Provides a security group rule resource. Represents a single ingress or egress group rule, which can be added to external Security Groups.
NOTE on Security Groups and Security Group Rules: Terraform currently provides both a standalone Security Group Rule resource (a single ingress or egress rule), and a Security Group resource with ingress and egress rules defined in-line. At this time you cannot use a Security Group with in-line rules in conjunction with any Security Group Rule resources. Doing so will cause a conflict of rule settings and will overwrite rules. Pick one style per security group: either define every rule in-line, or declare the security group with no in-line rules and attach all of its rules as aws_security_group_rule resources.
Basic usage

```hcl
resource "aws_security_group_rule" "allow_all" {
  type              = "ingress"
  from_port         = 0
  to_port           = 65535
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = "sg-123456"
}
```

As written, this rule opens every TCP port to the entire IPv4 internet. In practice, restrict cidr_blocks to the networks that need access and from_port/to_port to the ports the service actually listens on. prefix_list_ids is only valid on egress rules (see the argument reference below), so it is not set on this ingress rule.
The following arguments are supported:

- type - (Required) The type of rule being created. Valid options are ingress (inbound) or egress (outbound).
- cidr_blocks - (Optional) List of CIDR blocks. Cannot be specified with source_security_group_id.
- ipv6_cidr_blocks - (Optional) List of IPv6 CIDR blocks.
- prefix_list_ids - (Optional) List of prefix list IDs (for allowing access to VPC endpoints). Only valid with egress.
- from_port - (Required) The start port (or ICMP type number if protocol is "icmp").
- protocol - (Required) The protocol. Use icmp, tcp, udp, or all; for any other protocol, use its protocol number. "-1" means all protocols; set from_port and to_port to 0 in that case, as in the egress example below.
- security_group_id - (Required) The security group to apply this rule to.
- source_security_group_id - (Optional) The security group id to allow access to/from, depending on the type. Cannot be specified with cidr_blocks.
- self - (Optional) If true, the security group itself will be added as a source to this ingress rule.
- to_port - (Required) The end port (or ICMP code if protocol is "icmp").
- description - (Optional) Description of the rule.

Usage with prefix list IDs

Prefix list IDs are managed by AWS internally. Prefix list IDs are associated with a prefix list name, or service name, that is linked to a specific region. Prefix list IDs are exported on VPC Endpoints, so you can use this format:
```hcl
resource "aws_security_group_rule" "allow_all" {
  type              = "egress"
  to_port           = 0
  protocol          = "-1"
  prefix_list_ids   = ["${aws_vpc_endpoint.my_endpoint.prefix_list_id}"]
  from_port         = 0
  security_group_id = "sg-123456"
}

# ...

resource "aws_vpc_endpoint" "my_endpoint" {
  # ...
}
```
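The pattern the note above requires, shown as an added example that is not code from the original page or the provider's own documentation: the security group is declared with no in-line ingress or egress blocks, and every rule is attached as a separate aws_security_group_rule. It also exercises the argument reference (a source_security_group_id rule, a self rule, an ICMP type/code rule, and a scoped egress rule). The resource names, VPC ID, CIDR ranges and ports are assumptions for illustration.

```hcl
# Added example (not from the original page). The security groups carry no
# in-line ingress {} / egress {} blocks, so they can be combined with
# standalone aws_security_group_rule resources without the two fighting over
# rule settings. Names, VPC ID, CIDRs and ports are assumptions.

resource "aws_security_group" "app" {
  name        = "app"
  description = "Application tier"
  vpc_id      = "vpc-12345678"
  # No in-line rules here: every rule lives in an aws_security_group_rule below.
}

resource "aws_security_group" "lb" {
  name        = "lb"
  description = "Load balancer tier"
  vpc_id      = "vpc-12345678"
}

# Inbound HTTPS only from the load balancer's security group, not from a CIDR.
# source_security_group_id and cidr_blocks are mutually exclusive.
resource "aws_security_group_rule" "app_https_from_lb" {
  type                     = "ingress"
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  source_security_group_id = "${aws_security_group.lb.id}"
  security_group_id        = "${aws_security_group.app.id}"
  description              = "HTTPS from load balancer"
}

# Members of the group may reach each other on the cluster port (self = true
# uses the group itself as the source).
resource "aws_security_group_rule" "app_cluster_self" {
  type              = "ingress"
  from_port         = 7946
  to_port           = 7946
  protocol          = "tcp"
  self              = true
  security_group_id = "${aws_security_group.app.id}"
  description       = "Cluster gossip between app instances"
}

# ICMP echo request from an office range. For protocol "icmp", from_port is
# the ICMP type (8 = echo request) and to_port the code (-1 = any code).
resource "aws_security_group_rule" "app_ping_from_office" {
  type              = "ingress"
  from_port         = 8
  to_port           = -1
  protocol          = "icmp"
  cidr_blocks       = ["203.0.113.0/24"]
  security_group_id = "${aws_security_group.app.id}"
  description       = "Echo request from office network"
}

# Egress limited to HTTPS towards one upstream range instead of
# 0.0.0.0/0 on all protocols.
resource "aws_security_group_rule" "app_https_egress" {
  type              = "egress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["198.51.100.0/24"]
  security_group_id = "${aws_security_group.app.id}"
  description       = "HTTPS to upstream API"
}
```

Because the groups reference each other only through standalone rules, adding or removing a rule later means adding or removing one resource rather than editing a shared in-line block. Note that Terraform removes the allow-all egress rule AWS adds to a new VPC security group, so the scoped egress rule above is the group's only outbound permission unless you add more.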
In addition to all arguments above, the following attributes are exported:

- id - The ID of the security group rule
- type - The type of rule, ingress or egress
- from_port - The start port (or ICMP type number if protocol is "icmp")
- to_port - The end port (or ICMP code if protocol is "icmp")
- protocol - The protocol used
- description - Description of the rule
© 2018 HashiCorp. Licensed under the MPL 2.0 License.
https://www.terraform.io/docs/providers/aws/r/security_group_rule.html