03-securitygroups.yaml

AWSTemplateFormatVersion: 2010-09-09
Description: Reference Architecture to host Moodle on AWS - Creates VPC security groups
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
    - Label:
        default: AWS Parameters
      Parameters:
        - SshAccessCidr
        - Vpc
    - Label:
        default: Database Parameters
      Parameters:
        - DatabasePort
    ParameterLabels:
      SshAccessCidr:
        default: SSH Access From
      Vpc:
        default: Vpc Id
      DatabasePort:
        default: DB port
Parameters:
  SshAccessCidr:
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$
    Description: The CIDR IP range that is permitted to SSH to bastion instance. Note - a value of 0.0.0.0/0 will allow access from ANY IP address.
    Type: String
    Default: 0.0.0.0/0
  Vpc:
    AllowedPattern: ^(vpc-)([a-z0-9]{8}|[a-z0-9]{17})$
    Description: The Vpc Id of an existing Vpc.
    Type: AWS::EC2::VPC::Id
  DatabasePort:
    ConstraintDescription: Must be a valid RDS instance port.
    Description: The Amazon RDS database port.
    Type: String

Resources:
  BastionSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group for Bastion instances
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref SshAccessCidr
      VpcId:
        !Ref Vpc

  DatabaseSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group for Amazon RDS cluster
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: !Ref DatabasePort
          ToPort: !Ref DatabasePort
          SourceSecurityGroupId: !Ref WebSecurityGroup
      VpcId:
        !Ref Vpc
  ElastiCacheSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group for ElastiCache cache cluster
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 11211
          ToPort: 11211
          SourceSecurityGroupId: !Ref WebSecurityGroup
      VpcId:
        !Ref Vpc
  PublicAlbSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group for ALB
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
      VpcId:
        !Ref Vpc       
  WebSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group for web instances
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          SourceSecurityGroupId: !Ref PublicAlbSecurityGroup
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          SourceSecurityGroupId: !Ref PublicAlbSecurityGroup
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          SourceSecurityGroupId: !Ref BastionSecurityGroup
      VpcId:
        !Ref Vpc
  NasSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group for nas instances
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 111
          ToPort: 111
          SourceSecurityGroupId: !Ref WebSecurityGroup
        - IpProtocol: udp
          FromPort: 111
          ToPort: 111
          SourceSecurityGroupId: !Ref WebSecurityGroup
        - IpProtocol: tcp
          FromPort: 2049
          ToPort: 2049
          SourceSecurityGroupId: !Ref WebSecurityGroup
        - IpProtocol: udp
          FromPort: 2049
          ToPort: 2049
          SourceSecurityGroupId: !Ref WebSecurityGroup
        - IpProtocol: tcp
          FromPort: 20048
          ToPort: 20048
          SourceSecurityGroupId: !Ref WebSecurityGroup
        - IpProtocol: udp
          FromPort: 20048
          ToPort: 20048
          SourceSecurityGroupId: !Ref WebSecurityGroup
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          SourceSecurityGroupId: !Ref BastionSecurityGroup
      VpcId:
        !Ref Vpc
Outputs:
  BastionSecurityGroup:
    Value: !Ref BastionSecurityGroup
  DatabaseSecurityGroup:
    Value: !Ref DatabaseSecurityGroup
  ElastiCacheSecurityGroup:
    Value: !Ref ElastiCacheSecurityGroup
  PublicAlbSecurityGroup:
    Value: !Ref PublicAlbSecurityGroup
  WebSecurityGroup:
    Value: !Ref WebSecurityGroup
  NasSecurityGroup:
    Value: !Ref NasSecurityGroup