when a security group is altered it triggers a “re...
# aws
w
when a security group is altered it triggers a “replace” operation — but the delete fails if the security group is being used by other resources (AWS does not allow you to delete a security group that is in use). Is there a workaround for this? cc @dazzling-memory-8548
b
how are you defining your security group, could you share some example code (I have a theory, but want to see some code before I answer 🙂 )
w
If, for example, `description` is updated — pulumi attempts a “replace” which gets the AWS error I mentioned.
b
ah, i was hoping it was just the rules. Unfortunately I don't know of a way around this, it's a limitation of the AWS API. There's no `PATCH` operation for the description, so it has to do a destroy -> recreate.
well, more accurately, there's no API for `UpdateSecurityGroup`, only update the rules
w
right. makes sense. is there anything Pulumi can do to assist with the dependency unhooking? or do you just have to remember to do that?
b
are all the resources in the same stack?
w
yes
b
more I think about it, more I'm not sure. gonna try to run a test to see if I can get a better result
❤️ 1
I'm guessing in your example, you have an ALB and a security group?
w
correct
b
okay, just tried this and it seemed to create the new security group and then updated the ALB after it was created:
Previewing update (production):
     Type                      Name               Plan        Info
     pulumi:pulumi:Stack       alb.go-production
 +-  ├─ aws:ec2:SecurityGroup  web                replace     [diff: ~description]
 ~   └─ aws:lb:LoadBalancer    web                update      [diff: ~securityGroups]
 +-     ├─ aws:lb:Listener     http               replace     [diff: ~loadBalancerArn]
 +-     └─ aws:lb:Listener     https              replace     [diff: ~loadBalancerArn]

Outputs:
  ~ arn             : "arn:aws:elasticloadbalancing:us-west-2:616138583583:loadbalancer/app/web-d3c3708/174d37cd98d1a211" => output<string>
  ~ dnsName         : "web-d3c3708-2004262507.us-west-2.elb.amazonaws.com" => output<string>
  ~ httpListenerArn : "arn:aws:elasticloadbalancing:us-west-2:616138583583:listener/app/web-d3c3708/174d37cd98d1a211/ea06334532a1400e" => output<string>
  ~ httpsListenerArn: "arn:aws:elasticloadbalancing:us-west-2:616138583583:listener/app/web-d3c3708/174d37cd98d1a211/d8a76ae6ce07a486" => output<string>

Resources:
    ~ 1 to update
    +-3 to replace
    4 changes. 1 unchanged

Do you want to perform this update? yes
Updating (production):
     Type                      Name               Status       Info
     pulumi:pulumi:Stack       alb.go-production
 +-  ├─ aws:ec2:SecurityGroup  web                replaced     [diff: ~description]
 ~   └─ aws:lb:LoadBalancer    web                updated      [diff: ~securityGroups]

Outputs:
    arn             : "arn:aws:elasticloadbalancing:us-west-2:616138583583:loadbalancer/app/web-d3c3708/174d37cd98d1a211"
    dnsName         : "web-d3c3708-2004262507.us-west-2.elb.amazonaws.com"
    httpListenerArn : "arn:aws:elasticloadbalancing:us-west-2:616138583583:listener/app/web-d3c3708/174d37cd98d1a211/ea06334532a1400e"
    httpsListenerArn: "arn:aws:elasticloadbalancing:us-west-2:616138583583:listener/app/web-d3c3708/174d37cd98d1a211/d8a76ae6ce07a486"

Resources:
    ~ 1 updated
    +-1 replaced
    2 changes. 3 unchanged
can you share more code, trying to repro
w
@dazzling-memory-8548
@billowy-army-68599 my colleague is going to tag in here shortly
d
@billowy-army-68599, thanks for looking into this. Though I am assuming the alb has the same problem (I can test in our env shortly), we actually tripped over this scenario when using a security group as part of an ecs service. When it's defined along the lines of this, any changes to `MySecurityGroup` attempt a recreation which fails due to the ecs association. The stack continues to try to replay the delete until we manually intervene.
import * as aws from "@pulumi/aws";

// cluster, MySecurityGroup, privateSubnets and myTaskDefinition are resources
// defined elsewhere in the same stack (not shown in this snippet)
new aws.ecs.Service("service", {
    cluster: cluster.id,
    desiredCount: 1,
    launchType: "FARGATE",
    networkConfiguration: {
        assignPublicIp: false,
        // this association is what blocks deletion of MySecurityGroup on a replace
        securityGroups: [MySecurityGroup.id],
        subnets: [privateSubnets["az0"].id, privateSubnets["az1"].id],
    },
    taskDefinition: myTaskDefinition.arn,
});
b
ah okay, will give it a try on an ECS cluster too
b
okay, similar story with this ECS service + SecurityGroup, so it's definitely possible:
Do you want to perform this update? yes
Updating (production):
     Type                      Name                   Status       Info
     pulumi:pulumi:Stack       grafana.go-production
 +-  ├─ aws:ec2:SecurityGroup  grafana                replaced     [diff: ~description]
 ~   └─ aws:ecs:Service        grafana                updated      [diff: ~networkConfiguration]

Outputs:
    address: "grafana.aws.briggs.work"

Resources:
    ~ 1 updated
    +-1 replaced
    2 changes. 6 unchanged

Duration: 7m36s
@dazzling-memory-8548 what error does it throw? what version of pulumi + the provider are you using?
d
@billowy-army-68599 I was getting `Error deleting security group: DependencyViolation: resource sg-XXXXXX has a dependent object status code: 400` on pulumi v2.6.1 + @pulumi/aws 2.13.0. However, I'm testing now in a fresh env with ecs, and I'm unable to reproduce there or with an alb. It must be some unrelated factor. Sorry to waste your time; I'll update with additional detail if I see it happen again. I appreciate the help.
b
not a waste at all, glad it was resolved!
👍 2