

AWS Classic v6.28.1 published on Thursday, Mar 28, 2024 by Pulumi

aws.ec2.SecurityGroupRule




    Provides a security group rule resource. Represents a single ingress or egress group rule, which can be added to external Security Groups.

    NOTE on Security Groups and Security Group Rules: This provider currently provides a Security Group resource with ingress and egress rules defined in-line and a Security Group Rule resource which manages one or more ingress or egress rules. Both of these resources were added before AWS assigned a security group rule unique ID, and they do not work well in all scenarios using the description and tags attributes, which rely on the unique ID. The aws.vpc.SecurityGroupEgressRule and aws.vpc.SecurityGroupIngressRule resources have been added to address these limitations and should be used for all new security group rules. You should not use the aws.vpc.SecurityGroupEgressRule and aws.vpc.SecurityGroupIngressRule resources in conjunction with an aws.ec2.SecurityGroup resource with in-line rules or with aws.ec2.SecurityGroupRule resources defined for the same Security Group, as rule conflicts may occur and rules will be overwritten.

    NOTE: Setting protocol = "all" or protocol = -1 with from_port and to_port will result in the EC2 API creating a security group rule with all ports open. This API behavior cannot be controlled by this provider and may generate warnings in the future.

    NOTE: Referencing Security Groups across VPC peering has certain restrictions. More information is available in the VPC Peering User Guide.

    Example Usage

    Basic usage

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
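    // The rule pulls its source ranges from a VPC, so one has to exist in the
    // program. This VPC stands in for whichever one the rule should cover; the
    // CIDR is a constructed sample value.
    const exampleAwsVpc = new aws.ec2.Vpc("example", {
        cidrBlock: "10.0.0.0/16",
        assignGeneratedIpv6CidrBlock: true,
    });
    // Inbound TCP on every port (0-65535) from any address inside the VPC, over
    // IPv4 and IPv6. Narrow fromPort/toPort to the service's port where possible.
    const example = new aws.ec2.SecurityGroupRule("example", {
        type: "ingress",
        fromPort: 0,
        toPort: 65535,
        protocol: aws.ec2.ProtocolType.TCP,
        cidrBlocks: [exampleAwsVpc.cidrBlock],
        ipv6CidrBlocks: [exampleAwsVpc.ipv6CidrBlock],
        securityGroupId: "sg-123456", // placeholder; the group this rule belongs to
    });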
    
    import pulumi
    import pulumi_aws as aws
    
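    # The rule pulls its source ranges from a VPC, so one has to exist in the
    # program. This VPC stands in for whichever one the rule should cover; the
    # CIDR is a constructed sample value.
    example_aws_vpc = aws.ec2.Vpc("example",
        cidr_block="10.0.0.0/16",
        assign_generated_ipv6_cidr_block=True)
    # Inbound TCP on every port (0-65535) from any address inside the VPC, over
    # IPv4 and IPv6. Narrow from_port/to_port to the service's port where possible.
    example = aws.ec2.SecurityGroupRule("example",
        type="ingress",
        from_port=0,
        to_port=65535,
        protocol=aws.ec2.ProtocolType.TCP,
        cidr_blocks=[example_aws_vpc.cidr_block],
        ipv6_cidr_blocks=[example_aws_vpc.ipv6_cidr_block],
        security_group_id="sg-123456")  # placeholder; the group this rule belongs to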
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/ec2"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
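    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// The rule below reads the VPC's IPv4 and IPv6 ranges, so a VPC has
    		// to exist in the program. This one stands in for whichever VPC the
    		// rule should cover; the CIDR is a constructed sample value.
    		exampleAwsVpc, err := ec2.NewVpc(ctx, "example", &ec2.VpcArgs{
    			CidrBlock:                    pulumi.String("10.0.0.0/16"),
    			AssignGeneratedIpv6CidrBlock: pulumi.Bool(true),
    		})
    		if err != nil {
    			return err
    		}
    		// Inbound TCP on every port (0-65535) from any address inside the
    		// VPC, over both IPv4 and IPv6. Narrow FromPort/ToPort to the
    		// service's port where the workload allows it.
    		_, err = ec2.NewSecurityGroupRule(ctx, "example", &ec2.SecurityGroupRuleArgs{
    			Type:     pulumi.String("ingress"),
    			FromPort: pulumi.Int(0),
    			ToPort:   pulumi.Int(65535),
    			Protocol: pulumi.String(ec2.ProtocolTypeTCP),
    			CidrBlocks: pulumi.StringArray{
    				exampleAwsVpc.CidrBlock,
    			},
    			Ipv6CidrBlocks: pulumi.StringArray{
    				exampleAwsVpc.Ipv6CidrBlock,
    			},
    			// Placeholder ID; point this at the security group the rule belongs to.
    			SecurityGroupId: pulumi.String("sg-123456"),
    		})
    		return err
    	})
    }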
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        // NOTE(review): exampleAwsVpc is not declared in this snippet; it is
        // assumed to be an Aws.Ec2.Vpc defined elsewhere in the program.
        // Inbound TCP on every port (0-65535) from any address inside that VPC,
        // over IPv4 and IPv6. Narrow FromPort/ToPort where the service allows.
        var example = new Aws.Ec2.SecurityGroupRule("example", new()
        {
            Type = "ingress",
            FromPort = 0,
            ToPort = 65535,
            Protocol = Aws.Ec2.ProtocolType.TCP,
            CidrBlocks = new[]
            {
                exampleAwsVpc.CidrBlock,
            },
            Ipv6CidrBlocks = new[]
            {
                exampleAwsVpc.Ipv6CidrBlock,
            },
            SecurityGroupId = "sg-123456", // placeholder; the group this rule belongs to
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.ec2.SecurityGroupRule;
    import com.pulumi.aws.ec2.SecurityGroupRuleArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        // NOTE(review): exampleAwsVpc is not declared in this snippet; it is
        // assumed to be a com.pulumi.aws.ec2.Vpc defined elsewhere in the program.
        public static void stack(Context ctx) {
            // Inbound TCP on every port (0-65535) from any address inside that VPC,
            // over IPv4 and IPv6. Narrow fromPort/toPort where the service allows.
            var example = new SecurityGroupRule("example", SecurityGroupRuleArgs.builder()        
                .type("ingress")
                .fromPort(0)
                .toPort(65535)
                .protocol("tcp")
                .cidrBlocks(exampleAwsVpc.cidrBlock())
                .ipv6CidrBlocks(exampleAwsVpc.ipv6CidrBlock())
                .securityGroupId("sg-123456") // placeholder; the group this rule belongs to
                .build());
    
        }
    }
    
    # NOTE(review): exampleAwsVpc is not declared in this snippet; it is assumed
    # to be an aws:ec2:Vpc resource defined elsewhere in the program.
    resources:
      example:
        type: aws:ec2:SecurityGroupRule
        properties:
          # Inbound TCP on every port (0-65535) from any address inside that VPC,
          # over IPv4 and IPv6. Narrow fromPort/toPort where the service allows.
          type: ingress
          fromPort: 0
          toPort: 65535
          protocol: tcp
          cidrBlocks:
            - ${exampleAwsVpc.cidrBlock}
          ipv6CidrBlocks:
            - ${exampleAwsVpc.ipv6CidrBlock}
          securityGroupId: sg-123456 # placeholder; the group this rule belongs to
    

    Usage With Prefix List IDs

    Prefix Lists are either managed by AWS internally, or created by the customer using a Managed Prefix List resource. Prefix Lists provided by AWS are associated with a prefix list name, or service name, that is linked to a specific region.

    Prefix list IDs are exported on VPC Endpoints, so you can use this format:

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    // ...
    // NOTE(review): empty args is a placeholder — aws.ec2.VpcEndpoint needs at
    // least serviceName and vpcId to deploy; confirm against the VpcEndpoint reference.
    const endpoint = new aws.ec2.VpcEndpoint("my_endpoint", {});
    // Outbound rule scoped to the endpoint's prefix list. Protocol "-1" with
    // port 0 yields an all-protocol, all-port rule (see the NOTE on protocol
    // "all" above), so the prefix list is the only thing limiting it.
    const allowAll = new aws.ec2.SecurityGroupRule("allow_all", {
        securityGroupId: "sg-123456",
        type: "egress",
        protocol: "-1",
        fromPort: 0,
        toPort: 0,
        prefixListIds: [endpoint.prefixListId],
    });
    
    import pulumi
    import pulumi_aws as aws
    
    # ...
    # NOTE(review): no args is a placeholder — aws.ec2.VpcEndpoint needs at least
    # service_name and vpc_id to deploy; confirm against the VpcEndpoint reference.
    endpoint = aws.ec2.VpcEndpoint("my_endpoint")
    # Outbound rule scoped to the endpoint's prefix list. Protocol "-1" with
    # port 0 yields an all-protocol, all-port rule (see the NOTE on protocol
    # "all" above), so the prefix list is the only thing limiting it.
    allow_all = aws.ec2.SecurityGroupRule("allow_all",
        security_group_id="sg-123456",
        type="egress",
        protocol="-1",
        from_port=0,
        to_port=0,
        prefix_list_ids=[endpoint.prefix_list_id])
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/ec2"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// ...
    		// NOTE(review): nil args is a placeholder — ec2.VpcEndpoint needs at
    		// least ServiceName and VpcId to deploy; confirm against the
    		// VpcEndpoint reference.
    		endpoint, err := ec2.NewVpcEndpoint(ctx, "my_endpoint", nil)
    		if err != nil {
    			return err
    		}
    		// Outbound rule scoped to the endpoint's prefix list. Protocol "-1"
    		// with port 0 yields an all-protocol, all-port rule (see the NOTE on
    		// protocol "all" above), so the prefix list is the only thing
    		// limiting it.
    		args := &ec2.SecurityGroupRuleArgs{
    			SecurityGroupId: pulumi.String("sg-123456"),
    			Type:            pulumi.String("egress"),
    			Protocol:        pulumi.String("-1"),
    			FromPort:        pulumi.Int(0),
    			ToPort:          pulumi.Int(0),
    			PrefixListIds:   pulumi.StringArray{endpoint.PrefixListId},
    		}
    		_, err = ec2.NewSecurityGroupRule(ctx, "allow_all", args)
    		return err
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        // ...
        // NOTE(review): no args is a placeholder — Aws.Ec2.VpcEndpoint needs at
        // least ServiceName and VpcId to deploy; confirm against the VpcEndpoint reference.
        var myEndpoint = new Aws.Ec2.VpcEndpoint("my_endpoint");
    
        // Outbound rule scoped to the endpoint's prefix list. Protocol "-1" with
        // port 0 yields an all-protocol, all-port rule (see the NOTE on protocol
        // "all" above), so the prefix list is the only thing limiting it.
        var allowAll = new Aws.Ec2.SecurityGroupRule("allow_all", new()
        {
            Type = "egress",
            ToPort = 0,
            Protocol = "-1",
            PrefixListIds = new[]
            {
                myEndpoint.PrefixListId,
            },
            FromPort = 0,
            SecurityGroupId = "sg-123456", // placeholder; the group this rule belongs to
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.ec2.VpcEndpoint;
    import com.pulumi.aws.ec2.SecurityGroupRule;
    import com.pulumi.aws.ec2.SecurityGroupRuleArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            // NOTE(review): no args is a placeholder — VpcEndpoint needs at least
            // serviceName and vpcId to deploy; confirm against the VpcEndpoint reference.
            var myEndpoint = new VpcEndpoint("myEndpoint");
    
            // Outbound rule scoped to the endpoint's prefix list. Protocol "-1" with
            // port 0 yields an all-protocol, all-port rule (see the NOTE on protocol
            // "all" above), so the prefix list is the only thing limiting it.
            var allowAll = new SecurityGroupRule("allowAll", SecurityGroupRuleArgs.builder()        
                .type("egress")
                .toPort(0)
                .protocol("-1")
                .prefixListIds(myEndpoint.prefixListId())
                .fromPort(0)
                .securityGroupId("sg-123456") // placeholder; the group this rule belongs to
                .build());
    
        }
    }
    
    resources:
      allowAll:
        type: aws:ec2:SecurityGroupRule
        name: allow_all
        properties:
          # Outbound rule scoped to the endpoint's prefix list. Protocol "-1" with
          # port 0 yields an all-protocol, all-port rule (see the NOTE on protocol
          # "all" above), so the prefix list is the only thing limiting it.
          type: egress
          toPort: 0
          protocol: '-1'
          prefixListIds:
            - ${myEndpoint.prefixListId}
          fromPort: 0
          securityGroupId: sg-123456 # placeholder; the group this rule belongs to
      # ...
      # NOTE(review): no properties is a placeholder — aws:ec2:VpcEndpoint needs
      # at least serviceName and vpcId to deploy; confirm against the VpcEndpoint reference.
      myEndpoint:
        type: aws:ec2:VpcEndpoint
        name: my_endpoint
    

    You can also find a specific Prefix List using the aws.ec2.getPrefixList or ec2_managed_prefix_list data sources:

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const region = aws.getRegion({});
    // Region-specific S3 prefix list name: com.amazonaws.<region>.s3
    const s3PrefixList = region.then(r => aws.ec2.getPrefixList({
        name: `com.amazonaws.${r.name}.s3`,
    }));
    // Outbound HTTPS only, and only to the S3 gateway endpoint's address ranges —
    // the narrowest shape an egress rule to a prefix list can take.
    const s3GatewayEgress = new aws.ec2.SecurityGroupRule("s3_gateway_egress", {
        description: "S3 Gateway Egress",
        type: "egress",
        securityGroupId: "sg-123456", // placeholder; the group this rule belongs to
        protocol: aws.ec2.ProtocolType.TCP,
        fromPort: 443,
        toPort: 443,
        prefixListIds: [s3PrefixList.then(pl => pl.id)],
    });
    
    import pulumi
    import pulumi_aws as aws
    
    region = aws.get_region()
    # Region-specific S3 prefix list name: com.amazonaws.<region>.s3
    s3_prefix_list = aws.ec2.get_prefix_list(name="com.amazonaws.{}.s3".format(region.name))
    # Outbound HTTPS only, and only to the S3 gateway endpoint's address ranges —
    # the narrowest shape an egress rule to a prefix list can take.
    s3_gateway_egress = aws.ec2.SecurityGroupRule("s3_gateway_egress",
        description="S3 Gateway Egress",
        type="egress",
        security_group_id="sg-123456",  # placeholder; the group this rule belongs to
        protocol=aws.ec2.ProtocolType.TCP,
        from_port=443,
        to_port=443,
        prefix_list_ids=[s3_prefix_list.id])
    
    package main
    
    import (
    	"fmt"
    
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws"
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/ec2"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// Resolve the region-specific S3 prefix list (com.amazonaws.<region>.s3).
    		region, err := aws.GetRegion(ctx, nil, nil)
    		if err != nil {
    			return err
    		}
    		prefixListName := fmt.Sprintf("com.amazonaws.%v.s3", region.Name)
    		s3List, err := ec2.GetPrefixList(ctx, &ec2.GetPrefixListArgs{
    			Name: pulumi.StringRef(prefixListName),
    		}, nil)
    		if err != nil {
    			return err
    		}
    		// Outbound HTTPS only, and only to the S3 gateway endpoint's address
    		// ranges — the narrowest shape an egress rule to a prefix list can take.
    		_, err = ec2.NewSecurityGroupRule(ctx, "s3_gateway_egress", &ec2.SecurityGroupRuleArgs{
    			Description: pulumi.String("S3 Gateway Egress"),
    			Type:        pulumi.String("egress"),
    			// Placeholder ID; point this at the security group the rule belongs to.
    			SecurityGroupId: pulumi.String("sg-123456"),
    			FromPort:        pulumi.Int(443),
    			ToPort:          pulumi.Int(443),
    			Protocol:        pulumi.String(ec2.ProtocolTypeTCP),
    			PrefixListIds:   pulumi.StringArray{pulumi.String(s3List.Id)},
    		})
    		return err
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var current = Aws.GetRegion.Invoke();
    
        // Region-specific S3 prefix list name: com.amazonaws.<region>.s3
        var s3 = Aws.Ec2.GetPrefixList.Invoke(new()
        {
            Name = $"com.amazonaws.{current.Apply(getRegionResult => getRegionResult.Name)}.s3",
        });
    
        // Outbound HTTPS only, and only to the S3 gateway endpoint's address
        // ranges — the narrowest shape an egress rule to a prefix list can take.
        var s3GatewayEgress = new Aws.Ec2.SecurityGroupRule("s3_gateway_egress", new()
        {
            Description = "S3 Gateway Egress",
            Type = "egress",
            SecurityGroupId = "sg-123456", // placeholder; the group this rule belongs to
            FromPort = 443,
            ToPort = 443,
            Protocol = Aws.Ec2.ProtocolType.TCP,
            PrefixListIds = new[]
            {
                s3.Apply(getPrefixListResult => getPrefixListResult.Id),
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.AwsFunctions;
    import com.pulumi.aws.inputs.GetRegionArgs;
    import com.pulumi.aws.ec2.Ec2Functions;
    import com.pulumi.aws.ec2.inputs.GetPrefixListArgs;
    import com.pulumi.aws.ec2.SecurityGroupRule;
    import com.pulumi.aws.ec2.SecurityGroupRuleArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            final var current = AwsFunctions.getRegion();
    
            // Region-specific S3 prefix list name: com.amazonaws.<region>.s3
            final var s3 = Ec2Functions.getPrefixList(GetPrefixListArgs.builder()
                .name(String.format("com.amazonaws.%s.s3", current.applyValue(getRegionResult -> getRegionResult.name())))
                .build());
    
            // Outbound HTTPS only, and only to the S3 gateway endpoint's address
            // ranges — the narrowest shape an egress rule to a prefix list can take.
            var s3GatewayEgress = new SecurityGroupRule("s3GatewayEgress", SecurityGroupRuleArgs.builder()        
                .description("S3 Gateway Egress")
                .type("egress")
                .securityGroupId("sg-123456") // placeholder; the group this rule belongs to
                .fromPort(443)
                .toPort(443)
                .protocol("tcp")
                .prefixListIds(s3.applyValue(getPrefixListResult -> getPrefixListResult.id()))
                .build());
    
        }
    }
    
    resources:
      s3GatewayEgress:
        type: aws:ec2:SecurityGroupRule
        name: s3_gateway_egress
        properties:
          description: S3 Gateway Egress
          # Outbound HTTPS only, and only to the S3 gateway endpoint's address
          # ranges — the narrowest shape an egress rule to a prefix list can take.
          type: egress
          securityGroupId: sg-123456 # placeholder; the group this rule belongs to
          fromPort: 443
          toPort: 443
          protocol: tcp
          prefixListIds:
            - ${s3.id}
    variables:
      current:
        fn::invoke:
          Function: aws:getRegion
          Arguments: {}
      # Region-specific S3 prefix list name: com.amazonaws.<region>.s3
      s3:
        fn::invoke:
          Function: aws:ec2:getPrefixList
          Arguments:
            name: com.amazonaws.${current.name}.s3
    

    Create SecurityGroupRule Resource

    new SecurityGroupRule(name: string, args: SecurityGroupRuleArgs, opts?: CustomResourceOptions);
    @overload
    def SecurityGroupRule(resource_name: str,
                          opts: Optional[ResourceOptions] = None,
                          cidr_blocks: Optional[Sequence[str]] = None,
                          description: Optional[str] = None,
                          from_port: Optional[int] = None,
                          ipv6_cidr_blocks: Optional[Sequence[str]] = None,
                          prefix_list_ids: Optional[Sequence[str]] = None,
                          protocol: Optional[Union[str, ProtocolType]] = None,
                          security_group_id: Optional[str] = None,
                          self: Optional[bool] = None,
                          source_security_group_id: Optional[str] = None,
                          to_port: Optional[int] = None,
                          type: Optional[str] = None)
    @overload
    def SecurityGroupRule(resource_name: str,
                          args: SecurityGroupRuleArgs,
                          opts: Optional[ResourceOptions] = None)
    func NewSecurityGroupRule(ctx *Context, name string, args SecurityGroupRuleArgs, opts ...ResourceOption) (*SecurityGroupRule, error)
    public SecurityGroupRule(string name, SecurityGroupRuleArgs args, CustomResourceOptions? opts = null)
    public SecurityGroupRule(String name, SecurityGroupRuleArgs args)
    public SecurityGroupRule(String name, SecurityGroupRuleArgs args, CustomResourceOptions options)
    
    type: aws:ec2:SecurityGroupRule
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    
    name string
    The unique name of the resource.
    args SecurityGroupRuleArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args SecurityGroupRuleArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args SecurityGroupRuleArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args SecurityGroupRuleArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args SecurityGroupRuleArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    SecurityGroupRule Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The SecurityGroupRule resource accepts the following input properties:

    FromPort int
    Start port (or ICMP type number if protocol is "icmp" or "icmpv6").
    Protocol string | Pulumi.Aws.Ec2.ProtocolType
    Protocol. If not icmp, icmpv6, tcp, udp, or all, use the protocol number.
    SecurityGroupId string
    Security group to apply this rule to.
    ToPort int
    End port (or ICMP code if protocol is "icmp").
    Type string

    Type of rule being created. Valid options are ingress (inbound) or egress (outbound).

    The following arguments are optional:

    Note Although cidr_blocks, ipv6_cidr_blocks, prefix_list_ids, and source_security_group_id are all marked as optional, you must provide one of them in order to configure the source of the traffic.

    CidrBlocks List<string>
    List of CIDR blocks. Cannot be specified with source_security_group_id or self.
    Description string
    Description of the rule.
    Ipv6CidrBlocks List<string>
    List of IPv6 CIDR blocks. Cannot be specified with source_security_group_id or self.
    PrefixListIds List<string>
    List of Prefix List IDs.
    Self bool
    Whether the security group itself will be added as a source to this ingress rule. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or source_security_group_id.
    SourceSecurityGroupId string
    Security group id to allow access to/from, depending on the type. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or self.
    FromPort int
    Start port (or ICMP type number if protocol is "icmp" or "icmpv6").
    Protocol string | ProtocolType
    Protocol. If not icmp, icmpv6, tcp, udp, or all, use the protocol number.
    SecurityGroupId string
    Security group to apply this rule to.
    ToPort int
    End port (or ICMP code if protocol is "icmp").
    Type string

    Type of rule being created. Valid options are ingress (inbound) or egress (outbound).

    The following arguments are optional:

    Note Although cidr_blocks, ipv6_cidr_blocks, prefix_list_ids, and source_security_group_id are all marked as optional, you must provide one of them in order to configure the source of the traffic.

    CidrBlocks []string
    List of CIDR blocks. Cannot be specified with source_security_group_id or self.
    Description string
    Description of the rule.
    Ipv6CidrBlocks []string
    List of IPv6 CIDR blocks. Cannot be specified with source_security_group_id or self.
    PrefixListIds []string
    List of Prefix List IDs.
    Self bool
    Whether the security group itself will be added as a source to this ingress rule. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or source_security_group_id.
    SourceSecurityGroupId string
    Security group id to allow access to/from, depending on the type. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or self.
    fromPort Integer
    Start port (or ICMP type number if protocol is "icmp" or "icmpv6").
    protocol String | ProtocolType
    Protocol. If not icmp, icmpv6, tcp, udp, or all, use the protocol number.
    securityGroupId String
    Security group to apply this rule to.
    toPort Integer
    End port (or ICMP code if protocol is "icmp").
    type String

    Type of rule being created. Valid options are ingress (inbound) or egress (outbound).

    The following arguments are optional:

    Note Although cidr_blocks, ipv6_cidr_blocks, prefix_list_ids, and source_security_group_id are all marked as optional, you must provide one of them in order to configure the source of the traffic.

    cidrBlocks List<String>
    List of CIDR blocks. Cannot be specified with source_security_group_id or self.
    description String
    Description of the rule.
    ipv6CidrBlocks List<String>
    List of IPv6 CIDR blocks. Cannot be specified with source_security_group_id or self.
    prefixListIds List<String>
    List of Prefix List IDs.
    self Boolean
    Whether the security group itself will be added as a source to this ingress rule. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or source_security_group_id.
    sourceSecurityGroupId String
    Security group id to allow access to/from, depending on the type. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or self.
    fromPort number
    Start port (or ICMP type number if protocol is "icmp" or "icmpv6").
    protocol string | ProtocolType
    Protocol. If not icmp, icmpv6, tcp, udp, or all, use the protocol number.
    securityGroupId string
    Security group to apply this rule to.
    toPort number
    End port (or ICMP code if protocol is "icmp").
    type string

    Type of rule being created. Valid options are ingress (inbound) or egress (outbound).

    The following arguments are optional:

    Note Although cidr_blocks, ipv6_cidr_blocks, prefix_list_ids, and source_security_group_id are all marked as optional, you must provide one of them in order to configure the source of the traffic.

    cidrBlocks string[]
    List of CIDR blocks. Cannot be specified with source_security_group_id or self.
    description string
    Description of the rule.
    ipv6CidrBlocks string[]
    List of IPv6 CIDR blocks. Cannot be specified with source_security_group_id or self.
    prefixListIds string[]
    List of Prefix List IDs.
    self boolean
    Whether the security group itself will be added as a source to this ingress rule. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or source_security_group_id.
    sourceSecurityGroupId string
    Security group id to allow access to/from, depending on the type. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or self.
    from_port int
    Start port (or ICMP type number if protocol is "icmp" or "icmpv6").
    protocol str | ProtocolType
    Protocol. If not icmp, icmpv6, tcp, udp, or all, use the protocol number.
    security_group_id str
    Security group to apply this rule to.
    to_port int
    End port (or ICMP code if protocol is "icmp").
    type str

    Type of rule being created. Valid options are ingress (inbound) or egress (outbound).

    The following arguments are optional:

    Note Although cidr_blocks, ipv6_cidr_blocks, prefix_list_ids, and source_security_group_id are all marked as optional, you must provide one of them in order to configure the source of the traffic.

    cidr_blocks Sequence[str]
    List of CIDR blocks. Cannot be specified with source_security_group_id or self.
    description str
    Description of the rule.
    ipv6_cidr_blocks Sequence[str]
    List of IPv6 CIDR blocks. Cannot be specified with source_security_group_id or self.
    prefix_list_ids Sequence[str]
    List of Prefix List IDs.
    self bool
    Whether the security group itself will be added as a source to this ingress rule. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or source_security_group_id.
    source_security_group_id str
    Security group id to allow access to/from, depending on the type. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or self.
    fromPort Number
    Start port (or ICMP type number if protocol is "icmp" or "icmpv6").
    protocol String | "all" | "tcp" | "udp" | "icmp"
    Protocol. If not icmp, icmpv6, tcp, udp, or all, use the protocol number.
    securityGroupId String
    Security group to apply this rule to.
    toPort Number
    End port (or ICMP code if protocol is "icmp").
    type String

    Type of rule being created. Valid options are ingress (inbound) or egress (outbound).

    The following arguments are optional:

    Note Although cidr_blocks, ipv6_cidr_blocks, prefix_list_ids, and source_security_group_id are all marked as optional, you must provide one of them in order to configure the source of the traffic.

    cidrBlocks List<String>
    List of CIDR blocks. Cannot be specified with source_security_group_id or self.
    description String
    Description of the rule.
    ipv6CidrBlocks List<String>
    List of IPv6 CIDR blocks. Cannot be specified with source_security_group_id or self.
    prefixListIds List<String>
    List of Prefix List IDs.
    self Boolean
    Whether the security group itself will be added as a source to this ingress rule. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or source_security_group_id.
    sourceSecurityGroupId String
    Security group id to allow access to/from, depending on the type. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or self.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the SecurityGroupRule resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    SecurityGroupRuleId string
    If the aws.ec2.SecurityGroupRule resource has a single source or destination then this is the AWS Security Group Rule resource ID. Otherwise it is empty.
    Id string
    The provider-assigned unique ID for this managed resource.
    SecurityGroupRuleId string
    If the aws.ec2.SecurityGroupRule resource has a single source or destination then this is the AWS Security Group Rule resource ID. Otherwise it is empty.
    id String
    The provider-assigned unique ID for this managed resource.
    securityGroupRuleId String
    If the aws.ec2.SecurityGroupRule resource has a single source or destination then this is the AWS Security Group Rule resource ID. Otherwise it is empty.
    id string
    The provider-assigned unique ID for this managed resource.
    securityGroupRuleId string
    If the aws.ec2.SecurityGroupRule resource has a single source or destination then this is the AWS Security Group Rule resource ID. Otherwise it is empty.
    id str
    The provider-assigned unique ID for this managed resource.
    security_group_rule_id str
    If the aws.ec2.SecurityGroupRule resource has a single source or destination then this is the AWS Security Group Rule resource ID. Otherwise it is empty.
    id String
    The provider-assigned unique ID for this managed resource.
    securityGroupRuleId String
    If the aws.ec2.SecurityGroupRule resource has a single source or destination then this is the AWS Security Group Rule resource ID. Otherwise it is empty.

    Look up Existing SecurityGroupRule Resource

    Get an existing SecurityGroupRule resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: SecurityGroupRuleState, opts?: CustomResourceOptions): SecurityGroupRule
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            cidr_blocks: Optional[Sequence[str]] = None,
            description: Optional[str] = None,
            from_port: Optional[int] = None,
            ipv6_cidr_blocks: Optional[Sequence[str]] = None,
            prefix_list_ids: Optional[Sequence[str]] = None,
            protocol: Optional[Union[str, ProtocolType]] = None,
            security_group_id: Optional[str] = None,
            security_group_rule_id: Optional[str] = None,
            self: Optional[bool] = None,
            source_security_group_id: Optional[str] = None,
            to_port: Optional[int] = None,
            type: Optional[str] = None) -> SecurityGroupRule
    func GetSecurityGroupRule(ctx *Context, name string, id IDInput, state *SecurityGroupRuleState, opts ...ResourceOption) (*SecurityGroupRule, error)
    public static SecurityGroupRule Get(string name, Input<string> id, SecurityGroupRuleState? state, CustomResourceOptions? opts = null)
    public static SecurityGroupRule get(String name, Output<String> id, SecurityGroupRuleState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    CidrBlocks List<string>
    List of CIDR blocks. Cannot be specified with source_security_group_id or self.
    Description string
    Description of the rule.
    FromPort int
    Start port (or ICMP type number if protocol is "icmp" or "icmpv6").
    Ipv6CidrBlocks List<string>
    List of IPv6 CIDR blocks. Cannot be specified with source_security_group_id or self.
    PrefixListIds List<string>
    List of Prefix List IDs.
    Protocol string | Pulumi.Aws.Ec2.ProtocolType
    Protocol. If not icmp, icmpv6, tcp, udp, or all, use the protocol number.
    SecurityGroupId string
    Security group to apply this rule to.
    SecurityGroupRuleId string
    If the aws.ec2.SecurityGroupRule resource has a single source or destination then this is the AWS Security Group Rule resource ID. Otherwise it is empty.
    Self bool
    Whether the security group itself will be added as a source to this ingress rule. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or source_security_group_id.
    SourceSecurityGroupId string
    Security group id to allow access to/from, depending on the type. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or self.
    ToPort int
    End port (or ICMP code if protocol is "icmp").
    Type string

    Type of rule being created. Valid options are ingress (inbound) or egress (outbound).

    The following arguments are optional:

    Note Although cidr_blocks, ipv6_cidr_blocks, prefix_list_ids, and source_security_group_id are all marked as optional, you must provide one of them in order to configure the source of the traffic.

    CidrBlocks []string
    List of CIDR blocks. Cannot be specified with source_security_group_id or self.
    Description string
    Description of the rule.
    FromPort int
    Start port (or ICMP type number if protocol is "icmp" or "icmpv6").
    Ipv6CidrBlocks []string
    List of IPv6 CIDR blocks. Cannot be specified with source_security_group_id or self.
    PrefixListIds []string
    List of Prefix List IDs.
    Protocol string | ProtocolType
    Protocol. If not icmp, icmpv6, tcp, udp, or all, use the IANA protocol number.
    SecurityGroupId string
    Security group to apply this rule to.
    SecurityGroupRuleId string
    If the aws.ec2.SecurityGroupRule resource has a single source or destination then this is the AWS Security Group Rule resource ID. Otherwise it is empty.
    Self bool
    Whether the security group itself will be added as a source to this ingress rule. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or source_security_group_id.
    SourceSecurityGroupId string
    Security group id to allow access to/from, depending on the type. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or self.
    ToPort int
    End port (or ICMP code if protocol is "icmp").
    Type string

    Type of rule being created. Valid options are ingress (inbound) or egress (outbound).

    The following arguments are optional:

    Note Although cidr_blocks, ipv6_cidr_blocks, prefix_list_ids, and source_security_group_id are all marked as optional, you must provide one of them in order to configure the source of the traffic.

    cidrBlocks List<String>
    List of CIDR blocks. Cannot be specified with source_security_group_id or self.
    description String
    Description of the rule.
    fromPort Integer
    Start port (or ICMP type number if protocol is "icmp" or "icmpv6").
    ipv6CidrBlocks List<String>
    List of IPv6 CIDR blocks. Cannot be specified with source_security_group_id or self.
    prefixListIds List<String>
    List of Prefix List IDs.
    protocol String | ProtocolType
    Protocol. If not icmp, icmpv6, tcp, udp, or all, use the IANA protocol number.
    securityGroupId String
    Security group to apply this rule to.
    securityGroupRuleId String
    If the aws.ec2.SecurityGroupRule resource has a single source or destination then this is the AWS Security Group Rule resource ID. Otherwise it is empty.
    self Boolean
    Whether the security group itself will be added as a source to this ingress rule. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or source_security_group_id.
    sourceSecurityGroupId String
    Security group id to allow access to/from, depending on the type. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or self.
    toPort Integer
    End port (or ICMP code if protocol is "icmp").
    type String

    Type of rule being created. Valid options are ingress (inbound) or egress (outbound).

    The following arguments are optional:

    Note Although cidr_blocks, ipv6_cidr_blocks, prefix_list_ids, and source_security_group_id are all marked as optional, you must provide one of them in order to configure the source of the traffic.

    cidrBlocks string[]
    List of CIDR blocks. Cannot be specified with source_security_group_id or self.
    description string
    Description of the rule.
    fromPort number
    Start port (or ICMP type number if protocol is "icmp" or "icmpv6").
    ipv6CidrBlocks string[]
    List of IPv6 CIDR blocks. Cannot be specified with source_security_group_id or self.
    prefixListIds string[]
    List of Prefix List IDs.
    protocol string | ProtocolType
    Protocol. If not icmp, icmpv6, tcp, udp, or all, use the IANA protocol number.
    securityGroupId string
    Security group to apply this rule to.
    securityGroupRuleId string
    If the aws.ec2.SecurityGroupRule resource has a single source or destination then this is the AWS Security Group Rule resource ID. Otherwise it is empty.
    self boolean
    Whether the security group itself will be added as a source to this ingress rule. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or source_security_group_id.
    sourceSecurityGroupId string
    Security group id to allow access to/from, depending on the type. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or self.
    toPort number
    End port (or ICMP code if protocol is "icmp").
    type string

    Type of rule being created. Valid options are ingress (inbound) or egress (outbound).

    The following arguments are optional:

    Note Although cidr_blocks, ipv6_cidr_blocks, prefix_list_ids, and source_security_group_id are all marked as optional, you must provide one of them in order to configure the source of the traffic.

    cidr_blocks Sequence[str]
    List of CIDR blocks. Cannot be specified with source_security_group_id or self.
    description str
    Description of the rule.
    from_port int
    Start port (or ICMP type number if protocol is "icmp" or "icmpv6").
    ipv6_cidr_blocks Sequence[str]
    List of IPv6 CIDR blocks. Cannot be specified with source_security_group_id or self.
    prefix_list_ids Sequence[str]
    List of Prefix List IDs.
    protocol str | ProtocolType
    Protocol. If not icmp, icmpv6, tcp, udp, or all, use the IANA protocol number.
    security_group_id str
    Security group to apply this rule to.
    security_group_rule_id str
    If the aws.ec2.SecurityGroupRule resource has a single source or destination then this is the AWS Security Group Rule resource ID. Otherwise it is empty.
    self bool
    Whether the security group itself will be added as a source to this ingress rule. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or source_security_group_id.
    source_security_group_id str
    Security group id to allow access to/from, depending on the type. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or self.
    to_port int
    End port (or ICMP code if protocol is "icmp").
    type str

    Type of rule being created. Valid options are ingress (inbound) or egress (outbound).

    The following arguments are optional:

    Note Although cidr_blocks, ipv6_cidr_blocks, prefix_list_ids, and source_security_group_id are all marked as optional, you must provide one of them in order to configure the source of the traffic.

    cidrBlocks List<String>
    List of CIDR blocks. Cannot be specified with source_security_group_id or self.
    description String
    Description of the rule.
    fromPort Number
    Start port (or ICMP type number if protocol is "icmp" or "icmpv6").
    ipv6CidrBlocks List<String>
    List of IPv6 CIDR blocks. Cannot be specified with source_security_group_id or self.
    prefixListIds List<String>
    List of Prefix List IDs.
    protocol String | "all" | "tcp" | "udp" | "icmp"
    Protocol. If not icmp, icmpv6, tcp, udp, or all, use the IANA protocol number.
    securityGroupId String
    Security group to apply this rule to.
    securityGroupRuleId String
    If the aws.ec2.SecurityGroupRule resource has a single source or destination then this is the AWS Security Group Rule resource ID. Otherwise it is empty.
    self Boolean
    Whether the security group itself will be added as a source to this ingress rule. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or source_security_group_id.
    sourceSecurityGroupId String
    Security group id to allow access to/from, depending on the type. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or self.
    toPort Number
    End port (or ICMP code if protocol is "icmp").
    type String

    Type of rule being created. Valid options are ingress (inbound) or egress (outbound).

    The following arguments are optional:

    Note Although cidr_blocks, ipv6_cidr_blocks, prefix_list_ids, and source_security_group_id are all marked as optional, you must provide one of them in order to configure the source of the traffic.

    Supporting Types

    ProtocolType, ProtocolTypeArgs

    All
    all
    TCP
    tcp
    UDP
    udp
    ICMP
    icmp
    ProtocolTypeAll
    all
    ProtocolTypeTCP
    tcp
    ProtocolTypeUDP
    udp
    ProtocolTypeICMP
    icmp
    All
    all
    TCP
    tcp
    UDP
    udp
    ICMP
    icmp
    All
    all
    TCP
    tcp
    UDP
    udp
    ICMP
    icmp
    ALL
    all
    TCP
    tcp
    UDP
    udp
    ICMP
    icmp
    "all"
    all
    "tcp"
    tcp
    "udp"
    udp
    "icmp"
    icmp

    Import

    Import a rule with various IPv4 and IPv6 source CIDR blocks:

    Import a rule, applicable to all ports, with a protocol other than TCP/UDP/ICMP/ICMPV6/ALL, specified by its IANA protocol number (for example, 92 for Multicast Transport Protocol (MTP)).

    Import a default any/any egress rule to 0.0.0.0/0:

    Import an egress rule with a prefix list ID destination:

    Import a rule applicable to all protocols and ports with a security group source:

    Import a rule that has itself and an IPv6 CIDR block as sources:

    Use pulumi import to import Security Group Rules, specifying the security_group_id, type, protocol, from_port, to_port, and source(s)/destination(s) (such as a cidr_block), separated by underscores (_). All parts are required. For example:

    NOTE: Not all rule permissions (e.g., not all of a rule’s CIDR blocks) need to be imported for this provider to manage rule permissions. However, importing some of a rule’s permissions but not others, and then making changes to the rule will result in the creation of an additional rule to capture the updated permissions. Rule permissions that were not imported are left intact in the original rule.

    Import an ingress rule in security group sg-6e616f6d69 for TCP port 8000 with an IPv4 source CIDR of 10.0.3.0/24:

    $ pulumi import aws:ec2/securityGroupRule:SecurityGroupRule ingress sg-6e616f6d69_ingress_tcp_8000_8000_10.0.3.0/24
    

    Import a rule with various IPv4 and IPv6 source CIDR blocks:

    $ pulumi import aws:ec2/securityGroupRule:SecurityGroupRule ingress sg-4973616163_ingress_tcp_100_121_10.1.0.0/16_2001:db8::/48_10.2.0.0/16_2002:db8::/48
    

    Import a rule, applicable to all ports, with a protocol other than TCP/UDP/ICMP/ICMPV6/ALL, specified by its IANA protocol number (for example, 92 for Multicast Transport Protocol (MTP)):

    $ pulumi import aws:ec2/securityGroupRule:SecurityGroupRule ingress sg-6777656e646f6c796e_ingress_92_0_65536_10.0.3.0/24_10.0.4.0/24
    

    Import a default any/any egress rule to 0.0.0.0/0:

    $ pulumi import aws:ec2/securityGroupRule:SecurityGroupRule default_egress sg-6777656e646f6c796e_egress_all_0_0_0.0.0.0/0
    

    Import an egress rule with a prefix list ID destination:

    $ pulumi import aws:ec2/securityGroupRule:SecurityGroupRule egress sg-62726f6479_egress_tcp_8000_8000_pl-6469726b
    

    Import a rule applicable to all protocols and ports with a security group source:

    $ pulumi import aws:ec2/securityGroupRule:SecurityGroupRule ingress_rule sg-7472697374616e_ingress_all_0_65536_sg-6176657279
    

    Import a rule that has itself and an IPv6 CIDR block as sources:

    $ pulumi import aws:ec2/securityGroupRule:SecurityGroupRule rule_name sg-656c65616e6f72_ingress_tcp_80_80_self_2001:db8::/48
    

    Package Details

    Repository
    AWS Classic pulumi/pulumi-aws
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the aws Terraform Provider.