refactor security groups
guslington committed Jul 3, 2018
1 parent 7b69870 commit cd19d5a
Showing 3 changed files with 20 additions and 22 deletions.
4 changes: 2 additions & 2 deletions bastion.cfhighlander.rb
Expand Up @@ -22,7 +22,7 @@
end

ComponentParam 'VPCId', type: 'AWS::EC2::VPC::Id'
ComponentParam 'SecurityGroupDev', type: 'AWS::EC2::SecurityGroup::Id'
ComponentParam 'SecurityGroupOps', type: 'AWS::EC2::SecurityGroup::Id'
ComponentParam 'SecurityGroupDev'
ComponentParam 'SecurityGroupOps'
end
end
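Review bot: The two `ComponentParam` lines that drop `type: 'AWS::EC2::SecurityGroup::Id'` give up the CloudFormation-side validation that the supplied value is an existing security group id in the account and region; a plain untyped parameter accepts any string and the error only surfaces when the id is used. From the print order and the cfndsl change in this commit, the untyped lines appear to be the new side, though the rendered page does not mark them. Nothing in the visible bastion.cfndsl.rb hunks still references `Ref('SecurityGroupDev')` or `Ref('SecurityGroupOps')` after the ingress rules are removed, so if the parameters are now unused they could be deleted outright; if they are still consumed elsewhere, keeping `ComponentParam 'SecurityGroupDev', type: 'AWS::EC2::SecurityGroup::Id'` preserves the typed check at stack create time. The enclosing block closed by the two `end` lines starts outside this section.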
21 changes: 2 additions & 19 deletions bastion.cfndsl.rb
Expand Up @@ -5,24 +5,7 @@
EC2_SecurityGroup('SecurityGroupBastion') do
GroupDescription FnJoin(' ', [ Ref('EnvironmentName'), component_name ])
VpcId Ref('VPCId')
end

EC2_SecurityGroupIngress('OpsIngressRule') do
Description 'SSH access from ops security group'
IpProtocol 'tcp'
FromPort '22'
ToPort '22'
GroupId FnGetAtt('SecurityGroupBastion','GroupId')
SourceSecurityGroupId Ref('SecurityGroupOps')
end

EC2_SecurityGroupIngress('DevIngressRule') do
Description 'SSH access from dev security group'
IpProtocol 'tcp'
FromPort '22'
ToPort '22'
GroupId FnGetAtt('SecurityGroupBastion','GroupId')
SourceSecurityGroupId Ref('SecurityGroupDev')
SecurityGroupIngress sg_create_rules(securityGroups, ip_blocks) if defined? securityGroups
end

EIP('BastionIPAddress') do
Expand Down Expand Up @@ -65,7 +48,7 @@
"#!/bin/bash\n",
"aws --region ", Ref("AWS::Region"), " ec2 associate-address --allocation-id ", FnGetAtt('BastionIPAddress','AllocationId') ," --instance-id $(curl http://169.254.169.254/2014-11-05/meta-data/instance-id -s)\n",
"hostname ", Ref('EnvironmentName') ,"-" ,"bastion-`/opt/aws/bin/ec2-metadata --instance-id|/usr/bin/awk '{print $2}'`\n",
"sed '/HOSTNAME/d' /etc/sysconfig/network > /tmp/network && mv -f /tmp/network /etc/sysconfig/network && echo \"HOSTNAME=", Ref('EnvironmentName') ,"-" ,"bastion-`/opt/aws/bin/ec2-metadata --instance-id|/usr/bin/awk '{print $2}'`\" >>/etc/sysconfig/network && /etc/init.d/network restart\n",
"sed '/HOSTNAME/d' /etc/sysconfig/network > /tmp/network && mv -f /tmp/network /etc/sysconfig/network && echo \"HOSTNAME=", Ref('EnvironmentName') ,"-" ,"bastion-`/opt/aws/bin/ec2-metadata --instance-id|/usr/bin/awk '{print $2}'`\" >>/etc/sysconfig/network && /etc/init.d/network restart\n",
]))
end

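Review bot: The guard on the new `SecurityGroupIngress sg_create_rules(securityGroups, ip_blocks) if defined? securityGroups` line checks only `securityGroups`, while the call also takes `ip_blocks`; if `ip_blocks` is resolved from the component config the same way `securityGroups` presumably is, a config that sets `securityGroups` without setting or importing `ip_blocks` (the case the new bastion.config.yaml comment describes) would fail with NameError at template generation rather than producing a clear message. Guarding both, `SecurityGroupIngress sg_create_rules(securityGroups, ip_blocks) if defined?(securityGroups) && defined?(ip_blocks)`, or raising an explicit error when one is set without the other, makes the dependency visible in one place. The removed OpsIngressRule and DevIngressRule pinned SSH on port 22 to two referenced security groups and carried a Description each; with the replacement, whether port 22 stays limited to specific sources depends entirely on what `securityGroups` contains, and a one-line comment above the new line noting that an absent or empty `securityGroups` leaves SecurityGroupBastion with no ingress rules would help the next reader. The UserData block in the second hunk starts outside the hunk, and its two printed lines appear identical, so that change is presumably whitespace only.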
17 changes: 16 additions & 1 deletion bastion.config.yaml
@@ -1 +1,16 @@
maximum_availability_zones: 5
maximum_availability_zones: 5

# Set `ip_blocks` here or export from vpc component
# ip_blocks:
# local:
# - 127.0.0.1/32
#
# securityGroups:
# -
# rules:
# -
# IpProtocol: tcp
# FromPort: 22
# ToPort: 22
# ips:
# - local
