
sparse-tomato-5980

05/13/2021, 6:08 PM
Hi all - need a quick sanity check. (I'm talking about a specific resource, but this might just be applicable to anything that accepts an Input of Sequence[SomethingArgs]) I'm wondering if it's idiomatic to mutate an `aws.ec2.SecurityGroup`'s `.ingress` (or `.egress`) after it's already been constructed - i.e.

```python
ingress_rules: List[aws.ec2.SecurityGroupIngressArgs] = ...
security_group = aws.ec2.SecurityGroup(
    "SwarmSecurityGroup",
    ...
    ingress=ingress_rules,
)

# ... and later...
new_ingress_rule: aws.ec2.SecurityGroupIngressArgs = ...
# might need a .apply or something, but you get the gist - add something to this list
security_group.ingress = [new_ingress_rule, *security_group.ingress]
```

The problem is that `SecurityGroup#ingress` isn't of type IngressArgs, but an `outputs.SecurityGroupIngress`.
What makes me think this is forbidden: I could probably convert my IngressArgs into a SecurityGroupIngress, but the roundabout-ness of all this makes me wonder if I'm doing something wrong.
What makes me think this is allowable: aws.ec2.SecurityGroup has getter-setters for `.ingress`

bored-oyster-3147

05/13/2021, 6:12 PM
I don't think this will work and I think you should be using `aws.ec2.SecurityGroupRule` to add rules to an `aws.ec2.SecurityGroup` that you have already declared

sparse-tomato-5980

05/13/2021, 6:12 PM
Aha!
Okay, thanks - you've saved me another N days of bashing my head 🙂
🙌 1

billowy-army-68599

05/13/2021, 6:13 PM
yes, to clarify on what Joshua said, the SecurityGroup API call used here is immutable, so if you make changes it'll delete/replace. If you use securitygroup rule it can be updated without impact
✅ 1

sparse-tomato-5980

05/13/2021, 6:13 PM
My team is coming from CDK - is it safe to say that most "mutations" of pre-existing resources are done by declaring new, additional resources (sort of like PolicyRoleAttachment in IAM?)

billowy-army-68599

05/13/2021, 6:18 PM
yes that's right

sparse-tomato-5980

05/13/2021, 6:25 PM
Awesome. Thanks!

billowy-army-68599

05/13/2021, 6:26 PM
btw, would love to get some feedback and thoughts about the migration when you're happy to chat about it!

sparse-tomato-5980

05/13/2021, 6:27 PM
You're probably already hearing from us, somebody else on my team had a video call with somebody at pulumi yesterday 🙂

billowy-army-68599

05/13/2021, 6:30 PM
awesome to hear!

full-artist-27215

05/13/2021, 7:09 PM
👋 I am that other person 😂
👀 1

billowy-army-68599

05/13/2021, 7:40 PM
I know you chatted with Cam and Robby yesterday, but would love to chat with you about your experience with CDK and Pulumi when you get a chance! lmk if you're open to it!

full-artist-27215

05/13/2021, 8:13 PM
My personal experience with CDK consists of moving away from it 😂 That being said, it seems like there is a bit more "magic" in CDK than Pulumi, which has made Pulumi much more comprehensible (for me, at least).
but I'm down for a chat anytime

sparse-tomato-5980

05/13/2021, 9:14 PM
One ask is: If these fields are genuinely immutable, could we remove the @property setters on them (or at least document that they're for internal use only?)