Onboarding CloudFormation Template
This CloudFormation template (CFT) simplifies cloud resource configuration by creating the project store, security group, and cross-account roles. The CFT below is annotated to explain what each section does and why the permissions are required.
caution
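This CFT is only a sample and cannot be copied and run: it contains `#` annotation lines, which are not valid JSON, and the identifiers embedded in it (such as the external ID and SignupData) are specific to this sample. When launching the CFT during onboarding, use the CFT provided in the console.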
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Dremio Cloud",
"Metadata": {
"AWS::CloudFormation::Interface": {
"ParameterGroups": [
{
"Label": {
"default": "Dremio Configuration"
},
"Parameters": [
"DremioEC2VPC",
"DremioEC2Subnets",
"DremioS3ProjectStore",
"DremioS3ProjectStoreEncryptionMethod",
"DremioS3ProjectStoreSSEKMSArn"
]
}
],
"ParameterLabels": {
"DremioEC2VPC": {
"default": "VPC"
},
"DremioEC2Subnets": {
"default": "Subnets"
},
"DremioS3ProjectStore": {
"default": "Project Store"
},
"DremioS3ProjectStoreEncryptionMethod": {
"default": "Encryption Type"
},
"DremioS3ProjectStoreSSEKMSArn" : {
"default": "KMS Key ARN"
}
}
}
},
"Parameters": {
"DremioEC2VPC": {
"Type": "AWS::EC2::VPC::Id",
"Description": "(Required) Select the EC2 VPC to run Dremio."
},
"DremioEC2Subnets": {
"Type": "List<AWS::EC2::Subnet::Id>",
"Description": "(Required) Select the EC2 subnets to run Dremio, this should be one or more subnet ids from the selected VPC."
},
"DremioS3ProjectStore": {
"Type": "String",
"Description": "(Required) Provide the S3 bucket name that Dremio should use to store data like metadata and reflections. If you change the default value, ensure that the bucket name is unique and Dremio has permission to create objects in this path",
"Default": "dremio-f81ceed7-cffb-4cc4-8b86-1c5c9a9c6b98"
},
"DremioS3ProjectStoreEncryptionMethod": {
"Type": "String",
"AllowedValues" : ["SSE-S3", "SSE-KMS (AWS Managed Key)", "SSE-KMS (Customer Managed Key)"],
"Default": "SSE-S3"
},
"DremioS3ProjectStoreSSEKMSArn": {
"Type": "String",
"Default": "",
"Description":"Required only if the encryption type is SSE-KMS (Customer Managed Key)."
}
},
"Conditions" : {
"IsSSES3Encryption" : {"Fn::Equals" : [{"Ref" : "DremioS3ProjectStoreEncryptionMethod"}, "SSE-S3"]},
"IsKMSCustomerManagedEncryption": {"Fn::Equals" : [{"Ref" : "DremioS3ProjectStoreEncryptionMethod"}, "SSE-KMS (Customer Managed Key)"]}
},
"Mappings": {
"RegionMap": {
"us-east-1": {
"SNS": "arn:aws:sns:us-east-1:228847291132:dremio-cft-callback",
"VPCEndpointServiceName": "com.amazonaws.vpce.us-east-1.vpce-svc-0f1d9e34070ece1a0"
},
"us-east-2": {
"SNS": "arn:aws:sns:us-east-2:228847291132:dremio-cft-callback",
"VPCEndpointServiceName": "com.amazonaws.vpce.us-east-2.vpce-svc-0ea92ed5866a4f87f"
},
"us-west-1": {
"SNS": "arn:aws:sns:us-west-1:228847291132:dremio-cft-callback",
"VPCEndpointServiceName": "com.amazonaws.vpce.us-west-1.vpce-svc-025b290b21437986f"
},
"us-west-2": {
"SNS": "arn:aws:sns:us-west-2:228847291132:dremio-cft-callback",
"VPCEndpointServiceName": "com.amazonaws.vpce.us-west-2.vpce-svc-09affe0899be7919e"
},
"eu-central-1": {
"SNS": "",
"VPCEndpointServiceName": ""
},
"eu-west-1": {
"SNS": "",
"VPCEndpointServiceName": ""
},
"eu-west-2": {
"SNS": "",
"VPCEndpointServiceName": ""
},
"eu-west-3": {
"SNS": "",
"VPCEndpointServiceName": ""
},
"ca-central-1": {
"SNS": "arn:aws:sns:ca-central-1:228847291132:dremio-cft-callback",
"VPCEndpointServiceName": "com.amazonaws.vpce.ca-central-1.vpce-svc-03208680d05ec68c3"
}
}
},
"Rules": {
"SubnetsInVPC": {
"Assertions": [
{
"Assert": {
"Fn::EachMemberIn": [
{
"Fn::ValueOfAll": [
"AWS::EC2::Subnet::Id",
"VpcId"
]
},
{
"Fn::RefAll": "AWS::EC2::VPC::Id"
}
]
},
"AssertDescription": "The selected subnets must be in the VPC."
}
]
}
},
"Resources": {
"DremioCFTBegin": {
"Type": "Custom::DremioCFTBegin",
"Properties": {
"ServiceToken": {
"Fn::FindInMap": [
"RegionMap",
{
"Ref": "AWS::Region"
},
"SNS"
]
},
"Version": "1.0.0",
"Region": {
"Ref": "AWS::Region"
},
"VPC": {
"Ref": "DremioEC2VPC"
},
"Subnets": {
"Ref": "DremioEC2Subnets"
},
"ProjectStorePath": {
"Ref": "DremioS3ProjectStore"
},
"SignupData": "eyJvaWQiOiI0MDliYzExNy1kNWQ0LTQ4YWUtYTZjNi00MDk0MDM1ODg0NmMiLCJvcmdOYW1lIjoiaXNoYS10ZXN0IiwicHJvamVjdE5hbWUiOiJGaXJzdCBwcm9qZWN0IiwiZXh0ZXJuYWxJZCI6IjRkOTUxYmRlLTVjN2QtNDliOC04ZTY2LTBjZDI5YjA3ODE4MyIsImVlaWQiOiJmMDRiNWZkOS1mYzdjLTRjMDMtYjhkYS1lY2E4YWYxMDk3ZGQiLCJwZWlkIjoiOTc2MzE4MzAtNzJkZC00NGJhLTgxMDQtNmQ1MDUzNWM5NGE1IiwiY2lkIjoiZmMzYjczY2UtMjY3NC00ODU4LWIzN2MtMjg5ZDQ1OGRmMzUxIiwicGlkIjoiZmExODU0MjctNzBhNy00NDUzLWIwNzMtZjE4M2E4YTUyMjkxIn0="
}
},
"DremioS3ProjectBucket": {
"Type": "AWS::S3::Bucket",
"DependsOn": [
"DremioCFTBegin"
],
"Metadata": {
"Comment": "Bucket used for Dremio project-related data. The applied bucket & IAM policies ensure that only Dremio has access to the contents of this bucket."
},
"Properties": {
"BucketName": {
"Fn::GetAtt": [
"DremioCFTBegin",
"ProjectStoreBucket"
]
},
"BucketEncryption": {
"ServerSideEncryptionConfiguration": [
{
"ServerSideEncryptionByDefault": {
"SSEAlgorithm": {
"Fn::If" : [
"IsSSES3Encryption",
"AES256",
"aws:kms"
]
},
"KMSMasterKeyID": {
"Fn::If" : [
"IsKMSCustomerManagedEncryption",
{"Ref" : "DremioS3ProjectStoreSSEKMSArn"},
{"Ref" : "AWS::NoValue"}
]
}
},
"BucketKeyEnabled": {
"Fn::If" : [
"IsSSES3Encryption",
{"Ref" : "AWS::NoValue"},
true
]
}
}
]
},
"PublicAccessBlockConfiguration": {
"BlockPublicAcls": true,
"BlockPublicPolicy": true,
"IgnorePublicAcls": true,
"RestrictPublicBuckets": true
}
}
},
"DremioS3ProjectBucketPolicy": {
"Type": "AWS::S3::BucketPolicy",
"DependsOn": [
"DremioS3ProjectBucket"
],
"Properties": {
"Bucket": {
"Ref": "DremioS3ProjectBucket"
},
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
{
"Fn::GetAtt": [
"DremioIAMProjectDataAccessRole",
"Arn"
]
}
]
},
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject"
],
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:s3:::",
{
"Ref": "DremioS3ProjectBucket"
},
"/",
{
"Fn::GetAtt": [
"DremioCFTBegin",
"ProjectStoreKey"
]
},
"*"
]
]
}
},
{
"Effect": "Allow",
"Principal": {
"AWS": [
{
"Fn::GetAtt": [
"DremioIAMProjectDataAccessRole",
"Arn"
]
}
]
},
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket"
],
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:s3:::",
{
"Fn::GetAtt": [
"DremioCFTBegin",
"ProjectStoreBucket"
]
}
]
]
}
}
]
}
}
},
"DremioIAMCloudComputePolicyCreate": {
"Type": "AWS::IAM::Policy",
"DependsOn": [
"DremioIAMCloudComputeRole",
"DremioIAMProjectDataAccessRole"
],
"Properties": {
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
# Require the "dremio_managed" tag for instances/volumes when creating instances
{
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:instance/*"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/dremio_managed": "true"
}
}
},
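# Allow ec2:RunInstances to reference the other resources a launch uses (launch templates, fleets, images, network interfaces, security groups, subnets, placement groups). These resources are not required to carry the "dremio_managed" tag.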
{
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:*:*:launch-template/*",
"arn:aws:ec2:*:*:fleet/*",
"arn:aws:ec2:*::image/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:subnet/*",
"arn:aws:ec2:*:*:placement-group/*"
]
},
{
"Effect": "Allow",
"Action": "ec2:CreateFleet",
"Resource": "arn:aws:ec2:*:*:fleet/*",
"Condition": {
"StringEquals": {
"aws:RequestTag/dremio_managed": "true"
}
}
},
{
"Effect": "Allow",
"Action": "ec2:CreateFleet",
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:image/*",
"arn:aws:ec2:*:*:launch-template/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:placement-group/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:subnet/*"
]
},
{
"Effect": "Allow",
"Action": "ec2:CreateLaunchTemplate",
"Resource": "arn:aws:ec2:*:*:launch-template/*"
},
# Allow Dremio to create a placement group
{
"Effect": "Allow",
"Action": "ec2:CreatePlacementGroup",
"Resource": "arn:aws:ec2:*:*:placement-group/*"
},
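# Allow the compute role to pass (iam:PassRole) and assume (sts:AssumeRole) the project data access role, and no other role. This section is necessary only if you are using a storage role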
{
"Effect": "Allow",
"Action": [
"iam:PassRole",
"sts:AssumeRole"
],
"Resource": {
"Fn::GetAtt": [
"DremioIAMProjectDataAccessRole",
"Arn"
]
}
}
]
},
"PolicyName": "dremio-cloud-compute-policy-create",
"Roles": [
{
"Ref": "DremioIAMCloudComputeRole"
}
]
}
},
"DremioIAMCloudComputePolicyTagging": {
"Type": "AWS::IAM::Policy",
"DependsOn": [
"DremioIAMCloudComputeRole",
"DremioIAMProjectDataAccessRole"
],
"Properties": {
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
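# Allow Dremio to create tags on instances/volumes only as part of the RunInstances call that creates them (the ec2:CreateAction condition). Under this policy Dremio cannot add tags, including "dremio_managed", to resources that already exist.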
{
"Effect": "Allow",
"Action": "ec2:CreateTags",
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:volume/*"
],
"Condition": {
"StringEquals": {
"ec2:CreateAction": "RunInstances"
}
}
},
{
"Effect": "Allow",
"Action": "ec2:CreateTags",
"Resource": "arn:aws:ec2:*:*:launch-template/*",
"Condition": {
"StringEquals": {
"ec2:CreateAction": "CreateLaunchTemplate"
}
}
},
{
"Effect": "Allow",
"Action": "ec2:CreateTags",
"Resource": "arn:aws:ec2:*:*:fleet/*",
"Condition": {
"StringEquals": {
"ec2:CreateAction": "CreateFleet"
}
}
},
# Allow Dremio to create tags on placement groups (PG) upon the initial creation of a PG
{
"Effect": "Allow",
"Action": "ec2:CreateTags",
"Resource": "arn:aws:ec2:*:*:placement-group/*",
"Condition": {
"StringEquals": {
"ec2:CreateAction": "CreatePlacementGroup"
}
}
}
]
},
"PolicyName": "dremio-cloud-compute-policy-tagging",
"Roles": [
{
"Ref": "DremioIAMCloudComputeRole"
}
]
}
},
"DremioIAMCloudComputePolicyDelete": {
"Type": "AWS::IAM::Policy",
"DependsOn": [
"DremioIAMCloudComputeRole",
"DremioIAMProjectDataAccessRole"
],
"Properties": {
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
# Only allow Dremio to terminate instances with the "dremio_managed" tag
{
"Effect": "Allow",
"Action": "ec2:TerminateInstances",
"Resource": "arn:aws:ec2:*:*:instance/*",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/dremio_managed": "true"
}
}
},
# Only allow Dremio to delete fleets with the "dremio_managed" tag
{
"Effect": "Allow",
"Action": "ec2:DeleteFleets",
"Resource": "arn:aws:ec2:*:*:fleet/*",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/dremio_managed": "true"
}
}
},
# Only allow Dremio to delete launch templates with the "dremio_managed" tag
{
"Effect": "Allow",
"Action": "ec2:DeleteLaunchTemplate",
"Resource": "arn:aws:ec2:*:*:launch-template/*",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/dremio_managed": "true"
}
}
},
# Only allow Dremio to delete placement groups with the "dremio_managed" tag
{
"Effect": "Allow",
"Action": "ec2:DeletePlacementGroup",
"Resource": "arn:aws:ec2:*:*:placement-group/*",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/dremio_managed": "true"
}
}
}
]
},
"PolicyName": "dremio-cloud-compute-policy-delete",
"Roles": [
{
"Ref": "DremioIAMCloudComputeRole"
}
]
}
},
"DremioIAMCloudComputePolicyDescribe": {
"Type": "AWS::IAM::Policy",
"Metadata": {
"Comment": "Dremio enumerates resources related to the operation of Dremio Cloud."
},
"DependsOn": [
"DremioIAMCloudComputeRole",
"DremioIAMProjectDataAccessRole"
],
"Properties": {
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:DescribeFleets",
"Resource": "arn:aws:ec2:*:*:fleet/*",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/dremio_managed": "true"
}
}
},
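# Allow Dremio to enumerate EC2 resources in the account. These are read-only Describe actions; because Resource is "*", they cover all such resources in the account, not only those tagged "dremio_managed".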
{
"Effect": "Allow",
"Action": [
"ec2:DescribeImages",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeNetworkInterfaceAttribute",
"ec2:DescribePlacementGroups",
"ec2:DescribeSecurityGroups",
"ec2:DescribeVpcEndpoints",
"ec2:DescribeVolumes"
],
"Resource": "*"
}
]
},
"PolicyName": "dremio-cloud-compute-policy-describe",
"Roles": [
{
"Ref": "DremioIAMCloudComputeRole"
}
]
}
},
"DremioIAMCloudComputeRole": {
"Type": "AWS::IAM::Role",
"DependsOn": [
"DremioCFTBegin"
],
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::228847291132:root"
},
"Condition": {
"StringEquals": {
"sts:ExternalId": "4d951bde-5c7d-49b8-8e66-0cd29b078183"
}
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Path": "/",
"Policies": []
}
},
"DremioIAMProjectDataAccessRole": {
"Type": "AWS::IAM::Role",
"DependsOn": [
"DremioCFTBegin"
],
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::228847291132:root"
},
"Condition": {
"StringEquals": {
"sts:ExternalId": "4d951bde-5c7d-49b8-8e66-0cd29b078183"
}
},
"Action": [
"sts:AssumeRole"
]
},
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
},
"Path": "/",
"Policies": []
}
},
"DremioIAMProjectDataAccessInstanceProfile": {
"Type": "AWS::IAM::InstanceProfile",
"DependsOn": [
"DremioIAMProjectDataAccessRole"
],
"Properties": {
"Path": "/",
"Roles": [
{
"Ref": "DremioIAMProjectDataAccessRole"
}
]
}
},
"DremioEC2VPCEndpointSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"DependsOn": [
"DremioCFTBegin"
],
"Properties": {
"VpcId": {
"Ref": "DremioEC2VPC"
},
"GroupDescription": "Security group for Dremio VPC endpoint"
}
},
"DremioEC2VPCEndpointIngress": {
"Type": "AWS::EC2::SecurityGroupIngress",
"DependsOn": [
"DremioEC2VPCEndpointSecurityGroup",
"DremioEC2SecurityGroup"
],
"Properties": {
"Description": "Security group ingress for Dremio VPC endpoint",
"GroupId": {
"Ref": "DremioEC2VPCEndpointSecurityGroup"
},
"IpProtocol": "tcp",
"FromPort": "443",
"ToPort": "443",
"SourceSecurityGroupId": {
"Ref": "DremioEC2SecurityGroup"
}
}
},
"DremioEC2SecurityGroupEgressVPCEndpoint": {
"Type": "AWS::EC2::SecurityGroupEgress",
"DependsOn": [
"DremioEC2SecurityGroup",
"DremioEC2VPCEndpointSecurityGroup"
],
"Properties": {
"Description": "Security group egress for Dremio VPC endpoint",
"GroupId": {
"Ref": "DremioEC2VPCEndpointSecurityGroup"
},
"IpProtocol": "-1",
"CidrIp": "127.0.0.1/32"
}
},
"DremioEC2VPCEndpoint": {
"Type": "AWS::EC2::VPCEndpoint",
"DependsOn": [
"DremioEC2VPCEndpointSecurityGroup"
],
"Properties": {
"SecurityGroupIds": [
{
"Ref": "DremioEC2VPCEndpointSecurityGroup"
}
],
"ServiceName": {
"Fn::FindInMap": [
"RegionMap",
{
"Ref": "AWS::Region"
},
"VPCEndpointServiceName"
]
},
"SubnetIds": {
"Ref": "DremioEC2Subnets"
},
"VpcId": {
"Ref": "DremioEC2VPC"
},
"VpcEndpointType": "Interface"
}
},
"DremioIAMProjectDataAccessPolicyMain": {
"Type": "AWS::IAM::Policy",
"DependsOn": [
"DremioIAMCloudComputeRole",
"DremioIAMProjectDataAccessRole"
],
"Properties": {
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
# Allow Dremio to enumerate S3 buckets within the account. s3:ListAllMyBuckets returns the list of buckets only; it does not grant access to their contents.
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::*"
},
# Allow Dremio read and write access to the Project Store bucket used to store housekeeping information such as metadata and reflections
{
"Effect": "Allow",
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject"
],
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:s3:::",
{
"Fn::GetAtt": [
"DremioCFTBegin",
"ProjectStoreBucket"
]
},
"/",
{
"Fn::GetAtt": [
"DremioCFTBegin",
"ProjectStoreKey"
]
},
"*"
]
]
}
},
# Allow Dremio to determine the region, list content and add tags on the Project Store bucket
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket",
"s3:PutBucketTagging"
],
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:s3:::",
{
"Fn::GetAtt": [
"DremioCFTBegin",
"ProjectStoreBucket"
]
}
]
]
}
},
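# Allow Dremio read access to sample datasets used to get users started easily on the platform without connecting their own data.
# Note: the ARNs below are bucket ARNs, while s3:GetObject is evaluated against object ARNs (arn:aws:s3:::<bucket>/*); check this statement against the CFT provided in the console.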
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::ap-southwest-1.examples.dremio.com",
"arn:aws:s3:::eu-west-1.examples.dremio.com",
"arn:aws:s3:::us-east-1.examples.dremio.com",
"arn:aws:s3:::us-west-1.examples.dremio.com",
"arn:aws:s3:::us-west-2.examples.dremio.com"
]
}
]
},
"PolicyName": "dremio-project-data-access-policy",
"Roles": [
{
"Ref": "DremioIAMProjectDataAccessRole"
}
]
}
},
"DremioIAMProjectDataAccessKMSEncryptionPolicy" : {
"Type": "AWS::IAM::Policy",
"Condition": "IsKMSCustomerManagedEncryption",
"DependsOn": [
"DremioIAMProjectDataAccessRole"
],
"Properties": {
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:GenerateDataKey"
],
"Resource": {
"Ref": "DremioS3ProjectStoreSSEKMSArn"
}
}
]
},
"PolicyName": "dremio-project-data-access-kms-encrypt-policy",
"Roles": [
{
"Ref": "DremioIAMProjectDataAccessRole"
}
]
}
},
"DremioEC2SecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"DependsOn": [
"DremioCFTBegin"
],
"Metadata": {
"Comment": "Dremio utilizes this security group to connect to supported sources which vary in IP and port range."
},
"Properties": {
"VpcId": {
"Ref": "DremioEC2VPC"
},
"GroupDescription": "Security group for Dremio."
}
},
"DremioEC2SecurityGroupIngressSelf": {
"Type": "AWS::EC2::SecurityGroupIngress",
"DependsOn": [
"DremioEC2SecurityGroup"
],
"Properties": {
"Description": "Self ingress endpoint for Dremio EC2 Security Group",
"GroupId": {
"Ref": "DremioEC2SecurityGroup"
},
"IpProtocol": "tcp",
"FromPort": "45678",
"ToPort": "45678",
"SourceSecurityGroupId": {
"Ref": "DremioEC2SecurityGroup"
}
}
},
"DremioEC2SecurityGroupEgressAll": {
"Type": "AWS::EC2::SecurityGroupEgress",
"DependsOn": [
"DremioEC2SecurityGroup"
],
"Properties": {
"Description": "Egress endpoint for Dremio EC2 Security Group",
"GroupId": {
"Ref": "DremioEC2SecurityGroup"
},
"IpProtocol": "tcp",
"FromPort": "0",
"ToPort": "65535",
"CidrIp": "0.0.0.0/0"
}
},
"DremioCFTCompletion": {
"Type": "Custom::DremioCFTCompletion",
"Properties": {
"ServiceToken": {
"Fn::FindInMap": [
"RegionMap",
{
"Ref": "AWS::Region"
},
"SNS"
]
},
"Version": "1.0.0",
"Region": {
"Ref": "AWS::Region"
},
"VPC": {
"Ref": "DremioEC2VPC"
},
"Subnets": {
"Ref": "DremioEC2Subnets"
},
"SecurityGroup": {
"Fn::GetAtt": [
"DremioEC2SecurityGroup",
"GroupId"
]
},
"ProjectStorePath": {
"Ref": "DremioS3ProjectStore"
},
"SignupData": "eyJvaWQiOiI0MDliYzExNy1kNWQ0LTQ4YWUtYTZjNi00MDk0MDM1ODg0NmMiLCJvcmdOYW1lIjoiaXNoYS10ZXN0IiwicHJvamVjdE5hbWUiOiJGaXJzdCBwcm9qZWN0IiwiZXh0ZXJuYWxJZCI6IjRkOTUxYmRlLTVjN2QtNDliOC04ZTY2LTBjZDI5YjA3ODE4MyIsImVlaWQiOiJmMDRiNWZkOS1mYzdjLTRjMDMtYjhkYS1lY2E4YWYxMDk3ZGQiLCJwZWlkIjoiOTc2MzE4MzAtNzJkZC00NGJhLTgxMDQtNmQ1MDUzNWM5NGE1IiwiY2lkIjoiZmMzYjczY2UtMjY3NC00ODU4LWIzN2MtMjg5ZDQ1OGRmMzUxIiwicGlkIjoiZmExODU0MjctNzBhNy00NDUzLWIwNzMtZjE4M2E4YTUyMjkxIn0=",
"CloudComputeRoleARN": {
"Fn::GetAtt": [
"DremioIAMCloudComputeRole",
"Arn"
]
},
"ProjectDataRoleARN": {
"Fn::GetAtt": [
"DremioIAMProjectDataAccessRole",
"Arn"
]
},
"ProjectDataInstanceProfileARN": {
"Fn::GetAtt": [
"DremioIAMProjectDataAccessInstanceProfile",
"Arn"
]
},
"VpcEndpointId": {
"Ref": "DremioEC2VPCEndpoint"
}
}
}
}
}