github.com/nathanielks/terraform@v0.6.1-0.20170509030759-13e1a62319dc/website/source/docs/providers/aws/r/security_group_rule.html.markdown

---
layout: "aws"
page_title: "AWS: aws_security_group_rule"
sidebar_current: "docs-aws-resource-security-group-rule"
description: |-
  Provides a security group rule resource.
---

# aws\_security\_group\_rule

Provides a security group rule resource. Represents a single `ingress` or
`egress` rule, attached by ID to a Security Group that is defined elsewhere.

~> **NOTE on Security Groups and Security Group Rules:** Terraform currently
provides both a standalone Security Group Rule resource (a single `ingress` or
`egress` rule), and a [Security Group resource](security_group.html) with `ingress` and `egress` rules
defined in-line. At this time you cannot use a Security Group with in-line rules
in conjunction with any Security Group Rule resources. Doing so causes
conflicting rule settings, and rules will be overwritten.
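
The conflict the note describes, shown as an added example that is not part of the original page: the first group mixes an in-line `ingress` block with a standalone `aws_security_group_rule` on the same group, which is the unsupported combination; the second keeps the group free of in-line blocks and defines every rule, egress included, as its own resource. The `vpc_id` variable, the group names, the `10.0.0.0/8` range and the port choices are assumptions made for illustration.

```hcl
variable "vpc_id" {}  # assumed: the VPC the groups are created in

# UNSUPPORTED: an in-line ingress block on the group plus a standalone rule
# for the same group. Both the in-line block and the standalone resource
# manage the group's rule set, so their settings conflict and rules are
# overwritten (see the note above). Shown only as the pattern to avoid.
resource "aws_security_group" "web_mixed" {
  name   = "web-mixed"
  vpc_id = "${var.vpc_id}"

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_security_group_rule" "web_mixed_ssh_in" {
  type              = "ingress"
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = ["10.0.0.0/8"]  # assumed internal range
  security_group_id = "${aws_security_group.web_mixed.id}"
}

# SUPPORTED: the group carries no in-line ingress or egress blocks; every
# rule is a standalone resource that references the group by id.
resource "aws_security_group" "web" {
  name   = "web"
  vpc_id = "${var.vpc_id}"
}

resource "aws_security_group_rule" "web_https_in" {
  type              = "ingress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = "${aws_security_group.web.id}"
}

resource "aws_security_group_rule" "web_ssh_in" {
  type              = "ingress"
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = ["10.0.0.0/8"]  # assumed internal range
  security_group_id = "${aws_security_group.web.id}"
}

# Outbound access is declared explicitly as well, so the group's complete
# rule set lives in standalone resources and nothing comes from an
# in-line block.
resource "aws_security_group_rule" "web_https_out" {
  type              = "egress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = "${aws_security_group.web.id}"
}
```

Keeping every rule as a standalone resource is also what lets a rule be added to a group from a different module or configuration than the one that creates the group, which is the case this resource exists for.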

## Example Usage

Basic usage

```hcl
resource "aws_security_group_rule" "allow_all" {
  type        = "ingress"
  from_port   = 0
  to_port     = 65535
  protocol    = "tcp"
  cidr_blocks = ["0.0.0.0/0"]

  security_group_id = "sg-123456"
}
```

This rule admits every TCP port from any IPv4 address and is shown only to illustrate the syntax; a production rule should narrow `from_port`/`to_port` and `cidr_blocks` to what the workload actually needs. `prefix_list_ids` is left out of this ingress example because, as the Argument Reference states, it is only valid on `egress` rules.

## Argument Reference

The following arguments are supported:

* `type` - (Required) The type of rule being created. Valid options are `ingress` (inbound)
or `egress` (outbound).
* `cidr_blocks` - (Optional) List of IPv4 CIDR blocks. Cannot be specified with `source_security_group_id`.
* `ipv6_cidr_blocks` - (Optional) List of IPv6 CIDR blocks.
* `prefix_list_ids` - (Optional) List of prefix list IDs (for allowing access to VPC endpoints).
Only valid with `egress`.
* `from_port` - (Required) The start port (or ICMP type number if protocol is "icmp").
* `protocol` - (Required) The protocol: `tcp`, `udp`, `icmp`, or `-1` (also accepted as `all`) for every protocol. For any other protocol use its [protocol number](https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). The port arguments remain required with `-1`; the prefix list example below sets both to `0`.
* `security_group_id` - (Required) The security group to apply this rule to.
* `source_security_group_id` - (Optional) The security group ID to allow access from (for `ingress`)
     or to (for `egress`). Cannot be specified with `cidr_blocks`.
* `self` - (Optional) If true, the security group itself will be added as
     a source to this ingress rule.
* `to_port` - (Required) The end port (or ICMP code if protocol is "icmp").
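
Putting the arguments together, as an added example that is not from the original page: a two-tier layout in which the web group accepts HTTPS from anywhere and SSH only from an administrative network (`cidr_blocks`), the app group accepts traffic only from members of the web group (`source_security_group_id`, which takes the place of `cidr_blocks`), app nodes reach each other through `self`, an ICMP rule shows the type/code meaning of `from_port`/`to_port`, and an `egress` rule uses `source_security_group_id` as the destination group. The `vpc_id` and `admin_cidr` variables, the group names and the port numbers are assumptions.

```hcl
variable "vpc_id" {}  # assumed: the VPC the groups are created in

variable "admin_cidr" {
  default = "203.0.113.0/24"  # assumed administrative network (documentation range)
}

resource "aws_security_group" "web" {
  name   = "web-tier"
  vpc_id = "${var.vpc_id}"
}

resource "aws_security_group" "app" {
  name   = "app-tier"
  vpc_id = "${var.vpc_id}"
}

# Internet-facing HTTPS only, over IPv4 and IPv6.
resource "aws_security_group_rule" "web_https_in" {
  type              = "ingress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  ipv6_cidr_blocks  = ["::/0"]
  security_group_id = "${aws_security_group.web.id}"
}

# SSH only from the administrative network, never from 0.0.0.0/0.
resource "aws_security_group_rule" "web_ssh_in" {
  type              = "ingress"
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = ["${var.admin_cidr}"]
  security_group_id = "${aws_security_group.web.id}"
}

# The app tier is reachable on 8080 only from members of the web group.
# source_security_group_id is used instead of cidr_blocks; the two cannot be
# combined in one rule.
resource "aws_security_group_rule" "app_from_web" {
  type                     = "ingress"
  from_port                = 8080
  to_port                  = 8080
  protocol                 = "tcp"
  source_security_group_id = "${aws_security_group.web.id}"
  security_group_id        = "${aws_security_group.app.id}"
}

# Cluster traffic between app nodes: self = true makes the group its own source.
resource "aws_security_group_rule" "app_cluster" {
  type              = "ingress"
  from_port         = 7946
  to_port           = 7946
  protocol          = "tcp"
  self              = true
  security_group_id = "${aws_security_group.app.id}"
}

# ICMP echo request from the web tier. With protocol "icmp", from_port is the
# ICMP type (8 = echo request) and to_port is the ICMP code (0).
resource "aws_security_group_rule" "app_ping_from_web" {
  type                     = "ingress"
  from_port                = 8
  to_port                  = 0
  protocol                 = "icmp"
  source_security_group_id = "${aws_security_group.web.id}"
  security_group_id        = "${aws_security_group.app.id}"
}

# Explicit egress for the web tier: for an egress rule,
# source_security_group_id names the destination group, so web instances may
# only open connections to the app group on 8080.
resource "aws_security_group_rule" "web_to_app_out" {
  type                     = "egress"
  from_port                = 8080
  to_port                  = 8080
  protocol                 = "tcp"
  source_security_group_id = "${aws_security_group.app.id}"
  security_group_id        = "${aws_security_group.web.id}"
}
```

Compared with the basic example above, no rule here grants more than one port to one source, and the web tier's outbound access is limited to the app group on port 8080, so a compromised web instance gains no path to other destinations through this group.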

## Usage with prefix list IDs

Prefix list IDs are managed by AWS internally. Each prefix list ID
corresponds to a prefix list name, or service name, and is specific to a region.
VPC Endpoints export their prefix list ID as an attribute, so an egress rule can
reference it directly rather than hard-coding the service's address ranges:

```hcl
# Allow all outbound traffic from the group to the endpoint's service.
# protocol "-1" means every protocol; from_port and to_port are set to 0
# because the port arguments are required even though a "-1" rule
# matches all ports.
resource "aws_security_group_rule" "allow_all" {
  type              = "egress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  prefix_list_ids   = ["${aws_vpc_endpoint.my_endpoint.prefix_list_id}"]
  security_group_id = "sg-123456"
}

# ...
resource "aws_vpc_endpoint" "my_endpoint" {
  # ...
}
```

## Attributes Reference

The following attributes are exported:

* `id` - The ID of the security group rule
* `type` - The type of rule, `ingress` or `egress`
* `from_port` - The start port (or ICMP type number if protocol is "icmp")
* `to_port` - The end port (or ICMP code if protocol is "icmp")
* `protocol` - The protocol used