Hello, I am running into a spurious replace issue,...
# general
a
Hello, I am running into a spurious replace issue, is this a known problem? Pulumi believes that it needs to replace an ec2 instance to give it a security group, but the instance already has the security group shown. It happens even after a `pulumi refresh`.
```
++aws:ec2/instance:Instance: (create-replacement)
        <snip>
      ~ securityGroups: [
          + [0]: "sg-082e7a6e007b182dc"
        ]
    +-aws:ec2/instance:Instance: (replace)
      ~ securityGroups: [
          + [0]: "sg-082e7a6e007b182dc"
        ]
```
l
@adamant-dress-73325 are you trying to import existing resources into a Pulumi stack? Or is this a `pulumi preview/up` on an existing Pulumi setup?
a
On an existing setup
these particular resources were created with pulumi
l
@adamant-dress-73325 what are the changes to your pulumi code compared to the previous `pulumi up`?
a
I added new VPC Peering resources, while keeping the code for ec2 instance creation constant between runs.
```typescript
const blahInstance = new aws.ec2.Instance("blah-qa", {
  ami: "ami-blah",
  instanceType: aws.ec2.InstanceTypes.T3_XLarge,
  subnetId: vpcPrivateSubnetIds[0],
  securityGroups: [blahSg.id],
  keyName: "blah",
  associatePublicIpAddress: false,
  tags: {
    Name: "blah"
  }
});
```
l
What I usually do is comment out all my changes and add my changes again one by one up to the point where this behaviour happens.
w
I recall the issue here is that `securityGroups` is actually the wrong property to use here - you need to use `vpcSecurityGroupIds` if you are working with a VPC (which it looks like you are). I believe the confusion you are seeing comes from some strange behaviour where in this case your `securityGroups` wasn't really being applied in the first place, and so it looks like it's constantly trying to reapply it? I think there have been some previous conversations on this topic in the channel here - such as https://pulumi-community.slack.com/archives/C84L4E3N1/p1562426255155500.
a
Ok, that seems to work, no longer tries to replace, doc comment on that property would be great
l
Indeed, bitten by that too back in my Terraform days.
b
@adamant-dress-73325 sorry, securityGroups is actually for EC2 classic 😞 we may need to make this clearer
a
No worries, rename for that property to classicSecurityGroups could work now that aliases are a thing and avoid the foot gun
Or maybe not, I guess those only work on urn