feat(ecs): implement IConnectable interface for ManagedInstancesCapacityProvider

packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.managedinstances-capacity-provider.js.snapshot/integ-managedinstances-capacity-provider.template.json

@@ -438,7 +438,7 @@
         {
          "Ref": "AWS::Partition"
         },
-        ":iam::aws:policy/AdministratorAccess"
+        ":iam::aws:policy/AmazonECSInfrastructureRolePolicyForManagedInstances"
        ]
       ]
      }
@@ -470,7 +470,7 @@
         {
          "Ref": "AWS::Partition"
         },
-        ":iam::aws:policy/AdministratorAccess"
+        ":iam::aws:policy/AmazonECSInstanceRolePolicyForManagedInstances"
        ]
       ]
      }
@@ -500,6 +500,34 @@
       "IpProtocol": "-1"
      }
     ],
+    "SecurityGroupIngress": [
+     {
+      "CidrIp": {
+       "Fn::GetAtt": [
+        "Vpc8378EB38",
+        "CidrBlock"
+       ]
+      },
+      "Description": {
+       "Fn::Join": [
+        "",
+        [
+         "from ",
+         {
+          "Fn::GetAtt": [
+           "Vpc8378EB38",
+           "CidrBlock"
+          ]
+         },
+         ":80"
+        ]
+       ]
+      },
+      "FromPort": 80,
+      "IpProtocol": "tcp",
+      "ToPort": 80
+     }
+    ],
     "VpcId": {
      "Ref": "Vpc8378EB38"
     }

packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.managedinstances-capacity-provider.ts

@@ -24,15 +24,15 @@ const infrastructureRole = new iam.Role(stack, 'InfrastructureRole', {
   roleName: 'AmazonECSInfrastructureRoleForOmakase',
   assumedBy: new iam.ServicePrincipal('ecs.amazonaws.com'),
   managedPolicies: [
-    iam.ManagedPolicy.fromAwsManagedPolicyName('AdministratorAccess'),
+    iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonECSInfrastructureRolePolicyForManagedInstances'),
   ],
 });
 
 const instanceRole = new iam.Role(stack, 'InstanceRole', {
   roleName: 'AmazonECSInstanceRoleForOmakase',
   assumedBy: new iam.ServicePrincipal('ec2.amazonaws.com'),
   managedPolicies: [
-    iam.ManagedPolicy.fromAwsManagedPolicyName('AdministratorAccess'),
+    iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonECSInstanceRolePolicyForManagedInstances'),
   ],
 });
 
@@ -63,6 +63,9 @@ const miCapacityProvider = new ecs.ManagedInstancesCapacityProvider(stack, 'Mana
   },
 });
 
+// Configure security group rules using IConnectable interface
+miCapacityProvider.connections.allowFrom(ec2.Peer.ipv4(vpc.vpcCidrBlock), ec2.Port.tcp(80));
+
 // Add FMI capacity provider to cluster
 cluster.addManagedInstancesCapacityProvider(miCapacityProvider);
 cluster.addDefaultCapacityProviderStrategy([

packages/aws-cdk-lib/aws-ecs/README.md

@@ -1687,6 +1687,9 @@ const miCapacityProvider = new ecs.ManagedInstancesCapacityProvider(this, 'MICap
   propagateTags: ecs.PropagateManagedInstancesTags.CAPACITY_PROVIDER,
 });
 
+// Optionally configure security group rules using IConnectable interface
+miCapacityProvider.connections.allowFrom(ec2.Peer.ipv4(vpc.vpcCidrBlock), ec2.Port.tcp(80));
+
 // Add the capacity provider to the cluster
 cluster.addManagedInstancesCapacityProvider(miCapacityProvider);
 

packages/aws-cdk-lib/aws-ecs/lib/cluster.ts

@@ -1653,7 +1653,7 @@ export interface ManagedInstancesCapacityProviderProps {
  * Managed Instances for task placement with managed infrastructure.
  */
 @propertyInjectable
-export class ManagedInstancesCapacityProvider extends Construct {
+export class ManagedInstancesCapacityProvider extends Construct implements ec2.IConnectable {
   /**
    * Uniquely identifies this class.
    */
@@ -1664,6 +1664,11 @@ export class ManagedInstancesCapacityProvider extends Construct {
    */
   readonly capacityProviderName: string;
 
+  /**
+   * The network connections associated with this resource.
+   */
+  readonly connections: ec2.Connections;
+
   /**
    * The CloudFormation capacity provider resource
    */
@@ -1738,6 +1743,10 @@ export class ManagedInstancesCapacityProvider extends Construct {
 
     this.capacityProviderName = this.capacityProvider.ref;
 
+    this.connections = new ec2.Connections({
+      securityGroups: props.securityGroups,
+    });
+
     this.node.defaultChild = this.capacityProvider;
   }
 

packages/aws-cdk-lib/aws-ecs/test/cluster.test.ts

@@ -3264,6 +3264,59 @@ describe('cluster', () => {
       }).toThrow(/Invalid Capacity Provider Name: fargatecp, If a name is specified, it cannot start with aws, ecs, or fargate./);
     });
 
+    test('allows modifying security groups via IConnectable interface', () => {
+      // GIVEN
+      const app = new cdk.App();
+      const stack = new cdk.Stack(app, 'test');
+      const vpc = new ec2.Vpc(stack, 'Vpc');
+
+      const infrastructureRole = new iam.Role(stack, 'InfrastructureRole', {
+        assumedBy: new iam.ServicePrincipal('ecs.amazonaws.com'),
+        managedPolicies: [
+          iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonECSInfrastructureRolePolicyForManagedInstances'),
+        ],
+      });
+
+      const instanceRole = new iam.Role(stack, 'InstanceRole', {
+        assumedBy: new iam.ServicePrincipal('ec2.amazonaws.com'),
+        managedPolicies: [
+          iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonECSInstanceRolePolicyForManagedInstances'),
+        ],
+      });
+
+      const instanceProfile = new iam.InstanceProfile(stack, 'InstanceProfile', {
+        role: instanceRole,
+      });
+
+      const securityGroup = new ec2.SecurityGroup(stack, 'SecurityGroup', {
+        vpc,
+        description: 'Test security group',
+      });
+
+      // WHEN
+      const capacityProvider = new ecs.ManagedInstancesCapacityProvider(stack, 'provider', {
+        infrastructureRole,
+        ec2InstanceProfile: instanceProfile,
+        subnets: vpc.privateSubnets,
+        securityGroups: [securityGroup],
+      });
+
+      // Use connections API to allow inbound traffic
+      capacityProvider.connections.allowFrom(ec2.Peer.anyIpv4(), ec2.Port.tcp(80));
+
+      // THEN
+      Template.fromStack(stack).hasResourceProperties('AWS::EC2::SecurityGroup', {
+        SecurityGroupIngress: [
+          {
+            IpProtocol: 'tcp',
+            FromPort: 80,
+            ToPort: 80,
+            CidrIp: '0.0.0.0/0',
+          },
+        ],
+      });
+    });
+
     test('can add Managed Instances capacity via Capacity Provider', () => {
       // GIVEN
       const app = new cdk.App();