when a security group is altered it triggers a “replace” operation — but the delete fails if the security group is being used by other resources (AWS does not allow you to delete a security group that is in use) Is there a workaround for this? cc @dazzling-memory-8548

how are you defining your security group, could you share some example code (I have a theory, but want to see some code before I answer 🙂 )

ah, i was hoping it was just the rules. Unfortunately I don't know of a way around this, it's a limitation of the AWS API. There's no

PATCH

operation for the description, so it has to do a destroy -> recreate.

right. makes sense. is there anything Pulumi can do to assist with the dependency unhooking? or do you just have to remember to do that?

are all the resources in the same stack?

yes

more I think about it, more I'm not sure. gonna try run a test to see if I can get a better result

correct

okay, just tried this and it seemed to create the new security group and then updated the ALB after it was created:

Previewing update (production):
     Type                      Name               Plan        Info
     pulumi:pulumi:Stack       alb.go-production
 +-  ├─ aws:ec2:SecurityGroup  web                replace     [diff: ~description]
 ~   └─ aws:lb:LoadBalancer    web                update      [diff: ~securityGroups]
 +-     ├─ aws:lb:Listener     http               replace     [diff: ~loadBalancerArn]
 +-     └─ aws:lb:Listener     https              replace     [diff: ~loadBalancerArn]

Outputs:
  ~ arn             : "arn:aws:elasticloadbalancing:us-west-2:616138583583:loadbalancer/app/web-d3c3708/174d37cd98d1a211" => output<string>
  ~ dnsName         : "<http://web-d3c3708-2004262507.us-west-2.elb.amazonaws.com|web-d3c3708-2004262507.us-west-2.elb.amazonaws.com>" => output<string>
  ~ httpListenerArn : "arn:aws:elasticloadbalancing:us-west-2:616138583583:listener/app/web-d3c3708/174d37cd98d1a211/ea06334532a1400e" => output<string>
  ~ httpsListenerArn: "arn:aws:elasticloadbalancing:us-west-2:616138583583:listener/app/web-d3c3708/174d37cd98d1a211/d8a76ae6ce07a486" => output<string>

Resources:
    ~ 1 to update
    +-3 to replace
    4 changes. 1 unchanged

Do you want to perform this update? yes
Updating (production):
     Type                      Name               Status       Info
     pulumi:pulumi:Stack       alb.go-production
 +-  ├─ aws:ec2:SecurityGroup  web                replaced     [diff: ~description]
 ~   └─ aws:lb:LoadBalancer    web                updated      [diff: ~securityGroups]

Outputs:
    arn             : "arn:aws:elasticloadbalancing:us-west-2:616138583583:loadbalancer/app/web-d3c3708/174d37cd98d1a211"
    dnsName         : "<http://web-d3c3708-2004262507.us-west-2.elb.amazonaws.com|web-d3c3708-2004262507.us-west-2.elb.amazonaws.com>"
    httpListenerArn : "arn:aws:elasticloadbalancing:us-west-2:616138583583:listener/app/web-d3c3708/174d37cd98d1a211/ea06334532a1400e"
    httpsListenerArn: "arn:aws:elasticloadbalancing:us-west-2:616138583583:listener/app/web-d3c3708/174d37cd98d1a211/d8a76ae6ce07a486"

Resources:
    ~ 1 updated
    +-1 replaced
    2 changes. 3 unchanged

@billowy-army-68599, thanks for looking into this. Though I am assuming the alb has the same problem (I can test in our env shortly), we actually tripped over this scenario when using a security group as part of an ecs service. When it's defined along the lines of this, any changes to

MySecurityGroup

attempt a recreation which fails due to the ecs association. The stack continues to try to replay the delete until we manually intervene.

new aws.ecs.Service("service", {
    cluster: cluster.id,
    desiredCount: 1,
    launchType: "FARGATE",
    networkConfiguration: {
        assignPublicIp: false,
        securityGroups: [MySecurityGroup.id],
        subnets: [privateSubnets["az0"].id, privateSubnets["az1"].id],
    },
    taskDefinition: myTaskDefinition.arn,
}),

ah okay, will give it a try on an ECS cluster too

Thanks. It may be related to https://github.com/terraform-providers/terraform-provider-aws/issues/1671

okay, similar story with this ECS service + Securitygroup, so it's definitely possible:

Do you want to perform this update? yes
Updating (production):
     Type                      Name                   Status       Info
     pulumi:pulumi:Stack       grafana.go-production
 +-  ├─ aws:ec2:SecurityGroup  grafana                replaced     [diff: ~description]
 ~   └─ aws:ecs:Service        grafana                updated      [diff: ~networkConfiguration]

Outputs:
    address: "grafana.aws.briggs.work"

Resources:
    ~ 1 updated
    +-1 replaced
    2 changes. 6 unchanged

Duration: 7m36s

@billowy-army-68599 I was getting

Error deleting security group: DependencyViolation: resource sg-XXXXXX has a dependent object status code: 400

on pulumi v2.6.1 + \@pulumi/aws 2.13.0. However, I'm testing now in a fresh env with ecs, and I'm unable to reproduce there or with an alb. It must be some unrelated factor. Sorry to waste your time; I'll update with additional detail if I see it happen again. I appreciate the help.

not a waste at all, glad it was resolved!