No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

What's the best way to determine _why_ Pulumi (via `pulumi preview`) is saying a resource must be replaced?

Sometimes I run a `pulumi up` select `details` when it asks me “Do you want to perform this update?” to help figure that out

if that doesn’t help I’ve ran these commands in the past that were helpful:
```pulumi preview --logtostderr -v=9 2&gt; out.txt

grep replaces= out.txt```
It’s super verbose but it might help you determine what’s going on

OK, so it looks like the replacement of the EC2 instance is somehow related to the security group assigned to the instance (which is not changing or being modified in any way).

Is this a known behavior, or is there something I'm doing wrong here?

Are you using the `securityGroups` argument to specify your security groups?

If so, you should use `vpcSecurityGroupIds` instead.

`securityGroups` is a "legacy" AWS argument from the EC2-Classic days before they had VPC support. It's an immutable property of EC2 instances. Whereas `vpcSecurityGroupIds` allows changes.

Ah, I see! Thanks for the clarification. I will update my code accordingly!

We have an open issue to deprecate `securityGroups`, fwiw.