[Bug] Fix is_subnet_public to use main route table for subnets without explicit association (#7174)

almightychang · himani2411 · web-flow · commit f08eb02774cc · 2026-01-05T11:48:02.000-05:00
* [Bug] Fix is_subnet_public to use main route table for subnets without explicit association When a subnet has no explicit route table association, it uses the VPC's main route table. The previous implementation incorrectly used route_tables[0] which may not be the main route table, causing public subnets to be incorrectly identified as private. This fix explicitly finds the main route table by checking the "Main" flag in route table associations. If no main route table is found (which should not happen in a valid VPC), an exception is raised with a helpful message. Fixes #7173 * Use API filter association.main instead of Python filtering Refactor is_subnet_public to use AWS API filter 'association.main=true' to fetch only the main route table, instead of fetching all route tables and filtering in Python. This is more efficient and cleaner. Update test mocks to match the new API filter parameters. * Refactor main route table tests to use pytest.mark.parametrize Combine test_is_subnet_public_with_main_route_table and test_is_subnet_public_main_route_table_no_igw into a single parameterized test for better maintainability. --------- Co-authored-by: Himani Anil Deshpande <79726937+himani2411@users.noreply.github.com>
diff --git a/cli/src/pcluster/aws/ec2.py b/cli/src/pcluster/aws/ec2.py
@@ -568,7 +568,9 @@ def is_subnet_public(self, subnet_id):
                 raise Exception(f"No subnet found with ID {subnet_id}")
             vpc_id = subnets[0].get("VpcId")
 
-            route_tables = self.describe_route_tables(filters=[{"Name": "vpc-id", "Values": [vpc_id]}])
+            route_tables = self.describe_route_tables(
+                filters=[{"Name": "vpc-id", "Values": [vpc_id]}, {"Name": "association.main", "Values": ["true"]}]
+            )
             if not route_tables:
                 raise Exception("No route tables found. The subnet or VPC configuration may be incorrect.")
 
diff --git a/cli/tests/pcluster/aws/test_ec2.py b/cli/tests/pcluster/aws/test_ec2.py
@@ -679,6 +679,35 @@ def get_describe_route_tables_mocked_request(subnet_id, gateway_id):
     )
 
 
+def get_describe_route_tables_empty_mocked_request(subnet_id):
+    return MockedBoto3Request(
+        method="describe_route_tables",
+        response={"RouteTables": []},
+        expected_params={"Filters": [{"Name": "association.subnet-id", "Values": [subnet_id]}]},
+    )
+
+
+def get_describe_route_tables_by_vpc_mocked_request(vpc_id, route_tables):
+    return MockedBoto3Request(
+        method="describe_route_tables",
+        response={"RouteTables": route_tables},
+        expected_params={
+            "Filters": [
+                {"Name": "vpc-id", "Values": [vpc_id]},
+                {"Name": "association.main", "Values": ["true"]},
+            ]
+        },
+    )
+
+
+def get_describe_subnets_for_vpc_mocked_request(subnet_id, vpc_id):
+    return MockedBoto3Request(
+        method="describe_subnets",
+        response={"Subnets": [{"SubnetId": subnet_id, "VpcId": vpc_id}]},
+        expected_params={"SubnetIds": [subnet_id]},
+    )
+
+
 def test_is_subnet_public(boto3_stubber):
     # First boto3 call. The subnet should be private
     subnet_id = "subnet-12345678"
@@ -698,3 +727,45 @@ def test_is_subnet_public(boto3_stubber):
 
     # Third boto3 call. The result should be from the latest response even if the gateway id of the subnet is different
     assert AWSApi.instance().ec2.is_subnet_public(subnet_id) is True
+
+
+@pytest.mark.parametrize(
+    "subnet_id, routes, expected_result",
+    [
+        pytest.param(
+            "subnet-no-explicit-assoc",
+            [
+                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
+                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-12345678"},
+            ],
+            True,
+            id="main route table with igw",
+        ),
+        pytest.param(
+            "subnet-private",
+            [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
+            False,
+            id="main route table without igw",
+        ),
+    ],
+)
+def test_is_subnet_public_with_main_route_table(boto3_stubber, subnet_id, routes, expected_result):
+    # Test when subnet has no explicit route table association (uses main route table)
+    vpc_id = "vpc-12345678"
+
+    route_tables = [
+        {
+            "RouteTableId": "rtb-main",
+            "Associations": [{"Main": True}],
+            "Routes": routes,
+        },
+    ]
+
+    mocked_requests = [
+        get_describe_route_tables_empty_mocked_request(subnet_id),
+        get_describe_subnets_for_vpc_mocked_request(subnet_id, vpc_id),
+        get_describe_route_tables_by_vpc_mocked_request(vpc_id, route_tables),
+    ]
+    boto3_stubber("ec2", mocked_requests)
+
+    assert AWSApi.instance().ec2.is_subnet_public(subnet_id) is expected_result
