-
Notifications
You must be signed in to change notification settings - Fork 0
/
03-securitygroups.yaml
executable file
·153 lines (151 loc) · 4.5 KB
/
03-securitygroups.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
AWSTemplateFormatVersion: 2010-09-09
Description: Reference Architecture to host Moodle on AWS - Creates VPC security groups
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
- Label:
default: AWS Parameters
Parameters:
- SshAccessCidr
- Vpc
- Label:
default: Database Parameters
Parameters:
- DatabasePort
ParameterLabels:
SshAccessCidr:
default: SSH Access From
Vpc:
default: Vpc Id
DatabasePort:
default: DB port
Parameters:
SshAccessCidr:
AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$
Description: The CIDR IP range that is permitted to SSH to bastion instance. Note - a value of 0.0.0.0/0 will allow access from ANY IP address.
Type: String
Default: 0.0.0.0/0
Vpc:
AllowedPattern: ^(vpc-)([a-z0-9]{8}|[a-z0-9]{17})$
Description: The Vpc Id of an existing Vpc.
Type: AWS::EC2::VPC::Id
DatabasePort:
ConstraintDescription: Must be a valid RDS instance port.
Description: The Amazon RDS database port.
Type: String
Resources:
BastionSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Security group for Bastion instances
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: !Ref SshAccessCidr
VpcId:
!Ref Vpc
DatabaseSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Security group for Amazon RDS cluster
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: !Ref DatabasePort
ToPort: !Ref DatabasePort
SourceSecurityGroupId: !Ref WebSecurityGroup
VpcId:
!Ref Vpc
ElastiCacheSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Security group for ElastiCache cache cluster
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 11211
ToPort: 11211
SourceSecurityGroupId: !Ref WebSecurityGroup
VpcId:
!Ref Vpc
PublicAlbSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Security group for ALB
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 443
ToPort: 443
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
VpcId:
!Ref Vpc
WebSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Security group for web instances
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
SourceSecurityGroupId: !Ref PublicAlbSecurityGroup
- IpProtocol: tcp
FromPort: 443
ToPort: 443
SourceSecurityGroupId: !Ref PublicAlbSecurityGroup
- IpProtocol: tcp
FromPort: 22
ToPort: 22
SourceSecurityGroupId: !Ref BastionSecurityGroup
VpcId:
!Ref Vpc
NasSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Security group for nas instances
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 111
ToPort: 111
SourceSecurityGroupId: !Ref WebSecurityGroup
- IpProtocol: udp
FromPort: 111
ToPort: 111
SourceSecurityGroupId: !Ref WebSecurityGroup
- IpProtocol: tcp
FromPort: 2049
ToPort: 2049
SourceSecurityGroupId: !Ref WebSecurityGroup
- IpProtocol: udp
FromPort: 2049
ToPort: 2049
SourceSecurityGroupId: !Ref WebSecurityGroup
- IpProtocol: tcp
FromPort: 20048
ToPort: 20048
SourceSecurityGroupId: !Ref WebSecurityGroup
- IpProtocol: udp
FromPort: 20048
ToPort: 20048
SourceSecurityGroupId: !Ref WebSecurityGroup
- IpProtocol: tcp
FromPort: 22
ToPort: 22
SourceSecurityGroupId: !Ref BastionSecurityGroup
VpcId:
!Ref Vpc
Outputs:
BastionSecurityGroup:
Value: !Ref BastionSecurityGroup
DatabaseSecurityGroup:
Value: !Ref DatabaseSecurityGroup
ElastiCacheSecurityGroup:
Value: !Ref ElastiCacheSecurityGroup
PublicAlbSecurityGroup:
Value: !Ref PublicAlbSecurityGroup
WebSecurityGroup:
Value: !Ref WebSecurityGroup
NasSecurityGroup:
Value: !Ref NasSecurityGroup