aws / aws-tools-for-powershell

The AWS Tools for PowerShell lets developers and administrators manage their AWS services from the PowerShell scripting environment.
Apache License 2.0

https://docs.aws.amazon.com/powershell/latest/reference/items/Edit-EC2InstanceAttribute.html #198

Closed manuelh2410 closed 3 years ago

manuelh2410 commented 3 years ago

Description

Good Day All. It seems that the documentation for this command-let, specifically the "-Group" parameter, is incomplete. The documentation does not stipulate that all existing security groups will be removed and replaced with the groups specified in the command string being issued.

Description: "[EC2-VPC] Changes the security groups of the instance. You must specify at least one security group, even if it's just the default security group for the VPC. You must specify the security group ID, not the security group name"

The documentation does not accurately describe the behaviour of this command. A change in the attribute data would lead one to assume that parts of the existing attribute data would be kept. This is not the case here. In this scenario, the dataset linked to the attribute is [replaced] entirely.

Reproduction Steps

Commands:

    $instanceid = 'i-xxxxxxxxxx'
    # List the security groups currently attached to the instance
    ((Get-EC2InstanceAttribute -InstanceId $instanceid -Attribute groupSet).Groups).Groupid
    $RDP = (Get-EC2SecurityGroup -GroupName "RDP").GroupId
    Edit-EC2InstanceAttribute -InstanceId $instanceid -Group $RDP
    # List the attached security groups again
    ((Get-EC2InstanceAttribute -InstanceId $instanceid -Attribute groupSet).Groups).Groupid

== This results in only one Security Group (RDP) being linked to the instance, while the instance had pre-existing Security Groups linked prior to issuing the command.

Logs

    PS C:> $instanceid = 'i-xxxxxxxxxxx'
    DEBUG: 1+ >>>> $instanceid = 'i-xxxxxxxxxxxxxx'
    DEBUG: ! CALL function ''
    DEBUG: ! SET $instanceid = 'i-xxxxxxxxxxxx'.

    PS C:> ((Get-EC2InstanceAttribute -InstanceId $instance -Attribute groupSet).Groups).Groupid
    DEBUG: 1+ >>>> ((Get-EC2InstanceAttribute -InstanceId $instance -Attribute g
    roupSet).Groups).Groupid
    DEBUG: ! CALL function ''
    sg-0765xx19d4bf73xx2
    sg-3bxxx108
    sg-0c2fa6xxx26e3faf0
    sg-0fb48ea39xxx8231a

    PS C:> $RDP = (Get-EC2SecurityGroup -GroupName "RDP").GroupId
    DEBUG: 1+ >>>> $RDP = (Get-EC2SecurityGroup -GroupName "RDP").GroupId
    DEBUG: ! CALL function ''
    DEBUG: ! SET $RDP = 'sg-xxx1185326xx73547'.

    PS C:> Edit-EC2InstanceAttribute -InstanceId $instance -Group $RDP
    DEBUG: 1+ >>>> Edit-EC2InstanceAttribute -InstanceId $instance -Group $RDP
    DEBUG: ! CALL function ''

    PS C:> ((Get-EC2InstanceAttribute -InstanceId $instance -Attribute groupSet).Groups).Groupid
    DEBUG: 1+ >>>> ((Get-EC2InstanceAttribute -InstanceId $instance -Attribute g
    roupSet).Groups).Groupid
    DEBUG: ! CALL function ''
    sg-xxx1185326xx73547

Environment

    PS C:> $PSVersionTable

    Name                           Value
    ----                           -----
    PSVersion                      5.1.19041.610
    PSEdition                      Desktop
    PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
    BuildVersion                   10.0.19041.610
    CLRVersion                     4.0.30319.42000
    WSManStackVersion              3.0
    PSRemotingProtocolVersion      2.3
    SerializationVersion           1.1.0.1

Resolution


This is a :bug: bug-report

manuelh2410 commented 3 years ago

You might want to add an additional parameter (switch) to indicate what the desired result should be

ashishdhingra commented 3 years ago

Hi @manuelh2410,

Good morning.

The synopsis of the Edit-EC2InstanceAttribute CmdLet states that it "Calls the Amazon Elastic Compute Cloud (EC2) ModifyInstanceAttribute API operation." The PowerShell functionality is dependent on the Service API behavior. The documentation for ModifyInstanceAttribute API states that "Modifies the specified attribute of the specified instance." (not appends). I think it's concise enough, unless you disagree otherwise (in that case we should open a ticket with service API team for documentation update).

Thanks, Ashish

manuelh2410 commented 3 years ago

I have to disagree. The documentation does not accurately reflect the behaviour. Look up the meaning of modifying and replacing. I also see that you referred to API documentation which is not in line with what is mentioned in the documentation for the command-let. The behaviour of the command is unexpected, and also not logically sound and actually very misleading.

ashishdhingra commented 3 years ago

Hi @manuelh2410,

Good afternoon.

I do see that the API and PowerShell documentation are in sync. However, I would create a ticket with service team to elaborate on the GroupId.N parameter. Once that is updated by service API team, I would get it updated in PowerShell CmdLet API reference.

Thanks, Ashish

ashishdhingra commented 3 years ago

Service team confirmed that the behavior of GroupId.N parameter for ModifyInstanceAttribute action on the EC2 service is to replace the existing security groups with the security groups mentioned in the API call. Per their suggestion, submitted the documentation feedback at https://docs.aws.amazon.com/forms/aws-doc-feedback?hidden_service_name=EC2&topic_url=http://docs.aws.amazon.com/en_us/AWSEC2/latest/APIReference/API_ModifyInstanceAttribute.html

ashishdhingra commented 3 years ago

Following documentation links are updated to elaborate the behavior of GroupId.N parameter that "[EC2-VPC] Replaces the security groups of the instance with the specified security groups. You must specify at least one security group, even if it's just the default security group for the VPC. You must specify the security group ID, not the security group name.":

manuelh2410 commented 3 years ago

Just update the behaviour of the API call. I don't understand why you can't just add a security group to the instance. Without losing the existing security groups linked to the instance.

It doesn't make sense
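
Because `-Group` replaces the instance's whole security group set, adding one group means reading the current set, merging, and writing the full list back. The following is an added example of that pattern, not part of the original issue or of AWS Tools for PowerShell; `Add-InstanceSecurityGroup` is a hypothetical helper name, and it uses only the cmdlets and parameters shown in the issue.

```powershell
# Added example. Add-InstanceSecurityGroup is a hypothetical helper, not an AWS cmdlet.
# Requires the AWS Tools for PowerShell EC2 cmdlets and configured credentials/region.
function Add-InstanceSecurityGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $InstanceId,
        [Parameter(Mandatory)] [string[]] $GroupId
    )

    # -Group replaces the whole set, so read what is attached now.
    $current = @((Get-EC2InstanceAttribute -InstanceId $InstanceId -Attribute groupSet).Groups.GroupId)

    # Nothing to do if every requested group is already attached.
    $toAdd = @($GroupId | Where-Object { $_ -notin $current })
    if ($toAdd.Count -eq 0) { return $current }

    # Send back the union: existing groups plus the new ones, de-duplicated.
    $desired = @($current + $toAdd | Sort-Object -Unique)

    if (-not $PSCmdlet.ShouldProcess($InstanceId, "Replace security groups with: $($desired -join ', ')")) {
        return $current
    }
    Edit-EC2InstanceAttribute -InstanceId $InstanceId -Group $desired

    # Read back and fail loudly if any previously attached group was dropped,
    # e.g. because another change landed between the read and the write.
    $after = @((Get-EC2InstanceAttribute -InstanceId $InstanceId -Attribute groupSet).Groups.GroupId)
    $lost  = @($current | Where-Object { $_ -notin $after })
    if ($lost.Count -gt 0) {
        throw "Security groups no longer attached to ${InstanceId}: $($lost -join ', ')"
    }
    return $after
}

# Usage with the placeholder instance ID and the "RDP" group name from the issue.
# -WhatIf prints the full group list that would be sent without changing anything.
$RDP = (Get-EC2SecurityGroup -GroupName "RDP").GroupId
Add-InstanceSecurityGroup -InstanceId 'i-xxxxxxxxxx' -GroupId $RDP -WhatIf
```

The read and the write are two separate API calls, so the read-back check is what catches a group that went missing in between.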