fix: Disable public IP address for Linux, Windows, and RStudio when A…

…ppStream is enabled(awslabs#731)
jxuamazon · Oct 6, 2021 · ed8f29d · ed8f29d
1 parent e55f3be
commit ed8f29d
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 4 deletions.
diff --git a/...packages/base-raas-cfn-templates/src/templates/service-catalog/ec2-linux-instance.cfn.yml b/...packages/base-raas-cfn-templates/src/templates/service-catalog/ec2-linux-instance.cfn.yml
@@ -52,6 +52,7 @@ Conditions:
   IamPolicyEmpty: !Equals [!Ref IamPolicyDocument, '{}']
   EgressStoreIamPolicyEmpty: !Equals [!Ref EgressStoreIamPolicyDocument, '{}']
   AppStreamEnabled: !Equals [!Ref IsAppStreamEnabled, 'true']
+  AppStreamDisabled: !Equals [!Ref IsAppStreamEnabled, 'false']
 
 Resources:
   InstanceRolePermissionBoundary:
@@ -198,7 +199,7 @@ Resources:
             Encrypted: true
             KmsKeyId: !Ref EncryptionKeyArn
       NetworkInterfaces:
-        - AssociatePublicIpAddress: 'true'
+        - AssociatePublicIpAddress: !If [ AppStreamEnabled, 'false', 'true' ]
           DeviceIndex: '0'
           GroupSet:
             - !Ref SecurityGroup
@@ -230,6 +231,7 @@ Outputs:
 
   Ec2WorkspacePublicIp:
     Description: Public IP address of the EC2 workspace instance
+    Condition: AppStreamDisabled
     Value: !GetAtt [EC2Instance, PublicIp]
 
   Ec2WorkspaceInstanceId:

diff --git a/...ckages/base-raas-cfn-templates/src/templates/service-catalog/ec2-rstudio-instance.cfn.yml b/...ckages/base-raas-cfn-templates/src/templates/service-catalog/ec2-rstudio-instance.cfn.yml
@@ -55,6 +55,7 @@ Conditions:
   IamPolicyEmpty: !Equals [!Ref IamPolicyDocument, '{}']
   EgressStoreIamPolicyEmpty: !Equals [!Ref EgressStoreIamPolicyDocument, '{}']
   AppStreamEnabled: !Equals [!Ref IsAppStreamEnabled, 'true']
+  AppStreamDisabled: !Equals [!Ref IsAppStreamEnabled, 'false']
 
 Resources:
   InstanceRolePermissionBoundary:
@@ -212,7 +213,7 @@ Resources:
             Encrypted: true
             KmsKeyId: !Ref EncryptionKeyArn
       NetworkInterfaces:
-        - AssociatePublicIpAddress: 'true'
+        - AssociatePublicIpAddress: !If [ AppStreamEnabled, 'false', 'true' ]
           DeviceIndex: '0'
           GroupSet:
             - !Ref SecurityGroup
@@ -244,10 +245,11 @@ Outputs:
 
   Ec2WorkspacePublicIp:
     Description: Public IP address of the EC2 workspace instance
+    Condition: AppStreamDisabled
     Value: !GetAtt [EC2Instance, PublicIp]
 
   Ec2WorkspacePrivateIp:
-    Description: Public IP address of the EC2 workspace instance
+    Description: Private IP address of the EC2 workspace instance
     Value: !GetAtt [EC2Instance, PrivateIp]
 
   Ec2WorkspaceInstanceId:

diff --git a/...ckages/base-raas-cfn-templates/src/templates/service-catalog/ec2-windows-instance.cfn.yml b/...ckages/base-raas-cfn-templates/src/templates/service-catalog/ec2-windows-instance.cfn.yml
@@ -74,6 +74,7 @@ Conditions:
   IamPolicyEmpty: !Equals [!Ref IamPolicyDocument, '{}']
   EgressStoreIamPolicyEmpty: !Equals [!Ref EgressStoreIamPolicyDocument, '{}']
   AppStreamEnabled: !Equals [!Ref IsAppStreamEnabled, 'true']
+  AppStreamDisabled: !Equals [!Ref IsAppStreamEnabled, 'false']
 
 Resources:
   InstanceRolePermissionBoundary:
@@ -265,7 +266,7 @@ Resources:
             KmsKeyId: !Ref EncryptionKeyArn
             DeleteOnTermination: true
       NetworkInterfaces:
-        - AssociatePublicIpAddress: true
+        - AssociatePublicIpAddress: !If [ AppStreamEnabled, 'false', 'true' ]
           DeviceIndex: '0'
           GroupSet:
             - !Ref SecurityGroup
@@ -376,6 +377,7 @@ Outputs:
 
   Ec2WorkspacePublicIp:
     Description: Public IP address of the EC2 workspace instance
+    Condition: AppStreamDisabled
     Value: !GetAtt [EC2Instance, PublicIp]
 
   Ec2WorkspaceInstanceId: