Fix ingress rules for security group

Signed-off-by: Sayali Gaikawad <[email protected]>
gaiksaya · Feb 17, 2024 · 04428da · 04428da
1 parent c23b512
commit 04428da
Show file tree

Hide file tree

Showing 2 changed files with 79 additions and 9 deletions.
diff --git a/lib/networking/vpc-stack.ts b/lib/networking/vpc-stack.ts
@@ -10,7 +10,9 @@ import {
   IPeer,
   ISecurityGroup,
   IVpc,
-  Peer, Port, SecurityGroup, SubnetType, Vpc,
+  Peer,
+  Port,
+  SecurityGroup, SubnetType, Vpc,
 } from 'aws-cdk-lib/aws-ec2';
 import { Construct } from 'constructs';
 
@@ -44,7 +46,6 @@ export class NetworkStack extends Stack {
     const vpcId = `${props?.vpcId ?? scope.node.tryGetContext('vpcId')}`;
     const serverAccessType = `${props?.serverAccessType ?? scope.node.tryGetContext('serverAccessType')}`;
     const restrictServerAccessTo = `${props?.restrictServerAccessTo ?? scope.node.tryGetContext('restrictServerAccessTo')}`;
-    const secGroupId = `${props?.securityGroupId ?? scope.node.tryGetContext('securityGroupId')}`;
 
     if (typeof restrictServerAccessTo === 'undefined' || typeof serverAccessType === 'undefined') {
       throw new Error('serverAccessType and restrictServerAccessTo parameters are required - eg: serverAccessType=ipv4 restrictServerAccessTo=10.10.10.10/32');
@@ -79,19 +80,20 @@ export class NetworkStack extends Stack {
     }
 
     // Security Group specs
-    if (secGroupId === 'undefined') {
+    if (serverAccessType !== 'securityGroupId') {
       this.osSecurityGroup = new SecurityGroup(this, 'osSecurityGroup', {
         vpc: this.vpc,
         allowAllOutbound: true,
       });
+      this.osSecurityGroup.addIngressRule(serverAccess, Port.tcp(80));
+      this.osSecurityGroup.addIngressRule(serverAccess, Port.tcp(443));
+      this.osSecurityGroup.addIngressRule(serverAccess, Port.tcp(9200));
+      this.osSecurityGroup.addIngressRule(serverAccess, Port.tcp(5601));
+      this.osSecurityGroup.addIngressRule(serverAccess, Port.tcp(8443));
+      this.osSecurityGroup.addIngressRule(this.osSecurityGroup, Port.allTraffic());
     } else {
-      this.osSecurityGroup = SecurityGroup.fromSecurityGroupId(this, 'osSecurityGroup', secGroupId);
+      this.osSecurityGroup = SecurityGroup.fromSecurityGroupId(this, 'osSecurityGroup', restrictServerAccessTo);
     }
-
-    /* The security group allows all ip access by default to all the ports.
-    Please update below if you want to restrict access to certain ips and ports */
-    this.osSecurityGroup.addIngressRule(serverAccess, Port.allTcp());
-    this.osSecurityGroup.addIngressRule(this.osSecurityGroup, Port.allTraffic());
   }
 
   private static getServerAccess(restrictServerAccessTo: string, serverAccessType: string): IPeer {

diff --git a/test/opensearch-cluster-cdk.test.ts b/test/opensearch-cluster-cdk.test.ts
@@ -209,6 +209,38 @@ test('Test Resources with security enabled multi-node with existing Vpc with use
     SecurityGroupIngress: [
       {
         CidrIp: '10.10.10.10/32',
+        Description: 'from 10.10.10.10/32:80',
+        FromPort: 80,
+        IpProtocol: 'tcp',
+        ToPort: 80,
+      },
+      {
+        CidrIp: '10.10.10.10/32',
+        Description: 'from 10.10.10.10/32:443',
+        FromPort: 443,
+        IpProtocol: 'tcp',
+        ToPort: 443,
+      },
+      {
+        CidrIp: '10.10.10.10/32',
+        Description: 'from 10.10.10.10/32:9200',
+        FromPort: 9200,
+        IpProtocol: 'tcp',
+        ToPort: 9200,
+      },
+      {
+        CidrIp: '10.10.10.10/32',
+        Description: 'from 10.10.10.10/32:5601',
+        FromPort: 5601,
+        IpProtocol: 'tcp',
+        ToPort: 5601,
+      },
+      {
+        CidrIp: '10.10.10.10/32',
+        Description: 'from 10.10.10.10/32:8443',
+        FromPort: 8443,
+        IpProtocol: 'tcp',
+        ToPort: 8443,
       },
     ],
   });
@@ -827,3 +859,39 @@ test('Test additionalConfig overriding values', () => {
     },
   });
 });
+
+test('Test Resources with securityGroupId param', () => {
+  const app = new App({
+    context: {
+      securityDisabled: false,
+      minDistribution: false,
+      distributionUrl: 'www.example.com',
+      cpuArch: 'x64',
+      singleNodeCluster: false,
+      dashboardsUrl: 'www.example.com',
+      distVersion: '1.0.0',
+      serverAccessType: 'securityGroupId',
+      restrictServerAccessTo: 'sg-012a34s123d234f90',
+    },
+  });
+
+  // WHEN
+  const networkStack = new NetworkStack(app, 'opensearch-network-stack', {
+    env: { account: 'test-account', region: 'us-east-1' },
+  });
+
+  // @ts-ignore
+  const infraStack = new InfraStack(app, 'opensearch-infra-stack', {
+    vpc: networkStack.vpc,
+    securityGroup: networkStack.osSecurityGroup,
+    env: { account: 'test-account', region: 'us-east-1' },
+  });
+  const networkTemplate = Template.fromStack(networkStack);
+  networkTemplate.resourceCountIs('AWS::EC2::SecurityGroup', 0);
+  const infraTemplate = Template.fromStack(infraStack);
+  infraTemplate.hasResourceProperties('AWS::AutoScaling::LaunchConfiguration', {
+    SecurityGroups: [
+      'sg-012a34s123d234f90',
+    ],
+  });
+});