diff --git a/lib/networking/vpc-stack.ts b/lib/networking/vpc-stack.ts
index 045935b4447..6c5ae5dca73 100644
--- a/lib/networking/vpc-stack.ts
+++ b/lib/networking/vpc-stack.ts
@@ -47,7 +47,11 @@ export class NetworkStack extends Stack {
 const serverAccessType = `${props?.serverAccessType ?? scope.node.tryGetContext('serverAccessType')}`;
 const restrictServerAccessTo = `${props?.restrictServerAccessTo ?? scope.node.tryGetContext('restrictServerAccessTo')}`;
- if (typeof restrictServerAccessTo === 'undefined' || typeof serverAccessType === 'undefined') {
+ if (serverAccessType === 'securityGroupId' && vpcId === 'undefined') {
+ throw new Error('securityGroupID needs to belong to the same VPC as other resources. Please specify existing vpcId');
+ }
+
+ if (restrictServerAccessTo === 'undefined' || serverAccessType === 'undefined') {
 throw new Error('serverAccessType and restrictServerAccessTo parameters are required - eg: serverAccessType=ipv4 restrictServerAccessTo=10.10.10.10/32');
 } else {
 serverAccess = NetworkStack.getServerAccess(restrictServerAccessTo, serverAccessType);
diff --git a/test/opensearch-cluster-cdk.test.ts b/test/opensearch-cluster-cdk.test.ts
index 334eb54a432..afd44af32fe 100644
--- a/test/opensearch-cluster-cdk.test.ts
+++ b/test/opensearch-cluster-cdk.test.ts
@@ -872,6 +872,7 @@ test('Test Resources with securityGroupId param', () => {
 distVersion: '1.0.0',
 serverAccessType: 'securityGroupId',
 restrictServerAccessTo: 'sg-012a34s123d234f90',
+ vpcId: 'vpc-12345',
 },
 });
 
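Review bot: In lib/networking/vpc-stack.ts both new guards compare against the literal string `'undefined'`, which only works because the values are pushed through a template literal on the context lines above. An empty or `null` context value becomes `''` or `'null'`, passes both checks, and reaches `NetworkStack.getServerAccess` as if it were a real restriction. Because these parameters decide who can reach the cluster, I would validate the raw value before stringifying it, e.g. `const rawRestrict = props?.restrictServerAccessTo ?? scope.node.tryGetContext('restrictServerAccessTo');` followed by `if (rawRestrict == null || String(rawRestrict).trim() === '')`. `vpcId` is assigned outside this hunk, so `vpcId === 'undefined'` presumably relies on the same interpolation; worth confirming, since otherwise the new guard never fires. The constructor body starts and ends outside the hunk.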
@@ -895,3 +896,39 @@ test('Test Resources with securityGroupId param', () => {
 ],
 });
 });
+
+test('Test Resources with securityGroupId and vpcID param missing', () => {
+ const app = new App({
+ context: {
+ securityDisabled: false,
+ minDistribution: false,
+ distributionUrl: 'www.example.com',
+ cpuArch: 'x64',
+ singleNodeCluster: false,
+ dashboardsUrl: 'www.example.com',
+ distVersion: '1.0.0',
+ serverAccessType: 'securityGroupId',
+ restrictServerAccessTo: 'sg-012a34s123d234f90',
+ },
+ });
+
+ try {
+ const networkStack = new NetworkStack(app, 'opensearch-network-stack', {
+ env: { account: 'test-account', region: 'us-east-1' },
+ });
+
+ // @ts-ignore
+ const infraStack = new InfraStack(app, 'opensearch-infra-stack', {
+ vpc: networkStack.vpc,
+ securityGroup: networkStack.osSecurityGroup,
+ env: { account: 'test-account', region: 'us-east-1' },
+ });
+
+ // eslint-disable-next-line no-undef
+ fail('Expected an error to be thrown');
+ } catch (error) {
+ expect(error).toBeInstanceOf(Error);
+ // @ts-ignore
+ expect(error.message).toEqual('securityGroupID needs to belong to the same VPC as other resources. Please specify existing vpcId');
+ }
+});
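Review bot: The new negative test uses a try/catch with `fail(...)`, which makes the failure mode hard to read: if `NetworkStack` stops throwing, whatever `fail` raises (it may not even be defined under the current Jest runner, hence the `no-undef` suppression) is swallowed by the same `catch` and reported as a message mismatch. The `InfraStack` construction and both `// @ts-ignore` lines are also unnecessary, because the error is expected from the `NetworkStack` constructor. I would replace the whole block with `expect(() => new NetworkStack(app, 'opensearch-network-stack', { env: { account: 'test-account', region: 'us-east-1' } })).toThrow('securityGroupID needs to belong to the same VPC as other resources. Please specify existing vpcId');`. Since this guard protects the access-restriction path, a second case passing `serverAccessType` through props rather than context would be worth adding too.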