templates/bbb-on-aws-securitygroups.template.yaml

---
AWSTemplateFormatVersion: '2010-09-09'
Description: >

  This Cloudformation Template deploys the Security Groups used by all stacks.

  Disclaimer: Not for production use. Demo and testing purposes only.

  Author: David Surey <suredavi@amazon.com>

Parameters:
  BBBVPC:
    Description: Reference for the VPC
    Type: String
  BBBECSInstanceType: 
    Description: Set the ECS Cluster Type to either EC2 based or Fargate based deployments
    Type: String
  BBBFrontendType: 
    Type: String
    Default: Greenlight
    AllowedValues:
      - Greenlight
      - External

Conditions:
  BBBECSFargate: !Equals [!Ref BBBECSInstanceType, fargate]
  BBBECSEC2: !Not [!Equals [!Ref BBBECSInstanceType, fargate]]
  BBBGreenlight: !Equals [!Ref BBBFrontendType, Greenlight]

Resources:
  BBBECSTaskSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: ECS Instance Security Group
      VpcId: !Ref BBBVPC

  BBBECSTaskSecurityGroupPorts:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref BBBECSTaskSecurityGroup
      IpProtocol: tcp
      FromPort: !If [ BBBECSFargate, 80, 32768]
      ToPort: !If [ BBBECSFargate, 80, 60999]
      SourceSecurityGroupId: !Ref BBBScaleliteELBSecurityGroup

  BBBScaleliteELBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Scalelite Security Group
      VpcId: !Ref BBBVPC

  BBBScaleliteELBSecurityGroupPorts:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref BBBScaleliteELBSecurityGroup
      IpProtocol: tcp
      FromPort: 443
      ToPort: 443
      CidrIp: 0.0.0.0/0

  BBBFrontendELBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: ALB Security Group
      VpcId: !Ref BBBVPC

  BBBECSSecurityGroupPublicports:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      CidrIp: 0.0.0.0/0
      IpProtocol: tcp
      FromPort: 443
      ToPort: 443
      GroupId: !Ref BBBFrontendELBSecurityGroup

  BBBECSSecurityGroupPublicHTTP:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      CidrIp: 0.0.0.0/0
      IpProtocol: tcp
      FromPort: 80
      ToPort: 80
      GroupId: !Ref BBBFrontendELBSecurityGroup

  BBBFrontendSecurityGroupALBports:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref BBBECSTaskSecurityGroup
      IpProtocol: tcp
      FromPort: !If [ BBBECSFargate, 3000, 32768]
      ToPort: !If [ BBBECSFargate, 3000, 60999]
      SourceSecurityGroupId: !Ref BBBFrontendELBSecurityGroup

  BBBDBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId:
        Ref: BBBVPC
      GroupDescription: Security group for the Postgres DB

  BBBDBSecurityGroupPorts:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      SourceSecurityGroupId: !Ref BBBECSTaskSecurityGroup
      IpProtocol: tcp
      FromPort: 5432
      ToPort: 5432
      GroupId: !Ref BBBDBSecurityGroup

  BBBCACHEDBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId:
        Ref: BBBVPC
      GroupDescription: Security group for the Redis Cache

  BBBCACHEDBSecurityGroupPorts:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      SourceSecurityGroupId: !Ref BBBECSTaskSecurityGroup
      IpProtocol: tcp
      FromPort: 6379
      ToPort: 6379
      GroupId: !Ref BBBCACHEDBSecurityGroup

  BBBApplicationSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId:
        Ref: BBBVPC
      GroupDescription: Security group for the BigBlueButton Application Host

  BBBApplicationSecurityGroupWebSSLPort:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      CidrIp: 0.0.0.0/0
      IpProtocol: tcp
      FromPort: 443
      ToPort: 443
      GroupId: !Ref BBBApplicationSecurityGroup

  BBBApplicationSecurityGroupWebPlainPort:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      CidrIp: 0.0.0.0/0
      IpProtocol: tcp
      FromPort: 80
      ToPort: 80
      GroupId: !Ref BBBApplicationSecurityGroup

  BBBApplicationSecurityGroupVCPorts:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      CidrIp: 0.0.0.0/0
      IpProtocol: udp
      FromPort: 16384
      ToPort: 32768
      GroupId: !Ref BBBApplicationSecurityGroup

  BBBTurnSecurityGroupWebSSLUDPPort:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      CidrIp: 0.0.0.0/0
      IpProtocol: udp
      FromPort: 443
      ToPort: 443
      GroupId: !Ref BBBApplicationSecurityGroup

  BBBTurnSecurityGroupWebPlainUDPPort:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      CidrIp: 0.0.0.0/0
      IpProtocol: udp
      FromPort: 3478
      ToPort: 3478
      GroupId: !Ref BBBApplicationSecurityGroup

  BBBTurnSecurityGroupWebPlainTCPPort:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      CidrIp: 0.0.0.0/0
      IpProtocol: tcp
      FromPort: 3478
      ToPort: 3478
      GroupId: !Ref BBBApplicationSecurityGroup

  BBBSharedStorageSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId:
        Ref: BBBVPC
      GroupDescription: Security group for the Shared Storage

  BBBSharedStorageSecurityGroupApplicationPort:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      SourceSecurityGroupId: !Ref BBBApplicationSecurityGroup
      IpProtocol: tcp
      FromPort: 2049
      ToPort: 2049
      GroupId: !Ref BBBSharedStorageSecurityGroup

  BBBSharedStorageSecurityGroupECSPort:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      SourceSecurityGroupId: !Ref BBBECSTaskSecurityGroup
      IpProtocol: tcp
      FromPort: 2049
      ToPort: 2049
      GroupId: !Ref BBBSharedStorageSecurityGroup

Outputs:
  BBBECSTaskSecurityGroup:
    Description: A reference to the created Security Group for ECS
    Value: !Ref BBBECSTaskSecurityGroup
  BBBFrontendELBSecurityGroup:
    Description: A reference to the created Security Group for ELB
    Value: !Ref BBBFrontendELBSecurityGroup
  BBBScaleliteELBSecurityGroup:
    Description: A reference to the created Security Group for the Scalelite Load Balancer
    Value: !Ref BBBScaleliteELBSecurityGroup
  BBBDBSecurityGroup:
    Description: A reference to the created Security Group for the Database
    Value: !Ref BBBDBSecurityGroup
  BBBCACHEDBSecurityGroup:
    Description: A reference to the created Security Group for the Redis Cache
    Value: !Ref BBBCACHEDBSecurityGroup
  BBBApplicationSecurityGroup:
    Description: A reference to the created Security Group for the Public Ports of the Application
    Value: !Ref BBBApplicationSecurityGroup
  BBBSharedStorageSecurityGroup:
    Description: A reference to the created Security Group for the SharedStorage
    Value: !Ref BBBSharedStorageSecurityGroup