Document Egress+VPC change, update link
parent
1558fd1c3e
commit
b145ce88b7
@ -148,12 +148,12 @@ func resourceAwsSecurityGroupCreate(d *schema.ResourceData, meta interface{}) er
|
|||
|
||||
securityGroupOpts := &ec2.CreateSecurityGroupInput{}
|
||||
|
||||
if v := d.Get("vpc_id"); v != nil {
|
||||
if v := d.Get("vpc_id"); v != nil {
|
||||
if len(d.Get("egress").(*schema.Set).List()) == 0 {
|
||||
return fmt.Errorf("Error creating Security Group: Security groups inside a VPC require an egress rule. See https://terraform.io/why.html")
|
||||
return fmt.Errorf("Error creating Security Group: Security groups inside a VPC require an egress rule. See http://localhost:4567/docs/providers/aws/r/security_group.html for more information.")
|
||||
}
|
||||
|
||||
securityGroupOpts.VPCID = aws.String(v.(string))
|
||||
securityGroupOpts.VPCID = aws.String(v.(string))
|
||||
}
|
||||
|
||||
if v := d.Get("description"); v != nil {
|
||||
|
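Review bot: The replacement error text at L30 sends the user to `http://localhost:4567/docs/providers/aws/r/security_group.html`, a hostname that only resolves on a developer's own docs server, so if that line is the new side (the rendered page has lost its +/- markers, but the commit title "update link" and print order both point that way) anyone who trips this check gets a dead link. The path looks right and only the host needs to change, e.g. `return fmt.Errorf("Error creating Security Group: Security groups inside a VPC require an egress rule. See https://terraform.io/docs/providers/aws/r/security_group.html for more information.")`. Separately, `d.Get("vpc_id")` on a string attribute presumably yields `""` rather than nil when the field is unset, in which case the `v != nil` guard at L18/L21 would apply the egress requirement (and set `VPCID` to an empty string) for non-VPC groups as well — worth confirming against the schema. resourceAwsSecurityGroupCreate continues outside the hunk.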
@ -63,9 +63,8 @@ The following arguments are supported:
|
|||
* `description` - (Required) The security group description.
|
||||
* `ingress` - (Optional) Can be specified multiple times for each
|
||||
ingress rule. Each ingress block supports fields documented below.
|
||||
* `egress` - (Optional) Can be specified multiple times for each
|
||||
* `egress` - (Required, VPC only) Can be specified multiple times for each
|
||||
egress rule. Each egress block supports fields documented below.
|
||||
VPC only.
|
||||
* `vpc_id` - (Optional) The VPC ID.
|
||||
* `tags` - (Optional) A mapping of tags to assign to the resource.
|
||||
|
||||
|
@ -93,6 +92,20 @@ The `egress` block supports:
|
|||
a source to this egress rule.
|
||||
* `to_port` - (Required) The end range port.
|
||||
|
||||
~> **NOTE on Egress rules:** By default, AWS creates an `ALLOW ALL` egress rule when creating a
|
||||
new Security Group inside of a VPC. When creating a new Security
|
||||
Group inside a VPC, **Terraform will remove this default rule**, and require you
|
||||
specifically re-create it if you desire that rule. We feel this leads to fewer
|
||||
surprises in terms of controlling your egress rules. If you desire this rule to
|
||||
be in place, you can use this `egress` block:
|
||||
|
||||
egress {
|
||||
from_port = 0
|
||||
to_port = 0
|
||||
protocol = "-1"
|
||||
cidr_block = "0.0.0.0/0"
|
||||
}
|
||||
|
||||
## Attributes Reference
|
||||
|
||||
The following attributes are exported:
|
||||
|