使用 AWS-CDK2-Python 使用现有 VPC 创建 EC2 安全组

Question

我正在尝试使用 Python AWS CDK2 在现有 VPC 中创建 EC2 安全组。这是我的代码，

 ec2securitygroup = ec2.CfnSecurityGroup(
            self,
            "EC2SecurityGroup2",
            group_description="Security group for ec2",
            group_name="test-security-group",
            tags=[
                {
                    "key": "Name",
                    "value": "test-security-group"
                }
            ],
            vpc_id="vpc-1234567",
            security_group_ingress=[
                {
                    "cidr_ip": "10.0.0.0/16",
                    "description": "Allow all internal traffic from VPC1",
                    "ip_protocol": "-1"
                },
                {
                    "source_security_group_id": "sg-123456789",
                    "source_security_group_owner_id": "123456789",
                    "from_port": 80,
                    "ip_protocol": "tcp",
                    "to_port": 80
                }
            ],
            security_group_egress=[
                {
                    "cidr_ip": "0.0.0.0/0",
                    "description": "Allow outbound traffic",
                    "ip_protocol": "-1"
                }
            ]
        )

我收到以下错误

jsii.errors.JavaScript错误： @jsii/kernel.SerializationError：传递给新 aws-cdk-lib.aws_ec2.CfnSecurityGroup 的参数道具：无法将值反序列化为 aws-cdk-lib.aws_ec2.CfnSecurityGroupProps

Answer 1

这是由于 CDK 的工作方式以及它是通过 jsii 从 TypeScript 转换而来的。如果您想使用普通的 Python 字典代替接口，则必须使用原始字段名称，而不是翻译成 Python 的字段名称：

ec2securitygroup = ec2.CfnSecurityGroup(
    self,
    "EC2SecurityGroup2",
    group_description="Security group for ec2",
    group_name="test-security-group",
    tags=[{"key": "Name", "value": "test-security-group"}],
    vpc_id="vpc-1234567",
    security_group_ingress=[
        {
            "cidrIp": "10.0.0.0/16",
            "description": "Allow all internal traffic from VPC1",
            "ipProtocol": "-1",
        },
        {
            "sourceSecurityGroupId": "sg-123456789",
            "sourceSecurityGroupOwnerId": "123456789",
            "fromPort": 80,
            "ipProtocol": "tcp",
            "toPort": 80,
        },
    ],
    security_group_egress=[
        {
            "cidrIp": "0.0.0.0/0",
            "description": "Allow outbound traffic",
            "ipProtocol": "-1",
        }
    ],
)

为了能够使用翻译后的 snake_case 字段名称，您必须使用生成的类：

ec2securitygroup = ec2.CfnSecurityGroup(
    self,
    "EC2SecurityGroup2",
    group_description="Security group for ec2",
    group_name="test-security-group",
    tags=[{"key": "Name", "value": "test-security-group"}],
    vpc_id="vpc-1234567",
    security_group_ingress=[
        {
            "cidrIp": "10.0.0.0/16",
            "description": "Allow all internal traffic from VPC1",
            "ipProtocol": "-1",
        },
        {
            "sourceSecurityGroupId": "sg-123456789",
            "sourceSecurityGroupOwnerId": "123456789",
            "fromPort": 80,
            "ipProtocol": "tcp",
            "toPort": 80,
        },
    ],
    security_group_egress=[
        {
            "cidrIp": "0.0.0.0/0",
            "description": "Allow outbound traffic",
            "ipProtocol": "-1",
        }
    ],
)

不过，更好的解决方案是使用 L2 构造：

vpc = ec2.Vpc.from_vpc_attributes(
    self,
    "Vpc2",
    vpc_id="vpc-1234567",
    availability_zones=["us-east-1a", "us-east-1b", "us-east-1c"],
)
ec2securitygroup = ec2.SecurityGroup(
    self,
    "EC2SecurityGroup",
    vpc=vpc,
    security_group_name="test-security-group",
    description="Security group for ec2",
    allow_all_outbound=True,
)
ec2securitygroup.add_ingress_rule(
    peer=ec2.Peer.ipv4("10.0.0.0/16"),
    connection=ec2.Port.all_traffic(),
    description="Allow all internal traffic from VPC1",
)
ec2securitygroup.connections.allow_from(
    other=ec2.SecurityGroup.from_security_group_id(self, "other", "sg-1234567"),
    port_range=ec2.Port.tcp(80),
)

cdk.Tags.of(ec2securitygroup).add("Name", "test-security-group")

当您使用 L2 定义所有内容（包括您的 VPC 和实例）时，一切都会变得更容易。

直接处理安全组实际上是advised against in the CDK documentation，因为它提供了有用的抽象，使其成为实现细节，即所有ec2.IConnectable（如ec2.Instance）公开的ec2.Connections类：

可以通过 addIngressRule 和 addEgressRule 直接操作安全组，但建议通过 .connections 对象进行突变。如果您以这种方式将两个构造与安全组对等，则将在两者中创建适当的规则。

通用 aws-ec2 模块概述文档中提供了有关此功能的更多文档：https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2-readme.html#allowing-connections