Aws-cdk: [core] Do not emit duplicate messages (warnings/errors/...)

Created on 10 Aug 2020 · 6 Comments · Source: aws/aws-cdk

When synthesizing the [EKS integration test] I am getting the following output:

[Warning at /aws-cdk-eks-cluster-test/Cluster/ControlPlaneSecurityGroup] Ignoring Egress rule since 'allowAllOutbound' is set to true; To add customize rules, set allowAllOutbound=false on the SecurityGroup
[Warning at /aws-cdk-eks-cluster-test/Cluster/ControlPlaneSecurityGroup] Ignoring Egress rule since 'allowAllOutbound' is set to true; To add customize rules, set allowAllOutbound=false on the SecurityGroup
[Warning at /aws-cdk-eks-cluster-test/Cluster/ControlPlaneSecurityGroup] Ignoring Egress rule since 'allowAllOutbound' is set to true; To add customize rules, set allowAllOutbound=false on the SecurityGroup
[Warning at /aws-cdk-eks-cluster-test/Cluster/ControlPlaneSecurityGroup] Ignoring Egress rule since 'allowAllOutbound' is set to true; To add customize rules, set allowAllOutbound=false on the SecurityGroup
[Warning at /aws-cdk-eks-cluster-test/Cluster/ControlPlaneSecurityGroup] Ignoring Egress rule since 'allowAllOutbound' is set to true; To add customize rules, set allowAllOutbound=false on the SecurityGroup
[Warning at /aws-cdk-eks-cluster-test/Cluster/ControlPlaneSecurityGroup] Ignoring Egress rule since 'allowAllOutbound' is set to true; To add customize rules, set allowAllOutbound=false on the SecurityGroup
[Warning at /aws-cdk-eks-cluster-test/Cluster/ControlPlaneSecurityGroup] Ignoring Egress rule since 'allowAllOutbound' is set to true; To add customize rules, set allowAllOutbound=false on the SecurityGroup
[Warning at /aws-cdk-eks-cluster-test/Cluster/ControlPlaneSecurityGroup] Ignoring Egress rule since 'allowAllOutbound' is set to true; To add customize rules, set allowAllOutbound=false on the SecurityGroup
[Warning at /aws-cdk-eks-cluster-test/Cluster/KubectlProviderSecurityGroup] Ignoring Egress rule since 'allowAllOutbound' is set to true; To add customize rules, set allowAllOutbound=false on the SecurityGroup
[Warning at /aws-cdk-eks-cluster-test/Cluster/Nodes/InstanceSecurityGroup] Ignoring Egress rule since 'allowAllOutbound' is set to true; To add customize rules, set allowAllOutbound=false on the SecurityGroup
[Warning at /aws-cdk-eks-cluster-test/Cluster/Nodes/InstanceSecurityGroup] Ignoring Egress rule since 'allowAllOutbound' is set to true; To add customize rules, set allowAllOutbound=false on the SecurityGroup
[Warning at /aws-cdk-eks-cluster-test/Cluster/Nodes/InstanceSecurityGroup] Ignoring Egress rule since 'allowAllOutbound' is set to true; To add customize rules, set allowAllOutbound=false on the SecurityGroup
[Warning at /aws-cdk-eks-cluster-test/Cluster/Nodes/InstanceSecurityGroup] Ignoring Egress rule since 'allowAllOutbound' is set to true; To add customize rules, set allowAllOutbound=false on the SecurityGroup
[Warning at /aws-cdk-eks-cluster-test/Cluster/Nodes/InstanceSecurityGroup] Ignoring Egress rule since 'allowAllOutbound' is set to true; To add customize rules, set allowAllOutbound=false on the SecurityGroup
[Warning at /aws-cdk-eks-cluster-test/Cluster/BottlerocketNodes/InstanceSecurityGroup] Ignoring Egress rule since 'allowAllOutbound' is set to true; To add customize rules, set allowAllOutbound=false on the SecurityGroup
[Warning at /aws-cdk-eks-cluster-test/Cluster/BottlerocketNodes/InstanceSecurityGroup] Ignoring Egress rule since 'allowAllOutbound' is set to true; To add customize rules, set allowAllOutbound=false on the SecurityGroup
[Warning at /aws-cdk-eks-cluster-test/Cluster/BottlerocketNodes/InstanceSecurityGroup] Ignoring Egress rule since 'allowAllOutbound' is set to true; To add customize rules, set allowAllOutbound=false on the SecurityGroup
[Warning at /aws-cdk-eks-cluster-test/Cluster/BottlerocketNodes/InstanceSecurityGroup] Ignoring Egress rule since 'allowAllOutbound' is set to true; To add customize rules, set allowAllOutbound=false on the SecurityGroup
[Warning at /aws-cdk-eks-cluster-test/Cluster/BottlerocketNodes/InstanceSecurityGroup] Ignoring Egress rule since 'allowAllOutbound' is set to true; To add customize rules, set allowAllOutbound=false on the SecurityGroup
[Warning at /aws-cdk-eks-cluster-test/Cluster/spot/InstanceSecurityGroup] Ignoring Egress rule since 'allowAllOutbound' is set to true; To add customize rules, set allowAllOutbound=false on the SecurityGroup
[Warning at /aws-cdk-eks-cluster-test/Cluster/spot/InstanceSecurityGroup] Ignoring Egress rule since 'allowAllOutbound' is set to true; To add customize rules, set allowAllOutbound=false on the SecurityGroup
[Warning at /aws-cdk-eks-cluster-test/Cluster/spot/InstanceSecurityGroup] Ignoring Egress rule since 'allowAllOutbound' is set to true; To add customize rules, set allowAllOutbound=false on the SecurityGroup
[Warning at /aws-cdk-eks-cluster-test/Cluster/spot/InstanceSecurityGroup] Ignoring Egress rule since 'allowAllOutbound' is set to true; To add customize rules, set allowAllOutbound=false on the SecurityGroup
[Warning at /aws-cdk-eks-cluster-test/Cluster/spot/InstanceSecurityGroup] Ignoring Egress rule since 'allowAllOutbound' is set to true; To add customize rules, set allowAllOutbound=false on the SecurityGroup
[Warning at /aws-cdk-eks-cluster-test/Cluster/InferenceInstances/InstanceSecurityGroup] Ignoring Egress rule since 'allowAllOutbound' is set to true; To add customize rules, set allowAllOutbound=false on the SecurityGroup
[Warning at /aws-cdk-eks-cluster-test/Cluster/InferenceInstances/InstanceSecurityGroup] Ignoring Egress rule since 'allowAllOutbound' is set to true; To add customize rules, set allowAllOutbound=false on the SecurityGroup
[Warning at /aws-cdk-eks-cluster-test/Cluster/InferenceInstances/InstanceSecurityGroup] Ignoring Egress rule since 'allowAllOutbound' is set to true; To add customize rules, set allowAllOutbound=false on the SecurityGroup
[Warning at /aws-cdk-eks-cluster-test/Cluster/InferenceInstances/InstanceSecurityGroup] Ignoring Egress rule since 'allowAllOutbound' is set to true; To add customize rules, set allowAllOutbound=false on the SecurityGroup
[Warning at /aws-cdk-eks-cluster-test/Cluster/InferenceInstances/InstanceSecurityGroup] Ignoring Egress rule since 'allowAllOutbound' is set to true; To add customize rules, set allowAllOutbound=false on the SecurityGroup

Reproduction Steps

In the CDK repo:

$ cd packages/@aws-cdk/aws-eks
$ cdk synth -a test/integ.eks-cluster.ts

What did you expect to happen?

Don't display the same warning twice:

[Warning at /aws-cdk-eks-cluster-test/Cluster/ControlPlaneSecurityGroup] Ignoring Egress rule since 'allowAllOutbound' is set to true; To add customize rules, set allowAllOutbound=false on the SecurityGroup
[Warning at /aws-cdk-eks-cluster-test/Cluster/KubectlProviderSecurityGroup] Ignoring Egress rule since 'allowAllOutbound' is set to true; To add customize rules, set allowAllOutbound=false on the SecurityGroup
[Warning at /aws-cdk-eks-cluster-test/Cluster/Nodes/InstanceSecurityGroup] Ignoring Egress rule since 'allowAllOutbound' is set to true; To add customize rules, set allowAllOutbound=false on the SecurityGroup
[Warning at /aws-cdk-eks-cluster-test/Cluster/BottlerocketNodes/InstanceSecurityGroup] Ignoring Egress rule since 'allowAllOutbound' is set to true; To add customize rules, set allowAllOutbound=false on the SecurityGroup
[Warning at /aws-cdk-eks-cluster-test/Cluster/spot/InstanceSecurityGroup] Ignoring Egress rule since 'allowAllOutbound' is set to true; To add customize rules, set allowAllOutbound=false on the SecurityGroup
[Warning at /aws-cdk-eks-cluster-test/Cluster/InferenceInstances/InstanceSecurityGroup] Ignoring Egress rule since 'allowAllOutbound' is set to true; To add customize rules, set allowAllOutbound=false on the SecurityGroup

What actually happened?

Environment

  • CLI Version : 1.57.0
  • Framework Version: 1.57.0
  • Node.js Version: 14.5.0
  • OS : Mac OSX
  • Language (Version): all

This is :bug: Bug Report

@aws-cdk/core bug effort/small good first issue p2

All 6 comments

The same annotation should probably just not be emitted twice.

Also that warning should probably not be emitted at all.

> The same annotation should probably just not be emitted twice.

That's probably a good idea - we can do that based on scope path and message text.

The reason I added the warning was due to multiple issues reported by users when trying to add an egress rule to allow all IPv6 traffic, and the rule being ignored since by default allowAllOutBound is set to true.
The default condition today creates a weird situation in which not all traffic is allowed by default (only IPv4), and in order to add all IPv6 one needs to set "allowAllOutBound" to false and then add two rules which allow all traffic, to IPv4 and IPv6.

See more discussion in https://github.com/aws/aws-cdk/pull/7827#discussion_r456199699
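The de-duplication "based on scope path and message text" proposed in the comment above, as an added example that is not aws-cdk's own code. The `Annotation` type and all function names are hypothetical, and the sample lines are constructed from the paths in the issue with the message shortened.

```typescript
// Added example; not aws-cdk source. All names here are hypothetical.
type Level = "Info" | "Warning" | "Error";
interface Annotation { level: Level; scopePath: string; message: string; }

// Parse one synth line of the form "[Warning at /construct/path] message".
function parseAnnotation(line: string): Annotation | undefined {
  const m = /^\[(Info|Warning|Error) at ([^\]]+)\] (.*)$/.exec(line.trim());
  if (!m) return undefined;
  return { level: m[1] as Level, scopePath: m[2] ?? "", message: m[3] ?? "" };
}

// Keep the first occurrence of each (level, scope path, message) triple in
// emission order. The same message on a different construct is kept, so a
// warning about a second security group is never hidden.
function dedupeAnnotations(items: Annotation[]): Annotation[] {
  const seen = new Set<string>();
  return items.filter((a) => {
    // JSON-encode the key so a separator inside a path or message cannot
    // make two different annotations collide.
    const key = JSON.stringify([a.level, a.scopePath, a.message]);
    if (seen.has(key)) return false;
    seen.add(key);
    return true;
  });
}

// Parse raw output lines, drop repeats, and render them back.
function dedupeSynthOutput(lines: string[]): string[] {
  const parsed = lines
    .map(parseAnnotation)
    .filter((a): a is Annotation => a !== undefined);
  return dedupeAnnotations(parsed).map(
    (a) => `[${a.level} at ${a.scopePath}] ${a.message}`,
  );
}

// Constructed sample: paths from the issue, message text shortened.
const MSG = "Ignoring Egress rule since 'allowAllOutbound' is set to true";
const ROOT = "/aws-cdk-eks-cluster-test/Cluster";
const SAMPLE = [
  `[Warning at ${ROOT}/ControlPlaneSecurityGroup] ${MSG}`,
  `[Warning at ${ROOT}/ControlPlaneSecurityGroup] ${MSG}`,
  `[Warning at ${ROOT}/KubectlProviderSecurityGroup] ${MSG}`,
  `[Warning at ${ROOT}/Nodes/InstanceSecurityGroup] ${MSG}`,
  `[Warning at ${ROOT}/Nodes/InstanceSecurityGroup] ${MSG}`,
  `[Warning at ${ROOT}/ControlPlaneSecurityGroup] ${MSG}`,
];
console.log(dedupeSynthOutput(SAMPLE).join("\n"));
```

Including the level in the key keeps an error from being swallowed by an earlier warning with the same text on the same construct.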

@rix0rrr

Assuming I'm creating an SG for an ECS service, like this:

    const serviceSg = new ec2.SecurityGroup(this, "MySg", {
      vpc: props.vpc,
    });

    const service = new ecs.FargateService(this, "Service", {
      securityGroups: [serviceSg],
    });

Then allow ingress from, let's say a database:

    db.connections.allowFrom(serviceSg, ec2.Port.tcp(1234));

At this point I'll get the warning, in a (to my knowledge) perfectly valid setup. Trying to "fix" it by setting allowAllOutbound=false will break the ECS service since it now can't pull docker images anymore.

IMHO a warning shouldn't be shown here. It can be irritating and in this case counterproductive.

Yeah, the allowFrom is trying to add an ingress rule to the connection and an egress rule to the security group. Since the security group already allows all outbound traffic, the warning will be added. I agree that in this case it is not helpful. We will remove the warning once we add IPv6 to the allowAllOutBound implementation.
