# general
h
Hi @everyone, I am deploying a REST API with an application load balancer, but I got a bucket notification error first. After I ran `pulumi up` again, the bucket notification error disappeared, but I got another error: `A duplicate Security Group rule was found`. I investigated the deployment and it seems to be related to the load balancer security group. Would love to get some assistance on this.
l
Are you creating the ALB using awsx? That creates some extra resources for you. If you want full control over everything that's being created, don't use awsx.
h
yes, but then what is the best option?
l
Do you mean, which args do you use? That depends on your use case. Do you mean, which provider do you use? aws.
h
aws
I am deploying a Fargate service.
I created a listener from the ALB and used that for the portMapping in the Fargate taskDefinition.
l
What problems are you currently facing?
h
```text
aws:ec2:SecurityGroupRule (api-xxxx-external-0-ingress):
    error: 1 error occurred:
        * [WARN] A duplicate Security Group rule was found on (sg-xxxxx). This may be
    a side effect of a now-fixed Terraform issue causing two security groups with
    identical attributes but different source_security_group_ids to overwrite each
    other in the state. See https://github.com/hashicorp/terraform/pull/2376 for more
    information and instructions for recovery. Error: InvalidPermission.Duplicate: the specified rule "peer: 0.0.0.0/0, TCP, from port: 80, to port: 80, ALLOW" already exists
        status code: 400, request id: b3973b4a-368c-4ac8-ab83-06536c1b5655
```
I destroyed all resources and ran the deployment again. That was sometimes successful, if I didn't get any error.
But I deploy fairly heavy resources, so I ran into errors almost every time and had to re-deploy. And then I faced the above error.
l
The error message explains the problem. You're deploying the same rule twice. Pulumi can't reconcile SG rules easily, since there's no discriminator within the SG for them. You need to be very careful about changing any of the required properties, or about building the SG rules from any sort of unordered collection.
You'll probably need to enhance your rule-creation logic to ensure there's no possibility of creating a particular rule before the old copy of the rule is properly deleted.
The heavy-handed workaround is to comment out all the rules when this happens, `pulumi up`, then uncomment them and `pulumi up` again.
h
IMO the security group rule is created implicitly, not explicitly, when creating the listener in the ALB. Am I right?
l
I'd have to see the code. Did you use the awsx library?
I see security group rules added here: https://github.com/pulumi/pulumi-awsx/blob/44d871d77778c9c5cad7b0e421a37b4153692bc9/awsx/lb/applicationLoadBalancer.ts#L91 Maybe you need to set `defaultSecurityGroup: false` to delete them.
h
```typescript
import * as awsx from "@pulumi/awsx";
// Note: with awsx 1.x the classic API used below is imported from "@pulumi/awsx/classic".

// Placeholder names; the original snippet defines these elsewhere.
const vpcName = "api-vpc";
const clusterName = "api-cluster";

// VPC with a single NAT gateway (classic awsx API).
const vpc = new awsx.ec2.Vpc(vpcName, {
  tags: { Name: vpcName }, // fixed: the original `${vpcName}` was missing its template-literal backticks
  numberOfNatGateways: 1,
});

// ECS cluster; awsx creates a default security group for it.
const cluster = new awsx.ecs.Cluster(clusterName, {
  vpc,
});

// Internet-facing ALB that reuses the cluster's security groups, so awsx
// does not create its own ALB security group rules.
const listener = new awsx.lb.ApplicationLoadBalancer("alb", {
  vpc,
  external: true,
  securityGroups: cluster.securityGroups,
})
  .createTargetGroup("target", {
    port: 3001,
    protocol: "HTTP",
    healthCheck: {
      path: "/healthCheck",
    },
  })
  .createListener("server", { port: 80, external: true });
```
l
Or maybe create your own security group and pass it in as `defaultSecurityGroup.securityGroupId`? Not sure.
Ok, from that code you've just posted, it looks like the ALB isn't creating any security group rules, because you're providing `securityGroups`. So the problem is in the cluster code.
h
There is nothing to do in cluster code
l
Well, the ALB code creates (as far as I can tell) exactly two security group rules, and they're guarded by `if (!lbArgs.securityGroups && !defaultSecurityGroup?.skip) {`. And since `lbArgs.securityGroups` is truthy, the rules aren't being created. You have problems with security group rules, but it looks like it's not these two security group rules.
What kind of cluster are you creating, and how?
Ah I see it above
Are you using awsx.classic? There's no Cluster in the API docs.
h
yes
l
You could either create your own security groups and pass them in to the cluster constructor, or else maybe rename the cluster so the existing resources get destroyed and recreated?
h
So the VPC name should be dynamic, right?
l
I don't know what a dynamic name is.
But you should generally try very hard not to change the name of a resource. It's awkward.
Not sure what that has to do with security group rules though?
h
thank you for your assistance