kfs_rds_securitygroup.yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: KFS RDS Database Access Security Group

# This CloudFormation template creates the EC2 security group to be utilized by
# KFS RDS instances in the Kuali accounts.

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Security Group Metadata
        Parameters:
          - VPC
      - Label:
          default: Tags
        Parameters:
          - TagService
          - TagName
          - TagEnvironment
          - TagCreatedBy
          - TagContactNetId
          - TagAccountNumber
          - TagSubAccount
          - TagTicketNumber
          - TagResourceFunction

Parameters:
  VPC:
    Description: ID of the VPC that this security group should be attached to (NOT the VPC name)
    Type: String
    Default: "vpc-2b1ea94c"
  TagService:
    Description: Service name (from the service catalog) that is utilizing this resource
    Type: String
    Default: "UAccess Financials"
  TagName:
    Description: Descriptive identifier of resource.
    Type: String
    Default: "Security Group For KFS Databases"
  TagEnvironment:
    Description: Type of environment that is using this resource, such as 'dev', 'tst', 'prd'.
    Type: String
    Default: "dev"
  TagCreatedBy:
    Description: NetID of the user that created this resource
    Type: String
  TagContactNetId:
    Description: NetID of the person to contact for information about this resource
    Type: String
  TagAccountNumber:
    Description: Financial system account number for the service utilizing this resource
    Type: String
    Default: "1192620"
  TagSubAccount:
    Description: Financial system subaccount number for the service utilizing this resource
    Type: String
    Default: "12AWS"
  TagTicketNumber:
    Description: Ticket number that this resource is for
    Type: String
    Default: "FIN-1903"
  TagResourceFunction:
    Description: Human-readable description of what function this resource is providing
    Type: String
    Default: "CloudFormation stack for KFS RDS Security Group"

Resources:
  # Controls access to the RDS instance that has this security group based on
  # the inbound rules below.
  KFSRDSSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: ua-kfs-database-access-sg
      # Ingress rules taken from the existing 'ua-database-access-sg' in the
      # ua-erp account, with additions from the existing
      # ua-kfs-nonprd-database-access-sg used for DEV, TST, STG, and prototypes.
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: '1521'
          ToPort: '1521'
          CidrIp: 10.138.2.0/24
          Description: "Mosaic VPN-1"
          # Based on what is in the kfs_nexus_ecs.yaml template.
        - IpProtocol: tcp
          FromPort: '1521'
          ToPort: '1521'
          CidrIp: 10.221.2.0/24
          Description: "Related to Oracle RDS"
        - IpProtocol: tcp
          FromPort: '1521'
          ToPort: '1521'
          CidrIp: 10.221.2.64/26
          Description: "Related to Oracle RDS"
        - IpProtocol: tcp
          FromPort: '1521'
          ToPort: '1521'
          CidrIp: 10.221.2.0/26
          Description: "Related to Oracle RDS"
        - IpProtocol: tcp
          FromPort: '1521'
          ToPort: '1521'
          CidrIp: 10.220.176.0/24
          Description: "Related to Oracle RDS"
        - IpProtocol: tcp
          FromPort: '1521'
          ToPort: '1521'
          CidrIp: 10.220.177.0/24
          Description: "Related to Oracle RDS"
        - IpProtocol: tcp
          FromPort: '1521'
          ToPort: '1521'
          CidrIp: 150.135.241.0/24
          Description: "Mosaic VPN-2"
          # Based on what is in a bunch of other templates for UITS.
        - IpProtocol: "tcp"
          FromPort: "1521"
          ToPort: "1521"
          CidrIp: "10.220.161.64/26"
          Description: "UAIR Dev Account Private Subnet1"
        - IpProtocol: "tcp"
          FromPort: "1521"
          ToPort: "1521"
          CidrIp: "10.220.161.128/26"
          Description: "UAIR Dev Account Private Subnet2"
        - IpProtocol: "tcp"
          FromPort: "1521"
          ToPort: "1521"
          CidrIp: "10.220.169.193/32"
          Description: "OEM 13.3"
        - IpProtocol: "tcp"
          FromPort: "3872"
          ToPort: "3872"
          CidrIp: "10.220.169.193/32"
          Description: "Oracle Management Service and default port"
          # https://docs.oracle.com/cd/B16240_01/doc/em.102/e10954/firewalls.htm
      VpcId: !Ref VPC
      Tags:
        - Key: service
          Value: !Ref TagService
        - Key: Name
          Value: !Ref TagName
        - Key: environment
          Value: !Ref TagEnvironment
        - Key: createdby
          Value: !Ref TagCreatedBy
        - Key: contactnetid
          Value: !Ref TagContactNetId
        - Key: accountnumber
          Value: !Ref TagAccountNumber
        - Key: subaccount
          Value: !Ref TagSubAccount
        - Key: ticketnumber
          Value: !Ref TagTicketNumber
        - Key: resourcefunction
          Value: !Ref TagResourceFunction

# Outputs
# Output values that can be viewed from the AWS CloudFormation console.
Outputs:
  KFSRDSSecurityGroupID:
    Value: !GetAtt KFSRDSSecurityGroup.GroupId
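A pre-deployment check for the ingress list above, added here as an example and not part of the template or the Kuali project: it flags world-open or overly broad CIDRs, ports outside the Oracle listener/OEM allowlist, missing descriptions, and rules already covered by a wider rule on the same port (the two /26 entries under 10.221.2.0/24 are such a case). The rule list is transcribed from the template so the check runs offline; `ALLOWED_PORTS` and `MIN_PREFIX` are assumed policy values.

```python
import ipaddress

# Transcribed from KFSRDSSecurityGroup.SecurityGroupIngress: (CidrIp, port, Description).
INGRESS = [
    ("10.138.2.0/24", 1521, "Mosaic VPN-1"),
    ("10.221.2.0/24", 1521, "Related to Oracle RDS"),
    ("10.221.2.64/26", 1521, "Related to Oracle RDS"),
    ("10.221.2.0/26", 1521, "Related to Oracle RDS"),
    ("10.220.176.0/24", 1521, "Related to Oracle RDS"),
    ("10.220.177.0/24", 1521, "Related to Oracle RDS"),
    ("150.135.241.0/24", 1521, "Mosaic VPN-2"),
    ("10.220.161.64/26", 1521, "UAIR Dev Account Private Subnet1"),
    ("10.220.161.128/26", 1521, "UAIR Dev Account Private Subnet2"),
    ("10.220.169.193/32", 1521, "OEM 13.3"),
    ("10.220.169.193/32", 3872, "Oracle Management Service and default port"),
]

ALLOWED_PORTS = {1521, 3872}  # assumed policy: Oracle listener and OEM agent only
MIN_PREFIX = 24               # assumed policy: anything broader than a /24 needs review


def lint_ingress(rules):
    """Return (severity, message) findings for a list of ingress rules; [] means clean."""
    findings = []
    nets = []
    for cidr, port, desc in rules:
        net = ipaddress.ip_network(cidr, strict=True)  # rejects CIDRs with host bits set
        if net.prefixlen == 0:
            findings.append(("HIGH", f"{cidr} port {port} is open to the world"))
        elif net.prefixlen < MIN_PREFIX:
            findings.append(("MEDIUM", f"{cidr} port {port} is broader than /{MIN_PREFIX}"))
        if port not in ALLOWED_PORTS:
            findings.append(("HIGH", f"port {port} for {cidr} is not in the allowlist"))
        if not desc.strip():
            findings.append(("LOW", f"{cidr} port {port} has no Description"))
        nets.append((net, port))
    # A narrower CIDR on the same port as a wider one adds no access; flag it as clutter.
    for net, port in nets:
        for other, other_port in nets:
            if port == other_port and net != other and net.subnet_of(other):
                findings.append(("INFO", f"{net} port {port} is already covered by {other}"))
    return findings


if __name__ == "__main__":
    for severity, message in lint_ingress(INGRESS):
        print(f"{severity}: {message}")
```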