Adding custom cidr to ingress security group using Lambda without default vpc-CodePudding

First of all I have been searching stackflow and the internet for this but I didn't find exactly where the issue is.

Basically I am trying to add custom cidr ips to a security group via lambda function. I have given all the appropriate permissions (as far as i can tell) [REMOVED]and also tried attaching the vpc (which is non-default) to the lambda function to access the security group[REMOVED].

But I am getting "An error occurred (VPCIdNotSpecified) when calling the AuthorizeSecurityGroupIngress operation: No default VPC for this user"

Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:RevokeSecurityGroupIngress",
                "ec2:CreateNetworkInterface",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeVpcs",
                "ec2:DeleteNetworkInterface",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "wafv2:GetIPSet",
                "logs:CreateLogGroup",
                "wafv2:UpdateIPSet"
            ],
            "Resource": [
                "arn:aws:logs:us-west-2:xxxx:log-group:xxx:log-stream:*",
                "arn:aws:wafv2:us-west-2:xxx:*/ipset/*/*"
            ]
        }
    ]
}

Lambda function:

#!/usr/bin/python3.9
import boto3
ec2 = boto3.client('ec2')
def lambda_handler(event, context):
    response = ec2.authorize_security_group_ingress(
    GroupId='sg-xxxxxxx'
    IpPermissions=[
        { 
            'FromPort': 443,
            'IpProtocol': 'tcp',
            'IpRanges': [
                {
                    'CidrIp': '1x.1x.x.1x/32',
                    'Description': 'adding test cidr using lambda'
                },
            ],
            'ToPort': 443
        }
        ],
        DryRun=True
    )
    return response

Could someone point me to the right direction? VPC is non-default. All I need is the add ingress rule to existing security group within non-default vpc

Thanks

CodePudding user response：

Found the solution: Initially it was syntax error but after googling i thought it requires vpc so I added VPC to the Lambda configuration which was not required for this purpose. For anyone having the same issue (only want to update security group with the cidr): below is the correct function and permissions (function isnt complete as depending on the solution u may want to delete old rules too):

Lambda function:

#!/usr/bin/python3.9
import boto3
ec2 = boto3.client('ec2')
def lambda_handler(event, context):
    response = ec2.authorize_security_group_ingress(
        DryRun=False,
        GroupId='sg-0123456789',
        IpPermissions=[
            { 
                'FromPort': 443,
                'IpProtocol': 'tcp',
                'IpRanges': [
                    {
                        'CidrIp': '1x.2x.3x.4x/32',
                        'Description': 'Security group updated via lambda'
                    }
                ],
                'ToPort': 443
            }
        ]
    )
    return response

IAM Policy on lambda execution role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:ModifySecurityGroupRules",
                "ec2:UpdateSecurityGroupRuleDescriptionsIngress"
            ],
            "Resource": "arn or all"
        }
    ]
}