aws-samples / amazon-ec2-nice-dcv-samples

AWS CloudFormation templates to provision Linux or Windows EC2 instances with GUI running NICE DCV remote display server. Includes option to install GPU drivers
MIT No Attribution
37 stars, 3 forks

CloudFormation parameter for incoming port to allow external access to the service on the VM #4

Closed. ruzickap closed this 4 months ago

ruzickap commented 4 months ago

Would it be possible to add a parameter to the CloudFormation templates to open "selected" ports for incoming traffic?

For example, if I would like to install an HTTP server on the VM and host some files there...

Thank you for considering it.

limmike commented 4 months ago

Thanks for the suggestion! I have previously explored implementing the option for the user to specify additional ports in security group inbound rules. CloudFormation, however, does not seem to offer a built-in capability to dynamically add ports to a security group.

Instead of allowing users to specify them, I may consider adding an option in CloudFormation to open the HTTP/HTTPS ports, as web hosting is a common use case.

For now, you can go to the CloudFormation console, Resources section, click the securityGroup ID, and modify the inbound rules directly.
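The parameter-driven approach described in the comment above, as an added illustration rather than the repository's own template: a fixed set of AllowedValues drives Conditions, and each web port is a separate AWS::EC2::SecurityGroupIngress resource that exists only when its condition holds, which is how a template "opens" a port without editing an inline ingress list per user. The parameter and resource names (allowWebServerPorts, webSourceCidr, cloudFrontPrefixListId, securityGroup, cloudFrontSecurityGroup) are assumptions for this example, not the repository's identifiers. The CloudFront security group takes the ID of the AWS-managed prefix list com.amazonaws.global.cloudfront.origin-facing as a parameter because pl- IDs differ per account and region.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Added example (not the repository's template): optional HTTP/HTTPS ingress
  selected by a parameter, plus a CloudFront-only security group.

Parameters:
  allowWebServerPorts:
    Type: String
    Default: "None"
    AllowedValues: ["None", "HTTP", "HTTPS", "HTTP and HTTPS"]
    Description: Which web ports to open on the instance security group
  webSourceCidr:
    Type: String
    Default: "0.0.0.0/0"
    Description: Source CIDR for the HTTP/HTTPS rules (assumed parameter; narrow it where possible)
  cloudFrontPrefixListId:
    Type: String
    Default: ""
    Description: >-
      ID of the managed prefix list com.amazonaws.global.cloudfront.origin-facing;
      look it up with aws ec2 describe-managed-prefix-lists. Empty = no CloudFront group.
  vpcId:
    Type: AWS::EC2::VPC::Id

Conditions:
  openHttp: !Or
    - !Equals [!Ref allowWebServerPorts, "HTTP"]
    - !Equals [!Ref allowWebServerPorts, "HTTP and HTTPS"]
  openHttps: !Or
    - !Equals [!Ref allowWebServerPorts, "HTTPS"]
    - !Equals [!Ref allowWebServerPorts, "HTTP and HTTPS"]
  useCloudFront: !Not [!Equals [!Ref cloudFrontPrefixListId, ""]]

Resources:
  securityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Instance security group (the DCV 8443 rule is omitted in this example)
      VpcId: !Ref vpcId

  # One ingress resource per port, each gated by a Condition: the rule is
  # created or dropped on stack create/update purely from the parameter value.
  httpIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Condition: openHttp
    Properties:
      GroupId: !Ref securityGroup
      IpProtocol: tcp
      FromPort: 80
      ToPort: 80
      CidrIp: !Ref webSourceCidr

  httpsIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Condition: openHttps
    Properties:
      GroupId: !Ref securityGroup
      IpProtocol: tcp
      FromPort: 443
      ToPort: 443
      CidrIp: !Ref webSourceCidr

  # When the site is fronted by CloudFront, accept HTTP/HTTPS only from the
  # origin-facing edge addresses (SourcePrefixListId) instead of 0.0.0.0/0.
  cloudFrontSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Condition: useCloudFront
    Properties:
      GroupDescription: HTTP/HTTPS from CloudFront origin-facing addresses only
      VpcId: !Ref vpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          SourcePrefixListId: !Ref cloudFrontPrefixListId
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          SourcePrefixListId: !Ref cloudFrontPrefixListId

Outputs:
  SecurityGroup:
    Value: !Ref securityGroup
    Export:
      Name: !Sub "${AWS::StackName}-SecurityGroup"
```

Attaching cloudFrontSecurityGroup to the instance instead of opening 80/443 to the world keeps the origin reachable only through CloudFront, which is the point of using the managed prefix list as the source; the Export at the end is what lets other stacks reference the group without copying its ID.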

ruzickap commented 4 months ago

Thank you. Opening the HTTP/HTTPS in CloudFormation would be really handy.

Currently I'm using these two commands to identify the proper security group and add port 443 to it:

# Find the stack's security group: the one tagged Solution=${SOLUTION} (set elsewhere)
# that already has an inbound rule for port 8443 (the NICE DCV port) from 0.0.0.0/0.
AWS_EC2_SECURITY_GROUP_ID=$(
  aws ec2 describe-security-groups --output text \
    --filters "Name=tag:Solution,Values=${SOLUTION}" \
    --query 'SecurityGroups[?IpPermissions[?ToPort==`8443` && contains(IpRanges[].CidrIp, `0.0.0.0/0`)]].GroupId'
)

# Add an inbound rule for TCP/443 from anywhere to that group.
aws ec2 authorize-security-group-ingress --group-id "${AWS_EC2_SECURITY_GROUP_ID}" \
  --protocol tcp --port 443 --cidr 0.0.0.0/0

Obviously this is not very nice, because it needs to be done after CloudFormation and it brings configuration drift.

Having the HTTP/HTTPS ports opened using the CloudFormation template makes much more sense...

Thanks

limmike commented 4 months ago

Thank you for sharing your workflow.

I have added a parameter, allowWebServerPorts, as an option to open the HTTP and/or HTTPS ports, and added a security group using the AWS-managed prefix list for Amazon CloudFront as the source, for use cases where CloudFront is used.

I also added CloudFormation Exports for the SG, IAM role and Instance ID. Example:

% aws cloudformation list-exports 
{
    "Exports": [
        {
            "ExportingStackId": "arn:aws:cloudformation:ap-southeast-1:12345678:stack/StackName/1234567890",
            "Name": "StackName-SecurityGroup",
            "Value": "sg-03d1794701b4a55da"
        },
        {
        ......
        }
    ]
}

That allows us to easily retrieve the ID values for further customization.
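One way to use the exported security group ID for the "further customization" mentioned above, as an added example that is not part of the repository: a second, small stack that imports <StackName>-SecurityGroup with Fn::ImportValue and adds an ingress rule for an arbitrary port. This answers the original request (an extra port such as one for a file server) without the post-deployment CLI edits that cause drift, because the extra rule is itself a CloudFormation-managed resource. The parameter names (dcvStackName, extraPort, extraPortSourceCidr) and the default CIDR are assumptions for this example.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Added example (not from the repository): open one extra TCP port on the
  DCV instance's security group from a separate stack via the exported SG ID.

Parameters:
  dcvStackName:
    Type: String
    Description: Name of the DCV stack that exports <StackName>-SecurityGroup
  extraPort:
    Type: Number
    Default: 8080
    MinValue: 1
    MaxValue: 65535
    Description: TCP port to open (assumed example value)
  extraPortSourceCidr:
    Type: String
    Default: "203.0.113.0/24"  # documentation range used as a placeholder; replace it
    AllowedPattern: '^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$'
    Description: Prefer a specific source range over 0.0.0.0/0 for non-web ports

Resources:
  extraPortIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      # Resolve the export named "<dcvStackName>-SecurityGroup" at deploy time.
      GroupId:
        Fn::ImportValue: !Sub "${dcvStackName}-SecurityGroup"
      IpProtocol: tcp
      FromPort: !Ref extraPort
      ToPort: !Ref extraPort
      CidrIp: !Ref extraPortSourceCidr
      Description: !Sub "Extra port managed by stack ${AWS::StackName}"
```

Deploy it with, for example, `aws cloudformation deploy --template-file extra-port.yaml --stack-name dcv-extra-port --parameter-overrides dcvStackName=StackName`. Two caveats worth knowing: while this stack exists, the DCV stack cannot be deleted or have its export removed because the import creates a dependency, so delete the importing stack first; and the rule shows up in drift detection of the DCV stack as an unmanaged change only if added by hand, whereas this way both stacks report no drift.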

ruzickap commented 4 months ago

Awesome - works great :-) Thank you...