No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Yes, it's a pain. I think we had to refresh, preview, note the differences and implement them in code so there's no redeployment (which is a pain, but 100% works). Is there a way to associate multiple SGs? If there is, that would work too, and would probably be better.

I _think_ you may be able to get around this by 1) appropriately tagging the security group with the correct `<http://kubernetes.io/owned|kubernetes.io/owned>` tag (so the cloud provider/LB controller knows it can modify the security group; sounds like this is already working for you), and 2) defining security group rules separate from the security group itself.

I went for creating the Sg and adding independent rules on the object that needs them.