ElasticLoadBalancingv2 / Client / set_security_groups / EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic not working

0

I want to set the NLB security setting "Enforce inbound rules on PrivateLink traffic" to off via CloudFormation, but this option is not available as a parameter for AWS::ElasticLoadBalancingV2::LoadBalancer. The workaround is to use a Custom Resource and the AWS API, as suggested in this article on StackOverflow: https://stackoverflow.com/questions/77417813/set-enforce-inbound-rules-on-privatelink-traffic-setting-in-aws-cdk/77422691#77422691

The problem I'm facing is with the Lambda invoking function: when using NodeJS18 the API completely ignores the parameter input "EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic", and when using Python I actually get the error:

"errorMessage": "Parameter validation failed:\nUnknown parameter in input: \"EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic\", must be one of: LoadBalancerArn, SecurityGroups",
  "errorType": "ParamValidationError"

Updating just the Security Group works fine. For some reason, the API is not "aware" of the 3rd parameter "EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic".

Both API documentation pages show "EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic" as a parameter:

Python: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/elbv2/client/set_security_groups.html

AWS SDK for JavaScript v3: https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/elastic-load-balancing-v2/command/SetSecurityGroupsCommand/

Executing the change via the AWS CLI ("aws elbv2 set-security-groups") works fine, as long as it's using the latest AWS CLI, 2.13.33. Older AWS CLI versions also complain about not recognizing "--enforce-security-group-inbound-rules-on-private-link-traffic":

aws elbv2 set-security-groups \
    --load-balancer-arn ***** \
    --security-groups ***** \
    --enforce-security-group-inbound-rules-on-private-link-traffic on

Here is the Python code I'm using to test the Lambda function:

import boto3

def lambda_handler(event, context):
    # The elbv2 client validates kwargs against the service model shipped
    # with the botocore version installed in the runtime.
    client = boto3.client('elbv2')
    response = client.set_security_groups(
        LoadBalancerArn='***',
        SecurityGroups=['***'],
        EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic='off'
    )
    print(response)
    return response

and here is one execution result:

Test Event Name
test

Response
{
  "errorMessage": "Parameter validation failed:\nUnknown parameter in input: \"EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic\", must be one of: LoadBalancerArn, SecurityGroups",
  "errorType": "ParamValidationError",
  "requestId": "*****",
  "stackTrace": [
    "  File \"/var/task/lambda_function.py\", line 5, in lambda_handler\n    response = client.set_security_groups(\n",
    "  File \"/var/lang/lib/python3.11/site-packages/botocore/client.py\", line 534, in _api_call\n    return self._make_api_call(operation_name, kwargs)\n",
    "  File \"/var/lang/lib/python3.11/site-packages/botocore/client.py\", line 935, in _make_api_call\n    request_dict = self._convert_to_request_dict(\n",
    "  File \"/var/lang/lib/python3.11/site-packages/botocore/client.py\", line 1003, in _convert_to_request_dict\n    request_dict = self._serializer.serialize_to_request(\n",
    "  File \"/var/lang/lib/python3.11/site-packages/botocore/validate.py\", line 381, in serialize_to_request\n    raise ParamValidationError(report=report.generate_report())\n"
  ]
}

Function Logs
START RequestId: ***** Version: $LATEST
[ERROR] ParamValidationError: Parameter validation failed:
Unknown parameter in input: "EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic", must be one of: LoadBalancerArn, SecurityGroups
Traceback (most recent call last):
  File "/var/task/lambda_function.py", line 5, in lambda_handler
    response = client.set_security_groups(
  File "/var/lang/lib/python3.11/site-packages/botocore/client.py", line 534, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/var/lang/lib/python3.11/site-packages/botocore/client.py", line 935, in _make_api_call
    request_dict = self._convert_to_request_dict(
  File "/var/lang/lib/python3.11/site-packages/botocore/client.py", line 1003, in _convert_to_request_dict
    request_dict = self._serializer.serialize_to_request(
  File "/var/lang/lib/python3.11/site-packages/botocore/validate.py", line 381, in serialize_to_request
    raise ParamValidationError(report=report.generate_report())END RequestId: *****
REPORT RequestId: *****	Duration: 1275.29 ms	Billed Duration: 1276 ms	Memory Size: 128 MB	Max Memory Used: 72 MB	Init Duration: 403.28 ms

Request ID
*****

What am I missing here?

Vini
asked 6 months ago, 371 views
1 answer
0
Accepted answer

Hello.

It's probably an issue with the version of boto3 that Lambda is using.
Currently, Lambda uses "boto3-1.27.1" with Python3.11.
https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html

In my environment, when I created a layer and used "boto3-1.28", the error no longer occurred.
The layer was created using the following command.
https://repost.aws/knowledge-center/lambda-python-runtime-errors

LIB_DIR=boto3-mylayer/python
mkdir -p $LIB_DIR
pip3 install boto3 -t $LIB_DIR
cd boto3-mylayer
zip -r /tmp/boto3-mylayer.zip .
aws lambda publish-layer-version --layer-name boto3-mylayer --zip-file fileb:///tmp/boto3-mylayer.zip --compatible-runtimes python3.11
aws lambda update-function-configuration --function-name <Lambda Function Name> --layers arn:aws:lambda:ap-northeast-1:<your AWS Account ID>:layer:boto3-mylayer:1
EXPERT
answered 6 months ago
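As an added example (not the code of the question or the answer): a handler that first checks the installed botocore's SetSecurityGroups input shape for the parameter, so an outdated bundled SDK fails with an actionable message instead of a raw ParamValidationError, and then confirms from the API response that the requested value was actually applied, guarding against the silently ignored parameter reported for NodeJS18. The botocore model attributes and the IAM permission for elasticloadbalancing:SetSecurityGroups are assumed from the SDK and service, not taken from this page; the checking helpers are kept SDK-free so they can be unit-tested offline.

```python
"""Pre-flight check and post-call verification for elbv2 SetSecurityGroups."""
import logging

PARAM = "EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic"
log = logging.getLogger(__name__)


def supports_enforce_param(input_members):
    """True if the installed SDK's SetSecurityGroups input shape knows PARAM.

    botocore validates kwargs against the service model bundled with the
    installed botocore, so an old bundled SDK raises ParamValidationError
    ("must be one of: LoadBalancerArn, SecurityGroups") before any request
    leaves the function. `input_members` is the member names of that shape.
    """
    return PARAM in set(input_members)


def verify_applied(response, wanted):
    """Compare the setting the API echoed back with the one requested.

    Returns (ok, actual). An SDK that drops an unknown parameter leaves the
    flag at its previous value, so the echoed value is the real evidence.
    """
    actual = response.get(PARAM)
    return (actual == wanted, actual)


def apply_enforce_setting(lb_arn, security_groups, wanted="off"):
    """Set security groups plus the PrivateLink enforce flag, failing loudly."""
    import boto3  # imported here so the helpers above stay testable without it
    import botocore

    client = boto3.client("elbv2")
    members = client.meta.service_model.operation_model(
        "SetSecurityGroups").input_shape.members
    if not supports_enforce_param(members):
        raise RuntimeError(
            f"botocore {botocore.__version__} does not know {PARAM}; "
            "attach a Lambda layer with a newer boto3/botocore")
    resp = client.set_security_groups(
        LoadBalancerArn=lb_arn, SecurityGroups=security_groups,
        **{PARAM: wanted})
    ok, actual = verify_applied(resp, wanted)
    if not ok:
        raise RuntimeError(f"{PARAM} is {actual!r}, expected {wanted!r}")
    log.info("%s set to %s on %s", PARAM, actual, lb_arn)
    return resp
```

In a CloudFormation custom resource, raise on either RuntimeError so the stack operation reports FAILED rather than completing with the flag still at its default.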
