feat: Create dedicated SGs for environment and interface endpoints #736

Merged
merged 3 commits into from
Oct 8, 2021
Expand Up @@ -706,6 +706,8 @@ Resources:
VpcEndpointType: Interface
ServiceName: !Sub 'com.amazonaws.${AWS::Region}.kms'
VpcId: !Ref VPC
SecurityGroupIds:
- !Ref InterfaceEndpointSecurityGroup

STSEndpoint:
Type: 'AWS::EC2::VPCEndpoint'
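Review bot: `InterfaceEndpointSecurityGroup` is declared with `Condition: isAppStream` (see the security group hunk below), so attaching it to the KMS endpoint through `SecurityGroupIds` is only valid if the KMSEndpoint resource carries the same condition; CloudFormation rejects an unconditional resource that references a conditional one. The endpoint's own `Condition:` line sits above this hunk, so please confirm it is there, or make the reference itself conditional, e.g. `SecurityGroupIds: !If [isAppStream, [!Ref InterfaceEndpointSecurityGroup], !Ref 'AWS::NoValue']`. The same check applies to the STS, EC2 and SSM endpoint hunks, which add the identical reference.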
Expand All @@ -717,6 +719,8 @@ Resources:
PrivateDnsEnabled: true
ServiceName: !Sub 'com.amazonaws.${AWS::Region}.sts'
VpcId: !Ref VPC
SecurityGroupIds:
- !Ref InterfaceEndpointSecurityGroup

EC2Endpoint:
Type: 'AWS::EC2::VPCEndpoint'
Expand All @@ -728,6 +732,8 @@ Resources:
PrivateDnsEnabled: true
ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ec2'
VpcId: !Ref VPC
SecurityGroupIds:
- !Ref InterfaceEndpointSecurityGroup

CfnEndpoint:
Type: 'AWS::EC2::VPCEndpoint'
Expand All @@ -740,18 +746,50 @@ Resources:
ServiceName: !Sub 'com.amazonaws.${AWS::Region}.cloudformation'
VpcId: !Ref VPC
SecurityGroupIds:
- !Ref CfnEndpointSecurityGroup
- !Ref InterfaceEndpointSecurityGroup

CfnEndpointSecurityGroup:
EnvironmentSecurityGroup:
Type: AWS::EC2::SecurityGroup
Condition: isAppStream
Properties:
GroupDescription: 'CFN Security Group for interface endpoint'
GroupName: 'CFN-SG'
GroupDescription: 'Security Group for AppStream instances to connect with environments, and for environments to connect with interface endpoints'
GroupName: 'Environment-SG'
VpcId: !Ref VPC
SecurityGroupIngress:
- SourceSecurityGroupId: !GetAtt VPC.DefaultSecurityGroup
IpProtocol: '-1'

EnvironmentSecurityGroupIngress:
Type: AWS::EC2::SecurityGroupIngress
Condition: isAppStream
Properties:
GroupId: !Ref EnvironmentSecurityGroup
SourceSecurityGroupId: !Ref AppStreamSecurityGroup
Description: 'Allow AppStream ingress from environments'
IpProtocol: '-1'

EnvironmentSecurityGroupEgress:
Type: AWS::EC2::SecurityGroupEgress
Condition: isAppStream
Properties:
GroupId: !Ref EnvironmentSecurityGroup
DestinationSecurityGroupId: !Ref InterfaceEndpointSecurityGroup
Description: 'Allow Interface Endpoint egress from environments'
IpProtocol: '-1'

InterfaceEndpointSecurityGroup:
Type: AWS::EC2::SecurityGroup
Condition: isAppStream
Properties:
GroupDescription: 'Security Group for interface endpoints'
GroupName: 'Interface-Endpoint-SG'
VpcId: !Ref VPC

InterfaceEndpointSecurityGroupIngress:
Type: AWS::EC2::SecurityGroupIngress
Condition: isAppStream
Properties:
GroupId: !Ref InterfaceEndpointSecurityGroup
SourceSecurityGroupId: !Ref EnvironmentSecurityGroup
Description: 'Allow environment ingress from interface endpoints'
IpProtocol: '-1'

SSMEndpoint:
Type: 'AWS::EC2::VPCEndpoint'
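Review bot: both rule descriptions in this hunk read backwards and will mislead anyone auditing the groups in the console: `EnvironmentSecurityGroupIngress` has `SourceSecurityGroupId: !Ref AppStreamSecurityGroup`, so it allows ingress from AppStream into environments (not 'AppStream ingress from environments'), and `InterfaceEndpointSecurityGroupIngress` has `SourceSecurityGroupId: !Ref EnvironmentSecurityGroup`, so it allows ingress from environments into the interface endpoints (not 'environment ingress from interface endpoints'). Two further points. `EnvironmentSecurityGroupEgress` adds nothing while `EnvironmentSecurityGroup` keeps its default allow-all egress rule, because a standalone `AWS::EC2::SecurityGroupEgress` does not replace that default; if the intent is to confine environment egress to the endpoints, the group needs an inline `SecurityGroupEgress` with a placeholder entry (the `127.0.0.1/32` pattern this template already uses on `SageMakerSecurityGroup`) so the default rule is dropped. And every rule here uses `IpProtocol: '-1'`; interface endpoints only serve HTTPS, so the ingress into `InterfaceEndpointSecurityGroup` can be scoped to `IpProtocol: tcp`, `FromPort: 443`, `ToPort: 443`. Splitting the cross references into separate Ingress/Egress resources is the right way to avoid the circular dependency between the two groups.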
Expand All @@ -763,6 +801,8 @@ Resources:
PrivateDnsEnabled: true
ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ssm'
VpcId: !Ref VPC
SecurityGroupIds:
- !Ref InterfaceEndpointSecurityGroup

# https://docs.aws.amazon.com/sagemaker/latest/dg/notebook-interface-endpoint.html
SagemakerNotebookEndpoint:
Expand Down Expand Up @@ -799,7 +839,7 @@ Resources:
GroupName: 'Sagemaker-API-SG'
VpcId: !Ref VPC
SecurityGroupIngress:
- SourceSecurityGroupId: !GetAtt VPC.DefaultSecurityGroup
- SourceSecurityGroupId: !Ref EnvironmentSecurityGroup
IpProtocol: '-1'

SageMakerSecurityGroup:
Expand All @@ -823,7 +863,7 @@ Resources:
SecurityGroupEgress:
- CidrIp: 127.0.0.1/32
IpProtocol: '-1'
- DestinationSecurityGroupId: !GetAtt VPC.DefaultSecurityGroup
- DestinationSecurityGroupId: !Ref EnvironmentSecurityGroup
IpProtocol: '-1'

AppStreamSecurityGroupEgress:
Expand Down Expand Up @@ -954,19 +994,19 @@ Outputs:
Condition: isAppStream
Value: !Ref AppStreamStack

CFNEndpointSG:
Description: Security group of CFN endpoint
InterfaceEndpointSG:
Description: Security group of Interface endpoints
Condition: isAppStream
Value: !Ref CfnEndpointSecurityGroup
Value: !Ref InterfaceEndpointSecurityGroup
Export:
Name: !Join ['', [Ref: Namespace, '-CfnEndpointSecurityGroup']]
Name: !Join ['', [Ref: Namespace, '-InterfaceEndpointSG']]

VPCDefaultSG:
EnvironmentSG:
Description: Default SG for VPC
Condition: isAppStream
Value: !GetAtt VPC.DefaultSecurityGroup
Value: !Ref EnvironmentSecurityGroup
Export:
Name: !Join ['', [Ref: Namespace, '-SwbVPCDefaultSG']]
Name: !Join ['', [Ref: Namespace, '-EnvironmentSG']]

AppStreamStackName:
Description: Name of the stack created by AppStream
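Review bot: the `EnvironmentSG` output keeps `Description: Default SG for VPC`, which no longer describes what is exported (`!Ref EnvironmentSecurityGroup`); update it to match the new group. Renaming the exports from `-CfnEndpointSecurityGroup` and `-SwbVPCDefaultSG` to `-InterfaceEndpointSG` and `-EnvironmentSG` also affects existing deployments: CloudFormation refuses to remove an export while another stack imports it, so a base stack that already has workspace stacks importing the old names will fail to update until those workspaces are torn down or migrated. Worth calling out in the PR description and release notes, or keeping the old export names alongside the new ones for one release.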
Expand Up @@ -146,18 +146,10 @@ Resources:
FromPort: -1
ToPort: -1
CidrIp: !Ref AccessFromCIDRBlock
- !If
- AppStreamEnabled
- DestinationSecurityGroupId:
Fn::ImportValue: !Sub "${SolutionNamespace}-CfnEndpointSecurityGroup"
IpProtocol: '-1'
- !Ref "AWS::NoValue"
SecurityGroupIngress:
- !If
- AppStreamEnabled
- SourceSecurityGroupId:
Fn::ImportValue: !Sub "${SolutionNamespace}-SwbAppStreamSG"
IpProtocol: '-1'
- !Ref "AWS::NoValue"
- IpProtocol: tcp
FromPort: 22
ToPort: 22
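Review bot: dropping the `DestinationSecurityGroupId` egress to the CFN endpoint group and the `SourceSecurityGroupId` ingress from the AppStream group from this instance's own `SecurityGroup` is only safe because the next hunk attaches the imported `-EnvironmentSG` group to the instance, and an instance's effective rules are the union of all its groups; the equivalent rules now live on `EnvironmentSecurityGroup` in the base stack. Please state that dependency in the PR description, since a workspace template deployed against a base stack that has not been updated yet will import a nonexistent export and fail to launch. The same removal appears in the other two workspace templates in this patch.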
Expand Down Expand Up @@ -205,7 +197,7 @@ Resources:
- !Ref SecurityGroup
- !If
- AppStreamEnabled
- Fn::ImportValue: !Sub "${SolutionNamespace}-SwbVPCDefaultSG"
- Fn::ImportValue: !Sub "${SolutionNamespace}-EnvironmentSG"
- !Ref "AWS::NoValue"
SubnetId: !Ref Subnet
Tags:
Expand Up @@ -159,18 +159,10 @@ Resources:
FromPort: -1
ToPort: -1
CidrIp: !Ref AccessFromCIDRBlock
- !If
- AppStreamEnabled
- DestinationSecurityGroupId:
Fn::ImportValue: !Sub "${SolutionNamespace}-CfnEndpointSecurityGroup"
IpProtocol: '-1'
- !Ref "AWS::NoValue"
SecurityGroupIngress:
- !If
- AppStreamEnabled
- SourceSecurityGroupId:
Fn::ImportValue: !Sub "${SolutionNamespace}-SwbAppStreamSG"
IpProtocol: '-1'
- !Ref "AWS::NoValue"
- IpProtocol: tcp
FromPort: 22
ToPort: 22
Expand Down Expand Up @@ -219,7 +211,7 @@ Resources:
- !Ref SecurityGroup
- !If
- AppStreamEnabled
- Fn::ImportValue: !Sub "${SolutionNamespace}-SwbVPCDefaultSG"
- Fn::ImportValue: !Sub "${SolutionNamespace}-EnvironmentSG"
- !Ref "AWS::NoValue"
SubnetId: !Ref Subnet
Tags:
Expand Up @@ -168,18 +168,10 @@ Resources:
FromPort: -1
ToPort: -1
CidrIp: !Ref AccessFromCIDRBlock
- !If
- AppStreamEnabled
- DestinationSecurityGroupId:
Fn::ImportValue: !Sub "${SolutionNamespace}-CfnEndpointSecurityGroup"
IpProtocol: '-1'
- !Ref "AWS::NoValue"
SecurityGroupIngress:
- !If
- AppStreamEnabled
- SourceSecurityGroupId:
Fn::ImportValue: !Sub "${SolutionNamespace}-SwbAppStreamSG"
IpProtocol: '-1'
- !Ref "AWS::NoValue"
- IpProtocol: tcp
FromPort: 3389
ToPort: 3389
Expand Down Expand Up @@ -272,7 +264,7 @@ Resources:
- !Ref SecurityGroup
- !If
- AppStreamEnabled
- Fn::ImportValue: !Sub "${SolutionNamespace}-SwbVPCDefaultSG"
- Fn::ImportValue: !Sub "${SolutionNamespace}-EnvironmentSG"
- !Ref "AWS::NoValue"
SubnetId: !Ref Subnet
Tags:
Expand Up @@ -75,6 +75,13 @@ Resources:
Fn::ImportValue: !Sub "${SolutionNamespace}-SageMakerApiSecurityGroup"
IpProtocol: '-1'
- !Ref "AWS::NoValue"
- !If
- AppStreamEnabled
- IpProtocol: tcp
FromPort: 0
ToPort: 65535
CidrIp: 0.0.0.0/0
- !Ref "AWS::NoValue"
PreSignedURLBoundary:
Type: AWS::IAM::ManagedPolicy
Condition: AppStreamEnabled
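Review bot: the new rule opens every TCP port (`FromPort: 0`, `ToPort: 65535`) to `0.0.0.0/0` whenever `AppStreamEnabled` is set, which runs against the rest of this patch, whose point is to move AppStream-mode traffic onto dedicated groups and interface endpoints. The list key this entry belongs to (ingress or egress) is above the hunk; as egress it re-opens the notebook to arbitrary destinations in the mode that is meant to be isolated, and as ingress it would be far worse. Please document in the PR which destination actually needs this, and narrow the rule to that destination and to tcp/443.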
Expand Down Expand Up @@ -233,7 +240,7 @@ Resources:
- !Ref SecurityGroup
- !If
- AppStreamEnabled
- Fn::ImportValue: !Sub "${SolutionNamespace}-SwbVPCDefaultSG"
- Fn::ImportValue: !Sub "${SolutionNamespace}-EnvironmentSG"
- !Ref "AWS::NoValue"
DirectInternetAccess:
!If