github.com/nathanielks/terraform@v0.6.1-0.20170509030759-13e1a62319dc/website/source/docs/providers/aws/r/default_security_group.html.markdown

---
layout: "aws"
page_title: "AWS: aws_default_security_group"
sidebar_current: "docs-aws-resource-default-security-group"
description: |-
  Manage the default Security Group resource.
---

# aws\_default\_security\_group

Provides a resource to manage the default AWS Security Group.

For EC2 Classic accounts, each region comes with a Default Security Group.
Additionally, each VPC created in AWS comes with a Default Security Group that can be managed, but not
destroyed. **This is an advanced resource**, and has special caveats to be aware
of when using it. Please read this document in its entirety before using this
resource.

The `aws_default_security_group` behaves differently from normal resources, in that
Terraform does not _create_ this resource, but instead "adopts" it
into management. We can do this because these default security groups cannot be
destroyed, and are created with a known set of default ingress/egress rules.

When Terraform first adopts the Default Security Group, it **immediately removes all
ingress and egress rules in the Security Group**. It then proceeds to create any rules specified in the
configuration. This step is required so that only the rules specified in the
configuration are created.

This resource treats its inline rules as absolute; only the rules defined
inline are created, and any additions/removals made external to this resource will
show up as a diff on the next plan. For these reasons, this resource is incompatible with the
`aws_security_group_rule` resource.

For more information about Default Security Groups, see the AWS Documentation on
[Default Security Groups][aws-default-security-groups].

## Basic Example Usage, with default rules

The following config gives the Default Security Group the same rules that AWS
provides by default, but pulls the resource under management by Terraform. This means that
any ingress or egress rules added or changed will be detected as drift.

```hcl
resource "aws_vpc" "mainvpc" {
  cidr_block = "10.1.0.0/16"
}

resource "aws_default_security_group" "default" {
  vpc_id = "${aws_vpc.mainvpc.id}"

  ingress {
    protocol  = -1
    self      = true
    from_port = 0
    to_port   = 0
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

## Example config to deny all Egress traffic, allowing Ingress

The following denies all Egress traffic by omitting any `egress` rules, while
including the default `ingress` rule to allow all traffic.

```hcl
resource "aws_vpc" "mainvpc" {
  cidr_block = "10.1.0.0/16"
}

resource "aws_default_security_group" "default" {
  # The VPC resource exports its ID as `id`, not `vpc`
  vpc_id = "${aws_vpc.mainvpc.id}"

  ingress {
    protocol  = -1
    self      = true
    from_port = 0
    to_port   = 0
  }
}
```

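The two examples above keep the default `ingress` rule. A common hardening baseline goes one step further and leaves the Default Security Group with no rules at all, so that any instance accidentally launched into it can neither receive nor send traffic, while workloads are attached to a purpose-built group. The following config is an added example and is not part of the Terraform documentation; the resource names `web`, the tag value and the HTTPS-only rule are assumptions chosen for illustration:

```hcl
# Added example (not from the Terraform docs): fully locked-down default
# Security Group plus an explicit group for workloads.
resource "aws_vpc" "mainvpc" {
  cidr_block = "10.1.0.0/16"
}

# No ingress or egress blocks: on adoption Terraform strips the AWS default
# rules and creates none, so anything left in this group is isolated. Any
# rule added outside Terraform shows up as drift on the next plan.
resource "aws_default_security_group" "default" {
  vpc_id = "${aws_vpc.mainvpc.id}"

  tags {
    Name = "default-locked-down" # constructed tag value
  }
}

# Workloads use this group instead of the default one (assumed name "web").
resource "aws_security_group" "web" {
  name        = "web"
  description = "HTTPS from inside the VPC only"
  vpc_id      = "${aws_vpc.mainvpc.id}"

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["${aws_vpc.mainvpc.cidr_block}"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

Because the default group is managed with an empty rule set, a later `terraform plan` reports any rule that someone adds to it through the console or API as a change to be reverted, which is the drift detection this resource is designed to provide.
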
## Argument Reference

The arguments of an `aws_default_security_group` differ slightly from `aws_security_group`
resources. Namely, the `name` argument is computed, and the `name_prefix` argument is
removed. The following arguments are still supported:

* `ingress` - (Optional) Can be specified multiple times for each
   ingress rule. Each ingress block supports the fields documented for `aws_security_group`.
* `egress` - (Optional, VPC only) Can be specified multiple times for each
      egress rule. Each egress block supports the fields documented for `aws_security_group`.
* `vpc_id` - (Optional, Forces new resource) The VPC ID. **Note that changing
the `vpc_id` will _not_ restore any default security group rules that were
modified, added, or removed.** The previously managed group is left in its current state.
* `tags` - (Optional) A mapping of tags to assign to the resource.

## Usage

With the exceptions mentioned above, `aws_default_security_group` should have
identical behavior to `aws_security_group`. Please consult [AWS_SECURITY_GROUP](/docs/providers/aws/r/security_group.html)
for further usage documentation.

### Removing `aws_default_security_group` from your configuration

Each AWS VPC (or region, if using EC2 Classic) comes with a Default Security
Group that cannot be deleted. The `aws_default_security_group` allows you to
manage this Security Group, but Terraform cannot destroy it. Removing this resource
from your configuration will remove it from your statefile and management, but
will not destroy the Security Group. All ingress or egress rules will be left as
they are at the time of removal. You can resume managing them via the AWS Console.

## Attributes Reference

The following attributes are exported:

* `id` - The ID of the security group
* `vpc_id` - The VPC ID.
* `owner_id` - The owner ID.
* `name` - The name of the security group
* `description` - The description of the security group
* `ingress` - The ingress rules. See above for more.
* `egress` - The egress rules. See above for more.

[aws-default-security-groups]: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html#default-security-group