Borislav Hadzhiev
Last updated: Apr 15, 2022
In order to import an existing security group into a CDK stack, we have to use the `fromSecurityGroupId` static method on the `SecurityGroup` class.

Let's look at an example of importing a security group in a CDK stack:

```ts
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as cdk from 'aws-cdk-lib';

export class CdkStarterStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // 👇 import security group by ID
    const importedSecurityGroup = ec2.SecurityGroup.fromSecurityGroupId(
      this,
      'imported-security-group',
      'YOUR-SG-ID',
      {allowAllOutbound: true, mutable: true},
    );

    console.log('security group id 👉', importedSecurityGroup.securityGroupId);
  }
}
```
Let's go over the code snippet.

We imported a security group into our CDK stack by using the `fromSecurityGroupId` static method on the `SecurityGroup` class.

The `fromSecurityGroupId` method takes the following parameters:

- `scope` - the scope the method is invoked in
- `id` - the construct identifier (must be unique in the scope)
- `securityGroupId` - the id of the security group
- `securityGroupImportOptions` - a configuration object for the imported security group
The `allowAllOutbound` property is set to `true` by default and specifies that the security group allows all outbound traffic. The `fromSecurityGroupId` method assumes that the imported security group allows all outbound traffic, so it doesn't modify any of the egress rules. If we wanted to modify the outbound rules of the imported security group, we would have to set `allowAllOutbound` to `false`.

The `mutable` property is also set to `true` by default. Setting the property to `true` allows us to add rules to the imported security group. We can only add inbound rules, unless `allowAllOutbound` is set to `false`.
In order to add an inbound rule to an imported security group in CDK, we have to:

- set the `mutable` property to `true` when importing the security group. The `mutable` prop is set to `true` by default, so we can omit passing it altogether.

```ts
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as cdk from 'aws-cdk-lib';

export class CdkStarterStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // 👇 `mutable` defaults to `true`, so the options object can be omitted
    const importedSecurityGroup = ec2.SecurityGroup.fromSecurityGroupId(
      this,
      'imported-security-group',
      'YOUR-SG-ID',
    );

    // 👇 `mutable` is `true`, so we can add ingress rules
    importedSecurityGroup.addIngressRule(
      ec2.Peer.anyIpv4(),
      ec2.Port.tcp(22),
      'allow SSH access from anywhere',
    );
  }
}
```
We used the `addIngressRule` method to add the following inbound rule to the imported security group:

| Type | Protocol | Port | Source |
|---|---|---|---|
| SSH | TCP | 22 | 0.0.0.0/0 |
If I run the `npx aws-cdk deploy` command with an existing security group id, we can see that the inbound rule gets applied:
Note that if we were to destroy the CDK stack, the inbound rule would get deleted and removed from the security group.
In order to add an outbound rule to an imported security group in CDK, we have to:

- set the `allowAllOutbound` property to `false` and the `mutable` property to `true`:

```ts
const importedSecurityGroup = ec2.SecurityGroup.fromSecurityGroupId(
  this,
  'imported-security-group',
  'sg-0364cc5f9a979e9a6',
  {allowAllOutbound: false, mutable: true},
);
```
Let's look at an example where we add an egress rule to an imported security group:

```ts
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as cdk from 'aws-cdk-lib';

export class CdkStarterStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // 👇 `allowAllOutbound` must be `false` for egress rules to be managed
    const importedSecurityGroup = ec2.SecurityGroup.fromSecurityGroupId(
      this,
      'imported-security-group',
      'sg-0364cc5f9a979e9a6',
      {allowAllOutbound: false, mutable: true},
    );

    // 👇 `allowAllOutbound` is `false` and `mutable` is `true`, so we can add egress rules
    importedSecurityGroup.addEgressRule(
      ec2.Peer.ipv4('10.0.0.0/16'),
      ec2.Port.tcp(3306),
      'allow outgoing traffic on port 3306',
    );
  }
}
```
In the code snippet we used the `addEgressRule` method on the imported security group to add the following outbound rule:

| Type | Protocol | Port | Destination |
|---|---|---|---|
| MYSQL | TCP | 3306 | 10.0.0.0/16 |
If I deploy the new egress rule, we can see that the outbound rules of the imported security group get updated:
If we take a look at the resources the CloudFormation stack has provisioned, we can see the ingress and egress security group rules:
Deleting the stack would remove all of the ingress and egress rules we added to the imported security group.
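The two constraints explained above (rules can only be added when `mutable` is `true`, and egress rules only when `allowAllOutbound` is `false`) are easy to get wrong when the options object is omitted, and the ingress example opens port 22 to `0.0.0.0/0`. The following is an added example, not code from the original post or from the CDK library: a plain TypeScript pre-synth guardrail that checks a list of planned rules against those two constraints and against a small exposure policy before any `addIngressRule`/`addEgressRule` call is made. The `ImportOptions` and `PlannedRule` shapes, the `ADMIN_PORTS` set and the function names are assumptions modelled on the calls in the post; the sample rules are the two rules from the post, constructed inline.

```typescript
// Added example (not from the original post or the CDK library).
// Models the allowAllOutbound / mutable semantics described in the post
// as a validation step that runs before rules are added to an imported
// security group. Shapes and names below are assumptions, not CDK types.

interface ImportOptions {
  allowAllOutbound: boolean; // CDK default: true
  mutable: boolean;          // CDK default: true
}

interface PlannedRule {
  direction: 'ingress' | 'egress';
  peerCidr: string;          // e.g. '0.0.0.0/0' (Peer.anyIpv4()) or '10.0.0.0/16'
  protocol: 'tcp' | 'udp';
  port: number;
  description: string;
}

// Assumed policy: admin ports that must never be open to the whole internet.
const ADMIN_PORTS = new Set<number>([22, 3389]);

// Returns true for the "anywhere" CIDRs (0.0.0.0/0 and ::/0), i.e. prefix length 0.
function isAnyCidr(cidr: string): boolean {
  const parts = cidr.split('/');
  if (parts.length !== 2) {
    throw new Error(`invalid CIDR: ${cidr}`);
  }
  const prefix = Number(parts[1]);
  if (!Number.isInteger(prefix) || prefix < 0 || prefix > 128) {
    throw new Error(`invalid CIDR: ${cidr}`);
  }
  return prefix === 0;
}

// Checks one planned rule against the import options and the exposure policy.
// Returns human-readable findings; an empty array means the rule is safe to add.
function checkRule(opts: ImportOptions, rule: PlannedRule): string[] {
  const findings: string[] = [];
  if (!opts.mutable) {
    findings.push('security group imported with mutable=false: no rules can be added');
  }
  if (rule.direction === 'egress' && opts.allowAllOutbound) {
    findings.push(
      'egress rule on a security group imported with allowAllOutbound=true: ' +
      'set allowAllOutbound=false to manage outbound rules',
    );
  }
  if (rule.direction === 'ingress' && isAnyCidr(rule.peerCidr) && ADMIN_PORTS.has(rule.port)) {
    findings.push(
      `ingress on ${rule.protocol}/${rule.port} open to ${rule.peerCidr}: restrict the source CIDR`,
    );
  }
  return findings;
}

// Runs every planned rule through checkRule and keys the findings by rule description.
function checkPlan(opts: ImportOptions, rules: PlannedRule[]): Record<string, string[]> {
  const report: Record<string, string[]> = {};
  for (const rule of rules) {
    const findings = checkRule(opts, rule);
    if (findings.length > 0) {
      report[rule.description] = findings;
    }
  }
  return report;
}

// Constructed sample input: the two rules from the post.
const SAMPLE_RULES: PlannedRule[] = [
  { direction: 'ingress', peerCidr: '0.0.0.0/0', protocol: 'tcp', port: 22, description: 'allow SSH access from anywhere' },
  { direction: 'egress', peerCidr: '10.0.0.0/16', protocol: 'tcp', port: 3306, description: 'allow outgoing traffic on port 3306' },
];

// With the CDK defaults ({allowAllOutbound: true, mutable: true}) both rules are flagged:
// the SSH rule for its source CIDR, the MySQL rule because egress is not managed.
console.log(checkPlan({ allowAllOutbound: true, mutable: true }, SAMPLE_RULES));

// With allowAllOutbound=false the egress rule passes and only the SSH exposure remains.
console.log(checkPlan({ allowAllOutbound: false, mutable: true }, SAMPLE_RULES));
```

Run the checks in the stack constructor before calling `addIngressRule`/`addEgressRule` and fail the build on a non-empty report; it surfaces a rule that CDK would silently not manage, and an exposed admin port, at synth time instead of after deploy.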