The following "01-security-group.config" was created under the .ebextensions directory.
I then ran eb create using the PHP sample application (php.zip).
The VPC is a custom VPC, not a default VPC.
EC2 and ELB are located on public subnets.
A KeyPair is also set.
```yaml
Resources:
  AWSEBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: EC2 SecurityGroup for ElasticBeanstalk environment.
      SecurityGroupIngress:
        - ToPort: 80
          FromPort: 80
          IpProtocol: tcp
          SourceSecurityGroupId: { "Fn::GetAtt" : [ "AWSEBLoadBalancerSecurityGroup", "GroupId" ]}
        - ToPort: 22
          FromPort: 22
          IpProtocol: tcp
          CidrIp: xx.xx.xx.xx/32
```
The expectation is that the AWSEBSecurityGroup description field and inbound rules will be as specified.
However, the results are as follows, with a different description and an unnecessary rule (SSH, 0.0.0.0/0).
ID: sg-058b4d99a88ea5c75
Description: VPC Security Group
Inbound Rules

| Type | Protocol | Port | Source |
|---|---|---|---|
| SSH | TCP | 22 | 0.0.0.0/0 |
| HTTP | TCP | 80 | awseb-e-kbmrvrb9qk-stack-AWSEBLoadBalancerSecurityGroup-DXLN25QVL0F9 |
| SSH | TCP | 22 | xx.xx.xx.xx/32 |
Next, eb deploy was run with the following changes.
```yaml
Resources:
  AWSEBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: EC2 SecurityGroup for ElasticBeanstalk environment.
      SecurityGroupIngress:
        - ToPort: 80
          FromPort: 80
          IpProtocol: tcp
          SourceSecurityGroupId: { "Fn::GetAtt" : [ "AWSEBLoadBalancerSecurityGroup", "GroupId" ]}
option_settings:
  aws:autoscaling:launchconfiguration:
    SSHSourceRestriction: tcp, 22, 22, xx.xx.xx.xx/32
```
There are no more unnecessary rules in the security group as shown below.
ID: sg-058b4d99a88ea5c75
Description: VPC Security Group
Inbound Rules

| Type | Protocol | Port | Source |
|---|---|---|---|
| HTTP | TCP | 80 | awseb-e-kbmrvrb9qk-stack-AWSEBLoadBalancerSecurityGroup-DXLN25QVL0F9 |
| SSH | TCP | 22 | xx.xx.xx.xx/32 |
Based on the above, I have two questions.
- I would like to complete the configuration with just Resources instead of separating it into Resources and option_settings. Is there a way to do this?
- Is it possible to change the description field?
For your information, AWSEBLoadBalancerSecurityGroup reflects the description field (the security group is replaced). Thanks.
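As an added example that is not part of the original post: a check that flags the unexpected world-open SSH rule shown in the first table, so a deployment pipeline can catch it after `eb create` rather than by reading the console. It is written against the dict shape that boto3's `ec2.describe_security_groups()` returns; the sample data is constructed inline, and the load balancer group id and the /32 source address are placeholders.

```python
# Added example, not code from the original post. Flags ingress rules that open a port
# (SSH by default) to the whole internet. The input dict uses the shape boto3's
# ec2.describe_security_groups() returns for one group, so the same function can be
# run over a live response; the samples below are constructed from the post's tables.
from typing import Dict, List

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def port_in_rule(rule: Dict, port: int) -> bool:
    """True if the rule's port range covers `port` (all-traffic rules use protocol -1)."""
    if rule.get("IpProtocol") == "-1":
        return True
    return rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)


def world_open_findings(sg: Dict, port: int = 22) -> List[str]:
    """Return one finding per ingress rule that exposes `port` to 0.0.0.0/0 or ::/0."""
    findings = []
    for rule in sg.get("IpPermissions", []):
        if not port_in_rule(rule, port):
            continue
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if cidr in WORLD_CIDRS:
                findings.append(f"{sg['GroupId']}: port {port} open to {cidr}")
    return findings


# Constructed sample mirroring the first table: the extra SSH 0.0.0.0/0 rule beside the
# two rules the config asked for. 203.0.113.10/32 stands in for the post's xx.xx.xx.xx/32.
AFTER_EB_CREATE = {
    "GroupId": "sg-058b4d99a88ea5c75",
    "Description": "VPC Security Group",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-LOADBALANCER-PLACEHOLDER"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "UserIdGroupPairs": []},
    ],
}

# Constructed sample mirroring the second table, after SSHSourceRestriction was set.
AFTER_FIX = {"GroupId": "sg-058b4d99a88ea5c75",
             "IpPermissions": AFTER_EB_CREATE["IpPermissions"][1:]}

if __name__ == "__main__":
    for sg in (AFTER_EB_CREATE, AFTER_FIX):
        print(sg["GroupId"], world_open_findings(sg) or "no world-open SSH rule")
```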
Hi Tsumita, Thanks.