Cloudformation importing existing security group failing with Internal Error

0

Hi there,

I'm trying to import a few networking resources into a new VPC stack. When I try to import all the resources at once, Cloudformation returns an Internal Error message. To isolate the problematic resource, I started importing each resource 1 by 1 and it seems like the issue is coming from the import of a security group.

When I try to import just the specific security group, I receive the Internal Error message. I have confirmed the security group ID is correct, and that the security group belongs to the correct VPC.

Additionally, I have been able to import another set of security groups into our staging stack about two weeks ago. I am seeing this problem today when I try to perform a similar import on our production stack.

Any idea on how to debug this further? The Internal Error message is not very useful.

4 Answers
0

Hello.

Is it possible for you to share the CloudFormation template you are using and the error message?
Also, are there any differences when comparing the security group that was successfully imported and the security group that was unsuccessfully imported?

EXPERT
answered 5 months ago
0

I can't share the full Cloudformation template because it contains company specific information. However, here are the relevant parts:

AWSTemplateFormatVersion: 2010-09-09
Parameters:
  Account:
    Type: String
    Default: production
    AllowedValues:
      - production
      - staging
Resources:
  VPC:
    Type: AWS::EC2::VPC
    DeletionPolicy: Retain
    Properties:
      CidrBlock: 10.0.0.0/16 # 65,536 private IPv4 addresses
      EnableDnsSupport: true
      EnableDnsHostnames: true
  WideOpenSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    DeletionPolicy: Retain
    Properties:
      VpcId: !Ref VPC
      GroupDescription: wide open security group that allows all traffic through
      SecurityGroupIngress:
        - IpProtocol: -1
          CidrIp: 0.0.0.0/0

This is the error I see in the UI: [screenshot]

There are no differences between the successful and unsuccessful security groups. They were both created using the same Cloudformation template, just in separate accounts (staging account and production account). I was able to successfully migrate the staging security groups from one Cloudformation stack to another. But I'm hitting this issue when I try to perform the same migration for the production security groups.

answered 5 months ago
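A pre-flight check for the one-by-one import approach described in this thread, added here as an example (it is not code from the thread or from AWS). It transcribes the posted template to a dict, checks the conditions CloudFormation enforces on an import change set (resource declared with the same type, DeletionPolicy set to Retain, and the resource identifier key documented for that type, GroupId for a security group and VpcId for a VPC), and emits the JSON passed to `--resources-to-import`. The identifier table and the sg- value in the usage are constructed for the example.

```python
import json

# Identifier key CloudFormation expects per importable type (constructed lookup
# covering the two types in the posted template; extend as needed).
IMPORT_IDENTIFIER = {
    "AWS::EC2::VPC": "VpcId",
    "AWS::EC2::SecurityGroup": "GroupId",
}

# The thread's template transcribed to a dict; !Ref becomes {"Ref": ...}.
TEMPLATE = {
    "Resources": {
        "VPC": {"Type": "AWS::EC2::VPC", "DeletionPolicy": "Retain",
                "Properties": {"CidrBlock": "10.0.0.0/16"}},
        "WideOpenSecurityGroup": {"Type": "AWS::EC2::SecurityGroup",
                                  "DeletionPolicy": "Retain",
                                  "Properties": {"VpcId": {"Ref": "VPC"}}},
    }
}


def preflight(template, resources_to_import):
    """Return the problems that would make CloudFormation reject the import.
    resources_to_import has the --resources-to-import shape:
    [{"ResourceType", "LogicalResourceId", "ResourceIdentifier": {...}}]"""
    problems = []
    resources = template.get("Resources", {})
    for entry in resources_to_import:
        lid, rtype = entry["LogicalResourceId"], entry["ResourceType"]
        res = resources.get(lid)
        if res is None:
            problems.append(f"{lid}: not declared in the template")
            continue
        if res["Type"] != rtype:
            problems.append(f"{lid}: template type {res['Type']} != {rtype}")
        if res.get("DeletionPolicy") != "Retain":
            problems.append(f"{lid}: DeletionPolicy must be Retain for import")
        key = IMPORT_IDENTIFIER.get(rtype)
        if key is None:
            problems.append(f"{lid}: no identifier mapping for {rtype}")
        elif set(entry["ResourceIdentifier"]) != {key}:
            problems.append(f"{lid}: identifier must be exactly {{{key}}}")
    return problems


def import_file(resources_to_import):
    """Serialize the list as the JSON given to --resources-to-import file://."""
    return json.dumps(resources_to_import, indent=2)


if __name__ == "__main__":
    # Import only the security group, mirroring the one-by-one isolation step.
    sg = [{"ResourceType": "AWS::EC2::SecurityGroup",
           "LogicalResourceId": "WideOpenSecurityGroup",
           "ResourceIdentifier": {"GroupId": "sg-0123456789abcdef0"}}]  # constructed
    print(preflight(TEMPLATE, sg) or import_file(sg))
```

Run it before `aws cloudformation create-change-set --change-set-type IMPORT`; an empty problem list means the template side of the import is well-formed, so a remaining Internal Error points at the account or resource state rather than the template.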
0

Thank you for sharing.

There seems to be no problem with the content of the CloudFormation template.
First of all, why not try troubleshooting according to the following document?
According to the following document, it is possible to see the cause of failure from CloudTrail's API history.
https://repost.aws/knowledge-center/cloudformation-internal-failure-error

You may also want to use the CloudFormation designer to check the syntax of your template.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/working-with-templates-cfn-designer.html

EXPERT
answered 5 months ago
0

I attempted to troubleshoot using that document earlier. The "Deploy a test stack" section is what prompted me to try importing the resources 1 by 1, and that's how I was able to determine the Security Groups are the issue. I also looked at Cloudtrail logs and I don't see any logs for this error. It seems like the error is happening before the Cloudtrail log can even be emitted.

I just dropped my entire Cloudformation template into the designer as you suggested, and I can confirm the syntax is correct.

answered 5 months ago
