Release v14.4 (#419)

* POC-720: UserData instead of CfnInit (#409)

* POC-746: Userdata for cpm config (#413)

* POC-747: Userdata for psm config (#414)

* POC-748: New userdata for linux components (#415)

* SHPVWA-16535: Remove SetLocalService for PVWA (#416)

* POC-663: release notes + win2022 + eula (#418)

Author: pelegor

CHANGELOG.md

@@ -1,9 +1,26 @@
-# CyberArk AWS Cloud Package Release Notes
+# CyberArk PAMonCloud Offering Release Notes
+The PAMonCloud Offering includes CyberArk PAM products, delivered as AWS AMIs and Azure images, along with AWS CloudFormation and Azure ARM templates to automate deployment.
 
-The AWS Cloud package includes CyberArk PAS products, delivered as AMIs and AWS CloudFormation templates to automate deployment.
 
+## [PAMonCloud v14.4] (11.12.2024)
 
-## [PAS on Cloud v14.2] (18.6.2024)
+### Added
+- Windows Server 2022 images are now available for all Windows based components.
+- New Terraform deployment offering: The PAMonCloud solution is now available in Terraform for both Azure and AWS, offering more flexibility, self-tailored configurations, cross-region deployments, and the benefits of using the IaC platform. PAMonCloud-terraform modules and examples are publicly available at: [PAMonCloud-Terraform](https://github.com/cyberark/pamoncloud-terraform)
+
+### Changed
+- #### AWS : 
+    - Product configuration and registration are now executed as part of the instance's userdata, rather than CloudFormation::Init.
+    - Product configuration and registration failures are tracked and raised in real-time, rather than only at stack timeout.
+    - Enhanced CloudWatch logging for better observability during deployment.
+    - Deployment and configuration time for Windows-based components has been significantly reduced.
+
+### Removed
+- #### Azure : 
+    - Removed usage of ManagedIdentityExtensionForWindows.
+- Windows components are no longer published based on Windows Server 2016. You can create Win2016-based images using the BYOI solution to suit your needs (subject to product system requirements).
+
+## [PAMonCloud v14.2] (18.6.2024)
 
 ### Changed
 - #### AWS : 

CyberArk Software EULA 20210831.1.pdf

@@ -1,4 +1,4 @@
-Copyright © 2024 CyberArk Software Ltd. All rights reserved.
+Copyright © 2025 CyberArk Software Ltd. All rights reserved.
 <https://cyberark.com>
 
 Licensed under the Apache License, Version 2.0 (the "License");

LICENSE.md renamed to LICENSE

@@ -1,11 +1,9 @@
 # Overview
+We offer comprehensive tools and scripts to facilitate the deployment of CyberArk's Privileged Access Manager (PAM) solution on both Amazon Web Services (AWS) and Microsoft Azure.
 
-We provide you with the necessary tools and scripts to deploy CyberArk's Privileged Access Security (PAS) solution on Amazon Web Services (AWS) and Microsoft Azure with one click.
+Our templates offer the flexibility to deploy CyberArk PAM in various architectures, including hybrid, multi-cloud, and fully cloud-based environments.
 
-The different templates provide you with the flexibility of deploying CyberArk PAS to support your architecture (hybrid, multi-cloud, all in the cloud and etc.).
-
-
-# Licensing
-Copyright © 2024 CyberArk Software Ltd. All rights reserved.
-
-CyberArk’s Privileged Access Security is licensed under the following license terms - "CyberArk Software EULA 20210831.1.pdf". CyberArk’s PAS AWS CloudFormation and Azure Resource Manager (ARM) deployment templates are licensed under Apache License, Version 2.0 - "LICENSE.md".
+# Licensing  
+This repository is subject to the following licenses:  
+- **CyberArk Privileged Access Manager**: Licensed under the [CyberArk Software EULA](https://www.cyberark.com/EULA.pdf).  
+- **CyberArk’s PAM AWS CloudFormation and Azure Resource Manager (ARM) deployment templates**: Licensed under the Apache License, Version 2.0 ([LICENSE](https://github.com/cyberark/pas-on-cloud/blob/master/LICENSE)).  

README.md

@@ -7,26 +7,23 @@ Resources:
       RetentionInDays: 30
     DeletionPolicy: Retain
     UpdateReplacePolicy: Retain
-  CfnInitLogStream:
+  VaultDRUserDataLogStream:
     Type: AWS::Logs::LogStream
     Properties:
       LogGroupName: !Sub '${LogGroup}'
-      LogStreamName: VaultDRMachine/CfnInitLog
-    UpdateReplacePolicy: Retain
+      LogStreamName: VaultDRMachine/UserDataLog
     DeletionPolicy: Retain
-  VaultInitLogStream:
+  VaultDRInitLogStream:
     Type: AWS::Logs::LogStream
     Properties:
       LogGroupName: !Sub '${LogGroup}'
       LogStreamName: VaultDRMachine/VaultInitLog
-    UpdateReplacePolicy: Retain
     DeletionPolicy: Retain
-  VaultPostInstallLogStream:
+  VaultDRPostInstallLogStream:
     Type: AWS::Logs::LogStream
     Properties:
       LogGroupName: !Sub '${LogGroup}'
       LogStreamName: VaultDRMachine/VaultPostInstallLog
-    UpdateReplacePolicy: Retain
     DeletionPolicy: Retain
   VaultAmi:
     Type: Custom::FindAMI
@@ -50,7 +47,11 @@ Resources:
     Type: AWS::CloudFormation::CustomResource
     Properties:
       ServiceToken: !GetAtt 'StorePasswordLambda.Arn'
-      Password: !Ref 'Secret'
+      Password: 
+        Fn::If:
+          - SecretProvided
+          - !Ref 'Secret'
+          - "null"
     DependsOn:
       - LambdaDeployRole
   CleanDRPassword:
@@ -395,7 +396,7 @@ Resources:
               
               while (response['Images'] == []) and (pas_ver_major >= 0):
                 while (response['Images'] == []) and (pas_ver_minor >= 0):
-                  ami_name = 'CyberArk PAS ' + component + ' v'+str(pas_ver_major) + '.' + str(pas_ver_minor) +'*'+ os_filter
+                  ami_name = 'CyberArk PAM ' + component + ' v'+str(pas_ver_major) + '.' + str(pas_ver_minor) +'*'+ os_filter
                   response = boto3.client('ec2').describe_images(
                       Owners= [event['ResourceProperties']['OwnerAccountId']],
                       Filters=[
@@ -442,61 +443,32 @@ Resources:
           - !Ref VaultAmi
           - !Ref VaultCustomAmi
       InstanceType: !Ref 'VaultInstanceType'
-      UserData: !Base64
-        Fn::Sub: |-
-          <script>
-          cfn-init.exe -v -s ${AWS::StackId} -r VaultDRMachine --configsets ascending --region ${AWS::Region}
-          </script>
+      UserData:
+        Fn::Base64: !Sub
+          - |
+            <powershell>
+            $UserDataParams = @{
+              "IsPrimaryOrDR"             = "DR"
+              "Region"                    = "${AWS::Region}"
+              "LogGroup"                  = "${LogGroup}"
+              "UserDataLogStream"         = "${VaultDRUserDataLogStream}"
+              "VaultInitLogStream"        = "${VaultDRInitLogStream}"
+              "VaultPostInstallLogStream" = "${VaultDRPostInstallLogStream}"
+              "SSMDRPassParameterID"      = "${StoreDRPassword.SsmId}"
+              "SSMSecretParameterID"      = "${SecretSsmId}"
+              "VaultPrivateIP"            = "${VaultPrivateIP}"
+              "VaultInstancesRole"        = "${VaultInstancesRole}"
+              "VaultHostname"             = "${VaultHostname}"
+              "StackName"                 = "${AWS::StackName}"
+            }
+            C:\CyberArk\Deployment\UserDataScript.ps1 @UserDataParams
+            </powershell>
+          - SecretSsmId: !If
+              - SecretProvided
+              - !GetAtt StoreSecret.SsmId
+              - ''
       KeyName: !Ref 'KeyName'
       IamInstanceProfile: !Ref 'VaultInstancesProfile'
-    Metadata:
-      AWS::CloudFormation::Init:
-        configSets:
-          ascending:
-            - configSSMAndHostnameAndTagKMS
-            - configServices
-            - configSignal
-        configSSMAndHostnameAndTagKMS:
-          services:
-            windows:
-              AmazonSSMAgent:
-                enabled: true
-                ensureRunning: true
-                files:
-                  - C:\Program Files\Amazon\SSM\Plugins\awsCloudWatch\AWS.EC2.Windows.CloudWatch.json
-          commands:
-            1-configCloudWatch:
-              command: !Sub >
-                powershell.exe -File C:\CyberArk\Deployment\CloudWatch.ps1
-                -LogGroup ${LogGroup} -CfnInitLogStream ${CfnInitLogStream}
-                -VaultPostInstallLogStream ${VaultPostInstallLogStream}
-                -VaultInitLogStream ${VaultInitLogStream} -Region ${AWS::Region}
-            2-restartSSM:
-              command: powershell.exe -Command "Restart-Service AmazonSSMAgent"
-              waitAfterCompletion: 60
-              ignoreErrors: true
-            3-addDNSSuffix:
-              command: powershell.exe -Command "Set-DnsClientGlobalSetting -SuffixSearchList ((Get-DnsClientGlobalSetting).SuffixSearchList += 'pas.local')"
-        configServices:
-          commands:
-            1-postInstall:
-              command: !Sub >
-                powershell.exe -File C:\CyberArk\Deployment\VaultPostInstall.ps1 -SSMDRPassParameterID ${StoreDRPassword.SsmId} -IsPrimaryOrDR "DR" -PrimaryVaultIP ${VaultPrivateIP} -LicensePath "C:\CyberArk\Deployment\vaultLicense.xml" -Region ${AWS::Region} -SSMSecretParameterID ${StoreSecret.SsmId}
-              waitAfterCompletion: 0
-            2-changeKMSTag:
-              command: !Sub >
-                powershell.exe -File C:\CyberArk\Deployment\VaultTagKMS.ps1 -Role ${VaultInstancesRole} -Region ${AWS::Region}
-              waitAfterCompletion: 0
-            3-ChangeHostname:
-              command: !Sub >
-                powershell.exe -Command Rename-Computer -NewName ${VaultHostname} -Force -Restart
-              waitAfterCompletion: forever
-        configSignal:
-          commands:
-            0-signalCompletion:
-              command: !Sub >
-                "C:\Program Files\Amazon\cfn-bootstrap\cfn-signal.exe" -e %ERRORLEVEL% --stack ${AWS::StackId} --resource VaultDRMachine --region ${AWS::Region}
-              waitAfterCompletion: 0
     CreationPolicy:
       ResourceSignal:
         Timeout: PT20M
@@ -513,9 +485,9 @@ Parameters:
     Type: String
     Description: Select a Windows Server version for all Windows-based components.
     AllowedValues:
-      - Win2016
       - Win2019
-    Default: Win2016
+      - Win2022
+    Default: Win2019
   VaultCustomAmi:
     Type: String
     Description: Enter the Vault Image ID, if you wish to use a custom Vault image.
@@ -643,6 +615,10 @@ Metadata:
       Secret:
         default: DR User Secret
 Conditions:
+  SecretProvided: !Not
+    - !Equals
+      - ''
+      - !Ref Secret
   CustomImageEmpty: !Equals
     - ''
     - !Ref VaultCustomAmi