feat(ec2): add helper method for creating intra-security-group traffic rules #5519
Conversation
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
…azon/aws-cdk into add-intra-sg-method
Have you seen
I actually made that change a few days ago, after checking out the Connections documentation.
Okay, but you have to talk me through the value proposition that is being offered in this PR. As far as I can tell, it's wrapper methods to do what can already be achieved. Presumably you would like this merged because in your opinion it will be easier to find/more discoverable. Can you share some motivation/justification on why you think the current methods are not discoverable and the ones you've added will be better, AND better for the majority of users?
Marking this as "changes requested" so it will disappear from my TODO list. Please re-request a review using the GitHub interface when ready.
Re: discoverability -- if I am looking to create rules for a Security Group, the first step is to go to the Security Group documentation. On that page, I see methods for "addIngressRule" and "addEgressRule", which sound exactly like what I want.

```typescript
public addEgressRule(peer: IPeer, connection: Port, description?: string, remoteRule?: boolean): void
public addIngressRule(peer: IPeer, connection: Port, description?: string, remoteRule?: boolean): void
```

I go to the Peer page to check the syntax for adding a Security Group, but there is no method for doing so. I only see options for ipv4/ipv6 CIDRs and prefix lists. At this point, I am not sure where to turn, so I start searching Google for the answer. Ideally, there would be a Peer for a security group, however when I tried implementing such a thing I ran into an error:
Looking at the implementation of SecurityGroup, it looks like it uses the Peer as an input to compute the construct id for ingress/egress rules. And since the construct id is used to compute the logical resource name, that can't depend on a ref. Changing this is definitely NOT backwards compatible, so I scrapped that idea. The right way to add an inter or intra-SG rule is to use the SecurityGroupIngress and SecurityGroupEgress resources, per AWS documentation. Connections will do this for you, but it isn't advertised at all on the Security Group documentation. Searching for "Connections" on the Security Group documentation brings up the property "connections" but there is no documentation on what it is or does. I saw two options: to increase the visibility of the Connections class and how to use it for common cases, or abstract it away in the Security Group class. I prefer the abstraction because it provides a quick method for a CDK user to add an intra-security group rule, which in my experience is a common use case, and which is visible from the Security Group page, which is where I would expect to find it.
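The comment above describes what an intra-security-group rule becomes at the CloudFormation level: a standalone SecurityGroupIngress resource whose SourceSecurityGroupId points back at the group it is attached to, rather than a rule embedded in the group resource (which would make the rule's logical id depend on an unresolved reference). The following is an added example, not CDK's own code and not code from this PR, that builds such a resource and audits a template for the three rule kinds a reviewer cares about: self-referencing (intra-SG), cross-group (inter-SG), and CIDR-based, flagging CIDR rules open to everyone (the `allowFromAnyIpv4` shape mentioned later in the thread). The template, the `AppSG` logical id and the `vpc-00000000` value are constructed for the example.

```python
"""Inspect the CloudFormation that an intra-security-group rule resolves to."""
import json
from typing import List, Optional

# Constructed sample template (not produced by CDK): one security group with an
# inline rule that is open to the world, plus a standalone ingress resource that
# points the group at itself, which is what an intra-SG rule looks like.
SAMPLE_TEMPLATE = {
    "Resources": {
        "AppSG": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "app tier",
                "VpcId": "vpc-00000000",  # placeholder value
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}
                ],
            },
        },
        "AppSGSelfIngress": {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {
                "GroupId": {"Fn::GetAtt": ["AppSG", "GroupId"]},
                "SourceSecurityGroupId": {"Fn::GetAtt": ["AppSG", "GroupId"]},
                "IpProtocol": "tcp",
                "FromPort": 443,
                "ToPort": 443,
            },
        },
    }
}


def intra_sg_ingress(group_logical_id: str, protocol: str, from_port: int, to_port: int) -> dict:
    """Build the standalone SecurityGroupIngress resource an intra-SG rule needs.
    Source and target are the same group, both expressed as GetAtt references,
    so nothing about the rule is embedded in the group resource itself."""
    ref = {"Fn::GetAtt": [group_logical_id, "GroupId"]}
    return {
        "Type": "AWS::EC2::SecurityGroupIngress",
        "Properties": {
            "GroupId": ref,
            "SourceSecurityGroupId": ref,
            "IpProtocol": protocol,
            "FromPort": from_port,
            "ToPort": to_port,
        },
    }


def _group_logical_id(value) -> Optional[str]:
    """Resolve a Ref / Fn::GetAtt to the logical id of the group it points at."""
    if isinstance(value, dict):
        if "Ref" in value:
            return value["Ref"]
        if "Fn::GetAtt" in value:
            return value["Fn::GetAtt"][0]
    return None


def audit_ingress(template: dict) -> List[dict]:
    """Classify every ingress rule as intra-sg, inter-sg or cidr and flag CIDR
    rules that admit the whole internet."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            # Inline rules live on the group, so the group is their target.
            rules = [(logical_id, r) for r in props.get("SecurityGroupIngress", [])]
        elif res.get("Type") == "AWS::EC2::SecurityGroupIngress":
            target = _group_logical_id(props.get("GroupId")) or props.get("GroupId")
            rules = [(target, props)]
        else:
            continue
        for target, rule in rules:
            ports = f"{rule.get('IpProtocol')}/{rule.get('FromPort')}-{rule.get('ToPort')}"
            source_sg = _group_logical_id(rule.get("SourceSecurityGroupId"))
            if source_sg is not None:
                kind = "intra-sg" if source_sg == target else "inter-sg"
                findings.append({"resource": logical_id, "target": target, "kind": kind,
                                 "ports": ports, "world_open": False})
            else:
                cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
                findings.append({"resource": logical_id, "target": target, "kind": "cidr",
                                 "ports": ports, "world_open": cidr in ("0.0.0.0/0", "::/0")})
    return findings


if __name__ == "__main__":
    for finding in audit_ingress(SAMPLE_TEMPLATE):
        print(json.dumps(finding))
```

Running the audit over a synthesized template (`cdk synth` output loaded with `json.load`) is a cheap way to confirm that the rule you meant to be intra-SG really resolves to the group itself and that no `0.0.0.0/0` rule slipped in alongside it.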
For people already familiar with the inner workings of Security Groups, our `.connections` pattern is a little confusing. Add some more verbiage to the documentation which points people in the right direction with respect to security group manipulation. Closes #5519.
I tried improving the docs you searched in this PR: #5662 to hopefully make it easier for you and others to find the right methods. I hope to explain the philosophy using these sentences:
OH! It makes so much more sense after reading PR #5662. That's a really nice way to abstract security groups from CDK users.
How does this work for things not managed with a security group, like Network Load Balancers? I only see options like "allowFromAnyIpv4", which isn't ideal, and a better option would be something like "allowFromVpcIpv4"
You can always make a
For people already familiar with the inner workings of Security Groups, our `.connections` pattern is a little confusing. Add some more verbiage to the documentation which points people in the right direction with respect to security group manipulation. Closes #5519. Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
Helper method part of a security group that abstracts this code:
and makes it into:
I created this because I spent a lot of time looking through documentation trying to allow security group members to talk to each other. Having a method that abstracts away the Connections object would eliminate figuring out how to accomplish this.