Make bastion an optional component.

aws-samples · Jan 4, 2019 · c9e137e · c9e137e
1 parent 80c31db
commit c9e137e
Show file tree

Hide file tree

Showing 5 changed files with 613 additions and 20 deletions.
diff --git a/cmd.sh b/cmd.sh
@@ -0,0 +1 @@
+aws cloudformation create-stack --region=us-east-1 --stack-name startupkit-eb --template-body file://vpc-eb-rds.cfn.yml --capabilities CAPABILITY_IAM --parameters ParameterKey=DatabasePassword,ParameterValue=aquasush ParameterKey=TemplateBucket,ParameterValue=gjg-startupkit-templates ParameterKey=AppS3Bucket,ParameterValue=gjg-startupkit-testing ParameterKey=AppS3Key,ParameterValue=demoapp/1.zip ParameterKey=AvailabilityZone1,ParameterValue=us-east-1a ParameterKey=AvailabilityZone2,ParameterValue=us-east-1b ParameterKey=StackType,ParameterValue=rails
diff --git a/templates/bastion.cfn.yml b/templates/bastion.cfn.yml
@@ -19,7 +19,8 @@ Parameters:
 
   KeyName:
     Description: EC2 key pair name for bastion host SSH access
-    Type: AWS::EC2::KeyPair::KeyName
+    Type: String
+    Default: ''
 
   LogRetentionInDays:
     Description: Number of days you would like your CloudWatch Logs to be retained
@@ -36,6 +37,9 @@ Parameters:
       - true
       - false
 
+Conditions:
+  HasKeyName: !Not [ !Equals [ !Ref KeyName, '' ]]
+
 Mappings:
 
   # Amazon Linux AMI - https://aws.amazon.com/amazon-linux-ami/
@@ -211,7 +215,7 @@ Resources:
 
     Properties:
       InstanceType: t2.micro
-      KeyName: !Ref KeyName
+      KeyName: !If [ HasKeyName, !Ref KeyName, !Ref "AWS::NoValue" ]
       NetworkInterfaces:
         - NetworkInterfaceId: !Ref BastionNetworkInterface
           DeviceIndex: 0

diff --git a/templates/elastic-beanstalk.cfn.yml b/templates/elastic-beanstalk.cfn.yml
@@ -43,6 +43,14 @@ Parameters:
     MaxLength: 255
     AllowedPattern: "^[a-zA-Z][-a-zA-Z0-9]*$"
 
+  Bastion:
+    Description: Flag on whether to allow SSH access to instances via bastion instead of Session Manager
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+
   DatabaseStackName:
     Description: Name of an active CloudFormation stack of database resources
     Type: String
@@ -80,7 +88,8 @@ Parameters:
 
   EC2KeyPairName:
     Description: EC2 key pair name for SSH access
-    Type: AWS::EC2::KeyPair::KeyName
+    Type: String
+    Default: ''
 
   DevInstanceType:
     Description: The instance type for the dev environment
@@ -122,16 +131,19 @@ Parameters:
 Conditions:
 
   CreateProdEnv: !Equals [ !Ref EnvironmentName, prod ]
+  HasKeyName: !Not [ !Equals [ !Ref EC2KeyPairName, '' ]]
 
   TlsEnabled: !Not [ !Equals [ !Ref SSLCertificateArn, "" ] ]
 
+  CreateBastion: !Equals [ !Ref Bastion, true ]
+
 Mappings:
   # Maps stack type parameter to solution stack name string
   StackMap:
     node:
       stackName: 64bit Amazon Linux 2018.03 v4.5.3 running Node.js
     rails:
-      stackName: 64bit Amazon Linux 2018.03 v2.8.3 running Ruby 2.4 (Puma)
+      stackName: 64bit Amazon Linux 2018.03 v2.8.7 running Ruby 2.4 (Puma)
     spring:
       stackName: 64bit Amazon Linux 2018.03 v3.0.3 running Tomcat 8 Java 8
     python:
@@ -213,18 +225,20 @@ Resources:
         Value: !Ref AutoScalingMaxInstanceCount
 
       - Namespace: aws:autoscaling:launchconfiguration
-        OptionName: SecurityGroups
-        Value:
-          Fn::ImportValue: !Sub "${NetworkStackName}-AppSecurityGroupID"
+        OptionName: SSHSourceRestriction
+        Value: !If 
+          - CreateBastion
+          - "Fn::Join":
+            - ','
+            - - 'tcp, 22, 22'
+              - !ImportValue
+                  "Fn::Sub": "${NetworkStackName}-BastionGroupID"
+          - 'tcp, 22, 22, 127.0.0.1/32'
 
       - Namespace: aws:autoscaling:launchconfiguration
-        OptionName: SSHSourceRestriction
+        OptionName: SecurityGroups
         Value:
-          "Fn::Join":
-          - ','
-          - - 'tcp, 22, 22'
-            - !ImportValue
-                "Fn::Sub": "${NetworkStackName}-BastionGroupID"
+          Fn::ImportValue: !Sub "${NetworkStackName}-AppSecurityGroupID"
 
       - Namespace: aws:autoscaling:launchconfiguration
         OptionName: InstanceType
@@ -236,7 +250,7 @@ Resources:
 
       - Namespace: aws:autoscaling:launchconfiguration
         OptionName: EC2KeyName
-        Value: !Ref EC2KeyPairName
+        Value: !If [ HasKeyName, !Ref EC2KeyPairName, !Ref "AWS::NoValue" ]
 
       - Namespace: aws:autoscaling:updatepolicy:rollingupdate
         OptionName: RollingUpdateEnabled

diff --git a/templates/vpc.cfn.yml b/templates/vpc.cfn.yml
@@ -4,8 +4,8 @@ AWSTemplateFormatVersion: 2010-09-09
 Description: SASKV5N VPC
 
 # This VPC stack should be created first before any other
-# CloudFormation stacks, such as a bastion stack, database
-# stack and application stack
+# CloudFormation stacks, such as a database stack 
+# and application stack
 Parameters:
 
   AvailabilityZone1:
@@ -18,6 +18,14 @@ Parameters:
     Type: AWS::EC2::AvailabilityZone::Name
     ConstraintDescription: Must be a valid availability zone
 
+  Bastion:
+    Description: Flag on whether to allow SSH access to instances via bastion instead of Session Manager
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+
   SSHFrom:
     Description: Limit SSH access to bastion hosts to a CIDR IP block
     Type: String
@@ -76,6 +84,7 @@ Metadata:
 Conditions:
   CreateSingleNatGateway: !Equals [ !Ref SingleNatGateway, true ]
   CreateMultipleNatGateways: !Not [ Condition: CreateSingleNatGateway ]
+  CreateBastion: !Equals [ !Ref Bastion, true ]
 
 Mappings:
 
@@ -230,10 +239,6 @@ Resources:
         IpProtocol: tcp
         ToPort: !Ref AppIngressPort
         FromPort: !Ref AppIngressPort
-      - SourceSecurityGroupId: !Ref BastionSecurityGroup
-        IpProtocol: tcp
-        ToPort: 22
-        FromPort: 22
       Tags:
       - Key: Name
         Value: !Sub "${AWS::StackName}-AppSecurityGroup"
@@ -248,6 +253,7 @@ Resources:
       SourceSecurityGroupId: !Ref ELBSecurityGroup
 
   AppSecurityGroupFromBastionIngress:
+    Condition: CreateBastion
     Type: AWS::EC2::SecurityGroupIngress  # prevent security group circular references
     Properties:
       GroupId: !Ref AppSecurityGroup
@@ -257,6 +263,7 @@ Resources:
       SourceSecurityGroupId: !Ref BastionSecurityGroup
 
   BastionSecurityGroup:
+    Condition: CreateBastion
     Type: AWS::EC2::SecurityGroup
     Properties:
       GroupDescription: Enable access to the bastion host
@@ -284,6 +291,7 @@ Resources:
         Value: !Sub "${AWS::StackName}-BastionSecurityGroup"
 
   BastionSecurityGroupToAppEgress:
+    Condition: CreateBastion
     Type: AWS::EC2::SecurityGroupEgress  # prevent security group circular references
     Properties:
       GroupId: !Ref BastionSecurityGroup
@@ -293,6 +301,7 @@ Resources:
       DestinationSecurityGroupId: !Ref AppSecurityGroup
 
   BastionSecurityGroupToDbEgress:
+    Condition: CreateBastion
     Type: AWS::EC2::SecurityGroupEgress  # prevent security group circular references
     Properties:
       GroupId: !Ref BastionSecurityGroup
@@ -320,6 +329,7 @@ Resources:
         Value: !Sub "${AWS::StackName}-DbSecurityGroup"
 
   DbSecurityGroupFromBastionIngress:
+    Condition: CreateBastion
     Type: AWS::EC2::SecurityGroupIngress  # prevent security group circular references
     Properties:
       GroupId: !Ref DbSecurityGroup
@@ -482,6 +492,7 @@ Outputs:
 
   BastionSecurityGroup:
     Description: Security group ID for bastion host
+    Condition: CreateBastion
     Value: !GetAtt BastionSecurityGroup.GroupId
     Export:
       Name: !Sub "${AWS::StackName}-BastionGroupID"