Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(ec2): NAT provider's default outbound rules cannot be disabled #12674

Merged
merged 11 commits into from
Mar 4, 2021
Merged

fix(ec2): NAT provider's default outbound rules cannot be disabled #12674

merged 11 commits into from
Mar 4, 2021

Conversation

hedrall
Copy link
Contributor

@hedrall hedrall commented Jan 23, 2021
edited by rix0rrr
Loading

allowAllTraffic only applies to inbound traffic, but it should also apply to outbound traffic.

Deprecate it and add a new enum-based property, defaultAllowedTraffic, which also allows controlling outbound traffic rules. There is no option to allow inbound but not outbound because there is no use case for that.

Fix #12673

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@gitpod-io
Copy link

gitpod-io bot commented Jan 23, 2021
edited
Loading

@github-actions github-actions bot added the @aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud label Jan 23, 2021
rix0rrr
rix0rrr previously requested changes Jan 26, 2021
View reviewed changes
Copy link
Contributor

@rix0rrr rix0rrr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Needs a test.

@mergify mergify bot dismissed rix0rrr’s stale review February 13, 2021 04:48

Pull request has been modified.

@hedrall
Copy link
Contributor Author

hedrall commented Feb 13, 2021

@rix0rrr
Sorry for the delay.
I have added the test and hope you will check it out.

@hedrall hedrall force-pushed the aws-ec2-allow-all-outbound-false branch from 67d768e to a4eb4b8 Compare February 16, 2021 00:25
@hedrall hedrall force-pushed the aws-ec2-allow-all-outbound-false branch from a4eb4b8 to 12b39a6 Compare February 16, 2021 00:49
@hedrall hedrall requested a review from rix0rrr February 17, 2021 21:40
rix0rrr
rix0rrr previously requested changes Feb 25, 2021
View reviewed changes
Copy link
Contributor

@rix0rrr rix0rrr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You know what, I'm sorry.

I did not parse this PR properly the last time I looked at it because the PR body was very sparse. I'd like a PR body to explain the problem and the solution properly so that it can be read and understood in isolation. For example, I'd like the PR body to have read:

allowAllTraffic only applies to inbound traffic, but it should also apply to outbound traffic. Change it so allowAllTraffic: false disables all outbound traffic as well

This concisely describes the proposed change, and also writing it all out makes it immediately clear that this change will be BREAKING for everyone currently using allowAllTraffic: false but not having created outbound rules (because with the current code they wouldn't have had to). It is therefore also clear that it is not safe to change the meaning of this flag.

I will agree with you that the flag is ill-named, and SHOULD do what you propose it does based on its name... but it does not currently do that and changing it is not safe.

I would therefore propose a better change is the following:

  • Add new (optional) flags allowAllInbound/allowAllOutbound, defaults to true. Make these control the inbound/outbound behavior.
  • Deprecate allowAllTraffic, and say it has been replaced with allowAllInbound. If it has been supplied it should be treated as if allowAllInbound has been specified.

Whether or not there should be a new flag which controls both allowAllInbound and allowAllOutbound is a different question. That's one of ergonomics, which we can tackle later.

Another alternative deprecation-plus-replacement I could see is something like:

defaultAllowAll: Traffic.OUTBOUND_ONLY,
defaultAllowAll: Traffic.INBOUND_AND_OUTBOUND,
defaultAllowAll: Traffic.NONE,

Or similar, so we don't have to have 2 boolean flags.

Whatever we choose, it's going to have to involve a new parameter as the change cannot be breaking existing infrastructure.

@mergify mergify bot dismissed rix0rrr’s stale review February 25, 2021 21:47

Pull request has been modified.

@hedrall
Copy link
Contributor Author

hedrall commented Feb 25, 2021

@rix0rrr
Thank you for your review.
I'm sorry that I didn't take many things into consideration.

I tried to fix it using enum like class, but is this the right way to do the part you mentioned?

@hedrall hedrall requested a review from rix0rrr February 25, 2021 23:53
@rix0rrr rix0rrr changed the title fix(aws-ec2): if allowAllTraffic prop of NatProvider is false, make a… fix(ec2): NAT provider's default outbound rules cannot be disabled Mar 3, 2021
rix0rrr
rix0rrr previously approved these changes Mar 3, 2021
View reviewed changes
@mergify mergify bot dismissed rix0rrr’s stale review March 3, 2021 21:23

Pull request has been modified.

@mergify
Copy link
Contributor

mergify bot commented Mar 4, 2021

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject89A8053A-LhjRyN9kxr8o
  • Commit ID: c168e1c
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify
Copy link
Contributor

mergify bot commented Mar 4, 2021

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit 664133a into aws:master Mar 4, 2021
cornerwings pushed a commit to cornerwings/aws-cdk that referenced this pull request Mar 8, 2021
@hedrall @cornerwings
fix(ec2): NAT provider's default outbound rules cannot be disabled (a…
53d5802 
…ws#12674)

`allowAllTraffic` only applies to inbound traffic, but it should also apply to outbound traffic. 

Deprecate it and add a new enum-based property, `defaultAllowedTraffic`, which also allows controlling outbound traffic rules. There is no option to allow inbound but not outbound because there is no use case for that.

Fix aws#12673

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rix0rrr rix0rrr rix0rrr approved these changes

Assignees

@rix0rrr rix0rrr

Labels
@aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

(ec2): allowAllOutbound on default security group should mimic allowAllTraffic on NAT instance
3 participants
@hedrall @aws-cdk-automation @rix0rrr