alicloud.ecs.getSecurityGroupRules

Alibaba Cloud v3.103.0, May 22 26

Viewing docs for Alibaba Cloud v3.103.0
published on Friday, May 22, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-alicloud

Viewing docs for Alibaba Cloud v3.103.0
published on Friday, May 22, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-alicloud

The alicloud.ecs.getSecurityGroupRules data source provides a collection of security permissions of a specific security group. Each collection item represents a single ingress or egress permission rule. The ID of the security group can be provided via a variable or the result from the other data source alicloud.ecs.getSecurityGroups.

Example Usage

The following example shows how to obtain details about a security group rule and how to pass its data to an instance at launch time.

import * as pulumi from "@pulumi/pulumi";
import * as alicloud from "@pulumi/alicloud";

const config = new pulumi.Config();
const securityGroupId = config.requireObject<any>("securityGroupId");
// Or get it from the alicloud_security_groups data source.
// Please note that the data source arguments must be enough to filter results to one security group.
const groupsDs = alicloud.ecs.getSecurityGroups({
    nameRegex: "api",
});
// Filter the security group rule by group
const ingressRulesDs = groupsDs.then(groupsDs => alicloud.ecs.getSecurityGroupRules({
    groupId: groupsDs.groups?.[0]?.id,
    nicType: "internet",
    direction: "ingress",
    ipProtocol: "tcp",
}));
// Pass port_range to the backend service
const backend = new alicloud.ecs.Instance("backend", {userData: ingressRulesDs.then(ingressRulesDs => `config_service.sh --portrange=${ingressRulesDs.rules?.[0]?.portRange}`)});

import pulumi
import pulumi_alicloud as alicloud

config = pulumi.Config()
security_group_id = config.require_object("securityGroupId")
# Or get it from the alicloud_security_groups data source.
# Please note that the data source arguments must be enough to filter results to one security group.
groups_ds = alicloud.ecs.get_security_groups(name_regex="api")
# Filter the security group rule by group
ingress_rules_ds = alicloud.ecs.get_security_group_rules(group_id=groups_ds.groups[0].id,
    nic_type="internet",
    direction="ingress",
    ip_protocol="tcp")
# Pass port_range to the backend service
backend = alicloud.ecs.Instance("backend", user_data=f"config_service.sh --portrange={ingress_rules_ds.rules[0].port_range}")

package main

import (
	"github.com/pulumi/pulumi-alicloud/sdk/v3/go/alicloud/ecs"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		cfg := config.New(ctx, "")
		var securityGroupId interface{}
		cfg.RequireObject("securityGroupId", &securityGroupId)
		// Or get it from the alicloud_security_groups data source.
		// Please note that the data source arguments must be enough to filter results to one security group.
		groupsDs, err := ecs.GetSecurityGroups(ctx, &ecs.GetSecurityGroupsArgs{
			NameRegex: pulumi.StringRef("api"),
		}, nil)
		if err != nil {
			return err
		}
		// Filter the security group rule by group
		ingressRulesDs, err := ecs.GetSecurityGroupRules(ctx, &ecs.GetSecurityGroupRulesArgs{
			GroupId:    groupsDs.Groups[0].Id,
			NicType:    pulumi.StringRef("internet"),
			Direction:  pulumi.StringRef("ingress"),
			IpProtocol: pulumi.StringRef("tcp"),
		}, nil)
		if err != nil {
			return err
		}
		// Pass port_range to the backend service
		_, err = ecs.NewInstance(ctx, "backend", &ecs.InstanceArgs{
			UserData: pulumi.Sprintf("config_service.sh --portrange=%v", ingressRulesDs.Rules[0].PortRange),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AliCloud = Pulumi.AliCloud;

return await Deployment.RunAsync(() => 
{
    var config = new Config();
    var securityGroupId = config.RequireObject<dynamic>("securityGroupId");
    // Or get it from the alicloud_security_groups data source.
    // Please note that the data source arguments must be enough to filter results to one security group.
    var groupsDs = AliCloud.Ecs.GetSecurityGroups.Invoke(new()
    {
        NameRegex = "api",
    });

    // Filter the security group rule by group
    var ingressRulesDs = AliCloud.Ecs.GetSecurityGroupRules.Invoke(new()
    {
        GroupId = groupsDs.Apply(getSecurityGroupsResult => getSecurityGroupsResult.Groups[0]?.Id),
        NicType = "internet",
        Direction = "ingress",
        IpProtocol = "tcp",
    });

    // Pass port_range to the backend service
    var backend = new AliCloud.Ecs.Instance("backend", new()
    {
        UserData = $"config_service.sh --portrange={ingressRulesDs.Apply(getSecurityGroupRulesResult => getSecurityGroupRulesResult.Rules[0]?.PortRange)}",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.alicloud.ecs.EcsFunctions;
import com.pulumi.alicloud.ecs.inputs.GetSecurityGroupsArgs;
import com.pulumi.alicloud.ecs.inputs.GetSecurityGroupRulesArgs;
import com.pulumi.alicloud.ecs.Instance;
import com.pulumi.alicloud.ecs.InstanceArgs;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var config = ctx.config();
        final var securityGroupId = config.require("securityGroupId");
        // Or get it from the alicloud_security_groups data source.
        // Please note that the data source arguments must be enough to filter results to one security group.
        final var groupsDs = EcsFunctions.getSecurityGroups(GetSecurityGroupsArgs.builder()
            .nameRegex("api")
            .build());

        // Filter the security group rule by group
        final var ingressRulesDs = EcsFunctions.getSecurityGroupRules(GetSecurityGroupRulesArgs.builder()
            .groupId(groupsDs.groups()[0].id())
            .nicType("internet")
            .direction("ingress")
            .ipProtocol("tcp")
            .build());

        // Pass port_range to the backend service
        var backend = new Instance("backend", InstanceArgs.builder()
            .userData(String.format("config_service.sh --portrange=%s", ingressRulesDs.rules()[0].portRange()))
            .build());

    }
}

configuration:
  # Get the security group id from a variable
  securityGroupId:
    type: object
resources:
  # Pass port_range to the backend service
  backend:
    type: alicloud:ecs:Instance
    properties:
      userData: config_service.sh --portrange=${ingressRulesDs.rules[0].portRange}
variables:
  # Or get it from the alicloud_security_groups data source.
  # Please note that the data source arguments must be enough to filter results to one security group.
  groupsDs:
    fn::invoke:
      function: alicloud:ecs:getSecurityGroups
      arguments:
        nameRegex: api
  # Filter the security group rule by group
  ingressRulesDs:
    fn::invoke:
      function: alicloud:ecs:getSecurityGroupRules
      arguments:
        groupId: ${groupsDs.groups[0].id}
        nicType: internet
        direction: ingress
        ipProtocol: tcp

pulumi {
  required_providers {
    alicloud = {
      source = "pulumi/alicloud"
    }
  }
}

data "alicloud_ecs_getsecuritygroups" "groupsDs" {
  name_regex = "api"
}
data "alicloud_ecs_getsecuritygrouprules" "ingressRulesDs" {
  group_id    = data.alicloud_ecs_getsecuritygroups.groupsDs.groups[0].id
  nic_type    = "internet"
  direction   = "ingress"
  ip_protocol = "tcp"
}

# or ${var.security_group_id}
# Pass port_range to the backend service
resource "alicloud_ecs_instance" "backend" {
  user_data ="config_service.sh --portrange=${data.alicloud_ecs_getsecuritygrouprules.ingressRulesDs.rules[0].port_range}"
}
# Get the security group id from a variable
variable "securityGroupId" {
}
# Or get it from the alicloud_security_groups data source.
# Please note that the data source arguments must be enough to filter results to one security group.
# Filter the security group rule by group

Using getSecurityGroupRules

Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

function getSecurityGroupRules(args: GetSecurityGroupRulesArgs, opts?: InvokeOptions): Promise<GetSecurityGroupRulesResult>
function getSecurityGroupRulesOutput(args: GetSecurityGroupRulesOutputArgs, opts?: InvokeOptions): Output<GetSecurityGroupRulesResult>

def get_security_group_rules(direction: Optional[str] = None,
                             group_id: Optional[str] = None,
                             ip_protocol: Optional[str] = None,
                             nic_type: Optional[str] = None,
                             output_file: Optional[str] = None,
                             policy: Optional[str] = None,
                             opts: Optional[InvokeOptions] = None) -> GetSecurityGroupRulesResult
def get_security_group_rules_output(direction: pulumi.Input[Optional[str]] = None,
                             group_id: pulumi.Input[Optional[str]] = None,
                             ip_protocol: pulumi.Input[Optional[str]] = None,
                             nic_type: pulumi.Input[Optional[str]] = None,
                             output_file: pulumi.Input[Optional[str]] = None,
                             policy: pulumi.Input[Optional[str]] = None,
                             opts: Optional[InvokeOptions] = None) -> Output[GetSecurityGroupRulesResult]

func GetSecurityGroupRules(ctx *Context, args *GetSecurityGroupRulesArgs, opts ...InvokeOption) (*GetSecurityGroupRulesResult, error)
func GetSecurityGroupRulesOutput(ctx *Context, args *GetSecurityGroupRulesOutputArgs, opts ...InvokeOption) GetSecurityGroupRulesResultOutput

> Note: This function is named GetSecurityGroupRules in the Go SDK.

public static class GetSecurityGroupRules 
{
    public static Task<GetSecurityGroupRulesResult> InvokeAsync(GetSecurityGroupRulesArgs args, InvokeOptions? opts = null)
    public static Output<GetSecurityGroupRulesResult> Invoke(GetSecurityGroupRulesInvokeArgs args, InvokeOptions? opts = null)
}

public static CompletableFuture<GetSecurityGroupRulesResult> getSecurityGroupRules(GetSecurityGroupRulesArgs args, InvokeOptions options)
public static Output<GetSecurityGroupRulesResult> getSecurityGroupRules(GetSecurityGroupRulesArgs args, InvokeOptions options)

fn::invoke:
  function: alicloud:ecs/getSecurityGroupRules:getSecurityGroupRules
  arguments:
    # arguments dictionary

data "alicloud_ecs_getsecuritygrouprules" "name" {
    # arguments
}

The following arguments are supported:

GroupId string: The ID of the security group that owns the rules.
Direction string: Authorization direction. Valid values are: ingress or egress.
IpProtocol string: The IP protocol. Valid values are: tcp, udp, icmp, gre and all.
NicType string: Refers to the network type. Can be either internet or intranet. The default value is internet.
OutputFile string: File name where to save data source results (after running pulumi preview).
Policy string: Authorization policy. Can be either accept or drop. The default value is accept.

GroupId string: The ID of the security group that owns the rules.
Direction string: Authorization direction. Valid values are: ingress or egress.
IpProtocol string: The IP protocol. Valid values are: tcp, udp, icmp, gre and all.
NicType string: Refers to the network type. Can be either internet or intranet. The default value is internet.
OutputFile string: File name where to save data source results (after running pulumi preview).
Policy string: Authorization policy. Can be either accept or drop. The default value is accept.

group_id string: The ID of the security group that owns the rules.
direction string: Authorization direction. Valid values are: ingress or egress.
ip_protocol string: The IP protocol. Valid values are: tcp, udp, icmp, gre and all.
nic_type string: Refers to the network type. Can be either internet or intranet. The default value is internet.
output_file string: File name where to save data source results (after running pulumi preview).
policy string: Authorization policy. Can be either accept or drop. The default value is accept.

groupId String: The ID of the security group that owns the rules.
direction String: Authorization direction. Valid values are: ingress or egress.
ipProtocol String: The IP protocol. Valid values are: tcp, udp, icmp, gre and all.
nicType String: Refers to the network type. Can be either internet or intranet. The default value is internet.
outputFile String: File name where to save data source results (after running pulumi preview).
policy String: Authorization policy. Can be either accept or drop. The default value is accept.

groupId string: The ID of the security group that owns the rules.
direction string: Authorization direction. Valid values are: ingress or egress.
ipProtocol string: The IP protocol. Valid values are: tcp, udp, icmp, gre and all.
nicType string: Refers to the network type. Can be either internet or intranet. The default value is internet.
outputFile string: File name where to save data source results (after running pulumi preview).
policy string: Authorization policy. Can be either accept or drop. The default value is accept.

group_id str: The ID of the security group that owns the rules.
direction str: Authorization direction. Valid values are: ingress or egress.
ip_protocol str: The IP protocol. Valid values are: tcp, udp, icmp, gre and all.
nic_type str: Refers to the network type. Can be either internet or intranet. The default value is internet.
output_file str: File name where to save data source results (after running pulumi preview).
policy str: Authorization policy. Can be either accept or drop. The default value is accept.

groupId String: The ID of the security group that owns the rules.
direction String: Authorization direction. Valid values are: ingress or egress.
ipProtocol String: The IP protocol. Valid values are: tcp, udp, icmp, gre and all.
nicType String: Refers to the network type. Can be either internet or intranet. The default value is internet.
outputFile String: File name where to save data source results (after running pulumi preview).
policy String: Authorization policy. Can be either accept or drop. The default value is accept.

getSecurityGroupRules Result

The following output properties are available:

GroupDesc string: The description of the security group that owns the rules.
GroupId string
GroupName string: The name of the security group that owns the rules.
Id string: The provider-assigned unique ID for this managed resource.
Rules List<Pulumi.AliCloud.Ecs.Outputs.GetSecurityGroupRulesRule>: A list of security group rules. Each element contains the following attributes:
Direction string: Authorization direction, ingress or egress.
IpProtocol string: The protocol. Can be tcp, udp, icmp, gre or all.
NicType string: Network type, internet or intranet.
OutputFile string
Policy string: Authorization policy. Can be either accept or drop.

GroupDesc string: The description of the security group that owns the rules.
GroupId string
GroupName string: The name of the security group that owns the rules.
Id string: The provider-assigned unique ID for this managed resource.
Rules []GetSecurityGroupRulesRule: A list of security group rules. Each element contains the following attributes:
Direction string: Authorization direction, ingress or egress.
IpProtocol string: The protocol. Can be tcp, udp, icmp, gre or all.
NicType string: Network type, internet or intranet.
OutputFile string
Policy string: Authorization policy. Can be either accept or drop.

group_desc string: The description of the security group that owns the rules.
group_id string
group_name string: The name of the security group that owns the rules.
id string: The provider-assigned unique ID for this managed resource.
rules list(object): A list of security group rules. Each element contains the following attributes:
direction string: Authorization direction, ingress or egress.
ip_protocol string: The protocol. Can be tcp, udp, icmp, gre or all.
nic_type string: Network type, internet or intranet.
output_file string
policy string: Authorization policy. Can be either accept or drop.

groupDesc String: The description of the security group that owns the rules.
groupId String
groupName String: The name of the security group that owns the rules.
id String: The provider-assigned unique ID for this managed resource.
rules List<GetSecurityGroupRulesRule>: A list of security group rules. Each element contains the following attributes:
direction String: Authorization direction, ingress or egress.
ipProtocol String: The protocol. Can be tcp, udp, icmp, gre or all.
nicType String: Network type, internet or intranet.
outputFile String
policy String: Authorization policy. Can be either accept or drop.

groupDesc string: The description of the security group that owns the rules.
groupId string
groupName string: The name of the security group that owns the rules.
id string: The provider-assigned unique ID for this managed resource.
rules GetSecurityGroupRulesRule[]: A list of security group rules. Each element contains the following attributes:
direction string: Authorization direction, ingress or egress.
ipProtocol string: The protocol. Can be tcp, udp, icmp, gre or all.
nicType string: Network type, internet or intranet.
outputFile string
policy string: Authorization policy. Can be either accept or drop.

group_desc str: The description of the security group that owns the rules.
group_id str
group_name str: The name of the security group that owns the rules.
id str: The provider-assigned unique ID for this managed resource.
rules Sequence[GetSecurityGroupRulesRule]: A list of security group rules. Each element contains the following attributes:
direction str: Authorization direction, ingress or egress.
ip_protocol str: The protocol. Can be tcp, udp, icmp, gre or all.
nic_type str: Network type, internet or intranet.
output_file str
policy str: Authorization policy. Can be either accept or drop.

groupDesc String: The description of the security group that owns the rules.
groupId String
groupName String: The name of the security group that owns the rules.
id String: The provider-assigned unique ID for this managed resource.
rules List<Property Map>: A list of security group rules. Each element contains the following attributes:
direction String: Authorization direction, ingress or egress.
ipProtocol String: The protocol. Can be tcp, udp, icmp, gre or all.
nicType String: Network type, internet or intranet.
outputFile String
policy String: Authorization policy. Can be either accept or drop.

Supporting Types

GetSecurityGroupRulesRule

Description string: The description of the rule.
DestCidrIp string: Target IP address segment for egress authorization.
DestGroupId string: Target security group id for ingress authorization.
DestGroupOwnerAccount string: Alibaba Cloud account of the target security group.
Direction string: Authorization direction. Valid values are: ingress or egress.
IpProtocol string: The IP protocol. Valid values are: tcp, udp, icmp, gre and all.
NicType string: Refers to the network type. Can be either internet or intranet. The default value is internet.
Policy string: Authorization policy. Can be either accept or drop. The default value is accept.
PortRange string: The range of port numbers.
Priority int: Rule priority.
SourceCidrIp string: Source IP address segment for ingress authorization.
SourceGroupId string: Source security group ID for ingress authorization.
SourceGroupOwnerAccount string: Alibaba Cloud account of the source security group.

Description string: The description of the rule.
DestCidrIp string: Target IP address segment for egress authorization.
DestGroupId string: Target security group id for ingress authorization.
DestGroupOwnerAccount string: Alibaba Cloud account of the target security group.
Direction string: Authorization direction. Valid values are: ingress or egress.
IpProtocol string: The IP protocol. Valid values are: tcp, udp, icmp, gre and all.
NicType string: Refers to the network type. Can be either internet or intranet. The default value is internet.
Policy string: Authorization policy. Can be either accept or drop. The default value is accept.
PortRange string: The range of port numbers.
Priority int: Rule priority.
SourceCidrIp string: Source IP address segment for ingress authorization.
SourceGroupId string: Source security group ID for ingress authorization.
SourceGroupOwnerAccount string: Alibaba Cloud account of the source security group.

description string: The description of the rule.
dest_cidr_ip string: Target IP address segment for egress authorization.
dest_group_id string: Target security group id for ingress authorization.
dest_group_owner_account string: Alibaba Cloud account of the target security group.
direction string: Authorization direction. Valid values are: ingress or egress.
ip_protocol string: The IP protocol. Valid values are: tcp, udp, icmp, gre and all.
nic_type string: Refers to the network type. Can be either internet or intranet. The default value is internet.
policy string: Authorization policy. Can be either accept or drop. The default value is accept.
port_range string: The range of port numbers.
priority number: Rule priority.
source_cidr_ip string: Source IP address segment for ingress authorization.
source_group_id string: Source security group ID for ingress authorization.
source_group_owner_account string: Alibaba Cloud account of the source security group.

description String: The description of the rule.
destCidrIp String: Target IP address segment for egress authorization.
destGroupId String: Target security group id for ingress authorization.
destGroupOwnerAccount String: Alibaba Cloud account of the target security group.
direction String: Authorization direction. Valid values are: ingress or egress.
ipProtocol String: The IP protocol. Valid values are: tcp, udp, icmp, gre and all.
nicType String: Refers to the network type. Can be either internet or intranet. The default value is internet.
policy String: Authorization policy. Can be either accept or drop. The default value is accept.
portRange String: The range of port numbers.
priority Integer: Rule priority.
sourceCidrIp String: Source IP address segment for ingress authorization.
sourceGroupId String: Source security group ID for ingress authorization.
sourceGroupOwnerAccount String: Alibaba Cloud account of the source security group.

description string: The description of the rule.
destCidrIp string: Target IP address segment for egress authorization.
destGroupId string: Target security group id for ingress authorization.
destGroupOwnerAccount string: Alibaba Cloud account of the target security group.
direction string: Authorization direction. Valid values are: ingress or egress.
ipProtocol string: The IP protocol. Valid values are: tcp, udp, icmp, gre and all.
nicType string: Refers to the network type. Can be either internet or intranet. The default value is internet.
policy string: Authorization policy. Can be either accept or drop. The default value is accept.
portRange string: The range of port numbers.
priority number: Rule priority.
sourceCidrIp string: Source IP address segment for ingress authorization.
sourceGroupId string: Source security group ID for ingress authorization.
sourceGroupOwnerAccount string: Alibaba Cloud account of the source security group.

description str: The description of the rule.
dest_cidr_ip str: Target IP address segment for egress authorization.
dest_group_id str: Target security group id for ingress authorization.
dest_group_owner_account str: Alibaba Cloud account of the target security group.
direction str: Authorization direction. Valid values are: ingress or egress.
ip_protocol str: The IP protocol. Valid values are: tcp, udp, icmp, gre and all.
nic_type str: Refers to the network type. Can be either internet or intranet. The default value is internet.
policy str: Authorization policy. Can be either accept or drop. The default value is accept.
port_range str: The range of port numbers.
priority int: Rule priority.
source_cidr_ip str: Source IP address segment for ingress authorization.
source_group_id str: Source security group ID for ingress authorization.
source_group_owner_account str: Alibaba Cloud account of the source security group.

description String: The description of the rule.
destCidrIp String: Target IP address segment for egress authorization.
destGroupId String: Target security group id for ingress authorization.
destGroupOwnerAccount String: Alibaba Cloud account of the target security group.
direction String: Authorization direction. Valid values are: ingress or egress.
ipProtocol String: The IP protocol. Valid values are: tcp, udp, icmp, gre and all.
nicType String: Refers to the network type. Can be either internet or intranet. The default value is internet.
policy String: Authorization policy. Can be either accept or drop. The default value is accept.
portRange String: The range of port numbers.
priority Number: Rule priority.
sourceCidrIp String: Source IP address segment for ingress authorization.
sourceGroupId String: Source security group ID for ingress authorization.
sourceGroupOwnerAccount String: Alibaba Cloud account of the source security group.

Package Details

Repository: Alibaba Cloud pulumi/pulumi-alicloud
License: Apache-2.0
Notes: This Pulumi package is based on the alicloud Terraform Provider.

Viewing docs for Alibaba Cloud v3.103.0
published on Friday, May 22, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-alicloud

alicloud.ecs.getSecurityGroupRules

On this page

On this page

Example Usage

Using getSecurityGroupRules

getSecurityGroupRules Result

Supporting Types

GetSecurityGroupRulesRule

Package Details

On this page

On this page

Try Pulumi Cloud free.
Your team will thank you.

alicloud.ecs.getSecurityGroupRules

On this page

On this page

Example Usage

Using getSecurityGroupRules

getSecurityGroupRules Result

Supporting Types

GetSecurityGroupRulesRule

Package Details

On this page

On this page

Try Pulumi Cloud free.Your team will thank you.

Try Pulumi Cloud free.
Your team will thank you.