From e4823d6a740cf1a9b37a71b1bf47ba219f435ab0 Mon Sep 17 00:00:00 2001
From: Marco Marasca <8505576+marcomarasca@users.noreply.github.com>
Date: Tue, 7 Jan 2025 09:42:55 -0800
Subject: [PATCH 1/2] IT-4226: Add option OSS VPC endpoint for the VPC

---
 templates/vpc.yaml | 50 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)

diff --git a/templates/vpc.yaml b/templates/vpc.yaml
index d52846a..0d286a6 100644
--- a/templates/vpc.yaml
+++ b/templates/vpc.yaml
@@ -42,9 +42,19 @@ Parameters:
 - true
 - false
 Default: true
+ IncludeOpenSearchServerlessEndpoint:
+ Type: String
+ Description: >
+ true to deploy an OpenSearch Serverless VPC endpoint
+ false (default) to skip the OpenSearch Serverless VPC endpoint
+ AllowedValues:
+ - true
+ - false
+ Default: false
 Conditions:
 EnableS3GatewayEndpoint: !Equals [!Ref IncludeS3GatewayEndpoint, true]
 EnableBastianSecurityGroup: !Equals [!Ref IncludeBastianSecurityGroup, true]
+ EnableOpenSearchServerlessVPCEndpoint: !Equals [!Ref IncludeOpenSearchServerlessEndpoint, true]
 Mappings:
 SubnetConfig:
 VPC:
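Review bot: The new parameter `IncludeOpenSearchServerlessEndpoint` breaks the naming pattern the template already follows, where `IncludeS3GatewayEndpoint` pairs with `EnableS3GatewayEndpoint` and `IncludeBastianSecurityGroup` with `EnableBastianSecurityGroup`, while the new condition is `EnableOpenSearchServerlessVPCEndpoint`; renaming the parameter `IncludeOpenSearchServerlessVPCEndpoint` keeps parameter, condition and the resource names in the same commit aligned. The Description should also tell the operator what the flag actually provisions, since it is a security-relevant switch: `true to deploy an OpenSearch Serverless VPC endpoint in the private subnet, with a security group accepting HTTPS from the whole VPC (an OpenSearch Serverless network policy must still grant access through it)`.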
@@ -463,6 +473,40 @@ Resources:
 - !Ref PublicRouteTable
 - !Ref PrivateRouteTable
 ServiceName: "com.amazonaws.us-east-1.s3"
+ OpenSearchServerlessVPCEndpointSecurityGroup:
+ Type: AWS::EC2::SecurityGroup
+ Condition: EnableOpenSearchServerlessVPCEndpoint
+ Properties:
+ VpcId: !Ref VPC
+ SecurityGroupIngress:
+ - CidrIp: !Join
+ - '.'
+ - - !Ref VpcSubnetPrefix
+ - !FindInMap [SubnetConfig, VPC, CIDR]
+ FromPort: 443
+ ToPort: 443
+ IpProtocol: tcp
+ Description: "Allows HTTPS connection from the VPC"
+ SecurityGroupEgress:
+ - CidrIp: "0.0.0.0/0"
+ FromPort: -1
+ ToPort: -1
+ IpProtocol: "-1"
+ Tags:
+ - Key: "Application"
+ Value:
+ Ref: "AWS::StackName"
+ OpenSearchServerlessVPCEndpoint:
+ Type: AWS::OpenSearchServerless::VpcEndpoint
+ Condition: EnableOpenSearchServerlessVPCEndpoint
+ Properties:
+ Name: !Sub '${AWS::StackName}-OSSVPCEndpoint'
+ VpcId: !Ref VPC
+ SubnetIds:
+ - !Ref PrivateSubnet
+ SecurityGroupIds:
+ - !Ref OpenSearchServerlessVPCEndpointSecurityGroup
+
 Outputs:
 VPCId:
 Description: "VPCId of the newly created VPC"
@@ -564,3 +608,9 @@ Outputs:
 Value: !Ref S3GatewayEndpoint
 Export:
 Name: !Sub '${AWS::Region}-${AWS::StackName}-S3GatewayEndpointId'
+ OpenSearchServerlessVPCEndpointId:
+ Description: OpenSearch Serverless VPC endpoint ID
+ Condition: EnableOpenSearchServerlessVPCEndpoint
+ Value: !Ref OpenSearchServerlessVPCEndpoint
+ Export:
+ Name: !Sub '${AWS::Region}-${AWS::StackName}-OSSVpcEndpointId'

From 6bc71bd2a8cb959de86a5f6a6812e1827835d0c4 Mon Sep 17 00:00:00 2001
From: Marco Marasca <8505576+marcomarasca@users.noreply.github.com>
Date: Tue, 7 Jan 2025 09:51:09 -0800
Subject: [PATCH 2/2] IT-4226: Add security group description

---
 templates/vpc.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/vpc.yaml b/templates/vpc.yaml
index 0d286a6..de66f07 100644
--- a/templates/vpc.yaml
+++ b/templates/vpc.yaml
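Review bot: `Name: !Sub '${AWS::StackName}-OSSVPCEndpoint'` on the new `OpenSearchServerlessVPCEndpoint` is likely to be rejected at create time: as far as I recall, OpenSearch Serverless restricts VPC endpoint names to 3–32 characters matching `^[a-z][a-z0-9-]{2,31}$`, and this value contains uppercase letters and grows with the stack name, so a dedicated lowercase parameter (e.g. `OpenSearchServerlessEndpointName` with a short default) is safer than deriving it from `AWS::StackName` — please confirm against the current service limits. The `SecurityGroupEgress` rule on `OpenSearchServerlessVPCEndpointSecurityGroup` is all protocols to `0.0.0.0/0`, which is no tighter than the default CloudFormation installs when the property is omitted; an endpoint ENI should only ever accept connections, so if least privilege is the intent replace it with the loopback placeholder `- CidrIp: 127.0.0.1/32` / `IpProtocol: "-1"` / `Description: "No egress"`. The endpoint only provides a private network path and does not by itself limit who can reach collections, and this commit adds no OpenSearch Serverless network policy, so I would add a comment above `OpenSearchServerlessVPCEndpoint:` such as `# Private path only: collection access still depends on an OpenSearch Serverless network policy that references this endpoint (exported as OSSVpcEndpointId) and on data access policies`. Finally, `SubnetIds` lists only `PrivateSubnet`, so the endpoint lives in a single AZ and an outage there removes the private path entirely; if the template defines a second private subnet, list it here as well.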
@@ -477,6 +477,7 @@ Resources:
 Type: AWS::EC2::SecurityGroup
 Condition: EnableOpenSearchServerlessVPCEndpoint
 Properties:
+ GroupDescription: Security Group for the OpenSearch Serverless VPC endpoint
 VpcId: !Ref VPC
 SecurityGroupIngress:
 - CidrIp: !Join
@@ -506,7 +507,6 @@ Resources:
 - !Ref PrivateSubnet
 SecurityGroupIds:
 - !Ref OpenSearchServerlessVPCEndpointSecurityGroup
-
 Outputs:
 VPCId:
 Description: "VPCId of the newly created VPC"