Build-NetworkAcls.yaml

AWSTemplateFormatVersion: 2010-09-09
Description: Build-NetworkAcls Template.
  This adds NetworkAcls to an existing Build VPC. This Template is optional, and can be added (or removed) at any time to apply an additional layer of network security. This initially simply replicates the Default NetworkAcl, so we have a Template from which we can iterate to tighten security.
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Stack Dependencies
        Parameters:
          - VPCStackName
    ParameterLabels:
      VPCStackName:
        default: VPC Stack Name
Parameters:
  VPCStackName:
    Description: Name of the CloudFormation Stack containing the Build VPC
    Type: String
    MinLength: 6
    MaxLength: 64
    Default: Build-VPC
    AllowedPattern: ^[A-Z][-a-zA-Z0-9]*$
    ConstraintDescription: must begin with an upper case letter and contain alphanumeric characters and dashes.
Resources:
  PublicNetworkAcl:
    Type: AWS::EC2::NetworkAcl
    Properties:
      VpcId: !ImportValue
        Fn::Sub: ${VPCStackName}-VPC
      Tags:
        - Key: Name
          Value: !Sub
            - ${VPCName}-PublicNetworkAcl
            - VPCName: !ImportValue
                Fn::Sub: ${VPCStackName}-VPCName
  PublicNetworkAclEntryInbound100:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref PublicNetworkAcl
      RuleNumber: 100
      Protocol: -1
      Egress: false
      CidrBlock: 0.0.0.0/0
      RuleAction: allow
  PublicNetworkAclEntryOutbound100:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref PublicNetworkAcl
      RuleNumber: 100
      Protocol: -1
      Egress: true
      CidrBlock: 0.0.0.0/0
      RuleAction: allow
  PublicSubnetANetworkAclAssociation:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      SubnetId: !ImportValue
        Fn::Sub: ${VPCStackName}-PublicSubnetA
      NetworkAclId: !Ref PublicNetworkAcl
  PublicSubnetBNetworkAclAssociation:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      SubnetId: !ImportValue
        Fn::Sub: ${VPCStackName}-PublicSubnetB
      NetworkAclId: !Ref PublicNetworkAcl
  Public1SubnetANetworkAclAssociation:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      SubnetId: !ImportValue
        Fn::Sub: ${VPCStackName}-Public1SubnetA
      NetworkAclId: !Ref PublicNetworkAcl
  Public1SubnetBNetworkAclAssociation:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      SubnetId: !ImportValue
        Fn::Sub: ${VPCStackName}-Public1SubnetB
      NetworkAclId: !Ref PublicNetworkAcl
  WebSubnetANetworkAclAssociation:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      SubnetId: !ImportValue
        Fn::Sub: ${VPCStackName}-WebSubnetA
      NetworkAclId: !Ref PublicNetworkAcl
  WebSubnetBNetworkAclAssociation:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      SubnetId: !ImportValue
        Fn::Sub: ${VPCStackName}-WebSubnetB
      NetworkAclId: !Ref PublicNetworkAcl
  PrivateNetworkAcl:
    Type: AWS::EC2::NetworkAcl
    Properties:
      VpcId: !ImportValue
        Fn::Sub: ${VPCStackName}-VPC
      Tags:
        - Key: Name
          Value: !Sub
            - ${VPCName}-PrivateNetworkAcl
            - VPCName: !ImportValue
                Fn::Sub: ${VPCStackName}-VPCName
  PrivateNetworkAclEntryInbound100:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref PrivateNetworkAcl
      RuleNumber: 100
      Protocol: -1
      Egress: false
      CidrBlock: 0.0.0.0/0
      RuleAction: allow
  PrivateNetworkAclEntryOutbound100:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref PrivateNetworkAcl
      RuleNumber: 100
      Protocol: -1
      Egress: true
      CidrBlock: 0.0.0.0/0
      RuleAction: allow
  ApplicationSubnetANetworkAclAssociation:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      SubnetId: !ImportValue
        Fn::Sub: ${VPCStackName}-ApplicationSubnetA
      NetworkAclId: !Ref PrivateNetworkAcl
  ApplicationSubnetBNetworkAclAssociation:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      SubnetId: !ImportValue
        Fn::Sub: ${VPCStackName}-ApplicationSubnetB
      NetworkAclId: !Ref PrivateNetworkAcl
  DatabaseSubnetANetworkAclAssociation:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      SubnetId: !ImportValue
        Fn::Sub: ${VPCStackName}-DatabaseSubnetA
      NetworkAclId: !Ref PrivateNetworkAcl
  DatabaseSubnetBNetworkAclAssociation:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      SubnetId: !ImportValue
        Fn::Sub: ${VPCStackName}-DatabaseSubnetB
      NetworkAclId: !Ref PrivateNetworkAcl
  BuildSubnetANetworkAclAssociation:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      SubnetId: !ImportValue
        Fn::Sub: ${VPCStackName}-BuildSubnetA
      NetworkAclId: !Ref PrivateNetworkAcl
  BuildSubnetBNetworkAclAssociation:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      SubnetId: !ImportValue
        Fn::Sub: ${VPCStackName}-BuildSubnetB
      NetworkAclId: !Ref PrivateNetworkAcl
  IdentitySubnetANetworkAclAssociation:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      SubnetId: !ImportValue
        Fn::Sub: ${VPCStackName}-IdentitySubnetA
      NetworkAclId: !Ref PrivateNetworkAcl
  IdentitySubnetBNetworkAclAssociation:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      SubnetId: !ImportValue
        Fn::Sub: ${VPCStackName}-IdentitySubnetB
      NetworkAclId: !Ref PrivateNetworkAcl