aws.ec2.SecurityGroupRule
Provides a security group rule resource. Represents a single ingress or egress group rule, which can be added to external Security Groups.
NOTE: Avoid using the
aws.ec2.SecurityGroupRule resource, as it struggles with managing multiple CIDR blocks and, due to the historical lack of unique IDs, with tags and descriptions. To avoid these problems, use the current best practice of the aws.vpc.SecurityGroupEgressRule and aws.vpc.SecurityGroupIngressRule resources with one CIDR block per rule.
!> WARNING: You should not use the aws.ec2.SecurityGroupRule resource in conjunction with aws.vpc.SecurityGroupEgressRule and aws.vpc.SecurityGroupIngressRule resources or with an aws.ec2.SecurityGroup resource that has in-line rules. Doing so may cause rule conflicts, perpetual differences, and result in rules being overwritten.
NOTE: Setting
protocol = "all" or protocol = -1 together with from_port and to_port will result in the EC2 API creating a security group rule with all ports open. This API behavior cannot be controlled by this provider and may generate warnings in the future.
NOTE: Referencing Security Groups across VPC peering has certain restrictions. More information is available in the VPC Peering User Guide.
Example Usage
Basic usage
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Ingress rule admitting every TCP port (0-65535) from the VPC's IPv4 and
// IPv6 CIDR blocks; "sg-123456" is a sample security group ID.
// exampleAwsVpc is assumed to be an aws.ec2.Vpc declared elsewhere.
const exampleArgs: aws.ec2.SecurityGroupRuleArgs = {
    securityGroupId: "sg-123456",
    type: "ingress",
    protocol: aws.ec2.ProtocolType.TCP,
    fromPort: 0,
    toPort: 65535,
    cidrBlocks: [exampleAwsVpc.cidrBlock],
    ipv6CidrBlocks: [exampleAwsVpc.ipv6CidrBlock],
};
const example = new aws.ec2.SecurityGroupRule("example", exampleArgs);
import pulumi
import pulumi_aws as aws
# Ingress rule admitting every TCP port (0-65535) from the VPC's IPv4 and
# IPv6 CIDR blocks; "sg-123456" is a sample security group ID.
# example_aws_vpc is presumed to be a dict-like view of a Vpc declared elsewhere.
example_args = {
    "security_group_id": "sg-123456",
    "type": "ingress",
    "protocol": aws.ec2.ProtocolType.TCP,
    "from_port": 0,
    "to_port": 65535,
    "cidr_blocks": [example_aws_vpc["cidrBlock"]],
    "ipv6_cidr_blocks": [example_aws_vpc["ipv6CidrBlock"]],
}
example = aws.ec2.SecurityGroupRule("example", **example_args)
package main
import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/ec2"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Ingress rule admitting every TCP port (0-65535) from the VPC's IPv4
		// and IPv6 CIDR blocks; "sg-123456" is a sample security group ID.
		// exampleAwsVpc is assumed to be an *ec2.Vpc declared elsewhere.
		args := &ec2.SecurityGroupRuleArgs{
			SecurityGroupId: pulumi.String("sg-123456"),
			Type:            pulumi.String("ingress"),
			Protocol:        pulumi.String(ec2.ProtocolTypeTCP),
			FromPort:        pulumi.Int(0),
			ToPort:          pulumi.Int(65535),
			CidrBlocks:      pulumi.StringArray{exampleAwsVpc.CidrBlock},
			Ipv6CidrBlocks:  pulumi.StringArray{exampleAwsVpc.Ipv6CidrBlock},
		}
		if _, err := ec2.NewSecurityGroupRule(ctx, "example", args); err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
// Ingress rule admitting every TCP port (0-65535) from the VPC's IPv4 and
// IPv6 CIDR blocks; "sg-123456" is a sample security group ID.
// exampleAwsVpc is assumed to be an Aws.Ec2.Vpc declared elsewhere.
return await Deployment.RunAsync(() =>
{
    var exampleArgs = new Aws.Ec2.SecurityGroupRuleArgs
    {
        SecurityGroupId = "sg-123456",
        Type = "ingress",
        Protocol = Aws.Ec2.ProtocolType.TCP,
        FromPort = 0,
        ToPort = 65535,
        CidrBlocks = new[] { exampleAwsVpc.CidrBlock },
        Ipv6CidrBlocks = new[] { exampleAwsVpc.Ipv6CidrBlock },
    };
    var example = new Aws.Ec2.SecurityGroupRule("example", exampleArgs);
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.ec2.SecurityGroupRule;
import com.pulumi.aws.ec2.SecurityGroupRuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares an ingress rule admitting every TCP port (0-65535) from the
     * VPC's IPv4 and IPv6 CIDR blocks. "sg-123456" is a sample security group
     * ID; exampleAwsVpc is assumed to be a Vpc declared elsewhere.
     */
    public static void stack(Context ctx) {
        var exampleArgs = SecurityGroupRuleArgs.builder()
            .securityGroupId("sg-123456")
            .type("ingress")
            .protocol("tcp")
            .fromPort(0)
            .toPort(65535)
            .cidrBlocks(exampleAwsVpc.cidrBlock())
            .ipv6CidrBlocks(exampleAwsVpc.ipv6CidrBlock())
            .build();
        new SecurityGroupRule("example", exampleArgs);
    }
}
resources:
  # Ingress rule admitting every TCP port (0-65535) from the VPC's IPv4 and
  # IPv6 CIDR blocks; sg-123456 is a sample security group ID.
  example:
    type: aws:ec2:SecurityGroupRule
    properties:
      type: ingress
      fromPort: 0
      toPort: 65535
      protocol: tcp
      cidrBlocks:
        - ${exampleAwsVpc.cidrBlock}
      ipv6CidrBlocks:
        - ${exampleAwsVpc.ipv6CidrBlock}
      securityGroupId: sg-123456
Usage With Prefix List IDs
Prefix Lists are either managed by AWS internally, or created by the customer using a Managed Prefix List resource. Prefix Lists provided by AWS are associated with a prefix list name, or service name, that is linked to a specific region.
Prefix list IDs are exported on VPC Endpoints, so you can use this format:
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// ...
const myEndpoint = new aws.ec2.VpcEndpoint("my_endpoint", {});
// Egress rule allowing all protocols and ports ("-1") only to the endpoint's
// prefix list; "sg-123456" is a sample security group ID.
const allowAllArgs: aws.ec2.SecurityGroupRuleArgs = {
    securityGroupId: "sg-123456",
    type: "egress",
    protocol: "-1",
    fromPort: 0,
    toPort: 0,
    prefixListIds: [myEndpoint.prefixListId],
};
const allowAll = new aws.ec2.SecurityGroupRule("allow_all", allowAllArgs);
import pulumi
import pulumi_aws as aws
# ...
my_endpoint = aws.ec2.VpcEndpoint("my_endpoint")
# Egress rule allowing all protocols and ports ("-1") only to the endpoint's
# prefix list; "sg-123456" is a sample security group ID.
allow_all_args = {
    "security_group_id": "sg-123456",
    "type": "egress",
    "protocol": "-1",
    "from_port": 0,
    "to_port": 0,
    "prefix_list_ids": [my_endpoint.prefix_list_id],
}
allow_all = aws.ec2.SecurityGroupRule("allow_all", **allow_all_args)
package main
import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/ec2"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// ...
		myEndpoint, err := ec2.NewVpcEndpoint(ctx, "my_endpoint", nil)
		if err != nil {
			return err
		}
		// Egress rule allowing all protocols and ports ("-1") only to the
		// endpoint's prefix list; "sg-123456" is a sample security group ID.
		args := &ec2.SecurityGroupRuleArgs{
			SecurityGroupId: pulumi.String("sg-123456"),
			Type:            pulumi.String("egress"),
			Protocol:        pulumi.String("-1"),
			FromPort:        pulumi.Int(0),
			ToPort:          pulumi.Int(0),
			PrefixListIds:   pulumi.StringArray{myEndpoint.PrefixListId},
		}
		_, err = ec2.NewSecurityGroupRule(ctx, "allow_all", args)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
    // ...
    var myEndpoint = new Aws.Ec2.VpcEndpoint("my_endpoint");
    // Egress rule allowing all protocols and ports ("-1") only to the
    // endpoint's prefix list; "sg-123456" is a sample security group ID.
    var allowAllArgs = new Aws.Ec2.SecurityGroupRuleArgs
    {
        SecurityGroupId = "sg-123456",
        Type = "egress",
        Protocol = "-1",
        FromPort = 0,
        ToPort = 0,
        PrefixListIds = new[] { myEndpoint.PrefixListId },
    };
    var allowAll = new Aws.Ec2.SecurityGroupRule("allow_all", allowAllArgs);
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.ec2.VpcEndpoint;
import com.pulumi.aws.ec2.SecurityGroupRule;
import com.pulumi.aws.ec2.SecurityGroupRuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares a VPC endpoint and an egress rule allowing all protocols and
     * ports ("-1") only to that endpoint's prefix list. "sg-123456" is a
     * sample security group ID. Note that the logical names "myEndpoint" and
     * "allowAll" differ from the snake_case names used by this page's other
     * language examples.
     */
    public static void stack(Context ctx) {
        // ...
        var myEndpoint = new VpcEndpoint("myEndpoint");
        var allowAllArgs = SecurityGroupRuleArgs.builder()
            .securityGroupId("sg-123456")
            .type("egress")
            .protocol("-1")
            .fromPort(0)
            .toPort(0)
            .prefixListIds(myEndpoint.prefixListId())
            .build();
        new SecurityGroupRule("allowAll", allowAllArgs);
    }
}
resources:
  # Egress rule allowing all protocols and ports ("-1") only to the
  # endpoint's prefix list; sg-123456 is a sample security group ID.
  allowAll:
    type: aws:ec2:SecurityGroupRule
    name: allow_all
    properties:
      type: egress
      toPort: 0
      protocol: '-1'
      prefixListIds:
        - ${myEndpoint.prefixListId}
      fromPort: 0
      securityGroupId: sg-123456
  # ...
  myEndpoint:
    type: aws:ec2:VpcEndpoint
    name: my_endpoint
You can also find a specific Prefix List using the aws.ec2.getPrefixList
or ec2_managed_prefix_list data sources:
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const current = aws.getRegion({});
// Resolve the regional S3 prefix list by its service name, then allow HTTPS
// egress (TCP 443) only to that prefix list; "sg-123456" is a sample
// security group ID.
const s3 = current.then(region => aws.ec2.getPrefixList({
    name: `com.amazonaws.${region.region}.s3`,
}));
const s3GatewayEgressArgs: aws.ec2.SecurityGroupRuleArgs = {
    securityGroupId: "sg-123456",
    description: "S3 Gateway Egress",
    type: "egress",
    protocol: aws.ec2.ProtocolType.TCP,
    fromPort: 443,
    toPort: 443,
    prefixListIds: [s3.then(list => list.id)],
};
const s3GatewayEgress = new aws.ec2.SecurityGroupRule("s3_gateway_egress", s3GatewayEgressArgs);
import pulumi
import pulumi_aws as aws
current = aws.get_region()
# Resolve the regional S3 prefix list by its service name, then allow HTTPS
# egress (TCP 443) only to that prefix list; "sg-123456" is a sample
# security group ID.
prefix_list_name = f"com.amazonaws.{current.region}.s3"
s3 = aws.ec2.get_prefix_list(name=prefix_list_name)
s3_gateway_egress_args = {
    "security_group_id": "sg-123456",
    "description": "S3 Gateway Egress",
    "type": "egress",
    "protocol": aws.ec2.ProtocolType.TCP,
    "from_port": 443,
    "to_port": 443,
    "prefix_list_ids": [s3.id],
}
s3_gateway_egress = aws.ec2.SecurityGroupRule("s3_gateway_egress", **s3_gateway_egress_args)
package main
import (
	"fmt"
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws"
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/ec2"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		current, err := aws.GetRegion(ctx, &aws.GetRegionArgs{}, nil)
		if err != nil {
			return err
		}
		// Resolve the regional S3 prefix list by its service name.
		prefixListName := fmt.Sprintf("com.amazonaws.%v.s3", current.Region)
		s3, err := ec2.GetPrefixList(ctx, &ec2.GetPrefixListArgs{
			Name: pulumi.StringRef(prefixListName),
		}, nil)
		if err != nil {
			return err
		}
		// HTTPS egress (TCP 443) restricted to the S3 prefix list; "sg-123456"
		// is a sample security group ID.
		args := &ec2.SecurityGroupRuleArgs{
			SecurityGroupId: pulumi.String("sg-123456"),
			Description:     pulumi.String("S3 Gateway Egress"),
			Type:            pulumi.String("egress"),
			Protocol:        pulumi.String(ec2.ProtocolTypeTCP),
			FromPort:        pulumi.Int(443),
			ToPort:          pulumi.Int(443),
			PrefixListIds:   pulumi.StringArray{pulumi.String(s3.Id)},
		}
		_, err = ec2.NewSecurityGroupRule(ctx, "s3_gateway_egress", args)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
    // Resolve the regional S3 prefix list by its service name.
    var current = Aws.GetRegion.Invoke();
    var s3 = Aws.Ec2.GetPrefixList.Invoke(new()
    {
        Name = $"com.amazonaws.{current.Apply(getRegionResult => getRegionResult.Region)}.s3",
    });
    // HTTPS egress (TCP 443) restricted to the S3 prefix list; "sg-123456"
    // is a sample security group ID.
    var s3GatewayEgressArgs = new Aws.Ec2.SecurityGroupRuleArgs
    {
        SecurityGroupId = "sg-123456",
        Description = "S3 Gateway Egress",
        Type = "egress",
        Protocol = Aws.Ec2.ProtocolType.TCP,
        FromPort = 443,
        ToPort = 443,
        PrefixListIds = new[] { s3.Apply(getPrefixListResult => getPrefixListResult.Id) },
    };
    var s3GatewayEgress = new Aws.Ec2.SecurityGroupRule("s3_gateway_egress", s3GatewayEgressArgs);
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.AwsFunctions;
import com.pulumi.aws.inputs.GetRegionArgs;
import com.pulumi.aws.ec2.Ec2Functions;
import com.pulumi.aws.ec2.inputs.GetPrefixListArgs;
import com.pulumi.aws.ec2.SecurityGroupRule;
import com.pulumi.aws.ec2.SecurityGroupRuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Looks up the current region and the S3 prefix list for it, then declares
     * an HTTPS egress rule (TCP 443) restricted to that prefix list.
     * "sg-123456" is a sample security group ID.
     */
    public static void stack(Context ctx) {
        final var current = AwsFunctions.getRegion(GetRegionArgs.builder().build());
        final var prefixListName = String.format("com.amazonaws.%s.s3", current.region());
        final var s3 = Ec2Functions.getPrefixList(GetPrefixListArgs.builder()
            .name(prefixListName)
            .build());
        var s3GatewayEgressArgs = SecurityGroupRuleArgs.builder()
            .securityGroupId("sg-123456")
            .description("S3 Gateway Egress")
            .type("egress")
            .protocol("tcp")
            .fromPort(443)
            .toPort(443)
            .prefixListIds(s3.id())
            .build();
        new SecurityGroupRule("s3GatewayEgress", s3GatewayEgressArgs);
    }
}
resources:
  # HTTPS egress (TCP 443) restricted to the regional S3 prefix list resolved
  # in the variables section below; sg-123456 is a sample security group ID.
  s3GatewayEgress:
    type: aws:ec2:SecurityGroupRule
    name: s3_gateway_egress
    properties:
      description: S3 Gateway Egress
      type: egress
      securityGroupId: sg-123456
      fromPort: 443
      toPort: 443
      protocol: tcp
      prefixListIds:
        - ${s3.id}
variables:
  current:
    fn::invoke:
      function: aws:getRegion
      arguments: {}
  # Prefix list looked up by the regional S3 service name.
  s3:
    fn::invoke:
      function: aws:ec2:getPrefixList
      arguments:
        name: com.amazonaws.${current.region}.s3
Create SecurityGroupRule Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new SecurityGroupRule(name: string, args: SecurityGroupRuleArgs, opts?: CustomResourceOptions);
@overload
def SecurityGroupRule(resource_name: str,
                      args: SecurityGroupRuleArgs,
                      opts: Optional[ResourceOptions] = None)
@overload
def SecurityGroupRule(resource_name: str,
                      opts: Optional[ResourceOptions] = None,
                      from_port: Optional[int] = None,
                      protocol: Optional[Union[str, ProtocolType]] = None,
                      security_group_id: Optional[str] = None,
                      to_port: Optional[int] = None,
                      type: Optional[str] = None,
                      cidr_blocks: Optional[Sequence[str]] = None,
                      description: Optional[str] = None,
                      ipv6_cidr_blocks: Optional[Sequence[str]] = None,
                      prefix_list_ids: Optional[Sequence[str]] = None,
                      region: Optional[str] = None,
                      self: Optional[bool] = None,
                      source_security_group_id: Optional[str] = None)
func NewSecurityGroupRule(ctx *Context, name string, args SecurityGroupRuleArgs, opts ...ResourceOption) (*SecurityGroupRule, error)
public SecurityGroupRule(string name, SecurityGroupRuleArgs args, CustomResourceOptions? opts = null)
public SecurityGroupRule(String name, SecurityGroupRuleArgs args)
public SecurityGroupRule(String name, SecurityGroupRuleArgs args, CustomResourceOptions options)
type: aws:ec2:SecurityGroupRule
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args SecurityGroupRuleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args SecurityGroupRuleArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args SecurityGroupRuleArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args SecurityGroupRuleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args SecurityGroupRuleArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
// Reference constructor call: every value is a placeholder of the property's type.
var securityGroupRuleArgs = new Aws.Ec2.SecurityGroupRuleArgs
{
    SecurityGroupId = "string",
    Type = "string",
    Protocol = "string",
    FromPort = 0,
    ToPort = 0,
    CidrBlocks = new[] { "string" },
    Ipv6CidrBlocks = new[] { "string" },
    PrefixListIds = new[] { "string" },
    Description = "string",
    Region = "string",
    Self = false,
    SourceSecurityGroupId = "string",
};
var securityGroupRuleResource = new Aws.Ec2.SecurityGroupRule("securityGroupRuleResource", securityGroupRuleArgs);
// Reference constructor call: every value is a placeholder of the property's type.
securityGroupRuleArgs := &ec2.SecurityGroupRuleArgs{
	SecurityGroupId:       pulumi.String("string"),
	Type:                  pulumi.String("string"),
	Protocol:              pulumi.String("string"),
	FromPort:              pulumi.Int(0),
	ToPort:                pulumi.Int(0),
	CidrBlocks:            pulumi.StringArray{pulumi.String("string")},
	Ipv6CidrBlocks:        pulumi.StringArray{pulumi.String("string")},
	PrefixListIds:         pulumi.StringArray{pulumi.String("string")},
	Description:           pulumi.String("string"),
	Region:                pulumi.String("string"),
	Self:                  pulumi.Bool(false),
	SourceSecurityGroupId: pulumi.String("string"),
}
example, err := ec2.NewSecurityGroupRule(ctx, "securityGroupRuleResource", securityGroupRuleArgs)
// Reference constructor call: every value is a placeholder of the property's type.
var securityGroupRuleArgs = SecurityGroupRuleArgs.builder()
    .securityGroupId("string")
    .type("string")
    .protocol("string")
    .fromPort(0)
    .toPort(0)
    .cidrBlocks("string")
    .ipv6CidrBlocks("string")
    .prefixListIds("string")
    .description("string")
    .region("string")
    .self(false)
    .sourceSecurityGroupId("string")
    .build();
var securityGroupRuleResource = new SecurityGroupRule("securityGroupRuleResource", securityGroupRuleArgs);
# Reference constructor call: every value is a placeholder of the property's type.
security_group_rule_args = {
    "security_group_id": "string",
    "type": "string",
    "protocol": "string",
    "from_port": 0,
    "to_port": 0,
    "cidr_blocks": ["string"],
    "ipv6_cidr_blocks": ["string"],
    "prefix_list_ids": ["string"],
    "description": "string",
    "region": "string",
    "self": False,
    "source_security_group_id": "string",
}
security_group_rule_resource = aws.ec2.SecurityGroupRule("securityGroupRuleResource", **security_group_rule_args)
// Reference constructor call: every value is a placeholder of the property's type.
const securityGroupRuleArgs: aws.ec2.SecurityGroupRuleArgs = {
    securityGroupId: "string",
    type: "string",
    protocol: "string",
    fromPort: 0,
    toPort: 0,
    cidrBlocks: ["string"],
    ipv6CidrBlocks: ["string"],
    prefixListIds: ["string"],
    description: "string",
    region: "string",
    self: false,
    sourceSecurityGroupId: "string",
};
const securityGroupRuleResource = new aws.ec2.SecurityGroupRule("securityGroupRuleResource", securityGroupRuleArgs);
type: aws:ec2:SecurityGroupRule
# Reference shape: every value is a placeholder of the property's type.
properties:
    cidrBlocks:
        - string
    description: string
    fromPort: 0
    ipv6CidrBlocks:
        - string
    prefixListIds:
        - string
    protocol: string
    region: string
    securityGroupId: string
    self: false
    sourceSecurityGroupId: string
    toPort: 0
    type: string
SecurityGroupRule Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The SecurityGroupRule resource accepts the following input properties:
- FromPort int
- Start port (or ICMP type number if protocol is "icmp" or "icmpv6").
- Protocol
string | Pulumi.Aws.Ec2.ProtocolType
- Protocol. If not icmp, icmpv6, tcp, udp, or all, use the protocol number.
- SecurityGroupId string
- Security group to apply this rule to.
- ToPort int
- End port (or ICMP code if protocol is "icmp").
- Type string
- Type of rule being created. Valid options are ingress (inbound) or egress (outbound). The following arguments are optional:
- CidrBlocks List<string>
- List of CIDR blocks. Cannot be specified with source_security_group_id or self.
- Description string
- Description of the rule.
- Ipv6CidrBlocks List<string>
- List of IPv6 CIDR blocks. Cannot be specified with source_security_group_id or self.
- PrefixListIds List<string>
- List of Prefix List IDs.
- Region string
- Region where this resource will be managed. Defaults to the Region set in the provider configuration. Note: although cidr_blocks, ipv6_cidr_blocks, prefix_list_ids, and source_security_group_id are all marked as optional, you must provide one of them in order to configure the source of the traffic.
- Self bool
- Whether the security group itself will be added as a source to this ingress rule. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or source_security_group_id.
- SourceSecurityGroupId string
- Security group ID to allow access to/from, depending on the type. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or self.
- FromPort int
- Start port (or ICMP type number if protocol is "icmp" or "icmpv6").
- Protocol
string | ProtocolType
- Protocol. If not icmp, icmpv6, tcp, udp, or all, use the protocol number.
- SecurityGroupId string
- Security group to apply this rule to.
- ToPort int
- End port (or ICMP code if protocol is "icmp").
- Type string
- Type of rule being created. Valid options are ingress (inbound) or egress (outbound). The following arguments are optional:
- CidrBlocks []string
- List of CIDR blocks. Cannot be specified with source_security_group_id or self.
- Description string
- Description of the rule.
- Ipv6CidrBlocks []string
- List of IPv6 CIDR blocks. Cannot be specified with source_security_group_id or self.
- PrefixListIds []string
- List of Prefix List IDs.
- Region string
- Region where this resource will be managed. Defaults to the Region set in the provider configuration. Note: although cidr_blocks, ipv6_cidr_blocks, prefix_list_ids, and source_security_group_id are all marked as optional, you must provide one of them in order to configure the source of the traffic.
- Self bool
- Whether the security group itself will be added as a source to this ingress rule. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or source_security_group_id.
- SourceSecurityGroupId string
- Security group ID to allow access to/from, depending on the type. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or self.
- fromPort Integer
- Start port (or ICMP type number if protocol is "icmp" or "icmpv6").
- protocol
String | ProtocolType
- Protocol. If not icmp, icmpv6, tcp, udp, or all, use the protocol number.
- securityGroupId String
- Security group to apply this rule to.
- toPort Integer
- End port (or ICMP code if protocol is "icmp").
- type String
- Type of rule being created. Valid options are ingress (inbound) or egress (outbound). The following arguments are optional:
- cidrBlocks List<String>
- List of CIDR blocks. Cannot be specified with source_security_group_id or self.
- description String
- Description of the rule.
- ipv6CidrBlocks List<String>
- List of IPv6 CIDR blocks. Cannot be specified with source_security_group_id or self.
- prefixListIds List<String>
- List of Prefix List IDs.
- region String
- Region where this resource will be managed. Defaults to the Region set in the provider configuration. Note: although cidr_blocks, ipv6_cidr_blocks, prefix_list_ids, and source_security_group_id are all marked as optional, you must provide one of them in order to configure the source of the traffic.
- self Boolean
- Whether the security group itself will be added as a source to this ingress rule. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or source_security_group_id.
- sourceSecurityGroupId String
- Security group ID to allow access to/from, depending on the type. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or self.
- fromPort number
- Start port (or ICMP type number if protocol is "icmp" or "icmpv6").
- protocol
string | ProtocolType
- Protocol. If not icmp, icmpv6, tcp, udp, or all, use the protocol number.
- securityGroupId string
- Security group to apply this rule to.
- toPort number
- End port (or ICMP code if protocol is "icmp").
- type string
- Type of rule being created. Valid options are ingress (inbound) or egress (outbound). The following arguments are optional:
- cidrBlocks string[]
- List of CIDR blocks. Cannot be specified with source_security_group_id or self.
- description string
- Description of the rule.
- ipv6CidrBlocks string[]
- List of IPv6 CIDR blocks. Cannot be specified with source_security_group_id or self.
- prefixListIds string[]
- List of Prefix List IDs.
- region string
- Region where this resource will be managed. Defaults to the Region set in the provider configuration. Note: although cidr_blocks, ipv6_cidr_blocks, prefix_list_ids, and source_security_group_id are all marked as optional, you must provide one of them in order to configure the source of the traffic.
- self boolean
- Whether the security group itself will be added as a source to this ingress rule. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or source_security_group_id.
- sourceSecurityGroupId string
- Security group ID to allow access to/from, depending on the type. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or self.
- from_port int
- Start port (or ICMP type number if protocol is "icmp" or "icmpv6").
- protocol
str | ProtocolType
- Protocol. If not icmp, icmpv6, tcp, udp, or all, use the protocol number.
- security_group_id str
- Security group to apply this rule to.
- to_port int
- End port (or ICMP code if protocol is "icmp").
- type str
- Type of rule being created. Valid options are ingress (inbound) or egress (outbound). The following arguments are optional:
- cidr_blocks Sequence[str]
- List of CIDR blocks. Cannot be specified with source_security_group_id or self.
- description str
- Description of the rule.
- ipv6_cidr_blocks Sequence[str]
- List of IPv6 CIDR blocks. Cannot be specified with source_security_group_id or self.
- prefix_list_ids Sequence[str]
- List of Prefix List IDs.
- region str
- Region where this resource will be managed. Defaults to the Region set in the provider configuration. Note: although cidr_blocks, ipv6_cidr_blocks, prefix_list_ids, and source_security_group_id are all marked as optional, you must provide one of them in order to configure the source of the traffic.
- self bool
- Whether the security group itself will be added as a source to this ingress rule. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or source_security_group_id.
- source_security_group_id str
- Security group ID to allow access to/from, depending on the type. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or self.
- fromPort Number
- Start port (or ICMP type number if protocol is "icmp" or "icmpv6").
- protocol String | "all" | "tcp" | "udp" | "icmp"
- Protocol. If not icmp, icmpv6, tcp, udp, or all, use the protocol number.
- securityGroupId String
- Security group to apply this rule to.
- toPort Number
- End port (or ICMP code if protocol is "icmp").
- type String
- Type of rule being created. Valid options are ingress (inbound) or egress (outbound). The following arguments are optional:
- cidrBlocks List<String>
- List of CIDR blocks. Cannot be specified with source_security_group_id or self.
- description String
- Description of the rule.
- ipv6CidrBlocks List<String>
- List of IPv6 CIDR blocks. Cannot be specified with source_security_group_id or self.
- prefixListIds List<String>
- List of Prefix List IDs.
- region String
- Region where this resource will be managed. Defaults to the Region set in the provider configuration. Note: although cidr_blocks, ipv6_cidr_blocks, prefix_list_ids, and source_security_group_id are all marked as optional, you must provide one of them in order to configure the source of the traffic.
- self Boolean
- Whether the security group itself will be added as a source to this ingress rule. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or source_security_group_id.
- sourceSecurityGroupId String
- Security group ID to allow access to/from, depending on the type. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or self.
Outputs
All input properties are implicitly available as output properties. Additionally, the SecurityGroupRule resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- SecurityGroupRuleId string
- If the aws.ec2.SecurityGroupRule resource has a single source or destination, this is the AWS Security Group Rule resource ID. Otherwise it is empty.
- Id string
- The provider-assigned unique ID for this managed resource.
- SecurityGroupRuleId string
- If the aws.ec2.SecurityGroupRule resource has a single source or destination, this is the AWS Security Group Rule resource ID. Otherwise it is empty.
- id String
- The provider-assigned unique ID for this managed resource.
- securityGroupRuleId String
- If the aws.ec2.SecurityGroupRule resource has a single source or destination, this is the AWS Security Group Rule resource ID. Otherwise it is empty.
- id string
- The provider-assigned unique ID for this managed resource.
- securityGroupRuleId string
- If the aws.ec2.SecurityGroupRule resource has a single source or destination, this is the AWS Security Group Rule resource ID. Otherwise it is empty.
- id str
- The provider-assigned unique ID for this managed resource.
- security_group_rule_id str
- If the aws.ec2.SecurityGroupRule resource has a single source or destination, this is the AWS Security Group Rule resource ID. Otherwise it is empty.
- id String
- The provider-assigned unique ID for this managed resource.
- securityGroupRuleId String
- If the aws.ec2.SecurityGroupRule resource has a single source or destination, this is the AWS Security Group Rule resource ID. Otherwise it is empty.
Look up Existing SecurityGroupRule Resource
Get an existing SecurityGroupRule resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: SecurityGroupRuleState, opts?: CustomResourceOptions): SecurityGroupRule
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        cidr_blocks: Optional[Sequence[str]] = None,
        description: Optional[str] = None,
        from_port: Optional[int] = None,
        ipv6_cidr_blocks: Optional[Sequence[str]] = None,
        prefix_list_ids: Optional[Sequence[str]] = None,
        protocol: Optional[Union[str, ProtocolType]] = None,
        region: Optional[str] = None,
        security_group_id: Optional[str] = None,
        security_group_rule_id: Optional[str] = None,
        self: Optional[bool] = None,
        source_security_group_id: Optional[str] = None,
        to_port: Optional[int] = None,
        type: Optional[str] = None) -> SecurityGroupRule
func GetSecurityGroupRule(ctx *Context, name string, id IDInput, state *SecurityGroupRuleState, opts ...ResourceOption) (*SecurityGroupRule, error)
public static SecurityGroupRule Get(string name, Input<string> id, SecurityGroupRuleState? state, CustomResourceOptions? opts = null)
public static SecurityGroupRule get(String name, Output<String> id, SecurityGroupRuleState state, CustomResourceOptions options)
resources:
  _:
    type: aws:ec2:SecurityGroupRule
    get:
      id: ${id}
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- CidrBlocks List<string>
- List of IPv4 CIDR blocks. Cannot be specified with source_security_group_id or self.
- Description string
- Description of the rule.
- FromPort int
- Start port (or ICMP type number if protocol is "icmp" or "icmpv6").
- Ipv6CidrBlocks List<string>
- List of IPv6 CIDR blocks. Cannot be specified with source_security_group_id or self.
- PrefixListIds List<string>
- List of Prefix List IDs.
- Protocol
string | Pulumi.Aws.Ec2.ProtocolType
- Protocol. If not icmp, icmpv6, tcp, udp, or all, use the IANA protocol number. Note that all (or -1) matches every port regardless of from_port and to_port.
- Region string
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- Note: Although cidr_blocks, ipv6_cidr_blocks, prefix_list_ids, and source_security_group_id are all marked as optional, you must provide at least one of them (or set self) in order to configure the source or destination of the traffic.
- SecurityGroupId string
- Security group to apply this rule to.
- SecurityGroupRuleId string
- If the aws.ec2.SecurityGroupRule resource has a single source or destination then this is the AWS Security Group Rule resource ID. Otherwise (for example, when several CIDR blocks are listed) it is empty.
- Self bool
- Whether the security group itself will be added as the source (ingress) or destination (egress) of this rule. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or source_security_group_id.
- SourceSecurityGroupId string
- Security group ID to allow access to/from, depending on the type. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or self.
- ToPort int
- End port (or ICMP code if protocol is "icmp" or "icmpv6").
- Type string
- Type of rule being created. Valid options are ingress (inbound) or egress (outbound).
- The following arguments are optional:
- CidrBlocks []string
- List of IPv4 CIDR blocks. Cannot be specified with source_security_group_id or self.
- Description string
- Description of the rule.
- FromPort int
- Start port (or ICMP type number if protocol is "icmp" or "icmpv6").
- Ipv6CidrBlocks []string
- List of IPv6 CIDR blocks. Cannot be specified with source_security_group_id or self.
- PrefixListIds []string
- List of Prefix List IDs.
- Protocol
string | ProtocolType
- Protocol. If not icmp, icmpv6, tcp, udp, or all, use the IANA protocol number. Note that all (or -1) matches every port regardless of from_port and to_port.
- Region string
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- Note: Although cidr_blocks, ipv6_cidr_blocks, prefix_list_ids, and source_security_group_id are all marked as optional, you must provide at least one of them (or set self) in order to configure the source or destination of the traffic.
- SecurityGroupId string
- Security group to apply this rule to.
- SecurityGroupRuleId string
- If the aws.ec2.SecurityGroupRule resource has a single source or destination then this is the AWS Security Group Rule resource ID. Otherwise (for example, when several CIDR blocks are listed) it is empty.
- Self bool
- Whether the security group itself will be added as the source (ingress) or destination (egress) of this rule. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or source_security_group_id.
- SourceSecurityGroupId string
- Security group ID to allow access to/from, depending on the type. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or self.
- ToPort int
- End port (or ICMP code if protocol is "icmp" or "icmpv6").
- Type string
- Type of rule being created. Valid options are ingress (inbound) or egress (outbound).
- The following arguments are optional:
- cidrBlocks List<String>
- List of IPv4 CIDR blocks. Cannot be specified with source_security_group_id or self.
- description String
- Description of the rule.
- fromPort Integer
- Start port (or ICMP type number if protocol is "icmp" or "icmpv6").
- ipv6CidrBlocks List<String>
- List of IPv6 CIDR blocks. Cannot be specified with source_security_group_id or self.
- prefixListIds List<String>
- List of Prefix List IDs.
- protocol
String | ProtocolType
- Protocol. If not icmp, icmpv6, tcp, udp, or all, use the IANA protocol number. Note that all (or -1) matches every port regardless of from_port and to_port.
- region String
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- Note: Although cidr_blocks, ipv6_cidr_blocks, prefix_list_ids, and source_security_group_id are all marked as optional, you must provide at least one of them (or set self) in order to configure the source or destination of the traffic.
- securityGroupId String
- Security group to apply this rule to.
- securityGroupRuleId String
- If the aws.ec2.SecurityGroupRule resource has a single source or destination then this is the AWS Security Group Rule resource ID. Otherwise (for example, when several CIDR blocks are listed) it is empty.
- self Boolean
- Whether the security group itself will be added as the source (ingress) or destination (egress) of this rule. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or source_security_group_id.
- sourceSecurityGroupId String
- Security group ID to allow access to/from, depending on the type. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or self.
- toPort Integer
- End port (or ICMP code if protocol is "icmp" or "icmpv6").
- type String
- Type of rule being created. Valid options are ingress (inbound) or egress (outbound).
- The following arguments are optional:
- cidrBlocks string[]
- List of IPv4 CIDR blocks. Cannot be specified with source_security_group_id or self.
- description string
- Description of the rule.
- fromPort number
- Start port (or ICMP type number if protocol is "icmp" or "icmpv6").
- ipv6CidrBlocks string[]
- List of IPv6 CIDR blocks. Cannot be specified with source_security_group_id or self.
- prefixListIds string[]
- List of Prefix List IDs.
- protocol
string | ProtocolType
- Protocol. If not icmp, icmpv6, tcp, udp, or all, use the IANA protocol number. Note that all (or -1) matches every port regardless of from_port and to_port.
- region string
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- Note: Although cidr_blocks, ipv6_cidr_blocks, prefix_list_ids, and source_security_group_id are all marked as optional, you must provide at least one of them (or set self) in order to configure the source or destination of the traffic.
- securityGroupId string
- Security group to apply this rule to.
- securityGroupRuleId string
- If the aws.ec2.SecurityGroupRule resource has a single source or destination then this is the AWS Security Group Rule resource ID. Otherwise (for example, when several CIDR blocks are listed) it is empty.
- self boolean
- Whether the security group itself will be added as the source (ingress) or destination (egress) of this rule. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or source_security_group_id.
- sourceSecurityGroupId string
- Security group ID to allow access to/from, depending on the type. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or self.
- toPort number
- End port (or ICMP code if protocol is "icmp" or "icmpv6").
- type string
- Type of rule being created. Valid options are ingress (inbound) or egress (outbound).
- The following arguments are optional:
- cidr_blocks Sequence[str]
- List of IPv4 CIDR blocks. Cannot be specified with source_security_group_id or self.
- description str
- Description of the rule.
- from_port int
- Start port (or ICMP type number if protocol is "icmp" or "icmpv6").
- ipv6_cidr_blocks Sequence[str]
- List of IPv6 CIDR blocks. Cannot be specified with source_security_group_id or self.
- prefix_list_ids Sequence[str]
- List of Prefix List IDs.
- protocol
str | ProtocolType
- Protocol. If not icmp, icmpv6, tcp, udp, or all, use the IANA protocol number. Note that all (or -1) matches every port regardless of from_port and to_port.
- region str
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- Note: Although cidr_blocks, ipv6_cidr_blocks, prefix_list_ids, and source_security_group_id are all marked as optional, you must provide at least one of them (or set self) in order to configure the source or destination of the traffic.
- security_group_id str
- Security group to apply this rule to.
- security_group_rule_id str
- If the aws.ec2.SecurityGroupRule resource has a single source or destination then this is the AWS Security Group Rule resource ID. Otherwise (for example, when several CIDR blocks are listed) it is empty.
- self bool
- Whether the security group itself will be added as the source (ingress) or destination (egress) of this rule. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or source_security_group_id.
- source_security_group_id str
- Security group ID to allow access to/from, depending on the type. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or self.
- to_port int
- End port (or ICMP code if protocol is "icmp" or "icmpv6").
- type str
- Type of rule being created. Valid options are ingress (inbound) or egress (outbound).
- The following arguments are optional:
- cidrBlocks List<String>
- List of IPv4 CIDR blocks. Cannot be specified with source_security_group_id or self.
- description String
- Description of the rule.
- fromPort Number
- Start port (or ICMP type number if protocol is "icmp" or "icmpv6").
- ipv6CidrBlocks List<String>
- List of IPv6 CIDR blocks. Cannot be specified with source_security_group_id or self.
- prefixListIds List<String>
- List of Prefix List IDs.
- protocol String | "all" | "tcp" | "udp" | "icmp"
- Protocol. If not icmp, icmpv6, tcp, udp, or all, use the IANA protocol number. Note that all (or -1) matches every port regardless of from_port and to_port.
- region String
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- Note: Although cidr_blocks, ipv6_cidr_blocks, prefix_list_ids, and source_security_group_id are all marked as optional, you must provide at least one of them (or set self) in order to configure the source or destination of the traffic.
- securityGroupId String
- Security group to apply this rule to.
- securityGroupRuleId String
- If the aws.ec2.SecurityGroupRule resource has a single source or destination then this is the AWS Security Group Rule resource ID. Otherwise (for example, when several CIDR blocks are listed) it is empty.
- self Boolean
- Whether the security group itself will be added as the source (ingress) or destination (egress) of this rule. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or source_security_group_id.
- sourceSecurityGroupId String
- Security group ID to allow access to/from, depending on the type. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or self.
- toPort Number
- End port (or ICMP code if protocol is "icmp" or "icmpv6").
- type String
- Type of rule being created. Valid options are ingress (inbound) or egress (outbound).
- The following arguments are optional:
Supporting Types
ProtocolType, ProtocolTypeArgs    
- All
- all
- TCP
- tcp
- UDP
- udp
- ICMP
- icmp
- ProtocolType All 
- all
- ProtocolType TCP 
- tcp
- ProtocolType UDP 
- udp
- ProtocolType ICMP 
- icmp
- All
- all
- TCP
- tcp
- UDP
- udp
- ICMP
- icmp
- All
- all
- TCP
- tcp
- UDP
- udp
- ICMP
- icmp
- ALL
- all
- TCP
- tcp
- UDP
- udp
- ICMP
- icmp
- "all"
- all
- "tcp"
- tcp
- "udp"
- udp
- "icmp"
- icmp
Import
Import a rule with various IPv4 and IPv6 source CIDR blocks:
Import a rule, applicable to all ports, with a protocol other than TCP/UDP/ICMP/ICMPV6/ALL, e.g., Multicast Transport Protocol (MTP), using the IANA protocol number. For example: 92.
Import a default any/any egress rule to 0.0.0.0/0:
Import an egress rule with a prefix list ID destination:
Import a rule applicable to all protocols and ports with a security group source:
Import a rule that has itself and an IPv6 CIDR block as sources:
Using pulumi import to import Security Group Rules using the security_group_id, type, protocol, from_port, to_port, and source(s)/destination(s) (such as a cidr_block) separated by underscores (_). All parts are required. For example:
NOTE: Not all rule permissions (e.g., not all of a rule's CIDR blocks) need to be imported for this provider to manage rule permissions. However, importing some of a rule's permissions but not others, and then making changes to the rule, will result in the creation of an additional rule to capture the updated permissions. Rule permissions that were not imported are left intact in the original rule and remain unmanaged by this provider, so they will not show up in its state or in a diff; review the security group in AWS directly if you need to be sure no other access is granted.
Import an ingress rule in security group sg-6e616f6d69 for TCP port 8000 with an IPv4 source CIDR of 10.0.3.0/24:
$ pulumi import aws:ec2/securityGroupRule:SecurityGroupRule ingress sg-6e616f6d69_ingress_tcp_8000_8000_10.0.3.0/24
Import a rule with various IPv4 and IPv6 source CIDR blocks:
$ pulumi import aws:ec2/securityGroupRule:SecurityGroupRule ingress sg-4973616163_ingress_tcp_100_121_10.1.0.0/16_2001:db8::/48_10.2.0.0/16_2002:db8::/48
Import a rule, applicable to all ports, with a protocol other than TCP/UDP/ICMP/ICMPV6/ALL, e.g., Multicast Transport Protocol (MTP), using the IANA protocol number. For example: 92.
$ pulumi import aws:ec2/securityGroupRule:SecurityGroupRule ingress sg-6777656e646f6c796e_ingress_92_0_65536_10.0.3.0/24_10.0.4.0/24
Import a default any/any egress rule to 0.0.0.0/0:
$ pulumi import aws:ec2/securityGroupRule:SecurityGroupRule default_egress sg-6777656e646f6c796e_egress_all_0_0_0.0.0.0/0
Import an egress rule with a prefix list ID destination:
$ pulumi import aws:ec2/securityGroupRule:SecurityGroupRule egress sg-62726f6479_egress_tcp_8000_8000_pl-6469726b
Import a rule applicable to all protocols and ports with a security group source:
$ pulumi import aws:ec2/securityGroupRule:SecurityGroupRule ingress_rule sg-7472697374616e_ingress_all_0_65536_sg-6176657279
Import a rule that has itself and an IPv6 CIDR block as sources:
$ pulumi import aws:ec2/securityGroupRule:SecurityGroupRule rule_name sg-656c65616e6f72_ingress_tcp_80_80_self_2001:db8::/48
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- AWS Classic pulumi/pulumi-aws
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the awsTerraform Provider.
