Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(ec2): addIngressRule and addEgressRule detect unresolved tokens as duplicates #17201

Closed
peterwoodworth opened this issue Oct 28, 2021 · 2 comments · Fixed by #17221
Closed

(ec2): addIngressRule and addEgressRule detect unresolved tokens as duplicates #17201

peterwoodworth opened this issue Oct 28, 2021 · 2 comments · Fixed by #17221
Labels
@aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud bug This issue is a bug. effort/small Small work item – less than a day of effort p1

Comments

@peterwoodworth
Copy link
Contributor

peterwoodworth commented Oct 28, 2021
edited

What is the problem?

When passing in a token to the peer property of these functions, the renderPeer() function is called and will return a constant value '{IndirectPeer}'.

aws-cdk/packages/@aws-cdk/aws-ec2/lib/security-group.ts

Lines 174 to 193 in 5831456

function determineRuleScope(
group: SecurityGroupBase,
peer: IPeer,
connection: Port,
fromTo: 'from' | 'to',
remoteRule?: boolean): [SecurityGroupBase, string] {
if (remoteRule && SecurityGroupBase.isSecurityGroup(peer) && differentStacks(group, peer)) {
// Reversed
const reversedFromTo = fromTo === 'from' ? 'to' : 'from';
return [peer, `${group.uniqueId}:${connection} ${reversedFromTo}`];
} else {
// Regular (do old ID escaping to in order to not disturb existing deployments)
return [group, `${fromTo} ${renderPeer(peer)}:${connection}`.replace('/', '_')];
}
}
function renderPeer(peer: IPeer) {
return Token.isUnresolved(peer.uniqueId) ? '{IndirectPeer}' : peer.uniqueId;
}

If the other properties remain constant, calling this multiple times will cause only one rule to be added to the security group due to the duplicate checker seen here

aws-cdk/packages/@aws-cdk/aws-ec2/lib/security-group.ts

Lines 86 to 96 in 5831456

const [scope, id] = determineRuleScope(this, peer, connection, 'from', remoteRule);
// Skip duplicates
if (scope.node.tryFindChild(id) === undefined) {
new CfnSecurityGroupIngress(scope, id, {
groupId: this.securityGroupId,
...peer.toIngressRuleConfig(),
...connection.toRuleJson(),
description,
});
}

Reproduction Steps

Call addIngressRule() or addEgressRule() multiple times on a security group, while only changing the peer prop from one token to another token. Only one rule will be added

What did you expect to happen?

I was trying to add multiple ingress rules to a security group

What actually happened?

I only added one ingress rule to a security group

CDK CLI Version

latest

Framework Version

No response

Node.js Version

16

OS

mac

Language

Typescript

Language Version

No response

Other information

No response
@peterwoodworth peterwoodworth added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Oct 28, 2021
@github-actions github-actions bot added the @aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud label Oct 28, 2021
@peterwoodworth peterwoodworth added effort/small Small work item – less than a day of effort p1 and removed needs-triage This issue or PR still needs to be triaged. labels Oct 28, 2021
@peterwoodworth peterwoodworth mentioned this issue Oct 28, 2021
Closed
@njlynch
Copy link
Contributor

njlynch commented Oct 28, 2021

The first solution that comes to mind would be to maintain a lookup of the peer.uniqueId to renderPeer result. If it's the first unresolved Token we've seen, we return {IndirectPeer}. For each new unique Id, we add a counter (e.g., {IndirectPeer2}. This would maintain backwards compatibility for existing apps, but allow new scenarios with multiple unresolved tokens.

@njlynch njlynch removed their assignment Oct 28, 2021
@peterwoodworth peterwoodworth mentioned this issue Oct 28, 2021
Merged
@mergify mergify bot closed this as completed in #17221 Nov 2, 2021
mergify bot pushed a commit that referenced this issue Nov 2, 2021
@peterwoodworth
fix(ec2): functions addIngressRule and addEgressRule detect unresolve…
d4952c3 
…d tokens as duplicates (#17221)

fixes #17201 

The issue is when the same security group uses these functions, so I added a private counter to `SecurityGroupBase`. However, to modify this private counter, `determineRuleScope` and `renderPeer` need to be member functions. These originally weren't member functions for a reason, and that's because `SecurityGroup` also uses these functions.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions
Copy link

github-actions bot commented Nov 2, 2021

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

TikiTDO pushed a commit to TikiTDO/aws-cdk that referenced this issue Feb 21, 2022
@peterwoodworth @TikiTDO
fix(ec2): functions addIngressRule and addEgressRule detect unresolve…
d5287e4 
…d tokens as duplicates (aws#17221)

fixes aws#17201 

The issue is when the same security group uses these functions, so I added a private counter to `SecurityGroupBase`. However, to modify this private counter, `determineRuleScope` and `renderPeer` need to be member functions. These originally weren't member functions for a reason, and that's because `SecurityGroup` also uses these functions.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
@aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud bug This issue is a bug. effort/small Small work item – less than a day of effort p1
Projects
None yet
Milestone
No milestone
2 participants
@njlynch @peterwoodworth