#general

full-dress-10026

12/11/2018, 11:59 PM
I have a security group defined like this:
```
let lbSecurityGroup = new aws.ec2.SecurityGroup("fib-lb-sg", {
    namePrefix: "fib-lb-sg",
    ingress: [{
        protocol: "tcp",
        fromPort: 80,
        toPort: 80,
        cidrBlocks: ["0.0.0.0/0"]
    }],
    egress: [{
        protocol: "-1",
        fromPort: 0,
        toPort: 0,
        cidrBlocks: ["0.0.0.0/0"]
    }],
    vpcId: network.vpcId
});
```
After running `pulumi up`, I get this message:
```
updating urn:pulumi:fibonacci-dev::fibonacci::aws:ec2/securityGroup:SecurityGroup::fib-lb-sg: from_port (80) and to_port (80) must both be 0 to use the 'ALL' "-1" protocol!
```
Not sure what it is talking about.

microscopic-florist-22719

12/12/2018, 12:00 AM
was the update modifying an existing security group?

full-dress-10026

12/12/2018, 12:00 AM
Yes. I changed the ingress rule.

microscopic-florist-22719

12/12/2018, 12:01 AM
Did it use "-1" as its protocol before?

full-dress-10026

12/12/2018, 12:01 AM
Yes

microscopic-florist-22719

12/12/2018, 12:01 AM
kk, let me see if I can repro this
possible that we're pulling that in as a default for some reason
do you also have `aws.ec2.SecurityGroupRule` resources, or does the `aws.ec2.SecurityGroup` define all of its rules inline?

full-dress-10026

12/12/2018, 12:03 AM
All rules inline.

microscopic-florist-22719

12/12/2018, 12:03 AM
just for kicks, can you try "TCP" instead of "tcp"?

full-dress-10026

12/12/2018, 12:03 AM
Added the ingress rule via AWS console then running `pulumi refresh` followed by `pulumi update` fixes it.
Lemme see if I can get into that state again.

microscopic-florist-22719

12/12/2018, 12:04 AM
That would be great. So far I've been unable to repro that as well.
Which versions of the packages are you working with?

full-dress-10026

12/12/2018, 12:04 AM
```
"dependencies": {
    "@pulumi/pulumi": "0.16.6",
    "@pulumi/aws": "0.16.2",
    "@pulumi/aws-infra": "0.16.2",
    "@pulumi/cloud-aws": "0.16.0",
    "@pulumi/cloud": "0.16.0"
}
```
Simply changing from tcp to -1 to tcp does not do it.

microscopic-florist-22719

12/12/2018, 12:05 AM
Hm. That's quite odd.

full-dress-10026

12/12/2018, 12:07 AM
I think I got it. Go from
```
{
    protocol: "tcp",
    fromPort: 80,
    toPort: 80,
    cidrBlocks: ["0.0.0.0/0"]
}
```
to
```
{
    protocol: "-1",
    fromPort: 80,
    toPort: 80,
    cidrBlocks: ["0.0.0.0/0"]
}
```
to
```
{
    protocol: "-1",
    fromPort: 0,
    toPort: 0,
    cidrBlocks: ["0.0.0.0/0"]
}
```

microscopic-florist-22719

12/12/2018, 12:10 AM
That second configuration should not be allowed
Are you able to successfully run a `pulumi update` with
```
{
    protocol: "-1",
    fromPort: 80,
    toPort: 80,
    cidrBlocks: ["0.0.0.0/0"]
}
```
?

full-dress-10026

12/12/2018, 12:10 AM
Right. It failed deployment. But then going from the second to third resulted in the above exception.

microscopic-florist-22719

12/12/2018, 12:12 AM
okay, I can repro this
hoo boy, that is weird
can you file an issue in pulumi-aws?
my guess is that there's some bad interaction with terraform here
good to know that a `refresh` unblocked you

full-dress-10026

12/12/2018, 12:14 AM
I've somehow managed to hit this multiple times. Some combo of refresh and/or stack export | import usually fixes things.

microscopic-florist-22719

12/12/2018, 12:15 AM
cc @stocky-spoon-28903

full-dress-10026

12/12/2018, 12:19 AM