@eddiecorrigall
Last active February 23, 2018 22:46
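---
# Two-subnet VPC: a public subnet routed through an Internet Gateway and a
# private subnet routed through a NAT Gateway, an S3 gateway endpoint scoped
# to one bucket, and two security groups (DMZ / RDS tier).
#
# Quoted because a bare date is read as a timestamp by YAML 1.1 loaders;
# CloudFormation expects the string.
AWSTemplateFormatVersion: '2010-09-09'

Parameters:
  # Source range allowed to reach TCP/22 on the DMZ security group.
  # The default keeps the original open-to-world behaviour so existing
  # deployments are unchanged; override it with an admin range at deploy time
  # (e.g. a constructed example: 203.0.113.0/24).
  SshIngressCidr:
    Type: String
    Default: 0.0.0.0/0
    AllowedPattern: '^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$'
    ConstraintDescription: must be an IPv4 CIDR, for example 203.0.113.0/24
    Description: >-
      CIDR range permitted to open SSH (TCP/22) to instances in the DMZ
      security group. Narrow this to an administrative range.

Resources:
  VPC:
    Type: 'AWS::EC2::VPC'
    Properties:
      CidrBlock: 10.0.0.0/16

  InternetGateway:
    Type: 'AWS::EC2::InternetGateway'

  GatewayToInternet:
    Type: 'AWS::EC2::VPCGatewayAttachment'
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref InternetGateway

  # Gateway endpoint so both subnets reach S3 without traversing the IGW/NAT.
  S3Endpoint:
    Type: 'AWS::EC2::VPCEndpoint'
    Properties:
      VpcId: !Ref VPC
      ServiceName: !Join ['', ['com.amazonaws.', !Ref 'AWS::Region', '.s3']]
      RouteTableIds:
        - !Ref PublicRouteTable
        - !Ref PrivateRouteTable
      PolicyDocument:
        Version: '2012-10-17'  # quoted for the same reason as the template version
        Statement:
          - Effect: Allow
            # Any caller inside the VPC; the Resource list is what limits
            # which bucket is reachable through this endpoint.
            Principal: '*'
            Action:
              - 's3:GetObject'
              - 's3:ListBucket'
              # Account-level action: it only matches Resource '*', so it is
              # inert against the bucket-scoped ARNs below.
              - 's3:ListAllMyBuckets'
            Resource:
              # Bucket ARN (no trailing /*) is what s3:ListBucket is
              # evaluated against; without it ListBucket was never permitted.
              - 'arn:aws:s3:::vpn-shared-bucket'
              # Object ARN for s3:GetObject.
              - 'arn:aws:s3:::vpn-shared-bucket/*'

  PublicSubnet:
    Type: 'AWS::EC2::Subnet'
    Properties:
      MapPublicIpOnLaunch: true  # instances launched here get a public IP
      VpcId: !Ref VPC
      CidrBlock: 10.0.1.0/24
      AvailabilityZone: !Select
        - 0  # first AZ of the region; the private subnet takes the second
        - Fn::GetAZs: !Ref 'AWS::Region'
      Tags:
        - Key: Name
          Value: 'Public Subnet (10.0.1.*)'

  PublicRouteTable:
    Type: 'AWS::EC2::RouteTable'
    Properties:
      VpcId: !Ref VPC

  PublicSubnetRouteTableAssociation:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      SubnetId: !Ref PublicSubnet
      RouteTableId: !Ref PublicRouteTable

  PublicInternetRoute:
    Type: 'AWS::EC2::Route'
    # A route that targets an Internet Gateway must wait for the gateway to
    # be attached to the VPC, otherwise stack creation can fail.
    DependsOn: GatewayToInternet
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway

  NatEIP:
    Type: 'AWS::EC2::EIP'
    # A VPC-scoped EIP in a VPC created by the same template must depend on
    # the gateway attachment.
    DependsOn: GatewayToInternet
    Properties:
      Domain: vpc

  NatGateway:
    Type: 'AWS::EC2::NatGateway'
    Properties:
      AllocationId: !GetAtt NatEIP.AllocationId
      SubnetId: !Ref PublicSubnet  # NAT must live in the subnet with IGW egress

  PrivateSubnet:
    Type: 'AWS::EC2::Subnet'
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.2.0/24
      AvailabilityZone: !Select
        - 1  # second AZ, distinct from the public subnet
        - Fn::GetAZs: !Ref 'AWS::Region'
      Tags:
        - Key: Name
          Value: 'Private Subnet (10.0.2.*)'

  PrivateRouteTable:
    Type: 'AWS::EC2::RouteTable'
    Properties:
      VpcId: !Ref VPC

  PrivateSubnetRouteTableAssociation:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      RouteTableId: !Ref PrivateRouteTable
      SubnetId: !Ref PrivateSubnet

  PrivateInternetRoute:
    Type: 'AWS::EC2::Route'
    Properties:
      RouteTableId: !Ref PrivateRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NatGateway  # private hosts egress via NAT only

  DmzSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      VpcId: !Ref VPC
      GroupDescription: 'DMZ security group for web DMZ'
      SecurityGroupIngress:  # traffic in
        - IpProtocol: tcp  # SSH, source limited by the SshIngressCidr parameter
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref SshIngressCidr
        - IpProtocol: tcp  # HTTP
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp  # HTTPS
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
      SecurityGroupEgress:  # traffic out
        - IpProtocol: icmp
          FromPort: -1
          ToPort: -1
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp  # SSH onward (e.g. to hosts in RdsSecurityGroup)
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp  # HTTP, for system updates
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp  # HTTPS, for system updates
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0

  RdsSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      VpcId: !Ref VPC
      GroupDescription: 'RDS security group with http(s) access for software updates'
      SecurityGroupIngress:  # traffic in, only from the DMZ tier
        - IpProtocol: tcp  # SSH
          FromPort: 22
          ToPort: 22
          SourceSecurityGroupId: !GetAtt DmzSecurityGroup.GroupId
        - IpProtocol: tcp  # PostgreSQL
          FromPort: 5432
          ToPort: 5432
          SourceSecurityGroupId: !GetAtt DmzSecurityGroup.GroupId
        - IpProtocol: tcp  # MySQL
          FromPort: 3306
          ToPort: 3306
          SourceSecurityGroupId: !GetAtt DmzSecurityGroup.GroupId
      SecurityGroupEgress:  # traffic out
        - IpProtocol: icmp
          FromPort: -1
          ToPort: -1
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp  # HTTP, for system updates
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp  # HTTPS, for system updates
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0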