---
layout: "aws"
page_title: "AWS: aws_security_group"
sidebar_current: "docs-aws-resource-security-group"
description: |-
  Provides a security group resource.
---

# aws\_security\_group

Provides a security group resource.

~> **NOTE on Security Groups and Security Group Rules:** Terraform currently
provides both a standalone [Security Group Rule resource](security_group_rule.html) (a single `ingress` or
`egress` rule), and a Security Group resource with `ingress` and `egress` rules
defined in-line. At this time you cannot use a Security Group with in-line rules
in conjunction with any Security Group Rule resources. Doing so will cause
a conflict of rule settings and will overwrite rules.

## Example Usage

Basic usage:

```
resource "aws_security_group" "allow_all" {
  name        = "allow_all"
  description = "Allow all inbound traffic"

  ingress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port       = 0
    to_port         = 0
    protocol        = "-1"
    cidr_blocks     = ["0.0.0.0/0"]
    prefix_list_ids = ["pl-12c4e678"]
  }
}
```

Basic usage with tags:

```
resource "aws_security_group" "allow_all" {
  name        = "allow_all"
  description = "Allow all inbound traffic"

  ingress {
    from_port   = 0
    to_port     = 65535
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags {
    Name = "allow_all"
  }
}
```

## Argument Reference

The following arguments are supported:

* `name` - (Optional, Forces new resource) The name of the security group. If omitted, Terraform will
  assign a random, unique name.
* `name_prefix` - (Optional, Forces new resource) Creates a unique name beginning with the specified
  prefix. Conflicts with `name`.
* `description` - (Optional, Forces new resource) The security group description. Defaults to
  "Managed by Terraform". Cannot be "". __NOTE__: This field maps to the AWS
  `GroupDescription` attribute, for which there is no Update API. If you'd like
  to classify your security groups in a way that can be updated, use `tags`.
* `ingress` - (Optional) Can be specified multiple times, once for each
  ingress rule. Each ingress block supports the fields documented below.
* `egress` - (Optional, VPC only) Can be specified multiple times, once for each
  egress rule. Each egress block supports the fields documented below.
* `vpc_id` - (Optional, Forces new resource) The VPC ID.
* `tags` - (Optional) A mapping of tags to assign to the resource.

The `ingress` block supports:

* `cidr_blocks` - (Optional) List of CIDR blocks.
* `from_port` - (Required) The start port (or ICMP type number if protocol is "icmp").
* `protocol` - (Required) The protocol. If you select a protocol of
  "-1", you must specify a "from_port" and "to_port" equal to 0.
* `security_groups` - (Optional) List of security group Group Names if using
  EC2-Classic, or Group IDs if using a VPC.
* `self` - (Optional) If true, the security group itself will be added as
  a source to this ingress rule.
* `to_port` - (Required) The end port of the range.

The `egress` block supports:

* `cidr_blocks` - (Optional) List of CIDR blocks.
* `prefix_list_ids` - (Optional) List of prefix list IDs (for allowing access to VPC endpoints).
* `from_port` - (Required) The start port (or ICMP type number if protocol is "icmp").
* `protocol` - (Required) The protocol. If you select a protocol of
  "-1", you must specify a "from_port" and "to_port" equal to 0.
* `security_groups` - (Optional) List of security group Group Names if using
  EC2-Classic, or Group IDs if using a VPC.
* `self` - (Optional) If true, the security group itself will be added as
  a source to this egress rule.
* `to_port` - (Required) The end port of the range.

~> **NOTE on Egress rules:** By default, AWS creates an `ALLOW ALL` egress rule when creating a
new Security Group inside of a VPC. When creating a new Security
Group inside a VPC, **Terraform will remove this default rule**, and require you
specifically re-create it if you desire that rule. We feel this leads to fewer
surprises in terms of controlling your egress rules. If you desire this rule to
be in place, you can use this `egress` block:

```
egress {
  from_port   = 0
  to_port     = 0
  protocol    = "-1"
  cidr_blocks = ["0.0.0.0/0"]
}
```

## Usage with prefix list IDs

Prefix list IDs are managed by AWS internally. Prefix list IDs
are associated with a prefix list name, or service name, that is linked to a specific region.
Prefix list IDs are exported on VPC Endpoints, so you can use this format:

```
...
  egress {
    from_port       = 0
    to_port         = 0
    protocol        = "-1"
    prefix_list_ids = ["${aws_vpc_endpoint.my_endpoint.prefix_list_id}"]
  }
...
resource "aws_vpc_endpoint" "my_endpoint" {
  ...
}
```

## Attributes Reference

The following attributes are exported:

* `id` - The ID of the security group.
* `vpc_id` - The VPC ID.
* `owner_id` - The owner ID.
* `name` - The name of the security group.
* `description` - The description of the security group.
* `ingress` - The ingress rules. See above for more.
* `egress` - The egress rules. See above for more.
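The examples above open every port to `0.0.0.0/0`. The configuration below is an added example, not part of the Terraform documentation or the provider's own code, showing how the `ingress` and `egress` fields from the Argument Reference, the explicit egress rule from the egress note, and the prefix list ID from the VPC endpoint section combine into a least-privilege pair of groups. The group names `web` and `app`, the VPC `aws_vpc.main`, the endpoint `aws_vpc_endpoint.s3` and the port 8080 are assumptions for the example; it is written in the 0.7-era syntax used elsewhere on this page.

```hcl
# Added example (not from the Terraform docs). Two groups chained together:
# only the web tier is reachable from the internet, and the app tier accepts
# traffic only from the web tier. "aws_vpc.main" and "aws_vpc_endpoint.s3" are
# assumed to be defined elsewhere in the same configuration.

resource "aws_security_group" "web" {
  name_prefix = "web-"
  description = "Public web tier: HTTPS from anywhere"
  vpc_id      = "${aws_vpc.main.id}"

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # Terraform removes the AWS default allow-all egress rule, so egress has to
  # be declared explicitly. Only the app port, and only inside the VPC.
  # Referencing aws_security_group.app here would create a dependency cycle
  # (app already references web); the standalone aws_security_group_rule
  # resource exists for that case, but cannot be mixed with in-line rules.
  egress {
    from_port   = 8080
    to_port     = 8080
    protocol    = "tcp"
    cidr_blocks = ["${aws_vpc.main.cidr_block}"]
  }

  tags {
    Name = "web"
  }
}

resource "aws_security_group" "app" {
  name_prefix = "app-"
  description = "App tier: reachable only from the web tier"
  vpc_id      = "${aws_vpc.main.id}"

  # Inside a VPC the source is a security group ID rather than a CIDR block,
  # so the rule follows the web instances wherever their addresses move.
  ingress {
    from_port       = 8080
    to_port         = 8080
    protocol        = "tcp"
    security_groups = ["${aws_security_group.web.id}"]
  }

  # "self" lets members of the app group talk to each other on the app port.
  ingress {
    from_port = 8080
    to_port   = 8080
    protocol  = "tcp"
    self      = true
  }

  # For "icmp" the from_port carries the ICMP type and to_port the code:
  # echo request (type 8, code 0) from inside the VPC only, for health checks.
  ingress {
    from_port   = 8
    to_port     = 0
    protocol    = "icmp"
    cidr_blocks = ["${aws_vpc.main.cidr_block}"]
  }

  # Egress limited to the S3 VPC endpoint via its exported prefix list ID;
  # no CIDR-based egress is declared, so the tier cannot reach the internet.
  egress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    prefix_list_ids = ["${aws_vpc_endpoint.s3.prefix_list_id}"]
  }

  tags {
    Name = "app"
  }
}
```

Because the provider removes the default egress rule, any outbound path that is not listed in an `egress` block is closed, which is what makes the `prefix_list_ids` rule above an actual restriction rather than a redundant allow. Using `name_prefix` instead of `name` also lets Terraform create a replacement group alongside the old one when a "Forces new resource" argument changes.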