How to add public subnets to a security group? - aws-cdk

I wrote this code to add the public subnets of a VPC to an rdsSecurityGroup:
for publicSubnet in self.vpc.public_subnets:
    self.rdsSecurityGroup.add_ingress_rule(peer=publicSubnet,
                                           connection=ec2.Port.tcp(3306))
But I got this error:
jsii.errors.JSIIError: peer.toIngressRuleConfig is not a function
How can I resolve this?

According to https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#security-group-rules, the source/destination of the security group rule can be one of
IP address (range)
Security group
AWS service prefix
Based on the above, you would need to look up the CIDR blocks of your public subnets and add those as the sources of your ingress rules. However, it looks like looking up the CIDR blocks of a VPC or its subnets is not so easy at the moment - https://github.com/aws/aws-cdk/issues/2232. You would need to either remember your CIDR blocks in the code if you are creating the subnets, or have the CIDR blocks as constants in your code in case you are using an existing VPC and subnets.
An alternative, perhaps more suitable and convenient, is to use security groups as the source for your rules. Add all resources in your public subnets to security groups and manage security group rules based on those.
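As an added example (not code from the answer above, and not CDK code itself): this is what the two valid source shapes look like at the CloudFormation level that `cdk synth` emits, with a check that each subnet CIDR is a properly aligned IPv4 network inside the VPC, and a small audit that flags a database port reachable from a whole address range or from the internet. In CDK terms the first shape is what `add_ingress_rule(ec2.Peer.ipv4(subnet.ipv4_cidr_block), ec2.Port.tcp(3306))` produces for a subnet created in the same stack, and the second is what `add_ingress_rule(app_sg, ec2.Port.tcp(3306))` produces, an `ISecurityGroup` being usable as an `IPeer`. The VPC CIDR, subnet CIDRs, security group id and port below are constructed for the example.

```python
import ipaddress

# Constructed sample values for this example (not from the question).
VPC_CIDR = "10.0.0.0/16"
PUBLIC_SUBNET_CIDRS = ["10.0.0.0/24", "10.0.1.0/24"]
APP_SG_ID = "sg-0123456789abcdef0"
DB_PORT = 3306


def is_valid_subnet_cidr(cidr, vpc_cidr=VPC_CIDR):
    """A usable source is a properly aligned IPv4 network inside the VPC.
    strict=True rejects a host address written with a prefix, e.g. 10.0.0.5/24."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError:
        return False
    return net.version == 4 and net.subnet_of(ipaddress.ip_network(vpc_cidr))


def cidr_ingress_rules(subnet_cidrs, port, vpc_cidr=VPC_CIDR):
    """The entries CDK synthesizes for
    add_ingress_rule(ec2.Peer.ipv4(cidr), ec2.Port.tcp(port)).
    A subnet construct is not a valid peer; its CIDR string is."""
    rules = []
    for cidr in subnet_cidrs:
        if not is_valid_subnet_cidr(cidr, vpc_cidr):
            raise ValueError(f"{cidr} is not a subnet of {vpc_cidr}")
        rules.append({"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
                      "CidrIp": str(ipaddress.ip_network(cidr))})
    return rules


def sg_ingress_rule(source_sg_id, port):
    """The entry synthesized for add_ingress_rule(app_sg, ec2.Port.tcp(port)):
    membership follows the instances in app_sg, not an address range."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "SourceSecurityGroupId": source_sg_id}


def audit_db_ingress(rules, port, vpc_cidr=VPC_CIDR):
    """Findings for every rule that reaches `port` from anything wider than a
    security-group source. Feed it the SecurityGroupIngress list of a
    synthesized template (dicts with the CloudFormation property names)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    findings = []
    for rule in rules:
        proto = rule.get("IpProtocol")
        if proto not in ("tcp", "-1"):          # "-1" means all protocols/ports
            continue
        if proto == "tcp" and not (rule["FromPort"] <= port <= rule["ToPort"]):
            continue
        if "SourceSecurityGroupId" in rule:
            continue                            # the preferred form
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if cidr is None:
            findings.append(f"rule with no CIDR or security-group source: {rule}")
            continue
        net = ipaddress.ip_network(cidr)
        if net.prefixlen == 0:
            findings.append(f"port {port} open to the internet via {cidr}")
        elif net.version != vpc.version or not net.subnet_of(vpc):
            findings.append(f"port {port} open to {cidr}, which is outside the VPC")
        else:
            findings.append(f"port {port} open to the whole range {cidr}; "
                            "prefer a security-group source")
    return findings


if __name__ == "__main__":
    cidr_rules = cidr_ingress_rules(PUBLIC_SUBNET_CIDRS, DB_PORT)
    for finding in audit_db_ingress(cidr_rules, DB_PORT):
        print(finding)
    print(audit_db_ingress([sg_ingress_rule(APP_SG_ID, DB_PORT)], DB_PORT))
```

The CIDR form works, but it admits every address in the public subnets, including anything an attacker launches there later; the security-group form admits only members of `app_sg`, which is why the audit treats it as the clean case. To use the audit against real output, load the JSON from `cdk synth`, collect the `SecurityGroupIngress` lists (and `AWS::EC2::SecurityGroupIngress` resources) and pass them in.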

Related

How do I get a handle to the VPC instance created by AWS-CDK ApplicationLoadBalancedFargateService

According to the documentation, the Service:
uses the VPC defined in the cluster or creates a new VPC.
But, there doesn't appear to be a property available to get at the newly created VPC. Since CDK mangles the name, getting it by lookup is also difficult.
The VPC can be accessed via the cluster property of the service:
@property
def vpc(self) -> Vpc:
    return self._fargate.cluster.vpc

Rename Apollo Federation's OpenTelemetry traces based on operation name (named queries)

I have a federated Apollo Graph (using ApolloGateway) and a bunch of subgraph microservices. I’ve set them up to do distributed tracing via OpenTelemetry.
Now, they do produce a bunch of traces that I can see in my backend (Elastic APM). However, they are all named graphql.execute, graphql.parse, etc. It is not easy to look for a specific mutation or query to monitor.
What I want to do instead is to take the operation name from the named queries like:
query HeroNameAndFriends {
  hero {
    name
    friends {
      name
    }
  }
}
and rename the entire trace to HeroNameAndFriends.
Is that an acceptable, recommended thing to do?
How would I achieve that?
Do subgraphs have access to the name of the named queries? Can I start small from one of the microservices or do I have to modify the Gateway?
Thank you!

How to remove children from cloudformation constructs

I am using aws-cdk for creating the stack of a new app. We have existing resources deployed with CloudFormation, such as route tables with our VPC peerings and others.
When I create a Subnet with aws-cdk, it automatically creates a route table.
However, I don't need this route table. I use another, already created route table. How can I remove the default route table?
I know I could use CfnSubnet instead of Subnet, but I was wondering if there is another solution.
Subnet subnet = new Subnet(this, "Subnet", SubnetProps.builder()
        .withVpcId(vpc.getVpcId())
        .withAvailabilityZone("eu-west-1b")
        .withCidrBlock(String.format("10.%d.43.128/25", environmentId))
        .build());
// The L2 Subnet also synthesizes a RouteTable and a RouteTableAssociation as child constructs.
// Repoint the association at the existing route table exported by the other stack.
CfnSubnetRouteTableAssociation routeTableAssociation =
        (CfnSubnetRouteTableAssociation) subnet.getNode().tryFindChild("RouteTableAssociation");
routeTableAssociation.setRouteTableId(Fn.importValue(String.format("%s-nat-nat000", environment)));
// The default route table child that is no longer needed:
CfnRouteTable cfnRouteTable = (CfnRouteTable) subnet.getNode().tryFindChild("RouteTable");
I think the solution you proposed is the best way to achieve that.

grails field level security - spring acl

I am working on a project where we have a requirement to provide field-level access to users.
Example:
Suppose there is an entity named employee with several fields.
The application should allow secure access at the field level of the entity.
Depending on the access granted, the user is allowed to edit or read the fields.
We have thought of an implementation using Spring ACL, but it provides instance-level security.
Could someone please let me know an elegant way to implement it?
Thanks in advance.
Take a look at the fields plugin.
It allows you to control how individual fields are rendered.
You could implement a security check within each field's _field.gsp fragment, or you could override the plugin's taglib's f:all method and add a security check there if you prefer.
You could use the plugin for that, but you'd need to do some extra work. The ACL support in Spring Security basically lets you say "grant permission x on object instance y (of type "foo") with id z to person p". There is an example permissions class with standard instances like Read, Write, Admin, etc., but the underlying infrastructure only works with the numbers 1, 2, 4, 8, etc. so you can easily define your own permission types - they're really just mappings of human-readable names to numbers. You typically grant permissions on domain object instances, but under the hood the names of the domain classes are just strings, so you could store any type name there. And the ids can be any value, e.g. a number or a string.
You wouldn't be able to use the @PreAuthorize and @PostFilter annotations on service methods, but you can still query the ACL beans to see if, given a field or whatever you want, the currently authenticated user is allowed to perform some action.
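To make the scheme in this answer concrete, here is an added example that is not Spring ACL code and not from the answer, written in Python rather than Groovy: a small deny-by-default ACL in which the "object type" is an entity-plus-field name, the id is the instance id (or `*` for a class-wide grant, a convention of this example only), and permissions are bit masks using Spring Security's BasePermission values (READ=1, WRITE=2, CREATE=4, DELETE=8, ADMINISTRATION=16). The employee record, roles and grants are constructed sample data.

```python
from dataclasses import dataclass, field

# Masks as in Spring Security's BasePermission; combine them with |.
READ, WRITE, CREATE, DELETE, ADMIN = 1, 2, 4, 8, 16

ANY_INSTANCE = "*"  # class-wide grant: a convention of this example, not of Spring ACL


@dataclass(frozen=True)
class ObjectIdentity:
    type_name: str    # e.g. "Employee.salary"; any string, as the answer notes
    identifier: str   # instance id as a string, or ANY_INSTANCE


@dataclass
class FieldAcl:
    # (identity, sid) -> combined permission mask; a sid is a user or role name
    entries: dict = field(default_factory=dict)

    def grant(self, identity, sid, mask):
        key = (identity, sid)
        self.entries[key] = self.entries.get(key, 0) | mask

    def is_granted(self, identity, sids, mask):
        """Deny by default: some sid must hold every bit of `mask`,
        either on this exact instance or class-wide for the field."""
        candidates = (identity, ObjectIdentity(identity.type_name, ANY_INSTANCE))
        return any(
            self.entries.get((ident, sid), 0) & mask == mask
            for sid in sids
            for ident in candidates
        )


def field_identity(entity, field_name, instance_id):
    return ObjectIdentity(f"{entity}.{field_name}", str(instance_id))


def readable_view(acl, sids, entity, instance_id, record):
    """Only the fields the caller may read; the others are dropped, not blanked,
    so a client cannot tell a hidden field from an absent one."""
    return {name: value for name, value in record.items()
            if acl.is_granted(field_identity(entity, name, instance_id), sids, READ)}


def denied_writes(acl, sids, entity, instance_id, changes):
    """Fields in `changes` the caller may not write; empty means the update may proceed.
    Checked before any field is applied, so a partially allowed update is rejected whole."""
    return sorted(name for name in changes
                  if not acl.is_granted(field_identity(entity, name, instance_id), sids, WRITE))


def build_sample_acl():
    """Constructed sample grants for the example."""
    acl = FieldAcl()
    for name in ("name", "email"):
        acl.grant(ObjectIdentity(f"Employee.{name}", ANY_INSTANCE), "ROLE_USER", READ)
    acl.grant(ObjectIdentity("Employee.salary", ANY_INSTANCE), "ROLE_HR", READ | WRITE)
    # employee 42 may read and update their own email, and nothing else beyond ROLE_USER
    acl.grant(field_identity("Employee", "email", 42), "user:42", READ | WRITE)
    return acl


EMPLOYEE_42 = {"name": "Ada", "email": "ada@example.com", "salary": 100000}  # constructed

if __name__ == "__main__":
    acl = build_sample_acl()
    print(readable_view(acl, ["ROLE_USER"], "Employee", 42, EMPLOYEE_42))
    print(denied_writes(acl, ["ROLE_USER", "user:42"], "Employee", 42,
                        {"email": "new@example.com", "salary": 1}))
```

In a Grails service the same two calls would sit in front of the field rendering (the fields plugin hook mentioned in the other answer) and in front of `save()`, with `sids` taken from the authenticated principal's authorities; the point of checking `denied_writes` before touching the domain instance is that an update is either fully authorized or not applied at all.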

Using custom Data Service Providers, do I have any control over URLs that are returned?

I'm implementing several custom Data Service Providers in WCF Data Services:
IDataServiceMetadataProvider
IDataServiceQueryProvider
IDataServiceUpdateProvider
To illustrate the point of my question consider this made-up example:
I have a resource called "Employee," which can be addressed in the following ways:
MyDataService.svc/Employees(1)
or
MyDataService.svc/Employees?$filter=FirstName eq 'John'
The results that are returned automatically include URLs for each resource, like:
http://localhost:1337/MyDataService.svc/Employees(5), and so on.
Is it possible to, instead, have Data Services return People(5) instead of Employees(5)?
In short, I need some control over URLs that Data Services generates. Is that possible?
This does not seem possible at this time.
