
I am trying to create a VPC with Pulumi Crosswalk and then pass the output's vpc_id as an argument to fetch security groups. However, being natively async, the VPC object is supposedly being queried before creation, causing it to throw an error:

Exception: invoke of aws:ec2/getSecurityGroup:getSecurityGroup failed: invocation of aws:ec2/getSecurityGroup:getSecurityGroup returned an error: invoking aws:ec2/getSecurityGroup:getSecurityGroup: 1 error occurred: * multiple Security Groups matched; use additional constraints to reduce matches to a single Security Group

I am unable to figure out the following:

  1. Why does it say there are multiple matches when there aren't?
  2. Why does it throw an error in preview? Does preview also make an AWS call?
  3. How do I put a hold on the query until the VPC is created, considering 'depends_on' won't work for the get_security_group method? Is there a Pulumi way to handle this situation?

Following is the code snippet:

    import pulumi_aws as aws
    import pulumi_awsx as awsx

    vpc = awsx.ec2.Vpc(
        "pulumi-test",
        cidr_block='10.2.0.0/16',
        subnet_specs=[
            awsx.ec2.SubnetSpecArgs(
                type=awsx.ec2.SubnetType.PRIVATE,
                cidr_mask=26,
            ),
            awsx.ec2.SubnetSpecArgs(
                type=awsx.ec2.SubnetType.PUBLIC,
                cidr_mask=26,
            ),
        ],
        number_of_availability_zones=1,
    )

    # Security group lookup by the new VPC's id (the call that raises the error above)
    security_group = aws.ec2.get_security_group(vpc_id=vpc.vpc_id)

Ken White
Akshay Baura
  • Are you executing this on some existing stack/state (already containing some resources, for example the VPC) or is it brand new? – Michal Fudala Aug 03 '22 at 21:10
  • Can you visit your AWS account and make sure that there are no additional security groups associated with this VPC? – Michal Fudala Aug 03 '22 at 21:29
  • I am pretty sure there are no SGs since I am spinning up everything from scratch. The only thing is I have destroyed the stack a couple of times earlier. Is there a chance that this is causing the issue? – Akshay Baura Aug 04 '22 at 22:10

1 Answer


1.

You should probably not make any assumptions about there being only a single security group. Use the get_security_groups function to get them all. Example:

    security_groups = aws.ec2.get_security_groups(
        filters=[
            aws.ec2.GetSecurityGroupsFilterArgs(name='vpc-id', values=[vpc.vpc_id]),
        ],
    )

2.

Yes, pulumi preview will execute functions if possible (get_security_group in your case). Even function calls that are Output-based (see 3. for clarification) can be executed during preview.

This can happen if the Output that this function uses belongs to a resource that already exists (was created in one of the preceding pulumi up runs).

For example:

  1. You add the VPC code.
  2. You execute pulumi up successfully (VPC is created and its Pulumi state is stored in the backend).
  3. You add the code that uses one of the VPC outputs (get_security_group(vpc.vpc_id)).
  4. You execute pulumi preview and the above function is executed with the real VPC id (vpc.vpc_id).

3.

There is no need for depends_on. Pulumi functions are different than resources. In Python, two invocation forms are available. The one you are using is Output-based.

Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

Michal Fudala
  • I am not making assumptions on the presence of any security groups for the vpc, I'm certain there aren't any since it's my account I'm trying this on. Also, when I create the VPC first separately and then query it for SG, it works fine. This makes me fairly certain that there aren't any SG there already. Thanks for points 2 and 3. – Akshay Baura Aug 04 '22 at 23:19