limited-pager-46264

02/16/2021, 11:44 AM
I created an SG rule as below, which was successful:
import pulumi
import pulumi_aws as aws

# allow_tls is the parent aws.ec2.SecurityGroup, defined earlier in the program (not shown here)
example = aws.ec2.SecurityGroupRule(
    "example",
    type="ingress",
    from_port=443,
    to_port=443,
    protocol="tcp",
    cidr_blocks=["1.1.1.1/32"],
    security_group_id=allow_tls.id,
    opts=pulumi.ResourceOptions(parent=allow_tls))
I then added another IP to the CIDR list of the SG rule:
example = aws.ec2.SecurityGroupRule(
    "example",
    type="ingress",
    from_port=443,
    to_port=443,
    protocol="tcp",
    cidr_blocks=["1.1.1.1/32", "2.2.2.2/32"],  # second CIDR added to the existing rule
    security_group_id=allow_tls.id,
    opts=pulumi.ResourceOptions(parent=allow_tls))
That resulted in the following error:
Previewing update (test):
~ pulumi:pulumi:Stack: (refresh)
    [urn=urn:pulumi:test::Experiment::pulumi:pulumi:Stack::Experiment-test]
  pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:test::Experiment::pulumi:pulumi:Stack::Experiment-test]
        +-aws:ec2/securityGroupRule:SecurityGroupRule: (replace)
            [id=sgrule-3919269017]
            [urn=urn:pulumi:test::Experiment::aws:ec2/securityGroup:SecurityGroup$aws:ec2/securityGroupRule:SecurityGroupRule::example]
            [provider=urn:pulumi:test::Experiment::pulumi:providers:aws::default_3_29_0::1d8ffca5-685c-4b69-8ddd-3883e405d97f]
          ~ cidrBlocks: [
                [0]: <null>
              + [1]: "2.2.2.2/32"
            ]
Resources:
    +-1 to replace
    2 unchanged
Permalink: file:///Users/sibu/test/state/.pulumi/stacks/test.json
Do you want to perform this update? yes
Updating (test):
~ pulumi:pulumi:Stack: (refresh)
    [urn=urn:pulumi:test::Experiment::pulumi:pulumi:Stack::Experiment-test]
  pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:test::Experiment::pulumi:pulumi:Stack::Experiment-test]
error: 1 error occurred:
	* [WARN] A duplicate Security Group rule was found on (sg-0acf2e4ef3c4ab3ee). This may be
a side effect of a now-fixed Terraform issue causing two security groups with
identical attributes but different source_security_group_ids to overwrite each
other in the state. See <https://github.com/hashicorp/terraform/pull/2376> for more
information and instructions for recovery. Error message: the specified rule "peer: 1.1.1.1/32, TCP, from port: 443, to port: 443, ALLOW" already exists
error: update failed
Isn’t it possible to update the cidr_block?
I worked around the issue by using the Resource option delete_before_replace=True for the SG rule.