#aws

astonishing-exabyte-93491

07/07/2023, 12:49 PM
Hello folks, at my company we usually spin up new VPC instances for testing purposes. Is there a way to override the default security group configuration for a new VPC using either the aws classic provider or aws-native? The VPC default security group is too permissive; I could of course manually modify the inbound and outbound rules, but is there a way to automate this process using pulumi resource providers?

salmon-account-74572

07/07/2023, 3:28 PM
Why not create a new security group and use that instead of the default?

astonishing-exabyte-93491

07/07/2023, 3:30 PM
yes, I should do that. My question is rather: can we attach a custom SG to the aws.ec2.Vpc instance?

salmon-account-74572

07/07/2023, 3:33 PM
I don’t know that you can replace the default SG when you create a VPC, but you can definitely create a new SG after you create a VPC.

astonishing-exabyte-93491

07/07/2023, 3:33 PM
I see.

salmon-account-74572

07/07/2023, 3:36 PM
Here’s an example in Go (the VpcId property takes the ID of a previously created (in the same program) VPC).
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/ec2"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Create the VPC whose ID the security group references below
		// (the CIDR block here is just an example value)
		vpc, err := ec2.NewVpc(ctx, "vpc", &ec2.VpcArgs{
			CidrBlock: pulumi.String("10.0.0.0/16"),
		})
		if err != nil {
			return err
		}

		// Create a security group in that VPC
		securityGroup, err := ec2.NewSecurityGroup(ctx, "security-group", &ec2.SecurityGroupArgs{
			Name:        pulumi.String("securityGroupName"),
			VpcId:       vpc.ID(),
			Description: pulumi.String("Allows SSH traffic to hosts"),
			Ingress: ec2.SecurityGroupIngressArray{
				ec2.SecurityGroupIngressArgs{
					Protocol:    pulumi.String("tcp"),
					ToPort:      pulumi.Int(22),
					FromPort:    pulumi.Int(22),
					Description: pulumi.String("Allow inbound SSH (TCP 22) from anywhere"),
					CidrBlocks:  pulumi.StringArray{pulumi.String("0.0.0.0/0")},
				},
				ec2.SecurityGroupIngressArgs{
					Protocol:    pulumi.String("udp"),
					ToPort:      pulumi.Int(51280),
					FromPort:    pulumi.Int(51280),
					Description: pulumi.String("Allow Wireguard VPN (UDP 51280) from anywhere"),
					CidrBlocks:  pulumi.StringArray{pulumi.String("0.0.0.0/0")},
				},
			},
			Egress: ec2.SecurityGroupEgressArray{
				ec2.SecurityGroupEgressArgs{
					Protocol:    pulumi.String("-1"),
					ToPort:      pulumi.Int(0),
					FromPort:    pulumi.Int(0),
					Description: pulumi.String("Allow all outbound traffic"),
					CidrBlocks:  pulumi.StringArray{pulumi.String("0.0.0.0/0")},
				},
			},
		})
		if err != nil {
			return err
		}

		// Export the new group's ID so other stacks or instances can attach it
		ctx.Export("securityGroupId", securityGroup.ID())
		return nil
	})
}