This message was deleted Pulumi Community #general

Join Slack

This message was deleted.

# general

sparse-intern-71089

08/25/2021, 6:40 AM

This message was deleted.

little-cartoon-10569

08/25/2021, 6:48 AM

No. This is what the various Association resources are for, and there is no InstanceSecurityGroupAssociation resource 😞

little-cartoon-10569

08/25/2021, 6:50 AM

However, once it's imported, you can change security groups. You don't need to add to it, just change it.

little-cartoon-10569

08/25/2021, 6:51 AM

If you'd loaded it using

Instance.get()

then you'd be out of luck, but since you imported it, you can just add a new security group ID to the constructor, and Pulumi will take care of the rest.

big-london-74366

08/25/2021, 7:04 AM

I was using the

pulumi import

command which emit some code that I can copy paste. The problem with 'change' is that I had to replace them. So, if I already have

securityGroup1

and I just want to add

securityGroup2

, I can't because I need to read the value first, but the code that was given is more like 'declaration'. There's no way for me to read first. Sorry for the confusing details lol. I'll read more on the

Association

and

Instance.get

to see if I can move forward with those info

big-london-74366

08/25/2021, 7:07 AM

If it's not too much, where can I read about Association?

Instance.get()

may help me with getting the values first, I think

little-cartoon-10569

08/25/2021, 7:32 AM

There is no association for this area, and

Instance.get()

isn't what you want. The emitted source code, which you have now put in your Pulumi program, is the correct thing to edit.

little-cartoon-10569

08/25/2021, 7:32 AM

You can directly edit the security groups in the instance object. You change the contents of the vpcSecurityGroupId array.

little-cartoon-10569

08/25/2021, 7:33 AM

Pulumi is a declarative system, which makes the resources in your cloud provider (AWS) look like the resources defined in your source code. When you change your source code, it changes AWS. You don't construct the resource then modify it: you change the original constructor and redeploy.

little-cartoon-10569

08/25/2021, 7:35 AM

vpcSecurityGroupIds is not read only as an argument to the constructor. Only the output is readonly. This is intentional: to change the security groups, you change the parameters to the constructor. Even though this originally came from output Pulumi, this is the correct way to change the instance. Because once you ran

pulumi import

, the resource became Pulumi-managed.

little-cartoon-10569

08/25/2021, 7:39 AM

You said earlier

So, if I already have securityGroup1 and I just want to add securityGroup2 , I can't because I need to read the value first

This is not correct. You don't need to read the value first. The value was read during

pulumi import

, and again every time you do a

pulumi up

. It is maintained in your Pulumi state. You just need to add securityGroup2 (to the constructor) and run

pulumi up

. Pulumi works its magic and AWS is updated.

big-london-74366

08/25/2021, 7:42 AM

I think I got it, I'l try them out. But thanks for the reply, appreciate it

big-london-74366

08/25/2021, 2:04 PM

Based on the info, this is what I got:

Copy code

// default security group
const defaultSg = new aws.ec2.SecurityGroup("defaultSg", {
  description: "default VPC security group",
  name: "default",
  revokeRulesOnDelete: false,
}, {
  protect: true,
})

// cluster security group
const appSecurityGroups = app.cluster.securityGroups;

const rds = new aws.rds.Instance("blog", {
  autoMinorVersionUpgrade: true,
  copyTagsToSnapshot: true,
  deleteAutomatedBackups: true,
  deletionProtection: true,
  identifier: "blog",
  instanceClass: "db.t3.micro",
  monitoringInterval: 0,
  performanceInsightsEnabled: false,
  publiclyAccessible: false,
  skipFinalSnapshot: true,
  storageEncrypted: true,
  vpcSecurityGroupIds: [defaultSg.id, appSecurityGroups[0].id]
}, {
  protect: true,
});

When I import the RDS for the first time, the

vpcSecurityGroupIds

are not there. So, if I add a new security group, it'll remove the previous config. So, I figured, just read the security group and assign them together like that. That will ensure it won't remove the original security group. Obviously not really a good solution as I need to get all security group first before I declare the RDS rather than merging what security group the RDS has with the new one

little-cartoon-10569

08/25/2021, 9:49 PM

That's not right either. What did the source code created by

pulumi import

look like? That's the only thing you need to edit. Also, when adding more than a few lines of source, you can use the "Create a Text Snippet" feature in the lightning menu (left side of text entry field) to make a collapsible code field. Much easier to read.

big-london-74366

08/26/2021, 1:26 AM

@little-cartoon-10569

vpcSecurityIds

line in

rds

is the only thing that I added there. It wasn't there, which is why I had to get the current security group id and add the new one in so that it won't remove the previous config. Noted on the Text Snippet

big-london-74366

08/26/2021, 1:27 AM

This is the generated code

Untitled.js

little-cartoon-10569

08/26/2021, 3:01 AM

Excellent. Edit that. Add vpcSecurityGroupIds to that code.

little-cartoon-10569

08/26/2021, 3:03 AM

Edit the Pulumi generated code.

Untitled.ts

big-london-74366

08/26/2021, 7:22 AM

@little-cartoon-10569 That's what I did (above). But since the RDS already has a security group, I need to get the security group and add it as part of

vpcSecurityGroupIds

rather than just adding the one. Which is also why I imported the existing security group. Is this the 'right' way to do it?

little-cartoon-10569

08/26/2021, 8:06 AM

Sounds good. So you should have 2 security group ids in the array. But still, just in the one place, in the constructor.

big-london-74366

08/26/2021, 8:30 AM

Got it. Thanks for all the info simple smile

48 Views

Open in Slack

Previous Next