Merge pull request #8805 from aws/njlynch/issue3433

feat(autoscaling): bring your own security group
aws · Jun 30, 2020 · c085bd7 · c085bd7
2 parents c337d4a + 3698f47
commit c085bd7
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 4 deletions.
diff --git a/packages/@aws-cdk/aws-autoscaling/README.md b/packages/@aws-cdk/aws-autoscaling/README.md
@@ -29,9 +29,20 @@ new autoscaling.AutoScalingGroup(this, 'ASG', {
 });
 ```
 
-> NOTE: AutoScalingGroup has an property called `allowAllOutbound` (allowing the instances to contact the
-> internet) which is set to `true` by default. Be sure to set this to `false`  if you don't want
-> your instances to be able to start arbitrary connections.
+NOTE: AutoScalingGroup has an property called `allowAllOutbound` (allowing the instances to contact the
+internet) which is set to `true` by default. Be sure to set this to `false`  if you don't want
+your instances to be able to start arbitrary connections. Alternatively, you can specify an existing security
+group to attach to the instances that are launched, rather than have the group create a new one.
+
+```ts
+const mySecurityGroup = new ec2.SecurityGroup(this, 'SecurityGroup', {...});
+new autoscaling.AutoScalingGroup(this, 'ASG', {
+  vpc,
+  instanceType: ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.MICRO),
+  machineImage: new ec2.AmazonLinuxImage(),
+  securityGroup: mySecurityGroup,
+});
+```
 
 ### Machine Images (AMIs)
 

diff --git a/packages/@aws-cdk/aws-autoscaling/lib/auto-scaling-group.ts b/packages/@aws-cdk/aws-autoscaling/lib/auto-scaling-group.ts
@@ -255,6 +255,13 @@ export interface AutoScalingGroupProps extends CommonAutoScalingGroupProps {
    */
   readonly machineImage: ec2.IMachineImage;
 
+  /**
+   * Security group to launch the instances in.
+   *
+   * @default - A SecurityGroup will be created if none is specified.
+   */
+  readonly securityGroup?: ec2.ISecurityGroup;
+
   /**
    * Specific UserData to use
    *
@@ -475,7 +482,7 @@ export class AutoScalingGroup extends AutoScalingGroupBase implements
   constructor(scope: Construct, id: string, props: AutoScalingGroupProps) {
     super(scope, id);
 
-    this.securityGroup = new ec2.SecurityGroup(this, 'InstanceSecurityGroup', {
+    this.securityGroup = props.securityGroup || new ec2.SecurityGroup(this, 'InstanceSecurityGroup', {
       vpc: props.vpc,
       allowAllOutbound: props.allowAllOutbound !== false,
     });

diff --git a/packages/@aws-cdk/aws-autoscaling/test/test.auto-scaling-group.ts b/packages/@aws-cdk/aws-autoscaling/test/test.auto-scaling-group.ts
@@ -658,6 +658,28 @@ export = {
     test.done();
   },
 
+  'an existing security group can be specified instead of auto-created'(test: Test) {
+    // GIVEN
+    const stack = new cdk.Stack();
+    const vpc = mockVpc(stack);
+    const securityGroup = ec2.SecurityGroup.fromSecurityGroupId(stack, 'MySG', 'most-secure');
+
+    // WHEN
+    new autoscaling.AutoScalingGroup(stack, 'MyASG', {
+      vpc,
+      instanceType: ec2.InstanceType.of(ec2.InstanceClass.M4, ec2.InstanceSize.MICRO),
+      machineImage: new ec2.AmazonLinuxImage(),
+      securityGroup,
+    });
+
+    // THEN
+    expect(stack).to(haveResource('AWS::AutoScaling::LaunchConfiguration', {
+      SecurityGroups: ['most-secure'],
+    },
+    ));
+    test.done();
+  },
+
   'an existing role can be specified instead of auto-created'(test: Test) {
     // GIVEN
     const stack = new cdk.Stack();