From b9f5ecacde63da9fb8b7e0e302285ce8155324f7 Mon Sep 17 00:00:00 2001
From: Bert Blommers
Date: Mon, 19 Sep 2022 21:34:06 +0000
Subject: [PATCH] EC2:run_instances() now validates the provided SecurityGroup (#5486)
---
 moto/ec2/models/instances.py | 11 ++++++++---
 tests/test_ec2/test_instances.py | 13 +++++++++++++
 2 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/moto/ec2/models/instances.py b/moto/ec2/models/instances.py
index 1ec92e8331d8..4d9e4b6bab64 100644
--- a/moto/ec2/models/instances.py
+++ b/moto/ec2/models/instances.py
@@ -21,6 +21,7 @@
 InvalidInstanceIdError,
 InvalidInstanceTypeError,
 InvalidParameterValueErrorUnknownAttribute,
+ InvalidSecurityGroupNotFoundError,
 OperationNotPermitted4,
 )
 from ..utils import (
@@ -596,8 +597,6 @@ def add_instances(self, image_id, count, user_data, security_group_names, **kwar
 ):
 if settings.EC2_ENABLE_INSTANCE_TYPE_VALIDATION:
 raise InvalidInstanceTypeError(kwargs["instance_type"])
- new_reservation = Reservation()
- new_reservation.id = random_reservation_id()
 security_groups = [
 self.get_security_group_by_name_or_id(name)
 for name in security_group_names
@@ -605,10 +604,16 @@ def add_instances(self, image_id, count, user_data, security_group_names, **kwar
 for sg_id in kwargs.pop("security_group_ids", []):
 if isinstance(sg_id, str):
- security_groups.append(self.get_security_group_from_id(sg_id))
+ sg = self.get_security_group_from_id(sg_id)
+ if sg is None:
+ raise InvalidSecurityGroupNotFoundError(sg_id)
+ security_groups.append(sg)
 else:
 security_groups.append(sg_id)
+ new_reservation = Reservation()
+ new_reservation.id = random_reservation_id()
+
 self.reservations[new_reservation.id] = new_reservation
 tags = kwargs.pop("tags", {})
diff --git a/tests/test_ec2/test_instances.py b/tests/test_ec2/test_instances.py
index 432e84bc1db5..f0f3622cf616 100644
--- a/tests/test_ec2/test_instances.py
+++ b/tests/test_ec2/test_instances.py
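Review bot: The `if sg is None` check in the third hunk covers only string entries of `security_group_ids`; the `security_group_names` list comprehension just above it (context of the second hunk) still stores whatever `self.get_security_group_by_name_or_id(name)` returns. If that helper can also return None for an unknown group (its body is not in this diff), a launch that names a nonexistent group would still succeed in the mock, so tests for launch or network-policy code could pass against a group that does not exist. I would resolve the names in a loop as well and `raise InvalidSecurityGroupNotFoundError(name)` when the lookup yields None. add_instances starts before and continues past these hunks, so later use of `security_groups` was not checked.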
@@ -688,6 +688,19 @@ def test_get_instances_filtering_by_ni_private_dns():
 reservations[0]["Instances"].should.have.length_of(1)
+@mock_ec2
+def test_run_instances_with_unknown_security_group():
+ client = boto3.client("ec2", region_name="us-east-1")
+ sg_id = f"sg-{str(uuid4())[0:6]}"
+ with pytest.raises(ClientError) as exc:
+ client.run_instances(
+ ImageId=EXAMPLE_AMI_ID, MinCount=1, MaxCount=1, SecurityGroupIds=[sg_id]
+ )
+ err = exc.value.response["Error"]
+ err["Code"].should.equal("InvalidGroup.NotFound")
+ err["Message"].should.equal(f"The security group '{sg_id}' does not exist")
+
+
 @mock_ec2
 def test_get_instances_filtering_by_instance_group_name():
 client = boto3.client("ec2", region_name="us-east-1")
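Review bot: The new test pins the error code and message but not the backend state after the rejected call, which is presumably why `Reservation()` was moved below the security-group lookup in instances.py. Nothing here would fail if a later change registered the reservation before validating again, leaving an empty reservation behind for each failed launch. I would capture `client.describe_instances()["Reservations"]` before the call and assert the same value after the `with` block; if this suite also runs against a shared server, a narrower filter may be needed. A sibling case passing `SecurityGroups=[...]` with an unknown name would exercise the name path as well.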