
Commit 79d91ad

fix(elasticache): security group for ServerlessCache does not use default endpoint port (#35738)
### Issue # (if applicable)

N/A

### Reason for this change

A security group ingress for the new `ServerlessCache` construct does not use an endpoint port. The following CDK code generates an INVALID CFn template with `null` for `FromPort` and `ToPort`:

```ts
const cache = new ServerlessCache(this, 'ServerlessCache', {
  vpc,
});
const sg = new SecurityGroup(this, 'SecurityGroup', {
  vpc,
});
sg.connections.allowToDefaultPort(cache);
```

```json
"SecurityGroupfromawscdkserverlesscacheClientSG6D18D5F9IndirectPortFE633A67": {
  "Type": "AWS::EC2::SecurityGroupIngress",
  "Properties": {
    // ...
    // ...
    "FromPort": null,
    // ...
    // ...
    "ToPort": null
  },
```

An expected template:

```json
"SecurityGroupfromawscdkserverlesscacheClientSG6D18D5F9IndirectPortFE633A67": {
  "Type": "AWS::EC2::SecurityGroupIngress",
  "Properties": {
    // ...
    // ...
    "FromPort": {
      "Fn::GetAtt": [
        "Cache18F6EE16",
        "Endpoint.Port"
      ]
    },
    // ...
    // ...
    "ToPort": {
      "Fn::GetAtt": [
        "Cache18F6EE16",
        "Endpoint.Port"
      ]
    }
  }
},
```

FYI: The method `cache.connections.defaultPort?.toRuleJson()` outputs `{"Value":{"ipProtocol":"tcp","fromPort":null,"toPort":null}}`. But we expect `{"Value":{"ipProtocol":"tcp","fromPort":{"Fn::GetAtt":["Cache18F6EE16","Endpoint.Port"]},"toPort":{"Fn::GetAtt":["Cache18F6EE16","Endpoint.Port"]}}}`.

### Description of changes

Use `Token.asNumber` for the `defaultPort` of `Connections` in `ServerlessCache`:

```diff
    this.connections = new ec2.Connections({
      securityGroups: this.securityGroups,
-     defaultPort: ec2.Port.tcp(Lazy.number({ produce: () => parseInt(this.serverlessCacheEndpointPort) })),
+     defaultPort: ec2.Port.tcp(Token.asNumber(this.serverlessCacheEndpointPort)),
    });
```

### Describe any new or updated permissions being added

### Description of how you validated changes

Both a unit test and an integ test.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
1 parent 40a7689 commit 79d91ad

10 files changed

Lines changed: 331 additions & 32 deletions


packages/@aws-cdk/aws-elasticache-alpha/lib/serverless-cache.ts

Lines changed: 1 addition & 1 deletion
@@ -469,7 +469,7 @@ export class ServerlessCache extends ServerlessCacheBase {
469469

470470
this.connections = new ec2.Connections({
471471
securityGroups: this.securityGroups,
472-
defaultPort: ec2.Port.tcp(Lazy.number({ produce: () => parseInt(this.serverlessCacheEndpointPort) })),
472+
defaultPort: ec2.Port.tcp(Token.asNumber(this.serverlessCacheEndpointPort)),
473473
});
474474

475475
Object.defineProperty(this, ELASTICACHE_SERVERLESSCACHE_SYMBOL, { value: true });
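Review bot: the switch to `Token.asNumber` on line 472 is the right fix, because `this.serverlessCacheEndpointPort` is an unresolved token string that only resolves to `Fn::GetAtt [Cache, Endpoint.Port]` at synthesis; `parseInt` on that string evaluates to `NaN`, and `NaN` serializes to `null` in the emitted JSON, which is exactly the `"FromPort": null` / `"ToPort": null` shown in the description. `Token.asNumber` re-encodes the string token as a number token and keeps the reference deferred. Two follow-ups: check whether the `Lazy` import in this file is now unused so lint does not fail, and confirm the unit test mentioned in the description asserts `Fn::GetAtt` for both `FromPort` and `ToPort` rather than only the absence of `null`, since a future `NaN` would otherwise slip through again.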

packages/@aws-cdk/aws-elasticache-alpha/test/integ.serverless-cache.js.snapshot/asset.53e3ecec991005bc2ddc98d13a897e8eadf082b86dedf53475c933aed3069238.bundle/index.js renamed to packages/@aws-cdk/aws-elasticache-alpha/test/integ.serverless-cache.js.snapshot/asset.c11608a15785084ea1afe65826e575ee316add10c8b1bb373e93297e26aec564.bundle/index.js

Lines changed: 26 additions & 11 deletions

packages/@aws-cdk/aws-elasticache-alpha/test/integ.serverless-cache.js.snapshot/aws-cdk-serverless-cache.assets.json

Lines changed: 3 additions & 3 deletions

packages/@aws-cdk/aws-elasticache-alpha/test/integ.serverless-cache.js.snapshot/aws-cdk-serverless-cache.template.json

Lines changed: 47 additions & 0 deletions
@@ -546,6 +546,37 @@
546546
}
547547
}
548548
},
549+
"SecurityGroupfromawscdkserverlesscacheClientSG6D18D5F9IndirectPortFE633A67": {
550+
"Type": "AWS::EC2::SecurityGroupIngress",
551+
"Properties": {
552+
"Description": "from awscdkserverlesscacheClientSG6D18D5F9:{IndirectPort}",
553+
"FromPort": {
554+
"Fn::GetAtt": [
555+
"Cache18F6EE16",
556+
"Endpoint.Port"
557+
]
558+
},
559+
"GroupId": {
560+
"Fn::GetAtt": [
561+
"SecurityGroupDD263621",
562+
"GroupId"
563+
]
564+
},
565+
"IpProtocol": "tcp",
566+
"SourceSecurityGroupId": {
567+
"Fn::GetAtt": [
568+
"ClientSG4CAE4F40",
569+
"GroupId"
570+
]
571+
},
572+
"ToPort": {
573+
"Fn::GetAtt": [
574+
"Cache18F6EE16",
575+
"Endpoint.Port"
576+
]
577+
}
578+
}
579+
},
549580
"User00B015A1": {
550581
"Type": "AWS::ElastiCache::User",
551582
"Properties": {
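Review bot: the new ingress at 549-579 matches the expected template from the description: `FromPort` and `ToPort` both resolve to `Fn::GetAtt [Cache18F6EE16, Endpoint.Port]`, the rule is TCP only, and it is scoped to the cache security group (`SecurityGroupDD263621`) with `ClientSG4CAE4F40` as the source, so it opens a single port from one group rather than a range or a CIDR. The `Description` keeps CDK's `{IndirectPort}` placeholder because the port is a token; that is expected. Since this whole resource is new to the snapshot, the integ test itself must have gained the client security group and the `allowToDefaultPort` call, which is what makes a regression to `null` ports visible in future snapshot diffs.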
@@ -622,6 +653,22 @@
622653
],
623654
"UpdateReplacePolicy": "Delete",
624655
"DeletionPolicy": "Delete"
656+
},
657+
"ClientSG4CAE4F40": {
658+
"Type": "AWS::EC2::SecurityGroup",
659+
"Properties": {
660+
"GroupDescription": "aws-cdk-serverless-cache/ClientSG",
661+
"SecurityGroupEgress": [
662+
{
663+
"CidrIp": "0.0.0.0/0",
664+
"Description": "Allow all outbound traffic by default",
665+
"IpProtocol": "-1"
666+
}
667+
],
668+
"VpcId": {
669+
"Ref": "VPCB9E5F0B4"
670+
}
671+
}
625672
}
626673
},
627674
"Parameters": {
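Review bot: `ClientSG4CAE4F40` at 657-671 is created with CDK's default `allowAllOutbound`, hence the `0.0.0.0/0` / `"IpProtocol": "-1"` egress rule. For an integ test that is fine, but note that `allowToDefaultPort` only emits a matching `SecurityGroupEgress` when the source group has `allowAllOutbound: false`; setting that on the client group would exercise the egress side of the same `defaultPort` token as well, so a regression in either direction would show up in this snapshot.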

packages/@aws-cdk/aws-elasticache-alpha/test/integ.serverless-cache.js.snapshot/awscdkserverlesscacheintegDefaultTestDeployAssert7BD34438.assets.json

Lines changed: 7 additions & 7 deletions

0 commit comments
