Has anyone successfully used AWS native to do security group referencing across the transit gateway with another account id? I have the configuration there. Both the transit gateway and all attachments are enabled for security group referencing. I can create rules that reference the security group with the AWS cli, and I've compared the responses logged in cloudtrail for the AWS cli vs pulumi. The response provided by AWS is the same, but pulumi handles it as a failure. error: creating resource: reading resource state: operation error CloudControl: GetResource, https response error StatusCode: 400, RequestID: b43587c9-ea8c-49db-84e9-0eb5b8fdc060, ResourceNotFoundException: AWS:EC2:SecurityGroupIngress Handler returned status FAILED: The security group 'sg-12345678901234' does not exist (Service: Ec2, Status Code: 400, Request ID: 00ee5f94-abde-486f-b1dd-ed8db9a5fa99) (SDK Attempt Count: 1) (HandlerErrorCode: NotFound, RequestToken: 9003f0ad-11ba-48f7-883b-8d96e669a95d) I can see in the details of pulumi up that it is providing the right values, including the account id to reference. I haven't found any options to do the references with the aws library instead of aws-native which would enable me to continue. I expect this error will probably result in a bug ticket for aws native.

Does the user/role you're using in the Pulumi provider have auth to read the security group in the other account?

It's the same user which successfully created it via the cli

Ah. That's strange. Sounds like a bug report might be the right way to go.

Curious why you're using AWS CC (FKA AWS Native)

I didn't see any security group rule methods within aws that supports referencing security groups across accounts via an account id

It doesn't? I thought it was just the 2nd part of the ARN.