-
Notifications
You must be signed in to change notification settings - Fork 0
/
security-groups.yaml
114 lines (101 loc) · 3.58 KB
/
security-groups.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
Description: >
This template contains the security groups required by our entire stack.
We create them in a seperate nested template, so they can be referenced
by all of the other nested templates.
Parameters:
EnvironmentName:
Description: An environment name that will be prefixed to resource names
Type: String
VPC:
Type: AWS::EC2::VPC::Id
Description: Choose which VPC the security groups should be deployed to
SSHLocation:
Description: The IP address range that can be used to SSH to the Bastion host
Type: String
Resources:
##BasionSecurityGroup
BastionSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Enable SSH access via port 22
VpcId: !Ref VPC
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: '22'
ToPort: '22'
CidrIp: !Ref SSHLocation
# This security group defines who/where is allowed to access the ec2 hosts directly.
# By default we're just allowing access from the load balancer. If you want to SSH
# into the hosts, or expose non-load balanced services you can open their ports here.
EC2SecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
VpcId: !Ref VPC
GroupDescription: Access to the ec2 hosts and the tasks/containers that run on them
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: 443
ToPort: 443
CidrIp: 0.0.0.0/0
Tags:
- Key: Name
Value: !Sub ${EnvironmentName}-ec2-Hosts
# This security group defines who/where is allowed to access the Application Load Balancer.
# By default, we've opened this up to the public internet (0.0.0.0/0) but can you restrict
# it further if you want.
LoadBalancerSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
VpcId: !Ref VPC
GroupDescription: Access to the load balancer that sits in front of ec2
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: 443
ToPort: 443
CidrIp: 0.0.0.0/0
Tags:
- Key: Name
Value: !Sub ${EnvironmentName}-LoadBalancers
# Security Group for VPC Endpoint
VPCEndpointSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Allow access to VPC endpoint
VpcId: !Ref VPC
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 443
ToPort: 443
CidrIp: 0.0.0.0/0
Outputs:
EC2SecurityGroup:
Description: A reference to the security group for ec2 hosts
Value: !Ref EC2SecurityGroup
LoadBalancerSecurityGroup:
Description: A reference to the security group for load balancers
Value: !Ref LoadBalancerSecurityGroup
BastionSecurityGroup:
Description: A reference to the security group for Bastion
Value: !Ref BastionSecurityGroup
VPCEndpointSecurityGroup:
Description: A reference to the security group for VPCEndpoint
Value: !Ref VPCEndpointSecurityGroup
SecurityGroups:
Description: A list of the SecurityGroups
Value: !Join [",", [!Ref EC2SecurityGroup, !Ref LoadBalancerSecurityGroup]]