I'm using the JavaScript SDK to revoke a non-default VPC security group's ingress based on the IP address (CIDR block), but am getting the error "Source group ID missing".
(node:8514) UnhandledPromiseRejectionWarning: MissingParameter: Source group ID missing.
I can set the same security group id to 'SourceSecurityGroupOwnerId', but this doesn't work (and isn't really what I'm after).
Note that actualIpPermissions is retrieved from ec2sdk.describeSecurityGroups.SecurityGroups[0].IpPermissions, not hard coded.
My code:
    const actualIpPermissions = [{
      FromPort: 22,
      IpProtocol: "tcp",
      IpRanges: [
        { CidrIp: "2.123.116.234/32", Description: "SSH some place" },
        { CidrIp: "203.44.22.112/32", Description: "SSH from somewhere else" }
      ],
      Ipv6Ranges: [],
      PrefixListIds: [],
      ToPort: 22,
      UserIdGroupPairs: []
    }]
    const params = {
      GroupId: 'sg-111111',
      IpPermissions: actualIpPermissions
    }
    await ec2Sdk.revokeSecurityGroupIngress(params).promise()
I'm using aws-sdk-js version 2.275.1
Running the equivalent command in the aws-cli works correctly:
aws ec2 revoke-security-group-ingress --group-id sg-111111 --ip-permissions '[{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "2.123.116.234/32", "Description": "SSH some place"},{"CidrIp":"203.44.22.112/32", "Description":"SSH from somewhere else"}]}]'
Although the Ipv6Ranges / PrefixListIds / UserIdGroupPairs properties being supplied to revokeSecurityGroupIngress are empty arrays, the AWS SDK is still validating these.
It seems that the "Source group ID missing." error is coming from UserIdGroupPairs.
To be safe, it looks like best practice is to remove any empty array / object if it isn't strictly required.
I'm not sure if this is true for all SDK functions, but it applies to the authorizeSecurityGroupIngress function also.
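
The workaround described in the answer above, as an added example that is not part of the original post: it strips empty array members from the IpPermissions returned by describeSecurityGroups, and goes one step further by keeping only the single CIDR block to be revoked. The helper names `pruneEmptyArrays` and `buildRevokeParams` are hypothetical, and the sample input is constructed to match the shape shown in the question.

```javascript
// Constructed sample, same shape as the IpPermissions in the question.
const described = [{
  FromPort: 22,
  IpProtocol: "tcp",
  IpRanges: [
    { CidrIp: "2.123.116.234/32", Description: "SSH some place" },
    { CidrIp: "203.44.22.112/32", Description: "SSH from somewhere else" }
  ],
  Ipv6Ranges: [],
  PrefixListIds: [],
  ToPort: 22,
  UserIdGroupPairs: []
}];

// Drop every property whose value is an empty array, so the request carries
// no empty UserIdGroupPairs / Ipv6Ranges / PrefixListIds members.
function pruneEmptyArrays(permission) {
  const out = {};
  for (const [key, value] of Object.entries(permission)) {
    if (Array.isArray(value) && value.length === 0) continue;
    out[key] = value;
  }
  return out;
}

// Build revoke params that target one CIDR block only (hypothetical helper).
// Rules that do not contain the CIDR are left out of the request entirely.
function buildRevokeParams(groupId, ipPermissions, cidr) {
  const matching = ipPermissions
    .map(p => ({
      ...p,
      IpRanges: (p.IpRanges || []).filter(r => r.CidrIp === cidr)
    }))
    .filter(p => p.IpRanges.length > 0)
    .map(pruneEmptyArrays);
  if (matching.length === 0) {
    // Refuse to send a request that would not match any existing rule.
    throw new Error(`No ingress rule in ${groupId} matches ${cidr}`);
  }
  return { GroupId: groupId, IpPermissions: matching };
}

const revokeParams = buildRevokeParams("sg-111111", described, "2.123.116.234/32");
console.log(JSON.stringify(revokeParams, null, 2));
// The result is what would be passed to the call from the question:
//   await ec2Sdk.revokeSecurityGroupIngress(revokeParams).promise()
```

Because only the matching IpRanges entry is sent, the other SSH rule on the group stays in place.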