Hitting an error creating an ALB with AWS crosswal...
# typescript
Hitting an error creating an ALB with AWS crosswalk where it tries and fails to update an existing SG while I think it should not try to define new SG rules:
Copy code
Updating (mystack):

     Type                                                        Name                             Status                  Info
     pulumi:pulumi:Stack                                         private-cloud-mystack         **failed**              1 error
     └─ awsx:x:elasticloadbalancingv2:ApplicationLoadBalancer    web                                                      
 +      ├─ awsx:x:elasticloadbalancingv2:ApplicationTargetGroup  web                              created                 
 +      │  └─ aws:elasticloadbalancingv2:TargetGroup             web                              created                 
 +      ├─ awsx:x:elasticloadbalancingv2:ApplicationListener     web-listener                     created                 
 +      │  ├─ awsx:x:ec2:IngressSecurityGroupRule                web-listener-external-0-ingress  created                 
 +      │  │  └─ aws:ec2:SecurityGroupRule                       web-listener-external-0-ingress  **creating failed**     1 error
 +      │  └─ awsx:x:ec2:EgressSecurityGroupRule                 web-listener-external-0-egress   created                 
 +      │     └─ aws:ec2:SecurityGroupRule                       web-listener-external-0-egress   created                 
 +      └─ aws:elasticloadbalancingv2:LoadBalancer               web                              **creating failed**     1 error
  aws:ec2:SecurityGroupRule (web-listener-external-0-ingress):
    error: Plan apply failed: [WARN] A duplicate Security Group rule was found on (sg-0d4db747a736ac640). This may be
    a side effect of a now-fixed Terraform issue causing two security groups with
    identical attributes but different source_security_group_ids to overwrite each
    other in the state. See <https://github.com/hashicorp/terraform/pull/2376> for more
    information and instructions for recovery. Error message: the specified rule "peer:, TCP, from port: 443, to port: 443, ALLOW" already exists
Here's my code:
Copy code
const vpc = new awsx.ec2.Vpc("vpc", {
   numberOfAvailabilityZones: 3,

const sgLoadBalancer = new awsx.ec2.SecurityGroup("load-balancer", {
    vpc: vpc,
    egress: [{
        protocol: "all",
        fromPort: 0,
        toPort: 65535,
        cidrBlocks: [""],
    ingress: [{
        protocol: "tcp",
        fromPort: 443,
        toPort: 443,
        cidrBlocks: [""],
        ipv6CidrBlocks: ["::/0"],

const alb = new awsx.elasticloadbalancingv2.ApplicationLoadBalancer("web", {
    accessLogs: {
        bucket: s3AccessLogsBucketName,
        enabled: true,
        prefix: "load-balancer",
    enableDeletionProtection: true,
    external: true,
    securityGroups: [sgLoadBalancer],
    subnets: vpc.publicSubnetIds,
    vpc: vpc,

const webTargetGroup = alb.createTargetGroup("web", {
    port: 8001,
    protocol: "HTTP",
    healthCheck: {
        path: "/health",

const listener = alb.createListener("web-listener", {
    protocol: "HTTPS",
    sslPolicy: "ELBSecurityPolicy-TLS-1-2-2017-01",
    certificateArn: acm.acmSSLCert.arn,
    defaultActions: [{
        type: "forward",
        targetGroupArn: webTargetGroup.targetGroup.arn,
Do you get this error on the first
or after making additional changes?
since the alb definitions were added. I since then gave up and resorted to use regular
alb resources, which works.
So the ALB was already created and then you added the target group and listener and that's when you got the error?
no, they were all added/created together
oh, I see
the vpc and sg existed, then I added alb, target group and listener
I believe you're hitting https://github.com/pulumi/pulumi-awsx/issues/361. Until that's resolved, using the aws package is the best workaround.
yes, that's exactly the issue. thanks.