Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

EC2: ModifySecurityGroupRules, InvalidGroupId.Malformed: Invalid id: "<aws-account-id>/<sg-id>" #4776

Open
yambottle opened this issue Nov 14, 2024 · 2 comments
Labels
awaiting-upstream The issue cannot be resolved without action in another repository (may be owned by Pulumi). kind/bug Some behavior is incorrect or out of spec

Comments

@yambottle
Copy link

Describe what happened

I'm able to create this security group rule with cross-account security group reference(under the context of VPC Peering, here, root account sg needs to add an ingress rule to reference a member account's sg_id by <aws-account-id>/<sg-id>):

root_allow_proj_sg = aws.vpc.SecurityGroupIngressRule(
        "root_allow_pcx_sg",
        security_group_id=root_sg_id,
        referenced_security_group_id=sg.id.apply(lambda id: f"{account_id}/{id}"),
        ip_protocol="-1",
        opts=pulumi.ResourceOptions(provider=root_provider),
    )

But having this unexpected error when update this rule to add a description:

root_allow_proj_sg = aws.vpc.SecurityGroupIngressRule(
        "root_allow_pcx_sg",
        security_group_id=root_sg_id,
        referenced_security_group_id=sg.id.apply(lambda id: f"{account_id}/{id}"),
        ip_protocol="-1",
        description=f"Allow pcx from {org_name}_{project_name}", # adding this line
        opts=pulumi.ResourceOptions(provider=root_provider),
    )

Error:

error: updating VPC Security Group Rule (sgr-03c18a4b93862b5eb): operation error EC2: ModifySecurityGroupRules, https response error StatusCode: 400, RequestID: 7a7cc0fb-c763-4b7c-bf20-ca15f338dd38, api error InvalidGroupId.Malformed: Invalid id: "<aws-account-id>/<sg-id>"

I spent a little bit time to trace down to this issue, root cause might be an AWS API issue:
AuthorizeSecurityGroupIngress -> IpPermission -> UserIdGroupPair allows ingress rule creation to reference cross-account security group id. However, ModifySecurityGroupRules doesn't seem to support this reference???

I also thought about work around using delete_before_replace, the idea is to force the update action to delete the rule first and then recreate in order to update, but I got the same error.

root_allow_proj_sg = aws.vpc.SecurityGroupIngressRule(
        "root_allow_pcx_sg",
        security_group_id=root_sg_id,
        referenced_security_group_id=sg.id.apply(lambda id: f"{account_id}/{id}"),
        ip_protocol="-1",
        description=f"pcx from {org_name}_{project_name}",
        opts=pulumi.ResourceOptions(provider=root_provider, delete_before_replace=True),
    )

Is there any work-around?

Sample program

# needs to have two aws accounts: root account and member account
# needs to setup VPC Peering

# then create a cross-account sg id referenced ingress rule
root_allow_proj_sg = aws.vpc.SecurityGroupIngressRule(
        "root_allow_pcx_sg",
        security_group_id=root_sg_id,
        referenced_security_group_id=sg.id.apply(lambda id: f"{account_id}/{id}"),
        ip_protocol="-1",
        opts=pulumi.ResourceOptions(provider=root_provider),
    )

Log output

No response

Affected Resource(s)

No response

Output of pulumi about

CLI          
Version      3.138.0
Go Version   go1.23.2
Go Compiler  gc

Plugins
KIND      NAME      VERSION
resource  aws       6.56.1
language  python    unknown

Host     
OS       debian
Version  bookworm/sid
Arch     x86_64

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

@yambottle yambottle added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Nov 14, 2024
@flostadler
Copy link
Contributor

Sorry you're running into this @yambottle!

This seems to be caused by a bug in the upstream terraform provider: hashicorp/terraform-provider-aws#30664

You mentioned that you tried using the deleteBeforeReplace resource option as a workaround, but that alone is not enough here. Changing the description won't cause a replace, so it's still trying to update the security group in-place.
What you can do is combining this with the replaceOnChanges resource option. By setting that one to ["*"] every property change will result in a replacement.
Could you please confirm whether combining those two resource options acts as a workaround?

@flostadler flostadler added awaiting-upstream The issue cannot be resolved without action in another repository (may be owned by Pulumi). and removed needs-triage Needs attention from the triage team labels Nov 15, 2024
@yambottle
Copy link
Author

Sorry you're running into this @yambottle!

This seems to be caused by a bug in the upstream terraform provider: hashicorp/terraform-provider-aws#30664

You mentioned that you tried using the deleteBeforeReplace resource option as a workaround, but that alone is not enough here. Changing the description won't cause a replace, so it's still trying to update the security group in-place. What you can do is combining this with the replaceOnChanges resource option. By setting that one to ["*"] every property change will result in a replacement. Could you please confirm whether combining those two resource options acts as a workaround?

Confirmed, it works with opts=pulumi.ResourceOptions(provider=root_provider, delete_before_replace=True, replace_on_changes=["description"]), thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
awaiting-upstream The issue cannot be resolved without action in another repository (may be owned by Pulumi). kind/bug Some behavior is incorrect or out of spec
Projects
None yet
Development

No branches or pull requests

2 participants