From 63b95f4f07a3b56f6cb9cf5795da502763fc32ac Mon Sep 17 00:00:00 2001
From: Sayali Gaikawad
Date: Wed, 20 Dec 2023 16:27:59 -0800
Subject: [PATCH 1/3] Move all checks and default values for network stack to respective class

Signed-off-by: Sayali Gaikawad
---
 bin/app.ts | 2 +-
 lib/networking/vpc-stack.ts | 49 +++++++++++++++++++++++-------------
 lib/os-cluster-entrypoint.ts | 11 --------
 3 files changed, 33 insertions(+), 29 deletions(-)

diff --git a/bin/app.ts b/bin/app.ts
index f0f6f685f46..43c31133ad2 100644
--- a/bin/app.ts
+++ b/bin/app.ts
@@ -6,8 +6,8 @@ The OpenSearch Contributors require contributions made to this file be licensed
 under the Apache-2.0 license or a compatible open source license.
 */
 
-import 'source-map-support/register';
 import { App } from 'aws-cdk-lib';
+import 'source-map-support/register';
 import { OsClusterEntrypoint } from '../lib/os-cluster-entrypoint';
 
 const app = new App();
diff --git a/lib/networking/vpc-stack.ts b/lib/networking/vpc-stack.ts
index e6af873b82e..2835c7a4106 100644
--- a/lib/networking/vpc-stack.ts
+++ b/lib/networking/vpc-stack.ts
@@ -14,13 +14,17 @@ import {
 } from 'aws-cdk-lib/aws-ec2';
 import { Construct } from 'constructs';
 
-export interface vpcProps extends StackProps{
- cidrBlock: string,
- maxAzs: number,
- vpcId: string,
- securityGroupId: string,
- serverAccessType: string,
- restrictServerAccessTo: string,
+export interface VpcProps extends StackProps{
+ /** CIDR Block for VPC */
+ cidr?: string,
+ /** VPC ID of existing VPC */
+ vpcId?: string,
+ /** Security Group to be used for all sources */
+ securityGroupId?: string,
+ /** The access type to restrict server. Choose from ipv4, ipv6, prefixList or securityGroupId */
+ serverAccessType?: string,
+ /** Restrict server access to */
+ restrictServerAccessTo?: string,
 }
 
 export class NetworkStack extends Stack {
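Review bot: The TSDoc on the new optional `VpcProps` members does not say what happens when a member is omitted, yet the constructor in the next hunk falls back to the CDK context key of the same name and then, for `cidr`, to `10.0.0.0/16`; a caller reading only the interface cannot see that lookup order. Suggest stating it per member, e.g. `/** CIDR block for a newly created VPC; falls back to context key 'cidr', then to 10.0.0.0/16 */` and `/** Access type for the ingress rule: ipv4, ipv6, prefixList or securityGroupId; falls back to context key 'serverAccessType' */`. As a point of style, `serverAccessType?: string` could be narrowed to `serverAccessType?: 'ipv4' | 'ipv6' | 'prefixList' | 'securityGroupId'` so a typo in props fails at compile time; values arriving from context stay untyped and still need the runtime `switch` in `getServerAccess`. The interface is complete within the hunk; `NetworkStack` continues beyond it.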
@@ -28,14 +32,25 @@ export class NetworkStack extends Stack {
 
 public readonly osSecurityGroup: ISecurityGroup;
 
- constructor(scope: Construct, id: string, props: vpcProps) {
+ constructor(scope: Construct, id: string, props: VpcProps) {
 let serverAccess: IPeer;
+
+ // Properties and context variables check
+ let cidrRange = `${props?.cidr ?? scope.node.tryGetContext('cidr')}`;
+ if (cidrRange == 'undefined'){
+ cidrRange = '10.0.0.0/16'
+ }
+ let vpcId = `${props?.vpcId ?? scope.node.tryGetContext('vpcId')}`;
+ let serverAccessType = `${props?.serverAccessType ?? scope.node.tryGetContext('serverAccessType')}`
+ let restrictServerAccessTo = `${props?.restrictServerAccessTo ?? scope.node.tryGetContext('restrictServerAccessTo')}`
+ let secGroupId = `${props?.securityGroupId ?? scope.node.tryGetContext('securityGroupId')}`
+
 super(scope, id, props);
- if (props.vpcId === undefined) {
+ if (vpcId === 'undefined') {
 console.log('No VPC-Id Provided, a new VPC will be created');
 this.vpc = new Vpc(this, 'opensearchClusterVpc', {
- cidr: (props.cidrBlock !== undefined) ? props.cidrBlock : '10.0.0.0/16',
- maxAzs: props.maxAzs,
+ cidr: cidrRange,
+ maxAzs: 3,
 subnetConfiguration: [
 {
 name: 'public-subnet',
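Review bot: Wrapping each `props?.x ?? scope.node.tryGetContext('x')` lookup in a template literal turns a missing value into the string `'undefined'`, so the required-parameter guard in the next hunk, `typeof restrictServerAccessTo === 'undefined' || typeof serverAccessType === 'undefined'`, can never be true (a template literal always yields a string) and the error message that documents the required inputs is unreachable. A missing `restrictServerAccessTo` therefore reaches `NetworkStack.getServerAccess('undefined', serverAccessType)`; the `ipv4`/`ipv6` branches presumably fail CDK's CIDR validation, but the `prefixList`/`securityGroupId` branches appear to pass the literal straight into the ingress rule, so the failure surfaces at deploy time instead of at synth with a clear message. The same sentinel forces the `cidrRange == 'undefined'` and `vpcId === 'undefined'` comparisons here and the `secGroupId === 'undefined'` one in the next hunk, and it survives patch 2's `-45,7` hunk and patch 3's `-34,17` hunk. Keeping the values as `string | undefined` and chaining the default with `??` removes the sentinel and makes the existing `typeof` check effective again, with the later comparisons becoming `=== undefined`; the constructor body continues past this hunk.
```typescript
constructor(scope: Construct, id: string, props: VpcProps) {
  let serverAccess: IPeer;

  // Props win over CDK context; a missing value stays undefined rather than
  // becoming the string 'undefined', so the later typeof checks are effective.
  const cidrRange: string = props?.cidr ?? scope.node.tryGetContext('cidr') ?? '10.0.0.0/16';
  const vpcId: string | undefined = props?.vpcId ?? scope.node.tryGetContext('vpcId');
  const serverAccessType: string | undefined = props?.serverAccessType ?? scope.node.tryGetContext('serverAccessType');
  const restrictServerAccessTo: string | undefined = props?.restrictServerAccessTo ?? scope.node.tryGetContext('restrictServerAccessTo');
  const secGroupId: string | undefined = props?.securityGroupId ?? scope.node.tryGetContext('securityGroupId');

  super(scope, id, props);
  if (vpcId === undefined) {
  // … unchanged: VPC creation using cidrRange and maxAzs …
```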
@@ -52,23 +67,23 @@ export class NetworkStack extends Stack {
 } else {
 console.log('VPC provided, using existing');
 this.vpc = Vpc.fromLookup(this, 'opensearchClusterVpc', {
- vpcId: props.vpcId,
+ vpcId: vpcId,
 });
 }
 
- if (typeof props.restrictServerAccessTo === 'undefined' || typeof props.serverAccessType === 'undefined') {
+ if (typeof restrictServerAccessTo === 'undefined' || typeof serverAccessType === 'undefined') {
 throw new Error('serverAccessType and restrictServerAccessTo parameters are required - eg: serverAccessType=ipv4 restrictServerAccessTo=10.10.10.10/32');
 } else {
- serverAccess = NetworkStack.getServerAccess(props.restrictServerAccessTo, props.serverAccessType);
+ serverAccess = NetworkStack.getServerAccess(restrictServerAccessTo, serverAccessType);
 }
 
- if (props.securityGroupId === undefined) {
+ if (secGroupId === 'undefined') {
 this.osSecurityGroup = new SecurityGroup(this, 'osSecurityGroup', {
 vpc: this.vpc,
 allowAllOutbound: true,
 });
 } else {
- this.osSecurityGroup = SecurityGroup.fromSecurityGroupId(this, 'osSecurityGroup', props.securityGroupId);
+ this.osSecurityGroup = SecurityGroup.fromSecurityGroupId(this, 'osSecurityGroup', secGroupId);
 }
 
 /* The security group allows all ip access by default to all the ports.
@@ -88,7 +103,7 @@ export class NetworkStack extends Stack {
 case 'securityGroupId':
 return Peer.securityGroupId(restrictServerAccessTo);
 default:
- throw new Error('serverAccessType should be one of the below values: ipv4, ipv6, prefixList or securityGroupId');
+ throw new Error('serverAccessType should be one of the below values: ipv4, ipv6, prefixList or securityGroupId');
 }
 }
 }
diff --git a/lib/os-cluster-entrypoint.ts b/lib/os-cluster-entrypoint.ts
index 7ccad997e3e..a1dc91930e4 100644
--- a/lib/os-cluster-entrypoint.ts
+++ b/lib/os-cluster-entrypoint.ts
@@ -69,11 +69,6 @@ export class OsClusterEntrypoint {
 const x64InstanceTypes: string[] = Object.keys(x64Ec2InstanceType);
 const arm64InstanceTypes: string[] = Object.keys(arm64Ec2InstanceType);
 
- const vpcId: string = scope.node.tryGetContext('vpcId');
- const securityGroupId = scope.node.tryGetContext('securityGroupId');
- const cidrRange = scope.node.tryGetContext('cidr');
- const restrictServerAccessTo = scope.node.tryGetContext('restrictServerAccessTo');
- const serverAccessType = scope.node.tryGetContext('serverAccessType');
 
 const distVersion = `${scope.node.tryGetContext('distVersion')}`;
 if (distVersion.toString() === 'undefined') {
@@ -233,12 +228,6 @@ export class OsClusterEntrypoint {
 }
 
 const network = new NetworkStack(scope, networkStackName, {
- cidrBlock: cidrRange,
- maxAzs: 3,
- vpcId,
- securityGroupId,
- serverAccessType,
- restrictServerAccessTo,
 ...props,
 });
 

From 51e238b1df0d2785a09b97a16cbaf4d6bc6c4462 Mon Sep 17 00:00:00 2001
From: Sayali Gaikawad
Date: Wed, 20 Dec 2023 16:35:48 -0800
Subject: [PATCH 2/3] Refactor

Signed-off-by: Sayali Gaikawad
---
 lib/networking/vpc-stack.ts | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/lib/networking/vpc-stack.ts b/lib/networking/vpc-stack.ts
index 2835c7a4106..4a59da1cfed 100644
--- a/lib/networking/vpc-stack.ts
+++ b/lib/networking/vpc-stack.ts
@@ -33,8 +33,9 @@ export class NetworkStack extends Stack {
 public readonly osSecurityGroup: ISecurityGroup;
 
 constructor(scope: Construct, id: string, props: VpcProps) {
+ super(scope, id, props);
+
 let serverAccess: IPeer;
-
 // Properties and context variables check
 let cidrRange = `${props?.cidr ?? scope.node.tryGetContext('cidr')}`;
 if (cidrRange == 'undefined'){
@@ -45,7 +46,13 @@ export class NetworkStack extends Stack {
 let restrictServerAccessTo = `${props?.restrictServerAccessTo ?? scope.node.tryGetContext('restrictServerAccessTo')}`
 let secGroupId = `${props?.securityGroupId ?? scope.node.tryGetContext('securityGroupId')}`
 
- super(scope, id, props);
+ if (typeof restrictServerAccessTo === 'undefined' || typeof serverAccessType === 'undefined') {
+ throw new Error('serverAccessType and restrictServerAccessTo parameters are required - eg: serverAccessType=ipv4 restrictServerAccessTo=10.10.10.10/32');
+ } else {
+ serverAccess = NetworkStack.getServerAccess(restrictServerAccessTo, serverAccessType);
+ }
+
+ // VPC specs
 if (vpcId === 'undefined') {
 console.log('No VPC-Id Provided, a new VPC will be created');
 this.vpc = new Vpc(this, 'opensearchClusterVpc', {
@@ -71,12 +78,7 @@ export class NetworkStack extends Stack {
 });
 }
 
- if (typeof restrictServerAccessTo === 'undefined' || typeof serverAccessType === 'undefined') {
- throw new Error('serverAccessType and restrictServerAccessTo parameters are required - eg: serverAccessType=ipv4 restrictServerAccessTo=10.10.10.10/32');
- } else {
- serverAccess = NetworkStack.getServerAccess(restrictServerAccessTo, serverAccessType);
- }
-
+ // Security Group specs
 if (secGroupId === 'undefined') {
 this.osSecurityGroup = new SecurityGroup(this, 'osSecurityGroup', {
 vpc: this.vpc,

From 96bc4edc3a47f4250e93dc4452a0547b421c5b3d Mon Sep 17 00:00:00 2001
From: Sayali Gaikawad
Date: Wed, 20 Dec 2023 16:43:30 -0800
Subject: [PATCH 3/3] Refactor

Signed-off-by: Sayali Gaikawad
---
 lib/networking/vpc-stack.ts | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/lib/networking/vpc-stack.ts b/lib/networking/vpc-stack.ts
index 4a59da1cfed..8d1f22c2457 100644
--- a/lib/networking/vpc-stack.ts
+++ b/lib/networking/vpc-stack.ts
@@ -34,17 +34,17 @@ export class NetworkStack extends Stack {
 
 constructor(scope: Construct, id: string, props: VpcProps) {
 super(scope, id, props);
-
+
 let serverAccess: IPeer;
 // Properties and context variables check
 let cidrRange = `${props?.cidr ?? scope.node.tryGetContext('cidr')}`;
- if (cidrRange == 'undefined'){
- cidrRange = '10.0.0.0/16'
+ if (cidrRange === 'undefined') {
+ cidrRange = '10.0.0.0/16';
 }
- let vpcId = `${props?.vpcId ?? scope.node.tryGetContext('vpcId')}`;
- let serverAccessType = `${props?.serverAccessType ?? scope.node.tryGetContext('serverAccessType')}`
- let restrictServerAccessTo = `${props?.restrictServerAccessTo ?? scope.node.tryGetContext('restrictServerAccessTo')}`
- let secGroupId = `${props?.securityGroupId ?? scope.node.tryGetContext('securityGroupId')}`
+ const vpcId = `${props?.vpcId ?? scope.node.tryGetContext('vpcId')}`;
+ const serverAccessType = `${props?.serverAccessType ?? scope.node.tryGetContext('serverAccessType')}`;
+ const restrictServerAccessTo = `${props?.restrictServerAccessTo ?? scope.node.tryGetContext('restrictServerAccessTo')}`;
+ const secGroupId = `${props?.securityGroupId ?? scope.node.tryGetContext('securityGroupId')}`;
 
 if (typeof restrictServerAccessTo === 'undefined' || typeof serverAccessType === 'undefined') {
 throw new Error('serverAccessType and restrictServerAccessTo parameters are required - eg: serverAccessType=ipv4 restrictServerAccessTo=10.10.10.10/32');
@@ -74,7 +74,7 @@ export class NetworkStack extends Stack {
 } else {
 console.log('VPC provided, using existing');
 this.vpc = Vpc.fromLookup(this, 'opensearchClusterVpc', {
- vpcId: vpcId,
+ vpcId,
 });
 }