From f10494cab79c033d7913a435b0e2db12fe59698d Mon Sep 17 00:00:00 2001 From: Jimmy Gaussen Date: Sat, 13 Apr 2024 00:36:27 +0200 Subject: [PATCH] feat(ec2): well-known port aliases (#29793) ### Issue # (if applicable) None as far as I can tell ### Reason for this change The web console lists commonly used ports when adding a rule to a security group, this aims to reproduce this simple quality of life shortcut. It can also help with code readability, and might save people from a typo ### Description of changes * Add well-known static `Port` instances * Intersection of the AWS web console listed ports and the [IANA Service Name and Transport Protocol Port Number Registry](https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt) ### Description of how you validated changes Compared the AWS web console values to the IANA list, and added a unit test to make sure the alias behaved properly ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- packages/aws-cdk-lib/aws-ec2/README.md | 19 +++++----- packages/aws-cdk-lib/aws-ec2/lib/port.ts | 35 +++++++++++++++++++ .../aws-ec2/test/security-group.test.ts | 6 ++++ 3 files changed, 51 insertions(+), 9 deletions(-) diff --git a/packages/aws-cdk-lib/aws-ec2/README.md b/packages/aws-cdk-lib/aws-ec2/README.md index 511d194a8bf69..73bb89cb2ae89 100644 --- a/packages/aws-cdk-lib/aws-ec2/README.md +++ b/packages/aws-cdk-lib/aws-ec2/README.md @@ -215,7 +215,7 @@ const provider = ec2.NatProvider.instanceV2({ new ec2.Vpc(this, 'TheVPC', { natGatewayProvider: provider, }); -provider.connections.allowFrom(ec2.Peer.ipv4('1.2.3.4/8'), ec2.Port.tcp(80)); +provider.connections.allowFrom(ec2.Peer.ipv4('1.2.3.4/8'), ec2.Port.HTTP); ``` You can also customize the characteristics of your NAT instances, including their security group, @@ -266,7 +266,7 @@ const provider = ec2.NatProvider.instance({ new ec2.Vpc(this, 'TheVPC', { natGatewayProvider: provider, }); -provider.connections.allowFrom(ec2.Peer.ipv4('1.2.3.4/8'), ec2.Port.tcp(80)); +provider.connections.allowFrom(ec2.Peer.ipv4('1.2.3.4/8'), ec2.Port.HTTP); ``` ### Ip Address Management @@ -724,13 +724,13 @@ declare const appFleet: autoscaling.AutoScalingGroup; declare const dbFleet: autoscaling.AutoScalingGroup; // Allow connections from anywhere -loadBalancer.connections.allowFromAnyIpv4(ec2.Port.tcp(443), 'Allow inbound HTTPS'); +loadBalancer.connections.allowFromAnyIpv4(ec2.Port.HTTPS, 'Allow inbound HTTPS'); // The same, but an explicit IP address -loadBalancer.connections.allowFrom(ec2.Peer.ipv4('1.2.3.4/32'), ec2.Port.tcp(443), 'Allow inbound HTTPS'); +loadBalancer.connections.allowFrom(ec2.Peer.ipv4('1.2.3.4/32'), ec2.Port.HTTPS, 'Allow inbound HTTPS'); // Allow connection between AutoScalingGroups -appFleet.connections.allowTo(dbFleet, ec2.Port.tcp(443), 'App can call database'); +appFleet.connections.allowTo(dbFleet, ec2.Port.HTTPS, 'App can call database'); ``` ### Connection Peers @@ -747,7 +747,7 @@ peer = ec2.Peer.anyIpv4(); peer = ec2.Peer.ipv6('::0/0'); peer = ec2.Peer.anyIpv6(); peer = ec2.Peer.prefixList('pl-12345'); -appFleet.connections.allowTo(peer, ec2.Port.tcp(443), 'Allow outbound HTTPS'); +appFleet.connections.allowTo(peer, ec2.Port.HTTPS, 'Allow outbound HTTPS'); ``` Any object that has a security group can itself be used as a connection peer: @@ -758,9 +758,9 @@ declare const fleet2: autoscaling.AutoScalingGroup; declare const appFleet: autoscaling.AutoScalingGroup; // These automatically create appropriate ingress and egress rules in both security groups -fleet1.connections.allowTo(fleet2, ec2.Port.tcp(80), 'Allow between fleets'); +fleet1.connections.allowTo(fleet2, ec2.Port.HTTP, 'Allow between fleets'); -appFleet.connections.allowFromAnyIpv4(ec2.Port.tcp(80), 'Allow from load balancer'); +appFleet.connections.allowFromAnyIpv4(ec2.Port.HTTP, 'Allow from load balancer'); ``` ### Port Ranges @@ -770,6 +770,7 @@ the connection specifier: ```ts ec2.Port.tcp(80) +ec2.Port.HTTPS ec2.Port.tcpRange(60000, 65535) ec2.Port.allTcp() ec2.Port.allIcmp() @@ -823,7 +824,7 @@ const mySecurityGroupWithoutInlineRules = new ec2.SecurityGroup(this, 'SecurityG disableInlineRules: true }); //This will add the rule as an external cloud formation construct -mySecurityGroupWithoutInlineRules.addIngressRule(ec2.Peer.anyIpv4(), ec2.Port.tcp(22), 'allow ssh access from the world'); +mySecurityGroupWithoutInlineRules.addIngressRule(ec2.Peer.anyIpv4(), ec2.Port.SSH, 'allow ssh access from the world'); ``` ### Importing an existing security group diff --git a/packages/aws-cdk-lib/aws-ec2/lib/port.ts b/packages/aws-cdk-lib/aws-ec2/lib/port.ts index 8b7633fe117ab..85155b42fef26 100644 --- a/packages/aws-cdk-lib/aws-ec2/lib/port.ts +++ b/packages/aws-cdk-lib/aws-ec2/lib/port.ts @@ -188,6 +188,41 @@ export interface PortProps { * Interface for classes that provide the connection-specification parts of a security group rule */ export class Port { + /** Well-known SSH port (TCP 22) */ + public static readonly SSH = Port.tcp(22); + /** Well-known SMTP port (TCP 25) */ + public static readonly SMTP = Port.tcp(25); + /** Well-known DNS port (UDP 53) */ + public static readonly DNS_UDP = Port.udp(53); + /** Well-known DNS port (TCP 53) */ + public static readonly DNS_TCP = Port.tcp(53); + /** Well-known HTTP port (TCP 80) */ + public static readonly HTTP = Port.tcp(80); + /** Well-known POP3 port (TCP 110) */ + public static readonly POP3 = Port.tcp(110); + /** Well-known IMAP port (TCP 143) */ + public static readonly IMAP = Port.tcp(143); + /** Well-known LDAP port (TCP 389) */ + public static readonly LDAP = Port.tcp(389); + /** Well-known HTTPS port (TCP 443) */ + public static readonly HTTPS = Port.tcp(443); + /** Well-known SMB port (TCP 445) */ + public static readonly SMB = Port.tcp(445); + /** Well-known IMAPS port (TCP 993) */ + public static readonly IMAPS = Port.tcp(993); + /** Well-known POP3S port (TCP 995) */ + public static readonly POP3S = Port.tcp(995); + /** Well-known Microsoft SQL Server port (TCP 1433) */ + public static readonly MSSQL = Port.tcp(1433); + /** Well-known NFS port (TCP 2049) */ + public static readonly NFS = Port.tcp(2049); + /** Well-known MySQL and Aurora port (TCP 3306) */ + public static readonly MYSQL_AURORA = Port.tcp(3306); + /** Well-known Microsoft Remote Desktop Protocol port (TCP 3389) */ + public static readonly RDP = Port.tcp(3389); + /** Well-known PostgreSQL port (TCP 5432) */ + public static readonly POSTGRES = Port.tcp(5432); + /** * A single TCP port */ diff --git a/packages/aws-cdk-lib/aws-ec2/test/security-group.test.ts b/packages/aws-cdk-lib/aws-ec2/test/security-group.test.ts index 1fc998a758617..50e7f9ae5f224 100644 --- a/packages/aws-cdk-lib/aws-ec2/test/security-group.test.ts +++ b/packages/aws-cdk-lib/aws-ec2/test/security-group.test.ts @@ -503,6 +503,12 @@ describe('security group', () => { }], }); }); + + test('Static well-known ports are well-defined', () => { + // THEN + expect(Port.SSH).toEqual(Port.tcp(22)); + expect(Port.DNS_UDP).toEqual(Port.udp(53)); + }); }); });