aws · mergify · Aug 5, 2022 · Aug 3, 2022 · Aug 4, 2022 · Aug 4, 2022
diff --git a/packages/@aws-cdk/aws-batch/README.md b/packages/@aws-cdk/aws-batch/README.md
@@ -74,6 +74,22 @@ const spotEnvironment = new batch.ComputeEnvironment(this, 'MySpotEnvironment',
 });
 ```
 
+### Compute Environments and Security Groups
+
+Compute Environments implement the `IConnectable` interface, which means you can use
+connections on other CDK resources to manipulate the security groups and allow access.
+
+For example, allowing a Compute Environment to access an EFS filesystem:
+
+```ts
+import * as efs from '@aws-cdk/aws-efs';
+
+declare const fileSystem: efs.FileSystem;
+declare const computeEnvironment: batch.ComputeEnvironment;
+
+fileSystem.connections.allowDefaultPortFrom(computeEnvironment);
+```
+
 ### Fargate Compute Environment
 
 It is possible to have AWS Batch submit jobs to be run on Fargate compute resources. Below is an example of how this can be done:

diff --git a/packages/@aws-cdk/aws-batch/lib/compute-environment.ts b/packages/@aws-cdk/aws-batch/lib/compute-environment.ts
@@ -323,7 +323,7 @@ export interface IComputeEnvironment extends IResource {
  *
  * Defines a batch compute environment to run batch jobs on.
  */
-export class ComputeEnvironment extends Resource implements IComputeEnvironment {
+export class ComputeEnvironment extends Resource implements IComputeEnvironment, ec2.IConnectable {
   /**
    * Fetches an existing batch compute environment by its amazon resource name.
    *
@@ -357,6 +357,11 @@ export class ComputeEnvironment extends Resource implements IComputeEnvironment
    */
   public readonly computeEnvironmentName: string;
 
+  /**
+   * Connections for this compute environment.
+   */
+  public readonly connections: ec2.Connections;
+
   constructor(scope: Construct, id: string, props: ComputeEnvironmentProps = { enabled: true, managed: true }) {
     super(scope, id, {
       physicalName: props.computeEnvironmentName,
@@ -370,8 +375,11 @@ export class ComputeEnvironment extends Resource implements IComputeEnvironment
     const spotFleetRole = this.getSpotFleetRole(props);
     let computeResources: CfnComputeEnvironment.ComputeResourcesProperty | undefined;
 
+    this.connections = this.buildConnections(props.computeResources?.vpc, props.computeResources?.securityGroups);
+
     // Only allow compute resources to be set when using MANAGED type
     if (props.computeResources && this.isManaged(props)) {
+
       computeResources = {
         bidPercentage: props.computeResources.bidPercentage,
         desiredvCpus: props.computeResources.desiredvCpus,
@@ -380,7 +388,7 @@ export class ComputeEnvironment extends Resource implements IComputeEnvironment
         launchTemplate: props.computeResources.launchTemplate,
         maxvCpus: props.computeResources.maxvCpus || 256,
         placementGroup: props.computeResources.placementGroup,
-        securityGroupIds: this.buildSecurityGroupIds(props.computeResources.vpc, props.computeResources.securityGroups),
+        securityGroupIds: this.getSecurityGroupIds(),
         spotIamFleetRole: spotFleetRole?.roleArn,
         subnets: props.computeResources.vpc.selectSubnets(props.computeResources.vpcSubnets).subnetIds,
         tags: props.computeResources.computeResourcesTags,
@@ -576,14 +584,29 @@ export class ComputeEnvironment extends Resource implements IComputeEnvironment
     return instanceTypes.map((type: ec2.InstanceType) => type.toString());
   }
 
-  private buildSecurityGroupIds(vpc: ec2.IVpc, securityGroups?: ec2.ISecurityGroup[]): string[] | undefined {
+  private buildConnections(vpc?: ec2.IVpc, securityGroups?:ec2.ISecurityGroup[]): ec2.Connections {
+
+    if (vpc === undefined) {
+      return new ec2.Connections({});
+    }
+
     if (securityGroups === undefined) {
-      return [
-        new ec2.SecurityGroup(this, 'Resource-Security-Group', { vpc }).securityGroupId,
-      ];
+      return new ec2.Connections({
+        securityGroups: [
+          new ec2.SecurityGroup(this, 'Resource-Security-Group', { vpc }),
+        ],
+      });
+    }
+
+    return new ec2.Connections({ securityGroups });
+  };
+
+  private getSecurityGroupIds(): string[] | undefined {
+    if (this.connections === undefined) {
+      return undefined;
     }
 
-    return securityGroups.map((group: ec2.ISecurityGroup) => group.securityGroupId);
+    return this.connections.securityGroups.map((group: ec2.ISecurityGroup) => group.securityGroupId);
   }
 
   /**

diff --git a/packages/@aws-cdk/aws-batch/package.json b/packages/@aws-cdk/aws-batch/package.json
@@ -93,6 +93,7 @@
     "@aws-cdk/aws-ec2": "0.0.0",
     "@aws-cdk/aws-ecr": "0.0.0",
     "@aws-cdk/aws-ecs": "0.0.0",
+    "@aws-cdk/aws-efs": "0.0.0",
     "@aws-cdk/aws-iam": "0.0.0",
     "@aws-cdk/aws-secretsmanager": "0.0.0",
     "@aws-cdk/aws-ssm": "0.0.0",
@@ -104,6 +105,7 @@
     "@aws-cdk/aws-ec2": "0.0.0",
     "@aws-cdk/aws-ecr": "0.0.0",
     "@aws-cdk/aws-ecs": "0.0.0",
+    "@aws-cdk/aws-efs": "0.0.0",
     "@aws-cdk/aws-iam": "0.0.0",
     "@aws-cdk/aws-secretsmanager": "0.0.0",
     "@aws-cdk/aws-ssm": "0.0.0",

diff --git a/...tch-with-efs.integ.snapshot/BatchWithEFSTestDefaultTestDeployAssert0F887B55.template.json b/...tch-with-efs.integ.snapshot/BatchWithEFSTestDefaultTestDeployAssert0F887B55.template.json
@@ -0,0 +1 @@
+{}