github.com/nathanielks/terraform@v0.6.1-0.20170509030759-13e1a62319dc/website/source/docs/providers/aws/r/security_group.html.markdown

---
layout: "aws"
page_title: "AWS: aws_security_group"
sidebar_current: "docs-aws-resource-security-group"
description: |-
  Provides a security group resource.
---

# aws\_security\_group

Provides a security group resource.

~> **NOTE on Security Groups and Security Group Rules:** Terraform currently
provides both a standalone [Security Group Rule resource](security_group_rule.html) (a single `ingress` or
`egress` rule), and a Security Group resource with `ingress` and `egress` rules
defined in-line. At this time you cannot use a Security Group with in-line rules
in conjunction with any Security Group Rule resources. Doing so will cause
a conflict of rule settings and will overwrite rules.

## Example Usage

Basic usage

```hcl
resource "aws_security_group" "allow_all" {
  name        = "allow_all"
  description = "Allow all inbound traffic"

  ingress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port       = 0
    to_port         = 0
    protocol        = "-1"
    cidr_blocks     = ["0.0.0.0/0"]
    prefix_list_ids = ["pl-12c4e678"]
  }
}
```

Basic usage with tags:

```hcl
resource "aws_security_group" "allow_all" {
  name        = "allow_all"
  description = "Allow all inbound traffic"

  ingress {
    from_port   = 0
    to_port     = 65535
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags {
    Name = "allow_all"
  }
}
```

## Argument Reference

The following arguments are supported:

* `name` - (Optional, Forces new resource) The name of the security group. If omitted, Terraform will
  assign a random, unique name.
* `name_prefix` - (Optional, Forces new resource) Creates a unique name beginning with the specified
  prefix. Conflicts with `name`.
* `description` - (Optional, Forces new resource) The security group description. Defaults to
  "Managed by Terraform". Cannot be "". __NOTE__: This field maps to the AWS
  `GroupDescription` attribute, for which there is no Update API. If you'd like
  to classify your security groups in a way that can be updated, use `tags`.
* `ingress` - (Optional) Can be specified multiple times for each
  ingress rule. Each ingress block supports fields documented below.
* `egress` - (Optional, VPC only) Can be specified multiple times for each
  egress rule. Each egress block supports fields documented below.
* `vpc_id` - (Optional, Forces new resource) The VPC ID.
* `tags` - (Optional) A mapping of tags to assign to the resource.

The `ingress` block supports:

* `cidr_blocks` - (Optional) List of CIDR blocks.
* `ipv6_cidr_blocks` - (Optional) List of IPv6 CIDR blocks.
* `from_port` - (Required) The start port (or ICMP type number if protocol is "icmp").
* `protocol` - (Required) The protocol. If you select a protocol of
  "-1" (semantically equivalent to `"all"`, which is not a valid value here), you must specify a "from_port" and "to_port" equal to 0. If not icmp, tcp, udp, or "-1", use the [protocol number](https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml).
* `security_groups` - (Optional) List of security group Group Names if using
  EC2-Classic, or Group IDs if using a VPC.
* `self` - (Optional) If true, the security group itself will be added as
  a source to this ingress rule.
* `to_port` - (Required) The end range port (or ICMP code if protocol is "icmp").

The `egress` block supports:

* `cidr_blocks` - (Optional) List of CIDR blocks.
* `ipv6_cidr_blocks` - (Optional) List of IPv6 CIDR blocks.
* `prefix_list_ids` - (Optional) List of prefix list IDs (for allowing access to VPC endpoints).
* `from_port` - (Required) The start port (or ICMP type number if protocol is "icmp").
* `protocol` - (Required) The protocol. If you select a protocol of
  "-1" (semantically equivalent to `"all"`, which is not a valid value here), you must specify a "from_port" and "to_port" equal to 0. If not icmp, tcp, udp, or "-1", use the [protocol number](https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml).
* `security_groups` - (Optional) List of security group Group Names if using
  EC2-Classic, or Group IDs if using a VPC.
* `self` - (Optional) If true, the security group itself will be added as
  a source to this egress rule.
* `to_port` - (Required) The end range port (or ICMP code if protocol is "icmp").

~> **NOTE on Egress rules:** By default, AWS creates an `ALLOW ALL` egress rule when creating a
new Security Group inside of a VPC. When creating a new Security
Group inside a VPC, **Terraform will remove this default rule**, and require you
specifically re-create it if you desire that rule. We feel this leads to fewer
surprises in terms of controlling your egress rules. If you desire this rule to
be in place, you can use this `egress` block:

```hcl
egress {
  from_port   = 0
  to_port     = 0
  protocol    = "-1"
  cidr_blocks = ["0.0.0.0/0"]
}
```

## Usage with prefix list IDs

Prefix list IDs are managed by AWS internally. Prefix list IDs
are associated with a prefix list name, or service name, that is linked to a specific region.
Prefix list IDs are exported on VPC Endpoints, so you can use this format:

```hcl
# ...
egress {
  from_port       = 0
  to_port         = 0
  protocol        = "-1"
  prefix_list_ids = ["${aws_vpc_endpoint.my_endpoint.prefix_list_id}"]
}
# ...
resource "aws_vpc_endpoint" "my_endpoint" {
  # ...
}
```

## Attributes Reference

The following attributes are exported:

* `id` - The ID of the security group.
* `vpc_id` - The VPC ID.
* `owner_id` - The owner ID.
* `name` - The name of the security group.
* `description` - The description of the security group.
* `ingress` - The ingress rules. See above for more.
* `egress` - The egress rules. See above for more.

## Import

Security Groups can be imported using the `security group id`, e.g.

```
$ terraform import aws_security_group.elb_sg sg-903004f8
```
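## Added example: tiered groups with restricted egress

The following is an added example, not part of the provider's documentation, that combines the arguments described under Argument Reference into a least-privilege layout: a web tier that only admits HTTPS, an app tier that only admits traffic from the web group (`security_groups`) and from its own members (`self`), and an explicit `egress` block on each group because Terraform removes the default allow-all egress rule. `var.vpc_id`, `var.vpc_cidr` and the `aws_vpc_endpoint.my_endpoint` resource are assumed to be defined elsewhere in the configuration.

```hcl
# Assumed (not from this page): var.vpc_id, var.vpc_cidr, aws_vpc_endpoint.my_endpoint.
resource "aws_security_group" "web" {
  name_prefix = "web-"
  description = "Web tier: HTTPS in, app port out"
  vpc_id      = "${var.vpc_id}"

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # Terraform removes the default allow-all egress; re-add only the app port inside the VPC.
  egress {
    from_port   = 8080
    to_port     = 8080
    protocol    = "tcp"
    cidr_blocks = ["${var.vpc_cidr}"]
  }
}

resource "aws_security_group" "app" {
  name_prefix = "app-"
  description = "App tier: reachable only from the web tier and itself"
  vpc_id      = "${var.vpc_id}"

  ingress {
    from_port       = 8080
    to_port         = 8080
    protocol        = "tcp"
    security_groups = ["${aws_security_group.web.id}"]
  }

  ingress {
    from_port = 8080
    to_port   = 8080
    protocol  = "tcp"
    self      = true   # members of this group may talk to each other
  }

  # Outbound only to the VPC endpoint prefix list, not to the internet.
  egress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    prefix_list_ids = ["${aws_vpc_endpoint.my_endpoint.prefix_list_id}"]
  }
}
```

The web group's egress deliberately uses the VPC CIDR rather than `aws_security_group.app.id`, since referencing each group from the other's in-line rules would create a dependency cycle between the two resources.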