Merge pull request #447 from /issues/431

Fixes #431 - fix major error in calculating 'EC2/Rules per VPC security group' limit
jantman · Nov 1, 2019 · b743823 · b743823
2 parents e66bfef + 8644997
commit b743823
Show file tree

Hide file tree

Showing 4 changed files with 487 additions and 14 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -28,6 +28,7 @@ Changelog
 * In following with the above two issues, raise a ``DeprecationWarning`` when running on any Python2 version prior to 2.7 or any Python3 version prior to 3.4, in accorance with the `published end-of-life dates of those versions <https://devguide.python.org/devcycle/#end-of-life-branches>`_.
 * `Issue #436 <https://github.com/jantman/awslimitchecker/issues/436>`_ - Begin testing under Python 3.8 and base our Docker image on ``python:3.8-alpine``.
 * `Issue #435 <https://github.com/jantman/awslimitchecker/issues/435>`_ - Allow configuring the botocore maximum retries for Throttling / RateExceeded errors on a per-AWS-API basis via environment variables. See the relevant sections of the :ref:`CLI Usage <cli_usage.throttling>` or :ref:`Python Usage <python_usage.throttling>` documentation for further details.
+* `Issue #431 <https://github.com/jantman/awslimitchecker/issues/431>`_ - Fix a **major under-calculation** of usage for the EC2 ``Rules per VPC security group`` limit. We were previously calculating the number of "Rules" (from port / to port / protocol combinations) in a Security Group, but the limit is actually based on the number of permissions granted. See `this comment <https://github.com/jantman/awslimitchecker/issues/431#issuecomment-548599785>`_ on the issue for further details.
 
 .. _changelog.8_0_0_vcpu_limits:
 

diff --git a/awslimitchecker/services/ec2.py b/awslimitchecker/services/ec2.py
@@ -591,9 +591,38 @@ def _find_usage_networking_sgs(self):
         sgs_per_vpc = defaultdict(int)
         rules_per_sg = defaultdict(int)
         for sg in self.resource_conn.security_groups.all():
-            if sg.vpc_id is not None:
-                sgs_per_vpc[sg.vpc_id] += 1
-                rules_per_sg[sg.id] = len(sg.ip_permissions)
+            if sg.vpc_id is None:
+                continue
+            sgs_per_vpc[sg.vpc_id] += 1
+            """
+            see: https://github.com/jantman/awslimitchecker/issues/431
+
+            The value for each of ingress and egress is the count of all
+            PrefixListIds in all rules, plus the count of all
+            UserIdGroupPairs in all rules, plus the maximum of:
+              the count of all IpRanges in all rules
+                 -or-
+              the count of all Ipv6Ranges in all rules
+
+            The limit that we alert on is the maximum of those values for
+            ingress and egress.
+
+            In short, behind the scenes, there are four firewall rulesets
+            per SG: (IPv4|IPv6) (ingress|egress)
+            Each can have a maximum of <limit> entries. PrefixListIds and
+            UserIdGroupPairs count towards both IPv4 and IPv6.
+            """
+            counts = []
+            for perm in [sg.ip_permissions, sg.ip_permissions_egress]:
+                counts.append(
+                    max(
+                        sum([len(x.get('IpRanges', [])) for x in perm]),
+                        sum([len(x.get('Ipv6Ranges', [])) for x in perm])
+                    ) +
+                    sum([len(x.get('PrefixListIds', [])) for x in perm]) +
+                    sum([len(x.get('UserIdGroupPairs', [])) for x in perm])
+                )
+            rules_per_sg[sg.id] = max(counts)
         # set usage
         for vpc_id, count in sgs_per_vpc.items():
             self.limits['Security groups per VPC']._add_current_usage(