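---
AWSTemplateFormatVersion: "2010-09-09"

# Author: Ricardo Bonilla
Description: >-
  Security groups for one environment: an internet-facing group for the load
  balancer and a web-server group that only accepts traffic from that load
  balancer. Sandbox environments get a separate web-server group that also
  admits SSH from an operator-supplied CIDR.

Parameters:
  EnvironmentName:
    Description: An environment name that will be prefixed to resource names
    Type: String
    Default: staging
    AllowedValues:
      - production
      - staging
      - sandbox
      - development

  # Only consumed when EnvironmentName is "sandbox" (see SandboxWebServerSecGroup).
  # The default keeps the original open-to-the-world behaviour so existing stacks
  # still deploy; override it with a VPN, bastion or office range.
  SshAllowedCidr:
    Description: IPv4 CIDR block allowed to reach port 22 on sandbox web servers
    Type: String
    Default: "0.0.0.0/0"
    AllowedPattern: '^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$'
    ConstraintDescription: must be an IPv4 CIDR block such as 203.0.113.0/24

Conditions:
  IsSandbox: !Equals [!Ref EnvironmentName, sandbox]
  NotSandbox: !Not [!Equals [!Ref EnvironmentName, sandbox]]

Resources:
  # Internet-facing entry point. Inbound HTTP from anywhere; outbound limited
  # to HTTP, which is all the balancer needs to forward to the web servers.
  LBSecGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow http to client host
      VpcId:
        Fn::ImportValue: !Sub "${EnvironmentName}-VPCID"
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0

  # Web servers behind the load balancer (all environments except sandbox).
  WebServerSecGroup:
    Type: AWS::EC2::SecurityGroup
    Condition: NotSandbox
    Properties:
      GroupDescription: Allow http to our hosts
      VpcId:
        Fn::ImportValue: !Sub "${EnvironmentName}-VPCID"
      SecurityGroupIngress:
        # HTTP is accepted from the load balancer's security group only; a
        # 0.0.0.0/0 rule here would let clients bypass the balancer.
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          SourceSecurityGroupId: !Ref LBSecGroup
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 0
          ToPort: 65535
          CidrIp: 0.0.0.0/0

  # Sandbox web servers: same HTTP rule as above, plus SSH from SshAllowedCidr.
  SandboxWebServerSecGroup:
    Type: AWS::EC2::SecurityGroup
    Condition: IsSandbox
    Properties:
      GroupDescription: Allow http and ssh to our hosts
      VpcId:
        Fn::ImportValue: !Sub "${EnvironmentName}-VPCID"
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          SourceSecurityGroupId: !Ref LBSecGroup
        # SSH source is a parameter rather than a hard-coded 0.0.0.0/0 so each
        # sandbox stack can be narrowed without editing the template.
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref SshAllowedCidr
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 0
          ToPort: 65535
          CidrIp: 0.0.0.0/0

Outputs:
  LBSecGroup:
    Description: A reference to the load balancer security group
    Value: !Ref LBSecGroup
    Export:
      Name: !Sub "${EnvironmentName}-LB-SEC-GROUP"

  WebServerSecGroup:
    Description: A reference to web server security group
    Value: !Ref WebServerSecGroup
    Condition: NotSandbox
    Export:
      Name: !Sub "${EnvironmentName}-WS-SEC-GROUP"

  SandboxWebServerSecGroup:
    Description: A reference to web server security group with ssh access
    Value: !Ref SandboxWebServerSecGroup
    Condition: IsSandbox
    Export:
      Name: !Sub "${EnvironmentName}-sandbox-WS-SEC-GROUP"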