Expand configuration options for Security Group configuration #307

Closed
2 tasks
ddneilson opened this issue Feb 3, 2021 · 0 comments · Fixed by #319
Labels
feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged.

Comments

@ddneilson

It is not currently possible to provide/configure the Security Group for:

  1. Repository -- https://docs.aws.amazon.com/rfdk/api/latest/docs/aws-rfdk.deadline.Repository.html
  2. The RCS host instance in RenderQueue -- https://docs.aws.amazon.com/rfdk/api/latest/docs/aws-rfdk.deadline.RenderQueue.html

It would be grand to be able to have fine-grained control over those security groups.

Use Case

Presently, the security groups created for these resources allow full-egress by default. Customers that are aiming for enhanced layers of network-level access controls have a need to set these security groups to deny all egress by default, and to explicitly add their own egress rules.

Customers may also have created their own security group that, say, controls access to VPC Interface Endpoints, and they need a means by which those security groups can be added to the Repository & RenderQueue's hosts.

Proposed Solution

  1. Property on the construct(s) that allows providing the security group that will be used. Note: RenderQueue should provide separate properties for the ALB & ECS host; the Connections object of the RenderQueue should remain as the ALB's SG, but there should also be an easy-access way to get to the RCS-host's SG.
  2. Addition of an addSecurityGroup() method (ex: https://docs.aws.amazon.com/rfdk/api/latest/docs/aws-rfdk.deadline.WorkerInstanceFleet.html#add-wbr-security-wbr-groupsecuritygroup) to these constructs that allows the customer to add additional security groups to the construct after creation. In the RenderQueue, there should be separate methods for the ALB & RCS SGs. Note: These additional security groups should not be added to the Connections object of the construct -- doing that would make any use of the construct's Connections object also change the added SGs.

Other

N/A

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request

@ddneilson ddneilson added needs-triage This issue or PR still needs to be triaged. feature-request A feature should be added or improved. labels Feb 3, 2021
@jericht jericht self-assigned this Feb 18, 2021