SecurityGroup

Provides a security group resource.

NOTE on Security Groups and Security Group Rules: This provider currently provides both a standalone Security Group Rule resource (a single ingress or egress rule), and a Security Group resource with ingress and egress rules defined in-line. At this time you cannot use a Security Group with in-line rules in conjunction with any Security Group Rule resources. Doing so will cause a conflict of rule settings and will overwrite rules.

NOTE: Referencing Security Groups across VPC peering has certain restrictions. More information is available in the VPC Peering User Guide.

NOTE: Due to AWS Lambda improved VPC networking changes that began deploying in September 2019, security groups associated with Lambda Functions can take up to 45 minutes to successfully delete.

Example Usage

Basic Usage

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.aws.ec2.Vpc;
import com.pulumi.aws.ec2.VpcArgs;
import com.pulumi.aws.ec2.SecurityGroup;
import com.pulumi.aws.ec2.SecurityGroupArgs;
import com.pulumi.aws.ec2.inputs.SecurityGroupIngressArgs;
import com.pulumi.aws.ec2.inputs.SecurityGroupEgressArgs;
import java.util.List;
import java.util.Map;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // The original snippet referenced an existing VPC through an unconverted
        // placeholder (aws_vpc.main()); a VPC resource stands in for it here.
        var main = new Vpc("main", VpcArgs.builder()
            .cidrBlock("10.0.0.0/16")
            .assignGeneratedIpv6CidrBlock(true)
            .build());

        var allowTls = new SecurityGroup("allowTls", SecurityGroupArgs.builder()
            .description("Allow TLS inbound traffic")
            .vpcId(main.id())
            // Ingress: TCP/443 only, and only from the VPC's own address ranges.
            .ingress(SecurityGroupIngressArgs.builder()
                .description("TLS from VPC")
                .fromPort(443)
                .toPort(443)
                .protocol("tcp")
                .cidrBlocks(main.cidrBlock().applyValue(c -> List.of(c)))
                .ipv6CidrBlocks(main.ipv6CidrBlock().applyValue(c -> List.of(c)))
                .build())
            // Egress: all protocols ("-1") to anywhere, IPv4 and IPv6.
            .egress(SecurityGroupEgressArgs.builder()
                .fromPort(0)
                .toPort(0)
                .protocol("-1")
                .cidrBlocks("0.0.0.0/0")
                .ipv6CidrBlocks("::/0")
                .build())
            .tags(Map.of("Name", "allow_tls"))
            .build());
    }
}

Usage With Prefix List IDs

Prefix Lists are either managed by AWS internally, or created by the customer using a Prefix List resource. Prefix Lists provided by AWS are associated with a prefix list name, or service name, that is linked to a specific region. Prefix list IDs are exported on VPC Endpoints, so you can use this format:

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.aws.ec2.VpcEndpoint;
import com.pulumi.aws.ec2.SecurityGroup;
import com.pulumi.aws.ec2.SecurityGroupArgs;
import com.pulumi.aws.ec2.inputs.SecurityGroupEgressArgs;
import java.util.List;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var myEndpoint = new VpcEndpoint("myEndpoint");

        var example = new SecurityGroup("example", SecurityGroupArgs.builder()
            .egress(SecurityGroupEgressArgs.builder()
                .fromPort(0)
                .toPort(0)
                .protocol("-1")
                // Egress scoped to the endpoint's prefix list rather than a CIDR;
                // prefixListId() is an Output<String>, so wrap it in a list.
                .prefixListIds(myEndpoint.prefixListId().applyValue(p -> List.of(p)))
                .build())
            .build());
    }
}
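The following is an added example, not code from the Pulumi docs or the provider itself. It ties together the NOTE on in-line versus standalone rules and the prefix-list section above: the group carries no in-line rules, every rule is a separate SecurityGroupRule, and egress is limited to an S3 gateway endpoint's prefix list instead of 0.0.0.0/0. The VPC, the endpoint and the us-east-1 service name are assumptions constructed for the example.

```java
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.aws.ec2.SecurityGroup;
import com.pulumi.aws.ec2.SecurityGroupArgs;
import com.pulumi.aws.ec2.SecurityGroupRule;
import com.pulumi.aws.ec2.SecurityGroupRuleArgs;
import com.pulumi.aws.ec2.Vpc;
import com.pulumi.aws.ec2.VpcArgs;
import com.pulumi.aws.ec2.VpcEndpoint;
import com.pulumi.aws.ec2.VpcEndpointArgs;
import java.util.List;
import java.util.Map;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        // Assumed VPC (constructed for this example).
        var vpc = new Vpc("main", VpcArgs.builder().cidrBlock("10.0.0.0/16").build());
        // S3 gateway endpoint; the service name assumes us-east-1. Its prefix
        // list ID is what the egress rule below is scoped to.
        var s3Endpoint = new VpcEndpoint("s3Endpoint", VpcEndpointArgs.builder()
            .vpcId(vpc.id())
            .serviceName("com.amazonaws.us-east-1.s3")
            .build());
        // No in-line ingress/egress: every rule is a standalone SecurityGroupRule,
        // so the two mechanisms never overwrite each other. The provider also
        // removes AWS's default allow-all egress rule when it creates the group.
        var appSg = new SecurityGroup("appSg", SecurityGroupArgs.builder()
            .description("App tier: HTTPS in from VPC, S3 out only")
            .vpcId(vpc.id())
            .tags(Map.of("Name", "app_sg"))
            .build());
        new SecurityGroupRule("httpsIn", SecurityGroupRuleArgs.builder()
            .type("ingress")
            .fromPort(443).toPort(443).protocol("tcp")
            .cidrBlocks(vpc.cidrBlock().applyValue(c -> List.of(c)))
            .securityGroupId(appSg.id())
            .build());
        // Egress only to the S3 prefix list, instead of 0.0.0.0/0 and ::/0.
        new SecurityGroupRule("s3Out", SecurityGroupRuleArgs.builder()
            .type("egress")
            .fromPort(443).toPort(443).protocol("tcp")
            .prefixListIds(s3Endpoint.prefixListId().applyValue(p -> List.of(p)))
            .securityGroupId(appSg.id())
            .build());
    }
}
```

Adding an in-line ingress or egress block to appSg later would reintroduce the conflict the NOTE describes, since both the group and the standalone rules would then try to own the same rule set.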

Change of name or name-prefix value

A Security Group's name cannot be edited after the resource is created. In fact, the name and name-prefix arguments force the creation of a new Security Group resource when they change value. In that case, this provider first deletes the existing Security Group resource and then creates a new one. If the existing Security Group is associated with a Network Interface resource, the deletion cannot complete. The reason is that Network Interface resources cannot be left with no Security Group attached, and the new one is not yet available at that point. You must invert the default behavior of the provider: first the new Security Group resource must be created, then associated with any Network Interface resources, and finally the old Security Group can be detached and deleted. To force this behavior, you must set the create_before_destroy property:

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.aws.ec2.SecurityGroup;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var sgWithChangeableName = new SecurityGroup("sgWithChangeableName");
    }
}

Import

Security Groups can be imported using the security group id, e.g.,

$ pulumi import aws:ec2/securityGroup:SecurityGroup elb_sg sg-903004f8

Properties

val arn: Output<String>

ARN of the security group.

val description: Output<String>

Security group description. Defaults to Managed by Pulumi. Cannot be "". NOTE: This field maps to the AWS GroupDescription attribute, for which there is no Update API. If you'd like to classify your security groups in a way that can be updated, use tags.

val egress: Output<List<SecurityGroupEgress>>?

Configuration block for egress rules. Can be specified multiple times for each egress rule. Each egress block supports fields documented below. This argument is processed in attribute-as-blocks mode.

val id: Output<String>

val ingress: Output<List<SecurityGroupIngress>>?

Configuration block for ingress rules. Can be specified multiple times for each ingress rule. Each ingress block supports fields documented below. This argument is processed in attribute-as-blocks mode.

val name: Output<String>

Name of the security group. If omitted, this provider will assign a random, unique name.

val namePrefix: Output<String>

Creates a unique name beginning with the specified prefix. Conflicts with name.

val ownerId: Output<String>

Owner ID.

val revokeRulesOnDelete: Output<Boolean>?

Instruct the provider to revoke all of the Security Group's attached ingress and egress rules before deleting the group itself. This is normally not needed; however, certain AWS services such as Elastic Map Reduce may automatically add required rules to security groups used with the service, and those rules may contain a cyclic dependency that prevents the security groups from being destroyed without removing the dependency first. Default false.

val tags: Output<Map<String, String>>?

Map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

val tagsAll: Output<Map<String, String>>

A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

val urn: Output<String>

val vpcId: Output<String>

VPC ID. Defaults to the region's default VPC.