Merge pull request #4490 from andrestc/ec2-sg-readonly

dgageot · web-flow · commit 635818aba6d3 · 2018-06-04T14:15:21.000+02:00
drivers/amazonec2: adds flag to prevent mutating security groups
diff --git a/drivers/amazonec2/amazonec2.go b/drivers/amazonec2/amazonec2.go
@@ -86,6 +86,7 @@ type Driver struct {
 	SecurityGroupName  string
 	SecurityGroupNames []string
 
+	SecurityGroupReadOnly   bool
 	OpenPorts               []string
 	Tags                    string
 	ReservationId           string
@@ -161,6 +162,11 @@ func (d *Driver) GetCreateFlags() []mcnflag.Flag {
 			Usage:  "AWS VPC subnet id",
 			EnvVar: "AWS_SUBNET_ID",
 		},
+		mcnflag.BoolFlag{
+			Name:   "amazonec2-security-group-readonly",
+			Usage:  "Skip adding default rules to security groups",
+			EnvVar: "AWS_SECURITY_GROUP_READONLY",
+		},
 		mcnflag.StringSliceFlag{
 			Name:   "amazonec2-security-group",
 			Usage:  "AWS VPC security group",
@@ -348,6 +354,7 @@ func (d *Driver) SetConfigFromFlags(flags drivers.DriverOptions) error {
 	d.VpcId = flags.String("amazonec2-vpc-id")
 	d.SubnetId = flags.String("amazonec2-subnet-id")
 	d.SecurityGroupNames = flags.StringSlice("amazonec2-security-group")
+	d.SecurityGroupReadOnly = flags.Bool("amazonec2-security-group-readonly")
 	d.Tags = flags.String("amazonec2-tags")
 	zone := flags.String("amazonec2-zone")
 	d.Zone = zone[:]
@@ -1141,6 +1148,10 @@ func (d *Driver) configureSecurityGroups(groupNames []string) error {
 }
 
 func (d *Driver) configureSecurityGroupPermissions(group *ec2.SecurityGroup) ([]*ec2.IpPermission, error) {
+	if d.SecurityGroupReadOnly {
+		log.Debug("Skipping permission configuration on security groups")
+		return nil, nil
+	}
 	hasPorts := make(map[string]bool)
 	for _, p := range group.IpPermissions {
 		if p.FromPort != nil {
diff --git a/drivers/amazonec2/amazonec2_test.go b/drivers/amazonec2/amazonec2_test.go
@@ -98,6 +98,15 @@ func TestConfigureSecurityGroupPermissionsDockerAndSsh(t *testing.T) {
 	assert.Empty(t, perms)
 }
 
+func TestConfigureSecurityGroupPermissionsSkipReadOnly(t *testing.T) {
+	driver := NewTestDriver()
+	driver.SecurityGroupReadOnly = true
+	perms, err := driver.configureSecurityGroupPermissions(securityGroup)
+
+	assert.Nil(t, err)
+	assert.Len(t, perms, 0)
+}
+
 func TestConfigureSecurityGroupPermissionsOpenPorts(t *testing.T) {
 	driver := NewTestDriver()
 	driver.OpenPorts = []string{"8888/tcp", "8080/udp", "9090"}
