security_group_ingresses
Creates, updates, deletes or gets a security_group_ingress resource or lists security_group_ingresses in a region
Overview
| Name | security_group_ingresses |
| Type | Resource |
| Description | Resource Type definition for AWS::EC2::SecurityGroupIngress |
| Id | awscc.ec2.security_group_ingresses |
Fields
- get (all properties)
- list (identifiers only)
| Name | Datatype | Description |
|---|---|---|
id | string | The Security Group Rule Id |
cidr_ip | string | The IPv4 ranges |
cidr_ipv6 | string | [VPC only] The IPv6 ranges |
description | string | Updates the description of an ingress (inbound) security group rule. You can replace an existing description, or add a description to a rule that did not have one previously |
from_port | integer | The start of port range for the TCP and UDP protocols, or an ICMP/ICMPv6 type number. A value of -1 indicates all ICMP/ICMPv6 types. If you specify all ICMP/ICMPv6 types, you must specify all codes.Use this for ICMP and any protocol that uses ports. |
group_id | string | The ID of the security group. You must specify either the security group ID or the security group name in the request. For security groups in a nondefault VPC, you must specify the security group ID.You must specify the GroupName property or the GroupId property. For security groups that are in a VPC, you must use the GroupId property. |
group_name | string | The name of the security group. |
ip_protocol | string | The IP protocol name (tcp, udp, icmp, icmpv6) or number (see Protocol Numbers).[VPC only] Use -1 to specify all protocols. When authorizing security group rules, specifying -1 or a protocol number other than tcp, udp, icmp, or icmpv6 allows traffic on all ports, regardless of any port range you specify. For tcp, udp, and icmp, you must specify a port range. For icmpv6, the port range is optional; if you omit the port range, traffic for all types and codes is allowed. |
source_prefix_list_id | string | [EC2-VPC only] The ID of a prefix list. |
source_security_group_id | string | The ID of the security group. You must specify either the security group ID or the security group name. For security groups in a nondefault VPC, you must specify the security group ID. |
source_security_group_name | string | [EC2-Classic, default VPC] The name of the source security group.You must specify the GroupName property or the GroupId property. For security groups that are in a VPC, you must use the GroupId property. |
source_security_group_owner_id | string | [nondefault VPC] The AWS account ID that owns the source security group. You can't specify this property with an IP address range.If you specify SourceSecurityGroupName or SourceSecurityGroupId and that security group is owned by a different account than the account creating the stack, you must specify the SourceSecurityGroupOwnerId; otherwise, this property is optional. |
to_port | integer | The end of port range for the TCP and UDP protocols, or an ICMP/ICMPv6 code. A value of -1 indicates all ICMP/ICMPv6 codes for the specified ICMP type. If you specify all ICMP/ICMPv6 types, you must specify all codes.Use this for ICMP and any protocol that uses ports. |
region | string | AWS region. |
| Name | Datatype | Description |
|---|---|---|
id | string | The Security Group Rule Id |
region | string | AWS region. |
For more information, see AWS::EC2::SecurityGroupIngress.
Methods
| Name | Resource | Accessible by | Required Params |
|---|---|---|---|
create_resource | security_group_ingresses | INSERT | IpProtocol, region |
delete_resource | security_group_ingresses | DELETE | Identifier, region |
update_resource | security_group_ingresses | UPDATE | Identifier, PatchDocument, region |
list_resources | security_group_ingresses_list_only | SELECT | region |
get_resource | security_group_ingresses | SELECT | Identifier, region |
SELECT examples
- get (all properties)
- list (identifiers only)
Gets all properties from an individual security_group_ingress.
SELECT
region,
id,
cidr_ip,
cidr_ipv6,
description,
from_port,
group_id,
group_name,
ip_protocol,
source_prefix_list_id,
source_security_group_id,
source_security_group_name,
source_security_group_owner_id,
to_port
FROM awscc.ec2.security_group_ingresses
WHERE
region = '{{ region }}' AND
Identifier = '{{ id }}';
Lists all security_group_ingresses in a region.
SELECT
region,
id
FROM awscc.ec2.security_group_ingresses_list_only
WHERE
region = '{{ region }}';
INSERT example
Use the following StackQL query and manifest file to create a new security_group_ingress resource, using stack-deploy.
- Required Properties
- All Properties
- Manifest
/*+ create */
INSERT INTO awscc.ec2.security_group_ingresses (
IpProtocol,
region
)
SELECT
'{{ ip_protocol }}',
'{{ region }}'
RETURNING
ErrorCode,
EventTime,
Identifier,
Operation,
OperationStatus,
RequestToken,
ResourceModel,
RetryAfter,
StatusMessage,
TypeName
;
/*+ create */
INSERT INTO awscc.ec2.security_group_ingresses (
CidrIp,
CidrIpv6,
Description,
FromPort,
GroupId,
GroupName,
IpProtocol,
SourcePrefixListId,
SourceSecurityGroupId,
SourceSecurityGroupName,
SourceSecurityGroupOwnerId,
ToPort,
region
)
SELECT
'{{ cidr_ip }}',
'{{ cidr_ipv6 }}',
'{{ description }}',
'{{ from_port }}',
'{{ group_id }}',
'{{ group_name }}',
'{{ ip_protocol }}',
'{{ source_prefix_list_id }}',
'{{ source_security_group_id }}',
'{{ source_security_group_name }}',
'{{ source_security_group_owner_id }}',
'{{ to_port }}',
'{{ region }}'
RETURNING
ErrorCode,
EventTime,
Identifier,
Operation,
OperationStatus,
RequestToken,
ResourceModel,
RetryAfter,
StatusMessage,
TypeName
;
version: 1
name: stack name
description: stack description
providers:
- aws
globals:
- name: region
value: '{{ vars.AWS_REGION }}'
resources:
- name: security_group_ingress
props:
- name: cidr_ip
value: '{{ cidr_ip }}'
- name: cidr_ipv6
value: '{{ cidr_ipv6 }}'
- name: description
value: '{{ description }}'
- name: from_port
value: '{{ from_port }}'
- name: group_id
value: '{{ group_id }}'
- name: group_name
value: '{{ group_name }}'
- name: ip_protocol
value: '{{ ip_protocol }}'
- name: source_prefix_list_id
value: '{{ source_prefix_list_id }}'
- name: source_security_group_id
value: '{{ source_security_group_id }}'
- name: source_security_group_name
value: '{{ source_security_group_name }}'
- name: source_security_group_owner_id
value: '{{ source_security_group_owner_id }}'
- name: to_port
value: '{{ to_port }}'
UPDATE example
Use the following StackQL query and manifest file to update a security_group_ingress resource, using stack-deploy.
/*+ update */
UPDATE awscc.ec2.security_group_ingresses
SET PatchDocument = string('{{ {
"Description": description
} | generate_patch_document }}')
WHERE
region = '{{ region }}' AND
Identifier = '{{ id }}'
RETURNING
ErrorCode,
EventTime,
Identifier,
Operation,
OperationStatus,
RequestToken,
ResourceModel,
RetryAfter,
StatusMessage,
TypeName
;
DELETE example
/*+ delete */
DELETE FROM awscc.ec2.security_group_ingresses
WHERE
Identifier = '{{ id }}' AND
region = '{{ region }}'
RETURNING
ErrorCode,
EventTime,
Identifier,
Operation,
OperationStatus,
RequestToken,
ResourceModel,
RetryAfter,
StatusMessage,
TypeName
;
Additional Parameters
Mutable resources in the Cloud Control provider support additional optional parameters which can be supplied with INSERT, UPDATE, or DELETE operations. These include:
| Parameter | Description |
|---|---|
ClientToken | A unique identifier to ensure the idempotency of the resource request.This allows the provider to accurately distinguish between retries and new requests.A client token is valid for 36 hours once used. After that, a resource request with the same client token is treated as a new request. If you do not specify a client token, one is generated for inclusion in the request. |
RoleArn | The ARN of the IAM role used to perform this resource operation.The role specified must have the permissions required for this operation.If you do not specify a role, a temporary session is created using your AWS user credentials. |
TypeVersionId | For private resource types, the type version to use in this resource operation.If you do not specify a resource version, the default version is used. |
Permissions
To operate on the security_group_ingresses resource, the following permissions are required:
- Create
- Update
- Delete
- Read
- List
ec2:DescribeSecurityGroupRules,
ec2:AuthorizeSecurityGroupIngress
ec2:UpdateSecurityGroupRuleDescriptionsIngress
ec2:DescribeSecurityGroupRules,
ec2:RevokeSecurityGroupIngress
ec2:DescribeSecurityGroups,
ec2:DescribeSecurityGroupRules
ec2:DescribeSecurityGroupRules