nutritious-battery-42762

04/04/2022, 2:24 PM
I really wanted to have my database in a separate stack but it seems that'll only cause issues

millions-furniture-75402

04/04/2022, 3:09 PM
You can have your database in a separate stack. You probably want to have this stack modify the security rules of the security group declared by the database stack.
```typescript
pulumi
  .all([appSecurityGroup.id, sharedDbSecurityGroupId])
  .apply(async ([appSecurityGroupId, sharedDbSecurityGroupId]) => {
    const sharedDbSecurityGroup = awsx.ec2.SecurityGroup.fromExistingId("shared-db-sg", sharedDbSecurityGroupId, {
      vpc: vpc.vpc,
    });

    awsx.ec2.SecurityGroupRule.ingress(
      `${appName}-db-sg-rule-ingress`,
      sharedDbSecurityGroup,
      {
        sourceSecurityGroupId: appSecurityGroupId,
      },
      new awsx.ec2.TcpPorts(3306),
      `For ${appName}`,
    );
  });
```

little-cartoon-10569

04/04/2022, 9:24 PM
If it makes sense to have the database in a separate stack, then it should be in a separate project. If a resource (e.g. a security group rule) is strongly logically coupled to another resource (e.g. a database), then ideally it would be in the same project and stack. Note that a security group rule might not be strongly logically coupled to its security group, depending on your programs' architecture. A rule just needs a security group ID, which does not always imply a logical coupling.