No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

If you have a repro case for this - definitely open an issue in the `pulumi-aws` repo so we can look into it. We have several test cases that test things very close to this scenario, so I’m interested in what specific conditions are triggering this in your case. 

Cc also <@UB8A66MPS>.

 An you also include your security group definition in the issue <@UHA3XET0V> ?

Here is my security group:
```
const anyCidr = ['0.0.0.0/0']

const albSecurityGroup = new aws.ec2.SecurityGroup('alb-sg', {
  description: 'Enables HTTP inbound and any outbound',
})

const ingressRule = new aws.ec2.SecurityGroupRule('alb-sg-ingress-rule', {
  type: 'ingress',
  protocol: 'tcp',
  fromPort: 80,
  toPort: 80,
  cidrBlocks: anyCidr,
  securityGroupId: albSecurityGroup.id,
})

const egressRule = new aws.ec2.SecurityGroupRule('alb-sg-egress-rule', {
  type: 'egress',
  protocol: '-1',
  fromPort: 0,
  toPort: 0,
  cidrBlocks: anyCidr,
  securityGroupId: albSecurityGroup.id,
})
```
And here's how I'm applying it to the load balancer:
```
const loadBalancer = new awsx.elasticloadbalancingv2.ApplicationLoadBalancer(
  'primary-alb',
  {
    external: true,
    securityGroups: [albSecurityGroup],
  }
)
```
If you would like to see the full code I will create a repo. Thanks

<@UB3BGTV63>, <@UB8A66MPS> - that example works fine. To actually reproduce the issue you need to create a listener as well:
```
const listener = loadBalancer.createListener('http-listener', {
  port: 80,
})
```

Ahh it turns out I have to set `external: false` on the listener to prevent it from trying to create another security group for the load balancer. It does make sense in that if you just create the listener you would want it to create the load balancer and give it a public security group but if you're creating the load balancer yourself it's a little anti-intuitive because you can't create a load balancer with no security groups. Is this already in the docs somewhere and I just missed it?