Hi people. How do you do when you create a Security Group and then a Kubernetes service of type load balancer?. The service usually appends some rules to the security group on AWS therefore the state will change and once we want to run

pulumi up

it will diff from previous state and try to replace the new rules appended by the kubernetes service. How do you deal with that?

Yes, it's a pain. I think we had to refresh, preview, note the differences and implement them in code so there's no redeployment (which is a pain, but 100% works). Is there a way to associate multiple SGs? If there is, that would work too, and would probably be better.

I think you may be able to get around this by 1) appropriately tagging the security group with the correct

<http://kubernetes.io/owned|kubernetes.io/owned>

tag (so the cloud provider/LB controller knows it can modify the security group; sounds like this is already working for you), and 2) defining security group rules separate from the security group itself.

I went for creating the Sg and adding independent rules on the object that needs them.