Since resource creation is deferred with Pulumi, what's the process for updating an item before it gets created? Specifically, I've created two AWS SecurityGroup objects and want some of the egress rules in one to reference the other. The reason I'm breaking this up is that I don't want to manually define the order in which the groups get created. Creating each and maintaining a reference back seemed like a solution. However, when I pull up the object to modify it, I find the object seems to want a "resolved" value:

let thisGroup = createdSecGroups.get(thisGroupName);
                    if (item.allowed_other_sec_grps && item.allowed_other_sec_grps.length > 0) {
                        for (let allowed of item.allowed_other_sec_grps) {
                            let theOtherSecGrp = createdSecGroups.get(allowed + "_" + vpc);
                            if (theOtherSecGrp && thisGroup) {
                                thisGroup.egress.get().forEach(entry => {
                                    entry.securityGroups = theOtherSecGrp!.id;
                                });
                            }
                        }
                    }

This line is invalid:

entry.securityGroups = theOtherSecGrp!.id;

It looks like securityGroups wants a resolved string[] value. I'm guessing this is another case where I'm thinking about this all wrong... Suggestions are appreciated!

This is generally why you use the

SecurityGroupRule

resource instead of specifying the rules inline in the

SecurityGroup

. See notes on https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/aws/ec2/#SecurityGroupRule.

If I'm reading the documentation right, it says SecurityGroupRules work with "external" Security Groups. So if I'm creating security groups with Pulumi, that doesn't seem to work?

That's right - the latter is the "right" way to do this in Pulumi and Terraform for maximum flexibility.