AWS CloudFormation: updating security group ingress rules for EC2 instances fails with 'InvalidPermission.Duplicate'
I'm stuck on something that should probably be simple... I'm working with a scenario involving an AWS CloudFormation stack update where I need to modify the ingress rules for an existing security group, but the stack fails with the error 'InvalidPermission.Duplicate'. After several attempts to resolve this, I am still unable to successfully apply the changes.

Here's a snippet of the relevant part of my CloudFormation template:

```yaml
Resources:
  MySecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: 'Allow SSH and HTTP'
      VpcId: !Ref MyVpcId
      SecurityGroupIngress:
        - IpProtocol: 'tcp'
          FromPort: 22
          ToPort: 22
          CidrIp: '0.0.0.0/0'
        - IpProtocol: 'tcp'
          FromPort: 80
          ToPort: 80
          CidrIp: '0.0.0.0/0'

Outputs:
  SecurityGroupId:
    Value: !Ref MySecurityGroup
```

The last deployment of this template was successful, and the current ingress rules were working fine. However, I recently updated the ingress rules to include another rule for HTTPS:

```yaml
        - IpProtocol: 'tcp'
          FromPort: 443
          ToPort: 443
          CidrIp: '0.0.0.0/0'
```

But when I run the update command, I keep getting the following error:

```
ValidationError: Template format error: The specified ingress rule is a duplicate.
```

I checked and confirmed that there are no existing rules for port 443, and when I look at the security group in the AWS console, it indeed shows only two rules for ports 22 and 80. I've tried deleting the stack and recreating it, but the same error occurs. Even when I try to update only the ingress rules without adding the new one, I still get the same error. It seems like CloudFormation is holding onto some state or configuration that's causing this.

Is there any way to resolve this without manually modifying the security group through the AWS console? Any insights on how to clear out potential stale data or a workaround would be greatly appreciated!
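A static pre-deployment check is one way to catch this class of failure before CloudFormation does. The script below is an added example, not code from the question or from AWS: it parses a CloudFormation template in JSON form (the JSON equivalent of the YAML above, so no extra YAML library is needed), gathers every ingress rule attached to each security group, whether declared inline in `SecurityGroupIngress` or as a standalone `AWS::EC2::SecurityGroupIngress` resource, and reports rules that appear more than once. It also flags administrative ports (SSH by default) exposed to `0.0.0.0/0`, since the rules in the question grant world access to port 22. The embedded template is constructed for the example; it deliberately repeats the HTTPS rule in both places, which is one way a stack update produces the duplicate-rule error. The function and helper names (`collect_ingress`, `find_duplicates`, `find_world_open`) are the example's own.

```python
"""Static check for duplicate and over-broad ingress rules in a CloudFormation template.

Added example (not part of the original question). Works on the JSON template
form; a YAML template can be converted first with any YAML-to-JSON tool.
"""
import json
from collections import Counter

# Constructed sample template: inline rules mirror the question, plus a
# standalone AWS::EC2::SecurityGroupIngress resource that repeats port 443.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "MySecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "Allow SSH and HTTP",
                "VpcId": {"Ref": "MyVpcId"},
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
                    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0"},
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
                ],
            },
        },
        "HttpsIngress": {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {
                "GroupId": {"Ref": "MySecurityGroup"},
                "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0",
            },
        },
    }
})


def _rule_key(rule):
    """Normalise one ingress rule into a hashable identity: (protocol, from, to, source)."""
    source = rule.get("CidrIp") or rule.get("CidrIpv6") or rule.get("SourceSecurityGroupId")
    if isinstance(source, dict):  # intrinsic such as {"Ref": "OtherSg"}
        source = "Ref:" + str(source.get("Ref"))
    return (str(rule.get("IpProtocol")).lower(), rule.get("FromPort"), rule.get("ToPort"), source)


def _group_ref_name(value):
    """Resolve a GroupId given as {"Ref": logical_id} to the logical id; pass strings through."""
    if isinstance(value, dict) and "Ref" in value:
        return value["Ref"]
    return str(value)


def collect_ingress(template_text):
    """Return {sg_logical_id: [rule_key, ...]} from inline and standalone ingress declarations."""
    resources = json.loads(template_text).get("Resources", {})
    rules = {}
    for logical_id, res in resources.items():
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            inline = res.get("Properties", {}).get("SecurityGroupIngress", [])
            rules.setdefault(logical_id, []).extend(_rule_key(r) for r in inline)
    for logical_id, res in resources.items():
        if res.get("Type") == "AWS::EC2::SecurityGroupIngress":
            props = res.get("Properties", {})
            target = _group_ref_name(props.get("GroupId"))
            rules.setdefault(target, []).append(_rule_key(props))
    return rules


def find_duplicates(template_text):
    """Return {sg_logical_id: [rule_key]} for every rule declared more than once."""
    dups = {}
    for sg, keys in collect_ingress(template_text).items():
        repeated = [k for k, n in Counter(keys).items() if n > 1]
        if repeated:
            dups[sg] = repeated
    return dups


def find_world_open(template_text, admin_ports=(22, 3389)):
    """Return [(sg_logical_id, rule_key)] for admin ports reachable from any address."""
    hits = []
    for sg, keys in collect_ingress(template_text).items():
        for key in keys:
            _proto, from_port, to_port, source = key
            if source not in ("0.0.0.0/0", "::/0") or from_port is None or to_port is None:
                continue
            if any(from_port <= p <= to_port for p in admin_ports):
                hits.append((sg, key))
    return hits


if __name__ == "__main__":
    for sg, rules in find_duplicates(SAMPLE_TEMPLATE).items():
        for r in rules:
            print(f"DUPLICATE  {sg}: {r}")
    for sg, r in find_world_open(SAMPLE_TEMPLATE):
        print(f"WORLD-OPEN {sg}: {r}")
```

Running it on the sample prints one duplicate (the 443/tcp rule declared both inline and as a standalone resource) and one world-open finding (22/tcp from `0.0.0.0/0`). Against a real template, run the check in CI before `aws cloudformation deploy`; resolving the duplicate means keeping the rule in exactly one place, and the world-open finding is a prompt to narrow the SSH source to a bastion or VPN range.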