InterfaceVpcEndpoint.connections.addSecurityGroup() not working #16117

Closed
greg5123334 opened this issue Aug 18, 2021 · 3 comments
@greg5123334
Contributor

Greetings, I have encountered an issue in adding a Security Group to an InterfaceVpcEndpoint.

When calling connections.addSecurityGroup(), even though I can see the SG has been added to the construct itself by printing out connections.securityGroups.toString() in an Output, I do not see the SG being added to the Endpoint upon deployment.

Is this a bug in InterfaceVpcEndpoint or perhaps Connections? Please let me know if you need any more info.

Reproduction Steps

import * as cdk from '@aws-cdk/core';
import * as ec2 from '@aws-cdk/aws-ec2';
import { InterfaceVpcEndpoint } from '@aws-cdk/aws-ec2';

export class VpcStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const vpc = new ec2.Vpc(this, 'VPC');
    const sg1 = new ec2.SecurityGroup(this, 'SG-1', {
      vpc: vpc,
      description: 'Added at Endpoint creation.',
    });

    const cp_endpoint = new InterfaceVpcEndpoint(this, 'MyVpcEndpoint', {
      vpc: vpc,
      service: ec2.InterfaceVpcEndpointAwsService.CODEPIPELINE,
      securityGroups: [sg1],
    });


    const sg2 = new ec2.SecurityGroup(this, 'SG-2', {
      vpc: vpc,
      description: 'Test - added via connections.addSecurityGroup()',
    });


    // ========= Test ==========

    cp_endpoint.connections.addSecurityGroup(sg2); //This doesn't work.

    // =========================

    new cdk.CfnOutput(this, 'EndpointSecurityGroups', {
      value: cp_endpoint.connections.securityGroups.toString(),
    })
  }
}


What did you expect to happen?

See the second Security Group, SG-2, added to the VPC Endpoint.

What actually happened?

The Security Group, SG-2, was not added to the VPC Endpoint.
Additionally, it is peculiar to see that both the Security Groups are indeed listed in the Output that prints out the security groups of the InterfaceVpcEndpoint construct, but not in the console nor via describe-vpc-endpoints.

Environment

  • CDK CLI Version : 1.119.0 (build 2921d64)
  • Framework Version:
  • Node.js Version: v16.2.0
  • OS : Microsoft Windows 10 Enterprise Version 10.0.18363 Build 18363
  • Language (Version): Python 3.9.5

Other


This is 🐛 Bug Report

@greg5123334 greg5123334 added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Aug 18, 2021
@peterwoodworth
Contributor

Hey @gregfarr, sorry for the long response time.

I don't think this is a bug, and I think everything is working as expected here. That said, it is pretty confusing from a customer standpoint.

The addSecurityGroup method is described to "Add a security group to the list of security groups managed by this object."

The Connections object here doesn't determine which Security groups get added to your InterfaceVpcEndpoint, so you'll have to specify that where you create the endpoint.

@peterwoodworth peterwoodworth added closing-soon This issue will automatically close in 4 days unless further comments are made. guidance Question that needs advice or information. and removed bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Oct 11, 2021
@peterwoodworth peterwoodworth self-assigned this Oct 11, 2021
@greg5123334
Contributor Author

No worries @peterwoodworth

So it seems this is expected behavior which I had misinterpreted.

Thanks for taking a look for me.
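
The gap discussed in this thread (a group listed by connections.securityGroups but absent from the deployed endpoint) can be caught before deployment by checking the synthesized CloudFormation template. The following is an added example, not code from the thread or from the CDK project; the function names and the logical IDs SG1, SG2 and MyVpcEndpoint are assumptions, and the template is a constructed, trimmed sample.

```typescript
// Added example: list the security groups actually attached to each
// AWS::EC2::VPCEndpoint in a synthesized template and report expected ones that are missing.
type Resource = { Type: string; Properties?: Record<string, unknown> };
type Template = { Resources: Record<string, Resource> };

// Resolve {"Fn::GetAtt": [id, "GroupId"]}, {"Ref": id} or a literal "sg-..." to a name.
function sgRef(value: unknown): string {
  if (typeof value === 'string') return value;
  if (value !== null && typeof value === 'object') {
    const v = value as Record<string, unknown>;
    const getAtt = v['Fn::GetAtt'];
    if (Array.isArray(getAtt) && typeof getAtt[0] === 'string') return getAtt[0];
    if (typeof getAtt === 'string') return getAtt.split('.')[0]; // "SG1.GroupId" form
    const ref = v['Ref'];
    if (typeof ref === 'string') return ref;
  }
  return '<unresolved>';
}

// Map each endpoint's logical ID to the groups named in its SecurityGroupIds property.
function endpointSecurityGroups(template: Template): Record<string, string[]> {
  const out: Record<string, string[]> = {};
  for (const id of Object.keys(template.Resources)) {
    const res = template.Resources[id];
    if (res.Type !== 'AWS::EC2::VPCEndpoint') continue;
    const ids = res.Properties ? res.Properties['SecurityGroupIds'] : undefined;
    out[id] = Array.isArray(ids) ? ids.map(sgRef) : [];
  }
  return out;
}

// Groups the stack code expects on the endpoint but the template does not attach.
function missingFromEndpoint(template: Template, endpointId: string, expected: string[]): string[] {
  const attached = endpointSecurityGroups(template)[endpointId] || [];
  return expected.filter((sg) => attached.indexOf(sg) === -1);
}

// Constructed sample shaped like the issue's stack after synth: SG2 exists as a
// resource, but only SG1 (passed at creation) is referenced by the endpoint.
const sampleTemplate: Template = {
  Resources: {
    SG1: { Type: 'AWS::EC2::SecurityGroup', Properties: { GroupDescription: 'Added at Endpoint creation.' } },
    SG2: { Type: 'AWS::EC2::SecurityGroup', Properties: { GroupDescription: 'Test - added via connections.addSecurityGroup()' } },
    MyVpcEndpoint: {
      Type: 'AWS::EC2::VPCEndpoint',
      Properties: { VpcEndpointType: 'Interface', SecurityGroupIds: [{ 'Fn::GetAtt': ['SG1', 'GroupId'] }] },
    },
  },
};
```

Run against the real output of cdk synth, a non-empty result from missingFromEndpoint means the endpoint's effective network policy differs from what the construct's connections object reports.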
