This message was deleted.

This problem is most often found when you're renaming the pulumi SecurityGroupRule resource. The best approach is to remove the rule from code (comment it out),

pulumi up

, then put the code back in and edit it before

pulumi up

again.

Yeah I'm not renaming a rule. I'm just changing a rule or adding rules to add a new CIDR. I can't clear them out because they front real, actual traffic. I'd rather replace the rule with a "allow all from all ports" momentarily, but it sounds like that requires a staged/transactional process that pulumi doesn't support without dynamic backends?

If the Pulumi name is changing, then you'll see this behaviour. If it's not, then you won't. If you are doing something like building the rules in a loop, where the name is based on the loop ID and the port is based on a set, then you can get situations where "rule-1" changes from 80 to 443 and "rule-2" changes from 443 to 80. This is effectively renaming, and causes this problem.

I'm just adding to the cidrBlocks but maybe awsx.ec2.SecurityGroup is looping?

Howdy, I'm late on this, but I wanted to note that I ran into this behavior using normal terraform a while ago (2018ish?) We found that terraform was doing a "delete all rules -> recreate all rules" thing for us, and what would happen is we would create a very broad rule (e.g. 10.0.0.0/8) and then later we'd try to create a new rule that "fell under" that rule due to CIDR notation (e.g. 10.100.0.0/16) and had the same port/protocol, the AWS API would throw this error at us, and terraform would exit from a user perspective this looked exactly like terraform just nuked all of the rules but one, or however many rules it got through before encountering these pseudo-duplicates