Closed
Description
Is there an existing issue for this?
- I have searched the existing issues
Current Behavior
Unable to deploy the AWS::EC2::SecurityGroupIngress resource when using the GroupId property.
The resource SgAIngressRule in the below template fails to deploy:
```yaml
---
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: "10.0.0.0/20"
  SgA:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: 'sec-group-a'
      GroupDescription: "Hello World"
      VpcId: !Ref VPC
  SgAIngressRule:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref SgA
      IpProtocol: '-1'
      CidrIp: 10.70.0.0/20
```
Notable log entries regarding the resource's creation:
```
2021-09-14T03:16:50:DEBUG:localstack.utils.cloudformation.template_deployer: Handling "Modify" for resource "SgAIngressRule" (1/1) type "AWS::EC2::SecurityGroupIngress" in loop iteration 1
2021-09-14 03:16:50,594:API: 127.0.0.1 - - [14/Sep/2021 03:16:50] "POST / HTTP/1.1" 200 -
2021-09-14T03:16:50:DEBUG:localstack.utils.cloudformation.template_deployer: Running action "create" for resource type "EC2::SecurityGroupIngress" id "SgAIngressRule"
2021-09-14T03:16:50:DEBUG:localstack_ext.services.cloudformation.service_models: Neither "VpcId" nor "CidrIpv6" found in CF params: {'GroupId': 'sg-5ef54dceb0bc65eb4', 'IpProtocol': '-1', 'CidrIp': '10.70.0.0/20'}
2021-09-14T03:16:50:DEBUG:localstack.utils.cloudformation.template_deployer: Request for resource type "EC2::SecurityGroupIngress" in region us-east-1: authorize_security_group_ingress {'GroupId': 'sg-5ef54dceb0bc65eb4', 'IpProtocol': '-1', 'CidrIp': '10.70.0.0/20'}
2021-09-14 03:16:50,610:API: 127.0.0.1 - - [14/Sep/2021 03:16:50] "POST / HTTP/1.1" 400 -
2021-09-14T03:16:50:WARNING:localstack.utils.cloudformation.template_deployer: Error calling <bound method ClientCreator._create_api_method.<locals>._api_call of <botocore.client.EC2 object at 0x7feb8b2a73d0>> with params: {'GroupId': 'sg-5ef54dceb0bc65eb4', 'IpProtocol': '-1', 'CidrIp': '10.70.0.0/20'} for resource: {'Type': 'AWS::EC2::SecurityGroupIngress', 'Properties': {'GroupId': 'sg-5ef54dceb0bc65eb4', 'IpProtocol': '-1', 'CidrIp': '10.70.0.0/20'}, 'LogicalResourceId': 'SgAIngressRule', 'PhysicalResourceId': '-1_None_None', '_state_': {}}
2021-09-14T03:16:50:DEBUG:localstack.utils.cloudformation.template_deployer: Error applying changes for CloudFormation stack "sginress-example": An error occurred (InvalidPermission.Duplicate) when calling the AuthorizeSecurityGroupIngress operation: The specified rule already exists
Traceback (most recent call last):
  File "/opt/code/localstack/localstack/utils/cloudformation/template_deployer.py", line 1841, in _run
    self.do_apply_changes_in_loop(changes, stack, stack_name)
  File "/opt/code/localstack/localstack/utils/cloudformation/template_deployer.py", line 1912, in do_apply_changes_in_loop
    self.apply_change(change, stack, new_resources, stack_name=stack_name)
  File "/opt/code/localstack/localstack/utils/cloudformation/template_deployer.py", line 1977, in apply_change
    result = deploy_resource(resource_id, new_resources, stack_name)
  File "/opt/code/localstack/localstack/utils/cloudformation/template_deployer.py", line 787, in deploy_resource
    result = execute_resource_action(resource_id, resources, stack_name, ACTION_CREATE)
  File "/opt/code/localstack/localstack/utils/cloudformation/template_deployer.py", line 903, in execute_resource_action
    resource_id, resources, resource_type, func, stack_name, action_name
  File "/opt/code/localstack/localstack/utils/cloudformation/template_deployer.py", line 1062, in configure_resource_via_sdk
    raise e
  File "/opt/code/localstack/localstack/utils/cloudformation/template_deployer.py", line 1050, in configure_resource_via_sdk
    result = function(**params)
  File "/opt/code/localstack/.venv/lib/python3.7/site-packages/botocore/client.py", line 386, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/opt/code/localstack/.venv/lib/python3.7/site-packages/botocore/client.py", line 705, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (InvalidPermission.Duplicate) when calling the AuthorizeSecurityGroupIngress operation: The specified rule already exists
```
Expected Behavior
For the resource SgAIngressRule to deploy successfully.
How are you starting LocalStack?
With a docker-compose.yml file
Steps To Reproduce
docker-compose.yml:
```yaml
version: "3.8"
services:
  localstack:
    container_name: "localstack-a"
    image: localstack/localstack
    network_mode: bridge
    ports:
      - "127.0.0.1:4566:4566"
      - "127.0.0.1:5000:5000"
      - "127.0.0.1:5001:5001"
      - "127.0.0.1:5002:5002"
      - "127.0.0.1:5003:5003"
    environment:
      - DEBUG=1
      - DATA_DIR=/tmp/localstack-data
      - LOCALSTACK_API_KEY=<removed>
      - DOCKER_HOST=unix:///var/run/docker.sock
      - HOST_TMP_FOLDER=/tmp/localstack/
      - SERVICE_INSTANCES_PORTS_START=5000
      - SERVICE_INSTANCES_PORTS_END=5003
    volumes:
      - "${TMPDIR:-/tmp/localstack}:/tmp/localstack"
      - "/var/run/docker.sock:/var/run/docker.sock"
      - "/tmp/localstack-data:/tmp/localstack-data"
```
- Run the docker-compose file as above
- Save the example template as example.yml
- Attempt to deploy to LocalStack: `awslocal cloudformation create-stack --stack-name example --template-body file://Cloudformation/example.yml`
- Observe the errors in the docker logs
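The `InvalidPermission.Duplicate` error in the log above is EC2 rejecting an ingress rule whose protocol, port range and CIDR already exist on the group. The following is an added example, not LocalStack's or AWS's code: a simplified model of that duplicate check (assumed to match on exactly those fields) applied to the template's rule, with the GroupId taken from the log, plus an idempotent `ensure_ingress` helper that looks before it authorizes; `FakeEc2` is a constructed stand-in for a boto3 EC2 client so the example runs offline.

```python
from typing import Any, Dict, List, Optional, Tuple

# The rule the failing template resolves to (GroupId taken from the log above).
REQUESTED = {"GroupId": "sg-5ef54dceb0bc65eb4", "IpProtocol": "-1", "CidrIp": "10.70.0.0/20"}


def _key(proto: Any, from_port: Optional[int], to_port: Optional[int], cidr: str) -> Tuple:
    """Normalise one IPv4 rule; protocol -1 ("all traffic") carries no port range."""
    proto = str(proto)
    if proto == "-1":
        from_port = to_port = None
    return (proto, from_port, to_port, cidr)


def existing_keys(ip_permissions: List[Dict[str, Any]]) -> set:
    """Flatten the IpPermissions list returned by describe_security_groups()."""
    return {
        _key(p["IpProtocol"], p.get("FromPort"), p.get("ToPort"), r["CidrIp"])
        for p in ip_permissions
        for r in p.get("IpRanges", [])
    }


def is_duplicate(ip_permissions: List[Dict[str, Any]], rule: Dict[str, Any]) -> bool:
    """True when `rule` (authorize_security_group_ingress kwargs) is already present."""
    k = _key(rule["IpProtocol"], rule.get("FromPort"), rule.get("ToPort"), rule["CidrIp"])
    return k in existing_keys(ip_permissions)


def ensure_ingress(ec2: Any, rule: Dict[str, Any]) -> str:
    """Authorize `rule` only if absent; `ec2` is a boto3 EC2 client or a stand-in."""
    group = ec2.describe_security_groups(GroupIds=[rule["GroupId"]])["SecurityGroups"][0]
    if is_duplicate(group["IpPermissions"], rule):
        return "exists"
    ec2.authorize_security_group_ingress(**rule)
    return "created"


class FakeEc2:
    """Constructed stand-in for the EC2 client so the example runs offline."""

    def __init__(self):
        self.permissions: List[Dict[str, Any]] = []
        self.authorize_calls = 0

    def describe_security_groups(self, GroupIds):
        return {"SecurityGroups": [{"GroupId": GroupIds[0], "IpPermissions": self.permissions}]}

    def authorize_security_group_ingress(self, **rule):
        if is_duplicate(self.permissions, rule):  # mirror the real API's rejection
            raise RuntimeError("InvalidPermission.Duplicate: The specified rule already exists")
        self.authorize_calls += 1
        perm = {"IpProtocol": rule["IpProtocol"], "IpRanges": [{"CidrIp": rule["CidrIp"]}]}
        perm.update({k: rule[k] for k in ("FromPort", "ToPort") if k in rule})
        self.permissions.append(perm)
```

A second `ensure_ingress` call with the same rule returns `"exists"` without touching the API, which is the behaviour a deployer needs when it re-applies a resource it has already created.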
Environment
- OS: Ubuntu 20.04
- LocalStack:
  - LocalStack build git hash: af13fb23
  - LocalStack build date: 2021-09-13
  - LocalStack version: 0.12.17.5