SecurityGroup

Provides a security group resource.

NOTE on Security Groups and Security Group Rules: This provider currently provides both a standalone Security Group Rule resource (a single ingress or egress rule), and a Security Group resource with ingress and egress rules defined in-line. At this time you cannot use a Security Group with in-line rules in conjunction with any Security Group Rule resources. Doing so will cause a conflict of rule settings and will overwrite rules.

NOTE: Referencing Security Groups across VPC peering has certain restrictions. More information is available in the VPC Peering User Guide.

NOTE: Due to AWS Lambda improved VPC networking changes that began deploying in September 2019, security groups associated with Lambda Functions can take up to 45 minutes to successfully delete.

Usage with prefix list IDs

Prefix list IDs are managed by AWS internally. Prefix list IDs are associated with a prefix list name, or service name, that is linked to a specific region. Prefix list IDs are exported on VPC Endpoints, so you can use this format:

TypeScript

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// ...
const myEndpoint = new aws.ec2.VpcEndpoint("my_endpoint", {});

Python

import pulumi
import pulumi_aws as aws

# ...
my_endpoint = aws.ec2.VpcEndpoint("myEndpoint")

C#

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        // ...
        var myEndpoint = new Aws.Ec2.VpcEndpoint("myEndpoint", new Aws.Ec2.VpcEndpointArgs
        {
        });
    }
}

Go

package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v2/go/aws/ec2"
	"github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := ec2.NewVpcEndpoint(ctx, "myEndpoint", nil)
		if err != nil {
			return err
		}
		return nil
	})
}

Create a SecurityGroup Resource

TypeScript

name string
The unique name of the resource.
args SecurityGroupArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.

Python

def SecurityGroup(resource_name, opts=None, description=None, egress=None, ingress=None, name=None, name_prefix=None, revoke_rules_on_delete=None, tags=None, vpc_id=None, __props__=None);

resource_name str
The unique name of the resource.
opts ResourceOptions
A bag of options that control this resource's behavior.

Go

ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args SecurityGroupArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.

C#

public SecurityGroup(string name, SecurityGroupArgs? args = null, CustomResourceOptions? opts = null)

name string
The unique name of the resource.
args SecurityGroupArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.

SecurityGroup Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.

Inputs

The SecurityGroup resource accepts the following input properties:

C#

Description string

Description of this security group.

Egress List<SecurityGroupEgressArgs>

Can be specified multiple times for each egress rule. Each egress block supports fields documented below.

Ingress List<SecurityGroupIngressArgs>

Can be specified multiple times for each ingress rule. Each ingress block supports fields documented below.

Name string

The name of the security group. If omitted, this provider will assign a random, unique name.

NamePrefix string

Creates a unique name beginning with the specified prefix. Conflicts with name.

RevokeRulesOnDelete bool

Instructs this provider to revoke all of the security group's attached ingress and egress rules before deleting the security group itself. This is normally not needed; however, certain AWS services such as Elastic MapReduce may automatically add required rules to security groups used with the service, and those rules may contain a cyclic dependency that prevents the security groups from being destroyed without removing the dependency first. Defaults to false.

Tags Dictionary<string, string>

A map of tags to assign to the resource.

VpcId string

The VPC ID.

Go

Description string

Description of this security group.

Egress []SecurityGroupEgress

Can be specified multiple times for each egress rule. Each egress block supports fields documented below.

Ingress []SecurityGroupIngress

Can be specified multiple times for each ingress rule. Each ingress block supports fields documented below.

Name string

The name of the security group. If omitted, this provider will assign a random, unique name.

NamePrefix string

Creates a unique name beginning with the specified prefix. Conflicts with name.

RevokeRulesOnDelete bool

Instructs this provider to revoke all of the security group's attached ingress and egress rules before deleting the security group itself. This is normally not needed; however, certain AWS services such as Elastic MapReduce may automatically add required rules to security groups used with the service, and those rules may contain a cyclic dependency that prevents the security groups from being destroyed without removing the dependency first. Defaults to false.

Tags map[string]string

A map of tags to assign to the resource.

VpcId string

The VPC ID.

TypeScript

description string

Description of this security group.

egress SecurityGroupEgress[]

Can be specified multiple times for each egress rule. Each egress block supports fields documented below.

ingress SecurityGroupIngress[]

Can be specified multiple times for each ingress rule. Each ingress block supports fields documented below.

name string

The name of the security group. If omitted, this provider will assign a random, unique name.

namePrefix string

Creates a unique name beginning with the specified prefix. Conflicts with name.

revokeRulesOnDelete boolean

Instructs this provider to revoke all of the security group's attached ingress and egress rules before deleting the security group itself. This is normally not needed; however, certain AWS services such as Elastic MapReduce may automatically add required rules to security groups used with the service, and those rules may contain a cyclic dependency that prevents the security groups from being destroyed without removing the dependency first. Defaults to false.

tags {[key: string]: string}

A map of tags to assign to the resource.

vpcId string

The VPC ID.

Python

description str

Description of this security group.

egress List[SecurityGroupEgress]

Can be specified multiple times for each egress rule. Each egress block supports fields documented below.

ingress List[SecurityGroupIngress]

Can be specified multiple times for each ingress rule. Each ingress block supports fields documented below.

name str

The name of the security group. If omitted, this provider will assign a random, unique name.

name_prefix str

Creates a unique name beginning with the specified prefix. Conflicts with name.

revoke_rules_on_delete bool

Instructs this provider to revoke all of the security group's attached ingress and egress rules before deleting the security group itself. This is normally not needed; however, certain AWS services such as Elastic MapReduce may automatically add required rules to security groups used with the service, and those rules may contain a cyclic dependency that prevents the security groups from being destroyed without removing the dependency first. Defaults to false.

tags Dict[str, str]

A map of tags to assign to the resource.

vpc_id str

The VPC ID.

Outputs

All input properties are implicitly available as output properties. Additionally, the SecurityGroup resource produces the following output properties:

C#

Arn string

The ARN of the security group.

Id string

The provider-assigned unique ID for this managed resource.

OwnerId string

The owner ID.

Go

Arn string

The ARN of the security group.

Id string

The provider-assigned unique ID for this managed resource.

OwnerId string

The owner ID.

TypeScript

arn string

The ARN of the security group.

id string

The provider-assigned unique ID for this managed resource.

ownerId string

The owner ID.

Python

arn str

The ARN of the security group.

id str

The provider-assigned unique ID for this managed resource.

owner_id str

The owner ID.

Look up an Existing SecurityGroup Resource

Get an existing SecurityGroup resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

TypeScript

public static get(name: string, id: Input<ID>, state?: SecurityGroupState, opts?: CustomResourceOptions): SecurityGroup

name
The unique name of the resulting resource.
id
The unique provider ID of the resource to look up.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.

Python

static get(resource_name, id, opts=None, arn=None, description=None, egress=None, ingress=None, name=None, name_prefix=None, owner_id=None, revoke_rules_on_delete=None, tags=None, vpc_id=None, __props__=None);

resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to look up.

Go

func GetSecurityGroup(ctx *Context, name string, id IDInput, state *SecurityGroupState, opts ...ResourceOption) (*SecurityGroup, error)

name
The unique name of the resulting resource.
id
The unique provider ID of the resource to look up.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.

C#

public static SecurityGroup Get(string name, Input<string> id, SecurityGroupState? state, CustomResourceOptions? opts = null)

name
The unique name of the resulting resource.
id
The unique provider ID of the resource to look up.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.

The following state arguments are supported:

C#

Arn string

The ARN of the security group.

Description string

Description of this security group.

Egress List<SecurityGroupEgressArgs>

Can be specified multiple times for each egress rule. Each egress block supports fields documented below.

Ingress List<SecurityGroupIngressArgs>

Can be specified multiple times for each ingress rule. Each ingress block supports fields documented below.

Name string

The name of the security group. If omitted, this provider will assign a random, unique name.

NamePrefix string

Creates a unique name beginning with the specified prefix. Conflicts with name.

OwnerId string

The owner ID.

RevokeRulesOnDelete bool

Instructs this provider to revoke all of the security group's attached ingress and egress rules before deleting the security group itself. This is normally not needed; however, certain AWS services such as Elastic MapReduce may automatically add required rules to security groups used with the service, and those rules may contain a cyclic dependency that prevents the security groups from being destroyed without removing the dependency first. Defaults to false.

Tags Dictionary<string, string>

A map of tags to assign to the resource.

VpcId string

The VPC ID.

Go

Arn string

The ARN of the security group.

Description string

Description of this security group.

Egress []SecurityGroupEgress

Can be specified multiple times for each egress rule. Each egress block supports fields documented below.

Ingress []SecurityGroupIngress

Can be specified multiple times for each ingress rule. Each ingress block supports fields documented below.

Name string

The name of the security group. If omitted, this provider will assign a random, unique name.

NamePrefix string

Creates a unique name beginning with the specified prefix. Conflicts with name.

OwnerId string

The owner ID.

RevokeRulesOnDelete bool

Instructs this provider to revoke all of the security group's attached ingress and egress rules before deleting the security group itself. This is normally not needed; however, certain AWS services such as Elastic MapReduce may automatically add required rules to security groups used with the service, and those rules may contain a cyclic dependency that prevents the security groups from being destroyed without removing the dependency first. Defaults to false.

Tags map[string]string

A map of tags to assign to the resource.

VpcId string

The VPC ID.

TypeScript

arn string

The ARN of the security group.

description string

Description of this security group.

egress SecurityGroupEgress[]

Can be specified multiple times for each egress rule. Each egress block supports fields documented below.

ingress SecurityGroupIngress[]

Can be specified multiple times for each ingress rule. Each ingress block supports fields documented below.

name string

The name of the security group. If omitted, this provider will assign a random, unique name.

namePrefix string

Creates a unique name beginning with the specified prefix. Conflicts with name.

ownerId string

The owner ID.

revokeRulesOnDelete boolean

Instructs this provider to revoke all of the security group's attached ingress and egress rules before deleting the security group itself. This is normally not needed; however, certain AWS services such as Elastic MapReduce may automatically add required rules to security groups used with the service, and those rules may contain a cyclic dependency that prevents the security groups from being destroyed without removing the dependency first. Defaults to false.

tags {[key: string]: string}

A map of tags to assign to the resource.

vpcId string

The VPC ID.

Python

arn str

The ARN of the security group.

description str

Description of this security group.

egress List[SecurityGroupEgress]

Can be specified multiple times for each egress rule. Each egress block supports fields documented below.

ingress List[SecurityGroupIngress]

Can be specified multiple times for each ingress rule. Each ingress block supports fields documented below.

name str

The name of the security group. If omitted, this provider will assign a random, unique name.

name_prefix str

Creates a unique name beginning with the specified prefix. Conflicts with name.

owner_id str

The owner ID.

revoke_rules_on_delete bool

Instructs this provider to revoke all of the security group's attached ingress and egress rules before deleting the security group itself. This is normally not needed; however, certain AWS services such as Elastic MapReduce may automatically add required rules to security groups used with the service, and those rules may contain a cyclic dependency that prevents the security groups from being destroyed without removing the dependency first. Defaults to false.

tags Dict[str, str]

A map of tags to assign to the resource.

vpc_id str

The VPC ID.

Supporting Types

SecurityGroupEgress

See the input and output API doc for this type.

C#

FromPort int

The start port (or ICMP type number if protocol is "icmp").

Protocol string

The protocol. If you select a protocol of "-1" (semantically equivalent to "all", which is not a valid value here), you must specify a "from_port" and "to_port" equal to 0. If not icmp, tcp, udp, or "-1", use the protocol number.

ToPort int

The end range port (or ICMP code if protocol is "icmp").

CidrBlocks List<string>

List of CIDR blocks.

Description string

Description of this egress rule.

Ipv6CidrBlocks List<string>

List of IPv6 CIDR blocks.

PrefixListIds List<string>

List of prefix list IDs (for allowing access to VPC endpoints).

SecurityGroups List<string>

List of security group names if using EC2-Classic, or group IDs if using a VPC.

Self bool

If true, the security group itself will be added as a destination to this egress rule.

Go

FromPort int

The start port (or ICMP type number if protocol is "icmp").

Protocol string

The protocol. If you select a protocol of "-1" (semantically equivalent to "all", which is not a valid value here), you must specify a "from_port" and "to_port" equal to 0. If not icmp, tcp, udp, or "-1", use the protocol number.

ToPort int

The end range port (or ICMP code if protocol is "icmp").

CidrBlocks []string

List of CIDR blocks.

Description string

Description of this egress rule.

Ipv6CidrBlocks []string

List of IPv6 CIDR blocks.

PrefixListIds []string

List of prefix list IDs (for allowing access to VPC endpoints).

SecurityGroups []string

List of security group names if using EC2-Classic, or group IDs if using a VPC.

Self bool

If true, the security group itself will be added as a destination to this egress rule.

TypeScript

fromPort number

The start port (or ICMP type number if protocol is "icmp").

protocol string

The protocol. If you select a protocol of "-1" (semantically equivalent to "all", which is not a valid value here), you must specify a "from_port" and "to_port" equal to 0. If not icmp, tcp, udp, or "-1", use the protocol number.

toPort number

The end range port (or ICMP code if protocol is "icmp").

cidrBlocks string[]

List of CIDR blocks.

description string

Description of this egress rule.

ipv6CidrBlocks string[]

List of IPv6 CIDR blocks.

prefixListIds string[]

List of prefix list IDs (for allowing access to VPC endpoints).

securityGroups string[]

List of security group names if using EC2-Classic, or group IDs if using a VPC.

self boolean

If true, the security group itself will be added as a destination to this egress rule.

Python

from_port float

The start port (or ICMP type number if protocol is "icmp").

protocol str

The protocol. If you select a protocol of "-1" (semantically equivalent to "all", which is not a valid value here), you must specify a "from_port" and "to_port" equal to 0. If not icmp, tcp, udp, or "-1", use the protocol number.

to_port float

The end range port (or ICMP code if protocol is "icmp").

cidr_blocks List[str]

List of CIDR blocks.

description str

Description of this egress rule.

ipv6_cidr_blocks List[str]

List of IPv6 CIDR blocks.

prefix_list_ids List[str]

List of prefix list IDs (for allowing access to VPC endpoints).

security_groups List[str]

List of security group names if using EC2-Classic, or group IDs if using a VPC.

self bool

If true, the security group itself will be added as a destination to this egress rule.

SecurityGroupIngress

See the input and output API doc for this type.

C#

FromPort int

The start port (or ICMP type number if protocol is "icmp").

Protocol string

The protocol. If you select a protocol of "-1" (semantically equivalent to "all", which is not a valid value here), you must specify a "from_port" and "to_port" equal to 0. If not icmp, tcp, udp, or "-1", use the protocol number.

ToPort int

The end range port (or ICMP code if protocol is "icmp").

CidrBlocks List<string>

List of CIDR blocks.

Description string

Description of this ingress rule.

Ipv6CidrBlocks List<string>

List of IPv6 CIDR blocks.

PrefixListIds List<string>

List of prefix list IDs (for allowing access to VPC endpoints).

SecurityGroups List<string>

List of security group names if using EC2-Classic, or group IDs if using a VPC.

Self bool

If true, the security group itself will be added as a source to this ingress rule.

Go

FromPort int

The start port (or ICMP type number if protocol is "icmp").

Protocol string

The protocol. If you select a protocol of "-1" (semantically equivalent to "all", which is not a valid value here), you must specify a "from_port" and "to_port" equal to 0. If not icmp, tcp, udp, or "-1", use the protocol number.

ToPort int

The end range port (or ICMP code if protocol is "icmp").

CidrBlocks []string

List of CIDR blocks.

Description string

Description of this ingress rule.

Ipv6CidrBlocks []string

List of IPv6 CIDR blocks.

PrefixListIds []string

List of prefix list IDs (for allowing access to VPC endpoints).

SecurityGroups []string

List of security group names if using EC2-Classic, or group IDs if using a VPC.

Self bool

If true, the security group itself will be added as a source to this ingress rule.

TypeScript

fromPort number

The start port (or ICMP type number if protocol is "icmp").

protocol string

The protocol. If you select a protocol of "-1" (semantically equivalent to "all", which is not a valid value here), you must specify a "from_port" and "to_port" equal to 0. If not icmp, tcp, udp, or "-1", use the protocol number.

toPort number

The end range port (or ICMP code if protocol is "icmp").

cidrBlocks string[]

List of CIDR blocks.

description string

Description of this ingress rule.

ipv6CidrBlocks string[]

List of IPv6 CIDR blocks.

prefixListIds string[]

List of prefix list IDs (for allowing access to VPC endpoints).

securityGroups string[]

List of security group names if using EC2-Classic, or group IDs if using a VPC.

self boolean

If true, the security group itself will be added as a source to this ingress rule.

Python

from_port float

The start port (or ICMP type number if protocol is "icmp").

protocol str

The protocol. If you select a protocol of "-1" (semantically equivalent to "all", which is not a valid value here), you must specify a "from_port" and "to_port" equal to 0. If not icmp, tcp, udp, or "-1", use the protocol number.

to_port float

The end range port (or ICMP code if protocol is "icmp").

cidr_blocks List[str]

List of CIDR blocks.

description str

Description of this ingress rule.

ipv6_cidr_blocks List[str]

List of IPv6 CIDR blocks.

prefix_list_ids List[str]

List of prefix list IDs (for allowing access to VPC endpoints).

security_groups List[str]

List of security group names if using EC2-Classic, or group IDs if using a VPC.

self bool

If true, the security group itself will be added as a source to this ingress rule.
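The constraints this reference states (protocol "-1" only with from_port and to_port of 0, name_prefix conflicting with name, and the opening note that in-line rules must not be mixed with standalone SecurityGroupRule resources) can be checked before a deployment ever reaches AWS. The following is an added example, not code from the Pulumi docs or the pulumi-aws SDK: it runs offline over plain dicts shaped like the Python SDK inputs above, with constructed sample values and placeholder IDs, and adds two checks of its own (a rule with no selector, and ingress open to the whole internet) that are marked as such in the comments.

```python
"""Offline checks for aws.ec2.SecurityGroup inputs (added example, not SDK code).
Works on plain dicts shaped like the Python SDK inputs: ingress/egress blocks with
from_port, to_port, protocol, cidr_blocks, ipv6_cidr_blocks, prefix_list_ids,
security_groups and self. All sample values below are constructed."""
from typing import Dict, List

WORLD = {"0.0.0.0/0", "::/0"}
SELECTORS = ("cidr_blocks", "ipv6_cidr_blocks", "prefix_list_ids", "security_groups")


def check_rule(direction: str, rule: Dict) -> List[str]:
    """Return findings for one in-line ingress or egress block."""
    findings = []
    proto = str(rule.get("protocol", ""))
    ports = (rule.get("from_port"), rule.get("to_port"))
    # Documented constraint: protocol "-1" must be paired with from_port == to_port == 0.
    if proto == "-1" and ports != (0, 0):
        findings.append(f"{direction}: protocol -1 requires from_port=0 and to_port=0, got {ports}")
    # Added check: a rule needs at least one source/destination selector or self.
    if not rule.get("self") and not any(rule.get(k) for k in SELECTORS):
        findings.append(f"{direction}: rule selects no CIDR, prefix list, security group or self")
    # Added posture check (not a provider constraint): ingress open to the whole internet.
    cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
    if direction == "ingress" and cidrs & WORLD:
        findings.append(f"ingress: {proto} {ports[0]}-{ports[1]} open to {sorted(cidrs & WORLD)}")
    return findings


def check_security_group(args: Dict, standalone_rules: int = 0) -> List[str]:
    """Findings for one SecurityGroup's args. standalone_rules is the number of
    aws.ec2.SecurityGroupRule resources that point at the same group."""
    findings = []
    # Documented constraint: name_prefix conflicts with name.
    if args.get("name") and args.get("name_prefix"):
        findings.append("name conflicts with name_prefix")
    inline = [("ingress", r) for r in args.get("ingress", [])]
    inline += [("egress", r) for r in args.get("egress", [])]
    # Documented constraint: in-line rules and standalone rules overwrite each other.
    if inline and standalone_rules:
        findings.append("in-line ingress/egress mixed with standalone SecurityGroupRule resources")
    for direction, rule in inline:
        findings.extend(check_rule(direction, rule))
    return findings


# Constructed sample: egress only to a VPC endpoint prefix list, ingress only from the group itself.
SAMPLE_OK = {
    "description": "app tier",
    "vpc_id": "vpc-PLACEHOLDER",
    "egress": [{"from_port": 0, "to_port": 0, "protocol": "-1", "prefix_list_ids": ["pl-PLACEHOLDER"]}],
    "ingress": [{"from_port": 443, "to_port": 443, "protocol": "tcp", "self": True}],
}
# Constructed sample that trips every check: name clash, "-1" with non-zero ports, world-open port 22.
SAMPLE_BAD = {
    "name": "web", "name_prefix": "web-",
    "egress": [{"from_port": 443, "to_port": 443, "protocol": "-1", "cidr_blocks": ["10.0.0.0/8"]}],
    "ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}],
}

if __name__ == "__main__":
    print("ok:", check_security_group(SAMPLE_OK) or "no findings")
    print("bad:", check_security_group(SAMPLE_BAD, standalone_rules=1))
```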

Package Details

Repository
https://github.com/pulumi/pulumi-aws
License
Apache-2.0
Notes
This Pulumi package is based on the aws Terraform Provider.