Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(ec2): restrictDefaultSecurityGroup fails when default rules are not present #27039

Merged
merged 9 commits into from
Sep 20, 2023

Conversation

clueleaf
Copy link
Contributor

@clueleaf clueleaf commented Sep 7, 2023

When using restrictDefaultSecurityGroup to remove default security group rules, an error is thrown and the deploy rolls back if the default rules are not found.
This error usually happens when developers previously removed default rules manually or by other means, and then want to switch to using restrictDefaultSecurityGroup. They have to re-add default rules and deploy again to cope with the error.
This PR fixes the custom resource to ignore the error when default rules are not found.

Closes #26390


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@github-actions github-actions bot added the valued-contributor [Pilot] contributed between 6-12 PRs to the CDK label Sep 7, 2023
@aws-cdk-automation aws-cdk-automation requested a review from a team September 7, 2023 02:27
@github-actions github-actions bot added bug This issue is a bug. effort/medium Medium work item – several days of effort p2 labels Sep 7, 2023
Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

@clueleaf
Copy link
Contributor Author

clueleaf commented Sep 7, 2023

Exemption Request
I don't think an integration test is necessary for custom resource code change.

@aws-cdk-automation aws-cdk-automation added the pr-linter/exemption-requested The contributor has requested an exemption to the PR Linter feedback. label Sep 7, 2023
Copy link
Contributor

@MrArnoldPalmer MrArnoldPalmer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The way the linked issue was written, it seemed like this bug was an issue caused by changes in the CDK, but it looks like that's not actually the case? The handler always assumed these default rules were present whether using sdk v2 or v3 right?

An integ test would be ideal for this but I'm not actually sure how we would accomplish it. Will add the exception.

try {
await ec2.revokeSecurityGroupEgress(egressRuleParams(groupId));
} catch (e: any) {
if (!(e instanceof Error) || (e instanceof Error && e.name !== 'InvalidPermission.NotFound')) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We just rolled back using typed exceptions in sdk v3 because there are some known issues with it. We should just use e.name so we are in line with all our other custom resource code.

We should just be able to consolidate like so?

try {
  await ec2.revokeSecurityGroupEgress(egressRuleParams(groupId));
  await ec2.revokeSecurityGroupIngress(ingressRuleParams(groupId, account));
} catch (e: any) {
  if (e.name === 'InvalidPermission.NotFound') {
    return;
  }
  throw e;
}

Most typed exceptions in sdkV3 have a type for each different error.name value with that field hardcoded in. However Ec2 just has ServiceException with a bunch of different "error codes" which are also used as the error.name field. I just ran the commands against a non-existing security group to ensure that these name fields are as expected since we can't verify them in the sdk code.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for your explanation. I removed error type checks.
Just found the error code InvalidPermission.NotFound is listed in this doc.

We should just be able to consolidate like so?

I think these two API calls should be put into separate try-catch blocks, because even if the default egress rule is not found, we still want to execute revokeSecurityGroupIngress.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ahhh yes, makes sense.

@clueleaf
Copy link
Contributor Author

clueleaf commented Sep 9, 2023

@MrArnoldPalmer

The way the linked issue was written, it seemed like this bug was an issue caused by changes in the CDK, but it looks like that's not actually the case? The handler always assumed these default rules were present whether using sdk v2 or v3 right?

restrictDefaultSecurityGroup property and @aws-cdk/aws-ec2:restrictDefaultSecurityGroup feature flag were introduced in v2.78.0 (#25297), so setting it before v2.78.0 has no effect. The only change since the introduction of this feature was switching to use node18 and sdkv3.
I think the core cause of the issue was the actual security group situation as the error message shows.

@mrgrain mrgrain changed the title fix(ec2): using restrictDefaultSecurityGroup should not fail when defalt rules are not present fix(ec2): using restrictDefaultSecurityGroup should not fail when default rules are not present Sep 9, 2023
@mrgrain mrgrain changed the title fix(ec2): using restrictDefaultSecurityGroup should not fail when default rules are not present fix(ec2): restrictDefaultSecurityGroup fails when default rules are not present Sep 9, 2023
@MrArnoldPalmer MrArnoldPalmer added the pr-linter/exempt-integ-test The PR linter will not require integ test changes label Sep 11, 2023
@aws-cdk-automation aws-cdk-automation dismissed their stale review September 11, 2023 15:31

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

MrArnoldPalmer
MrArnoldPalmer previously approved these changes Sep 11, 2023
Copy link
Contributor

@MrArnoldPalmer MrArnoldPalmer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, one snapshot needs to be updated in framework-integ. Are you able to run the integration test?

@clueleaf
Copy link
Contributor Author

@MrArnoldPalmer
Thanks.
I can run the integration test, but I have trouble using my own domain.
Following this, I set up env vars:

% export HOSTED_ZONE_ID=<Hosted Zone ID that I own>
% export HOSTED_ZONE_NAME=<Hosted Zone name that I own>
% export DOMAIN_NAME=*.<Hosted Zone name that I own>

% echo $HOSTED_ZONE_ID
<Hosted Zone ID that I own>
% echo $HOSTED_ZONE_NAME
<Hosted Zone name that I own>
% echo $DOMAIN_NAME                     
*.<hosted zone name that I own>

When I try to update the snapshot,

% yarn integ test/aws-elasticloadbalancingv2/test/integ.alb.oidc.js --no-clean --update-on-failed

it requests certificate using *.example.com domain and then fails.
Do you have any guidance regarding setting up domains?

@MrArnoldPalmer
Copy link
Contributor

ahhh you know what, let me run this for you then. I forgot this was required here.

@clueleaf
Copy link
Contributor Author

@MrArnoldPalmer
Thanks! That will be helpful.

@mergify mergify bot dismissed MrArnoldPalmer’s stale review September 19, 2023 16:17

Pull request has been modified.

Copy link
Contributor

@MrArnoldPalmer MrArnoldPalmer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Was going to reapprove after merging in main but apparently I included some extra stuff that got generated during build. All this should be in main already or excluded. Sorry I'll clean this up tomorrow.

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: d92f17d
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify
Copy link
Contributor

mergify bot commented Sep 20, 2023

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit 1e67f9d into aws:main Sep 20, 2023
9 checks passed
@clueleaf clueleaf deleted the feat/restrict_default_sg branch September 21, 2023 12:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug This issue is a bug. effort/medium Medium work item – several days of effort p2 pr-linter/exempt-integ-test The PR linter will not require integ test changes pr-linter/exemption-requested The contributor has requested an exemption to the PR Linter feedback. valued-contributor [Pilot] contributed between 6-12 PRs to the CDK
Projects
None yet
3 participants