Class: AWS::EC2::SecurityGroup

Inherits:
Resource
  • Object
Includes:
TaggedItem
Defined in:
lib/aws/ec2/security_group.rb,
lib/aws/ec2/security_group/ip_permission.rb,
lib/aws/ec2/security_group/ip_permission_collection.rb

Overview

Represents a security group in EC2.

Defined Under Namespace

Classes: IpPermission, IpPermissionCollection

Instance Attribute Summary

Instance Method Summary

Methods included from TaggedItem

#add_tag, #clear_tags, #tags

Constructor Details

#initialize(id, options = {}) ⇒ SecurityGroup

Returns a new instance of SecurityGroup.



# File 'lib/aws/ec2/security_group.rb', line 35

def initialize id, options = {}
  @id = id
  @name = options[:name]
  @description = options[:description]
  @owner_id = options[:owner_id]
  super
end

Instance Attribute Details

#description ⇒ String (readonly)

The short informal description given when the group was created.

Returns:

  • (String)

    the current value of description



# File 'lib/aws/ec2/security_group.rb', line 31

def description
  @description
end

#id ⇒ String (readonly) Also known as: group_id

Returns the id of the security group.

Returns:

  • (String)

    The id of the security group.



# File 'lib/aws/ec2/security_group.rb', line 44

def id
  @id
end

#name ⇒ String (readonly)

The name of the security group.

Returns:

  • (String)

    the current value of name



# File 'lib/aws/ec2/security_group.rb', line 31

def name
  @name
end

#owner_id ⇒ String (readonly)

The security group owner’s id.

Returns:

  • (String)

    the current value of owner_id



# File 'lib/aws/ec2/security_group.rb', line 31

def owner_id
  @owner_id
end

Instance Method Details

#allow_ping(*sources) ⇒ Object

Adds an ingress rule allowing ICMP. When no sources are given the rule defaults to 0.0.0.0/0, so any host on the internet can ping instances in this group. Note that the rule is created with ICMP type -1, which permits every ICMP type, not only echo request/reply.

security_group.allow_ping # anyone can ping servers in this group

# only allow ping from a particular address (a /32 mask; a /0 mask
# would match every address and be equivalent to 0.0.0.0/0)
security_group.allow_ping('123.123.123.123/32')

Parameters:

  • sources (String)

    One or more CIDR ranges to allow ping from. Defaults to 0.0.0.0/0 when omitted.



# File 'lib/aws/ec2/security_group.rb', line 84

def allow_ping *sources
  sources << '0.0.0.0/0' if sources.empty?
  authorize_ingress('icmp', -1, *sources)
end

#authorize_ingress(protocol, ports, *sources) ⇒ nil

Adds an ingress rule to a security group.

Each ingress rule consists of a protocol, a port (or port range) and a list of sources.

This example grants the whole internet (0.0.0.0/0) access to port 80 over TCP (HTTP web traffic). Omitting the sources is what makes the rule world-open, so only do this for ports that are meant to be public.

security_groups['websrv'].authorize_ingress(:tcp, 80)

In the following example we grant SSH access from a list of single IP addresses (note the /32 mask; a /0 mask would match every address):

security_groups['appsrv'].authorize_ingress(:tcp, 22,
  '111.111.111.111/32', '222.222.222.222/32')

You can also grant access to other security groups. This is a convenient shortcut for granting access to every EC2 instance that is a member of a particular security group.

web = security_groups['httpservers']
db = security_groups['dbservers']

db.authorize_ingress(:tcp, 3306, web)

You can specify port ranges as well:

security_groups['ftpsvr'].authorize_ingress(:tcp, 20..21)

You can also mix CIDR ranges and security groups in the same call.

Parameters:

  • protocol (String, Symbol)

    Should be :tcp, :udp or :icmp or the string equivalent.

  • ports (Integer, Range)

    The port (or port range) to allow ingress traffic over. You can pass a single integer (like 80) or a range (like 20..21). For :icmp this argument is the ICMP type rather than a port; -1 means all types, which is what #allow_ping passes.

  • sources (Mixed)

    One or more CIDR IP ranges, security groups, or hashes. Hash values should have :group_id and :user_id keys/values. This is useful when the security group belongs to another account; the user id should be the owner_id (account id) of the security group. If no sources are given, the rule is created for 0.0.0.0/0, i.e. the whole internet.

Returns:

  • (nil)


# File 'lib/aws/ec2/security_group.rb', line 146

def authorize_ingress protocol, ports, *sources
  permissions = format_permission(protocol, ports, sources)
  client.authorize_security_group_ingress(
    :group_id => id,
    :ip_permissions => permissions)
  nil
end
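The examples for #allow_ping and #authorize_ingress above show how easy it is to write a CIDR that grants far more than intended: a /0 mask matches every address regardless of what host bits are written, so '123.123.123.123/0' is really 0.0.0.0/0. The following is an added example, not code from the aws-sdk gem, that validates the String sources before they reach authorize_ingress. It uses only Ruby's standard IPAddr; the UnsafeIngressSource class and the safe_ingress_sources and validate_cidr helpers are hypothetical names introduced here.

```ruby
require 'ipaddr'

# Raised when an ingress source would grant broader access than the caller
# probably intended. (Hypothetical helper; not part of the SDK.)
class UnsafeIngressSource < StandardError; end

# Validates one CIDR string and returns it in canonical "network/prefix" form.
# Rejects:
#   * a bare address with no prefix length (ambiguous; write /32 or /128)
#   * anything IPAddr cannot parse
#   * a mask that discards host bits, e.g. '123.123.123.123/0': a /0 mask
#     matches every address, so this is really 0.0.0.0/0, not one host
#   * 0.0.0.0/0 or ::/0 unless allow_any: true is passed explicitly
def validate_cidr(cidr, allow_any: false)
  address, prefix = cidr.split('/', 2)
  if prefix.nil?
    raise UnsafeIngressSource,
          "#{cidr.inspect} has no prefix length; use #{address}/32 for a single host"
  end

  net = begin
    IPAddr.new(cidr)
  rescue IPAddr::Error => e
    raise UnsafeIngressSource, "#{cidr.inspect} is not a valid CIDR (#{e.message})"
  end

  # IPAddr applies the mask when it parses the string, so if the resulting
  # network address differs from what was written, host bits were set that
  # the mask throws away. That is almost always a typo in the prefix length.
  unless net == IPAddr.new(address)
    host_len = net.ipv4? ? 32 : 128
    raise UnsafeIngressSource,
          "#{cidr.inspect} has host bits set and is equivalent to #{net}/#{net.prefix}; " \
          "write #{net}/#{net.prefix} for the whole network or #{address}/#{host_len} for one host"
  end

  if net.prefix.zero? && !allow_any
    raise UnsafeIngressSource,
          "#{cidr.inspect} opens the port to the whole internet; pass allow_any: true if that is intended"
  end

  "#{net}/#{net.prefix}"
end

# Validates every String source in a list destined for authorize_ingress.
# Security group objects and {:group_id, :user_id} hashes are passed through
# unchanged, since they name a group rather than an address range.
def safe_ingress_sources(sources, allow_any: false)
  sources.map do |source|
    source.is_a?(String) ? validate_cidr(source, allow_any: allow_any) : source
  end
end

# Intended use (needs a live AWS::EC2 connection, so it is not run here):
#   group.authorize_ingress(:tcp, 22, *safe_ingress_sources(['203.0.113.7/32']))
#   group.authorize_ingress(:tcp, 80, *safe_ingress_sources(['0.0.0.0/0'], allow_any: true))
```

The check relies on IPAddr masking the address on construction: if the network it produces is not the address that was written, the prefix length is wrong for that address. Requiring allow_any: true for 0.0.0.0/0 makes a world-open rule an explicit decision in the calling code rather than the consequence of a forgotten argument.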

#delete ⇒ nil

Deletes this security group.

Deleting a security group that is still associated with instances, or one that is referenced by a rule in another security group, raises an error. For example, if security group B has a rule that allows access from security group A, A cannot be deleted until that rule is removed from B (see #revoke_ingress).

Returns:

  • (nil)


# File 'lib/aws/ec2/security_group.rb', line 173

def delete
  client.delete_security_group(:group_id => id)
  nil
end

#describe_call_name ⇒ Object



# File 'lib/aws/ec2/security_group.rb', line 192

def describe_call_name; self.class.describe_call_name; end

#disallow_ping(*sources) ⇒ Object

Removes the ICMP ingress rule (type -1) added by #allow_ping. When no sources are given, the rule for 0.0.0.0/0 is revoked.

Parameters:

  • sources (String)

    One or more CIDR ranges to revoke ping access from. Defaults to 0.0.0.0/0 when omitted.



# File 'lib/aws/ec2/security_group.rb', line 94

def disallow_ping *sources
  sources << '0.0.0.0/0' if sources.empty?
  revoke_ingress('icmp', -1, *sources)
end

#exists? ⇒ Boolean

Returns true if the security group exists.

Returns:

  • (Boolean)

    True if the security group exists.



# File 'lib/aws/ec2/security_group.rb', line 61

def exists?
  client.describe_security_groups(:filters => [
    { :name => "group-id", :values => [id] }
  ]).security_group_index.key?(id)
end

#ip_permissions ⇒ SecurityGroup::IpPermissionCollection

Returns a collection of IpPermission objects, one for each rule this security group currently authorizes. Enumerating it is the way to audit what a group actually allows, which is worth doing given how easily #authorize_ingress creates world-open rules.

Returns:

  • (SecurityGroup::IpPermissionCollection)


# File 'lib/aws/ec2/security_group.rb', line 70

def ip_permissions
  IpPermissionCollection.new(self, :config => config)
end
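Two things the prose above asks for but does not show: walking a group's permissions to find rules that expose non-public ports to the whole internet, and finding which other groups reference a group before calling #delete on it (otherwise the delete raises, as described under #delete). The following is an added example and not code from the aws-sdk gem. It works offline on plain hashes shaped like a DescribeSecurityGroups response (:ip_permissions entries with :ip_protocol, :from_port, :to_port, :ip_ranges holding :cidr_ip, and :user_id_group_pairs holding :group_id and :user_id); those field names are an assumption, not taken from this page, and the groups in SAMPLE_GROUPS are constructed for the example.

```ruby
require 'ipaddr'

# Constructed sample data (assumed field names, see lead-in): a web group that
# is correctly open on 80 but also, by mistake, on 22, and a database group
# that trusts the web group on 3306.
SAMPLE_GROUPS = [
  {
    :group_id => 'sg-web', :group_name => 'httpservers', :owner_id => '111111111111',
    :ip_permissions => [
      { :ip_protocol => 'tcp', :from_port => 80, :to_port => 80,
        :ip_ranges => [{ :cidr_ip => '0.0.0.0/0' }], :user_id_group_pairs => [] },
      { :ip_protocol => 'tcp', :from_port => 22, :to_port => 22,
        :ip_ranges => [{ :cidr_ip => '0.0.0.0/0' }], :user_id_group_pairs => [] },
    ],
  },
  {
    :group_id => 'sg-db', :group_name => 'dbservers', :owner_id => '111111111111',
    :ip_permissions => [
      { :ip_protocol => 'tcp', :from_port => 3306, :to_port => 3306,
        :ip_ranges => [],
        :user_id_group_pairs => [{ :group_id => 'sg-web', :user_id => '111111111111' }] },
    ],
  },
].freeze

# TCP ports on which a 0.0.0.0/0 source is acceptable (public web traffic).
PUBLIC_PORTS = [80, 443].freeze

# True for 0.0.0.0/0 and ::/0; unparseable strings are treated as not open.
def world_open?(cidr)
  IPAddr.new(cidr).prefix.zero?
rescue IPAddr::Error
  false
end

# Returns [group_id, protocol, from_port, to_port, cidr] for every rule that
# exposes something other than a single public TCP port to the whole internet.
def world_open_rules(groups, public_ports = PUBLIC_PORTS)
  groups.flat_map do |g|
    g[:ip_permissions].flat_map do |perm|
      single_public_port = perm[:ip_protocol] == 'tcp' &&
                           perm[:from_port] == perm[:to_port] &&
                           public_ports.include?(perm[:from_port])
      next [] if single_public_port

      perm[:ip_ranges]
        .select { |r| world_open?(r[:cidr_ip]) }
        .map { |r| [g[:group_id], perm[:ip_protocol], perm[:from_port], perm[:to_port], r[:cidr_ip]] }
    end
  end
end

# Returns [referencing_group_id, protocol, from_port, to_port] for every rule in
# another group that names target_id as a source. Each of these must be
# revoked (revoke_ingress with the same protocol, ports and group source)
# before target_id can be deleted.
def references_to(groups, target_id)
  groups.flat_map do |g|
    next [] if g[:group_id] == target_id

    g[:ip_permissions]
      .select { |perm| perm[:user_id_group_pairs].any? { |p| p[:group_id] == target_id } }
      .map { |perm| [g[:group_id], perm[:ip_protocol], perm[:from_port], perm[:to_port]] }
  end
end
```

With a live connection the same two functions can be fed the hashes from client.describe_security_groups, or rewritten against the IpPermission objects that #ip_permissions yields; the logic is the same either way. In the sample data, world_open_rules reports only the SSH rule on sg-web, and references_to shows that sg-db's 3306 rule must be revoked before sg-web can be deleted.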

#revoke_ingress(protocol, ports, *sources) ⇒ nil

Removes an ingress rule from a security group. Takes the same protocol, ports and sources as #authorize_ingress, and the values must match the rule that was authorized.

Parameters:

  • protocol, ports, sources

    see #authorize_ingress

Returns:

  • (nil)


# File 'lib/aws/ec2/security_group.rb', line 156

def revoke_ingress protocol, ports, *sources
  permissions = format_permission(protocol, ports, sources)
  client.revoke_security_group_ingress(
    :group_id => id,
    :ip_permissions => permissions)
  nil
end