Humm, is there a way to update a security group rather than replace it when modifying ingress / egress rules?
I've got a group that I imported, and I want to modify it, but it's not acceptable to have some in-between state where the EC2 instances don't have any security group applied. The instances are unfortunately not in Pulumi's control, and probably shouldn't be either (as they are created by a lambda deployed via a CF template by a vendor).