pulumi-aws-kotlin/com.pulumi.aws.ec2.kotlin/SecurityGroupArgs

SecurityGroupArgs

data class SecurityGroupArgs(val description: Output<String>? = null, val egress: Output<List<SecurityGroupEgressArgs>>? = null, val ingress: Output<List<SecurityGroupIngressArgs>>? = null, val name: Output<String>? = null, val namePrefix: Output<String>? = null, val revokeRulesOnDelete: Output<Boolean>? = null, val tags: Output<Map<String, String>>? = null, val vpcId: Output<String>? = null) : ConvertibleToJava<SecurityGroupArgs>

Provides a security group resource.

NOTE on Security Groups and Security Group Rules: This provider currently provides a Security Group resource with ingress and egress rules defined in-line and a Security Group Rule resource which manages one or more ingress or egress rules. Both of these resource were added before AWS assigned a security group rule unique ID, and they do not work well in all scenarios using thedescription and tags attributes, which rely on the unique ID. The aws_vpc_security_group_egress_rule and aws_vpc_security_group_ingress_rule resources have been added to address these limitations and should be used for all new security group rules. You should not use the aws_vpc_security_group_egress_rule and aws_vpc_security_group_ingress_rule resources in conjunction with an aws.ec2.SecurityGroup resource with in-line rules or with aws.ec2.SecurityGroupRule resources defined for the same Security Group, as rule conflicts may occur and rules will be overwritten. NOTE: Referencing Security Groups across VPC peering has certain restrictions. More information is available in the VPC Peering User Guide. NOTE: Due to AWS Lambda improved VPC networking changes that began deploying in September 2019, security groups associated with Lambda Functions can take up to 45 minutes to successfully delete. NOTE: The cidr_blocks and ipv6_cidr_blocks parameters are optional in the ingress and egress blocks. If nothing is specified, traffic will be blocked as described in NOTE on Egress rules later.

Example Usage

Basic Usage

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.ec2.SecurityGroup;
import com.pulumi.aws.ec2.SecurityGroupArgs;
import com.pulumi.aws.ec2.inputs.SecurityGroupIngressArgs;
import com.pulumi.aws.ec2.inputs.SecurityGroupEgressArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var allowTls = new SecurityGroup("allowTls", SecurityGroupArgs.builder()
            .description("Allow TLS inbound traffic")
            .vpcId(aws_vpc.main().id())
            .ingress(SecurityGroupIngressArgs.builder()
                .description("TLS from VPC")
                .fromPort(443)
                .toPort(443)
                .protocol("tcp")
                .cidrBlocks(aws_vpc.main().cidr_block())
                .ipv6CidrBlocks(aws_vpc.main().ipv6_cidr_block())
                .build())
            .egress(SecurityGroupEgressArgs.builder()
                .fromPort(0)
                .toPort(0)
                .protocol("-1")
                .cidrBlocks("0.0.0.0/0")
                .ipv6CidrBlocks("::/0")
                .build())
            .tags(Map.of("Name", "allow_tls"))
            .build());
    }
}
Content copied to clipboard

Usage With Prefix List IDs

Prefix Lists are either managed by AWS internally, or created by the customer using a Prefix List resource. Prefix Lists provided by AWS are associated with a prefix list name, or service name, that is linked to a specific region. Prefix list IDs are exported on VPC Endpoints, so you can use this format:

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.ec2.VpcEndpoint;
import com.pulumi.aws.ec2.SecurityGroup;
import com.pulumi.aws.ec2.SecurityGroupArgs;
import com.pulumi.aws.ec2.inputs.SecurityGroupEgressArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var myEndpoint = new VpcEndpoint("myEndpoint");
        var example = new SecurityGroup("example", SecurityGroupArgs.builder()
            .egress(SecurityGroupEgressArgs.builder()
                .fromPort(0)
                .toPort(0)
                .protocol("-1")
                .prefixListIds(myEndpoint.prefixListId())
                .build())
            .build());
    }
}
Content copied to clipboard

create_before_destroy

(This example is one approach to recreating security groups. For more information on the challenges and the Security Group Deletion Problem, see the section above.) Normally, the provider first deletes the existing security group resource and then creates a new one. When a security group is associated with a resource, the delete won't succeed. You can invert the default behavior using the create_before_destroy meta argument:

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.ec2.SecurityGroup;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var example = new SecurityGroup("example");
    }
}
Content copied to clipboard

replace_triggered_by

(This example is one approach to recreating security groups. For more information on the challenges and the Security Group Deletion Problem, see the section above.) To replace a resource when a security group changes, use the replace_triggered_by meta argument. Note that in this example, the aws.ec2.Instance will be destroyed and created again when the aws.ec2.SecurityGroup changes.

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.ec2.SecurityGroup;
import com.pulumi.aws.ec2.Instance;
import com.pulumi.aws.ec2.InstanceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var exampleSecurityGroup = new SecurityGroup("exampleSecurityGroup");
        var exampleInstance = new Instance("exampleInstance", InstanceArgs.builder()
            .instanceType("t3.small")
            .vpcSecurityGroupIds(aws_security_group.test().id())
            .build());
    }
}
Content copied to clipboard

Shorter timeout

(This example is one approach to recreating security groups. For more information on the challenges and the Security Group Deletion Problem, see the section above.) If destroying a security group takes a long time, it may be because the provider cannot distinguish between a dependent object (e.g., a security group rule or EC2 instance) that is in the process of being deleted and one that is not. In other words, it may be waiting for a train that isn't scheduled to arrive. To fail faster, shorten the delete timeout from the default timeout:

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.ec2.SecurityGroup;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var example = new SecurityGroup("example");
    }
}
Content copied to clipboard

Import

Security Groups can be imported using the security group id, e.g.,

$ pulumi import aws:ec2/securityGroup:SecurityGroup elb_sg sg-903004f8
Content copied to clipboard

Constructors

Link copied to clipboard
constructor(description: Output<String>? = null, egress: Output<List<SecurityGroupEgressArgs>>? = null, ingress: Output<List<SecurityGroupIngressArgs>>? = null, name: Output<String>? = null, namePrefix: Output<String>? = null, revokeRulesOnDelete: Output<Boolean>? = null, tags: Output<Map<String, String>>? = null, vpcId: Output<String>? = null)

Properties

Link copied to clipboard
val description: Output<String>? = null

Security group description. Defaults to Managed by Pulumi. Cannot be "". NOTE: This field maps to the AWS GroupDescription attribute, for which there is no Update API. If you'd like to classify your security groups in a way that can be updated, use tags.

Link copied to clipboard
val egress: Output<List<SecurityGroupEgressArgs>>? = null

Configuration block for egress rules. Can be specified multiple times for each egress rule. Each egress block supports fields documented below. This argument is processed in attribute-as-blocks mode.

Link copied to clipboard
val ingress: Output<List<SecurityGroupIngressArgs>>? = null

Configuration block for ingress rules. Can be specified multiple times for each ingress rule. Each ingress block supports fields documented below. This argument is processed in attribute-as-blocks mode.

Link copied to clipboard
val name: Output<String>? = null

Name of the security group. If omitted, the provider will assign a random, unique name.

Link copied to clipboard
val namePrefix: Output<String>? = null

Creates a unique name beginning with the specified prefix. Conflicts with name.

Link copied to clipboard
val revokeRulesOnDelete: Output<Boolean>? = null

Instruct the provider to revoke all of the Security Groups attached ingress and egress rules before deleting the rule itself. This is normally not needed, however certain AWS services such as Elastic Map Reduce may automatically add required rules to security groups used with the service, and those rules may contain a cyclic dependency that prevent the security groups from being destroyed without removing the dependency first. Default false.

Link copied to clipboard
val tags: Output<Map<String, String>>? = null

Map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

Link copied to clipboard
val vpcId: Output<String>? = null

VPC ID. Defaults to the region's default VPC.

Functions

Link copied to clipboard
open override fun toJava(): SecurityGroupArgs