feat(ec2): restrict access to default security group (under feature flag) (#25297)

This PR implements functionality which will remove the default ingress/egress rules from the VPC default security group. When a VPC is created, the default security group is created as well with default ingress/egress rules which allow _all_ traffic. It is not possible to delete the default security group, but you should never use it. As a result there are a log of security standards that recommend removing the default rules so that the security group denies all traffic by default. See [this rule](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-2).

Since the default security group cannot be managed through a CloudFormation resource, this PR introduces a new Custom Resource which will remove the ingress/egress rules.

I also think that this should be the default behavior so I have introduced a new feature flag to make this the default for new apps. As a result I had to update _a lot_ of integration tests. Since This feature flag would only be introduced on new VPCs it didn't make sense to run the update workflow on all these integration tests so I updated them to disable this new feature.

I added one new integration test to test this functionality.

fixes #19394

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: corymhall

lerna.json

@@ -3,7 +3,6 @@
   "useWorkspaces": true,
   "packages": [
     "packages/aws-cdk-lib",
-    "packages/cdk-cli-wrapper",
     "packages/cdk-assets",
     "packages/aws-cdk",
     "packages/cdk",

package.json

@@ -69,7 +69,6 @@
   "workspaces": {
     "packages": [
       "packages/aws-cdk-lib",
-      "packages/cdk-cli-wrapper",
       "packages/aws-cdk",
       "packages/cdk",
       "packages/cdk-assets",

packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/integ.restapi.vpc-endpoint.ts

@@ -13,7 +13,7 @@ class Test extends cdk.Stack {
   constructor(scope: cdk.App, id: string) {
     super(scope, id);
 
-    const vpc = new ec2.Vpc(this, 'MyVpc', {});
+    const vpc = new ec2.Vpc(this, 'MyVpc', { restrictDefaultSecurityGroup: false });
 
     const vpcEndpoint = vpc.addInterfaceEndpoint('MyVpcEndpoint', {
       service: ec2.InterfaceVpcEndpointAwsService.APIGATEWAY,

packages/@aws-cdk-testing/framework-integ/test/aws-appmesh/test/integ.mesh.ts

@@ -8,6 +8,7 @@ export const app = new cdk.App();
 const stack = new cdk.Stack(app, 'mesh-stack', {});
 
 const vpc = new ec2.Vpc(stack, 'vpc', {
+  restrictDefaultSecurityGroup: false,
   natGateways: 1,
 });
 

packages/@aws-cdk-testing/framework-integ/test/aws-autoscaling-hooktargets/test/integ.queue-hook.ts

@@ -19,7 +19,7 @@ class TestStack extends cdk.Stack {
     const queue = new Queue(this, 'HookQueue');
     this.queueUrl = queue.queueUrl;
     const group = new scaling.AutoScalingGroup(this, 'Group', {
-      vpc: new Vpc(this, 'Vpc'),
+      vpc: new Vpc(this, 'Vpc', { restrictDefaultSecurityGroup: false }),
       maxCapacity: 1,
       minCapacity: 0,
       instanceType: InstanceType.of(InstanceClass.T3, InstanceSize.SMALL),

packages/@aws-cdk-testing/framework-integ/test/aws-autoscaling/test/integ.amazonlinux2.ts

@@ -8,6 +8,7 @@ const stack = new cdk.Stack(app, 'aws-cdk-autoscaling-integ');
 
 const vpc = new ec2.Vpc(stack, 'VPC', {
   maxAzs: 2,
+  restrictDefaultSecurityGroup: false,
 });
 
 new autoscaling.AutoScalingGroup(stack, 'Fleet', {

packages/@aws-cdk-testing/framework-integ/test/aws-autoscaling/test/integ.asg-capacity-rebalance.ts

@@ -9,6 +9,7 @@ const stack = new cdk.Stack(app, 'aws-cdk-autoscaling-integ');
 
 const vpc = new ec2.Vpc(stack, 'VPC', {
   maxAzs: 2,
+  restrictDefaultSecurityGroup: false,
 });
 
 new autoscaling.AutoScalingGroup(stack, 'CapacityRebalance', {

packages/@aws-cdk-testing/framework-integ/test/aws-autoscaling/test/integ.asg-lt.ts

@@ -23,6 +23,7 @@ const ltOverrideT4g = new ec2.LaunchTemplate(stack, 'T4gLT', {
 });
 
 const vpc = new ec2.Vpc(stack, 'VPC', {
+  restrictDefaultSecurityGroup: false,
   maxAzs: 2,
 });
 

packages/@aws-cdk-testing/framework-integ/test/aws-autoscaling/test/integ.asg-w-classic-loadbalancer.ts

@@ -9,6 +9,7 @@ const stack = new cdk.Stack(app, 'aws-cdk-asg-integ');
 
 const vpc = new ec2.Vpc(stack, 'VPC', {
   maxAzs: 3,
+  restrictDefaultSecurityGroup: false,
 });
 
 const asg = new autoscaling.AutoScalingGroup(stack, 'Fleet', {

packages/@aws-cdk-testing/framework-integ/test/aws-autoscaling/test/integ.asg-w-elbv2.ts

@@ -13,6 +13,7 @@ class ElbV2AsgStack extends cdk.Stack {
 
     const vpc = new ec2.Vpc(this, 'VPC', {
       maxAzs: 2,
+      restrictDefaultSecurityGroup: false,
     });
 
     const asg = new autoscaling.AutoScalingGroup(this, 'Fleet', {
@@ -50,6 +51,7 @@ class ElbV2AsgAtgStack extends cdk.Stack {
   constructor(scope: Construct, id: string, props?: cdk.StackProps) {
     super(scope, id, props);
     const vpc = new ec2.Vpc(this, 'VPC', {
+      restrictDefaultSecurityGroup: false,
       maxAzs: 2,
     });
     const alb = new elbv2.ApplicationLoadBalancer(this, 'alb', {

packages/@aws-cdk-testing/framework-integ/test/aws-autoscaling/test/integ.custom-scaling.ts

@@ -8,6 +8,7 @@ const stack = new cdk.Stack(app, 'aws-cdk-autoscaling-integ');
 
 const vpc = new ec2.Vpc(stack, 'VPC', {
   maxAzs: 2,
+  restrictDefaultSecurityGroup: false,
 });
 
 const asg = new autoscaling.AutoScalingGroup(stack, 'Fleet', {

packages/@aws-cdk-testing/framework-integ/test/aws-autoscaling/test/integ.external-role.ts

@@ -7,7 +7,7 @@ class TestStack extends cdk.Stack {
   constructor(scope: cdk.App, id: string) {
     super(scope, id);
 
-    const vpc = new ec2.Vpc(this, 'VPC');
+    const vpc = new ec2.Vpc(this, 'VPC', { restrictDefaultSecurityGroup: false });
     const role = new iam.Role(this, 'Role', {
       assumedBy: new iam.ServicePrincipal('ec2.amazonaws.com'),
     });

packages/@aws-cdk-testing/framework-integ/test/aws-autoscaling/test/integ.role-target-hook.ts

@@ -35,7 +35,7 @@ export class TestStack extends cdk.Stack {
   constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
     super(scope, id, props);
 
-    let vpc = new ec2.Vpc(this, 'myVpcAuto', {});
+    let vpc = new ec2.Vpc(this, 'myVpcAuto', { restrictDefaultSecurityGroup: false });
     const myrole = new iam.Role(this, 'MyRole', {
       assumedBy: new iam.ServicePrincipal('autoscaling.amazonaws.com'),
     });

packages/@aws-cdk-testing/framework-integ/test/aws-autoscaling/test/integ.spot-instances.ts

@@ -8,6 +8,7 @@ const stack = new cdk.Stack(app, 'aws-cdk-autoscaling-integ');
 
 const vpc = new ec2.Vpc(stack, 'VPC', {
   maxAzs: 2,
+  restrictDefaultSecurityGroup: false,
 });
 
 new autoscaling.AutoScalingGroup(stack, 'Fleet', {

packages/@aws-cdk-testing/framework-integ/test/aws-autoscaling/test/integ.warm-pool.ts

@@ -13,6 +13,7 @@ const stack = new cdk.Stack(app, 'aws-cdk-autoscaling-integ');
 
 const vpc = new ec2.Vpc(stack, 'VPC', {
   maxAzs: 2,
+  restrictDefaultSecurityGroup: false,
 });
 
 const asg = new autoscaling.AutoScalingGroup(stack, 'Fleet', {

packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.load-balancer-origin.ts

@@ -7,7 +7,7 @@ import * as origins from 'aws-cdk-lib/aws-cloudfront-origins';
 const app = new cdk.App();
 const stack = new cdk.Stack(app, 'cloudfront-load-balancer-origin');
 
-const vpc = new ec2.Vpc(stack, 'Vpc', { maxAzs: 2 });
+const vpc = new ec2.Vpc(stack, 'Vpc', { maxAzs: 2, restrictDefaultSecurityGroup: false });
 const loadbalancer = new elbv2.ApplicationLoadBalancer(stack, 'LB', { vpc, internetFacing: true });
 
 new cloudfront.Distribution(stack, 'Distribution', {

packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.project-file-system-location.ts

@@ -8,6 +8,7 @@ const stack = new cdk.Stack(app, 'aws-cdk-codebuild-file-system-locations');
 const vpc = new ec2.Vpc(stack, 'MyVPC', {
   maxAzs: 1,
   natGateways: 1,
+  restrictDefaultSecurityGroup: false,
 });
 const securityGroup = new ec2.SecurityGroup(stack, 'SecurityGroup1', {
   allowAllOutbound: true,

packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.project-vpc.ts

@@ -9,6 +9,7 @@ const stack = new cdk.Stack(app, 'aws-cdk-codebuild-project-vpc');
 const vpc = new ec2.Vpc(stack, 'MyVPC', {
   maxAzs: 1,
   natGateways: 1,
+  restrictDefaultSecurityGroup: false,
 });
 const securityGroup = new ec2.SecurityGroup(stack, 'SecurityGroup1', {
   allowAllOutbound: true,

packages/@aws-cdk-testing/framework-integ/test/aws-codedeploy/test/ecs/integ.deployment-group.ts

@@ -73,7 +73,7 @@ const app = new cdk.App();
 const stack = new cdk.Stack(app, 'aws-cdk-codedeploy-ecs-dg');
 
 // Network infrastructure
-const vpc = new ec2.Vpc(stack, 'VPC', { maxAzs: 2 });
+const vpc = new ec2.Vpc(stack, 'VPC', { maxAzs: 2, restrictDefaultSecurityGroup: false });
 
 // ECS service
 const cluster = new ecs.Cluster(stack, 'EcsCluster', {

packages/@aws-cdk-testing/framework-integ/test/aws-codedeploy/test/server/integ.deployment-group.ts

@@ -9,7 +9,7 @@ const app = new cdk.App();
 
 const stack = new cdk.Stack(app, 'aws-cdk-codedeploy-server-dg');
 
-const vpc = new ec2.Vpc(stack, 'VPC');
+const vpc = new ec2.Vpc(stack, 'VPC', { restrictDefaultSecurityGroup: false });
 
 const asg = new autoscaling.AutoScalingGroup(stack, 'ASG', {
   instanceType: ec2.InstanceType.of(ec2.InstanceClass.M5, ec2.InstanceSize.LARGE),

packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-ecs-deploy.ts

@@ -14,6 +14,7 @@ const app = new cdk.App();
 const stack = new cdk.Stack(app, 'aws-cdk-codepipeline-ecs-deploy');
 
 const vpc = new ec2.Vpc(stack, 'VPC', {
+  restrictDefaultSecurityGroup: false,
   maxAzs: 1,
 });
 const cluster = new ecs.Cluster(stack, 'EcsCluster', {

packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-ecs-separate-source.lit.ts

@@ -49,6 +49,7 @@ export class EcsAppStack extends cdk.Stack {
       taskDefinition,
       cluster: new ecs.Cluster(this, 'Cluster', {
         vpc: new ec2.Vpc(this, 'Vpc', {
+          restrictDefaultSecurityGroup: false,
           maxAzs: 1,
         }),
       }),

packages/@aws-cdk-testing/framework-integ/test/aws-docdb/test/integ.cluster-rotation.lit.ts

@@ -13,7 +13,7 @@ import * as docdb from 'aws-cdk-lib/aws-docdb';
 const app = new cdk.App();
 const stack = new cdk.Stack(app, 'aws-cdk-docdb-cluster-rotation');
 
-const vpc = new ec2.Vpc(stack, 'VPC');
+const vpc = new ec2.Vpc(stack, 'VPC', { restrictDefaultSecurityGroup: false });
 
 /// !show
 const cluster = new docdb.DatabaseCluster(stack, 'Database', {

packages/@aws-cdk-testing/framework-integ/test/aws-docdb/test/integ.cluster.ts

@@ -13,7 +13,7 @@ class TestStack extends cdk.Stack {
   constructor(scope: constructs.Construct, id: string, props?: cdk.StackProps) {
     super(scope, id, props);
 
-    const vpc = new ec2.Vpc(this, 'VPC', { maxAzs: 2 });
+    const vpc = new ec2.Vpc(this, 'VPC', { maxAzs: 2, restrictDefaultSecurityGroup: false });
 
     const params = new ClusterParameterGroup(this, 'Params', {
       family: 'docdb3.6',

packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.bastion-host-arm-support.ts

@@ -5,12 +5,14 @@
  */
 import * as cdk from 'aws-cdk-lib';
 import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import { EC2_RESTRICT_DEFAULT_SECURITY_GROUP } from 'aws-cdk-lib/cx-api';
 
 const app = new cdk.App();
 
 class TestStack extends cdk.Stack {
   constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
     super(scope, id, props);
+    this.node.setContext(EC2_RESTRICT_DEFAULT_SECURITY_GROUP, false);
 
     const vpc = new ec2.Vpc(this, 'VPC');
 

packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.bastion-host.ts

@@ -1,12 +1,14 @@
 /// !cdk-integ *
 import * as cdk from 'aws-cdk-lib';
 import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import { EC2_RESTRICT_DEFAULT_SECURITY_GROUP } from 'aws-cdk-lib/cx-api';
 
 const app = new cdk.App();
 
 class TestStack extends cdk.Stack {
   constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
     super(scope, id, props);
+    this.node.setContext(EC2_RESTRICT_DEFAULT_SECURITY_GROUP, false);
 
     const vpc = new ec2.Vpc(this, 'VPC');
 

packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.client-vpn-endpoint.ts

@@ -3,10 +3,12 @@ import * as logs from 'aws-cdk-lib/aws-logs';
 import { App, CustomResource, CustomResourceProvider, CustomResourceProviderRuntime, RemovalPolicy, Stack, StackProps } from 'aws-cdk-lib';
 import { Construct } from 'constructs';
 import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import { EC2_RESTRICT_DEFAULT_SECURITY_GROUP } from 'aws-cdk-lib/cx-api';
 
 class TestStack extends Stack {
   constructor(scope: Construct, id: string, props?: StackProps) {
     super(scope, id, props);
+    this.node.setContext(EC2_RESTRICT_DEFAULT_SECURITY_GROUP, false);
 
     // Import server and client certificates in ACM
     const certificates = new ImportCertificates(this, 'ImportCertificates');

packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.core-cross-stack-string-list-references.ts

@@ -3,6 +3,7 @@ import { App, CfnParameter, Stack, StackProps } from 'aws-cdk-lib';
 import { IntegTest } from '@aws-cdk/integ-tests-alpha';
 import { Construct } from 'constructs';
 import { InterfaceVpcEndpoint, InterfaceVpcEndpointAwsService, Vpc } from 'aws-cdk-lib/aws-ec2';
+import { EC2_RESTRICT_DEFAULT_SECURITY_GROUP } from 'aws-cdk-lib/cx-api';
 
 // GIVEN
 const app = new App({
@@ -16,6 +17,7 @@ class ProducerStack extends Stack {
 
   constructor(scope: Construct, id: string, props?: StackProps) {
     super(scope, id, props);
+    this.node.setContext(EC2_RESTRICT_DEFAULT_SECURITY_GROUP, false);
 
     const vpc = new Vpc(this, 'vpc');
     this.stringListGetAtt = new InterfaceVpcEndpoint(this, 'endpoint', {
@@ -43,6 +45,7 @@ export interface consumerDeployProps extends StackProps {
 class ConsumerStack extends Stack {
   constructor(scope: Construct, id: string, props: consumerDeployProps) {
     super(scope, id, props);
+    this.node.setContext(EC2_RESTRICT_DEFAULT_SECURITY_GROUP, false);
 
     new ssm.StringListParameter(this, 'GetAtt', {
       stringListValue: props.stringListGetAtt,

packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.graviton3.ts

@@ -2,12 +2,14 @@
 import { PolicyStatement } from 'aws-cdk-lib/aws-iam';
 import * as cdk from 'aws-cdk-lib';
 import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import { EC2_RESTRICT_DEFAULT_SECURITY_GROUP } from 'aws-cdk-lib/cx-api';
 
 const app = new cdk.App();
 
 class TestStack extends cdk.Stack {
   constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
     super(scope, id, props);
+    this.node.setContext(EC2_RESTRICT_DEFAULT_SECURITY_GROUP, false);
 
     const vpc = new ec2.Vpc(this, 'VPC');
 

packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.instance-init.ts

@@ -3,9 +3,11 @@ import * as fs from 'fs';
 import * as path from 'path';
 import * as cdk from 'aws-cdk-lib';
 import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import { EC2_RESTRICT_DEFAULT_SECURITY_GROUP } from 'aws-cdk-lib/cx-api';
 
 const app = new cdk.App();
 const stack = new cdk.Stack(app, 'integ-init');
+stack.node.setContext(EC2_RESTRICT_DEFAULT_SECURITY_GROUP, false);
 
 const vpc = new ec2.Vpc(stack, 'IntegInitVpc');
 

packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.instance.ts

@@ -2,12 +2,14 @@ import { PolicyStatement } from 'aws-cdk-lib/aws-iam';
 import * as cdk from 'aws-cdk-lib';
 import { IntegTest } from '@aws-cdk/integ-tests-alpha';
 import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import { EC2_RESTRICT_DEFAULT_SECURITY_GROUP } from 'aws-cdk-lib/cx-api';
 
 const app = new cdk.App();
 
 class TestStack extends cdk.Stack {
   constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
     super(scope, id, props);
+    this.node.setContext(EC2_RESTRICT_DEFAULT_SECURITY_GROUP, false);
 
     const vpc = new ec2.Vpc(this, 'VPC');
     const securityGroup = new ec2.SecurityGroup(this, 'IntegSg', {

packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.machine-image.ts

@@ -6,11 +6,13 @@ import {
   aws_ec2 as ec2,
 } from 'aws-cdk-lib';
 import { Construct } from 'constructs';
+import { EC2_RESTRICT_DEFAULT_SECURITY_GROUP } from 'aws-cdk-lib/cx-api';
 
 
 export class TestCase extends Stack {
   constructor(scope: Construct, id: string, props?: StackProps) {
     super(scope, id, props);
+    this.node.setContext(EC2_RESTRICT_DEFAULT_SECURITY_GROUP, false);
     const vpc = new ec2.Vpc(this, 'Vpc');
     new ec2.Instance(this, 'amzn2', {
       instanceType: ec2.InstanceType.of(ec2.InstanceClass.T3, ec2.InstanceSize.NANO),

packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.nat-instances.lit.ts

@@ -1,10 +1,12 @@
 import * as cdk from 'aws-cdk-lib';
 import * as ec2 from 'aws-cdk-lib/aws-ec2';
 import { IntegTest } from '@aws-cdk/integ-tests-alpha';
+import { EC2_RESTRICT_DEFAULT_SECURITY_GROUP } from 'aws-cdk-lib/cx-api';
 
 class NatInstanceStack extends cdk.Stack {
   constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
     super(scope, id, props);
+    this.node.setContext(EC2_RESTRICT_DEFAULT_SECURITY_GROUP, false);
 
     /// !show
     // Configure the `natGatewayProvider` when defining a Vpc

packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.ports.ts

@@ -1,12 +1,14 @@
 import * as cdk from 'aws-cdk-lib';
 import { IntegTest } from '@aws-cdk/integ-tests-alpha';
 import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import { EC2_RESTRICT_DEFAULT_SECURITY_GROUP } from 'aws-cdk-lib/cx-api';
 
 const app = new cdk.App();
 
 class TestStack extends cdk.Stack {
   constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
     super(scope, id, props);
+    this.node.setContext(EC2_RESTRICT_DEFAULT_SECURITY_GROUP, false);
 
     const vpc = new ec2.Vpc(this, 'VPC');
 

packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.reserved-private-subnet.ts

@@ -1,4 +1,5 @@
 import * as cdk from 'aws-cdk-lib';
+import { EC2_RESTRICT_DEFAULT_SECURITY_GROUP } from 'aws-cdk-lib/cx-api';
 import * as ec2 from 'aws-cdk-lib/aws-ec2';
 
 /*
@@ -15,6 +16,7 @@ const app = new cdk.App();
 class VpcReservedPrivateSubnetStack extends cdk.Stack {
   constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
     super(scope, id, props);
+    this.node.setContext(EC2_RESTRICT_DEFAULT_SECURITY_GROUP, false);
 
     /// !show
     // Specify no NAT gateways with a reserved private subnet

packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.share-vpcs.lit.ts

@@ -2,6 +2,7 @@
 import * as cdk from 'aws-cdk-lib';
 import { Construct } from 'constructs';
 import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import { EC2_RESTRICT_DEFAULT_SECURITY_GROUP } from 'aws-cdk-lib/cx-api';
 
 const app = new cdk.App();
 
@@ -30,6 +31,7 @@ class Stack1 extends cdk.Stack {
   constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
     super(scope, id, props);
 
+    this.node.setContext(EC2_RESTRICT_DEFAULT_SECURITY_GROUP, false);
     this.vpc = new ec2.Vpc(this, 'VPC');
   }
 }
@@ -45,6 +47,7 @@ class Stack2 extends cdk.Stack {
   constructor(scope: cdk.App, id: string, props: Stack2Props) {
     super(scope, id, props);
 
+    this.node.setContext(EC2_RESTRICT_DEFAULT_SECURITY_GROUP, false);
     // Pass the VPC to a construct that needs it
     new ConstructThatTakesAVpc(this, 'Construct', {
       vpc: props.vpc,