After updating to Pulumi AWS 0.18 I am still getti...
# general
After updating to Pulumi AWS 0.18 I am still getting the "A duplicate Security Group rule was found on" when trying to assign a security group to an application load balancer. It looks like the load balancer creates its own security group and the one I am trying to get it to use just gets created along side it. However if I try and not assign any security groups to the load balancer it will not create it's own and gives me the "ValidationError: A security group must be specified". Am I doing something wrong or is this a bug?
If you have a repro case for this - definitely open an issue in the
repo so we can look into it. We have several test cases that test things very close to this scenario, so I’m interested in what specific conditions are triggering this in your case. Cc also @stocky-spoon-28903.
An you also include your security group definition in the issue @boundless-author-24618 ?
Here is my security group:
Copy code
const anyCidr = ['']

const albSecurityGroup = new aws.ec2.SecurityGroup('alb-sg', {
  description: 'Enables HTTP inbound and any outbound',

const ingressRule = new aws.ec2.SecurityGroupRule('alb-sg-ingress-rule', {
  type: 'ingress',
  protocol: 'tcp',
  fromPort: 80,
  toPort: 80,
  cidrBlocks: anyCidr,

const egressRule = new aws.ec2.SecurityGroupRule('alb-sg-egress-rule', {
  type: 'egress',
  protocol: '-1',
  fromPort: 0,
  toPort: 0,
  cidrBlocks: anyCidr,
And here's how I'm applying it to the load balancer:
Copy code
const loadBalancer = new awsx.elasticloadbalancingv2.ApplicationLoadBalancer(
    external: true,
    securityGroups: [albSecurityGroup],
If you would like to see the full code I will create a repo. Thanks
@white-balloon-205, @stocky-spoon-28903 - that example works fine. To actually reproduce the issue you need to create a listener as well:
Copy code
const listener = loadBalancer.createListener('http-listener', {
  port: 80,
Ahh it turns out I have to set
external: false
on the listener to prevent it from trying to create another security group for the load balancer. It does make sense in that if you just create the listener you would want it to create the load balancer and give it a public security group but if you're creating the load balancer yourself it's a little anti-intuitive because you can't create a load balancer with no security groups. Is this already in the docs somewhere and I just missed it?