SecurityGroupRule

Provides a security group rule resource. Represents a single ingress or egress group rule, which can be added to external Security Groups.

NOTE on Security Groups and Security Group Rules: This provider currently provides both a standalone Security Group Rule resource (a single ingress or egress rule), and a Security Group resource with ingress and egress rules defined in-line. At this time you cannot use a Security Group with in-line rules in conjunction with any Security Group Rule resources. Doing so will cause a conflict of rule settings and will overwrite rules.
NOTE: Setting protocol = "all" or protocol = -1 with from_port and to_port will result in the EC2 API creating a security group rule with all ports open. This API behavior cannot be controlled by this provider and may generate warnings in the future.
NOTE: Referencing Security Groups across VPC peering has certain restrictions. More information is available in the VPC Peering User Guide.
Usage with prefix list IDs

Prefix list IDs are manged by AWS internally. Prefix list IDs are associated with a prefix list name, or service name, that is linked to a specific region. Prefix list IDs are exported on VPC Endpoints, so you can use this format:

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// ...
const myEndpoint = new aws.ec2.VpcEndpoint("my_endpoint", {});
const allowAll = new aws.ec2.SecurityGroupRule("allow_all", {
    fromPort: 0,
    prefixListIds: [myEndpoint.prefixListId],
    protocol: "-1",
    securityGroupId: "sg-123456",
    toPort: 0,
    type: "egress",
});

import pulumi
import pulumi_aws as aws

# ...
my_endpoint = aws.ec2.VpcEndpoint("myEndpoint")
allow_all = aws.ec2.SecurityGroupRule("allowAll",
    from_port=0,
    prefix_list_ids=[my_endpoint.prefix_list_id],
    protocol="-1",
    security_group_id="sg-123456",
    to_port=0,
    type="egress")

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        // ...
        var myEndpoint = new Aws.Ec2.VpcEndpoint("myEndpoint", new Aws.Ec2.VpcEndpointArgs
        {
        });
        var allowAll = new Aws.Ec2.SecurityGroupRule("allowAll", new Aws.Ec2.SecurityGroupRuleArgs
        {
            FromPort = 0,
            PrefixListIds = 
            {
                myEndpoint.PrefixListId,
            },
            Protocol = "-1",
            SecurityGroupId = "sg-123456",
            ToPort = 0,
            Type = "egress",
        });
    }

}

package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v2/go/aws/ec2"
	"github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		myEndpoint, err := ec2.NewVpcEndpoint(ctx, "myEndpoint", nil)
		if err != nil {
			return err
		}
		_, err = ec2.NewSecurityGroupRule(ctx, "allowAll", &ec2.SecurityGroupRuleArgs{
			FromPort: pulumi.Int(0),
			PrefixListIds: pulumi.StringArray{
				myEndpoint.PrefixListId,
			},
			Protocol:        pulumi.String("-1"),
			SecurityGroupId: pulumi.String("sg-123456"),
			ToPort:          pulumi.Int(0),
			Type:            pulumi.String("egress"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

Example Usage

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        var example = new Aws.Ec2.SecurityGroupRule("example", new Aws.Ec2.SecurityGroupRuleArgs
        {
            Type = "ingress",
            FromPort = 0,
            ToPort = 65535,
            Protocol = "tcp",
            CidrBlocks = aws_vpc.Example.Cidr_block,
            SecurityGroupId = "sg-123456",
        });
    }

}

package main

import (
    "github.com/pulumi/pulumi-aws/sdk/v2/go/aws/ec2"
    "github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)

func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        _, err := ec2.NewSecurityGroupRule(ctx, "example", &ec2.SecurityGroupRuleArgs{
            Type:            pulumi.String("ingress"),
            FromPort:        pulumi.Int(0),
            ToPort:          pulumi.Int(65535),
            Protocol:        pulumi.String("tcp"),
            CidrBlocks:      aws_vpc.Example.Cidr_block,
            SecurityGroupId: pulumi.String("sg-123456"),
        })
        if err != nil {
            return err
        }
        return nil
    })
}

import pulumi
import pulumi_aws as aws

example = aws.ec2.SecurityGroupRule("example",
    type="ingress",
    from_port=0,
    to_port=65535,
    protocol="tcp",
    cidr_blocks=aws_vpc["example"]["cidr_block"],
    security_group_id="sg-123456")

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.ec2.SecurityGroupRule("example", {
    type: "ingress",
    fromPort: 0,
    toPort: 65535,
    protocol: "tcp",
    cidrBlocks: aws_vpc.example.cidr_block,
    securityGroupId: "sg-123456",
});

Create a SecurityGroupRule Resource

new SecurityGroupRule(name: string, args: SecurityGroupRuleArgs, opts?: CustomResourceOptions);

def SecurityGroupRule(resource_name, opts=None, cidr_blocks=None, description=None, from_port=None, ipv6_cidr_blocks=None, prefix_list_ids=None, protocol=None, security_group_id=None, self=None, source_security_group_id=None, to_port=None, type=None, __props__=None);

func NewSecurityGroupRule(ctx *Context, name string, args SecurityGroupRuleArgs, opts ...ResourceOption) (*SecurityGroupRule, error)

public SecurityGroupRule(string name, SecurityGroupRuleArgs args, CustomResourceOptions? opts = null)

name string: The unique name of the resource.
args SecurityGroupRuleArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
opts ResourceOptions: A bag of options that control this resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args SecurityGroupRuleArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args SecurityGroupRuleArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

SecurityGroupRule Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.

Inputs

The SecurityGroupRule resource accepts the following input properties:

FromPort int: The start port (or ICMP type number if protocol is “icmp” or “icmpv6”).
Protocol string: The protocol. If not icmp, icmpv6, tcp, udp, or all use the protocol number
SecurityGroupId string: The security group to apply this rule to.
ToPort int: The end port (or ICMP code if protocol is “icmp”).
Type string: The type of rule being created. Valid options are ingress (inbound) or egress (outbound).
CidrBlocks List<string>: List of CIDR blocks. Cannot be specified with source_security_group_id.
Description string: Description of the rule.
Ipv6CidrBlocks List<string>: List of IPv6 CIDR blocks.
PrefixListIds List<string>: List of prefix list IDs (for allowing access to VPC endpoints). Only valid with egress.
Self bool: If true, the security group itself will be added as a source to this ingress rule. Cannot be specified with source_security_group_id.
SourceSecurityGroupId string: The security group id to allow access to/from, depending on the type. Cannot be specified with cidr_blocks and self.

FromPort int: The start port (or ICMP type number if protocol is “icmp” or “icmpv6”).
Protocol string: The protocol. If not icmp, icmpv6, tcp, udp, or all use the protocol number
SecurityGroupId string: The security group to apply this rule to.
ToPort int: The end port (or ICMP code if protocol is “icmp”).
Type string: The type of rule being created. Valid options are ingress (inbound) or egress (outbound).
CidrBlocks []string: List of CIDR blocks. Cannot be specified with source_security_group_id.
Description string: Description of the rule.
Ipv6CidrBlocks []string: List of IPv6 CIDR blocks.
PrefixListIds []string: List of prefix list IDs (for allowing access to VPC endpoints). Only valid with egress.
Self bool: If true, the security group itself will be added as a source to this ingress rule. Cannot be specified with source_security_group_id.
SourceSecurityGroupId string: The security group id to allow access to/from, depending on the type. Cannot be specified with cidr_blocks and self.

fromPort number: The start port (or ICMP type number if protocol is “icmp” or “icmpv6”).
protocol string: The protocol. If not icmp, icmpv6, tcp, udp, or all use the protocol number
securityGroupId string: The security group to apply this rule to.
toPort number: The end port (or ICMP code if protocol is “icmp”).
type string: The type of rule being created. Valid options are ingress (inbound) or egress (outbound).
cidrBlocks string[]: List of CIDR blocks. Cannot be specified with source_security_group_id.
description string: Description of the rule.
ipv6CidrBlocks string[]: List of IPv6 CIDR blocks.
prefixListIds string[]: List of prefix list IDs (for allowing access to VPC endpoints). Only valid with egress.
self boolean: If true, the security group itself will be added as a source to this ingress rule. Cannot be specified with source_security_group_id.
sourceSecurityGroupId string: The security group id to allow access to/from, depending on the type. Cannot be specified with cidr_blocks and self.

from_port float: The start port (or ICMP type number if protocol is “icmp” or “icmpv6”).
protocol str: The protocol. If not icmp, icmpv6, tcp, udp, or all use the protocol number
security_group_id str: The security group to apply this rule to.
to_port float: The end port (or ICMP code if protocol is “icmp”).
type str: The type of rule being created. Valid options are ingress (inbound) or egress (outbound).
cidr_blocks List[str]: List of CIDR blocks. Cannot be specified with source_security_group_id.
description str: Description of the rule.
ipv6_cidr_blocks List[str]: List of IPv6 CIDR blocks.
prefix_list_ids List[str]: List of prefix list IDs (for allowing access to VPC endpoints). Only valid with egress.
self bool: If true, the security group itself will be added as a source to this ingress rule. Cannot be specified with source_security_group_id.
source_security_group_id str: The security group id to allow access to/from, depending on the type. Cannot be specified with cidr_blocks and self.

Outputs

All input properties are implicitly available as output properties. Additionally, the SecurityGroupRule resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.

Id string: The provider-assigned unique ID for this managed resource.

id string: The provider-assigned unique ID for this managed resource.

id str: The provider-assigned unique ID for this managed resource.

Look up an Existing SecurityGroupRule Resource

Get an existing SecurityGroupRule resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: SecurityGroupRuleState, opts?: CustomResourceOptions): SecurityGroupRule

static get(resource_name, id, opts=None, cidr_blocks=None, description=None, from_port=None, ipv6_cidr_blocks=None, prefix_list_ids=None, protocol=None, security_group_id=None, self=None, source_security_group_id=None, to_port=None, type=None, __props__=None);

func GetSecurityGroupRule(ctx *Context, name string, id IDInput, state *SecurityGroupRuleState, opts ...ResourceOption) (*SecurityGroupRule, error)

public static SecurityGroupRule Get(string name, Input<string> id, SecurityGroupRuleState? state, CustomResourceOptions? opts = null)

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

CidrBlocks List<string>: List of CIDR blocks. Cannot be specified with source_security_group_id.
Description string: Description of the rule.
FromPort int: The start port (or ICMP type number if protocol is “icmp” or “icmpv6”).
Ipv6CidrBlocks List<string>: List of IPv6 CIDR blocks.
PrefixListIds List<string>: List of prefix list IDs (for allowing access to VPC endpoints). Only valid with egress.
Protocol string: The protocol. If not icmp, icmpv6, tcp, udp, or all use the protocol number
SecurityGroupId string: The security group to apply this rule to.
Self bool: If true, the security group itself will be added as a source to this ingress rule. Cannot be specified with source_security_group_id.
SourceSecurityGroupId string: The security group id to allow access to/from, depending on the type. Cannot be specified with cidr_blocks and self.
ToPort int: The end port (or ICMP code if protocol is “icmp”).
Type string: The type of rule being created. Valid options are ingress (inbound) or egress (outbound).

CidrBlocks []string: List of CIDR blocks. Cannot be specified with source_security_group_id.
Description string: Description of the rule.
FromPort int: The start port (or ICMP type number if protocol is “icmp” or “icmpv6”).
Ipv6CidrBlocks []string: List of IPv6 CIDR blocks.
PrefixListIds []string: List of prefix list IDs (for allowing access to VPC endpoints). Only valid with egress.
Protocol string: The protocol. If not icmp, icmpv6, tcp, udp, or all use the protocol number
SecurityGroupId string: The security group to apply this rule to.
Self bool: If true, the security group itself will be added as a source to this ingress rule. Cannot be specified with source_security_group_id.
SourceSecurityGroupId string: The security group id to allow access to/from, depending on the type. Cannot be specified with cidr_blocks and self.
ToPort int: The end port (or ICMP code if protocol is “icmp”).
Type string: The type of rule being created. Valid options are ingress (inbound) or egress (outbound).

cidrBlocks string[]: List of CIDR blocks. Cannot be specified with source_security_group_id.
description string: Description of the rule.
fromPort number: The start port (or ICMP type number if protocol is “icmp” or “icmpv6”).
ipv6CidrBlocks string[]: List of IPv6 CIDR blocks.
prefixListIds string[]: List of prefix list IDs (for allowing access to VPC endpoints). Only valid with egress.
protocol string: The protocol. If not icmp, icmpv6, tcp, udp, or all use the protocol number
securityGroupId string: The security group to apply this rule to.
self boolean: If true, the security group itself will be added as a source to this ingress rule. Cannot be specified with source_security_group_id.
sourceSecurityGroupId string: The security group id to allow access to/from, depending on the type. Cannot be specified with cidr_blocks and self.
toPort number: The end port (or ICMP code if protocol is “icmp”).
type string: The type of rule being created. Valid options are ingress (inbound) or egress (outbound).

cidr_blocks List[str]: List of CIDR blocks. Cannot be specified with source_security_group_id.
description str: Description of the rule.
from_port float: The start port (or ICMP type number if protocol is “icmp” or “icmpv6”).
ipv6_cidr_blocks List[str]: List of IPv6 CIDR blocks.
prefix_list_ids List[str]: List of prefix list IDs (for allowing access to VPC endpoints). Only valid with egress.
protocol str: The protocol. If not icmp, icmpv6, tcp, udp, or all use the protocol number
security_group_id str: The security group to apply this rule to.
self bool: If true, the security group itself will be added as a source to this ingress rule. Cannot be specified with source_security_group_id.
source_security_group_id str: The security group id to allow access to/from, depending on the type. Cannot be specified with cidr_blocks and self.
to_port float: The end port (or ICMP code if protocol is “icmp”).
type str: The type of rule being created. Valid options are ingress (inbound) or egress (outbound).

Package Details

Repository: https://github.com/pulumi/pulumi-aws
License: Apache-2.0
Notes: This Pulumi package is based on the aws Terraform Provider.

The Pulumi Platform

Get Started

Migrate to Pulumi

Solutions for All Teams and Engineers

Any Code

Any Cloud