ElasticLoadBalancingv2 / Client / set_security_groups / EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic not working

0

I want to set the NLB "Enforce inbound rules on PrivateLink traffic" security setting to off via CloudFormation, but this option is not available as a parameter for AWS::ElasticLoadBalancingV2::LoadBalancer. The workaround is to use a Custom Resource and the AWS API, as suggested in this Stack Overflow answer: https://stackoverflow.com/questions/77417813/set-enforce-inbound-rules-on-privatelink-traffic-setting-in-aws-cdk/77422691#77422691

The problem I'm facing is with the Lambda function that invokes the API. When using Node.js 18, the API completely ignores the parameter input "EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic"; when using Python, I actually get the error:

"errorMessage": "Parameter validation failed:\nUnknown parameter in input: \"EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic\", must be one of: LoadBalancerArn, SecurityGroups",
  "errorType": "ParamValidationError"

Updating just the Security Group works fine. For some reason, the API is not "aware" of the 3rd parameter "EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic".

Both API documentation pages show "EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic" as a parameter:

Python: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/elbv2/client/set_security_groups.html

AWS SDK for JavaScript v3: https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/elastic-load-balancing-v2/command/SetSecurityGroupsCommand/

Executing the change via the AWS CLI ("aws elbv2 set-security-groups") works fine, as long as it's using the latest AWS CLI, 2.13.33. Older AWS CLI versions also complain about not recognizing "--enforce-security-group-inbound-rules-on-private-link-traffic":

aws elbv2 set-security-groups \
    --load-balancer-arn ***** \
    --security-groups ***** \
    --enforce-security-group-inbound-rules-on-private-link-traffic on

Here is the Python code I'm using to test the Lambda function:

import boto3

def lambda_handler(event, context):
    client = boto3.client('elbv2')
    # The third parameter is the one the bundled SDK rejects with
    # ParamValidationError (see the execution result below).
    response = client.set_security_groups(
        LoadBalancerArn='***',
        SecurityGroups=['***'],
        EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic='off'
    )
    print(response)

and here is one Execution result:

Test Event Name
test

Response
{
  "errorMessage": "Parameter validation failed:\nUnknown parameter in input: \"EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic\", must be one of: LoadBalancerArn, SecurityGroups",
  "errorType": "ParamValidationError",
  "requestId": "*****",
  "stackTrace": [
    "  File \"/var/task/lambda_function.py\", line 5, in lambda_handler\n    response = client.set_security_groups(\n",
    "  File \"/var/lang/lib/python3.11/site-packages/botocore/client.py\", line 534, in _api_call\n    return self._make_api_call(operation_name, kwargs)\n",
    "  File \"/var/lang/lib/python3.11/site-packages/botocore/client.py\", line 935, in _make_api_call\n    request_dict = self._convert_to_request_dict(\n",
    "  File \"/var/lang/lib/python3.11/site-packages/botocore/client.py\", line 1003, in _convert_to_request_dict\n    request_dict = self._serializer.serialize_to_request(\n",
    "  File \"/var/lang/lib/python3.11/site-packages/botocore/validate.py\", line 381, in serialize_to_request\n    raise ParamValidationError(report=report.generate_report())\n"
  ]
}

Function Logs
START RequestId: ***** Version: $LATEST
[ERROR] ParamValidationError: Parameter validation failed:
Unknown parameter in input: "EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic", must be one of: LoadBalancerArn, SecurityGroups
Traceback (most recent call last):
  File "/var/task/lambda_function.py", line 5, in lambda_handler
    response = client.set_security_groups(
  File "/var/lang/lib/python3.11/site-packages/botocore/client.py", line 534, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/var/lang/lib/python3.11/site-packages/botocore/client.py", line 935, in _make_api_call
    request_dict = self._convert_to_request_dict(
  File "/var/lang/lib/python3.11/site-packages/botocore/client.py", line 1003, in _convert_to_request_dict
    request_dict = self._serializer.serialize_to_request(
  File "/var/lang/lib/python3.11/site-packages/botocore/validate.py", line 381, in serialize_to_request
    raise ParamValidationError(report=report.generate_report())
END RequestId: *****
REPORT RequestId: *****	Duration: 1275.29 ms	Billed Duration: 1276 ms	Memory Size: 128 MB	Max Memory Used: 72 MB	Init Duration: 403.28 ms

Request ID
*****

What am I missing here?

Vini
asked 5 months ago, 355 views
1 Answer
0
Accepted Answer

Hello.

It's probably an issue with the version of boto3 that Lambda is using.
Currently, Lambda uses "boto3-1.27.1" with Python 3.11.
https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html

In my environment, when I created a layer and used "boto3-1.28", the error no longer occurred.
The layer was created using the following commands.
https://repost.aws/knowledge-center/lambda-python-runtime-errors

# Install the latest boto3 (and its botocore dependency) into the layer's python/ directory
LIB_DIR=boto3-mylayer/python
mkdir -p $LIB_DIR
pip3 install boto3 -t $LIB_DIR
# Zip from inside the directory so python/ is at the root of the archive
cd boto3-mylayer
zip -r /tmp/boto3-mylayer.zip .
# Publish the layer and attach it to the function (the layer's boto3 takes precedence over the runtime's bundled one)
aws lambda publish-layer-version --layer-name boto3-mylayer --zip-file fileb:///tmp/boto3-mylayer.zip --compatible-runtimes python3.11
aws lambda update-function-configuration --function-name <Lambda Function Name> --layers arn:aws:lambda:ap-northeast-1:<your AWS Account ID>:layer:boto3-mylayer:1
EXPERT
answered 5 months ago
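The ParamValidationError in the question is raised client-side: botocore validates the kwargs against the service model bundled with the installed botocore before any request is sent, which is why the bundled boto3 1.27.1 rejects a parameter the current docs list. The following is an added example (not code from the question or the answer) showing how a custom-resource Lambda can check the loaded SDK's service model for the parameter and fail with a clear message instead of the validation error. It uses the real botocore introspection API (`client.meta.service_model.operation_model(...).input_shape.members`); the event field names, the placeholder ARN and security group IDs, and the two model member sets in the demo are constructed for illustration. The decision logic takes the member set as an argument so it runs offline without boto3 installed.

```python
"""Preflight check for SetSecurityGroups before calling it from a Lambda.

Checks whether the botocore service model actually loaded at runtime
(bundled or from a layer) knows the PrivateLink enforcement parameter,
rather than discovering that only via ParamValidationError.
"""
import sys

# Parameter and operation names as they appear in the ELBv2 API documentation.
ENFORCE_PARAM = "EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic"
OPERATION = "SetSecurityGroups"


def supported_params(client):
    """Return the input members botocore knows for SetSecurityGroups.

    Real botocore API: the client's service model exposes each operation's
    input shape, whose `members` mapping is what parameter validation uses.
    """
    op = client.meta.service_model.operation_model(OPERATION)
    return set(op.input_shape.members)


def build_set_security_groups_kwargs(lb_arn, security_groups, enforce, supported):
    """Build kwargs for set_security_groups, failing clearly if the SDK is too old.

    `supported` is the member set from supported_params(); it is passed in so
    the decision logic can be exercised without boto3.
    """
    kwargs = {"LoadBalancerArn": lb_arn, "SecurityGroups": list(security_groups)}
    if enforce is None:
        return kwargs
    if enforce not in ("on", "off"):
        raise ValueError(f"{ENFORCE_PARAM} must be 'on' or 'off', got {enforce!r}")
    if ENFORCE_PARAM not in supported:
        raise RuntimeError(
            f"installed botocore service model for {OPERATION} does not know "
            f"{ENFORCE_PARAM} (known members: {sorted(supported)}); upgrade "
            "boto3/botocore, e.g. via a Lambda layer, before calling"
        )
    kwargs[ENFORCE_PARAM] = enforce
    return kwargs


def describe_sdk():
    """Report which boto3/botocore the runtime imported (layer vs bundled)."""
    import boto3, botocore  # imported lazily so this module loads without them
    return {
        "boto3": boto3.__version__,
        "botocore": botocore.__version__,
        # A layer is mounted under /opt; a path starting /opt/python means the layer won.
        "botocore_path": botocore.__file__,
    }


def lambda_handler(event, context):
    """Handler sketch: preflight, then call. Event field names are assumed."""
    import boto3
    client = boto3.client("elbv2")
    print(describe_sdk())
    kwargs = build_set_security_groups_kwargs(
        event["LoadBalancerArn"],
        event["SecurityGroups"],
        event.get("Enforce", "off"),
        supported_params(client),
    )
    return client.set_security_groups(**kwargs)


if __name__ == "__main__":
    # Offline demonstration with constructed member sets: the first mirrors the
    # members listed in the question's error message (old SDK), the second adds
    # the parameter as a current SDK's model does.
    old_model = {"LoadBalancerArn", "SecurityGroups"}
    new_model = old_model | {ENFORCE_PARAM}
    lb = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/example/0123456789abcdef"
    print(build_set_security_groups_kwargs(lb, ["sg-0123456789abcdef0"], "off", new_model))
    try:
        build_set_security_groups_kwargs(lb, ["sg-0123456789abcdef0"], "off", old_model)
    except RuntimeError as exc:
        print("old SDK:", exc, file=sys.stderr)
```

In the Lambda itself, the `describe_sdk()` output in the logs is the quickest way to confirm the layer is actually the copy being imported; if `botocore_path` still points under `/var/runtime` or `/var/lang`, the bundled SDK won and the preflight will keep failing regardless of the layer's version.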
