DefaultSecurityGroup
Provides a resource to manage the default AWS Security Group.
For EC2 Classic accounts, each region comes with a Default Security Group. Additionally, each VPC created in AWS comes with a Default Security Group that can be managed, but not destroyed. This is an advanced resource, and has special caveats to be aware of when using it. Please read this document in its entirety before using this resource.
The aws.ec2.DefaultSecurityGroup behaves differently from normal resources, in that
this provider does not create this resource, but instead “adopts” it
into management. We can do this because these default security groups cannot be
destroyed, and are created with a known set of default ingress/egress rules.
When this provider first adopts the Default Security Group, it immediately removes all ingress and egress rules in the Security Group. It then proceeds to create any rules specified in the configuration. This step is required so that only the rules specified in the configuration are created.
This resource treats its inline rules as absolute; only the rules defined
inline are created, and any additions/removals external to this resource will
result in diff shown. For these reasons, this resource is incompatible with the
aws.ec2.SecurityGroupRule resource.
For more information about Default Security Groups, see the AWS Documentation on [Default Security Groups][aws-default-security-groups].
Basic Example Usage, with default rules
The following config gives the Default Security Group the same rules that AWS provides by default, but pulls the resource under management by this provider. This means that any ingress or egress rules added or changed will be detected as drift.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const mainvpc = new aws.ec2.Vpc("mainvpc", {
cidrBlock: "10.1.0.0/16",
});
const defaultDefaultSecurityGroup = new aws.ec2.DefaultSecurityGroup("default", {
egress: [{
cidrBlocks: ["0.0.0.0/0"],
fromPort: 0,
protocol: "-1",
toPort: 0,
}],
ingress: [{
fromPort: 0,
protocol: "-1",
self: true,
toPort: 0,
}],
vpcId: mainvpc.id,
});import pulumi
import pulumi_aws as aws
mainvpc = aws.ec2.Vpc("mainvpc", cidr_block="10.1.0.0/16")
default = aws.ec2.DefaultSecurityGroup("default",
egress=[{
"cidr_blocks": ["0.0.0.0/0"],
"from_port": 0,
"protocol": "-1",
"to_port": 0,
}],
ingress=[{
"from_port": 0,
"protocol": -1,
"self": True,
"to_port": 0,
}],
vpc_id=mainvpc.id)using Pulumi;
using Aws = Pulumi.Aws;
class MyStack : Stack
{
public MyStack()
{
var mainvpc = new Aws.Ec2.Vpc("mainvpc", new Aws.Ec2.VpcArgs
{
CidrBlock = "10.1.0.0/16",
});
var @default = new Aws.Ec2.DefaultSecurityGroup("default", new Aws.Ec2.DefaultSecurityGroupArgs
{
Egress =
{
new Aws.Ec2.Inputs.DefaultSecurityGroupEgressArgs
{
CidrBlocks =
{
"0.0.0.0/0",
},
FromPort = 0,
Protocol = "-1",
ToPort = 0,
},
},
Ingress =
{
new Aws.Ec2.Inputs.DefaultSecurityGroupIngressArgs
{
FromPort = 0,
Protocol = "-1",
Self = true,
ToPort = 0,
},
},
VpcId = mainvpc.Id,
});
}
}
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v2/go/aws/ec2"
"github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
mainvpc, err := ec2.NewVpc(ctx, "mainvpc", &ec2.VpcArgs{
CidrBlock: pulumi.String("10.1.0.0/16"),
})
if err != nil {
return err
}
_, err = ec2.NewDefaultSecurityGroup(ctx, "_default", &ec2.DefaultSecurityGroupArgs{
Egress: ec2.DefaultSecurityGroupEgressArray{
&ec2.DefaultSecurityGroupEgressArgs{
CidrBlocks: pulumi.StringArray{
pulumi.String("0.0.0.0/0"),
},
FromPort: pulumi.Int(0),
Protocol: pulumi.String("-1"),
ToPort: pulumi.Int(0),
},
},
Ingress: ec2.DefaultSecurityGroupIngressArray{
&ec2.DefaultSecurityGroupIngressArgs{
FromPort: pulumi.Int(0),
Protocol: pulumi.String("-1"),
Self: pulumi.Bool(true),
ToPort: pulumi.Int(0),
},
},
VpcId: mainvpc.ID(),
})
if err != nil {
return err
}
return nil
})
}Example config to deny all Egress traffic, allowing Ingress
The following denies all Egress traffic by omitting any egress rules, while
including the default ingress rule to allow all traffic.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const mainvpc = new aws.ec2.Vpc("mainvpc", {
cidrBlock: "10.1.0.0/16",
});
const defaultDefaultSecurityGroup = new aws.ec2.DefaultSecurityGroup("default", {
ingress: [{
fromPort: 0,
protocol: "-1",
self: true,
toPort: 0,
}],
vpcId: mainvpc.id,
});import pulumi
import pulumi_aws as aws
mainvpc = aws.ec2.Vpc("mainvpc", cidr_block="10.1.0.0/16")
default = aws.ec2.DefaultSecurityGroup("default",
ingress=[{
"from_port": 0,
"protocol": -1,
"self": True,
"to_port": 0,
}],
vpc_id=mainvpc.id)using Pulumi;
using Aws = Pulumi.Aws;
class MyStack : Stack
{
public MyStack()
{
var mainvpc = new Aws.Ec2.Vpc("mainvpc", new Aws.Ec2.VpcArgs
{
CidrBlock = "10.1.0.0/16",
});
var @default = new Aws.Ec2.DefaultSecurityGroup("default", new Aws.Ec2.DefaultSecurityGroupArgs
{
Ingress =
{
new Aws.Ec2.Inputs.DefaultSecurityGroupIngressArgs
{
FromPort = 0,
Protocol = "-1",
Self = true,
ToPort = 0,
},
},
VpcId = mainvpc.Id,
});
}
}
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v2/go/aws/ec2"
"github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
mainvpc, err := ec2.NewVpc(ctx, "mainvpc", &ec2.VpcArgs{
CidrBlock: pulumi.String("10.1.0.0/16"),
})
if err != nil {
return err
}
_, err = ec2.NewDefaultSecurityGroup(ctx, "_default", &ec2.DefaultSecurityGroupArgs{
Ingress: ec2.DefaultSecurityGroupIngressArray{
&ec2.DefaultSecurityGroupIngressArgs{
FromPort: pulumi.Int(0),
Protocol: pulumi.String("-1"),
Self: pulumi.Bool(true),
ToPort: pulumi.Int(0),
},
},
VpcId: mainvpc.ID(),
})
if err != nil {
return err
}
return nil
})
}Usage
With the exceptions mentioned above, aws.ec2.DefaultSecurityGroup should
identical behavior to aws.ec2.SecurityGroup. Please consult AWS_SECURITY_GROUP
for further usage documentation.
Removing aws.ec2.DefaultSecurityGroup from your configuration
Each AWS VPC (or region, if using EC2 Classic) comes with a Default Security
Group that cannot be deleted. The aws.ec2.DefaultSecurityGroup allows you to
manage this Security Group, but this provider cannot destroy it. Removing this resource
from your configuration will remove it from your statefile and management, but
will not destroy the Security Group. All ingress or egress rules will be left as
they are at the time of removal. You can resume managing them via the AWS Console.
Create a DefaultSecurityGroup Resource
new DefaultSecurityGroup(name: string, args?: DefaultSecurityGroupArgs, opts?: CustomResourceOptions);def DefaultSecurityGroup(resource_name, opts=None, egress=None, ingress=None, revoke_rules_on_delete=None, tags=None, vpc_id=None, __props__=None);func NewDefaultSecurityGroup(ctx *Context, name string, args *DefaultSecurityGroupArgs, opts ...ResourceOption) (*DefaultSecurityGroup, error)public DefaultSecurityGroup(string name, DefaultSecurityGroupArgs? args = null, CustomResourceOptions? opts = null)- name string
- The unique name of the resource.
- args DefaultSecurityGroupArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- opts ResourceOptions
- A bag of options that control this resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args DefaultSecurityGroupArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args DefaultSecurityGroupArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
DefaultSecurityGroup Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.
Inputs
The DefaultSecurityGroup resource accepts the following input properties:
- Egress
List<Default
Security Group Egress Args> Can be specified multiple times for each egress rule. Each egress block supports fields documented below.
- Ingress
List<Default
Security Group Ingress Args> Can be specified multiple times for each ingress rule. Each ingress block supports fields documented below.
- Revoke
Rules boolOn Delete - Dictionary<string, string>
A map of tags to assign to the resource.
- Vpc
Id string The VPC ID. Note that changing the
vpc_idwill not restore any default security group rules that were modified, added, or removed. It will be left in its current state
- Egress
[]Default
Security Group Egress Can be specified multiple times for each egress rule. Each egress block supports fields documented below.
- Ingress
[]Default
Security Group Ingress Can be specified multiple times for each ingress rule. Each ingress block supports fields documented below.
- Revoke
Rules boolOn Delete - map[string]string
A map of tags to assign to the resource.
- Vpc
Id string The VPC ID. Note that changing the
vpc_idwill not restore any default security group rules that were modified, added, or removed. It will be left in its current state
- egress
Default
Security Group Egress[] Can be specified multiple times for each egress rule. Each egress block supports fields documented below.
- ingress
Default
Security Group Ingress[] Can be specified multiple times for each ingress rule. Each ingress block supports fields documented below.
- revoke
Rules booleanOn Delete - {[key: string]: string}
A map of tags to assign to the resource.
- vpc
Id string The VPC ID. Note that changing the
vpc_idwill not restore any default security group rules that were modified, added, or removed. It will be left in its current state
- egress
List[Default
Security Group Egress] Can be specified multiple times for each egress rule. Each egress block supports fields documented below.
- ingress
List[Default
Security Group Ingress] Can be specified multiple times for each ingress rule. Each ingress block supports fields documented below.
- revoke_
rules_ boolon_ delete - Dict[str, str]
A map of tags to assign to the resource.
- vpc_
id str The VPC ID. Note that changing the
vpc_idwill not restore any default security group rules that were modified, added, or removed. It will be left in its current state
Outputs
All input properties are implicitly available as output properties. Additionally, the DefaultSecurityGroup resource produces the following output properties:
Look up an Existing DefaultSecurityGroup Resource
Get an existing DefaultSecurityGroup resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: DefaultSecurityGroupState, opts?: CustomResourceOptions): DefaultSecurityGroupstatic get(resource_name, id, opts=None, arn=None, description=None, egress=None, ingress=None, name=None, owner_id=None, revoke_rules_on_delete=None, tags=None, vpc_id=None, __props__=None);func GetDefaultSecurityGroup(ctx *Context, name string, id IDInput, state *DefaultSecurityGroupState, opts ...ResourceOption) (*DefaultSecurityGroup, error)public static DefaultSecurityGroup Get(string name, Input<string> id, DefaultSecurityGroupState? state, CustomResourceOptions? opts = null)- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
The following state arguments are supported:
- Arn string
- Description string
The description of the security group
- Egress
List<Default
Security Group Egress Args> Can be specified multiple times for each egress rule. Each egress block supports fields documented below.
- Ingress
List<Default
Security Group Ingress Args> Can be specified multiple times for each ingress rule. Each ingress block supports fields documented below.
- Name string
The name of the security group
- Owner
Id string The owner ID.
- Revoke
Rules boolOn Delete - Dictionary<string, string>
A map of tags to assign to the resource.
- Vpc
Id string The VPC ID. Note that changing the
vpc_idwill not restore any default security group rules that were modified, added, or removed. It will be left in its current state
- Arn string
- Description string
The description of the security group
- Egress
[]Default
Security Group Egress Can be specified multiple times for each egress rule. Each egress block supports fields documented below.
- Ingress
[]Default
Security Group Ingress Can be specified multiple times for each ingress rule. Each ingress block supports fields documented below.
- Name string
The name of the security group
- Owner
Id string The owner ID.
- Revoke
Rules boolOn Delete - map[string]string
A map of tags to assign to the resource.
- Vpc
Id string The VPC ID. Note that changing the
vpc_idwill not restore any default security group rules that were modified, added, or removed. It will be left in its current state
- arn string
- description string
The description of the security group
- egress
Default
Security Group Egress[] Can be specified multiple times for each egress rule. Each egress block supports fields documented below.
- ingress
Default
Security Group Ingress[] Can be specified multiple times for each ingress rule. Each ingress block supports fields documented below.
- name string
The name of the security group
- owner
Id string The owner ID.
- revoke
Rules booleanOn Delete - {[key: string]: string}
A map of tags to assign to the resource.
- vpc
Id string The VPC ID. Note that changing the
vpc_idwill not restore any default security group rules that were modified, added, or removed. It will be left in its current state
- arn str
- description str
The description of the security group
- egress
List[Default
Security Group Egress] Can be specified multiple times for each egress rule. Each egress block supports fields documented below.
- ingress
List[Default
Security Group Ingress] Can be specified multiple times for each ingress rule. Each ingress block supports fields documented below.
- name str
The name of the security group
- owner_
id str The owner ID.
- revoke_
rules_ boolon_ delete - Dict[str, str]
A map of tags to assign to the resource.
- vpc_
id str The VPC ID. Note that changing the
vpc_idwill not restore any default security group rules that were modified, added, or removed. It will be left in its current state
Supporting Types
DefaultSecurityGroupEgress
- From
Port int - Protocol string
- To
Port int - Cidr
Blocks List<string> - Description string
The description of the security group
- Ipv6Cidr
Blocks List<string> - Prefix
List List<string>Ids - Security
Groups List<string> - Self bool
- From
Port int - Protocol string
- To
Port int - Cidr
Blocks []string - Description string
The description of the security group
- Ipv6Cidr
Blocks []string - Prefix
List []stringIds - Security
Groups []string - Self bool
- from
Port number - protocol string
- to
Port number - cidr
Blocks string[] - description string
The description of the security group
- ipv6Cidr
Blocks string[] - prefix
List string[]Ids - security
Groups string[] - self boolean
- from_
port float - protocol str
- to_
port float - cidr_
blocks List[str] - description str
The description of the security group
- ipv6_
cidr_ List[str]blocks - prefix_
list_ List[str]ids - security_
groups List[str] - self bool
DefaultSecurityGroupIngress
- From
Port int - Protocol string
- To
Port int - Cidr
Blocks List<string> - Description string
The description of the security group
- Ipv6Cidr
Blocks List<string> - Prefix
List List<string>Ids - Security
Groups List<string> - Self bool
- From
Port int - Protocol string
- To
Port int - Cidr
Blocks []string - Description string
The description of the security group
- Ipv6Cidr
Blocks []string - Prefix
List []stringIds - Security
Groups []string - Self bool
- from
Port number - protocol string
- to
Port number - cidr
Blocks string[] - description string
The description of the security group
- ipv6Cidr
Blocks string[] - prefix
List string[]Ids - security
Groups string[] - self boolean
- from_
port float - protocol str
- to_
port float - cidr_
blocks List[str] - description str
The description of the security group
- ipv6_
cidr_ List[str]blocks - prefix_
list_ List[str]ids - security_
groups List[str] - self bool
Package Details
- Repository
- https://github.com/pulumi/pulumi-aws
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
awsTerraform Provider.