Hey Pulumi - got a question about AWS Security Gro...
# aws
q
Hey Pulumi - got a question about AWS Security Groups. If I create a security group with an egress rule that doesn’t contain a `cidrBlock` (screenshot), Pulumi creates an empty security group in AWS without an egress rule. But, in Pulumi’s stack output, it says that the egress rule exists. Even after a refresh the state is not updated. Only when I create an egress (or ingress) rule with a `cidrBlock` does Pulumi function as expected. Any idea why this would be happening?
b
hey there! I'm not really following here, this seems to be expected behaviour. If you create a security group it should still be created, but you haven't fully populated the rule, so no egress rules apply
l
This is likely a downside of the embedded-security-rule sugar. What happens if you do the equivalent without the `egress` property and with a `SecurityGroupRule` instead? I think it'll probably fail at compile time. Which is, imo, another good reason to avoid sugar constructs like this and stick with objects that map directly to resources.