Community Note
Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
Please do not leave "+1" or "me too" comments; they generate extra noise for issue followers and do not help prioritize the request.
If you are interested in working on this issue or have submitted a pull request, please leave a comment.
Tell us about the bug
When deploying a CloudFormation template that adds a SecurityGroupEgress to an existing security group that already has an egress rule which allows all outbound traffic, the existing rule is removed.
I encountered this issue when adding a listener rule to a load balancer via the CDK to route traffic to an EC2 instance. This caused the CDK to create an outbound rule for the existing security group of the load balancer to allow traffic to the EC2 instance. This removed the existing outbound rule that allows all traffic, which caused the load balancer to stop working for all existing listener rules.
The deletion of the outbound rule is also not mentioned in the summary/diff when deploying (or using diff) via the CDK. The original state is also not restored when deleting the stack.
Expected behavior
The outbound rule is added to the security group without touching the existing rules.
Observed behavior
The existing egress rule which allows all traffic is deleted when adding a new outbound rule.
Test cases
Supply the ID of an existing security group with an outbound rule that allows all traffic.
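Because the reporter notes that the dropped rule does not show up in the CDK diff, a practitioner reproducing the test case above will want an independent check of the security group's egress rules before and after the deployment. The following is an added example, not code from the issue or from the CDK/CloudFormation projects. It compares two snapshots in the shape of the `IpPermissionsEgress` list returned by the EC2 `describe_security_groups` API and reports any rule that disappeared, flagging specifically the loss of an all-protocols rule open to `0.0.0.0/0` or `::/0`. Both snapshots and the `sg-EXAMPLE-ec2` group ID are constructed placeholders.

```python
"""Post-deployment check: did a stack update silently drop an egress rule?

Added example, not part of the original issue. The rule dictionaries mirror the
shape of the ``IpPermissionsEgress`` list returned by the EC2
``describe_security_groups`` API; the two snapshots below are constructed.
"""
from typing import Any

# Constructed snapshot of the load balancer's security group taken BEFORE the
# CloudFormation/CDK deployment: the default allow-all outbound rule is present.
BEFORE: list[dict[str, Any]] = [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
     "Ipv6Ranges": [], "UserIdGroupPairs": []},
]

# Constructed snapshot AFTER the deployment: the new rule targeting the EC2
# instance's security group was added and the allow-all rule is gone.
AFTER: list[dict[str, Any]] = [
    {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
     "IpRanges": [], "Ipv6Ranges": [],
     "UserIdGroupPairs": [{"GroupId": "sg-EXAMPLE-ec2"}]},  # placeholder ID
]


def rule_key(rule: dict[str, Any]) -> tuple:
    """Normalise one egress permission into a hashable key so rules can be
    compared as sets, independent of list ordering."""
    targets = tuple(sorted(
        [("cidr", r["CidrIp"]) for r in rule.get("IpRanges", [])]
        + [("cidr6", r["CidrIpv6"]) for r in rule.get("Ipv6Ranges", [])]
        + [("sg", p["GroupId"]) for p in rule.get("UserIdGroupPairs", [])]
    ))
    return (rule.get("IpProtocol"), rule.get("FromPort"),
            rule.get("ToPort"), targets)


def egress_diff(before: list[dict[str, Any]],
                after: list[dict[str, Any]]) -> tuple[set, set]:
    """Return (removed, added) sets of rule keys between two snapshots."""
    b = {rule_key(r) for r in before}
    a = {rule_key(r) for r in after}
    return b - a, a - b


def is_allow_all(key: tuple) -> bool:
    """True for an all-protocols rule open to 0.0.0.0/0 or ::/0."""
    proto, _, _, targets = key
    open_targets = (("cidr", "0.0.0.0/0"), ("cidr6", "::/0"))
    return proto == "-1" and any(t in open_targets for t in targets)


def lost_allow_all(before: list[dict[str, Any]],
                   after: list[dict[str, Any]]) -> bool:
    """True if the deployment removed an allow-all egress rule."""
    removed, _ = egress_diff(before, after)
    return any(is_allow_all(k) for k in removed)


if __name__ == "__main__":
    removed, added = egress_diff(BEFORE, AFTER)
    for key in removed:
        print("REMOVED:", key)
    for key in added:
        print("ADDED:  ", key)
    if lost_allow_all(BEFORE, AFTER):
        print("WARNING: the allow-all egress rule was dropped by the deployment")
```

In practice the two snapshots would come from calling `describe_security_groups` for the load balancer's group ID immediately before `cdk deploy` and again after it completes; running the diff as a post-deployment step surfaces exactly the removal that the CDK diff omits.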