aws-cdk: invoking add_ingress_rule() on an imported security group throws AttributeError: 'Resource' object has no attribute 'add_ingress_rule'

After upgrading CDK to v1.16.x and jsii to 0.20.3 today, add_ingress_rule() suddenly started throwing the below error when trying to add an inbound rule to an imported security group.

AttributeError: ‘Resource’ object has no attribute ‘add_ingress_rule’

Reproduction Steps

self._lambda_security_group = ec2.SecurityGroup.from_security_group_id(
    self,
    'sg1',
    security_group_id='sg-xxxx'
)

self._lambda_security_group.add_ingress_rule(
    ec2.Peer().prefix_list('sg-xxxx'),
    ec2.Port.tcp(443),
    description="Sample Ingress rule"
)

Error Log

Traceback (most recent call last):
  File "app.py", line 30, in <module>
    env=core.Environment(account=ES_DOMAIN_ARN.split(":")[4], region=ES_DOMAIN_ARN.split(":")[3])
  File "/Users/aravraje/aws-solutions/aws-es-recommended-cw-alarms/.env/lib/python3.7/site-packages/jsii/_runtime.py", line 66, in __call__
    inst = super().__call__(*args, **kwargs)
  File "/Users/aravraje/aws-solutions/aws-es-recommended-cw-alarms/aws_es_recommended_cw_alarms/aws_es_recommended_cw_alarms_stack.py", line 23, in __init__
    self, "aws-es-cw-alarms", domain_arn, aws_cli_profile, cw_trigger_sns_arn_list, enable_es_api_output, es_api_output_sns_arn
  File "/Users/aravraje/aws-solutions/aws-es-recommended-cw-alarms/.env/lib/python3.7/site-packages/jsii/_runtime.py", line 66, in __call__
    inst = super().__call__(*args, **kwargs)
  File "/Users/aravraje/aws-solutions/aws-es-recommended-cw-alarms/aws_es_recommended_cw_alarms/aws_es_cw_alarms.py", line 220, in __init__
    self._lambda_security_group.add_ingress_rule(
AttributeError: 'Resource' object has no attribute 'add_ingress_rule'

Environment

• CLI Version : 1.16.1 (build 9a5a761)
• Framework Version:
• OS : macOS Sierra
• Language : Python

Other

---

This is 🐛 Bug Report