2

I am trying to delete security groups that have 0 interfaces and are not referred to in the ingress rule of any other security group using boto3. But I am getting this error: An error occurred (DependencyViolation) when calling the DeleteSecurityGroup operation: resource sg-XXYYZZ has a dependent object

I want code to list the ingress rules that refer to security group sg-XXYYZZ and delete those ingress rules using boto3 before I delete the security group: response = ec2.delete_security_group( GroupId=sg, DryRun=False )

I am listing the ingress rules using:

    import boto3

    ec2 = boto3.client("ec2")
    final_del_list = ["sg-XXYYZZ"]  # security groups selected for deletion

    for sg in final_del_list:
        response = ec2.describe_security_groups(GroupIds=[sg])
        print("\n\n Security Group:", sg)
        for res in response['SecurityGroups']:
            msg = "The Ingress rules are as follows: " if len(res['IpPermissions']) > 0 else "No ingress rules"
            print(msg)
            for ip in res['IpPermissions']:
                print("IP Protocol: ", ip['IpProtocol'])
                # FromPort/ToPort are absent when IpProtocol is "-1" (all traffic);
                # using .get() avoids the try/except that also skipped the IP ranges
                print("PORT: ", ip.get('FromPort', 'all'))
                for ip_range in ip['IpRanges']:  # 'range' shadowed the builtin
                    print("IP Ranges: ", ip_range['CidrIp'])
                if not ip['IpRanges']:
                    print("No IP ranges available for this rule")

Can someone guide me on how I can list the security groups that refer to sg-XXYYZZ in their ingress rules, or help me solve the error?

Tannu Priya
  • 313
  • 2
  • 15
  • What is your question? – jarmod Apr 15 '20 at 19:12
  • @jarmod I want to write a code to list down the ingress rules that is referring to security group sg-XXYYZZ and delete those ingress rule using boto3 – Tannu Priya Apr 15 '20 at 19:14
  • Stack Overflow isn't a code-writing service, unfortunately, but we can help you solve specific problems with your code. You could start with describe_security_groups (https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/ec2.html#EC2.Client.describe_security_groups), look at the inbound rules associated with the security group (`IpPermissions`), then look at `IpRanges.CidrIp` to find source security groups starting with 'sg-'. – jarmod Apr 15 '20 at 20:46
  • @jarmod Thank you for your comment. I am not looking for code in answers. As I mentioned, I am trying to write code; I actually did write code, it's just that I am not able to list the security groups. I believe I did not put the question right. I will update my question. Thanks – Tannu Priya Apr 15 '20 at 22:12

2 Answers

3

Seeing your error: An error occurred (DependencyViolation) when calling the DeleteSecurityGroup operation: resource sg-XXYYZZ has a dependent object

I can suggest a few things here rather than writing code as of now.
  1. You cannot delete a security group if it is associated with any instance, even if the instance is in the stopped state.
  2. This might seem to be an orphan security group, but it might be referenced by another security group which is attached to an instance. So you need to first edit that security group; only then can you delete your specified security group.

I wrote one such script on GitHub which might help you

Jassi
  • 521
  • 6
  • 31
2

The security groups can be found listed under UserIdGroupPairs

    response = ec2.describe_security_groups(GroupIds=[sg])
    sg_list = []  # group IDs found in the inbound rules of sg
    for res in response['SecurityGroups']:
        for item in res['IpPermissions']:
            # a distinct name here: reusing 'sg' shadowed the group ID being described
            for pair in item['UserIdGroupPairs']:
                sg_list.append(pair['GroupId'])
Tannu Priya
  • 313
  • 2
  • 15
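
The following is an added example, not code from the question or from either answer, that puts the two answers together: it refuses to touch a group still attached to a network interface, finds the inbound rules of other groups whose `UserIdGroupPairs` name the target, builds the matching `revoke_security_group_ingress` calls, and only then deletes the target. The helper names (`attached_interface_count`, `referencing_rules`, `plan_cleanup`, `run_cleanup`) and the sample group and interface IDs are constructed for this example; `sg-XXYYZZ` is the placeholder from the question. The `group-id` filter of `describe_network_interfaces` and the `ip-permission.group-id` filter of `describe_security_groups` are documented EC2 filters. The revoke permission copies only `GroupId` and `UserId` from each matching pair, which is enough for same-account groups.

```python
# Added example (not from the question or either answer). The planning helpers
# work on plain describe_* response data, so they run offline; run_cleanup()
# is the only part that needs a boto3 EC2 client (boto3.client("ec2")).


def attached_interface_count(network_interfaces, target_sg):
    """Number of ENIs (the 'NetworkInterfaces' list of describe_network_interfaces)
    that carry target_sg. Any non-zero count means DeleteSecurityGroup will fail."""
    return sum(
        1 for eni in network_interfaces
        if any(g.get("GroupId") == target_sg for g in eni.get("Groups", []))
    )


def referencing_rules(security_groups, target_sg):
    """Inbound rules of *other* groups whose UserIdGroupPairs name target_sg.

    Returns [(group_id, permission)], where permission is shaped for
    revoke_security_group_ingress and carries only the pair(s) pointing at the
    target, so IP-range entries sharing the same rule are left untouched."""
    hits = []
    for group in security_groups:
        if group["GroupId"] == target_sg:
            continue  # the target's own rules disappear with the group
        for perm in group.get("IpPermissions", []):
            pairs = [p for p in perm.get("UserIdGroupPairs", []) if p.get("GroupId") == target_sg]
            if not pairs:
                continue
            revoke = {
                "IpProtocol": perm["IpProtocol"],
                "UserIdGroupPairs": [{k: p[k] for k in ("GroupId", "UserId") if k in p} for p in pairs],
            }
            for key in ("FromPort", "ToPort"):  # absent for IpProtocol "-1" (all traffic)
                if key in perm:
                    revoke[key] = perm[key]
            hits.append((group["GroupId"], revoke))
    return hits


def plan_cleanup(security_groups, network_interfaces, target_sg):
    """Ordered list of (client method, kwargs) needed to remove target_sg.
    Raises instead of planning when the group is still attached somewhere."""
    in_use = attached_interface_count(network_interfaces, target_sg)
    if in_use:
        raise RuntimeError(f"{target_sg} is attached to {in_use} network interface(s); not deleting")
    plan = [
        ("revoke_security_group_ingress", {"GroupId": gid, "IpPermissions": [perm]})
        for gid, perm in referencing_rules(security_groups, target_sg)
    ]
    plan.append(("delete_security_group", {"GroupId": target_sg}))
    return plan


def run_cleanup(ec2, target_sg, execute=False):
    """Fetch live data, print the plan, and apply it only when execute=True."""
    enis = ec2.describe_network_interfaces(
        Filters=[{"Name": "group-id", "Values": [target_sg]}]
    )["NetworkInterfaces"]
    # Server-side filter: only groups that have an inbound rule naming target_sg.
    referrers = ec2.describe_security_groups(
        Filters=[{"Name": "ip-permission.group-id", "Values": [target_sg]}]
    )["SecurityGroups"]
    plan = plan_cleanup(referrers, enis, target_sg)
    for method, kwargs in plan:
        print(method, kwargs)
        if execute:
            getattr(ec2, method)(**kwargs)
    return plan


# Constructed sample data standing in for two describe_* responses.
SAMPLE_GROUPS = [
    {"GroupId": "sg-XXYYZZ", "IpPermissions": [            # self-reference: ignored
        {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-XXYYZZ"}]}]},
    {"GroupId": "sg-AAAA01", "IpPermissions": [            # constructed referrer
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
         "UserIdGroupPairs": [{"GroupId": "sg-XXYYZZ", "UserId": "123456789012"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "UserIdGroupPairs": [{"GroupId": "sg-BBBB02"}]}]},
    {"GroupId": "sg-BBBB02", "IpPermissions": [            # constructed referrer, all traffic
        {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-XXYYZZ"}]}]},
]
SAMPLE_ENIS = []  # no interfaces carry the target, so it is a deletion candidate

if __name__ == "__main__":
    for step in plan_cleanup(SAMPLE_GROUPS, SAMPLE_ENIS, "sg-XXYYZZ"):
        print(step)
    # Live use: run_cleanup(boto3.client("ec2"), "sg-XXYYZZ") prints the plan;
    # pass execute=True only after reviewing it.
```

Running the sample yields two revoke calls (one per referring group) followed by the delete; on the sg-AAAA01 rule only the group pair is revoked, so its 10.0.0.0/8 entry survives. The ENI check is done first because, as the first answer notes, a group attached to any instance (stopped or not) cannot be deleted regardless of its rules.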