aws / aws-tools-for-powershell

The AWS Tools for PowerShell lets developers and administrators manage their AWS services from the PowerShell scripting environment.
Apache License 2.0

Undocumented behaviour Grant-EC2SecurityGroupIngress #237

Closed manuelh2410 closed 2 years ago

manuelh2410 commented 2 years ago

## Description

https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/EC2/TResourceType.html is not accurate, or incompatible with the "-TagSpecification" switch for the "Grant-EC2SecurityGroupIngress Cmdlet"

According to the documentation [1] [2] you should be able to use the "SecurityGroupRule" resource type when configuring the "Tags" property of the TagSpecification (Amazon.EC2.Model.TagSpecification) object.

Documentation:

[1] https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/EC2/TResourceType.html
[2] https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/EC2/TTagSpecification.html

## Reproduction Steps

Failed request:

$MYIP = "1.1.1.1/32"
$RDP = "sg-0e16d7026f5276778"
$ip2 = @{ IpProtocol="tcp"; FromPort="3389"; ToPort="3389"; IpRanges="$MYIP"}
$Tag = New-Object Amazon.EC2.Model.Tag
$Tag.Key = "AWSIP"
$Tag.Value = "AWSIP"
$Tagspec = New-Object Amazon.EC2.Model.TagSpecification
$Tagspec.Tags = $Tag
$Tagspec.ResourceType = "SecurityGroupRule"
Grant-EC2SecurityGroupIngress -GroupId $RDP -IpPermission @($Ip2) -TagSpecification $Tagspec

PS /home/username/Documents/Vscode_Repos/public> Grant-EC2SecurityGroupIngress -GroupId $RDP -IpPermission @($Ip2) -TagSpecification $Tagspec
Grant-EC2SecurityGroupIngress: 'SecurityGroupRule' is not a valid taggable resource type for this operation.
PS /home/username/Documents/Vscode_Repos/public>

## Environment

Linux 5.11.0-38-generic #42~20.04.1-Ubuntu SMP Tue Sep 28 20:41:07 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Ubuntu 20.04.3 LTS x64

Name                           Value
----                           -----
PSVersion                      7.1.5
PSEdition                      Core
GitCommitId                    7.1.5
OS                             Linux 5.11.0-38-generic #42~20.04.1-Ubuntu SMP Tue Sep 28 20:41:07 UTC 2021
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

## Resolution

Used API Tag Specification: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_TagSpecification.html

$Tagspec.ResourceType = "Security-Group-Rule"

PS /home/username/Documents/Vscode_Repos/public> Grant-EC2SecurityGroupIngress -GroupId $RDP -IpPermission @($Ip2) -TagSpecification $Tagspec

Result:

Return SecurityGroupRules
------ ------------------
True   {sg-0e16d7026f5276778}

This is a :bug: bug-report

ashishdhingra commented 2 years ago

Hi @manuelh2410,

Good morning.

Thanks for posting the question. As pointed out by the TagSpecification documentation, SecurityGroupRule doesn't appear to be the correct value for ResourceType. The correct value is security-group-rule.

Upon going through the AWS SDK for .NET documentation for ResourceType (this is accessible through Grant-EC2SecurityGroupIngress when viewing reference for TagSpecification), it appears the better alternative would be to use [Amazon.EC2.ResourceType]::SecurityGroupRule constant. For example,

$Tag = New-Object Amazon.EC2.Model.Tag
$Tag.Key = "AWSIP"
$Tag.Value = "AWSIP"
$Tagspec = New-Object Amazon.EC2.Model.TagSpecification
$Tagspec.Tags = $Tag
$Tagspec.ResourceType = [Amazon.EC2.ResourceType]::SecurityGroupRule

The output of [Amazon.EC2.ResourceType]::SecurityGroupRule is:

Value
-----
security-group-rule

Hope this helps.

Thanks, Ashish

manuelh2410 commented 2 years ago

This is not mentioned anywhere, and the documentation for that parameter clearly points to:

[1] https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/EC2/TResourceType.html
[2] https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/EC2/TTagSpecification.html

The documentation also states that the value should be of type "String" and not through a .NET class.

ashishdhingra commented 2 years ago

https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/EC2/TResourceType.html

@manuelh2410 Here is the guidance from the documentation:

You may use the string security-group-rule (as noted in API documentation for TagSpecification) (this works due to operator overloading) or the constant represented by [Amazon.EC2.ResourceType]::SecurityGroupRule (kindly note that this is the PowerShell syntax to use static fields). Also note that even though the API documentation for TagSpecification lists the allowed and expected values as string, all the SDKs would use some kind of constant class to map to the string values and would actually send the expected string value in the service API call.

Hope this helps. Closing this issue since no action is required on the AWS .NET SDK or AWS Tools for PowerShell.
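
The difference between the .NET field name (SecurityGroupRule) and the string sent to the service (security-group-rule) can be checked locally before any API call. The following is an added example, not code from this issue or from the AWS project; `Resolve-Ec2ResourceType` is a hypothetical helper name, and it assumes the AWS.Tools.EC2 module is installed (no credentials are needed).

```powershell
# Added example. Resolve-Ec2ResourceType is a hypothetical helper, not an AWS cmdlet.
# Assumes the AWS.Tools.EC2 module is installed; it makes no service calls.
Import-Module AWS.Tools.EC2

function Resolve-Ec2ResourceType {
    param([Parameter(Mandatory)][string]$Name)

    # Each public static field on the constant class is one allowed resource type.
    $fields = [Amazon.EC2.ResourceType].GetFields('Public,Static') |
        Where-Object { $_.FieldType -eq [Amazon.EC2.ResourceType] }

    foreach ($field in $fields) {
        $constant = $field.GetValue($null)
        # Accept either the .NET field name (SecurityGroupRule) or the
        # wire value (security-group-rule). PowerShell's -eq on strings is
        # case-insensitive, so mixed-case input resolves to the same constant.
        if ($field.Name -eq $Name -or $constant.Value -eq $Name) {
            return $constant
        }
    }

    # Fail before the request is built instead of at the service.
    throw "'$Name' is not a known Amazon.EC2.ResourceType field name or value."
}

$tag = New-Object Amazon.EC2.Model.Tag
$tag.Key = "AWSIP"
$tag.Value = "AWSIP"

$tagSpec = New-Object Amazon.EC2.Model.TagSpecification
$tagSpec.Tags = $tag
$tagSpec.ResourceType = Resolve-Ec2ResourceType "SecurityGroupRule"

# The Value property holds the string that goes into the API request.
$tagSpec.ResourceType.Value
```

The resulting `$tagSpec` can be passed to `Grant-EC2SecurityGroupIngress -TagSpecification` in place of the one built in the reproduction steps.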

github-actions[bot] commented 2 years ago

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.