fix(ec2): default-VPC region coherence + CreateDefault idempotency + delete protection#1761
Merged
Merged
Conversation
…delete protection Bug-hunt 2026-06-18 findings 1.1, 1.2, 1.3 + delete-protection. - 1.1: default-resource ids were seeded on (account, region, role), but read handlers build a throwaway Ec2State::new(account, req.region) for accounts that don't exist yet -- where req.region is the caller's SigV4 scope, not the server's region. When they differed, a no-subnet RunInstances stamped the instance with subnet/VPC ids that didn't exist in its own persisted account. Drop region from the id seed (deterministic_id is now region-independent); fakecloud pins one region per server anyway, so read and persist now always agree. AZ/CIDR cosmetics still use the region. - 1.3: CreateDefaultVpc now returns the seeded default VPC instead of minting a second isDefault=true VPC (impossible on AWS). - 1.2: CreateDefaultSubnet now attaches to the account's real default VPC (was the literal "vpc-default", which matched no VPC and orphaned the subnet) and returns the existing per-AZ default subnet when one exists. - delete-protection: DeleteSecurityGroup on the `default` group -> CannotDelete; DeleteNetworkAcl on a default NACL -> CannotDeleteDefaultNetworkAcl, matching AWS. Prevents a VPC ending up with no default SG (which made a later no-SecurityGroupId RunInstances launch with an empty group list). Tests: unit tests for region-independent ids; e2e for idempotent CreateDefaultVpc, CreateDefaultSubnet attaching to the real default VPC, and default SG/NACL delete rejection. Full EC2 conformance 769/769.
Codecov Report❌ Patch coverage is 📢 Thoughts on this report? Let us know! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Bug-hunt 2026-06-18 findings 1.1, 1.2, 1.3, + delete-protection.
(account, region, role), but read handlers build a throwawayEc2State::new(account, req.region)for accounts that don't exist yet, wherereq.regionis the caller's SigV4 scope, not the server's region. When they differed (serverus-east-1, clienteu-west-1), a no-subnetRunInstancesstamped the instance with subnet/VPC ids absent from its own persisted account. Fix:deterministic_idis now region-independent (fakecloud pins one region per server), so read-path and persisted ids always agree.CreateDefaultVpcnow returns the seeded default VPC instead of minting a secondisDefault=trueVPC.CreateDefaultSubnetnow attaches to the account's real default VPC (was the literalvpc-default, which matched no VPC and orphaned the subnet) and returns the existing per-AZ default subnet when one exists.DeleteSecurityGroupon thedefaultgroup →CannotDelete;DeleteNetworkAclon a default NACL →CannotDeleteDefaultNetworkAcl(matches AWS). Prevents a VPC ending up with no default SG.Test plan
cargo test -p fakecloud-ec2— unit tests for region-independent ids (incl. read-vs-persist agreement across regions).cargo test -p fakecloud-e2e --test ec2_instance_control_plane— idempotent CreateDefaultVpc, CreateDefaultSubnet attaches to the real default VPC, default SG/NACL delete rejection (20/20).cargo test -p fakecloud-conformance --test ec2— 769/769.Summary by cubic
Fixes EC2 default network behavior: default resource IDs are now region-independent, CreateDefaultVpc/Subnet are idempotent and attach correctly, and default SG/NACL delete protection matches AWS. This prevents mismatched IDs on cross-region reads and avoids orphaned subnets or missing default groups.
deterministic_idregion-independent so read paths and persisted state agree; no-subnet RunInstances now lands in the real default VPC/subnet.CannotDelete) and default NACL (CannotDeleteDefaultNetworkAcl) to prevent invalid states.Written for commit cf23a74. Summary will update on new commits.