No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

As I understand it, an `up` changes an actual state into a desired  in as close to a single action as is feasible. If I were to attempt what you're describing, I'd look at calling pulumi twice: first create the permissive SG and instance, then change the project to reflect the real desired state.

It would be easy to write a program that calls out to pulumi twice, but I probably would prefer not to, since then I'd need two projects with contradictory desired states. `up`ping one would effectively damage the other.

Is it feasible to build your instance image so that it starts off in its updated state, before it is brought up? You can use image bulider to build the right image, and make your instance dependent on the built image.

Maybe that would allow you to never have a permissive security group?