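---
# CloudFormation template: VPC security groups for the WordPress reference architecture.
# The format version is quoted so generic YAML 1.1 parsers (e.g. PyYAML-based linters or
# scripts) keep it as the string CloudFormation expects instead of turning it into a date.
AWSTemplateFormatVersion: "2010-09-09"
Description: Reference Architecture to host WordPress on AWS - Creates VPC security groups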
Metadata:
  Authors:
    Description: Darryl Osborne ([email protected])
  License:
    # Folded scalar: the two lines join with a single space, exactly as the quoted form did.
    Description: >-
      Copyright 2018 Amazon.com, Inc. and its affiliates. All Rights Reserved.
      SPDX-License-Identifier: MIT-0
  # Console presentation only: groups and labels the two template parameters.
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: AWS Parameters
        Parameters:
          - SshAccessCidr
          - Vpc
    ParameterLabels:
      SshAccessCidr:
        default: SSH Access From
      Vpc:
        default: Vpc Id
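Parameters:
  SshAccessCidr:
    Type: String
    # Dotted-quad IPv4 CIDR: each octet 0-255, prefix length 0-32. Host bits are not
    # validated, so e.g. 10.0.0.1/8 passes; AWS accepts such a value and applies the prefix.
    # Single-quoted so the backslashes are never interpreted by a YAML parser.
    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
    # Without this, a pattern mismatch is reported to the operator as the raw regex.
    ConstraintDescription: must be an IPv4 CIDR range of the form x.x.x.x/x
    Description: The CIDR IP range that is permitted to SSH to bastion instance. Note - a value of 0.0.0.0/0 will allow access from ANY IP address.
    # Default kept for backward compatibility with existing deployments; it exposes the
    # bastion's port 22 to the whole internet, so override it with an administrative range.
    Default: 0.0.0.0/0
  Vpc:
    Type: AWS::EC2::VPC::Id
    # NOTE(review): AllowedPattern is documented for String and CommaDelimitedList
    # parameters; on an AWS-specific type it may be ignored in favour of AWS's own
    # validation - confirm against the CloudFormation parameter reference.
    AllowedPattern: '^(vpc-)([a-z0-9]{8}|[a-z0-9]{17})$'
    Description: The Vpc Id of an existing Vpc.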
Resources:
  # No group declares SecurityGroupEgress, so every group gets the default
  # allow-all outbound rule; only inbound traffic is constrained by this template.

  # Bastion: the only group reachable from outside the VPC on 22/tcp, and the
  # only one whose source is a CIDR parameter rather than another group.
  BastionSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId: !Ref Vpc
      GroupDescription: Security group for Bastion instances
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref SshAccessCidr

  # RDS cluster: MySQL port, web tier only.
  DatabaseSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId: !Ref Vpc
      GroupDescription: Security group for Amazon RDS cluster
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 3306
          ToPort: 3306
          SourceSecurityGroupId: !Ref WebSecurityGroup

  # ElastiCache cluster: 11211/tcp, web tier only.
  ElastiCacheSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId: !Ref Vpc
      GroupDescription: Security group for ElastiCache cache cluster
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 11211
          ToPort: 11211
          SourceSecurityGroupId: !Ref WebSecurityGroup

  # EFS mount targets: NFS from the web tier.
  EfsSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId: !Ref Vpc
      GroupDescription: Security group for EFS mount targets
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 2049
          ToPort: 2049
          SourceSecurityGroupId: !Ref WebSecurityGroup
        # NOTE(review): mount targets only serve NFS on 2049, so this 22/tcp rule from the
        # bastion grants nothing usable; dropping it would tighten least privilege. Left in
        # place here because this rewrite is behaviour-preserving.
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          SourceSecurityGroupId: !Ref BastionSecurityGroup

  # Members of the EFS group may talk to each other on 2049/tcp. Declared as a separate
  # ingress resource because a group cannot reference its own ID inside its definition.
  EfsSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !GetAtt [EfsSecurityGroup, GroupId]
      IpProtocol: tcp
      FromPort: 2049
      ToPort: 2049
      SourceSecurityGroupId: !GetAtt [EfsSecurityGroup, GroupId]

  # Internet-facing ALB: HTTP and HTTPS open to the world by design.
  PublicAlbSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId: !Ref Vpc
      GroupDescription: Security group for ALB
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0

  # Web tier: HTTP/HTTPS only from the ALB group, SSH only from the bastion group.
  WebSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId: !Ref Vpc
      GroupDescription: Security group for web instances
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          SourceSecurityGroupId: !Ref PublicAlbSecurityGroup
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          SourceSecurityGroupId: !Ref PublicAlbSecurityGroup
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          SourceSecurityGroupId: !Ref BastionSecurityGroup
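Outputs:
  # Plain outputs (no Export), so consumers receive these values as parameters or by
  # reading the stack. Each value is the security group returned by !Ref.
  BastionSecurityGroup:
    Description: Security group for the bastion instances
    Value: !Ref BastionSecurityGroup
  DatabaseSecurityGroup:
    Description: Security group for the Amazon RDS cluster
    Value: !Ref DatabaseSecurityGroup
  EfsSecurityGroup:
    Description: Security group for the EFS mount targets
    Value: !Ref EfsSecurityGroup
  ElastiCacheSecurityGroup:
    Description: Security group for the ElastiCache cache cluster
    Value: !Ref ElastiCacheSecurityGroup
  PublicAlbSecurityGroup:
    Description: Security group for the public ALB
    Value: !Ref PublicAlbSecurityGroup
  WebSecurityGroup:
    Description: Security group for the web instances
    Value: !Ref WebSecurityGroup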