From a3337a4edd2c3de034f50926fb20fb1383bcbd34 Mon Sep 17 00:00:00 2001 From: Jesse Mandel Date: Mon, 1 May 2023 12:36:17 -0700 Subject: [PATCH 1/2] Issue #198 - Add ForcePrivateOnly parameter to disable private IP --- ...nux-bastion-entrypoint-existing-vpc.template.yaml | 12 +++++++++++- .../linux-bastion-entrypoint-new-vpc.template.yaml | 12 +++++++++++- 2 files changed, 22 insertions(+), 2 deletions(-) diff --git a/templates/linux-bastion-entrypoint-existing-vpc.template.yaml b/templates/linux-bastion-entrypoint-existing-vpc.template.yaml index 4931a96..c1813d4 100644 --- a/templates/linux-bastion-entrypoint-existing-vpc.template.yaml +++ b/templates/linux-bastion-entrypoint-existing-vpc.template.yaml @@ -18,6 +18,7 @@ Metadata: - PublicSubnet1ID - PublicSubnet2ID - RemoteAccessCIDR + - ForcePrivateOnly - Label: default: IAM configuration Parameters: @@ -79,6 +80,8 @@ Metadata: default: X11 forwarding EnvironmentVariables: default: Environment variables + ForcePrivateOnly: + default: Use to disable public IP KeyPairName: default: Key pair name NumBastionHosts: @@ -254,6 +257,11 @@ Parameters: AllowedPattern: ^disabled-onlyssmaccess$|^pl-([0-9a-f]{8}|[0-9a-f]{17})$|^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ ConstraintDescription: CIDR block parameter must be disabled-onlyssmaccess or in the format "x.x.x.x/x". Default: disabled-onlyssmaccess + ForcePrivateOnly: + Type: String + Description: Choose "true" to disable public IP. + AllowedValues: ['true', 'false'] + Default: "false" VPCID: Type: AWS::EC2::VPC::Id Description: ID of the VPC (for example, vpc-0343606e). 
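Review bot: The `ForcePrivateOnly` description in the `@@ -254,6 +257,11 @@` hunk says only that it disables the public IP and leaves the operator to guess how the bastion is then reached; I would write `Description: Choose "true" to skip allocating an Elastic IP for the bastion hosts, leaving them reachable only through Session Manager or from networks routed into the VPC.` and, if the security-group ingress is keyed on RemoteAccessCIDR rather than on NeedsEip (not visible in this hunk, confirm first), add that RemoteAccessCIDR is still applied as configured. The label `default: Use to disable public IP` reads as an instruction where the neighbouring labels (`X11 forwarding`, `Environment variables`, `Key pair name`) are noun phrases; `default: Disable public IP` fits that convention. The same description and label appear in the new-VPC template at `@@ -83,6 +84,8 @@` and `@@ -289,6 +292,11 @@`. The patch subject says "disable private IP" while the parameter disables the public IP, which is presumably a slip worth fixing before merge.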
@@ -638,7 +646,9 @@ Conditions: - !Not [!Equals [!Ref RemoteAccessCIDR, disabled-onlyssmaccess]] - !Not [!Condition HasPrefixList] HasPrefixList: !Equals [!Select [0, !Split ['-', !Ref RemoteAccessCIDR]], pl] - NeedsEip: !Or [!Condition HasRemoteCIDR, !Condition HasPrefixList] + NeedsEip: !And + - !Or [!Condition HasRemoteCIDR, !Condition HasPrefixList] + - !Equals [!Ref ForcePrivateOnly, 'false'] UseAlternativeInitialization: !Not [!Equals [!Ref AlternativeInitializationScript, '']] CreateIAMRole: !Equals [!Ref AlternativeIAMRole, ''] UseOSImageOverride: !Not [!Equals [!Ref OSImageOverride, '']] diff --git a/templates/linux-bastion-entrypoint-new-vpc.template.yaml b/templates/linux-bastion-entrypoint-new-vpc.template.yaml index 50fbfc0..604402f 100644 --- a/templates/linux-bastion-entrypoint-new-vpc.template.yaml +++ b/templates/linux-bastion-entrypoint-new-vpc.template.yaml @@ -20,6 +20,7 @@ Metadata: - PublicSubnet2CIDR - RemoteAccessCIDR - VPCTenancy + - ForcePrivateOnly - Label: default: IAM configuration Parameters: @@ -83,6 +84,8 @@ Metadata: default: X11 forwarding EnvironmentVariables: default: Environment variables + ForcePrivateOnly: + default: Use to disable public IP KeyPairName: default: Key pair name NumBastionHosts: @@ -289,6 +292,11 @@ Parameters: AllowedPattern: ^disabled-onlyssmaccess$|^pl-([0-9a-f]{8}|[0-9a-f]{17})$|^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ ConstraintDescription: CIDR block parameter must be disabled-onlyssmaccess or in the format "x.x.x.x/x". Default: disabled-onlyssmaccess + ForcePrivateOnly: + Type: String + Description: Choose "true" to disable public IP. + AllowedValues: ['true', 'false'] + Default: "false" VPCCIDR: Type: String Description: CIDR block for the VPC. 
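Review bot: `NeedsEip` in the `@@ -638,7 +646,9 @@` hunk suppresses the Elastic IP whenever `ForcePrivateOnly` is `'true'`, but `HasRemoteCIDR` and `HasPrefixList`, which it is now ANDed with, are untouched and presumably still drive the SSH ingress rules elsewhere in the template, so a stack with `ForcePrivateOnly: 'true'` and a public `RemoteAccessCIDR` would likely end up with an internet-sourced ingress rule on a host that has no public address. That is not a functional defect, but the coupling deserves a comment above the condition, e.g. `# ForcePrivateOnly only suppresses the EIP; RemoteAccessCIDR / prefix list still govern security-group ingress.`, and the parameter description should say the same. The comparison against the literal `'false'` is correct only because `AllowedValues` pins the parameter to `'true'`/`'false'`; `- !Not [!Equals [!Ref ForcePrivateOnly, 'true']]` would keep the default-deny reading if the allowed values are ever relaxed. The new-VPC template's `NeedsEip` at `@@ -335,7 +343,9 @@` has the same shape and the same note applies there.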
@@ -335,7 +343,9 @@ Parameters: Description: Will be attached to all created IAM roles to satisfy security requirements. Default: '' Conditions: - NeedsEip: !Not [!Equals [!Ref RemoteAccessCIDR, disabled-onlyssmaccess]] + NeedsEip: !And + - !Not [!Equals [!Ref RemoteAccessCIDR, disabled-onlyssmaccess]] + - !Equals [!Ref ForcePrivateOnly, 'false'] UsingDefaultBucket: !Equals [!Ref QSS3BucketName, aws-quickstart] Resources: VPCStack: From 96727da2fcb138fed4faf4e0739a324a4aefa715 Mon Sep 17 00:00:00 2001 From: Jesse Mandel Date: Mon, 1 May 2023 12:54:26 -0700 Subject: [PATCH 2/2] match convention --- templates/linux-bastion-entrypoint-existing-vpc.template.yaml | 2 +- templates/linux-bastion-entrypoint-new-vpc.template.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/linux-bastion-entrypoint-existing-vpc.template.yaml b/templates/linux-bastion-entrypoint-existing-vpc.template.yaml index c1813d4..777083c 100644 --- a/templates/linux-bastion-entrypoint-existing-vpc.template.yaml +++ b/templates/linux-bastion-entrypoint-existing-vpc.template.yaml @@ -261,7 +261,7 @@ Parameters: Type: String Description: Choose "true" to disable public IP. AllowedValues: ['true', 'false'] - Default: "false" + Default: 'false' VPCID: Type: AWS::EC2::VPC::Id Description: ID of the VPC (for example, vpc-0343606e). diff --git a/templates/linux-bastion-entrypoint-new-vpc.template.yaml b/templates/linux-bastion-entrypoint-new-vpc.template.yaml index 604402f..d8f7586 100644 --- a/templates/linux-bastion-entrypoint-new-vpc.template.yaml +++ b/templates/linux-bastion-entrypoint-new-vpc.template.yaml @@ -296,7 +296,7 @@ Parameters: Type: String Description: Choose "true" to disable public IP. AllowedValues: ['true', 'false'] - Default: "false" + Default: 'false' VPCCIDR: Type: String Description: CIDR block for the VPC.