Document Egress+VPC change, update link

2015-05-01 10:07:46 -05:00 · 2015-05-01 10:07:46 -05:00 · b145ce88b7
parent 1558fd1c3e
commit b145ce88b7
2 changed files with 18 additions and 5 deletions
--- a/builtin/providers/aws/resource_aws_security_group.go
+++ b/builtin/providers/aws/resource_aws_security_group.go
@ -148,12 +148,12 @@ func resourceAwsSecurityGroupCreate(d *schema.ResourceData, meta interface{}) er

 	securityGroupOpts := &ec2.CreateSecurityGroupInput{}

-	if v := d.Get("vpc_id"); v != nil {
+        if v := d.Get("vpc_id"); v != nil {
                if len(d.Get("egress").(*schema.Set).List()) == 0 {
-                        return fmt.Errorf("Error creating Security Group: Security groups inside a VPC require an egress rule. See https://terraform.io/why.html")
+                        return fmt.Errorf("Error creating Security Group: Security groups inside a VPC require an egress rule. See http://localhost:4567/docs/providers/aws/r/security_group.html for more information.")
                }

-		securityGroupOpts.VPCID = aws.String(v.(string))
+                securityGroupOpts.VPCID = aws.String(v.(string))
 	}

 	if v := d.Get("description"); v != nil {
--- a/website/source/docs/providers/aws/r/security_group.html.markdown
+++ b/website/source/docs/providers/aws/r/security_group.html.markdown
@ -63,9 +63,8 @@ The following arguments are supported:
 * `description` - (Required) The security group description.
 * `ingress` - (Optional) Can be specified multiple times for each
   ingress rule. Each ingress block supports fields documented below.
-* `egress` - (Optional) Can be specified multiple times for each
+* `egress` - (Required, VPC only) Can be specified multiple times for each
      egress rule. Each egress block supports fields documented below.
-      VPC only.
 * `vpc_id` - (Optional) The VPC ID.
 * `tags` - (Optional) A mapping of tags to assign to the resource.

@ -93,6 +92,20 @@ The `egress` block supports:
     a source to this egress rule.
 * `to_port` - (Required) The end range port.

+~> **NOTE on Egress rules:** By default, AWS creates an `ALLOW ALL` egress rule when creating a
+new Security Group inside of a VPC. When creating a new Security
+Group inside a VPC, **Terraform will remove this default rule**, and require you
+specifically re-create it if you desire that rule. We feel this leads to fewer
+surprises in terms of controlling your egress rules. If you desire this rule to
+be in place, you can use this `egress` block:
+
+    egress {
+      from_port = 0
+      to_port = 0
+      protocol = "-1"
+      cidr_block = "0.0.0.0/0"
+    }
+
 ## Attributes Reference

 The following attributes are exported: