Provides a security group rule resource. Represents a single ingress or egress group rule, which can be added to external Security Groups.
NOTE: Avoid using the aws.ec2.SecurityGroupRule resource, as it struggles with managing multiple CIDR blocks and, due to the historical lack of unique IDs, with tags and descriptions. To avoid these problems, use the current best practice of the aws.vpc.SecurityGroupEgressRule and aws.vpc.SecurityGroupIngressRule resources with one CIDR block per rule.
!> WARNING: You should not use the aws.ec2.SecurityGroupRule resource in conjunction with aws.vpc.SecurityGroupEgressRule and aws.vpc.SecurityGroupIngressRule resources or with an aws.ec2.SecurityGroup resource that has in-line rules. Doing so may cause rule conflicts, perpetual differences, and result in rules being overwritten.
NOTE: Setting protocol = "all" or protocol = -1 with from_port and to_port will result in the EC2 API creating a security group rule with all ports open. This API behavior cannot be controlled by this provider and may generate warnings in the future.
NOTE: Referencing Security Groups across VPC peering has certain restrictions. More information is available in the VPC Peering User Guide.
§Example Usage
Basic usage
use pulumi_wasm_rust::Output;
use pulumi_wasm_rust::{add_export, pulumi_main};
// `security_group_rule` and `SecurityGroupRuleArgs` are the crate's generated
// bindings for aws.ec2.SecurityGroupRule; their import path is omitted here.
#[pulumi_main]
fn test_main() -> Result<(), Error> {
    // Ingress rule admitting every TCP port from the VPC's IPv4 and IPv6 CIDR blocks.
    let example = security_group_rule::create(
        "example",
        SecurityGroupRuleArgs::builder()
            .cidr_blocks(vec!["${exampleAwsVpc.cidrBlock}"])
            .from_port(0)
            .ipv_6_cidr_blocks(vec!["${exampleAwsVpc.ipv6CidrBlock}"])
            .protocol("tcp")
            .security_group_id("sg-123456")
            .to_port(65535)
            .type_("ingress")
            .build_struct(),
    );
    Ok(())
}
§Usage With Prefix List IDs
Prefix Lists are either managed by AWS internally, or created by the customer using a Managed Prefix List resource. Prefix Lists provided by AWS are associated with a prefix list name, or service name, that is linked to a specific region.
Prefix list IDs are exported on VPC Endpoints, so you can use this format:
use pulumi_wasm_rust::Output;
use pulumi_wasm_rust::{add_export, pulumi_main};
// `security_group_rule`, `SecurityGroupRuleArgs`, `vpc_endpoint` and `VpcEndpointArgs`
// are the crate's generated AWS bindings; their import path is omitted here.
#[pulumi_main]
fn test_main() -> Result<(), Error> {
    // The endpoint exports the prefix list ID that the egress rule references below.
    let my_endpoint = vpc_endpoint::create(
        "myEndpoint",
        VpcEndpointArgs::builder().build_struct(),
    );
    // Egress rule for all protocols (-1) and ports, restricted to the endpoint's prefix list.
    let allow_all = security_group_rule::create(
        "allowAll",
        SecurityGroupRuleArgs::builder()
            .from_port(0)
            .prefix_list_ids(vec!["${myEndpoint.prefixListId}"])
            .protocol("-1")
            .security_group_id("sg-123456")
            .to_port(0)
            .type_("egress")
            .build_struct(),
    );
    Ok(())
}
You can also find a specific Prefix List using the aws.ec2.getPrefixList or ec2_managed_prefix_list data sources:
resources:
  s3GatewayEgress:
    type: aws:ec2:SecurityGroupRule
    name: s3_gateway_egress
    properties:
      description: S3 Gateway Egress
      type: egress
      securityGroupId: sg-123456
      fromPort: 443
      toPort: 443
      protocol: tcp
      prefixListIds:
        - ${s3.id}
variables:
  current:
    fn::invoke:
      function: aws:getRegion
      arguments: {}
  s3:
    fn::invoke:
      function: aws:ec2:getPrefixList
      arguments:
        name: com.amazonaws.${current.name}.s3
§Import
Using pulumi import to import Security Group Rules using the security_group_id, type, protocol, from_port, to_port, and source(s)/destination(s) (such as a cidr_block) separated by underscores (_). All parts are required. For example:
NOTE: Not all rule permissions (e.g., not all of a rule’s CIDR blocks) need to be imported for this provider to manage rule permissions. However, importing some of a rule’s permissions but not others, and then making changes to the rule will result in the creation of an additional rule to capture the updated permissions. Rule permissions that were not imported are left intact in the original rule.
Import an ingress rule in security group sg-6e616f6d69 for TCP port 8000 with an IPv4 destination CIDR of 10.0.3.0/24:
$ pulumi import aws:ec2/securityGroupRule:SecurityGroupRule ingress sg-6e616f6d69_ingress_tcp_8000_8000_10.0.3.0/24
Import a rule with various IPv4 and IPv6 source CIDR blocks:
$ pulumi import aws:ec2/securityGroupRule:SecurityGroupRule ingress sg-4973616163_ingress_tcp_100_121_10.1.0.0/16_2001:db8::/48_10.2.0.0/16_2002:db8::/48
Import a rule, applicable to all ports, with a protocol other than TCP/UDP/ICMP/ICMPV6/ALL, e.g., Multicast Transport Protocol (MTP), using the IANA protocol number. For example: 92.
$ pulumi import aws:ec2/securityGroupRule:SecurityGroupRule ingress sg-6777656e646f6c796e_ingress_92_0_65536_10.0.3.0/24_10.0.4.0/24
Import a default any/any egress rule to 0.0.0.0/0:
$ pulumi import aws:ec2/securityGroupRule:SecurityGroupRule default_egress sg-6777656e646f6c796e_egress_all_0_0_0.0.0.0/0
Import an egress rule with a prefix list ID destination:
$ pulumi import aws:ec2/securityGroupRule:SecurityGroupRule egress sg-62726f6479_egress_tcp_8000_8000_pl-6469726b
Import a rule applicable to all protocols and ports with a security group source:
$ pulumi import aws:ec2/securityGroupRule:SecurityGroupRule ingress_rule sg-7472697374616e_ingress_all_0_65536_sg-6176657279
Import a rule that has itself and an IPv6 CIDR block as sources:
$ pulumi import aws:ec2/securityGroupRule:SecurityGroupRule rule_name sg-656c65616e6f72_ingress_tcp_80_80_self_2001:db8::/48
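The import ID format described above (security_group_id, type, protocol, from_port, to_port and one or more sources joined by underscores) and the earlier note that protocol = "all" / -1 yields a rule with every port open both lend themselves to a small checker. The following is an added example written for this page; it is not part of the pulumi_wasm_rust crate or the AWS provider. It parses an import ID into its parts, classifies each source as a CIDR block, prefix list, security group or the literal self, and flags rules that admit all ports from 0.0.0.0/0 or ::/0. The IDs in main() are the ones shown in the Import section plus one constructed wide-open ingress ID (sg-0000...) used to exercise the check.

```rust
// Added example, not part of the pulumi_wasm_rust crate or the AWS provider:
// a parser for the documented `pulumi import` ID format
// (security_group_id_type_protocol_from_port_to_port_source[_source...])
// plus a check for rules that end up with every port open, the case the
// protocol = "all" / -1 note on this page warns about.

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Source {
    /// IPv4 or IPv6 CIDR block, e.g. 10.0.3.0/24 or 2001:db8::/48
    Cidr(String),
    /// Managed prefix list ID, e.g. pl-6469726b
    PrefixList(String),
    /// Another security group ID, e.g. sg-6176657279
    SecurityGroup(String),
    /// The literal "self": the rule's own security group
    SelfRef,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct ImportId {
    pub security_group_id: String,
    pub rule_type: String, // "ingress" or "egress"
    pub protocol: String,  // tcp, udp, icmp, icmpv6, all, -1, or an IANA number
    pub from_port: u32,
    pub to_port: u32,
    pub sources: Vec<Source>,
}

#[derive(Debug, PartialEq, Eq)]
pub enum ParseError {
    TooFewParts(usize),
    BadSecurityGroupId(String),
    BadType(String),
    BadPort(String),
}

/// Split an import ID on `_` and validate each required part.
/// Sources never contain `_`, so everything after the fifth part is a source.
pub fn parse_import_id(id: &str) -> Result<ImportId, ParseError> {
    let parts: Vec<&str> = id.split('_').collect();
    if parts.len() < 6 {
        return Err(ParseError::TooFewParts(parts.len()));
    }
    if !parts[0].starts_with("sg-") {
        return Err(ParseError::BadSecurityGroupId(parts[0].to_string()));
    }
    if parts[1] != "ingress" && parts[1] != "egress" {
        return Err(ParseError::BadType(parts[1].to_string()));
    }
    let port = |p: &str| p.parse::<u32>().map_err(|_| ParseError::BadPort(p.to_string()));
    Ok(ImportId {
        security_group_id: parts[0].to_string(),
        rule_type: parts[1].to_string(),
        protocol: parts[2].to_string(),
        from_port: port(parts[3])?,
        to_port: port(parts[4])?,
        sources: parts[5..].iter().map(|s| classify_source(s)).collect(),
    })
}

fn classify_source(s: &str) -> Source {
    match s {
        "self" => Source::SelfRef,
        _ if s.starts_with("pl-") => Source::PrefixList(s.to_string()),
        _ if s.starts_with("sg-") => Source::SecurityGroup(s.to_string()),
        _ => Source::Cidr(s.to_string()),
    }
}

/// True when the rule admits every port: protocol all/-1 (the EC2 API then
/// ignores the port range, as noted above) or an explicit 0..65535 range.
pub fn opens_all_ports(rule: &ImportId) -> bool {
    matches!(rule.protocol.as_str(), "all" | "-1")
        || (rule.from_port == 0 && rule.to_port >= 65535)
}

/// True when any source is the unrestricted IPv4 or IPv6 CIDR.
pub fn has_world_source(rule: &ImportId) -> bool {
    rule.sources
        .iter()
        .any(|s| matches!(s, Source::Cidr(c) if c == "0.0.0.0/0" || c == "::/0"))
}

/// The finding a reviewer cares about most: ingress, all ports, from anywhere.
pub fn is_wide_open_ingress(rule: &ImportId) -> bool {
    rule.rule_type == "ingress" && opens_all_ports(rule) && has_world_source(rule)
}

fn main() {
    // The first three IDs are the ones shown in the Import section; the last
    // is a constructed example of the wide-open case.
    let ids = [
        "sg-6e616f6d69_ingress_tcp_8000_8000_10.0.3.0/24",
        "sg-6777656e646f6c796e_egress_all_0_0_0.0.0.0/0",
        "sg-656c65616e6f72_ingress_tcp_80_80_self_2001:db8::/48",
        "sg-0000_ingress_-1_0_0_0.0.0.0/0",
    ];
    for id in ids {
        match parse_import_id(id) {
            Ok(rule) => println!(
                "{id}\n  all ports: {}  wide-open ingress: {}",
                opens_all_ports(&rule),
                is_wide_open_ingress(&rule)
            ),
            Err(e) => println!("{id}\n  invalid: {e:?}"),
        }
    }
}
```

The parser is deliberately strict about the five fixed parts and permissive about sources, mirroring the note that a rule's permissions may be imported partially; a default egress rule (all protocols to 0.0.0.0/0) is reported as opening all ports but is not flagged as wide-open ingress, so only inbound exposure surfaces as a finding.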
Structs§
- SecurityGroupRuleArgs: Use builder syntax to set the inputs and finish with build_struct().
Functions§
- create: Registers a new resource with the given unique name and arguments.