security_group_egresses

Creates, updates, deletes or gets a security_group_egress resource or lists security_group_egresses in a region

Overview

Name	`security_group_egresses`
Type	Resource
Description	Adds the specified outbound (egress) rule to a security group. An outbound rule permits instances to send traffic to the specified IPv4 or IPv6 address range, the IP addresses that are specified by a prefix list, or the instances that are associated with a destination security group. For more information, see [Security group rules](https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html). You must specify exactly one of the following destinations: an IPv4 address range, an IPv6 address range, a prefix list, or a security group. You must specify a protocol for each rule (for example, TCP). If the protocol is TCP or UDP, you must also specify a port or port range. If the protocol is ICMP or ICMPv6, you must also specify the ICMP/ICMPv6 type and code. To specify all types or all codes, use -1. Rule changes are propagated to instances associated with the security group as quickly as possible. However, a small delay might occur.
Id	`aws.ec2.security_group_egresses`

Fields

Name	Datatype	Description
`cidr_ip`	`string`	The IPv4 address range, in CIDR format. You must specify exactly one of the following: `CidrIp`, `CidrIpv6`, `DestinationPrefixListId`, or `DestinationSecurityGroupId`. For examples of rules that you can add to security groups for specific access scenarios, see [Security group rules for different use cases](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html) in the User Guide.
`cidr_ipv6`	`string`	The IPv6 address range, in CIDR format. You must specify exactly one of the following: `CidrIp`, `CidrIpv6`, `DestinationPrefixListId`, or `DestinationSecurityGroupId`. For examples of rules that you can add to security groups for specific access scenarios, see [Security group rules for different use cases](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html) in the User Guide.
`description`	`string`	The description of an egress (outbound) security group rule. Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*
`from_port`	`integer`	If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP type or -1 (all ICMP types).
`to_port`	`integer`	If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP code or -1 (all ICMP codes). If the start port is -1 (all ICMP types), then the end port must be -1 (all ICMP codes).
`ip_protocol`	`string`	The IP protocol name (`tcp`, `udp`, `icmp`, `icmpv6`) or number (see [Protocol Numbers](https://docs.aws.amazon.com/http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml)). Use `-1` to specify all protocols. When authorizing security group rules, specifying `-1` or a protocol number other than `tcp`, `udp`, `icmp`, or `icmpv6` allows traffic on all ports, regardless of any port range you specify. For `tcp`, `udp`, and `icmp`, you must specify a port range. For `icmpv6`, the port range is optional; if you omit the port range, traffic for all types and codes is allowed.
`destination_security_group_id`	`string`	The ID of the security group. You must specify exactly one of the following: `CidrIp`, `CidrIpv6`, `DestinationPrefixListId`, or `DestinationSecurityGroupId`.
`id`	`string`
`destination_prefix_list_id`	`string`	The prefix list IDs for an AWS service. This is the AWS service to access through a VPC endpoint from instances associated with the security group. You must specify exactly one of the following: `CidrIp`, `CidrIpv6`, `DestinationPrefixListId`, or `DestinationSecurityGroupId`.
`group_id`	`string`	The ID of the security group. You must specify either the security group ID or the security group name in the request. For security groups in a nondefault VPC, you must specify the security group ID.
`region`	`string`	AWS region.

Methods

Name	Accessible by	Required Params
`create_resource`	`INSERT`	`IpProtocol, GroupId, region`
`delete_resource`	`DELETE`	`data__Identifier, region`
`update_resource`	`UPDATE`	`data__Identifier, data__PatchDocument, region`
`list_resources`	`SELECT`	`region`
`get_resource`	`SELECT`	`data__Identifier, region`

`SELECT` examples

Gets all security_group_egresses in a region.

SELECT
region,
cidr_ip,
cidr_ipv6,
description,
from_port,
to_port,
ip_protocol,
destination_security_group_id,
id,
destination_prefix_list_id,
group_id
FROM aws.ec2.security_group_egresses
WHERE region = 'us-east-1';

Gets all properties from an individual security_group_egress.

SELECT
region,
cidr_ip,
cidr_ipv6,
description,
from_port,
to_port,
ip_protocol,
destination_security_group_id,
id,
destination_prefix_list_id,
group_id
FROM aws.ec2.security_group_egresses
WHERE region = 'us-east-1' AND data__Identifier = '<Id>';

`INSERT` example

Use the following StackQL query and manifest file to create a new security_group_egress resource, using stack-deploy.

Required Properties
All Properties
Manifest

/*+ create */
INSERT INTO aws.ec2.security_group_egresses (
 IpProtocol,
 GroupId,
 region
)
SELECT 
'{{ IpProtocol }}',
 '{{ GroupId }}',
'{{ region }}';

/*+ create */
INSERT INTO aws.ec2.security_group_egresses (
 CidrIp,
 CidrIpv6,
 Description,
 FromPort,
 ToPort,
 IpProtocol,
 DestinationSecurityGroupId,
 DestinationPrefixListId,
 GroupId,
 region
)
SELECT 
 '{{ CidrIp }}',
 '{{ CidrIpv6 }}',
 '{{ Description }}',
 '{{ FromPort }}',
 '{{ ToPort }}',
 '{{ IpProtocol }}',
 '{{ DestinationSecurityGroupId }}',
 '{{ DestinationPrefixListId }}',
 '{{ GroupId }}',
 '{{ region }}';

version: 1
name: stack name
description: stack description
providers:
  - aws
globals:
  - name: region
    value: '{{ vars.AWS_REGION }}'
resources:
  - name: security_group_egress
    props:
      - name: CidrIp
        value: '{{ CidrIp }}'
      - name: CidrIpv6
        value: '{{ CidrIpv6 }}'
      - name: Description
        value: '{{ Description }}'
      - name: FromPort
        value: '{{ FromPort }}'
      - name: ToPort
        value: '{{ ToPort }}'
      - name: IpProtocol
        value: '{{ IpProtocol }}'
      - name: DestinationSecurityGroupId
        value: '{{ DestinationSecurityGroupId }}'
      - name: DestinationPrefixListId
        value: '{{ DestinationPrefixListId }}'
      - name: GroupId
        value: '{{ GroupId }}'

`DELETE` example

/*+ delete */
DELETE FROM aws.ec2.security_group_egresses
WHERE data__Identifier = '<Id>'
AND region = 'us-east-1';

Permissions

To operate on the security_group_egresses resource, the following permissions are required:

Read

ec2:DescribeSecurityGroupRules

Create

ec2:AuthorizeSecurityGroupEgress,
ec2:RevokeSecurityGroupEgress,
ec2:DescribeSecurityGroupRules

Update

ec2:UpdateSecurityGroupRuleDescriptionsEgress

List

ec2:DescribeSecurityGroupRules

Delete

ec2:RevokeSecurityGroupEgress,
ec2:DescribeSecurityGroupRules

Overview​

Fields​

Methods​

SELECT examples​

INSERT example​

DELETE example​

Permissions​

Read​

Create​

Update​

List​

Delete​