
[AWS::EC2::SecurityGroup] - [Enhancement] - Allow Updates to Rule Descriptions Without Disruption #2259

Open
zachaws opened this issue Feb 13, 2025 · 0 comments
Labels
enhancement New feature or request

Comments


zachaws commented Feb 13, 2025

Name of the resource

AWS::EC2::SecurityGroup

Resource name

No response

Description

Current Behavior and APIs

Currently, when updating Security Group rule descriptions using the AWS::EC2::SecurityGroup [1] resource in CloudFormation, the process involves removing existing rules and recreating them with new descriptions. This is done through a sequence of RevokeSecurityGroupIngress [2] / RevokeSecurityGroupEgress [3] followed by AuthorizeSecurityGroupIngress [4] / AuthorizeSecurityGroupEgress [5] API calls, which can lead to potential service disruptions.

AWS EC2 already provides dedicated APIs (UpdateSecurityGroupRuleDescriptionsIngress [6] and UpdateSecurityGroupRuleDescriptionsEgress [7]) that allow for in-place updates of security group rule descriptions without rule recreation. These APIs are currently utilized by the standalone AWS::EC2::SecurityGroupIngress [8] and AWS::EC2::SecurityGroupEgress [9] resources, but not by the AWS::EC2::SecurityGroup [1] resource.

Proposed Change

Enhance the AWS::EC2::SecurityGroup [1] resource to use the UpdateSecurityGroupRuleDescriptions* [6][7] APIs when only the description field of security group rules is being modified.

This change would eliminate service disruption during description modifications and align the behavior with the standalone Security Group Ingress/Egress resources (AWS::EC2::SecurityGroupIngress [8] and AWS::EC2::SecurityGroupEgress [9]).

Current vs Desired Behavior

Current:

Update Description → RevokeSecurityGroup* → AuthorizeSecurityGroup*

Desired:

Update Description → Direct Update Using UpdateSecurityGroupRuleDescriptions*

Technical Impact

This change would require updating CloudFormation to detect description-only changes and route them to the appropriate API calls, while maintaining the current behavior for other types of rule modifications.

References

[1] - https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-securitygroup.html
[2] - https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RevokeSecurityGroupIngress.html
[3] - https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RevokeSecurityGroupEgress.html
[4] - https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html
[5] - https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupEgress.html
[6] - https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_UpdateSecurityGroupRuleDescriptionsIngress.html
[7] - https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_UpdateSecurityGroupRuleDescriptionsEgress.html
[8] - https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-securitygroupingress.html
[9] - https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-securitygroupegress.html

Other Details

No response
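The detection logic the issue asks for, as an added example that is not CloudFormation's or the reporter's code: it diffs the current and desired ingress rules, keyed on the fields that define a rule, and plans an in-place UpdateSecurityGroupRuleDescriptionsIngress call when only Description changed, falling back to Revoke/Authorize only for structural changes. It assumes flat rule dicts in the shape boto3's describe_security_group_rules returns (one CIDR per rule, ingress only; the egress case is symmetric) and uses constructed sample rules.

```python
# Fields that identify a rule. A change to any of these is structural and
# needs Revoke*/Authorize*; only Description can be changed in place.
RULE_KEY = ("IpProtocol", "FromPort", "ToPort", "CidrIpv4")

def rule_key(rule):
    """Identity of a rule, ignoring its Description."""
    return tuple(rule.get(f) for f in RULE_KEY)

def plan_ingress_update(current, desired):
    """Return (api_name, rule) steps that turn `current` into `desired`.

    Rules present in both lists whose only difference is Description are
    routed to UpdateSecurityGroupRuleDescriptionsIngress, so the rule is
    never revoked and traffic matching it is never interrupted.
    """
    cur = {rule_key(r): r for r in current}
    des = {rule_key(r): r for r in desired}
    plan = []
    # Structural removals first: revoke rules that are no longer wanted.
    for r in current:
        if rule_key(r) not in des:
            plan.append(("RevokeSecurityGroupIngress", r))
    for r in desired:
        k = rule_key(r)
        if k not in cur:                       # structural addition
            plan.append(("AuthorizeSecurityGroupIngress", r))
        elif cur[k].get("Description", "") != r.get("Description", ""):
            plan.append(("UpdateSecurityGroupRuleDescriptionsIngress", r))
    return plan

def is_description_only_change(current, desired):
    """True when the whole update is non-disruptive (no Revoke/Authorize)."""
    return all(api == "UpdateSecurityGroupRuleDescriptionsIngress"
               for api, _ in plan_ingress_update(current, desired))

# Constructed sample: HTTPS from a private range, SSH from a bastion host.
CURRENT_RULES = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "CidrIpv4": "10.0.0.0/8", "Description": "HTTPS"},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "CidrIpv4": "10.1.2.3/32", "Description": "bastion"},
]
DESIRED_RULES = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "CidrIpv4": "10.0.0.0/8", "Description": "HTTPS from corp"},  # text only
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "CidrIpv4": "10.1.2.4/32", "Description": "bastion"},          # new CIDR
]

if __name__ == "__main__":
    for api, rule in plan_ingress_update(CURRENT_RULES, DESIRED_RULES):
        print(api, rule["CidrIpv4"], rule.get("Description"))
```

In the sample, the HTTPS rule gets a single description update while the bastion rule, whose CIDR changed, still goes through the revoke/authorize pair, which is exactly the split the issue proposes.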

@zachaws zachaws added the enhancement New feature or request label Feb 13, 2025