Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

aws-ec2.Connections.allowInternally() does not appear to add Egress rules for aws-ec2.SecurityGroup.allowAllOutbound=false #3254

Closed
1 of 5 tasks
secpaul opened this issue Jul 9, 2019 · 0 comments · Fixed by #3741
Closed
1 of 5 tasks

aws-ec2.Connections.allowInternally() does not appear to add Egress rules for aws-ec2.SecurityGroup.allowAllOutbound=false #3254

secpaul opened this issue Jul 9, 2019 · 0 comments · Fixed by #3741
Assignees
@rix0rrr
Labels
@aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud bug This issue is a bug.

Comments

@secpaul
Copy link

secpaul commented Jul 9, 2019

Note: for support questions, please first reference our documentation, then use Stackoverflow. This repository's issues are intended for feature requests and bug reports.

  • I'm submitting a ...

    • 🪲 bug report
    • 🚀 feature request
    • 📚 construct library gap
    • ☎️ security issue or vulnerability => Please see policy
    • ❓ support request => Please see note at the top of this template.

  • What is the current behavior?
    If the current behavior is a 🪲bug🪲: Please provide the steps to reproduce
    When a security group is configured to have allowOutbound=false, resources for Egress rules are not created for the target security group when calling aws-ec2.Connections.allowInternally(). The behaviour of allowFrom() and allowTo() where the target SG and the SG parameter are the same may also exhibit the same behaviour (i.e. x.allowFrom(x,y,z)).

  • What is the expected behavior (or behavior of feature suggested)?
    Desired behaviour is to create Egress rules.

  • What is the motivation / use case for changing the behavior or adding this feature?
    The deployed security group will not permit the requested traffic.

  • Please tell us about your environment:

    • CDK CLI Version: 0.37.0
    • Module Version: xx.xx.xx
    • OS: Ubuntu
    • Language: TypeScript

  • Other information (e.g. detailed explanation, stacktraces, related issues, suggestions how to fix, links for us to have context, eg. associated pull-request, stackoverflow, gitter, etc)

import { expect, haveResource } from '@aws-cdk/assert';
import { Test } from 'nodeunit';
import { Stack, App } from '@aws-cdk/core';
import { Vpc, SecurityGroup, Port } from '@aws-cdk/aws-ec2';

export = {

  'Test aws-ec2.Connections.allowInternally() adds Egress and Ingress rules'(test: Test) {

    const app = new App();
    const stack = new Stack(app, 'TestStack');
    const vpc = new Vpc(stack, 'TestVpc');
    const sg1 = new SecurityGroup(stack, 'TestGroup1', {
      allowAllOutbound: false,
      vpc: vpc
    });
    sg1.connections.allowInternally(
      Port.allTraffic(),
      'Allow all traffic between EC2 Instances having the same security group'
    );
    app.synth();

    expect(stack).to(haveResource('AWS::EC2::SecurityGroupIngress', {
      "GroupId": {
        "Fn::GetAtt": [
          "TestGroup1BB3CCD0D",
          "GroupId"
        ]
      },
      "IpProtocol": "-1",
      "Description": "Allow all traffic between EC2 Instances having the same security group",
      "SourceSecurityGroupId": {
        "Fn::GetAtt": [
          "TestGroup1BB3CCD0D",
          "GroupId"
        ]
      }
    }));

    expect(stack).to(haveResource('AWS::EC2::SecurityGroupEgress', {
      "IpProtocol": "-1",
      "Description": "Allow all traffic between EC2 Instances having the same security group",
      "GroupId": {
        "Fn::GetAtt": [
          "TestGroup1BB3CCD0D",
          "GroupId"
        ]
      },
      "DestinationSecurityGroupId": {
        "Fn::GetAtt": [
          "TestGroup1BB3CCD0D",
          "GroupId"
        ]
      }
    }));
    test.done();
  }
};
``
@secpaul secpaul added the needs-triage This issue or PR still needs to be triaged. label Jul 9, 2019
@rix0rrr rix0rrr added bug This issue is a bug. @aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud and removed needs-triage This issue or PR still needs to be triaged. labels Jul 10, 2019
rix0rrr added a commit that referenced this issue Aug 21, 2019
@rix0rrr
fix(ec2): also add egress rules for allowInternally()
2a9abfe 
This didn't use to be done, because upon initial testing
we probably had `allowAllOutbound: true`.

Add the appropriate calls to make this work when it is
set to `false` as well.

Fixes #3254.
@rix0rrr rix0rrr mentioned this issue Aug 21, 2019
Merged
@mergify mergify bot closed this as completed in #3741 Aug 21, 2019
mergify bot pushed a commit that referenced this issue Aug 21, 2019
@rix0rrr @mergify
fix(ec2): also add egress rules for allowInternally() (#3741)
051aacb 
This didn't use to be done, because upon initial testing
we probably had `allowAllOutbound: true`.

Add the appropriate calls to make this work when it is
set to `false` as well.

Fixes #3254.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rix0rrr rix0rrr

Labels
@aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud bug This issue is a bug.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(ec2): also add egress rules for allowInternally() aws/aws-cdk
2 participants
@rix0rrr @secpaul