EFS SecurityGroup Warning

This patch fixes #511 by sending an instance's full SG list to the remote service where the EFS storage driver examines the server-side SG list with the client-side list. If any of the server-side SGs are not present in the client-side list a warning will be logged in order to assist with debugging.
thecodeteam · Jun 26, 2017 · 32bf893 · 32bf893
1 parent 6939c3b
commit 32bf893
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 5 deletions.
diff --git a/drivers/storage/efs/storage/efs_storage.go b/drivers/storage/efs/storage/efs_storage.go
@@ -657,18 +657,44 @@ func (d *driver) VolumeAttach(
 	// No mount targets were found
 	if ma == nil {
 
+		var iSecGrpIDs []string
 		secGrpIDs := d.secGroups
 		if v, ok := iid.Fields[efs.InstanceIDFieldSecurityGroups]; ok {
-			iSecGrpIDs := strings.Split(v, ";")
-			ctx.WithField("secGrpIDs", iSecGrpIDs).Debug(
-				"using instance security group IDs")
-			secGrpIDs = iSecGrpIDs
+			iSecGrpIDs = strings.Split(v, ";")
+			if len(iSecGrpIDs) == 1 {
+				ctx.WithField("secGrpIDs", iSecGrpIDs).Debug(
+					"using instance security group IDs")
+				secGrpIDs = iSecGrpIDs
+			}
 		}
 
 		if len(secGrpIDs) == 0 {
 			return nil, "", errInvalidSecGroups
 		}
 
+		// make sure all of the request security groups
+		// are available on the instance
+		var missingSecGrpIDs []string
+		for _, csg := range secGrpIDs {
+			var found bool
+			for _, isg := range iSecGrpIDs {
+				if csg == isg {
+					found = true
+					break
+				}
+			}
+			if !found {
+				missingSecGrpIDs = append(missingSecGrpIDs, csg)
+			}
+		}
+
+		// log a warning if any of the server-side defined SGs
+		// are not present in the list sent by the client instance
+		if len(missingSecGrpIDs) > 0 {
+			log.WithField("missingStorageGroups", missingSecGrpIDs).Warn(
+				"configured sec grps not present on instance")
+		}
+
 		request := &awsefs.CreateMountTargetInput{
 			FileSystemId:   aws.String(vol.ID),
 			SubnetId:       aws.String(iid.ID),

diff --git a/drivers/storage/efs/utils/utils.go b/drivers/storage/efs/utils/utils.go
@@ -93,7 +93,7 @@ func InstanceID(ctx types.Context) (*types.InstanceID, error) {
 		efs.InstanceIDFieldAvailabilityZone: iid.AvailabilityZone,
 	}
 
-	if len(secGroups) == 1 {
+	if len(secGroups) > 0 {
 		iidFields[efs.InstanceIDFieldSecurityGroups] = strings.Join(
 			secGroups, ";")
 	}