---
layout: "aws"
page_title: "AWS: aws_default_security_group"
sidebar_current: "docs-aws-resource-default-security-group"
description: |-
  Manage the default Security Group resource.
---

# aws\_default\_security\_group

Provides a resource to manage the default AWS Security Group.

For EC2 Classic accounts, each region comes with a Default Security Group.
Additionally, each VPC created in AWS comes with a Default Security Group that
can be managed, but not destroyed. **This is an advanced resource**, and has
special caveats to be aware of when using it. Please read this document in its
entirety before using this resource.

The `aws_default_security_group` behaves differently from normal resources, in
that Terraform does not _create_ this resource, but instead "adopts" it into
management. We can do this because these default security groups cannot be
destroyed, and are created with a known set of default ingress/egress rules.

When Terraform first adopts the Default Security Group, it **immediately removes
all ingress and egress rules in the ACL**. It then proceeds to create any rules
specified in the configuration. This step is required so that only the rules
specified in the configuration are created.

For more information about Default Security Groups, see the AWS Documentation on
[Default Security Groups][aws-default-security-groups].

## Basic Example Usage, with default rules

The following config gives the Default Security Group the same rules that AWS
provides by default, but pulls the resource under management by Terraform. This
means that any ingress or egress rules added or changed will be detected as
drift.

```
resource "aws_vpc" "mainvpc" {
  cidr_block = "10.1.0.0/16"
}

resource "aws_default_security_group" "default" {
  vpc_id = "${aws_vpc.mainvpc.id}"

  # AWS default: all protocols and ports, only from members of this group
  ingress {
    protocol  = "-1"
    self      = true
    from_port = 0
    to_port   = 0
  }

  # AWS default: all outbound traffic allowed
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

## Example config to deny all Egress traffic, allowing Ingress

The following denies all Egress traffic by omitting any `egress` rules, while
including the default `ingress` rule to allow all traffic.

```
resource "aws_vpc" "mainvpc" {
  cidr_block = "10.1.0.0/16"
}

resource "aws_default_security_group" "default" {
  vpc_id = "${aws_vpc.mainvpc.id}"

  # Only the default self-referencing ingress rule; no egress block, so
  # Terraform removes every outbound rule and creates none.
  ingress {
    protocol  = "-1"
    self      = true
    from_port = 0
    to_port   = 0
  }
}
```

## Argument Reference

The arguments of an `aws_default_security_group` differ slightly from
`aws_security_group` resources. Namely, the `name` argument is computed, and the
`name_prefix` attribute is removed. The following arguments are still supported:

* `ingress` - (Optional) Can be specified multiple times for each
  ingress rule. Each ingress block supports fields documented below.
* `egress` - (Optional, VPC only) Can be specified multiple times for each
  egress rule. Each egress block supports fields documented below.
* `vpc_id` - (Optional, Forces new resource) The VPC ID. **Note that changing
  the `vpc_id` will _not_ restore any default security group rules that were
  modified, added, or removed.** The previous group will be left in its current
  state.
* `tags` - (Optional) A mapping of tags to assign to the resource.

## Usage

With the exceptions mentioned above, `aws_default_security_group` should have
identical behavior to `aws_security_group`. Please consult
[AWS_SECURITY_GROUP](/docs/providers/aws/r/security_group.html) for further
usage documentation.
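The drift the "Basic Example Usage" section describes can also be checked outside Terraform. The following is an added example, not part of this page or of the Terraform provider: it takes a security group in the shape EC2 `DescribeSecurityGroups` returns (the sample below is constructed, and its group ID and extra SSH rule are made up), compares it against the rules the first configuration above declares (all-protocol ingress from the group itself, all-protocol egress to `0.0.0.0/0`), and reports every rule the configuration did not declare.

```python
"""Drift check for an adopted default security group (added example)."""

# Constructed sample in the shape of one DescribeSecurityGroups entry.
# The group ID is a placeholder; the tcp/22 rule is the drift to detect.
SAMPLE_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "default",
    "IpPermissions": [
        # AWS omits FromPort/ToPort for protocol "-1"
        {"IpProtocol": "-1", "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "UserIdGroupPairs": []},
    ],
}


def flatten(perms):
    """Expand each IpPermission into one tuple per source/destination."""
    rules = set()
    for p in perms:
        proto = p["IpProtocol"]
        # Terraform writes 0/0 for protocol "-1", so map absent ports to 0
        ports = (p.get("FromPort", 0), p.get("ToPort", 0))
        for r in p.get("IpRanges", []):
            rules.add((proto, ports, "cidr", r["CidrIp"]))
        for g in p.get("UserIdGroupPairs", []):
            rules.add((proto, ports, "sg", g["GroupId"]))
    return rules


def expected_default_rules(group_id):
    """Rules declared by the 'default rules' configuration on this page."""
    ingress = {("-1", (0, 0), "sg", group_id)}
    egress = {("-1", (0, 0), "cidr", "0.0.0.0/0")}
    return ingress, egress


def find_drift(group, expected=None):
    """Return (extra ingress, missing ingress, extra egress, missing egress)."""
    exp_in, exp_out = expected or expected_default_rules(group["GroupId"])
    actual_in = flatten(group["IpPermissions"])
    actual_out = flatten(group["IpPermissionsEgress"])
    return (sorted(actual_in - exp_in), sorted(exp_in - actual_in),
            sorted(actual_out - exp_out), sorted(exp_out - actual_out))
```

Passing `(ingress_rules, set())` as `expected` checks a group against the "deny all Egress" configuration instead.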

### Removing `aws_default_security_group` from your configuration

Each AWS VPC (or region, if using EC2 Classic) comes with a Default Security
Group that cannot be deleted. The `aws_default_security_group` allows you to
manage this Security Group, but Terraform cannot destroy it. Removing this
resource from your configuration will remove it from your state file and from
management, but will not destroy the Security Group. All ingress or egress rules
will be left as they are at the time of removal. You can resume managing them
via the AWS Console.

## Attributes Reference

The following attributes are exported:

* `id` - The ID of the security group.
* `vpc_id` - The VPC ID.
* `owner_id` - The owner ID.
* `name` - The name of the security group.
* `description` - The description of the security group.
* `ingress` - The ingress rules. See above for more.
* `egress` - The egress rules. See above for more.

[aws-default-security-groups]: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html#default-security-group