# aws
better-baker-47643

02/03/2022, 8:48 PM
Is it just me or is shockingly difficult to get a simple ECS-fargate / RDS / lambda web app deployed?
millions-furniture-75402

02/03/2022, 8:53 PM
What has been your approach so far?
better-baker-47643

02/03/2022, 9:03 PM
Basically combining the various tutorials.
This error is classic:
* [WARN] A duplicate Security Group rule was found on (sg-0a0f3c5fc91f75c92). This may be
    a side effect of a now-fixed Terraform issue causing two security groups with
    identical attributes but different source_security_group_ids to overwrite each
    other in the state. See <https://github.com/hashicorp/terraform/pull/2376> for more
    information and instructions for recovery. Error: InvalidPermission.Duplicate: the specified rule "peer: 0.0.0.0/0, TCP, from port: 443, to port: 443, ALLOW" already exists
        status code: 400, request id: 5db2e46f-244c-4009-b179-46ae45b85150
little-cartoon-10569

02/03/2022, 9:30 PM
That's not specific to any of the techs you mentioned initially. That problem generally occurs (for me) when I change the Pulumi name of a security group rule.
Changing the name of a rule means it's a new rule in Pulumi's eyes. It will delete the old rule and create the new one. Unfortunately, it creates the new rule first, which causes it to conflict with the old rule.
The way I usually fix this is to comment out the rule that is having its name changed, and run `pulumi up`. This deletes the rule with the old name. You can then put the code back in and run `pulumi up` again, which puts the rule back with the new name.
Try to avoid renaming SG rules (and NACL rules, and probably a few other similar entities), as the process is annoying.
better-baker-47643

02/03/2022, 9:43 PM
Thanks. I've worked through this one. I guess my point is that it just seems like there is a huge lack of sensible defaults. What I'm doing is pretty standard; it "smells wrong" that it takes a few hundred lines of configuration.
Then you're trapped with a security group that Pulumi requires you to delete but RDS won't let you delete.
little-cartoon-10569

02/03/2022, 10:09 PM
RDS is a bit of a pain when it comes to configuration. We have a multi-AZ SQL server instance, and our playbooks list which properties we must change when it's up, which must be changed when it's stopped, and which require turning off multi-AZ in order to change... 😭
better-baker-47643

02/03/2022, 10:19 PM
I wonder if some of these issues would go away if I migrated to the aws-native provider off of classic.
little-cartoon-10569

02/03/2022, 10:23 PM
Good question. The closer you are to the AWS SDKs, the less likely some unassuming convenience code sneaks up and hits you in the back of the head.
better-baker-47643

02/04/2022, 1:57 PM
So AWS App Runner was what I was looking for... it would have saved two days of fighting with Fargate if I had found it Monday 🤷
powerful-furniture-83753

02/04/2022, 5:01 PM
Doing literally the same stuff in our stack, and what I will say is this isn't really on Pulumi. Renaming security groups and any of the nitty-gritty inside VPCs is tricky, even in AWS. If it's still in your test stack, just tear it down and recreate it; it's much easier. Plus, when you ask nicely here, people are generally really helpful!