
[aws-rds] No way of configuring a security group for an OptionGroup #9240

Closed
peteguyatt opened this issue Jul 24, 2020 · 2 comments · Fixed by #10011
Comments

@peteguyatt

peteguyatt commented Jul 24, 2020

When configuring SSL for an Oracle OptionGroup and providing the required VPC a default security group allowing all outbound is created.

Reproduction Steps

CDK code

    import * as rds from '@aws-cdk/aws-rds';

    const vpc = ... 
    const engine = rds.DatabaseInstanceEngine.ORACLE_SE2;
    const majorEngineVersion = '12.2';
    const sslOptionGroup = new rds.OptionGroup(this, `OracleSslOptionGroup`, {
      engine,
      majorEngineVersion,
      configurations: [
        {
          name: 'SSL',
          port: 2484,
          vpc: vpc,
          settings: {
            'FIPS.SSLFIPS_140': 'TRUE',
            'SQLNET.CIPHER_SUITE': 'SSL_RSA_WITH_AES_256_GCM_SHA384',
            'SQLNET.SSL_VERSION': '1.2'
          }
        }
      ],
    });

Cloudformation

Description: Standard Oracle Option Group for Oracle RDS
Resources:
  OracleSslOptionGroupSecurityGroupSSL189994D1:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group for SSL option
      SecurityGroupEgress:
        - CidrIp: 0.0.0.0/0
          Description: Allow all outbound traffic by default
          IpProtocol: "-1"
      VpcId: vpc-xxxxxxxxxxx
    Metadata:
      aws:cdk:path: rds-optiongroup-oracle-standard/OracleSslOptionGroup/SecurityGroupSSL/Resource
  OracleSslOptionGroup42718335:
    Type: AWS::RDS::OptionGroup
    Properties:
      EngineName: oracle-se2
      MajorEngineVersion: "12.2"
      OptionConfigurations:
        - OptionName: SSL
          OptionSettings:
            - Name: FIPS.SSLFIPS_140
              Value: "TRUE"
            - Name: SQLNET.CIPHER_SUITE
              Value: SSL_RSA_WITH_AES_256_GCM_SHA384
            - Name: SQLNET.SSL_VERSION
              Value: "1.2"
          Port: 2484
          VpcSecurityGroupMemberships:
            - Fn::GetAtt:
                - OracleSslOptionGroupSecurityGroupSSL189994D1
                - GroupId
      OptionGroupDescription: Option group for oracle-se2 12.2
    Metadata:
      aws:cdk:path: rds-optiongroup-oracle-standard/OracleSslOptionGroup/Resource
  CDKMetadata:
    Type: AWS::CDK::Metadata
    Properties:
      Modules: aws-cdk=1.49.0,@aws-cdk/assets=1.49.0,@aws-cdk/aws-autoscaling=1.50.0,@aws-cdk/aws-autoscaling-common=1.50.0,@aws-cdk/aws-cloudwatch=1.49.0,@aws-cdk/aws-dms=1.50.0,@aws-cdk/aws-ec2=1.49.0,@aws-cdk/aws-elasticloadbalancingv2=1.50.0,@aws-cdk/aws-events=1.49.0,@aws-cdk/aws-iam=1.49.0,@aws-cdk/aws-kms=1.49.0,@aws-cdk/aws-lambda=1.49.0,@aws-cdk/aws-logs=1.49.0,@aws-cdk/aws-rds=1.49.0,@aws-cdk/aws-s3=1.49.0,@aws-cdk/aws-s3-assets=1.49.0,@aws-cdk/aws-sam=1.49.0,@aws-cdk/aws-secretsmanager=1.49.0,@aws-cdk/aws-sqs=1.49.0,@aws-cdk/aws-ssm=1.49.0,@aws-cdk/cloud-assembly-schema=1.50.0,@aws-cdk/core=1.50.0,@aws-cdk/cx-api=1.50.0,@aws-cdk/region-info=1.49.0,jsii-runtime=node.js/v12.8.0

Error Log

Environment

  • CLI Version : aws-cli/1.18.51 Python/3.7.7 Darwin/18.7.0 botocore/1.16.1
  • Framework Version: 1.49.0
  • Node.js Version: 12..0
  • OS : OSX 10.14.6
  • Language (Version): TypeScript (3.9.6)

Other

There is no standard way of configuring this security group through CDK, and to create a default security group without the ability to lock down the outbound traffic isn't ideal. It would be nice if we could get access to this security group or provide a common security group to use.


This is 🐛 Bug Report
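The synthesized template above shows the shape of the problem: a CDK-generated security group with an "allow all outbound" egress rule, attached to the OptionGroup through `VpcSecurityGroupMemberships`. The following added example (not code from the issue or from the CDK project) is a small pre-deploy check over a synthesized template that flags such groups and reports which resources attach them; the template fragment it runs on is constructed here to mirror the one in the issue.

```typescript
// Added example: scan a synthesized CloudFormation template (as an object, e.g.
// from cdk.out/*.template.json) for security groups with wide-open egress.
type Resource = { Type: string; Properties?: Record<string, any> };
type Template = { Resources: Record<string, Resource> };

// An egress rule is "open" when it allows every protocol to any IPv4/IPv6 peer.
function isOpenEgress(rule: Record<string, any>): boolean {
  const anyPeer = rule.CidrIp === '0.0.0.0/0' || rule.CidrIpv6 === '::/0';
  const anyProto = String(rule.IpProtocol) === '-1';
  return anyPeer && anyProto;
}

// Collect logical IDs referenced via Ref / Fn::GetAtt anywhere inside a value.
function referencedIds(value: any, out: Set<string> = new Set()): Set<string> {
  if (Array.isArray(value)) value.forEach(v => referencedIds(v, out));
  else if (value && typeof value === 'object') {
    if (typeof value.Ref === 'string') out.add(value.Ref);
    const ga = value['Fn::GetAtt'];
    if (Array.isArray(ga) && typeof ga[0] === 'string') out.add(ga[0]);
    for (const v of Object.values(value)) referencedIds(v, out);
  }
  return out;
}

interface Finding { securityGroup: string; attachedTo: string[] }

// Report every security group with an open egress rule, together with the
// resources (here the OptionGroup) whose properties reference it.
function findOpenEgressGroups(t: Template): Finding[] {
  const findings: Finding[] = [];
  for (const [id, res] of Object.entries(t.Resources)) {
    if (res.Type !== 'AWS::EC2::SecurityGroup') continue;
    const egress: Record<string, any>[] = res.Properties?.SecurityGroupEgress ?? [];
    if (!egress.some(isOpenEgress)) continue;
    const attachedTo = Object.entries(t.Resources)
      .filter(([other, r]) => other !== id && referencedIds(r.Properties).has(id))
      .map(([other]) => other);
    findings.push({ securityGroup: id, attachedTo });
  }
  return findings;
}

// Constructed fragment mirroring the issue's template (logical IDs copied from it).
const issueTemplate: Template = { Resources: {
  OracleSslOptionGroupSecurityGroupSSL189994D1: { Type: 'AWS::EC2::SecurityGroup', Properties: {
    SecurityGroupEgress: [{ CidrIp: '0.0.0.0/0', IpProtocol: '-1' }], VpcId: 'vpc-xxxxxxxxxxx' } },
  OracleSslOptionGroup42718335: { Type: 'AWS::RDS::OptionGroup', Properties: {
    OptionConfigurations: [{ OptionName: 'SSL', Port: 2484,
      VpcSecurityGroupMemberships: [{ 'Fn::GetAtt': ['OracleSslOptionGroupSecurityGroupSSL189994D1', 'GroupId'] }] }] } },
} };
```

Running `findOpenEgressGroups(issueTemplate)` returns one finding naming the generated group and the OptionGroup that attaches it; a group whose egress is narrowed to the SSL port and an internal CIDR produces none.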

@peteguyatt peteguyatt added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jul 24, 2020
@github-actions github-actions bot added the @aws-cdk/aws-rds Related to Amazon Relational Database label Jul 24, 2020
@skinny85
Contributor

Hey @peteguyatt ,

thanks for opening the issue. You're correct. The OptionConfiguration should take an optional securityGroups?: ec2.ISecurityGroup[] property that allows you to pass a collection of SecurityGroups when creating it, and only create a new SecurityGroup when nothing was passed in that option.

I'm changing this to a feature request, and adding it to our RDS project board.

Thanks,
Adam

@skinny85 skinny85 added effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. p2 and removed bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jul 24, 2020
@skinny85 skinny85 added this to the RDS to 'stable' milestone Jul 24, 2020
@njlynch njlynch assigned njlynch and unassigned skinny85 Aug 27, 2020
@njlynch njlynch reopened this Aug 27, 2020
njlynch added a commit that referenced this issue Aug 27, 2020
Enables customers to provide a custom security group for any OptionGroup that
requires a VPC and SecurityGroup.

fixes #9240
@mergify mergify bot closed this as completed in #10011 Aug 28, 2020
mergify bot pushed a commit that referenced this issue Aug 28, 2020
@joshprzybyszewski

I ran into the same issue in my hobby project recently (the default RDS Security Group will allow all outbound traffic). I found this issue when I hit the following error, and I want to leave my resolution in case it will help the next dev.

Problem message

This deployment will make potentially sensitive changes according to your current security approval level (--require-approval broadening).
Please confirm you intend to make the following modifications:

Security Group Changes
┌───┬─────────────────────────────────────────────┬─────┬────────────┬─────────────────┐
│   │ Group                                       │ Dir │ Protocol   │ Peer            │
├───┼─────────────────────────────────────────────┼─────┼────────────┼─────────────────┤
│ + │ ${mysql-rds-instance/SecurityGroup.GroupId} │ Out │ Everything │ Everyone (IPv4) │
└───┴─────────────────────────────────────────────┴─────┴────────────┴─────────────────┘
(NOTE: There may be security-related changes not in this list. See https://github.com/aws/aws-cdk/issues/1299)

Solution

Add a SecurityGroup to my RDS instance (here).
