From 4f0aca5ca5d783aecb46081d67ce6c9a56ce5ed5 Mon Sep 17 00:00:00 2001
From: Daniel Neilson
Date: Tue, 4 Aug 2020 18:21:30 +0000
Subject: [PATCH] fix(ecs-patterns): Adds missing option to secure ingress of ALB in ApplicationLoadBalancedEc2Service
---
 .../application-load-balanced-service-base.ts | 9 ++-
 .../aws-ecs-patterns/test/ec2/test.l3s.ts | 56 ++++++++++++++++++-
 2 files changed, 63 insertions(+), 2 deletions(-)
diff --git a/packages/@aws-cdk/aws-ecs-patterns/lib/base/application-load-balanced-service-base.ts b/packages/@aws-cdk/aws-ecs-patterns/lib/base/application-load-balanced-service-base.ts
index 27da4d31e3be0..3869d38d8826a 100644
--- a/packages/@aws-cdk/aws-ecs-patterns/lib/base/application-load-balanced-service-base.ts
+++ b/packages/@aws-cdk/aws-ecs-patterns/lib/base/application-load-balanced-service-base.ts
@@ -42,6 +42,13 @@ export interface ApplicationLoadBalancedServiceBaseProps {
 */
 readonly publicLoadBalancer?: boolean;
 
+ /**
+ * Determines whether or not the Security Group for the Load Balancer's Listener will be open to all traffic by default.
+ *
+ * @default true -- The security group allows ingress from all IP addresses.
+ */
+ readonly openListener?: boolean;
+
 /**
 * The desired number of instantiations of the task definition to keep running on the service.
 * The minimum value is 1
@@ -323,7 +330,7 @@ export abstract class ApplicationLoadBalancedServiceBase extends cdk.Construct {
 this.listener = loadBalancer.addListener('PublicListener', {
 protocol,
 port: props.listenerPort,
- open: true,
+ open: props.openListener ?? true,
 });
 
 this.targetGroup = this.listener.addTargets('ECS', targetProps);
diff --git a/packages/@aws-cdk/aws-ecs-patterns/test/ec2/test.l3s.ts b/packages/@aws-cdk/aws-ecs-patterns/test/ec2/test.l3s.ts
index 71736c651573b..581c1841b7429 100644
--- a/packages/@aws-cdk/aws-ecs-patterns/test/ec2/test.l3s.ts
+++ b/packages/@aws-cdk/aws-ecs-patterns/test/ec2/test.l3s.ts
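Review bot: The `openListener` doc comment says what the default does but not what a caller takes on by passing `false`: with no ingress rule on the listener, nothing visible in this change grants access to the load balancer, so the service is unreachable until the caller adds a rule themselves (presumably via the load balancer's `connections`). I would add to the docstring: `* When false, no ingress rule is created; the caller must grant access to the load balancer explicitly.` The phrase "open to all traffic by default" is also misleading, since the flag decides the rule outright rather than a default — `Whether the load balancer's security group allows ingress on the listener port from any IPv4 address (0.0.0.0/0).` states it directly and matches what the new test asserts. It is worth one more sentence that this is independent of `publicLoadBalancer`: an internal load balancer with an open listener still carries an any-source rule, reachable from wherever the VPC is routable.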
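Review bot: `open: props.openListener ?? true` is the only place the new option is consulted, and when it is `false` nothing else in this hunk opens the listener's security group, so a reader arriving at this line later gets no hint that ingress has become the caller's responsibility; a why-comment would carry that: `// openListener: false leaves the ALB security group without an ingress rule; the caller grants access explicitly.` The listener id stays `'PublicListener'` even when the listener is closed or the load balancer internal, which now reads oddly, but renaming it would change the logical ID of already-deployed stacks, so leaving it as is looks like the right call and deserves a short comment saying so. The enclosing constructor starts and ends outside the hunk.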
@@ -1,4 +1,4 @@
-import { expect, haveResource, haveResourceLike } from '@aws-cdk/assert';
+import { arrayWith, expect, haveResource, haveResourceLike, objectLike } from '@aws-cdk/assert';
 import { Certificate } from '@aws-cdk/aws-certificatemanager';
 import * as ec2 from '@aws-cdk/aws-ec2';
 import * as ecs from '@aws-cdk/aws-ecs';
@@ -1048,4 +1048,58 @@ export = {
 
 test.done();
 },
+
+ 'test ECS loadbalanced construct default/open security group'(test: Test) {
+ // GIVEN
+ const stack = new cdk.Stack();
+ const vpc = new ec2.Vpc(stack, 'VPC');
+ const cluster = new ecs.Cluster(stack, 'Cluster', { vpc });
+ cluster.addCapacity('DefaultAutoScalingGroup', { instanceType: new ec2.InstanceType('t2.micro') });
+
+ // WHEN
+ new ecsPatterns.ApplicationLoadBalancedEc2Service(stack, 'Service', {
+ cluster,
+ memoryReservationMiB: 1024,
+ taskImageOptions: {
+ image: ecs.ContainerImage.fromRegistry('test'),
+ },
+ });
+
+ // THEN - Stack contains no ingress security group rules
+ expect(stack).to(haveResourceLike('AWS::EC2::SecurityGroup', {
+ SecurityGroupIngress: [{
+ CidrIp: '0.0.0.0/0',
+ FromPort: 80,
+ IpProtocol: 'tcp',
+ ToPort: 80,
+ }],
+ }));
+
+ test.done();
+ },
+
+ 'test ECS loadbalanced construct closed security group'(test: Test) {
+ // GIVEN
+ const stack = new cdk.Stack();
+ const vpc = new ec2.Vpc(stack, 'VPC');
+ const cluster = new ecs.Cluster(stack, 'Cluster', { vpc });
+ cluster.addCapacity('DefaultAutoScalingGroup', { instanceType: new ec2.InstanceType('t2.micro') });
+
+ // WHEN
+ new ecsPatterns.ApplicationLoadBalancedEc2Service(stack, 'Service', {
+ cluster,
+ memoryReservationMiB: 1024,
+ taskImageOptions: {
+ image: ecs.ContainerImage.fromRegistry('test'),
+ },
+ openListener: false,
+ });
+
+ // THEN - Stack contains no ingress security group rules
+ expect(stack).notTo(haveResourceLike('AWS::EC2::SecurityGroup', {
+ SecurityGroupIngress: arrayWith(objectLike({})),
+ }));
+
+ test.done();
+ },
 };
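Review bot: The `// THEN` comment in the first new test, `'test ECS loadbalanced construct default/open security group'`, reads `Stack contains no ingress security group rules`, but the assertion directly below it requires a security group with a `0.0.0.0/0` tcp/80 ingress entry — the comment was carried over from the closed-listener test and states the opposite of what is checked; replace it with `// THEN - the load balancer's security group allows ingress on port 80 from 0.0.0.0/0`. The closed-listener assertion, `notTo(haveResourceLike('AWS::EC2::SecurityGroup', { SecurityGroupIngress: arrayWith(objectLike({})) }))`, is also weaker than its name suggests: it passes whenever no `AWS::EC2::SecurityGroup` in the template carries an inline ingress list, which a template with no load balancer security group at all would satisfy, and it says nothing about standalone `AWS::EC2::SecurityGroupIngress` resources if the library emits those for some rules (I believe it does for group-to-group rules, but that is not visible here). Pairing the negative check with a positive `expect(stack).to(haveResource('AWS::EC2::SecurityGroup'))` scoped to the load balancer's group would make the test fail for the right reason. The `export = {` object these tests are appended to starts outside the hunk.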