Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(ec2): warn if egress rules are ignored #9127

Merged
merged 2 commits into from
Jul 17, 2020
Merged

chore(ec2): warn if egress rules are ignored #9127

merged 2 commits into from
Jul 17, 2020

Conversation

NetaNir
Copy link
Contributor

@NetaNir NetaNir commented Jul 17, 2020
edited
Loading

If allowAllOutbound is set to true, any call to addEgressRule will be ignored, this PR adds a warning.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@NetaNir NetaNir requested a review from rix0rrr July 17, 2020 04:10
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Jul 17, 2020
@NetaNir NetaNir requested review from RomainMuller and a team July 17, 2020 04:10
@NetaNir NetaNir self-assigned this Jul 17, 2020
@NetaNir NetaNir removed the request for review from rix0rrr July 17, 2020 04:10
eladb
eladb reviewed Jul 17, 2020
View reviewed changes
packages/@aws-cdk/aws-ec2/lib/security-group.ts
@@ -404,6 +404,7 @@ export class SecurityGroup extends SecurityGroupBase {
// In the case of "allowAllOutbound", we don't add any more rules. There
// is only one rule which allows all traffic and that subsumes any other
// rule.
this.node.addWarning('Ignoring Egress rule since \'allowAllOutbound\' is set to true; To add customize rules, set allowAllOutbound=false on the SecurityGroup');
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it possible to include some info about which egress rule is ignored?

Copy link
Contributor Author

@NetaNir NetaNir Jul 17, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we can add the CIDR but Im not sure it will make a different since all rules are ignored when allowAllOutbound is set to true.

@mergify
Copy link
Contributor

mergify bot commented Jul 17, 2020

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify
Copy link
Contributor

mergify bot commented Jul 17, 2020

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit 5191103 into master Jul 17, 2020
@mergify mergify bot deleted the neta/warn-ignore-rules branch July 17, 2020 06:27
@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: 0cb0eb4
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@rrrix
Copy link

rrrix commented Jul 22, 2020

Hi @NetaNir,

I run my CDK commands with --strict (e.g. cdk diff -e stack --strict --verbose).

I recently just upgraded to 1.54.0.

This change has now caused all commands to fail in --strict mode, particularly with with built-in L2 construct methods such as ecs.Cluster.addCapacity() (https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-ecs.Cluster.html#add-wbr-capacityid-options).

[Warning at /shared/ecs-cluster/t3microCapacity/InstanceSecurityGroup] Ignoring Egress rule since 'allowAllOutbound' is set to true; To add customize rules, set allowAllOutbound=false on the SecurityGroup
  ConstructNode.addWarning (/Users/user/code/cdk/node_modules/@aws-cdk/core/lib/construct-compat.ts:423:22)
  SecurityGroup.addEgressRule (/Users/user/code/cdk/node_modules/@aws-cdk/aws-ec2/lib/security-group.ts:407:17)
  /Users/user/code/cdk/node_modules/@aws-cdk/aws-ec2/lib/connections.ts:131:23
  ReactiveList.forEachAndForever (/Users/user/code/cdk/node_modules/@aws-cdk/aws-ec2/lib/connections.ts:267:7)
  /Users/user/code/cdk/node_modules/@aws-cdk/aws-ec2/lib/connections.ts:130:45
  ReactiveList.push (/Users/user/code/cdk/node_modules/@aws-cdk/aws-ec2/lib/connections.ts:260:9)
  Connections.addSecurityGroup (/Users/user/code/cdk/node_modules/@aws-cdk/aws-ec2/lib/connections.ts:117:28)
  Cluster.addAutoScalingGroup (/Users/user/code/cdk/node_modules/@aws-cdk/aws-ecs/lib/cluster.ts:195:34)
  Cluster.addCapacity (/Users/user/code/cdk/node_modules/@aws-cdk/aws-ecs/lib/cluster.ts:181:10)
  new SharedService (/Users/user/code/cdk/src/services/shared.ts:109:39)
  main (/Users/user/code/cdk/src/index.ts:82:18)
  Object.<anonymous> (/Users/user/code/cdk/src/index.ts:259:1)
  Module._compile (internal/modules/cjs/loader.js:1201:30)
  Module.m._compile (/Users/user/code/cdk/node_modules/ts-node/src/index.ts:858:23)
  Module._extensions..js (internal/modules/cjs/loader.js:1221:10)
  Object.require.extensions.<computed> [as .ts] (/Users/user/code/cdk/node_modules/ts-node/src/index.ts:861:12)
  Module.load (internal/modules/cjs/loader.js:1050:32)
  Function.Module._load (internal/modules/cjs/loader.js:938:14)
  Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:71:12)
  internal/main/run_main_module.js:17:47
Found warnings (--strict mode)
Error: Found warnings (--strict mode)
    at StackCollection.processMetadataMessages (/Users/x37/git/rapticore/glass-comb/Infrastructure/cdk/node_modules/aws-cdk/lib/api/cxapp/cloud-assembly.ts:204:13)
    at CdkToolkit.validateStacks (/Users/x37/git/rapticore/glass-comb/Infrastructure/cdk/node_modules/aws-cdk/lib/cdk-toolkit.ts:425:12)
    at CdkToolkit.selectStacksForDiff (/Users/x37/git/rapticore/glass-comb/Infrastructure/cdk/node_modules/aws-cdk/lib/cdk-toolkit.ts:404:16)
    at processTicksAndRejections (internal/process/task_queues.js:93:5)
    at CdkToolkit.diff (/Users/x37/git/rapticore/glass-comb/Infrastructure/cdk/node_modules/aws-cdk/lib/cdk-toolkit.ts:81:20)
    at main (/Users/x37/git/rapticore/glass-comb/Infrastructure/cdk/node_modules/aws-cdk/bin/cdk.ts:223:16)
    at initCommandLine (/Users/x37/git/rapticore/glass-comb/Infrastructure/cdk/node_modules/aws-cdk/bin/cdk.ts:188:9)

Is this intended?

@NetaNir
Copy link
Contributor Author

NetaNir commented Jul 22, 2020

@rrrix, can you share the code that is producing the error, I tested:

const cluster = new ecs.Cluster(this, 'EcsCluster');
cluster.addCapacity('DefaultAutoScalingGroup', {
instanceType: new ec2.InstanceType('t2.micro'),
});

and couldn't reproduce.

I have added the warning since by default we create the securityGroup with allowAllOutbound set to true, which cause all subsequent calls to addEgressRule to ignore the added rule, resulting in a lot of confusion.

curtiseppel pushed a commit to curtiseppel/aws-cdk that referenced this pull request Aug 11, 2020
@NetaNir
chore(ec2): warn if egress rules are ignored (aws#9127)
12d6b7e 
If `allowAllOutbound` is set to true, any call to `addEgressRule` will be ignored, this PR adds a warning. 

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@eladb eladb eladb approved these changes

@RomainMuller RomainMuller Awaiting requested review from RomainMuller

Assignees

@NetaNir NetaNir

Labels
contribution/core This is a PR that came from AWS.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@NetaNir @aws-cdk-automation @rrrix @eladb