pulumi-cdk
Ref intrinsic for SecurityGroup
Hello!
- Vote on this issue by adding a 👍 reaction
- If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)
Issue details
The docs specify a complex behavior for the Ref intrinsic for this resource:
> When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the ID of the security group if you specified the VpcId property. Otherwise, it returns the name of the security group. If you omit the VpcId property and need the ID of the VPC, use Fn::GetAtt instead.
This seems to bear out in practice.
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: A template to create a security group allowing SSH access.
Resources:
  # PulumiTestVPC:
  #   Type: AWS::EC2::VPC
  #   Properties:
  #     CidrBlock: 10.0.0.0/16
  PulumiTestTestSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow SSH access
      # VpcId:
      #   Ref: PulumiTestVPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0 # Allow SSH from anywhere (use cautiously)
Outputs:
  TestOutput1:
    Value: !Ref PulumiTestTestSecurityGroup
```
Without VpcId I get this:

`AntonStack-AntonTestSecurityGroup-gDbu6UPqIWDL`

With VpcId I get `sg-01e8f63de351adcfb`.
I think in pulumi-cdk emulation of the CF Ref behavior we can default to assuming VpcId is set and returning GroupId for Ref, but leaving this ticket open in the backlog just in case we will need to revisit the "missing VpcId" behavior for completeness.
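
The documented rule and the proposed default side by side, as an added illustration that is not part of the original issue and is not pulumi-cdk code. All type and function names are hypothetical, pairing the two quoted outputs as one group's ID and name is constructed, and treating `Ref: AWS::NoValue` as an omitted `VpcId` is an assumption.

```typescript
// Added illustration; every name here is hypothetical, not pulumi-cdk's API.
type CfnValue = string | { Ref: string } | { "Fn::GetAtt": [string, string] };

interface SecurityGroupResource {
  Type: "AWS::EC2::SecurityGroup";
  Properties: { GroupDescription: string; VpcId?: CfnValue | null };
}

// Physical attributes known once the group exists.
interface SecurityGroupAttrs { groupId: string; groupName: string; }

// VpcId counts as specified unless it is absent, null, or `Ref: AWS::NoValue`
// (assumption: the pseudo parameter that removes a property counts as omitted).
function vpcIdSpecified(res: SecurityGroupResource): boolean {
  const v = res.Properties.VpcId;
  if (v === undefined || v === null) return false;
  if (typeof v === "object" && "Ref" in v && v.Ref === "AWS::NoValue") return false;
  return true;
}

// Ref per the documented rule: group ID when VpcId is specified, name otherwise.
function resolveRef(res: SecurityGroupResource, attrs: SecurityGroupAttrs): string {
  return vpcIdSpecified(res) ? attrs.groupId : attrs.groupName;
}

// The default proposed in the issue: always return the group ID.
function resolveRefAssumingVpc(attrs: SecurityGroupAttrs): string {
  return attrs.groupId;
}

// True when the simplified default differs from the documented behavior.
function defaultDiverges(res: SecurityGroupResource, attrs: SecurityGroupAttrs): boolean {
  return resolveRef(res, attrs) !== resolveRefAssumingVpc(attrs);
}

// Constructed sample: the two outputs quoted in the issue, paired as one group.
const attrs: SecurityGroupAttrs = {
  groupId: "sg-01e8f63de351adcfb",
  groupName: "AntonStack-AntonTestSecurityGroup-gDbu6UPqIWDL",
};
const withoutVpc: SecurityGroupResource = {
  Type: "AWS::EC2::SecurityGroup",
  Properties: { GroupDescription: "Allow SSH access" },
};
const withVpc: SecurityGroupResource = {
  Type: "AWS::EC2::SecurityGroup",
  Properties: { GroupDescription: "Allow SSH access", VpcId: { Ref: "PulumiTestVPC" } },
};
console.log(resolveRef(withoutVpc, attrs), resolveRef(withVpc, attrs), defaultDiverges(withoutVpc, attrs));
```

Only templates that omit `VpcId` make `defaultDiverges` return true, which is the case this ticket keeps open.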