Allow full control of security groups for ApplicationListener

[clstokes]

ApplicationListener seems to have two modes when it comes to security groups:

• If external == true, assume control of the associated load balancer's security groups and open up to the entire public internet. This also sets scheme to internet-facing when calling AWS.
• If external == false, assume no control of the associated load balancer's security group and set scheme to internal.

Part of this logic is at

pulumi-awsx/nodejs/awsx/elasticloadbalancingv2/application.ts

Lines 222 to 234 in a8cab4b

	if (args.external !== false) {
	const args = {
	location: new x.ec2.AnyIPv4Location(),
	ports: new x.ec2.TcpPorts(port),
	description: pulumi.interpolate`Externally available at port ${port}`,
	};
	for (let i = 0, n = this.loadBalancer.securityGroups.length; i < n; i++) {
	const securityGroup = this.loadBalancer.securityGroups[i];
	securityGroup.createIngressRule(`${name}-external-${i}-ingress`, args, { parent: this });
	securityGroup.createEgressRule(`${name}-external-${i}-egress`, args, { parent: this });
	}
	}

This does not allow for users to fully control the security groups of their load balancers and forces them to pick one of two options that might not fit their needs.

I suggest that if a security group is provided that it is used without modification. In this scenario, the user should be knowledgable enough to fully control the security group's rules.

Additionally the ApplicationListener modifying the associated load balancer's security groups provides a confusing "misdirection" when trying to understand this behavior. I'd like it if we could separate this somehow so that when a user is working with a ApplicationListener, the scope of what they're working on is clear and constrained.

[ypresto]

It is also problematic because the created security group assumes that a target's port is the same as a listener port, i.e. ingress lb:80 -> egress target:80.

[ypresto]

Additionally the ApplicationListener modifying the associated load balancer's security groups

I actually expect awsx package to hide SecurityGroup as much as possible, like AWS CDK's high-level constructs.
We can some options to disable it or #293 (comment) , or we can use aws package for handcrafting SecurityGroup and etc.

[devgnx]

I need this

[jeanlescure]

I actually expect awsx package to hide SecurityGroup as much as possible

The ethos is fine, but not allowing a way to override is naive and irresponsible, as it narrows the ability to use this library to "happy paths" only since there's no way for you to guess all scenarios your users will try to apply awsx to.

I'm really worried about having picked Pulumi for orchestration for the project my company is working on as we have already invested a lot of time migrating and from what I read there's no workaround to set custom SecurityGroups for our services, which is a must for us.

[PabloJomer]

I need this.