#typescript

fierce-cpu-94517

07/29/2019, 1:52 PM
Hitting an error creating an ALB with AWS crosswalk where it tries and fails to update an existing SG while I think it should not try to define new SG rules:
Updating (mystack):

     Type                                                        Name                             Status                  Info
     pulumi:pulumi:Stack                                         private-cloud-mystack         **failed**              1 error
     └─ awsx:x:elasticloadbalancingv2:ApplicationLoadBalancer    web                                                      
 +      ├─ awsx:x:elasticloadbalancingv2:ApplicationTargetGroup  web                              created                 
 +      │  └─ aws:elasticloadbalancingv2:TargetGroup             web                              created                 
 +      ├─ awsx:x:elasticloadbalancingv2:ApplicationListener     web-listener                     created                 
 +      │  ├─ awsx:x:ec2:IngressSecurityGroupRule                web-listener-external-0-ingress  created                 
 +      │  │  └─ aws:ec2:SecurityGroupRule                       web-listener-external-0-ingress  **creating failed**     1 error
 +      │  └─ awsx:x:ec2:EgressSecurityGroupRule                 web-listener-external-0-egress   created                 
 +      │     └─ aws:ec2:SecurityGroupRule                       web-listener-external-0-egress   created                 
 +      └─ aws:elasticloadbalancingv2:LoadBalancer               web                              **creating failed**     1 error
 
Diagnostics:
  aws:ec2:SecurityGroupRule (web-listener-external-0-ingress):
    error: Plan apply failed: [WARN] A duplicate Security Group rule was found on (sg-0d4db747a736ac640). This may be
    a side effect of a now-fixed Terraform issue causing two security groups with
    identical attributes but different source_security_group_ids to overwrite each
    other in the state. See <https://github.com/hashicorp/terraform/pull/2376> for more
    information and instructions for recovery. Error message: the specified rule "peer: 0.0.0.0/0, TCP, from port: 443, to port: 443, ALLOW" already exists
Here's my code:
import * as awsx from "@pulumi/awsx";
// s3AccessLogsBucketName and acm.acmSSLCert are defined elsewhere in the poster's program.

const vpc = new awsx.ec2.Vpc("vpc", {
    numberOfAvailabilityZones: 3,
})

// Explicit security group for the load balancer: HTTPS (443) in from anywhere, all egress.
const sgLoadBalancer = new awsx.ec2.SecurityGroup("load-balancer", {
    vpc: vpc,
    egress: [{
        protocol: "all",
        fromPort: 0,
        toPort: 65535,
        cidrBlocks: ["0.0.0.0/0"],
    }],
    ingress: [{
        protocol: "tcp",
        fromPort: 443,
        toPort: 443,
        cidrBlocks: ["0.0.0.0/0"],
        ipv6CidrBlocks: ["::/0"],
    }],
})

const alb = new awsx.elasticloadbalancingv2.ApplicationLoadBalancer("web", {
    accessLogs: {
        bucket: s3AccessLogsBucketName,
        enabled: true,
        prefix: "load-balancer",
    },
    enableDeletionProtection: true,
    external: true,
    securityGroups: [sgLoadBalancer],
    subnets: vpc.publicSubnetIds,
    vpc: vpc,
})

const webTargetGroup = alb.createTargetGroup("web", {
    port: 8001,
    protocol: "HTTP",
    healthCheck: {
        path: "/health",
    },
})

// createListener on an external ALB also adds a 443 ingress rule to the ALB's security group,
// which collides with the explicit 443 rule above (the "duplicate Security Group rule" error).
const listener = alb.createListener("web-listener", {
    protocol: "HTTPS",
    sslPolicy: "ELBSecurityPolicy-TLS-1-2-2017-01",
    certificateArn: acm.acmSSLCert.arn,
    defaultActions: [{
        type: "forward",
        targetGroupArn: webTargetGroup.targetGroup.arn,
    }]
})

gentle-diamond-70147

07/29/2019, 4:48 PM
Do you get this error on the first `up` or after making additional changes?

fierce-cpu-94517

07/29/2019, 9:28 PM
any `up` since the alb definitions were added. I since then gave up and resorted to using regular `@pulumi/aws` alb resources, which works.

gentle-diamond-70147

07/29/2019, 9:35 PM
So the ALB was already created and then you added the target group and listener and that's when you got the error?

fierce-cpu-94517

07/29/2019, 9:38 PM
no, they were all added/created together

gentle-diamond-70147

07/29/2019, 9:39 PM
oh, I see

fierce-cpu-94517

07/29/2019, 9:43 PM
the vpc and sg existed, then I added alb, target group and listener

gentle-diamond-70147

07/29/2019, 10:37 PM
I believe you're hitting https://github.com/pulumi/pulumi-awsx/issues/361. Until that's resolved, using the aws package is the best workaround.

fierce-cpu-94517

07/30/2019, 8:11 AM
yes, that's exactly the issue. thanks.