security_group_egresses

Creates, updates, deletes or gets a security_group_egress resource or lists security_group_egresses in a region

Overview

Name	security_group_egresses
Type	Resource
Description	Adds the specified outbound (egress) rule to a security group. An outbound rule permits instances to send traffic to the specified IPv4 or IPv6 address range, the IP addresses that are specified by a prefix list, or the instances that are associated with a destination security group. For more information, see Security group rules. You must specify exactly one of the following destinations: an IPv4 address range, an IPv6 address range, a prefix list, or a security group. You must specify a protocol for each rule (for example, TCP). If the protocol is TCP or UDP, you must also specify a port or port range. If the protocol is ICMP or ICMPv6, you must also specify the ICMP/ICMPv6 type and code. To specify all types or all codes, use -1. Rule changes are propagated to instances associated with the security group as quickly as possible. However, a small delay might occur.
Id	awscc.ec2.security_group_egresses

Fields

get (all properties)

Name	Datatype	Description
cidr_ip	string	The IPv4 address range, in CIDR format. You must specify exactly one of the following: CidrIp, CidrIpv6, DestinationPrefixListId, or DestinationSecurityGroupId. For examples of rules that you can add to security groups for specific access scenarios, see Security group rules for different use cases in the User Guide.
cidr_ipv6	string	The IPv6 address range, in CIDR format. You must specify exactly one of the following: CidrIp, CidrIpv6, DestinationPrefixListId, or DestinationSecurityGroupId. For examples of rules that you can add to security groups for specific access scenarios, see Security group rules for different use cases in the User Guide.
description	string	The description of an egress (outbound) security group rule. Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*
from_port	integer	If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP type or -1 (all ICMP types).
to_port	integer	If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP code or -1 (all ICMP codes). If the start port is -1 (all ICMP types), then the end port must be -1 (all ICMP codes).
ip_protocol	string	The IP protocol name (tcp, udp, icmp, icmpv6) or number (see Protocol Numbers). Use -1 to specify all protocols. When authorizing security group rules, specifying -1 or a protocol number other than tcp, udp, icmp, or icmpv6 allows traffic on all ports, regardless of any port range you specify. For tcp, udp, and icmp, you must specify a port range. For icmpv6, the port range is optional; if you omit the port range, traffic for all types and codes is allowed.
destination_security_group_id	string	The ID of the security group. You must specify exactly one of the following: CidrIp, CidrIpv6, DestinationPrefixListId, or DestinationSecurityGroupId.
id	string
destination_prefix_list_id	string	The prefix list IDs for an AWS service. This is the AWS service to access through a VPC endpoint from instances associated with the security group. You must specify exactly one of the following: CidrIp, CidrIpv6, DestinationPrefixListId, or DestinationSecurityGroupId.
group_id	string	The ID of the security group. You must specify either the security group ID or the security group name in the request. For security groups in a nondefault VPC, you must specify the security group ID.
region	string	AWS region.

list (identifiers only)

Name	Datatype	Description
id	string
region	string	AWS region.

For more information, see AWS::EC2::SecurityGroupEgress.

Methods

Name	Resource	Accessible by	Required Params
create_resource	security_group_egresses	INSERT	IpProtocol, GroupId, region
delete_resource	security_group_egresses	DELETE	Identifier, region
update_resource	security_group_egresses	UPDATE	Identifier, PatchDocument, region
list_resources	security_group_egresses_list_only	SELECT	region
get_resource	security_group_egresses	SELECT	Identifier, region

SELECT examples

get (all properties)

Gets all properties from an individual security_group_egress.

SELECT
  region,
  cidr_ip,
  cidr_ipv6,
  description,
  from_port,
  to_port,
  ip_protocol,
  destination_security_group_id,
  id,
  destination_prefix_list_id,
  group_id
FROM awscc.ec2.security_group_egresses
WHERE
  region = '{{ region }}' AND
  Identifier = '{{ id }}';

list (identifiers only)

Lists all security_group_egresses in a region.

SELECT
  region,
  id
FROM awscc.ec2.security_group_egresses_list_only
WHERE
  region = '{{ region }}';

INSERT example

Use the following StackQL query and manifest file to create a new security_group_egress resource, using stack-deploy.

Required Properties

/*+ create */
INSERT INTO awscc.ec2.security_group_egresses (
  IpProtocol,
  GroupId,
  region
)
SELECT
  '{{ ip_protocol }}',
  '{{ group_id }}',
  '{{ region }}'
RETURNING
  ErrorCode,
  EventTime,
  Identifier,
  Operation,
  OperationStatus,
  RequestToken,
  ResourceModel,
  RetryAfter,
  StatusMessage,
  TypeName
;

All Properties

/*+ create */
INSERT INTO awscc.ec2.security_group_egresses (
  CidrIp,
  CidrIpv6,
  Description,
  FromPort,
  ToPort,
  IpProtocol,
  DestinationSecurityGroupId,
  DestinationPrefixListId,
  GroupId,
  region
)
SELECT
  '{{ cidr_ip }}',
  '{{ cidr_ipv6 }}',
  '{{ description }}',
  '{{ from_port }}',
  '{{ to_port }}',
  '{{ ip_protocol }}',
  '{{ destination_security_group_id }}',
  '{{ destination_prefix_list_id }}',
  '{{ group_id }}',
  '{{ region }}'
RETURNING
  ErrorCode,
  EventTime,
  Identifier,
  Operation,
  OperationStatus,
  RequestToken,
  ResourceModel,
  RetryAfter,
  StatusMessage,
  TypeName
;

Manifest

version: 1
name: stack name
description: stack description
providers:
- aws
globals:
- name: region
  value: '{{ vars.AWS_REGION }}'
resources:
- name: security_group_egress
  props:
    - name: cidr_ip
      value: '{{ cidr_ip }}'
    - name: cidr_ipv6
      value: '{{ cidr_ipv6 }}'
    - name: description
      value: '{{ description }}'
    - name: from_port
      value: '{{ from_port }}'
    - name: to_port
      value: '{{ to_port }}'
    - name: ip_protocol
      value: '{{ ip_protocol }}'
    - name: destination_security_group_id
      value: '{{ destination_security_group_id }}'
    - name: destination_prefix_list_id
      value: '{{ destination_prefix_list_id }}'
    - name: group_id
      value: '{{ group_id }}'

UPDATE example

Use the following StackQL query and manifest file to update a security_group_egress resource, using stack-deploy.

/*+ update */
UPDATE awscc.ec2.security_group_egresses
SET PatchDocument = string('{{ {
    "Description": description
} | generate_patch_document }}')
WHERE
  region = '{{ region }}' AND
  Identifier = '{{ id }}'
RETURNING
  ErrorCode,
  EventTime,
  Identifier,
  Operation,
  OperationStatus,
  RequestToken,
  ResourceModel,
  RetryAfter,
  StatusMessage,
  TypeName
;

DELETE example

/*+ delete */
DELETE FROM awscc.ec2.security_group_egresses
WHERE
  Identifier = '{{ id }}' AND
  region = '{{ region }}'
RETURNING
  ErrorCode,
  EventTime,
  Identifier,
  Operation,
  OperationStatus,
  RequestToken,
  ResourceModel,
  RetryAfter,
  StatusMessage,
  TypeName
;

Additional Parameters

Mutable resources in the Cloud Control provider support additional optional parameters which can be supplied with INSERT, UPDATE, or DELETE operations. These include:

Parameter	Description
ClientToken	A unique identifier to ensure the idempotency of the resource request. This allows the provider to accurately distinguish between retries and new requests. A client token is valid for 36 hours once used. After that, a resource request with the same client token is treated as a new request. If you do not specify a client token, one is generated for inclusion in the request.
RoleArn	The ARN of the IAM role used to perform this resource operation. The role specified must have the permissions required for this operation. If you do not specify a role, a temporary session is created using your AWS user credentials.
TypeVersionId	For private resource types, the type version to use in this resource operation. If you do not specify a resource version, the default version is used.

Permissions

To operate on the security_group_egresses resource, the following permissions are required:

Read

ec2:DescribeSecurityGroupRules

Create

ec2:AuthorizeSecurityGroupEgress,
ec2:RevokeSecurityGroupEgress,
ec2:DescribeSecurityGroupRules

Update

ec2:UpdateSecurityGroupRuleDescriptionsEgress

List

ec2:DescribeSecurityGroupRules

Delete

ec2:RevokeSecurityGroupEgress,
ec2:DescribeSecurityGroupRules