
Set correct userIDGroupPairs defaults for SecurityGroups CRs. #194


Conversation

a-hilaly
Member

@a-hilaly a-hilaly commented Jun 3, 2024

Closes aws-controllers-k8s/community#2068,
aws-controllers-k8s/community#2061, and
aws-controllers-k8s/community#2058

The EC2 API for setting ingress/egress rules has many special restrictions,
making its behavior hard to predict. For example, GroupName should only be
used with default VPCs. When using non-default VPCs, users should use GroupID
instead.

To address this problem, we are introducing a defaulting mechanism to help the
controller infer and use the correct GroupID when a user doesn't provide one.

You might wonder why all the trouble, and why not just use ACK resource references?
Well... this is necessary because ACK resource references cannot do self-references,
making fully declarative egress/ingress rule definition impossible in some
cases.

Changes:

  • Mark UserIDGroupPairs.GroupName as non-required (at the CRD level)
  • Default UserIDGroupPairs.GroupID to the parent security group ID
  • Default UserIDGroupPairs.VPCID to the VPC of the parent security group
  • Add more e2e tests for UserIDGroupPairs

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
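The defaulting rule described in the PR, shown as an added example rather than the controller's own code. The types below are simplified stand-ins for the ACK EC2 CRD types (the real ones use pointer fields and an AWSResourceReferenceWrapper for GroupRef), and `defaultUserIDGroupPairs` is a hypothetical helper: a pair that names no group at all (no GroupID, GroupName or GroupRef) is taken to mean "this group" and gets the parent's ID. VPCID is only defaulted when the pair resolves to the parent group itself; that narrowing is this example's choice, made so that a rule pointing at a group in a peered VPC is left alone. The sample security group, IDs included, is constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Simplified stand-ins for the ACK EC2 controller's CRD types (hypothetical;
// the real types live in apis/v1alpha1 and use pointer fields).
type UserIDGroupPair struct {
	GroupID   string
	GroupName string
	GroupRef  string // name of a referenced SecurityGroup CR, "" if unset
	VPCID     string
}

type IPPermission struct {
	IPProtocol       string
	FromPort, ToPort int64
	UserIDGroupPairs []UserIDGroupPair
}

type SecurityGroup struct {
	// Status fields, populated once the group exists in EC2.
	ID    string // sg-... of this (parent) group
	VPCID string // vpc-... the group lives in
	// Spec fields.
	IngressRules []IPPermission
	EgressRules  []IPPermission
}

// ErrNoGroupID is returned when a pair names no group and the parent group
// has no ID yet, so there is nothing to default to. The controller would
// requeue in that situation; here we just surface it.
var ErrNoGroupID = errors.New("userIDGroupPair: GroupID, GroupName or GroupRef required and parent group ID not yet known")

// defaultUserIDGroupPairs fills in GroupID and VPCID for every pair that gives
// none of GroupID/GroupName/GroupRef: an empty pair means "this group".
// Pairs that already name a group are left untouched, except that a pair
// explicitly pointing at the parent group also gets the parent's VPCID.
func defaultUserIDGroupPairs(sg *SecurityGroup) error {
	for _, rules := range [][]IPPermission{sg.IngressRules, sg.EgressRules} {
		for i := range rules {
			for j := range rules[i].UserIDGroupPairs {
				p := &rules[i].UserIDGroupPairs[j]
				if p.GroupID == "" && p.GroupName == "" && p.GroupRef == "" {
					if sg.ID == "" {
						return ErrNoGroupID
					}
					p.GroupID = sg.ID
				}
				// Assumption of this example: only self-references inherit the
				// parent VPC; a foreign GroupID may live in a peered VPC.
				if p.VPCID == "" && p.GroupID == sg.ID {
					p.VPCID = sg.VPCID
				}
			}
		}
	}
	return nil
}

// sampleSecurityGroup is a constructed example: one ingress rule allows
// TCP/5432 from members of the same group (the self-reference case the PR
// is about, i.e. userIDGroupPairs: [{}] in the CR), and a second rule
// references an explicit foreign group in another VPC.
func sampleSecurityGroup() *SecurityGroup {
	return &SecurityGroup{
		ID:    "sg-0123456789abcdef0",
		VPCID: "vpc-0abc0abc0abc0abc0",
		IngressRules: []IPPermission{
			{IPProtocol: "tcp", FromPort: 5432, ToPort: 5432,
				UserIDGroupPairs: []UserIDGroupPair{{}}},
			{IPProtocol: "tcp", FromPort: 443, ToPort: 443,
				UserIDGroupPairs: []UserIDGroupPair{{
					GroupID: "sg-0fedcba9876543210",
					VPCID:   "vpc-0ddd0ddd0ddd0ddd0",
				}}},
		},
	}
}

func main() {
	sg := sampleSecurityGroup()
	if err := defaultUserIDGroupPairs(sg); err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, r := range sg.IngressRules {
		for _, p := range r.UserIDGroupPairs {
			fmt.Printf("%s %d-%d from group %s in %s\n",
				r.IPProtocol, r.FromPort, r.ToPort, p.GroupID, p.VPCID)
		}
	}
}
```

Run it with `go run .`: the first rule is resolved to the parent's own sg-/vpc- IDs while the foreign pair is passed through unchanged, which is the request shape that EC2 accepts for a non-default VPC without ever needing GroupName.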

@ack-prow ack-prow bot requested review from jljaco and LikithaVemulapalli June 3, 2024 08:10
@ack-prow ack-prow bot added the approved label Jun 3, 2024
@a-hilaly a-hilaly force-pushed the securitygroups/fix-useridgrouppairs branch from dd123dc to b2467c4 Compare June 3, 2024 09:01
- Mark `UserIDGroupPairs.GroupName` as non-required (at the CRD level)
- Default `UserIDGroupPairs.{VPCID,GroupID}` to the parent security group ID / linked-vpcID
- Add e2e tests for UserIDGroupPairs
@a-hilaly a-hilaly force-pushed the securitygroups/fix-useridgrouppairs branch from b2467c4 to 983332a Compare June 3, 2024 09:08
@ack-bot
Collaborator

ack-bot commented Jun 3, 2024

/lgtm

@ack-prow ack-prow bot added the lgtm Indicates that a PR is ready to be merged. label Jun 3, 2024

ack-prow bot commented Jun 3, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: a-hilaly, ack-bot

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@ack-prow ack-prow bot merged commit 68c5e39 into aws-controllers-k8s:main Jun 3, 2024
6 checks passed
nnbu pushed a commit to nnbu/ack-ec2-controller that referenced this pull request Sep 18, 2024
…s-controllers-k8s#194)
Labels
approved lgtm Indicates that a PR is ready to be merged.
Development

Successfully merging this pull request may close these issues.

EC2 controller throws resource reference wrapper or ID required: GroupName,GroupRef when referencing a SecurityGroup using groupID in userIDGroupPairs
2 participants