provider/aws: Remove default egress rule from Security Group on creation #1765
Conversation
| @@ -407,6 +411,23 @@ func resourceAwsSecurityGroupUpdateRules( | |||
| ns := n.(*schema.Set) | |||
|
|
|||
| remove := expandIPPerms(group, os.Difference(ns).List()) | |||
|
|
|||
| if len(remove) == 0 && len(os.List()) == 0 && ruleset == "egress" { | |||
There was a problem hiding this comment.
len(remove) == 0 && len(os.List()) == 0 may be redundant, but I wasn't sure if len(os.List()) == 0 was enough. Should it be sufficient to check for nil here?
There was a problem hiding this comment.
Probably technically redundant, but I feel like it doesn't hurt to be extra explicit/conservative.
|
Note: some acceptance tests in SG now fail, but I can fix those if we think this is the right direction to take |
| }, | ||
| }, | ||
| IPProtocol: aws.String("-1"), | ||
| }) |
There was a problem hiding this comment.
Will this work if a user specifies the same egress rule in their config?
Probably an AccTest would answer one way or another.
There was a problem hiding this comment.
yes, it deletes the default, then immediately creates a new one
There was a problem hiding this comment.
Oh right, I forgot these lists end up getting executed serially, not in batches. Works for me!
|
I was picturing a wholly separate API request to specifically nuke the implicit rule, letting the remaining code do its thing unchanged, but if we can get this rule-list strategy tested and make it work I'm cool with it. |
|
I've updated this, but am stuck on something. The enforcement of an We still revoke it just fine, but we failed to enforce the restriction. I can see confusion / problems from this, as users are probably used to but also maybe unaware of the default rule. |
|
This is also contributing to the -1 protocol problem in #1177. Egress rules get the default, but local config doesn't have it, so there's always something found on plan. |
|
Note this will also become a decision point for network ACLs, but the need isn't apparent because the read function for network ACLs is broken ( #1808 ) |
catsby
force-pushed
the
f-aws-security-group-remove-default-egress
branch
from
2325c69
to
e9b08cf
Compare
|
|
||
| // TODO: We need to handle partial state better in the in-between | ||
| // TODO: We need to handle partial state better in the in-between |
|
LGTM except for whitespace nits |
|
@phinze ah, thanks; formatting issue after rebase ಠ_ಠ Fixed, merging this |
…efault-egress provider/aws: Remove default egress rule from Security Group on creation
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
ghost
locked and limited conversation to collaborators
Security Groups in a VPC receive a default
egressrule to permit all. This causes some issues though, as it's implicit, and causes errors if people try to add a duplicate rule. It also triggers a new plan if you do specify anegressrule, as we interpret that as needing to remove the old one.This PR changes two things:
egressrule, we delete the default ALLOW ALL ruleyou must now specify anrenegedegressrule when creating a Security Group inside a VPCRefs #1177
Fixes #1169, #1631
Probably fixes #1299