flaky-arm-38472

10/13/2022, 6:35 AM
Hi people. How do you do when you create a Security Group and then a Kubernetes service of type load balancer? The service usually appends some rules to the security group on AWS, therefore the state will change and once we want to run `pulumi up` it will diff from previous state and try to replace the new rules appended by the Kubernetes service. How do you deal with that?
Anyone done this before?

little-cartoon-10569

10/14/2022, 2:58 AM
Yes, it's a pain. I think we had to refresh, preview, note the differences and implement them in code so there's no redeployment (which is a pain, but 100% works). Is there a way to associate multiple SGs? If there is, that would work too, and would probably be better.

salmon-account-74572

10/14/2022, 3:03 AM
I think you may be able to get around this by 1) appropriately tagging the security group with the correct `kubernetes.io/owned` tag (so the cloud provider/LB controller knows it can modify the security group; sounds like this is already working for you), and 2) defining security group rules separate from the security group itself.

flaky-arm-38472

10/14/2022, 7:28 AM
I went for creating the SG and adding independent rules on the object that needs them.