This message was deleted.

You would need to allow ingress to the security group from the environment you are running your deployment. Either your machine’s IP, or a CIDR block for your CI/CD system, or peer into the VPC where deployments will run, or set up a VPN connection to the target VPC.

If I have a

rds

like this:

const rds = new aws.rds.Instance('db', {
    vpcSecurityGroupIds: [securityGroup.id, securityGroup2.id]
    //...
});

const provider = new mysql.Provider(...)
const db = new mysql.Database(...)

How can I remove

securityGroup2.id

from the

rds

above after creating rds and database?

securityGroup2

allows my machine to run mysql operations.

It will in general be hard to remove the security group needed here as part of a desired state system (Pulumi, CloudFormation, Terraform, etc.). If it can work for your use case, I'd suggest permanently allowing ingress from the deployment context you are running in. Alternatively, you may want to use the VPN approach to VPN the deployment context into the VPC. This is more machinery to set up - but allows you to dynamically negotiate access from arbitrary external endpoints.

Thanks for your suggestion! I am thinking about another solution. I will create a jumphost and use ansible to connect to the host inside the subnet and from here ansible can connect to the database. So basically, my machine (run ansible code) -> ec2 ssh bastion (public ip, security group to access middle host via ssh) -> ec2 middle host (private ip only, security group to access rds) -> rds. The reason I use ansible instead of pulumi for creating databases in RDS is that I don't need to install nodejs on that host.