feat(elasticloadbalancingv2): multiple security groups for ALBs (#10244)

njlynch · web-flow · commit 1ebf36206b1e · 2020-09-09T09:00:19.000Z
Provide an `addSecurityGroup` method for ALBs for use cases where multiple security groups are needed. I opted for this approach over adding a new (and redundant) `securityGroups` prop to `ApplicationLoadBalancerProps` to keep the props targeted at the most common use case of a single (or default) group. fixes #5138 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/@aws-cdk/aws-elasticloadbalancingv2/README.md b/packages/@aws-cdk/aws-elasticloadbalancingv2/README.md
@@ -1,4 +1,5 @@
 ## Amazon Elastic Load Balancing V2 Construct Library
+
 <!--BEGIN STABILITY BANNER-->
 ---
 
@@ -61,6 +62,21 @@ listener.addTargets('ApplicationFleet', {
 The security groups of the load balancer and the target are automatically
 updated to allow the network traffic.
 
+One (or more) security groups can be associated with the load balancer;
+if a security group isn't provided, one will be automatically created.
+
+```ts
+const securityGroup1 = new ec2.SecurityGroup(stack, 'SecurityGroup1', { vpc });
+const lb = new elbv2.ApplicationLoadBalancer(this, 'LB', {
+  vpc,
+  internetFacing: true,
+  securityGroup: securityGroup1, // Optional - will be automatically created otherwise
+});
+
+const securityGroup2 = new ec2.SecurityGroup(stack, 'SecurityGroup2', { vpc });
+lb.addSecurityGroup(securityGroup2);
+```
+
 #### Conditions
 
 It's possible to route traffic to targets based on conditions in the incoming
@@ -320,6 +336,7 @@ public attachToApplicationTargetGroup(targetGroup: ApplicationTargetGroup): Load
   };
 }
 ```
+
 `targetType` should be one of `Instance` or `Ip`. If the target can be
 directly added to the target group, `targetJson` should contain the `id` of
 the target (either instance ID or IP address depending on the type) and
diff --git a/packages/@aws-cdk/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts b/packages/@aws-cdk/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts
@@ -58,22 +58,21 @@ export class ApplicationLoadBalancer extends BaseLoadBalancer implements IApplic
 
   public readonly connections: ec2.Connections;
   public readonly ipAddressType?: IpAddressType;
-  private readonly securityGroup: ec2.ISecurityGroup;
 
   constructor(scope: Construct, id: string, props: ApplicationLoadBalancerProps) {
     super(scope, id, props, {
       type: 'application',
-      securityGroups: Lazy.listValue({ produce: () => [this.securityGroup.securityGroupId] }),
+      securityGroups: Lazy.listValue({ produce: () => this.connections.securityGroups.map(sg => sg.securityGroupId) }),
       ipAddressType: props.ipAddressType,
     });
 
     this.ipAddressType = props.ipAddressType ?? IpAddressType.IPV4;
-    this.securityGroup = props.securityGroup || new ec2.SecurityGroup(this, 'SecurityGroup', {
+    const securityGroups = [props.securityGroup || new ec2.SecurityGroup(this, 'SecurityGroup', {
       vpc: props.vpc,
       description: `Automatically created Security Group for ELB ${this.node.uniqueId}`,
       allowAllOutbound: false,
-    });
-    this.connections = new ec2.Connections({ securityGroups: [this.securityGroup] });
+    })];
+    this.connections = new ec2.Connections({ securityGroups });
 
     if (props.http2Enabled === false) { this.setAttribute('routing.http2.enabled', 'false'); }
     if (props.idleTimeout !== undefined) { this.setAttribute('idle_timeout.timeout_seconds', props.idleTimeout.toSeconds().toString()); }
@@ -107,6 +106,13 @@ export class ApplicationLoadBalancer extends BaseLoadBalancer implements IApplic
     });
   }
 
+  /**
+   * Add a security group to this load balancer
+   */
+  public addSecurityGroup(securityGroup: ec2.ISecurityGroup) {
+    this.connections.addSecurityGroup(securityGroup);
+  }
+
   /**
    * Return the given named metric for this Application Load Balancer
    *
diff --git a/packages/@aws-cdk/aws-elasticloadbalancingv2/test/alb/load-balancer.test.ts b/packages/@aws-cdk/aws-elasticloadbalancingv2/test/alb/load-balancer.test.ts
@@ -314,4 +314,24 @@ describe('tests', () => {
     const listener = alb.addListener('Listener', { port: 80 });
     expect(() => listener.addTargets('Targets', { port: 8080 })).not.toThrow();
   });
+
+  test.only('can add secondary security groups', () => {
+    const stack = new cdk.Stack();
+    const vpc = new ec2.Vpc(stack, 'Stack');
+
+    const alb = new elbv2.ApplicationLoadBalancer(stack, 'LB', {
+      vpc,
+      securityGroup: new ec2.SecurityGroup(stack, 'SecurityGroup1', { vpc }),
+    });
+    alb.addSecurityGroup(new ec2.SecurityGroup(stack, 'SecurityGroup2', { vpc }));
+
+    // THEN
+    expect(stack).toHaveResource('AWS::ElasticLoadBalancingV2::LoadBalancer', {
+      SecurityGroups: [
+        { 'Fn::GetAtt': ['SecurityGroup1F554B36F', 'GroupId'] },
+        { 'Fn::GetAtt': ['SecurityGroup23BE86BB7', 'GroupId'] },
+      ],
+      Type: 'application',
+    });
+  });
 });
