I think this is a tricky question to answer and will do my best to answer it.
pulumi allows you to create security groups that contain, ingress & engress.
The way I solved this problem was to use DefaultSecurityGroup which I think is different from the generic SecurityGroup class.
Remember that when setting security groups, they are attached to vpcs & are quite different from route tables.
One can consider Security groups as bouncers outside a club, they dictate whether or not you are allowed entry to begin with. After that, which room you can go into, is really what the route tables can allow.
Having said that, there are 2 SG that are set to begin with, TCP ingress to 80 & 22 for my public subnet then connecting my instance from public to private RDS.
security_group = DefaultSecurityGroup(
"security-group",
vpc_id = vpc.id,
egress = [
SecurityGroupEgressArgs(
from_port = 0,
to_port = 0,
protocol = "-1",
cidr_blocks = ["0.0.0.0/0"],
)
],
ingress = [
SecurityGroupIngressArgs(
from_port = 80,
to_port = 80,
protocol = "tcp",
cidr_blocks = ["0.0.0.0/0"],
),
SecurityGroupIngressArgs(
from_port = 22,
to_port = 22,
protocol = "tcp",
cidr_blocks = ["0.0.0.0/0"],
),
SecurityGroupIngressArgs(
from_port = 5432,
to_port = 5432,
protocol = "tcp",
cidr_blocks = ["173.0.0.0/24"],
),
],
tags= {
"Name": "ec2-sg"
}
)
for my postgres connection
173.0.0.0/24
is the cidr of my public subnet.
This means that my postgres is not public and can only be connected from my public subnet.
I am yet to use generic security groups which Im sure you can use as an auxiliary to the default but for now, Im happy with just the default.
There is a lot of confusion as to what is the point of having rds.SecurityGroup
I do think that pulumi should clarify said documentation. My work around is to really deal with my rds as the instance that it really is; to allow traffic access to it like any other instance.
Hope that helps & welcome questions/comments
