No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

You can have your database in a separate stack.

You probably want to have this stack modify the security rules of the security group declared by the database stack.

```pulumi
  .all([appSecurityGroup.id, sharedDbSecurityGroupId])
  .apply(async ([appSecurityGroupId, sharedDbSecurityGroupId]) =&gt; {
    const sharedDbSecurityGroup = awsx.ec2.SecurityGroup.fromExistingId("shared-db-sg", sharedDbSecurityGroupId, {
      vpc: vpc.vpc,
    });

    awsx.ec2.SecurityGroupRule.ingress(
      `${appName}-db-sg-rule-ingress`,
      sharedDbSecurityGroup,
      {
        sourceSecurityGroupId: appSecurityGroupId,
      },
      new awsx.ec2.TcpPorts(3306),
      `For ${appName}`,
    );
  });```

If it makes sense to have the database in a separate stack, then it should be in a separate project. If a resource ( e.g. a security group rule) is strongly logically coupled to another resource (e.g. a database), then ideally it would be in the same project and stack. Note that a security group rule might not be strongly logically coupled to its security group, depending on your programs' architecture. A rule just need a security group ID, which does not always imply a logical coupling.