https://pulumi.com logo
Join Slack
Powered by
Is there a way for me to attach a security group t...
# general
b
Is there a way for me to attach a security group to another resource without replacing the existing one? 
vpcSecurityGroupIds
is read only, so, I can't do something like:
Copy code
rds.vpcSecurityGroupIds = [rds.vpcSecurityGroupIds.concat(anotherSecurityGroup.id)]
Background story: I created the RDS outside Pulumi, so, I just import it. In order to allow access from another resource to that RDS, I need to add the security group to that RDS
l
No. This is what the various Association resources are for, and there is no InstanceSecurityGroupAssociation resource 😞
However, once it's imported, you can change security groups. You don't need to add to it, just change it.
If you'd loaded it using 
Instance.get()
then you'd be out of luck, but since you imported it, you can just add a new security group ID to the constructor, and Pulumi will take care of the rest.
b
I was using the 
pulumi import
command which emit some code that I can copy paste. The problem with 'change' is that I had to replace them. So, if I already have 
securityGroup1
and I just want to add 
securityGroup2
, I can't because I need to read the value first, but the code that was given is more like 'declaration'. There's no way for me to read first. Sorry for the confusing details lol. I'll read more on the 
Association
and 
Instance.get
to see if I can move forward with those info
If it's not too much, where can I read about Association? 
Instance.get()
may help me with getting the values first, I think
l
There is no association for this area, and 
Instance.get()
isn't what you want. The emitted source code, which you have now put in your Pulumi program, is the correct thing to edit.
You can directly edit the security groups in the instance object. You change the contents of the vpcSecurityGroupId array.
Pulumi is a declarative system, which makes the resources in your cloud provider (AWS) look like the resources defined in your source code. When you change your source code, it changes AWS. You don't construct the resource then modify it: you change the original constructor and redeploy.
vpcSecurityGroupIds is not read only as an argument to the constructor. Only the output is readonly. This is intentional: to change the security groups, you change the parameters to the constructor. Even though this originally came from output Pulumi, this is the correct way to change the instance. Because once you ran 
pulumi import
, the resource became Pulumi-managed.
You said earlier
So, if I already have securityGroup1 and I just want to add securityGroup2 , I can't because I need to read the value first
This is not correct. You don't need to read the value first. The value was read during 
pulumi import
, and again every time you do a 
pulumi up
. It is maintained in your Pulumi state. You just need to add securityGroup2 (to the constructor) and run 
pulumi up
. Pulumi works its magic and AWS is updated.
b
I think I got it, I'l try them out. But thanks for the reply, appreciate it
Based on the info, this is what I got:
Copy code
// default security group
const defaultSg = new aws.ec2.SecurityGroup("defaultSg", {
  description: "default VPC security group",
  name: "default",
  revokeRulesOnDelete: false,
}, {
  protect: true,
})

// cluster security group
const appSecurityGroups = app.cluster.securityGroups;

const rds = new aws.rds.Instance("blog", {
  autoMinorVersionUpgrade: true,
  copyTagsToSnapshot: true,
  deleteAutomatedBackups: true,
  deletionProtection: true,
  identifier: "blog",
  instanceClass: "db.t3.micro",
  monitoringInterval: 0,
  performanceInsightsEnabled: false,
  publiclyAccessible: false,
  skipFinalSnapshot: true,
  storageEncrypted: true,
  vpcSecurityGroupIds: [defaultSg.id, appSecurityGroups[0].id]
}, {
  protect: true,
});
When I import the RDS for the first time, the 
vpcSecurityGroupIds
are not there. So, if I add a new security group, it'll remove the previous config. So, I figured, just read the security group and assign them together like that. That will ensure it won't remove the original security group. Obviously not really a good solution as I need to get all security group first before I declare the RDS rather than merging what security group the RDS has with the new one
l
That's not right either. What did the source code created by 
pulumi import
look like? That's the only thing you need to edit. Also, when adding more than a few lines of source, you can use the "Create a Text Snippet" feature in the lightning menu (left side of text entry field) to make a collapsible code field. Much easier to read.
b
@little-cartoon-10569 
vpcSecurityIds
line in 
rds
is the only thing that I added there. It wasn't there, which is why I had to get the current security group id and add the new one in so that it won't remove the previous config. Noted on the Text Snippet
This is the generated code
Untitled.js
l
Excellent. Edit that. Add vpcSecurityGroupIds to that code.
Edit the Pulumi generated code.
Untitled.ts
b
@little-cartoon-10569 That's what I did (above). But since the RDS already has a security group, I need to get the security group and add it as part of 
vpcSecurityGroupIds
rather than just adding the one. Which is also why I imported the existing security group. Is this the 'right' way to do it?
l
Sounds good. So you should have 2 security group ids in the array. But still, just in the one place, in the constructor.
b
Got it. Thanks for all the info simple smile
Open in Slack
PreviousNext
Powered by