Open brachna9 opened 3 years ago
I'm running into this same issue. It's also worth noting that declaring the ingress rules inline as part of the AWS::EC2::SecurityGroup
resource does disallow duplicates if the duplicate rules are declared when the security group is first created. If the duplicate rule is added as part of a later stack update, it appears to accept it silently, and then further updates to the duplicate rules result in the single rule being deleted.
I can confirm that the same issue occurs if you have an ingress rule present in an AWS::EC2::SecurityGroup and a duplicate entry created through an AWS::EC2::SecurityGroupIngress defined elsewhere. The 2nd rule is silently ignored and you don't even get a warning at stack creation time. But when you try cleaning up the seemingly useless AWS::EC2::SecurityGroupIngress entry in a stack update, the ingress rule is actually removed from the security group, exactly as described above.
This is a known behavior caused by duplicate definitions of Ingress/Egress rules in the template definition of AWS::EC2::SecurityGroup. To prevent this from occurring, CloudFormation recommends removing duplicate entries which would cause this unwanted behavior. We will update the documentation with this guidance by 10/28.
Steps to remove duplicate ingress/egress rules.
1. Title
Handle duplicates when defining SecurityGroupIngress as property of AWS::EC2::SecurityGroup
2. Scope of request
AWS::EC2::SecurityGroupIngress handles duplicates, however, when creating EC2 security group ingresses as a property of the security group resource (AWS::EC2::SecurityGroup) duplicates are not handled in the same way.
3. Expected behavior
If a duplicate entry is made in the SecurityGroupIngress property of the "AWS::EC2::SecurityGroup" resource, CloudFormation should not show it as a drift. Also, the ingress rule should not be removed if only the duplicate entry is removed from the ingress rules list.
Sample snippet to replicate -
Drift Result when this stack is created -
Drift Result when Duplicate ingress (EntryB) is removed in update -
Category - Compute
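A static check for the two duplicate patterns this thread describes (the same entry repeated inside a group's SecurityGroupIngress list, and a standalone AWS::EC2::SecurityGroupIngress that repeats an inline rule of the group it targets). This is an added example, not code from the issue or from CloudFormation; it assumes the template is already loaded as a dict (e.g. from JSON), resolves only `Ref` for the group reference, and the SAMPLE_TEMPLATE, WebSg and ExtraIngress names are constructed for illustration.

```python
from collections import defaultdict

PEER_KEYS = ("CidrIp", "CidrIpv6", "SourceSecurityGroupId", "SourcePrefixListId")

def rule_key(rule):
    """Normalise a rule to the fields EC2 matches on: protocol, ports, peer."""
    peer = next(((k, rule[k]) for k in PEER_KEYS if k in rule), None)
    ports = tuple(str(rule.get(p)) for p in ("FromPort", "ToPort"))
    return (str(rule.get("IpProtocol", "")).lower(),) + ports + (peer,)

def logical_id(ref):
    """Resolve {"Ref": "Name"} to its logical id; plain strings pass through."""
    return ref["Ref"] if isinstance(ref, dict) and "Ref" in ref else ref

def find_duplicate_ingress(template):
    """Return {group_logical_id: [(rule_key, location), ...]} for repeated rules."""
    resources = template.get("Resources", {})
    seen, dups = defaultdict(set), defaultdict(list)
    # Pass 1: inline SecurityGroupIngress lists, checked first so standalone
    # resources are compared against their group regardless of template order.
    for name, res in resources.items():
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            inline = res.get("Properties", {}).get("SecurityGroupIngress", [])
            for i, rule in enumerate(inline):
                k = rule_key(rule)
                if k in seen[name]:
                    dups[name].append((k, f"{name}[{i}]"))
                seen[name].add(k)
    # Pass 2: standalone AWS::EC2::SecurityGroupIngress resources.
    for name, res in resources.items():
        if res.get("Type") == "AWS::EC2::SecurityGroupIngress":
            props = res.get("Properties", {})
            group = logical_id(props.get("GroupId", props.get("GroupName")))
            k = rule_key(props)
            if k in seen[group]:
                dups[group].append((k, name))
            seen[group].add(k)
    return dict(dups)

# Constructed template: the same rule twice inline (EntryB) plus a standalone
# resource that repeats it, the two situations described in the thread.
RULE = {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "10.0.0.0/8"}
SAMPLE_TEMPLATE = {"Resources": {
    "WebSg": {"Type": "AWS::EC2::SecurityGroup",
              "Properties": {"GroupDescription": "web",
                             "SecurityGroupIngress": [dict(RULE), dict(RULE)]}},
    "ExtraIngress": {"Type": "AWS::EC2::SecurityGroupIngress",
                     "Properties": {"GroupId": {"Ref": "WebSg"}, **RULE}},
}}
```

Running this in CI before a stack update flags the duplicate in the template itself, so it can be removed deliberately rather than through an update that silently deletes the live rule.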