def create_cache_cluster(stack, name, cache_type, vpc, cidrs, subnet_ids, instance_type, num_cache_clusters): """Add Elasticache Cache cluster Resource.""" ports = {'redis': 6379, 'memcached': 11211} ingress = [] for idx, cidr in enumerate(cidrs): ingress.append( SecurityGroupRule( '{0}{1}{2}'.format(name.replace('-', ''), cache_type, idx), CidrIp=cidr, FromPort=ports[cache_type], ToPort=ports[cache_type], IpProtocol='tcp', )) secgroup = stack.stack.add_resource( SecurityGroup( '{0}{1}SecurityGroup'.format(name.replace('-', ''), cache_type), GroupDescription='{0} {1} Security Group'.format(name, cache_type), SecurityGroupIngress=ingress, SecurityGroupEgress=[ SecurityGroupRule('{0}egress'.format(name.replace('-', '')), CidrIp='0.0.0.0/0', IpProtocol='-1') ], VpcId=vpc, )) subnet_group = stack.stack.add_resource( elasticache.SubnetGroup( '{0}{1}cache'.format(name.replace('-', ''), cache_type), Description='{0}{1} cache'.format(name, cache_type), SubnetIds=subnet_ids, )) if num_cache_clusters > 1: stack.stack.add_resource( elasticache.ReplicationGroup( '{0}CacheCluster'.format(name.replace('-', '')), ReplicationGroupId='{0}'.format(name), ReplicationGroupDescription='{0}cluster'.format(name), Engine='{0}'.format(cache_type), EngineVersion='3.2.6', CacheNodeType=instance_type, NumCacheClusters=num_cache_clusters, CacheSubnetGroupName=Ref(subnet_group), SecurityGroupIds=[Ref(secgroup)], AtRestEncryptionEnabled=True)) else: stack.stack.add_resource( elasticache.CacheCluster('{0}CacheCluster'.format( name.replace('-', '')), ClusterName='{0}'.format(name), Engine='{0}'.format(cache_type), EngineVersion='3.2.10', CacheNodeType=instance_type, NumCacheNodes=num_cache_clusters, VpcSecurityGroupIds=[Ref(secgroup)], CacheSubnetGroupName=Ref(subnet_group)))
def create_sg(t, vpc): sglocal = t.add_resource( SecurityGroup( "VPCAccess", GroupDescription="VPC Access Only", SecurityGroupIngress=[ SecurityGroupRule( IpProtocol='-1', CidrIp=Join( '', [vpc["vpcenvcidr"], '.', vpc["service_id"], '.0/24']), FromPort='-1', ToPort='-1') ], VpcId=vpc['vpc'])) sgtrusted = t.add_resource( SecurityGroup( "TrustedAccess", GroupDescription="Access From Trusted Locations", SecurityGroupIngress=[ # ECS Offices SecurityGroupRule(IpProtocol='-1', CidrIp=Join('', ['0.0.0.0/0']), FromPort='-1', ToPort='-1') ], VpcId=vpc['vpc'])) output_sg = {} output_sg["sgtrusted"] = GetAtt(sgtrusted, "GroupId") output_sg["sglocal"] = GetAtt(sglocal, "GroupId") return t, output_sg
def add_alb_secuirty_group(self): ''' Add security group to load balancer ''' self.cfn_template.add_resource(SecurityGroup( title=constants.ALB_SG, GroupDescription='Load balancer security group', SecurityGroupIngress=[ SecurityGroupRule( IpProtocol='tcp', FromPort=int('8228'), ToPort=int('8228'), CidrIp=Ref('CIDRBLK'), ), SecurityGroupRule( IpProtocol='-1', FromPort=int('-1'), ToPort=int('-1'), SourceSecurityGroupId=ImportValue(Sub('${Environment}-AppSecurityGroup')), ) ], SecurityGroupEgress=[ SecurityGroupRule( IpProtocol='-1', CidrIp='0.0.0.0/0' ) ], VpcId=ImportValue(Sub('${Environment}-${VpcId}')) )) return self.cfn_template
def create_security_group(stack, name, rules=()): """Add EC2 Security Group Resource.""" ingress_rules = [] for rule in rules: ingress_rules.append( SecurityGroupRule( '{0}'.format(rule['name']), CidrIp=rule['cidr'], FromPort=rule['from_port'], ToPort=rule['to_port'], IpProtocol=rule['protocol'], )) return stack.stack.add_resource( SecurityGroup( '{0}SecurityGroup'.format(name), GroupDescription='{0} Security Group'.format(name), SecurityGroupIngress=ingress_rules, SecurityGroupEgress=[ SecurityGroupRule('{0}egress'.format(name.replace('-', '')), CidrIp='0.0.0.0/0', IpProtocol='-1') ], VpcId=Ref(stack.vpc), ))
def __init__(self, env_name, vpc_id, name=None, internal=False, tg_salt=None): self.env_name = env_name self.vpc_id = vpc_id if len(env_name) > 10: raise ValidationException( "env_name must be no more than 10 characters long") self.template = Template() self.subnet_ids = [] self.cert_ids = [] self.default_targets = [] self.http_redirect_targets = [] self.alt_listeners = [] self.target_paths = collections.defaultdict(TargetPath) self._sticky = True self._json = None self._priority_cache = [] self._global_tags = [] self._alarm_topic = None self.alarm_namespace = "AWS/ApplicationELB" self._log_bucket = None self._ecs_redirect = False self.idle_timeout_seconds = 120 self._custom_elb_sgs = None self._tg_salt = tg_salt self._specified_elb_name = name if name is None: self._elb_name = Ref("AWS::StackName") else: self._elb_name = name self._deletion_protection = False if internal: self._elb_scheme = "internal" else: self._elb_scheme = "internet-facing" self._sg_rules = [ SecurityGroupRule(CidrIp="0.0.0.0/0", IpProtocol="tcp", FromPort=443, ToPort=443), SecurityGroupRule(CidrIp="0.0.0.0/0", IpProtocol="tcp", FromPort=80, ToPort=80) ] # The first call to allow() should clear the default _sg_rules, # subsequent calls should not. self._reset_sg_rules = True
def allow_cidr(self, *cidrs): self.allow(*list( SecurityGroupRule( CidrIp=c, IpProtocol="tcp", FromPort=443, ToPort=443) for c in cidrs)) self.allow(*list( SecurityGroupRule( CidrIp=c, IpProtocol="tcp", FromPort=80, ToPort=80) for c in cidrs))
def test_noproperty(self): t = SecurityGroupRule( IpProtocol="tcp", FromPort="22", ToPort="22", CidrIp="0.0.0.0/0", ) d = t.to_dict() with self.assertRaises(KeyError): d["Properties"]
def test_noproperty(self): t = SecurityGroupRule( IpProtocol="tcp", FromPort="22", ToPort="22", CidrIp="0.0.0.0/0", ) d = t.to_dict() with self.assertRaises(KeyError): d['Properties']
def _add_autopush_security_group(self): self.InternalRouterSG = self.add_resource( SecurityGroup("AutopushInternalRouter", GroupDescription="Internal Routing SG")) self.EndpointSG = self.add_resource( SecurityGroup( "AutopushEndpointNode", SecurityGroupIngress=[ allow_tcp(8082), allow_tcp(22), ], GroupDescription="Allow HTTP traffic to autoendpoint node", )) self.ConnectionSG = self.add_resource( SecurityGroup( "AutopushConnectionNode", SecurityGroupIngress=[ allow_tcp(8080), allow_tcp(22), SecurityGroupRule(IpProtocol="tcp", FromPort=8081, ToPort=8081, SourceSecurityGroupName=Ref( self.InternalRouterSG)) ], GroupDescription=("Allow Websocket traffic to autopush node")))
def test_noproperty(self): t = SecurityGroupRule( IpProtocol="tcp", FromPort="22", ToPort="22", CidrIp="0.0.0.0/0", ) d = json.loads(json.dumps(t, cls=awsencode)) with self.assertRaises(KeyError): d['Properties']
def create_rules(self, rules): ingress_rules = [] for rule in rules: ingress_rule = 0 if 'source_security_group_id' in rule: ingress_rule = SecurityGroupRule( ToPort=rule['to_port'], FromPort=rule['from_port'], IpProtocol=rule['ip_protocol'], SourceSecurityGroupId=rule['source_security_group_id']) elif 'cidr_ip' in rule: ingress_rule = SecurityGroupRule( ToPort=rule['to_port'], FromPort=rule['from_port'], IpProtocol=rule['ip_protocol'], CidrIp=rule['cidr_ip']) ingress_rules.append(ingress_rule) return ingress_rules
def add_app_secuirty_group(self): ''' Add security group tfor all application ''' self.cfn_template.add_resource( SecurityGroup(title=constants.APP_SG, GroupDescription= 'Allow communication between application servers', SecurityGroupIngress=[ SecurityGroupRule( IpProtocol='tcp', FromPort=int('0'), ToPort=int('65535'), CidrIp=Ref('PublicSubnet1CIDRBlock'), ), SecurityGroupRule( IpProtocol='tcp', FromPort=int('0'), ToPort=int('65535'), CidrIp=Ref('PrivateSubnet1CIDRBlock'), ), SecurityGroupRule( IpProtocol='tcp', FromPort=int('0'), ToPort=int('65535'), CidrIp=Ref('PublicSubnet2CIDRBlock'), ), SecurityGroupRule( IpProtocol='tcp', FromPort=int('0'), ToPort=int('65535'), CidrIp=Ref('PrivateSubnet2CIDRBlock'), ), ], SecurityGroupEgress=[ SecurityGroupRule(IpProtocol='-1', CidrIp='0.0.0.0/0') ], VpcId=Ref(constants.VPC))) return self.cfn_template
def test_security_group(self): template = self._create_test_document() SecurityGroup('sg', template, GroupDescription='test', SecurityGroupEgress=[ SecurityGroupRule(IpProtocol='tcp', FromPort=22, ToPort=22, CidrIp="0.0.0.0/0") ], SecurityGroupIngress=[ SecurityGroupRule(IpProtocol='tcp', FromPort=22, ToPort=22, CidrIp="0.0.0.0/0") ]) security_group = template.resources['sg'] for rule in security_group.properties['SecurityGroupEgress']: self.assertIsInstance(rule, SecurityGroupRule) for rule in security_group.properties['SecurityGroupIngress']: self.assertIsInstance(rule, SecurityGroupRule)
def create_sg_ingress_rule(_type): if _type.lower() not in ["ssh", "http", "https"]: raise ValueError("Wrong key value given") _sg_ingress_rule = SecurityGroupRule( IpProtocol="tcp", FromPort=SecurityGroupFunctions._sg_ingress[_type.lower()], ToPort=SecurityGroupFunctions._sg_ingress[_type.lower()], CidrIp=SecurityGroupFunctions._cidr_ip) # print(_sg_ingress_rule) return _sg_ingress_rule
def create_security_groups(self, vpc_param): elb_sg = self.t.add_resource( SecurityGroup( "ElbSg", GroupDescription= "Allows inbound connection from from everywhere on port 80", VpcId=Ref(vpc_param), SecurityGroupIngress=[ SecurityGroupRule( IpProtocol="tcp", FromPort="80", ToPort="80", CidrIp="0.0.0.0/0", ) ])) autoscaling_sg = self.t.add_resource( SecurityGroup("AutoscalingSG", GroupDescription= "Allows inbound connection from elb sg on port 80", VpcId=Ref(vpc_param), SecurityGroupIngress=[ SecurityGroupRule( IpProtocol="tcp", FromPort="80", ToPort="80", SourceSecurityGroupId=Ref(elb_sg), ) ])) self.t.add_resource( SecurityGroupEgress("ELBegress", DestinationSecurityGroupId=Ref(autoscaling_sg), GroupId=Ref(elb_sg), IpProtocol="-1", FromPort="-1", ToPort="-1")) return elb_sg, autoscaling_sg
def add_security_groups(self): t = self.template self.asgSg = t.add_resource( SecurityGroup( 'AsgSg', VpcId=Ref(self.vpcIdParam), GroupDescription='Security group for ASG.', SecurityGroupIngress=[ SecurityGroupRule(ToPort='80', FromPort='80', IpProtocol='tcp', SourceSecurityGroupId=Ref(self.elbSg)), SecurityGroupRule(ToPort='22', FromPort='22', IpProtocol='tcp', SourceSecurityGroupId=Ref( self.vpnSgIdParam)) #TODO HTTPS ], Tags=self.defaultTags + [Tag('Name', Join("", [self.namePrefix, 'AsgSg']))])) self.rdsSg = t.add_resource( SecurityGroup('RdsSg', VpcId=Ref(self.vpcIdParam), GroupDescription='Security group for RDS.', SecurityGroupIngress=[ SecurityGroupRule(ToPort='3306', FromPort='3306', IpProtocol='tcp', SourceSecurityGroupId=Ref( self.asgSg)) ], Tags=self.defaultTags + [Tag('Name', Join("", [self.namePrefix, 'RdsSg']))])) return 0
def add_security_group(self): t = self.template self.security_group = t.add_resource( SecurityGroup( "SecurityGroup", GroupDescription="Security Group", SecurityGroupIngress=[ SecurityGroupRule(IpProtocol="tcp", FromPort="80", ToPort="80", CidrIp=Ref(self.whitelist_ip_param)) ], VpcId=Ref(self.vpc_id_param), ))
def add_elb(self): t = self.template self.elbSg = t.add_resource( SecurityGroup( 'ElbSecurityGroup', VpcId=Ref(self.vpcIdParam), GroupDescription='Security group for ELB.', SecurityGroupIngress=[ SecurityGroupRule(ToPort='80', FromPort='80', IpProtocol='tcp', CidrIp="0.0.0.0/0") #TODO HTTPS ], Tags=self.defaultTags + [Tag('Name', Join("", [self.namePrefix, 'ElbSecurityGroup'])) ])) self.elbListener = Listener('ElbListener', LoadBalancerPort="80", InstancePort="80", Protocol="HTTP", InstanceProtocol="HTTP") self.elbHealthCheck = HealthCheck(Target="TCP:80", Timeout="2", Interval="5", HealthyThreshold="2", UnhealthyThreshold="2") publicSubnetIds = [ self.sceptreUserData['subnets']['publicInfraAZ1Id'], self.sceptreUserData['subnets']['publicInfraAZ2Id'], self.sceptreUserData['subnets']['publicInfraAZ3Id'] ] self.elb = t.add_resource( LoadBalancer('Elb', Listeners=[self.elbListener], Scheme='internet-facing', HealthCheck=self.elbHealthCheck, CrossZone=True, Subnets=publicSubnetIds, SecurityGroups=[Ref(self.elbSg)], Tags=self.defaultTags + [Tag('Name', Join("", [self.namePrefix, 'Elb']))])) return 0
def add_ssh_security(self): ''' Add SSH security group ''' self.cfn_template.add_resource(SecurityGroup( title=constants.SSH_SG, GroupDescription='Allow ssh connections to the cluster host instances', SecurityGroupIngress=[SecurityGroupRule( IpProtocol='tcp', FromPort=int('0'), ToPort=int('65535'), CidrIp=Ref('CIDRBLK') )], VpcId=ImportValue(Sub('${Environment}-VPCID')) )) return self.cfn_template
def add_open_ssh_security_group(template): if not template.get_security_group_metadata(sshsg_name): new_security_group = SecurityGroup( sshsg_name, sshsg_description, SecurityGroupIngress=[ SecurityGroupRule( IpProtocol='tcp', FromPort='22', ToPort='22', CidrIp='0.0.0.0/0' ) ] ) template.add_security_group_metadata(sshsg_name, new_security_group) template.add_resource(new_security_group)
def add_base_resources(self): """ Allow ingress from load balancers with this """ ingress_sg = SecurityGroup( "IncomingSg", GroupDescription="SG for ecs instances for incoming alb", VpcId=self.cluster.get('vpc'), SecurityGroupIngress=[ SecurityGroupRule( IpProtocol="tcp", FromPort=0, ToPort=64500, SourceSecurityGroupId=ImportValue(f"{self.cluster['name']}-cluster:ALBBadgeSg") ) ] ) self.template.add_resource(ingress_sg)
def buildTemplate(self): ref_stack_id = Ref('AWS::StackId') ref_stack_name = Ref('AWS::StackName') security_group = self.t.add_resource( SecurityGroup( 'BastionSshSecurityGroup', GroupDescription="Allow SSH from anywhere to the Bastion Host", VpcId=Ref("VpcId"), SecurityGroupIngress=[ SecurityGroupRule( IpProtocol='tcp', FromPort=22, ToPort=22, CidrIp='0.0.0.0/0', ), ], )) host = self.t.add_resource( Instance("Bastion", KeyName=Ref("KeyName"), InstanceType="t2.nano", ImageId=Ref("ImageId"), SecurityGroupIds=[Ref(security_group)], SubnetId=Ref("SubnetId"), UserData=Base64(Ref(self.paramUserData)), Tags=Tags( Name=Join('', [ref_stack_name, '-BastionHost']), Department=Ref(self.paramDepartment), ))) self.t.add_output( Output( "InstanceId", Description="Instance Id of the Bastion Host", Value=Ref(host), )) self.t.add_output( Output( "BastionDns", Description="DNS of Bastion Host", Value=GetAtt(host, "PublicDnsName"), )),
def ts_add_security_group(t, vpc_id=None, name='MySecurityGroup', desc='Enable all ingress'): if vpc_id is None: vpc_id = get_default_vpc() return t.add_resource( SecurityGroup(name, GroupDescription=desc, VpcId=vpc_id, SecurityGroupIngress=[ SecurityGroupRule(IpProtocol='tcp', CidrIp="0.0.0.0/0", FromPort=0, ToPort=65535), ], Tags=Tags( Application=Ref("AWS::StackName"), Developer="cisco::haoru", )))
def _add_processor_databases(self): # Add the security group for Redis access self.LambdaProcessorSG = self.add_resource( SecurityGroup( "LambdaProcessorSG", GroupDescription="Lambda Message Processor", VpcId=Ref(self.ProcessorVPCId), )) self.RedisClusterSG = self.add_resource( SecurityGroup( "RedisClusterSG", SecurityGroupIngress=[ SecurityGroupRule(IpProtocol="tcp", FromPort=6379, ToPort=6379, SourceSecurityGroupId=GetAtt( self.LambdaProcessorSG, "GroupId")) ], GroupDescription="Allow HTTP traffic to redis", VpcId=Ref(self.ProcessorVPCId), )) self.RedisClusterSubnetGroup = self.add_resource( SubnetGroup( "RedisClusterSubnetGroup", Description="Subnet group for Redis Cluster", SubnetIds=[Ref(self.MessageAPISubnetId)], )) self.RedisCluster = self.add_resource( CacheCluster( "RedisPushMessages", Engine="redis", CacheNodeType="cache.m3.medium", NumCacheNodes=1, CacheSubnetGroupName=Ref(self.RedisClusterSubnetGroup), VpcSecurityGroupIds=[ GetAtt(self.RedisClusterSG, "GroupId"), ], Tags=self._instance_tags("push-messages", "push-messages"), ))
def create_security_group(self, security_group_args, prefix): ''' Method creates a security group and adds it to the resources list @param security_group_args [dict] collection of keyword arguments for the security group ''' security_group_ingress = [] for ingress in security_group_args['ingress']: rule = SecurityGroupRule(IpProtocol=ingress['ip_protocol'], FromPort=ingress['from_port'], ToPort=ingress['to_port'], CidrIp=ingress['cidr_ip']) security_group_ingress.append(rule) return self.add_resource( SecurityGroup( prefix + 'SecurityGroup', GroupDescription='Enable SSH access via port 22', SecurityGroupIngress=security_group_ingress, VpcId=Ref(self.vpc), ))
def _rulesFromYaml(self, obj): sgrules = [] try: with open(obj, 'r') as stream: doc = yaml.load(stream) for ruleset in doc: for cidr in doc[ruleset]['cidr']: for protocol in doc[ruleset]['protocols']: for port in doc[ruleset]['protocols'][protocol]: sgrules.append( SecurityGroupRule(''.join( ch for ch in (cidr + protocol + port) if ch.isalnum()), CidrIp=cidr, IpProtocol=protocol, FromPort=port, ToPort=port)) except Exception as e: print(e) exit(1) finally: return sgrules
def create_cache_cluster(stack, cache_type): """Add Elasticache Cache cluster Resource.""" ports = {'redis': 6379, 'memcached': 11211} secgroup = stack.stack.add_resource( SecurityGroup( '{0}SecurityGroup'.format(cache_type), GroupDescription="{0} Security Group".format(cache_type), SecurityGroupIngress=[ SecurityGroupRule( "{0}".format(cache_type), CidrIp=Ref(stack.vpc_address_param), FromPort=ports[cache_type], ToPort=ports[cache_type], IpProtocol="tcp", ) ], VpcId=Ref(stack.vpc), )) subnet_group = stack.stack.add_resource( elasticache.SubnetGroup( '{0}cache'.format(stack.env), Description='{0} cache'.format(stack.env), SubnetIds=[Ref(stack.backend1_subnet), Ref(stack.backend2_subnet)], )) stack.stack.add_resource( elasticache.ReplicationGroup( 'CacheCluster', ReplicationGroupId='{0}cluster'.format(stack.env), ReplicationGroupDescription='{0}cluster'.format(stack.env), Engine='{0}'.format(cache_type), CacheNodeType=Ref(stack.cache_instance_type_param), NumCacheClusters='2', CacheSubnetGroupName=Ref(subnet_group), SecurityGroupIds=[Ref(secgroup)]))
def _add_resources(self): rules = [("tcp", 443), ("tcp", 943), ("udp", 1194)] if self.sceptre_user_data['enable_ssh']: rules.append(("tcp", 22)) self.openvpn_sg = SecurityGroup( "SSHSecurityGroup", VpcId=Ref(self.vpc_id_param), GroupDescription="Enable SSH access via port 22", SecurityGroupIngress=[SecurityGroupRule( IpProtocol=protocol, FromPort=port, ToPort=port, CidrIp=Ref(self.ssh_ip),) for protocol, port in rules], Tags=Tags( Name=Join('-', [Ref(self.stack_prefix), "openvpn"]) ), ) self.template.add_resource(self.openvpn_sg) self.openvpn_instance = Instance( "OpenVPNInstance", ImageId=FindInMap("RegionMap", Ref("AWS::Region"), "AMI"), InstanceType="t2.micro", KeyName=Ref(self.key_name), SecurityGroupIds=[Ref(self.openvpn_sg)], SourceDestCheck=False, SubnetId=Ref(self.public_subnet_id), Tags=Tags( Name=Join('-', [Ref(self.stack_prefix), "openvpn"]) ), ) self.template.add_resource(self.openvpn_instance)
"AMI": "ami-5b6dde3b" }, "us-west-1": { "AMI": "ami-74cb9b14" }, }) instance_security_group = SecurityGroup( 'InstanceSecurityGroup', template=template, GroupDescription="Instance security group.", VpcId=Ref(vpc_id), SecurityGroupIngress=[ SecurityGroupRule( IpProtocol='-1', FromPort='-1', ToPort='-1', CidrIp='0.0.0.0/0', ) ]) load_balancer = elb.LoadBalancer('LoadBalancer', template=template, Subnets=[ Ref(public_subnet), ], SecurityGroups=[Ref(instance_security_group)], Listeners=[ elb.Listener(LoadBalancerPort=80, InstanceProtocol='HTTP', InstancePort=8080, Protocol='HTTP'),
"Ec2Instance", ImageId=FindInMap("RegionMap", Ref("AWS::Region"), "AMI"), InstanceType="t1.micro", KeyName=Ref(keyname_param), SecurityGroups=["default"], UserData=Base64("80") )) instanceSecurityGroup = template.add_resource( SecurityGroup( 'InstanceSecurityGroup', GroupDescription='Enable SSH access via port 22', SecurityGroupIngress=[ SecurityGroupRule( IpProtocol='tcp', FromPort='22', ToPort='22', CidrIp='0.0.0.0/0'), SecurityGroupRule( IpProtocol='tcp', FromPort='80', ToPort='80', CidrIp='0.0.0.0/0')], )) template.add_output([ Output( "InstanceId", Description="InstanceId of the newly created EC2 instance", Value=Ref(ec2_instance), ),
Description="Subnet ID where the MountTarget and instance " "should be created", Type="String", )) # security group for the host efs_host_security_group = SecurityGroup( "EFSHostSecurityGroup", GroupDescription="EC2 Instance Security Group") template.add_resource(efs_host_security_group) # create security group for NFS over TCP for EC2 instances. Only allow the # instance(s) from the efs_host_security_group to access the mount target # given by this security group. efs_security_group_rule = SecurityGroupRule( IpProtocol='tcp', FromPort='2049', ToPort='2049', SourceSecurityGroupId=Ref(efs_host_security_group)) # Security group that's applied to the Mount Targets. efs_security_group = SecurityGroup( "SecurityGroup", SecurityGroupIngress=[efs_security_group_rule], VpcId=Ref(vpcid_param), GroupDescription="Allow NFS over TCP") template.add_resource(efs_security_group) # Create FileSystem. This is the actual filesystem, which has one or more # mount targets. Give it some tags so we can identify it later. tags = Tags(Name='MyEFSFileSystem') efs_file_system = FileSystem("MyEFSFileSystem", FileSystemTags=tags)