
Cannot revoke_ingress for non-default VPC

See original GitHub issue

Hello,

I'm trying to revoke one rule out of many in a security group, but I receive this error:

An error occurred (InvalidGroup.NotFound) when calling the RevokeSecurityGroupIngress operation: The security group 'sg-11111111' does not exist in default VPC 'none'

This happens even though I specify the VPC id explicitly:

import boto3

SG_we_are_working_with = 'sg-xxxxx'
SG_which_is_the_source_of_the_traffic = 'sg-11111111'
VpcId = 'vpc-2222222'

# first I load the group to find the necessary rule
ec2 = boto3.resource('ec2')
# client = boto3.client('ec2')
security_group = ec2.SecurityGroup(SG_we_are_working_with)
security_group.load()   # get current data

# here is the loop over rules
for item in security_group.ip_permissions:
    # ..... (rule-selection logic elided in the original)

    # now attempt to delete, the necessary data is in the 'item' variable:
    IpPermissions = [
        {
            'FromPort': item['FromPort'],
            'ToPort': item['ToPort'],
            'IpProtocol': 'tcp',
            'UserIdGroupPairs': [
                {
                    'Description': item['UserIdGroupPairs'][0]["Description"],
                    'GroupId': item['UserIdGroupPairs'][0]["GroupId"],
                    'UserId': item['UserIdGroupPairs'][0]["UserId"],
                    'VpcId': str(VpcId)
                },
            ]
        }
    ]
    # this call, with both the top-level parameters and IpPermissions, produces the error above
    security_group.revoke_ingress(
        FromPort=item['FromPort'],
        GroupName=SG_we_are_working_with,
        IpPermissions=IpPermissions,
        IpProtocol='tcp',
        SourceSecurityGroupName=SG_which_is_the_source_of_the_traffic,
        ToPort=item['ToPort']
    )

Am I doing something wrong?

The environment is Lambda with Python 2.7

Thank you.

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Comments:6 (2 by maintainers)

Top GitHub Comments

1 reaction
pputnik commented, Oct 17, 2018

@kyleknap I found the documentation misleading: it does not explain why there are two "FromPort"s, one in the main part and a second inside the IpPermissions variable, or when to use which. Initially I tried to define both (along with both IpProtocol, ToPort, etc.), and that caused the error. The solution which works (assuming the IpPermissions variable contains ports, vpc, etc.) is:

security_group.revoke_ingress(
    IpPermissions=IpPermissions,
)

And this caused the error:

security_group.revoke_ingress(
    FromPort=item['FromPort'],
    GroupName=SG_we_are_working_with,
    IpPermissions=IpPermissions,
    IpProtocol='tcp',
    SourceSecurityGroupName=SG_which_is_the_source_of_the_traffic,
    ToPort=item['ToPort']
)

The VPC part remains as is and works perfectly. I cannot mark the ticket as solved because either the doc or the code should be fixed in order to avoid confusion.
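The working form described in the comment above, as an added example that is not part of the original issue or of boto3 itself: build a minimal IpPermissions payload from the rules already on the group and pass only that to revoke_ingress, never the top-level FromPort/ToPort/IpProtocol/SourceSecurityGroupName parameters alongside it. The `security_group` argument is assumed to be a boto3 `ec2.SecurityGroup` resource (`boto3.resource('ec2').SecurityGroup('sg-xxxxx')`); the `FakeSecurityGroup` stand-in, the `build_revoke_payload`/`revoke_source_group` helper names and the sample `ip_permissions` list are constructed here so the block runs without AWS access.

```python
"""Revoke a single source-security-group ingress rule via IpPermissions only.

Added example (hypothetical helpers, not boto3 API). `security_group` is assumed
to be a boto3 ec2.SecurityGroup resource; any object with an `ip_permissions`
list, an `id`, `load()` and `revoke_ingress(**kwargs)` works, which is how the
constructed FakeSecurityGroup below exercises the code offline.
"""
import copy

# Keys that identify a rule. 'Description' and the response-only metadata are
# dropped so the payload is a minimal, exact match of the existing rule.
RULE_KEYS = ("IpProtocol", "FromPort", "ToPort")
PAIR_KEYS = ("GroupId", "UserId", "VpcId", "VpcPeeringConnectionId")


def build_revoke_payload(ip_permissions, source_group_id, ip_protocol=None, from_port=None):
    """Return the IpPermissions list that revokes only the rule(s) whose source
    is `source_group_id`, optionally narrowed to one protocol and port.

    One ip_permissions entry can bundle several UserIdGroupPairs (same protocol
    and port range, different sources). Sending the whole entry to revoke_ingress
    would remove every source, so only the matching pair is copied out.
    """
    payload = []
    for rule in ip_permissions:
        if ip_protocol is not None and rule.get("IpProtocol") != ip_protocol:
            continue
        if from_port is not None and rule.get("FromPort") != from_port:
            continue
        pairs = [p for p in rule.get("UserIdGroupPairs", [])
                 if p.get("GroupId") == source_group_id]
        if not pairs:
            continue
        # 'all traffic' rules (IpProtocol '-1') carry no FromPort/ToPort keys
        entry = {k: rule[k] for k in RULE_KEYS if k in rule}
        entry["UserIdGroupPairs"] = [{k: p[k] for k in PAIR_KEYS if k in p} for p in pairs]
        payload.append(entry)
    return payload


def revoke_source_group(security_group, source_group_id, ip_protocol=None, from_port=None):
    """Revoke the matching rule(s) from `security_group`; return the payload sent.

    Only IpPermissions is passed. Mixing it with the top-level FromPort/ToPort/
    IpProtocol/SourceSecurityGroupName parameters is what produced the
    InvalidGroup.NotFound error reported in the issue.
    """
    security_group.load()  # refresh so we match against the current rule set
    payload = build_revoke_payload(security_group.ip_permissions, source_group_id,
                                   ip_protocol, from_port)
    if not payload:
        raise LookupError("no ingress rule from %s on %s" % (source_group_id, security_group.id))
    security_group.revoke_ingress(IpPermissions=payload)
    return payload


# Constructed sample of what security_group.ip_permissions returns: the first
# entry bundles two source groups on tcp/443, the second allows SSH from a CIDR,
# the third is an 'all traffic' rule from the same source group.
SAMPLE_IP_PERMISSIONS = [
    {
        "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
        "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
        "UserIdGroupPairs": [
            {"Description": "from app tier", "GroupId": "sg-11111111",
             "UserId": "123456789012", "VpcId": "vpc-2222222"},
            {"Description": "from bastion", "GroupId": "sg-33333333",
             "UserId": "123456789012", "VpcId": "vpc-2222222"},
        ],
    },
    {
        "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
        "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": [],
    },
    {
        "IpProtocol": "-1", "IpRanges": [],
        "UserIdGroupPairs": [{"GroupId": "sg-11111111", "UserId": "123456789012"}],
    },
]


class FakeSecurityGroup(object):
    """Constructed stand-in for the boto3 resource so this runs without credentials."""

    def __init__(self, group_id, ip_permissions):
        self.id = group_id
        self.ip_permissions = copy.deepcopy(ip_permissions)
        self.calls = []  # records every revoke_ingress call for inspection

    def load(self):
        pass

    def revoke_ingress(self, **kwargs):
        self.calls.append(kwargs)


if __name__ == "__main__":
    sg = FakeSecurityGroup("sg-xxxxx", SAMPLE_IP_PERMISSIONS)
    print(revoke_source_group(sg, "sg-11111111", ip_protocol="tcp", from_port=443))
```

With a real group, swap the fake for `boto3.resource('ec2').SecurityGroup(sg_id)`; nothing else changes. Two edge cases are handled on purpose: when an entry bundles several source groups, only the requested pair is sent, so the other sources keep their access; and an 'all traffic' rule has no FromPort/ToPort, so those keys are copied only when present rather than assumed.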

0 reactions
github-actions[bot] commented, Aug 21, 2020

Greetings! It looks like this issue hasn’t been active in longer than one year. We encourage you to check if this is still an issue in the latest release. Because it has been longer than one year since the last update on this, and in the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment to prevent automatic closure, or if the issue is already closed, please feel free to reopen it.

