✨ Remove ingress and egress rules from vpc default security group #4707
|  | @@ -35,6 +35,7 @@ import ( | |
|  | ||
| infrav1 "sigs.k8s.io/cluster-api-provider-aws/v2/api/v1beta2" | ||
| "sigs.k8s.io/cluster-api-provider-aws/v2/pkg/cloud/awserrors" | ||
| "sigs.k8s.io/cluster-api-provider-aws/v2/pkg/cloud/filter" | ||
| "sigs.k8s.io/cluster-api-provider-aws/v2/pkg/cloud/scope" | ||
| "sigs.k8s.io/cluster-api-provider-aws/v2/pkg/cloud/services" | ||
| "sigs.k8s.io/cluster-api-provider-aws/v2/test/mocks" | ||
|  | @@ -74,6 +75,7 @@ func TestReconcileSecurityGroups(t *testing.T) { | |
| Tags: infrav1.Tags{ | ||
| infrav1.ClusterTagKey("test-cluster"): "owned", | ||
| }, | ||
| EmptyRoutesDefaultVPCSecurityGroup: true, | ||
| }, | ||
| Subnets: infrav1.Subnets{ | ||
| infrav1.SubnetSpec{ | ||
|  | @@ -90,6 +92,29 @@ func TestReconcileSecurityGroups(t *testing.T) { | |
| }, | ||
| }, | ||
| expect: func(m *mocks.MockEC2APIMockRecorder) { | ||
| There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. We should also have a test for reconciliation if the rules are already gone – in that case, no requests apart from  There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Added a test case to cover that. | ||
| m.DescribeSecurityGroupsWithContext(context.TODO(), &ec2.DescribeSecurityGroupsInput{ | ||
| Filters: []*ec2.Filter{ | ||
| filter.EC2.VPC("vpc-securitygroups"), | ||
| filter.EC2.SecurityGroupName("default"), | ||
| }, | ||
| }). | ||
| Return(&ec2.DescribeSecurityGroupsOutput{ | ||
| SecurityGroups: []*ec2.SecurityGroup{ | ||
| { | ||
| Description: aws.String("default VPC security group"), | ||
| GroupName: aws.String("default"), | ||
| GroupId: aws.String("sg-default"), | ||
| }, | ||
| }, | ||
| }, nil) | ||
| m.RevokeSecurityGroupIngressWithContext(context.TODO(), gomock.AssignableToTypeOf(&ec2.RevokeSecurityGroupIngressInput{ | ||
| GroupId: aws.String("sg-default"), | ||
| })) | ||
|  | ||
| m.RevokeSecurityGroupEgressWithContext(context.TODO(), gomock.AssignableToTypeOf(&ec2.RevokeSecurityGroupEgressInput{ | ||
| GroupId: aws.String("sg-default"), | ||
| })) | ||
|  | ||
| m.DescribeSecurityGroupsWithContext(context.TODO(), gomock.AssignableToTypeOf(&ec2.DescribeSecurityGroupsInput{})). | ||
| Return(&ec2.DescribeSecurityGroupsOutput{}, nil) | ||
|  | ||
|  | @@ -735,6 +760,73 @@ func TestReconcileSecurityGroups(t *testing.T) { | |
| }, | ||
| err: errors.New(`security group overrides provided for managed vpc "test-cluster"`), | ||
| }, | ||
| { | ||
| name: "when VPC default security group has no rules then no errors are returned", | ||
| awsCluster: func(acl infrav1.AWSCluster) infrav1.AWSCluster { | ||
| return acl | ||
| }, | ||
| input: &infrav1.NetworkSpec{ | ||
| VPC: infrav1.VPCSpec{ | ||
| ID: "vpc-securitygroups", | ||
| InternetGatewayID: aws.String("igw-01"), | ||
| Tags: infrav1.Tags{ | ||
| infrav1.ClusterTagKey("test-cluster"): "owned", | ||
| }, | ||
| EmptyRoutesDefaultVPCSecurityGroup: true, | ||
| }, | ||
| Subnets: infrav1.Subnets{ | ||
| infrav1.SubnetSpec{ | ||
| ID: "subnet-securitygroups-private", | ||
| IsPublic: false, | ||
| AvailabilityZone: "us-east-1a", | ||
| }, | ||
| infrav1.SubnetSpec{ | ||
| ID: "subnet-securitygroups-public", | ||
| IsPublic: true, | ||
| NatGatewayID: aws.String("nat-01"), | ||
| AvailabilityZone: "us-east-1a", | ||
| }, | ||
| }, | ||
| }, | ||
| expect: func(m *mocks.MockEC2APIMockRecorder) { | ||
| m.DescribeSecurityGroupsWithContext(context.TODO(), &ec2.DescribeSecurityGroupsInput{ | ||
| Filters: []*ec2.Filter{ | ||
| filter.EC2.VPC("vpc-securitygroups"), | ||
| filter.EC2.SecurityGroupName("default"), | ||
| }, | ||
| }). | ||
| Return(&ec2.DescribeSecurityGroupsOutput{ | ||
| SecurityGroups: []*ec2.SecurityGroup{ | ||
| { | ||
| Description: aws.String("default VPC security group"), | ||
| GroupName: aws.String("default"), | ||
| GroupId: aws.String("sg-default"), | ||
| }, | ||
| }, | ||
| }, nil) | ||
|  | ||
| m.RevokeSecurityGroupIngressWithContext(context.TODO(), gomock.AssignableToTypeOf(&ec2.RevokeSecurityGroupIngressInput{ | ||
| GroupId: aws.String("sg-default"), | ||
| })).Return(&ec2.RevokeSecurityGroupIngressOutput{}, awserr.New("InvalidPermission.NotFound", "rules not found in security group", nil)) | ||
|  | ||
| m.RevokeSecurityGroupEgressWithContext(context.TODO(), gomock.AssignableToTypeOf(&ec2.RevokeSecurityGroupEgressInput{ | ||
| GroupId: aws.String("sg-default"), | ||
| })).Return(&ec2.RevokeSecurityGroupEgressOutput{}, awserr.New("InvalidPermission.NotFound", "rules not found in security group", nil)) | ||
|  | ||
| m.DescribeSecurityGroupsWithContext(context.TODO(), &ec2.DescribeSecurityGroupsInput{ | ||
| Filters: []*ec2.Filter{ | ||
| filter.EC2.VPC("vpc-securitygroups"), | ||
| filter.EC2.Cluster("test-cluster"), | ||
| }, | ||
| }).Return(&ec2.DescribeSecurityGroupsOutput{}, nil) | ||
|  | ||
| m.CreateSecurityGroupWithContext(context.TODO(), gomock.AssignableToTypeOf(&ec2.CreateSecurityGroupInput{})). | ||
| Return(&ec2.CreateSecurityGroupOutput{GroupId: aws.String("sg-node")}, nil).AnyTimes() | ||
|  | ||
| m.AuthorizeSecurityGroupIngressWithContext(context.TODO(), gomock.AssignableToTypeOf(&ec2.AuthorizeSecurityGroupIngressInput{})). | ||
| Return(&ec2.AuthorizeSecurityGroupIngressOutput{}, nil).AnyTimes() | ||
| }, | ||
| }, | ||
| } | ||
|  | ||
| for _, tc := range testCases { | ||
|  | ||
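Review bot: The `gomock.AssignableToTypeOf(&ec2.RevokeSecurityGroupIngressInput{GroupId: aws.String("sg-default")})` matchers (lines 57, 61, 117 and 121) match on type alone, so the `GroupId` written into them is never compared and both test cases would still pass if the reconciler revoked rules on some other group. Since the whole point of `EmptyRoutesDefaultVPCSecurityGroup` is to strip rules from exactly the default group, the expectation should pin the group id, either with `gomock.Eq` on the full input if the `IpPermissions` the reconciler sends are deterministic (not visible from this hunk), or with a small custom matcher as sketched below. The same matcher can also replace `gomock.AssignableToTypeOf(&ec2.DescribeSecurityGroupsInput{})` on line 65 if that call is meant to be the cluster-filtered lookup that line 125 spells out explicitly. `TestReconcileSecurityGroups` continues outside the hunk.
```go
// revokeOnGroup matches Revoke*Input values that target the expected group id.
type revokeOnGroup struct{ groupID string }

func (r revokeOnGroup) Matches(x any) bool {
	switch in := x.(type) {
	case *ec2.RevokeSecurityGroupIngressInput:
		return aws.StringValue(in.GroupId) == r.groupID
	case *ec2.RevokeSecurityGroupEgressInput:
		return aws.StringValue(in.GroupId) == r.groupID
	}
	return false
}

func (r revokeOnGroup) String() string { return "revoke request for group " + r.groupID }

// … unchanged: DescribeSecurityGroups expectation …
m.RevokeSecurityGroupIngressWithContext(context.TODO(), revokeOnGroup{"sg-default"})
m.RevokeSecurityGroupEgressWithContext(context.TODO(), revokeOnGroup{"sg-default"})
```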
This was already done on line 75