Resource: aws_default_security_group

Provides a resource to manage a default security group. This resource can manage the default security group of the default or a non-default VPC.

When Terraform first begins managing the default security group, it immediately removes all ingress and egress rules in the Security Group. It then creates any rules specified in the configuration. This way only the rules specified in the configuration are created.

This resource treats its inline rules as absolute: only the rules defined inline are created, and any rules added or removed outside of this resource will show up as a diff on the next plan. For these reasons, this resource is incompatible with the aws_security_group_rule resource.

For more information about default security groups, see the AWS documentation on Default Security Groups. To manage normal security groups, see the aws_security_group resource.

Example Usage

The following config gives the default security group the same rules that AWS provides by default but under management by Terraform. This means that any ingress or egress rules added or changed will be detected as drift.

resource "aws_vpc" "mainvpc" {
  cidr_block = "10.1.0.0/16"
}

resource "aws_default_security_group" "default" {
  vpc_id = aws_vpc.mainvpc.id

  ingress {
    protocol  = -1
    self      = true
    from_port = 0
    to_port   = 0
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

Example Config To Deny All Egress Traffic, Allowing Ingress

The following denies all egress traffic by omitting any egress rules, while keeping the default ingress rule that allows all traffic from members of the group itself.

resource "aws_vpc" "mainvpc" {
  cidr_block = "10.1.0.0/16"
}

resource "aws_default_security_group" "default" {
  vpc_id = aws_vpc.mainvpc.id

  ingress {
    protocol  = -1
    self      = true
    from_port = 0
    to_port   = 0
  }
}
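The two configurations above keep the default self-referencing ingress rule. The hardened variant many baselines ask for (a default security group that permits no traffic at all, so that anything launched without an explicit security group has no connectivity) is simply the resource with neither block. The following is an added example, not one of the provider's own; the resource names and the VPC CIDR are the sample values used above.

```hcl
# Added example: lock the default security group down completely.
# Names (aws_vpc.mainvpc, aws_default_security_group.default) follow the
# examples above; the VPC CIDR is the same sample value.
resource "aws_vpc" "mainvpc" {
  cidr_block = "10.1.0.0/16"
}

# No ingress and no egress blocks: on the first apply Terraform strips every
# rule AWS created and leaves the group with none. Any rule later added in the
# console or through the API shows up as drift on the next terraform plan.
resource "aws_default_security_group" "default" {
  vpc_id = aws_vpc.mainvpc.id

  tags = {
    Name = "default-do-not-use"
  }
}
```

Because the resource treats its rule set as absolute, an empty rule set is enforced just like a populated one: a later `terraform plan` reports any out-of-band rule, and `terraform apply` removes it again.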

Removing aws_default_security_group From Your Configuration

Removing this resource from your configuration will remove it from your state file and from Terraform's management, but will not destroy the Security Group. All ingress and egress rules will be left as they are at the time of removal. You can resume managing them via the AWS Console.
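In Terraform v1.7.0 and later, the same effect can be recorded in configuration with a removed block, so the change is reviewable in version control rather than done as an ad hoc state operation. This is an added example and not part of the provider documentation; the address aws_default_security_group.default matches the examples above.

```hcl
# Added example: forget the default security group from state without
# touching the group or its current rules. Requires Terraform v1.7.0 or later.
# The address matches the examples above; replace it with your own.
removed {
  from = aws_default_security_group.default

  lifecycle {
    destroy = false
  }
}
```

Delete the original resource block at the same time, then run `terraform apply`; Terraform drops the object from state and leaves the group's rules as they are. On older Terraform versions, the equivalent is to delete the resource block and run `terraform state rm aws_default_security_group.default`.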

Argument Reference

The following arguments are optional:

egress and ingress

Both arguments are processed in attribute-as-blocks mode.

Both egress and ingress objects have the same arguments.

Attribute Reference

This resource exports the following attributes in addition to the arguments above:

Import

In Terraform v1.5.0 and later, use an import block to import Security Groups using the security group id. For example:

import {
  to = aws_default_security_group.default_sg
  id = "sg-903004f8"
}

Using terraform import, import Security Groups using the security group id. For example:

% terraform import aws_default_security_group.default_sg sg-903004f8