finmod-rds_securitygroup.yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: KFS RDS Database Access Security Group

# This CloudFormation template creates the EC2 security group to be utilized by
# KFS RDS instances in the Kuali accounts. This template is based on the
# kfs_rds_securitygroup.yaml template.

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Security Group Metadata
        Parameters:
          - VPC
      - Label:
          default: Tags
        Parameters:
          - TagService
          - TagName
          - TagEnvironment
          - TagCreatedBy
          - TagContactNetId
          - TagAccountNumber
          - TagSubAccount
          - TagTicketNumber
          - TagResourceFunction

Parameters:
  VPC:
    Description: ID of the VPC that this security group should be attached to (NOT the VPC name)
    Type: String
    Default: "vpc-0fdb086ebbe09f1a0"
  TagService:
    Description: Service name (from the service catalog) that is utilizing this resource
    Type: String
    Default: "Financials Modernization"
  TagName:
    Description: Descriptive identifier of resource.
    Type: String
    Default: "Security Group For KFS Databases"
  TagEnvironment:
    Description: Type of environment that is using this resource, such as 'dev', 'tst', 'prd'.
    Type: String
    Default: "dev"
  TagCreatedBy:
    Description: NetID of the user that created this resource
    Type: String
  TagContactNetId:
    Description: NetID of the person to contact for information about this resource
    Type: String
  TagAccountNumber:
    Description: Financial system account number for the service utilizing this resource
    Type: String
    Default: "1192801"
  TagSubAccount:
    Description: Financial system subaccount number for the service utilizing this resource
    Type: String
    Default: "INTGR"
  TagTicketNumber:
    Description: Ticket number that this resource is for
    Type: String
  TagResourceFunction:
    Description: Human-readable description of what function this resource is providing
    Type: String
    Default: "CloudFormation stack for KFS RDS Security Group"

Resources:
  # Controls access to the RDS instance that has this security group based on
  # the inbound rules below.
  KFSRDSSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: ua-kfs-database-access-sg
      # Ingress rules taken from the existing 'ua-database-access-sg' in the
      # ua-erp account, with additions from the existing
      # ua-kfs-nonprd-database-access-sg used for DEV, TST, STG, and prototypes.
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: '1521'
          ToPort: '1521'
          CidrIp: 10.138.2.0/24
          Description: "Mosaic VPN-1"  # Based on what is in the kfs_nexus_ecs.yaml template.
        - IpProtocol: tcp
          FromPort: '1521'
          ToPort: '1521'
          CidrIp: 10.221.2.0/24
          Description: "Related to Oracle RDS"
        - IpProtocol: tcp
          FromPort: '1521'
          ToPort: '1521'
          CidrIp: 10.221.2.64/26
          Description: "Related to Oracle RDS"
        - IpProtocol: tcp
          FromPort: '1521'
          ToPort: '1521'
          CidrIp: 10.221.2.0/26
          Description: "Related to Oracle RDS"
        - IpProtocol: tcp
          FromPort: '1521'
          ToPort: '1521'
          CidrIp: 10.220.176.0/24
          Description: "Related to Oracle RDS"
        - IpProtocol: tcp
          FromPort: '1521'
          ToPort: '1521'
          CidrIp: 10.220.177.0/24
          Description: "Related to Oracle RDS"
        - IpProtocol: tcp
          FromPort: '1521'
          ToPort: '1521'
          CidrIp: 150.135.241.0/24
          Description: "Mosaic VPN-2"  # Based on what is in a bunch of other templates for UITS.
      VpcId: !Ref VPC
      Tags:
        - Key: service
          Value: !Ref TagService
        - Key: Name
          Value: !Ref TagName
        - Key: environment
          Value: !Ref TagEnvironment
        - Key: createdby
          Value: !Ref TagCreatedBy
        - Key: contactnetid
          Value: !Ref TagContactNetId
        - Key: accountnumber
          Value: !Ref TagAccountNumber
        - Key: subaccount
          Value: !Ref TagSubAccount
        - Key: ticketnumber
          Value: !Ref TagTicketNumber
        - Key: resourcefunction
          Value: !Ref TagResourceFunction

# Outputs
# Output values that can be viewed from the AWS CloudFormation console.
Outputs:
  KFSRDSSecurityGroupID:
    Value: !GetAtt KFSRDSSecurityGroup.GroupId
    Export:
      Name: !Sub "${AWS::StackName}-id"
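A pre-deployment check for the ingress list above, added here as an example and not part of the template or the Kuali project: it flags any rule that is not 1521/tcp, any source CIDR that is world-open or wider than a /24, and any CIDR already covered by a wider rule with the same ports (the two /26 entries under 10.221.2.0/24 are such a case). The rule dicts are a constructed copy of the template's values; the two "bad" rules are constructed to show what the check catches.

```python
import ipaddress

def rule(cidr, lo="1521", hi="1521", proto="tcp"):  # ports are strings, as CFN parses them
    return {"IpProtocol": proto, "FromPort": lo, "ToPort": hi, "CidrIp": cidr}

# Constructed copy of the CIDRs listed under SecurityGroupIngress in the template.
TEMPLATE_RULES = [rule(c) for c in (
    "10.138.2.0/24", "10.221.2.0/24", "10.221.2.64/26", "10.221.2.0/26",
    "10.220.176.0/24", "10.220.177.0/24", "150.135.241.0/24")]
# Constructed: two edits that must never reach this group (world-open; all ports and protocols).
BAD_RULES = [rule("0.0.0.0/0"), rule("10.138.2.0/24", "0", "65535", "-1")]

def ports(r):
    return (r.get("IpProtocol"), r.get("FromPort"), r.get("ToPort"))

def check_rule(r, port=1521, min_prefix=24):
    """Findings for one rule: protocol, port range (Oracle TNS only) and source CIDR breadth."""
    findings = ["protocol is not tcp"] if r.get("IpProtocol") != "tcp" else []
    lo, hi = int(r.get("FromPort", -1)), int(r.get("ToPort", -1))
    if (lo, hi) != (port, port):
        findings.append(f"ports {lo}-{hi} exceed the expected {port}/tcp")
    try:
        net = ipaddress.IPv4Network(r["CidrIp"], strict=True)  # strict: host bits must be zero
    except (KeyError, ValueError):
        return findings + [f"missing or invalid CidrIp: {r.get('CidrIp')!r}"]
    if net.prefixlen == 0:
        findings.append("open to the world")
    elif net.prefixlen < min_prefix:
        findings.append(f"source /{net.prefixlen} is broader than /{min_prefix}")
    return findings

def audit(rules, **kw):
    """Map rule index -> findings; also flags a CIDR that a wider rule with the same ports covers."""
    nets = {}
    for i, r in enumerate(rules):
        try:
            nets[i] = ipaddress.IPv4Network(r["CidrIp"], strict=False)
        except (KeyError, ValueError):
            pass  # missing or invalid CIDRs are already reported by check_rule
    report = {}
    for i, r in enumerate(rules):
        findings = check_rule(r, **kw)
        for j, wider in nets.items():
            if (j != i and i in nets and nets[i] != wider and nets[i].subnet_of(wider)
                    and ports(rules[j]) == ports(r)):
                findings.append(f"redundant: already covered by rule {j} ({wider})")
        if findings:
            report[i] = findings
    return report
```

Running `audit(TEMPLATE_RULES)` reports only the two /26 entries as redundant; `audit(BAD_RULES)` reports the world-open source and the all-ports rule.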