EC2: security group rule bad behaviours

Open maximeroma opened this issue 1 year ago • 1 comments

First Issue:

I have created an SG rule like this:

response = ec2_client.authorize_security_group_ingress(
    GroupId=group_id,
    IpPermissions=[
        {
            'IpProtocol': rule['ip_protocol'],
            'FromPort': rule['from_port'],
            'ToPort': rule['to_port'],
            'IpRanges': [{'CidrIp': rule['cidr_ipv4'], 'Description': 'Ip test'} if 'cidr_ipv4' in rule else {'CidrIpv6': rule['cidr_ipv6'], 'Description': 'Ip test'}]
        }
    ],
    TagSpecifications=[{
        'ResourceType': 'security-group-rule',
        'Tags': [
            {
                'Key': 'Automation',
                'Value': 'Lambda'
            },
            {
                'Key': 'Partner',
                'Value': 'test'
            },
        ]
    }]
)

It returns a response with no tags:

{'SecurityGroupRules': [{'SecurityGroupRuleId': 'sgr-f1cb3d13e054dcc7a', 'GroupId': 'sg-b54b06d08c2abe95b', 'GroupOwnerId': '123456789012', 'IsEgress': True, 'IpProtocol': '-1', 'CidrIpv4': '0.0.0.0/0', 'Tags': []}, {'SecurityGroupRuleId': 'sgr-8537473175c427978', 'GroupId': 'sg-0a0ae1fd2ff8bd88a', 'GroupOwnerId': '123456789012', 'IsEgress': False, 'IpProtocol': 'tcp', 'FromPort': 80, 'ToPort': 80, 'CidrIpv4': '1.1.1.1/32', 'Tags': []}], ...}

The workaround is to create tags in a second step with ec2.create_tags...

Second issue:

response = ec2_client.describe_security_group_rules(Filters=[{'Name': 'tag:Partner', 'Values': ['test']}])

Response:

botocore.exceptions.ClientError: An error occurred (InvalidGroup.NotFound) when calling the DescribeSecurityGroupRules operation: The security group 'No security groups found matching the filters provided.' does not exist

Without using the Filter argument:

{'SecurityGroupRules': [{'SecurityGroupRuleId': 'sgr-440c08b2647bb596a', 'GroupId': 'sg-47513810a50b65e5c', 'GroupOwnerId': '123456789012', 'IsEgress': True, 'IpProtocol': '-1', 'CidrIpv4': '0.0.0.0/0', 'Tags': []}, {'SecurityGroupRuleId': 'sgr-5d0d181c0dbca42b8', 'GroupId': 'sg-e7fb2d342af75c7cd', 'GroupOwnerId': '123456789012', 'IsEgress': False, 'IpProtocol': 'tcp', 'FromPort': 80, 'ToPort': 80, 'CidrIpv4': '1.1.1.1/32', 'Tags': [{'Key': 'Automation', 'Value': 'Lambda'}, {'Key': 'Partner', 'Value': 'test'}]}], ...}}

maximeroma, Feb 29 '24 16:02

@bblommers I can take a look

rafcio19, Mar 01 '24 18:03

Hi @maximeroma! Both issues should now be fixed as of moto >= 5.0.3.dev45, but let us know if you run into any other issues.

bblommers, Mar 05 '24 14:03
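
For moto versions that predate the fix, the tag filter from the second issue can be applied client-side to an unfiltered describe_security_group_rules response, and the same data can be used to check that automation-created ingress rules carry their tags. This is an added example, not code from the issue or from moto; the function names are hypothetical, and it assumes EC2's filter semantics (values within one filter ORed, separate filters ANDed, case-sensitive `*` and `?` wildcards).

```python
from fnmatch import fnmatchcase

# Two rules taken from the unfiltered output quoted in the issue (GroupOwnerId omitted).
SAMPLE_RULES = [
    {'SecurityGroupRuleId': 'sgr-440c08b2647bb596a', 'GroupId': 'sg-47513810a50b65e5c',
     'IsEgress': True, 'IpProtocol': '-1', 'CidrIpv4': '0.0.0.0/0', 'Tags': []},
    {'SecurityGroupRuleId': 'sgr-5d0d181c0dbca42b8', 'GroupId': 'sg-e7fb2d342af75c7cd',
     'IsEgress': False, 'IpProtocol': 'tcp', 'FromPort': 80, 'ToPort': 80,
     'CidrIpv4': '1.1.1.1/32',
     'Tags': [{'Key': 'Automation', 'Value': 'Lambda'},
              {'Key': 'Partner', 'Value': 'test'}]},
]


def _wild(value, pattern):
    """Case-sensitive match where only * and ? act as wildcards."""
    # fnmatch also understands [seq]; escape '[' so it is treated literally.
    return fnmatchcase(value, pattern.replace('[', '[[]'))


def _matches(rule, flt):
    """Evaluate one {'Name': ..., 'Values': [...]} filter against one rule."""
    tags = {t['Key']: t['Value'] for t in rule.get('Tags', [])}
    name, values = flt['Name'], flt['Values']
    if name.startswith('tag:'):
        key = name[len('tag:'):]
        return key in tags and any(_wild(tags[key], v) for v in values)
    if name == 'tag-key':
        return any(_wild(k, v) for k in tags for v in values)
    raise ValueError(f'unsupported filter: {name}')


def filter_rules(rules, filters):
    """Values inside one filter are ORed; separate filters are ANDed."""
    return [r for r in rules if all(_matches(r, f) for f in filters)]


def untagged_ingress(rules, required_keys):
    """IDs of ingress rules missing any tag key the automation should set."""
    required = set(required_keys)
    return [r['SecurityGroupRuleId'] for r in rules
            if not r['IsEgress']
            and not required <= {t['Key'] for t in r.get('Tags', [])}]
```

Pass `response['SecurityGroupRules']` from an unfiltered call as `rules`; the `filters` argument takes the same list of dicts that boto3's `Filters` parameter does.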