Fix nested trust boundaries

hupe1980 · hupe1980 · commit 098581652d63 · 2022-06-24T16:38:47.000+02:00
diff --git a/API.md b/API.md
@@ -44,6 +44,7 @@ new plus_aws.ApplicationLoadBalancer(scope: Construct, id: string, props: Applic
 | --- | --- |
 | <code><a href="#cdktg.plus_aws.ApplicationLoadBalancer.toString">toString</a></code> | Returns a string representation of this construct. |
 | <code><a href="#cdktg.plus_aws.ApplicationLoadBalancer.communicatesWith">communicatesWith</a></code> | *No description.* |
+| <code><a href="#cdktg.plus_aws.ApplicationLoadBalancer.isTrafficForwarding">isTrafficForwarding</a></code> | *No description.* |
 | <code><a href="#cdktg.plus_aws.ApplicationLoadBalancer.isWebApplication">isWebApplication</a></code> | *No description.* |
 | <code><a href="#cdktg.plus_aws.ApplicationLoadBalancer.isWebService">isWebService</a></code> | *No description.* |
 | <code><a href="#cdktg.plus_aws.ApplicationLoadBalancer.processes">processes</a></code> | *No description.* |
@@ -83,6 +84,12 @@ public communicatesWith(id: string, target: TechnicalAsset, options: Communicati
 
 ---
 
+##### `isTrafficForwarding` <a name="isTrafficForwarding" id="cdktg.plus_aws.ApplicationLoadBalancer.isTrafficForwarding"></a>
+
+```typescript
+public isTrafficForwarding(): boolean
+```
+
 ##### `isWebApplication` <a name="isWebApplication" id="cdktg.plus_aws.ApplicationLoadBalancer.isWebApplication"></a>
 
 ```typescript
@@ -182,7 +189,6 @@ Any object.
 | <code><a href="#cdktg.plus_aws.ApplicationLoadBalancer.property.owner">owner</a></code> | <code>string</code> | *No description.* |
 | <code><a href="#cdktg.plus_aws.ApplicationLoadBalancer.property.scope">scope</a></code> | <code><a href="#cdktg.Scope">Scope</a></code> | *No description.* |
 | <code><a href="#cdktg.plus_aws.ApplicationLoadBalancer.property.tags">tags</a></code> | <code>string[]</code> | *No description.* |
-| <code><a href="#cdktg.plus_aws.ApplicationLoadBalancer.property.trustBoundary">trustBoundary</a></code> | <code><a href="#cdktg.TrustBoundary">TrustBoundary</a></code> | *No description.* |
 | <code><a href="#cdktg.plus_aws.ApplicationLoadBalancer.property.securityGroup">securityGroup</a></code> | <code>cdktg.plus_aws.SecurityGroup</code> | *No description.* |
 
 ---
@@ -379,16 +385,6 @@ public readonly tags: string[];
 
 ---
 
-##### `trustBoundary`<sup>Optional</sup> <a name="trustBoundary" id="cdktg.plus_aws.ApplicationLoadBalancer.property.trustBoundary"></a>
-
-```typescript
-public readonly trustBoundary: TrustBoundary;
-```
-
-- *Type:* <a href="#cdktg.TrustBoundary">TrustBoundary</a>
-
----
-
 ##### `securityGroup`<sup>Required</sup> <a name="securityGroup" id="cdktg.plus_aws.ApplicationLoadBalancer.property.securityGroup"></a>
 
 ```typescript
@@ -442,6 +438,7 @@ new plus.Browser(scope: Construct, id: string, props: BrowserProps)
 | --- | --- |
 | <code><a href="#cdktg.plus.Browser.toString">toString</a></code> | Returns a string representation of this construct. |
 | <code><a href="#cdktg.plus.Browser.communicatesWith">communicatesWith</a></code> | *No description.* |
+| <code><a href="#cdktg.plus.Browser.isTrafficForwarding">isTrafficForwarding</a></code> | *No description.* |
 | <code><a href="#cdktg.plus.Browser.isWebApplication">isWebApplication</a></code> | *No description.* |
 | <code><a href="#cdktg.plus.Browser.isWebService">isWebService</a></code> | *No description.* |
 | <code><a href="#cdktg.plus.Browser.processes">processes</a></code> | *No description.* |
@@ -481,6 +478,12 @@ public communicatesWith(id: string, target: TechnicalAsset, options: Communicati
 
 ---
 
+##### `isTrafficForwarding` <a name="isTrafficForwarding" id="cdktg.plus.Browser.isTrafficForwarding"></a>
+
+```typescript
+public isTrafficForwarding(): boolean
+```
+
 ##### `isWebApplication` <a name="isWebApplication" id="cdktg.plus.Browser.isWebApplication"></a>
 
 ```typescript
@@ -580,7 +583,6 @@ Any object.
 | <code><a href="#cdktg.plus.Browser.property.owner">owner</a></code> | <code>string</code> | *No description.* |
 | <code><a href="#cdktg.plus.Browser.property.scope">scope</a></code> | <code><a href="#cdktg.Scope">Scope</a></code> | *No description.* |
 | <code><a href="#cdktg.plus.Browser.property.tags">tags</a></code> | <code>string[]</code> | *No description.* |
-| <code><a href="#cdktg.plus.Browser.property.trustBoundary">trustBoundary</a></code> | <code><a href="#cdktg.TrustBoundary">TrustBoundary</a></code> | *No description.* |
 
 ---
 
@@ -776,16 +778,6 @@ public readonly tags: string[];
 
 ---
 
-##### `trustBoundary`<sup>Optional</sup> <a name="trustBoundary" id="cdktg.plus.Browser.property.trustBoundary"></a>
-
-```typescript
-public readonly trustBoundary: TrustBoundary;
-```
-
-- *Type:* <a href="#cdktg.TrustBoundary">TrustBoundary</a>
-
----
-
 
 ### Cloud <a name="Cloud" id="cdktg.plus_aws.Cloud"></a>
 
@@ -2581,6 +2573,7 @@ new TechnicalAsset(scope: Construct, id: string, props: TechnicalAssetProps)
 | --- | --- |
 | <code><a href="#cdktg.TechnicalAsset.toString">toString</a></code> | Returns a string representation of this construct. |
 | <code><a href="#cdktg.TechnicalAsset.communicatesWith">communicatesWith</a></code> | *No description.* |
+| <code><a href="#cdktg.TechnicalAsset.isTrafficForwarding">isTrafficForwarding</a></code> | *No description.* |
 | <code><a href="#cdktg.TechnicalAsset.isWebApplication">isWebApplication</a></code> | *No description.* |
 | <code><a href="#cdktg.TechnicalAsset.isWebService">isWebService</a></code> | *No description.* |
 | <code><a href="#cdktg.TechnicalAsset.processes">processes</a></code> | *No description.* |
@@ -2620,6 +2613,12 @@ public communicatesWith(id: string, target: TechnicalAsset, options: Communicati
 
 ---
 
+##### `isTrafficForwarding` <a name="isTrafficForwarding" id="cdktg.TechnicalAsset.isTrafficForwarding"></a>
+
+```typescript
+public isTrafficForwarding(): boolean
+```
+
 ##### `isWebApplication` <a name="isWebApplication" id="cdktg.TechnicalAsset.isWebApplication"></a>
 
 ```typescript
@@ -2719,7 +2718,6 @@ Any object.
 | <code><a href="#cdktg.TechnicalAsset.property.owner">owner</a></code> | <code>string</code> | *No description.* |
 | <code><a href="#cdktg.TechnicalAsset.property.scope">scope</a></code> | <code><a href="#cdktg.Scope">Scope</a></code> | *No description.* |
 | <code><a href="#cdktg.TechnicalAsset.property.tags">tags</a></code> | <code>string[]</code> | *No description.* |
-| <code><a href="#cdktg.TechnicalAsset.property.trustBoundary">trustBoundary</a></code> | <code><a href="#cdktg.TrustBoundary">TrustBoundary</a></code> | *No description.* |
 
 ---
 
@@ -2915,16 +2913,6 @@ public readonly tags: string[];
 
 ---
 
-##### `trustBoundary`<sup>Optional</sup> <a name="trustBoundary" id="cdktg.TechnicalAsset.property.trustBoundary"></a>
-
-```typescript
-public readonly trustBoundary: TrustBoundary;
-```
-
-- *Type:* <a href="#cdktg.TrustBoundary">TrustBoundary</a>
-
----
-
 
 ### TrustBoundary <a name="TrustBoundary" id="cdktg.TrustBoundary"></a>
 
@@ -3165,6 +3153,7 @@ new plus.Vault(scope: Construct, id: string, props: VaultProps)
 | --- | --- |
 | <code><a href="#cdktg.plus.Vault.toString">toString</a></code> | Returns a string representation of this construct. |
 | <code><a href="#cdktg.plus.Vault.communicatesWith">communicatesWith</a></code> | *No description.* |
+| <code><a href="#cdktg.plus.Vault.isTrafficForwarding">isTrafficForwarding</a></code> | *No description.* |
 | <code><a href="#cdktg.plus.Vault.isWebApplication">isWebApplication</a></code> | *No description.* |
 | <code><a href="#cdktg.plus.Vault.isWebService">isWebService</a></code> | *No description.* |
 | <code><a href="#cdktg.plus.Vault.processes">processes</a></code> | *No description.* |
@@ -3205,6 +3194,12 @@ public communicatesWith(id: string, target: TechnicalAsset, options: Communicati
 
 ---
 
+##### `isTrafficForwarding` <a name="isTrafficForwarding" id="cdktg.plus.Vault.isTrafficForwarding"></a>
+
+```typescript
+public isTrafficForwarding(): boolean
+```
+
 ##### `isWebApplication` <a name="isWebApplication" id="cdktg.plus.Vault.isWebApplication"></a>
 
 ```typescript
@@ -3316,7 +3311,6 @@ Any object.
 | <code><a href="#cdktg.plus.Vault.property.owner">owner</a></code> | <code>string</code> | *No description.* |
 | <code><a href="#cdktg.plus.Vault.property.scope">scope</a></code> | <code><a href="#cdktg.Scope">Scope</a></code> | *No description.* |
 | <code><a href="#cdktg.plus.Vault.property.tags">tags</a></code> | <code>string[]</code> | *No description.* |
-| <code><a href="#cdktg.plus.Vault.property.trustBoundary">trustBoundary</a></code> | <code><a href="#cdktg.TrustBoundary">TrustBoundary</a></code> | *No description.* |
 | <code><a href="#cdktg.plus.Vault.property.configurationSecrets">configurationSecrets</a></code> | <code><a href="#cdktg.DataAsset">DataAsset</a></code> | *No description.* |
 | <code><a href="#cdktg.plus.Vault.property.vaultStorage">vaultStorage</a></code> | <code><a href="#cdktg.TechnicalAsset">TechnicalAsset</a></code> | *No description.* |
 
@@ -3514,16 +3508,6 @@ public readonly tags: string[];
 
 ---
 
-##### `trustBoundary`<sup>Optional</sup> <a name="trustBoundary" id="cdktg.plus.Vault.property.trustBoundary"></a>
-
-```typescript
-public readonly trustBoundary: TrustBoundary;
-```
-
-- *Type:* <a href="#cdktg.TrustBoundary">TrustBoundary</a>
-
----
-
 ##### `configurationSecrets`<sup>Required</sup> <a name="configurationSecrets" id="cdktg.plus.Vault.property.configurationSecrets"></a>
 
 ```typescript
diff --git a/src/plus-aws/application-load-balancer.ts b/src/plus-aws/application-load-balancer.ts
@@ -45,7 +45,7 @@ export class ApplicationLoadBalancer extends TechnicalAsset {
       customDevelopedParts: false,
     });
 
-    this.securityGroup =
+    this.securityGroup = this.trustBoundary =
       props.securityGroup ?? new SecurityGroup(this, `${id} SG`);
 
     this.securityGroup.addTechnicalAssets(this);
diff --git a/src/technical-asset.ts b/src/technical-asset.ts
@@ -45,10 +45,11 @@ export class TechnicalAsset extends Resource {
   public readonly ciaTriad: CIATriad;
   public readonly multiTenant: boolean;
   public readonly redundant: boolean;
-  public readonly trustBoundary?: TrustBoundary;
   public readonly customDevelopedParts: boolean;
   public readonly dataFormatsAccepted?: DataFormat[];
 
+  protected trustBoundary?: TrustBoundary;
+
   private dataAssetsProcessed: Set<string>;
   private dataAssetsStored: Set<string>;
   private communications: Communication[];
@@ -119,6 +120,14 @@ export class TechnicalAsset extends Resource {
     );
   }
 
+  public isTrafficForwarding(): boolean {
+    return [
+      Technology.LOAD_BALANCER,
+      Technology.REVERSE_PROXY,
+      Technology.WAF,
+    ].includes(this.technology);
+  }
+
   public communicatesWith(
     id: string,
     target: TechnicalAsset,
@@ -135,6 +144,13 @@ export class TechnicalAsset extends Resource {
     return communication;
   }
 
+  /**
+   * @internal
+   */
+  public get _trustBoundary() {
+    return this.trustBoundary;
+  }
+
   /**
    * @internal
    */
diff --git a/src/trust-boundary.ts b/src/trust-boundary.ts
@@ -33,9 +33,8 @@ export class TrustBoundary extends Resource {
 
   public addTechnicalAssets(...assets: TechnicalAsset[]) {
     assets.forEach((a) => {
-      if (a.trustBoundary) {
-        this.addTrustBoundary(a.trustBoundary);
-        return;
+      if (a._trustBoundary) {
+        return this.addTrustBoundary(a._trustBoundary);
       }
 
       this.technicalAssetsInside.add(a.uuid);
diff --git a/test/plus-aws/application-load-balancer.test.ts b/test/plus-aws/application-load-balancer.test.ts
@@ -35,7 +35,7 @@ test("synth application-load-balancer with default securit-group", () => {
 
   const cloud = new Cloud(model, "AWS-Cloud");
 
-  cloud.addTrustBoundary(alb.securityGroup);
+  cloud.addTechnicalAssets(alb);
 
   project.synth();
 });
