From 8e32ead0e6b67caabd159533f015da314b44940f Mon Sep 17 00:00:00 2001
From: Marcel Patzwahl
Date: Mon, 24 Feb 2020 15:26:07 +0100
Subject: [PATCH] add possibility to pass security group and expose it (#11)

---
 lib/index.ts                          | 19 +++++++++++++++
 package.json                          |  2 +-
 test/bastion-host-rds-forward.test.ts | 33 +++++++++++++++++++++++++++
 3 files changed, 53 insertions(+), 1 deletion(-)

diff --git a/lib/index.ts b/lib/index.ts
index 7673e09..44e60cf 100644
--- a/lib/index.ts
+++ b/lib/index.ts
@@ -53,6 +53,14 @@ export interface BastionHostRDSForwardProps {
    * Can be omitted, when not using IAM Authentication
    */
   readonly iamUser?: string;
+
+  /**
+   * The security group, which is attached to the bastion host.
+   *
+   * @default If none is provided a default security group is attached, which
+   * doesn't allow incoming traffic and allows outbound traffic to everywhere
+   */
+  readonly securityGroup?: ec2.ISecurityGroup;
 }
 
 export class BastionHostRDSForward extends cdk.Construct {
@@ -62,12 +70,23 @@ export class BastionHostRDSForward extends cdk.Construct {
    */
   public readonly instanceId: string;
 
+  /**
+   * @returns the security group attached to the bastion host
+   */
+  public readonly securityGroup: ec2.ISecurityGroup;
+
   constructor(scope: cdk.Construct, id: string, props: BastionHostRDSForwardProps) {
     super(scope, id);
 
+    this.securityGroup = props.securityGroup || new ec2.SecurityGroup(this, 'BastionHostSecurityGroup', {
+      vpc: props.vpc,
+      allowAllOutbound: true,
+    });
+
     const bastionHost = new ec2.BastionHostLinux(this, 'BastionHost', {
       instanceName: props.name || 'BastionHost',
       vpc: props.vpc,
+      securityGroup: this.securityGroup,
     });
 
     const databasesHaProxy = props.databases.reduce(
diff --git a/package.json b/package.json
index c47587a..f321524 100644
--- a/package.json
+++ b/package.json
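Review bot: The `@default` text on the new `securityGroup` prop describes the group created when the prop is omitted, but says nothing about what a caller-supplied group has to allow, and the new test passes one built with `allowAllOutbound: false`. Unless the constructor adds an egress rule further down (the forwarding setup is outside this hunk), such a group presumably leaves the bastion unable to reach the database port, with no error at synth time. Suggest adding to the doc block: ` * A caller-supplied group must itself permit egress to the RDS instance's port; no rule is added for it here.`.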
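Review bot: `@returns` on the new `securityGroup` property is a function tag used on a field, and the text does not say which group the caller gets back; replace it with `/** The security group attached to the bastion host: `props.securityGroup` when given, otherwise the default group this construct creates. */`. A short why-comment on the `this.securityGroup = ...` line, such as `// Resolve the group before creating the instance so the same object is attached and exposed`, would also help, since the assignment order is what makes the public field and the instance agree. The constructor continues past the end of the hunk.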
@@ -13,7 +13,7 @@
     "url": "https://github.com/moia-dev/bastion-host-rds-forward"
   },
   "license": "Apache-2.0",
-  "version": "0.1.3",
+  "version": "0.2.0",
   "main": "lib/index.js",
   "types": "lib/index.d.ts",
   "scripts": {
diff --git a/test/bastion-host-rds-forward.test.ts b/test/bastion-host-rds-forward.test.ts
index ad25875..de7ec40 100644
--- a/test/bastion-host-rds-forward.test.ts
+++ b/test/bastion-host-rds-forward.test.ts
@@ -12,6 +12,7 @@
  */
 
 import { expect as expectCDK, haveResource } from '@aws-cdk/assert';
+import { strict as assert } from 'assert';
 import * as cdk from '@aws-cdk/core';
 import * as ec2 from '@aws-cdk/aws-ec2';
 import * as rds from '@aws-cdk/aws-rds';
@@ -232,3 +233,35 @@ test('Bastion Host created with extended Role for IAM RDS Connection', () => {
     }
   }));
 });
+
+test('Bastion Host with own securityGroup', () => {
+  const app = new cdk.App();
+  const stack = new cdk.Stack(app, 'TestStack');
+  const testVpc = new ec2.Vpc(stack, 'TestVpc');
+  const securityGroup = new ec2.SecurityGroup(stack, 'SecurityGroup', {
+    vpc: testVpc,
+    allowAllOutbound: false,
+    description: 'My test securityGroup description',
+    securityGroupName: 'MyTestSecurityGroupName',
+  });
+
+  const testRds = new rds.DatabaseInstance(stack, 'TestRDS', {
+    masterUsername: 'testuser',
+    engine: rds.DatabaseInstanceEngine.POSTGRES,
+    instanceClass: ec2.InstanceType.of(ec2.InstanceClass.T3, ec2.InstanceSize.MICRO),
+    vpc: testVpc
+  });
+
+  // WHEN
+  const bastionHost = new BastionHostRDSForward.BastionHostRDSForward(stack, 'MyTestConstruct', {
+    vpc: testVpc,
+    databases: ['mypostgres', 'yourpostgres'],
+    name: 'MyBastion',
+    rdsInstance: testRds,
+    securityGroup,
+  });
+  const bastionHostSecurityGroup = bastionHost.securityGroup as ec2.SecurityGroup;
+
+  assert.equal(securityGroup.securityGroupName, bastionHostSecurityGroup.securityGroupName);
+  assert.equal(securityGroup.allowAllOutbound, bastionHostSecurityGroup.allowAllOutbound);
+});
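Review bot: The two `assert.equal` calls at the end of the new test compare a name and a flag through an `as ec2.SecurityGroup` cast, while the constructor assigns the passed object unchanged, so `assert.equal(bastionHost.securityGroup, securityGroup);` (strict assert, hence identity) pins the pass-through exactly and removes the cast and the `bastionHostSecurityGroup` local. The other branch — no `securityGroup` prop, where the construct creates `BastionHostSecurityGroup` with `allowAllOutbound: true` — has no test at all, and neither path checks with `haveResource` that the rendered instance actually references the group. A second test for the default case, asserting the group resource exists with egress open and no ingress, would cover the behaviour the `@default` doc promises.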