SecurityGroupRule

Provides a security group rule resource. Represents a single ingress or egress group rule, which can be added to external Security Groups.

NOTE on Security Groups and Security Group Rules: This provider currently provides both a standalone Security Group Rule resource (a single ingress or egress rule), and a Security Group resource with ingress and egress rules defined in-line. At this time you cannot use a Security Group with in-line rules in conjunction with any Security Group Rule resources. Doing so will cause a conflict of rule settings and will overwrite rules.

NOTE: Setting protocol = "all" or protocol = -1 together with from_port and to_port will result in the EC2 API creating a security group rule with all ports open, regardless of the from_port and to_port values given. This API behavior cannot be controlled by this provider and may generate warnings in the future.

NOTE: Referencing Security Groups across VPC peering has certain restrictions. More information is available in the VPC Peering User Guide.

Example Usage

using Pulumi;
using Aws = Pulumi.Aws;

/// <summary>
/// Stack that declares one standalone ingress rule on security group "sg-123456".
/// The rule admits TCP on every port (0-65535) from the IPv4 and IPv6 CIDR blocks
/// of the referenced VPC.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        var ruleArgs = new Aws.Ec2.SecurityGroupRuleArgs
        {
            Type = "ingress",
            Protocol = "tcp",
            // 0-65535 is the full TCP port range, so this is a broad rule.
            FromPort = 0,
            ToPort = 65535,
            // Sources are the referenced VPC's own address ranges.
            CidrBlocks =
            {
                aws_vpc.Example.Cidr_block,
            },
            Ipv6CidrBlocks =
            {
                aws_vpc.Example.Ipv6_cidr_block,
            },
            SecurityGroupId = "sg-123456",
        };

        var example = new Aws.Ec2.SecurityGroupRule("example", ruleArgs);
    }
}

Coming soon!

import pulumi
import pulumi_aws as aws

# Standalone ingress rule on security group "sg-123456": TCP on every port
# (0-65535) from the IPv4 and IPv6 CIDR blocks of the referenced VPC.
example_vpc = aws_vpc["example"]
example = aws.ec2.SecurityGroupRule(
    "example",
    type="ingress",
    protocol="tcp",
    from_port=0,  # 0-65535 is the full TCP port range
    to_port=65535,
    cidr_blocks=[example_vpc["cidr_block"]],
    ipv6_cidr_blocks=[example_vpc["ipv6_cidr_block"]],
    security_group_id="sg-123456",
)
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Standalone ingress rule on security group "sg-123456": TCP on every port
// (0-65535) from the IPv4 and IPv6 CIDR blocks of the referenced VPC.
const exampleVpc = aws_vpc.example;
const ruleArgs: aws.ec2.SecurityGroupRuleArgs = {
    type: "ingress",
    protocol: "tcp",
    fromPort: 0, // 0-65535 is the full TCP port range
    toPort: 65535,
    cidrBlocks: [exampleVpc.cidr_block],
    ipv6CidrBlocks: [exampleVpc.ipv6_cidr_block],
    securityGroupId: "sg-123456",
};
const example = new aws.ec2.SecurityGroupRule("example", ruleArgs);

Usage With Prefix List IDs

using Pulumi;
using Aws = Pulumi.Aws;

/// <summary>
/// Stack that declares an egress rule on security group "sg-123456" whose destination
/// is the prefix list of a VPC endpoint. Protocol "-1" selects all protocols; with
/// FromPort and ToPort of 0 the EC2 API creates the rule with all ports open.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        // ...
        var endpointArgs = new Aws.Ec2.VpcEndpointArgs
        {
        };
        var myEndpoint = new Aws.Ec2.VpcEndpoint("myEndpoint", endpointArgs);
        // ...
        var ruleArgs = new Aws.Ec2.SecurityGroupRuleArgs
        {
            Type = "egress",
            Protocol = "-1",
            FromPort = 0,
            ToPort = 0,
            // Destination is the endpoint's prefix list rather than a CIDR.
            PrefixListIds =
            {
                myEndpoint.PrefixListId,
            },
            SecurityGroupId = "sg-123456",
        };
        var allowAll = new Aws.Ec2.SecurityGroupRule("allowAll", ruleArgs);
    }
}
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v4/go/aws/ec2"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main declares an egress rule on security group "sg-123456" whose destination
// is the prefix list of a newly created VPC endpoint. Protocol "-1" selects all
// protocols; with FromPort and ToPort of 0 the EC2 API opens all ports.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		endpoint, err := ec2.NewVpcEndpoint(ctx, "myEndpoint", nil)
		if err != nil {
			return err
		}

		ruleArgs := &ec2.SecurityGroupRuleArgs{
			Type:     pulumi.String("egress"),
			Protocol: pulumi.String("-1"),
			FromPort: pulumi.Int(0),
			ToPort:   pulumi.Int(0),
			// Destination is the endpoint's prefix list rather than a CIDR.
			PrefixListIds:   pulumi.StringArray{endpoint.PrefixListId},
			SecurityGroupId: pulumi.String("sg-123456"),
		}
		if _, err := ec2.NewSecurityGroupRule(ctx, "allowAll", ruleArgs); err != nil {
			return err
		}
		return nil
	})
}
import pulumi
import pulumi_aws as aws

# ...
my_endpoint = aws.ec2.VpcEndpoint("myEndpoint")
# ...
# Egress rule on security group "sg-123456" whose destination is the endpoint's
# prefix list. protocol "-1" selects all protocols; with from_port/to_port of 0
# the EC2 API creates the rule with all ports open.
allow_all = aws.ec2.SecurityGroupRule(
    "allowAll",
    type="egress",
    protocol="-1",
    from_port=0,
    to_port=0,
    prefix_list_ids=[my_endpoint.prefix_list_id],
    security_group_id="sg-123456",
)
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// ...
const myEndpoint = new aws.ec2.VpcEndpoint("myEndpoint", {});
// ...
// Egress rule on security group "sg-123456" whose destination is the endpoint's
// prefix list. protocol "-1" selects all protocols; with fromPort/toPort of 0
// the EC2 API creates the rule with all ports open.
const ruleArgs: aws.ec2.SecurityGroupRuleArgs = {
    type: "egress",
    protocol: "-1",
    fromPort: 0,
    toPort: 0,
    prefixListIds: [myEndpoint.prefixListId],
    securityGroupId: "sg-123456",
};
const allowAll = new aws.ec2.SecurityGroupRule("allowAll", ruleArgs);

Create a SecurityGroupRule Resource

new SecurityGroupRule(name: string, args: SecurityGroupRuleArgs, opts?: CustomResourceOptions);
@overload
def SecurityGroupRule(resource_name: str,
                      opts: Optional[ResourceOptions] = None,
                      cidr_blocks: Optional[Sequence[str]] = None,
                      description: Optional[str] = None,
                      from_port: Optional[int] = None,
                      ipv6_cidr_blocks: Optional[Sequence[str]] = None,
                      prefix_list_ids: Optional[Sequence[str]] = None,
                      protocol: Optional[Union[str, ProtocolType]] = None,
                      security_group_id: Optional[str] = None,
                      self: Optional[bool] = None,
                      source_security_group_id: Optional[str] = None,
                      to_port: Optional[int] = None,
                      type: Optional[str] = None)
@overload
def SecurityGroupRule(resource_name: str,
                      args: SecurityGroupRuleArgs,
                      opts: Optional[ResourceOptions] = None)
func NewSecurityGroupRule(ctx *Context, name string, args SecurityGroupRuleArgs, opts ...ResourceOption) (*SecurityGroupRule, error)
public SecurityGroupRule(string name, SecurityGroupRuleArgs args, CustomResourceOptions? opts = null)
name string
The unique name of the resource.
args SecurityGroupRuleArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args SecurityGroupRuleArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args SecurityGroupRuleArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args SecurityGroupRuleArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.

SecurityGroupRule Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.

Inputs

The SecurityGroupRule resource accepts the following input properties:

FromPort int
Start port (or ICMP type number if protocol is “icmp” or “icmpv6”).
Protocol string | Pulumi.Aws.Ec2.ProtocolType
Protocol. If not icmp, icmpv6, tcp, udp, or all, use the IANA protocol number.
SecurityGroupId string
Security group to apply this rule to.
ToPort int
End port (or ICMP code if protocol is “icmp”).
Type string
Type of rule being created. Valid options are ingress (inbound) or egress (outbound).
CidrBlocks List<string>
List of CIDR blocks. Cannot be specified with source_security_group_id or self.
Description string
Description of the rule.
Ipv6CidrBlocks List<string>
List of IPv6 CIDR blocks. Cannot be specified with source_security_group_id or self.
PrefixListIds List<string>
List of Prefix List IDs.
Self bool
Whether the security group itself will be added as a source to this ingress rule. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or source_security_group_id.
SourceSecurityGroupId string
Security group id to allow access to/from, depending on the type. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or self.
FromPort int
Start port (or ICMP type number if protocol is “icmp” or “icmpv6”).
Protocol string | ProtocolType
Protocol. If not icmp, icmpv6, tcp, udp, or all, use the IANA protocol number.
SecurityGroupId string
Security group to apply this rule to.
ToPort int
End port (or ICMP code if protocol is “icmp”).
Type string
Type of rule being created. Valid options are ingress (inbound) or egress (outbound).
CidrBlocks []string
List of CIDR blocks. Cannot be specified with source_security_group_id or self.
Description string
Description of the rule.
Ipv6CidrBlocks []string
List of IPv6 CIDR blocks. Cannot be specified with source_security_group_id or self.
PrefixListIds []string
List of Prefix List IDs.
Self bool
Whether the security group itself will be added as a source to this ingress rule. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or source_security_group_id.
SourceSecurityGroupId string
Security group id to allow access to/from, depending on the type. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or self.
fromPort number
Start port (or ICMP type number if protocol is “icmp” or “icmpv6”).
protocol string | ProtocolType
Protocol. If not icmp, icmpv6, tcp, udp, or all, use the IANA protocol number.
securityGroupId string
Security group to apply this rule to.
toPort number
End port (or ICMP code if protocol is “icmp”).
type string
Type of rule being created. Valid options are ingress (inbound) or egress (outbound).
cidrBlocks string[]
List of CIDR blocks. Cannot be specified with source_security_group_id or self.
description string
Description of the rule.
ipv6CidrBlocks string[]
List of IPv6 CIDR blocks. Cannot be specified with source_security_group_id or self.
prefixListIds string[]
List of Prefix List IDs.
self boolean
Whether the security group itself will be added as a source to this ingress rule. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or source_security_group_id.
sourceSecurityGroupId string
Security group id to allow access to/from, depending on the type. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or self.
from_port int
Start port (or ICMP type number if protocol is “icmp” or “icmpv6”).
protocol str | ProtocolType
Protocol. If not icmp, icmpv6, tcp, udp, or all, use the IANA protocol number.
security_group_id str
Security group to apply this rule to.
to_port int
End port (or ICMP code if protocol is “icmp”).
type str
Type of rule being created. Valid options are ingress (inbound) or egress (outbound).
cidr_blocks Sequence[str]
List of CIDR blocks. Cannot be specified with source_security_group_id or self.
description str
Description of the rule.
ipv6_cidr_blocks Sequence[str]
List of IPv6 CIDR blocks. Cannot be specified with source_security_group_id or self.
prefix_list_ids Sequence[str]
List of Prefix List IDs.
self bool
Whether the security group itself will be added as a source to this ingress rule. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or source_security_group_id.
source_security_group_id str
Security group id to allow access to/from, depending on the type. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or self.

Outputs

All input properties are implicitly available as output properties. Additionally, the SecurityGroupRule resource produces the following output properties:

Id string
The provider-assigned unique ID for this managed resource.
Id string
The provider-assigned unique ID for this managed resource.
id string
The provider-assigned unique ID for this managed resource.
id str
The provider-assigned unique ID for this managed resource.

Look up an Existing SecurityGroupRule Resource

Get an existing SecurityGroupRule resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: SecurityGroupRuleState, opts?: CustomResourceOptions): SecurityGroupRule
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        cidr_blocks: Optional[Sequence[str]] = None,
        description: Optional[str] = None,
        from_port: Optional[int] = None,
        ipv6_cidr_blocks: Optional[Sequence[str]] = None,
        prefix_list_ids: Optional[Sequence[str]] = None,
        protocol: Optional[Union[str, ProtocolType]] = None,
        security_group_id: Optional[str] = None,
        self: Optional[bool] = None,
        source_security_group_id: Optional[str] = None,
        to_port: Optional[int] = None,
        type: Optional[str] = None) -> SecurityGroupRule
func GetSecurityGroupRule(ctx *Context, name string, id IDInput, state *SecurityGroupRuleState, opts ...ResourceOption) (*SecurityGroupRule, error)
public static SecurityGroupRule Get(string name, Input<string> id, SecurityGroupRuleState? state, CustomResourceOptions? opts = null)
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.

The following state arguments are supported:

CidrBlocks List<string>
List of CIDR blocks. Cannot be specified with source_security_group_id or self.
Description string
Description of the rule.
FromPort int
Start port (or ICMP type number if protocol is “icmp” or “icmpv6”).
Ipv6CidrBlocks List<string>
List of IPv6 CIDR blocks. Cannot be specified with source_security_group_id or self.
PrefixListIds List<string>
List of Prefix List IDs.
Protocol string | Pulumi.Aws.Ec2.ProtocolType
Protocol. If not icmp, icmpv6, tcp, udp, or all, use the IANA protocol number.
SecurityGroupId string
Security group to apply this rule to.
Self bool
Whether the security group itself will be added as a source to this ingress rule. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or source_security_group_id.
SourceSecurityGroupId string
Security group id to allow access to/from, depending on the type. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or self.
ToPort int
End port (or ICMP code if protocol is “icmp”).
Type string
Type of rule being created. Valid options are ingress (inbound) or egress (outbound).
CidrBlocks []string
List of CIDR blocks. Cannot be specified with source_security_group_id or self.
Description string
Description of the rule.
FromPort int
Start port (or ICMP type number if protocol is “icmp” or “icmpv6”).
Ipv6CidrBlocks []string
List of IPv6 CIDR blocks. Cannot be specified with source_security_group_id or self.
PrefixListIds []string
List of Prefix List IDs.
Protocol string | ProtocolType
Protocol. If not icmp, icmpv6, tcp, udp, or all, use the IANA protocol number.
SecurityGroupId string
Security group to apply this rule to.
Self bool
Whether the security group itself will be added as a source to this ingress rule. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or source_security_group_id.
SourceSecurityGroupId string
Security group id to allow access to/from, depending on the type. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or self.
ToPort int
End port (or ICMP code if protocol is “icmp”).
Type string
Type of rule being created. Valid options are ingress (inbound) or egress (outbound).
cidrBlocks string[]
List of CIDR blocks. Cannot be specified with source_security_group_id or self.
description string
Description of the rule.
fromPort number
Start port (or ICMP type number if protocol is “icmp” or “icmpv6”).
ipv6CidrBlocks string[]
List of IPv6 CIDR blocks. Cannot be specified with source_security_group_id or self.
prefixListIds string[]
List of Prefix List IDs.
protocol string | ProtocolType
Protocol. If not icmp, icmpv6, tcp, udp, or all, use the IANA protocol number.
securityGroupId string
Security group to apply this rule to.
self boolean
Whether the security group itself will be added as a source to this ingress rule. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or source_security_group_id.
sourceSecurityGroupId string
Security group id to allow access to/from, depending on the type. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or self.
toPort number
End port (or ICMP code if protocol is “icmp”).
type string
Type of rule being created. Valid options are ingress (inbound) or egress (outbound).
cidr_blocks Sequence[str]
List of CIDR blocks. Cannot be specified with source_security_group_id or self.
description str
Description of the rule.
from_port int
Start port (or ICMP type number if protocol is “icmp” or “icmpv6”).
ipv6_cidr_blocks Sequence[str]
List of IPv6 CIDR blocks. Cannot be specified with source_security_group_id or self.
prefix_list_ids Sequence[str]
List of Prefix List IDs.
protocol str | ProtocolType
Protocol. If not icmp, icmpv6, tcp, udp, or all, use the IANA protocol number.
security_group_id str
Security group to apply this rule to.
self bool
Whether the security group itself will be added as a source to this ingress rule. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or source_security_group_id.
source_security_group_id str
Security group id to allow access to/from, depending on the type. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or self.
to_port int
End port (or ICMP code if protocol is “icmp”).
type str
Type of rule being created. Valid options are ingress (inbound) or egress (outbound).

Supporting Types

ProtocolType

All
all
TCP
tcp
UDP
udp
ICMP
icmp
ProtocolTypeAll
all
ProtocolTypeTCP
tcp
ProtocolTypeUDP
udp
ProtocolTypeICMP
icmp
All
all
TCP
tcp
UDP
udp
ICMP
icmp
ALL
all
TCP
tcp
UDP
udp
ICMP
icmp

Import

Security Group Rules can be imported using the security_group_id, type, protocol, from_port, to_port, and source(s)/destination(s) (e.g. cidr_block) separated by underscores (_). All parts are required. Not all rule permissions (e.g., not all of a rule’s CIDR blocks) need to be imported for this provider to manage rule permissions. However, importing some of a rule’s permissions but not others, and then making changes to the rule, will result in the creation of an additional rule to capture the updated permissions. Rule permissions that were not imported are left intact in the original rule.

Import an ingress rule in security group sg-6e616f6d69 for TCP port 8000 with an IPv4 destination CIDR of 10.0.3.0/24

 $ pulumi import aws:ec2/securityGroupRule:SecurityGroupRule ingress sg-6e616f6d69_ingress_tcp_8000_8000_10.0.3.0/24

Import a rule with various IPv4 and IPv6 source CIDR blocks

 $ pulumi import aws:ec2/securityGroupRule:SecurityGroupRule ingress sg-4973616163_ingress_tcp_100_121_10.1.0.0/16_2001:db8::/48_10.2.0.0/16_2002:db8::/48

Import a rule, applicable to all ports, with a protocol other than TCP/UDP/ICMP/ALL, e.g., Multicast Transport Protocol (MTP), using the IANA protocol number, e.g., 92.

 $ pulumi import aws:ec2/securityGroupRule:SecurityGroupRule ingress sg-6777656e646f6c796e_ingress_92_0_65536_10.0.3.0/24_10.0.4.0/24

Import an egress rule with a prefix list ID destination

 $ pulumi import aws:ec2/securityGroupRule:SecurityGroupRule egress sg-62726f6479_egress_tcp_8000_8000_pl-6469726b

Import a rule applicable to all protocols and ports with a security group source

 $ pulumi import aws:ec2/securityGroupRule:SecurityGroupRule ingress_rule sg-7472697374616e_ingress_all_0_65536_sg-6176657279

Import a rule that has itself and an IPv6 CIDR block as sources

 $ pulumi import aws:ec2/securityGroupRule:SecurityGroupRule rule_name sg-656c65616e6f72_ingress_tcp_80_80_self_2001:db8::/48

Package Details

Repository
https://github.com/pulumi/pulumi-aws
License
Apache-2.0
Notes
This Pulumi package is based on the aws Terraform Provider.