outbound networks methods dont' work with imported security groups #4361

gidimariastorm · 2019-10-03T10:31:46Z

I'm trying to upload the rules in outbound for two existing secgroup:

as_sg = ec2.SecurityGroup.from_security_group_id(self,'ASSG',security_group_id='sg-eacf0093')
fe_sg = ec2.SecurityGroup.from_security_group_id(self, 'FESG', security_group_id='sg-f4cf008d')

now the inbound method works correctly such as:
allow_from_any_ipv4 or allow_from

as_sg = ec2.SecurityGroup.from_security_group_id(self,'ASSG',security_group_id='sg-eacf0093')
fe_sg = ec2.SecurityGroup.from_security_group_id(self, 'FESG', security_group_id='sg-f4cf008d')
fe_sg.connections.allow_from_any_ipv4(ec2.Port.tcp(443))

> > Stack ad-ro-mi-prod-alb-autoscaling
> Security Group Changes
> ┌───┬─────────────┬─────┬──────────┬─────────────────┐
> │   │ Group       │ Dir │ Protocol │ Peer            │
> ├───┼─────────────┼─────┼──────────┼─────────────────┤
> │ + │ sg-f4cf008d │ In  │ TCP 443  │ Everyone (IPv4) │
> └───┴─────────────┴─────┴──────────┴─────────────────┘
> (NOTE: There may be security-related changes not in this list. See https://github.com/aws/aws-cdk/issues/1299)
> 
> Resources
> [+] AWS::EC2::SecurityGroupIngress FESG/from 0.0.0.0_0:443 FESGfrom0000044359AEBFA7

or also this it works:

fe_sg.connections.allow_from(as_sg.connections, ec2.Port.tcp(444))

> 
> > Security Group Changes
> ┌───┬─────────────┬─────┬──────────┬─────────────┐
> │   │ Group       │ Dir │ Protocol │ Peer        │
> ├───┼─────────────┼─────┼──────────┼─────────────┤
> │ + │ sg-f4cf008d │ In  │ TCP 444  │ sg-eacf0093 │
> └───┴─────────────┴─────┴──────────┴─────────────┘
> (NOTE: There may be security-related changes not in this list. See https://github.com/aws/aws-cdk/issues/1299)
> 
> Resources
> [+] AWS::EC2::SecurityGroupIngress FESG/from adromiprodalbautoscalingASSG2B6F69BD:444
>

even the add_ingress_rule works

However If I use the outbound methods it doesn't work.

fe_sg.connections.allow_to(as_sg.connections, ec2.Port.tcp(444))

> Security Group Changes
> ┌───┬─────────────┬─────┬──────────┬─────────────┐
> │   │ Group       │ Dir │ Protocol │ Peer        │
> ├───┼─────────────┼─────┼──────────┼─────────────┤
> │ + │ sg-eacf0093 │ In  │ TCP 444  │ sg-f4cf008d │
> └───┴─────────────┴─────┴──────────┴─────────────┘
> (NOTE: There may be security-related changes not in this list. See https://github.com/aws/aws-cdk/issues/1299)
>

it updates only the Ingress rules. this behavior is not present with security groups created with the CDK.

I'm also used the add_egress_rule without success

ingress example:

fe_sg.add_ingress_rule(ec2.Peer().prefix_list('sg-eacf0093'), ec2.Port.tcp(443),remote_rule=True)

> Security Group Changes
> ┌───┬─────────────┬─────┬──────────┬─────────────┐
> │   │ Group       │ Dir │ Protocol │ Peer        │
> ├───┼─────────────┼─────┼──────────┼─────────────┤
> │ + │ sg-f4cf008d │ In  │ TCP 443  │ sg-eacf0093 │
> └───┴─────────────┴─────┴──────────┴─────────────┘
> (NOTE: There may be security-related changes not in this list. See https://github.com/aws/aws-cdk/issues/1299)
> 
> Resources
> [+] AWS::EC2::SecurityGroupIngress FESG/from sg-eacf0093:443 FESGfromsgeacf00934433CF0B05C

egress:

fe_sg.add_egress_rule(ec2.Peer().prefix_list('sg-eacf0093'), ec2.Port.tcp(443),remote_rule=True)

> Stack name-stack
> There were no differences

the issue is also present if I try to update the outbound rules of an existing secgroup for a sec group created in the CDK.

Reproduction Steps

import an existing security group.
try to update its egress rules

Error Log

Environment

CLI Version : cdk 1.10.1
Framework Version:
OS : macOS
Language : python 3.7

Other

This is 🐛 Bug Report

The text was updated successfully, but these errors were encountered:

rix0rrr · 2019-10-04T08:13:44Z

True. It assumes that imported security groups will have been created with allowAllOutbound, since that is the default.

If that is not the case, you will have to mention this explicitly upon importing:

as_sg = ec2.SecurityGroup.from_security_group_id(self,'ASSG',security_group_id='sg-eacf0093', allow_all_outbound=False)

See https://docs.aws.amazon.com/cdk/api/latest/python/aws_cdk.aws_ec2/SecurityGroup.html#aws_cdk.aws_ec2.SecurityGroup.from_security_group_id

gidimariastorm · 2019-10-04T09:52:45Z

thanks :)

gidimariastorm added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Oct 3, 2019

gidimariastorm changed the title ~~outbound networks methods dont' work with imported securygroup Imported~~ outbound networks methods dont' work with imported security groups Oct 3, 2019

NGL321 added language/python Related to Python bindings @aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud needs-reproduction This issue needs reproduction. and removed needs-triage This issue or PR still needs to be triaged. labels Oct 3, 2019

NGL321 assigned rix0rrr Oct 3, 2019

rix0rrr removed the needs-reproduction This issue needs reproduction. label Oct 4, 2019

rix0rrr closed this as completed Oct 4, 2019

rix0rrr added guidance Question that needs advice or information. and removed bug This issue is a bug. labels Oct 4, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

outbound networks methods dont' work with imported security groups #4361

outbound networks methods dont' work with imported security groups #4361

gidimariastorm commented Oct 3, 2019 •

edited by NGL321

Loading

rix0rrr commented Oct 4, 2019

gidimariastorm commented Oct 4, 2019

outbound networks methods dont' work with imported security groups #4361

outbound networks methods dont' work with imported security groups #4361

Comments

gidimariastorm commented Oct 3, 2019 • edited by NGL321 Loading

Reproduction Steps

Error Log

Environment

Other

rix0rrr commented Oct 4, 2019

gidimariastorm commented Oct 4, 2019

gidimariastorm commented Oct 3, 2019 •

edited by NGL321

Loading