
Resource: awsSecurityGroupRule

Provides a security group rule resource. Represents a single ingress or egress group rule, which can be added to external Security Groups.

~> NOTE on Security Groups and Security Group Rules: Terraform currently provides a Security Group resource with ingress and egress rules defined in-line and a Security Group Rule resource which manages one or more ingress or egress rules. Both of these resources were added before AWS assigned a security group rule unique ID, and they do not work well in all scenarios using the description and tags attributes, which rely on the unique ID. The awsVpcSecurityGroupEgressRule and awsVpcSecurityGroupIngressRule resources have been added to address these limitations and should be used for all new security group rules. You should not use the awsVpcSecurityGroupEgressRule and awsVpcSecurityGroupIngressRule resources in conjunction with an awsSecurityGroup resource with in-line rules or with awsSecurityGroupRule resources defined for the same Security Group, as rule conflicts may occur and rules will be overwritten.

~> NOTE: Setting protocol = "all" or protocol = -1 with fromPort and toPort will result in the EC2 API creating a security group rule with all ports open. This API behavior cannot be controlled by Terraform and may generate warnings in the future.

~> NOTE: Referencing Security Groups across VPC peering has certain restrictions. More information is available in the VPC Peering User Guide.

Example Usage

Basic usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
// The "${aws_vpc.example.cidr_block}" strings are Terraform interpolation
// references to an aws_vpc resource named "example" defined elsewhere in the stack;
// they are passed through to the generated configuration unchanged.
new aws.securityGroupRule.SecurityGroupRule(this, "example", {
  cidrBlocks: ["${aws_vpc.example.cidr_block}"],
  fromPort: 0,
  ipv6CidrBlocks: ["${aws_vpc.example.ipv6_cidr_block}"],
  protocol: "tcp",
  securityGroupId: "sg-123456",
  toPort: 65535,
  type: "ingress",
});

Usage With Prefix List IDs

Prefix Lists are either managed by AWS internally, or created by the customer using a Managed Prefix List resource. Prefix Lists provided by AWS are associated with a prefix list name, or service name, that is linked to a specific region.

Prefix list IDs are exported on VPC Endpoints, so you can use this format:

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsVpcEndpointMyEndpoint = new aws.vpcEndpoint.VpcEndpoint(
  this,
  "my_endpoint",
  {}
);
new aws.securityGroupRule.SecurityGroupRule(this, "allow_all", {
  fromPort: 0,
  prefixListIds: [awsVpcEndpointMyEndpoint.prefixListId],
  protocol: "-1",
  securityGroupId: "sg-123456",
  toPort: 0,
  type: "egress",
});

You can also find a specific Prefix List using the awsPrefixList or ec2ManagedPrefixList data sources:

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const dataAwsRegionCurrent = new aws.dataAwsRegion.DataAwsRegion(
  this,
  "current",
  {}
);
// Build the AWS-managed prefix list name for the current region, e.g. com.amazonaws.us-east-1.s3
const dataAwsPrefixListS3 = new aws.dataAwsPrefixList.DataAwsPrefixList(
  this,
  "s3",
  {
    name: `com.amazonaws.${dataAwsRegionCurrent.name}.s3`,
  }
);
new aws.securityGroupRule.SecurityGroupRule(this, "s3_gateway_egress", {
  description: "S3 Gateway Egress",
  fromPort: 443,
  prefixListIds: [dataAwsPrefixListS3.id],
  protocol: "tcp",
  securityGroupId: "sg-123456",
  toPort: 443,
  type: "egress",
});

Argument Reference

The following arguments are required:

  • fromPort - (Required) Start port (or ICMP type number if protocol is "icmp" or "icmpv6").
  • protocol - (Required) Protocol. If not icmp, icmpv6, tcp, udp, or all, use the IANA protocol number.
  • securityGroupId - (Required) Security group to apply this rule to.
  • toPort - (Required) End port (or ICMP code if protocol is "icmp").
  • type - (Required) Type of rule being created. Valid options are ingress (inbound) or egress (outbound).

The following arguments are optional:

  • cidrBlocks - (Optional) List of CIDR blocks. Cannot be specified with sourceSecurityGroupId or self.
  • description - (Optional) Description of the rule.
  • ipv6CidrBlocks - (Optional) List of IPv6 CIDR blocks. Cannot be specified with sourceSecurityGroupId or self.
  • prefixListIds - (Optional) List of Prefix List IDs.
  • self - (Optional) Whether the security group itself will be added as a source to this ingress rule. Cannot be specified with cidrBlocks, ipv6CidrBlocks, or sourceSecurityGroupId.
  • sourceSecurityGroupId - (Optional) Security group id to allow access to/from, depending on the type. Cannot be specified with cidrBlocks, ipv6CidrBlocks, or self.
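The argument constraints above (mutually exclusive sources, and the earlier note that protocol "all"/-1 opens every port regardless of fromPort/toPort) are easy to get wrong in generated configuration. The following TypeScript lint is an added example, not code from the provider or from this page: it takes the same argument names the resource uses, reports the combinations the Argument Reference forbids as errors, and reports exposure patterns a reviewer would want surfaced as warnings. Treating a rule with no source or destination at all as an error is this example's own choice.

```typescript
// Added example (not part of the provider documentation): a pre-plan lint
// that checks a rule's arguments against the constraints in the Argument
// Reference and flags the exposure patterns a reviewer would want to see.
type RuleType = "ingress" | "egress";

interface SecurityGroupRuleArgs {
  type: RuleType;
  protocol: string; // "tcp", "udp", "icmp", "icmpv6", "all", "-1" or an IANA protocol number
  fromPort: number;
  toPort: number;
  securityGroupId: string;
  cidrBlocks?: string[];
  ipv6CidrBlocks?: string[];
  prefixListIds?: string[];
  sourceSecurityGroupId?: string;
  self?: boolean;
}

interface LintResult {
  errors: string[];   // argument combinations the resource rejects
  warnings: string[]; // accepted by the API but worth a second look
}

const ALL_PROTOCOLS = new Set(["all", "-1"]);
const ANY_IPV4 = "0.0.0.0/0";
const ANY_IPV6 = "::/0";

function lintSecurityGroupRule(r: SecurityGroupRuleArgs): LintResult {
  const errors: string[] = [];
  const warnings: string[] = [];
  const hasCidr =
    (r.cidrBlocks?.length ?? 0) > 0 || (r.ipv6CidrBlocks?.length ?? 0) > 0;
  const hasPrefixList = (r.prefixListIds?.length ?? 0) > 0;
  const hasSourceSg = r.sourceSecurityGroupId !== undefined;

  // Mutual exclusivity exactly as stated in the Argument Reference.
  if (hasCidr && hasSourceSg) {
    errors.push("cidrBlocks/ipv6CidrBlocks cannot be specified with sourceSecurityGroupId");
  }
  if (hasCidr && r.self) {
    errors.push("cidrBlocks/ipv6CidrBlocks cannot be specified with self");
  }
  if (r.self && hasSourceSg) {
    errors.push("self cannot be specified with sourceSecurityGroupId");
  }
  // Assumption of this example: a rule that names no source or destination is an error.
  if (!hasCidr && !hasPrefixList && !hasSourceSg && !r.self) {
    errors.push("rule names no source or destination");
  }
  // Port ordering only makes sense for tcp/udp; for icmp the two fields are type and code.
  if ((r.protocol === "tcp" || r.protocol === "udp") && r.fromPort > r.toPort) {
    errors.push(`fromPort ${r.fromPort} is greater than toPort ${r.toPort}`);
  }

  // With protocol "all"/-1 the EC2 API opens every port, whatever fromPort/toPort say.
  if (ALL_PROTOCOLS.has(r.protocol) && (r.fromPort !== 0 || r.toPort !== 0)) {
    warnings.push("protocol all/-1 ignores fromPort/toPort: the EC2 API creates an all-ports rule");
  }

  // Exposure review: ingress from any address, widest when combined with all protocols.
  const fromAnywhere =
    (r.cidrBlocks?.includes(ANY_IPV4) ?? false) ||
    (r.ipv6CidrBlocks?.includes(ANY_IPV6) ?? false);
  if (r.type === "ingress" && fromAnywhere) {
    const scope = ALL_PROTOCOLS.has(r.protocol)
      ? "all protocols and ports"
      : `${r.protocol} ${r.fromPort}-${r.toPort}`;
    warnings.push(`ingress from any address on ${scope}`);
  }
  return { errors, warnings };
}

// Constructed sample run: the SecurityGroupRule arguments from the basic usage above.
console.log(
  JSON.stringify(
    lintSecurityGroupRule({
      type: "ingress",
      protocol: "tcp",
      fromPort: 0,
      toPort: 65535,
      securityGroupId: "sg-123456",
      cidrBlocks: ["10.0.0.0/16"],
    }),
    null,
    2
  )
);
```

Run the lint over each rule object before it is handed to the SecurityGroupRule constructor; an empty errors array means the argument combination is one the resource accepts, and the warnings are the lines to carry into review.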

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • id - ID of the security group rule.
  • securityGroupRuleId - If the awsSecurityGroupRule resource has a single source or destination then this is the AWS Security Group Rule resource ID. Otherwise it is empty.

Timeouts

Configuration options:

  • create - (Default 5m)

Import

Security Group Rules can be imported using the securityGroupId, type, protocol, fromPort, toPort, and source(s)/destination(s) (e.g., cidrBlock) separated by underscores (_). All parts are required.

Not all rule permissions (e.g., not all of a rule's CIDR blocks) need to be imported for Terraform to manage rule permissions. However, importing some of a rule's permissions but not others, and then making changes to the rule will result in the creation of an additional rule to capture the updated permissions. Rule permissions that were not imported are left intact in the original rule.

Import an ingress rule in security group sg-6e616f6d69 for TCP port 8000 with an IPv4 destination CIDR of 10.0.3.0/24:

$ terraform import aws_security_group_rule.ingress sg-6e616f6d69_ingress_tcp_8000_8000_10.0.3.0/24

Import a rule with various IPv4 and IPv6 source CIDR blocks:

$ terraform import aws_security_group_rule.ingress sg-4973616163_ingress_tcp_100_121_10.1.0.0/16_2001:db8::/48_10.2.0.0/16_2002:db8::/48

Import a rule, applicable to all ports, with a protocol other than TCP/UDP/ICMP/ICMPV6/ALL (e.g., Multicast Transport Protocol, MTP) using its IANA protocol number (92 in this case):

$ terraform import aws_security_group_rule.ingress sg-6777656e646f6c796e_ingress_92_0_65536_10.0.3.0/24_10.0.4.0/24

Import a default any/any egress rule to 0.0.0.0/0:

$ terraform import aws_security_group_rule.default_egress sg-6777656e646f6c796e_egress_all_0_0_0.0.0.0/0

Import an egress rule with a prefix list ID destination:

$ terraform import aws_security_group_rule.egress sg-62726f6479_egress_tcp_8000_8000_pl-6469726b

Import a rule applicable to all protocols and ports with a security group source:

$ terraform import aws_security_group_rule.ingress_rule sg-7472697374616e_ingress_all_0_65536_sg-6176657279

Import a rule that has itself and an IPv6 CIDR block as sources:

$ terraform import aws_security_group_rule.rule_name sg-656c65616e6f72_ingress_tcp_80_80_self_2001:db8::/48
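The import ID format described above packs every attribute of a rule into one underscore-separated string, and a malformed ID is only reported after terraform import has talked to the API. The following TypeScript parser and builder are an added example, not code from the provider or this page, written in plain TypeScript with no cdktf dependency: parseImportId splits an ID into the same fields the resource exposes (recognising IPv4 CIDRs, IPv6 CIDRs, pl- prefix lists, sg- source groups and the literal self by shape), and buildImportId produces an ID from known attributes. The validation patterns for security group IDs and protocols are this example's own assumptions.

```typescript
// Added example (not part of the provider documentation): parse and build the
// underscore-separated import ID documented above:
//   <securityGroupId>_<type>_<protocol>_<fromPort>_<toPort>_<target1>[_<target2>...]
// Targets are recognised by shape: IPv4 CIDR, IPv6 CIDR, pl-* prefix list,
// sg-* security group, or the literal "self". The regular expressions are this
// example's own assumptions about well-formed values, not the provider's.
interface ImportedRule {
  securityGroupId: string;
  type: "ingress" | "egress";
  protocol: string;
  fromPort: number;
  toPort: number;
  cidrBlocks: string[];
  ipv6CidrBlocks: string[];
  prefixListIds: string[];
  sourceSecurityGroupId?: string;
  self: boolean;
}

const SG_ID = /^sg-[0-9a-f]+$/;
const PROTOCOL = /^(tcp|udp|icmp|icmpv6|all|-?\d+)$/;
const PORT = /^-?\d+$/;
const IPV4_CIDR = /^\d{1,3}(\.\d{1,3}){3}\/\d{1,2}$/;

function parseImportId(id: string): ImportedRule {
  const parts = id.split("_");
  if (parts.length < 6) {
    throw new Error(`expected at least 6 underscore-separated parts, got ${parts.length}`);
  }
  const [securityGroupId, type, protocol, fromStr, toStr, ...targets] = parts;
  if (!SG_ID.test(securityGroupId)) throw new Error(`bad security group id: ${securityGroupId}`);
  if (type !== "ingress" && type !== "egress") throw new Error(`bad rule type: ${type}`);
  if (!PROTOCOL.test(protocol)) throw new Error(`bad protocol: ${protocol}`);
  if (!PORT.test(fromStr) || !PORT.test(toStr)) throw new Error(`ports must be integers: ${fromStr}, ${toStr}`);

  const rule: ImportedRule = {
    securityGroupId,
    type,
    protocol,
    fromPort: Number(fromStr),
    toPort: Number(toStr),
    cidrBlocks: [],
    ipv6CidrBlocks: [],
    prefixListIds: [],
    self: false,
  };
  for (const t of targets) {
    if (t === "self") {
      rule.self = true;
    } else if (t.startsWith("pl-")) {
      rule.prefixListIds.push(t);
    } else if (SG_ID.test(t)) {
      if (rule.sourceSecurityGroupId !== undefined) throw new Error("only one source security group is allowed");
      rule.sourceSecurityGroupId = t;
    } else if (t.includes(":")) {
      // IPv6 CIDRs contain ':' and never '_', so the split above keeps them intact.
      rule.ipv6CidrBlocks.push(t);
    } else if (IPV4_CIDR.test(t)) {
      rule.cidrBlocks.push(t);
    } else {
      throw new Error(`unrecognised source/destination: ${t}`);
    }
  }
  // self and sourceSecurityGroupId are mutually exclusive per the Argument Reference.
  if (rule.self && rule.sourceSecurityGroupId !== undefined) {
    throw new Error("self cannot be combined with a source security group");
  }
  return rule;
}

// Inverse: produce the import ID for a rule whose attributes are already known.
function buildImportId(r: ImportedRule): string {
  const targets = [...r.cidrBlocks, ...r.ipv6CidrBlocks, ...r.prefixListIds];
  if (r.sourceSecurityGroupId !== undefined) targets.push(r.sourceSecurityGroupId);
  if (r.self) targets.push("self");
  return [r.securityGroupId, r.type, r.protocol, String(r.fromPort), String(r.toPort), ...targets].join("_");
}

// Constructed sample run over the first import command shown above.
console.log(JSON.stringify(parseImportId("sg-6e616f6d69_ingress_tcp_8000_8000_10.0.3.0/24"), null, 2));
```

Because buildImportId emits targets in a fixed order (IPv4, IPv6, prefix lists, source group, self), an ID that round-trips through parse and build may list its targets in a different order than the one typed by hand; the parsed rule is identical either way, which is what matters when checking an ID before running terraform import.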