@li0nel
Created December 9, 2017 10:44
CloudFormation stack for security-groups
# This security group defines who/where is allowed to access the ECS hosts directly.
# By default we're just allowing access from the load balancer. If you want to SSH
# into the hosts, or expose non-load-balanced services, you can open their ports here.
ECSSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    VpcId: !Ref VPC
    GroupDescription: Access to the ECS hosts and the tasks/containers that run on them
    SecurityGroupIngress:
      # Only allow inbound access to ECS from the ELB
      - SourceSecurityGroupId: !Ref LoadBalancerSecurityGroup
        IpProtocol: -1
      # SSH from any address; narrow CidrIp to an admin range (or drop the rule) in production
      - IpProtocol: tcp
        CidrIp: 0.0.0.0/0
        FromPort: '22'
        ToPort: '22'
    Tags:
      - Key: Name
        Value: !Sub ${EnvironmentName}-ECS-Hosts

# This security group defines who/where is allowed to access the Application Load Balancer.
# By default, we've opened this up to the public internet (0.0.0.0/0) but you can restrict
# it further if you want.
LoadBalancerSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    VpcId: !Ref VPC
    GroupDescription: Access to the load balancer that sits in front of ECS
    SecurityGroupIngress:
      # Allow access from anywhere to our ECS services
      - CidrIp: 0.0.0.0/0
        IpProtocol: -1
    Tags:
      - Key: Name
        Value: !Sub ${EnvironmentName}-LoadBalancers

# The database is reachable only from the ECS hosts' security group, never from a CIDR.
DBSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: Open database for access
    VpcId: !Ref VPC
    SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: '3306'
        ToPort: '3306'
        SourceSecurityGroupId: !Ref ECSSecurityGroup
    Tags:
      - Key: Name
        Value: !Sub ${EnvironmentName}-DB-Host
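As an added audit example (not part of the gist), the script below walks the security groups of a template like this one and flags ingress rules open to the whole internet: a high finding when an admin port such as SSH or MySQL is in range, a medium one when a load-balancer group opens every protocol instead of just its listener ports. It assumes the template has already been loaded into a dict (as cfn-flip or a PyYAML loader with `!Ref`/`!Sub` constructors would produce); the three resources are reproduced as a constructed dict.

```python
from typing import Dict, List, Tuple

WORLD = {"0.0.0.0/0", "::/0"}
# Ports that should never be reachable from the whole internet (constructed list).
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres", 6379: "redis"}

def port_range(rule: Dict) -> Tuple[int, int]:
    """Effective (lo, hi) port span; protocol -1 or port -1 means every port."""
    if str(rule.get("IpProtocol", "-1")) == "-1":
        return (0, 65535)
    lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", rule.get("FromPort", 0)))
    return (0, 65535) if -1 in (lo, hi) else (lo, hi)

def audit_security_groups(template: Dict) -> List[Dict]:
    """Return one finding per world-open ingress rule; SG-to-SG references are never flagged."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
            if cidr not in WORLD:
                continue  # SourceSecurityGroupId chaining (LB -> ECS -> DB) is the intended pattern
            lo, hi = port_range(rule)
            exposed = [ADMIN_PORTS[p] for p in sorted(ADMIN_PORTS) if lo <= p <= hi]
            if (lo, hi) == (0, 65535):
                sev, why = "MEDIUM", "all protocols/ports open; an ALB only needs its listener ports (80/443)"
            elif exposed:
                sev, why = "HIGH", "admin port(s) reachable from the internet: " + ", ".join(exposed)
            else:
                continue  # e.g. 80/443 open to the world on a public load balancer is expected
            findings.append({"resource": name, "cidr": cidr, "ports": f"{lo}-{hi}",
                             "severity": sev, "detail": why})
    return findings

# Constructed dict form of the gist's three security groups (Tags/VpcId omitted).
SAMPLE_TEMPLATE = {"Resources": {
    "ECSSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
        {"SourceSecurityGroupId": {"Ref": "LoadBalancerSecurityGroup"}, "IpProtocol": -1},
        {"IpProtocol": "tcp", "CidrIp": "0.0.0.0/0", "FromPort": "22", "ToPort": "22"}]}},
    "LoadBalancerSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
        {"CidrIp": "0.0.0.0/0", "IpProtocol": -1}]}},
    "DBSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": "3306", "ToPort": "3306",
         "SourceSecurityGroupId": {"Ref": "ECSSecurityGroup"}}]}}}}

if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_TEMPLATE):
        print(f"{f['severity']:6} {f['resource']}: {f['cidr']} ports {f['ports']} - {f['detail']}")
```

Run against the sample, it reports the SSH rule on ECSSecurityGroup as HIGH and the all-protocol load-balancer rule as MEDIUM, while DBSecurityGroup produces no finding because its only source is another security group.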