

refactor(filemanager): remove any ip address from public database clu…
…ster
mmalenic committed Jan 1, 2024
1 parent 8647464 commit aa023cf
Showing 2 changed files with 12 additions and 8 deletions.
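--- a/lib/workload/stateful/filemanager/deploy/bin/filemanager.ts
+++ b/lib/workload/stateful/filemanager/deploy/bin/filemanager.ts
@@ -27,7 +27,9 @@ new FilemanagerStack(
 enableMonitoring: {
 enablePerformanceInsights: true,
 },
-public: true,
+public: [
+// Put your IP here if you want the database to be reachable.
+],
 migrateDatabase: process.env.FILEMANAGER_DEPLOY_MIGRATE_DATABASE == 'true',
 }
 );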
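Review bot: The placeholder comment in the new `public: [` array says "Put your IP here", but the consumer in database.ts passes each entry to `ec2.Peer.ipv4(cidr)`, which takes CIDR notation, so a bare address would fail at synth time. I would make the comment state the expected form: `// Add CIDR blocks here (a single host needs a /32 suffix) to open the database port to them; leave empty to add no inbound rule.`. It is also worth noting in the same comment that a `0.0.0.0/0` entry would recreate the open-to-anyone rule this commit removes, so reviewers know to reject it. The `new FilemanagerStack(` call starts outside the hunk.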
16 changes: 9 additions & 7 deletions lib/workload/stateful/filemanager/deploy/constructs/database.ts
@@ -33,9 +33,9 @@ export type EnableMonitoringProps = {
*/
export type DatabaseSettings = {
/**
* Whether the database is publically available.
* If present, specifies the database as public and adds additional inbound CIDRs to the security group.
*/
readonly public?: boolean;
readonly public?: string[];
/**
* Whether to destroy the database on stack removal. Defaults to keeping a snapshot.
*/
@@ -136,11 +136,13 @@ export class Database extends Construct {
});

if (props.public) {
// If it's public, anyone can connect.
this._securityGroup.addIngressRule(
ec2.Peer.anyIpv4(),
ec2.Port.tcp(this._cluster.clusterEndpoint.port)
);
// If it's public, set the CIDRs from the config.
props.public.forEach((cidr) => {
this._securityGroup.addIngressRule(
ec2.Peer.ipv4(cidr),
ec2.Port.tcp(this._cluster.clusterEndpoint.port)
);
});
} else {
// Any inbound connections within the same security group are allowed access to the database port.
this._securityGroup.addIngressRule(
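Review bot: The `if (props.public)` guard kept in the second hunk is truthy for an empty array, and bin/filemanager.ts now passes `public: []`, so the default deployment takes the public branch, the `forEach` adds no rule, and the `else` branch that allows the same-security-group ingress is skipped; as far as the hunk shows, nothing can reach the database port in that configuration. A guard on the list contents fixes this: `if (props.public?.length) {`. Whether `props.public` also still drives a publicly-accessible flag on the cluster is not visible in this hunk and should be checked, since an empty list would otherwise mean "public but unreachable" rather than "private". The `Database` constructor and the `else` branch continue outside the hunk.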
