UNPKG

@pulumi/aws

Version:

A Pulumi package for creating and managing Amazon Web Services (AWS) cloud resources.

pulumi.io

pulumi/pulumi-aws

268 lines • 14.2 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
"use strict"; // *** WARNING: this file was generated by pulumi-language-nodejs. *** // *** Do not edit by hand unless you're certain you know what you are doing! *** Object.defineProperty(exports, "__esModule", { value: true }); exports.SecurityGroup = void 0; const pulumi = require("@pulumi/pulumi"); const utilities = require("../utilities"); /** * Provides a security group resource. * * > **NOTE:** Avoid using the `ingress` and `egress` arguments of the `aws.ec2.SecurityGroup` resource to configure in-line rules, as they struggle with managing multiple CIDR blocks, and, due to the historical lack of unique IDs, tags and descriptions. To avoid these problems, use the current best practice of the `aws.vpc.SecurityGroupEgressRule` and `aws.vpc.SecurityGroupIngressRule` resources with one CIDR block per rule. * * !> **WARNING:** You should not use the `aws.ec2.SecurityGroup` resource with _in-line rules_ (using the `ingress` and `egress` arguments of `aws.ec2.SecurityGroup`) in conjunction with the `aws.vpc.SecurityGroupEgressRule` and `aws.vpc.SecurityGroupIngressRule` resources or the `aws.ec2.SecurityGroupRule` resource. Doing so may cause rule conflicts, perpetual differences, and result in rules being overwritten. * * > **NOTE:** Referencing Security Groups across VPC peering has certain restrictions. More information is available in the [VPC Peering User Guide](https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-security-groups.html). * * > **NOTE:** Due to [AWS Lambda improved VPC networking changes that began deploying in September 2019](https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/), security groups associated with Lambda Functions can take up to 45 minutes to successfully delete. To allow for successful deletion, the provider will wait for at least 45 minutes even if a shorter delete timeout is specified. * * > **NOTE:** The `cidrBlocks` and `ipv6CidrBlocks` parameters are optional in the `ingress` and `egress` blocks. If nothing is specified, traffic will be blocked as described in _NOTE on Egress rules_ later. * * ## Example Usage * * ### Basic Usage * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as aws from "@pulumi/aws"; * * const allowTls = new aws.ec2.SecurityGroup("allow_tls", { * name: "allow_tls", * description: "Allow TLS inbound traffic and all outbound traffic", * vpcId: main.id, * tags: { * Name: "allow_tls", * }, * }); * const allowTlsIpv4 = new aws.vpc.SecurityGroupIngressRule("allow_tls_ipv4", { * securityGroupId: allowTls.id, * cidrIpv4: main.cidrBlock, * fromPort: 443, * ipProtocol: "tcp", * toPort: 443, * }); * const allowTlsIpv6 = new aws.vpc.SecurityGroupIngressRule("allow_tls_ipv6", { * securityGroupId: allowTls.id, * cidrIpv6: main.ipv6CidrBlock, * fromPort: 443, * ipProtocol: "tcp", * toPort: 443, * }); * const allowAllTrafficIpv4 = new aws.vpc.SecurityGroupEgressRule("allow_all_traffic_ipv4", { * securityGroupId: allowTls.id, * cidrIpv4: "0.0.0.0/0", * ipProtocol: "-1", * }); * const allowAllTrafficIpv6 = new aws.vpc.SecurityGroupEgressRule("allow_all_traffic_ipv6", { * securityGroupId: allowTls.id, * cidrIpv6: "::/0", * ipProtocol: "-1", * }); * ``` * * > **NOTE on Egress rules:** By default, AWS creates an `ALLOW ALL` egress rule when creating a new Security Group inside of a VPC. When creating a new Security Group inside a VPC, **this provider will remove this default rule**, and require you specifically re-create it if you desire that rule. We feel this leads to fewer surprises in terms of controlling your egress rules. If you desire this rule to be in place, you can use this `egress` block: * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as aws from "@pulumi/aws"; * * const example = new aws.ec2.SecurityGroup("example", {egress: [{ * fromPort: 0, * toPort: 0, * protocol: "-1", * cidrBlocks: ["0.0.0.0/0"], * ipv6CidrBlocks: ["::/0"], * }]}); * ``` * * ### Usage With Prefix List IDs * * Prefix Lists are either managed by AWS internally, or created by the customer using a * Prefix List resource. Prefix Lists provided by * AWS are associated with a prefix list name, or service name, that is linked to a specific region. * Prefix list IDs are exported on VPC Endpoints, so you can use this format: * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as aws from "@pulumi/aws"; * * const myEndpoint = new aws.ec2.VpcEndpoint("my_endpoint", {}); * const example = new aws.ec2.SecurityGroup("example", {egress: [{ * fromPort: 0, * toPort: 0, * protocol: "-1", * prefixListIds: [myEndpoint.prefixListId], * }]}); * ``` * * You can also find a specific Prefix List using the `aws.ec2.getPrefixList` data source. * * ### Removing All Ingress and Egress Rules * * The `ingress` and `egress` arguments are processed in attributes-as-blocks mode. Due to this, removing these arguments from the configuration will **not** cause the provider to destroy the managed rules. To subsequently remove all managed ingress and egress rules: * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as aws from "@pulumi/aws"; * * const example = new aws.ec2.SecurityGroup("example", { * name: "sg", * vpcId: exampleAwsVpc.id, * ingress: [], * egress: [], * }); * ``` * * ### Recreating a Security Group * * A simple security group `name` change "forces new" the security group--the provider destroys the security group and creates a new one. (Likewise, `description`, `namePrefix`, or `vpcId` [cannot be changed](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/working-with-security-groups.html#creating-security-group).) Attempting to recreate the security group leads to a variety of complications depending on how it is used. * * Security groups are generally associated with other resources--**more than 100** AWS Provider resources reference security groups. Referencing a resource from another resource creates a one-way dependency. For example, if you create an EC2 `aws.ec2.Instance` that has a `vpcSecurityGroupIds` argument that refers to an `aws.ec2.SecurityGroup` resource, the `aws.ec2.SecurityGroup` is a dependent of the `aws.ec2.Instance`. Because of this, the provider will create the security group first so that it can then be associated with the EC2 instance. * * However, the dependency relationship actually goes both directions causing the _Security Group Deletion Problem_. AWS does not allow you to delete the security group associated with another resource (_e.g._, the `aws.ec2.Instance`). * * The provider does not model bi-directional dependencies like this, but, even if it did, simply knowing the dependency situation would not be enough to solve it. For example, some resources must always have an associated security group while others don't need to. In addition, when the `aws.ec2.SecurityGroup` resource attempts to recreate, it receives a dependent object error, which does not provide information on whether the dependent object is a security group rule or, for example, an associated EC2 instance. Within the provider, the associated resource (_e.g._, `aws.ec2.Instance`) does not receive an error when the `aws.ec2.SecurityGroup` is trying to recreate even though that is where changes to the associated resource would need to take place (_e.g._, removing the security group association). * * Despite these sticky problems, below are some ways to improve your experience when you find it necessary to recreate a security group. * * ### Shorter timeout * * (This example is one approach to recreating security groups. For more information on the challenges and the _Security Group Deletion Problem_, see the section above.) * * If destroying a security group takes a long time, it may be because the provider cannot distinguish between a dependent object (_e.g._, a security group rule or EC2 instance) that is _in the process of being deleted_ and one that is not. In other words, it may be waiting for a train that isn't scheduled to arrive. To fail faster, shorten the `delete` timeout from the default timeout: * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as aws from "@pulumi/aws"; * * const example = new aws.ec2.SecurityGroup("example", {name: "izizavle"}); * ``` * * ### Provisioners * * (This example is one approach to recreating security groups. For more information on the challenges and the _Security Group Deletion Problem_, see the section above.) * * **DISCLAIMER:** We **_HIGHLY_** recommend using one of the above approaches and _NOT_ using local provisioners. Provisioners, like the one shown below, should be considered a **last resort** since they are _not readable_, _require skills outside standard configuration_, are _error prone_ and _difficult to maintain_, are not compatible with cloud environments and upgrade tools, require AWS CLI installation, and are subject to changes outside the AWS Provider. * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as _null from "@pulumi/null"; * import * as aws from "@pulumi/aws"; * import * as command from "@pulumi/command"; * import * as std from "@pulumi/std"; * * const _default = aws.ec2.getSecurityGroup({ * name: "default", * }); * const example = new aws.ec2.SecurityGroup("example", { * name: "sg", * tags: { * workaround1: "tagged-name", * workaround2: _default.then(_default => _default.id), * }, * }); * const exampleProvisioner0 = new command.local.Command("exampleProvisioner0", { * create: "true", * update: "true", * "delete": ` ENDPOINT_ID=`aws ec2 describe-vpc-endpoints --filters \"Name=tag:Name,Values=${tags.workaround1}\" --query \"VpcEndpoints[0].VpcEndpointId\" --output text` && * aws ec2 modify-vpc-endpoint --vpc-endpoint-id ${ENDPOINT_ID} --add-security-group-ids ${tags.workaround2} --remove-security-group-ids ${id} * `, * }, { * dependsOn: [example], * }); * const exampleResource = new _null.Resource("example", {triggers: { * rerunUponChangeOf: std.join({ * separator: ",", * input: exampleAwsVpcEndpoint.securityGroupIds, * }).then(invoke => invoke.result), * }}); * const exampleResourceProvisioner0 = new command.local.Command("exampleResourceProvisioner0", {create: ` aws ec2 modify-vpc-endpoint --vpc-endpoint-id ${exampleAwsVpcEndpoint.id} --remove-security-group-ids ${_default.id} * `}, { * dependsOn: [exampleResource], * }); * ``` * * ## Import * * ### Identity Schema * * #### Required * * * `id` (String) ID of the security group. * * #### Optional * * * `account_id` (String) AWS Account where this resource is managed. * * * `region` (String) Region where this resource is managed. * * Using `pulumi import`, import Security Groups using the security group `id`. For example: * * console * * % pulumi import aws_security_group.example sg-903004f8 */ class SecurityGroup extends pulumi.CustomResource { /** * Get an existing SecurityGroup resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param state Any extra arguments used during the lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ static get(name, id, state, opts) { return new SecurityGroup(name, state, { ...opts, id: id }); } /** * Returns true if the given object is an instance of SecurityGroup. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ static isInstance(obj) { if (obj === undefined || obj === null) { return false; } return obj['__pulumiType'] === SecurityGroup.__pulumiType; } constructor(name, argsOrState, opts) { let resourceInputs = {}; opts = opts || {}; if (opts.id) { const state = argsOrState; resourceInputs["arn"] = state?.arn; resourceInputs["description"] = state?.description; resourceInputs["egress"] = state?.egress; resourceInputs["ingress"] = state?.ingress; resourceInputs["name"] = state?.name; resourceInputs["namePrefix"] = state?.namePrefix; resourceInputs["ownerId"] = state?.ownerId; resourceInputs["region"] = state?.region; resourceInputs["revokeRulesOnDelete"] = state?.revokeRulesOnDelete; resourceInputs["tags"] = state?.tags; resourceInputs["tagsAll"] = state?.tagsAll; resourceInputs["vpcId"] = state?.vpcId; } else { const args = argsOrState; resourceInputs["description"] = (args?.description) ?? "Managed by Pulumi"; resourceInputs["egress"] = args?.egress; resourceInputs["ingress"] = args?.ingress; resourceInputs["name"] = args?.name; resourceInputs["namePrefix"] = args?.namePrefix; resourceInputs["region"] = args?.region; resourceInputs["revokeRulesOnDelete"] = args?.revokeRulesOnDelete; resourceInputs["tags"] = args?.tags; resourceInputs["vpcId"] = args?.vpcId; resourceInputs["arn"] = undefined /*out*/; resourceInputs["ownerId"] = undefined /*out*/; resourceInputs["tagsAll"] = undefined /*out*/; } opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); super(SecurityGroup.__pulumiType, name, resourceInputs, opts); } } exports.SecurityGroup = SecurityGroup; /** @internal */ SecurityGroup.__pulumiType = 'aws:ec2/securityGroup:SecurityGroup'; //# sourceMappingURL=securityGroup.js.map