cloudtools / troposphere

troposphere - Python library to create AWS CloudFormation descriptions
BSD 2-Clause "Simplified" License

Can't create "no access" ec2.SecurityGroupRule #392

Open ex-nerd opened 8 years ago

ex-nerd commented 8 years ago

Troposphere is disallowing my ec2.SecurityGroupRule because it doesn't have a valid FromPort or ToPort.

Cloudformation automatically adds an "all" rule to ingress/egress definitions that are left blank, so if you want to specifically create a rule that disallows access you create a rule against localhost with an IpProtocol of -1 and no to/from port info.

Despite what the http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group-rule.html docs say, FromPort and ToPort are not required when using IpProtocol=-1 from a VPC.

See this example taken from http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html#d0e39862 :

"sgwithoutegress": {
  "Type": "AWS::EC2::SecurityGroup",
  "Properties": {
    "GroupDescription": "Limits security group egress traffic",
    "SecurityGroupEgress": [
      {
        "CidrIp": "127.0.0.1/32",
        "IpProtocol": "-1"
      }
    ],
    "VpcId": { "Ref": "myVPC"}
  }
}

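The practical risk behind this issue is that a VPC security group with no SecurityGroupEgress at all keeps EC2's default allow-all egress rule, while the 127.0.0.1/32 plus IpProtocol -1 sentinel above is the documented way to say "no egress". The following audit, added here as an example and not code from troposphere or from the thread's participants, walks a CloudFormation template (plain dict, no troposphere dependency) and labels each security group's egress posture; it also encodes the thread's conclusion that FromPort/ToPort may be omitted when IpProtocol is -1. The sample template is constructed: the "sgwithoutegress" resource copies the AWS doc example quoted above, the other resources are made up to exercise each case, and the stricter rule that tcp/udp rules must carry both ports is this checker's own policy, not something the thread states.

```python
import json
from typing import Any

# Constructed sample template (not from the thread): "sgwithoutegress" mirrors the AWS
# doc example quoted in the issue; the remaining resources are invented test cases.
SAMPLE_TEMPLATE: dict[str, Any] = {
    "Resources": {
        "sgwithoutegress": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "Limits security group egress traffic",
                "SecurityGroupEgress": [{"CidrIp": "127.0.0.1/32", "IpProtocol": "-1"}],
                "VpcId": {"Ref": "myVPC"},
            },
        },
        "sgimplicitegress": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {"GroupDescription": "No egress given", "VpcId": {"Ref": "myVPC"}},
        },
        "sgopenegress": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "Explicit allow-all egress",
                "SecurityGroupEgress": [{"CidrIp": "0.0.0.0/0", "IpProtocol": "-1"}],
                "VpcId": {"Ref": "myVPC"},
            },
        },
        "sgrestricted": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "HTTPS to one host only",
                "SecurityGroupEgress": [
                    {"CidrIp": "10.0.0.5/32", "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443}
                ],
                "VpcId": {"Ref": "myVPC"},
            },
        },
        "bucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    }
}


def is_no_egress_sentinel(rule: dict[str, Any]) -> bool:
    """The documented 'no egress' idiom: all protocols (-1) to localhost only, no ports."""
    return (
        rule.get("CidrIp") == "127.0.0.1/32"
        and str(rule.get("IpProtocol")) == "-1"
        and "FromPort" not in rule
        and "ToPort" not in rule
    )


def is_all_traffic_anywhere(rule: dict[str, Any]) -> bool:
    """All protocols to the whole IPv4 or IPv6 address space."""
    return str(rule.get("IpProtocol")) == "-1" and (
        rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0"
    )


def validate_rule(rule: dict[str, Any]) -> list[str]:
    """Port checks following the thread's conclusion: with IpProtocol -1 the ports may be
    omitted. Requiring both ports for tcp/udp is this checker's own policy (assumption)."""
    problems: list[str] = []
    proto = str(rule.get("IpProtocol", ""))
    has_from, has_to = "FromPort" in rule, "ToPort" in rule
    if proto in ("tcp", "udp") and not (has_from and has_to):
        problems.append(f"{proto} rule needs both FromPort and ToPort")
    if has_from and has_to and rule["FromPort"] > rule["ToPort"]:
        problems.append("FromPort is greater than ToPort")
    return problems


def classify_egress(props: dict[str, Any]) -> str:
    """Label a security group's egress posture from its Properties block."""
    egress = props.get("SecurityGroupEgress")
    if egress is None:
        # No SecurityGroupEgress at all: the VPC group keeps its default allow-all egress rule.
        return "implicit-allow-all"
    if len(egress) == 1 and is_no_egress_sentinel(egress[0]):
        return "none"
    if any(is_all_traffic_anywhere(r) for r in egress):
        return "explicit-allow-all"
    return "restricted"


def audit_template(template: dict[str, Any]) -> dict[str, str]:
    """Map each AWS::EC2::SecurityGroup logical id to its egress posture."""
    return {
        name: classify_egress(res.get("Properties", {}))
        for name, res in template.get("Resources", {}).items()
        if res.get("Type") == "AWS::EC2::SecurityGroup"
    }


if __name__ == "__main__":
    print(json.dumps(audit_template(SAMPLE_TEMPLATE), indent=2))
```

Run it against a real template with `json.load` in place of SAMPLE_TEMPLATE; groups reported as "implicit-allow-all" are the ones where the author probably meant "no egress" but CloudFormation silently kept the default allow-all rule.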
phobologic commented 8 years ago

Is the behavior you're talking about discussed anywhere in the docs? The reason this fails now is because troposphere, traditionally, has tried to stick to what is defined in the docs - and the docs for the SecurityGroupRule property says that ToPort/FromPort are required. (http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group-rule.html)

We run into these undocumented 'features' occasionally, and haven't found a good answer to it.

ex-nerd commented 8 years ago

It's not discussed in these docs beyond the example I referenced. However, the properties are marked as optional in the ec2 API docs:

I also haven't been able to find any reference for the default behavior of "if you don't specify a rule, we assume you mean allow all traffic".

jonapich commented 8 years ago

All of the AWS Documentation links you guys referenced so far state that ToPort and FromPort are optional. I guess they updated the doc since this discussion started?

ex-nerd commented 8 years ago

@muikrad That does indeed appear to be the case now. Previously, the page linked to by @phobologic had them listed as required.