Humm, is there a way to update a security group rather than replace it when modifying ingress / egress rules? I've got a group that I imported, and I want to modify it, but it's not acceptable to have some in-between state where the EC2 instances don't have any security group applied. The instances are unfortunately not in Pulumi's control, and probably shouldn't be either (as they are created by a lambda deployed via a CF template by a vendor).

Can you elaborate on this -"where the EC2 instances don't have any security group applied"? In general, a SecurityGroup should not need to be replaced when modifying ingress or egress rules. Can you share the output of

pulumi preview --diff

?

Ah, I just realized the issue.. I tried to change the description of the security group. If I don't, then it looks fine.