diff --git a/.metadata b/.metadata
new file mode 100644
index 0000000..fdd1b78
--- /dev/null
+++ b/.metadata
@@ -0,0 +1 @@
+language_type: cloudformation
diff --git a/.taskcat.yml b/.taskcat.yml
index 6bb3790..ca91d0b 100644
--- a/.taskcat.yml
+++ b/.taskcat.yml
@@ -23,7 +23,7 @@ tests:
 parameters:
 AvailabilityZones: $[taskcat_genaz_2]
 HECClientLocation: 10.0.0.0/16
- KeyName: taskcat-test
+ KeyName: $[taskcat_getkeypair]
 QSS3BucketName: $[taskcat_autobucket]
 QSS3BucketRegion: $[taskcat_current_region]
 SSHClientLocation: 10.0.0.0/16
@@ -32,7 +32,7 @@ tests:
 SplunkIndexerDiscoverySecret: $[taskcat_genpass_10]
 WebClientLocation: 72.21.196.66/32
 regions:
- - us-west-1
+ # - us-west-1
 - us-east-2
 s3_bucket: ''
- template: templates/splunk-enterprise-master.template.yaml
+ template: templates/splunk-enterprise-main.template.yaml
diff --git a/README.md b/README.md
index 955e8f8..5de1030 100644
--- a/README.md
+++ b/README.md
@@ -12,7 +12,7 @@ View the accompanying [deployment guide](https://fwd.aws/bGBmy) for everything y ### Prerequisites -Before getting started with the template configuration, you will need to make your Splunk Enterprise license privately accessible for CloudFormation template deployment via S3 download. The following steps will guide you through that process. *(Note: This step is not required, and you can upload your license from the Splunk web interface. It is, however, required that you have a non-trial Splunk Enterprise license to fully utilize the deployment our template creates. If you don't already have a Splunk Enterprise license, you can obtain one by contacting sales@splunk.com.)* +Before getting started with the template configuration, you will need to make your Splunk Enterprise license privately accessible for CloudFormation template deployment via S3 download. The following steps will guide you through that process. *(Note: This step is required. A non-trial Splunk Enterprise license is required to allow our template to configure the Splunk deployment. If you don't already have a Splunk Enterprise license, you can obtain one by contacting sales@splunk.com.)* 1. From the AWS Console, select "S3" under the "Storage" heading, or by simply typing "S3" into the search bar. 2. You can either select an existing private bucket to upload to, or create a new one. If you select an existing bucket, make sure its access policy does not grant public access. By default, all the S3 resources are private, so only the AWS account that created the resources can access them. For this exercise, I'm outlining how to create a new bucket. 
@@ -32,6 +32,4 @@ This project is licensed under Apache License 2.0 - see [LICENSE.txt](./LICENSE. ## Help If you have any problems or general questions, please file an issue in the parent repository: -https://github.com/aws-quickstart/quickstart-splunk-enterprise/issues - - +https://github.com/aws-quickstart/quickstart-splunk-enterprise/issues \ No newline at end of file diff --git a/scripts/user_data.sh b/scripts/user_data.sh new file mode 100644 index 0000000..321924f --- /dev/null +++ b/scripts/user_data.sh 
@@ -0,0 +1,622 @@
+#!/bin/bash -xe
+
+#### start universal functions
+function base
+{
+
+ # variables
+ export LOCALIP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
+ export INSTANCEID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id)
+ export SPLUNK_USER=splunk
+ export SPLUNK_BIN=/opt/splunk/bin/splunk
+ export SPLUNK_HOME=/opt/splunk
+
+ # make cloud-init output log readable by root only to protect sensitive parameter values
+ chmod 600 /var/log/cloud-init-output.log
+
+ #- The newer version of the Splunk AMI does not come with Splunk pre-installed. Instead
+ #- Splunk is installed via ansible as part of cloud-init. The following code (starting at line 30) is
+ #- needed to ensure these install scripts are ran prior to the remainder of the Cloudformation
+ #- user scripts. Without doing this first, the Splunk installer is ran after CloudFormation's
+ #- cloud-init scripts, leaving no Splunk install to configure.
+
+ #- remove the cloud-init scripts from running
+ rm -f /etc/cloud/cloud.cfg.d/20_install_splunk.cfg
+ rm -f /var/lib/cloud/instance/scripts/runcmd
+
+ # run the ansible code
+ (cd /opt/splunk-ansible && time sudo -u ec2-user -E -S bash -c "SPLUNK_BUILD_URL=/tmp/splunk.tgz SPLUNK_ENABLE_SERVICE=true SPLUNK_PASSWORD=SPLUNK-$(wget -q -O - http://169.254.169.254/latest/meta-data/instance-id) ansible-playbook -i inventory/environ.py site.yml")
+
+ #- as of 8.2.0, aws-cfn-bootstrap is no longer pre-installed on the AMI.
+ #- install aws-cfn-bootstrap package
+ yum -y install aws-cfn-bootstrap
+
+
+ # setup auth with user-selected admin password
+ mv $SPLUNK_HOME/etc/passwd $SPLUNK_HOME/etc/passwd.bak
+ cat >> $SPLUNK_HOME/etc/system/local/user-seed.conf << end
+ [user_info]
+ USERNAME = admin
+ PASSWORD = $ADMIN_PASSWORD
+end
+
+ sed -i '/guid/d' $SPLUNK_HOME/etc/instance.cfg
+ touch $SPLUNK_HOME/etc/.ui_login
+
+ # restart Splunk for admin password update
+ $SPLUNK_BIN restart
+}
+
+function restart_signal
+{
+
+ # restart splunk
+ $SPLUNK_BIN restart
+
+ # communicate back to CloudFormation the status of the instance creation
+ /opt/aws/bin/cfn-signal -e $? --stack $STACK_NAME --resource $RESOURCE --region $AWS_REGION
+
+ # disable splunk user login
+ usermod --expiredate 1 splunk
+}
+
+#### end universal config
+
+#####
+#### start role-specific functions
+#####
+
+###
+# setup nvme drives for i3 indexers
+function nvme_setup
+{
+ # first, determine the instance type.
+ ec2_type=$(curl -s http://169.254.169.254/latest/meta-data/instance-type)
+
+ # this script is intended to run on i3* instance types.
+ if [[ "$ec2_type" != *"i3"* ]]
+ then
+ return 0
+ fi
+
+ # find the attached nvme drives. lsblk could work here, but utilizing the nvme-list utility due to
+ # json formatting and simpler parsing. install the nvme-cli and jq packages to accomplish this.
+ yum -y install nvme-cli jq >/dev/null
+
+ # save the nvme drive information to a temp file for parsing
+ nvme list --output-format=json > /tmp/nvme_drive.json
+
+ # declare the nvme device array
+ declare -a nvme_devices
+ unset nvme_devices
+
+ for nvme_device in $(jq '.Devices[] | .DevicePath' /tmp/nvme_drive.json)
+ do
+ # test to ensure that the storage device is instance storage. in testing, I have
+ # seen EBS volues show as NVME. this logic will ensure attached EBS devices are not
+ # added to the nvme raid0
+ nvme_model_type=$(jq -r '.Devices[] | select(.DevicePath=='$nvme_device') | .ModelNumber' /tmp/nvme_drive.json)
+ if [[ $nvme_model_type = *"NVMe Instance Storage"* ]]
+ then
+ # unfortunate 'hack' here to remove the quotes from the device name. without them, the jq lookup
+ # will fail in the previous step. however, they need to be removed for the md raid creation later.
+ # additionally, since there needs to be a space between device names for the md create, convert
+ # quotes to spaces, and remove leading space. this leaves "$nvme_device " (note trailing space)
+ # stored in the array. this will allow for simply using the contents of the array as an argument for
+ # building the raid0 device
+ nvme_device=$(echo $nvme_device|sed 's/"/ /g'| sed 's/^ //g')
+
+ # save device list in nvme_devices array
+ nvme_devices+=("$nvme_device")
+ else
+ # if the nvme model type is not instance storage, continue to the next iteration of the loop
+ continue
+ fi
+ done
+
+ # name of the raid device to create
+ raid_device="/dev/md0"
+
+ # mount point of the raid device
+ raid_mount="/opt/splunk"
+
+ # make directory for mount point
+ mkdir -p $raid_mount
+
+ # create the raid device
+ mdadm --create $raid_device --level=raid0 --raid-devices=${#nvme_devices[@]} ${nvme_devices[@]}
+
+ # create filesystem on raid device
+ if [ ${#nvme_devices[@]} -eq 1 ]
+ then
+ discardOption=""
+ else
+ discardOption="-E nodiscard"
+ fi
+
+ mkfs.ext4 -m 2 -F -F ${discardOption} $raid_device
+
+ # add entry to fstab for mounting on reboot
+ echo "$raid_device $raid_mount auto defaults,nofail,noatime 0 2" >>/etc/fstab
+
+ # mount device
+ mount $raid_device
+
+}
+
+###
+# Splunk Cluster Master / License Master
+###
+function splunk_cm
+{
+ # execute base install and configuration
+ base
+
+ export RESOURCE="SplunkCM"
+ printf '%s\t%s\n' "$LOCALIP" 'splunklicense' >> /etc/hosts
+ hostname splunklicense
+
+ #- for the
CM, we can't reference CM_PRIVATEIP in the CloudFormation UserData like + #- we do in the other resources because the CM hasn't been created yet. To keep the + #- syntax consistent across each resource in user_data.sh, export $CM_PRIVATEIP to + #- the CM's local ip address + export CM_PRIVATEIP=$LOCALIP + + # Install license from metadata. + if [ $INSTALL_LICENSE = 1 ]; then + mkdir -p $SPLUNK_HOME/etc/licenses/enterprise/ + chown $SPLUNK_USER:$SPLUNK_USER $SPLUNK_HOME/etc/licenses/enterprise + /opt/aws/bin/cfn-init -v --stack $STACK_NAME --resource $RESOURCE --region $AWS_REGION + fi + + # Increase splunkweb connection timeout with splunkd + mkdir -p $SPLUNK_HOME/etc/apps/base-autogenerated/local + cat >>$SPLUNK_HOME/etc/apps/base-autogenerated/local/web.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/outputs.conf <>$SPLUNK_HOME/etc/system/local/server.conf < /tmp/token + TOKEN=`sed -n 's/\\ttoken=//p' /tmp/token` && rm /tmp/token + + # place generated config into master-apps + mkdir -p $SPLUNK_HOME/etc/master-apps/peer-base-autogenerated/local + mv $SPLUNK_HOME/etc/apps/splunk_httpinput/local/inputs.conf $SPLUNK_HOME/etc/master-apps/peer-base-autogenerated/local + + # peer config 2: enable splunk tcp input + cat >>$SPLUNK_HOME/etc/master-apps/peer-base-autogenerated/local/inputs.conf <>$SPLUNK_HOME/etc/master-apps/_cluster/local/indexes.conf <> $SPLUNK_HOME/etc/slave-apps/_cluster/local/indexes.conf << end + [default] + repFactor = auto + remotePath = volume:remote_store/splunk_db/$_index_name + coldPath=$SPLUNK_DB/$_index_name/colddb + thawedPath=$SPLUNK_DB/$_index_name/thaweddb +end + + cat >>$SPLUNK_HOME/etc/slave-apps/_cluster/local/indexes.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/web.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/server.conf <>$SPLUNK_HOME/etc/system/local/server.conf <> /etc/hosts + hostname "splunksearch-$num" + + # set splunk servername + sudo -u $SPLUNK_USER $SPLUNK_BIN set servername SHC$num + + # Increase 
splunkweb connection timeout with splunkd + cat >$SPLUNK_HOME/etc/system/local/web.conf <>$SPLUNK_HOME/etc/system/local/server.conf <> /etc/hosts + hostname splunk-shc-deployer + + # Increase splunkweb connection timeout with splunkd + mkdir -p $SPLUNK_HOME/etc/apps/base-autogenerated/local + cat >>$SPLUNK_HOME/etc/apps/base-autogenerated/local/web.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/server.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/outputs.conf <>$SPLUNK_HOME/etc/shcluster/apps/member-base-autogenerated/local/outputs.conf <> /etc/hosts + hostname splunksearch + + # Increase splunkweb connection timeout with splunkd + mkdir -p $SPLUNK_HOME/etc/apps/base-autogenerated/local + cat >>$SPLUNK_HOME/etc/apps/base-autogenerated/local/web.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/outputs.conf < + NumberOfAZs: + AllowedValues: + - '2' + - '3' + Default: '2' + Description: Number of Availability Zones to use in the VPC. This must match your + selections in the list of Availability Zones parameter. + Type: String + WebClientLocation: + AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ + ConstraintDescription: Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 + for no restrictions. + Description: 'The IP address range that is allowed to connect to the Splunk web + interface. Note: a value of 0.0.0.0/0 will allow access from ANY ip address' + MaxLength: '19' + MinLength: '9' + Type: String + HECClientLocation: + AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ + ConstraintDescription: Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 + for no restrictions. + Description: 'The IP address range that is allowed to send data to Splunk HTTP + Event Collector. 
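Review bot: In `restart_signal`, `cfn-signal -e $?` can never report a failure: the shebang enables `-e`, so a failed `$SPLUNK_BIN restart` aborts the script before the signal is sent and the stack only learns of the problem when its timeout expires. Capture the status explicitly, e.g. `rc=0; $SPLUNK_BIN restart || rc=$?` followed by `/opt/aws/bin/cfn-signal -e "$rc" --stack "$STACK_NAME" --resource "$RESOURCE" --region "$AWS_REGION"`. Separately, `-x` in the shebang traces every expanded command, so the interim `SPLUNK_PASSWORD=SPLUNK-<instance-id>` passed on the `bash -c` line in `base` (and any later command that expands a secret) is written to the cloud-init output; the `chmod 600` covers that one log file only, so consider `set +x` around those commands. The metadata lookups in `base` and `nvme_setup` are unauthenticated IMDSv1 `curl -s` calls without `-f`, which would leave `LOCALIP`/`INSTANCEID`/`ec2_type` empty or holding an error body on instances that require IMDSv2. Part of this hunk's text is missing on the page, so the role functions after the start of `splunk_cm` were not reviewed.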
Note: a value of 0.0.0.0/0 will allow access from ANY ip address'
+ MaxLength: '19'
+ MinLength: '9'
+ Type: String
+ IndexerInstanceType:
+ AllowedValues:
+ - c4.2xlarge
+ - c4.4xlarge
+ - c4.8xlarge
+ - m4.2xlarge
+ - m4.4xlarge
+ - m4.10xlarge
+ - c5.2xlarge
+ - c5.4xlarge
+ - c5.9xlarge
+ - c5.18xlarge
+ - i3.2xlarge
+ - i3.4xlarge
+ - i3.8xlarge
+ Description: EC2 instance type for Splunk Indexers
+ ConstraintDescription: must be a valid EC2 instance type.
+ Default: c5.4xlarge
+ Type: String
+ SearchHeadInstanceType:
+ AllowedValues:
+ - c4.2xlarge
+ - c4.4xlarge
+ - c4.8xlarge
+ - r4.4xlarge
+ - r4.8xlarge
+ - r4.16xlarge
+ - c5.2xlarge
+ - c5.4xlarge
+ - c5.9xlarge
+ - m5.2xlarge
+ - m5.4xlarge
+ - m5.12xlarge
+ Description: EC2 instance type for Splunk Search Heads
+ ConstraintDescription: must be a valid EC2 instance type.
+ Default: c5.4xlarge
+ Type: String
+ IndexerApps:
+ Description: Comma separated list of URLs of Splunk App (or Add-on) tarballs (.spl)
+ to pre-install on indexer(s)
+ Default: ''
+ Type: CommaDelimitedList
+ SearchHeadApps:
+ Description: Comma separated list of URLs of Splunk App (or Add-on) tarballs (.spl)
+ to pre-install on search head(s)
+ Default: ''
+ Type: CommaDelimitedList
+ KeyName:
+ ConstraintDescription: Must be the name of an existing EC2 KeyPair.
+ Description: Name of an existing EC2 KeyPair to enable SSH access to the instance
+ Type: AWS::EC2::KeyPair::KeyName
+ PublicSubnet1CIDR:
+ AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$
+ ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
+ Default: 10.0.1.0/24
+ Description: The address space that will be assigned to the first Splunk server
+ subnet. (x.x.x.x/x notation)
+ Type: String
+ PublicSubnet2CIDR:
+ AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$
+ ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
+ Default: 10.0.2.0/24
+ Description: The address space that will be assigned to the second Splunk server
+ subnet. (x.x.x.x/x notation)
+ Type: String
+ PublicSubnet3CIDR:
+ AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$
+ ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
+ Default: 10.0.3.0/24
+ Description: The address space that will be assigned to the second Splunk server
+ subnet. (x.x.x.x/x notation)
+ Type: String
+ QSS3BucketName:
+ Default: aws-quickstart
+ Description: S3 bucket name for the Quick Start assets.
+ Type: String
+ QSS3BucketRegion:
+ Default: 'us-west-2'
+ Description: 'The AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. When using your own bucket, you must specify this value.'
+ Type: String
+ QSS3KeyPrefix:
+ Default: quickstart-splunk-enterprise/
+ Description: S3 key prefix for the Quick Start assets.
+ Type: String
+ SHCEnabled:
+ AllowedValues:
+ - 'yes'
+ - 'no'
+ Default: 'no'
+ Description: Do you want to build a Splunk search head cluster?
+ Type: String
+ SSHClientLocation:
+ AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$
+ ConstraintDescription: Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0
+ for no restrictions.
+ Description: 'The IP address range that is allowed to SSH to the EC2 instances.
+ Note: a value of 0.0.0.0/0 will allow access from ANY ip address'
+ MaxLength: '19'
+ MinLength: '9'
+ Type: String
+ SplunkAdminPassword:
+ AllowedPattern: (?=^.{6,255}$)((?=.*\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*
+ ConstraintDescription: Must be at least 8 characters containing letters, numbers
+ and symbols.
+ Description: Admin password for Splunk. Must be at least 6 characters containing
+ letters, numbers and symbols
+ MaxLength: '32'
+ MinLength: '6'
+ NoEcho: 'true'
+ Type: String
+ SplunkIndexerCount:
+ ConstraintDescription: must be a valid number, 3-10
+ Default: '3'
+ Description: How many Splunk indexers to launch. [3-10]
+ MaxValue: '10'
+ MinValue: '3'
+ Type: Number
+ SplunkIndexerDiskSize:
+ ConstraintDescription: must be a valid number, 320-16000
+ Default: '320'
+ Description: The size of the attached EBS volume to the Splunk indexers. (in
+ GB)
+ MaxValue: '16000'
+ MinValue: '320'
+ Type: Number
+ SplunkSearchHeadDiskSize:
+ ConstraintDescription: must be a valid number, 320-16000
+ Default: '320'
+ Description: The size of the attached EBS volume to the Splunk search head(s). (in
+ GB)
+ MaxValue: '16000'
+ MinValue: '320'
+ Type: Number
+ SplunkLicenseBucket:
+ Default: ''
+ Description: Name of private S3 bucket with licenses to be accessed via authenticated
+ requests
+ Type: String
+ SplunkLicensePath:
+ Default: ''
+ Description: Path to license file in S3 Bucket (without leading '/')
+ Type: String
+ SplunkReplicationFactor:
+ ConstraintDescription: must be a valid number, 2-4
+ Default: '2'
+ Description: How many copies of data should be stored in the Splunk Indexer Cluster
+ MaxValue: '4'
+ MinValue: '2'
+ Type: Number
+ SplunkSearchFactor:
+ ConstraintDescription: must be a valid number, 2-4
+ Default: '2'
+ Description: How many copies of data should be searchable in the Splunk indexer
+ clusters
+ MaxValue: '4'
+ MinValue: '2'
+ Type: Number
+ SplunkClusterSecret:
+ AllowedPattern: (?=^.{6,255}$)((?=.*\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*
+ ConstraintDescription: Must be at least 8 characters containing letters, numbers
+ and symbols.
+ Description: Shared cluster secret for Search Head and Indexer clusters. Must
+ be at least 8 characters containing letters, numbers and symbols.
+ MaxLength: '32'
+ MinLength: '6'
+ NoEcho: 'true'
+ Type: String
+ SplunkIndexerDiscoverySecret:
+ AllowedPattern: (?=^.{6,255}$)((?=.*\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*
+ ConstraintDescription: Must be at least 8 characters containing letters, numbers
+ and symbols.
+ Description: >-
+ Security key used for communication between your forwarders and the cluster
+ master. This value should also be used by forwarders in order to retrieve list
+ of available peer nodes from cluster master. Must be at least 8 characters containing
+ letters, numbers and symbols.
+ MaxLength: '32'
+ MinLength: '8'
+ NoEcho: 'true'
+ Type: String
+ VPCCIDR:
+ AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})
+ ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
+ Default: 10.0.0.0/16
+ Description: The address space that will be assigned to the entire VPC where Splunk
+ will reside. (Recommend at least a /16)
+ MaxLength: '19'
+ MinLength: '9'
+ Type: String
+Conditions:
+ Create3AZ: !Equals
+ - !Ref 'NumberOfAZs'
+ - '3'
+ UsingDefaultBucket: !Equals [!Ref QSS3BucketName, 'aws-quickstart']
+Resources:
+ VPCStack:
+ Type: AWS::CloudFormation::Stack
+ Properties:
+ TemplateURL:
+ !Sub
+ - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-aws-vpc/templates/aws-vpc.template'
+ - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion]
+ S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${QSS3BucketRegion}', !Ref QSS3BucketName]
+ Parameters:
+ AvailabilityZones: !Join
+ - ','
+ - !Ref 'AvailabilityZones'
+ CreatePrivateSubnets: 'false'
+ KeyPairName: !Ref 'KeyName'
+ NumberOfAZs: !Ref 'NumberOfAZs'
+ PublicSubnet1CIDR: !Ref 'PublicSubnet1CIDR'
+ PublicSubnet2CIDR: !Ref 'PublicSubnet2CIDR'
+ PublicSubnet3CIDR: !Ref 'PublicSubnet3CIDR'
+ VPCCIDR: !Ref 'VPCCIDR'
+ TimeoutInMinutes: 15
+ SplunkStack:
+ Type: AWS::CloudFormation::Stack
+ Properties:
+ TemplateURL:
+ !Sub
+ - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/splunk-enterprise.template.yaml'
+ - S3Bucket: !If
+ - UsingDefaultBucket
+ - !Sub '${QSS3BucketName}-${QSS3BucketRegion}'
+ - !Ref 'QSS3BucketName'
+ S3Region: !If
+ - UsingDefaultBucket
+ - !Ref 'AWS::Region'
+ - !Ref 'QSS3BucketRegion'
+ Parameters:
+ VPCID: !GetAtt 'VPCStack.Outputs.VPCID'
+ VPCCIDR: !GetAtt 'VPCStack.Outputs.VPCCIDR'
+ PublicSubnet1ID: !GetAtt 'VPCStack.Outputs.PublicSubnet1ID'
+ PublicSubnet2ID: !GetAtt 'VPCStack.Outputs.PublicSubnet2ID'
+ PublicSubnet3ID: !If
+ - Create3AZ
+ - !GetAtt 'VPCStack.Outputs.PublicSubnet3ID'
+ - !GetAtt 'VPCStack.Outputs.PublicSubnet2ID'
+ NumberOfAZs: !Ref 'NumberOfAZs'
+ IndexerInstanceType: !Ref 'IndexerInstanceType'
+ SearchHeadInstanceType: !Ref 'SearchHeadInstanceType'
+ SplunkAdminPassword: !Ref 'SplunkAdminPassword'
+ SplunkClusterSecret: !Ref 'SplunkClusterSecret'
+ SplunkIndexerDiscoverySecret: !Ref 'SplunkIndexerDiscoverySecret'
+ SplunkLicenseBucket: !Ref 'SplunkLicenseBucket'
+ SplunkLicensePath: !Ref 'SplunkLicensePath'
+ KeyName: !Ref 'KeyName'
+ SSHClientLocation: !Ref 'SSHClientLocation'
+ HECClientLocation: !Ref 'HECClientLocation'
+ WebClientLocation: !Ref 'WebClientLocation'
+ SplunkIndexerCount: !Ref 'SplunkIndexerCount'
+ SHCEnabled: !Ref 'SHCEnabled'
+ SplunkIndexerDiskSize: !Ref 'SplunkIndexerDiskSize'
+ SplunkReplicationFactor: !Ref 'SplunkReplicationFactor'
+ QSS3BucketName: !Ref QSS3BucketName
+ QSS3BucketRegion: !Ref QSS3BucketRegion
+ QSS3KeyPrefix: !Ref QSS3KeyPrefix
+ IndexerApps: !Join
+ - ','
+ - !Ref 'IndexerApps'
+ SearchHeadApps: !Join
+ - ','
+ - !Ref 'SearchHeadApps'
+ TimeoutInMinutes: 60
+Outputs:
+ SearchHeadURL:
+ Description: Splunk Enterprise - Search Head URL
+ Value: !GetAtt 'SplunkStack.Outputs.SearchHeadURL'
+ ClusterMasterURL:
+ Description: Splunk Enterprise - Cluster Master URL
+ Value: !GetAtt 'SplunkStack.Outputs.ClusterMasterURL'
+ ClusterMasterManagementURL:
+ Description: Splunk Enterprise - Cluster Master Management URL (required for Indexer
+ Discovery)
+ Value: !GetAtt 'SplunkStack.Outputs.ClusterMasterManagementURL'
+ DeployerURL:
+ Description: Splunk Enterprise - Search Head Cluster Deployer URL
+ Value: !GetAtt 'SplunkStack.Outputs.DeployerURL'
+ HttpEventCollectorURL:
+ Description: HTTP Event Collector URL
+ Value: !GetAtt 'SplunkStack.Outputs.HttpEventCollectorURL'
+ HttpEventCollectorToken:
+ Description: HTTP Event Collector Token
+ Value: !GetAtt 'SplunkStack.Outputs.HttpEventCollectorToken'
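Review bot: `SplunkAdminPassword` and `SplunkClusterSecret` advertise an 8-character minimum in `ConstraintDescription`, but `MinLength: '6'` and the `(?=^.{6,255}$)` pattern accept 6 characters (the admin password's `Description` even says 6), so the enforced floor is weaker than the one shown to the operator; `SplunkIndexerDiscoverySecret` sets `MinLength: '8'` but keeps the same 6-character pattern. Align the three, e.g. `MinLength: '8'` and `(?=^.{8,255}$)`, or correct the descriptions. The `HttpEventCollectorToken` output publishes the HEC token in the stack outputs, where any principal allowed to describe the stack can read it in clear text; consider dropping that output or documenting that the token must be rotated after deployment. `SplunkSearchFactor` and `SplunkSearchHeadDiskSize` are declared as parameters but are not passed in the visible `SplunkStack` `Parameters`, so the operator's choice appears to have no effect. The file header and the first lines of this template are missing from the page, so earlier parameters were not reviewed.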