SecurityGroup
Provides a security group resource.
NOTE on Security Groups and Security Group Rules: This provider currently provides both a standalone Security Group Rule resource (a single ingress or egress rule), and a Security Group resource with ingress and egress rules defined in-line. At this time you cannot use a Security Group with in-line rules in conjunction with any Security Group Rule resources. Doing so will cause a conflict of rule settings and will overwrite rules.
NOTE: Referencing Security Groups across VPC peering has certain restrictions. More information is available in the VPC Peering User Guide.
NOTE: Due to AWS Lambda improved VPC networking changes that began deploying in September 2019, security groups associated with Lambda Functions can take up to 45 minutes to successfully delete.
Usage with prefix list IDs
Prefix Lists are either managed by AWS internally, or created by the customer using a Prefix List resource. Prefix Lists provided by AWS are associated with a prefix list name, or service name, that is linked to a specific region. Prefix list IDs are exported on VPC Endpoints, so you can use this format:
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
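// Prefix list IDs are exported on VPC Endpoints; this endpoint is the target
// the egress rule below is scoped to.
const myEndpoint = new aws.ec2.VpcEndpoint("myEndpoint", {});
// ... other configuration ...
// Egress limited to the endpoint's prefix list: protocol "-1" with ports 0-0
// allows all protocols and ports, but only toward the endpoint's address ranges
// rather than 0.0.0.0/0.
const example = new aws.ec2.SecurityGroup("example", {egress: [{
    fromPort: 0,
    toPort: 0,
    protocol: "-1",
    prefixListIds: [myEndpoint.prefixListId],
}]});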
import pulumi
import pulumi_aws as aws
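# Prefix list IDs are exported on VPC Endpoints; this endpoint is the target
# the egress rule below is scoped to.
my_endpoint = aws.ec2.VpcEndpoint("myEndpoint")
# ... other configuration ...
# Egress limited to the endpoint's prefix list: protocol "-1" with ports 0-0
# allows all protocols and ports, but only toward the endpoint's address ranges
# rather than 0.0.0.0/0.
example = aws.ec2.SecurityGroup("example", egress=[aws.ec2.SecurityGroupEgressArgs(
    from_port=0,
    to_port=0,
    protocol="-1",
    prefix_list_ids=[my_endpoint.prefix_list_id],
)])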
using Pulumi;
using Aws = Pulumi.Aws;
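class MyStack : Stack
{
    public MyStack()
    {
        // Prefix list IDs are exported on VPC Endpoints; this endpoint is the
        // target the egress rule below is scoped to.
        var myEndpoint = new Aws.Ec2.VpcEndpoint("myEndpoint", new Aws.Ec2.VpcEndpointArgs
        {
        });
        // ... other configuration ...
        // Egress limited to the endpoint's prefix list: protocol "-1" with ports
        // 0-0 allows all protocols and ports, but only toward the endpoint's
        // address ranges rather than 0.0.0.0/0.
        var example = new Aws.Ec2.SecurityGroup("example", new Aws.Ec2.SecurityGroupArgs
        {
            Egress =
            {
                new Aws.Ec2.Inputs.SecurityGroupEgressArgs
                {
                    FromPort = 0,
                    ToPort = 0,
                    Protocol = "-1",
                    PrefixListIds =
                    {
                        myEndpoint.PrefixListId,
                    },
                },
            },
        });
    }
}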
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v3/go/aws/ec2"
"github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Prefix list IDs are exported on VPC Endpoints; this endpoint is the
		// target the egress rule below is scoped to.
		myEndpoint, err := ec2.NewVpcEndpoint(ctx, "myEndpoint", nil)
		if err != nil {
			return err
		}
		// Egress limited to the endpoint's prefix list: protocol "-1" with ports
		// 0-0 allows all protocols and ports, but only toward the endpoint's
		// address ranges rather than 0.0.0.0/0.
		toEndpoint := &ec2.SecurityGroupEgressArgs{
			FromPort: pulumi.Int(0),
			ToPort:   pulumi.Int(0),
			Protocol: pulumi.String("-1"),
			PrefixListIds: pulumi.StringArray{
				myEndpoint.PrefixListId,
			},
		}
		if _, err := ec2.NewSecurityGroup(ctx, "example", &ec2.SecurityGroupArgs{
			Egress: ec2.SecurityGroupEgressArray{toEndpoint},
		}); err != nil {
			return err
		}
		return nil
	})
}
You can also find a specific Prefix List using the aws.getPrefixList data source.
Example Usage
using Pulumi;
using Aws = Pulumi.Aws;
class MyStack : Stack
{
    public MyStack()
    {
        // Inbound: TLS (TCP/443) only, and only from addresses inside the VPC's
        // own CIDR block. `aws_vpc.Main` stands for an existing VPC resource
        // referenced by this stack — presumably defined elsewhere; confirm.
        var tlsFromVpc = new Aws.Ec2.Inputs.SecurityGroupIngressArgs
        {
            Description = "TLS from VPC",
            FromPort = 443,
            ToPort = 443,
            Protocol = "tcp",
            CidrBlocks =
            {
                aws_vpc.Main.Cidr_block,
            },
        };
        // Outbound: all protocols and ports to any IPv4 destination (0.0.0.0/0).
        // Narrow this when the workload's destinations are known.
        var allOutbound = new Aws.Ec2.Inputs.SecurityGroupEgressArgs
        {
            FromPort = 0,
            ToPort = 0,
            Protocol = "-1",
            CidrBlocks =
            {
                "0.0.0.0/0",
            },
        };
        var allowTls = new Aws.Ec2.SecurityGroup("allowTls", new Aws.Ec2.SecurityGroupArgs
        {
            Description = "Allow TLS inbound traffic",
            VpcId = aws_vpc.Main.Id,
            Ingress = { tlsFromVpc },
            Egress = { allOutbound },
            Tags =
            {
                { "Name", "allow_tls" },
            },
        });
    }
}
Coming soon!
import pulumi
import pulumi_aws as aws
# Inbound: TLS (TCP/443) only, and only from addresses inside the VPC's own CIDR
# block. `aws_vpc["main"]` stands for an existing VPC referenced by this program —
# presumably defined elsewhere; confirm.
tls_from_vpc = aws.ec2.SecurityGroupIngressArgs(
    description="TLS from VPC",
    from_port=443,
    to_port=443,
    protocol="tcp",
    cidr_blocks=[aws_vpc["main"]["cidr_block"]],
)
# Outbound: all protocols and ports to any IPv4 destination (0.0.0.0/0).
# Narrow this when the workload's destinations are known.
all_outbound = aws.ec2.SecurityGroupEgressArgs(
    from_port=0,
    to_port=0,
    protocol="-1",
    cidr_blocks=["0.0.0.0/0"],
)
allow_tls = aws.ec2.SecurityGroup(
    "allowTls",
    description="Allow TLS inbound traffic",
    vpc_id=aws_vpc["main"]["id"],
    ingress=[tls_from_vpc],
    egress=[all_outbound],
    tags={"Name": "allow_tls"},
)
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Inbound: TLS (TCP/443) only, and only from addresses inside the VPC's own CIDR
// block. `aws_vpc.main` stands for an existing VPC referenced by this program —
// presumably defined elsewhere; confirm.
const tlsFromVpc = {
    description: "TLS from VPC",
    fromPort: 443,
    toPort: 443,
    protocol: "tcp",
    cidrBlocks: [aws_vpc.main.cidr_block],
};
// Outbound: all protocols and ports to any IPv4 destination (0.0.0.0/0).
// Narrow this when the workload's destinations are known.
const allOutbound = {
    fromPort: 0,
    toPort: 0,
    protocol: "-1",
    cidrBlocks: ["0.0.0.0/0"],
};
const allowTls = new aws.ec2.SecurityGroup("allowTls", {
    description: "Allow TLS inbound traffic",
    vpcId: aws_vpc.main.id,
    ingress: [tlsFromVpc],
    egress: [allOutbound],
    tags: { Name: "allow_tls" },
});
Create a SecurityGroup Resource
new SecurityGroup(name: string, args?: SecurityGroupArgs, opts?: CustomResourceOptions);
def SecurityGroup(resource_name: str, opts: Optional[ResourceOptions] = None, description: Optional[str] = None, egress: Optional[Sequence[SecurityGroupEgressArgs]] = None, ingress: Optional[Sequence[SecurityGroupIngressArgs]] = None, name: Optional[str] = None, name_prefix: Optional[str] = None, revoke_rules_on_delete: Optional[bool] = None, tags: Optional[Mapping[str, str]] = None, vpc_id: Optional[str] = None)
func NewSecurityGroup(ctx *Context, name string, args *SecurityGroupArgs, opts ...ResourceOption) (*SecurityGroup, error)
public SecurityGroup(string name, SecurityGroupArgs? args = null, CustomResourceOptions? opts = null)
- name string
- The unique name of the resource.
- args SecurityGroupArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- opts ResourceOptions
- A bag of options that control this resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args SecurityGroupArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args SecurityGroupArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
SecurityGroup Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.
Inputs
The SecurityGroup resource accepts the following input properties:
- Description string
Description of this egress rule.
- Egress List&lt;SecurityGroupEgressArgs&gt;
Can be specified multiple times for each egress rule. Each egress block supports fields documented below.
- Ingress List&lt;SecurityGroupIngressArgs&gt;
Can be specified multiple times for each ingress rule. Each ingress block supports fields documented below.
- Name string
The name of the security group. If omitted, this provider will assign a random, unique name.
- NamePrefix string
Creates a unique name beginning with the specified prefix. Conflicts with name.
- RevokeRulesOnDelete bool
Instruct this provider to revoke all of the Security Group's attached ingress and egress rules before deleting the security group itself. This is normally not needed; however, certain AWS services such as Elastic Map Reduce may automatically add required rules to security groups used with the service, and those rules may contain a cyclic dependency that prevents the security groups from being destroyed without removing the dependency first. Default false.
- Tags Dictionary&lt;string, string&gt;
A map of tags to assign to the resource.
- VpcId string
The VPC ID.
- Description string
Description of this egress rule.
- Egress []SecurityGroupEgress
Can be specified multiple times for each egress rule. Each egress block supports fields documented below.
- Ingress []SecurityGroupIngress
Can be specified multiple times for each ingress rule. Each ingress block supports fields documented below.
- Name string
The name of the security group. If omitted, this provider will assign a random, unique name.
- NamePrefix string
Creates a unique name beginning with the specified prefix. Conflicts with name.
- RevokeRulesOnDelete bool
Instruct this provider to revoke all of the Security Group's attached ingress and egress rules before deleting the security group itself. This is normally not needed; however, certain AWS services such as Elastic Map Reduce may automatically add required rules to security groups used with the service, and those rules may contain a cyclic dependency that prevents the security groups from being destroyed without removing the dependency first. Default false.
- Tags map[string]string
A map of tags to assign to the resource.
- VpcId string
The VPC ID.
- description string
Description of this egress rule.
- egress SecurityGroupEgress[]
Can be specified multiple times for each egress rule. Each egress block supports fields documented below.
- ingress SecurityGroupIngress[]
Can be specified multiple times for each ingress rule. Each ingress block supports fields documented below.
- name string
The name of the security group. If omitted, this provider will assign a random, unique name.
- namePrefix string
Creates a unique name beginning with the specified prefix. Conflicts with name.
- revokeRulesOnDelete boolean
Instruct this provider to revoke all of the Security Group's attached ingress and egress rules before deleting the security group itself. This is normally not needed; however, certain AWS services such as Elastic Map Reduce may automatically add required rules to security groups used with the service, and those rules may contain a cyclic dependency that prevents the security groups from being destroyed without removing the dependency first. Default false.
- tags {[key: string]: string}
A map of tags to assign to the resource.
- vpcId string
The VPC ID.
- description str
Description of this egress rule.
- egress Sequence[SecurityGroupEgressArgs]
Can be specified multiple times for each egress rule. Each egress block supports fields documented below.
- ingress Sequence[SecurityGroupIngressArgs]
Can be specified multiple times for each ingress rule. Each ingress block supports fields documented below.
- name str
The name of the security group. If omitted, this provider will assign a random, unique name.
- name_prefix str
Creates a unique name beginning with the specified prefix. Conflicts with name.
- revoke_rules_on_delete bool
Instruct this provider to revoke all of the Security Group's attached ingress and egress rules before deleting the security group itself. This is normally not needed; however, certain AWS services such as Elastic Map Reduce may automatically add required rules to security groups used with the service, and those rules may contain a cyclic dependency that prevents the security groups from being destroyed without removing the dependency first. Default false.
- tags Mapping[str, str]
A map of tags to assign to the resource.
- vpc_id str
The VPC ID.
Outputs
All input properties are implicitly available as output properties. Additionally, the SecurityGroup resource produces the following output properties:
Look up an Existing SecurityGroup Resource
Get an existing SecurityGroup resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: SecurityGroupState, opts?: CustomResourceOptions): SecurityGroup
@staticmethod
def get(resource_name: str, id: str, opts: Optional[ResourceOptions] = None, arn: Optional[str] = None, description: Optional[str] = None, egress: Optional[Sequence[SecurityGroupEgressArgs]] = None, ingress: Optional[Sequence[SecurityGroupIngressArgs]] = None, name: Optional[str] = None, name_prefix: Optional[str] = None, owner_id: Optional[str] = None, revoke_rules_on_delete: Optional[bool] = None, tags: Optional[Mapping[str, str]] = None, vpc_id: Optional[str] = None) -> SecurityGroup
func GetSecurityGroup(ctx *Context, name string, id IDInput, state *SecurityGroupState, opts ...ResourceOption) (*SecurityGroup, error)
public static SecurityGroup Get(string name, Input<string> id, SecurityGroupState? state, CustomResourceOptions? opts = null)
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
The following state arguments are supported:
- Arn string
The ARN of the security group.
- Description string
Description of this egress rule.
- Egress List&lt;SecurityGroupEgressArgs&gt;
Can be specified multiple times for each egress rule. Each egress block supports fields documented below.
- Ingress List&lt;SecurityGroupIngressArgs&gt;
Can be specified multiple times for each ingress rule. Each ingress block supports fields documented below.
- Name string
The name of the security group. If omitted, this provider will assign a random, unique name.
- NamePrefix string
Creates a unique name beginning with the specified prefix. Conflicts with name.
- OwnerId string
The owner ID.
- RevokeRulesOnDelete bool
Instruct this provider to revoke all of the Security Group's attached ingress and egress rules before deleting the security group itself. This is normally not needed; however, certain AWS services such as Elastic Map Reduce may automatically add required rules to security groups used with the service, and those rules may contain a cyclic dependency that prevents the security groups from being destroyed without removing the dependency first. Default false.
- Tags Dictionary&lt;string, string&gt;
A map of tags to assign to the resource.
- VpcId string
The VPC ID.
- Arn string
The ARN of the security group.
- Description string
Description of this egress rule.
- Egress []SecurityGroupEgress
Can be specified multiple times for each egress rule. Each egress block supports fields documented below.
- Ingress []SecurityGroupIngress
Can be specified multiple times for each ingress rule. Each ingress block supports fields documented below.
- Name string
The name of the security group. If omitted, this provider will assign a random, unique name.
- NamePrefix string
Creates a unique name beginning with the specified prefix. Conflicts with name.
- OwnerId string
The owner ID.
- RevokeRulesOnDelete bool
Instruct this provider to revoke all of the Security Group's attached ingress and egress rules before deleting the security group itself. This is normally not needed; however, certain AWS services such as Elastic Map Reduce may automatically add required rules to security groups used with the service, and those rules may contain a cyclic dependency that prevents the security groups from being destroyed without removing the dependency first. Default false.
- Tags map[string]string
A map of tags to assign to the resource.
- VpcId string
The VPC ID.
- arn string
The ARN of the security group.
- description string
Description of this egress rule.
- egress SecurityGroupEgress[]
Can be specified multiple times for each egress rule. Each egress block supports fields documented below.
- ingress SecurityGroupIngress[]
Can be specified multiple times for each ingress rule. Each ingress block supports fields documented below.
- name string
The name of the security group. If omitted, this provider will assign a random, unique name.
- namePrefix string
Creates a unique name beginning with the specified prefix. Conflicts with name.
- ownerId string
The owner ID.
- revokeRulesOnDelete boolean
Instruct this provider to revoke all of the Security Group's attached ingress and egress rules before deleting the security group itself. This is normally not needed; however, certain AWS services such as Elastic Map Reduce may automatically add required rules to security groups used with the service, and those rules may contain a cyclic dependency that prevents the security groups from being destroyed without removing the dependency first. Default false.
- tags {[key: string]: string}
A map of tags to assign to the resource.
- vpcId string
The VPC ID.
- arn str
The ARN of the security group.
- description str
Description of this egress rule.
- egress Sequence[SecurityGroupEgressArgs]
Can be specified multiple times for each egress rule. Each egress block supports fields documented below.
- ingress Sequence[SecurityGroupIngressArgs]
Can be specified multiple times for each ingress rule. Each ingress block supports fields documented below.
- name str
The name of the security group. If omitted, this provider will assign a random, unique name.
- name_prefix str
Creates a unique name beginning with the specified prefix. Conflicts with name.
- owner_id str
The owner ID.
- revoke_rules_on_delete bool
Instruct this provider to revoke all of the Security Group's attached ingress and egress rules before deleting the security group itself. This is normally not needed; however, certain AWS services such as Elastic Map Reduce may automatically add required rules to security groups used with the service, and those rules may contain a cyclic dependency that prevents the security groups from being destroyed without removing the dependency first. Default false.
- tags Mapping[str, str]
A map of tags to assign to the resource.
- vpc_id str
The VPC ID.
Supporting Types
SecurityGroupEgress
- FromPort int
The start port (or ICMP type number if protocol is “icmp”).
- Protocol string
- ToPort int
The end range port (or ICMP code if protocol is “icmp”).
- CidrBlocks List&lt;string&gt;
List of CIDR blocks.
- Description string
Description of this egress rule.
- Ipv6CidrBlocks List&lt;string&gt;
List of IPv6 CIDR blocks.
- PrefixListIds List&lt;string&gt;
List of Prefix List IDs.
- SecurityGroups List&lt;string&gt;
List of security group Group Names if using EC2-Classic, or Group IDs if using a VPC.
- Self bool
If true, the security group itself will be added as a source to this egress rule.
- FromPort int
The start port (or ICMP type number if protocol is “icmp”).
- Protocol string
- ToPort int
The end range port (or ICMP code if protocol is “icmp”).
- CidrBlocks []string
List of CIDR blocks.
- Description string
Description of this egress rule.
- Ipv6CidrBlocks []string
List of IPv6 CIDR blocks.
- PrefixListIds []string
List of Prefix List IDs.
- SecurityGroups []string
List of security group Group Names if using EC2-Classic, or Group IDs if using a VPC.
- Self bool
If true, the security group itself will be added as a source to this egress rule.
- fromPort number
The start port (or ICMP type number if protocol is “icmp”).
- protocol string
- toPort number
The end range port (or ICMP code if protocol is “icmp”).
- cidrBlocks string[]
List of CIDR blocks.
- description string
Description of this egress rule.
- ipv6CidrBlocks string[]
List of IPv6 CIDR blocks.
- prefixListIds string[]
List of Prefix List IDs.
- securityGroups string[]
List of security group Group Names if using EC2-Classic, or Group IDs if using a VPC.
- self boolean
If true, the security group itself will be added as a source to this egress rule.
- from_port int
The start port (or ICMP type number if protocol is “icmp”).
- protocol str
- to_port int
The end range port (or ICMP code if protocol is “icmp”).
- cidr_blocks Sequence[str]
List of CIDR blocks.
- description str
Description of this egress rule.
- ipv6_cidr_blocks Sequence[str]
List of IPv6 CIDR blocks.
- prefix_list_ids Sequence[str]
List of Prefix List IDs.
- security_groups Sequence[str]
List of security group Group Names if using EC2-Classic, or Group IDs if using a VPC.
- self bool
If true, the security group itself will be added as a source to this egress rule.
SecurityGroupIngress
- FromPort int
The start port (or ICMP type number if protocol is “icmp”).
- Protocol string
- ToPort int
The end range port (or ICMP code if protocol is “icmp”).
- CidrBlocks List&lt;string&gt;
List of CIDR blocks.
- Description string
Description of this ingress rule.
- Ipv6CidrBlocks List&lt;string&gt;
List of IPv6 CIDR blocks.
- PrefixListIds List&lt;string&gt;
List of Prefix List IDs.
- SecurityGroups List&lt;string&gt;
List of security group Group Names if using EC2-Classic, or Group IDs if using a VPC.
- Self bool
If true, the security group itself will be added as a source to this ingress rule.
- FromPort int
The start port (or ICMP type number if protocol is “icmp”).
- Protocol string
- ToPort int
The end range port (or ICMP code if protocol is “icmp”).
- CidrBlocks []string
List of CIDR blocks.
- Description string
Description of this ingress rule.
- Ipv6CidrBlocks []string
List of IPv6 CIDR blocks.
- PrefixListIds []string
List of Prefix List IDs.
- SecurityGroups []string
List of security group Group Names if using EC2-Classic, or Group IDs if using a VPC.
- Self bool
If true, the security group itself will be added as a source to this ingress rule.
- fromPort number
The start port (or ICMP type number if protocol is “icmp”).
- protocol string
- toPort number
The end range port (or ICMP code if protocol is “icmp”).
- cidrBlocks string[]
List of CIDR blocks.
- description string
Description of this ingress rule.
- ipv6CidrBlocks string[]
List of IPv6 CIDR blocks.
- prefixListIds string[]
List of Prefix List IDs.
- securityGroups string[]
List of security group Group Names if using EC2-Classic, or Group IDs if using a VPC.
- self boolean
If true, the security group itself will be added as a source to this ingress rule.
- from_port int
The start port (or ICMP type number if protocol is “icmp”).
- protocol str
- to_port int
The end range port (or ICMP code if protocol is “icmp”).
- cidr_blocks Sequence[str]
List of CIDR blocks.
- description str
Description of this ingress rule.
- ipv6_cidr_blocks Sequence[str]
List of IPv6 CIDR blocks.
- prefix_list_ids Sequence[str]
List of Prefix List IDs.
- security_groups Sequence[str]
List of security group Group Names if using EC2-Classic, or Group IDs if using a VPC.
- self bool
If true, the security group itself will be added as a source to this ingress rule.
Import
Security Groups can be imported using the security group id, e.g.
$ pulumi import aws:ec2/securityGroup:SecurityGroup elb_sg sg-903004f8
Package Details
- Repository
- https://github.com/pulumi/pulumi-aws
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the aws Terraform Provider.