Merge branch 'main' of https://github.com/flaviostutz/cdk-practical-c…

…onstructs into feat/lifecycle-control
flaviostutz · Nov 11, 2024 · 93a9115 · 93a9115
2 parents caeb44b + 078a24d
commit 93a9115
Show file tree

Hide file tree

Showing 11 changed files with 186 additions and 207 deletions.
diff --git a/examples/pnpm-lock.yaml b/examples/pnpm-lock.yaml
diff --git a/examples/src/cdk/configs.ts b/examples/src/cdk/configs.ts
@@ -6,7 +6,6 @@ import { TestConfig } from './types/TestConfig';
 export const testStageConfigs: StagesConfig<TestConfig> = {
   default: {
     lambda: {
-      allowAllOutbound: true,
       logGroupRetention: RetentionDays.ONE_WEEK,
     },
   },

diff --git a/examples/src/lambda/cdk.ts b/examples/src/lambda/cdk.ts
@@ -11,6 +11,22 @@ import {
 import { Construct } from 'constructs';
 
 export const addLambdaGetTest = (scope: Construct): void => {
+  const vpc = vpcFromConfig(scope, {
+    // get these from your actual AWS account configuration
+    vpcId: 'aaa',
+    availabilityZones: ['a'],
+    privateSubnetIds: ['a'],
+    privateSubnetRouteTableIds: ['a'],
+  });
+  const customSG = new SecurityGroup(scope, 'customsg', {
+    vpc,
+    description: 'custom sg',
+    allowAllOutbound: false,
+  });
+  customSG.addIngressRule(Peer.ipv4('9.9.9.9/32'), Port.allTraffic(), 'allow ingress');
+  customSG.addEgressRule(Peer.ipv4('8.8.8.8/32'), Port.allTraffic(), 'allow egress');
+  customSG.addEgressRule(Peer.ipv4('1.2.3.4/32'), Port.tcp(8888), 'Sample egress rule');
+
   const lambdaConfig: BaseNodeJsProps = {
     stage: 'dev',
     network: {
@@ -26,29 +42,14 @@ export const addLambdaGetTest = (scope: Construct): void => {
     },
     baseCodePath: 'src/lambda',
     logGroupRetention: RetentionDays.FIVE_DAYS,
+    securityGroups: [customSG],
   };
 
-  if (!lambdaConfig.network) throw new Error('network should be defined');
-  const vpc = vpcFromConfig(scope, lambdaConfig.network);
-
-  const customSG = new SecurityGroup(scope, 'customsg', {
-    vpc,
-    description: 'custom sg',
-    allowAllOutbound: false,
-  });
-  customSG.addIngressRule(Peer.ipv4('9.9.9.9/32'), Port.allTraffic(), 'allow ingress');
-  customSG.addEgressRule(Peer.ipv4('8.8.8.8/32'), Port.allTraffic(), 'allow egress');
-  lambdaConfig.securityGroups = [customSG];
   lambdaConfig.logGroupSubscriberLambdaArn = {
     type: LogGroupSubscriberLambdaArnType.Arn,
     value: 'arn:aws:lambda:eu-west-1:012345678:function:tstLogging',
   };
 
   const func = new BaseNodeJsFunction(scope, 'getTest', lambdaConfig);
-  if (!func.defaultSecurityGroup) throw new Error('defaultSecurityGroup should be defined');
-  func.defaultSecurityGroup.addEgressRule(
-    Peer.ipv4('1.2.3.4/32'),
-    Port.tcp(8888),
-    'Sample egress rule',
-  );
+  if (!func.defaultLogGroup) throw new Error('defaultLogGroup should be created by default');
 };
diff --git a/lib/package.json b/lib/package.json
@@ -68,10 +68,13 @@
     "access": "public",
     "registry": "https://registry.npmjs.org"
   },
+  "//pnpm.overrides.braces": "braces is used by @stoplight/spectral-cli - Open issue: https://github.com/stoplightio/spectral/issues/2639. We will remove this override once the issue is fixed.",
+  "//pnpm.overrides.jsonpath-plus": "jsonpath-plus is used by @stoplight/spectral-cli and the safe version is not used yet by this library",
   "pnpm": {
     "overrides": {
       "braces@<3.0.3": ">=3.0.3",
-      "rollup@<3.29.5": ">=3.29.5"
+      "rollup@<3.29.5": ">=3.29.5",
+      "jsonpath-plus": ">=10"
     }
   }
 }
diff --git a/lib/pnpm-lock.yaml b/lib/pnpm-lock.yaml
diff --git a/lib/src/config/configs.test.ts b/lib/src/config/configs.test.ts
@@ -1,6 +1,5 @@
 /* eslint-disable camelcase */
 import { RetentionDays } from 'aws-cdk-lib/aws-logs';
-import { Peer, Port } from 'aws-cdk-lib/aws-ec2';
 
 import { LambdaConfig } from '..';
 
@@ -13,7 +12,6 @@ type TestConfig = StageConfig & {
 const testStageConfigs: StagesConfig<TestConfig> = {
   default: {
     lambda: {
-      allowOutboundTo: [{ peer: Peer.anyIpv4(), port: Port.allTraffic() }],
       logGroupRetention: RetentionDays.ONE_WEEK,
     },
   },
@@ -35,25 +33,21 @@ const testStageConfigs: StagesConfig<TestConfig> = {
 describe('configs', () => {
   it('resolve config with dev overrides', async () => {
     const stageConfig = resolveStageConfig<TestConfig>('dev', testStageConfigs);
-    expect(stageConfig.lambda.allowOutboundTo?.length).toBe(1);
     expect(stageConfig.lambda.logGroupRetention).toBe(RetentionDays.ONE_DAY);
   });
 
   it('resolve stage "dev-pr-123" with same contents as stage "dev"', async () => {
     const stageConfig = resolveStageConfig<TestConfig>('dev-pr-123', testStageConfigs);
-    expect(stageConfig.lambda.allowOutboundTo?.length).toBe(1);
     expect(stageConfig.lambda.logGroupRetention).toBe(RetentionDays.ONE_DAY);
   });
 
   it('resolve prd config with defaults', async () => {
     const stageConfig = resolveStageConfig<TestConfig>('tst', testStageConfigs);
-    expect(stageConfig.lambda.allowOutboundTo?.length).toBe(1);
     expect(stageConfig.lambda.logGroupRetention).toBe(RetentionDays.ONE_WEEK);
   });
 
   it('resolve acc config with defaults', async () => {
     const stageConfig = resolveStageConfig<TestConfig>('prd', testStageConfigs);
-    expect(stageConfig.lambda.allowOutboundTo?.length).toBe(1);
     expect(stageConfig.lambda.logGroupRetention).toBe(RetentionDays.SIX_MONTHS);
   });
 });
diff --git a/lib/src/lambda/lambda-base.test.ts b/lib/src/lambda/lambda-base.test.ts
@@ -16,6 +16,22 @@ describe('lambda-base', () => {
     const app = new App();
     const stack = new Stack(app);
 
+    const vpc = vpcFromConfig(stack, {
+      vpcId: 'aaa',
+      availabilityZones: ['a'],
+      privateSubnetIds: ['a'],
+      privateSubnetRouteTableIds: ['a'],
+    });
+
+    const customSG = new SecurityGroup(stack, 'customsg', {
+      vpc,
+      description: 'custom sg',
+      allowAllOutbound: false,
+    });
+    customSG.addIngressRule(Peer.ipv4('9.9.9.9/32'), Port.allTraffic(), 'allow ingress');
+    customSG.addEgressRule(Peer.ipv4('8.8.8.8/32'), Port.allTraffic(), 'allow egress');
+    customSG.addEgressRule(Peer.ipv4('1.2.3.4/32'), Port.tcp(8888), 'Sample egress rule');
+
     const lambdaConfig: BaseNodeJsProps = {
       stage: 'dev',
       network: {
@@ -32,33 +48,18 @@ describe('lambda-base', () => {
         minCapacity: 3,
       },
       logGroupRetention: RetentionDays.FIVE_DAYS,
+      securityGroups: [customSG],
     };
 
     if (!lambdaConfig.network) throw new Error('lambdaConfig.network should be defined');
-    const vpc = vpcFromConfig(stack, lambdaConfig.network);
     if (!vpc) throw new Error('vpc should be defined');
 
-    const customSG = new SecurityGroup(stack, 'customsg', {
-      vpc,
-      description: 'custom sg',
-      allowAllOutbound: false,
-    });
-    customSG.addIngressRule(Peer.ipv4('9.9.9.9/32'), Port.allTraffic(), 'allow ingress');
-    customSG.addEgressRule(Peer.ipv4('8.8.8.8/32'), Port.allTraffic(), 'allow egress');
-    lambdaConfig.securityGroups = [customSG];
     lambdaConfig.logGroupSubscriberLambdaArn = {
       type: LogGroupSubscriberLambdaArnType.Arn,
       value: 'arn:aws:lambda:eu-west-1:012345678:function:tstLogging',
     };
 
     const func = new BaseNodeJsFunction(stack, 'test-lambda', lambdaConfig);
-    if (!func.defaultSecurityGroup) throw new Error('defaultSecurityGroup should be defined');
-    func.defaultSecurityGroup.addEgressRule(
-      Peer.ipv4('1.2.3.4/32'),
-      Port.tcp(8888),
-      'Sample egress rule',
-    );
-
     expect(func).toBeDefined();
     expect(func.nodeJsFunction.runtime).toBe(Runtime.NODEJS_20_X);
     expect(func.nodeJsFunction.node.id).toBe('test-lambda');
@@ -97,15 +98,13 @@ describe('lambda-base', () => {
       RetentionInDays: 5,
     });
 
-    template.hasResourceProperties('AWS::EC2::SecurityGroup', {
-      GroupDescription: 'Default security group for Lambda test-lambda',
-      SecurityGroupEgress: [{ CidrIp: '1.2.3.4/32', FromPort: 8888, IpProtocol: 'tcp' }],
-    });
-
     template.hasResourceProperties('AWS::EC2::SecurityGroup', {
       GroupDescription: 'custom sg',
       SecurityGroupIngress: [{ CidrIp: '9.9.9.9/32' }],
-      SecurityGroupEgress: [{ CidrIp: '8.8.8.8/32' }],
+      SecurityGroupEgress: [
+        { CidrIp: '8.8.8.8/32' },
+        { CidrIp: '1.2.3.4/32', FromPort: 8888, IpProtocol: 'tcp' },
+      ],
     });
 
     template.hasResourceProperties('AWS::Logs::SubscriptionFilter', {
@@ -178,7 +177,7 @@ describe('lambda-base', () => {
         stage: 'dev',
         eventType: EventType.Http,
         baseCodePath: 'src/lambda/__tests__',
-        allowOutboundTo: [{ peer: Peer.ipv4('0.0.0.0/0'), port: Port.tcp(443) }],
+        // allowOutboundTo: [{ peer: Peer.ipv4('0.0.0.0/0'), port: Port.tcp(443) }],
       });
     };
     expect(f).toThrow();
@@ -270,11 +269,6 @@ describe('lambda-base', () => {
       },
     });
 
-    template.hasResourceProperties('AWS::EC2::SecurityGroup', {
-      GroupDescription: 'Default security group for Lambda test-lambda',
-      SecurityGroupEgress: [{ CidrIp: '255.255.255.255/32', Description: 'Disallow all traffic' }],
-    });
-
     template.hasResource('AWS::Lambda::Version', {});
 
     template.hasResourceProperties('AWS::Lambda::Alias', {