Maintaining Network ACLs and Security Group Ingress/Egress Rules within Nucleator Cages and Stacksets
Nucleator comes with several common Stacksets that provide implementations for common use cases such as virtual "cages" (nucleator-core-cage) and automated build environments (nucleator-core-builder). These Stacksets define best practice network ACLs and Security Group ingress/egress rules that are appropriate for many use cases.
However, you may have requirements that dictate modifying or augmenting Cage network ACLs or Stackset security group rules for your situation.
Modifying Cage Network ACLs
To customize Nucleator Cage network ACLs, you should fork the nucleator-core-cage stackset into your own GitHub or other source control repository. After forking, you can modify the following files in the ansible/roles/instantiate_cage_templates/vars/ directory of the Stackset:
- public_acl.yml
- private_acl.yml
- database_acl.yml
These files declare the network ACLs to be used for a Cage's public, private and database subnets respectively.
After making necessary changes to your forked Cage Stackset, update your .nucleator/sources.yml so that the "Cage" Stackset points to your forked version. After updating your sources.yml, you will need to run "nucleator update" to pull the modified version into your Nucleator installation.
Modifying Security Group Ingress and Egress Rules
To customize security group ingress and egress rules within a Stackset, you should fork the Stackset into your own GitHub or other source control repository. After forking, modify any YAML files in the ansible/roles/stackset_templates/vars/ directory that declare security group ingress / egress rules.
To take the nucleator-core-builder stackset as an example, you would edit the file ansible/roles/stackset_templates/vars/builder.yml. This file contains a number of declarations in YAML format that define the security group ingress and egress rules required by the Stackset. You can follow this pattern to add, remove or modify rules as your needs require.
After saving changes in your forked repository, you will need to update your .nucleator/sources.yml to point to your modified stackset. After updating sources.yml, you will need to run "nucleator update" to pull the modified Stackset into your Nucleator installation.
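Both procedures above (editing the Cage ACL files and editing a Stackset's security group rules) end with you committing hand-edited YAML to a fork. The script below is an added example, not part of Nucleator or its Stacksets, of a pre-commit check you can run over those declarations before "nucleator update" pulls them in. It assumes a simplified, hypothetical rule schema (a list of dicts with protocol, port range, CIDR and, for ACLs, rule_number and egress flag); the field names are an assumption, not Nucleator's actual file layout, so map them to whatever keys your forked public_acl.yml or builder.yml uses. The sample rules are constructed for the demonstration.

```python
"""Audit network ACL and security group declarations before committing a forked Stackset.

Hypothetical schema (an assumption for this example, not Nucleator's format):
  ACL entry: rule_number, egress (bool), protocol, from_port, to_port, cidr, action
  SG rule:   direction ("ingress"/"egress"), protocol, from_port, to_port, cidr
"""
from ipaddress import ip_network

# Constructed sample ACL entries, e.g. what a parsed public_acl.yml might look like.
SAMPLE_ACL_ENTRIES = [
    {"rule_number": 100, "egress": False, "protocol": "tcp", "from_port": 443, "to_port": 443,
     "cidr": "0.0.0.0/0", "action": "allow"},
    {"rule_number": 110, "egress": False, "protocol": "tcp", "from_port": 22, "to_port": 22,
     "cidr": "10.0.0.0/8", "action": "allow"},
    # Deliberate defect: reuses rule number 110 in the same direction.
    {"rule_number": 110, "egress": False, "protocol": "tcp", "from_port": 1024, "to_port": 65535,
     "cidr": "0.0.0.0/0", "action": "allow"},
    {"rule_number": 100, "egress": True, "protocol": "-1", "from_port": 0, "to_port": 65535,
     "cidr": "0.0.0.0/0", "action": "allow"},
]

# Constructed sample security group rules, e.g. a parsed builder.yml.
SAMPLE_SG_RULES = [
    {"direction": "ingress", "protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"direction": "ingress", "protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
    {"direction": "ingress", "protocol": "-1", "from_port": 0, "to_port": 65535, "cidr": "10.20.0.0/16"},
    {"direction": "egress", "protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
]

# Ports that may be reachable from anywhere; tighten for your Stackset.
ALLOWED_PUBLIC_PORTS = {80, 443}
# Linux default ephemeral range; NACLs are stateless, so return traffic needs an explicit allow.
EPHEMERAL_RANGE = (32768, 60999)


def is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0."""
    return ip_network(cidr, strict=False).prefixlen == 0


def audit_security_group(rules, allowed_public_ports=ALLOWED_PUBLIC_PORTS):
    """Return (index, message) findings for over-broad ingress rules."""
    findings = []
    for i, rule in enumerate(rules):
        if rule["direction"] != "ingress":
            continue
        lo, hi = rule["from_port"], rule["to_port"]
        if rule["protocol"] == "-1":
            findings.append((i, f"all-protocol ingress from {rule['cidr']}"))
            continue
        if is_world_open(rule["cidr"]) and not set(range(lo, hi + 1)) <= allowed_public_ports:
            findings.append((i, f"world-open ingress on {rule['protocol']} {lo}-{hi}"))
    return findings


def audit_network_acl(entries, ephemeral=EPHEMERAL_RANGE):
    """Return (index, message) findings: duplicate rule numbers and a missing ephemeral allow."""
    findings = []
    seen = set()
    has_egress_allow = False
    has_ephemeral_allow = False
    for i, entry in enumerate(entries):
        direction = "egress" if entry["egress"] else "ingress"
        key = (entry["egress"], entry["rule_number"])
        if key in seen:
            findings.append((i, f"duplicate rule number {entry['rule_number']} ({direction})"))
        seen.add(key)
        if entry["action"] != "allow":
            continue
        if entry["egress"]:
            has_egress_allow = True
        elif entry["protocol"] in ("tcp", "-1") and \
                entry["from_port"] <= ephemeral[0] and entry["to_port"] >= ephemeral[1]:
            has_ephemeral_allow = True
    if has_egress_allow and not has_ephemeral_allow:
        findings.append((-1, "outbound allowed but no inbound allow covers the ephemeral port range"))
    return findings


if __name__ == "__main__":
    for name, findings in (("security group", audit_security_group(SAMPLE_SG_RULES)),
                           ("network ACL", audit_network_acl(SAMPLE_ACL_ENTRIES))):
        for index, message in findings:
            print(f"{name} rule {index}: {message}")
```

With PyYAML installed, `yaml.safe_load(open("builder.yml"))` yields the same list-of-dicts shape once you adapt the key names to the real file, so the two audit functions can run unchanged against your fork. The ACL check treats a reused rule number as an error because each direction of an AWS network ACL requires unique rule numbers, and it flags a stateless ACL that allows outbound connections without an inbound allow for the reply ports.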