I have a weird issue with awsx. I am setting up an ALB with a HTTPS listener that forwards to a HTTP target in ECS. But awsx generates the wrong security group rules, which causes the health checks to fail. This is my code:

const caddyTargetGroup = alb.createTargetGroup('caddy', {
  vpc,
  port: 80,
  protocol: 'HTTP',
});

const caddyHttpsListener = caddyTargetGroup.createListener(
  'caddyHttps',
  { protocol: 'HTTPS', port: 443, certificateArn: certificate.arn },
  { dependsOn: [domainVerificationRecord] }
);

The created security group for the ALB allow inbound and outbound traffic on port 443, but I need outbound traffic on port 80 obviously, or the listener cannot reach the container on port 80. When I change this by hand to port 80 in the SG it works. Is this a bug in pulumi or am I missing something?