aws / aws-tools-for-powershell

The AWS Tools for PowerShell lets developers and administrators manage their AWS services from the PowerShell scripting environment.
Apache License 2.0

Security Group Rules created through "Grant-EC2SecurityGroupIngress" Not Unique #238

Closed manuelh2410 closed 2 years ago

manuelh2410 commented 2 years ago

Description

Security Group Rules created through "Grant-EC2SecurityGroupIngress" Not Unique. None of the security group rule IDs for the rules I created with this cmdlet are unique. According to the AWS Console, the security group rule ID for the following request should be "sg-0e16d7026f5276778".

Reproduction Steps

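```powershell
# Source CIDR to allow and the target security group
$MYIP = "1.1.1.1/32"
$RDP = "sg-0e16d7026f5276778"

# Inbound RDP (TCP 3389) permission for that CIDR
$ip2 = @{ IpProtocol="tcp"; FromPort="3389"; ToPort="3389"; IpRanges="$MYIP" }

# Tag object (created here but not passed to the cmdlet below)
$Tag = New-Object Amazon.EC2.Model.Tag
$Tag.Key = "AWSIP"
$Tag.Value = "AWSIP"

Grant-EC2SecurityGroupIngress -GroupId $RDP -IpPermission @($Ip2)
```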

```
Return SecurityGroupRules
True   {sg-0e16d7026f5276778}
```

The command seems to be returning a bogus security group ID instead of SecurityGroupRuleId : sgr-0c9cea02e3fad8698

I instructed it to create a rule, so I expect an sgr-xxxxx ID in return. Poor API design.

Environment

Resolution

none


This is a :bug: bug-report

manuelh2410 commented 2 years ago

What does seem to work is the following:

```powershell
Grant-EC2SecurityGroupIngress -GroupId $RDP -IpPermission @($Ip2) -select "Securitygrouprules"
```

```
CidrIpv4            : 1.1.1.1/32
CidrIpv6            :
Description         :
FromPort            : 3389
GroupId             : sg-0e16d7026f5276778
GroupOwnerId        : 419191665529
IpProtocol          : tcp
IsEgress            : False
PrefixListId        :
ReferencedGroupInfo :
SecurityGroupRuleId : sgr-0c9cea02e3fad8698
Tags                : {}
ToPort              : 3389
```

ashishdhingra commented 2 years ago

Hi @manuelh2410,

Good morning.

The Grant-EC2SecurityGroupIngress CmdLet invokes the AuthorizeSecurityGroupIngress service API operation and returns the AuthorizeSecurityGroupIngressResponse in the following format as documented in the API reference:

The following elements are returned by the service.

requestId
The ID of the request.

Type: String

return
Returns true if the request succeeds; otherwise, returns an error.

Type: Boolean

securityGroupRuleSet
Information about the inbound (ingress) security group rules that were added.

Type: Array of SecurityGroupRule objects

As pointed out by you, we need to select SecurityGroupRules explicitly to return the nested object. The output True {sg-0e16d7026f5276778} is the behavior of the PowerShell console when displaying an object and is not controlled by the CmdLet. This doesn't appear to be a bug since the PowerShell CmdLet Grant-EC2SecurityGroupIngress is mapping the result to the response returned by the service API as expected. Also, the behavior is consistent across all the SDKs (not just AWS .NET SDK or PowerShell tools) and changing the current behavior would be a breaking change for existing customers.

Thanks, Ashish
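An added example, not part of the issue thread or the AWS project's code: it captures the `sgr-` rule ID with `-Select SecurityGroupRules` as discussed above, refuses anything that is not a rule ID, tags the rule, and later revokes exactly that rule by ID. The function name `Grant-TrackedRdpIngress` is hypothetical, the group ID, CIDR and tag values are the ones from the report, and it assumes an AWS.Tools.EC2 version that supports security group rule IDs plus valid credentials.

```powershell
#Requires -Modules AWS.Tools.EC2

function Grant-TrackedRdpIngress {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$GroupId,
        [Parameter(Mandatory)][string]$Cidr
    )

    # Same permission shape as in the report: RDP from a single CIDR.
    $perm = @{ IpProtocol = 'tcp'; FromPort = 3389; ToPort = 3389; IpRanges = $Cidr }

    # -Select SecurityGroupRules returns the SecurityGroupRule objects
    # instead of the whole AuthorizeSecurityGroupIngressResponse.
    $rules = Grant-EC2SecurityGroupIngress -GroupId $GroupId `
        -IpPermission @($perm) -Select SecurityGroupRules

    foreach ($rule in $rules) {
        # Guard against mistaking the group ID (sg-) for the rule ID (sgr-).
        if ($rule.SecurityGroupRuleId -notmatch '^sgr-[0-9a-f]+$') {
            throw "Expected an sgr- rule ID, got '$($rule.SecurityGroupRuleId)'"
        }
    }

    # Tag the new rule(s) so they can be found and audited later.
    $tag = New-Object Amazon.EC2.Model.Tag
    $tag.Key = 'AWSIP'
    $tag.Value = 'AWSIP'
    New-EC2Tag -Resource $rules.SecurityGroupRuleId -Tag $tag

    # Hand back only the fields needed to track and remove the rule.
    $rules | Select-Object SecurityGroupRuleId, GroupId, CidrIpv4, FromPort, ToPort
}

$added = Grant-TrackedRdpIngress -GroupId 'sg-0e16d7026f5276778' -Cidr '1.1.1.1/32'
$added | Format-Table

# Confirm what was actually created, addressed by rule ID.
Get-EC2SecurityGroupRule -SecurityGroupRuleId $added.SecurityGroupRuleId

# When the access is no longer needed, revoke exactly that rule.
Revoke-EC2SecurityGroupIngress -GroupId 'sg-0e16d7026f5276778' `
    -SecurityGroupRuleId $added.SecurityGroupRuleId
```

Revoking by rule ID removes only the rule this script created and leaves any other RDP rules on the group untouched.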

manuelh2410 commented 2 years ago

From an end-user perspective this is cumbersome and not customer-centric. It would make more sense to return "Security Group Rule Created", rather than returning an ID that can be confused as the ID for the security group rule. The New-EC2SecurityGroup cmdlet does not behave in this manner. The New-EC2SecurityGroup returns the security group ID of the created group, as expected. This is not consistent. This does not constitute guidance, there is a clear inconsistency here.

ashishdhingra commented 2 years ago

> From an end-user perspective this is cumbersome and not customer-centric. It would make more sense to return "Security Group Rule Created", rather than returning an ID that can be confused as the ID for the security group rule. The New-EC2SecurityGroup cmdlet does not behave in this manner. The New-EC2SecurityGroup returns the security group ID of the created group, as expected. This is not consistent.

@manuelh2410 The New-EC2SecurityGroup invokes the CreateSecurityGroupResponse service API operation and returns CreateSecurityGroupResponse in the format returned by the service. As mentioned earlier, the display output of the CmdLet is controlled by PowerShell console when displaying an object. The CmdLet returns CreateSecurityGroupResponse object containing GroupId and Tags properties, and since the Tags list is not directly displayable, PowerShell console just displays the GroupId (You may verify this by examining the returned object and use $returnedObject.Tags).

Unfortunately, for Grant-EC2SecurityGroupIngress, we cannot simply return the list of SecurityGroupRules since it is correctly mapping to the service response as it is doing for other CmdLets.

Closing this issue since .NET SDK and PowerShell behavior is consistent with the service response, and changing behavior is not feasible.
