diff --git a/internal/cloud/awscloud/secure-instance.go b/internal/cloud/awscloud/secure-instance.go index 2adfdbd79..fccbe506a 100644 --- a/internal/cloud/awscloud/secure-instance.go +++ b/internal/cloud/awscloud/secure-instance.go @@ -274,75 +274,6 @@ func (a *AWS) createOrReplaceSG(hostInstanceID, hostIP, vpcID string) (string, e if err != nil { return sgID, err } - if len(describeSGOutput.SecurityGroups) != 1 { - return sgID, fmt.Errorf("Expected 1 security group, got %d", len(describeSGOutput.SecurityGroups)) - } - - if len(describeSGOutput.SecurityGroups[0].IpPermissionsEgress) != 1 { - return sgID, fmt.Errorf("Expected exactly 1 egress rule on the security group (got %d)", len(describeSGOutput.SecurityGroups[0].IpPermissionsEgress)) - } - - describeSGROutput, err := a.ec2.DescribeSecurityGroupRules(&ec2.DescribeSecurityGroupRulesInput{ - Filters: []*ec2.Filter{ - &ec2.Filter{ - Name: aws.String("group-id"), - Values: []*string{ - aws.String(sgID), - }, - }, - }, - }) - if err != nil { - return sgID, err - } - - for _, rule := range describeSGROutput.SecurityGroupRules { - if *rule.IsEgress { - revokeOutput, err := a.ec2.RevokeSecurityGroupEgress(&ec2.RevokeSecurityGroupEgressInput{ - GroupId: aws.String(sgID), - SecurityGroupRuleIds: []*string{ - rule.SecurityGroupRuleId, - }, - }) - if err != nil { - return sgID, err - } - if !*revokeOutput.Return { - return sgID, fmt.Errorf("Failed to revoke security group %s's egress rule %s", sgID, *rule.SecurityGroupRuleId) - } - } - } - - sgEgressOutput, err := a.ec2.AuthorizeSecurityGroupEgress(&ec2.AuthorizeSecurityGroupEgressInput{ - GroupId: aws.String(sgID), - IpPermissions: []*ec2.IpPermission{ - &ec2.IpPermission{ - IpProtocol: aws.String(ec2.ProtocolTcp), - FromPort: aws.Int64(1), - ToPort: aws.Int64(65535), - IpRanges: []*ec2.IpRange{ - &ec2.IpRange{ - CidrIp: aws.String(fmt.Sprintf("%s/32", hostIP)), - }, - }, - }, - }, - }) - if err != nil { - return sgID, err - } - if !*sgEgressOutput.Return { - return sgID, fmt.Errorf("Unable to attach egress rules to SG") - } - - describeSGOutput, err = a.ec2.DescribeSecurityGroups(&ec2.DescribeSecurityGroupsInput{ - GroupIds: []*string{ - aws.String(sgID), - }, - }) - if err != nil { - return sgID, err - } // SGs are created with a predefind egress rule that allows all outgoing traffic, so expecting 1 outbound rule if len(describeSGOutput.SecurityGroups[0].IpPermissions) != 1 || len(describeSGOutput.SecurityGroups[0].IpPermissionsEgress) != 1 {