Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(aws-ec2): restrictDefaultSecurityGroup does not remove IPv6 egress rule #29709

Open
jpickwell opened this issue Apr 3, 2024 · 3 comments
Open

(aws-ec2): restrictDefaultSecurityGroup does not remove IPv6 egress rule #29709

jpickwell opened this issue Apr 3, 2024 · 3 comments
Labels
@aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud bug This issue is a bug. effort/small Small work item – less than a day of effort p2

Comments

@jpickwell
Copy link

Describe the bug

Setting restrictDefaultSecurityGroup to true for a dual-stack VPC will not remove the IPv6 egress rule.

Expected Behavior

For a dual-stack VPC with restrictDefaultSecurityGroup set to true, all (IPv4 and IPv6) ingress and egress rules should be removed.

Current Behavior

For a dual-stack VPC with restrictDefaultSecurityGroup set to true, only IPv4 ingress and egress rules are removed.

Reproduction Steps

import * as cdk from 'aws-cdk-lib';
import * as ec2 from 'aws-cdk-lib/aws-ec2';

const app = new cdk.App();
const stack = new cdk.Stack(app, 'stack');

const vpc = new ec2.Vpc(stack, 'vpc', {
  ipAddresses: ec2.IpAddresses.cidr('10.0.0.0/24'),
  ipProtocol: ec2.IpProtocol.DUAL_STACK,
  restrictDefaultSecurityGroup: true,
});

app.synth();

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.135.0 (build d46c474)

Framework Version

No response

Node.js Version

v20.12.0

OS

macOS Sonoma 14.4.1 (23E224)

Language

TypeScript

Language Version

TypeScript (5.4.3)

Other information

No response
@jpickwell jpickwell added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Apr 3, 2024
@github-actions github-actions bot added the @aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud label Apr 3, 2024
@khushail khushail added investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed needs-triage This issue or PR still needs to be triaged. labels Apr 5, 2024
@khushail khushail self-assigned this Apr 5, 2024
@github-actions github-actions bot mentioned this issue Apr 8, 2024
Closed
@github-actions github-actions bot mentioned this issue May 1, 2024
Closed
@khushail khushail changed the title (ec2): restrictDefaultSecurityGroup does not remove IPv6 egress rule (aws-ec2): restrictDefaultSecurityGroup does not remove IPv6 egress rule May 2, 2024
@nmussy
Copy link
Contributor

nmussy commented May 4, 2024

Regardless of the DUAL_STACK prop, we could always include both 0.0.0.0/0 and ::/0 here, correct?

aws-cdk/packages/@aws-cdk/custom-resource-handlers/lib/aws-ec2/restrict-default-security-group-handler/index.ts

Lines 27 to 37 in fff9cf6

function egressRuleParams(groupId: string): sdk.RevokeSecurityGroupEgressCommandInput | sdk.AuthorizeSecurityGroupEgressCommandInput {
return {
GroupId: groupId,
IpPermissions: [{
IpRanges: [{
CidrIp: '0.0.0.0/0',
}],
IpProtocol: '-1',
}],
};
}

@khushail khushail added p2 effort/small Small work item – less than a day of effort labels May 8, 2024
@mwebber
Copy link

mwebber commented Jun 11, 2024

I have also observed this.
The feature was originally introduced in #25297, with a subsequent fix applied in #27039.

@nmussy

Regardless of the DUAL_STACK prop, we could always include both 0.0.0.0/0 and ::/0 here, correct?

I think that routine needs to do 2 things:

  • remove the rules from the default when @aws-cdk/aws-ec2:restrictDefaultSecurityGroup feature flag changed to true
  • restore the rules from the default when @aws-cdk/aws-ec2:restrictDefaultSecurityGroup feature flag changed to false

In the second case there, if it's not dual stack, then it should not add ::/0 back in, I guess.

@mwebber mwebber mentioned this issue Jun 11, 2024
Closed
2 tasks
@khushail khushail removed the investigating This issue is being investigated and/or work is in progress to resolve the issue. label Jun 17, 2024
@khushail khushail removed their assignment Jun 17, 2024
@khushail
Copy link
Contributor

khushail commented Oct 23, 2024
edited
Loading

Apologies for the delay in getting back.

Thanks @mwebber for sharing your insights and linking the PRs- #25297 ,#27039

I would reach out to team to share their insights on the changes implemented through PRs and current issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
@aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud bug This issue is a bug. effort/small Small work item – less than a day of effort p2
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@mwebber @nmussy @jpickwell @khushail