From 1c0b45e656e80953761e676dec134a8a20320db7 Mon Sep 17 00:00:00 2001 From: Jimmy Gaussen Date: Thu, 11 Apr 2024 06:06:16 +0200 Subject: [PATCH 1/3] feat(ec2): well-known port aliases --- packages/aws-cdk-lib/aws-ec2/README.md | 19 +++++----- packages/aws-cdk-lib/aws-ec2/lib/port.ts | 37 +++++++++++++++++++ .../aws-ec2/test/security-group.test.ts | 6 +++ 3 files changed, 53 insertions(+), 9 deletions(-) diff --git a/packages/aws-cdk-lib/aws-ec2/README.md b/packages/aws-cdk-lib/aws-ec2/README.md index 511d194a8bf69..73bb89cb2ae89 100644 --- a/packages/aws-cdk-lib/aws-ec2/README.md +++ b/packages/aws-cdk-lib/aws-ec2/README.md @@ -215,7 +215,7 @@ const provider = ec2.NatProvider.instanceV2({ new ec2.Vpc(this, 'TheVPC', { natGatewayProvider: provider, }); -provider.connections.allowFrom(ec2.Peer.ipv4('1.2.3.4/8'), ec2.Port.tcp(80)); +provider.connections.allowFrom(ec2.Peer.ipv4('1.2.3.4/8'), ec2.Port.HTTP); ``` You can also customize the characteristics of your NAT instances, including their security group, @@ -266,7 +266,7 @@ const provider = ec2.NatProvider.instance({ new ec2.Vpc(this, 'TheVPC', { natGatewayProvider: provider, }); -provider.connections.allowFrom(ec2.Peer.ipv4('1.2.3.4/8'), ec2.Port.tcp(80)); +provider.connections.allowFrom(ec2.Peer.ipv4('1.2.3.4/8'), ec2.Port.HTTP); ``` ### Ip Address Management 
@@ -724,13 +724,13 @@ declare const appFleet: autoscaling.AutoScalingGroup; declare const dbFleet: autoscaling.AutoScalingGroup; // Allow connections from anywhere -loadBalancer.connections.allowFromAnyIpv4(ec2.Port.tcp(443), 'Allow inbound HTTPS'); +loadBalancer.connections.allowFromAnyIpv4(ec2.Port.HTTPS, 'Allow inbound HTTPS'); // The same, but an explicit IP address -loadBalancer.connections.allowFrom(ec2.Peer.ipv4('1.2.3.4/32'), ec2.Port.tcp(443), 'Allow inbound HTTPS'); +loadBalancer.connections.allowFrom(ec2.Peer.ipv4('1.2.3.4/32'), ec2.Port.HTTPS, 'Allow inbound HTTPS'); // Allow connection between AutoScalingGroups -appFleet.connections.allowTo(dbFleet, ec2.Port.tcp(443), 'App can call database'); +appFleet.connections.allowTo(dbFleet, ec2.Port.HTTPS, 'App can call database'); ``` ### Connection Peers @@ -747,7 +747,7 @@ peer = ec2.Peer.anyIpv4(); peer = ec2.Peer.ipv6('::0/0'); peer = ec2.Peer.anyIpv6(); peer = ec2.Peer.prefixList('pl-12345'); -appFleet.connections.allowTo(peer, ec2.Port.tcp(443), 'Allow outbound HTTPS'); +appFleet.connections.allowTo(peer, ec2.Port.HTTPS, 'Allow outbound HTTPS'); ``` Any object that has a security group can itself be used as a connection peer: @@ -758,9 +758,9 @@ declare const fleet2: autoscaling.AutoScalingGroup; declare const appFleet: autoscaling.AutoScalingGroup; // These automatically create appropriate ingress and egress rules in both security groups -fleet1.connections.allowTo(fleet2, ec2.Port.tcp(80), 'Allow between fleets'); +fleet1.connections.allowTo(fleet2, ec2.Port.HTTP, 'Allow between fleets'); -appFleet.connections.allowFromAnyIpv4(ec2.Port.tcp(80), 'Allow from load balancer'); +appFleet.connections.allowFromAnyIpv4(ec2.Port.HTTP, 'Allow from load balancer'); ``` ### Port Ranges @@ -770,6 +770,7 @@ the connection specifier: ```ts ec2.Port.tcp(80) +ec2.Port.HTTPS ec2.Port.tcpRange(60000, 65535) ec2.Port.allTcp() ec2.Port.allIcmp() 
@@ -823,7 +824,7 @@ const mySecurityGroupWithoutInlineRules = new ec2.SecurityGroup(this, 'SecurityG disableInlineRules: true }); //This will add the rule as an external cloud formation construct -mySecurityGroupWithoutInlineRules.addIngressRule(ec2.Peer.anyIpv4(), ec2.Port.tcp(22), 'allow ssh access from the world'); +mySecurityGroupWithoutInlineRules.addIngressRule(ec2.Peer.anyIpv4(), ec2.Port.SSH, 'allow ssh access from the world'); ``` ### Importing an existing security group diff --git a/packages/aws-cdk-lib/aws-ec2/lib/port.ts b/packages/aws-cdk-lib/aws-ec2/lib/port.ts index 8b7633fe117ab..129caa66ea95b 100644 --- a/packages/aws-cdk-lib/aws-ec2/lib/port.ts +++ b/packages/aws-cdk-lib/aws-ec2/lib/port.ts 
@@ -188,6 +188,43 @@ export interface PortProps {
 * Interface for classes that provide the connection-specification parts of a security group rule
 */
 export class Port {
+ /** Well-known SSH port (TCP 22) */
+ public static readonly SSH = Port.tcp(22);
+ /** Well-known SMTP port (TCP 25) */
+ public static readonly SMTP = Port.tcp(25);
+ /** Well-known DNS port (UDP 53) */
+ public static readonly DNS_UDP = Port.udp(53);
+ /** Well-known DNS port (TCP 53) */
+ public static readonly DNS_TCP = Port.tcp(53);
+ /** Well-known HTTP port (TCP 80) */
+ public static readonly HTTP = Port.tcp(80);
+ /** Well-known POP3 port (TCP 110) */
+ public static readonly POP3 = Port.tcp(110);
+ /** Well-known IMAP port (TCP 143) */
+ public static readonly IMAP = Port.tcp(143);
+ /** Well-known LDAP port (TCP 389) */
+ public static readonly LDAP = Port.tcp(389);
+ /** Well-known HTTPS port (TCP 443) */
+ public static readonly HTTPS = Port.tcp(443);
+ /** Well-known SMB port (TCP 445) */
+ public static readonly SMB = Port.tcp(445);
+ /** Well-known SMTPS port (TCP 465) */
+ public static readonly SMTPS = Port.tcp(465);
+ /** Well-known IMAPS port (TCP 993) */
+ public static readonly IMAPS = Port.tcp(993);
+ /** Well-known POP3S port (TCP 995) */
+ public static readonly POP3S = Port.tcp(995);
+ /** Well-known Microsoft SQL Server port (TCP 1433) */
+ public static readonly MSSQL = Port.tcp(1433);
+ /** Well-known NFS port (TCP 2049) */
+ public static readonly NFS = Port.tcp(2049);
+ /** Well-known MySQL and Aurora port (TCP 3306) */
+ public static readonly MYSQL_AURORA = Port.tcp(3306);
+ /** Well-known Microsoft Remote Desktop Protocol port (TCP 3389) */
+ public static readonly RDP = Port.tcp(3389);
+ /** Well-known PostgreSQL port (TCP 5432) */
+ public static readonly POSTGRES = Port.tcp(5432);
+
 /**
 * A single TCP port
 */
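Review bot: Every alias in this hunk is one `Port` object built once at class-load time and then handed to every caller that references it, so the aliases are only safe to share across security-group rules as long as `Port` keeps no mutating methods; nothing in the hunk shows one, but the class body continues outside the hunk, and a short note above the block would make the constraint explicit, e.g. `// Shared instances created once per process: keep Port free of mutators so an alias cannot be changed for every rule that uses it.` The new doc comments use the one-line `/** ... */` form while the surrounding members (see `A single TCP port` at the end of the hunk) use the multi-line form the file already follows; matching that keeps the generated API docs uniform. The DNS entries carry a `_TCP`/`_UDP` suffix while `NFS`, which is also commonly served over UDP, does not; stating "TCP only" in its comment, or naming it `NFS_TCP` for symmetry, would avoid readers assuming the alias covers both.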
diff --git a/packages/aws-cdk-lib/aws-ec2/test/security-group.test.ts b/packages/aws-cdk-lib/aws-ec2/test/security-group.test.ts
index 1fc998a758617..05d5f79dac67d 100644
--- a/packages/aws-cdk-lib/aws-ec2/test/security-group.test.ts
+++ b/packages/aws-cdk-lib/aws-ec2/test/security-group.test.ts
@@ -503,6 +503,12 @@ describe('security group', () => {
 }],
 });
 });
+
+ test.only('Static well-known ports are well-defined', () => {
+ // THEN
+ expect(Port.SSH).toEqual(Port.tcp(22));
+ expect(Port.DNS_UDP).toEqual(Port.udp(53));
+ });
 });
 });
From 931c5ba987abb73280c507c1f092375b0981637f Mon Sep 17 00:00:00 2001
From: Jimmy Gaussen
Date: Thu, 11 Apr 2024 06:14:53 +0200
Subject: [PATCH 2/3] fix: remove non well-known
---
 packages/aws-cdk-lib/aws-ec2/lib/port.ts | 2 --
 1 file changed, 2 deletions(-)
diff --git a/packages/aws-cdk-lib/aws-ec2/lib/port.ts b/packages/aws-cdk-lib/aws-ec2/lib/port.ts
index 129caa66ea95b..85155b42fef26 100644
--- a/packages/aws-cdk-lib/aws-ec2/lib/port.ts
+++ b/packages/aws-cdk-lib/aws-ec2/lib/port.ts
@@ -208,8 +208,6 @@ export class Port {
 public static readonly HTTPS = Port.tcp(443);
 /** Well-known SMB port (TCP 445) */
 public static readonly SMB = Port.tcp(445);
- /** Well-known SMTPS port (TCP 465) */
- public static readonly SMTPS = Port.tcp(465);
 /** Well-known IMAPS port (TCP 993) */
 public static readonly IMAPS = Port.tcp(993);
 /** Well-known POP3S port (TCP 995) */
From b359a0d4596128362bd93e781091cb5296cf053c Mon Sep 17 00:00:00 2001
From: Jimmy Gaussen
Date: Thu, 11 Apr 2024 06:27:31 +0200
Subject: [PATCH 3/3] fix: remove only
---
 packages/aws-cdk-lib/aws-ec2/test/security-group.test.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/aws-cdk-lib/aws-ec2/test/security-group.test.ts b/packages/aws-cdk-lib/aws-ec2/test/security-group.test.ts
index 05d5f79dac67d..50e7f9ae5f224 100644
--- a/packages/aws-cdk-lib/aws-ec2/test/security-group.test.ts
+++ b/packages/aws-cdk-lib/aws-ec2/test/security-group.test.ts
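Review bot: The two assertions in the new test compare each alias against the very factory call that defines it, so a wrong protocol or port in an alias is only caught if the test author repeats the same value correctly; asserting the rendered rule pins protocol and range independently of the factory, e.g. `expect(Port.SSH.toRuleJson()).toEqual({ ipProtocol: 'tcp', fromPort: 22, toPort: 22 });` and `expect(Port.DNS_UDP.toRuleJson()).toEqual({ ipProtocol: 'udp', fromPort: 53, toPort: 53 });` (assuming `toRuleJson()` keeps the shape the security-group code reads; confirm against port.ts). Only two of the eighteen aliases added in port.ts are exercised, so a copy-paste slip in any other entry, say a wrong number in `MSSQL` or `RDP`, would go unnoticed; a `test.each` table listing every alias with its expected protocol and port would cover them in one place. The enclosing `describe('security group', ...)` block starts outside the hunk.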
@@ -504,7 +504,7 @@ describe('security group', () => {
 });
 });
- test.only('Static well-known ports are well-defined', () => {
+ test('Static well-known ports are well-defined', () => {
 // THEN
 expect(Port.SSH).toEqual(Port.tcp(22));
 expect(Port.DNS_UDP).toEqual(Port.udp(53));