|
1 | 1 | import * as cdk from "aws-cdk-lib";
|
2 | 2 | import * as cdkConstructs from 'constructs';
|
3 | 3 | import * as ec2 from "aws-cdk-lib/aws-ec2";
|
| 4 | +import * as nag from "cdk-nag"; |
4 | 5 |
|
5 | 6 | export interface SuiNodeSecurityGroupConstructProps {
|
6 | 7 | vpc: cdk.aws_ec2.IVpc;
|
7 | 8 | }
|
8 | 9 |
|
9 |
| - export class SuiNodeSecurityGroupConstruct extends cdkConstructs.Construct { |
10 |
| - public securityGroup: cdk.aws_ec2.ISecurityGroup; |
| 10 | +export class SuiNodeSecurityGroupConstruct extends cdkConstructs.Construct { |
| 11 | + public securityGroup: cdk.aws_ec2.ISecurityGroup; |
11 | 12 |
|
12 |
| - constructor(scope: cdkConstructs.Construct, id: string, props: SuiNodeSecurityGroupConstructProps) { |
13 |
| - super(scope, id); |
| 13 | + constructor(scope: cdkConstructs.Construct, id: string, props: SuiNodeSecurityGroupConstructProps) { |
| 14 | + super(scope, id); |
14 | 15 |
|
15 |
| - const { |
16 |
| - vpc, |
17 |
| - } = props; |
| 16 | + const { |
| 17 | + vpc, |
| 18 | + } = props; |
18 | 19 |
|
19 |
| - const sg = new ec2.SecurityGroup(this, `rpc-node-security-group`, { |
20 |
| - vpc, |
21 |
| - description: "Security Group for Blockchain nodes", |
22 |
| - allowAllOutbound: true, |
23 |
| - }); |
| 20 | + const sg = new ec2.SecurityGroup(this, `rpc-node-security-group`, { |
| 21 | + vpc, |
| 22 | + description: "Security Group for Blockchain nodes", |
| 23 | + allowAllOutbound: true, |
| 24 | + }); |
24 | 25 |
|
25 |
| - // Private port |
26 |
| - sg.addIngressRule(ec2.Peer.anyIpv4(), ec2.Port.udp(8084), "Sui P2P"); |
27 |
| - sg.addIngressRule(ec2.Peer.anyIpv4(), ec2.Port.tcp(9184), "Sui Metrics"); |
28 |
| - sg.addIngressRule(ec2.Peer.ipv4(vpc.vpcCidrBlock), ec2.Port.tcp(9000), "JSON-RPC"); |
29 |
| - sg.addIngressRule(ec2.Peer.ipv4(vpc.vpcCidrBlock), ec2.Port.tcp(22), "SSH"); |
| 26 | + // Private port |
| 27 | + sg.addIngressRule(ec2.Peer.anyIpv4(), ec2.Port.udp(8084), "Sui P2P"); |
| 28 | + sg.addIngressRule(ec2.Peer.anyIpv4(), ec2.Port.tcp(9184), "Sui Metrics"); |
| 29 | + sg.addIngressRule(ec2.Peer.ipv4(vpc.vpcCidrBlock), ec2.Port.tcp(9000), "JSON-RPC"); |
| 30 | + sg.addIngressRule(ec2.Peer.ipv4(vpc.vpcCidrBlock), ec2.Port.tcp(22), "SSH"); |
30 | 31 |
|
31 |
| - this.securityGroup = sg |
32 |
| - } |
| 32 | + this.securityGroup = sg |
| 33 | + |
| 34 | + /** |
| 35 | + * cdk-nag suppressions |
| 36 | + */ |
| 37 | + nag.NagSuppressions.addResourceSuppressions( |
| 38 | + this, |
| 39 | + [ |
| 40 | + { |
| 41 | + id: "AwsSolutions-EC23", |
| 42 | + reason: "Sui requires wildcard inbound for specific ports", |
| 43 | + }, |
| 44 | + ], |
| 45 | + true |
| 46 | + ); |
| 47 | + |
33 | 48 | }
|
| 49 | +} |
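Review bot: The "Sui Metrics" rule on new line 28 still opens TCP 9184 to `ec2.Peer.anyIpv4()`, and the blanket AwsSolutions-EC23 suppression added at lines 37–46 now hides it with a reason that only justifies the P2P port; a metrics endpoint is normally scraped from inside the VPC (or a monitoring security group), so I would change it to `sg.addIngressRule(ec2.Peer.ipv4(vpc.vpcCidrBlock), ec2.Port.tcp(9184), "Sui Metrics");` unless an external scraper genuinely needs it, and narrow the reason to `"Sui P2P (UDP 8084) must accept inbound from any peer; all other ports are VPC-scoped"`. The trailing `true` argument (applyToChildren, if I read the cdk-nag signature right) means any rule added to this construct later is also exempt from EC23, so the suppression should be re-reviewed whenever a rule is added. The `// Private port` comment on line 26 is also misleading, since the first two rules beneath it are world-reachable; something like `// Ports reachable from the Internet` above lines 27–28 and `// VPC-internal ports` above lines 29–30 would match the code. `allowAllOutbound: true` on line 23 is not covered by EC23 at all; if egress is meant to be unrestricted, a one-line comment saying why would make that deliberate rather than default.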