fix(ec2): Allow ingress to VPC interface endpoints

The default rule created for VPC endpoints did not have any ingress rules meaning that the VPC endpoints were totally inaccessible. This made them completely useless. This commit add a default ingress rule that allows all IPv4 and IPv6 traffic to the port of the service. fixes aws#4937
joehillen · Nov 9, 2019 · fc75423 · fc75423
1 parent 142bd0e
commit fc75423
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 5 deletions.
diff --git a/packages/@aws-cdk/aws-ec2/lib/vpc-endpoint.ts b/packages/@aws-cdk/aws-ec2/lib/vpc-endpoint.ts
@@ -2,6 +2,7 @@ import iam = require('@aws-cdk/aws-iam');
 import { Aws, Construct, IResource, Lazy, Resource } from '@aws-cdk/core';
 import { Connections, IConnectable } from './connections';
 import { CfnVPCEndpoint } from './ec2.generated';
+import { Peer } from './peer';
 import { Port } from './port';
 import { ISecurityGroup, SecurityGroup } from './security-group';
 import { allRouteTableIds } from './util';
@@ -377,12 +378,21 @@ export class InterfaceVpcEndpoint extends VpcEndpoint implements IInterfaceVpcEn
   constructor(scope: Construct, id: string, props: InterfaceVpcEndpointProps) {
     super(scope, id);
 
-    const securityGroups = props.securityGroups || [new SecurityGroup(this, 'SecurityGroup', {
-      vpc: props.vpc
-    })];
+    const port = Port.tcp(props.service.port);
+    let securityGroups = props.securityGroups;
+
+    if (!securityGroups || securityGroups.length === 0) {
+      const defaultSecurityGroup = new SecurityGroup(this, "SecurityGroup", {
+        vpc: props.vpc,
+      });
+      defaultSecurityGroup.addIngressRule(Peer.anyIpv4(), port);
+      defaultSecurityGroup.addIngressRule(Peer.anyIpv6(), port);
+      securityGroups = [defaultSecurityGroup];
+    }
+
     this.securityGroupId = securityGroups[0].securityGroupId;
     this.connections = new Connections({
-      defaultPort: Port.tcp(props.service.port),
+      defaultPort: port,
       securityGroups
     });
 

diff --git a/packages/@aws-cdk/aws-ec2/test/test.vpc-endpoint.ts b/packages/@aws-cdk/aws-ec2/test/test.vpc-endpoint.ts
@@ -1,4 +1,4 @@
-import { expect, haveResource } from '@aws-cdk/assert';
+import { expect, haveResource, haveResourceLike } from '@aws-cdk/assert';
 import { AnyPrincipal, PolicyStatement } from '@aws-cdk/aws-iam';
 import { Stack } from '@aws-cdk/core';
 import { Test } from 'nodeunit';
@@ -307,6 +307,36 @@ export = {
         SecurityGroupIds: ['existing-id'],
       }));
 
+      test.done();
+    },
+    'security group has ingress'(test: Test) {
+      // GIVEN
+      const stack = new Stack();
+      const vpc = new Vpc(stack, 'VpcNetwork');
+
+      // WHEN
+      vpc.addInterfaceEndpoint('SecretsManagerEndpoint', {
+        service: InterfaceVpcEndpointAwsService.SECRETS_MANAGER,
+      });
+
+      // THEN
+      expect(stack).to(haveResourceLike('AWS::EC2::SecurityGroup', {
+        SecurityGroupIngress: [
+          {
+            CidrIp: "0.0.0.0/0",
+            FromPort: 443,
+            IpProtocol: "tcp",
+            ToPort: 443
+          },
+          {
+            CidrIpv6: "::0/0",
+            FromPort: 443,
+            IpProtocol: "tcp",
+            ToPort: 443
+          }
+        ]
+      }, ));
+
       test.done();
     }
   }