(aws-ec2): Cannot deploy SecurityGroup with allowAllIpv6Outbound: true #22407

Closed
Tietew opened this issue Oct 7, 2022 · 1 comment · Fixed by #22414
Labels
@aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud bug This issue is a bug. effort/small Small work item – less than a day of effort p1

Comments

Contributor

Tietew commented Oct 7, 2022

Describe the bug

Per #22279 (CDK 2.45.0), allowAllIpv6Outbound is added to SecurityGroup.
But deployment fails when allowAllIpv6Outbound: true is set.

Expected Behavior

The stack is successfully deployed.

Current Behavior

Deployment failed.

❌ CdkIpv6Stack failed: Error: The stack named CdkIpv6Stack failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: CIDR block ::/0 is malformed (Service: AmazonEC2; Status Code: 400; Error Code: InvalidParameterValue; Request ID: xxx; Proxy: null)

Reproduction Steps

Deploy the following stack:

import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import * as ec2 from 'aws-cdk-lib/aws-ec2';

class CdkIpv6Stack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    const vpc = ec2.Vpc.fromLookup(this, 'Vpc', { isDefault: true });
    new ec2.SecurityGroup(this, 'SecurityGroup', { vpc, allowAllIpv6Outbound: true });
  }
}

const app = new cdk.App();
new CdkIpv6Stack(app, 'CdkIpv6Stack', {
  env: { account: 'xxx', region: 'ap-northeast-1' },
});

Possible Solution

Created template contains "CidrIp": "::/0", but it should be "CidrIpv6": "::/0".

   "SecurityGroupDD263621": {
    "Type": "AWS::EC2::SecurityGroup",
    "Properties": {
     "GroupDescription": "CdkIpv6Stack/SecurityGroup",
     "SecurityGroupEgress": [
      {
       "CidrIp": "0.0.0.0/0",
       "Description": "Allow all outbound traffic by default",
       "IpProtocol": "-1"
      },
      {
-      "CidrIp": "::/0",
+      "CidrIpv6": "::/0",
       "Description": "Allow all outbound ipv6 traffic by default",
       "IpProtocol": "-1"
      }
     ],
     "VpcId": "vpc-xxx"
    },
    "Metadata": {
     "aws:cdk:path": "CdkIpv6Stack/SecurityGroup/Resource"
    }
   },
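
Review bot: the renamed key on the second SecurityGroupEgress entry needs a test that pins it. Assert on the synthesized template that the `::/0` rule is emitted under `CidrIpv6` while the `0.0.0.0/0` rule stays under `CidrIp`, so a wrong property name fails at synth time instead of surfacing as an InvalidParameterValue rollback during deploy.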

Additional Information/Context

No response

CDK CLI Version

2.45.0

Framework Version

No response

Node.js Version

16.17.1

OS

Ubuntu 20.04

Language

Typescript

Language Version

TypeScript 4.8.4

Other information

No response
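
The mismatch reported in this issue (an IPv6 CIDR emitted under `CidrIp`) can be caught in the synthesized template before deployment. The check below is an added example, not code from the issue or from aws-cdk; `findMisplacedCidrs` and the sample template are constructed for illustration.

```typescript
// Added example (not aws-cdk code): flag security group rules in a synthesized
// template whose CIDR sits under the property for the other address family.
type Json = Record<string, any>;
type Finding = { where: string; property: string; cidr: string; expected: string };

// An address with ':' is IPv6; IPv4 dotted-quad notation never contains one.
const isIpv6 = (cidr: string): boolean => cidr.split('/')[0].indexOf(':') !== -1;

function checkRule(where: string, rule: Json, out: Finding[]): void {
  for (const [property, other] of [['CidrIp', 'CidrIpv6'], ['CidrIpv6', 'CidrIp']]) {
    const cidr = rule[property];
    // Intrinsics such as { Ref: ... } cannot be resolved offline; skip them.
    if (typeof cidr !== 'string') continue;
    if (isIpv6(cidr) !== (property === 'CidrIpv6')) {
      out.push({ where, property, cidr, expected: other });
    }
  }
}

function findMisplacedCidrs(template: Json): Finding[] {
  const findings: Finding[] = [];
  const resources: Json = template.Resources ?? {};
  for (const id of Object.keys(resources)) {
    const type: string = resources[id].Type;
    const props: Json = resources[id].Properties ?? {};
    if (type === 'AWS::EC2::SecurityGroup') {
      for (const key of ['SecurityGroupIngress', 'SecurityGroupEgress']) {
        const rules: Json[] = Array.isArray(props[key]) ? props[key] : [];
        rules.forEach((rule, i) => checkRule(`${id}.${key}[${i}]`, rule, findings));
      }
    } else if (type === 'AWS::EC2::SecurityGroupIngress' || type === 'AWS::EC2::SecurityGroupEgress') {
      checkRule(id, props, findings); // standalone rule resources
    }
  }
  return findings;
}

// Constructed sample: the egress rules from the issue's template, before the fix.
const brokenTemplate: Json = { Resources: { SecurityGroupDD263621: {
  Type: 'AWS::EC2::SecurityGroup',
  Properties: { SecurityGroupEgress: [
    { CidrIp: '0.0.0.0/0', IpProtocol: '-1' },
    { CidrIp: '::/0', IpProtocol: '-1' },
  ] },
} } };
console.log(findMisplacedCidrs(brokenTemplate));
```

Run against the JSON that `cdk synth` produces, a non-empty result can fail the build before CloudFormation rejects the rule.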

@Tietew Tietew added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Oct 7, 2022
@github-actions github-actions bot added the @aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud label Oct 7, 2022
@corymhall corymhall added p1 effort/small Small work item – less than a day of effort and removed needs-triage This issue or PR still needs to be triaged. labels Oct 7, 2022
@mergify mergify bot closed this as completed in #22414 Oct 7, 2022
mergify bot pushed a commit that referenced this issue Oct 7, 2022
Introduced this functionality in #22279, but I didn't add an integration test so it didn't actually work. This PR fixes the mistake _and_ adds an integration test like I should have done the first time.

fixes #22407


----

### All Submissions:

* [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

github-actions bot commented Oct 7, 2022

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

arewa pushed a commit to arewa/aws-cdk that referenced this issue Oct 8, 2022
homakk pushed a commit to homakk/aws-cdk that referenced this issue Dec 1, 2022