feat: add default security group stack #23

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged

tractorcow merged 5 commits into master from fix/security-group-default

Feb 9, 2025

dist/fargate.d.ts

-Original file line number
+Diff line change
@@ Expand Up / @@ -3,6 +3,7 @@ import * as cdk from 'aws-cdk-lib'; @@
     import * as ecs from 'aws-cdk-lib/aws-ecs';
     import * as ecs_patterns from 'aws-cdk-lib/aws-ecs-patterns';
     import * as ecr from 'aws-cdk-lib/aws-ecr';
+    import * as ec2 from 'aws-cdk-lib/aws-ec2';
     import * as acm from 'aws-cdk-lib/aws-certificatemanager';
     import * as route53 from 'aws-cdk-lib/aws-route53';
     import { StackConfig } from './configuration';
@@ Expand Down Expand Up / @@ -35,6 +36,7 @@ interface FargateServiceProps extends cdk.NestedStackProps { @@
         repository?: ecr.IRepository;
         taskConfiguration: TaskConfiguration;
         image?: ecs.ContainerImage;
+        securityGroup?: ec2.ISecurityGroup;
     }
     /**
      * Generate a fargate service that can be attached to a cluster. This service will include its own
@@ Expand Down @@

dist/fargate.js

            
                      Original file line number
                      Diff line number
                      Diff line change
                  
    @@ -33,6 +33,7 @@ const iam = __importStar(require("aws-cdk-lib/aws-iam"));
  
    const route53 = __importStar(require("aws-cdk-lib/aws-route53"));

    const targets = __importStar(require("aws-cdk-lib/aws-route53-targets"));

    const route53_1 = require("./route53");

    const security_group_1 = require("./security-group");

    // Default docker image to use

    const DEFAULT_IMAGE = 'nginxdemos/hello:latest';

    /**

    @@ -47,7 +48,7 @@ const DEFAULT_IMAGE = 'nginxdemos/hello:latest';
  
    class FargateService extends cdk.NestedStack {

        constructor(scope, id, props) {

            super(scope, id, props);

            const { healthCheckPath = '/health-check', imageVersion = 'latest', subDomainIncludingDot = '', stack, cluster, certificate, zone, repository, taskConfiguration, } = props;

            const { healthCheckPath = '/health-check', imageVersion = 'latest', subDomainIncludingDot = '', stack, cluster, certificate, zone, repository, taskConfiguration, securityGroup: defaultSecurityGroup, } = props;

            // Compile secrets into list of mapped ecs.Secrets

            const secrets = {};

            const secretValues = taskConfiguration.secrets;

    @@ -66,8 +67,14 @@ class FargateService extends cdk.NestedStack {
  
                (repository &&

                    ecs.ContainerImage.fromEcrRepository(repository, imageVersion)) ||

                ecs.ContainerImage.fromRegistry(DEFAULT_IMAGE);

            // Scaffold default security group if not provided

            let securityGroup = defaultSecurityGroup;

            if (!securityGroup) {

                const groupStack = new security_group_1.SecurityGroup(this, stack.getResourceID('SecurityGroup'), { vpc: cluster.vpc });

                securityGroup = groupStack.securityGroup;

            }

            const desiredCount = taskConfiguration?.desiredCount || 1;

            this.service = new ecs_patterns.ApplicationLoadBalancedFargateService(this, stack.getResourceID('AdminService'), {

            this.service = new ecs_patterns.ApplicationLoadBalancedFargateService(this, stack.getResourceID('FargateService'), {

                assignPublicIp: true,

                cluster: cluster,

                certificate: certificate,

    @@ -85,6 +92,7 @@ class FargateService extends cdk.NestedStack {
  
                    subnetType: ec2.SubnetType.PUBLIC,

                    onePerAz: true,

                },

                securityGroups: [securityGroup],

            });

            // Setup AutoScaling policy

            if (taskConfiguration.autoScalingCpuTarget) {

dist/index.d.ts

-Original file line number
+Diff line change
@@ Expand Up / @@ -8,6 +8,7 @@ export * from './helper'; @@
     export * from './ipv6vpc';
     export * from './rds';
     export * from './route53';
+    export * from './security-group';
     export * from './s3';
     export * from './vpc';
     export * from './website-distribution';

dist/index.js

-Original file line number
+Diff line change
@@ Expand Up / @@ -24,6 +24,7 @@ __exportStar(require("./helper"), exports); @@
     __exportStar(require("./ipv6vpc"), exports);
     __exportStar(require("./rds"), exports);
     __exportStar(require("./route53"), exports);
+    __exportStar(require("./security-group"), exports);
     __exportStar(require("./s3"), exports);
     __exportStar(require("./vpc"), exports);
     __exportStar(require("./website-distribution"), exports);

dist/rds.js

-Original file line number
+Diff line change
@@ Expand Up / @@ -92,6 +92,8 @@ class PostgresInstanceWithBastion extends PostgresInstance { @@
             // Create a security group for the bastion host
             const bastionSecurityGroup = new ec2.SecurityGroup(this, stack.getResourceID('BastionSecurityGroup'), {
                 vpc,
+                allowAllOutbound: true,
+                allowAllIpv6Outbound: true,
             });
             // Allow SSH access from anywhere
             bastionSecurityGroup.addIngressRule(ec2.Peer.anyIpv4(), ec2.Port.tcp(22));
@@ Expand Down @@

dist/security-group.d.ts

-Original file line number
+Diff line change
@@ -0,0 +1,14 @@
+    import { Construct } from 'constructs';
+    import * as cdk from 'aws-cdk-lib';
+    import * as ec2 from 'aws-cdk-lib/aws-ec2';
+    export interface SecurityGroupProps extends cdk.NestedStackProps {
+        vpc: ec2.IVpc;
+        incomingPorts?: number[];
+    }
+    /**
+     * Default security group suitable for a basic ECS service
+     */
+    export declare class SecurityGroup extends cdk.NestedStack {
+        readonly securityGroup: ec2.ISecurityGroup;
+        constructor(scope: Construct, id: string, props: SecurityGroupProps);
+    }

dist/security-group.js

-Original file line number
+Diff line change
@@ -0,0 +1,50 @@
+    "use strict";
+    var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+        if (k2 === undefined) k2 = k;
+        var desc = Object.getOwnPropertyDescriptor(m, k);
+        if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+          desc = { enumerable: true, get: function() { return m[k]; } };
+        }
+        Object.defineProperty(o, k2, desc);
+    }) : (function(o, m, k, k2) {
+        if (k2 === undefined) k2 = k;
+        o[k2] = m[k];
+    }));
+    var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+        Object.defineProperty(o, "default", { enumerable: true, value: v });
+    }) : function(o, v) {
+        o["default"] = v;
+    });
+    var __importStar = (this && this.__importStar) || function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+    Object.defineProperty(exports, "__esModule", { value: true });
+    exports.SecurityGroup = void 0;
+    const cdk = __importStar(require("aws-cdk-lib"));
+    const ec2 = __importStar(require("aws-cdk-lib/aws-ec2"));
+    /**
+     * Default security group suitable for a basic ECS service
+     */
+    class SecurityGroup extends cdk.NestedStack {
+        constructor(scope, id, props) {
+            super(scope, id, props);
+            const { vpc, incomingPorts } = props;
+            this.securityGroup = new ec2.SecurityGroup(this, `${id}Group`, {
+                vpc,
+                description: 'Allows HTTP/HTTPS ingress and all egress traffic',
+                allowAllOutbound: true,
+                allowAllIpv6Outbound: true,
+            });
+            const portsToOpen = incomingPorts || [80, 443];
+            // Open all selected ports
+            portsToOpen.forEach((port) => {
+                this.securityGroup.addIngressRule(ec2.Peer.anyIpv4(), ec2.Port.tcp(port), `Allow ${port} from anywhere (IPv4)`);
+                this.securityGroup.addIngressRule(ec2.Peer.anyIpv6(), ec2.Port.tcp(port), `Allow ${port} from anywhere (IPv6)`);
+            });
+        }
+    }
+    exports.SecurityGroup = SecurityGroup;

src/fargate.ts

-Original file line number
+Diff line change
@@ Expand Up / @@ -12,6 +12,7 @@ import * as targets from 'aws-cdk-lib/aws-route53-targets' @@
     import { StackConfig } from './configuration'
     import { ARecord } from './route53'
     import * as elb from 'aws-cdk-lib/aws-elasticloadbalancingv2'
+    import { SecurityGroup } from './security-group'
     // Default docker image to use
     const DEFAULT_IMAGE = 'nginxdemos/hello:latest'
@@ Expand Down Expand Up / @@ -50,6 +51,7 @@ interface FargateServiceProps extends cdk.NestedStackProps { @@
       repository?: ecr.IRepository
       taskConfiguration: TaskConfiguration
       image?: ecs.ContainerImage
+      securityGroup?: ec2.ISecurityGroup
     }
     /**
@@ Expand Down Expand Up / @@ -77,6 +79,7 @@ export class FargateService extends cdk.NestedStack { @@
           zone,
           repository,
           taskConfiguration,
+          securityGroup: defaultSecurityGroup,
         } = props
         // Compile secrets into list of mapped ecs.Secrets
@@ Expand Down Expand Up / @@ -104,10 +107,21 @@ export class FargateService extends cdk.NestedStack { @@
             ecs.ContainerImage.fromEcrRepository(repository, imageVersion)) ||
           ecs.ContainerImage.fromRegistry(DEFAULT_IMAGE)
+        // Scaffold default security group if not provided
+        let securityGroup = defaultSecurityGroup
+        if (!securityGroup) {
+          const groupStack = new SecurityGroup(
+            this,
+            stack.getResourceID('SecurityGroup'),
+            { vpc: cluster.vpc },
+          )
+          securityGroup = groupStack.securityGroup
+        }
         const desiredCount = taskConfiguration?.desiredCount || 1
         this.service = new ecs_patterns.ApplicationLoadBalancedFargateService(
           this,
-          stack.getResourceID('AdminService'),
+          stack.getResourceID('FargateService'),
           {
             assignPublicIp: true,
             cluster: cluster,
@@ Expand All / @@ -127,6 +141,7 @@ export class FargateService extends cdk.NestedStack { @@
               subnetType: ec2.SubnetType.PUBLIC,
               onePerAz: true,
             },
+            securityGroups: [securityGroup],
           },
         )
@@ Expand Down @@

src/index.ts

-Original file line number
+Diff line change
@@ Expand Up / @@ -8,6 +8,7 @@ export * from './helper' @@
     export * from './ipv6vpc'
     export * from './rds'
     export * from './route53'
+    export * from './security-group'
     export * from './s3'
     export * from './vpc'
     export * from './website-distribution'

src/rds.ts

-Original file line number
+Diff line change
@@ Expand Up @@
           stack.getResourceID('BastionSecurityGroup'),
           {
             vpc,
+            allowAllOutbound: true,
+            allowAllIpv6Outbound: true,
           },
         )
@@ Expand Down @@

src/security-group.ts

-Original file line number
+Diff line change
@@ -0,0 +1,43 @@
+    import { Construct } from 'constructs'
+    import * as cdk from 'aws-cdk-lib'
+    import * as ec2 from 'aws-cdk-lib/aws-ec2'
+    export interface SecurityGroupProps extends cdk.NestedStackProps {
+      vpc: ec2.IVpc
+      incomingPorts?: number[]
+    }
+    /**
+     * Default security group suitable for a basic ECS service
+     */
+    export class SecurityGroup extends cdk.NestedStack {
+      public readonly securityGroup: ec2.ISecurityGroup
+      constructor(scope: Construct, id: string, props: SecurityGroupProps) {
+        super(scope, id, props)
+        const { vpc, incomingPorts } = props
+        this.securityGroup = new ec2.SecurityGroup(this, `${id}Group`, {
+          vpc,
+          description: 'Allows HTTP/HTTPS ingress and all egress traffic',
+          allowAllOutbound: true,
+          allowAllIpv6Outbound: true,
+        })
+        const portsToOpen = incomingPorts || [80, 443]
+        // Open all selected ports
+        portsToOpen.forEach((port) => {
+          this.securityGroup.addIngressRule(
+            ec2.Peer.anyIpv4(),
+            ec2.Port.tcp(port),
+            `Allow ${port} from anywhere (IPv4)`,
+          )
+          this.securityGroup.addIngressRule(
+            ec2.Peer.anyIpv6(),
+            ec2.Port.tcp(port),
+            `Allow ${port} from anywhere (IPv6)`,
+          )
+        })
+      }
+    }

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: add default security group stack #23

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!