Import an Existing Security Group in AWS CDK


Borislav Hadzhiev

Tue May 04 2021, 4 min read

Table of Contents

  1. Importing an Existing Security Group in AWS CDK
  2. Adding Inbound rules to an Imported Security Group in CDK
  3. Adding Outbound rules to an Imported Security Group in CDK

Importing an Existing Security Group in AWS CDK

In order to import an existing security group into a CDK stack, we have to use the fromSecurityGroupId static method on the SecurityGroup class.

The code for this article is available on GitHub

Let's look at an example of importing a security group in a CDK stack:

lib/cdk-starter-stack.ts

import * as ec2 from '@aws-cdk/aws-ec2';
import * as cdk from '@aws-cdk/core';

export class CdkStarterStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // 👇 import security group by ID
    const importedSecurityGroup = ec2.SecurityGroup.fromSecurityGroupId(
      this,
      'imported-security-group',
      'YOUR-SG-ID',
      {allowAllOutbound: true, mutable: true},
    );

    console.log('security group id 👉', importedSecurityGroup.securityGroupId);
  }
}

Let's go over the code snippet.

  1. We imported a security group into our CDK stack by using the fromSecurityGroupId static method on the SecurityGroup class.

  2. The fromSecurityGroupId method takes the following parameters:

  • scope - the scope the method is invoked in

  • id - the construct identifier, must be unique in the scope

  • securityGroupId - the id of the security group

  • securityGroupImportOptions - a configuration object for the imported security group.

    The allowAllOutbound property is set to true by default and specifies that the security group allows all outbound traffic. The fromSecurityGroupId method assumes that the imported security group allows all outbound traffic, so it doesn't modify any of the egress rules. If we wanted to modify the outbound rules of the imported security group, we would have to set allowAllOutbound to false.

    The mutable property is also set to true by default. Setting the property to true allows us to add rules to the imported security group. We can only add inbound rules, unless allowAllOutbound is set to false.

Adding Inbound rules to an Imported Security Group in CDK

In order to add an inbound rule to an imported security group in CDK, we have to:

  1. set the mutable property to true when importing the security group. The mutable prop is set to true by default, so we can omit passing it altogether.
  2. use the addIngressRule method on the imported security group.

lib/cdk-starter-stack.ts

import * as ec2 from '@aws-cdk/aws-ec2';
import * as cdk from '@aws-cdk/core';

export class CdkStarterStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // ... rest

    // 👇 `mutable` is `true`, so we can add ingress rules
    importedSecurityGroup.addIngressRule(
      ec2.Peer.anyIpv4(),
      ec2.Port.tcp(22),
      'allow SSH access from anywhere',
    );
  }
}

In the code snippet we used the addIngressRule method to add the following inbound rule to the imported security group:

Type | Protocol | Port | Source
SSH  | TCP      | 22   | 0.0.0.0/0

If we run the npx cdk deploy command with an existing security group id, we can see that the inbound rule gets applied:

[Image: imported security group inbound rules]

Note that if we were to destroy the CDK stack, the inbound rule would get deleted and removed from the security group.

Adding Outbound rules to an Imported Security Group in CDK

In order to add an outbound rule to an imported security group in CDK, we have to:

  1. set the allowAllOutbound property to false and the mutable property to true:

lib/cdk-starter-stack.ts

const importedSecurityGroup = ec2.SecurityGroup.fromSecurityGroupId(
  this,
  'imported-security-group',
  'sg-0364cc5f9a979e9a6',
  {allowAllOutbound: false, mutable: true},
);

  2. use the addEgressRule method on the imported security group.

Let's look at an example, where we add an egress rule to an imported security group:

lib/cdk-starter-stack.ts

import * as ec2 from '@aws-cdk/aws-ec2';
import * as cdk from '@aws-cdk/core';

export class CdkStarterStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // ... rest

    // 👇 `allowAllOutbound` is `false` and `mutable` is `true`, so we can add egress rules
    importedSecurityGroup.addEgressRule(
      ec2.Peer.ipv4('10.0.0.0/16'),
      ec2.Port.tcp(3306),
      'allow outgoing traffic on port 3306',
    );
  }
}

In the code snippet we used the addEgressRule method on the imported security group to add the following outbound rule:

Type  | Protocol | Port | Destination
MYSQL | TCP      | 3306 | 10.0.0.0/16

If we deploy the new egress rule, we can see that the outbound rules of the imported security group get updated:

[Image: imported security group outbound rules]

If we take a look at the resources the CloudFormation stack has provisioned, we can see the ingress and egress security group rules:

[Image: CloudFormation security group rules]

Deleting the stack would remove all of the ingress and egress rules we added to the imported security group.
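The two sections above (inbound and outbound rules) and the description of the allowAllOutbound and mutable import options all hinge on the same three facts: ingress rules are accepted when mutable is true, egress rules are accepted only when allowAllOutbound is false and mutable is true, and a stack only ever deletes the rules it created. The following is an added example, not code from the article or from the AWS CDK project: a dependency-free TypeScript model of those semantics that can be run without an AWS account. The class ImportedSecurityGroupModel, the function runScenario, the security group id sg-EXAMPLE and the pre-existing rule set are all constructed for illustration; the real ec2.SecurityGroup.fromSecurityGroupId is not called.

```typescript
// Added example, not from the article or the AWS CDK project. A small model of
// how an imported security group accepts or drops rules, mirroring the behaviour
// the article describes. Names and sample data are constructed for illustration.

type Direction = 'ingress' | 'egress';

interface Rule {
  direction: Direction;
  protocol: 'tcp' | 'udp' | 'icmp' | 'all';
  fromPort: number;     // -1 means "all ports"
  toPort: number;
  cidr: string;         // source CIDR for ingress, destination CIDR for egress
  description: string;
}

interface ImportOptions {
  allowAllOutbound?: boolean; // CDK default: true
  mutable?: boolean;          // CDK default: true
}

export class ImportedSecurityGroupModel {
  readonly securityGroupId: string;
  readonly allowAllOutbound: boolean;
  readonly mutable: boolean;
  readonly warnings: string[] = [];
  // Rules already on the group before the stack imported it; the stack never owns these.
  private readonly preexisting: Rule[];
  // Rules the stack provisions (the ingress/egress resources CloudFormation owns).
  private readonly stackManaged: Rule[] = [];

  constructor(securityGroupId: string, preexisting: Rule[], opts: ImportOptions = {}) {
    this.securityGroupId = securityGroupId;
    this.preexisting = [...preexisting];
    this.allowAllOutbound = opts.allowAllOutbound ?? true;
    this.mutable = opts.mutable ?? true;
  }

  // Ingress rules are accepted whenever `mutable` is true.
  addIngressRule(cidr: string, protocol: Rule['protocol'], port: number, description: string): boolean {
    if (!this.mutable) {
      this.warnings.push(`Ignoring ingress rule "${description}": 'mutable' is false`);
      return false;
    }
    this.stackManaged.push({ direction: 'ingress', protocol, fromPort: port, toPort: port, cidr, description });
    return true;
  }

  // Egress rules are dropped while the group is assumed to allow all outbound traffic.
  addEgressRule(cidr: string, protocol: Rule['protocol'], port: number, description: string): boolean {
    if (this.allowAllOutbound) {
      this.warnings.push(`Ignoring egress rule "${description}": 'allowAllOutbound' is true`);
      return false;
    }
    if (!this.mutable) {
      this.warnings.push(`Ignoring egress rule "${description}": 'mutable' is false`);
      return false;
    }
    this.stackManaged.push({ direction: 'egress', protocol, fromPort: port, toPort: port, cidr, description });
    return true;
  }

  // What the console's inbound/outbound tab would list after a deploy.
  effectiveRules(direction: Direction): Rule[] {
    return [...this.preexisting, ...this.stackManaged].filter(r => r.direction === direction);
  }

  // `cdk destroy`: only stack-managed rules are removed; pre-existing rules remain.
  destroyStack(): Rule[] {
    return this.stackManaged.splice(0, this.stackManaged.length);
  }
}

// Constructed starting state: a group that already allows all outbound traffic,
// which is exactly what the default `allowAllOutbound: true` assumes.
const PREEXISTING: Rule[] = [
  { direction: 'egress', protocol: 'all', fromPort: -1, toPort: -1, cidr: '0.0.0.0/0', description: 'default allow-all egress' },
];

export function runScenario() {
  // Import with the defaults, as in the article's first snippet.
  const withDefaults = new ImportedSecurityGroupModel('sg-EXAMPLE', PREEXISTING);
  const sshAdded = withDefaults.addIngressRule('0.0.0.0/0', 'tcp', 22, 'allow SSH access from anywhere');
  const egressDropped = !withDefaults.addEgressRule('10.0.0.0/16', 'tcp', 3306, 'allow outgoing traffic on port 3306');
  const inboundAfterDeploy = withDefaults.effectiveRules('ingress').length;

  // Re-import with allowAllOutbound: false, as in the outbound section.
  const customEgress = new ImportedSecurityGroupModel('sg-EXAMPLE', PREEXISTING, { allowAllOutbound: false, mutable: true });
  const mysqlAdded = customEgress.addEgressRule('10.0.0.0/16', 'tcp', 3306, 'allow outgoing traffic on port 3306');
  const outboundAfterDeploy = customEgress.effectiveRules('egress').length;

  // Destroying the first stack removes only the SSH rule it added.
  const removed = withDefaults.destroyStack().length;
  const inboundAfterDestroy = withDefaults.effectiveRules('ingress').length;
  const outboundAfterDestroy = withDefaults.effectiveRules('egress').length;

  return { sshAdded, egressDropped, warnings: withDefaults.warnings, inboundAfterDeploy,
           mysqlAdded, outboundAfterDeploy, removed, inboundAfterDestroy, outboundAfterDestroy };
}
```

Two points the model makes visible that the screenshots only imply. First, with the default options the egress call is silently skipped and only surfaces as a warning, so a missing outbound rule after deploy is usually a sign that allowAllOutbound was left at its default. Second, setting allowAllOutbound to false on an imported group does not remove the group's pre-existing allow-all egress rule: the stack never owns that rule, so in the model outboundAfterDeploy is 2 (the original allow-all entry plus the new MySQL entry), and any tightening of the existing rules has to happen outside the stack.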
