Skip to content

bug: duplicate EC2 security group rules #11512

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
1 task done
mcieno opened this issue Sep 13, 2024 · 4 comments
Closed
1 task done

bug: duplicate EC2 security group rules #11512

mcieno opened this issue Sep 13, 2024 · 4 comments
Labels
aws:ec2 Amazon Elastic Compute Cloud status: response required Waiting for a response from the reporter type: bug Bug report

Comments

@mcieno
Copy link

mcieno commented Sep 13, 2024
edited
Loading

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

Some security group rules added via ec2:AuthorizeSecurityGroupIngress are duplicated.

Expected Behavior

Security group rules should not be duplicated.

How are you starting LocalStack?

With a docker-compose file

Steps To Reproduce

How are you starting localstack

# compose.yml
services:
  aws:
    image: localstack/localstack:3.7
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    ports:
      - "4566:4566"
    environment:
      LS_LOG: trace
      SERVICES: "ec2"

Client commands

Create a security group

group_id=$(
    awslocal ec2 create-security-group \
        --group-name="example" \
        --description="Just an example" \
    | jq -r .GroupId
)

Add some rules

awslocal ec2 authorize-security-group-ingress \
    --group-id="${group_id}" \
    --ip-permissions='[
      {
        "FromPort": 1,
        "ToPort": 2,
        "IpProtocol": "tcp",
        "IpRanges": [{
          "CidrIp": "127.0.0.1/32",
          "Description": "first rule"
        }]
      },
      {
        "FromPort": 1,
        "ToPort": 2,
        "IpProtocol": "tcp",
        "IpRanges": [{
          "CidrIp": "127.0.0.2/32",
          "Description": "second rule"
        }]
      }
    ]'
Output 
{
    "Return": true,
    "SecurityGroupRules": [
        {
            "SecurityGroupRuleId": "sgr-19b625c802efc975a",
            "GroupId": "sg-95594140376c802f5",
            "GroupOwnerId": "000000000000",
            "IsEgress": false,
            "IpProtocol": "tcp",
            "FromPort": 1,
            "ToPort": 2,
            "CidrIpv4": "127.0.0.2/32",
            "Description": "second rule",
            "Tags": []
        }
    ]
}

Make sure the rules have been added correctly

awslocal ec2 describe-security-group-rules \
    --filters="Name=group-id,Values=${group_id}"
Output 
{
    "SecurityGroupRules": [
        {
            "SecurityGroupRuleId": "sgr-c397ed63f861a0362",
            "GroupId": "sg-95594140376c802f5",
            "GroupOwnerId": "000000000000",
            "IsEgress": false,
            "IpProtocol": "tcp",
            "FromPort": 1,
            "ToPort": 2,
            "CidrIpv4": "127.0.0.1/32",
            "Description": "first rule",
            "Tags": []
        },
        {
            "SecurityGroupRuleId": "sgr-19b625c802efc975a",
            "GroupId": "sg-95594140376c802f5",
            "GroupOwnerId": "000000000000",
            "IsEgress": false,
            "IpProtocol": "tcp",
            "FromPort": 1,
            "ToPort": 2,
            "CidrIpv4": "127.0.0.2/32",
            "Description": "second rule",
            "Tags": []
        },
        {
            "SecurityGroupRuleId": "sgr-6773f91e11c3ff172",
            "GroupId": "sg-95594140376c802f5",
            "GroupOwnerId": "000000000000",
            "IsEgress": true,
            "IpProtocol": "-1",
            "FromPort": -1,
            "ToPort": -1,
            "CidrIpv4": "0.0.0.0/0",
            "Tags": []
        }
    ]
}

Invoke ec2:DescribeSecurityGroups operation

awslocal ec2 describe-security-groups
Output 
{
    "SecurityGroups": [
        {
            "Description": "default VPC security group",
            "GroupName": "default",
            "IpPermissions": [],
            "OwnerId": "000000000000",
            "GroupId": "sg-9897979fa57feca88",
            "IpPermissionsEgress": [
                {
                    "IpProtocol": "-1",
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ],
                    "Ipv6Ranges": [],
                    "PrefixListIds": [],
                    "UserIdGroupPairs": []
                }
            ],
            "Tags": [],
            "VpcId": "vpc-226bb034"
        },
        {
            "Description": "Just an example",
            "GroupName": "example",
            "IpPermissions": [
                {
                    "FromPort": 1,
                    "IpProtocol": "tcp",
                    "IpRanges": [
                        {
                            "CidrIp": "127.0.0.1/32",
                            "Description": "first rule"
                        },
                        {
                            "CidrIp": "127.0.0.2/32",
                            "Description": "second rule"
                        }
                    ],
                    "Ipv6Ranges": [],
                    "PrefixListIds": [],
                    "ToPort": 2,
                    "UserIdGroupPairs": []
                }
            ],
            "OwnerId": "000000000000",
            "GroupId": "sg-95594140376c802f5",
            "IpPermissionsEgress": [
                {
                    "IpProtocol": "-1",
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ],
                    "Ipv6Ranges": [],
                    "PrefixListIds": [],
                    "UserIdGroupPairs": []
                }
            ],
            "Tags": [],
            "VpcId": "vpc-226bb034"
        }
    ]
}

Check the rules again, second rule is now duplicated

awslocal ec2 describe-security-group-rules \
    --filters="Name=group-id,Values=${group_id}"
Output 
{
    "SecurityGroupRules": [
        {
            "SecurityGroupRuleId": "sgr-c397ed63f861a0362",
            "GroupId": "sg-95594140376c802f5",
            "GroupOwnerId": "000000000000",
            "IsEgress": false,
            "IpProtocol": "tcp",
            "FromPort": 1,
            "ToPort": 2,
            "CidrIpv4": "127.0.0.1/32",
            "Description": "first rule",
            "Tags": []
        },
        {
            "SecurityGroupRuleId": "sgr-c397ed63f861a0362",
            "GroupId": "sg-95594140376c802f5",
            "GroupOwnerId": "000000000000",
            "IsEgress": false,
            "IpProtocol": "tcp",
            "FromPort": 1,
            "ToPort": 2,
            "CidrIpv4": "127.0.0.2/32",
            "Description": "second rule",
            "Tags": []
        },
        {
            "SecurityGroupRuleId": "sgr-19b625c802efc975a",
            "GroupId": "sg-95594140376c802f5",
            "GroupOwnerId": "000000000000",
            "IsEgress": false,
            "IpProtocol": "tcp",
            "FromPort": 1,
            "ToPort": 2,
            "CidrIpv4": "127.0.0.2/32",
            "Description": "second rule",
            "Tags": []
        },
        {
            "SecurityGroupRuleId": "sgr-6773f91e11c3ff172",
            "GroupId": "sg-95594140376c802f5",
            "GroupOwnerId": "000000000000",
            "IsEgress": true,
            "IpProtocol": "-1",
            "FromPort": -1,
            "ToPort": -1,
            "CidrIpv4": "0.0.0.0/0",
            "Tags": []
        }
    ]
}

Environment

- OS: Ubuntu 22.04.3 LTS
- LocalStack:
  LocalStack version: 3.7.2
  LocalStack Docker image sha: sha256:811d4cd67e6cc833cd5849ddaac454abd90c0d0fc00d402f8f82ee47926c5e10
  LocalStack build date: 2024-09-06
  LocalStack build git hash: a607fed91

Anything else?

I observed that immediately after adding the rules everything looks normal. Yet, after invoking ec2:DescribeSecurityGroups, the duplicates appear.

Hence, it appears to me that this bug is related to some side effect of ec2:DescribeSecurityGroups operation trying to group rules when, for example, "from" and "to" ports are the same.

Also note how the output of authorize-security-group-ingress is incorrect (it shows one rule instead of two).

Debug logs

DEBUG --- [  MainThread] l.utils.docker_utils       : Using SdkDockerClient. LEGACY_DOCKER_CLIENT: False, SDK installed: True
 WARN --- [  MainThread] l.services.internal        : Enabling diagnose endpoint, please be aware that this can expose sensitive information via your network.
DEBUG --- [  MainThread] plux.runtime.manager       : instantiating plugin PluginSpec(localstack.runtime.components.aws = <class 'localstack.aws.components.AwsComponents'>)
DEBUG --- [  MainThread] plux.runtime.manager       : loading plugin localstack.runtime.components:aws

LocalStack version: 3.7.2
LocalStack build date: 2024-09-06
LocalStack build git hash: a607fed91

DEBUG --- [  MainThread] localstack.utils.run       : Executing command: rm -rf "/tmp/localstack"
DEBUG --- [  MainThread] plux.runtime.manager       : instantiating plugin PluginSpec(localstack.hooks.on_infra_start._patch_botocore_endpoint_in_memory = <function _patch_botocore_endpoint_in_memory at 0xffffb1d3f060>)
DEBUG --- [  MainThread] plux.runtime.manager       : plugin localstack.hooks.on_infra_start:_patch_botocore_endpoint_in_memory is disabled, reason: Load condition for plugin was false
DEBUG --- [  MainThread] plux.runtime.manager       : instantiating plugin PluginSpec(localstack.hooks.on_infra_start._patch_botocore_json_parser = <function _patch_botocore_json_parser at 0xffffb1d3eca0>)
DEBUG --- [  MainThread] plux.runtime.manager       : loading plugin localstack.hooks.on_infra_start:_patch_botocore_json_parser
DEBUG --- [  MainThread] plux.runtime.manager       : instantiating plugin PluginSpec(localstack.hooks.on_infra_start._patch_cbor2 = <function _patch_cbor2 at 0xffffb1d3ede0>)
DEBUG --- [  MainThread] plux.runtime.manager       : loading plugin localstack.hooks.on_infra_start:_patch_cbor2
DEBUG --- [  MainThread] plux.runtime.manager       : instantiating plugin PluginSpec(localstack.hooks.on_infra_start._publish_config_as_analytics_event = <function _publish_config_as_analytics_event at 0xffffb1131760>)
DEBUG --- [  MainThread] plux.runtime.manager       : loading plugin localstack.hooks.on_infra_start:_publish_config_as_analytics_event
DEBUG --- [  MainThread] plux.runtime.manager       : instantiating plugin PluginSpec(localstack.hooks.on_infra_start._publish_container_info = <function _publish_container_info at 0xffffb1131b20>)
DEBUG --- [  MainThread] plux.runtime.manager       : loading plugin localstack.hooks.on_infra_start:_publish_container_info
DEBUG --- [  MainThread] plux.runtime.manager       : instantiating plugin PluginSpec(localstack.hooks.on_infra_start._run_init_scripts_on_start = <function _run_init_scripts_on_start at 0xffffb12ed6c0>)
DEBUG --- [  MainThread] plux.runtime.manager       : loading plugin localstack.hooks.on_infra_start:_run_init_scripts_on_start
DEBUG --- [  MainThread] plux.runtime.manager       : instantiating plugin PluginSpec(localstack.hooks.on_infra_start.apply_aws_runtime_patches = <function apply_aws_runtime_patches at 0xffffb1131e40>)
DEBUG --- [  MainThread] plux.runtime.manager       : loading plugin localstack.hooks.on_infra_start:apply_aws_runtime_patches
DEBUG --- [  MainThread] plux.runtime.manager       : instantiating plugin PluginSpec(localstack.hooks.on_infra_start.apply_runtime_patches = <function apply_runtime_patches at 0xffffb1132200>)
DEBUG --- [  MainThread] plux.runtime.manager       : loading plugin localstack.hooks.on_infra_start:apply_runtime_patches
DEBUG --- [  MainThread] plux.runtime.manager       : instantiating plugin PluginSpec(localstack.hooks.on_infra_start.conditionally_enable_debugger = <function conditionally_enable_debugger at 0xffffb1132660>)
DEBUG --- [  MainThread] plux.runtime.manager       : loading plugin localstack.hooks.on_infra_start:conditionally_enable_debugger
DEBUG --- [  MainThread] plux.runtime.manager       : instantiating plugin PluginSpec(localstack.hooks.on_infra_start.delete_cached_certificate = <function delete_cached_certificate at 0xffffb1132c00>)
DEBUG --- [  MainThread] plux.runtime.manager       : plugin localstack.hooks.on_infra_start:delete_cached_certificate is disabled, reason: Load condition for plugin was false
DEBUG --- [  MainThread] plux.runtime.manager       : instantiating plugin PluginSpec(localstack.hooks.on_infra_start.deprecation_warnings = <function deprecation_warnings at 0xffffb1132a20>)
DEBUG --- [  MainThread] plux.runtime.manager       : loading plugin localstack.hooks.on_infra_start:deprecation_warnings
DEBUG --- [  MainThread] plux.runtime.manager       : instantiating plugin PluginSpec(localstack.hooks.on_infra_start.register_cloudformation_deploy_ui = <function register_cloudformation_deploy_ui at 0xffffb1132e80>)
DEBUG --- [  MainThread] plux.runtime.manager       : loading plugin localstack.hooks.on_infra_start:register_cloudformation_deploy_ui
DEBUG --- [  MainThread] plux.runtime.manager       : instantiating plugin PluginSpec(localstack.hooks.on_infra_start.register_custom_endpoints = <function register_custom_endpoints at 0xffffb1009440>)
DEBUG --- [  MainThread] plux.runtime.manager       : loading plugin localstack.hooks.on_infra_start:register_custom_endpoints
DEBUG --- [  MainThread] plux.runtime.manager       : instantiating plugin PluginSpec(localstack.hooks.on_infra_start.register_partition_adjusting_proxy_listener = <function register_partition_adjusting_proxy_listener at 0xffffb11328e0>)
DEBUG --- [  MainThread] plux.runtime.manager       : plugin localstack.hooks.on_infra_start:register_partition_adjusting_proxy_listener is disabled, reason: Load condition for plugin was false
DEBUG --- [  MainThread] plux.runtime.manager       : instantiating plugin PluginSpec(localstack.hooks.on_infra_start.setup_dns_configuration_on_host = <function setup_dns_configuration_on_host at 0xffffb10098a0>)
DEBUG --- [  MainThread] plux.runtime.manager       : loading plugin localstack.hooks.on_infra_start:setup_dns_configuration_on_host
DEBUG --- [  MainThread] plux.runtime.manager       : instantiating plugin PluginSpec(localstack.hooks.on_infra_start.start_dns_server = <function start_dns_server at 0xffffb1009760>)
DEBUG --- [  MainThread] plux.runtime.manager       : loading plugin localstack.hooks.on_infra_start:start_dns_server
DEBUG --- [  MainThread] plux.runtime.manager       : instantiating plugin PluginSpec(localstack.hooks.on_infra_start.validate_configuration = <function validate_configuration at 0xffffb1009300>)
DEBUG --- [  MainThread] plux.runtime.manager       : loading plugin localstack.hooks.on_infra_start:validate_configuration
DEBUG --- [  MainThread] localstack.dns.server      : Determined fallback dns: 127.0.0.11
DEBUG --- [  MainThread] localstack.dns.server      : Starting DNS servers (tcp/udp port 53 on 0.0.0.0)...
DEBUG --- [  MainThread] localstack.dns.server      : Adding host .*localhost.localstack.cloud pointing to LocalStack
DEBUG --- [  MainThread] localstack.dns.server      : Adding host .*localhost.localstack.cloud with record DynamicRecord(record_type=<RecordType.A: 1>, record_id=None)
DEBUG --- [  MainThread] localstack.dns.server      : Adding host .*localhost.localstack.cloud with record DynamicRecord(record_type=<RecordType.AAAA: 2>, record_id=None)
DEBUG --- [-functhread1] localstack.dns.server      : DNS Server started
DEBUG --- [  MainThread] localstack.dns.server      : DNS server startup finished.
DEBUG --- [  MainThread] localstack.runtime.init    : Init scripts discovered: {BOOT: [], START: [], READY: [], SHUTDOWN: []}
DEBUG --- [  MainThread] localstack.plugins         : Checking for the usage of deprecated community features and configs...
DEBUG --- [  MainThread] localstack.dns.server      : Overwriting container DNS server to point to localhost
DEBUG --- [  MainThread] localstack.utils.ssl       : Attempting to download local SSL certificate file
DEBUG --- [  MainThread] localstack.utils.ssl       : SSL certificate downloaded successfully
DEBUG --- [  MainThread] plux.runtime.manager       : instantiating plugin PluginSpec(localstack.runtime.server.twisted = <class 'localstack.runtime.server.plugins.TwistedRuntimeServerPlugin'>)
DEBUG --- [  MainThread] plux.runtime.manager       : loading plugin localstack.runtime.server:twisted
DEBUG --- [ady_monitor)] plux.runtime.manager       : instantiating plugin PluginSpec(localstack.hooks.on_infra_ready._run_init_scripts_on_ready = <function _run_init_scripts_on_ready at 0xffffb12ed800>)
DEBUG --- [ady_monitor)] plux.runtime.manager       : loading plugin localstack.hooks.on_infra_ready:_run_init_scripts_on_ready
DEBUG --- [ady_monitor)] plux.runtime.manager       : instantiating plugin PluginSpec(localstack.hooks.on_infra_ready.register_virtual_host_routes = <function register_virtual_host_routes at 0xffffa90ccae0>)
DEBUG --- [ady_monitor)] plux.runtime.manager       : plugin localstack.hooks.on_infra_ready:register_virtual_host_routes is disabled, reason: Load condition for plugin was false
Ready.
DEBUG --- [et.reactor-0] l.a.p.service_router       : building service catalog index cache file /var/lib/localstack/cache/service-catalog-3_7_2-1_35_10.pickle
DEBUG --- [et.reactor-0] rolo.gateway.wsgi          : POST localhost:4566/
DEBUG --- [et.reactor-0] plux.runtime.manager       : instantiating plugin PluginSpec(localstack.aws.provider.ec2:default = <function ec2 at 0xffff839a4a40>)
DEBUG --- [et.reactor-0] plux.runtime.manager       : loading plugin localstack.aws.provider:ec2:default
 INFO --- [et.reactor-0] localstack.utils.bootstrap : Execution of "_load_service_plugin" took 521.60ms
 INFO --- [et.reactor-0] localstack.utils.bootstrap : Execution of "require" took 521.75ms
DEBUG --- [et.reactor-0] l.aws.protocol.serializer  : No accept header given. Using request's Content-Type (application/x-www-form-urlencoded; charset=utf-8) as preferred response Content-Type.
 INFO --- [et.reactor-0] localstack.request.aws     : AWS ec2.CreateSecurityGroup => 200; 000000000000/us-east-1; CreateSecurityGroupRequest({'Description': 'Just an example', 'GroupName': 'example'}, headers={'Host': 'localhost:4566', 'Accept-Encoding': 'identity', 'Content-Type': 'application/x-www-form-urlencoded; charset=utf-8', 'User-Agent': 'aws-cli/1.34.13 md/Botocore#1.35.13 ua/2.0 os/linux#5.15.0-119-generic md/arch#aarch64 lang/python#3.11.9 md/pyimpl#CPython cfg/retry-mode#legacy botocore/1.35.13', 'X-Amz-Date': '20240913T094221Z', 'Authorization': 'AWS4-HMAC-SHA256 Credential=test/20240913/us-east-1/ec2/aws4_request, SignedHeaders=content-type;host;x-amz-date, Signature=bc973a4d197c670fb9298a029d1b721f17a2223cb3064c631fc9ea087743be4e', 'amz-sdk-invocation-id': '8bfa0030-bf83-499b-a2ae-ae0b52254bf1', 'amz-sdk-request': 'attempt=1', 'Content-Length': '96', 'x-moto-account-id': '000000000000'}); CreateSecurityGroupResult({'GroupId': 'sg-95594140376c802f5', 'Tags': []}, headers={'Content-Type': 'text/xml', 'Content-Length': '254'})
DEBUG --- [et.reactor-0] rolo.gateway.wsgi          : POST localhost:4566/
DEBUG --- [et.reactor-0] l.aws.protocol.serializer  : No accept header given. Using request's Content-Type (application/x-www-form-urlencoded; charset=utf-8) as preferred response Content-Type.
 INFO --- [et.reactor-0] localstack.request.aws     : AWS ec2.AuthorizeSecurityGroupIngress => 200; 000000000000/us-east-1; AuthorizeSecurityGroupIngressRequest({'GroupId': 'sg-95594140376c802f5', 'IpPermissions': [{'FromPort': 1, 'IpProtocol': 'tcp', 'IpRanges': [{'CidrIp': '127.0.0.1/32', 'Description': 'first rule'}], 'ToPort': 2}, {'FromPort': 1, 'IpProtocol': 'tcp', 'IpRanges': [{'CidrIp': '127.0.0.2/32', 'Description': 'second rule'}], 'ToPort': 2}]}, headers={'Host': 'localhost:4566', 'Accept-Encoding': 'identity', 'Content-Type': 'application/x-www-form-urlencoded; charset=utf-8', 'User-Agent': 'aws-cli/1.34.13 md/Botocore#1.35.13 ua/2.0 os/linux#5.15.0-119-generic md/arch#aarch64 lang/python#3.11.9 md/pyimpl#CPython cfg/retry-mode#legacy botocore/1.35.13', 'X-Amz-Date': '20240913T094230Z', 'Authorization': 'AWS4-HMAC-SHA256 Credential=test/20240913/us-east-1/ec2/aws4_request, SignedHeaders=content-type;host;x-amz-date, Signature=cec6c131d8ab0ca53547f824333c1b6300fcbce2c5e7b43745be51e55762d67f', 'amz-sdk-invocation-id': 'ef053b1b-2375-4313-82b6-e9b98ab45b59', 'amz-sdk-request': 'attempt=1', 'Content-Length': '449', 'x-moto-account-id': '000000000000'}); AuthorizeSecurityGroupIngressResult({'Return': True, 'SecurityGroupRules': [{'SecurityGroupRuleId': 'sgr-19b625c802efc975a', 'GroupId': 'sg-95594140376c802f5', 'GroupOwnerId': '000000000000', 'IsEgress': False, 'IpProtocol': 'tcp', 'FromPort': 1, 'ToPort': 2, 'CidrIpv4': '127.0.0.2/32', 'Description': 'second rule', 'Tags': []}]}, headers={'Content-Type': 'text/xml', 'Content-Length': '623'})
DEBUG --- [et.reactor-0] rolo.gateway.wsgi          : POST localhost:4566/
DEBUG --- [et.reactor-0] l.aws.protocol.serializer  : No accept header given. Using request's Content-Type (application/x-www-form-urlencoded; charset=utf-8) as preferred response Content-Type.
 INFO --- [et.reactor-0] localstack.request.aws     : AWS ec2.DescribeSecurityGroupRules => 200; 000000000000/us-east-1; DescribeSecurityGroupRulesRequest({'Filters': [{'Name': 'group-id', 'Values': ['sg-95594140376c802f5']}]}, headers={'Host': 'localhost:4566', 'Accept-Encoding': 'identity', 'Content-Type': 'application/x-www-form-urlencoded; charset=utf-8', 'User-Agent': 'aws-cli/1.34.13 md/Botocore#1.35.13 ua/2.0 os/linux#5.15.0-119-generic md/arch#aarch64 lang/python#3.11.9 md/pyimpl#CPython cfg/retry-mode#legacy botocore/1.35.13', 'X-Amz-Date': '20240913T094301Z', 'Authorization': 'AWS4-HMAC-SHA256 Credential=test/20240913/us-east-1/ec2/aws4_request, SignedHeaders=content-type;host;x-amz-date, Signature=7f06f64bed179ce37f8d06da2eed9dd5d382bd0ccae82af02dddd65b5d22a746', 'amz-sdk-invocation-id': '12d61346-e7ee-4d77-88be-ba4abf31a16c', 'amz-sdk-request': 'attempt=1', 'Content-Length': '113', 'x-moto-account-id': '000000000000'}); DescribeSecurityGroupRulesResult({'SecurityGroupRules': [{'SecurityGroupRuleId': 'sgr-c397ed63f861a0362', 'GroupId': 'sg-95594140376c802f5', 'GroupOwnerId': '000000000000', 'IsEgress': False, 'IpProtocol': 'tcp', 'FromPort': 1, 'ToPort': 2, 'CidrIpv4': '127.0.0.1/32', 'Description': 'first rule', 'Tags': []}, {'SecurityGroupRuleId': 'sgr-19b625c802efc975a', 'GroupId': 'sg-95594140376c802f5', 'GroupOwnerId': '000000000000', 'IsEgress': False, 'IpProtocol': 'tcp', 'FromPort': 1, 'ToPort': 2, 'CidrIpv4': '127.0.0.2/32', 'Description': 'second rule', 'Tags': []}, {'SecurityGroupRuleId': 'sgr-6773f91e11c3ff172', 'GroupId': 'sg-95594140376c802f5', 'GroupOwnerId': '000000000000', 'IsEgress': True, 'IpProtocol': '-1', 'FromPort': -1, 'ToPort': -1, 'CidrIpv4': '0.0.0.0/0', 'Tags': []}]}, headers={'Content-Type': 'text/xml', 'Content-Length': '1218'})
DEBUG --- [et.reactor-0] rolo.gateway.wsgi          : POST localhost:4566/
DEBUG --- [et.reactor-0] l.aws.protocol.serializer  : No accept header given. Using request's Content-Type (application/x-www-form-urlencoded; charset=utf-8) as preferred response Content-Type.
 INFO --- [et.reactor-0] localstack.request.aws     : AWS ec2.DescribeSecurityGroups => 200; 000000000000/us-east-1; DescribeSecurityGroupsRequest({}, headers={'Host': 'localhost:4566', 'Accept-Encoding': 'identity', 'Content-Type': 'application/x-www-form-urlencoded; charset=utf-8', 'User-Agent': 'aws-cli/1.34.13 md/Botocore#1.35.13 ua/2.0 os/linux#5.15.0-119-generic md/arch#aarch64 lang/python#3.11.9 md/pyimpl#CPython cfg/retry-mode#legacy botocore/1.35.13', 'X-Amz-Date': '20240913T094315Z', 'Authorization': 'AWS4-HMAC-SHA256 Credential=test/20240913/us-east-1/ec2/aws4_request, SignedHeaders=content-type;host;x-amz-date, Signature=5548d7a38f841a4172461452f955fb05b5fad0ade327d9622262e3e0656d7fd1', 'amz-sdk-invocation-id': 'e33fd5e9-7f7e-40a6-88bf-41e53a53d0a7', 'amz-sdk-request': 'attempt=1', 'Content-Length': '48', 'x-moto-account-id': '000000000000'}); DescribeSecurityGroupsResult({'SecurityGroups': [{'Description': 'default VPC security group', 'GroupName': 'default', 'IpPermissions': [], 'OwnerId': '000000000000', 'GroupId': 'sg-9897979fa57feca88', 'IpPermissionsEgress': [{'IpProtocol': '-1', 'IpRanges': [{'CidrIp': '0.0.0.0/0'}], 'Ipv6Ranges': [], 'PrefixListIds': [], 'UserIdGroupPairs': []}], 'Tags': [], 'VpcId': 'vpc-226bb034'}, {'Description': 'Just an example', 'GroupName': 'example', 'IpPermissions': [{'FromPort': 1, 'IpProtocol': 'tcp', 'IpRanges': [{'CidrIp': '127.0.0.1/32', 'Description': 'first rule'}, {'CidrIp': '127.0.0.2/32', 'Description': 'second rule'}], 'Ipv6Ranges': [], 'PrefixListIds': [], 'ToPort': 2, 'UserIdGroupPairs': []}], 'OwnerId': '000000000000', 'GroupId': 'sg-95594140376c802f5', 'IpPermissionsEgress': [{'IpProtocol': '-1', 'IpRanges': [{'CidrIp': '0.0.0.0/0'}], 'Ipv6Ranges': [], 'PrefixListIds': [], 'UserIdGroupPairs': []}], 'Tags': [], 'VpcId': 'vpc-226bb034'}]}, headers={'Content-Type': 'text/xml', 'Content-Length': '1383'})
DEBUG --- [et.reactor-0] rolo.gateway.wsgi          : POST localhost:4566/
DEBUG --- [et.reactor-0] l.aws.protocol.serializer  : No accept header given. Using request's Content-Type (application/x-www-form-urlencoded; charset=utf-8) as preferred response Content-Type.
 INFO --- [et.reactor-0] localstack.request.aws     : AWS ec2.DescribeSecurityGroupRules => 200; 000000000000/us-east-1; DescribeSecurityGroupRulesRequest({'Filters': [{'Name': 'group-id', 'Values': ['sg-95594140376c802f5']}]}, headers={'Host': 'localhost:4566', 'Accept-Encoding': 'identity', 'Content-Type': 'application/x-www-form-urlencoded; charset=utf-8', 'User-Agent': 'aws-cli/1.34.13 md/Botocore#1.35.13 ua/2.0 os/linux#5.15.0-119-generic md/arch#aarch64 lang/python#3.11.9 md/pyimpl#CPython cfg/retry-mode#legacy botocore/1.35.13', 'X-Amz-Date': '20240913T094335Z', 'Authorization': 'AWS4-HMAC-SHA256 Credential=test/20240913/us-east-1/ec2/aws4_request, SignedHeaders=content-type;host;x-amz-date, Signature=eb57f248aefba9ad37cf9b45bd62979313432999052df7b9475a784ce7ca422c', 'amz-sdk-invocation-id': '22da0bb2-a600-48ca-b07c-d8a4b0171829', 'amz-sdk-request': 'attempt=1', 'Content-Length': '113', 'x-moto-account-id': '000000000000'}); DescribeSecurityGroupRulesResult({'SecurityGroupRules': [{'SecurityGroupRuleId': 'sgr-c397ed63f861a0362', 'GroupId': 'sg-95594140376c802f5', 'GroupOwnerId': '000000000000', 'IsEgress': False, 'IpProtocol': 'tcp', 'FromPort': 1, 'ToPort': 2, 'CidrIpv4': '127.0.0.1/32', 'Description': 'first rule', 'Tags': []}, {'SecurityGroupRuleId': 'sgr-c397ed63f861a0362', 'GroupId': 'sg-95594140376c802f5', 'GroupOwnerId': '000000000000', 'IsEgress': False, 'IpProtocol': 'tcp', 'FromPort': 1, 'ToPort': 2, 'CidrIpv4': '127.0.0.2/32', 'Description': 'second rule', 'Tags': []}, {'SecurityGroupRuleId': 'sgr-19b625c802efc975a', 'GroupId': 'sg-95594140376c802f5', 'GroupOwnerId': '000000000000', 'IsEgress': False, 'IpProtocol': 'tcp', 'FromPort': 1, 'ToPort': 2, 'CidrIpv4': '127.0.0.2/32', 'Description': 'second rule', 'Tags': []}, {'SecurityGroupRuleId': 'sgr-6773f91e11c3ff172', 'GroupId': 'sg-95594140376c802f5', 'GroupOwnerId': '000000000000', 'IsEgress': True, 'IpProtocol': '-1', 'FromPort': -1, 'ToPort': -1, 'CidrIpv4': '0.0.0.0/0', 'Tags': []}]}, headers={'Content-Type': 'text/xml', 'Content-Length': '1550'})
@mcieno mcieno added status: triage needed Requires evaluation by maintainers type: bug Bug report labels Sep 13, 2024
@Anze1508 Anze1508 added aws:ec2 Amazon Elastic Compute Cloud status: backlog Triaged but not yet being worked on and removed status: triage needed Requires evaluation by maintainers labels Sep 16, 2024
@localstack-bot
Copy link
Collaborator

Hello 👋! It looks like this issue hasn’t been active in longer than five months. We encourage you to check if this is still an issue in the latest release. In the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment or upvote with a reaction on the initial post to prevent automatic closure. If the issue is already closed, please feel free to open a new one.

@localstack-bot localstack-bot added the status: stale To be closed soon due to staleness label Feb 13, 2025
@mcieno
Copy link
Author

mcieno commented Feb 13, 2025

This is still an issue in LocalStack 4.1.1 (build date: 2025-02-05, build git hash: 873d150c0).

@localstack-bot localstack-bot removed the status: stale To be closed soon due to staleness label Feb 13, 2025
@dfangl
Copy link
Member

dfangl commented May 23, 2025
edited
Loading

Hi @mcieno - sorry for the late reply.
I have not been able to reproduce this issue today, with the latest image.
The second execution of the command, after the describe operation, does - as expected - return 3 rules, the default egress and the two created ingress rules.
Could you double check if you can confirm this issue is resolved?

@dfangl dfangl added status: response required Waiting for a response from the reporter and removed status: backlog Triaged but not yet being worked on labels May 23, 2025
@mcieno
Copy link
Author

mcieno commented May 23, 2025

Hi @dfangl, unsure what change fixed this but yes, it's resolved in 4.4.0 🎉

Thank you

@mcieno mcieno closed this as completed May 23, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
aws:ec2 Amazon Elastic Compute Cloud status: response required Waiting for a response from the reporter type: bug Bug report
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@dfangl @mcieno @localstack-bot @Anze1508