From c9857b127267b3fc09fb2ec6e3de744bbbda6c5d Mon Sep 17 00:00:00 2001
From: akash1810
Date: Wed, 15 Jan 2025 20:39:34 +0000
Subject: [PATCH] feat: Remove `GuWazuhAccess` class

Remove the `GuWazuhAccess` class which adds a security group of logical ID `WazuhSecurityGroup` to any stack using `GuAutoScalingGroup` either directly or via a pattern.
---
 .changeset/fair-masks-switch.md | 37 +++
 src/constructs/autoscaling/asg.test.ts | 3 -
 src/constructs/autoscaling/asg.ts | 13 +-
 src/constructs/ec2/security-groups/base.ts | 1 -
 src/constructs/ec2/security-groups/index.ts | 1 -
 .../ec2/security-groups/wazuh.test.ts | 45 ----
 src/constructs/ec2/security-groups/wazuh.ts | 112 ---------
 src/constructs/iam/roles/instance-role.ts | 7 +-
 .../__snapshots__/ec2-app.test.ts.snap | 92 -------
 .../ec2-app/__snapshots__/base.test.ts.snap | 226 ------------------
 10 files changed, 45 insertions(+), 492 deletions(-)
 create mode 100644 .changeset/fair-masks-switch.md
 delete mode 100644 src/constructs/ec2/security-groups/wazuh.test.ts
 delete mode 100644 src/constructs/ec2/security-groups/wazuh.ts

diff --git a/.changeset/fair-masks-switch.md b/.changeset/fair-masks-switch.md
new file mode 100644
index 0000000000..a5a0efa185
--- /dev/null
+++ b/.changeset/fair-masks-switch.md
@@ -0,0 +1,37 @@
+---
+"@guardian/cdk": minor
+---
+
+Removes `GuWazuhAccess` security group as Wazuh has been deprecated.
+
+This change will remove a resource of logical ID `WazuhSecurityGroup` from stacks that use a `GuAutoScalingGroup`.
+The snapshot diff will include the removal of the following resource:
+
+```json
+{
+ "Resources": {
+ "WazuhSecurityGroup": {
+ "Properties": {
+ "GroupDescription": "Allow outbound traffic from wazuh agent to manager",
+ "SecurityGroupEgress": [
+ {
+ "CidrIp": "0.0.0.0/0",
+ "Description": "Wazuh event logging",
+ "FromPort": 1514,
+ "IpProtocol": "tcp",
+ "ToPort": 1514
+ },
+ {
+ "CidrIp": "0.0.0.0/0",
+ "Description": "Wazuh agent registration",
+ "FromPort": 1515,
+ "IpProtocol": "tcp",
+ "ToPort": 1515
+ }
+ ],
+ "Type": "AWS::EC2::SecurityGroup"
+ }
+ }
+ }
+ }
+```
diff --git a/src/constructs/autoscaling/asg.test.ts b/src/constructs/autoscaling/asg.test.ts
index 2884b9bb9c..a8f7efe555 100644
--- a/src/constructs/autoscaling/asg.test.ts
+++ b/src/constructs/autoscaling/asg.test.ts
@@ -134,9 +134,6 @@ describe("The GuAutoScalingGroup", () => {
 {
 "Fn::GetAtt": [Match.stringLikeRegexp(`GuHttpsEgressSecurityGroup${app}[A-Z0-9]+`), "GroupId"],
 },
- {
- "Fn::GetAtt": ["WazuhSecurityGroup", "GroupId"],
- },
 {
 "Fn::GetAtt": [Match.stringLikeRegexp("SecurityGroupTesting[A-Z0-9]+"), "GroupId"],
 },
diff --git a/src/constructs/autoscaling/asg.ts b/src/constructs/autoscaling/asg.ts
index 2bbfab1281..b6aed19bae 100644
--- a/src/constructs/autoscaling/asg.ts
+++ b/src/constructs/autoscaling/asg.ts
@@ -10,7 +10,7 @@ import type { AmigoProps } from "../../types/amigo";
 import { GuAppAwareConstruct } from "../../utils/mixin/app-aware-construct";
 import { GuAmiParameter } from "../core";
 import type { AppIdentity, GuStack } from "../core";
-import { GuHttpsEgressSecurityGroup, GuWazuhAccess } from "../ec2";
+import { GuHttpsEgressSecurityGroup } from "../ec2";
 import { GuInstanceRole } from "../iam";
 
 // Since we want to override the types of what gets passed in for the below props,
@@ -65,9 +65,8 @@ export interface GuAutoScalingGroupProps
  * You may wish to instantiate [[`GuInstanceRole`]] yourself as a basis for this custom role, as it allows custom permissions
  * to be passed in.
  *
- * All EC2 instances in this group will be automatically associated with two security groups:
- * 1. [[`GuHttpsEgressSecurityGroup`]], which allows outbound traffic over HTTPS.
- * 2. [[`GuWazuhAccess`]], which allows instances to communicate with Wazuh (for security monitoring).
+ * All EC2 instances in this group will be automatically associated with the [[`GuHttpsEgressSecurityGroup`]] security groups,
+ * which allows outbound traffic over HTTPS.
  *
  * If additional ingress or egress rules are required, define custom security groups and pass them in via the
  * `additionalSecurityGroups` prop.
@@ -137,12 +136,10 @@ export class GuAutoScalingGroup extends GuAppAwareConstruct(AutoScalingGroup) {
 httpPutResponseHopLimit,
 });
 
- // Add Wazuh & additional consumer specified Security Groups
+ // Add additional consumer specified Security Groups
 // Note: Launch templates via CDK allow specifying only one SG, so use connections
 // https://github.com/aws/aws-cdk/issues/18712
- [GuWazuhAccess.getInstance(scope, vpc), ...additionalSecurityGroups].forEach((sg) =>
- launchTemplate.connections.addSecurityGroup(sg),
- );
+ additionalSecurityGroups.forEach((sg) => launchTemplate.connections.addSecurityGroup(sg));
 
 const asgProps: AutoScalingGroupProps = {
 ...props,
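Review bot: The rewritten JSDoc in the `@@ -65,9 +65,8 @@` hunk now says "associated with the [[GuHttpsEgressSecurityGroup]] security groups, which allows", pairing a plural noun with a singular verb even though only one group is attached automatically after this change. Replace `security groups, which allows outbound traffic over HTTPS` with `security group, which allows outbound traffic over HTTPS` across the two added lines. Since the paragraph is the place consumers look to learn what egress they get for free, it would also help to add ` * No other egress is opened by default; anything beyond HTTPS must be supplied via `additionalSecurityGroups`.` so teams that depended on the removed port 1514/1515 rules know where to re-add them. The `GuAutoScalingGroupProps` interface this comment belongs to starts outside the hunk.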
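Review bot: The simplified `additionalSecurityGroups.forEach(...)` in the `@@ -137,12 +136,10 @@` hunk removes `WazuhSecurityGroup` from the launch template, but the deleted `wazuh.ts` explicitly warned that "replacing in-use security groups is difficult as it requires careful orchestration with instances", and nothing in this patch addresses that orchestration. On the first deploy of a stack that picks up this version, CloudFormation will presumably attempt to delete the now-orphaned `AWS::EC2::SecurityGroup` while instances launched from the previous launch-template version still have it attached; unless the ASG update replaces those instances within the same operation, that delete is likely to fail on a dependency violation and roll the stack back. Consider documenting in the changeset that a rolling replacement of instances is required (or keeping the resource for one release behind an opt-out), and noting that any AMI still running a Wazuh agent will silently lose its 1514/1515 egress because the only remaining default group permits HTTPS. The constructor this code belongs to starts outside the hunk.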
diff --git a/src/constructs/ec2/security-groups/base.ts b/src/constructs/ec2/security-groups/base.ts
index 01199a8976..0d9b2a9198 100644
--- a/src/constructs/ec2/security-groups/base.ts
+++ b/src/constructs/ec2/security-groups/base.ts
@@ -41,7 +41,6 @@ export interface GuSecurityGroupProps extends GuBaseSecurityGroupProps, AppIdent
  * An ingress rule on port 22 is strictly forbidden as SSH via SSM is preferred.
  *
  * Prefer to use a concrete implementation where possible. See:
- * - [[GuWazuhAccess]]
  * - [[GuPublicInternetAccessSecurityGroup]]
  * - [[GuHttpsEgressSecurityGroup]]
  */
diff --git a/src/constructs/ec2/security-groups/index.ts b/src/constructs/ec2/security-groups/index.ts
index c2b8fbdac1..955fdd1439 100644
--- a/src/constructs/ec2/security-groups/index.ts
+++ b/src/constructs/ec2/security-groups/index.ts
@@ -1,2 +1 @@
 export * from "./base";
-export * from "./wazuh";
diff --git a/src/constructs/ec2/security-groups/wazuh.test.ts b/src/constructs/ec2/security-groups/wazuh.test.ts
deleted file mode 100644
index 20571727bc..0000000000
--- a/src/constructs/ec2/security-groups/wazuh.test.ts
+++ /dev/null
@@ -1,45 +0,0 @@
-import { Stack } from "aws-cdk-lib";
-import { Template } from "aws-cdk-lib/assertions";
-import { Vpc } from "aws-cdk-lib/aws-ec2";
-import { GuTemplate, simpleGuStackForTesting } from "../../../utils/test";
-import { GuWazuhAccess } from "./wazuh";
-
-describe("The GuWazuhAccess class", () => {
- const vpc = Vpc.fromVpcAttributes(new Stack(), "VPC", {
- vpcId: "test",
- availabilityZones: [""],
- publicSubnetIds: [""],
- });
-
- it("sets props as expected", () => {
- const stack = simpleGuStackForTesting();
-
- GuWazuhAccess.getInstance(stack, vpc);
-
- Template.fromStack(stack).hasResourceProperties("AWS::EC2::SecurityGroup", {
- GroupDescription: "Allow outbound traffic from wazuh agent to manager",
- SecurityGroupEgress: [
- {
- CidrIp: "0.0.0.0/0",
- Description: "Wazuh event logging",
- FromPort: 1514,
- IpProtocol: "tcp",
- ToPort: 1514,
- },
- {
- CidrIp: "0.0.0.0/0",
- Description: "Wazuh agent registration",
- FromPort: 1515,
- IpProtocol: "tcp",
- ToPort: 1515,
- },
- ],
- });
- });
-
- it("has the logicalId WazuhSecurityGroup", () => {
- const stack = simpleGuStackForTesting();
- GuWazuhAccess.getInstance(stack, vpc);
- GuTemplate.fromStack(stack).hasResourceWithLogicalId("AWS::EC2::SecurityGroup", "WazuhSecurityGroup");
- });
-});
diff --git a/src/constructs/ec2/security-groups/wazuh.ts b/src/constructs/ec2/security-groups/wazuh.ts
deleted file mode 100644
index 32c2e9e049..0000000000
--- a/src/constructs/ec2/security-groups/wazuh.ts
+++ /dev/null
@@ -1,112 +0,0 @@
-import { Peer } from "aws-cdk-lib/aws-ec2";
-import type { IVpc } from "aws-cdk-lib/aws-ec2";
-import { isSingletonPresentInStack } from "../../../utils/singleton";
-import type { GuStack } from "../../core";
-import { GuBaseSecurityGroup } from "./base";
-
-/**
- * A security group to allow a Wazuh agent on an EC2 instance to communicate with the outside.
- * This is implemented as a singleton, meaning only one resource will be created in a stack.
- * If there are multiple apps in the stack, they will re-use this resource.
- *
- * The logicalId will always be "WazuhSecurityGroup".
- *
- * Will create a resource like this:
- *
- * ```yaml
- * WazuhSecurityGroup:
- * Type: AWS::EC2::SecurityGroup
- * Properties:
- * GroupDescription: Allow outbound traffic from wazuh agent to manager
- * VpcId:
- * Ref: VpcId
- * SecurityGroupEgress:
- * - Description: Wazuh event logging
- * IpProtocol: tcp
- * FromPort: 1514
- * ToPort: 1514
- * CidrIp: 0.0.0.0/0
- * - Description: Wazuh agent registration
- * IpProtocol: tcp
- * FromPort: 1515
- * ToPort: 1515
- * CidrIp: 0.0.0.0/0
- * ```
- *
- * Which will then get used like this:
- *
- * ```yaml
- * InstanceRoleForAppA:
- * Type: AWS::IAM::Role
- * Properties:
- * SecurityGroups:
- * - Ref: WazuhSecurityGroup
- *
- * InstanceRoleForAppB:
- * Type: AWS::IAM::Role
- * Properties:
- * SecurityGroups:
- * - Ref: WazuhSecurityGroup
- * ```
- *
- * Usage within a stack:
- * ```typescript
- * GuWazuhAccess.getInstance(this, vpc);
- * ```
- *
- * @see https://github.com/guardian/security-hq/blob/main/hq/markdown/wazuh.md
- */
-export class GuWazuhAccess extends GuBaseSecurityGroup {
- private static instance: GuWazuhAccess | undefined;
-
- private constructor(scope: GuStack, vpc: IVpc) {
- super(scope, "WazuhSecurityGroup", {
- vpc,
-
- /*
- The group description of a security group is stateful.
- Be careful about changing this!
-
- See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html#cfn-ec2-securitygroup-groupdescription
- */
- description: "Allow outbound traffic from wazuh agent to manager",
- allowAllOutbound: false,
- egresses: [
- { range: Peer.anyIpv4(), port: 1514, description: "Wazuh event logging" },
- { range: Peer.anyIpv4(), port: 1515, description: "Wazuh agent registration" },
- ],
- });
-
- /*
- Replacing in-use security groups is difficult as it requires careful orchestration with instances.
- Fix the logicalId to "WazuhSecurityGroup" regardless of new or migrating stack.
- This makes it:
- - easier for YAML defined stacks to move to GuCDK as the resource will be kept
- - easier for stacks already using GuCDK to upgrade versions
- */
- scope.overrideLogicalId(this, {
- logicalId: "WazuhSecurityGroup",
- reason: "Avoid tricky security group replacement during a YAML to GuCDK migration.",
- });
- }
-
- /**
- * GuWazuhAccess is implemented as a singleton meaning only one instance will be created for the entire stack.
- * If there are multiple apps in the stack, they will re-use this resource.
- *
- * Usage:
- * ```typescript
- * GuWazuhAccess.getInstance(this, vpc);
- * ```
- *
- * @param stack the stack to add this security group to
- * @param vpc the vpc to add this security group to
- */
- public static getInstance(stack: GuStack, vpc: IVpc): GuWazuhAccess {
- if (!this.instance || !isSingletonPresentInStack(stack, this.instance)) {
- this.instance = new GuWazuhAccess(stack, vpc);
- }
-
- return this.instance;
- }
-}
diff --git a/src/constructs/iam/roles/instance-role.ts b/src/constructs/iam/roles/instance-role.ts
index a6bc4a60b9..2c58b87420 100644
--- a/src/constructs/iam/roles/instance-role.ts
+++ b/src/constructs/iam/roles/instance-role.ts
@@ -30,11 +30,10 @@ export type GuInstanceRolePropsWithApp = GuInstanceRoleProps & AppIdentity;
  *
  * More specifically:
  * 1. Allows for `ssh` access to an EC2 instance via [ssm-scala](https://github.com/guardian/ssm-scala) (instead of standard `ssh`).
- * 2. Allows EC2 instances to communicate with Wazuh, for security monitoring.
- * 3. Allows EC2 instances to download an artifact from AWS S3, for application deployment.
- * 4. Allows EC2 instances to download private configuration from AWS Parameter Store. See [[`GuParameterStoreReadPolicy`]]
+ * 2. Allows EC2 instances to download an artifact from AWS S3, for application deployment.
+ * 3. Allows EC2 instances to download private configuration from AWS Parameter Store. See [[`GuParameterStoreReadPolicy`]]
  * for specific details.
- * 5. Allows EC2 instances to write logs into our central ELK stack via Kinesis.
+ * 4. Allows EC2 instances to write logs into our central ELK stack via Kinesis.
  *
  * If additional IAM permissions are required, create custom policies and pass them in via the `additionalPolicies` prop.
  *
diff --git a/src/experimental/patterns/__snapshots__/ec2-app.test.ts.snap b/src/experimental/patterns/__snapshots__/ec2-app.test.ts.snap
index cd9e9ce9f7..df042f86f4 100644
--- a/src/experimental/patterns/__snapshots__/ec2-app.test.ts.snap
+++ b/src/experimental/patterns/__snapshots__/ec2-app.test.ts.snap
@@ -20,7 +20,6 @@ exports[`The GuEc2AppExperimental pattern matches the snapshot 1`] = ` "GuParameterStoreReadPolicy", "GuAmiParameter", "GuHttpsEgressSecurityGroup", - "GuWazuhAccess", "GuAutoScalingGroup", "GuApplicationLoadBalancer", "GuApplicationTargetGroup",
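Review bot: The `@@ -30,11 +30,10 @@` hunk only renumbers the JSDoc list for the instance role, dropping the claim that it "allows EC2 instances to communicate with Wazuh", yet no IAM policy, statement or managed-policy attachment is touched anywhere in this patch. If the role still carries a Wazuh-specific policy (not visible here), it should be removed in the same change so the permissions actually granted stay as narrow as the documentation now describes; if that bullet was only ever descriptive of the security group, a short note in the commit message saying so would spare the next reader the same question. The declaration this comment documents lies outside the hunk.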
@@ -568,27 +567,6 @@ exports[`The GuEc2AppExperimental pattern matches the snapshot 1`] = ` }, "Type": "AWS::EC2::SecurityGroupEgress", }, - "LoadBalancerTestguec2appSecurityGrouptoTestWazuhSecurityGroup8092AEDC9000720EFF26": { - "Properties": { - "Description": "Load balancer to target", - "DestinationSecurityGroupId": { - "Fn::GetAtt": [ - "WazuhSecurityGroup", - "GroupId", - ], - }, - "FromPort": 9000, - "GroupId": { - "Fn::GetAtt": [ - "LoadBalancerTestguec2appSecurityGroupCC6F85C1", - "GroupId", - ], - }, - "IpProtocol": "tcp", - "ToPort": 9000, - }, - "Type": "AWS::EC2::SecurityGroupEgress", - }, "ParameterStoreReadTestguec2app072DCDE1": { "Properties": { "PolicyDocument": { 
@@ -733,70 +711,6 @@ exports[`The GuEc2AppExperimental pattern matches the snapshot 1`] = ` }, "Type": "AWS::ElasticLoadBalancingV2::TargetGroup", }, - "WazuhSecurityGroup": { - "Properties": { - "GroupDescription": "Allow outbound traffic from wazuh agent to manager", - "SecurityGroupEgress": [ - { - "CidrIp": "0.0.0.0/0", - "Description": "Wazuh event logging", - "FromPort": 1514, - "IpProtocol": "tcp", - "ToPort": 1514, - }, - { - "CidrIp": "0.0.0.0/0", - "Description": "Wazuh agent registration", - "FromPort": 1515, - "IpProtocol": "tcp", - "ToPort": 1515, - }, - ], - "Tags": [ - { - "Key": "gu:cdk:version", - "Value": "TEST", - }, - { - "Key": "gu:repo", - "Value": "guardian/cdk", - }, - { - "Key": "Stack", - "Value": "test-stack", - }, - { - "Key": "Stage", - "Value": "TEST", - }, - ], - "VpcId": { - "Ref": "VpcId", - }, - }, - "Type": "AWS::EC2::SecurityGroup", - }, - "WazuhSecurityGroupfromTestLoadBalancerTestguec2appSecurityGroup5F9E11C99000BB163DB4": { - "Properties": { - "Description": "Load balancer to target", - "FromPort": 9000, - "GroupId": { - "Fn::GetAtt": [ - "WazuhSecurityGroup", - "GroupId", - ], - }, - "IpProtocol": "tcp", - "SourceSecurityGroupId": { - "Fn::GetAtt": [ - "LoadBalancerTestguec2appSecurityGroupCC6F85C1", - "GroupId", - ], - }, - "ToPort": 9000, - }, - "Type": "AWS::EC2::SecurityGroupIngress", - }, "teststackTESTtestguec2appAA7F41BE": { "DependsOn": [ "InstanceRoleTestguec2appC325BE42", @@ -826,12 +740,6 @@ exports[`The GuEc2AppExperimental pattern matches the snapshot 1`] = ` "GroupId", ], }, - { - "Fn::GetAtt": [ - "WazuhSecurityGroup", - "GroupId", - ], - }, ], "TagSpecifications": [ { diff --git a/src/patterns/ec2-app/__snapshots__/base.test.ts.snap b/src/patterns/ec2-app/__snapshots__/base.test.ts.snap index ae5926efa7..79fd8bfdfd 100644 --- a/src/patterns/ec2-app/__snapshots__/base.test.ts.snap +++ b/src/patterns/ec2-app/__snapshots__/base.test.ts.snap 
@@ -20,7 +20,6 @@ exports[`the GuEC2App pattern can produce a restricted EC2 app locked to specifi "GuParameterStoreReadPolicy", "GuAmiParameter", "GuHttpsEgressSecurityGroup", - "GuWazuhAccess", "GuAutoScalingGroup", "GuApplicationLoadBalancer", "GuApplicationTargetGroup", @@ -534,27 +533,6 @@ exports[`the GuEC2App pattern can produce a restricted EC2 app locked to specifi }, "Type": "AWS::EC2::SecurityGroupEgress", }, - "LoadBalancerTestguec2appSecurityGrouptoTestWazuhSecurityGroup8092AEDC3000E12CA15B": { - "Properties": { - "Description": "Load balancer to target", - "DestinationSecurityGroupId": { - "Fn::GetAtt": [ - "WazuhSecurityGroup", - "GroupId", - ], - }, - "FromPort": 3000, - "GroupId": { - "Fn::GetAtt": [ - "LoadBalancerTestguec2appSecurityGroupCC6F85C1", - "GroupId", - ], - }, - "IpProtocol": "tcp", - "ToPort": 3000, - }, - "Type": "AWS::EC2::SecurityGroupEgress", - }, "ParameterStoreReadTestguec2app072DCDE1": { "Properties": { "PolicyDocument": { @@ -675,27 +653,6 @@ exports[`the GuEC2App pattern can produce a restricted EC2 app locked to specifi }, "Type": "AWS::EC2::SecurityGroupEgress", }, - "RestrictedIngressSecurityGroupTestguec2apptoTestWazuhSecurityGroup8092AEDC3000E2216923": { - "Properties": { - "Description": "Load balancer to target", - "DestinationSecurityGroupId": { - "Fn::GetAtt": [ - "WazuhSecurityGroup", - "GroupId", - ], - }, - "FromPort": 3000, - "GroupId": { - "Fn::GetAtt": [ - "RestrictedIngressSecurityGroupTestguec2appF4DE7574", - "GroupId", - ], - }, - "IpProtocol": "tcp", - "ToPort": 3000, - }, - "Type": "AWS::EC2::SecurityGroupEgress", - }, "SsmSshPolicy4CFC977E": { "Properties": { "PolicyDocument": { 
@@ -781,91 +738,6 @@ exports[`the GuEC2App pattern can produce a restricted EC2 app locked to specifi }, "Type": "AWS::ElasticLoadBalancingV2::TargetGroup", }, - "WazuhSecurityGroup": { - "Properties": { - "GroupDescription": "Allow outbound traffic from wazuh agent to manager", - "SecurityGroupEgress": [ - { - "CidrIp": "0.0.0.0/0", - "Description": "Wazuh event logging", - "FromPort": 1514, - "IpProtocol": "tcp", - "ToPort": 1514, - }, - { - "CidrIp": "0.0.0.0/0", - "Description": "Wazuh agent registration", - "FromPort": 1515, - "IpProtocol": "tcp", - "ToPort": 1515, - }, - ], - "Tags": [ - { - "Key": "gu:cdk:version", - "Value": "TEST", - }, - { - "Key": "gu:repo", - "Value": "guardian/cdk", - }, - { - "Key": "Stack", - "Value": "test-stack", - }, - { - "Key": "Stage", - "Value": "TEST", - }, - ], - "VpcId": { - "Ref": "VpcId", - }, - }, - "Type": "AWS::EC2::SecurityGroup", - }, - "WazuhSecurityGroupfromTestLoadBalancerTestguec2appSecurityGroup5F9E11C9300023EFEFE4": { - "Properties": { - "Description": "Load balancer to target", - "FromPort": 3000, - "GroupId": { - "Fn::GetAtt": [ - "WazuhSecurityGroup", - "GroupId", - ], - }, - "IpProtocol": "tcp", - "SourceSecurityGroupId": { - "Fn::GetAtt": [ - "LoadBalancerTestguec2appSecurityGroupCC6F85C1", - "GroupId", - ], - }, - "ToPort": 3000, - }, - "Type": "AWS::EC2::SecurityGroupIngress", - }, - "WazuhSecurityGroupfromTestRestrictedIngressSecurityGroupTestguec2app006B9AC1300032C8ABF9": { - "Properties": { - "Description": "Load balancer to target", - "FromPort": 3000, - "GroupId": { - "Fn::GetAtt": [ - "WazuhSecurityGroup", - "GroupId", - ], - }, - "IpProtocol": "tcp", - "SourceSecurityGroupId": { - "Fn::GetAtt": [ - "RestrictedIngressSecurityGroupTestguec2appF4DE7574", - "GroupId", - ], - }, - "ToPort": 3000, - }, - "Type": "AWS::EC2::SecurityGroupIngress", - }, "teststackTESTtestguec2appAA7F41BE": { "DependsOn": [ "InstanceRoleTestguec2appC325BE42", 
@@ -895,12 +767,6 @@ exports[`the GuEC2App pattern can produce a restricted EC2 app locked to specifi "GroupId", ], }, - { - "Fn::GetAtt": [ - "WazuhSecurityGroup", - "GroupId", - ], - }, ], "TagSpecifications": [ { @@ -1034,7 +900,6 @@ exports[`the GuEC2App pattern should produce a functional EC2 app with minimal a "GuParameterStoreReadPolicy", "GuAmiParameter", "GuHttpsEgressSecurityGroup", - "GuWazuhAccess", "GuAutoScalingGroup", "GuApplicationLoadBalancer", "GuApplicationTargetGroup", @@ -1529,27 +1394,6 @@ exports[`the GuEC2App pattern should produce a functional EC2 app with minimal a }, "Type": "AWS::EC2::SecurityGroupEgress", }, - "LoadBalancerTestguec2appSecurityGrouptoTestWazuhSecurityGroup8092AEDC3000E12CA15B": { - "Properties": { - "Description": "Load balancer to target", - "DestinationSecurityGroupId": { - "Fn::GetAtt": [ - "WazuhSecurityGroup", - "GroupId", - ], - }, - "FromPort": 3000, - "GroupId": { - "Fn::GetAtt": [ - "LoadBalancerTestguec2appSecurityGroupCC6F85C1", - "GroupId", - ], - }, - "IpProtocol": "tcp", - "ToPort": 3000, - }, - "Type": "AWS::EC2::SecurityGroupEgress", - }, "ParameterStoreReadTestguec2app072DCDE1": { "Properties": { "PolicyDocument": { 
@@ -1694,70 +1538,6 @@ exports[`the GuEC2App pattern should produce a functional EC2 app with minimal a }, "Type": "AWS::ElasticLoadBalancingV2::TargetGroup", }, - "WazuhSecurityGroup": { - "Properties": { - "GroupDescription": "Allow outbound traffic from wazuh agent to manager", - "SecurityGroupEgress": [ - { - "CidrIp": "0.0.0.0/0", - "Description": "Wazuh event logging", - "FromPort": 1514, - "IpProtocol": "tcp", - "ToPort": 1514, - }, - { - "CidrIp": "0.0.0.0/0", - "Description": "Wazuh agent registration", - "FromPort": 1515, - "IpProtocol": "tcp", - "ToPort": 1515, - }, - ], - "Tags": [ - { - "Key": "gu:cdk:version", - "Value": "TEST", - }, - { - "Key": "gu:repo", - "Value": "guardian/cdk", - }, - { - "Key": "Stack", - "Value": "test-stack", - }, - { - "Key": "Stage", - "Value": "TEST", - }, - ], - "VpcId": { - "Ref": "VpcId", - }, - }, - "Type": "AWS::EC2::SecurityGroup", - }, - "WazuhSecurityGroupfromTestLoadBalancerTestguec2appSecurityGroup5F9E11C9300023EFEFE4": { - "Properties": { - "Description": "Load balancer to target", - "FromPort": 3000, - "GroupId": { - "Fn::GetAtt": [ - "WazuhSecurityGroup", - "GroupId", - ], - }, - "IpProtocol": "tcp", - "SourceSecurityGroupId": { - "Fn::GetAtt": [ - "LoadBalancerTestguec2appSecurityGroupCC6F85C1", - "GroupId", - ], - }, - "ToPort": 3000, - }, - "Type": "AWS::EC2::SecurityGroupIngress", - }, "teststackTESTtestguec2appAA7F41BE": { "DependsOn": [ "InstanceRoleTestguec2appC325BE42", @@ -1787,12 +1567,6 @@ exports[`the GuEC2App pattern should produce a functional EC2 app with minimal a "GroupId", ], }, - { - "Fn::GetAtt": [ - "WazuhSecurityGroup", - "GroupId", - ], - }, ], "TagSpecifications": [ {