github.com/vtorhonen/terraform@v0.9.0-beta2.0.20170307220345-5d894e4ffda7/website/source/docs/providers/aws/r/security_group_rule.html.markdown

---
layout: "aws"
page_title: "AWS: aws_security_group_rule"
sidebar_current: "docs-aws-resource-security-group-rule"
description: |-
  Provides a security group rule resource.
---

# aws\_security\_group\_rule

Provides a security group rule resource. Represents a single `ingress` or
`egress` group rule, which can be added to external Security Groups.

~> **NOTE on Security Groups and Security Group Rules:** Terraform currently
provides both a standalone Security Group Rule resource (a single `ingress` or
`egress` rule), and a [Security Group resource](security_group.html) with `ingress` and `egress` rules
defined in-line. At this time you cannot use a Security Group with in-line rules
in conjunction with any Security Group Rule resources. Doing so will cause
a conflict of rule settings and will overwrite rules.

## Example Usage

Basic usage

```
resource "aws_security_group_rule" "allow_all" {
  type        = "ingress"
  from_port   = 0
  to_port     = 65535
  protocol    = "tcp"
  cidr_blocks = ["0.0.0.0/0"]
  # prefix_list_ids is only valid on egress rules, so it is omitted here

  security_group_id = "sg-123456"
}
```

## Argument Reference

The following arguments are supported:

* `type` - (Required) The type of rule being created. Valid options are `ingress` (inbound)
or `egress` (outbound).
* `cidr_blocks` - (Optional) List of CIDR blocks. Cannot be specified with `source_security_group_id`.
* `prefix_list_ids` - (Optional) List of prefix list IDs (for allowing access to VPC endpoints).
Only valid with `egress`.
* `from_port` - (Required) The start port (or ICMP type number if protocol is "icmp").
* `protocol` - (Required) The protocol. If not `icmp`, `tcp`, `udp`, or all (`-1`), use the [protocol number](https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml).
* `security_group_id` - (Required) The security group to apply this rule to.
* `source_security_group_id` - (Optional) The security group id to allow access to/from,
     depending on the `type`. Cannot be specified with `cidr_blocks`.
* `self` - (Optional) If true, the security group itself will be added as
     a source to this ingress rule.
* `to_port` - (Required) The end port (or ICMP code if protocol is "icmp").

## Usage with prefix list IDs

Prefix list IDs are managed by AWS internally. Prefix list IDs
are associated with a prefix list name, or service name, that is linked to a specific region.
Prefix list IDs are exported on VPC Endpoints, so you can use this format:

```
resource "aws_security_group_rule" "allow_all" {
  type              = "egress"
  to_port           = 0
  protocol          = "-1"
  prefix_list_ids   = ["${aws_vpc_endpoint.my_endpoint.prefix_list_id}"]
  from_port         = 0
  security_group_id = "sg-123456"
}

# ...
resource "aws_vpc_endpoint" "my_endpoint" {
  # ...
}
```

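The following is an added example, not code from the Terraform documentation, that puts the NOTE above and the argument rules together: every rule is a standalone `aws_security_group_rule` (so no in-line rule can conflict with it), each rule names exactly one kind of source because `cidr_blocks` and `source_security_group_id` are mutually exclusive, and `prefix_list_ids` appears only on the `egress` rule. The group names, the VPC ID, the CIDR range and the endpoint service name are assumptions.

```hcl
# Added example, not from the Terraform docs. All rules are standalone
# aws_security_group_rule resources; names, VPC ID and service name are assumed.
resource "aws_security_group" "web" {
  name        = "web"
  description = "Web tier; rules attached via aws_security_group_rule only"
  vpc_id      = "vpc-12345678" # placeholder
}

resource "aws_security_group" "db" {
  name        = "db"
  description = "Database tier; rules attached via aws_security_group_rule only"
  vpc_id      = "vpc-12345678" # placeholder
}

# Inbound HTTPS from a narrow CIDR. cidr_blocks and source_security_group_id
# are mutually exclusive, so each kind of source needs its own rule.
resource "aws_security_group_rule" "web_https_in" {
  type              = "ingress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["203.0.113.0/24"] # placeholder range
  security_group_id = "${aws_security_group.web.id}"
}

# PostgreSQL into the db tier only from members of the web group.
resource "aws_security_group_rule" "db_from_web" {
  type                     = "ingress"
  from_port                = 5432
  to_port                  = 5432
  protocol                 = "tcp"
  source_security_group_id = "${aws_security_group.web.id}"
  security_group_id        = "${aws_security_group.db.id}"
}

# Outbound from the web tier limited to the S3 endpoint prefix list.
# prefix_list_ids is egress-only; protocol "-1" with ports 0/0 means all.
resource "aws_vpc_endpoint" "s3" {
  vpc_id       = "vpc-12345678"               # placeholder
  service_name = "com.amazonaws.us-east-1.s3" # assumed region
}

resource "aws_security_group_rule" "web_to_s3" {
  type              = "egress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  prefix_list_ids   = ["${aws_vpc_endpoint.s3.prefix_list_id}"]
  security_group_id = "${aws_security_group.web.id}"
}
```

Because neither `aws_security_group` resource declares in-line `ingress` or `egress` blocks, a later `terraform apply` will not silently overwrite these rules.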
## Attributes Reference

The following attributes are exported:

* `id` - The ID of the security group rule
* `type` - The type of rule, `ingress` or `egress`
* `from_port` - The start port (or ICMP type number if protocol is "icmp")
* `to_port` - The end port (or ICMP code if protocol is "icmp")
* `protocol` - The protocol used