AwsCustomResource/EC2.SecurityGroup: can not add two Prefix Lists to an Egress Rule #13668
Comments
I am also affected by this issue. @markilott Did you come up with a viable workaround?
@elemakil unfortunately the only workaround I found was to use one security group per prefix list. I think it would also be possible to export the prefix lists in one stack, then import them back in as strings in another stack, but I didn't try it.
Hey @markilott, thank you for reporting this. I just did a little bit of quick research to see if I could find where the issue is. While I didn't find anything conclusive, it looks like the likely culprit is this block of code: aws-cdk/packages/@aws-cdk/aws-ec2/lib/security-group.ts, lines 106 to 114 at commit c832c1b.
One of the devs on the team will look into a fix as time permits. In the interim, if you want to bump up the attention, feel free to get more likes on this issue and we will increase its priority order. 😸 😷
@markilott can you let me know if this is still an issue for you? I believe this was fixed in #17221.
This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.
Workaround: assign Port.tcp(443) to one of the egress rules and Port.tcpRange(443, 443) to the other.
This is still an issue, can we get this reopened?
I use cdk v2.102.0 and don't face this issue
❓ General Issue
Trying to add prefix lists for S3 and DynamoDB Gateway Endpoints to a Security Group.
I am using a Custom Resource to look up the Prefix List IDs so I can add them to Egress Rules (required, as we cannot allow all outbound traffic for Lambda functions in production).
What I expected to happen:
Lookup Prefix Lists, and have both added to Egress Rules for the Security Group.
What actually happens:
Only the first Egress Rule specified is added.
Environment
To reproduce:
Other Information
I've tried a few different ways to do this but the result is always the same. I can see in CloudWatch that the Lambda is running and returning the correct data. The problem is that the second Egress Rule does not get created in the CloudFormation template.
If I manually add the Prefix List Id strings instead of using the CustomResource then both Egress Rules are created.
If I use two Security Groups and add one prefix to each using the CustomResource then both are created:
The field order does not matter, the second specified is always omitted:
The issue seems to be that synth ignores a second rule when it is token based.
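Because the dropped rule only shows up in the synthesized CloudFormation template, the practical guard is to check the template after `cdk synth` and before deploy. The following is an added example, not code from this issue or from the CDK project: it walks a template, collects every egress rule that targets a prefix list, and reports the expected rules that are missing. The template embedded here is constructed to mirror the symptom described above (two rules requested, one survived); the logical IDs, the `Custom::AWS` lookups and the `PrefixLists.0.PrefixListId` attribute path are assumptions about what the stack would emit.

```typescript
// Added example (not from the issue or the CDK project): a post-synth check
// that counts the prefix-list egress rules actually present in a synthesized
// CloudFormation template, so a silently dropped rule fails CI instead of
// reaching production.

type CfnValue = string | { [k: string]: unknown };

interface EgressRule {
  IpProtocol?: string;
  FromPort?: number;
  ToPort?: number;
  DestinationPrefixListId?: CfnValue;
  GroupId?: CfnValue;
}

interface CfnTemplate {
  Resources: Record<string, { Type: string; Properties?: Record<string, unknown> }>;
}

// Constructed sample template: two prefix-list lookups (AwsCustomResource
// renders as Custom::AWS) but only one inline egress rule on the group,
// which is the symptom reported above. Logical IDs are assumed.
const sampleTemplate: CfnTemplate = {
  Resources: {
    PrefixListLookupS3: { Type: 'Custom::AWS', Properties: {} },
    PrefixListLookupDynamo: { Type: 'Custom::AWS', Properties: {} },
    LambdaSG: {
      Type: 'AWS::EC2::SecurityGroup',
      Properties: {
        GroupDescription: 'lambda egress',
        SecurityGroupEgress: [
          {
            IpProtocol: 'tcp',
            FromPort: 443,
            ToPort: 443,
            DestinationPrefixListId: {
              'Fn::GetAtt': ['PrefixListLookupS3', 'PrefixLists.0.PrefixListId'],
            },
          },
        ],
      },
    },
  },
};

// Render a CloudFormation value (plain string or intrinsic) to a stable key.
function renderRef(v: CfnValue | undefined): string {
  if (v === undefined) return '';
  return typeof v === 'string' ? v : JSON.stringify(v);
}

function ruleKey(group: string, r: EgressRule): string {
  return `${group}|${renderRef(r.DestinationPrefixListId)}|${r.IpProtocol ?? ''}|${r.FromPort ?? ''}-${r.ToPort ?? ''}`;
}

// Collect inline egress rules on every security group plus standalone
// AWS::EC2::SecurityGroupEgress resources (CDK emits those when inline rules
// are disabled). One key per prefix-list rule: "<group>|<dest>|<proto>|<from>-<to>".
function prefixListEgressKeys(t: CfnTemplate): string[] {
  const keys: string[] = [];
  for (const [name, res] of Object.entries(t.Resources)) {
    const p = (res.Properties ?? {}) as Record<string, unknown>;
    if (res.Type === 'AWS::EC2::SecurityGroup') {
      for (const r of (p.SecurityGroupEgress as EgressRule[] | undefined) ?? []) {
        if (r.DestinationPrefixListId !== undefined) keys.push(ruleKey(name, r));
      }
    } else if (res.Type === 'AWS::EC2::SecurityGroupEgress') {
      const r = p as unknown as EgressRule;
      if (r.DestinationPrefixListId !== undefined) keys.push(ruleKey(renderRef(r.GroupId), r));
    }
  }
  return keys;
}

// Return the expected rules that are absent from the template so a CI step
// can fail the build rather than deploy a group that lacks an egress rule.
function missingPrefixListRules(t: CfnTemplate, expected: string[]): string[] {
  const present = new Set(prefixListEgressKeys(t));
  return expected.filter((k) => !present.has(k));
}

// Expected keys for the constructed stack: one rule per gateway-endpoint prefix list.
const expectedRules = [
  'LambdaSG|{"Fn::GetAtt":["PrefixListLookupS3","PrefixLists.0.PrefixListId"]}|tcp|443-443',
  'LambdaSG|{"Fn::GetAtt":["PrefixListLookupDynamo","PrefixLists.0.PrefixListId"]}|tcp|443-443',
];

const missing = missingPrefixListRules(sampleTemplate, expectedRules);
if (missing.length > 0) {
  console.error(`synth dropped ${missing.length} egress rule(s):\n  ${missing.join('\n  ')}`);
}
```

In a pipeline the `sampleTemplate` literal would be replaced by `JSON.parse` of the file under `cdk.out/`, and the expected keys derived from the same list of prefix lists the stack iterates over; keying on the rendered intrinsic rather than a resolved ID keeps the check usable before deployment, when the prefix list IDs are still tokens.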