fix(ec2): restrictDefaultSecurityGroup fails when default rules are not present #27039
Conversation
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification. A comment requesting an exemption should contain the text "Exemption Request". Additionally, if clarification is needed add "Clarification Request" to a comment.
The way the linked issue was written, it seemed like this bug was an issue caused by changes in the CDK, but it looks like that's not actually the case? The handler always assumed these default rules were present whether using sdk v2 or v3 right?
An integ test would be ideal for this but I'm not actually sure how we would accomplish it. Will add the exception.
```ts
try {
  await ec2.revokeSecurityGroupEgress(egressRuleParams(groupId));
} catch (e: any) {
  if (!(e instanceof Error) || (e instanceof Error && e.name !== 'InvalidPermission.NotFound')) {
```
We just rolled back using typed exceptions in sdk v3 because there are some known issues with it. We should just use `e.name` so we are in line with all our other custom resource code.

We should just be able to consolidate like so?

```ts
try {
  await ec2.revokeSecurityGroupEgress(egressRuleParams(groupId));
  await ec2.revokeSecurityGroupIngress(ingressRuleParams(groupId, account));
} catch (e: any) {
  if (e.name === 'InvalidPermission.NotFound') {
    return;
  }
  throw e;
}
```

Most typed exceptions in sdk v3 have a type for each different `error.name` value with that field hardcoded in. However EC2 just has `ServiceException` with a bunch of different "error codes" which are also used as the `error.name` field. I just ran the commands against a non-existing security group to ensure that these name fields are as expected since we can't verify them in the sdk code.
Thanks for your explanation. I removed error type checks.

Just found the error code `InvalidPermission.NotFound` is listed in this doc.

> We should just be able to consolidate like so?

I think these two API calls should be put into separate try-catch blocks, because even if the default egress rule is not found, we still want to execute `revokeSecurityGroupIngress`.
ahhh yes, makes sense.
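The two points settled in the thread above (match the EC2 error code through `error.name` rather than a typed exception, and give each revoke call its own try/catch so a missing egress rule does not skip the ingress revoke) as one runnable illustration. This is an added example, not the CDK custom-resource handler or any code from the PR: `Ec2Like` and `FakeEc2` are assumed stand-ins for the AWS SDK v3 EC2 client so it runs offline, and the real `revokeSecurityGroupEgress` / `revokeSecurityGroupIngress` calls take richer parameters than the `GroupId`-only shape used here.

```typescript
// Added example, not the CDK's own custom-resource handler: revoke the default
// security group rules and treat a rule that is already absent as success.
// `Ec2Like` and `FakeEc2` are assumptions standing in for the AWS SDK v3 EC2
// client so the example runs offline; the real calls take richer parameters.

interface RuleParams {
  GroupId: string;
}

interface Ec2Like {
  revokeSecurityGroupEgress(params: RuleParams): Promise<void>;
  revokeSecurityGroupIngress(params: RuleParams): Promise<void>;
}

// EC2 surfaces one ServiceException type with the error code in `error.name`,
// so the code string, not an `instanceof` check, is the discriminator.
function isNotFound(e: unknown): boolean {
  return typeof e === 'object' && e !== null
    && (e as { name?: unknown }).name === 'InvalidPermission.NotFound';
}

interface RevokeResult {
  egressRevoked: boolean;   // true if the egress rule existed and was removed
  ingressRevoked: boolean;  // true if the ingress rule existed and was removed
}

async function revokeDefaultRules(ec2: Ec2Like, groupId: string): Promise<RevokeResult> {
  const result: RevokeResult = { egressRevoked: false, ingressRevoked: false };
  // One try/catch per call: a missing egress rule must not skip the ingress revoke.
  try {
    await ec2.revokeSecurityGroupEgress({ GroupId: groupId });
    result.egressRevoked = true;
  } catch (e) {
    if (!isNotFound(e)) throw e;  // anything but "already gone" still fails the resource
  }
  try {
    await ec2.revokeSecurityGroupIngress({ GroupId: groupId });
    result.ingressRevoked = true;
  } catch (e) {
    if (!isNotFound(e)) throw e;
  }
  return result;
}

// Constructed fake client (not an SDK type). `missing` names the rules that are
// already absent; `egressErrorName` injects an unrelated error on the egress call.
class FakeEc2 implements Ec2Like {
  public readonly calls: string[] = [];

  constructor(
    private readonly missing: ReadonlySet<string>,
    private readonly egressErrorName?: string,
  ) {}

  private fail(name: string): never {
    const err = new Error(name);
    err.name = name;  // the SDK puts the EC2 error code here
    throw err;
  }

  async revokeSecurityGroupEgress(_params: RuleParams): Promise<void> {
    this.calls.push('egress');
    if (this.egressErrorName !== undefined) this.fail(this.egressErrorName);
    if (this.missing.has('egress')) this.fail('InvalidPermission.NotFound');
  }

  async revokeSecurityGroupIngress(_params: RuleParams): Promise<void> {
    this.calls.push('ingress');
    if (this.missing.has('ingress')) this.fail('InvalidPermission.NotFound');
  }
}

// Usage: egress rule already removed by hand, ingress still present.
revokeDefaultRules(new FakeEc2(new Set(['egress'])), 'sg-0123456789abcdef0')
  .then((r) => console.log(r));  // { egressRevoked: false, ingressRevoked: true }
```

The fake's `fail` helper sets `err.name` to the EC2 error code because that is the field the SDK populates; with the consolidated single try/catch from the earlier suggestion, the first scenario in the usage line would have returned after the egress `NotFound` and left the ingress rule in place, which is the security regression the separate blocks avoid. An unrelated error such as a permission failure still propagates, so the custom resource fails loudly instead of reporting a restricted group that is not.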
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
Looks good, one snapshot needs to be updated in framework-integ. Are you able to run the integration test?
@MrArnoldPalmer When I try to update the snapshot, it requests certificate using

ahhh you know what, let me run this for you then. I forgot this was required here.

@MrArnoldPalmer
Pull request has been modified.
Was going to reapprove after merging in main but apparently I included some extra stuff that got generated during build. All this should be in main already or excluded. Sorry I'll clean this up tomorrow.
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).
When using `restrictDefaultSecurityGroup` to remove default security group rules, an error is thrown and the deploy rolls back if the default rules are not found.

This error usually happens when developers previously removed default rules manually or by other means, and then want to switch to using `restrictDefaultSecurityGroup`. They have to re-add default rules and deploy again to cope with the error. This PR fixes the custom resource to ignore the error when default rules are not found.

Closes #26390
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license