guardian · akash1810 · Jan 15, 2025
diff --git a/.changeset/fair-masks-switch.md b/.changeset/fair-masks-switch.md
@@ -0,0 +1,37 @@
+---
+"@guardian/cdk": minor
+---
+
+Removes `GuWazuhAccess` security group as Wazuh has been deprecated.
+
+This change will remove a resource of logical ID `WazuhSecurityGroup` from stacks that use a `GuAutoScalingGroup`.
+The snapshot diff will include the removal of the following resource:
+
+```json
+{
+  "Resources": {
+    "WazuhSecurityGroup": {
+      "Properties": {
+        "GroupDescription": "Allow outbound traffic from wazuh agent to manager",
+        "SecurityGroupEgress": [
+          {
+            "CidrIp": "0.0.0.0/0",
+            "Description": "Wazuh event logging",
+            "FromPort": 1514,
+            "IpProtocol": "tcp",
+            "ToPort": 1514
+          },
+          {
+            "CidrIp": "0.0.0.0/0",
+            "Description": "Wazuh agent registration",
+            "FromPort": 1515,
+            "IpProtocol": "tcp",
+            "ToPort": 1515
+          }
+        ],
+        "Type": "AWS::EC2::SecurityGroup"
+      }
+    }
+  }
+}
+```
diff --git a/src/constructs/autoscaling/asg.test.ts b/src/constructs/autoscaling/asg.test.ts
@@ -134,9 +134,6 @@ describe("The GuAutoScalingGroup", () => {
           {
             "Fn::GetAtt": [Match.stringLikeRegexp(`GuHttpsEgressSecurityGroup${app}[A-Z0-9]+`), "GroupId"],
           },
-          {
-            "Fn::GetAtt": ["WazuhSecurityGroup", "GroupId"],
-          },
           {
             "Fn::GetAtt": [Match.stringLikeRegexp("SecurityGroupTesting[A-Z0-9]+"), "GroupId"],
           },

diff --git a/src/constructs/autoscaling/asg.ts b/src/constructs/autoscaling/asg.ts
@@ -10,7 +10,7 @@ import type { AmigoProps } from "../../types/amigo";
 import { GuAppAwareConstruct } from "../../utils/mixin/app-aware-construct";
 import { GuAmiParameter } from "../core";
 import type { AppIdentity, GuStack } from "../core";
-import { GuHttpsEgressSecurityGroup, GuWazuhAccess } from "../ec2";
+import { GuHttpsEgressSecurityGroup } from "../ec2";
 import { GuInstanceRole } from "../iam";
 
 // Since we want to override the types of what gets passed in for the below props,
@@ -65,9 +65,8 @@ export interface GuAutoScalingGroupProps
  * You may wish to instantiate [[`GuInstanceRole`]] yourself as a basis for this custom role, as it allows custom permissions
  * to be passed in.
  *
- * All EC2 instances in this group will be automatically associated with two security groups:
- * 1. [[`GuHttpsEgressSecurityGroup`]], which allows outbound traffic over HTTPS.
- * 2. [[`GuWazuhAccess`]], which allows instances to communicate with Wazuh (for security monitoring).
+ * All EC2 instances in this group will be automatically associated with the [[`GuHttpsEgressSecurityGroup`]] security groups,
+ * which allows outbound traffic over HTTPS.
  *
  * If additional ingress or egress rules are required, define custom security groups and pass them in via the
  * `additionalSecurityGroups` prop.
@@ -137,12 +136,10 @@ export class GuAutoScalingGroup extends GuAppAwareConstruct(AutoScalingGroup) {
       httpPutResponseHopLimit,
     });
 
-    // Add Wazuh & additional consumer specified Security Groups
+    // Add additional consumer specified Security Groups
     // Note: Launch templates via CDK allow specifying only one SG, so use connections
     // https://github.com/aws/aws-cdk/issues/18712
-    [GuWazuhAccess.getInstance(scope, vpc), ...additionalSecurityGroups].forEach((sg) =>
-      launchTemplate.connections.addSecurityGroup(sg),
-    );
+    additionalSecurityGroups.forEach((sg) => launchTemplate.connections.addSecurityGroup(sg));
 
     const asgProps: AutoScalingGroupProps = {
       ...props,

diff --git a/src/constructs/ec2/security-groups/base.ts b/src/constructs/ec2/security-groups/base.ts
@@ -41,7 +41,6 @@ export interface GuSecurityGroupProps extends GuBaseSecurityGroupProps, AppIdent
  * An ingress rule on port 22 is strictly forbidden as SSH via SSM is preferred.
  *
  * Prefer to use a concrete implementation where possible. See:
- * - [[GuWazuhAccess]]
  * - [[GuPublicInternetAccessSecurityGroup]]
  * - [[GuHttpsEgressSecurityGroup]]
  */

diff --git a/src/constructs/ec2/security-groups/index.ts b/src/constructs/ec2/security-groups/index.ts
@@ -1,2 +1 @@
 export * from "./base";
-export * from "./wazuh";
diff --git a/src/constructs/ec2/security-groups/wazuh.test.ts b/src/constructs/ec2/security-groups/wazuh.test.ts
diff --git a/src/constructs/ec2/security-groups/wazuh.ts b/src/constructs/ec2/security-groups/wazuh.ts
diff --git a/src/constructs/iam/roles/instance-role.ts b/src/constructs/iam/roles/instance-role.ts
@@ -30,11 +30,10 @@ export type GuInstanceRolePropsWithApp = GuInstanceRoleProps & AppIdentity;
  *
  * More specifically:
  * 1. Allows for `ssh` access to an EC2 instance via [ssm-scala](https://github.com/guardian/ssm-scala) (instead of standard `ssh`).
- * 2. Allows EC2 instances to communicate with Wazuh, for security monitoring.
- * 3. Allows EC2 instances to download an artifact from AWS S3, for application deployment.
- * 4. Allows EC2 instances to download private configuration from AWS Parameter Store. See [[`GuParameterStoreReadPolicy`]]
+ * 2. Allows EC2 instances to download an artifact from AWS S3, for application deployment.
+ * 3. Allows EC2 instances to download private configuration from AWS Parameter Store. See [[`GuParameterStoreReadPolicy`]]
  * for specific details.
- * 5. Allows EC2 instances to write logs into our central ELK stack via Kinesis.
+ * 4. Allows EC2 instances to write logs into our central ELK stack via Kinesis.
  *
  * If additional IAM permissions are required, create custom policies and pass them in via the `additionalPolicies` prop.
  *

diff --git a/src/experimental/patterns/__snapshots__/ec2-app.test.ts.snap b/src/experimental/patterns/__snapshots__/ec2-app.test.ts.snap
@@ -20,7 +20,6 @@ exports[`The GuEc2AppExperimental pattern matches the snapshot 1`] = `
       "GuParameterStoreReadPolicy",
       "GuAmiParameter",
       "GuHttpsEgressSecurityGroup",
-      "GuWazuhAccess",
       "GuAutoScalingGroup",
       "GuApplicationLoadBalancer",
       "GuApplicationTargetGroup",
@@ -568,27 +567,6 @@ exports[`The GuEc2AppExperimental pattern matches the snapshot 1`] = `
       },
       "Type": "AWS::EC2::SecurityGroupEgress",
     },
-    "LoadBalancerTestguec2appSecurityGrouptoTestWazuhSecurityGroup8092AEDC9000720EFF26": {
-      "Properties": {
-        "Description": "Load balancer to target",
-        "DestinationSecurityGroupId": {
-          "Fn::GetAtt": [
-            "WazuhSecurityGroup",
-            "GroupId",
-          ],
-        },
-        "FromPort": 9000,
-        "GroupId": {
-          "Fn::GetAtt": [
-            "LoadBalancerTestguec2appSecurityGroupCC6F85C1",
-            "GroupId",
-          ],
-        },
-        "IpProtocol": "tcp",
-        "ToPort": 9000,
-      },
-      "Type": "AWS::EC2::SecurityGroupEgress",
-    },
     "ParameterStoreReadTestguec2app072DCDE1": {
       "Properties": {
         "PolicyDocument": {
@@ -733,70 +711,6 @@ exports[`The GuEc2AppExperimental pattern matches the snapshot 1`] = `
       },
       "Type": "AWS::ElasticLoadBalancingV2::TargetGroup",
     },
-    "WazuhSecurityGroup": {
-      "Properties": {
-        "GroupDescription": "Allow outbound traffic from wazuh agent to manager",
-        "SecurityGroupEgress": [
-          {
-            "CidrIp": "0.0.0.0/0",
-            "Description": "Wazuh event logging",
-            "FromPort": 1514,
-            "IpProtocol": "tcp",
-            "ToPort": 1514,
-          },
-          {
-            "CidrIp": "0.0.0.0/0",
-            "Description": "Wazuh agent registration",
-            "FromPort": 1515,
-            "IpProtocol": "tcp",
-            "ToPort": 1515,
-          },
-        ],
-        "Tags": [
-          {
-            "Key": "gu:cdk:version",
-            "Value": "TEST",
-          },
-          {
-            "Key": "gu:repo",
-            "Value": "guardian/cdk",
-          },
-          {
-            "Key": "Stack",
-            "Value": "test-stack",
-          },
-          {
-            "Key": "Stage",
-            "Value": "TEST",
-          },
-        ],
-        "VpcId": {
-          "Ref": "VpcId",
-        },
-      },
-      "Type": "AWS::EC2::SecurityGroup",
-    },
-    "WazuhSecurityGroupfromTestLoadBalancerTestguec2appSecurityGroup5F9E11C99000BB163DB4": {
-      "Properties": {
-        "Description": "Load balancer to target",
-        "FromPort": 9000,
-        "GroupId": {
-          "Fn::GetAtt": [
-            "WazuhSecurityGroup",
-            "GroupId",
-          ],
-        },
-        "IpProtocol": "tcp",
-        "SourceSecurityGroupId": {
-          "Fn::GetAtt": [
-            "LoadBalancerTestguec2appSecurityGroupCC6F85C1",
-            "GroupId",
-          ],
-        },
-        "ToPort": 9000,
-      },
-      "Type": "AWS::EC2::SecurityGroupIngress",
-    },
     "teststackTESTtestguec2appAA7F41BE": {
       "DependsOn": [
         "InstanceRoleTestguec2appC325BE42",
@@ -826,12 +740,6 @@ exports[`The GuEc2AppExperimental pattern matches the snapshot 1`] = `
                 "GroupId",
               ],
             },
-            {
-              "Fn::GetAtt": [
-                "WazuhSecurityGroup",
-                "GroupId",
-              ],
-            },
           ],
           "TagSpecifications": [
             {
-Original file line number
+Diff line change
@@ Expand Up / @@ -134,9 +134,6 @@ describe("The GuAutoScalingGroup", () => { @@
               {
                 "Fn::GetAtt": [Match.stringLikeRegexp(`GuHttpsEgressSecurityGroup${app}[A-Z0-9]+`), "GroupId"],
               },
-              {
-                "Fn::GetAtt": ["WazuhSecurityGroup", "GroupId"],
-              },
               {
                 "Fn::GetAtt": [Match.stringLikeRegexp("SecurityGroupTesting[A-Z0-9]+"), "GroupId"],
               },
@@ Expand Down @@
Original file line number	Diff line number	Diff line change
		@@ -1,2 +1 @@
		export * from "./base";
		export * from "./wazuh";