ec2: InvalidPermission.NotFound: The specified rule does not exist in this security group when creating RestrictDefaultSecurityGroupCustomResource #26390
Comments
Hi @alehuo, I am able to reproduce this and got the mentioned resource diff, and the deployment also succeeded. Could you check your account settings to see if it's not an issue with the environment?

I am now testing if it is environment related. I'm getting the same diff as you.

Apparently, the default security group of the VPC has no inbound or outbound rules defined, and in our case AWS CDK assumes it does, and the deployment fails. What kind of rules does the default security group of your created VPC have?

Digging deeper into this issue: If I create a completely new VPC with Inbound: Allow all traffic The deployment of a new VPC also succeeded with I suspect that if the VPC's default security group did not have any inbound or outbound rules and later on we switch the
…ot present (#27039)

When using [restrictDefaultSecurityGroup](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2-readme.html#restricting-access-to-the-vpc-default-security-group) to remove default security group rules, an error is thrown and the deploy rolls back if the default rules are not found. This error usually happens when developers previously removed default rules manually or by other means, and then want to switch to using `restrictDefaultSecurityGroup`. They have to re-add default rules and deploy again to cope with the error. This PR fixes the custom resource to ignore the error when default rules are not found.

Closes #26390

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
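As an added illustration (not code from aws-cdk or from the PR above), this is how the revoke step of such a custom resource can treat a default rule that was already removed as success instead of rolling the stack back. The `Ec2Like` interface and `fakeEc2` are constructed stand-ins for the AWS SDK client, and reading the error code from both `err.code` (SDK v2) and `err.name` (SDK v3) is an assumption about the SDK's error shape.

```typescript
// Added example, not the CDK handler itself: the revoke step of a
// RestrictDefaultSecurityGroup-style custom resource that treats an
// already-missing rule as success. The EC2 client is injected (assumption).
export interface IpPermission {
  IpProtocol: string;
  IpRanges?: { CidrIp: string }[];
  UserIdGroupPairs?: { GroupId: string }[];
}
export interface Ec2Like {
  revokeSecurityGroupIngress(p: { GroupId: string; IpPermissions: IpPermission[] }): Promise<void>;
  revokeSecurityGroupEgress(p: { GroupId: string; IpPermissions: IpPermission[] }): Promise<void>;
}
// The rules AWS puts on a VPC's default security group: all traffic from the
// group itself inbound, all traffic to 0.0.0.0/0 outbound.
export const defaultIngress = (sg: string): IpPermission[] =>
  [{ IpProtocol: '-1', UserIdGroupPairs: [{ GroupId: sg }] }];
export const defaultEgress = (): IpPermission[] =>
  [{ IpProtocol: '-1', IpRanges: [{ CidrIp: '0.0.0.0/0' }] }];

// EC2's error code when the rule to revoke does not exist (quoted in the issue).
// SDK v2 carries it in `err.code`, SDK v3 in `err.name` (assumption: accept both).
export function isRuleNotFound(err: unknown): boolean {
  const e = err as { code?: string; name?: string } | undefined;
  return e?.code === 'InvalidPermission.NotFound' || e?.name === 'InvalidPermission.NotFound';
}
export type Outcome = 'revoked' | 'already-absent';

// A missing rule means the desired end state is already reached; any other
// error still fails the resource so a real IAM or API problem is not masked.
async function revokeTolerant(call: () => Promise<void>): Promise<Outcome> {
  try { await call(); return 'revoked'; }
  catch (err) { if (isRuleNotFound(err)) return 'already-absent'; throw err; }
}

export async function restrictDefaultSecurityGroup(ec2: Ec2Like, sg: string) {
  const ingress = await revokeTolerant(() =>
    ec2.revokeSecurityGroupIngress({ GroupId: sg, IpPermissions: defaultIngress(sg) }));
  const egress = await revokeTolerant(() =>
    ec2.revokeSecurityGroupEgress({ GroupId: sg, IpPermissions: defaultEgress() }));
  return { ingress, egress };
}

// Constructed fake client; `present` says which default rules still exist.
export function fakeEc2(present: { ingress: boolean; egress: boolean }): Ec2Like {
  const notFound = () => Object.assign(new Error('The specified rule does not exist'),
    { name: 'InvalidPermission.NotFound' });
  return {
    revokeSecurityGroupIngress: async () => { if (!present.ingress) throw notFound(); },
    revokeSecurityGroupEgress: async () => { if (!present.egress) throw notFound(); },
  };
}
```

Running `restrictDefaultSecurityGroup(fakeEc2({ ingress: true, egress: false }), 'sg-...')` reports the ingress rule as revoked and the egress rule as already absent, which is the situation the issue describes after a manual cleanup.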
Describe the bug

After updating `aws-cdk-lib` from 2.77.0 to 2.87.0 the following error occurs with the `@aws-cdk/aws-ec2:restrictDefaultSecurityGroup` feature flag set to `true`. We had the feature flag set to `true` prior to the update, and there were no errors regarding the deployment.

Expected Behavior

`cdk deploy` should complete with no `UPDATE_ROLLBACK_COMPLETE` errors on the CloudFormation stack.

Current Behavior

The stack deployment fails, because the creation of `RestrictDefaultSecurityGroupCustomResource` fails. The following error occurs:

Reproduction Steps

Use `aws-cdk-lib` version 2.77.0, set the feature flag `ec2:restrictDefaultSecurityGroup` to `true`. Create a new VPC and deploy it:

After deployment, upgrade `aws-cdk-lib` to 2.87.0 and run `cdk diff` - you should see a `RestrictDefaultSecurityGroupCustomResource` resource being created. At least in our case `aws-cdk-lib` version 2.87.0 wanted to create the custom resource. Run `cdk deploy` and you should get an error about `InvalidPermission.NotFound`.

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.87.0 (build 9fca790)

Framework Version

No response

Node.js Version

v16.18.1

OS

MacOS Ventura 13.4.1, ARM64

Language

Typescript

Language Version

TypeScript (5.1.6)

Other information

No response