From 4767ff38d4505a4c9248c416bc22a086bfcd7388 Mon Sep 17 00:00:00 2001 From: Jeet Nihalani Date: Thu, 5 Aug 2021 17:16:26 -0600 Subject: [PATCH] fix: Update CIDR fetching based on updated CFN template --- .../sagemaker-notebook-instance.cfn.yml | 14 ++-- .../__tests__/environment-sc-service.test.js | 81 +++++++++++++++++++ .../service-catalog/environment-sc-service.js | 16 ++-- 3 files changed, 98 insertions(+), 13 deletions(-) diff --git a/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/sagemaker-notebook-instance.cfn.yml b/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/sagemaker-notebook-instance.cfn.yml index 2852be1431..f7ae80bfec 100644 --- a/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/sagemaker-notebook-instance.cfn.yml +++ b/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/sagemaker-notebook-instance.cfn.yml @@ -61,13 +61,13 @@ Resources: VpcId: Ref: VPC SecurityGroupIngress: - !If - - AppStreamEnabled - - !Ref 'AWS::NoValue' - - IpProtocol: tcp - FromPort: 443 - ToPort: 443 - CidrIp: !Ref AccessFromCIDRBlock + - !If + - AppStreamEnabled + - !Ref "AWS::NoValue" + - IpProtocol: tcp + FromPort: 443 + ToPort: 443 + CidrIp: !Ref AccessFromCIDRBlock PreSignedURLBoundary: Type: AWS::IAM::ManagedPolicy diff --git a/addons/addon-base-raas/packages/base-raas-services/lib/environment/service-catalog/__tests__/environment-sc-service.test.js b/addons/addon-base-raas/packages/base-raas-services/lib/environment/service-catalog/__tests__/environment-sc-service.test.js index 451d8f2f4a..b828470083 100644 --- a/addons/addon-base-raas/packages/base-raas-services/lib/environment/service-catalog/__tests__/environment-sc-service.test.js +++ b/addons/addon-base-raas/packages/base-raas-services/lib/environment/service-catalog/__tests__/environment-sc-service.test.js 
@@ -1438,6 +1438,87 @@ describe('EnvironmentSCService', () => {
 });
 describe('getSecurityGroupDetails function', () => {
+ it('should send filtered security group rules as expected for AppStream template', async () => {
+ // BUILD
+ const requestContext = {};
+ const stackArn = 'sampleCloudFormationStackArn';
+ const environment = {
+ outputs: [{ OutputKey: 'CloudformationStackARN', OutputValue: `/${stackArn}` }],
+ status: 'COMPLETED',
+ };
+ const origSecurityGroupId = 'sampleSecurityGroupId';
+ const stackResources = {
+ StackResourceSummaries: [{ LogicalResourceId: 'SecurityGroup', PhysicalResourceId: origSecurityGroupId }],
+ };
+ const templateDetails = {
+ TemplateBody: YAML.dump({
+ Resources: {
+ SecurityGroup: {
+ Properties: {
+ SecurityGroupIngress: [
+ {
+ 'Fn::If': [
+ 'AppStreamEnabled',
+ {
+ SourceSecurityGroupId: {},
+ IpProtocol: '-1',
+ },
+ {
+ IpProtocol: 'tcp',
+ FromPort: 123,
+ ToPort: 123,
+ CidrIp: {
+ Ref: 'AccessFromCIDRBlock',
+ },
+ },
+ ],
+ },
+ ],
+ },
+ },
+ },
+ }),
+ };
+ const workspaceIngressRules = [
+ {
+ IpProtocol: 'tcp',
+ FromPort: 123,
+ ToPort: 123,
+ IpRanges: [{ CidrIp: '123.123.123.123/32' }],
+ },
+ {
+ IpProtocol: 'tcp',
+ FromPort: 1,
+ ToPort: 1,
+ IpRanges: [{ CidrIp: '123.123.123.123/32' }],
+ },
+ ];
+ service.getCfnDetails = jest.fn(() => {
+ return { stackResources, templateDetails };
+ });
+ service.getWorkspaceSecurityGroup = jest.fn(() => {
+ return { securityGroupResponse: { SecurityGroups: [{ IpPermissions: workspaceIngressRules }] } };
+ });
+ const expectedOutcome = [
+ {
+ protocol: 'tcp',
+ fromPort: 123,
+ toPort: 123,
+ cidrBlocks: ['123.123.123.123/32'],
+ },
+ ];
+
+ // OPERATE
+ const { currentIngressRules, securityGroupId } = await service.getSecurityGroupDetails(
+ requestContext,
+ environment,
+ );
+
+ // CHECK
+ expect(currentIngressRules).toMatchObject(expectedOutcome);
+ expect(securityGroupId).toEqual(origSecurityGroupId);
+ });
+ it('should send filtered security group rules as 
expected', async () => {
 // BUILD
 const requestContext = {};
diff --git a/addons/addon-base-raas/packages/base-raas-services/lib/environment/service-catalog/environment-sc-service.js b/addons/addon-base-raas/packages/base-raas-services/lib/environment/service-catalog/environment-sc-service.js
index 2c7983e387..3e536523a0 100644
--- a/addons/addon-base-raas/packages/base-raas-services/lib/environment/service-catalog/environment-sc-service.js
+++ b/addons/addon-base-raas/packages/base-raas-services/lib/environment/service-catalog/environment-sc-service.js
@@ -1020,19 +1020,23 @@ class EnvironmentScService extends Service {
 // Only send back details of groups configured by the SC CFN stack
 const returnVal = _.map(cfnTemplateIngressRules, cfnRule => {
+ let ruleToUse = cfnRule;
+ if ('Fn::If' in cfnRule && cfnRule['Fn::If'][0] === 'AppStreamEnabled') {
+ ruleToUse = cfnRule['Fn::If'][2];
+ }
 const matchingRule = _.find(
 workspaceIngressRules,
 workspaceRule =>
- cfnRule.FromPort === workspaceRule.FromPort &&
- cfnRule.ToPort === workspaceRule.ToPort &&
- cfnRule.IpProtocol === workspaceRule.IpProtocol,
+ ruleToUse.FromPort === workspaceRule.FromPort &&
+ ruleToUse.ToPort === workspaceRule.ToPort &&
+ ruleToUse.IpProtocol === workspaceRule.IpProtocol,
 );
 const currentCidrRanges = matchingRule ? _.map(matchingRule.IpRanges, ipRange => ipRange.CidrIp) : [];
 return {
- fromPort: cfnRule.FromPort,
- toPort: cfnRule.ToPort,
- protocol: cfnRule.IpProtocol,
+ fromPort: ruleToUse.FromPort,
+ toPort: ruleToUse.ToPort,
+ protocol: ruleToUse.IpProtocol,
 cidrBlocks: currentCidrRanges,
 };
 });
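Review bot: The new test only pins the case where the workspace group already carries the false-branch rule (tcp/123), so the outcome that matters for the AppStream path — a group that holds only the true-branch rule (`IpProtocol: '-1'` with `SourceSecurityGroupId`) and therefore produces a tcp/123 entry with `cidrBlocks: []` — is not covered. A second `it(...)` reusing this fixture with `workspaceIngressRules = [{ IpProtocol: '-1', UserIdGroupPairs: [{ GroupId: 'sampleSourceSgId' }] }]` (constructed value) and `expectedOutcome = [{ protocol: 'tcp', fromPort: 123, toPort: 123, cidrBlocks: [] }]` would lock that in. A third case with a `Fn::If` keyed on a condition other than `AppStreamEnabled` would also document what the service returns for conditionals it does not resolve. `YAML.dump` is presumably imported at the top of the test file, which is outside this hunk.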
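Review bot: `cfnRule['Fn::If'][2]` in the new branch-selection block is read without checking that the conditional has a third element, so a two-element or otherwise malformed `Fn::If` leaves `ruleToUse` undefined and the `ruleToUse.FromPort` comparison inside the `_.find` callback throws a TypeError instead of yielding a rule with no matches. A guard such as `const branch = _.get(cfnRule, 'Fn::If');` / `const ruleToUse = Array.isArray(branch) && branch[0] === 'AppStreamEnabled' && _.isObject(branch[2]) ? branch[2] : cfnRule;` keeps the callback from throwing on unexpected template shapes and also drops the `in` operator, which throws on non-object entries and matches inherited keys. Separately, the false branch is always taken without consulting the stack's actual `AppStreamEnabled` condition; per the template hunk earlier in this patch the true branch is `AWS::NoValue`, so with AppStream enabled the returned entry describes a tcp/443 rule that does not exist on the group and `cidrBlocks` comes back empty. That appears intentional but deserves a comment, e.g. `// Fn::If resolves to the non-AppStream rule; when AppStream is enabled no workspace rule matches and cidrBlocks stays empty`. The enclosing method starts and ends outside the hunk.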