Class: AWS::EC2::SecurityGroup
Inherits: Resource (Object > Core::Resource > Resource > AWS::EC2::SecurityGroup)
Includes: TaggedItem
Defined in:
  lib/aws/ec2/security_group.rb
  lib/aws/ec2/security_group/ip_permission.rb
  lib/aws/ec2/security_group/egress_ip_permission_collection.rb
  lib/aws/ec2/security_group/ingress_ip_permission_collection.rb
Overview
Represents a security group in EC2.
Defined Under Namespace
Classes: EgressIpPermissionCollection, IngressIpPermissionCollection, IpPermission
Constant Summary
- IpPermissionCollection = IngressIpPermissionCollection (alias for ingress permissions)
Instance Attribute Summary
- #description ⇒ String (readonly): The short informal description given when the group was created.
- #id ⇒ String (readonly; also: #group_id): The ID of the security group.
- #name ⇒ String (readonly): The name of the security group.
- #owner_id ⇒ String (readonly): The security group owner's id.
- #vpc_id ⇒ String? (readonly): If this is a VPC security group, vpc_id is the ID of the VPC this group was created in.
Instance Method Summary
- #allow_ping(*sources) ⇒ nil: Adds ingress rules for ICMP pings.
- #authorize_egress(*sources, options = {}) ⇒ nil: Authorizes egress (outbound) traffic for a VPC security group.
- #authorize_ingress(protocol, ports, *sources) ⇒ nil: Adds ingress rules to this security group.
- #delete ⇒ nil: Deletes this security group.
- #describe_call_name ⇒ Object
- #disallow_ping(*sources) ⇒ nil: Removes ingress rules for ICMP pings.
- #egress_ip_permissions ⇒ SecurityGroup::EgressIpPermissionCollection: Returns a collection of IpPermission objects representing all of the egress permissions this security group has authorizations for.
- #exists? ⇒ Boolean: True if the security group exists.
- #ingress_ip_permissions ⇒ SecurityGroup::IngressIpPermissionCollection (also: #ip_permissions): Returns a collection of IpPermission objects representing all of the (ingress) permissions this security group has authorizations for.
- #initialize(id, options = {}) ⇒ SecurityGroup (constructor): A new instance of SecurityGroup.
- #revoke_egress(*sources) ⇒ nil: Revokes an egress (outbound) IP permission.
- #revoke_ingress(protocol, ports, *sources) ⇒ nil: Revokes an ingress (inbound) IP permission.
- #vpc? ⇒ Boolean: Returns true if this security group is a VPC security group and not an EC2 security group.
Methods included from TaggedItem
Constructor Details
#initialize(id, options = {}) ⇒ SecurityGroup
Returns a new instance of SecurityGroup.
  # File 'lib/aws/ec2/security_group.rb', line 41
  def initialize id, options = {}
    @id = id
    super
  end
Instance Attribute Details
#description ⇒ String (readonly)
The short informal description given when the group was created.
  # File 'lib/aws/ec2/security_group.rb', line 30
  def description
    @description
  end
#id ⇒ String (readonly) Also known as: group_id
Returns the ID of the security group.
  # File 'lib/aws/ec2/security_group.rb', line 47
  def id
    @id
  end
#name ⇒ String (readonly)
The name of the security group.
  # File 'lib/aws/ec2/security_group.rb', line 30
  def name
    @name
  end
#owner_id ⇒ String (readonly)
The security group owner's id.
  # File 'lib/aws/ec2/security_group.rb', line 30
  def owner_id
    @owner_id
  end
#vpc_id ⇒ String? (readonly)
If this is a VPC security group, vpc_id is the ID of the VPC this group was created in. Returns false otherwise.
  # File 'lib/aws/ec2/security_group.rb', line 30
  def vpc_id
    @vpc_id
  end
Instance Method Details
#allow_ping(*sources) ⇒ nil
Adds ingress rules for ICMP pings. Defaults to 0.0.0.0/0 for the list of allowed IP ranges the ping can come from.
  security_group.allow_ping # anyone can ping servers in this group
  # only allow ping from a particular address (a /32 prefix; a /0 prefix would match every address)
  security_group.allow_ping('123.123.123.123/32')
  # File 'lib/aws/ec2/security_group.rb', line 112
  def allow_ping *sources
    sources << '0.0.0.0/0' if sources.empty?
    authorize_ingress('icmp', -1, *sources)
  end
#authorize_egress(*sources, options = {}) ⇒ nil
Authorizes egress (outbound) traffic for a VPC security group. Calling this method on a non-VPC security group raises an error.
  # allow traffic for all protocols/ports to the given sources
  security_group.authorize_egress('10.0.0.0/16', '10.0.0.1/16')
  # allow tcp traffic outbound via port 80
  security_group.authorize_egress('10.0.0.0/16',
    :protocol => :tcp, :ports => 80..80)
  # File 'lib/aws/ec2/security_group.rb', line 277
  def authorize_egress *sources
    client.authorize_security_group_egress(
      :group_id => id,
      :ip_permissions => [egress_opts(sources)])
    nil
  end
#authorize_ingress(protocol, ports, *sources) ⇒ nil
Adds ingress rules to this security group. Ingress rules permit inbound traffic over a given protocol for a given port range from one or more source IP addresses.
This example grants the whole internet (0.0.0.0/0) access to port 80 over TCP (HTTP web traffic).
  security_group.authorize_ingress(:tcp, 80)
You can specify port ranges as well:
  # ftp
  security_group.authorize_ingress(:tcp, 20..21)
Sources
Security groups accept ingress traffic from:
- CIDR IP addresses
- security groups
- load balancers
IP Addresses
The following example allows incoming SSH from a list of IP address ranges (note the /32 prefixes: a /0 prefix would match every address, not the one listed).
  security_group.authorize_ingress(:tcp, 22,
    '111.111.111.111/32', '222.222.222.222/32')
Security Groups
To authorize ingress traffic from all EC2 instances in another security group, just pass the security group:
  web = security_groups.create('webservers')
  db = security_groups.create('database')
  db.authorize_ingress(:tcp, 3306, web)
You can also pass a hash of security group details instead of an AWS::EC2::SecurityGroup object.
  # by security group name
  sg.authorize_ingress(:tcp, 80, { :group_name => 'other-group' })
  # by security group id
  sg.authorize_ingress(:tcp, 80, { :group_id => 'sg-1234567' })
If the security group belongs to a different account, just make sure it has the correct owner ID populated:
  not_my_sg = SecurityGroup.new('sg-1234567', :owner_id => 'abcxyz123')
  my_sg.authorize_ingress(:tcp, 80, not_my_sg)
You can do the same with a hash as well (with either :group_id or :group_name):
  sg.authorize_ingress(:tcp, 21..22, { :group_id => 'sg-id', :user_id => 'abcxyz123' })
Load Balancers
If you use ELB to manage load balancers, then you need to add ingress permissions to the security groups they route traffic into. You can do this by passing the LoadBalancer into authorize_ingress:
  load_balancer = AWS::ELB.new.load_balancers['web-load-balancer']
  sg.authorize_ingress(:tcp, 80, load_balancer)
Multiple Sources
You can provide multiple sources each time you call authorize_ingress, and you can mix and match the source types:
  sg.authorize_ingress(:tcp, 80, other_sg, '1.2.3.4/32', load_balancer)
  # File 'lib/aws/ec2/security_group.rb', line 224
  def authorize_ingress protocol, ports, *sources
    client.authorize_security_group_ingress(
      :group_id => id,
      :ip_permissions => [ingress_opts(protocol, ports, sources)]
    )
    nil
  end
#delete ⇒ nil
Deletes this security group.
If you attempt to delete a security group that contains instances, or attempt to delete a security group that is referenced by another security group, an error is raised. For example, if security group B has a rule that allows access from security group A, security group A cannot be deleted until the rule is removed.
  # File 'lib/aws/ec2/security_group.rb', line 308
  def delete
    client.delete_security_group(:group_id => id)
    nil
  end
#describe_call_name ⇒ Object
  # File 'lib/aws/ec2/security_group.rb', line 327
  def describe_call_name; self.class.describe_call_name; end
#disallow_ping(*sources) ⇒ nil
Removes ingress rules for ICMP pings. Defaults to 0.0.0.0/0 for the list of IP ranges to revoke.
  # File 'lib/aws/ec2/security_group.rb', line 125
  def disallow_ping *sources
    sources << '0.0.0.0/0' if sources.empty?
    revoke_ingress('icmp', -1, *sources)
  end
#egress_ip_permissions ⇒ SecurityGroup::EgressIpPermissionCollection
Returns a collection of IpPermission objects representing all of the egress permissions this security group has authorizations for.
  # File 'lib/aws/ec2/security_group.rb', line 95
  def egress_ip_permissions
    EgressIpPermissionCollection.new(self, :config => config)
  end
#exists? ⇒ Boolean
Returns true if the security group exists.
  # File 'lib/aws/ec2/security_group.rb', line 68
  def exists?
    client.describe_security_groups(:filters => [
      { :name => "group-id", :values => [id] }
    ]).security_group_index.key?(id)
  end
#ingress_ip_permissions ⇒ SecurityGroup::IngressIpPermissionCollection Also known as: ip_permissions
Returns a collection of IpPermission objects representing all of the (ingress) permissions this security group has authorizations for.
  # File 'lib/aws/ec2/security_group.rb', line 87
  def ingress_ip_permissions
    IngressIpPermissionCollection.new(self, :config => config)
  end
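The ingress collection above is the natural input for a least-privilege review of a group: flag rules that #authorize_ingress has opened to the whole internet on sensitive ports, and produce the matching #revoke_ingress arguments. This is an added example, not code from the aws-sdk gem; it assumes that IpPermission objects respond to #protocol, #port_range and #ip_ranges (assumed attribute names), so a constructed Struct stands in for them and the audit runs offline.

```ruby
require 'ipaddr'

# Ports whose exposure to 0.0.0.0/0 is worth a finding (constructed sample list).
SENSITIVE_PORTS = { 22 => 'ssh', 3306 => 'mysql', 3389 => 'rdp' }.freeze

# Stand-in for SecurityGroup::IpPermission (assumed attribute names, offline only).
FakePermission = Struct.new(:protocol, :port_range, :ip_ranges)

# A CIDR is world-open when its prefix length is 0. A host address with a /0
# mask ('203.0.113.7/0') is equivalent to 0.0.0.0/0, not to a single host.
def world_open?(cidr)
  IPAddr.new(cidr).prefix.zero?
rescue IPAddr::Error
  false
end

# Findings for one permission, given the subset of its CIDRs that are world-open.
def findings_for(perm, open_cidrs)
  return [] if open_cidrs.empty?
  proto = perm.protocol.to_s
  where = open_cidrs.join(', ')
  # icmp or "all protocols" (-1) rules open to the world are always reported
  return ["#{proto} open to #{where}"] if %w[icmp -1].include?(proto)
  SENSITIVE_PORTS.select { |port, _| perm.port_range.cover?(port) }.map do |port, name|
    "#{name} (#{port}) open to #{where} via #{proto}"
  end
end

# Audit every ingress permission (e.g. sg.ingress_ip_permissions.to_a).
def audit_ingress(permissions)
  permissions.flat_map { |p| findings_for(p, p.ip_ranges.select { |c| world_open?(c) }) }
end

# Argument lists for SecurityGroup#revoke_ingress that would close each flagged
# rule; apply with sg.revoke_ingress(*args) against the live group.
def remediation_args(permissions)
  permissions.map { |p| [p, p.ip_ranges.select { |c| world_open?(c) }] }
             .reject { |p, open| findings_for(p, open).empty? }
             .map { |p, open| [p.protocol, p.port_range, *open] }
end
```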
#revoke_egress(*sources) ⇒ nil
Revokes an egress (outbound) IP permission. This is the inverse operation to #authorize_egress. See #authorize_egress for param and option documentation.
  # File 'lib/aws/ec2/security_group.rb', line 292
  def revoke_egress *sources
    client.revoke_security_group_egress(
      :group_id => id,
      :ip_permissions => [egress_opts(sources)])
    nil
  end
#revoke_ingress(protocol, ports, *sources) ⇒ nil
Revokes an ingress (inbound) IP permission. This is the inverse operation to #authorize_ingress. See #authorize_ingress for param and option documentation.
  # File 'lib/aws/ec2/security_group.rb', line 240
  def revoke_ingress protocol, ports, *sources
    client.revoke_security_group_ingress(
      :group_id => id,
      :ip_permissions => [ingress_opts(protocol, ports, sources)]
    )
    nil
  end
#vpc? ⇒ Boolean
Returns true if this security group is a VPC security group and not an EC2 security group. VPC security groups belong to a VPC subnet and can have egress rules.
  # File 'lib/aws/ec2/security_group.rb', line 79
  def vpc?
    vpc_id ? true : false
  end