fix: Hardcode the logicalId for GuWazuhAccess

Replacing in-use security groups is difficult as it requires careful orchestration with instances. Hardcoding the logicalId to "WazuhSecurityGroup" regardless of new or migrating stack makes it: - easier for YAML defined stacks to move to GuCDK as the resource will be kept - easier for stacks already using GuCDK to upgrade versions BREAKING CHANGE: * Hardcode the logicalId for `GuWazuhAccess` to `WazuhSecurityGroup`
guardian · Apr 9, 2021 · 3a50488 · 3a50488
1 parent 5a89068
commit 3a50488
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 0 deletions.
diff --git a/src/constructs/ec2/security-groups/wazuh.test.ts b/src/constructs/ec2/security-groups/wazuh.test.ts
@@ -1,4 +1,5 @@
 import "@aws-cdk/assert/jest";
+import "../../../utils/test/jest";
 import { Vpc } from "@aws-cdk/aws-ec2";
 import { Stack } from "@aws-cdk/core";
 import { simpleGuStackForTesting } from "../../../utils/test";
@@ -36,4 +37,18 @@ describe("The GuWazuhAccess class", () => {
       ],
     });
   });
+
+  it("has the logicalId WazuhSecurityGroup in a new stack", () => {
+    const stack = simpleGuStackForTesting({ migratedFromCloudFormation: false });
+    GuWazuhAccess.getInstance(stack, vpc);
+
+    expect(stack).toHaveResourceOfTypeAndLogicalId("AWS::EC2::SecurityGroup", "WazuhSecurityGroup");
+  });
+
+  it("has the logicalId WazuhSecurityGroup in a migrating stack", () => {
+    const stack = simpleGuStackForTesting({ migratedFromCloudFormation: true });
+    GuWazuhAccess.getInstance(stack, vpc);
+
+    expect(stack).toHaveResourceOfTypeAndLogicalId("AWS::EC2::SecurityGroup", "WazuhSecurityGroup");
+  });
 });
diff --git a/src/constructs/ec2/security-groups/wazuh.ts b/src/constructs/ec2/security-groups/wazuh.ts
@@ -1,6 +1,7 @@
 import type { IVpc } from "@aws-cdk/aws-ec2";
 import { Peer } from "@aws-cdk/aws-ec2";
 import type { GuStack } from "../../core";
+import { GuMigratingResource } from "../../core/migrating";
 import { GuBaseSecurityGroup } from "./base";
 
 export class GuWazuhAccess extends GuBaseSecurityGroup {
@@ -17,6 +18,19 @@ export class GuWazuhAccess extends GuBaseSecurityGroup {
         { range: Peer.anyIpv4(), port: 1515, description: "Wazuh agent registration" },
       ],
     });
+
+    /*
+    Replacing in-use security groups is difficult as it requires careful orchestration with instances.
+    Fix the logicalId to "WazuhSecurityGroup" regardless of new or migrating stack.
+    This makes it:
+      - easier for YAML defined stacks to move to GuCDK as the resource will be kept
+      - easier for stacks already using GuCDK to upgrade versions
+     */
+    GuMigratingResource.setLogicalId(
+      this,
+      { migratedFromCloudFormation: true },
+      { existingLogicalId: "WazuhSecurityGroup" }
+    );
   }
 
   public static getInstance(stack: GuStack, vpc: IVpc): GuWazuhAccess {