Resource: awsNetworkInterfaceSgAttachment

This resource attaches a security group to an Elastic Network Interface (ENI). It can be used to attach a security group to any existing ENI, be it a secondary ENI or one attached as the primary interface on an instance.

~> NOTE on instances, interfaces, and security groups: Terraform currently provides the capability to assign security groups via the awsInstance and the awsNetworkInterface resources. Using this resource in conjunction with security groups provided in-line in those resources will cause conflicts, and will lead to spurious diffs and undefined behavior - please use one or the other.

Example Usage

The following provides a very basic example of setting up an instance (provided by instance) in the default security group, creating a security group (provided by sg) and then attaching the security group to the instance's primary network interface via the awsNetworkInterfaceSgAttachment resource, named sgAttachment:

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsSecurityGroupSg = new aws.securityGroup.SecurityGroup(this, "sg", {
  tags: {
    type: "terraform-test-security-group",
  },
});
const dataAwsAmiAmi = new aws.dataAwsAmi.DataAwsAmi(this, "ami", {
  filter: [
    {
      name: "name",
      values: ["amzn-ami-hvm-*"],
    },
  ],
  mostRecent: true,
  owners: ["amazon"],
});
const awsInstanceInstance = new aws.instance.Instance(this, "instance", {
  ami: dataAwsAmiAmi.id,
  instanceType: "t2.micro",
  tags: {
    type: "terraform-test-instance",
  },
});
new aws.networkInterfaceSgAttachment.NetworkInterfaceSgAttachment(
  this,
  "sg_attachment",
  {
    networkInterfaceId: awsInstanceInstance.primaryNetworkInterfaceId,
    securityGroupId: awsSecurityGroupSg.id,
  }
);

In the following example, instance is provided by the awsInstance data source (DataAwsInstance), which fetches an existing instance that may not be managed by Terraform. sgAttachment then attaches to that instance's networkInterfaceId:

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsSecurityGroupSg = new aws.securityGroup.SecurityGroup(this, "sg", {
  tags: {
    type: "terraform-test-security-group",
  },
});
const dataAwsInstanceInstance = new aws.dataAwsInstance.DataAwsInstance(
  this,
  "instance",
  {
    instanceId: "i-1234567890abcdef0",
  }
);
new aws.networkInterfaceSgAttachment.NetworkInterfaceSgAttachment(
  this,
  "sg_attachment",
  {
    networkInterfaceId: dataAwsInstanceInstance.networkInterfaceId,
    securityGroupId: awsSecurityGroupSg.id,
  }
);

Argument Reference

  • securityGroupId - (Required) The ID of the security group.
  • networkInterfaceId - (Required) The ID of the network interface to attach to.

Attributes Reference

No additional attributes are exported.

Import

Network Interface Security Group attachments can be imported using the associated network interface ID and security group ID, separated by an underscore (_).

For example:

$ terraform import aws_network_interface_sg_attachment.sg_attachment eni-1234567890abcdef0_sg-1234567890abcdef0
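The import ID format above (network interface ID and security group ID joined by a single underscore) is simple but easy to mistype, and a typo imports the wrong attachment into state. The following TypeScript helpers are an added example, not part of the provider documentation or the CDKTF bindings: they build and parse that import ID and reject malformed input before anything reaches terraform import. The ID shapes (a prefix followed by 8 or 17 lowercase hex characters) are an assumption about AWS resource IDs, not something the page states.

```typescript
// Added example: build and parse the "<eni-id>_<sg-id>" import ID used by
// aws_network_interface_sg_attachment. Not from the provider docs.
// Assumption: AWS IDs are "eni-"/"sg-" plus 8 or 17 lowercase hex characters.
const ENI_ID = /^eni-[0-9a-f]{8}([0-9a-f]{9})?$/;
const SG_ID = /^sg-[0-9a-f]{8}([0-9a-f]{9})?$/;

interface SgAttachmentImportId {
  networkInterfaceId: string;
  securityGroupId: string;
}

// Compose the import ID, refusing malformed IDs so a typo cannot
// silently import an unrelated attachment into state.
function buildImportId(eni: string, sg: string): string {
  if (!ENI_ID.test(eni)) throw new Error(`invalid network interface ID: ${eni}`);
  if (!SG_ID.test(sg)) throw new Error(`invalid security group ID: ${sg}`);
  return `${eni}_${sg}`;
}

// Split an import ID back into its parts. Neither AWS ID may contain an
// underscore, so exactly one "_" must be present; anything else is rejected.
function parseImportId(id: string): SgAttachmentImportId {
  const parts = id.split("_");
  if (parts.length !== 2) {
    throw new Error(`expected "<eni-id>_<sg-id>", got: ${id}`);
  }
  const [networkInterfaceId, securityGroupId] = parts;
  if (!ENI_ID.test(networkInterfaceId)) {
    throw new Error(`invalid network interface ID: ${networkInterfaceId}`);
  }
  if (!SG_ID.test(securityGroupId)) {
    throw new Error(`invalid security group ID: ${securityGroupId}`);
  }
  return { networkInterfaceId, securityGroupId };
}

// Render the full terraform import command for a given resource address.
function importCommand(address: string, eni: string, sg: string): string {
  return `terraform import ${address} ${buildImportId(eni, sg)}`;
}

// Constructed sample values (same shape as the page's example IDs).
console.log(
  importCommand(
    "aws_network_interface_sg_attachment.sg_attachment",
    "eni-1234567890abcdef0",
    "sg-1234567890abcdef0"
  )
);
```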