[QOLDEV-1068] revert security group rules to CloudFront group

qld-gov-au · Mar 3, 2025 · cd38466 · cd38466
1 parent 78e1d7b
commit cd38466
Show file tree

Hide file tree

Showing 3 changed files with 124 additions and 27 deletions.
diff --git a/templates/Datashades-OpsWorks-CKAN-Stack.cfn.yml.j2 b/templates/Datashades-OpsWorks-CKAN-Stack.cfn.yml.j2
@@ -111,9 +111,12 @@ Parameters:
   AdminSG:
     Description: The exported name of the security group ID containing sysadmin inbound rules
     Type: String
-  LoadBalancerSG:
+  AppLBSG:
     Description: The exported name of the security group ID to attach to the application load balancer.
     Type: String
+  CloudFrontSG:
+    Description: The exported name of the security group ID for resources that should be accessed by CloudFront.
+    Type: String
   DatabaseSG:
     Description: The exported name of the security group ID to attach to the database layer.
     Type: String
@@ -544,7 +547,8 @@ Resources:
         - Key: access_logs.s3.enabled
           Value: false
       SecurityGroups:
-        - Fn::ImportValue: !Ref LoadBalancerSG
+        - Fn::ImportValue: !Ref AppLBSG
+        - Fn::ImportValue: !Ref CloudFrontSG
       Subnets:
         - Fn::ImportValue: !Sub "${WebSubnets}A"
         - Fn::ImportValue: !Sub "${WebSubnets}B"

diff --git a/templates/security_groups.cfn.yml.j2 b/templates/security_groups.cfn.yml.j2
@@ -25,12 +25,70 @@ Parameters:
     Description: Name of the platform ie GI, Services, Static
 
 Resources:
+  CloudfrontHTTP:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      GroupDescription: Cloudfront Ranges HTTP Security Group
+      VpcId:
+        Fn::ImportValue: !Ref VPC
+      SecurityGroupIngress:
+        # IPv4 Entries
+{% for entry in aws_ipv4_json %}
+{% if entry.service == "CLOUDFRONT" %}
+        - IpProtocol: tcp
+          FromPort: 80
+          ToPort: 80
+          CidrIp: {{ entry.ip_prefix }}
+{% endif %}
+{% endfor %}
+        # IPv6 Entries
+{% for entry in aws_ipv6_json %}
+{% if entry.service == "CLOUDFRONT" %}
+        - IpProtocol: tcp
+          FromPort: 80
+          ToPort: 80
+          CidrIpv6: {{ entry.ipv6_prefix }}
+{% endif %}
+{% endfor %}
+      Tags:
+        - Key: Name
+          Value: cloudfront-http
+        - Key: AutoUpdate
+          Value: true
+        - Key: Protocol
+          Value: http
   CloudfrontHTTPS:
     Type: AWS::EC2::SecurityGroup
     Properties:
       GroupDescription: Cloudfront Ranges HTTPS Security Group
       VpcId:
         Fn::ImportValue: !Ref VPC
+      SecurityGroupIngress:
+        # IPv4 Entries
+{% for entry in aws_ipv4_json %}
+{% if entry.service == "CLOUDFRONT" %}
+        - IpProtocol: tcp
+          FromPort: 443
+          ToPort: 443
+          CidrIp: {{ entry.ip_prefix }}
+{% endif %}
+{% endfor %}
+        # IPv6 Entries
+{% for entry in aws_ipv6_json %}
+{% if entry.service == "CLOUDFRONT" %}
+        - IpProtocol: tcp
+          FromPort: 443
+          ToPort: 443
+          CidrIpv6: {{ entry.ipv6_prefix }}
+{% endif %}
+{% endfor %}
+      Tags:
+        - Key: Name
+          Value: cloudfront-https
+        - Key: AutoUpdate
+          Value: true
+        - Key: Protocol
+          Value: https
 
   Management:
     Type: AWS::EC2::SecurityGroup
@@ -59,31 +117,10 @@ Resources:
         Fn::ImportValue: !Ref VPC
       GroupDescription: allow connections from specified CIDR ranges
       SecurityGroupIngress:
-        # IPv4 Entries
-{% for entry in aws_ipv4_json %}
-{% if entry.service == "CLOUDFRONT" %}
         - IpProtocol: tcp
-          FromPort: 443
-          ToPort: 443
-          CidrIp: {{ entry.ip_prefix }}
-{% endif %}
-{% endfor %}
-        # IPv6 Entries
-{% for entry in aws_ipv6_json %}
-{% if entry.service == "CLOUDFRONT" %}
-        - IpProtocol: tcp
-          FromPort: 443
-          ToPort: 443
-          CidrIpv6: {{ entry.ipv6_prefix }}
-{% endif %}
-{% endfor %}
-      Tags:
-        - Key: Name
-          Value: app-loadbalancer
-        - Key: AutoUpdate
-          Value: true
-        - Key: Protocol
-          Value: https
+          FromPort: 80
+          ToPort: 80
+          SourceSecurityGroupId: !Ref WebAsg
 
   AppAsg:
     Type: AWS::EC2::SecurityGroup
@@ -97,6 +134,29 @@ Resources:
           ToPort: 80
           SourceSecurityGroupId: !Ref AppLoadBalancer
 
+  WebLoadBalancer:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      VpcId:
+        Fn::ImportValue: !Ref VPC
+      GroupDescription: allow connections from specified CIDR ranges
+
+  WebAsg:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      VpcId:
+        Fn::ImportValue: !Ref VPC
+      GroupDescription: allow connections from specified CIDR ranges
+      SecurityGroupIngress:
+      - IpProtocol: tcp
+        FromPort: 80
+        ToPort: 80
+        SourceSecurityGroupId: !Ref WebLoadBalancer
+      - IpProtocol: tcp
+        FromPort: 443
+        ToPort: 443
+        SourceSecurityGroupId: !Ref WebLoadBalancer
+
   Database:
     Type: AWS::EC2::SecurityGroup
     Properties:
@@ -136,6 +196,27 @@ Outputs:
           - - !Ref Environment
             - !Ref Platform
             - "ManagementSG"
+  WebAsgSG:
+    Description: Web auto-scaling group security group
+    Value: !Ref WebAsg
+    Export:
+      Name:
+        Fn::Join:
+          - ""
+          - - !Ref Environment
+            - !Ref Platform
+            - "WebAsgSG"
+
+  WebLoadBalancerSG:
+    Description: Web load balancer security group
+    Value: !Ref WebLoadBalancer
+    Export:
+      Name:
+        Fn::Join:
+          - ""
+          - - !Ref Environment
+            - !Ref Platform
+            - "WebLoadBalancerSG"
 
   AppAsgSG:
     Description: Application auto-scaling group security group
@@ -170,6 +251,17 @@ Outputs:
             - !Ref Platform
             - "DatabaseSG"
 
+  CloudfrontHTTPSG:
+    Description: Cloudfront HTTP Security Group
+    Value: !Ref CloudfrontHTTP
+    Export:
+      Name:
+        Fn::Join:
+          - ""
+          - - !Ref Environment
+            - !Ref Platform
+            - "CloudfrontHTTPSG"
+
   CloudfrontHTTPSSG:
     Description: Cloudfront HTTPS Security Group
     Value: !Ref CloudfrontHTTPS

diff --git a/vars/CKAN-Stack.var.yml b/vars/CKAN-Stack.var.yml
@@ -32,7 +32,8 @@ common_stack: &common_stack
     InternalStackZone: "{{ Environment }}CKANPrivateHostedZone"
     WebSubnets: "{{ Environment }}CKANWebSubnet"
     AdminSG: "{{ Environment }}CKANManagementSG"
-    LoadBalancerSG: "{{ Environment }}CKANAppLoadBalancerSG"
+    AppLBSG: "{{ Environment }}CKANAppLoadBalancerSG"
+    CloudFrontSG: "{{ Environment }}CKANCloudfrontHTTPSSG"
     DatabaseSG: "{{ Environment }}CKANDatabaseSG"
     EnableDataStore: "{{ enable_datastore | default('no') }}"
     SSMKey: "{{ SSMKey | default('') }}"