Using CLI version 2.11.20. I'm trying to find the security group rule ID (sgr-XXXX) in order to form up the ARN required as a parameter in subsequent commands.
The "describe-security-groups" subcommand is almost perfect for this, as it lets me give precisely the filters that narrow down the results. A pseudocode example with all real numbers replaced with cultural references:
aws ec2 describe-security-groups --filters \
    'Name=group-id,Values=sg-8675309' \
    'Name="egress.ip-permission.protocol",Values="-1"' \
    'Name="egress.ip-permission.cidr",Values="a.b.c.d/n"' ...

{
    "SecurityGroups": [
        {
            "Description": "....",
            "GroupName": "....",
            "IpPermissions": [
                {
                    "IpProtocol": ....,
                    "IpRanges": ....,
                },
                {
                    "IpProtocol": ....,
                    "IpRanges": ....,
                },
            ],
            "OwnerId": "24601",
            "GroupId": "sg-8675309",
            "IpPermissionsEgress": [
                ....
            ],
            "VpcId": "vpc-12345"
        }
    ]
}
Unfortunately, the individual rules ("IpProtocol", "IpRanges", etc.) don't include the relatively new SecurityGroupRuleId field for a given rule. So I have no way of identifying a rule once the --filters have narrowed it down, and nothing to extract with --query.
In comes the "describe-security-group-rules" subcommand. This has excellent output from a query:

{
    "SecurityGroupRules": [
        {
            "SecurityGroupRuleId": "sgr-2216862",
            "GroupId": "sg-8675309",
            "GroupOwnerId": "24601",
            "IpProtocol": "-1",
            "CidrIpv4": "a.b.c.d/n",
            ... all the other rule parameters ...
        }, { ... }, { ... }
    ]
}

including the all-important sgr- ID code. (Example here is the asteroid number where the Scopuli was hidden in the first book/season of The Expanse.)
However, the supported --filters list for "describe-security-group-rules" is... anemic. We can filter on the security group ID obviously, the security group rule ID (that's what I'm trying to find out), and... the tags. That's it.
I'm trying to think of a way of programmatically narrowing down and extracting the security group rule IDs, given that the most capable filtering command (describe-security-groups) has no support for rule IDs, and the most specific command (describe-security-group-rules) has minimal capabilities. Right now I'm thinking to give a describe-security-group-rules command filtering on the security group ID (which I'll have available), then pipe the JSON into an annoyingly complicated jq command to do the same kind of filtering that I would have done in aws ec2 describe-security-groups --filters .... My limiting factor with this solution is that trying to do filters/queries using jq is an exercise in coredumps and useless error messages.
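One way to do the narrowing the question describes, added here as an example (not the poster's code and not part of the AWS CLI): a Python script that applies describe-security-groups-style filter names (group-id, [egress.]ip-permission.protocol/cidr/from-port/to-port) to the flat per-rule records that describe-security-group-rules returns, and yields the matching sgr- IDs. The sample JSON is constructed, and the IsEgress, FromPort and ToPort field names are assumed to be the ones the CLI emits alongside the fields shown in the question.

```python
import json

# Constructed sample modelled on the describe-security-group-rules output shape
# shown in the question; not captured from a real account.
SAMPLE = json.loads("""
{"SecurityGroupRules": [
  {"SecurityGroupRuleId": "sgr-2216862", "GroupId": "sg-8675309", "GroupOwnerId": "24601",
   "IsEgress": true, "IpProtocol": "-1", "FromPort": -1, "ToPort": -1, "CidrIpv4": "0.0.0.0/0"},
  {"SecurityGroupRuleId": "sgr-0000001", "GroupId": "sg-8675309", "GroupOwnerId": "24601",
   "IsEgress": false, "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIpv4": "10.0.0.0/8"},
  {"SecurityGroupRuleId": "sgr-0000002", "GroupId": "sg-8675309", "GroupOwnerId": "24601",
   "IsEgress": false, "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIpv4": "0.0.0.0/0"}
]}
""")

# describe-security-groups filter suffix -> per-rule field (assumed field names).
FIELD_MAP = {
    "protocol": "IpProtocol", "cidr": "CidrIpv4", "ipv6-cidr": "CidrIpv6",
    "from-port": "FromPort", "to-port": "ToPort",
}


def rule_matches(rule, filters):
    """filters maps a filter name to the set of acceptable values.
    Names are ANDed, values within a name are ORed, as with --filters.
    An 'egress.' prefix selects egress rules; no prefix selects ingress rules."""
    for name, values in filters.items():
        if name == "group-id":
            key, want_egress = "GroupId", None
        else:
            want_egress = name.startswith("egress.")
            key = FIELD_MAP[name.split("ip-permission.", 1)[1]]
        if want_egress is not None and rule.get("IsEgress") != want_egress:
            return False
        if str(rule.get(key)) not in values:  # ports compare as strings, like the CLI
            return False
    return True


def find_rule_ids(doc, filters):
    """Return the sgr- IDs of every rule in the document that satisfies filters."""
    return [r["SecurityGroupRuleId"]
            for r in doc["SecurityGroupRules"] if rule_matches(r, filters)]


if __name__ == "__main__":
    # Same narrowing as the describe-security-groups command in the question.
    print(find_rule_ids(SAMPLE, {"group-id": {"sg-8675309"},
                                 "egress.ip-permission.protocol": {"-1"},
                                 "egress.ip-permission.cidr": {"0.0.0.0/0"}}))
```

Feeding real output in is a matter of replacing SAMPLE with json.load(sys.stdin) and piping aws ec2 describe-security-group-rules --filters Name=group-id,Values=sg-... into the script; the ingress variant (no egress. prefix) is handy for auditing which rules open a port to 0.0.0.0/0.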
I think your idea is right, but the "?" query fails to match anything as soon as I start introducing boolean operators like "&&". Played around with syntax trying to group in parenthetical expressions and similar, but made zero progress. But at least the output from "--query 'SecurityGroupRules'" is in a format that we can work with, so we're not blocked. Cheers!