Permit using vpcNames in BlackHole Routes to enhance readability (#21)

Now an existing (within the same configuration file) `vpc:` definition can be referred to by name in the BlackHole section. See the `config-walkthrough.yaml` for details in the `blackholeRoutes:` section.
aws-samples · Sep 15, 2023 · c0509e1 · c0509e1
1 parent 41603c7
commit c0509e1
Show file tree

Hide file tree

Showing 4 changed files with 58 additions and 7 deletions.
diff --git a/config/config-walkthrough.yaml b/config/config-walkthrough.yaml
@@ -316,10 +316,12 @@ transitGateways:
     # be tossed into the garbage.  Use this when you have some 'must not' rules to enforce.  Ie: Blacklisting all Production
     # CIDR Addresses on your Development VPC is a good idea!  That way traffic can never get there regardless of routing rules.
     blackholeRoutes:
-        # REQUIRED: The name of the thing we're routing from.  This can be a VPC, or a Provider name.
+        # REQUIRED: The name of the thing we're setting the blackhole for.  This can be a VPC, or a Provider name.
       - vpcName: workloadTwo
-        # REQUIRED: CIDR addresses to discard traffic from
+        # REQUIRED: CIDR addresses to discard traffic from OR the name of a VPC from the `vpc:` section above.  When a vpcName
+        # is specified the vpcCidr is used from the configuration definition above.
         blackholeCidrs:
         - 192.168.168.0/24
+        - workload
         # More blackholeCidrs supported
       # More Lists of Objects supported.
diff --git a/config/sample-central-egress-inspected.vpcBuilder.yaml b/config/sample-central-egress-inspected.vpcBuilder.yaml
@@ -52,7 +52,7 @@ transitGateways:
     blackholeRoutes:
       - vpcName: isolatedVpcOne
         blackholeCidrs:
-          - 10.11.0.0/19
+          - isolatedVpcTwo
       - vpcName: isolatedVpcTwo
         blackholeCidrs:
-          - 10.10.0.0/19
+          - isolatedVpcOne
diff --git a/lib/config/parser.ts b/lib/config/parser.ts
@@ -219,10 +219,32 @@ export class ConfigParser {
     )) {
       const configStanza = this.configRaw.transitGateways[transitGatewayName];
       if (configStanza.blackholeRoutes) {
+        console.log(`Black Hole Routes found, evaluating`);
         for (const route of configStanza.blackholeRoutes) {
-          for (const blackholeCidr of route.blackholeCidrs) {
-            this.verifyCidr(blackholeCidr, false);
-          }
+          route.blackholeCidrs.forEach(
+            (blackholeCidr: string, index: number) => {
+              if (this.blackholeIsCidr(blackholeCidr)) {
+                console.log(`${blackholeCidr} is considered a blackholecidr`);
+                this.verifyCidr(blackholeCidr, false);
+              } else {
+                console.log(`${blackholeCidr} is not a valid cidr`);
+                // Value provided is not CIDR formatted, see if it matches a VPC
+                if (this.vpcNameExists(blackholeCidr)) {
+                  console.log(
+                    `${blackholeCidr} is considered a valid VPC Name`,
+                  );
+                  // We will substitute the value of our VPCs CIDR address here since the rest of our code
+                  // Expects our value to be a CIDR format
+                  route.blackholeCidrs[index] =
+                    this.configRaw.vpcs[blackholeCidr].vpcCidr;
+                } else {
+                  throw new Error(
+                    `blackholeRoutes contains blackholeCidr with value ${blackholeCidr}.  Not a valid CIDR Address or Vpc Name within the 'vpc:' configuration section.`,
+                  );
+                }
+              }
+            },
+          );
         }
       }
       if (configStanza.staticRoutes) {
@@ -1039,6 +1061,11 @@ export class ConfigParser {
     }
   }
 
+  // Determines if the string value passed for blackholeCidr is in a CIDR Format
+  blackholeIsCidr(cidr: string): boolean {
+    return IPCidr.isValidCIDR(cidr);
+  }
+
   verifyCidr(cidr: string, checkMaskRange: boolean = true) {
     try {
       new IPCidr(cidr);

diff --git a/test/config-parser.test.ts b/test/config-parser.test.ts
@@ -602,6 +602,28 @@ test("RouteNamingSanity", () => {
   })
 });
 
+test("BlackHoleCidrValue", () => {
+
+  const configContents: any = minimumConfig();
+  configContents.transitGateways = {
+    testing: {
+      style: "transitGateway",
+      tgwDescription: "testing",
+    },
+  };
+  // Invalid CIDR, invalid VPCName
+  configContents.transitGateways["testing"]["blackholeRoutes"] = [
+    {
+      vpcName: "dev",
+      blackholeCidrs: [ "10.1.0.0" ],
+    },
+  ]
+    let config = new ConfigParser({ configContents: configContents });
+    expect(() => config.parse()).toThrow(
+        `blackholeRoutes contains blackholeCidr with value 10.1.0.0.  Not a valid CIDR Address or Vpc Name within the 'vpc:' configuration section.`
+    );
+});
+
 test("RouteToInternetWithNoInternetProviderInVpc", () => {
   const configContents = minimumConfig();
   configContents.providers = {