Adds the specified outbound (egress) rule to a security group. An outbound rule permits instances to send traffic to the specified IPv4 or IPv6 address range, the IP addresses that are specified by a prefix list, or the instances that are associated with a destination security group. For more information, see Security group rules. You must specify exactly one of the following destinations: an IPv4 address range, an IPv6 address range, a prefix list, or a security group. You must specify a protocol for each rule (for example, TCP). If the protocol is TCP or UDP, you must also specify a port or port range. If the protocol is ICMP or ICMPv6, you must also specify the ICMP/ICMPv6 type and code. To specify all types or all codes, use -1. Rule changes are propagated to instances associated with the security group as quickly as possible. However, a small delay might occur.
Usage example for the egress rule resource for both IPv4 and IPv6.
resource "awscc_ec2_security_group_egress" "allow_all_traffic_ipv4" {
group_id = awscc_ec2_security_group.allow_all.id
cidr_ip = "0.0.0.0/0"
ip_protocol = "-1" # semantically equivalent to all ports
description = "Outbound rule to allow all traffic"
}
resource "awscc_ec2_security_group_egress" "allow_all_traffic_ipv6" {
group_id = awscc_ec2_security_group.allow_all.id
cidr_ipv_6 = "::/0"
ip_protocol = "-1" # semantically equivalent to all ports
description = "Outbound rule to allow all traffic"
}
resource "awscc_ec2_security_group" "allow_all" {
group_description = "Allow all outbound traffic"
vpc_id = awscc_ec2_vpc.selected.id
tags = [
{
key = "Name"
value = "allow_all"
}
]
}
resource "awscc_ec2_vpc_cidr_block" "selected" {
amazon_provided_ipv_6_cidr_block = true
vpc_id = awscc_ec2_vpc.selected.id
}
resource "awscc_ec2_vpc" "selected" {
cidr_block = "10.0.0.0/16"
enable_dns_hostnames = true
}
Usage example for the egress rule resource with ports specified.
resource "awscc_ec2_security_group_egress" "allow_https_traffic_ipv4" {
group_id = awscc_ec2_security_group.example.id
cidr_ip = "0.0.0.0/0"
ip_protocol = "tcp"
from_port = 443
to_port = 443
description = "Outbound rule to allow https traffic"
}
resource "awscc_ec2_security_group" "example" {
group_description = "Example SG"
vpc_id = awscc_ec2_vpc.selected.id
tags = [
{
key = "Name"
value = "example_sg"
}
]
}
resource "awscc_ec2_vpc" "selected" {
cidr_block = "10.0.0.0/16"
}
group_id
(String) The ID of the security group. You must specify either the security group ID or the security group name in the request. For security groups in a nondefault VPC, you must specify the security group ID.ip_protocol
(String) The IP protocol name (tcp
, udp
, icmp
, icmpv6
) or number (see Protocol Numbers).
Use -1
to specify all protocols. When authorizing security group rules, specifying -1
or a protocol number other than tcp
, udp
, icmp
, or icmpv6
allows traffic on all ports, regardless of any port range you specify. For tcp
, udp
, and icmp
, you must specify a port range. For icmpv6
, the port range is optional; if you omit the port range, traffic for all types and codes is allowed.cidr_ip
(String) The IPv4 address range, in CIDR format.
You must specify exactly one of the following: CidrIp
, CidrIpv6
, DestinationPrefixListId
, or DestinationSecurityGroupId
.
For examples of rules that you can add to security groups for specific access scenarios, see Security group rules for different use cases in the User Guide.cidr_ipv_6
(String) The IPv6 address range, in CIDR format.
You must specify exactly one of the following: CidrIp
, CidrIpv6
, DestinationPrefixListId
, or DestinationSecurityGroupId
.
For examples of rules that you can add to security groups for specific access scenarios, see Security group rules for different use cases in the User Guide.description
(String) The description of an egress (outbound) security group rule.
Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*destination_prefix_list_id
(String) The prefix list IDs for an AWS service. This is the AWS service to access through a VPC endpoint from instances associated with the security group.
You must specify exactly one of the following: CidrIp
, CidrIpv6
, DestinationPrefixListId
, or DestinationSecurityGroupId
.destination_security_group_id
(String) The ID of the security group.
You must specify exactly one of the following: CidrIp
, CidrIpv6
, DestinationPrefixListId
, or DestinationSecurityGroupId
.from_port
(Number) If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP type or -1 (all ICMP types).to_port
(Number) If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP code or -1 (all ICMP codes). If the start port is -1 (all ICMP types), then the end port must be -1 (all ICMP codes).id
(String) Uniquely identifies the resource.security_group_egress_id
(String)Import is supported using the following syntax:
$ terraform import awscc_ec2_security_group_egress.example <resource ID>