Hello folks, At my company, we usually spin up new...
# aws
a
Hello folks. At my company, we usually spin up new VPC instances for testing purposes. Is there a way to override the default security group configuration for a new VPC using either the aws classic provider or aws-native? The VPC default security group is too permissive; I could of course manually modify the inbound and outbound rules, but is there a way to automate this process using Pulumi resource providers?
s
Why not create a new security group and use that instead of the default?
a
Yes, I should do that. My question is rather: can we attach a custom SG to the aws.ec2.Vpc instance?
s
I don’t know that you can replace the default SG when you create a VPC, but you can definitely create a new SG after you create a VPC.
a
I see.
s
Here’s an example in Go (the VpcId property takes the ID of a previously created (in the same program) VPC).
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/ec2"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Create the VPC first; its ID is passed to the security group below via VpcId.
		vpc, err := ec2.NewVpc(ctx, "vpc", &ec2.VpcArgs{
			CidrBlock: pulumi.String("10.0.0.0/16"),
		})
		if err != nil {
			return err
		}

		// Create a security group attached to the VPC above (not the VPC's default SG)
		securityGroup, err := ec2.NewSecurityGroup(ctx, "security-group", &ec2.SecurityGroupArgs{
			Name:        pulumi.String("securityGroupName"),
			VpcId:       vpc.ID(),
			Description: pulumi.String("Allows SSH traffic to hosts"),
			Ingress: ec2.SecurityGroupIngressArray{
				// NOTE: 0.0.0.0/0 exposes SSH to the whole internet; narrow the CIDR for anything non-throwaway.
				ec2.SecurityGroupIngressArgs{
					Protocol:    pulumi.String("tcp"),
					ToPort:      pulumi.Int(22),
					FromPort:    pulumi.Int(22),
					Description: pulumi.String("Allow inbound SSH (TCP 22) from anywhere"),
					CidrBlocks:  pulumi.StringArray{pulumi.String("0.0.0.0/0")},
				},
				ec2.SecurityGroupIngressArgs{
					Protocol:    pulumi.String("udp"),
					ToPort:      pulumi.Int(51280),
					FromPort:    pulumi.Int(51280),
					Description: pulumi.String("Allow Wireguard VPN (UDP 51280) from anywhere"),
					CidrBlocks:  pulumi.StringArray{pulumi.String("0.0.0.0/0")},
				},
			},
			Egress: ec2.SecurityGroupEgressArray{
				// Protocol "-1" with ports 0/0 means all protocols and all ports
				ec2.SecurityGroupEgressArgs{
					Protocol:    pulumi.String("-1"),
					ToPort:      pulumi.Int(0),
					FromPort:    pulumi.Int(0),
					Description: pulumi.String("Allow all outbound traffic"),
					CidrBlocks:  pulumi.StringArray{pulumi.String("0.0.0.0/0")},
				},
			},
		})
		if err != nil {
			return err
		}

		ctx.Export("securityGroupId", securityGroup.ID())
		return nil
	})
}