Skip to content
This repository has been archived by the owner on Apr 15, 2021. It is now read-only.

AWS EC2 controller only handles SECURITY_GROUP_NAMES correctly if SUBNET is specified #814

Open
ghost opened this issue Aug 3, 2017 · 3 comments
Open

AWS EC2 controller only handles SECURITY_GROUP_NAMES correctly if SUBNET is specified #814

ghost opened this issue Aug 3, 2017 · 3 comments
Labels
foundby/FT later severity/minor

Comments

@ghost
Copy link

ghost commented Aug 3, 2017

[Build] 17.3 2017/07/27

[Steps to reproduce]

  1. log-in as customer and subscribe to AWS EC2 service that has an underlying technical service that
    can specify a security group (but specifies no subnet).
  2. during subscription process specify a security group SG1, that is not the default security group,
    and exist in the default region/subnet.
  3. check provisioned instance's security group

[Expected result]
security group SG1

[Observed result]
instance has default security group

[Details]

  1. If I set security group and subnet this works ok (workaround).
  2. If I set security group SG1, and I do not set the subnet, I end up with an instance created in subnet as in 1. above, with default security group (not SG1)
  3. If I try to manually create an Instance using AWS EC2 UI, and do not specify a subnet, but specify a security group, then the instance is created with the correct security group.
    => The workaround is to specify both. If this cannot be fixed, then it should be documented that the security group will only work if subnet is also specified.

@gertipoppel this might become a documentation issue.
@GoebelL GoebelL added this to the 17.4.0 milestone Aug 3, 2017
@StavrevaS StavrevaS removed this from the 17.4.0 milestone Aug 23, 2017
@StavrevaS
Copy link
Contributor

The AWS Controller ignores the specified security groups in case no subnet parameter specified. In that case, the instance will be created in some default subnet and default security group will be assigned.
The subnet parameter is used to get the VPC Identifier in order to identify the security groups for that VPC and check if the specified one exists. If the subnet parameter is not specified, checking security groups logic should be changed (e.g. get somehow the VPC Id or get the VPC security groups with some filtering).

@gertipoppel, please document that for specifying security groups, the subnet parameter is mandatory. Otherwise the groups will be ignored.

I will not close this issue, but set it for later if requested.

gertipoppel added a commit to servicecatalog/documentation that referenced this issue Sep 5, 2017
@gertipoppel
Fix issue servicecatalog/development#814
5b8c9d0
@gertipoppel
Copy link
Contributor

Added a section to the Restrictions in the Release Notes for 17.4 and added corresponding comments to the SUBNET and SECURITY_GROUP_NAMES parameters in the Appendix "Service Parameters and Operations" of the AWS service controller manual.

Modified sources:
DocSources/en/AWSIntegrationGuide/Appendix/r_ServiceParameters.xml (documentation repository on GitHub)
DocSources/en/ReleaseNotes/Restrictions/c_Restrictions.xml (document repository on GitLab)

gertipoppel added a commit to servicecatalog/documentation that referenced this issue Sep 5, 2017
@gertipoppel
Fix issue servicecatalog/development#814
533a8e6
@ghost
Copy link
Author

ghost commented Sep 11, 2017

[Build] 17.4 verified doc issue

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
foundby/FT later severity/minor
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@gertipoppel @GoebelL @StavrevaS