# aws
p
I've discovered an issue with a security group rule which I can't find in AWS but pulumi claims exists and no amount of refreshing seems to help. -> thread.
I made a security group for my database with code like:
const dbSg = new aws.ec2.SecurityGroup(stackName, {
  description: `security group for ${stackName}`,
  vpcId: vpcId,
  // let the admin sg have access to the db
  ingress: [{
    description: 'mysql in from the admin security group',
    fromPort: 3306,
    toPort: 3306,
    protocol: 'tcp',
    securityGroups: [ dbAdminSg ],
  }],
  tags: {
    Name: `${stackName}`,
  },
},{ provider: provider, ignoreChanges: ['ingress']});
I then exported the id from the aws.rds.Instance with
export const sg = database.vpcSecurityGroupIds[0];
Which works fine and exports the sg-#### id from that stack.
Then I import the id into the api stack and use it to make a security group rule with.
const dbIngress = new aws.ec2.SecurityGroupRule(`${stackName}-db`, {
  type: 'ingress',
  fromPort: 3306,
  toPort: 3306,
  protocol: 'tcp',
  sourceSecurityGroupId: apiSg.id,
  securityGroupId: stacks.dbStack.requireOutput('sg'),
},{ provider: vpc.awsProvider });
I'm not entirely sure what has transpired in the months since I deployed these stacks, but now I have returned to look at them and remove another rule (which allowed similar access from a sg which is being deprecated), and I find that in the Test environment all is as it should be and there is a rule in the db sg to allow the api in. But in the Production stack, despite there being an object with an urn and an id for the rule, the rule is not on the db security group in AWS.
I assumed a refresh would check if the rule existed and then an up would want to replace it, but that does not seem to work.
I can delete the object by urn from the stack with pulumi state delete and then I assume that it will want to recreate it.
What upsets me most is that the sg rules have a different id and in fact id format in AWS and pulumi. The aws ones are like
sgr-abcdefghi01234561
and the pulumi ones
sgrule-12345678
and thus it is difficult to cross-reference the rules and know that the rule really doesn't exist in AWS and thus really should be removed from the stack. I'm also concerned that a refresh doesn't seem to find the missing sg-rule.
l
Refresh doesn't find things that Pulumi doesn't know about. It updates things it does know about. If a new rule has been added to an existing security group, you need to add the correct code to describe it, and then refresh.