updating VPC CF template

2020-05-01 19:44:14 +01:00
parent c97321790b
commit aaae536003
1 changed files with 85 additions and 18 deletions
--- a/.cloudformation/02-stack-vpc.yaml
+++ b/.cloudformation/02-stack-vpc.yaml
@@ -7,15 +7,77 @@ Resources:
      CidrBlock: "172.31.0.0/16"
      EnableDnsHostnames: true
      EnableDnsSupport: true
-  PublicSecurityGroup:
+  ELBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
-      GroupName: !Sub "${AWS::StackName}-PublicSecurityGroup"
-      GroupDescription: Security group for the EC2 instances. This group does
-        not set any ingress/egress permissions as Elastic Beanstalk will create
-        these for us. This group will be attached to our EC2 instances, and the
-        RDS instance will permit incoming traffic from this group only.
+      GroupName: !Sub "${AWS::StackName}-ELBSecurityGroup"
+      GroupDescription: Security group for the Elastic Load Balancer.
+        This permits inbound 80/443 from any IP, to 80/443 to the
+        Auto Scaling security group.
      VpcId: !Ref PublicVPC
+  ELBSecurityGroupIngressHttp:
+    Type: AWS::EC2::SecurityGroupIngress
+    Properties:
+      Description: Ingress for ELBSecurityGroup for HTTP.
+      GroupId: !Ref ELBSecurityGroup
+      IpProtocol: tcp
+      FromPort: 80
+      ToPort: 80
+      CidrIp: 0.0.0.0/0
+  ELBSecurityGroupIngressHttps:
+    Type: AWS::EC2::SecurityGroupIngress
+    Properties:
+      Description: Ingress for ELBSecurityGroup for HTTPS.
+      GroupId: !Ref ELBSecurityGroup
+      IpProtocol: tcp
+      FromPort: 443
+      ToPort: 443
+      CidrIp: 0.0.0.0/0
+  ELBSecurityGroupEgressHttp:
+    Type: AWS::EC2::SecurityGroupEgress
+    Properties:
+      Description: Egress for ELBSecurityGroup for HTTP.
+      GroupId: !Ref ELBSecurityGroup
+      IpProtocol: tcp
+      FromPort: 80
+      ToPort: 80
+      SourceSecurityGroupId: !Ref ASSecurityGroup
+  ELBSecurityGroupEgressHttps:
+    Type: AWS::EC2::SecurityGroupEgress
+    Properties:
+      Description: Egress for ELBSecurityGroup for HTTPS.
+      GroupId: !Ref ELBSecurityGroup
+      IpProtocol: tcp
+      FromPort: 443
+      ToPort: 443
+      SourceSecurityGroupId: !Ref ASSecurityGroup
+  ASSecurityGroup:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      GroupName: !Sub "${AWS::StackName}-ASSecurityGroup"
+      GroupDescription: Security group for the Auto Scaler. This security group
+        will be applied to any EC2 instances that the Auto Scaler creates. This
+        group permits inbound 80/443 from the Elastic Load Balancer security
+        group.
+      VpcId: !Ref PublicVPC
+  ASSecurityGroupIngressHttp:
+    Type: AWS::EC2::SecurityGroupIngress
+    Properties:
+      Description: Ingress for ASSecurityGroup for HTTP.
+      GroupId: !Ref ASSecurityGroup
+      IpProtocol: tcp
+      FromPort: 80
+      ToPort: 80
+      SourceSecurityGroupId: !Ref ELBSecurityGroup
+  ASSecurityGroupIngressHttps:
+    Type: AWS::EC2::SecurityGroupIngress
+    Properties:
+      Description: Ingress for ASSecurityGroup for HTTPS.
+      GroupId: !Ref ASSecurityGroup
+      IpProtocol: tcp
+      FromPort: 443
+      ToPort: 443
+      SourceSecurityGroupId: !Ref ELBSecurityGroup
  PublicSubnet0:
    Type: AWS::EC2::Subnet
    Properties:
@@ -81,32 +143,37 @@ Resources:
      RouteTableId: !Ref PublicRouteTable
 Outputs:
  PublicVPCID:
-    Description: The VPC ID.
+    Description: The VPC for the environment.
    Value: !Ref PublicVPC
    Export:
      Name: !Sub "${AWS::StackName}-PublicVPC"
-  PublicSecurityGroupId:
-    Description: The EC2 security group ID.
-    Value: !Ref PublicSecurityGroup
+  ELBSecurityGroupOutput:
+    Description: ELB Security Group
+    Value: !Ref ELBSecurityGroup
    Export:
-      Name: !Sub "${AWS::StackName}-PublicSecurityGroup"
-  PublicVPCIDDefaultSecurityGroup:
-    Description: The VPC default security group.
-    Value: !GetAtt PublicVPC.DefaultSecurityGroup
+      Name: !Sub "${AWS::StackName}-ELBSecurityGroup"
+  ASSecurityGroupOutput:
+    Description: AS Security Group
+    Value: !Ref ASSecurityGroup
    Export:
-      Name: !Sub "${AWS::StackName}-PublicVPCIDDefaultSecurityGroup"
+      Name: !Sub "${AWS::StackName}-ASSecurityGroup"
+  # PublicVPCIDDefaultSecurityGroup:
+  #   Description: The VPC default security group.
+  #   Value: !GetAtt PublicVPC.DefaultSecurityGroup
+  #   Export:
+  #     Name: !Sub "${AWS::StackName}-PublicVPCIDDefaultSecurityGroup"
  PublicSubnet0ID:
-    Description: The ID of the subnet.
+    Description: The public subnet 0.
    Value: !Ref PublicSubnet0
    Export:
      Name: !Sub "${AWS::StackName}-PublicSubnet0"
  PublicSubnet1ID:
-    Description: The ID of the subnet.
+    Description: The public subnet 1.
    Value: !Ref PublicSubnet1
    Export:
      Name: !Sub "${AWS::StackName}-PublicSubnet1"
  PublicSubnet2ID:
-    Description: The ID of the subnet.
+    Description: The public subnet 2.
    Value: !Ref PublicSubnet2
    Export:
      Name: !Sub "${AWS::StackName}-PublicSubnet2"