From 9250950e9c662e669863c012387e22e9876007ba Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?J=C3=B8rn=20Schou=20Sandager?= Date: Thu, 10 Nov 2022 11:03:20 +0100 Subject: [PATCH] fix(ec2): Invalid security group ID MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When using any of the static methods `fromLookup`, `fromLookupById`, `fromLookupByName` the context provider responsible for doing the lookup will be provided with dummy values: ``` { securityGroupId: 'sg-12345', allowAllOutbound: true, } ``` These values will apply during the construction phase. The actual lookup happens at a later stage. Unfortunately, the dummy value for `securityGroupId` is invalid – at least according to the input validation defined in the `peer` module: https://github.com/aws/aws-cdk/blob/9d1b2c7b1f0147089f912c32a61d7ba86edb543c/packages/@aws-cdk/aws-ec2/lib/peer.ts#L224 This means that any attempt to reference an existing security group retrieved through `fromLookup…()` as a peer causes an exception to be thrown during the construction phase (before CDK even attempts to perform the lookup). Example code: ``` const sg = ec2.SecurityGroup.fromLookupByName(this, "Group", "group-name", vpc); const peer = ec2.Peer.securityGroupId(sg.securityGroupId); ``` Example output: ``` $ cdk synth > Error: Invalid security group ID: "sg-12345" > at new SecurityGroupId (/Users/jsc/code/trustpilot/appmesh-demo/node_modules/aws-cdk-lib/aws-ec2/lib/peer.js:1:2617) > at Function.securityGroupId (/Users/jsc/code/trustpilot/appmesh-demo/node_modules/aws-cdk-lib/aws-ec2/lib/peer.js:1:549) ``` Changing the dummy value to `'sg-12345678'`, which matches the expected pattern, will allow the construction phase to complete, the lookup will come into play, and the synth will complete without errors and with the actual ID of the referenced security group rendered in the resulting CloudFormation template. --- packages/@aws-cdk/aws-ec2/lib/security-group.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/packages/@aws-cdk/aws-ec2/lib/security-group.ts b/packages/@aws-cdk/aws-ec2/lib/security-group.ts
index e3b63b42f48af..ab66118204d2c 100644
--- a/packages/@aws-cdk/aws-ec2/lib/security-group.ts
+++ b/packages/@aws-cdk/aws-ec2/lib/security-group.ts
@@ -432,7 +432,7 @@ export class SecurityGroup extends SecurityGroupBase {
         vpcId: options.vpc?.vpcId,
       },
       dummyValue: {
-        securityGroupId: 'sg-12345',
+        securityGroupId: 'sg-12345678',
         allowAllOutbound: true,
       } as cxapi.SecurityGroupContextResponse,
     }).value;
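Review bot: The new placeholder `'sg-12345678'` is now silently coupled to the ID validation in `peer.ts`, and nothing on the `+` line records that contract, so the next change to either side (for example tightening the peer check to the 17-hex-digit form real IDs use today) reintroduces the construction-time throw this commit fixes. Add a comment on the added line, e.g. `// Placeholder must pass the ID check in Peer.securityGroupId() (peer.ts); an invalid dummy throws before the lookup ever runs.`. The diffstat shows only this file changed, so there is no regression test pinning the interaction; a test that builds `Peer.securityGroupId(SecurityGroup.fromLookupByName(stack, 'Sg', 'name', vpc).securityGroupId)` and asserts it does not throw would guard it. The enclosing static method starts before and closes after this hunk, and the exact pattern `peer.ts` enforces is not visible here, so whether `sg-12345678` remains valid under any future rule is inferred from the commit message rather than from the hunk.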