AWS v6.73.0 published on Wednesday, Mar 19, 2025 by Pulumi

aws.ec2.SecurityGroupRule


Provides a security group rule resource. Represents a single ingress or egress group rule, which can be added to external Security Groups.

NOTE: Avoid using the aws.ec2.SecurityGroupRule resource: it struggles to manage multiple CIDR blocks and, because its rules historically lacked unique IDs, to manage tags and descriptions. To avoid these problems, follow the current best practice of using the aws.vpc.SecurityGroupEgressRule and aws.vpc.SecurityGroupIngressRule resources with one CIDR block per rule.

WARNING: You should not use the aws.ec2.SecurityGroupRule resource together with aws.vpc.SecurityGroupEgressRule and aws.vpc.SecurityGroupIngressRule resources, or with an aws.ec2.SecurityGroup resource that has in-line rules. Doing so may cause rule conflicts and perpetual differences, and result in rules being overwritten.

NOTE: Setting protocol = "all" or protocol = -1 with from_port and to_port will result in the EC2 API creating a security group rule with all ports open. This API behavior cannot be controlled by this provider and may generate warnings in the future.

NOTE: Referencing Security Groups across VPC peering has certain restrictions. More information is available in the VPC Peering User Guide.

Example Usage

Basic usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Ingress rule on sg-123456 admitting TCP on every port (0-65535) from the VPC's
// IPv4 and IPv6 CIDR ranges. exampleAwsVpc is presumably a VPC declared elsewhere.
// NOTE(review): this is a broad allowance; narrow fromPort/toPort to the ports the
// workload actually serves where possible.
const example = new aws.ec2.SecurityGroupRule("example", {
    type: "ingress",
    fromPort: 0,
    toPort: 65535,
    protocol: aws.ec2.ProtocolType.TCP,
    cidrBlocks: [exampleAwsVpc.cidrBlock],
    ipv6CidrBlocks: [exampleAwsVpc.ipv6CidrBlock],
    securityGroupId: "sg-123456",
});
import pulumi
import pulumi_aws as aws

# Ingress rule on sg-123456 admitting TCP on every port (0-65535) from the VPC's
# IPv4 and IPv6 CIDR ranges. example_aws_vpc is presumably a VPC declared elsewhere.
# NOTE(review): this is a broad allowance; narrow from_port/to_port to the ports the
# workload actually serves where possible.
example = aws.ec2.SecurityGroupRule("example",
    type="ingress",
    from_port=0,
    to_port=65535,
    protocol=aws.ec2.ProtocolType.TCP,
    cidr_blocks=[example_aws_vpc["cidrBlock"]],
    ipv6_cidr_blocks=[example_aws_vpc["ipv6CidrBlock"]],
    security_group_id="sg-123456")
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/ec2"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main declares an ingress rule on sg-123456 that admits TCP on every port
// (0-65535) from the VPC's IPv4 and IPv6 CIDR ranges. exampleAwsVpc is
// presumably a VPC resource declared elsewhere in the program.
//
// NOTE(review): "all TCP ports from the whole VPC" is a broad allowance;
// narrow FromPort/ToPort to the ports the workload actually serves where possible.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The rule definition is kept separate from the call so the allowance is easy to audit.
		args := &ec2.SecurityGroupRuleArgs{
			Type:            pulumi.String("ingress"),
			FromPort:        pulumi.Int(0),
			ToPort:          pulumi.Int(65535),
			Protocol:        pulumi.String(ec2.ProtocolTypeTCP),
			CidrBlocks:      pulumi.StringArray{exampleAwsVpc.CidrBlock},
			Ipv6CidrBlocks:  pulumi.StringArray{exampleAwsVpc.Ipv6CidrBlock},
			SecurityGroupId: pulumi.String("sg-123456"),
		}
		// A nil error from NewSecurityGroupRule is the success path.
		_, err := ec2.NewSecurityGroupRule(ctx, "example", args)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

// Ingress rule on sg-123456 admitting TCP on every port (0-65535) from the VPC's
// IPv4 and IPv6 CIDR ranges. exampleAwsVpc is presumably a VPC declared elsewhere.
// NOTE(review): this is a broad allowance; narrow FromPort/ToPort to the ports the
// workload actually serves where possible.
return await Deployment.RunAsync(() => 
{
    var example = new Aws.Ec2.SecurityGroupRule("example", new()
    {
        Type = "ingress",
        FromPort = 0,
        ToPort = 65535,
        Protocol = Aws.Ec2.ProtocolType.TCP,
        CidrBlocks = new[]
        {
            exampleAwsVpc.CidrBlock,
        },
        Ipv6CidrBlocks = new[]
        {
            exampleAwsVpc.Ipv6CidrBlock,
        },
        SecurityGroupId = "sg-123456",
    });

});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.ec2.SecurityGroupRule;
import com.pulumi.aws.ec2.SecurityGroupRuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Declares an ingress rule on sg-123456 admitting TCP on every port (0-65535)
 * from the VPC's IPv4 and IPv6 CIDR ranges. exampleAwsVpc is presumably a VPC
 * declared elsewhere in the program.
 *
 * NOTE(review): this is a broad allowance; narrow fromPort/toPort to the ports
 * the workload actually serves where possible.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // "tcp" here is the string form of the ProtocolType enum used by the other SDKs.
        var example = new SecurityGroupRule("example", SecurityGroupRuleArgs.builder()
            .type("ingress")
            .fromPort(0)
            .toPort(65535)
            .protocol("tcp")
            .cidrBlocks(exampleAwsVpc.cidrBlock())
            .ipv6CidrBlocks(exampleAwsVpc.ipv6CidrBlock())
            .securityGroupId("sg-123456")
            .build());

    }
}
# Ingress rule on sg-123456 admitting TCP on every port (0-65535) from the VPC's
# IPv4 and IPv6 CIDR ranges. exampleAwsVpc is presumably a VPC declared elsewhere.
# NOTE(review): this is a broad allowance; narrow fromPort/toPort to the ports the
# workload actually serves where possible.
resources:
  example:
    type: aws:ec2:SecurityGroupRule
    properties:
      type: ingress
      fromPort: 0
      toPort: 65535
      protocol: tcp
      cidrBlocks:
        - ${exampleAwsVpc.cidrBlock}
      ipv6CidrBlocks:
        - ${exampleAwsVpc.ipv6CidrBlock}
      securityGroupId: sg-123456

Usage With Prefix List IDs

Prefix Lists are either managed by AWS internally, or created by the customer using a Managed Prefix List resource. Prefix Lists provided by AWS are associated with a prefix list name, or service name, that is linked to a specific region.

Prefix list IDs are exported on VPC Endpoints, so you can use this format:

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// ... (other resources omitted)
const myEndpoint = new aws.ec2.VpcEndpoint("my_endpoint", {});
// Egress rule on sg-123456 toward the endpoint's prefix list. protocol "-1" means
// every protocol; per the note above, the EC2 API then opens all ports regardless
// of fromPort/toPort, so the prefix list is the only thing scoping this rule.
const allowAll = new aws.ec2.SecurityGroupRule("allow_all", {
    type: "egress",
    toPort: 0,
    protocol: "-1",
    prefixListIds: [myEndpoint.prefixListId],
    fromPort: 0,
    securityGroupId: "sg-123456",
});
import pulumi
import pulumi_aws as aws

# ... (other resources omitted)
my_endpoint = aws.ec2.VpcEndpoint("my_endpoint")
# Egress rule on sg-123456 toward the endpoint's prefix list. protocol "-1" means
# every protocol; per the note above, the EC2 API then opens all ports regardless
# of from_port/to_port, so the prefix list is the only thing scoping this rule.
allow_all = aws.ec2.SecurityGroupRule("allow_all",
    type="egress",
    to_port=0,
    protocol="-1",
    prefix_list_ids=[my_endpoint.prefix_list_id],
    from_port=0,
    security_group_id="sg-123456")
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/ec2"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main creates a VPC endpoint and then an egress rule on sg-123456 whose
// destination is the endpoint's prefix list. Protocol "-1" selects every
// protocol; as the page notes above, the EC2 API then opens all ports
// regardless of FromPort/ToPort, so the prefix list is the only scoping.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// ... (other resources omitted)
		myEndpoint, err := ec2.NewVpcEndpoint(ctx, "my_endpoint", nil)
		if err != nil {
			return err
		}
		args := &ec2.SecurityGroupRuleArgs{
			Type:            pulumi.String("egress"),
			ToPort:          pulumi.Int(0),
			Protocol:        pulumi.String("-1"),
			PrefixListIds:   pulumi.StringArray{myEndpoint.PrefixListId},
			FromPort:        pulumi.Int(0),
			SecurityGroupId: pulumi.String("sg-123456"),
		}
		// A nil error from NewSecurityGroupRule is the success path.
		_, err = ec2.NewSecurityGroupRule(ctx, "allow_all", args)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

// Creates a VPC endpoint, then an egress rule on sg-123456 toward the endpoint's
// prefix list. Protocol "-1" means every protocol; per the note above, the EC2 API
// then opens all ports regardless of FromPort/ToPort.
return await Deployment.RunAsync(() => 
{
    // ... (other resources omitted)
    var myEndpoint = new Aws.Ec2.VpcEndpoint("my_endpoint");

    var allowAll = new Aws.Ec2.SecurityGroupRule("allow_all", new()
    {
        Type = "egress",
        ToPort = 0,
        Protocol = "-1",
        PrefixListIds = new[]
        {
            myEndpoint.PrefixListId,
        },
        FromPort = 0,
        SecurityGroupId = "sg-123456",
    });

});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.ec2.VpcEndpoint;
import com.pulumi.aws.ec2.SecurityGroupRule;
import com.pulumi.aws.ec2.SecurityGroupRuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Creates a VPC endpoint, then an egress rule on sg-123456 toward the endpoint's
 * prefix list. Protocol "-1" means every protocol; per the note above, the EC2
 * API then opens all ports regardless of fromPort/toPort.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // ... (other resources omitted)
        var myEndpoint = new VpcEndpoint("myEndpoint");

        var allowAll = new SecurityGroupRule("allowAll", SecurityGroupRuleArgs.builder()
            .type("egress")
            .toPort(0)
            .protocol("-1")
            .prefixListIds(myEndpoint.prefixListId())
            .fromPort(0)
            .securityGroupId("sg-123456")
            .build());

    }
}
# Egress rule on sg-123456 toward the VPC endpoint's prefix list. protocol '-1'
# means every protocol; per the note above, the EC2 API then opens all ports
# regardless of fromPort/toPort, so the prefix list is the only scoping.
resources:
  allowAll:
    type: aws:ec2:SecurityGroupRule
    name: allow_all
    properties:
      type: egress
      toPort: 0
      protocol: '-1'
      prefixListIds:
        - ${myEndpoint.prefixListId}
      fromPort: 0
      securityGroupId: sg-123456
  # ... (other resources omitted)
  myEndpoint:
    type: aws:ec2:VpcEndpoint
    name: my_endpoint

You can also find a specific Prefix List using the aws.ec2.getPrefixList or ec2_managed_prefix_list data sources:

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Resolve the AWS-managed S3 prefix list for the current region; its name embeds the region.
const current = aws.getRegion({});
const s3 = current.then(current => aws.ec2.getPrefixList({
    name: `com.amazonaws.${current.name}.s3`,
}));
// TCP 443 egress from sg-123456 to that prefix list only; pinning the destination to
// a prefix list rather than a broad CIDR keeps the egress allowance narrow and auditable.
const s3GatewayEgress = new aws.ec2.SecurityGroupRule("s3_gateway_egress", {
    description: "S3 Gateway Egress",
    type: "egress",
    securityGroupId: "sg-123456",
    fromPort: 443,
    toPort: 443,
    protocol: aws.ec2.ProtocolType.TCP,
    prefixListIds: [s3.then(s3 => s3.id)],
});
import pulumi
import pulumi_aws as aws

# Resolve the AWS-managed S3 prefix list for the current region; its name embeds the region.
current = aws.get_region()
s3 = aws.ec2.get_prefix_list(name=f"com.amazonaws.{current.name}.s3")
# TCP 443 egress from sg-123456 to that prefix list only; pinning the destination to
# a prefix list rather than a broad CIDR keeps the egress allowance narrow and auditable.
s3_gateway_egress = aws.ec2.SecurityGroupRule("s3_gateway_egress",
    description="S3 Gateway Egress",
    type="egress",
    security_group_id="sg-123456",
    from_port=443,
    to_port=443,
    protocol=aws.ec2.ProtocolType.TCP,
    prefix_list_ids=[s3.id])
package main

import (
	"fmt"

	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws"
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/ec2"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main resolves the AWS-managed S3 prefix list for the current region and
// allows TCP 443 egress from sg-123456 to that prefix list only. Pinning the
// destination to a prefix list rather than a broad CIDR keeps the egress
// allowance narrow and auditable.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		current, err := aws.GetRegion(ctx, &aws.GetRegionArgs{}, nil)
		if err != nil {
			return err
		}
		// AWS-managed prefix list names embed the region, so build the name from the lookup.
		listName := fmt.Sprintf("com.amazonaws.%v.s3", current.Name)
		s3, err := ec2.GetPrefixList(ctx, &ec2.GetPrefixListArgs{
			Name: pulumi.StringRef(listName),
		}, nil)
		if err != nil {
			return err
		}
		args := &ec2.SecurityGroupRuleArgs{
			Description:     pulumi.String("S3 Gateway Egress"),
			Type:            pulumi.String("egress"),
			SecurityGroupId: pulumi.String("sg-123456"),
			FromPort:        pulumi.Int(443),
			ToPort:          pulumi.Int(443),
			Protocol:        pulumi.String(ec2.ProtocolTypeTCP),
			PrefixListIds:   pulumi.StringArray{pulumi.String(s3.Id)},
		}
		// A nil error from NewSecurityGroupRule is the success path.
		_, err = ec2.NewSecurityGroupRule(ctx, "s3_gateway_egress", args)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

// Resolves the AWS-managed S3 prefix list for the current region (its name embeds
// the region) and allows TCP 443 egress from sg-123456 to that prefix list only.
// Pinning the destination to a prefix list rather than a broad CIDR keeps the
// egress allowance narrow and auditable.
return await Deployment.RunAsync(() => 
{
    var current = Aws.GetRegion.Invoke();

    var s3 = Aws.Ec2.GetPrefixList.Invoke(new()
    {
        Name = $"com.amazonaws.{current.Apply(getRegionResult => getRegionResult.Name)}.s3",
    });

    var s3GatewayEgress = new Aws.Ec2.SecurityGroupRule("s3_gateway_egress", new()
    {
        Description = "S3 Gateway Egress",
        Type = "egress",
        SecurityGroupId = "sg-123456",
        FromPort = 443,
        ToPort = 443,
        Protocol = Aws.Ec2.ProtocolType.TCP,
        PrefixListIds = new[]
        {
            s3.Apply(getPrefixListResult => getPrefixListResult.Id),
        },
    });

});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.AwsFunctions;
import com.pulumi.aws.inputs.GetRegionArgs;
import com.pulumi.aws.ec2.Ec2Functions;
import com.pulumi.aws.ec2.inputs.GetPrefixListArgs;
import com.pulumi.aws.ec2.SecurityGroupRule;
import com.pulumi.aws.ec2.SecurityGroupRuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Resolves the AWS-managed S3 prefix list for the current region (its name embeds
 * the region) and allows TCP 443 egress from sg-123456 to that prefix list only.
 * Pinning the destination to a prefix list rather than a broad CIDR keeps the
 * egress allowance narrow and auditable.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var current = AwsFunctions.getRegion();

        final var s3 = Ec2Functions.getPrefixList(GetPrefixListArgs.builder()
            .name(String.format("com.amazonaws.%s.s3", current.applyValue(getRegionResult -> getRegionResult.name())))
            .build());

        // "tcp" here is the string form of the ProtocolType enum used by the other SDKs.
        var s3GatewayEgress = new SecurityGroupRule("s3GatewayEgress", SecurityGroupRuleArgs.builder()
            .description("S3 Gateway Egress")
            .type("egress")
            .securityGroupId("sg-123456")
            .fromPort(443)
            .toPort(443)
            .protocol("tcp")
            .prefixListIds(s3.applyValue(getPrefixListResult -> getPrefixListResult.id()))
            .build());

    }
}
# TCP 443 egress from sg-123456 to the AWS-managed S3 prefix list for the current
# region only. Pinning the destination to a prefix list rather than a broad CIDR
# keeps the egress allowance narrow and auditable.
resources:
  s3GatewayEgress:
    type: aws:ec2:SecurityGroupRule
    name: s3_gateway_egress
    properties:
      description: S3 Gateway Egress
      type: egress
      securityGroupId: sg-123456
      fromPort: 443
      toPort: 443
      protocol: tcp
      prefixListIds:
        - ${s3.id}
# The prefix list name embeds the region, so it is built from the region lookup.
variables:
  current:
    fn::invoke:
      function: aws:getRegion
      arguments: {}
  s3:
    fn::invoke:
      function: aws:ec2:getPrefixList
      arguments:
        name: com.amazonaws.${current.name}.s3

Create SecurityGroupRule Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new SecurityGroupRule(name: string, args: SecurityGroupRuleArgs, opts?: CustomResourceOptions);
@overload
def SecurityGroupRule(resource_name: str,
                      args: SecurityGroupRuleArgs,
                      opts: Optional[ResourceOptions] = None)

@overload
def SecurityGroupRule(resource_name: str,
                      opts: Optional[ResourceOptions] = None,
                      from_port: Optional[int] = None,
                      protocol: Optional[Union[str, ProtocolType]] = None,
                      security_group_id: Optional[str] = None,
                      to_port: Optional[int] = None,
                      type: Optional[str] = None,
                      cidr_blocks: Optional[Sequence[str]] = None,
                      description: Optional[str] = None,
                      ipv6_cidr_blocks: Optional[Sequence[str]] = None,
                      prefix_list_ids: Optional[Sequence[str]] = None,
                      self: Optional[bool] = None,
                      source_security_group_id: Optional[str] = None)
func NewSecurityGroupRule(ctx *Context, name string, args SecurityGroupRuleArgs, opts ...ResourceOption) (*SecurityGroupRule, error)
public SecurityGroupRule(string name, SecurityGroupRuleArgs args, CustomResourceOptions? opts = null)
public SecurityGroupRule(String name, SecurityGroupRuleArgs args)
public SecurityGroupRule(String name, SecurityGroupRuleArgs args, CustomResourceOptions options)
type: aws:ec2:SecurityGroupRule
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name This property is required. string
The unique name of the resource.
args This property is required. SecurityGroupRuleArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name This property is required. str
The unique name of the resource.
args This property is required. SecurityGroupRuleArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name This property is required. string
The unique name of the resource.
args This property is required. SecurityGroupRuleArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name This property is required. string
The unique name of the resource.
args This property is required. SecurityGroupRuleArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name This property is required. String
The unique name of the resource.
args This property is required. SecurityGroupRuleArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

// Reference example with a placeholder value for every input property; "string",
// 0 and false are not valid rule settings and must be replaced before use.
var securityGroupRuleResource = new Aws.Ec2.SecurityGroupRule("securityGroupRuleResource", new()
{
    FromPort = 0,
    Protocol = "string",
    SecurityGroupId = "string",
    ToPort = 0,
    Type = "string",
    CidrBlocks = new[]
    {
        "string",
    },
    Description = "string",
    Ipv6CidrBlocks = new[]
    {
        "string",
    },
    PrefixListIds = new[]
    {
        "string",
    },
    Self = false,
    SourceSecurityGroupId = "string",
});
// Reference example with a placeholder value for every input property; "string",
// 0 and false are not valid rule settings and must be replaced before use.
// ctx is assumed to be the *pulumi.Context of an enclosing pulumi.Run callback.
example, err := ec2.NewSecurityGroupRule(ctx, "securityGroupRuleResource", &ec2.SecurityGroupRuleArgs{
	FromPort:        pulumi.Int(0),
	Protocol:        pulumi.String("string"),
	SecurityGroupId: pulumi.String("string"),
	ToPort:          pulumi.Int(0),
	Type:            pulumi.String("string"),
	CidrBlocks: pulumi.StringArray{
		pulumi.String("string"),
	},
	Description: pulumi.String("string"),
	Ipv6CidrBlocks: pulumi.StringArray{
		pulumi.String("string"),
	},
	PrefixListIds: pulumi.StringArray{
		pulumi.String("string"),
	},
	Self:                  pulumi.Bool(false),
	SourceSecurityGroupId: pulumi.String("string"),
})
// Reference example with a placeholder value for every input property; "string",
// 0 and false are not valid rule settings and must be replaced before use.
var securityGroupRuleResource = new SecurityGroupRule("securityGroupRuleResource", SecurityGroupRuleArgs.builder()
    .fromPort(0)
    .protocol("string")
    .securityGroupId("string")
    .toPort(0)
    .type("string")
    .cidrBlocks("string")
    .description("string")
    .ipv6CidrBlocks("string")
    .prefixListIds("string")
    .self(false)
    .sourceSecurityGroupId("string")
    .build());
# Reference example with a placeholder value for every input property; "string",
# 0 and False are not valid rule settings and must be replaced before use.
security_group_rule_resource = aws.ec2.SecurityGroupRule("securityGroupRuleResource",
    from_port=0,
    protocol="string",
    security_group_id="string",
    to_port=0,
    type="string",
    cidr_blocks=["string"],
    description="string",
    ipv6_cidr_blocks=["string"],
    prefix_list_ids=["string"],
    self=False,
    source_security_group_id="string")
// Reference example with a placeholder value for every input property; "string",
// 0 and false are not valid rule settings and must be replaced before use.
const securityGroupRuleResource = new aws.ec2.SecurityGroupRule("securityGroupRuleResource", {
    fromPort: 0,
    protocol: "string",
    securityGroupId: "string",
    toPort: 0,
    type: "string",
    cidrBlocks: ["string"],
    description: "string",
    ipv6CidrBlocks: ["string"],
    prefixListIds: ["string"],
    self: false,
    sourceSecurityGroupId: "string",
});
# Reference example with a placeholder value for every input property; "string",
# 0 and false are not valid rule settings and must be replaced before use.
type: aws:ec2:SecurityGroupRule
properties:
    cidrBlocks:
        - string
    description: string
    fromPort: 0
    ipv6CidrBlocks:
        - string
    prefixListIds:
        - string
    protocol: string
    securityGroupId: string
    self: false
    sourceSecurityGroupId: string
    toPort: 0
    type: string

SecurityGroupRule Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The SecurityGroupRule resource accepts the following input properties:

FromPort
This property is required.
Changes to this property will trigger replacement.
int
Start port (or ICMP type number if protocol is "icmp" or "icmpv6").
Protocol
This property is required.
Changes to this property will trigger replacement.
string | Pulumi.Aws.Ec2.ProtocolType
Protocol. If not icmp, icmpv6, tcp, udp, or all, use the protocol number.
SecurityGroupId
This property is required.
Changes to this property will trigger replacement.
string
Security group to apply this rule to.
ToPort
This property is required.
Changes to this property will trigger replacement.
int
End port (or ICMP code if protocol is "icmp").
Type
This property is required.
Changes to this property will trigger replacement.
string

Type of rule being created. Valid options are ingress (inbound) or egress (outbound).

The following arguments are optional:

Note Although cidr_blocks, ipv6_cidr_blocks, prefix_list_ids, and source_security_group_id are all marked as optional, you must provide one of them in order to configure the source of the traffic.

CidrBlocks Changes to this property will trigger replacement. List<string>
List of CIDR blocks. Cannot be specified with source_security_group_id or self.
Description string
Description of the rule.
Ipv6CidrBlocks Changes to this property will trigger replacement. List<string>
List of IPv6 CIDR blocks. Cannot be specified with source_security_group_id or self.
PrefixListIds Changes to this property will trigger replacement. List<string>
List of Prefix List IDs.
Self Changes to this property will trigger replacement. bool
Whether the security group itself will be added as a source to this ingress rule. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or source_security_group_id.
SourceSecurityGroupId Changes to this property will trigger replacement. string
Security group id to allow access to/from, depending on the type. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or self.
FromPort
This property is required.
Changes to this property will trigger replacement.
int
Start port (or ICMP type number if protocol is "icmp" or "icmpv6").
Protocol
This property is required.
Changes to this property will trigger replacement.
string | ProtocolType
Protocol. If not icmp, icmpv6, tcp, udp, or all, use the protocol number.
SecurityGroupId
This property is required.
Changes to this property will trigger replacement.
string
Security group to apply this rule to.
ToPort
This property is required.
Changes to this property will trigger replacement.
int
End port (or ICMP code if protocol is "icmp").
Type
This property is required.
Changes to this property will trigger replacement.
string

Type of rule being created. Valid options are ingress (inbound) or egress (outbound).

The following arguments are optional:

Note Although cidr_blocks, ipv6_cidr_blocks, prefix_list_ids, and source_security_group_id are all marked as optional, you must provide one of them in order to configure the source of the traffic.

CidrBlocks Changes to this property will trigger replacement. []string
List of CIDR blocks. Cannot be specified with source_security_group_id or self.
Description string
Description of the rule.
Ipv6CidrBlocks Changes to this property will trigger replacement. []string
List of IPv6 CIDR blocks. Cannot be specified with source_security_group_id or self.
PrefixListIds Changes to this property will trigger replacement. []string
List of Prefix List IDs.
Self Changes to this property will trigger replacement. bool
Whether the security group itself will be added as a source to this ingress rule. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or source_security_group_id.
SourceSecurityGroupId Changes to this property will trigger replacement. string
Security group id to allow access to/from, depending on the type. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or self.
fromPort
This property is required.
Changes to this property will trigger replacement.
Integer
Start port (or ICMP type number if protocol is "icmp" or "icmpv6").
protocol
This property is required.
Changes to this property will trigger replacement.
String | ProtocolType
Protocol. If not icmp, icmpv6, tcp, udp, or all, use the protocol number.
securityGroupId
This property is required.
Changes to this property will trigger replacement.
String
Security group to apply this rule to.
toPort
This property is required.
Changes to this property will trigger replacement.
Integer
End port (or ICMP code if protocol is "icmp").
type
This property is required.
Changes to this property will trigger replacement.
String

Type of rule being created. Valid options are ingress (inbound) or egress (outbound).

The following arguments are optional:

Note Although cidr_blocks, ipv6_cidr_blocks, prefix_list_ids, and source_security_group_id are all marked as optional, you must provide one of them in order to configure the source of the traffic.

cidrBlocks Changes to this property will trigger replacement. List<String>
List of CIDR blocks. Cannot be specified with source_security_group_id or self.
description String
Description of the rule.
ipv6CidrBlocks Changes to this property will trigger replacement. List<String>
List of IPv6 CIDR blocks. Cannot be specified with source_security_group_id or self.
prefixListIds Changes to this property will trigger replacement. List<String>
List of Prefix List IDs.
self Changes to this property will trigger replacement. Boolean
Whether the security group itself will be added as a source to this ingress rule. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or source_security_group_id.
sourceSecurityGroupId Changes to this property will trigger replacement. String
Security group id to allow access to/from, depending on the type. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or self.
fromPort
This property is required.
Changes to this property will trigger replacement.
number
Start port (or ICMP type number if protocol is "icmp" or "icmpv6").
protocol
This property is required.
Changes to this property will trigger replacement.
string | ProtocolType
Protocol. If not icmp, icmpv6, tcp, udp, or all, use the protocol number.
securityGroupId
This property is required.
Changes to this property will trigger replacement.
string
Security group to apply this rule to.
toPort
This property is required.
Changes to this property will trigger replacement.
number
End port (or ICMP code if protocol is "icmp").
type
This property is required.
Changes to this property will trigger replacement.
string

Type of rule being created. Valid options are ingress (inbound) or egress (outbound).

The following arguments are optional:

Note Although cidr_blocks, ipv6_cidr_blocks, prefix_list_ids, and source_security_group_id are all marked as optional, you must provide one of them in order to configure the source of the traffic.

cidrBlocks Changes to this property will trigger replacement. string[]
List of CIDR blocks. Cannot be specified with source_security_group_id or self.
description string
Description of the rule.
ipv6CidrBlocks Changes to this property will trigger replacement. string[]
List of IPv6 CIDR blocks. Cannot be specified with source_security_group_id or self.
prefixListIds Changes to this property will trigger replacement. string[]
List of Prefix List IDs.
self Changes to this property will trigger replacement. boolean
Whether the security group itself will be added as a source to this ingress rule. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or source_security_group_id.
sourceSecurityGroupId Changes to this property will trigger replacement. string
Security group id to allow access to/from, depending on the type. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or self.
from_port
This property is required.
Changes to this property will trigger replacement.
int
Start port (or ICMP type number if protocol is "icmp" or "icmpv6").
protocol
This property is required.
Changes to this property will trigger replacement.
str | ProtocolType
Protocol. If not icmp, icmpv6, tcp, udp, or all, use the protocol number.
security_group_id
This property is required.
Changes to this property will trigger replacement.
str
Security group to apply this rule to.
to_port
This property is required.
Changes to this property will trigger replacement.
int
End port (or ICMP code if protocol is "icmp").
type
This property is required.
Changes to this property will trigger replacement.
str

Type of rule being created. Valid options are ingress (inbound) or egress (outbound).

The following arguments are optional:

Note Although cidr_blocks, ipv6_cidr_blocks, prefix_list_ids, and source_security_group_id are all marked as optional, you must provide one of them in order to configure the source of the traffic.

cidr_blocks Changes to this property will trigger replacement. Sequence[str]
List of CIDR blocks. Cannot be specified with source_security_group_id or self.
description str
Description of the rule.
ipv6_cidr_blocks Changes to this property will trigger replacement. Sequence[str]
List of IPv6 CIDR blocks. Cannot be specified with source_security_group_id or self.
prefix_list_ids Changes to this property will trigger replacement. Sequence[str]
List of Prefix List IDs.
self Changes to this property will trigger replacement. bool
Whether the security group itself will be added as a source to this ingress rule. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or source_security_group_id.
source_security_group_id Changes to this property will trigger replacement. str
Security group id to allow access to/from, depending on the type. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or self.
fromPort
This property is required.
Changes to this property will trigger replacement.
Number
Start port (or ICMP type number if protocol is "icmp" or "icmpv6").
protocol
This property is required.
Changes to this property will trigger replacement.
String | "all" | "tcp" | "udp" | "icmp"
Protocol. If not icmp, icmpv6, tcp, udp, or all, use the protocol number.
securityGroupId
This property is required.
Changes to this property will trigger replacement.
String
Security group to apply this rule to.
toPort
This property is required.
Changes to this property will trigger replacement.
Number
End port (or ICMP code if protocol is "icmp").
type
This property is required.
Changes to this property will trigger replacement.
String

Type of rule being created. Valid options are ingress (inbound) or egress (outbound).

The following arguments are optional:

Note Although cidr_blocks, ipv6_cidr_blocks, prefix_list_ids, and source_security_group_id are all marked as optional, you must provide one of them in order to configure the source of the traffic.

cidrBlocks Changes to this property will trigger replacement. List<String>
List of CIDR blocks. Cannot be specified with source_security_group_id or self.
description String
Description of the rule.
ipv6CidrBlocks Changes to this property will trigger replacement. List<String>
List of IPv6 CIDR blocks. Cannot be specified with source_security_group_id or self.
prefixListIds Changes to this property will trigger replacement. List<String>
List of Prefix List IDs.
self Changes to this property will trigger replacement. Boolean
Whether the security group itself will be added as a source to this ingress rule. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or source_security_group_id.
sourceSecurityGroupId Changes to this property will trigger replacement. String
Security group id to allow access to/from, depending on the type. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or self.

Outputs

All input properties are implicitly available as output properties. Additionally, the SecurityGroupRule resource produces the following output properties:

Id string
The provider-assigned unique ID for this managed resource.
SecurityGroupRuleId string
If the aws.ec2.SecurityGroupRule resource has a single source or destination then this is the AWS Security Group Rule resource ID. Otherwise it is empty.
Id string
The provider-assigned unique ID for this managed resource.
SecurityGroupRuleId string
If the aws.ec2.SecurityGroupRule resource has a single source or destination then this is the AWS Security Group Rule resource ID. Otherwise it is empty.
id String
The provider-assigned unique ID for this managed resource.
securityGroupRuleId String
If the aws.ec2.SecurityGroupRule resource has a single source or destination then this is the AWS Security Group Rule resource ID. Otherwise it is empty.
id string
The provider-assigned unique ID for this managed resource.
securityGroupRuleId string
If the aws.ec2.SecurityGroupRule resource has a single source or destination then this is the AWS Security Group Rule resource ID. Otherwise it is empty.
id str
The provider-assigned unique ID for this managed resource.
security_group_rule_id str
If the aws.ec2.SecurityGroupRule resource has a single source or destination then this is the AWS Security Group Rule resource ID. Otherwise it is empty.
id String
The provider-assigned unique ID for this managed resource.
securityGroupRuleId String
If the aws.ec2.SecurityGroupRule resource has a single source or destination then this is the AWS Security Group Rule resource ID. Otherwise it is empty.

Look up Existing SecurityGroupRule Resource

Get an existing SecurityGroupRule resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: SecurityGroupRuleState, opts?: CustomResourceOptions): SecurityGroupRule
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        cidr_blocks: Optional[Sequence[str]] = None,
        description: Optional[str] = None,
        from_port: Optional[int] = None,
        ipv6_cidr_blocks: Optional[Sequence[str]] = None,
        prefix_list_ids: Optional[Sequence[str]] = None,
        protocol: Optional[Union[str, ProtocolType]] = None,
        security_group_id: Optional[str] = None,
        security_group_rule_id: Optional[str] = None,
        self: Optional[bool] = None,
        source_security_group_id: Optional[str] = None,
        to_port: Optional[int] = None,
        type: Optional[str] = None) -> SecurityGroupRule
func GetSecurityGroupRule(ctx *Context, name string, id IDInput, state *SecurityGroupRuleState, opts ...ResourceOption) (*SecurityGroupRule, error)
public static SecurityGroupRule Get(string name, Input<string> id, SecurityGroupRuleState? state, CustomResourceOptions? opts = null)
public static SecurityGroupRule get(String name, Output<String> id, SecurityGroupRuleState state, CustomResourceOptions options)
resources:  _:    type: aws:ec2:SecurityGroupRule    get:      id: ${id}
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
CidrBlocks Changes to this property will trigger replacement. List<string>
List of CIDR blocks. Cannot be specified with source_security_group_id or self.
Description string
Description of the rule.
FromPort Changes to this property will trigger replacement. int
Start port (or ICMP type number if protocol is "icmp" or "icmpv6").
Ipv6CidrBlocks Changes to this property will trigger replacement. List<string>
List of IPv6 CIDR blocks. Cannot be specified with source_security_group_id or self.
PrefixListIds Changes to this property will trigger replacement. List<string>
List of Prefix List IDs.
Protocol Changes to this property will trigger replacement. string | Pulumi.Aws.Ec2.ProtocolType
Protocol: "icmp", "icmpv6", "tcp", "udp", or "all"; for any other protocol, use its IANA protocol number. Note that "all" (or -1) matches every port regardless of from_port/to_port, so treat it as an any-port rule when reviewing exposure.
SecurityGroupId Changes to this property will trigger replacement. string
Security group to apply this rule to.
SecurityGroupRuleId string
If the aws.ec2.SecurityGroupRule resource has a single source or destination then this is the AWS Security Group Rule resource ID. Otherwise it is empty.
Self Changes to this property will trigger replacement. bool
Whether the security group itself is added as the source (for ingress) or destination (for egress) of this rule, i.e. members of the group may talk to each other. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or source_security_group_id.
SourceSecurityGroupId Changes to this property will trigger replacement. string
Security group id to allow access to/from, depending on the type. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or self.
ToPort Changes to this property will trigger replacement. int
End port (or ICMP code if protocol is "icmp" or "icmpv6").
Type Changes to this property will trigger replacement. string

Type of rule being created. Valid options are ingress (inbound) or egress (outbound).

The following arguments are optional:

Note Although cidr_blocks, ipv6_cidr_blocks, prefix_list_ids, and source_security_group_id are all marked as optional, you must provide at least one of them (or set self to true) to configure the source (ingress) or destination (egress) of the traffic; a rule without any of them has nothing to match.

CidrBlocks Changes to this property will trigger replacement. []string
List of CIDR blocks. Cannot be specified with source_security_group_id or self.
Description string
Description of the rule.
FromPort Changes to this property will trigger replacement. int
Start port (or ICMP type number if protocol is "icmp" or "icmpv6").
Ipv6CidrBlocks Changes to this property will trigger replacement. []string
List of IPv6 CIDR blocks. Cannot be specified with source_security_group_id or self.
PrefixListIds Changes to this property will trigger replacement. []string
List of Prefix List IDs.
Protocol Changes to this property will trigger replacement. string | ProtocolType
Protocol: "icmp", "icmpv6", "tcp", "udp", or "all"; for any other protocol, use its IANA protocol number. Note that "all" (or -1) matches every port regardless of from_port/to_port, so treat it as an any-port rule when reviewing exposure.
SecurityGroupId Changes to this property will trigger replacement. string
Security group to apply this rule to.
SecurityGroupRuleId string
If the aws.ec2.SecurityGroupRule resource has a single source or destination then this is the AWS Security Group Rule resource ID. Otherwise it is empty.
Self Changes to this property will trigger replacement. bool
Whether the security group itself is added as the source (for ingress) or destination (for egress) of this rule, i.e. members of the group may talk to each other. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or source_security_group_id.
SourceSecurityGroupId Changes to this property will trigger replacement. string
Security group id to allow access to/from, depending on the type. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or self.
ToPort Changes to this property will trigger replacement. int
End port (or ICMP code if protocol is "icmp" or "icmpv6").
Type Changes to this property will trigger replacement. string

Type of rule being created. Valid options are ingress (inbound) or egress (outbound).

The following arguments are optional:

Note Although cidr_blocks, ipv6_cidr_blocks, prefix_list_ids, and source_security_group_id are all marked as optional, you must provide at least one of them (or set self to true) to configure the source (ingress) or destination (egress) of the traffic; a rule without any of them has nothing to match.

cidrBlocks Changes to this property will trigger replacement. List<String>
List of CIDR blocks. Cannot be specified with source_security_group_id or self.
description String
Description of the rule.
fromPort Changes to this property will trigger replacement. Integer
Start port (or ICMP type number if protocol is "icmp" or "icmpv6").
ipv6CidrBlocks Changes to this property will trigger replacement. List<String>
List of IPv6 CIDR blocks. Cannot be specified with source_security_group_id or self.
prefixListIds Changes to this property will trigger replacement. List<String>
List of Prefix List IDs.
protocol Changes to this property will trigger replacement. String | ProtocolType
Protocol: "icmp", "icmpv6", "tcp", "udp", or "all"; for any other protocol, use its IANA protocol number. Note that "all" (or -1) matches every port regardless of fromPort/toPort, so treat it as an any-port rule when reviewing exposure.
securityGroupId Changes to this property will trigger replacement. String
Security group to apply this rule to.
securityGroupRuleId String
If the aws.ec2.SecurityGroupRule resource has a single source or destination then this is the AWS Security Group Rule resource ID. Otherwise it is empty.
self Changes to this property will trigger replacement. Boolean
Whether the security group itself is added as the source (for ingress) or destination (for egress) of this rule, i.e. members of the group may talk to each other. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or source_security_group_id.
sourceSecurityGroupId Changes to this property will trigger replacement. String
Security group id to allow access to/from, depending on the type. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or self.
toPort Changes to this property will trigger replacement. Integer
End port (or ICMP code if protocol is "icmp" or "icmpv6").
type Changes to this property will trigger replacement. String

Type of rule being created. Valid options are ingress (inbound) or egress (outbound).

The following arguments are optional:

Note Although cidr_blocks, ipv6_cidr_blocks, prefix_list_ids, and source_security_group_id are all marked as optional, you must provide at least one of them (or set self to true) to configure the source (ingress) or destination (egress) of the traffic; a rule without any of them has nothing to match.

cidrBlocks Changes to this property will trigger replacement. string[]
List of CIDR blocks. Cannot be specified with source_security_group_id or self.
description string
Description of the rule.
fromPort Changes to this property will trigger replacement. number
Start port (or ICMP type number if protocol is "icmp" or "icmpv6").
ipv6CidrBlocks Changes to this property will trigger replacement. string[]
List of IPv6 CIDR blocks. Cannot be specified with source_security_group_id or self.
prefixListIds Changes to this property will trigger replacement. string[]
List of Prefix List IDs.
protocol Changes to this property will trigger replacement. string | ProtocolType
Protocol: "icmp", "icmpv6", "tcp", "udp", or "all"; for any other protocol, use its IANA protocol number. Note that "all" (or -1) matches every port regardless of fromPort/toPort, so treat it as an any-port rule when reviewing exposure.
securityGroupId Changes to this property will trigger replacement. string
Security group to apply this rule to.
securityGroupRuleId string
If the aws.ec2.SecurityGroupRule resource has a single source or destination then this is the AWS Security Group Rule resource ID. Otherwise it is empty.
self Changes to this property will trigger replacement. boolean
Whether the security group itself is added as the source (for ingress) or destination (for egress) of this rule, i.e. members of the group may talk to each other. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or source_security_group_id.
sourceSecurityGroupId Changes to this property will trigger replacement. string
Security group id to allow access to/from, depending on the type. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or self.
toPort Changes to this property will trigger replacement. number
End port (or ICMP code if protocol is "icmp" or "icmpv6").
type Changes to this property will trigger replacement. string

Type of rule being created. Valid options are ingress (inbound) or egress (outbound).

The following arguments are optional:

Note Although cidr_blocks, ipv6_cidr_blocks, prefix_list_ids, and source_security_group_id are all marked as optional, you must provide at least one of them (or set self to true) to configure the source (ingress) or destination (egress) of the traffic; a rule without any of them has nothing to match.

cidr_blocks Changes to this property will trigger replacement. Sequence[str]
List of CIDR blocks. Cannot be specified with source_security_group_id or self.
description str
Description of the rule.
from_port Changes to this property will trigger replacement. int
Start port (or ICMP type number if protocol is "icmp" or "icmpv6").
ipv6_cidr_blocks Changes to this property will trigger replacement. Sequence[str]
List of IPv6 CIDR blocks. Cannot be specified with source_security_group_id or self.
prefix_list_ids Changes to this property will trigger replacement. Sequence[str]
List of Prefix List IDs.
protocol Changes to this property will trigger replacement. str | ProtocolType
Protocol: "icmp", "icmpv6", "tcp", "udp", or "all"; for any other protocol, use its IANA protocol number. Note that "all" (or -1) matches every port regardless of from_port/to_port, so treat it as an any-port rule when reviewing exposure.
security_group_id Changes to this property will trigger replacement. str
Security group to apply this rule to.
security_group_rule_id str
If the aws.ec2.SecurityGroupRule resource has a single source or destination then this is the AWS Security Group Rule resource ID. Otherwise it is empty.
self Changes to this property will trigger replacement. bool
Whether the security group itself is added as the source (for ingress) or destination (for egress) of this rule, i.e. members of the group may talk to each other. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or source_security_group_id.
source_security_group_id Changes to this property will trigger replacement. str
Security group id to allow access to/from, depending on the type. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or self.
to_port Changes to this property will trigger replacement. int
End port (or ICMP code if protocol is "icmp" or "icmpv6").
type Changes to this property will trigger replacement. str

Type of rule being created. Valid options are ingress (inbound) or egress (outbound).

The following arguments are optional:

Note Although cidr_blocks, ipv6_cidr_blocks, prefix_list_ids, and source_security_group_id are all marked as optional, you must provide at least one of them (or set self to true) to configure the source (ingress) or destination (egress) of the traffic; a rule without any of them has nothing to match.

cidrBlocks Changes to this property will trigger replacement. List<String>
List of CIDR blocks. Cannot be specified with source_security_group_id or self.
description String
Description of the rule.
fromPort Changes to this property will trigger replacement. Number
Start port (or ICMP type number if protocol is "icmp" or "icmpv6").
ipv6CidrBlocks Changes to this property will trigger replacement. List<String>
List of IPv6 CIDR blocks. Cannot be specified with source_security_group_id or self.
prefixListIds Changes to this property will trigger replacement. List<String>
List of Prefix List IDs.
protocol Changes to this property will trigger replacement. String | "all" | "tcp" | "udp" | "icmp"
Protocol: "icmp", "icmpv6", "tcp", "udp", or "all"; for any other protocol, use its IANA protocol number. Note that "all" (or -1) matches every port regardless of fromPort/toPort, so treat it as an any-port rule when reviewing exposure.
securityGroupId Changes to this property will trigger replacement. String
Security group to apply this rule to.
securityGroupRuleId String
If the aws.ec2.SecurityGroupRule resource has a single source or destination then this is the AWS Security Group Rule resource ID. Otherwise it is empty.
self Changes to this property will trigger replacement. Boolean
Whether the security group itself is added as the source (for ingress) or destination (for egress) of this rule, i.e. members of the group may talk to each other. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or source_security_group_id.
sourceSecurityGroupId Changes to this property will trigger replacement. String
Security group id to allow access to/from, depending on the type. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or self.
toPort Changes to this property will trigger replacement. Number
End port (or ICMP code if protocol is "icmp" or "icmpv6").
type Changes to this property will trigger replacement. String

Type of rule being created. Valid options are ingress (inbound) or egress (outbound).

The following arguments are optional:

Note Although cidr_blocks, ipv6_cidr_blocks, prefix_list_ids, and source_security_group_id are all marked as optional, you must provide at least one of them (or set self to true) to configure the source (ingress) or destination (egress) of the traffic; a rule without any of them has nothing to match.

Supporting Types

ProtocolType
, ProtocolTypeArgs

All
all
TCP
tcp
UDP
udp
ICMP
icmp
ProtocolTypeAll
all
ProtocolTypeTCP
tcp
ProtocolTypeUDP
udp
ProtocolTypeICMP
icmp
All
all
TCP
tcp
UDP
udp
ICMP
icmp
All
all
TCP
tcp
UDP
udp
ICMP
icmp
ALL
all
TCP
tcp
UDP
udp
ICMP
icmp
"all"
all
"tcp"
tcp
"udp"
udp
"icmp"
icmp

Import

Import a rule with various IPv4 and IPv6 source CIDR blocks:

Import a rule, applicable to all ports, with a protocol other than TCP/UDP/ICMP/ICMPV6/ALL, e.g., Multicast Transport Protocol (MTP), using the IANA protocol number. For example: 92.

Import a default any/any egress rule to 0.0.0.0/0:

Import an egress rule with a prefix list ID destination:

Import a rule applicable to all protocols and ports with a security group source:

Import a rule that has itself and an IPv6 CIDR block as sources:

Using pulumi import to import Security Group Rules using the security_group_id, type, protocol, from_port, to_port, and source(s)/destination(s) (such as a cidr_block) separated by underscores (_). All parts are required. For example:

NOTE: Not all rule permissions (e.g., not all of a rule’s CIDR blocks) need to be imported for this provider to manage rule permissions. However, importing some of a rule’s permissions but not others, and then making changes to the rule, will result in the creation of an additional rule to capture the updated permissions. Rule permissions that were not imported are left intact in the original rule — they remain in effect in AWS but are invisible to this stack’s preview and diff, so audit the live security group rather than relying on the stack state alone when checking exposure.

Import an ingress rule in security group sg-6e616f6d69 for TCP port 8000 with an IPv4 destination CIDR of 10.0.3.0/24:

$ pulumi import aws:ec2/securityGroupRule:SecurityGroupRule ingress sg-6e616f6d69_ingress_tcp_8000_8000_10.0.3.0/24

Import a rule with various IPv4 and IPv6 source CIDR blocks:

$ pulumi import aws:ec2/securityGroupRule:SecurityGroupRule ingress sg-4973616163_ingress_tcp_100_121_10.1.0.0/16_2001:db8::/48_10.2.0.0/16_2002:db8::/48

Import a rule, applicable to all ports, with a protocol other than TCP/UDP/ICMP/ICMPV6/ALL, e.g., Multicast Transport Protocol (MTP), using the IANA protocol number (92 in the example below). The 0_65536 port range in the import ID denotes all ports for such protocols:

$ pulumi import aws:ec2/securityGroupRule:SecurityGroupRule ingress sg-6777656e646f6c796e_ingress_92_0_65536_10.0.3.0/24_10.0.4.0/24

Import a default any/any egress rule to 0.0.0.0/0 (the permissive allow-all outbound rule present on a security group by default); importing it brings the rule under management so it can be reviewed, restricted, or removed as part of the stack:

$ pulumi import aws:ec2/securityGroupRule:SecurityGroupRule default_egress sg-6777656e646f6c796e_egress_all_0_0_0.0.0.0/0

Import an egress rule with a prefix list ID destination:

$ pulumi import aws:ec2/securityGroupRule:SecurityGroupRule egress sg-62726f6479_egress_tcp_8000_8000_pl-6469726b

Import a rule applicable to all protocols and ports with a security group source:

$ pulumi import aws:ec2/securityGroupRule:SecurityGroupRule ingress_rule sg-7472697374616e_ingress_all_0_65536_sg-6176657279

Import a rule that has itself and an IPv6 CIDR block as sources:

$ pulumi import aws:ec2/securityGroupRule:SecurityGroupRule rule_name sg-656c65616e6f72_ingress_tcp_80_80_self_2001:db8::/48

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository
AWS Classic pulumi/pulumi-aws
License
Apache-2.0
Notes
This Pulumi package is based on the aws Terraform Provider.