I found the docs for SecurityGroupRule, but the examples seem a bit mangled (is the word "console" meant to be everywhere?) and it all seems to be one-by-one. What's the easiest way of importing all the rules attached to a security group?

Hi Ben, No I don't think the word console is supposed to be all over the place. I'll raise an issue for that. In answer to your question, you can use the import CLI command with a list of resources to import, so you could get the list of rules from the AWS CLI and then pipe that through to the pulumi import command

Thanks @brave-planet-10645 - is there an example anywhere for this? https://www.pulumi.com/docs/reference/cli/pulumi_import/ says the the CLI is single resource only and that for multiples you have to use a JSON file in a specific format. The problem is individual security group rules don't have an arn AFAIK and the output of

aws ec2 describe-security-groups

doesn't look anything like the JSON format

pulumi import

is expecting.

So you will have to parse the output from the AWS CLI to get it into a format that you'd want. It might not be possible to do it in one step, but it'll still be a lot quicker than doing it one at a time

OK - yeah that's less than ideal. What's the best way to submit this as a feature request Piers?

You can always raise an issue in the AWS provider repo: https://github.com/pulumi/pulumi-aws