fix(ec2): also add egress rules for allowInternally()

This didn't use to be done, because upon initial testing we probably had `allowAllOutbound: true`. Add the appropriate calls to make this work when it is set to `false` as well. Fixes #3254.
aws · Aug 21, 2019 · 2a9abfe · 2a9abfe
1 parent d8fcb50
commit 2a9abfe
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 2 deletions.
diff --git a/packages/@aws-cdk/aws-ec2/lib/connections.ts b/packages/@aws-cdk/aws-ec2/lib/connections.ts
@@ -172,8 +172,7 @@ export class Connections implements IConnectable {
     this._securityGroups.forEachAndForever(securityGroup => {
       this._securityGroupRules.forEachAndForever(rule => {
         securityGroup.addIngressRule(rule, portRange, description);
-        // FIXME: this seems required but we didn't use to have it. Research.
-        // securityGroup.addEgressRule(rule, portRange, description);
+        securityGroup.addEgressRule(rule, portRange, description);
       });
     });
   }

diff --git a/packages/@aws-cdk/aws-ec2/test/test.connections.ts b/packages/@aws-cdk/aws-ec2/test/test.connections.ts
@@ -159,6 +159,13 @@ export = {
       ToPort: 88
     }));
 
+    expect(stack).to(haveResource('AWS::EC2::SecurityGroupEgress', {
+      DestinationSecurityGroupId: { "Fn::GetAtt": [ "SecurityGroup1F554B36F", "GroupId" ] },
+      GroupId: { "Fn::GetAtt": [ "SecurityGroup1F554B36F", "GroupId" ] },
+      FromPort: 88,
+      ToPort: 88
+    }));
+
     test.done();
   },