Teri Radichel

CloudFormation cannot update a stack when a custom-named resource requires replacing

Should this issue be handled by CloudFormation automatically behind the scenes?

I added a customer managed prefix list to a security group and then I started getting this error message:

CloudFormation cannot update a stack when a custom-named resource requires replacing

This is a very strange error message to me. What exactly is a custom-named resource? I give lots of resources I create with CloudFormation a name. What makes something a “custom-named resource” as opposed to some other resource I simply give a name?

It’s not even clear in this case that the prefix list is the problem, but I presume it is — because that is the only thing I changed or added to this security group.

I am not sure why the prefix list requires replacing either. Or is it the security group that requires replacing because it is using a prefix list?

What I am pondering in this case is why CloudFormation cannot handle this issue for the customer. Whatever is causing this is very unclear to me and seems like it could be handled on the back end.

The other thing is that this error message is telling me to “rename” my security group. That is the name I want for my security group. If I rename my existing security group, I will have an extraneous security group hanging around that I don’t need or want. If I write some automated code it will simply keep creating more and more security groups. Wouldn’t it make more sense to delete the security group so CloudFormation can create a new one? Or should I rename the resource, run the code, then run it again with the new name?

I also found this post but it’s not that helpful in terms of answering my questions. It also just says to rename the resource.
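In CloudFormation's terms a "custom-named resource" is one whose template pins the physical name (for a security group, the GroupName property). Because CloudFormation creates a replacement resource before deleting the original, a pinned name cannot be reused, so any change to a property documented as "Update requires: Replacement" fails with the error quoted above. The following Python script is an added example, not code from the original post: it scans a template for custom-named resources and, given the previous template version, reports which of them would be replaced. Its property tables are a small, assumed subset of the CloudFormation resource reference and the templates are constructed samples.

```python
import json
from typing import List, Tuple

# Physical-name property per resource type: setting it makes the resource
# "custom-named". Assumed partial table taken from the CloudFormation resource reference.
NAME_PROPERTY = {"AWS::EC2::SecurityGroup": "GroupName",
                 "AWS::EC2::PrefixList": "PrefixListName"}
# Properties documented as "Update requires: Replacement" (same caveat: partial).
REPLACEMENT_PROPERTIES = {"AWS::EC2::SecurityGroup": {"GroupName", "GroupDescription", "VpcId"},
                          "AWS::EC2::PrefixList": {"AddressFamily"}}

def custom_named_resources(template: dict) -> List[str]:
    """Logical IDs of resources that pin their physical name in the template."""
    found = []
    for logical_id, res in template.get("Resources", {}).items():
        name_prop = NAME_PROPERTY.get(res.get("Type"))
        if name_prop and name_prop in res.get("Properties", {}):
            found.append(logical_id)
    return found

def blocked_replacements(old: dict, new: dict) -> List[Tuple[str, str]]:
    """(logical_id, property) pairs where a custom-named resource would be replaced.
    CloudFormation creates the replacement before deleting the original, so a pinned
    name cannot be reused and the update fails with the error quoted above."""
    blocked = []
    old_res = old.get("Resources", {})
    for logical_id in custom_named_resources(new):
        res, prev = new["Resources"][logical_id], old_res.get(logical_id)
        if prev is None or prev.get("Type") != res.get("Type"):
            continue  # brand-new resource or type change: not an in-place replacement
        for prop in sorted(REPLACEMENT_PROPERTIES.get(res["Type"], ())):
            if prev.get("Properties", {}).get(prop) != res.get("Properties", {}).get(prop):
                blocked.append((logical_id, prop))
    return blocked

# Constructed sample: the group keeps its GroupName and gains a prefix-list rule (fine on
# its own), but its GroupDescription was also edited, which forces replacement.
OLD = {"Resources": {"WebSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
    "GroupName": "web-sg", "GroupDescription": "Web tier", "VpcId": "vpc-EXAMPLE"}}}}
NEW = json.loads(json.dumps(OLD))  # deep copy, then apply the edits
NEW["Resources"]["OfficePrefixList"] = {"Type": "AWS::EC2::PrefixList", "Properties": {
    "PrefixListName": "office-ips", "AddressFamily": "IPv4", "MaxEntries": 5,
    "Entries": [{"Cidr": "203.0.113.0/24", "Description": "constructed sample"}]}}
NEW["Resources"]["WebSecurityGroup"]["Properties"].update({
    "GroupDescription": "Web tier (office prefix list)",
    "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                              "SourcePrefixListId": {"Ref": "OfficePrefixList"}}]})

print("custom-named:", custom_named_resources(NEW))  # ['WebSecurityGroup', 'OfficePrefixList']
print("blocked:", blocked_replacements(OLD, NEW))    # [('WebSecurityGroup', 'GroupDescription')]
```

Running the check before `update-stack` shows which named resources would hit the error; dropping the GroupName property (letting CloudFormation generate the name) is what removes the resource from the custom-named list.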

Here’s the next problem… I tried to delete the resources related to this error.

First I tried to delete the security group:

But it can’t be deleted due to the rules:

So I have to delete those too:

And... now my resource is stuck in a “Delete in progress” state.

It’s been sitting that way for quite some time.

Later I realized that although it was stuck in that state I could click on the resource and the events list has an error code:

DependencyViolation

Unfortunately it doesn’t say which dependency but I presume it is my EC2 instance. So I could remove this group and then re-add it to the EC2 instance again later. Yes, that works. As soon as I removed the security group from my instance, the resource got deleted.

Hopefully someone at AWS reads this and sees how painful this error is.

I don’t fully understand what is causing this error. I wish it were clearer, but what I really wish is that AWS CloudFormation would just handle it properly. It seems like AWS CloudFormation could rename the resource in a transaction and then rename it again back to what it is supposed to be if that is what needs to happen here. AWS could also temporarily remove the SG from the group and delete and re-add it. Better yet, resolve the issue in a way that does not affect the security group or EC2 instance, only the rules, because that is the only thing that is changing in my case.

These are the types of things that make deployments difficult in cloud environments.

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2022