infra: Migrate internal load balancer security group to CDK (#8428)

Co-authored-by: DanielCliftonGuardian <[email protected]> Co-authored-by: Charlotte <[email protected]> Co-authored-by: Parisa Tork <[email protected]>
guardian · Aug 4, 2023 · e9f8816 · e9f8816
1 parent 4e78704
commit e9f8816
Show file tree

Hide file tree

Showing 5 changed files with 65 additions and 42 deletions.
diff --git a/dotcom-rendering/cdk/bin/cdk.ts b/dotcom-rendering/cdk/bin/cdk.ts
@@ -4,10 +4,12 @@ import { DotcomRendering } from '../lib/dotcom-rendering';
 
 const app = new App();
 new DotcomRendering(app, 'DotcomRendering-PROD', {
+	app: 'rendering',
 	stack: 'frontend',
 	stage: 'PROD',
 });
 new DotcomRendering(app, 'DotcomRendering-CODE', {
+	app: 'rendering',
 	stack: 'frontend',
 	stage: 'CODE',
 });
diff --git a/dotcom-rendering/cdk/lib/__snapshots__/dotcom-rendering.test.ts.snap b/dotcom-rendering/cdk/lib/__snapshots__/dotcom-rendering.test.ts.snap
@@ -45,6 +45,7 @@ exports[`The DotcomRendering stack matches the snapshot 1`] = `
   "Metadata": {
     "gu:cdk:constructs": [
       "GuVpcParameter",
+      "GuSecurityGroup",
     ],
     "gu:cdk:version": "TEST",
   },
@@ -361,7 +362,10 @@ exports[`The DotcomRendering stack matches the snapshot 1`] = `
             "FromPort": 9000,
             "IpProtocol": "tcp",
             "SourceSecurityGroupId": {
-              "Ref": "InternalLoadBalancerSecurityGroup",
+              "Fn::GetAtt": [
+                "InternalLoadBalancerSecurityGroup",
+                "GroupId",
+              ],
             },
             "ToPort": 9000,
           },
@@ -453,7 +457,10 @@ exports[`The DotcomRendering stack matches the snapshot 1`] = `
         "Scheme": "internal",
         "SecurityGroups": [
           {
-            "Ref": "InternalLoadBalancerSecurityGroup",
+            "Fn::GetAtt": [
+              "InternalLoadBalancerSecurityGroup",
+              "GroupId",
+            ],
           },
         ],
         "Subnets": {
@@ -493,15 +500,24 @@ exports[`The DotcomRendering stack matches the snapshot 1`] = `
     "InternalLoadBalancerSecurityGroup": {
       "Properties": {
         "GroupDescription": "Allows HTTP and HTTPS inbound connections from within the VPC",
+        "SecurityGroupEgress": [
+          {
+            "CidrIp": "0.0.0.0/0",
+            "Description": "Allow all outbound traffic by default",
+            "IpProtocol": "-1",
+          },
+        ],
         "SecurityGroupIngress": [
           {
             "CidrIp": "10.248.136.0/22",
+            "Description": "TCP 80 ingress",
             "FromPort": 80,
             "IpProtocol": "tcp",
             "ToPort": 80,
           },
           {
             "CidrIp": "10.248.136.0/22",
+            "Description": "TCP 443 ingress",
             "FromPort": 443,
             "IpProtocol": "tcp",
             "ToPort": 443,
@@ -510,13 +526,7 @@ exports[`The DotcomRendering stack matches the snapshot 1`] = `
         "Tags": [
           {
             "Key": "App",
-            "Value": {
-              "Fn::FindInMap": [
-                "Constants",
-                "App",
-                "Value",
-              ],
-            },
+            "Value": "rendering",
           },
           {
             "Key": "gu:cdk:version",

diff --git a/dotcom-rendering/cdk/lib/dotcom-rendering.test.ts b/dotcom-rendering/cdk/lib/dotcom-rendering.test.ts
@@ -13,6 +13,7 @@ describe('The DotcomRendering stack', () => {
 		const stack = new DotcomRendering(app, 'DotcomRendering', {
 			stack: 'frontend',
 			stage: 'TEST',
+			app: 'rendering',
 		});
 		const template = Template.fromStack(stack);
 		expect(template.toJSON()).toMatchSnapshot();

diff --git a/dotcom-rendering/cdk/lib/dotcom-rendering.ts b/dotcom-rendering/cdk/lib/dotcom-rendering.ts
@@ -1,22 +1,50 @@
 import { join } from 'path';
 import type { GuStackProps } from '@guardian/cdk/lib/constructs/core';
 import { GuStack } from '@guardian/cdk/lib/constructs/core';
-import { GuVpc } from '@guardian/cdk/lib/constructs/ec2';
+import { GuSecurityGroup, GuVpc } from '@guardian/cdk/lib/constructs/ec2';
 import type { App } from 'aws-cdk-lib';
+import { Peer } from 'aws-cdk-lib/aws-ec2';
 import { CfnInclude } from 'aws-cdk-lib/cloudformation-include';
 
+interface DCRProps extends GuStackProps {
+	app: string;
+}
 export class DotcomRendering extends GuStack {
-	constructor(scope: App, id: string, props: GuStackProps) {
+	constructor(scope: App, id: string, props: DCRProps) {
 		super(scope, id, props);
 
+		// This fetches the VPC using the SSM parameter defined for this account
+		// and specifies the CIDR block to use with it here
 		const vpc = GuVpc.fromIdParameter(this, 'vpc', {
 			vpcCidrBlock: '10.248.136.0/22',
 		});
 
-		const cfnParameters = {
-			VpcId: vpc.vpcId,
-			VPCIpBlock: vpc.vpcCidrBlock,
-		};
+		const lbSecurityGroup = new GuSecurityGroup(
+			this,
+			'InternalLoadBalancerSecurityGroup',
+			{
+				app: props.app,
+				description:
+					'Allows HTTP and HTTPS inbound connections from within the VPC',
+				vpc,
+				ingresses: [
+					{
+						range: Peer.ipv4(vpc.vpcCidrBlock),
+						port: 80,
+						description: 'TCP 80 ingress',
+					},
+					{
+						range: Peer.ipv4(vpc.vpcCidrBlock),
+						port: 443,
+						description: 'TCP 443 ingress',
+					},
+				],
+			},
+		);
+		this.overrideLogicalId(lbSecurityGroup, {
+			logicalId: 'InternalLoadBalancerSecurityGroup',
+			reason: 'Retaining a stateful resource previously defined in YAML',
+		});
 
 		const yamlTemplateFilePath = join(
 			__dirname,
@@ -26,7 +54,12 @@ export class DotcomRendering extends GuStack {
 
 		new CfnInclude(this, 'YamlTemplate', {
 			templateFile: yamlTemplateFilePath,
-			parameters: cfnParameters,
+			parameters: {
+				VpcId: vpc.vpcId,
+				VPCIpBlock: vpc.vpcCidrBlock,
+				InternalLoadBalancerSecurityGroup:
+					lbSecurityGroup.securityGroupId,
+			},
 		});
 	}
 }
diff --git a/dotcom-rendering/cloudformation.yml b/dotcom-rendering/cloudformation.yml
@@ -58,6 +58,9 @@ Parameters:
   FrontendConfigKey:
     Description: Parameter store KMS key
     Type: String
+  InternalLoadBalancerSecurityGroup:
+    Description: Load balancer security group, now defined outside of this file
+    Type: String
 
 Conditions:
   HasLatencyScalingAlarm: !Equals [!Ref Stage, 'PROD']
@@ -78,32 +81,6 @@ Mappings:
       MaxCapacity: 4
 
 Resources:
-  InternalLoadBalancerSecurityGroup:
-    Type: AWS::EC2::SecurityGroup
-    Properties:
-      GroupDescription: Allows HTTP and HTTPS inbound connections from within the VPC
-      VpcId:
-        Ref: VpcId
-      SecurityGroupIngress:
-        - IpProtocol: tcp
-          FromPort: '80'
-          ToPort: '80'
-          CidrIp: !Ref VPCIpBlock
-        - IpProtocol: tcp
-          FromPort: '443'
-          ToPort: '443'
-          CidrIp: !Ref VPCIpBlock
-      Tags:
-        - Key: Stage
-          Value:
-            Ref: Stage
-        - Key: Stack
-          Value:
-            Fn::FindInMap: [Constants, Stack, Value]
-        - Key: App
-          Value:
-            Fn::FindInMap: [Constants, App, Value]
-
   InstanceSecurityGroup:
     Type: AWS::EC2::SecurityGroup
     Properties: