Is there a simple way to block ingress via a secur...
# aws
f
Is there a simple way to block ingress via a security group for a Fargate service? I don't want to create a VPC for the service, but whatever one it lands in.
g
Not sure about Fargate specifically, but for security groups in general they are whitelist activated. So a blank security group will allow nothing in or out. You have to explicitly add allows onto it. So you could check if any security groups are being added automatically on your Fargate service, and either modify them or replace them. If none exist, create a new blank security group (probably with allow 0.0.0.0/0 outbound, if required) and add it onto the service?
f
OO. One is being added automatically (I am not defining it). Could I then grab that SG after and edit it? Are there some docs to put me in the right direction?
g
Depends on if AWS is adding the group, or if Pulumi is. Are you using the Crosswalk provider? Check the Pulumi provider documentation for the provider you're using and see if it exposes the security group as an Output. If yes, then you can edit it. If not, then to my knowledge you'll have to create it manually yourself with Pulumi. Or perhaps import it on the fly? I'm not sure what the other languages allow, since I use YAML. https://www.pulumi.com/registry/packages/awsx/api-docs/ecs/fargateservice/
f
So I was able to sort of get it, but I seem to have gotten stuck with Output<string | undefined> and I cannot figure out for the life of me how to get it to just be a string.
g
What language are you using?
f
TypeScript, not by choice
g
OK, can't help, sorry. I have used YAML only.