Trying to find security group rule ID matching filters using CLI; "describe-security-groups" versus "describe-security-group-rules"


Using CLI version 2.11.20. I'm trying to find the security group rule ID (sgr-XXXX) in order to form up the ARN required as a parameter in subsequent commands.

The "describe-security-groups" subcommand is almost perfect for this, as it lets me give precisely the filters that narrow down the results. A pseudocode example with all real numbers replaced with cultural references:

aws ec2 describe-security-groups --filters \
    'Name=group-id,Values=sg-8675309'   \
    'Name="egress.ip-permission.protocol",Values="-1"'    \
    'Name="egress.ip-permission.cidr",Values="a.b.c.d/n"' ...
{
  "SecurityGroups": [
    {
      "Description": "....",
      "GroupName": "....",
      "IpPermissions": [
        {
          "IpProtocol": ....,
          "IpRanges": ....,
        },
        {
          "IpProtocol": ....,
          "IpRanges": ....,
        },
      ],
      "OwnerId": "24601",
      "GroupId": "sg-8675309",
      "IpPermissionsEgress": [
        ....
      ],
      "VpcId": "vpc-12345"
    }
  ]
}

Unfortunately, the individual rules ("IpProtocol", "IpRanges", etc) don't include the relatively new SecurityGroupRuleId field for a given rule. So I have no way of identifying a rule once the --filters have narrowed it down, and nothing to extract with --query.

In comes the "describe-security-group-rules" subcommand. This has excellent output from a query:

{
  "SecurityGroupRules": [
    {
      "SecurityGroupRuleId": "sgr-2216862",
      "GroupId": "sg-8675309",
      "GroupOwnerId": "24601",
      "IpProtocol": "-1",
      "CidrIpv4": "a.b.c.d/n",
      ... all the other rule parameters ...
    }, { ... }, { ... }
  ]
}

including the all-important sgr- ID code. (Example here is the asteroid number where the Scopuli was hidden in the first book/season of The Expanse.)

However, the supported --filters list for "describe-security-group-rules" is... anemic. We can filter on the security group ID obviously, the security group rule ID (that's what I'm trying to find out), and... the tags. That's it.

I'm trying to think of a way of programmatically narrowing down and extracting the security group rule IDs, given that the most capable filtering command (describe-security-groups) has no support for rule IDs, and the most specific command (describe-security-group-rules) has minimal capabilities. Right now I'm thinking to give a describe-security-group-rules command filtering on the security group ID (which I'll have available), then pipe the JSON into an annoyingly complicated jq command to do the same kind of filtering that I would have done in aws ec2 describe-security-groups --filters .... My limiting factor with this solution is that trying to do filters/queries using jq is an exercise in coredumps and useless error messages.

1 Answer

Would something like this work?

# Note: IpProtocol and CidrIpv4 are strings in the response, so they must be compared
# against raw string literals ('...'); a backtick literal such as `-1` is parsed as the
# JSON number -1 and never equals the string "-1". IsEgress is a boolean, so `true` is right.
aws ec2 describe-security-group-rules \
    --filters Name="group-id",Values="sg-1234567890abdcef" \
    --output text \
    --query "SecurityGroupRules[?IsEgress==\`true\` && IpProtocol=='-1' && CidrIpv4=='a.b.c.d/n'].SecurityGroupRuleId"
kentrad (AWS EXPERT), answered 10 months ago
  • I think your idea is right, but the "?" query fails to match anything as soon as I start introducing boolean operators like "&&". Played around with syntax trying to group in parenthetical expressions and similar, but made zero progress. But at least the output from "--query 'SecurityGroupRules'" is in a format that we can work with, so we're not blocked. Cheers!
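As an added example that is not part of the question or the answer above: a small Python script that applies the same attribute filter the asker wants to the describe-security-group-rules JSON (protocol, CIDR, ports, direction, or a referenced group) and then builds the rule ARN. The response, rule IDs, account and region are constructed placeholders; the ARN layout is the standard EC2 security-group-rule form.

```python
import json

# Constructed sample of `aws ec2 describe-security-group-rules` output;
# every ID, account and address below is a placeholder, not a real resource.
SAMPLE_RESPONSE = json.loads("""
{"SecurityGroupRules": [
  {"SecurityGroupRuleId": "sgr-0aaa", "GroupId": "sg-8675309", "GroupOwnerId": "123456789012",
   "IsEgress": true, "IpProtocol": "-1", "FromPort": -1, "ToPort": -1, "CidrIpv4": "10.0.0.0/8"},
  {"SecurityGroupRuleId": "sgr-0bbb", "GroupId": "sg-8675309", "GroupOwnerId": "123456789012",
   "IsEgress": false, "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIpv4": "10.0.0.0/8"},
  {"SecurityGroupRuleId": "sgr-0ccc", "GroupId": "sg-8675309", "GroupOwnerId": "123456789012",
   "IsEgress": false, "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
   "ReferencedGroupInfo": {"GroupId": "sg-0bastion", "UserId": "123456789012"}},
  {"SecurityGroupRuleId": "sgr-0ddd", "GroupId": "sg-8675309", "GroupOwnerId": "123456789012",
   "IsEgress": true, "IpProtocol": "-1", "FromPort": -1, "ToPort": -1, "CidrIpv6": "::/0"}
]}
""")


def find_rule_ids(response, *, is_egress, ip_protocol, cidr_ipv4=None,
                  referenced_group=None, from_port=None, to_port=None):
    """Return the sgr- IDs whose attributes equal every criterion given.

    Comparisons use the JSON types the API returns (IpProtocol is the
    string "-1" or "tcp", ports are ints, IsEgress is a bool), so
    ip_protocol=-1 matches nothing, like a JMESPath `-1` literal. Rules
    keyed by CIDR, prefix list or group carry different keys, hence .get().
    """
    want = {"IsEgress": is_egress, "IpProtocol": ip_protocol,
            "CidrIpv4": cidr_ipv4, "FromPort": from_port, "ToPort": to_port}
    matches = []
    for rule in response["SecurityGroupRules"]:
        if any(v is not None and rule.get(k) != v for k, v in want.items()):
            continue
        if referenced_group is not None and \
                rule.get("ReferencedGroupInfo", {}).get("GroupId") != referenced_group:
            continue
        matches.append(rule["SecurityGroupRuleId"])
    return matches


def rule_arn(region, account_id, rule_id, partition="aws"):
    """ARN form that tagging and IAM conditions use for a single rule."""
    return f"arn:{partition}:ec2:{region}:{account_id}:security-group-rule/{rule_id}"


if __name__ == "__main__":
    for sgr in find_rule_ids(SAMPLE_RESPONSE, is_egress=True,
                             ip_protocol="-1", cidr_ipv4="10.0.0.0/8"):
        print(rule_arn("us-east-1", "123456789012", sgr))  # prints .../sgr-0aaa
```

Feed it the real output with `aws ec2 describe-security-group-rules --filters Name=group-id,Values=<sg-id> > rules.json` and `json.load(open("rules.json"))` in place of the constructed sample.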
