I'm trying to migrate the following CloudFormation resource to CDK using TypeScript:

```yaml
ALBSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    VpcId: !Ref VPCId
    GroupDescription: !Sub "${Application}-${Environment}-alb-sg"
    SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 443
        ToPort: 443
        CidrIp: !Ref SecurityGroupIngressCidr
```
I have tried with this (I don't know how to create the necessary properties):
```typescript
import { SecurityGroup, Vpc } from '@aws-cdk/aws-ec2';

// Higher-level construct: looks the VPC up by id and creates the group.
const albSecurityGroup = new SecurityGroup(this, "ALBSecurityGroup", {
  vpc: Vpc.fromLookup(this, id, {
    vpcId: props.vpcId.stringValue
  }),
  description: appEnv + "-alb-sg"
});
```
And using Cfn constructor like this (I don't know how to join CfnSecurityGroup with CfnSecurityGroupIngress):
```typescript
import { CfnSecurityGroup, CfnSecurityGroupIngress } from '@aws-cdk/aws-ec2';

// Construct ids must be unique within a scope, so each L1 resource gets its own.
const x = new CfnSecurityGroupIngress(this, "ALBSecurityGroupIngress", {
  ipProtocol: "tcp",
  fromPort: 443,
  toPort: 443,
  cidrIp: props.securityGroupIngressCidr
});
const albSecurityGroupCfn = new CfnSecurityGroup(this, "ALBSecurityGroup", {
  vpcId: props.vpcId.stringValue,
  groupDescription: appEnv + "-alb-sg"
});
```
I appreciate your help.
Your answer looks cleaner by using CfnSecurityGroup, but just for completeness, and to show the approach that can be taken to achieve the same using a higher-order construct, SecurityGroup would be as below:

```typescript
import { SecurityGroup, Peer, Port, Vpc } from '@aws-cdk/aws-ec2';
....
const vpc = Vpc.fromLookup(this, id, {
  vpcId: props.vpcId.stringValue
});
const albSecurityGroup = new SecurityGroup(this, 'MyALBSG', {
  vpc,
  description: appEnv + "-alb-sg",
  allowAllOutbound: true
});
albSecurityGroup.addIngressRule(
  Peer.ipv4(props.securityGroupIngressCidr),
  Port.tcp(443),
  "Allow HTTPS traffic from CIDR IPs"
);
```
....
I would highly suggest going through the overview section of whichever service module you plan to use in CDK. Here is the one for aws-ec2 which shows how SecurityGroup can be written.
You might as well use loadBalancer.connections.allowFrom() directly instead of explicitly creating a security group for your ALB. Assuming your ALB construct is named loadBalancer, this would look something like:

```typescript
loadBalancer.connections.allowFrom(
  Peer.ipv4(props.securityGroupIngressCidr),
  Port.tcp(443),
  'Allow inbound HTTPS from CIDR IPs'
);
```
Today I realized that it was an easy solution.
```typescript
const albSecurityGroupCfn = new CfnSecurityGroup(this, id, {
  vpcId: props.vpcId.stringValue,
  groupDescription: appEnv + "-alb-sg",
  securityGroupIngress: [
    new CfnSecurityGroupIngress(this, id, {
      ipProtocol: "tcp",
      fromPort: 443,
      toPort: 443,
      cidrIp: props.securityGroupIngressCidr
    })
  ]
});
```
Thanks!
UPDATE: (dmahapatro)
With the above approach you would receive a compile-time error showing that you need an appropriate type. Here is a minor tweak to the above solution:

```typescript
import { CfnSecurityGroup } from '@aws-cdk/aws-ec2';

// The ingress rules are plain objects matching CfnSecurityGroup.IngressProperty.
const albSecurityGroupCfn = new CfnSecurityGroup(this, id, {
  vpcId: props.vpcId.stringValue,
  groupDescription: appEnv + "-alb-sg",
  securityGroupIngress: [{
    ipProtocol: "tcp",
    fromPort: 443,
    toPort: 443,
    cidrIp: props.securityGroupIngressCidr
  }]
});
```

securityGroupIngress expects the following types:

`Type: Array<CfnSecurityGroup.IngressProperty | cdk.IResolvable> | cdk.IResolvable`

When you provide an array of CfnSecurityGroupIngress it does not resolve to any of those types. A better way to handle it is using an array of objects, which will coerce to Array<CfnSecurityGroup.IngressProperty> by default. The latest answer shows that you do not need to instantiate CfnSecurityGroupIngress for securityGroupIngress.
On a side note, if VS Code is used as the IDE for CDK, it catches those compile time errors beforehand.
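Because securityGroupIngress is just an array of plain IngressProperty-shaped objects, those rules can be checked before they reach the stack. The following is an added example, not code from the question or the answers: it mirrors the IngressProperty shape locally so it runs without aws-cdk installed, and the policy it enforces (tcp/443 only, source CIDR narrower than the whole internet) is an assumption chosen for the parameterised SecurityGroupIngressCidr in this question.

```typescript
// Local mirror of CfnSecurityGroup.IngressProperty (assumption: only the
// fields used on this page), so the example runs without aws-cdk installed.
interface IngressRule {
  ipProtocol: string;
  fromPort?: number;
  toPort?: number;
  cidrIp?: string;
}

// Builds the same inline entry the accepted fix passes to securityGroupIngress.
function albHttpsIngress(cidr: string): IngressRule[] {
  return [{ ipProtocol: "tcp", fromPort: 443, toPort: 443, cidrIp: cidr }];
}

// Parses "a.b.c.d/n" into a 32-bit address and prefix length; null when invalid.
function parseCidr(cidr: string): { addr: number; bits: number } | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2})$/.exec(cidr);
  if (!m) return null;
  const octets = m.slice(1, 5).map(Number);
  const bits = Number(m[5]);
  if (octets.some((o) => o > 255) || bits > 32) return null;
  const addr = octets.reduce((acc, o) => (acc << 8) | o, 0) >>> 0;
  return { addr, bits };
}

// Returns policy violations for a securityGroupIngress array; empty means OK.
// Policy (assumed for this example): tcp/443 only, no 0.0.0.0/0, canonical CIDR.
function lintAlbIngress(rules: IngressRule[]): string[] {
  const problems: string[] = [];
  rules.forEach((r, i) => {
    const tag = `rule[${i}]`;
    if (r.ipProtocol !== "tcp") problems.push(`${tag}: protocol ${r.ipProtocol} is not tcp`);
    if (r.fromPort !== 443 || r.toPort !== 443) {
      problems.push(`${tag}: port range ${r.fromPort}-${r.toPort} is not 443 only`);
    }
    const cidr = r.cidrIp === undefined ? null : parseCidr(r.cidrIp);
    if (!cidr) {
      problems.push(`${tag}: cidrIp ${r.cidrIp} is not a valid IPv4 CIDR`);
      return;
    }
    if (cidr.bits === 0) problems.push(`${tag}: cidrIp ${r.cidrIp} allows the whole internet`);
    // Host bits set (e.g. 10.0.0.1/8) usually means the prefix was mistyped.
    const mask = cidr.bits === 0 ? 0 : (~0 << (32 - cidr.bits)) >>> 0;
    if (((cidr.addr & mask) >>> 0) !== cidr.addr) {
      problems.push(`${tag}: cidrIp ${r.cidrIp} has host bits set`);
    }
  });
  return problems;
}
```

Run lintAlbIngress over the array before handing it to CfnSecurityGroup and fail the synth step on a non-empty result.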