aws · eschirle · May 24, 2024 · May 24, 2024 · May 24, 2024 · May 24, 2024
diff --git a/packages/aws-cdk-lib/aws-ec2/README.md b/packages/aws-cdk-lib/aws-ec2/README.md
@@ -837,7 +837,7 @@ const sg = ec2.SecurityGroup.fromSecurityGroupId(this, 'SecurityGroupImport', 's
 });
 ```
 
-Alternatively, use lookup methods to import security groups if you do not know the ID or the configuration details. Method `SecurityGroup.fromLookupByName` looks up a security group if the security group ID is unknown.
+Alternatively, use lookup methods to import security groups if you do not know the ID or the configuration details. Method `SecurityGroup.fromLookupByName` looks up a security group if the security group ID is unknown, and you can uniquely identify the security group by name or by name and owner.
 
 ```ts fixture=with-vpc
 const sg = ec2.SecurityGroup.fromLookupByName(this, 'SecurityGroupLookup', 'security-group-name', vpc);

diff --git a/packages/aws-cdk-lib/aws-ec2/lib/security-group.ts b/packages/aws-cdk-lib/aws-ec2/lib/security-group.ts
@@ -383,8 +383,8 @@ export class SecurityGroup extends SecurityGroupBase {
   /**
    * Look up a security group by name.
    */
-  public static fromLookupByName(scope: Construct, id: string, securityGroupName: string, vpc: IVpc) {
-    return this.fromLookupAttributes(scope, id, { securityGroupName, vpc });
+  public static fromLookupByName(scope: Construct, id: string, securityGroupName: string, vpc: IVpc, owner?: string) {
+    return this.fromLookupAttributes(scope, id, { securityGroupName, vpc, owner });
   }
 
   /**
@@ -434,7 +434,12 @@ export class SecurityGroup extends SecurityGroupBase {
    * Look up a security group.
    */
   private static fromLookupAttributes(scope: Construct, id: string, options: SecurityGroupLookupOptions) {
-    if (Token.isUnresolved(options.securityGroupId) || Token.isUnresolved(options.securityGroupName) || Token.isUnresolved(options.vpc?.vpcId)) {
+    if (
+      Token.isUnresolved(options.securityGroupId) ||
+      Token.isUnresolved(options.securityGroupName) ||
+      Token.isUnresolved(options.vpc?.vpcId) ||
+      Token.isUnresolved(options.owner)
+    ) {
       throw new Error('All arguments to look up a security group must be concrete (no Tokens)');
     }
 
@@ -444,6 +449,7 @@ export class SecurityGroup extends SecurityGroupBase {
         securityGroupId: options.securityGroupId,
         securityGroupName: options.securityGroupName,
         vpcId: options.vpc?.vpcId,
+        owner: options.owner,
       },
       dummyValue: {
         securityGroupId: 'sg-12345678',
@@ -515,8 +521,8 @@ export class SecurityGroup extends SecurityGroupBase {
     this.securityGroup = new CfnSecurityGroup(this, 'Resource', {
       groupName: this.physicalName,
       groupDescription,
-      securityGroupIngress: Lazy.any({ produce: () => this.directIngressRules }, { omitEmptyArray: true } ),
-      securityGroupEgress: Lazy.any({ produce: () => this.directEgressRules }, { omitEmptyArray: true } ),
+      securityGroupIngress: Lazy.any({ produce: () => this.directIngressRules }, { omitEmptyArray: true }),
+      securityGroupEgress: Lazy.any({ produce: () => this.directEgressRules }, { omitEmptyArray: true }),
       vpcId: props.vpc.vpcId,
     });
 
@@ -653,7 +659,7 @@ export class SecurityGroup extends SecurityGroupBase {
       const description = this.allowAllOutbound ? ALLOW_ALL_RULE.description : MATCH_NO_TRAFFIC.description;
       super.addEgressRule(peer, port, description, false);
     } else {
-      const rule = this.allowAllOutbound? ALLOW_ALL_RULE : MATCH_NO_TRAFFIC;
+      const rule = this.allowAllOutbound ? ALLOW_ALL_RULE : MATCH_NO_TRAFFIC;
       this.directEgressRules.push(rule);
     }
   }
@@ -843,4 +849,13 @@ interface SecurityGroupLookupOptions {
    * @default Don't filter on VPC
    */
   readonly vpc?: IVpc;
+
+  /**
+   * The Owner of the security group
+   *
+   * If given, will filter the SecurityGroup based on the Owner.
+   *
+   * @default Don't filter on Owner
+   */
+  readonly owner?: string;
 }
diff --git a/packages/aws-cdk-lib/aws-ec2/test/security-group.test.ts b/packages/aws-cdk-lib/aws-ec2/test/security-group.test.ts
@@ -596,6 +596,31 @@ describe('security group lookup', () => {
 
   });
 
+  test('can look up a security group by name, vpc, and owner', () => {
+    // GIVEN
+    const account = '1234';
+    const app = new App();
+    const stack = new Stack(app, 'stack', {
+      env: {
+        account: account,
+        region: 'us-east-1',
+      },
+    });
+
+    const vpc = Vpc.fromVpcAttributes(stack, 'VPC', {
+      vpcId: 'vpc-1234',
+      availabilityZones: ['dummy1a', 'dummy1b', 'dummy1c'],
+    });
+
+    // WHEN
+    const securityGroup = SecurityGroup.fromLookupByName(stack, 'SG1', 'my-security-group', vpc, account);
+
+    // THEN
+    expect(securityGroup.securityGroupId).toEqual('sg-12345678');
+    expect(securityGroup.allowAllOutbound).toEqual(true);
+
+  });
+
   test('can look up a security group and use it as a peer', () => {
     // GIVEN
     const app = new App();
@@ -676,6 +701,27 @@ describe('security group lookup', () => {
 
   });
 
+  test('throws if owner is tokenized', () => {
+    // GIVEN
+    const app = new App();
+    const stack = new Stack(app, 'stack', {
+      env: {
+        account: '1234',
+        region: 'us-east-1',
+      },
+    });
+
+    const vpc = Vpc.fromVpcAttributes(stack, 'VPC', {
+      vpcId: 'vpc-1234',
+      availabilityZones: ['dummy1a', 'dummy1b', 'dummy1c'],
+    });
+
+    // WHEN
+    expect(() => {
+      SecurityGroup.fromLookupByName(stack, 'stack', 'my-security-group', vpc, Lazy.string({ produce: () => '1234' }));
+    }).toThrow('All arguments to look up a security group must be concrete (no Tokens)');
+  });
+
 });
 
 function testRulesAreInlined(contextDisableInlineRules: boolean | undefined | null, optionsDisableInlineRules: boolean | undefined) {

diff --git a/packages/aws-cdk-lib/cloud-assembly-schema/lib/cloud-assembly/context-queries.ts b/packages/aws-cdk-lib/cloud-assembly-schema/lib/cloud-assembly/context-queries.ts
@@ -449,6 +449,13 @@ export interface SecurityGroupContextQuery {
    * @default - None
    */
   readonly vpcId?: string;
+
+  /**
+   * Owner
+   *
+   * @default - None
+   */
+  readonly owner?: string;
 }
 
 /**

diff --git a/packages/aws-cdk-lib/cloud-assembly-schema/schema/cloud-assembly.schema.json b/packages/aws-cdk-lib/cloud-assembly-schema/schema/cloud-assembly.schema.json
@@ -870,6 +870,10 @@
                 "vpcId": {
                     "description": "VPC ID (Default - None)",
                     "type": "string"
+                },
+                "owner": {
+                    "description": "Owner (Default - None)",
+                    "type": "string"
                 }
             },
             "required": [

diff --git a/packages/aws-cdk-lib/cloud-assembly-schema/schema/cloud-assembly.version.json b/packages/aws-cdk-lib/cloud-assembly-schema/schema/cloud-assembly.version.json
@@ -1 +1 @@
-{"version":"36.0.0"}
+{"version":"37.0.0"}
@@ -17,7 +17,7 @@ export class SecurityGroupContextProviderPlugin implements ContextProviderPlugin
       throw new Error('\'securityGroupId\' and \'securityGroupName\' can not be specified both when looking up a security group');
     }
 
-    if (!args.securityGroupId && !args.securityGroupName) {
+    if (!args.securityGroupId && !args.securityGroupName) {
       throw new Error('\'securityGroupId\' or \'securityGroupName\' must be specified to look up a security group');
     }
 
@@ -37,6 +37,12 @@ export class SecurityGroupContextProviderPlugin implements ContextProviderPlugin
         Values: [args.securityGroupName],
       });
     }
+    if (args.owner) {
+      filters.push({
+        Name: 'owner-id',
+        Values: [args.owner],
+      });
+    }
 
     const response = await ec2.describeSecurityGroups({
       GroupIds: args.securityGroupId ? [args.securityGroupId] : undefined,

@@ -226,6 +226,64 @@ describe('security group context provider plugin', () => {
     expect(res.allowAllOutbound).toEqual(true);
   });
 
+  test('looks up by security group name, vpc id, and owner', async () => {
+    // GIVEN
+    const provider = new SecurityGroupContextProviderPlugin(mockSDK);
+
+    AWS.mock('EC2', 'describeSecurityGroups', (_params: aws.EC2.DescribeSecurityGroupsRequest, cb: AwsCallback<aws.EC2.DescribeSecurityGroupsResult>) => {
+      expect(_params).toEqual({
+        Filters: [
+          {
+            Name: 'vpc-id',
+            Values: ['vpc-1234567'],
+          },
+          {
+            Name: 'group-name',
+            Values: ['my-security-group'],
+          },
+          {
+            Name: 'owner-id',
+            Values: ['1234'],
+          },
+        ],
+      });
+      cb(null, {
+        SecurityGroups: [
+          {
+            GroupId: 'sg-1234',
+            IpPermissionsEgress: [
+              {
+                IpProtocol: '-1',
+                IpRanges: [
+                  { CidrIp: '0.0.0.0/0' },
+                ],
+              },
+              {
+                IpProtocol: '-1',
+                Ipv6Ranges: [
+                  { CidrIpv6: '::/0' },
+                ],
+              },
+            ],
+          },
+        ],
+      });
+    });
+
+    // WHEN
+    const res = await provider.getValue({
+      account: '1234',
+      region: 'us-east-1',
+      securityGroupName: 'my-security-group',
+      vpcId: 'vpc-1234567',
+      owner: '1234',
+    });
+
+    // THEN
+    expect(res.securityGroupId).toEqual('sg-1234');
+    expect(res.allowAllOutbound).toEqual(true);
+  });
+
   test('detects non all-outbound egress', async () => {
     // GIVEN
     const provider = new SecurityGroupContextProviderPlugin(mockSDK);