Closed manuelh2410 closed 3 years ago
Similar issue https://github.com/aws/aws-tools-for-powershell/issues/196 for Grant-EC2SecurityGroupIngress
was opened yesterday and closed.
Hi @manuelh2410,
Good morning.
Unfortunately, I'm unable to reproduce the issue using the following PowerShell commands:
Create IP Range object:
$IpRange = New-Object -TypeName Amazon.EC2.Model.IpRange
$IpRange.CidrIp = "5.5.5.5/32"
$IpRange.Description = "SSH from Office"
Create IP Permission object:
$IpPermission = New-Object Amazon.EC2.Model.IpPermission
$IpPermission.IpProtocol = "tcp"
$IpPermission.ToPort = 22
$IpPermission.FromPort = 22
$IpPermission.Ipv4Ranges = $IpRange
Verify the output of $IpPermission:
FromPort : 22
IpProtocol : tcp
Ipv4Ranges : {Amazon.EC2.Model.IpRange}
Ipv6Ranges : {}
PrefixListIds : {}
ToPort : 22
UserIdGroupPairs : {}
Verify output of Get-EC2SecurityGroup -GroupName launch-wizard-1:
Description : launch-wizard-1 created 2021-01-22T14:58:28.097-08:00
GroupId : sg-05ff42XXXXXXXXXXX
GroupName : launch-wizard-1
IpPermissions : {Amazon.EC2.Model.IpPermission}
IpPermissionsEgress : {Amazon.EC2.Model.IpPermission}
OwnerId : NNNNNNNNNNNN
Tags : {}
VpcId : vpc-XXXXXXXX
Execute Set-Variable -Name ExistingSSH -Value ((Get-EC2SecurityGroup -GroupName launch-wizard-1).GroupId)
Verify output of $ExistingSSH:
sg-05ff42XXXXXXXXXXX
Execute Grant-EC2SecurityGroupIngress -GroupID $ExistingSSH -IpPermission $IpPermission.
Please verify if you are able to validate your command using the above logic and if this is still an issue.
Thanks, Ashish
Good Day,
Thanks for your response. I added my repro steps in my original correspondence. If this is a transient issue, then that's also a problem :-) I opened and closed #196 because I assumed that both the Grant and Revoke versions of this commandlet exhibited the issue. The issue title of issue #196 was also incorrect. I've tested again today and was unable to reproduce the issue. I will monitor this for a few days before I rewrite my code to include the command.
@manuelh2410 Sure, let me know when we could close this issue since it is not reproducible.
This issue has not received a response in 2 weeks. If you want to keep this issue open, please just leave a comment below and auto-close will be canceled.
Description
Commandlet: "https://github.com/aws/aws-tools-for-powershell/blob/master/modules/AWSPowerShell/Cmdlets/EC2/Basic/Revoke-EC2SecurityGroupIngress-Cmdlet.cs"
Documentation: "https://docs.aws.amazon.com/powershell/latest/reference/items/Revoke-EC2SecurityGroupIngress.html" clearly states that the -GroupID parameter is supposed to be a "string" value.
The problem arises when one attempts to use a variable ex:($ExistingSSH), containing a string value, as input for the GroupID parameter.
For example, when the following command is issued
(Set-Variable -Name ExisingSSH -Value ((Get-EC2SecurityGroup -GroupName SSH).Groupid)
$ip1 = @{ IpProtocol="tcp"; FromPort="22"; ToPort="22"; IpRanges="$OLDIP"}
Grant-EC2SecurityGroupIngress -GroupID $ExistingSSH -IpPermission @( $ip1 )
The following result is returned by the API, indicating that the commandlet is unable to convert the variable into an acceptable string for the API, or that the API is unable to interpret the variable as "string" input.
Error:
"PS C:\Windows\system32> Grant-EC2SecurityGroupIngress -GroupID $ExistingSSH -IpPermission @( $ip1 )
Grant-EC2SecurityGroupIngress : The request must contain the parameter groupName or groupId
At line:1 char:1
+ Grant-EC2SecurityGroupIngress -GroupID $ExistingSSH -IpPermission @( ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (Amazon.PowerShe...upIngressCmdlet:GrantEC2SecurityGroupIngressCmdlet) [Grant-EC2SecurityGroupIngress], InvalidOperationException
Reproduction Steps
For example, when the following commands are issued
(Set-Variable -Name ExisingSSH -Value ((Get-EC2SecurityGroup -GroupName SSH).Groupid)
$ip1 = @{ IpProtocol="tcp"; FromPort="22"; ToPort="22"; IpRanges="$OLDIP"}
Grant-EC2SecurityGroupIngress -GroupID $ExistingSSH -IpPermission @( $ip1 )
The "Grant-EC2SecurityGroupIngress" Commandlet on the other hand, has no issues processing this api call
Grant-EC2SecurityGroupIngress -GroupID $ExistingRDP -IpPermission @( $ip1 )
does not result in an error.
The "-GroupName" parameter for the "Revoke-EC2SecurityGroupIngress" commandlet also accepts variables without issue. Example:
Revoke-EC2SecurityGroupIngress -GroupName $groupname -IpPermission @($ip1)
Logs
see error output:
Error:
"PS C:\Windows\system32> Grant-EC2SecurityGroupIngress -GroupID $ExistingSSH -IpPermission @( $ip1 )
Grant-EC2SecurityGroupIngress : The request must contain the parameter groupName or groupId
At line:1 char:1
+ Grant-EC2SecurityGroupIngress -GroupID $ExistingSSH -IpPermission @( ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (Amazon.PowerShe...upIngressCmdlet:GrantEC2SecurityGroupIngressCmdlet) [Grant-EC2SecurityGroupIngress], InvalidOperationException
Environment
Powershell tools : https://sdk-for-net.amazonwebservices.com/ps/v4/latest/AWSPowerShell.zip
Resolution
The command only works if you explicitly specify a security group id ex: sg-xxxxxxxxxxx for the "-GroupId" parameter
This is a :bug: bug-report
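Added example (not part of the original issue or of the AWS Tools for PowerShell code): in the commands as posted, the value is stored with `Set-Variable -Name ExisingSSH` while `-GroupID` is given `$ExistingSSH`, and PowerShell evaluates an unset variable to `$null` unless strict mode is on, which is one way a request can go out without a group ID. The sketch shows strict mode plus a format check in front of a security-group change; `Test-SecurityGroupId` and the sample ID are hypothetical, and the AWS call is commented out so the script runs offline.

```powershell
# Added example; Test-SecurityGroupId and the sample values are hypothetical.
Set-StrictMode -Version Latest          # reading an unset variable now throws
$ErrorActionPreference = 'Stop'

function Test-SecurityGroupId {
    param([AllowNull()][AllowEmptyString()][string]$GroupId)
    # EC2 security group IDs: "sg-" followed by 8 or 17 lowercase hex characters.
    return ($GroupId -cmatch '^sg-([0-9a-f]{8}|[0-9a-f]{17})$')
}

# Constructed stand-in for (Get-EC2SecurityGroup -GroupName SSH).GroupId
$lookupResult = 'sg-0123456789abcdef0'

# Same shape as the commands in the report: stored under one name, read under another.
Set-Variable -Name ExisingSSH -Value $lookupResult

try {
    $groupId = $ExistingSSH             # strict mode: throws, this name was never set
} catch {
    Write-Warning "Unset variable: $($_.Exception.Message)"
    $groupId = $null
}

if (-not (Test-SecurityGroupId $groupId)) {
    # Without strict mode the cmdlet would have received $null for -GroupId.
    Write-Warning 'GroupId is empty or malformed; not calling Grant-EC2SecurityGroupIngress.'
} else {
    # Grant-EC2SecurityGroupIngress -GroupId $groupId -IpPermission $IpPermission
    Write-Output "Would update $groupId"
}
```

The same check applies to any value interpolated into the rule itself, such as the `$OLDIP` range in the report.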