I'm trying to add an ingress rule to a Security Group via the AWS CDK using Python. As per the documentation here, there's a method add_ingress_rule() on the class aws_cdk.aws_ec2.

However, when I try to deploy the stack, I get the following error:

AttributeError: 'method' object has no attribute 'jsii__type' Subprocess exited with error 1

Security Group code snippet below:

        sg_elb = ec2.SecurityGroup(
            self,
            id = "sg_elb",
            vpc = vpc,
            security_group_name = "sg_elb"
        )

        sg_elb.add_ingress_rule(
            peer = ec2.Peer.any_ipv4,
            connection = ec2.Port.tcp(443)   # This line seems to be a problem.
        )

There's even the same example (in TypeScript) given on the official documentation here so I'm not sure what I'm doing wrong.

Can anyone advise?

Thanks in advance!

SwapnilJak

3 Answers
I got the following to work using TS, hope it helps some.

const mySG = new ec2.SecurityGroup(this, `${stack}-security-group`, {
    vpc: vpc,
    allowAllOutbound: true,
    description: 'CDK Security Group'
});

mySG.addIngressRule(ec2.Peer.anyIpv4(), ec2.Port.tcp(22), 'SSH frm anywhere');
mySG.addIngressRule(ec2.Peer.ipv4('10.200.0.0/24'), ec2.Port.tcp(5439), 'Redshift Ingress1');
mySG.addIngressRule(ec2.Peer.ipv4('10.0.0.0/24'), ec2.Port.tcp(5439), 'Redshift Ingress2');

Btw, it is not recommended to use an explicit security group name: https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-ec2.SecurityGroup.html

lloiacono
Ultradoxx
  • Oh - so the difference is between any_ipv4 and any_ipv4(). That change has worked for me. Thanks! – SwapnilJak Sep 26 '19 at 11:48
  • `any_ipv4` is a function, so you need to use `any_ipv4()` to call it. – Saksham Feb 28 '20 at 11:45
  • It would be good if the docs mentioned *why* it's not recommended to use an explicit SG name so we can come to an informed decision on whether or not to heed the recommendation. – devklick Sep 02 '21 at 10:20
  • @devklick https://aws.amazon.com/blogs/devops/best-practices-for-developing-cloud-applications-with-aws-cdk/ – drrkmcfrrk Jan 12 '22 at 03:10

In the SDK documentation: "Direct manipulation of the Security Group through addIngressRule and addEgressRule is possible, but mutation through the .connections object is recommended. If you peer two constructs with security groups this way, appropriate rules will be created in both."

So it's better to add rules like this:

from aws_cdk.aws_ec2 import Peer, Port

# sg is an ec2.SecurityGroup (or any construct that exposes .connections)
sg.connections.allow_from(
  Peer.any_ipv4(),
  Port.tcp(22),
  "ssh"
)
Shams Larbi
  • When the original security group is created in another CDK stack, this is a life saver. Otherwise, you'll encounter cyclic dependency errors. Thanks for the solution. – Buğra Ekuklu Aug 15 '23 at 22:34
This worked for me:

        sg = ec2.SecurityGroup(
            self,
            id="sg_1",
            vpc=vpc,
            allow_all_outbound=True,
            description="CDK Security Group"
            # security_group_name = "sg_elb"
            # not recommended https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-ec2.SecurityGroup.html
        )

        sg.add_ingress_rule(
            peer=ec2.Peer.any_ipv4(),
            connection=ec2.Port.tcp(22),
            description="ssh",
        )
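The rules in the answers above open ports to `Peer.any_ipv4()`, which synthesizes to `CidrIp: 0.0.0.0/0`. As an added example (not part of any answer, and not CDK code), here is a small check that runs over the CloudFormation template `cdk synth` writes out and flags rules that expose admin-style ports to the whole internet. The port list and the sample template are constructed for the example; the template mirrors the shape CDK emits, including standalone `AWS::EC2::SecurityGroupIngress` resources, which CDK uses for rules such as the cross-stack case mentioned in the comment above (that mapping is an assumption, not something this page states).

```python
import json

# Constructed policy for this example: ports that should not be reachable from the world.
ADMIN_PORTS = {22, 3389, 5439}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}  # what Peer.any_ipv4() / any_ipv6() synthesize to


def _covers(rule, port):
    """True if the rule's protocol/port range includes `port` ("-1" means all traffic)."""
    if str(rule.get("IpProtocol")) == "-1":
        return True
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def find_world_open_admin_ingress(template, ports=ADMIN_PORTS):
    """Return (logical_id, port, cidr) for every rule opening one of `ports` to the world.
    Checks the inline SecurityGroupIngress list on AWS::EC2::SecurityGroup (what
    add_ingress_rule / connections.allow_from produce) and standalone
    AWS::EC2::SecurityGroupIngress resources (assumed: emitted e.g. for cross-stack rules).
    """
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            rules = props.get("SecurityGroupIngress", [])
        elif res.get("Type") == "AWS::EC2::SecurityGroupIngress":
            rules = [props]
        else:
            continue
        for rule in rules:
            cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
            if cidr not in WORLD_CIDRS:
                continue
            findings.extend((logical_id, p, cidr) for p in sorted(ports) if _covers(rule, p))
    return findings


# Constructed sample in the shape `cdk synth` emits for the rules in the answers above.
SAMPLE_TEMPLATE = json.loads("""{"Resources": {
  "sgelbA1B2C3": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
    "GroupDescription": "CDK Security Group", "SecurityGroupIngress": [
      {"CidrIp": "0.0.0.0/0", "Description": "https", "FromPort": 443, "IpProtocol": "tcp", "ToPort": 443},
      {"CidrIp": "0.0.0.0/0", "Description": "ssh", "FromPort": 22, "IpProtocol": "tcp", "ToPort": 22},
      {"CidrIp": "10.200.0.0/24", "Description": "Redshift Ingress1", "FromPort": 5439, "IpProtocol": "tcp", "ToPort": 5439}]}},
  "crossStackRuleD4E5F6": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
    "GroupId": "sg-PLACEHOLDER", "CidrIpv6": "::/0", "IpProtocol": "-1"}}}}""")

if __name__ == "__main__":
    for logical_id, port, cidr in find_world_open_admin_ingress(SAMPLE_TEMPLATE):
        print(f"{logical_id}: port {port} open to {cidr}")
```

Run it against `cdk.out/<Stack>.template.json` instead of the constructed sample to gate a pipeline; HTTPS on 443 is deliberately not in the default port set, so the ELB rule passes while the SSH rule does not.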