Add Security Group lookup by name

[thesurlydev]

Similar to SecurityGroup.fromSecurityGroupId(), please add a SecurityGroup.fromSecurityGroupName.

Use Case

There are cases where existing SecurityGroups need to be referenced and have well-known names but not the ids. It would be nice to be able to look up SGs by name. Otherwise, a custom resource and/or SDK is needed to do the lookup.

Proposed Solution

Add a SecurityGroup.fromSecurityGroupName method.

Other

• 👋 I may be able to implement this feature request
• ⚠️ This feature might incur a breaking change

---

This is a 🚀 Feature Request

[rix0rrr]

We will not be able to make a security group from a name. We might be able to look one up, given CLI support.

[thesurlydev]

I just want to be able to look up an existing SG by name.

[tmo-trustpilot]

I have the same issue, I am trying to create an AWS Batch compute environment in an with existing subnets and security groups.

I am able to find the private subnets by looking up the VPC by name, but I have no way of finding the ids of the existing security groups.

const vpc = ec2.Vpc.fromLookup(this, "vpc", {
  vpcName: `${vpcName}`
});

const subnetIds = vpc.privateSubnets.map(sn => sn.subnetId);

const computeResourcesProperties: batch.CfnComputeEnvironment.ComputeResourcesProperty = {
    type: "EC2",
    ...snip...
    subnets: subnetIds,
    securityGroupIds: ???
};

Attempting to use a security group name seems to provision fine until the compute environment tries to add instances to the cluster: CLIENT_ERROR - Invalid value '<SNIP>' for groupName. You may not reference Amazon VPC security groups by name. Please use the corresponding id for this operation.

[kulesha]

is this feature available yet ?
it would be super useful to us too ..
in our case we have one cdk script that deploys 'infrastructure' ( vpc, subnets, security groups etc .. )
and another one is creating spot fleets to run applications in this infrastructure ..
at the moment we have to hard code the security group id in the application script ..

[michal-ziarnik]

It would be useful to us too. We're trying to create Redshift cluster and having an option to do a lookup for existing Security Groups by name would be a grate help.

[levarne]

nothing? Need to reference Security group per environment like I did with my existing VPC

cont vpc = Vpc.fromLookup(this, 'VPC', {
    vpcName: `dynamo-${environment}-app`,
})

Would be nice to do:

const groupWebAccess = SecurityGroup.fromLookup(this, 'Security-group-WebAccess', {
     groupName: `dynamo-${environment}-app-webAccess`
})
const groupProxyServer= SecurityGroup.fromLookup(this, 'Security-group-WebAccess', {
     groupName: `dynamo-${environment}-app-proxyServer`
})

new WebpackFunction(this, 'Metric', {
  vpc,
  securityGroups: [groupWebAccess, groupProxyServer]
})

But now I have to write each environments ID into a env file or configuration,
the above will allow me to change the security group without needing to redeploy code.

[calebpalmer]

I would also like this too. I'm trying to deploy a Simple AD and some workspaces, I need to update the ingress rules on the worker sg created by the simple ad and the only way to know if (I think) is by the name it creates for it, directoryId_workspaceMembers.

[felipepulpo]

+1

[daminisinha]

+1, need this feature please

[suryakiran7]

+1

[suhas-hr]

+1

[laurabaste]

+1

[Prashanna313]

+1

[Amchien]

+1

[erikdebruin]

+1

[Nicoowr]

+1

[argenstijn]

+10

[argenstijn]

any process?

[yukihato]

+1

[ammonsabrinaPFG]

+1

[argenstijn]

@NetaNir
What is the status of this request?

[mmislam101]

+12

[james-bw]

+1

[njlynch]

Given the attention this issue has received, I'm correctly labeling it as a p1, which means it should be on our near-term roadmap.

We welcome community contributions! If you are able, we encourage you to contribute. If you decide to contribute, please start an engineering discussion in this issue to ensure there is a commonly understood design before submitting code. This will minimize the number of review cycles and get your code merged faster. Security group lookup by id was added in #11089, and would be a good inspiration for this work.

[jumic]

I would suggest to extend the existing logic from PR #11089 and introduce the additional properties securityGroupName and vpc.
From my point of view, the main topic which should be discussed is the interface in class SecurityGroup.

ec2 SecurityGroup
Method fromLookup() already exists.

aws-cdk/packages/@aws-cdk/aws-ec2/lib/security-group.ts

Line 320 in 27a0113

public static fromLookup(scope: Construct, id: string, securityGroupId: string) {

Create a new method fromLookupAttributes() which can be used to lookup a SecurityGroup by name or id. (I'm not sure if this is a good name, actually I would prefere fromLookup() which is already in use.)

public static fromLookupAttributes(scope: Construct, id: string, options: SecurityGroupLookupOptions)

Move code from fromLookup() to this new method and use the new method in fromLookup().

The interface will allow a security group name or id (if both or non of them are specified, it will throw an error).

export interface SecurityGroupLookupOptions {
  readonly securityGroupName?: string;
  readonly securityGroupId?: string;
  readonly vpc?: IVpc;
}

Using this interface it is possible to extend the attributes later (e.g. lookup by tag).

(Alternative solution: implement method fromLookupName() with string-parameter securityGroupName similar to fromLookup() which has a string-parameter, too.) (Not recommended anymore after adding attribute vpc).

SecurityGroupContextQuery
In SecurityGroupContextQuery change variable securityGroupId to optional and add optional variables securityGroupName and vpcId.

SecurityGroupContextProviderPlugin
In SecurityGroupContextProviderPlugin add additional parameters GroupNames and vpc-id filter to describeSecurityGroups(). It is possible to query the security group by name using this SDK method. Furthermore, check if both id and name or neither id nor name will be passed and throw an error in this case.

@njlynch I would be happy to have your feedback.

Enhancement to original version:
I added parameter vpc (vpcId). The same security group name can be used in multiple VPCs. For example, each VPC has a default security group named default. In this case, parameter vpc has to be specified. Otherwise, it is not possible to identify the correct security group.

[Arthus15]

Any update on this topic?

[ranma2913]

Requesting this be looked at for my group too!

[ranma2913]

I would suggest to extend the existing logic from PR #11089 and introduce the additional property securityGroupName. From my point of view, the main topic which should be discussed is the interface in class SecurityGroup.

ec2 SecurityGroup Method fromLookup() already exists.

aws-cdk/packages/@aws-cdk/aws-ec2/lib/security-group.ts

Line 320 in 27a0113

public static fromLookup(scope: Construct, id: string, securityGroupId: string) {

Create a new method fromLookupAttributes() which can be used to lookup a SecurityGroup by name or id. (I'm not sure if this is a good name, actually I would prefere fromLookup() which is already in use.)

public static fromLookupAttributes(scope: Construct, id: string, options: SecurityGroupLookupOptions)

Move code from fromLookup() to this new method and use the new method in fromLookup().

The interface will allow a security group name or id (if both or non of them are specified, it will throw an error).

export interface SecurityGroupLookupOptions {
  readonly securityGroupName?: string;
  readonly securityGroupId?: string;
}

Using this interface it is possible to extend the attributes later (e.g. lookup by tag).

(Alternative solution: implement method fromLookupName() with string-parameter securityGroupName similar to fromLookup() which has a string-parameter, too.)

SecurityGroupContextQuery In SecurityGroupContextQuery change variable securityGroupId to optional and add optional variable securityGroupName.

SecurityGroupContextProviderPlugin In SecurityGroupContextProviderPlugin add additional parameter GroupNames to describeSecurityGroups(). It is possible to query the security group by name using this SDK method. Furthermore, check if both id and name or neither id nor name will be passed and throw an error in this case.

@njlynch I would be happy to have your feedback.

I'll use this right away! any idea when it might go in?

[njlynch]

@jumic - Thanks for the proposed solution, and apologies for the delay in commenting.

Everything you've described sounds good.

In SecurityGroupContextProviderPlugin add additional parameters GroupNames and vpc-id filter to describeSecurityGroups(). It is possible to query the security group by name using this SDK method. Furthermore, check if both id and name or neither id nor name will be passed and throw an error in this case.

Note that per the documentation, it appears we'll need to use the filters property to filter on group name and/or vpc; using the groupNames property directly will only work with the default VPC.

I look forward to seeing the PR!

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.