(aws-ec2): securityGroupName returns id of sg and not name #13774

Closed
alexjfisher opened this issue Mar 24, 2021 · 2 comments · Fixed by #16116
Labels: @aws-cdk/aws-ec2, bug, effort/small, good first issue, p1

Comments

@alexjfisher

The securityGroupName property is documented as

An attribute that represents the security group name.

Unfortunately, it can return the ID of the security group, and not the name (depending on how the security group is created?).

Reproduction Steps

    const vpc = ec2.Vpc.fromLookup(this, 'VPC', {
      tags: { 'aws:cloudformation:stack-name': 'BaseStack' },
    });
    const sg = new ec2.SecurityGroup(this, 'sg', {
      vpc,
      securityGroupName: "my-security-group",
    });

    // SNIP //

    // Try to reference the securityGroupName later, eg. in a Fargate container's environment variables
    const container = fargateTaskDefinition.addContainer("my-container", {
      // SNIP //
      environment: {
        "AWS_SECURITY_GROUP": sg.securityGroupName,
      },
    });

What did you expect to happen?

I expected the AWS_SECURITY_GROUP environment variable passed to my Fargate task's container to contain the value my-security-group.

What actually happened?

It contained the security group ID (starting sg-).

Environment

  • CDK CLI Version : 1.94.1
  • Framework Version: ?
  • Node.js Version: v14.15.5
  • OS : CentOS 7
  • Language (Version): TypeScript

Other

Looking at the relevant part of the CloudFormation generated,

    {
      "Name": "AWS_SECURITY_GROUP",
      "Value": {
        "Ref": "sgDE989EBE"
      }
    }

and the implementation:

    this.securityGroupName = this.securityGroup.ref;

I think the issue is perhaps a CloudFormation limitation and related to me creating the security group with the vpc attribute.

From https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html

Ref:
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the resource ID. For security groups that were created without specifying a VPC (EC2-Classic or a default VPC), Ref returns the resource name.

P.S. I'm new to both CDK and TypeScript/JavaScript, so apologies if I've messed something up.


This is 🐛 Bug Report
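
Added example, not code from the issue or from aws-cdk: a TypeScript check over a synthesized CloudFormation template that lists every `Ref` pointing at an `AWS::EC2::SecurityGroup` and reports whether it resolves to the group ID or the group name, following the rule quoted above from the AWS documentation. The type and function names, the `TaskDef` logical ID and the VPC ID in the sample are assumptions made for the example.

```typescript
// Added example: minimal shapes of a synthesized CloudFormation template.
type Json = string | number | boolean | null | Json[] | { [key: string]: Json };
type Props = { [key: string]: Json };
interface Template { Resources: { [logicalId: string]: { Type: string; Properties?: Props } } }
interface Finding { path: string; logicalId: string; resolvesTo: "id" | "name"; groupName?: string }
const NO_PROPS: Props = {};

// Collect the path and target of every {"Ref": "<logicalId>"} node under `node`.
function collectRefs(node: Json, path: string, out: Array<[string, string]>): void {
  if (Array.isArray(node)) {
    node.forEach((child, i) => collectRefs(child, `${path}[${i}]`, out));
  } else if (node !== null && typeof node === "object") {
    const keys = Object.keys(node);
    const ref = node["Ref"];
    if (keys.length === 1 && typeof ref === "string") { out.push([path, ref]); return; }
    for (const key of keys) collectRefs(node[key] ?? null, `${path}.${key}`, out);
  }
}

// For each Ref that targets an AWS::EC2::SecurityGroup, report what Ref returns:
// the group ID when VpcId is set, the group name otherwise (per the quoted AWS docs).
function securityGroupRefs(template: Template): Finding[] {
  const findings: Finding[] = [];
  for (const [id, res] of Object.entries(template.Resources)) {
    const refs: Array<[string, string]> = [];
    collectRefs(res.Properties ?? NO_PROPS, id, refs);
    for (const [path, target] of refs) {
      const sg = template.Resources[target];
      if (sg === undefined || sg.Type !== "AWS::EC2::SecurityGroup") continue;
      const props = sg.Properties ?? NO_PROPS;
      const finding: Finding = { path, logicalId: target, resolvesTo: props["VpcId"] !== undefined ? "id" : "name" };
      const name = props["GroupName"];
      if (typeof name === "string") finding.groupName = name; // the name the author asked for
      findings.push(finding);
    }
  }
  return findings;
}

// Constructed sample modelled on the issue's fragment; the VPC id and "TaskDef" are made up.
const sampleTemplate: Template = {
  Resources: {
    sgDE989EBE: { Type: "AWS::EC2::SecurityGroup",
      Properties: { GroupName: "my-security-group", GroupDescription: "demo", VpcId: "vpc-00000000" } },
    TaskDef: { Type: "AWS::ECS::TaskDefinition",
      Properties: { ContainerDefinitions: [{ Name: "my-container",
        Environment: [{ Name: "AWS_SECURITY_GROUP", Value: { Ref: "sgDE989EBE" } }] }] } },
  },
};
```

Running `securityGroupRefs(sampleTemplate)` in a pipeline step after `cdk synth` flags the environment variable as receiving an ID while the template's `GroupName` is `my-security-group`.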

alexjfisher added the bug and needs-triage labels Mar 24, 2021
github-actions bot added the @aws-cdk/aws-ec2 label Mar 24, 2021
@rix0rrr
Contributor

rix0rrr commented Mar 30, 2021

You are completely correct.

In fact it seems like it's not possible to obtain a security group's name, so we should probably deprecate the accessor and make it throw.

rix0rrr added the effort/small, good first issue and p1 labels Mar 30, 2021
ryparker removed the needs-triage label Jun 1, 2021
rix0rrr assigned njlynch and unassigned rix0rrr Jun 3, 2021
mergify bot closed this as completed in #16116 Sep 21, 2021
mergify bot pushed a commit that referenced this issue Sep 21, 2021
The security group name accessor will (almost) always return the security group ID, rather than the name. This change deprecates the name accessor to make it clearer to users that this is not a supported use case.

fixes #13774

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
