
Resource: awsDefaultSecurityGroup

Provides a resource to manage a default security group. This resource can manage the default security group of the default or a non-default VPC.

~> NOTE: This is an advanced resource with special caveats. Please read this document in its entirety before using this resource. The awsDefaultSecurityGroup resource behaves differently from normal resources. Terraform does not create this resource but instead attempts to "adopt" it into management.

When Terraform first begins managing the default security group, it immediately removes all ingress and egress rules in the Security Group. It then creates any rules specified in the configuration. This way only the rules specified in the configuration are created.

This resource treats its inline rules as absolute: only the rules defined inline are created, and any rule added or removed outside of this resource will show up as a diff on the next plan. For these reasons, this resource is incompatible with the awsSecurityGroupRule resource.

For more information about default security groups, see the AWS documentation on Default Security Groups. To manage normal security groups, see the awsSecurityGroup resource.

Example Usage

The following config gives the default security group the same rules that AWS provides by default but under management by Terraform. This means that any ingress or egress rules added or changed will be detected as drift.

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import { Construct } from "constructs";
import { TerraformStack } from "cdktf";
import * as aws from "./.gen/providers/aws";

// The snippet is wrapped in a stack so that `this` is a valid construct scope;
// an AWS provider configuration is assumed to exist elsewhere in the stack.
class DefaultSgStack extends TerraformStack {
  constructor(scope: Construct, id: string) {
    super(scope, id);
    const awsVpcMainvpc = new aws.vpc.Vpc(this, "mainvpc", {
      cidrBlock: "10.1.0.0/16",
    });
    // Adopts the VPC's default security group and replaces its rules with exactly these.
    new aws.defaultSecurityGroup.DefaultSecurityGroup(this, "default", {
      // Outbound: all traffic to anywhere (what AWS configures by default).
      egress: [
        {
          cidrBlocks: ["0.0.0.0/0"],
          fromPort: 0,
          protocol: "-1",
          toPort: 0,
        },
      ],
      // Inbound: all traffic, but only from members of this group (AWS default).
      ingress: [
        {
          fromPort: 0,
          protocol: "-1", // string, not a number; "-1" requires fromPort/toPort of 0
          selfAttribute: true, // CDKTF name for the `self` argument
          toPort: 0,
        },
      ],
      vpcId: awsVpcMainvpc.id,
    });
  }
}

Example Config To Deny All Egress Traffic, Allowing Ingress

The following denies all egress traffic by omitting any egress rules, while keeping the default ingress rule that allows all traffic from members of the group.

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import { Construct } from "constructs";
import { TerraformStack } from "cdktf";
import * as aws from "./.gen/providers/aws";

// The snippet is wrapped in a stack so that `this` is a valid construct scope;
// an AWS provider configuration is assumed to exist elsewhere in the stack.
class DenyEgressStack extends TerraformStack {
  constructor(scope: Construct, id: string) {
    super(scope, id);
    const awsVpcMainvpc = new aws.vpc.Vpc(this, "mainvpc", {
      cidrBlock: "10.1.0.0/16",
    });
    // No egress block at all: after adoption the group has zero outbound rules,
    // so all outbound traffic from instances in it is dropped.
    new aws.defaultSecurityGroup.DefaultSecurityGroup(this, "default", {
      ingress: [
        {
          fromPort: 0,
          protocol: "-1", // string, not a number; "-1" requires fromPort/toPort of 0
          selfAttribute: true, // CDKTF name for the `self` argument
          toPort: 0,
        },
      ],
      vpcId: awsVpcMainvpc.id,
    });
  }
}

Removing awsDefaultSecurityGroup From Your Configuration

Removing this resource from your configuration will remove it from your state file and from Terraform management, but will not destroy the security group. All ingress and egress rules will be left as they are at the time of removal. You can resume managing them via the AWS Console.

Argument Reference

The following arguments are optional:

  • egress - (Optional, VPC only) Configuration block. Detailed below.
  • ingress - (Optional) Configuration block. Detailed below.
  • tags - (Optional) Map of tags to assign to the resource. If configured with a provider defaultTags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
  • vpcId - (Optional, Forces new resource) VPC ID. Note that changing the vpcId will not restore any default security group rules that were modified, added, or removed. It will be left in its current state.

egress and ingress

Both arguments are processed in attribute-as-blocks mode.

Both egress and ingress objects have the same arguments.

  • cidrBlocks - (Optional) List of CIDR blocks.
  • description - (Optional) Description of this rule.
  • fromPort - (Required) Start port (or ICMP type number if protocol is icmp)
  • ipv6CidrBlocks - (Optional) List of IPv6 CIDR blocks.
  • prefixListIds - (Optional) List of prefix list IDs (for allowing access to VPC endpoints)
  • protocol - (Required) Protocol. If you select a protocol of "-1" (semantically equivalent to "all", which is not a valid value here), you must specify a fromPort and toPort equal to 0. If not icmp, tcp, udp, or "-1", use the protocol number.
  • securityGroups - (Optional) List of security groups. A group name can be used relative to the default VPC. Otherwise, group ID.
  • self - (Optional) Whether the security group itself will be added as a source (ingress) or destination (egress) for this rule. In the generated TypeScript bindings this argument is named selfAttribute, as in the examples above.
  • toPort - (Required) End range port (or ICMP code if protocol is icmp).
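The rule constraints listed above (the protocol "-1" port requirement, every rule needing at least one source or destination) and the "no egress block means no outbound traffic" behaviour from the earlier example are easy to get wrong in a large stack. The following is an added example, not code from the provider or its documentation: a dependency-free TypeScript checker that takes rule objects in the same shape the CDKTF bindings accept and reports validation problems plus the resulting posture. The type names (SgRule, DefaultSgConfig, Posture), the function names and the sample configurations are this example's own constructions; the field names match the CDKTF arguments shown on this page.

```typescript
// Added example (not from the provider docs): validate ingress/egress rule objects
// shaped like the CDKTF DefaultSecurityGroup config and summarise the resulting posture.
// SgRule, DefaultSgConfig, Posture and the function names are this example's own.

interface SgRule {
  fromPort: number;
  toPort: number;
  protocol: string; // "tcp", "udp", "icmp", "-1", or a protocol number as a string
  cidrBlocks?: string[];
  ipv6CidrBlocks?: string[];
  prefixListIds?: string[];
  securityGroups?: string[];
  selfAttribute?: boolean; // CDKTF name for the `self` argument
  description?: string;
}

interface DefaultSgConfig {
  ingress?: SgRule[];
  egress?: SgRule[];
}

interface Posture {
  problems: string[]; // empty when every rule satisfies the documented constraints
  egressDenied: boolean; // true when no egress rules exist: all outbound traffic dropped
  worldOpenIngress: number; // ingress rules allowing all traffic from 0.0.0.0/0 or ::/0
}

function hasEntries(list?: string[]): boolean {
  return list !== undefined && list.length > 0;
}

// Problems with a single rule according to the argument reference; empty array = valid.
function validateRule(rule: SgRule, direction: "ingress" | "egress"): string[] {
  const problems: string[] = [];
  // Provider constraint: protocol "-1" (all traffic) requires fromPort and toPort of 0.
  if (rule.protocol === "-1" && (rule.fromPort !== 0 || rule.toPort !== 0)) {
    problems.push(direction + ': protocol "-1" requires fromPort and toPort equal to 0');
  }
  // For real port ranges the range must not be inverted (ICMP uses type/code instead).
  if (rule.protocol !== "-1" && rule.protocol !== "icmp" && rule.fromPort > rule.toPort) {
    problems.push(direction + ": fromPort " + rule.fromPort + " is greater than toPort " + rule.toPort);
  }
  // A rule with no source/destination at all matches nothing and is almost certainly a mistake.
  const hasPeer =
    hasEntries(rule.cidrBlocks) || hasEntries(rule.ipv6CidrBlocks) ||
    hasEntries(rule.prefixListIds) || hasEntries(rule.securityGroups) ||
    rule.selfAttribute === true;
  if (!hasPeer) {
    problems.push(direction + ": rule has no cidrBlocks, ipv6CidrBlocks, prefixListIds, securityGroups or selfAttribute");
  }
  return problems;
}

// True when a rule admits every protocol and port from anywhere (the classic wide-open rule).
function isOpenToWorld(rule: SgRule): boolean {
  const v4 = (rule.cidrBlocks || []).indexOf("0.0.0.0/0") !== -1;
  const v6 = (rule.ipv6CidrBlocks || []).indexOf("::/0") !== -1;
  return (v4 || v6) && rule.protocol === "-1";
}

function assessDefaultSg(config: DefaultSgConfig): Posture {
  const ingress = config.ingress || [];
  const egress = config.egress || [];
  let problems: string[] = [];
  for (const r of ingress) problems = problems.concat(validateRule(r, "ingress"));
  for (const r of egress) problems = problems.concat(validateRule(r, "egress"));
  let open = 0;
  for (const r of ingress) if (isOpenToWorld(r)) open++;
  return { problems: problems, egressDenied: egress.length === 0, worldOpenIngress: open };
}

// Constructed sample configs: the two shapes from the examples on this page plus a faulty one.
const awsDefaultShape: DefaultSgConfig = {
  ingress: [{ fromPort: 0, toPort: 0, protocol: "-1", selfAttribute: true }],
  egress: [{ fromPort: 0, toPort: 0, protocol: "-1", cidrBlocks: ["0.0.0.0/0"] }],
};
const denyAllEgress: DefaultSgConfig = {
  ingress: [{ fromPort: 0, toPort: 0, protocol: "-1", selfAttribute: true }],
};
// Constructed mistake: "-1" with a port range (rejected by the provider) and open to the world.
const mistaken: DefaultSgConfig = {
  ingress: [{ fromPort: 0, toPort: 65535, protocol: "-1", cidrBlocks: ["0.0.0.0/0"] }],
};

console.log(JSON.stringify(assessDefaultSg(awsDefaultShape)));
console.log(JSON.stringify(assessDefaultSg(denyAllEgress)));
console.log(JSON.stringify(assessDefaultSg(mistaken)));
```

Running the checker over a config before synthesis catches the port-range mistake locally rather than at apply time, and the egressDenied flag makes the "omitted egress block" behaviour explicit in review output, which is the case most often deployed by accident.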

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • arn - ARN of the security group.
  • description - Description of the security group.
  • id - ID of the security group.
  • name - Name of the security group.
  • ownerId - Owner ID.
  • tagsAll - A map of tags assigned to the resource, including those inherited from the provider defaultTags configuration block.

Import

Security Groups can be imported using the securityGroupId, e.g.,

$ terraform import aws_default_security_group.default_sg sg-903004f8