EC2 IPSec security group ports open even when disabled #14293
Description
Describe the bug
When deploying to ec2-cloud, and the ipsec_enabled parameter
is false a new EC2 external firewall Security Group is created
with two unnecessary ingress firewalls rules. The two inbound ipsec
ports are 500 and 4500. Since the ipsec strongswan role is exlcuded,
there is no strongswan VPN deployed on the new hosted instance, so
no need for these open ports.
To Reproduce
Steps to reproduce the behavior:
- Change the config.cfg
ipsec_enabledparameter tofalse - Run the Algo ansible script and choose EC2 as the cloud provider
- After Algo completes the deployment, note the public IPv4 shown in
the final lines of "PLAY RECAP"
-
If AWS SDK is installed, run this
describe-security-groupsand
describe-instancescli command using the public IP to see the
ingress rules which were created:EC2IP=nn.nn.nn.nn && aws ec2 describe-security-groups --filters \ Name=group-id,Values=$(aws ec2 describe-instances --filters \ Name=network-interface.association.public-ip,Values=$EC2IP \ --query 'Reservations[*].Instances[*].SecurityGroups[*].[GroupId]' \ --output text) \ --query 'SecurityGroups[*].[IpPermissions]' -
Another way to view the rules is in the AWS Dashboard->AWS Services
->CloudFormation->Stacks page. Examine the Stack Details->Resources
to find the InstanceSecurityGroup which was created. Open the Physical
ID of the SG to view the Inbound Rules
Expected behavior
When ipsec_enabled = false, there should only be two security group
rules. One for SSH and one for Wireguard.
Additional context
Perhaps consider the case when wireguard_enabled = false as well.
Do not open that port when not enabled.