
aws_default_security_group

Provides a resource to manage the default AWS Security Group.

For EC2 Classic accounts, each region comes with a Default Security Group. Additionally, each VPC created in AWS comes with a Default Security Group that can be managed, but not destroyed. This is an advanced resource, and has special caveats to be aware of when using it. Please read this document in its entirety before using this resource.

The aws_default_security_group behaves differently from normal resources, in that Terraform does not create this resource, but instead “adopts” it into management. We can do this because these default security groups cannot be destroyed, and are created with a known set of default ingress/egress rules.

When Terraform first adopts the Default Security Group, it immediately removes all ingress and egress rules from the Security Group. It then proceeds to create any rules specified in the configuration. This step is required so that only the rules specified in the configuration exist on the group.

For more information about Default Security Groups, see the AWS Documentation on Default Security Groups.

Basic Example Usage, with default rules

The following config gives the Default Security Group the same rules that AWS provides by default, but pulls the resource under management by Terraform. This means that any ingress or egress rules added or changed will be detected as drift.

resource "aws_vpc" "mainvpc" {
  cidr_block = "10.1.0.0/16"
}

resource "aws_default_security_group" "default" {
  vpc_id = "${aws_vpc.mainvpc.id}"

  ingress {
    protocol  = "-1"
    self      = true
    from_port = 0
    to_port   = 0
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

Example config to deny all Egress traffic, allowing Ingress

The following denies all Egress traffic by omitting any egress rules, while including the default ingress rule to allow all traffic.

resource "aws_vpc" "mainvpc" {
  cidr_block = "10.1.0.0/16"
}

resource "aws_default_security_group" "default" {
  vpc_id = "${aws_vpc.mainvpc.id}"

  ingress {
    protocol  = "-1"
    self      = true
    from_port = 0
    to_port   = 0
  }
}
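Whether or not the groups are under Terraform management, a defender usually wants to verify that no default Security Group in any VPC still carries rules (the lockdown state the configuration above approaches, minus its ingress rule). The following is an added example, not part of the Terraform documentation: it consumes the dict shape returned by EC2 DescribeSecurityGroups (boto3's ec2.describe_security_groups()) and flags each group named "default" that still has ingress or egress rules. The sample response is constructed and its group and VPC ids are placeholders.

```python
from typing import Dict, List

# Constructed sample response in DescribeSecurityGroups shape. vpc-1's default
# group has been emptied (what Terraform does on adoption with no rules
# configured); vpc-2's still has the rules AWS creates by default; "web" is
# not a default group and must be ignored by the check.
SAMPLE_RESPONSE: Dict = {"SecurityGroups": [
    {"GroupId": "sg-placeholder-1", "GroupName": "default",
     "VpcId": "vpc-placeholder-1", "IpPermissions": [], "IpPermissionsEgress": []},
    {"GroupId": "sg-placeholder-2", "GroupName": "default",
     "VpcId": "vpc-placeholder-2",
     "IpPermissions": [{"IpProtocol": "-1",
                        "UserIdGroupPairs": [{"GroupId": "sg-placeholder-2"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1",
                              "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-placeholder-3", "GroupName": "web", "VpcId": "vpc-placeholder-2",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": []},
]}


def describe_rule(perm: Dict) -> str:
    """Render one IpPermission entry as 'proto/ports from sources'."""
    proto = perm.get("IpProtocol", "?")
    ports = "all" if proto == "-1" else f"{perm.get('FromPort')}-{perm.get('ToPort')}"
    sources = ([r["CidrIp"] for r in perm.get("IpRanges", [])]
               + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
               + [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])])
    return f"{proto}/{ports} from {', '.join(sources) or 'none'}"


def noncompliant_default_groups(response: Dict) -> Dict[str, List[str]]:
    """Return {GroupId: [rule descriptions]} for default groups that still
    have rules; non-default groups and empty default groups are skipped."""
    findings: Dict[str, List[str]] = {}
    for sg in response.get("SecurityGroups", []):
        if sg.get("GroupName") != "default":
            continue
        rules = [f"ingress {describe_rule(p)}" for p in sg.get("IpPermissions", [])]
        rules += [f"egress {describe_rule(p)}" for p in sg.get("IpPermissionsEgress", [])]
        if rules:
            findings[sg["GroupId"]] = rules
    return findings


if __name__ == "__main__":
    # Live use: response = boto3.client("ec2").describe_security_groups()
    for gid, rules in noncompliant_default_groups(SAMPLE_RESPONSE).items():
        print(gid, *rules, sep="\n  ")
```

Because AWS pages DescribeSecurityGroups results, a live run should feed every page (or the paginator's merged output) through the same function.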

Argument Reference

The arguments of an aws_default_security_group differ slightly from those of aws_security_group resources. Namely, the name argument is computed, and the name_prefix attribute is removed. The following arguments are still supported:

Usage

With the exceptions mentioned above, aws_default_security_group should have identical behavior to aws_security_group. Please consult the aws_security_group documentation for further usage details.

Removing aws_default_security_group from your configuration

Each AWS VPC (or region, if using EC2 Classic) comes with a Default Security Group that cannot be deleted. The aws_default_security_group allows you to manage this Security Group, but Terraform cannot destroy it. Removing this resource from your configuration will remove it from your statefile and management, but will not destroy the Security Group. All ingress or egress rules will be left as they are at the time of removal. You can resume managing them via the AWS Console.

Attributes Reference

The following attributes are exported:


See the source of this document at Terraform.io