github.com/danp/terraform@v0.9.5-0.20170426144147-39d740081351/website/source/docs/providers/aws/r/default_security_group.html.markdown

---
layout: "aws"
page_title: "AWS: aws_default_security_group"
sidebar_current: "docs-aws-resource-default-security-group"
description: |-
  Manage the default Security Group resource.
---

# aws\_default\_security\_group

Provides a resource to manage the default AWS Security Group.

For EC2 Classic accounts, each region comes with a Default Security Group.
Additionally, each VPC created in AWS comes with a Default Security Group that can be managed, but not
destroyed. **This is an advanced resource**, and has special caveats to be aware
of when using it. Please read this document in its entirety before using this
resource.

The `aws_default_security_group` behaves differently from normal resources, in that
Terraform does not _create_ this resource, but instead "adopts" it
into management. We can do this because these default security groups cannot be
destroyed, and are created with a known set of default ingress/egress rules.

When Terraform first adopts the Default Security Group, it **immediately removes all
ingress and egress rules in the Security Group**. It then proceeds to create any rules specified in the
configuration. This step is required so that only the rules specified in the
configuration are created. Any instances or network interfaces that still rely on the
default group's existing rules lose that access at the moment of adoption, so check what
is attached to the group before the first apply.

This resource treats its inline rules as absolute; only the rules defined
inline are created, and any additions or removals made outside this resource will
show up as a diff on the next plan. For these reasons, this resource is incompatible with the
`aws_security_group_rule` resource.

For more information about Default Security Groups, see the AWS Documentation on
[Default Security Groups][aws-default-security-groups].
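The configuration below is an added example written for this page; it is not code from the Terraform repository or from the AWS documentation. It applies the caveats above in the way a hardening baseline usually wants: the default group is adopted with no inline rules at all, so an instance left on the default group can neither be reached nor reach out, and the rules a workload actually needs live on a separate `aws_security_group`, where `aws_security_group_rule` may be used freely. The VPC CIDR, the resource and tag names, the port numbers and the resolver address are assumptions, not values from the page.

```hcl
# Added example: lock the default group down and put real rules elsewhere.
resource "aws_vpc" "main" {
  cidr_block = "10.1.0.0/16"   # assumed address range
}

# Adopt the default group with no ingress and no egress blocks. On first
# apply Terraform strips the AWS-provided rules and creates none, so the
# group allows nothing in either direction. Any rule later added in the
# console or API is reported as a diff on the next plan.
resource "aws_default_security_group" "default" {
  vpc_id = "${aws_vpc.main.id}"

  tags {
    Name = "default-locked-down"   # assumed tag value
  }
}

# Workload traffic is described on a purpose-built group instead. This is an
# ordinary aws_security_group: it can be created and destroyed, and it can be
# combined with aws_security_group_rule resources, unlike the default group.
resource "aws_security_group" "web" {
  name        = "web"   # assumed name
  description = "HTTPS in from anywhere; HTTPS and DNS out"
  vpc_id      = "${aws_vpc.main.id}"

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 53
    to_port     = 53
    protocol    = "udp"
    cidr_blocks = ["10.1.0.2/32"]   # assumed: the VPC resolver at CIDR base + 2
  }
}
```

With this layout an instance launched without an explicit security group, and therefore placed on the default group, has no connectivity until it is moved onto `web` or another deliberately defined group. Accidental exposure through a forgotten default group becomes a visible connectivity failure instead of a silent open port.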
## Basic Example Usage, with default rules

The following config gives the Default Security Group the same rules that AWS
provides by default, but pulls the resource under management by Terraform. This means that
any ingress or egress rules added or changed will be detected as drift.

```hcl
resource "aws_vpc" "mainvpc" {
  cidr_block = "10.1.0.0/16"
}

resource "aws_default_security_group" "default" {
  vpc_id = "${aws_vpc.mainvpc.id}"

  ingress {
    protocol  = "-1"
    self      = true
    from_port = 0
    to_port   = 0
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

## Example config to deny all Egress traffic, allowing Ingress

The following denies all Egress traffic by omitting any `egress` rules, while
including the default `ingress` rule, which allows all traffic between members of the
group. Because security groups are stateful, replies to connections that the `ingress`
rule permitted are still delivered; only connections initiated from inside the group are
blocked.

```hcl
resource "aws_vpc" "mainvpc" {
  cidr_block = "10.1.0.0/16"
}

resource "aws_default_security_group" "default" {
  vpc_id = "${aws_vpc.mainvpc.id}"

  ingress {
    protocol  = "-1"
    self      = true
    from_port = 0
    to_port   = 0
  }
}
```

## Argument Reference

The arguments of an `aws_default_security_group` differ slightly from `aws_security_group`
resources. Namely, the `name` argument is computed, and the `name_prefix` attribute is
removed. The following arguments are still supported:

* `ingress` - (Optional) Can be specified multiple times for each
  ingress rule. Each ingress block supports fields documented below.
* `egress` - (Optional, VPC only) Can be specified multiple times for each
  egress rule. Each egress block supports fields documented below.
* `vpc_id` - (Optional, Forces new resource) The VPC ID.
  **Note that changing
  the `vpc_id` will _not_ restore any default security group rules that were
  modified, added, or removed.** The default group of the previous VPC is left in
  whatever state it was in at the time of the change.
* `tags` - (Optional) A mapping of tags to assign to the resource.

## Usage

With the exceptions mentioned above, `aws_default_security_group` should have
identical behavior to `aws_security_group`. Please consult [AWS_SECURITY_GROUP](/docs/providers/aws/r/security_group.html)
for further usage documentation.

### Removing `aws_default_security_group` from your configuration

Each AWS VPC (or region, if using EC2 Classic) comes with a Default Security
Group that cannot be deleted. The `aws_default_security_group` allows you to
manage this Security Group, but Terraform cannot destroy it. Removing this resource
from your configuration will remove it from your statefile and management, but
will not destroy the Security Group. All ingress or egress rules will be left as
they are at the time of removal; the rules Terraform created stay in place and AWS does
not restore its own defaults. You can continue managing them via the AWS Console.

## Attributes Reference

The following attributes are exported:

* `id` - The ID of the security group.
* `vpc_id` - The VPC ID.
* `owner_id` - The owner ID.
* `name` - The name of the security group.
* `description` - The description of the security group.
* `ingress` - The ingress rules. See above for more.
* `egress` - The egress rules. See above for more.

[aws-default-security-groups]: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html#default-security-group