Class: AWS::EC2::SecurityGroup
- Inherits:
-
Resource
- Object
- Core::Resource
- Resource
- AWS::EC2::SecurityGroup
- Includes:
- TaggedItem
- Defined in:
- lib/aws/ec2/security_group.rb,
lib/aws/ec2/security_group/ip_permission.rb,
lib/aws/ec2/security_group/ip_permission_collection.rb
Overview
Represents a security group in EC2.
Defined Under Namespace
Classes: EgressIpPermissionCollection, IngressIpPermissionCollection, IpPermission, IpPermissionCollection
Instance Attribute Summary collapse
-
#description ⇒ String
readonly
The short informal description given when the group was created.
-
#name ⇒ String
readonly
The name of the security group.
-
#owner_id ⇒ String
readonly
The security group owner’s id.
- #security_group_id ⇒ String (also: #group_id, #id) readonly
-
#vpc_id ⇒ String?
readonly
If this is a VPC security group, vpc_id is the ID of the VPC this group was created in.
Instance Method Summary collapse
-
#allow_ping(*sources) ⇒ nil
Adds ingress rules for ICMP pings.
-
#authorize_egress(*sources, options = {}) ⇒ nil
Authorize egress (outbound) traffic for a VPC security group.
-
#authorize_ingress(protocol, ports, *sources) ⇒ nil
Add an ingress rules to this security group.
-
#delete ⇒ nil
Deletes this security group.
- #describe_call_name ⇒ Object
-
#disallow_ping(*sources) ⇒ nil
Removes ingress rules for ICMP pings.
-
#egress_ip_permissions ⇒ SecurityGroup::EgressIpPermissionCollection
Returns a collection of IpPermission objects that represents all of the egress permissions this security group has authorizations for.
-
#exists? ⇒ Boolean
True if the security group exists.
-
#ingress_ip_permissions ⇒ SecurityGroup::IngressIpPermissionCollection
(also: #ip_permissions)
Returns a collection of IpPermission objects that represents all of the (ingress) permissions this security group has authorizations for.
-
#initialize(security_group_id, options = {}) ⇒ SecurityGroup
constructor
A new instance of SecurityGroup.
-
#instances ⇒ InstanceCollection
Returns an instance collection that will only enumerate instances in this security group.
-
#revoke_egress(*sources) ⇒ nil
Revokes an egress (outound) ip permission.
-
#revoke_ingress(protocol, ports, *sources) ⇒ nil
Revokes an ingress (inbound) ip permission.
-
#vpc ⇒ VPC?
Returns the VPC this security group belongs to, or nil if this is not a VPC security group.
-
#vpc? ⇒ Boolean
Returns true if this security group is a VPC security group and not an EC2 security group.
Methods included from TaggedItem
Constructor Details
#initialize(security_group_id, options = {}) ⇒ SecurityGroup
Returns a new instance of SecurityGroup.
41 42 43 44 |
# File 'lib/aws/ec2/security_group.rb', line 41 def initialize security_group_id, = {} @security_group_id = security_group_id super end |
Instance Attribute Details
#description ⇒ String (readonly)
The short informal description given when the group was created.
30 31 32 |
# File 'lib/aws/ec2/security_group.rb', line 30 def description @description end |
#name ⇒ String (readonly)
The name of the security group.
30 31 32 |
# File 'lib/aws/ec2/security_group.rb', line 30 def name @name end |
#owner_id ⇒ String (readonly)
The security group owner’s id.
30 31 32 |
# File 'lib/aws/ec2/security_group.rb', line 30 def owner_id @owner_id end |
#security_group_id ⇒ String (readonly) Also known as: group_id, id
47 48 49 |
# File 'lib/aws/ec2/security_group.rb', line 47 def security_group_id @security_group_id end |
#vpc_id ⇒ String? (readonly)
If this is a VPC security group, vpc_id is the ID of the VPC this group was created in. Returns false otherwise.
30 31 32 |
# File 'lib/aws/ec2/security_group.rb', line 30 def vpc_id @vpc_id end |
Instance Method Details
#allow_ping(*sources) ⇒ nil
Adds ingress rules for ICMP pings. Defaults to 0.0.0.0/0 for the list of allowed IP ranges the ping can come from.
security_group.allow_ping # anyone can ping servers in this group
# only allow ping from a particular address
security_group.allow_ping('123.123.123.123/0')
133 134 135 136 |
# File 'lib/aws/ec2/security_group.rb', line 133 def allow_ping *sources sources << '0.0.0.0/0' if sources.empty? ('icmp', -1, *sources) end |
#authorize_egress(*sources, options = {}) ⇒ nil
Calling this method on a non-VPC security group raises an error.
Authorize egress (outbound) traffic for a VPC security group.
# allow traffic for all protocols/ports from the given sources
security_group.('10.0.0.0/16', '10.0.0.1/16')
# allow tcp traffic outband via port 80
security_group.('10.0.0.0/16',
:protocol => :tcp, :ports => 80..80)
299 300 301 302 303 304 |
# File 'lib/aws/ec2/security_group.rb', line 299 def *sources client.( :group_id => id, :ip_permissions => [egress_opts(sources)]) nil end |
#authorize_ingress(protocol, ports, *sources) ⇒ nil
Add an ingress rules to this security group. Ingress rules permit inbound traffic over a given protocol for a given port range from one or more souce ip addresses.
This example grants the whole internet (0.0.0.0/0) access to port 80 over TCP (HTTP web traffic).
security_group.(:tcp, 80)
You can specify port ranges as well:
# ftp
security_group.(:tcp, 20..21)
Sources
Security groups accept ingress trafic from:
-
CIDR IP addresses
-
security groups
-
load balancers
Ip Addresses
In the following example allow incoming SSH from a list of IP address ranges.
security_group.(:tcp, 22,
'111.111.111.111/0', '222.222.222.222/0')
Security Groups
To autohrize ingress traffic from all EC2 instance in another security group, just pass the security group:
web = security_groups.create('webservers')
db = security_groups.create('database')
db.(:tcp, 3306, web)
You can also pass a hash of security group details instead of a AWS::EC2::SecurityGroup object.
# by security group name
sg.(:tcp, 80, { :group_name => 'other-group' })
# by security group id
sg.(:tcp, 80, { :group_id => 'sg-1234567' })
If the security group belongs to a different account, just make sure it has the correct owner ID populated:
not_my_sg = SecurityGroup.new('sg-1234567', :owner_id => 'abcxyz123')
my_sg.(:tcp, 80, not_my_sg)
You can do the same with a hash as well (with either :group_id
or :group_name
):
sg.(:tcp, 21..22, { :group_id => 'sg-id', :user_id => 'abcxyz123' })
Load Balancers
If you use ELB to manage load balancers, then you need to add ingress permissions to the security groups they route traffic into. You can do this by passing the AWS::ELB::LoadBalancer into authorize_ingress:
load_balancer = AWS::ELB.new.load_balancers['web-load-balancer']
sg.(:tcp, 80, load_balancer)
Multiple Sources
You can provide multiple sources each time you call authorize ingress, and you can mix and match the source types:
sg.(:tcp, 80, other_sg, '1.2.3.4/0', load_balancer)
246 247 248 249 250 251 252 |
# File 'lib/aws/ec2/security_group.rb', line 246 def protocol, ports, *sources client.( :group_id => id, :ip_permissions => [ingress_opts(protocol, ports, sources)] ) nil end |
#delete ⇒ nil
Deletes this security group.
If you attempt to delete a security group that contains instances, or attempt to delete a security group that is referenced by another security group, an error is raised. For example, if security group B has a rule that allows access from security group A, security group A cannot be deleted until the rule is removed.
330 331 332 333 |
# File 'lib/aws/ec2/security_group.rb', line 330 def delete client.delete_security_group(:group_id => id) nil end |
#describe_call_name ⇒ Object
354 |
# File 'lib/aws/ec2/security_group.rb', line 354 def describe_call_name; self.class.describe_call_name; end |
#disallow_ping(*sources) ⇒ nil
Removes ingress rules for ICMP pings. Defaults to 0.0.0.0/0 for the list of IP ranges to revoke.
146 147 148 149 |
# File 'lib/aws/ec2/security_group.rb', line 146 def disallow_ping *sources sources << '0.0.0.0/0' if sources.empty? revoke_ingress('icmp', -1, *sources) end |
#egress_ip_permissions ⇒ SecurityGroup::EgressIpPermissionCollection
Returns a collection of IpPermission objects that represents all of the egress permissions this security group has authorizations for.
116 117 118 |
# File 'lib/aws/ec2/security_group.rb', line 116 def EgressIpPermissionCollection.new(self, :config => config) end |
#exists? ⇒ Boolean
Returns True if the security group exists.
81 82 83 84 85 |
# File 'lib/aws/ec2/security_group.rb', line 81 def exists? client.describe_security_groups(:filters => [ { :name => "group-id", :values => [id] } ]).security_group_index.key?(id) end |
#ingress_ip_permissions ⇒ SecurityGroup::IngressIpPermissionCollection Also known as: ip_permissions
Returns a collection of IpPermission objects that represents all of the (ingress) permissions this security group has authorizations for.
108 109 110 |
# File 'lib/aws/ec2/security_group.rb', line 108 def IngressIpPermissionCollection.new(self, :config => config) end |
#instances ⇒ InstanceCollection
Returns an instance collection that will only enumerate instances in this security group.
71 72 73 74 75 76 77 78 |
# File 'lib/aws/ec2/security_group.rb', line 71 def instances instances = InstanceCollection.new(:config => config) if vpc? instances.filter('instance.group-id', [group_id]) else instances.filter('group-id', [group_id]) end end |
#revoke_egress(*sources) ⇒ nil
Revokes an egress (outound) ip permission. This is the inverse operation to #authorize_egress. See #authorize_egress for param and option documentation.
314 315 316 317 318 319 |
# File 'lib/aws/ec2/security_group.rb', line 314 def revoke_egress *sources client.revoke_security_group_egress( :group_id => id, :ip_permissions => [egress_opts(sources)]) nil end |
#revoke_ingress(protocol, ports, *sources) ⇒ nil
Revokes an ingress (inbound) ip permission. This is the inverse operation to #authorize_ingress. See #authorize_ingress for param and option documentation.
262 263 264 265 266 267 268 |
# File 'lib/aws/ec2/security_group.rb', line 262 def revoke_ingress protocol, ports, *sources client.revoke_security_group_ingress( :group_id => id, :ip_permissions => [ingress_opts(protocol, ports, sources)] ) nil end |
#vpc ⇒ VPC?
Returns the VPC this security group belongs to, or nil if this is not a VPC security group.
98 99 100 101 102 |
# File 'lib/aws/ec2/security_group.rb', line 98 def vpc if vpc_id VPC.new(vpc_id, :config => config) end end |
#vpc? ⇒ Boolean
Returns true if this security group is a VPC security group and not an EC2 security group. VPC security groups belong to a VPC subnet and can have egress rules.
92 93 94 |
# File 'lib/aws/ec2/security_group.rb', line 92 def vpc? vpc_id ? true : false end |