I've been playing with the client VPN stuff, and it seems like the features aren't really flushed out. You can create a client vpn, and associate it with a subnet, but you can't assign the security groups, manage the routes, or the authorization. Does that sound right? If so, it's better than nothing, but could be better.

Does it make sense to do a ticket for something like that, or is this a "wait for upstream to have better support"

In general, things like this would need to be addressed up-stream. We're happy to help drive visibility and potentially contribute to PRs - but I'd suggest first making sure there are tracking issues opened in the upstream repos.

or is there a way to do arbitrary aws cli commands for gaps?

Does CloudFormation have sufficient support? https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-clientvpnendpoint.html If so, you can use https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/aws/cloudformation/#Stack to deploy a single (or couple) resources using CloudFormation from within Pulumi. Else - you can also build a dynamic provider that wraps calls to

aws

calls for the CRUD operations. This is a little more work for sure - but possible and very flexible. https://github.com/pulumi/examples/blob/master/azure-ts-dynamicresource/cdnCustomDomain.ts is a complete example of this sort of thing.

All of that is spectacular information. Thank you!