Ref intrinsic for SecurityGroup #240

t0yv0 opened this issue Nov 21, 2024 · 0 comments
Labels
kind/enhancement Improvements or new features

t0yv0 commented Nov 21, 2024

Hello!

  • Vote on this issue by adding a 👍 reaction
  • If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

The docs specify a complex behavior for the Ref intrinsic for this resource:

> When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the ID of the security group if you specified the VpcId property. Otherwise, it returns the name of the security group. If you omit the VpcId property and need the ID of the VPC, use Fn::GetAtt instead.

This seems to bear out in practice.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: A template to create a security group allowing SSH access.

Resources:

  # PulumiTestVPC:
  #   Type: AWS::EC2::VPC
  #   Properties:
  #     CidrBlock: 10.0.0.0/16

  PulumiTestTestSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow SSH access
      # VpcId:
      #   Ref: PulumiTestVPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0  # Allow SSH from anywhere (use cautiously)

Outputs:
  TestOutput1:
    Value: !Ref PulumiTestTestSecurityGroup
```

Without VpcId I get this:

AntonStack-AntonTestSecurityGroup-gDbu6UPqIWDL

With VpcId I get sg-01e8f63de351adcfb:

I think in pulumi-cdk emulation of the CF Ref behavior we can default to assuming VpcId is set and returning GroupId for Ref, but leaving this ticket open in the backlog just in case we will need to revisit the "missing VpcId" behavior for completeness.

Affected area/feature

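The check below is an added example, not code from this issue or from pulumi-cdk: it walks a CloudFormation template in JSON form and lists the security groups whose `Ref` resolves to a group name rather than a group ID, which are the cases where a "Ref returns GroupId" default would diverge from CloudFormation. All type and function names are hypothetical, and the sample template is constructed from the one in the issue.

```typescript
// Added example: hypothetical helper names, not pulumi-cdk's API.
interface CfnResource { Type: string; Properties?: { [key: string]: unknown } }
interface CfnTemplate {
  Resources: { [logicalId: string]: CfnResource };
  Outputs?: { [name: string]: unknown };
}

// What Ref yields for AWS::EC2::SecurityGroup, per the docs quoted in the issue:
// the group ID when VpcId is specified, otherwise the group name.
function securityGroupRefKind(res: CfnResource): "GroupId" | "GroupName" {
  const props = res.Properties || {};
  return props["VpcId"] !== undefined ? "GroupId" : "GroupName";
}

// Collect every logical ID used as {"Ref": "<id>"} anywhere under node.
function collectRefs(node: unknown, out: string[]): string[] {
  if (Array.isArray(node)) {
    for (const item of node) collectRefs(item, out);
  } else if (node !== null && typeof node === "object") {
    const obj = node as { [key: string]: unknown };
    const keys = Object.keys(obj);
    const target = obj["Ref"];
    if (keys.length === 1 && typeof target === "string") out.push(target);
    else for (const k of keys) collectRefs(obj[k], out);
  }
  return out;
}

// Referenced security groups whose Ref is a name, not an ID.
function refsResolvingToGroupName(t: CfnTemplate): string[] {
  const flagged: string[] = [];
  for (const id of collectRefs([t.Resources, t.Outputs || {}], [])) {
    const res = t.Resources[id];
    if (res === undefined || res.Type !== "AWS::EC2::SecurityGroup") continue;
    if (securityGroupRefKind(res) === "GroupName" && flagged.indexOf(id) < 0) flagged.push(id);
  }
  return flagged;
}

// Constructed sample: the issue's template in JSON form, without or with VpcId.
function sampleTemplate(withVpc: boolean): CfnTemplate {
  const sgProps: { [key: string]: unknown } = { GroupDescription: "Allow SSH access" };
  if (withVpc) sgProps["VpcId"] = { Ref: "PulumiTestVPC" };
  return {
    Resources: {
      PulumiTestVPC: { Type: "AWS::EC2::VPC", Properties: { CidrBlock: "10.0.0.0/16" } },
      PulumiTestTestSecurityGroup: { Type: "AWS::EC2::SecurityGroup", Properties: sgProps },
    },
    Outputs: { TestOutput1: { Value: { Ref: "PulumiTestTestSecurityGroup" } } },
  };
}
```

The check only looks at whether the `VpcId` key is present, and it assumes short-form tags such as `!Ref` have already been expanded to `{"Ref": ...}` by the template parser.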