-
Notifications
You must be signed in to change notification settings - Fork 12
/
Copy pathsecurity-groups.yaml
181 lines (161 loc) · 6.26 KB
/
security-groups.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
Description: >
This template contains the security groups required by our entire stack.
We create them in a seperate nested template, so they can be referenced
by all of the other nested templates.
Last Modified: 30 June 2019
By Ian Turner(iant18150@gmail.com), Mike Lonergan (mikethecanuck@gmail.com)
Parameters:
EnvironmentName:
Description: An environment name that will be prefixed to resource names
Type: String
VPC:
Type: AWS::EC2::VPC::Id
Description: Choose which VPC the security groups should be deployed to
Resources:
## TODO: Refactor these security groups so that ECSHostSecurityGroup references
## the "web server access" and "SSH access" that is defined as common, and then
## also point BastionHost and LoadBalancer at these common resources
# This security group defines who/where is allowed to access the Bastion host directly.
BastionHostSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
VpcId: !Ref VPC
GroupDescription: Access to the bastion host that runs in the public subntet
SecurityGroupIngress:
# Allow access from anywhere to our Bastion Host via SSH
- CidrIp: 0.0.0.0/0
IpProtocol: TCP
FromPort: 22
ToPort: 22
Tags:
- Key: Name
Value: !Sub ${EnvironmentName}-Bastion-Hosts
- Key: Account
Value: HackOregon
- Key: Project
Value: Admin
# This security group defines who/where is allowed to access the ECS hosts directly.
ECSHostSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
VpcId: !Ref VPC
GroupDescription: Access to the ECS hosts and the tasks/containers that run on them
SecurityGroupIngress:
- SourceSecurityGroupId: !Ref LoadBalancerSecurityGroup
IpProtocol: -1
- SourceSecurityGroupId: !Ref BastionHostSecurityGroup
IpProtocol: -1
Tags:
- Key: Name
Value: !Sub ${EnvironmentName}-ECS-Hosts
- Key: Account
Value: HackOregon
- Key: Project
Value: Admin
# This security group is meant for production-protected databases.
# This security group defines who/where is allowed to access the DB hosts directly.
DBSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
VpcId: !Ref VPC
GroupDescription: Access to the DB hosts from ecs and the bastion host
SecurityGroupIngress:
- SourceSecurityGroupId: !Ref ECSHostSecurityGroup
IpProtocol: -1
- SourceSecurityGroupId: !Ref BastionHostSecurityGroup
IpProtocol: -1
Tags:
- Key: Name
Value: !Sub ${EnvironmentName}-DB-Hosts
- Key: Account
Value: HackOregon
- Key: Project
Value: Admin
# This security group is meant for developer-accessible databases.
DBPublicSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
VpcId: !Ref VPC
GroupDescription: Access to DB instances from anywhere on the Internet
SecurityGroupIngress:
# Allow access from anywhere to the DB instances on port 5432
- CidrIp: 0.0.0.0/0
IpProtocol: TCP
FromPort: 0
ToPort: 5432
Tags:
- Key: Name
Value: !Sub ${EnvironmentName}-DB-Public-Hosts
- Key: Account
Value: HackOregon
- Key: Project
Value: Admin
# This security group defines who/where is allowed to access load balancer
LoadBalancerSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
VpcId: !Ref VPC
GroupDescription: Access to the load balancer that sits in front of ECS
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: '80'
ToPort: '80'
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: '443'
ToPort: '443'
CidrIp: 0.0.0.0/0
Tags:
- Key: Name
Value: !Sub ${EnvironmentName}-LoadBalancers
- Key: Account
Value: HackOregon
- Key: Project
Value: Admin
# This security group defines who/where is allowed to access the Tasks running in ECS
ECSTaskSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
VpcId: !Ref VPC
GroupDescription: Access to the ECS tasks/containers that run on ECS (EXPERIMENTAL)
SecurityGroupIngress:
## Appears to allow all traffic to the containerized app - health checks and external requests
- IpProtocol: tcp
FromPort: '8000'
ToPort: '8000'
CidrIp: 0.0.0.0/0
## TODO: figure out what these are for, and if there's any reason to keep these part of the ECS Task SG
# - IpProtocol: tcp
# FromPort: '80'
# ToPort: '80'
# CidrIp: 0.0.0.0/0
# - IpProtocol: tcp
# FromPort: '443'
# ToPort: '443'
# CidrIp: 0.0.0.0/0
Tags:
- Key: Name
Value: !Sub ${EnvironmentName}-ECS-Hosts
- Key: Account
Value: HackOregon
- Key: Project
Value: Admin
Outputs:
BastionHostSecurityGroup:
Description: A reference to the security group for bastion hosts
Value: !Ref BastionHostSecurityGroup
ECSHostSecurityGroup:
Description: A reference to the security group for ECS hosts
Value: !Ref ECSHostSecurityGroup
DBSecurityGroup:
Description: A reference to the security group for protected DB instances
Value: !Ref DBSecurityGroup
DBPublicSecurityGroup:
Description: A reference to the security group for public DB instances
Value: !Ref DBPublicSecurityGroup
LoadBalancerSecurityGroup:
Description: A reference to the security group for load balancers
Value: !Ref LoadBalancerSecurityGroup
ECSTaskSecurityGroup:
Description: A reference to the security group for ECS tasks
Value: !Ref ECSTaskSecurityGroup