glamorous-umbrella-75404
02/12/2024, 6:28 PM
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Address range assigned to the VPC (a single /16 block).
const vpcArgs = { cidrBlock: "10.0.0.0/16" };

// Only the VPC itself is declared in this listing; no subnets are created here.
const vpc = new aws.ec2.Vpc("my-vpc", vpcArgs);

// Expose the VPC id so other modules can attach resources to this VPC.
const vpcId = vpc.id;
export { vpcId };
Below is the code where I import the VPC and create the security groups (I added a `dependsOn` option to ensure that the database security group is created after the API security group):
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import { vpcId } from "./vpc";
// Builds the outbound rule used by both groups: every protocol ("-1") on every
// port to any IPv4 destination.
const allowAllEgress = () => ({
  protocol: "-1",
  fromPort: 0,
  toPort: 0,
  cidrBlocks: ["0.0.0.0/0"],
});

// Security group for the API stack: accepts TCP 80 from any IPv4 address.
// NOTE(review): 0.0.0.0/0 exposes the port to the whole internet, and port 80
// carries unencrypted HTTP. Narrow cidrBlocks to the client ranges that actually
// need access wherever that is possible.
const apiSecurityGroup = new aws.ec2.SecurityGroup("api-stack-sg", {
  vpcId,
  ingress: [
    {
      protocol: "tcp",
      fromPort: 80,
      toPort: 80,
      cidrBlocks: ["0.0.0.0/0"],
    },
  ],
  egress: [allowAllEgress()],
});

// Security group for the data stack: PostgreSQL (TCP 5432) is reachable only from
// members of the API security group, not from any CIDR range.
// The ingress rule already references apiSecurityGroup.id; dependsOn additionally
// states the creation order explicitly.
// NOTE(review): outbound traffic is unrestricted here as well; confirm the
// database really needs to open connections to arbitrary destinations.
const databaseSecurityGroup = new aws.ec2.SecurityGroup(
  "data-stack-sg",
  {
    vpcId,
    ingress: [
      {
        protocol: "tcp",
        fromPort: 5432,
        toPort: 5432,
        securityGroups: [apiSecurityGroup.id],
      },
    ],
    egress: [allowAllEgress()],
  },
  { dependsOn: [apiSecurityGroup] },
);

export { apiSecurityGroup, databaseSecurityGroup };
Below is the code for the database:
import * as pulumi from "@pulumi/pulumi";
import * as rds from "@pulumi/aws/rds";
import * as random from "@pulumi/random";
import { databaseSecurityGroup } from "../common/securityGroups";
import { vpcId } from "../common/vpc";
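// Name of the initial database; also reused as the Pulumi resource name below.
const dbName = "maindb";

// Random master password for the instance.
// RDS does not accept '/', '"' or '@' in a master password, and the random
// provider's default special-character set contains '@', so the set is restricted
// here to characters RDS allows.
const dbPassword = new random.RandomPassword("db-password", {
  length: 16,
  special: true,
  overrideSpecial: "!#$%&*()-_=+[]{}<>:?",
}, { additionalSecretOutputs: ["result"] });

// RDS PostgreSQL instance guarded by the data-stack security group.
// NOTE(review): no dbSubnetGroupName is set. Without one, RDS uses its default
// subnet group, which belongs to the account's default VPC rather than the VPC
// the security group was created in. That matches the InvalidParameterCombination
// error ("DB instance and EC2 security group are in different VPCs"). A
// rds.SubnetGroup built from subnets of that VPC (none are visible in this code)
// has to be passed as dbSubnetGroupName to keep both resources in one VPC.
const database = new rds.Instance(dbName, {
  engine: "postgres",
  engineVersion: "15.5",
  dbName,
  allocatedStorage: 20,
  instanceClass: "db.t3.small",
  vpcSecurityGroupIds: [databaseSecurityGroup.id],
  username: "adminuser",
  password: dbPassword.result,
  // Encrypt data at rest and state explicitly that the instance gets no public address.
  storageEncrypted: true,
  publiclyAccessible: false,
});

// Host name of the instance: the endpoint output has the form "host:port", and only
// the part before the colon is kept. This does not change who can reach the
// database; reachability is decided by the security group and subnet placement.
const endpoint = database.endpoint.apply((hostAndPort) => hostAndPort.split(":")[0]);

export { database, endpoint };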
However, when I run `pulumi up`, everything is fine until the database is created, at which point I get the following error:
InvalidParameterCombination: The DB instance and EC2 security group are in different VPCs. The DB instance is in vpc-##### and the EC2 security group is in vpc-####
How did I end up with two VPCs? Shouldn't they be in the same VPC, since I only created one VPC (and passed that ID to the security groups)?