Tuesday, June 27, 2017

The network acl entry identified by xxxx already exists


Here are some troubleshooting tips if you are getting this error when running a CloudFormation template that creates NACL entries:

"ResourceStatusReason": "The network acl entry identified by 2012 already exists."

First of all, check that you do not have two entries with the same rule number in the same NACL and the same direction. Inbound and outbound entries have separate rule number spaces, so an ingress and an egress entry may legitimately share a number; two egress entries on one NACL may not. The rule number property on a CloudFormation AWS::EC2::NetworkAclEntry resource is documented here:

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-network-acl-entry.html

and looks like this:

  NaclAWSDNS:
    Type: "AWS::EC2::NetworkAclEntry"
    Properties:
      CidrBlock: !Ref paramsAWSGlobalDNS
      Egress: true                         # outbound rule; rule numbers are per direction
      NetworkAclId: !Ref FireboxPublicSubnetNacl
      Protocol: 17                         # UDP
      PortRange:
        From: 53
        To: 53
      RuleAction: "Allow"
      RuleNumber: "2012"                   # must be unique within this NACL and direction

A Ctrl-F search in the template for 2012 is usually enough to find the duplicate.

But what if there is only one rule with RuleNumber 2012? In that case you may have renamed the resource's logical ID. For instance, NaclAWSDNS was called NaclSomethingElse in a prior execution of the template.

CloudFormation does not treat a renamed logical ID as a rename: it sees one resource that was removed and another that was added. You might expect it to delete the old entry first and then create the new one, but it does the opposite. During a stack update, new and changed resources are created first and removed resources are deleted only in the cleanup phase, after every create and update has succeeded. That ordering is what lets a failed update roll back to the previous state without having already destroyed anything. It also means that, while the update runs, the old entry with rule number 2012 still exists on the NACL, so creating the new entry with the same number fails with "already exists". A side effect worth noting is that the stack never passes through a state where the rule is absent, which is the behaviour you want for DENY entries.

The solution in the latter case is to give the rule you are renaming a rule number that is unused in that NACL and direction (or to keep the original logical ID). Do not work around it by removing the old entry in one update and adding the new one in a second update, since that leaves the rule absent between the two deployments.
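Both checks described above, the duplicate-number search and the renamed-logical-ID collision, can be automated against the template before you run the update. The following is an added example and not code from the original post; it works on the JSON form of a CloudFormation template (the YAML in the post is equivalent, with !Ref written as {"Ref": ...}). The two embedded templates, their logical IDs (NaclSomethingElse, NaclAWSDNS, NaclAWSDNSIn, NaclHttpsOut, NaclSmtpOut), the NACL name FireboxPublicSubnetNacl and the parameter paramsAWSGlobalDNS are constructed for the illustration.

```python
import json
from collections import defaultdict

# Constructed sample templates (CloudFormation JSON form). OLD_TEMPLATE is what
# is currently deployed; NEW_TEMPLATE is the edited version about to be applied.
# Names and values are assumptions made for this example.
_NACL = {"Ref": "FireboxPublicSubnetNacl"}

def _entry(egress, rule_number, port):
    return {
        "Type": "AWS::EC2::NetworkAclEntry",
        "Properties": {
            "NetworkAclId": _NACL, "Egress": egress, "RuleNumber": rule_number,
            "Protocol": 17, "PortRange": {"From": port, "To": port},
            "RuleAction": "allow", "CidrBlock": {"Ref": "paramsAWSGlobalDNS"},
        },
    }

OLD_TEMPLATE = {"Resources": {
    "FireboxPublicSubnetNacl": {"Type": "AWS::EC2::NetworkAcl",
                                "Properties": {"VpcId": {"Ref": "Vpc"}}},
    "NaclSomethingElse": _entry(True, 2012, 53),
    "NaclHttpsOut": _entry(True, 2020, 443),
}}

NEW_TEMPLATE = {"Resources": {
    "FireboxPublicSubnetNacl": OLD_TEMPLATE["Resources"]["FireboxPublicSubnetNacl"],
    "NaclAWSDNS": _entry(True, 2012, 53),      # NaclSomethingElse renamed, number kept
    "NaclAWSDNSIn": _entry(False, 2012, 53),   # ingress: separate number space, no clash
    "NaclHttpsOut": _entry(True, 2020, 443),
    "NaclSmtpOut": _entry("true", "2020", 25), # genuine duplicate (quoted, as YAML often is)
}}

def _key(props):
    """Identity of an entry as AWS sees it: (NACL, direction, rule number).
    NetworkAclId may be a literal ID or an intrinsic such as {"Ref": ...}, so it is
    serialised canonically; Egress and RuleNumber are normalised because YAML
    templates frequently quote them, as the post's snippet does ("2012")."""
    nacl = json.dumps(props.get("NetworkAclId"), sort_keys=True)
    egress = str(props.get("Egress", False)).lower() == "true"
    return (nacl, egress, int(props["RuleNumber"]))

def nacl_entries(template):
    """Map logical ID -> identity key for every AWS::EC2::NetworkAclEntry."""
    return {
        name: _key(res.get("Properties", {}))
        for name, res in template.get("Resources", {}).items()
        if res.get("Type") == "AWS::EC2::NetworkAclEntry"
    }

def find_duplicate_rules(template):
    """Case 1: two entries in one template share NACL, direction and rule number.
    Returns a sorted list of (key, [logical IDs]) for each clash."""
    by_key = defaultdict(list)
    for name, key in nacl_entries(template).items():
        by_key[key].append(name)
    return sorted((key, sorted(names)) for key, names in by_key.items()
                  if len(names) > 1)

def find_renamed_collisions(old_template, new_template):
    """Case 2: a logical ID disappeared and a new one appeared with the same
    identity. CloudFormation creates the new entry before it deletes the old one
    in the cleanup phase, so the update fails with 'already exists'.
    Returns sorted (old_logical_id, new_logical_id) pairs."""
    old, new = nacl_entries(old_template), nacl_entries(new_template)
    removed = {name: key for name, key in old.items() if name not in new}
    added = {name: key for name, key in new.items() if name not in old}
    return sorted((o, n) for o, ok in removed.items()
                  for n, nk in added.items() if ok == nk)

def with_rule_number(template, logical_id, rule_number):
    """Return a deep copy of the template with one entry's RuleNumber changed,
    i.e. the fix the post recommends: pick an unused number for the renamed rule."""
    fixed = json.loads(json.dumps(template))
    fixed["Resources"][logical_id]["Properties"]["RuleNumber"] = rule_number
    return fixed

if __name__ == "__main__":
    for key, names in find_duplicate_rules(NEW_TEMPLATE):
        print("duplicate rule number %d (%s) in %s: %s"
              % (key[2], "egress" if key[1] else "ingress", key[0], ", ".join(names)))
    for old_name, new_name in find_renamed_collisions(OLD_TEMPLATE, NEW_TEMPLATE):
        print("%s was renamed to %s but kept its rule number; the update will fail"
              % (old_name, new_name))
```

Run it against the previous and the edited template before `update-stack`; the renamed-collision check needs the previously deployed template, which you can fetch with `aws cloudformation get-template` if it is not in version control.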