Missing attribute DestinationPrefixListId in SecurityGroupRule #1309

Closed
urluba opened this issue Feb 2, 2019 · 1 comment

@urluba

urluba commented Feb 2, 2019

Hi everyone,

According to the CFN doc, a prefix list can be used in an Egress Security Group:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group-rule.html#cfn-ec2-security-group-rule-destinationprefixlistid

DestinationPrefixListId (SecurityGroupEgress only)

The AWS service prefix of an Amazon VPC endpoint. For more information, see VPC Endpoints in the Amazon VPC User Guide.

Required: Conditional. You must specify only one of the following properties: CidrIp, CidrIpv6, DestinationPrefixListId, DestinationSecurityGroupId, or SourceSecurityGroupId.

Type: String

But it's missing in the SecurityGroupRule definition:

class SecurityGroupRule(AWSProperty):
    props = {
        'CidrIp': (basestring, False),
        'CidrIpv6': (basestring, False),
        'Description': (basestring, False),
        'FromPort': (network_port, False),
        'IpProtocol': (basestring, True),
        'SourceSecurityGroupId': (basestring, False),
        'SourceSecurityGroupName': (basestring, False),
        'SourceSecurityGroupOwnerId': (basestring, False),
        'ToPort': (network_port, False),
        'DestinationSecurityGroupId': (basestring, False),
    }

We should have something like:

class SecurityGroupRule(AWSProperty):
    props = {
        'CidrIp': (basestring, False),
        'CidrIpv6': (basestring, False),
        'Description': (basestring, False),
        'FromPort': (network_port, False),
        'IpProtocol': (basestring, True),
        'SourceSecurityGroupId': (basestring, False),
        'SourceSecurityGroupName': (basestring, False),
        'SourceSecurityGroupOwnerId': (basestring, False),
        'ToPort': (network_port, False),
        'DestinationPrefixListId': (basestring, False),
        'DestinationSecurityGroupId': (basestring, False),
    }

Note that the SecurityGroupEgress class is correct and can be used as a workaround.

Whatsoever, thanks for the great work! 👍

@markpeek
Member

markpeek commented Feb 2, 2019

Thanks for the issue. Fixed on master now.

Note: SecurityGroupRule is documented but does not exist in the resource specification files. Those have separate properties (Ingress and Egress). In a future version there may be a breaking change as we align with the resource specification.

@markpeek markpeek closed this as completed Feb 2, 2019
davemasino pushed a commit to davemasino/troposphere that referenced this issue Oct 17, 2019
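
The CloudFormation constraints quoted in the issue ("only one of" the five target properties, and DestinationPrefixListId being egress only) can be checked on a generated template before deployment. The sketch below is an added example, not part of the thread and not troposphere code; `check_rule`, `check_template`, the sample template and the `pl-EXAMPLE` id are assumptions made for illustration.

```python
# Added example (not troposphere code). Property names are taken from the
# CloudFormation text quoted in the issue; SAMPLE is constructed data and
# "pl-EXAMPLE" is a placeholder prefix list id.
TARGETS = ("CidrIp", "CidrIpv6", "DestinationPrefixListId",
           "DestinationSecurityGroupId", "SourceSecurityGroupId")
EGRESS_ONLY = ("DestinationPrefixListId",)


def check_rule(rule, direction):
    """Return problem codes for one inline rule dict."""
    problems = []
    present = [key for key in TARGETS if key in rule]
    if len(present) > 1:  # "You must specify only one of ..."
        problems.append("multiple-targets:" + ",".join(present))
    if direction == "SecurityGroupIngress":
        for key in EGRESS_ONLY:  # "(SecurityGroupEgress only)"
            if key in rule:
                problems.append("egress-only:" + key)
    return problems


def check_template(template):
    """Return (resource, direction, rule index, problem) for each finding."""
    findings = []
    for name, res in sorted(template.get("Resources", {}).items()):
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        props = res.get("Properties", {})
        for direction in ("SecurityGroupIngress", "SecurityGroupEgress"):
            for index, rule in enumerate(props.get(direction, [])):
                for problem in check_rule(rule, direction):
                    findings.append((name, direction, index, problem))
    return findings


# Constructed sample: one valid egress rule, one egress rule with two
# targets, and one ingress rule that uses the egress-only property.
_HTTPS = {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443}
SAMPLE = {"Resources": {"AppSG": {
    "Type": "AWS::EC2::SecurityGroup",
    "Properties": {
        "GroupDescription": "constructed sample",
        "SecurityGroupEgress": [
            dict(_HTTPS, DestinationPrefixListId="pl-EXAMPLE"),
            dict(_HTTPS, CidrIp="0.0.0.0/0",
                 DestinationPrefixListId="pl-EXAMPLE"),
        ],
        "SecurityGroupIngress": [
            dict(_HTTPS, DestinationPrefixListId="pl-EXAMPLE"),
        ]}}}}
```

The check only flags more than one target per rule, because the quoted list does not include SourceSecurityGroupName and a rule using it alone would otherwise be reported.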