feat(ec2): well-known port aliases (#29793)

### Issue # (if applicable) None as far as I can tell ### Reason for this change The web console lists commonly used ports when adding a rule to a security group, this aims to reproduce this simple quality of life shortcut. It can also help with code readability, and might save people from a typo ### Description of changes * Add well-known static `Port` instances * Intersection of the AWS web console listed ports and the [IANA Service Name and Transport Protocol Port Number Registry](https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt) ### Description of how you validated changes Compared the AWS web console values to the IANA list, and added a unit test to make sure the alias behaved properly ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Apr 12, 2024 · f10494c · f10494c
1 parent 8198884
commit f10494c
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 9 deletions.
diff --git a/packages/aws-cdk-lib/aws-ec2/README.md b/packages/aws-cdk-lib/aws-ec2/README.md
@@ -215,7 +215,7 @@ const provider = ec2.NatProvider.instanceV2({
 new ec2.Vpc(this, 'TheVPC', {
   natGatewayProvider: provider,
 });
-provider.connections.allowFrom(ec2.Peer.ipv4('1.2.3.4/8'), ec2.Port.tcp(80));
+provider.connections.allowFrom(ec2.Peer.ipv4('1.2.3.4/8'), ec2.Port.HTTP);
 ```
 
 You can also customize the characteristics of your NAT instances, including their security group,
@@ -266,7 +266,7 @@ const provider = ec2.NatProvider.instance({
 new ec2.Vpc(this, 'TheVPC', {
   natGatewayProvider: provider,
 });
-provider.connections.allowFrom(ec2.Peer.ipv4('1.2.3.4/8'), ec2.Port.tcp(80));
+provider.connections.allowFrom(ec2.Peer.ipv4('1.2.3.4/8'), ec2.Port.HTTP);
 ```
 
 ### Ip Address Management
@@ -724,13 +724,13 @@ declare const appFleet: autoscaling.AutoScalingGroup;
 declare const dbFleet: autoscaling.AutoScalingGroup;
 
 // Allow connections from anywhere
-loadBalancer.connections.allowFromAnyIpv4(ec2.Port.tcp(443), 'Allow inbound HTTPS');
+loadBalancer.connections.allowFromAnyIpv4(ec2.Port.HTTPS, 'Allow inbound HTTPS');
 
 // The same, but an explicit IP address
-loadBalancer.connections.allowFrom(ec2.Peer.ipv4('1.2.3.4/32'), ec2.Port.tcp(443), 'Allow inbound HTTPS');
+loadBalancer.connections.allowFrom(ec2.Peer.ipv4('1.2.3.4/32'), ec2.Port.HTTPS, 'Allow inbound HTTPS');
 
 // Allow connection between AutoScalingGroups
-appFleet.connections.allowTo(dbFleet, ec2.Port.tcp(443), 'App can call database');
+appFleet.connections.allowTo(dbFleet, ec2.Port.HTTPS, 'App can call database');
 ```
 
 ### Connection Peers
@@ -747,7 +747,7 @@ peer = ec2.Peer.anyIpv4();
 peer = ec2.Peer.ipv6('::0/0');
 peer = ec2.Peer.anyIpv6();
 peer = ec2.Peer.prefixList('pl-12345');
-appFleet.connections.allowTo(peer, ec2.Port.tcp(443), 'Allow outbound HTTPS');
+appFleet.connections.allowTo(peer, ec2.Port.HTTPS, 'Allow outbound HTTPS');
 ```
 
 Any object that has a security group can itself be used as a connection peer:
@@ -758,9 +758,9 @@ declare const fleet2: autoscaling.AutoScalingGroup;
 declare const appFleet: autoscaling.AutoScalingGroup;
 
 // These automatically create appropriate ingress and egress rules in both security groups
-fleet1.connections.allowTo(fleet2, ec2.Port.tcp(80), 'Allow between fleets');
+fleet1.connections.allowTo(fleet2, ec2.Port.HTTP, 'Allow between fleets');
 
-appFleet.connections.allowFromAnyIpv4(ec2.Port.tcp(80), 'Allow from load balancer');
+appFleet.connections.allowFromAnyIpv4(ec2.Port.HTTP, 'Allow from load balancer');
 ```
 
 ### Port Ranges
@@ -770,6 +770,7 @@ the connection specifier:
 
 ```ts
 ec2.Port.tcp(80)
+ec2.Port.HTTPS
 ec2.Port.tcpRange(60000, 65535)
 ec2.Port.allTcp()
 ec2.Port.allIcmp()
@@ -823,7 +824,7 @@ const mySecurityGroupWithoutInlineRules = new ec2.SecurityGroup(this, 'SecurityG
   disableInlineRules: true
 });
 //This will add the rule as an external cloud formation construct
-mySecurityGroupWithoutInlineRules.addIngressRule(ec2.Peer.anyIpv4(), ec2.Port.tcp(22), 'allow ssh access from the world');
+mySecurityGroupWithoutInlineRules.addIngressRule(ec2.Peer.anyIpv4(), ec2.Port.SSH, 'allow ssh access from the world');
 ```
 
 ### Importing an existing security group

diff --git a/packages/aws-cdk-lib/aws-ec2/lib/port.ts b/packages/aws-cdk-lib/aws-ec2/lib/port.ts
@@ -188,6 +188,41 @@ export interface PortProps {
  * Interface for classes that provide the connection-specification parts of a security group rule
  */
 export class Port {
+  /** Well-known SSH port (TCP 22) */
+  public static readonly SSH = Port.tcp(22);
+  /** Well-known SMTP port (TCP 25) */
+  public static readonly SMTP = Port.tcp(25);
+  /** Well-known DNS port (UDP 53) */
+  public static readonly DNS_UDP = Port.udp(53);
+  /** Well-known DNS port (TCP 53) */
+  public static readonly DNS_TCP = Port.tcp(53);
+  /** Well-known HTTP port (TCP 80) */
+  public static readonly HTTP = Port.tcp(80);
+  /** Well-known POP3 port (TCP 110) */
+  public static readonly POP3 = Port.tcp(110);
+  /** Well-known IMAP port (TCP 143) */
+  public static readonly IMAP = Port.tcp(143);
+  /** Well-known LDAP port (TCP 389) */
+  public static readonly LDAP = Port.tcp(389);
+  /** Well-known HTTPS port (TCP 443) */
+  public static readonly HTTPS = Port.tcp(443);
+  /** Well-known SMB port (TCP 445) */
+  public static readonly SMB = Port.tcp(445);
+  /** Well-known IMAPS port (TCP 993) */
+  public static readonly IMAPS = Port.tcp(993);
+  /** Well-known POP3S port (TCP 995) */
+  public static readonly POP3S = Port.tcp(995);
+  /** Well-known Microsoft SQL Server port (TCP 1433) */
+  public static readonly MSSQL = Port.tcp(1433);
+  /** Well-known NFS port (TCP 2049) */
+  public static readonly NFS = Port.tcp(2049);
+  /** Well-known MySQL and Aurora port (TCP 3306) */
+  public static readonly MYSQL_AURORA = Port.tcp(3306);
+  /** Well-known Microsoft Remote Desktop Protocol port (TCP 3389) */
+  public static readonly RDP = Port.tcp(3389);
+  /** Well-known PostgreSQL port (TCP 5432) */
+  public static readonly POSTGRES = Port.tcp(5432);
+
   /**
    * A single TCP port
    */

diff --git a/packages/aws-cdk-lib/aws-ec2/test/security-group.test.ts b/packages/aws-cdk-lib/aws-ec2/test/security-group.test.ts
@@ -503,6 +503,12 @@ describe('security group', () => {
         }],
       });
     });
+
+    test('Static well-known ports are well-defined', () => {
+      // THEN
+      expect(Port.SSH).toEqual(Port.tcp(22));
+      expect(Port.DNS_UDP).toEqual(Port.udp(53));
+    });
   });
 });