kfs_rds_securitygroup.yaml

AWSTemplateFormatVersion: '2010-09-09'
Description: KFS RDS Database Access Security Group
# This CloudFormation template creates the EC2 security group to be utilized by KFS RDS instances in the Kuali accounts.

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Security Group Metadata
        Parameters:
          - VPC
      - Label:
          default: Tags
        Parameters:
          - TagService
          - TagName
          - TagEnvironment
          - TagCreatedBy
          - TagContactNetId
          - TagAccountNumber
          - TagSubAccount
          - TagTicketNumber
          - TagResourceFunction

Parameters:
  VPC:
    Description: ID of the VPC that this security group should be attached to (NOT the VPC name)
    Type: String
  TagService:
    Description: Service name (from the service catalog) that is utilizing this resource
    Type: String
  TagName:
    Description: Descriptive identifier of resource.
    Type: String
  TagEnvironment:
    Description: Type of environment that is using this resource, such as 'dev', 'tst', 'prd'.
    Type: String
  TagCreatedBy:
    Description: NetID of the user that created this resource
    Type: String
  TagContactNetId:
    Description: NetID of the person to contact for information about this resource
    Type: String
  TagAccountNumber:
    Description: Financial system account number for the service utilizing this resource
    Type: String
  TagSubAccount:
    Description: Financial system subaccount number for the service utilizing this resource
    Type: String
  TagTicketNumber:
    Description: Ticket number that this resource is for
    Type: String
  TagResourceFunction:
    Description: Human-readable description of what function this resource is providing
    Type: String

Resources:
  # Members of this security group will be allowed to access resources in the RDS Security Group,
  # meaning that KFS application instances should have this security group applied to them.
  KFSAppSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: ua-kfs-app-access-sg
      VpcId: !Ref VPC
      Tags:
        - Key: service
          Value: !Ref TagService
        - Key: Name
          Value: !Ref TagName
        - Key: environment
          Value: !Ref TagEnvironment
        - Key: createdby
          Value: !Ref TagCreatedBy
        - Key: contactnetid
          Value: !Ref TagContactNetId
        - Key: accountnumber
          Value: !Ref TagAccountNumber
        - Key: subaccount
          Value: !Ref TagSubAccount
        - Key: ticketnumber
          Value: !Ref TagTicketNumber
        - Key: resourcefunction
          Value: !Ref TagResourceFunction

  KFSRDSSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: ua-kfs-database-access-sg
      # Ingress rules taken from the existing 'ua-database-access-sg' in the ua-erp account
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: '1521'
          ToPort: '1521'
          CidrIp: 10.138.2.0/24
        - IpProtocol: tcp
          FromPort: '1521'
          ToPort: '1521'
          CidrIp: 10.221.2.0/24
        - IpProtocol: tcp
          FromPort: '1521'
          ToPort: '1521'
          CidrIp: 10.140.24.0/24
        - IpProtocol: tcp
          FromPort: '1521'
          ToPort: '1521'
          CidrIp: 10.140.4.0/24
        - IpProtocol: tcp
          FromPort: '1521'
          ToPort: '1521'
          CidrIp: 10.140.14.0/24
        - IpProtocol: tcp
          FromPort: '1521'
          ToPort: '1521'
          CidrIp: 10.221.2.64/26
        - IpProtocol: tcp
          FromPort: '1521'
          ToPort: '1521'
          CidrIp: 10.221.2.0/26
        - IpProtocol: tcp
          FromPort: '1521'
          ToPort: '1521'
          CidrIp: 10.140.30.0/24
        - IpProtocol: tcp
          FromPort: '1521'
          ToPort: '1521'
          CidrIp: 10.220.176.0/24
        - IpProtocol: tcp
          FromPort: '1521'
          ToPort: '1521'
          CidrIp: 10.220.177.0/24
        - IpProtocol: tcp
          FromPort: '1521'
          ToPort: '1521'
          CidrIp: 150.135.241.0/24
        - IpProtocol: tcp
          FromPort: '1521'
          ToPort: '1521'
          SourceSecurityGroupId: !Ref KFSAppSecurityGroup
      VpcId: !Ref VPC
      Tags:
        - Key: service
          Value: !Ref TagService
        - Key: Name
          Value: !Ref TagName
        - Key: environment
          Value: !Ref TagEnvironment
        - Key: createdby
          Value: !Ref TagCreatedBy
        - Key: contactnetid
          Value: !Ref TagContactNetId
        - Key: accountnumber
          Value: !Ref TagAccountNumber
        - Key: subaccount
          Value: !Ref TagSubAccount
        - Key: ticketnumber
          Value: !Ref TagTicketNumber
        - Key: resourcefunction
          Value: !Ref TagResourceFunction
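The ingress list above is the part of this template a reviewer checks before each deploy: every rule should be limited to tcp/1521, no CIDR should be wider than the existing /24 and /26 ranges, and subnets already covered by a larger entry (the two 10.221.2.x/26 entries sit inside 10.221.2.0/24) add nothing but review noise. The following is an added audit script, not part of the template; the rule list is a constructed copy of the template's SecurityGroupIngress entries, and the 0.0.0.0/0 rule is a constructed bad entry used only to show detection.

```python
import ipaddress

ORACLE_PORT = 1521

def tcp_rule(port=ORACLE_PORT, **source):
    # Build one SecurityGroupIngress entry in the shape the template uses.
    return {"IpProtocol": "tcp", "FromPort": str(port), "ToPort": str(port), **source}

# Constructed copy of the template's ingress rules, in the same order as the YAML.
TEMPLATE_RULES = [tcp_rule(CidrIp=c) for c in (
    "10.138.2.0/24", "10.221.2.0/24", "10.140.24.0/24", "10.140.4.0/24",
    "10.140.14.0/24", "10.221.2.64/26", "10.221.2.0/26", "10.140.30.0/24",
    "10.220.176.0/24", "10.220.177.0/24", "150.135.241.0/24",
)] + [tcp_rule(SourceSecurityGroupId="!Ref KFSAppSecurityGroup")]

# Constructed over-broad rule that is NOT in the template; used to show detection.
WEAK_RULE = tcp_rule(CidrIp="0.0.0.0/0")

def audit_ingress(rules, port=ORACLE_PORT, min_prefixlen=24):
    """Return findings as (index, kind, detail) tuples; an empty list means the rules pass."""
    findings = []
    cidrs = {}
    for i, r in enumerate(rules):
        if r.get("IpProtocol") != "tcp" or int(r["FromPort"]) != port or int(r["ToPort"]) != port:
            findings.append((i, "wrong_port", "rule is not restricted to tcp/%d" % port))
        if "CidrIp" in r:
            net = ipaddress.ip_network(r["CidrIp"], strict=True)  # raises if host bits are set
            cidrs[i] = net
            if net.prefixlen < min_prefixlen:
                findings.append((i, "broad_cidr", "%s is wider than /%d" % (net, min_prefixlen)))
        elif "SourceSecurityGroupId" not in r:
            findings.append((i, "no_source", "rule has neither CidrIp nor SourceSecurityGroupId"))
    # A CIDR fully contained in another rule's CIDR grants no extra reachability;
    # it only makes the group harder to review, so report it as redundant.
    for i, net in cidrs.items():
        for j, other in cidrs.items():
            if i != j and net != other and net.subnet_of(other):
                findings.append((i, "redundant", "%s is already covered by %s" % (net, other)))
                break
    return findings

if __name__ == "__main__":
    for finding in audit_ingress(TEMPLATE_RULES + [WEAK_RULE]):
        print(finding)
```

Run against the template's own rules it reports only the two redundant /26 entries; appending the 0.0.0.0/0 rule adds a broad_cidr finding and marks every other CIDR as covered by it.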