[Bug]: Backend Service on App Runner is ignoring the security groups I define on the service
Description:
When using the following, my custom groups are never defined on the App Runner deployment:

    network:
      vpc:
        placement: private
        security_groups:
          deny_default: true
          groups: [ sg-021be4f595b2a7c79, sg-021a5462b70d2176d ]

I instead always get the default security groups. I've tried this on two separate deployments and the same thing occurs.
Details:
version: v1.33.2, built for darwin AWS EU Region 2 MacOS
Observed result:
My service deploys correctly with no faults, but the custom security groups are not added. I am deploying into a predefined VPC and this is working correctly.
Expected result:
My security groups to be added.
Debugging:
I tried a mixture of adding deny_default and different ways of defining the security groups, including as strings etc., but just can't get it to add them correctly.
Kind of related is that if it were possible to select a preconfigured connector, this would also remove my issue, although of course it's just another point of failure if I'm using the same one for multiple instances. Without being able to apply these custom security groups, my App Runner instance is inaccessible from other services.
Hi, @LiamDotPro!
Configuring your security groups is possible for ECS services (Backend and Load Balanced Web Services), but not for App Runner services (Request-Driven Web Services). https://aws.github.io/copilot-cli/docs/manifest/rd-web-service/
Thanks!
@huanjani Thanks for the feedback. Is it possible to then turn this into a feature request? It seems entirely possible to configure specific security groups onto App Runner in CloudFormation, so I suppose it's possible with Copilot?
Possible dup of #3504
This issue is stale because it has been open 60 days with no response activity. Remove the stale label, add a comment, or this will be closed in 14 days.
Just wanted to bump that I'm still experiencing the same issue and having to continuously re-create the connector when doing deployments; luckily it's not that often we are deploying atm.
Hi @LiamDotPro! I think this can be achieved using YAML patch. Please let me know if that helps with your case.