1

My EC2 instance has many tags with a desired value EBM. The thing that this value could be in a different Name, sometimes under tag:Name and sometimes tag:XXX, I tried the below query and it didn't work:

 aws --region sa-east-1 ec2 describe-security-groups --filters 'Name=*,Values=*EBM*'

An error occurred (InvalidParameterValue) when calling the DescribeSecurityGroups operation: The filter '*' is invalid

any idea how to make the Name as wild card just match the value?

I tried this and it didn't work:

 aws --region sa-east-1 ec2 describe-security-groups --filters 'Name=*,Values=*EBM*'

An error occurred (InvalidParameterValue) when calling the DescribeSecurityGroups operation: The filter '*' is invalid

I also tried this and didn't work:

aws --region sa-east-1 ec2 describe-security-groups --filters 'Name=*.*,Values=*EBM*'
TheHero
  • 11
  • 3

2 Answers2

1

Latest Edit:

I have tested that in my lab environment and its possible to get what you are looking for combining --filter & -query altogether!

Alternatively, you can use the contains function with the Tag[] in the query to match tag values that contain SecGrp anywhere in the value, Keep in mind that the --query option uses the JMESPath query language, which has its own syntax and rules. You can find more information on using JMESPath queries in the AWS CLI documentation.

Further, to get the tag values for security groups in a hash form (i.e., a dictionary or associative array), you can combine that with your --query to get a nicer readable format, below is how you can get that ...

 $ aws ec2 describe-security-groups --filters Name=tag-key,Values="*" --query 'SecurityGroups[*].Tags[?contains(Value, `EBM`)][].{Key: Key, Value: Value}' --profile dev
[
    {
        "Key": "mylabtest",
        "Value": "EBMSecGrpec2"
    },
    {
        "Key": "mylabtest",
        "Value": "EBMSecGrpfsxontap"
    },
    {
        "Key": "mylabtest",
        "Value": "EBMSecGrpfsxlustre"
    },
    {
        "Key": "mylabtest",
        "Value": "EBMSecGrpPostConfigAWSCodeBuild"
    }
]

You can get into into tablular form as well..

 aws ec2 describe-security-groups --filters Name=tag-key,Values="*" --query 'SecurityGroups[*].Tags[?contains(Value, `EBM`)][].{Key: Key, Value: Value}' --profile dev  --output table

Use describe-tags

To --filter with a value only regardless of the name in the AWS CLI, you simply can use "Name=value,Values=*tg*".

  • Keep Name=value so as to look at the value fields only.
  • use Value=*EBM* it will fetch all values having EBM regardless of prefix or suffix.

However, You can combine --filters with the --query option to filter the output and only display specific fields. For example, to only display the tag names and values, you can use the following command:

$ aws ec2 describe-tags --filters "Name=value,Values=*tg*" --query 'Tags[*].{Key_Name: Key, VauleOfKey: Value}' --profile dev
[
    {
        "Key_Name": "SSM_Managed",
        "VauleOfKey": "Stg"
    },
    {
        "Key_Name": "SSM_Managed",
        "VauleOfKey": "Stg"
    },
    {
        "Key_Name": "SSM_Managed",
        "VauleOfKey": "Stg"
    },
    {
        "Key_Name": "SSM_Managed",
        "VauleOfKey": "Stg"
    },
    {
        "Key_Name": "SSM_Managed",
        "VauleOfKey": "Stg"
    },
    {
        "Key_Name": "SSM_Managed",
        "VauleOfKey": "Stg"
    },
    {
        "Key_Name": "SSM_Managed",
        "VauleOfKey": "Stg"
    },
    {
        "Key_Name": "SSM_Managed",
        "VauleOfKey": "Stg"
    },
    {
        "Key_Name": "SSM_Managed",
        "VauleOfKey": "Stg"
    }
]

OR

You can get it as a table to be more readable ..

 $ aws ec2 describe-tags --filters "Name=value,Values=*tg*" --query 'Tags[*].{Key_Name: Key, VauleOfKey: Value}' --profile dev --output table
-------------------------------
|        DescribeTags         |
+--------------+--------------+
|   Key_Name   | VauleOfKey   |
+--------------+--------------+
|  SSM_Managed |  Stg         |
|  SSM_Managed |  Stg         |
|  SSM_Managed |  Stg         |
|  SSM_Managed |  Stg         |
|  SSM_Managed |  Stg         |
|  SSM_Managed |  Stg         |
|  SSM_Managed |  Stg         |
|  SSM_Managed |  Stg         |
|  SSM_Managed |  Stg         |
+--------------+--------------+

To make it more explicit before you use above, you can use the following command to be more simplistic. it will return all tags with a value of "VALUE", regardless of the tag name.:

aws ec2 describe-tags --filters "Name=value,Values=VALUE"

If you want to filter the results further, you can include additional filters by adding them to the list in the --filters flag, separated by a comma. For example, to only return tags with a value of "VALUE" that are associated with security groups, you can use the following command:

aws ec2 describe-tags --filters "Name=value,Values=VALUE","Name=resource-type,Values=security-group"

EDIT:

Using describe-security-groups with all values *SecGrpec2* and then get the name of Security group these value belongs to.

$ aws ec2 describe-security-groups --filters "Name=tag-value,Values=*SecGrpec2*" --profile dev | jq -r '.SecurityGroups[].GroupName'
EC2 - SC101
EC2 - SD102
EC2 - ST101
Karn Kumar
  • 8,518
  • 3
  • 27
  • 53
0

Its not possible. You have to get all rules first, then then do filtering yourself.

Marcin
  • 215,873
  • 14
  • 235
  • 294
  • I thought its doable as it can be done from the management console where you can search with value only and it will show you regardless under which Name it belongs . thanks for the confirmation – TheHero Dec 16 '22 at 06:10
  • @TheHero `--filters` is server-side filtering. But you can look into `--query` which is client side filtering. – Marcin Dec 16 '22 at 06:13
  • i found old fashion way :) aws --region sa-east-1 ec2 describe-security-groups | egrep -i "Val.*EBM|GroupId" | grep EBM -B1 | grep GroupId | awk '{print $2}' – TheHero Dec 16 '22 at 06:34
  • @TheHero, this is Old school method, however, i just posted the answer, hope will be quicker and more helpful. – Karn Kumar Dec 30 '22 at 06:57