Move security group to it's own stack

Fix default subnet ids
Fix AMI

cloudy_mozdef/cloudformation/mozdef-instance.yml

@@ -20,11 +20,17 @@ Parameters:
   AutoScaleGroupSubnetIds:
     Type: "List<AWS::EC2::Subnet::Id>"
     Description: "A comma delimited list of subnet IDs"
-    Default: "subnet-8931f7ee,subnet-de322aa8,subnet-2582cd7d"
+    Default: "subnet-dd8eacb5,subnet-df8eacb7,subnet-de8eacb6"
   AMIImageId:
     Type: "String"
     Description: "The AMI Image ID to use of the EC2 instance"
     Default: "ami-0e7bda6769c8b3854"
+  MozDefSecurityGroupId:
+    Type: "String"
+    Description: "The security group to apply to the EC2 instance"
+  MozDefLoadBalancerSecurityGroupId:
+    Type: "String"
+    Description: "The security group to apply to the EC2 instance"
 Resources:
   MozDefElasticLoadBalancingV2TargetGroup:
     Type: AWS::ElasticLoadBalancingV2::TargetGroup
@@ -38,10 +44,14 @@ Resources:
   MozDefLaunchConfiguration:
     Type: AWS::AutoScaling::LaunchConfiguration
     Properties:
+      AssociatePublicIpAddress: true
       IamInstanceProfile: !Ref IamInstanceProfile
       ImageId: !Ref AMIImageId
       InstanceType: !Ref InstanceType
       KeyName: !Ref KeyName
+      SecurityGroups:
+        - !Ref MozDefSecurityGroupId
+      # UserData: xxx
   MozDefAutoScaleGroup:
     Type: AWS::AutoScaling::AutoScalingGroup
     Properties:
@@ -49,28 +59,20 @@ Resources:
       LaunchConfigurationName: !Ref MozDefLaunchConfiguration
       MaxSize: 1
       MinSize: 1
+      Tags:
+        - Key: Name
+          Value: mozdef
+          PropagateAtLaunch: true
+        - Key: application
+          Value: mozdef
+          PropagateAtLaunch: true
       TargetGroupARNs: !GetAtt MozDefElasticLoadBalancingV2TargetGroup.LoadBalancerArns
       VPCZoneIdentifier: !Ref AutoScaleGroupSubnetIds
-  MozDefLoadBalancerSecurityGroup:
-    Type: AWS::EC2::SecurityGroup
-    Properties:
-      GroupDescription: Security Group of the MozDef ALB
-      SecurityGroupEgress:
-        - Description: Allow all egress traffic
-          IpProtocol: -1
-          CidrIp: "0.0.0.0/0"
-      SecurityGroupIngress:
-        - Description: Allow 443 inbound from everywhere
-          IpProtocol: tcp
-          FromPort: 443
-          ToPort: 443
-          CidrIp: "0.0.0.0/0"
-      VpcId: !Ref VpcId
   MozDefElasticLoadBalancingV2LoadBalancer:
     Type: AWS::ElasticLoadBalancingV2::LoadBalancer
     Properties:
       SecurityGroups:
-        - !Ref MozDefLoadBalancerSecurityGroup
+        - !Ref MozDefLoadBalancerSecurityGroupId
       Subnets: !Ref AutoScaleGroupSubnetIds
       Tags:
         - Key: application

cloudy_mozdef/cloudformation/mozdef-parent.yml

@@ -12,16 +12,23 @@ Parameters:
   KeyName:
     Type: "AWS::EC2::KeyPair::KeyName"
     Description: "Name of an existing EC2 KeyPair to enable SSH access to the web server"
-    Default: "gene-keys"
+    Default: "infosec-pdx-workweek-2018"
   PublicSubnetIds:
     Type: "List<AWS::EC2::Subnet::Id>"
     Description: "A comma delimited list of public subnet IDs"
-    Default: "subnet-8931f7ee,subnet-de322aa8,subnet-2582cd7d"
+    Default: "subnet-dd8eacb5,subnet-df8eacb7,subnet-de8eacb6"
   AMIImageId:
     Type: "String"
     Description: "The AMI Image ID to use of the EC2 instance"
     Default: "ami-09c6e771"
 Resources:
+  MozDefSecurityGroups:
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      Tags:
+        - Key: application
+          Value: mozdef
+      TemplateURL: https://s3-us-west-2.amazonaws.com/mozdef.infosec.mozilla.org/cf/mozdef-security-group.yml
   MozDefIAMRoleAndInstanceProfile:
     Type: AWS::CloudFormation::Stack
     Properties:
@@ -39,7 +46,9 @@ Resources:
         IamInstanceProfile: !GetAtt MozDefIAMRoleAndInstanceProfile.Outputs.InstanceProfileArn
         AutoScaleGroupSubnetIds: !Join [ ",", !Ref PublicSubnetIds ]
         AMIImageId: !Ref AMIImageId
+        MozDefSecurityGroupId: !GetAtt MozDefSecurityGroups.Outputs.MozDefSecurityGroupId
+        MozDefLoadBalancerSecurityGroupId: !GetAtt MozDefSecurityGroups.Outputs.MozDefLoadBalancerSecurityGroupId
       Tags:
         - Key: application
           Value: mozdef
-      TemplateURL: https://s3-us-west-2.amazonaws.com/mozdef.infosec.mozilla.org/cf/mozdef-instance.yml
+      TemplateURL: https://s3-us-west-2.amazonaws.com/mozdef.infosec.mozilla.org/cf/mozdef-instance.yml

cloudy_mozdef/cloudformation/mozdef-security-group.yml

@@ -0,0 +1,53 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description: Create MozDef EC2 security groups
+Parameters:
+  VpcId:
+    Type: "AWS::EC2::VPC::Id"
+    Description: "The VPC ID of the VPC to deploy in"
+    Default: "vpc-dc8eacb4"
+Resources:
+  MozDefSecurityGroup:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      GroupDescription: Security Group of the MozDef EC2 instance
+      SecurityGroupEgress:
+      - IpProtocol: -1
+        CidrIp: 0.0.0.0/0
+      SecurityGroupIngress:
+      - IpProtocol: tcp
+        FromPort: 22
+        ToPort: 22
+        CidrIp: 0.0.0.0/0
+      - IpProtocol: tcp
+        FromPort: 80
+        ToPort: 80
+        SourceSecurityGroupId: !Ref MozDefLoadBalancerSecurityGroup
+      Tags:
+        - Key: application
+          Value: mozdef
+      VpcId: !Ref VpcId
+  MozDefLoadBalancerSecurityGroup:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      GroupDescription: Security Group of the MozDef ALB
+      SecurityGroupEgress:
+        - Description: Allow all egress traffic
+          IpProtocol: -1
+          CidrIp: "0.0.0.0/0"
+      SecurityGroupIngress:
+        - Description: Allow 443 inbound from everywhere
+          IpProtocol: tcp
+          FromPort: 443
+          ToPort: 443
+          CidrIp: "0.0.0.0/0"
+      Tags:
+        - Key: application
+          Value: mozdef
+      VpcId: !Ref VpcId
+Outputs:
+  MozDefSecurityGroupId:
+    Description: The security group ID of the MozDef EC2 instance security group
+    Value: !GetAtt MozDefSecurityGroup.GroupId
+  MozDefLoadBalancerSecurityGroupId:
+    Description: The security group ID of the MozDef load balancer security group
+    Value: !GetAtt MozDefLoadBalancerSecurityGroup.GroupId