add possibility to pass security group and expose it (#11)

lib/index.ts

@@ -53,6 +53,14 @@ export interface BastionHostRDSForwardProps {
    * Can be omitted, when not using IAM Authentication
    */
   readonly iamUser?: string;
+
+  /**
+   * The security group, which is attached to the bastion host.
+   *
+   * @default If none is provided a default security group is attached, which
+   * doesn't allow incoming traffic and allows outbound traffic to everywhere
+   */
+  readonly securityGroup?: ec2.ISecurityGroup;
 }
 
 export class BastionHostRDSForward extends cdk.Construct {
@@ -62,12 +70,23 @@ export class BastionHostRDSForward extends cdk.Construct {
    */
   public readonly instanceId: string;
 
+  /**
+   * @returns the security group attached to the bastion host
+   */
+  public readonly securityGroup: ec2.ISecurityGroup;
+
   constructor(scope: cdk.Construct, id: string, props: BastionHostRDSForwardProps) {
     super(scope, id);
 
+    this.securityGroup = props.securityGroup || new ec2.SecurityGroup(this, 'BastionHostSecurityGroup', {
+        vpc: props.vpc,
+        allowAllOutbound: true,
+    });
+
     const bastionHost = new ec2.BastionHostLinux(this, 'BastionHost', {
       instanceName: props.name || 'BastionHost',
       vpc: props.vpc,
+      securityGroup: this.securityGroup,
     });
 
     const databasesHaProxy = props.databases.reduce(

package.json

@@ -13,7 +13,7 @@
     "url": "https://github.com/moia-dev/bastion-host-rds-forward"
   },
   "license": "Apache-2.0",
-  "version": "0.1.3",
+  "version": "0.2.0",
   "main": "lib/index.js",
   "types": "lib/index.d.ts",
   "scripts": {

test/bastion-host-rds-forward.test.ts

@@ -12,6 +12,7 @@
 */
 
 import { expect as expectCDK, haveResource } from '@aws-cdk/assert';
+import { strict as assert } from 'assert';
 import * as cdk from '@aws-cdk/core';
 import * as ec2 from '@aws-cdk/aws-ec2';
 import * as rds from '@aws-cdk/aws-rds';
@@ -232,3 +233,35 @@ test('Bastion Host created with extended Role for IAM RDS Connection', () => {
       }
   }));
 });
+
+test('Bastion Host with own securityGroup', () => {
+    const app = new cdk.App();
+    const stack = new cdk.Stack(app, 'TestStack');
+    const testVpc = new ec2.Vpc(stack, 'TestVpc');
+    const securityGroup = new ec2.SecurityGroup(stack, 'SecurityGroup', {
+      vpc: testVpc,
+      allowAllOutbound: false,
+      description: 'My test securityGroup description',
+      securityGroupName: 'MyTestSecurityGroupName',
+    });
+
+    const testRds = new rds.DatabaseInstance(stack, 'TestRDS', {
+      masterUsername: 'testuser',
+      engine: rds.DatabaseInstanceEngine.POSTGRES,
+      instanceClass: ec2.InstanceType.of(ec2.InstanceClass.T3, ec2.InstanceSize.MICRO),
+      vpc: testVpc
+    });
+
+    // WHEN
+    const bastionHost = new BastionHostRDSForward.BastionHostRDSForward(stack, 'MyTestConstruct', {
+      vpc: testVpc,
+      databases: ['mypostgres', 'yourpostgres'],
+      name: 'MyBastion',
+      rdsInstance: testRds,
+      securityGroup,
+    });
+    const bastionHostSecurityGroup = bastionHost.securityGroup as ec2.SecurityGroup;
+
+    assert.equal(securityGroup.securityGroupName, bastionHostSecurityGroup.securityGroupName);
+    assert.equal(securityGroup.allowAllOutbound, bastionHostSecurityGroup.allowAllOutbound);
+});