             wget $S3_USERDATA -O /tmp/user_data.sh && chmod +x /tmp/user_data.sh
 609 |             /tmp/user_data.sh cm && rm -f /tmp/user_data.sh
 610 |           - Sitelist: !If [Create3AZ, "site1,site2,site3", "site1,site2" ]
 611 |             InstallLicense: !If [ConfigureLicense, "1", "0"]
 612 |   SplunkCMWaitHandle:
 613 |     Type: AWS::CloudFormation::WaitConditionHandle
 614 |   SplunkCMWaitCondition:
 615 |     Type: AWS::CloudFormation::WaitCondition
 616 |     DependsOn: SplunkCM
 617 |     Properties:
 618 |       Handle: !Ref 'SplunkCMWaitHandle'
 619 |       Timeout: '900'
 620 |   SplunkSHCDeployer:
 621 |     Type: AWS::EC2::Instance
 622 |     Condition: CreateSHC
 623 |     CreationPolicy:
 624 |       ResourceSignal:
 625 |         Timeout: PT10M
 626 |     Properties:
 627 |       ImageId: !FindInMap
 628 |         - AWSAMIRegionMap
 629 |         - !Ref 'AWS::Region'
 630 |         - SPLUNKENTHVM
 631 |       InstanceType: !FindInMap
 632 |         - SplunkConfig
 633 |         - dedicated-instance-type
 634 |         - shclusterDeployer
 635 |       KeyName: !Ref 'KeyName'
 636 |       Tags:
 637 |         - Key: Application
 638 |           Value: !Ref 'AWS::StackId'
 639 |         - Key: Role
 640 |           Value: splunk-deployer
 641 |         - Key: Name
 642 |           Value: deployer
 643 |       NetworkInterfaces:
 644 |         - GroupSet:
 645 |             - !Ref 'SplunkSecurityGroup'
 646 |             - !Ref 'SplunkSearchHeadSecurityGroup'
 647 |           AssociatePublicIpAddress: true
 648 |           DeviceIndex: '0'
 649 |           DeleteOnTermination: true
 650 |           SubnetId: !Ref 'PublicSubnet1ID'
 651 |       BlockDeviceMappings:
 652 |         - DeviceName: /dev/xvda
 653 |           Ebs:
 654 |             VolumeType: gp2
 655 |             VolumeSize: !Ref 'SplunkSearchHeadDiskSize'
 656 |       UserData:
 657 |        Fn::Base64:
 658 |         Fn::Sub:
 659 |           - |
 660 |             #!/bin/bash -xe
 661 |             export INSTALL_LICENSE="0"
 662 |             export SYMMKEY="${SplunkIndexerDiscoverySecret}"
 663 |             export ADMIN_PASSWORD="${SplunkAdminPassword}"
 664 |             export STACK_NAME="${AWS::StackName}"
 665 |             export AWS_REGION="${AWS::Region}"
 666 |             export SPLUNK_CLUSTER_SECRET="${SplunkClusterSecret}"
 667 |             export SMARTSTORE_BUCKET="${SmartStoreBucketName}"
 668 |             export SplunkCMWaitHandle="${SplunkCMWaitHandle}"
 669 |             export REPFACTOR="${SplunkReplicationFactor}"
 670 |             export SEARCHFACTOR="${SplunkSearchFactor}"
 671 |             export S3_USERDATA="https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}scripts/user_data.sh"
 672 |             export CM_PRIVATEIP="${SplunkCMIP}"
 673 |             wget $S3_USERDATA -O /tmp/user_data.sh && chmod +x /tmp/user_data.sh
 674 |             /tmp/user_data.sh deployer && rm -f /tmp/user_data.sh
 675 |           - SplunkCMIP: !GetAtt SplunkCM.PrivateIp
 676 |   SplunkSHCMember1:
 677 |     Type: AWS::EC2::Instance
 678 |     Condition: CreateSHC
 679 |     CreationPolicy:
 680 |       ResourceSignal:
 681 |         Timeout: PT10M
 682 |     Properties:
 683 |       ImageId: !FindInMap
 684 |         - AWSAMIRegionMap
 685 |         - !Ref 'AWS::Region'
 686 |         - SPLUNKENTHVM
 687 |       InstanceType: !Ref 'SearchHeadInstanceType'
 688 |       KeyName: !Ref 'KeyName'
 689 |       Tags:
 690 |         - Key: Application
 691 |           Value: !Ref 'AWS::StackId'
 692 |         - Key: Role
 693 |           Value: splunk-search-head
 694 |         - Key: Name
 695 |           Value: search-head-1
 696 |       NetworkInterfaces:
 697 |         - GroupSet:
 698 |             - !Ref 'SplunkSecurityGroup'
 699 |             - !Ref 'SplunkSearchHeadSecurityGroup'
 700 |           AssociatePublicIpAddress: true
 701 |           DeviceIndex: '0'
 702 |           DeleteOnTermination: true
 703 |           SubnetId: !Ref 'PublicSubnet1ID'
 704 |       BlockDeviceMappings:
 705 |         - DeviceName: /dev/xvda
 706 |           Ebs:
 707 |             VolumeType: gp2
 708 |             VolumeSize: !Ref 'SplunkSearchHeadDiskSize'
 709 |       UserData:
 710 |        Fn::Base64:
 711 |         Fn::Sub:
 712 |           - |
 713 |             #!/bin/bash -xe
 714 |             export INSTALL_LICENSE="0"
 715 |             export SYMMKEY="${SplunkIndexerDiscoverySecret}"
 716 |             export ADMIN_PASSWORD="${SplunkAdminPassword}"
 717 |             export STACK_NAME="${AWS::StackName}"
 718 |             export AWS_REGION="${AWS::Region}"
 719 |             export SPLUNK_CLUSTER_SECRET="${SplunkClusterSecret}"
 720 |             export SMARTSTORE_BUCKET="${SmartStoreBucketName}"
 721 |             export SplunkCMWaitHandle="${SplunkCMWaitHandle}"
 722 |             export REPFACTOR="${SplunkReplicationFactor}"
 723 |             export SEARCHFACTOR="${SplunkSearchFactor}"
 724 |             export S3_USERDATA="https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}scripts/user_data.sh"
 725 |             export CM_PRIVATEIP="${SplunkCMIP}"
 726 |             export SH_REPLICATION_FACTOR="${SplunkReplicationFactor}"
 727 |             export THREEAZ="${THREEAZ}"
 728 |             export SH_DEPLOYER_IP="${SH_DEPLOYER_IP}"
 729 |             wget $S3_USERDATA -O /tmp/user_data.sh && chmod +x /tmp/user_data.sh
 730 |             /tmp/user_data.sh cluster_sh 1 && rm -f /tmp/user_data.sh
 731 |           - SplunkCMIP: !GetAtt SplunkCM.PrivateIp
 732 |             SH_DEPLOYER_IP: !GetAtt SplunkSHCDeployer.PrivateIp
 733 |             THREEAZ: !If [ Create3AZ, "1", "0" ]
 734 |   SplunkSHCMember2:
 735 |     Type: AWS::EC2::Instance
 736 |     Condition: CreateSHC
 737 |     CreationPolicy:
 738 |       ResourceSignal:
 739 |         Timeout: PT10M
 740 |     Properties:
 741 |       ImageId: !FindInMap
 742 |         - AWSAMIRegionMap
 743 |         - !Ref 'AWS::Region'
 744 |         - SPLUNKENTHVM
 745 |       InstanceType: !Ref 'SearchHeadInstanceType'
 746 |       KeyName: !Ref 'KeyName'
 747 |       Tags:
 748 |         - Key: Application
 749 |           Value: !Ref 'AWS::StackId'
 750 |         - Key: Role
 751 |           Value: splunk-search-head
 752 |         - Key: Name
 753 |           Value: search-head-2
 754 |       NetworkInterfaces:
 755 |         - GroupSet:
 756 |             - !Ref 'SplunkSecurityGroup'
 757 |             - !Ref 'SplunkSearchHeadSecurityGroup'
 758 |           AssociatePublicIpAddress: true
 759 |           DeviceIndex: '0'
 760 |           DeleteOnTermination: true
 761 |           SubnetId: !Ref 'PublicSubnet2ID'
 762 |       BlockDeviceMappings:
 763 |         - DeviceName: /dev/xvda
 764 |           Ebs:
 765 |             VolumeType: gp2
 766 |             VolumeSize: !Ref 'SplunkSearchHeadDiskSize'
 767 |       UserData:
 768 |        Fn::Base64:
 769 |         Fn::Sub:
 770 |           - |
 771 |             #!/bin/bash -xe
 772 |             export INSTALL_LICENSE="0"
 773 |             export SYMMKEY="${SplunkIndexerDiscoverySecret}"
 774 |             export ADMIN_PASSWORD="${SplunkAdminPassword}"
 775 |             export STACK_NAME="${AWS::StackName}"
 776 |             export AWS_REGION="${AWS::Region}"
 777 |             export SPLUNK_CLUSTER_SECRET="${SplunkClusterSecret}"
 778 |             export SMARTSTORE_BUCKET="${SmartStoreBucketName}"
 779 |             export SplunkCMWaitHandle="${SplunkCMWaitHandle}"
 780 |             export REPFACTOR="${SplunkReplicationFactor}"
 781 |             export SEARCHFACTOR="${SplunkSearchFactor}"
 782 |             export S3_USERDATA="https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}scripts/user_data.sh"
 783 |             export CM_PRIVATEIP="${SplunkCMIP}"
 784 |             export SH_REPLICATION_FACTOR="${SplunkReplicationFactor}"
 785 |             export THREEAZ="${THREEAZ}"
 786 |             export SH_DEPLOYER_IP="${SH_DEPLOYER_IP}"
 787 |             wget $S3_USERDATA -O /tmp/user_data.sh && chmod +x /tmp/user_data.sh
 788 |             /tmp/user_data.sh cluster_sh 2 && rm -f /tmp/user_data.sh
 789 |           - SplunkCMIP: !GetAtt SplunkCM.PrivateIp
 790 |             SH_DEPLOYER_IP: !GetAtt SplunkSHCDeployer.PrivateIp
 791 |             THREEAZ: !If [ Create3AZ, "1", "0" ]
 792 |   SplunkSHCMember3:
 793 |     Type: AWS::EC2::Instance
 794 |     Condition: CreateSHC
 795 |     CreationPolicy:
 796 |       ResourceSignal:
 797 |         Timeout: PT10M
 798 |     Properties:
 799 |       ImageId: !FindInMap
 800 |         - AWSAMIRegionMap
 801 |         - !Ref 'AWS::Region'
 802 |         - SPLUNKENTHVM
 803 |       InstanceType: !Ref 'SearchHeadInstanceType'
 804 |       KeyName: !Ref 'KeyName'
 805 |       Tags:
 806 |         - Key: Application
 807 |           Value: !Ref 'AWS::StackId'
 808 |         - Key: Role
 809 |           Value: splunk-search-head
 810 |         - Key: Name
 811 |           Value: search-head-3
 812 |       NetworkInterfaces:
 813 |         - GroupSet:
 814 |             - !Ref 'SplunkSecurityGroup'
 815 |             - !Ref 'SplunkSearchHeadSecurityGroup'
 816 |           AssociatePublicIpAddress: true
 817 |           DeviceIndex: '0'
 818 |           DeleteOnTermination: true
 819 |           SubnetId: !If
 820 |             - Create3AZ
 821 |             - !Ref 'PublicSubnet3ID'
 822 |             - !Ref 'PublicSubnet2ID'
 823 |       BlockDeviceMappings:
 824 |         - DeviceName: /dev/xvda
 825 |           Ebs:
 826 |             VolumeType: gp2
 827 |             VolumeSize: !Ref 'SplunkSearchHeadDiskSize'
 828 |       UserData:
 829 |        Fn::Base64:
 830 |         Fn::Sub:
 831 |           - |
 832 |             #!/bin/bash -xe
 833 |             export INSTALL_LICENSE="0"
 834 |             export SYMMKEY="${SplunkIndexerDiscoverySecret}"
 835 |             export ADMIN_PASSWORD="${SplunkAdminPassword}"
 836 |             export STACK_NAME="${AWS::StackName}"
 837 |             export AWS_REGION="${AWS::Region}"
 838 |             export SPLUNK_CLUSTER_SECRET="${SplunkClusterSecret}"
 839 |             export SMARTSTORE_BUCKET="${SmartStoreBucketName}"
 840 |             export SplunkCMWaitHandle="${SplunkCMWaitHandle}"
 841 |             export REPFACTOR="${SplunkReplicationFactor}"
 842 |             export SEARCHFACTOR="${SplunkSearchFactor}"
 843 |             export S3_USERDATA="https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}scripts/user_data.sh"
 844 |             export CM_PRIVATEIP="${SplunkCMIP}"
 845 |             export SH_REPLICATION_FACTOR="${SplunkReplicationFactor}"
 846 |             export THREEAZ="${THREEAZ}"
 847 |             export SH_DEPLOYER_IP="${SH_DEPLOYER_IP}"
 848 |             export SH1_IP=${SH1_IP}
 849 |             export SH2_IP=${SH2_IP}
 850 |             wget $S3_USERDATA -O /tmp/user_data.sh && chmod +x /tmp/user_data.sh
 851 |             /tmp/user_data.sh cluster_sh 3 && rm -f /tmp/user_data.sh
 852 |           - SplunkCMIP: !GetAtt SplunkCM.PrivateIp
 853 |             SH_DEPLOYER_IP: !GetAtt SplunkSHCDeployer.PrivateIp
 854 |             SH1_IP: !GetAtt SplunkSHCMember1.PrivateIp
 855 |             SH2_IP: !GetAtt SplunkSHCMember2.PrivateIp
 856 |             THREEAZ: !If [ Create3AZ, "1", "0" ]
 857 |   CfnUser:
 858 |     Type: AWS::IAM::User
 859 |     Condition: ConfigureLicense
 860 |     Properties:
 861 |       Path: /
 862 |   CfnKeys:
 863 |     Type: AWS::IAM::AccessKey
 864 |     Condition: ConfigureLicense
 865 |     Properties:
 866 |       UserName: !Ref 'CfnUser'
 867 |   BucketPolicy:
 868 |     Type: AWS::S3::BucketPolicy
 869 |     Condition: ConfigureLicense
 870 |     Properties:
 871 |       PolicyDocument:
 872 |         Version: '2012-10-17'
 873 |         Id: MyPolicy
 874 |         Statement:
 875 |           - Sid: ReadAccess
 876 |             Action:
 877 |               - s3:GetObject
 878 |             Effect: Allow
 879 |             Resource: !Join
 880 |               - ''
 881 |               - - 'arn:aws:s3:::'
 882 |                 - !Ref 'SplunkLicenseBucket'
 883 |                 - /*
 884 |             Principal:
 885 |               AWS: !GetAtt 'CfnUser.Arn'
 886 |       Bucket: !Ref 'SplunkLicenseBucket'
 887 |   SplunkIndexerLaunchConfiguration:
 888 |     Type: AWS::AutoScaling::LaunchConfiguration
 889 |     Properties:
 890 |       AssociatePublicIpAddress: true
 891 |       IamInstanceProfile: !Ref 'SmartStoreS3AccessInstanceProfile'
 892 |       BlockDeviceMappings:
 893 |         - DeviceName: /dev/xvda
 894 |           Ebs:
 895 |             VolumeType: gp2
 896 |             VolumeSize: !Ref 'SplunkIndexerDiskSize'
 897 |       SecurityGroups:
 898 |         - !Ref 'SplunkSecurityGroup'
 899 |         - !Ref 'SplunkIndexerSecurityGroup'
 900 |       ImageId: !FindInMap
 901 |         - AWSAMIRegionMap
 902 |         - !Ref 'AWS::Region'
 903 |         - SPLUNKENTHVM
 904 |       InstanceType: !Ref 'IndexerInstanceType'
 905 |       KeyName: !Ref 'KeyName'
 906 |       UserData:
 907 |        Fn::Base64:
 908 |         Fn::Sub:
 909 |           - |
 910 |             #!/bin/bash -xe
 911 |             export INSTALL_LICENSE="0"
 912 |             export SYMMKEY="${SplunkIndexerDiscoverySecret}"
 913 |             export ADMIN_PASSWORD="${SplunkAdminPassword}"
 914 |             export STACK_NAME="${AWS::StackName}"
 915 |             export AWS_REGION="${AWS::Region}"
 916 |             export SPLUNK_CLUSTER_SECRET="${SplunkClusterSecret}"
 917 |             export SMARTSTORE_BUCKET="${SmartStoreBucketName}"
 918 |             export SplunkCMWaitHandle="${SplunkCMWaitHandle}"
 919 |             export REPFACTOR="${SplunkReplicationFactor}"
 920 |             export SEARCHFACTOR="${SplunkSearchFactor}"
 921 |             export S3_USERDATA="https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}scripts/user_data.sh"
 922 |             export CM_PRIVATEIP="${SplunkCMIP}"
 923 |             export SH_REPLICATION_FACTOR="${SplunkReplicationFactor}"
 924 |             export SMARTSTORE_BUCKET="${SmartStoreBucketName}"
 925 |             export CM_PRIVATEIP="${SplunkCMIP}"
 926 |             export SUBNET1_ID="${PublicSubnet1ID}"
 927 |             export SUBNET2_ID="${PublicSubnet2ID}"
 928 |             export SUBNET3_ID="${PublicSubnet3ID}"
 929 |             wget $S3_USERDATA -O /tmp/user_data.sh && chmod +x /tmp/user_data.sh
 930 |             /tmp/user_data.sh indexer && rm -f /tmp/user_data.sh
 931 |           - SplunkCMIP: !GetAtt SplunkCM.PrivateIp
 932 |   SplunkSHCLoadBalancer:
 933 |     Type: AWS::ElasticLoadBalancing::LoadBalancer
 934 |     Condition: CreateSHC
 935 |     Properties:
 936 |       ConnectionDrainingPolicy:
 937 |         Enabled: true
 938 |         Timeout: 300
 939 |       LBCookieStickinessPolicy:
 940 |         - CookieExpirationPeriod: '86400'
 941 |           PolicyName: SplunkWebCookiePolicy
 942 |       Instances:
 943 |         - !Ref 'SplunkSHCMember1'
 944 |         - !Ref 'SplunkSHCMember2'
 945 |         - !Ref 'SplunkSHCMember3'
 946 |       Listeners:
 947 |         - LoadBalancerPort: '8000'
 948 |           InstancePort: '8000'
 949 |           Protocol: HTTP
 950 |           PolicyNames:
 951 |             - SplunkWebCookiePolicy
 952 |       Scheme: internet-facing
 953 |       SecurityGroups:
 954 |         - !Ref 'SplunkSecurityGroup'
 955 |         - !Ref 'SplunkSearchHeadSecurityGroup'
 956 |       CrossZone: true
 957 |       Subnets: !If
 958 |         - Create3AZ
 959 |         - - !Ref 'PublicSubnet1ID'
 960 |           - !Ref 'PublicSubnet2ID'
 961 |           - !Ref 'PublicSubnet3ID'
 962 |         - - !Ref 'PublicSubnet1ID'
 963 |           - !Ref 'PublicSubnet2ID'
 964 |       HealthCheck:
 965 |         Target: TCP:8089
 966 |         HealthyThreshold: '2'
 967 |         UnhealthyThreshold: '3'
 968 |         Interval: '30'
 969 |         Timeout: '5'
 970 |   SplunkHttpEventCollectorLoadBalancer:
 971 |     Type: AWS::ElasticLoadBalancing::LoadBalancer
 972 |     Properties:
 973 |       ConnectionDrainingPolicy:
 974 |         Enabled: true
 975 |         Timeout: 300
 976 |       Listeners:
 977 |         - InstancePort: '8088'
 978 |           InstanceProtocol: HTTPS
 979 |           LoadBalancerPort: '8088'
 980 |           Protocol: HTTP
 981 |       Scheme: internet-facing
 982 |       SecurityGroups:
 983 |         - !Ref 'SplunkHttpEventCollectorLoadBalancerSecurityGroup'
 984 |       CrossZone: true
 985 |       Subnets: !If
 986 |         - Create3AZ
 987 |         - - !Ref 'PublicSubnet1ID'
 988 |           - !Ref 'PublicSubnet2ID'
 989 |           - !Ref 'PublicSubnet3ID'
 990 |         - - !Ref 'PublicSubnet1ID'
 991 |           - !Ref 'PublicSubnet2ID'
 992 |       HealthCheck:
 993 |         Target: HTTPS:8088/services/collector/health
 994 |         HealthyThreshold: '3'
 995 |         UnhealthyThreshold: '2'
 996 |         Interval: '20'
 997 |         Timeout: '5'
 998 |       Policies:
 999 |         - PolicyName: EnableProxyProtocol
1000 |           PolicyType: ProxyProtocolPolicyType
1001 |           Attributes:
1002 |             - Name: ProxyProtocol
1003 |               Value: true
1004 |           InstancePorts:
1005 |             - '8088'
1006 |   SplunkIndexerNodesASG:
1007 |     Type: AWS::AutoScaling::AutoScalingGroup
1008 |     DependsOn: SplunkCM
1009 |     Properties:
1010 |       VPCZoneIdentifier: !If
1011 |         - Create3AZ
1012 |         - - !Ref 'PublicSubnet1ID'
1013 |           - !Ref 'PublicSubnet2ID'
1014 |           - !Ref 'PublicSubnet3ID'
1015 |         - - !Ref 'PublicSubnet1ID'
1016 |           - !Ref 'PublicSubnet2ID'
1017 |       LaunchConfigurationName: !Ref 'SplunkIndexerLaunchConfiguration'
1018 |       MinSize: !Ref 'SplunkIndexerCount'
1019 |       MaxSize: !Ref 'SplunkIndexerCount'
1020 |       DesiredCapacity: !Ref 'SplunkIndexerCount'
1021 |       LoadBalancerNames:
1022 |         - !Ref 'SplunkHttpEventCollectorLoadBalancer'
1023 |       Tags:
1024 |         - Key: Application
1025 |           Value: !Ref 'AWS::StackId'
1026 |           PropagateAtLaunch: true
1027 |         - Key: Role
1028 |           Value: splunk-indexer
1029 |           PropagateAtLaunch: true
1030 |         - Key: Name
1031 |           Value: indexer-N
1032 |           PropagateAtLaunch: true
1033 |     CreationPolicy:
1034 |       ResourceSignal:
1035 |         Count: !Ref 'SplunkIndexerCount'
1036 |         Timeout: PT20M
1037 | Outputs:
1038 |   SearchHeadURL:
1039 |     Description: 'Splunk Enterprise - Search Head URL'
1040 |     Value: !Join
1041 |       - ''
1042 |       - - http://
1043 |         - !If
1044 |           - CreateSHC
1045 |           - !GetAtt 'SplunkSHCLoadBalancer.DNSName'
1046 |           - !GetAtt 'SplunkSearchHeadInstance.PublicIp'
1047 |         - :8000
1048 |   ClusterMasterURL:
1049 |     Description: 'Splunk Enterprise - Cluster Master URL'
1050 |     Value: !Join
1051 |       - ''
1052 |       - - http://
1053 |         - !GetAtt 'SplunkCM.PublicIp'
1054 |         - :8000
1055 |   ClusterMasterManagementURL:
1056 |     Description: 'Splunk Enterprise - Cluster Master Management URL (required for Indexer Discovery)'
1057 |     Value: !Join
1058 |       - ''
1059 |       - - https://
1060 |         - !GetAtt SplunkCM.PrivateIp
1061 |         - :8089
1062 |   DeployerURL:
1063 |     Description: 'Splunk Enterprise - Search Head Cluster Deployer URL'
1064 |     Value: !If
1065 |       - CreateSHC
1066 |       - !Join
1067 |         - ''
1068 |         - - http://
1069 |           - !GetAtt 'SplunkSHCDeployer.PublicIp'
1070 |           - :8000
1071 |       - Applicable when Search Head Cluster is selected
1072 |   HttpEventCollectorURL:
1073 |     Description: 'HTTP Event Collector URL'
1074 |     Value: !Join
1075 |       - ''
1076 |       - - http://
1077 |         - !GetAtt 'SplunkHttpEventCollectorLoadBalancer.DNSName'
1078 |         - :8088
1079 |         - /services/collector
1080 |   HttpEventCollectorToken:
1081 |     Description: 'HTTP Event Collector Token'
1082 |     Value: !Select
1083 |       - '1'
1084 |       - !Split
1085 |         - '"'
1086 |         - !Select
1087 |           - '1'
1088 |           - !Split
1089 |             - ':'
1090 |             - !GetAtt 'SplunkCMWaitCondition.Data'
1091 | 


--------------------------------------------------------------------------------