How to delete an AWS WAF IP set IP using a CLI command?


I'm trying to delete an AWS WAF IP-SETS IP using a CLI command.

I'm using this command:

aws waf delete-ip-set --name PROD-IP-SUSPECTS --scope REGIONAL ap-south-1

I'm getting this error:

usage: aws [options] <command> <subcommand> [<subcommand> ...] [parameters]

To see help text, you can run:

  aws help
  aws <command> help
  aws <command> <subcommand> help
aws: error: the following arguments are required: --ip-set-id, --change-token


You can follow the commands below to use it in your case:

[ec2-user@ip-192-168-1-249 ~]$ aws waf get-change-token
{
    "ChangeToken": "77f566dc-f188-4104-a485-74b9702f3704"
}
[ec2-user@ip-192-168-1-249 ~]$ aws waf create-ip-set --name ipset1111 --change-token 77f566dc-f188-4104-a485-74b9702f3704
{
    "IPSet": {
        "IPSetId": "130056e7-32e9-4b44-8f16-a8116221edd4",
        "Name": "ipset1111",
        "IPSetDescriptors": []
    },
    "ChangeToken": "77f566dc-f188-4104-a485-74b9702f3704"
}
[ec2-user@ip-192-168-1-249 ~]$ aws waf list-ip-sets
{
    "IPSets": [
        {
            "IPSetId": "130056e7-32e9-4b44-8f16-a8116221edd4",
            "Name": "ipset1111"
        }
    ]
}
[ec2-user@ip-192-168-1-249 ~]$ aws waf delete-ip-set --ip-set-id 130056e7-32e9-4b44-8f16-a8116221edd4 --change-token 77f566dc-f188-4104-a485-74b9702f3704

An error occurred (WAFStaleDataException) when calling the DeleteIPSet operation: The input token is no longer current.
[ec2-user@ip-192-168-1-249 ~]$ aws waf get-change-token
{
    "ChangeToken": "62ade59c-db73-4cb1-b6e6-318e23553b99"
}
[ec2-user@ip-192-168-1-249 ~]$ aws waf delete-ip-set --ip-set-id 130056e7-32e9-4b44-8f16-a8116221edd4 --change-token 62ade59c-db73-4cb1-b6e6-318e23553b99
{
    "ChangeToken": "62ade59c-db73-4cb1-b6e6-318e23553b99"
}
  • aws waf get-change-token: to get a change token
  • aws waf create-ip-set: to create an IP set
  • aws waf list-ip-sets: to list IP sets

In the docs, they mention this:

Permanently deletes an IPSet. You can’t delete an IPSet if it’s still used in any Rules or if it still includes any IP addresses.

If you just want to remove an IPSet from a Rule, use UpdateRule.

To permanently delete an IPSet from AWS WAF, perform the following steps:

Update the IPSet to remove IP address ranges, if any. For more information, see UpdateIPSet.

Use GetChangeToken to get the change token that you provide in the ChangeToken parameter of a DeleteIPSet request.

Submit a DeleteIPSet request.
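The three steps quoted above (empty the set with UpdateIPSet, fetch a change token, then DeleteIPSet), together with the stale-token failure shown in the session, as an added shell example that is not code from the original post or from AWS. It removes one address from a WAF Classic IP set, which is what the question actually asks for, and only deletes the set once nothing is left in it. The function names, the AWS_CMD override and the sample arguments are my assumptions; the CLI subcommands and flags (`get-change-token`, `get-ip-set`, `update-ip-set --updates`, `delete-ip-set`, `--query`, `--output text`) are the real WAF Classic CLI. Note that `aws waf` is the CloudFront/global endpoint; regional (ALB, API Gateway) sets are managed with `aws waf-regional --region ap-south-1`, and `--scope REGIONAL` is an `aws wafv2` parameter, which is why the command in the question was rejected.

```shell
#!/bin/sh
# Added example (not from the original post or AWS): remove a single address
# from a WAF Classic IP set, fetching a fresh change token for every mutating
# call, and delete the set only once it is empty.
#
# Assumptions (mine): the caller supplies the IP set id and the CIDR to drop.
# AWS_CMD defaults to the global endpoint; override it with
#   AWS_CMD="aws waf-regional --region ap-south-1"
# for regional sets, or point it at a stub function when testing offline.
set -eu

# Deliberately expanded unquoted below so "aws waf-regional --region X"
# splits into separate words.
AWS_CMD="${AWS_CMD:-aws waf}"

# UpdateIPSet/DeleteIPSet need a token obtained *after* the previous change;
# reusing one, as the session above shows, raises WAFStaleDataException.
change_token() {
    $AWS_CMD get-change-token --query ChangeToken --output text
}

# Current descriptors of an IP set as tab-separated "TYPE<tab>CIDR" rows.
list_descriptors() {
    $AWS_CMD get-ip-set --ip-set-id "$1" \
        --query 'IPSet.IPSetDescriptors[].[Type,Value]' --output text
}

# JSON for the --updates parameter: one DELETE of the given descriptor.
delete_update() {
    printf '[{"Action":"DELETE","IPSetDescriptor":{"Type":"%s","Value":"%s"}}]' "$1" "$2"
}

# remove_ip IPSET_ID IPV4|IPV6 CIDR
# Returns 0 when the CIDR was present and removed, 1 when it was not in the
# set, so a mistyped CIDR is reported instead of silently "succeeding".
remove_ip() {
    ip_set_id="$1"; addr_type="$2"; cidr="$3"
    wanted=$(printf '%s\t%s' "$addr_type" "$cidr")
    if ! list_descriptors "$ip_set_id" | grep -qxF "$wanted"; then
        echo "$cidr ($addr_type) is not in IP set $ip_set_id" >&2
        return 1
    fi
    $AWS_CMD update-ip-set --ip-set-id "$ip_set_id" \
        --change-token "$(change_token)" \
        --updates "$(delete_update "$addr_type" "$cidr")" >/dev/null
}

# delete_ip_set IPSET_ID
# DeleteIPSet is rejected while any range remains (and while a rule still
# references the set), so check locally first for a clearer message.
delete_ip_set() {
    ip_set_id="$1"
    remaining=$(list_descriptors "$ip_set_id" | grep -c . || true)
    if [ "$remaining" -ne 0 ]; then
        echo "IP set $ip_set_id still holds $remaining range(s); remove them first" >&2
        return 1
    fi
    $AWS_CMD delete-ip-set --ip-set-id "$ip_set_id" \
        --change-token "$(change_token)" >/dev/null
}

# Usage, e.g.:  remove_ip <ip-set-id> IPV4 198.51.100.7/32
#               delete_ip_set <ip-set-id>
```

Each mutating call fetches its own token immediately before use; that is the only ordering that avoids the `WAFStaleDataException` in the session above once more than one change is made. If the set is still referenced by a rule, `delete_ip_set` will still fail at the API; the page's docs excerpt says to use UpdateRule to detach it first. If the question's `--scope REGIONAL` means the set is actually a WAFv2 one, the flow differs: `aws wafv2 get-ip-set` returns a `LockToken`, and `aws wafv2 update-ip-set --addresses ... --lock-token ...` replaces the whole address list rather than taking per-address INSERT/DELETE updates.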

I think --name is not in the Synopsis in the AWS CLI docs. You can try aws waf delete-ip-set --ip-set-id <value> --change-token <value>.

Follow these docs: https://docs.aws.amazon.com/cli/latest/reference/waf/delete-ip-set.html