CloudFormation Stack

Deploy a production-ready OnePAM gateway on AWS with a single CloudFormation template. Includes EC2 Auto Scaling, IAM roles, security groups, and optional S3 session recording.

GitHub

aws cloudformation deploy \
  --template-file cloudformation-gateway.yaml \
  --stack-name onepam-gateway \
  --capabilities CAPABILITY_IAM

Architecture

The CloudFormation template provisions the following resources:

Compute

EC2 Launch Template
Auto Scaling Group (1 instance, fixed)
cloud-init user data

Security

Security Group (HTTPS, mTLS, and WireGuard VPN)
IAM Role + Instance Profile
SSM Parameter Store integration
SSM SecureString
IMDSv2 enforced

Storage

S3 bucket for session recordings
IAM policy for S3 access
EBS-backed root volumes

Stack Parameters

Required Parameters

Parameter	Description
`GatewayId`	Gateway ID from your OnePAM instance
`ApiUrl`	OnePAM server URL (e.g. `https://onepam.com`)
`ApiToken`	API token for gateway authentication
`VpcId`	VPC ID for security group placement
`SubnetId`	Subnet ID for the EC2 instances
`S3Bucket`	S3 bucket name for session recordings
`S3AccessKey` NoEcho	S3 access key
`S3SecretKey` NoEcho	S3 secret key

Optional Parameters

Parameter	Default	Description
`InstanceType`	`t4g.small`	EC2 instance type
`Architecture`	`arm64`	CPU architecture (arm64 or amd64)
`PublicDomain`	-	Public FQDN
`S3Region`	`us-east-1`	S3 region
`S3Endpoint`	-	S3-compatible endpoint
`S3PathStyle`	`0`	Path-style S3
`AcmeEnabled`	`0`	Enable ACME
`AcmeEmail`	-	ACME registration email
`EnableVPN`	`0`	Enable WireGuard VPN
`EnableMTLS`	`1`	Enable mTLS on port 9443

Quick Start

Deploy via AWS CLI

# Download the template
curl -fsSL -o cloudformation-gateway.yaml \
  https://raw.githubusercontent.com/onepamcom/onepam-terraform/main/cloudformation-gateway.yaml

# Deploy the stack
aws cloudformation deploy \
  --template-file cloudformation-gateway.yaml \
  --stack-name onepam-gateway \
  --capabilities CAPABILITY_IAM \
  --parameter-overrides \
    GatewayId="YOUR-GATEWAY-ID" \
    ApiUrl="https://onepam.com" \
    ApiToken="YOUR-API-TOKEN" \
    VpcId="vpc-0123456789abcdef0" \
    SubnetId="subnet-0123456789abcdef0" \
    S3Bucket="my-onepam-recordings" \
    S3AccessKey="YOUR-S3-ACCESS-KEY" \
    S3SecretKey="YOUR-S3-SECRET-KEY"

# Check stack status
aws cloudformation describe-stacks \
  --stack-name onepam-gateway \
  --query 'Stacks[0].StackStatus'

Deploy via AWS Console

Navigate to CloudFormation in the AWS Console
Click Create stack > With new resources
Upload cloudformation-gateway.yaml
Fill in the required parameters (Gateway ID, API URL, API Token, VPC, Subnet)
Acknowledge IAM capability and create the stack

Production Deployment

For production, enable S3 session recording and TLS:

aws cloudformation deploy \
  --template-file cloudformation-gateway.yaml \
  --stack-name onepam-gateway-prod \
  --capabilities CAPABILITY_IAM \
  --parameter-overrides \
    GatewayId="YOUR-GATEWAY-ID" \
    ApiUrl="https://onepam.com" \
    ApiToken="YOUR-API-TOKEN" \
    VpcId="vpc-0123456789abcdef0" \
    SubnetId="subnet-0123456789abcdef0" \
    S3Bucket="my-onepam-recordings" \
    S3AccessKey="YOUR-S3-ACCESS-KEY" \
    S3SecretKey="YOUR-S3-SECRET-KEY" \
    PublicDomain="gateway.example.com" \
    AcmeEnabled="1" \
    AcmeEmail="admin@example.com" \
    Architecture="arm64" \
    EnableVPN="1"

Security Note: Store the ApiToken in AWS Secrets Manager or SSM Parameter Store rather than passing it directly. The template supports SSM parameter references.

Stack Management

# Update the stack
aws cloudformation deploy \
  --template-file cloudformation-gateway.yaml \
  --stack-name onepam-gateway \
  --capabilities CAPABILITY_IAM \
  --parameter-overrides InstanceType="t4g.medium"

# View stack events
aws cloudformation describe-stack-events \
  --stack-name onepam-gateway

# Delete the stack
aws cloudformation delete-stack \
  --stack-name onepam-gateway

For multi-cloud gateway deployments, see Terraform or Helm for Kubernetes-based deployments.

AWS CloudFormation