Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Add Ingress Rule to Security Groups using AWS CDK

Tags:

python

aws-cdk

I'm trying to add an ingress rule to a Security Group via the AWS CDK using Python. As per the documentation here - there's a method add_ingress_rule() on the Class aws_cdk.aws_ec2.

However - when I try to deploy the stack, I get the following error :

AttributeError: 'method' object has no attribute 'jsii__type' Subprocess exited with error 1

Security Group Code snippet below-

        sg_elb = ec2.SecurityGroup(
            self,
            id = "sg_elb",
            vpc = vpc,
            security_group_name = "sg_elb"
        )

        sg_elb.add_ingress_rule(
            peer = ec2.Peer.any_ipv4,
            connection = ec2.Port.tcp(443)   # This line seems to be a problem.
        )

There's even the same example (in TypeScript) given on the official documentation here so I'm not sure what I'm doing wrong.

Can anyone advise ?

Thanks in advance !

like image 804
SwapnilJak Avatar asked Sep 13 '19 10:09

SwapnilJak


2 Answers

I got the following to work using TS, hope it helps some.

const mySG = new ec2.SecurityGroup(this, `${stack}-security-group`, {
    vpc: vpc,
    allowAllOutbound: true,
    description: 'CDK Security Group'
});

mySG.addIngressRule(ec2.Peer.anyIpv4(), ec2.Port.tcp(22), 'SSH frm anywhere');
mySG.addIngressRule(ec2.Peer.ipv4('10.200.0.0/24'), ec2.Port.tcp(5439), 'Redshift Ingress1');
mySG.addIngressRule(ec2.Peer.ipv4('10.0.0.0/24'), ec2.Port.tcp(5439), 'Redshift Ingress2');

Btw, it is not recommended to use an explicit security group name: https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-ec2.SecurityGroup.html

like image 92
Ultradoxx Avatar answered Oct 18 '22 19:10

Ultradoxx


In SDK documentation: "Direct manipulation of the Security Group through addIngressRule and addEgressRule is possible, but mutation through the .connections object is recommended. If you peer two constructs with security groups this way, appropriate rules will be created in both."

So it's better to add rules like this:

sg.connections.allow_from(
  Peer.any_ipv4(),
  Port.tcp(22),
  "ssh" 
)
like image 43
Shams Larbi Avatar answered Oct 18 '22 20:10

Shams Larbi