CDK - Importing and modifying security group from a previous stack


We have a CDK stack that deploys a set of resources to be shared across multiple application services (e.g. database). Naturally the security groups to those resources are defined in the same stack.

this.DbSecurityGroup = new SecurityGroup(this, sgName, new SecurityGroupProps()
{
	Vpc = this._baseNetStack.Vpc,
	SecurityGroupName = sgName,
	Description = "DB SG"
});
// This ingress rule works neatly because its own security group depends on
// the security group defined in the previous dependency (network) stack.
this.DbSecurityGroup.AddIngressRule(this._baseNetStack.BastionHostSecurityGroup, Port.Tcp(3306), "Allow connection from bastion host.");

We want to define the application services - which are not known ahead of time - in their own stacks. They are of course going to define their own application-specific security groups, which the above database needs to allow for incoming connections.

If the application stacks are declared in the same CDK application project, it seems like an easy case of passing in the above dependency (data) stack to the app stack constructor, letting it reference its publicly exposed properties (i.e. security group).

this.App1SecurityGroup = new SecurityGroup(this, sgName, new SecurityGroupProps()
{
	Vpc = this._baseNetStack.Vpc,
	SecurityGroupName = sgName,
	Description = "Application 1 SG"
});
// This adjustment is NOT considered part of the app stack but data stack,
// because it's not modifying its own security group but that of the one in the data stack.
this._dataStack.DbSecurityGroup.AddIngressRule(this.App1SecurityGroup, Port.Tcp(3306), "Allow connection from app1.");

However, while it logically seems like the app stack depends on the data stack, the reality is the data stack depends on the app stack because the AddIngressRule() method sets that direction. This is problematic because there can be other resources in the app stack that have dependencies on the data stack resources, causing cyclic references.

How can the app stack safely reference the data stack security group and modify the rules while retaining the proper dependency direction?

1 Answer
Accepted Answer

Looks like it's necessary to export the base security group ID as an output.

// Export the security group ID for dependent stacks to reference and retrieve raw security group via CDK From methods.
var outputName = StackHelper.SharedExports.DbSecurityGroupId(this.StackName);
new CfnOutput(this, outputName,
	new CfnOutputProps
	{
		ExportName = outputName,
		Value = this.DbSecurityGroup.SecurityGroupId,
		Description = dbSgName + " security group ID."
	});

Then the dependent app stack imports the security group ID and retrieves the security group by itself instead of a direct code reference.

var dbSecurityGroupId = Fn.ImportValue(StackHelper.SharedExports.DbSecurityGroupId(this._dataStack.StackName));
var dbSecurityGroup = SecurityGroup.FromSecurityGroupId(this, "dbSg", dbSecurityGroupId);
dbSecurityGroup.AddIngressRule(this.AppSecurityGroup, Port.Tcp(3306), "Allow connection from app1.");

This way the dependent stack only owns (and adds) the ingress rule to the base security group, and the base stack doesn't know about/depend on the app stack.

icelava
answered a year ago
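The accepted answer's export/import pattern carried through as a complete two-stack CDK app, added here as an example; this is not code from the question, the answer, or the CDK project, and the stack names, construct IDs and the export name are assumptions. It goes a little beyond the answer: it pins the Mutable import option the pattern silently relies on, declares the deployment-order dependency that Fn.ImportValue hides from CDK, and uses the CDK assertions library to confirm at synth time that the ingress rule lands in the app stack's template and not the data stack's.

```csharp
using Amazon.CDK;
using Amazon.CDK.AWS.EC2;
using Amazon.CDK.Assertions;
using Constructs;

// Wiring: the VPC lives in its own stack, as on the page; names are assumptions.
var app = new App();
var vpc = new Vpc(new Stack(app, "NetStack"), "Vpc");
var data = new DataStack(app, "DataStack", vpc);
var app1 = new AppStack(app, "App1Stack", vpc);
// Fn.ImportValue hides the ordering from CDK, so declare it for cdk deploy.
app1.AddDependency(data);
// Synth-time check: the ingress rule is owned by the app stack, not the data stack.
Template.FromStack(app1).ResourceCountIs("AWS::EC2::SecurityGroupIngress", 1);
Template.FromStack(data).ResourceCountIs("AWS::EC2::SecurityGroupIngress", 0);
app.Synth();

public class DataStack : Stack
{
    // Export names must be unique per account and region; this one is assumed.
    public const string DbSgExportName = "shared-db-sg-id";
    public SecurityGroup DbSecurityGroup { get; }

    public DataStack(Construct scope, string id, IVpc vpc) : base(scope, id)
    {
        DbSecurityGroup = new SecurityGroup(this, "DbSg",
            new SecurityGroupProps { Vpc = vpc, Description = "DB SG" });
        // Only the ID leaves this stack; nothing here references an app stack.
        new CfnOutput(this, "DbSgIdOutput", new CfnOutputProps
            { ExportName = DbSgExportName, Value = DbSecurityGroup.SecurityGroupId });
    }
}

public class AppStack : Stack
{
    public AppStack(Construct scope, string id, IVpc vpc) : base(scope, id)
    {
        var appSg = new SecurityGroup(this, "App1Sg",
            new SecurityGroupProps { Vpc = vpc, Description = "Application 1 SG" });
        // Resolve the DB SG by ID. Mutable must stay true (it is the default);
        // with Mutable = false, AddIngressRule on an imported group emits nothing.
        var dbSg = SecurityGroup.FromSecurityGroupId(this, "DbSg",
            Fn.ImportValue(DataStack.DbSgExportName),
            new SecurityGroupImportOptions { Mutable = true });
        // Becomes an AWS::EC2::SecurityGroupIngress resource in THIS stack.
        dbSg.AddIngressRule(appSg, Port.Tcp(3306), "Allow connection from app1.");
    }
}
```

One operational consequence of this pattern: CloudFormation refuses to delete or rename the export while any app stack still imports it, so tear down the app stacks before changing the data stack's security group export.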
