ernestio / ernest

Ernest is a tool to define, manage and collaborate on your infrastructure
http://ernest.io/
Mozilla Public License 2.0

When an AWS VPC is created with Ernest a default security-group is also being created unexpectedly. #831

Closed reidjc closed 6 years ago

reidjc commented 6 years ago

If we have no security-groups:

$ aws ec2 describe-security-groups
{
    "SecurityGroups": []
}

And we apply this YAML:

$ cat test.yml
---
name: test
project: aws-de

vpcs:
  - name: test-vpc
    subnet: 10.0.0.0/16
    auto_remove: true

security_groups:
  - name: test-sg
    vpc: test-vpc
    egress:
      - ip: 10.10.0.0/16
        protocol: tcp
        from_port: '22'
        to_port: '25'

VPC test-vpc and security-group test-sg are created:

$ ernest env apply test.yml

Environment Name: aws-de/test
Build ID: 76157afd-02a2-40b9-a4c4-fb67f9f2b051

Firewalls   1/1   Created
Vpcs        1/1   Created

Status: Applied

================
Platform Details
================

Name : test
Status : done
Project : aws-de
Provider :
  Type : aws
Members:
  jason (env owner)
  matt (project reader)
Date : 2018-01-08 10:32:25.661574 +0000 UTC

VPCs:
+----------+--------------+-------------+
|   NAME   |      ID      |   SUBNET    |
+----------+--------------+-------------+
| test-vpc | vpc-8266abe9 | 10.0.0.0/16 |
+----------+--------------+-------------+

Security groups:
+---------+-------------+
|  NAME   |  GROUP ID   |
+---------+-------------+
| test-sg | sg-1179557b |
+---------+-------------+

If we now list the security-groups we can see test-sg, and also an unexpected security-group named default:

$ aws ec2 describe-security-groups
{
    "SecurityGroups": [
        {
            "Description": "default VPC security group",
            "GroupName": "default",
            "IpPermissions": [
                {
                    "IpProtocol": "-1",
                    "IpRanges": [],
                    "Ipv6Ranges": [],
                    "PrefixListIds": [],
                    "UserIdGroupPairs": [
                        {
                            "GroupId": "sg-0778546d",
                            "UserId": "193771034680"
                        }
                    ]
                }
            ],
            "OwnerId": "193771034680",
            "GroupId": "sg-0778546d",
            "IpPermissionsEgress": [
                {
                    "IpProtocol": "-1",
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ],
                    "Ipv6Ranges": [],
                    "PrefixListIds": [],
                    "UserIdGroupPairs": []
                }
            ],
            "VpcId": "vpc-8266abe9"
        },
        {
            "Description": "test-sg",
            "GroupName": "test-sg",
            "IpPermissions": [],
            "OwnerId": "193771034680",
            "GroupId": "sg-1179557b",
            "IpPermissionsEgress": [
                {
                    "FromPort": 22,
                    "IpProtocol": "tcp",
                    "IpRanges": [
                        {
                            "CidrIp": "10.10.0.0/16"
                        }
                    ],
                    "Ipv6Ranges": [],
                    "PrefixListIds": [],
                    "ToPort": 25,
                    "UserIdGroupPairs": []
                }
            ],
            "Tags": [
                {
                    "Key": "Name",
                    "Value": "test-sg"
                },
                {
                    "Key": "ernest.service",
                    "Value": "test"
                }
            ],
            "VpcId": "vpc-8266abe9"
        }
    ]
}
g3kk0 commented 6 years ago

This is the default security group which gets created by AWS whenever you create a VPC. It is used as the default security group for newly provisioned instances. As far as I'm aware this cannot be disabled.
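The practical consequence of the above for anyone auditing an Ernest-managed account: the group AWS creates alongside every VPC is named default, cannot be deleted, and as shipped allows all traffic between its own members plus unrestricted egress to 0.0.0.0/0 (exactly what the describe-security-groups output in the report shows). What can be done is to revoke every rule on it so an instance launched without an explicit group gets no connectivity. The script below is an added example, not Ernest's code and not something posted in this thread; it assumes the JSON layout the AWS CLI prints for describe-security-groups, and its SAMPLE input is constructed to mirror the two groups quoted in the report. It flags default groups that still carry rules and prints the CLI commands that would strip them.

```python
"""Audit `aws ec2 describe-security-groups` output for VPC default security
groups that still carry rules, and emit the AWS CLI commands that would
strip them.

Added example; not Ernest's code and not from the issue thread. It assumes
the JSON layout the AWS CLI prints for describe-security-groups. SAMPLE is
constructed to mirror the output quoted in the issue.
"""
import json
import shlex

# Constructed sample: the two groups reported in the issue, trimmed to the
# fields this audit reads.
SAMPLE = {
    "SecurityGroups": [
        {
            "GroupName": "default",
            "GroupId": "sg-0778546d",
            "VpcId": "vpc-8266abe9",
            "IpPermissions": [
                {
                    "IpProtocol": "-1",
                    "IpRanges": [],
                    "UserIdGroupPairs": [
                        {"GroupId": "sg-0778546d", "UserId": "193771034680"}
                    ],
                }
            ],
            "IpPermissionsEgress": [
                {
                    "IpProtocol": "-1",
                    "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                    "UserIdGroupPairs": [],
                }
            ],
        },
        {
            "GroupName": "test-sg",
            "GroupId": "sg-1179557b",
            "VpcId": "vpc-8266abe9",
            "IpPermissions": [],
            "IpPermissionsEgress": [
                {
                    "IpProtocol": "tcp",
                    "FromPort": 22,
                    "ToPort": 25,
                    "IpRanges": [{"CidrIp": "10.10.0.0/16"}],
                    "UserIdGroupPairs": [],
                }
            ],
        },
    ]
}


def find_default_groups(describe_output):
    """Return every group AWS created as a VPC's default group.

    AWS names that group "default" and refuses to delete it; the only way to
    neutralise it is to revoke all of its rules.
    """
    return [
        g for g in describe_output.get("SecurityGroups", [])
        if g.get("GroupName") == "default" and g.get("VpcId")
    ]


def audit(describe_output):
    """One row per default group: how many ingress/egress rules it still has.

    As created by AWS the default group allows all traffic from members of
    the same group and all egress to 0.0.0.0/0, so a fresh VPC is never
    "clean" here until both rule sets have been revoked.
    """
    rows = []
    for g in find_default_groups(describe_output):
        ingress = len(g.get("IpPermissions", []))
        egress = len(g.get("IpPermissionsEgress", []))
        rows.append({
            "group_id": g["GroupId"],
            "vpc_id": g["VpcId"],
            "ingress_rules": ingress,
            "egress_rules": egress,
            "clean": ingress == 0 and egress == 0,
        })
    return rows


def revoke_commands(group):
    """AWS CLI commands that remove every rule from `group`.

    Each rule object returned by describe-security-groups is passed back
    unchanged through --ip-permissions, so the self-referencing ingress rule
    (UserIdGroupPairs) and the 0.0.0.0/0 egress rule are both covered.
    """
    cmds = []
    for direction, key in (("ingress", "IpPermissions"),
                           ("egress", "IpPermissionsEgress")):
        for perm in group.get(key, []):
            cmds.append(
                f"aws ec2 revoke-security-group-{direction} "
                f"--group-id {group['GroupId']} "
                f"--ip-permissions {shlex.quote(json.dumps([perm]))}"
            )
    return cmds


if __name__ == "__main__":
    # Stand-alone run: report on the constructed sample and print the
    # commands that would empty the default group it contains.
    for row in audit(SAMPLE):
        print(row)
    for g in find_default_groups(SAMPLE):
        for cmd in revoke_commands(g):
            print(cmd)
```

To use it against a live account, replace SAMPLE with the parsed output of `aws ec2 describe-security-groups` and run the printed revoke commands; re-running the audit afterwards should show `clean: True` for every VPC. Revoking the rules does not remove the group, so Ernest's own test-sg (or any explicit group) still has to be attached to instances that need connectivity.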