From 0d2ea37c8da0ee9d351b9a24eb5c96675a220d37 Mon Sep 17 00:00:00 2001
From: Sam Stephens
Date: Fri, 3 Jun 2022 17:41:34 +1200
Subject: [PATCH 1/2] feat(opensearchservice) defaultPort enforceHttps

For an Opensearch domain, if enforceHttps is enabled, set the defaultPort for the connections object of the domain, as we know it communicates over 443 in this scenario.
---
 .../aws-opensearchservice/lib/domain.ts | 6 +++-
 .../aws-opensearchservice/test/domain.test.ts | 28 ++++++++++++++++++-
 2 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/packages/@aws-cdk/aws-opensearchservice/lib/domain.ts b/packages/@aws-cdk/aws-opensearchservice/lib/domain.ts
index 807fefc0e40ec..960b9b626f8c7 100644
--- a/packages/@aws-cdk/aws-opensearchservice/lib/domain.ts
+++ b/packages/@aws-cdk/aws-opensearchservice/lib/domain.ts
@@ -1241,7 +1241,11 @@ export class Domain extends DomainBase implements IDomain, ec2.IConnectable {
 vpc: props.vpc,
 description: `Security group for domain ${this.node.id}`,
 })];
- this._connections = new ec2.Connections({ securityGroups });
+ if (props.enforceHttps) {
+ this._connections = new ec2.Connections({ securityGroups, defaultPort: ec2.Port.tcp(443) });
+ } else {
+ this._connections = new ec2.Connections({ securityGroups });
+ }
 }
 // If VPC options are supplied ensure that the number of subnets matches the number AZ
diff --git a/packages/@aws-cdk/aws-opensearchservice/test/domain.test.ts b/packages/@aws-cdk/aws-opensearchservice/test/domain.test.ts
index 0dc5f7a736c71..428adf6899b6d 100644
--- a/packages/@aws-cdk/aws-opensearchservice/test/domain.test.ts
+++ b/packages/@aws-cdk/aws-opensearchservice/test/domain.test.ts
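Review bot: The new branch in the `@@ -1241` hunk of `lib/domain.ts` keys on the raw `props.enforceHttps`, so a domain whose HTTPS enforcement ends up enabled through a default or another option would still get a `Connections` object with no default port; nothing in this hunk shows how the effective value is resolved, so if the constructor computes one, that is the value to test here. The two branches differ only in one property and can be a single statement: `this._connections = new ec2.Connections({ securityGroups, defaultPort: props.enforceHttps ? ec2.Port.tcp(443) : undefined });`. A one-line comment would also help, for example `// no default port without enforceHttps: callers must name the port they open`, because `allowDefaultPortFrom` then has nothing to fall back on. The enclosing constructor starts and ends outside the hunk.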
@@ -2,7 +2,7 @@
 import { Match, Template } from '@aws-cdk/assertions';
 import * as acm from '@aws-cdk/aws-certificatemanager';
 import { Metric, Statistic } from '@aws-cdk/aws-cloudwatch';
-import { Vpc, EbsDeviceVolumeType, SecurityGroup } from '@aws-cdk/aws-ec2';
+import { Vpc, EbsDeviceVolumeType, Port, SecurityGroup } from '@aws-cdk/aws-ec2';
 import * as iam from '@aws-cdk/aws-iam';
 import * as kms from '@aws-cdk/aws-kms';
 import * as logs from '@aws-cdk/aws-logs';
@@ -109,6 +109,32 @@ test('default subnets and security group when vpc is used', () => {
 });
+test('connections has no default port if enforceHttps is false', () => {
+
+ const vpc = new Vpc(stack, 'Vpc');
+ const domain = new Domain(stack, 'Domain', {
+ version: defaultVersion,
+ vpc,
+ enforceHttps: false,
+ });
+
+ expect(domain.connections.defaultPort).toBeUndefined();
+
+});
+
+test('connections has default port 443 if enforceHttps is true', () => {
+
+ const vpc = new Vpc(stack, 'Vpc');
+ const domain = new Domain(stack, 'Domain', {
+ version: defaultVersion,
+ vpc,
+ enforceHttps: true,
+ });
+
+ expect(domain.connections.defaultPort).toEqual(Port.tcp(443));
+
+});
+
 test('default removalpolicy is retain', () => {
 new Domain(stack, 'Domain', {
 version: defaultVersion,
From ff2117e7bc6481139377a602e207e00056282725 Mon Sep 17 00:00:00 2001
From: Sam Stephens
Date: Fri, 3 Jun 2022 17:47:53 +1200
Subject: [PATCH 2/2] feat(opensearchservice) fix test title

The title of one of the tests should say "connections throws if domain is *not* placed inside a vpc".
---
 packages/@aws-cdk/aws-opensearchservice/test/domain.test.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/@aws-cdk/aws-opensearchservice/test/domain.test.ts b/packages/@aws-cdk/aws-opensearchservice/test/domain.test.ts
index 428adf6899b6d..07094a348e52b 100644
--- a/packages/@aws-cdk/aws-opensearchservice/test/domain.test.ts
+++ b/packages/@aws-cdk/aws-opensearchservice/test/domain.test.ts
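Review bot: Neither test added in the `@@ -109` hunk covers a domain created without the `enforceHttps` prop, so the behaviour when the flag is left to its default is unpinned; a third case that omits the prop and asserts the intended `defaultPort` would close that gap. Both tests also stop at the property value. An assertion on the synthesized template after a call such as `domain.connections.allowDefaultPortFrom(peer)` would confirm that the resulting ingress rule is limited to TCP 443, which is the behaviour callers actually depend on.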
@@ -31,7 +31,7 @@ const readWriteActions = [
 const defaultVersion = EngineVersion.OPENSEARCH_1_0;
-test('connections throws if domain is placed inside a vpc', () => {
+test('connections throws if domain is not placed inside a vpc', () => {
 expect(() => {
 new Domain(stack, 'Domain', {