Class DefaultSecurityGroup

Provides a resource to manage the default AWS Security Group.

For EC2 Classic accounts, each region comes with a Default Security Group. Additionally, each VPC created in AWS comes with a Default Security Group that can be managed, but not destroyed. This is an advanced resource, and has special caveats to be aware of when using it. Please read this document in its entirety before using this resource.

The aws.ec2.DefaultSecurityGroup behaves differently from normal resources, in that this provider does not create this resource, but instead "adopts" it into management. We can do this because these default security groups cannot be destroyed, and are created with a known set of default ingress/egress rules.

When this provider first adopts the Default Security Group, it immediately removes all ingress and egress rules in the Security Group. It then proceeds to create any rules specified in the configuration. This step is required so that only the rules specified in the configuration are created.

This resource treats its inline rules as absolute: only the rules defined inline are created, and any rules added or removed outside this resource will show up as a diff on the next plan. For these reasons, this resource is incompatible with the aws.ec2.SecurityGroupRule resource.

For more information about Default Security Groups, see the AWS documentation on Default Security Groups.

Basic Example Usage, with default rules

The following config gives the Default Security Group the same rules that AWS provides by default, but pulls the resource under management by this provider. This means that any ingress or egress rules added or changed will be detected as drift.

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        var mainvpc = new Aws.Ec2.Vpc("mainvpc", new Aws.Ec2.VpcArgs
        {
            CidrBlock = "10.1.0.0/16",
        });
        // Adopt the VPC's default security group and re-create the rules AWS ships by default:
        // all outbound traffic allowed, inbound traffic allowed only from members of this group.
        var @default = new Aws.Ec2.DefaultSecurityGroup("default", new Aws.Ec2.DefaultSecurityGroupArgs
        {
            Egress =
            {
                new Aws.Ec2.Inputs.DefaultSecurityGroupEgressArgs
                {
                    CidrBlocks =
                    {
                        "0.0.0.0/0",
                    },
                    FromPort = 0,
                    Protocol = "-1", // "-1" means all protocols
                    ToPort = 0,
                },
            },
            Ingress =
            {
                new Aws.Ec2.Inputs.DefaultSecurityGroupIngressArgs
                {
                    FromPort = 0,
                    Protocol = "-1", // Protocol is a string input, not an int
                    Self = true,
                    ToPort = 0,
                },
            },
            VpcId = mainvpc.Id,
        });
    }
}

Example config to deny all Egress traffic, allowing Ingress

The following denies all Egress traffic by omitting any egress rules, while keeping the default ingress rule that allows all traffic from members of the group itself.

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        var mainvpc = new Aws.Ec2.Vpc("mainvpc", new Aws.Ec2.VpcArgs
        {
            CidrBlock = "10.1.0.0/16",
        });
        // No Egress block: after adoption the provider strips every existing egress rule
        // and adds none back, so outbound traffic from this group is denied.
        var @default = new Aws.Ec2.DefaultSecurityGroup("default", new Aws.Ec2.DefaultSecurityGroupArgs
        {
            Ingress =
            {
                new Aws.Ec2.Inputs.DefaultSecurityGroupIngressArgs
                {
                    FromPort = 0,
                    Protocol = "-1", // Protocol is a string input, not an int
                    Self = true,
                    ToPort = 0,
                },
            },
            VpcId = mainvpc.Id,
        });
    }
}
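The two examples above keep at least one rule. The configuration most hardening baselines ask for (for instance the CIS AWS Foundations Benchmark control that the default security group of every VPC restricts all traffic) is the fully empty group: because adoption removes every existing rule and only re-creates what is declared, omitting both Ingress and Egress leaves the group with no rules at all, and any rule later added by hand surfaces as drift on the next preview. The following is an added example, not code from this page or from the Pulumi project; the stack and VPC names, the CIDR, the tag values and the exported outputs are assumptions chosen for illustration.

```csharp
using Pulumi;
using Aws = Pulumi.Aws;

// Hypothetical stack that adopts the default security group of a new VPC
// and leaves it with no ingress and no egress rules at all.
class LockedDownDefaultSgStack : Stack
{
    public LockedDownDefaultSgStack()
    {
        var vpc = new Aws.Ec2.Vpc("app-vpc", new Aws.Ec2.VpcArgs
        {
            CidrBlock = "10.2.0.0/16", // assumed address range
        });

        // Neither Ingress nor Egress is set. On first adoption the provider strips
        // every rule AWS created, and since nothing is declared here none are added back,
        // so the group cannot pass traffic in either direction. Workloads should use
        // purpose-built aws.ec2.SecurityGroup resources instead of this group.
        var lockedDefault = new Aws.Ec2.DefaultSecurityGroup("locked-default", new Aws.Ec2.DefaultSecurityGroupArgs
        {
            VpcId = vpc.Id,
            Tags =
            {
                { "Name", "default-do-not-use" }, // assumed tag values
                { "ManagedBy", "pulumi" },
            },
        });

        // Export the rule counts so a reviewer can confirm from `pulumi stack output`
        // that the adopted group really is empty after `pulumi up`.
        this.DefaultSgId = lockedDefault.Id;
        this.IngressRuleCount = lockedDefault.Ingress.Apply(rules => rules.Length);
        this.EgressRuleCount = lockedDefault.Egress.Apply(rules => rules.Length);
    }

    [Output] public Output<string> DefaultSgId { get; set; }
    [Output] public Output<int> IngressRuleCount { get; set; }
    [Output] public Output<int> EgressRuleCount { get; set; }
}
```

Both exported counts are expected to read 0 once the update completes. If someone adds a rule in the console afterwards, the next `pulumi preview` reports the difference, and `pulumi up` removes the rule again, because the resource treats its inline rule lists as the complete set.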

Usage

With the exceptions mentioned above, aws.ec2.DefaultSecurityGroup should have identical behavior to aws.ec2.SecurityGroup. Please consult the aws.ec2.SecurityGroup documentation for further usage details.

Removing aws.ec2.DefaultSecurityGroup from your configuration

Each AWS VPC (or region, if using EC2 Classic) comes with a Default Security Group that cannot be deleted. The aws.ec2.DefaultSecurityGroup allows you to manage this Security Group, but this provider cannot destroy it. Removing this resource from your configuration will remove it from your statefile and management, but will not destroy the Security Group. All ingress or egress rules will be left as they are at the time of removal. You can resume managing them via the AWS Console.

Inheritance
System.Object
Resource
CustomResource
DefaultSecurityGroup
Inherited Members
CustomResource.Id
Resource.GetResourceType()
Resource.GetResourceName()
Resource.Urn
System.Object.Equals(System.Object)
System.Object.Equals(System.Object, System.Object)
System.Object.GetHashCode()
System.Object.GetType()
System.Object.MemberwiseClone()
System.Object.ReferenceEquals(System.Object, System.Object)
System.Object.ToString()
Namespace: Pulumi.Aws.Ec2
Assembly: Pulumi.Aws.dll
Syntax
public class DefaultSecurityGroup : CustomResource

Constructors

DefaultSecurityGroup(String, DefaultSecurityGroupArgs, CustomResourceOptions)

Create a DefaultSecurityGroup resource with the given unique name, arguments, and options.

Declaration
public DefaultSecurityGroup(string name, DefaultSecurityGroupArgs args = null, CustomResourceOptions options = null)
Parameters
Type Name Description
System.String name

The unique name of the resource

DefaultSecurityGroupArgs args

The arguments used to populate this resource's properties

CustomResourceOptions options

A bag of options that control this resource's behavior

Properties

Arn

Declaration
public Output<string> Arn { get; }
Property Value
Type Description
Output<System.String>

Description

The description of the security group

Declaration
public Output<string> Description { get; }
Property Value
Type Description
Output<System.String>

Egress

Can be specified multiple times for each egress rule. Each egress block supports fields documented below.

Declaration
public Output<ImmutableArray<DefaultSecurityGroupEgress>> Egress { get; }
Property Value
Type Description
Output<System.Collections.Immutable.ImmutableArray<DefaultSecurityGroupEgress>>

Ingress

Can be specified multiple times for each ingress rule. Each ingress block supports fields documented below.

Declaration
public Output<ImmutableArray<DefaultSecurityGroupIngress>> Ingress { get; }
Property Value
Type Description
Output<System.Collections.Immutable.ImmutableArray<DefaultSecurityGroupIngress>>

Name

The name of the security group

Declaration
public Output<string> Name { get; }
Property Value
Type Description
Output<System.String>

OwnerId

The owner ID.

Declaration
public Output<string> OwnerId { get; }
Property Value
Type Description
Output<System.String>

RevokeRulesOnDelete

Declaration
public Output<bool?> RevokeRulesOnDelete { get; }
Property Value
Type Description
Output<System.Nullable<System.Boolean>>

Tags

A map of tags to assign to the resource.

Declaration
public Output<ImmutableDictionary<string, object>> Tags { get; }
Property Value
Type Description
Output<System.Collections.Immutable.ImmutableDictionary<System.String, System.Object>>

VpcId

The VPC ID. Note that changing the vpc_id will not restore any default security group rules that were modified, added, or removed in the previously managed group; that group is left in its current state.

Declaration
public Output<string> VpcId { get; }
Property Value
Type Description
Output<System.String>

Methods

Get(String, Input<String>, DefaultSecurityGroupState, CustomResourceOptions)

Get an existing DefaultSecurityGroup resource's state with the given name, ID, and optional extra properties used to qualify the lookup.

Declaration
public static DefaultSecurityGroup Get(string name, Input<string> id, DefaultSecurityGroupState state = null, CustomResourceOptions options = null)
Parameters
Type Name Description
System.String name

The unique name of the resulting resource.

Input<System.String> id

The unique provider ID of the resource to lookup.

DefaultSecurityGroupState state

Any extra arguments used during the lookup.

CustomResourceOptions options

A bag of options that control this resource's behavior

Returns
Type Description
DefaultSecurityGroup
Copyright 2016-2020, Pulumi Corporation.