enough-leather-70274
04/07/2021, 3:03 AM
security_group_id. There's a method called getSecurityGroup(), but that doesn't actually seem to get a handle on the security group, but instead looks like a metadata object. I guess I really want the equivalent of the pulumi import command, but inline in my main script after creating the directory, so the script itself can amend the generated rules.
What's the best way to achieve this?

little-cartoon-10569
04/07/2021, 3:06 AM
import * as aws from "@pulumi/aws";

// `ad` is the directory resource created earlier in the program (assumed here
// to be an aws.directoryservice.Directory, whose securityGroupId output is the
// group the directory service created).
new aws.ec2.SecurityGroupRule("ForMyCIDR", {
    securityGroupId: ad.securityGroupId,
    // ...
});
(Forgive the typescript...)
enough-leather-70274
04/07/2021, 3:09 AM

little-cartoon-10569
04/07/2021, 3:12 AM

enough-leather-70274
04/07/2021, 3:14 AM

little-cartoon-10569
04/07/2021, 3:15 AM
getSecurityGroup() method you mentioned is a wrapper around the SDK function; it returns the "real" SDK security group, rather than Pulumi's nicely-OO one.
new SecurityGroup("x", { id: ad.securityGroupId }, {}) or SecurityGroup.get("x", ad.securityGroupId) to load the Pulumi view of the security group, with the latter being preferred. This gives you a read-only (sort-of) version, which is good enough for creating security group rules.
security_group_id seems to be allowed as an input value?
enough-leather-70274
04/07/2021, 3:23 AM

little-cartoon-10569
04/07/2021, 3:23 AM
pulumi import.

enough-leather-70274
04/07/2021, 3:24 AM

little-cartoon-10569
04/07/2021, 3:25 AM
get() static method.

enough-leather-70274
04/07/2021, 3:26 AM

little-cartoon-10569
04/07/2021, 3:27 AM

enough-leather-70274
04/07/2021, 3:27 AM

little-cartoon-10569
04/07/2021, 3:28 AM

enough-leather-70274
04/07/2021, 3:28 AM

little-cartoon-10569
04/07/2021, 3:29 AM

enough-leather-70274
04/07/2021, 3:29 AM

little-cartoon-10569
04/07/2021, 3:30 AM
pulumi state delete

enough-leather-70274
04/07/2021, 3:31 AM

little-cartoon-10569
04/07/2021, 3:46 AM
pulumi stack export after running it to see what objects are in it? If you're lucky, you might have an array in the ingress and egress properties, which you could empty, and create new SecurityGroupRule objects instead.

enough-leather-70274
04/07/2021, 3:47 AM

little-cartoon-10569
04/07/2021, 3:47 AM
Creates an AWS security group that establishes network rules for traffic in and out of your domain controllers. The default outbound rule permits all traffic ENIs or instances attached to the created AWS Security Group. The default inbound rules allow only traffic through ports that are required by Active Directory from any source (0.0.0.0/0). The 0.0.0.0/0 rules do not introduce security vulnerabilities as traffic to the domain controllers is limited to traffic from your VPC, from other peered VPCs, or from networks that you have connected using AWS Direct Connect, AWS Transit Gateway, or Virtual Private Network. For additional security, the ENIs that are created do not have Elastic IPs attached to them and you do not have permission to attach an Elastic IP to those ENIs. Therefore, the only inbound traffic that can communicate with your AWS Managed Microsoft AD is local VPC and VPC routed traffic. Use extreme caution if you attempt to change these rules as you may break your ability to communicate with your domain controllers.

enough-leather-70274
04/07/2021, 3:53 AM

little-cartoon-10569
04/07/2021, 3:57 AM