Channels
#typescript
Title
f
fierce-cpu-94517
07/29/2019, 1:52 PMHitting an error creating an ALB with AWS crosswalk where it tries and fails to update an existing SG while I think it should not try to define new SG rules:
Copy code
Updating (mystack):
Type Name Status Info
pulumi:pulumi:Stack private-cloud-mystack **failed** 1 error
└─ awsx:x:elasticloadbalancingv2:ApplicationLoadBalancer web
+ ├─ awsx:x:elasticloadbalancingv2:ApplicationTargetGroup web created
+ │ └─ aws:elasticloadbalancingv2:TargetGroup web created
+ ├─ awsx:x:elasticloadbalancingv2:ApplicationListener web-listener created
+ │ ├─ awsx:x:ec2:IngressSecurityGroupRule web-listener-external-0-ingress created
+ │ │ └─ aws:ec2:SecurityGroupRule web-listener-external-0-ingress **creating failed** 1 error
+ │ └─ awsx:x:ec2:EgressSecurityGroupRule web-listener-external-0-egress created
+ │ └─ aws:ec2:SecurityGroupRule web-listener-external-0-egress created
+ └─ aws:elasticloadbalancingv2:LoadBalancer web **creating failed** 1 error
Diagnostics:
aws:ec2:SecurityGroupRule (web-listener-external-0-ingress):
error: Plan apply failed: [WARN] A duplicate Security Group rule was found on (sg-0d4db747a736ac640). This may be
a side effect of a now-fixed Terraform issue causing two security groups with
identical attributes but different source_security_group_ids to overwrite each
other in the state. See <https://github.com/hashicorp/terraform/pull/2376> for more
information and instructions for recovery. Error message: the specified rule "peer: 0.0.0.0/0, TCP, from port: 443, to port: 443, ALLOW" already existsHere's my code:
Copy code
const vpc = new awsx.ec2.Vpc("vpc", {
numberOfAvailabilityZones: 3,
})
const sgLoadBalancer = new awsx.ec2.SecurityGroup("load-balancer", {
vpc: vpc,
egress: [{
protocol: "all",
fromPort: 0,
toPort: 65535,
cidrBlocks: ["0.0.0.0/0"],
}],
ingress: [{
protocol: "tcp",
fromPort: 443,
toPort: 443,
cidrBlocks: ["0.0.0.0/0"],
ipv6CidrBlocks: ["::/0"],
}],
})
const alb = new awsx.elasticloadbalancingv2.ApplicationLoadBalancer("web", {
accessLogs: {
bucket: s3AccessLogsBucketName,
enabled: true,
prefix: "load-balancer",
},
enableDeletionProtection: true,
external: true,
securityGroups: [sgLoadBalancer],
subnets: vpc.publicSubnetIds,
vpc: vpc,
})
const webTargetGroup = alb.createTargetGroup("web", {
port: 8001,
protocol: "HTTP",
healthCheck: {
path: "/health",
},
})
const listener = alb.createListener("web-listener", {
protocol: "HTTPS",
sslPolicy: "ELBSecurityPolicy-TLS-1-2-2017-01",
certificateArn: acm.acmSSLCert.arn,
defaultActions: [{
type: "forward",
targetGroupArn: webTargetGroup.targetGroup.arn,
}]
})g
gentle-diamond-70147
07/29/2019, 4:48 PMDo you get this error on the first
upf
fierce-cpu-94517
07/29/2019, 9:28 PMany
up@pulumi/awsg
gentle-diamond-70147
07/29/2019, 9:35 PMSo the ALB was already created and then you added the target group and listener and that's when you got the error?
f
fierce-cpu-94517
07/29/2019, 9:38 PMno, they were all added/created together
g
gentle-diamond-70147
07/29/2019, 9:39 PMoh, I see
f
fierce-cpu-94517
07/29/2019, 9:43 PMthe vpc and sg existed, then I added alb, target group and listener
g
gentle-diamond-70147
07/29/2019, 10:37 PMI believe you're hitting https://github.com/pulumi/pulumi-awsx/issues/361. Until that's resolved, using the aws package is the best workaround.
f
fierce-cpu-94517
07/30/2019, 8:11 AMyes, that's exactly the issue. thanks.