terraform/website/source/docs/providers/aws/r/security_group.html.markdown

---
layout: "aws"
page_title: "AWS: aws_security_group"
sidebar_current: "docs-aws-resource-security-group"
description: |-
  Provides an security group resource.
---

# aws\_security\_group

Provides an security group resource.

## Example Usage

Basic usage

```
resource "aws_security_group" "allow_all" {
  name = "allow_all"
  description = "Allow all inbound traffic"

  ingress {
      from_port = 0
      to_port = 65535
      protocol = "-1"
      cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
      from_port = 0
      to_port = 65535
      protocol = "-1"
      cidr_blocks = ["0.0.0.0/0"]
  }
}
```

Basic usage with tags:

```
resource "aws_security_group" "allow_all" {
  name = "allow_all"
  description = "Allow all inbound traffic"

  ingress {
      from_port = 0
      to_port = 65535
      protocol = "tcp"
      cidr_blocks = ["0.0.0.0/0"]
  }

  tags {
    Name = "allow_all"
  }
}
```

## Argument Reference

The following arguments are supported:

* `name` - (Required) The name of the security group
* `description` - (Required) The security group description.
* `ingress` - (Optional) Can be specified multiple times for each
   ingress rule. Each ingress block supports fields documented below.
* `egress` - (Optional, VPC only) Can be specified multiple times for each
      egress rule. Each egress block supports fields documented below.
* `vpc_id` - (Optional) The VPC ID.
* `tags` - (Optional) A mapping of tags to assign to the resource.

The `ingress` block supports:

* `cidr_blocks` - (Optional) List of CIDR blocks. Cannot be used with `security_groups`.
* `from_port` - (Required) The start port.
* `protocol` - (Required) The protocol.
* `security_groups` - (Optional) List of security group Group Names if using
    EC2-Classic or the default VPC, or Group IDs if using a non-default VPC.
    Cannot be used with `cidr_blocks`.
* `self` - (Optional) If true, the security group itself will be added as
     a source to this ingress rule.
* `to_port` - (Required) The end range port.

The `egress` block supports:

* `cidr_blocks` - (Optional) List of CIDR blocks. Cannot be used with `security_groups`.
* `from_port` - (Required) The start port.
* `protocol` - (Required) The protocol.
* `security_groups` - (Optional) List of security group Group Names if using
    EC2-Classic or the default VPC, or Group IDs if using a non-default VPC.
    Cannot be used with `cidr_blocks`.
* `self` - (Optional) If true, the security group itself will be added as
     a source to this egress rule.
* `to_port` - (Required) The end range port.

~> **NOTE on Egress rules:** By default, AWS creates an `ALLOW ALL` egress rule when creating a
new Security Group inside of a VPC. When creating a new Security
Group inside a VPC, **Terraform will remove this default rule**, and require you
specifically re-create it if you desire that rule. We feel this leads to fewer
surprises in terms of controlling your egress rules. If you desire this rule to
be in place, you can use this `egress` block:

    egress {
      from_port = 0
      to_port = 0
      protocol = "-1"
      cidr_block = "0.0.0.0/0"
    }

## Attributes Reference

The following attributes are exported:

* `id` - The ID of the security group
* `vpc_id` - The VPC ID.
* `owner_id` - The owner ID.
* `name` - The name of the security group
* `description` - The description of the security group
* `ingress` - The ingress rules. See above for more.
* `egress` - The egress rules. See above for more.
website: Docs for VPC, subnet, sec group 2014-07-23 22:32:33 +02:00			`---`
			`layout: "aws"`
			`page_title: "AWS: aws_security_group"`
			`sidebar_current: "docs-aws-resource-security-group"`
Add meta descriptions to all pages 2014-10-22 05:21:56 +02:00			`description: \|-`
			`Provides an security group resource.`
website: Docs for VPC, subnet, sec group 2014-07-23 22:32:33 +02:00			`---`

			`# aws\_security\_group`

			`Provides an security group resource.`

			`## Example Usage`

Added security group tagging 2014-10-14 23:07:01 +02:00			`Basic usage`

website: Docs for VPC, subnet, sec group 2014-07-23 22:32:33 +02:00			```
			`resource "aws_security_group" "allow_all" {`
Added security group tagging 2014-10-14 23:07:01 +02:00			`name = "allow_all"`
fix indent align indentation with the rest of the code. 2015-03-18 19:45:32 +01:00			`description = "Allow all inbound traffic"`
Add required description attribute to aws_security_group example. 2014-08-03 04:39:22 +02:00
Added security group tagging 2014-10-14 23:07:01 +02:00			`ingress {`
			`from_port = 0`
			`to_port = 65535`
protocol value for all traffic should be -1 If it is all traffic instead of all tcp traffic , protocol should be equal -1 , otherwise indicate all tcp not all traffic 2015-03-03 00:33:54 +01:00			`protocol = "-1"`
Added security group tagging 2014-10-14 23:07:01 +02:00			`cidr_blocks = ["0.0.0.0/0"]`
			`}`
adding documentation 2015-02-17 19:23:10 +01:00
			`egress {`
			`from_port = 0`
			`to_port = 65535`
protocol value for all traffic should be -1 If it is all traffic instead of all tcp traffic , protocol should be equal -1 , otherwise indicate all tcp not all traffic 2015-03-03 00:33:54 +01:00			`protocol = "-1"`
adding documentation 2015-02-17 19:23:10 +01:00			`cidr_blocks = ["0.0.0.0/0"]`
			`}`
Added security group tagging 2014-10-14 23:07:01 +02:00			`}`
			```

			`Basic usage with tags:`

			```
			`resource "aws_security_group" "allow_all" {`
			`name = "allow_all"`
			`description = "Allow all inbound traffic"`

			`ingress {`
			`from_port = 0`
			`to_port = 65535`
			`protocol = "tcp"`
			`cidr_blocks = ["0.0.0.0/0"]`
			`}`

			`tags {`
			`Name = "allow_all"`
			`}`
website: Docs for VPC, subnet, sec group 2014-07-23 22:32:33 +02:00			`}`
			```

			`## Argument Reference`

			`The following arguments are supported:`

			* `name` - (Required) The name of the security group
website: document security group description requirement 2014-07-30 23:59:09 +02:00			* `description` - (Required) The security group description.
aws: Making security group ingress rules optional 2014-12-08 08:52:04 +01:00			* `ingress` - (Optional) Can be specified multiple times for each
website: Docs for VPC, subnet, sec group 2014-07-23 22:32:33 +02:00			`ingress rule. Each ingress block supports fields documented below.`
revert the required part 2015-05-05 23:22:18 +02:00			* `egress` - (Optional, VPC only) Can be specified multiple times for each
adding documentation 2015-02-17 19:23:10 +01:00			`egress rule. Each egress block supports fields documented below.`
website: Docs for VPC, subnet, sec group 2014-07-23 22:32:33 +02:00			* `vpc_id` - (Optional) The VPC ID.
docs: move aws SG tags from rules to resource fixes #1479 2015-04-10 21:29:31 +02:00			* `tags` - (Optional) A mapping of tags to assign to the resource.
website: Docs for VPC, subnet, sec group 2014-07-23 22:32:33 +02:00
			The `ingress` block supports:

Revert "docs: consistent use of array configuration syntax" This reverts commit 4893eb8b559c3664377c5c5aab4b30f82caa922b. 2015-01-14 18:28:25 +01:00			* `cidr_blocks` - (Optional) List of CIDR blocks. Cannot be used with `security_groups`.
website: Docs for VPC, subnet, sec group 2014-07-23 22:32:33 +02:00			* `from_port` - (Required) The start port.
			* `protocol` - (Required) The protocol.
security_groups field expects a list of Security Group Group Names, not IDs 2015-04-09 21:41:41 +02:00			* `security_groups` - (Optional) List of security group Group Names if using
			`EC2-Classic or the default VPC, or Group IDs if using a non-default VPC.`
			Cannot be used with `cidr_blocks`.
providers/aws: add `self` to ingress [GH-219] 2014-09-30 23:19:16 +02:00			* `self` - (Optional) If true, the security group itself will be added as
			`a source to this ingress rule.`
website: Docs for VPC, subnet, sec group 2014-07-23 22:32:33 +02:00			* `to_port` - (Required) The end range port.

adding documentation 2015-02-17 19:23:10 +01:00			The `egress` block supports:

			* `cidr_blocks` - (Optional) List of CIDR blocks. Cannot be used with `security_groups`.
			* `from_port` - (Required) The start port.
			* `protocol` - (Required) The protocol.
security_groups field expects a list of Security Group Group Names, not IDs 2015-04-09 21:41:41 +02:00			* `security_groups` - (Optional) List of security group Group Names if using
			`EC2-Classic or the default VPC, or Group IDs if using a non-default VPC.`
			Cannot be used with `cidr_blocks`.
adding documentation 2015-02-17 19:23:10 +01:00			* `self` - (Optional) If true, the security group itself will be added as
			`a source to this egress rule.`
			* `to_port` - (Required) The end range port.

Document Egress+VPC change, update link 2015-05-01 17:07:46 +02:00			~> NOTE on Egress rules: By default, AWS creates an `ALLOW ALL` egress rule when creating a
			`new Security Group inside of a VPC. When creating a new Security`
			`Group inside a VPC, Terraform will remove this default rule, and require you`
			`specifically re-create it if you desire that rule. We feel this leads to fewer`
			`surprises in terms of controlling your egress rules. If you desire this rule to`
			be in place, you can use this `egress` block:

			`egress {`
			`from_port = 0`
			`to_port = 0`
			`protocol = "-1"`
			`cidr_block = "0.0.0.0/0"`
			`}`

website: Docs for VPC, subnet, sec group 2014-07-23 22:32:33 +02:00			`## Attributes Reference`

			`The following attributes are exported:`

			* `id` - The ID of the security group
			* `vpc_id` - The VPC ID.
			* `owner_id` - The owner ID.
			* `name` - The name of the security group
			* `description` - The description of the security group
			* `ingress` - The ingress rules. See above for more.
adding documentation 2015-02-17 19:23:10 +01:00			* `egress` - The egress rules. See above for more.