From aaae5360032a08e3385fbb28207e1ef6c80b5292 Mon Sep 17 00:00:00 2001
From: dtomlinson
Date: Fri, 1 May 2020 19:44:14 +0100
Subject: [PATCH] updating VPC CF template
---
 .cloudformation/02-stack-vpc.yaml | 103 ++++++++++++++++++++++++------
 1 file changed, 85 insertions(+), 18 deletions(-)
diff --git a/.cloudformation/02-stack-vpc.yaml b/.cloudformation/02-stack-vpc.yaml
index 9a77ba8..242c301 100644
--- a/.cloudformation/02-stack-vpc.yaml
+++ b/.cloudformation/02-stack-vpc.yaml
@@ -7,15 +7,77 @@ Resources:
 CidrBlock: "172.31.0.0/16"
 EnableDnsHostnames: true
 EnableDnsSupport: true
- PublicSecurityGroup:
+ ELBSecurityGroup:
 Type: AWS::EC2::SecurityGroup
 Properties:
- GroupName: !Sub "${AWS::StackName}-PublicSecurityGroup"
- GroupDescription: Security group for the EC2 instances. This group does
- not set any ingress/egress permissions as Elastic Beanstalk will create
- these for us. This group will be attached to our EC2 instances, and the
- RDS instance will permit incoming traffic from this group only.
+ GroupName: !Sub "${AWS::StackName}-ELBSecurityGroup"
+ GroupDescription: Security group for the Elastic Load Balancer.
+ This permits inbound 80/443 from any IP, to 80/443 to the
+ Auto Scaling security group.
 VpcId: !Ref PublicVPC
+ ELBSecurityGroupIngressHttp:
+ Type: AWS::EC2::SecurityGroupIngress
+ Properties:
+ Description: Ingress for ELBSecurityGroup for HTTP.
+ GroupId: !Ref ELBSecurityGroup
+ IpProtocol: tcp
+ FromPort: 80
+ ToPort: 80
+ CidrIp: 0.0.0.0/0
+ ELBSecurityGroupIngressHttps:
+ Type: AWS::EC2::SecurityGroupIngress
+ Properties:
+ Description: Ingress for ELBSecurityGroup for HTTPS.
+ GroupId: !Ref ELBSecurityGroup
+ IpProtocol: tcp
+ FromPort: 443
+ ToPort: 443
+ CidrIp: 0.0.0.0/0
+ ELBSecurityGroupEgressHttp:
+ Type: AWS::EC2::SecurityGroupEgress
+ Properties:
+ Description: Egress for ELBSecurityGroup for HTTP.
+ GroupId: !Ref ELBSecurityGroup
+ IpProtocol: tcp
+ FromPort: 80
+ ToPort: 80
+ SourceSecurityGroupId: !Ref ASSecurityGroup
+ ELBSecurityGroupEgressHttps:
+ Type: AWS::EC2::SecurityGroupEgress
+ Properties:
+ Description: Egress for ELBSecurityGroup for HTTPS.
+ GroupId: !Ref ELBSecurityGroup
+ IpProtocol: tcp
+ FromPort: 443
+ ToPort: 443
+ SourceSecurityGroupId: !Ref ASSecurityGroup
+ ASSecurityGroup:
+ Type: AWS::EC2::SecurityGroup
+ Properties:
+ GroupName: !Sub "${AWS::StackName}-ASSecurityGroup"
+ GroupDescription: Security group for the Auto Scaler. This security group
+ will be applied to any EC2 instances that the Auto Scaler creates. This
+ group permits inbound 80/443 from the Elastic Load Balancer security
+ group.
+ VpcId: !Ref PublicVPC
+ ASSecurityGroupIngressHttp:
+ Type: AWS::EC2::SecurityGroupIngress
+ Properties:
+ Description: Ingress for ASSecurityGroup for HTTP.
+ GroupId: !Ref ASSecurityGroup
+ IpProtocol: tcp
+ FromPort: 80
+ ToPort: 80
+ SourceSecurityGroupId: !Ref ELBSecurityGroup
+ ASSecurityGroupIngressHttps:
+ Type: AWS::EC2::SecurityGroupIngress
+ Properties:
+ Description: Ingress for ASSecurityGroup for HTTPS.
+ GroupId: !Ref ASSecurityGroup
+ IpProtocol: tcp
+ FromPort: 443
+ ToPort: 443
+ SourceSecurityGroupId: !Ref ELBSecurityGroup
 PublicSubnet0:
 Type: AWS::EC2::Subnet
 Properties:
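Review bot: ELBSecurityGroupEgressHttp and ELBSecurityGroupEgressHttps use `SourceSecurityGroupId`, which is not a property of `AWS::EC2::SecurityGroupEgress`; the peer of an egress rule is `DestinationSecurityGroupId: !Ref ASSecurityGroup`, and as written the template should fail validation on those two resources. Separately, standalone egress resources do not remove the allow-all outbound rule that a group created without an inline `SecurityGroupEgress` list keeps, so even after the fix the ELB group's outbound traffic is not limited to 80/443 toward ASSecurityGroup as the new `GroupDescription` claims; either reword the description or give the group a placeholder inline egress entry so the default rule is dropped (the standalone resources are still needed to avoid a circular reference between the two groups). The multi-line plain `GroupDescription` folds into one line, which works, but a `>-` block scalar makes that intent explicit.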
@@ -81,32 +143,37 @@ Resources:
 RouteTableId: !Ref PublicRouteTable
 Outputs:
 PublicVPCID:
- Description: The VPC ID.
+ Description: The VPC for the environment.
 Value: !Ref PublicVPC
 Export:
 Name: !Sub "${AWS::StackName}-PublicVPC"
- PublicSecurityGroupId:
- Description: The EC2 security group ID.
- Value: !Ref PublicSecurityGroup
+ ELBSecurityGroupOutput:
+ Description: ELB Security Group
+ Value: !Ref ELBSecurityGroup
 Export:
- Name: !Sub "${AWS::StackName}-PublicSecurityGroup"
- PublicVPCIDDefaultSecurityGroup:
- Description: The VPC default security group.
- Value: !GetAtt PublicVPC.DefaultSecurityGroup
+ Name: !Sub "${AWS::StackName}-ELBSecurityGroup"
+ ASSecurityGroupOutput:
+ Description: AS Security Group
+ Value: !Ref ASSecurityGroup
 Export:
- Name: !Sub "${AWS::StackName}-PublicVPCIDDefaultSecurityGroup"
+ Name: !Sub "${AWS::StackName}-ASSecurityGroup"
+ # PublicVPCIDDefaultSecurityGroup:
+ # Description: The VPC default security group.
+ # Value: !GetAtt PublicVPC.DefaultSecurityGroup
+ # Export:
+ # Name: !Sub "${AWS::StackName}-PublicVPCIDDefaultSecurityGroup"
 PublicSubnet0ID:
- Description: The ID of the subnet.
+ Description: The public subnet 0.
 Value: !Ref PublicSubnet0
 Export:
 Name: !Sub "${AWS::StackName}-PublicSubnet0"
 PublicSubnet1ID:
- Description: The ID of the subnet.
+ Description: The public subnet 1.
 Value: !Ref PublicSubnet1
 Export:
 Name: !Sub "${AWS::StackName}-PublicSubnet1"
 PublicSubnet2ID:
- Description: The ID of the subnet.
+ Description: The public subnet 2.
 Value: !Ref PublicSubnet2
 Export:
 Name: !Sub "${AWS::StackName}-PublicSubnet2"
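Review bot: The removed exports `${AWS::StackName}-PublicSecurityGroup` and `${AWS::StackName}-PublicVPCIDDefaultSecurityGroup` will make this stack update fail if any other stack still imports them, because CloudFormation refuses to delete an export that is in use; the old PublicSecurityGroup description mentioned an RDS instance trusting that group, so such a consumer probably exists and needs to be moved to the new `${AWS::StackName}-ASSecurityGroup` export before this is applied. The commented-out PublicVPCIDDefaultSecurityGroup output should be deleted rather than kept as dead YAML, since the history is in git. The new descriptions `ELB Security Group` and `AS Security Group` are terser than the ones they replace; `Description: The ELB security group ID.` keeps the style of the other outputs.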