
Security Group: Egress rule with incorrect to_port takes 3 pulumi ups to correct. #3257

Open
MitchellGerdisch opened this issue Jan 12, 2024 · 4 comments
Labels
impact/usability Something that impacts users' ability to use the product easily and intuitively kind/bug Some behavior is incorrect or out of spec

Comments

@MitchellGerdisch

What happened?

  • Using the code below, start with the egress rule set with from_port=0 and to_port=65535.
  • Run pulumi up
  • See error message about how to and from port both need to be 0.
  • Take a look at Pulumi console and note that the state shows the egress property set with the 0 and 65535 values.
  • Take a look at AWS console for the security group and note that no outbound rule is defined. Not too surprising given the error.
  • Change the egress rule so both from_port and to_port are set to 0.
  • Run pulumi up
  • See same error message about how both values must be 0 even though they are now set correctly.
  • Take a look at Pulumi console and note that the state shows the egress is now correctly set to 0 for both from_port and to_port.
  • Take a look at AWS console and note that there is still no outbound rule defined for the security group.
  • Run pulumi up again (without any changes to the code) and note that it still shows a diff for the to_port from 65535 to 0. And the update completes successfully.
  • Take a look at Pulumi console and see that the security group egress rule property is missing.
  • Take a look at the AWS console and see that there is still no outbound rule shown.
  • Run pulumi up again and note the diff shows it is adding a complete egress rule and that the update completes successfully.
  • Take a look at the Pulumi console and see the egress rule is now shown.
  • Take a look at the AWS console and see that the outbound rule is now there.
  • Subsequent pulumi up shows no changes.

Example

from pulumi_aws import ec2

# Reproduction: protocol "-1" (all traffic) with to_port=65535 is rejected by the
# provider, which requires from_port and to_port to both be 0 for that protocol.
security_group = ec2.SecurityGroup(
    "egress-test",
    egress=[
        ec2.SecurityGroupEgressArgs(
            from_port=0, to_port=65535, protocol="-1", cidr_blocks=["0.0.0.0/0"],
            # Corrected rule used in the later steps:
            # from_port=0, to_port=0, protocol="-1", cidr_blocks=["0.0.0.0/0"],
        )
    ],
)

Output of pulumi about

CLI
Version 3.101.1
Go Version go1.21.5
Go Compiler gc

Plugins
NAME VERSION
aws 6.18.0
python unknown

Host
OS darwin
Version 13.5
Arch x86_64

This project is written in python: executable='/Users/mitch/Downloads/wmg-sg/venv/bin/python3' version='3.11.3'

Current Stack: MitchGerdisch/xxxx/dev

TYPE URN
pulumi:pulumi:Stack urn:pulumi:dev::xxxx::pulumi:pulumi:Stack::wmg-sg-dev
pulumi:providers:aws urn:pulumi:dev::xxxx::pulumi:providers:aws::default_6_18_0
aws:ec2/securityGroup:SecurityGroup urn:pulumi:dev::xxxx::aws:ec2/securityGroup:SecurityGroup::egress-test

Found no pending operations associated with dev

Backend
Name pulumi.com

Dependencies:
NAME VERSION
pip 23.3.2
pulumi_aws 6.18.0
setuptools 69.0.3
wheel 0.42.0

Additional context

I tested this with Terraform using the latest version of the aws provider and version 5.31.0 which is what the Pulumi AWS provider is based on.
Terraform does not exhibit this behavior.
You get an error about the to_port=65535 like with Pulumi.
But after changing it to the correct value of 0 and doing a terraform apply, it updates correctly with no errors.

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
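The error in the reproduction steps comes from the provider's own validation of the rule, which only runs once `pulumi up` has already started. The following is an added example (not code from this issue, from pulumi-aws or from the upstream provider) of the same constraint checked locally before any deployment: rules are passed as plain dicts with the same keys as `ec2.SecurityGroupEgressArgs`, and the function names `check_rule` and `validate_rules` are assumptions. It also covers the tcp/udp port-range rules the provider enforces, which the issue does not exercise.

```python
"""Pre-flight validation of security group rule arguments.

Added example: re-implements the port/protocol constraint behind the error
message in the issue ("from_port and to_port must both be 0" for protocol -1)
so that a bad rule fails locally instead of partway through `pulumi up`.
Rule dicts mirror the keyword arguments of ec2.SecurityGroupEgressArgs; the
helper names are assumptions, not a pulumi-aws API.
"""
from dataclasses import dataclass

# Spellings the provider accepts for "all protocols".
ALL_PROTOCOLS = ("-1", "all")
# Protocols for which from_port/to_port are real port numbers.
PORT_PROTOCOLS = ("tcp", "udp", "6", "17")


@dataclass
class RuleProblem:
    index: int      # position of the rule in the egress/ingress list
    message: str    # human-readable description of the violation


def check_rule(rule: dict) -> list[str]:
    """Return a list of problems with a single rule (empty list when valid)."""
    problems: list[str] = []
    protocol = str(rule.get("protocol", "")).lower()
    from_port = rule.get("from_port")
    to_port = rule.get("to_port")

    if protocol in ALL_PROTOCOLS:
        # This is the case from the issue: protocol "-1" only accepts 0/0.
        if from_port != 0 or to_port != 0:
            problems.append(
                f"protocol {rule.get('protocol')!r} requires from_port=0 and "
                f"to_port=0, got from_port={from_port!r} to_port={to_port!r}"
            )
    elif protocol in PORT_PROTOCOLS:
        for name, value in (("from_port", from_port), ("to_port", to_port)):
            if not isinstance(value, int) or not 0 <= value <= 65535:
                problems.append(f"{name} must be an integer in 0..65535, got {value!r}")
        if (isinstance(from_port, int) and isinstance(to_port, int)
                and from_port > to_port):
            problems.append(f"from_port ({from_port}) is greater than to_port ({to_port})")
    # Other protocols (e.g. icmp, where the fields carry type/code) are left
    # to the provider; this check only covers the cases above.
    return problems


def validate_rules(rules: list[dict]) -> list[RuleProblem]:
    """Validate a whole egress/ingress list; returns all problems found."""
    return [
        RuleProblem(i, msg)
        for i, rule in enumerate(rules)
        for msg in check_rule(rule)
    ]


# Constructed sample rules: the rejected one from the issue and its fix.
BAD_RULE = {"from_port": 0, "to_port": 65535, "protocol": "-1", "cidr_blocks": ["0.0.0.0/0"]}
GOOD_RULE = {"from_port": 0, "to_port": 0, "protocol": "-1", "cidr_blocks": ["0.0.0.0/0"]}


if __name__ == "__main__":
    import sys
    problems = validate_rules([BAD_RULE, GOOD_RULE])
    for p in problems:
        print(f"egress[{p.index}]: {p.message}")
    # Fail fast so a wrapper script can stop before calling pulumi up.
    sys.exit(1 if problems else 0)
```

Calling `validate_rules` on the egress list before constructing `ec2.SecurityGroup` (and raising on a non-empty result) turns the mid-deployment error in the issue into an immediate, local failure, so no partially created security group is left behind in AWS or in state.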

@MitchellGerdisch MitchellGerdisch added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Jan 12, 2024
@iwahbe iwahbe removed the needs-triage Needs attention from the triage team label Jan 17, 2024
@iwahbe
Member

iwahbe commented Jan 17, 2024

Thanks for letting us know @MitchellGerdisch. This looks like a combination of an upstream issue (hashicorp/terraform-provider-aws#34640) and a diff bug (that provides a partial work-around?).

@iwahbe iwahbe added the awaiting-upstream The issue cannot be resolved without action in another repository (may be owned by Pulumi). label Jan 17, 2024
@MitchellGerdisch
Author

I'm not sure it is the same issue.
I did test the same scenario with TF and although it (correctly) complained about using to_port=65535 after updating to_port=0, a subsequent terraform apply worked as expected. Whereas with Pulumi multiple pulumi ups are needed after fixing the to_port property.

@iwahbe iwahbe removed the awaiting-upstream The issue cannot be resolved without action in another repository (may be owned by Pulumi). label Jan 17, 2024
@t0yv0 t0yv0 added the impact/usability Something that impacts users' ability to use the product easily and intuitively label Apr 24, 2024
@t0yv0
Member

t0yv0 commented Sep 24, 2024

I've gone through the steps and it seems to go better, but not entirely satisfactory now.

  1. errors as before, but pulumi state has no SG. However, AWS console has an SG without egress rules.
  2. after I edit the program and do a pulumi up, I get OK and a new SG created in the console with the expected egress rules
  3. subsequent pulumi up show no changes

So this is almost entirely what we want except the sequence created 2 Security Groups instead of one. That is, validation failure here created an actual AWS security group and then didn't clean it up after it realized there is a problem:

import pulumi
from pulumi_aws import ec2

# Corrected program: protocol "-1" with from_port=0 and to_port=0.
security_group = ec2.SecurityGroup(
    "egress-test",
    egress=[
        ec2.SecurityGroupEgressArgs(
            from_port=0, to_port=0, protocol="-1", cidr_blocks=["0.0.0.0/0"],
        )
    ],
)

Leaving this in the tracker for now, suspect this aspect reproduces upstream.

@t0yv0
Member

t0yv0 commented Sep 24, 2024

CLI          
Version      3.130.0
Go Version   go1.22.6
Go Compiler  gc

Plugins
KIND      NAME    VERSION
resource  aws     6.52.0
language  python  unknown

Host     
OS       darwin
Version  14.6.1
Arch     arm64

This project is written in python: executable='/Users/anton/Library/Mobile Documents/com~apple~CloudDocs/pulumi-bugs/pulumi-aws-3257/venv/bin/python' version='3.10.13'

Current Stack: anton-pulumi-corp/pulumi-aws-3257/dev

TYPE                                 URN
pulumi:pulumi:Stack                  urn:pulumi:dev::pulumi-aws-3257::pulumi:pulumi:Stack::pulumi-aws-3257-dev
pulumi:providers:aws                 urn:pulumi:dev::pulumi-aws-3257::pulumi:providers:aws::default_6_52_0
aws:ec2/securityGroup:SecurityGroup  urn:pulumi:dev::pulumi-aws-3257::aws:ec2/securityGroup:SecurityGroup::egress-test


Found no pending operations associated with dev

Backend        
Name           pulumi.com
URL            https://app.pulumi.com/anton-pulumi-corp
User           anton-pulumi-corp
Organizations  anton-pulumi-corp, moolumi, demo, pulumi
Token type     personal

Dependencies:
NAME        VERSION
pip         24.2
pulumi_aws  6.52.0
setuptools  75.1.0
wheel       0.44.0

Pulumi locates its logs in /var/folders/gd/3ncjb1lj5ljgk8xl5ssn_gvc0000gn/T/com.apple.shortcuts.mac-helper// by default
