I want to set the NLB Security Enforce inbound rules on PrivateLink traffic to off via Cloudformation, but this option is not available as a parameter for AWS::ElasticLoadBalancingV2::LoadBalancer.
The workaround is to use a Custom Resource and the AWS API, as suggested in this article on StackOverflow:
https://stackoverflow.com/questions/77417813/set-enforce-inbound-rules-on-privatelink-traffic-setting-in-aws-cdk/77422691#77422691
The problem I'm facing is with the lambda invoking function, where the API is completely ignoring the parameter input "EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic" when using NodeJS18, and when using Python I actually get the error:
"errorMessage": "Parameter validation failed:\nUnknown parameter in input: \"EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic\", must be one of: LoadBalancerArn, SecurityGroups",
"errorType": "ParamValidationError"
Updating just the Security Group works fine.
For some reason, the API is not "aware" of the 3rd parameter "EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic".
Both API documentation pages show "EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic" as a parameter:
Python:
https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/elbv2/client/set_security_groups.html
AWS SDK for JavaScript v3:
https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/elastic-load-balancing-v2/command/SetSecurityGroupsCommand/
Executing the change via the AWS CLI ("aws elbv2 set-security-groups") works fine, as long as it's using the latest AWS CLI 2.13.33. Older AWS CLI versions also complain about not recognizing "--enforce-security-group-inbound-rules-on-private-link-traffic":
aws elbv2 set-security-groups \
--load-balancer-arn ***** \
--security-groups ***** \
--enforce-security-group-inbound-rules-on-private-link-traffic on
Here is the Python code I'm using to test the lambda function:
import boto3

def lambda_handler(event, context):
    # elbv2 client from the boto3/botocore bundled in the Lambda runtime
    client = boto3.client('elbv2')
    response = client.set_security_groups(
        LoadBalancerArn='***',
        SecurityGroups=['***'],
        # the parameter botocore rejects as "Unknown parameter in input"
        EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic='off'
    )
    print(response)
and here is one execution result:
Test Event Name
test
Response
{
"errorMessage": "Parameter validation failed:\nUnknown parameter in input: \"EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic\", must be one of: LoadBalancerArn, SecurityGroups",
"errorType": "ParamValidationError",
"requestId": "*****",
"stackTrace": [
" File \"/var/task/lambda_function.py\", line 5, in lambda_handler\n response = client.set_security_groups(\n",
" File \"/var/lang/lib/python3.11/site-packages/botocore/client.py\", line 534, in _api_call\n return self._make_api_call(operation_name, kwargs)\n",
" File \"/var/lang/lib/python3.11/site-packages/botocore/client.py\", line 935, in _make_api_call\n request_dict = self._convert_to_request_dict(\n",
" File \"/var/lang/lib/python3.11/site-packages/botocore/client.py\", line 1003, in _convert_to_request_dict\n request_dict = self._serializer.serialize_to_request(\n",
" File \"/var/lang/lib/python3.11/site-packages/botocore/validate.py\", line 381, in serialize_to_request\n raise ParamValidationError(report=report.generate_report())\n"
]
}
Function Logs
START RequestId: ***** Version: $LATEST
[ERROR] ParamValidationError: Parameter validation failed:
Unknown parameter in input: "EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic", must be one of: LoadBalancerArn, SecurityGroups
Traceback (most recent call last):
File "/var/task/lambda_function.py", line 5, in lambda_handler
response = client.set_security_groups(
File "/var/lang/lib/python3.11/site-packages/botocore/client.py", line 534, in _api_call
return self._make_api_call(operation_name, kwargs)
File "/var/lang/lib/python3.11/site-packages/botocore/client.py", line 935, in _make_api_call
request_dict = self._convert_to_request_dict(
File "/var/lang/lib/python3.11/site-packages/botocore/client.py", line 1003, in _convert_to_request_dict
request_dict = self._serializer.serialize_to_request(
File "/var/lang/lib/python3.11/site-packages/botocore/validate.py", line 381, in serialize_to_request
raise ParamValidationError(report=report.generate_report())
END RequestId: *****
REPORT RequestId: ***** Duration: 1275.29 ms Billed Duration: 1276 ms Memory Size: 128 MB Max Memory Used: 72 MB Init Duration: 403.28 ms
Request ID
*****
What am I missing here?
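The error text itself points at the cause: botocore validates kwargs against the service model shipped inside the installed botocore package, and the Lambda runtime's bundled boto3/botocore can lag behind the version documented online, so a parameter the docs list may simply not exist in the copy the function imports. The handler below is an added example, not the question author's code or anything from AWS; it uses botocore's own service model to check whether the installed SDK knows EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic before calling SetSecurityGroups, and fails closed (a clear error, never a call with the flag silently dropped) when it does not. The event shape (LoadBalancerArn, SecurityGroups, Enforce) and the pure helper functions are assumptions made for this example.

```python
# Added example (not the question author's code): guard SetSecurityGroups on the
# installed botocore's service model so a stale SDK fails fast with an actionable
# message instead of a ParamValidationError, and never silently drops the
# PrivateLink enforcement flag.
import logging

try:
    import boto3
    import botocore
except ImportError:  # lets the pure helpers below run where the SDK is absent
    boto3 = None
    botocore = None

logger = logging.getLogger()
logger.setLevel(logging.INFO)

OPERATION = "SetSecurityGroups"
ENFORCE_PARAM = "EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic"
VALID_ENFORCE_VALUES = ("on", "off")


def known_input_members(client, operation=OPERATION):
    """Input parameter names the *installed* botocore accepts for an operation.

    This is the same model botocore validates kwargs against, so it reports
    exactly what the runtime's SDK knows, independent of the online docs."""
    model = client.meta.service_model.operation_model(operation)
    return set(model.input_shape.members)


def split_supported_params(params, known_members):
    """Partition request kwargs into those the loaded model accepts and those
    it would reject with ParamValidationError."""
    supported = {k: v for k, v in params.items() if k in known_members}
    rejected = sorted(k for k in params if k not in known_members)
    return supported, rejected


def build_request(lb_arn, security_groups, enforce, known_members):
    """Build kwargs for set_security_groups, failing closed if the installed
    SDK cannot express the PrivateLink enforcement setting."""
    if enforce not in VALID_ENFORCE_VALUES:
        raise ValueError(
            f"{ENFORCE_PARAM} must be one of {VALID_ENFORCE_VALUES}, got {enforce!r}"
        )
    params = {
        "LoadBalancerArn": lb_arn,
        "SecurityGroups": list(security_groups),
        ENFORCE_PARAM: enforce,
    }
    supported, rejected = split_supported_params(params, known_members)
    if rejected:
        # Do not fall back to a call without the flag: that would report
        # success while leaving the NLB's enforcement at its previous value.
        raise RuntimeError(
            f"installed botocore does not know {rejected} for {OPERATION}; "
            "package a current boto3/botocore with the function (zip or layer)"
        )
    return supported


def lambda_handler(event, context):
    """Event shape is an assumption for this example:
    {"LoadBalancerArn": "...", "SecurityGroups": ["sg-..."], "Enforce": "on"|"off"}"""
    if boto3 is None:
        raise RuntimeError("boto3 is not available in this runtime")
    # Log the SDK versions: the first thing to compare against the docs page.
    logger.info("boto3 %s, botocore %s", boto3.__version__, botocore.__version__)
    client = boto3.client("elbv2")
    request = build_request(
        event["LoadBalancerArn"],
        event["SecurityGroups"],
        event.get("Enforce", "off"),
        known_input_members(client),
    )
    response = client.set_security_groups(**request)
    logger.info("applied: %s", response)
    return {
        "SecurityGroupIds": response.get("SecurityGroupIds", []),
        ENFORCE_PARAM: response.get(ENFORCE_PARAM),
    }
```

When this handler backs a CloudFormation Custom Resource, the RuntimeError should be turned into a FAILED custom-resource response so the stack rolls back; a handler that catches the error and calls set_security_groups without the flag would leave the stack reporting success while the NLB keeps its old enforcement setting. The durable fix for the root cause is to ship a current boto3/botocore in the deployment package or a layer rather than relying on the runtime's bundled copy.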