Bug 1919072

Summary: [AWS] use protocol number 50 instead of protocol name esp in AWS cloudformation template
Product: OpenShift Container Platform
Reporter: Yunfei Jiang <yunjiang>
Component: Installer
Assignee: Mark Gray <mark.d.gray>
Installer sub component: openshift-installer
QA Contact: Yunfei Jiang <yunjiang>
Status: CLOSED CURRENTRELEASE
Docs Contact:
Severity: high
Priority: unspecified
CC: mstaeble
Version: 4.7
Target Milestone: ---
Target Release: 4.7.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-02-10 09:53:32 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Yunfei Jiang 2021-01-22 03:59:17 UTC
Got the following error when creating a security group ingress rule with the esp protocol using AWS CloudFormation:
`Invalid value ‘esp’ for IP protocol. Unknown protocol.`

AWS CloudFormation does not support the protocol name `esp`, but it does support protocol numbers [1], and the esp protocol number is 50 [2].

Replace `IpProtocol: esp` with `IpProtocol: 50` in the following lines:
https://github.com/openshift/installer/blob/master/upi/aws/cloudformation/03_cluster_security.yaml#L163
https://github.com/openshift/installer/blob/master/upi/aws/cloudformation/03_cluster_security.yaml#L191
https://github.com/openshift/installer/blob/master/upi/aws/cloudformation/03_cluster_security.yaml#L359
https://github.com/openshift/installer/blob/master/upi/aws/cloudformation/03_cluster_security.yaml#L387
[1][AWS::EC2::SecurityGroupIngress - AWS CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group-ingress.html#cfn-ec2-security-group-ingress-ipprotocol)
[2][Protocol Numbers](https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml)
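
The check below is an added example for this report, not code from the installer or from the reporter. It scans a CloudFormation template for `IpProtocol` values that EC2 rejects: the `AWS::EC2::SecurityGroupIngress` property accepts only the names `tcp`, `udp`, `icmp` and `icmpv6` (plus `-1` for all protocols), so every other protocol, ESP included, has to be written as its IANA number. The scanner is line based so it needs no YAML library; the sample template, its resource names, the `ipsec` placeholder value and the small protocol-number table are constructed for the example.

```python
"""Find (and optionally rewrite) IpProtocol values that AWS CloudFormation rejects.

Added example for this bug report; not the installer's own code. The set of
accepted names follows the AWS::EC2::SecurityGroupIngress documentation; the
sample template and the IANA subset below are constructed for the example.
"""
import re

# Names the IpProtocol property accepts by name; anything else must be numeric.
ACCEPTED_NAMES = {"tcp", "udp", "icmp", "icmpv6", "-1"}

# Small subset of the IANA protocol-numbers registry, used only to suggest a
# numeric replacement for a rejected name.
IANA_PROTOCOL_NUMBERS = {
    "gre": 47,
    "esp": 50,
    "ah": 51,
    "ipv6-icmp": 58,
}

# Matches "IpProtocol: <value>" (also as a "- IpProtocol:" list item) and keeps
# any trailing YAML comment so a rewrite does not drop it.
IPPROTOCOL_RE = re.compile(
    r"^(?P<prefix>\s*(?:-\s+)?IpProtocol:\s*)(?P<value>\S+)(?P<rest>\s*(?:#.*)?)$"
)

# Constructed template: one rejected name (esp), one accepted name (tcp),
# one already-numeric rule (50) and one bogus name with no known number.
SAMPLE_TEMPLATE = """\
Resources:
  MasterIngressEsp:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !GetAtt MasterSecurityGroup.GroupId
      IpProtocol: esp
      SourceSecurityGroupId: !GetAtt WorkerSecurityGroup.GroupId
  MasterIngressKube:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !GetAtt MasterSecurityGroup.GroupId
      IpProtocol: tcp
      FromPort: 6443
      ToPort: 6443
      SourceSecurityGroupId: !GetAtt WorkerSecurityGroup.GroupId
  WorkerIngressEspFixed:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !GetAtt WorkerSecurityGroup.GroupId
      IpProtocol: 50
      SourceSecurityGroupId: !GetAtt MasterSecurityGroup.GroupId
  WorkerIngressBogus:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !GetAtt WorkerSecurityGroup.GroupId
      IpProtocol: "ipsec"
      SourceSecurityGroupId: !GetAtt MasterSecurityGroup.GroupId
"""


def normalize(value):
    """Strip YAML quoting and case so esp, 'esp' and "ESP" compare equal."""
    return value.strip().strip("'\"").lower()


def is_accepted(value):
    """True if EC2 accepts this IpProtocol value as written (name or 0-255 number)."""
    v = normalize(value)
    if v in ACCEPTED_NAMES:
        return True
    return v.isdigit() and 0 <= int(v) <= 255


def find_rejected_protocols(template_text):
    """Return [(line_number, value_as_written, suggested_number_or_None)]."""
    findings = []
    for line_no, line in enumerate(template_text.splitlines(), start=1):
        m = IPPROTOCOL_RE.match(line)
        if not m or is_accepted(m.group("value")):
            continue
        suggestion = IANA_PROTOCOL_NUMBERS.get(normalize(m.group("value")))
        findings.append((line_no, m.group("value"), suggestion))
    return findings


def rewrite_protocols(template_text):
    """Replace rejected names that have a known IANA number; leave others untouched."""
    out = []
    for line in template_text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        ending = line[len(body):]
        m = IPPROTOCOL_RE.match(body)
        if m and not is_accepted(m.group("value")):
            number = IANA_PROTOCOL_NUMBERS.get(normalize(m.group("value")))
            if number is not None:
                body = f"{m.group('prefix')}{number}{m.group('rest')}"
        out.append(body + ending)
    return "".join(out)


if __name__ == "__main__":
    for line_no, value, suggestion in find_rejected_protocols(SAMPLE_TEMPLATE):
        hint = f"use {suggestion}" if suggestion is not None else "no IANA number known"
        print(f"line {line_no}: IpProtocol {value} is rejected by CloudFormation ({hint})")
```

Run against a real template file by reading it into `find_rejected_protocols`; a value the table does not know is reported with no suggestion rather than guessed, so the reviewer still looks it up in the IANA registry [2] before editing.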

Comment 1 Matthew Staebler 2021-01-22 05:26:43 UTC
This was introduced in the fix for https://bugzilla.redhat.com/show_bug.cgi?id=1916373. Assigning to Mark.

Comment 2 Mark Gray 2021-01-22 13:56:45 UTC
Hi, did this fail the installation or did the installation proceed?

Comment 4 Yunfei Jiang 2021-01-25 04:10:29 UTC
(In reply to Mark Gray from comment #2)
> Hi, did this fail the installation or did the installation proceed?

The CloudFormation stack cannot be created successfully due to the error `Invalid value ‘esp’ for IP protocol. Unknown protocol.`
It blocks the installation process.

Comment 5 Yunfei Jiang 2021-01-25 04:13:37 UTC
Verified. PASS.
OCP version: 4.7.0-0.nightly-2021-01-21-090809