Hey Pulumi - got a question about AWS Security Groups. If I create a security group with an egress rule that doesn’t contain a

cidrBlock

(screenshot), Pulumi creates an empty security group in AWS without an egress rule. But, in Pulumi’s stack output, it says that the egress rule exists. Even after a refresh the state is not updated. Only when I create an egress (or ingress) rule with a

cidrBlock

does Pulumi function as expected. Any idea why this would be happening?

hey there! I'm not really following here, this seems to be expected behaviour. If you create a security group it should still be created, but you haven't fully populated the rule, so no egress rules apply

This is likely a downside of the embedded-security-rule sugar. What happens if you do the equivalent without the

egress

property and with a

SecurityGroupRule

instead? I think it'll probably fail at compile time. Which is, imo, another good reason to avoid sugar constructs like this and stick with objects that map directly to resources.