
Resource: awsEc2TrafficMirrorFilterRule

Provides a Traffic Mirror filter rule. Read the limits and considerations for traffic mirroring before use.

Example Usage

To create a basic traffic mirror session

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
// The filter that both rules below attach to; "amazon-dns" also mirrors Amazon DNS traffic.
const awsEc2TrafficMirrorFilterFilter =
  new aws.ec2TrafficMirrorFilter.Ec2TrafficMirrorFilter(this, "filter", {
    description: "traffic mirror filter - terraform example",
    networkServices: ["amazon-dns"],
  });
// Ingress rule: port ranges are allowed here because protocol is TCP (6).
new aws.ec2TrafficMirrorFilterRule.Ec2TrafficMirrorFilterRule(this, "rulein", {
  description: "test rule",
  destinationCidrBlock: "10.0.0.0/8",
  destinationPortRange: {
    fromPort: 22,
    toPort: 53,
  },
  protocol: 6,
  ruleAction: "accept",
  ruleNumber: 1,
  sourceCidrBlock: "10.0.0.0/8",
  sourcePortRange: {
    fromPort: 0,
    toPort: 10,
  },
  trafficDirection: "ingress",
  trafficMirrorFilterId: awsEc2TrafficMirrorFilterFilter.id,
});
// Egress rule: ruleNumber 1 may be reused because uniqueness is per direction.
new aws.ec2TrafficMirrorFilterRule.Ec2TrafficMirrorFilterRule(this, "ruleout", {
  description: "test rule",
  destinationCidrBlock: "10.0.0.0/8",
  ruleAction: "accept",
  ruleNumber: 1,
  sourceCidrBlock: "10.0.0.0/8",
  trafficDirection: "egress",
  trafficMirrorFilterId: awsEc2TrafficMirrorFilterFilter.id,
});

Argument Reference

The following arguments are supported:

  • description - (Optional) Description of the traffic mirror filter rule.
  • trafficMirrorFilterId - (Required) ID of the traffic mirror filter to which this rule should be added.
  • destinationCidrBlock - (Required) Destination CIDR block to assign to the Traffic Mirror rule.
  • destinationPortRange - (Optional) Destination port range. Supported only when the protocol is set to TCP (6) or UDP (17). See Traffic mirror port range documented below.
  • protocol - (Optional) Protocol number, for example 17 (UDP), to assign to the Traffic Mirror rule. For information about the protocol value, see Protocol Numbers on the Internet Assigned Numbers Authority (IANA) website.
  • ruleAction - (Required) Action to take (accept | reject) on the filtered traffic. Valid values are accept and reject.
  • ruleNumber - (Required) Number of the Traffic Mirror rule. This number must be unique for each Traffic Mirror rule in a given direction. The rules are processed in ascending order by rule number.
  • sourceCidrBlock - (Required) Source CIDR block to assign to the Traffic Mirror rule.
  • sourcePortRange - (Optional) Source port range. Supported only when the protocol is set to TCP (6) or UDP (17). See Traffic mirror port range documented below.
  • trafficDirection - (Required) Direction of traffic to be captured. Valid values are ingress and egress.

The traffic mirror port range block supports the following attributes:

  • fromPort - (Optional) Starting port of the range
  • toPort - (Optional) Ending port of the range
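The constraints above (ruleNumber unique per direction, port ranges only with TCP or UDP, fromPort not above toPort) are easy to get wrong in a larger rule set, so they can be checked before synthesis. The following is an added example and not part of the provider documentation; the MirrorRuleConfig shape and the function names are assumptions modelled on the resource's arguments.

```typescript
// Added example, not part of the provider documentation: validates a set of
// rule configurations against the constraints in the Argument Reference
// before they are handed to Ec2TrafficMirrorFilterRule. Types are assumptions.
interface PortRange {
  fromPort?: number;
  toPort?: number;
}

interface MirrorRuleConfig {
  ruleNumber: number;
  trafficDirection: "ingress" | "egress";
  protocol?: number;
  sourceCidrBlock: string;
  destinationCidrBlock: string;
  sourcePortRange?: PortRange;
  destinationPortRange?: PortRange;
}

const TCP = 6, UDP = 17;

function checkPortRange(label: string, range: PortRange | undefined,
                        protocol: number | undefined, errors: string[]): void {
  if (range === undefined) return;
  // Port ranges are supported only when protocol is TCP(6) or UDP(17)
  if (protocol !== TCP && protocol !== UDP) {
    errors.push(`${label}: port range needs protocol 6 (TCP) or 17 (UDP), got ${protocol}`);
  }
  const from = range.fromPort ?? 0;
  const to = range.toPort ?? 65535;
  if (from < 0 || to > 65535 || from > to) {
    errors.push(`${label}: invalid port range ${from}-${to}`);
  }
}

// Returns a list of violations; an empty list means the rule set is consistent.
function validateMirrorRules(rules: MirrorRuleConfig[]): string[] {
  const errors: string[] = [];
  const seen = new Set<string>();
  for (const r of rules) {
    const label = `rule ${r.ruleNumber} (${r.trafficDirection})`;
    // ruleNumber must be unique per direction; reuse across directions is allowed
    const key = `${r.trafficDirection}:${r.ruleNumber}`;
    if (seen.has(key)) errors.push(`${label}: duplicate ruleNumber in this direction`);
    seen.add(key);
    checkPortRange(`${label} source`, r.sourcePortRange, r.protocol, errors);
    checkPortRange(`${label} destination`, r.destinationPortRange, r.protocol, errors);
  }
  return errors;
}
```

Run it over the rule objects you are about to pass to Ec2TrafficMirrorFilterRule and fail the build if the returned list is non-empty.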

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • arn - ARN of the traffic mirror filter rule.
  • id - Name of the traffic mirror filter rule.

Import

Traffic mirror rules can be imported using the trafficMirrorFilterId and id separated by a colon (:), e.g.,

$ terraform import aws_ec2_traffic_mirror_filter_rule.rule tmf-0fbb93ddf38198f64:tmfr-05a458f06445d0aee