pulumi-aws-kotlin/com.pulumi.aws.ec2.kotlin/SecurityGroupArgs

SecurityGroupArgs

data class SecurityGroupArgs(val description: Output<String>? = null, val egress: Output<List<SecurityGroupEgressArgs>>? = null, val ingress: Output<List<SecurityGroupIngressArgs>>? = null, val name: Output<String>? = null, val namePrefix: Output<String>? = null, val revokeRulesOnDelete: Output<Boolean>? = null, val tags: Output<Map<String, String>>? = null, val vpcId: Output<String>? = null) : ConvertibleToJava<SecurityGroupArgs>

Provides a security group resource.

NOTE on Security Groups and Security Group Rules: This provider currently provides both a standalone Security Group Rule resource (a single ingress or egress rule), and a Security Group resource with ingress and egress rules defined in-line. At this time you cannot use a Security Group with in-line rules in conjunction with any Security Group Rule resources. Doing so will cause a conflict of rule settings and will overwrite rules. NOTE: Referencing Security Groups across VPC peering has certain restrictions. More information is available in the VPC Peering User Guide. NOTE: Due to AWS Lambda improved VPC networking changes that began deploying in September 2019, security groups associated with Lambda Functions can take up to 45 minutes to successfully delete.

Example Usage

Basic Usage

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.ec2.SecurityGroup;
import com.pulumi.aws.ec2.SecurityGroupArgs;
import com.pulumi.aws.ec2.inputs.SecurityGroupIngressArgs;
import com.pulumi.aws.ec2.inputs.SecurityGroupEgressArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var allowTls = new SecurityGroup("allowTls", SecurityGroupArgs.builder()
            .description("Allow TLS inbound traffic")
            .vpcId(aws_vpc.main().id())
            .ingress(SecurityGroupIngressArgs.builder()
                .description("TLS from VPC")
                .fromPort(443)
                .toPort(443)
                .protocol("tcp")
                .cidrBlocks(aws_vpc.main().cidr_block())
                .ipv6CidrBlocks(aws_vpc.main().ipv6_cidr_block())
                .build())
            .egress(SecurityGroupEgressArgs.builder()
                .fromPort(0)
                .toPort(0)
                .protocol("-1")
                .cidrBlocks("0.0.0.0/0")
                .ipv6CidrBlocks("::/0")
                .build())
            .tags(Map.of("Name", "allow_tls"))
            .build());
    }
}

Usage With Prefix List IDs

Prefix Lists are either managed by AWS internally, or created by the customer using a Prefix List resource. Prefix Lists provided by AWS are associated with a prefix list name, or service name, that is linked to a specific region. Prefix list IDs are exported on VPC Endpoints, so you can use this format:

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.ec2.VpcEndpoint;
import com.pulumi.aws.ec2.SecurityGroup;
import com.pulumi.aws.ec2.SecurityGroupArgs;
import com.pulumi.aws.ec2.inputs.SecurityGroupEgressArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var myEndpoint = new VpcEndpoint("myEndpoint");
        var example = new SecurityGroup("example", SecurityGroupArgs.builder()
            .egress(SecurityGroupEgressArgs.builder()
                .fromPort(0)
                .toPort(0)
                .protocol("-1")
                .prefixListIds(myEndpoint.prefixListId())
                .build())
            .build());
    }
}

Change of name or name-prefix value

Security Group's Name cannot be edited after the resource is created. In fact, the name and name-prefix arguments force the creation of a new Security Group resource when they change value. In that case, this provider first deletes the existing Security Group resource and then it creates a new one. If the existing Security Group is associated to a Network Interface resource, the deletion cannot complete. The reason is that Network Interface resources cannot be left with no Security Group attached and the new one is not yet available at that point. You must invert the default behavior of the provider. That is, first the new Security Group resource must be created, then associated to possible Network Interface resources and finally the old Security Group can be detached and deleted. To force this behavior, you must set the create_before_destroy property:

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.ec2.SecurityGroup;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var sgWithChangeableName = new SecurityGroup("sgWithChangeableName");
    }
}

Import

Security Groups can be imported using the security group id, e.g.,

$ pulumi import aws:ec2/securityGroup:SecurityGroup elb_sg sg-903004f8

Constructors

SecurityGroupArgs

fun SecurityGroupArgs(description: Output<String>? = null, egress: Output<List<SecurityGroupEgressArgs>>? = null, ingress: Output<List<SecurityGroupIngressArgs>>? = null, name: Output<String>? = null, namePrefix: Output<String>? = null, revokeRulesOnDelete: Output<Boolean>? = null, tags: Output<Map<String, String>>? = null, vpcId: Output<String>? = null)

Functions

toJava

open override fun toJava(): SecurityGroupArgs

Properties

description

val description: Output<String>? = null

Security group description. Defaults to Managed by Pulumi. Cannot be "". NOTE: This field maps to the AWS GroupDescription attribute, for which there is no Update API. If you'd like to classify your security groups in a way that can be updated, use tags.

egress

val egress: Output<List<SecurityGroupEgressArgs>>? = null

Configuration block for egress rules. Can be specified multiple times for each egress rule. Each egress block supports fields documented below. This argument is processed in attribute-as-blocks mode.

ingress

val ingress: Output<List<SecurityGroupIngressArgs>>? = null

Configuration block for ingress rules. Can be specified multiple times for each ingress rule. Each ingress block supports fields documented below. This argument is processed in attribute-as-blocks mode.

name

val name: Output<String>? = null

Name of the security group. If omitted, this provider will assign a random, unique name.

namePrefix

val namePrefix: Output<String>? = null

Creates a unique name beginning with the specified prefix. Conflicts with name.

revokeRulesOnDelete

val revokeRulesOnDelete: Output<Boolean>? = null

Instruct the provider to revoke all of the Security Groups attached ingress and egress rules before deleting the rule itself. This is normally not needed, however certain AWS services such as Elastic Map Reduce may automatically add required rules to security groups used with the service, and those rules may contain a cyclic dependency that prevent the security groups from being destroyed without removing the dependency first. Default false.