From aa023cf5f0eb730f3c4e0b7558620055049f4113 Mon Sep 17 00:00:00 2001
From: Marko Malenic
Date: Tue, 2 Jan 2024 10:53:20 +1100
Subject: [PATCH] refactor(filemanager): remove any ip address from public database cluster

---
 .../filemanager/deploy/bin/filemanager.ts | 4 +++-
 .../filemanager/deploy/constructs/database.ts | 16 +++++++++-------
 2 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/lib/workload/stateful/filemanager/deploy/bin/filemanager.ts b/lib/workload/stateful/filemanager/deploy/bin/filemanager.ts
index 3cf86c656..061692463 100644
--- a/lib/workload/stateful/filemanager/deploy/bin/filemanager.ts
+++ b/lib/workload/stateful/filemanager/deploy/bin/filemanager.ts
@@ -27,7 +27,9 @@ new FilemanagerStack(
 enableMonitoring: {
 enablePerformanceInsights: true,
 },
- public: true,
+ public: [
+ // Put your IP here if you want the database to be reachable.
+ ],
 migrateDatabase: process.env.FILEMANAGER_DEPLOY_MIGRATE_DATABASE == 'true',
 }
 );
diff --git a/lib/workload/stateful/filemanager/deploy/constructs/database.ts b/lib/workload/stateful/filemanager/deploy/constructs/database.ts
index c84593eb8..1b8530808 100644
--- a/lib/workload/stateful/filemanager/deploy/constructs/database.ts
+++ b/lib/workload/stateful/filemanager/deploy/constructs/database.ts
@@ -33,9 +33,9 @@ export type EnableMonitoringProps = {
 */
 export type DatabaseSettings = {
 /**
- * Whether the database is publically available.
+ * If present, specifies the database as public and adds additional inbound CIDRs to the security group.
 */
- readonly public?: boolean;
+ readonly public?: string[];
 /**
 * Whether to destroy the database on stack removal. Defaults to keeping a snapshot.
 */
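Review bot: The new comment inside the `public` array tells the reader to put an IP there, but each entry is passed to `ec2.Peer.ipv4(cidr)` in database.ts, which takes a CIDR block and validates its syntax, so a bare address like `203.0.113.5` (constructed example) is rejected; the comment should read `// Add IPv4 CIDR blocks (e.g. 203.0.113.5/32) here to make the database reachable from them.` Leaving `public: []` in place is also not equivalent to the old non-public setting: an empty array is truthy, so `if (props.public)` in database.ts enters the public branch, adds no rules, and skips the same-security-group ingress in the else branch, leaving the cluster with no inbound rule at all. If same-group access is still wanted by default, omit the property here rather than passing `[]`, or have the construct test `props.public?.length`. The enclosing `new FilemanagerStack(` call starts before the hunk.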
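Review bot: The rewritten doc comment on `public` does not say what the strings are or what an empty list means, and the `readonly` on the property leaves the array contents themselves mutable. I would document the entries as IPv4 CIDR blocks in `a.b.c.d/n` form that receive inbound access to the database port, and say that supplying the property at all — even as `[]` — replaces the default same-security-group rule with the listed CIDRs only, since the construct branches on `if (props.public)` rather than on the array length. Suggested declaration `readonly public?: readonly string[];` with the comment `IPv4 CIDR blocks (e.g. a.b.c.d/32) granted inbound access to the database port. When set, only these CIDRs are allowed; leave undefined to keep the default same-security-group rule.` The `DatabaseSettings` type continues past the hunk.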
@@ -136,11 +136,13 @@ export class Database extends Construct {
 });
 if (props.public) {
- // If it's public, anyone can connect.
- this._securityGroup.addIngressRule(
- ec2.Peer.anyIpv4(),
- ec2.Port.tcp(this._cluster.clusterEndpoint.port)
- );
+ // If it's public, set the CIDRs from the config.
+ props.public.forEach((cidr) => {
+ this._securityGroup.addIngressRule(
+ ec2.Peer.ipv4(cidr),
+ ec2.Port.tcp(this._cluster.clusterEndpoint.port)
+ );
+ });
 } else {
 // Any inbound connections within the same security group are allowed access to the database port.
 this._securityGroup.addIngressRule(