fix(aws): fail instead of falling back to 0.0.0.0/0 for security group

[ArangoGutierrez]

Summary

• Remove dangerous 0.0.0.0/0 fallback when public IP detection fails
• Now returns a clear error asking user to set ingressCidr explicitly

Audit Finding

• Bump golang.org/x/net from 0.21.0 to 0.23.0 #34 (LOW): Security group 0.0.0.0/0 fallback in pkg/provider/aws/create.go

Changes

• pkg/provider/aws/create.go: Replace 0.0.0.0/0 fallback with error return

Test plan

• gofmt — no formatting issues
• go build — compiles
• go test ./pkg/... — all tests pass

[Copilot]

Pull request overview

This pull request aims to improve security by removing a dangerous fallback to 0.0.0.0/0 when public IP detection fails during AWS security group creation. Instead of silently falling back to allowing traffic from anywhere, the code now returns an error asking users to explicitly set ingressIpRanges.

Changes:

• Removed 0.0.0.0/0 fallback when public IP detection fails in AWS security group creation
• Changed from warning + fallback to immediate error return
• Updated comment to reflect that only auto-detected IP (not fallback) is added

[Copilot]

This change breaks a valid use case where users provide explicit ingressIpRanges. According to the documentation (docs/guides/ip-detection.md and docs/commands/create.md), when users provide ingressIpRanges, the detected IP should be added in addition to those ranges. However, if IP detection fails (e.g., due to corporate firewall or proxy), the code will now error out even when the user has provided valid ingressIpRanges.

The fix should only fail when BOTH conditions are true: (1) IP detection fails AND (2) ingressIpRanges is empty. Otherwise, the code should continue with the user-provided ranges.

Suggested logic:

• Try to detect public IP
• If detection succeeds, add it to ipRanges
• If detection fails AND len(p.Spec.IngressIpRanges) == 0, return error
• If detection fails BUT user provided ingressIpRanges, log a warning and continue

[Copilot]

The error message references "ingressCidr" but the actual field name in the API is "ingressIpRanges" (as seen in api/holodeck/v1alpha1/types.go line 108). This inconsistency could confuse users. The error message should use the correct field name from the API spec.

Suggested change

	return fmt.Errorf("could not detect public IP for security group (set ingressCidr explicitly): %w", err)
	return fmt.Errorf("could not detect public IP for security group (set ingressIpRanges explicitly): %w", err)

[Copilot]

Missing cancelLoading call before returning error. Following the codebase pattern (seen throughout this file and in pkg/provider/aws/cluster.go:222, pkg/provider/aws/nlb.go:68, etc.), errors that occur during a loading operation should call cancelLoading(logger.ErrLoadingFailed) before returning. The loading spinner was started at line 326 but is not properly cancelled when IP detection fails.

Suggested change

	if err != nil {
	if err != nil {
	cancelLoading(logger.ErrLoadingFailed)

[Copilot]

The PR description references "Audit Finding #34 (LOW)" suggesting a security audit, but the linked PR #34 is about bumping golang.org/x/net dependency, not a security audit of this code. This appears to be an error in the PR description - either the wrong issue/PR was referenced, or the audit finding number is incorrect.

[coveralls]

Pull Request Test Coverage Report for Build 21962394536

Details

• 5 of 6 (83.33%) changed or added relevant lines in 1 file are covered.
• 1 unchanged line in 1 file lost coverage.
• Overall coverage increased (+0.01%) to 47.511%

---

Changes Missing Coverage	Covered Lines	Changed/Added Lines	%
pkg/provider/aws/create.go	5	6	83.33%

Files with Coverage Reduction	New Missed Lines	%
pkg/provider/aws/create.go	1	88.42%

Totals
Change from base Build 21955389842:	0.01%
Covered Lines:	2501
Relevant Lines:	5264

---

💛 - Coveralls