cloud-custodian / cloud-custodian

Rules engine for cloud security, cost optimization, and governance, DSL in yaml for policies to query, filter, and take actions on resources
https://cloudcustodian.io
Apache License 2.0
5.46k stars 1.49k forks

aws - security-group - set-permissions action support for self referencing #5827

Open pendyalal opened 4 years ago

pendyalal commented 4 years ago

Describe the bug
For default Security Groups, adding a self reference throws errors.

To Reproduce
policies:

Expected behavior

Type | Protocol | Port range | Source
All traffic | All | All | sg-1111111 (default)

Background

 - Traceback:
2020-06-02 13:45:49,522: custodian.commands:ERROR Error while executing policy default-sgs, continuing
Traceback (most recent call last):
  File "/home/ec2-user/custodian/lib/python3.8/site-packages/c7n/commands.py", line 281, in run
    policy()
  File "/home/ec2-user/custodian/lib/python3.8/site-packages/c7n/policy.py", line 1169, in __call__
    resources = mode.run()
  File "/home/ec2-user/custodian/lib/python3.8/site-packages/c7n/policy.py", line 323, in run
    results = a.process(resources)
  File "/home/ec2-user/custodian/lib/python3.8/site-packages/c7n/resources/vpc.py", line 1464, in process
    method(**p)
  File "/home/ec2-user/custodian/lib/python3.8/site-packages/botocore/client.py", line 316, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/home/ec2-user/custodian/lib/python3.8/site-packages/botocore/client.py", line 635, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (InvalidGroup.NotFound) when calling the AuthorizeSecurityGroupIngress operation: The security group 'sg-11111111' does not exist in default VPC 'none'

kapilt commented 4 years ago

You need to use the group ID, not the group name, in the self reference. Names are for non-VPC-attached groups (classic), which aren't supported.

pendyalal commented 4 years ago

```yaml
policies:
  - name: default-sgs
    resource: aws.security-group
    filters:
      - type: value
        key: GroupName
        value: default
        op: eq
      - type: ingress
        IpProtocol: "-1"
        IpRanges:
          - CidrIp: "0.0.0.0/0"
    actions:
      - type: set-permissions
        # remove-ingress: matched
        add-ingress:
          - IpPermissions:
              - FromPort: -1
                IpProtocol: "-1"
                ToPort: -1
                UserIdGroupPairs:
                  - GroupId: '{ GroupId }'
```

@kapilt, can we use the sgId found by the filter dynamically in the actions?
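The two points raised in this thread, that a VPC group's self reference must carry the GroupId rather than the GroupName, and that the ID has to be taken from each matched resource rather than hard-coded, are shown below as an added example in plain boto3-style Python. This is not Cloud Custodian's code and says nothing about whether the set-permissions action expands a `{ GroupId }` template; it builds the RevokeSecurityGroupIngress and AuthorizeSecurityGroupIngress parameters per group from a constructed DescribeSecurityGroups response (`SAMPLE_GROUPS`), refuses a self reference for a group without a VpcId (the case that produces InvalidGroup.NotFound), and records the calls in a hypothetical `_RecordingClient` so it runs offline. Group IDs, VPC ID and account ID in the sample are made up.

```python
"""Added example (not Cloud Custodian's code): replace a default security
group's 0.0.0.0/0 ingress rule with a self reference, resolving the group
ID from each matched resource instead of hard-coding it."""

# "All traffic" in EC2 API terms: protocol -1, ports unspecified.
ALL_TRAFFIC = {"IpProtocol": "-1", "FromPort": -1, "ToPort": -1}

# Constructed sample: one VPC default group that allows all traffic from
# anywhere, shaped like ec2.describe_security_groups()["SecurityGroups"].
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-11111111",
        "GroupName": "default",
        "VpcId": "vpc-aaaaaaaa",
        "OwnerId": "123456789012",
        "IpPermissions": [
            {"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []},
        ],
    }
]


def self_reference_permission(group):
    """Ingress rule admitting all traffic from the group itself.

    A VPC group is referenced by GroupId (plus the owning account). A
    GroupName only resolves for EC2-Classic groups, so a name-based pair on
    a VPC group is what AuthorizeSecurityGroupIngress rejects with
    InvalidGroup.NotFound ("... in default VPC 'none'").
    """
    if not group.get("VpcId"):
        raise ValueError("%s is not a VPC security group" % group.get("GroupName"))
    pair = {"GroupId": group["GroupId"], "UserId": group["OwnerId"]}
    return dict(ALL_TRAFFIC, UserIdGroupPairs=[pair])


def open_ingress_permissions(group, cidr="0.0.0.0/0"):
    """The existing rules that admit `cidr`: the 'matched' rules to revoke."""
    matched = []
    for perm in group.get("IpPermissions", []):
        ranges = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") == cidr]
        if ranges:
            # Keep only the keys Revoke accepts for an IPv4 range rule.
            p = {k: v for k, v in perm.items()
                 if k in ("IpProtocol", "FromPort", "ToPort")}
            p["IpRanges"] = ranges
            matched.append(p)
    return matched


def plan_remediation(groups, cidr="0.0.0.0/0"):
    """For each default group with an open rule, return
    (revoke_kwargs, authorize_kwargs) keyed on that group's own GroupId."""
    plan = []
    for g in groups:
        if g.get("GroupName") != "default":
            continue
        revoke = open_ingress_permissions(g, cidr)
        if not revoke:
            continue
        plan.append((
            {"GroupId": g["GroupId"], "IpPermissions": revoke},
            {"GroupId": g["GroupId"], "IpPermissions": [self_reference_permission(g)]},
        ))
    return plan


def apply_plan(plan, ec2):
    """Run the plan against a boto3 EC2 client (or a stand-in for dry runs).

    Revoke first so the group never holds both rules; the brief window with
    neither rule is a short loss of intra-group traffic, not an exposure."""
    for revoke_kwargs, authorize_kwargs in plan:
        ec2.revoke_security_group_ingress(**revoke_kwargs)
        ec2.authorize_security_group_ingress(**authorize_kwargs)


class _RecordingClient:
    """Hypothetical stand-in for boto3's EC2 client: records calls, no AWS access."""

    def __init__(self):
        self.calls = []

    def revoke_security_group_ingress(self, **kwargs):
        self.calls.append(("revoke", kwargs))

    def authorize_security_group_ingress(self, **kwargs):
        self.calls.append(("authorize", kwargs))


if __name__ == "__main__":
    client = _RecordingClient()
    apply_plan(plan_remediation(SAMPLE_GROUPS), client)
    for name, kwargs in client.calls:
        print(name, kwargs)
```

Swapping `_RecordingClient` for `boto3.client("ec2")` makes the same plan live; the check in `self_reference_permission` is what keeps a classic or malformed group from reaching the API with a name-based pair.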