The example CLI for aws ec2 modify-security-group-rules is not working

[chimerab]

Describe the bug

According to document
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-security-group-rules.html

aws ec2 modify-security-group-rules
--group-id sg-1234567890abcdef0
--security-group-rules SecurityGroupRuleId=sgr-abcdef01234567890,SecurityGroupRule={Description=test,IpProtocol=-1,CidrIpv4=0.0.0.0/0}

Expected Behavior

{
"Return": true
}

Current Behavior

Parameter validation failed:
Invalid type for parameter SecurityGroupRules[0].SecurityGroupRule, value: Description=test, type: <class 'str'>, valid types: <class 'dict'>
Invalid type for parameter SecurityGroupRules[1].SecurityGroupRule, value: IpProtocol=-1, type: <class 'str'>, valid types: <class 'dict'>
Invalid type for parameter SecurityGroupRules[2].SecurityGroupRule, value: CidrIpv4=0.0.0.0/0, type: <class 'str'>, valid types: <class 'dict'>

Reproduction Steps

aws --version
aws-cli/1.22.81 Python/3.7.10 Linux/4.14.290-217.505.amzn2.x86_64 botocore/1.24.26

just copy/past the example in the document in the console.

Possible Solution

aws ec2 modify-security-group-rules
--group-id sg-1234567890abcdef0
--security-group-rules SecurityGroupRuleId=sgr-abcdef01234567890,SecurityGroupRule='{Description=test,IpProtocol=-1,CidrIpv4=0.0.0.0/0}'

Additional Information/Context

No response

CLI version used

1.22.81

Environment details (OS name and version, etc.)

Amazon Linux 2

[yankeexe]

Experiencing the same issue.

[tim-finnigan]

Hello and thanks for reaching out. It looks like the example should be:

aws ec2 modify-security-group-rules 
        --group-id sg-1234567890abcdef0 
        --security-group-rules SecurityGroupRuleId=sgr-abcdef01234567890,SecurityGroupRule={{Description=test},{IpProtocol=-1},{CidrIpv4=0.0.0.0/0}}

I created the PR linked above to update the example.

[leosilvapaiola]

Hey guys, I struggled with this issue for 3 hours and finally hit the right syntax for this command to work.

Hidden in an input here by Akshat Sachdeva.

The correct syntax will be:

aws ec2 modify-security-group-rules --group-id sg-xxx
--security-group-rules "SecurityGroupRuleId=sgr-xxx,SecurityGroupRule={Description='SSH
Test1',CidrIpv4=x.x.x.x/32,IpProtocol=tcp,FromPort=22,ToPort=22}"

OR

aws ec2 modify-security-group-rules --group-id sg-xxx
--security-group-rules 'SecurityGroupRuleId=sgr-xxx,SecurityGroupRule={Description="SSH
Test2",CidrIpv4=x.x.x.x/32,IpProtocol=tcp,FromPort=22,ToPort=22}'

PLEASE NOTICE, the single quote and double quote symbols for both options and understand them.

[tjrjaws]

Example is not clear or followable. Not sure how I landed on quotation which was accepted, and its ugly, but it worked from terminal:

aws ec2 modify-security-group-rules --group-id sg-xxx --security-group-rules '{"SecurityGroupRuleId":"sgr-xxx","SecurityGroupRule":{"IpProtocol":"-1","CidrIpv4":"0.0.0.0/0"}}' { "Return": true }

[tim-finnigan]

This seems to be due to an underlying issue with how some shorthand syntax examples are generated. Other services affected include SNS and SQS. Some further investigation is required into what is affected and how to resolve this.

[oleg-ku-32768]

Hey guys, I struggled with this issue for 3 hours and finally hit the right syntax for this command to work.

Same here... 😕
Thanks a lot for clarification!

[Tenosiey]

Thanks to @tjrjaws your example worked for me!
Here is another example that I'm using to update the inbound IPv4 Rules to grant access via RDP to an EC2 Instance.

aws ec2 modify-security-group-rules --profile PROFILE-NAME --group-id sg-123456 --security-group-rules '{"SecurityGroupRuleId":"sgr-123456","SecurityGroupRule":{"Description":"updated rules","IpProtocol":"tcp","FromPort":3389,"ToPort":3389,"CidrIpv4":"8.8.8.8/32"}}'

[wangshu3000]

Tried to fix this in this PR. Can anyone please have a review?
https://github.com/aws/aws-cli/pull/7286/files

[nbaud]

[leosilvapaiola] > Your solution worked for me, thanks :)

[RafaelRanvier]

One more way: aws ec2 modify-security-group-rules --group-id sg-0000000000 --security-group-rules SecurityGroupRuleId=sgr-000000000000000,SecurityGroupRule="{IpProtocol=tcp,FromPort=80,ToPort=80,CidrIpv4=0.0.0.0/0}"

I believe that amazon people simply forgot to put double quotes, I haven't tested it, but it's possible that it works with single quotes too.

[leosilvapaiola]

One more way: aws ec2 modify-security-group-rules --group-id sg-0000000000 --security-group-rules SecurityGroupRuleId=sgr-000000000000000,SecurityGroupRule="{IpProtocol=tcp,FromPort=80,ToPort=80,CidrIpv4=0.0.0.0/0}"

I believe that amazon people simply forgot to put double quotes, I haven't tested it, but it's possible that it works with single quotes too.

Yes that works too, but the main issue was in my case, when I wanted to add a 'description' to the rule. There it is when you have to be careful with the single quotes or the double quotes.

[paulfwhite]

Thanks for lots of good examples.
Here is my working Windows syntax
aws ec2 modify-security-group-rules --group-id sg-abcdef12345678901 --security-group-rules "SecurityGroupRuleId=sgr-1234567890123456,SecurityGroupRule={Description='PW 140224',IpProtocol=tcp,FromPort=3389,ToPort=3389,CidrIpv4=1.2.3.4/32}"

[tim-finnigan]

The quoting in the documented example has since been fixed: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-security-group-rules.html

[github-actions]

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.