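Parameters:
  # Organisation-wide parameters (resourcePrefix, primaryRegion, the account
  # references used below, ...) are merged in from the parent file.
  <<: !Include '../_parameters.yaml'
  appName:
    Type: String
    Default: 'client-vpn'
  accountId:
    Type: String
    Description: The identifier for the account
    # The VPN endpoint and its IdP integration are deployed into the transit account.
    Default: !Ref TransitAccount
  vpnVpc:
    Type: String
    Description: The VPC name to associate with the VPN
    Default: 'unionstationvpc'
  splitTunnel:
    Type: String
    Description: "Indicates whether split-tunnel is enabled on the AWS Client VPN endpoint (false for full tunnel)"
    # The parameter is declared as a String, so the values are quoted: an
    # unquoted true/false is parsed as a YAML boolean rather than the string
    # "true"/"false" the type declares. Full tunnel (all client traffic routed
    # through the VPN) remains the default.
    Default: 'false'
    AllowedValues:
      - 'true'
      - 'false'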
VpnIdp:
  # SAML identity-provider integration for the Client VPN. Deployed only into
  # the transit account (accountId); the management account is excluded.
  Type: update-stacks
  Template: vpn-idp.yaml
  StackName: !Sub '${resourcePrefix}-${appName}-idp'
  StackDescription: Setup VPN integration with IDP
  DefaultOrganizationBindingRegion: !Ref primaryRegion
  DefaultOrganizationBinding:
    Account: !Ref accountId
  OrganizationBindings:
    AllBinding:
      Account:
        - !Ref accountId
      IncludeMasterAccount: false
  Parameters:
    # IdP SAML metadata documents, read from the repository at deploy time.
    # Two providers are created (the stack exports TransitVpnSamlProviderArn
    # and TransitVpnSspSamlProviderArn): one for VPN authentication and one
    # presumably for the self-service portal (SSP).
    # NOTE(review): SAML metadata carries the IdP signing certificate that AWS
    # trusts for assertions; if JumpCloud rotates that certificate these files
    # must be refreshed and redeployed or logins will fail. Confirm there is a
    # process for that.
    TransitVpnMetadata: !ReadFile idp/jumpcloud/transitvpn.xml
    TransitVpnSspMetadata: !ReadFile idp/jumpcloud/transitvpnssp.xml
Vpn:
  # The AWS Client VPN endpoint itself. Deployed into the transit account after
  # the IdP stack so the SAML provider ARNs it exports can be copied in.
  DependsOn: [ VpnIdp ]
  Type: update-stacks
  Template: vpn.yaml
  StackName: !Sub '${resourcePrefix}-${appName}'
  StackDescription: The AWS client VPN
  DefaultOrganizationBindingRegion: !Ref primaryRegion
  DefaultOrganizationBinding:
    Account: !Ref accountId
  OrganizationBindings:
    AllBinding:
      Account:
        - !Ref accountId
      IncludeMasterAccount: false
  Parameters:
    # Address pool assigned to connected clients. It must not overlap the
    # associated VPC (10.50.0.0/16, see VpnAuthRoutes) or any spoke CIDR
    # routed there; re-check this whenever a new spoke VPC is added.
    ClientCidrBlock: "10.100.0.0/16"
    # SAML providers exported by the VpnIdp stack (authentication and SSP).
    VpnSamlProviderArn: !CopyValue [!Sub '${resourcePrefix}-${appName}-idp-TransitVpnSamlProviderArn']
    VpnSspSamlProviderArn: !CopyValue [!Sub '${resourcePrefix}-${appName}-idp-TransitVpnSspSamlProviderArn']
    # VPC exported by the transit-gateway stack for ${vpnVpc}.
    VpcId: !CopyValue [!Sub '${resourcePrefix}-tgw-${vpnVpc}-VpcId']
    # Connection logs are the audit trail of client connections; kept for
    # 3653 days (~10 years).
    ConnectionLogGroup: !Sub '/aws/vpn/${resourcePrefix}-${appName}'
    # Maximum session duration before a client must reconnect.
    SessionTimeoutHours: "12"
    LogRetentionInDays: "3653"
    # manually generated and imported server cert, saved to lastpass "Sage VPN Certificate"
    # https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-getting-started.html#cvpn-getting-started-certs
    # NOTE(review): an imported ACM certificate is not auto-renewed by ACM;
    # track its expiry, re-import before it lapses, and update this ARN if the
    # certificate identifier changes. The ARN itself is not a secret.
    ServerCertificateArn: !Sub 'arn:aws:acm:${primaryRegion}:${accountId}:certificate/e749946e-981f-42b9-869e-f2adf362b2a8'
    SplitTunnel: !Ref splitTunnel
    # DNS servers pushed to clients: 10.50.0.2 (presumably the VPC resolver of
    # the 10.50.0.0/16 VPC, reachable only through the tunnel) followed by
    # Google public DNS.
    # NOTE(review): some client OSes query every configured resolver rather
    # than strictly in order, so lookups for private zones may be sent to
    # 8.8.8.8 (and fail to resolve there). Confirm that is acceptable or drop
    # the public fallback.
    VpnDnsServers: ["10.50.0.2", "8.8.8.8"]
VpnAuthRoutes:
  # Authorization rules and routes for the Client VPN endpoint, rendered from a
  # Nunjucks template using TemplatingContext below. Every spoke listed under
  # TgwSpokes gets a route plus an authorization rule per access group; a CIDR
  # not listed here is not reachable over the VPN.
  DependsOn: [ Vpn ]
  Type: update-stacks
  Template: vpn-auth-routes.njk
  StackName: !Sub '${resourcePrefix}-${appName}-auth-routes'
  StackDescription: Setup AWS client VPN authorizations and routes
  DefaultOrganizationBindingRegion: !Ref primaryRegion
  DefaultOrganizationBinding:
    Account: !Ref accountId
  OrganizationBindings:
    AllBinding:
      Account:
        - !Ref accountId
      IncludeMasterAccount: false
  Parameters:
    # Endpoint created by the Vpn stack.
    ClientVpnEndpointId: !CopyValue [!Sub '${resourcePrefix}-${appName}-EndpointId']
    SplitTunnel: !Ref splitTunnel
  TemplatingContext:
    # work around for issue https://github.com/org-formation/org-formation-cli/issues/259
    # The values are literal '!ImportValue ...' strings that end up in the
    # rendered template, where CloudFormation resolves them.
    SubnetIds:
      - !Sub '!ImportValue ${resourcePrefix}-tgw-${vpnVpc}-SubnetA'
      - !Sub '!ImportValue ${resourcePrefix}-tgw-${vpnVpc}-SubnetB'
      - !Sub '!ImportValue ${resourcePrefix}-tgw-${vpnVpc}-SubnetC'
    TgwSpokes:
      # "10.50.0.0/16" (unionstationvpc) route automatically setup by the VPN endpoint association
      # AccessGroups values must match Jumpcloud User Group names
      # NOTE(review): group matching is by name as presented by the IdP; a
      # misspelt group presumably matches no one, so test access after any
      # rename. "aws-admins" is granted on every spoke. Broad groups such as
      # "staff" and "scientists" reach several networks below - confirm that
      # their membership is reviewed as part of access reviews.
      # org-sagebase-itsandbox
      dustbunnyvpc:
        CIDR: "10.29.0.0/16"
        AccessGroups:
          - "aws-admins"
      # org-sagebase-scicomp
      computevpc:
        CIDR: "10.5.0.0/16"
        AccessGroups:
          - "aws-admins"
          - "aws-scicomp-developers"
          - "scientists"
      snowflakevpc:
        CIDR: "10.25.0.0/16"
        AccessGroups:
          - "aws-admins"
          - "aws-scicomp-developers"
      # org-sagebase-bridgedev
      BridgeServer2-develop-vpc:
        CIDR: "172.48.0.0/16"
        AccessGroups:
          - "aws-admins"
          - "bridge-developers"
      bridge-aux:
        CIDR: "172.51.0.0/16"
        AccessGroups:
          - "aws-admins"
          - "bridge-developers"
      # org-sagebase-bridgeprod
      BridgeServer2-vpc:
        CIDR: "172.32.0.0/16"
        AccessGroups:
          - "aws-admins"
          - "aws-bridgeprod-admins"
      # org-sagebase-synapsedw
      vpc:
        CIDR: "10.12.0.0/16"
        AccessGroups:
          - "aws-admins"
          - "aws-synapse-admins"
          - "synapsedw-users"
      # org-sagebase-synapsedev
      synapse-dev-vpc-2:
        CIDR: "10.24.0.0/16"
        AccessGroups:
          - "aws-admins"
          - "aws-synapse-admins"
          - "aws-synapsedev-developers"
      # org-sagebase-synapseprod
      synapse-prod-vpc-2:
        CIDR: "10.20.0.0/16"
        AccessGroups:
          - "aws-admins"
          - "aws-synapse-admins"
          - "aws-synapseprod-developers"
      synapse-ops-vpc-v2:
        CIDR: "10.30.0.0/16"
        AccessGroups:
          - "aws-admins"
          - "aws-synapse-admins"
          - "aws-synapseprod-developers"
      # org-sagebase-agora-dev
      agoradev-vpc:
        CIDR: "10.255.45.0/24"
        AccessGroups:
          - "aws-admins"
          - "aws-agoradev-admins"
          - "aws-agoradev-developers"
      # org-sagebase-scipooldev
      cesspoolvpc:
        CIDR: "10.31.0.0/16"
        AccessGroups:
          - "aws-admins"
          - "scientists"
      # org-sagebase-scipoolprod
      internalpoolvpc:
        CIDR: "10.41.0.0/16"
        AccessGroups:
          - "aws-admins"
          - "scientists"
      # org-sagebase-sageit
      defaultvpc:
        CIDR: "10.13.0.0/16"
        AccessGroups:
          - "aws-admins"
          - "scientists"
          - "sageit-users"
      # org-sagebase-dpe-prod
      orca-vpc:
        CIDR: "10.255.24.0/24"
        AccessGroups:
          - "aws-admins"
          - "staff"
VpnEndpointRedirect:
  # Friendly hostname that redirects users to the AWS Client VPN self-service
  # portal for this endpoint. Unlike the other tasks this is deployed into the
  # SageIT account, because that account owns the sageit.org zone and cert.
  DependsOn: [ Vpn ]
  # NOTE(review): the template is fetched from GitHub at deploy time and pinned
  # to a git tag. Tags can be moved; pinning to the commit SHA (or vendoring the
  # template) gives a stronger supply-chain guarantee for infrastructure code.
  Type: update-stacks
  Template: https://raw.githubusercontent.com/Sage-Bionetworks/aws-infra/v0.4.8/templates/s3-redirector.yaml
  StackName: !Sub '${resourcePrefix}-${appName}-redirect'
  StackDescription: Setup a redirect to the VPN URL endpoint
  DefaultOrganizationBindingRegion: !Ref primaryRegion
  DefaultOrganizationBinding:
    Account: !Ref SageITAccount
  Parameters:
    # the endpoint we are redirecting from
    SourceHostName: "vpn.sageit.org"
    SourceAcmCertificateArn: !CopyValue [!Sub '${primaryRegion}-sageit-org-acm-cert-CertificateArn']
    # ID of the sageit.org zone (in sageit account)
    SourceHostedZoneId: "Z0478495257GEB73WFM63"
    # the endpoint we are redirecting to (AWS VPN client self service)
    TargetHostName: "self-service.clientvpn.amazonaws.com"
    # and a path to our specific config
    # The endpoint ID is read cross-account from the Vpn stack in TransitAccount.
    TargetKey: !Join ['/', ['endpoints', !CopyValue [!Sub '${resourcePrefix}-${appName}-EndpointId', !Ref TransitAccount]]]