Class SecurityGroupRule
Provides a security group rule resource. Represents a single ingress or
egress group rule, which can be added to external Security Groups.
NOTE on Security Groups and Security Group Rules: This provider currently provides both a standalone Security Group Rule resource (a single ingress or egress rule), and a Security Group resource with ingress and egress rules defined in-line. At this time you cannot use a Security Group with in-line rules in conjunction with any Security Group Rule resources. Doing so will cause a conflict of rule settings and will overwrite rules.
NOTE: Setting protocol = "all" or protocol = -1 with from_port and to_port will result in the EC2 API creating a security group rule with all ports open. This API behavior cannot be controlled by this provider and may generate warnings in the future.
NOTE: Referencing Security Groups across VPC peering has certain restrictions. More information is available in the VPC Peering User Guide.
Example Usage
```csharp
using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        // The original snippet referenced aws_vpc.Example.Cidr_block, which is not
        // valid C#; a VPC resource is declared here instead (CIDR is a placeholder).
        var exampleVpc = new Aws.Ec2.Vpc("example", new Aws.Ec2.VpcArgs
        {
            CidrBlock = "10.0.0.0/16",
        });

        var example = new Aws.Ec2.SecurityGroupRule("example", new Aws.Ec2.SecurityGroupRuleArgs
        {
            Type = "ingress",
            FromPort = 0,
            ToPort = 65535,
            Protocol = "tcp",
            // Allows the whole VPC CIDR on every TCP port, as in the original example.
            CidrBlocks = { exampleVpc.CidrBlock },
            SecurityGroupId = "sg-123456",
        });
    }
}
```
Usage with prefix list IDs
Prefix list IDs are managed by AWS internally. Prefix list IDs are associated with a prefix list name, or service name, that is linked to a specific region. Prefix list IDs are exported on VPC Endpoints, so you can use this format:
```csharp
using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        // ...
        // Prefix list IDs are exported by Gateway endpoints (e.g. S3, DynamoDB);
        // the VPC ID and service name below are placeholders.
        var myEndpoint = new Aws.Ec2.VpcEndpoint("myEndpoint", new Aws.Ec2.VpcEndpointArgs
        {
            VpcId = "vpc-123456",
            ServiceName = "com.amazonaws.us-east-1.s3",
        });
        var allowAll = new Aws.Ec2.SecurityGroupRule("allowAll", new Aws.Ec2.SecurityGroupRuleArgs
        {
            FromPort = 0,
            PrefixListIds =
            {
                myEndpoint.PrefixListId,
            },
            // "-1" with FromPort/ToPort 0 means all protocols and all ports to the prefix list.
            Protocol = "-1",
            SecurityGroupId = "sg-123456",
            ToPort = 0,
            Type = "egress",
        });
    }
}
```
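The two usage examples above open every port to a CIDR or a prefix list. The example below is added here and is not part of the Pulumi documentation; it shows the pattern the notes and property descriptions imply: security groups declared without in-line rules (so they can be combined with standalone SecurityGroupRule resources), an ingress rule scoped to one source security group and one port via SourceSecurityGroupId instead of CidrBlocks, and an explicit single-port egress rule instead of Protocol = "-1". The VPC ID is a placeholder.

```csharp
using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        // Placeholder (assumption): the VPC the groups belong to.
        var vpcId = "vpc-PLACEHOLDER";

        // No in-line Ingress/Egress here: in-line rules cannot be mixed with
        // standalone SecurityGroupRule resources without overwriting each other.
        var lbSg = new Aws.Ec2.SecurityGroup("lb", new Aws.Ec2.SecurityGroupArgs
        {
            VpcId = vpcId,
            Description = "Load balancer",
        });
        var appSg = new Aws.Ec2.SecurityGroup("app", new Aws.Ec2.SecurityGroupArgs
        {
            VpcId = vpcId,
            Description = "Application instances",
        });

        // Ingress from one security group only. SourceSecurityGroupId replaces
        // CidrBlocks; CidrBlocks, SourceSecurityGroupId and Self are mutually exclusive.
        new Aws.Ec2.SecurityGroupRule("app-from-lb", new Aws.Ec2.SecurityGroupRuleArgs
        {
            Type = "ingress",
            Protocol = "tcp",
            FromPort = 8443,
            ToPort = 8443,
            SourceSecurityGroupId = lbSg.Id,
            SecurityGroupId = appSg.Id,
            Description = "HTTPS from the load balancer tier only",
        });

        // Explicit egress on one port instead of Protocol = "-1" (all ports open).
        new Aws.Ec2.SecurityGroupRule("app-egress-https", new Aws.Ec2.SecurityGroupRuleArgs
        {
            Type = "egress",
            Protocol = "tcp",
            FromPort = 443,
            ToPort = 443,
            CidrBlocks = { "0.0.0.0/0" },
            SecurityGroupId = appSg.Id,
        });
    }
}
```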
Namespace: Pulumi.Aws.Ec2
Assembly: Pulumi.Aws.dll
Syntax
public class SecurityGroupRule : CustomResource
Constructors
SecurityGroupRule(String, SecurityGroupRuleArgs, CustomResourceOptions)
Create a SecurityGroupRule resource with the given unique name, arguments, and options.
Declaration
public SecurityGroupRule(string name, SecurityGroupRuleArgs args, CustomResourceOptions options = null)
Parameters
| Type | Name | Description |
|---|---|---|
| System.String | name | The unique name of the resource |
| SecurityGroupRuleArgs | args | The arguments used to populate this resource's properties |
| CustomResourceOptions | options | A bag of options that control this resource's behavior |
Properties
CidrBlocks
List of CIDR blocks. Cannot be specified with source_security_group_id.
Declaration
public Output<ImmutableArray<string>> CidrBlocks { get; }
Property Value
| Type | Description |
|---|---|
| Output<System.Collections.Immutable.ImmutableArray<System.String>> | |
Description
Description of the rule.
Declaration
public Output<string> Description { get; }
Property Value
| Type | Description |
|---|---|
| Output<System.String> | |
FromPort
The start port (or ICMP type number if protocol is "icmp" or "icmpv6").
Declaration
public Output<int> FromPort { get; }
Property Value
| Type | Description |
|---|---|
| Output<System.Int32> | |
Ipv6CidrBlocks
List of IPv6 CIDR blocks.
Declaration
public Output<ImmutableArray<string>> Ipv6CidrBlocks { get; }
Property Value
| Type | Description |
|---|---|
| Output<System.Collections.Immutable.ImmutableArray<System.String>> | |
PrefixListIds
List of prefix list IDs (for allowing access to VPC endpoints).
Only valid with egress.
Declaration
public Output<ImmutableArray<string>> PrefixListIds { get; }
Property Value
| Type | Description |
|---|---|
| Output<System.Collections.Immutable.ImmutableArray<System.String>> | |
Protocol
The protocol. If not icmp, icmpv6, tcp, udp, or all, use the protocol number.
Declaration
public Output<string> Protocol { get; }
Property Value
| Type | Description |
|---|---|
| Output<System.String> | |
SecurityGroupId
The security group to apply this rule to.
Declaration
public Output<string> SecurityGroupId { get; }
Property Value
| Type | Description |
|---|---|
| Output<System.String> | |
Self
If true, the security group itself will be added as
a source to this ingress rule. Cannot be specified with source_security_group_id.
Declaration
public Output<bool?> Self { get; }
Property Value
| Type | Description |
|---|---|
| Output<System.Nullable<System.Boolean>> | |
SourceSecurityGroupId
The security group id to allow access to/from,
depending on the type. Cannot be specified with cidr_blocks and self.
Declaration
public Output<string> SourceSecurityGroupId { get; }
Property Value
| Type | Description |
|---|---|
| Output<System.String> | |
ToPort
The end port (or ICMP code if protocol is "icmp").
Declaration
public Output<int> ToPort { get; }
Property Value
| Type | Description |
|---|---|
| Output<System.Int32> | |
Type
The type of rule being created. Valid options are ingress (inbound)
or egress (outbound).
Declaration
public Output<string> Type { get; }
Property Value
| Type | Description |
|---|---|
| Output<System.String> | |
Methods
Get(String, Input<String>, SecurityGroupRuleState, CustomResourceOptions)
Get an existing SecurityGroupRule resource's state with the given name, ID, and optional extra properties used to qualify the lookup.
Declaration
public static SecurityGroupRule Get(string name, Input<string> id, SecurityGroupRuleState state = null, CustomResourceOptions options = null)
Parameters
| Type | Name | Description |
|---|---|---|
| System.String | name | The unique name of the resulting resource. |
| Input<System.String> | id | The unique provider ID of the resource to lookup. |
| SecurityGroupRuleState | state | Any extra arguments used during the lookup. |
| CustomResourceOptions | options | A bag of options that control this resource's behavior |
Returns
| Type | Description |
|---|---|
| SecurityGroupRule | |