Using DescribeSecurityGroup IpPermissions in RevokeSecurityGroupIngress Raises Error #1716
Comments
Thanks for the info! I've passed this issue to service team, will update. |
AWS Support thinks it's the fault of the API library.
|
When I throw some debugging into the aws client, I see that my request params properly includes the
|
I revisited your issue; the snippet below works for me:
Can you tell me which operation causes the dry-run mismatch for you? I was working with support, and the error he provided to me is different from what you have mentioned earlier; I couldn't reproduce a scenario where the SDK doesn't use the parameter provided. I'll work with him to see what issue he ran into. Also, to help with debugging, you can set |
Are you testing with security group rules that refer to other security groups? I'm performing this on the security groups that EMR generates ingress rules onto.
|
taking a look, I finally can reproduce this, will update |
Okay, I finally realize what's going on there @phene
It means EXACTLY ONE of those. It doesn't mean that you are missing parameters; it's saying that you can only provide one per API call. I'll contact the service team to update their doc and error message on this, it's quite misleading. |
That doesn't make sense -- doesn't your earlier test pass both ip-range and ipv6-range given they are properties of |
@phene My bad, it's my mistake in my earlier code snippet, I do miss the |
So is the conclusion that revoking via IpPermissions is not supported? This goes against SDK docs. |
The point is you might need to do some tweaks instead of passing through the |
OK, then the SDK docs and parameter validation should be updated to reflect that. It's rather inconvenient to do this since an |
Sorry about the confusion, I can totally see where you're following the way the docs are written, and how the exception name you got back from the service is not helpful (upon re-reading it does seem to say the key "exactly one" provision, but I read it the way you did the first time). We've passed this feedback on to the service team and will press for a change to the shared documentation for this method. |
That aside, have you been able to get your calls working with this clarification? |
Not yet... I'm not even sure what to do with this error message or the VPC it mentions. There's no VPC ID parameter in the

    def clear_security_group_rules
      security_groups.each do |security_group|
        Helpers.info "Clearing security group ingress rules for #{security_group.group_name}"
        puts security_group.to_hash
        security_group.ip_permissions.each do |ip_permission|
          revocations(ip_permission).each do |revocation|
            revocation.merge!(group_id: security_group.group_id)
            puts revocation
            Helpers.call_aws(
              ec2_client, :revoke_security_group_ingress,
              revocation
            )
          end
        end
      end
    end

    # One revoke request hash per security group referenced by the rule.
    def revocations(ip_permission)
      [].tap do |rules|
        if ip_permission.user_id_group_pairs.any?
          ip_permission.user_id_group_pairs.each do |user_id_group_pair|
            rules << {
              ip_protocol: ip_permission.ip_protocol,
              to_port: ip_permission.to_port,
              source_security_group_name: user_id_group_pair.group_id,
              source_security_group_owner_id: user_id_group_pair.user_id,
            }
          end
        end
      end
    end
|
I see that |
Somehow, this works via the CLI: |
Sending one ip_permission entry at a time (like the aws cli) yields the same original error:

    def clear_security_group_rules
      security_groups.each do |security_group|
        Helpers.info "Clearing security group ingress rules for #{security_group.group_name}"
        security_group.ip_permissions.each do |ip_permission|
          next unless ip_permission.user_id_group_pairs.any?
          ip_permission.user_id_group_pairs.each do |user_id_group_pair|
            # Copy the rule as returned by describe_security_groups, keeping a single pair.
            ip_perm = ip_permission.to_hash
            ip_perm[:user_id_group_pairs] = [user_id_group_pair.to_hash]
            ec2_client.revoke_security_group_ingress(
              group_id: security_group.group_id,
              ip_permissions: [ip_perm]
            )
          end
        end
      end
    end
|
It appears that removing the "empty" key/value pairs fixes the issue. Reconstructing a new hash (rather than using to_hash, which includes |
To summarize this issue. I cannot send:

    {
      group_id: [elided],
      ip_permissions: [
        {
          :from_port => 0,
          :ip_protocol => "tcp",
          :ip_ranges => [],
          :ipv_6_ranges => [],
          :prefix_list_ids => [],
          :to_port => 65535,
          :user_id_group_pairs => [
            {:group_id => "[elided1]", :user_id => "[elided1]"},
            {:group_id => "[elided2]", :user_id => "[elided2]"}
          ]
        },
        {
          :from_port => -1,
          :ip_protocol => "icmp",
          :ip_ranges => [],
          :ipv_6_ranges => [],
          :prefix_list_ids => [],
          :to_port => -1,
          :user_id_group_pairs => [
            {:group_id => "[elided1]", :user_id => "[elided1]"},
            {:group_id => "[elided2]", :user_id => "[elided2]"}
          ]
        },
      ]
    }

But I can send:

    {
      group_id: [elided],
      ip_permissions: [{
        :from_port => 0,
        :ip_protocol => "tcp",
        :to_port => 65535,
        :user_id_group_pairs => [
          {:group_id => "[elided1]", :user_id => "[elided1]"}
        ]
      }]
    }

and

    {
      group_id: [elided],
      ip_permissions: [{
        :from_port => 0,
        :ip_protocol => "tcp",
        :to_port => 65535,
        :user_id_group_pairs => [
          {:group_id => "[elided2]", :user_id => "[elided2]"}
        ]
      }]
    }

and

    {
      group_id: [elided],
      ip_permissions: [{
        :from_port => -1,
        :ip_protocol => "icmp",
        :to_port => -1,
        :user_id_group_pairs => [
          {:group_id => "[elided1]", :user_id => "[elided1]"}
        ]
      }]
    }

, etc... |
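The rewrite the last two comments arrive at, as an added example that is not code from the issue author or from aws-sdk-ruby: it takes hashes shaped like the to_hash output quoted above, drops the empty ip_ranges / ipv_6_ranges / prefix_list_ids arrays, splits each permission so that every entry names exactly one remote source, and checks that "exactly one" rule locally before building a revoke_security_group_ingress request. The function names, the target group id, the sg-placeholder ids and the 203.0.113.0/24 CIDR are constructed for the example; nothing here talks to AWS, so it runs offline.

```ruby
# Added example, not the issue author's code and not part of aws-sdk-ruby.
# Converts describe_security_groups ip_permissions hashes into request bodies
# that revoke_security_group_ingress accepts.

# Keys that name a remote source. The service requires exactly one per entry.
REMOTE_SOURCE_KEYS = %i[user_id_group_pairs ip_ranges ipv_6_ranges prefix_list_ids].freeze
# Keys copied unchanged into every split entry.
PORT_KEYS = %i[ip_protocol from_port to_port].freeze

# Builds one revoke-ready hash per remote source found in a permission.
# Empty arrays (what to_hash emits for unused sources) simply contribute no entries,
# so they disappear from the output instead of being sent as empty lists.
def split_ip_permission(ip_permission)
  base = ip_permission.slice(*PORT_KEYS).reject { |_k, v| v.nil? }
  REMOTE_SOURCE_KEYS.flat_map do |key|
    Array(ip_permission[key]).map { |source| base.merge(key => [source]) }
  end
end

# Expands a whole ip_permissions array into single-source entries.
def normalize_ip_permissions(ip_permissions)
  ip_permissions.flat_map { |perm| split_ip_permission(perm) }
end

# Local mirror of the service-side rule quoted in the error message:
# exactly one of remote-security-group, remote-ip-range, remote-ipv6-range
# or prefix-list-id must be present.
def exactly_one_remote_source?(ip_permission)
  REMOTE_SOURCE_KEYS.count { |key| Array(ip_permission[key]).any? } == 1
end

# Full request bodies, one per rule, ready for ec2_client.revoke_security_group_ingress(**req).
def revocation_requests(group_id, ip_permissions)
  normalize_ip_permissions(ip_permissions).map do |perm|
    unless exactly_one_remote_source?(perm)
      raise ArgumentError, "rule does not name exactly one remote source: #{perm.inspect}"
    end
    { group_id: group_id, ip_permissions: [perm] }
  end
end

# Constructed sample shaped like the to_hash output quoted in the issue.
# Group ids, account ids and the CIDR are placeholders, not real identifiers.
SAMPLE_IP_PERMISSIONS = [
  {
    from_port: 0, ip_protocol: "tcp", to_port: 65535,
    ip_ranges: [], ipv_6_ranges: [], prefix_list_ids: [],
    user_id_group_pairs: [
      { group_id: "sg-placeholder1", user_id: "111111111111" },
      { group_id: "sg-placeholder2", user_id: "222222222222" }
    ]
  },
  {
    from_port: 22, ip_protocol: "tcp", to_port: 22,
    ip_ranges: [{ cidr_ip: "203.0.113.0/24" }], ipv_6_ranges: [], prefix_list_ids: [],
    user_id_group_pairs: []
  }
].freeze

if __FILE__ == $PROGRAM_NAME
  # Prints three requests: two for the group-pair rule, one for the CIDR rule.
  revocation_requests("sg-placeholder-target", SAMPLE_IP_PERMISSIONS).each { |req| p req }
end
```

Each request carries a single rule, which keeps the failure of one revoke from masking the others and lets a caller log exactly which rule the service rejected. Running the split on the real output of describe_security_groups is the same call with `security_group.ip_permissions.map(&:to_hash)` as the second argument.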
To follow up, we have been working with the service team to make sure error messages are enhanced in similar situations : ) Appreciate your patience and efforts! |
Issue description
Passing the ip_permissions property of the result of describe_security_groups to revoke_security_group_ingress results in a server error:
Aws::EC2::Errors::InvalidParameterValue: missing mandatory parameter: exactly one of remote-security-group, remote-ip-range, remote-ipv6-range, or prefix-list-id must be present
This is due to the definition of rules that reference other security groups, which take the format:
There appears to be a mismatch in expectations between the client code and server code, since adding dry_run: true to my request results in:
Aws::EC2::Errors::DryRunOperation: Request would have succeeded, but DryRun flag is set.
Background
Because of a cyclical dependency issue between EMR-managed security groups, I'm attempting to clear the rules from them before letting CloudFormation delete them. Before my CloudFormation stack delete code runs, I attempt to run DataPipeline#clear_security_group_rules, defined below.
Gem name
aws-sdk-ec2 @ 1.27.0 and 1.25.0
Version of Ruby, OS environment
MacOS Sierra, ruby-2.4.2
Code snippets / steps to reproduce