From c3734562e82e2239638323493f4987d71f7cfd8c Mon Sep 17 00:00:00 2001
From: Andy Gallagher
Date: Sat, 16 Mar 2024 14:40:22 +0000
Subject: [PATCH] :facepalm:
---
 .../__snapshots__/concierge-graphql.test.ts.snap | 14 ++++++++++++++
 cdk/lib/concierge-graphql.ts | 10 ++++++----
 2 files changed, 20 insertions(+), 4 deletions(-)
diff --git a/cdk/lib/__snapshots__/concierge-graphql.test.ts.snap b/cdk/lib/__snapshots__/concierge-graphql.test.ts.snap
index febeed7..8ca818a 100644
--- a/cdk/lib/__snapshots__/concierge-graphql.test.ts.snap
+++ b/cdk/lib/__snapshots__/concierge-graphql.test.ts.snap
@@ -426,6 +426,13 @@ exports[`The ConciergeGraphql stack matches the snapshot 1`] = `
 "IpProtocol": "tcp",
 "ToPort": 443,
 },
+ {
+ "CidrIp": "10.0.0.0/8",
+ "Description": "Allow outgoing connections to Elasticsearch",
+ "FromPort": 9200,
+ "IpProtocol": "tcp",
+ "ToPort": 9200,
+ },
 ],
 "Tags": [
 {
@@ -1091,6 +1098,13 @@ exports[`The ConciergeGraphql stack matches the snapshot 1`] = `
 "IpProtocol": "tcp",
 "ToPort": 1515,
 },
+ {
+ "CidrIp": "10.0.0.0/8",
+ "Description": "Allow outgoing connections to Elasticsearch",
+ "FromPort": 9200,
+ "IpProtocol": "tcp",
+ "ToPort": 9200,
+ },
 ],
 "Tags": [
 {
diff --git a/cdk/lib/concierge-graphql.ts b/cdk/lib/concierge-graphql.ts
index 6889235..8d17378 100644
--- a/cdk/lib/concierge-graphql.ts
+++ b/cdk/lib/concierge-graphql.ts
@@ -3,7 +3,7 @@ import {GuParameter, GuStack} from "@guardian/cdk/lib/constructs/core";
 import type {App} from "aws-cdk-lib";
 import {aws_ssm} from "aws-cdk-lib";
 import {GuPlayApp} from "@guardian/cdk";
-import {InstanceClass, InstanceSize, InstanceType, Peer, Subnet, Vpc} from "aws-cdk-lib/aws-ec2";
+import {InstanceClass, InstanceSize, InstanceType, Peer, Port, Subnet, Vpc} from "aws-cdk-lib/aws-ec2";
 import {AccessScope} from "@guardian/cdk/lib/constants";
 import {getHostName} from "./hostname";
 import {GuSecurityGroup, GuVpc} from "@guardian/cdk/lib/constructs/ec2";
@@ -60,7 +60,7 @@ export class ConciergeGraphql extends GuStack {
 stringValue: authTable.tableName
 });
- const {loadBalancer, listener} = new GuPlayApp(this, {
+ const {loadBalancer, listener, autoScalingGroup} = new GuPlayApp(this, {
 access: {
 //You should put a gateway in front of this
 scope: AccessScope.INTERNAL,
@@ -125,6 +125,8 @@ export class ConciergeGraphql extends GuStack {
 vpc
 });
+ autoScalingGroup.connections.allowTo(Peer.ipv4("10.0.0.0/8"), Port.tcp(9200), "Allow outgoing connections to Elasticsearch");
+
 //OK - so this is a good idea and should really be in here. But it's damn fiddly so leaving it out for now.
 //The idea is we need a connection to the relevant Elasticsearch instance. So, we define a "connection" (which basically
 //to an egress rule) on our SG which allows egress to the remote ES SG. You still manually need to add a rule on the relevant
@@ -159,9 +161,9 @@ export class ConciergeGraphql extends GuStack {
 getAccountPath(scope:GuStack, isPreview:boolean, elementName: string) {
 const basePath = "/account/vpc";
 if(isPreview) {
- return scope.stage=="CODE" ? `${basePath}/CODE-preview/${elementName}` : `${basePath}/PROD-preview/${elementName}`;
+ return scope.stage.startsWith("CODE") ? `${basePath}/CODE-preview/${elementName}` : `${basePath}/PROD-preview/${elementName}`;
 } else {
- return scope.stage=="CODE" ? `${basePath}/CODE-live/${elementName}` : `${basePath}/PROD-live/${elementName}`;
+ return scope.stage.startsWith("CODE") ? `${basePath}/CODE-live/${elementName}` : `${basePath}/PROD-live/${elementName}`;
 }
 }
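Review bot: The new `allowTo` in the `@@ -125,6 +125,8 @@` hunk opens egress to the whole 10.0.0.0/8 on tcp/9200, which is far wider than the single Elasticsearch cluster its description names, and the comment block directly beneath it still says the Elasticsearch connection is "leaving it out for now", so the file now contradicts itself. Narrowing the rule to the remote Elasticsearch security group (the approach that comment describes) or at least to the Elasticsearch subnets' CIDRs, and lifting the `"10.0.0.0/8"` and `9200` literals into named constants or a GuParameter, would make the intended reach reviewable and keep the snapshot from silently encoding a broad rule. Until that is done, a comment on the new line such as `// Interim: CIDR-wide egress stands in for the Elasticsearch security-group rule described below` keeps the code and the existing comment in step. The enclosing constructor starts and ends outside this hunk.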
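Review bot: The two `startsWith("CODE")` branches in the `@@ -159,9 +161,9 @@` hunk repeat the same stage test and the same template shape, and `getAccountPath` still carries no return type or doc comment. Collapsing them to `const env = scope.stage.startsWith("CODE") ? "CODE" : "PROD";`, `const mode = isPreview ? "preview" : "live";` and `return `${basePath}/${env}-${mode}/${elementName}`;` leaves one place to change if the stage naming shifts again. Every stage not prefixed "CODE" resolves to the PROD-* parameter path; that was already true of the old `==` check, but it is worth stating in a one-line comment above the method so a future non-CODE, non-PROD stage is not silently pointed at production VPC parameters. `getAccountPath` is shown in full; the class it belongs to closes outside the hunk.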