SwapnilJak

Reputation: 211

Add Ingress Rule to Security Groups using AWS CDK

I'm trying to add an ingress rule to a Security Group via the AWS CDK using Python. As per the documentation here, there's a method add_ingress_rule() on the class aws_cdk.aws_ec2.

However, when I try to deploy the stack, I get the following error:

AttributeError: 'method' object has no attribute 'jsii__type' Subprocess exited with error 1

Security Group Code snippet below-

from aws_cdk import aws_ec2 as ec2

sg_elb = ec2.SecurityGroup(
    self,
    id = "sg_elb",
    vpc = vpc,
    security_group_name = "sg_elb"
)

sg_elb.add_ingress_rule(
    peer = ec2.Peer.any_ipv4,
    connection = ec2.Port.tcp(443)   # This line seems to be a problem.
)

There's even the same example (in TypeScript) given in the official documentation here, so I'm not sure what I'm doing wrong.

Can anyone advise?

Thanks in advance!

Upvotes: 19

Views: 50182

Answers (5)

Caleb Yates

Reputation: 11

I believe your initial code didn't work because you didn't specify the peer argument in the ingress rule properly. It should be ec2.Peer.any_ipv4().

For example, your initial code:

...

sg_elb.add_ingress_rule(
    peer = ec2.Peer.any_ipv4, # <---- this is invalid
    connection = ec2.Port.tcp(443)
)

To correct your ingress rule, it should be defined as follows:

sg_elb.add_ingress_rule(
    peer = ec2.Peer.any_ipv4(), # Notice the parentheses
    connection = ec2.Port.tcp(443)
)

If you look at the documentation, you will see that ec2.Peer.any_ipv4() returns a Peer object that satisfies the requirements of the peer argument for add_ingress_rule of a Security Group object.

Upvotes: 0

Maruthi

Reputation: 11

// CDK v2 import; on CDK v1 the module is '@aws-cdk/aws-ec2'
import { SecurityGroup, Peer, Port } from 'aws-cdk-lib/aws-ec2';

const securityGroup = new SecurityGroup(this, 'MySecurityGroup', {
  vpc: this.myVpc,
  securityGroupName: 'MySecurityGroup',
  description: 'Allow SSH and HTTP traffic',
  allowAllOutbound: true,
});

securityGroup.connections.allowFrom(
  Peer.anyIpv4(),
  Port.tcp(22),
  "ssh"
);
securityGroup.connections.allowFrom(
  Peer.ipv4('10.0.0.0/16'),
  Port.tcp(22),
  "ssh"
);

It's working.

Upvotes: 1

Ultradoxx

Reputation: 738

I got the following to work using TS, hope it helps some.

// CDK v2 import; on CDK v1 the module is '@aws-cdk/aws-ec2'
import * as ec2 from 'aws-cdk-lib/aws-ec2';

const mySG = new ec2.SecurityGroup(this, `${stack}-security-group`, {
    vpc: vpc,
    allowAllOutbound: true,
    description: 'CDK Security Group'
});

mySG.addIngressRule(ec2.Peer.anyIpv4(), ec2.Port.tcp(22), 'SSH from anywhere');
mySG.addIngressRule(ec2.Peer.ipv4('10.200.0.0/24'), ec2.Port.tcp(5439), 'Redshift Ingress1');
mySG.addIngressRule(ec2.Peer.ipv4('10.0.0.0/24'), ec2.Port.tcp(5439), 'Redshift Ingress2');

Btw, it is not recommended to use an explicit security group name: https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-ec2.SecurityGroup.html

Upvotes: 43
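Whatever you call on the construct (add_ingress_rule, addIngressRule or connections.allowFrom), what actually reaches AWS is the CloudFormation template in cdk.out. Below is an added example, not code from the question or any of the answers, that reads a synthesized template and flags ingress rules open to the whole internet (0.0.0.0/0 or ::/0) on ports you care about. The embedded template is constructed by hand to resemble what cdk synth emits for the rules on this page (the 443 rule from the question and the 22/5439 rules from the answers above): an AWS::EC2::SecurityGroup with inline SecurityGroupIngress entries, plus a standalone AWS::EC2::SecurityGroupIngress resource of the kind the .connections API emits when it peers two security groups. The logical IDs, VPC ID and descriptions are invented; the resource types and property names are the real CloudFormation schema.

```python
"""Flag world-open ingress rules in a synthesized CDK/CloudFormation template.

Added example (not from the original post). CONSTRUCTED_TEMPLATE is a
hand-written stand-in for cdk.out/<Stack>.template.json; logical IDs,
VpcId and descriptions are made up.
"""
import json
import sys
from typing import Iterator, List, Tuple

CONSTRUCTED_TEMPLATE = json.dumps({
    "Resources": {
        "sgelb1234ABCD": {                       # invented logical ID
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "CDK Security Group",
                "SecurityGroupIngress": [
                    {"CidrIp": "0.0.0.0/0", "IpProtocol": "tcp",
                     "FromPort": 443, "ToPort": 443, "Description": "https"},
                    {"CidrIp": "0.0.0.0/0", "IpProtocol": "tcp",
                     "FromPort": 22, "ToPort": 22, "Description": "SSH from anywhere"},
                    {"CidrIp": "10.200.0.0/24", "IpProtocol": "tcp",
                     "FromPort": 5439, "ToPort": 5439, "Description": "Redshift Ingress1"},
                ],
                "VpcId": "vpc-12345",            # invented
            },
        },
        # Standalone ingress resource, as emitted when two SGs are peered
        # through .connections; the source is another SG, not a CIDR.
        "sgelbfromsgapp5439": {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {
                "GroupId": {"Fn::GetAtt": ["sgelb1234ABCD", "GroupId"]},
                "IpProtocol": "tcp", "FromPort": 5439, "ToPort": 5439,
                "SourceSecurityGroupId": {"Fn::GetAtt": ["sgapp5678EFGH", "GroupId"]},
            },
        },
    }
})

WORLD = {"0.0.0.0/0", "::/0"}          # Peer.any_ipv4() / Peer.any_ipv6()
SENSITIVE_PORTS = {22, 3389, 5439, 3306, 5432}   # extend for your environment


def iter_ingress(template: dict) -> Iterator[Tuple[str, dict]]:
    """Yield (logical_id, rule) for every ingress rule, inline or standalone."""
    for logical_id, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                yield logical_id, rule
        elif res.get("Type") == "AWS::EC2::SecurityGroupIngress":
            yield logical_id, props


def rule_covers(rule: dict, port: int) -> bool:
    """True if the rule admits TCP/UDP traffic on `port` (or all traffic)."""
    proto = str(rule.get("IpProtocol", ""))
    if proto == "-1":                    # Port.all_traffic()
        return True
    if proto not in ("tcp", "udp", "6", "17"):
        return False                     # icmp etc.: not a port-based rule
    lo = int(rule.get("FromPort", 0))
    hi = int(rule.get("ToPort", 65535))
    return lo <= port <= hi


def find_world_open(template_json: str) -> List[dict]:
    """Return one finding per rule that opens a sensitive port to the world."""
    template = json.loads(template_json)
    findings = []
    for logical_id, rule in iter_ingress(template):
        peer = rule.get("CidrIp") or rule.get("CidrIpv6")
        if peer not in WORLD:
            continue                     # SG-to-SG peers and private CIDRs pass
        hit = sorted(p for p in SENSITIVE_PORTS if rule_covers(rule, p))
        if hit:
            findings.append({"resource": logical_id, "peer": peer,
                             "ports": hit, "description": rule.get("Description", "")})
    return findings


if __name__ == "__main__":
    # Usage: python check_sg.py cdk.out/MyStack.template.json
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else CONSTRUCTED_TEMPLATE
    for f in find_world_open(src):
        print(f"{f['resource']}: {f['peer']} -> ports {f['ports']} ({f['description']})")
```

Run it against cdk.out/&lt;Stack&gt;.template.json after cdk synth (or wire it into the pipeline before cdk deploy). On the constructed template it reports only the port-22 rule: the 443 rule is world-open but not on a sensitive port, the 10.200.0.0/24 rule is a private peer, and the standalone SG-to-SG rule has no CIDR at all. Rules that use Port.all_traffic() synthesize to IpProtocol "-1" and are treated as covering every port.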

Shams Larbi

Reputation: 171

In the SDK documentation: "Direct manipulation of the Security Group through addIngressRule and addEgressRule is possible, but mutation through the .connections object is recommended. If you peer two constructs with security groups this way, appropriate rules will be created in both."

So it's better to add rules like this:

from aws_cdk.aws_ec2 import Peer, Port

sg.connections.allow_from(
    Peer.any_ipv4(),
    Port.tcp(22),
    "ssh"
)

Upvotes: 4

This worked for me

from aws_cdk import aws_ec2 as ec2

sg = ec2.SecurityGroup(
    self,
    id="sg_1",
    vpc=vpc,
    allow_all_outbound=True,
    description="CDK Security Group",
    # security_group_name = "sg_elb"
    # not recommended https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-ec2.SecurityGroup.html
)

sg.add_ingress_rule(
    peer=ec2.Peer.any_ipv4(),
    connection=ec2.Port.tcp(22),
    description="ssh",
)

Upvotes: 0

Related Questions