kfs_security_groups.yaml
---

KFS SecurityGroups CloudFormation Deployment

This CloudFormation template builds the security groups required for a KFS environment. It imports the VPC ID and subnet IDs exported by the VPC stack named in VPCCloudFormationName, so that stack must already exist, and it must be deployed immediately before kfs_opsworks.yaml, which consumes the security group IDs this stack exports.

AWSTemplateFormatVersion: '2010-09-09'
Description: KFS Security Groups

Parameters

These are the input parameters for this template. Every parameter has a Default, so the template deploys with no overrides, but most defaults are placeholders (the tag values, the 'sg' environment slug) and should be overridden per environment. EnvAppName, EnvSlug and AppSlug are declared but not referenced by any resource or output in this template.

Parameters:
  EnvAppName:
    MinLength: '3'
    Type: String
    Description: Full application name, e.g. 'Kuali Financials'
    Default: "Uaccess Financials"
  EnvSlug:
    MinLength: '2'
    Type: String
    Description: Short environment slug, e.g. 'dev' or 'markdev'. Lowercase letters, numbers and dashes only
    AllowedPattern: "[a-z0-9-]*"   # dashes permitted, matching the Description and AppSlug
    Default: "sg"
  AppSlug:
    MinLength: '3'
    Type: String
    Description: Short application slug, e.g. 'kfs'. Lowercase letters, numbers and dashes only
    AllowedPattern: "[a-z0-9-]*"
    Default: "uaf"
  VPCCloudFormationName:
    Description: Name of the VPC CloudFormation stack whose vpcid and subnet exports this template imports
    Type: String
    Default: "kuali-vpc"
  TagService:
    Description: Service name (from the service catalog) that is utilizing this resource
    Type: String
    Default: "Uaccess Financials"
  TagName:
    Description: Descriptive identifier of resource.
    Type: String
    Default: "Security Group"
  TagEnvironment:
    Description: Type of environment that is using this resource, such as 'dev', 'tst', 'prd'.
    Type: String
    Default: "Security Groups"
  TagCreatedBy:
    Description: NetID of the user that created this resource
    Type: String
    Default: "kellehs"
  TagContactNetId:
    Description: NetID of the person to contact for information about this resource
    Type: String
    Default: "kellehs"
  TagAccountNumber:
    Description: Financial system account number for the service utilizing this resource
    Type: String
    Default: "Uaccess Financials"
  TagSubAccount:
    Description: Financial system subaccount number for the service utilizing this resource
    Type: String
    Default: "Uaccess Financials"
  TagTicketNumber:
    Description: Ticket number that this resource is for
    Type: String
    Default: "UAFAWS-16"
  TagResourceFunction:
    Description: Human-readable description of what function this resource is providing
    Type: String
    Default: "Security Group"

Resources

These are all of the actual AWS resources created for this application.

Resources:

Instance Security Group

Security group for the OpsWorks application instances themselves. It needs to permit incoming traffic from the ELB (80 and 8080, referenced by security group rather than by CIDR, so only the load balancer can reach the application ports) and from any other authorized incoming sources. Note that as written the SSH rule is open to 0.0.0.0/0. The SshSg group further down already limits SSH to the Mosaic VPN range and one other /24, so the world-open rule should be narrowed to those sources (or dropped in favour of attaching SshSg) before this is used for anything beyond a throwaway environment.

  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow Load Balancer and SSH to host
      VpcId:
        Fn::ImportValue: !Sub "${VPCCloudFormationName}-vpcid"
      SecurityGroupIngress:
        #NOTE: SSH is open to the entire internet here; narrow to the ranges used by SshSg
        - IpProtocol: tcp
          FromPort: '22'
          ToPort: '22'
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: '80'
          ToPort: '80'
          SourceSecurityGroupId: !Ref LoadBalancerSecurityGroup
        - IpProtocol: tcp
          FromPort: '8080'
          ToPort: '8080'
          SourceSecurityGroupId: !Ref LoadBalancerSecurityGroup
      Tags:
        - Key: service
          Value: !Ref TagService
        - Key: Name
          Value: !Sub "${TagName}-instance-sg"
        - Key: environment
          Value: !Ref TagEnvironment
        - Key: createdby
          Value: !Ref TagCreatedBy
        - Key: contactnetid
          Value: !Ref TagContactNetId
        - Key: accountnumber
          Value: !Ref TagAccountNumber
        - Key: subaccount
          Value: !Ref TagSubAccount
        - Key: ticketnumber
          Value: !Ref TagTicketNumber
        - Key: resourcefunction
          Value: !Ref TagResourceFunction

Load Balancer Security Group

This is the Security Group that wraps the Load Balancer and controls what network traffic is allowed into the ELB. Only web traffic is allowed, but from anywhere: TCP 80, 8080 and 443 from 0.0.0.0/0. 80 and 8080 are plaintext HTTP; if the ELB terminates TLS on 443, check whether 80 should do anything other than redirect and whether 8080 needs to be reachable from the internet at all.

  LoadBalancerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow web traffic to the Load Balancer
      VpcId:
        Fn::ImportValue: !Sub "${VPCCloudFormationName}-vpcid"
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: '80'
          ToPort: '80'
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: '8080'
          ToPort: '8080'
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: '443'
          ToPort: '443'
          CidrIp: 0.0.0.0/0
      Tags:
        - Key: service
          Value: !Ref TagService
        - Key: Name
          Value: !Sub "${TagName}-lb-sg"
        - Key: environment
          Value: !Ref TagEnvironment
        - Key: createdby
          Value: !Ref TagCreatedBy
        - Key: contactnetid
          Value: !Ref TagContactNetId
        - Key: accountnumber
          Value: !Ref TagAccountNumber
        - Key: subaccount
          Value: !Ref TagSubAccount
        - Key: ticketnumber
          Value: !Ref TagTicketNumber
        - Key: resourcefunction
          Value: !Ref TagResourceFunction

DB Security Group Self-Referencing Ingress

Lets instances that are members of DBSecurityGroup talk to each other on TCP 1521 (not, as the original comment says, any database in the VPC: only members of the group). It is declared as a standalone AWS::EC2::SecurityGroupIngress resource rather than inline, because a security group cannot !Ref itself inside its own SecurityGroupIngress list; CloudFormation rejects that as a circular dependency.

  #Created this so any database in the group can talk to any other database in the group.
  #Had to create a separate AWS type to avoid a circular dependency when trying to create
  #the rule inside the actual DbSg security group.
  DbSgIngress:
    Type: "AWS::EC2::SecurityGroupIngress"
    Properties:
      GroupId: !Ref "DBSecurityGroup"
      IpProtocol: "tcp"
      FromPort: "1521"
      ToPort: "1521"
      SourceSecurityGroupId: !Ref "DBSecurityGroup"

DB Security Group

Defines the Security Group for the RDS database (Oracle listener, TCP 1521). Despite the GroupDescription, access is not limited to the application instances: alongside the InstanceSecurityGroup reference it allows 1521 from a list of on-premises and other-account ranges (the Mosaic VPN, RAC servers, VM View, and the UAIR, DR and PeopleSoft non-prod private subnets). Three of the ranges are annotated only with '??'; confirm what they are or remove them. Where a rule carries a Description property, that text is visible in the EC2 console, whereas YAML comments are lost once the template is deployed, so prefer Description for every CIDR rule.

  DBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow DB traffic from Application Instances
      VpcId:
        Fn::ImportValue: !Sub "${VPCCloudFormationName}-vpcid"
      #Allow inbound traffic on port 1521 from the App Security Group and various IP ranges
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: '1521'
          ToPort: '1521'
          SourceSecurityGroupId: !Ref InstanceSecurityGroup
        - IpProtocol: "tcp"
          FromPort: "1521"
          ToPort: "1521"
          CidrIp: "10.138.0.0/17"        #Mosaic VPN
        - IpProtocol: "tcp"
          FromPort: "1521"
          ToPort: "1521"
          CidrIp: "10.140.14.0/24"       #SUP RAC Servers
        - IpProtocol: "tcp"
          FromPort: "1521"
          ToPort: "1521"
          CidrIp: "10.140.24.0/24"       #PRD RAC Servers
        - IpProtocol: "tcp"
          FromPort: "1521"
          ToPort: "1521"
          CidrIp: "10.140.30.0/24"       #VM View
        - IpProtocol: "tcp"
          FromPort: "1521"
          ToPort: "1521"
          CidrIp: "10.140.4.0/24"        #DEV RAC Servers
        - IpProtocol: "tcp"
          FromPort: "1521"
          ToPort: "1521"
          CidrIp: "10.140.5.0/24"        #??
        - IpProtocol: "tcp"
          FromPort: "1521"
          ToPort: "1521"
          CidrIp: "10.221.72.0/24"       #??
        - IpProtocol: "tcp"
          FromPort: "1521"
          ToPort: "1521"
          CidrIp: "10.221.75.0/24"       #??
        #Include the private subnets from the UAIR Dev account
        - IpProtocol: "tcp"
          FromPort: "1521"
          ToPort: "1521"
          CidrIp: "10.220.161.64/26"     #UAIR Dev Account Private Subnet1
        - IpProtocol: "tcp"
          FromPort: "1521"
          ToPort: "1521"
          CidrIp: "10.220.161.128/26"    #UAIR Dev Account Private Subnet2
        #Include the private subnets from the UAIR Prod account
        - IpProtocol: "tcp"
          FromPort: "1521"
          ToPort: "1521"
          CidrIp: "10.220.183.128/26"
          Description: "UAIR Prod Account Private Subnet1"
        - IpProtocol: "tcp"
          FromPort: "1521"
          ToPort: "1521"
          CidrIp: "10.220.183.192/26"
          Description: "UAIR Prod Account Private Subnet2"
        #Include the private subnets from the DR account
        - IpProtocol: "tcp"
          FromPort: "1521"
          ToPort: "1521"
          CidrIp: "10.220.160.64/26"     #DR Account Private Subnet1
        - IpProtocol: "tcp"
          FromPort: "1521"
          ToPort: "1521"
          CidrIp: "10.220.160.128/26"    #DR Account Private Subnet2
        #Adding private subnets from PeopleSoft non-prod
        - IpProtocol: "tcp"
          FromPort: "1521"
          ToPort: "1521"
          CidrIp: "10.220.169.0/24"
          Description: "PeopleSoft non-prod Subnet A"
        - IpProtocol: "tcp"
          FromPort: "1521"
          ToPort: "1521"
          CidrIp: "10.220.170.0/24"
          Description: "PeopleSoft non-prod Subnet B"
      Tags:
        - Key: service
          Value: !Ref TagService
        - Key: Name
          Value: !Sub "${TagName}-db-sg"
        - Key: environment
          Value: !Ref TagEnvironment
        - Key: createdby
          Value: !Ref TagCreatedBy
        - Key: contactnetid
          Value: !Ref TagContactNetId
        - Key: accountnumber
          Value: !Ref TagAccountNumber
        - Key: subaccount
          Value: !Ref TagSubAccount
        - Key: ticketnumber
          Value: !Ref TagTicketNumber
        - Key: resourcefunction
          Value: !Ref TagResourceFunction
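The world-open SSH rule on InstanceSecurityGroup and the /17 source range on DBSecurityGroup are the two things a reviewer would want flagged automatically before this template ships. The script below is an added example and not part of the KFS template: it audits the ingress rules of every AWS::EC2::SecurityGroup and AWS::EC2::SecurityGroupIngress resource in a template given in its JSON form (a Python dict, so no YAML tag handling is needed) and reports rules open to 0.0.0.0/0 or ::/0 on anything other than 80/443, plus private source ranges wider than /20. The embedded template excerpt is constructed from the page's own rules with tags and most of the DB ranges omitted; the /20 threshold and the two finding codes are this example's assumptions, not anything the page defines.

```python
"""Static audit of security-group ingress rules in a CloudFormation template.

Added example for this page; it is not part of the KFS template. It works on
the JSON form of a template (a Python dict) so only the standard library is
needed. The sample below is a constructed excerpt of the page's own rules.
"""
import ipaddress
from typing import Iterator, List, Tuple

# Ports it is acceptable to expose to the whole internet (on the ELB).
PUBLIC_WEB_PORTS = {80, 443}
# Assumption: a private source range wider than /20 (4096 hosts) is "broad".
BROAD_PREFIX_LEN = 20

# Constructed excerpt: JSON form of the page's LoadBalancerSecurityGroup,
# InstanceSecurityGroup, DBSecurityGroup and DbSgIngress (tags omitted).
TEMPLATE = {
    "Resources": {
        "LoadBalancerSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {"SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": "80", "ToPort": "80", "CidrIp": "0.0.0.0/0"},
                {"IpProtocol": "tcp", "FromPort": "8080", "ToPort": "8080", "CidrIp": "0.0.0.0/0"},
                {"IpProtocol": "tcp", "FromPort": "443", "ToPort": "443", "CidrIp": "0.0.0.0/0"},
            ]},
        },
        "InstanceSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {"SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": "22", "ToPort": "22", "CidrIp": "0.0.0.0/0"},
                {"IpProtocol": "tcp", "FromPort": "80", "ToPort": "80",
                 "SourceSecurityGroupId": {"Ref": "LoadBalancerSecurityGroup"}},
            ]},
        },
        "DBSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {"SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": "1521", "ToPort": "1521",
                 "SourceSecurityGroupId": {"Ref": "InstanceSecurityGroup"}},
                {"IpProtocol": "tcp", "FromPort": "1521", "ToPort": "1521", "CidrIp": "10.138.0.0/17"},
                {"IpProtocol": "tcp", "FromPort": "1521", "ToPort": "1521", "CidrIp": "10.220.161.64/26"},
            ]},
        },
        "DbSgIngress": {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {"GroupId": {"Ref": "DBSecurityGroup"}, "IpProtocol": "tcp",
                           "FromPort": "1521", "ToPort": "1521",
                           "SourceSecurityGroupId": {"Ref": "DBSecurityGroup"}},
        },
    }
}

Finding = Tuple[str, str, str, int, int]  # (group, code, cidr, from_port, to_port)


def iter_ingress(template: dict) -> Iterator[Tuple[str, dict]]:
    """Yield (group logical id, rule) for inline rules and for standalone
    AWS::EC2::SecurityGroupIngress resources alike."""
    for logical_id, res in template["Resources"].items():
        props = res.get("Properties", {})
        if res["Type"] == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                yield logical_id, rule
        elif res["Type"] == "AWS::EC2::SecurityGroupIngress":
            group = props.get("GroupId")
            name = group["Ref"] if isinstance(group, dict) and "Ref" in group else str(group)
            yield name, props


def port_range(rule: dict) -> Tuple[int, int]:
    """IpProtocol -1 means every port; otherwise use the declared range."""
    if str(rule.get("IpProtocol")) == "-1":
        return 0, 65535
    return int(rule["FromPort"]), int(rule["ToPort"])


def audit(template: dict) -> List[Finding]:
    findings: List[Finding] = []
    for group, rule in iter_ingress(template):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if cidr is None:
            continue  # SG-to-SG references are the intended least-privilege pattern
        net = ipaddress.ip_network(cidr, strict=False)
        lo, hi = port_range(rule)
        if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0
            if set(range(lo, hi + 1)) - PUBLIC_WEB_PORTS:
                findings.append((group, "WORLD_OPEN", cidr, lo, hi))
            continue
        if net.is_private and net.prefixlen < BROAD_PREFIX_LEN:
            findings.append((group, "BROAD_PRIVATE_RANGE", cidr, lo, hi))
    return findings


if __name__ == "__main__":
    for group, code, cidr, lo, hi in audit(TEMPLATE):
        print(f"{code:20} {group:28} {cidr:18} ports {lo}-{hi}")
```

Run against the real file by converting it to JSON first (for example with cfn-flip, or any YAML loader that understands the !Ref/!Sub short tags) and passing the resulting dict to audit(). Rules that reference another security group are deliberately skipped: that is the least-privilege pattern the page already uses between the ELB, the application instances and the database, and it is the pattern the world-open SSH rule should be replaced with.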

SSH Security Group

Defines a Security Group for any server that must accept SSH. Port 22 is allowed only from the Mosaic VPN range and one other /24 (unidentified on the page); attach this group to an instance instead of opening 22 to the internet.

  SshSg:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow SSH Traffic from various subnets
      VpcId:
        Fn::ImportValue: !Sub "${VPCCloudFormationName}-vpcid"
      #Allow inbound traffic on port 22 from various IP ranges
      SecurityGroupIngress:
        - IpProtocol: "tcp"
          FromPort: "22"
          ToPort: "22"
          CidrIp: "10.138.0.0/17"        #Mosaic VPN
        - IpProtocol: "tcp"
          FromPort: "22"
          ToPort: "22"
          CidrIp: "150.135.241.0/24"     #??
      Tags:
        - Key: service
          Value: !Ref TagService
        - Key: Name
          Value: !Sub "${TagName}-ssh-sg"
        - Key: environment
          Value: !Ref TagEnvironment
        - Key: createdby
          Value: !Ref TagCreatedBy
        - Key: contactnetid
          Value: !Ref TagContactNetId
        - Key: accountnumber
          Value: !Ref TagAccountNumber
        - Key: subaccount
          Value: !Ref TagSubAccount
        - Key: ticketnumber
          Value: !Ref TagTicketNumber
        - Key: resourcefunction
          Value: !Ref TagResourceFunction

ControlM Agent Security Group

Security group for the Control-M agent server. It allows the Control-M Enterprise Manager hosts (test and prod, both /32) to reach the agent on TCP 7017 and to ping it, and allows all outbound traffic, which is also what CloudFormation applies by default when SecurityGroupEgress is omitted.

  ControlMAgentSg:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "kuali-controlm-agent-sg"
      VpcId:
        Fn::ImportValue: !Sub "${VPCCloudFormationName}-vpcid"
      #Allow inbound traffic on port 7017 from the Enterprise Manager hosts
      #Also allow all ICMP types and codes (-1/-1) from them, so the agent and EM can ping each other
      SecurityGroupIngress:
        - IpProtocol: "tcp"
          FromPort: "7017"
          ToPort: "7017"
          CidrIp: "128.196.130.131/32"   #Control-M Enterprise Manager Test
        - IpProtocol: "tcp"
          FromPort: "7017"
          ToPort: "7017"
          CidrIp: "128.196.130.130/32"   #Control-M Enterprise Manager Prod
        - IpProtocol: "icmp"
          FromPort: "-1"
          ToPort: "-1"
          CidrIp: "128.196.130.131/32"   #Control-M Enterprise Manager Test
        - IpProtocol: "icmp"
          FromPort: "-1"
          ToPort: "-1"
          CidrIp: "128.196.130.130/32"   #Control-M Enterprise Manager Prod
      #Allow all outbound traffic (the same as CloudFormation's default when SecurityGroupEgress is omitted)
      SecurityGroupEgress:
        - IpProtocol: "-1"
          CidrIp: "0.0.0.0/0"
      Tags:
        - Key: service
          Value: !Ref TagService
        - Key: Name
          Value: !Sub "kuali-controlm-agent-sg"
        - Key: environment
          Value: !Ref TagEnvironment
        - Key: createdby
          Value: !Ref TagCreatedBy
        - Key: contactnetid
          Value: !Ref TagContactNetId
        - Key: accountnumber
          Value: !Ref TagAccountNumber
        - Key: subaccount
          Value: !Ref TagSubAccount
        - Key: ticketnumber
          Value: !Ref TagTicketNumber
        - Key: resourcefunction
          Value: !Ref TagResourceFunction

Outputs

Output values that can be viewed from the AWS CloudFormation console. Each one is also exported under a name prefixed with ${AWS::StackName}, so kfs_opsworks.yaml (or any other stack in the same account and region) can consume it with Fn::ImportValue. The VPC and subnet outputs simply pass through the VPC stack's exports. Export names must be unique within a region, and a stack whose exports are imported elsewhere cannot be deleted or have those outputs changed until the importing stacks are gone, so this stack is created before kfs_opsworks.yaml and torn down after it.

Outputs:
  OutVPCID:
    Description: The VPC ID the KFS environment will be placed in
    Value:
      Fn::ImportValue: !Sub "${VPCCloudFormationName}-vpcid"
    Export:
      Name: !Sub "${AWS::StackName}-VPCID"
  OutPrivSubNet1:
    Description: Private SubNet 1
    Value:
      Fn::ImportValue: !Sub "${VPCCloudFormationName}-private-subnet-a"
    Export:
      Name: !Sub "${AWS::StackName}-PrivSubNet1"
  OutPrivSubNet2:
    Description: Private SubNet 2
    Value:
      Fn::ImportValue: !Sub "${VPCCloudFormationName}-private-subnet-b"
    Export:
      Name: !Sub "${AWS::StackName}-PrivSubNet2"
  OutPubSubNet1:
    Description: Public SubNet 1
    Value:
      Fn::ImportValue: !Sub "${VPCCloudFormationName}-public-subnet-a"
    Export:
      Name: !Sub "${AWS::StackName}-PubSubNet1"
  OutPubSubNet2:
    Description: Public SubNet 2
    Value:
      Fn::ImportValue: !Sub "${VPCCloudFormationName}-public-subnet-b"
    Export:
      Name: !Sub "${AWS::StackName}-PubSubNet2"
  DBSecurityGroup:
    Value: !Ref DBSecurityGroup
    Export:
      Name: !Sub "${AWS::StackName}-DbSecurityGroup"
  LoadBalancerSecurityGroup:
    Value: !Ref LoadBalancerSecurityGroup
    Export:
      Name: !Sub "${AWS::StackName}-LbSg"
  InstanceSecurityGroup:
    Value: !Ref InstanceSecurityGroup
    Export:
      Name: !Sub "${AWS::StackName}-InstSg"
  SshSecurityGroup:
    Value: !Ref SshSg
    Export:
      Name: !Sub "${AWS::StackName}-SshSg"
  ControlMAgentSecurityGroup:
    Value: !Ref ControlMAgentSg
    Export:
      Name: !Sub "${AWS::StackName}-ControlMAgentSg"
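Because this stack both imports from the VPC stack and exports for kfs_opsworks.yaml, the usual deployment failure is a missing or misnamed export (CloudFormation reports that no export with that name exists and the stack rolls back). The script below is an added example, not part of the KFS templates: it statically resolves every Fn::ImportValue in a template (including the !Sub forms used here, using the parameter defaults and a stack name you choose), compares them with a list of existing exports in the shape `aws cloudformation list-exports` returns, and lists the export names this stack will produce, which is what kfs_opsworks.yaml would import. The template excerpt and the export list are constructed; the stack name kfs-sg and the account and region in the ARNs are placeholders.

```python
"""Pre-flight check for cross-stack export/import wiring.

Added example for this page, not part of the KFS templates. Works on the
JSON form of a template (a Python dict) with only the standard library.
Both the template excerpt and the export list below are constructed.
"""
import re
from typing import Dict, Iterator, List, Set

SUB_VAR = re.compile(r"\$\{([^}]+)\}")

# Constructed excerpt of the page's template (one resource, two outputs).
TEMPLATE = {
    "Parameters": {"VPCCloudFormationName": {"Type": "String", "Default": "kuali-vpc"}},
    "Resources": {
        "InstanceSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "Allow Load Balancer and SSH to host",
                "VpcId": {"Fn::ImportValue": {"Fn::Sub": "${VPCCloudFormationName}-vpcid"}},
            },
        }
    },
    "Outputs": {
        "OutPrivSubNet1": {
            "Value": {"Fn::ImportValue": {"Fn::Sub": "${VPCCloudFormationName}-private-subnet-a"}},
            "Export": {"Name": {"Fn::Sub": "${AWS::StackName}-PrivSubNet1"}},
        },
        "InstanceSecurityGroup": {
            "Value": {"Ref": "InstanceSecurityGroup"},
            "Export": {"Name": {"Fn::Sub": "${AWS::StackName}-InstSg"}},
        },
    },
}

# Constructed stand-in for `aws cloudformation list-exports --query Exports`
# (placeholder account, region and stack id).
EXISTING_EXPORTS = [
    {"ExportingStackId": "arn:aws:cloudformation:us-west-2:111122223333:stack/kuali-vpc/0000",
     "Name": "kuali-vpc-vpcid", "Value": "vpc-0abc"},
    {"ExportingStackId": "arn:aws:cloudformation:us-west-2:111122223333:stack/kuali-vpc/0000",
     "Name": "kuali-vpc-private-subnet-a", "Value": "subnet-0abc"},
]


def resolve_sub(node, values: Dict[str, str]) -> str:
    """Resolve a plain string or an Fn::Sub node against known variable values."""
    if isinstance(node, str):
        return node
    if isinstance(node, dict) and "Fn::Sub" in node:
        body = node["Fn::Sub"]
        if isinstance(body, list):  # ["text", {"Var": value}] form
            body, values = body[0], {**values, **body[1]}

        def repl(match):
            var = match.group(1)
            if var.startswith("!"):  # ${!Literal} escape
                return "${" + var[1:] + "}"
            if values.get(var) is None:
                raise ValueError(f"unresolved ${{{var}}} in Fn::Sub")
            return str(values[var])

        return SUB_VAR.sub(repl, body)
    raise ValueError(f"cannot resolve {node!r} statically")


def walk(node) -> Iterator[dict]:
    """Depth-first traversal yielding every dict in a JSON-like structure."""
    if isinstance(node, dict):
        yield node
        for child in node.values():
            yield from walk(child)
    elif isinstance(node, list):
        for child in node:
            yield from walk(child)


def _values(template: dict, params: Dict[str, str], stack_name: str) -> Dict[str, str]:
    """Parameter defaults, overridden by supplied params, plus AWS::StackName."""
    values = {k: v.get("Default") for k, v in template.get("Parameters", {}).items()}
    values.update(params)
    values["AWS::StackName"] = stack_name
    return values


def required_imports(template: dict, params=None, stack_name="kfs-sg") -> Set[str]:
    values = _values(template, params or {}, stack_name)
    return {resolve_sub(d["Fn::ImportValue"], values) for d in walk(template) if "Fn::ImportValue" in d}


def produced_exports(template: dict, params=None, stack_name="kfs-sg") -> Set[str]:
    values = _values(template, params or {}, stack_name)
    return {resolve_sub(out["Export"]["Name"], values)
            for out in template.get("Outputs", {}).values() if "Export" in out}


def missing_imports(template: dict, exports: List[dict], params=None, stack_name="kfs-sg") -> List[str]:
    """Imports this stack needs that no stack in the region currently exports."""
    have = {e["Name"] for e in exports}
    return sorted(required_imports(template, params, stack_name) - have)


if __name__ == "__main__":
    print("needs  :", sorted(required_imports(TEMPLATE)))
    print("missing:", missing_imports(TEMPLATE, EXISTING_EXPORTS))
    print("exports:", sorted(produced_exports(TEMPLATE, stack_name="kfs-dev-sg")))
```

In practice, feed missing_imports() the real output of list-exports and the parameter overrides you intend to deploy with; a non-empty result means the VPC stack is missing, was deployed under a different name than VPCCloudFormationName, or exports under different names than this template expects. produced_exports() with the stack name you plan to use gives the exact strings kfs_opsworks.yaml must reference.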