If you create an ALB for Fargate with CDK, the ALB's Security Group ends up fully open (0.0.0.0/0). For a development environment or an internal service you would want to restrict the allowed source IPs for security, but with CDK adding rules was easy while removing the generated one was difficult, so this post shares how to do it.
First, create the Security Group that will be modified.
# Security Group for the ALB; the ingress rule is added later by ecs_patterns
alb_sg = ec2.SecurityGroup(self, "alb-sg",
    vpc=ivpc,
    description="alb sg"
)
Next, create an ALB that uses that Security Group.
# Internet-facing ALB attached to the Security Group created above
ecs_alb = elasticloadbalancingv2.ApplicationLoadBalancer(self, "alb",
    security_group=alb_sg,
    vpc=ivpc,
    internet_facing=True,
    load_balancer_name="ecs-alb"
)
Then use ecs_patterns to create a FargateService fronted by that ALB.
# ecs_patterns adds the listener and an "allow from anyone on port 80" ingress rule to alb_sg
fargate_service = ecs_patterns.ApplicationLoadBalancedFargateService(self, "service",
    cluster=cluster,
    task_definition=task,
    load_balancer=ecs_alb,
    cloud_map_options=ecs.CloudMapOptions(
        name="hoge"
    )
)
When you run cdk diff, you can see that a Security Group ingress rule opening port 80 to everyone is created, as shown below (only the Security Group part is extracted).
$ cdk diff ecs
Stack ecs
Security Group Changes
┌───┬───────────────────────────────────────────────────────┬─────┬──────────┬────────────────────────────────┐
│ │ Group │ Dir │ Protocol │ Peer │
├───┼───────────────────────────────────────────────────────┼─────┼──────────┼────────────────────────────────┤
│ + │ ${prod-alb-sg.GroupId} │ In │ TCP 80 │ Everyone (IPv4) │
└───┴───────────────────────────────────────────────────────┴─────┴──────────┴────────────────────────────────┘
Resources
[~] AWS::EC2::SecurityGroup prod-alb-sg prodmonitoralbsg0D94D960
└─ [+] SecurityGroupIngress
└─ [{"CidrIp":"0.0.0.0/0","Description":"Allow from anyone on port 80","FromPort":80,"IpProtocol":"tcp","ToPort":80}]
The generated rule can be overwritten with node.default_child.add_override, so specify the key path of the property and overwrite it.
The following two overrides are specified. Since only one rule (the fully open one) is added, index 0 is specified.
# Escape hatch: rewrite the 0th ingress rule of the synthesized AWS::EC2::SecurityGroup
alb_sg.node.default_child.add_override(
    "Properties.SecurityGroupIngress.0.CidrIp",
    "1.1.1.1/32"
)
alb_sg.node.default_child.add_override(
    "Properties.SecurityGroupIngress.0.Description",
    "Google"
)
When run, the default "TCP 80 from Everyone" rule disappears and is replaced by the specified IP.
$ SYSTEM_ENV=prod cdk diff ecs
Stack ecs
Security Group Changes
┌───┬────────────────────────────────┬─────┬──────────┬─────────────────┐
│ │ Group │ Dir │ Protocol │ Peer │
├───┼────────────────────────────────┼─────┼──────────┼─────────────────┤
│ - │ ${prod-alb-sg.GroupId} │ In │ TCP 80 │ Everyone (IPv4) │
├───┼────────────────────────────────┼─────┼──────────┼─────────────────┤
│ + │ ${prod-alb-sg.GroupId} │ In │ TCP 80 │ 1.1.1.1/32 │
└───┴────────────────────────────────┴─────┴──────────┴─────────────────┘
(NOTE: There may be security-related changes not in this list. See https://github.com/aws/aws-cdk/issues/1299)
Resources
[~] AWS::EC2::SecurityGroup prod-alb-sg prodmonitoralbsg0D94D960
└─ [~] SecurityGroupIngress
└─ @@ -1,7 +1,7 @@
[ ] [
[ ] {
[-] "CidrIp": "0.0.0.0/0",
[-] "Description": "Allow from anyone on port 80",
[+] "CidrIp": "1.1.1.1/32",
[+] "Description": "Google",
[ ] "FromPort": 80,
[ ] "IpProtocol": "tcp",
[ ] "ToPort": 80
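To make the override concrete without a CDK install, here is an added Python example (not code from the original post) that applies the same dotted-path overrides to the template fragment from the diff above and then checks that no ingress rule is still open to the whole internet. The dotted-path walk is a simplified model of CfnResource.add_override, and the template fragment is constructed from the page's diff output; both are assumptions.

```python
import json
from typing import Any

# Constructed from the cdk diff output above: the single ingress rule that
# ApplicationLoadBalancedFargateService adds to the ALB security group.
ALB_SG_TEMPLATE = {
    "Type": "AWS::EC2::SecurityGroup",
    "Properties": {
        "GroupDescription": "alb sg",
        "SecurityGroupIngress": [
            {"CidrIp": "0.0.0.0/0",
             "Description": "Allow from anyone on port 80",
             "FromPort": 80, "IpProtocol": "tcp", "ToPort": 80},
        ],
    },
}

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def apply_override(resource: dict, path: str, value: Any) -> dict:
    """Simplified model (assumption) of CfnResource.add_override: walk a
    dotted path, using numeric components as list indexes, set the leaf."""
    node: Any = resource
    parts = path.split(".")
    for key in parts[:-1]:
        node = node[int(key)] if isinstance(node, list) else node[key]
    leaf = parts[-1]
    if isinstance(node, list):
        node[int(leaf)] = value
    else:
        node[leaf] = value
    return resource


def open_ingress_rules(resource: dict) -> list:
    """Return every ingress rule whose source is the whole internet."""
    rules = resource["Properties"].get("SecurityGroupIngress", [])
    return [r for r in rules
            if r.get("CidrIp") in WORLD_CIDRS or r.get("CidrIpv6") in WORLD_CIDRS]


def restrict_alb_sg(resource: dict, cidr: str, description: str) -> dict:
    """Apply the post's two overrides to a deep copy and return it."""
    restricted = json.loads(json.dumps(resource))
    apply_override(restricted, "Properties.SecurityGroupIngress.0.CidrIp", cidr)
    apply_override(restricted, "Properties.SecurityGroupIngress.0.Description", description)
    return restricted
```

Because the override targets index 0 only, any further ingress rule added to alb_sg later would be left untouched, which is why a check over all rules like open_ingress_rules is worth keeping in a synth-time test.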
That's how to modify the ALB's default Security Group from CDK.