From ff4a64b69faa7268bed10e10c8d5eb09fe682c4e Mon Sep 17 00:00:00 2001
From: Mike Cowgill
Date: Tue, 28 Aug 2018 01:18:13 -0700
Subject: [PATCH 1/3] feat(aws-autoscaling): add the ability attach a security group to an autoscaling launch configuration (#636)
---
 .../aws-autoscaling/lib/auto-scaling-group.ts | 16 ++++++++--
 .../test/test.auto-scaling-group.ts | 30 +++++++++++++++++++
 2 files changed, 44 insertions(+), 2 deletions(-)
diff --git a/packages/@aws-cdk/aws-autoscaling/lib/auto-scaling-group.ts b/packages/@aws-cdk/aws-autoscaling/lib/auto-scaling-group.ts
index 34462984f87fe..a7cbc6b5083f3 100644
--- a/packages/@aws-cdk/aws-autoscaling/lib/auto-scaling-group.ts
+++ b/packages/@aws-cdk/aws-autoscaling/lib/auto-scaling-group.ts
@@ -153,7 +153,8 @@ export class AutoScalingGroup extends cdk.Construct implements ec2.IClassicLoadB
 private readonly userDataLines = new Array();
 private readonly autoScalingGroup: cloudformation.AutoScalingGroupResource;
- private readonly securityGroup: ec2.SecurityGroup;
+ private readonly securityGroup: ec2.SecurityGroupRef;
+ private readonly securityGroups: ec2.SecurityGroupRef[] = [];
 private readonly loadBalancerNames: cdk.Token[] = [];
 constructor(parent: cdk.Construct, name: string, props: AutoScalingGroupProps) {
@@ -161,6 +162,7 @@ export class AutoScalingGroup extends cdk.Construct implements ec2.IClassicLoadB
 this.securityGroup = new ec2.SecurityGroup(this, 'InstanceSecurityGroup', { vpc: props.vpc });
 this.connections = new ec2.Connections({ securityGroup: this.securityGroup });
+ this.securityGroups.push(this.securityGroup);
 if (props.allowAllOutbound !== false) {
 this.connections.allowTo(new ec2.AnyIPv4(), new ec2.AllConnections(), 'Outbound traffic allowed by default');
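Review bot: The first hunk widens the `securityGroup` field from `ec2.SecurityGroup` to `ec2.SecurityGroupRef`, yet the only assignment (second hunk, in the constructor) is still `new ec2.SecurityGroup(...)`, so the field now exposes less than what it always holds. If the widening is only there so the field can be pushed into `securityGroups: ec2.SecurityGroupRef[]`, that push already compiles against the concrete type, since the assignment itself shows `SecurityGroup` is assignable to `SecurityGroupRef`; keeping `private readonly securityGroup: ec2.SecurityGroup;` preserves access to any members the concrete class adds. If there is another reason for the wider type, a short comment on the field would save the next reader the same question.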
@@ -177,12 +179,13 @@ export class AutoScalingGroup extends cdk.Construct implements ec2.IClassicLoadB
 // use delayed evaluation
 const machineImage = props.machineImage.getImage(this);
 const userDataToken = new cdk.Token(() => new cdk.FnBase64((machineImage.os.createUserData(this.userDataLines))));
+ const securityGroupsToken = new cdk.Token(() => this.securityGroups.map((sg) => sg.securityGroupId));
 const launchConfig = new cloudformation.LaunchConfigurationResource(this, 'LaunchConfig', {
 imageId: machineImage.imageId,
 keyName: props.keyName,
 instanceType: props.instanceType.toString(),
- securityGroups: [this.securityGroup.securityGroupId],
+ securityGroups: securityGroupsToken,
 iamInstanceProfile: iamProfile.ref,
 userData: userDataToken
 });
@@ -227,6 +230,15 @@ export class AutoScalingGroup extends cdk.Construct implements ec2.IClassicLoadB
 this.applyUpdatePolicies(props);
 }
+ /**
+ * Attach the security group to all instances in this autoscaling group
+ *
+ * @param securityGroup: The SecurityGroupRef to add
+ */
+ public attachSecurityGroup(securityGroup: ec2.SecurityGroupRef): void {
+ this.securityGroups.push(securityGroup);
+ }
+
 public attachToClassicLB(loadBalancer: ec2.ClassicLoadBalancer): void {
 this.loadBalancerNames.push(loadBalancer.loadBalancerName);
 }
diff --git a/packages/@aws-cdk/aws-autoscaling/test/test.auto-scaling-group.ts b/packages/@aws-cdk/aws-autoscaling/test/test.auto-scaling-group.ts
index 5deccbfbe8d5b..4d0b04f310315 100644
--- a/packages/@aws-cdk/aws-autoscaling/test/test.auto-scaling-group.ts
+++ b/packages/@aws-cdk/aws-autoscaling/test/test.auto-scaling-group.ts
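Review bot: `attachSecurityGroup` (second hunk) only appends to `this.securityGroups`, which feeds the launch configuration; it does not register the group with `this.connections`, which the constructor builds around the construct-created `InstanceSecurityGroup` alone. Rules applied through `asg.connections`, including the default allow-all-outbound rule the constructor adds, therefore never reach an attached group, and an imported `SecurityGroupRef` such as the test's is managed entirely outside this stack — the doc comment should say so, e.g. `Rules added via this construct's connections apply only to the construct-managed group; an added group keeps the rules its owner defined.`, and the rewording of the same comment in PATCH 3/3 leaves this out as well. Calling the method twice with the same group also appends it twice to the resolved `SecurityGroups` array, which CloudFormation may reject at deploy time; `if (this.securityGroups.includes(securityGroup)) { return; }` before the push avoids that. Minor: `@param securityGroup:` carries a stray colon after the parameter name, which TSDoc does not use.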
@@ -332,6 +332,30 @@ export = {
 test.done();
 },
+ 'can add Security Group to Fleet'(test: Test) {
+ // GIVEN
+ const stack = new cdk.Stack(undefined, 'MyStack', { env: { region: 'us-east-1', account: '1234' }});
+ const vpc = mockVpc(stack);
+
+ // WHEN
+ const asg = new autoscaling.AutoScalingGroup(stack, 'MyFleet', {
+ instanceType: new ec2.InstanceTypePair(ec2.InstanceClass.M4, ec2.InstanceSize.Micro),
+ machineImage: new ec2.AmazonLinuxImage(),
+ vpc,
+ });
+ asg.attachSecurityGroup(mockSecurityGroup(stack));
+ expect(stack).to(haveResource("AWS::AutoScaling::LaunchConfiguration", {
+ SecurityGroups: [
+ {
+ "Fn::GetAtt": [
+ "MyFleetInstanceSecurityGroup774E8234",
+ "GroupId"
+ ]
+ },
+ 'most-secure'],
+ }));
+ test.done();
+ },
 };
 function mockVpc(stack: cdk.Stack) {
@@ -342,3 +366,9 @@ function mockVpc(stack: cdk.Stack) {
 privateSubnetIds: [ new ec2.VpcSubnetId('pri1') ],
 });
 }
+
+function mockSecurityGroup(stack: cdk.Stack) {
+ return ec2.SecurityGroupRef.import(stack, 'MySG', {
+ securityGroupId: new ec2.SecurityGroupId('most-secure'),
+ });
+}
From 7ffd142c3a10860a172483dbe0aad88a67654ef7 Mon Sep 17 00:00:00 2001
From: Mike Cowgill
Date: Tue, 28 Aug 2018 09:35:26 -0700
Subject: [PATCH 2/3] refactor to `addSecurityGroup` from `attachSecurityGroup`; small code cleanup
---
 packages/@aws-cdk/aws-autoscaling/lib/auto-scaling-group.ts | 4 ++--
 .../@aws-cdk/aws-autoscaling/test/test.auto-scaling-group.ts | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/packages/@aws-cdk/aws-autoscaling/lib/auto-scaling-group.ts b/packages/@aws-cdk/aws-autoscaling/lib/auto-scaling-group.ts
index a7cbc6b5083f3..3a23aa2f1ef51 100644
--- a/packages/@aws-cdk/aws-autoscaling/lib/auto-scaling-group.ts
+++ b/packages/@aws-cdk/aws-autoscaling/lib/auto-scaling-group.ts
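Review bot: The new test in the first hunk pins the launch configuration's `SecurityGroups` for a single added group only, and the expected array silently relies on the construct-managed group coming first; a second case that adds two groups (or the same `mockSecurityGroup(stack)` twice) would make that ordering and the duplicate-handling explicit instead of incidental. The `// WHEN` section also contains the assertion, so a `// THEN` marker before the `expect(stack).to(...)` call would match the GIVEN/WHEN structure the test sets up. As a point of style, the expected-properties literal mixes double quotes (`"AWS::AutoScaling::LaunchConfiguration"`, `"Fn::GetAtt"`) with single quotes (`'most-secure'`) in the same object; the rest of the hunk uses single quotes.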
@@ -179,7 +179,7 @@ export class AutoScalingGroup extends cdk.Construct implements ec2.IClassicLoadB
 // use delayed evaluation
 const machineImage = props.machineImage.getImage(this);
 const userDataToken = new cdk.Token(() => new cdk.FnBase64((machineImage.os.createUserData(this.userDataLines))));
- const securityGroupsToken = new cdk.Token(() => this.securityGroups.map((sg) => sg.securityGroupId));
+ const securityGroupsToken = new cdk.Token(() => this.securityGroups.map(sg => sg.securityGroupId));
 const launchConfig = new cloudformation.LaunchConfigurationResource(this, 'LaunchConfig', {
 imageId: machineImage.imageId,
@@ -235,7 +235,7 @@ export class AutoScalingGroup extends cdk.Construct implements ec2.IClassicLoadB
 *
 * @param securityGroup: The SecurityGroupRef to add
 */
- public attachSecurityGroup(securityGroup: ec2.SecurityGroupRef): void {
+ public addSecurityGroup(securityGroup: ec2.SecurityGroupRef): void {
 this.securityGroups.push(securityGroup);
 }
diff --git a/packages/@aws-cdk/aws-autoscaling/test/test.auto-scaling-group.ts b/packages/@aws-cdk/aws-autoscaling/test/test.auto-scaling-group.ts
index 4d0b04f310315..92c0ac81c27f5 100644
--- a/packages/@aws-cdk/aws-autoscaling/test/test.auto-scaling-group.ts
+++ b/packages/@aws-cdk/aws-autoscaling/test/test.auto-scaling-group.ts
@@ -343,7 +343,7 @@ export = {
 machineImage: new ec2.AmazonLinuxImage(),
 vpc,
 });
- asg.attachSecurityGroup(mockSecurityGroup(stack));
+ asg.addSecurityGroup(mockSecurityGroup(stack));
 expect(stack).to(haveResource("AWS::AutoScaling::LaunchConfiguration", {
 SecurityGroups: [
 {
From 2a69ad6d93ff50a9fce79fb5df2b1fdd7656e7bf Mon Sep 17 00:00:00 2001
From: Mike Cowgill
Date: Tue, 28 Aug 2018 22:01:40 -0700
Subject: [PATCH 3/3] changing the method comment to match the name and adding more detail about launch config
---
 packages/@aws-cdk/aws-autoscaling/lib/auto-scaling-group.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/packages/@aws-cdk/aws-autoscaling/lib/auto-scaling-group.ts b/packages/@aws-cdk/aws-autoscaling/lib/auto-scaling-group.ts
index 3a23aa2f1ef51..fc8ff9c4720ba 100644
--- a/packages/@aws-cdk/aws-autoscaling/lib/auto-scaling-group.ts
+++ b/packages/@aws-cdk/aws-autoscaling/lib/auto-scaling-group.ts
@@ -231,7 +231,8 @@ export class AutoScalingGroup extends cdk.Construct implements ec2.IClassicLoadB
 }
 /**
- * Attach the security group to all instances in this autoscaling group
+ * Add the security group to all instances via the launch configuration
+ * security groups array.
 *
 * @param securityGroup: The SecurityGroupRef to add
 */