AWSTemplateFormatVersion: 2010-09-09

Description: Reference Architecture to host Moodle on AWS - Creates VPC security groups

Metadata:

  AWS::CloudFormation::Interface:
    ParameterGroups:
    - Label:
        default: AWS Parameters
      Parameters:
        - SshAccessCidr
        - Vpc
    ParameterLabels:
      SshAccessCidr:
        default: SSH Access From
      Vpc:
        default: Vpc Id

Parameters:

  SshAccessCidr:
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$
    Description: The CIDR IP range that is permitted to SSH to bastion instance. Note - a value of 0.0.0.0/0 will allow access from ANY IP address.
    Type: String
    # The default exposes bastion SSH to the whole internet; override it with a known range at deploy time.
    Default: 0.0.0.0/0
  Vpc:
    AllowedPattern: ^(vpc-)([a-z0-9]{8}|[a-z0-9]{17})$
    Description: The VPC Id of an existing VPC.
    Type: AWS::EC2::VPC::Id

Resources:

  # Only the bastion and the public ALB accept traffic from CIDR ranges; every
  # other group is reachable solely from another security group in this template.
  BastionSecurityGroup:
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W40
            reason: Default egress rule
          - id: W5
            reason: Default egress rule
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group for Bastion instances
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref SshAccessCidr
          Description: SSH origin IP range
      # Unrestricted egress (cfn_nag W5/W40 suppressed above)
      SecurityGroupEgress:
        - IpProtocol: -1
          FromPort: -1
          ToPort: -1
          CidrIp: 0.0.0.0/0
          Description: To all
      VpcId: !Ref Vpc

  DatabaseSecurityGroup:
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W40
            reason: Default egress rule
          - id: W5
            reason: Default egress rule
    Type: "AWS::EC2::SecurityGroup"
    Properties:
      GroupDescription: Security group for Amazon RDS cluster
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 3306
          ToPort: 3306
          SourceSecurityGroupId: !Ref WebSecurityGroup
          Description: From Web Security Group
      SecurityGroupEgress:
        - IpProtocol: -1
          FromPort: -1
          ToPort: -1
          CidrIp: 0.0.0.0/0
          Description: to all
      VpcId: !Ref Vpc

  ElastiCacheSecurityGroup:
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W40
            reason: Default egress rule
          - id: W5
            reason: Default egress rule
    Type: "AWS::EC2::SecurityGroup"
    Properties:
      GroupDescription: Security group for ElastiCache cache cluster
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 6379
          ToPort: 6379
          SourceSecurityGroupId: !Ref WebSecurityGroup
          Description: From Web Security Group
      SecurityGroupEgress:
        - IpProtocol: -1
          FromPort: -1
          ToPort: -1
          CidrIp: 0.0.0.0/0
          Description: to all
      VpcId: !Ref Vpc

  EfsSecurityGroup:
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W40
            reason: Default egress rule
          - id: W5
            reason: Default egress rule
    Type: "AWS::EC2::SecurityGroup"
    Properties:
      GroupDescription: Security group for EFS cluster
      VpcId: !Ref Vpc
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 2049
          ToPort: 2049
          SourceSecurityGroupId: !Ref WebSecurityGroup
          Description: From Web Security Group
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          SourceSecurityGroupId: !Ref BastionSecurityGroup
          Description: From Bastion
      SecurityGroupEgress:
        - IpProtocol: -1
          FromPort: -1
          ToPort: -1
          CidrIp: 0.0.0.0/0
          Description: to all

  # Self-referencing NFS rule; declared as a separate resource because a group
  # cannot reference its own Id from inside its own Properties.
  EfsSecurityGroupIngress:
    Type: "AWS::EC2::SecurityGroupIngress"
    Properties:
      IpProtocol: tcp
      FromPort: 2049
      ToPort: 2049
      SourceSecurityGroupId: !GetAtt EfsSecurityGroup.GroupId
      GroupId: !GetAtt EfsSecurityGroup.GroupId
      Description: From self

  PublicAlbSecurityGroup:
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W9
            reason: "This is a security group for public facing ALB"
          - id: W2
            reason: "This is a security group for public facing ALB"
          - id: W40
            reason: "Default egress rule"
          - id: W5
            reason: "Default egress rule"
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group for ALB
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
          Description: From public
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
          Description: From public
      SecurityGroupEgress:
        - IpProtocol: -1
          FromPort: -1
          ToPort: -1
          CidrIp: 0.0.0.0/0
          Description: to all
      VpcId: !Ref Vpc

  WebSecurityGroup:
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W40
            reason: Default egress rule
          - id: W5
            reason: Default egress rule
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group for web instances
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          SourceSecurityGroupId: !Ref PublicAlbSecurityGroup
          Description: From public ALB
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          SourceSecurityGroupId: !Ref PublicAlbSecurityGroup
          Description: From public ALB
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          SourceSecurityGroupId: !Ref BastionSecurityGroup
          Description: From Bastion
      SecurityGroupEgress:
        - IpProtocol: -1
          FromPort: -1
          ToPort: -1
          CidrIp: 0.0.0.0/0
          Description: To all
      VpcId: !Ref Vpc

Outputs:

  BastionSecurityGroup:
    Value: !Ref BastionSecurityGroup
  DatabaseSecurityGroup:
    Value: !Ref DatabaseSecurityGroup
  EfsSecurityGroup:
    Value: !Ref EfsSecurityGroup
  ElastiCacheSecurityGroup:
    Value: !Ref ElastiCacheSecurityGroup
  PublicAlbSecurityGroup:
    Value: !Ref PublicAlbSecurityGroup
  WebSecurityGroup:
    Value: !Ref WebSecurityGroup
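The template's one weak setting is the `SshAccessCidr` default of `0.0.0.0/0`, which the parameter description warns about but nothing enforces. Below is an added least-privilege check (example code, not part of the Moodle reference architecture) that takes the ingress rules from the template above, transcribed by hand into plain Python so it runs offline without a YAML parser or AWS credentials, substitutes a candidate `SshAccessCidr` value, and flags any group other than the public ALB that would accept traffic from the whole internet. The policy (`INTERNET_FACING`) and the `203.0.113.0/24` office range are assumptions chosen for the example.

```python
"""Offline least-privilege check for this template's security-group ingress rules.

Added example, not part of the Moodle reference architecture. The rule table is a
hand transcription of the template's SecurityGroupIngress entries; the policy is
an assumption chosen for the example.
"""
import ipaddress
from typing import Dict, List

# Assumption: only the public ALB may accept traffic from the whole internet,
# and only on these ports. Everything else must be reachable solely from
# another security group defined in the template.
INTERNET_FACING: Dict[str, set] = {"PublicAlbSecurityGroup": {80, 443}}


def build_ingress(ssh_access_cidr: str) -> Dict[str, List[dict]]:
    """Ingress rules from the template with the SshAccessCidr parameter substituted.

    "source" is either a CIDR string or the logical name of a source security group.
    """
    return {
        "BastionSecurityGroup": [{"port": 22, "source": ssh_access_cidr}],
        "DatabaseSecurityGroup": [{"port": 3306, "source": "WebSecurityGroup"}],
        "ElastiCacheSecurityGroup": [{"port": 6379, "source": "WebSecurityGroup"}],
        "EfsSecurityGroup": [
            {"port": 2049, "source": "WebSecurityGroup"},
            {"port": 22, "source": "BastionSecurityGroup"},
            {"port": 2049, "source": "EfsSecurityGroup"},  # the separate self rule
        ],
        "PublicAlbSecurityGroup": [
            {"port": 443, "source": "0.0.0.0/0"},
            {"port": 80, "source": "0.0.0.0/0"},
        ],
        "WebSecurityGroup": [
            {"port": 80, "source": "PublicAlbSecurityGroup"},
            {"port": 443, "source": "PublicAlbSecurityGroup"},
            {"port": 22, "source": "BastionSecurityGroup"},
        ],
    }


def find_violations(ingress: Dict[str, List[dict]]) -> List[str]:
    """Return one message per rule that breaks the policy; an empty list means clean."""
    violations = []
    for group, rules in ingress.items():
        for rule in rules:
            src, port = rule["source"], rule["port"]
            if src in ingress:
                # Group-to-group rule: scoped to members of a known group, accepted as-is.
                continue
            try:
                net = ipaddress.ip_network(src, strict=False)
            except ValueError:
                # Neither a known group nor a parseable CIDR.
                violations.append(f"{group}: port {port} has invalid source {src!r}")
                continue
            # prefixlen 0 is 0.0.0.0/0 (or ::/0): the entire internet.
            if net.prefixlen == 0 and port not in INTERNET_FACING.get(group, set()):
                violations.append(f"{group}: port {port} open to {net}")
    return violations


if __name__ == "__main__":
    # The template's default value for SshAccessCidr: flagged.
    for msg in find_violations(build_ingress("0.0.0.0/0")) or ["clean"]:
        print(msg)
    # A restricted office range (constructed, RFC 5737 documentation prefix): clean.
    for msg in find_violations(build_ingress("203.0.113.0/24")) or ["clean"]:
        print(msg)
```

Run it as a pre-deploy gate with the value you intend to pass for `SshAccessCidr`; with the template default it reports `BastionSecurityGroup: port 22 open to 0.0.0.0/0`, with a real office range it reports nothing. Malformed input is reported rather than raised, although in practice the template's `AllowedPattern` rejects it before the stack is created. The check deliberately ignores egress: the template suppresses cfn_nag W5/W40 for the unrestricted egress rules on every group, and whether that is acceptable is a decision to make once, not per rule.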