Allow whitelisting IPs for webserver, flower, etc from service.yml

andresionek91 · andresionek91 · commit d9c2fbc2a420 · 2020-09-10T13:24:22.000+01:00
diff --git a/cloudformation/83_airflow-flower.yml.j2 b/cloudformation/83_airflow-flower.yml.j2
@@ -7,10 +7,7 @@ Resources:
       GroupDescription: Security group for Airflow Flower.  Allow all inbound traffic.
       GroupName: "{{ serviceName }}-{{ ENVIRONMENT }}-flower-external-security-group"
       SecurityGroupEgress:
-        - CidrIp: 0.0.0.0/0
-          FromPort: 0
-          IpProtocol: -1
-          ToPort: 0
+        {{ securityGroupEgressRules }}
       SecurityGroupIngress:
         - CidrIp: 0.0.0.0/0
           FromPort: "{{ service.port }}"
diff --git a/cloudformation/84_airflow-scheduler.yml.j2 b/cloudformation/84_airflow-scheduler.yml.j2
@@ -7,10 +7,7 @@ Resources:
       GroupDescription: Security group for Airflow Scheduler
       GroupName: "{{ serviceName }}-{{ ENVIRONMENT }}-scheduler-security-group"
       SecurityGroupEgress:
-        - CidrIp: 0.0.0.0/0
-          FromPort: 0
-          IpProtocol: -1
-          ToPort: 0
+        {{ securityGroupEgressRules }}
       VpcId: !ImportValue network-VpcId
       Tags:
         - Key: Name
diff --git a/cloudformation/85_airflow-webserver.yml.j2 b/cloudformation/85_airflow-webserver.yml.j2
@@ -7,10 +7,7 @@ Resources:
       GroupDescription: Security group for Airflow webserver. Allow all inbound traffic.
       GroupName: "{{ serviceName }}-{{ ENVIRONMENT }}-webserver-security-group"
       SecurityGroupEgress:
-        - CidrIp: 0.0.0.0/0
-          FromPort: 0
-          IpProtocol: -1
-          ToPort: 0
+        {{ securityGroupEgressRules }}
       SecurityGroupIngress:
         - CidrIp: 0.0.0.0/0
           FromPort: "{{ service.port }}"
diff --git a/cloudformation/86_airflow-workers.yml.j2 b/cloudformation/86_airflow-workers.yml.j2
@@ -7,10 +7,7 @@ Resources:
       GroupDescription: Security group for Airflow workers
       GroupName: "{{ serviceName }}-{{ ENVIRONMENT }}-workers-security-group"
       SecurityGroupEgress:
-        - CidrIp: 0.0.0.0/0
-          FromPort: 0
-          IpProtocol: -1
-          ToPort: 0
+        {{ securityGroupEgressRules }}
       SecurityGroupIngress:
         - CidrIp: "{{ service.cidrBlock }}/16"
           FromPort: "{{ service.workers.port }}"
diff --git a/dags/crypto_extract_dag.py b/dags/crypto_extract_dag.py
diff --git a/service.yml b/service.yml
@@ -81,6 +81,14 @@ publicSubnet:
     cidrBlock: 10.0.3.0/24
     availabilityZone: c
 
+# List of SecurityGroupEgress.
+# Will be used to whitelist IPs for webserver, flower, workers and scheduler
+securityGroupEgressRules:
+  - CidrIp: 0.0.0.0/0
+    FromPort: 0
+    IpProtocol: -1
+    ToPort: 0
+
 metadataDb:
   instanceType: db.t3.micro
   port: 5432
