OpenStack

v3.9.0 published on Thursday, Aug 4, 2022 by Pulumi

SecGroup

Manages a V2 security group resource within OpenStack.

Please note that managing security groups through the OpenStack Compute API has been deprecated. Unless you are using an older OpenStack environment, it is recommended to use the openstack.networking.SecGroup and openstack.networking.SecGroupRule resources instead, which uses the OpenStack Networking API.

Notes

ICMP Rules

When using ICMP as the ip_protocol, the from_port sets the ICMP type and the to_port sets the ICMP code. To allow all ICMP types, set each value to -1, like so:

import * as pulumi from "@pulumi/pulumi";
import pulumi
using Pulumi;

class MyStack : Stack
{
    public MyStack()
    {
    }

}
package main

import (
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		return nil
	})
}
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
    }
}
{}

A list of ICMP types and codes can be found here.

Referencing Security Groups

When referencing a security group in a configuration (for example, a configuration creates a new security group and then needs to apply it to an instance being created in the same configuration), it is currently recommended to reference the security group by name and not by ID, like this:

import * as pulumi from "@pulumi/pulumi";
import * as openstack from "@pulumi/openstack";

const test_server = new openstack.compute.Instance("test-server", {
    flavorId: "3",
    imageId: "ad091b52-742f-469e-8f3c-fd81cadf0743",
    keyPair: "my_key_pair_name",
    securityGroups: [openstack_compute_secgroup_v2_secgroup_1.name],
});
import pulumi
import pulumi_openstack as openstack

test_server = openstack.compute.Instance("test-server",
    flavor_id="3",
    image_id="ad091b52-742f-469e-8f3c-fd81cadf0743",
    key_pair="my_key_pair_name",
    security_groups=[openstack_compute_secgroup_v2["secgroup_1"]["name"]])
using Pulumi;
using OpenStack = Pulumi.OpenStack;

class MyStack : Stack
{
    public MyStack()
    {
        var test_server = new OpenStack.Compute.Instance("test-server", new OpenStack.Compute.InstanceArgs
        {
            FlavorId = "3",
            ImageId = "ad091b52-742f-469e-8f3c-fd81cadf0743",
            KeyPair = "my_key_pair_name",
            SecurityGroups = 
            {
                openstack_compute_secgroup_v2.Secgroup_1.Name,
            },
        });
    }

}
package main

import (
	"github.com/pulumi/pulumi-openstack/sdk/v3/go/openstack/compute"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := compute.NewInstance(ctx, "test-server", &compute.InstanceArgs{
			FlavorId: pulumi.String("3"),
			ImageId:  pulumi.String("ad091b52-742f-469e-8f3c-fd81cadf0743"),
			KeyPair:  pulumi.String("my_key_pair_name"),
			SecurityGroups: pulumi.StringArray{
				pulumi.Any(openstack_compute_secgroup_v2.Secgroup_1.Name),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.openstack.compute.Instance;
import com.pulumi.openstack.compute.InstanceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var test_server = new Instance("test-server", InstanceArgs.builder()        
            .flavorId("3")
            .imageId("ad091b52-742f-469e-8f3c-fd81cadf0743")
            .keyPair("my_key_pair_name")
            .securityGroups(openstack_compute_secgroup_v2.secgroup_1().name())
            .build());

    }
}
resources:
  test-server:
    type: openstack:compute:Instance
    properties:
      flavorId: 3
      imageId: ad091b52-742f-469e-8f3c-fd81cadf0743
      keyPair: my_key_pair_name
      securityGroups:
        - ${openstack_compute_secgroup_v2.secgroup_1.name}

Example Usage

using Pulumi;
using OpenStack = Pulumi.OpenStack;

class MyStack : Stack
{
    public MyStack()
    {
        var secgroup1 = new OpenStack.Compute.SecGroup("secgroup1", new OpenStack.Compute.SecGroupArgs
        {
            Description = "my security group",
            Rules = 
            {
                new OpenStack.Compute.Inputs.SecGroupRuleArgs
                {
                    Cidr = "0.0.0.0/0",
                    FromPort = 22,
                    IpProtocol = "tcp",
                    ToPort = 22,
                },
                new OpenStack.Compute.Inputs.SecGroupRuleArgs
                {
                    Cidr = "0.0.0.0/0",
                    FromPort = 80,
                    IpProtocol = "tcp",
                    ToPort = 80,
                },
            },
        });
    }

}
package main

import (
	"github.com/pulumi/pulumi-openstack/sdk/v3/go/openstack/compute"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := compute.NewSecGroup(ctx, "secgroup1", &compute.SecGroupArgs{
			Description: pulumi.String("my security group"),
			Rules: compute.SecGroupRuleArray{
				&compute.SecGroupRuleArgs{
					Cidr:       pulumi.String("0.0.0.0/0"),
					FromPort:   pulumi.Int(22),
					IpProtocol: pulumi.String("tcp"),
					ToPort:     pulumi.Int(22),
				},
				&compute.SecGroupRuleArgs{
					Cidr:       pulumi.String("0.0.0.0/0"),
					FromPort:   pulumi.Int(80),
					IpProtocol: pulumi.String("tcp"),
					ToPort:     pulumi.Int(80),
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.openstack.compute.SecGroup;
import com.pulumi.openstack.compute.SecGroupArgs;
import com.pulumi.openstack.compute.inputs.SecGroupRuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var secgroup1 = new SecGroup("secgroup1", SecGroupArgs.builder()        
            .description("my security group")
            .rules(            
                SecGroupRuleArgs.builder()
                    .cidr("0.0.0.0/0")
                    .fromPort(22)
                    .ipProtocol("tcp")
                    .toPort(22)
                    .build(),
                SecGroupRuleArgs.builder()
                    .cidr("0.0.0.0/0")
                    .fromPort(80)
                    .ipProtocol("tcp")
                    .toPort(80)
                    .build())
            .build());

    }
}
import pulumi
import pulumi_openstack as openstack

secgroup1 = openstack.compute.SecGroup("secgroup1",
    description="my security group",
    rules=[
        openstack.compute.SecGroupRuleArgs(
            cidr="0.0.0.0/0",
            from_port=22,
            ip_protocol="tcp",
            to_port=22,
        ),
        openstack.compute.SecGroupRuleArgs(
            cidr="0.0.0.0/0",
            from_port=80,
            ip_protocol="tcp",
            to_port=80,
        ),
    ])
import * as pulumi from "@pulumi/pulumi";
import * as openstack from "@pulumi/openstack";

const secgroup1 = new openstack.compute.SecGroup("secgroup_1", {
    description: "my security group",
    rules: [
        {
            cidr: "0.0.0.0/0",
            fromPort: 22,
            ipProtocol: "tcp",
            toPort: 22,
        },
        {
            cidr: "0.0.0.0/0",
            fromPort: 80,
            ipProtocol: "tcp",
            toPort: 80,
        },
    ],
});
resources:
  secgroup1:
    type: openstack:compute:SecGroup
    properties:
      description: my security group
      rules:
        - cidr: 0.0.0.0/0
          fromPort: 22
          ipProtocol: tcp
          toPort: 22
        - cidr: 0.0.0.0/0
          fromPort: 80
          ipProtocol: tcp
          toPort: 80

Create a SecGroup Resource

new SecGroup(name: string, args: SecGroupArgs, opts?: CustomResourceOptions);
@overload
def SecGroup(resource_name: str,
             opts: Optional[ResourceOptions] = None,
             description: Optional[str] = None,
             name: Optional[str] = None,
             region: Optional[str] = None,
             rules: Optional[Sequence[SecGroupRuleArgs]] = None)
@overload
def SecGroup(resource_name: str,
             args: SecGroupArgs,
             opts: Optional[ResourceOptions] = None)
func NewSecGroup(ctx *Context, name string, args SecGroupArgs, opts ...ResourceOption) (*SecGroup, error)
public SecGroup(string name, SecGroupArgs args, CustomResourceOptions? opts = null)
public SecGroup(String name, SecGroupArgs args)
public SecGroup(String name, SecGroupArgs args, CustomResourceOptions options)
type: openstack:compute:SecGroup
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string
The unique name of the resource.
args SecGroupArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args SecGroupArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args SecGroupArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args SecGroupArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name String
The unique name of the resource.
args SecGroupArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

SecGroup Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The SecGroup resource accepts the following input properties:

Description string

A description for the security group. Changing this updates the description of an existing security group.

Name string

A unique name for the security group. Changing this updates the name of an existing security group.

Region string

The region in which to obtain the V2 Compute client. A Compute client is needed to create a security group. If omitted, the region argument of the provider is used. Changing this creates a new security group.

Rules List<Pulumi.OpenStack.Compute.Inputs.SecGroupRuleArgs>

A rule describing how the security group operates. The rule object structure is documented below. Changing this updates the security group rules. As shown in the example above, multiple rule blocks may be used.

Description string

A description for the security group. Changing this updates the description of an existing security group.

Name string

A unique name for the security group. Changing this updates the name of an existing security group.

Region string

The region in which to obtain the V2 Compute client. A Compute client is needed to create a security group. If omitted, the region argument of the provider is used. Changing this creates a new security group.

Rules []SecGroupRuleArgs

A rule describing how the security group operates. The rule object structure is documented below. Changing this updates the security group rules. As shown in the example above, multiple rule blocks may be used.

description String

A description for the security group. Changing this updates the description of an existing security group.

name String

A unique name for the security group. Changing this updates the name of an existing security group.

region String

The region in which to obtain the V2 Compute client. A Compute client is needed to create a security group. If omitted, the region argument of the provider is used. Changing this creates a new security group.

rules List<SecGroupRuleArgs>

A rule describing how the security group operates. The rule object structure is documented below. Changing this updates the security group rules. As shown in the example above, multiple rule blocks may be used.

description string

A description for the security group. Changing this updates the description of an existing security group.

name string

A unique name for the security group. Changing this updates the name of an existing security group.

region string

The region in which to obtain the V2 Compute client. A Compute client is needed to create a security group. If omitted, the region argument of the provider is used. Changing this creates a new security group.

rules SecGroupRuleArgs[]

A rule describing how the security group operates. The rule object structure is documented below. Changing this updates the security group rules. As shown in the example above, multiple rule blocks may be used.

description str

A description for the security group. Changing this updates the description of an existing security group.

name str

A unique name for the security group. Changing this updates the name of an existing security group.

region str

The region in which to obtain the V2 Compute client. A Compute client is needed to create a security group. If omitted, the region argument of the provider is used. Changing this creates a new security group.

rules Sequence[SecGroupRuleArgs]

A rule describing how the security group operates. The rule object structure is documented below. Changing this updates the security group rules. As shown in the example above, multiple rule blocks may be used.

description String

A description for the security group. Changing this updates the description of an existing security group.

name String

A unique name for the security group. Changing this updates the name of an existing security group.

region String

The region in which to obtain the V2 Compute client. A Compute client is needed to create a security group. If omitted, the region argument of the provider is used. Changing this creates a new security group.

rules List<Property Map>

A rule describing how the security group operates. The rule object structure is documented below. Changing this updates the security group rules. As shown in the example above, multiple rule blocks may be used.

Outputs

All input properties are implicitly available as output properties. Additionally, the SecGroup resource produces the following output properties:

Id string

The provider-assigned unique ID for this managed resource.

Id string

The provider-assigned unique ID for this managed resource.

id String

The provider-assigned unique ID for this managed resource.

id string

The provider-assigned unique ID for this managed resource.

id str

The provider-assigned unique ID for this managed resource.

id String

The provider-assigned unique ID for this managed resource.

Look up an Existing SecGroup Resource

Get an existing SecGroup resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: SecGroupState, opts?: CustomResourceOptions): SecGroup
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        description: Optional[str] = None,
        name: Optional[str] = None,
        region: Optional[str] = None,
        rules: Optional[Sequence[SecGroupRuleArgs]] = None) -> SecGroup
func GetSecGroup(ctx *Context, name string, id IDInput, state *SecGroupState, opts ...ResourceOption) (*SecGroup, error)
public static SecGroup Get(string name, Input<string> id, SecGroupState? state, CustomResourceOptions? opts = null)
public static SecGroup get(String name, Output<String> id, SecGroupState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
Description string

A description for the security group. Changing this updates the description of an existing security group.

Name string

A unique name for the security group. Changing this updates the name of an existing security group.

Region string

The region in which to obtain the V2 Compute client. A Compute client is needed to create a security group. If omitted, the region argument of the provider is used. Changing this creates a new security group.

Rules List<Pulumi.OpenStack.Compute.Inputs.SecGroupRuleArgs>

A rule describing how the security group operates. The rule object structure is documented below. Changing this updates the security group rules. As shown in the example above, multiple rule blocks may be used.

Description string

A description for the security group. Changing this updates the description of an existing security group.

Name string

A unique name for the security group. Changing this updates the name of an existing security group.

Region string

The region in which to obtain the V2 Compute client. A Compute client is needed to create a security group. If omitted, the region argument of the provider is used. Changing this creates a new security group.

Rules []SecGroupRuleArgs

A rule describing how the security group operates. The rule object structure is documented below. Changing this updates the security group rules. As shown in the example above, multiple rule blocks may be used.

description String

A description for the security group. Changing this updates the description of an existing security group.

name String

A unique name for the security group. Changing this updates the name of an existing security group.

region String

The region in which to obtain the V2 Compute client. A Compute client is needed to create a security group. If omitted, the region argument of the provider is used. Changing this creates a new security group.

rules List<SecGroupRuleArgs>

A rule describing how the security group operates. The rule object structure is documented below. Changing this updates the security group rules. As shown in the example above, multiple rule blocks may be used.

description string

A description for the security group. Changing this updates the description of an existing security group.

name string

A unique name for the security group. Changing this updates the name of an existing security group.

region string

The region in which to obtain the V2 Compute client. A Compute client is needed to create a security group. If omitted, the region argument of the provider is used. Changing this creates a new security group.

rules SecGroupRuleArgs[]

A rule describing how the security group operates. The rule object structure is documented below. Changing this updates the security group rules. As shown in the example above, multiple rule blocks may be used.

description str

A description for the security group. Changing this updates the description of an existing security group.

name str

A unique name for the security group. Changing this updates the name of an existing security group.

region str

The region in which to obtain the V2 Compute client. A Compute client is needed to create a security group. If omitted, the region argument of the provider is used. Changing this creates a new security group.

rules Sequence[SecGroupRuleArgs]

A rule describing how the security group operates. The rule object structure is documented below. Changing this updates the security group rules. As shown in the example above, multiple rule blocks may be used.

description String

A description for the security group. Changing this updates the description of an existing security group.

name String

A unique name for the security group. Changing this updates the name of an existing security group.

region String

The region in which to obtain the V2 Compute client. A Compute client is needed to create a security group. If omitted, the region argument of the provider is used. Changing this creates a new security group.

rules List<Property Map>

A rule describing how the security group operates. The rule object structure is documented below. Changing this updates the security group rules. As shown in the example above, multiple rule blocks may be used.

Supporting Types

SecGroupRule

FromPort int

An integer representing the lower bound of the port range to open. Changing this creates a new security group rule.

IpProtocol string

The protocol type that will be allowed. Changing this creates a new security group rule.

ToPort int

An integer representing the upper bound of the port range to open. Changing this creates a new security group rule.

Cidr string

Required if from_group_id or self is empty. The IP range that will be the source of network traffic to the security group. Use 0.0.0.0/0 to allow all IP addresses. Changing this creates a new security group rule. Cannot be combined with from_group_id or self.

FromGroupId string

Required if cidr or self is empty. The ID of a group from which to forward traffic to the parent group. Changing this creates a new security group rule. Cannot be combined with cidr or self.

Id string
Self bool

Required if cidr and from_group_id is empty. If true, the security group itself will be added as a source to this ingress rule. Cannot be combined with cidr or from_group_id.

FromPort int

An integer representing the lower bound of the port range to open. Changing this creates a new security group rule.

IpProtocol string

The protocol type that will be allowed. Changing this creates a new security group rule.

ToPort int

An integer representing the upper bound of the port range to open. Changing this creates a new security group rule.

Cidr string

Required if from_group_id or self is empty. The IP range that will be the source of network traffic to the security group. Use 0.0.0.0/0 to allow all IP addresses. Changing this creates a new security group rule. Cannot be combined with from_group_id or self.

FromGroupId string

Required if cidr or self is empty. The ID of a group from which to forward traffic to the parent group. Changing this creates a new security group rule. Cannot be combined with cidr or self.

Id string
Self bool

Required if cidr and from_group_id is empty. If true, the security group itself will be added as a source to this ingress rule. Cannot be combined with cidr or from_group_id.

fromPort Integer

An integer representing the lower bound of the port range to open. Changing this creates a new security group rule.

ipProtocol String

The protocol type that will be allowed. Changing this creates a new security group rule.

toPort Integer

An integer representing the upper bound of the port range to open. Changing this creates a new security group rule.

cidr String

Required if from_group_id or self is empty. The IP range that will be the source of network traffic to the security group. Use 0.0.0.0/0 to allow all IP addresses. Changing this creates a new security group rule. Cannot be combined with from_group_id or self.

fromGroupId String

Required if cidr or self is empty. The ID of a group from which to forward traffic to the parent group. Changing this creates a new security group rule. Cannot be combined with cidr or self.

id String
self Boolean

Required if cidr and from_group_id is empty. If true, the security group itself will be added as a source to this ingress rule. Cannot be combined with cidr or from_group_id.

fromPort number

An integer representing the lower bound of the port range to open. Changing this creates a new security group rule.

ipProtocol string

The protocol type that will be allowed. Changing this creates a new security group rule.

toPort number

An integer representing the upper bound of the port range to open. Changing this creates a new security group rule.

cidr string

Required if from_group_id or self is empty. The IP range that will be the source of network traffic to the security group. Use 0.0.0.0/0 to allow all IP addresses. Changing this creates a new security group rule. Cannot be combined with from_group_id or self.

fromGroupId string

Required if cidr or self is empty. The ID of a group from which to forward traffic to the parent group. Changing this creates a new security group rule. Cannot be combined with cidr or self.

id string
self boolean

Required if cidr and from_group_id is empty. If true, the security group itself will be added as a source to this ingress rule. Cannot be combined with cidr or from_group_id.

from_port int

An integer representing the lower bound of the port range to open. Changing this creates a new security group rule.

ip_protocol str

The protocol type that will be allowed. Changing this creates a new security group rule.

to_port int

An integer representing the upper bound of the port range to open. Changing this creates a new security group rule.

cidr str

Required if from_group_id or self is empty. The IP range that will be the source of network traffic to the security group. Use 0.0.0.0/0 to allow all IP addresses. Changing this creates a new security group rule. Cannot be combined with from_group_id or self.

from_group_id str

Required if cidr or self is empty. The ID of a group from which to forward traffic to the parent group. Changing this creates a new security group rule. Cannot be combined with cidr or self.

id str
self bool

Required if cidr and from_group_id is empty. If true, the security group itself will be added as a source to this ingress rule. Cannot be combined with cidr or from_group_id.

fromPort Number

An integer representing the lower bound of the port range to open. Changing this creates a new security group rule.

ipProtocol String

The protocol type that will be allowed. Changing this creates a new security group rule.

toPort Number

An integer representing the upper bound of the port range to open. Changing this creates a new security group rule.

cidr String

Required if from_group_id or self is empty. The IP range that will be the source of network traffic to the security group. Use 0.0.0.0/0 to allow all IP addresses. Changing this creates a new security group rule. Cannot be combined with from_group_id or self.

fromGroupId String

Required if cidr or self is empty. The ID of a group from which to forward traffic to the parent group. Changing this creates a new security group rule. Cannot be combined with cidr or self.

id String
self Boolean

Required if cidr and from_group_id is empty. If true, the security group itself will be added as a source to this ingress rule. Cannot be combined with cidr or from_group_id.

Import

Security Groups can be imported using the id, e.g.

 $ pulumi import openstack:compute/secGroup:SecGroup my_secgroup 1bc30ee9-9d5b-4c30-bdd5-7f1e663f5edf

Package Details

Repository
https://github.com/pulumi/pulumi-openstack
License
Apache-2.0
Notes

This Pulumi package is based on the openstack Terraform Provider.