No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

I was wondering about that too. I think the answer is that even though the security group belongs to the VPC, it has to be explicitly associated with a resource (lambda, or EC2 instance) to take effect. 

The terminology “vpc config” for lambdas comes from aws, but it’s a little confusing because it implies that it just describes the vpc. It both identifies the subnets *and* the security groups to use. Different lambdas in the same subnet can use different security groups. 

That makes sense. A VPC can have different security groups and a lambda in that VPC can have any one of those associated security groups. I wonder what would happen if a security group that is not associated with a VPC is associated with a lambda in that VPC?

I think you'd get an error telling you that the sg was not in the right VPC, I've not played with lamdbas but have seen a similar error with other resources, i.e. ECS Fargate tasks.