EC2: Fix egress rules used in ingress revoke method (#6180)

getmoto · Apr 6, 2023 · dc460a3 · dc460a3
1 parent bbb07b4
commit dc460a3
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 1 deletion.
diff --git a/moto/ec2/models/security_groups.py b/moto/ec2/models/security_groups.py
@@ -733,7 +733,7 @@ def revoke_security_group_ingress(
 
         if security_rule_ids:
             group.ingress_rules = [
-                rule for rule in group.egress_rules if rule.id not in security_rule_ids
+                rule for rule in group.ingress_rules if rule.id not in security_rule_ids
             ]
             return
 

diff --git a/tests/test_ec2/test_security_groups.py b/tests/test_ec2/test_security_groups.py
@@ -1820,3 +1820,52 @@ def test_filter_group_name():
     security_groups = list(security_groups)
     assert len(security_groups) == 1
     assert security_groups[0].group_name == sg1.group_name
+
+
+@mock_ec2
+def test_revoke_security_group_ingress():
+    ec2 = boto3.client("ec2", region_name="us-east-1")
+
+    vpc = ec2.create_vpc(CidrBlock="10.0.0.0/16")
+
+    sg = ec2.create_security_group(
+        Description="Test SG", GroupName=str(uuid4()), VpcId=vpc["Vpc"]["VpcId"]
+    )
+    sg_id = sg["GroupId"]
+
+    ec2.authorize_security_group_ingress(
+        GroupId=sg_id,
+        IpPermissions=[
+            {
+                "FromPort": 3000,
+                "ToPort": 3300,
+                "IpProtocol": "TCP",
+                "IpRanges": [{"CidrIp": "10.0.0.1/32"}],
+            },
+            {
+                "FromPort": 8080,
+                "ToPort": 8080,
+                "IpProtocol": "TCP",
+                "IpRanges": [{"CidrIp": "10.0.0.1/32"}],
+            },
+        ],
+    )
+
+    response = ec2.describe_security_group_rules(
+        Filters=[{"Name": "group-id", "Values": [sg_id]}]
+    )
+
+    ingress_rules = [r for r in response["SecurityGroupRules"] if not r["IsEgress"]]
+    assert len(ingress_rules) == 2
+
+    # revoke 1 of the 2 ingress rules
+    ec2.revoke_security_group_ingress(
+        GroupId=sg_id, SecurityGroupRuleIds=[ingress_rules[0]["SecurityGroupRuleId"]]
+    )
+
+    response = ec2.describe_security_group_rules(
+        Filters=[{"Name": "group-id", "Values": [sg_id]}]
+    )
+
+    ingress_rules = [r for r in response["SecurityGroupRules"] if not r["IsEgress"]]
+    assert len(ingress_rules) == 1