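# Two-subnet VPC: one public subnet (Internet Gateway route) and one private
# subnet (NAT Gateway route), an S3 gateway endpoint attached to both route
# tables, and two security groups (DMZ hosts, database hosts).
AWSTemplateFormatVersion: 2010-09-09
Resources:
  VPC:
    Type: 'AWS::EC2::VPC'
    Properties:
      CidrBlock: 10.0.0.0/16
  InternetGateway:
    Type: 'AWS::EC2::InternetGateway'
  GatewayToInternet:
    Type: 'AWS::EC2::VPCGatewayAttachment'
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref InternetGateway
  S3Endpoint: # S3 shortcut for public and private subnets
    Type: 'AWS::EC2::VPCEndpoint'
    Properties:
      VpcId: !Ref VPC
      ServiceName: !Join ['', ['com.amazonaws.', !Ref 'AWS::Region', '.s3']]
      RouteTableIds:
        - !Ref PublicRouteTable
        - !Ref PrivateRouteTable
      # Endpoint policy: applies to every principal whose S3 traffic traverses
      # this endpoint, so Principal '*' is the usual form here and the Resource
      # list is what actually scopes access.
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal: '*'
            Action:
              - 's3:GetObject'
              - 's3:ListBucket'
              # s3:ListAllMyBuckets only matches Resource '*'; against the bucket
              # ARNs below it never grants anything. Left as-is rather than
              # widening the endpoint policy to all buckets.
              - 's3:ListAllMyBuckets'
            Resource:
              # Object-level actions (GetObject) match the '/*' ARN; the
              # bucket-level action (ListBucket) needs the bare bucket ARN.
              - 'arn:aws:s3:::vpn-shared-bucket/*'
              - 'arn:aws:s3:::vpn-shared-bucket'
  PublicSubnet:
    Type: 'AWS::EC2::Subnet'
    Properties:
      MapPublicIpOnLaunch: true # Automatically assign public ip
      VpcId: !Ref VPC
      CidrBlock: 10.0.1.0/24
      AvailabilityZone: !Select
        - 0 # Select distinct AZ from private subnet
        - Fn::GetAZs: !Ref 'AWS::Region'
      Tags:
        - Key: Name
          Value: Public Subnet (10.0.1.*)
  PublicRouteTable:
    Type: 'AWS::EC2::RouteTable'
    Properties:
      VpcId: !Ref VPC
  PublicSubnetRouteTableAssociation:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      SubnetId: !Ref PublicSubnet
      RouteTableId: !Ref PublicRouteTable
  PublicInternetRoute:
    Type: 'AWS::EC2::Route'
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
  NatEIP:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc
  NatGateway:
    Type: 'AWS::EC2::NatGateway'
    Properties:
      AllocationId: !GetAtt NatEIP.AllocationId
      SubnetId: !Ref PublicSubnet # NAT must live in the public subnet
  PrivateSubnet:
    Type: 'AWS::EC2::Subnet'
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.2.0/24
      AvailabilityZone: !Select
        - 1 # Select distinct AZ from public subnet
        - Fn::GetAZs: !Ref 'AWS::Region'
      Tags:
        - Key: Name
          Value: Private Subnet (10.0.2.*)
  PrivateRouteTable:
    Type: 'AWS::EC2::RouteTable'
    Properties:
      VpcId: !Ref VPC
  PrivateSubnetRouteTableAssociation:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      RouteTableId: !Ref PrivateRouteTable
      SubnetId: !Ref PrivateSubnet
  PrivateInternetRoute:
    Type: 'AWS::EC2::Route'
    Properties:
      RouteTableId: !Ref PrivateRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NatGateway # Outbound only; no inbound path exists
  DmzSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      VpcId: !Ref VPC
      GroupDescription: 'DMZ security group for web DMZ'
      SecurityGroupIngress: # Traffic in
        - IpProtocol: tcp # SSH
          FromPort: 22
          ToPort: 22
          # TODO: restrict. World-reachable SSH on the DMZ is the largest
          # exposure in this template; narrow to an admin CIDR or a bastion.
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp # HTTP
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp # SSL (HTTPS)
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
      # Outbound is restricted to the rules below (declaring any
      # SecurityGroupEgress replaces the default allow-all egress).
      SecurityGroupEgress:
        - IpProtocol: icmp
          FromPort: -1
          ToPort: -1
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp # SSH
          FromPort: 22
          ToPort: 22
          # Pairs with RdsSecurityGroup's SSH ingress from this group; it could
          # be scoped to 10.0.2.0/24 instead of the whole internet.
          CidrIp: 0.0.0.0/0
        # For system updates
        - IpProtocol: tcp # HTTP
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp # SSL (HTTPS)
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
  RdsSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      VpcId: !Ref VPC
      GroupDescription: 'RDS security group with http(s) access for software updates'
      # All ingress is sourced from DmzSecurityGroup, so database ports are
      # never exposed to a CIDR.
      SecurityGroupIngress: # Traffic in
        # NOTE(review): managed RDS instances do not accept SSH; this rule only
        # matters if the group is also attached to self-managed DB hosts.
        - IpProtocol: tcp # SSH
          FromPort: 22
          ToPort: 22
          SourceSecurityGroupId: !GetAtt DmzSecurityGroup.GroupId
        - IpProtocol: tcp # Postgres
          FromPort: 5432
          ToPort: 5432
          SourceSecurityGroupId: !GetAtt DmzSecurityGroup.GroupId
        - IpProtocol: tcp # MySQL
          FromPort: 3306
          ToPort: 3306
          SourceSecurityGroupId: !GetAtt DmzSecurityGroup.GroupId
      # Outbound is restricted to the rules below (declaring any
      # SecurityGroupEgress replaces the default allow-all egress).
      SecurityGroupEgress:
        - IpProtocol: icmp
          FromPort: -1
          ToPort: -1
          CidrIp: 0.0.0.0/0
        # For system updates
        - IpProtocol: tcp # HTTP
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp # SSL (HTTPS)
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0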