https://pulumi.com logo
Title
b

big-london-74366

08/25/2021, 6:40 AM
Is there a way for me to attach a security group to another resource without replacing the existing one?
vpcSecurityGroupIds
is read only, so, I can't do something like:
rds.vpcSecurityGroupIds = [rds.vpcSecurityGroupIds.concat(anotherSecurityGroup.id)]
Background story: I created the RDS outside Pulumi, so, I just import it. In order to allow access from another resource to that RDS, I need to add the security group to that RDS
l

little-cartoon-10569

08/25/2021, 6:48 AM
No. This is what the various Association resources are for, and there is no InstanceSecurityGroupAssociation resource ūüėě
However, once it's imported, you can change security groups. You don't need to add to it, just change it.
If you'd loaded it using
Instance.get()
then you'd be out of luck, but since you imported it, you can just add a new security group ID to the constructor, and Pulumi will take care of the rest.
b

big-london-74366

08/25/2021, 7:04 AM
I was using the
pulumi import
command which emit some code that I can copy paste. The problem with 'change' is that I had to replace them. So, if I already have
securityGroup1
and I just want to add
securityGroup2
, I can't because I need to read the value first, but the code that was given is more like 'declaration'. There's no way for me to read first. Sorry for the confusing details lol. I'll read more on the
Association
and
Instance.get
to see if I can move forward with those info
If it's not too much, where can I read about Association?
Instance.get()
may help me with getting the values first, I think
l

little-cartoon-10569

08/25/2021, 7:32 AM
There is no association for this area, and
Instance.get()
isn't what you want. The emitted source code, which you have now put in your Pulumi program, is the correct thing to edit.
You can directly edit the security groups in the instance object. You change the contents of the vpcSecurityGroupId array.
Pulumi is a declarative system, which makes the resources in your cloud provider (AWS) look like the resources defined in your source code. When you change your source code, it changes AWS. You don't construct the resource then modify it: you change the original constructor and redeploy.
vpcSecurityGroupIds is not read only as an argument to the constructor. Only the output is readonly. This is intentional: to change the security groups, you change the parameters to the constructor. Even though this originally came from output Pulumi, this is the correct way to change the instance. Because once you ran
pulumi import
, the resource became Pulumi-managed.
You said earlier
So, if I already have securityGroup1 and I just want to add securityGroup2 , I can't because I need to read the value first
This is not correct. You don't need to read the value first. The value was read during
pulumi import
, and again every time you do a
pulumi up
. It is maintained in your Pulumi state. You just need to add securityGroup2 (to the constructor) and run
pulumi up
. Pulumi works its magic and AWS is updated.
b

big-london-74366

08/25/2021, 7:42 AM
I think I got it, I'l try them out. But thanks for the reply, appreciate it
Based on the info, this is what I got:
// default security group
const defaultSg = new aws.ec2.SecurityGroup("defaultSg", {
  description: "default VPC security group",
  name: "default",
  revokeRulesOnDelete: false,
}, {
  protect: true,
})

// cluster security group
const appSecurityGroups = app.cluster.securityGroups;

const rds = new aws.rds.Instance("blog", {
  autoMinorVersionUpgrade: true,
  copyTagsToSnapshot: true,
  deleteAutomatedBackups: true,
  deletionProtection: true,
  identifier: "blog",
  instanceClass: "db.t3.micro",
  monitoringInterval: 0,
  performanceInsightsEnabled: false,
  publiclyAccessible: false,
  skipFinalSnapshot: true,
  storageEncrypted: true,
  vpcSecurityGroupIds: [defaultSg.id, appSecurityGroups[0].id]
}, {
  protect: true,
});
When I import the RDS for the first time, the
vpcSecurityGroupIds
are not there. So, if I add a new security group, it'll remove the previous config. So, I figured, just read the security group and assign them together like that. That will ensure it won't remove the original security group. Obviously not really a good solution as I need to get all security group first before I declare the RDS rather than merging what security group the RDS has with the new one
l

little-cartoon-10569

08/25/2021, 9:49 PM
That's not right either. What did the source code created by
pulumi import
look like? That's the only thing you need to edit. Also, when adding more than a few lines of source, you can use the "Create a Text Snippet" feature in the lightning menu (left side of text entry field) to make a collapsible code field. Much easier to read.
b

big-london-74366

08/26/2021, 1:26 AM
@little-cartoon-10569
vpcSecurityIds
line in
rds
is the only thing that I added there. It wasn't there, which is why I had to get the current security group id and add the new one in so that it won't remove the previous config. Noted on the Text Snippet
This is the generated code
l

little-cartoon-10569

08/26/2021, 3:01 AM
Excellent. Edit that. Add vpcSecurityGroupIds to that code.
Edit the Pulumi generated code.
b

big-london-74366

08/26/2021, 7:22 AM
@little-cartoon-10569 That's what I did (above). But since the RDS already has a security group, I need to get the security group and add it as part of
vpcSecurityGroupIds
rather than just adding the one. Which is also why I imported the existing security group. Is this the 'right' way to do it?
l

little-cartoon-10569

08/26/2021, 8:06 AM
Sounds good. So you should have 2 security group ids in the array. But still, just in the one place, in the constructor.
b

big-london-74366

08/26/2021, 8:30 AM
Got it. Thanks for all the info ūüėíimple_smile: