diff --git a/builtin/providers/aws/resource_aws_security_group.go b/builtin/providers/aws/resource_aws_security_group.go index 4d9b572d6..034b41ab3 100644 --- a/builtin/providers/aws/resource_aws_security_group.go +++ b/builtin/providers/aws/resource_aws_security_group.go @@ -150,7 +150,7 @@ func resourceAwsSecurityGroupCreate(d *schema.ResourceData, meta interface{}) er if v := d.Get("vpc_id"); v != nil { if len(d.Get("egress").(*schema.Set).List()) == 0 { - return fmt.Errorf("Error creating Security Group: Security groups inside a VPC require an egress rule. See http://localhost:4567/docs/providers/aws/r/security_group.html for more information.") + return fmt.Errorf("Error creating Security Group: Security groups inside a VPC require an egress rule. See http://terraform.io/docs/providers/aws/r/security_group.html for more information.") } securityGroupOpts.VPCID = aws.String(v.(string)) @@ -195,6 +195,35 @@ func resourceAwsSecurityGroupCreate(d *schema.ResourceData, meta interface{}) er d.Id(), err) } + // AWS defaults all Security Groups to have an ALLOW ALL egress rule. Here we + // revoke that rule, so users don't unknowningly have/use it. + if v := d.Get("vpc_id"); v != nil { + log.Printf("[DEBUG] Revoking default egress rule for Security Group for %s", d.Id()) + + req := &ec2.RevokeSecurityGroupEgressInput{ + GroupID: createResp.GroupID, + IPPermissions: []*ec2.IPPermission{ + &ec2.IPPermission{ + FromPort: aws.Long(int64(0)), + ToPort: aws.Long(int64(0)), + IPRanges: []*ec2.IPRange{ + &ec2.IPRange{ + CIDRIP: aws.String("0.0.0.0/0"), + }, + }, + IPProtocol: aws.String("-1"), + }, + }, + } + + if _, err = conn.RevokeSecurityGroupEgress(req); err != nil { + return fmt.Errorf( + "Error revoking default egress rule for Security Group (%s): %s", + d.Id(), err) + } + + } + return resourceAwsSecurityGroupUpdate(d, meta) } @@ -408,29 +437,12 @@ func resourceAwsSecurityGroupUpdateRules( } os := o.(*schema.Set) - ns := n.(*schema.Set) + ns := n.(*schema.Set) - remove := expandIPPerms(group, os.Difference(ns).List()) + remove := expandIPPerms(group, os.Difference(ns).List()) + add := expandIPPerms(group, ns.Difference(os).List()) - if len(remove) == 0 && len(os.List()) == 0 && ruleset == "egress" { - // For new Security groups, a default Egress rule is created. Here we add - // the equivelent IPPermission struct for removal, so that only the - // supplied egress rules exist in the security group. - remove = append(remove, &ec2.IPPermission{ - FromPort: aws.Long(int64(0)), - ToPort: aws.Long(int64(0)), - IPRanges: []*ec2.IPRange{ - &ec2.IPRange{ - CIDRIP: aws.String("0.0.0.0/0"), - }, - }, - IPProtocol: aws.String("-1"), - }) - } - - add := expandIPPerms(group, ns.Difference(os).List()) - - // TODO: We need to handle partial state better in the in-between + // TODO: We need to handle partial state better in the in-between // in this update. // TODO: It'd be nicer to authorize before removing, but then we have