antklim · March 22, 2018 20:45
diff --git a/api-services-infrastructure-p2-security-groups.yml b/api-services-infrastructure-p2-security-groups.yml
 Description: This template deploys security groups for SimpleAPI

 Parameters:
  Environment:
    Description: An environment name that will be prefixed to resource names
    Type: String

  Namespace:
    Description: An infrastructure namespace that will be prefixed to resource names
    Type: String
    Default: simple-api

  SSHFrom:
    Description: Limit SSH access to bastion hosts to a CIDR IP block
    Type: String
    MinLength: 9
    MaxLength: 18
    Default: 0.0.0.0/0

  VPC:
    Description: A reference to the VPC
    Type: String

 Resources:
  LoadBalancerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Access to load balancer that sits in front of EC2 hosts
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - CidrIp: 0.0.0.0/0
          IpProtocol: -1
      Tags:
        - Key: Name
          Value: !Sub ${Namespace}-${Environment}-LB

  EC2HostSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Access to EC2 hosts which run services
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - SourceSecurityGroupId: !Ref LoadBalancerSecurityGroup
          IpProtocol: -1
        - SourceSecurityGroupId: !Ref BastionSecurityGroup
          IpProtocol: tcp
          ToPort: 22
          FromPort: 22
      Tags:
        - Key: Name
          Value: !Sub ${Namespace}-${Environment}-ec2-hosts

  EC2HostSecurityGroupFromBastionIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref EC2HostSecurityGroup
      IpProtocol: tcp
      ToPort: 22
      FromPort: 22
      SourceSecurityGroupId: !Ref BastionSecurityGroup

  BastionSecurityGroup:
      Type: AWS::EC2::SecurityGroup
      Properties:
        GroupDescription: Enable access to the bastion host
        VpcId: !Ref VPC
        SecurityGroupIngress:
        - CidrIp: !Ref SSHFrom
          IpProtocol: tcp
          ToPort: 22
          FromPort: 22
        SecurityGroupEgress:
        - CidrIp: 0.0.0.0/0
          IpProtocol: tcp
          ToPort: 80
          FromPort: 80
        - CidrIp: 0.0.0.0/0
          IpProtocol: tcp
          ToPort: 443
          FromPort: 443
        - CidrIp: 0.0.0.0/0
          IpProtocol: udp
          ToPort: 123
          FromPort: 123
        Tags:
        - Key: Name
          Value: !Sub ${Namespace}-${Environment}-bastion-host

  BastionSecurityGroupToEC2HostEgress:
    Type: AWS::EC2::SecurityGroupEgress
    Properties:
      GroupId: !Ref BastionSecurityGroup
      IpProtocol: tcp
      ToPort: 22
      FromPort: 22
      DestinationSecurityGroupId: !Ref EC2HostSecurityGroup

 Outputs:
  BastionSecurityGroup:
    Description: A reference to the security group for Bastion host
    Value: !Ref BastionSecurityGroup

  EC2HostSecurityGroup:
    Description: A reference to the security group for EC2 hosts
    Value: !Ref EC2HostSecurityGroup

  LoadBalancerSecurityGroup:
    Description: A reference to the security group for load balancers
    Value: !Ref LoadBalancerSecurityGroup
	Description: This template deploys security groups for SimpleAPI

	Parameters:
	Environment:
	Description: An environment name that will be prefixed to resource names
	Type: String

	Namespace:
	Description: An infrastructure namespace that will be prefixed to resource names
	Type: String
	Default: simple-api

	SSHFrom:
	Description: Limit SSH access to bastion hosts to a CIDR IP block
	Type: String
	MinLength: 9
	MaxLength: 18
	Default: 0.0.0.0/0

	VPC:
	Description: A reference to the VPC
	Type: String

	Resources:
	LoadBalancerSecurityGroup:
	Type: AWS::EC2::SecurityGroup
	Properties:
	GroupDescription: Access to load balancer that sits in front of EC2 hosts
	VpcId: !Ref VPC
	SecurityGroupIngress:
	- CidrIp: 0.0.0.0/0
	IpProtocol: -1
	Tags:
	- Key: Name
	Value: !Sub ${Namespace}-${Environment}-LB

	EC2HostSecurityGroup:
	Type: AWS::EC2::SecurityGroup
	Properties:
	GroupDescription: Access to EC2 hosts which run services
	VpcId: !Ref VPC
	SecurityGroupIngress:
	- SourceSecurityGroupId: !Ref LoadBalancerSecurityGroup
	IpProtocol: -1
	- SourceSecurityGroupId: !Ref BastionSecurityGroup
	IpProtocol: tcp
	ToPort: 22
	FromPort: 22
	Tags:
	- Key: Name
	Value: !Sub ${Namespace}-${Environment}-ec2-hosts

	EC2HostSecurityGroupFromBastionIngress:
	Type: AWS::EC2::SecurityGroupIngress
	Properties:
	GroupId: !Ref EC2HostSecurityGroup
	IpProtocol: tcp
	ToPort: 22
	FromPort: 22
	SourceSecurityGroupId: !Ref BastionSecurityGroup

	BastionSecurityGroup:
	Type: AWS::EC2::SecurityGroup
	Properties:
	GroupDescription: Enable access to the bastion host
	VpcId: !Ref VPC
	SecurityGroupIngress:
	- CidrIp: !Ref SSHFrom
	IpProtocol: tcp
	ToPort: 22
	FromPort: 22
	SecurityGroupEgress:
	- CidrIp: 0.0.0.0/0
	IpProtocol: tcp
	ToPort: 80
	FromPort: 80
	- CidrIp: 0.0.0.0/0
	IpProtocol: tcp
	ToPort: 443
	FromPort: 443
	- CidrIp: 0.0.0.0/0
	IpProtocol: udp
	ToPort: 123
	FromPort: 123
	Tags:
	- Key: Name
	Value: !Sub ${Namespace}-${Environment}-bastion-host

	BastionSecurityGroupToEC2HostEgress:
	Type: AWS::EC2::SecurityGroupEgress
	Properties:
	GroupId: !Ref BastionSecurityGroup
	IpProtocol: tcp
	ToPort: 22
	FromPort: 22
	DestinationSecurityGroupId: !Ref EC2HostSecurityGroup

	Outputs:
	BastionSecurityGroup:
	Description: A reference to the security group for Bastion host
	Value: !Ref BastionSecurityGroup

	EC2HostSecurityGroup:
	Description: A reference to the security group for EC2 hosts
	Value: !Ref EC2HostSecurityGroup

	LoadBalancerSecurityGroup:
	Description: A reference to the security group for load balancers
	Value: !Ref LoadBalancerSecurityGroup