New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(ec2): Invalid security group ID #22859
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
Seems the robot overlords are unimpressed by this PR with no changes to tests 😞 Hoping that a human will be reading this, I will attempt to defend myself: I did read the contribution guidelines and saw that a fix type PR "requires tests in principle, but can be suppressed". I believe the change I am proposing here is small enough, involving only a string literal dummy value. I hope you agree 🙏 |
9250950
to
ca08e78
Compare
My initial attempt at this fix broke four existing tests. I have just now force pushed an updated version of my commit that should make the four tests pass again 🤞 However, it seems to me that these particular tests are really misleading. As far as I can tell, none of these go past the construction phase, so the lookup won't actually happen, and the asserts are all happening against the dummy value. I am not exactly sure to do from here. Assuming the tests pass after my recent changes, I believe this PR will fix an actual bug, which is causing me some issues in the application I am working on currently. At the same time, I understand if you would prefer to see the tests improved before wrapping this up. Let me know what you think. |
Looks like they don't 😢
I'd like to see an integration test for your particular example code. At the moment the tests only really cover that you have changed the dummy value. |
I don't think it'll be possible to write an integ test for this. Integ tests generally don't cover dummy values... |
Good point. I still think we should at least have a test that asserts that the example code does not throw (which it currently does):
|
ca08e78
to
aa2a96e
Compare
Sorry about those failing unit tests. I should have known attempting to cowboy in three characters without taking the time to get a local build environment in place to run all of the tests would lead to suffering I've amended my commit yet again to adjust the dummy value across another two tests. As for integration tests, I was thinking if something along these lines might do the trick:
In code, it would look something like this (though I still haven't managed to build/test it locally): import * as cdk from '@aws-cdk/core';
import * as ec2 from '../lib';
const appWithVpc = new cdk.App();
const stackWithVpc = new cdk.Stack(appWithVpc, 'StackWithVpc');
const vpc = new ec2.Vpc(stackWithVpc, 'MyVpc', {
vpcName: 'my-vpc-name',
});
new ec2.SecurityGroup(stackWithVpc, 'SgToLookup', {
securityGroupName: 'sg-to-lookup',
vpc
});
const appUnderTest = new cdk.App();
const stackUnderTest = new cdk.Stack(appUnderTest, 'StackUnderTest');
const vpcFromLookup = ec2.Vpc.fromLookup(stackUnderTest, 'VpcFromLookup', {
vpcName: 'my-vpc-name',
});
const sgLookedUp = ec2.SecurityGroup.fromLookupByName(
stackUnderTest,
'SgLookedUp',
'sg-to-lookup',
vpcFromLookup
);
const newSg = new ec2.SecurityGroup(appUnderTest, 'NewSg', {
vpc: vpcFromLookup,
});
newSg.addIngressRule(
ec2.Peer.securityGroupId(sgLookedUp.securityGroupId),
ec2.Port.allTcp()
);
appWithVpc.synth();
appUnderTest.synth(); |
@schourode that test would certainly be possible. We're doing something similar here: https://github.com/aws/aws-cdk/blob/main/packages/@aws-cdk/aws-ssm/test/integ.parameter-store-string.ts But like Rico pointed out, there's maybe not much point to an integration test. Maybe a simple unit test with your example code would be sufficient and easier? Your choice. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1 for a unit test that confirms the code that used to throw no longer throws.
This PR has been in the CHANGES REQUESTED state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week. |
When using any of the static methods `fromLookup`, `fromLookupById`, `fromLookupByName` the context provider responsible for doing the lookup will be provided with dummy values: ``` { securityGroupId: 'sg-12345678', allowAllOutbound: true, } ``` These values will apply during the construction phase. The actual lookup happens at a later stage. Unfortunately, the dummy value for `securityGroupId` is invalid – at least according to the input validation defined in the `peer` module: https://github.com/aws/aws-cdk/blob/9d1b2c7b1f0147089f912c32a61d7ba86edb543c/packages/@aws-cdk/aws-ec2/lib/peer.ts#L224 This means that any attempt to reference an existing security group retrieved through `fromLookup…()` as a peer causes an exception to be thrown during the construction phase (before CDK even attempts to perform the lookup). Example code: ``` const sg = ec2.SecurityGroup.fromLookupByName(this, "Group", "group-name", vpc); const peer = ec2.Peer.securityGroupId(sg.securityGroupId); ``` Example output: ``` $ cdk synth > Error: Invalid security group ID: "sg-12345" > at new SecurityGroupId (/Users/jsc/code/trustpilot/appmesh-demo/node_modules/aws-cdk-lib/aws-ec2/lib/peer.js:1:2617) > at Function.securityGroupId (/Users/jsc/code/trustpilot/appmesh-demo/node_modules/aws-cdk-lib/aws-ec2/lib/peer.js:1:549) ``` Changing the dummy value to match the expected pattern will allow the construction phase to complete, the lookup will come into play, and the synth will complete without errors and with the actual ID of the referenced security group rendered in the resulting CloudFormation template.
aa2a96e
to
910a40f
Compare
@rix0rrr @mrgrain I have added a unit test asserting that The CI linter is still unhappy that my PR is not adding any new integration test. Is that something you are able to overrule (assuming you are happy with the unit test of course)? |
@schourode looks great now, thank you! I'll take it from here |
✅ Updated pull request passes all PRLinter validations. Dissmissing previous PRLinter review.
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
When using any of the static methods `fromLookup`, `fromLookupById`, `fromLookupByName` the context provider responsible for doing the lookup will be provided with dummy values: ``` { securityGroupId: 'sg-12345', allowAllOutbound: true, } ``` These values will apply during the construction phase. The actual lookup happens at a later stage. Unfortunately, the dummy value for `securityGroupId` is invalid – at least according to the input validation defined in the `peer` module: https://github.com/aws/aws-cdk/blob/9d1b2c7b1f0147089f912c32a61d7ba86edb543c/packages/@aws-cdk/aws-ec2/lib/peer.ts#L224 This means that any attempt to reference an existing security group retrieved through `fromLookup…()` as a peer causes an exception to be thrown during the construction phase (before CDK even attempts to perform the lookup). Example code: ``` const sg = ec2.SecurityGroup.fromLookupByName(this, "Group", "group-name", vpc); const peer = ec2.Peer.securityGroupId(sg.securityGroupId); ``` Example output: ``` $ cdk synth > Error: Invalid security group ID: "sg-12345" > at new SecurityGroupId (/Users/jsc/code/trustpilot/appmesh-demo/node_modules/aws-cdk-lib/aws-ec2/lib/peer.js:1:2617) > at Function.securityGroupId (/Users/jsc/code/trustpilot/appmesh-demo/node_modules/aws-cdk-lib/aws-ec2/lib/peer.js:1:549) ``` Changing the dummy value to match the expected pattern will allow the construction phase to complete, the lookup will come into play, and the synth will complete without errors and with the actual ID of the referenced security group rendered in the resulting CloudFormation template. ---- ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
When using any of the static methods `fromLookup`, `fromLookupById`, `fromLookupByName` the context provider responsible for doing the lookup will be provided with dummy values: ``` { securityGroupId: 'sg-12345', allowAllOutbound: true, } ``` These values will apply during the construction phase. The actual lookup happens at a later stage. Unfortunately, the dummy value for `securityGroupId` is invalid – at least according to the input validation defined in the `peer` module: https://github.com/aws/aws-cdk/blob/9d1b2c7b1f0147089f912c32a61d7ba86edb543c/packages/@aws-cdk/aws-ec2/lib/peer.ts#L224 This means that any attempt to reference an existing security group retrieved through `fromLookup…()` as a peer causes an exception to be thrown during the construction phase (before CDK even attempts to perform the lookup). Example code: ``` const sg = ec2.SecurityGroup.fromLookupByName(this, "Group", "group-name", vpc); const peer = ec2.Peer.securityGroupId(sg.securityGroupId); ``` Example output: ``` $ cdk synth > Error: Invalid security group ID: "sg-12345" > at new SecurityGroupId (/Users/jsc/code/trustpilot/appmesh-demo/node_modules/aws-cdk-lib/aws-ec2/lib/peer.js:1:2617) > at Function.securityGroupId (/Users/jsc/code/trustpilot/appmesh-demo/node_modules/aws-cdk-lib/aws-ec2/lib/peer.js:1:549) ``` Changing the dummy value to match the expected pattern will allow the construction phase to complete, the lookup will come into play, and the synth will complete without errors and with the actual ID of the referenced security group rendered in the resulting CloudFormation template. ---- ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
When using any of the static methods `fromLookup`, `fromLookupById`, `fromLookupByName` the context provider responsible for doing the lookup will be provided with dummy values: ``` { securityGroupId: 'sg-12345', allowAllOutbound: true, } ``` These values will apply during the construction phase. The actual lookup happens at a later stage. Unfortunately, the dummy value for `securityGroupId` is invalid – at least according to the input validation defined in the `peer` module: https://github.com/aws/aws-cdk/blob/9d1b2c7b1f0147089f912c32a61d7ba86edb543c/packages/@aws-cdk/aws-ec2/lib/peer.ts#L224 This means that any attempt to reference an existing security group retrieved through `fromLookup…()` as a peer causes an exception to be thrown during the construction phase (before CDK even attempts to perform the lookup). Example code: ``` const sg = ec2.SecurityGroup.fromLookupByName(this, "Group", "group-name", vpc); const peer = ec2.Peer.securityGroupId(sg.securityGroupId); ``` Example output: ``` $ cdk synth > Error: Invalid security group ID: "sg-12345" > at new SecurityGroupId (/Users/jsc/code/trustpilot/appmesh-demo/node_modules/aws-cdk-lib/aws-ec2/lib/peer.js:1:2617) > at Function.securityGroupId (/Users/jsc/code/trustpilot/appmesh-demo/node_modules/aws-cdk-lib/aws-ec2/lib/peer.js:1:549) ``` Changing the dummy value to match the expected pattern will allow the construction phase to complete, the lookup will come into play, and the synth will complete without errors and with the actual ID of the referenced security group rendered in the resulting CloudFormation template. ---- ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
When using any of the static methods
fromLookup
,fromLookupById
,fromLookupByName
the context provider responsible for doing the lookup will be provided with dummy values:These values will apply during the construction phase. The actual lookup happens at a later stage.
Unfortunately, the dummy value for
securityGroupId
is invalid – at least according to the input validation defined in thepeer
module:aws-cdk/packages/@aws-cdk/aws-ec2/lib/peer.ts
Line 224 in 9d1b2c7
This means that any attempt to reference an existing security group retrieved through
fromLookup…()
as a peer causes an exception to be thrown during the construction phase (before CDK even attempts to perform the lookup).Example code:
Example output:
Changing the dummy value to match the expected pattern will allow the construction phase to complete, the lookup will come into play, and the synth will complete without errors and with the actual ID of the referenced security group rendered in the resulting CloudFormation template.
All Submissions:
Adding new Unconventional Dependencies:
New Features
yarn integ
to deploy the infrastructure and generate the snapshot (i.e.yarn integ
without--dry-run
)?By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license