aws / aws-dotnet-deploy

Opinionated tooling that simplifies deployment of .NET applications to AWS.
https://aws.github.io/aws-dotnet-deploy/
Apache License 2.0
140 stars 32 forks source link

Attach security group to define firewall rules #769

Closed as14692 closed 1 year ago

as14692 commented 1 year ago

Describe the bug

An additional security group is attached to the EC2 instance on deployment which has allow all inbound and outbound rules

Expected Behavior

Attach the security group mentioned only in the deployment settings file.

Current Behavior

An additional security group is attached to the EC2 instance on deployment along with the security group mentioned in the deployment settings file which has allow all inbound and outbound rules

Reproduction Steps

(Using the Visual Studio tool)

(Alternative - Using the aws dotnet deploy CLI tool) Below is the Deployment file used for deployment to ElasticBeanstalk. I have specified the details for the VPC which includes the security group. After deployment, the EC2 instance has an additional security group attached which is created newly for the deployment. Is there a way to avoid creation of this new security group and use only the security group specified in the file.

{
  "ApplicationName": "ElasticBeanStalkf37e7",
  "RecipeId": "AspNetAppElasticBeanstalkLinux",
  "Settings": {
    "BeanstalkApplication": {
      "CreateNew": true,
      "ApplicationName": "Appf37e7"
    },
    "BeanstalkEnvironment": {
      "EnvironmentName": "Envf37e7"
    },
    "EnvironmentType": "SingleInstance",
    "LoadBalancerType": "application",
    "ApplicationIAMRole": {
      "CreateNew": false,
      "RoleArn": "arn:aws:iam::xxxxxxxxxxxx:role/DeployRole"
    },
    "InstanceType": "m4.4xlarge",
    "VPC": {
      "UseVPC": true,
      "CreateNew": false,
      "VpcId": "vpc-060a48d40a607d686",
      "Subnets": [ "subnet-0b11e438aa352677a" ],
      "SecurityGroups": [ "sg-008739bd4f3df7ff4" ]
    }
  }
}

Possible Solution

No response

Additional Information/Context

No response

Version used

1.10.4+e8f4ad1dc0

Operating System and version

Windows 10

as14692 commented 1 year ago

Added the Reproduction Steps using the Visual Studio Tool

ashishdhingra commented 1 year ago

@as14692 Good afternoon. Apologies for delay. I reviewed this issue today with the team. For your use case, the security group selected during deployment process is considered here to configure BeanStalk environment. If you notice here, we are not adding any default/new security group.

I tested the scenario using the reproduction steps you provided. Here's is the CloudFormation template generated in the configured CDK bootstrap environment bucket.

{
 "Description": "AWSDotnetDeployCDKStack",
 "Metadata": {
  "aws-dotnet-deploy-settings": "{\"ApplicationIAMRole\":{\"CreateNew\":true,\"RoleArn\":null},\"ServiceIAMRole\":{\"CreateNew\":true,\"RoleArn\":null},\"EnvironmentType\":\"SingleInstance\",\"InstanceType\":\"\",\"BeanstalkEnvironment\":{\"EnvironmentName\":\"TestAspNetCoreApp-dev\"},\"BeanstalkApplication\":{\"CreateNew\":true,\"ApplicationName\":\"TestAspNetCoreApp\",\"ExistingApplicationName\":null},\"ElasticBeanstalkPlatformArn\":\"arn:aws:elasticbeanstalk:us-east-2::platform/.NET Core running on 64bit Amazon Linux 2/2.5.4\",\"LoadBalancerType\":\"application\",\"EC2KeyPair\":\"\",\"ElasticBeanstalkManagedPlatformUpdates\":{\"ManagedActionsEnabled\":true,\"PreferredStartTime\":\"Sun:00:00\",\"UpdateLevel\":\"minor\"},\"XRayTracingSupportEnabled\":false,\"ReverseProxy\":\"nginx\",\"EnhancedHealthReporting\":\"enhanced\",\"HealthCheckURL\":\"/\",\"ElasticBeanstalkRollingUpdates\":{\"RollingUpdatesEnabled\":false,\"RollingUpdateType\":\"Time\",\"MaxBatchSize\":null,\"MinInstancesInService\":null,\"PauseTime\":null,\"Timeout\":\"PT30M\"},\"CNamePrefix\":\"\",\"ElasticBeanstalkEnvironmentVariables\":{},\"VPC\":{\"UseVPC\":true,\"CreateNew\":false,\"VpcId\":\"vpc-<<REDACTED>>\",\"Subnets\":[\"subnet-<<REDACTED>>\"],\"SecurityGroups\":[\"sg-<<MANUALLY-CREATED-REDACTED>>\"]}}",
  "aws-dotnet-deploy-recipe-id": "AspNetAppElasticBeanstalkLinux",
  "aws-dotnet-deploy-recipe-version": "1.0.2",
  "aws-dotnet-deploy-deployment-bundle-settings": "{\"DotnetBuildConfiguration\":\"Release\",\"DotnetPublishArgs\":\"\",\"SelfContainedBuild\":false}"
 },
 "Resources": {
  "RecipeAppIAMRole9E73EEFA": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ec2.amazonaws.com"
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "ManagedPolicyArns": [
     {
      "Fn::Join": [
       "",
       [
        "arn:",
        {
         "Ref": "AWS::Partition"
        },
        ":iam::aws:policy/AWSElasticBeanstalkWebTier"
       ]
      ]
     },
     {
      "Fn::Join": [
       "",
       [
        "arn:",
        {
         "Ref": "AWS::Partition"
        },
        ":iam::aws:policy/AWSElasticBeanstalkWorkerTier"
       ]
      ]
     }
    ]
   },
   "Metadata": {
    "aws:cdk:path": "TestAspNetCoreApp/Recipe/AppIAMRole/Resource"
   }
  },
  "RecipeEc2InstanceProfileB2CA3751": {
   "Type": "AWS::IAM::InstanceProfile",
   "Properties": {
    "Roles": [
     {
      "Ref": "RecipeAppIAMRole9E73EEFA"
     }
    ]
   },
   "Metadata": {
    "aws:cdk:path": "TestAspNetCoreApp/Recipe/Ec2InstanceProfile"
   }
  },
  "RecipeBeanstalkServiceRole62B7EC28": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "elasticbeanstalk.amazonaws.com"
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "ManagedPolicyArns": [
     {
      "Fn::Join": [
       "",
       [
        "arn:",
        {
         "Ref": "AWS::Partition"
        },
        ":iam::aws:policy/AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy"
       ]
      ]
     },
     {
      "Fn::Join": [
       "",
       [
        "arn:",
        {
         "Ref": "AWS::Partition"
        },
        ":iam::aws:policy/service-role/AWSElasticBeanstalkEnhancedHealth"
       ]
      ]
     }
    ]
   },
   "Metadata": {
    "aws:cdk:path": "TestAspNetCoreApp/Recipe/BeanstalkServiceRole/Resource"
   }
  },
  "RecipeApplicationVersion145C922C": {
   "Type": "AWS::ElasticBeanstalk::ApplicationVersion",
   "Properties": {
    "ApplicationName": "TestAspNetCoreApp",
    "SourceBundle": {
     "S3Bucket": "cdk-<<REDACTED>>-assets-<<REDACTED>>-us-east-2",
     "S3Key": "953037001d89ca1dc5be9c6834fccfc4cea4fc32b92a8fd30245323db71b8a9b.zip"
    }
   },
   "DependsOn": [
    "RecipeBeanstalkApplication3558EA83"
   ],
   "Metadata": {
    "aws:cdk:path": "TestAspNetCoreApp/Recipe/ApplicationVersion"
   }
  },
  "RecipeBeanstalkApplication3558EA83": {
   "Type": "AWS::ElasticBeanstalk::Application",
   "Properties": {
    "ApplicationName": "TestAspNetCoreApp"
   },
   "Metadata": {
    "aws:cdk:path": "TestAspNetCoreApp/Recipe/BeanstalkApplication"
   }
  },
  "RecipeBeanstalkEnvironment83CC12DE": {
   "Type": "AWS::ElasticBeanstalk::Environment",
   "Properties": {
    "ApplicationName": "TestAspNetCoreApp",
    "EnvironmentName": "TestAspNetCoreApp-dev",
    "OptionSettings": [
     {
      "Namespace": "aws:autoscaling:launchconfiguration",
      "OptionName": "IamInstanceProfile",
      "Value": {
       "Fn::GetAtt": [
        "RecipeEc2InstanceProfileB2CA3751",
        "Arn"
       ]
      }
     },
     {
      "Namespace": "aws:elasticbeanstalk:environment",
      "OptionName": "EnvironmentType",
      "Value": "SingleInstance"
     },
     {
      "Namespace": "aws:elasticbeanstalk:managedactions",
      "OptionName": "ManagedActionsEnabled",
      "Value": "true"
     },
     {
      "Namespace": "aws:elasticbeanstalk:xray",
      "OptionName": "XRayEnabled",
      "Value": "false"
     },
     {
      "Namespace": "aws:elasticbeanstalk:healthreporting:system",
      "OptionName": "SystemType",
      "Value": "enhanced"
     },
     {
      "Namespace": "aws:elasticbeanstalk:environment",
      "OptionName": "ServiceRole",
      "Value": {
       "Fn::GetAtt": [
        "RecipeBeanstalkServiceRole62B7EC28",
        "Arn"
       ]
      }
     },
     {
      "Namespace": "aws:elasticbeanstalk:managedactions",
      "OptionName": "PreferredStartTime",
      "Value": "Sun:00:00"
     },
     {
      "Namespace": "aws:elasticbeanstalk:managedactions:platformupdate",
      "OptionName": "UpdateLevel",
      "Value": "minor"
     },
     {
      "Namespace": "aws:elasticbeanstalk:environment:proxy",
      "OptionName": "ProxyServer",
      "Value": "nginx"
     },
     {
      "Namespace": "aws:ec2:vpc",
      "OptionName": "VPCId",
      "Value": "vpc-<<REDACTED>>"
     },
     {
      "Namespace": "aws:ec2:vpc",
      "OptionName": "Subnets",
      "Value": "subnet-<<REDACTED>>"
     },
     {
      "Namespace": "aws:autoscaling:launchconfiguration",
      "OptionName": "SecurityGroups",
      "Value": "sg-<<MANUALLY-CREATED-REDACTED>>"
     }
    ],
    "PlatformArn": "arn:aws:elasticbeanstalk:us-east-2::platform/.NET Core running on 64bit Amazon Linux 2/2.5.4",
    "VersionLabel": {
     "Ref": "RecipeApplicationVersion145C922C"
    }
   },
   "Metadata": {
    "aws:cdk:path": "TestAspNetCoreApp/Recipe/BeanstalkEnvironment"
   }
  },
  "CDKMetadata": {
   "Type": "AWS::CDK::Metadata",
   "Properties": {
    "Analytics": "v2:deflate64:H4sIAAAAAAAA/1VPsU7DUAz8lu4vDiGoG0NbOrBUqCDWyn24lcmLX/XslCHKv+MUGJCHk++su/M9PLTQLPBLq/jRVYmPML4axi44dRi1PaAqmcJqhqAtrIfYka1RKTD2MO5zorA5yR8+ixpKpJeST5xoCpRQjeORcFZSB6NfrS6XxBGNs7xTUYfwn53XrVy5ZOlJbJrCrYF3O7Ocb4GkeSjRE56y7cjqJdxBs6xht33b5EJuVv16P179ybpx3WfxqcxVGcS4J9j/4DckNzEQCAEAAA=="
   },
   "Metadata": {
    "aws:cdk:path": "TestAspNetCoreApp/CDKMetadata/Default"
   }
  }
 },
 "Parameters": {
  "BootstrapVersion": {
   "Type": "AWS::SSM::Parameter::Value<String>",
   "Default": "/cdk-bootstrap/hnb659fds/version",
   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
  }
 },
 "Rules": {
  "CheckBootstrapVersion": {
   "Assertions": [
    {
     "Assert": {
      "Fn::Not": [
       {
        "Fn::Contains": [
         [
          "1",
          "2",
          "3",
          "4",
          "5"
         ],
         {
          "Ref": "BootstrapVersion"
         }
        ]
       }
      ]
     },
     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
    }
   ]
  }
 }
}

If you notice, it only specifies the only security group sg-<<MANUALLY-CREATED-REDACTED>> selected during deployment process. However, when this CDK stack is deployed, ElasticBeanstalk environment deployment creates a new security group:

Screenshot 2023-06-02 at 2 11 13 PM

So looks like the default ElasticBeanstalk security group is created during ElasticBeanstalk environment, not by the .NET Deploy Tool. I also came across the article https://repost.aws/knowledge-center/elastic-beanstalk-add-security-group, so looks like default security group is always created in addition to user specified security group.

So looks like it working as expected and .NET Deploy tool is not adding the default security group.

Thanks, Ashish

github-actions[bot] commented 1 year ago

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.