How to Import Security group from another stack using #AWS-CDK?

Rumman Ahmed picture Rumman Ahmed · Oct 22, 2018 · Viewed 7.6k times · Source

I would like to know how to import security group defined in another stack, and then use in current stack.

I have tried this so far..

class relayStack extends cdk.Stack {
    public sg_relay: ec2.SecurityGroupRefProps

    constructor(parent: cdk.App, name: string, props: VPCProps) {
        super(parent, name, props);

        //#IMPORT VPC PROPS
        const vpc = ec2.VpcNetwork.import(this, 'VPC-Hottest100', props.infra.vpc);
        //#AUTOSCALING GROUP
        const asg_relayServer = new ec2.AutoScalingGroup(this, 'ASG_Relay', {
            vpc,
            instanceType: new ec2.InstanceTypePair(ec2.InstanceClass.T2, ec2.InstanceSize.Small),
            minSize: 1,
            maxSize: 3,
            desiredCapacity: 1,
            machineImage: new ec2.GenericLinuxImage({
                "ap-southeast-2": "ami-dc361ebf",
            }),
            keyName: 'icecast-poc',
            allowAllOutbound: false,
            vpcPlacement: {
                usePublicSubnets: false
            }
        });

        //#SECURITY Group
        const sg_relay = new ec2.SecurityGroup(this, 'SG_RELAY', {
            vpc,
            description: "Relay stack security group",
            groupName: 'relay-sg'
        })


        this.sg_relay = sg_relay
    }
}

And then from another stack I would like to access the exported security group sg_relay

I have tried following

//#SECURITY GROUP
const sg_nginx = new ec2.SecurityGroup(this, "SG_NGINX", {
    vpc,
    description: "NGINX stack security group",
    groupName: 'nginx-sg'
})

const sg_relayImp = new ec2.SecurityGroupRef(this, "SG_RELAY_IMP", {
    securityGroupId: new ec2.SecurityGroupId('SG_RELAY')
})

And then use as following

sg_nginx.addIngressRule(sg_relayImp, wowzaPort, 'asg_RelyToNgn_8000')

Obviously its not working for me.

I could not find any import function for security group between stacks, like vpc has one.

Could anyone please help me with this situation?

Answer

Kane picture Kane · Aug 21, 2019

You can directly refer the cross-stack resources in an app.

Below is a code snippet,

export class InfraCdkStack extends cdk.Stack {
  // Create a readonly property to reference on an instance.
  readonly vpc: ec2.IVpc;

  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // The code that defines your stack goes here.
    // Assign your vpc to your previously created property.
    // Creates a vpc in two AZs.
    this.vpc = new ec2.Vpc(this, 'MyVPC');
  }
}

// Create an interface to hold the vpc information.
interface ECSStackProps extends cdk.StackProps {
  vpc: ec2.IVpc;
}

// Have your class constructor accept the interface.
export class ECSCdkStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props: ECSStackProps) {
    super(scope, id, props);
}

const app = new cdk.App();
const infraStack = new InfraCdkStack(app, 'InfraCdkStack');
// Pass the infraStack.vpc property to the ECSCdkStack class.
const gameECSStack = new ECSCdkStack(app, 'ECSCdkStack', {
    vpc: infraStack.vpc
});

There is an example in official doc to demonstrate how sharing s3 bucket.