d/aws_vpc_security_group_rule: New resource.

Acceptance test output:

% make testacc TESTARGS='-run=TestAccVPCSecurityGroupRuleDataSource_' PKG=ec2 ACCTEST_PARALLELISM=3
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/ec2/... -v -count 1 -parallel 3  -run=TestAccVPCSecurityGroupRuleDataSource_ -timeout 180m
=== RUN   TestAccVPCSecurityGroupRuleDataSource_basic
=== PAUSE TestAccVPCSecurityGroupRuleDataSource_basic
=== RUN   TestAccVPCSecurityGroupRuleDataSource_filter
=== PAUSE TestAccVPCSecurityGroupRuleDataSource_filter
=== CONT  TestAccVPCSecurityGroupRuleDataSource_basic
=== CONT  TestAccVPCSecurityGroupRuleDataSource_filter
--- PASS: TestAccVPCSecurityGroupRuleDataSource_basic (23.71s)
--- PASS: TestAccVPCSecurityGroupRuleDataSource_filter (23.93s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/ec2	29.347s

Author: ewbankkit

.changelog/29484.txt

@@ -9,3 +9,7 @@ aws_vpc_security_group_egress_rule
 ```release-note:new-data-source
 aws_vpc_security_group_rules
 ```
+
+```release-note:new-data-source
+aws_vpc_security_group_rule
+```

internal/service/ec2/vpc_security_group_rule_data_source.go

@@ -0,0 +1,173 @@
+package ec2
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/arn"
+	"github.com/aws/aws-sdk-go/service/ec2"
+	"github.com/hashicorp/terraform-plugin-framework/datasource"
+	"github.com/hashicorp/terraform-plugin-framework/datasource/schema"
+	"github.com/hashicorp/terraform-plugin-framework/types"
+	"github.com/hashicorp/terraform-provider-aws/internal/flex"
+	"github.com/hashicorp/terraform-provider-aws/internal/framework"
+	tftags "github.com/hashicorp/terraform-provider-aws/internal/tags"
+	"github.com/hashicorp/terraform-provider-aws/internal/tfresource"
+)
+
+func init() {
+	_sp.registerFrameworkDataSourceFactory(newDataSourceSecurityGroupRule)
+}
+
+func newDataSourceSecurityGroupRule(context.Context) (datasource.DataSourceWithConfigure, error) {
+	return &dataSourceSecurityGroupRule{}, nil
+}
+
+type dataSourceSecurityGroupRule struct {
+	framework.DataSourceWithConfigure
+}
+
+func (d *dataSourceSecurityGroupRule) Metadata(_ context.Context, request datasource.MetadataRequest, response *datasource.MetadataResponse) {
+	response.TypeName = "aws_vpc_security_group_rule"
+}
+
+func (d *dataSourceSecurityGroupRule) Schema(ctx context.Context, req datasource.SchemaRequest, resp *datasource.SchemaResponse) {
+	resp.Schema = schema.Schema{
+		Attributes: map[string]schema.Attribute{
+			"arn": schema.StringAttribute{
+				Computed: true,
+			},
+			"cidr_ipv4": schema.StringAttribute{
+				Computed: true,
+			},
+			"cidr_ipv6": schema.StringAttribute{
+				Computed: true,
+			},
+			"description": schema.StringAttribute{
+				Computed: true,
+			},
+			"from_port": schema.Int64Attribute{
+				Computed: true,
+			},
+			"id": framework.IDAttribute(),
+			"ip_protocol": schema.StringAttribute{
+				Computed: true,
+			},
+			"is_egress": schema.BoolAttribute{
+				Computed: true,
+			},
+			"prefix_list_id": schema.StringAttribute{
+				Computed: true,
+			},
+			"referenced_security_group_id": schema.StringAttribute{
+				Computed: true,
+			},
+			"security_group_id": schema.StringAttribute{
+				Computed: true,
+			},
+			"security_group_rule_id": schema.StringAttribute{
+				Optional: true,
+				Computed: true,
+			},
+			"tags": tftags.TagsAttributeComputedOnly(),
+			"to_port": schema.Int64Attribute{
+				Computed: true,
+			},
+		},
+		Blocks: map[string]schema.Block{
+			"filter": CustomFiltersBlock(),
+		},
+	}
+}
+
+func (d *dataSourceSecurityGroupRule) Read(ctx context.Context, request datasource.ReadRequest, response *datasource.ReadResponse) {
+	var data dataSourceSecurityGroupRuleData
+
+	response.Diagnostics.Append(request.Config.Get(ctx, &data)...)
+
+	if response.Diagnostics.HasError() {
+		return
+	}
+
+	conn := d.Meta().EC2Conn()
+	ignoreTagsConfig := d.Meta().IgnoreTagsConfig
+
+	input := &ec2.DescribeSecurityGroupRulesInput{
+		Filters: BuildCustomFilters(ctx, data.Filters),
+	}
+
+	if !data.SecurityGroupRuleID.IsNull() {
+		input.SecurityGroupRuleIds = []*string{flex.StringFromFramework(ctx, data.SecurityGroupRuleID)}
+	}
+
+	output, err := FindSecurityGroupRule(ctx, conn, input)
+
+	if err != nil {
+		response.Diagnostics.AddError("reading Security Group Rules", tfresource.SingularDataSourceFindError("Security Group Rule", err).Error())
+
+		return
+	}
+
+	data.ID = flex.StringToFramework(ctx, output.SecurityGroupRuleId)
+	data.ARN = d.arn(ctx, data.ID.ValueString())
+	data.CIDRIPv4 = flex.StringToFramework(ctx, output.CidrIpv4)
+	data.CIDRIPv6 = flex.StringToFramework(ctx, output.CidrIpv6)
+	data.Description = flex.StringToFramework(ctx, output.Description)
+	data.FromPort = flex.Int64ToFramework(ctx, output.FromPort)
+	data.IPProtocol = flex.StringToFramework(ctx, output.IpProtocol)
+	data.IsEgress = flex.BoolToFramework(ctx, output.IsEgress)
+	data.PrefixListID = flex.StringToFramework(ctx, output.PrefixListId)
+	data.ReferencedSecurityGroupID = d.flattenReferencedSecurityGroup(ctx, output.ReferencedGroupInfo)
+	data.SecurityGroupID = flex.StringToFramework(ctx, output.GroupId)
+	data.SecurityGroupRuleID = flex.StringToFramework(ctx, output.SecurityGroupRuleId)
+	data.Tags = flex.FlattenFrameworkStringValueMapLegacy(ctx, KeyValueTags(output.Tags).IgnoreAWS().IgnoreConfig(ignoreTagsConfig).Map())
+	data.ToPort = flex.Int64ToFramework(ctx, output.ToPort)
+
+	response.Diagnostics.Append(response.State.Set(ctx, &data)...)
+}
+
+func (d *dataSourceSecurityGroupRule) arn(_ context.Context, id string) types.String {
+	// TODO Consider reusing resourceSecurityGroupRule.arn().
+	arn := arn.ARN{
+		Partition: d.Meta().Partition,
+		Service:   ec2.ServiceName,
+		Region:    d.Meta().Region,
+		AccountID: d.Meta().AccountID,
+		Resource:  fmt.Sprintf("security-group-rule/%s", id),
+	}.String()
+	return types.StringValue(arn)
+}
+
+func (d *dataSourceSecurityGroupRule) flattenReferencedSecurityGroup(ctx context.Context, apiObject *ec2.ReferencedSecurityGroup) types.String {
+	// TODO Consider reusing resourceSecurityGroupRule.flattenReferencedSecurityGroup().
+	if apiObject == nil {
+		return types.StringNull()
+	}
+
+	if apiObject.UserId == nil || aws.StringValue(apiObject.UserId) == d.Meta().AccountID {
+		return flex.StringToFramework(ctx, apiObject.GroupId)
+	}
+
+	// [UserID/]GroupID.
+	return types.StringValue(strings.Join([]string{aws.StringValue(apiObject.UserId), aws.StringValue(apiObject.GroupId)}, "/"))
+}
+
+type dataSourceSecurityGroupRuleData struct {
+	ARN                       types.String `tfsdk:"arn"`
+	CIDRIPv4                  types.String `tfsdk:"cidr_ipv4"`
+	CIDRIPv6                  types.String `tfsdk:"cidr_ipv6"`
+	Description               types.String `tfsdk:"description"`
+	Filters                   types.Set    `tfsdk:"filter"`
+	FromPort                  types.Int64  `tfsdk:"from_port"`
+	ID                        types.String `tfsdk:"id"`
+	IPProtocol                types.String `tfsdk:"ip_protocol"`
+	IsEgress                  types.Bool   `tfsdk:"is_egress"`
+	PrefixListID              types.String `tfsdk:"prefix_list_id"`
+	ReferencedSecurityGroupID types.String `tfsdk:"referenced_security_group_id"`
+	SecurityGroupID           types.String `tfsdk:"security_group_id"`
+	SecurityGroupRuleID       types.String `tfsdk:"security_group_rule_id"`
+	Tags                      types.Map    `tfsdk:"tags"`
+	ToPort                    types.Int64  `tfsdk:"to_port"`
+}

internal/service/ec2/vpc_security_group_rule_data_source_test.go

@@ -0,0 +1,116 @@
+package ec2_test
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/aws/aws-sdk-go/service/ec2"
+	sdkacctest "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+	"github.com/hashicorp/terraform-provider-aws/internal/acctest"
+)
+
+func TestAccVPCSecurityGroupRuleDataSource_basic(t *testing.T) {
+	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+	dataSourceName := "data.aws_vpc_security_group_rule.test"
+	resourceName := "aws_vpc_security_group_ingress_rule.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(t) },
+		ErrorCheck:               acctest.ErrorCheck(t, ec2.EndpointsID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccVPCSecurityGroupRuleDataSourceConfig_basic(rName),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					resource.TestCheckResourceAttrPair(dataSourceName, "arn", resourceName, "arn"),
+					resource.TestCheckResourceAttrPair(dataSourceName, "cidr_ipv4", resourceName, "cidr_ipv4"),
+					resource.TestCheckResourceAttrPair(dataSourceName, "cidr_ipv6", resourceName, "cidr_ipv6"),
+					resource.TestCheckResourceAttrPair(dataSourceName, "description", resourceName, "description"),
+					resource.TestCheckResourceAttrPair(dataSourceName, "from_port", resourceName, "from_port"),
+					resource.TestCheckResourceAttrPair(dataSourceName, "ip_protocol", resourceName, "ip_protocol"),
+					resource.TestCheckResourceAttr(dataSourceName, "is_egress", "false"),
+					resource.TestCheckResourceAttrPair(dataSourceName, "prefix_list_id", resourceName, "prefix_list_id"),
+					resource.TestCheckResourceAttrPair(dataSourceName, "referenced_security_group_id", resourceName, "referenced_security_group_id"),
+					resource.TestCheckResourceAttrPair(dataSourceName, "security_group_id", resourceName, "security_group_id"),
+					resource.TestCheckResourceAttrPair(dataSourceName, "security_group_rule_id", resourceName, "security_group_rule_id"),
+					resource.TestCheckResourceAttrPair(dataSourceName, "tags.%", resourceName, "tags.%"),
+					resource.TestCheckResourceAttrPair(dataSourceName, "to_port", resourceName, "to_port"),
+				),
+			},
+		},
+	})
+}
+
+func TestAccVPCSecurityGroupRuleDataSource_filter(t *testing.T) {
+	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+	dataSourceName := "data.aws_vpc_security_group_rule.test"
+	resourceName := "aws_vpc_security_group_egress_rule.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(t) },
+		ErrorCheck:               acctest.ErrorCheck(t, ec2.EndpointsID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccVPCSecurityGroupRuleDataSourceConfig_filter(rName),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					resource.TestCheckResourceAttrPair(dataSourceName, "arn", resourceName, "arn"),
+					resource.TestCheckResourceAttrPair(dataSourceName, "cidr_ipv4", resourceName, "cidr_ipv4"),
+					resource.TestCheckResourceAttrPair(dataSourceName, "cidr_ipv6", resourceName, "cidr_ipv6"),
+					resource.TestCheckResourceAttrPair(dataSourceName, "description", resourceName, "description"),
+					resource.TestCheckResourceAttrPair(dataSourceName, "from_port", resourceName, "from_port"),
+					resource.TestCheckResourceAttrPair(dataSourceName, "ip_protocol", resourceName, "ip_protocol"),
+					resource.TestCheckResourceAttr(dataSourceName, "is_egress", "true"),
+					resource.TestCheckResourceAttrPair(dataSourceName, "prefix_list_id", resourceName, "prefix_list_id"),
+					resource.TestCheckResourceAttrPair(dataSourceName, "referenced_security_group_id", resourceName, "referenced_security_group_id"),
+					resource.TestCheckResourceAttrPair(dataSourceName, "security_group_id", resourceName, "security_group_id"),
+					resource.TestCheckResourceAttrPair(dataSourceName, "security_group_rule_id", resourceName, "security_group_rule_id"),
+					resource.TestCheckResourceAttrPair(dataSourceName, "tags.%", resourceName, "tags.%"),
+					resource.TestCheckResourceAttrPair(dataSourceName, "to_port", resourceName, "to_port"),
+				),
+			},
+		},
+	})
+}
+
+func testAccVPCSecurityGroupRuleDataSourceConfig_basic(rName string) string {
+	return acctest.ConfigCompose(testAccVPCSecurityGroupRuleConfig_base(rName), `
+resource "aws_vpc_security_group_ingress_rule" "test" {
+  security_group_id = aws_security_group.test.id
+
+  cidr_ipv4   = "10.0.0.0/8"
+  from_port   = 80
+  ip_protocol = "tcp"
+  to_port     = 8080
+}
+
+data "aws_vpc_security_group_rule" "test" {
+  security_group_rule_id = aws_vpc_security_group_ingress_rule.test.id
+}
+`)
+}
+
+func testAccVPCSecurityGroupRuleDataSourceConfig_filter(rName string) string {
+	return acctest.ConfigCompose(testAccVPCSecurityGroupRuleConfig_base(rName), fmt.Sprintf(`
+resource "aws_vpc_security_group_egress_rule" "test" {
+  security_group_id = aws_security_group.test.id
+
+  cidr_ipv6   = "2001:db8:85a3::/64"
+  from_port   = 80
+  ip_protocol = "tcp"
+  to_port     = 8080
+
+  tags = {
+    Name = %[1]q
+  }
+}
+
+data "aws_vpc_security_group_rule" "test" {
+  filter {
+    name   = "security-group-rule-id"
+    values = [aws_vpc_security_group_egress_rule.test.id]
+  }
+}
+`, rName))
+}

website/docs/d/vpc_security_group_rule.html.markdown

@@ -0,0 +1,52 @@
+---
+subcategory: "VPC (Virtual Private Cloud)"
+layout: "aws"
+page_title: "AWS: aws_vpc_security_group_rule"
+description: |-
+    Provides details about a specific security group rule
+---
+
+# Data Source: aws_vpc_security_group_rule
+
+`aws_vpc_security_group_rule` provides details about a specific security group rule.
+
+## Example Usage
+
+```terraform
+data "aws_vpc_security_group_rule" "example" {
+  security_group_rule_id = var.security_group_rule_id
+}
+```
+
+## Argument Reference
+
+The arguments of this data source act as filters for querying the available
+security group rules. The given filters must match exactly one security group rule
+whose data will be exported as attributes.
+
+* `security_group_rule_id` - (Optional) ID of the security group rule to select.
+* `filter` - (Optional) Configuration block(s) for filtering. Detailed below.
+
+### filter Configuration Block
+
+The following arguments are supported by the `filter` configuration block:
+
+* `name` - (Required) Name of the filter field. Valid values can be found in the EC2 [`DescribeSecurityGroupRules`](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroupRules.html) API Reference.
+* `values` - (Required) Set of values that are accepted for the given filter field. Results will be selected if any given value matches.
+
+## Attributes Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+* `arn` - The Amazon Resource Name (ARN) of the security group rule.
+* `cidr_ipv4` - The destination IPv4 CIDR range.
+* `cidr_ipv6` - The destination IPv6 CIDR range.
+* `description` - The security group rule description.
+* `from_port` - The start of port range for the TCP and UDP protocols, or an ICMP/ICMPv6 type.
+* `is_egress` - Indicates whether the security group rule is an outbound rule.
+* `ip_protocol` - The IP protocol name or number. Use `-1` to specify all protocols.
+* `prefix_list_id` - The ID of the destination prefix list.
+* `referenced_security_group_id` - The destination security group that is referenced in the rule.
+* `security_group_id` - The ID of the security group.
+* `tags` - A map of tags assigned to the resource.
+* `to_port` - (Optional) The end of port range for the TCP and UDP protocols, or an ICMP/ICMPv6 code.

website/docs/d/vpc_security_group_rules.html.markdown

@@ -3,7 +3,7 @@ subcategory: "VPC (Virtual Private Cloud)"
 layout: "aws"
 page_title: "AWS: aws_vpc_security_group_rules"
 description: |-
-    Get information about a set of security group ruleds.
+    Get information about a set of security group rules.
 ---
 
 # Data Source: aws_vpc_security_group_rules