From c0509e1ce1d8db7663c9ee9cab8cd2a1e0ea2ba4 Mon Sep 17 00:00:00 2001
From: Adam McLean <24688110+apmclean@users.noreply.github.com>
Date: Fri, 15 Sep 2023 13:37:25 -0400
Subject: [PATCH] Permit using vpcNames in BlackHole Routes to enhance readability (#21)

Now an existing (within the same configuration file) `vpc:` definition can be referred to by name in the BlackHole section. See the `config-walkthrough.yaml` for details in the `blackholeRoutes:` section.
---
 config/config-walkthrough.yaml | 6 ++--
 ...e-central-egress-inspected.vpcBuilder.yaml | 4 +--
 lib/config/parser.ts | 33 +++++++++++++++++--
 test/config-parser.test.ts | 22 +++++++++++++
 4 files changed, 58 insertions(+), 7 deletions(-)

diff --git a/config/config-walkthrough.yaml b/config/config-walkthrough.yaml
index 03039b2..aafa63d 100644
--- a/config/config-walkthrough.yaml
+++ b/config/config-walkthrough.yaml
@@ -316,10 +316,12 @@ transitGateways:
     # be tossed into the garbage. Use this when you have some 'must not' rules to enforce. Ie: Blacklisting all Production
     # CIDR Addresses on your Development VPC is a good idea! That way traffic can never get there regardless of routing rules.
     blackholeRoutes:
-      # REQUIRED: The name of the thing we're routing from. This can be a VPC, or a Provider name.
+      # REQUIRED: The name of the thing we're setting the blackhole for. This can be a VPC, or a Provider name.
       - vpcName: workloadTwo
-        # REQUIRED: CIDR addresses to discard traffic from
+        # REQUIRED: CIDR addresses to discard traffic from OR the name of a VPC from the `vpc:` section above. When a vpcName
+        # is specified the vpcCidr is used from the configuration definition above.
         blackholeCidrs:
           - 192.168.168.0/24
+          - workload
         # More blackholeCidrs supported
     # More Lists of Objects supported.
diff --git a/config/sample-central-egress-inspected.vpcBuilder.yaml b/config/sample-central-egress-inspected.vpcBuilder.yaml
index d4aa832..bd8a7a0 100644
--- a/config/sample-central-egress-inspected.vpcBuilder.yaml
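Review bot: The new comment on the `blackholeCidrs` entry says "When a vpcName is specified", but `vpcName` is also the key of the enclosing route item two lines up, so a reader can take it as referring to `vpcName: workloadTwo` rather than to a name placed inside the `blackholeCidrs` list. Rewording it to name the list explicitly removes the ambiguity, e.g. `# REQUIRED: CIDR addresses to discard traffic for, OR the name of a VPC from the 'vpc:' section above. When a blackholeCidrs entry is a VPC name, that VPC's vpcCidr is substituted.`. It is also worth stating that an entry which is neither a valid CIDR nor a known VPC name makes parsing fail, since that is the behaviour the parser change enforces.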
+++ b/config/sample-central-egress-inspected.vpcBuilder.yaml
@@ -52,7 +52,7 @@ transitGateways:
     blackholeRoutes:
       - vpcName: isolatedVpcOne
         blackholeCidrs:
-          - 10.11.0.0/19
+          - isolatedVpcTwo
       - vpcName: isolatedVpcTwo
         blackholeCidrs:
-          - 10.10.0.0/19
\ No newline at end of file
+          - isolatedVpcOne
\ No newline at end of file
diff --git a/lib/config/parser.ts b/lib/config/parser.ts
index 3786934..7ab9be7 100644
--- a/lib/config/parser.ts
+++ b/lib/config/parser.ts
@@ -219,10 +219,32 @@ export class ConfigParser {
       )) {
         const configStanza = this.configRaw.transitGateways[transitGatewayName];
         if (configStanza.blackholeRoutes) {
+          console.log(`Black Hole Routes found, evaluating`);
           for (const route of configStanza.blackholeRoutes) {
-            for (const blackholeCidr of route.blackholeCidrs) {
-              this.verifyCidr(blackholeCidr, false);
-            }
+            route.blackholeCidrs.forEach(
+              (blackholeCidr: string, index: number) => {
+                if (this.blackholeIsCidr(blackholeCidr)) {
+                  console.log(`${blackholeCidr} is considered a blackholecidr`);
+                  this.verifyCidr(blackholeCidr, false);
+                } else {
+                  console.log(`${blackholeCidr} is not a valid cidr`);
+                  // Value provided is not CIDR formatted, see if it matches a VPC
+                  if (this.vpcNameExists(blackholeCidr)) {
+                    console.log(
+                      `${blackholeCidr} is considered a valid VPC Name`,
+                    );
+                    // We will substitute the value of our VPCs CIDR address here since the rest of our code
+                    // Expects our value to be a CIDR format
+                    route.blackholeCidrs[index] =
+                      this.configRaw.vpcs[blackholeCidr].vpcCidr;
+                  } else {
+                    throw new Error(
+                      `blackholeRoutes contains blackholeCidr with value ${blackholeCidr}. Not a valid CIDR Address or Vpc Name within the 'vpc:' configuration section.`,
+                    );
+                  }
+                }
+              },
+            );
           }
         }
         if (configStanza.staticRoutes) {
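Review bot: The `else` branch logs `${blackholeCidr} is not a valid cidr` before the VPC-name lookup, so every legitimate name reference (the feature this commit adds) prints a line that reads as an error, and the four `console.log` calls leave debug output in `parse()`; drop them, or keep only the text of the thrown Error. The substituted value on the `route.blackholeCidrs[index] =` line is copied from `configRaw.vpcs[...].vpcCidr` without the `verifyCidr(..., false)` call the literal branch gets; if the `vpc:` section is not validated before this loop runs, adding `this.verifyCidr(route.blackholeCidrs[index], false);` after the assignment keeps both inputs to a blackhole route equally checked, which matters because these routes are the configuration's "must not" controls. Note also that the assignment rewrites `this.configRaw` in place, so anything that reads the raw config afterwards sees the CIDR rather than the name the author wrote — presumably intended, given the comment that the rest of the code expects a CIDR, but worth stating in the comment. The enclosing method starts and ends outside the hunk.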
@@ -1039,6 +1061,11 @@ export class ConfigParser {
     }
   }
 
+  // Determines if the string value passed for blackholeCidr is in a CIDR Format
+  blackholeIsCidr(cidr: string): boolean {
+    return IPCidr.isValidCIDR(cidr);
+  }
+
   verifyCidr(cidr: string, checkMaskRange: boolean = true) {
     try {
       new IPCidr(cidr);
diff --git a/test/config-parser.test.ts b/test/config-parser.test.ts
index d4cfe32..3360817 100644
--- a/test/config-parser.test.ts
+++ b/test/config-parser.test.ts
@@ -602,6 +602,28 @@ test("RouteNamingSanity", () => {
   })
 });
 
+test("BlackHoleCidrValue", () => {
+
+  const configContents: any = minimumConfig();
+  configContents.transitGateways = {
+    testing: {
+      style: "transitGateway",
+      tgwDescription: "testing",
+    },
+  };
+  // Invalid CIDR, invalid VPCName
+  configContents.transitGateways["testing"]["blackholeRoutes"] = [
+    {
+      vpcName: "dev",
+      blackholeCidrs: [ "10.1.0.0" ],
+    },
+  ]
+  let config = new ConfigParser({ configContents: configContents });
+  expect(() => config.parse()).toThrow(
+    `blackholeRoutes contains blackholeCidr with value 10.1.0.0. Not a valid CIDR Address or Vpc Name within the 'vpc:' configuration section.`
+  );
+});
+
 test("RouteToInternetWithNoInternetProviderInVpc", () => {
   const configContents = minimumConfig();
   configContents.providers = {
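Review bot: `blackholeIsCidr` has no access modifier, so it joins the class's public surface for what is a generic "is this string a CIDR" check that only the blackhole loop in `parse()` calls; `private isCidr(cidr: string): boolean` (or at least `private` on the current name) keeps the helper local and stops the name tying a general test to one caller. The comment could also say what "CIDR Format" means here, namely whatever `IPCidr.isValidCIDR` accepts, and that unlike `verifyCidr` below it performs no mask-range check, e.g. `// True when IPCidr.isValidCIDR accepts the string; no mask-range check is done here.`.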
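Review bot: The new `BlackHoleCidrValue` test only covers the rejection path; the substitution path this commit adds — a `blackholeCidrs` entry naming a VPC under `vpcs` being replaced by that VPC's `vpcCidr` — has no assertion, so a regression in `vpcNameExists` or in the `route.blackholeCidrs[index]` assignment would pass this suite. A second test that adds a `vpcs` entry to `configContents`, references its name in `blackholeCidrs`, calls `config.parse()` and asserts the entry now equals that VPC's `vpcCidr` would pin the feature; a third with a name that is not under `vpcs` would pin the name-miss message separately from the bad-CIDR one. Also, `const configContents: any = minimumConfig();` discards the inferred type that the neighbouring `RouteToInternetWithNoInternetProviderInVpc` test keeps with `const configContents = minimumConfig();`; if that type lacks `transitGateways`, a narrower cast on that one assignment is preferable to `any` on the whole object.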