
CloudFormation: Ignore changes

0

Being relatively new to CloudFormation, and having previously used Terraform, is there a way to ignore changes on a resource when performing a drift check?

We create a bastion host in each of our environments, which has a Security Group controlling access based upon IP addresses. Given that we have a home-based workforce, a user's IP address can change frequently. Users are able to manage updating the Security Group (SG) via the console/CLI, but it is too much/too complicated to expect them to manage changes via CloudFormation. Therefore, our bastion host stack is always DRIFTED. Is there any way, or a better way, of creating the bastion host SG so that it remains IN_SYNC, even though users will come and go and IP addresses will change?

Asked 2 years ago, 1221 views
2 answers
2
Accepted answer

You could consider parameterising the list of IP addresses in your CloudFormation template. That way, the users could simply click the "update" button on the CloudFormation stack, without having even to see the template, and update the current list of IP addresses in the comma-separated list in the parameter to include theirs.

Another simple option would be for you to configure the security group to permit traffic from an IP prefix list, AWS::EC2::PrefixList (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-prefixlist.html). Users could update the prefix list via the console, and the CloudFormation stack could only reference the prefix list ID in the SourcePrefixListId property of the inbound security group rule (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-securitygroupingress.html#cfn-ec2-securitygroupingress-sourceprefixlistid).

If you want to avoid having to hardcode or parameterise the prefix list ID in your CloudFormation template, you could also place it in a parameter in the SSM parameter store and import the value into the CloudFormation stack: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-pattern

Expert
Answered 2 years ago
Expert
Reviewed 2 years ago
Expert
Reviewed 2 years ago
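The prefix-list and SSM options from the accepted answer, written out as a template. This is an added example, not code from the original post or from AWS; the SSM parameter name `/bastion/allowed-ips-prefix-list-id`, the `VpcId` parameter, the port (22) and the resource names are assumptions. The stack owns only the security group and a rule that points at a managed prefix list; the list's entries are maintained outside the stack, so the value the stack holds (the `pl-` ID) never changes and drift detection stays IN_SYNC.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Bastion host security group whose allowed source CIDRs live in a managed
  prefix list that is administered outside this stack (example template).

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: VPC in which the bastion security group is created

Resources:
  BastionSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Bastion host - inbound SSH restricted to the team prefix list
      VpcId: !Ref VpcId
      # No SecurityGroupIngress here: the rule is a separate resource below so
      # the group itself carries nothing that users would ever need to edit.

  BastionSshFromPrefixList:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref BastionSecurityGroup
      Description: SSH from home IPs held in the team managed prefix list
      IpProtocol: tcp
      FromPort: 22
      ToPort: 22
      # The prefix list ID (pl-xxxxxxxx) is read from an SSM String parameter
      # at stack create/update time via a dynamic reference. Assumed parameter
      # name; it must exist before the stack is deployed. Omitting the trailing
      # ":version" makes CloudFormation use the latest parameter value.
      SourcePrefixListId: "{{resolve:ssm:/bastion/allowed-ips-prefix-list-id}}"

Outputs:
  BastionSecurityGroupId:
    Description: ID of the bastion security group
    Value: !Ref BastionSecurityGroup
```

Users then add or remove their CIDR in the prefix list through the console or with `aws ec2 modify-managed-prefix-list --prefix-list-id <pl-id> --current-version <n> --add-entries Cidr=<ip>/32,Description=<who>`, and the stack never sees a change. Two caveats: the `Entries` property of an `AWS::EC2::PrefixList` resource would drift exactly as the security group rule did, which is why the list itself is kept out of this stack (or, as the follow-up comment suggests, created in a separate stack whose resources are retained), and an SSM dynamic reference is only resolved when the stack is created or updated, so the SSM value should be treated as a long-lived pointer rather than something that changes often.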
0

Ooh, I like the idea, Leo K, of using a Prefix List as a way of keeping the bastion host SG IN_SYNC, though I assume I'll have to manually create the Prefix List outside CloudFormation as otherwise all I'm doing is moving the issue to another stack.

I'm already considering the need, for Business Continuity/Disaster Recovery purposes, of creating a CloudFormation script that will create some resources initially, and then deleting the stack but retaining the resources as they are too dynamic to manage through CloudFormation. This could include the Prefix List, and then add the details to SSM, which I'm also looking to adopt to predefine parameters so nested scripts will run non-interactively.

This is definitely food for thought. Many thanks.

Answered 2 years ago
