
CloudFormation cannot update a stack when a custom-named resource requires replacing

Should this issue be handled by CloudFormation automatically behind the scenes?

I added a customer managed prefix list to a security group and then I started getting this error message:

CloudFormation cannot update a stack when a custom-named resource requires replacing

This is a very strange error message to me. What exactly is a custom-named resource? I give lots of resources I create with CloudFormation a name. What makes something a “custom-named resource” as opposed to some other resource I simply give a name?

It’s not even clear in this case that the prefix list is the problem, but I presume it is — because that is the only thing I changed or added to this security group.

I am not sure why the prefix list requires replacing either. Or is it the security group that requires replacing because it is using a prefix list?

What I am pondering in this case is why CloudFormation cannot handle this issue for the customer. Whatever is causing this is very unclear to me and seems like it could be handled on the back end.

The other thing is that this error message is telling me to “rename” my security group. That is the name I want for my security group. If I rename my existing security group, I will have an extraneous security group hanging around that I don’t need or want. If I write some automated code it will simply keep creating more and more security groups. Wouldn’t it make more sense to delete the security group so CloudFormation can create a new one? Or should I rename the resource, run the code, then run it again with the new name?

I also found this post but it’s not that helpful in terms of answering my questions. It also just says to rename the resource.

Resolve the “Cannot update a stack when a custom-named resource requires replacing” error in AWS CloudFormation

I don’t fully understand what is causing this error. I wish it was more clear but what I really wish is that AWS CloudFormation would just handle it properly. It seems like AWS CloudFormation could rename the resource in a transaction and then rename it again back to what it is supposed to be if that is what needs to happen here. These are the types of things that make deployments difficult in cloud environments.

Teri Radichel
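
An added example (not from the original post or from AWS): a pre-deployment check in Python that takes a template and a change set description, both already loaded as dictionaries, and lists resources that set an explicit name property and are marked for replacement, which is the combination the error message refers to. The sample template, change set, logical IDs and the `NAME_PROPS` subset are constructed for illustration, and it assumes a change set was created for the update.

```python
# Added example: flag custom-named resources that a change set would replace.
# NAME_PROPS is a small illustrative subset of name properties, not a full list.
NAME_PROPS = {
    "AWS::EC2::SecurityGroup": "GroupName",
    "AWS::IAM::Role": "RoleName",
    "AWS::S3::Bucket": "BucketName",
}

def risky_replacements(template, change_set):
    """Return (logical_id, name_property, replacement, causes) tuples."""
    findings = []
    resources = template.get("Resources", {})
    for change in change_set.get("Changes", []):
        rc = change.get("ResourceChange", {})
        if rc.get("Action") != "Modify":
            continue
        if rc.get("Replacement") not in ("True", "Conditional"):
            continue  # updated in place, the existing name is kept
        logical_id = rc.get("LogicalResourceId")
        props = resources.get(logical_id, {}).get("Properties", {})
        name_prop = NAME_PROPS.get(rc.get("ResourceType"))
        if name_prop is None or name_prop not in props:
            continue  # CloudFormation generates the name, so no collision
        # Properties whose change forces (or may force) a new physical resource
        causes = sorted({
            d["Target"]["Name"] for d in rc.get("Details", [])
            if d.get("Target", {}).get("RequiresRecreation") in ("Always", "Conditionally")
            and d["Target"].get("Name")
        })
        findings.append((logical_id, name_prop, rc["Replacement"], causes))
    return findings

# Constructed sample data shaped like a template and describe-change-set output.
DETAIL = {"Target": {"Attribute": "Properties", "Name": "GroupDescription",
                     "RequiresRecreation": "Always"}}
TEMPLATE = {"Resources": {
    "WebSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupName": "web-sg", "GroupDescription": "web tier v2"}},
    "AppSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "app tier v2"}},
}}
CHANGE_SET = {"Changes": [
    {"ResourceChange": {"Action": "Modify", "LogicalResourceId": lid,
                        "ResourceType": "AWS::EC2::SecurityGroup",
                        "Replacement": "True", "Details": [DETAIL]}}
    for lid in ("WebSecurityGroup", "AppSecurityGroup")
]}

if __name__ == "__main__":
    for finding in risky_replacements(TEMPLATE, CHANGE_SET):
        print(finding)
```

Only `WebSecurityGroup` is reported: both groups are marked for replacement, but `AppSecurityGroup` has no `GroupName`, so its replacement gets a generated name.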


© 2nd Sight Lab 2022


CloudFormation cannot update a stack when a custom-named resource requires replacing was originally published in Bugs That Bite on Medium, where people are continuing the conversation by highlighting and responding to this story.