cppforlife
commented
8 years ago @mandelsoft makes sense though i would also recommend to set your aws key permissions to only allow single vpc visibility.
Closed mandelsoft closed 8 years ago
cppforlife
commented
8 years ago @mandelsoft makes sense though i would also recommend to set your aws key permissions to only allow single vpc visibility.
ljfranklin
commented
8 years ago @mandelsoft I think this issue was fixed a while back when dealing with a related bug. Happy accident! Looks like we now only look at the security groups that belong to the VPC that contains the target subnet: https://github.com/cloudfoundry-incubator/bosh-aws-cpi-release/blob/d075d1cb24cf742c0d867094794584ce0b25cbb5/src/bosh_aws_cpi/lib/cloud/aws/security_group_mapper.rb#L41. Feel free to re-open if you're still seeing this.
It is possible to specify security groups by name or id. While the specification of ids works correctly for accounts containing multiple VPCs, the specification by name has a problem.
It somehow randomly(?) maps the name to a valid security group in the given account. But it does not check whether the selected security group belongs to the VPC the given network belongs to. As a result typically the VM creation fails if there are multiple VPCs using the same security groups, because the selected security group id is not valid for the network the VM is created for.
We are using IDs now, but the resulting manifests are quite unreadable. It would be much better to be able to use security group name instead.