/kind bug
1. What kops version are you running? The command kops version will display this information.
$ kops version
Version 1.32.1 (built from v1.32.1 tag, plus cherry‑pick of ca9fa29)
2. What Kubernetes version are you running? kubectl version will print the version if a cluster is running or provide the Kubernetes version specified as a kops flag.
v1.32.7
3. What cloud provider are you using?
AWS
4. What commands did you run? What is the simplest way to reproduce this issue?
kops get assets --name <cluster> --copy
5. What happened after the commands executed?
Error: error running tasks: deadline exceeded executing task SecurityGroup/api-elb.<cluster>.
Example error: operation error EC2: DescribeSecurityGroupRules,
https response error StatusCode: 400,
api error InvalidParameterValue: The filter 'vpc-id' is invalid
6. What did you expect to happen?
kops get assets --copy should finish without errors and copy images/files.
7. Please provide your cluster manifest. Execute kops get --name my.example.com -o yaml to display your cluster manifest.
You may want to remove your cluster name and other sensitive information.
8. Please run the commands with most verbose logging by adding the -v 10 flag.
Paste the logs into this report, or in a gist and provide the gist link here.
Same InvalidParameterValue: The filter 'vpc-id' is invalid from DescribeSecurityGroupRules.
9. Anything else we need to know?
- Root cause – upup/pkg/fi/cloudup/awstasks/securitygroup.go FindDeletions() adds a vpc-id filter to DescribeSecurityGroupRules:

      filters = append(filters,
          awsup.NewEC2Filter("vpc-id", *e.VPC.ID),
          awsup.NewEC2Filter("group-name", *e.Name))

  but that API only allows group-id, security-group-rule-id, or tag:, so AWS returns 400.
- Verification – removing lines 341‑343 (the vpc-id filter) and rebuilding fixes the issue; kops get assets --copy then succeeds.
- Related PR – Fix panic when security group ID is not known #17432 (fixes a nil‑pointer panic but does not remove the invalid filter and is not back‑ported to release‑1.32).
Request / Suggestion
- Back‑port PR Fix panic when security group ID is not known #17432 (ca9fa29) and drop the vpc-id filter in release‑1.32.
- Optionally add a unit test ensuring only group-id | security-group-rule-id | tag filters are used with this API.
Removing those three lines shows no negative side‑effects in my tests (assets copy, cluster validation, rolling‑update all succeed).
Thanks!
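
A sketch of the unit-test guard suggested in the issue above, added here as an example and not taken from kops or from PR #17432. `Filter` is a local stand-in for the AWS SDK filter type, `invalidRuleFilters` is a hypothetical helper, the allow-list is the one stated in the issue, and the sample IDs are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Filter is a local stand-in for the AWS SDK's EC2 filter type
// (assumption: only the filter name matters for this check).
type Filter struct {
	Name   string
	Values []string
}

// allowedRuleFilters is the allow-list stated in the issue for
// DescribeSecurityGroupRules; "tag:<key>" is matched separately as a prefix.
var allowedRuleFilters = map[string]bool{
	"group-id":               true,
	"security-group-rule-id": true,
}

// invalidRuleFilters returns the sorted, de-duplicated names of filters that
// are outside the allow-list. Hypothetical helper, not part of kops.
func invalidRuleFilters(filters []Filter) []string {
	seen := map[string]bool{}
	var bad []string
	for _, f := range filters {
		// "tag:" with an empty key is rejected as well.
		isTag := strings.HasPrefix(f.Name, "tag:") && len(f.Name) > len("tag:")
		if allowedRuleFilters[f.Name] || isTag || seen[f.Name] {
			continue
		}
		seen[f.Name] = true
		bad = append(bad, f.Name)
	}
	sort.Strings(bad)
	return bad
}

func main() {
	// Constructed samples: the filter set quoted in the issue, then one that
	// uses only allowed names.
	buggy := []Filter{{"vpc-id", []string{"vpc-0example"}}, {"group-name", []string{"api-elb.example"}}}
	fixed := []Filter{{"group-id", []string{"sg-0example"}}, {"tag:KubernetesCluster", []string{"example"}}}
	fmt.Println("rejected:", invalidRuleFilters(buggy)) // both names are reported
	fmt.Println("rejected:", invalidRuleFilters(fixed)) // nothing is reported
}
```
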