Merge pull request #371 from guardian/aa-wazuh-singleton

feat: make Wazuh access security group a singleton

src/constructs/ec2/security-group.test.ts → src/constructs/ec2/security-groups/base.test.ts

@@ -1,15 +1,10 @@
-import { SynthUtils } from "@aws-cdk/assert";
 import "@aws-cdk/assert/jest";
+import { SynthUtils } from "@aws-cdk/assert";
 import { Peer, Port, Vpc } from "@aws-cdk/aws-ec2";
 import { Stack } from "@aws-cdk/core";
-import { simpleGuStackForTesting } from "../../utils/test";
-import type { SynthedStack } from "../../utils/test";
-import {
-  GuHttpsEgressSecurityGroup,
-  GuPublicInternetAccessSecurityGroup,
-  GuSecurityGroup,
-  GuWazuhAccess,
-} from "./security-groups";
+import { simpleGuStackForTesting } from "../../../utils/test";
+import type { SynthedStack } from "../../../utils/test";
+import { GuHttpsEgressSecurityGroup, GuPublicInternetAccessSecurityGroup, GuSecurityGroup } from "./base";
 
 describe("The GuSecurityGroup class", () => {
   const vpc = Vpc.fromVpcAttributes(new Stack(), "VPC", {
@@ -111,68 +106,6 @@ describe("The GuSecurityGroup class", () => {
   });
 });
 
-describe("The GuWazuhAccess class", () => {
-  const vpc = Vpc.fromVpcAttributes(new Stack(), "VPC", {
-    vpcId: "test",
-    availabilityZones: [""],
-    publicSubnetIds: [""],
-  });
-
-  it("sets props as expected", () => {
-    const stack = simpleGuStackForTesting();
-
-    new GuWazuhAccess(stack, "WazuhSecurityGroup", { vpc });
-
-    expect(stack).toHaveResource("AWS::EC2::SecurityGroup", {
-      GroupDescription: "Wazuh agent registration and event logging",
-      SecurityGroupEgress: [
-        {
-          CidrIp: "0.0.0.0/0",
-          Description: "Wazuh event logging",
-          FromPort: 1514,
-          IpProtocol: "tcp",
-          ToPort: 1514,
-        },
-        {
-          CidrIp: "0.0.0.0/0",
-          Description: "Wazuh agent registration",
-          FromPort: 1515,
-          IpProtocol: "tcp",
-          ToPort: 1515,
-        },
-      ],
-    });
-  });
-
-  it("merges default and passed in props", () => {
-    const stack = simpleGuStackForTesting();
-
-    new GuWazuhAccess(stack, "WazuhSecurityGroup", { vpc, description: "This is a test" });
-
-    expect(stack).toHaveResource("AWS::EC2::SecurityGroup", {
-      GroupDescription: "This is a test",
-    });
-  });
-
-  it("overrides the id if the prop is set to true", () => {
-    const stack = simpleGuStackForTesting();
-
-    new GuWazuhAccess(stack, "WazuhSecurityGroup", { vpc });
-
-    const json = SynthUtils.toCloudFormation(stack) as SynthedStack;
-    expect(Object.keys(json.Resources)).toContain("WazuhSecurityGroup");
-  });
-
-  it("does not overrides the id if the prop is set to false", () => {
-    const stack = simpleGuStackForTesting();
-
-    new GuWazuhAccess(stack, "WazuhSecurityGroup", { vpc, overrideId: false });
-
-    const json = SynthUtils.toCloudFormation(stack) as SynthedStack;
-    expect(Object.keys(json.Resources)).not.toContain("WazuhSecurityGroup");
-  });
-});
-
 describe("The GuPublicInternetAccessSecurityGroup class", () => {
   const vpc = Vpc.fromVpcAttributes(new Stack(), "VPC", {
     vpcId: "test",

src/constructs/ec2/security-groups.ts → src/constructs/ec2/security-groups/base.ts

@@ -1,6 +1,6 @@
 import type { CfnSecurityGroup, IPeer, SecurityGroupProps } from "@aws-cdk/aws-ec2";
 import { Peer, Port, SecurityGroup } from "@aws-cdk/aws-ec2";
-import type { GuStack } from "../core";
+import type { GuStack } from "../../core";
 
 /**
  * A way to describe an ingress or egress rule for a security group.
@@ -68,27 +68,6 @@ export class GuSecurityGroup extends SecurityGroup {
   }
 }
 
-export class GuWazuhAccess extends GuSecurityGroup {
-  private static getDefaultProps(): Partial<GuSecurityGroupProps> {
-    return {
-      description: "Wazuh agent registration and event logging",
-      overrideId: true,
-      allowAllOutbound: false,
-      egresses: [
-        { range: Peer.anyIpv4(), port: 1514, description: "Wazuh event logging" },
-        { range: Peer.anyIpv4(), port: 1515, description: "Wazuh agent registration" },
-      ],
-    };
-  }
-
-  constructor(scope: GuStack, id: string, props: GuSecurityGroupProps) {
-    super(scope, id, {
-      ...GuWazuhAccess.getDefaultProps(),
-      ...props,
-    });
-  }
-}
-
 export class GuPublicInternetAccessSecurityGroup extends GuSecurityGroup {
   constructor(scope: GuStack, id: string, props: SecurityGroupProps) {
     super(scope, id, {

src/constructs/ec2/security-groups/index.ts

@@ -0,0 +1,2 @@
+export * from "./base";
+export * from "./wazuh";

src/constructs/ec2/security-groups/wazuh.test.ts

@@ -0,0 +1,39 @@
+import "@aws-cdk/assert/jest";
+import { Vpc } from "@aws-cdk/aws-ec2";
+import { Stack } from "@aws-cdk/core";
+import { simpleGuStackForTesting } from "../../../utils/test";
+import { GuWazuhAccess } from "./wazuh";
+
+describe("The GuWazuhAccess class", () => {
+  const vpc = Vpc.fromVpcAttributes(new Stack(), "VPC", {
+    vpcId: "test",
+    availabilityZones: [""],
+    publicSubnetIds: [""],
+  });
+
+  it("sets props as expected", () => {
+    const stack = simpleGuStackForTesting();
+
+    GuWazuhAccess.getInstance(stack, vpc);
+
+    expect(stack).toHaveResource("AWS::EC2::SecurityGroup", {
+      GroupDescription: "Wazuh agent registration and event logging",
+      SecurityGroupEgress: [
+        {
+          CidrIp: "0.0.0.0/0",
+          Description: "Wazuh event logging",
+          FromPort: 1514,
+          IpProtocol: "tcp",
+          ToPort: 1514,
+        },
+        {
+          CidrIp: "0.0.0.0/0",
+          Description: "Wazuh agent registration",
+          FromPort: 1515,
+          IpProtocol: "tcp",
+          ToPort: 1515,
+        },
+      ],
+    });
+  });
+});

src/constructs/ec2/security-groups/wazuh.ts

@@ -0,0 +1,33 @@
+import type { IVpc } from "@aws-cdk/aws-ec2";
+import { Peer } from "@aws-cdk/aws-ec2";
+import type { GuStack } from "../../core";
+import { GuSecurityGroup } from "./base";
+
+export class GuWazuhAccess extends GuSecurityGroup {
+  private static instance: GuWazuhAccess | undefined;
+
+  private constructor(scope: GuStack, vpc: IVpc) {
+    super(scope, "WazuhSecurityGroup", {
+      vpc,
+      description: "Wazuh agent registration and event logging",
+      overrideId: true,
+      allowAllOutbound: false,
+      egresses: [
+        { range: Peer.anyIpv4(), port: 1514, description: "Wazuh event logging" },
+        { range: Peer.anyIpv4(), port: 1515, description: "Wazuh agent registration" },
+      ],
+    });
+  }
+
+  public static getInstance(stack: GuStack, vpc: IVpc): GuWazuhAccess {
+    // Resources can only live in the same App so return a new instance where necessary.
+    // See https://github.com/aws/aws-cdk/blob/0ea4b19afd639541e5f1d7c1783032ee480c307e/packages/%40aws-cdk/core/lib/private/refs.ts#L47-L50
+    const isSameStack = this.instance?.node.root === stack.node.root;
+
+    if (!this.instance || !isSameStack) {
+      this.instance = new GuWazuhAccess(stack, vpc);
+    }
+
+    return this.instance;
+  }
+}

src/constructs/iam/policies/log-shipping.ts

@@ -17,7 +17,7 @@ export class GuLogShippingPolicy extends GuAllowPolicy {
   }
 
   public static getInstance(stack: GuStack): GuLogShippingPolicy {
-    // Resources can only live in the same App so return a new `GuSSMRunCommandPolicy` where necessary.
+    // Resources can only live in the same App so return a new instance where necessary.
     // See https://github.com/aws/aws-cdk/blob/0ea4b19afd639541e5f1d7c1783032ee480c307e/packages/%40aws-cdk/core/lib/private/refs.ts#L47-L50
     const isSameStack = this.instance?.node.root === stack.node.root;