Added the Reproduction Steps using the Visual Studio Tool
@as14692 Good afternoon. Apologies for the delay. I reviewed this issue today with the team. For your use case, the security group selected during the deployment process is the one used here to configure the Beanstalk environment. If you look at the generated template, we are not adding any default/new security group.
I tested the scenario using the reproduction steps you provided. Here is the CloudFormation template generated in the configured CDK bootstrap environment bucket.
{
"Description": "AWSDotnetDeployCDKStack",
"Metadata": {
"aws-dotnet-deploy-settings": "{\"ApplicationIAMRole\":{\"CreateNew\":true,\"RoleArn\":null},\"ServiceIAMRole\":{\"CreateNew\":true,\"RoleArn\":null},\"EnvironmentType\":\"SingleInstance\",\"InstanceType\":\"\",\"BeanstalkEnvironment\":{\"EnvironmentName\":\"TestAspNetCoreApp-dev\"},\"BeanstalkApplication\":{\"CreateNew\":true,\"ApplicationName\":\"TestAspNetCoreApp\",\"ExistingApplicationName\":null},\"ElasticBeanstalkPlatformArn\":\"arn:aws:elasticbeanstalk:us-east-2::platform/.NET Core running on 64bit Amazon Linux 2/2.5.4\",\"LoadBalancerType\":\"application\",\"EC2KeyPair\":\"\",\"ElasticBeanstalkManagedPlatformUpdates\":{\"ManagedActionsEnabled\":true,\"PreferredStartTime\":\"Sun:00:00\",\"UpdateLevel\":\"minor\"},\"XRayTracingSupportEnabled\":false,\"ReverseProxy\":\"nginx\",\"EnhancedHealthReporting\":\"enhanced\",\"HealthCheckURL\":\"/\",\"ElasticBeanstalkRollingUpdates\":{\"RollingUpdatesEnabled\":false,\"RollingUpdateType\":\"Time\",\"MaxBatchSize\":null,\"MinInstancesInService\":null,\"PauseTime\":null,\"Timeout\":\"PT30M\"},\"CNamePrefix\":\"\",\"ElasticBeanstalkEnvironmentVariables\":{},\"VPC\":{\"UseVPC\":true,\"CreateNew\":false,\"VpcId\":\"vpc-<<REDACTED>>\",\"Subnets\":[\"subnet-<<REDACTED>>\"],\"SecurityGroups\":[\"sg-<<MANUALLY-CREATED-REDACTED>>\"]}}",
"aws-dotnet-deploy-recipe-id": "AspNetAppElasticBeanstalkLinux",
"aws-dotnet-deploy-recipe-version": "1.0.2",
"aws-dotnet-deploy-deployment-bundle-settings": "{\"DotnetBuildConfiguration\":\"Release\",\"DotnetPublishArgs\":\"\",\"SelfContainedBuild\":false}"
},
"Resources": {
"RecipeAppIAMRole9E73EEFA": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/AWSElasticBeanstalkWebTier"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/AWSElasticBeanstalkWorkerTier"
]
]
}
]
},
"Metadata": {
"aws:cdk:path": "TestAspNetCoreApp/Recipe/AppIAMRole/Resource"
}
},
"RecipeEc2InstanceProfileB2CA3751": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Roles": [
{
"Ref": "RecipeAppIAMRole9E73EEFA"
}
]
},
"Metadata": {
"aws:cdk:path": "TestAspNetCoreApp/Recipe/Ec2InstanceProfile"
}
},
"RecipeBeanstalkServiceRole62B7EC28": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "elasticbeanstalk.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSElasticBeanstalkEnhancedHealth"
]
]
}
]
},
"Metadata": {
"aws:cdk:path": "TestAspNetCoreApp/Recipe/BeanstalkServiceRole/Resource"
}
},
"RecipeApplicationVersion145C922C": {
"Type": "AWS::ElasticBeanstalk::ApplicationVersion",
"Properties": {
"ApplicationName": "TestAspNetCoreApp",
"SourceBundle": {
"S3Bucket": "cdk-<<REDACTED>>-assets-<<REDACTED>>-us-east-2",
"S3Key": "953037001d89ca1dc5be9c6834fccfc4cea4fc32b92a8fd30245323db71b8a9b.zip"
}
},
"DependsOn": [
"RecipeBeanstalkApplication3558EA83"
],
"Metadata": {
"aws:cdk:path": "TestAspNetCoreApp/Recipe/ApplicationVersion"
}
},
"RecipeBeanstalkApplication3558EA83": {
"Type": "AWS::ElasticBeanstalk::Application",
"Properties": {
"ApplicationName": "TestAspNetCoreApp"
},
"Metadata": {
"aws:cdk:path": "TestAspNetCoreApp/Recipe/BeanstalkApplication"
}
},
"RecipeBeanstalkEnvironment83CC12DE": {
"Type": "AWS::ElasticBeanstalk::Environment",
"Properties": {
"ApplicationName": "TestAspNetCoreApp",
"EnvironmentName": "TestAspNetCoreApp-dev",
"OptionSettings": [
{
"Namespace": "aws:autoscaling:launchconfiguration",
"OptionName": "IamInstanceProfile",
"Value": {
"Fn::GetAtt": [
"RecipeEc2InstanceProfileB2CA3751",
"Arn"
]
}
},
{
"Namespace": "aws:elasticbeanstalk:environment",
"OptionName": "EnvironmentType",
"Value": "SingleInstance"
},
{
"Namespace": "aws:elasticbeanstalk:managedactions",
"OptionName": "ManagedActionsEnabled",
"Value": "true"
},
{
"Namespace": "aws:elasticbeanstalk:xray",
"OptionName": "XRayEnabled",
"Value": "false"
},
{
"Namespace": "aws:elasticbeanstalk:healthreporting:system",
"OptionName": "SystemType",
"Value": "enhanced"
},
{
"Namespace": "aws:elasticbeanstalk:environment",
"OptionName": "ServiceRole",
"Value": {
"Fn::GetAtt": [
"RecipeBeanstalkServiceRole62B7EC28",
"Arn"
]
}
},
{
"Namespace": "aws:elasticbeanstalk:managedactions",
"OptionName": "PreferredStartTime",
"Value": "Sun:00:00"
},
{
"Namespace": "aws:elasticbeanstalk:managedactions:platformupdate",
"OptionName": "UpdateLevel",
"Value": "minor"
},
{
"Namespace": "aws:elasticbeanstalk:environment:proxy",
"OptionName": "ProxyServer",
"Value": "nginx"
},
{
"Namespace": "aws:ec2:vpc",
"OptionName": "VPCId",
"Value": "vpc-<<REDACTED>>"
},
{
"Namespace": "aws:ec2:vpc",
"OptionName": "Subnets",
"Value": "subnet-<<REDACTED>>"
},
{
"Namespace": "aws:autoscaling:launchconfiguration",
"OptionName": "SecurityGroups",
"Value": "sg-<<MANUALLY-CREATED-REDACTED>>"
}
],
"PlatformArn": "arn:aws:elasticbeanstalk:us-east-2::platform/.NET Core running on 64bit Amazon Linux 2/2.5.4",
"VersionLabel": {
"Ref": "RecipeApplicationVersion145C922C"
}
},
"Metadata": {
"aws:cdk:path": "TestAspNetCoreApp/Recipe/BeanstalkEnvironment"
}
},
"CDKMetadata": {
"Type": "AWS::CDK::Metadata",
"Properties": {
"Analytics": "v2:deflate64:H4sIAAAAAAAA/1VPsU7DUAz8lu4vDiGoG0NbOrBUqCDWyn24lcmLX/XslCHKv+MUGJCHk++su/M9PLTQLPBLq/jRVYmPML4axi44dRi1PaAqmcJqhqAtrIfYka1RKTD2MO5zorA5yR8+ixpKpJeST5xoCpRQjeORcFZSB6NfrS6XxBGNs7xTUYfwn53XrVy5ZOlJbJrCrYF3O7Ocb4GkeSjRE56y7cjqJdxBs6xht33b5EJuVv16P179ybpx3WfxqcxVGcS4J9j/4DckNzEQCAEAAA=="
},
"Metadata": {
"aws:cdk:path": "TestAspNetCoreApp/CDKMetadata/Default"
}
}
},
"Parameters": {
"BootstrapVersion": {
"Type": "AWS::SSM::Parameter::Value<String>",
"Default": "/cdk-bootstrap/hnb659fds/version",
"Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
}
},
"Rules": {
"CheckBootstrapVersion": {
"Assertions": [
{
"Assert": {
"Fn::Not": [
{
"Fn::Contains": [
[
"1",
"2",
"3",
"4",
"5"
],
{
"Ref": "BootstrapVersion"
}
]
}
]
},
"AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
}
]
}
}
}
As you can see, it specifies only the security group sg-<<MANUALLY-CREATED-REDACTED>>
that was selected during the deployment process. However, when this CDK stack is deployed, the Elastic Beanstalk environment deployment creates a new security group:
So it looks like the default Elastic Beanstalk security group is created during Elastic Beanstalk environment creation, not by the .NET Deploy Tool. I also came across the article https://repost.aws/knowledge-center/elastic-beanstalk-add-security-group, which suggests that the default security group is always created in addition to the user-specified security group.
So it looks like this is working as expected, and the .NET Deploy tool is not adding the default security group.
Thanks, Ashish
Describe the bug
An additional security group, which allows all inbound and outbound traffic, is attached to the EC2 instance on deployment.
Expected Behavior
Attach the security group mentioned only in the deployment settings file.
Current Behavior
An additional security group, which allows all inbound and outbound traffic, is attached to the EC2 instance on deployment along with the security group specified in the deployment settings file.
Reproduction Steps
(Using the Visual Studio tool)
security group ID
Publish to AWS...
ASP.NET Core App to AWS Elastic Beanstalk on Linux
Edit Settings
VPC
Use a VPC
Virtual Private Cloud (VPC): VPC ID
Virtual Private Cloud (VPC): Subnets
Virtual Private Cloud (VPC): Security Groups
Publish
Configuration
->Instance traffic and scaling
->EC2 Security Groups
(Alternative - Using the aws dotnet deploy CLI tool) Below is the deployment file used for deployment to Elastic Beanstalk. I have specified the details for the VPC, which include the security group. After deployment, the EC2 instance has an additional security group attached which was newly created for the deployment. Is there a way to avoid creation of this new security group and use only the security group specified in the file?
Possible Solution
No response
Additional Information/Context
No response
Version used
1.10.4+e8f4ad1dc0
Operating System and version
Windows 10