published on Wednesday, Mar 11, 2026 by Pulumi
Resource for managing an exclusive set of AWS VPC (Virtual Private Cloud) Security Group Rules.
This resource manages the complete set of ingress and egress rules assigned to a security group. It provides exclusive control by removing any rules not explicitly defined in the configuration.
!> This resource takes exclusive ownership over ingress and egress rules assigned to a security group. This includes removal of rules which are not explicitly configured. To prevent persistent drift, ensure any `aws.vpc.SecurityGroupIngressRule` and `aws.vpc.SecurityGroupEgressRule` resources managed alongside this resource are included in the `ingress_rule_ids` and `egress_rule_ids` arguments.
Destruction of this resource means Terraform will no longer manage reconciliation of the configured security group rules. It will not revoke the configured rules from the security group.
When this resource detects a configured rule ID which must be created, a warning diagnostic is emitted. This is due to a limitation in the `AuthorizeSecurityGroupEgress` and `AuthorizeSecurityGroupIngress` APIs, which require the full rule definition to be provided rather than a reference to an existing rule ID.
Example Usage
Basic Usage
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// VPC that scopes the security group below.
const vpc = new aws.ec2.Vpc("example", { cidrBlock: "10.0.0.0/16" });

// Security group whose complete rule set is owned by the exclusive resource at the end.
const sg = new aws.ec2.SecurityGroup("example", {
    name: "example",
    vpcId: vpc.id,
});

// Inbound TCP/80 from 10.0.0.0/8 — wider than the VPC's own 10.0.0.0/16; narrow the
// source range if networks reachable via peering or VPN must not reach port 80.
const httpIngress = new aws.vpc.SecurityGroupIngressRule("example", {
    securityGroupId: sg.id,
    cidrIpv4: "10.0.0.0/8",
    fromPort: 80,
    toPort: 80,
    ipProtocol: "tcp",
});

// Outbound: all protocols ("-1") to any IPv4 destination — the permissive default;
// restrict it where egress control matters.
const allEgress = new aws.vpc.SecurityGroupEgressRule("example", {
    securityGroupId: sg.id,
    cidrIpv4: "0.0.0.0/0",
    ipProtocol: "-1",
});

// Exclusive ownership: any rule on the group not listed here is revoked on the next
// update, so every rule managed alongside this resource must appear in these lists.
const exclusiveRules = new aws.ec2.VpcSecurityGroupRulesExclusive("example", {
    securityGroupId: sg.id,
    ingressRuleIds: [httpIngress.id],
    egressRuleIds: [allEgress.id],
});
import pulumi
import pulumi_aws as aws
# VPC that scopes the security group below.
vpc = aws.ec2.Vpc("example", cidr_block="10.0.0.0/16")

# Security group whose complete rule set is owned by the exclusive resource at the end.
sg = aws.ec2.SecurityGroup(
    "example",
    name="example",
    vpc_id=vpc.id,
)

# Inbound TCP/80 from 10.0.0.0/8 -- wider than the VPC's own 10.0.0.0/16; narrow the
# source range if networks reachable via peering or VPN must not reach port 80.
http_ingress = aws.vpc.SecurityGroupIngressRule(
    "example",
    security_group_id=sg.id,
    cidr_ipv4="10.0.0.0/8",
    from_port=80,
    to_port=80,
    ip_protocol="tcp",
)

# Outbound: all protocols ("-1") to any IPv4 destination -- the permissive default;
# restrict it where egress control matters.
all_egress = aws.vpc.SecurityGroupEgressRule(
    "example",
    security_group_id=sg.id,
    cidr_ipv4="0.0.0.0/0",
    ip_protocol="-1",
)

# Exclusive ownership: any rule on the group not listed here is revoked on the next
# update, so every rule managed alongside this resource must appear in these lists.
exclusive_rules = aws.ec2.VpcSecurityGroupRulesExclusive(
    "example",
    security_group_id=sg.id,
    ingress_rule_ids=[http_ingress.id],
    egress_rule_ids=[all_egress.id],
)
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/ec2"
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/vpc"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main runs a Pulumi program that declares a VPC, a security group, one ingress
// and one egress rule, and an exclusive rule set that owns every rule on the group.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// VPC that scopes the security group.
		exampleVpc, err := ec2.NewVpc(ctx, "example", &ec2.VpcArgs{
			CidrBlock: pulumi.String("10.0.0.0/16"),
		})
		if err != nil {
			return err
		}

		// Security group whose complete rule set is owned by the exclusive resource below.
		sg, err := ec2.NewSecurityGroup(ctx, "example", &ec2.SecurityGroupArgs{
			Name:  pulumi.String("example"),
			VpcId: exampleVpc.ID(),
		})
		if err != nil {
			return err
		}

		// Inbound TCP/80 from 10.0.0.0/8, which is wider than the VPC's own
		// 10.0.0.0/16; narrow the source range if connected networks must not reach port 80.
		httpIn, err := vpc.NewSecurityGroupIngressRule(ctx, "example", &vpc.SecurityGroupIngressRuleArgs{
			SecurityGroupId: sg.ID(),
			CidrIpv4:        pulumi.String("10.0.0.0/8"),
			FromPort:        pulumi.Int(80),
			ToPort:          pulumi.Int(80),
			IpProtocol:      pulumi.String("tcp"),
		})
		if err != nil {
			return err
		}

		// Outbound: all protocols ("-1") to any IPv4 destination — the permissive
		// default; restrict it where egress control matters.
		allOut, err := vpc.NewSecurityGroupEgressRule(ctx, "example", &vpc.SecurityGroupEgressRuleArgs{
			SecurityGroupId: sg.ID(),
			CidrIpv4:        pulumi.String("0.0.0.0/0"),
			IpProtocol:      pulumi.String("-1"),
		})
		if err != nil {
			return err
		}

		// Exclusive ownership: any rule on the group not listed here is revoked on
		// the next update, so every rule managed alongside this resource must appear.
		_, err = ec2.NewVpcSecurityGroupRulesExclusive(ctx, "example", &ec2.VpcSecurityGroupRulesExclusiveArgs{
			SecurityGroupId: sg.ID(),
			IngressRuleIds:  pulumi.StringArray{httpIn.ID()},
			EgressRuleIds:   pulumi.StringArray{allOut.ID()},
		})
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
// Declares a VPC, a security group, one ingress and one egress rule, and an
// exclusive rule set that owns every rule on the group.
return await Deployment.RunAsync(() =>
{
    // VPC that scopes the security group.
    var vpc = new Aws.Ec2.Vpc("example", new() { CidrBlock = "10.0.0.0/16" });

    // Security group whose complete rule set is owned by the exclusive resource below.
    var sg = new Aws.Ec2.SecurityGroup("example", new()
    {
        Name = "example",
        VpcId = vpc.Id,
    });

    // Inbound TCP/80 from 10.0.0.0/8 — wider than the VPC's own 10.0.0.0/16; narrow the
    // source range if connected networks must not reach port 80.
    var httpIngress = new Aws.Vpc.SecurityGroupIngressRule("example", new()
    {
        SecurityGroupId = sg.Id,
        CidrIpv4 = "10.0.0.0/8",
        FromPort = 80,
        ToPort = 80,
        IpProtocol = "tcp",
    });

    // Outbound: all protocols ("-1") to any IPv4 destination — the permissive default;
    // restrict it where egress control matters.
    var allEgress = new Aws.Vpc.SecurityGroupEgressRule("example", new()
    {
        SecurityGroupId = sg.Id,
        CidrIpv4 = "0.0.0.0/0",
        IpProtocol = "-1",
    });

    // Exclusive ownership: any rule on the group not listed here is revoked on the next
    // update, so every rule managed alongside this resource must appear in these lists.
    var exclusiveRules = new Aws.Ec2.VpcSecurityGroupRulesExclusive("example", new()
    {
        SecurityGroupId = sg.Id,
        IngressRuleIds = new[] { httpIngress.Id },
        EgressRuleIds = new[] { allEgress.Id },
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.ec2.Vpc;
import com.pulumi.aws.ec2.VpcArgs;
import com.pulumi.aws.ec2.SecurityGroup;
import com.pulumi.aws.ec2.SecurityGroupArgs;
import com.pulumi.aws.vpc.SecurityGroupIngressRule;
import com.pulumi.aws.vpc.SecurityGroupIngressRuleArgs;
import com.pulumi.aws.vpc.SecurityGroupEgressRule;
import com.pulumi.aws.vpc.SecurityGroupEgressRuleArgs;
import com.pulumi.aws.ec2.VpcSecurityGroupRulesExclusive;
import com.pulumi.aws.ec2.VpcSecurityGroupRulesExclusiveArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program: a VPC, a security group, one ingress and one egress rule, and an
 * exclusive rule set that owns every rule on the group.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Declares the resource graph for the given deployment context. */
    public static void stack(Context ctx) {
        // VPC that scopes the security group.
        var vpcArgs = VpcArgs.builder()
            .cidrBlock("10.0.0.0/16")
            .build();
        var vpc = new Vpc("example", vpcArgs);

        // Security group whose complete rule set is owned by the exclusive resource below.
        var sgArgs = SecurityGroupArgs.builder()
            .name("example")
            .vpcId(vpc.id())
            .build();
        var sg = new SecurityGroup("exampleSecurityGroup", sgArgs);

        // Inbound TCP/80 from 10.0.0.0/8 -- wider than the VPC's own 10.0.0.0/16; narrow
        // the source range if connected networks must not reach port 80.
        var httpIngressArgs = SecurityGroupIngressRuleArgs.builder()
            .securityGroupId(sg.id())
            .cidrIpv4("10.0.0.0/8")
            .fromPort(80)
            .toPort(80)
            .ipProtocol("tcp")
            .build();
        var httpIngress = new SecurityGroupIngressRule("exampleSecurityGroupIngressRule", httpIngressArgs);

        // Outbound: all protocols ("-1") to any IPv4 destination -- the permissive default;
        // restrict it where egress control matters.
        var allEgressArgs = SecurityGroupEgressRuleArgs.builder()
            .securityGroupId(sg.id())
            .cidrIpv4("0.0.0.0/0")
            .ipProtocol("-1")
            .build();
        var allEgress = new SecurityGroupEgressRule("exampleSecurityGroupEgressRule", allEgressArgs);

        // Exclusive ownership: any rule on the group not listed here is revoked on the
        // next update, so every rule managed alongside this resource must appear.
        var exclusiveArgs = VpcSecurityGroupRulesExclusiveArgs.builder()
            .securityGroupId(sg.id())
            .ingressRuleIds(httpIngress.id())
            .egressRuleIds(allEgress.id())
            .build();
        var exclusiveRules = new VpcSecurityGroupRulesExclusive("exampleVpcSecurityGroupRulesExclusive", exclusiveArgs);
    }
}
resources:
  # VPC that scopes the security group.
  example:
    type: aws:ec2:Vpc
    properties:
      cidrBlock: 10.0.0.0/16
  # Security group whose complete rule set is owned by the exclusive resource below.
  exampleSecurityGroup:
    type: aws:ec2:SecurityGroup
    name: example
    properties:
      name: example
      vpcId: ${example.id}
  # Inbound TCP/80 from 10.0.0.0/8 -- wider than the VPC's own 10.0.0.0/16; narrow
  # the source range if connected networks must not reach port 80.
  exampleSecurityGroupIngressRule:
    type: aws:vpc:SecurityGroupIngressRule
    name: example
    properties:
      securityGroupId: ${exampleSecurityGroup.id}
      cidrIpv4: 10.0.0.0/8
      fromPort: 80
      toPort: 80
      ipProtocol: tcp
  # Outbound: all protocols ('-1') to any IPv4 destination -- the permissive default;
  # restrict it where egress control matters.
  exampleSecurityGroupEgressRule:
    type: aws:vpc:SecurityGroupEgressRule
    name: example
    properties:
      securityGroupId: ${exampleSecurityGroup.id}
      cidrIpv4: 0.0.0.0/0
      ipProtocol: '-1'
  # Exclusive ownership: any rule on the group not listed here is revoked on the
  # next update, so every rule managed alongside this resource must appear.
  exampleVpcSecurityGroupRulesExclusive:
    type: aws:ec2:VpcSecurityGroupRulesExclusive
    name: example
    properties:
      securityGroupId: ${exampleSecurityGroup.id}
      ingressRuleIds:
        - ${exampleSecurityGroupIngressRule.id}
      egressRuleIds:
        - ${exampleSecurityGroupEgressRule.id}
Disallow All Rules
To automatically remove any configured security group rules, set both ingress_rule_ids and egress_rule_ids to empty lists.
This will not prevent rules from being assigned to a security group via Terraform (or any other interface). This resource enables bringing security group rule assignments into a configured state; however, this reconciliation happens only when `apply` is proactively run.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Both lists empty: after the update the group carries no ingress and no egress rules.
// exampleAwsSecurityGroup stands for a security group declared elsewhere in the program.
const exclusiveRules = new aws.ec2.VpcSecurityGroupRulesExclusive("example", {
    securityGroupId: exampleAwsSecurityGroup.id,
    ingressRuleIds: [],
    egressRuleIds: [],
});
import pulumi
import pulumi_aws as aws
# Both lists empty: after the update the group carries no ingress and no egress rules.
# example_aws_security_group stands for a security group declared elsewhere in the program.
exclusive_rules = aws.ec2.VpcSecurityGroupRulesExclusive(
    "example",
    security_group_id=example_aws_security_group["id"],
    ingress_rule_ids=[],
    egress_rule_ids=[],
)
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/ec2"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main runs a Pulumi program that takes exclusive ownership of a security group's
// rules with both lists empty, so every ingress and egress rule on the group is revoked.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// exampleAwsSecurityGroup is not declared in this snippet; it stands for a
		// security group defined elsewhere in the program.
		_, err := ec2.NewVpcSecurityGroupRulesExclusive(ctx, "example", &ec2.VpcSecurityGroupRulesExclusiveArgs{
			SecurityGroupId: pulumi.Any(exampleAwsSecurityGroup.Id),
			IngressRuleIds:  pulumi.StringArray{},
			EgressRuleIds:   pulumi.StringArray{},
		})
		// Rules added out of band after this runs are only removed on the next update.
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
// Both lists empty: after the update the group carries no ingress and no egress rules.
// exampleAwsSecurityGroup stands for a security group declared elsewhere in the program.
return await Deployment.RunAsync(() =>
{
    var exclusiveRules = new Aws.Ec2.VpcSecurityGroupRulesExclusive("example", new()
    {
        SecurityGroupId = exampleAwsSecurityGroup.Id,
        IngressRuleIds = new string[] {},
        EgressRuleIds = new string[] {},
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.ec2.VpcSecurityGroupRulesExclusive;
import com.pulumi.aws.ec2.VpcSecurityGroupRulesExclusiveArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that takes exclusive ownership of a security group's rules with
 * both lists empty, so every ingress and egress rule on the group is revoked.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Declares the resource graph for the given deployment context. */
    public static void stack(Context ctx) {
        // exampleAwsSecurityGroup stands for a security group declared elsewhere in the program.
        // Calling the list setters with no values yields empty rule lists.
        var exclusiveArgs = VpcSecurityGroupRulesExclusiveArgs.builder()
            .securityGroupId(exampleAwsSecurityGroup.id())
            .ingressRuleIds()
            .egressRuleIds()
            .build();
        var exclusiveRules = new VpcSecurityGroupRulesExclusive("example", exclusiveArgs);
    }
}
resources:
  # Both lists empty: after the update the group carries no ingress and no egress rules.
  # exampleAwsSecurityGroup stands for a security group declared elsewhere in the program.
  example:
    type: aws:ec2:VpcSecurityGroupRulesExclusive
    properties:
      securityGroupId: ${exampleAwsSecurityGroup.id}
      ingressRuleIds: []
      egressRuleIds: []
Create VpcSecurityGroupRulesExclusive Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new VpcSecurityGroupRulesExclusive(name: string, args: VpcSecurityGroupRulesExclusiveArgs, opts?: CustomResourceOptions);
@overload
def VpcSecurityGroupRulesExclusive(resource_name: str,
args: VpcSecurityGroupRulesExclusiveArgs,
opts: Optional[ResourceOptions] = None)
@overload
def VpcSecurityGroupRulesExclusive(resource_name: str,
opts: Optional[ResourceOptions] = None,
egress_rule_ids: Optional[Sequence[str]] = None,
ingress_rule_ids: Optional[Sequence[str]] = None,
security_group_id: Optional[str] = None,
region: Optional[str] = None)
func NewVpcSecurityGroupRulesExclusive(ctx *Context, name string, args VpcSecurityGroupRulesExclusiveArgs, opts ...ResourceOption) (*VpcSecurityGroupRulesExclusive, error)
public VpcSecurityGroupRulesExclusive(string name, VpcSecurityGroupRulesExclusiveArgs args, CustomResourceOptions? opts = null)
public VpcSecurityGroupRulesExclusive(String name, VpcSecurityGroupRulesExclusiveArgs args)
public VpcSecurityGroupRulesExclusive(String name, VpcSecurityGroupRulesExclusiveArgs args, CustomResourceOptions options)
type: aws:ec2:VpcSecurityGroupRulesExclusive
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args VpcSecurityGroupRulesExclusiveArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args VpcSecurityGroupRulesExclusiveArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args VpcSecurityGroupRulesExclusiveArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args VpcSecurityGroupRulesExclusiveArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args VpcSecurityGroupRulesExclusiveArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
// Reference shape only: every value is the placeholder "string", not a usable rule ID,
// security group ID or region.
var vpcSecurityGroupRulesExclusiveResource = new Aws.Ec2.VpcSecurityGroupRulesExclusive("vpcSecurityGroupRulesExclusiveResource", new()
{
    EgressRuleIds = new[]
    {
        "string",
    },
    IngressRuleIds = new[]
    {
        "string",
    },
    SecurityGroupId = "string",
    Region = "string",
});
// Reference shape only: every value is the placeholder "string", not a usable rule ID,
// security group ID or region. The enclosing function is not shown.
example, err := ec2.NewVpcSecurityGroupRulesExclusive(ctx, "vpcSecurityGroupRulesExclusiveResource", &ec2.VpcSecurityGroupRulesExclusiveArgs{
	EgressRuleIds: pulumi.StringArray{
		pulumi.String("string"),
	},
	IngressRuleIds: pulumi.StringArray{
		pulumi.String("string"),
	},
	SecurityGroupId: pulumi.String("string"),
	Region:          pulumi.String("string"),
})
// Reference shape only: every value is the placeholder "string", not a usable rule ID,
// security group ID or region.
var vpcSecurityGroupRulesExclusiveResource = new VpcSecurityGroupRulesExclusive("vpcSecurityGroupRulesExclusiveResource", VpcSecurityGroupRulesExclusiveArgs.builder()
    .egressRuleIds("string")
    .ingressRuleIds("string")
    .securityGroupId("string")
    .region("string")
    .build());
# Reference shape only: every value is the placeholder "string", not a usable rule ID,
# security group ID or region.
vpc_security_group_rules_exclusive_resource = aws.ec2.VpcSecurityGroupRulesExclusive("vpcSecurityGroupRulesExclusiveResource",
    egress_rule_ids=["string"],
    ingress_rule_ids=["string"],
    security_group_id="string",
    region="string")
// Reference shape only: every value is the placeholder "string", not a usable rule ID,
// security group ID or region.
const vpcSecurityGroupRulesExclusiveResource = new aws.ec2.VpcSecurityGroupRulesExclusive("vpcSecurityGroupRulesExclusiveResource", {
    egressRuleIds: ["string"],
    ingressRuleIds: ["string"],
    securityGroupId: "string",
    region: "string",
});
# Reference shape only: every value is the placeholder "string", not a usable rule ID,
# security group ID or region.
type: aws:ec2:VpcSecurityGroupRulesExclusive
properties:
  egressRuleIds:
    - string
  ingressRuleIds:
    - string
  region: string
  securityGroupId: string
VpcSecurityGroupRulesExclusive Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The VpcSecurityGroupRulesExclusive resource accepts the following input properties:
- EgressRuleIds List<string>
- Egress rule IDs.
- IngressRuleIds List<string>
- Ingress rule IDs.
- SecurityGroupId string
- ID of the security group.
- Region string
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- EgressRuleIds []string
- Egress rule IDs.
- IngressRuleIds []string
- Ingress rule IDs.
- SecurityGroupId string
- ID of the security group.
- Region string
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- egressRuleIds List<String>
- Egress rule IDs.
- ingressRuleIds List<String>
- Ingress rule IDs.
- securityGroupId String
- ID of the security group.
- region String
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- egressRuleIds string[]
- Egress rule IDs.
- ingressRuleIds string[]
- Ingress rule IDs.
- securityGroupId string
- ID of the security group.
- region string
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- egress_rule_ids Sequence[str]
- Egress rule IDs.
- ingress_rule_ids Sequence[str]
- Ingress rule IDs.
- security_group_id str
- ID of the security group.
- region str
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- egressRuleIds List<String>
- Egress rule IDs.
- ingressRuleIds List<String>
- Ingress rule IDs.
- securityGroupId String
- ID of the security group.
- region String
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
Outputs
All input properties are implicitly available as output properties. Additionally, the VpcSecurityGroupRulesExclusive resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing VpcSecurityGroupRulesExclusive Resource
Get an existing VpcSecurityGroupRulesExclusive resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: VpcSecurityGroupRulesExclusiveState, opts?: CustomResourceOptions): VpcSecurityGroupRulesExclusive
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
egress_rule_ids: Optional[Sequence[str]] = None,
ingress_rule_ids: Optional[Sequence[str]] = None,
region: Optional[str] = None,
security_group_id: Optional[str] = None) -> VpcSecurityGroupRulesExclusive
func GetVpcSecurityGroupRulesExclusive(ctx *Context, name string, id IDInput, state *VpcSecurityGroupRulesExclusiveState, opts ...ResourceOption) (*VpcSecurityGroupRulesExclusive, error)
public static VpcSecurityGroupRulesExclusive Get(string name, Input<string> id, VpcSecurityGroupRulesExclusiveState? state, CustomResourceOptions? opts = null)
public static VpcSecurityGroupRulesExclusive get(String name, Output<String> id, VpcSecurityGroupRulesExclusiveState state, CustomResourceOptions options)
resources:
  _:
    type: aws:ec2:VpcSecurityGroupRulesExclusive
    get:
      id: ${id}
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- EgressRuleIds List<string>
- Egress rule IDs.
- IngressRuleIds List<string>
- Ingress rule IDs.
- Region string
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- SecurityGroupId string
- ID of the security group.
- EgressRuleIds []string
- Egress rule IDs.
- IngressRuleIds []string
- Ingress rule IDs.
- Region string
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- SecurityGroupId string
- ID of the security group.
- egressRuleIds List<String>
- Egress rule IDs.
- ingressRuleIds List<String>
- Ingress rule IDs.
- region String
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- securityGroupId String
- ID of the security group.
- egressRuleIds string[]
- Egress rule IDs.
- ingressRuleIds string[]
- Ingress rule IDs.
- region string
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- securityGroupId string
- ID of the security group.
- egress_rule_ids Sequence[str]
- Egress rule IDs.
- ingress_rule_ids Sequence[str]
- Ingress rule IDs.
- region str
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- security_group_id str
- ID of the security group.
- egressRuleIds List<String>
- Egress rule IDs.
- ingressRuleIds List<String>
- Ingress rule IDs.
- region String
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- securityGroupId String
- ID of the security group.
Import
Using pulumi import, import exclusive management of security group rules using the security_group_id. For example:
$ pulumi import aws:ec2/vpcSecurityGroupRulesExclusive:VpcSecurityGroupRulesExclusive example sg-1234567890abcdef0
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- AWS Classic pulumi/pulumi-aws
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the `aws` Terraform Provider.
