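# This example creates a 3 tiered (web, app, db) VPC spanning 3 Availability Zones.
# The web tier has public IPs; the app/db tiers are internal and use a NAT Gateway for internet access.
#
# Jinja variables are set once up front to avoid repeated hard-coding of values in the pillar.
# Global CIDR for all your VPCs. Use this for Security Group rules.
{% set cidr_global = '10.0.0.0/8' %}
aws:
  region:
    us-east-2:
      keys:
        mykey: 'ssh-rsa XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX [email protected]'
      profile:
        region: us-east-2
        # keyid/key below are placeholders. Do not commit real IAM credentials to
        # version control: keep them in an encrypted pillar (e.g. Salt's gpg renderer)
        # or let the minion use an instance role instead of a static key pair.
        keyid: ASDFASDFASDFASDFASDF
        key: AB12Cd3Efg45hIjk67lMNop8q9RST0uvwXyz
      vpc:
        # Set VPC specific variables at the top of each pillar.
        # setting vpc_name so that Security Group names can include the VPC name
        {%- set vpc_name = 'vpcProdEast2' %}
        # setting cidr_local for use in security group rules
        {%- set cidr_local = '10.20.0.0/16' %}
        {{ vpc_name }}:
          cidr_prefix: '10.20'
          vpc:
            name: {{ vpc_name }}
            cidr_block: '{{ cidr_local }}'
            instance_tenancy: default
            # Kept as quoted strings as in the original example; confirm whether the
            # formula expects a string or a YAML boolean before changing these.
            dns_support: 'true'
            dns_hostnames: 'true'
          # Can only have one internet_gateway
          internet_gateway:
            name: internet_gateway
          subnets:
            # web subnets are 1,2,3
            1:
              name: subWebA
              az: a
              nat_gateway: true
            2:
              name: subWebB
              az: b
              nat_gateway: true
            3:
              name: subWebC
              az: c
              nat_gateway: true
            # app subnets are 11,12,13
            11:
              name: subAppA
              az: a
            12:
              name: subAppB
              az: b
            13:
              name: subAppC
              az: c
            # db subnets are 21, 22, 23
            21:
              name: subDbA
              az: a
            22:
              name: subDbB
              az: b
            23:
              name: subDbC
              az: c
          # These will be added to every table.
          # Get the instance ID of the VPN server to connect to the 10.10 region
          # VPC and put it here, then uncomment below.
          # routing_tables_global:
          #   vpnPROD:
          #     destination_cidr_block: '10.10.0.0/16'
          #     instance_id: i-xxxxxxxxxxxxxx
          routing_tables:
            # Create a public routing table for the web subnet in each AZ per best practices
            publicA:
              routes:
                default:
                  destination_cidr_block: '0.0.0.0/0'
                  internet_gateway_name: internet_gateway
              subnet_names:
                - subWebA
            publicB:
              routes:
                default:
                  destination_cidr_block: '0.0.0.0/0'
                  internet_gateway_name: internet_gateway
              subnet_names:
                - subWebB
            publicC:
              routes:
                default:
                  destination_cidr_block: '0.0.0.0/0'
                  internet_gateway_name: internet_gateway
              subnet_names:
                - subWebC
            # Create a private routing table for App and DB subnets in each AZ.
            # Until the NAT route below is uncommented these tables have no default
            # route, so the app/db subnets have no internet egress.
            privateA:
              # Update nat_gateway_id below from the AWS Console (VPC / NAT Gateways).
              # Use the private IP to determine the correct one, then uncomment the lines below.
              # routes:
              #   default:
              #     destination_cidr_block: '0.0.0.0/0'
              #     nat_gateway_id: 'nat-xxxxxxxxxxxxxx'
              subnet_names:
                - subAppA
                - subDbA
            privateB:
              # Update nat_gateway_id below from the AWS Console (VPC / NAT Gateways).
              # Use the private IP to determine the correct one, then uncomment the lines below.
              # routes:
              #   default:
              #     destination_cidr_block: '0.0.0.0/0'
              #     nat_gateway_id: 'nat-xxxxxxxxxxxxxx'
              subnet_names:
                - subAppB
                - subDbB
            privateC:
              # Update nat_gateway_id below from the AWS Console (VPC / NAT Gateways).
              # Use the private IP to determine the correct one, then uncomment the lines below.
              # routes:
              #   default:
              #     destination_cidr_block: '0.0.0.0/0'
              #     nat_gateway_id: 'nat-xxxxxxxxxxxxxx'
              subnet_names:
                - subAppC
                - subDbC
          security_groups:
            # Create a baseline security group with rules that apply to all servers.
            # All security groups include the VPC name in case these security group
            # names are used in another VPC via VPC peering.
            sgBase-{{ vpc_name }}:
              description: Base SG for all servers
              rules:
                # SSH is open to the whole global CIDR; narrow this to your bastion or
                # admin ranges if that is feasible in your environment.
                ssh:
                  ip_protocol: tcp
                  port: 22
                  cidr_ip: '{{ cidr_global }}'
                icmp:
                  ip_protocol: icmp
                  port: -1
                  cidr_ip: '{{ cidr_global }}'
              rules_egress:
                # Unrestricted egress for every server; tighten per tier if your
                # policy requires egress filtering.
                all:
                  ip_protocol: all
                  port: -1
                  cidr_ip: '0.0.0.0/0'
            # Web servers can access app servers.
            # App servers can access other app servers.
            sgApp-{{ vpc_name }}:
              description: SG for all App servers
              rules:
                http:
                  ip_protocol: tcp
                  port: 80
                  source_group_name:
                    - sgWeb-{{ vpc_name }}
                    - sgApp-{{ vpc_name }}
                https:
                  ip_protocol: tcp
                  port: 443
                  source_group_name:
                    - sgWeb-{{ vpc_name }}
                    - sgApp-{{ vpc_name }}
            # App servers can access DB servers.
            # DB servers can access other DB servers (for replication to replicas).
            sgDB-{{ vpc_name }}:
              description: SG for all DB servers
              rules:
                mysql:
                  ip_protocol: tcp
                  port: 3306
                  source_group_name:
                    - sgApp-{{ vpc_name }}
                    - sgDB-{{ vpc_name }}
            # Allow OpenVPN users access
            sgOpenVPN-{{ vpc_name }}:
              description: SG for all OpenVPN servers
              rules:
                openVPN_tcp:
                  ip_protocol: tcp
                  port: 1194
                  cidr_ip: '0.0.0.0/0'
                openVPN_udp:
                  ip_protocol: udp
                  port: 1194
                  cidr_ip: '0.0.0.0/0'
            # All servers can talk to the salt server
            sgSalt-{{ vpc_name }}:
              description: SG for all Salt servers
              rules:
                salt-master:
                  ip_protocol: tcp
                  from_port: 4505
                  to_port: 4506
                  cidr_ip: '{{ cidr_local }}'
                salt-api:
                  ip_protocol: tcp
                  port: 443
                  cidr_ip: '{{ cidr_local }}'
            # IPsec VPN servers can communicate across the internet
            sgVPN-{{ vpc_name }}:
              description: SG for all IPSec VPN servers
              rules:
                vpn_ike:
                  ip_protocol: udp
                  port: 500
                  cidr_ip: '0.0.0.0/0'
                # Rule names now match their protocol (the original example had
                # the udp/tcp names swapped for port 4500).
                vpn_ipsec_nat_udp:
                  ip_protocol: udp
                  port: 4500
                  cidr_ip: '0.0.0.0/0'
                vpn_ipsec_nat_tcp:
                  ip_protocol: tcp
                  port: 4500
                  cidr_ip: '0.0.0.0/0'
                vpn_l2tp:
                  ip_protocol: udp
                  port: 1701
                  cidr_ip: '0.0.0.0/0'
            # Internet can access web servers
            sgWeb-{{ vpc_name }}:
              description: SG for all Web servers
              rules:
                http:
                  ip_protocol: tcp
                  port: 80
                  cidr_ip: '0.0.0.0/0'
                https:
                  ip_protocol: tcp
                  port: 443
                  cidr_ip: '0.0.0.0/0'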