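---
# Ansible playbook: reconcile the ingress/egress rules of three staging
# EC2 security groups (web, database, nat) in one VPC.
#
# Runs from the control host against the AWS API (no SSH to instances),
# so fact gathering is switched off. The VPC id comes from the vars file
# `staging_vpc_info` (key `staging_vpc`); region, operator IP and naming
# prefix are plain vars below.
#
# NOTE(review): ec2_group is expected to remove any rule on the group that
# is not listed here (default purge behaviour) — confirm against the module
# version in use before running this against groups that carry rules
# managed elsewhere.
- hosts: localhost
  connection: local
  # No remote hosts are touched; skipping facts avoids a needless setup step.
  gather_facts: false
  vars_files:
    - staging_vpc_info
  vars:
    # AWS region the VPC lives in.
    region: ap-southeast-2
    # Operator source address granted SSH (tcp/22) into the web and nat groups.
    # Keep this a single-host /32; widening it widens the SSH attack surface.
    allowed_ip: 54.79.34.239/32
    # Prefix used to derive every security group name below.
    prefix: staging
    # Supplied by the vars file; the groups are modified inside this VPC only.
    vpc_id: "{{ staging_vpc }}"
    # Private subnet whose instances may reach the nat group on 80/443.
    private_subnet: 10.0.1.0/24
  tasks:
    # NOTE(review): this task references "{{ prefix }}_sg_database" by name
    # before the database task below runs — assumes both groups already
    # exist (this is a modify playbook); verify for a fresh account.
    - name: modify sg_web rules
      ec2_group:
        region: "{{ region }}"
        vpc_id: "{{ vpc_id }}"
        # Security group name, derived from the prefix.
        name: "{{ prefix }}_sg_web"
        description: security group for webservers
        rules:
          # allow ssh access from the operator ip address only
          - proto: tcp
            from_port: 22
            to_port: 22
            cidr_ip: "{{ allowed_ip }}"
          # allow http access from anywhere (public web tier)
          - proto: tcp
            from_port: 80
            to_port: 80
            cidr_ip: 0.0.0.0/0
          # allow https access from anywhere (public web tier)
          - proto: tcp
            from_port: 443
            to_port: 443
            cidr_ip: 0.0.0.0/0
        rules_egress:
          # allow mysql outbound only to members of the database group
          - proto: tcp
            from_port: 3306
            to_port: 3306
            group_name: "{{ prefix }}_sg_database"
          # allow http outbound
          - proto: tcp
            from_port: 80
            to_port: 80
            cidr_ip: 0.0.0.0/0
          # allow https outbound
          - proto: tcp
            from_port: 443
            to_port: 443
            cidr_ip: 0.0.0.0/0
    - name: modify sg_database rules
      ec2_group:
        region: "{{ region }}"
        vpc_id: "{{ vpc_id }}"
        name: "{{ prefix }}_sg_database"
        description: security group for databases
        rules:
          # allow mysql inbound only from members of the web group;
          # no ssh and no public ingress on this tier
          - proto: tcp
            from_port: 3306
            to_port: 3306
            group_name: "{{ prefix }}_sg_web"
        rules_egress:
          # allow http outbound
          - proto: tcp
            from_port: 80
            to_port: 80
            cidr_ip: 0.0.0.0/0
          # allow https outbound
          - proto: tcp
            from_port: 443
            to_port: 443
            cidr_ip: 0.0.0.0/0
    - name: modify sg_nat rules
      ec2_group:
        region: "{{ region }}"
        vpc_id: "{{ vpc_id }}"
        name: "{{ prefix }}_sg_nat"
        description: security group for nat
        rules:
          # allow ssh access from the operator ip address only
          - proto: tcp
            from_port: 22
            to_port: 22
            cidr_ip: "{{ allowed_ip }}"
          # allow http access from the private subnet
          - proto: tcp
            from_port: 80
            to_port: 80
            cidr_ip: "{{ private_subnet }}"
          # allow https access from the private subnet
          - proto: tcp
            from_port: 443
            to_port: 443
            cidr_ip: "{{ private_subnet }}"
        rules_egress:
          # allow http outbound
          - proto: tcp
            from_port: 80
            to_port: 80
            cidr_ip: 0.0.0.0/0
          # allow https outbound
          - proto: tcp
            from_port: 443
            to_port: 443
            cidr_ip: 0.0.0.0/0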