aws|cft| create one instance profile

CheckPointSW · Sep 26, 2023 · 18e955a · 18e955a
1 parent 82fa26d
commit 18e955a
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 15 deletions.
diff --git a/aws/templates/general/README.md b/aws/templates/general/README.md
@@ -10,11 +10,11 @@
     <tbody>
         <tr>
             <td>
-                <b>Create an Instance profile for Security Management Server</b><br/>
-                Creates an Instance profile in your account preconfigured with permissions to manage resources.<br/>    
+                <b>Create an IAM role for Security Management Server</b><br/>
+                Creates an IAM role in your account preconfigured with permissions to manage resources.<br/>    
                 For more details, refer to <a href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122074">sk122074 </a>.
             </td>
-            <td><a href="https://console.aws.amazon.com/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.amazonaws.com/iam/cme-iam-role.yaml&stackName=Check-Point-Instance-profile"><img src="../../images/launch.png"></a></td>
+            <td><a href="https://console.aws.amazon.com/cloudformation/home#/stacks/create/review?templateURL=https://cgi-cfts.s3.amazonaws.com/iam/cme-iam-role.yaml&stackName=Check-Point-IAM-role"><img src="../../images/launch.png"></a></td>
         </tr>
         <tr>
             <td>

diff --git a/aws/templates/general/cme-iam-role.yaml b/aws/templates/general/cme-iam-role.yaml
@@ -1,5 +1,5 @@
 AWSTemplateFormatVersion: 2010-09-09
-Description: Creates an IAM role for selected permissions (20211212)
+Description: Creates an IAM role for selected permissions (20230926)
 Metadata:
   AWS::CloudFormation::Interface:
     ParameterGroups:
@@ -143,9 +143,9 @@ Resources:
   InstanceProfile:
     Type: AWS::IAM::InstanceProfile
     Properties:
-      InstanceProfileName: !Ref CMEIAMRole
-      Roles:
-        - !Ref CMEIAMRole
+        InstanceProfileName: !Ref CMEIAMRole
+        Roles:
+          - !Ref CMEIAMRole
 Outputs:
   CMEIAMRole:
     Description: The IAM role.

diff --git a/aws/templates/management/management.yaml b/aws/templates/management/management.yaml
@@ -1,5 +1,5 @@
 AWSTemplateFormatVersion: 2010-09-09
-Description: Deploys a Check Point Management Server (20230830)
+Description: Deploys a Check Point Management Server (20230926)
 Metadata:
   AWS::CloudFormation::Interface:
     ParameterGroups:
@@ -395,6 +395,7 @@ Conditions:
   EncryptedVolume: !Not [!Equals [!Ref VolumeEncryption, '']]
   UseRole: !Not [!Equals [!Ref ManagementPermissions, None (configure later)]]
   NoSIC: !Equals [!Ref ManagementSICKey, '']
+  PreRole: !And [!Condition UseRole, !Not [!Condition CreateRole]]
 Resources:
   AMI:
     Type: AWS::CloudFormation::Stack
@@ -477,11 +478,11 @@ Resources:
         STSRoles: !Join [',', !Ref ManagementSTSRoles]
   InstanceProfile:
     Type: AWS::IAM::InstanceProfile
-    Condition: UseRole
+    Condition: PreRole
     Properties:
       Path: /
       Roles:
-        - !If [CreateRole, !GetAtt ManagementRoleStack.Outputs.CMEIAMRole, !Ref ManagementPredefinedRole]
+        - !Ref ManagementPredefinedRole
   ManagementInstance:
     Type: AWS::EC2::Instance
     DependsOn: ManagementSecurityGroup
@@ -491,7 +492,7 @@ Resources:
           Value: !Ref ManagementName
       ImageId: !GetAtt AMI.Outputs.ImageId
       InstanceType: !Ref ManagementInstanceType
-      IamInstanceProfile: !If [UseRole, !Ref InstanceProfile, !Ref 'AWS::NoValue']
+      IamInstanceProfile: !If [UseRole, !If [PreRole, !Ref InstanceProfile, !GetAtt ManagementRoleStack.Outputs.CMEIAMRole], !Ref 'AWS::NoValue']
       KeyName: !Ref KeyName
       NetworkInterfaces:
         - DeviceIndex: 0

diff --git a/aws/templates/mds/mds.yaml b/aws/templates/mds/mds.yaml
@@ -1,5 +1,5 @@
 AWSTemplateFormatVersion: '2010-09-09'
-Description: Deploys a Check Point Multi-Domain Server (20230830)
+Description: Deploys a Check Point Multi-Domain Server (20230926)
 Metadata:
   AWS::CloudFormation::Interface:
     ParameterGroups:
@@ -375,6 +375,7 @@ Conditions:
   UseRole: !And [!Or [!Condition PrimaryMDS, !Condition SecondaryMDS], !Not [!Equals [!Ref MDSPermissions, None (configure later)]]]
   PrimaryMDS: !Equals [!Ref MDSInstallationType, Primary Multi-Domain Server]
   SecondaryMDS: !Equals [!Ref MDSInstallationType, Secondary Multi-Domain Server]
+  PreRole: !And [!Condition UseRole, !Not [!Condition CreateRole]]
 Resources:
   AMI:
     Type: AWS::CloudFormation::Stack
@@ -446,11 +447,11 @@ Resources:
         STSRoles: !Join [',', !Ref MDSSTSRoles]
   InstanceProfile:
     Type: AWS::IAM::InstanceProfile
-    Condition: UseRole
+    Condition: PreRole
     Properties:
       Path: /
       Roles:
-        - !If [CreateRole, !GetAtt MDSRoleStack.Outputs.CMEIAMRole, !Ref MDSPredefinedRole]
+        - !Ref MDSPredefinedRole
   MDSInstance:
     Type: AWS::EC2::Instance
     DependsOn: MDSSecurityGroup
@@ -460,7 +461,7 @@ Resources:
           Value: !Ref MDSName
       ImageId: !GetAtt AMI.Outputs.ImageId
       InstanceType: !Ref MDSInstanceType
-      IamInstanceProfile: !If [UseRole, !Ref InstanceProfile, !Ref 'AWS::NoValue']
+      IamInstanceProfile: !If [UseRole, !If [PreRole, !Ref InstanceProfile, !GetAtt MDSRoleStack.Outputs.CMEIAMRole], !Ref 'AWS::NoValue']
       KeyName: !Ref KeyName
       NetworkInterfaces:
         - DeviceIndex: 0