I want to receive some values from an AWS SecurityGroup and am using the following command:

aws ec2 describe-security-groups --group-ids $GROUP \
  --filters 'Name=ip-permission.from-port,Values=22 Name=ip-permission.to-port,Values=22' \
  --query 'SecurityGroups[*].IpPermissions[*].{cidr:Ipv6Ranges[*].CidrIpv6,from:FromPort,to:ToPort}' \
  --output json

The output however delivers all existing port ranges whereas only port 22 is expected:

[
    [
        {
            "cidr": [
                "::/0"
            ],
            "from": 80,
            "to": 80
        },
        {
            "cidr": [
                "2001::snip/128"
            ],
            "from": 22,
            "to": 22
        },
        {
            "cidr": [
                "::/0"
            ],
            "from": 443,
            "to": 443
        }
    ]
]

It seems my filter isn't applied. Any hint is highly appreciated!

Carsten

1 Answer

The filter is working correctly. You've requested all security groups that contain (but are not limited to) ToPort == 22 and FromPort == 22. Your query needs to limit what is output. You can do this by adding:

?ToPort == `22` 

to the IpPermissions[] part of the query to further limit the output.

The following should give you the output you're looking for:

aws ec2 describe-security-groups \
  --filters 'Name=ip-permission.from-port,Values=22 Name=ip-permission.to-port,Values=22' \
  --query 'SecurityGroups[*].IpPermissions[?ToPort == `22`].{cidr:Ipv6Ranges[*].CidrIpv6,from:FromPort,to:ToPort}' \
  --output json

References

CLI Usage Output

kenlukas
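
Added example, not part of the question or the answer: a Python sketch over a constructed response that contrasts group-level selection (what --filters does) with per-rule selection (what the ToPort predicate in --query does). It goes one step further than the answer by also listing rules whose port range or -1 protocol covers port 22, which an exact-match predicate skips; select_groups is a simplified model of the server-side filter, and all function names and sample values are assumptions.

```python
# Constructed response shaped like `aws ec2 describe-security-groups --output json`.
# The group id and CIDRs are placeholders, not values from the post.
SAMPLE = {"SecurityGroups": [{
    "GroupId": "sg-EXAMPLE",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "Ipv6Ranges": [{"CidrIpv6": "2001:db8::1/128"}]},
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        # All-traffic rules carry no FromPort/ToPort keys at all.
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "2001:db8::/32"}]},
    ],
}]}


def select_groups(response, port):
    """Simplified model of --filters: keep a group, with ALL its rules,
    when at least one rule has FromPort and ToPort equal to `port`."""
    return [g for g in response["SecurityGroups"]
            if any(r.get("FromPort") == port and r.get("ToPort") == port
                   for r in g["IpPermissions"])]


def exact_rules(group, port):
    """Same selection as the JMESPath predicate [?ToPort == `22`]."""
    return [r for r in group["IpPermissions"] if r.get("ToPort") == port]


def rules_covering(group, port):
    """Rules that actually admit `port`: ranges containing it, or protocol -1."""
    return [r for r in group["IpPermissions"]
            if r["IpProtocol"] == "-1"
            or ("FromPort" in r and r["FromPort"] <= port <= r["ToPort"])]


def project(rule):
    """Same projection as the --query in the post: cidr / from / to."""
    return {"cidr": [x["CidrIpv6"] for x in rule.get("Ipv6Ranges", [])],
            "from": rule.get("FromPort"), "to": rule.get("ToPort")}


if __name__ == "__main__":
    for group in select_groups(SAMPLE, 22):
        print("filter only :", len(group["IpPermissions"]), "rules returned")
        print("exact match :", [project(r) for r in exact_rules(group, 22)])
        print("covers 22   :", [project(r) for r in rules_covering(group, 22)])
```

When auditing SSH exposure, the "covers 22" list is the one to review, since the 0-1024 range and the all-traffic rule both admit port 22 without ever having ToPort equal to 22.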